2.95 score from hupso.pl for:
funoverip.net



HTML Content


Title fun over ip

Length: 11, Words: 3
Description empty

Length: 0, Words: 0
Keywords empty
Robots
Charset UTF-8
Og Meta - Title empty
Og Meta - Description empty
Og Meta - Site name empty
The title should contain between 10 and 70 characters (including spaces) and be fewer than 12 words long.
The meta description should contain between 50 and 160 characters (including spaces) and be fewer than 24 words long.
The character encoding should be specified; UTF-8 is probably the best character set to move to, because UTF-8 is the more international encoding.
Open Graph objects should be present on the web page (more information about the OpenGraph protocol: http://ogp.me/)

SEO Content

Words/Characters 2232
Text/HTML 29.54 %
Headings H1 4
H2 21
H3 0
H4 0
H5 0
H6 0
H1
fun over ip
1. introduction
1. introduction
1. introduction
H2
mcafee sitelist.xml password decryption
reverse engineer a verisure wireless alarm part 2 – firmwares and crypto keys
reverse engineer a verisure wireless alarm part 1 – radio communications
gnu radio – cc1111 packets encoder/decoder blocks
introduction
packet encoder
exploit: mcafee epolicy 0wner (epowner) v0.1 – release
symantec endpoint protection manager – cve-2013-1612 – remote buffer overflow – poc
seh-based approach
pointer overwriting approach
please help
downloads
turning your antivirus into my botnet – owasp benelux 2013 – slides
watchguard – cve-2013-6021 – stack based buffer overflow exploit
1.1 references
looking for an ethical hacker ?
latest posts
archives
about
categories
search
H3
H4
H5
H6
strong
5
5.00
second chapter
firmwares
various aes keys
part 3
physical access
anti-sabotage
translate the radio communication into binary messages
verisure
securitas-direct
cve-2013-1612
symantec endpoint protection manager
memcpy()
memcpy()
0xaaaacccc
memcpy()
memcpy()
memcpy()
memcpy()
memcpy()
a predictable stack-based address
memcpy()
poc code:
vulnerable sepm version
3
5.00
mcafee epolicy orchestrator
3
5.00
fun over ip
b
i
em 5
5.00
second chapter
firmwares
various aes keys
part 3
physical access
anti-sabotage
translate the radio communication into binary messages
verisure
securitas-direct
cve-2013-1612
symantec endpoint protection manager
memcpy()
memcpy()
0xaaaacccc
memcpy()
memcpy()
memcpy()
memcpy()
memcpy()
a predictable stack-based address
memcpy()
poc code:
vulnerable sepm version
3
5.00
mcafee epolicy orchestrator
3
5.00
fun over ip
Bolds strong 31
b 0
i 0
em 31
The web page content should contain more than 250 words, with a text/code ratio higher than 20%.
Headings: use heading tags (h1, h2, h3, ...) to define the topic of sections or paragraphs on the page, but generally use fewer than 6 of each heading tag to keep your page concise.
Style: use strong and italic tags to emphasize the keywords on your page, but do not overuse them (fewer than 16 strong tags and 16 italic tags).

Page statistics

twitter:title empty
twitter:description empty
google+ itemprop=name empty
External files 21
CSS files 7
JavaScript files 14
Files: reduce the total number of referenced files (CSS + JavaScript) to 7-8 at most.

Internal and external links

Links 117
Internal links 2
External links 115
Links without a Title attribute 86
Links with the NOFOLLOW attribute 0
Links: use the title attribute for every link. A nofollow link is a link that does not allow search engine bots to follow it. Pay attention to how they are used.

Internal links

skip to content #content
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20130618_00 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20130618_00

