Jump to content

Leaderboard


Popular Content

Showing content with the highest reputation since 06/10/20 in all areas

  1. 14 points
    Salut, Lucrez la o platforma de CTI marca RST. Caut oameni care doresc sa se implice activ in aceasta latura a securitatii si sa populeze platforma intr-un mod cat mai eficient. Voi oferi suport atat cat imi permite timpul. Nu sunt bani in joc, dar e o ocazie destul de buna de a invata si a aprofunda acest domeniu. Vom face o multime de chestii interesante. Cu o astfel de experienta ai sanse foarte mari in a printe un job pe partea de Security. Toti cei care sunt interesati de acest subiect si vor sa participe sa scrie aici sau sa-mi trimita un PM. Voi crea un server de discord pt asta si vom discuta mai multe in chat. Infrastructura o platesc eu. Targetul final este de a ajuta cat mai multi oameni sa se dezvolte pe partea asta si de ce nu sa devenim o sursa de incredere pentru companii sau organizatii romanesti in principal. Pentru cei care vor sa se implice activ va astept aici: https://discord.gg/3fjHp6U Chestii facute pana acum: 1. Am ridicat urmatoarele platforme: MISP, TheHive, Cortex Chestii care sunt pe short list: 1. Populat platforma MISP cu ceva evente sample pentru a putea intelege mecanismul acesteia 2. Testat anumiti analyzers din Cortex 3. Create 1-2 cazuri in Hive pentru a ne familiariza cu conceptul de Security Operations Center 4. Email catre cateva surse de threat intel pentru a ne oferi suport in acest proiect, nu cu produsurile finale ale lor dar cu ceva beta Daca stiti ceva surse de threat intel care au trial version sau sunt dispusi sa ne sustina in acest proiect let me know. Am sa postez in acest topic evolutia
  2. 13 points
    Salutare la toti de mult nu am mai intrat pe forum si am fost activ dar acum am un pic de timp :) si m-am gandit sa mai postez si eu ceva. O zi buna va doresc. Buffer Overflow Attack in PDF ShapingUp. https://youtu.be/7wxQmmHjrLc
  3. 13 points
    Echipa de security de la UiPath are 3 pentesteri. Toti sunt membri RST cu vechime. Daca inca sunt persoane care considera ca RST e o adunatura de copii, acesta e doar un exemplu. Multi au pornit de aici. Nu toti mai sunt activi, dar noi, cativa, vom fi mereu aici. RST nu moare!
  4. 8 points
    STAGIU DE VOLUNTARIAT / PRACTICĂ LA CERT-RO Directorul General al CERT-RO Dan Cîmpean caută un număr de patru (4) voluntari pe perioada: 21 Iulie 2020 - 15 Septembrie 2020 , care sunt interesați să trăiască timp de două (2) luni experiența profesională a unui Director din Centrul Național de Răspuns la Incidente de Securitate Cibernetică. Condiții de participare: · Student(ă) sau absolvent(ă) de studii superioare · Cunoștințe de limba engleză nivel cel puțin mediu · Interesat(ă) de a activa, lucra și învăța în una din instituțiile de vârf ale Guvernului României · Un (1) student și o (1) studentă din București, ce vor activa la CERT-RO · Un (1) student și o (1) studentă din județe, ce vor activa online · Disponibilitate de a activa in medie 2 ore pe zi, flexibil. Selecția se va face de către Departamentul HR al CERT-RO pe baza CV-urilor primite. CV-ul trebuie trimis la adresa de mail HR@CERT.RO până la data de 17 iulie 2020, 23:59.
  5. 7 points
    Am patit si eu, suna la provider si spunele sa te scoata de pe 5g.
  6. 7 points
    https://digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=18427&view=map https://twitter.com/search?q=DDoS&src=trend_click https://www.rt.com/usa/491933-verizon-tmobile-att-outage/
  7. 6 points
    Daca virusi s-ar (mai) putea raspandi prin browsere, fii sigur ca ai fi plin. Eu ti-as recomanda o sesiune de hipnoterapie sa incerci sa-ti aduci aminte ce-ai cautat la ultima betie.
  8. 6 points
    Tu cauta un programator bun in python...ca si restul vor cauta oameni buni care stiu sa faca ceva, nu sa plateasca pe altul sa faca. N-am sa inteleg niciodata de ce stati 3/4 ani in facultate ca la sfarsit sa cumparati tema de licenta...Nu poti tu sa-ti faci licenta?Nici o rusine, nu e un capat de lume, dar macar fii constient ca nici diploma nu ti-o meriti
  9. 5 points
    Hmm .. ai putea sa te bazezi pe baze de date offline cu vulnerabilitati si sa faci licenta in asa fel incat sa prezinti exemple particulare de softuri ce pot fi testate cu asa ceva. Imposibil insa sa nu ai o marja de eroare la acel calcul pe care va trebui sa o mentionezi ba chiar sa o detaliezi. Ti-l fac eu dar incepem sa vorbim de la 4000 LEI in sus cu avans. Daca esti ok cu asta da-mi mesaj.
