Monday, December 28, 2020

Get Guaranteed DA50+ for %domain%

hi there

Get an amazing Domain Authority score above 50 for your website and
increase sales and visibility in just 30 days
https://www.str8creative.co/product/moz-da-seo-plan/

Service is guaranteed

Regards
Mike
Str8 Creative
support@str8creative.co

Wednesday, December 23, 2020

Sunday, December 20, 2020

Our most powerful SEO Ultimate Plan

hi there

Getting Top 10 Position in Search Engines is a Must for every Website if
you are really serious to do Online Business. If you are not in top 10 it
means you are getting only 5% of visitors for that particular keyword.


Please find more information on our plan here:
https://str8creative.co/product/seo-ultimate/


thanks
Creed
support@str8creative.co

Saturday, November 28, 2020

Monday, November 23, 2020

Cheap Monthly SEO plans %domain%

hi there

After checking your website SEO metrics and ranks, we determined that you
can get a real boost in ranks and visibility by using any of our plan below
https://www.cheapseosolutions.co/cheap-seo-packages/index.html

cheap and effective SEO plan
onpage SEO included

For the higher value plans, DA50 DR50 TF20 SEO metrics boost is included

thank you
Mike
support@cheapseosolutions.co

Thursday, November 19, 2020

re: need unique domains backlinks

hi there

Do you mean that you want 1 backlink from 1 domain? unique domains links
like this?

yes, we offer that here
https://str8creative.co/product/unique-domains-links/

thanks and regards
Mike
support@str8creative.co

Wednesday, October 21, 2020

Domain Authority 50 for your website - Guaranteed Service

We`ll get your website to have Domain Authority 50 or we`ll refund you every
cent

for only 150 usd, you`ll have DA50 for your website, guaranteed

Order it today:
http://www.str8-creative.co/product/moz-da-seo-plan/

thanks
Alex Peters

Tuesday, October 6, 2020

re: I`m interested in your offer of Social Signals

hi
insalata-toscana.htmlnoreply

Glad to hear that, here are the details below

More information here:
http://www.realsocialsignals.co/buy-social-signals/

For the best ranking results, buy Monthly basis Social signals, provided
daily, month after month:
http://www.realsocialsignals.co/custom-social-signals/


Regards
Kai

http://www.realsocialsignals.co/unsubscribe/


2018-11-9, Wed, 19:37 insalata-toscana.htmlnoreply
<insalata-toscana.htmlnoreply@blogger.com> wrote:
Hi there, Please send me the Social signals offer that we talked about
over the phone. I`m interested and I want to boost my SEO metrics with this
new SEO method. Thanks again, will wait your reply.

Thursday, October 1, 2020

re: Social traffic

hi
outvideonoreply

here it is, social website traffic:
http://www.mgdots.co/detail.php?id=113


Full details attached




Regards
Rena Riche

Unsubscribe option is available on the footer of our website

Saturday, September 26, 2020

Domain Authority 50 for your website - Guaranteed Service

We`ll get your website to have Domain Authority 50 or we`ll refund you every
cent

for only 150 usd, you`ll have DA50 for your website, guaranteed

Order it today:
http://www.str8-creative.co/product/moz-da-seo-plan/

thanks
Alex Peters

Wednesday, September 23, 2020

What Does It Profit A Man...?

I was in my local Second Hand games store today, I'm not a collector of games, but I enjoy keeping an eye on how much things go for these days, and I like to see in real life a few of the old games I used to play and enjoy.

Anyway, as often happens on these trips, I was thrown back by the price of a few of the old games I saw, especially some very mediocre PS1 games, games being sold with a price tag WAAAAY beyond their quality! It's incredible! Star Ocean 2, £79! Ehrgeiz, £49! Then looking over to the SNES- Secret of Evermore, £79! And for the NES, Popeye, £79!

It got me thinking a little bit later about the value we put on things.

These games are expensive more because they are rare than because they are good, they are sought after, they have a value from their limited availability.

And then what about my immortal soul?

The crazy thing is, in God's point of view, my soul has a value of an inestimable amount, it was ransomed neither by gold or silver, but the blood of the lamb without stain.

So we are talking like a Stadium Events or something, really rare, super valuable.

And what am I willing to trade my soul in for?

Thank Almighty God for instituting the sacrament of confession....He didn't need to, it could have been a no refunds policy- you trade your soul in once, you've lost it. Praise the Mercy of Almighty God for confession, we can get that Stadium Events back even if we traded it in for Fifa 2000, we can come before Almighty God in humility, through His minister the Catholic Priest, and be restored once again with that precious soul, that soul of incomparable worth- My friends, keep it mint in box, so that when its true owner inspects it He finds it worthy of His collection.

Wednesday, September 16, 2020

Saturday, September 12, 2020

The Nebulous Void, Curio Shop For A Tabletop Roleplaying Game

 

Tickhill antique shop, early 1900s

The Nebulous Void looks like the antique shop where you would find a cursed item, or a great treasure. Packed on the shelves of the main room are curiosities from everywhere. There are always items the customers, here and now, have never seen before. Scattered throughout the shop are the mundane, the artistic, the rare, and the extraordinary.

A sign sits on the counter opposite the front door that reads, "Be careful of what you touch." If the proprietor is asked what that means he responds with a smirk and "Many of the pieces are fragile and irreplaceable. It is up to the person looking to ensure they do not have to buy something they don't want or can't afford."

This elderly shop owner has an age defying look. He has strabismus, his light blue eyes don't look in the same direction. His right eye looks to the upper right while his left looks slightly to the left. This doesn't affect his vision in any way, but it is hard to tell where the man is looking. When he is talking it is hard to tell who he is looking at. His grey hair is still streaked with some black. It is pulled back and held at the base of his skull by a ribbon. The ribbon's color is always changing, sometimes it's different when he re-enters the room. His hair and eyes seem to contrast with the smoothness of his skin. There are few wrinkles on his face and his hands look like they belong to a young man.

The proprietor's wardrobe is a broad collection of fashions. It includes pieces from the past and from all over the world. There are times his ensemble is coordinated for a specific look and then there are other days where it appears he was dressed by the combined efforts of toddlers.

When referring to himself, the elderly man calls himself The Proprietor of the store, or another similar title. He never gives his name. If pushed, he will simply claim there is power in a person's true name. If they need to use a name, he tells them to call him Mister Void and changes the subject.

Market in Zanzibar

The Proprietor has the uncanny ability of seeming to know what a person in his store is looking for. It is almost like he has listened in on the plans the people made to visit him. Many times he states he doesn't have what they are looking for, but he has something else they would be interested in. Something he has just set out in the back room.

There are two public rooms in the Nebulous Void. The front room contains a wide assortment of items that range in value and description. It is something that these items remain on the shelf, but every person has the feeling that they should not even try to take something they haven't purchased or been given.

The back room is behind a curtain of an old patterned blanket. This is where people are ushered to look at a specific item or items The Proprietor has deemed they would be interested in. The back room has a door leading out the back of the building and a staircase leading to the second level of the building. Inside the room are a couple of tables. All of the tables except for the one in the middle of the room are scattered with items. It looks like the old man has been sorting through the items. Again, it appears there is stuff from many different times and places.

The center table has a couple of odd items and the main pieces he wants to show to the particular customer he thinks will be interested in. It is never known for sure what The Proprietor will have laid out on the table for display.

If people are interested in seeing what is happening at the Nebulous Void, they can watch it from outside. It doesn't appear The Proprietor ever leaves. Food and drink are delivered on a regular basis from different markets and a person shows up every couple of days to take garbage out the back door. None of these people can add any additional information about the shop.

There never seem to be many people visiting the store. When someone is in the Nebulous Void, it is a rare event that another enters. One of the mysteries that may be seen is someone entering the store who then doesn't leave. They may also witness a person leaving they never saw enter.

If a person is hired to watch the store, the report is even vaguer. The person didn't see anything except a customer or a delivery being made where the person entered and left a few minutes later. If they are hired over a few days, the daily reports are almost identical for each day.

The Nebulous Void is also a place where oddities can be sold. Basically anything can be sold there at a fair market value. But once something is sold there, the person will not see it again. They may try to go back and purchase it, but will be calmly told it is no longer available.

Game Master Notes

The Nebulous Void is a place that can be used in practically any game setting and be manipulated in many different ways. It is a place that could be in different campaigns in completely different places and still be the "same" place. Some ideas that can be used in your game are:

The Nebulous Void is an intersection of time and space. The Proprietor manages this gate for travelers. He doesn't share the information readily. However, the players may be given information that will allow them to gain the help of The Proprietor and his abilities to get them someplace else.

The Nebulous Void doesn't fully exist on this plane of existence. It is a place that is there when it is needed. At other times it cannot be found. The Proprietor is an existential being that is only partially grounded in existence and inhabits time and space in a manner that other creatures are unable to fully comprehend. It could just be that the artifact he just purchased is unavailable because he placed it back in time so it could be found when it was needed.

There are many ways The Proprietor and The Nebulous Void can be twisted to fit that oddity needed to give rise to the level of the unexplained.

 

Market in Shanghai

I'm working at keeping my material free of subscription charges by supplementing costs by being an Amazon Associate and having advertising appear. I earn a fee when people make purchases of qualified products from Amazon when they enter the site from a link on Guild Master Gaming and when people click on an ad. If you do either, thank you.

If you have a comment, suggestion, or critique please leave a comment here or send an email to guildmastergaming@gmail.com.

I have articles being published by others and you can find most of them on Guild Master Gaming on Facebook and Twitter (@GuildMstrGmng).

 

 

 

Resident Evil 2 Remake | Review




My best remake experience is playing the 2002 remake of the first Resident Evil on GameCube, with its perfectly refreshed visuals, totally new areas to explore, and unnerving new monsters. Now, in 2019, Capcom has given me another experience I'll recollect for quite a while: this ground-up remake of Resident Evil 2 is an extremely fun, exceptionally frightening experience because of its totally new and modern graphics, controls, and some brilliant quality-of-life upgrades. The two playable characters' stories aren't as different as I'd expected, yet I enjoyed every gory moment of my return to Leon Kennedy and Claire Redfield's shoes.

Reliving familiar frights can often make for a less than exciting horror experience. But, with the remake of Resident Evil 2, Capcom shows respect for the original while additionally putting forth an admirable attempt to give the macabre atmosphere and tense gameplay a recognizable upgrade. In doing so, this revamp of the classic survival horror game shows that the series can still offer a terrifying experience like no other.




Resident Evil 2 takes place in the zombie-infected Raccoon City. The story follows rookie cop Leon Kennedy and college student Claire Redfield, who is searching for her brother, Resident Evil protagonist Chris Redfield. Leon is drawn into the path of a mysterious femme fatale. Claire takes responsibility and tries to protect a kid. Their stories intersect: players experience one story, then play the other character's perspective, making a tapestry of one night's events in Raccoon City.

Resident Evil 2 is terrifying, and in an effective way that few other games manage to accomplish. The game is astonishing in the manner in which it fills players with fear, building anxiety with splendid sound design, cunningly placed jump scares, and overwhelming darkness. Players spend the vast majority of the game fumbling through the dark, often running low on supplies and constantly having to deal with a variety of undead horrors like zombies, lickers, and that's only the tip of the iceberg. Even standard zombies are a threat this time around, making each experience tense and meaningful.




Out of all the freaky monsters in Resident Evil 2, the scariest is by far the Mr. X Tyrant. Mr. X's appearance in the first Resident Evil 2 earned him a frightful reputation, but in the remake, he's a true force to be reckoned with. Whenever he shows up, Mr. X relentlessly stalks players, following them room to room like a slasher movie villain. Hearing his relentless footsteps getting louder and louder, knowing there is nothing you can do to stop him, fills you with a true sense of dread. With Mr. X breathing down their neck, Resident Evil 2 players will understand that the horror movie trope of people tripping or committing mistakes when running from the villain isn't as outlandish as it appears. Players will fumble with their inventory as they attempt to rapidly solve puzzles before Mr. X arrives, or they may make a wrong turn and end up at a dead end, leaving them no choice but to confront the hulking monstrosity head-on.

Both Claire and Leon have two different versions of the campaign, and after completing the first run for one, you'll be prompted to begin a follow-up with the other. Called Second Scenarios, they allow you to see the larger story from a different perspective. Both scenarios are completely isolated from one another, and decisions in one won't affect the other; however, what makes these second runs a bit worthwhile are some experiences and sub-plots that don't happen in the first. It's an exceptionally fascinating approach to encounter the story, and with four versions of the campaign between the two leads - with the initial two averaging 11-14 hours - you always uncover new details and events that were absent in the previous playthroughs.




Resident Evil 2's more serious tone is additionally improved by the upgraded, fantastically atmospheric presentation, which gives familiar details from the classic game a more articulated look and feel. Moving away from the static camera angles of the original, everything has been redesigned in light of over-the-shoulder gameplay, giving a more unmistakable and obtrusive feeling of fear while exploring. This is increased significantly more by the flawless audio and visual design of the game, giving a creepy, isolating vibe all throughout the game. In a number of cases, you'll just have the light of your flashlight as you walk the dark hallways of the bloody and ruined police headquarters, with the ambient rain and distant monster sounds ramping up the tension. You never feel safe in RE2, even when you really are.

Now, talking about the zombies, I must say these are the most terrifying and at the same time most perfect zombies I've ever seen in a game. And rather than pixelated characters running from pre-rendered background to pre-rendered background, Resident Evil 2 is a completely 3D, over-the-shoulder affair with atmospheric lighting effects, noteworthy facial animations, and the most terrifying looking zombies I've ever seen in a game. They're juicier than ever and I love the way in which they lurch around and respond when you blow off very specific chunks of their heads and hands, courtesy of the satisfyingly detailed dismemberment system.

As always, inventory and ammunition management is still a key part of Resident Evil 2's gameplay. This is a real survival horror, where it generally appears as though you're barely scratching by with enough ammunition and medication. You can't carry all that you find with you, so what you should store and what you should carry is a fight continuously being waged in your mind.


The Verdict

Capcom did a fabulous job of resurrecting all the best parts of the classic Resident Evil 2 and making them look, sound, and play like a 2019 game. It's simply a strong horror game that delivers anxiety-inducing and grotesque situations, topping some of the series' best entries. But above all, the remake is an impressive game for the fact that it bets everything on the pure survival horror experience, unquestionably grasping its frightening tone and rarely letting up until the story's conclusion. The only disappointment you will find is the two characters' stories, which aren't different enough to

Friday, September 4, 2020

Guns N Stories Bulletproof VR Free Download

Guns'n'Stories: Bulletproof is a dynamic VR western shooter that fully immerses players into the ambiance of weird Wild West. Stepping the tangled storyline, you will encounter many intimidating but comical enemies and fight Big Bosses.

You will have to shoot aptly and a lot using both hands as well as to use various covers and move actively, avoiding bullets of enemies. You will visit many beautiful locations and will be able to try a big arsenal of weapons under the rhythm of the western rock music, jokes, and cynical humor!

GAMEPLAY AND SCREENSHOTS :
DOWNLOAD GAME:
♢ Click or choose only one button below to download this game.
♢ View detailed instructions for downloading and installing the game here.
♢ Use 7-Zip to extract RAR, ZIP and ISO files. Install PowerISO to mount ISO files.



Guns n Stories Bulletproof VR Free Download
http://pasted.co/af29b5ae

INSTRUCTIONS FOR THIS GAME
➤ Download the game by clicking on the button link provided above.
➤ Download the game on the host site and turn off your Antivirus or Windows Defender to avoid errors.
➤ Once the download has been finished or completed, locate or go to that file.
➤ To open .iso file, use PowerISO and run the setup as admin then install the game on your PC.
➤ Once the installation process is complete, run the game's exe as admin and you can now play the game.
➤ Congratulations! You can now play this game for free on your PC.
➤ Note: If you like this video game, please buy it and support the developers of this game.

SYSTEM REQUIREMENTS:
(Your PC must at least have the equivalent or higher specs in order to run this game.)


Minimum:
• OS: Windows 10
• Processor: Intel i5-4590 equivalent or greater
• Memory: 8 GB RAM
• Graphics: NVIDIA GTX 970 / AMD equivalent or greater
• DirectX: Version 11
• Storage: 2 GB available space
Additional Notes: VR Headset required, 2x USB 3.0 ports
Supported Languages: English, Italian, Spanish, Polish, Russian, Portuguese-Brazil and Simplified Chinese are available.
If you have any questions or encountered broken links, please do not hesitate to comment below. :D

Monday, August 31, 2020

Remot3d - An Easy Way To Exploiting


Sunday, August 30, 2020

Takeover - SubDomain TakeOver Vulnerability Scanner


Sub-domain takeover vulnerabilities occur when a sub-domain (subdomain.example.com) points to a service (e.g. GitHub, AWS/S3, ...) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that sub-domain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com. For more information: here
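A defender-side sketch of the condition described above, added here as an illustration and not taken from the takeover tool: it audits CNAME records exported from your own zone for targets that no longer resolve, or that answer with a provider's "nothing claimed here" page. The zone data, the stubbed lookups and the two fingerprint strings (GitHub Pages and S3) are assumptions of this example.

```python
import socket
import urllib.error
import urllib.request

# CNAME-target suffix -> text the provider serves when nothing is claimed there.
# Both entries are assumptions of this example; extend per provider you use.
FINGERPRINTS = {
    ".github.io": "There isn't a GitHub Pages site here.",
    ".s3.amazonaws.com": "NoSuchBucket",
}


def dns_resolves(host):
    """True if the system resolver returns any address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def http_body(host, limit=65536):
    """Body served for host over plain HTTP, error pages included."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as resp:
            return resp.read(limit).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read(limit).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


def audit(cnames, resolves=dns_resolves, fetch=http_body):
    """cnames maps each of your sub-domains to its CNAME target.

    Returns (sub-domain, target, reason) for every record that dangles.
    """
    findings = []
    for name, target in sorted(cnames.items()):
        target = target.rstrip(".").lower()
        if not resolves(target):
            findings.append((name, target, "target does not resolve"))
            continue
        # Shared hosting names usually resolve even when the site or bucket
        # is gone, so ask the provider what it serves for *our* host name.
        marker = next(
            (text for suffix, text in FINGERPRINTS.items()
             if target.endswith(suffix)),
            None,
        )
        if marker and marker in fetch(name):
            findings.append((name, target, "provider reports unclaimed resource"))
    return findings


# Constructed sample zone and responses, so the example runs offline.
SAMPLE_ZONE = {
    "www.example.com": "example.github.io",
    "blog.example.com": "olduser.github.io.",
    "assets.example.com": "example-assets.s3.amazonaws.com",
    "shop.example.com": "shops.vendor.example.net",
}
SAMPLE_BODIES = {
    "www.example.com": "<h1>Welcome</h1>",
    "blog.example.com": "<p>There isn't a GitHub Pages site here.</p>",
    "assets.example.com": "<html>ok</html>",
}


def demo():
    return audit(
        SAMPLE_ZONE,
        resolves=lambda host: host != "shops.vendor.example.net",
        fetch=lambda host: SAMPLE_BODIES.get(host, ""),
    )


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Called without the stub arguments, `audit()` uses the system resolver and a plain HTTP request, so run it only against records from a zone you administer.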



Installation:
# git clone https://github.com/m4ll0k/takeover.git
# cd takeover
# python takeover.py
or:
wget -q https://raw.githubusercontent.com/m4ll0k/takeover/master/takeover.py && python takeover.py



Attacking Financial Malware Botnet Panels - SpyEye

This is the second blog post in the "Attacking financial malware botnet panels" series. After playing with Zeus, my attention turned to another old (and dead) botnet, SpyEye. From an ITSEC perspective, SpyEye shares a lot of vulnerabilities with Zeus. 

The following report is based on SpyEye 1.3.45, which is old, and if we are lucky, the whole SpyEye branch will be dead soon. 

Google dorks to find SpyEye C&C server panel related stuff:

  • if the img directory gets indexed, it is rather easy, search for e.g. inurl:b-ftpbackconnect.png
  • if the install directory gets indexed, again, easy, search for e.g. inurl:spylogo.png
  • also, if you find a login screen, check the css file (style.css), and if you see #frm_viewlogs, #frm_stat, #frm_botsmon_country, #frm_botstat, #frm_gtaskloader and stuff like that, you can be sure you found it
  • otherwise, it is best not to Google for it, but get a SpyEye sample and analyze it
And this is what the control panel login looks like, nothing sophisticated:


The best part is that you don't have to guess the admin's username ;)

This is what an average control panel looks like:


Hack the Planet! :)

Boring vulns found (warning, an almost exact copy from the Zeus blog post)


  • Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
  • No password policy - admins can set up really weak passwords
  • No anti brute-force - you can try to guess the admin's password. There is no default username, as there is no username handling!
  • Password autocomplete enabled - boring
  • Missing HttpOnly flag on session cookie - interesting when combining with XSS
  • No CSRF protection - e.g. you can upload new exe, bin files, turn plugins on/off :-( boring. Also the file extension check can be bypassed, but the files are stored in the database, so no PHP shell this time. If you check the following code, you can see that even the file extension and type are checked, and an error is shown, but the upload process continues. And even if the error stopped the upload process, the check could be fooled by setting an invalid $uptype. Well done ...
        if ($_FILES['file']['tmp_name'] && ($_FILES['file']['size'] > 0))
        {
                $outstr = "<br>";
                set_time_limit(0);
                $filename = str_replace(" ","_",$_FILES['file']['name']);
                $ext = substr($filename, strrpos($filename, '.')+1);
                if( $ext==='bin' && $uptype!=='config' ) $outstr .= "<font class='error'>Bad CONFIG extension!</font><br>";
                if( $ext==='exe' && $uptype!=='body' && $uptype!=='exe' ) $outstr .= "<font class='error'>Bad extension!</font><br>";

                switch( $uptype )
                {
                case 'body': $ext = 'b'; break;
                case 'config': $ext = 'c'; break;
                case 'exe': $ext = 'e'; break;
                default: $ext = 'e';
                }
                $_SESSION['file_ext'] = $ext;
                if( isset($_POST['bots']) && trim($_POST['bots']) !== '')
                {
                        $bots = explode(' ', trim($_POST['bots']));
                        //writelog("debug.log", trim($_POST['bots']));
                        $filename .= "_".(LastFileId()+1);
                }
                if( FileExist($filename) ) $filename .= LastFileId();
                $tmpName  = $_FILES['file']['tmp_name'];
                $fileSize = $_FILES['file']['size'];
                $fileType = $_FILES['file']['type'];
                ## reading all file for calculating hash
                $fp = fopen($tmpName, 'r');
  • Clear text password storage - the MySQL passwords are stored in php files, in clear text. Also, the login password to the form panel is stored in clear text.
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5. Just look at the pure simplicity of the login check, great work!
        $query = "SELECT * FROM users_t WHERE uPswd='".md5($pswd)."'";
  • ClickJacking - really boring stuff
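The upload check quoted in the CSRF item above, rendered in Python next to a fail-closed version (an added example, not SpyEye code): the first function records the error and carries on, the second rejects at the first mismatch. The type-to-extension table is an assumption inferred from the PHP conditions, and the sample file names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class UploadResult:
    stored_ext: str                      # one-letter code the panel stores
    errors: list = field(default_factory=list)


def check_upload_as_written(filename, uptype):
    """Python rendering of the quoted PHP logic: problems are noted, not enforced."""
    ext = filename[filename.rfind(".") + 1:]
    errors = []
    if ext == "bin" and uptype != "config":
        errors.append("Bad CONFIG extension!")
    if ext == "exe" and uptype not in ("body", "exe"):
        errors.append("Bad extension!")
    # Nothing above returns. Any extension other than bin/exe raises no error
    # at all, and an unknown uptype falls through to the default branch.
    stored_ext = {"body": "b", "config": "c", "exe": "e"}.get(uptype, "e")
    return UploadResult(stored_ext, errors)


class UploadRejected(ValueError):
    """Raised instead of appending to an error string."""


# Assumed rule table: upload type -> (required extension, stored code).
RULES = {
    "body": ("exe", "b"),
    "config": ("bin", "c"),
    "exe": ("exe", "e"),
}


def check_upload_strict(filename, uptype):
    """Allow-list both inputs and stop at the first failure."""
    rule = RULES.get(uptype)
    if rule is None:
        raise UploadRejected(f"unknown upload type {uptype!r}")
    required_ext, stored_ext = rule
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        raise UploadRejected("file name has no extension")
    if ext.lower() != required_ext:
        raise UploadRejected(f"{uptype!r} uploads must end in .{required_ext}")
    return UploadResult(stored_ext)


# Constructed inputs: one valid upload and three that should be refused.
CASES = [
    ("cfg.bin", "config"),
    ("bot.exe", "config"),
    ("cfg.bin", "bogus"),
    ("notes.txt", "bogus"),
]


def compare(cases=CASES):
    """Return (filename, uptype, as-written outcome, strict outcome) rows."""
    rows = []
    for filename, uptype in cases:
        loose = check_upload_as_written(filename, uptype)
        try:
            strict = "stored as " + check_upload_strict(filename, uptype).stored_ext
        except UploadRejected as exc:
            strict = f"rejected: {exc}"
        loose_text = f"stored as {loose.stored_ext}, errors={loose.errors}"
        rows.append((filename, uptype, loose_text, strict))
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```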

    SQL injection


    SpyEye has a fancy history of SQL injections. See details here, here, here, video here and video here.

    It is important to highlight the fact that most of the vulnerable functions are reachable without any authentication, because these PHP files lack user authentication at the beginning of the files.

    But if a C&C server owner gets pwned through this vuln, it is not a good idea to complain to the developer, because after careful reading of the install guide, one can see:

    "For searching info in the collector database there is a PHP interface as formgrabber admin panel. The admin panel is not intended to be found on the server. This is a client application."

    And there are plenty of reasons not to install the formgrabber admin panel on any internet reachable server. But this fact leads to another possible vulnerability. The user for this control panel is allowed to remotely login to the MySQL database, and the install guide has pretty good passwords to be reused. I mean it looks pretty secure, there is no reason not to use that.

    CREATE USER 'frmcpviewer' IDENTIFIED BY 'SgFGSADGFJSDGKFy2763272qffffHDSJ';

    Next time you find a SpyEye panel, and you can connect to the MySQL database, it is worth a shot to try this password.

    Unfortunately the default permissions for this user are not enough to write files (select into outfile):

    Access denied for user 'frmcpviewer' (using password: YES)

    I also made a little experiment with this SQL injection vulnerability. I did set up a live SpyEye botnet panel, created the malware install binaries (droppers), and sent the droppers to the AV companies. And after more and more sandboxes connected to my box, someone started to exploit the SQL injection vulnerability on my server!

    63.217.168.90 - - [16/Jun/2014:04:43:00 -0500] "GET /form/frm_boa-grabber_sub.php?bot_guid=&lm=3&dt=%20where%201=2%20union%20select%20@a:=1%20from%20rep1%20where%20@a%20is%20null%20union%20select%20@a:=%20@a%20%2b1%20union%20select%20concat(id,char(1,3,3,7),bot_guid,char(1,3,3,7),process_name,char(1,3,3,7),hooked_func,char(1,3,3,7),url,char(1,3,3,7),func_data)%20from%20rep2_20140610%20where%20@a=3%23 HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

    Although the query did not return any meaningful data to the attacker (only data collected from sandboxes), it raises some legal questions.

    Which company/organization has the right to attack my server? 
    • police (having a warrant)
    • military (if we are at war)
    • spy agencies (always/never, choose your favorite answer)
    • CERT organisations?

    But, does an AV company or security research company have the legal right to attack my server? I don't think so... The most problematic part is when they hack a server (without authorization), and sell the stolen information in the name of "intelligence service". What is it, the wild wild west?

    The SQLi clearly targets the content of the stolen login credentials. If this is not an AV company, but an attacker, how did they get the SpyEye dropper? If this is an AV company, why are they stealing the stolen credentials? Will they notify the internet banking owners about the stolen credentials for free? Or will they do this for money?

    And don't get me wrong, I don't want to protect the criminals, but this is clearly a grey area in the law. From an ethical point of view, I agree with hacking the criminal's servers. As you can see, the whole post is about disclosing vulns in these botnet panels. But from a legal point of view, this is something tricky ... I'm really interested in the opinion of others, so comments are warmly welcome.

    On a side note, I was interested in how the "attackers" found the SpyEye form directory. Easy, they brute-forced it, with a wordlist having ~43.000 entries.
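For anyone running a similar honeypot, the two behaviours described in this section (the SQL injection request in the access log and the directory brute-forcing that preceded it) can be pulled out of the web server log per source address. This is an added example, not part of the original post; the log lines are constructed and shortened versions modelled on the request quoted above, and the benign `dt=20140610` value and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format, as in the line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# SQL fragments that have no place in a report-filter parameter.
SQL_TOKENS = re.compile(
    r"\bunion\s+(?:all\s+)?select\b|\bselect\b.+\bfrom\b|@\w+\s*:=|"
    r"\b(?:concat|char)\s*\(|\binto\s+outfile\b",
    re.IGNORECASE | re.DOTALL,
)

NOT_FOUND_THRESHOLD = 3  # tiny because the sample is tiny; tune for real traffic

# Constructed sample (documentation-range addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Jun/2014:04:41:10 -0500] "GET /admin/ HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [16/Jun/2014:04:41:10 -0500] "GET /panel/ HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [16/Jun/2014:04:41:11 -0500] "GET /cp/ HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [16/Jun/2014:04:41:12 -0500] "GET /form/ HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [16/Jun/2014:04:43:00 -0500] "GET /form/frm_boa-grabber_sub.php'
    '?bot_guid=&lm=3&dt=%20where%201=2%20union%20select%20@a:=1%20from%20rep1%23'
    ' HTTP/1.1" 200 508 "-" "-"',
    '192.0.2.10 - - [16/Jun/2014:05:02:31 -0500] "GET /form/frm_boa-grabber_sub.php'
    '?bot_guid=&lm=3&dt=20140610 HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.10 - - [16/Jun/2014:05:02:32 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
]


def analyse(lines):
    """Per source IP: count 404s and list (path, parameter) pairs carrying SQL."""
    report = defaultdict(lambda: {"not_found": 0, "sqli": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = report[m["ip"]]
        if m["status"] == "404":
            entry["not_found"] += 1
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so %20union%20select becomes " union select".
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SQL_TOKENS.search(value):
                entry["sqli"].append((parts.path, name))
    return dict(report)


def flagged(report, threshold=NOT_FOUND_THRESHOLD):
    """Map each suspicious IP to the reasons it was flagged."""
    result = {}
    for ip, entry in report.items():
        reasons = []
        if entry["not_found"] >= threshold:
            reasons.append("directory brute-force")
        if entry["sqli"]:
            reasons.append("sql injection")
        if reasons:
            result[ip] = reasons
    return result


if __name__ == "__main__":
    for ip, reasons in flagged(analyse(SAMPLE_LOG)).items():
        print(ip, reasons)
```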

    (Useless) Cross site scripting


    Although parts of the SpyEye panel are vulnerable to XSS, it is unlikely that you will find these components on the server, as these codes are part of the install process, and the installer fails to run if a valid install is found. And in this case, you also need the DB password to trigger the vuln...



    Session handling


    This is a fun part. The logout button invalidates the session only on the server side, but not on the client side. But if you take into consideration that the login process never regenerates the session cookies (a.k.a. session fixation), you can see that no matter how many times the admin logs into the application, the session cookie remains the same (as long as the admin does not close the browser). So if you find a session cookie which was valid in the past, but is not working at the moment, it is possible that this cookie will be valid in the future ...

    Binary server


    Some parts of the SpyEye server involve running a binary server component on the server, to collect the form data. It would be interesting to fuzz this component (called sec) for vulns.

    Log files revealed


    If the form panel mentioned in the SQLi part is installed on the server, it is worth visiting the <form_dir>/logs/error.log file, you might see the path of the webroot folder, IP addresses of the admins, etc.

    Reading the code


    Sometimes when reading the code you can find code snippets which are hard to understand with a clear mind:

    $content = fread($fp, filesize($tmpName));
    if ( $uptype === 'config' )
        $md5 = GetCRC32($content);
    else $md5 = md5($content);
    ....
    <script>
    if (navigator.userAgent.indexOf("Mozilla/4.0") != -1) {
    alert("Your browser is not support yet. Please, use another (FireFox, Opera, Safari)");
    document.getElementById("div_main").innerHTML = "<font class=\'error\'>ChAnGE YOuR BRoWsEr! Dont use BUGGED Microsoft products!</font>";
    }
    </script>

    Decrypting SpyEye communication

    It turned out that the communication between the malware and C&C server is not very sophisticated (Zeus does a better job at it, because the RC4 key stream is generated from the botnet password).

    function DeCode($content)
    {
        $res = '';
        for($i = 0; $i < strlen($content); $i++)
        {
            $num = ord($content[$i]);
            if( $num != 219) $res .= chr($num^219);
        }
        return $res;
    }
    Fixed XOR key, again, well done ...
    This means that it is easy to create a script, which can communicate with the SpyEye server. For example this can be used to fill in the SpyEye database with crap data.


    import binascii
    import requests

    def xor_str(data, key):
        # XOR every byte with the fixed single-byte key (the counterpart of DeCode())
        return bytes(byte ^ key for byte in data)

    b64_data = "vK6yv+bt9er17O3r6vqPnoiPjZb2i5j6muvo6+rjmJ/9rb6p5urr6O/j/bK+5uP16/Xs7evq9ers7urv/bSo5u316vXs7evq/a6v5pq/trK1/bi4qbjm453j6uPv7Or9tr/u5um+uuvpve3p7eq/4+vsveLi7Lnqvrjr6ujs7rjt7rns/au3vOa5sre3srW8s7q2tr6p4Lm3tLiw4LmuvKm+q7Spr+C4uPu8qbq5ub6p4Li4vKm6ubm+qeC4qb6/sq+8qbq54LiuqK+0tri0tbW+uK+0qeC/v7So4L+1qLqrsuC+trqyt7ypurm5vqngvb24vqmvvKm6ubm+qeC9/aivuq/mtLW3srW+"
    # base64-decode, then XOR with 219 to recover the plaintext message
    payload = xor_str(binascii.a2b_base64(b64_data), 219)
    print("the decrypted payload is: " + payload.decode("latin-1"))
    # encode it again the same way before sending it to the gate
    params = binascii.b2a_base64(xor_str(payload, 219))
    payload = {'data': params}
    r = requests.post("http://spyeye.localhost/spyeye/_cg/gate.php", data=payload)

    Moral of the story?


    Criminals produce the same shitty code as the rest of the world, and thanks to this, some of the malware operators get caught and are behind bars now. And the law is behind the reality, as always.
