
Win32

HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data

Solaris: RADINFRASOL_00009 or subsequent
http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRASOL_00009

CM Infrastructure v4.0, Win32: RADINFRAWIN32_00023 or subsequent
http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAWIN32_00023

CM Infrastructure v4.0i, Win32

Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:15 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339

And here is the error log fragment:

[Fri Nov 21 16:53:17 2008 GMT] Server error log started
[Sat Nov 22 16:02:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:15 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.

Code to mitigate IE STYLE zero-day

// Dirty mitigation for the Internet Explorer 6/7
// getElementsByTagName Body Style zero-day.  Downgrades an
// exploitation attempt to a harmless crash.
//
// This mitigation is for 32-bit (x86) Windows only -- it does
// not work on 64-bit Windows, even though 64-bit Internet
// Explorer is technically affected.
//
// To build:
//
//  1. Start Visual Studio 2008 (2005 should also work)

360 Security Guard breg device drivers Privilege Escalation Vulnerability

POC:

#include <windows.h>

typedef BOOL (WINAPI *INIT_REG_ENGINE)();
typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);
typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);
typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);
typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);


Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities

[PoC #1 - firefox_3.6.3_dos_poc_1.htm] --
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">

// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #1
// 
// o Summary:
// About 40 seconds after loading this PoC, the crash is triggered.
// The crashes occur at the same location.
//

[ GLSA 200803-08 ] Win32 binary codecs: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Win32 binary codecs: Multiple vulnerabilities
      Date: March 04, 2008
      Bugs: #150288
        ID: 200803-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

http://downloads.vmware.com/download/download.do?downloadGroup=WKST-654-WIN
   Release Notes:
   http://downloads.vmware.com/support/ws65/doc/releasenotes_ws654.html

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 2dc393fcc4e78dcf2165098a4938699a
   sha1sum: acfff457860c8c53c637c01f74f8aaa72d1c9569

   For Linux
   http://downloads.vmware.com/download/download.do?downloadGroup=WKST-654-LX

CounterPath X-Lite SIP phone Remote Denial of Service vulnerability

/**********main.cpp***********/
#include <stdio.h>
#include <string>
using namespace std;   

#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define close closesocket
#define write(a,b,c) send(a, b, c, 0)
#define writeto(a,b,c,d,e) sendto(a, b, c, 0, d, e)

WengoPhone SIP phone Remote Denial of Service vulnerability

/**********main.cpp***********/
#include <stdio.h>
#include <string>
using namespace std;   

#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define close closesocket
#define write(a,b,c) send(a, b, c, 0)
#define writeto(a,b,c,d,e) sendto(a, b, c, 0, d, e)

Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability

KAVSafe.sys creates a device called \Device\KAVSafe and handles DeviceIoControl requests with IoControlCode = 0x830020d4, which can overwrite arbitrary kernel module data.

EXPLOIT CODE:

#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(
                                                  HANDLE ProcessHandle,
                                                  DWORD ProcessInformationClass,
                                                  PVOID ProcessInformation,
                                                  ULONG ProcessInformationLength,
                                                  PULONG ReturnLength

Re: debugging

On 2 Jan 2008 18:04:08 -0000,  <unix_semaphore@yahoo.com.br> wrote:
> hello,
>
>   I am a newbie in Win32 software hacking.
>
>   When I have open source software, I use gdb to debug the software, but most Win32 apps are not open source; how do I know the functions? The operations? What tools will I use for this?

Not sure if I understand you correctly, but here it goes

(did you try using the google translator bot? I am not sure if they

VMSA-2009-0012 VMware Movie Decoder, VMware Workstation, VMware Player, and VMware ACE resolve security issues.

   http://www.vmware.com/support/ws65/doc/releasenotes_ws653.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 7565d16b7d7e0173b90c3b76ca4656bc
   sha1sum: 9f687afd8b0f39cde40aeceb3213a91be487aad1

   For Linux


debugging

hello,
  I am a newbie in Win32 software hacking.
  When I have open source software, I use gdb to debug the software, but most Win32 apps are not open source; how do I know the functions? The operations? What tools will I use for this?
  For example, it is simplest to search for buffer overflows in open code; how to do this in non open source software?

thanks



VMSA-2009-0006 VMware Hosted products and patches for ESX and ESXi resolve a critical security vulnerability

   http://www.vmware.com/support/ws65/doc/releasenotes_ws652.html
 
   For Windows
 
   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 8336586b9f9e5180d5279a0b988e82a6
   sha1sum: ccdb6bcb867638e8f4f493bc02c6f70c5ebbb88e
 
   For Linux
 

WinAppDbg 1.3 is out!

scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides
an object-oriented abstraction layer to manipulate threads, libraries and
processes, attach your script as a debugger, trace execution, hook API calls,


VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

   http://www.vmware.com/support/ws65/doc/releasenotes_ws652.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 8336586b9f9e5180d5279a0b988e82a6
   sha1sum: ccdb6bcb867638e8f4f493bc02c6f70c5ebbb88e

   For Linux


VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues

   http://www.vmware.com/support/ws65/doc/releasenotes_ws652.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 8336586b9f9e5180d5279a0b988e82a6
   sha1sum: ccdb6bcb867638e8f4f493bc02c6f70c5ebbb88e

   For Linux


VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues

   http://www.vmware.com/support/ws65/doc/releasenotes_ws653.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 7565d16b7d7e0173b90c3b76ca4656bc
   sha1sum: 9f687afd8b0f39cde40aeceb3213a91be487aad1
 
   For Linux


"Exploit creation - The random approach" or "Playing with random to build exploits"

uses “jmp short 0x69”. So, ENG still has more options in this case as well,
and it uses the range from “jmp short 0x10” to “jmp short 0x7f”, randomly.

-[ Writable Address [11]

According to many papers about Win32 buffer overflows, and “The Shellcoder’s
Handbook”, ENG needs to set a memory space it can write to inject the
shellcode. In this case there are two approaches:
        1. First exploit and Slammer uses 0x42ae7001 (SQLSORT.DLL);
        2. MSF uses 0x7ffde0cc (“write to thread storage space ala msrpc”).


VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server

   http://www.vmware.com/support/ws65/doc/releasenotes_ws653.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 7565d16b7d7e0173b90c3b76ca4656bc
   sha1sum: 9f687afd8b0f39cde40aeceb3213a91be487aad1

   For Linux


[DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4

POST /dokeos/main/create_course/add_course.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Content-Length: 107
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/dokeos/main/create_course/add_course.php

title=1234&category_code=PROJ&wanted_code=1234&course_language=slovenian&_qf__add_course=&

Re: Multiple vulnerabilities in XAMPP (advisory #7)

Hello Sebastien!

You can confirm it by yourself. Just find a site on XAMPP (Google can help
you with it) and check the holes using PoCs which I provided.

> and what target of xampp is it ? win32 ? linux ?

As far as I remember last year when I found all these vulnerabilities in
XAMPP, it was XAMPP on Windows servers on all those sites where I found
these holes.


Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:37:17 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 510
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>

Micropoint Proactive Defense Mp110013.sys <= 1.3.10123.0 Local Privilege Escalation Exploit

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

DWORD WINAPI LegoThread(LPVOID lpThreadParameter)
{
while(TRUE)
{
   Sleep(0x1000);


Immunity Debugger is now released

the graphing engine, and the GUI API. Because having to Re-Compile
plugins is lame, we decided to make everything accessible from Python.
So we put everything together and developed something we feel very
comfortable using.

This means we ended up with a fully flexible and extendible Win32
debugger that has all of its features, both debugging and graphical,
easily accessible from its Python scripting engine.

And best of all, it's available for free. That's right, Immunity
Debugger is released for free, including free monthly updates.

Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference.

   Description:

Xpdf is an open-source viewer for Portable Document Format (PDF) files. Xpdf project also includes
a PDF text extractor, PDF-to-PostScript converter, and various other utilities. Xpdf runs under
the X Window System on UNIX, VMS, and OS/2. The non-X components (pdftops, pdftotext, etc.) also
run on Win32 systems and should run on pretty much any system with a decent C++ compiler.
Xpdf is designed to be small and efficient. It can use Type 1, TrueType, or standard X fonts. 


   Details:


WinAppDbg version 1.2 is out!

==================

The WinAppDbg python module allows developers to quickly code instrumentation
scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides
an object-oriented abstraction layer to manipulate threads, libraries and
processes, attach your script as a debugger, trace execution, hook API calls,
handle events in your debugee and set breakpoints of different kinds (code,
hardware and memory). Additionally it has no native code at all, making it
easier to maintain or modify than other debuggers on Windows.

HP notebooks remote code execution vulnerability (multiple series)

within the logged user context.
Combining this method with the system command shell, one can execute any shell command sequence
within the remote user context (e.g. format, del, copy ...) by providing the '/c' switch as the first parameter
for cmd.exe (the "execute and exit" option).

At this point, having shell command execution access, access to the CreateProcess() Win32 API function
and access to the system directory, we can construct an armed remote code execution exploit.
All we need is to use the shell access to build remotely a batch file that after executed will 
launch 'ftp.exe' Windows NT ftp client utility, download arbitrary remote file into local system 
and execute it afterwards.
Such an exploit however, would have a visible cmd shell window during the exploit driven 
