Jump to content


Active Members
  • Content count

  • Joined

  • Last visited

  • Days Won


gigiRoman last won the day on March 27

gigiRoman had the most liked content!

Community Reputation

100 Excellent

About gigiRoman

  • Rank
    Registered user
  • Birthday 02/05/77
  1. Ajutor port forward

    Folosesti un proxy (server de comanda). Iti mai faci un client (client1) care sa fie pe aceeasi masina cu serverul NAT-uit. Ambii clienti se conecteaza la proxy. Cand clientul face un request la proxy, proxyul il fwdeaza catre client1 care face requestul pe localhost. Urmezi firul pentru response. Am mai facut scheme din astea pe tcp cu c# si mi-au iesit. Serverele nu erau http, erau in blana. Am incercat o schema: https://imgur.com/O4NInNY
  2. A lucrat cineva cu algoritmul RSA?

    Cred ca rsa e utila doar pt pki https://security.stackexchange.com/a/33445
  3. John Skeet ce zice? Tare topicul, chiar nu stiam: "This happens for example for auto generated properties, the yield keyword, lambda & anonymous functions/delegates, the new async keyword (the one that is introduced in the Async CTP and that will probably be present in C# 5.0)" "you are looking at a class that was automatically generated to implement closure semantics. My handy guide to interpreting the magic names that the C# compiler generates when it has to make something on your behalf is here: Where to learn about VS debugger 'magic names'" Sursa: https://stackoverflow.com/questions/7357525/empty-before-c-sharp-class-name https://stackoverflow.com/a/2509524
  4. Intrebare ascultare telefon

    POLIANDRÍE s. f. Formă de organizare a familiei (întâlnită astăzi numai la unele triburi primitive) în care o femeie are în același timp mai mulți soți. [Pr.: -li-an-] – Din fr. polyandrie.
  5. Intrebare ascultare telefon

