Leaderboard
Popular Content
Showing content with the highest reputation on 03/03/19 in all areas
-
2 points
-
WGIWH-BG6DF-7T9MR DJ4JA-GQ6YC-PZBTI Vad ca nimeni nu a scris nimic, sper sa scrie acum1 point
-
An extra whitespace in a server response allowed a security firm to track a hackers' favorite tool for years. https://www.zdnet.com/video/free-malware-tools-are-being-exploited-for-malicious-intent/ A vulnerability in a tool used by cyber-criminal gangs is now helping researchers expose the locations of thousands of malware command-and-control (C&C) servers. The vulnerability --now patched since the start of the year-- affected cobalt strike , a legitimate penetration testing tool used by security researchers to emulate cyber-attacks. Cobalt Strike has been around for more than a decade, but for the past five years, it has slowly been adopted by cyber-criminal groups as well. Malware gangs and nation-state cyber-espionage groups have used Cobalt Strike because of its simple and very efficient client-server architecture. Cyber-criminals use Cobalt Strike to host their C&C servers, and then deploy malware on company networks through Cobalt "beacons" they plant on infected hosts. Over the past few years, Cobalt Strike slowly became the go-to toolkit for many threat actors, such as the FIN6 and FIN7 (Carbanak) cyber-criminal gangs, but also nation-state hackers such as APT29 (Cozy Bear). But unbeknownst to all these hacker groups was that Fox-IT researchers discovered a bug in the Cobalt Strike server component. Built on NanoHTTPD, a Java-based web server, crooks didn't know that it contained a bug that allowed Fox-IT to track them since 2015. According to Fox-IT researchers, the NanoHTTPD server accidentally added an additional space in the server's HTTP responses, like in the image below. This extra whitespace allowed Fox-IT to detect Cobalt Strike communications between beacons and their C&C servers across the years, until January 2, 2019, when Cobalt Strike developers patched the bug and removed the extra space in version 3.13. "In total Fox-IT has observed 7718 unique Cobalt Strike team server or NanoHTTPD hosts between the period of 2015-01 and 2019-02," the company said in a blog post this week. Because the issue is now patched, Fox-IT researchers revealed this little trick, along with a list of historical IP addresses that used to or are still hosting Cobalt Strike C&C servers. The company hopes that security teams use this list to check their network logs for these IP addresses and identify past or current security breaches. Some of these IP addresses might belong to legitimate Cobalt Strike instances hosted by security firms for testing purposes, but Fox-IT believes that many of these are also from hacker groups. They said that a cursory examination of their list of 7,700+ IP addresses revealed malware C&C servers tied to China's APT10 government hacking unit, the Bokbot banking trojan, and servers managed by remnants of the Cobalt Group (also known as FIN7 or Carbanak). KnownSec 404 Team, a Chinese cyber-security company that runs the ZoomEye IoT search engine confirmed Fox-IT's discovery by identifying 3,643 Cobalt Strike NanoHTTPD-based servers that are still operational at this moment --86 percent of which were also on Fox-IT's list, the company said. Fox-IT says that current scans for the extra whitespace are turning fewer and fewer results, as servers are getting patched. However, the company says that most threat actors tend to use pirated, cracked, and unregistered versions of the Cobalt Strike software, and therefore will remain unpatched for a long time to come. As legitimately-owned servers will receive the Cobalt Strike patch, most of the servers that will come up during scans in the coming future will most likely be part of malware operations. Source : https://www.zdnet.com/article/vulnerability-exposes-location-of-thousands-of-malware-c-c-servers/?fbclid=IwAR3ZLo-hRSTyZ6jxgp7bhU4K2MTv-cMh00ci3Bi9IwUi0kCw90OAExw-1h81 point
-
