Garage4hackers Forum

Selective Symbolic Execution(S2E)

Arunpreet Singh — Sat, 25 May 2013 03:03:18 GMT

i was looking into some academic research papers ,found this interesting Project

S2E: Selective Symbolic Execution - Dependable Systems Lab

Course Related
Syllabus - CS-617: Testing Software Systems

Rsearch paper (S2E Vs Recursive Decent(used by IDA Pro))

http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA559973

Open challenge to Design the logo for Ground Zero Summit

GroundZeroS — Fri, 24 May 2013 06:56:48 GMT

Hello All!

The GroundZero Summit (G0S) is an international platform for Information Security professionals showcasing their research, products and case studies to industry leaders, policy makers, investigators and decision makers from various Government Department of India and abroad.

G0S is a largest collaborative platform in Asia founded together by leading Cyber Security thought leaders and Government of India to address the Cyber Security challenges of the hour and demonstrating cutting-edge technologies. G0S is the only platform in the region providing opportunities to establish and strengthen relationships with the corporates, public sector undertakings (PSUs), Government Departments, Security and Defense Establishments.

GroundZero Summit is organized under the patronage of National Critical Information Infrastructure Protection Centre (NCIIPC), a body under the National Technical Research Organisation (NTRO), Government of India.

For this mega conference we have thrown open challenge to Design the logo for Ground Zero Summit. For rules and other details kindly go through -

Code:

http://g0s.org/category/blog/

Design a Logo Contest!

India, has in the past , exhibited enough credibility that changed the way, world used to view things. Now it is time to show our IT Prowess to the world.

All the major cyber security community in the country have already come together with the support of Government organizations to host a mega conference this year.

Now it’s your turn. To start with, we throw open challenges to all for designing a logo for the Indian cyber security summit – GroundZeroSummit.
Contest Rules:

Submit the logo via email at info@g0s.org
The email must include the name, age and phone number of the Entrant.
Logo should reflect the best creativity of designer
The entries must be submitted as a scalable vector graphic as well as a JPG
Submited JPG file of must be bigger than 500px on the smaller side. e.g 500�800, 1200�500, 500�500
The limit on attachment sizes for our email is 10Mb. If your submission exceeds this size please use services like dropbox to send.
There is no fee to enter the Contest.
All submitted work must be original and not based on any pre-existing design.
Logo must not use official Indian symbols such as ashok stambh, chakra or tricolor flag.

Prizes:

The winning logo will be announced on the website and social media accounts of g0s.

The winner will receive:

A prize worth cherishing for a whole lifetime.
A free entry to the event g0s.
A felicitation during the inaugural ceremony by the guest of honor.

Selection of Winner:

All Entries will be evaluated by the core team and select entries will be posted online on facebook page of g0s
Top 3 logos with maximum number of likes will go into the final round of judgement.
A jury will select the winning logo out of the top 3 chosen by community on Facebook

Intellectual Property:

By entering this competition, the designer assigns the rights to g0s
Winner will be awarded, other entrants will be acknowledged on the social media
In consideration for the prize and/or acknowledgement received, the entrant agrees to transfer all applicable intellectual property considerations to g0s
g0s may go ahead and get a trademark on the submitted logo.
The entrant is responsible for the contents of the advertisement which cannot include copyright protected material.
The entrant must have the rights for all the texts and images used in the submitted work.

[/B]

i am a secret hacker with all information and all technology so any now who will need

shuura — Wed, 22 May 2013 16:05:38 GMT

i am a secret hacker with all information and all technology so any now who will need any help on hacking should hit me up now.

Using Beautiful Soup Library for Parsing HTML in python

D4rk357 — Wed, 22 May 2013 11:27:21 GMT

This is a code which downloads a html page and then parses a table from it to display output . Without Beautiful Soup it would require a lot of work and a lot of exception handling but Beautiful Soup makes the work lot

Code:

#!/usr/bin/python



# D4rk-Parser-- A small code for parsing HTML tables in python using Beautiful Soup 

# Coded By D4rk357[2013]





import os , sys, urllib2 ,re

from bs4 import BeautifulSoup

response = urllib2.urlopen('https://urlquery.net/report.php?id=2602506')

html1 = response.read()



soup = BeautifulSoup(html1)



table = soup.find(lambda tag: tag.name=='table' ) 

rows = table.findAll('tr')



for x in rows:

 print '|'.join(x.stripped_strings) # important thing to note is the usage of stripped_strings function . This function is important in cases where there are some other HTML tags inside the table like  etc . In that case normal strip functions won't function properly . It is true in this particular case as well

Output

Attached Images

Crack passwords using John the Ripper (JTR) using multiple CPU cores

b0nd — Wed, 22 May 2013 10:06:58 GMT

oclhashcat, cudahashcat etc. have capability to exploit the power of GPU for cracking. I am not sure whether JTR too possess the same. Anyway, my requirement was to use all 8 cores of my machine, which doesn't have GPU, while running JTR.