  6. Ce carti mai cititi?

  7. Ajutor!!

    7500 lei a fost taxa la masterul de la Academia Tehnica Militara pe 1,5 ani. Lol.
  8. By Anatoly Kazantsev on November 8, 2017. 10:00 am sursa: https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/ The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process. Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe. But some samples employ other interesting methods. We’re going to discuss one such type of malware. Our eye was caught by various samples for .NET that use the trusted application InstallUtil.exe from the Microsoft .NET Framework (information from Microsoft’s website: “The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies. This tool works in conjunction with classes in the System.Configuration.Install namespace”). The technique was described by information security researcher Casey Smith aka subTee (Proof of Concept). Briefly, the console utility InstallUtil.exe runs a malicious .NET assembly, bypassing the entry point of the assembly; all malicious activity is then hidden in the context of the trusted process. The spreading of malicious samples follows a standard pattern: they basically reach the user in a password-protected archive, and the executable file icons in most cases are chosen specially so that the victim perceives the file as a normal document or photo. We also encountered executable files masquerading as a key generator for common software. To begin with, the malicious content of the generator got inside the %TEMP% folder, where it was run later in the described manner. Users are misled by executable file icons Analysis All the malicious files we encountered were heavily obfuscated, which complicated their manual analysis. We took the sample 263dc85de7ec717e8940b1ccdd6ee119 and deobfuscated its strings, classes, methods, and fields. Here’s how the file looked before deobfuscation: Sample before deobfuscation InstallUtil.exe allows file execution to start not from the .NET assembly entry point: execution begins from a class inherited from System.Configuration.Install.Installer. To facilitate manual analysis, this class was renamed InstallUtilEntryClass in the sample under investigation. The code in static class constructors is known to execute first when the assembly is loaded into memory, a feature utilized by the authors of this piece of malware. Let’s examine the behavior of the malicious file in the order of methods execution. First up is FirstMainClass, since its constructor is marked with the keyword “static” and assembly execution begins with it: The static constructor of FirstMainClass that is triggered when the assembly is loaded The constructor does the following: CheckSandboxieEnvironment() determines whether the file is running in Sandboxie by attempting to load the SbieDll.dll library. If the library can be loaded, the malicious process terminates; CheckVirtualBoxEnvironment() searches for the vboxmrxnp.dll library, which belongs to VitrualBox. If the library can be found, the malicious process likewise terminates; AddResourceResolver() adds a method for handling the resource load event. This method unpacks the assembly, which is packed by the Deflate algorithm, from a specific resource and loads the assembly into memory; The method responsible for loading the assembly from the resource The assembly is unpacked from the resource and loaded into memory The UnpackAllAssemblies() method of the AssemblyResourceLoader class iterates through all the assembly resources and, if the resource name contains the string “+||”, unpacks the assemblies from these resources. The assemblies unpacked by this method are required by the malicious file to operate, and are legitimate libraries: Interop.MSScript.Control, Interop.TaskScheduler, SevenZipSharp; RemoveZoneIdentifier() deletes the NTFS alternate stream Zone.Identifier through the command line to prevent a warning at startup if the file was downloaded from the Internet. The authors made a slight mistake in the command line (“cmd.exe /c (echo. > file path:Zone.Identifier) 2 > Null”) by leaving a space between the characters 2 and >, which produces an error in the console: The warning issued on deleting Zone.Identifier The ElevatePrivilegesProxy() method is the wrapper for the ElevatePrivileges() method, which in turn uses the known UAC bypass technique described by Matt Nelson aka enigma0x3. Control then passes to the traditional entry point—the Main() method, which is located in the Form5 class: The traditional entry point is the Main() method We see that a WMI object is retrieved after a 30-second pause. Next, the ScriptControlClassInstance object is customized, which the language (Visual Basic script) and the body of the script are transferred to: The script that runs the executable file using InstallUtil.exe The AddCode() method adds and executes a VB script that runs the current assembly using InstallUtil.exe. After that, the current process is closed by calling Environment.Exit(0). At the next stage, the malicious object is run using the InstallUtil tool and once more executes the static constructor of the FirstMainClass class examined above; control passes to the static constructor of the InstallUtilEntryClass class, which, as mentioned, is inherited from System.Configuration.Install.Installer: The static class constructor called by InstallUtil.exe The functions of this class include: Copying the malicious file to %APPDATA%\program\msexcel.EXE, setting the Hidden+System attributes for the “program” folder, running msexcel.EXE, and terminating the current process; Adding the copied file to autorun (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run); Creating a task called “filesqmaepq0d.tnk” that runs msexcel.EXE every minute to ensure survival on the victim’s computer; Checking if the malicious process is already running. An event with the name “78759961M” is created, and if such an event already exists in the system, the new process terminates; Creating the Form5 class and calling its destructor. Let’s sum up the interim results: all the actions described above (entrenchment in the system, elevation of privileges, startup from a trusted application) are essentially laying the foundation for the main task. Let’s move on to analyzing the next stage of the preparatory actions, which will take us closer to the heart of the malicious activity. The malicious assembly contains, inter alia, five classes inherited from System.Windows.Forms.Form. Inheritance from the Form class is not accidental: in its inheritance hierarchy it implements several interfaces, one of which is IDisposable, which allows to override the Dispose() method for its own purposes. Dispose() methods are called by the garbage collector in order to free up unmanaged resources used by the class when closing or unloading the assembly. Now let’s look at the source code of the Dispose() method of the Form5 class: The overridden Dispose() method of the Form5 class As we can see, various methods are executed at each iteration of the cycle, and the results are saved. Let’s take a closer look: At the first iteration, the full path to the RegAsm.exe utility from .NET Framework is retrieved; A chain of nested methods is called with a view to decoding strings from Base64 that are stored in another class and unpacking the resulting array using the SevenZipExtractor library. As a result, we get an array that is the remote administration tool NanoCore Client; The PERun.dll library is loaded from the assembly that was previously unpacked from the resource into memory; A class with the name “RunPE” and the Run method of this class are sought in this library; At the final iteration, the parameters are transferred and the Run method is called. Knowing that the legalProgramPath variable contains the full path to the legitimate utility RegAsm.exe, PEFileByteArray contains the executable file in the form of a byte array, while the class name is RunPE; it is not hard to figure out that the Run() method employs the technique of hiding malicious code in the address space of the trusted process RunPE. This technique is widely known and described here, for instance. Deep inside the Run() method, a legitimate utility process is created in CREATE_SUSPENDED state (the sixth parameter is 4u): Creating a legitimate program process in CREATE_SUSPENDED state Eventually, the RegAsm.exe process is loaded in the address space and starts to execute the payload: the remote administration tool NanoCore Client. Only trusted processes remain in the list of running processes, and even an experienced user might not realize that the system is compromised: Only legitimate utilities can be seen in the list of running processes RegAsm.exe was chosen as the “carrier” because (a) it is a legitimate utility from Microsoft, (b) it is located in the same directory as InstallUtil.exe, and (c) a utility from .NET Framework calling another utility from the same framework is less suspicious than calling, say, notepad.exe. In fact, the use of RegAsm.exe is not critical: the “carrier” could be any program that does not arouse the suspicion of security software and users. It is also important that all actions involving a malicious module are executed in memory, which allows file scanners to be bypassed. As we’ve mentioned, this sample contains NanoCore Client, which can be used to control the victim’s computer, take screenshots, record keystrokes, download files, and much more. It should be noted that the payload here can be anything: from “fashionable” encrypters and miners to advanced Trojans. Conclusion Malware writers employ various tricks to conceal malicious activity, and the above technique allowing the execution of malicious code in the context of two legitimate programs is an obvious example. Detecting this kind of concealment method requires a behavioral analysis of the program. Kaspersky Lab’s security solutions detect this behavior as PDM: Trojan.Win32.Generic and PDM: Exploit.Win32.Generic. IOC (MD5) 263DC85DE7EC717E8940B1CCDD6EE119 payload: EF8AF3D457DBE875FF4E3982B34F1DE9 3E4825AA1C09E27C2E6A1309BE8D6382 payload: 82709B139634D74DED404A516B7952F0 7E3863F827C1696835A49B8FD7C02D96 payload: D1A9879FFCB14DF70A430E59BFF5EF0B 8CB8F81ECF1D4CE46E5E96C866939197 payload: D8652841C19D619D2E3B5D7F78827B6E FDF4086A806826503D5D332077D47187 payload: BF4A3F4B31E68B3DE4FB1F046253F2D0
