Tuesday, June 30, 2020

TARDE INTENSA DE INCENDIOS EN VILLAFRANCA DE LOS BARROS.


Tuvieron que emplearse a fondo los profesionales del Parque Comarcal de Bomberos de Villafranca la jornada del martes 23 de junio para atender cuatro incidencias: el incendio de una nave situada en la Avenida de Almendralejo, concretamente en el patio interior de la misma que afectó a una subestación de luz; el incendio de los cables en el exterior de una vivienda en la calle Concejo, el incendio de pastos en la zona de la barriada Bonhaval; y la quema de un cañaveral próximo a la carretera de Ribera.

Related links


  1. Viaje 4 De Cristobal Colon
  2. Viaje Zombie Antidote
  3. Why Lifestyle Is Important For Modern Life
  4. Curiosidades 2019
  5. Lifestyle Kids
  6. Lifestyle Expenses 5E
  7. Viaje Vs Viaja
  8. Lifestyle 08
  9. Viaje 5 Dias Grecia
  10. Lifestyle 033
  11. Viaje 9 Dias Croacia
  12. When Lifestyle Is Sedentary
  13. Curiosidades Minecraft
  14. Curiosidades Hipopotamo
  15. Viaje Zombie Cigars For Sale
  16. Love 020 Curiosidades
  17. Viaje Honey And Hand Grenades
  18. Curiosidades Del Mundo Y La Naturaleza
  19. Viaje How To Say
  20. Curiosidades Puerto Rico
  21. Viaje Virtual A Paris
  22. Viaje Leaded
  23. Viaje Ghost Pepper
  24. Viaje 4 Dias Pais Vasco
  25. How Lifestyle Affects The Condition Of The Skin
  26. 7 Curiosidades Sobre O Universo
  27. Curiosidades India
  28. Lifestyle 18
  29. 13 Reasons Why Curiosidades
  30. Viaje Gravedad 0
  31. Viaje 2 Cast
  32. Lifestyle Flooring
  33. Viaje Gravedad 0
  34. Lifestyle 30
  35. Lifestyle Trader
  36. Viaje Por El Mundo
  37. Curiosidades 101 Dalmatas
  38. Curiosidades 7 Pecados Capitales
  39. Lifestyle Appliances
  40. Curiosidades Sobre Gatos
  41. Curiosidades En Ingles
  42. Viaje Ou Viaje
  43. Curiosidades Yoonmin
  44. Lifestyle Elliptical
  45. Lifestyle Group
  46. Is Lifestyle A Niche
  47. Who Lifestyle Guidelines
  48. To Lifestyle Synonym
  49. Curiosidades Barcelona
  50. 8 Curiosidades Sobre O Trânsito
  51. What Viajar Mean In Spanish
  52. Lifestyle Z Square Kanpur
  53. Viaje Oro
  54. Lifestyle Services Group
  55. Viaje Frases
  56. Lifestyle Motors
  57. Viaje Espacial Letra
  58. What Lifestyle Causes Diabetes
  59. Lifestyle 52
  60. Viaje Insolito
  61. Lifestyle In Spanish
  62. Curiosidades Karate
  63. Curiosidades Tortugas
  64. Will Poulter Curiosidades
  65. Is Lifestyle Open
  66. How Many Lifestyle Stores Are There In India
  67. Lifestyle Xperia Mall Palava
  68. Viaje Lleva Tilde
  69. Curiosidades 8 Mile
  70. Lifestyle Kitchens
  71. Lifestyle Screens
  72. Lifestyle 48
  73. Viaje 4 Dias España
  74. Viaje Or Cuzco
  75. Curiosidades Grace And Frankie
  76. Translation For Viaje De Ida
  77. Curiosidades Libros
  78. Lifestyle Hoodie
  79. Lifestyle 72 Stafford Lane
  80. Viaje 1
  81. Viaje Gold Bar Cigar
  82. Viaje Skull And Bones Cigars For Sale
  83. Curiosidades Xiaomi
  84. Lifestyle Articles
  85. When Does Lifestyle Sale Start
  86. Curiosidades Random
  87. Viaje Oro Review
  88. Is Lifestyle Open
  89. Lifestyle Download
  90. Viaje Birthday Blend 2020 Review
  91. Viaje Platino Perfecto
  92. Curiosidades Em Ingles
  93. Viaje 4X4 Marruecos
  94. Curiosidades Olimpiadas
  95. Lifestyle Junior Golf Tour
  96. Lifestyle Magazine
  97. Lifestyle Galaxy
  98. Curiosidades Holanda
  99. Curiosidades Naturaleza
  100. Curiosidades Ranas
  101. Are Lifestyle Condoms Durable
  102. Curiosidades Nova Zelandia
  103. Viaje How Do You Pronounce It
  104. Lifestyle Young Thug
Posted by at No comments:

7 Useful Websites for Hackers

  1. Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
  2. Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
  3. Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
  4. Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
  5. HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
  6. KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
  7. The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
Posted by at No comments:

Thursday, June 11, 2020

Magecart Targets Emergency Services-related Sites Via Insecure S3 Buckets

Hacking groups are continuing to leverage misconfigured AWS S3 data storage buckets to insert malicious code into websites in an attempt to swipe credit card information and carry out malvertising campaigns. In a new report shared with The Hacker News, cybersecurity firm RiskIQ said it identified three compromised websites belonging to Endeavor Business Media last month that are still hosting

via The Hacker News
This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com
Related news
Posted by at No comments:

Open Sesame (Dlink - CVE-2012-4046)

A couple weeks ago a vulnerability was posted for the dlink DCS-9xx series of cameras. The author of the disclosure found that the setup application that comes with the camera is able to send a specifically crafted request to a camera on the same network and receive its password in plaintext. I figured this was a good chance to do some analysis and figure out exactly how the application carried out this functionality and possibly create a script to pull the password out of a camera.

The basic functionality of the application is as follows:

  • Application sends out a UDP broadcast on port 5978
  • Camera sees the broadcast on port 5978 and inspects the payload – if it sees that the initial part of the payload contains "FF FF FF FF FF FF" it responds (UDP broadcast port 5978) with an encoded payload with its own MAC address
  • Application retrieves the camera's response and creates another UDP broadcast but this time it sets the payload to contain the target camera's MAC address, this encoded value contains the command to send over the password
  • Camera sees the broadcast on port 5978 and checks that it is meant for it by inspecting the MAC address that has been specified in the payload, it responds with an encoded payload that contains its password (base64 encoded)

After spending some time with the application in a debugger I found what looked like it was responsible for the decoding of the encoded values that are passed:


super exciting screen shot.
After spending some time documenting the functionality I came up with the following notes (messy wall of text):