  10. 4 points
    Am trecut noi peste Sality, Confiqer... Trecem si peste Covid.
  11. 4 points
    Este un Buffer Overflow în pdf software, dar bineînțeles a durat mai mult ca în video pana am exploatat vulnerabilitatea. Pasul unul care este cel mai greu, este sa modifici pdf în asa fel încât sa se prăbușească și crash-ul să îl conduci pană poti executa codul shell. în video era deja despărțit pdf-ul iar in kali convertez pdf iinteriorul in Hex code si pe urma e tipic Buffer Overflow.
  12. 4 points
    Ce mouse sa inlocuiasca ba? Ce back up sa faca ba? Cu tot cu rat? Ba inconstientilor, nu mai bagati oamenii in cacat cu buna stiinta.
  13. 4 points
    Am facut si eu ceva de genul asta, dar din lipsa de timp, am abandonat proiectul. Eu aveam si cuckoo instalat pe un dedicat. Am cumparat un domeniu care a fost anterior folosit ca si serviciu de mail temporar, am pus catch all pe el si luam toate mailurile pe care le primeam pe zi (15-20k) , extrageam atasamentele, le bagam in cuckoo si de acolo luam indicatori de compromitere ca sa populez MISP. Erau destul de multe date si era interesant. Problema a fost lipsa de timp. Mai am ceva scripturi pe care le foloseam ca sa automatizez, dar nu cred ca e ceva quality pe acolo Am improvizat foarte mult si cred ca ce faceam eu intr-o suta de linii, altcineva rezolva mult mai usor. Important e ca functiona
  14. 4 points
    Atacurile vin de la cipurile implantate in oameni folosind termometrele fara contact.Este clar ca Bill Gates vrea sa il darame pe Trump si sa presia controlul SUA.Este dovada puterii 5G-ului!!!
  15. 3 points
    Daca este destinat scopurilor educationale(desi nu cred), de ce nu pui mana sa inveti ceva? Poti sa explici cu ce este educational? Daca vrei sa faci "teste" de ce nu folosesti un tool comun gen hydra etc, ca sa-ti validezi ce vrei tu sa faci acolo. Cu ce te ajuta sa muti arhiva din pl in python?Vrei sa inveti python?Fa-o...lasa arhivele. Cred ca si tu esti in brigada lui boyka ala
  16. 3 points
    Shell Link Binary File Format, which contains information that can be used to access another data object. The Shell Link Binary File Format is the format of Windows files with the extension "LNK", we call it a shortcut file. Regarding the structure of this format is very complicated, Microsoft has provided a document about LNK file format for reference[1]. I've followed the Microsoft patches for a long time. In 2018, I found that they had 2 LNK bugs which were fixed and all of them were RCE. Recently, @Lays found a bunch of LNK file parsing bugs, so with this binary file format I think it is suitable for fuzzing. However, you need to reverse and learn how to handle this LNK file on Windows. Introduction File Explorer, previously known as Windows Explorer, is a file manager application that has been included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the screen such as the taskbar and desktop. Explorer has a lot of features, each version of the operating system has been upgraded it by Microsoft. Here I discovered that the Explorer will automatically parsing the LNK file if the LNK file appears in the context that the Explorer is accessing. For example, if we are on the desktop, the Explorer will parse the LNK files that appear on the desktop and maybe in some secondary directory (about the depth of the folder that the Explorer can access, I don't know). Introduce parsing LNK file in Explorer How can we build an arsenal to fuzz this LNK file format? We need to rely on Explorer, debug it, use Windbg attach to process explorer.exe: I put break-point at 2 functions are CreateFileA and CreateFileW, I guess that Explorer will use it to read the file before parsing. After a few breaks on the CreateFileW function, I saw the explorer calling the CreateFileW function with the file "Process Hacker 2.lnk", this LNK file is on the desktop. I view the call stack at this breakpoint: We can see that a series of APIs related to CShellLink are called in the windows.storage.dll. Here I returned to MSDN to learn about these CShellLink related API and I found this[2]: It is possible to create an LNK parsing program using the IShellLink interface. Based on what MSDN provides I use IPersistFile to load and parsing LNK files, this is the harness I use to fuzzing. I debug the test with the harness that I built on the file "test_debug.lnk" Comparing the call