  9. Sursa: https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks Introduction Over the past few weeks, there have been several reports about the Microsoft Dynamic Data Exchange (DDE) vulnerability. To no one's surprise, hackers have been quick to exploit this vulnerability to spread malware through rigged Microsoft Word documents. In this same timeframe, the Zscaler ThreatLabZ team has seen a number of these malicious documents using the DDE vulnerability to download and execute malware. Most of the payloads we saw were Remote Access Trojans (RATs), ransomware, and backdoors. In this blog, we will share a detailed technical analysis of a few of these exploitations and their payloads. Background The Microsoft Dynamic Data Exchange (DDE) protocol allows data to be transferred between applications. These applications can use DDE for one-time data transfers or for continuous exchanges; for example, a Microsoft Word document that uses data from an Excel spreadsheet is updated automatically through DDE as the spreadsheet data is updated. The DDE protocol sends messages between applications that share data and uses shared memory to exchange data between the applications. Microsoft Word documents have been used before to spread malware, but in those cases the victim would have to manually enable macros for the payload to be downloaded onto the victim’s system. With the DDE vulnerability (feature) in Microsoft Word, attackers can embed a malicious script that can download and execute malware without the use of macros. Case I: DDE protocol abuse leads to post-exploitation using PowerShell One Word file we analyzed exploited the DDE vulnerability to download and execute a PowerShell script using a post-exploitation framework. Filename - Communications_Suggestions_by_Press_Office_Director.docx The document looks like this: Fig1: Malicious document Generally, fake documents like this are spread via an email campaign targeting small and large groups of businesses in numerous industry sectors. The workflow of the document is as follows: Fig2: Document Workflow (case I) In this document, the attacker uses the DDE protocol to launch a Windows command line tool (cmd.exe), which uses PowerShell to download and execute the malware from a given URL. The field content looks like this: Fig3: DDE field code It downloads and executes a file using cmd.exe and PowerShell, which is present at the following URL: hxxp://citycarpark[.]my/components/com_admintools/mscorier. The downloaded data (mscorier) is an obfuscated batch script that creates a PowerShell script and executes it. Fig4: Obfuscated batch script (payload 1) This script downloads another payload (wsdprintproxy) from hxxp://185.128.42[.]194/wsdprintproxy and stores it in the following registry to make itself persistent: HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\ThemeVersion Fig5: Storing payload 2 in registry Fig6: Registry entry of payload 2 For persistence, payload 1 also creates two scheduled tasks, which execute the obfuscated script. Fig7: Code for persistence One scheduled task is created with name FlashUpdateServiceInit, which runs daily at 11:00 a.m., and another task with name FlashUpdateService, which runs daily at 3:00 p.m. After these tasks run, the script bypasses the PowerShell ScriptBlock logging, which means that the first execution of the malicious script will turn off all further logging. Fig8: Enabling script block logging To download its next payload, the malware initiates a GET request with the cookie “session=j4ppw/hpWdU/l5V3v9eymlAYxmE=” and downloads payload 3 from hxxps://185.128.42[.]194:8080/news.php. Fig9: Downloading payload 3 from server Fig10: Downloaded encrypted payload 3 The downloaded data is encrypted with RC4. Data[0:4] = IV Data[4:length(Data)] = Encrypted data Key is hardcoded in the script which is: Key = “a231fe7690a85f02eb147f53229c8e02” Fig11: RC4 algorithm The script will decrypt the downloaded data. It is, again, a PowerShell script, which is executed after decryption. The decrypted PowerShell script sends the encrypted RSA key with “IV” to the server at: hxxps://185.128.42[.]194:8080/news.php. In response, the server sends the encrypted AES key to victim. The script fetches information from the victim’s machine, encrypts it with the AES key, and sends it to the server at: hxxps://185.128.42[.]194:8080/process.php. Nonce|Server_URL|UserDomainName|UserName|Machine|IPAddress|OperatingSystem|True(if UserName=”system”)Otherwise False|CurrentProcessName|ProcessID|powershell|PowershellVersion The server responds with the final payload PowerShell script which appears to be a part of the PowerShell empire framework post-exploitation. Transactions of this post-exploitation framework look like this: Fig12: Network transactions The PowerShell empire is a post-exploitation framework that provides a Metasploit-like framework in PowerShell and Python. It includes different types of backdoors with multiple modules. It deals strictly with Windows machines and is extremely useful in penetration testing. In some cases, however, attackers use this framework to hijack a user’s system and perform malicious activities. Case II: DDE protocol abuse leads to Locky ransomware In another recent case, a campaign of spam emails was delivering a Word document attachment that used the DDE technique, and the final payload of that campaign is Locky ransomware. Fig 13: DDE protocol abuse leads to Locky ransomware (case II) In this case, attackers are writing obfuscated malicious field code in Word documents to evade detection; this code can be found in word-document.xml after extraction. Fig14: Field word-document.xml obfuscated code The exploit downloads the encoded PowerShell script from: hxxp://lestrangeresearch[.]com/kdjsw23FGS. It then decodes and executes it through cmd. Fig15: Encoded PowerShell (payload 1) The decoded script look like this: Fig16: Decoded PowerShell script (payload 1) The decoded PowerShell script has six hardcoded malicious URLs. The script will try to download the content from a URL and store it in %temp% with the name hti4.exe. Upon successful download, the script executes the downloaded file. Fig17: Downloaded payload 2 Payload 2 is the intermediate payload. Its function is to check the system for specified parameters. If it satisfies specific criteria, it then downloads encrypted data from: hxxp://spooner-motorsport[.]com. Fig18: Encrypted Locky ransomware (payload 3) This encrypted data is decrypted and launched by the intermediate payload (payload 2). After decryption, the final payload is Locky ransomware, which encrypts the files, appends the .asasin extension after encryption, and demands ransom in Bitcoin for decryption. Fig19: Ransom note (asasin.bmp) Fig20: Locky payment site Case III: Attack in New York Recently, researchers at McAfee found a new phishing campaign from Russia's hacking group APT28 known as “Fancy Bear.” APT28 capitalized on the recent terror attack in New York City by spreading email with an attached malicious Word document named IsisAttackInNewYork.docx, and the document appears to leverage the DDE technique. In this case, the first-stage payload was a PowerShell script that downloads another base64 encoded PowerShell script. After that, the second-stage payload script downloads a new variant of Seduploader, which is spyware capable of taking screenshots, gathering sensitive data, and other intrusive activities. Preventions: If a document contains embedded malicious DDE code, it shows the following warning to users as they open it. Fig 21: Microsoft Word warning The best way to prevent this DDE attack vector is to click “No” when this dialog box appears; this will stop further execution of the malware. Another way to prevent this attack is to disable it by modifying the registry. Microsoft has also published security advisoryfor securely opening Microsoft documents that contain a DDE field. Conclusion: Attackers are abusing the Microsoft DDE protocol to download and execute malware using PowerShell. In an earlier case, PowerShell led to an entire post-exploitation framework used for penetration testing. But attackers are using the framework for malicious purposes, such as stealing a user’s sensitive information, uploading and executing malware on a user’s machine, altering the user’s data, and so on. In recent cases, the DDE protocol led to ransomware, including Locky, which encrypts the victim’s data and demands ransom for the decryption. The malware analyzed in this blog is detected as COM.Downloader.DDE
  10. Primul robot care a devenit cetatean