Earlier, what I was aware of till date, was MPI patch for JTR for the same purpose. But with the latest releases of JTR, it has got built-in feature for it.

Following snippet is the work around taken from Crack Passwords using John the Ripper with Multiple CPU Cores (OpenMP) � Thireus' Bl0g

Quote:

Johncan break many password hashes, but one of the primary missing feature was the CPU multiple core support. But today, John the Ripper 1.7.9 supports OpenMP which brings Multi-Processing. Of course this feature was present on some patched versions of John, but since the 1.7.9 version it is officially integrated.One of the best platform where you should use John the Ripper is UNIX, I personally prefer using john on Debian x86_64.Let�s try some simple steps to enable and illustrate the new feature

First go to John the Ripper password cracker, and download the latest version. When I write this article the latest stable release was 1.7.9.

$ wget http://www.openwall.com/john/g/john-1.7.9.tar.gz
$ tar -xvzf john-1.7.9.tar.gz

Now let�s make some changes into the Makefile to enable the use of OpenMP

$ cd john-1.7.9/src/
john-1.7.9/src$ nano Makefile

Locate the following lines

# gcc with OpenMP
#OMPFLAGS = -fopenmp
#OMPFLAGS = -fopenmp -msse2

Uncomment OMPFLAGS

# gcc with OpenMP
OMPFLAGS = -fopenmp
OMPFLAGS = -fopenmp -msse2

Before compiling john, make sure you have gcc installed! Now, let�s compile john.

john-1.7.9/src$ make

This command will list all the systems where john can be compiled on. As I�m running Debian x86_64, I will choose linux-x86-64.
john-1.7.9/src$ make linux-x86-64

John should be located in the ../run folder.
Let�s try John

john-1.7.9/src$ cd ../run/
john-1.7.9/run$ ./john --test

Some benches should appear�
Benchmarking: Traditional DES [128/128 BS SSE2-16]... DONE
Many salts: 7651K c/s real, 3872K c/s virtual
Only one salt: 6876K c/s real, 3487K c/s virtual

And John might use all your CPU cores.
Now let�s do something fun, if you want John to use a certain amount of cores you can adjust it with the environment variable OMP_NUM_THREADS:

john-1.7.9/run$ OMP_NUM_THREADS=1 ./john --test

Benchmarking: Traditional DES [128/128 BS SSE2-16]... DONE
Many salts: 3982K c/s real, 3990K c/s virtual
Only one salt: 3770K c/s real, 3770K c/s virtual

any ms08-067 alternative for w7/8?

MissJoJo — Tue, 21 May 2013 04:14:50 GMT

are there any exploits against windows 7 that don't require any user actions (like the infamous ms08-067).
metasploit exploits preferred

CMS Hacking, A Look Into The ECCouncil Hack

prashant_uniyal — Fri, 17 May 2013 09:33:24 GMT

Yesterday, EC Council was reported to have been compromised by a hacker called �Godzilla�. The site that got hacked was the Academy site of EC Council i.e eccouncilacademy.org

Read complete analysis: CMS Hacking, A Look Into The ECCouncil Hack - Imperva Data Security Blog

Introduction to Windows Kernel Security Research

prashant_uniyal — Thu, 16 May 2013 08:39:45 GMT

Article by Tavis Ormandy on Introduction to windows kernel security research

Tavis Ormandy: Introduction to Windows Kernel Security Research

Understanding Assembly Code

Unity — Wed, 15 May 2013 14:03:05 GMT

Hi,

My knowledge regarding assembly code is very limited and I wanted to ask if someone could help me figure out what the following is doing? There is a routine that calls the disk ( loaded directly by BIOS) and I would like to know where this is and how it is called / executed:

Quote:

; ---------------------------------------------------------------------------
; Format : Binary file
; Base Address: 0000h Range: 0000h - 0098h Loaded length: 0098h