stack between my harness and Explorer looks quite similar. I decided to use this harness for fuzzing. Fuzzing LNK Corpus for this LNK file I found is also quite available on the Github repo. I found and downloaded, then used them to fuzz. With the familiar winafl[3] and Dynamorio[4], I used it with coverage_module windows.storage.dll. Run fuzzing with 1 master and 7 slave. About fuzzing and coverage, you can read my blogs before[5][6]. After some time running fuzzing, I went back to check my crashes, I found 4 unique crashes: Out of bound read in windows_storage!CRegFolder::_AttributesOf Out of bound read in windows_storage!CRegFolder::_CreateCachedRegFolder Out of bound read in shell32!CControlPanelCategoryFolder::_IsValidCategoryPidl Double free in windows_storage!DSA_DestroyCallback I checked these 4 crashes on Explorer, only double-free bug can cause explorer.exe crash, 3 out of bound read bugs do not cause explorer.exe crash. I reported all 4 bugs to Microsoft, Microsoft only accepted one of my double-free bug, they rejected the rest because the crash did not occur on the default configuration of the system and could not be exploited (regarding the default configuration of the system, I think due to the harness I use is not complete like Explorer when parsing 1 LNK file). CVE-2020-1299 The double-free bug I found above was fixed in this June patch of Microsoft, here is a bit of the cause of this bug: We have struct DSA as follows: DSA object: struct DSA { INT nItemCount; LPVOID pData; INT nMaxCount; INT nItemSize; INT nGrow; }; DSA object[7] is initialized at DSA_Create[8] and insert items with DSA_InsertItem[9]. While inserting additional items, it will allocate a memory area for the pData field in the struct DSA. When releasing DSA object, the program has called DSA_DestroyCallback function twice to release the same DSA object. The function s_DestroyCacheItemCB has an error: When freeing the pData field, it did not check the availability of this memory, resulting in a double-free bug. The pData memory has been free before, I don't analyze further why the DSA object was destroyed twice due to some condition in the previous thread. For this bug, we can use after free on the DSA object to trigger RCE. Conclusion Above is the whole process I researched to find an attack surface for the LNK file, apply fuzzing to find fault of the LNK parsing process. At the time I found this bug, I only targeted the windows.storage.dll DLL without knowing that LNK had another type: LNK search (after ZDI published blog which analyzed a bug of @Lays, I realized this format)[10]. In addition to windows.storage.dll used to parsing LNK files, there are also windows.storage.search.dll and StructuredQuery.dll. The following blog I will talk about some bugs I found in StructuredQuery.dll but Microsoft does not fix it although it may cause DOS temporarily. Microsoft suggests that I can blog about those bugs and they are confident that they can answer every customer's questions with bugs they don't fix. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943 https://docs.microsoft.com/en-us/windows/win32/shell/links https://github.com/googleprojectzero/winafl https://github.com/DynamoRIO/dynamorio https://ezqelusia.blogspot.com/2020/05/start-fuzzing-fuzz-various-image-viewers.html https://ezqelusia.blogspot.com/2020/05/microsofts-first-bug.html https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/ https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_create [https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_insertitem https://www.zerodayinitiative.com/blog/2020/3/25/cve-2020-0729-remote-code-execution-through-lnk-files Researcher: linhlhq from Infiniti Team - VinCSS (a member of Vingroup). Source
  17. 3 points
    Nu conteaza, facem conferinta online apoi mergem la bere la gramada - maxim 4 la masa sau cat o mai fi. Si acolo ne batem joc de Gogoasa
  18. 3 points
    Cred ca nimeni, nici de la DefCamp nici de pe RST, nici macar Iohannis nu ne poate spune cum evolueaza cacatul asta. Mie sincer mi-a placut Cisco Live de anul asta. Decat sa ma duc in Berlin si sa dau 1200 de euro, mai bine am urmarit de acasa cu o punga de cipsuri in mana. Daca asa va fi si la DefCamp, e super marfa.
  19. 3 points
    Sa instalezi windowsul curat si sa te gandesti data viitoare ca lururile gratis de pe internet, vin cu un cost.