    Un roman isi cumpara o inteligenta artificiala Sophia(zeita intelepciunii) si aia il futea la icre cu inteligenta sa. La care ii spune omul: "Da, ho, fa! Ia mai taci, bine ca esti tu desteapta". Ea avand o inteligenta emotionala se incurajeaza, se conecteaza la serverele pornhub si se pune pe treaba si invata toate pozitiile, inclusiv expresia faciala a suptului. Dupa care el ii ia un vagin inteligent de la nest caruia poate sa ii seteze temperatura, umiditatea si gradul de librifiere prin intermediul telefonului mobil, ca sa o programeze din drum spre casa ca pe aerul conditionat. Dp care intra un hacker de sentimente care facea parte din misa si o converteste la lesbianism si Sofia devine primul android din comunitatea LGBTQ si se indragosteste de o lesbiana masculinizata cu mustata de mamaie poreclita Butch, care o paraseste pt un Sistem de Operare IOS 9.0. Si apoi isi varsa amarul in malware si practica raporturi neraportabile cu un psdist din Alexandria si voteaza la mai multe maini pt legalizarea casatoriei intre androizi si aifoni. Si in final fuge cu o masina selfdriving(electrica) si este prinsa de o gasca de tigani care fura benzina direct din cisternele de tren si este vanduta cu tot cu masina la un depozit de fiare vechi si dusa pe vapor la o fabrica de vibratoare inteligente cu gps de otel inoxidabil la care lucreaza minori din bangladesh. END Acum serios, internetul si smartphoneurile nu existau fara consumatorii de pornografie.
  11. Primul robot care a devenit cetatean

