mtg to relieve my cortisol

Follow Wikipedia:
https://en.wikipedia.org/wiki/Magic:_The_Gathering

 
There's a lot of strategic depth to Magic or MTG. There is usually a pretty good variety of top-tier decks you can play. From my perspective, you can generally find a tier that fits your playstyle or color preference and is still competitive.

Do you believe that games can relieve stress levels?
So, I choice play mtg to do that.

The cool thing is, if you stop playing for a year or four, it's not like your deck becomes obsolete. If you were playing standard, you could switch to modern legacy, and that's that.

Here "brazil" have devir call events and challenges https://magic.wizards.com/pt-br/events/event-types

If you have some curiosity to view my strategy's look that following:
https://tappedout.net/users/Cooler_/mtg-decks/

Open Source simulators:
https://www.slightlymagic.net/wiki/Forge
http://www.blueisme.com/portfolio/cardforge/  

Firefox tunnel

A crucial element of the Red Team's task is stealth in the attack. Success is its ability to espouse an aggressive mindset. If the red team wins, an absolute cracker's point of view can help construct a better defence for the Blue Team in the future. Don't bear this content. All content here has a practical purpose.

This blog post is about a different attack approach to remote control the machine and bypasses the firewall. We have many weapons to work in that perspective, something like veil framework, msfvenom. But sometimes, following a different path will generally bring good results.

 The attack aims to use firefox to communicate between client and server. Using hooks to do that is not impossible, but DLL injection sometimes is boring to implement and can be harder to turn in portable. Do you know that? x32 and x64, each architecture needs a different approach to develop(in the future, I discovered that the easy hook API could solve that). Another day I was studying the firefox internals, reading something about the use of SQLite to work with cookies that gave me a different focus.
Look at the following:

That is a complete plan to create a program to use firefox with the tunnel. I going to explain in each step:

1- Programm of tunnel call firefox browser in hidden mode, sending a URL, URL has a malicious server, that malicious server sends a cookie with command.

2- The tunnel gets a cookie of evil server in the cookie.SQLite uses that in the command shell.

3- Result of command shell is used to write an HTML with javascript to make auto-submit with the content result.

4- Programm open wrote HTML in hidden mode to send CMD to the malicious server.


 Now you can look at the following:

For a satisfactory conclusion, I wrote the code and recorded the proof of concept. The incredible fact of the empirical point turns all into reality. You can view all staff at the following:

https://github.com/convisoappsec/firefox_tunnel

Future insights:

* Insert persistence, using function RegOpenKeyEx() to open path: 

"Software\Microsoft\Windows\CurrentVersion\Run" 

write with function RegSetValueEx() to launches a program automatically at system startup.

 *Using images in I/O using steganography.

 *Running process in hidden mode.

 *Turn to tunnel unkillable process.

Possible mitigations:

* Global hooking, to get OpenFile(), CreateFIle() functions and filter argv "cookie.sqlite" and block when programm route is different of firefox.exe.

* File watch API to monitor the database of cookies.

* Programm to open database of cookies by periodicity and search wrong domain or hosts, that can use a blocklist to find and uses DELETE query to remove the evil cookie.

Thank you for reading this. Cheers!

Killing dragons spawned by arithmetic-related security pitfalls

In the last week, which followed my attempt to earn money with financial trading, I glanced through the Black & Scholes model.

This study resulted in the creation of OptionsCat, an open-source tool to work with European options. I faced many Arithmetic-related security pitfalls when writing this tool, which motivated me to study it and write a blog post.  

  

 I always develop my implementations for the algorithms presented throughout the finance books. That's because the writers are often careless about security pitfalls. From this article's perspective, this is a problem or dragon that can be solved by adding a chapter about validation.

Programming languages that enable direct memory access and do not provide buffer boundary checks and arithmetic numeric checks are particularly vulnerable to integer overflow attacks. An integer overflow may occur when computing the memory size to allocate a buffer, often leading to a buffer overflow.

 

 Look at the following quote: 

 "Integer overflows cannot be detected after they have happened, so there is no way for an application to tell if a result it has calculated previously is correct. This action can get dangerous if the calculation has to do with a buffer's size or how far into an array to index. Of course, most integer overflows are not exploitable because memory is not being directly overwritten, but sometimes they can lead to other bug classes, frequently buffer overflows. As well as this, integer overflows can be difficult to spot, so even well-audited code can spring surprises." 

 by blexim - Phrack Volume 0x0b, Issue 0x3c, Phile #0x0a of 0x10

Some people talk to me about the use of the Big integer library. Like LibGMP to solve it, but when you work with big int need limit that numbers, arithmetic operations with bigint when a user has input with considerable length can cause Denial of service. The use of Integers is not hard to find in the stock markets. But double is then expected and can bring you a problem if you don't control the length, for example:

#include < math.h>
#include < stdio.h> 

double mul_code(double x,double y) 
{
  double result=0;
   
  return result = x*y;
}

int main()
{
 double a=90000000000, b=20000000000000;

 printf("Result: %f\n", mul_code(a,b));
 return 0;
}

If you compile it and run it, it returns something like "1799999999999999916112.*(dirts...)". You ask me, "why to return it ?" you don't validate the operation and pass the carrying limit. This action can cause undefined behaviour and overflow.