  20. 3 points
    Sa va faceti o idee cum arata momentan. Asa arata o parte din evenimente: Totul este automatizat in ceea ce priveste AlienVault. Mai avem cateva chestii mici la care lucram. Asa arata un eveniment random: P.S. Nu va faceti grija, nu e nimic confidential. Toate sunt TLP White deci e ok
  21. 3 points
    This one is about an interesting behavior I identified in cmd.exe in result of many weeks of intermittent (private time, every now and then) research in pursuit of some new OS Command Injection attack vectors. So I was mostly trying to: find an encoding missmatch between some command check/sanitization code and the rest of the program, allowing to smuggle the ASCII version of the existing command separators in the second byte of a wide char (for a moment I believed I had it in the StripQuotes function - I was wrong ¯\(ツ)/¯), discover some hidden cmd.exe's counterpart of the unix shells' backtick operator, find a command separator alternative to |, & and \n - which long ago resulted in the discovery of an interesting and still alive, but very rarely occurring vulnerability - https://vuldb.com/?id.93602. And I eventually ended up finding a command/argument confusion with path traversal ... or whatever the fuck this is For the lazy with no patience to read the whole thing, here comes the magic trick: Tested on Windows 10 Pro x64 (Microsoft Windows [Version 10.0.18363.836]), cmd.exe version: 10.0.18362.449 (SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5). But should work with earlier versions as well... probably with all versions. Some more context Let's consider the following command line: cmd.exe /c "ping 127.0.0.1", whereas 127.0.0.1 is the argument controlled by the user in an application that runs an external command (in this sample case it's ping). This exact syntax - with the command being preceded with the /c switch and enclosed in double quotes - is the default way cmd.exe is used by external programs to execute system commands (e.g. PHP shell_exec() function and its variants). Now, the user can trick cmd.exe into running calc.exe instead of ping.exe by providing an argument like 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe, traversing the path to the executable of their choice, which cmd.exe will run instead of the ping.exe binary. So the full command line becomes: cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe" The potential impact of this includes Denial of Service, Information Disclosure, Arbitrary Code Execution (depending on the target application and system). Although I am fairly sure there are some other scenarios with OS command execution whereas a part of the command line comes from a different security context than the final command is executed with (Some services maybe? I haven't search myself yet) - anyway let's use a web application as an example. Consider the following sample PHP code: Due to the use of escapeshellcmd() it is not vulnerable to known command injection vectors (except for argument injection, but that's a slightly different story and does not allow RCE with the list of arguments ping.exe supports - no built-in execution arguments like find's -exec). And I know, I know, some of you will point out that in this case escapeshellarg() should be used instead - and yup, you would be right, especially since putting the argument in quotes in fact prevents this behavior, as in such case cmd.exe properly identifies the command to run (ping.exe). The trick does not work when the argument is enclosed in single/double quotes. Anyway - the use of escapeshellcmd() instead of escapeshellarg() is very common. Noticed that while - after finding and registering CVE-2020-12669, CVE-2020-12742 and CVE-2020-12743 ended up spending one more week running automated source code analysis scans against more open source projects and manually following up the results - using my old evil SCA tool for PHP. Also that's what made me fed up with PHP again quite quickly, forcing me to get back to cmd.exe only to let me finally discover what this blog post is mostly about. I am fairly sure there are applications vulnerable to this (doing OS command injection sanity checks, but failing to prevent path traversal and enclose the argument in quotes). Haven't searched yet because I am way too lazy/busy. Also, the notion of similar behavior in other command interpreters is also worth entertaining. An extended POC Normal use: Abuse: Now, this is what normal use looks like in Sysmon log (process creation event): So basically the child process (ping.exe) is created with command line equal to the value enclosed between the double quotes preceded by the /c switch from the parent process (cmd.exe) command line. Now, the same for the above ipconfig.exe hijack: And it turns out we are not limited to executables located in directories present in %PATH%. We can traverse to any location on the same disk. Also, we are not limited to the EXE extension, neither to the list of "executable" extensions contained in the %PATHEXT% variable (which by default is .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC - basically these are the extensions cmd.exe will try to add to the name of the command if no extension is provided, e.g. when ping is used instead of explicit ping.exe). cmd.exe runs stuff regardless to the extension, something I noticed long ago (https://twitter.com/julianpentest/status/1203386223227572224). And one more thing - more additional arguments between the original command and the smuggled executable path can be added. Let's see all of this combined. For the demonstrative purposes, the following C program was compiled and linked into a PE executable (it simply prints out its own command line): Copied the EXE into C:\xampp\tmp\cmd.png (consider this as an example of ANY location a malicious user could write a file). Action: So we just effectively achieved an equivalent of actual (exec, not just read) PE Local File Inclusion in an otherwise-safe PHP ping script. But I don't think that our options end here. The potential for extending this into a full RCE without chaining with file upload/control I am certain it is also possible to turn this into an RCE even without the possibility of fully/partially controlling any file in the target file system and deliver the payload in the command line itself, thus creating a sort of polymorphic malicious command line payload. When running the target executable, cmd.exe passes to it the entire part of the command line following the /c switch. For instance: cmd.exe /c "ping 127.0.0.1/../../../../../../../windows/system32/calc.exe" executes