    Viitorul suna bine: O inteligenta artificiala care a crescut printre tigani facea parte din lumea interlopa si ciordea bani din conturile clientilor corporatiei x si a cerut azi politic in coreea de nord.
  12. DefCamp 2017

    Offtopic: ce legatura are codette.ro cu o conferinta de infosec??? Citez " PY@CODETTE Py@Codette - un workshop unde învățăm fete de liceu și studente să programeze în Python, mâncăm plăcinte și legăm prietenii. De la bazele programării și până la procesare de imagini, sau hacks pentru mail/automatizarea task-urilor făcute pe Facebook și până la game programming" Urmatorul proiect: invatam mamele singure sa programeze in brainfuck. Ireal.
  13. C/C++ — Manual Dll Injection | Manual Mapping

  14. Adb device not authorized

    Am rezolvat problema ruland nexus root toolkit in bootloader/ twrp. Se poate inchide thread-ul.
  15. Adb device not authorized

    Salut, Am avut instalat kali nethunter pe un nexus 5 si am dat din prostie factory reset. Ideea e ca acum cand incerc cu nexus root toolkit sa ii fac root din nou primesc mesajul "device not authorized". Am incercat cam tot: reenable developer mode etc, tot ce e in linkul asta: https://tutel.me/c/android/questions/153913/adb+device+unauthorized+android+601+nexus+6p Imi si lipseste la developer options "Revoke USB debugging authorization" Sistem de operare 6.0.1 build M4B30Z. La kernel version imi apare inca root@kali. Pot copia in vreo cale cheia publica a pc-ului? SuperSU nu detecteaza root-ul, dar in twrp inca mai e structura de directoare ca in kali. Multumesc.