External links

rss https://funoverip.net/feed/
twitter https://twitter.com/funoverip
fun over ip https://funoverip.net
home https://funoverip.net
about https://funoverip.net/about/
hacking https://funoverip.net/category/hacking-cat/
backdoor https://funoverip.net/category/hacking-cat/backdoor/
exploits https://funoverip.net/category/hacking-cat/exploits/
metasploit https://funoverip.net/category/hacking-cat/metasploit-cat/
network https://funoverip.net/category/hacking-cat/network/
password cracking https://funoverip.net/category/hacking-cat/password-cracking/
radio https://funoverip.net/category/hacking-cat/radio/
reverse engineering https://funoverip.net/category/hacking-cat/reverse-engineering/
shellcoding https://funoverip.net/category/hacking-cat/shellcoding/
web https://funoverip.net/category/hacking-cat/web/
mcafee sitelist.xml password decryption https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
@sn0rky https://twitter.com/_sn0rky
link https://github.com/tfairane/hackstory/blob/master/mcafeeprivesc.md
epolicy 0wner https://funoverip.net/2013/12/turning-your-antivirus-into-my-botnet-owasp-benelux-2013-slides/
syss gmbh https://www.syss.de/fileadmin/dokumente/publikationen/2011/syss_2011_deeg_privilege_escalation_via_antivirus_software.pdf
https://github.com/funoverip/mcafee-sitelist-pwd-decryption https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
1 comment https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/#comments
reverse engineer a verisure wireless alarm part 2 – firmwares and crypto keys https://funoverip.net/2014/12/reverse-engineer-a-verisure-wireless-alarm-part-2-firmwares-and-crypto-keys/
verisure http://www.verisure.com
following location https://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/
gnu radio http://gnuradio.org
hackrf one https://greatscottgadgets.com/hackrf/
part 1 https://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/
read more… https://funoverip.net/2014/12/reverse-engineer-a-verisure-wireless-alarm-part-2-firmwares-and-crypto-keys/#more-1879
26 comments https://funoverip.net/2014/12/reverse-engineer-a-verisure-wireless-alarm-part-2-firmwares-and-crypto-keys/#comments
reverse engineer a verisure wireless alarm part 1 – radio communications https://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/
verisure http://www.verisure.com
- https://funoverip.net/wp-content/uploads/2014/11/verisure1.jpg
read more… https://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/#more-1791
1 comment https://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/#comments
gnu radio – cc1111 packets encoder/decoder blocks https://funoverip.net/2014/07/gnu-radio-cc1111-packets-encoderdecoder-blocks/
rfcat https://code.google.com/p/rfcat/
gnu radio http://gnuradio.org
http://www.ti.com/lit/an/swra322/swra322.pdf http://www.ti.com/lit/an/swra322/swra322.pdf
- https://funoverip.net/wp-content/uploads/2014/07/hackrf_sender_grc1.jpg
read more… https://funoverip.net/2014/07/gnu-radio-cc1111-packets-encoderdecoder-blocks/#more-1755
1 comment https://funoverip.net/2014/07/gnu-radio-cc1111-packets-encoderdecoder-blocks/#comments
exploit: mcafee epolicy 0wner (epowner) v0.1 – release https://funoverip.net/2014/04/mcafee-epolicy-0wner-0-1-release/
https://github.com/funoverip/epowner https://github.com/funoverip/epowner
- https://funoverip.net/wp-content/uploads/2014/04/yeswecan2.jpg
security patch https://kc.mcafee.com/corporate/index?page=content&id=sb10042
read more… https://funoverip.net/2014/04/mcafee-epolicy-0wner-0-1-release/#more-1685
symantec endpoint protection manager – cve-2013-1612 – remote buffer overflow – poc https://funoverip.net/2014/04/symantec-endpoint-protection-manager-cve-2013-1612-remote-buffer-overflow-poc/
http://www.securityfocus.com/bid/60542/info http://www.securityfocus.com/bid/60542/info
https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1612 https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1612
- https://funoverip.net/wp-content/uploads/2014/04/memcpy-forget-dest.jpg
here https://funoverip.net/wp-content/uploads/2014/04/sepm-secars-poc-v0.3.tar.gz
exploit-db mirror http://www.exploit-db.com/sploits/33056-sepm-secars-poc-v0.3.tar.gz
here https://funoverip.net/wp-content/uploads/2014/04/symantec_endpoint_protection_12.1.2_part1_trialware_en.zip
turning your antivirus into my botnet – owasp benelux 2013 – slides https://funoverip.net/2013/12/turning-your-antivirus-into-my-botnet-owasp-benelux-2013-slides/
owasp benelux day 2013 https://www.owasp.org/index.php/benelux_owasp_day_2013
epolicy 0wner https://funoverip.net/2013/06/mcafee-epolicy-0wner-preview/
- https://funoverip.net/wp-content/uploads/2013/12/turning-your-managed-av-into-my-botnet_owasp2013_nokin-jerome_v1.1.pdf
https://kc.mcafee.com/corporate/index?page=content&id=sb10042 https://kc.mcafee.com/corporate/index?page=content&id=sb10042
http://www.kb.cert.org/vuls/id/209131 http://www.kb.cert.org/vuls/id/209131
http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0140 http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0140
http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0141 http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0141
watchguard – cve-2013-6021 – stack based buffer overflow exploit https://funoverip.net/2013/10/watchguard-cve-2013-6021-stack-based-buffer-overflow-exploit/
cve-2013-6021 http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6021
http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6021 http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6021
http://www.kb.cert.org/vuls/id/233990 http://www.kb.cert.org/vuls/id/233990
http://watchguardsecuritycenter.com/2013/10/17/xtm-11-8-secfixes/ http://watchguardsecuritycenter.com/2013/10/17/xtm-11-8-secfixes/
http://watchguardsecuritycenter.com/2013/10/17/watchguard-dimension-and-fireware-xtm-11-8/ http://watchguardsecuritycenter.com/2013/10/17/watchguard-dimension-and-fireware-xtm-11-8/
read more… https://funoverip.net/2013/10/watchguard-cve-2013-6021-stack-based-buffer-overflow-exploit/#more-1519
4 comments https://funoverip.net/2013/10/watchguard-cve-2013-6021-stack-based-buffer-overflow-exploit/#comments
« older entries https://funoverip.net/page/2/
https://www.jnxsecurity.com https://www.jnxsecurity.com
mcafee sitelist.xml password decryption https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
reverse engineer a verisure wireless alarm part 2 – firmwares and crypto keys https://funoverip.net/2014/12/reverse-engineer-a-verisure-wireless-alarm-part-2-firmwares-and-crypto-keys/
reverse engineer a verisure wireless alarm part 1 – radio communications https://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/
gnu radio – cc1111 packets encoder/decoder blocks https://funoverip.net/2014/07/gnu-radio-cc1111-packets-encoderdecoder-blocks/
exploit: mcafee epolicy 0wner (epowner) v0.1 – release https://funoverip.net/2014/04/mcafee-epolicy-0wner-0-1-release/
symantec endpoint protection manager – cve-2013-1612 – remote buffer overflow – poc https://funoverip.net/2014/04/symantec-endpoint-protection-manager-cve-2013-1612-remote-buffer-overflow-poc/
turning your antivirus into my botnet – owasp benelux 2013 – slides https://funoverip.net/2013/12/turning-your-antivirus-into-my-botnet-owasp-benelux-2013-slides/
watchguard – cve-2013-6021 – stack based buffer overflow exploit https://funoverip.net/2013/10/watchguard-cve-2013-6021-stack-based-buffer-overflow-exploit/
cracking watchguard passwords https://funoverip.net/2013/09/cracking-watchguard-passwords/
exploit: mcafee epolicy 0wner (epowner) – preview https://funoverip.net/2013/06/mcafee-epolicy-0wner-preview/
february 2016 https://funoverip.net/2016/02/
december 2014 https://funoverip.net/2014/12/
november 2014 https://funoverip.net/2014/11/
july 2014 https://funoverip.net/2014/07/
april 2014 https://funoverip.net/2014/04/
december 2013 https://funoverip.net/2013/12/
october 2013 https://funoverip.net/2013/10/
september 2013 https://funoverip.net/2013/09/
june 2013 https://funoverip.net/2013/06/
october 2012 https://funoverip.net/2012/10/
july 2012 https://funoverip.net/2012/07/
june 2012 https://funoverip.net/2012/06/
february 2012 https://funoverip.net/2012/02/
september 2011 https://funoverip.net/2011/09/
april 2011 https://funoverip.net/2011/04/
march 2011 https://funoverip.net/2011/03/
january 2011 https://funoverip.net/2011/01/
december 2010 https://funoverip.net/2010/12/
november 2010 https://funoverip.net/2010/11/
backdoor https://funoverip.net/category/hacking-cat/backdoor/
exploits https://funoverip.net/category/hacking-cat/exploits/
hacking https://funoverip.net/category/hacking-cat/
metasploit https://funoverip.net/category/hacking-cat/metasploit-cat/
network https://funoverip.net/category/hacking-cat/network/
password cracking https://funoverip.net/category/hacking-cat/password-cracking/
radio https://funoverip.net/category/hacking-cat/radio/
reverse engineering https://funoverip.net/category/hacking-cat/reverse-engineering/
shellcoding https://funoverip.net/category/hacking-cat/shellcoding/
web https://funoverip.net/category/hacking-cat/web/
titan theme http://thethemefoundry.com/titan/
the theme foundry http://thethemefoundry.com
fun over ip http://funoverip.net
blog copyright http://www.blogtrafficexchange.com/blog-copyright