c:\windows\system32\calc.exe with command line equal ping 127.0.0.1/../../../../../../../windows/system32/calc.exe . And, as presented in the extended POC, it is possible to hijack the executable even when providing multiple arguments, leading to command lines like: ping THE PLACE FOR THE RCE PAYLOAD ARGS 127.0.0.1/../../path/to/lol.bin This is the command line lol.bin would be executed with. Finding a proxy execution LOLBin tolerant enough to invalid arguments (since we as attackers cannot fully control them) could turn this into a full RCE. The LOLBin we need is one accepting/ignoring the first argument (which is the hardcoded command we cannot control, in our example "ping"), while also willing to accept/ignore the last one (which is the traversed path to itself). Something like https://lolbas-project.github.io/lolbas/Binaries/Ieexec/, but actually accepting multiple arguments while quietly ignoring the incorrect ones. Also, I was thinking of powershell. Running this: cmd.exe /c "ping ;calc.exe; 127.0.0.1/../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/POWERSHELL.EXE" makes powershell start with command line of ping ;calc.exe 127.0.0.1/../../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/POWERSHELL.EXE I expected it to treat the command line as a string of inline commands and run calc.exe after running ping.exe. Yes, I know, a semicolon is used here to separate ping from calc - but the semicolon character is NOT a command separator in cmd.exe, while it is in powershell (on the other hand almost all OS Command Injection filters block it anyway, as they are written universally with multiple platforms in mind - cause obviously the semicolon IS a command separator in unix shells). A perfect supported syntax here would be some sort of simple base64-encoded code injection like powershell's -EncodedCommand, having found a way to make it work even when preceded with a string we cannot control. Anyway, this attempt led to powershell running in interactive mode instead of treating the command line as a sequence of inline commands to execute. Anyway, at this point turning this into an RCE boils down to researching the behaviors of particular LOLbins, focusing on the way they process their command line, rather than researching cmd.exe itself (although yes, I also thought about self-chaining and abusing cmd.exe as the LOLbin for this, in hope for taking advantage of some nuances between the way it parses its command line when it does and when it does not start with the /c switch). Stumbling upon and some analysis I know this looks silly enough to suggest I found it while ramming that sample PHP code over HTTP with Burp while watching Procmon with proper filters... or something like that (which isn't such a bad idea by the way)... as opposed to writing a custom cmd.exe fuzzer (no, you don't need to tell me my code is far away from elegant, I couldn't care less), then after obtaining rather boring and disappointing results, spending weeks on static analysis with Ghidra (thanks NSA, I am literally in love with this tool), followed up with more weeks of further work with Ghidra while simultaneously manually debugging with x64dbg while further expanding comments in the Ghidra project 😂 cmd.exe command line processing starts in the CheckSwitches function (which gets called from Init, which itself gets called from main). CheckSwitches is responsible for determining what switches (like /c, /k, /v:on etc.) cmd.exe was called with. The full list of options can be found in cmd.exe /? help (which by the way, to my surprise, reflects the actual functionality pretty well). I spent a good deal of time analyzing it carefully, looking for hidden switches, logic issues allowing to smuggle multiple switches via the command line by jumping out of the double quotes, quote-stripping issues and whatever else would just manifest to me as I dug in. The beginning of the CheckSwitches function after some naming editions and notes I took If the /c switch is detected, processing moves to the actual command line enclosed in double quotes - which is the most common mode cmd.exe is used and the only one the rest of this write-up is about: The same mode can be attained with the /r switch: After some further logic, doing, among other things, parsing the quoted string and making some sanity fixes (like removing any spaces if any found from its beginning), a function with a very encouraging and self-explanatory name is called: Disassembly view: Decompiler view: At this point it was clear it was high time for debugging to come into play. By default x64dbg will set up a breakpoint at the entry point - mainCRTStartup. This is a good opportunity to set an arbitrary command line: Then start cmd.exe once again (Debug-> Restart). We also set up a breakpoint on the top of the SearchForExecutable function, so we catch all its instances. We run into the first instance of SearchForExecutable: We can see that the double-quoted proper command line (after cmd.exe skips the preceding cmd.exe /c) along with its double quotes is held in RBX and R15. Also, the value on the top of the stack (right bottom corner) contains an address pointing at CheckSwitches - it's the saved RET. So we know this instance is called from CheckSwitches. If we hit F9 again, we will run into the second instance of SearchForExecutable, but this time the command line string is held in RAX, RDI and R11, while the call originates from another function named ECWork: This second instance resolves and returns the full path to ping.exe. Below we can see the body of the ECWork function, with a call to SearchForExecutable (marked black). This is where the RIP was at when the screenshot was taken - right before the second call of SearchForExecutable: Now, on below screenshot the SearchForExecutable call already returned (note the full path to ping.exe pointed at with the address held in R14). Fifteen instructions later the ExecPgm function is called, using the newly resolved executable path to create the new process: So - seeing SearchForExecutable being called against the whole ping 127.0.0.1 string (uh yeah, those evil spaces) suggests potential confusion between the full command line and an actual file name... So this gave me the initial idea to check whether the executable could be hijacked by literally creating one under a name equal to the command line that would make it run: Uh really? Interesting. I decided to have a look with Procmon in order to see what file names cmd.exe attempts to open with CreateFile: So yes, the result