.686p
.mmx
.model flat

; ================================================== =========================

; Segment type: Pure code
seg000 segment byte public 'CODE' use16
assume cs:seg000
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
cli
xor ax, ax
mov ss, ax
mov sp, 7C00h
mov si, sp
push ax
pop es
push ax
pop ds
sti
cld
mov di, 600h
mov cx, 100h
rep movsw
jmp far ptr 0:61Dh
; ---------------------------------------------------------------------------
mov dh, 0
mov cx, 2
mov di, 5

loc_25: ; CODE XREF: seg000:0036j
mov bx, 700h
mov ax, 201h
push di
int 13h ; DISK - READ SECTORS INTO MEMORY
; AL = number of sectors to read, CH = track, CL = sector
; DH = head, DL = drive, ES:BX -> buffer to fill
; Return: CF set on error, AH = status, AL = number of sectors read
pop di
jnb short loc_3D
xor ax, ax
int 13h ; DISK - RESET DISK SYSTEM
; DL = drive (if bit 7 is set both hard disks and floppy disks reset)
dec di
jnz short loc_25
mov si, 68Ah
jmp short loc_78
; ---------------------------------------------------------------------------

loc_3D: ; CODE XREF: seg000:002Fj
mov cx, 3

loc_40: ; DATA XREF: seg000:0083r
mov di, 5

loc_43: ; CODE XREF: seg000:0059j
mov bx, 2000h
push bx
pop es
assume es:nothing
mov bx, 0
mov ax, 220h ; DATA XREF: seg000:002Cr seg000:0033r ...
push di
int 13h ; DISK - READ SECTORS INTO MEMORY
; AL = number of sectors to read, CH = track, CL = sector
; DH = head, DL = drive, ES:BX -> buffer to fill
; Return: CF set on error, AH = status, AL = number of sectors read
pop di
jnb short loc_60
xor ax, ax
int 13h ; DISK - RESET DISK SYSTEM
; DL = drive (if bit 7 is set both hard disks and floppy disks reset)
dec di
jnz short loc_43
mov si, 68Ah
jmp short loc_78
; ---------------------------------------------------------------------------

loc_60: ; CODE XREF: seg000:0052j
mov cx, 3FFFh
mov si, 800h
xor di, di

loc_68: ; CODE XREF: seg000:0071j
lodsw
and si, 0FFBFh
xor ax, es:[di]
stosw
dec cx
jnz short loc_68
jmp far ptr 2000h:0
; ---------------------------------------------------------------------------

loc_78: ; CODE XREF: seg000:003Bj seg000:005Ej ...
lodsb
cmp al, 0
jz short loc_88
push si
mov bx, 7
mov ah, 0Eh
int 10h ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
; AL = character, BH = display page (alpha modes)
; BL = foreground color (graphics modes)
pop si
jmp short loc_78
; ---------------------------------------------------------------------------

loc_88: ; CODE XREF: seg000:007Bj
; seg000:loc_88j
jmp short loc_88
; ---------------------------------------------------------------------------
db 44h ; D
db 69h ; i
db 73h ; s
db 6Bh ; k
db 20h
db 49h ; I
db 2Fh ; /
db 4Fh ; O
db 20h
db 45h ; E
db 72h ; r
db 72h ; r
db 6Fh ; o
db 72h ; r
seg000 ends

end

it is loaded by the BIOS at boot. There is a part at which 32 sectors of data are read and loaded from the disk but I am unsure of what it is doing with this. I would like to know how loc_43 is being called and what it is doing to it

What we can see is that the bootloader is reading first the sector 1 of the disk and then loads it in memory. but after if we look at the way the code is chained, it just writes some data to the screen and that's all.

There is an other piece of code at loc_43 which is doing interesting things such as reading 32 sectors of the disk ( sector 1 to 33 ) in memory, making operations on them ( basically removing some junk data ) and then apparently loading it.

What we cannot understand at the moment is how the code at loc_43 gets executed.

If someone have any clue about how the code in loc_43 gets executed? I initially thought that since the bootloader was loaded at 0x7C00 , loc_43 was called using a pointer to the address in the memory but it seems that not.

So now the code at loc_43 is orphan.

If more information is needed Ill try my best to provide as much detail as possible.

Thanks!

Scope for VA/PT , exploit research and development at senior level?

sagar525 — Tue, 14 May 2013 15:52:51 GMT

Hello All, I would like to know views on whether there are any career prospects available in VA/PT, exploit research etc at senior level? In most cases I have seen, companies hire people having 1-3 years experience for conducting VA/PT (mostly because it costs them less and automated tools are available for scanning). But what I would like to know is what are the possible opportunities for experienced people say having around 7 years of experience into security. What profiles exist at senior levels related to VA/PT? Also I am not very sure about scope for such opportunities at senior level since (atleast in many companies in India) a senior security guy is expected to look after all the compliance and not just VA/PT. Also what certifications would be ideal for such profiles? CEH and ECSA/LPT are easy to get and may not really prove core hacking skills... OSCP from Offensive Security looks certainly better.
Any views/suggestions/recommendations on above would be appreciated....