CommandComments
.JGE SHORT 0A729D36; stage1
./MOV EDX,DWORD PTR SS:[LOCAL.2]; set EDX to our 1st stage half decoded buffer
.|MOV ECX,DWORD PTR SS:[LOCAL.4]; set ECX to our current count/offset
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our base64 encoded payload
.|MOVSX EAX,BYTE PTR DS:[EAX]; set EAX to the current value in our base64 payload
.|MOV AL,BYTE PTR DS:[EAX+0A841934]; set EAX/AL to a hardcoded offset of its value table is at 0a841934
.|MOV BYTE PTR DS:[ECX+EDX],AL; ECX = Offset, EDX = start of our half-decoded buffer, write our current byte there
.|INC DWORD PTR SS:[LOCAL.4]; increment our offset/count
.|INC DWORD PTR SS:[LOCAL.3]; increment our base64 buffer to next value
.|MOV EDX,DWORD PTR SS:[LOCAL.4]; set EDX to our counter
.|CMP EDX,DWORD PTR SS:[ARG.2]; compare EDX (counter) to our total size
.\JL SHORT 0A729D13; jump back if we have not finished half decoding our input value
.MOV ECX,DWORD PTR SS:[ARG.3]; Looks like this will point at our decoded buffer
.MOV DWORD PTR SS:[LOCAL.5],ECX; set Arg5 to our decoded destination
.MOV EAX,DWORD PTR SS:[LOCAL.2]; set EAX to our half-decoded buffer
.MOV DWORD PTR SS:[LOCAL.3],EAX; set arg3 to point at our half-decoded buffer
.MOV EDX,DWORD PTR SS:[ARG.4]; ???? 1500 decimal
.XOR ECX,ECX; clear ECX
.MOV DWORD PTR DS:[EDX],ECX; clear out arg4 value
.XOR EAX,EAX; clear out EAX
.MOV DWORD PTR SS:[LOCAL.6],EAX; clear out local.6
.JMP SHORT 0A729DAE; JUMP
./MOV EDX,DWORD PTR SS:[LOCAL.3]; move our current half-decoded dword position into EDX
.|MOV CL,BYTE PTR DS:[EDX]; move our current byte into ECX (CL) (dword[0])
.|SHL ECX,2; shift left 2 dword[0]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; move our current dword position into EAX
.|MOVSX EDX,BYTE PTR DS:[EAX+1]; move our current dword position + 1 (dword[1]) into EDX
.|SAR EDX,4; shift right 4 dword[1]
.|ADD CL,DL; add (shift left 2 dword[0]) + (shift right 4 dword[1])
.|MOV EAX,DWORD PTR SS:[LOCAL.5]; set EAX to our current decoded buffer position
.|MOV BYTE PTR DS:[EAX],CL; write our decoded (dword[0]) value to or decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; increment our position in the decoded buffer
.|MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current dword position
.|MOV CL,BYTE PTR DS:[EDX+1]; set ECX to dword[1]
.|SHL ECX,4; left shift 4 dword[1]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current dword position
.|MOVSX EDX,BYTE PTR DS:[EAX+2]; set EDX to dword[2]
.|SAR EDX,2; shift right 2 dword[2]
.|ADD CL,DL; add (left shift 4 dword[1]) + (right shift 2 dword[2])
.|MOV EAX,DWORD PTR SS:[LOCAL.5]; set EAX to our next spot in the decoded buffer
.|MOV BYTE PTR DS:[EAX],CL; write our decoded value into our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.|MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current half-decoded dword
.|MOV CL,BYTE PTR DS:[EDX+2]; set ECX dword[2]
.|SHL ECX,6; shift left 6 dword[2]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current half-decoded dword
.|ADD CL,BYTE PTR DS:[EAX+3]; add dword[2] + dword[3]
.|MOV EDX,DWORD PTR SS:[LOCAL.5]; set EDX to point at our next spot in our decoded buffer
.|MOV BYTE PTR DS:[EDX],CL; write our decoded byte to our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.|ADD DWORD PTR SS:[LOCAL.3],4; increment our encoded buffer to point at our next dword
.|MOV ECX,DWORD PTR SS:[ARG.4]; set ECX to our current offset?
.|ADD DWORD PTR DS:[ECX],3; add 3 to our current offset?
.|ADD DWORD PTR SS:[LOCAL.6],4; add 4 to our byte counter??
.|MOV EAX,DWORD PTR SS:[ARG.2]; move total size into EAX
.|ADD EAX,-4; subtract 4 from total size
.|CMP EAX,DWORD PTR SS:[LOCAL.6]; compare our total bytes to read bytes
.\JG SHORT 0A729D50; jump back if we are not done
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our last DWORD of encoded buffer
.MOVSX ECX,BYTE PTR DS:[EDX+3]; set ECX to dword[3] last byte of our half-decoded dword (dword + 3)
.INC ECX; increment the value of dword[3]
.JE SHORT 0A729E1E
.MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current half-decoded dword
.MOV DL,BYTE PTR DS:[EAX]; set EDX (DL) to dword[0]
.SHL EDX,2; shift left 2 dword[0]
.MOV ECX,DWORD PTR SS:[LOCAL.3]; set ECX to our current encoded dword position
.MOVSX EAX,BYTE PTR DS:[ECX+1]; set EAX to dword[1]
.SAR EAX,4; shift right 4 dword[1]
.ADD DL,AL; add (shifted left 2 dword[0]) + (shifted right 4 dword[1])
.MOV ECX,DWORD PTR SS:[LOCAL.5]; set ECX to point at our next spot in our decoded buffer
.MOV BYTE PTR DS:[ECX],DL; write our decoded value (EDX/DL) to our decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to point at our dword
.MOV AL,BYTE PTR DS:[EDX+1]; set EAX/AL to dword[1]
.SHL EAX,4; shift left 4 dword[1]
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current dword
.MOVSX ECX,BYTE PTR DS:[EDX+2]; set ECX to dword[2]
.SAR ECX,2; shift right 2 dword[2]
.ADD AL,CL; add (shifted left 4 dword[1]) + (shifted right 2 dword[2])
.MOV EDX,DWORD PTR SS:[LOCAL.5]; set EDX to point at our current spot in our decoded buffer
.MOV BYTE PTR DS:[EDX],AL; write our decoded value to the decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to point at our current dword
.MOV CL,BYTE PTR DS:[EAX+2]; set ECX/CL to dword[2]
.SHL ECX,6; shift left 6 dword[2]
.MOV EAX,DWORD PTR SS:[LOCAL.3]; point EAX at our current dword
.ADD CL,BYTE PTR DS:[EAX+3]; add dword[3] + (shifted left 6 dword[2])
.MOV EDX,DWORD PTR SS:[LOCAL.5]; point EDX at our current decoded buffer
.MOV BYTE PTR DS:[EDX],CL; write our decoded value to the decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; increment our deocded buffer
.MOV ECX,DWORD PTR SS:[ARG.4]; set ECX to our current offset?
.ADD DWORD PTR DS:[ECX],3; add 4 for our current byte counter?
.JMP 0A729EA6; jump

Translated into english: the application first uses a lookup table to translate every byte in the input string, to do this it uses the value of the current byte as an offset into the table.  After it is done with "stage1" it traverses the translated input buffer a dword at a time and does some bit shifting and addition to fully decode the value. The following roughly shows the "stage2" routine:
(Dword[0] << 2) + (Dword[1] >> 4) = unencoded byte 1 
(Dword[1] << 4) + (Dword[2] >> 2) = unencoded byte 2 
(Dword[2] << 6) + Dword[3] = unencoded byte 3

I then confirmed that this routine worked on an "encoded" value that went over the wire from the application to the camera. After confirming the encoding scheme worked, I recreated the network transaction the application does with the camera to create a stand alone script that will retrieve the password from a camera that is on the same lan as the "attacker". The script can be found here, thanks to Jason Doyle for the original finding (@jasond0yle ).
More articles
  1. Hacker Wifi Password
  2. Hacking Books
  3. Pentest Tools
  4. Hacker Attack
  5. Hacking Language
  6. Pentest Azure
Posted by at No comments:
Subscribe to: Posts (Atom)