AutoCad .NET Deserialisation Vulnerability Product AutoCad Severity Medium CVE Reference CVE-2019-7361 Type Code Execution Description The Action Macro functionality of AutoDesk’s AutoCad software suite is vulnerable to code execution due to improper validation of user input passed to a deserialization call. AutoCad provides the ability to automate a set of tasks by recording the user performing those tasks and replaying them later. This functionality is called Action Macros. Before playing an Action Macro, the list of actions performed are presented to the user, as shown in the next figure. This recording will create a number of “DONUT” objects within the current drawing. Once an Action Macro has been recorded, it is saved to the user’s “Actions” directory as a .actm file. A snippet of the underlying data of the Action Macro file for the above recording is shown below: This data is made up of a number of .NET serialized objects. Highlighted in red is the length of the first object (of type AutoDesk.AutoCad.MacroRecorder.MacroNode). The green outline highlights the actual object, and the blue is the beginning of the next object. It should be noted that this data is deserialized to allow the user to view the tree of actions within a recording prior to the user clicking “play”. The vulnerability ultimately lies in AcMR.dll, specifically the method AutoDesk.AutoCad.MacroRecorder.BaseNode.Load: public static INode Load(Stream stream) { if (!DebugUtil.Verify(stream != null)) return (INode) null; object obj = MacroManager.Formatter.Deserialize(stream); (2) if (DebugUtil.Verify(obj is INode)) (3) return obj as INode; return (INode) null; } public void Save(Stream stream) { if (!DebugUtil.Verify(stream != null)) return; MacroManager.Formatter.Serialize(stream, (object) this); (1) } At (1) the object is saved using MacroManager.Formatter’s Serialize method – this occurs when an Action Macro is saved. At (2), the user input stream is Deserialized prior to being checked as a valid Inode object at (3). These actions occur when the Action Macro is loaded into memory. The MacroManager.Formatter.Deserialize method is a wrapper to the .NET BinaryFormatter function: public static IFormatter Formatter { get { if (MacroManager.m_formatter == null) { MacroManager.m_formatter = (IFormatter) new BinaryFormatter(); MacroManager.m_formatter.Binder = (SerializationBinder) new MacroManager.TypeRedirectionBinder(); } return MacroManager.m_formatter; } } A malicious user is able to gain code execution by replacing legitimate serialized objects in an Action Macro file. As a proof of concept, the ysoserial.net tool was used to generate a series of .NET gadgets that, when deserialised, would cause a calculator to be opened. The command used for this proof of concept was: ysoserial.exe -o raw -g TypeConfuseDelegate -c "calc.exe" -f BinaryFormatter > poc_calc_action_macro.actm Code execution occurs when a user attempts to view the actions within an Action Macro, this occurs directly prior to replaying it, as demonstrated in the next figure. Note that the Action Macro is never “played”. Impact This vulnerability is of medium risk to end users. Code execution occurs in the context of the current user, no extra privileges are gained. The potential attack vector could be through phishing of end users, whereby they are coerced into playing malicious Action Macros believing them to be legitimate. The most likely scenario could involve a malicious actor sharing an ActionMacro file online that supposedly solves a community problem. Solution As of February 1st 2019 AutoDesk have released a patch migitating this vulnerability. Users are advised to update AutoCad to the most recent version available. AutoDesk have also produced following advisory pertaining to this vulnerability as well as a number of others [2]. References [1] ysoserial.net - https://github.com/pwntester/ysoserial.net/tree/master/ysoserial [2] AutoDesk Advisory - https://www.autodesk.com/trust/security-advisories/adsk-sa-2019-0001 Sursa: https://labs.mwrinfosecurity.com/advisories/autocad-net-deserialisation-vulnerability/1 point
-
-1 points
-
-1 points
-
#!/usr/bin/perl # # compare two groups of equal length (per row) binary data # looking for similarities between each group, both groups, # and differences between individual groups # # -samy kamkar use strict; use Term::ANSIColor; my $verbose = $ARGV[0] eq "-v" ? shift() : 0; die "usage: $0 [-v] <file>\n" if -t STDIN && !@ARGV; # binary set a and b my (@a, @b, @orig); my $next = 0; my $ind = 0; my @comments; # read in our data while (<>) { chomp; # s/\s//g; # strip comment if present s/(\s*#.*)//; my $comment = $1; if ($_ eq "") { $next++; next; } else { push @orig, $_; } # already binary if (/^[01\s_]+$/) { } elsif (/^[a-f\d\s_]+/i) # hex { s/([a-f\d])/unpack("B4", pack("H", $1))/eg; } else # ascii { s/(.)