Flash XSS in Summify.com (Twitter acquisition)

prakhar — Mon, 13 May 2013 18:22:11 GMT

My write-up of a Flash XSS in Summify.com (via ZeroClipboard plugin):

http://blog.prakharprasad.com/2013/0...-for-2013.html

Facebook?

leelad03 — Sat, 11 May 2013 21:16:49 GMT

hey guys, I'm Lee,

Just wondering is it actually possible to get into someone elses facebook account?

I have searched google etc but it seems there are alot of scammers viruses etc etc, I have been online a long time so i know a virus before i even try to download. people asking for money to hack an account.

The reason is not what alot of people need a hacker for, its not anything to do with relationships, My reason is because a girl is currently a admin of a tv show/facebook page which i run a Campaign on at the moment, She does not use this page anymore which has over 16k fans on which would help a great deal to my campaign. But the girl also does not use facebook anymore as far as i know, But still have a profile active. Therefore i only need to go onto her profile if its possible to gain access of the fan page to make myself a admin. thats all. and then leave I dont need to look at her messages nor anything like this.

If it is possible to do this then great, I would even be more than happy of a hacker to do this for me and all you do is find my name in the 'admin roles' part of the page edit.

Thanks
Lee

Hey everyone

leelad03 — Sat, 11 May 2013 20:53:50 GMT

Alright guys and gals, hows it going?

I'm Lee from England, Merseyside, Glad to be on the forum, hope to get to know some of you.

Lee

Google Website Translator (Add Editor) CSRF and Google Tasks (Add Task) Clickjacking

prakhar — Fri, 10 May 2013 19:29:52 GMT

Hello All,

Here are POCs for two issues I found in different Google products back in late 2012.

Google Website Translator (Add Editor) CSRF

Google Tasks (Add Task) Clickjacking

Originally posted on my blog : Security.log: Google Website Translator (Add Editor) CSRF and Google Tasks Clickjacking

Python SSl connections.

fb1h2s — Fri, 10 May 2013 06:06:11 GMT

Last day we were stuck with an error in a python program of ours . The code was working fine on our dev environment, but when it was moved to production, we were getting the following error [ even when we had the same python virtual environment as that of production ] for a particular domain/server.

Error:

: [Errno 104] Connection reset by peer)

A sample code to make a python Https request [something we used].

Code:

import httplib h = httplib.HTTPSConnection(host, port) headers = { 'User-Agent': 'trap', 'Content-Type': content_type } h.request('POST', uri, body, headers) res = h.getresponse() return res.status, res.reason, res.read()

Python handles https communication by using Openssl lib [ Python openssl lib ] . Actually many apps out there use openssl libs for there https communication.

Even Wget was failing

So for debugging an htpps /ssl issue you can use the openssl client to directly connect to our target the following way.

openssl s_client -connect Google -verify -debug -ssl3

And this should give back the server Cert, tokens and necessary info for the communication .

But when we tried to connect to our faulting server we were getting .

openssl s_client -connect target-server.com:443 -verify -debug -ssl3
verify depth is 0
CONNECTED(00000003)
52709:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 40
52709:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:539:

Based on Openssl documentation the faulting function is used to initiate the ssl connection |ssl handshake http://www.openssl.org/docs/ssl/SSL_do_handshake.html

So from this it is clear that the ssl handshake failed and that's the reason why the server closed the connection. So I tried to changing from ssl3 to tls1

openssl s_client -connect Google -verify -debug -tls1

and the connection was successful. So this solution was to force tls1 when making the request. And later I found that the current issue was a bug in openssl https://bugs.launchpad.net/ubuntu/+s...sl/+bug/965371 . And why it was working on dev server was it was running an updated version of openssl, and the production had an outdated openssl.

Fix is you can upgrade openssl [fekd up thing to do ] or force tls1 on your programs when dealing with such servers.

You can also patch httplib in python

Forcing TLSv1 on python:

sock = socket.create_connection(host, port),
self.timeout, self.source_address)

self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
ssl_version=ssl.PROTOCOL_TLSv1)
httplib.HTTPSConnection.connect = connect

Forcing tls in perl:

my $thing = whatever->new(
ssl_opts => { SSL_version => 'TLSv1' },
);

Forcing TLS in Wget and Curl

wget --secure-protocol=TLSv1 ...

curl --tlsv1

Ref: Python HTTPS requests (urllib2) to some sites fail on Ubuntu 12.04 without proxy - Ask Ubuntu
https://bugs.launchpad.net/ubuntu/+s...sl/+bug/965371
ssl - Is there a difference between SSLv3 and TLS1.0? - Stack Overflow
pyOpenSSL - Python interface to the OpenSSL library