Images

Images 26
Images without an ALT attribute 3
Images without a TITLE attribute 11
Use the ALT and TITLE attributes for every image.

Images without a TITLE attribute

https://funoverip.net/wp-content/uploads/2016/02/10-feb-2016-12-59-15.png
https://funoverip.net/wp-content/plugins/wp-postratings/images/loading.gif
https://funoverip.net/wp-content/uploads/2014/11/olimex-to-pcb.png
https://funoverip.net/wp-content/uploads/2014/11/gnuradio_grc_fft21.png
https://funoverip.net/wp-content/uploads/2014/11/verisure1.jpg
https://funoverip.net/wp-content/uploads/2014/07/hackrf_sender_grc1.jpg
https://funoverip.net/wp-content/uploads/2014/04/yeswecan2.jpg
https://funoverip.net/wp-content/uploads/2014/04/memcpy-forget-dest.jpg
https://funoverip.net/wp-content/plugins/wp-postratings/images/loading.gif
https://funoverip.net/wp-content/uploads/2013/12/av_owasp_2013_cover2.png
https://funoverip.net/wp-content/plugins/wp-postratings/images/loading.gif

Images without an ALT attribute

https://funoverip.net/wp-content/plugins/wp-postratings/images/loading.gif
https://funoverip.net/wp-content/plugins/wp-postratings/images/loading.gif
https://funoverip.net/wp-content/plugins/wp-postratings/images/loading.gif

Text on page:

skip to content follow: rss twitter fun over ip sendp(ether()/ip(ttl=32, dst='255.255.255.255')/fun(\x77\x30\x30\x74\x21)); home about hacking backdoor exploits metasploit network password cracking radio reverse engineering shellcoding web feb 10 16 mcafee sitelist.xml password decryption by foip recently, a very good friend of mine (@sn0rky) pointed me out the story of a pentester who recovered the encrypted passwords from a mcafee sitelist.xml file, using responder (link). simply clever. since i worked hard on mcafee products in the past (see epolicy 0wner), he asked me if i knew how to decrypt these passwords, directly from the sitelist.xml file. the answer was no. but, another link from syss gmbh pointed out that the encryption was based on 3des and some xor. what ?!? that sounds very similar to what i’ve found earlier in epolicy orchestrator ! so, back into ida pro and immunity debugger, i’ve found that – indeed – the algorithm reused the same hardcoded 3des key in ecb mode, but that the xor was a bit different. a short python implementation of the reversed algorithm provided me with the following result: $ ./mcafee_sitelist_pwd_decrypt.py 'jwbtys7bl1hj7pko5di/qhhymcgj5cooz2okdtrfxsr/abafpm9b3q==' crypted password : jwbtys7bl1hj7pko5di/qhhymcgj5cooz2okdtrfxsr/abafpm9b3q== decrypted password : mystrongpassword! yes ! :-) it is time to share this knowledge with the penetration testing community. isn’t ? https://github.com/funoverip/mcafee-sitelist-pwd-decryption happy password recovering! foip (5 votes, average: 5.00 out of 5) loading... 1 comment dec 1 14 reverse engineer a verisure wireless alarm part 2 – firmwares and crypto keys by foip 1. introduction so we’re back, ready to run through an additional step into our verisure wireless alarm journey. this post is the second chapter of my verisure story where we’ll learn how to extract and dig into firmwares. 
getting firmware out of the memory will actually help us to grab various aes keys, a required step to decrypt both radio and ethernet communications, but also authenticating against the local console using usb connector (this will be described in part 3). the reader can found the first part of this journey at the following location, where we briefly introduced the verisure wireless equipments and shown how to demodulate rf messages  using gnu radio framework and the hackrf one sdr platform. our initial investigations aimed to get a clear view on the alarm design and more especially, its security level. we learned from part 1 that radio communication is encrypted using a strong algorithm (aes-128). however, even the strongest cryptographic algorithm can be broken if weaknesses exist in the software and particularly in the keys management. we’ve been reassured to see that verisure made a very good choice in their design. additionally, keep in mind throughout this article that our work was performed inside a lab, and successfully achieved because we got physical access to the alarm. we were indeed able to read and/or modify firmware and memory which is not possible in a live environment, at least not without triggering multiple anti-sabotage sensors. read more… 26 comments nov 16 14 reverse engineer a verisure wireless alarm part 1 – radio communications by foip 1. introduction verisure is a supplier of wireless home alarms and connected services for the home. a verisure setup can be composed of multiple devices, sensors and/or detectors such as motion detectors with camera, magnetic contacts for doors or windows, smoke detectors, keypads, sirens, etc. each component of the setup communicates using wireless technology with the central gateway called “vbox”, it-self monitored by verisure agents through the internet and/or 3g  connection. as a verisure customer, i was curious to get a clear view of the design and security measures implemented by the manufacturer. 
i therefore decided to buy a testing kit on ebay (120 euros) to open it and starting an exciting journey inside the boxes. this post is the first part of my verisure story and aims to observe radio communications between the multiple devices of the alarm. in other words, we will translate the radio communication into binary messages. please note that verisure is the new name of securitas-direct. you may potentially find both names in my scripts and screenshots. read more… 1 comment jul 18 14 gnu radio – cc1111 packets encoder/decoder blocks by foip introduction i recently worked with rf transmissions between cc1111-based devices (the chips that are supported by rfcat) and i was in the need to easily encode and decode my payloads using gnu radio. gnu radio already contains several packets encoder/decoder blocks, but none of them (if i’m right, and i hope that i am) deal with the same header length, whitening algorithm and/or checksum used by the cc1111 chips. in the cc1111 world, the header is one byte length, the checksum is crc16 and the data whitening is performed using the following algorithm http://www.ti.com/lit/an/swra322/swra322.pdf. packet encoder here is a simple grc flow-graph demonstrating how to encode and transmit cc1111 packets using your favorite sdr device: read more… 1 comment apr 27 14 exploit: mcafee epolicy 0wner (epowner) v0.1 – release by foip update: version 0.2 released on 29th of june 2014. check out https://github.com/funoverip/epowner. hi, i received so many requests for this exploit code. usually my response was something similar to: “because the exploit can p0wn a whole network environment within 2 minutes (only by talking with the mcafee epo server), and that vulnerable epo servers are currently exposed on the internet, i have to wait a little bit before releasing it” (problem of consciousness the doctor said…). mcafee released a security patch on march 2013. so one year ago. guess what, internet servers are still vulnerable (come on.. 
really ?) i think that i did my job and waited long enough. i can’t save the planet every day.. some companies will be magisterially owned but after the openssl heartbleed story, i don’t really care anymore. i consider these companies already compromised since a while .. read more… comments off on exploit: mcafee epolicy 0wner (epowner) v0.1 – release apr 26 14 symantec endpoint protection manager – cve-2013-1612 – remote buffer overflow – poc by foip hello, do want to help me to turn this poc into reliable exploit code ? here is the short story about cve-2013-1612, a remote buffer overflow that i’ve reported to symantec in june 2013. the vulnerability impacts symantec endpoint protection manager (sepm, a.k.a. the central sep server) versions 12.1.0 to 12.1.2. here are some references about the bug: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20130618_00 http://www.securityfocus.com/bid/60542/info https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1612 seh-based approach the poc code (provided below), simply overwrite eip by using a seh-based technique. unfortunately, due to memory protection mechanisms, i wasn’t able to create a stable exploit using this technique since all modules are compiled using the /safeseh flag and workarounds (that i knew) were found useless. pointer overwriting approach i finally tried a second approach which only requires to bypass dep and stack canary protections (/gs). btw, symantec dll aren’t compiled with aslr. so, instead of triggering a memory access violation by filling the stack (as for a usual seh-based overflow), i’ve observed the process behavior when only a few bytes are overwritten and realized that an interesting pointer is overwritten. this pointer is a “destination address” argument passed to a memcpy() call, a few instructions after the the overflow. on top of that, the “source address” given to memcpy() points to our shellcode! 