Killing dragons in integers 

There are lots of ways for you to solve. One is validating user input. This way, you can use automatons, regular expressions, and strnlen() to limit the number of lengths. Remember phrack; the correct way to test for integer overflow during multiplication is to try before the multiplication, test if the number is negative, and replace functions like atoi() to strtol().

 

 

 Some operating systems have solutions at libraries to mitigate the problem. For example, OSX has os/overflow.h. With this header, you can do something like it:

#include < "os/overflow.h">
 
if (os_mul_overflow(m, n, &bytes)) {
    /* Overflow occured.  Handle appropriately. */
} else {
    /* Allocate "bytes" space. */

Another way to mitigate this way is from OpenBSD:

#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t)*4))
// based in OpenBSD reallocarray() function http://man.openbsd.org/reallocarray.3
void *reallocarray (void *ptr, size_t nmemb, size_t size) 
{
 if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && nmemb > 0 && SIZE_MAX / nmemb < size) 
 {
  DEBUG("integer overflow block");
  return NULL;
 }

 void *p = realloc (ptr, nmemb*size);

 if (p == NULL) 
  return NULL;

 return p;
}

Other approaches that you can see is the using libraries and different ways to write safe code with integers, sometimes calling each function safe_add(), safe_sub(), safe_mul(), and safe_div() is very dull when having significant expressions, and thinking about it I wrote a solution, look my project Here!

Killing dragons in double

 The Cert C book by Robert Seacord has an example of solving the problem at the double, the derivatives and futures have a lot of operations with double, one way to detect possible bug is using the function fetestexcept() :

At inputs, don't use the atof() function. Replace to strtod(), and double look the following code here.

Thank you for reading.
Cheers!

Steps to create your WAF(web application firewall) in C

Following definition (like OWASP), a WAF is a piece of software intended to protect a web app on the application level. Nowadays, a WAF action is not only defined by the web app. It’s not a customized solution specific to that application but similarly to a general software firewall, where one contains parameters to protect against intrusion in a wide variety of frameworks and codes.

Firewall burning invasors hehehe !

Let's go to clear your mind. There is overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks. However, with their specialized function for web applications, WAFs can take the form of input of either of those two main types. Per default, a firewall uses a blocklist, protecting against an individual, previously logged attacks.

Additionally, it can also use an allowlist, providing allowable users and instances of interaction for the application. Another function is to block SQL Injection attacks and XSS attacks... In another context, WAFs can create random tokens and put them in forms to stop web robots and automated attacks. This practice can try to mitigate CSRF pitfalls.

Before you ask, "how-to, I create my WAF ?" I have got to bring you some principles, anyway, the theory around facts.

Have two common WAFs:

 1-Uses plugin in HTTPd to get information of INPUT or OUTPUT, before the finish he receives the request and blocks some contents, this function focuses at HTTP METHODs POST, GET... 

2-this way is my favourite. It is an independent reverse proxy server. He brings all requests of the client to the proxy. The proxy makes some analysis in the content. If not, block, he sends all the information to the external server.

Number One is cold, and this path is not fully portable. Another bad thing is you need to create a different plugin for each HTTPd, something to apache another to NGINX, IIs, Lighttpd... it's not cool! If you are not an excellent low-level programmer. You can try using twisted python. It is easy to make a reverse proxy with it, but it is not the right way because not have good performance in production. If you piss off at it, study the Stevens book of sockets.

It is OK, the title of this post is "create waf in C", Task is entirely done here and commented and with some documentations in LaTex... relax, you can get it in this repository: https://github.com/CoolerVoid/raptor_waf

 

Raptor WAF is a simple web application firewall made in C, using KISS principle, to make poll use the select() function, is not better than epoll() or kqueue() from *BSD but is portable, the core of match engine using DFA to detect XSS, SQLi and path traversal, you can see here https://github.com/CoolerVoid/raptor_waf/tree/master/doc/test_dfa

 No more words, look at the following :

Thank you for reading this! 
Cheeers!

Talking about text classifiers

In the last year following search, I searched something about machine learning, like trying to detect SPAMs at my private projects. I saw something about KNN, random decision forests and naive Bayes.

Consequently, I wrote a C++ library to classify texts and some slides for a presentation, which you can view at the end of this blog post.

So I chose Naive Bayes because Naive Bayes is one of the simplest classifiers, based on Bayes theorem with naïve and complete independence assumptions. It is one of the most basic text classification techniques with various email spam detection, document categorization, sexually explicit content detection, personal email sorting, language detection and sentiment detection(i think something like NLP). Despite the naïve design and oversimplified assumptions that this technique uses, Naive Bayes performs well in many complex real-world problems. Another good thing, Naive Bayes is suitable for limited CPU and memory resources.

To optimize detection accuracy, I use DFA(deterministic finite automaton) to match patterns and put each mark in ranking. That ranking has one classification. You can view the following code here. To make your automaton, you can use Flex, bison in another way.

