
Leaderboard

Popular Content

Showing content with the highest reputation on 02/02/19 in all areas

  1. Mihaita Boss found the solution: https://www.youtube.com/watch?v=lbc-z3e7LRs
    2 points
  2. You ought to be shot. Point blank.
    1 point
  3. I see you and aureL are in cahoots. Are you working for Vlad the Scammer, spinning his roulette wheel?
    1 point
  4. If only everyone had a teacher like this https://m.facebook.com/story.php?story_fbid=1739838822809785&id=313227042137369
    1 point
  5. How is it free, when the man is offering prizes, and a renowned casino at that.. good luck with it, boys
    1 point
  6. https://security-tracker.debian.org/tracker/CVE-2019-3462
     Hmm, interesting: https://github.com/asim-jaweesh/Packet-Injection-in-Sudan-Analysis

     TL;DR
     All issues discussed here ARE a result of caching servers that served older versions of software over insecure protocols and channels.

     Shady downloads and redirections
     To analyze samples downloaded over insecure channels and secure channels from Sudanese ISPs.

     [Update] January 2019
     Some people started referencing this repo as solid proof that the Sudanese government is using the APT vulnerability CVE-2019-3462 (https://security-tracker.debian.org/tracker/CVE-2019-3462) and maybe others like CVE-2016-1252 (https://security-tracker.debian.org/tracker/CVE-2016-1252) to run malicious payloads. I do not support this theory without solid proof and I don't have one. SO DON'T REFERENCE THIS REPO AS PROOF FOR THE USAGE OF THE APT-GET VULNERABILITY BY THE SUDANESE GOVT.

     Someone (Thank you!) pointed out to me that the hashes for the Comodo antivirus sample I had are the legit ones, only an old vs new hash difference, which is a valid claim I can confirm:

         #md5sum cav_installer-original.exe cav_installer-intercepted.exe
         7ac6a0bd1c5c0513b2a0bd800a52d084  cav_installer-original.exe
         2a2cc463a03efd593ed0da875227cee4  cav_installer-intercepted.exe

     This hash 7ac6a0bd1c5c0513b2a0bd800a52d084 dates to 22 Feb 2018 (the file downloaded over VPN, hence it was over HTTPS and a caching proxy, if any, couldn't cache it) (https://malwaretips.com/threads/comodo-internet-security-v10-2-0-6514-released.80123/), while this hash 2a2cc463a03efd593ed0da875227cee4 dates to 24 Nov 2017 (the file that got redirected to an IP owned by ZAIN ISP, probably a caching server with an old version) (https://malwaretips.com/threads/comodo-internet-security-v10-0-2-6420-hotfix-released.77556/). As I found out there are only 5 different installed files between the two installers, which is a good way to say that these installers had hotfixes.

     Moreover, when I ran apt-get update a hash-mismatch error was generated because out of the box my Kali Linux supports only HTTP updates and my ISP servers happily served older files with different hashes. As I said before, the sole purpose of this repository is just to try and shed some light on what was happening to me and others in Sudan.

     Introduction and Disclaimers
     I created this repository to analyze, collect samples and collaborate efforts towards what is now affecting all ISPs in Sudan (Zain, MTN and Sudani). I am not, and will not be held responsible for any illegal actions or misinterpretation of what comes next in the following analysis; this project started to shed some light on what is going on with internet usage and freedom in my country and nothing else. I am not carrying out any illegal actions; anything mentioned here is readily available on the internet with the respective sources mentioned.

     The story begins when noticing a hash mismatch when running apt-get update on most Linux distributions. The issue was more clear when WhatsApp used to download APK files over HTTP, and the connection got redirected and tampered with, resulting in an APK different in size and hash from the one downloaded over a VPN connection. However, since WhatsApp started using HTTPS for downloading and shifted to Google Play and the Apple Store, we started collecting samples from antivirus software that is downloaded over unencrypted HTTP channels for comparison purposes.

     Organization of the Repo
     Analysis will be on this page while samples will have their own folder; executables, packet captures and binary diffs will be in the respective folder for each sample.

     Repo
       - samples
         - Comodo antivirus files, description and details
         - network captures files, description and details
       - main analysis page

     Observations and Analysis
     When updating Linux repositories one notices a hash mismatch and has to connect to a VPN in order to successfully update the system repositories, which indicates that ISPs like MTN, Zain and Sudani have some sort of caching proxies or packet injection on the fly. However, some people would say this is a caching proxy, which is an invalid claim, as caching proxies do not tamper with the package; it may cache an older version but will not change a package structure, so it is not the case here. Indeed I was served older versions of software!

     Running a Linux update from the MTN network results in a size mismatch and is ignored (notice the HTTP connections):

         apt-get update
         Get:1 http://kali-za.bitcrack.net/kali kali-rolling InRelease [30.5 kB]
         Get:2 http://kali-za.bitcrack.net/kali kali-rolling/main i386 Packages [15.9 MB]
         Get:3 http://kali-za.bitcrack.net/kali kali-rolling/main i386 Contents (deb) [33.9 MB]
         Err:3 http://kali-za.bitcrack.net/kali kali-rolling/main i386 Contents (deb)
           File has unexpected size (32613856 != 33858927). Mirror sync in progress? [IP: 172.19.66.104 80]
           Hashes of expected file:
            - Filesize:33858927 [weak]
            - SHA256:dbde5770ab080420d319c9e0017bc02acd4d7af859176d4a7eb48a954da77e85
            - SHA1:32a011cc46fa16ac7c266010afc8f25ce3e50a08 [weak]
            - MD5Sum:39c82afd6f4b1bdda0f0f03d2369a3fe [weak]
           Release file created at: Tue, 13 Mar 2018 06:05:18 +0000
         Fetched 15.9 MB in 27s (579 kB/s)
         Reading package lists... Done
         E: Failed to fetch http://172.19.66.104:80/videoplayer/Contents-i386.gz?ich_u_r_i=5822d70054b7a4f932aa42e6efd1a6e0&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=ad2b5c90b231a53049d2521a25604a0e4db61d405213ad8bbadbfbc1e219b072&ich_t_y_p_e=1&ich_d_i_s_k_i_d=12&ich_s_e_q=2679810&ich_u_n_i_t=1  File has unexpected size (32613856 != 33858927). Mirror sync in progress? [IP: 172.19.66.104 80]
            Hashes of expected file:
             - Filesize:33858927 [weak]
             - SHA256:dbde5770ab080420d319c9e0017bc02acd4d7af859176d4a7eb48a954da77e85
             - SHA1:32a011cc46fa16ac7c266010afc8f25ce3e50a08 [weak]
             - MD5Sum:39c82afd6f4b1bdda0f0f03d2369a3fe [weak]
            Release file created at: Tue, 13 Mar 2018 06:05:18 +0000
         E: Some index files failed to download. They have been ignored, or old ones used instead.

     IP addresses in question
     Caching server IP addresses that I was redirected to:

         IP              net               Date reported   notes
         172.19.66.104   PRIVATE IP SPACE  13-March-2018   indicates inside MTN network device
         41.223.201.247  Zain                              IP is down

     Trying to download antivirus software over an unencrypted HTTP channel results in the same IP address redirection and size mismatch; however, downloading the same file over a VPN results in a proper, safe download of the file. Again, a caching server presenting an older version:

         wget -d "http://download.comodo.com/cis/download/installs/1000/standalone/cav_installer.exe"
         DEBUG output created by Wget 1.19.4 on linux-gnu.
         Reading HSTS entries from /root/.wget-hsts
         URI encoding = ‘UTF-8’
         Converted file name 'cav_installer.exe' (UTF-8) -> 'cav_installer.exe' (UTF-8)
         --2018-03-13 14:17:04--  http://download.comodo.com/cis/download/installs/1000/standalone/cav_installer.exe
         Resolving download.comodo.com (download.comodo.com)... 178.255.82.5, 2a02:1788:4fd::b2ff:5205
         Caching download.comodo.com => 178.255.82.5 2a02:1788:4fd::b2ff:5205
         Connecting to download.comodo.com (download.comodo.com)|178.255.82.5|:80... connected.
         Created socket 3.
         Releasing 0x019330a0 (new refcount 1).

         ---request begin---
         GET /cis/download/installs/1000/standalone/cav_installer.exe HTTP/1.1
         User-Agent: Wget/1.19.4 (linux-gnu)
         Accept: */*
         Accept-Encoding: identity
         Host: download.comodo.com
         Connection: Keep-Alive

         ---request end---
         HTTP request sent, awaiting response...
         ---response begin---
         HTTP/1.1 302 Found
         Connection: close
         Location: http://172.19.66.104:80/videoplayer/cav_installer.exe?ich_u_r_i=61fee96fe236ac22746eb8d0992e0474&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=ad2b5c90b231a53049d2521a25604a0e510bcc0556d2e91988e988dfb864d267&ich_t_y_p_e=1&ich_d_i_s_k_i_d=6&ich_s_e_q=2691841&ich_u_n_i_t=1
         Pragma: no-cache

         ---response end---
         302 Found
         Location: http://172.19.66.104:80/videoplayer/cav_installer.exe?ich_u_r_i=61fee96fe236ac22746eb8d0992e0474&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=ad2b5c90b231a53049d2521a25604a0e510bcc0556d2e91988e988dfb864d267&ich_t_y_p_e=1&ich_d_i_s_k_i_d=6&ich_s_e_q=2691841&ich_u_n_i_t=1 [following]
         Closed fd 3
         URI content encoding = None
         Converted file name 'cav_installer.exe' (UTF-8) -> 'cav_installer.exe' (UTF-8)
         --2018-03-13 14:17:04--  http://172.19.66.104/videoplayer/cav_installer.exe?ich_u_r_i=61fee96fe236ac22746eb8d0992e0474&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=ad2b5c90b231a53049d2521a25604a0e510bcc0556d2e91988e988dfb864d267&ich_t_y_p_e=1&ich_d_i_s_k_i_d=6&ich_s_e_q=2691841&ich_u_n_i_t=1
         Connecting to 172.19.66.104:80... connected.
         Created socket 3.
         Releasing 0x01934090 (new refcount 0).
         Deleting unused 0x01934090.

         ---request begin---
         GET /videoplayer/cav_installer.exe?ich_u_r_i=61fee96fe236ac22746eb8d0992e0474&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=ad2b5c90b231a53049d2521a25604a0e510bcc0556d2e91988e988dfb864d267&ich_t_y_p_e=1&ich_d_i_s_k_i_d=6&ich_s_e_q=2691841&ich_u_n_i_t=1 HTTP/1.1
         User-Agent: Wget/1.19.4 (linux-gnu)
         Accept: */*
         Accept-Encoding: identity
         Host: 172.19.66.104
         Connection: Keep-Alive

         ---request end---
         HTTP request sent, awaiting response...
         ---response begin---
         HTTP/1.1 200 OK
         Server: httpserver
         Date: Tue, 13 Mar 2018 11:17:42 GMT
         Content-Type: application/octet-stream
         Connection: keep-alive
         Content-Length: 5500784
         Last-Modified: Fri, 24 Nov 2017 08:44:30 GMT
         Content-Disposition: attachment; filename="cav_installer.exe"
         Expires: Tue, 13 Mar 2018 11:17:42 GMT
         Cache-Control: max-age=0
         Accept-Ranges: bytes

         ---response end---
         200 OK
         Registered socket 3 for persistent reuse.
         Length: 5500784 (5.2M) [application/octet-stream]
         Saving to: ‘cav_installer.exe’

         cav_installer.exe   100%[====================================================================================================>]   5.25M   880KB/s    in 9.4s

         2018-03-13 14:17:14 (570 KB/s) - ‘cav_installer.exe’ saved [5500784/5500784]

         sha256sum *
         24f071a2cad7c90b31bf6a3d380ac960d582684379b8ebee1359c3a610f04814  cav_installer-over-VPN.exe
         2f3effd8f5598264ec0f39f6880ccf46c1cab8168abfe283a70a3ee4c0c8fffd  cav_installer-intercepted.exe

     (image: an old WhatsApp download from a strange IP address)

     Past stories and leaks (irrelevant after confirming caching servers)
     In 2013 reports found that Blue Coat's tools have been used to censor web sites and monitor the communications of dissidents, activists and journalists in Sudan, Iran and Syria. These countries are sanctioned and sales of such devices, technology and systems are prohibited by law, but they managed to get them and utilize them.
     https://www.washingtonpost.com/world/national-security/report-web-monitoring-devices-made-by-us-firm-blue-coat-detected-in-iran-sudan/2013/07/08/09877ad6-e7cf-11e2-a301-ea5a8116d211_story.html?utm_term=.01efb1ac0017

     "In Sudan, the Citizen Lab identified the Blue Coat devices on the networks of commercial Internet service provider Canar Telecom. The country, which also faces U.S. sanctions, continues to use the Internet to restrict freedom of expression and crack down on journalists. Sudanese Internet service providers have censored Web sites covering sensitive political protests." (same source)

     In 2014 a Citizen Lab report revealed evidence that Hacking Team's RCS (Remote Control System) was being used by the Sudanese government, something the Italian company flat-out denied.
     https://citizenlab.ca/storage/bluecoat/CitLab-PlanetBlueCoatRedux-FINAL.pdf

     In 2015 HackingTeam, an Italian-based IT company that sells offensive intrusion and surveillance software to governments, law enforcement agencies and corporations, was hacked and 400GB of data including internal emails, invoices and source code was leaked, and WikiLeaks has the files indexed so you can look them up. However, HackingTeam had stated before that it has never done business with Sudan. In the leak a contract with Sudan valued at 480,000 Euro and dated July 2, 2012 was published as part of the 400GB cache; in addition, a maintenance list named Sudan as a customer, but one that was "not officially supported".
     https://www.csoonline.com/article/2944333/data-breach/hacking-team-responds-to-data-breach-issues-public-threats-and-denials.html

     In 2016 a friend of mine faced the same issue https://twitter.com/el_ammari/status/723555290550013957

     Conclusions
     What was happening is that ISPs were using caching servers and serving older versions of any software downloaded over insecure channels. There is some sort of packet interception and modification on the fly for unencrypted downloads and traffic; however, a VPN connection will prevent this from happening.

     How you can help?
     Please, if you live in Sudan and can provide me with a network capture or a memory dump of running apt-get update while you get a hash mismatch error, I would be sure whether this is a threat or just a case of noisy caching servers.
    1 point
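The symptom quoted in the post above (an apt index or an installer that arrives with a different size and hash after a 302 to an address in private IP space) can be checked mechanically. The following Python is an added example, not code from the post or from the Packet-Injection-in-Sudan-Analysis repository: it parses apt's "File has unexpected size" error and wget's Location header, flags literal hosts that fall in private address space, and compares what was actually downloaded against the expected SHA256. The sample lines are constructed from the output quoted in the post; the function names and the byte string fed to verify_download are assumptions of this example.

```python
# Added example (not from the forum post or the quoted repository): checks a
# defender can run over apt/wget output like the one quoted above. It flags
# (1) HTTP redirects that land on private (RFC 1918 / loopback / link-local)
#     address space, and
# (2) size and hash mismatches between what the index promised and what arrived.
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines, modelled on the apt-get and wget output quoted in
# the post. The IP and the SHA256 are the values printed there.
APT_OUTPUT = """\
Err:3 http://kali-za.bitcrack.net/kali kali-rolling/main i386 Contents (deb)
  File has unexpected size (32613856 != 33858927). Mirror sync in progress? [IP: 172.19.66.104 80]
  Hashes of expected file:
   - Filesize:33858927 [weak]
   - SHA256:dbde5770ab080420d319c9e0017bc02acd4d7af859176d4a7eb48a954da77e85
"""

WGET_OUTPUT = """\
HTTP/1.1 302 Found
Connection: close
Location: http://172.19.66.104:80/videoplayer/cav_installer.exe?ich_u_r_i=61fee96fe236ac22746eb8d0992e0474
Pragma: no-cache
"""

SIZE_RE = re.compile(r"File has unexpected size \((\d+) != (\d+)\).*?\[IP: (\S+) (\d+)\]")
SHA256_RE = re.compile(r"SHA256:([0-9a-f]{64})")
LOCATION_RE = re.compile(r"^Location:\s*(\S+)", re.MULTILINE)


def is_private_host(host):
    """True when host is a literal IP inside private, loopback or link-local space.
    Hostnames (not literal IPs) return False; resolve them first if needed."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def parse_apt_size_error(text):
    """Extract received/expected sizes, the serving IP and the expected SHA256
    from an apt 'File has unexpected size' error. Returns None if absent."""
    m = SIZE_RE.search(text)
    if not m:
        return None
    got, expected, ip, port = m.groups()
    sha = SHA256_RE.search(text)
    return {
        "got_size": int(got),
        "expected_size": int(expected),
        "server_ip": ip,
        "server_port": int(port),
        "expected_sha256": sha.group(1) if sha else None,
        "served_from_private_ip": is_private_host(ip),
    }


def suspicious_redirects(text):
    """Return every Location target whose host is a literal private-space IP."""
    out = []
    for loc in LOCATION_RE.findall(text):
        host = urlparse(loc).hostname
        if host and is_private_host(host):
            out.append(loc)
    return out


def verify_download(data, expected_sha256, expected_size=None):
    """Compare the bytes actually received with what the index promised."""
    digest = hashlib.sha256(data).hexdigest()
    size_ok = expected_size is None or len(data) == expected_size
    return {"sha256": digest, "hash_ok": digest == expected_sha256, "size_ok": size_ok}


if __name__ == "__main__":
    print(parse_apt_size_error(APT_OUTPUT))
    print(suspicious_redirects(WGET_OUTPUT))
    # Constructed payload standing in for a downloaded file.
    print(verify_download(b"constructed sample", "0" * 64, 33858927))
```

A redirect into private address space from a public download host is the fingerprint the post describes, and an index file whose size or hash differs from the signed Release metadata is exactly what apt refuses to use; the two checks together separate a stale cache from a modified download.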
  7. Scammers. I propose the next challenge be something with karaoke. There are surely people around here with hidden talents, or who missed their calling.
    1 point
  8. Creating your own Wallhack
     niemand, posted on January 13, 2019

     Wallhack
     In the previous posts we have done most of the heavy work, but what comes now is really simple compared with the rest. We have created a basic template for hooking DirectX11 and injecting our own interface, then we created a Model Logger that allows us to highlight and identify the most important Models we want to modify, but something is missing, right? What can we do once we have the correct model highlighted? One of those things is a Wallhack, of course! If you are here you know what a Wallhack is; this kind of game tweaking has always been known. In this post, we are going to see how to use our template to enable Wallhacking on the selected models, or, what is the same thing, disable Z-Buffering on DirectX, revealing enemies behind other objects.

     How does Z-Buffering work?
     Z-Buffering, or Depth-Stencil (as it is known in version 11), is a property that stores depth information used by DirectX when it is rendering a scene. It determines how deep each pixel is in the scene. By doing this, DirectX knows exactly which pixels to render from each model based on the value of this attribute. If we imagine this as a two-dimensional array, it will select for each pixel in X and Y the value based on the Z-Buffering value; in other words, the object/model that is closer to the point of view.
     http://www.racketboy.com/retro/about-video-games-rasterization-and-z-buffer

     The main idea here will be to disable Z-Buffering for the models we want to reveal behind the rest of the models (walls, floors, etc).

     DirectX 9 vs DirectX 11
     In both versions this is actually quite easy; however, I want to remark on the differences. For version 9, disabling is as simple as calling the method IDirect3DDevice9::SetRenderState, which receives two parameters: the device state variable that will be modified, and the new value.

         pDevice->SetRenderState(D3DRS_ZENABLE, false);

     In this case, the variable we need to modify is D3DRS_ZENABLE, and the new value is false. It's just as simple as that. Something important that we have to remember for both versions is that we need to enable this again after calling the original DrawIndexedPrimitive, enabling Z-Buffering for all the rest of the models.

     For version 11, two different methods are required: ID3D11Device::CreateDepthStencilState and ID3D11DeviceContext::OMSetDepthStencilState. The first one will be used to create an ID3D11DepthStencilState that will disable Z-Buffering and then be sent as a parameter to the second method when the model we want to reveal is being rendered, that is, inside DrawIndexed. More info here.

     Let's jump to the code! Oh wait, before that, I would like to summarize the steps we need to implement our wallhack:
       1. Create a new DepthStencilState disabling Z-Buffering
       2. Check if we are rendering the target model
       3. Disable Z-Buffering
       4. Render the Model
       5. Enable Z-Buffering again

     Create a new DepthStencilState disabling Z-Buffering
     How to create a new DepthStencilState is detailed in Microsoft documentation: Configuring Depth-Stencil Functionality. But remember that we will need to disable the Z-Buffering, so our version will be like this:

         ID3D11DepthStencilState *m_DepthStencilState;

         // Disabling Z-Buffering
         D3D11_DEPTH_STENCIL_DESC depthStencilDesc;
         depthStencilDesc.DepthEnable = TRUE;
         depthStencilDesc.DepthWriteMask = D3D11_DEPTH_WRITE_MASK_ALL;
         depthStencilDesc.DepthFunc = D3D11_COMPARISON_ALWAYS;
         depthStencilDesc.StencilEnable = FALSE;
         depthStencilDesc.StencilReadMask = 0xFF;
         depthStencilDesc.StencilWriteMask = 0xFF;

         // Stencil operations if pixel is front-facing
         depthStencilDesc.FrontFace.StencilFailOp = D3D11_STENCIL_OP_KEEP;
         depthStencilDesc.FrontFace.StencilDepthFailOp = D3D11_STENCIL_OP_INCR;
         depthStencilDesc.FrontFace.StencilPassOp = D3D11_STENCIL_OP_KEEP;
         depthStencilDesc.FrontFace.StencilFunc = D3D11_COMPARISON_ALWAYS;

         // Stencil operations if pixel is back-facing
         depthStencilDesc.BackFace.StencilFailOp = D3D11_STENCIL_OP_KEEP;
         depthStencilDesc.BackFace.StencilDepthFailOp = D3D11_STENCIL_OP_DECR;
         depthStencilDesc.BackFace.StencilPassOp = D3D11_STENCIL_OP_KEEP;
         depthStencilDesc.BackFace.StencilFunc = D3D11_COMPARISON_ALWAYS;

     Now it's time to call CreateDepthStencilState. We will pass as parameters the D3D11_DEPTH_STENCIL_DESC we just created and a pointer to our new ID3D11DepthStencilState.

         pDevice->CreateDepthStencilState(&depthStencilDesc, &m_DepthStencilState);

     Now we are ready to move to the next step.

     Check if we are rendering the target model
     In our previous version of the template, we have been doing something similar to what we need here, but it will be better if we make some improvements. Until now we were checking the model we were currently rendering inside our hooked DrawIndexed method, but this was when we had a list of Models and we wanted to identify our target. What could we do now? Well, if we did our homework, we should have by now the Model Properties of our target and it's time to use them. Let's create a new std::unordered_set to store all the properties belonging to the Models we want to reveal and store our collected values there:

         std::unordered_set<propertiesModel> wallhackParams;

         void setupWallhack() {
             propertiesModel wallhackParamsItem;
             wallhackParamsItem.stride = 8;
             wallhackParamsItem.vedesc_ByteWidth = 16552;
             wallhackParamsItem.indesc_ByteWidth = 10164;
             wallhackParamsItem.pscdesc_ByteWidth = 832;
             wallhackParams.insert(wallhackParamsItem);
         }

     Those values belong to the models of the enemies at mid/large range in Vermintide 2, and I found them by logging the Models with our template. In many games you will see that enemies may be split into multiple models, not only for the parts of the body/clothes, but also these models could change depending on the distance between you and the object. Selecting the model used for rendering my enemy at mid/large range allows me to see them normally when they are close but highlighted when they aren't next to me.

     Now we will modify our validations to see if we are rendering not only our current item from the Model List, but also one of the targeted models:

         if ((paramsModel == currentParams || wallhackParams.find(paramsModel) != wallhackParams.end()) && bShader) {
             // SNIPPED
             if (bWallhack) {
                 // DISABLE Z-Buffering
             }
         } else if ((paramsModel == currentParams || wallhackParams.find(paramsModel) != wallhackParams.end()) && bTexture) {
             // SNIPPED
             if (bWallhack) {
                 // DISABLE Z-Buffering
             }
         }

     If wallhackParams does not contain paramsModel, find will return the .end() element, as the documentation says: std::set::find

     Disable Z-Buffering
     It's as simple as the following line:

         pContext->OMSetDepthStencilState(m_DepthStencilState, 0);

     We are calling OMSetDepthStencilState with the DepthStencilState pointer we created before.

     Render the Model
     Then we have to call the original DrawIndexed:

         fnID3D11DrawIndexed(pContext, IndexCount, StartIndexLocation, BaseVertexLocation);

     Enable Z-Buffering again
     What would happen if we do not enable Z-Buffering again? We would be revealing multiple objects of the game, since none of them would have Z-Buffering enabled. That's why we will need to store the original DepthStencilState we had before disabling it:

         UINT stencilValue = 0;
         pContext->OMGetDepthStencilState(&m_origDepthStencilState, &stencilValue);

     And finally, after calling DrawIndexed, we set this value again:

         pContext->OMSetDepthStencilState(m_origDepthStencilState, stencilValue);

     Result
     Once we have everything working we will see something like this: (image)

     Next Steps?
     DirectX is extremely powerful and we have seen just a few examples of what we can do. In the following posts we will continue discovering all the different kinds of things we can achieve and the best way to approach them.

     Source: https://niemand.com.ar/2019/01/13/creating-your-own-wallhack/
    1 point
  9. hi, can anyone help me with the guide "how to win your girlfriend back" by alex david? a download link?
    1 point
  10. Yes, Dropbox - Alex David - Cum să vorbești cu o femeie.pdf
    1 point