confirmed opening a copy of calc.exe from the file literally named ping .PNG in the current working directory: Now, interestingly, I would not see any results with this Procmon filter (Operation = CreateFile) if I did not create the file first... One would expect to see cmd.exe mindlessly calling CreateFile against nonexistent files with names being various mutations of the command line, with NAME NOT FOUND result - the usual way one would search for potential DLL side loading issues... But NOT in this case - cmd.exe actually checks whether such file exists before calling CreateFile, by calling QueryDirectory instead: For this purpose, in Procmon, it is more accurate to specify a filter based on the payload's unique magic string (like PNG in this case, as this would be the string we as attackers could potentially control) occurring in the Path property instead of filtering based on the Operation. "So, anyway, this isn't very useful" - I thought and got back to x64dbg. "We can only hijack the command if we can literally write a file under a very dodgy name into the target application's current directory... " - I kept thinking - "... Current directory... u sure ONLY current directory?" - and at this point my path traversal reflex lit up, a seemingly crazy and desperate idea to attempt traversal payloads against parts of the command line parsed by SearchForExecutable. Which made me manually change the command line to ping 127.0.0.1/../calc.exe and restart debugging... while already thinking of modifying the cmd.exe fuzzer in order to throw a set payloads generated for this purpose with psychoPATH against cmd.exe... But that never happened because of what I saw after I hit F9 one more time. Below we can see x64dbg with cmd.exe ran with cmd.exe /c "ping 127.0.0.1/../calc.exe" command line (see RDI). We are hanging right after the second SearchForExecutable call, the one originating from the bottom of the ECWork function. Just few instructions before calling ExecPgm, which is about to execute the PE pointed by R14. The full path to C:\Windows\System32\calc.exe present R14 is the result of the just-returned SearchForExecutable("ping 127.0.0.1/../calc.exe") call preceding the current RIP: The traversal appears to be relative to a subdirectory of the current working directory (calc.exe is at c:\windows\system32\calc.exe😞 "Or maybe this is just a result of a failed path traversal sanity check, only removing the first occurrence of ../?" - I kept wondering. So I dug further into the SearchForExecutable function, also trying to find the answer why variants of the argument created by splitting it by spaces are considered and why the most-to-the-right one is chosen first when found. I narrowed down the culprit code to the instructions within the SearchForExecutable function, between the call of mystrcspn at 14000ff64 and then the call of the FullPath function at 14001005b and exists_ex at 140010414: In the meantime I received the following feedback from Microsoft: We do have a blog post that helps describe the behavior you have documented: https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats. Cmd.exe first tries to interpret the whole string as a path: "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe” string is being treated as a relative path, so “ping 127.0.0.1” is interpreted as a segment in that path, and is removed due to the preceding “../” this should help explain why you shouldn’t be able to use the user controlled input string to pass arguments to the executable. There are a lot a cases that would require that behaviour, e.g. cmd.exe /c "....\Program Files (x86)\Internet Explorer\iexplore.exe" we wouldn’t want that to try to run some program “....\Program” with the argument “Files (x86)\Internet Explorer\iexplore.exe”. It’s only if the full string can’t be resolved to a valid path, that it splits on spaces and takes everything before the first space as the intended executable name (hence why “ping 127.0.0.1” does work). So yeah... those evil spaces and quoting. From this point, I only escalated the issue by confirming the possibility of traversing to arbitrary directories as well as the ability to force execution of PE files with arbitrary extensions. Interestingly, this slightly resembles the common unquoted service path issue, except that in this case the most-to-the-right variant gets prioritized. The disclosure Upon discovery I documented and reported this peculiarity to MSRC. After little less than six days the report was picked up and reviewed. About a week later Microsoft completed their assessment, concluding that this does not meet the bar for security servicing: On one hand, I was little disappointed that Microsoft would not address it and I was not getting the CVE in cmd.exe I have wanted for some time. On the other hand, at least nothing's holding me back from sharing it already and hopefully it will be around for some time so we can play with it It's not a vulnerability, it's a technique I would like thank Microsoft for making all of this possible - and for being nice enough to even offer me a review of this post! Which was completely unexpected, but obviously highly appreciated. Some reflections Researching stuff can sometimes appear to be a lonely and thankless journey, especially after days and weeks of seemingly fruitless drudging and sculpturing - but I realized this is just a short-sighted perception, whereas success is exclusively measured by the number of uncovered vulnerabilities/features/interesting behaviors (no point to argue about the terminology here ). In offensive security we rarely pay attention to the stuff we tried and failed, even though those failed attempts are equally important - as if we did not try, we would never know what's there (and risk false negatives). Curiosity and the need to know. And software is full of surprises. Plus, simply dealing with a particular subject (like analyzing a given program/protocol/format) and gradually getting more and more familiar with it feeds our minds with new mental models, which makes us automatically come up with more and more ideas for potential bugs, scenarios and weird behaviors as we keep hacking. A journey through code accompanied by new inspirations, awarded with new knowledge and the peace of mind resulting from answering questions... sometimes ending with great satisfaction of a unique discovery. Source
  22. 2 points
    Ma putica, tu inca umbli cu morcovul si cu alte cacaturi de-astea de hackeri periculosi. Tu inca te bucuri cand dai un difeis. Nu intelegi ca locul tau nu este aici?