so, i have the pleasant capability to copy “anything” “anywhere”, as illustrated by the following screenshot. the source pointer contains to the shellcode address and destination pointer is currently set to 0xaaaacccc. using this memcpy(), my goal was to overwrite the “saved return address” value of the memcpy() frame, with the first instruction of my rop chain. therefore, as soon as memcpy() returns, it starts executing my payload. by doing this, no stack-guard cookies are broken :-) (do you get the big picture?). using this approach, /gs protections is bypassed and a classical rop can be used to circumvent dep. so far so good excepted that i need to know the address of the memcpy() frame, and here comes the problem. by default, sepm runs 330 threads, and each of them use its own stack based-address. therefore, the address of the memcpy() frame is different for each thread. so, i need to know which thread is dealing with my http request :-/ can i use a brute-force approach ? yes. the service restarts automatically upon crash (example: if i write at the wrong address). however, it will take a while and the service remains unavailable during the attack (constantly restarting). there is however something interesting to know here. i have observed that right after the service restart, the first http request sent to the server is “most of the time” handled by a predictable thread id and therefore, a predictable stack-based address ! when you find it, only a few attempts are needed to write at the correct memcpy() frame address. unfortunately, this knowledge was still found useless to me because the thread id that serves the first request seems to be hardware-dependent. actually, i have no idea how windows allocates new threads and this is where i stuck in this approach… my exploit works in my labs, but won’t work in yours. 
i’ve observed totally different thread id on other platforms :-/ please help if you have any brilliant idea or find another approach, please give it a try ! (and please keep me informed :-) ). the poc code and a vulnerable version of the software is provided below. cheers, foip downloads poc code: download the seh-based poc code here. there is an encryption key (kcs) to provide to the obfuscation function. the poc will let you know where to find your environment key. (exploit-db mirror) vulnerable sepm version: a copy of the vulnerable software can be found here. you will find two httpd processes running, one of them has 330 threads. attach your debugger to that one. (3 votes, average: 5.00 out of 5) loading... comments off on symantec endpoint protection manager – cve-2013-1612 – remote buffer overflow – poc dec 11 13 turning your antivirus into my botnet – owasp benelux 2013 – slides by foip below are the slides that i’ve presented at the owasp benelux day 2013 (amsterdam). it covers partial results of my research about managed antivirus software, especially how i’ve chained multiple mcafee epolicy orchestrator bugs and weaknesses in order to compromise both the epo server(s) and the managed stations. this is how epolicy 0wner tool was born. thanks to the audience and the staff ! it was a very pleasant moment :-) references: https://kc.mcafee.com/corporate/index?page=content&id=sb10042 http://www.kb.cert.org/vuls/id/209131 http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0140 http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0141 enjoy! (3 votes, average: 5.00 out of 5) loading... comments off on turning your antivirus into my botnet – owasp benelux 2013 – slides oct 27 13 watchguard – cve-2013-6021 – stack based buffer overflow exploit by foip 1. 
introduction this blog entry aims to provide the reader with technical details about the stack-based buffer overflow that we’ve discovered in the web administration console of the watchguard xtm appliance (cve-2013-6021), as well as our journey into the exploit development. while the bug was quite easy to discover, writing a reliable exploit was more challenging due to several limitations, including an impressive hardening of the device. it is worth to mention that by default,  the web console of the xtm appliance is not reachable from the untrusted interface as long as the firewall policy hasn’t been modified to allow external access. however, the xtmv version (virtual appliance) allows external access to the web console by default. 1.1 references http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6021 http://www.kb.cert.org/vuls/id/233990 http://watchguardsecuritycenter.com/2013/10/17/xtm-11-8-secfixes/ http://watchguardsecuritycenter.com/2013/10/17/watchguard-dimension-and-fireware-xtm-11-8/ read more… 4 comments « older entries looking for an ethical hacker ? i am also working as freelancer! please visit my company website: https://www.jnxsecurity.com . 
latest posts mcafee sitelist.xml password decryption reverse engineer a verisure wireless alarm part 2 – firmwares and crypto keys reverse engineer a verisure wireless alarm part 1 – radio communications gnu radio – cc1111 packets encoder/decoder blocks exploit: mcafee epolicy 0wner (epowner) v0.1 – release symantec endpoint protection manager – cve-2013-1612 – remote buffer overflow – poc turning your antivirus into my botnet – owasp benelux 2013 – slides watchguard – cve-2013-6021 – stack based buffer overflow exploit cracking watchguard passwords exploit: mcafee epolicy 0wner (epowner) – preview archives february 2016 (1) december 2014 (1) november 2014 (1) july 2014 (1) april 2014 (2) december 2013 (1) october 2013 (1) september 2013 (1) june 2013 (1) october 2012 (2) july 2012 (2) june 2012 (1) february 2012 (1) september 2011 (1) april 2011 (1) march 2011 (1) january 2011 (1) december 2010 (4) november 2010 (1) about these are small tips & trik that could be useful to you, or not. these materials are for educational and research purposes only. any actions and or activities related to the material contained within this website is solely your responsibility. categories backdoor exploits hacking metasploit network password cracking radio reverse engineering shellcoding web search copyright © 2016 your name here. titan theme by the theme foundry. © 2010-2016 fun over ip all rights reserved -- copyright notice by blog copyright