If you view a presentation on slide number 12, you can see my point of view about ranking to optimize the accuracy of the classifier at results.

 

Improving spam detection with automaton from Antonio Costa aka Cooler_

SO, This is a very cool trick to gain accuracy. No more words, friends. Thank you for reading this! 

Cheers!

References:

• Natural Language Processing by Dan Jurafsky, Christopher Manning
• John, G. H. e Langley, P. (1995). Estimating continuous distributions in bayesian classifiers. Montreal, Quebec; Canada.
• Svore, K. M., Wu, Q., e Burges, C. J. (2007). Improving web spam classification using rank-time features. Banff, Alberta, Canada.

Uncommon trick to bypass windows firewall

When I was about to write post I remembered a scene from the movie Monty Python. It's about a black knight that blocks a bridge (his main purpose) saying the following to Arthur, a guy who insisted on crossing the bridge in safety: "None shall pass!". But Arthur kept on insisting, so the black night said: "Then you shall die.".

A firewall is supposed to stop all applications that don't have a good reason to get privileged access to computers or networks. If your app could "bypass" it, so could malicious applications. Firewall plays the same role as the black night, i.e. prevent anything suspicious from going through the bridge.

You can configure firewalls to let particular connections go through the checks, but sometimes you need physical access to the equipment running the firewall to do that.  Don't you have access to the equipment running the firewall? If so, you need to bypass it.

Are you willing to change rules via RegEdit to allow a specific service to run? I have some bad news to you. Your antivirus can detect this trick, because it's a common approach used by malwares.

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
• SYSTEM\ControlSet%03d\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Before you say "I can try to hook it" or "I can execute a function like execl(), system() with the argument: 

• netsh advfirewall set currentprofile state off

What if I tell you that you can use Windows API to simulate a keystroke so as to bypass firewall checks?

Windows has the function SendInput() to simulate a keystroke. This function accepts as argument an array of INPUT structures. The INPUT structures can be either a mouse or a keyboard event. The keyboard event structure has a member called wVk which can be any key on the keyboard.

SendInput() played an important role when writing the code for bypassing Windows firewall. How does it work? 

Firstly, it finds a window with title 'Windows Security Alert' using the function GetWindowText(). Secondly, it calls SendInput() with TAB and ENTER keys to choose button 'allow access'. As simple as that

Take a look at the following video:

Take a look at my code that bypasses Windows firewall:
https://github.com/CoolerVoid/X_files/blob/master/docs/PoCs/bypass_firewall_windows.cpp 

This is a very cool trick. No more words friends. Thank you for reading this!

cheers !

Hack any TV remote control

Do you have an old TV remote? What if I told you can create your code to make communication with this remote controller.

You can do it!

Infrared remote control is cool, the idea of this blog post is turn it in presentation tool. It is easy with this remote to keep your finger on the advance button and simply advance slides — or turn the screen back, at your favorite PDF viewer. 

Think like MacGyver,  to handle a difficult situation through improvisation using only available materials to do an intelligent activity...

Its Ok, lets go to the hack...

First step you need get some things:

• Computer with Unix Like OS(at my tests i using Fedora Linux) 
• Any TV remote control (i use a samsung model “AA59-00469A”) 
• Arduino nano 12,00 USD 
• IR recv (model “1838B”) - 2,00 USD 
• Jumpers 1,00 USD 
• Breadboard 2,50 USD

Total of costs is 17.50 USD, looks good  is not expensive, try following this image to assembly your hardware:

• Green wire is GND 
• Orange wire is 5v 
• Yellow wire is pin 6(this is input  to make communication with arduino) 
• USB connected at arduino(usually at mini series uses FTDI input)

Second step mapping your TV remote control:

At this step we are get some libraries, look this following:

• $ git clone https://github.com/shirriff/Arduino-IRremote 

• $ mv Arduino-IRremote ArduinoRemote; sudo cp -rf ArduinoRemote/ /usr/share/arduino/libraries 

At your arduino IDE tool, you can view examples of use it at tab "File", load example that show the input of serial, look this following:

The function Serial.println() shows the output of serial input. for example: when you hold the button one of TV remote control, this action shows the hexadecimal value "E13DDA28".

Done the mapping process of buttons, the next step is use syscall open() to open the file "/dev/ttyUSB0" and use  the syscall read() to get INPUTs of arduino device, remember to put diferent condition at each button input of device.

To automate keyboard hold keys, at Unix like system, you need use some libraries like libXtst and libX11, to emulate keys to turn screens of presentation, to install this libraries look the following:

$ yum install libXtst-devel libX11-devel
at deb based distros uses apt-get install pkg_name-dev

To get final code, rewrite this lines 152 and 159 with address of your button mapping,  compile it and run:
$ git clone https://github.com/CoolerVoid/arduino_ppt_walk 
$ gcc IR_remote.c -o IR_remote -lX11 -lXtst -Wall
$ ./IR_remote /dev/ttyUSB0
Look this following:

https://www.youtube.com/watch?v=Wx64BfLgxQU