  23. 2 points
    de asta nu e ok sa bea mamele in timpul sarcinii
  24. 2 points
  25. 2 points
    Aelius e spion Mossad? Explica de ce nu poate sa fie activ mereu, probabil investigheaza fetisuri personal :))))))))) Ce-i cu asta, bre?
  26. 2 points
    Security researchers detected a new ransomware strain that leveraged piracy as a means of distributing itself to Mac users. On June 29, a Twitter user reached out to Malwarebytes about a malicious Little Snitch installer that was available for download on a Russian forum known for sharing torrent links. A close look at the installer revealed that it used a generic icon and arrived within a disk image file. Upon activation, this resource loaded the legitimate installer and uninstaller apps for Little Snitch, a program which alerts users when an app attempts to connect to a web server. The program also installed an executable called “patch” in the /Users/Shared directory. After a script moved it to a location that appeared to relate to Little Snitch and renamed it “CrashReporter” for the purpose of blending in, “patch” removed itself from the /Users/Shared directory, launched its copy and then launched the Little Snitch installer. This process didn’t go so well, however. As Malwarebytes explained in its research: Further investigation revealed that the threat relied on a malicious installer for DJ software called “Mixed In Key 8.” The malware delivered by that installer was similarly hesitant to get to work, but after Malwarebytes changed the clock setting of its virtual machine, disconnected from the network and restarted the computer a few times, the ransomware finally sprung into action and launched its encryption routine. This process led the threat to encrypt settings files and the keychain files, thus producing error messages and spinning beach balls. Researchers at the security firm learned from others that the Mac ransomware eventually deployed a ransom note with instructions for payment. Even so, it was unable to replicate this behavior. Screenshot of encryption message posted to RUTracker forum (Source: Malwarebytes) This isn’t the first time that researchers have detected ransomware targeting Mac users. Back in 2017, for instance, researchers spotted another crypto-malware strain that relied on cracks to pirate commercial software for distribution. As such, organizations should follow these steps to prevent a ransomware infection from occurring in the first place. Via tripwire.com
  27. 2 points
    Live: Guess who's back! After a rather long pause, Security Espresso's Meetups are back, in an online format! We're sure that you miss the gatherings and the beers, but rest assured it's all going to happen anyway! Our first virtual meetup will happen online and will be streamed to YouTube. Make sure to join our Telegram group if you didn't already so you can ask any questions you might have for the speakers: https://t.me/secespresso Without further ado, here are the speakers for Security Espresso Meet-up 0x23: 19:00 → 19:45 ☠️ Principles of heap-based exploits on Windows 7 & 10 x32 📣 Stefan Nicula - Senior Threat Researcher @ Avira Protection Labs, Twitter: @stefan_nicula A successful userland heap memory corruption exploit on Windows requires a good grasp on the mechanisms behind the Heap Manager. The talk aims to tackle Windows Heap Manager internals such as Backend vs Frontend Allocators, VirtualAlloc, heap memory layout, Windows 10 vs Windows 7 Heap Manager differences and Windows Heap Integrity protection. We will also explore heap exploit principles for Use-after-free and Double Free exploits like primitives, allocators, precise heap spraying, stack pivot and ROP chaining. In a future part 2 of the presentation, we will dive into more advanced techniques related to memory information leak, type confusion, abusing vtable pointers and Windows ATP protection bypasses. 19:45 → 20:00 ⏸ Break 20:00 → 20:45 🕶 Opsec guide for the security enthusiast 📣 Dan Demeter - Security Researcher @ GReAT, Twitter: @_xdanx 📣 Marco Preuss - Director @ GReAT, Europe, Twitter: @marco_preuss As more and more metadata is passively collected at a large scale, one might question the boundaries set by governments in regards to privacy and personal life. We believe privacy is a fundamental human right and, by using the right tools, it can still be achieved. During this beginner’s opsec guide we will present techniques and tools to protect your digital communications, as well as your equipment. Some covered topics: - Corporate communication crisis management - Encryption and secure communication - Physical device security - Network activity monitoring - Travelling to foreign countries 20:45 → ∞ 🍻 Virtual beer on Discord! Attendance policy: BYOD (bring your own drink). 🔗 Join us: https://discord.gg/7kCdJp8
  28. 2 points
    Offline nu vom risca sa organizam o activitate de dimensiunea celei de anul trecut, insa lucram la o agenda virtuala, sper eu, interesanta. Sunt deacord cu @Nytro si @Zatarraapropo de "socializarea" offline dar nu cu riscuri de sanatate. Worst case, un hangouts cu bere personalizata cu palariile DefCamp. @SynTAX ce ti-a placut la CISCO?