Here you will find all the text from your page as Google (googlebot) and other search engines see it.

Word density analysis:

Number of all words: 2155

One word


the - 6.36% (137)
and - 2.18% (47)
– - 1.44% (31)
pro - 1.25% (27)
are - 1.16% (25)
that - 1.11% (24)
2013 - 1.11% (24)
over - 1.07% (23)
all - 1.07% (23)
our - 0.93% (20)
for - 0.93% (20)
here - 0.88% (19)
read - 0.88% (19)
this - 0.88% (19)
code - 0.88% (19)
was - 0.84% (18)
http - 0.84% (18)
epo - 0.79% (17)
dec - 0.79% (17)
exploit - 0.74% (16)
you - 0.74% (16)
out - 0.7% (15)
(1) - 0.7% (15)
mcafee - 0.65% (14)
able - 0.65% (14)
with - 0.65% (14)
verisure - 0.65% (14)
using - 0.6% (13)
radio - 0.6% (13)
how - 0.56% (12)
based - 0.51% (11)
use - 0.51% (11)
web - 0.51% (11)
password - 0.51% (11)
security - 0.51% (11)
work - 0.51% (11)
part - 0.46% (10)
address - 0.46% (10)
own - 0.46% (10)
foip - 0.46% (10)
alarm - 0.42% (9)
into - 0.42% (9)
policy - 0.42% (9)
overflow - 0.42% (9)
poc - 0.42% (9)
your - 0.42% (9)
can - 0.42% (9)
memcpy() - 0.37% (8)
more - 0.37% (8)
stack - 0.37% (8)
epolicy - 0.37% (8)
comment - 0.37% (8)
thread - 0.37% (8)
wireless - 0.37% (8)
key - 0.37% (8)
not - 0.37% (8)
one - 0.32% (7)
will - 0.32% (7)
view - 0.32% (7)
watchguard - 0.32% (7)
symantec - 0.32% (7)
protection - 0.32% (7)
reverse - 0.32% (7)
buffer - 0.32% (7)
decrypt - 0.32% (7)
found - 0.32% (7)
approach - 0.32% (7)
any - 0.32% (7)
i’ve - 0.32% (7)
fun - 0.28% (6)
about - 0.28% (6)
encode - 0.28% (6)
communication - 0.28% (6)
sep - 0.28% (6)
but - 0.28% (6)
turn - 0.28% (6)
server - 0.28% (6)
cc1111 - 0.28% (6)
engineer - 0.28% (6)
0wner - 0.28% (6)
there - 0.28% (6)
know - 0.28% (6)
algorithm - 0.28% (6)
right - 0.28% (6)
comments - 0.23% (5)
bug - 0.23% (5)
please - 0.23% (5)
very - 0.23% (5)
provide - 0.23% (5)
gnu - 0.23% (5)
first - 0.23% (5)
where - 0.23% (5)
pointer - 0.23% (5)
only - 0.23% (5)
find - 0.23% (5)
copy - 0.23% (5)
version - 0.23% (5)
release - 0.23% (5)
firmware - 0.23% (5)
packet - 0.23% (5)
story - 0.23% (5)
2014 - 0.23% (5)
have - 0.23% (5)
them - 0.23% (5)
from - 0.23% (5)
more… - 0.23% (5)
some - 0.23% (5)
vulnerable - 0.23% (5)
cve-2013-1612 - 0.23% (5)
xtm - 0.23% (5)
nov - 0.23% (5)
frame - 0.23% (5)
communications - 0.19% (4)
here. - 0.19% (4)
observe - 0.19% (4)
antivirus - 0.19% (4)
therefore - 0.19% (4)
exploit: - 0.19% (4)
apr - 0.19% (4)
access - 0.19% (4)
however - 0.19% (4)
multiple - 0.19% (4)
two - 0.19% (4)
service - 0.19% (4)
new - 0.19% (4)
write - 0.19% (4)
decode - 0.19% (4)
each - 0.19% (4)
and/or - 0.19% (4)
encoder - 0.19% (4)
other - 0.19% (4)
need - 0.19% (4)
(epowner) - 0.19% (4)
so, - 0.19% (4)
:-) - 0.19% (4)
crypted - 0.19% (4)
following - 0.19% (4)
endpoint - 0.19% (4)
manager - 0.19% (4)
back - 0.19% (4)
remote - 0.19% (4)
cve-2013-6021 - 0.19% (4)
these - 0.19% (4)
hard - 0.19% (4)
seh-based - 0.19% (4)
2012 - 0.19% (4)
sitelist.xml - 0.19% (4)
2011 - 0.19% (4)
software - 0.19% (4)
packets - 0.19% (4)
keys - 0.19% (4)
june - 0.19% (4)
owasp - 0.19% (4)
benelux - 0.19% (4)
its - 0.19% (4)
get - 0.19% (4)
slides - 0.19% (4)
journey - 0.19% (4)
console - 0.19% (4)
request - 0.19% (4)
memory - 0.19% (4)
oct - 0.19% (4)
introduction - 0.19% (4)
off - 0.14% (3)
sepm - 0.14% (3)
environment - 0.14% (3)
while - 0.14% (3)
different - 0.14% (3)
references - 0.14% (3)
check - 0.14% (3)
v0.1 - 0.14% (3)
set - 0.14% (3)
after - 0.14% (3)
therefore, - 0.14% (3)
dep - 0.14% (3)
observed - 0.14% (3)
few - 0.14% (3)
used - 0.14% (3)
see - 0.14% (3)
blocks - 0.14% (3)
what - 0.14% (3)
help - 0.14% (3)
post - 0.14% (3)
through - 0.14% (3)
run - 0.14% (3)
ready - 0.14% (3)
crypto - 0.14% (3)
firmwares - 0.14% (3)
5.00 - 0.14% (3)
average: - 0.14% (3)
votes, - 0.14% (3)
appliance - 0.14% (3)
2016 - 0.14% (3)
december - 0.14% (3)
below - 0.14% (3)
since - 0.14% (3)
(2) - 0.14% (3)
passwords - 0.14% (3)
good - 0.14% (3)
decryption - 0.14% (3)
feb - 0.14% (3)
2010 - 0.14% (3)
cracking - 0.14% (3)
network - 0.14% (3)
search - 0.14% (3)
copyright - 0.14% (3)
home - 0.14% (3)
both - 0.14% (3)
loading... - 0.14% (3)
design - 0.14% (3)
because - 0.14% (3)
encoder/decoder - 0.14% (3)
jul - 0.14% (3)
name - 0.14% (3)
devices - 0.14% (3)
threads - 0.14% (3)
internet - 0.14% (3)
provided - 0.14% (3)
which - 0.14% (3)
detectors - 0.14% (3)
turning - 0.14% (3)
strong - 0.14% (3)
address” - 0.14% (3)
however, - 0.14% (3)
botnet - 0.14% (3)
