adhitprofits

get more money

Tuesday, 28 December 2010

Linux Kernel 2.6.36 Kernel Memory Disclosure

/*
* cve-2010-3437.c
*
* Linux Kernel <>
* Jon Oberheide
* http://jon.oberheide.org
*
* Information:
*
* https://bugzilla.redhat.com/show_bug.cgi?id=638085
*
* The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
* pktcdvd_device from the global pkt_devs array. The index into this
* array is provided directly by the user and is a signed integer, so the
* comparison to ensure that it falls within the bounds of this array will
* fail when provided with a negative index.
*
* Usage:
*
* $ gcc cve-2010-3437.c -o cve-2010-3437
* $ ./cve-2010-3437
* usage: ./cve-2010-3437
* $ ./cve-2010-3437 0xc0102290 64
* [+] searching for pkt_devs kernel symbol...
* [+] found pkt_devs at 0xc086fcc0
* [+] opening pktcdvd device...
* [+] calculated dereference address of 0x790070c0
* [+] mapping page at 0x79007000 for pktcdvd_device dereference...
* [+] setting up fake pktcdvd_device structure...
* [+] dumping kmem from 0xc0102290 to 0xc01022d0 via malformed ioctls...
* [+] dumping kmem to output...
*
* 55 89 e5 0f 1f 44 00 00 8b 48 3c 8b 50 04 8b ...
* 55 89 e5 57 56 53 0f 1f 44 00 00 89 d3 89 e2 ...
*
* Notes:
*
* Pass the desired kernel memory address and dump length as arguments.
*
* We can disclose 4 bytes of arbitrary kernel memory per ioctl call by
* specifying a large negative device index, causing the kernel to
* dereference to our fake pktcdvd_device structure in userspace and copy
* data to userspace from an attacker-controlled address. Since only 4
* bytes of kmem are disclosed per ioctl call, large dump sizes may take a
* few seconds.
*
* Tested on Ubuntu Lucid 10.04. 32-bit only for now.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

Download Full

Monday, 27 December 2010

Linux RDS Protocol Local Privilege Escalation

/*
* Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
* CVE-2010-3904
* by Dan Rosenberg
*
* Copyright 2010 Virtual Security Research, LLC
*
* The handling functions for sending and receiving RDS messages
* use unchecked __copy_*_user_inatomic functions without any
* access checks on user-provided pointers. As a result, by
* passing a kernel address as an iovec base address in recvmsg-style
* calls, a local user can overwrite arbitrary kernel memory, which
* can easily be used to escalate privileges to root. Alternatively,
* an arbitrary kernel read can be performed via sendmsg calls.
*
* This exploit is simple - it resolves a few kernel symbols,
* sets the security_ops to the default structure, then overwrites
* a function pointer (ptrace_traceme) in that structure to point
* to the payload. After triggering the payload, the original
* value is restored. Hard-coding the offset of this function
* pointer is a bit inelegant, but I wanted to keep it simple and
* architecture-independent (i.e. no inline assembly).
*
* The vulnerability is yet another example of why you shouldn't
* allow loading of random packet families unless you actually
* need them.
*
* Greets to spender, kees, taviso, hawkes, team lollerskaters,
* joberheide, bla, sts, and VSR
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define RECVPORT 5555
#define SENDPORT 6666
int prep_sock(int port)

Download Full


Sunday, 26 December 2010

Easy Upload Shell in Joomla

There's a simple trick for uploading a shell in the Joomla CMS; many people probably already know about it. You can actually use an application like Ninja Explorer too, but if your connection is slow that's a fair bit of hassle, or the admin may have set things up so that no application can be installed. So here's the way, bro, more practical too. Let's get straight to it..

First preparation: you already have a Joomla site as the target, and have your shell/injector ready. Once everything is in place, let's go straight to practice.
don't forget coffee + cigarettes, to keep things running smoothly lol

1. Once you're inside the CMS there are the menus or boxes in the middle section, or click Site > choose Global Configuration; once there, choose System, see the picture below.

2. In the Media Settings section, Legal Extensions (File Types), we have to change one of the extensions listed there; examples we can change are ODP or ODG, there's also JPG. Change it to PHP. Once done, look at the Restrict Uploads and Check MIME Types section; by default these are checked YES, so change them to NO.
Pay attention to the Legal MIME Types section; there's a lot of text there like image/jpeg,image/gif,image etc.; pick one near the end, if I'm not mistaken X-ZIP or whichever you like, the point is to change it to PHP. Once saved, then NEXT STEP.

3. If step number 2 succeeds, the message "The Global Configuration details have been updated." appears; if it fails, "An Error has occurred! Unable to open configuration.php file to write!". If it turns out to have failed, you can use another way by replacing the source of the template's index.php with the source of your injector.
Here we're talking about the successful case: if it succeeds, choose MEDIA MANAGER. Look at the bottom section and upload your injector or shell file, for example: shell.php
if it succeeds, the result looks like the screenshot below..

4. Next, the URL to call the shell looks like this: http://[localhost]/images/shell.php

Easy, right? hahaha... enjoy the fruits of your crime..
Just sharing for newbies; those who are already masters are strictly forbidden from reading this article..!!

Protect WordPress Directory with .Htaccess

Back again with me, bro. This time we're discussing WordPress security, specifically one security measure as in the title above, using the .htaccess file. Many may already know this or have already covered it, but there's no harm in sharing it again.. :D

Let's talk about the .htaccess file. What is .htaccess..? The .htaccess file is an ASCII text file located inside the root directory, usually "public_html" or, on free hosting, "htdocs", and it is often used to change the default settings of the web server in use. So the benefits of this .htaccess file are very large. It is a web utility often used by webmasters.
So what needs securing in WordPress..? Lots, bro, for example /wp-admin, /wp-includes, wp-login.php, wp-db.php, wp-config.php, etc..
Straight to it, bro: the source code I'll give you, you just copy and paste into .htaccess, you already know that.. :D

Access the /wp-admin login page with a private IP/single IP

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# your IP address
allow from **.***.***.**

Pay attention to the text in red, bro: change **.***.***.** to your own IP, so only that one IP can access that page.. :D
Then what about wp-login.php? That's also used for logging in, right..? Hmm, relax bro, let's move on to wp-login.php, using a private IP too.. :D

<Files wp-login.php>
Order deny,allow
Deny from All
Allow from **.***.***.**
</Files>

Same as above, replace the text in red with your IP. If your IP is dynamic it's better not to, coz it only works for a single IP.

Secure wp-config.php

Moving on, bro, now we want to secure the wp-config.php file. You already know what wp-config.php is used for, so let's secure it.. :D
here's the code..

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Next let's discuss the wp-includes directory. People say that inside the wp-includes directory there's wp-db.php, which can expose all our important data, bro.
To guard wp-includes against unauthorized access, create an index.php or index.html file in that directory, bro. As for wp-db.php, try accessing it: it lives at wp-includes/wp-db.php and an error will surely come up, right? If that's indeed a weakness, let's cover it. The way is to create a .htaccess file in the wp-includes directory and fill it with this code..


RewriteEngine On
RewriteBase /
RewriteRule .*\.php$ readme.html [L]

Pay attention to the text in red: that's WordPress's own readme file. What we're doing is redirecting the wp-db.php file to readme.html in the way shown above.

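Added example, not part of the original post: one site-root .htaccess that puts the three protections above together, with the Apache 2.4 Require syntax next to the 2.2 Order/Allow/Deny syntax the post uses, and a wp-includes rule set modelled on the WordPress Codex hardening guide that answers 403 rather than rewriting every PHP file; the IP 203.0.113.10 is a placeholder.

```apache
# Site-root .htaccess (added example; 203.0.113.10 is a placeholder for your own address)

# 1. Only one IP may reach the login form. Apache 2.4 uses Require,
#    Apache 2.2 the Order/Deny/Allow form the post uses.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>

# 2. wp-config.php is read by PHP from disk; nobody needs it over HTTP.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# 3. Refuse direct requests to include-only PHP files with a 403 instead of
#    rewriting every .php under wp-includes to readme.html. Modelled on the
#    WordPress Codex hardening rules; keep it above WordPress's own rewrite block.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

On a multisite install drop the ^wp-includes/[^/]+\.php$ line, since it also blocks ms-files.php. Locking the whole wp-admin directory to one IP, as the post's first block does, also cuts off wp-admin/admin-ajax.php, which themes and plugins call from the public site; restricting only wp-login.php avoids that.
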
OK, done. Hope it's useful and helpful.. :D

Monday, 20 December 2010

Linux Kernel 2.6.37 Local Privilege Escalation

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* -------------
* This is the interesting one, and the reason I wrote this exploit. If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok(). However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* -------------
* This is a NULL pointer dereference in the Econet protocol. By itself, it's
* fairly benign as a local denial-of-service. It's a perfect candidate to
* trigger the above issue, since it's reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* -------------
* I wouldn't be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren't able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
* * The particular symbols I resolve are not exported on Slackware or Debian
* * Red Hat does not support Econet by default
* * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
* Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn't have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/

Download Full

Sunday, 19 December 2010

Oscommerce Online Merchant v2.2

Recode by arianom

[$] Exploit Title : Oscommerce Online Merchant v2.2 - Remote File Upload
[$] Date : 30-05-2010
[$] Author : MasterGipy
[$] Email : mastergipy [at] gmail.com
[$] Bug : Remote File Upload
[$] Vendor : http://www.oscommerce.com
[$] Google Dork : n/a
[%] vulnerable file: /admin/file_manager.php
[$] Exploit: Download

Note:
Open and edit script,
Change http://kill-9.org with your website target.
Then upload to shell or hosting. Run it and Resolve to the Target.
Good Luck,,Bro

Greats : All Kill-9 Crew and IndonesianCoder Team , Malang-Cyber Crew and You

Just in Memoriam

Tutina Fitri
Malang, July '03


Dear... Sometimes we hope
God will show us our path
and lift a little of the veil of His secrets.
Like the sun that rises in the east and sets in the west
or like time that never stops,
my feelings will always be close to you
Silence speaks,
how narrow time is, how great love feels,
even if I believe there is life after death, we will never meet again.
Dear... We always try to value life so it means more,
though small, dew is a sign that spring is coming.
The song of a bird or a beautiful sound is not a choice,
we will always want to enjoy both.
If I had to choose, I would not choose,
because the wind will always carry the legend of our story,
which will always end happily.
Only time could take you from me..


sumbersari gang 5/503

by : admin blakblakans.blogspot.com