  29. 2 points
  30. 2 points
  31. 2 points
    Pai daca la service ti au zis ca e arsa placa de baza cum am putea noi sa iti zicem de aici altceva?
  32. 2 points
    Nu v-a m-ai drogaț ! Jocuri-le dauneaza grav sanatati !
  33. 2 points
    Nu stiu care e parerea celorlalti, dar mie mi se pare incredibil ce faci acolo Ai putea sa explici putin ce se intampla p-acolo si pentru noi astia mai slabuti? Thanks & really impressive work!
  34. 2 points
    Pager-ul functioneaza pe frecvente radio inferioare frecventelor GSM si nu merge pe baza de SIM card. Acoperirea cu semnal radio a regiunilor era asigurata de retelele de radiotelecomunicatii a statului si ulterior s-au privatizat in firme subsidiare dar care au dat faliment o data cu aparitia si dezvoltarea retelelor GSM si mai noi a internetului WIFI. Incepand din 2018 nu stiu sa mai fie servicii active de paging radio in RO. Licentele de emisie - receptie costa foarte mult ca si procedura de obtinere si licentiere inclusiv training-ul la STS. Aparatura este si ea scumpa de emisie receptie pentru dispecere si nu renteaza deoarece exista alternative mai avantajoase. Totusi radioul si gsm-ul nu sunt singurele metode de comunicatie ce pot fi implementate daca doresti sa vii cu ceva inovator fara sa achizitionezi licente radio si aprobari sa stii ca nu este imposibil. Succes !
  35. 2 points
    Daca un bun/lucru/produs vine gratis inseamna ca tu esti produsul.
  36. 2 points
    Bună, fie ca esti un nou rookie in sec, sau poate tocmai ai auzit de rst, sau un "zeu" gen Nytro , cine stie care este scopul tau aici, dar, pentru absolut toti posibilii cititori va doresc o zi buna si toate cele. Scopul meu aici, momentan, e doar sa mai dau un ochi, sa mai vad ocazionalu "imi trebuie niste bitcoin dar am cash", iar pe privat " ma rezolvi de 3m" LOL In special celora care ma stiu, ma adresez umil, cu recentele intamplari din viata mea, sau poate doar va scaldati in bani, orice m-ar ajuta, de la citirea acestui mesaj la SEO, un share etc. Mici firmituri ce se strang incet, apelez la voi. Accidentul s-a intamplat acu aproximativ 3 ani, din care 1 l-am petrecut in spital... Am fost destul de rau, acum sunt mai bine, mental / psihic. Dar, multumita internetului am gasit ceva ce m-ar putea ajuta, in Bangkok, exista o asa-zisa procedura numita "stimulare epidurala" sau "epidural stimulation" in eng. Care se face intr-o clinica privata, iar ei se lauda intr-una cu succesuri. Imi pun si eu putina speranta in omenire si in mine, pentru a trece si acest obstacol si a-mi recăpăta viata ce o aveam odata, pe picioarele mele. Bottom line: facebook.com/donate/1935406726595693 Am nevoie de ajutorul vostru fosti "colegi" in bune si rele. Cine poate , ma va ajuta, cine nu, asta e ,iti multumesc oricum pentru timpul acordat si iti urez o zi bună. Multumesc tuturor anticipat , remain cool m8s. Edit:am si paypal, zyxescu@yahoo.com .
  37. 2 points
    it's always DNS (OR BGP)
  38. 2 points
  39. 2 points
    Sper ca l au luat si pe ala de dadea pe aici exploit fud si scria cu font gay
  40. 2 points
    Nu esti indexat si nu ai vizite deoarece mai sunt inca 41241242353425234234 site-uri la fel ca al tau, acceasi tema, accelasi continut, nimic unic pe el. Poti incerca sa iti scrii singur descrierile la filme si sa nu le mai copiezi din alta parte daca vrei sa ai macar o sansa.
  41. 2 points
    Administrez servere linux (orice distributie) cat si FreeBSD. Experienta in domeniu: ~22 de ani In mare, din cunostintele ce le am si ce servicii pot oferi: - Politici de securitate atat pe FreeBSD cat si pe linux - Solutii antispam si solutii de securitate pentru servere de email - Orice arhitectura de server(e) web (content delivery & caching, dual strat, clusters) - MySQL, PostgreSQL, PHP - Tehnici avansate de mitigare atacuri DDoS. - Sisteme de detectie si prevenire a intruziunilor - Audit de securitate si pregatire in vederea certificarii ISO 27001 (+ analiza riscuri) Instalez, configurez si optimizez orice fel de daemon sau aplicatie open source. De asemenea, ofer consultanta pentru necesitati hardware. Ofer factura pentru toate serviciile oferite. Pentru cotatii de pret, trimite un email te rog la tex at unixteacher dot org (sau un mesaj privat)
×
×
  • Create New...