debugger - 0.09% (2)
managed - 0.09% (2)
october - 0.09% (2)
september - 0.09% (2)
frame, - 0.09% (2)
return - 0.09% (2)
idea - 0.09% (2)
destination - 0.09% (2)
sent - 0.09% (2)
shellcode - 0.09% (2)
predictable - 0.09% (2)
useless - 0.09% (2)
instruction - 0.09% (2)
material - 0.09% (2)
source - 0.09% (2)
website - 0.09% (2)
research - 0.09% (2)
pleasant - 0.09% (2)
stack-based - 0.09% (2)
windows - 0.09% (2)
rop - 0.09% (2)
especially - 0.09% (2)
writing - 0.09% (2)
330 - 0.09% (2)
address. - 0.09% (2)
default, - 0.09% (2)
/gs - 0.09% (2)
approach, - 0.09% (2)
starts - 0.09% (2)
download - 0.09% (2)
:-/ - 0.09% (2)
blog - 0.09% (2)
allow - 0.09% (2)
compromise - 0.09% (2)
external - 0.09% (2)
february - 0.09% (2)
try - 0.09% (2)
day - 0.09% (2)
give - 0.09% (2)
november - 0.09% (2)
july - 0.09% (2)
april - 0.09% (2)
has - 0.09% (2)
passed - 0.09% (2)
content - 0.09% (2)
interesting - 0.09% (2)
reader - 0.09% (2)
knowledge - 0.09% (2)
testing - 0.09% (2)
additional - 0.09% (2)
step - 0.09% (2)
second - 0.09% (2)
learn - 0.09% (2)
actually - 0.09% (2)
aes - 0.09% (2)
also - 0.09% (2)
sdr - 0.09% (2)
yes - 0.09% (2)
clear - 0.09% (2)
broken - 0.09% (2)
weaknesses - 0.09% (2)
we’ve - 0.09% (2)
been - 0.09% (2)
keep - 0.09% (2)
performed - 0.09% (2)
inside - 0.09% (2)
alarm. - 0.09% (2)
time - 0.09% (2)
jwbtys7bl1hj7pko5di/qhhymcgj5cooz2okdtrfxsr/abafpm9b3q== - 0.09% (2)
triggering - 0.09% (2)
simply - 0.09% (2)
hacking - 0.09% (2)
backdoor - 0.09% (2)
exploits - 0.09% (2)
metasploit - 0.09% (2)
engineering - 0.09% (2)
shellcoding - 0.09% (2)
pointed - 0.09% (2)
who - 0.09% (2)
encrypted - 0.09% (2)
worked - 0.09% (2)
short - 0.09% (2)
knew - 0.09% (2)
another - 0.09% (2)
link - 0.09% (2)
encryption - 0.09% (2)
3des - 0.09% (2)
orchestrator - 0.09% (2)
indeed - 0.09% (2)
same - 0.09% (2)
xor - 0.09% (2)
bit - 0.09% (2)
were - 0.09% (2)
setup - 0.09% (2)
overwritten - 0.09% (2)
server) - 0.09% (2)
wait - 0.09% (2)
march - 0.09% (2)
2013. - 0.09% (2)
still - 0.09% (2)
really - 0.09% (2)
long - 0.09% (2)
save - 0.09% (2)
companies - 0.09% (2)
reliable - 0.09% (2)
overwrite - 0.09% (2)
servers - 0.09% (2)
unfortunately, - 0.09% (2)
due - 0.09% (2)
technique - 0.09% (2)
compiled - 0.09% (2)
bypass - 0.09% (2)
protections - 0.09% (2)
usual - 0.09% (2)
process - 0.09% (2)
when - 0.09% (2)
currently - 0.09% (2)
within - 0.09% (2)
sensors - 0.09% (2)
contains - 0.09% (2)
central - 0.09% (2)
open - 0.09% (2)
starting - 0.09% (2)
aims - 0.09% (2)
between - 0.09% (2)
words, - 0.09% (2)
recently - 0.09% (2)
chips - 0.09% (2)
already - 0.09% (2)
several - 0.09% (2)
similar - 0.09% (2)
am) - 0.09% (2)
deal - 0.09% (2)
header - 0.09% (2)
length, - 0.09% (2)
whitening - 0.09% (2)
checksum - 0.09% (2)
byte - 0.09% (2)
released - 0.09% (2)
response - 0.09% (2)
something - 0.09% (2)
theme - 0.09% (2)
of the - 0.79% (17)
to the - 0.37% (8)
by foip - 0.37% (8)
buffer overflow - 0.32% (7)
in the - 0.32% (7)
reverse engineer - 0.28% (6)
with the - 0.28% (6)
a verisure - 0.28% (6)
epolicy 0wner - 0.28% (6)
and the - 0.28% (6)
at the - 0.28% (6)
verisure wireless - 0.28% (6)
that i - 0.28% (6)
the first - 0.23% (5)
wireless alarm - 0.23% (5)
gnu radio - 0.23% (5)
mcafee epolicy - 0.23% (5)
read more… - 0.23% (5)
the following - 0.19% (4)
engineer a - 0.19% (4)
is the - 0.19% (4)
remote buffer - 0.19% (4)
can be - 0.19% (4)
exploit: mcafee - 0.19% (4)
owasp benelux - 0.19% (4)
out of - 0.19% (4)
0wner (epowner) - 0.19% (4)
endpoint protection - 0.19% (4)
alarm part - 0.19% (4)
here is - 0.19% (4)
poc code - 0.19% (4)
memcpy() frame - 0.19% (4)
2011 (1) - 0.19% (4)
out the - 0.19% (4)
how to - 0.19% (4)
i have - 0.19% (4)
2013 (1) - 0.19% (4)
by the - 0.19% (4)
protection manager - 0.19% (4)
symantec endpoint - 0.19% (4)
– cve-2013-1612 - 0.14% (3)
about the - 0.14% (3)
after the - 0.14% (3)
1 comment - 0.14% (3)
the memcpy() - 0.14% (3)
need to - 0.14% (3)
using this - 0.14% (3)
v0.1 – - 0.14% (3)
2013 – - 0.14% (3)
thread id - 0.14% (3)
cve-2013-1612 – - 0.14% (3)
botnet – - 0.14% (3)
off on - 0.14% (3)
the poc - 0.14% (3)
– remote - 0.14% (3)
– poc - 0.14% (3)
– release - 0.14% (3)
your antivirus - 0.14% (3)
). the - 0.14% (3)
into my - 0.14% (3)
manager – - 0.14% (3)
(epowner) v0.1 - 0.14% (3)
overflow – - 0.14% (3)
of them - 0.14% (3)
the web - 0.14% (3)
mcafee sitelist.xml - 0.14% (3)
2014 (1) - 0.14% (3)
votes, average: - 0.14% (3)