/unpack("B8", $1)/eg; } my $bits = [split //]; $next ? push(@b, $bits) : push(@a, $bits); push(@comments, $comment); } # bit length my $bitlen = @{$a[0]}; # find common bits between pieces my @common = find_common(@a, @b); my @common_a = find_common(@a); my @common_b = find_common(@b); # find differences between the two groups my @diff = map { !$common[$_] && $common_a[$_] && $common_b[$_] ? 1 : 0 } 0 .. $bitlen-1; # now print the sets cmpr(\@a, \@common_a); midrow(); # print just same/diff rows easier cmpr(\@b, \@common_b); # print bits printbits(); sub printbits { my $max = ($bitlen - 1) % 8; print " " x (length($orig[0]) + 1) if $verbose; foreach (1 .. $bitlen) { print color($max == 0 ? 'bold' : $max == 4 ? 'yellow' : 'reset') . $max . color('reset'); $max = ($max - 1) % 8; } print "\n"; } sub midrow { print " " x (length($orig[0]) + 1) if $verbose; for (my $i = 0; $i < $bitlen; $i++) { my $color = $diff[$i] ? 'bold blue' : # if different between groups $common[$i] ? 'bold green' : # same between groups $common_a[$i] || $common_b[$i] ? 'cyan' : # common in single group 'reset'; my $letter = $diff[$i] ? 'X' : $common[$i] ? '=' : $common_a[$i] ? '^' : $common_b[$i] ? 'v' : '-'; print color($color) . $letter . color('reset'); } print "\n"; } sub cmpr { my ($rows, $common) = @_; # go through rows of the set foreach my $bits (@{$rows}) { print "$orig[$ind++] " if $verbose; # go through each bit in the row for (my $i = 0; $i < $bitlen; $i++) { my $bit = $bits->[$i]; my $commbit = $common->[$i]; my $color = $bit ne '0' && $bit ne '1' ? 'reset' : # ignore space/underlines $common[$i] ? 'green' : # same on all rows is green $diff[$i] ? ($bit ? 'magenta' : 'red') : # common in this set and not other is blue/red $commbit ? 'cyan' : # common just in the group 'reset'; print color($color) . $bit . color('reset'); } print shift(@comments); print "\n"; } # print "\n"; } # find common bits among all rows sub find_common { my @common = (1) x $bitlen; my @lastbit = (-1) x $bitlen; # go through all array refs passed in foreach my $bits (@_) { # go through all bits in the array ref for (my $i = 0; $i < @{$bits}; $i++) { my $bit = $bits->[$i]; # ignore comparing first bit (nothing to compare to yet) if ($lastbit[$i] != -1) { # if last bit is different if ($lastbit[$i] != $bit) { $common[$i] = 0; } } $lastbit[$i] = $bit; } } #print "@common\n"; return @common; } https://github.com/samyk/samytools Source github-1 points
-
dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available. Want to say thanks? Click the star at the top of the page. Or fork dnSpy and send a PR! The following pictures show dnSpy in action. It shows dnSpy editing and debugging a .NET EXE file, not source code. Source: https://github.com/0xd4d/dnSpy-1 points
-
Bilute mici :))) Asterix, alta arternativa, Go to Settings > Security. Check "Make passwords visible".-1 points
-
-1 points
-
-1 points
-
Salutare. Mai e cineva activ pe aici? Am si eu nevoie de niste nologin bune. Daca merita pot plati-1 points
-
Poti testa pe pingsms +447383453599 Joaca-te Pinger.com slesh text free si ai nr dedicat, fludeaza si fa experimente cate vrei-2 points
-
Scanner for Simple Indicators of Compromise Detection is based on four detection methods: File Name IOC Regex match on full file path/name Yara Rule Check Yara signature match on file data and process memory Hash check Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files C2 Back Connect Check Compares process connection endpoints with C2 IOCs (new since version v.10) Additional Checks: Regin filesystem check (via --reginfs) Process anomaly check (based on Sysforensics) SWF decompressed scan (new since version v0.8) SAM dump check DoublePulsar check - tries to detect DoublePulsar backdoor on port 445/tcp and 3389/tcp PE-Sieve process check The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems. Download Download the latest version of LOKI from the releases section. Source: https://github.com/Neo23x0/Loki/blob/master/README.md-2 points
-
This evening at a press event to kickoff MWC Barcelona, I had the pleasure of joining CEO Satya Nadella and Technical Fellow Alex Kipman onstage to talk in depth about Microsoft’s worldview for the intelligent cloud and intelligent edge. As part of today’s press event, we also introduced the world to HoloLens 2. Articol complet: https://blogs.microsoft.com/blog/2019/02/24/microsoft-at-mwc-barcelona-introducing-microsoft-hololens-2/-2 points