5.00 out - 0.14% (3)
based buffer - 0.14% (3)
foip 1. - 0.14% (3)
radio communications - 0.14% (3)
the alarm - 0.14% (3)
part 1 - 0.14% (3)
to know - 0.14% (3)
the service - 0.14% (3)
packets encoder/decoder - 0.14% (3)
5) loading... - 0.14% (3)
comments off - 0.14% (3)
average: 5.00 - 0.14% (3)
stack based - 0.14% (3)
therefore, a - 0.09% (2)
reverse engineering - 0.09% (2)
cracking radio - 0.09% (2)
(1) april - 0.09% (2)
shellcoding web - 0.09% (2)
network password - 0.09% (2)
over ip - 0.09% (2)
2012 (1) - 0.09% (2)
2012 (2) - 0.09% (2)
(1) october - 0.09% (2)
in this - 0.09% (2)
xtm appliance - 0.09% (2)
loading... comments - 0.09% (2)
writing a - 0.09% (2)
is how - 0.09% (2)
overflow exploit - 0.09% (2)
– stack - 0.09% (2)
(3 votes, - 0.09% (2)
watchguard – - 0.09% (2)
web console - 0.09% (2)
external access - 0.09% (2)
cve-2013-6021 – - 0.09% (2)
the xtm - 0.09% (2)
console of - 0.09% (2)
– cve-2013-6021 - 0.09% (2)
fun over - 0.09% (2)
write at - 0.09% (2)
part 2 - 0.09% (2)
access to - 0.09% (2)
that verisure - 0.09% (2)
design and - 0.09% (2)
a clear - 0.09% (2)
to get - 0.09% (2)
using gnu - 0.09% (2)
first part - 0.09% (2)
my verisure - 0.09% (2)
post is - 0.09% (2)
and crypto - 0.09% (2)
– firmwares - 0.09% (2)
password : - 0.09% (2)
is not - 0.09% (2)
epolicy orchestrator - 0.09% (2)
i’ve found - 0.09% (2)
that the - 0.09% (2)
from the - 0.09% (2)
i knew - 0.09% (2)
very good - 0.09% (2)
password decryption - 0.09% (2)
engineering shellcoding - 0.09% (2)
radio reverse - 0.09% (2)
password cracking - 0.09% (2)
metasploit network - 0.09% (2)
the alarm. - 0.09% (2)
– radio - 0.09% (2)
http request - 0.09% (2)
overflow that - 0.09% (2)
i need - 0.09% (2)
the address - 0.09% (2)
by default, - 0.09% (2)
address of - 0.09% (2)
memcpy() frame, - 0.09% (2)
to our - 0.09% (2)
the the - 0.09% (2)
only a - 0.09% (2)
i’ve observed - 0.09% (2)
the stack - 0.09% (2)
due to - 0.09% (2)
reliable exploit - 0.09% (2)
the central - 0.09% (2)
backdoor exploits - 0.09% (2)
a while - 0.09% (2)
will be - 0.09% (2)
on the - 0.09% (2)
servers are - 0.09% (2)
using the - 0.09% (2)
encode and - 0.09% (2)
– cc1111 - 0.09% (2)
more… 1 - 0.09% (2)
aims to - 0.09% (2)
part of - 0.09% (2)
clear view - 0.09% (2)
copyright - 0.09% (2)
verisure wireless alarm - 0.23% (5)
mcafee epolicy 0wner - 0.19% (4)
reverse engineer a - 0.19% (4)
engineer a verisure - 0.19% (4)
wireless alarm part - 0.19% (4)
remote buffer overflow - 0.19% (4)
endpoint protection manager - 0.19% (4)
exploit: mcafee epolicy - 0.19% (4)
botnet – owasp - 0.14% (3)
benelux 2013 – - 0.14% (3)
the memcpy() frame - 0.14% (3)
based buffer overflow - 0.14% (3)
buffer overflow – - 0.14% (3)
cve-2013-1612 – remote - 0.14% (3)
protection manager – - 0.14% (3)
(epowner) v0.1 – - 0.14% (3)
packets encoder/decoder blocks - 0.14% (3)
antivirus into my - 0.14% (3)
0wner (epowner) v0.1 - 0.14% (3)
foip 1. introduction - 0.14% (3)
– cve-2013-1612 – - 0.14% (3)
your antivirus into - 0.14% (3)
my botnet – - 0.14% (3)
owasp benelux 2013 - 0.14% (3)
out of 5) - 0.14% (3)
votes, average: 5.00 - 0.14% (3)
radio – cc1111 - 0.09% (2)
and crypto keys - 0.09% (2)
2 – firmwares - 0.09% (2)
the web console - 0.09% (2)
cve-2013-6021 – stack - 0.09% (2)
– cve-2013-6021 – - 0.09% (2)
fun over ip - 0.09% (2)
the address of - 0.09% (2)
loading... comments off - 0.09% (2)
more… 1 comment - 0.09% (2)
reverse engineering shellcoding - 0.09% (2)
part 2 – - 0.09% (2)
firmwares and crypto - 0.09% (2)
this post is - 0.09% (2)
of my verisure - 0.09% (2)
the first part - 0.09% (2)
part 1 – - 0.09% (2)
a clear view - 0.09% (2)
gnu radio – - 0.09% (2)
write at the - 0.09% (2)
cc1111 packets encoder/decoder - 0.09% (2)
here is a - 0.09% (2)
buffer overflow that - 0.09% (2)
the poc code - 0.09% (2)
need to know - 0.09% (2)
password cracking radio - 0.09% (2)
the memcpy() frame, - 0.09% (2)
i need to - 0.09% (2)
stack based buffer - 0.09% (2)

Here you can find a chart of all your popular one-, two- and three-word phrases. Google and other search engines take your page to be about the words you use frequently.

Copyright © 2015-2016 hupso.pl. All rights reserved.

Hupso.pl is a website where, with a single click, you can quickly and easily check a website for SEO. We offer free website positioning as well as valuation of domains and websites. We run a ranking of Polish websites and an Alexa site ranking.